include extractor modules into 2nd round of deep extraction

Rubusch · Dec 28, 2021 · 48e867c · 48e867c
1 parent aa44e3e
commit 48e867c
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 2 deletions.
diff --git a/config/msf_cve-db.txt b/config/msf_cve-db.txt
@@ -243,6 +243,10 @@
 /usr/share/metasploit-framework/modules/auxiliary/gather/ibm_sametime_version.rb:CVE-2013-3982
 /usr/share/metasploit-framework/modules/auxiliary/gather/ie_sandbox_findfiles.rb:CVE-2016-3321
 /usr/share/metasploit-framework/modules/auxiliary/gather/ie_uxss_injection.rb:CVE-2015-0072
+/usr/share/metasploit-framework/modules/auxiliary/gather/jetty_web_inf_disclosure.rb:casedatastoreCVE
+/usr/share/metasploit-framework/modules/auxiliary/gather/jetty_web_inf_disclosure.rb:CVE-2021-28164
+/usr/share/metasploit-framework/modules/auxiliary/gather/jetty_web_inf_disclosure.rb:CVE-2021-34429
+/usr/share/metasploit-framework/modules/auxiliary/gather/jetty_web_inf_disclosure.rb:OptEnum.new(CVE-true,Thevulnerabilitytouse,CVE-2021-34429,CVE-2021-34429,CVE-2021-28164)
 /usr/share/metasploit-framework/modules/auxiliary/gather/joomla_contenthistory_sqli.rb:CVE-2015-7297
 /usr/share/metasploit-framework/modules/auxiliary/gather/ldap_hashdump.rb:CVE-2020-3952
 /usr/share/metasploit-framework/modules/auxiliary/gather/mantisbt_admin_sqli.rb:CVE-2014-2238
@@ -829,6 +833,7 @@
 /usr/share/metasploit-framework/modules/exploits/linux/local/bpf_priv_esc.rb:CVE-2016-4557
 /usr/share/metasploit-framework/modules/exploits/linux/local/bpf_sign_extension_priv_esc.rb:CVE-2017-16995
 /usr/share/metasploit-framework/modules/exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe.rb:CVE-2021-3490
+/usr/share/metasploit-framework/modules/exploits/linux/local/cve_2021_3493_overlayfs.rb:CVE-2021-3493
 /usr/share/metasploit-framework/modules/exploits/linux/local/cve_2021_38648_omigod.rb:CVE-2021-38648
 /usr/share/metasploit-framework/modules/exploits/linux/local/docker_runc_escape.rb:CVE-2019-5736
 /usr/share/metasploit-framework/modules/exploits/linux/local/exim4_deliver_message_priv_esc.rb:CVE-2019-10149
@@ -889,6 +894,7 @@
 /usr/share/metasploit-framework/modules/exploits/linux/misc/mongod_native_helper.rb:CVE-2013-1892
 /usr/share/metasploit-framework/modules/exploits/linux/misc/nagios_nrpe_arguments.rb:CVE-2013-1362
 /usr/share/metasploit-framework/modules/exploits/linux/misc/netsupport_manager_agent.rb:CVE-2011-0404
+/usr/share/metasploit-framework/modules/exploits/linux/misc/nimbus_gettopologyhistory_cmd_exec.rb:CVE-2021-38294
 /usr/share/metasploit-framework/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb:CVE-2012-0432
 /usr/share/metasploit-framework/modules/exploits/linux/misc/opennms_java_serialize.rb:CVE-2015-8103
 /usr/share/metasploit-framework/modules/exploits/linux/misc/qnap_transcode_server.rb:CVE-2017-13067
@@ -1367,6 +1373,7 @@
 /usr/share/metasploit-framework/modules/exploits/unix/ssh/arista_tacplus_shell.rb:CVE-2020-9015
 /usr/share/metasploit-framework/modules/exploits/unix/ssh/tectia_passwd_changereq.rb:CVE-2012-5975
 /usr/share/metasploit-framework/modules/exploits/unix/webapp/actualanalyzer_ant_cookie_exec.rb:CVE-2014-5470
+/usr/share/metasploit-framework/modules/exploits/unix/webapp/aerohive_netconfig_lfi_log_poison_rce.rb:CVE-2020-16152,#stillcategorizedasRESERVED
 /usr/share/metasploit-framework/modules/exploits/unix/webapp/awstats_configdir_exec.rb:CVE-2005-0116
 /usr/share/metasploit-framework/modules/exploits/unix/webapp/awstats_migrate_exec.rb:CVE-2006-2237
 /usr/share/metasploit-framework/modules/exploits/unix/webapp/awstatstotals_multisort.rb:CVE-2008-3922
@@ -1880,6 +1887,7 @@
 /usr/share/metasploit-framework/modules/exploits/windows/fileformat/winrar_ace.rb:CVE-2018-20250
 /usr/share/metasploit-framework/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb:CVE-2014-2299
 /usr/share/metasploit-framework/modules/exploits/windows/fileformat/wireshark_packet_dect.rb:CVE-2011-1591
+/usr/share/metasploit-framework/modules/exploits/windows/fileformat/word_mshtml_rce.rb:CVE-2021-40444
 /usr/share/metasploit-framework/modules/exploits/windows/fileformat/xion_m3u_sehbof.rb:#CVE-
 /usr/share/metasploit-framework/modules/exploits/windows/fileformat/xradio_xrl_sehbof.rb:CVE-2008-2789
 /usr/share/metasploit-framework/modules/exploits/windows/fileformat/zahir_enterprise_plus_csv.rb:CVE-2018-17408
@@ -2033,6 +2041,7 @@
 /usr/share/metasploit-framework/modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb:CVE-2012-1196
 /usr/share/metasploit-framework/modules/exploits/windows/http/lexmark_markvision_gfd_upload.rb:CVE-2014-8741
 /usr/share/metasploit-framework/modules/exploits/windows/http/mailenable_auth_header.rb:CVE-2005-1348
+/usr/share/metasploit-framework/modules/exploits/windows/http/manageengine_adselfservice_plus_cve_2021_40539.rb:CVE-2021-40539
 /usr/share/metasploit-framework/modules/exploits/windows/http/manageengine_appmanager_exec.rb:CVE-2018-7890
 /usr/share/metasploit-framework/modules/exploits/windows/http/manageengine_connectionid_write.rb:CVE-2015-8249
 /usr/share/metasploit-framework/modules/exploits/windows/http/manage_engine_opmanager_rce.rb:CVE-2015-7765,#Hardcodedpassword
@@ -2076,6 +2085,7 @@
 /usr/share/metasploit-framework/modules/exploits/windows/http/sharepoint_workflows_xoml.rb:CVE-2020-0646
 /usr/share/metasploit-framework/modules/exploits/windows/http/shoutcast_format.rb:CVE-2004-1373
 /usr/share/metasploit-framework/modules/exploits/windows/http/shttpd_post.rb:CVE-2006-5216
+/usr/share/metasploit-framework/modules/exploits/windows/http/sitecore_xp_cve_2021_42237.rb:CVE-2021-42237
 /usr/share/metasploit-framework/modules/exploits/windows/http/solarwinds_fsm_userlogin.rb:CVE-2015-2284
 /usr/share/metasploit-framework/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb:CVE-2012-2962
 /usr/share/metasploit-framework/modules/exploits/windows/http/ssrs_navcorrector_viewstate.rb:CVE-2020-0618

diff --git a/modules/P16_EnGenius_decryptor.sh b/modules/P16_EnGenius_decryptor.sh
@@ -47,9 +47,12 @@ engenius_enc_extractor() {
     print_output "[-] Decryptor not found - check your installation"
   fi
 
+  print_output ""
   if [[ -f "$EXTRACTION_FILE_" ]]; then
     print_output "[+] Decrypted EnGenius firmware file to $ORANGE$EXTRACTION_FILE_$NC"
     export FIRMWARE_PATH="$EXTRACTION_FILE_"
+    file "$EXTRACTION_FILE_"
+    #export FIRMWARE_PATH="$LOG_DIR"/firmware
   else
     print_output "[-] Decryption of EnGenius firmware file failed"
   fi

diff --git a/modules/P20_firmware_bin_extractor.sh b/modules/P20_firmware_bin_extractor.sh
@@ -307,6 +307,27 @@ deep_extractor() {
 
     readarray -t FILE_ARR_TMP < <(find "$FIRMWARE_PATH_CP" -xdev "${EXCL_FIND[@]}" -type f ! \( -iname "*.udeb" -o -iname "*.deb" -o -iname "*.ipk" -o -iname "*.pdf" -o -iname "*.php" -o -iname "*.txt" -o -iname "*.doc" -o -iname "*.rtf" -o -iname "*.docx" -o -iname "*.htm" -o -iname "*.html" -o -iname "*.md5" -o -iname "*.sha1" -o -iname "*.torrent" -o -iname "*.png" -o -iname "*.svg" \) -exec md5sum {} \; 2>/dev/null | sort -u -k1,1 | cut -d\  -f3 )
     for FILE_TMP in "${FILE_ARR_TMP[@]}"; do
+      # do a quick check if EMBA should handle the file or we give it to binwalk:
+      fw_bin_detector "$FILE_TMP"
+
+      if [[ "$VMDK_DETECTED" -eq 1 ]]; then
+        vmdk_extractor "$FILE_TMP" "${FILE_TMP}_vmdk_extracted" &
+        WAIT_PIDS_P20+=( "$!" )
+      elif [[ "$UBI_IMAGE" -eq 1 ]]; then
+        ubi_extractor "$FILE_TMP" "${FILE_TMP}_ubi_extracted" &
+        WAIT_PIDS_P20+=( "$!" )
+      elif [[ "$DLINK_ENC_DETECTED" -eq 1 ]]; then
+        dlink_SHRS_enc_extractor "$FILE_TMP" "${FILE_TMP}_shrs_extracted" &
+        WAIT_PIDS_P20+=( "$!" )
+      elif [[ "$EXT_IMAGE" -eq 1 ]]; then
+        ext2_extractor "$FILE_TMP" "${FILE_TMP}_ext_extracted" &
+        WAIT_PIDS_P20+=( "$!" )
+      else
+        # default case to binwalk
+        binwalk_deep_extract_helper &
+        WAIT_PIDS_P20+=( "$!" )
+      fi
+
       FILE_MD5=$(md5sum "$FILE_TMP" | cut -d\  -f1)
       # let's check the current md5sum against our array of unique md5sums - if we have a match this is already extracted
       # already extracted stuff is now ignored

diff --git a/modules/P99_prepare_analyzer.sh b/modules/P99_prepare_analyzer.sh
@@ -33,6 +33,7 @@ P99_prepare_analyzer() {
   module_log_init "${FUNCNAME[0]}"
   module_title "Analysis preparation"
 
+  # we have a linux:
   if [[ $LINUX_PATH_COUNTER -gt 0 || ${#ROOT_PATH[@]} -gt 1 ]] ; then
     export FIRMWARE=1
     export FIRMWARE_PATH
@@ -42,15 +43,15 @@ P99_prepare_analyzer() {
   print_output "[*] Quick check if it is a real Linux system"
   check_firmware
   print_output ""
-  prepare_binary_arr
-  print_output ""
 
   if [[ -d "$FIRMWARE_PATH" ]]; then
 
     export RTOS=0
 
     prepare_file_arr
     print_output ""
+    prepare_binary_arr
+    print_output ""
 
     if [[ $KERNEL -eq 0 ]] ; then
       architecture_check