show client side exploits found in a report

commit c12f228e098143480e587f3d4d5d790eb4dffe22 1 parent 2e60173
@darkoperator authored
Showing with 122 additions and 3 deletions.
  1. +122 −3 auto_exploit.rb
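--- a/auto_exploit.rb
+++ b/auto_exploit.rb
@@ -34,11 +34,12 @@ def name
 # Define Commands
 def commands
 {
- "vuln_exploit" => "Runs exploits based on data imported from vuln scanners."
+ "vuln_exploit" => "Runs exploits based on data imported from vuln scanners.",
+ "show_client_side" => "Show matched client side exploits from data imported from vuln scanners."
 }
 end
- # Multi shell command
+ # vuln exploit command
 def cmd_vuln_exploit(*args)
 require 'timeout'
@@ -89,9 +90,16 @@ def cmd_vuln_exploit(*args)
 when "-h"
 print_line(opts.usage)
 return
+
 end
 end
+ # Make sure that there are vulnerabilities in the table before doing anything else
+ if framework.db.workspace.vulns.length == 0
+ print_error("No vulnerabilities are present in the database.")
+ return
+ end
+
 # generate a list of IP's to not exploit
 range.each do |r|
 Rex::Socket::RangeWalker.new(r).each do |i|
@@ -217,7 +225,119 @@ def cmd_vuln_exploit(*args)
 return
 end
 end
+ # Show client side exploits
+ def cmd_show_client_side(*args)
+
+ # Define options
+ opts = Rex::Parser::Arguments.new(
+ "-r" => [ true, "Minimum Rank for exploits (low, average,normal,good,great and excellent) good is the default."],
+ "-h" => [ false, "Command Help"]
+ )
+ # set variables for options
+ os_type = ""
+ filter = []
+ matched_exploits = []
+ min_rank = 100
+ ranks ={
+ "low" => 100,
+ "average" => 200,
+ "normal" => 300 ,
+ "good"=>400,
+ "great"=>500,
+ "excellent" => 600
+ }
+ # Parse options
+ opts.parse(args) do |opt, idx, val|
+ case opt
+ when "-r"
+ if ranks.include?(val)
+ min_rank = ranks[val]
+ else
+ print_error("Value of #{val} not in list using default of good.")
+ end
+
+ when "-h"
+ print_line(opts.usage)
+ return
+ end
+ end
+
+ exploits =[]
+
+ # Make sure that there are vulnerabilities in the table before doing anything else
+ if framework.db.workspace.vulns.length == 0
+ print_error("No vulnerabilities are present in the database.")
+ return
+ end
+
+ print_status("Generating List for Matching...")
+ framework.exploits.each_module do |n,e|
+ exploit = {}
+ x=e.new
+ if x.datastore.include?('LPORT')
+ exploit = {
+ :exploit => x.fullname,
+ :port => x.datastore['RPORT'],
+ :platforms => x.platform.names.join(" "),
+ :date => x.disclosure_date,
+ :references => x.references,
+ :rank => x.rank
+ }
+ exploits << exploit
+ end
+ end
+
+ print_status("Matching Exploits (This will take a while depending on number of hosts)...")
+ framework.db.workspace.hosts.each do |h|
+ # Check that host has vulnerabilities associated in the DB
+ if h.vulns.length > 0
+ os_type = normalise_os(h.os_name)
+ #payload = chose_pay(h.os_name)
+ exploits.each do |e|
+ found = false
+
+ next if not e[:rank] >= min_rank
+ if e[:platforms].downcase =~ /#{os_type}/
+ # lets get the proper references
+ e_refs = parse_references(e[:references])
+ h.vulns.each do |v|
+ v.refs.each do |f|
+ # Filter out Nessus notes
+ next if f.name =~ /^NSS|^CWE/
+ if e_refs.include?(f.name) and not found
+ # Save exploits in manner easy to retrieve later
+ exploit = {
+ :exploit => e[:exploit],
+ :port => e[:port],
+ :target => h.address,
+ :rank => e[:rank]
+ }
+ matched_exploits << exploit
+ found = true
+ end
+ end
+ end
+ end
+ end
+ end
+
+ end
+
+
+
+ if matched_exploits.length > 0
+ # Sort by rank with highest ranked exploits first
+ matched_exploits.sort! { |x, y| y[:rank] <=> x[:rank] }
+
+ print_good("Matched Exploits:")
+ matched_exploits.each do |e|
+ print_good("\t#{e[:target]} #{e[:exploit]} #{e[:port]} #{e[:rank]}")
+ end
+ else
+ print_status("No Matching Client Side Exploits where found.")
+ end
+ end
 # Normalize the OS name since different scanner may have entered different values.
 def normalise_os(os_name)
 case os_name
@@ -238,7 +358,6 @@ def normalise_os(os_name)
 end
 return os
 end
-
 # Parse the exploit references and get a list of CVE, BID and OSVDB values that
 # we can match accurately.
 def parse_references(refs)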
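Review bot: In `cmd_show_client_side`, `if e[:platforms].downcase =~ /#{os_type}/` interpolates the normalised OS name straight into a regex; if `normalise_os` can return an empty string or pass an unrecognised scanner banner through unchanged (its body is only partly visible here), an empty pattern matches every exploit and metacharacters in a banner can raise `RegexpError` or mis-match, so `next if os_type.empty?` plus `e[:platforms].downcase.include?(os_type)` (or `Regexp.new(Regexp.escape(os_type))`) would make the match deterministic. The candidate filter `if x.datastore.include?('LPORT')` then stores `:port => x.datastore['RPORT']`, which looks like a mismatch between the key tested and the key recorded — confirm which option is meant to identify a client-side module. `next if not e[:rank] >= min_rank` reads more plainly as `next if e[:rank] < min_rank`, and the user-facing message should be `"No Matching Client Side Exploits were found."`. The database-empty guard added here repeats verbatim the one added to `cmd_vuln_exploit` in the earlier hunk; a small private helper such as `vulns_present?` would keep the two commands in step.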