metasploit-framework/lib/msf/core/exploit/db2.rb

require 'msf/core'

module Msf

###
#
# This module exposes methods for querying a remote DB2 service
#
###
module Exploit::Remote::DB2

	include Exploit::Remote::Tcp

	#
	# Creates an instance of a DB2 exploit module.
	#
	def initialize(info = {})
		super

		# Register the options that all MSSQL exploits may make use of.
		register_options(
			[
				Opt::RHOST,
				Opt::RPORT(50000),
				OptString.new('USERNAME', [ false, 'The username to authenticate as', 'db2inst1']),
				OptString.new('PASSWORD', [ false, 'The password for the specified username', '']),
				OptString.new('DATABASE', [ true, 'The name of the target database', 'toolsdb'])
			], Msf::Exploit::Remote::DB2)

	end
	
	#
	# This method sends a TCP query packet to the server, using
	# datastore options and parses out the reply packet 
	# into a hash
	#
	def db2_probe(timeout=5)
		disconnect if self.sock
		connect

		probe_packet = Rex::Proto::DRDA::Utils.client_probe(datastore['DATABASE'])
		sock.put probe_packet
		resp = sock.get_once

		return {} if not resp
		return {} if resp.length == 0
		pkt = Rex::Proto::DRDA::SERVER_PACKET.new.read(resp)
		return Rex::Proto::DRDA::Utils.server_packet_info(pkt)
	end

	def db2_check_login(timeout=5)
		probe_data = db2_probe
		return probe_data unless probe_data[:plaintext_auth]
		login_packet = Rex::Proto::DRDA::Utils.client_auth(:dbname => datastore['DATABASE'],
																											 :dbuser => datastore['USERNAME'],
																											 :dbpass => datastore['PASSWORD'])
		sock.put login_packet
		resp = sock.get_once
		return {} if not resp
		return {} if resp.length == 0
		pkt = Rex::Proto::DRDA::SERVER_PACKET.new.read(resp)
		return Rex::Proto::DRDA::Utils.server_packet_info(pkt)
	end

end
end
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00			`require 'msf/core'`

			`module Msf`

			`###`
			`#`
			`# This module exposes methods for querying a remote DB2 service`
			`#`
			`###`
			`module Exploit::Remote::DB2`

			`include Exploit::Remote::Tcp`

			`#`
			`# Creates an instance of a DB2 exploit module.`
			`#`
			`def initialize(info = {})`
			`super`

			`# Register the options that all MSSQL exploits may make use of.`
			`register_options(`
			`[`
			`Opt::RHOST,`
			`Opt::RPORT(50000),`
			`OptString.new('USERNAME', [ false, 'The username to authenticate as', 'db2inst1']),`
			`OptString.new('PASSWORD', [ false, 'The password for the specified username', '']),`
			`OptString.new('DATABASE', [ true, 'The name of the target database', 'toolsdb'])`
			`], Msf::Exploit::Remote::DB2)`

			`end`

			`#`
			`# This method sends a TCP query packet to the server, using`
			`# datastore options and parses out the reply packet`
			`# into a hash`
			`#`
			`def db2_probe(timeout=5)`
			`disconnect if self.sock`
			`connect`

			`probe_packet = Rex::Proto::DRDA::Utils.client_probe(datastore['DATABASE'])`
			`sock.put probe_packet`
			`resp = sock.get_once`

			`return {} if not resp`
			`return {} if resp.length == 0`
			`pkt = Rex::Proto::DRDA::SERVER_PACKET.new.read(resp)`
			`return Rex::Proto::DRDA::Utils.server_packet_info(pkt)`
			`end`

			`def db2_check_login(timeout=5)`
			`probe_data = db2_probe`
			`return probe_data unless probe_data[:plaintext_auth]`
			`login_packet = Rex::Proto::DRDA::Utils.client_auth(:dbname => datastore['DATABASE'],`
			`:dbuser => datastore['USERNAME'],`
			`:dbpass => datastore['PASSWORD'])`
			`sock.put login_packet`
			`resp = sock.get_once`
			`return {} if not resp`
			`return {} if resp.length == 0`
			`pkt = Rex::Proto::DRDA::SERVER_PACKET.new.read(resp)`
			`return Rex::Proto::DRDA::Utils.server_packet_info(pkt)`
			`end`

			`end`
			`end`