Fix modules - unpack('s') breaks on big-endian, lots of formatting issues
git-svn-id: file:///home/svn/framework3/trunk@7042 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
5f650c0751
commit
532d80b7df
|
@ -23,8 +23,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Description' => %q{
|
||||
This module scans NFS mounts and their permissions.
|
||||
},
|
||||
'Author' =>
|
||||
['tebo <tebo [at] attackresearch [dot] com>'],
|
||||
'Author' => ['tebo <tebo [at] attackresearch.com>'],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'http://www.ietf.org/rfc/rfc1094.txt'],
|
||||
|
@ -32,23 +31,17 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
register_options([
|
||||
OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
|
||||
OptInt.new('GID', [false, 'GID to emulate', 0]),
|
||||
OptInt.new('UID', [false, 'UID to emulate', 0])
|
||||
],
|
||||
self.class
|
||||
)
|
||||
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
begin
|
||||
|
||||
print_status("Trying #{ip}")
|
||||
|
||||
hostname = datastore['HOSTNAME']
|
||||
program = 100005
|
||||
progver = 1
|
||||
|
@ -57,26 +50,23 @@ class Metasploit3 < Msf::Auxiliary
|
|||
pport = sunrpc_create('udp', program, progver)
|
||||
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
|
||||
resp = sunrpc_call(5, "")
|
||||
if resp[3] = 1
|
||||
print_status("Export list for #{ip}")
|
||||
|
||||
if (resp[3,1].unpack('C')[0] == 0x01)
|
||||
print_status("#{ip} Exports found")
|
||||
while XDR.decode_int!(resp) == 1 do
|
||||
dir = XDR.decode_string!(resp)
|
||||
while XDR.decode_int!(resp) == 1 do
|
||||
grp = XDR.decode_string!(resp)
|
||||
end
|
||||
print_line("\t#{dir}\t[#{grp}]")
|
||||
print_line("#{ip}\t#{dir}\t[#{grp}]")
|
||||
end
|
||||
|
||||
else
|
||||
print_status("No exports to list..\n")
|
||||
print_status("#{ip} has no exports")
|
||||
end
|
||||
|
||||
sunrpc_destroy
|
||||
|
||||
rescue ::Rex::Proto::SunRPC::RPCTimeout
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -25,8 +25,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
This module scans for X11 servers that allow anyone
|
||||
to connect without authentication.
|
||||
},
|
||||
'Author' =>
|
||||
['tebo <tebodell[at]gmail.com>'],
|
||||
'Author' => ['tebo <tebodell[at]gmail.com>'],
|
||||
'References' =>
|
||||
[
|
||||
['OSVDB', '309'],
|
||||
|
@ -35,47 +34,39 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
register_options([
|
||||
Opt::RPORT(6000)
|
||||
],
|
||||
self.class
|
||||
)
|
||||
|
||||
],self.class)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
begin
|
||||
|
||||
print_status("Trying #{ip}")
|
||||
|
||||
connect
|
||||
|
||||
# X11.00 Null Auth Connect
|
||||
buf = "\x6c\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00"
|
||||
|
||||
sock.put(buf)
|
||||
sock.put("\x6c\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00")
|
||||
response = sock.get_once
|
||||
|
||||
if response
|
||||
success = response[0]
|
||||
disconnect
|
||||
|
||||
if(response)
|
||||
success = response[0,1].unpack('C')[0]
|
||||
end
|
||||
|
||||
if success == 1
|
||||
vendor_len = response[24..25].unpack('s')[0]
|
||||
vendor = response[40..(40+vendor_len)].unpack('A*')
|
||||
|
||||
print_status("Open X Server @ #{ip} (#{vendor})")
|
||||
elsif success == 0
|
||||
print_status("Access Denied on #{ip}")
|
||||
if(success == 1)
|
||||
vendor_len = response[24,2].unpack('v')[0]
|
||||
vendor = response[40,vendor_len].unpack('A*')[0]
|
||||
print_status("#{ip} Open X Server (#{vendor})")
|
||||
elsif (success == 0)
|
||||
print_status("#{ip} Access Denied")
|
||||
else
|
||||
# X can return a reason for auth failure but we don't really care for this
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionError
|
||||
rescue ::Errno::EPIPE
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue