infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix modules - unpack('s') breaks on big-endian, lots of formatting issues 

git-svn-id: file:///home/svn/framework3/trunk@7042 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2009-09-19 17:24:29 +00:00
parent 5f650c0751
commit 532d80b7df
2 changed files with 38 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
modules/auxiliary/scanner/nfs/nfsmount.rb
View File

@ -19,12 +19,11 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'NFS Mount Scanner',
'Description' => %q{
'Name' => 'NFS Mount Scanner',
'Description' => %q{
This module scans NFS mounts and their permissions.
},
'Author' =>
['tebo <tebo [at] attackresearch [dot] com>'],
'Author' => ['tebo <tebo [at] attackresearch.com>'],
'References' =>
[
['URL', 'http://www.ietf.org/rfc/rfc1094.txt'],
@ -32,51 +31,42 @@ class Metasploit3 < Msf::Auxiliary
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
OptInt.new('GID', [false, 'GID to emulate', 0]),
OptInt.new('UID', [false, 'UID to emulate', 0])
],
self.class
)
register_options([
OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
OptInt.new('GID', [false, 'GID to emulate', 0]),
OptInt.new('UID', [false, 'UID to emulate', 0])
], self.class)
end
def run_host(ip)
begin
print_status("Trying #{ip}")
hostname = datastore['HOSTNAME']
program = 100005
progver = 1
procedure = 1
pport = sunrpc_create('udp', program, progver)
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
resp = sunrpc_call(5, "")
if resp[3] = 1
print_status("Export list for #{ip}")
while XDR.decode_int!(resp) == 1 do
dir = XDR.decode_string!(resp)
while XDR.decode_int!(resp) == 1 do
grp = XDR.decode_string!(resp)
end
print_line("\t#{dir}\t[#{grp}]")
end
else
print_status("No exports to list..\n")
end
if (resp[3,1].unpack('C')[0] == 0x01)
print_status("#{ip} Exports found")
while XDR.decode_int!(resp) == 1 do
dir = XDR.decode_string!(resp)
while XDR.decode_int!(resp) == 1 do
grp = XDR.decode_string!(resp)
end
print_line("#{ip}\t#{dir}\t[#{grp}]")
end
else
print_status("#{ip} has no exports")
end
sunrpc_destroy
rescue ::Rex::Proto::SunRPC::RPCTimeout
end
end
end

41
modules/auxiliary/scanner/x11/open_x11.rb
View File

@ -25,8 +25,7 @@ class Metasploit3 < Msf::Auxiliary
This module scans for X11 servers that allow anyone
to connect without authentication.
},
'Author' =>
['tebo <tebodell[at]gmail.com>'],
'Author' => ['tebo <tebodell[at]gmail.com>'],
'References' =>
[
['OSVDB', '309'],
@ -35,47 +34,39 @@ class Metasploit3 < Msf::Auxiliary
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(6000)
],
self.class
)
register_options([
Opt::RPORT(6000)
],self.class)
end
def run_host(ip)
begin
print_status("Trying #{ip}")
connect
# X11.00 Null Auth Connect
buf = "\x6c\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00"
sock.put(buf)
sock.put("\x6c\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00")
response = sock.get_once
if response
success = response[0]
disconnect
if(response)
success = response[0,1].unpack('C')[0]
end
if success == 1
vendor_len = response[24..25].unpack('s')[0]
vendor = response[40..(40+vendor_len)].unpack('A*')
print_status("Open X Server @ #{ip} (#{vendor})")
elsif success == 0
print_status("Access Denied on #{ip}")
if(success == 1)
vendor_len = response[24,2].unpack('v')[0]
vendor = response[40,vendor_len].unpack('A*')[0]
print_status("#{ip} Open X Server (#{vendor})")
elsif (success == 0)
print_status("#{ip} Access Denied")
else
# X can return a reason for auth failure but we don't really care for this
end
rescue ::Rex::ConnectionError
rescue ::Errno::EPIPE
end
end