Fix modules - unpack('s') breaks on big-endian, lots of formatting issues

git-svn-id: file:///home/svn/framework3/trunk@7042 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2009-09-19 17:24:29 +00:00
parent 5f650c0751
commit 532d80b7df
2 changed files with 38 additions and 57 deletions


@ -23,8 +23,7 @@ class Metasploit3 < Msf::Auxiliary
'Description' => %q{
This module scans NFS mounts and their permissions.
},
'Author' =>
['tebo <tebo [at] attackresearch [dot] com>'],
'Author' => ['tebo <tebo [at] attackresearch.com>'],
'References' =>
[
['URL', 'http://www.ietf.org/rfc/rfc1094.txt'],
@ -32,23 +31,17 @@ class Metasploit3 < Msf::Auxiliary
'License' => MSF_LICENSE
)
register_options(
[
register_options([
OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
OptInt.new('GID', [false, 'GID to emulate', 0]),
OptInt.new('UID', [false, 'UID to emulate', 0])
],
self.class
)
], self.class)
end
def run_host(ip)
begin
print_status("Trying #{ip}")
hostname = datastore['HOSTNAME']
program = 100005
progver = 1
@ -57,26 +50,23 @@ class Metasploit3 < Msf::Auxiliary
pport = sunrpc_create('udp', program, progver)
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
resp = sunrpc_call(5, "")
if resp[3] = 1
print_status("Export list for #{ip}")
if (resp[3,1].unpack('C')[0] == 0x01)
print_status("#{ip} Exports found")
while XDR.decode_int!(resp) == 1 do
dir = XDR.decode_string!(resp)
while XDR.decode_int!(resp) == 1 do
grp = XDR.decode_string!(resp)
end
print_line("\t#{dir}\t[#{grp}]")
print_line("#{ip}\t#{dir}\t[#{grp}]")
end
else
print_status("No exports to list..\n")
print_status("#{ip} has no exports")
end
sunrpc_destroy
rescue ::Rex::Proto::SunRPC::RPCTimeout
end
end
end
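Review bot: In the export loop of run_host, `grp` is overwritten on each pass of the inner `while` and never reset, so an export with several allowed groups is reported with only the last one, and an export with an empty group list inherits the value left over from the previous export. For a scanner whose output is read as the access list of each share, that misreports who may mount it; collect per export instead, with `grps = []` before the inner loop, `grps << XDR.decode_string!(resp)` inside it, and `print_line("#{ip}\t#{dir}\t[#{grps.join(', ')}]")`. Separately, `resp[3,1].unpack('C')` assumes a well-formed reply: a nil or truncated `resp` can raise NoMethodError, which the `rescue ::Rex::Proto::SunRPC::RPCTimeout` clause does not catch, so a guard such as `if (resp and resp.length >= 4 and resp[3,1].unpack('C')[0] == 0x01)` is worth adding. run_host begins in the previous hunk of this file.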


@ -25,8 +25,7 @@ class Metasploit3 < Msf::Auxiliary
This module scans for X11 servers that allow anyone
to connect without authentication.
},
'Author' =>
['tebo <tebodell[at]gmail.com>'],
'Author' => ['tebo <tebodell[at]gmail.com>'],
'References' =>
[
['OSVDB', '309'],
@ -35,47 +34,39 @@ class Metasploit3 < Msf::Auxiliary
'License' => MSF_LICENSE
)
register_options(
[
register_options([
Opt::RPORT(6000)
],
self.class
)
],self.class)
end
def run_host(ip)
begin
print_status("Trying #{ip}")
connect
# X11.00 Null Auth Connect
buf = "\x6c\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00"
sock.put(buf)
sock.put("\x6c\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00")
response = sock.get_once
if response
success = response[0]
disconnect
if(response)
success = response[0,1].unpack('C')[0]
end
if success == 1
vendor_len = response[24..25].unpack('s')[0]
vendor = response[40..(40+vendor_len)].unpack('A*')
print_status("Open X Server @ #{ip} (#{vendor})")
elsif success == 0
print_status("Access Denied on #{ip}")
if(success == 1)
vendor_len = response[24,2].unpack('v')[0]
vendor = response[40,vendor_len].unpack('A*')[0]
print_status("#{ip} Open X Server (#{vendor})")
elsif (success == 0)
print_status("#{ip} Access Denied")
else
# X can return a reason for auth failure but we don't really care for this
end
rescue ::Rex::ConnectionError
rescue ::Errno::EPIPE
end
end
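Review bot: The success branch of run_host indexes the server's reply at fixed offsets without checking its length: `response[24,2]` is nil when fewer than 24 bytes came back, and `vendor_len` is nil when fewer than 26 did, so a host that answers with a leading 0x01 and a short or fragmented reply raises NoMethodError or TypeError, which neither `rescue` clause catches. Since the reply comes from the scanned host, gate the branch on the length, e.g. `if (success == 1 and response.length >= 40)`, and treat a `vendor` shorter than `vendor_len` as truncated, because a single `sock.get_once` may return only part of the reply. The vendor string is also printed as received; replacing non-printable bytes before `print_status`, e.g. `vendor = vendor.gsub(/[^\x20-\x7e]/, '.')`, keeps a scanned server from writing control sequences into the operator's console or logs. The hunk appears to end before the class's closing `end`.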