infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #9079, adding @h00die's gopher scanner

bug/bundler_fix
Jon Hart 2017-10-20 17:16:08 -07:00
parent f250e15b6e c517ded3ae
commit 9658776adf
No known key found for this signature in database
GPG Key ID: 2FA9F0A3AFA8E9D3
2 changed files with 251 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

148
documentation/modules/auxiliary/scanner/gopher/gopher_gophermap.md Normal file
View File

@ -0,0 +1,148 @@
## Vulnerable Application
Any gopher server will work. There seems to only be [a few left](https://en.wikipedia.org/wiki/Gopher_(protocol)#Server_software)
in 2017.
A few options for local installation and testing are below.
### Docker Install
A [dockerized gopher server written in Go](https://hub.docker.com/r/prodhe/gopher/) is available. To install and run this, with content being
served out of a temporary directory in which you'll be left:
```
$ docker pull prodhe/gopher
Using default tag: latest
latest: Pulling from prodhe/gopher
627beaf3eaaf: Already exists
8800e3417eb1: Pull complete
d9f3bcdad0eb: Pull complete
c018073abd26: Pull complete
b2855f535c50: Pull complete
23480a2f73d8: Pull complete
1555a5435ec5: Pull complete
0728d289e0fc: Pull complete
6f6f265b58ee: Pull complete
Digest: sha256:69931d56946d192d9bd155a88b6f365cb276e9edf453129d374e64d244d1edaa
Status: Downloaded newer image for prodhe/gopher:latest
$ cd `mktemp -d`;
$ sudo docker run --rm -d -it --name gopher_test -v `pwd -P`:/public -p 70:70 prodhe/gopher
2017/10/20 16:45:01 Serving /public/ at localhost:70
$ date > test.txt
$ echo HELLO > README.md
```
*NOTE*: Don't forget to `docker stop` the container ID returned from the `docker run` command just run above:
```
$ docker stop X
X
```
### Ubuntu 16.04 Install
First we need to install the server:
```
sudo apt-get install gopher-server
```
Next, we need to build content for the scanner to find. Gopher works off of a `gophermap`, somewhat similar
to a content index page, where files are listed in a menu type system.
```
echo "<html><h1>hello world</h1></html>" | sudo tee /var/gopher/example.html
echo "foobarbaz" | sudo tee /var/gopher/foobar.txt
sudo mkdir /var/gopher/msf
echo "meterpreter rules" | sudo tee /var/gopher/msf/meterp.txt
sudo wget "https://pbs.twimg.com/profile_images/580131056629735424/2ENTk2K2.png" -O /var/gopher/msf/logo.png
echo -ne "gopher custom gophermap\n\nhHello World\t/example.html\t1.1.1.1\t70\n0Foo File\t/foobar.txt\t1.1.1.1\t70\n1msf\t/msf\t1.1.1.1\t70\nhmetasploit homepage\tURL:http://metasploit.com/\n" | sudo tee /var/gopher/gophermap
sudo chmod +r -R /var/gopher
```
In this case we create an html file, text file, a directory with a text file and png file in it. Enough content so its nice to look at.
Next we write our `gophermap` file. The first line is just an intro. After that, we list our files that the client can access.
The format of these lines is: `XSome text here[TAB]/path/to/content[TAB]example.org[TAB]port`. The first character, `X` is the file type
which can be referenced in the table below. The final address (example.org) and PORT are optional.
The following table contains the file types associated with the characters:
| Itemtype | Content |
|----------|---------------------------------|
| 0 | Text file |
| 1 | Directory |
| 2 | CSO name server |
| 3 | Error |
| 4 | Mac HQX filer |
| 5 | PC binary |
| 6 | UNIX uuencoded file |
| 7 | Search server |
| 8 | Telnet Session |
| 9 | Binary File |
| c | Calendar (not in 2.06) |
| e | Event (not in 2.06) |
| g | GIF image |
| h | HTML, Hypertext Markup Language |
| i | inline text type |
| s | Sound |
| I | Image (other than GIF) |
| M | MIME multipart/mixed message |
| T | TN3270 Session |
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: ```use auxiliary/scanner/gopher/gopher_gophermap```
4. Do: ```set rhosts [IPs]```
5. Do: ```run```
6. You should see the gophermap file printed in a parsed format
## Options
**PATH**
It is possible to view content within a directory of the gophermap. If the intial run shows directory `Directory: foobar`,
setting **path** to `/foobar` will enumerate the contents of that folder. Default: [empty string].
## Scenarios
### Docker Gopher Server
```
msf > use auxiliary/scanner/gopher/gopher_gophermap
msf auxiliary(gopher_gophermap) > set RHOSTS localhost
RHOSTS => localhost
msf auxiliary(gopher_gophermap) > run
[+] 127.0.0.1:70 - Text file: README.md
[+] 127.0.0.1:70 - Path: localhost:70/README.md
[+] 127.0.0.1:70 - Text file: test.txt
[+] 127.0.0.1:70 - Path: localhost:70/test.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
### Gopher-server on Ubuntu 16.04
```
msf > use auxiliary/scanner/gopher/gopher_gophermap
msf auxiliary(gopher_gophermap) > set rhosts 1.1.1.1
rhosts => 1.1.1.1
msf auxiliary(gopher_gophermap) > set verbose true
verbose => true
msf auxiliary(gopher_gophermap) > run
[+] 1.1.1.1:70 - gopher custom gophermap
[+] 1.1.1.1:70 -
[+] 1.1.1.1:70 - HTML: Hello World
[+] 1.1.1.1:70 - Path: 1.1.1.1:70/example.html
[+] 1.1.1.1:70 - Text file: Foo File
[+] 1.1.1.1:70 - Path: 1.1.1.1:70/foobar.txt
[+] 1.1.1.1:70 - Directory: msf
[+] 1.1.1.1:70 - Path: 1.1.1.1:70/msf
[+] 1.1.1.1:70 - HTML: metasploit homepage
[+] 1.1.1.1:70 - Path: 1.1.1.1:70/URL:http://metasploit.com/
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

103
modules/auxiliary/scanner/gopher/gopher_gophermap.rb Normal file
View File

@ -0,0 +1,103 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Gopher gophermap Scanner',
'Description' => %q(
This module identifies Gopher servers, and processes the gophermap
file which lists all the files on the server.
),
'References' =>
[
['URL', 'https://sdfeu.org/w/tutorials:gopher']
],
'Author' => 'h00die',
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(70),
OptString.new('PATH', [false, 'Path to enumerate', ''])
]
)
end
TYPE_MAP = {
'0' => 'Text file',
'1' => 'Directory',
'2' => 'CSO name server',
'3' => 'Error',
'4' => 'Mac HQX filer',
'5' => 'PC binary',
'6' => 'UNIX uuencoded file',
'7' => 'Search server',
'8' => 'Telnet Session',
'9' => 'Binary File',
'c' => 'Calendar',
'e' => 'Event',
'g' => 'GIF image',
'h' => 'HTML',
'i' => 'inline text',
's' => 'Sound',
'I' => 'Image',
'M' => 'MIME multipart/mixed message',
'T' => 'TN3270 Session'
}.freeze
def get_type(char)
TYPE_MAP.fetch(char.chomp)
end
def run_host(ip)
begin
connect
sock.put("#{datastore['path']}\r\n")
gophermap = sock.get_once
if gophermap
gophermap.split("\r\n").each do |line|
line_parts = line.split("\t")
next unless line_parts.length >= 2
# syntax: [type_character]description[tab]path[tab, after this is optional]server[tab]port
line_parts = line.split("\t")
desc = line_parts[0]
type_char = desc.slice!(0) # remove first character which is the file type
file_type = get_type(type_char)
if file_type && file_type == 'inline text'
print_good(desc)
next
end
if file_type
print_good(" #{file_type}: #{desc}")
else
print_good(" Invalid File Type (#{type_char}): #{desc}")
end
if line_parts.length >= 3
print_good(" Path: #{line_parts[2]}:#{line_parts[3]}#{line_parts[1]}")
elsif line.length >= 2
print_good(" Path: #{line_parts[2]}#{line_parts[1]}")
else
print_good(" Path: #{line_parts[1]}")
end
end
report_service(host: ip, port: rport, service: 'gopher', info: gophermap)
else
print_error('No gophermap')
end
rescue ::Rex::ConnectionError, ::IOError, ::Errno::ECONNRESET
rescue ::Exception => e
print_error("#{ip}: #{e} #{e.backtrace}")
ensure
disconnect
end
end
end