Merge pull request #458 from m-1-k-3/exploit_updates

Update the known exploit behaviour
e-m-b-a · Jan 23, 2023 · 0e50d7f · 0e50d7f
2 parents 42da707 + 5da0b9f
commit 0e50d7f
Show file tree

Hide file tree

Showing 26 changed files with 93,130 additions and 9,412 deletions.
diff --git a/.gitignore b/.gitignore
@@ -7,5 +7,5 @@ tools/
 !external/.keep
 config/vt_api_key.txt
 config/emba_updater
-config/trickest_cve-db.txt
+config/emba_updater_data
 config/module_blacklist.txt
diff --git a/README.md b/README.md
@@ -72,4 +72,5 @@ We welcome [pull requests](https://github.com/e-m-b-a/emba/pulls) and [issues](h
 
 ## Team
 
-[The EMBA Team](https://github.com/orgs/e-m-b-a/people)
+[The core EMBA Team](https://github.com/orgs/e-m-b-a/people)
+[Contributors](https://github.com/e-m-b-a/emba/blob/master/CONTRIBUTORS.md)
diff --git a/config/PS_PoC_results.csv b/config/PS_PoC_results.csv
diff --git a/config/Snyk_PoC_results.csv b/config/Snyk_PoC_results.csv
diff --git a/config/bin_version_strings.cfg b/config/bin_version_strings.cfg
@@ -392,6 +392,7 @@ memtester;;gpl;"memtester\ version\ [0-4](\.[0-9]+)+?\ ";"sed -r 's/memtester\ v
 memtester;;proprietary;"memtester\ version\ [5-9](\.[0-9]+)+?\ ";"sed -r 's/memtester\ version\ ([5-9](\.[0-9]+)+?)\ /memtester:\1/'";
 midnight_commander;;gplv3;"GNU\ Midnight\ Commander\ [0-9](\.[0-9]+)+?";"sed -r 's/GNU\ Midnight\ Commander\ ([0-9](\.[0-9]+)+?)/gnu:midnight_commander:\1/'";
 mii-tool;;gplv2;"mii-tool\.c\ [0-9]\.[0-9]+\ .*\ \(David\ Hinds\)";"sed -r 's/mii-tool\.c\ ([0-9](\.[0-9]+)+?)\ .*/net-tools:mii-tool:\1/'";
+mikrotik-routeros;;;"MikroTik\ routerOS\ V[0-9]\.[0-9]+\ \(c\) [0-9]+-[0-9].*";"sed -r 's/.*MikroTik\ routerOS\ V([0-9]\.[0-9]+)\ .*/mikrotik:routeros:\1/'";
 minicom;;gplv2;"minicom\ version\ [0-9](\.[0-9]+)+?";"sed -r 's/minicom\ version\ ([0-9](\.[0-9]+)+?)$/minicom:\1/'";
 minidlna;strict;gplv2;"^Version\ [0-9](\.[0-9]+)+?$";"sed -r 's/Version\ ([0-9](\.[0-9]+)+?)$/minidlna:\1/'";
 minidlna;strict;gplv2;"Version\ [0-9]\.[0-9]+\.[0-9]+";"sed -r 's/Version\ ([0-9](\.[0-9]+)+?).*/minidlna:\1/'";

diff --git a/config/distri_id.cfg b/config/distri_id.cfg
@@ -18,3 +18,4 @@ D-Link;/image_sign;grep -a -o -E ".*_d.*_.*";sort -u | cut -d_ -f3 | sed -r 's/(
 VERSION.LTM;/VERSION.LTM;grep -a -o -E -e "^Product:.*" -a -o -E -e "^Version:.*";sort -u | tr -d '\n' | sed 's/Product: BIG-IP/BIG-IP LTM/g' | sed 's/Version://g' | sed 's/^\ //'
 # F5 BigIP - application security manager
 VERSION.ASM;/VERSION.ASM;grep -a -o -E -e "^Product:.*" -a -o -E -e "^Version:.*";sort -u | tr -d '\n' | sed 's/Product: BIG-IP/BIG-IP ASM/g' | sed 's/Version://g' | sed 's/^\ //'
+Mikrotik-router;/nova/lib/console/logo.txt;grep -a -o -E -e "MikroTik\ routerOS\ V[0-9]\.[0-9]+\ \(c\) [0-9]+-[0-9].*";sed -r 's/.*MikroTik\ routerOS\ V([0-9]\.[0-9]+)\ .*/MikroTik\ routerOS\ V\1/'
diff --git a/config/emba_updater.init b/config/emba_updater.init
@@ -6,7 +6,6 @@ BASE_PATH="$(pwd)"
 LOG_DIR="/var/log"
 
 [ -d EMBA_INSTALL_PATH ] || exit 0
-[ -d EMBA_INSTALL_PATH/external/trickest-cve ] || exit 0
 [ -x EMBA_INSTALL_PATH/external/cve-search/sbin/db_updater.py ] || exit 0
 [ -x /etc/init.d/redis-server ] || exit 0
 [ -d "$LOG_DIR" ] || exit 0
@@ -27,10 +26,5 @@ service mongod start | tee -a "$LOG_DIR"/emba_update.log
 
 EMBA_INSTALL_PATH/external/cve-search/sbin/db_updater.py -v | tee -a "$LOG_DIR"/emba_update.log
 
-echo "[*] EMBA update - update local trickest database" | tee -a "$LOG_DIR"/emba_update.log
-cd EMBA_INSTALL_PATH/external/trickest-cve || exit
-git pull | tee -a "$LOG_DIR"/emba_update.log
-cd "$BASE_PATH" || exit
-
 echo "[*] EMBA update - update local docker image" | tee -a "$LOG_DIR"/emba_update.log
 docker pull embeddedanalyzer/emba | tee -a "$LOG_DIR"/emba_update.log
diff --git a/config/emba_updater_data.init b/config/emba_updater_data.init
@@ -0,0 +1,34 @@
+#!/bin/sh
+# /etc/cron.weekly/emba_updater_data: Weekly EMBA exploit databases update script
+# Written by Michael Messner for EMBA https://github.com/e-m-b-a/emba
+
+BASE_PATH="$(pwd)"
+LOG_DIR="/var/log"
+LOG_FILE="emba_update_data.log"
+
+[ -d EMBA_INSTALL_PATH ] || exit 0
+[ -d EMBA_INSTALL_PATH/helpers/ ] || exit 0
+[ -d "$LOG_DIR" ] || exit 0
+
+cd EMBA_INSTALL_PATH || exit
+
+echo -e "\n[*] Starttime: $(date)" | tee -a "$LOG_DIR"/"$LOG_FILE"
+echo -e "[*] EMBA data update - Metasploit framework module database" | tee -a "$LOG_DIR"/"$LOG_FILE"
+./helpers/metasploit_db_update.sh | tee -a "$LOG_DIR"/"$LOG_FILE"
+
+echo -e "\n[*] EMBA update - Known exploited database" | tee -a "$LOG_DIR"/"$LOG_FILE"
+./helpers/known_exploited_vulns_update.sh | tee -a "$LOG_DIR"/"$LOG_FILE"
+
+echo -e "\n[*] EMBA update - trickest database" | tee -a "$LOG_DIR"/"$LOG_FILE"
+./helpers/trickest_db_update.sh | tee -a "$LOG_DIR"/"$LOG_FILE"
+
+echo -e "\n[*] EMBA update - packetstorm database" | tee -a "$LOG_DIR"/"$LOG_FILE"
+./helpers/packet_storm_crawler.sh | tee -a "$LOG_DIR"/"$LOG_FILE"
+
+echo -e "\n[*] EMBA update - snyk database" | tee -a "$LOG_DIR"/"$LOG_FILE"
+./helpers/snyk_crawler.sh | tee -a "$LOG_DIR"/"$LOG_FILE"
+
+cd "$BASE_PATH" || exit
+
+echo -e "\n[*] Endtime: $(date)" | tee -a "$LOG_DIR"/"$LOG_FILE"
+echo -e "[*] EMBA data update - finished" | tee -a "$LOG_DIR"/"$LOG_FILE"
diff --git a/config/known_exploited_vulnerabilities.csv b/config/known_exploited_vulnerabilities.csv
diff --git a/config/msf_cve-db.txt b/config/msf_cve-db.txt
@@ -274,6 +274,7 @@
 /usr/share/metasploit-framework/modules/auxiliary/gather/vbulletin_getindexablecontent_sqli.rb:CVE-2020-12720
 /usr/share/metasploit-framework/modules/auxiliary/gather/vbulletin_vote_sqli.rb:CVE-2013-3522
 /usr/share/metasploit-framework/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb:CVE-2020-3952
+/usr/share/metasploit-framework/modules/auxiliary/gather/wp_bookingpress_category_services_sqli.rb:CVE-2022-0739
 /usr/share/metasploit-framework/modules/auxiliary/gather/xymon_info.rb:CVE-2016-2055
 /usr/share/metasploit-framework/modules/auxiliary/gather/zabbix_toggleids_sqli.rb:CVE-2016-10134
 /usr/share/metasploit-framework/modules/auxiliary/pdf/foxit/authbypass.rb:CVE-2009-0836
@@ -402,10 +403,10 @@
 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb:CVE-2013-3619
 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/springcloud_directory_traversal.rb:CVE-2020-5410
 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/springcloud_traversal.rb:CVE-2019-3799
-/usr/share/metasploit-framework/modules/auxiliary/scanner/http/ssl_version.rb:CVE-2014-3566
 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/support_center_plus_directory_traversal.rb:CVE-2014-100002
 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/sybase_easerver_traversal.rb:CVE-2011-2474
 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb:CVE-2012-4347
+/usr/share/metasploit-framework/modules/auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536.rb:CVE-2022-36536
 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/synology_forget_passwd_user_enum.rb:CVE-2017-9554
 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/thinvnc_traversal.rb:CVE-2019-17662
 /usr/share/metasploit-framework/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb:CVE-2013-1625
@@ -516,6 +517,12 @@
 /usr/share/metasploit-framework/modules/auxiliary/scanner/ssh/ssh_login.rb:CVE-1999-0502
 /usr/share/metasploit-framework/modules/auxiliary/scanner/ssl/openssl_ccs.rb:CVE-2014-0224
 /usr/share/metasploit-framework/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb:CVE-2014-0160
+/usr/share/metasploit-framework/modules/auxiliary/scanner/ssl/ssl_version.rb:CVE-2011-3389
+/usr/share/metasploit-framework/modules/auxiliary/scanner/ssl/ssl_version.rb:CVE-2013-2566
+/usr/share/metasploit-framework/modules/auxiliary/scanner/ssl/ssl_version.rb:CVE-2014-3566
+/usr/share/metasploit-framework/modules/auxiliary/scanner/ssl/ssl_version.rb:CVE-2015-4000
+/usr/share/metasploit-framework/modules/auxiliary/scanner/ssl/ssl_version.rb:CVE-2016-0800
+/usr/share/metasploit-framework/modules/auxiliary/scanner/ssl/ssl_version.rb:CVE-2022-3358
 /usr/share/metasploit-framework/modules/auxiliary/scanner/telnet/brocade_enable_login.rb:CVE-1999-0502
 /usr/share/metasploit-framework/modules/auxiliary/scanner/telnet/satel_cmd_exec.rb:CVE-2017-6048
 /usr/share/metasploit-framework/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb:CVE-2011-4862
@@ -678,6 +685,8 @@
 /usr/share/metasploit-framework/modules/exploits/linux/http/f5_icontrol_exec.rb:CVE-2014-2928
 /usr/share/metasploit-framework/modules/exploits/linux/http/f5_icontrol_rce.rb:CVE-2022-1388
 /usr/share/metasploit-framework/modules/exploits/linux/http/f5_icontrol_rest_ssrf_rce.rb:CVE-2021-22986
+/usr/share/metasploit-framework/modules/exploits/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800.rb:CVE-2022-41800
+/usr/share/metasploit-framework/modules/exploits/linux/http/f5_icontrol_soap_csrf_rce_cve_2022_41622.rb:CVE-2022-41622
 /usr/share/metasploit-framework/modules/exploits/linux/http/flir_ax8_unauth_rce_cve_2022_37061.rb:CVE-2022-37061
 /usr/share/metasploit-framework/modules/exploits/linux/http/foreman_openstack_satellite_code_exec.rb:CVE-2013-2121
 /usr/share/metasploit-framework/modules/exploits/linux/http/fortinet_authentication_bypass_cve_2022_40684.rb:CVE-2022-40684
@@ -753,6 +762,7 @@
 /usr/share/metasploit-framework/modules/exploits/linux/http/nginx_chunked_size.rb:CVE-2013-2028
 /usr/share/metasploit-framework/modules/exploits/linux/http/nuuo_nvrmini_auth_rce.rb:CVE-2016-5675
 /usr/share/metasploit-framework/modules/exploits/linux/http/nuuo_nvrmini_unauth_rce.rb:CVE-2016-5674
+/usr/share/metasploit-framework/modules/exploits/linux/http/opentsdb_yrange_cmd_injection.rb:CVE-2020-35476
 /usr/share/metasploit-framework/modules/exploits/linux/http/pandora_fms_events_exec.rb:CVE-2020-13851
 /usr/share/metasploit-framework/modules/exploits/linux/http/panos_op_cmd_exec.rb:CVE-2020-2038
 /usr/share/metasploit-framework/modules/exploits/linux/http/panos_readsessionvars.rb:CVE-2017-15944
@@ -823,6 +833,7 @@
 /usr/share/metasploit-framework/modules/exploits/linux/http/vap2500_tools_command_exec.rb:CVE-2014-8424
 /usr/share/metasploit-framework/modules/exploits/linux/http/vcms_upload.rb:CVE-2011-4828
 /usr/share/metasploit-framework/modules/exploits/linux/http/vestacp_exec.rb:CVE-2020-10808
+/usr/share/metasploit-framework/modules/exploits/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144.rb:CVE-2021-39144
 /usr/share/metasploit-framework/modules/exploits/linux/http/vmware_vcenter_analytics_file_upload.rb:CVE-2021-22005
 /usr/share/metasploit-framework/modules/exploits/linux/http/vmware_vcenter_vsan_health_rce.rb:CVE-2021-21985
 /usr/share/metasploit-framework/modules/exploits/linux/http/vmware_view_planner_4_6_uploadlog_rce.rb:CVE-2021-21978
@@ -900,6 +911,7 @@
 /usr/share/metasploit-framework/modules/exploits/linux/local/udev_netlink.rb:CVE-2009-1185
 /usr/share/metasploit-framework/modules/exploits/linux/local/ueb_bpserverd_privesc.rb:CVE-2018-6329
 /usr/share/metasploit-framework/modules/exploits/linux/local/ufo_privilege_escalation.rb:CVE-2017-1000112
+/usr/share/metasploit-framework/modules/exploits/linux/local/vcenter_java_wrapper_vmon_priv_esc.rb:CVE-2021-22015
 /usr/share/metasploit-framework/modules/exploits/linux/local/vmware_alsa_config.rb:CVE-2017-4915
 /usr/share/metasploit-framework/modules/exploits/linux/local/vmware_mount.rb:CVE-2013-1662
 /usr/share/metasploit-framework/modules/exploits/linux/local/vmware_workspace_one_access_certproxy_lpe.rb:CVE-2022-31660
@@ -1053,6 +1065,7 @@
 /usr/share/metasploit-framework/modules/exploits/multi/http/axis2_deployer.rb:CVE-2010-0219
 /usr/share/metasploit-framework/modules/exploits/multi/http/bassmaster_js_injection.rb:CVE-2014-7205
 /usr/share/metasploit-framework/modules/exploits/multi/http/bolt_file_upload.rb:CVE-2015-7309
+/usr/share/metasploit-framework/modules/exploits/multi/http/churchinfo_upload_exec.rb:CVE-2021-43258
 /usr/share/metasploit-framework/modules/exploits/multi/http/cisco_dcnm_upload_2019.rb:CVE-2019-1619
 /usr/share/metasploit-framework/modules/exploits/multi/http/cisco_dcnm_upload_2019.rb:CVE-2019-1620
 /usr/share/metasploit-framework/modules/exploits/multi/http/cisco_dcnm_upload_2019.rb:CVE-2019-1622
@@ -1074,6 +1087,7 @@
 /usr/share/metasploit-framework/modules/exploits/multi/http/familycms_less_exec.rb:CVE-2011-5130
 /usr/share/metasploit-framework/modules/exploits/multi/http/getsimplecms_unauth_code_exec.rb:CVE-2019-11231
 /usr/share/metasploit-framework/modules/exploits/multi/http/git_client_command_exec.rb:CVE-2014-9390
+/usr/share/metasploit-framework/modules/exploits/multi/http/gitea_git_fetch_rce.rb:CVE-2022-30781
 /usr/share/metasploit-framework/modules/exploits/multi/http/gitea_git_hooks_rce.rb:CVE-2020-14144
 /usr/share/metasploit-framework/modules/exploits/multi/http/gitlab_exif_rce.rb:CVE-2021-22204
 /usr/share/metasploit-framework/modules/exploits/multi/http/gitlab_exif_rce.rb:CVE-2021-22205
@@ -1331,6 +1345,7 @@
 /usr/share/metasploit-framework/modules/exploits/osx/email/mailapp_image_exec.rb:CVE-2007-6165
 /usr/share/metasploit-framework/modules/exploits/osx/ftp/webstar_ftp_user.rb:CVE-2004-0695
 /usr/share/metasploit-framework/modules/exploits/osx/http/evocam_webserver.rb:CVE-2010-2309
+/usr/share/metasploit-framework/modules/exploits/osx/local/acronis_trueimage_xpc_privesc.rb:CVE-2020-25736
 /usr/share/metasploit-framework/modules/exploits/osx/local/cfprefsd_race_condition.rb:CVE-2020-9839
 /usr/share/metasploit-framework/modules/exploits/osx/local/dyld_print_to_file_root.rb:CVE-2015-3760
 /usr/share/metasploit-framework/modules/exploits/osx/local/feedback_assistant_root.rb:CVE-2019-8565
@@ -1387,6 +1402,7 @@
 /usr/share/metasploit-framework/modules/exploits/unix/http/pihole_dhcp_mac_exec.rb:CVE-2020-8816
 /usr/share/metasploit-framework/modules/exploits/unix/http/quest_kace_systems_management_rce.rb:CVE-2018-11138
 /usr/share/metasploit-framework/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb:CVE-2019-6814
+/usr/share/metasploit-framework/modules/exploits/unix/http/syncovery_linux_rce_2022_36534.rb:CVE-2022-36534
 /usr/share/metasploit-framework/modules/exploits/unix/http/tnftp_savefile.rb:CVE-2014-8517
 /usr/share/metasploit-framework/modules/exploits/unix/http/twiki_debug_plugins.rb:CVE-2014-7236
 /usr/share/metasploit-framework/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb:CVE-2014-5073
@@ -2000,6 +2016,8 @@
 /usr/share/metasploit-framework/modules/exploits/windows/http/exchange_ecp_viewstate.rb:CVE-2020-0688
 /usr/share/metasploit-framework/modules/exploits/windows/http/exchange_proxylogon_rce.rb:CVE-2021-26855
 /usr/share/metasploit-framework/modules/exploits/windows/http/exchange_proxylogon_rce.rb:CVE-2021-27065
+/usr/share/metasploit-framework/modules/exploits/windows/http/exchange_proxynotshell_rce.rb:CVE-2022-41040
+/usr/share/metasploit-framework/modules/exploits/windows/http/exchange_proxynotshell_rce.rb:CVE-2022-41082
 /usr/share/metasploit-framework/modules/exploits/windows/http/exchange_proxyshell_rce.rb:CVE-2021-31207
 /usr/share/metasploit-framework/modules/exploits/windows/http/exchange_proxyshell_rce.rb:CVE-2021-34473
 /usr/share/metasploit-framework/modules/exploits/windows/http/exchange_proxyshell_rce.rb:CVE-2021-34523
@@ -2487,6 +2505,7 @@
 /usr/share/metasploit-framework/modules/post/linux/dos/xen_420_dos.rb:CVE-2012-5525
 /usr/share/metasploit-framework/modules/post/linux/gather/haserl_read.rb:CVE-2021-29133
 /usr/share/metasploit-framework/modules/post/linux/gather/mimipenguin.rb:CVE-2018-20781
+/usr/share/metasploit-framework/modules/post/linux/gather/vcenter_secrets_dump.rb:CVE-2022-22948
 /usr/share/metasploit-framework/modules/post/multi/escalate/cups_root_file_read.rb:CVE-2012-5519
 /usr/share/metasploit-framework/modules/post/multi/sap/smdagent_get_properties.rb:CVE-2019-0307
 /usr/share/metasploit-framework/modules/post/osx/escalate/tccbypass.rb:CVE-2020-9934