diff --git a/modules/auxiliary/scanner/smb/ms08_067_check.rb b/modules/auxiliary/scanner/smb/ms08_067_check.rb
deleted file mode 100644
index 34eb524d3a..0000000000
--- a/modules/auxiliary/scanner/smb/ms08_067_check.rb
+++ /dev/null
@@ -1,120 +0,0 @@
-##
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require "msf/core"
-require 'msf/core/module/deprecated'
-
-class Metasploit4 < Msf::Auxiliary
-
- include Msf::Exploit::Remote::DCERPC
- include Msf::Exploit::Remote::SMB
- include Msf::Auxiliary::Scanner
- include Msf::Auxiliary::Report
- include Msf::Module::Deprecated
- deprecated Date.new(2014, 2, 26), "exploit/windows/smb/ms08_067_netapi"
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => "MS08-067 Scanner",
- 'Description' => %q{
- This module uses the check in ms08_067_netapi to scan for MS08-067.
- },
- 'Author' => [
- "hdm", # with tons of input/help/testing from the community
- "Brett Moore ",
- "frank2 ", # check() detection
- "jduck", # XP SP2/SP3 AlwaysOn DEP bypass
- "sho-luv", # Original module
- "wvu" # Refactor and cleanup
- ],
- 'References' => [
- ["CVE", "2008-4250"],
- ["OSVDB", "49243"],
- ["MSB", "MS08-067"],
- # If this vulnerability is found, ms08-67 is exposed as well
- ["URL", "http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos"]
- ],
- 'License' => MSF_LICENSE
- ))
-
- register_options([
- OptString.new("SMBPIPE", [true, "The pipe name to use (BROWSER, SRVSVC)", "BROWSER"])
- ], self.class)
- end
-
- def run_host(ip)
- case check_vuln
- when Msf::Exploit::CheckCode::Vulnerable
- print_good("#{ip}:#{rport} - MS08-067 VULNERABLE")
- report_vuln({
- :host => ip,
- :name => "MS08-067",
- :info => "Vulnerability in Server service could allow remote code execution",
- :refs => self.references
- })
- when Msf::Exploit::CheckCode::Safe
- vprint_status("#{ip}:#{rport} - MS08-067 SAFE")
- when Msf::Exploit::CheckCode::Unknown
- vprint_status("#{ip}:#{rport} - MS08-067 UNKNOWN")
- end
- end
-
- def check_vuln
- begin
- connect()
- smb_login()
- rescue Rex::Proto::SMB::Exceptions::LoginError
- return Msf::Exploit::CheckCode::Unknown
- end
-
- #
- # Build the malicious path name
- # 5b878ae7 "db @eax;g"
- prefix = "\\"
- path =
- "\x00\\\x00/"*0x10 +
- Rex::Text.to_unicode("\\") +
- Rex::Text.to_unicode("R7") +
- Rex::Text.to_unicode("\\..\\..\\") +
- Rex::Text.to_unicode("R7") +
- "\x00"*2
-
- server = Rex::Text.rand_text_alpha(rand(8)+1).upcase
-
- handle = dcerpc_handle( '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
- 'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
- )
-
- begin
- # Samba doesn't have this handle and returns an ErrorCode
- dcerpc_bind(handle)
- rescue Rex::Proto::SMB::Exceptions::ErrorCode
- return Msf::Exploit::CheckCode::Safe
- end
-
- stub =
- NDR.uwstring(server) +
- NDR.UnicodeConformantVaryingStringPreBuilt(path) +
- NDR.long(8) +
- NDR.wstring(prefix) +
- NDR.long(4097) +
- NDR.long(0)
-
- resp = dcerpc.call(0x1f, stub)
- error = resp[4,4].unpack("V")[0]
-
- # Cleanup
- simple.client.close
- simple.client.tree_disconnect
- disconnect
-
- if (error == 0x0052005c) # \R :)
- return Msf::Exploit::CheckCode::Vulnerable
- else
- return Msf::Exploit::CheckCode::Safe
- end
- end
-
-end
diff --git a/modules/post/windows/recon/resolve_hostname.rb b/modules/post/windows/recon/resolve_hostname.rb
deleted file mode 100644
index 37befc65e2..0000000000
--- a/modules/post/windows/recon/resolve_hostname.rb
+++ /dev/null
@@ -1,79 +0,0 @@
-##
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-require 'rex'
-
-class Metasploit3 < Msf::Post
- require 'msf/core/module/deprecated'
- include Msf::Module::Deprecated
- deprecated Date.new(2014, 03, 24), 'post/multi/gather/resolve_hosts'
-
- def initialize(info={})
- super( update_info( info,
- 'Name' => 'Windows Recon Resolve Hostname',
- 'Description' => %q{
- This module resolves a hostname to IP address via the victim,
- similar to the Unix 'dig' command. Since resolution happens over
- an established session from the perspective of the remote host,
- this module can be used to determine differences between external
- and internal resolution, especially for potentially high-value
- internal addresses of devices named 'mail' or 'www.'
- },
- 'License' => MSF_LICENSE,
- 'Author' => [ 'mubix' ],
- 'Platform' => [ 'win' ],
- 'SessionTypes' => [ 'meterpreter' ]
- ))
-
- register_options(
- [
- OptString.new('HOSTNAME', [false, 'Hostname to lookup', nil]),
- OptPath.new('HOSTFILE', [false, 'Line separated file with hostnames to resolve', nil]),
- OptBool.new('SAVEHOSTS', [true, 'Save resolved hosts to the database', true])
- ], self.class)
- end
-
- def resolve_hostname(hostname)
- begin
- vprint_status("Looking up IP for #{hostname}")
- result = client.net.resolve.resolve_host(hostname)
- if result[:ip].nil? or result[:ip].blank?
- print_error("Failed to resolve #{hostname}")
- return
- else
- hostip = result[:ip]
- end
-
-
- print_status("#{hostname} resolves to #{hostip}")
-
- if datastore['SAVEHOSTS']
- report_host({
- :host => hostip,
- :name => hostname
- })
- end
-
- rescue Rex::Post::Meterpreter::RequestError
- print_status('Windows 2000 and prior does not support getaddrinfo')
- end
-
- end
-
- def run
- if datastore['HOSTNAME']
- resolve_hostname(datastore['HOSTNAME'])
- end
-
- if datastore['HOSTFILE']
- ::File.open(datastore['HOSTFILE'], "rb").each_line do |hostname|
- if hostname.strip != ""
- resolve_hostname(hostname.strip)
- end
- end
- end
- end
-end