Mirror of metasploit

dev_checks.rc 3.7KB

  1. <ruby>
  2. #
  3. # This resource script will check for vulnerabilities related to
  4. # programs and services used by developers, including the following:
  5. #
  6. # * NodeJS debug (multi/misc/nodejs_v8_debugger)
  7. # * distcc (unix/misc/distcc_exec)
  8. # * Jenkins (linux/misc/jenkins_java_deserialize)
  9. # * GitHub Enterprise (linux/http/github_enterprise_secret)
  10. #
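  11. # It is worth noting that ONLY CHECKS are performed, no active exploiting.
  12. # This makes it safe to run in many environments, but each check (and the scanner/misc/java_rmi_server scan) still probes every host in the current workspace.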
  13. #
  14. # Authors:
  15. # * pbarry-r7
  16. # * dmohanty-r7
  17. #
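  # Job ids of checks that were started as framework jobs. check_exploit
  # appends to this list and wait_until_jobs_done polls it.
  @job_ids = []

  # Blocks until none of the job ids recorded in @job_ids is still listed in
  # framework.jobs, polling once per second.
  #
  # The previous version returned unconditionally after a single pass over
  # @job_ids, so it slept at most one second per tracked job and could return
  # while those jobs were still running.
  #
  # NOTE(review): there is no upper bound on the wait; a job that never leaves
  # framework.jobs keeps this loop polling until the job is stopped.
  #
  # @return [nil]
  def wait_until_jobs_done
    loop do
      # Keys of framework.jobs are normalised with to_i so they compare equal
      # to the ids stored in @job_ids.
      running = framework.jobs.keys.map(&:to_i)
      break unless @job_ids.any? { |job_id| running.include?(job_id) }

      sleep 1
    end
  end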
  28. def run_scanner(host:, mod_name:)
  29. begin
  30. mod = framework.auxiliary.create(mod_name)
  31. mod.datastore['RHOSTS'] = host.address
  32. print_line("Running the #{mod.name}...")
  33. result = mod.run_simple({'RunAsJob': true, 'LocalOutput': self.output})
  34. rescue ::Exception => e
  35. print_error(e.message)
  36. end
  37. end
  38. def check_exploit(host:, mod_name:, vuln_check_ret_val:)
  39. begin
  40. mod = framework.exploits.create(mod_name)
  41. mod.datastore['RHOST'] = host.address
  42. print_line("Looking for #{mod.name}...")
  43. result = mod.check_simple({'RunAsJob': true, 'LocalOutput': self.output})
  44. @job_ids << mod.job_id if mod.job_id
  45. if vuln_check_ret_val.index(result)
  46. print_line("HOST #{host.address} APPEARS VULNERABLE TO #{mod.name}")
  47. framework.db.report_vuln(
  48. workspace: mod.workspace,
  49. host: mod.rhost,
  50. name: mod.name,
  51. info: "This was flagged as likely vulnerable by the explicit check of #{mod.fullname}.",
  52. refs: mod.references
  53. )
  54. end
  55. rescue ::Exception => e
  56. print_error(e.message)
  57. end
  58. end
  # Verifies the preconditions for the sweep and switches on verbose output.
  #
  # The hosts to check are read from the database workspace, so a missing or
  # inactive database connection is reported and treated as a setup failure.
  #
  # @return [Boolean] true when the database is usable, false otherwise
  def setup
    if framework.db && framework.db.active
      # setg sets the option globally, so it stays in effect after this
      # script has finished.
      run_single("setg verbose true")
      return true
    end

    print_error("Database connection isn't established")
    false
  end
  # Sweeps every host in the current database workspace: runs the check of
  # each listed exploit module, runs the listed auxiliary scanners, and then
  # waits on the jobs recorded by check_exploit.
  #
  # Each exploit module is paired with the check codes that are treated as a
  # finding for it; check_exploit records a vulnerability only for those codes.
  def main
    framework.db.workspace.hosts.each do |host|
      print_line("Checking IP: #{host.address}, OS: #{host.os_name}...")

      # Modules
      exploit_checks = {
        'multi/misc/nodejs_v8_debugger': [ Exploit::CheckCode::Appears ],
        'unix/misc/distcc_exec': [ Exploit::CheckCode::Vulnerable ],
        'unix/misc/qnx_qconn_exec': [ Exploit::CheckCode::Vulnerable ],
        'linux/misc/jenkins_java_deserialize': [ Exploit::CheckCode::Vulnerable ],
        'linux/http/github_enterprise_secret': [ Exploit::CheckCode::Vulnerable ],
        'multi/http/traq_plugin_exec': [ Exploit::CheckCode::Appears ],
        'multi/http/builderengine_upload_exec': [ Exploit::CheckCode::Appears ],
        'multi/http/mantisbt_php_exec': [ Exploit::CheckCode::Appears ],
        'multi/http/vbulletin_unserialize': [ Exploit::CheckCode::Appears ],
        'unix/webapp/vbulletin_vote_sqli_exec': [ Exploit::CheckCode::Appears ],
        'multi/misc/java_jmx_server': [ Exploit::CheckCode::Appears,
                                        Exploit::CheckCode::Detected ]
      }
      # The keys above are symbols (quoted-symbol syntax), hence the to_s.
      exploit_checks.each_pair do |mod_path, finding_codes|
        check_exploit(host: host,
                      mod_name: mod_path.to_s,
                      vuln_check_ret_val: finding_codes)
      end

      # Scanners
      scanner_paths = [ 'scanner/misc/java_rmi_server' ]
      scanner_paths.each do |mod_path|
        run_scanner(host: host, mod_name: mod_path.to_s)
      end
    end

    wait_until_jobs_done
  end
  # Entry point: run the sweep only when setup succeeded. Kernel#abort prints
  # the message and exits the process that is running this script.
  if setup
    main
  else
    abort("Error during setup, exiting.")
  end
  97. </ruby>