Module: Msf::DBManager::Import::MetasploitFramework::XML

Included in:

Msf::DBManager::Import::MetasploitFramework

Defined in:

lib/msf/core/db_manager/import/metasploit_framework/xml.rb

Constant Summary

MSF_WEB_PAGE_TEXT_ELEMENT_NAMES =

Elements that can be treated as text (i.e. do not need to be deserialized) in #import_msf_web_page_element

[
    'auth',
    'body',
    'code',
    'cookie',
    'ctype',
    'location',
    'mtime'
]

MSF_WEB_TEXT_ELEMENT_NAMES =

Elements that can be treated as text (i.e. do not need to be deserialized) in #import_msf_web_element.

[
    'created-at',
    'host',
    'path',
    'port',
    'query',
    'ssl',
    'updated-at',
    'vhost'
]

MSF_WEB_VULN_TEXT_ELEMENT_NAMES =

Elements that can be treated as text (i.e. do not need to be deserialized) in #import_msf_web_vuln_element.

[
    'blame',
    'category',
    'confidence',
    'description',
    'method',
    'name',
    'pname',
    'proof',
    'risk'
]

Instance Method Summary

• #import_msf_file(args = {}) ⇒ Object

  Import a Metasploit XML file.

• #import_msf_note_element(note, allow_yaml, note_data = {}) ⇒ void

  Imports ‘Mdm::Note` objects from the XML element.

• #import_msf_web_form_element(element, options = {}) {|event, data| ... } ⇒ void

  Imports web_form element using Msf::DBManager#report_web_form.

• #import_msf_web_page_element(element, options = {}) {|event, data| ... } ⇒ void

  Imports web_page element using Msf::DBManager#report_web_page.

• #import_msf_web_vuln_element(element, options = {}) {|event, data| ... } ⇒ void

  Imports web_vuln element using Msf::DBManager#report_web_vuln.

• #import_msf_xml(args = {}, &block) ⇒ Object

  For each host, step through services, notes, and vulns, and import them.

Instance Method Details

#import_msf_file(args = {}) ⇒ Object

Import a Metasploit XML file.

# File 'lib/msf/core/db_manager/import/metasploit_framework/xml.rb', line 57

def import_msf_file(args={})
  filename = args[:filename]

  data = ""
  ::File.open(filename, 'rb') do |f|
    data = f.read(f.stat.size)
  end
  import_msf_xml(args.merge(:data => data))
end

#import_msf_note_element(note, allow_yaml, note_data = {}) ⇒ void

This method returns an undefined value.

Imports ‘Mdm::Note` objects from the XML element.

Parameters:

• note (Nokogiri::XML::Element) —

  The Note element

• allow_yaml (Boolean) —

  whether to allow yaml

• note_data (Hash) (defaults to: {}) —

  hash containing note attributes to be passed along

# File 'lib/msf/core/db_manager/import/metasploit_framework/xml.rb', line 73

def import_msf_note_element(note, allow_yaml, note_data={})
  note_data[:type] = nils_for_nulls(note.at("ntype").text.to_s.strip)
  note_data[:data] = nils_for_nulls(unserialize_object(note.at("data"), allow_yaml))

  if note.at("critical").text
    note_data[:critical] = true unless note.at("critical").text.to_s.strip == "NULL"
  end
  if note.at("seen").text
    note_data[:seen] = true unless note.at("critical").text.to_s.strip == "NULL"
  end
  %W{created-at updated-at}.each { |datum|
    if note.at(datum).text
      note_data[datum.gsub("-","_")] = nils_for_nulls(note.at(datum).text.to_s.strip)
    end
  }
  msf_import_note(note_data)
end

#import_msf_web_form_element(element, options = {}) {|event, data| ... } ⇒ void

This method returns an undefined value.

Imports web_form element using Msf::DBManager#report_web_form.

Parameters:

• element (Nokogiri::XML::Element) —

  web_form element.

• options (Hash{Symbol => Object}) (defaults to: {}) —

  options

Options Hash (options):

• :allow_yaml (Boolean) — default: false —

  Whether to allow YAML when deserializing params.

• :workspace (Mdm::Workspace, nil) — default: Msf::DBManager#workspace —

  workspace under which to report the Mdm::WebForm

Yields:

• (event, data)

Yield Parameters:

• event (:web_page) —

  The event name

• data (String) —

  path

Yield Returns:

• (void)

# File 'lib/msf/core/db_manager/import/metasploit_framework/xml.rb', line 105

def import_msf_web_form_element(element, options={}, &notifier)
  options.assert_valid_keys(:allow_yaml, :workspace)

  import_msf_web_element(element,
                         :allow_yaml => options[:allow_yaml],
                         :notifier => notifier,
                         :type => :form,
                         :workspace => options[:workspace]) do |element, options|
    info = import_msf_text_element(element, 'method')

    # FIXME https://www.pivotaltracker.com/story/show/46578647
    # FIXME https://www.pivotaltracker.com/story/show/47128407
    unserialized_params = unserialize_object(
        element.at('params'),
        options[:allow_yaml]
    )
    info[:params] = nils_for_nulls(unserialized_params)

    info
  end
end

#import_msf_web_page_element(element, options = {}) {|event, data| ... } ⇒ void

This method returns an undefined value.

Imports web_page element using Msf::DBManager#report_web_page.

Parameters:

• element (Nokogiri::XML::Element) —

  web_page element.

• options (Hash{Symbol => Object}) (defaults to: {}) —

  options

Options Hash (options):

• :allow_yaml (Boolean) — default: false —

  Whether to allow YAML when deserializing headers and body.

• :workspace (Mdm::Workspace, nil) — default: Msf::DBManager#workspace —

  workspace under which to report the Mdm::WebPage.

Yields:

• (event, data)

Yield Parameters:

• event (:web_page) —

  The event name

• data (String) —

  path

Yield Returns:

• (void)

# File 'lib/msf/core/db_manager/import/metasploit_framework/xml.rb', line 141

def import_msf_web_page_element(element, options={}, &notifier)
  options.assert_valid_keys(:allow_yaml, :workspace)

  import_msf_web_element(element,
                         :allow_yaml => options[:allow_yaml],
                         :notifier => notifier,
                         :type => :page,
                         :workspace => options[:workspace]) do |element, options|
    info = {}

    MSF_WEB_PAGE_TEXT_ELEMENT_NAMES.each do |name|
      element_info = import_msf_text_element(element, name)
      info.merge!(element_info)
    end

    code = info[:code]

    if code
      info[:code] = code.to_i
    end

    # FIXME https://www.pivotaltracker.com/story/show/46578647
    # FIXME https://www.pivotaltracker.com/story/show/47128407
    unserialized_headers = unserialize_object(
        element.at('headers'),
        options[:allow_yaml]
    )

    unserialized_body = unserialize_object(element.at('body'), options[:allow_yaml])
    unless unserialized_body.blank?
      begin
        unserialized_body = Base64.urlsafe_decode64(unserialized_body).b
      rescue ArgumentError => e
        elog("Data format suggests response body is not encoded", e)
      end
    end

    info[:headers] = nils_for_nulls(unserialized_headers)
    info[:body] = nils_for_nulls(unserialized_body)
    info
  end
end

#import_msf_web_vuln_element(element, options = {}) {|event, data| ... } ⇒ void

This method returns an undefined value.

Imports web_vuln element using Msf::DBManager#report_web_vuln.

Parameters:

• element (Nokogiri::XML::Element) —

  web_vuln element.

• options (Hash{Symbol => Object}) (defaults to: {}) —

  options

Options Hash (options):

• :allow_yaml (Boolean) — default: false —

  Whether to allow YAML when deserializing headers.

• :workspace (Mdm::Workspace, nil) — default: Msf::DBManager#workspace —

  workspace under which to report the Mdm::WebPage.

Yields:

• (event, data)

Yield Parameters:

• event (:web_page) —

  The event name

• data (String) —

  path

Yield Returns:

• (void)

# File 'lib/msf/core/db_manager/import/metasploit_framework/xml.rb', line 198

def import_msf_web_vuln_element(element, options={}, &notifier)
  options.assert_valid_keys(:allow_yaml, :workspace)

  import_msf_web_element(element,
                         :allow_yaml => options[:allow_yaml],
                         :notifier => notifier,
                         :workspace => options[:workspace],
                         :type => :vuln) do |element, options|
    info = {}

    MSF_WEB_VULN_TEXT_ELEMENT_NAMES.each do |name|
      element_info = import_msf_text_element(element, name)
      info.merge!(element_info)
    end

    confidence = info[:confidence]

    if confidence
      info[:confidence] = confidence.to_i
    end

    # FIXME https://www.pivotaltracker.com/story/show/46578647
    # FIXME https://www.pivotaltracker.com/story/show/47128407
    unserialized_params = unserialize_object(
        element.at('params'),
        options[:allow_yaml]
    )
    info[:params] = nils_for_nulls(unserialized_params)

    risk = info[:risk]

    if risk
      info[:risk] = risk.to_i
    end

    info
  end
end

#import_msf_xml(args = {}, &block) ⇒ Object

For each host, step through services, notes, and vulns, and import them. TODO: loot, tasks, and reports

# File 'lib/msf/core/db_manager/import/metasploit_framework/xml.rb', line 240

def import_msf_xml(args={}, &block)
  data = args[:data]
  wspace = Msf::Util::DBManager.process_opts_workspace(args, framework).name
  args = args.clone()
  args.delete(:workspace)
  bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : []

  doc = Nokogiri::XML::Reader.from_memory(data)
  metadata = check_msf_xml_version!(doc.first.name)
  allow_yaml = metadata[:allow_yaml]
  btag = metadata[:root_tag]

  doc.each do |node|
    unless node.inner_xml.nil?
      unless node.inner_xml.empty?
        case node.name
        when 'host'
          parse_host(Nokogiri::XML(node.outer_xml).at("./#{node.name}"), wspace, bl, allow_yaml, btag, args, &block)
        when 'web_site'
          parse_web_site(Nokogiri::XML(node.outer_xml).at("./#{node.name}"), wspace, allow_yaml, &block)
        when 'web_page', 'web_form', 'web_vuln'
          send(
              "import_msf_#{node.name}_element",
              Nokogiri::XML(node.outer_xml).at("./#{node.name}"),
              :allow_yaml => allow_yaml,
              :workspace => wspace,
              &block
          )
        end
      end
    end
  end
end