aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

Collect exploits from metasploit #1454

Closed pombredanne closed 1 month ago

pombredanne commented 7 months ago

Collect exploits from metasploit https://github.com/rapid7/metasploit-framework and https://www.metasploit.com/

See discussion document at https://docs.google.com/document/d/1XtMmxthmANhr-IqXsyMgFnrOq5fTGfsE/edit?usp=sharing&ouid=117241222429542576816&rtpof=true&sd=true See work-in-progress normalized model spreadsheet at https://docs.google.com/spreadsheets/d/1J2t2T_s015pnAouy5ss-AA0SI4e2xjT4uICjlL_Aa38/edit?usp=sharing

ziadhany commented 7 months ago

I think this link is a good start to get all CVEs that metasploit uses: https://github.com/rapid7/metasploit-framework/discussions/16415

ziad@ziad:~/metasploit-framework$ tools/modules/module_reference.rb -t CVE
Type: CVE
/home/ziad/metasploit-framework/modules/auxiliary/scanner/http/rdp_web_login.py:104: warning: One-line pattern matching is experimental, and the behavior may change in future versions of Ruby!
/home/ziad/metasploit-framework/modules/auxiliary/scanner/http/rdp_web_login.py:124: warning: One-line pattern matching is experimental, and the behavior may change in future versions of Ruby!
/home/ziad/metasploit-framework/modules/auxiliary/scanner/http/rdp_web_login.py:125: warning: One-line pattern matching is experimental, and the behavior may change in future versions of Ruby!
/home/ziad/metasploit-framework/modules/auxiliary/scanner/http/rdp_web_login.py:198: warning: One-line pattern matching is experimental, and the behavior may change in future versions of Ruby!
/home/ziad/metasploit-framework/modules/auxiliary/scanner/http/rdp_web_login.py:214: warning: One-line pattern matching is experimental, and the behavior may change in future versions of Ruby!

Module References
=================

  Module                                                      Reference
  ------                                                      ---------
  auxiliary/admin/2wire/xslt_password_reset                   CVE-2007-4387
  auxiliary/admin/android/google_play_store_uxss_xframe_rce   CVE-2014-6041
  auxiliary/admin/backupexec/dump                             CVE-2005-2611
  auxiliary/admin/backupexec/registry                         CVE-2005-0771
  auxiliary/admin/db2/db2rcmd                                 CVE-2004-0795
  auxiliary/admin/dcerpc/cve_2020_1472_zerologon              CVE-2020-1472
  auxiliary/admin/dcerpc/cve_2022_26923_certifried            CVE-2022-26923
  ...

ziadhany commented 2 months ago

@DennisClark For the Metasploit Git repository, I think we are primarily interested in a single file: modules_metadata_base.json. This file includes the exploit paths and detailed information about each exploit.

We can create a ref from a file path like this "/modules/auxiliary/admin/2wire/xslt_password_reset.rb" -> https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/admin/2wire/xslt_password_reset.rb

Also, we can make use of the reference field ( 'https://seclists.org/bugtraq/2007/Aug/225' ), but what type should this reference be categorized as? Should it be set as other, left empty, or classified as an exploit? I think it should be left empty.

And I'm also a bit confused about the licensing because it seems they have different licenses for various files: https://github.com/rapid7/metasploit-framework?tab=License-1-ov-file. What is the license in this situation?

{
  "auxiliary_admin/2wire/xslt_password_reset": {
    "name": "2Wire Cross-Site Request Forgery Password Reset Vulnerability",
    "fullname": "auxiliary/admin/2wire/xslt_password_reset",
    "aliases": [

    ],
    "rank": 300,
    "disclosure_date": "2007-08-15",
    "type": "auxiliary",
    "author": [
      "hkm <hkm@hakim.ws>",
      "Travis Phillips"
    ],
    "description": "This module will reset the admin password on a 2Wire wireless router.  This is\n        done by using the /xslt page where authentication is not required, thus allowing\n        configuration changes (such as resetting the password) as administrators.",
    "references": [
      "CVE-2007-4387",
      "OSVDB-37667",
      "BID-36075",
      "URL-https://seclists.org/bugtraq/2007/Aug/225"
    ],
    "platform": "",
    "arch": "",
    "rport": 80,
    "autofilter_ports": [
      80,
      8080,
      443,
      8000,
      8888,
      8880,
      8008,
      3000,
      8443
    ],
    "autofilter_services": [
      "http",
      "https"
    ],
    "targets": null,
    "mod_time": "2020-10-02 17:38:06 +0000",
    "path": "/modules/auxiliary/admin/2wire/xslt_password_reset.rb",
    "is_install_path": true,
    "ref_name": "admin/2wire/xslt_password_reset",
    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
    },
    "session_types": false,
    "needs_cleanup": false,
    "actions": [

    ]
  },

DennisClark commented 2 months ago

@ziadhany, since the overall license for metasploit-framework is 3-Clause BSD, that should apply to any data that we get from them; the many other licenses mentioned appear to apply only to the various third-party components used by the software itself.

DennisClark commented 2 months ago

@ziadhany I think that the best reference type to use in this case would be exploit, since it is related to that even if not specifically an exploit report.
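An added example (not vulnerablecode's or metasploit's own code) of the import ziadhany sketches above, following DennisClark's answer that the references should be typed as exploit: it parses a constructed excerpt in the shape of modules_metadata_base.json, separates CVE ids from URL- prefixed and other references, builds the GitHub link from the path field, and emits one advisory-like record per module that names at least one CVE. The first sample entry mirrors the one quoted in the issue; the other two entries, their placeholder URLs and dates, and the record shape are assumptions made for the example.

```python
import json
import re

# Constructed excerpt in the shape of metasploit's modules_metadata_base.json.
# The first entry mirrors the one quoted in the issue; the other two are made up
# to exercise a second CVE and a module with no CVE at all.
SAMPLE_METADATA = json.dumps({
    "auxiliary_admin/2wire/xslt_password_reset": {
        "name": "2Wire Cross-Site Request Forgery Password Reset Vulnerability",
        "fullname": "auxiliary/admin/2wire/xslt_password_reset",
        "disclosure_date": "2007-08-15",
        "type": "auxiliary",
        "description": "This module will reset the admin password on a 2Wire wireless router.  This is\n        done by using the /xslt page where authentication is not required.",
        "references": [
            "CVE-2007-4387",
            "OSVDB-37667",
            "BID-36075",
            "URL-https://seclists.org/bugtraq/2007/Aug/225",
        ],
        "path": "/modules/auxiliary/admin/2wire/xslt_password_reset.rb",
    },
    "auxiliary_admin/dcerpc/cve_2020_1472_zerologon": {
        "name": "Constructed entry for the Zerologon module",
        "fullname": "auxiliary/admin/dcerpc/cve_2020_1472_zerologon",
        "disclosure_date": "2020-01-01",  # placeholder date, not from the page
        "type": "auxiliary",
        "description": "Constructed description.",
        "references": ["CVE-2020-1472", "URL-https://example.com/placeholder-advisory"],
        "path": "/modules/auxiliary/admin/dcerpc/cve_2020_1472_zerologon.rb",
    },
    "auxiliary_scanner/example/no_cve_module": {
        "name": "Constructed module without a CVE reference",
        "fullname": "auxiliary/scanner/example/no_cve_module",
        "disclosure_date": None,
        "type": "auxiliary",
        "description": "Constructed description.",
        "references": ["URL-https://example.com/placeholder-writeup"],
        "path": "/modules/auxiliary/scanner/example/no_cve_module.rb",
    },
})

GITHUB_TREE_BASE = "https://github.com/rapid7/metasploit-framework/tree/master"
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
REFERENCE_TYPE = "exploit"  # the type agreed on in the thread for metasploit references


def module_url(path):
    """Map a metadata 'path' (rooted at /modules/...) to its GitHub tree URL."""
    return GITHUB_TREE_BASE + path


def split_references(references):
    """Separate a module's references into CVE ids, bare URLs and everything else.

    Metasploit prefixes URL references with 'URL-'; OSVDB/BID-style ids are
    returned unchanged in 'other' so a caller can decide how to map them later.
    """
    cves, urls, other = [], [], []
    for ref in references:
        if CVE_RE.match(ref):
            cves.append(ref)
        elif ref.startswith("URL-"):
            urls.append(ref[len("URL-"):])
        else:
            other.append(ref)
    return cves, urls, other


def collect_advisories(metadata_json):
    """Build one advisory-like record per module that references at least one CVE."""
    advisories = []
    for module in json.loads(metadata_json).values():
        cves, urls, other = split_references(module.get("references", []))
        if not cves:
            continue  # nothing to correlate with a vulnerability record yet
        references = [{"url": module_url(module["path"]), "reference_type": REFERENCE_TYPE}]
        references += [{"url": url, "reference_type": REFERENCE_TYPE} for url in urls]
        advisories.append({
            "module": module["fullname"],
            "summary": module["name"],
            # collapse the multi-line, indented description into a single line
            "description": " ".join(module.get("description", "").split()),
            "date_published": module.get("disclosure_date"),
            "cves": cves,
            "references": references,
            "unmapped_references": other,
        })
    return advisories


if __name__ == "__main__":
    for advisory in collect_advisories(SAMPLE_METADATA):
        print(json.dumps(advisory, indent=2))
```

Modules without a CVE are skipped rather than dropped silently forever: a real importer would log them, and the OSVDB/BID ids kept in unmapped_references are the obvious next thing to map once the model spreadsheet settles on how to represent them.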