rapid7 · bcoles · May 24, 2025
diff --git a/modules/auxiliary/scanner/db2/db2_auth.rb b/modules/auxiliary/scanner/db2/db2_auth.rb
@@ -14,35 +14,48 @@ class MetasploitModule < Msf::Auxiliary
 
   def initialize
     super(
-      'Name'           => 'DB2 Authentication Brute Force Utility',
-      'Description'    => %q{This module attempts to authenticate against a DB2
-        instance using username and password combinations indicated by the
-        USER_FILE, PASS_FILE, and USERPASS_FILE options.},
-      'Author'         => ['todb'],
-      'References'     =>
-        [
-          [ 'CVE', '1999-0502'] # Weak password
-        ],
-      'License'        => MSF_LICENSE
+      'Name' => 'DB2 Authentication Brute Force Utility',
+      'Description' => %q{
+        This module attempts to authenticate against a DB2 instance
+        using username and password combinations indicated by the
+        USER_FILE, PASS_FILE, and USERPASS_FILE options.
+      },
+      'Author' => ['todb'],
+      'References' => [
+        [ 'CVE', '1999-0502'] # Weak password
+      ],
+      'License' => MSF_LICENSE,
+      'Notes' => {
+        'Stability' => [CRASH_SAFE],
+        'SideEffects' => [IOC_IN_LOGS, ACCOUNT_LOCKOUTS],
+        'Reliability' => []
+      }
     )
 
     register_options(
       [
         Opt::Proxies,
-        OptPath.new('USERPASS_FILE',  [ false, "File containing (space-separated) users and passwords, one pair per line",
-          File.join(Msf::Config.data_directory, "wordlists", "db2_default_userpass.txt") ]),
-        OptPath.new('USER_FILE',  [ false, "File containing users, one per line",
-          File.join(Msf::Config.data_directory, "wordlists", "db2_default_user.txt") ]),
-        OptPath.new('PASS_FILE',  [ false, "File containing passwords, one per line",
-          File.join(Msf::Config.data_directory, "wordlists", "db2_default_pass.txt") ]),
-      ])
+        OptPath.new('USERPASS_FILE', [
+          false, 'File containing (space-separated) users and passwords, one pair per line',
+          File.join(Msf::Config.data_directory, 'wordlists', 'db2_default_userpass.txt')
+        ]),
+        OptPath.new('USER_FILE', [
+          false, 'File containing users, one per line',
+          File.join(Msf::Config.data_directory, 'wordlists', 'db2_default_user.txt')
+        ]),
+        OptPath.new('PASS_FILE', [
+          false, 'File containing passwords, one per line',
+          File.join(Msf::Config.data_directory, 'wordlists', 'db2_default_pass.txt')
+        ]),
+      ]
+    )
   end
 
   def run_host(ip)
     cred_collection = build_credential_collection(
-        realm: datastore['DATABASE'],
-        username: datastore['USERNAME'],
-        password: datastore['PASSWORD']
+      realm: datastore['DATABASE'],
+      username: datastore['USERNAME'],
+      password: datastore['PASSWORD']
     )
 
     scanner = Metasploit::Framework::LoginScanner::DB2.new(
@@ -70,8 +83,8 @@ def run_host(ip)
     scanner.scan! do |result|
       credential_data = result.to_h
       credential_data.merge!(
-          module_fullname: self.fullname,
-          workspace_id: myworkspace_id
+        module_fullname: fullname,
+        workspace_id: myworkspace_id
       )
       if result.success?
         credential_core = create_credential(credential_data)

diff --git a/modules/auxiliary/scanner/db2/db2_version.rb b/modules/auxiliary/scanner/db2/db2_version.rb
@@ -10,50 +10,56 @@ class MetasploitModule < Msf::Auxiliary
 
   def initialize
     super(
-      'Name'           => 'DB2 Probe Utility',
-      'Description'    => 'This module queries a DB2 instance information.',
-      'Author'         => ['todb'],
-      'License'        => MSF_LICENSE
+      'Name' => 'DB2 Probe Utility',
+      'Description' => 'This module queries a DB2 instance information.',
+      'Author' => ['todb'],
+      'License' => MSF_LICENSE,
+      'Notes' => {
+        'Stability' => [CRASH_SAFE],
+        'SideEffects' => [],
+        'Reliability' => []
+      }
     )
     register_options(
       [
         OptInt.new('TIMEOUT', [true, 'Timeout for the DB2 probe', 5])
-    ])
+      ]
+    )
 
-    deregister_options('USERNAME' , 'PASSWORD')
+    deregister_options('USERNAME', 'PASSWORD')
   end
 
   def to
     return 5 if datastore['TIMEOUT'].to_i.zero?
+
     datastore['TIMEOUT'].to_i
   end
 
   def run_host(ip)
-    begin
-
-      info = db2_probe(to)
-      if info[:excsatrd]
-        inst,plat,ver,pta = info[:instance_name],info[:platform],info[:version],info[:plaintext_auth]
-        report_info = "Platform: #{plat}, Version: #{ver}, Instance: #{inst}, Plain-Authentication: #{pta ? "OK" : "NO"}"
-        print_good("#{ip}:#{rport} DB2 - #{report_info}")
-        report_service(
-          :host => rhost,
-          :port => rport,
-          :name => "db2",
-          :info => report_info
-        )
-      end
-      disconnect
-
-    rescue ::Rex::ConnectionRefused
-      vprint_error("#{rhost}:#{rport} : Cannot connect to host")
-      return :done
-    rescue ::Rex::ConnectionError
-      vprint_error("#{rhost}:#{rport} : Unable to attempt probe")
-      return :done
-    rescue ::Rex::Proto::DRDA::RespError => e
-      vprint_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}")
-      return :error
+    info = db2_probe(to)
+    if info[:excsatrd]
+      inst = info[:instance_name]
+      plat = info[:platform]
+      ver = info[:version]
+      pta = info[:plaintext_auth]
+      report_info = "Platform: #{plat}, Version: #{ver}, Instance: #{inst}, Plain-Authentication: #{pta ? 'OK' : 'NO'}"
+      print_good("#{ip}:#{rport} DB2 - #{report_info}")
+      report_service(
+        host: rhost,
+        port: rport,
+        name: 'db2',
+        info: report_info
+      )
     end
+    disconnect
+  rescue ::Rex::ConnectionRefused
+    vprint_error("#{rhost}:#{rport} : Cannot connect to host")
+    return :done
+  rescue ::Rex::ConnectionError
+    vprint_error("#{rhost}:#{rport} : Unable to attempt probe")
+    return :done
+  rescue ::Rex::Proto::DRDA::RespError => e
+    vprint_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}")
+    return :error
   end
 end
diff --git a/modules/auxiliary/scanner/db2/discovery.rb b/modules/auxiliary/scanner/db2/discovery.rb
@@ -10,55 +10,59 @@ class MetasploitModule < Msf::Auxiliary
 
   def initialize
     super(
-      'Name'           => 'DB2 Discovery Service Detection',
-      'Description'    => 'This module simply queries the DB2 discovery service for information.',
-      'Author'         => [ 'MC' ],
-      'License'        => MSF_LICENSE
+      'Name' => 'DB2 Discovery Service Detection',
+      'Description' => 'This module simply queries the DB2 discovery service for information.',
+      'Author' => [ 'MC' ],
+      'License' => MSF_LICENSE,
+      'Notes' => {
+        'Stability' => [CRASH_SAFE],
+        'SideEffects' => [],
+        'Reliability' => []
+      }
     )
 
     register_options([Opt::RPORT(523),])
   end
 
   def run_host(ip)
+    pkt = 'DB2GETADDR' + "\x00" + 'SQL05000' + "\x00"
 
-    pkt = "DB2GETADDR" + "\x00" + "SQL05000" + "\x00"
+    connect_udp
+    udp_sock.put(pkt)
+    res = udp_sock.read(1024)
 
-    begin
-
-      connect_udp
-      udp_sock.put(pkt)
-      res = udp_sock.read(1024)
-
-      unless res
-        print_error("Unable to determine version info for #{ip}")
-        return
-      end
-
-      res = res.split(/\x00/)
+    unless res
+      print_error("Unable to determine version info for #{ip}")
+      return
+    end
 
-      report_note(
-        :host   => ip,
-        :proto  => 'udp',
-        :port   => datastore['RPORT'],
-        :type   => 'SERVICE_INFO',
-        :data   => { :service_info => "#{res[2]}_#{res[1]}" }
-        )
+    res = res.split(/\x00/)
 
-      report_service(
-        :host => ip,
-        :port => datastore['RPORT'],
-        :proto => 'udp',
-        :name => "ibm-db2",
-        :info => "#{res[2]}_#{res[1]}"
-      )
+    product_id = res[1]
+    node_name = res[2]
 
-      print_good("Host #{ip} node name is " + res[2] + " with a product id of " + res[1] )
+    report_note(
+      host: ip,
+      proto: 'udp',
+      port: datastore['RPORT'],
+      type: 'SERVICE_INFO',
+      data: { service_info: "#{node_name}_#{product_id}" }
+    )
 
-    rescue ::Rex::ConnectionError
-    rescue ::Errno::EPIPE
-    ensure
-      disconnect_udp
-    end
+    report_service(
+      host: ip,
+      port: datastore['RPORT'],
+      proto: 'udp',
+      name: 'ibm-db2',
+      info: "#{node_name}_#{product_id}"
+    )
 
+    print_good("Host #{ip} node name is #{node_name} with a product id of #{product_id}")
+  rescue ::Rex::ConnectionError => e
+    vprint_error(e.message)
+  rescue ::Errno::EPIPE => e
+    vprint_error(e.message)
+  ensure
+    disconnect_udp
   end
 end