In Metasploit, exploit and auxiliary modules support the check command, which lets a user confirm the vulnerable state of a target before running the module. This is convenient for people who need to confirm a vulnerability without popping a shell, and it can be used to quickly identify every machine on a network that is vulnerable or potentially exploitable.
Although vulnerability verification is not Metasploit's focus (it is not a vulnerability scanner like Nexpose), we generally encourage people to implement a check() method because it adds value to the module. If you write one, keep the following rules in mind.
## check Method Output
Module messages matter to the user because they report what the module has been doing and generally make the module easier to debug. However, you also want these messages to be verbose-only, because a check that is run against many targets becomes very noisy otherwise. Ideally, you should use only these print methods:
| Method | Description |
| ------ | ----------- |
| **vprint_line()** | verbose version of print_line |
| **vprint_status()** | verbose version of print_status that begins with "[*]" |
| **vprint_error()** | verbose version of print_error that begins with "[-]" |
| **vprint_warning()** | verbose version of print_warning that begins with "[!]", in yellow |
| **vprint_debug()** | verbose version of print_debug that begins with "[!]", in blue |
Note: if the target is vulnerable, you should not print that yourself; once your method returns a check code, the framework reports it automatically.
## Check Codes
Once you have established the vulnerable state, you should return a check code. Check codes are constants defined in Msf::Exploit::CheckCode; these are the ones you can use:
| Checkcode | Description |
| --------- | ----------- |
| **Exploit::CheckCode::Unknown** | Used if the module fails to retrieve enough information from the target machine, such as due to a timeout. |
| **Exploit::CheckCode::Safe** | Used if the check fails to trigger the vulnerability, or even detect the service. |
| **Exploit::CheckCode::Detected** | The target is running the service in question, but the check fails to determine whether the target is vulnerable or not. |
| **Exploit::CheckCode::Appears** | This is used if the vulnerability is determined based on passive reconnaissance. For example: version, banner grabbing, or simply having the resource that's known to be vulnerable. |
| **Exploit::CheckCode::Vulnerable** | Only used if the check is able to actually take advantage of the bug, and obtain some sort of hard evidence. For example: for a command execution type bug, get a command output from the target system. For a directory traversal, read a file from the target, etc. Since this level of check is pretty aggressive in nature, you should not try to DoS the host as a way to prove the vulnerability. |
| **Exploit::CheckCode::Unsupported** | The exploit does not support the check method. If this is the case, then you don't really have to add the check method. |
## Remote Check Example
Here is an abstract example of how to write a Metasploit check:
```ruby
#
# Returns a check code that indicates the vulnerable state on an app running on OS X
#
def check
  if exec_cmd_via_http("id") =~ /uid=\d+\(.+\)/
    # Found the expected id output, a good indication that our command executed
    return Exploit::CheckCode::Vulnerable
  end

  http_body = get_http_body
  if http_body
    if http_body =~ /Something CMS v1\.0/
      # We are able to find the version, therefore we can be more precise about the vuln state
      return Exploit::CheckCode::Appears
    elsif http_body =~ /Something CMS/
      # All we can tell is that the vulnerable app is running, but there is no more info to
      # determine the vuln
      return Exploit::CheckCode::Detected
    end
  else
    vprint_error("Unable to determine due to a HTTP connection timeout")
    return Exploit::CheckCode::Unknown
  end

  # Right app, but nothing matched: the target does not look vulnerable
  Exploit::CheckCode::Safe
end
```
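The abstract example above leans on helpers that do not exist outside the page, and the check-code table leaves two practical points implicit: a Vulnerable result should rest on evidence the target cannot produce by accident, and version comparison for Appears has to be numeric, not lexical. The following is an added example (not code from the Metasploit wiki or from any shipped module) that exercises the full ladder offline. It assumes a hypothetical "Something CMS" whose fix landed in version 1.10.0 and which has a command-execution endpoint at `/cmd.php`; `Msf::Exploit::CheckCode` is stood in for by a local `CheckCode` module, and the `http` callable stands in for `send_request_cgi`, returning a body or `nil` on a connection failure.

```ruby
require 'rubygems'
require 'securerandom'

# Stand-ins for the Msf::Exploit::CheckCode constants (assumption: only the
# names matter here; the real constants are richer objects).
module CheckCode
  Unknown    = :unknown
  Safe       = :safe
  Detected   = :detected
  Appears    = :appears
  Vulnerable = :vulnerable
end

# Hypothetical fix version: releases before it are treated as vulnerable.
FIXED_VERSION = Gem::Version.new('1.10.0')

# Active probe: ask the (hypothetical) injectable endpoint to echo a random
# marker. Matching a random marker instead of a fixed string avoids false
# positives from error pages that happen to contain the literal we searched for.
# `http` stands in for send_request_cgi: it takes a path and returns the body,
# or nil when the connection fails.
def command_echoes_marker?(http)
  marker = SecureRandom.alphanumeric(8)
  body = http.call("/cmd.php?c=echo+#{marker}")
  !body.nil? && body.include?(marker)
end

# The check() ladder: hard evidence first, then passive evidence, then the
# weaker codes. Returns one of the CheckCode constants.
def check(http)
  body = http.call('/')
  # No response at all: we cannot say anything about the target.
  return CheckCode::Unknown if body.nil?
  # Wrong application entirely.
  return CheckCode::Safe unless body.include?('Something CMS')
  # Command output came back: proof, regardless of what the banner says.
  return CheckCode::Vulnerable if command_echoes_marker?(http)

  m = body.match(/Something CMS v(\d+(?:\.\d+)*)/)
  # Right app, but no version string to compare against the fix.
  return CheckCode::Detected unless m

  # Version comparison, not string comparison: "1.10" must sort after "1.9".
  Gem::Version.new(m[1]) < FIXED_VERSION ? CheckCode::Appears : CheckCode::Safe
end

# Constructed stand-in for a target, so the ladder can be exercised offline.
# banner: body served at "/"; rce: whether /cmd.php really executes commands.
def fake_target(banner:, rce: false)
  lambda do |path|
    if path.start_with?('/cmd.php?c=echo+')
      rce ? path.sub('/cmd.php?c=echo+', '') : 'Not Found'
    else
      banner
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts check(->(_) { nil })                                     # unknown
  puts check(fake_target(banner: 'Something CMS v1.9'))          # appears
  puts check(fake_target(banner: 'Something CMS v1.10'))         # safe
  puts check(fake_target(banner: 'Something CMS', rce: true))    # vulnerable
end
```

In a real module the probe and the banner fetch would go through `send_request_cgi`, the constants would be `Exploit::CheckCode::*`, and the only output would be `vprint_*` calls on the failure paths; the ordering of the returns is the part worth copying.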
Note: if you are writing an auxiliary module that uses the `Msf::Auxiliary::Scanner` mixin, your method declaration should look like this instead:
```ruby
def check_host(ip)
# Do your thing
end
```
### Local Exploit Example
Most local exploit checks confirm the version of the vulnerable file, which is considered passive, so they should be flagged as Exploit::CheckCode::Appears. Passive local exploit checks are not unreliable; in fact, they are fine. But to qualify for Exploit::CheckCode::Vulnerable, your check has to go further: either get the program to return a vulnerable response somehow, or inspect the vulnerable code itself.
```ruby
def check
  check_str = Rex::Text.rand_text_alphanumeric(5)
  # ensure they are vulnerable to the bash env variable bug (Shellshock), and that
  # the target binary actually exists on disk
  if cmd_exec("env x='() { :;}; echo #{check_str}' bash -c echo").include?(check_str) &&
     cmd_exec("file '#{datastore['VMWARE_PATH']}'") !~ /cannot open/
    Exploit::CheckCode::Vulnerable
  else
    Exploit::CheckCode::Safe
  end
end
```
One way to inspect the vulnerable code is to supply a signature and see whether it is present in the vulnerable process. Here is an example from adobe_sandbox_adobecollabsync.rb:
```ruby
# 'AdobeCollabSyncTriggerSignature' => "\x56\x68\xBC\x00\x00\x00\xE8\xF5\xFD\xFF\xFF"
# 'AdobeCollabSyncTrigger' => 0x18fa0
def check_trigger
  # Read the bytes at the trigger offset inside AcroRd32.exe and compare them
  # against the known vulnerable code signature
  signature = session.railgun.memread(@addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'], target['AdobeCollabSyncTriggerSignature'].length)
  if signature == target['AdobeCollabSyncTriggerSignature']
    return true
  end
  return false
end

def check
  @addresses = {}
  acrord32 = session.railgun.kernel32.GetModuleHandleA("AcroRd32.exe")
  @addresses['AcroRd32.exe'] = acrord32["return"]
  if @addresses['AcroRd32.exe'] == 0
    # Module not loaded in this process: nothing to inspect
    return Msf::Exploit::CheckCode::Unknown
  elsif check_trigger
    return Msf::Exploit::CheckCode::Vulnerable
  else
    return Msf::Exploit::CheckCode::Detected
  end
end
```
Another possible approach is to grab the vulnerable file and analyze it with Metasm. But, of course, this is much slower and generates more network traffic.