Path: blob/master/lib/rex/parser/nexpose_xml.rb
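# -*- coding: binary -*-
module Rex
module Parser

# XXX doesn't tie services to vulns
#
# REXML stream listener for NeXpose XML export reports.
#
# Drive it from a REXML stream parser. It accumulates one host record per
# <node> element and one vulnerability record per <vulnerability> element,
# and hands each finished record to +callback+ as
# <tt>callback.call(:host, host_hash)</tt> or
# <tt>callback.call(:vuln, vuln_hash)</tt>. All record keys are strings.
#
# The report is externally produced input: element and attribute values are
# stored as given, and a malformed ordering of elements (e.g. a <service>
# before any <endpoint>) is ignored rather than raising.
class NexposeXMLStreamParser

  # <test status="..."> values that are recorded as vulns when only
  # vulnerable states are wanted (the default, see
  # parse_vulnerable_states_only).
  VULNERABLE_MARKERS = %w[vulnerable-exploited vulnerable-version potential].freeze

  attr_accessor :callback

  # @param callback [#call, nil] receives (type, record) pairs, where type
  #   is :host or :vuln and record is the accumulated Hash
  def initialize(callback = nil)
    # The "which test states to keep" choice belongs to the whole parse, so it
    # lives here rather than in reset_state (which runs after every record).
    @only_vuln_states_needed = true
    reset_state
    self.callback = callback if callback
  end

  # Clear the per-record state. Runs on construction and after each
  # <node> / <vulnerability> record has been delivered to the callback.
  # Does not touch the parse_vulnerable_states_only setting.
  def reset_state
    @state = :generic_state
    @current_vuln_id = nil
    @vulnerable_markers = VULNERABLE_MARKERS
    @host = {"status" => nil, "endpoints" => [], "names" => [], "vulns" => {}}
    @vuln = {"refs" => [], "description" => [], "solution" => []}
  end

  # If all vuln states are required set this to false
  #
  # By default only <test> elements whose status is one of
  # VULNERABLE_MARKERS are recorded under host["vulns"]; pass +false+ to
  # record every <test>. The setting persists across <node> records.
  #
  # @param only_vuln_states_needed [Boolean]
  def parse_vulnerable_states_only(only_vuln_states_needed)
    @only_vuln_states_needed = only_vuln_states_needed
  end

  # REXML stream hook: an element opened.
  #
  # @param name [String] element name
  # @param attributes [Hash{String => String}] element attributes
  def tag_start(name, attributes)
    case name
    when "node"
      @host["hardware-address"] = attributes["hardware-address"]
      @host["addr"] = attributes["address"]
      @host["status"] = attributes["status"]
    when "os"
      record_os(attributes)
    when "name"
      @state = :in_name
    when "endpoint"
      # This is a port in NeXpose parlance
      @host["endpoints"].push(attributes)
    when "service"
      @state = :in_service
      # Store any service info with the associated port. There shouldn't
      # be any collisions on attribute names here, so just merge them.
      merge_into_current_endpoint(attributes)
    when "fingerprint"
      # Only service fingerprints belong to a port; node-level <software>
      # fingerprints are not tracked.
      merge_into_current_endpoint(attributes) if @state == :in_service
    when "test"
      record_test(attributes)
    when "vulnerability"
      @vuln.merge!(attributes)
    when "reference"
      @state = :in_reference
      @vuln["refs"].push(attributes)
    when "solution"
      @state = :in_solution
    when "description"
      @state = :in_description
    when "URLLink"
      @vuln["solution"] << attributes
    end
  end

  # REXML stream hook: character data. Where it goes depends on which
  # element we are currently inside.
  #
  # @param str [String]
  def text(str)
    case @state
    when :in_name
      @host["names"].push(str)
    when :in_reference
      @vuln["refs"].last["value"] = str
    when :in_solution
      @vuln["solution"] << str
    when :in_description
      @vuln["description"] << str
    when :in_test
      vuln = @host["vulns"][@current_vuln_id]
      # Proof text may arrive in several chunks; keep them all, in order.
      (vuln["proof"] ||= []) << str if vuln
    end
  end

  # REXML stream hook: an element closed. Delivers finished records and
  # leaves the element-specific text states.
  #
  # @param name [String] element name
  def tag_end(name)
    case name
    when "node"
      callback.call(:host, @host) if callback
      reset_state
    when "vulnerability"
      callback.call(:vuln, @vuln) if callback
      reset_state
    when "name"
      # Leave :in_name as soon as the element closes, so text between sibling
      # <name> elements (e.g. whitespace) is not recorded as a host name.
      @state = :generic_state if @state == :in_name
    when "test"
      # Likewise, text after </test> must not be appended to the vuln's proof.
      # Only reset if we were in the test so an enclosing service state is kept.
      @state = :generic_state if @state == :in_test
    when "service", "reference", "names"
      @state = :generic_state
    end
  end

  # We don't need these methods, but they're necessary to keep REXML happy.
  # The stream parser calls them for declarations and CDATA sections; they
  # accept any arguments so such content is ignored instead of raising
  # ArgumentError mid-parse.
  def xmldecl(version, encoding, standalone) # :nodoc:
  end
  def cdata(*_args) # :nodoc:
  end
  def comment(str) # :nodoc:
  end
  def instruction(name, instruction) # :nodoc:
  end
  def attlist(*_args) # :nodoc:
  end
  def doctype(*_args) # :nodoc:
  end
  def doctype_end # :nodoc:
  end
  def attlistdecl(*_args) # :nodoc:
  end
  def elementdecl(*_args) # :nodoc:
  end
  def entitydecl(*_args) # :nodoc:
  end
  def notationdecl(*_args) # :nodoc:
  end
  def entity(*_args) # :nodoc:
  end

  private

  # The endpoint (port) currently being described, or nil if none has been
  # seen for this host yet.
  def current_endpoint
    @host["endpoints"].last
  end

  # Merge +attributes+ into the current endpoint, if there is one. A
  # <service> or <fingerprint> outside any <endpoint> is ignored.
  def merge_into_current_endpoint(attributes)
    endpoint = current_endpoint
    endpoint.merge!(attributes) if endpoint
  end

  # Take only the highest certainty OS fingerprint seen for this host.
  def record_os(attributes)
    seen = @host["os_certainty"]
    return if seen && seen.to_f >= attributes["certainty"].to_f

    @host["os_vendor"] = attributes["vendor"]
    @host["os_family"] = attributes["family"]
    @host["os_product"] = attributes["product"]
    @host["os_version"] = attributes["version"]
    @host["arch"] = attributes["arch"]
    @host["os_certainty"] = attributes["certainty"]
  end

  # Record a <test> as a vuln on the current host, unless only vulnerable
  # states are wanted and this test's status is not one of them.
  def record_test(attributes)
    status = attributes["status"].to_s.chomp
    return if @only_vuln_states_needed && !@vulnerable_markers.include?(status)

    @state = :in_test
    @current_vuln_id = attributes["id"]
    vuln = attributes.dup
    # Append the endpoint info for how the vuln was discovered
    endpoint = current_endpoint
    vuln["endpoint_data"] = endpoint if endpoint
    @host["vulns"][@current_vuln_id] = vuln
    return unless attributes["key"]

    @host["notes"] ||= []
    @host["notes"] << [@current_vuln_id, attributes["key"]]
  end
end
end
end

__END__

<node address="10.1.1.10" status="alive" hardware-address="0007371F3BE8">
  <names>
    <name>NETBIOSNAME</name>
    <name>hostname.example.com</name>
  </names>
  <fingerprints>
    <os certainty="1.00" device-class="Domain controller" vendor="Microsoft" family="Windows" product="Windows Server 2003, Standard Edition" version="SP2" arch="x86"/>
    <os certainty="0.85" device-class="General" vendor="Microsoft" family="Windows" product="Windows Server 2003"/>
    <os certainty="0.70" vendor="Microsoft" family="Windows" product="Windows Server 2003"/>
  </fingerprints>
  <software>
    <fingerprint certainty="1.00" vendor="Acronis" product="Acronis True Image Echo Server" version="9.5.8163"/>
    <fingerprint certainty="1.00" vendor="Acronis" product="Acronis Universal Restore for Acronis True Image Echo Server" version="9.5.8076"/>
    <fingerprint certainty="1.00" software-class="Internet Client" vendor="Microsoft" family="Internet Explorer" product="Internet Explorer" version="7.0.5730.11"/>
    <fingerprint certainty="1.00" software-class="Database Client" vendor="Microsoft" family="MDAC" product="MDAC" version="2.8"/>
    <fingerprint certainty="1.00" software-class="Media Client" vendor="Microsoft" family="Windows Media Player" product="Windows Media Player" version="10.0.0.3997"/>
    <fingerprint certainty="1.00" vendor="MySolutions NORDIC" product="NSClient++ (Win32)" version="0.3.4.0"/>
    <fingerprint certainty="1.00" vendor="Symantec Corporation" product="LiveUpdate 3.1 (Symantec Corporation)" version="3.1.0.99"/>
    <fingerprint certainty="1.00" vendor="Symantec Corporation" product="Symantec AntiVirus" version="10.1.5000.5"/>
  </software>
  <tests>
    <test status="not-vulnerable" id="backdoor-ckb.cfaae1e6">

  <endpoint protocol="tcp" port="139" status="open">
    <services>
      <service name="CIFS">
        <fingerprints>
          <fingerprint certainty="1.00" product="Windows Server 2003 R2 5.2"/>
        </fingerprints>
        <tests>
        </tests>
      </service>
    </services>
  </endpoint>
</node>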