From c92a64e68721879db39e154355087706fad89b24 Mon Sep 17 00:00:00 2001
From: et <>
Date: Sat, 22 Nov 2008 04:34:00 +0000
Subject: [PATCH] Added module to test for file copies

git-svn-id: file:///home/svn/framework3/trunk@5975 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../scanner/http/wmap_copy_of_file.rb | 86 +++++++++++++++++++
 .../scanner/http/wmap_dir_scanner.rb | 2 +-
 2 files changed, 87 insertions(+), 1 deletion(-)
 create mode 100644 modules/auxiliary/scanner/http/wmap_copy_of_file.rb

diff --git a/modules/auxiliary/scanner/http/wmap_copy_of_file.rb b/modules/auxiliary/scanner/http/wmap_copy_of_file.rb
new file mode 100644
index 0000000000..83c0ff85c4
--- /dev/null
+++ b/modules/auxiliary/scanner/http/wmap_copy_of_file.rb
@@ -0,0 +1,86 @@
+##
+# $Id: wmap_backup_file.rb 5869 2008-11-10 04:38:05Z et $
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'rex/proto/http'
+require 'msf/core'
+
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::WMAPScanFile
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'HTTP Copy File Scanner',
+ 'Description' => %q{
+ This module identifies the existence of possible copies
+ of a specific file in a given path.
+ },
+ 'Author' => [ 'et [at] cyberspace.org' ],
+ 'License' => BSD_LICENSE,
+ 'Version' => '$Revision: 5869 $'))
+
+ register_options(
+ [
+ OptString.new('PATH', [ true, "The path/file to identify copies", '/index.asp'])
+ ], self.class)
+
+ end
+
+ def run_host(ip)
+ prestr = [
+ 'Copy of ',
+ 'Copy',
+ '_'
+ ]
+
+ tpathf = datastore['PATH']
+ testf = tpathf.split('/').last
+
+ prestr.each do |pre|
+ filec = tpathf.sub(testf,pre + testf)
+ check_for_file(filec)
+ end
+ end
+
+ def check_for_file(file)
+ begin
+ res = send_request_cgi({
+ 'uri' => file,
+ 'method' => 'GET',
+ 'ctype' => 'text/plain'
+ }, 20)
+
+ if (res and res.code >= 200 and res.code < 300)
+ print_status("Found http://#{target_host}:#{datastore['RPORT']}#{file}")
+
+ rep_id = wmap_base_report_id(
+ wmap_target_host,
+ wmap_target_port,
+ wmap_target_ssl
+ )
+ wmap_report(rep_id,'VULNERABILITY','COPY_FILE',"#{file}","A copy of file was found.")
+ else
+ print_status("NOT Found http://#{target_host}:#{datastore['RPORT']}#{file}")
+ #To be removed or just displayed with verbose debugging.
+ end
+
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ rescue ::Timeout::Error, ::Errno::EPIPE
+ end
+
+
+ end
+
+end
diff --git a/modules/auxiliary/scanner/http/wmap_dir_scanner.rb b/modules/auxiliary/scanner/http/wmap_dir_scanner.rb
index c30cf7f96f..ba02f10701 100644
--- a/modules/auxiliary/scanner/http/wmap_dir_scanner.rb
+++ b/modules/auxiliary/scanner/http/wmap_dir_scanner.rb
@@ -117,7 +117,7 @@ class Metasploit3 < Msf::Auxiliary
 }, 20)
- if(not res or (res.code.to_i == ecode) or (emesg and res.body.index(emesg)))
+ if(not res or ((res.code.to_i == ecode) or (emesg and res.body.index(emesg))))
 print_status("NOT Found #{prot}://#{vhost}:#{datastore['RPORT']}#{tpath}#{testfdir} #{res.code} (#{target_host})")
 else
 print_status("Found #{prot}://#{vhost}:#{datastore['RPORT']}#{tpath}#{testfdir} #{res.code} (#{target_host})")
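Review bot: `check_for_file` records a `COPY_FILE` vulnerability for any 2xx response (`if (res and res.code >= 200 and res.code < 300)`), so a server that answers 200 for unknown paths — the custom error-page case the companion `wmap_dir_scanner.rb` hunk in this same commit guards with `ecode`/`emesg` — writes one false finding per prefix; the same error-code/message datastore options, or a baseline request for a clearly nonexistent name, should gate the `wmap_report` call. `run_host` also derives `testf = tpathf.split('/').last`, which is nil when PATH is `/` or empty (`'/'.split('/')` is `[]`), so `pre + testf` raises TypeError before any request is sent; `return print_status("PATH must name a file") unless testf` after that line avoids the crash. Finally, `tpathf.sub(testf,pre + testf)` replaces the first occurrence of the basename anywhere in the path rather than the final segment (`/foo/foo` becomes `/Copy of foo/foo`); `tpathf.sub(/#{Regexp.escape(testf)}\z/) { pre + testf }` anchors it to the end and keeps a replacement containing `\` from being read as a backreference.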