@@ -13,61 +13,31 @@ def initialize(info = {})
1313 super (
1414 update_info (
1515 info ,
16- # TODO: fill in all of this
17- 'Name' => 'UDP Scanner Example' ,
16+ 'Name' => 'Gather Steam Server Information' ,
1817 'Description' => %q(
19- This module is an example of how to send probes to UDP services
20- en-masse, analyze any responses, and then report on any discovered
21- hosts, services, vulnerabilities or otherwise noteworthy things.
22- Simply address any of the TODOs.
18+ This module uses the A2S_INFO request to obtain information from a Steam server.
2319 ) ,
24- 'Author' => 'Joe Contributor <joe_contributor [at]example .com> ' ,
20+ 'Author' => 'Jon Hart <jon_hart [at]rapid7 .com' ,
2521 'References' =>
2622 [
27- [ 'URL' , 'https://example.com/~jcontributor' ]
23+ # TODO: add more from https://developer.valvesoftware.com/wiki/Server_queries,
24+ # perhaps in different modules
25+ [ 'URL' , 'https://developer.valvesoftware.com/wiki/Server_queries#A2S_INFO' ]
2826 ] ,
29- 'DisclosureDate' => 'Mar 15 2014' ,
3027 'License' => MSF_LICENSE
3128 )
3229 )
3330
3431 register_options (
3532 [
36- # TODO: change to the port you need to scan
37- #Opt::RPORT(27015)
38- Opt ::RPORT ( 4672 )
33+ Opt ::RPORT ( 27015 )
3934 ] , self . class )
4035
41- # TODO: add any advanced, special options here, otherwise remove
42- register_advanced_options (
43- [
44- OptBool . new ( 'SPECIAL' , [ true , 'Try this special thing' , false ] )
45- ] , self . class )
46- end
47-
48- def setup
49- super
50- # TODO: do any sort of preliminary sanity checking, like perhaps validating some options
51- # in the datastore, etc.
5236 end
5337
5438 # TODO: construct the appropriate probe here.
5539 def build_probe
56- #@probe ||= "\xFF\xFF\xFF\xFFTSource Engine Query\x00"
57- @probe ||= "\xe4 \x01 "
58- end
59-
60- # TODO: this is called before the scan block for each batch of hosts. Do any
61- # per-batch setup here, otherwise remove it.
62- def scanner_prescan ( batch )
63- super
64- end
65-
66- # TODO: this is called for each IP in the batch. This will send all of the
67- # necessary probes. If something different must be done for each IP, do it
68- # here, otherwise remove it.
69- def scan_host ( ip )
70- super
40+ @probe ||= "\xFF \xFF \xFF \xFF TSource Engine Query\x00 "
7141 end
7242
7343 # Called for each response packet
@@ -77,45 +47,19 @@ def scanner_process(response, src_host, _src_port)
7747 puts "Got something from #{ src_host }
7848 #puts response.unpack("NCCZ*Z*Z*Z*SCCCCCCCZ*C")
7949
80- # TODO: store something about this response, perhaps the response itself,
81- # some metadata obtained by analyzing it, the proof that it is vulnerable
82- # to something, etc. In this example, we simply look for any response
83- # with a sequence of 5 useful ASCII characters and, iff found, we store
84- # that sequence
85- /(?<relevant>[\x20 -\x7E ]{5})/ =~ response && @results [ src_host ] << relevant
8650 end
8751
8852 # Called after the scan block
8953 def scanner_postscan ( _batch )
90- @results . each_pair do |host , relevant_responses |
91- peer = "#{ host } #{ rport }
92-
93- # report on the host
54+ @results . each_pair do |host , info |
9455 report_host ( host : host )
95-
96- # report on the service, since it responded
9756 report_service (
9857 host : host ,
9958 proto : 'udp' ,
10059 port : rport ,
101- name : 'example' ,
102- # show at most 4 relevant responses
103- info : relevant_responses [ 0 , 4 ] . join ( ',' )
60+ name : 'Steam' ,
61+ info : info
10462 )
105-
106- if relevant_responses . empty?
107- vprint_status ( "#{ peer } )
108- else
109- print_good ( "#{ peer } )
110- report_vuln (
111- host : host ,
112- port : rport ,
113- proto : 'udp' ,
114- name : 'something!' ,
115- info : "Got #{ relevant_responses . size } ,
116- refs : references
117- )
118- end
11963 end
12064 end
12165end
0 commit comments