Merge branch 'master' of github.com:rapid7/metasploit-framework

unstable
sinn3r 2013-02-05 15:13:09 -06:00
commit ebd49eb534
1 changed files with 20 additions and 10 deletions


@ -19,7 +19,10 @@ class Metasploit3 < Msf::Auxiliary
This module attempts to identify Ruby on Rails instances vulnerable to This module attempts to identify Ruby on Rails instances vulnerable to
an arbitrary object instantiation flaw in the XML request processor. an arbitrary object instantiation flaw in the XML request processor.
}, },
'Author' => 'hdm', 'Author' => [
'hdm', #author
'jjarmoc' #improvements
],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'References' => 'References' =>
[ [
@ -29,7 +32,8 @@ class Metasploit3 < Msf::Auxiliary
)) ))
register_options([ register_options([
OptString.new('URIPATH', [true, "The URI to test", "/"]) OptString.new('URIPATH', [true, "The URI to test", "/"]),
OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ]),
], self.class) ], self.class)
end end
@ -37,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary
odata = %Q^<?xml version="1.0" encoding="UTF-8"?>\n<probe type="#{ptype}"><![CDATA[\n#{pdata}\n]]></probe>^ odata = %Q^<?xml version="1.0" encoding="UTF-8"?>\n<probe type="#{ptype}"><![CDATA[\n#{pdata}\n]]></probe>^
res = send_request_cgi({ res = send_request_cgi({
'uri' => datastore['URIPATH'] || "/", 'uri' => datastore['URIPATH'] || "/",
'method' => 'POST', 'method' => datastore['HTTP_METHOD'],
'ctype' => 'application/xml', 'ctype' => 'application/xml',
'data' => odata 'data' => odata
}, 25) }, 25)
@ -46,29 +50,35 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip) def run_host(ip)
res1 = send_probe("string", "hello") res1 = send_probe("string", "hello")
res2 = send_probe("yaml", "--- !ruby/object:Time {}\n")
res3 = send_probe("yaml", "--- !ruby/object:\x00")
unless res1 unless res1
vprint_status("#{rhost}:#{rport} No reply to the initial XML request") vprint_status("#{rhost}:#{rport} No reply to the initial XML request")
return return
end end
if res1.code.to_s =~ /^[5]/
vprint_status("#{rhost}:#{rport} The server replied with #{res1.code} for our initial XML request, double check URIPATH")
return
end
res2 = send_probe("yaml", "--- !ruby/object:Time {}\n")
unless res2 unless res2
vprint_status("#{rhost}:#{rport} No reply to the initial YAML probe") vprint_status("#{rhost}:#{rport} No reply to the initial YAML probe")
return return
end end
res3 = send_probe("yaml", "--- !ruby/object:\x00")
unless res3 unless res3
vprint_status("#{rhost}:#{rport} No reply to the second YAML probe") vprint_status("#{rhost}:#{rport} No reply to the second YAML probe")
return return
end end
if res1.code.to_s =~ /^[45]/ vprint_status("Probe response codes: #{res1.code} / #{res2.code} / #{res3.code}")
vprint_status("#{rhost}:#{rport} The server replied with #{res1.code} for our initial XML request, double check URIPATH")
end
if res2.code.to_s =~ /^[23]/ and res3.code != res2.code and res3.code != 200
if (res2.code == res1.code) and (res3.code != res2.code) and (res3.code != 200)
print_good("#{rhost}:#{rport} is likely vulnerable due to a #{res3.code} reply for invalid YAML") print_good("#{rhost}:#{rport} is likely vulnerable due to a #{res3.code} reply for invalid YAML")
report_vuln({ report_vuln({
:host => rhost, :host => rhost,
@ -79,7 +89,7 @@ class Metasploit3 < Msf::Auxiliary
:refs => self.references :refs => self.references
}) })
else else
vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or URIPATH must be set") vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or URIPATH & HTTP_METHOD must be set")
end end
end end
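Review bot: The new `vprint_status("Probe response codes: ...")` line is the only status message in run_host that omits the `#{rhost}:#{rport}` prefix, so in a multi-host scan it cannot be attributed to a target; make it `vprint_status("#{rhost}:#{rport} Probe response codes: #{res1.code} / #{res2.code} / #{res3.code}")`. The rewritten vulnerability condition uses `and` where `&&` is the idiomatic boolean operator, and the early-exit check `res1.code.to_s =~ /^[5]/` can be written without a string round-trip as `res1.code >= 500`, assuming `code` is an Integer here as the later `res3.code != 200` comparison suggests. Since the verdict now rests purely on a differential between the two YAML probes, a short comment above the `print_good` branch stating that rationale, such as `# A reply to the malformed YAML probe that differs from the well-formed one (and is not 200) suggests the server parsed the YAML`, would help maintainers judge false positives from intermediaries that alter status codes.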