require 'msf/core'
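module Msf

###
#
# This module exposes methods for querying a remote DB2 service
#
###
module Exploit::Remote::DB2

  include Exploit::Remote::Tcp

  #
  # Creates an instance of a DB2 exploit module.
  #
  # Registers RHOST, RPORT (default 50000), USERNAME, PASSWORD and
  # DATABASE. Only DATABASE is marked as required; USERNAME and
  # PASSWORD are optional and default to 'db2inst1' and the empty string.
  #
  def initialize(info = {})
    super

    # Register the options that all DB2 modules may make use of.
    register_options(
      [
        Opt::RHOST,
        Opt::RPORT(50000),
        OptString.new('USERNAME', [ false, 'The username to authenticate as', 'db2inst1']),
        OptString.new('PASSWORD', [ false, 'The password for the specified username', '']),
        OptString.new('DATABASE', [ true, 'The name of the target database', 'toolsdb'])
      ], Msf::Exploit::Remote::DB2)
  end

  #
  # This method sends a TCP query packet to the server, using
  # datastore options and parses out the reply packet
  # into a hash
  #
  # Any existing socket is closed first, so every probe runs on a fresh
  # connection. The socket is left open on return; db2_check_login relies
  # on that to send its login packet on the same connection.
  #
  # timeout:: seconds to wait for the server's reply (default 5).
  #
  # Returns the hash built by Rex::Proto::DRDA::Utils.server_packet_info,
  # or an empty hash when the server sends nothing back.
  #
  def db2_probe(timeout=5)
    disconnect if self.sock
    connect

    probe_packet = Rex::Proto::DRDA::Utils.client_probe(datastore['DATABASE'])
    sock.put probe_packet

    # Honour the caller's timeout; previously the argument was accepted
    # but never passed on, so the socket's default read timeout applied.
    resp = sock.get_once(-1, timeout)

    return {} if resp.nil? || resp.empty?

    # NOTE(review): the reply comes from the remote service and parse
    # errors are not rescued here -- confirm callers handle a malformed
    # packet.
    pkt = Rex::Proto::DRDA::SERVER_PACKET.new.read(resp)
    Rex::Proto::DRDA::Utils.server_packet_info(pkt)
  end

  #
  # Probes the server and, only if the probe result has :plaintext_auth
  # set, sends a login packet built from the DATABASE, USERNAME and
  # PASSWORD datastore options.
  #
  # NOTE(review): the login is gated on :plaintext_auth, so the
  # credentials presumably cross the wire unencrypted -- confirm against
  # Rex::Proto::DRDA::Utils.client_auth before using real credentials on
  # an untrusted network path.
  #
  # timeout:: seconds to wait for each server reply (default 5).
  #
  # Returns:
  # * the unmodified probe hash when :plaintext_auth is not set (no login
  #   is attempted, so the hash says nothing about the credentials);
  # * an empty hash when the server does not answer the login packet;
  # * otherwise the hash parsed from the server's login reply.
  #
  # The socket is left open on return; the caller is expected to
  # disconnect.
  #
  def db2_check_login(timeout=5)
    probe_data = db2_probe(timeout)
    return probe_data unless probe_data[:plaintext_auth]

    login_packet = Rex::Proto::DRDA::Utils.client_auth(
      :dbname => datastore['DATABASE'],
      :dbuser => datastore['USERNAME'],
      :dbpass => datastore['PASSWORD']
    )
    sock.put login_packet

    # Same timeout handling as db2_probe.
    resp = sock.get_once(-1, timeout)

    return {} if resp.nil? || resp.empty?

    pkt = Rex::Proto::DRDA::SERVER_PACKET.new.read(resp)
    Rex::Proto::DRDA::Utils.server_packet_info(pkt)
  end

end

end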