Merge branch 'master' of github.com:rapid7/metasploit-framework into rapid7

Author: egypt

modules/auxiliary/admin/http/rails_devise_pass_reset.rb

@@ -27,9 +27,9 @@ def initialize(info = {})
 
 					Affects Devise < v2.2.3, 2.1.3, 2.0.5 and 1.5.4 when backed by any database
 					except PostgreSQL or SQLite3. Tested with v2.2.2, 2.1.2, and 2.0.4 on Rails
-					3.2.11. Patch applied to Rails 3.2.12 should prevent exploitation of this
-					vulnerability, by quoting numeric values when comparing them with non numeric
-					values.
+					3.2.11. Patch applied to Rails 3.2.12 and 3.1.11 should prevent exploitation
+					of this vulnerability, by quoting numeric values when comparing them with
+					non numeric values.
 				},
 			'Author'        =>
 				[
@@ -44,7 +44,8 @@ def initialize(info = {})
 					[ 'BID', '57577' ],
 					[ 'URL', 'http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/'],
 					[ 'URL', 'http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html'],
-					[ 'URL', 'https://github.com/rails/rails/commit/921a296a3390192a71abeec6d9a035cc6d1865c8' ]
+					[ 'URL', 'https://github.com/rails/rails/commit/921a296a3390192a71abeec6d9a035cc6d1865c8' ],
+					[ 'URL', 'https://github.com/rails/rails/commit/26e13c3ca71cbc7859cc4c51e64f3981865985d8']
 				],
 			'DisclosureDate' => 'Jan 28 2013'
 		))

modules/auxiliary/gather/dns_bruteforce.rb

@@ -0,0 +1,134 @@
+##
+# ## This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require "net/dns/resolver"
+require 'rex'
+
+class Metasploit3 < Msf::Auxiliary
+	include Msf::Auxiliary::Report
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'		   => 'DNS Brutefoce Enumeration',
+			'Description'	=> %q{
+					This module uses a dictionary to perform a bruteforce attack to enumerate
+				hostnames and subdomains available under a given domain.
+			},
+			'Author'		=> [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
+			'License'		=> BSD_LICENSE
+		))
+
+		register_options(
+			[
+				OptString.new('DOMAIN', [ true, "The target domain name"]),
+				OptAddress.new('NS', [ false, "Specify the name server to use for queries, otherwise use the system DNS" ]),
+				OptPath.new('WORDLIST', [ true, "Wordlist file for domain name brute force.",
+							File.join(Msf::Config.install_root, "data", "wordlists", "namelist.txt")])
+			], self.class)
+
+		register_advanced_options(
+			[
+				OptInt.new('RETRY', [ false, "Number of tries to resolve a record if no response is received.", 2]),
+				OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry.", 2]),
+				OptInt.new('THREADS', [ true, "Number of threads", 1])
+			], self.class)
+	end
+
+	def run
+		print_status("Enumerating #{datastore['DOMAIN']}")
+		@res = Net::DNS::Resolver.new()
+		@res.retry = datastore['RETRY'].to_i unless datastore['RETRY'].nil?
+		@res.retry_interval = datastore['RETRY_INTERVAL'].to_i unless datastore['RETRY_INTERVAL'].nil?
+		wildcard(datastore['DOMAIN'])
+		switchdns() unless datastore['NS'].nil?
+		dnsbrt(datastore['DOMAIN'])
+	end
+
+	def wildcard(target)
+		rendsub = rand(10000).to_s
+		query = @res.query("#{rendsub}.#{target}", "A")
+		if query.answer.length != 0
+			print_status("This Domain has wild-cards enabled!!")
+			query.answer.each do |rr|
+				print_warning("Wild-card IP for #{rendsub}.#{target} is: #{rr.address.to_s}") if rr.class != Net::DNS::RR::CNAME
+			end
+			return true
+		else
+			return false
+		end
+	end
+
+	def get_ip(host)
+		results = []
+		query = @res.search(host, "A")
+		if (query)
+			query.answer.each do |rr|
+				if rr.type == "CNAME"
+					results = results + get_ip(rr.cname)
+				else
+					record = {}
+					record[:host] = host
+					record[:type] = "AAAA"
+					record[:address] = rr.address.to_s
+					results << record
+				end
+			end
+		end
+		query1 = @res.search(host, "AAAA")
+		if (query1)
+			query1.answer.each do |rr|
+				if rr.type == "CNAME"
+					results = results + get_ip(rr.cname)
+				else
+					record = {}
+					record[:host] = host
+					record[:type] = "AAAA"
+					record[:address] = rr.address.to_s
+					results << record
+				end
+			end
+		end
+		return results
+	end
+
+	def switchdns()
+		print_status("Using DNS server: #{datastore['NS']}")
+		@res.nameserver=(datastore['NS'])
+		@nsinuse = datastore['NS']
+	end
+
+	def dnsbrt(domain)
+		print_status("Performing bruteforce against #{domain}")
+		queue = []
+		File.open(datastore['WORDLIST'], 'rb').each_line do |testd|
+			queue << testd.strip
+		end
+		while(not queue.empty?)
+			tl = []
+			1.upto(datastore['THREADS']) do
+				tl << framework.threads.spawn("Module(#{self.refname})-#{domain}", false, queue.shift) do |testf|
+					Thread.current.kill if not testf
+					vprint_status("Testing #{testf}.#{domain}")
+					get_ip("#{testf}.#{domain}").each do |i|
+						print_good("Host #{i[:host]} with address #{i[:address]} found")
+						report_host(
+							:host => i[:address].to_s,
+							:name => i[:host].gsub(/\.$/,'')
+						)
+					end
+				end
+			end
+			if(tl.length == 0)
+				break
+			end
+			tl.first.join
+			tl.delete_if { |t| not t.alive? }
+		end
+	end
+end
+

modules/auxiliary/gather/dns_info.rb

@@ -0,0 +1,231 @@
+##
+# ## This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require "net/dns/resolver"
+require 'rex'
+
+class Metasploit3 < Msf::Auxiliary
+	include Msf::Auxiliary::Report
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'        => 'DNS Basic Information Enumeration',
+			'Description' => %q{
+					This module enumerates basic DNS information for a given domain. The module
+				gets information regarding to A (addresses), AAAA (IPv6 addresses), NS (name
+				servers), SOA (start of authority) and MX (mail servers) records for a given
+				domain. In addition, this module retrieves information stored in TXT records.
+			},
+			'Author'      => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
+			'License'     => BSD_LICENSE
+		))
+
+		register_options(
+			[
+				OptString.new('DOMAIN', [ true, "The target domain name"]),
+				OptAddress.new('NS', [ false, "Specify the name server to use for queries, otherwise use the system configured DNS Server is used." ]),
+
+			], self.class)
+
+		register_advanced_options(
+			[
+				OptInt.new('RETRY', [ false, "Number of tries to resolve a record if no response is received.", 2]),
+				OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry.", 2]),
+			], self.class)
+	end
+
+	def run
+		print_status("Enumerating #{datastore['DOMAIN']}")
+		@res = Net::DNS::Resolver.new()
+
+		if datastore['RETRY']
+			@res.retry = datastore['RETRY'].to_i
+		end
+
+		if datastore['RETRY_INTERVAL']
+			@res.retry_interval = datastore['RETRY_INTERVAL'].to_i
+		end
+
+		wildcard(datastore['DOMAIN'])
+		switchdns() unless datastore['NS'].nil? or datastore['NS'].empty?
+
+		get_ip(datastore['DOMAIN']).each do |r|
+			print_good("#{r[:host]} - Address #{r[:address]} found. Record type: #{r[:type]}")
+			report_host(:host => r[:address])
+		end
+
+		get_ns(datastore['DOMAIN']).each do |r|
+			print_good("#{datastore['DOMAIN']} - Name server #{r[:host]} (#{r[:address]}) found. Record type: #{r[:type]}")
+			report_host(:host => r[:address], :name => r[:host])
+			report_service(
+				:host => r[:address],
+				:name => "dns",
+				:port => 53,
+				:proto => "udp"
+			)
+		end
+
+		get_soa(datastore['DOMAIN']).each do |r|
+			print_good("#{datastore['DOMAIN']} - #{r[:host]} (#{r[:address]}) found. Record type: #{r[:type]}")
+			report_host(:host => r[:address], :name => r[:host])
+		end
+
+		get_mx(datastore['DOMAIN']).each do |r|
+			print_good("#{datastore['DOMAIN']} - Mail server #{r[:host]} (#{r[:address]}) found. Record type: #{r[:type]}")
+			report_host(:host => r[:address], :name => r[:host])
+			report_service(
+				:host => r[:address],
+				:name => "smtp",
+				:port => 25,
+				:proto => "tcp"
+			)
+		end
+
+		get_txt(datastore['DOMAIN']).each do |r|
+			print_good("#{datastore['DOMAIN']} - Text info found: #{r[:text]}. Record type: #{r[:type]}")
+			report_note(
+				:host => datastore['DOMAIN'],
+				:proto => 'udp',
+				:port => 53,
+				:type => 'dns.info',
+				:data => {:text => r[:text]}
+			)
+		end
+	end
+
+	def wildcard(target)
+		rendsub = rand(10000).to_s
+		query = @res.query("#{rendsub}.#{target}", "A")
+		if query.answer.length != 0
+			print_status("This Domain has Wild-cards Enabled!!")
+			query.answer.each do |rr|
+				print_status("Wild-card IP for #{rendsub}.#{target} is: #{rr.address.to_s}") if rr.class != Net::DNS::RR::CNAME
+				report_note(
+					:host => datastore['DOMAIN'],
+					:proto => 'UDP',
+					:port => 53,
+					:type => 'dns.wildcard',
+					:data => "Wildcard IP for #{rendsub}.#{target} is: #{rr.address.to_s}"
+				)
+			end
+			return true
+		else
+			return false
+		end
+	end
+
+	def get_ip(host)
+		results = []
+		query = @res.search(host, "A")
+		if query
+			query.answer.each do |rr|
+				record = {}
+				record[:host] = host
+				record[:type] = "A"
+				record[:address] = rr.address.to_s
+				results << record
+			end
+		end
+		query1 = @res.search(host, "AAAA")
+		if query1
+			query1.answer.each do |rr|
+				record = {}
+				record[:host] = host
+				record[:type] = "AAAA"
+				record[:address] = rr.address.to_s
+				results << record
+			end
+		end
+		return results
+	end
+
+	def get_ns(target)
+		results = []
+		query = @res.query(target, "NS")
+		return results if not query
+		(query.answer.select { |i| i.class == Net::DNS::RR::NS}).each do |rr|
+			get_ip(rr.nsdname).each do |r|
+				record = {}
+				record[:host] = rr.nsdname.gsub(/\.$/,'')
+				record[:type] = "NS"
+				record[:address] = r[:address].to_s
+				results << record
+			end
+		end
+		return results
+	end
+
+	def get_soa(target)
+		results = []
+		query = @res.query(target, "SOA")
+		return results if not query
+		(query.answer.select { |i| i.class == Net::DNS::RR::SOA}).each do |rr|
+			if Rex::Socket.dotted_ip?(rr.mname)
+				record = {}
+				record[:host] = rr.mname
+				record[:type] = "SOA"
+				record[:address] = rr.mname
+				results << record
+			else
+				get_ip(rr.mname).each do |ip|
+					record = {}
+					record[:host] = rr.mname.gsub(/\.$/,'')
+					record[:type] = "SOA"
+					record[:address] = ip[:address].to_s
+					results << record
+				end
+			end
+		end
+		return results
+	end
+
+	def get_txt(target)
+		results = []
+		query = @res.query(target, "TXT")
+		return results if not query
+		query.answer.each do |rr|
+			record = {}
+			record[:host] = target
+			record[:text] = rr.txt
+			record[:type] = "TXT"
+			results << record
+		end
+		return results
+	end
+
+	def get_mx(target)
+		results = []
+		query = @res.query(target, "MX")
+		return results if not query
+		(query.answer.select { |i| i.class == Net::DNS::RR::MX}).each do |rr|
+			if Rex::Socket.dotted_ip?(rr.exchange)
+				record = {}
+				record[:host] = rr.exchange
+				record[:type] = "MX"
+				record[:address] = rr.exchange
+				results << record
+			else
+				get_ip(rr.exchange).each do |ip|
+					record = {}
+					record[:host] = rr.exchange.gsub(/\.$/,'')
+					record[:type] = "MX"
+					record[:address] = ip[:address].to_s
+					results << record
+				end
+			end
+		end
+		return results
+	end
+
+	def switchdns()
+		print_status("Using DNS server: #{datastore['NS']}")
+		@res.nameserver=(datastore['NS'])
+		@nsinuse = datastore['NS']
+	end
+end
+