rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/lotus/lotus_domino_version.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
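class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Registers the module metadata and the single PATH option, which is the
  # base URI the probe paths in run_host are joined to.
  def initialize
    super(
      'Name' => 'Lotus Domino Version',
      'Description' => 'Several checks to determine Lotus Domino Server Version.',
      'Author' => ['CG'],
      'License' => MSF_LICENSE
    )
    register_options(
      [
        OptString.new('PATH', [ true, "path", '/']),
      ]
    )
  end

  # Requests a fixed set of Domino resources from one host and records any
  # version string found in them as a note.
  #
  # Three independent sources are read: an HTML comment in the iNotes forms
  # databases ("current" version), the title of help/readme.nsf (release
  # notes version) and the Version= line of the download/filesets .inf files
  # ("base" version).
  #
  # Every captured value is taken from the response body, so it is whatever
  # the remote server chose to send. It is stripped of surrounding whitespace
  # and otherwise stored and printed unchanged; treat it as a fingerprinting
  # hint rather than a verified version.
  #
  # @param ip [String] address of the host being scanned
  def run_host(ip)
    path = datastore['PATH']

    inotes_forms = [
      'iNotes/Forms5.nsf',
      'iNotes/Forms6.nsf',
      'iNotes/Forms7.nsf',
    ]
    release_notes = [
      'help/readme.nsf?OpenAbout'
    ]
    fileset_infs = [
      'download/filesets/l_LOTUS_SCRIPT.inf',
      'download/filesets/n_LOTUS_SCRIPT.inf',
      'download/filesets/l_SEARCH.inf',
      'download/filesets/n_SEARCH.inf',
    ]

    current_versions = []
    inotes_forms.each do |check|
      body = domino_fetch(ip, path, check)
      next unless body

      # string we are matching: <!-- Domino Release 7.0.3FP1 (Windows NT/Intel) -->
      # Non-greedy, so a second comment on the same line is not swallowed
      # into the captured version.
      found = body.match(/<!-- Domino Release(.*?) -->/)
      next unless found

      version = found[1].strip
      domino_note(ip, 'lotusdomino.version.current', { :version => version })
      domino_track(current_versions, version, 'current')
    end
    unless current_versions.empty?
      print_good("#{ip}:#{rport} Lotus Domino Current Version: #{current_versions}")
    end

    release_notes.each do |check|
      body = domino_fetch(ip, path, check)
      next unless body

      # string we are matching: <title>IBM Lotus Notes/Domino 6.5.6 Release Notes</title>
      found = body.match(/<title>(.*)Lotus Notes\/Domino (.*) Release Notes<\/title>/)
      next unless found

      print_good("#{ip}:#{rport} Lotus Domino Release Notes Version: " + found[2])
      domino_note(ip, 'lotusdomino.version.releasenotes', { :version_release_notes => found[2].strip })
    end

    base_versions = []
    fileset_infs.each do |check|
      # Only bodies carrying both markers are parsed as fileset descriptors.
      body = domino_fetch(ip, path, check) do |text|
        text.index('TotalFileSize') && text.index('FileCount')
      end
      next unless body

      # string we are matching: Version=8.5.1.0
      found = body.match(/Version=(.*)/)
      next unless found

      version = found[1].strip
      domino_note(ip, 'lotusdomino.version.base', { :version_base => version })
      domino_track(base_versions, version, 'base')
    end
    unless base_versions.empty?
      print_good("#{ip}:#{rport} Lotus Domino Base Install Version: #{base_versions}")
    end
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    # Connection-level failures end the run for this host without output.
  rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, Resolv::ResolvError, EOFError, Errno::ECONNABORTED, Errno::ECONNREFUSED, Errno::EHOSTUNREACH => e
    print_error(e.message)
  end

  private

  # Issues a GET for path/check with a 10 second timeout and returns the body
  # when the response is a 200 with a body (and, if a block is given, the
  # block accepts that body). Prints an error when there is no response, or
  # when a response that was not accepted carries a Location header. Returns
  # nil in every case other than an accepted body.
  def domino_fetch(ip, path, check)
    res = send_request_raw({
      'uri' => normalize_uri(path, check),
      'method' => 'GET'
    }, 10)

    if res.nil?
      print_error("no response for #{ip}:#{rport} #{check}")
    elsif res.code == 200 && res.body && (!block_given? || yield(res.body))
      return res.body
    elsif res.code && res.headers['Location']
      print_error("#{ip}:#{rport} #{res.code} Redirect to #{res.headers['Location']}")
    end
    nil
  end

  # Stores one version observation as a note on the scanned service.
  def domino_note(ip, type, data)
    report_note(
      :host => ip,
      :proto => 'tcp',
      :sname => (ssl ? "https" : "http"),
      :port => rport,
      :type => type,
      :data => data
    )
  end

  # Adds version to seen unless it is already there, and prints an error when
  # it disagrees with a value recorded earlier. The bare version is stored
  # (no ' : ' prefix), so later comparisons are made against real values.
  def domino_track(seen, version, label)
    return if seen.include?(version)

    print_error("Different #{label} version values") unless seen.empty? # this shouldn't happen, but just in case
    seen << version
  end
end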