metasploit-framework/modules/auxiliary/scanner/x11/open_x11.rb

75 lines
1.5 KiB
Ruby

##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'X11 No-Auth Scanner',
'Version' => '$Revision$',
'Description' => %q{
This module scans for X11 servers that allow anyone
to connect without authentication.
},
'Author' => ['tebo <tebodell[at]gmail.com>'],
'References' =>
[
['OSVDB', '309'],
['CVE', '1999-0526'],
],
'License' => MSF_LICENSE
)
register_options([
Opt::RPORT(6000)
],self.class)
end
def run_host(ip)
begin
connect
# X11.00 Null Auth Connect
sock.put("\x6c\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00")
response = sock.get_once
disconnect
if(response)
success = response[0,1].unpack('C')[0]
end
if(success == 1)
vendor_len = response[24,2].unpack('v')[0]
vendor = response[40,vendor_len].unpack('A*')[0]
print_status("#{ip} Open X Server (#{vendor})")
elsif (success == 0)
print_status("#{ip} Access Denied")
else
# X can return a reason for auth failure but we don't really care for this
end
rescue ::Rex::ConnectionError
rescue ::Errno::EPIPE
end
end
end