go-msfdb
This is a tool for searching CVEs in Metasploit-Framework modules from msfdb-list.
Metasploit modules are inserted at sqlite database(go-msfdb) can be searched by command line interface.
In server mode, a simple Web API can be used.
Docker Deployment
There's a Docker image available docker pull vuls/go-msfdb
. When using the container, it takes the same arguments as the normal command line.
Installation for local deployment
Requirements
go-msfdb requires the following packages.
- git
- SQLite3, MySQL, PostgreSQL, Redis
- lastest version of go
Install go-msfdb
$ mkdir -p $GOPATH/src/github.com/vulsio
$ cd $GOPATH/src/github.com/vulsio
$ git clone https://github.com/vulsio/go-msfdb.git
$ cd go-msfdb
$ make install
Usage: Fetch and Insert Module's info
$ go-msfdb fetch -h
Fetch the data of msfdb-list
Usage:
go-msfdb fetch [command]
Available Commands:
msfdb Fetch the data of metasploit-framework cve's list
Flags:
--expire uint timeout to set for Redis keys in seconds. If set to 0, the key is persistent.
-h, --help help for fetch
Global Flags:
--config string config file (default is $HOME/.go-msfdb.yaml)
--dbpath string /path/to/sqlite3 or SQL connection string
--dbtype string Database type to store data in (sqlite3, mysql, postgres or redis supported)
--debug debug mode (default: false)
--debug-sql SQL debug mode
--http-proxy string http://proxy-url:port (default: empty)
--log-dir string /path/to/log
--log-json output log as JSON
--quiet quiet mode (no output)
Use "go-msfdb fetch [command] --help" for more information about a command.
Fetch and Insert msfdb-list
$ go-msfdb fetch msfdb
Usage: Search Module's info
$ go-msfdb search -h
Search the data of exploit
Usage:
go-msfdb search [flags]
Flags:
-h, --help help for search
--param string All Metasploit Framework modules: None | by CVE: [CVE-xxxx] | by EDB: [EDB-xxxx] (default: None)
--type string All Metasploit Framework modules by CVE: CVE | by EDB: EDB (default: CVE)
Global Flags:
--config string config file (default is $HOME/.go-msfdb.yaml)
--dbpath string /path/to/sqlite3 or SQL connection string
--dbtype string Database type to store data in (sqlite3, mysql, postgres or redis supported)
--debug debug mode (default: false)
--debug-sql SQL debug mode
--http-proxy string http://proxy-url:port (default: empty)
--log-dir string /path/to/log
--log-json output log as JSON
--quiet quiet mode (no output)
Search Modules by CVE(eg. CVE-2014-0160)
$ go run main.go search --type CVE --param CVE-2014-0160
Results: CVE-Metasploit Record
---------------------------------------
[*] CVE: CVE-2014-0160
Name: openssl_heartbleed.rb
Title: OpenSSL Heartbeat (Heartbleed) Information Leak
Description: This module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable. The module supports several actions, allowing for scanning, dumping of memory contents to loot, and private key recovery. The LEAK_COUNT option can be used to specify leaks per SCAN or DUMP. The repeat command can be used to make running the SCAN or DUMP many times more powerful. As in: repeat -t 60 run; sleep 2 To run every two seconds for one minute.
[-] References
URL: http://www.kb.cert.org/vuls/id/720951
URL: https://www.us-cert.gov/ncas/alerts/TA14-098A
URL: http://heartbleed.com/
URL: https://github.com/FiloSottile/Heartbleed
URL: https://gist.github.com/takeshixx/10107280
URL: http://filippo.io/Heartbleed/
---------------------------------------
[*] CVE: CVE-2014-0160
Name: openssl_heartbeat_client_memory.rb
Title: OpenSSL Heartbeat (Heartbleed) Client Memory Exposure
Description: This module provides a fake SSL service that is intended to leak memory from client systems as they connect. This module is hardcoded for using the AES-128-CBC-SHA1 cipher.
[-] References
URL: http://www.kb.cert.org/vuls/id/720951
URL: https://www.us-cert.gov/ncas/alerts/TA14-098A
URL: http://heartbleed.com/
---------------------------------------
Usage: Start go-msfdb as REST API server
$ go-msfdb server -h
Start go-msfdb HTTP server
Usage:
go-msfdb server [flags]
Flags:
--bind string HTTP server bind to IP address (default: loop back interface
-h, --help help for server
--port string HTTP server port number (default: 1327
Global Flags:
--config string config file (default is $HOME/.go-msfdb.yaml)
--dbpath string /path/to/sqlite3 or SQL connection string
--dbtype string Database type to store data in (sqlite3, mysql, postgres or redis supported)
--debug debug mode (default: false)
--debug-sql SQL debug mode
--http-proxy string http://proxy-url:port (default: empty)
--log-dir string /path/to/log
--log-json output log as JSON
--quiet quiet mode (no output)
Starting Server
$ go run main.go server
INFO[06-18|17:23:14] Starting HTTP Server...
INFO[06-18|17:23:14] Listening... URL=127.0.0.1:1327
Search Modules Get by cURL for CVE(eg. CVE-2019-0708)
$ curl http://127.0.0.1:1327/cves/CVE-2019-0708 | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1992 100 1992 0 0 628k 0 --:--:-- --:--:-- --:--:-- 648k
[
{
"Name": "cve_2019_0708_bluekeep.rb",
"Title": "CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check",
"Description": "This module checks a range of hosts for the CVE-2019-0708 vulnerability by binding the MS_T120 channel outside of its normal slot and sending non-DoS packets which respond differently on patched and vulnerable hosts. It can optionally trigger the DoS vulnerability.",
"CveID": "CVE-2019-0708",
"References": [
{
"ID": 3058,
"Link": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708"
},
{
"ID": 3059,
"Link": "https://zerosum0x0.blogspot.com/2019/05/avoiding-dos-how-bluekeep-scanners-work.html"
}
]
},
{
"Name": "cve_2019_0708_bluekeep_rce.rb",
"Title": "CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free",
"Description": "The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution. Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets. Windows 7 SP1 should be exploitable in its default configuration, assuming your target selection is correctly matched to the system's memory layout. HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2. This is a non-standard configuration for normal servers, and the target will crash if the aforementioned Registry key is not set! If the target is crashing regardless, you will likely need to determine the non-paged pool base in kernel memory and set it as the GROOMBASE option.",
"CveID": "CVE-2019-0708",
"References": [
{
"ID": 3060,
"Link": "https://github.com/zerosum0x0/CVE-2019-0708"
},
{
"ID": 3061,
"Link": "https://zerosum0x0.blogspot.com/2019/11/fixing-remote-windows-kernel-payloads-meltdown.html"
}
]
}
]