Updates the autopwn matching algorithm to use multiple ports and service names
git-svn-id: file:///home/svn/framework3/trunk@7298 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
a41b1db7de
commit
3cf4329335
|
@ -110,6 +110,40 @@ class Auxiliary < Msf::Module
|
|||
false
|
||||
end
|
||||
|
||||
#
|
||||
# Provides a list of ports that can be used for matching this module
|
||||
# against target systems.
|
||||
#
|
||||
def autofilter_ports
|
||||
@autofilter_ports || []
|
||||
end
|
||||
|
||||
#
|
||||
# Provides a list of services that can be used for matching this module
|
||||
# against target systems.
|
||||
#
|
||||
def autofilter_services
|
||||
@autofilter_services || []
|
||||
end
|
||||
|
||||
#
|
||||
# Adds a port into the list of ports
|
||||
#
|
||||
def register_autofilter_ports(ports=[])
|
||||
@autofilter_ports ||= []
|
||||
@autofilter_ports << ports
|
||||
@autofilter_ports.flatten!
|
||||
@autofilter_ports.uniq!
|
||||
end
|
||||
|
||||
def register_autofilter_services(services=[])
|
||||
@autofilter_services ||= []
|
||||
@autofilter_services << services
|
||||
@autofilter_services.flatten!
|
||||
@autofilter_services.uniq!
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Called directly before 'run'
|
||||
#
|
||||
|
|
|
@ -341,11 +341,11 @@ class Exploit < Msf::Module
|
|||
end
|
||||
|
||||
#
|
||||
# Performs last-minute sanity checking of exploit parameters. This method
|
||||
# Performs last-minute sanity checking of auxiliary parameters. This method
|
||||
# is called during automated exploitation attempts and allows an
|
||||
# exploit to filter bad targets, obtain more information, and choose
|
||||
# better targets based on the available data. Returning anything that
|
||||
# evaluates to "false" will cause this specific exploit attempt to
|
||||
# auxiliary module to filter bad attempts, obtain more information, and choose
|
||||
# better parameters based on the available data. Returning anything that
|
||||
# evaluates to "false" will cause this specific auxiliary attempt to
|
||||
# be skipped. This method can and will change datastore values and
|
||||
# may interact with the backend database.
|
||||
#
|
||||
|
@ -353,6 +353,39 @@ class Exploit < Msf::Module
|
|||
true
|
||||
end
|
||||
|
||||
#
|
||||
# Provides a list of ports that can be used for matching this module
|
||||
# against target systems.
|
||||
#
|
||||
def autofilter_ports
|
||||
@autofilter_ports || []
|
||||
end
|
||||
|
||||
#
|
||||
# Provides a list of services that can be used for matching this module
|
||||
# against target systems.
|
||||
#
|
||||
def autofilter_services
|
||||
@autofilter_services || []
|
||||
end
|
||||
|
||||
#
|
||||
# Adds a port into the list of ports
|
||||
#
|
||||
def register_autofilter_ports(ports=[])
|
||||
@autofilter_ports ||= []
|
||||
@autofilter_ports << ports
|
||||
@autofilter_ports.flatten!
|
||||
@autofilter_ports.uniq!
|
||||
end
|
||||
|
||||
def register_autofilter_services(services=[])
|
||||
@autofilter_services ||= []
|
||||
@autofilter_services << services
|
||||
@autofilter_services.flatten!
|
||||
@autofilter_services.uniq!
|
||||
end
|
||||
|
||||
#
|
||||
# Prepares the module for exploitation, initializes any state, and starts
|
||||
# the payload handler.
|
||||
|
|
|
@ -26,6 +26,9 @@ module Exploit::Remote::Ftp
|
|||
OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'anonymous']),
|
||||
OptString.new('FTPPASS', [ false, 'The password for the specified username', 'mozilla@example.com'])
|
||||
], Msf::Exploit::Remote::Ftp)
|
||||
|
||||
register_autofilter_ports([ 21, 2121])
|
||||
register_autofilter_services(%W{ ftp })
|
||||
end
|
||||
|
||||
#
|
||||
|
|
|
@ -69,8 +69,11 @@ module Exploit::Remote::HttpClient
|
|||
# OptInt.new('HTTP::junk_pipeline', [true, 'Insert the specified number of junk pipeline requests', 0]),
|
||||
], self.class
|
||||
)
|
||||
register_autofilter_ports([ 80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443 ])
|
||||
register_autofilter_services(%W{ http https })
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Connects to an HTTP server.
|
||||
#
|
||||
|
|
|
@ -31,8 +31,12 @@ module Exploit::Remote::MSSQL
|
|||
File.join(Msf::Config.install_root, "data", "exploits", "mssql", "h2b")
|
||||
])
|
||||
], Msf::Exploit::Remote::MSSQL)
|
||||
|
||||
register_autofilter_ports([ 1433, 1434, 1435, 14330, 2533, 9152, 2638] )
|
||||
register_autofilter_services(%W{ ms-sql-s ms-sql2000 sybase })
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# This method sends a UDP query packet to the server and
|
||||
# parses out the reply packet into a hash
|
||||
|
|
|
@ -57,6 +57,9 @@ module Exploit::Remote::SMB
|
|||
Opt::RHOST,
|
||||
OptInt.new('RPORT', [ true, 'Set the SMB service port', 445])
|
||||
], Msf::Exploit::Remote::SMB)
|
||||
|
||||
register_autofilter_ports([ 139, 445])
|
||||
register_autofilter_services(%W{ netbios-ssn microsoft-ds })
|
||||
end
|
||||
|
||||
def connect(global=true)
|
||||
|
|
|
@ -26,6 +26,8 @@ module Exploit::Remote::Smtp
|
|||
OptString.new('MAILFROM', [ true, 'FROM address of the e-mail', 'zombie@brains.net']),
|
||||
OptString.new('MAILTO', [ true, 'TO address of the e-mail', 'human@ahhhzombies111.net']),
|
||||
], Msf::Exploit::Remote::Smtp)
|
||||
register_autofilter_ports([ 25, 465, 587, 2525, 25025, 25000])
|
||||
register_autofilter_services(%W{ smtp smtps})
|
||||
end
|
||||
|
||||
#
|
||||
|
@ -70,7 +72,6 @@ module Exploit::Remote::Smtp
|
|||
nsock.get_once
|
||||
end
|
||||
|
||||
|
||||
protected
|
||||
|
||||
#
|
||||
|
|
|
@ -28,9 +28,10 @@ module Exploit::Remote::SMTPDeliver
|
|||
OptString.new('MAILTO', [ true, 'The TO address of the e-mail']),
|
||||
OptString.new('VERBOSE', [ false, 'Display verbose information']),
|
||||
], Msf::Exploit::Remote::SMTPDeliver)
|
||||
register_autofilter_ports([ 25, 465, 587, 2525, 25025, 25000])
|
||||
register_autofilter_services(%W{ smtp smtps})
|
||||
end
|
||||
|
||||
|
||||
# This method connects to the server and sends a message
|
||||
def send_message(data)
|
||||
|
||||
|
|
|
@ -198,7 +198,7 @@ class Db
|
|||
port_exc = Rex::Socket.portspec_crack(args.shift)
|
||||
when '-m'
|
||||
regx = args.shift
|
||||
when '-h'
|
||||
when '-h','--help'
|
||||
print_status("Usage: db_autopwn [options]")
|
||||
print_line("\t-h Display this help text")
|
||||
print_line("\t-t Show all matching exploit modules")
|
||||
|
@ -260,10 +260,30 @@ class Db
|
|||
# Match based on ports alone
|
||||
#
|
||||
if (mode & PWN_PORT != 0)
|
||||
rport = e.datastore['RPORT']
|
||||
if (rport)
|
||||
rports = {}
|
||||
rservs = {}
|
||||
|
||||
if(e.datastore['RPORT'])
|
||||
rports[e.datastore['RPORT'].to_s] = true
|
||||
end
|
||||
|
||||
if(e.respond_to?('autofilter_ports'))
|
||||
e.autofilter_ports.each do |rport|
|
||||
rports[rport.to_s] = true
|
||||
end
|
||||
end
|
||||
|
||||
if(e.respond_to?('autofilter_services'))
|
||||
e.autofilter_services.each do |serv|
|
||||
rservs[serv] = true
|
||||
end
|
||||
end
|
||||
|
||||
framework.db.services.each do |serv|
|
||||
next if not serv.host
|
||||
|
||||
# Match port numbers
|
||||
rports.keys.sort.each do |rport|
|
||||
next if serv.port.to_i != rport.to_i
|
||||
xport = serv.port
|
||||
xprot = serv.proto
|
||||
|
@ -274,7 +294,21 @@ class Db
|
|||
next if (port_inc.length > 0 and not port_inc.include?(serv.port.to_i))
|
||||
next if (port_exc.length > 0 and port_exc.include?(serv.port.to_i))
|
||||
next if (regx and e.fullname !~ /#{regx}/)
|
||||
matches[[xport,xprot,xhost,mtype[1]+'/'+n]]=true
|
||||
end
|
||||
|
||||
# Match service names
|
||||
rservs.keys.sort.each do |rserv|
|
||||
next if serv.name.to_s != rserv
|
||||
xport = serv.port
|
||||
xprot = serv.proto
|
||||
xhost = serv.host.address
|
||||
next if (targ_inc.length > 0 and not range_include?(targ_inc, xhost))
|
||||
next if (targ_exc.length > 0 and range_include?(targ_exc, xhost))
|
||||
|
||||
next if (port_inc.length > 0 and not port_inc.include?(serv.port.to_i))
|
||||
next if (port_exc.length > 0 and port_exc.include?(serv.port.to_i))
|
||||
next if (regx and e.fullname !~ /#{regx}/)
|
||||
matches[[xport,xprot,xhost,mtype[1]+'/'+n]]=true
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue