113 lines
3.7 KiB
Plaintext
113 lines
3.7 KiB
Plaintext
<ruby>
|
|
|
|
#
|
|
# This resource script will check for vulnerabilities related to
|
|
# programs and services used by developers, including the following:
|
|
#
|
|
# * NodeJS debug (multi/misc/nodejs_v8_debugger)
|
|
# * distcc (unix/misc/distcc_exe)
|
|
# * Jenkins (linux/misc/jenkins_java_deserialize)
|
|
# * GitHub Enterprise (linux/http/github_enterprise_secret)
|
|
#
|
|
# It is worth noting that ONLY CHECKS are performed, no active exploiting.
|
|
# This makes it safe to run in many environments.
|
|
#
|
|
# Authors:
|
|
# * pbarry-r7
|
|
# * dmohanty-r7
|
|
#
|
|
|
|
@job_ids = []
|
|
|
|
def wait_until_jobs_done
|
|
loop do
|
|
@job_ids.each do |job_id|
|
|
current_job_ids = framework.jobs.keys.map { |e| e.to_i }
|
|
sleep 1 if current_job_ids.include?(job_id)
|
|
end
|
|
|
|
return
|
|
end
|
|
end
|
|
|
|
def run_scanner(host:, mod_name:)
|
|
begin
|
|
mod = framework.auxiliary.create(mod_name)
|
|
mod.datastore['RHOSTS'] = host.address
|
|
print_line("Running the #{mod.name}...")
|
|
result = mod.run_simple({'RunAsJob': true, 'LocalOutput': self.output})
|
|
rescue ::Exception => e
|
|
print_error(e.message)
|
|
end
|
|
end
|
|
|
|
def check_exploit(host:, mod_name:, vuln_check_ret_val:)
|
|
begin
|
|
mod = framework.exploits.create(mod_name)
|
|
mod.datastore['RHOST'] = host.address
|
|
print_line("Looking for #{mod.name}...")
|
|
result = mod.check_simple({'RunAsJob': true, 'LocalOutput': self.output})
|
|
@job_ids << mod.job_id if mod.job_id
|
|
if vuln_check_ret_val.index(result)
|
|
print_line("HOST #{host.address} APPEARS VULNERABLE TO #{mod.name}")
|
|
framework.db.report_vuln(
|
|
workspace: mod.workspace,
|
|
host: mod.rhost,
|
|
name: mod.name,
|
|
info: "This was flagged as likely vulnerable by the explicit check of #{mod.fullname}.",
|
|
refs: mod.references
|
|
)
|
|
end
|
|
rescue ::Exception => e
|
|
print_error(e.message)
|
|
end
|
|
end
|
|
|
|
def setup
|
|
# Test and see if we have a database connected
|
|
if not (framework.db and framework.db.active)
|
|
print_error("Database connection isn't established")
|
|
return false
|
|
end
|
|
|
|
run_single("setg verbose true")
|
|
|
|
true
|
|
end
|
|
|
|
def main
|
|
framework.db.workspace.hosts.each do |host|
|
|
print_line("Checking IP: #{host.address}, OS: #{host.os_name}...")
|
|
|
|
# Modules
|
|
{ 'multi/misc/nodejs_v8_debugger': [ Exploit::CheckCode::Appears ],
|
|
'unix/misc/distcc_exec': [ Exploit::CheckCode::Vulnerable ],
|
|
'unix/misc/qnx_qconn_exec': [ Exploit::CheckCode::Vulnerable ],
|
|
'linux/misc/jenkins_java_deserialize': [ Exploit::CheckCode::Vulnerable ],
|
|
'linux/http/github_enterprise_secret': [ Exploit::CheckCode::Vulnerable ],
|
|
'multi/http/traq_plugin_exec': [ Exploit::CheckCode::Appears ],
|
|
'multi/http/builderengine_upload_exec': [ Exploit::CheckCode::Appears ],
|
|
'multi/http/mantisbt_php_exec': [ Exploit::CheckCode::Appears ],
|
|
'multi/http/vbulletin_unserialize': [ Exploit::CheckCode::Appears ],
|
|
'unix/webapp/vbulletin_vote_sqli_exec': [ Exploit::CheckCode::Appears ],
|
|
'multi/misc/java_jmx_server': [ Exploit::CheckCode::Appears,
|
|
Exploit::CheckCode::Detected ] }.each do |mod,ret_val|
|
|
check_exploit(host: host,
|
|
mod_name: mod.to_s,
|
|
vuln_check_ret_val: ret_val)
|
|
end
|
|
|
|
# Scanners
|
|
[ 'scanner/misc/java_rmi_server' ].each do |mod|
|
|
run_scanner(host: host, mod_name: mod.to_s)
|
|
end
|
|
end
|
|
|
|
wait_until_jobs_done
|
|
end
|
|
|
|
abort("Error during setup, exiting.") unless setup
|
|
main
|
|
|
|
</ruby>
|