Land #2896, @wchen-r7's check's normalization for auxiliary modules

bug/bundler_fix
jvazquez-r7 2014-01-24 08:53:53 -06:00
commit fdaa172cc5
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
8 changed files with 66 additions and 62 deletions


@ -52,12 +52,12 @@ class Metasploit3 < Msf::Auxiliary
})
if (res and (m = res.headers['Server'].match(/Boa\/(.*)/)))
print_status("#{peer} - Boa Version Detected: #{m[1]}")
vprint_status("#{peer} - Boa Version Detected: #{m[1]}")
return Exploit::CheckCode::Safe if (m[1][0].ord-48>0) # boa server wrong version
return Exploit::CheckCode::Safe if (m[1][3].ord-48>4)
return Exploit::CheckCode::Vulnerable
else
print_status("#{peer} - Not a Boa Server!")
vprint_status("#{peer} - Not a Boa Server!")
return Exploit::CheckCode::Safe # not a boa server
end
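Review bot: The two `Safe` guards index single characters of the captured version, so `m[1][3]` is nil for a version shorter than four characters (for example `Boa/0.9`) and `.ord` raises NoMethodError instead of returning a CheckCode; the `match` call likewise raises when the response has no `Server` header. A nil-safe match plus a guard before the character tests avoids both, e.g. `if res && (m = res.headers['Server'].to_s.match(/Boa\/(.*)/))` and `return Exploit::CheckCode::Unknown if m[1].length < 4` before the first guard. Comparing the numeric components after `m[1].split('.')` would also read more clearly than the `ord-48` arithmetic. The enclosing check method starts before this hunk.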


@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
[
Opt::RPORT(21),
OptString.new('FTPUSER', [true, "The backdoor account to use for login", 'ftpuser']),
OptString.new('FTPPASS', [true, "The backdoor password to use for login", 'password']),
OptString.new('FTPPASS', [true, "The backdoor password to use for login", 'password'])
], self.class)
register_advanced_options(
@ -59,7 +59,6 @@ class Metasploit3 < Msf::Auxiliary
# device, then we're going to end up storing HTTP credentials that are not
# correct. If there's a way to fingerprint the device, it should be done here.
def check
return true unless datastore['RUN_CHECK']
is_modicon = false
vprint_status "#{ip}:#{rport} - FTP - Checking fingerprint"
connect rescue nil
@ -68,22 +67,26 @@ class Metasploit3 < Msf::Auxiliary
is_modicon = check_banner()
disconnect
else
print_error "#{ip}:#{rport} - FTP - Cannot connect, skipping"
return false
vprint_error "#{ip}:#{rport} - FTP - Cannot connect, skipping"
return Exploit::CheckCode::Unknown
end
if is_modicon
print_status "#{ip}:#{rport} - FTP - Matches Modicon fingerprint"
vprint_status "#{ip}:#{rport} - FTP - Matches Modicon fingerprint"
return Exploit::CheckCode::Detected
else
print_error "#{ip}:#{rport} - FTP - Skipping due to fingerprint mismatch"
vprint_error "#{ip}:#{rport} - FTP - Skipping due to fingerprint mismatch"
end
return is_modicon
return Exploit::CheckCode::Safe
end
def run
if check()
if setup_ftp_connection()
grab()
end
if datastore['RUN_CHECK'] and check == Exploit::CheckCode::Detected
print_status("Service detected.")
grab() if setup_ftp_connection()
else
grab() if setup_ftp_connection()
end
end
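Review bot: With RUN_CHECK enabled, a fingerprint mismatch no longer skips the host: the `else` branch of `run` performs the same `grab() if setup_ftp_connection()` as the success branch, so a `Safe` or `Unknown` result from `check` still leads to grabbing, whereas the old `if check()` gated it. If the "Skipping due to fingerprint mismatch" message still describes the intent, `run` should return early on any result other than `Detected`. Using `&&` instead of `and` avoids the precedence trap in the condition, and `print_status("Service detected.")` is the only message in this file without the `#{ip}:#{rport} - FTP -` prefix the other messages carry.
```ruby
def run
  if datastore['RUN_CHECK']
    return unless check == Exploit::CheckCode::Detected
    print_status("#{ip}:#{rport} - FTP - Service detected.")
  end
  grab() if setup_ftp_connection()
end
```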


@ -47,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
def check
# http://blog.nodejs.org/2013/08/21/node-v0-10-17-stable/
# check if we are < 0.10.17 by seeing if a malformed HTTP request is accepted
status = Exploit::CheckCode::Unknown
status = Exploit::CheckCode::Safe
connect
sock.put(http_request("GEM"))
begin
@ -56,6 +56,8 @@ class Metasploit3 < Msf::Auxiliary
rescue EOFError
# checking against >= 0.10.17 raises EOFError because there is no
# response to GEM requests
vprint_error("Failed to determine the vulnerable state due to an EOFError (no response)")
return Msf::Exploit::CheckCode::Unknown
ensure
disconnect
end
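Review bot: The new EOFError branch returns `Unknown` with a "Failed to determine" message, but the comment kept directly above it states that EOFError is the expected behaviour of a patched (>= 0.10.17) server, which would make `Safe` the accurate answer; one of the two should change so the comment and the return agree, e.g. reword the comment to `# no response: cannot tell a patched server from a non-Node listener` if Unknown is intended. The method also mixes `Exploit::CheckCode::Safe` and `Msf::Exploit::CheckCode::Unknown` for the same constant; pick one form. The body between the two hunks and the end of the method are outside this view.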


@ -43,7 +43,6 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
Opt::RPORT(80),
OptBool.new('CHECK', [false, 'Only check for vulnerability', false]),
OptString.new("TARGETURI", [true, 'Base path to ColdFusion', '/'])
], self.class)
end
@ -116,6 +115,14 @@ class Metasploit3 < Msf::Auxiliary
end
def check
if check_cf
return Msf::Exploit::CheckCode::Vulnerable
end
Msf::Exploit::CheckCode::Safe
end
def check_cf
vuln = false
url = '/CFIDE/adminapi/customtags/l10n.cfm'
res = send_request_cgi({
@ -171,17 +178,11 @@ class Metasploit3 < Msf::Auxiliary
return
end
if(not check)
if(not check_cf)
print_status("#{peer} can't be exploited (either files missing or permissions block access)")
return
end
if (datastore['CHECK'] )
print_good("#{peer} is vulnerable and most likely exploitable") if check
return
end
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'CFIDE', 'adminapi', 'customtags', 'l10n.cfm'),
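Review bot: The new `check` maps every falsy result from `check_cf` to `Safe`, yet the message in `run` describes that result as "files missing or permissions block access", and `check_cf` (its body is outside this hunk) presumably also returns false when `send_request_cgi` gets no response; an unreachable host would then be reported as Safe rather than Unknown. If `check_cf` can distinguish no-response from a negative probe, `check` should return `Msf::Exploit::CheckCode::Unknown` for that case. Stylistically the new method is a one-liner, `check_cf ? Msf::Exploit::CheckCode::Vulnerable : Msf::Exploit::CheckCode::Safe`, and `if(not check_cf)` reads better as `unless check_cf`.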


@ -128,21 +128,21 @@ class Metasploit3 < Msf::Auxiliary
end
def check
node_id = get_node
unless node_id.nil?
return Msf::Exploit::CheckCode::Vulnerable
end
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "index.php")
})
if res and res.code == 200 and res.body.to_s =~ /"simpleversion": "v=5/
return Msf::Exploit::CheckCode::Detected
if get_node
# Multiple factors determine this LOOKS vulnerable
return Msf::Exploit::CheckCode::Appears
else
# Not enough information about the vuln state, but at least we know this is vbulletin
return Msf::Exploit::CheckCode::Detected
end
end
return Msf::Exploit::CheckCode::Unknown
Msf::Exploit::CheckCode::Safe
end
def run
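Review bot: The trailing `Msf::Exploit::CheckCode::Safe` in `check` is also reached when `send_request_cgi` returns nil (no response), so a timed-out or unreachable host is reported Safe; adding `return Msf::Exploit::CheckCode::Unknown unless res` directly after the request keeps Safe for an actual non-matching answer only. Note too that a target where `get_node` succeeds but `index.php` does not expose the `simpleversion` string now ends in Safe, whereas the old code returned Vulnerable on `get_node` alone; if that tightening is not intended, test `get_node` before the version check.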


@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
return unless check
return unless is_vmware?
each_user_pass { |user, pass|
result = vim_do_login(user, pass)
case result
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
# Mostly taken from the Apache Tomcat service validator
def check
def is_vmware?
soap_data =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>


@ -58,7 +58,6 @@ class Metasploit3 < Msf::Auxiliary
def auxiliary_commands
return {
"check" => "Determine if the specified DNS server (RHOST) is vulnerable",
"racer" => "Determine the size of the window for the target server"
}
end
@ -75,14 +74,9 @@ class Metasploit3 < Msf::Auxiliary
calculate_race(targ, dom)
end
def cmd_check(*args)
targ = args[0] || rhost()
if !(targ and targ.length > 0)
print_status("usage: check [dns-server]")
return
end
def check
targ = rhost
print_status("Using the Metasploit service to verify exploitability...")
srv_sock = Rex::Socket.create_udp(
'PeerHost' => targ,
'PeerPort' => 53
@ -111,7 +105,7 @@ class Metasploit3 < Msf::Auxiliary
if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m)
t_addr, t_port = $1.split(':')
print_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}")
vprint_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}")
t_port = t_port.to_i
if(lport and lport != t_port)
random = true
@ -132,24 +126,29 @@ class Metasploit3 < Msf::Auxiliary
srv_sock.close
if(ports.keys.length == 0)
print_error("ERROR: This server is not replying to recursive requests")
return
vprint_error("ERROR: This server is not replying to recursive requests")
return Exploit::CheckCode::Unknown
end
if(reps < 30)
print_warning("WARNING: This server did not reply to all of our requests")
vprint_warning("WARNING: This server did not reply to all of our requests")
end
if(random)
ports_u = ports.keys.length
ports_r = ((ports.keys.length/30.0)*100).to_i
print_status("PASS: This server does not use a static source port. Randomness: #{ports_u}/30 %#{ports_r}")
vprint_status("PASS: This server does not use a static source port. Randomness: #{ports_u}/30 %#{ports_r}")
if(ports_r != 100)
print_status("INFO: This server's source ports are not really random and may still be exploitable, but not by this tool.")
vprint_status("INFO: This server's source ports are not really random and may still be exploitable, but not by this tool.")
# Not exploitable by this tool, so we lower this to Appears on purpose to lower the user's confidence
return Exploit::CheckCode::Appears
end
else
print_error("FAIL: This server uses a static source port and is vulnerable to poisoning")
vprint_error("FAIL: This server uses a static source port and is vulnerable to poisoning")
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def run
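Review bot: The randomness figure `ports_r` divides the number of distinct source ports by a constant 30 although the warning just above it records that fewer than 30 replies may have arrived, so a server that answered, say, 20 probes from 20 different ports scores `%66` and is downgraded to `Appears` even though its ports were fully random; dividing by the replies actually received, `ports_r = reps > 0 ? ((ports.keys.length / reps.to_f) * 100).to_i : 0` (assuming `reps` counts replies, as the warning implies), yields the rating the message claims. `print_status("Using the Metasploit service to verify exploitability...")` is the only message in this method left as `print_status` after the others became `vprint_*`. The UDP socket from `Rex::Socket.create_udp` is closed only on the normal path at `srv_sock.close`; the probing loop between the hunks is outside this view, so an exception there would leak it unless an `ensure` covers the close. The same applies to the second DNS module below (hunk `@ -143,11 +137,16`).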


@ -56,8 +56,7 @@ class Metasploit3 < Msf::Auxiliary
def auxiliary_commands
return {
"check" => "Determine if the specified DNS server (RHOST) is vulnerable",
"racer" => "Determine the size of the window for the target server",
"racer" => "Determine the size of the window for the target server"
}
end
@ -73,14 +72,9 @@ class Metasploit3 < Msf::Auxiliary
calculate_race(targ, dom)
end
def cmd_check(*args)
targ = args[0] || rhost()
if !(targ and targ.length > 0)
print_status("usage: check [dns-server]")
return
end
def check
targ = rhost
print_status("Using the Metasploit service to verify exploitability...")
srv_sock = Rex::Socket.create_udp(
'PeerHost' => targ,
'PeerPort' => 53
@ -109,7 +103,7 @@ class Metasploit3 < Msf::Auxiliary
if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m)
t_addr, t_port = $1.split(':')
print_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}")
vprint_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}")
t_port = t_port.to_i
if(lport and lport != t_port)
random = true
@ -130,12 +124,12 @@ class Metasploit3 < Msf::Auxiliary
srv_sock.close
if(ports.keys.length == 0)
print_error("ERROR: This server is not replying to recursive requests")
return
vprint_error("ERROR: This server is not replying to recursive requests")
return Exploit::CheckCode::Unknown
end
if(reps < 30)
print_warning("WARNING: This server did not reply to all of our requests")
vprint_warning("WARNING: This server did not reply to all of our requests")
end
if(random)
@ -143,11 +137,16 @@ class Metasploit3 < Msf::Auxiliary
ports_r = ((ports.keys.length/30.0)*100).to_i
print_status("PASS: This server does not use a static source port. Randomness: #{ports_u}/30 %#{ports_r}")
if(ports_r != 100)
print_status("INFO: This server's source ports are not really random and may still be exploitable, but not by this tool.")
vprint_status("INFO: This server's source ports are not really random and may still be exploitable, but not by this tool.")
# Not exploitable by this tool, so we lower this to Appears on purpose to lower the user's confidence
return Exploit::CheckCode::Appears
end
else
print_error("FAIL: This server uses a static source port and is vulnerable to poisoning")
vprint_error("FAIL: This server uses a static source port and is vulnerable to poisoning")
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def run