diff --git a/modules/auxiliary/gather/huawei_wifi_info.rb b/modules/auxiliary/gather/huawei_wifi_info.rb index 1f3aa6cddd..705b020fd5 100644 --- a/modules/auxiliary/gather/huawei_wifi_info.rb +++ b/modules/auxiliary/gather/huawei_wifi_info.rb @@ -55,16 +55,16 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => "Huawei Datacard Information Disclosure Vulnerability", 'Description' => %q{ - This module exploits an un-authenticated information disclosure vulnerability in Huawei + This module exploits an unauthenticated information disclosure vulnerability in Huawei SOHO routers. The module will gather information by accessing the /api pages where authentication is not required, allowing configuration changes as well as information - disclosure including any stored SMS. + disclosure, including any stored SMS. }, 'License' => MSF_LICENSE, 'Author' => [ - 'Jimson K James.', - '', # Msf module + 'Jimson K James', + 'Tom James ', # Msf module ], 'References' => [ @@ -82,7 +82,7 @@ class Metasploit3 < Msf::Auxiliary end - #Gather basic router information + # Gather basic router information def run get_router_info print_line('') @@ -168,7 +168,7 @@ class Metasploit3 < Msf::Auxiliary 'uri' => '/api/wlan/basic-settings', }) - #check whether we got any response from server and proceed. + # check whether we got any response from server and proceed. unless is_target?(res) return nil end 
@@ -273,19 +273,19 @@ class Metasploit3 < Msf::Auxiliary end def is_target?(res) - #check whether we got any response from server and proceed. + # check whether we got any response from server and proceed. unless res print_error("#{peer} - Failed to get any response from server") return false end - #Is it a HTTP OK + # Is it a HTTP OK unless res.code == 200 print_error("#{peer} - Did not get HTTP 200, URL was not found") return false end - #Check to verify server reported is a Huawei router + # Check to verify server reported is a Huawei router unless res.headers['Server'].match(/IPWEBS\/1.4.0/i) print_error("#{peer} - Target doesn't seem to be a Huawei router") return false diff --git a/modules/auxiliary/gather/konica_minolta_pwd_extract.rb b/modules/auxiliary/gather/konica_minolta_pwd_extract.rb index c4e2acae33..5782ec8b2f 100644 --- a/modules/auxiliary/gather/konica_minolta_pwd_extract.rb +++ b/modules/auxiliary/gather/konica_minolta_pwd_extract.rb @@ -14,10 +14,11 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, 'Name' => 'Konica Minolta Password Extractor', - 'Description' => %q( - This module will extract FTP and SMB account usernames and passwords - from Konica Minolta mfp devices. Tested models include: C224, C280, - 283, C353, C360, 363, 420, C452,C452, C452, C454e, C554 ), + 'Description' => %q{ + This module will extract FTP and SMB account usernames and passwords + from Konica Minolta multifunction printer (MFP) devices. Tested models + include: C224, C280, 283, C353, C360, 363, 420, C452,C452, C452, C454e, C554 + }, 'Author' => [ 'Deral "Percentx" Heiland', diff --git a/modules/auxiliary/gather/mcafee_epo_xxe.rb b/modules/auxiliary/gather/mcafee_epo_xxe.rb index ac29c62020..4d3803f39a 100644 --- a/modules/auxiliary/gather/mcafee_epo_xxe.rb +++ b/modules/auxiliary/gather/mcafee_epo_xxe.rb 
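Review bot: The third check in `is_target?` still calls `.match` directly on `res.headers['Server']`, so a response with no Server header (which is plausible for a non-Huawei host this scanner is meant to reject) presumably yields nil there and raises NoMethodError instead of printing the "doesn't seem to be a Huawei router" error and returning false; only the comment on that line was touched by the commit. Coercing first keeps the method's false-return contract intact: `unless res.headers['Server'].to_s =~ /IPWEBS\/1\.4\.0/i`, which also escapes the version dots so the pattern no longer matches any character in those positions. The same comment-only treatment in the other two huawei hunks is fine as is. The body of `is_target?` continues past the end of this hunk.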
@@ -18,15 +18,15 @@ class Metasploit3 < Msf::Auxiliary off of the filesystem. This properties file contains an encrypted password that is set during installation. What is interesting about this password is that it is set as the same password as the database 'sa' user and of the admin user created during installation. This password - is encrypted with a static key, and is encrypted using a weak cipher at that (ECB). By default, - if installed with a local SQL Server instance, the SQL server is listening on all interfaces. + is encrypted with a static key, and is encrypted using a weak cipher (ECB). By default, + if installed with a local SQL Server instance, the SQL Server is listening on all interfaces. Recovering this password allows an attacker to potentially authenticate as the 'sa' SQL Server user in order to achieve remote command execution with permissions of the database process. If - the administrator has no changed the password for the initially created account since installation, - the attacker also now has the password for this account. By default, 'admin' is recommended. + the administrator has not changed the password for the initially created account since installation, + the attacker will have the password for this account. By default, 'admin' is recommended. - Any user account can be used to exploit this, all that is needed is a pair of credentials. + Any user account can be used to exploit this, all that is needed is a valid credential. The most data that can be successfully retrieved is 255 characters due to length restrictions on the field used to perform the XXE attack. diff --git a/modules/auxiliary/scanner/http/allegro_rompager_misfortune_cookie.rb b/modules/auxiliary/scanner/http/allegro_rompager_misfortune_cookie.rb index 9b8200b645..1b83069f43 100644 --- a/modules/auxiliary/scanner/http/allegro_rompager_misfortune_cookie.rb +++ b/modules/auxiliary/scanner/http/allegro_rompager_misfortune_cookie.rb 
@@ -19,7 +19,7 @@ class Metasploit4 < Msf::Auxiliary 'Misfortune Cookie' vulnerability which affects Allegro Software Rompager versions before 4.34 and can allow attackers to authenticate to the HTTP service as an administrator without providing valid - credentials, however more specifics are not yet known. + credentials. ), 'Author' => [ 'Jon Hart ', # metasploit module diff --git a/modules/auxiliary/voip/cisco_cucdm_call_forward.rb b/modules/auxiliary/voip/cisco_cucdm_call_forward.rb index 584e4c26aa..b3de7313ce 100644 --- a/modules/auxiliary/voip/cisco_cucdm_call_forward.rb +++ b/modules/auxiliary/voip/cisco_cucdm_call_forward.rb @@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary 'Description' => %q{ The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM) 10 does not properly implement access control, which allows remote attackers to - modify user information. This module exploits the vulnerability for configure unauthorized + modify user information. This module exploits the vulnerability to configure unauthorized call forwarding. }, 'Author' => 'fozavci', diff --git a/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb b/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb index a3995a1992..ae40518cd1 100644 --- a/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb +++ b/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb @@ -17,7 +17,7 @@ class Metasploit3 < Msf::Auxiliary The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM), before version 10, doesn't implement access control properly, which allows remote attackers to modify user information. This module exploits the vulnerability to make - unauthorized speeddial manipulations. + unauthorized speeddial entity manipulations. }, 'Author' => 'fozavci', 'References' => diff --git a/modules/exploits/linux/local/desktop_privilege_escalation.rb b/modules/exploits/linux/local/desktop_privilege_escalation.rb index b1e25fb160..356a82aa50 100644 
--- a/modules/exploits/linux/local/desktop_privilege_escalation.rb +++ b/modules/exploits/linux/local/desktop_privilege_escalation.rb @@ -20,11 +20,11 @@ class Metasploit4 < Msf::Exploit::Local 'Description' => %q{ This module steals the user password of an administrative user on a desktop Linux system when it is entered for unlocking the screen or for doing administrative actions using - policykit. Then it escalates to root privileges using sudo and the stolen user password. + PolicyKit. Then, it escalates to root privileges using sudo and the stolen user password. It exploits the design weakness that there is no trusted channel for transferring the password from the keyboard to the actual password verificatition against the shadow file (which is running as root since /etc/shadow is only readable to the root user). Both - screensavers (xscreensaver/gnome-screensaver) and policykit use a component running under + screensavers (xscreensaver/gnome-screensaver) and PolicyKit use a component running under the current user account to query for the password and then pass it to a setuid-root binary to do the password verification. Therefore, it is possible to inject a password stealer after compromising the user account. Since sudo requires only the user password (and not diff --git a/modules/exploits/multi/http/manageengine_auth_upload.rb b/modules/exploits/multi/http/manageengine_auth_upload.rb index 28644007ab..5280c8f0a3 100644 --- a/modules/exploits/multi/http/manageengine_auth_upload.rb +++ b/modules/exploits/multi/http/manageengine_auth_upload.rb 
@@ -17,10 +17,10 @@ class Metasploit3 < Msf::Exploit::Remote This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk, AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that accepts the upload does not handle correctly '../' sequences, which can be abused to write - in the file system. Authentication is needed to exploit this vulnerability, but this module + to the file system. Authentication is needed to exploit this vulnerability, but this module will attempt to login using the default credentials for the administrator and guest - accounts. Alternatively you can provide a pre-authenticated cookie or a username / password - combo. For IT360 targets enter the RPORT of the ServiceDesk instance (usually 8400). All + accounts. Alternatively, you can provide a pre-authenticated cookie or a username / password. + For IT360 targets, enter the RPORT of the ServiceDesk instance (usually 8400). All versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer, SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has been diff --git a/modules/exploits/multi/http/pandora_upload_exec.rb b/modules/exploits/multi/http/pandora_upload_exec.rb index e9266dd061..9442b80aa6 100644 --- a/modules/exploits/multi/http/pandora_upload_exec.rb +++ b/modules/exploits/multi/http/pandora_upload_exec.rb 
@@ -13,9 +13,9 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info={}) super(update_info(info, - 'Name' => "Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability", + 'Name' => "Pandora FMS v3.1 Auth Bypass and Arbitrary File Upload Vulnerability", 'Description' => %q{ - This module exploits an authentication bypass vulnerability in Pandora v3.1 as + This module exploits an authentication bypass vulnerability in Pandora FMS v3.1 as disclosed by Juan Galiana Lara. It also integrates with the built-in pandora upload which allows a user to upload arbitrary files to the '/images/' directory. diff --git a/modules/exploits/unix/webapp/wp_symposium_shell_upload.rb b/modules/exploits/unix/webapp/wp_symposium_shell_upload.rb index ea3c2a852e..146e9eee1f 100644 --- a/modules/exploits/unix/webapp/wp_symposium_shell_upload.rb +++ b/modules/exploits/unix/webapp/wp_symposium_shell_upload.rb 
@@ -15,17 +15,15 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info( info, 'Name' => 'WordPress WP Symposium 14.11 Shell Upload', - 'Description' => %q{WP Symposium Plugin for WordPress contains a - flaw that allows a remote attacker to execute - arbitrary PHP code. This flaw exists because the - /wp-symposium/server/file_upload_form.php script - does not properly verify or sanitize - user-uploaded files. By uploading a .php file, - the remote system will place the file in a - user-accessible path. Making a direct request to - the uploaded file will allow the attacker to - execute the script with the privileges of the - web server.}, + 'Description' => %q{ + WP Symposium Plugin for WordPress contains a flaw that allows a remote attacker + to execute arbitrary PHP code. This flaw exists because the + /wp-symposium/server/file_upload_form.php script does not properly verify or + sanitize user-uploaded files. By uploading a .php file, the remote system will + place the file in a user-accessible path. Making a direct request to the + uploaded file will allow the attacker to execute the script with the privileges + of the web server. + }, 'License' => MSF_LICENSE, 'Author' => [ diff --git a/modules/exploits/windows/browser/getgodm_http_response_bof.rb b/modules/exploits/windows/browser/getgodm_http_response_bof.rb index 3398e397c6..89655a35c9 100644 --- a/modules/exploits/windows/browser/getgodm_http_response_bof.rb +++ b/modules/exploits/windows/browser/getgodm_http_response_bof.rb @@ -18,6 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote This module exploits a stack-based buffer overflow vulnerability in GetGo Download Manager version 4.9.0.1982 and earlier, caused by an overly long HTTP response header. + By persuading the victim to download a file from a malicious server, a remote attacker could execute arbitrary code on the system or cause the application to crash. This module has been tested successfully on 
diff --git a/modules/exploits/windows/fileformat/bpftp_client_bps_bof.rb b/modules/exploits/windows/fileformat/bpftp_client_bps_bof.rb index 7f7b6d6322..ca3e15e01a 100644 --- a/modules/exploits/windows/fileformat/bpftp_client_bps_bof.rb +++ b/modules/exploits/windows/fileformat/bpftp_client_bps_bof.rb @@ -18,6 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Description' => %q{ This module exploits a stack-based buffer overflow vulnerability in BulletProof FTP Client 2010, caused by an overly long hostname. + By persuading the victim to open a specially-crafted .BPS file, a remote attacker could execute arbitrary code on the system or cause the application to crash. This module has been tested successfully on diff --git a/modules/exploits/windows/fileformat/iftp_schedule_bof.rb b/modules/exploits/windows/fileformat/iftp_schedule_bof.rb index ecfb7bed8b..197a28bafe 100644 --- a/modules/exploits/windows/fileformat/iftp_schedule_bof.rb +++ b/modules/exploits/windows/fileformat/iftp_schedule_bof.rb @@ -19,6 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Description' => %q{ This module exploits a stack-based buffer overflow vulnerability in i-Ftp v2.20, caused by a long time value set for scheduled download. + By persuading the victim to place a specially-crafted Schedule.xml file in the i-FTP folder, a remote attacker could execute arbitrary code on the system or cause the application to crash. This module has been diff --git a/modules/exploits/windows/http/lexmark_markvision_gfd_upload.rb b/modules/exploits/windows/http/lexmark_markvision_gfd_upload.rb index dbddf31243..44441df158 100644 --- a/modules/exploits/windows/http/lexmark_markvision_gfd_upload.rb +++ b/modules/exploits/windows/http/lexmark_markvision_gfd_upload.rb 
@@ -15,8 +15,8 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Lexmark MarkVision Enterprise Arbitrary File Upload', 'Description' => %q{ - This module exploits a code execution flaw in Lexmark MarkVision Enterprise before 2.1. - A directory traversal in the GfdFileUploadServlet servlet allows an unauthenticated + This module exploits a code execution flaw in Lexmark MarkVision Enterprise before version 2.1. + A directory traversal vulnerability in the GfdFileUploadServlet servlet allows an unauthenticated attacker to upload arbitrary files, including arbitrary JSP code. This module has been tested successfully on Lexmark MarkVision Enterprise 2.0 with Windows 2003 SP2. }, diff --git a/modules/exploits/windows/mysql/mysql_start_up.rb b/modules/exploits/windows/mysql/mysql_start_up.rb index 69595f0236..e3f111db6c 100644 --- a/modules/exploits/windows/mysql/mysql_start_up.rb +++ b/modules/exploits/windows/mysql/mysql_start_up.rb @@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote specifically against Windows MySQL servers. This module abuses the FILE privilege to write a payload to Microsoft's All Users Start Up directory which will execute every time a user logs in. The default All Users Start - Up directory used by the module is Windows 7 friendly. + Up directory used by the module is present on Windows 7. }, 'Author' => [ diff --git a/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb b/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb index 1e536682c9..c66ff8a1a6 100644 --- a/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb +++ b/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb 
@@ -24,7 +24,7 @@ module Metasploit3 'Description' => 'Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method (you can spoof it with tools like hping). After that you could get your - shellcode from any IP. The socket will appear as "closed" helping us to + shellcode from any IP. The socket will appear as "closed," thus helping to hide the shellcode', 'Author' => [ diff --git a/modules/payloads/stagers/windows/bind_hidden_tcp.rb b/modules/payloads/stagers/windows/bind_hidden_tcp.rb index 2b44daaaf5..267cccfc50 100644 --- a/modules/payloads/stagers/windows/bind_hidden_tcp.rb +++ b/modules/payloads/stagers/windows/bind_hidden_tcp.rb @@ -21,7 +21,7 @@ module Metasploit3 def initialize(info = {}) super(merge_info(info, 'Name' => 'Hidden Bind TCP Stager', - 'Description' => 'Listen for a connection from a hidden port and spawn a command shell to the allowed host', + 'Description' => 'Listen for a connection from a hidden port and spawn a command shell to the allowed host.', 'Author' => [ 'hdm', # original payload module (stager bind_tcp)