bbot 2.5.0__py3-none-any.whl → 2.7.2.7424rc0__py3-none-any.whl

bbot/core/helpers/git.py

@@ -0,0 +1,17 @@
+from pathlib import Path
+
+
+def sanitize_git_repo(repo_folder: Path):
+    # sanitizing the git config is infeasible since there are too many different ways to do evil things
+    # instead, we move it out of .git and into the repo folder, so we don't miss any secrets etc. inside
+    config_file = repo_folder / ".git" / "config"
+    if config_file.exists():
+        config_file.rename(repo_folder / "git_config_original")
+    # move the index file
+    index_file = repo_folder / ".git" / "index"
+    if index_file.exists():
+        index_file.rename(repo_folder / "git_index_original")
+    # move the hooks folder
+    hooks_folder = repo_folder / ".git" / "hooks"
+    if hooks_folder.exists():
+        hooks_folder.rename(repo_folder / "git_hooks_original")

bbot/core/helpers/helper.py

@@ -89,6 +89,7 @@ class ConfigAwareHelper:
         self.yara = YaraHelper(self)
         self._dns = None
         self._web = None
+        self._cloudcheck = None
         self.config_aware_validators = self.validators.Validators(self)
         self.depsinstaller = DepsInstaller(self)
         self.word_cloud = WordCloud(self)
@@ -107,12 +108,12 @@ class ConfigAwareHelper:
         return self._web
 
     @property
-    def cloud(self):
-        if self._cloud is None:
-            from cloudcheck import cloud_providers
+    def cloudcheck(self):
+        if self._cloudcheck is None:
+            from cloudcheck import CloudCheck
 
-            self._cloud = cloud_providers
-        return self._cloud
+            self._cloudcheck = CloudCheck()
+        return self._cloudcheck
 
     def bloom_filter(self, size):
         from .bloom import BloomFilter

bbot/core/helpers/misc.py

@@ -17,6 +17,7 @@ from unidecode import unidecode  # noqa F401
 from asyncio import create_task, gather, sleep, wait_for  # noqa
 from urllib.parse import urlparse, quote, unquote, urlunparse, urljoin  # noqa F401
 
+from .git import *  # noqa F401
 from .url import *  # noqa F401
 from ... import errors
 from . import regexes as bbot_regexes
@@ -216,26 +217,29 @@ def split_host_port(d):
     host = None
     port = None
     scheme = None
+
+    # first, try to parse as an IP address
     if is_ip(d):
         return make_ip_type(d), port
 
+    # if not an IP address, try to parse as a host:port
     match = bbot_regexes.split_host_port_regex.match(d)
     if match is None:
-        raise ValueError(f'split_port() failed to parse "{d}"')
+        raise ValueError(f'split_host_port() failed to parse "{d}"')
     scheme = match.group("scheme")
     netloc = match.group("netloc")
     if netloc is None:
-        raise ValueError(f'split_port() failed to parse "{d}"')
+        raise ValueError(f'split_host_port() failed to parse "{d}"')
 
     match = bbot_regexes.extract_open_port_regex.match(netloc)
     if match is None:
-        raise ValueError(f'split_port() failed to parse netloc "{netloc}" (original value: {d})')
+        raise ValueError(f'split_host_port() failed to parse netloc "{netloc}" (original value: {d})')
 
     host = match.group(2)
     if host is None:
         host = match.group(1)
     if host is None:
-        raise ValueError(f'split_port() failed to locate host in netloc "{netloc}" (original value: {d})')
+        raise ValueError(f'split_host_port() failed to locate host in netloc "{netloc}" (original value: {d})')
 
     port = match.group(3)
     if port is None and scheme is not None:
@@ -831,7 +835,9 @@ def rand_string(length=10, digits=True, numeric_only=False):
     return "".join(random.choice(pool) for _ in range(length))
 
 
-def truncate_string(s, n):
+def truncate_string(s: str, n: int) -> str:
+    if not isinstance(s, str):
+        raise ValueError(f"Expected string, got {type(s)}")
     if len(s) > n:
         return s[: n - 3] + "..."
     else:
@@ -1309,7 +1315,7 @@ def make_netloc(host, port=None):
     return f"{host}:{port}"
 
 
-def which(*executables):
+def which(*executables, path=None):
     """Finds the full path of the first available executable from a list of executables.
 
     Args:
@@ -1325,7 +1331,7 @@ def which(*executables):
     import shutil
 
     for e in executables:
-        location = shutil.which(e)
+        location = shutil.which(e, path=path)
         if location:
             return location
 
@@ -1642,7 +1648,7 @@ def filesize(f):
     return 0
 
 
-def rm_rf(f):
+def rm_rf(f, ignore_errors=False):
     """Recursively delete a directory
 
     Args:
@@ -1653,7 +1659,7 @@ def rm_rf(f):
     """
     import shutil
 
-    shutil.rmtree(f)
+    shutil.rmtree(f, ignore_errors=ignore_errors)
 
 
 def clean_old(d, keep=10, filter=lambda x: True, key=latest_mtime, reverse=True, raise_error=False):
@@ -2286,25 +2292,6 @@ def is_file(f):
     return False
 
 
-def cloudcheck(ip):
-    """
-    Check whether an IP address belongs to a cloud provider and returns the provider name, type, and subnet.
-
-    Args:
-        ip (str): The IP address to check.
-
-    Returns:
-        tuple: A tuple containing provider name (str), provider type (str), and subnet (IPv4Network).
-
-    Examples:
-        >>> cloudcheck("168.62.20.37")
-        ('Azure', 'cloud', IPv4Network('168.62.0.0/19'))
-    """
-    import cloudcheck as _cloudcheck
-
-    return _cloudcheck.check(ip)
-
-
 def is_async_function(f):
     """
     Check if a given function is an asynchronous function.

bbot/core/helpers/names_generator.py

@@ -50,6 +50,7 @@ adjectives = [
     "delicious",
     "demented",
     "demonic",
+    "demonstrative",
     "depraved",
     "depressed",
     "deranged",
@@ -172,6 +173,7 @@ adjectives = [
     "pasty",
     "peckish",
     "pedantic",
+    "pensive",
     "pernicious",
     "perturbed",
     "perverted",
@@ -201,8 +203,10 @@ adjectives = [
     "reckless",
     "reductive",
     "ripped",
+    "ruthless",
     "sadistic",
     "satanic",
+    "saucy",
     "savvy",
     "scheming",
     "schizophrenic",
@@ -668,6 +672,7 @@ names = [
     "tracy",
     "travis",
     "treebeard",
+    "trent",
     "triss",
     "tyler",
     "tyrell",

bbot/core/helpers/ntlm.py

@@ -17,11 +17,9 @@ class StrStruct(object):
         self.alloc = alloc
         self.offset = offset
         self.raw = raw[offset : offset + length]
-        self.utf16 = False
 
         if len(self.raw) >= 2 and self.raw[1] == "\0":
             self.string = self.raw.decode("utf-16")
-            self.utf16 = True
         else:
             self.string = self.raw
 

bbot/core/helpers/regex.py

@@ -65,7 +65,7 @@ class RegexHelper:
 
         while tasks:  # While there are tasks pending
             # Wait for the first task to complete
-            done, pending = await asyncio.wait(tasks, return_when=asyncio.FIRST_COMPLETED)
+            done, _ = await asyncio.wait(tasks, return_when=asyncio.FIRST_COMPLETED)
 
             for task in done:
                 result = task.result()

bbot/core/helpers/regexes.py

@@ -23,13 +23,28 @@ num_regex = re.compile(r"\d+")
 _ipv4_regex = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}"
 ipv4_regex = re.compile(_ipv4_regex, re.I)
 
-# IPv6 is complicated, so we have accommodate alternative patterns,
-# :(:[A-F0-9]{1,4}){1,7} == ::1, ::ffff:1
-# ([A-F0-9]{1,4}:){1,7}: == 2001::, 2001:db8::, 2001:db8:0:1:2:3::
-# ([A-F0-9]{1,4}:){1,6}:([A-F0-9]{1,4}) == 2001::1, 2001:db8::1, 2001:db8:0:1:2:3::1
-# ([A-F0-9]{1,4}:){7,7}([A-F0-9]{1,4}) == 1:1:1:1:1:1:1:1, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-
-_ipv6_regex = r"(:(:[A-F0-9]{1,4}){1,7}|([A-F0-9]{1,4}:){1,7}:|([A-F0-9]{1,4}:){1,6}:([A-F0-9]{1,4})|([A-F0-9]{1,4}:){7,7}([A-F0-9]{1,4}))"
+# IPv6 regex breakdown:
+#
+# (?:                            # —— address body ——
+# We have to individually account for all possible variations of: "N left hextets :: M right hextets" with N+M ≤ 8 or fully expanded 8 hextets.
+#   (?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4}        # 8 hextets, no compression.
+# | (?:[A-F0-9]{1,4}:){1,7}:                  # 1–7 left, then "::" (0 right).
+# | (?:[A-F0-9]{1,4}:){1,6}:[A-F0-9]{1,4}     # 1–6 left, "::", 1 right.
+# | (?:[A-F0-9]{1,4}:){1,5}(?::[A-F0-9]{1,4}){1,2}  # 1–5 left, "::", 1–2 right.
+# | (?:[A-F0-9]{1,4}:){1,4}(?::[A-F0-9]{1,4}){1,3}  # 1–4 left, "::", 1–3 right.
+# | (?:[A-F0-9]{1,4}:){1,3}(?::[A-F0-9]{1,4}){1,4}  # 1–3 left, "::", 1–4 right.
+# | (?:[A-F0-9]{1,4}:){1,2}(?::[A-F0-9]{1,4}){1,5}  # 1–2 left, "::", 1–5 right.
+# | [A-F0-9]{1,4}:(?::[A-F0-9]{1,4}){1,6}           # 1 left,    "::", 1–6 right.
+# | :(?::[A-F0-9]{1,4}){1,7}                        # 0 left,    "::", 1–7 right.
+# | ::                                              # all zeros.
+# )
+#
+# Notes:
+# - Does not match IPv4-embedded forms (e.g., ::ffff:192.0.2.1).
+# - Does not match zone IDs (e.g., %eth0).
+# - Pure syntax check; will not validate special ranges.
+
+_ipv6_regex = r"(?:(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4}|(?:[A-F0-9]{1,4}:){1,7}:|(?:[A-F0-9]{1,4}:){1,6}:[A-F0-9]{1,4}|(?:[A-F0-9]{1,4}:){1,5}(?::[A-F0-9]{1,4}){1,2}|(?:[A-F0-9]{1,4}:){1,4}(?::[A-F0-9]{1,4}){1,3}|(?:[A-F0-9]{1,4}:){1,3}(?::[A-F0-9]{1,4}){1,4}|(?:[A-F0-9]{1,4}:){1,2}(?::[A-F0-9]{1,4}){1,5}|[A-F0-9]{1,4}:(?::[A-F0-9]{1,4}){1,6}|:(?::[A-F0-9]{1,4}){1,7}|::)"
 ipv6_regex = re.compile(_ipv6_regex, re.I)
 
 _ip_range_regexes = (
@@ -173,7 +188,9 @@ button_tag_regex2 = re.compile(
 )
 tag_attribute_regex = re.compile(r"<[^>]*(?:href|action|src)\s*=\s*[\"\']?(?!mailto:)([^\'\"\>]+)[\"\']?[^>]*>")
 
-valid_netloc = r"[^\s!@#$%^&()=/?\\'\";~`<>]+"
+_invalid_netloc_chars = r"\s!@#$%^&()=/?\\'\";~`<>"
+# first char must not be a colon, even though it's a valid char for a netloc
+valid_netloc = r"[^" + (_invalid_netloc_chars + ":") + r"]{1}[^" + _invalid_netloc_chars + "]*"
 
 _split_host_port_regex = r"(?:(?P<scheme>[a-z0-9]{1,20})://)?(?:[^?]*@)?(?P<netloc>" + valid_netloc + ")"
 split_host_port_regex = re.compile(_split_host_port_regex, re.I)

bbot/core/helpers/web/engine.py

@@ -208,7 +208,7 @@ class HTTPEngine(EngineServer):
                 raise
             else:
                 log.warning(
-                    f"Invalid URL (possibly due to dangerous redirect) on request to : {url}: {truncate_string(e, 200)}"
+                    f"Invalid URL (possibly due to dangerous redirect) on request to : {url}: {truncate_string(str(e), 200)}"
                 )
                 log.trace(traceback.format_exc())
         except ssl.SSLError as e:

bbot/core/helpers/web/web.py

@@ -267,7 +267,8 @@ class WebHelper(EngineClient):
         if not path:
             raise WordlistError(f"Invalid wordlist: {path}")
         if "cache_hrs" not in kwargs:
-            kwargs["cache_hrs"] = 720
+            # 4320 hrs = 180 days = 6 months
+            kwargs["cache_hrs"] = 4320
         if self.parent_helper.is_url(path):
             filename = await self.download(str(path), **kwargs)
             if filename is None:

bbot/core/modules.py

@@ -56,7 +56,6 @@ class ModuleLoader:
         self._shared_deps = dict(SHARED_DEPS)
 
         self.__preloaded = {}
-        self._modules = {}
         self._configs = {}
         self.flag_choices = set()
         self.all_module_choices = set()
@@ -165,8 +164,10 @@ class ModuleLoader:
                         if module_dir.name in ("output", "internal"):
                             module_type = str(module_dir.name)
 
+                        disable_auto_module_deps = preloaded.get("disable_auto_module_deps", False)
+
                         # derive module dependencies from watched event types (only for scan modules)
-                        if module_type == "scan":
+                        if module_type == "scan" and not disable_auto_module_deps:
                             for event_type in preloaded["watched_events"]:
                                 if event_type in self.default_module_deps:
                                     deps_modules = set(preloaded.get("deps", {}).get("modules", []))
@@ -329,6 +330,7 @@ class ModuleLoader:
         ansible_tasks = []
         config = {}
         options_desc = {}
+        disable_auto_module_deps = False
         python_code = open(module_file).read()
         # take a hash of the code so we can keep track of when it changes
         module_hash = sha1(python_code).hexdigest()
@@ -353,8 +355,11 @@ class ModuleLoader:
             # look for classes
             if type(root_element) == ast.ClassDef:
                 for class_attr in root_element.body:
+                    if not type(class_attr) == ast.Assign:
+                        continue
+
                     # class attributes that are dictionaries
-                    if type(class_attr) == ast.Assign and type(class_attr.value) == ast.Dict:
+                    if type(class_attr.value) == ast.Dict:
                         # module options
                         if any(target.id == "options" for target in class_attr.targets):
                             config.update(ast.literal_eval(class_attr.value))
@@ -366,7 +371,7 @@ class ModuleLoader:
                             meta = ast.literal_eval(class_attr.value)
 
                     # class attributes that are lists
-                    if type(class_attr) == ast.Assign and type(class_attr.value) == ast.List:
+                    if type(class_attr.value) == ast.List:
                         # flags
                         if any(target.id == "flags" for target in class_attr.targets):
                             for flag in class_attr.value.elts:
@@ -415,6 +420,12 @@ class ModuleLoader:
                                 if type(dep_common.value) == str:
                                     deps_common.append(dep_common.value)
 
+                    # class attributes that are booleans
+                    if type(class_attr.value) == ast.Constant:
+                        if any(target.id == "_disable_auto_module_deps" for target in class_attr.targets):
+                            if type(class_attr.value.value) == bool:
+                                disable_auto_module_deps = class_attr.value.value
+
         for task in ansible_tasks:
             if "become" not in task:
                 task["become"] = False
@@ -441,6 +452,7 @@ class ModuleLoader:
                 "common": deps_common,
             },
             "sudo": len(deps_apt) > 0,
+            "disable_auto_module_deps": disable_auto_module_deps,
         }
         ansible_task_list = list(ansible_tasks)
         for dep_common in deps_common:
@@ -461,9 +473,13 @@ class ModuleLoader:
     def load_modules(self, module_names):
         modules = {}
         for module_name in module_names:
-            module = self.load_module(module_name)
+            try:
+                module = self.load_module(module_name)
+            except ModuleNotFoundError as e:
+                raise BBOTError(
+                    f"Error loading module {module_name}: {e}. You may have leftover artifacts from an older version of BBOT. Try deleting/renaming your '~/.bbot' directory."
+                ) from e
             modules[module_name] = module
-            self._modules[module_name] = module
         return modules
 
     def load_module(self, module_name):
@@ -512,60 +528,6 @@ class ModuleLoader:
                         # then we have a module
                         return value
 
-    def recommend_dependencies(self, modules):
-        """
-        Returns a dictionary containing missing dependencies and their suggested resolutions
-
-        Needs work. For this we should probably be building a dependency graph
-        """
-        resolve_choices = {}
-        # step 1: build a dictionary containing event types and their associated modules
-        # {"IP_ADDRESS": set("masscan", "ipneighbor", ...)}
-        watched = {}
-        produced = {}
-        for modname in modules:
-            preloaded = self._preloaded.get(modname)
-            if preloaded:
-                for event_type in preloaded.get("watched_events", []):
-                    self.add_or_create(watched, event_type, modname)
-                for event_type in preloaded.get("produced_events", []):
-                    self.add_or_create(produced, event_type, modname)
-        watched_all = {}
-        produced_all = {}
-        for modname, preloaded in self.preloaded().items():
-            if preloaded:
-                for event_type in preloaded.get("watched_events", []):
-                    self.add_or_create(watched_all, event_type, modname)
-                for event_type in preloaded.get("produced_events", []):
-                    self.add_or_create(produced_all, event_type, modname)
-
-        # step 2: check to see if there are missing dependencies
-        for modname in modules:
-            preloaded = self._preloaded.get(modname)
-            module_type = preloaded.get("type", "unknown")
-            if module_type != "scan":
-                continue
-            watched_events = preloaded.get("watched_events", [])
-            missing_deps = {e: not self.check_dependency(e, modname, produced) for e in watched_events}
-            if all(missing_deps.values()):
-                for event_type in watched_events:
-                    if event_type == "SCAN":
-                        continue
-                    choices = produced_all.get(event_type, [])
-                    choices = set(choices)
-                    with suppress(KeyError):
-                        choices.remove(modname)
-                    if event_type not in resolve_choices:
-                        resolve_choices[event_type] = {}
-                    deps = resolve_choices[event_type]
-                    self.add_or_create(deps, "required_by", modname)
-                    for c in choices:
-                        choice_type = self._preloaded.get(c, {}).get("type", "unknown")
-                        if choice_type == "scan":
-                            self.add_or_create(deps, "recommended", c)
-
-        return resolve_choices
-
     def check_dependency(self, event_type, modname, produced):
         if event_type not in produced:
             return False

bbot/core/shared_deps.py

@@ -108,6 +108,24 @@ DEP_CHROMIUM = [
         "when": "ansible_facts['os_family'] == 'Debian'",
         "ignore_errors": True,
     },
+    {
+        "name": "Get latest Chromium version (Darwin x86_64)",
+        "uri": {
+            "url": "https://www.googleapis.com/download/storage/v1/b/chromium-browser-snapshots/o/Mac%2FLAST_CHANGE?alt=media",
+            "return_content": True,
+        },
+        "register": "chromium_version_darwin_x86_64",
+        "when": "ansible_facts['os_family'] == 'Darwin' and ansible_facts['architecture'] == 'x86_64'",
+    },
+    {
+        "name": "Get latest Chromium version (Darwin arm64)",
+        "uri": {
+            "url": "https://www.googleapis.com/download/storage/v1/b/chromium-browser-snapshots/o/Mac_Arm%2FLAST_CHANGE?alt=media",
+            "return_content": True,
+        },
+        "register": "chromium_version_darwin_arm64",
+        "when": "ansible_facts['os_family'] == 'Darwin' and ansible_facts['architecture'] == 'arm64'",
+    },
     {
         "name": "Download Chromium (Debian)",
         "unarchive": {
@@ -119,6 +137,26 @@ DEP_CHROMIUM = [
         "when": "ansible_facts['os_family'] == 'Debian'",
         "ignore_errors": True,
     },
+    {
+        "name": "Download Chromium (Darwin x86_64)",
+        "unarchive": {
+            "src": "https://www.googleapis.com/download/storage/v1/b/chromium-browser-snapshots/o/Mac%2F{{ chromium_version_darwin_x86_64.content }}%2Fchrome-mac.zip?alt=media",
+            "remote_src": True,
+            "dest": "#{BBOT_TOOLS}",
+            "creates": "#{BBOT_TOOLS}/chrome-mac",
+        },
+        "when": "ansible_facts['os_family'] == 'Darwin' and ansible_facts['architecture'] == 'x86_64'",
+    },
+    {
+        "name": "Download Chromium (Darwin arm64)",
+        "unarchive": {
+            "src": "https://www.googleapis.com/download/storage/v1/b/chromium-browser-snapshots/o/Mac_Arm%2F{{ chromium_version_darwin_arm64.content }}%2Fchrome-mac.zip?alt=media",
+            "remote_src": True,
+            "dest": "#{BBOT_TOOLS}",
+            "creates": "#{BBOT_TOOLS}/chrome-mac",
+        },
+        "when": "ansible_facts['os_family'] == 'Darwin' and ansible_facts['architecture'] == 'arm64'",
+    },
     # Because Ubuntu is a special snowflake, we have to bend over backwards to fix the chrome sandbox
     # see https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
     {

bbot/defaults.yml

@@ -187,8 +187,10 @@ url_extension_blacklist:
   - mov
   - flv
   - webm
-# Distribute URLs with these extensions only to httpx (these are omitted from output)
-url_extension_httpx_only:
+
+# URLs with these extensions are not distributed to modules unless the module opts in via `accept_url_special = True`
+# They are also excluded from output. If you want to see them in output, remove them from this list.
+url_extension_special:
   - js
 
 # These url extensions are almost always static, so we exclude them from modules that fuzz things

bbot/modules/apkpure.py

@@ -6,7 +6,7 @@ from bbot.modules.base import BaseModule
 class apkpure(BaseModule):
     watched_events = ["MOBILE_APP"]
     produced_events = ["FILESYSTEM"]
-    flags = ["passive", "safe", "code-enum"]
+    flags = ["passive", "safe", "code-enum", "download"]
     meta = {
         "description": "Download android applications from apkpure.com",
         "created_date": "2024-10-11",
@@ -22,7 +22,7 @@ class apkpure(BaseModule):
         if output_folder:
             self.output_dir = Path(output_folder) / "apk_files"
         else:
-            self.output_dir = self.helpers.temp_dir / "apk_files"
+            self.output_dir = self.scan.temp_dir / "apk_files"
         self.helpers.mkdir(self.output_dir)
         return await super().setup()
 

bbot/modules/aspnet_bin_exposure.py

@@ -0,0 +1,80 @@
+from bbot.modules.base import BaseModule
+
+
+class aspnet_bin_exposure(BaseModule):
+    watched_events = ["URL"]
+    produced_events = ["VULNERABILITY"]
+    flags = ["active", "safe", "web-thorough"]
+    meta = {
+        "description": "Check for ASP.NET Security Feature Bypasses (CVE-2023-36899 and CVE-2023-36560)",
+        "created_date": "2025-01-28",
+        "author": "@liquidsec",
+    }
+
+    in_scope_only = True
+    test_dlls = [
+        "Telerik.Web.UI.dll",
+        "Newtonsoft.Json.dll",
+        "System.Net.Http.dll",
+        "EntityFramework.dll",
+        "AjaxControlToolkit.dll",
+    ]
+
+    @staticmethod
+    def normalize_url(url):
+        return str(url.rstrip("/") + "/").lower()
+
+    def _incoming_dedup_hash(self, event):
+        return hash(self.normalize_url(event.data))
+
+    async def handle_event(self, event):
+        normalized_url = self.normalize_url(event.data)
+        for test_dll in self.test_dlls:
+            for technique in ["b/(S(X))in/###DLL_PLACEHOLDER###/(S(X))/", "(S(X))/b/(S(X))in/###DLL_PLACEHOLDER###"]:
+                test_url = f"{normalized_url}{technique.replace('###DLL_PLACEHOLDER###', test_dll)}"
+                self.debug(f"Sending test URL: [{test_url}]")
+                kwargs = {"method": "GET", "allow_redirects": False, "timeout": 10}
+                test_result = await self.helpers.request(test_url, **kwargs)
+                if test_result:
+                    if test_result.status_code == 200 and (
+                        "content-type" in test_result.headers
+                        and "application/x-msdownload" in test_result.headers["content-type"]
+                    ):
+                        self.debug(
+                            f"Got positive result for probe with test url: [{test_url}]. Status Code: [{test_result.status_code}] Content Length: [{len(test_result.content)}]"
+                        )
+
+                        if test_result.status_code == 200 and (
+                            "content-type" in test_result.headers
+                            and "application/x-msdownload" in test_result.headers["content-type"]
+                        ):
+                            confirm_url = (
+                                f"{normalized_url}{technique.replace('###DLL_PLACEHOLDER###', 'oopsnotarealdll.dll')}"
+                            )
+                            confirm_result = await self.helpers.request(confirm_url, **kwargs)
+
+                            if confirm_result and (
+                                confirm_result.status_code != 200
+                                or not (
+                                    "content-type" in confirm_result.headers
+                                    and "application/x-msdownload" in confirm_result.headers["content-type"]
+                                )
+                            ):
+                                description = f"IIS Bin Directory DLL Exposure. Detection Url: [{test_url}]"
+                                await self.emit_event(
+                                    {
+                                        "severity": "HIGH",
+                                        "host": str(event.host),
+                                        "url": normalized_url,
+                                        "description": description,
+                                    },
+                                    "VULNERABILITY",
+                                    event,
+                                    context="{module} detected IIS Bin Directory DLL Exposure vulnerability",
+                                )
+                                return True
+
+    async def filter_event(self, event):
+        if "dir" in event.tags:
+            return True
+        return False

bbot/modules/baddns.py

@@ -22,7 +22,7 @@ class baddns(BaseModule):
         "enabled_submodules": "A list of submodules to enable. Empty list (default) enables CNAME, TXT and MX Only",
     }
     module_threads = 8
-    deps_pip = ["baddns~=1.9.130"]
+    deps_pip = ["baddns~=1.12.294"]
 
     def select_modules(self):
         selected_submodules = []

bbot/modules/baddns_direct.py

@@ -19,7 +19,7 @@ class baddns_direct(BaseModule):
         "custom_nameservers": "Force BadDNS to use a list of custom nameservers",
     }
     module_threads = 8
-    deps_pip = ["baddns~=1.9.130"]
+    deps_pip = ["baddns~=1.12.294"]
 
     scope_distance_modifier = 1
 

bbot/modules/baddns_zone.py

@@ -16,7 +16,7 @@ class baddns_zone(baddns_module):
         "only_high_confidence": "Do not emit low-confidence or generic detections",
     }
     module_threads = 8
-    deps_pip = ["baddns~=1.9.130"]
+    deps_pip = ["baddns~=1.12.294"]
 
     def set_modules(self):
         self.enabled_submodules = ["NSEC", "zonetransfer"]

bbot/modules/badsecrets.py

@@ -17,7 +17,7 @@ class badsecrets(BaseModule):
     options_desc = {
         "custom_secrets": "Include custom secrets loaded from a local file",
     }
-    deps_pip = ["badsecrets~=0.9.29"]
+    deps_pip = ["badsecrets~=0.13.47"]
 
     async def setup(self):
         self.custom_secrets = None