go-msfdb

command module
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 16, 2021 License: MIT Imports: 4 Imported by: 0

README

go-msfdb

MIT License

This is a tool for searching CVEs in Metasploit-Framework modules from msfdb-list. Metasploit modules are inserted at sqlite database(go-msfdb) can be searched by command line interface. In server mode, a simple Web API can be used.

Docker Deployment

There's a Docker image available docker pull vuls/go-msfdb. When using the container, it takes the same arguments as the normal command line.

Installation for local deployment
Requirements

go-msfdb requires the following packages.

Install go-msfdb
$ mkdir -p $GOPATH/src/github.com/vulsio
$ cd $GOPATH/src/github.com/vulsio
$ git clone https://github.com/vulsio/go-msfdb.git
$ cd go-msfdb
$ make install

Usage: Fetch and Insert Module's info
$ go-msfdb fetch -h
Fetch the data of msfdb-list

Usage:
  go-msfdb fetch [command]

Available Commands:
  msfdb       Fetch the data of metasploit-framework cve's list

Flags:
      --expire uint   timeout to set for Redis keys in seconds. If set to 0, the key is persistent.
  -h, --help          help for fetch

Global Flags:
      --config string       config file (default is $HOME/.go-msfdb.yaml)
      --dbpath string       /path/to/sqlite3 or SQL connection string
      --dbtype string       Database type to store data in (sqlite3, mysql, postgres or redis supported)
      --debug               debug mode (default: false)
      --debug-sql           SQL debug mode
      --http-proxy string   http://proxy-url:port (default: empty)
      --log-dir string      /path/to/log
      --log-json            output log as JSON
      --quiet               quiet mode (no output)

Use "go-msfdb fetch [command] --help" for more information about a command.
Fetch and Insert msfdb-list
$ go-msfdb fetch msfdb
Usage: Search Module's info
$ go-msfdb search -h
Search the data of exploit

Usage:
  go-msfdb search [flags]

Flags:
  -h, --help           help for search
      --param string   All Metasploit Framework modules: None  |  by CVE: [CVE-xxxx]  | by EDB: [EDB-xxxx]  (default: None)
      --type string    All Metasploit Framework modules by CVE: CVE  |  by EDB: EDB (default: CVE)

Global Flags:
      --config string       config file (default is $HOME/.go-msfdb.yaml)
      --dbpath string       /path/to/sqlite3 or SQL connection string
      --dbtype string       Database type to store data in (sqlite3, mysql, postgres or redis supported)
      --debug               debug mode (default: false)
      --debug-sql           SQL debug mode
      --http-proxy string   http://proxy-url:port (default: empty)
      --log-dir string      /path/to/log
      --log-json            output log as JSON
      --quiet               quiet mode (no output)
Search Modules by CVE(eg. CVE-2014-0160)
$ go run main.go search --type CVE --param CVE-2014-0160

Results: CVE-Metasploit Record
---------------------------------------

[*] CVE: CVE-2014-0160
  Name: openssl_heartbleed.rb
  Title: OpenSSL Heartbeat (Heartbleed) Information Leak
  Description: This module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable.  The module supports several actions, allowing for scanning, dumping of memory contents to loot, and private key recovery.  The LEAK_COUNT option can be used to specify leaks per SCAN or DUMP.  The repeat command can be used to make running the SCAN or DUMP many times more powerful. As in: repeat -t 60 run; sleep 2 To run every two seconds for one minute.

[-] References
  URL: http://www.kb.cert.org/vuls/id/720951
  URL: https://www.us-cert.gov/ncas/alerts/TA14-098A
  URL: http://heartbleed.com/
  URL: https://github.com/FiloSottile/Heartbleed
  URL: https://gist.github.com/takeshixx/10107280
  URL: http://filippo.io/Heartbleed/

---------------------------------------

[*] CVE: CVE-2014-0160
  Name: openssl_heartbeat_client_memory.rb
  Title: OpenSSL Heartbeat (Heartbleed) Client Memory Exposure
  Description: This module provides a fake SSL service that is intended to leak memory from client systems as they connect. This module is hardcoded for using the AES-128-CBC-SHA1 cipher.

[-] References
  URL: http://www.kb.cert.org/vuls/id/720951
  URL: https://www.us-cert.gov/ncas/alerts/TA14-098A
  URL: http://heartbleed.com/

---------------------------------------
Usage: Start go-msfdb as REST API server
$ go-msfdb server -h
Start go-msfdb HTTP server

Usage:
  go-msfdb server [flags]

Flags:
      --bind string   HTTP server bind to IP address (default: loop back interface
  -h, --help          help for server
      --port string   HTTP server port number (default: 1327

Global Flags:
      --config string       config file (default is $HOME/.go-msfdb.yaml)
      --dbpath string       /path/to/sqlite3 or SQL connection string
      --dbtype string       Database type to store data in (sqlite3, mysql, postgres or redis supported)
      --debug               debug mode (default: false)
      --debug-sql           SQL debug mode
      --http-proxy string   http://proxy-url:port (default: empty)
      --log-dir string      /path/to/log
      --log-json            output log as JSON
      --quiet               quiet mode (no output)
Starting Server
$ go run main.go server

INFO[06-18|17:23:14] Starting HTTP Server...
INFO[06-18|17:23:14] Listening...                             URL=127.0.0.1:1327
Search Modules Get by cURL for CVE(eg. CVE-2019-0708)
$ curl http://127.0.0.1:1327/cves/CVE-2019-0708 | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1992  100  1992    0     0   628k      0 --:--:-- --:--:-- --:--:--  648k
[
  {
    "Name": "cve_2019_0708_bluekeep.rb",
    "Title": "CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check",
    "Description": "This module checks a range of hosts for the CVE-2019-0708 vulnerability by binding the MS_T120 channel outside of its normal slot and sending non-DoS packets which respond differently on patched and vulnerable hosts. It can optionally trigger the DoS vulnerability.",
    "CveID": "CVE-2019-0708",
    "References": [
      {
        "ID": 3058,
        "Link": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708"
      },
      {
        "ID": 3059,
        "Link": "https://zerosum0x0.blogspot.com/2019/05/avoiding-dos-how-bluekeep-scanners-work.html"
      }
    ]
  },
  {
    "Name": "cve_2019_0708_bluekeep_rce.rb",
    "Title": "CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free",
    "Description": "The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.  Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets.  Windows 7 SP1 should be exploitable in its default configuration, assuming your target selection is correctly matched to the system's memory layout.  HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2. This is a non-standard configuration for normal servers, and the target will crash if the aforementioned Registry key is not set!  If the target is crashing regardless, you will likely need to determine the non-paged pool base in kernel memory and set it as the GROOMBASE option.",
    "CveID": "CVE-2019-0708",
    "References": [
      {
        "ID": 3060,
        "Link": "https://github.com/zerosum0x0/CVE-2019-0708"
      },
      {
        "ID": 3061,
        "Link": "https://zerosum0x0.blogspot.com/2019/11/fixing-remote-windows-kernel-payloads-meltdown.html"
      }
    ]
  }
]

Documentation

The Go Gopher

There is no documentation for this package.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL