
Collect exploits from metasploit

Open pombredanne opened this issue 1 year ago • 4 comments

Collect exploits from metasploit https://github.com/rapid7/metasploit-framework and https://www.metasploit.com/

See discussion document at https://docs.google.com/document/d/1XtMmxthmANhr-IqXsyMgFnrOq5fTGfsE/edit?usp=sharing&ouid=117241222429542576816&rtpof=true&sd=true

See work-in-progress normalized model spreadsheet at https://docs.google.com/spreadsheets/d/1J2t2T_s015pnAouy5ss-AA0SI4e2xjT4uICjlL_Aa38/edit?usp=sharing

pombredanne avatar Apr 05 '24 07:04 pombredanne

I think this link is a good start to get all CVEs that metasploit uses: https://github.com/rapid7/metasploit-framework/discussions/16415

ziad@ziad:~/metasploit-framework$ tools/modules/module_reference.rb -t CVE
Type: CVE
/home/ziad/metasploit-framework/modules/auxiliary/scanner/http/rdp_web_login.py:104: warning: One-line pattern matching is experimental, and the behavior may change in future versions of Ruby!
/home/ziad/metasploit-framework/modules/auxiliary/scanner/http/rdp_web_login.py:124: warning: One-line pattern matching is experimental, and the behavior may change in future versions of Ruby!
/home/ziad/metasploit-framework/modules/auxiliary/scanner/http/rdp_web_login.py:125: warning: One-line pattern matching is experimental, and the behavior may change in future versions of Ruby!
/home/ziad/metasploit-framework/modules/auxiliary/scanner/http/rdp_web_login.py:198: warning: One-line pattern matching is experimental, and the behavior may change in future versions of Ruby!
/home/ziad/metasploit-framework/modules/auxiliary/scanner/http/rdp_web_login.py:214: warning: One-line pattern matching is experimental, and the behavior may change in future versions of Ruby!

Module References
=================

  Module                                                      Reference
  ------                                                      ---------
  auxiliary/admin/2wire/xslt_password_reset                   CVE-2007-4387
  auxiliary/admin/android/google_play_store_uxss_xframe_rce   CVE-2014-6041
  auxiliary/admin/backupexec/dump                             CVE-2005-2611
  auxiliary/admin/backupexec/registry                         CVE-2005-0771
  auxiliary/admin/db2/db2rcmd                                 CVE-2004-0795
  auxiliary/admin/dcerpc/cve_2020_1472_zerologon              CVE-2020-1472
  auxiliary/admin/dcerpc/cve_2022_26923_certifried            CVE-2022-26923
  ...

ziadhany avatar Apr 06 '24 20:04 ziadhany

@DennisClark For the Metasploit Git repository, I think we are primarily interested in a single file: modules_metadata_base.json. This file includes the exploit paths and detailed information about each exploit.

We can create a ref from a file path like this "/modules/auxiliary/admin/2wire/xslt_password_reset.rb" -> https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/admin/2wire/xslt_password_reset.rb

Also, we can make use of the reference field ('https://seclists.org/bugtraq/2007/Aug/225'), but what type should this reference be categorized as? Should it be set as other, left empty, or classified as an exploit? I think it should be left empty.

And I'm also a bit confused about the licensing because it seems they have different licenses for various files: https://github.com/rapid7/metasploit-framework?tab=License-1-ov-file. What is the license in this situation?

{
  "auxiliary_admin/2wire/xslt_password_reset": {
    "name": "2Wire Cross-Site Request Forgery Password Reset Vulnerability",
    "fullname": "auxiliary/admin/2wire/xslt_password_reset",
    "aliases": [

    ],
    "rank": 300,
    "disclosure_date": "2007-08-15",
    "type": "auxiliary",
    "author": [
      "hkm <[email protected]>",
      "Travis Phillips"
    ],
    "description": "This module will reset the admin password on a 2Wire wireless router.  This is\n        done by using the /xslt page where authentication is not required, thus allowing\n        configuration changes (such as resetting the password) as administrators.",
    "references": [
      "CVE-2007-4387",
      "OSVDB-37667",
      "BID-36075",
      "URL-https://seclists.org/bugtraq/2007/Aug/225"
    ],
    "platform": "",
    "arch": "",
    "rport": 80,
    "autofilter_ports": [
      80,
      8080,
      443,
      8000,
      8888,
      8880,
      8008,
      3000,
      8443
    ],
    "autofilter_services": [
      "http",
      "https"
    ],
    "targets": null,
    "mod_time": "2020-10-02 17:38:06 +0000",
    "path": "/modules/auxiliary/admin/2wire/xslt_password_reset.rb",
    "is_install_path": true,
    "ref_name": "admin/2wire/xslt_password_reset",
    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
    },
    "session_types": false,
    "needs_cleanup": false,
    "actions": [

    ]
  },

ziadhany avatar Aug 05 '24 22:08 ziadhany
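An added example of the normalization described above (not code from the vulnerablecode project or from the commenter): it reads an entry shaped like the modules_metadata_base.json excerpt, splits each reference on its Metasploit prefix (CVE, OSVDB, BID, URL), and builds the GitHub tree URL from the module path. The sample entry is constructed from the excerpt; the CVE-keyed grouping and the "other" bucket for unknown prefixes are assumptions.

```python
import json

# Constructed sample: one trimmed entry in the shape of Metasploit's
# modules_metadata_base.json (keys copied from the excerpt in the issue).
SAMPLE_METADATA = json.loads("""
{
  "auxiliary_admin/2wire/xslt_password_reset": {
    "disclosure_date": "2007-08-15",
    "references": [
      "CVE-2007-4387",
      "OSVDB-37667",
      "BID-36075",
      "URL-https://seclists.org/bugtraq/2007/Aug/225"
    ],
    "path": "/modules/auxiliary/admin/2wire/xslt_password_reset.rb"
  }
}
""")

MSF_TREE = "https://github.com/rapid7/metasploit-framework/tree/master"
# Reference prefixes seen in the excerpt; anything else falls into "other".
KNOWN_PREFIXES = ("CVE", "OSVDB", "BID", "URL")

def parse_reference(ref: str) -> tuple[str, str]:
    """Split on the prefix: CVE/OSVDB/BID keep it, 'URL-' is dropped, else 'other'."""
    prefix, sep, rest = ref.partition("-")
    if sep and prefix in KNOWN_PREFIXES:
        # Identifiers keep their prefix; URL references drop the "URL-" marker.
        return prefix, (rest if prefix == "URL" else ref)
    return "other", ref

def module_source_url(path: str) -> str:
    """Map the JSON 'path' field to the module's file in the GitHub tree."""
    return MSF_TREE + "/" + path.lstrip("/")

def collect_advisories(metadata: dict) -> list[dict]:
    """Build one advisory per module that carries at least one CVE alias."""
    advisories = []
    for entry in metadata.values():
        refs = [parse_reference(r) for r in entry.get("references", [])]
        cves = [value for kind, value in refs if kind == "CVE"]
        if not cves:
            continue  # nothing to key the exploit on; skip the module
        advisories.append({
            "cves": cves,
            "exploit_url": module_source_url(entry["path"]),
            "other_refs": [v for k, v in refs if k != "CVE"],
            "disclosure_date": entry.get("disclosure_date"),
        })
    return advisories
```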

@ziadhany since the overall license for metasploit-framework is 3-Clause BSD, that should apply to any data that we get from them; the many other licenses mentioned appear to apply only to the various third-party components used by the software itself.

DennisClark avatar Aug 06 '24 14:08 DennisClark

@ziadhany I think that the best reference type to use in this case would be exploit since it is related to that even if not specifically an exploit report.

DennisClark avatar Aug 06 '24 14:08 DennisClark