New resource script to check for development-related vulns.

pbarry-r7 · pbarry-r7 · commit 4fc0eb0cb380 · 2017-10-25T10:11:25.000-05:00
diff --git a/scripts/resource/dev_checks.rc b/scripts/resource/dev_checks.rc
@@ -0,0 +1,118 @@
+<ruby>
+
+#
+# This resource script will check for vulnerabilities related to
+# programs and services used by developers, including the following:
+#
+# * NodeJS debug (multi/misc/nodejs_v8_debugger)
+# * distcc (unix/misc/distcc_exe)
+# * Jenkins (linux/misc/jenkins_java_deserialize)
+# * GitHub Enterprise (linux/http/github_enterprise_secret)
+#
+# It is worth noting that ONLY CHECKS are performed, no active exploiting.
+# This makes it safe to run in many environments.
+#
+# Author:
+# pbarry-r7
+#
+
+@job_ids = []
+
+def wait_until_jobs_done
+    while true
+        @job_ids.each do |job_id|
+            current_job_ids = framework.jobs.keys.map { |e| e.to_i }
+            sleep 1 if current_job_ids.include?(job_id)
+        end
+
+        return
+    end
+end
+
+def check_exploit(host:, mod_name:, vuln_check_ret_val:)
+    begin
+        mod = framework.exploits.create(mod_name)
+        mod.datastore['RHOST'] = host.address
+        print_line("Looking for #{mod.name}...")
+        result = mod.check_simple({'RunAsJob': true, 'LocalOutput': self.output})
+        @job_ids << mod.job_id if mod.job_id
+        if vuln_check_ret_val.index(result)
+            print_line("HOST #{host.address} APPEARS VULNERABLE TO #{mod.name}")
+            framework.db.report_vuln(
+                workspace: mod.workspace,
+                host: mod.rhost,
+                name: mod.name,
+                info: "This was flagged as likely vulnerable by the explicit check of #{mod.fullname}.",
+                refs: mod.references
+            )
+        end
+    rescue ::Exception => e
+        print_error(e.message)
+    end
+end
+
+def setup
+    # Test and see if we have a database connected
+    begin
+        framework.db.hosts
+    rescue ::ActiveRecord::ConnectionNotEstablished
+        print_error("Database connection isn't established")
+        return false
+    end
+
+    run_single("setg verbose true")
+
+    true
+end
+
+def main
+    framework.db.workspace.hosts.each do |host|
+        print_line("Checking IP: #{host.address}, OS: #{host.os_name}...")
+
+        check_exploit(host: host,
+        mod_name: 'multi/misc/nodejs_v8_debugger',
+        vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
+
+        check_exploit(host: host,
+        mod_name: 'unix/misc/distcc_exec',
+        vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ])
+
+        check_exploit(host: host,
+        mod_name: 'unix/misc/qnx_qconn_exec',
+        vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ])
+
+        check_exploit(host: host,
+        mod_name: 'linux/misc/jenkins_java_deserialize',
+        vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ])
+
+        check_exploit(host: host,
+        mod_name: 'linux/http/github_enterprise_secret',
+        vuln_check_ret_val: [ Exploit::CheckCode::Vulnerable ])
+
+        check_exploit(host: host,
+        mod_name: 'multi/http/traq_plugin_exec',
+        vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
+
+        check_exploit(host: host,
+        mod_name: 'multi/http/builderengine_upload_exec',
+        vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
+
+        check_exploit(host: host,
+        mod_name: 'multi/http/mantisbt_php_exec',
+        vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
+
+        check_exploit(host: host,
+        mod_name: 'multi/http/vbulletin_unserialize',
+        vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
+
+        check_exploit(host: host,
+        mod_name: 'unix/webapp/vbulletin_vote_sqli_exec',
+        vuln_check_ret_val: [ Exploit::CheckCode::Appears ])
+    end
+    wait_until_jobs_done
+end
+
+abort("Error during setup, exiting.") unless setup
+main
+
+</ruby>
