Merge remote-tracking branch 'upstream/master'

CERTCC · Sep 5, 2024 · 9d0a77c · 9d0a77c
2 parents 3651344 + fa8c80f
commit 9d0a77c
Show file tree

Hide file tree

Showing 22 changed files with 79 additions and 172 deletions.
diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
@@ -24023,7 +24023,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2024-07-18 11:56:22 +0000",
+    "mod_time": "2024-07-19 12:33:13 +0000",
     "path": "/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb",
     "is_install_path": true,
     "ref_name": "gather/magento_xxe_cve_2024_34102",
@@ -63691,7 +63691,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2024-08-27 10:27:45 +0000",
+    "mod_time": "2024-09-05 11:00:56 +0000",
     "path": "/modules/encoders/php/base64.rb",
     "is_install_path": true,
     "ref_name": "php/base64",
@@ -71102,7 +71102,7 @@
       "CMD",
       "Linux mipsel Payload"
     ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
     "path": "/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb",
     "is_install_path": true,
     "ref_name": "linux/http/dlink_diagnostic_exec_noauth",
@@ -71260,7 +71260,7 @@
       "CMD",
       "Linux mipsel Payload"
     ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
     "path": "/modules/exploits/linux/http/dlink_dir615_up_exec.rb",
     "is_install_path": true,
     "ref_name": "linux/http/dlink_dir615_up_exec",
@@ -71746,7 +71746,7 @@
       "Dlink DIR-818 / 822 / 823 / 850 [MIPS]",
       "Dlink DIR-868 (rev. B and C) / 880 / 885 / 890 / 895 [ARM]"
     ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-09-05 08:49:32 +0000",
     "path": "/modules/exploits/linux/http/dlink_hnap_login_bof.rb",
     "is_install_path": true,
     "ref_name": "linux/http/dlink_hnap_login_bof",
@@ -75856,7 +75856,7 @@
       "CMD",
       "Linux mipsel Payload"
     ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
     "path": "/modules/exploits/linux/http/linksys_e1500_apply_exec.rb",
     "is_install_path": true,
     "ref_name": "linux/http/linksys_e1500_apply_exec",
@@ -76078,7 +76078,7 @@
       "CMD",
       "Linux mipsel Payload"
     ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
     "path": "/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb",
     "is_install_path": true,
     "ref_name": "linux/http/linksys_wrt54gl_apply_exec",
@@ -77676,7 +77676,7 @@
       "CMD",
       "Linux mipsbe Payload"
     ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
     "path": "/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb",
     "is_install_path": true,
     "ref_name": "linux/http/netgear_dgn1000b_setup_exec",
@@ -77730,7 +77730,7 @@
       "CMD",
       "Linux mipsbe Payload"
     ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
     "path": "/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb",
     "is_install_path": true,
     "ref_name": "linux/http/netgear_dgn2200b_pppoe_exec",
@@ -83221,7 +83221,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2022-03-11 12:17:30 +0000",
+    "mod_time": "2024-09-05 08:49:32 +0000",
     "path": "/modules/exploits/linux/http/vestacp_exec.rb",
     "is_install_path": true,
     "ref_name": "linux/http/vestacp_exec",
@@ -93255,7 +93255,7 @@
     "targets": [
       "Linux x86"
     ],
-    "mod_time": "2023-01-04 14:45:58 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
     "path": "/modules/exploits/linux/smtp/exim4_dovecot_exec.rb",
     "is_install_path": true,
     "ref_name": "linux/smtp/exim4_dovecot_exec",
@@ -100063,7 +100063,7 @@
     "targets": [
       "Bassmaster <= 1.5.1"
     ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
     "path": "/modules/exploits/multi/http/bassmaster_js_injection.rb",
     "is_install_path": true,
     "ref_name": "multi/http/bassmaster_js_injection",
@@ -106532,7 +106532,7 @@
       "Unix CMD",
       "Linux Payload"
     ],
-    "mod_time": "2022-03-11 12:08:51 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
     "path": "/modules/exploits/multi/http/mutiny_subnetmask_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/mutiny_subnetmask_exec",
@@ -109785,7 +109785,7 @@
     "targets": [
       "Ruby on Rails 4.0.8 July 2, 2014"
     ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
     "path": "/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/rails_dynamic_render_code_exec",
@@ -111785,7 +111785,7 @@
       "Windows",
       "Linux"
     ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
     "path": "/modules/exploits/multi/http/struts_default_action_mapper.rb",
     "is_install_path": true,
     "ref_name": "multi/http/struts_default_action_mapper",
@@ -112868,7 +112868,7 @@
     "targets": [
       "Trend Micro Threat Discovery Appliance 2.6.1062r1"
     ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
     "path": "/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb",
     "is_install_path": true,
     "ref_name": "multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi",
@@ -116861,7 +116861,7 @@
       "Linux (Command)",
       "AIX (Command)"
     ],
-    "mod_time": "2023-02-08 15:46:07 +0000",
+    "mod_time": "2024-09-05 08:49:32 +0000",
     "path": "/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb",
     "is_install_path": true,
     "ref_name": "multi/misc/ibm_tm1_unauth_rce",
@@ -119290,7 +119290,7 @@
       "Linux",
       "Windows Universal"
     ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
     "path": "/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb",
     "is_install_path": true,
     "ref_name": "multi/sap/sap_mgmt_con_osexec_payload",
@@ -166383,7 +166383,7 @@
     "targets": [
       "Windows Command"
     ],
-    "mod_time": "2024-07-24 16:42:43 +0000",
+    "mod_time": "2024-09-05 08:49:32 +0000",
     "path": "/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb",
     "is_install_path": true,
     "ref_name": "windows/http/manageengine_adaudit_plus_cve_2022_28219",
@@ -174068,7 +174068,7 @@
       "URL-https://github.com/FuzzySecurity/Defcon25/Defcon25_UAC-0day-All-Day_v1.2.pdf"
     ],
     "platform": "Windows",
-    "arch": "",
+    "arch": "x86, x64",
     "rport": null,
     "autofilter_ports": [
 
@@ -174079,7 +174079,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2023-07-21 15:34:49 +0000",
+    "mod_time": "2024-09-04 23:49:33 +0000",
     "path": "/modules/exploits/windows/local/bypassuac_comhijack.rb",
     "is_install_path": true,
     "ref_name": "windows/local/bypassuac_comhijack",

diff --git a/lib/msf/core/exploit/remote/http_server.rb b/lib/msf/core/exploit/remote/http_server.rb
@@ -116,14 +116,17 @@ def check_dependencies
   # completely on the datastore. (See dlink_upnp_exec_noauth)
   def start_service(opts = {})
 
+    # Keep compatibility with modules that don't pass the ssl option to the start server but rely on the datastore instead.
+    opts['ssl'] = opts['ssl'].nil? ? datastore['SSL'] : opts['ssl']
+
     check_dependencies
 
     # Start a new HTTP server service.
     self.service = Rex::ServiceManager.start(
       Rex::Proto::Http::Server,
       (opts['ServerPort'] || bindport).to_i,
       opts['ServerHost'] || bindhost,
-      datastore['SSL'], # XXX: Should be in opts, need to test this
+      opts['ssl'],
       {
         'Msf'        => framework,
         'MsfExploit' => self,
@@ -149,7 +152,7 @@ def start_service(opts = {})
       'Path' => opts['Path'] || resource_uri
     }.update(opts['Uri'] || {})
 
-    proto = (datastore["SSL"] ? "https" : "http")
+    proto = (opts['ssl'] ? "https" : "http")
 
     # SSLCompression may or may not actually be available. For example, on
     # Ubuntu, it's disabled by default, unless the correct environment

diff --git a/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb b/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb
@@ -154,19 +154,16 @@ def run
       fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful')
     end
 
-    if datastore['SSL']
-      ssl_restore = true
-      datastore['SSL'] = false
-    end
     start_service({
       'Uri' => {
         'Proc' => proc do |cli, req|
           on_request_uri(cli, req)
         end,
         'Path' => '/'
-      }
+      },
+      'ssl' => false
     })
-    datastore['SSL'] = true if ssl_restore
+
     xxe_request
   rescue Timeout::Error => e
     fail_with(Failure::TimeoutExpired, e.message)

diff --git a/modules/encoders/php/base64.rb b/modules/encoders/php/base64.rb
@@ -71,10 +71,6 @@ def encode_block(state, buf)
     # raw string, so strip it off.
     b64.gsub!(/[=\n]+/, '')
 
-    # The first character must not be a non-alpha character or PHP chokes.
-    i = 0
-    b64[i] = "chr(#{b64[i]})." while (b64[i].chr =~ %r{[0-9/+]})
-
     # Similarly, when we separate large payloads into chunks to avoid the
     # 998-byte problem mentioned above, we have to make sure that the first
     # character of each chunk is an alpha character.  This simple algorithm

diff --git a/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb b/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb
@@ -122,11 +122,6 @@ def exploit
     if (datastore['DOWNHOST'])
       service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
     else
-      #do not use SSL
-      if datastore['SSL']
-        ssl_restore = true
-        datastore['SSL'] = false
-      end
 
       #we use SRVHOST as download IP for the coming wget command.
       #SRVHOST needs a real IP address of our download host
@@ -144,9 +139,10 @@ def exploit
           on_request_uri(cli, req)
         },
         'Path' => resource_uri
-      }})
+      },
+      'ssl' => false # do not use SSL
+    })
 
-      datastore['SSL'] = true if ssl_restore
     end
 
     #

diff --git a/modules/exploits/linux/http/dlink_dir615_up_exec.rb b/modules/exploits/linux/http/dlink_dir615_up_exec.rb
@@ -155,11 +155,6 @@ def exploit
     if (datastore['DOWNHOST'])
       service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
     else
-      #do not use SSL
-      if datastore['SSL']
-        ssl_restore = true
-        datastore['SSL'] = false
-      end
 
       if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
         srv_host = Rex::Socket.source_address(rhost)
@@ -174,9 +169,10 @@ def exploit
           on_request_uri(cli, req)
         },
         'Path' => resource_uri
-      }})
+      },
+      'ssl' => false # do not use SSL
+      })
 
-      datastore['SSL'] = true if ssl_restore
     end
 
     #

diff --git a/modules/exploits/linux/http/dlink_hnap_login_bof.rb b/modules/exploits/linux/http/dlink_hnap_login_bof.rb
@@ -253,12 +253,6 @@ def exploit
       @elf_sent = false
       resource_uri = '/' + downfile
 
-      #do not use SSL
-      if datastore['SSL']
-        ssl_restore = true
-        datastore['SSL'] = false
-      end
-
       if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
         srv_host = Rex::Socket.source_address(rhost)
       else
@@ -272,9 +266,10 @@ def exploit
           on_request_uri(cli, req)
         },
         'Path' => resource_uri
-      }})
+      },
+      'ssl' => false # do not use SSL
+      })
 
-      datastore['SSL'] = true if ssl_restore
       print_status("#{peer} - Asking the device to download and execute #{service_url}")
 
       filename = rand_text_alpha_lower(rand(8) + 2)

diff --git a/modules/exploits/linux/http/linksys_e1500_apply_exec.rb b/modules/exploits/linux/http/linksys_e1500_apply_exec.rb
@@ -151,11 +151,6 @@ def exploit
     if (datastore['DOWNHOST'])
       service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
     else
-      #do not use SSL
-      if datastore['SSL']
-        ssl_restore = true
-        datastore['SSL'] = false
-      end
 
       #we use SRVHOST as download IP for the coming wget command.
       #SRVHOST needs a real IP address of our download host
@@ -172,9 +167,10 @@ def exploit
           on_request_uri(cli, req)
         },
         'Path' => resource_uri
-      }})
+      },
+      'ssl' => false # do not use SSL
+    })
 
-      datastore['SSL'] = true if ssl_restore
     end
 
     #

diff --git a/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb b/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb
@@ -304,11 +304,6 @@ def exploit
     if (datastore['DOWNHOST'])
       service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
     else
-      #do not use SSL
-      if datastore['SSL']
-        ssl_restore = true
-        datastore['SSL'] = false
-      end
 
       #we use SRVHOST as download IP for the coming wget command.
       #SRVHOST needs a real IP address of our download host
@@ -325,9 +320,10 @@ def exploit
           on_request_uri(cli, req)
         },
         'Path' => resource_uri
-      }})
+      },
+      'ssl' => false # do not use SSL
+    })
 
-      datastore['SSL'] = true if ssl_restore
     end
 
     #