2005-11-26 19:56:03 +00:00
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
module Msf
|
|
|
|
|
|
|
|
###
|
|
|
|
#
|
|
|
|
# This module exposes methods for manipulating the Arkeia backup service
|
|
|
|
#
|
|
|
|
###
|
|
|
|
module Exploit::Remote::Arkeia
|
|
|
|
|
|
|
|
include Exploit::Remote::Tcp
|
|
|
|
|
|
|
|
#
|
|
|
|
# Creates an instance of a MSSQL exploit module.
|
|
|
|
#
|
|
|
|
def initialize(info = {})
|
|
|
|
super
|
|
|
|
|
|
|
|
# Register the options that all FTP exploits may make use of.
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RHOST,
|
|
|
|
Opt::RPORT(617),
|
|
|
|
], Msf::Exploit::Remote::Arkeia)
|
|
|
|
|
|
|
|
self.recv_buff = ''
|
|
|
|
end
|
|
|
|
|
|
|
|
|
2005-11-27 01:51:50 +00:00
|
|
|
#
|
|
|
|
# Flush the receive buffer on a new connection
|
|
|
|
#
|
|
|
|
def connect
|
|
|
|
super
|
|
|
|
self.recv_buff = ''
|
|
|
|
end
|
|
|
|
|
2005-11-26 19:56:03 +00:00
|
|
|
#
|
|
|
|
# This method dumps some information about the service
|
|
|
|
#
|
|
|
|
def arkeia_info
|
|
|
|
connect
|
|
|
|
|
|
|
|
info = { }
|
|
|
|
resp = ''
|
|
|
|
|
|
|
|
# Authenticate1
|
2005-11-27 01:51:50 +00:00
|
|
|
req =
|
|
|
|
"\x00\x41\x00\x00\x00\x00\x00\x73"+
|
2005-11-26 19:56:03 +00:00
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00"+
|
|
|
|
"\x00\x00\x00\x00\x7f\x00\x00\x01"+
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00"+
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00"+
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00"+
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00"+
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00"+
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00"+
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00"+
|
|
|
|
"\x01\x00\x00\x7f\x41\x52\x4b\x41"+
|
|
|
|
"\x44\x4d\x49\x4e\x00\x72\x6f\x6f"+
|
|
|
|
"\x74\x00\x72\x6f\x6f\x74\x00\x00"+
|
|
|
|
"\x00\x34\x2e\x33\x2e\x30\x2d\x31"+
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00"+
|
|
|
|
"\x00\x00\x00"
|
|
|
|
|
|
|
|
sock.put(req)
|
|
|
|
resp = arkeia_recv()
|
|
|
|
if (not (resp and resp[0,4] == "\x00\x60\x00\x04"))
|
|
|
|
disconnect
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
|
|
|
# Authenticate2
|
2005-11-27 01:51:50 +00:00
|
|
|
req =
|
|
|
|
"\x00\x73\x00\x00\x00\x00\x00\x0c" +
|
2005-11-26 19:56:03 +00:00
|
|
|
"\x32\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00"
|
|
|
|
|
|
|
|
sock.put(req)
|
|
|
|
resp = arkeia_recv()
|
|
|
|
if (not (resp and resp[0,4] == "\x00\x60\x00\x04"))
|
|
|
|
disconnect
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
|
|
|
# SessionSetup1
|
2005-11-27 01:51:50 +00:00
|
|
|
req =
|
|
|
|
"\x00\x61\x00\x04\x00\x01\x00\x15"+
|
2005-11-26 19:56:03 +00:00
|
|
|
"\x00\x00\x31\x35\x33\x39\x38\x00"+
|
|
|
|
"\x45\x4e\x00\x00\x00\x00\x00\x00"+
|
|
|
|
"\x00\x00\x00\x00\x00"
|
|
|
|
|
|
|
|
sock.put(req)
|
|
|
|
resp = arkeia_recv()
|
|
|
|
if (not (resp and resp[0,4] == "\x00\x43\x00\x00"))
|
|
|
|
disconnect
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
|
|
|
# Begin the ARKADMIN_GET_CLIENT_INFO request
|
2005-11-27 01:51:50 +00:00
|
|
|
req =
|
|
|
|
"\x00\x62\x00\x01\x00\x02\x00\x25"+
|
2005-11-26 19:56:03 +00:00
|
|
|
"\x41\x52\x4b\x41\x44\x4d\x49\x4e"+
|
|
|
|
"\x5f\x47\x45\x54\x5f\x43\x4c\x49"+
|
|
|
|
"\x45\x4e\x54\x5f\x49\x4e\x46\x4f"+
|
|
|
|
"\x00\x32\x00\x00\x00\x00\x00\x00"+
|
|
|
|
"\x00\x00\x00\x00\x00"
|
|
|
|
|
|
|
|
sock.put(req)
|
|
|
|
resp = arkeia_recv()
|
|
|
|
if (not (resp and resp[0,4] == "\x00\x43\x00\x00"))
|
|
|
|
disconnect
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
|
|
|
# Complete the ARKADMIN_GET_CLIENT_INFO request
|
2005-11-27 01:51:50 +00:00
|
|
|
req =
|
|
|
|
"\x00\x63\x00\x04\x00\x03\x00\x11"+
|
2005-11-26 19:56:03 +00:00
|
|
|
"\x30\x00\x31\x00\x32\x00\x00\x00"+
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00"+
|
|
|
|
"\x00"
|
|
|
|
|
|
|
|
sock.put(req)
|
|
|
|
1.upto(5) { |i|
|
|
|
|
resp = arkeia_recv()
|
|
|
|
break if not resp
|
|
|
|
break if resp =~ /VERSION/
|
|
|
|
}
|
|
|
|
|
|
|
|
if (not (resp and resp =~ /VERSION/))
|
|
|
|
disconnect
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
|
|
|
# Store the version information
|
|
|
|
mver = resp.match(/IVERSION\x00([^\x00]+)/)
|
|
|
|
info['Version'] = mver[1] if mver
|
|
|
|
|
|
|
|
# Store the hostname information
|
|
|
|
mver = resp.match(/ISERVNAME\x00([^\x00]+)/)
|
|
|
|
info['Hostname'] = mver[1] if mver
|
|
|
|
|
|
|
|
# Begin the ARKADMIN_GET_MACHINE_INFO request
|
2005-11-27 01:51:50 +00:00
|
|
|
req =
|
|
|
|
"\x00\x62\x00\x01\x00\x02\x00\x26"+
|
2005-11-26 19:56:03 +00:00
|
|
|
"\x41\x52\x4b\x41\x44\x4d\x49\x4e"+
|
|
|
|
"\x5f\x47\x45\x54\x5f\x4d\x41\x43"+
|
|
|
|
"\x48\x49\x4e\x45\x5f\x49\x4e\x46"+
|
|
|
|
"\x4f\x00\x33\x00\x00\x00\x00\x00"+
|
|
|
|
"\x00\x00\x00\x00\x00\x00"
|
|
|
|
|
|
|
|
sock.put(req)
|
|
|
|
1.upto(5) { |i|
|
|
|
|
resp = arkeia_recv()
|
|
|
|
break if not resp
|
|
|
|
break if resp[0,2] == "\x00\x43"
|
|
|
|
}
|
|
|
|
if (not (resp and resp[0,2] == "\x00\x43"))
|
|
|
|
disconnect
|
|
|
|
return info
|
|
|
|
end
|
|
|
|
|
|
|
|
# Complete the ARKADMIN_GET_MACHINE_INFO request
|
2005-11-27 01:51:50 +00:00
|
|
|
req =
|
|
|
|
"\x00\x63\x00\x04\x00\x03\x00\x11"+
|
2005-11-26 19:56:03 +00:00
|
|
|
"\x30\x00\x31\x00\x33\x00\x00\x00"+
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00"+
|
|
|
|
"\x00"
|
|
|
|
|
|
|
|
sock.put(req)
|
|
|
|
1.upto(5) { |i|
|
|
|
|
resp = arkeia_recv()
|
|
|
|
break if not (resp and resp.length > 0)
|
|
|
|
break if resp[0,2] == "\x00\x69"
|
|
|
|
}
|
|
|
|
if (not (resp and resp[0,2] == "\x00\x69"))
|
|
|
|
disconnect
|
|
|
|
return info
|
|
|
|
end
|
|
|
|
|
|
|
|
# Finally, parse out and store all the parameters
|
|
|
|
resp.split("TPVALUE\x00").each { |x|
|
|
|
|
minf = x.match(/^([^\x00]+)\x00PNAME\x00([^\x00]+)/)
|
|
|
|
if (minf)
|
|
|
|
info[ minf[2] ] = minf[1]
|
|
|
|
end
|
|
|
|
}
|
|
|
|
|
|
|
|
disconnect
|
|
|
|
return info
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# This method reads from the socket and parses out a single
|
|
|
|
# arkeia response, buffering the rest
|
|
|
|
#
|
|
|
|
def arkeia_recv(nsock = self.sock)
|
|
|
|
if (self.recv_buff.length < 8)
|
|
|
|
self.recv_buff << (sock.get_once || '')
|
|
|
|
end
|
|
|
|
|
|
|
|
if (self.recv_buff.length < 8)
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
|
|
|
# Read the length header out of the message
|
|
|
|
dlen = self.recv_buff[6, 2].unpack('n')[0]
|
|
|
|
|
|
|
|
# Do we have the entire response message?
|
|
|
|
if (self.recv_buff.length >= dlen + 8)
|
|
|
|
return self.recv_buff.slice!(0, dlen + 8)
|
|
|
|
end
|
|
|
|
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
attr_accessor :recv_buff
|
|
|
|
end
|
|
|
|
end
|