Delete print_debug/vprint_debug
parent
8aca4539c9
commit
4224008709
|
@ -92,11 +92,7 @@ module Exploit::Remote::HttpServer
|
||||||
def print_error(msg='')
|
def print_error(msg='')
|
||||||
(cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
|
(cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
|
||||||
end
|
end
|
||||||
# :category: print_* overrides
|
|
||||||
# Prepends client and module name if inside a thread with a #cli
|
|
||||||
def print_debug(msg='')
|
|
||||||
(cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
|
|
||||||
end
|
|
||||||
#
|
#
|
||||||
# :category: print_* overrides
|
# :category: print_* overrides
|
||||||
# Prepends client and module name if inside a thread with a #cli
|
# Prepends client and module name if inside a thread with a #cli
|
||||||
|
@ -126,11 +122,6 @@ module Exploit::Remote::HttpServer
|
||||||
end
|
end
|
||||||
# :category: print_* overrides
|
# :category: print_* overrides
|
||||||
# Prepends client and module name if inside a thread with a #cli
|
# Prepends client and module name if inside a thread with a #cli
|
||||||
def vprint_debug(msg='')
|
|
||||||
(cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
|
|
||||||
end
|
|
||||||
# :category: print_* overrides
|
|
||||||
# Prepends client and module name if inside a thread with a #cli
|
|
||||||
def vprint_warning(msg='')
|
def vprint_warning(msg='')
|
||||||
(cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
|
(cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
|
||||||
end
|
end
|
||||||
|
|
|
@ -219,7 +219,7 @@ module Msf
|
||||||
|
|
||||||
@requirements.each do |k, v|
|
@requirements.each do |k, v|
|
||||||
expected = k != :vuln_test ? v : 'true'
|
expected = k != :vuln_test ? v : 'true'
|
||||||
vprint_debug("Comparing requirement: #{k}=#{expected} vs #{k}=#{profile[k.to_sym]}")
|
vprint_status("Comparing requirement: #{k}=#{expected} vs #{k}=#{profile[k.to_sym]}")
|
||||||
|
|
||||||
if k == :activex
|
if k == :activex
|
||||||
bad_reqs << k if has_bad_activex?(profile[k.to_sym])
|
bad_reqs << k if has_bad_activex?(profile[k.to_sym])
|
||||||
|
@ -334,7 +334,7 @@ module Msf
|
||||||
when :script
|
when :script
|
||||||
# Gathers target data from a POST request
|
# Gathers target data from a POST request
|
||||||
parsed_body = CGI::parse(Rex::Text.decode_base64(request.body) || '')
|
parsed_body = CGI::parse(Rex::Text.decode_base64(request.body) || '')
|
||||||
vprint_debug("Received sniffed browser data over POST: \n#{parsed_body}.")
|
vprint_status("Received sniffed browser data over POST: \n#{parsed_body}.")
|
||||||
parsed_body.each { |k, v| update_profile(target_info, k.to_sym, v.first) }
|
parsed_body.each { |k, v| update_profile(target_info, k.to_sym, v.first) }
|
||||||
when :headers
|
when :headers
|
||||||
# Gathers target data from headers
|
# Gathers target data from headers
|
||||||
|
|
|
@ -1,9 +1,4 @@
|
||||||
module Msf::Module::UI::Message::Verbose
|
module Msf::Module::UI::Message::Verbose
|
||||||
# Verbose version of #print_debug
|
|
||||||
def vprint_debug(msg)
|
|
||||||
print_debug(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
|
|
||||||
end
|
|
||||||
|
|
||||||
# Verbose version of #print_error
|
# Verbose version of #print_error
|
||||||
def vprint_error(msg)
|
def vprint_error(msg)
|
||||||
print_error(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
|
print_error(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
|
||||||
|
|
|
@ -119,13 +119,6 @@ class Plugin
|
||||||
output.print_good(msg) if (output)
|
output.print_good(msg) if (output)
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Prints a 'debug' message.
|
|
||||||
#
|
|
||||||
def print_debug(msg='')
|
|
||||||
output.print_debug(msg) if (output)
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Prints a status line.
|
# Prints a status line.
|
||||||
#
|
#
|
||||||
|
|
|
@ -331,7 +331,6 @@ protected
|
||||||
begin
|
begin
|
||||||
client.sys.config.getprivs()
|
client.sys.config.getprivs()
|
||||||
root_key, base_key = session.sys.registry.splitkey(key)
|
root_key, base_key = session.sys.registry.splitkey(key)
|
||||||
#print_debug("Loading file #{file}")
|
|
||||||
begin
|
begin
|
||||||
loadres = session.sys.registry.load_key(root_key, base_key, file)
|
loadres = session.sys.registry.load_key(root_key, base_key, file)
|
||||||
rescue Rex::Post::Meterpreter::RequestError => e
|
rescue Rex::Post::Meterpreter::RequestError => e
|
||||||
|
@ -349,7 +348,6 @@ protected
|
||||||
#print_error("An unknown error has occurred: #{loadres.to_s}")
|
#print_error("An unknown error has occurred: #{loadres.to_s}")
|
||||||
return false
|
return false
|
||||||
else
|
else
|
||||||
#print_debug("Registry Hive Loaded Successfully: #{key}")
|
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -377,7 +375,6 @@ protected
|
||||||
#print_error("An unknown error has occurred: #{unloadres.to_s}")
|
#print_error("An unknown error has occurred: #{unloadres.to_s}")
|
||||||
return false
|
return false
|
||||||
else
|
else
|
||||||
#print_debug("Registry Hive Unloaded Successfully: #{key}")
|
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -32,10 +32,10 @@ module Msf::HTTP::Typo3::Login
|
||||||
end
|
end
|
||||||
n = n_match[1]
|
n = n_match[1]
|
||||||
|
|
||||||
vprint_debug("e: #{e}")
|
vprint_status("e: #{e}")
|
||||||
vprint_debug("n: #{n}")
|
vprint_status("n: #{n}")
|
||||||
rsa_enc = typo3_helper_login_rsa(e, n, pass)
|
rsa_enc = typo3_helper_login_rsa(e, n, pass)
|
||||||
vprint_debug("RSA Hash: #{rsa_enc}")
|
vprint_status("RSA Hash: #{rsa_enc}")
|
||||||
# make login request
|
# make login request
|
||||||
vars_post = {
|
vars_post = {
|
||||||
'n' => '',
|
'n' => '',
|
||||||
|
@ -58,10 +58,10 @@ module Msf::HTTP::Typo3::Login
|
||||||
})
|
})
|
||||||
if res_login
|
if res_login
|
||||||
if res_login.body =~ /<!-- ###LOGIN_ERROR### begin -->(.*)<!-- ###LOGIN_ERROR### end -->/im
|
if res_login.body =~ /<!-- ###LOGIN_ERROR### begin -->(.*)<!-- ###LOGIN_ERROR### end -->/im
|
||||||
vprint_debug(strip_tags($1))
|
vprint_status(strip_tags($1))
|
||||||
return nil
|
return nil
|
||||||
elsif res_login.body =~ /<p class="t3-error-text">(.*?)<\/p>/im
|
elsif res_login.body =~ /<p class="t3-error-text">(.*?)<\/p>/im
|
||||||
vprint_debug(strip_tags($1))
|
vprint_status(strip_tags($1))
|
||||||
return nil
|
return nil
|
||||||
else
|
else
|
||||||
cookies = res_login.get_cookies
|
cookies = res_login.get_cookies
|
||||||
|
|
|
@ -87,10 +87,6 @@ class BidirectionalPipe < Rex::Ui::Text::Input
|
||||||
print_line('[+] ' + msg)
|
print_line('[+] ' + msg)
|
||||||
end
|
end
|
||||||
|
|
||||||
def print_debug(msg='')
|
|
||||||
print_line('[!] ' + msg)
|
|
||||||
end
|
|
||||||
|
|
||||||
def flush
|
def flush
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -30,9 +30,6 @@ class Output
|
||||||
def print_good(msg='')
|
def print_good(msg='')
|
||||||
end
|
end
|
||||||
|
|
||||||
def print_debug(msg='')
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Prints a status line.
|
# Prints a status line.
|
||||||
#
|
#
|
||||||
|
|
|
@ -56,16 +56,6 @@ module Subscriber
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Wraps user_output.print_debug
|
|
||||||
#
|
|
||||||
def print_debug(msg='')
|
|
||||||
if (user_output)
|
|
||||||
print_blank_line if user_output.prompting?
|
|
||||||
user_output.print_debug(msg)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Wraps user_output.print_warning
|
# Wraps user_output.print_warning
|
||||||
#
|
#
|
||||||
|
|
|
@ -55,10 +55,6 @@ class Output < Rex::Ui::Output
|
||||||
print_line("%bld%grn[+]%clr #{msg}")
|
print_line("%bld%grn[+]%clr #{msg}")
|
||||||
end
|
end
|
||||||
|
|
||||||
def print_debug(msg = '')
|
|
||||||
print_line("%bld%cya[!]%clr #{msg}")
|
|
||||||
end
|
|
||||||
|
|
||||||
def print_status(msg = '')
|
def print_status(msg = '')
|
||||||
print_line("%bld%blu[*]%clr #{msg}")
|
print_line("%bld%blu[*]%clr #{msg}")
|
||||||
end
|
end
|
||||||
|
|
|
@ -129,7 +129,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
}
|
}
|
||||||
|
|
||||||
space_to_fill = size_bytes - empty_xml.size
|
space_to_fill = size_bytes - empty_xml.size
|
||||||
vprint_debug("#{peer} - max XML space to fill: #{space_to_fill} bytes")
|
vprint_status("#{peer} - max XML space to fill: #{space_to_fill} bytes")
|
||||||
|
|
||||||
payload = "&#{entity};" * (space_to_fill / 6)
|
payload = "&#{entity};" * (space_to_fill / 6)
|
||||||
entity_value_length = space_to_fill - payload.length
|
entity_value_length = space_to_fill - payload.length
|
||||||
|
|
|
@ -101,7 +101,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
# Verify if session cookie is valid and return user's ID
|
# Verify if session cookie is valid and return user's ID
|
||||||
#
|
#
|
||||||
def get_user_id
|
def get_user_id
|
||||||
# print_debug("#{peer} - Trying to hijack session '#{@cookie}'")
|
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => normalize_uri(target_uri.path, 'user/fiche.php'),
|
'uri' => normalize_uri(target_uri.path, 'user/fiche.php'),
|
||||||
'cookie' => @cookie
|
'cookie' => @cookie
|
||||||
|
@ -121,7 +120,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
# Construct cookie using token
|
# Construct cookie using token
|
||||||
#
|
#
|
||||||
def create_cookie(token)
|
def create_cookie(token)
|
||||||
# print_debug("#{peer} - Creating a cookie with token '#{token}'")
|
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => normalize_uri(target_uri.path, 'user/fiche.php'),
|
'uri' => normalize_uri(target_uri.path, 'user/fiche.php'),
|
||||||
'cookie' => "DOLSESSID_#{Rex::Text.rand_text_alphanumeric(10)}=#{token}"
|
'cookie' => "DOLSESSID_#{Rex::Text.rand_text_alphanumeric(10)}=#{token}"
|
||||||
|
|
|
@ -43,7 +43,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
val_actual = resp[idx,4].unpack("V")[0]
|
val_actual = resp[idx,4].unpack("V")[0]
|
||||||
idx += 4
|
idx += 4
|
||||||
value = resp[idx,val_actual*2]
|
value = resp[idx,val_actual*2]
|
||||||
#print_debug "resp[0x#{idx.to_s(16)},#{val_actual*2}] : " + value
|
|
||||||
idx += val_actual * 2
|
idx += val_actual * 2
|
||||||
|
|
||||||
idx += val_actual % 2 * 2 # alignment
|
idx += val_actual % 2 * 2 # alignment
|
||||||
|
@ -54,15 +53,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
def parse_net_wksta_enum_users_info(resp)
|
def parse_net_wksta_enum_users_info(resp)
|
||||||
accounts = [ Hash.new() ]
|
accounts = [ Hash.new() ]
|
||||||
|
|
||||||
#print_debug resp[0,20].unpack("H*")
|
|
||||||
idx = 20
|
idx = 20
|
||||||
count = resp[idx,4].unpack("V")[0] # wkssvc_NetWkstaEnumUsersInfo -> Info -> PtrCt0 -> User() -> Ptr -> Max Count
|
count = resp[idx,4].unpack("V")[0] # wkssvc_NetWkstaEnumUsersInfo -> Info -> PtrCt0 -> User() -> Ptr -> Max Count
|
||||||
idx += 4
|
idx += 4
|
||||||
#print_debug "Max Count : " + count.to_s
|
|
||||||
|
|
||||||
1.upto(count) do
|
1.upto(count) do
|
||||||
# wkssvc_NetWkstaEnumUsersInfo -> Info -> PtrCt0 -> User() -> Ptr -> Ref ID
|
# wkssvc_NetWkstaEnumUsersInfo -> Info -> PtrCt0 -> User() -> Ptr -> Ref ID
|
||||||
# print_debug "Ref ID#{account.to_s}: " + resp[idx,4].unpack("H*").to_s
|
|
||||||
idx += 4 # ref id name
|
idx += 4 # ref id name
|
||||||
idx += 4 # ref id logon domain
|
idx += 4 # ref id logon domain
|
||||||
idx += 4 # ref id other domains
|
idx += 4 # ref id other domains
|
||||||
|
|
|
@ -173,7 +173,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
while (attempt_num <= retry_num) && (ret.nil? || ret == :connection_error)
|
while (attempt_num <= retry_num) && (ret.nil? || ret == :connection_error)
|
||||||
if attempt_num > 0
|
if attempt_num > 0
|
||||||
Rex.sleep(2 ** attempt_num)
|
Rex.sleep(2 ** attempt_num)
|
||||||
print_debug "#{peer(ip)} Retrying '#{user}' due to connection error"
|
vprint_status("#{peer(ip)} Retrying '#{user}' due to connection error")
|
||||||
end
|
end
|
||||||
|
|
||||||
ret = check_user(ip, user, rport)
|
ret = check_user(ip, user, rport)
|
||||||
|
|
|
@ -148,7 +148,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
while attempt_num <= retry_num and (ret.nil? or ret == :connection_error)
|
while attempt_num <= retry_num and (ret.nil? or ret == :connection_error)
|
||||||
if attempt_num > 0
|
if attempt_num > 0
|
||||||
Rex.sleep(2 ** attempt_num)
|
Rex.sleep(2 ** attempt_num)
|
||||||
print_debug "#{peer(ip)} Retrying '#{user}' due to connection error"
|
vprint_status("#{peer(ip)} Retrying '#{user}' due to connection error")
|
||||||
end
|
end
|
||||||
|
|
||||||
ret = check_user(ip, user, rport)
|
ret = check_user(ip, user, rport)
|
||||||
|
@ -161,12 +161,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
def show_result(attempt_result, user, ip)
|
def show_result(attempt_result, user, ip)
|
||||||
case attempt_result
|
case attempt_result
|
||||||
when :success
|
when :success
|
||||||
print_good "#{peer(ip)} User '#{user}' found"
|
print_good("#{peer(ip)} User '#{user}' found")
|
||||||
do_report(ip, user, rport)
|
do_report(ip, user, rport)
|
||||||
when :connection_error
|
when :connection_error
|
||||||
print_error "#{peer(ip)} User '#{user}' on could not connect"
|
print_error("#{peer(ip)} User '#{user}' on could not connect")
|
||||||
when :fail
|
when :fail
|
||||||
print_debug "#{peer(ip)} User '#{user}' not found"
|
print_error("#{peer(ip)} User '#{user}' not found")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -693,12 +693,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
ssl_type = ssl_unpacked[0]
|
ssl_type = ssl_unpacked[0]
|
||||||
ssl_version = ssl_unpacked[1]
|
ssl_version = ssl_unpacked[1]
|
||||||
ssl_len = ssl_unpacked[2]
|
ssl_len = ssl_unpacked[2]
|
||||||
vprint_debug("SSL record ##{ssl_record_counter}:")
|
vprint_status("SSL record ##{ssl_record_counter}:")
|
||||||
vprint_debug("\tType: #{ssl_type}")
|
vprint_status("\tType: #{ssl_type}")
|
||||||
vprint_debug("\tVersion: 0x#{ssl_version}")
|
vprint_status("\tVersion: 0x#{ssl_version}")
|
||||||
vprint_debug("\tLength: #{ssl_len}")
|
vprint_status("\tLength: #{ssl_len}")
|
||||||
if ssl_type != HANDSHAKE_RECORD_TYPE
|
if ssl_type != HANDSHAKE_RECORD_TYPE
|
||||||
vprint_debug("\tWrong Record Type! (#{ssl_type})")
|
vprint_status("\tWrong Record Type! (#{ssl_type})")
|
||||||
else
|
else
|
||||||
ssl_data = remaining_data[5, ssl_len]
|
ssl_data = remaining_data[5, ssl_len]
|
||||||
handshakes = parse_handshakes(ssl_data)
|
handshakes = parse_handshakes(ssl_data)
|
||||||
|
@ -729,24 +729,24 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
hs_len = hs_unpacked[2]
|
hs_len = hs_unpacked[2]
|
||||||
hs_data = remaining_data[4, hs_len]
|
hs_data = remaining_data[4, hs_len]
|
||||||
handshake_count += 1
|
handshake_count += 1
|
||||||
vprint_debug("\tHandshake ##{handshake_count}:")
|
vprint_status("\tHandshake ##{handshake_count}:")
|
||||||
vprint_debug("\t\tLength: #{hs_len}")
|
vprint_status("\t\tLength: #{hs_len}")
|
||||||
|
|
||||||
handshake_parsed = nil
|
handshake_parsed = nil
|
||||||
case hs_type
|
case hs_type
|
||||||
when HANDSHAKE_SERVER_HELLO_TYPE
|
when HANDSHAKE_SERVER_HELLO_TYPE
|
||||||
vprint_debug("\t\tType: Server Hello (#{hs_type})")
|
vprint_status("\t\tType: Server Hello (#{hs_type})")
|
||||||
handshake_parsed = parse_server_hello(hs_data)
|
handshake_parsed = parse_server_hello(hs_data)
|
||||||
when HANDSHAKE_CERTIFICATE_TYPE
|
when HANDSHAKE_CERTIFICATE_TYPE
|
||||||
vprint_debug("\t\tType: Certificate Data (#{hs_type})")
|
vprint_status("\t\tType: Certificate Data (#{hs_type})")
|
||||||
handshake_parsed = parse_certificate_data(hs_data)
|
handshake_parsed = parse_certificate_data(hs_data)
|
||||||
when HANDSHAKE_KEY_EXCHANGE_TYPE
|
when HANDSHAKE_KEY_EXCHANGE_TYPE
|
||||||
vprint_debug("\t\tType: Server Key Exchange (#{hs_type})")
|
vprint_status("\t\tType: Server Key Exchange (#{hs_type})")
|
||||||
# handshake_parsed = parse_server_key_exchange(hs_data)
|
# handshake_parsed = parse_server_key_exchange(hs_data)
|
||||||
when HANDSHAKE_SERVER_HELLO_DONE_TYPE
|
when HANDSHAKE_SERVER_HELLO_DONE_TYPE
|
||||||
vprint_debug("\t\tType: Server Hello Done (#{hs_type})")
|
vprint_status("\t\tType: Server Hello Done (#{hs_type})")
|
||||||
else
|
else
|
||||||
vprint_debug("\t\tType: Handshake type #{hs_type} not implemented")
|
vprint_status("\t\tType: Handshake type #{hs_type} not implemented")
|
||||||
end
|
end
|
||||||
|
|
||||||
handshakes << {
|
handshakes << {
|
||||||
|
@ -763,13 +763,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
# Parse Server Hello message
|
# Parse Server Hello message
|
||||||
def parse_server_hello(data)
|
def parse_server_hello(data)
|
||||||
version = data.unpack('H4')[0]
|
version = data.unpack('H4')[0]
|
||||||
vprint_debug("\t\tServer Hello Version: 0x#{version}")
|
vprint_status("\t\tServer Hello Version: 0x#{version}")
|
||||||
random = data[2,32].unpack('H*')[0]
|
random = data[2,32].unpack('H*')[0]
|
||||||
vprint_debug("\t\tServer Hello random data: #{random}")
|
vprint_status("\t\tServer Hello random data: #{random}")
|
||||||
session_id_length = data[34,1].unpack('C')[0]
|
session_id_length = data[34,1].unpack('C')[0]
|
||||||
vprint_debug("\t\tServer Hello Session ID length: #{session_id_length}")
|
vprint_status("\t\tServer Hello Session ID length: #{session_id_length}")
|
||||||
session_id = data[35,session_id_length].unpack('H*')[0]
|
session_id = data[35,session_id_length].unpack('H*')[0]
|
||||||
vprint_debug("\t\tServer Hello Session ID: #{session_id}")
|
vprint_status("\t\tServer Hello Session ID: #{session_id}")
|
||||||
# TODO Read the rest of the server hello (respect message length)
|
# TODO Read the rest of the server hello (respect message length)
|
||||||
|
|
||||||
# TODO: return hash with data
|
# TODO: return hash with data
|
||||||
|
@ -782,8 +782,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
unpacked = data.unpack('Cn')
|
unpacked = data.unpack('Cn')
|
||||||
cert_len_padding = unpacked[0]
|
cert_len_padding = unpacked[0]
|
||||||
cert_len = unpacked[1]
|
cert_len = unpacked[1]
|
||||||
vprint_debug("\t\tCertificates length: #{cert_len}")
|
vprint_status("\t\tCertificates length: #{cert_len}")
|
||||||
vprint_debug("\t\tData length: #{data.length}")
|
vprint_status("\t\tData length: #{data.length}")
|
||||||
# contains multiple certs
|
# contains multiple certs
|
||||||
already_read = 3
|
already_read = 3
|
||||||
cert_counter = 0
|
cert_counter = 0
|
||||||
|
@ -793,14 +793,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
single_cert_unpacked = data[already_read, 3].unpack('Cn')
|
single_cert_unpacked = data[already_read, 3].unpack('Cn')
|
||||||
single_cert_len_padding = single_cert_unpacked[0]
|
single_cert_len_padding = single_cert_unpacked[0]
|
||||||
single_cert_len = single_cert_unpacked[1]
|
single_cert_len = single_cert_unpacked[1]
|
||||||
vprint_debug("\t\tCertificate ##{cert_counter}:")
|
vprint_status("\t\tCertificate ##{cert_counter}:")
|
||||||
vprint_debug("\t\t\tCertificate ##{cert_counter}: Length: #{single_cert_len}")
|
vprint_status("\t\t\tCertificate ##{cert_counter}: Length: #{single_cert_len}")
|
||||||
certificate_data = data[(already_read + 3), single_cert_len]
|
certificate_data = data[(already_read + 3), single_cert_len]
|
||||||
cert = OpenSSL::X509::Certificate.new(certificate_data)
|
cert = OpenSSL::X509::Certificate.new(certificate_data)
|
||||||
# First received certificate is the one from the server
|
# First received certificate is the one from the server
|
||||||
@cert = cert if @cert.nil?
|
@cert = cert if @cert.nil?
|
||||||
#vprint_debug("Got certificate: #{cert.to_text}")
|
#vprint_status("Got certificate: #{cert.to_text}")
|
||||||
vprint_debug("\t\t\tCertificate ##{cert_counter}: #{cert.inspect}")
|
vprint_status("\t\t\tCertificate ##{cert_counter}: #{cert.inspect}")
|
||||||
already_read = already_read + single_cert_len + 3
|
already_read = already_read + single_cert_len + 3
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -233,7 +233,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
)
|
)
|
||||||
|
|
||||||
if (datastore['DEBUG'])
|
if (datastore['DEBUG'])
|
||||||
print_debug("NOTE: Debug Mode; javascript will not be obfuscated")
|
print_status("NOTE: Debug Mode; javascript will not be obfuscated")
|
||||||
else
|
else
|
||||||
pre = Time.now
|
pre = Time.now
|
||||||
|
|
||||||
|
|
|
@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
send_response(cli, apk_bytes, magic_headers)
|
send_response(cli, apk_bytes, magic_headers)
|
||||||
end
|
end
|
||||||
elsif req.uri =~ /_poll/
|
elsif req.uri =~ /_poll/
|
||||||
vprint_debug "Polling #{req.qstring['id']}: #{@served_payloads[req.qstring['id']]}"
|
vprint_status("Polling #{req.qstring['id']}: #{@served_payloads[req.qstring['id']]}")
|
||||||
send_response(cli, @served_payloads[req.qstring['id']].to_s, 'Content-type' => 'text/plain')
|
send_response(cli, @served_payloads[req.qstring['id']].to_s, 'Content-type' => 'text/plain')
|
||||||
elsif req.uri =~ /launch$/
|
elsif req.uri =~ /launch$/
|
||||||
send_response_html(cli, launch_html)
|
send_response_html(cli, launch_html)
|
||||||
|
|
|
@ -349,7 +349,7 @@ int main(int argc,char *argv[], char ** envp)
|
||||||
rm_f executable_path
|
rm_f executable_path
|
||||||
write_file(executable_path, elf)
|
write_file(executable_path, elf)
|
||||||
output = cmd_exec("chmod +x #{executable_path}; #{executable_path}")
|
output = cmd_exec("chmod +x #{executable_path}; #{executable_path}")
|
||||||
output.each_line { |line| print_debug line.chomp }
|
output.each_line { |line| vprint_status(line.chomp) }
|
||||||
|
|
||||||
stime = Time.now.to_f
|
stime = Time.now.to_f
|
||||||
print_status "Starting the payload handler..."
|
print_status "Starting the payload handler..."
|
||||||
|
|
|
@ -446,7 +446,7 @@ int main(int argc, char **argv) {
|
||||||
rm_f executable_path
|
rm_f executable_path
|
||||||
write_file(executable_path, elf)
|
write_file(executable_path, elf)
|
||||||
output = cmd_exec("chmod +x #{executable_path}; #{executable_path}")
|
output = cmd_exec("chmod +x #{executable_path}; #{executable_path}")
|
||||||
output.each_line { |line| print_debug line.chomp }
|
output.each_line { |line| vprint_status(line.chomp) }
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -195,8 +195,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def execute_command(cmd, opts)
|
def execute_command(cmd, opts)
|
||||||
vprint_debug(cmd)
|
|
||||||
|
|
||||||
# Get the length of the command, for the backdoor's command injection
|
# Get the length of the command, for the backdoor's command injection
|
||||||
cmd_length = cmd.length
|
cmd_length = cmd.length
|
||||||
|
|
||||||
|
|
|
@ -97,7 +97,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
||||||
|
|
||||||
rescue
|
rescue
|
||||||
peer = "#{rhost}:#{rport}"
|
peer = "#{rhost}:#{rport}"
|
||||||
vprint_debug("#{peer} - Caught #{$!.class}: #{$!.message}")
|
vprint_status("#{peer} - Caught #{$!.class}: #{$!.message}")
|
||||||
|
|
||||||
ensure
|
ensure
|
||||||
smtp_disconnect
|
smtp_disconnect
|
||||||
|
@ -160,14 +160,14 @@ class Metasploit4 < Msf::Exploit::Remote
|
||||||
16.times do
|
16.times do
|
||||||
done = catch(:another_heap_shift) do
|
done = catch(:another_heap_shift) do
|
||||||
heap_shift = MIN_HEAP_SHIFT + (rand(1024) & ~15)
|
heap_shift = MIN_HEAP_SHIFT + (rand(1024) & ~15)
|
||||||
print_debug("#{{ heap_shift: heap_shift }}")
|
vprint_status("#{{ heap_shift: heap_shift }}")
|
||||||
|
|
||||||
# write the malloc_chunk header at increasing offsets (8-byte step),
|
# write the malloc_chunk header at increasing offsets (8-byte step),
|
||||||
# until we overwrite the "503 sender not yet given" error message
|
# until we overwrite the "503 sender not yet given" error message
|
||||||
|
|
||||||
128.step(256, 8) do |write_offset|
|
128.step(256, 8) do |write_offset|
|
||||||
error = try_information_leak(heap_shift, write_offset)
|
error = try_information_leak(heap_shift, write_offset)
|
||||||
print_debug("#{{ write_offset: write_offset, error: error }}")
|
vprint_status("#{{ write_offset: write_offset, error: error }}")
|
||||||
throw(:another_heap_shift) if not error
|
throw(:another_heap_shift) if not error
|
||||||
next if error == "503 sender not yet given"
|
next if error == "503 sender not yet given"
|
||||||
|
|
||||||
|
@ -179,7 +179,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
||||||
error[i] = try_information_leak(heap_shift, write_offset + i*8)
|
error[i] = try_information_leak(heap_shift, write_offset + i*8)
|
||||||
throw(:another_heap_shift) if not error[i]
|
throw(:another_heap_shift) if not error[i]
|
||||||
end
|
end
|
||||||
print_debug("#{{ error: error }}")
|
vprint_status("#{{ error: error }}")
|
||||||
|
|
||||||
_leaked_arch = leaked_arch
|
_leaked_arch = leaked_arch
|
||||||
if (error[0] == error[1]) and (error[0].empty? or (error[0].unpack('C')[0] & 7) == 0) and # fd_nextsize
|
if (error[0] == error[1]) and (error[0].empty? or (error[0].unpack('C')[0] & 7) == 0) and # fd_nextsize
|
||||||
|
@ -197,7 +197,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
||||||
else
|
else
|
||||||
throw(:another_heap_shift)
|
throw(:another_heap_shift)
|
||||||
end
|
end
|
||||||
print_debug("#{{ leaked_arch: leaked_arch }}")
|
vprint_status("#{{ leaked_arch: leaked_arch }}")
|
||||||
fail_with(Failure::BadConfig, "arch changed") if _leaked_arch and _leaked_arch != leaked_arch
|
fail_with(Failure::BadConfig, "arch changed") if _leaked_arch and _leaked_arch != leaked_arch
|
||||||
|
|
||||||
# try different large-bins: most of them should be empty,
|
# try different large-bins: most of them should be empty,
|
||||||
|
@ -211,7 +211,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
||||||
next if (error.unpack('C')[0] & (leaked_arch == ARCH_X86 ? 7 : 15)) != 0 # MALLOC_ALIGN_MASK
|
next if (error.unpack('C')[0] & (leaked_arch == ARCH_X86 ? 7 : 15)) != 0 # MALLOC_ALIGN_MASK
|
||||||
count[error] += 1
|
count[error] += 1
|
||||||
end
|
end
|
||||||
print_debug("#{{ count: count }}")
|
vprint_status("#{{ count: count }}")
|
||||||
throw(:another_heap_shift) if count.empty?
|
throw(:another_heap_shift) if count.empty?
|
||||||
|
|
||||||
# convert count to a nested array of [key, value] arrays and sort it
|
# convert count to a nested array of [key, value] arrays and sort it
|
||||||
|
@ -345,7 +345,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
||||||
encoded = payload.raw.gsub(/[\"\\]/, '\\\\\\&').gsub(/[\$\{\}\\]/, '\\\\\\&')
|
encoded = payload.raw.gsub(/[\"\\]/, '\\\\\\&').gsub(/[\$\{\}\\]/, '\\\\\\&')
|
||||||
# setsid because of Exim's "killpg(pid, SIGKILL);" after "alarm(60);"
|
# setsid because of Exim's "killpg(pid, SIGKILL);" after "alarm(60);"
|
||||||
command = '${run{/usr/bin/env setsid /bin/sh -c "' + encoded + '"}}'
|
command = '${run{/usr/bin/env setsid /bin/sh -c "' + encoded + '"}}'
|
||||||
print_debug(command)
|
vprint_status("Command: #{command}")
|
||||||
|
|
||||||
# don't try to execute commands directly, try a very simple ACL first,
|
# don't try to execute commands directly, try a very simple ACL first,
|
||||||
# to distinguish between exploitation-problems and shellcode-problems
|
# to distinguish between exploitation-problems and shellcode-problems
|
||||||
|
@ -407,9 +407,9 @@ class Metasploit4 < Msf::Exploit::Remote
|
||||||
# (we don't control what's stored at heap_addr)
|
# (we don't control what's stored at heap_addr)
|
||||||
|
|
||||||
rand_offset = rand(max_rand_offset)
|
rand_offset = rand(max_rand_offset)
|
||||||
print_debug("#{{ helo: helo_len, step: step_len, addr: heap_addr.to_s(16), offset: rand_offset }}")
|
vprint_status("#{{ helo: helo_len, step: step_len, addr: heap_addr.to_s(16), offset: rand_offset }}")
|
||||||
reply = try_code_execution(helo_len, acldrop, heap_addr + rand_offset)
|
reply = try_code_execution(helo_len, acldrop, heap_addr + rand_offset)
|
||||||
print_debug("#{{ reply: reply }}") if reply
|
vprint_status("#{{ reply: reply }}") if reply
|
||||||
|
|
||||||
if reply and
|
if reply and
|
||||||
reply[:code] == "550" and
|
reply[:code] == "550" and
|
||||||
|
@ -419,7 +419,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
||||||
print_good("Please wait for reply...")
|
print_good("Please wait for reply...")
|
||||||
# execute command this time, not acldrop
|
# execute command this time, not acldrop
|
||||||
reply = try_code_execution(helo_len, command, heap_addr + rand_offset)
|
reply = try_code_execution(helo_len, command, heap_addr + rand_offset)
|
||||||
print_debug("#{{ reply: reply }}")
|
vprint_status("#{{ reply: reply }}")
|
||||||
return handler
|
return handler
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -97,10 +97,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def on_request_uri( cli, request )
|
def on_request_uri( cli, request )
|
||||||
print_debug("Requesting: #{request.uri}")
|
vprint_status("Requesting: #{request.uri}")
|
||||||
if request.uri !~ /\.jar$/i
|
if request.uri !~ /\.jar$/i
|
||||||
if not request.uri =~ /\/$/
|
if not request.uri =~ /\/$/
|
||||||
print_status("Sending redirect...")
|
vprint_status("Sending redirect...")
|
||||||
send_redirect(cli, "#{get_resource}/", '')
|
send_redirect(cli, "#{get_resource}/", '')
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
|
@ -112,7 +112,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
md5_base64 = phpass_encode64(md5, md5.length)
|
md5_base64 = phpass_encode64(md5, md5.length)
|
||||||
md5_stripped = md5_base64[0...22]
|
md5_stripped = md5_base64[0...22]
|
||||||
pass = "$P\\$" + iter_char + salt + md5_stripped
|
pass = "$P\\$" + iter_char + salt + md5_stripped
|
||||||
vprint_debug("#{peer} - password hash: #{pass}")
|
vprint_status("#{peer} - password hash: #{pass}")
|
||||||
|
|
||||||
return pass
|
return pass
|
||||||
end
|
end
|
||||||
|
@ -129,8 +129,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
form_build_id = $1 if content =~ /name="form_build_id" value="(.+?)"/
|
form_build_id = $1 if content =~ /name="form_build_id" value="(.+?)"/
|
||||||
form_token = $1 if content =~ /name="form_token" value="(.+?)"/
|
form_token = $1 if content =~ /name="form_token" value="(.+?)"/
|
||||||
|
|
||||||
vprint_debug("#{peer} - form_build_id: #{form_build_id}")
|
vprint_status("#{peer} - form_build_id: #{form_build_id}")
|
||||||
vprint_debug("#{peer} - form_token: #{form_token}")
|
vprint_status("#{peer} - form_token: #{form_token}")
|
||||||
|
|
||||||
return form_build_id, form_token
|
return form_build_id, form_token
|
||||||
end
|
end
|
||||||
|
@ -202,7 +202,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
cookie = res.get_cookies
|
cookie = res.get_cookies
|
||||||
vprint_debug("#{peer} - cookie: #{cookie}")
|
vprint_status("#{peer} - cookie: #{cookie}")
|
||||||
|
|
||||||
# call admin interface to extract CSRF token and enabled modules
|
# call admin interface to extract CSRF token and enabled modules
|
||||||
print_status("#{peer} - Trying to parse enabled modules")
|
print_status("#{peer} - Trying to parse enabled modules")
|
||||||
|
@ -280,7 +280,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
# get administrator role id
|
# get administrator role id
|
||||||
id = $1 if res.body =~ /for="edit-([0-9]+)-administer-content-types">#{admin_role}:/
|
id = $1 if res.body =~ /for="edit-([0-9]+)-administer-content-types">#{admin_role}:/
|
||||||
vprint_debug("#{peer} - admin role id: #{id}")
|
vprint_status("#{peer} - admin role id: #{id}")
|
||||||
|
|
||||||
unless id
|
unless id
|
||||||
fail_with(Failure::Unknown, "Could not parse out administrator ID")
|
fail_with(Failure::Unknown, "Could not parse out administrator ID")
|
||||||
|
|
|
@ -80,21 +80,21 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime')}"
|
'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime')}"
|
||||||
}, timeout=datastore['TIMEOUT'])
|
}, timeout=datastore['TIMEOUT'])
|
||||||
if (res and res.code == 302 and res.headers['Location'])
|
if (res and res.code == 302 and res.headers['Location'])
|
||||||
vprint_debug("Server sent a 302 with location")
|
vprint_status("Server sent a 302 with location")
|
||||||
if (res.headers['Location'] =~ %r(public\+static\+java\.lang\.Runtime\+java.lang.Runtime.getRuntime\%28\%29))
|
if (res.headers['Location'] =~ %r(public\+static\+java\.lang\.Runtime\+java.lang.Runtime.getRuntime\%28\%29))
|
||||||
report_vuln({
|
report_vuln({
|
||||||
:host => rhost,
|
:host => rhost,
|
||||||
:port => rport,
|
:port => rport,
|
||||||
:name => "#{self.name} - #{uri}",
|
:name => "#{self.name} - #{uri}",
|
||||||
:refs => self.references,
|
:refs => self.references,
|
||||||
:info => "Module #{self.fullname} found vulnerable JBoss Seam 2 resource."
|
:info => "Module #{self.fullname} found vulnerable JBoss Seam 2 resource."
|
||||||
})
|
})
|
||||||
return Exploit::CheckCode::Vulnerable
|
return Exploit::CheckCode::Vulnerable
|
||||||
else
|
else
|
||||||
return Exploit::CheckCode::Safe
|
return Exploit::CheckCode::Safe
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
return Exploit::CheckCode::Unknown
|
return Exploit::CheckCode::Unknown
|
||||||
end
|
end
|
||||||
|
|
||||||
# If we reach this point, we didn't find the service
|
# If we reach this point, we didn't find the service
|
||||||
|
@ -205,8 +205,6 @@ EOJSP
|
||||||
|
|
||||||
|
|
||||||
def get_full_path(filename)
|
def get_full_path(filename)
|
||||||
#vprint_debug("Trying to find full path for #{filename}")
|
|
||||||
|
|
||||||
uri = target_uri.path
|
uri = target_uri.path
|
||||||
res = send_request_cgi(
|
res = send_request_cgi(
|
||||||
{
|
{
|
||||||
|
@ -220,7 +218,6 @@ EOJSP
|
||||||
# the user argument should be set to the result of our call - which
|
# the user argument should be set to the result of our call - which
|
||||||
# will be the full path of our file
|
# will be the full path of our file
|
||||||
matches = /.*user=(.+)\&.*/.match(res.headers['Location'])
|
matches = /.*user=(.+)\&.*/.match(res.headers['Location'])
|
||||||
#vprint_debug("Location is " + res.headers['Location'])
|
|
||||||
if (matches and matches.captures)
|
if (matches and matches.captures)
|
||||||
return Rex::Text::uri_decode(matches.captures[0])
|
return Rex::Text::uri_decode(matches.captures[0])
|
||||||
else
|
else
|
||||||
|
@ -241,16 +238,16 @@ EOJSP
|
||||||
|
|
||||||
append = 'false'
|
append = 'false'
|
||||||
while (data.length > chunk_size)
|
while (data.length > chunk_size)
|
||||||
status = upload_file_chunk(@payload_exe, append, data[0, chunk_size])
|
status = upload_file_chunk(@payload_exe, append, data[0, chunk_size])
|
||||||
if status
|
if status
|
||||||
vprint_debug("Uploaded chunk")
|
vprint_status("Uploaded chunk")
|
||||||
else
|
else
|
||||||
vprint_error("Failed to upload chunk")
|
vprint_error("Failed to upload chunk")
|
||||||
break
|
break
|
||||||
end
|
end
|
||||||
data = data[chunk_size, data.length - chunk_size]
|
data = data[chunk_size, data.length - chunk_size]
|
||||||
# first chunk is an overwrite, afterwards, we need to append
|
# first chunk is an overwrite, afterwards, we need to append
|
||||||
append = 'true'
|
append = 'true'
|
||||||
end
|
end
|
||||||
status = upload_file_chunk(@payload_exe, 'true', data)
|
status = upload_file_chunk(@payload_exe, 'true', data)
|
||||||
if status
|
if status
|
||||||
|
@ -290,7 +287,7 @@ EOJSP
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
vprint_debug("Sending in chunks of #{chunk_size}")
|
vprint_status("Sending in chunks of #{chunk_size}")
|
||||||
|
|
||||||
case target['Platform']
|
case target['Platform']
|
||||||
when 'java'
|
when 'java'
|
||||||
|
|
|
@ -128,7 +128,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
print_warning("#{peer} - File upload may have failed")
|
print_warning("#{peer} - File upload may have failed")
|
||||||
return fname
|
return fname
|
||||||
else
|
else
|
||||||
vprint_debug("#{peer} - Received response: #{res.code} - #{res.body}")
|
vprint_status("#{peer} - Received response: #{res.code} - #{res.body}")
|
||||||
fail_with(Failure::Unknown, "#{peer} - Something went wrong")
|
fail_with(Failure::Unknown, "#{peer} - Something went wrong")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -116,7 +116,6 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
|
|
||||||
print_status("Creating task: #{taskname}")
|
print_status("Creating task: #{taskname}")
|
||||||
cmdline = "schtasks.exe /create /tn #{taskname} /tr \"#{cmd}\" /sc monthly /f"
|
cmdline = "schtasks.exe /create /tn #{taskname} /tr \"#{cmd}\" /sc monthly /f"
|
||||||
# print_debug("Will Execute:\n\t#{cmdline}")
|
|
||||||
exec_schtasks(cmdline, "create the task")
|
exec_schtasks(cmdline, "create the task")
|
||||||
|
|
||||||
#
|
#
|
||||||
|
|
|
@ -59,9 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
# We create the filepath for the upload, for execution it should be \windows\system32\wbem\mof\<file with extension mof!
|
# We create the filepath for the upload, for execution it should be \windows\system32\wbem\mof\<file with extension mof!
|
||||||
file = "..\\..\\" << remote_filepath << remote_filename << "\x00"
|
file = "..\\..\\" << remote_filepath << remote_filename << "\x00"
|
||||||
#print_debug("File to upload: #{file}")
|
|
||||||
pkt_size = local_filedata.size() + file.size() + (0x108 - file.size()) + 4
|
pkt_size = local_filedata.size() + file.size() + (0x108 - file.size()) + 4
|
||||||
#print_debug(pkt_size)
|
|
||||||
|
|
||||||
# Magic_code + packing + size
|
# Magic_code + packing + size
|
||||||
pkt = magic_code << "AAAAAAAAAAAA" << [pkt_size].pack('L')
|
pkt = magic_code << "AAAAAAAAAAAA" << [pkt_size].pack('L')
|
||||||
|
|
|
@ -185,7 +185,7 @@ class Metasploit3 < Msf::Post
|
||||||
:source_type => "exploit",
|
:source_type => "exploit",
|
||||||
:user => user_name,
|
:user => user_name,
|
||||||
:pass => password)
|
:pass => password)
|
||||||
print_debug "Should have reported..."
|
vprint_status("Should have reported...")
|
||||||
|
|
||||||
# Set savedpwds to 1 on return
|
# Set savedpwds to 1 on return
|
||||||
return 1
|
return 1
|
||||||
|
|
|
@ -86,12 +86,12 @@ class Metasploit3 < Msf::Post
|
||||||
end
|
end
|
||||||
|
|
||||||
def read(size)
|
def read(size)
|
||||||
vprint_debug("Reading #{size} bytes")
|
vprint_status("Reading #{size} bytes")
|
||||||
client.railgun.kernel32.ReadFile(@handle, size, size, 4, nil)['lpBuffer']
|
client.railgun.kernel32.ReadFile(@handle, size, size, 4, nil)['lpBuffer']
|
||||||
end
|
end
|
||||||
|
|
||||||
def seek(offset)
|
def seek(offset)
|
||||||
vprint_debug("Seeking to offset #{offset}")
|
vprint_status("Seeking to offset #{offset}")
|
||||||
high_offset = offset >> 32
|
high_offset = offset >> 32
|
||||||
low_offset = offset & (2**33 - 1)
|
low_offset = offset & (2**33 - 1)
|
||||||
client.railgun.kernel32.SetFilePointer(@handle, low_offset, high_offset, 0)
|
client.railgun.kernel32.SetFilePointer(@handle, low_offset, high_offset, 0)
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
shared_examples_for 'Msf::Module::UI::Message::Verbose' do
|
shared_examples_for 'Msf::Module::UI::Message::Verbose' do
|
||||||
it { is_expected.to respond_to :vprint_debug }
|
|
||||||
it { is_expected.to respond_to :vprint_error }
|
it { is_expected.to respond_to :vprint_error }
|
||||||
it { is_expected.to respond_to :vprint_good }
|
it { is_expected.to respond_to :vprint_good }
|
||||||
it { is_expected.to respond_to :vprint_status }
|
it { is_expected.to respond_to :vprint_status }
|
||||||
|
|
|
@ -34,12 +34,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
print_debug "Check is successful"
|
vprint_status("Check is successful")
|
||||||
return Msf::Exploit::CheckCode::Vulnerable
|
return Msf::Exploit::CheckCode::Vulnerable
|
||||||
end
|
end
|
||||||
|
|
||||||
def run
|
def run
|
||||||
print_debug "Run is successful."
|
vprint_status("Run is successful.")
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -34,12 +34,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
print_debug "Check is successful"
|
vprint_status("Check is successful")
|
||||||
return Msf::Exploit::CheckCode::Vulnerable
|
return Msf::Exploit::CheckCode::Vulnerable
|
||||||
end
|
end
|
||||||
|
|
||||||
def run
|
def run
|
||||||
print_debug "Run is successful."
|
vprint_status("Run is successful.")
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -123,7 +123,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def on_request_exploit(cli, request, target_info)
|
def on_request_exploit(cli, request, target_info)
|
||||||
print_debug("Target selected: #{get_target.name}")
|
vprint_status("Target selected: #{get_target.name}")
|
||||||
print_line(Rex::Text.to_hex_dump([rop_junk].pack("V*")))
|
print_line(Rex::Text.to_hex_dump([rop_junk].pack("V*")))
|
||||||
print_line(Rex::Text.to_hex_dump([rop_nop].pack("V*")))
|
print_line(Rex::Text.to_hex_dump([rop_nop].pack("V*")))
|
||||||
p = get_payload(cli, target_info)
|
p = get_payload(cli, target_info)
|
||||||
|
@ -148,4 +148,4 @@ end
|
||||||
=begin
|
=begin
|
||||||
Example of raw target_info:
|
Example of raw target_info:
|
||||||
{:source=>"script", :os_name=>"Microsoft Windows", :os_flavor=>"XP", :ua_name=>"MSIE", :ua_ver=>"8.0", :arch=>"x86", :office=>"null", :proxy=>false, :language=>"en-us", :tried=>true}
|
{:source=>"script", :os_name=>"Microsoft Windows", :os_flavor=>"XP", :ua_name=>"MSIE", :ua_ver=>"8.0", :arch=>"x86", :office=>"null", :proxy=>false, :language=>"en-us", :tried=>true}
|
||||||
=end
|
=end
|
||||||
|
|
|
@ -32,12 +32,12 @@ class Metasploit3 < Msf::Exploit
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
print_debug "Check is successful"
|
vprint_status("Check is successful")
|
||||||
return Msf::Exploit::CheckCode::Vulnerable
|
return Msf::Exploit::CheckCode::Vulnerable
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
print_debug "Exploit is successful."
|
vprint_status("Exploit is successful.")
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue