AutoSploit = Shodan/Censys/Zoomeye + Metasploit

2018-04-08 07:29:47
Black
pentestit.com

EPSS: 0.955 (High), percentile 99.2%

PenTestIT RSS Feed

I know, I know that you already have read about AutoSploit and used it probably since word got out about this auto exploitation tool some two months ago. However, between then and now, a lot has changed with the tool and this post is about that.

What is AutoSploit?

AutoSploit is an automated mass exploitation tool written in Python that can use the Shodan, Censys or Zoomeye search engines to locate targets. You can choose any one of the three search engines or all of them, and you can also add custom targets manually. The tool then launches relevant Metasploit modules against the discovered targets. Out of the box it ships with about 300 pre-defined Metasploit modules, selected for code execution against different operating systems, web applications, IDS, etc. Whenever you want to add new modules to this list, editing the etc/json/default_modules.json file is enough. The default modules include some really old exploits, such as MS01-023 (CVE-2001-0241) affecting Windows operating systems.

Following is the list of default Metasploit modules that come with AutoSploit:

  • exploit/windows/ftp/ms09_053_ftpd_nlst
  • exploit/windows/firewall/blackice_pam_icq
  • exploit/windows/http/amlibweb_webquerydll_app
  • exploit/windows/http/ektron_xslt_exec_ws
  • exploit/windows/http/umbraco_upload_aspx
  • exploit/windows/iis/iis_webdav_scstoragepathfromurl
  • exploit/windows/iis/iis_webdav_upload_asp
  • exploit/windows/iis/ms01_023_printer
  • exploit/windows/iis/ms01_026_dbldecode
  • exploit/windows/iis/ms01_033_idq
  • exploit/windows/iis/ms02_018_htr
  • exploit/windows/iis/ms02_065_msadc
  • exploit/windows/iis/ms03_007_ntdll_webdav
  • exploit/windows/iis/msadc
  • exploit/windows/isapi/ms00_094_pbserver
  • exploit/windows/isapi/ms03_022_nsiislog_post
  • exploit/windows/isapi/ms03_051_fp30reg_chunked
  • exploit/windows/isapi/rsa_webagent_redirect
  • exploit/windows/isapi/w3who_query
  • exploit/windows/scada/advantech_webaccess_dashboard_file_upload
  • exploit/windows/ssl/ms04_011_pct
  • exploit/freebsd/http/watchguard_cmd_exec
  • exploit/linux/http/alienvault_exec
  • exploit/linux/http/alienvault_sqli_exec
  • exploit/linux/http/astium_sqli_upload
  • exploit/linux/http/centreon_sqli_exec
  • exploit/linux/http/centreon_useralias_exec
  • exploit/linux/http/crypttech_cryptolog_login_exec
  • exploit/linux/http/dolibarr_cmd_exec
  • exploit/linux/http/goautodial_3_rce_command_injection
  • exploit/linux/http/kloxo_sqli
  • exploit/linux/http/nagios_xi_chained_rce
  • exploit/linux/http/netgear_wnr2000_rce
  • exploit/linux/http/pandora_fms_sqli
  • exploit/linux/http/riverbed_netprofiler_netexpress_exe
  • exploit/linux/http/wd_mycloud_multiupload_upload
  • exploit/linux/http/zabbix_sqli
  • exploit/linux/misc/qnap_transcode_server
  • exploit/linux/mysql/mysql_yassl_getname
  • exploit/linux/mysql/mysql_yassl_hello
  • exploit/linux/postgres/postgres_payload
  • exploit/linux/samba/is_known_pipename
  • exploit/multi/browser/java_jre17_driver_manager
  • exploit/multi/http/atutor_sqli
  • exploit/multi/http/dexter_casinoloader_exec
  • exploit/multi/http/drupal_drupageddon
  • exploit/multi/http/manage_engine_dc_pmp_sqli
  • exploit/multi/http/manageengine_search_sqli
  • exploit/multi/http/movabletype_upgrade_exec
  • exploit/multi/http/php_volunteer_upload_exe
  • exploit/multi/http/sonicwall_scrutinizer_methoddetail_sqli
  • exploit/multi/http/splunk_mappy_exec
  • exploit/multi/http/testlink_upload_exec
  • exploit/multi/http/zpanel_information_disclosure_rce
  • exploit/multi/misc/legend_bot_exec
  • exploit/multi/mysql/mysql_udf_payload
  • exploit/multi/postgres/postgres_createlang
  • exploit/solaris/sunrpc/ypupdated_exec
  • exploit/unix/ftp/proftpd_133c_backdoor
  • exploit/unix/http/tnftp_savefile
  • exploit/unix/webapp/joomla_contenthistory_sqli_rce
  • exploit/unix/webapp/kimai_sqli
  • exploit/unix/webapp/openemr_sqli_privesc_upload
  • exploit/unix/webapp/seportal_sqli_exec
  • exploit/unix/webapp/vbulletin_vote_sqli_exec
  • exploit/unix/webapp/vicidial_manager_send_cmd_exec
  • exploit/windows/antivirus/symantec_endpoint_manager_rce
  • exploit/windows/http/apache_mod_rewrite_ldap
  • exploit/windows/http/ca_totaldefense_regeneratereports
  • exploit/windows/http/cyclope_ess_sqli
  • exploit/windows/http/hp_mpa_job_acct
  • exploit/windows/http/solarwinds_storage_manager_sql
  • exploit/windows/http/sonicwall_scrutinizer_sql
  • exploit/windows/misc/altiris_ds_sqli
  • exploit/windows/misc/fb_cnct_group
  • exploit/windows/misc/lianja_db_net
  • exploit/windows/misc/manageengine_eventlog_analyzer_rce
  • exploit/windows/mssql/lyris_listmanager_weak_pass
  • exploit/windows/mssql/ms02_039_slammer
  • exploit/windows/mssql/ms09_004_sp_replwritetovarbin
  • exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli
  • exploit/windows/mssql/mssql_linkcrawler
  • exploit/windows/mssql/mssql_payload
  • exploit/windows/mssql/mssql_payload_sqli
  • exploit/windows/mysql/mysql_mof
  • exploit/windows/mysql/mysql_start_up
  • exploit/windows/mysql/mysql_yassl_hello
  • exploit/windows/mysql/scrutinizer_upload_exec
  • exploit/windows/postgres/postgres_payload
  • exploit/windows/scada/realwin_on_fcs_login
  • exploit/multi/http/rails_actionpack_inline_exec
  • exploit/multi/http/rails_dynamic_render_code_exec
  • exploit/multi/http/rails_json_yaml_code_exec
  • exploit/multi/http/rails_secret_deserialization
  • exploit/multi/http/rails_web_console_v2_code_exec
  • exploit/multi/http/rails_xml_yaml_code_exec
  • exploit/multi/http/rocket_servergraph_file_requestor_rce
  • exploit/multi/http/phpmoadmin_exec
  • exploit/multi/http/phpmyadmin_3522_backdoor
  • exploit/multi/http/phpmyadmin_preg_replace
  • exploit/multi/http/phpscheduleit_start_date
  • exploit/multi/http/phptax_exec
  • exploit/multi/http/phpwiki_ploticus_exec
  • exploit/multi/http/plone_popen2
  • exploit/multi/http/pmwiki_pagelist
  • exploit/multi/http/joomla_http_header_rce
  • exploit/multi/http/novell_servicedesk_rce
  • exploit/multi/http/oracle_reports_rce
  • exploit/multi/http/php_utility_belt_rce
  • exploit/multi/http/phpfilemanager_rce
  • exploit/multi/http/processmaker_exec
  • exploit/multi/http/rocket_servergraph_file_requestor_rce
  • exploit/multi/http/spree_search_exec
  • exploit/multi/http/spree_searchlogic_exec
  • exploit/multi/http/struts_code_exec_parameters
  • exploit/multi/http/vtiger_install_rce
  • exploit/multi/http/werkzeug_debug_rce
  • exploit/multi/http/zemra_panel_rce
  • exploit/multi/http/zpanel_information_disclosure_rce
  • exploit/multi/http/joomla_http_header_rce
  • exploit/unix/webapp/joomla_akeeba_unserialize
  • exploit/unix/webapp/joomla_comjce_imgmanager
  • exploit/unix/webapp/joomla_contenthistory_sqli_rce
  • exploit/unix/webapp/joomla_media_upload_exec
  • exploit/multi/http/builderengine_upload_exec
  • exploit/multi/http/caidao_php_backdoor_exec
  • exploit/multi/http/atutor_sqli
  • exploit/multi/http/ajaxplorer_checkinstall_exec
  • exploit/multi/http/apache_activemq_upload_jsp
  • exploit/unix/webapp/wp_lastpost_exec
  • exploit/unix/webapp/wp_mobile_detector_upload_execute
  • exploit/multi/http/axis2_deployer
  • exploit/unix/webapp/wp_foxypress_upload
  • exploit/linux/http/tr064_ntpserver_cmdinject
  • exploit/linux/misc/quest_pmmasterd_bof
  • exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
  • exploit/unix/webapp/php_xmlrpc_eval
  • exploit/unix/webapp/wp_admin_shell_upload
  • exploit/linux/http/sophos_wpa_sblistpack_exec
  • exploit/linux/local/sophos_wpa_clear_keys
  • exploit/multi/http/zpanel_information_disclosure_rce
  • auxiliary/admin/cisco/cisco_asa_extrabacon
  • auxiliary/admin/cisco/cisco_secure_acs_bypass
  • auxiliary/admin/cisco/vpn_3000_ftp_bypass
  • exploit/bsdi/softcart/mercantec_softcart
  • exploit/freebsd/misc/citrix_netscaler_soap_bof
  • exploit/freebsd/samba/trans2open
  • exploit/linux/ftp/proftp_sreplace
  • exploit/linux/http/dcos_marathon
  • exploit/linux/http/f5_icall_cmd
  • exploit/linux/http/fritzbox_echo_exec
  • exploit/linux/http/gitlist_exec
  • exploit/linux/http/goautodial_3_rce_command_injection
  • exploit/linux/http/ipfire_bashbug_exec
  • exploit/linux/http/ipfire_oinkcode_exec
  • exploit/linux/http/ipfire_proxy_exec
  • exploit/linux/http/kaltura_unserialize_rce
  • exploit/linux/http/lifesize_uvc_ping_rce
  • exploit/linux/http/nagios_xi_chained_rce
  • exploit/linux/http/netgear_dgn1000_setup_unauth_exec
  • exploit/linux/http/netgear_wnr2000_rce
  • exploit/linux/http/nuuo_nvrmini_auth_rce
  • exploit/linux/http/nuuo_nvrmini_unauth_rce
  • exploit/linux/http/op5_config_exec
  • exploit/linux/http/pandora_fms_exec
  • exploit/linux/http/pineapple_preconfig_cmdinject
  • exploit/linux/http/seagate_nas_php_exec_noauth
  • exploit/linux/http/symantec_messaging_gateway_exec
  • exploit/linux/http/trendmicro_imsva_widget_exec
  • exploit/linux/http/trueonline_billion_5200w_rce
  • exploit/linux/http/trueonline_p660hn_v1_rce
  • exploit/linux/http/trueonline_p660hn_v2_rce
  • exploit/linux/http/vcms_upload
  • exploit/linux/misc/lprng_format_string
  • exploit/linux/misc/mongod_native_helper
  • exploit/linux/misc/ueb9_bpserverd
  • exploit/linux/mysql/mysql_yassl_getname
  • exploit/linux/pop3/cyrus_pop3d_popsubfolders
  • exploit/linux/postgres/postgres_payload
  • exploit/linux/pptp/poptop_negative_read
  • exploit/linux/proxy/squid_ntlm_authenticate
  • exploit/linux/samba/lsa_transnames_heap
  • exploit/linux/samba/setinfopolicy_heap
  • exploit/linux/samba/trans2open
  • exploit/multi/elasticsearch/script_mvel_rce
  • exploit/multi/elasticsearch/search_groovy_script
  • exploit/multi/http/atutor_sqli
  • exploit/multi/http/axis2_deployer
  • exploit/multi/http/familycms_less_exe
  • exploit/multi/http/freenas_exec_raw
  • exploit/multi/http/gestioip_exec
  • exploit/multi/http/glassfish_deployer
  • exploit/multi/http/glpi_install_rce
  • exploit/multi/http/joomla_http_header_rce
  • exploit/multi/http/makoserver_cmd_exec
  • exploit/multi/http/novell_servicedesk_rc
  • exploit/multi/http/oracle_reports_rce
  • exploit/multi/http/php_utility_belt_rce
  • exploit/multi/http/phpfilemanager_rce
  • exploit/multi/http/phpmyadmin_3522_backdoor
  • exploit/multi/http/phpwiki_ploticus_exec
  • exploit/multi/http/processmaker_exec
  • exploit/multi/http/rails_actionpack_inline_exec
  • exploit/multi/http/rails_dynamic_render_code_exec
  • exploit/multi/http/rails_secret_deserialization
  • exploit/multi/http/rocket_servergraph_file_requestor_rce
  • exploit/multi/http/simple_backdoors_exec
  • exploit/multi/http/spree_search_exec
  • exploit/multi/http/spree_searchlogic_exec
  • exploit/multi/http/struts2_rest_xstream
  • exploit/multi/http/struts_code_exec
  • exploit/multi/http/struts_code_exec_classloader
  • exploit/multi/http/struts_code_exec_parameters
  • exploit/multi/http/struts_dev_mode
  • exploit/multi/http/sysaid_auth_file_upload
  • exploit/multi/http/tomcat_jsp_upload_bypass
  • exploit/multi/http/vtiger_install_rce
  • exploit/multi/http/werkzeug_debug_rce
  • exploit/multi/http/zemra_panel_rce
  • exploit/multi/http/zpanel_information_disclosure_rce
  • exploit/multi/ids/snort_dce_rpc
  • exploit/multi/misc/batik_svg_java
  • exploit/multi/misc/pbot_exec
  • exploit/multi/misc/veritas_netbackup_cmdexec
  • exploit/multi/mysql/mysql_udf_payload
  • exploit/multi/php/php_unserialize_zval_cookie
  • exploit/unix/http/freepbx_callmenum
  • exploit/unix/http/lifesize_room
  • exploit/unix/http/pfsense_clickjacking
  • exploit/unix/http/pfsense_group_member_exec
  • exploit/unix/http/tnftp_savefile
  • exploit/unix/misc/polycom_hdx_traceroute_exec
  • exploit/unix/webapp/awstats_migrate_exec
  • exploit/unix/webapp/carberp_backdoor_exec
  • exploit/unix/webapp/citrix_access_gateway_exec
  • exploit/unix/webapp/dogfood_spell_exec
  • exploit/unix/webapp/invision_pboard_unserialize_exec
  • exploit/unix/webapp/joomla_contenthistory_sqli_rce
  • exploit/unix/webapp/mybb_backdoor
  • exploit/unix/webapp/opensis_modname_exec
  • exploit/unix/webapp/oscommerce_filemanager
  • exploit/unix/webapp/piwik_superuser_plugin_upload
  • exploit/unix/webapp/tikiwiki_upload_exec
  • exploit/unix/webapp/webtester_exec
  • exploit/unix/webapp/wp_phpmailer_host_header
  • exploit/unix/webapp/wp_total_cache_exec
  • exploit/windows/antivirus/symantec_endpoint_manager_rce
  • exploit/windows/http/ektron_xslt_exec
  • exploit/windows/http/ektron_xslt_exec_ws
  • exploit/windows/http/geutebrueck_gcore_x64_rce_bo
  • exploit/windows/http/hp_autopass_license_traversal
  • exploit/windows/http/manage_engine_opmanager_rce
  • exploit/windows/http/netgear_nms_rce
  • exploit/windows/http/sepm_auth_bypass_rce
  • exploit/windows/http/trendmicro_officescan_widget_exec
  • exploit/windows/iis/iis_webdav_upload_asp
  • exploit/windows/iis/msadc
  • exploit/windows/misc/manageengine_eventlog_analyzer_rce
  • exploit/windows/novell/file_reporter_fsfui_upload
  • exploit/windows/scada/ge_proficy_cimplicity_gefebt
  • exploit/windows/smb/ipass_pipe_exec
  • exploit/windows/smb/smb_relay
  • auxiliary/sqli/oracle/jvm_os_code_10g
  • auxiliary/sqli/oracle/jvm_os_code_11g
  • auxiliary/fuzzers/dns/dns_fuzzer
  • auxiliary/fuzzers/ftp/client_ftp
  • auxiliary/fuzzers/ftp/ftp_pre_post
  • auxiliary/fuzzers/http/http_form_field
  • auxiliary/fuzzers/http/http_get_uri_long
  • auxiliary/fuzzers/http/http_get_uri_strings
  • auxiliary/fuzzers/ntp/ntp_protocol_fuzzer
  • auxiliary/fuzzers/smb/smb2_negotiate_corrupt
  • auxiliary/fuzzers/smb/smb_create_pipe
  • auxiliary/fuzzers/smb/smb_create_pipe_corrupt
  • auxiliary/fuzzers/smb/smb_negotiate_corrupt
  • auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt
  • auxiliary/fuzzers/smb/smb_tree_connect
  • auxiliary/fuzzers/smb/smb_tree_connect_corrupt
  • auxiliary/fuzzers/smtp/smtp_fuzzer
  • auxiliary/fuzzers/ssh/ssh_kexinit_corrupt
  • auxiliary/fuzzers/ssh/ssh_version_15
  • auxiliary/fuzzers/ssh/ssh_version_2
  • auxiliary/fuzzers/ssh/ssh_version_corrupt
  • auxiliary/fuzzers/tds/tds_login_corrupt
  • auxiliary/fuzzers/tds/tds_login_username
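As an added example (my own code, not from the post or the AutoSploit project): a small Python audit of a module list like the one above. It checks each entry against the Metasploit `type/path/name` form, reports entries that are listed more than once (the default list above really does repeat several modules) and counts modules per type. It assumes nothing about the layout of etc/json/default_modules.json; it takes one module name per line, exactly as printed above, and the sample input is constructed from a few of those entries.

```python
import re
from collections import Counter

# Constructed sample: a handful of entries copied from the default module list,
# including two that the list repeats, plus one deliberately malformed line.
SAMPLE_MODULES = """
exploit/windows/iis/ms01_023_printer
exploit/multi/http/zpanel_information_disclosure_rce
exploit/multi/http/rocket_servergraph_file_requestor_rce
exploit/multi/http/zpanel_information_disclosure_rce
auxiliary/admin/cisco/cisco_asa_extrabacon
auxiliary/fuzzers/ssh/ssh_version_2
exploit/multi/http/rocket_servergraph_file_requestor_rce
not/a/valid module
"""

# A Metasploit module reference is its type, then at least two lowercase
# path segments made of letters, digits and underscores (e.g. exploit/multi/handler).
MODULE_RE = re.compile(r"^(exploit|auxiliary|post|payload|encoder|nop)(/[a-z0-9_]+){2,}$")


def parse_module_list(text):
    """One module name per line; blank lines and surrounding whitespace are dropped."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def audit_modules(names):
    """Return (unique_valid_in_order, invalid, duplicates, per_type).

    duplicates maps a module name to how many times it appeared;
    per_type counts unique modules by their leading type segment.
    """
    valid = [n for n in names if MODULE_RE.match(n)]
    invalid = [n for n in names if not MODULE_RE.match(n)]
    counts = Counter(valid)
    duplicates = {n: c for n, c in counts.items() if c > 1}
    unique = list(dict.fromkeys(valid))  # dedupe while keeping first-seen order
    per_type = dict(Counter(n.split("/", 1)[0] for n in unique))
    return unique, invalid, duplicates, per_type


if __name__ == "__main__":
    unique, invalid, duplicates, per_type = audit_modules(parse_module_list(SAMPLE_MODULES))
    print(f"{len(unique)} unique valid modules, by type: {per_type}")
    for name, count in duplicates.items():
        print(f"listed {count}x: {name}")
    for name in invalid:
        print(f"invalid entry: {name!r}")
```

Running it against the full list from this post (saved one name per line) shows which entries are repeated and which ones do not look like module references at all, which is worth doing before editing default_modules.json.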

Installation of the tool is pretty simple and needs nothing extra on Kali Linux; the tool can also be Dockerized. After installation you are asked for your Shodan and Censys API credentials, which are stored in /AutoSploit/etc/tokens/shodan.key and /AutoSploit/etc/tokens/censys.key respectively.

All in all, a good tool if you know what you are doing, as it needs some configuration to actually get a shell. The default module list also won't help much, since the exploits are pretty old; you may end up with some low-hanging fruit eventually, and I do not really understand the brouhaha surrounding the release of this tool by people in the security industry.

Now about the newer features in the latest AutoSploit release. This release has a few bug fixes and three new features. The one I like most is the addition of exploit reporting: Metasploit output is captured and saved to a report file. Additionally, a .rc script file is created for every module run against a given host, allowing you to reproduce whatever caused an exploit to work. Another feature in this release is a command whitelist, which contains the list of allowed commands and blocks everything not included in that list.

Download AutoSploit:

The latest version of this mass exploitation tool was released 4 days ago - AutoSploit v2.1 (AutoSploit-2.1.zip/AutoSploit-2.1.tar.gz), which can be downloaded from here. Another way is to perform a git pull on the directory to get everything from the source repository.

The post AutoSploit = Shodan/Censys/Zoomeye + Metasploit appeared first on PenTestIT.
