diff --git a/modules/auxiliary/scanner/nfs/nfsmount.rb b/modules/auxiliary/scanner/nfs/nfsmount.rb index b1a0b9ddca..5e828d2e2f 100644 --- a/modules/auxiliary/scanner/nfs/nfsmount.rb +++ b/modules/auxiliary/scanner/nfs/nfsmount.rb @@ -19,12 +19,11 @@ class Metasploit3 < Msf::Auxiliary def initialize super( - 'Name' => 'NFS Mount Scanner', - 'Description' => %q{ + 'Name' => 'NFS Mount Scanner', + 'Description' => %q{ This module scans NFS mounts and their permissions. }, - 'Author' => - ['tebo '], + 'Author' => ['tebo '], 'References' => [ ['URL', 'http://www.ietf.org/rfc/rfc1094.txt'], 
@@ -32,51 +31,42 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE ) - register_options( - [ - OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']), - OptInt.new('GID', [false, 'GID to emulate', 0]), - OptInt.new('UID', [false, 'UID to emulate', 0]) - ], - self.class - ) - + register_options([ + OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']), + OptInt.new('GID', [false, 'GID to emulate', 0]), + OptInt.new('UID', [false, 'UID to emulate', 0]) + ], self.class) end def run_host(ip) begin - print_status("Trying #{ip}") - hostname = datastore['HOSTNAME'] program = 100005 progver = 1 procedure = 1 - + pport = sunrpc_create('udp', program, progver) sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], []) resp = sunrpc_call(5, "") - if resp[3] = 1 - print_status("Export list for #{ip}") - - while XDR.decode_int!(resp) == 1 do - dir = XDR.decode_string!(resp) - while XDR.decode_int!(resp) == 1 do - grp = XDR.decode_string!(resp) - end - print_line("\t#{dir}\t[#{grp}]") - end - - else - print_status("No exports to list..\n") - end + if (resp[3,1].unpack('C')[0] == 0x01) + print_status("#{ip} Exports found") + while XDR.decode_int!(resp) == 1 do + dir = XDR.decode_string!(resp) + while XDR.decode_int!(resp) == 1 do + grp = XDR.decode_string!(resp) + end + print_line("#{ip}\t#{dir}\t[#{grp}]") + end + else + print_status("#{ip} has no exports") + end + sunrpc_destroy - rescue ::Rex::Proto::SunRPC::RPCTimeout end - end end diff --git a/modules/auxiliary/scanner/x11/open_x11.rb b/modules/auxiliary/scanner/x11/open_x11.rb index e364574fe1..8287b1e511 100644 --- a/modules/auxiliary/scanner/x11/open_x11.rb +++ b/modules/auxiliary/scanner/x11/open_x11.rb @@ -25,8 +25,7 @@ class Metasploit3 < Msf::Auxiliary This module scans for X11 servers that allow anyone to connect without authentication. }, - 'Author' => - ['tebo '], + 'Author' => ['tebo '], 'References' => [ ['OSVDB', '309'], 
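Review bot: In nfsmount.rb `run_host`, the inner `while XDR.decode_int!(resp) == 1` loop overwrites `grp` on every pass, so `print_line` shows only the last client entry of each export. An export with an empty group list prints whatever `grp` held from the previous export (or nil for the first one), because a Ruby `while` body does not open a new scope. Since this output is what an operator reads to judge who may mount each export, it under-reports or misattributes the access list. Collect the entries instead: `grps = []` before the inner loop, `grps << XDR.decode_string!(resp)` inside it, and `print_line("#{ip}\t#{dir}\t[#{grps.join(', ')}]")`. Separately, `sunrpc_destroy` is skipped when `RPCTimeout` is raised and the empty `rescue` hides the timeout, so moving the teardown into an `ensure` looks safer, assuming `sunrpc_destroy` tolerates a connection that was never set up.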
@@ -35,47 +34,39 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE ) - register_options( - [ - Opt::RPORT(6000) - ], - self.class - ) - + register_options([ + Opt::RPORT(6000) + ],self.class) end def run_host(ip) begin - print_status("Trying #{ip}") - connect # X11.00 Null Auth Connect - buf = "\x6c\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00" - - sock.put(buf) + sock.put("\x6c\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00") response = sock.get_once - if response - success = response[0] + disconnect + + if(response) + success = response[0,1].unpack('C')[0] end - if success == 1 - vendor_len = response[24..25].unpack('s')[0] - vendor = response[40..(40+vendor_len)].unpack('A*') - - print_status("Open X Server @ #{ip} (#{vendor})") - elsif success == 0 - print_status("Access Denied on #{ip}") + if(success == 1) + vendor_len = response[24,2].unpack('v')[0] + vendor = response[40,vendor_len].unpack('A*')[0] + print_status("#{ip} Open X Server (#{vendor})") + elsif (success == 0) + print_status("#{ip} Access Denied") else # X can return a reason for auth failure but we don't really care for this end - + rescue ::Rex::ConnectionError rescue ::Errno::EPIPE - end end
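Review bot: In open_x11.rb `run_host`, the `success == 1` branch slices `response[24,2]` and `response[40,vendor_len]` without checking how many bytes `sock.get_once` returned. On a reply shorter than 40 bytes a slice is nil and `.unpack` raises NoMethodError, which neither `rescue ::Rex::ConnectionError` nor `rescue ::Errno::EPIPE` catches. Guard the branch with `if success == 1 && response.length >= 40`, and treat a shorter reply as an unparseable response rather than an open server. The vendor string is chosen by the remote server and goes straight into `print_status`, so replace non-printable bytes before printing, for example `vendor = vendor.gsub(/[^[:print:]]/, '.')`, to keep control sequences out of the operator's terminal and logs. `disconnect` is also skipped if `sock.put` or `get_once` raises, so it belongs in an `ensure`.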