Merge pull request #1 from jhart-r7/landing-3992-jhart-fixes

Refactor hp_enum_perfd for better looting
2014-10-12 20:44:24 -03:00 · 2014-10-12 20:44:24 -03:00 · d0f1cd1251
parent 7bd0f2c114 c3a58cec9e
commit d0f1cd1251
1 changed files with 49 additions and 15 deletions
--- a/modules/auxiliary/gather/hp_enum_perfd.rb
+++ b/modules/auxiliary/gather/hp_enum_perfd.rb
@ -6,11 +6,15 @@
 require 'msf/core'

 class Metasploit3 < Msf::Auxiliary
-
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

+  # TODO: figure out what these do:
+  #   o: valid command, takes no args, does nothing
+  #   B, c, F, G, I, M, U, x: all require an "instance id" and possibly other args
+  ALLOWED_COMMANDS = %w(a A i g l p t T u w Z)
+
  def initialize
    super(
      'Name'        => 'HP Operations Manager Perfd Environment Scanner',
@ -22,31 +26,61 @@ class Metasploit3 < Msf::Auxiliary
      'License'     => MSF_LICENSE
    )

+    commands_help = ALLOWED_COMMANDS.join(' ')
    register_options(
    [
      Opt::RPORT(5227),
-      OptEnum.new("CMD", [true, 'Command to execute', 'p', %w(u i p a g l T A q)])
+      OptString.new("COMMANDS", [true, "Command(s) to execute (one or more of #{commands_help})", commands_help])
    ], self.class)
  end

+  def commands
+    datastore['COMMANDS'].split(/[, ]+/).map(&:strip)
+  end
+
+  def setup
+    super
+    if datastore['COMMANDS']
+      bad_commands = commands - ALLOWED_COMMANDS
+      unless bad_commands.empty?
+        fail ArgumentError, "Bad perfd command(s) #{bad_commands}"
+      end
+    end
+  end
+
  def run_host(target_host)
    begin
-        cmd = datastore['CMD']

-        connect
-        sock.put("\n#{cmd}\n")
-        Rex.sleep(1)
-        resp = sock.get_once
+      connect
+      banner_resp = sock.get_once
+      if banner_resp && banner_resp =~ /^Welcome to the perfd server/
+        banner_resp.strip!
+        print_good("#{target_host}:#{rport}, Perfd server banner: #{banner_resp}")
+        perfd_service = report_service(host: rhost, port: rport, name: "perfd", proto: "tcp", info: banner_resp)
+        sock.puts("\n")

-        if (resp && resp =~ /Welcome/)
-          print_good("#{target_host}:#{rport}, Perfd server banner: #{resp}")
-          report_service(:host => rhost, :port => rport, :name => "perfd", :proto => "tcp", :info => resp)
-        else
-          print_error("#{target_host}:#{rport}, Perfd server banner detection failed!")
+        commands.each do |command|
+          sock.puts("#{command}\n")
+          Rex.sleep(1)
+          command_resp = sock.get_once
+
+          loot_name = "HP Ops Agent perfd #{command}"
+          path = store_loot(
+            "hp.ops.agent.perfd.#{command}",
+            'text/plain',
+            target_host,
+            command_resp,
+            nil,
+            "HP Ops Agent perfd #{command}",
+            perfd_service
+          )
+          print_status("#{target_host}:#{rport} - #{loot_name} saved in: #{path}")
        end
-        disconnect
-
-    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
+      else
+        print_error("#{target_host}:#{rport}, Perfd server banner detection failed!")
+      end
+      disconnect
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    rescue Timeout::Error => e
      print_error(e.message)
    end