diff --git a/modules/auxiliary/admin/http/intersil_pass_reset.rb b/modules/auxiliary/admin/http/intersil_pass_reset.rb
index 7d663c7a44..465a4aa556 100644
--- a/modules/auxiliary/admin/http/intersil_pass_reset.rb
+++ b/modules/auxiliary/admin/http/intersil_pass_reset.rb
@@ -52,12 +52,12 @@ class Metasploit3 < Msf::Auxiliary
 })
 if (res and (m = res.headers['Server'].match(/Boa\/(.*)/)))
- print_status("#{peer} - Boa Version Detected: #{m[1]}")
+ vprint_status("#{peer} - Boa Version Detected: #{m[1]}")
 return Exploit::CheckCode::Safe if (m[1][0].ord-48>0) # boa server wrong version
 return Exploit::CheckCode::Safe if (m[1][3].ord-48>4)
 return Exploit::CheckCode::Vulnerable
 else
- print_status("#{peer} - Not a Boa Server!")
+ vprint_status("#{peer} - Not a Boa Server!")
 return Exploit::CheckCode::Safe # not a boa server
 end
diff --git a/modules/auxiliary/admin/scada/modicon_password_recovery.rb b/modules/auxiliary/admin/scada/modicon_password_recovery.rb
index f8cdaadd8f..1b953fc3f0 100644
--- a/modules/auxiliary/admin/scada/modicon_password_recovery.rb
+++ b/modules/auxiliary/admin/scada/modicon_password_recovery.rb
@@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
 [
 Opt::RPORT(21),
 OptString.new('FTPUSER', [true, "The backdoor account to use for login", 'ftpuser']),
- OptString.new('FTPPASS', [true, "The backdoor password to use for login", 'password']),
+ OptString.new('FTPPASS', [true, "The backdoor password to use for login", 'password'])
 ], self.class)
 register_advanced_options(
@@ -59,7 +59,6 @@ class Metasploit3 < Msf::Auxiliary
 # device, then we're going to end up storing HTTP credentials that are not
 # correct. If there's a way to fingerprint the device, it should be done here.
 def check
- return true unless datastore['RUN_CHECK']
 is_modicon = false
 vprint_status "#{ip}:#{rport} - FTP - Checking fingerprint"
 connect rescue nil
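Review bot: The version comparison right after the added `vprint_status` can raise instead of returning a CheckCode: `res.headers['Server']` is nil when the response carries no Server header, so `.match` raises NoMethodError before the `else` branch is ever reached, and `m[1][3]` is nil for any captured version shorter than four characters, so `.ord` raises as well. Guarding with `res.headers['Server'].to_s.match(/Boa\/(.*)/)` and `return Exploit::CheckCode::Unknown if m[1].length < 4` before the character tests keeps `check` from aborting on unexpected banners. The `ord-48` arithmetic also only expresses "first character is 0 and fourth character is at most 4", which fits a `0.9x` banner but, for example, classifies `0.88` as Safe; a comment such as `# assumes a Boa/0.9x.y banner; any other layout is treated as Safe` would make that limitation visible to the next maintainer. The start of `check` and the request that fills `res` lie outside the hunk.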
@@ -68,22 +67,26 @@ class Metasploit3 < Msf::Auxiliary
 is_modicon = check_banner()
 disconnect
 else
- print_error "#{ip}:#{rport} - FTP - Cannot connect, skipping"
- return false
+ vprint_error "#{ip}:#{rport} - FTP - Cannot connect, skipping"
+ return Exploit::CheckCode::Unknown
 end
+
 if is_modicon
- print_status "#{ip}:#{rport} - FTP - Matches Modicon fingerprint"
+ vprint_status "#{ip}:#{rport} - FTP - Matches Modicon fingerprint"
+ return Exploit::CheckCode::Detected
 else
- print_error "#{ip}:#{rport} - FTP - Skipping due to fingerprint mismatch"
+ vprint_error "#{ip}:#{rport} - FTP - Skipping due to fingerprint mismatch"
 end
- return is_modicon
+
+ return Exploit::CheckCode::Safe
 end
 def run
- if check()
- if setup_ftp_connection()
- grab()
- end
+ if datastore['RUN_CHECK'] and check == Exploit::CheckCode::Detected
+ print_status("Service detected.")
+ grab() if setup_ftp_connection()
+ else
+ grab() if setup_ftp_connection()
 end
 end
diff --git a/modules/auxiliary/dos/http/nodejs_pipelining.rb b/modules/auxiliary/dos/http/nodejs_pipelining.rb
index 02587acb33..44b6f5c0c1 100644
--- a/modules/auxiliary/dos/http/nodejs_pipelining.rb
+++ b/modules/auxiliary/dos/http/nodejs_pipelining.rb
@@ -47,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
 def check
 # http://blog.nodejs.org/2013/08/21/node-v0-10-17-stable/
 # check if we are < 0.10.17 by seeing if a malformed HTTP request is accepted
- status = Exploit::CheckCode::Unknown
+ status = Exploit::CheckCode::Safe
 connect
 sock.put(http_request("GEM"))
 begin
@@ -56,6 +56,8 @@ class Metasploit3 < Msf::Auxiliary
 rescue EOFError
 # checking against >= 0.10.17 raises EOFError because there is no
 # response to GEM requests
+ vprint_error("Failed to determine the vulnerable state due to an EOFError (no response)")
+ return Msf::Exploit::CheckCode::Unknown
 ensure
 disconnect
 end
diff --git a/modules/auxiliary/gather/coldfusion_pwd_props.rb b/modules/auxiliary/gather/coldfusion_pwd_props.rb
index bc37d89b7b..f08e3f9ed9 100644
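Review bot: In the new `run`, a failed fingerprint does not actually skip the host: when RUN_CHECK is set and `check` returns Safe or Unknown, the `and` condition is false, control falls into the `else` branch and `grab()` still runs after `setup_ftp_connection()`, which is exactly the situation the comment above `check` (previous hunk) warns about, storing credentials for a device that is not a Modicon. The mismatch and connect-failure messages are also now `vprint_error`, so without VERBOSE the operator gets no explanation at all. I would gate on the check result and return early; the whole body of `run` is inside the hunk:

```ruby
def run
  if datastore['RUN_CHECK']
    unless check == Exploit::CheckCode::Detected
      print_error("#{ip}:#{rport} - Fingerprint check failed, skipping")
      return
    end
    print_status("Service detected.")
  end
  grab() if setup_ftp_connection()
end
```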
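Review bot: The added `return Msf::Exploit::CheckCode::Unknown` in the EOFError branch contradicts the two comment lines directly above it, which state that an EOFError is precisely what a patched (>= 0.10.17) node produces; under that reading the outcome is a negative result, not an unknown one, and the new `vprint_error` text ("Failed to determine the vulnerable state") tells the operator the opposite of what the comment claims. Either keep the comment's semantics and return `Msf::Exploit::CheckCode::Safe` with something like `vprint_status("No response to the malformed request; node appears to be >= 0.10.17")`, or, if an EOFError can also come from an unrelated disconnect, reword the comment so it no longer asserts the version. Note also that `connect` and `sock.put` in the previous hunk sit before the `begin`, so a failure there never reaches the `ensure disconnect`. The part of `check` between the two hunks is not visible here.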
--- a/modules/auxiliary/gather/coldfusion_pwd_props.rb
+++ b/modules/auxiliary/gather/coldfusion_pwd_props.rb
@@ -43,7 +43,6 @@ class Metasploit3 < Msf::Auxiliary
 register_options(
 [
 Opt::RPORT(80),
- OptBool.new('CHECK', [false, 'Only check for vulnerability', false]),
 OptString.new("TARGETURI", [true, 'Base path to ColdFusion', '/'])
 ], self.class)
 end
@@ -116,6 +115,14 @@ class Metasploit3 < Msf::Auxiliary
 end
 def check
+ if check_cf
+ return Msf::Exploit::CheckCode::Vulnerable
+ end
+
+ Msf::Exploit::CheckCode::Safe
+ end
+
+ def check_cf
 vuln = false
 url = '/CFIDE/adminapi/customtags/l10n.cfm'
 res = send_request_cgi({
@@ -171,17 +178,11 @@ class Metasploit3 < Msf::Auxiliary
 return
 end
- if(not check)
+ if(not check_cf)
 print_status("#{peer} can't be exploited (either files missing or permissions block access)")
 return
 end
- if (datastore['CHECK'] )
- print_good("#{peer} is vulnerable and most likely exploitable") if check
- return
- end
-
-
 res = send_request_cgi({
 'method' => 'GET',
 'uri' => normalize_uri(target_uri.path, 'CFIDE', 'adminapi', 'customtags', 'l10n.cfm'),
diff --git a/modules/auxiliary/gather/vbulletin_vote_sqli.rb b/modules/auxiliary/gather/vbulletin_vote_sqli.rb
index 859283b1f8..346b202807 100644
--- a/modules/auxiliary/gather/vbulletin_vote_sqli.rb
+++ b/modules/auxiliary/gather/vbulletin_vote_sqli.rb
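Review bot: The new `check` maps a false `check_cf` straight to `CheckCode::Safe`, but the message printed on the same condition in `run` (later hunk: "either files missing or permissions block access") shows that a false result also covers the case where the probe was merely blocked, which is no evidence that the host is patched; `Msf::Exploit::CheckCode::Unknown` would be the honest value there unless `check_cf` can tell the two cases apart, which I cannot confirm because its body runs past the hunk. The wrapper itself reduces to one expression, `check_cf ? Msf::Exploit::CheckCode::Vulnerable : Msf::Exploit::CheckCode::Safe`. Since `check_cf` is now a separate helper, it should carry a one-line doc comment stating what a true result means, e.g. `# Probes /CFIDE/adminapi/customtags/l10n.cfm; true means the target looks exploitable (adjust to what the body actually tests)`.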
@@ -128,21 +128,21 @@ class Metasploit3 < Msf::Auxiliary
 end
 def check
- node_id = get_node
-
- unless node_id.nil?
- return Msf::Exploit::CheckCode::Vulnerable
- end
-
 res = send_request_cgi({
 'uri' => normalize_uri(target_uri.path, "index.php")
 })
 if res and res.code == 200 and res.body.to_s =~ /"simpleversion": "v=5/
- return Msf::Exploit::CheckCode::Detected
+ if get_node
+ # Multiple factors determine this LOOKS vulnerable
+ return Msf::Exploit::CheckCode::Appears
+ else
+ # Not enough information about the vuln state, but at least we know this is vbulletin
+ return Msf::Exploit::CheckCode::Detected
+ end
 end
- return Msf::Exploit::CheckCode::Unknown
+ Msf::Exploit::CheckCode::Safe
 end
 def run
diff --git a/modules/auxiliary/scanner/vmware/vmware_http_login.rb b/modules/auxiliary/scanner/vmware/vmware_http_login.rb
index 95776f3900..6bcdfb08ee 100644
--- a/modules/auxiliary/scanner/vmware/vmware_http_login.rb
+++ b/modules/auxiliary/scanner/vmware/vmware_http_login.rb
@@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
 def run_host(ip)
- return unless check
+ return unless is_vmware?
 each_user_pass { |user, pass|
 result = vim_do_login(user, pass)
 case result
@@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
 # Mostly taken from the Apache Tomcat service validator
- def check
+ def is_vmware?
 soap_data = %Q|
diff --git a/modules/auxiliary/spoof/dns/bailiwicked_domain.rb b/modules/auxiliary/spoof/dns/bailiwicked_domain.rb
index 62bc90f183..3b5f36b44b 100644
--- a/modules/auxiliary/spoof/dns/bailiwicked_domain.rb
+++ b/modules/auxiliary/spoof/dns/bailiwicked_domain.rb
@@ -58,7 +58,6 @@ class Metasploit3 < Msf::Auxiliary
 def auxiliary_commands
 return {
- "check" => "Determine if the specified DNS server (RHOST) is vulnerable",
 "racer" => "Determine the size of the window for the target server"
 }
 end
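Review bot: The fall-through `Msf::Exploit::CheckCode::Safe` at the end of the rewritten `check` is reached not only when index.php is served without the `"simpleversion": "v=5` marker but also when `res` is nil (no response at all) or the status is not 200, and neither of those says anything about the host being safe; the old code returned Unknown for all of them, so this is a loss of precision rather than an improvement. I would add `return Msf::Exploit::CheckCode::Unknown unless res and res.code == 200` before the marker test and keep Safe only for a 200 page that lacks the marker. The marker regex would also benefit from a short comment explaining why `v=5` is the discriminator, e.g. `# vBulletin 5.x embeds "simpleversion": "v=5..." in index.php`.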
@@ -75,14 +74,9 @@ class Metasploit3 < Msf::Auxiliary
 calculate_race(targ, dom)
 end
- def cmd_check(*args)
- targ = args[0] || rhost()
- if !(targ and targ.length > 0)
- print_status("usage: check [dns-server]")
- return
- end
+ def check
+ targ = rhost
- print_status("Using the Metasploit service to verify exploitability...")
 srv_sock = Rex::Socket.create_udp(
 'PeerHost' => targ,
 'PeerPort' => 53
@@ -111,7 +105,7 @@ class Metasploit3 < Msf::Auxiliary
 if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m)
 t_addr, t_port = $1.split(':')
- print_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}")
+ vprint_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}")
 t_port = t_port.to_i
 if(lport and lport != t_port)
 random = true
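Review bot: Dropping the `print_status("Using the Metasploit service to verify exploitability...")` line removes the only notice that this `check` depends on an outside party: the match on `red\.metasploit\.com` in the next hunk shows the probes are answered through a Metasploit-operated DNS name, so running `check` discloses the target resolver to that service, and with the no-reply path now on `vprint_error` (later hunk) an outage of that service is invisible without VERBOSE. I would keep the fact visible at least at verbose level, `vprint_status("Using the red.metasploit.com service to verify exploitability")`, and mention it in a comment at the top of `check`. The `targ = rhost` local is now a plain alias, so `rhost` can be passed to `create_udp` directly. The remainder of `check` continues past this hunk.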
@@ -132,24 +126,29 @@ class Metasploit3 < Msf::Auxiliary
 srv_sock.close
 if(ports.keys.length == 0)
- print_error("ERROR: This server is not replying to recursive requests")
- return
+ vprint_error("ERROR: This server is not replying to recursive requests")
+ return Exploit::CheckCode::Unknown
 end
 if(reps < 30)
- print_warning("WARNING: This server did not reply to all of our requests")
+ vprint_warning("WARNING: This server did not reply to all of our requests")
 end
 if(random)
 ports_u = ports.keys.length
 ports_r = ((ports.keys.length/30.0)*100).to_i
- print_status("PASS: This server does not use a static source port. Randomness: #{ports_u}/30 %#{ports_r}")
+ vprint_status("PASS: This server does not use a static source port. Randomness: #{ports_u}/30 %#{ports_r}")
 if(ports_r != 100)
- print_status("INFO: This server's source ports are not really random and may still be exploitable, but not by this tool.")
+ vprint_status("INFO: This server's source ports are not really random and may still be exploitable, but not by this tool.")
+ # Not exploitable by this tool, so we lower this to Appears on purpose to lower the user's confidence
+ return Exploit::CheckCode::Appears
 end
 else
- print_error("FAIL: This server uses a static source port and is vulnerable to poisoning")
+ vprint_error("FAIL: This server uses a static source port and is vulnerable to poisoning")
+ return Exploit::CheckCode::Vulnerable
 end
+
+ Exploit::CheckCode::Safe
 end
 def run
diff --git a/modules/auxiliary/spoof/dns/bailiwicked_host.rb b/modules/auxiliary/spoof/dns/bailiwicked_host.rb
index 6e584e4c4f..6ca8d1304d 100644
--- a/modules/auxiliary/spoof/dns/bailiwicked_host.rb
+++ b/modules/auxiliary/spoof/dns/bailiwicked_host.rb
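Review bot: `ports_r` is still computed against a fixed 30 (`ports.keys.length/30.0`) even though the `reps < 30` warning a few lines earlier acknowledges that fewer replies may have arrived, so a resolver that answered 20 probes with 20 distinct ports scores 66% and now lands in the new `return Exploit::CheckCode::Appears` branch although every observed port was unique. If `reps` is the number of replies, as that warning suggests, the ratio should be `ports_r = ((ports.keys.length / reps.to_f) * 100).to_i`, with `reps > 0` already guaranteed by the empty-`ports` return above. The `!= 100` trigger for Appears also fires on a single repeated port out of 30, which may be intended but deserves a comment saying so. The head of `check`, where `ports` and `reps` are populated, is outside the hunk.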
@@ -56,8 +56,7 @@ class Metasploit3 < Msf::Auxiliary
 def auxiliary_commands
 return {
- "check" => "Determine if the specified DNS server (RHOST) is vulnerable",
- "racer" => "Determine the size of the window for the target server",
+ "racer" => "Determine the size of the window for the target server"
 }
 end
@@ -73,14 +72,9 @@ class Metasploit3 < Msf::Auxiliary
 calculate_race(targ, dom)
 end
- def cmd_check(*args)
- targ = args[0] || rhost()
- if !(targ and targ.length > 0)
- print_status("usage: check [dns-server]")
- return
- end
+ def check
+ targ = rhost
- print_status("Using the Metasploit service to verify exploitability...")
 srv_sock = Rex::Socket.create_udp(
 'PeerHost' => targ,
 'PeerPort' => 53
@@ -109,7 +103,7 @@ class Metasploit3 < Msf::Auxiliary
 if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m)
 t_addr, t_port = $1.split(':')
- print_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}")
+ vprint_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}")
 t_port = t_port.to_i
 if(lport and lport != t_port)
 random = true
@@ -130,12 +124,12 @@ class Metasploit3 < Msf::Auxiliary
 srv_sock.close
 if(ports.keys.length == 0)
- print_error("ERROR: This server is not replying to recursive requests")
- return
+ vprint_error("ERROR: This server is not replying to recursive requests")
+ return Exploit::CheckCode::Unknown
 end
 if(reps < 30)
- print_warning("WARNING: This server did not reply to all of our requests")
+ vprint_warning("WARNING: This server did not reply to all of our requests")
 end
 if(random)
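Review bot: After the `reps < 30` warning the method proceeds to a verdict on whatever sample it received, so two or three replies can still yield a confident Vulnerable or Safe further down; since the no-reply case now returns `Exploit::CheckCode::Unknown`, a too-small sample should arguably do the same, e.g. `return Exploit::CheckCode::Unknown if reps < 10` placed right after the warning (threshold to be agreed). The literal 30 appears in this condition, in the ratio and in the PASS message of the next hunk, so a named constant such as `PROBES = 30` at class level would keep them in step. `ports.keys.length == 0` is also just `ports.empty?`. The beginning of `check`, where `ports` and `reps` are filled, is outside this hunk.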
@@ -143,11 +137,16 @@ class Metasploit3 < Msf::Auxiliary
 ports_r = ((ports.keys.length/30.0)*100).to_i
 print_status("PASS: This server does not use a static source port. Randomness: #{ports_u}/30 %#{ports_r}")
 if(ports_r != 100)
- print_status("INFO: This server's source ports are not really random and may still be exploitable, but not by this tool.")
+ vprint_status("INFO: This server's source ports are not really random and may still be exploitable, but not by this tool.")
+ # Not exploitable by this tool, so we lower this to Appears on purpose to lower the user's confidence
+ return Exploit::CheckCode::Appears
 end
 else
- print_error("FAIL: This server uses a static source port and is vulnerable to poisoning")
+ vprint_error("FAIL: This server uses a static source port and is vulnerable to poisoning")
+ return Exploit::CheckCode::Vulnerable
 end
+
+ Exploit::CheckCode::Safe
 end
 def run
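Review bot: The PASS line in this hunk is still `print_status` while every other message in the rewritten `check`, and the same line in bailiwicked_domain.rb in this commit, was switched to `vprint_status`, so a non-verbose `check` prints exactly one stray diagnostic; change it to `vprint_status("PASS: This server does not use a static source port. Randomness: #{ports_u}/30 %#{ports_r}")` for consistency. The ratio feeding that message, `ports_r = ((ports.keys.length/30.0)*100).to_i`, divides by the fixed probe count rather than by the replies actually received, so a partial sample with all-distinct ports is under-reported and falls into the new Appears branch; if `reps` counts replies, as the warning in the previous hunk suggests, use `reps.to_f` as the denominator. The head of `check` lies outside this hunk.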