metasploit-framework/modules/auxiliary/scanner/rsync/modules_list.rb

182 lines
5.2 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
RSYNC_HEADER = '@RSYNCD:'
def initialize
super(
'Name' => 'List Rsync Modules',
'Description' => %q(
An rsync module is essentially a directory share. These modules can
optionally be protected by a password. This module connects to and
negotiates with an rsync server, lists the available modules and,
optionally, determines if the module requires a password to access.
),
'Author' => [
'ikkini', # original metasploit module
'Jon Hart <jon_hart[at]rapid7.com>' # improved metasploit module
],
2014-08-28 23:47:56 +00:00
'References' =>
[
['URL', 'http://rsync.samba.org/ftp/rsync/rsync.html']
],
'License' => MSF_LICENSE
)
register_options(
[
OptBool.new('TEST_AUTHENTICATION',
[ true, 'Test if the rsync module requires authentication', true ]),
2014-08-28 23:40:55 +00:00
Opt::RPORT(873)
], self.class)
end
2015-10-12 20:03:55 +00:00
def read_timeout
10
end
def rsync_requires_auth?(rmodule)
sock.puts("#{rmodule}\n")
res = sock.get_once
if res && (res =~ /^#{RSYNC_HEADER} AUTHREQD/)
true
else
false
end
end
2015-10-12 18:19:31 +00:00
def rsync_list
sock.puts("#list\n")
2015-11-04 17:01:07 +00:00
listing_metadata = []
2015-10-12 18:19:31 +00:00
# the module listing is the module name and comment separated by a tab, each module
# on its own line, lines separated with a newline
2015-10-12 20:03:55 +00:00
sock.get(read_timeout).split(/\n/).map(&:strip).map do |module_line|
next if module_line =~ /^#{RSYNC_HEADER} EXIT$/
2015-11-02 17:14:41 +00:00
name, comment = module_line.split(/\t/).map(&:strip)
next unless name
2015-11-04 17:01:07 +00:00
listing_metadata << { name: name, comment: comment }
2015-10-12 18:19:31 +00:00
end
2015-10-12 20:03:55 +00:00
2015-11-04 17:01:07 +00:00
listing_metadata
2015-10-12 18:19:31 +00:00
end
# Attempts to negotiate the rsync protocol with the endpoint.
def rsync_negotiate(get_motd)
2015-10-30 20:13:44 +00:00
# rsync is promiscuous and will send the negotitation and motd
# upon connecting. abort if we get nothing
return unless (greeting = sock.get_once)
2014-08-28 23:40:55 +00:00
# parse the greeting control and data lines. With some systems, the data
# lines at this point will be the motd.
greeting_control_lines, greeting_data_lines = rsync_parse_lines(greeting)
2015-10-12 20:03:55 +00:00
2015-10-30 20:13:44 +00:00
# locate the rsync negotiation and complete it by just echo'ing
# back the same rsync version that it sent us
version = nil
greeting_control_lines.map do |greeting_control_line|
if /^#{RSYNC_HEADER} (?<version>\d+(\.\d+)?)$/ =~ greeting_control_line
version = Regexp.last_match('version')
sock.puts("#{RSYNC_HEADER} #{version}\n")
2015-10-12 20:03:55 +00:00
end
end
2015-10-30 20:13:44 +00:00
unless version
vprint_error("#{ip}:#{rport} - no rsync negotation found")
return
end
motd_lines = greeting_data_lines
if get_motd
_, post_neg_data_lines = rsync_parse_lines(sock.get_once)
motd_lines |= post_neg_data_lines
end
2015-11-02 17:18:10 +00:00
[ version, motd_lines.empty? ? nil : motd_lines.join("\n") ]
end
# parses the control and data lines from the provided response data
def rsync_parse_lines(response_data)
control_lines = []
data_lines = []
if response_data
response_data.strip!
response_data.split(/\n/).map do |line|
if line =~ /^#{RSYNC_HEADER}/
control_lines << line
else
data_lines << line
end
end
end
[ control_lines, data_lines ]
2015-10-12 18:19:31 +00:00
end
def run_host(ip)
2015-10-12 20:03:55 +00:00
connect
version, motd = rsync_negotiate(true)
2015-10-12 20:03:55 +00:00
unless version
2015-10-30 19:39:06 +00:00
vprint_error("#{ip}:#{rport} - does not appear to be rsync")
2015-10-12 18:19:31 +00:00
disconnect
return
end
2014-10-18 22:29:36 +00:00
2015-10-12 20:03:55 +00:00
info = "rsync protocol version #{version}"
info += ", MOTD '#{motd}'" if motd
2015-10-12 17:56:21 +00:00
report_service(
2015-10-12 16:05:01 +00:00
host: ip,
port: rport,
2015-10-12 17:56:21 +00:00
proto: 'tcp',
name: 'rsync',
2015-10-12 20:03:55 +00:00
info: info
2014-08-28 23:40:55 +00:00
)
2015-10-12 20:03:55 +00:00
vprint_good("#{ip}:#{rport} - rsync MOTD: #{motd}") if motd
2014-08-28 23:40:55 +00:00
2015-11-04 17:01:07 +00:00
listing_metadata = rsync_list
disconnect
2015-11-04 17:01:07 +00:00
if listing_metadata.empty?
2015-10-12 20:03:55 +00:00
print_status("#{ip}:#{rport} - rsync #{version}: no modules found")
else
2015-11-04 17:01:07 +00:00
modules = listing_metadata.map { |m| m[:name] }
print_good("#{ip}:#{rport} - rsync #{version}: #{modules.size} modules found: #{modules.join(', ')}")
table_columns = %w(Name Comment)
if datastore['TEST_AUTHENTICATION']
table_columns << 'Authentication?'
2015-11-04 17:01:07 +00:00
listing_metadata.each do |module_metadata|
connect
rsync_negotiate(false)
2015-11-04 17:01:07 +00:00
module_metadata[:authentication?] = rsync_requires_auth?(module_metadata[:name])
disconnect
end
end
# build a table to store the module listing in
listing_table = Msf::Ui::Console::Table.new(
Msf::Ui::Console::Table::Style::Default,
2015-10-12 20:03:55 +00:00
'Header' => "rsync modules for #{ip}:#{rport}",
'Columns' => table_columns,
2015-11-04 17:01:07 +00:00
'Rows' => listing_metadata.map(&:values)
2015-10-12 18:19:31 +00:00
)
vprint_line(listing_table.to_s)
report_note(
host: ip,
proto: 'tcp',
port: rport,
2015-10-12 17:56:21 +00:00
type: 'rsync_modules',
2015-11-04 17:01:07 +00:00
data: { modules: listing_metadata }
)
end
end
end