Merge branch 'rapid7' into dmaloney-r7-http/auth_methods

Author: egypt

data/gui/msfgui.jar

@@ -260,7 +260,8 @@ protected RpcConnection doInBackground() throws Exception {
 				// Don't fork cause we'll check if it dies
 				String rpcType = "Basic";
 				java.util.List args = new java.util.ArrayList(java.util.Arrays.asList(new String[]{
-						"msfrpcd","-f","-P",defaultPass,"-t","Msg","-U",defaultUser,"-a","127.0.0.1"}));
+						"msfrpcd","-f","-P",defaultPass,"-t","Msg","-U",defaultUser,"-a","127.0.0.1",
+						"-p",Integer.toString(defaultPort)}));
 				if(!defaultSsl)
 					args.add("-S");
 				if(disableDb)

external/source/gui/msfguijava/src/msfgui/RpcConnection.java

@@ -76,7 +76,7 @@ def find_files(file,user,pass)
 				:category => "web",
 				:method   => "GET"
 			})
-				
+
 			loot = store_loot("lfi.data","text/plain",rhost, res.body,file)
 			vprint_good("#{rhost}:#{rport} - File #{file} downloaded to: #{loot}")
 		elsif res and res.code
@@ -89,7 +89,7 @@ def run_host(ip)
 		pass = datastore['PASSWORD']
 
 		vprint_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
-		
+
 		#test login
 		begin
 			res = send_request_cgi({

modules/auxiliary/admin/http/netgear_sph200d_traversal.rb

@@ -19,7 +19,10 @@ def initialize(info={})
 				This module attempts to identify Ruby on Rails instances vulnerable to
 				an arbitrary object instantiation flaw in the XML request processor.
 			},
-			'Author'      => 'hdm',
+			'Author'      => [
+					  'hdm', #author
+					  'jjarmoc' #improvements
+					  ],
 			'License'     => MSF_LICENSE,
 			'References'  =>
 				[
@@ -29,15 +32,16 @@ def initialize(info={})
 		))
 
 		register_options([
-			OptString.new('URIPATH', [true, "The URI to test", "/"])
+			OptString.new('URIPATH', [true, "The URI to test", "/"]),
+			OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ]),
 		], self.class)
 	end
 
 	def send_probe(ptype, pdata)
 		odata = %Q^<?xml version="1.0" encoding="UTF-8"?>\n<probe type="#{ptype}"><![CDATA[\n#{pdata}\n]]></probe>^
 		res = send_request_cgi({
 			'uri'    => datastore['URIPATH'] || "/",
-			'method' => 'POST',
+			'method' => datastore['HTTP_METHOD'],
 			'ctype'  => 'application/xml',
 			'data'   => odata
 		}, 25)
@@ -46,29 +50,35 @@ def send_probe(ptype, pdata)
 	def run_host(ip)
 
 		res1 = send_probe("string", "hello")
-		res2 = send_probe("yaml", "--- !ruby/object:Time {}\n")
-		res3 = send_probe("yaml", "--- !ruby/object:\x00")
 
 		unless res1
 			vprint_status("#{rhost}:#{rport} No reply to the initial XML request")
 			return
 		end
 
+		if res1.code.to_s =~ /^[5]/
+			vprint_status("#{rhost}:#{rport} The server replied with #{res1.code} for our initial XML request, double check URIPATH")
+			return
+		end
+
+		res2 = send_probe("yaml", "--- !ruby/object:Time {}\n")
+
 		unless res2
 			vprint_status("#{rhost}:#{rport} No reply to the initial YAML probe")
 			return
 		end
 
+		res3 = send_probe("yaml", "--- !ruby/object:\x00")
+
 		unless res3
 			vprint_status("#{rhost}:#{rport} No reply to the second YAML probe")
 			return
 		end
 
-		if res1.code.to_s =~ /^[45]/
-			vprint_status("#{rhost}:#{rport} The server replied with #{res1.code} for our initial XML request, double check URIPATH")
-		end
+		vprint_status("Probe response codes: #{res1.code} / #{res2.code} / #{res3.code}")
+
 
-		if res2.code.to_s =~ /^[23]/ and res3.code != res2.code and res3.code != 200
+		if (res2.code == res1.code) and (res3.code != res2.code) and (res3.code != 200)
 			print_good("#{rhost}:#{rport} is likely vulnerable due to a #{res3.code} reply for invalid YAML")
 			report_vuln({
 				:host	=> rhost,
@@ -79,7 +89,7 @@ def run_host(ip)
 				:refs   => self.references
 			})
 		else
-			vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or URIPATH must be set")
+			vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or URIPATH & HTTP_METHOD must be set")
 		end
 	end
 

modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb

@@ -37,7 +37,7 @@ def initialize
 
 	end
 
-	def get_ppooe_credentials(conf)
+	def get_pppoe_credentials(conf)
 
 		user = ""
 		password = ""
@@ -208,7 +208,7 @@ def run_host(ip)
 		get_ftp_credentials(conf)
 		get_dvr_credentials(conf)
 		get_ddns_credentials(conf)
-		get_ppooe_credentials(conf)
+		get_pppoe_credentials(conf)
 
 		dvr_name = ""
 		if res.body =~ /DVR_NAME=(.*)/

modules/auxiliary/scanner/misc/dvr_config_disclosure.rb

@@ -38,7 +38,7 @@ def setup
 			"ST:upnp:rootdevice\r\n" +
 			"Man:\"ssdp:discover\"\r\n" +
 			"MX:3\r\n" +
-			"\r\n\r\n" # Non-standard, but helps
+			"\r\n"
 	end
 
 	def scanner_prescan(batch)
@@ -144,14 +144,14 @@ def scanner_process(data, shost, sport)
 			}
 		}
 
-		if data =~ /^Server:[\s]*(.*)/i
+		if data =~ /^Server:[\s]*(.*)/mi
 			@results[skey][:info][:server] = $1.strip
 		end
 
 		ssdp_host = nil
 		ssdp_port = 80
 		location_string = ''
-		if data =~ /^Location:[\s]*(.*)/i
+		if data =~ /^Location:[\s]*(.*)/mi
 			location_string = $1
 			@results[skey][:info][:location] = $1.strip
 			if location_string[/(https?):\x2f\x2f([^\x5c\x2f]+)/]
@@ -168,7 +168,7 @@ def scanner_process(data, shost, sport)
 			end
 		end
 
-		if data =~ /^USN:[\s]*(.*)/i
+		if data =~ /^USN:[\s]*(.*)/mi
 			@results[skey][:info][:usn] = $1.strip
 		end
 

modules/auxiliary/scanner/upnp/ssdp_msearch.rb

@@ -55,8 +55,7 @@ def initialize(info = {})
 			[
 				Opt::RPORT(80),
 				OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
-				OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"])
-
+				OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ])
 			], self.class)
 
 	end

modules/exploits/multi/http/rails_json_yaml_code_exec.rb

@@ -53,8 +53,7 @@ def initialize(info = {})
 			[
 				Opt::RPORT(80),
 				OptString.new('URIPATH', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
-				OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"])
-
+				OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ])
 			], self.class)
 
 		register_evasion_options(

modules/exploits/multi/http/rails_xml_yaml_code_exec.rb

@@ -28,7 +28,7 @@ def initialize(info = {})
 				[
 					'evilcry', # pbot analysis'
 					'Jay Turla', # pbot analysis
-					'@bwallHatesTwits', # PoC
+					'bwall', # aka @bwallHatesTwits, PoC
 					'juan vazquez' # Metasploit module
 				],
 			'License'        => MSF_LICENSE,