CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/lib/metasploit/framework/login_scanner/db2.rb
require 'metasploit/framework/tcp/client'
require 'metasploit/framework/login_scanner/base'
require 'metasploit/framework/login_scanner/rex_socket'

module Metasploit
  module Framework
    module LoginScanner
      # This is the LoginScanner class for dealing with DB2 Database servers.
      # It is responsible for taking a single target, and a list of credentials
      # and attempting them. It then saves the results.
      class DB2
        include Metasploit::Framework::LoginScanner::Base
        include Metasploit::Framework::LoginScanner::RexSocket
        include Metasploit::Framework::Tcp::Client

        DEFAULT_PORT = 50000
        DEFAULT_REALM = 'toolsdb'
        LIKELY_PORTS = [ DEFAULT_PORT ]
        # @todo XXX
        LIKELY_SERVICE_NAMES = [ ]
        PRIVATE_TYPES = [ :password ]
        REALM_KEY = Metasploit::Model::Realm::Key::DB2_DATABASE

        # @see Base#attempt_login
        def attempt_login(credential)
          result_options = {
            credential: credential
          }

          begin
            probe_data = send_probe(credential.realm)

            if probe_data.empty?
              result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
            else
              if authenticate?(credential)
                result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
              else
                result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
              end
            end
          rescue ::Rex::ConnectionError, ::Rex::Proto::DRDA::RespError, ::Timeout::Error => e
            result_options.merge!({
              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
              proof: e,
            })
          end

          result = ::Metasploit::Framework::LoginScanner::Result.new(result_options)
          result.host = host
          result.port = port
          result.protocol = 'tcp'
          result.service_name = 'db2'
          result
        end

        private
        # This method takes the credential and actually attempts the authentication
        # @param credential [Credential] The Credential object to authenticate with.
        # @return [Boolean] Whether the authentication was successful
        def authenticate?(credential)
          # Send the login packet and get a response packet back
          login_packet = Rex::Proto::DRDA::Utils.client_auth(:dbname => credential.realm,
            :dbuser => credential.public,
            :dbpass => credential.private
          )
          sock.put login_packet
          response = sock.get_once
          if valid_response?(response)
            if successful_login?(response)
              true
            else
              false
            end
          else
            false
          end
        end

        # This method opens a socket to the target DB2 server.
        # It then sends a client probe on that socket to get information
        # back on the server.
        # @param database_name [String] The name of the database to probe
        # @return [Hash] A hash containing the server information from the probe reply
        def send_probe(database_name)
          disconnect if self.sock
          connect

          probe_packet = Rex::Proto::DRDA::Utils.client_probe(database_name)
          sock.put probe_packet
          response = sock.get_once

          response_data = {}
          if valid_response?(response)
            packet = Rex::Proto::DRDA::Packet::SERVER_PACKET.new.read(response)
            response_data = Rex::Proto::DRDA::Utils.server_packet_info(packet)
          end
          response_data
        end

        # This method sets the sane defaults for things
        # like timeouts and TCP evasion options
        def set_sane_defaults
          self.connection_timeout ||= 30
          self.port ||= DEFAULT_PORT
          self.max_send_size ||= 0
          self.send_delay ||= 0

          self.ssl = false if self.ssl.nil?
        end

        # This method takes a response packet and checks to see
        # if the authentication was actually successful.
        #
        # @param response [String] The unprocessed response packet
        # @return [Boolean] Whether the authentication was successful
        def successful_login?(response)
          packet = Rex::Proto::DRDA::Packet::SERVER_PACKET.new.read(response)
          packet_info = Rex::Proto::DRDA::Utils.server_packet_info(packet)
          if packet_info[:db_login_success]
            true
          else
            false
          end
        end

        # This method provides a simple test on whether the response
        # packet was valid.
        #
        # @param response [String] The response to examine from the socket
        # @return [Boolean] Whether the response is valid
        def valid_response?(response)
          response && response.length > 0
        end
      end

    end
  end
end