Add BigIP HTTP VS scanner and fix connection errors

dnkolegov · dnkolegov · commit c9e8f9cbea04 · 2015-04-03T02:30:03.000-04:00
diff --git a/modules/auxiliary/scanner/http/f5_bigip_http_vs_scanner.rb b/modules/auxiliary/scanner/http/f5_bigip_http_vs_scanner.rb
@@ -0,0 +1,89 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'F5 BigIP HTTP Virtual Server Scanner',
+      'Description' => %q{
+        This module scans network for BigIP HTTP virtual servers based on simple
+        banner grabbing technique. BigIP system uses different HTTP profiles for
+        managing HTTP traffic. In particular, BIG-IP system uses HTTP profile that
+        specifies the string used as the server agent name in traffic generated by LTM.
+        The default value is equal to "BigIP" or "BIG-IP" and depends on BigIP system version.
+      },
+      'Author'      =>
+        [
+          'Oleg Broslavsky <ovbroslavsky[at]gmail.com>',
+          'Nikita Oleksov <neoleksov[at]gmail.com>',
+          'Denis Kolegov <dnkolegov[at]gmail.com>',
+        ],
+      'License'     => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'URL', 'https://www.owasp.org/index.php/SCG_D_BIGIP'],
+        ]
+    ))
+
+    register_options(
+    [
+      OptString.new('PORTS', [true, "Ports to scan (e.g. 80-81,443,8080-8090)", "80,443"]),
+      OptInt.new('TIMEOUT', [true, "The socket connect timeout in milliseconds", 1000]),
+    ], self.class)
+
+    deregister_options('RPORT','RHOST')
+  end
+
+  def bigip_http?(ip, port, ssl, verbose = false)
+    begin
+      timeout = (datastore['TIMEOUT'] || 1000).to_f / 1000.0
+      ::Timeout.timeout(timeout) do
+        begin
+          res = send_request_raw('method' => 'GET', 'uri' => '/', 'rport' => port, 'SSL' => ssl)
+            if res
+              server = res.headers['Server']
+              return true if server =~ /BIG\-IP/  || server =~ /BigIP/
+            end
+        rescue ::Rex::ConnectionRefused
+          print_status("#{ip}:#{port} - TCP port closed") if verbose
+        rescue ::Rex::ConnectionError
+          print_error("#{ip}:#{port} - Connection error")
+        rescue ::OpenSSL::SSL::SSLError
+          print_error("#{ip}:#{port} - SSL/TLS connection error")
+        rescue => e
+          print_error("#{ip}:#{port} - Connection failed") if verbose
+        end
+      end
+    rescue Timeout::Error
+      print_error("#{ip}:#{port} - HTTP connection timed out") if verbose
+    end
+    return false
+  end
+
+  def run_host(ip)
+    verbose = datastore['VERBOSE']
+    ports = Rex::Socket.portspec_crack(datastore['PORTS'])
+    fail Msf::OptionValidateError.new(['PORTS']) if ports.empty?
+    ports.each do |port|
+      next if port == 443
+      if bigip_http?(ip, port, ssl = false, verbose)
+        print_status("#{ip}:#{port} - BigIP HTTP virtual server found")
+      end
+    end
+
+    ports.each do |port|
+      next if port == 80
+      if bigip_http?(ip, port, ssl = true, verbose)
+        print_status("#{ip}:#{port} - BigIP HTTP virtual server found")
+      end
+    end
+
+  end
+end
diff --git a/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb b/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb
@@ -51,6 +51,8 @@ def port_open?(to, verbose)
         rescue ::OpenSSL::SSL::SSLError
           print_error("#{peer} - SSL/TLS connection error") if verbose
           return false
+        rescue => e
+          print_error("#{peer} - Connection failed") if verbose
         end
       end
     rescue Timeout::Error
