97 lines
3.4 KiB
Ruby
97 lines
3.4 KiB
Ruby
|
class Msf::Analyze
|
||
|
|
||
|
def initialize(framework)
|
||
|
@framework = framework
|
||
|
end
|
||
|
|
||
|
def host(eval_host)
|
||
|
suggested_modules = {}
|
||
|
|
||
|
mrefs, _mports, _mservs = Msf::Modules::Metadata::Cache.instance.all_remote_exploit_maps
|
||
|
|
||
|
unless eval_host.vulns
|
||
|
return {}
|
||
|
end
|
||
|
|
||
|
vuln_refs = []
|
||
|
eval_host.vulns.each do |vuln|
|
||
|
next if vuln.service.nil?
|
||
|
vuln_refs.push(*vuln.refs)
|
||
|
end
|
||
|
|
||
|
# finds all modules that have references matching those found on host vulns with service data
|
||
|
found_modules = mrefs.values_at(*(vuln_refs.map { |x| x.name.upcase } & mrefs.keys)).map { |x| x.values }.flatten.uniq
|
||
|
found_modules.each do |fnd_mod|
|
||
|
# next if exploit_filter_by_service(fnd_mod, vuln.service)
|
||
|
next unless exploit_matches_host_os(fnd_mod, eval_host)
|
||
|
end
|
||
|
|
||
|
suggested_modules[:modules] = found_modules
|
||
|
|
||
|
suggested_modules
|
||
|
end
|
||
|
|
||
|
|
||
|
private
|
||
|
|
||
|
# Tests for various service conditions by comparing the module's full_name (which
|
||
|
# is basically a pathname) to the intended target service record. The service.info
|
||
|
# column is tested against a regex in most/all cases and "false" is returned in the
|
||
|
# event of a match between an incompatible module and service fingerprint.
|
||
|
def exploit_filter_by_service(mod, serv)
|
||
|
|
||
|
# Filter out Unix vs Windows exploits for SMB services
|
||
|
return true if (mod.full_name =~ /\/samba/ and serv.info.to_s =~ /windows/i)
|
||
|
return true if (mod.full_name =~ /\/windows/ and serv.info.to_s =~ /samba|unix|vxworks|qnx|netware/i)
|
||
|
return true if (mod.full_name =~ /\/netware/ and serv.info.to_s =~ /samba|unix|vxworks|qnx/i)
|
||
|
|
||
|
# Filter out IIS exploits for non-Microsoft services
|
||
|
return true if (mod.full_name =~ /\/iis\/|\/isapi\// and (serv.info.to_s !~ /microsoft|asp/i))
|
||
|
|
||
|
# Filter out Apache exploits for non-Apache services
|
||
|
return true if (mod.full_name =~ /\/apache/ and serv.info.to_s !~ /apache|ibm/i)
|
||
|
|
||
|
false
|
||
|
end
|
||
|
|
||
|
# Determines if an exploit (mod, an instantiated module) is suitable for the host (host)
|
||
|
# defined operating system. Returns true if the host.os isn't defined, if the module's target
|
||
|
# OS isn't defined, if the module's OS is "unix" and the host's OS is not "windows," or
|
||
|
# if the module's target is "php." Or, of course, in the event the host.os actually matches.
|
||
|
# This is a fail-open gate; if there's a doubt, assume the module will work on this target.
|
||
|
def exploit_matches_host_os(mod, host)
|
||
|
hos = host.os_name
|
||
|
return true if not hos
|
||
|
return true if hos.length == 0
|
||
|
|
||
|
set = mod.platform.split(',').map{ |x| x.downcase }
|
||
|
return true if set.length == 0
|
||
|
|
||
|
# Special cases
|
||
|
return true if set.include?("unix") and hos !~ /windows/i
|
||
|
|
||
|
# Skip archaic old HPUX bugs if we have a solid match against another OS
|
||
|
if set.include?("unix") and set.include?("hpux") and mod.refname.index("hpux") and hos =~ /linux|irix|solaris|aix|bsd/i
|
||
|
return false
|
||
|
end
|
||
|
|
||
|
# Skip AIX bugs if we have a solid match against another OS
|
||
|
if set.include?("unix") and set.include?("aix") and mod.refname.index("aix") and hos =~ /linux|irix|solaris|hpux|bsd/i
|
||
|
return false
|
||
|
end
|
||
|
|
||
|
# Skip IRIX bugs if we have a solid match against another OS
|
||
|
if set.include?("unix") and set.include?("irix") and mod.refname.index("irix") and hos =~ /linux|solaris|hpux|aix|bsd/i
|
||
|
return false
|
||
|
end
|
||
|
|
||
|
return true if set.include?("php")
|
||
|
|
||
|
set.each do |mos|
|
||
|
return true if hos.downcase.index(mos)
|
||
|
end
|
||
|
|
||
|
false
|
||
|
end
|
||
|
end
|