Updates the autopwn matching algorithm to use multiple ports and service names

git-svn-id: file:///home/svn/framework3/trunk@7298 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2009-10-28 18:04:50 +00:00
parent a41b1db7de
commit 3cf4329335
9 changed files with 133 additions and 17 deletions

View File

@ -109,6 +109,40 @@ class Auxiliary < Msf::Module
def autofilter
false
end
#
# Provides a list of ports that can be used for matching this module
# against target systems.
#
def autofilter_ports
@autofilter_ports || []
end
#
# Provides a list of services that can be used for matching this module
# against target systems.
#
def autofilter_services
@autofilter_services || []
end
#
# Adds a port into the list of ports
#
def register_autofilter_ports(ports=[])
@autofilter_ports ||= []
@autofilter_ports << ports
@autofilter_ports.flatten!
@autofilter_ports.uniq!
end
def register_autofilter_services(services=[])
@autofilter_services ||= []
@autofilter_services << services
@autofilter_services.flatten!
@autofilter_services.uniq!
end
#
# Called directly before 'run'

View File

@ -341,11 +341,11 @@ class Exploit < Msf::Module
end
#
# Performs last-minute sanity checking of exploit parameters. This method
# Performs last-minute sanity checking of auxiliary parameters. This method
# is called during automated exploitation attempts and allows an
# exploit to filter bad targets, obtain more information, and choose
# better targets based on the available data. Returning anything that
# evaluates to "false" will cause this specific exploit attempt to
# auxiliary module to filter bad attempts, obtain more information, and choose
# better parameters based on the available data. Returning anything that
# evaluates to "false" will cause this specific auxiliary attempt to
# be skipped. This method can and will change datastore values and
# may interact with the backend database.
#
@ -353,6 +353,39 @@ class Exploit < Msf::Module
true
end
#
# Provides a list of ports that can be used for matching this module
# against target systems.
#
def autofilter_ports
@autofilter_ports || []
end
#
# Provides a list of services that can be used for matching this module
# against target systems.
#
def autofilter_services
@autofilter_services || []
end
#
# Adds a port into the list of ports
#
def register_autofilter_ports(ports=[])
@autofilter_ports ||= []
@autofilter_ports << ports
@autofilter_ports.flatten!
@autofilter_ports.uniq!
end
def register_autofilter_services(services=[])
@autofilter_services ||= []
@autofilter_services << services
@autofilter_services.flatten!
@autofilter_services.uniq!
end
#
# Prepares the module for exploitation, initializes any state, and starts
# the payload handler.

View File

@ -26,6 +26,9 @@ module Exploit::Remote::Ftp
OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'anonymous']),
OptString.new('FTPPASS', [ false, 'The password for the specified username', 'mozilla@example.com'])
], Msf::Exploit::Remote::Ftp)
register_autofilter_ports([ 21, 2121])
register_autofilter_services(%W{ ftp })
end
#
@ -153,4 +156,4 @@ protected
end
end
end

View File

@ -69,8 +69,11 @@ module Exploit::Remote::HttpClient
# OptInt.new('HTTP::junk_pipeline', [true, 'Insert the specified number of junk pipeline requests', 0]),
], self.class
)
register_autofilter_ports([ 80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443 ])
register_autofilter_services(%W{ http https })
end
#
# Connects to an HTTP server.
#

View File

@ -31,8 +31,12 @@ module Exploit::Remote::MSSQL
File.join(Msf::Config.install_root, "data", "exploits", "mssql", "h2b")
])
], Msf::Exploit::Remote::MSSQL)
register_autofilter_ports([ 1433, 1434, 1435, 14330, 2533, 9152, 2638] )
register_autofilter_services(%W{ ms-sql-s ms-sql2000 sybase })
end
#
# This method sends a UDP query packet to the server and
# parses out the reply packet into a hash

View File

@ -57,8 +57,11 @@ module Exploit::Remote::SMB
Opt::RHOST,
OptInt.new('RPORT', [ true, 'Set the SMB service port', 445])
], Msf::Exploit::Remote::SMB)
register_autofilter_ports([ 139, 445])
register_autofilter_services(%W{ netbios-ssn microsoft-ds })
end
def connect(global=true)
disconnect() if global

View File

@ -26,6 +26,8 @@ module Exploit::Remote::Smtp
OptString.new('MAILFROM', [ true, 'FROM address of the e-mail', 'zombie@brains.net']),
OptString.new('MAILTO', [ true, 'TO address of the e-mail', 'human@ahhhzombies111.net']),
], Msf::Exploit::Remote::Smtp)
register_autofilter_ports([ 25, 465, 587, 2525, 25025, 25000])
register_autofilter_services(%W{ smtp smtps})
end
#
@ -70,7 +72,6 @@ module Exploit::Remote::Smtp
nsock.get_once
end
protected
#
@ -81,4 +82,4 @@ protected
end
end
end

View File

@ -28,9 +28,10 @@ module Exploit::Remote::SMTPDeliver
OptString.new('MAILTO', [ true, 'The TO address of the e-mail']),
OptString.new('VERBOSE', [ false, 'Display verbose information']),
], Msf::Exploit::Remote::SMTPDeliver)
register_autofilter_ports([ 25, 465, 587, 2525, 25025, 25000])
register_autofilter_services(%W{ smtp smtps})
end
# This method connects to the server and sends a message
def send_message(data)

View File

@ -198,7 +198,7 @@ class Db
port_exc = Rex::Socket.portspec_crack(args.shift)
when '-m'
regx = args.shift
when '-h'
when '-h','--help'
print_status("Usage: db_autopwn [options]")
print_line("\t-h Display this help text")
print_line("\t-t Show all matching exploit modules")
@ -260,23 +260,57 @@ class Db
# Match based on ports alone
#
if (mode & PWN_PORT != 0)
rport = e.datastore['RPORT']
if (rport)
framework.db.services.each do |serv|
next if not serv.host
rports = {}
rservs = {}
if(e.datastore['RPORT'])
rports[e.datastore['RPORT'].to_s] = true
end
if(e.respond_to?('autofilter_ports'))
e.autofilter_ports.each do |rport|
rports[rport.to_s] = true
end
end
if(e.respond_to?('autofilter_services'))
e.autofilter_services.each do |serv|
rservs[serv] = true
end
end
framework.db.services.each do |serv|
next if not serv.host
# Match port numbers
rports.keys.sort.each do |rport|
next if serv.port.to_i != rport.to_i
xport = serv.port
xprot = serv.proto
xhost = serv.host.address
next if (targ_inc.length > 0 and not range_include?(targ_inc, xhost))
next if (targ_exc.length > 0 and range_include?(targ_exc, xhost))
next if (port_inc.length > 0 and not port_inc.include?(serv.port.to_i))
next if (port_exc.length > 0 and port_exc.include?(serv.port.to_i))
next if (regx and e.fullname !~ /#{regx}/)
matches[[xport,xprot,xhost,mtype[1]+'/'+n]]=true
end
# Match service names
rservs.keys.sort.each do |rserv|
next if serv.name.to_s != rserv
xport = serv.port
xprot = serv.proto
xhost = serv.host.address
next if (targ_inc.length > 0 and not range_include?(targ_inc, xhost))
next if (targ_exc.length > 0 and range_include?(targ_exc, xhost))
next if (port_inc.length > 0 and not port_inc.include?(serv.port.to_i))
next if (port_exc.length > 0 and port_exc.include?(serv.port.to_i))
next if (regx and e.fullname !~ /#{regx}/)
matches[[xport,xprot,xhost,mtype[1]+'/'+n]]=true
end
end
end
end