rex 1.0.2 → 2.0.2

data/lib/rex/parser/nexpose_simple_nokogiri.rb

@@ -0,0 +1,330 @@
+# -*- coding: binary -*-
+require "rex/parser/nokogiri_doc_mixin"
+
+module Rex
+  module Parser
+
+    # If Nokogiri is available, define Nexpose document class.
+    load_nokogiri && class NexposeSimpleDocument < Nokogiri::XML::SAX::Document
+
+    include NokogiriDocMixin
+
+    attr_reader :text
+
+    # Triggered every time a new element is encountered. We keep state
+    # ourselves with the @state variable, turning things on when we
+    # get here (and turning things off when we exit in end_element()).
+    def start_element(name=nil,attrs=[])
+      attrs = normalize_attrs(attrs)
+      block = @block
+      @state[:current_tag][name] = true
+      case name
+      when "device"
+        record_device(attrs)
+      when "service"
+        record_service(attrs)
+      when "fingerprint"
+        record_service_fingerprint(attrs)
+        record_host_fingerprint(attrs)
+      when "description"
+        @state[:has_text] = true
+        record_host_fingerprint_data(name,attrs)
+      when "vendor", "family", "product", "version", "architecture"
+        @state[:has_text] = true
+        record_host_fingerprint_data(name,attrs)
+      when "vulnerability"
+        record_service_vuln(attrs)
+        record_host_vuln(attrs)
+      when "id"
+        @state[:has_text] = true
+        record_service_vuln_id(attrs)
+        record_host_vuln_id(attrs)
+      end
+    end
+
+    # When we exit a tag, this is triggered.
+    def end_element(name=nil)
+      block = @block
+      case name
+      when "device" # Wrap it up
+        collect_device_data
+        host_object = report_host &block
+        report_services(host_object)
+        report_host_fingerprint(host_object)
+        report_vulns(host_object)
+        # Reset the state once we close a host
+        @state.delete_if {|k| k != :current_tag}
+        @report_data = {:wspace => @args[:wspace]}
+      when "description"
+        @state[:has_text] = false
+        collect_service_fingerprint_description
+        collect_host_fingerprint_data(name)
+        @text = nil
+      when "vendor", "family", "product", "version", "architecture"
+        @state[:has_text] = false
+        collect_host_fingerprint_data(name)
+        @text = nil
+      when "service"
+        collect_service_data
+      when "id"
+        @state[:has_text] = false
+        collect_service_vuln_id
+        collect_host_vuln_id
+        @text = nil
+      when "vulnerability"
+        collect_service_vuln
+        collect_host_vuln
+        @state[:references] = nil
+      end
+      @state[:current_tag].delete name
+    end
+
+    def report_vulns(host_object)
+      vuln_count = 0
+      block = @block
+      return unless host_object.kind_of? ::Mdm::Host
+      return unless @report_data[:vulns]
+      @report_data[:vulns].each do |vuln|
+        if vuln[:refs]
+          vuln[:refs] << vuln[:name]
+        else
+          vuln[:refs] = [vuln[:name]]
+        end
+        vuln[:refs].uniq!
+        data = {
+          :workspace => host_object.workspace,
+          :host => host_object,
+          :name => vuln[:name],
+          :info => vuln[:info],
+          :refs => vuln[:refs]
+        }
+        if vuln[:port] && vuln[:proto]
+          data[:port] = vuln[:port]
+          data[:proto] = vuln[:proto]
+        end
+        db_report(:vuln,data)
+      end
+
+    end
+
+    def collect_host_vuln_id
+      return unless in_tag("device")
+      return unless in_tag("vulnerability")
+      return if in_tag("service")
+      return unless @state[:host_vuln_id]
+      @state[:references] ||= []
+      ref = normalize_ref( @state[:host_vuln_id]["type"], @text )
+      @state[:references] << ref if ref
+      @state[:host_vuln_id] = nil
+      @text = nil
+    end
+
+    def collect_service_vuln_id
+      return unless in_tag("device")
+      return unless in_tag("vulnerability")
+      return unless in_tag("service")
+      return unless @state[:service_vuln_id]
+      @state[:references] ||= []
+      ref = normalize_ref( @state[:service_vuln_id]["type"], @text )
+      @state[:references] << ref if ref
+      @state[:service_vuln_id] = nil
+      @text = nil
+    end
+
+    def collect_service_vuln
+      return unless in_tag("device")
+      return unless in_tag("vulnerability")
+      return unless in_tag("service")
+      @report_data[:vulns] ||= []
+      return unless actually_vulnerable(@state[:service_vuln])
+      return if @state[:service]["port"].to_i == 0
+      vid = @state[:service_vuln]["id"].to_s.downcase
+      vuln = {
+        :name => "NEXPOSE-#{vid}",
+        :info => vid,
+        :refs => @state[:references],
+        :port => @state[:service]["port"].to_i,
+        :proto => @state[:service]["protocol"]
+      }
+      @report_data[:vulns] << vuln
+    end
+
+    def collect_host_vuln
+      return unless in_tag("vulnerability")
+      return unless in_tag("device")
+      return if in_tag("service")
+      @report_data[:vulns] ||= []
+      return unless actually_vulnerable(@state[:host_vuln])
+      vid = @state[:host_vuln]["id"].to_s.downcase
+      vuln = {
+        :name => "NEXPOSE-#{vid}",
+        :info => vid,
+        :refs => @state[:references]
+      }
+      @report_data[:vulns] << vuln
+    end
+
+    def record_host_vuln_id(attrs)
+      return unless in_tag("device")
+      return if in_tag("service")
+      @state[:host_vuln_id] = attr_hash(attrs)
+    end
+
+    def record_host_vuln(attrs)
+      return unless in_tag("device")
+      return if in_tag("service")
+      @state[:host_vuln] = attr_hash(attrs)
+    end
+
+    def record_service_vuln_id(attrs)
+      return unless in_tag("device")
+      return unless in_tag("service")
+      @state[:service_vuln_id] = attr_hash(attrs)
+    end
+
+    def record_service_vuln(attrs)
+      return unless in_tag("device")
+      return unless in_tag("service")
+      @state[:service_vuln] = attr_hash(attrs)
+    end
+
+    def actually_vulnerable(vuln)
+      vuln_result = vuln["resultCode"]
+      vuln_result =~ /^V[VE]$/
+    end
+
+    def record_device(attrs)
+      attrs.each do |k,v|
+        next unless k == "address"
+        @state[:address] = v
+      end
+    end
+
+    def record_host_fingerprint(attrs)
+      return unless in_tag("device")
+      return if in_tag("service")
+      @state[:host_fingerprint] = attr_hash(attrs)
+    end
+
+    def collect_device_data
+      return unless in_tag("device")
+      @report_data[:host] = @state[:address]
+      @report_data[:state] = Msf::HostState::Alive # always
+    end
+
+    def record_host_fingerprint_data(name, attrs)
+      return unless in_tag("device")
+      return if in_tag("service")
+      return unless in_tag("fingerprint")
+      @state[:host_fingerprint] ||= {}
+      @state[:host_fingerprint].merge! attr_hash(attrs)
+    end
+
+    def collect_host_fingerprint_data(name)
+      return unless in_tag("device")
+      return if in_tag("service")
+      return unless in_tag("fingerprint")
+      return unless @text
+      @report_data[:host_fingerprint] ||= {}
+      @report_data[:host_fingerprint].merge!(@state[:host_fingerprint])
+      @report_data[:host_fingerprint][name] = @text.to_s.strip
+      @text = nil
+    end
+
+    def report_host(&block)
+      if host_is_okay
+        db.emit(:address,@report_data[:host],&block) if block
+        host_object = db_report(:host, @report_data.merge(
+          :workspace => @args[:wspace] ) )
+        if host_object
+          db.report_import_note(host_object.workspace, host_object)
+        end
+        host_object
+      end
+    end
+
+    def report_host_fingerprint(host_object)
+      return unless host_object.kind_of? ::Mdm::Host
+      return unless @report_data[:host_fingerprint].kind_of? Hash
+      @report_data[:host_fingerprint].reject! {|k,v| v.nil? || v.empty?}
+      return if @report_data[:host_fingerprint].empty?
+      note = {
+        :workspace => host_object.workspace,
+        :host => host_object,
+        :type => "host.os.nexpose_fingerprint"
+      }
+      data = {
+        :desc => @report_data[:host_fingerprint]["description"],
+        :vendor => @report_data[:host_fingerprint]["vendor"],
+        :family => @report_data[:host_fingerprint]["family"],
+        :product => @report_data[:host_fingerprint]["product"],
+        :version => @report_data[:host_fingerprint]["version"],
+        :arch => @report_data[:host_fingerprint]["architecture"]
+      }
+      db_report(:note, note.merge(:data => data))
+    end
+
+    def record_service(attrs)
+      return unless in_tag("device")
+      @state[:service] = attr_hash(attrs)
+    end
+
+    def record_service_fingerprint(attrs)
+      return unless in_tag("device")
+      return unless in_tag("service")
+      @state[:service][:fingerprint] = attr_hash(attrs)
+    end
+
+    def collect_service_data
+      return unless in_tag("device")
+      port_hash = {}
+      @report_data[:ports] ||= []
+      @state[:service].each do |k,v|
+        case k
+        when "protocol"
+          port_hash[:proto] = v
+        when "port"
+          port_hash[:port] = v
+        when "name"
+          sname = v.to_s.downcase.split("(")[0].strip
+          if sname == "<unknown>"
+            port_hash[:name] = nil
+          else
+            port_hash[:name] = db.nmap_msf_service_map(sname)
+          end
+        end
+      end
+      if @state[:service_fingerprint]
+        port_hash[:info] = "#{@state[:service_fingerprint]}"
+      end
+      @report_data[:ports] << port_hash.clone
+      @state.delete :service_fingerprint
+      @state.delete :service
+      @report_data[:ports]
+    end
+
+    def collect_service_fingerprint_description
+      return unless in_tag("device")
+      return unless in_tag("service")
+      return unless in_tag("fingerprint")
+      return unless @text
+      @state[:service_fingerprint] = @text.to_s.strip
+      @text = nil
+    end
+
+    def report_services(host_object)
+      return unless host_object.kind_of? ::Mdm::Host
+      return unless @report_data[:ports]
+      return if @report_data[:ports].empty?
+      reported = []
+      @report_data[:ports].each do |svc|
+        reported << db_report(:service, svc.merge(:host => host_object))
+      end
+      reported
+    end
+
+  end
+
+end
+end
+

data/lib/rex/parser/nexpose_xml.rb

@@ -0,0 +1,172 @@
+# -*- coding: binary -*-
+module Rex
+module Parser
+
+# XXX doesn't tie services to vulns
+class NexposeXMLStreamParser
+
+  attr_accessor :callback
+
+  def initialize(callback = nil)
+    reset_state
+    self.callback = callback if callback
+  end
+
+  def reset_state
+    @state = :generic_state
+    @only_vuln_states_needed = true
+    @current_vuln_id = nil
+    @vulnerable_markers = ['vulnerable-exploited', 'vulnerable-version', 'potential']
+    @host = {"status" => nil, "endpoints" => [], "names" => [], "vulns" => {}}
+    @vuln = {"refs" => [], "description" => [], "solution" => []}
+  end
+
+  # If all vuln states are required set this to false
+  def parse_vulnerable_states_only only_vuln_states_needed
+    @only_vuln_states_needed = only_vuln_states_needed
+  end
+
+  def tag_start(name, attributes)
+    case name
+    when "node"
+      @host["hardware-address"] = attributes["hardware-address"]
+      @host["addr"] = attributes["address"]
+      @host["status"] = attributes["status"]
+    when "os"
+      # Take only the highest certainty
+      if not @host["os_certainty"] or (@host["os_certainty"].to_f < attributes["certainty"].to_f)
+        @host["os_vendor"]    = attributes["vendor"]
+        @host["os_family"]    = attributes["family"]
+        @host["os_product"]   = attributes["product"]
+        @host["os_version"]   = attributes["version"]
+        @host["arch"]         = attributes["arch"]
+        @host["os_certainty"] = attributes["certainty"]
+      end
+    when "name"
+      #@host["names"].push attributes["name"]
+      @state = :in_name
+    when "endpoint"
+      # This is a port in NeXpose parlance
+      @host["endpoints"].push(attributes)
+    when "service"
+      @state = :in_service
+      # Store any service info with the associated port.  There shouldn't
+      # be any collisions on attribute names here, so just merge them.
+      @host["endpoints"].last.merge!(attributes)
+    when "fingerprint"
+      if @state == :in_service
+        @host["endpoints"].last.merge!(attributes)
+      end
+      when "test"
+        if (not @only_vuln_states_needed) or (@vulnerable_markers.include? attributes["status"].to_s.chomp and @only_vuln_states_needed)
+          @state = :in_test
+          @current_vuln_id = attributes["id"]
+          @host["vulns"][@current_vuln_id] = attributes.dup
+          # Append the endpoint info for how the vuln was discovered
+          unless @host["endpoints"].empty?
+            @host["vulns"][@current_vuln_id].merge!("endpoint_data" => @host["endpoints"].last)
+          end
+          if attributes["key"]
+            @host["notes"] ||= []
+            @host["notes"] << [@current_vuln_id, attributes["key"]]
+          end
+        end
+      when "vulnerability"
+        @vuln.merge! attributes
+      when "reference"
+        @state = :in_reference
+        @vuln["refs"].push attributes
+      when "solution"
+        @state = :in_solution
+      when "description"
+        @state = :in_description
+      when "URLLink"
+        @vuln["solution"] << attributes
+    end
+  end
+
+  def text(str)
+    case @state
+    when :in_name
+      @host["names"].push str
+    when :in_reference
+      @vuln["refs"].last["value"] = str
+    when :in_solution
+      @vuln["solution"] << str
+    when :in_description
+      @vuln["description"] << str
+    when :in_test
+      if @host["vulns"][@current_vuln_id]
+         proof = @host["vulns"][@current_vuln_id]["proof"] || []
+         proof << str
+         @host["vulns"][@current_vuln_id]["proof"] = proof
+      end
+    end
+  end
+
+  def tag_end(name)
+    case name
+    when "node"
+      callback.call(:host, @host) if callback
+      reset_state
+    when "vulnerability"
+      callback.call(:vuln, @vuln) if callback
+      reset_state
+    when "service","reference","names"
+      @state = :generic_state
+    end
+  end
+
+  # We don't need these methods, but they're necessary to keep REXML happy
+  def xmldecl(version, encoding, standalone) # :nodoc:
+  end
+  def cdata # :nodoc:
+  end
+  def comment(str) # :nodoc:
+  end
+  def instruction(name, instruction) # :nodoc:
+  end
+  def attlist # :nodoc:
+  end
+end
+end
+end
+
+__END__
+
+<node address="10.1.1.10" status="alive" hardware-address="0007371F3BE8">
+<names>
+<name>NETBIOSNAME</name>
+<name>hostname.example.com</name>
+</names>
+<fingerprints>
+<os  certainty="1.00" device-class="Domain controller" vendor="Microsoft" family="Windows" product="Windows Server 2003, Standard Edition" version="SP2" arch="x86"/>
+<os  certainty="0.85" device-class="General" vendor="Microsoft" family="Windows" product="Windows Server 2003"/>
+<os  certainty="0.70" vendor="Microsoft" family="Windows" product="Windows Server 2003"/>
+</fingerprints>
+<software>
+<fingerprint  certainty="1.00" vendor="Acronis" product="Acronis&#160;True&#160;Image&#160;Echo&#160;Server" version="9.5.8163"/>
+<fingerprint  certainty="1.00" vendor="Acronis" product="Acronis&#160;Universal&#160;Restore for Acronis&#160;True&#160;Image&#160;Echo&#160;Server" version="9.5.8076"/>
+<fingerprint  certainty="1.00" software-class="Internet Client" vendor="Microsoft" family="Internet Explorer" product="Internet Explorer" version="7.0.5730.11"/>
+<fingerprint  certainty="1.00" software-class="Database Client" vendor="Microsoft" family="MDAC" product="MDAC" version="2.8"/>
+<fingerprint  certainty="1.00" software-class="Media Client" vendor="Microsoft" family="Windows Media Player" product="Windows Media Player" version="10.0.0.3997"/>
+<fingerprint  certainty="1.00" vendor="MySolutions NORDIC" product="NSClient++ (Win32)" version="0.3.4.0"/>
+<fingerprint  certainty="1.00" vendor="Symantec Corporation" product="LiveUpdate 3.1 (Symantec Corporation)" version="3.1.0.99"/>
+<fingerprint  certainty="1.00" vendor="Symantec Corporation" product="Symantec AntiVirus" version="10.1.5000.5"/>
+</software>
+<tests>
+<test status="not-vulnerable" id="backdoor-ckb.cfaae1e6">
+
+<endpoint protocol="tcp" port="139" status="open">
+<services>
+<service name="CIFS">
+<fingerprints>
+<fingerprint  certainty="1.00" product="Windows Server 2003 R2 5.2"/>
+</fingerprints>
+<tests>
+</tests>
+</service>
+</services>
+</endpoint>
+</node>
+