rex 1.0.2 → 2.0.2

data/lib/rex/parser/ip360_xml.rb

@@ -0,0 +1,98 @@
+# -*- coding: binary -*-
+require 'rexml/document'
+require 'rex/ui'
+
+module Rex
+module Parser
+
+
+class IP360XMLStreamParser
+
+  attr_accessor :on_found_host
+
+  def initialize(&block)
+    reset_state
+    on_found_host = block if block
+  end
+
+  def reset_state
+    @host = {'hname' => nil, 'hid' => nil, 'addr' => nil, 'mac' => nil, 'os' => nil,
+      'vulns' => ['vuln' => {'vulnid' => nil, 'port' => nil, 'proto' => nil} ],
+      'apps' => ['app' => {'appid' => nil, 'svcid' => nil, 'port' => nil, 'proto' => nil } ],
+    }
+    @state = :generic_state
+  end
+
+  def tag_start(name, attributes)
+    case name
+    when "host"
+      @host['hid'] = attributes['persistent_id']
+    when "ip"
+      @state = :is_ip
+    when "dnsName"
+      @state = :is_fqdn
+    when "macAddress"
+      @state = :is_mac
+    when "os"
+      @host['os'] = attributes['id']
+    when "vulnerability"
+      @x = Hash.new
+      @x['vulnid'] = attributes['id']
+    when "port"
+      @state = :is_port
+    when "protocol"
+      @state = :is_proto
+    when "application"
+      @y = Hash.new
+      @y['appid'] = attributes['application_id']
+      @y['svcid'] = attributes['svcid']
+      @y['port'] = attributes['port']
+      @y['proto'] = attributes['protocol']
+      @host['apps'].push @y
+    end
+  end
+
+  def text(str)
+    case @state
+    when :is_fqdn
+      @host['hname'] = str
+    when :is_ip
+      @host['addr'] = str
+    when :is_mac
+      @host['mac'] = str
+    when :is_port
+      @x['port'] = str
+    when :is_proto
+      @x['proto'] = str
+    end
+  end
+
+  def tag_end(name)
+    case name
+    when "host"
+      on_found_host.call(@host) if on_found_host
+      reset_state
+    when "vulnerability"
+      @host['vulns'].push @x
+    end
+    @state = :generic_state
+  end
+
+  def cdata(d)
+    #do nothing
+  end
+
+  # We don't need these methods, but they're necessary to keep REXML happy
+  #
+  def xmldecl(version, encoding, standalone) # :nodoc:
+  end
+  def comment(str) # :nodoc:
+  end
+  def instruction(name, instruction) # :nodoc:
+  end
+  def attlist # :nodoc:
+  end
+end
+
+end
+end

data/lib/rex/parser/mbsa_nokogiri.rb

@@ -0,0 +1,256 @@
+# -*- coding: binary -*-
+require "rex/parser/nokogiri_doc_mixin"
+
+module Rex
+  module Parser
+
+    # If Nokogiri is available, define Template document class.
+    load_nokogiri && class MbsaDocument < Nokogiri::XML::SAX::Document
+
+    include NokogiriDocMixin
+
+    # Triggered every time a new element is encountered. We keep state
+    # ourselves with the @state variable, turning things on when we
+    # get here (and turning things off when we exit in end_element()).
+    def start_element(name=nil,attrs=[])
+      attrs = normalize_attrs(attrs)
+      block = @block
+      @state[:current_tag][name] = true
+      case name
+      when "SecScan"
+        record_host(attrs)
+      when "IP" # TODO: Check to see if IPList/IP is useful to import
+      when "Check" # A list of MBSA checks. They have an ID and a Name.
+        record_check(attrs)
+      when "Advice" # Check advice. Free form text about the check
+        @state[:has_text] = true
+      when "Detail" # Check/Detail is where missing fixes are.
+        record_detail(attrs)
+      when "UpdateData" # Info about installed/missing hotfixes
+        record_updatedata(attrs)
+      when "Title" # MSB Title
+        @state[:has_text] = true
+      when "InformationURL" # Only use this if we don't have a Bulletin ID
+        @state[:has_text] = true
+      end
+    end
+
+    # This breaks xml-encoded characters, so need to append
+    def characters(text)
+      return unless @state[:has_text]
+      @text ||= ""
+      @text << text
+    end
+
+    # When we exit a tag, this is triggered.
+    def end_element(name=nil)
+      block = @block
+      case name
+      when "SecScan" # Wrap it up
+        collect_host_data
+        host_object = report_host &block
+        if host_object
+          db.report_import_note(@args[:wspace],host_object)
+          report_fingerprint(host_object)
+          report_vulns(host_object,&block)
+        end
+        # Reset the state once we close a host
+        @state.delete_if {|k| k != :current_tag}
+      when "Check"
+        collect_check_data
+      when "Advice"
+        @state[:has_text] = false
+        collect_advice_data
+      when "Detail"
+        collect_detail_data
+      when "UpdateData"
+        collect_updatedata
+      when "Title"
+        @state[:has_text] = false
+        collect_title
+      when "InformationURL"
+        collect_url
+        @state[:has_text] = false
+      end
+      @state[:current_tag].delete name
+    end
+
+    def report_fingerprint(host_object)
+      return unless host_object.kind_of? ::Mdm::Host
+      return unless @report_data[:os_fingerprint]
+      fp_note = @report_data[:os_fingerprint].merge(
+        {
+          :workspace => host_object.workspace,
+          :host => host_object
+      })
+      db_report(:note, fp_note)
+    end
+
+    def collect_url
+      return unless in_tag("References")
+      return unless in_tag("UpdateData")
+      return unless in_tag("Detail")
+      return unless in_tag("Check")
+      @state[:update][:url] = @text.to_s.strip
+      @text = nil
+    end
+
+    def report_vulns(host_object, &block)
+      return unless host_object.kind_of? ::Mdm::Host
+      return unless @report_data[:vulns]
+      return if @report_data[:vulns].empty?
+      @report_data[:vulns].each do |vuln|
+        next unless vuln[:refs]
+        if vuln[:refs].empty?
+          next
+        end
+        if block
+          db.emit(:vuln, ["Missing #{vuln[:name]}",1], &block) if block
+        end
+        db_report(:vuln, vuln.merge(:host => host_object))
+      end
+    end
+
+    def collect_title
+      return unless in_tag("SecScan")
+      return unless in_tag("Check")
+      collect_bulletin_title
+      @text = nil
+    end
+
+    def collect_bulletin_title
+      return unless @state[:check_state]["ID"] == 500.to_s
+      return unless in_tag("UpdateData")
+      return unless @state[:update]
+      return if @text.to_s.strip.empty?
+      @state[:update]["Title"] = @text.to_s.strip
+    end
+
+    def collect_updatedata
+      return unless in_tag("SecScan")
+      return unless in_tag("Check")
+      return unless in_tag("Detail")
+      collect_missing_update
+      @state[:updates] = {}
+    end
+
+    def collect_missing_update
+      return unless @state[:check_state]["ID"] == 500.to_s
+      return if @state[:update]["IsInstalled"] == "true"
+      @report_data[:missing_updates] ||= []
+      this_update = {}
+      this_update[:name] = @state[:update]["Title"].to_s.strip
+      this_update[:refs] = []
+      if @state[:update]["BulletinID"].empty?
+        this_update[:refs] << "URL-#{@state[:update][:url]}"
+      else
+        this_update[:refs] << "MSB-#{@state[:update]["BulletinID"]}"
+      end
+      @report_data[:missing_updates] << this_update
+    end
+
+    # So far, just care about Host OS
+    # There is assuredly more interesting things going on in here.
+    def collect_advice_data
+      return unless in_tag("SecScan")
+      return unless in_tag("Check")
+      collect_os_name
+      @text = nil
+    end
+
+    def collect_os_name
+      return unless @state[:check_state]["ID"] == 10101.to_s
+      return unless @text
+      return if @text.strip.empty?
+      os_match = @text.match(/Computer is running (.*)/)
+      return unless os_match
+      os_info = os_match[1]
+      os_vendor = os_info[/Microsoft/]
+      os_family = os_info[/Windows/]
+      os_version = os_info[/(XP|2000 Advanced Server|2000|2003|2008|SBS|Vista|7 .* Edition|7)/]
+      if os_info
+        @report_data[:os_fingerprint] = {}
+        @report_data[:os_fingerprint][:type] = "host.os.mbsa_fingerprint"
+        @report_data[:os_fingerprint][:data] = {
+          :os_vendor => os_vendor,
+          :os_family => os_family,
+          :os_version => os_version,
+          :os_accuracy => 100,
+          :os_match => os_info.gsub(/\x2e$/n,"")
+        }
+      end
+    end
+
+    def collect_detail_data
+      return unless in_tag("SecScan")
+      return unless in_tag("Check")
+      if @report_data[:missing_updates]
+        @report_data[:vulns] = @report_data[:missing_updates]
+      end
+    end
+
+    def collect_check_data
+      return unless in_tag("SecScan")
+      @state[:check_state] = {}
+    end
+
+    def collect_host_data
+      return unless @state[:address]
+      return if @state[:address].strip.empty?
+      @report_data[:host] = @state[:address].strip
+      if @state[:hostname] && !@state[:hostname].empty?
+        @report_data[:name] = @state[:hostname]
+      end
+      @report_data[:state] = Msf::HostState::Alive
+    end
+
+    def report_host(&block)
+      if host_is_okay
+        db.emit(:address,@report_data[:host],&block) if block
+        host_info = @report_data.merge(:workspace => @args[:wspace])
+        db_report(:host, host_info)
+      end
+    end
+
+    def record_updatedata(attrs)
+      return unless in_tag("SecScan")
+      return unless in_tag("Check")
+      return unless in_tag("Detail")
+      update_attrs = attr_hash(attrs)
+      @state[:update] = attr_hash(attrs)
+    end
+
+    def record_host(attrs)
+      host_attrs = attr_hash(attrs)
+      @state[:address] = host_attrs["IP"]
+      @state[:hostname] = host_attrs["Machine"]
+    end
+
+    def record_check(attrs)
+      return unless in_tag("SecScan")
+      @state[:check_state] = attr_hash(attrs)
+    end
+
+    def record_detail(attrs)
+      return unless in_tag("SecScan")
+      return unless in_tag("Check")
+      @state[:detail_state] = attr_hash(attrs)
+    end
+
+    # We need to override the usual host_is_okay because MBSA apparently
+    # doesn't report on open ports at all.
+    def host_is_okay
+      return false unless @report_data[:host]
+      return false unless valid_ip(@report_data[:host])
+      return false unless @report_data[:state] == Msf::HostState::Alive
+      if @args[:blacklist]
+        return false if @args[:blacklist].include?(@report_data[:host])
+      end
+      return true
+    end
+
+  end
+
+end
+end
+

data/lib/rex/parser/nessus_xml.rb

@@ -0,0 +1,121 @@
+# -*- coding: binary -*-
+require 'rexml/document'
+require 'rex/ui'
+
+module Rex
+module Parser
+
+
+class NessusXMLStreamParser
+
+  attr_accessor :on_found_host
+
+  def initialize(&block)
+    reset_state
+    on_found_host = block if block
+  end
+
+  def reset_state
+    @host = {'hname' => nil, 'addr' => nil, 'mac' => nil, 'os' => nil, 'ports' => [
+      'port' => {'port' => nil, 'svc_name'  => nil, 'proto' => nil, 'severity' => nil,
+      'nasl' => nil, 'nasl_name' => nil, 'description' => nil,
+      'cve' => [], 'bid' => [], 'xref' => [], 'msf' => nil } ] }
+    @state = :generic_state
+  end
+
+  def tag_start(name, attributes)
+    case name
+    when "tag"
+      if attributes['name'] == "mac-address"
+        @state = :is_mac
+      end
+      if attributes['name'] == "host-fqdn"
+        @state = :is_fqdn
+      end
+      if attributes['name'] == "ip-addr"
+        @state = :is_ip
+      end
+      if attributes['name'] == "host-ip"
+        @state = :is_ip
+      end
+      if attributes['name'] == "operating-system"
+        @state = :is_os
+      end
+    when "ReportHost"
+      @host['hname'] = attributes['name']
+    when "ReportItem"
+      @cve = Array.new
+      @bid = Array.new
+      @xref = Array.new
+      @x = Hash.new
+      @x['nasl'] = attributes['pluginID']
+      @x['nasl_name'] = attributes['pluginName']
+      @x['port'] = attributes['port']
+      @x['proto'] = attributes['protocol']
+      @x['svc_name'] = attributes['svc_name']
+      @x['severity'] = attributes['severity']
+    when "description"
+      @state = :is_desc
+    when "cve"
+      @state = :is_cve
+    when "bid"
+      @state = :is_bid
+    when "xref"
+      @state = :is_xref
+    when "solution"
+      @state = :is_solution
+    when "metasploit_name"
+      @state = :msf
+    end
+  end
+
+  def text(str)
+    case @state
+    when :is_fqdn
+      @host['hname'] = str
+    when :is_ip
+      @host['addr'] = str
+    when :is_os
+      @host['os'] = str
+    when :is_mac
+      @host['mac'] = str
+    when :is_desc
+      @x['description'] = str
+    when :is_cve
+      @cve.push str
+    when :is_bid
+      @bid.push str
+    when :is_xref
+      @xref.push str
+    when :msf
+      #p str
+      @x['msf'] = str
+    end
+  end
+
+  def tag_end(name)
+    case name
+    when "ReportHost"
+      on_found_host.call(@host) if on_found_host
+      reset_state
+    when "ReportItem"
+      @x['cve'] = @cve
+      @x['bid'] = @bid
+      @x['xref'] = @xref
+      @host['ports'].push @x
+    end
+    @state = :generic_state
+  end
+
+  # We don't need these methods, but they're necessary to keep REXML happy
+  #
+  def xmldecl(version, encoding, standalone); end
+  def cdata; end
+  def comment(str); end
+  def instruction(name, instruction); end
+  def attlist; end
+end
+
+end
+end
+