3

I could not find any match between the vulnerabilities (with their CVE numbers) found by the OpenVAS scanner and exploits, using sites such as the Rapid7 Vulnerability DB and Exploit-DB, or by using a command like 'search cve-xxxx-xxxx'. Do you have any suggestions/commands for msfconsole, or other ideas for finding matching exploits?

metavaronos

3 Answers

3

Not all vulnerabilities have a public exploit; some of them just have some PoC code that will give you a direction about how to trigger the flaw.

You can search on Metasploit, Exploit-DB, Immunity CANVAS, Core Impact, and do a little bit of research on the internet. Web application flaws can usually be exploited "by hand"; other flaws like Shellshock can be exploited by hand too. For local/privilege escalation flaws, Metasploit has some modules, but you will usually need to find an exploit on the internet for that.

For Linux/Windows, there are several discussion lists and Exploit-DB, and you can use Linux Exploit Suggester and Windows Exploit Suggester. For other platforms like AIX, Solaris and HP-UX, you will have to take some time to search for exploits.

As said before, for web exploitation, SQL injection can be done by hand easily; for blind/time-based injection I suggest that you write a small script for that task, or use sqlmap. Check the OWASP Top 10 list; there is plenty of documentation about how to exploit every kind of flaw.

OPSXCQ
3

You can search within Metasploit using the search command, for example:

msf > search ms08-067

You can also search by the name of the program that has a vulnerability using:

msf > search name:windows

http://www.offensive-security.com/metasploit-unleashed/Msfconsole_Commands#search

  • Also, just because a vulnerability is found, it does not necessarily mean that it is exploitable and that Metasploit has an actual exploit for it. Do you have an example of any of the CVEs OpenVAS has discovered? – Kurtis Brown Nov 20 '14 at 14:33
  • Thank you; as you can tell I am new in this field and trying to make my way. It's actually a website app based on PHP, so should I look more for vulns there? Yes, I have PHP Multiple Vulnerabilities CVE-2014-3478, 3515, 0207, 3487, 3479, 3480, 2020, CVE-2013-7226, 7327, 7328 and also PHP 'FastCGI Process Manager' Privilege Escalation CVE-2014-0185 – metavaronos Nov 20 '14 at 15:30
  • For custom PHP, you might find more luck by probing the custom code itself; such probing tends to be done by hand or with an automated web app scanner (e.g. w3af on Kali) – schroeder Nov 20 '14 at 15:45
  • Yes, also I am thinking of trying harder with the Nessus open version, since OpenVAS appears to be quite buggy when started from msf – metavaronos Nov 20 '14 at 17:30
1

Try search cve:xxxx-xxxx. For example:

msf > search cve:2012-1823
Matching Modules
================
Name                                      Disclosure Date          Rank       Description
----                                      ---------------          ----       -----------
exploit/multi/http/php_cgi_arg_injection  2012-05-03 00:00:00 UTC  excellent  PHP CGI Argument Injection

msf > use exploit/multi/http/php_cgi_arg_injection
msf exploit(php_cgi_arg_injection) > set RHOST 192.168.1.219
RHOST => 192.168.1.219
msf exploit(php_cgi_arg_injection) > show payloads
Compatible Payloads
===================
Name                           Disclosure Date  Rank    Description
----                           ---------------  ----    -----------
generic/shell_bind_tcp                          normal  Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp                       normal  Generic Command Shell, Reverse TCP Inline

Reference: http://www.networklab.fr/web-pen-test/

Jens Erat
sonar
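The two answers above show the msfconsole search syntax one CVE at a time. What a practitioner usually wants after an OpenVAS run is to pull every CVE out of the report, check which ones have any public exploit at all (as the first answer notes, many do not), and batch the remaining lookups. The script below is an added example, not code from the original answers or from the OpenVAS, Metasploit or Exploit-DB projects. It assumes: the OpenVAS XML report contains CVE IDs as text somewhere (the element layout differs between versions, so IDs are pulled out with a regular expression instead of a schema); Exploit-DB's searchsploit ships a files_exploits.csv whose "codes" column holds identifiers such as CVE-2012-1823 separated by ";"; and recent searchsploit releases accept a --cve option. The report fragment and the CSV rows are constructed samples with placeholder Exploit-DB IDs, not real scan output or real Exploit-DB entries.

```python
"""Match CVE IDs from an OpenVAS report against Metasploit and Exploit-DB.

Added example, not from the original page. Assumptions:
  * the OpenVAS/GVM XML report contains CVE IDs as text somewhere, so
    they are extracted with a regex rather than by element layout;
  * searchsploit's files_exploits.csv has a "codes" column listing
    IDs such as CVE-2012-1823 separated by ";";
  * `searchsploit --cve` exists (recent releases) and `msfconsole -x`
    runs ";"-separated console commands non-interactively.
Both sample inputs below are constructed, not real data.
"""
import csv
import io
import re
import shlex

CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed OpenVAS report fragment (not real scanner output). It mixes
# the older <cve> list style and the newer <ref type="cve"> style, with a
# duplicate in different case, to exercise de-duplication.
SAMPLE_REPORT = """<report>
  <result><name>PHP Multiple Vulnerabilities</name>
    <cve>CVE-2014-3515, CVE-2014-3478, cve-2014-3515</cve></result>
  <result><name>PHP FPM Privilege Escalation</name>
    <refs><ref type="cve" id="CVE-2014-0185"/></refs></result>
  <result><name>PHP CGI Argument Injection</name>
    <cve>CVE-2012-1823</cve></result>
</report>"""

# Constructed rows in the layout of searchsploit's files_exploits.csv.
# IDs, paths and descriptions are placeholders, not real Exploit-DB entries.
SAMPLE_EXPLOITDB_CSV = """id,file,description,date_published,author,type,platform,port,date_added,date_updated,verified,codes,tags,aliases,screenshot_application,source_url
10001,exploits/php/remote/10001.py,PHP CGI Argument Injection (sample),2012-05-04,sample,remote,php,0,2012-05-04,2012-05-04,1,CVE-2012-1823;CVE-2012-2311,,,,
10002,exploits/linux/local/10002.txt,PHP-FPM socket permissions (sample),2014-05-01,sample,local,linux,0,2014-05-01,2014-05-01,0,CVE-2014-0185,,,,
10003,exploits/linux/remote/10003.sh,Bash Shellshock (sample),2014-09-25,sample,remote,linux,0,2014-09-25,2014-09-25,1,CVE-2014-6271;CVE-2014-7169,,,,
"""


def extract_cves(report_text):
    """Return sorted, de-duplicated, upper-cased CVE IDs found anywhere in the text."""
    return sorted({f"CVE-{year}-{num}" for year, num in CVE_RE.findall(report_text)})


def load_exploitdb_index(csv_text):
    """Build {CVE-ID: [(edb_id, file, description), ...]} from files_exploits.csv."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for code in (row.get("codes") or "").split(";"):
            code = code.strip().upper()
            if code.startswith("CVE-"):
                index.setdefault(code, []).append(
                    (row["id"], row["file"], row["description"]))
    return index


def match_exploitdb(cves, index):
    """Return {cve: entries} for only those CVEs that have an Exploit-DB entry."""
    return {cve: index[cve] for cve in cves if cve in index}


def msf_search_commands(cves):
    """One msfconsole 'search' line per CVE, in the cve:YYYY-NNNN syntax."""
    return [f"search cve:{cve[len('CVE-'):]}" for cve in cves]


def msf_batch_command(cves):
    """Single non-interactive msfconsole invocation running every search, then exiting."""
    script = "; ".join(msf_search_commands(cves) + ["exit"])
    return "msfconsole -q -x " + shlex.quote(script)


def searchsploit_commands(cves):
    """searchsploit --cve lookups for the local Exploit-DB copy (recent releases)."""
    return [f"searchsploit --cve {cve[len('CVE-'):]}" for cve in cves]


if __name__ == "__main__":
    cves = extract_cves(SAMPLE_REPORT)
    hits = match_exploitdb(cves, load_exploitdb_index(SAMPLE_EXPLOITDB_CSV))
    for cve in cves:
        # No entry here does not mean "not exploitable": it means no public
        # exploit in this index, so fall back to msf search and manual research.
        print(cve, "->", hits.get(cve, "no Exploit-DB entry"))
    print(msf_batch_command(cves))
    print("\n".join(searchsploit_commands(cves)))
```

In real use, replace SAMPLE_REPORT with the contents of the exported OpenVAS XML and SAMPLE_EXPLOITDB_CSV with the files_exploits.csv from the local searchsploit installation; the msf_batch_command output can be pasted into a shell on the Kali box, and CVEs with no hit in either source are the ones that need the manual research the first answer describes.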