Metasploit

These are the auxiliary modules I developed that are part of Metasploit:

Auxiliary modules

auxiliary/server/openssl_altchainsforgery_mitm_proxy

This module exploits a logic error in OpenSSL by impersonating the server and sending a specially crafted chain of certificates, causing certain checks on untrusted certificates to be bypassed on the client and allowing a valid leaf certificate to be used as a CA certificate to sign a fake certificate. The SSL/TLS session is then proxied to the server, allowing the session to continue normally and the application data transmitted between the peers to be saved. The valid leaf certificate must not contain the keyUsage extension, or it must have at least the keyCertSign bit set (see the X509_check_issued function in crypto/x509v3/v3_purp.c); otherwise, X509_verify_cert fails with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. This module requires an active man-in-the-middle attack.

openssl_altchainsforgery_mitm_proxy.rb · View on Rapid7 Database

auxiliary/server/jsse_skiptls_mitm_proxy

This module exploits an incomplete internal state distinction in Java Secure Socket Extension (JSSE) by impersonating the server and finishing the handshake before the peers have authenticated themselves and instantiated the negotiated security parameters, resulting in a plaintext SSL/TLS session with the client. This plaintext SSL/TLS session is then proxied to the server using a second SSL/TLS session from the proxy to the server (or an alternate fake server), allowing the session to continue normally and the plaintext application data transmitted between the peers to be saved. This module requires an active man-in-the-middle attack.

jsse_skiptls_mitm_proxy.rb · View on Rapid7 Database

auxiliary/server/dhclient_bash_env

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domain name, and URL, which are then passed to the configuration scripts as environment variables, resulting in code execution.

dhclient_bash_env.rb · View on Rapid7 Database

auxiliary/admin/http/katello_satellite_priv_esc

This module exploits a missing authorization vulnerability in the "update_roles" action of the "users" controller of Katello and Red Hat Satellite (Katello 1.5.0-14 and earlier) by changing the specified account to an administrator account.

katello_satellite_priv_esc.rb · View on Rapid7 Database

auxiliary/admin/http/cfme_manageiq_evm_pass_reset

This module exploits a SQL injection vulnerability in the "explorer" action of the "miq_policy" controller of Red Hat CloudForms Management Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier) by changing the password of the target account to the specified password.

cfme_manageiq_evm_pass_reset.rb · View on Rapid7 Database

auxiliary/admin/http/foreman_openstack_satellite_priv_esc

This module exploits a mass assignment vulnerability in the 'create' action of the 'users' controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator account. For this exploit to work, your account must have the 'create_users' permission (e.g., the Manager role).

foreman_openstack_satellite_priv_esc.rb · View on Rapid7 Database

auxiliary/scanner/snmp/aix_version

AIX SNMP Scanner Auxiliary Module

aix_version.rb · View on Rapid7 Database

auxiliary/scanner/misc/ib_service_mgr_info

This module retrieves the version of the Services Manager, and the version and implementation of the InterBase server, from the InterBase Services Manager.

ib_service_mgr_info.rb · View on Rapid7 Database