From 117c2b9298173de83ee5ca1c12e8fab780e12aa6 Mon Sep 17 00:00:00 2001 From: "redwaysecurity.com" Date: Fri, 19 Jul 2024 12:33:13 +0200 Subject: [PATCH 01/10] feat: Allow explicit SSL configuration in start_service method The start_service method now allows users to specify their SSL preferences directly through the opts parameter. If the ssl option is not provided in opts, it will default to the value in datastore['SSL']. This change enhances the flexibility and usability of the start_service method, preventing unintended behavior when users need to control the SSL setting explicitly. Closes #19329 --- lib/msf/core/exploit/remote/http_server.rb | 11 ++++++++--- .../auxiliary/gather/magento_xxe_cve_2024_34102.rb | 9 +++------ 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/lib/msf/core/exploit/remote/http_server.rb b/lib/msf/core/exploit/remote/http_server.rb index 5b771c2b1d37..a62ee6c8cdfc 100644 --- a/lib/msf/core/exploit/remote/http_server.rb +++ b/lib/msf/core/exploit/remote/http_server.rb @@ -116,14 +116,17 @@ def check_dependencies # completely on the datastore. (See dlink_upnp_exec_noauth) def start_service(opts = {}) + # Keep compatibility with modules that don't pass the ssl option to the start server but rely on the datastore instead. + opts['ssl'] = opts['ssl'].nil? ? datastore['SSL'] : opts['ssl'] + check_dependencies # Start a new HTTP server service. self.service = Rex::ServiceManager.start( Rex::Proto::Http::Server, (opts['ServerPort'] || bindport).to_i, - opts['ServerHost'] || bindhost, - datastore['SSL'], # XXX: Should be in opts, need to test this + opts['ServerHost'] || bindhost, + opts['ssl'], { 'Msf' => framework, 'MsfExploit' => self, 
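Review bot: The new first statement of start_service writes the resolved value back into the caller's hash, `opts['ssl'] = opts['ssl'].nil? ? datastore['SSL'] : opts['ssl']`, so a module that reuses the hash it passed (or passes a frozen one) sees it mutated or gets a FrozenError; resolving into a local copy keeps the caller's hash intact and leaves every later `opts['ssl']` read in this hunk and the proto hunk untouched, e.g. `opts = opts.merge('ssl' => datastore['SSL']) if opts['ssl'].nil?`. The key is also the only lower-case entry in an options hash whose other keys are `'ServerPort'`, `'ServerHost'`, `'Uri'` and `'Path'`; if the name is kept for the modules converted later in this series, the comment above it should spell out the contract, e.g. `# Modules that pass no 'ssl' key fall back to datastore['SSL']; an explicit false is honoured, which the old datastore-only read could not express.` The nil/false distinction is the whole point of the change, since the removed `datastore['SSL'], # XXX` argument applied the client-side setting to the listener unconditionally. start_service's body continues past the end of the hunk.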
@@ -149,7 +152,9 @@ def start_service(opts = {}) 'Path' => opts['Path'] || resource_uri }.update(opts['Uri'] || {}) - proto = (datastore["SSL"] ? "https" : "http") + proto = (opts['ssl'] ? "https" : "http") + + puts proto # SSLCompression may or may not actually be available. For example, on # Ubuntu, it's disabled by default, unless the correct environment diff --git a/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb b/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb index c9480526fe33..f30a057404c4 100644 --- a/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb +++ b/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb @@ -154,19 +154,16 @@ def run fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful') end - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end start_service({ 'Uri' => { 'Proc' => proc do |cli, req| on_request_uri(cli, req) end, 'Path' => '/' - } + }, + 'ssl' => false }) - datastore['SSL'] = true if ssl_restore + xxe_request rescue Timeout::Error => e fail_with(Failure::TimeoutExpired, e.message) From dc282f5cc44f49859b89a23100711cd7fc63ed52 Mon Sep 17 00:00:00 2001 From: "redwaysecurity.com" Date: Fri, 19 Jul 2024 12:38:50 +0200 Subject: [PATCH 02/10] Cleanup --- lib/msf/core/exploit/remote/http_server.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/lib/msf/core/exploit/remote/http_server.rb b/lib/msf/core/exploit/remote/http_server.rb index a62ee6c8cdfc..8db884c0a5c7 100644 --- a/lib/msf/core/exploit/remote/http_server.rb +++ b/lib/msf/core/exploit/remote/http_server.rb @@ -154,8 +154,6 @@ def start_service(opts = {}) proto = (opts['ssl'] ? "https" : "http") - puts proto - # SSLCompression may or may not actually be available. For example, on # Ubuntu, it's disabled by default, unless the correct environment # variable is set. See https://github.com/rapid7/metasploit-framework/pull/2666 
From 10e4668e689fd71e1b179c70738cd5cab5bc8bbd Mon Sep 17 00:00:00 2001 From: Heyder Andrade Date: Thu, 25 Jul 2024 19:05:48 +0200 Subject: [PATCH 03/10] Update lib/msf/core/exploit/remote/http_server.rb Co-authored-by: Simon Janusz <85949464+sjanusz-r7@users.noreply.github.com> --- lib/msf/core/exploit/remote/http_server.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/remote/http_server.rb b/lib/msf/core/exploit/remote/http_server.rb index 8db884c0a5c7..50ea6ac3664a 100644 --- a/lib/msf/core/exploit/remote/http_server.rb +++ b/lib/msf/core/exploit/remote/http_server.rb @@ -125,7 +125,7 @@ def start_service(opts = {}) self.service = Rex::ServiceManager.start( Rex::Proto::Http::Server, (opts['ServerPort'] || bindport).to_i, - opts['ServerHost'] || bindhost, + opts['ServerHost'] || bindhost, opts['ssl'], { 'Msf' => framework, From a812617feef38164aca964ed34bbd52dfd9d03d7 Mon Sep 17 00:00:00 2001 
From: "redwaysecurity.com" Date: Fri, 26 Jul 2024 17:30:25 +0200 Subject: [PATCH 04/10] Removed "ssl_restore = true" --- .../linux/http/dlink_diagnostic_exec_noauth.rb | 10 +++------- .../exploits/linux/http/dlink_dir615_up_exec.rb | 10 +++------- .../exploits/linux/http/dlink_hnap_login_bof.rb | 10 +++------- .../linux/http/linksys_e1500_apply_exec.rb | 10 +++------- .../linux/http/linksys_wrt54gl_apply_exec.rb | 10 +++------- .../linux/http/netgear_dgn1000b_setup_exec.rb | 10 +++------- .../linux/http/netgear_dgn2200b_pppoe_exec.rb | 10 +++------- modules/exploits/linux/http/vestacp_exec.rb | 15 ++++----------- .../exploits/linux/smtp/exim4_dovecot_exec.rb | 11 +++-------- .../multi/http/bassmaster_js_injection.rb | 12 ++++-------- .../multi/http/mutiny_subnetmask_exec.rb | 10 +++------- .../http/rails_dynamic_render_code_exec.rb | 12 ++++-------- .../multi/http/struts_default_action_mapper.rb | 17 ++--------------- ...icro_threat_discovery_admin_sys_time_cmdi.rb | 11 +++-------- .../exploits/multi/misc/ibm_tm1_unauth_rce.rb | 11 +++-------- .../multi/sap/sap_mgmt_con_osexec_payload.rb | 10 +++------- .../manageengine_adaudit_plus_cve_2022_28219.rb | 9 ++------- 17 files changed, 52 insertions(+), 136 deletions(-) diff --git a/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb b/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb index 09c6eb47aa79..dcf9edfa5bad 100644 --- a/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb +++ b/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb @@ -122,11 +122,6 @@ def exploit if (datastore['DOWNHOST']) service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri else - #do not use SSL - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end #we use SRVHOST as download IP for the coming wget command. #SRVHOST needs a real IP address of our download host 
@@ -144,9 +139,10 @@ def exploit on_request_uri(cli, req) }, 'Path' => resource_uri - }}) + }, + 'ssl' => false # do not use SSL + }) - datastore['SSL'] = true if ssl_restore end # diff --git a/modules/exploits/linux/http/dlink_dir615_up_exec.rb b/modules/exploits/linux/http/dlink_dir615_up_exec.rb index d1e6db63151f..a9c210a5d7fb 100644 --- a/modules/exploits/linux/http/dlink_dir615_up_exec.rb +++ b/modules/exploits/linux/http/dlink_dir615_up_exec.rb @@ -155,11 +155,6 @@ def exploit if (datastore['DOWNHOST']) service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri else - #do not use SSL - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") srv_host = Rex::Socket.source_address(rhost) @@ -174,9 +169,10 @@ def exploit on_request_uri(cli, req) }, 'Path' => resource_uri - }}) + }, + 'ssl' => false # do not use SSL + }) - datastore['SSL'] = true if ssl_restore end # diff --git a/modules/exploits/linux/http/dlink_hnap_login_bof.rb b/modules/exploits/linux/http/dlink_hnap_login_bof.rb index 81eed0fb1a4c..8cfb46603375 100644 --- a/modules/exploits/linux/http/dlink_hnap_login_bof.rb +++ b/modules/exploits/linux/http/dlink_hnap_login_bof.rb @@ -253,12 +253,6 @@ def exploit @elf_sent = false resource_uri = '/' + downfile - #do not use SSL - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end - if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") srv_host = Rex::Socket.source_address(rhost) else @@ -272,7 +266,9 @@ def exploit on_request_uri(cli, req) }, 'Path' => resource_uri - }}) + }, + 'ssl' => false # do not use SSL + }) datastore['SSL'] = true if ssl_restore print_status("#{peer} - Asking the device to download and execute #{service_url}") 
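Review bot: The inline `# do not use SSL` attached to the new `'ssl' => false` entry only restates the code; the reason is that the URL handed to the target is built with a literal `http://` prefix in several of these modules (visible in this file's DOWNHOST branch, and in bassmaster, mutiny and rails_dynamic_render), so the listener must answer plain HTTP however the user set `SSL`, which after this series governs only the client connection. A why-comment such as `'ssl' => false # target fetches over plain http://, SSL applies to the client side only` carries that, and the same one-word comment recurs in every module touched by this patch (dlink_dir615, dlink_hnap, linksys_e1500, linksys_wrt54gl, netgear_dgn1000b, netgear_dgn2200b, vestacp, exim4_dovecot, bassmaster, mutiny, rails_dynamic_render, struts, trendmicro, ibm_tm1, sap_mgmt_con, manageengine), so the removed per-module explanations (e.g. struts' reference to the datastore issue, vestacp's note that client and server share one SSL variable) are worth folding into it. The enclosing exploit method starts before this hunk.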
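Review bot: In dlink_hnap_login_bof.rb the retained context line `datastore['SSL'] = true if ssl_restore` refers to a local that the first hunk of this file deletes, so at this commit `exploit` would raise NameError there once the service is up (unless a method of that name exists, which nothing here suggests); every other module in the patch removes that line together with the assignment. Patch 07 of this series drops it, so the two should be squashed or reordered to keep this commit bisectable. exploit continues outside the hunk.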
diff --git a/modules/exploits/linux/http/linksys_e1500_apply_exec.rb b/modules/exploits/linux/http/linksys_e1500_apply_exec.rb index b06d83c4edf6..09b00c6c7c01 100644 --- a/modules/exploits/linux/http/linksys_e1500_apply_exec.rb +++ b/modules/exploits/linux/http/linksys_e1500_apply_exec.rb @@ -151,11 +151,6 @@ def exploit if (datastore['DOWNHOST']) service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri else - #do not use SSL - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end #we use SRVHOST as download IP for the coming wget command. #SRVHOST needs a real IP address of our download host @@ -172,9 +167,10 @@ def exploit on_request_uri(cli, req) }, 'Path' => resource_uri - }}) + }, + 'ssl' => false # do not use SSL + }) - datastore['SSL'] = true if ssl_restore end # diff --git a/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb b/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb index 321ac0b77b41..23dd62260c82 100644 --- a/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb +++ b/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb @@ -304,11 +304,6 @@ def exploit if (datastore['DOWNHOST']) service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri else - #do not use SSL - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end #we use SRVHOST as download IP for the coming wget command. #SRVHOST needs a real IP address of our download host @@ -325,9 +320,10 @@ def exploit on_request_uri(cli, req) }, 'Path' => resource_uri - }}) + }, + 'ssl' => false # do not use SSL + }) - datastore['SSL'] = true if ssl_restore end # diff --git a/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb b/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb index f5c8f91650fb..8148b41eacc6 100644 --- a/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb +++ b/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb 
@@ -155,11 +155,6 @@ def exploit if (datastore['DOWNHOST']) service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri else - #do not use SSL - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end #we use SRVHOST as download IP for the coming wget command. #SRVHOST needs a real IP address of our download host @@ -176,9 +171,10 @@ def exploit on_request_uri(cli, req) }, 'Path' => resource_uri - }}) + }, + 'ssl' => false # do not use SSL + }) - datastore['SSL'] = true if ssl_restore end # diff --git a/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb b/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb index fb25a57294a6..c7b3c4887da5 100644 --- a/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb +++ b/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb @@ -270,11 +270,6 @@ def exploit if (datastore['DOWNHOST']) service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri else - #do not use SSL - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end #we use SRVHOST as download IP for the coming wget command. #SRVHOST needs a real IP address of our download host @@ -291,9 +286,10 @@ def exploit on_request_uri(cli, req) }, 'Path' => resource_uri - }}) + }, + 'ssl' => false # do not use SSL + }) - datastore['SSL'] = true if ssl_restore end # diff --git a/modules/exploits/linux/http/vestacp_exec.rb b/modules/exploits/linux/http/vestacp_exec.rb index 64b89b65defc..7bf8b3430cb5 100644 --- a/modules/exploits/linux/http/vestacp_exec.rb +++ b/modules/exploits/linux/http/vestacp_exec.rb 
@@ -252,28 +252,21 @@ def on_request_uri(cli, _request) end def start_http_server - # - # HttpClient and HttpServer use same SSL variable :( - # We don't need SSL for payload delivery so we - # will disable it temporarily. - # - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end + start_service({ 'Uri' => { 'Proc' => proc do |cli, req| on_request_uri(cli, req) end, 'Path' => resource_uri - } + }, + 'ssl' => false # do not use SSL }) print_status("Second payload download URI is #{get_uri}") # We need to use instance variables since get_uri keeps using # the SSL setting from the datastore. # Once the URI is retrieved, we will restore the SSL settings within the datastore. @second_stage_url = get_uri - datastore['SSL'] = true if ssl_restore + end end diff --git a/modules/exploits/linux/smtp/exim4_dovecot_exec.rb b/modules/exploits/linux/smtp/exim4_dovecot_exec.rb index caa972d00e0b..44481fc1baf9 100644 --- a/modules/exploits/linux/smtp/exim4_dovecot_exec.rb +++ b/modules/exploits/linux/smtp/exim4_dovecot_exec.rb @@ -112,12 +112,6 @@ def exploit fail_with(Failure::Unknown, 'The Web Server needs to live on SRVPORT=80') end - #do not use SSL - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end - #we use SRVHOST as download IP for the coming wget command. #SRVHOST needs a real IP address of our download host if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") @@ -134,9 +128,10 @@ def exploit on_request_uri(cli, req) }, 'Path' => resource_uri - }}) + }, + 'ssl' => false # do not use SSL + }) - datastore['SSL'] = true if ssl_restore end diff --git a/modules/exploits/multi/http/bassmaster_js_injection.rb b/modules/exploits/multi/http/bassmaster_js_injection.rb index 2153fee64508..5deadf9eb630 100644 --- a/modules/exploits/multi/http/bassmaster_js_injection.rb +++ b/modules/exploits/multi/http/bassmaster_js_injection.rb 
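Review bot: In vestacp_exec.rb's start_http_server the comment kept above `@second_stage_url = get_uri` still promises that the SSL setting "will be restored within the datastore", but no restore remains, and if get_uri still takes its scheme from `datastore['SSL']` as that comment states, a run with SSL enabled now records an https:// second-stage URL for a listener this hunk starts with `'ssl' => false`, whereas the deleted code had forced `datastore['SSL']` to false before get_uri ran. Either derive the scheme from the value the service was started with (the server now carries it via `opts['ssl']`) or build the URL here with an explicit http scheme, and replace the stale comment with the reason the listener is plain HTTP while the client may use TLS. The method lies entirely within the hunk; patch 07 later only strips the blank lines this hunk leaves.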
@@ -141,12 +141,6 @@ def start_http_server srv_host = datastore['SRVHOST'] end - # do not use SSL for the attacking web server - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end - @service_url = "http:\\x2f\\x2f#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}" service_url_payload = srv_host + resource_uri print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...") @@ -155,8 +149,10 @@ def start_http_server on_request_uri(cli, req) }, 'Path' => resource_uri - }}) - datastore['SSL'] = true if ssl_restore + }, + 'ssl' => false # do not use SSL + }) + connect end diff --git a/modules/exploits/multi/http/mutiny_subnetmask_exec.rb b/modules/exploits/multi/http/mutiny_subnetmask_exec.rb index 9b7d651cbed5..1d8af0537625 100644 --- a/modules/exploits/multi/http/mutiny_subnetmask_exec.rb +++ b/modules/exploits/multi/http/mutiny_subnetmask_exec.rb @@ -113,11 +113,6 @@ def on_new_session(session) def start_web_service print_status("Setting up the Web Service...") - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end - resource_uri = '/' + @elfname + '.elf' service_url = "http://#{lookup_lhost}:#{datastore['SRVPORT']}#{resource_uri}" @@ -127,8 +122,9 @@ def start_web_service on_request_uri(cli, req) }, 'Path' => resource_uri - }}) - datastore['SSL'] = true if ssl_restore + }, + 'ssl' => false # do not use SSL + }) return service_url end diff --git a/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb b/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb index 18ab694ccfc6..7f17ccc32cb3 100644 --- a/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb +++ b/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb 
@@ -162,12 +162,6 @@ def start_http_server srv_host = datastore['SRVHOST'] end - # do not use SSL for the attacking web server - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end - @service_url = "http://#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}" service_url_payload = srv_host + resource_uri print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...") @@ -176,8 +170,10 @@ def start_http_server on_request_uri(cli, req) }, 'Path' => resource_uri - }}) - datastore['SSL'] = true if ssl_restore + }, + 'ssl' => false # do not use SSL + }) + connect end diff --git a/modules/exploits/multi/http/struts_default_action_mapper.rb b/modules/exploits/multi/http/struts_default_action_mapper.rb index e799bd30b6c1..a7cb2ffd4a51 100644 --- a/modules/exploits/multi/http/struts_default_action_mapper.rb +++ b/modules/exploits/multi/http/struts_default_action_mapper.rb @@ -115,14 +115,6 @@ def on_new_session(session) end def start_http_service - # do not use SSL for this part - # XXX: See https://github.com/rapid7/metasploit-framework/issues/3853 - # It must be possible to do this without directly editing the - # datastore. - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") srv_host = Rex::Socket.source_address(rhost) @@ -138,15 +130,10 @@ def start_http_service on_request_uri(cli, req) }, 'Path' => '/' - } + }, + 'ssl' => false # do not use SSL }) - # Restore SSL preference - # XXX: See https://github.com/rapid7/metasploit-framework/issues/3853 - # It must be possible to do this without directly editing the - # datastore. - datastore['SSL'] = true if ssl_restore - return service_url end diff --git a/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb b/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb index f3c8f243871a..0f1d432da5f6 100644 
--- a/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb +++ b/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb @@ -151,12 +151,6 @@ def start_http_server downfile = rand_text_alpha(8+rand(8)) resource_uri = '/' + downfile - # do not use SSL for the attacking web server - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end - if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost) else @@ -172,9 +166,10 @@ def start_http_server on_request_uri(cli, req) }, 'Path' => resource_uri - }}) + }, + 'ssl' => false # do not use SSL + }) - datastore['SSL'] = true if ssl_restore connect end diff --git a/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb b/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb index efe0e11421d6..a56108f4f55a 100644 --- a/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb +++ b/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb @@ -528,12 +528,6 @@ def exploit @pl = generate_payload_exe end - # do not use SSL for the CAM server! - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end - print_status('Starting up the fake CAM server...') start_service( { @@ -542,10 +536,11 @@ def exploit on_request_uri(cli, req) end, 'Path' => '/' - } + }, + 'ssl' => false # do not use SSL } ) - datastore['SSL'] = true if ssl_restore + # Step 4: send the server config update packet, and ignore what it sends back print_status('Changing authentication method to 4 (CAM auth)') diff --git a/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb b/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb index 77b9c4ec6bad..ea0634787de2 100644 --- a/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb +++ b/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb 
@@ -215,11 +215,6 @@ def exploit_linux if (datastore['DOWNHOST']) service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri else - #do not use SSL - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end #we use SRVHOST as download IP for the coming wget command. #SRVHOST needs a real IP address of our download host @@ -236,9 +231,10 @@ def exploit_linux on_request_uri(cli, req) }, 'Path' => resource_uri - }}) + }, + 'ssl' => false # do not use SSL + }) - datastore['SSL'] = true if ssl_restore end # diff --git a/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb b/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb index b30ff0e8935c..30832cc5234a 100644 --- a/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb +++ b/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb @@ -417,11 +417,6 @@ def upload_payload(payload, queue) end def serve_http_file(path, respond_with = '') - # do not use SSL for the attacking web server - if datastore['SSL'] - ssl_restore = true - datastore['SSL'] = false - end start_service({ 'Uri' => { @@ -429,10 +424,10 @@ def serve_http_file(path, respond_with = '') send_response(cli, respond_with) end, 'Path' => path - } + }, + 'ssl' => false # do not use SSL }) - datastore['SSL'] = true if ssl_restore end def create_json_request(xml_payload) From 656c8fd4fb3f9edc2b0e51e94335f9edbbc89b41 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Mon, 26 Aug 2024 22:21:27 +0200 Subject: [PATCH 05/10] Remove some useless code in modules/encoders/php/base64.rb The payload is always quoted since 975de9d4795, so there is no need to care if the first character is alpha or not. This has some chance to make the payload 5 chars smaller, woo! --- modules/encoders/php/base64.rb | 4 ---- 1 file changed, 4 deletions(-) 
diff --git a/modules/encoders/php/base64.rb b/modules/encoders/php/base64.rb index f9cc79f542af..7d9c21abe0a7 100644 --- a/modules/encoders/php/base64.rb +++ b/modules/encoders/php/base64.rb @@ -56,10 +56,6 @@ def encode_block(state, buf) # raw string, so strip it off. b64.gsub!(/[=\n]+/, '') - # The first character must not be a non-alpha character or PHP chokes. - i = 0 - b64[i] = "chr(#{b64[i]})." while (b64[i].chr =~ %r{[0-9/+]}) - # Similarly, when we separate large payloads into chunks to avoid the # 998-byte problem mentioned above, we have to make sure that the first # character of each chunk is an alpha character. This simple algorithm From b1ec86ebc504ce0f45b3eee319c32456ae88a55a Mon Sep 17 00:00:00 2001 From: bcoles Date: Wed, 4 Sep 2024 23:49:33 +1000 Subject: [PATCH 06/10] bypassuac_comhijack: Specify x86/x64 as supported payload architectures --- modules/exploits/windows/local/bypassuac_comhijack.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/exploits/windows/local/bypassuac_comhijack.rb b/modules/exploits/windows/local/bypassuac_comhijack.rb index b0c1e26862cd..4ba360c7d572 100644 --- a/modules/exploits/windows/local/bypassuac_comhijack.rb +++ b/modules/exploits/windows/local/bypassuac_comhijack.rb @@ -43,6 +43,7 @@ def initialize(info = {}) 'OJ Reeves' # MSF module ], 'Platform' => ['win'], + 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => ['meterpreter'], 'Targets' => [ ['Automatic', {}] From 434593dcb463a8e3987176b6346a862ca4e0e368 Mon Sep 17 00:00:00 2001 From: Jack Heysel Date: Thu, 5 Sep 2024 08:49:32 -0700 Subject: [PATCH 07/10] Suggestion and rubocop fixes --- modules/exploits/linux/http/dlink_hnap_login_bof.rb | 1 - modules/exploits/linux/http/vestacp_exec.rb | 2 -- modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb | 1 - .../windows/http/manageengine_adaudit_plus_cve_2022_28219.rb | 4 +--- 4 files changed, 1 insertion(+), 7 deletions(-) 
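Review bot: The context line `# Similarly, when we separate large payloads into chunks to avoid the` now opens by comparison with the paragraph this hunk deletes, so the comment no longer reads on its own; start it as `# When we separate large payloads into chunks to avoid the` and, since the first-character rule is now said to matter only at chunk boundaries, say so there (the commit message's premise that the payload is always quoted rests on a commit not shown here, so that is the place to record it). encode_block continues outside the hunk.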
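Review bot: The added `'Arch' => [ ARCH_X86, ARCH_X64 ],` in bypassuac_comhijack.rb pads the array brackets with spaces while the adjacent `'Platform' => ['win'],` and `'SessionTypes' => ['meterpreter'],` do not; `'Arch' => [ARCH_X86, ARCH_X64],` matches the surrounding style and RuboCop's Layout/SpaceInsideArrayLiteralBrackets default. initialize continues outside the hunk.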
diff --git a/modules/exploits/linux/http/dlink_hnap_login_bof.rb b/modules/exploits/linux/http/dlink_hnap_login_bof.rb index 8cfb46603375..ec6881f134e0 100644 --- a/modules/exploits/linux/http/dlink_hnap_login_bof.rb +++ b/modules/exploits/linux/http/dlink_hnap_login_bof.rb @@ -270,7 +270,6 @@ def exploit 'ssl' => false # do not use SSL }) - datastore['SSL'] = true if ssl_restore print_status("#{peer} - Asking the device to download and execute #{service_url}") filename = rand_text_alpha_lower(rand(8) + 2) diff --git a/modules/exploits/linux/http/vestacp_exec.rb b/modules/exploits/linux/http/vestacp_exec.rb index 7bf8b3430cb5..b65e2bbd73ff 100644 --- a/modules/exploits/linux/http/vestacp_exec.rb +++ b/modules/exploits/linux/http/vestacp_exec.rb @@ -252,7 +252,6 @@ def on_request_uri(cli, _request) end def start_http_server - start_service({ 'Uri' => { 'Proc' => proc do |cli, req| @@ -267,6 +266,5 @@ def start_http_server # the SSL setting from the datastore. # Once the URI is retrieved, we will restore the SSL settings within the datastore. @second_stage_url = get_uri - end end diff --git a/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb b/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb index a56108f4f55a..bb200c4d4448 100644 --- a/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb +++ b/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb @@ -541,7 +541,6 @@ def exploit } ) - # Step 4: send the server config update packet, and ignore what it sends back print_status('Changing authentication method to 4 (CAM auth)') upd_cent = update_auth(4) diff --git a/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb b/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb index 30832cc5234a..f36da810c058 100644 --- a/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb +++ b/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb 
@@ -78,7 +78,7 @@ def initialize(info = {}) end def srv_host - if ((datastore['SRVHOST'] == '0.0.0.0') || (datastore['SRVHOST'] == '::')) + if (datastore['SRVHOST'] == '0.0.0.0') || (datastore['SRVHOST'] == '::') return datastore['URIHOST'] || Rex::Socket.source_address(rhost) end @@ -417,7 +417,6 @@ def upload_payload(payload, queue) end def serve_http_file(path, respond_with = '') - start_service({ 'Uri' => { 'Proc' => proc do |cli, _req| @@ -427,7 +426,6 @@ def serve_http_file(path, respond_with = '') }, 'ssl' => false # do not use SSL }) - end def create_json_request(xml_payload) From 3e82156200b292356eedc99dd76bfdc960af6a6d Mon Sep 17 00:00:00 2001 From: Metasploit Date: Thu, 5 Sep 2024 11:33:13 -0500 Subject: [PATCH 08/10] automatic module_metadata_base.json update --- db/modules_metadata_base.json | 36 +++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json index 93fb6d632b24..07f0b46105c7 100644 --- a/db/modules_metadata_base.json +++ b/db/modules_metadata_base.json @@ -24023,7 +24023,7 @@ "https" ], "targets": null, - "mod_time": "2024-07-18 11:56:22 +0000", + "mod_time": "2024-07-19 12:33:13 +0000", "path": "/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb", "is_install_path": true, "ref_name": "gather/magento_xxe_cve_2024_34102", @@ -71102,7 +71102,7 @@ "CMD", "Linux mipsel Payload" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb", "is_install_path": true, "ref_name": "linux/http/dlink_diagnostic_exec_noauth", @@ -71260,7 +71260,7 @@ "CMD", "Linux mipsel Payload" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/linux/http/dlink_dir615_up_exec.rb", "is_install_path": true, "ref_name": "linux/http/dlink_dir615_up_exec", 
@@ -71746,7 +71746,7 @@ "Dlink DIR-818 / 822 / 823 / 850 [MIPS]", "Dlink DIR-868 (rev. B and C) / 880 / 885 / 890 / 895 [ARM]" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-09-05 08:49:32 +0000", "path": "/modules/exploits/linux/http/dlink_hnap_login_bof.rb", "is_install_path": true, "ref_name": "linux/http/dlink_hnap_login_bof", @@ -75856,7 +75856,7 @@ "CMD", "Linux mipsel Payload" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/linux/http/linksys_e1500_apply_exec.rb", "is_install_path": true, "ref_name": "linux/http/linksys_e1500_apply_exec", @@ -76078,7 +76078,7 @@ "CMD", "Linux mipsel Payload" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb", "is_install_path": true, "ref_name": "linux/http/linksys_wrt54gl_apply_exec", @@ -77676,7 +77676,7 @@ "CMD", "Linux mipsbe Payload" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb", "is_install_path": true, "ref_name": "linux/http/netgear_dgn1000b_setup_exec", @@ -77730,7 +77730,7 @@ "CMD", "Linux mipsbe Payload" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb", "is_install_path": true, "ref_name": "linux/http/netgear_dgn2200b_pppoe_exec", @@ -83221,7 +83221,7 @@ "targets": [ "Automatic" ], - "mod_time": "2022-03-11 12:17:30 +0000", + "mod_time": "2024-09-05 08:49:32 +0000", "path": "/modules/exploits/linux/http/vestacp_exec.rb", "is_install_path": true, "ref_name": "linux/http/vestacp_exec", 
@@ -93255,7 +93255,7 @@ "targets": [ "Linux x86" ], - "mod_time": "2023-01-04 14:45:58 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/linux/smtp/exim4_dovecot_exec.rb", "is_install_path": true, "ref_name": "linux/smtp/exim4_dovecot_exec", @@ -100063,7 +100063,7 @@ "targets": [ "Bassmaster <= 1.5.1" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/multi/http/bassmaster_js_injection.rb", "is_install_path": true, "ref_name": "multi/http/bassmaster_js_injection", @@ -106532,7 +106532,7 @@ "Unix CMD", "Linux Payload" ], - "mod_time": "2022-03-11 12:08:51 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/multi/http/mutiny_subnetmask_exec.rb", "is_install_path": true, "ref_name": "multi/http/mutiny_subnetmask_exec", @@ -109785,7 +109785,7 @@ "targets": [ "Ruby on Rails 4.0.8 July 2, 2014" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb", "is_install_path": true, "ref_name": "multi/http/rails_dynamic_render_code_exec", @@ -111785,7 +111785,7 @@ "Windows", "Linux" ], - "mod_time": "2021-10-06 13:43:31 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/multi/http/struts_default_action_mapper.rb", "is_install_path": true, "ref_name": "multi/http/struts_default_action_mapper", @@ -112868,7 +112868,7 @@ "targets": [ "Trend Micro Threat Discovery Appliance 2.6.1062r1" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb", "is_install_path": true, "ref_name": "multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi", 
@@ -116861,7 +116861,7 @@ "Linux (Command)", "AIX (Command)" ], - "mod_time": "2023-02-08 15:46:07 +0000", + "mod_time": "2024-09-05 08:49:32 +0000", "path": "/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb", "is_install_path": true, "ref_name": "multi/misc/ibm_tm1_unauth_rce", @@ -119290,7 +119290,7 @@ "Linux", "Windows Universal" ], - "mod_time": "2020-10-02 17:38:06 +0000", + "mod_time": "2024-07-26 17:30:25 +0000", "path": "/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb", "is_install_path": true, "ref_name": "multi/sap/sap_mgmt_con_osexec_payload", @@ -166383,7 +166383,7 @@ "targets": [ "Windows Command" ], - "mod_time": "2024-07-24 16:42:43 +0000", + "mod_time": "2024-09-05 08:49:32 +0000", "path": "/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb", "is_install_path": true, "ref_name": "windows/http/manageengine_adaudit_plus_cve_2022_28219", From 1ffb0b16cb40ee9f1dc096f06a4b1d43807b05f8 Mon Sep 17 00:00:00 2001 From: Metasploit Date: Thu, 5 Sep 2024 11:57:37 -0500 Subject: [PATCH 09/10] automatic module_metadata_base.json update --- db/modules_metadata_base.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json index 07f0b46105c7..48cde9f95910 100644 --- a/db/modules_metadata_base.json +++ b/db/modules_metadata_base.json @@ -174068,7 +174068,7 @@ "URL-https://github.com/FuzzySecurity/Defcon25/Defcon25_UAC-0day-All-Day_v1.2.pdf" ], "platform": "Windows", - "arch": "", + "arch": "x86, x64", "rport": null, "autofilter_ports": [ @@ -174079,7 +174079,7 @@ "targets": [ "Automatic" ], - "mod_time": "2023-07-21 15:34:49 +0000", + "mod_time": "2024-09-04 23:49:33 +0000", "path": "/modules/exploits/windows/local/bypassuac_comhijack.rb", "is_install_path": true, "ref_name": "windows/local/bypassuac_comhijack", From fa8c80f43064ac6369e2be759c5df8256a17de8f Mon Sep 17 00:00:00 2001 
From: Metasploit Date: Thu, 5 Sep 2024 13:17:29 -0500 Subject: [PATCH 10/10] automatic module_metadata_base.json update --- db/modules_metadata_base.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json index 48cde9f95910..10a0d26a5f1e 100644 --- a/db/modules_metadata_base.json +++ b/db/modules_metadata_base.json @@ -63691,7 +63691,7 @@ "autofilter_ports": null, "autofilter_services": null, "targets": null, - "mod_time": "2024-08-27 10:27:45 +0000", + "mod_time": "2024-09-05 11:00:56 +0000", "path": "/modules/encoders/php/base64.rb", "is_install_path": true, "ref_name": "php/base64",