CVEs <--> Metasploit-Framework modules

go-msfdb

MIT License

This is a tool for searching CVEs in Metasploit-Framework modules, using msfdb-list as its source. The fetched module data is inserted into a database (SQLite by default; MySQL, PostgreSQL and Redis are also supported via --dbtype) and can be searched from the command line. In server mode, a simple Web API serves the same data.

Docker Deployment

There's a Docker image available: docker pull vuls/go-msfdb. The container takes the same arguments as the command-line binary.

Installation for local deployment

Requirements

go-msfdb requires the following packages.

Install go-msfdb
$ mkdir -p $GOPATH/src/github.com/vulsio
$ cd $GOPATH/src/github.com/vulsio
$ git clone https://github.com/vulsio/go-msfdb.git
$ cd go-msfdb
$ make install

Usage: Fetch and Insert Module's info

$ go-msfdb fetch -h
Fetch the data of msfdb-list

Usage:
  go-msfdb fetch [command]

Available Commands:
  msfdb       Fetch the data of metasploit-framework cve's list

Flags:
  -h, --help          help for fetch

Global Flags:
      --config string       config file (default is $HOME/.go-msfdb.yaml)
      --dbpath string       /path/to/sqlite3 or SQL connection string
      --dbtype string       Database type to store data in (sqlite3, mysql, postgres or redis supported)
      --debug               debug mode (default: false)
      --debug-sql           SQL debug mode
      --http-proxy string   http://proxy-url:port (default: empty)
      --log-dir string      /path/to/log
      --log-json            output log as JSON
      --log-to-file         output log to file
      --quiet               quiet mode (no output)

Use "go-msfdb fetch [command] --help" for more information about a command.

Fetch and Insert msfdb-list
$ go-msfdb fetch msfdb

Usage: Search Module's info

$ go-msfdb search -h
Search the data of exploit

Usage:
  go-msfdb search [flags]

Flags:
  -h, --help           help for search
      --param string   All Metasploit Framework modules: None  |  by CVE: [CVE-xxxx]  | by EDB: [EDB-xxxx]  (default: None)
      --type string    All Metasploit Framework modules by CVE: CVE  |  by EDB: EDB (default: CVE)

Global Flags:
      --config string       config file (default is $HOME/.go-msfdb.yaml)
      --dbpath string       /path/to/sqlite3 or SQL connection string
      --dbtype string       Database type to store data in (sqlite3, mysql, postgres or redis supported)
      --debug               debug mode (default: false)
      --debug-sql           SQL debug mode
      --http-proxy string   http://proxy-url:port (default: empty)
      --log-dir string      /path/to/log
      --log-json            output log as JSON
      --log-to-file         output log to file
      --quiet               quiet mode (no output)

Search Modules by CVE (e.g. CVE-2014-0160)
$ go-msfdb search --type CVE --param CVE-2014-0160

Results: CVE-Metasploit Record
---------------------------------------

[*] CVE: CVE-2014-0160
  Name: openssl_heartbleed.rb
  Title: OpenSSL Heartbeat (Heartbleed) Information Leak
  Description: This module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable.  The module supports several actions, allowing for scanning, dumping of memory contents to loot, and private key recovery.  The LEAK_COUNT option can be used to specify leaks per SCAN or DUMP.  The repeat command can be used to make running the SCAN or DUMP many times more powerful. As in: repeat -t 60 run; sleep 2 To run every two seconds for one minute.

[-] References
  URL: http://www.kb.cert.org/vuls/id/720951
  URL: https://www.us-cert.gov/ncas/alerts/TA14-098A
  URL: http://heartbleed.com/
  URL: https://github.com/FiloSottile/Heartbleed
  URL: https://gist.github.com/takeshixx/10107280
  URL: http://filippo.io/Heartbleed/

---------------------------------------

[*] CVE: CVE-2014-0160
  Name: openssl_heartbeat_client_memory.rb
  Title: OpenSSL Heartbeat (Heartbleed) Client Memory Exposure
  Description: This module provides a fake SSL service that is intended to leak memory from client systems as they connect. This module is hardcoded for using the AES-128-CBC-SHA1 cipher.

[-] References
  URL: http://www.kb.cert.org/vuls/id/720951
  URL: https://www.us-cert.gov/ncas/alerts/TA14-098A
  URL: http://heartbleed.com/

---------------------------------------

Usage: Start go-msfdb as REST API server

$ go-msfdb server -h
Start go-msfdb HTTP server

Usage:
  go-msfdb server [flags]

Flags:
      --bind string   HTTP server bind to IP address (default: loop back interface)
  -h, --help          help for server
      --port string   HTTP server port number (default: 1327)

Global Flags:
      --config string       config file (default is $HOME/.go-msfdb.yaml)
      --dbpath string       /path/to/sqlite3 or SQL connection string
      --dbtype string       Database type to store data in (sqlite3, mysql, postgres or redis supported)
      --debug               debug mode (default: false)
      --debug-sql           SQL debug mode
      --http-proxy string   http://proxy-url:port (default: empty)
      --log-dir string      /path/to/log
      --log-json            output log as JSON
      --quiet               quiet mode (no output)

Starting Server

The server binds to the loopback interface by default, and none of the flags above add authentication; keep that default unless something in front of it restricts who can reach the port.
$ go-msfdb server

INFO[06-18|17:23:14] Starting HTTP Server...
INFO[06-18|17:23:14] Listening...                             URL=127.0.0.1:1327

Search Modules with cURL by CVE (e.g. CVE-2019-0708)
$ curl -s http://127.0.0.1:1327/cves/CVE-2019-0708 | jq
[
  {
    "Name": "cve_2019_0708_bluekeep.rb",
    "Title": "CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check",
    "Description": "This module checks a range of hosts for the CVE-2019-0708 vulnerability by binding the MS_T120 channel outside of its normal slot and sending non-DoS packets which respond differently on patched and vulnerable hosts. It can optionally trigger the DoS vulnerability.",
    "CveID": "CVE-2019-0708",
    "References": [
      {
        "ID": 3058,
        "Link": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708"
      },
      {
        "ID": 3059,
        "Link": "https://zerosum0x0.blogspot.com/2019/05/avoiding-dos-how-bluekeep-scanners-work.html"
      }
    ]
  },
  {
    "Name": "cve_2019_0708_bluekeep_rce.rb",
    "Title": "CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free",
    "Description": "The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.  Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets.  Windows 7 SP1 should be exploitable in its default configuration, assuming your target selection is correctly matched to the system's memory layout.  HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2. This is a non-standard configuration for normal servers, and the target will crash if the aforementioned Registry key is not set!  If the target is crashing regardless, you will likely need to determine the non-paged pool base in kernel memory and set it as the GROOMBASE option.",
    "CveID": "CVE-2019-0708",
    "References": [
      {
        "ID": 3060,
        "Link": "https://github.com/zerosum0x0/CVE-2019-0708"
      },
      {
        "ID": 3061,
        "Link": "https://zerosum0x0.blogspot.com/2019/11/fixing-remote-windows-kernel-payloads-meltdown.html"
      }
    ]
  }
]
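
A client for the REST endpoint shown above, as an added example (not go-msfdb's own code). It validates the CVE ID before building the URL, decodes the JSON array into typed structs matching the fields in the response (Name, Title, Description, CveID, References with ID and Link), treats any non-200 status as an error and caps the body size. main() runs it against a local httptest server that replays a constructed, shortened copy of the CVE-2019-0708 response, so it works offline; the "[]" response for an unknown CVE is an assumption about the fake server, not something the page documents for the real one.

```go
// Added example, not go-msfdb's own code: a Go client for the GET /cves/{CVE-ID}
// endpoint shown above. main() runs it against a local httptest server that
// replays a constructed copy of the response above, so it works offline.
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// Module mirrors one element of the JSON array returned by go-msfdb.
type Module struct {
	Name        string      `json:"Name"`
	Title       string      `json:"Title"`
	Description string      `json:"Description"`
	CveID       string      `json:"CveID"`
	References  []Reference `json:"References"`
}

// Reference is one entry of a module's References list.
type Reference struct {
	ID   int    `json:"ID"`
	Link string `json:"Link"`
}

var cveIDPattern = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)

// ModuleURL builds the lookup URL for one CVE. Input that is not a well-formed
// CVE ID is rejected, so an untrusted value cannot steer the request to another path.
func ModuleURL(base, cveID string) (string, error) {
	cveID = strings.ToUpper(strings.TrimSpace(cveID))
	if !cveIDPattern.MatchString(cveID) {
		return "", fmt.Errorf("invalid CVE ID %q", cveID)
	}
	return strings.TrimRight(base, "/") + "/cves/" + url.PathEscape(cveID), nil
}

// LookupCVE queries a go-msfdb server; non-200 is an error and the body is capped at 8 MiB.
func LookupCVE(client *http.Client, base, cveID string) ([]Module, error) {
	u, err := ModuleURL(base, cveID)
	if err != nil {
		return nil, err
	}
	resp, err := client.Get(u)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("go-msfdb returned HTTP %d for %s", resp.StatusCode, cveID)
	}
	var mods []Module
	if err := json.NewDecoder(io.LimitReader(resp.Body, 8<<20)).Decode(&mods); err != nil {
		return nil, fmt.Errorf("decode go-msfdb response: %w", err)
	}
	return mods, nil
}

// sampleResponse is a constructed, shortened copy of the CVE-2019-0708 output above.
const sampleResponse = `[
 {"Name":"cve_2019_0708_bluekeep.rb","Title":"CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check",
  "CveID":"CVE-2019-0708","References":[{"ID":3058,"Link":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708"}]},
 {"Name":"cve_2019_0708_bluekeep_rce.rb","Title":"CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free",
  "CveID":"CVE-2019-0708","References":[{"ID":3060,"Link":"https://github.com/zerosum0x0/CVE-2019-0708"}]}
]`

// NewFakeServer stands in for go-msfdb offline. It serves sampleResponse for
// CVE-2019-0708 and "[]" otherwise; that empty-array shape is an assumption, not from the page.
func NewFakeServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.URL.Path == "/cves/CVE-2019-0708" {
			io.WriteString(w, sampleResponse)
			return
		}
		io.WriteString(w, "[]")
	}))
}

func main() {
	srv := NewFakeServer() // point base at http://127.0.0.1:1327 for a real go-msfdb server
	defer srv.Close()
	client := &http.Client{Timeout: 5 * time.Second}
	for _, id := range []string{"CVE-2019-0708", "CVE-2014-0160", "../admin"} {
		mods, err := LookupCVE(client, srv.URL, id)
		if err != nil {
			fmt.Printf("%s: %v\n", id, err)
			continue
		}
		fmt.Printf("%s: %d Metasploit module(s)\n", id, len(mods))
	}
}
```

To use it against a running instance, pass http://127.0.0.1:1327 as the base instead of srv.URL. The CVE-ID check matters when the IDs come from a scanner export or ticket field: the endpoint takes the identifier as a path segment, so anything not matching the CVE syntax is refused before a request is built.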