Land #2896, @wchen-r7's check's normalization for auxiliary modules

bug/bundler_fix
jvazquez-r7 2014-01-24 08:53:53 -06:00
commit fdaa172cc5
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
8 changed files with 66 additions and 62 deletions


@ -52,12 +52,12 @@ class Metasploit3 < Msf::Auxiliary
}) })
if (res and (m = res.headers['Server'].match(/Boa\/(.*)/))) if (res and (m = res.headers['Server'].match(/Boa\/(.*)/)))
print_status("#{peer} - Boa Version Detected: #{m[1]}") vprint_status("#{peer} - Boa Version Detected: #{m[1]}")
return Exploit::CheckCode::Safe if (m[1][0].ord-48>0) # boa server wrong version return Exploit::CheckCode::Safe if (m[1][0].ord-48>0) # boa server wrong version
return Exploit::CheckCode::Safe if (m[1][3].ord-48>4) return Exploit::CheckCode::Safe if (m[1][3].ord-48>4)
return Exploit::CheckCode::Vulnerable return Exploit::CheckCode::Vulnerable
else else
print_status("#{peer} - Not a Boa Server!") vprint_status("#{peer} - Not a Boa Server!")
return Exploit::CheckCode::Safe # not a boa server return Exploit::CheckCode::Safe # not a boa server
end end
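Review bot: The condition on the first `if` line still calls `.match` on `res.headers['Server']` without checking that the header exists, so a response with no Server header raises NoMethodError on nil instead of producing a verdict, and the `m[1][3]` comparison a few lines later does the same when the captured version string is shorter than four characters. Tighten the guard to `if res && res.headers['Server'] && (m = res.headers['Server'].match(/Boa\/(.*)/))` and protect the second comparison with `return Exploit::CheckCode::Unknown if m[1].length < 4`. The switch to vprint_status is consistent with the other modules in this commit. The enclosing `check` begins before this hunk.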


@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
[ [
Opt::RPORT(21), Opt::RPORT(21),
OptString.new('FTPUSER', [true, "The backdoor account to use for login", 'ftpuser']), OptString.new('FTPUSER', [true, "The backdoor account to use for login", 'ftpuser']),
OptString.new('FTPPASS', [true, "The backdoor password to use for login", 'password']), OptString.new('FTPPASS', [true, "The backdoor password to use for login", 'password'])
], self.class) ], self.class)
register_advanced_options( register_advanced_options(
@ -59,7 +59,6 @@ class Metasploit3 < Msf::Auxiliary
# device, then we're going to end up storing HTTP credentials that are not # device, then we're going to end up storing HTTP credentials that are not
# correct. If there's a way to fingerprint the device, it should be done here. # correct. If there's a way to fingerprint the device, it should be done here.
def check def check
return true unless datastore['RUN_CHECK']
is_modicon = false is_modicon = false
vprint_status "#{ip}:#{rport} - FTP - Checking fingerprint" vprint_status "#{ip}:#{rport} - FTP - Checking fingerprint"
connect rescue nil connect rescue nil
@ -68,22 +67,26 @@ class Metasploit3 < Msf::Auxiliary
is_modicon = check_banner() is_modicon = check_banner()
disconnect disconnect
else else
print_error "#{ip}:#{rport} - FTP - Cannot connect, skipping" vprint_error "#{ip}:#{rport} - FTP - Cannot connect, skipping"
return false return Exploit::CheckCode::Unknown
end end
if is_modicon if is_modicon
print_status "#{ip}:#{rport} - FTP - Matches Modicon fingerprint" vprint_status "#{ip}:#{rport} - FTP - Matches Modicon fingerprint"
return Exploit::CheckCode::Detected
else else
print_error "#{ip}:#{rport} - FTP - Skipping due to fingerprint mismatch" vprint_error "#{ip}:#{rport} - FTP - Skipping due to fingerprint mismatch"
end end
return is_modicon
return Exploit::CheckCode::Safe
end end
def run def run
if check() if datastore['RUN_CHECK'] and check == Exploit::CheckCode::Detected
if setup_ftp_connection() print_status("Service detected.")
grab() grab() if setup_ftp_connection()
end else
grab() if setup_ftp_connection()
end end
end end
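Review bot: The new `run` ignores a negative fingerprint: when RUN_CHECK is set and `check` returns Safe or Unknown, control falls into the `else` branch and `grab()` runs anyway, whereas the old `if check()` skipped the target on a mismatch, so the "Skipping due to fingerprint mismatch" message in `check` is no longer true. Replace the if/else with `return if datastore['RUN_CHECK'] && check != Exploit::CheckCode::Detected`, then `print_status("Service detected.") if datastore['RUN_CHECK']`, then `grab() if setup_ftp_connection()`. Separately, `connect rescue nil` on the unchanged line hides every error class, not just connection refusals; a `rescue ::Rex::ConnectionError` around the connect would keep the Unknown verdict honest.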


@ -47,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
def check def check
# http://blog.nodejs.org/2013/08/21/node-v0-10-17-stable/ # http://blog.nodejs.org/2013/08/21/node-v0-10-17-stable/
# check if we are < 0.10.17 by seeing if a malformed HTTP request is accepted # check if we are < 0.10.17 by seeing if a malformed HTTP request is accepted
status = Exploit::CheckCode::Unknown status = Exploit::CheckCode::Safe
connect connect
sock.put(http_request("GEM")) sock.put(http_request("GEM"))
begin begin
@ -56,6 +56,8 @@ class Metasploit3 < Msf::Auxiliary
rescue EOFError rescue EOFError
# checking against >= 0.10.17 raises EOFError because there is no # checking against >= 0.10.17 raises EOFError because there is no
# response to GEM requests # response to GEM requests
vprint_error("Failed to determine the vulnerable state due to an EOFError (no response)")
return Msf::Exploit::CheckCode::Unknown
ensure ensure
disconnect disconnect
end end
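Review bot: The new `return Msf::Exploit::CheckCode::Unknown` in the `rescue EOFError` branch contradicts the comment directly above it, which says an EOF is exactly what a patched (>= 0.10.17) server produces; if that comment is right, the EOF path is evidence for Safe and the verdict should say so, and if it is not, the comment should be rewritten rather than left to mislead the next reader. Either change the return to `return Msf::Exploit::CheckCode::Safe` or reword the comment to state why EOF is treated as inconclusive. Also, `connect` and `sock.put(...)` sit outside the `begin` block, so the `ensure disconnect` does not cover a failure in `sock.put`; moving those two lines inside the `begin` would close the socket on every path. The method's final `end` is outside this hunk.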


@ -43,7 +43,6 @@ class Metasploit3 < Msf::Auxiliary
register_options( register_options(
[ [
Opt::RPORT(80), Opt::RPORT(80),
OptBool.new('CHECK', [false, 'Only check for vulnerability', false]),
OptString.new("TARGETURI", [true, 'Base path to ColdFusion', '/']) OptString.new("TARGETURI", [true, 'Base path to ColdFusion', '/'])
], self.class) ], self.class)
end end
@ -116,6 +115,14 @@ class Metasploit3 < Msf::Auxiliary
end end
def check def check
if check_cf
return Msf::Exploit::CheckCode::Vulnerable
end
Msf::Exploit::CheckCode::Safe
end
def check_cf
vuln = false vuln = false
url = '/CFIDE/adminapi/customtags/l10n.cfm' url = '/CFIDE/adminapi/customtags/l10n.cfm'
res = send_request_cgi({ res = send_request_cgi({
@ -171,17 +178,11 @@ class Metasploit3 < Msf::Auxiliary
return return
end end
if(not check) if(not check_cf)
print_status("#{peer} can't be exploited (either files missing or permissions block access)") print_status("#{peer} can't be exploited (either files missing or permissions block access)")
return return
end end
if (datastore['CHECK'] )
print_good("#{peer} is vulnerable and most likely exploitable") if check
return
end
res = send_request_cgi({ res = send_request_cgi({
'method' => 'GET', 'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'CFIDE', 'adminapi', 'customtags', 'l10n.cfm'), 'uri' => normalize_uri(target_uri.path, 'CFIDE', 'adminapi', 'customtags', 'l10n.cfm'),
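Review bot: The new `check` promotes a true result from `check_cf` straight to Vulnerable, but nothing in the hunk documents what `check_cf` establishes beyond the `vuln` flag it initialises, and the message in `run` ("either files missing or permissions block access") suggests it tests reachability of `l10n.cfm` rather than exploitability, so Appears may be the honest verdict; please confirm and add a comment above `def check_cf` stating what a true return proves. Stylistically, the wrapper reads better as `check_cf ? Msf::Exploit::CheckCode::Vulnerable : Msf::Exploit::CheckCode::Safe`, and `if(not check_cf)` in `run` should be `unless check_cf`. The body of `check_cf` continues past this hunk.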


@ -128,21 +128,21 @@ class Metasploit3 < Msf::Auxiliary
end end
def check def check
node_id = get_node
unless node_id.nil?
return Msf::Exploit::CheckCode::Vulnerable
end
res = send_request_cgi({ res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "index.php") 'uri' => normalize_uri(target_uri.path, "index.php")
}) })
if res and res.code == 200 and res.body.to_s =~ /"simpleversion": "v=5/ if res and res.code == 200 and res.body.to_s =~ /"simpleversion": "v=5/
return Msf::Exploit::CheckCode::Detected if get_node
# Multiple factors determine this LOOKS vulnerable
return Msf::Exploit::CheckCode::Appears
else
# Not enough information about the vuln state, but at least we know this is vbulletin
return Msf::Exploit::CheckCode::Detected
end
end end
return Msf::Exploit::CheckCode::Unknown Msf::Exploit::CheckCode::Safe
end end
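Review bot: The confidence ordering in the new `check` looks inverted: the old code returned Vulnerable whenever `get_node` yielded a node id, yet the new line `return Msf::Exploit::CheckCode::Detected if get_node` now gives a successful `get_node` a weaker verdict than the `Appears` returned when it fails. If `get_node` still only succeeds when the injection works, that line should return Vulnerable. The `else` branch also returns Detected for any response that is not a vBulletin 5 front page, including `res` being nil, although its comment claims "we know this is vbulletin"; no response should be Unknown and a non-matching page Safe, which also makes the trailing `Msf::Exploit::CheckCode::Safe` reachable instead of dead code. A reordering with guard clauses is below.
```ruby
def check
  # … unchanged: send_request_cgi for index.php …
  # No response at all: nothing can be said about the target
  return Msf::Exploit::CheckCode::Unknown unless res
  # Anything that is not a vBulletin 5 front page is out of scope
  return Msf::Exploit::CheckCode::Safe unless res.code == 200 && res.body.to_s =~ /"simpleversion": "v=5/
  # get_node only yields a node id when the injection works (confirm), so this is the strongest verdict
  return Msf::Exploit::CheckCode::Vulnerable if get_node
  # Version matched but the injection did not; looks vulnerable at best
  Msf::Exploit::CheckCode::Appears
end
```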
def run def run


@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip) def run_host(ip)
return unless check return unless is_vmware?
each_user_pass { |user, pass| each_user_pass { |user, pass|
result = vim_do_login(user, pass) result = vim_do_login(user, pass)
case result case result
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
# Mostly taken from the Apache Tomcat service validator # Mostly taken from the Apache Tomcat service validator
def check def is_vmware?
soap_data = soap_data =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> %Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body> <env:Body>
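Review bot: The renamed predicate `is_vmware?` carries an `is_` prefix on a `?` method, which the Ruby style this tree otherwise follows reserves for the bare form; `vmware?` at `def is_vmware?` and `return unless vmware?` in `run_host` reads better and matches the convention. The rename itself is correct given that `check` is now reserved for the CheckCode contract. The body of `is_vmware?` continues past this hunk.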


@ -58,7 +58,6 @@ class Metasploit3 < Msf::Auxiliary
def auxiliary_commands def auxiliary_commands
return { return {
"check" => "Determine if the specified DNS server (RHOST) is vulnerable",
"racer" => "Determine the size of the window for the target server" "racer" => "Determine the size of the window for the target server"
} }
end end
@ -75,14 +74,9 @@ class Metasploit3 < Msf::Auxiliary
calculate_race(targ, dom) calculate_race(targ, dom)
end end
def cmd_check(*args) def check
targ = args[0] || rhost() targ = rhost
if !(targ and targ.length > 0)
print_status("usage: check [dns-server]")
return
end
print_status("Using the Metasploit service to verify exploitability...")
srv_sock = Rex::Socket.create_udp( srv_sock = Rex::Socket.create_udp(
'PeerHost' => targ, 'PeerHost' => targ,
'PeerPort' => 53 'PeerPort' => 53
@ -111,7 +105,7 @@ class Metasploit3 < Msf::Auxiliary
if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m) if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m)
t_addr, t_port = $1.split(':') t_addr, t_port = $1.split(':')
print_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}") vprint_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}")
t_port = t_port.to_i t_port = t_port.to_i
if(lport and lport != t_port) if(lport and lport != t_port)
random = true random = true
@ -132,24 +126,29 @@ class Metasploit3 < Msf::Auxiliary
srv_sock.close srv_sock.close
if(ports.keys.length == 0) if(ports.keys.length == 0)
print_error("ERROR: This server is not replying to recursive requests") vprint_error("ERROR: This server is not replying to recursive requests")
return return Exploit::CheckCode::Unknown
end end
if(reps < 30) if(reps < 30)
print_warning("WARNING: This server did not reply to all of our requests") vprint_warning("WARNING: This server did not reply to all of our requests")
end end
if(random) if(random)
ports_u = ports.keys.length ports_u = ports.keys.length
ports_r = ((ports.keys.length/30.0)*100).to_i ports_r = ((ports.keys.length/30.0)*100).to_i
print_status("PASS: This server does not use a static source port. Randomness: #{ports_u}/30 %#{ports_r}") vprint_status("PASS: This server does not use a static source port. Randomness: #{ports_u}/30 %#{ports_r}")
if(ports_r != 100) if(ports_r != 100)
print_status("INFO: This server's source ports are not really random and may still be exploitable, but not by this tool.") vprint_status("INFO: This server's source ports are not really random and may still be exploitable, but not by this tool.")
# Not exploitable by this tool, so we lower this to Appears on purpose to lower the user's confidence
return Exploit::CheckCode::Appears
end end
else else
print_error("FAIL: This server uses a static source port and is vulnerable to poisoning") vprint_error("FAIL: This server uses a static source port and is vulnerable to poisoning")
return Exploit::CheckCode::Vulnerable
end end
Exploit::CheckCode::Safe
end end
def run def run
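Review bot: The "PASS: This server does not use a static source port" line is switched to `vprint_status` here but the same line in the sibling DNS module later in this commit keeps `print_status`, so the two otherwise identical `check` methods now differ in verbosity for no stated reason; pick one and apply it to both. `srv_sock.close` is called inline rather than in an `ensure`, so if the probe loop between the hunks raises (the body is not visible here), the UDP socket leaks; wrapping the probe in `begin ... ensure srv_sock.close end` would fix that in both modules. Finally, `targ = rhost` silently drops the old ability to name a different server; if that is intended, a comment such as `# check always targets RHOST; use "racer" for ad-hoc servers` would save the next reader a search. The same points apply to the second DNS module's hunks.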


@ -56,8 +56,7 @@ class Metasploit3 < Msf::Auxiliary
def auxiliary_commands def auxiliary_commands
return { return {
"check" => "Determine if the specified DNS server (RHOST) is vulnerable", "racer" => "Determine the size of the window for the target server"
"racer" => "Determine the size of the window for the target server",
} }
end end
@ -73,14 +72,9 @@ class Metasploit3 < Msf::Auxiliary
calculate_race(targ, dom) calculate_race(targ, dom)
end end
def cmd_check(*args) def check
targ = args[0] || rhost() targ = rhost
if !(targ and targ.length > 0)
print_status("usage: check [dns-server]")
return
end
print_status("Using the Metasploit service to verify exploitability...")
srv_sock = Rex::Socket.create_udp( srv_sock = Rex::Socket.create_udp(
'PeerHost' => targ, 'PeerHost' => targ,
'PeerPort' => 53 'PeerPort' => 53
@ -109,7 +103,7 @@ class Metasploit3 < Msf::Auxiliary
if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m) if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m)
t_addr, t_port = $1.split(':') t_addr, t_port = $1.split(':')
print_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}") vprint_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}")
t_port = t_port.to_i t_port = t_port.to_i
if(lport and lport != t_port) if(lport and lport != t_port)
random = true random = true
@ -130,12 +124,12 @@ class Metasploit3 < Msf::Auxiliary
srv_sock.close srv_sock.close
if(ports.keys.length == 0) if(ports.keys.length == 0)
print_error("ERROR: This server is not replying to recursive requests") vprint_error("ERROR: This server is not replying to recursive requests")
return return Exploit::CheckCode::Unknown
end end
if(reps < 30) if(reps < 30)
print_warning("WARNING: This server did not reply to all of our requests") vprint_warning("WARNING: This server did not reply to all of our requests")
end end
if(random) if(random)
@ -143,11 +137,16 @@ class Metasploit3 < Msf::Auxiliary
ports_r = ((ports.keys.length/30.0)*100).to_i ports_r = ((ports.keys.length/30.0)*100).to_i
print_status("PASS: This server does not use a static source port. Randomness: #{ports_u}/30 %#{ports_r}") print_status("PASS: This server does not use a static source port. Randomness: #{ports_u}/30 %#{ports_r}")
if(ports_r != 100) if(ports_r != 100)
print_status("INFO: This server's source ports are not really random and may still be exploitable, but not by this tool.") vprint_status("INFO: This server's source ports are not really random and may still be exploitable, but not by this tool.")
# Not exploitable by this tool, so we lower this to Appears on purpose to lower the user's confidence
return Exploit::CheckCode::Appears
end end
else else
print_error("FAIL: This server uses a static source port and is vulnerable to poisoning") vprint_error("FAIL: This server uses a static source port and is vulnerable to poisoning")
return Exploit::CheckCode::Vulnerable
end end
Exploit::CheckCode::Safe
end end
def run def run