show client side exploits found in a report

darkoperator · Feb 2, 2012 · c12f228 · c12f228
1 parent 2e60173
commit c12f228
Showing 1 changed file with 122 additions and 3 deletions.
diff --git a/auto_exploit.rb b/auto_exploit.rb
@@ -34,11 +34,12 @@ def name
 			# Define Commands
 			def commands
 				{
-					"vuln_exploit" => "Runs exploits based on data imported from vuln scanners."
+					"vuln_exploit"    => "Runs exploits based on data imported from vuln scanners.",
+					"show_client_side" => "Show matched client side exploits from data imported from vuln scanners."
 				}
 			end
 
-			# Multi shell command
+			# vuln exploit command
 			def cmd_vuln_exploit(*args)
 				require 'timeout'
 
@@ -89,9 +90,16 @@ def cmd_vuln_exploit(*args)
 					when "-h"
 						print_line(opts.usage)
 						return
+
 					end
 				end
 
+				# Make sure that there are vulnerabilities in the table before doing anything else
+				if framework.db.workspace.vulns.length == 0
+					print_error("No vulnerabilities are present in the database.")
+					return
+				end
+
 				# generate a list of IP's to not exploit
 				range.each do |r|
 					Rex::Socket::RangeWalker.new(r).each do |i|
@@ -217,7 +225,119 @@ def cmd_vuln_exploit(*args)
 					return
 				end
 			end
+			# Show client side exploits
+			def cmd_show_client_side(*args)
+
+				# Define options
+				opts = Rex::Parser::Arguments.new(
+					"-r"   => [ true,   "Minimum Rank for exploits (low, average,normal,good,great and excellent) good is the default."],
+					"-h"   => [ false,  "Command Help"]
+				)
 
+				# set variables for options
+				os_type = ""
+				filter = []
+				matched_exploits = []
+				min_rank = 100
+				ranks ={
+					"low" => 100,
+					"average" => 200,
+					"normal" => 300 ,
+					"good"=>400,
+					"great"=>500,
+					"excellent" => 600
+				}
+				# Parse options
+				opts.parse(args) do |opt, idx, val|
+					case opt
+					when "-r"
+						if ranks.include?(val)
+							min_rank = ranks[val]
+						else
+							print_error("Value of #{val} not in list using default of good.")
+						end
+
+					when "-h"
+						print_line(opts.usage)
+						return
+					end
+				end
+
+				exploits =[]
+
+				# Make sure that there are vulnerabilities in the table before doing anything else
+				if framework.db.workspace.vulns.length == 0
+					print_error("No vulnerabilities are present in the database.")
+					return
+				end
+
+				print_status("Generating List for Matching...")
+				framework.exploits.each_module do |n,e|
+					exploit = {}
+					x=e.new
+					if x.datastore.include?('LPORT')
+						exploit = {
+							:exploit => x.fullname,
+							:port => x.datastore['RPORT'],
+							:platforms => x.platform.names.join(" "),
+							:date => x.disclosure_date,
+							:references => x.references,
+							:rank => x.rank
+						}
+						exploits << exploit
+					end
+				end
+
+				print_status("Matching Exploits (This will take a while depending on number of hosts)...")
+				framework.db.workspace.hosts.each do |h|
+					# Check that host has vulnerabilities associated in the DB
+					if h.vulns.length > 0
+						os_type = normalise_os(h.os_name)
+						#payload = chose_pay(h.os_name)
+						exploits.each do |e|
+							found = false
+
+							next if not e[:rank] >= min_rank
+							if e[:platforms].downcase =~ /#{os_type}/
+								# lets get the proper references
+								e_refs = parse_references(e[:references])
+								h.vulns.each do |v|
+									v.refs.each do |f|
+										# Filter out Nessus notes
+										next if f.name =~ /^NSS|^CWE/
+										if e_refs.include?(f.name) and not found
+											# Save exploits in manner easy to retrieve later
+											exploit = {
+												:exploit => e[:exploit],
+												:port => e[:port],
+												:target => h.address,
+												:rank => e[:rank]
+											}
+											matched_exploits << exploit
+											found = true
+										end
+									end
+								end
+							end
+						end
+					end
+
+				end
+
+
+
+				if matched_exploits.length > 0
+					# Sort by rank with highest ranked exploits first
+					matched_exploits.sort! { |x, y| y[:rank] <=> x[:rank] }
+
+					print_good("Matched Exploits:")
+					matched_exploits.each do |e|
+						print_good("\t#{e[:target]} #{e[:exploit]} #{e[:port]} #{e[:rank]}")
+					end
+				else
+					print_status("No Matching Client Side Exploits where found.")
+				end
+			end
 			# Normalize the OS name since different scanner may have entered different values.
 			def normalise_os(os_name)
 				case os_name
@@ -238,7 +358,6 @@ def normalise_os(os_name)
 				end
 				return os
 			end
-
 			# Parse the exploit references and get a list of CVE, BID and OSVDB values that
 			# we can match accurately.
 			def parse_references(refs)