After exploiting this application manually I decided to make this
an MSF exploit, only to find that other people had beaten me to it.
However, the existing exploit was broken in a few ways, and this
commit makes those problems go away. They include:
* Correct use of alpha chars in the buffer leading up to the payload
which results in bad chars being avoided. Bad chars muck with the
offsets because they get expanded.
* Adjustment of the payload so that it runs in another thread instead
of in the thread of the request handler. This prevents the session
from being killed after the hard-coded 60-second timeout that is
baked into the application.
* The handler thread terminates itself so that the process doesn't
crash.
* Extra targets were added based on the machines I had access to.
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
We use system %PATH% for notepad executable instead of the absolute
path, because it caused a problem with the migrate script in a 64-bit
meterpreter session. By default the wordpad binary is not in the
%PATH%, so the condition in hp_nnm_ovbuildpath_textfile.rb was not
changed.
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.
This change converts all Payloads to this format if there is more than
one payload to choose from.
It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.
See:
https://github.com/bbatsov/ruby-style-guide#collections
jvazquez-r7
OJ
sinn3r
Tod Beardsley
Thomas Hibbert
William Vu
jvazquez-r7
Norbert Szetei
FireFart