Updates the autopwn matching algorithm to use multiple ports and service names
git-svn-id: file:///home/svn/framework3/trunk@7298 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
a41b1db7de
commit
3cf4329335
|
@ -110,6 +110,40 @@ class Auxiliary < Msf::Module
|
||||||
false
|
false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Provides a list of ports that can be used for matching this module
|
||||||
|
# against target systems.
|
||||||
|
#
|
||||||
|
def autofilter_ports
|
||||||
|
@autofilter_ports || []
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Provides a list of services that can be used for matching this module
|
||||||
|
# against target systems.
|
||||||
|
#
|
||||||
|
def autofilter_services
|
||||||
|
@autofilter_services || []
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adds a port into the list of ports
|
||||||
|
#
|
||||||
|
def register_autofilter_ports(ports=[])
|
||||||
|
@autofilter_ports ||= []
|
||||||
|
@autofilter_ports << ports
|
||||||
|
@autofilter_ports.flatten!
|
||||||
|
@autofilter_ports.uniq!
|
||||||
|
end
|
||||||
|
|
||||||
|
def register_autofilter_services(services=[])
|
||||||
|
@autofilter_services ||= []
|
||||||
|
@autofilter_services << services
|
||||||
|
@autofilter_services.flatten!
|
||||||
|
@autofilter_services.uniq!
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Called directly before 'run'
|
# Called directly before 'run'
|
||||||
#
|
#
|
||||||
|
|
|
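Review bot: The four autofilter methods added here are repeated line for line in the Exploit hunk at -353,6, so the two copies can drift apart; a small shared module included by both classes would keep a single definition. The header `# Adds a port into the list of ports` understates the contract, since the method appends an array, flattens nested arrays and removes duplicates, and `register_autofilter_services` has no comment at all. Both register methods also end on `uniq!`, which returns nil when nothing was removed, so ending each with the instance variable (for example `@autofilter_ports`) would give callers a stable return value.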
@ -341,11 +341,11 @@ class Exploit < Msf::Module
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# Performs last-minute sanity checking of exploit parameters. This method
|
# Performs last-minute sanity checking of auxiliary parameters. This method
|
||||||
# is called during automated exploitation attempts and allows an
|
# is called during automated exploitation attempts and allows an
|
||||||
# exploit to filter bad targets, obtain more information, and choose
|
# auxiliary module to filter bad attempts, obtain more information, and choose
|
||||||
# better targets based on the available data. Returning anything that
|
# better parameters based on the available data. Returning anything that
|
||||||
# evaluates to "false" will cause this specific exploit attempt to
|
# evaluates to "false" will cause this specific auxiliary attempt to
|
||||||
# be skipped. This method can and will change datastore values and
|
# be skipped. This method can and will change datastore values and
|
||||||
# may interact with the backend database.
|
# may interact with the backend database.
|
||||||
#
|
#
|
||||||
|
@ -353,6 +353,39 @@ class Exploit < Msf::Module
|
||||||
true
|
true
|
||||||
end
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Provides a list of ports that can be used for matching this module
|
||||||
|
# against target systems.
|
||||||
|
#
|
||||||
|
def autofilter_ports
|
||||||
|
@autofilter_ports || []
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Provides a list of services that can be used for matching this module
|
||||||
|
# against target systems.
|
||||||
|
#
|
||||||
|
def autofilter_services
|
||||||
|
@autofilter_services || []
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Adds a port into the list of ports
|
||||||
|
#
|
||||||
|
def register_autofilter_ports(ports=[])
|
||||||
|
@autofilter_ports ||= []
|
||||||
|
@autofilter_ports << ports
|
||||||
|
@autofilter_ports.flatten!
|
||||||
|
@autofilter_ports.uniq!
|
||||||
|
end
|
||||||
|
|
||||||
|
def register_autofilter_services(services=[])
|
||||||
|
@autofilter_services ||= []
|
||||||
|
@autofilter_services << services
|
||||||
|
@autofilter_services.flatten!
|
||||||
|
@autofilter_services.uniq!
|
||||||
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# Prepares the module for exploitation, initializes any state, and starts
|
# Prepares the module for exploitation, initializes any state, and starts
|
||||||
# the payload handler.
|
# the payload handler.
|
||||||
|
|
|
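Review bot: The comment block in the -341,11 hunk now reads as if it documented an auxiliary module (`auxiliary parameters`, `auxiliary module to filter bad attempts`, `this specific auxiliary attempt`), although the hunk header places it in `class Exploit < Msf::Module`. Assuming the second cell of each row is the new side, as it is in the other hunks on this page, the wording looks carried over from the Auxiliary class and should stay `exploit` here. The method that the comment describes lies outside the hunk.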
@ -26,6 +26,9 @@ module Exploit::Remote::Ftp
|
||||||
OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'anonymous']),
|
OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'anonymous']),
|
||||||
OptString.new('FTPPASS', [ false, 'The password for the specified username', 'mozilla@example.com'])
|
OptString.new('FTPPASS', [ false, 'The password for the specified username', 'mozilla@example.com'])
|
||||||
], Msf::Exploit::Remote::Ftp)
|
], Msf::Exploit::Remote::Ftp)
|
||||||
|
|
||||||
|
register_autofilter_ports([ 21, 2121])
|
||||||
|
register_autofilter_services(%W{ ftp })
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
|
|
|
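Review bot: `%W{ ftp }` is the interpolating word-array literal, and nothing in the list is interpolated, so the non-interpolating form states the intent more plainly: `register_autofilter_services(%w[ftp])`. The same applies to the `%W{...}` calls added in the HttpClient, MSSQL, SMB, Smtp and SMTPDeliver hunks. The enclosing method starts outside the hunk.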
@ -69,8 +69,11 @@ module Exploit::Remote::HttpClient
|
||||||
# OptInt.new('HTTP::junk_pipeline', [true, 'Insert the specified number of junk pipeline requests', 0]),
|
# OptInt.new('HTTP::junk_pipeline', [true, 'Insert the specified number of junk pipeline requests', 0]),
|
||||||
], self.class
|
], self.class
|
||||||
)
|
)
|
||||||
|
register_autofilter_ports([ 80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443 ])
|
||||||
|
register_autofilter_services(%W{ http https })
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Connects to an HTTP server.
|
# Connects to an HTTP server.
|
||||||
#
|
#
|
||||||
|
|
|
@ -31,8 +31,12 @@ module Exploit::Remote::MSSQL
|
||||||
File.join(Msf::Config.install_root, "data", "exploits", "mssql", "h2b")
|
File.join(Msf::Config.install_root, "data", "exploits", "mssql", "h2b")
|
||||||
])
|
])
|
||||||
], Msf::Exploit::Remote::MSSQL)
|
], Msf::Exploit::Remote::MSSQL)
|
||||||
|
|
||||||
|
register_autofilter_ports([ 1433, 1434, 1435, 14330, 2533, 9152, 2638] )
|
||||||
|
register_autofilter_services(%W{ ms-sql-s ms-sql2000 sybase })
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# This method sends a UDP query packet to the server and
|
# This method sends a UDP query packet to the server and
|
||||||
# parses out the reply packet into a hash
|
# parses out the reply packet into a hash
|
||||||
|
|
|
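Review bot: The ports registered here carry no transport protocol, and the matching loop visible in the Db hunk compares only `serv.port.to_i`, so a TCP and a UDP service on the same number are treated alike. That matters for this list if some entries belong to the UDP query service mentioned in the comment below rather than to the TCP listener; the hunk does not say which is which. A comment naming the protocol for each port, or a `serv.proto` comparison next to the port check, would make the intended scope explicit.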
@ -57,6 +57,9 @@ module Exploit::Remote::SMB
|
||||||
Opt::RHOST,
|
Opt::RHOST,
|
||||||
OptInt.new('RPORT', [ true, 'Set the SMB service port', 445])
|
OptInt.new('RPORT', [ true, 'Set the SMB service port', 445])
|
||||||
], Msf::Exploit::Remote::SMB)
|
], Msf::Exploit::Remote::SMB)
|
||||||
|
|
||||||
|
register_autofilter_ports([ 139, 445])
|
||||||
|
register_autofilter_services(%W{ netbios-ssn microsoft-ds })
|
||||||
end
|
end
|
||||||
|
|
||||||
def connect(global=true)
|
def connect(global=true)
|
||||||
|
|
|
@ -26,6 +26,8 @@ module Exploit::Remote::Smtp
|
||||||
OptString.new('MAILFROM', [ true, 'FROM address of the e-mail', 'zombie@brains.net']),
|
OptString.new('MAILFROM', [ true, 'FROM address of the e-mail', 'zombie@brains.net']),
|
||||||
OptString.new('MAILTO', [ true, 'TO address of the e-mail', 'human@ahhhzombies111.net']),
|
OptString.new('MAILTO', [ true, 'TO address of the e-mail', 'human@ahhhzombies111.net']),
|
||||||
], Msf::Exploit::Remote::Smtp)
|
], Msf::Exploit::Remote::Smtp)
|
||||||
|
register_autofilter_ports([ 25, 465, 587, 2525, 25025, 25000])
|
||||||
|
register_autofilter_services(%W{ smtp smtps})
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -70,7 +72,6 @@ module Exploit::Remote::Smtp
|
||||||
nsock.get_once
|
nsock.get_once
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
protected
|
protected
|
||||||
|
|
||||||
#
|
#
|
||||||
|
|
|
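Review bot: The port list `[ 25, 465, 587, 2525, 25025, 25000]` and the service list `%W{ smtp smtps}` are repeated verbatim in the SMTPDeliver hunk, so a later change to one mixin can silently leave the other behind. Defining each list once as a frozen constant and passing it from both mixins would keep them in step. The second hunk of this section only drops a blank line and needs no comment.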
@ -28,9 +28,10 @@ module Exploit::Remote::SMTPDeliver
|
||||||
OptString.new('MAILTO', [ true, 'The TO address of the e-mail']),
|
OptString.new('MAILTO', [ true, 'The TO address of the e-mail']),
|
||||||
OptString.new('VERBOSE', [ false, 'Display verbose information']),
|
OptString.new('VERBOSE', [ false, 'Display verbose information']),
|
||||||
], Msf::Exploit::Remote::SMTPDeliver)
|
], Msf::Exploit::Remote::SMTPDeliver)
|
||||||
|
register_autofilter_ports([ 25, 465, 587, 2525, 25025, 25000])
|
||||||
|
register_autofilter_services(%W{ smtp smtps})
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
# This method connects to the server and sends a message
|
# This method connects to the server and sends a message
|
||||||
def send_message(data)
|
def send_message(data)
|
||||||
|
|
||||||
|
|
|
@ -198,7 +198,7 @@ class Db
|
||||||
port_exc = Rex::Socket.portspec_crack(args.shift)
|
port_exc = Rex::Socket.portspec_crack(args.shift)
|
||||||
when '-m'
|
when '-m'
|
||||||
regx = args.shift
|
regx = args.shift
|
||||||
when '-h'
|
when '-h','--help'
|
||||||
print_status("Usage: db_autopwn [options]")
|
print_status("Usage: db_autopwn [options]")
|
||||||
print_line("\t-h Display this help text")
|
print_line("\t-h Display this help text")
|
||||||
print_line("\t-t Show all matching exploit modules")
|
print_line("\t-t Show all matching exploit modules")
|
||||||
|
@ -260,10 +260,30 @@ class Db
|
||||||
# Match based on ports alone
|
# Match based on ports alone
|
||||||
#
|
#
|
||||||
if (mode & PWN_PORT != 0)
|
if (mode & PWN_PORT != 0)
|
||||||
rport = e.datastore['RPORT']
|
rports = {}
|
||||||
if (rport)
|
rservs = {}
|
||||||
|
|
||||||
|
if(e.datastore['RPORT'])
|
||||||
|
rports[e.datastore['RPORT'].to_s] = true
|
||||||
|
end
|
||||||
|
|
||||||
|
if(e.respond_to?('autofilter_ports'))
|
||||||
|
e.autofilter_ports.each do |rport|
|
||||||
|
rports[rport.to_s] = true
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
if(e.respond_to?('autofilter_services'))
|
||||||
|
e.autofilter_services.each do |serv|
|
||||||
|
rservs[serv] = true
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
framework.db.services.each do |serv|
|
framework.db.services.each do |serv|
|
||||||
next if not serv.host
|
next if not serv.host
|
||||||
|
|
||||||
|
# Match port numbers
|
||||||
|
rports.keys.sort.each do |rport|
|
||||||
next if serv.port.to_i != rport.to_i
|
next if serv.port.to_i != rport.to_i
|
||||||
xport = serv.port
|
xport = serv.port
|
||||||
xprot = serv.proto
|
xprot = serv.proto
|
||||||
|
@ -274,7 +294,21 @@ class Db
|
||||||
next if (port_inc.length > 0 and not port_inc.include?(serv.port.to_i))
|
next if (port_inc.length > 0 and not port_inc.include?(serv.port.to_i))
|
||||||
next if (port_exc.length > 0 and port_exc.include?(serv.port.to_i))
|
next if (port_exc.length > 0 and port_exc.include?(serv.port.to_i))
|
||||||
next if (regx and e.fullname !~ /#{regx}/)
|
next if (regx and e.fullname !~ /#{regx}/)
|
||||||
|
matches[[xport,xprot,xhost,mtype[1]+'/'+n]]=true
|
||||||
|
end
|
||||||
|
|
||||||
|
# Match service names
|
||||||
|
rservs.keys.sort.each do |rserv|
|
||||||
|
next if serv.name.to_s != rserv
|
||||||
|
xport = serv.port
|
||||||
|
xprot = serv.proto
|
||||||
|
xhost = serv.host.address
|
||||||
|
next if (targ_inc.length > 0 and not range_include?(targ_inc, xhost))
|
||||||
|
next if (targ_exc.length > 0 and range_include?(targ_exc, xhost))
|
||||||
|
|
||||||
|
next if (port_inc.length > 0 and not port_inc.include?(serv.port.to_i))
|
||||||
|
next if (port_exc.length > 0 and port_exc.include?(serv.port.to_i))
|
||||||
|
next if (regx and e.fullname !~ /#{regx}/)
|
||||||
matches[[xport,xprot,xhost,mtype[1]+'/'+n]]=true
|
matches[[xport,xprot,xhost,mtype[1]+'/'+n]]=true
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
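Review bot: Service-name matching is added inside the `if (mode & PWN_PORT != 0)` branch, whose comment still reads `# Match based on ports alone`. An operator who selects port matching therefore also gets modules matched on the service name stored in the database, on whatever port that service was recorded, and the usage text in the -198 hunk does not mention this. Because it widens the set of hosts an automated run touches, the comment should become `# Match based on ports and service names` and the help output should say so; a separate mode flag would let the operator keep port-only scope. The new `rservs` loop also repeats the port loop's include/exclude and `regx` filters line for line, which a shared helper would avoid. The enclosing method begins and ends outside these hunks.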