edb modules missing in msf

[h00die]

This will be a list of modules in EDB which are not in MSF. I can attempt to PR them and be in charge of this if no one from r7 (cough cough, intern) wants to handle it. I went back until 2014-12-16, doing a search for '(metasploit)' with the author NOT metasploit.

to do

• Eir D1000 Wireless Router - WAN Side Remote Command Injection (Metasploit)
• Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit (3)
• Barracuda Web Application Firewall <= v8.0.1.008 Post Auth Root Exploit
• Barracuda Spam & Virus Firewall (bdump.cgi) Post Auth Root Exploit
• Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit
• Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit (2)
• Bluecoat ASG 6.6/CAS 1.3 - OS Command Injection
• PCMAN FTP Server Buffer Overflow - ls Command
• Wolfcms 0.8.2 Arbitrary PHP File Upload Vulnerability
• Tomabo M3U SEH Based Stack Buffer Overflow
• Bomgar Remote Support Unauthenticated Code Execution
• PCMan RENAME overflow - #6808 not sure what happened there.
• Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution
• Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever
• HP Smart Storage Administrator 2.30.6.0 - Remote Command Injection
• Sysaid Helpdesk Software Unauthenticated SQLi
• Barracuda Firmware <= 5.0.0.012 reporting Post Auth Remote Root
• QNAP admin shell via Bash Environment Variable Code Injection - may just be part of shellshock module
• QNAP Web server remote code execution via Bash Environment Variable Code Injection - may just be part of shellshock module
• Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability
• Lotus Mail Encryption Server (Protector for Mail) Local File Inclusion previously #1074

By no means am i saying these are good, just making a list so we can start to determine what to do about it.

PRed

• Varnish Cache CLI Interface Bruteforce Utility see #7652, originally #3658
• Zabbix 2.0.5 - Cleartext ldap_bind_Password Password Disclosure see #7951

Finished

• PDF Shaper 3.5 - Buffer Overflow see #6058 -> now #7574
• Meteocontrol WEBLog Password Extractor - see #7790

Rejecting

• Simatic S7-1200 CPU START/STOP Module Just don't see the utility in start/stop a device. Not sure how that would be useful in a pentest

[d3fiantc0der]

bump

[h00die]

just wanted to make sure its understood, these aren't necessarily easy to do. Some of them need pretty heavy conversion to fit standards and the the updates since they were produced. Also, lots of hardware based ones which at least I don't have the hardware to test against.

For example, i'm working on varnish...

1. msftidy is angry
2. it has docs written in it, needs to be put in a .md
3. it never checks res before using res
4. it tries to load /etc/shadow only, for the purpose of determining if your running as root or not. This should be expanded to load any file
5. adjust regexes
6. if no auth, we still want to read in a file, not only if there was auth required and we broke it
7. it uses AuthBrute instead of LoginScanners, which is a pretty big conversion.
8. I'm no varnish admin, learning how to run it on a non-local IP and with/without authentication when Varnish only has docs for 4+ and Ubuntu installed 3.
9. There's lots of mentions of exploitation, maybe an exploit module should also be written, or a ticket submitted to do such.

I'm not saying its bad code, just want to quantify how it can take a few hours to get one of these updated and running.

[aushack]

Oh yeah this was sent https://github.com/rapid7/metasploit-framework/pull/3658 but I already finished that pentest... been a few years. The other one is https://github.com/rapid7/metasploit-framework/pull/1074 FYI.

[h00die]

Thanks @aushack for the original ticket references. linked them back to the to do list for reference.

[busterb]

I wonder if rather than having all of these rollup wishlist + one-off module requests, we instead created an Exploit Module Wishlist in the projects section. That way it would be easier to see them all at a glance.

[h00die]

It would be cool if there was some way for people to vote to help prioritize as well

[busterb]

You can sort github issues by number of thumbs-up reactions. If we tagged all feature requests the same way, and had them broken out separately, we could create a prioritized list easily.

[h00die]

thats not a bad idea. maybe include a link somewhere (wiki) as a quick reference. Pain to break everything out, but makes sense. I'd hate to see all the docs that are missing broken out, nightmare.

[bcoles]

For what it's worth, the two QNAP ShellShock modules should be exploitable with the apache_mod_cgi_bash_env_exec module.

I haven't verified, however I have verified that ShellShock is exploitable on a QNAP NAS via CSRF. The same principle should apply.

That said, it should be a fairly easy module to write for someone who has access to a test model and three year old firmware.