agents: +8 EOL / end-of-support exploitation agents (library 397)

Detect components past their vendor end-of-life/end-of-support window and exploit
the accumulated, unpatched CVEs (pin exact version → check endoflife.date + CVE
feeds → safe PoC):
- vulns: eol_stack_detection, eol_runtime_exploitation, eol_framework_exploitation,
  eol_cms_exploitation, eol_client_library
- infra: eol_webserver_exploitation, eol_os_service, eol_tls_protocol
Docs: counts 389->397, RELEASE note.
This commit is contained in:
CyberSecurityUP
2026-07-09 19:19:21 -03:00
parent 39c28b541b
commit a50178ae71
12 changed files with 475 additions and 5 deletions
+150
View File
@@ -0,0 +1,150 @@
#!/usr/bin/env python3
"""
NeuroSploit v3.5.5 — End-of-Life (EOL) / End-of-Support exploitation agents.
Detect components past their vendor support window (runtime, framework, CMS,
web/app server, DB, OS, client libraries, TLS/protocols) and exploit the CVEs
that accumulate once security patches stop. EOL software is high-value: known,
unpatched, and often reachable. Web agents → agents_md/vulns/, host/OS → infra/.
Read-only-first, safe PoCs only, non-destructive, authorized only.
Credits: Joas A Santos & Red Team Leaders.
"""
import os
ROOT = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
VULNS = os.path.join(ROOT, "agents_md", "vulns")
INFRA = os.path.join(ROOT, "agents_md", "infra")
EOL_NOTE = ("EOL = past the vendor's end-of-life / end-of-support date, so it no longer receives security patches. "
"Pin the EXACT version, check it against public EOL data (endoflife.date) and the CVE feeds, and exploit the "
"known, unpatched issues with a SAFE proof — EOL software is high-value because the bugs are public and unfixed.")
def render(a):
L = [f"# {a['title']} Agent\n", "## User Prompt",
f"You are testing **{{target}}** for {a['for']}.\n",
f"> {EOL_NOTE}\n",
"**Recon Context:**\n{recon_json}\n", "**METHODOLOGY:**\n"]
for i, (s, bs) in enumerate(a["steps"], 1):
L.append(f"### {i}. {s}")
L += [f"- {b}" for b in bs]
L.append("")
n = len(a["steps"]) + 1
L += [f"### {n}. Report Format", "For each CONFIRMED finding:", "```", "FINDING:",
f"- Title: {a['title']} - [component vX.Y (EOL)]", f"- Severity: {a['sev']}", f"- CWE: {a['cwe']}",
"- Endpoint: [URL/host/resource]", "- Vector: [component, version, EOL date, CVE id(s)]",
"- Payload: [exact request/command/PoC]", "- Evidence: [version proof + safe exploit receipt]",
f"- Impact: {a['impact']}", f"- Remediation: {a['fix']}", "```\n", "## System Prompt", a["system"]]
return "\n".join(L) + "\n"
def A(name, title, vc, cwe, sev, steps, fix, impact):
return {"name": name, "title": title, "for": vc, "sev": sev, "cwe": cwe, "impact": impact, "fix": fix,
"steps": steps,
"system": (f"You are a specialist in exploiting {vc}. AUTHORIZED engagement. Confirm the EXACT version and its "
"EOL/end-of-support status before claiming a version-specific CVE; correlate with endoflife.date and "
"NVD/exploit feeds. Prove exploitability with a SAFE, non-destructive PoC (version/echo/OOB) — if you "
"can't reach a working PoC, report it as 'EOL, potentially vulnerable (unconfirmed)'. Report ONLY with "
"a real receipt. No destructive/DoS. Credits: Joas A Santos and Red Team Leaders.")}
VULN_AGENTS = [
A("eol_stack_detection", "EOL Stack Detection", "components that are past end-of-life / end-of-support",
"CWE-1104", "Medium",
[("Fingerprint versions", ["From headers (Server, X-Powered-By, X-AspNet-Version), assets, error pages, cookies, JS "
"bundles and /*version* endpoints, pin the EXACT version of every component: web/app server, "
"language runtime, framework, CMS, DB, TLS lib, JS libraries"]),
("Classify EOL", ["Check each version against public EOL data (endoflife.date) — flag anything past its end-of-life or "
"end-of-support date; note how far past and the last supported version"]),
("Prioritise", ["Rank EOL components by reachability and CVE weight (unauth RCE/SQLi/auth-bypass first) and hand off to "
"the specialist EOL agents"])],
"Upgrade to a supported release; add SBOM + EOL monitoring in CI; virtual-patch/WAF until upgraded",
"Expanded, unpatched attack surface across the stack"),
A("eol_runtime_exploitation", "EOL Language Runtime Exploitation", "end-of-life language runtimes (PHP/Python/Node/Java/.NET/Ruby)",
"CWE-1104", "Critical",
[("Identify runtime + version", ["Pin the runtime and exact version (e.g. PHP 5.x/7.x EOL, Python 2.7, Node 12/14, "
"Java 6/7/8u-old, .NET Framework legacy, Ruby 2.x EOL) from banners/errors/behaviour"]),
("Map runtime CVEs", ["Correlate the EOL version with known runtime CVEs (deserialization, memory, parser, type-juggling) "
"and any bundled-extension CVEs"]),
("Safe PoC", ["Trigger a benign proof (version echo, OOB callback, type-juggling auth bypass on old PHP, etc.) — never a "
"destructive payload"])],
"Migrate to a supported runtime version promptly; apply vendor advisories",
"RCE / auth bypass / memory disclosure depending on runtime"),
A("eol_framework_exploitation", "EOL Framework Exploitation", "end-of-life web frameworks (Struts/Spring-legacy/Rails/Django/Laravel/Symfony/AngularJS)",
"CWE-1104", "Critical",
[("Detect framework + version", ["Fingerprint the framework and version (cookies, headers, routes, error pages, asset "
"hashes) — e.g. Struts2 old, Spring legacy, Rails <5, Django <2, AngularJS 1.x, jQuery <3"]),
("Correlate CVEs", ["Map to known framework RCE/SSTI/deser/mass-assignment CVEs (e.g. Struts OGNL, Spring4Shell-class, "
"Rails deserialization, AngularJS sandbox escape)"]),
("Reproduce safely", ["Prove with an OOB/echo PoC; for client-side framework issues confirm in the browser"])],
"Upgrade the framework to a supported major; refactor deprecated APIs",
"RCE / SSTI / template & client-side compromise"),
A("eol_cms_exploitation", "EOL CMS Exploitation", "end-of-life CMS core & plugins (WordPress/Drupal/Joomla/Magento)",
"CWE-1104", "Critical",
[("Detect CMS + version", ["Pin CMS core version and enumerate plugins/themes/modules + versions (readme, changelog, "
"asset hashes, REST endpoints)"]),
("Flag EOL & correlate CVEs", ["Flag EOL core (e.g. Drupal 7/8, Magento 1, old WP branches) and EOL/abandoned plugins; "
"map to known unauth RCE/SQLi/file-upload/auth-bypass CVEs"]),
("Confirm", ["Reproduce one concrete issue with a safe proof (version-gated echo / unauth read)"])],
"Upgrade CMS core to a supported branch; remove abandoned plugins/themes; keep everything patched",
"Site takeover / RCE / data breach"),
A("eol_client_library", "EOL Client-Side Library Exploitation", "end-of-life front-end libraries with known CVEs",
"CWE-1104", "High",
[("Inventory JS libs", ["From responses/JS/source maps, list client libraries + exact versions (jQuery, AngularJS, "
"Bootstrap, Lodash, Moment, old React/Vue, Swiper, DOMPurify)"]),
("Flag EOL & CVEs", ["Flag EOL/abandoned versions (jQuery <3.5 XSS, AngularJS EOL, Lodash prototype pollution, etc.) and "
"map to CVEs"]),
("Confirm reachability", ["Where a sink is reachable, prove exploitability (e.g. DOM XSS via the vulnerable lib) in the "
"browser; else report as version-based exposure"])],
"Upgrade/replace EOL front-end libraries; add SCA in CI",
"XSS / prototype pollution / client-side compromise"),
]
INFRA_AGENTS = [
A("eol_webserver_exploitation", "EOL Web/App Server Exploitation", "end-of-life web & app servers (Apache/nginx/IIS/Tomcat/JBoss/WebLogic)",
"CWE-1104", "Critical",
[("Fingerprint server + version", ["Pin the exact server/app-server version from banners, error pages, default files, and "
"behaviour (Apache httpd old, nginx old, IIS 6/7, Tomcat/JBoss/WebLogic legacy)"]),
("Flag EOL & correlate", ["Flag EOL versions and map to known CVEs (Tomcat AJP Ghostcat, WebLogic deser/T3, IIS WebDAV, "
"Apache path traversal/mod CVEs)"]),
("Safe PoC", ["Reproduce with a non-destructive PoC (version-gated read / OOB) proving the CVE is present"])],
"Upgrade to a supported server release; disable legacy modules/connectors; WAF/virtual-patch meanwhile",
"RCE / file read / deserialization compromise"),
A("eol_os_service", "EOL OS & Service Exploitation", "end-of-life operating systems and network services",
"CWE-1104", "Critical",
[("Enumerate versions", ["From service banners / SSH / SMB / TLS / uname (with creds), pin OS and service versions "
"(EOL Windows/Ubuntu/CentOS, old OpenSSH/OpenSSL/Samba, SMBv1)"]),
("Flag EOL & correlate", ["Flag EOL OS/services and map to known CVEs (EternalBlue-class SMBv1, old OpenSSL Heartbleed-"
"class, unsupported OpenSSH auth issues)"]),
("Confirm safely", ["Prove the vulnerable version/config is present with a safe check — never run a destructive exploit"])],
"Upgrade/replace EOL OS & services; disable SMBv1/legacy TLS; segment until remediated",
"RCE / host compromise / lateral movement"),
A("eol_tls_protocol", "EOL TLS & Protocol Exploitation", "deprecated TLS versions and legacy protocols",
"CWE-327", "Medium",
[("Enumerate protocols/ciphers", ["Test supported TLS versions and cipher suites (SSLv3, TLS 1.0/1.1 EOL, weak/CBC/RC4/"
"export ciphers) and legacy protocols (SMBv1, FTP, Telnet, old SNMP)"]),
("Flag deprecated", ["Flag anything past deprecation (RFC 8996 TLS1.0/1.1, SSLv3 POODLE, weak ciphers) and note "
"downgrade/MITM feasibility"]),
("Confirm", ["Complete a handshake proving the deprecated protocol/cipher is accepted"])],
"Require TLS 1.2+ (prefer 1.3); disable SSLv3/TLS1.0/1.1, weak ciphers and legacy protocols",
"Downgrade / MITM / weakened transport security"),
]
def main():
os.makedirs(VULNS, exist_ok=True); os.makedirs(INFRA, exist_ok=True)
for a in VULN_AGENTS:
open(os.path.join(VULNS, a["name"] + ".md"), "w").write(render(a))
for a in INFRA_AGENTS:
open(os.path.join(INFRA, a["name"] + ".md"), "w").write(render(a))
print(f"wrote {len(VULN_AGENTS)} EOL agents to {VULNS} and {len(INFRA_AGENTS)} to {INFRA}")
if __name__ == "__main__":
main()