Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Auxiliary::Scanner
8
  include Msf::Auxiliary::Report
9

10
  def initialize
11
    super(
12
      'Name' => 'AMQP 0-9-1 Version Scanner',
13
      'Description' => 'Detect AMQP version information.',
14
      'Author' => 'Spencer McIntyre',
15
      'License' => MSF_LICENSE,
16
      'References' => [
17
        [ 'URL', 'https://www.rabbitmq.com/amqp-0-9-1-reference.html' ]
18
      ]
19
    )
20

21
    register_options([
22
      Opt::RPORT(5671)
23
    ])
24

25
    register_advanced_options(
26
      [
27
        OptBool.new('SSL', [ true, 'Negotiate SSL/TLS for outgoing connections', true ]),
28
        Opt::SSLVersion
29
      ]
30
    )
31
  end
32

33
  def peer
34
    rhost = datastore['RHOST']
35
    rport = datastore['RPORT']
36
    if Rex::Socket.is_ipv6?(rhost)
37
      "[#{rhost}]:#{rport}"
38
    else
39
      "#{rhost}:#{rport}"
40
    end
41
  end
42

43
  def print_prefix
44
    peer.ljust(21) + ' - '
45
  end
46

47
  def run_host(target_host)
48
    amqp_client = Rex::Proto::Amqp::Version091::Client.new(
49
      target_host,
50
      port: datastore['RPORT'],
51
      context: { 'Msf' => framework, 'MsfExploit' => self },
52
      ssl: datastore['SSL'],
53
      ssl_version: datastore['SSLVersion']
54
    )
55

56
    amqp_client.connect
57
    amqp_client.send_protocol_header
58
    amqp_client.recv_connection_start
59
    server_info = amqp_client.server_info
60

61
    info_line = 'AMQP Detected'
62
    unless server_info[:properties]['product'].blank? || server_info[:properties]['version'].blank?
63
      info_line << " (version:#{server_info[:properties]['product']} #{server_info[:properties]['version']})"
64
    end
65
    unless server_info[:properties]['cluster_name'].blank?
66
      info_line << " (cluster:#{server_info[:properties]['cluster_name']})"
67
    end
68
    unless server_info[:properties]['platform'].blank?
69
      info_line << " (platform:#{server_info[:properties]['platform']})"
70
    end
71
    info_line << " (authentication:#{server_info[:security_mechanisms].join(', ')})"
72
    print_status(info_line)
73
    report_service(
74
      host: target_host,
75
      port: datastore['RPORT'],
76
      name: "amqp#{datastore['SSL'] ? 's' : ''}",
77
      info: info_line
78
    )
79
  rescue Rex::Proto::Amqp::Error::UnexpectedReplyError => e
80
    fail_with(Failure::UnexpectedReply, e.message)
81
  rescue Rex::Proto::Amqp::Error::AmqpError => e
82
    fail_with(Failure::Unknown, e.message)
83
  ensure
84
    amqp_client.close
85
  end
86
end
87

88