Abstracted the RHOST references from inside the mixins.
Added a mssql_ping_parse method to the mssql mixin git-svn-id: file:///home/svn/framework3/trunk@3827 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
7bab6241e6
commit
90fc7fa94e
|
@ -43,7 +43,7 @@ module Exploit::Remote::DCERPC
|
|||
end
|
||||
|
||||
def dcerpc_handle(uuid, version, protocol, opts)
|
||||
self.handle = Rex::Proto::DCERPC::Handle.new([uuid, version], protocol, datastore['RHOST'], opts)
|
||||
self.handle = Rex::Proto::DCERPC::Handle.new([uuid, version], protocol, rhost, opts)
|
||||
end
|
||||
|
||||
def dcerpc_bind(h)
|
||||
|
|
|
@ -48,13 +48,13 @@ module Exploit::Remote::HttpClient
|
|||
#
|
||||
def connect(opts={})
|
||||
nclient = Rex::Proto::Http::Client.new(
|
||||
datastore['RHOST'],
|
||||
datastore['RPORT'].to_i,
|
||||
rhost,
|
||||
rport.to_i,
|
||||
{
|
||||
'Msf' => framework,
|
||||
'MsfExploit' => self,
|
||||
},
|
||||
datastore['SSL']
|
||||
ssl
|
||||
)
|
||||
|
||||
# Configure the HTTP client with the supplied parameter
|
||||
|
@ -200,6 +200,13 @@ module Exploit::Remote::HttpClient
|
|||
datastore['VHOST']
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the boolean indicating SSL
|
||||
#
|
||||
def ssl
|
||||
datastore['SSL']
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
attr_accessor :client
|
||||
|
|
|
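Review bot: The new `ssl` accessor returns `datastore['SSL']` unchanged while its comment promises a boolean; whether the datastore has already normalized the option to true/false is not visible in this section, and if it hands back the raw user string, `"false"` is truthy in Ruby, so `connect` would pass a truthy value into `Rex::Proto::Http::Client.new` and turn SSL on by mistake. If normalization is not guaranteed by the datastore, coerce here, e.g. `v = datastore['SSL']` followed by `v == true || v.to_s =~ /\A(true|yes|1)\z/i ? true : false`; if it is guaranteed, say so in the comment (`# Returns the SSL datastore option, already normalized to true/false`). The `rport.to_i` call in `connect` also maps an unset RPORT to 0 rather than failing; that mirrors the SunRPC mixin, but a `raise ArgumentError, 'RPORT is not set' unless rport` before the client is built would fail earlier and more clearly. The `rhost`/`rport` helpers that `connect` now relies on are defined outside this hunk.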
@ -30,11 +30,11 @@ module Exploit::Remote::MSSQL
|
|||
# This method sends a UDP query packet to the server and
|
||||
# parses out the reply packet into a hash
|
||||
#
|
||||
def mssql_ping
|
||||
def mssql_ping(timeout=5)
|
||||
data = { }
|
||||
|
||||
ping_sock = Rex::Socket::Udp.create(
|
||||
'PeerHost' => datastore['RHOST'],
|
||||
'PeerHost' => rhost,
|
||||
'PeerPort' => 1434,
|
||||
'Context' =>
|
||||
{
|
||||
|
@ -44,23 +44,38 @@ module Exploit::Remote::MSSQL
|
|||
|
||||
|
||||
ping_sock.put("\x02")
|
||||
resp, saddr, sport = ping_sock.recvfrom()
|
||||
resp, saddr, sport = ping_sock.recvfrom(65535, timeout)
|
||||
ping_sock.close
|
||||
|
||||
return data if not resp
|
||||
return data if resp.length == 0
|
||||
|
||||
var = nil
|
||||
resp.slice!(0, resp.index('ServerName'))
|
||||
resp.split(';').each { |d|
|
||||
|
||||
return mssql_ping_parse(resp)
|
||||
end
|
||||
|
||||
#
|
||||
# Parse a 'ping' response and format as a hash
|
||||
#
|
||||
def mssql_ping_parse(data)
|
||||
res = {}
|
||||
var = nil
|
||||
idx = data.index('ServerName')
|
||||
return res if not idx
|
||||
|
||||
data[idx, data.length-idx].split(';').each do |d|
|
||||
if (not var)
|
||||
var = d
|
||||
else
|
||||
data[var] = d
|
||||
var = nil
|
||||
if (var.length > 0)
|
||||
res[var] = d
|
||||
var = nil
|
||||
end
|
||||
end
|
||||
}
|
||||
return data
|
||||
end
|
||||
|
||||
return res
|
||||
end
|
||||
|
||||
#
|
||||
|
@ -69,12 +84,14 @@ module Exploit::Remote::MSSQL
|
|||
# The global socket is used and left connected after auth
|
||||
#
|
||||
def mssql_login(user='sa', pass='')
|
||||
p_hdr = "\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00"+
|
||||
p_hdr =
|
||||
"\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
|
||||
|
||||
p_pk2 = "\x30\x30\x30\x30\x30\x30\x61\x30\x00\x00"+
|
||||
p_pk2 =
|
||||
"\x30\x30\x30\x30\x30\x30\x61\x30\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x20\x18\x81\xb8\x2c\x08\x03"+
|
||||
"\x01\x06\x0a\x09\x01\x01\x00\x00\x00\x00\x00"+
|
||||
|
@ -86,7 +103,8 @@ module Exploit::Remote::MSSQL
|
|||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00"
|
||||
|
||||
p_pk3 = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
p_pk3 =
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
|
@ -113,7 +131,8 @@ module Exploit::Remote::MSSQL
|
|||
"\x00\x00\x00\x00\x00\x00"
|
||||
|
||||
|
||||
p_lang = "\x02\x01\x00\x47\x00\x00\x02\x00\x00\x00\x00"+
|
||||
p_lang =
|
||||
"\x02\x01\x00\x47\x00\x00\x02\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
|
|
|
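Review bot: In `mssql_ping_parse`, `var = nil` is only executed inside `if (var.length > 0)`, so once an empty token lands in the key position (`split(';')` yields `""` for a doubled `;`), `var` stays `""`, every later element takes the `else` branch and is discarded, and the remaining key/value pairs never reach `res`; the removed code always reset `var`, so this is new. Reset unconditionally: `res[var] = d if var.length > 0` then `var = nil`, keeping the empty-key guard but not the sticky state. In `mssql_ping`, `data = { }` now only serves the two early `return data if …` lines before `return mssql_ping_parse(resp)`; returning `{}` directly would drop the leftover local. The `mssql_ping` body starts in the first MSSQL hunk and its socket setup runs between the two hunks, so the behaviour of `recvfrom(65535, timeout)` on timeout (nil vs. empty string) is handled by both guards but not visible here.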
@ -40,7 +40,7 @@ module Exploit::Remote::SunRPC
|
|||
end
|
||||
|
||||
def sunrpc_create(protocol, program, version)
|
||||
self.rpcobj = Rex::Proto::SunRPC::Client.new(datastore['RHOST'], datastore['RPORT'], protocol, program, version)
|
||||
self.rpcobj = Rex::Proto::SunRPC::Client.new(rhost, rport.to_i, protocol, program, version)
|
||||
if datastore['ONCRPC::tcp_request_fragmentation'] == true
|
||||
self.rpcobj.should_fragment = 1
|
||||
end
|
||||
|
|