Fix modules - unpack('s') breaks on big-endian, lots of formatting issues
git-svn-id: file:///home/svn/framework3/trunk@7042 4d416f70-5f16-0410-b530-b9f4589650daunstable
HD Moore
parent
5f650c0751
commit
532d80b7df
|
|
@ -19,12 +19,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
def initialize
|
def initialize
|
||||||
super(
|
super(
|
||||||
'Name' => 'NFS Mount Scanner',
|
'Name' => 'NFS Mount Scanner',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module scans NFS mounts and their permissions.
|
This module scans NFS mounts and their permissions.
|
||||||
},
|
},
|
||||||
'Author' =>
|
'Author' => ['tebo <tebo [at] attackresearch.com>'],
|
||||||
['tebo <tebo [at] attackresearch [dot] com>'],
|
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
['URL', 'http://www.ietf.org/rfc/rfc1094.txt'],
|
['URL', 'http://www.ietf.org/rfc/rfc1094.txt'],
|
||||||
|
|
@ -32,51 +31,42 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
'License' => MSF_LICENSE
|
'License' => MSF_LICENSE
|
||||||
)
|
)
|
||||||
|
|
||||||
register_options(
|
register_options([
|
||||||
[
|
OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
|
||||||
OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
|
OptInt.new('GID', [false, 'GID to emulate', 0]),
|
||||||
OptInt.new('GID', [false, 'GID to emulate', 0]),
|
OptInt.new('UID', [false, 'UID to emulate', 0])
|
||||||
OptInt.new('UID', [false, 'UID to emulate', 0])
|
], self.class)
|
||||||
],
|
|
||||||
self.class
|
|
||||||
)
|
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def run_host(ip)
|
def run_host(ip)
|
||||||
|
|
||||||
begin
|
begin
|
||||||
|
|
||||||
print_status("Trying #{ip}")
|
|
||||||
|
|
||||||
hostname = datastore['HOSTNAME']
|
hostname = datastore['HOSTNAME']
|
||||||
program = 100005
|
program = 100005
|
||||||
progver = 1
|
progver = 1
|
||||||
procedure = 1
|
procedure = 1
|
||||||
|
|
||||||
pport = sunrpc_create('udp', program, progver)
|
pport = sunrpc_create('udp', program, progver)
|
||||||
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
|
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
|
||||||
resp = sunrpc_call(5, "")
|
resp = sunrpc_call(5, "")
|
||||||
if resp[3] = 1
|
|
||||||
print_status("Export list for #{ip}")
|
|
||||||
|
|
||||||
while XDR.decode_int!(resp) == 1 do
|
|
||||||
dir = XDR.decode_string!(resp)
|
|
||||||
while XDR.decode_int!(resp) == 1 do
|
|
||||||
grp = XDR.decode_string!(resp)
|
|
||||||
end
|
|
||||||
print_line("\t#{dir}\t[#{grp}]")
|
|
||||||
end
|
|
||||||
|
|
||||||
else
|
|
||||||
print_status("No exports to list..\n")
|
|
||||||
end
|
|
||||||
|
|
||||||
|
if (resp[3,1].unpack('C')[0] == 0x01)
|
||||||
|
print_status("#{ip} Exports found")
|
||||||
|
while XDR.decode_int!(resp) == 1 do
|
||||||
|
dir = XDR.decode_string!(resp)
|
||||||
|
while XDR.decode_int!(resp) == 1 do
|
||||||
|
grp = XDR.decode_string!(resp)
|
||||||
|
end
|
||||||
|
print_line("#{ip}\t#{dir}\t[#{grp}]")
|
||||||
|
end
|
||||||
|
else
|
||||||
|
print_status("#{ip} has no exports")
|
||||||
|
end
|
||||||
|
|
||||||
sunrpc_destroy
|
sunrpc_destroy
|
||||||
|
|
||||||
rescue ::Rex::Proto::SunRPC::RPCTimeout
|
rescue ::Rex::Proto::SunRPC::RPCTimeout
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
@ -25,8 +25,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
This module scans for X11 servers that allow anyone
|
This module scans for X11 servers that allow anyone
|
||||||
to connect without authentication.
|
to connect without authentication.
|
||||||
},
|
},
|
||||||
'Author' =>
|
'Author' => ['tebo <tebodell[at]gmail.com>'],
|
||||||
['tebo <tebodell[at]gmail.com>'],
|
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
['OSVDB', '309'],
|
['OSVDB', '309'],
|
||||||
|
|
@ -35,47 +34,39 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
'License' => MSF_LICENSE
|
'License' => MSF_LICENSE
|
||||||
)
|
)
|
||||||
|
|
||||||
register_options(
|
register_options([
|
||||||
[
|
Opt::RPORT(6000)
|
||||||
Opt::RPORT(6000)
|
],self.class)
|
||||||
],
|
|
||||||
self.class
|
|
||||||
)
|
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def run_host(ip)
|
def run_host(ip)
|
||||||
|
|
||||||
begin
|
begin
|
||||||
|
|
||||||
print_status("Trying #{ip}")
|
|
||||||
|
|
||||||
connect
|
connect
|
||||||
|
|
||||||
# X11.00 Null Auth Connect
|
# X11.00 Null Auth Connect
|
||||||
buf = "\x6c\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00"
|
sock.put("\x6c\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00")
|
||||||
|
|
||||||
sock.put(buf)
|
|
||||||
response = sock.get_once
|
response = sock.get_once
|
||||||
|
|
||||||
if response
|
disconnect
|
||||||
success = response[0]
|
|
||||||
|
if(response)
|
||||||
|
success = response[0,1].unpack('C')[0]
|
||||||
end
|
end
|
||||||
|
|
||||||
if success == 1
|
if(success == 1)
|
||||||
vendor_len = response[24..25].unpack('s')[0]
|
vendor_len = response[24,2].unpack('v')[0]
|
||||||
vendor = response[40..(40+vendor_len)].unpack('A*')
|
vendor = response[40,vendor_len].unpack('A*')[0]
|
||||||
|
print_status("#{ip} Open X Server (#{vendor})")
|
||||||
print_status("Open X Server @ #{ip} (#{vendor})")
|
elsif (success == 0)
|
||||||
elsif success == 0
|
print_status("#{ip} Access Denied")
|
||||||
print_status("Access Denied on #{ip}")
|
|
||||||
else
|
else
|
||||||
# X can return a reason for auth failure but we don't really care for this
|
# X can return a reason for auth failure but we don't really care for this
|
||||||
end
|
end
|
||||||
|
|
||||||
rescue ::Rex::ConnectionError
|
rescue ::Rex::ConnectionError
|
||||||
rescue ::Errno::EPIPE
|
rescue ::Errno::EPIPE
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue