metasploit-framework/modules/auxiliary/scanner/x11/open_x11.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'


class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'		=> 'X11 No-Auth Scanner',
      'Description'	=> %q{
        This module scans for X11 servers that allow anyone
        to connect without authentication.
      },
      'Author'	=> ['tebo <tebodell[at]gmail.com>'],
      'References'	=>
        [
          ['OSVDB', '309'],
          ['CVE', '1999-0526'],
        ],
      'License'	=> MSF_LICENSE
    )

    register_options([
      Opt::RPORT(6000)
    ],self.class)
  end

  def run_host(ip)

    begin

      connect

      # X11.00 Null Auth Connect
      sock.put("\x6c\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00")
      response = sock.get_once

      disconnect

      if response
        success = response[0,1].unpack('C')[0]
      else
        print_error("No response received due to a timeout")
        return
      end


      if(success == 1)
        vendor_len = response[24,2].unpack('v')[0]
        vendor = response[40,vendor_len].unpack('A*')[0]
        print_good("#{ip} Open X Server (#{vendor})")
        # Add Report
        report_note(
          :host	=> ip,
          :proto => 'tcp',
          :sname	=> 'x11',
          :port	=> rport,
          :type	=> 'Open X Server',
          :data	=> "Open X Server (#{vendor})"
      )
      elsif (success == 0)
        print_error("#{ip} Access Denied")
      else
        # X can return a reason for auth failure but we don't really care for this
      end

    rescue ::Rex::ConnectionError
    rescue ::Errno::EPIPE
    end

  end

end
added aux module open_x11.rb provided by tebo. git-svn-id: file:///home/svn/framework3/trunk@5758 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-15 15:15:29 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
added aux module open_x11.rb provided by tebo. git-svn-id: file:///home/svn/framework3/trunk@5758 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-15 15:15:29 +00:00			`##`

			`require 'msf/core'`


use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Auxiliary`
added aux module open_x11.rb provided by tebo. git-svn-id: file:///home/svn/framework3/trunk@5758 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-15 15:15:29 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Auxiliary::Scanner`
			`include Msf::Auxiliary::Report`

			`def initialize`
			`super(`
			`'Name' => 'X11 No-Auth Scanner',`
			`'Description' => %q{`
			`This module scans for X11 servers that allow anyone`
			`to connect without authentication.`
			`},`
			`'Author' => ['tebo <tebodell[at]gmail.com>'],`
			`'References' =>`
			`[`
Revert "Land #6812, remove broken OSVDB references" This reverts commit 2b016e02165b7abf85c6847fcae2b6131f8a504d, reversing changes made to 7b1d9596c7c95097ef750407ff61f010714434a1. 2016-07-15 17:00:31 +00:00			`['OSVDB', '309'],`
Retab modules 2013-08-30 21:28:54 +00:00			`['CVE', '1999-0526'],`
			`],`
			`'License' => MSF_LICENSE`
			`)`

			`register_options([`
			`Opt::RPORT(6000)`
			`],self.class)`
			`end`

			`def run_host(ip)`

			`begin`

			`connect`

			`# X11.00 Null Auth Connect`
			`sock.put("\x6c\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00")`
			`response = sock.get_once`

			`disconnect`

Resolve #4408 - bad uncaught nil get_once 2014-12-17 18:46:12 +00:00			`if response`
Retab modules 2013-08-30 21:28:54 +00:00			`success = response[0,1].unpack('C')[0]`
Resolve #4408 - bad uncaught nil get_once 2014-12-17 18:46:12 +00:00			`else`
			`print_error("No response received due to a timeout")`
			`return`
Retab modules 2013-08-30 21:28:54 +00:00			`end`


			`if(success == 1)`
			`vendor_len = response[24,2].unpack('v')[0]`
			`vendor = response[40,vendor_len].unpack('A*')[0]`
print_{good,error} more specifically in open_x11 2016-10-31 16:29:00 +00:00			`print_good("#{ip} Open X Server (#{vendor})")`
yard doc and comment corrections for auxiliary 2015-04-03 11:12:23 +00:00			`# Add Report`
Retab modules 2013-08-30 21:28:54 +00:00			`report_note(`
			`:host => ip,`
			`:proto => 'tcp',`
			`:sname => 'x11',`
			`:port => rport,`
			`:type => 'Open X Server',`
			`:data => "Open X Server (#{vendor})"`
			`)`
			`elsif (success == 0)`
print_{good,error} more specifically in open_x11 2016-10-31 16:29:00 +00:00			`print_error("#{ip} Access Denied")`
Retab modules 2013-08-30 21:28:54 +00:00			`else`
			`# X can return a reason for auth failure but we don't really care for this`
			`end`

			`rescue ::Rex::ConnectionError`
			`rescue ::Errno::EPIPE`
			`end`

			`end`
added aux module open_x11.rb provided by tebo. git-svn-id: file:///home/svn/framework3/trunk@5758 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-15 15:15:29 +00:00
Switch to the new exception format git-svn-id: file:///home/svn/framework3/trunk@5880 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-11 05:12:52 +00:00			`end`