metasploit-framework/lib/rex/parser/nexpose_simple_document.rb

# -*- coding: binary -*-
require "rex/parser/nokogiri_doc_mixin"

module Rex
  module Parser

    # If Nokogiri is available, define Nexpose document class.
    load_nokogiri && class NexposeSimpleDocument < Nokogiri::XML::SAX::Document

    include NokogiriDocMixin

    attr_reader :text

    # Triggered every time a new element is encountered. We keep state
    # ourselves with the @state variable, turning things on when we
    # get here (and turning things off when we exit in end_element()).
    def start_element(name=nil,attrs=[])
      attrs = normalize_attrs(attrs)
      block = @block
      @state[:current_tag][name] = true
      case name
      when "device"
        record_device(attrs)
      when "service"
        record_service(attrs)
      when "fingerprint"
        record_service_fingerprint(attrs)
        record_host_fingerprint(attrs)
      when "description"
        @state[:has_text] = true
        record_host_fingerprint_data(name,attrs)
      when "vendor", "family", "product", "version", "architecture"
        @state[:has_text] = true
        record_host_fingerprint_data(name,attrs)
      when "vulnerability"
        record_service_vuln(attrs)
        record_host_vuln(attrs)
      when "id"
        @state[:has_text] = true
        record_service_vuln_id(attrs)
        record_host_vuln_id(attrs)
      end
    end

    # When we exit a tag, this is triggered.
    def end_element(name=nil)
      block = @block
      case name
      when "device" # Wrap it up
        collect_device_data
        host_object = report_host &block
        report_services(host_object)
        report_host_fingerprint(host_object)
        report_vulns(host_object)
        # Reset the state once we close a host
        @state.delete_if {|k| k != :current_tag}
        @report_data = {:workspace => @args[:workspace]}
      when "description"
        @state[:has_text] = false
        collect_service_fingerprint_description
        collect_host_fingerprint_data(name)
        @text = nil
      when "vendor", "family", "product", "version", "architecture"
        @state[:has_text] = false
        collect_host_fingerprint_data(name)
        @text = nil
      when "service"
        collect_service_data
      when "id"
        @state[:has_text] = false
        collect_service_vuln_id
        collect_host_vuln_id
        @text = nil
      when "vulnerability"
        collect_service_vuln
        collect_host_vuln
        @state[:references] = nil
      end
      @state[:current_tag].delete name
    end

    def report_vulns(host_object)
      vuln_count = 0
      block = @block
      return unless host_object.kind_of? ::Mdm::Host
      return unless @report_data[:vulns]
      @report_data[:vulns].each do |vuln|
        if vuln[:refs]
          vuln[:refs] << vuln[:name]
        else
          vuln[:refs] = [vuln[:name]]
        end
        vuln[:refs].uniq!
        data = {
          :workspace => host_object.workspace,
          :host => host_object,
          :name => vuln[:name],
          :info => vuln[:info],
          :refs => vuln[:refs]
        }
        if vuln[:port] && vuln[:proto]
          data[:port] = vuln[:port]
          data[:proto] = vuln[:proto]
        end
        db_report(:vuln,data)
      end

    end

    def collect_host_vuln_id
      return unless in_tag("device")
      return unless in_tag("vulnerability")
      return if in_tag("service")
      return unless @state[:host_vuln_id]
      @state[:references] ||= []
      ref = normalize_ref( @state[:host_vuln_id]["type"], @text )
      @state[:references] << ref if ref
      @state[:host_vuln_id] = nil
      @text = nil
    end

    def collect_service_vuln_id
      return unless in_tag("device")
      return unless in_tag("vulnerability")
      return unless in_tag("service")
      return unless @state[:service_vuln_id]
      @state[:references] ||= []
      ref = normalize_ref( @state[:service_vuln_id]["type"], @text )
      @state[:references] << ref if ref
      @state[:service_vuln_id] = nil
      @text = nil
    end

    def collect_service_vuln
      return unless in_tag("device")
      return unless in_tag("vulnerability")
      return unless in_tag("service")
      @report_data[:vulns] ||= []
      return unless actually_vulnerable(@state[:service_vuln])
      return if @state[:service]["port"].to_i == 0
      vid = @state[:service_vuln]["id"].to_s.downcase
      vuln = {
        :name => "NEXPOSE-#{vid}",
        :info => vid,
        :refs => @state[:references],
        :port => @state[:service]["port"].to_i,
        :proto => @state[:service]["protocol"]
      }
      @report_data[:vulns] << vuln
    end

    def collect_host_vuln
      return unless in_tag("vulnerability")
      return unless in_tag("device")
      return if in_tag("service")
      @report_data[:vulns] ||= []
      return unless actually_vulnerable(@state[:host_vuln])
      vid = @state[:host_vuln]["id"].to_s.downcase
      vuln = {
        :name => "NEXPOSE-#{vid}",
        :info => vid,
        :refs => @state[:references]
      }
      @report_data[:vulns] << vuln
    end

    def record_host_vuln_id(attrs)
      return unless in_tag("device")
      return if in_tag("service")
      @state[:host_vuln_id] = attr_hash(attrs)
    end

    def record_host_vuln(attrs)
      return unless in_tag("device")
      return if in_tag("service")
      @state[:host_vuln] = attr_hash(attrs)
    end

    def record_service_vuln_id(attrs)
      return unless in_tag("device")
      return unless in_tag("service")
      @state[:service_vuln_id] = attr_hash(attrs)
    end

    def record_service_vuln(attrs)
      return unless in_tag("device")
      return unless in_tag("service")
      @state[:service_vuln] = attr_hash(attrs)
    end

    def actually_vulnerable(vuln)
      vuln_result = vuln["resultCode"]
      vuln_result =~ /^V[VE]$/
    end

    def record_device(attrs)
      attrs.each do |k,v|
        next unless k == "address"
        @state[:address] = v
      end
    end

    def record_host_fingerprint(attrs)
      return unless in_tag("device")
      return if in_tag("service")
      @state[:host_fingerprint] = attr_hash(attrs)
    end

    def collect_device_data
      return unless in_tag("device")
      @report_data[:host] = @state[:address]
      @report_data[:state] = Msf::HostState::Alive # always
    end

    def record_host_fingerprint_data(name, attrs)
      return unless in_tag("device")
      return if in_tag("service")
      return unless in_tag("fingerprint")
      @state[:host_fingerprint] ||= {}
      @state[:host_fingerprint].merge! attr_hash(attrs)
    end

    def collect_host_fingerprint_data(name)
      return unless in_tag("device")
      return if in_tag("service")
      return unless in_tag("fingerprint")
      return unless @text
      @report_data[:host_fingerprint] ||= {}
      @report_data[:host_fingerprint].merge!(@state[:host_fingerprint])
      @report_data[:host_fingerprint][name] = @text.to_s.strip
      @text = nil
    end

    def report_host(&block)
      if host_is_okay
        db.emit(:address,@report_data[:host],&block) if block
        host_object = db_report(:host, @report_data.merge(
          :workspace => @args[:workspace] ) )
        if host_object
          db.report_import_note(host_object.workspace, host_object)
        end
        host_object
      end
    end

    def report_host_fingerprint(host_object)
      return unless host_object.kind_of? ::Mdm::Host
      return unless @report_data[:host_fingerprint].kind_of? Hash
      @report_data[:host_fingerprint].reject! {|k,v| v.nil? || v.empty?}
      return if @report_data[:host_fingerprint].empty?
      note = {
        :workspace => host_object.workspace,
        :host => host_object,
        :type => "host.os.nexpose_fingerprint"
      }
      data = {
        :desc => @report_data[:host_fingerprint]["description"],
        :vendor => @report_data[:host_fingerprint]["vendor"],
        :family => @report_data[:host_fingerprint]["family"],
        :product => @report_data[:host_fingerprint]["product"],
        :version => @report_data[:host_fingerprint]["version"],
        :arch => @report_data[:host_fingerprint]["architecture"]
      }
      db_report(:note, note.merge(:data => data))
    end

    def record_service(attrs)
      return unless in_tag("device")
      @state[:service] = attr_hash(attrs)
    end

    def record_service_fingerprint(attrs)
      return unless in_tag("device")
      return unless in_tag("service")
      @state[:service][:fingerprint] = attr_hash(attrs)
    end

    def collect_service_data
      return unless in_tag("device")
      port_hash = {}
      @report_data[:ports] ||= []
      @state[:service].each do |k,v|
        case k
        when "protocol"
          port_hash[:proto] = v
        when "port"
          port_hash[:port] = v
        when "name"
          sname = v.to_s.downcase.split("(")[0].strip
          if sname == "<unknown>"
            port_hash[:name] = nil
          else
            port_hash[:name] = db.nmap_msf_service_map(sname)
          end
        end
      end
      if @state[:service_fingerprint]
        port_hash[:info] = "#{@state[:service_fingerprint]}"
      end
      @report_data[:ports] << port_hash.clone
      @state.delete :service_fingerprint
      @state.delete :service
      @report_data[:ports]
    end

    def collect_service_fingerprint_description
      return unless in_tag("device")
      return unless in_tag("service")
      return unless in_tag("fingerprint")
      return unless @text
      @state[:service_fingerprint] = @text.to_s.strip
      @text = nil
    end

    def report_services(host_object)
      return unless host_object.kind_of? ::Mdm::Host
      return unless @report_data[:ports]
      return if @report_data[:ports].empty?
      reported = []
      @report_data[:ports].each do |svc|
        reported << db_report(:service, svc.merge(:host => host_object))
      end
      reported
    end

  end

end
end