From c388cba421eb2f0c6db786deeb87cc3e27c47a53 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Sun, 17 Jun 2012 23:39:20 -0500 Subject: [PATCH] Fix up modules calling report_vuln() to use new syntax --- .../dos/windows/rdp/ms12_020_maxchannelids.rb | 5 ++-- .../scanner/http/cisco_device_manager.rb | 4 ++-- .../scanner/http/cisco_ios_auth_bypass.rb | 11 +++++---- .../auxiliary/scanner/http/frontpage_login.rb | 6 ++--- modules/auxiliary/scanner/http/http_put.rb | 14 ++++++----- .../http/ms09_020_webdav_unicode_bypass.rb | 24 +++++++++---------- modules/auxiliary/scanner/http/options.rb | 4 ++-- .../scanner/http/rewrite_proxy_bypass.rb | 17 ++++++------- .../scanner/http/vmware_server_dir_trav.rb | 8 +++---- .../auxiliary/scanner/misc/java_rmi_server.rb | 12 ++++------ .../scanner/telnet/telnet_encrypt_overflow.rb | 13 +++++----- .../auxiliary/scanner/vnc/vnc_none_auth.rb | 13 +++++----- .../windows/gather/forensics/duqu_check.rb | 8 +++---- 13 files changed, 71 insertions(+), 68 deletions(-) diff --git a/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb b/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb index bbd0a503ee..727ab63f03 100644 --- a/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb +++ b/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb @@ -150,8 +150,9 @@ class Metasploit3 < Msf::Auxiliary report_vuln({ :host => rhost, :port => rport, - :name => self.fullname, - :refs => self.references + :name => self.name, + :refs => self.references, + :info => "Module #{self.fullname} successfully crashed the target system via RDP" }) else print_status("#{rhost}:#{rport} is still up") diff --git a/modules/auxiliary/scanner/http/cisco_device_manager.rb b/modules/auxiliary/scanner/http/cisco_device_manager.rb index a7f87975ef..70bfe3f04d 100644 --- a/modules/auxiliary/scanner/http/cisco_device_manager.rb +++ b/modules/auxiliary/scanner/http/cisco_device_manager.rb 
@@ -73,8 +73,8 @@ class Metasploit3 < Msf::Auxiliary :host => rhost, :port => rport, :proto => 'tcp', - :name => self.fullname, - :info => "http://#{rhost}:#{rport}/exec/show/version/CR", + :name => self.name, + :info => "Module #{self.fullname} successfully accessed http://#{rhost}:#{rport}/exec/show/version/CR", :refs => self.references, :exploited_at => Time.now.utc } diff --git a/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb b/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb index 35e78cf958..80500f00f0 100644 --- a/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb +++ b/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb @@ -64,8 +64,9 @@ class Metasploit3 < Msf::Auxiliary :host => rhost, :port => rport, :proto => 'tcp', - :name => self.fullname, - :info => "http://#{rhost}:#{rport}/level/#{level}/exec/show/version/CR", + :name => self.name, + :sname => ssl ? "https" : "http", + :info => "Module #{self.fullname} successfully accessed http://#{rhost}:#{rport}/level/#{level}/exec/show/version/CR", :refs => self.references, :exploited_at => Time.now.utc } @@ -83,8 +84,10 @@ class Metasploit3 < Msf::Auxiliary report_exploit( { :host => rhost, - :service => rport, - :name => self.fullname + :port => rport, + :name => self.name, + :sname => ssl ? "https" : "http", + :info => "Module #{self.fullname} successfully captured the configuration file:\n#{config}" } ) else diff --git a/modules/auxiliary/scanner/http/frontpage_login.rb b/modules/auxiliary/scanner/http/frontpage_login.rb index e83a8b8352..44d4bf2055 100644 --- a/modules/auxiliary/scanner/http/frontpage_login.rb +++ b/modules/auxiliary/scanner/http/frontpage_login.rb 
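Review bot: The new `:info` string in cisco_device_manager.rb hardcodes `http://` in front of `#{rhost}:#{rport}`, so a scan run over TLS records a URL with the wrong scheme. The first cisco_ios_auth_bypass.rb hunk has the same hardcoded `http://` even though that same hunk adds `:sname => ssl ? "https" : "http"`, so the scheme is already known there. Use it in the URL as well, `:info => "Module #{self.fullname} successfully accessed #{ssl ? 'https' : 'http'}://#{rhost}:#{rport}/exec/show/version/CR"`, assuming cisco_device_manager.rb exposes the same `ssl` helper (not visible in this hunk). The enclosing report_vuln call starts before the hunk in both files.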
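Review bot: The second cisco_ios_auth_bypass.rb hunk interpolates the entire captured device configuration into the `report_exploit` `:info` field (`...configuration file:\n#{config}`). Device configurations commonly carry credential material, so copying them wholesale into a free-text finding record spreads sensitive data into a field meant for a short description and bloats it; storing the file through `store_loot` and referencing the loot path in `:info` would keep the record compact and the captured data in the place the framework already manages for it. The hunk also swaps `:service => rport` for `:port => rport` on a `report_exploit` call; whether `report_exploit` honours `:port` and `:sname` the same way `report_vuln` does is not visible here and worth confirming.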
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary def initialize super( - 'Name' => 'FrontPage Server Extensions Login Utility', + 'Name' => 'FrontPage Server Extensions Anonymous Login Scanner', 'Version' => '$Revision$', 'Description' => 'This module queries the FrontPage Server Extensions and determines whether anonymous access is allowed.', 'References' => @@ -133,8 +133,8 @@ class Metasploit3 < Msf::Auxiliary :host => target_host, :port => rport, :proto => 'tcp', - :name => self.fullname, - :info => "#{info} FrontPage ACCESS ALLOWED [#{retcode}]", + :name => self.name, + :info => "Module #{self.fullname} confirmed access to #{info} [#{retcode}]", :refs => self.references, :exploited_at => Time.now.utc } diff --git a/modules/auxiliary/scanner/http/http_put.rb b/modules/auxiliary/scanner/http/http_put.rb index a683121fd8..9bbc8b123e 100644 --- a/modules/auxiliary/scanner/http/http_put.rb +++ b/modules/auxiliary/scanner/http/http_put.rb @@ -150,13 +150,14 @@ class Metasploit4 < Msf::Auxiliary #Check file if not res.nil? and file_exists(path, data) - print_good("File uploaded: #{(ssl ? 'https' : 'http')}://#{ip}:#{rport}#{path}") + turl = "#{(ssl ? 'https' : 'http')}://#{ip}:#{rport}#{path}" + print_good("File uploaded: #{turl}") report_vuln( :host => ip, :port => rport, :proto => 'tcp', - :name => self.fullname, - :info => "PUT Enabled", + :name => self.name, + :info => "Module #{self.fullname} confirmed write access to #{turl} via PUT", :refs => self.references, :exploited_at => Time.now.utc ) 
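Review bot: The `report_vuln` call in the first http_put.rb hunk (the PUT branch) has no `:sname`, while the DELETE branch in the next hunk passes `:sname => (ssl ? 'https' : 'http')`; the two records for the same host and port will therefore differ in how the service is tagged. Add `:sname => (ssl ? 'https' : 'http'),` to the PUT branch as well. Both hunks also build the same `turl` string from `ssl`, `ip`, `rport` and `path`; a small private helper would keep the two in step. The enclosing method starts before the hunk.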
@@ -182,14 +183,15 @@ class Metasploit4 < Msf::Auxiliary if res.nil? or file_exists(path, data) print_error("DELETE failed. File is still there.") else - print_good("File deleted: #{(ssl ? 'https' : 'http')}://#{ip}:#{rport}#{path}") + turl = "#{(ssl ? 'https' : 'http')}://#{ip}:#{rport}#{path}" + print_good("File deleted: #{turl}") report_vuln( :host => ip, :port => rport, :proto => 'tcp', :sname => (ssl ? 'https' : 'http'), - :name => self.fullname, - :info => "DELETE ENABLED", + :name => self.name, + :info => "Module #{self.fullname} confirmed write access to #{turl} via DELETE", :refs => self.references, :exploited_at => Time.now.utc ) diff --git a/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb b/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb index f8afd7abc8..c19ab94da5 100644 --- a/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb +++ b/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb @@ -22,13 +22,12 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'MS09-020 IIS6 WebDAV Unicode Auth Bypass', + 'Name' => 'MS09-020 IIS6 WebDAV Unicode Authentication Bypass', 'Description' => %q{ - Simplified version of MS09-020 IIS6 WebDAV Unicode Auth Bypass scanner. It attempts - to bypass authentication using the WebDAV IIS6 Unicode vulnerability - discovered by Kingcope. The vulnerability appears to be exploitable - where WebDAV is enabled on the IIS6 server, and any protected folder - requires either Basic, Digest or NTLM authentication. + This module attempts to to bypass authentication using the WebDAV IIS6 + Unicode vulnerability discovered by Kingcope. The vulnerability appears + to be exploitable where WebDAV is enabled on the IIS6 server, and any + protected folder requires either Basic, Digest or NTLM authentication. }, 'Author' => [ 'et', 'patrick' ], 'Version' => '$Revision$', 
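Review bot: The rewritten Description in the ms09_020_webdav_unicode_bypass.rb initialize hunk reads "This module attempts to to bypass authentication", with a doubled "to". Since the commit already reflows this paragraph, fix the wording in the same change: `This module attempts to bypass authentication using the WebDAV IIS6`. The rest of the paragraph is fine as written.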
@@ -77,8 +76,8 @@ class Metasploit3 < Msf::Auxiliary if(not res) print_error("NO Response.") elsif (res.code.to_i == 401) - print_status("Confirmed protected folder #{wmap_base_url}#{tpath} #{res.code} (#{wmap_target_host})") - print_status("\tTesting for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.") + print_status("#{rhost}:#{rport} Confirmed protected folder #{wmap_base_url}#{tpath} #{res.code} (#{wmap_target_host})") + print_status("#{rhost}:#{rport} \tTesting for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.") cset = %W{ & ^ % $ # @ ! } buff = '' @@ -100,7 +99,7 @@ class Metasploit3 < Msf::Auxiliary }, 20) if (res.code.to_i == 207) - print_status("\tFound vulnerable WebDAV Unicode bypass. #{wmap_base_url}#{tpath}#{bogus}/ #{res.code} (#{wmap_target_host})") + print_status("#{rhost}:#{rport} \tFound vulnerable WebDAV Unicode bypass. #{wmap_base_url}#{tpath}#{bogus}/ #{res.code} (#{wmap_target_host})") report_vuln( @@ -108,8 +107,9 @@ class Metasploit3 < Msf::Auxiliary :host => ip, :port => rport, :proto => 'tcp', - :name => self.fullname, - :info => "#{tpath}#{bogus} / Code: #{res.code}", + :sname => ssl ? 'https' : 'http', + :name => self.name, + :info => "Module #{self.fullname} bypassed authentication with #{tpath}#{bogus} (response code #{res.code})", :refs => self.references, :exploited_at => Time.now.utc } @@ -117,7 +117,7 @@ class Metasploit3 < Msf::Auxiliary end else - print_error("Folder does not require authentication. [#{res.code}]") + print_error("#{rhost}:#{rport} Folder does not require authentication. [#{res.code}]") end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Timeout::Error, ::Errno::E877PIPE diff --git a/modules/auxiliary/scanner/http/options.rb b/modules/auxiliary/scanner/http/options.rb index a041d2488b..14587cb43a 100644 --- a/modules/auxiliary/scanner/http/options.rb +++ b/modules/auxiliary/scanner/http/options.rb 
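Review bot: The last hunk in ms09_020_webdav_unicode_bypass.rb ends on the context line `rescue ::Timeout::Error, ::Errno::E877PIPE`, which does not look like a valid `Errno` constant name. If that is the file's literal text rather than a rendering artefact, Ruby evaluates the rescue class list only when an exception propagates to it, so the first timeout or broken pipe would surface as a NameError instead of being handled; the intended constant is presumably `::Errno::EPIPE`. This is pre-existing code, but the commit touches the line directly above it and the fix is a one-token change.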
@@ -67,8 +67,8 @@ class Metasploit3 < Msf::Auxiliary :port => rport, :proto => 'tcp', :sname => (ssl ? 'https' : 'http'), - :name => self.fullname, - :info => res.headers['Allow'], + :name => "HTTP Trace Method Allowed", + :info => "Module #{self.fullname} detected TRACE access through the Allow header: #{res.headers['Allow']}", :refs => self.references, :exploited_at => Time.now.utc ) diff --git a/modules/auxiliary/scanner/http/rewrite_proxy_bypass.rb b/modules/auxiliary/scanner/http/rewrite_proxy_bypass.rb index 50c3e76d23..24cc5c5cf0 100644 --- a/modules/auxiliary/scanner/http/rewrite_proxy_bypass.rb +++ b/modules/auxiliary/scanner/http/rewrite_proxy_bypass.rb @@ -17,7 +17,7 @@ class Metasploit4 < Msf::Auxiliary def initialize super( - 'Name' => 'Reverse Proxy Bypass Scanner', + 'Name' => 'Apache Reverse Proxy Bypass Vulnerability Scanner', 'Version' => '$Revision$', 'Description' => %q{ Scan for poorly configured reverse proxy servers. @@ -66,15 +66,15 @@ class Metasploit4 < Msf::Auxiliary end if response.nil? - vprint_error "Request against #{host} timed out" + vprint_error "#{rhost}:#{rport} Request timed out" return nil end seconds_transpired = (responded_at - requested_at).to_f - vprint_status "#{host} took #{seconds_transpired} seconds to respond to URI #{uri}" + vprint_status "#{rhost}:#{rport} Server took #{seconds_transpired} seconds to respond to URI #{uri}" status_code = response.code - vprint_status "#{host} responded with status code #{status_code} to URI #{uri}" + vprint_status "#{rhost}:#{rport} Server responded with status code #{status_code} to URI #{uri}" return { :requested_at => requested_at, @@ -92,7 +92,7 @@ class Metasploit4 < Msf::Auxiliary end if baseline[:status_code] == test_status_code - vprint_error "The baseline status code for #{host} matches our test's" + vprint_error "#{rhost}:#{rport} The baseline status code for #{host} matches our test's" return end 
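Review bot: The options.rb hunk sets `:name => "HTTP Trace Method Allowed"` as a literal, whereas every other report_vuln in this commit moves to `:name => self.name`; if the literal is deliberate (the module's own name presumably describes OPTIONS scanning rather than the TRACE finding), a one-line comment saying so would stop the next cleanup from "fixing" it back. The new `:info` asserts TRACE access was detected through the Allow header, but the condition that gates this call is outside the hunk, so I cannot confirm the text matches what is actually checked. The enclosing block starts before the hunk.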
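Review bot: The rewritten vprint messages in rewrite_proxy_bypass.rb switch the prefix from `host` to `rhost`, but the next hunk still says `... for #{host} ...` after the `#{rhost}:#{rport}` prefix, and the report_vuln hunk further down keeps `:host => host`. If `host` and `rhost` can differ (for example a resolved address versus the configured target) the console output and the stored record will point at different identifiers; pick one for both, and if both are needed print them side by side rather than mixing them, e.g. `vprint_error "#{rhost}:#{rport} The baseline status code matches our test's"`. The enclosing method starts before the hunk.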
@@ -101,13 +101,14 @@ class Metasploit4 < Msf::Auxiliary status_code = injection_info[:status_code] if status_code == test_status_code - print_good "#{host}:#{rport} is vulnerable!" + print_good "#{rhost}:#{rport} Server appears to be vulnerable!" report_vuln( :host => host, :port => rport, :proto => 'tcp', - :name => self.fullname, - :info => "Returned #{status_code} when requested #{uri}", + :sname => ssl ? 'https' : 'http', + :name => self.name, + :info => "Module #{self.fullname} obtained #{status_code} when requesting #{uri}", :refs => self.references, :exploited_at => injection_info[:requested_at] ) diff --git a/modules/auxiliary/scanner/http/vmware_server_dir_trav.rb b/modules/auxiliary/scanner/http/vmware_server_dir_trav.rb index 8493ee53ab..19a3c08d8d 100644 --- a/modules/auxiliary/scanner/http/vmware_server_dir_trav.rb +++ b/modules/auxiliary/scanner/http/vmware_server_dir_trav.rb @@ -21,9 +21,9 @@ class Metasploit3 < Msf::Auxiliary def initialize super( - 'Name' => 'VMware Server Directory Transversal Vulnerability', + 'Name' => 'VMware Server Directory Traversal Vulnerability', 'Version' => '$Revision$', - 'Description' => 'This modules exploits the VMware Server Directory traversal + 'Description' => 'This modules exploits the VMware Server Directory Traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5 allows remote attackers to read arbitrary files. Common VMware server ports @@ -68,8 +68,8 @@ class Metasploit3 < Msf::Auxiliary :host => target_host, :port => rport, :proto => 'tcp', - :name => self.fullname, - :info => res.code, + :name => self.name, + :info => "Module #{self.fullname} reports directory traversal of #{target_host}:#{rport} with response code #{res.code}", :refs => self.references, :exploited_at => Time.now.utc } 
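Review bot: The Description line the commit rewrites in vmware_server_dir_trav.rb still begins "This modules exploits", a subject/verb mismatch; change it to `'Description' => 'This module exploits the VMware Server Directory Traversal`. The Name fix in the same hunk ("Transversal" to "Traversal") shows the intent was to clean up wording here, so the remaining error is easy to catch in this pass.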
diff --git a/modules/auxiliary/scanner/misc/java_rmi_server.rb b/modules/auxiliary/scanner/misc/java_rmi_server.rb index 4c23f6bf72..c5c7c0b936 100644 --- a/modules/auxiliary/scanner/misc/java_rmi_server.rb +++ b/modules/auxiliary/scanner/misc/java_rmi_server.rb @@ -19,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary def initialize super( - 'Name' => 'Java RMI Server Endpoint Scanner', + 'Name' => 'Java RMI Server Insecure Endpoint Code Execution Scanner', 'Version' => '$Revision$', 'Description' => 'Detect Java RMI endpoints', 'Author' => ['mihi', 'hdm'], @@ -95,14 +95,12 @@ class Metasploit3 < Msf::Auxiliary report_service(:host => rhost, :port => rport, :name => "java-rmi", :info => "Class Loader: Disabled") elsif buf.length > 0 print_good("#{rhost}:#{rport} Java RMI Endpoint Detected: Class Loader Enabled") - report_service(:host => rhost, :port => rport, :name => "java-rmi", :info => "Class Loader: Enabled") + svc = report_service(:host => rhost, :port => rport, :name => "java-rmi", :info => "Class Loader: Enabled") report_vuln( :host => rhost, - :port => rport, - :proto => 'tcp', - :sname => (ssl ? 'https' : 'http'), - :name => self.fullname, - :info => "Class Loader: Enabled", + :service => svc, + :name => self.name, + :info => "Module #{self.fullname} confirmed remote code execution via this RMI service", :refs => self.references ) else diff --git a/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb b/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb index bf9f49d80c..d51ef25f64 100644 --- a/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb +++ b/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb 
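Review bot: The java_rmi_server.rb initialize hunk renames the module to "Java RMI Server Insecure Endpoint Code Execution Scanner" but leaves `'Description' => 'Detect Java RMI endpoints'` unchanged, so the name now promises more than the description (and, per the next hunk, the check) describes. Either keep the description in step, e.g. `'Description' => 'Detect Java RMI endpoints and report whether the class loader is enabled'`, or keep the name closer to what is detected.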
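Review bot: The new `:info` in the second java_rmi_server.rb hunk states that the module "confirmed remote code execution via this RMI service", but the branch it sits in is entered on `buf.length > 0` and the adjacent print_good/report_service only say "Class Loader Enabled"; nothing in the hunk demonstrates execution on the target. Recording an unverified outcome as confirmed degrades the vuln database for triage, so prefer wording that matches the evidence, e.g. `:info => "Module #{self.fullname} detected a Java RMI endpoint with the class loader enabled"`. The hunk also drops `:port`/`:proto` in favour of `:service => svc`, which relies on `report_service` returning a usable record; the enclosing method starts and ends outside the hunk.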
@@ -50,7 +50,7 @@ class Metasploit3 < Msf::Auxiliary # This makes db_services look a lot nicer. banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s) - report_service(:host => rhost, :port => rport, :name => "telnet", :info => banner_sanitized) + svc = report_service(:host => rhost, :port => rport, :name => "telnet", :info => banner_sanitized) # Check for encryption option ( IS(0) DES_CFB64(1) ) sock.put("\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0") @@ -124,12 +124,11 @@ class Metasploit3 < Msf::Auxiliary print_good("#{ip}:#{rport} VULNERABLE: #{banner_sanitized}") report_vuln( { - :host => ip, - :port => rport, - :proto => 'tcp', - :name => self.fullname, - :info => banner_sanitized, - :refs => self.references + :host => ip, + :service => svc, + :name => self.name, + :info => "Module #{self.fullname} confirmed acceptance of a long key ID: #{banner_sanitized}", + :refs => self.references } ) diff --git a/modules/auxiliary/scanner/vnc/vnc_none_auth.rb b/modules/auxiliary/scanner/vnc/vnc_none_auth.rb index d7a9166525..3de1c52f95 100644 --- a/modules/auxiliary/scanner/vnc/vnc_none_auth.rb +++ b/modules/auxiliary/scanner/vnc/vnc_none_auth.rb @@ -53,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary ver = "#{vnc.majver}.#{vnc.minver}" print_status("#{target_host}:#{rport}, VNC server protocol version : #{ver}") - report_service( + svc = report_service( :host => rhost, :port => rport, :proto => 'tcp', @@ -77,12 +77,11 @@ class Metasploit3 < Msf::Auxiliary print_good("#{target_host}:#{rport}, VNC server security types includes None, free access!") report_vuln( { - :host => rhost, - :port => rport, - :proto => 'tcp', - :name => self.fullname, - :info => sec_type.join(","), - :refs => self.references, + :host => rhost, + :service => svc, + :name => self.name, + :info => "Module #{self.fullname} identified the VNC 'none' security type: #{sec_type.join(", ")}", + :refs => self.references, :exploited_at => Time.now.utc }) end 
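Review bot: telnet_encrypt_overflow.rb now captures `svc = report_service(...)` near line 50 and, in the next hunk about seventy lines later, passes `:service => svc` to report_vuln in place of the removed `:port`/`:proto`; the same pattern is introduced across both vnc_none_auth.rb hunks. If `report_service` can return nil (for instance when no database is active, or when the earlier call is skipped on some path between the two hunks), the vuln record ends up with no service, port or protocol at all, whereas the old explicit keys degraded more gracefully. Consider keeping `:port => rport` and `:proto => 'tcp'` next to `:service => svc` as a fallback if report_vuln tolerates both, or verifying that it accepts a nil `:service`. The enclosing methods start outside the hunks.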
diff --git a/modules/post/windows/gather/forensics/duqu_check.rb b/modules/post/windows/gather/forensics/duqu_check.rb index c7de2d5fdf..270a11b37a 100644 --- a/modules/post/windows/gather/forensics/duqu_check.rb +++ b/modules/post/windows/gather/forensics/duqu_check.rb @@ -55,11 +55,11 @@ class Metasploit3 < Msf::Post match += 1 report_vuln( :host => session.session_host, - :name => self.fullname, - :info => "#{path}\\#{query} possible CVE-2011-3402 exploitation [Duqu] artifact.", + :name => self.name, + :info => "Module #{self.fullname} detected #{path}\\#{query} - possible CVE-2011-3402 exploitation [Duqu] artifact.", :refs => self.references, - :exploited_at => Time.now.utc - ) + :exploited_at => Time.now.utc, + ) end end rescue # Probably should do something here...
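Review bot: The duqu_check.rb hunk adds a trailing comma to `:exploited_at => Time.now.utc,` right before the closing `)` of the report_vuln call. It is not needed, differs from every other report_vuln in this commit, and a trailing comma in a brace-less hash argument list is a portability hazard across the Ruby versions the framework supported at the time; drop it: `:exploited_at => Time.now.utc`. Separately, the hunk's last context line is a bare `rescue # Probably should do something here...` that silently swallows any StandardError from the check, so a failed probe is indistinguishable from a clean host; at minimum a `vprint_error` there would keep failures visible, though that is pre-existing and the enclosing method starts before the hunk.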