Merge branch 'upstream-master' into land-9539-

Author: busterb

Gemfile.lock

@@ -38,7 +38,6 @@ PATH
       pg (= 0.20.0)
       railties
       rb-readline
-      rbnacl (< 5.0.0)
       recog
       redcarpet
       rex-arch
@@ -73,7 +72,7 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    Ascii85 (1.0.2)
+    Ascii85 (1.0.3)
     actionpack (4.2.10)
       actionview (= 4.2.10)
       activesupport (= 4.2.10)
@@ -103,12 +102,12 @@ GEM
       public_suffix (>= 2.0.2, < 4.0)
     afm (0.2.2)
     arel (6.0.4)
-    arel-helpers (2.5.0)
+    arel-helpers (2.6.1)
       activerecord (>= 3.1.0, < 6)
-    backports (3.11.0)
+    backports (3.11.1)
     bcrypt (3.1.11)
     bcrypt_pbkdf (1.0.0)
-    bindata (2.4.1)
+    bindata (2.4.2)
     bit-struct (0.16)
     builder (3.2.3)
     coderay (1.1.2)
@@ -127,7 +126,6 @@ GEM
       i18n (>= 0.7)
     faraday (0.13.1)
       multipart-post (>= 1.2, < 3)
-    ffi (1.9.18)
     filesize (0.1.1)
     fivemat (1.3.5)
     google-protobuf (3.5.1)
@@ -249,8 +247,6 @@ GEM
       thor (>= 0.18.1, < 2.0)
     rake (12.3.0)
     rb-readline (0.5.5)
-    rbnacl (4.0.2)
-      ffi
     recog (2.1.17)
       nokogiri
     redcarpet (3.4.0)
@@ -352,7 +348,7 @@ GEM
     ttfunk (1.5.1)
     tzinfo (1.2.4)
       thread_safe (~> 0.1)
-    tzinfo-data (1.2017.3)
+    tzinfo-data (1.2018.3)
       tzinfo (>= 1.0.0)
     windows_error (0.1.2)
     xdr (2.0.0)

lib/metasploit/framework/login_scanner/bavision_cameras.rb

@@ -5,6 +5,8 @@ module Metasploit
   module Framework
     module LoginScanner
 
+      class BavisionCamerasException < Exception; end
+
       class BavisionCameras < HTTP
 
         DEFAULT_PORT  = 80
@@ -59,7 +61,13 @@ def digest_auth(user, password, response)
           nonce_count = 1
           cnonce = Digest::MD5.hexdigest("%x" % (Time.now.to_i + rand(65535)))
 
-          response['www-authenticate'] =~ /^(\w+) (.*)/
+          i = (response['www-authenticate'] =~ /^(\w+) (.*)/)
+
+          # The www-authenticate header does not return in the format we like,
+          # so let's bail.
+          unless i
+            raise BavisionCamerasException, 'www-authenticate header is not in the right format'
+          end
 
           params = {}
           $2.gsub(/(\w+)="(.*?)"/) { params[$1] = $2 }
@@ -104,7 +112,7 @@ def attempt_login(credential)
 
           begin
             result_opts.merge!(try_digest_auth(credential))
-          rescue ::Rex::ConnectionError => e
+          rescue ::Rex::ConnectionError, BavisionCamerasException => e
             # Something went wrong during login. 'e' knows what's up.
             result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message)
           end

lib/msf/core/handler/bind_udp.rb

@@ -0,0 +1,208 @@
+# -*- coding: binary -*-
+module Msf
+module Handler
+
+###
+#
+# This module implements the Bind TCP handler.  This means that
+# it will attempt to connect to a remote host on a given port for a period of
+# time (typically the duration of an exploit) to see if a the payload has
+# started listening.  This can tend to be rather verbose in terms of traffic
+# and in general it is preferable to use reverse payloads.
+#
+###
+module BindUdp
+
+  include Msf::Handler
+
+  #
+  # Returns the handler specific string representation, in this case
+  # 'bind_tcp'.
+  #
+  def self.handler_type
+    return "bind_udp"
+  end
+
+  #
+  # Returns the connection oriented general handler type, in this case bind.
+  #
+  def self.general_handler_type
+    "bind"
+  end
+
+  #
+  # Initializes a bind handler and adds the options common to all bind
+  # payloads, such as local port.
+  #
+  def initialize(info = {})
+    super
+
+    register_options(
+      [
+        Opt::LPORT(4444),
+        OptAddress.new('RHOST', [false, 'The target address', '']),
+      ], Msf::Handler::BindUdp)
+
+    self.conn_threads = []
+    self.listener_threads = []
+    self.listener_pairs = {}
+  end
+
+  #
+  # Kills off the connection threads if there are any hanging around.
+  #
+  def cleanup_handler
+    # Kill any remaining handle_connection threads that might
+    # be hanging around
+    conn_threads.each { |thr|
+      thr.kill
+    }
+  end
+
+  #
+  # Starts a new connecting thread
+  #
+  def add_handler(opts={})
+
+    # Merge the updated datastore values
+    opts.each_pair do |k,v|
+      datastore[k] = v
+    end
+
+    # Start a new handler
+    start_handler
+  end
+
+  #
+  # Starts monitoring for an outbound connection to become established.
+  #
+  def start_handler
+
+    # Maximum number of seconds to run the handler
+    ctimeout = 150
+
+    # Maximum number of seconds to await initial udp response
+    rtimeout = 5
+
+    if (exploit_config and exploit_config['active_timeout'])
+      ctimeout = exploit_config['active_timeout'].to_i
+    end
+
+    # Take a copy of the datastore options
+    rhost = datastore['RHOST']
+    lport = datastore['LPORT']
+
+    # Ignore this if one of the required options is missing
+    return if not rhost
+    return if not lport
+
+    # Only try the same host/port combination once
+    phash = rhost + ':' + lport.to_s
+    return if self.listener_pairs[phash]
+    self.listener_pairs[phash] = true
+
+    # Start a new handling thread
+    self.listener_threads << framework.threads.spawn("BindUdpHandlerListener-#{lport}", false) {
+      client = nil
+
+      print_status("Started bind handler")
+
+      if (rhost == nil)
+        raise ArgumentError,
+          "RHOST is not defined; bind stager cannot function.",
+          caller
+      end
+
+      stime = Time.now.to_i
+
+      while (stime + ctimeout > Time.now.to_i)
+        begin
+          client = Rex::Socket::Udp.create(
+            'PeerHost' => rhost,
+            'PeerPort' => lport.to_i,
+            'Proxies'  => datastore['Proxies'],
+            'Context'  =>
+              {
+                'Msf'        => framework,
+                'MsfPayload' => self,
+                'MsfExploit' => assoc_exploit
+              })
+        rescue Rex::ConnectionRefused
+          # Connection refused is a-okay
+        rescue ::Exception
+          wlog("Exception caught in bind handler: #{$!.class} #{$!}")
+        end
+
+        client.extend(Rex::IO::Stream)
+        begin
+          # If a connection was acknowledged, request a basic response before promoting as a session
+          if client
+            message = 'syn'
+            client.write("echo #{message}\n")
+            response = client.get(rtimeout)
+            break if response && response.include?(message)
+            client.close()
+            client = nil
+          end
+        rescue Errno::ECONNREFUSED
+          client.close()
+          client = nil
+          wlog("Connection failed in udp bind handler continuing attempts: #{$!.class} #{$!}")
+        end
+
+        # Wait a second before trying again
+        Rex::ThreadSafe.sleep(0.5)
+      end
+
+      # Valid client connection?
+      if (client)
+        # Increment the has connection counter
+        self.pending_connections += 1
+
+        # Timeout and datastore options need to be passed through to the client
+        opts = {
+          :datastore    => datastore,
+          :expiration   => datastore['SessionExpirationTimeout'].to_i,
+          :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
+          :retry_total  => datastore['SessionRetryTotal'].to_i,
+          :retry_wait   => datastore['SessionRetryWait'].to_i,
+          :udp_session  => true
+        }
+
+        # Start a new thread and pass the client connection
+        # as the input and output pipe.  Client's are expected
+        # to implement the Stream interface.
+        conn_threads << framework.threads.spawn("BindUdpHandlerSession", false, client) { |client_copy|
+          begin
+            handle_connection(client_copy, opts)
+          rescue
+            elog("Exception raised from BindUdp.handle_connection: #{$!}")
+          end
+        }
+      else
+        wlog("No connection received before the handler completed")
+      end
+    }
+  end
+
+  #
+  # Nothing to speak of.
+  #
+  def stop_handler
+    # Stop the listener threads
+    self.listener_threads.each do |t|
+      t.kill
+    end
+    self.listener_threads = []
+    self.listener_pairs = {}
+  end
+
+protected
+
+  attr_accessor :conn_threads # :nodoc:
+  attr_accessor :listener_threads # :nodoc:
+  attr_accessor :listener_pairs # :nodoc:
+end
+
+end
+end