diff --git a/scripts/resource/dev_checks.rc b/scripts/resource/dev_checks.rc
new file mode 100644
index 0000000000..24ecc52907
--- /dev/null
+++ b/scripts/resource/dev_checks.rc
@@ -0,0 +1,118 @@
+
+
+#
+# This resource script will check for vulnerabilities related to
+# programs and services used by developers, including the following:
+#
+# * NodeJS debug (multi/misc/nodejs_v8_debugger)
+# * distcc (unix/misc/distcc_exe)
+# * Jenkins (linux/misc/jenkins_java_deserialize)
+# * GitHub Enterprise (linux/http/github_enterprise_secret)
+#
+# It is worth noting that ONLY CHECKS are performed, no active exploiting.
+# This makes it safe to run in many environments.
+#
+# Author:
+# pbarry-r7
+#
+
+@job_ids = []
+
+def wait_until_jobs_done
+ while true
+ @job_ids.each do |job_id|
+ current_job_ids = framework.jobs.keys.map { |e| e.to_i }
+ sleep 1 if current_job_ids.include?(job_id)
+ end
+
+ return
+ end
+end
+
+def check_exploit(host:, mod_name:, vuln_check_ret_val:)
+ begin
+ mod = framework.exploits.create(mod_name)
+ mod.datastore['RHOST'] = host.address
+ print_line("Looking for #{mod.name}...")
+ result = mod.check_simple({'RunAsJob': true, 'LocalOutput': self.output})
+ @job_ids << mod.job_id if mod.job_id
+ if vuln_check_ret_val.index(result)
+ print_line("HOST #{host.address} APPEARS VULNERABLE TO #{mod.name}")
+ framework.db.report_vuln(
+ workspace: mod.workspace,
+ host: mod.rhost,
+ name: mod.name,
+ info: "This was flagged as likely vulnerable by the explicit check of #{mod.fullname}.",
+ refs: mod.references
+ )
+ end
+ rescue ::Exception => e
+ print_error(e.message)
+ end
+end
+
+def setup
+ # Test and see if we have a database connected
+ begin
+ framework.db.hosts
+ rescue ::ActiveRecord::ConnectionNotEstablished
+ print_error("Database connection isn't established")
+ return false
+ end
+
+ run_single("setg verbose true")
+
+ true
+end
+
+def main
+ framework.db.workspace.hosts.each do |host|
+ print_line("Checking IP: #{host.address}, OS: #{host.os_name}...")
+
+ check_exploit(host: host,
+ mod_name: 'multi/misc/nodejs_v8_debugger',
+ vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
+
+ check_exploit(host: host,
+ mod_name: 'unix/misc/distcc_exec',
+ vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ])
+
+ check_exploit(host: host,
+ mod_name: 'unix/misc/qnx_qconn_exec',
+ vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ])
+
+ check_exploit(host: host,
+ mod_name: 'linux/misc/jenkins_java_deserialize',
+ vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ])
+
+ check_exploit(host: host,
+ mod_name: 'linux/http/github_enterprise_secret',
+ vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ])
+
+ check_exploit(host: host,
+ mod_name: 'multi/http/traq_plugin_exec',
+ vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
+
+ check_exploit(host: host,
+ mod_name: 'multi/http/builderengine_upload_exec',
+ vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
+
+ check_exploit(host: host,
+ mod_name: 'multi/http/mantisbt_php_exec',
+ vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
+
+ check_exploit(host: host,
+ mod_name: 'multi/http/vbulletin_unserialize',
+ vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
+
+ check_exploit(host: host,
+ mod_name: 'unix/webapp/vbulletin_vote_sqli_exec',
+ vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
+ end
+ wait_until_jobs_done
+end
+
+abort("Error during setup, exiting.") unless setup
+main
+
+
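Review bot: `wait_until_jobs_done` does not wait: the unconditional `return` at the end of the `while true` body exits after a single pass, so each still-running job costs at most one `sleep 1` and `main` can finish while checks are still in flight; the body could be `sleep 1 until (@job_ids & framework.jobs.keys.map(&:to_i)).empty?`. In `check_exploit`, `{'RunAsJob': true, 'LocalOutput': self.output}` builds symbol keys (`:RunAsJob`, `:LocalOutput`), and the framework's simple API, as far as I know, reads string keys, so both options are probably ignored; `'RunAsJob' => true, 'LocalOutput' => self.output` is the string-keyed form, and it is worth confirming that `result` is still a CheckCode once the check really runs as a job. `rescue ::Exception => e` also catches `Interrupt`, which makes a sweep over every workspace host hard to abort, and it hides a `nil` from `framework.exploits.create` behind a NoMethodError message; `rescue ::StandardError => e` plus an explicit `return print_error("Module not found: #{mod_name}") unless mod` would keep the reporting. The header comment lists four modules (one spelled `distcc_exe`) while `main` runs ten, so the "ONLY CHECKS ... safe to run" statement should name every module it covers and say that the script probes all hosts in the current workspace.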