Module: Msf::DBManager::Import::MetasploitFramework::XML

Included in:
Msf::DBManager::Import::MetasploitFramework
Defined in:
lib/msf/core/db_manager/import/metasploit_framework/xml.rb

Constant Summary collapse

MSF_WEB_PAGE_TEXT_ELEMENT_NAMES =

Elements that can be treated as text (i.e. do not need to be deserialized) in #import_msf_web_page_element

[
    'auth',
    'body',
    'code',
    'cookie',
    'ctype',
    'location',
    'mtime'
]
MSF_WEB_TEXT_ELEMENT_NAMES =

Elements that can be treated as text (i.e. do not need to be deserialized) in #import_msf_web_element.

[
    'created-at',
    'host',
    'path',
    'port',
    'query',
    'ssl',
    'updated-at',
    'vhost'
]
MSF_WEB_VULN_TEXT_ELEMENT_NAMES =

Elements that can be treated as text (i.e. do not need to be deserialized) in #import_msf_web_vuln_element.

[
    'blame',
    'category',
    'confidence',
    'description',
    'method',
    'name',
    'pname',
    'proof',
    'risk'
]

Instance Method Summary collapse

Instance Method Details

#import_msf_file(args = {}) ⇒ Object

Import a Metasploit XML file.


57
58
59
60
61
62
63
64
65
# File 'lib/msf/core/db_manager/import/metasploit_framework/xml.rb', line 57

def import_msf_file(args={})
  filename = args[:filename]

  data = ""
  ::File.open(filename, 'rb') do |f|
    data = f.read(f.stat.size)
  end
  import_msf_xml(args.merge(:data => data))
end

#import_msf_note_element(note, allow_yaml, note_data = {}) ⇒ void

This method returns an undefined value.

Imports `Mdm::Note` objects from the XML element.

Parameters:

  • note (Nokogiri::XML::Element)

    The Note element

  • allow_yaml (Boolean)

    whether to allow yaml

  • note_data (Hash) (defaults to: {})

    hash containing note attributes to be passed along


73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
# File 'lib/msf/core/db_manager/import/metasploit_framework/xml.rb', line 73

def import_msf_note_element(note, allow_yaml, note_data={})
  note_data[:type] = nils_for_nulls(note.at("ntype").text.to_s.strip)
  note_data[:data] = nils_for_nulls(unserialize_object(note.at("data"), allow_yaml))

  if note.at("critical").text
    note_data[:critical] = true unless note.at("critical").text.to_s.strip == "NULL"
  end
  if note.at("seen").text
    note_data[:seen] = true unless note.at("critical").text.to_s.strip == "NULL"
  end
  %W{created-at updated-at}.each { |datum|
    if note.at(datum).text
      note_data[datum.gsub("-","_")] = nils_for_nulls(note.at(datum).text.to_s.strip)
    end
  }
  report_note(note_data)
end

#import_msf_web_form_element(element, options = {}) {|event, data| ... } ⇒ void

This method returns an undefined value.

Imports web_form element using Msf::DBManager#report_web_form.

Parameters:

  • element (Nokogiri::XML::Element)

    web_form element.

  • options (Hash{Symbol => Object}) (defaults to: {})

    options

Options Hash (options):

  • :allow_yaml (Boolean) — default: false

    Whether to allow YAML when deserializing params.

  • :workspace (Mdm::Workspace, nil) — default: Msf::DBManager#workspace

    workspace under which to report the Mdm::WebForm

Yields:

  • (event, data)

Yield Parameters:

  • event (:web_page)

    The event name

  • data (String)

    path

Yield Returns:

  • (void)

105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
# File 'lib/msf/core/db_manager/import/metasploit_framework/xml.rb', line 105

def import_msf_web_form_element(element, options={}, &notifier)
  options.assert_valid_keys(:allow_yaml, :workspace)

  import_msf_web_element(element,
                         :allow_yaml => options[:allow_yaml],
                         :notifier => notifier,
                         :type => :form,
                         :workspace => options[:workspace]) do |element, options|
    info = import_msf_text_element(element, 'method')

    # FIXME https://www.pivotaltracker.com/story/show/46578647
    # FIXME https://www.pivotaltracker.com/story/show/47128407
    unserialized_params = unserialize_object(
        element.at('params'),
        options[:allow_yaml]
    )
    info[:params] = nils_for_nulls(unserialized_params)

    info
  end
end

#import_msf_web_page_element(element, options = {}) {|event, data| ... } ⇒ void

This method returns an undefined value.

Imports web_page element using Msf::DBManager#report_web_page.

Parameters:

  • element (Nokogiri::XML::Element)

    web_page element.

  • options (Hash{Symbol => Object}) (defaults to: {})

    options

Options Hash (options):

  • :allow_yaml (Boolean) — default: false

    Whether to allow YAML when deserializing headers and body.

  • :workspace (Mdm::Workspace, nil) — default: Msf::DBManager#workspace

    workspace under which to report the Mdm::WebPage.

Yields:

  • (event, data)

Yield Parameters:

  • event (:web_page)

    The event name

  • data (String)

    path

Yield Returns:

  • (void)

141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
# File 'lib/msf/core/db_manager/import/metasploit_framework/xml.rb', line 141

def import_msf_web_page_element(element, options={}, &notifier)
  options.assert_valid_keys(:allow_yaml, :workspace)

  import_msf_web_element(element,
                         :allow_yaml => options[:allow_yaml],
                         :notifier => notifier,
                         :type => :page,
                         :workspace => options[:workspace]) do |element, options|
    info = {}

    MSF_WEB_PAGE_TEXT_ELEMENT_NAMES.each do |name|
      element_info = import_msf_text_element(element, name)
      info.merge!(element_info)
    end

    code = info[:code]

    if code
      info[:code] = code.to_i
    end

    # FIXME https://www.pivotaltracker.com/story/show/46578647
    # FIXME https://www.pivotaltracker.com/story/show/47128407
    unserialized_headers = unserialize_object(
        element.at('headers'),
        options[:allow_yaml]
    )

    unserialized_body = unserialize_object(element.at('body'), options[:allow_yaml])
    unless unserialized_body.blank?
      begin
        unserialized_body = Base64.urlsafe_decode64(unserialized_body).b
      rescue ArgumentError => e
        print_error("Data format suggests response body is not encoded: #{e}")
      end
    end

    info[:headers] = nils_for_nulls(unserialized_headers)
    info[:body] = nils_for_nulls(unserialized_body)
    info
  end
end

#import_msf_web_vuln_element(element, options = {}) {|event, data| ... } ⇒ void

This method returns an undefined value.

Imports web_vuln element using Msf::DBManager#report_web_vuln.

Parameters:

  • element (Nokogiri::XML::Element)

    web_vuln element.

  • options (Hash{Symbol => Object}) (defaults to: {})

    options

Options Hash (options):

  • :allow_yaml (Boolean) — default: false

    Whether to allow YAML when deserializing headers.

  • :workspace (Mdm::Workspace, nil) — default: Msf::DBManager#workspace

    workspace under which to report the Mdm::WebPage.

Yields:

  • (event, data)

Yield Parameters:

  • event (:web_page)

    The event name

  • data (String)

    path

Yield Returns:

  • (void)

198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
# File 'lib/msf/core/db_manager/import/metasploit_framework/xml.rb', line 198

def import_msf_web_vuln_element(element, options={}, &notifier)
  options.assert_valid_keys(:allow_yaml, :workspace)

  import_msf_web_element(element,
                         :allow_yaml => options[:allow_yaml],
                         :notifier => notifier,
                         :workspace => options[:workspace],
                         :type => :vuln) do |element, options|
    info = {}

    MSF_WEB_VULN_TEXT_ELEMENT_NAMES.each do |name|
      element_info = import_msf_text_element(element, name)
      info.merge!(element_info)
    end

    confidence = info[:confidence]

    if confidence
      info[:confidence] = confidence.to_i
    end

    # FIXME https://www.pivotaltracker.com/story/show/46578647
    # FIXME https://www.pivotaltracker.com/story/show/47128407
    unserialized_params = unserialize_object(
        element.at('params'),
        options[:allow_yaml]
    )
    info[:params] = nils_for_nulls(unserialized_params)

    risk = info[:risk]

    if risk
      info[:risk] = risk.to_i
    end

    info
  end
end

#import_msf_xml(args = {}, &block) ⇒ Object

For each host, step through services, notes, and vulns, and import them. TODO: loot, tasks, and reports


240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
# File 'lib/msf/core/db_manager/import/metasploit_framework/xml.rb', line 240

def import_msf_xml(args={}, &block)
  data = args[:data]
  wspace = Msf::Util::DBManager.process_opts_workspace(args, framework).name
  args = args.clone()
  args.delete(:workspace)
  bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : []

  doc = Nokogiri::XML::Reader.from_memory(data)
   = check_msf_xml_version!(doc.first.name)
  allow_yaml = [:allow_yaml]
  btag = [:root_tag]

  doc.each do |node|
    unless node.inner_xml.nil?
      unless node.inner_xml.empty?
        case node.name
        when 'host'
          parse_host(Nokogiri::XML(node.outer_xml).at("./#{node.name}"), wspace, bl, allow_yaml, btag, args, &block)
        when 'web_site'
          parse_web_site(Nokogiri::XML(node.outer_xml).at("./#{node.name}"), wspace, allow_yaml, &block)
        when 'web_page', 'web_form', 'web_vuln'
          send(
              "import_msf_#{node.name}_element",
              Nokogiri::XML(node.outer_xml).at("./#{node.name}"),
              :allow_yaml => allow_yaml,
              :workspace => wspace,
              &block
          )
        end
      end
    end
  end
end