标题: 修补Metasploit扫描Misfortune Cookie漏洞的插件
创建: 2015-03-17 17:59
链接: https://scz.617.cn/misc/201503171759.txt
Metasploit有个插件:
http://www.rapid7.com/db/modules/auxiliary/scanner/http/allegro_rompager_misfortune_cookie
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/allegro_rompager_misfortune_cookie.rb
metasploit\apps\pro\msf3\modules\auxiliary\scanner\http\allegro_rompager_misfortune_cookie.rb
本意是:
--------------------------------------------------------------------------
$ curl -i http://192.168.1.1/Allegro
HTTP/1.1 200 OK
Content-Type: text/html
Date: Tue, 17 Mar 2015 10:35:27 GMT
Pragma: no-cache
Expires: Thu, 26 Oct 1995 00:00:00 GMT
Transfer-Encoding: chunked
Server: RomPager/4.07 UPnP/1.0
EXT:
Allegro Copyright
RomPager Advanced Version 4.07
(C) 1995 - 2002 Allegro Software Development Corporation
--------------------------------------------------------------------------
从响应报文的HTTP Header中析取"Server: ...",然后从中析取RomPager版本号,最
后判断其是否小于4.34,是则报漏洞。
相应代码如下:
--------------------------------------------------------------------------
fp = http_fingerprint( response:res )
if /RomPager\/(?[\d\.]+)$/ =~ fp
if Gem::Version.new(version) < Gem::Version.new('4.34')
report_vuln(
host: ip,
port: rport,
name: name,
refs: references
)
return Exploit::CheckCode::Appears
--------------------------------------------------------------------------
对于192.168.1.1,fp等于"RomPager/4.07 UPnP/1.0",插件所用正则表达式
"RomPager\/(?[\d\.]+)$"无法匹配fp,导致漏报。插件作者Jon Hart可能
缺少大规模扫描banner信息的经验。
这是一个在线ruby正则表达式工具:
http://www.rubular.com/
可以比较直观地检验正则表达式是否匹配、如何匹配。
前述插件中的正则表达式应该修改成:
RomPager\/(?[\d\.]+).*$
或
RomPager\/(?[\d\.]+)
这里表示将"[\d\.]+"的匹配内容析取并赋给名为version的变量。