Updates the autopwn matching algorithm to use multiple ports and service names

git-svn-id: file:///home/svn/framework3/trunk@7298 4d416f70-5f16-0410-b530-b9f4589650da

lib/msf/core/auxiliary.rb

@@ -109,6 +109,40 @@ class Auxiliary < Msf::Module
 	def autofilter
 		false
 	end
+	
+	#
+	# Provides a list of ports that can be used for matching this module 
+	# against target systems.
+	#
+	def autofilter_ports
+		@autofilter_ports || []
+	end
+	
+	#
+	# Provides a list of services that can be used for matching this module 
+	# against target systems.
+	#	
+	def autofilter_services
+		@autofilter_services || []	
+	end
+	
+	#
+	# Adds a port into the list of ports
+	#
+	def register_autofilter_ports(ports=[])
+		@autofilter_ports ||= []
+		@autofilter_ports << ports
+		@autofilter_ports.flatten!
+		@autofilter_ports.uniq!
+	end
+	
+	def register_autofilter_services(services=[])
+		@autofilter_services ||= []
+		@autofilter_services << services
+		@autofilter_services.flatten!
+		@autofilter_services.uniq!	
+	end
+	
 		
 	#
 	# Called directly before 'run'

lib/msf/core/exploit.rb

@@ -341,11 +341,11 @@ class Exploit < Msf::Module
 	end
 
 	#
-	# Performs last-minute sanity checking of exploit parameters. This method
+	# Performs last-minute sanity checking of auxiliary parameters. This method
 	# is called during automated exploitation attempts and allows an
-	# exploit to filter bad targets, obtain more information, and choose
-	# better targets based on the available data. Returning anything that
-	# evaluates to "false" will cause this specific exploit attempt to
+	# auxiliary module to filter bad attempts, obtain more information, and choose
+	# better parameters based on the available data. Returning anything that
+	# evaluates to "false" will cause this specific auxiliary attempt to
 	# be skipped. This method can and will change datastore values and
 	# may interact with the backend database.
 	#
@@ -353,6 +353,39 @@ class Exploit < Msf::Module
 		true
 	end
 	
+	#
+	# Provides a list of ports that can be used for matching this module 
+	# against target systems.
+	#
+	def autofilter_ports
+		@autofilter_ports || []
+	end
+	
+	#
+	# Provides a list of services that can be used for matching this module 
+	# against target systems.
+	#	
+	def autofilter_services
+		@autofilter_services || []	
+	end
+	
+	#
+	# Adds a port into the list of ports
+	#
+	def register_autofilter_ports(ports=[])
+		@autofilter_ports ||= []
+		@autofilter_ports << ports
+		@autofilter_ports.flatten!
+		@autofilter_ports.uniq!
+	end
+	
+	def register_autofilter_services(services=[])
+		@autofilter_services ||= []
+		@autofilter_services << services
+		@autofilter_services.flatten!
+		@autofilter_services.uniq!	
+	end
+	
 	#
 	# Prepares the module for exploitation, initializes any state, and starts
 	# the payload handler.

lib/msf/core/exploit/ftp.rb

@@ -26,6 +26,9 @@ module Exploit::Remote::Ftp
 				OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'anonymous']),
 				OptString.new('FTPPASS', [ false, 'The password for the specified username', 'mozilla@example.com'])
 			], Msf::Exploit::Remote::Ftp)
+			
+		register_autofilter_ports([ 21, 2121])
+		register_autofilter_services(%W{ ftp })				
 	end
 
 	#
@@ -153,4 +156,4 @@ protected
 
 end
 
-end
+end

lib/msf/core/exploit/http.rb

@@ -69,8 +69,11 @@ module Exploit::Remote::HttpClient
 #               OptInt.new('HTTP::junk_pipeline', [true, 'Insert the specified number of junk pipeline requests', 0]),
 			], self.class
 		)
+		register_autofilter_ports([ 80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443 ])
+		register_autofilter_services(%W{ http https })		
 	end
 
+	
 	#
 	# Connects to an HTTP server.
 	#

lib/msf/core/exploit/mssql.rb

@@ -31,8 +31,12 @@ module Exploit::Remote::MSSQL
 					File.join(Msf::Config.install_root, "data", "exploits", "mssql", "h2b")
 				])
 			], Msf::Exploit::Remote::MSSQL)
+			
+		register_autofilter_ports([ 1433, 1434, 1435, 14330, 2533, 9152, 2638] )
+		register_autofilter_services(%W{ ms-sql-s ms-sql2000 sybase })				
 	end
-	
+
+		
 	#
 	# This method sends a UDP query packet to the server and
 	# parses out the reply packet into a hash

lib/msf/core/exploit/smb.rb

@@ -57,8 +57,11 @@ module Exploit::Remote::SMB
 			Opt::RHOST,
 			OptInt.new('RPORT', [ true, 'Set the SMB service port', 445])	
 		], Msf::Exploit::Remote::SMB)
+		
+		register_autofilter_ports([ 139, 445])
+		register_autofilter_services(%W{ netbios-ssn microsoft-ds })		
 	end
-
+	
 	def connect(global=true)
 		
 		disconnect() if global

lib/msf/core/exploit/smtp.rb

@@ -26,6 +26,8 @@ module Exploit::Remote::Smtp
 				OptString.new('MAILFROM', [ true, 'FROM address of the e-mail', 'zombie@brains.net']),
 				OptString.new('MAILTO', [ true, 'TO address of the e-mail', 'human@ahhhzombies111.net']),
 			], Msf::Exploit::Remote::Smtp)
+		register_autofilter_ports([ 25, 465, 587, 2525, 25025, 25000])
+		register_autofilter_services(%W{ smtp smtps})			
 	end
 
 	#
@@ -70,7 +72,6 @@ module Exploit::Remote::Smtp
 		nsock.get_once
 	end
 
-	
 protected
 
 	#
@@ -81,4 +82,4 @@ protected
 
 end
 
-end
+end

lib/msf/core/exploit/smtp_deliver.rb

@@ -28,9 +28,10 @@ module Exploit::Remote::SMTPDeliver
 				OptString.new('MAILTO', [ true, 'The TO address of the e-mail']),
 				OptString.new('VERBOSE', [ false, 'Display verbose information']),
 			], Msf::Exploit::Remote::SMTPDeliver)
+		register_autofilter_ports([ 25, 465, 587, 2525, 25025, 25000])
+		register_autofilter_services(%W{ smtp smtps})
 	end
 
-
 	# This method connects to the server and sends a message
 	def send_message(data)
 

lib/msf/ui/console/command_dispatcher/db.rb

@@ -198,7 +198,7 @@ class Db
 					port_exc = Rex::Socket.portspec_crack(args.shift)
 				when '-m'
 					regx = args.shift
-				when '-h'
+				when '-h','--help'
 					print_status("Usage: db_autopwn [options]")
 					print_line("\t-h          Display this help text")
 					print_line("\t-t          Show all matching exploit modules")
@@ -260,23 +260,57 @@ class Db
 					# Match based on ports alone
 					#
 					if (mode & PWN_PORT != 0)
-						rport = e.datastore['RPORT']
-						if (rport)
-							framework.db.services.each do |serv|
-								next if not serv.host
+						rports = {}
+						rservs = {}
+						
+						if(e.datastore['RPORT'])
+							rports[e.datastore['RPORT'].to_s] = true
+						end
+
+						if(e.respond_to?('autofilter_ports'))
+							e.autofilter_ports.each do |rport|
+								rports[rport.to_s] = true 
+							end
+						end
+						
+						if(e.respond_to?('autofilter_services'))
+							e.autofilter_services.each do |serv|
+								rservs[serv] = true 
+							end
+						end	
+											
+						framework.db.services.each do |serv|
+							next if not serv.host
+
+							# Match port numbers
+							rports.keys.sort.each do |rport|
 								next if serv.port.to_i != rport.to_i
 								xport = serv.port
 								xprot = serv.proto
 								xhost = serv.host.address
 								next if (targ_inc.length > 0 and not range_include?(targ_inc, xhost))
 								next if (targ_exc.length > 0 and range_include?(targ_exc, xhost))
-							
+
 								next if (port_inc.length > 0 and not port_inc.include?(serv.port.to_i))
 								next if (port_exc.length > 0 and port_exc.include?(serv.port.to_i))
 								next if (regx and e.fullname !~ /#{regx}/)
-										
 								matches[[xport,xprot,xhost,mtype[1]+'/'+n]]=true
 							end
+
+							# Match service names 
+							rservs.keys.sort.each do |rserv|
+								next if serv.name.to_s != rserv
+								xport = serv.port
+								xprot = serv.proto
+								xhost = serv.host.address
+								next if (targ_inc.length > 0 and not range_include?(targ_inc, xhost))
+								next if (targ_exc.length > 0 and range_include?(targ_exc, xhost))
+
+								next if (port_inc.length > 0 and not port_inc.include?(serv.port.to_i))
+								next if (port_exc.length > 0 and port_exc.include?(serv.port.to_i))
+								next if (regx and e.fullname !~ /#{regx}/)
+								matches[[xport,xprot,xhost,mtype[1]+'/'+n]]=true
+							end								
 						end
 					end					
 				end