diff --git a/modules/auxiliary/scanner/db2/db2_auth.rb b/modules/auxiliary/scanner/db2/db2_auth.rb
index ba5ad5a1038d5..7652390792296 100644
--- a/modules/auxiliary/scanner/db2/db2_auth.rb
+++ b/modules/auxiliary/scanner/db2/db2_auth.rb
@@ -14,35 +14,48 @@ class MetasploitModule < Msf::Auxiliary def initialize super( - 'Name' => 'DB2 Authentication Brute Force Utility', - 'Description' => %q{This module attempts to authenticate against a DB2 - instance using username and password combinations indicated by the - USER_FILE, PASS_FILE, and USERPASS_FILE options.}, - 'Author' => ['todb'], - 'References' => - [ - [ 'CVE', '1999-0502'] # Weak password - ], - 'License' => MSF_LICENSE + 'Name' => 'DB2 Authentication Brute Force Utility', + 'Description' => %q{ + This module attempts to authenticate against a DB2 instance + using username and password combinations indicated by the + USER_FILE, PASS_FILE, and USERPASS_FILE options. + }, + 'Author' => ['todb'], + 'References' => [ + [ 'CVE', '1999-0502'] # Weak password + ], + 'License' => MSF_LICENSE, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [IOC_IN_LOGS, ACCOUNT_LOCKOUTS], + 'Reliability' => [] + } ) register_options( [ Opt::Proxies, - OptPath.new('USERPASS_FILE', [ false, "File containing (space-separated) users and passwords, one pair per line", - File.join(Msf::Config.data_directory, "wordlists", "db2_default_userpass.txt") ]), - OptPath.new('USER_FILE', [ false, "File containing users, one per line", - File.join(Msf::Config.data_directory, "wordlists", "db2_default_user.txt") ]), - OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line", - File.join(Msf::Config.data_directory, "wordlists", "db2_default_pass.txt") ]), - ]) + OptPath.new('USERPASS_FILE', [ + false, 'File containing (space-separated) users and passwords, one pair per line', + File.join(Msf::Config.data_directory, 'wordlists', 'db2_default_userpass.txt') + ]), + OptPath.new('USER_FILE', [ + false, 'File containing users, one per line', + File.join(Msf::Config.data_directory, 'wordlists', 'db2_default_user.txt') + ]), + OptPath.new('PASS_FILE', [ + false, 'File containing passwords, one per line', + File.join(Msf::Config.data_directory, 
'wordlists', 'db2_default_pass.txt') + ]), + ] + ) end def run_host(ip) cred_collection = build_credential_collection( - realm: datastore['DATABASE'], - username: datastore['USERNAME'], - password: datastore['PASSWORD'] + realm: datastore['DATABASE'], + username: datastore['USERNAME'], + password: datastore['PASSWORD'] ) scanner = Metasploit::Framework::LoginScanner::DB2.new( @@ -70,8 +83,8 @@ def run_host(ip) scanner.scan! do |result| credential_data = result.to_h credential_data.merge!( - module_fullname: self.fullname, - workspace_id: myworkspace_id + module_fullname: fullname, + workspace_id: myworkspace_id ) if result.success? credential_core = create_credential(credential_data) diff --git a/modules/auxiliary/scanner/db2/db2_version.rb b/modules/auxiliary/scanner/db2/db2_version.rb index f315312cdebec..44085b608eb1c 100644 --- a/modules/auxiliary/scanner/db2/db2_version.rb +++ b/modules/auxiliary/scanner/db2/db2_version.rb 
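Review bot: The 'Description' in `initialize` does not mention the side effects that the new 'Notes' entry declares (`IOC_IN_LOGS`, `ACCOUNT_LOCKOUTS`). USERPASS_FILE, USER_FILE and PASS_FILE all default to bundled wordlists, so a run with default options submits every entry in them. I would add one sentence to the description, for example `Failed attempts are recorded in the target's authentication logs and may lock accounts.`, so the behaviour is visible in the module text as well as in the metadata. The remaining changes in this hunk are formatting only, and `run_host` continues beyond it.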
@@ -10,50 +10,56 @@ class MetasploitModule < Msf::Auxiliary def initialize super( - 'Name' => 'DB2 Probe Utility', - 'Description' => 'This module queries a DB2 instance information.', - 'Author' => ['todb'], - 'License' => MSF_LICENSE + 'Name' => 'DB2 Probe Utility', + 'Description' => 'This module queries a DB2 instance information.', + 'Author' => ['todb'], + 'License' => MSF_LICENSE, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [], + 'Reliability' => [] + } ) register_options( [ OptInt.new('TIMEOUT', [true, 'Timeout for the DB2 probe', 5]) - ]) + ] + ) - deregister_options('USERNAME' , 'PASSWORD') + deregister_options('USERNAME', 'PASSWORD') end def to return 5 if datastore['TIMEOUT'].to_i.zero? + datastore['TIMEOUT'].to_i end def run_host(ip) - begin - - info = db2_probe(to) - if info[:excsatrd] - inst,plat,ver,pta = info[:instance_name],info[:platform],info[:version],info[:plaintext_auth] - report_info = "Platform: #{plat}, Version: #{ver}, Instance: #{inst}, Plain-Authentication: #{pta ? "OK" : "NO"}" - print_good("#{ip}:#{rport} DB2 - #{report_info}") - report_service( - :host => rhost, - :port => rport, - :name => "db2", - :info => report_info - ) - end - disconnect - - rescue ::Rex::ConnectionRefused - vprint_error("#{rhost}:#{rport} : Cannot connect to host") - return :done - rescue ::Rex::ConnectionError - vprint_error("#{rhost}:#{rport} : Unable to attempt probe") - return :done - rescue ::Rex::Proto::DRDA::RespError => e - vprint_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}") - return :error + info = db2_probe(to) + if info[:excsatrd] + inst = info[:instance_name] + plat = info[:platform] + ver = info[:version] + pta = info[:plaintext_auth] + report_info = "Platform: #{plat}, Version: #{ver}, Instance: #{inst}, Plain-Authentication: #{pta ? 
'OK' : 'NO'}" + print_good("#{ip}:#{rport} DB2 - #{report_info}") + report_service( + host: rhost, + port: rport, + name: 'db2', + info: report_info + ) end + disconnect + rescue ::Rex::ConnectionRefused + vprint_error("#{rhost}:#{rport} : Cannot connect to host") + return :done + rescue ::Rex::ConnectionError + vprint_error("#{rhost}:#{rport} : Unable to attempt probe") + return :done + rescue ::Rex::Proto::DRDA::RespError => e + vprint_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}") + return :error end end diff --git a/modules/auxiliary/scanner/db2/discovery.rb b/modules/auxiliary/scanner/db2/discovery.rb index 359dde7285b93..bb50ee40b9c82 100644 --- a/modules/auxiliary/scanner/db2/discovery.rb +++ b/modules/auxiliary/scanner/db2/discovery.rb 
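Review bot: `disconnect` in `run_host` still runs only on the normal path, so any connection presumably opened inside `db2_probe` stays open when one of the three rescue branches returns. Now that the method uses method-level `rescue`, the call can move into an `ensure` clause (`ensure` followed by `disconnect`), as discovery.rb already does with `disconnect_udp`. Separately, `instance_name`, `platform` and `version` are supplied by the remote service and are interpolated unchanged into `print_good` and `report_service`. If `db2_probe` does not already filter them, stripping non-printable characters before they reach the console and the database would be a sensible addition; `db2_probe` is not visible here, so that part is unconfirmed.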
@@ -10,55 +10,59 @@ class MetasploitModule < Msf::Auxiliary def initialize super( - 'Name' => 'DB2 Discovery Service Detection', - 'Description' => 'This module simply queries the DB2 discovery service for information.', - 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE + 'Name' => 'DB2 Discovery Service Detection', + 'Description' => 'This module simply queries the DB2 discovery service for information.', + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'SideEffects' => [], + 'Reliability' => [] + } ) register_options([Opt::RPORT(523),]) end def run_host(ip) + pkt = 'DB2GETADDR' + "\x00" + 'SQL05000' + "\x00" - pkt = "DB2GETADDR" + "\x00" + "SQL05000" + "\x00" + connect_udp + udp_sock.put(pkt) + res = udp_sock.read(1024) - begin - - connect_udp - udp_sock.put(pkt) - res = udp_sock.read(1024) - - unless res - print_error("Unable to determine version info for #{ip}") - return - end - - res = res.split(/\x00/) + unless res + print_error("Unable to determine version info for #{ip}") + return + end - report_note( - :host => ip, - :proto => 'udp', - :port => datastore['RPORT'], - :type => 'SERVICE_INFO', - :data => { :service_info => "#{res[2]}_#{res[1]}" } - ) + res = res.split(/\x00/) - report_service( - :host => ip, - :port => datastore['RPORT'], - :proto => 'udp', - :name => "ibm-db2", - :info => "#{res[2]}_#{res[1]}" - ) + product_id = res[1] + node_name = res[2] - print_good("Host #{ip} node name is " + res[2] + " with a product id of " + res[1] ) + report_note( + host: ip, + proto: 'udp', + port: datastore['RPORT'], + type: 'SERVICE_INFO', + data: { service_info: "#{node_name}_#{product_id}" } + ) - rescue ::Rex::ConnectionError - rescue ::Errno::EPIPE - ensure - disconnect_udp - end + report_service( + host: ip, + port: datastore['RPORT'], + proto: 'udp', + name: 'ibm-db2', + info: "#{node_name}_#{product_id}" + ) + print_good("Host #{ip} node name is #{node_name} with a product id of #{product_id}") + rescue 
::Rex::ConnectionError => e + vprint_error(e.message) + rescue ::Errno::EPIPE => e + vprint_error(e.message) + ensure + disconnect_udp end end
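Review bot: `run_host` reads `res[1]` and `res[2]` after `res.split(/\x00/)` without checking that the reply has that many fields. With the switch from string concatenation to interpolation, a short or unrelated UDP reply no longer raises. It is stored by `report_note` and `report_service` as `"_"` and announced by `print_good` as a detected DB2 host. A guard before the report calls, such as `return print_error("Unexpected discovery response from #{ip}") unless node_name && product_id`, keeps malformed replies out of the workspace. Because both values come from the network, it may also be worth checking that they are printable before they are stored.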