Merge pull request #110 from jhartftw/soap_xml_6249

Improvements to auxiiliary/scanner/http/soap_xml to (#6249)
2012-01-16 18:19:33 -08:00 · 2012-01-16 18:19:33 -08:00 · d5443159d7
parent 7b8bfd401e 6a057560fa
commit d5443159d7
1 changed files with 85 additions and 71 deletions
--- a/modules/auxiliary/scanner/http/soap_xml.rb
+++ b/modules/auxiliary/scanner/http/soap_xml.rb
@ -42,7 +42,9 @@ class Metasploit3 < Msf::Auxiliary
 				OptString.new('XMLSCHEMA', [ true,  "XML Schema", 'http://www.w3.org/2001/XMLSchema']),
 				OptString.new('XMLSOAP', [ true,  "XML SOAP", 'http://schemas.xmlsoap.org/soap/envelope/']),
 				OptString.new('CONTENTTYPE', [ true,  "The HTTP Content-Type Header", 'application/x-www-form-urlencoded']),
+				OptInt.new('SLEEP', [true, "Sleep this many seconds between requests", 0 ]),
 				OptBool.new('DISPLAYHTML', [ true,  "Display HTML response", false ]),
+				OptBool.new('SSL', [ true,  "Use SSL", false ]),
 			], self.class)

 	end
@ -53,6 +55,7 @@ class Metasploit3 < Msf::Auxiliary
 		verbs = [
 				'get',
 				'active',
+				'activate',
 				'create',
 				'change',
 				'set',
@ -74,33 +77,49 @@ class Metasploit3 < Msf::Auxiliary
 				'register',
 				'log',
 				'add',
+				'list',
+				'query',
 				#'delete', # Best to be safe!
 			]

 		nouns = [
 				'password',
 				'task',
+				'tasks',
 				'pass',
 				'administration',
 				'account',
+				'accounts',
 				'admin',
 				'login',
+				'logins',
 				'token',
-				'credentials',
+				'tokens',
 				'credential',
+				'credentials',
 				'key',
+				'keys',
 				'guid',
 				'message',
+				'messages',
 				'user',
+				'users',
 				'username',
+				'usernames',
 				'load',
 				'list',
 				'name',
+				'names',
 				'file',
+				'files',
 				'path',
+				'paths',
 				'directory',
+				'directories',
 				'configuration',
+				'configurations',
 				'config',
+				'configs',
 				'setting',
 				'settings',
 				'registry',
@ -111,79 +130,74 @@ class Metasploit3 < Msf::Auxiliary
 		target_port = datastore['RPORT']
 		vhost = datastore['VHOST'] || wmap_target_host || ip

+        # regular expressions for common rejection messages
+        reject_regexen = []
+        reject_regexen << Regexp.new("method \\S+ is not valid", true)
+        reject_regexen << Regexp.new("Method \\S+ not implemented", true)
+        reject_regexen << Regexp.new("unable to resolve WSDL method name", true)
+
 		begin
-			# Check service exists
-			res = send_request_raw({
-				'uri'          => datastore['PATH'],
-				'method'       => 'GET',
-				'vhost'         => vhost,
-			}, 10)
+            verbs.each do |v|
+                nouns.each do |n|
+                    data_parts = []
+                    data_parts << "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
+                    data_parts << "<soap:Envelope xmlns:xsi=\"#{datastore['XMLINSTANCE']}\" xmlns:xsd=\"#{datastore['XMLSCHEMA']}\" xmlns:soap=\"#{datastore['XMLSOAP']}\">"
+                    data_parts << "<soap:Body>"
+                    data_parts << "<#{v}#{n} xmlns=\"#{datastore['XMLNAMESPACE']}\">"
+                    data_parts << "</#{v}#{n}>"
+                    data_parts << "</soap:Body>"
+                    data_parts << "</soap:Envelope>"
+                    data_parts << nil
+                    data_parts << nil
+                    data = data_parts.join("\r\n")

-			if (res.code == 200)
-				print_status("PATH appears to be OK.")
+                    res = send_request_raw({
+                        'uri'          => datastore['PATH'] + '/' + v + n,
+                        'method'       => 'POST',
+                        'vhost'         => vhost,
+                        'data'		=> data,
+                        'headers' =>
+                            {
+                                'Content-Length' => data.length,
+                                'SOAPAction'	=> '"' + datastore['XMLNAMESPACE'] + v + n + '"',
+                                'Expect'	=> '100-continue',
+                                'Content-Type'	=> datastore['CONTENTTYPE'],
+                            }
+                    }, 15)

-				verbs.each do |v|
-					nouns.each do |n|
-
-						# This could be cleaned up - patrickw
-						data = '<?xml version="1.0" encoding="utf-8"?>' + "\r\n"
-						data << '<soap:Envelope xmlns:xsi="' + datastore['XMLINSTANCE'] + '" xmlns:xsd="' + datastore['XMLSCHEMA'] + '" xmlns:soap="' + datastore['XMLSOAP'] + '">' + "\r\n"
-						data << '<soap:Body>' + "\r\n"
-						data << "<#{v}#{n}" + " xmlns=\"#{datastore['XMLNAMESPACE']}\">" + "\r\n"
-						data << "</#{v}#{n}>" + "\r\n"
-						data << '</soap:Body>' + "\r\n"
-						data << '</soap:Envelope>' + "\r\n\r\n"
-
-						res = send_request_raw({
-							'uri'          => datastore['PATH'] + '/' + v + n,
-							'method'       => 'POST',
-							'vhost'         => vhost,
-							'data'		=> data,
-							'headers' =>
-								{
-									'Content-Length' => data.length,
-									'SOAPAction'	=> '"' + datastore['XMLNAMESPACE'] + v + n + '"',
-									'Expect'	=> '100-continue',
-									'Content-Type'	=> datastore['CONTENTTYPE'],
-								}
-						}, 15)
-
-						if (res && !(res.body.empty?))
-							if (res.body =~ /method name is not valid/)
-								print_status("Server rejected SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
-							elsif (res.message =~ /Cannot process the message because the content type/)
-								print_status("Server rejected CONTENTTYPE: HTTP: #{res.code} #{res.message}.")
-								res.message =~ /was not the expected type\s\'([^']+)'/
-								print_status("Set CONTENTTYPE to \"#{$1}\"")
-								return false
-							elsif (res.code == 404)
-								return false
-							else
-								print_status("Server responded to SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
-								## Add Report
-								report_note(
-									:host	=> ip,
-									:proto => 'tcp',
-									:sname	=> 'HTTP',
-									:port	=> rport,
-									:type	=> "SOAPAction: #{v}#{n}",
-									:data	=> "SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}."
-								)
-								if datastore['DISPLAYHTML']
-									print_status("The HTML content follows:")
-									print_status(res.body + "\r\n")
-								end
-							end
-						end
-					end
-				end
-
-		else
-			print_status("Server did not respond with 200 OK.")
-			print_status(res.to_s)
-		end
-		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-		rescue ::Timeout::Error, ::Errno::EPIPE
+                    if (res && !(res.body.empty?))
+                        if ((not reject_regexen.select { |r| res.body =~ r }.empty?))
+                            print_status("Server rejected SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
+                        elsif (res.message =~ /Cannot process the message because the content type/)
+                            print_status("Server rejected CONTENTTYPE: HTTP: #{res.code} #{res.message}.")
+                            res.message =~ /was not the expected type\s\'([^']+)'/
+                            print_status("Set CONTENTTYPE to \"#{$1}\"")
+                            return false
+                        elsif (res.code == 404)
+                            print_status("Server returned HTTP 404 for #{datastore['PATH']}.  Use a different one.")
+                            return false
+                        else
+                            print_status("Server responded to SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
+                            ## Add Report
+                            report_note(
+                                :host	=> ip,
+                                :proto => 'tcp',
+                                :sname  => (ssl ? 'https' : 'http'),
+                                :port	=> rport,
+                                :type	=> "SOAPAction: #{v}#{n}",
+                                :data	=> "SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}."
+                            )
+                            if datastore['DISPLAYHTML']
+                                print_status("The HTML content follows:")
+                                print_status(res.body + "\r\n")
+                            end
+                        end
+                    end
+                    select(nil, nil, nil, datastore['SLEEP']) if (datastore['SLEEP'] > 0)
+                end
+            end
+		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e
+		    print_error(e)
 		end
 	end
 end